Mozilla

With Version 117, Firefox Finally Speaks Chrome's Translation Language (theregister.com) 18

The latest version of the flagship FOSS browser is out, and it's picked up one of the main features for which we keep Chrome around. From a report: The Firefox version 117 feature list might not look all that impressive, but it does have a big-ticket feature that may tempt people back: automatic translation. The snag is it's disabled by default in the release version, and you'll have to manually enable it. Although it was enabled in the betas, Mozilla has decided to go for a staged rollout and not enable it for everyone until Firefox 118 in six weeks or so.

The new feature is integrated, privacy-respecting machine translation between multiple languages. This was already possible in older versions, but it needed an extension, and that had two side effects. One is that the extension hooked deep into the core of the browser in ways that Mozilla wasn't comfortable about, and the other is that once your text had been sent out to a third-party website, it could be snooped upon -- but the victims of any snooping would blame the browser, even if it wasn't the browser's fault. To enable it, go to the configuration page (enter about:config in the address bar), and search for a setting called browser.translations.enable.

Google

Google Removes Fake Signal and Telegram Apps Hosted on Play (arstechnica.com) 12

Researchers say they have found fake apps in Google Play that masqueraded as legitimate ones for the Signal and Telegram messaging platforms. The malicious apps could pull messages or other sensitive information from legitimate accounts when users took certain actions. ArsTechnica: An app with the name Signal Plus Messenger was available on Play for nine months and had been downloaded from Play roughly 100 times before Google took it down last April after being tipped off by security firm ESET. It was also available in the Samsung app store and on signalplus[.]org, a dedicated website mimicking the official Signal.org. An app calling itself FlyGram, meanwhile, was created by the same threat actor and was available through the same three channels. Google removed it from Play in 2021. Both apps remain available in the Samsung store.

Both apps were built on open source code available from Signal and Telegram. Interwoven into that code was an espionage tool tracked as BadBazaar. The Trojan has been linked to a China-aligned hacking group tracked as GREF. BadBazaar has been used previously to target Uyghurs and other Turkic ethnic minorities. The FlyGram malware was also shared in a Uyghur Telegram group, further aligning it to previous targeting by the BadBazaar malware family. Signal Plus could monitor sent and received messages and contacts if people connected their infected device to their legitimate Signal number, as is normal when someone first installs Signal on their device. Doing so caused the malicious app to send a host of private information to the attacker, including the device IMEI number, phone number, MAC address, operator details, location data, Wi-Fi information, emails for Google accounts, contact list, and a PIN used to transfer texts in the event one was set up by the user.

IT

The Tropical Island With the Hot Domain Name (bloomberg.com) 22

A tiny island in the Caribbean is now sitting on a digital treasure. From a report: Anguilla, a tropical British territory, is known for its coral reefs and white sand beaches. Since the 1990s, however, it's also been in charge of assigning internet addresses that end in .ai to residents and businesses looking to register websites. It was one of hundreds of country-specific domain names and easy to overlook -- until recently. Stability.ai, Elon Musk's X.ai and Character.ai are just a few of the hot artificial intelligence startups that have snapped up the .ai domain assigned to the islands and cays that comprise Anguilla. Plenty of tech giants have their own web addresses ending in .ai as well: Google.ai and Facebook.ai route visitors to their company's AI-focused webpages and Microsoft.ai shows off the company's Azure AI services.

The total number of registrations of sites ending with these two letters has effectively doubled in the past year to 287,432, according to Vince Cate, who for decades has managed the .ai domain for Anguilla. Cate estimates Anguilla will bring in as much as $30 million in domain-registration fees for 2023. Once one of the many obscure top-level domains assigned to countries and territories, .ai websites experienced a slow but steady increase in demand in recent years. But the sudden spike in .ai domains nine months ago highlights the broader frenzy around artificial intelligence and its ripple effects throughout the global economy. Since ChatGPT launched, a growing number of tech companies have raced to raise billions in capital, scoop up engineering talent and secure powerful but increasingly scarce chips. A domain may sound less essential, but for an industry obsessed with clever branding, the right name can be everything. "Since November 30, things are very different here," Cate said, referring to the date when ChatGPT launched publicly.

Security

Hackers Shut Down 2 of the World's Most Advanced Telescopes (space.com) 36

Some of the world's leading astronomical observatories have reported cyberattacks that have resulted in temporary shutdowns. Space.com reports: The National Science Foundation's National Optical-Infrared Astronomy Research Laboratory, or NOIRLab, reported that a cybersecurity incident that occurred on Aug. 1 has prompted the lab to temporarily halt operations at its Gemini North Telescope in Hawaii and Gemini South Telescope in Chile. Other, smaller telescopes on Cerro Tololo in Chile were also affected. "Our staff are working with cybersecurity experts to get all the impacted telescopes and our website back online as soon as possible and are encouraged by the progress made thus far," NOIRLab wrote in a statement on its website on Aug. 24.

It's unclear exactly what the nature of the cyberattacks was or from where they originated. NOIRLab points out that because the investigation is still ongoing, the organization will be cautious about what information it shares about the intrusions. The cyberattacks on NOIRLab's facilities occurred just days before the United States National Counterintelligence and Security Center (NCSC) issued a bulletin (PDF) advising American space companies and research organizations about the threat of cyberattacks and espionage.

Foreign spies and hackers "recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets," the bulletin stated. "They see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise."

AI

Call of Duty Will Use AI To Moderate Voice Chats 48

Activision has partnered with a company called Modulate to moderate voice chats using an AI technology called ToxMod. According to The Verge, the tool "will work to identify behaviors like hate speech, discrimination, and harassment in real time." From the report: ToxMod's initial beta rollout in North America begins today. It's active within Call of Duty: Modern Warfare II and Call of Duty: Warzone. A "full worldwide release" (it does not include Asia, the press release notes) will follow on November 10th with the release of Call of Duty: Modern Warfare III, this year's new entry in the franchise. Modulate's press release doesn't include too many details about how exactly ToxMod works. Its website notes that the tool "triages voice chat to flag bad behavior, analyzes the nuances of each conversation to determine toxicity, and enables moderators to quickly respond to each incident by supplying relevant and accurate context."

The company's CEO said in a recent interview that the tool aims to go beyond mere transcription; it takes factors like a player's emotions and volume into context as well in order to differentiate harmful statements from playful ones. It is noteworthy that the tool (for now, at least) will not actually take action against players based on its data but will merely submit reports to Activision's moderators.

Privacy

MTA Website 'Feature' Lets You Track Subway Riders' Locations (404media.co) 23

Slash_Account_Dot shares a report from 404 Media, written by cybersecurity journalist Joseph Cox: In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time. They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live. I would also know what specific time this person may go to the subway each day. During all this monitoring, I wasn't anywhere near the rider. I didn't even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system. With their consent, I had entered the rider's credit card information -- data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain -- and punched that into the MTA site for OMNY, the subway's contactless payments system. After a few seconds, the site churned out the rider's travel history for the past 7 days, no other verification required.

On the OMNY website, the MTA offers the ability for riders to "Check trip history." This feature works for people who use contactless bank cards when entering the subway, or other solutions like Apple Pay and Google Pay. The issue is that the feature requires no other authentication -- no account linked to an email, for example -- meaning that anyone with a target's details can enter it and snoop on their movements. The MTA does offer the option of an OMNY account, which requires a password. The website says having an account lets riders "Securely access your trip history." But the first option that appears on the trip history website is the unauthenticated version.

After 404 Media raised the concerns to the MTA, a spokesperson said the agency will look into improving the system. "But at the moment, the tracking feature is still accessible without any authentication," notes Cox.

UPDATE 8/31/23: The MTA says it will disable the feature that leaked trip history.

Piracy

Sports Leagues Ask US For 'Instantaneous' DMCA Takedowns and Website Blocking (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: Sports leagues are urging the US to require "instantaneous" takedowns of pirated livestreams and new requirements for Internet service providers to block pirate websites. The Digital Millennium Copyright Act of 1998 requires websites to "expeditiously" remove infringing material upon being notified of its existence. But pirated livestreams of sports events often aren't taken down while the events are ongoing, said comments submitted last week by Ultimate Fighting Championship, the National Basketball Association, and National Football League.

The "DMCA does not define 'expeditiously,' and OSPs [online service providers] have exploited this ambiguity in the statutory language to delay removing content in response to takedown requests," the leagues told the US Patent and Trademark Office in response to a request for comments on addressing counterfeiting and piracy. The leagues urged the US "to establish that, in the case of live content, the requirement to 'expeditiously' remove infringing content means that content must be removed 'instantaneously or near-instantaneously' in response to a takedown request." The leagues claimed the change "would be a relatively modest and non-controversial update to the DMCA that could be included in the broader reforms being considered by Congress or could be addressed separately." They also want stricter "verification measures before a user is permitted to livestream."

The UFC separately submitted comments on its own, urging the US to require that ISPs block pirate sites. The UFC said that a "significant and growing" number of websites, typically operated from outside the US, don't respond to takedown requests and thus should be blocked by broadband network operators. The UFC wrote: "Unlike many other jurisdictions around the world, the US lacks a 'site-blocking' regime whereby copyright owners may obtain no-fault injunctions requiring domestic Internet service providers to block websites that are primarily geared at infringing activity. A 'site-blocking' regime, with appropriate safeguards to prevent abuse, would substantially facilitate all copyright owners' ability to address piracy, including UFC's." Website-blocking is bound to be a controversial topic, although the Federal Communications Commission's now-repealed net neutrality rules only prohibited blocking of "lawful Internet traffic." While the UFC said it just wants "websites that are primarily geared at infringing activity" to be blocked, a site-blocking regime could be used more expansively if there aren't strict limits.

Android

ASUS Reportedly Shuts Down Zenfone Division, No More Compact Flagships (androidauthority.com) 15

According to a report from Technews Taiwan, ASUS has shut down its Zenfone division responsible for making some of the best compact Android flagships on the market. The reason given is "internal restructuring." Employees in the Zenfone division are being moved over to the ROG Phone team and other parts of the business. Android Authority reports: The report further asserts that the Zenfone 10 will be the last phone in the Zenfone series. Since the team no longer exists, there is unlikely to be a successor to this phone. The report follows other incidents around Zenfone. Earlier in the month, ASUS stopped allowing bootloader unlocks for Zenfone owners. The company maintained that they are not stopping the possibility of unlocking, just that the tool is currently unavailable.

A few weeks ago, community members also spotted that ASUS had removed older Zenfone firmwares from its website. Community moderators responded that ASUS no longer provides previous firmware versions or downgrade packages to ensure users remain on up-to-date firmware. Both of these incidents do not directly point to the shutdown of the Zenfone division. But they add the value of hindsight to the report, and we can't help but wonder if the writing was on the wall all this time.

News

Chess Cheating Saga Ends: Hans Niemann Will Be Allowed Back on Chess Website (404media.co) 33

Chess.com and Hans Niemann have reached a settlement in which Niemann has agreed to drop a $100 million lawsuit against Chess.com and Magnus Carlsen, and will be allowed to return to compete, the company announced Monday. From a report: This puts an end to the legal aspect of a cheating scandal that captivated the chess world for nearly a year. As part of the settlement, chess world champion Carlsen said "there is no determinative evidence that Niemann cheated in his game against me at the Sinquefield Cup. I am willing to play Niemann in future events, should we be paired together."

United Kingdom

Massive Weekend Hunt for Loch Ness Monster: Drones, Infrared Cameras, and Underwater Microphones (msn.com) 99

"Hundreds of monster hunters equipped with drones and infrared cameras have gathered in the Scottish Highlands with a singular goal," reports the Washington Post: "to be the ones to finally find the Loch Ness monster." But it won't be easy. On Saturday, the rain was lashing and the skies were gray, hampering visibility in the search for the folkloric creature, affectionately known as Nessie. The mythical monster, which legend says lives in a freshwater lake in Scotland, has eluded capture, or any definitive proof of existence, since its first recorded sighting in the 6th century.

But trying to find Nessie is an age-old tradition, and the volunteer hunters who showed up Saturday are dedicated — and better equipped than those who came before. The search for the monster, organized over two days by the local Loch Ness Center in Inverness, is the biggest in a half-century, and certainly the most high-tech. Some people drove hours to be here, while others flew in from overseas... The Loch Ness Center launched the event — which it called "The Quest" — in partnership with Loch Ness Exploration, a research group that studies the lake and other unexplained phenomena. It put out a call for volunteer hunters "fascinated by the legendary tales of Nessie" and with "a passion for unraveling mysteries and exploring the extraordinary."

The center was later forced to close online registrations for volunteers "due to an overwhelming surge in demand," according to the website...

Some hunters with drones are equipping them with infrared cameras to seek out heat spots in the lake — as well as sending them underwater. They've also come armed with a hydrophone to pick up acoustic signals 60 feet below the loch's surface — although nobody really knows what the monster would sound like. Other participants can join several surface-watch locations staged by organizers or cruise the 23-mile-long lake by boat. They have been asked to document everything they see — from surface movements to weather changes — and are getting lessons on how to capture potential sightings on their phones.

The BBC notes that "Almost 300 have signed up to monitor a live stream from the search, which is taking place on Saturday and Sunday."

NPR has some audio excerpts of past witnesses who said they've seen the monster — and some of the current crop of monster hunters. (While Wikipedia has its own detailed debunking of the famous Loch Ness monster "Surgeon's Photo".) But the Washington Post sums up the whole story with this two-word quote from a woman who'd traveled from France for a Loch Ness vacation.

"I believe."

Social Networks

Threads is Now Available on the Web (zdnet.com) 68

Tuesday Mark Zuckerberg shared a photo on Instagram with "actual footage of me building Threads for web." And now ZDNet reports that Zuckerberg's photo is available on his new Threads page on the web.

"As of Thursday, Meta's new platform is fully accessible to all users from any computer and desktop browser, Instagram head Adam Mosseri confirmed in a new Threads post."

"Use your Instagram account to log in: threads.net," explains the official Threads account. "Scroll to catch up on the conversation, or start a new thread of your own." Posts can include photos and videos, or you can reply and repost to other posts. "This is just the beginning. We're working on bringing everything you know and love from mobile over to web. More soon."

Wired argues the move makes Threads "more broadly usable." Most users will still access it through mobile, if the way people currently access the internet is any indication. But the move to the web is the next step in Meta creating an application just sticky enough to kneecap X and draw attention away from Bluesky, Mastodon, Spoutible, Post, and any other newish social app.

It's also a way to juice its users again. After that spectacular initial sign-up period in July, Threads usage dropped off precipitously. New data from market intelligence firm Sensor Tower suggests that daily active users are down more than 60 percent from its first-week average, though it's now back on the upswing. Threads amassed 44 million daily active users during its launch peak, then saw usage drop to a low of 7 million DAUs in late July. As of mid-August, the app has seen increases of 11 million DAUs, Sensor Tower analysts say. However, time spent on the app per daily active user has also fallen, the firm says.

Calling Threads "a work in progress," Wired notes it "will supposedly be compatible with ActivityPub, an open social networking protocol, but that hasn't happened yet. The app also doesn't currently support direct messages, a popular feature on X. And Threads is not available in the European Union, due to the regulatory climate there."

Their article also shares an idea from data journalist and engineer Surya Mattu: that both devices and social media apps like Threads should implement a transparency-guaranteeing "inspectability API" to always allow users to inspect their data and activity in real-time.

Privacy

College Board Shares Student SAT Scores, GPA with Facebook and TikTok (gizmodo.com) 42

College Board sends student SAT scores and GPA to Facebook and TikTok, according to tests by tech news outlet Gizmodo. Even when searching for colleges, personal academic details are shared with social media companies. From the report: Gizmodo observed the College Board's website sharing data with Facebook and TikTok when a user fills in information about their GPA and SAT scores. When this reporter used the College Board's search filtering tools to find colleges that might accept a student with a C+ grade-point average and a SAT score of 420 out of 1600, the site let the social media companies know. Whether a student is acing their tests or struggling, Facebook and TikTok get the details.

The College Board shares this data via "pixels," invisible tracking technology used to facilitate targeted advertising on platforms such as Facebook and TikTok. The data is shared along with unique user IDs to identify the students, along with other information about how you use the College Board's site. Organizations use pixels and other tools to share data so they can send targeted ads to people who use their apps and websites on other platforms, such as Google, Facebook, and TikTok.

The Almighty Buck

Mastercard, Binance To End Crypto Card Partnership (reuters.com) 3

Mastercard and crypto exchange Binance will end their four crypto card programmes in Argentina, Brazil, Colombia and Bahrain as of Sept. 22. From a report: The Binance cards allow users to make payments in traditional currencies, funded by their cryptocurrency holdings on the exchange. Mastercard's website also lists partnerships with crypto exchanges including Gemini. The decision will not impact any of Mastercard's other crypto card programmes, the spokesperson said. Binance is facing legal and regulatory challenges.

Data Storage

Dropbox Ends Unlimited Cloud Storage Following Google Change 46

Dropbox, a provider of online data storage, is ending its unlimited option, saying a small handful of customers were using massive amounts of resources that had the potential to degrade the cloud service for the rest of its clients. From a report: The company's highest-tier "all the space you need" storage plan will be capped at about 5 terabytes per user for new customers, the company said in a blog post.

While the plan was designed for businesses, some clients were instead using it for cryptocurrency mining, pooling storage with strangers, or re-selling the cloud service, Dropbox said. These uses "frequently consume thousands of times more storage than our genuine business customers, which risks creating an unreliable experience for all of our customers," the company said. [...] The change follows Alphabet's Google removing "as much storage as you need" product branding for its highest-tier Workspace plan in May, according to copies of its website hosted on the Wayback Machine.

The Internet

SpaceX Working With Cloudflare To Speed Up Starlink Service 60

According to The Information (paywalled), SpaceX is working with Cloudflare to boost the performance of its satellite internet service Starlink. Reuters reports: The two companies are working on a way to increase Starlink's network of mini data centers around the globe that could help it deliver faster network speeds to its customers, the report said. According to SpaceX's website, Starlink users typically have download speeds between 25 and 220 Mbps, with the "majority" over 100 Mbps. Upload speeds range between 5 and 20 Mbps.

Microsoft

Microsoft Kills Kinect Again (theverge.com) 25

Microsoft is discontinuing the Kinect, again. The Verge explains: The company officially stopped manufacturing the depth camera and microphone in 2017 and brought it back in a new form in 2019 as the Azure Kinect Developer Kit. Now, Microsoft is ending production of that, too, but it has partnered with some outside companies to provide options available for people who need similar types of devices.

If you want to get one of the remaining Azure Kinect Developer Kits, they'll be available to buy through the end of October or "until supplies last," Microsoft's Swati Mehta said in a post on the company's website. If you already have one, Mehta promises that you can keep using it "without disruption." "As the needs of our customers and partners evolve, we regularly update our products to best support them," Mehta wrote. "From time to time, this includes introducing new opportunities, as well as retiring products. We have made the decision to end production of Azure Kinect Developer Kit, but this is far from the end of this technology as it will continue to be available through our partner ecosystem." One alternate suggestion from Mehta is Orbbec's Femto Bolt, which uses the depth camera module found in the Azure Kinect Developer Kit.

Space

SpaceX's Bandwagon Program Is a Big Deal (techcrunch.com) 21

Under a new initiative, named Bandwagon, SpaceX is expanding its rideshare program to cater to the demand for launches to mid-inclination orbits. TechCrunch reports: Orbital inclination refers to what part of the Earth is visible to a satellite as it rotates around the planet. A satellite in an equatorial orbit is at 0 degrees inclination; a satellite in a sun-synchronous orbit (SSO) is slightly higher than 90 degrees; and a mid-inclination orbit is around 45 degrees. Currently, SpaceX offers rideshare services on the Falcon 9 rocket to SSO through the Transporter program, which is in notoriously high demand. But mid-inclination orbits (MIOs) are appealing to a growing number of customers, especially to remote sensing companies that want to strengthen their coverage over areas like parts of Asia and the Middle East. Right now, companies must often purchase a dedicated launch from Rocket Lab if they want to position a satellite in MIO.

With the new rideshare program, called Bandwagon, SpaceX is going after this slice of the market. According to SpaceX's website, it currently has two Bandwagon missions booked for 2024 and two for 2025. If they become even close to the popularity of the Rideshare program, they could be a major threat to all other small launch providers: According to Jarrod McLachlan, director of rideshare sales at SpaceX, who spoke at the industry conference, SpaceX has delivered 682 spacecraft to orbit to date via rideshare missions.

The Almighty Buck

Roblox Facilitates 'Illegal Gambling' For Minors, According To New Lawsuit (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: A new proposed class-action lawsuit (as noticed by Bloomberg Law) accuses user-generated "metaverse" company Roblox of profiting from and helping to power third-party websites that use the platform's Robux currency for unregulated gambling activities. In doing so, the lawsuit says Roblox is effectively "work[ing] with and facilitat[ing] the Gambling Website Defendants... to offer illegal gambling opportunities to minor users." The three gambling website companies named in the lawsuit -- Satozuki, Studs Entertainment, and RBLXWild Entertainment -- allow users to connect a Roblox account and convert an existing balance of Robux virtual currency into credits on the gambling site. Those credits act like virtual casino chips that can be used for simple wagers on those sites, ranging from Blackjack to "coin flip" games.

If a player wins, they can transfer their winnings back to the Roblox platform in the form of Robux. The gambling sites use fake purchases of worthless "dummy items" to facilitate these Robux transfers, according to the lawsuit, and Roblox takes a 30 percent transaction fee both when players "cash in" and "cash out" from the gambling sites. If the player loses, the transferred Robux are retained by the gambling website through a "stock" account on the Roblox platform. In either case, the Robux can be converted back to actual money through the Developer Exchange Program. For individuals, this requires a player to be at least 13 years old, to file tax paperwork (in the US), and to have a balance of at least 30,000 Robux (currently worth $105, or $0.0035 per Robux).

The gambling websites also use the Developer Exchange Program to convert their Robux balances to real money, according to the lawsuit. And the real money involved isn't chump change, either; the lawsuit cites a claim from RBXFlip's owners that 7 billion Robux (worth over $70 million) was wagered on the site in 2021 and that the site's revenues increased 10 times in 2022. The sites are also frequently promoted by Roblox-focused social media influencers to drum up business, according to the lawsuit. Roblox's terms of service explicitly bar "experiences that include simulated gambling, including playing with virtual chips, simulated betting, or exchanging real money, Robux, or in-experience items of value." But the gambling sites get around this prohibition by hosting their games away from Roblox's platform of user-created "experiences" while still using Robux transfers to take advantage of players' virtual currency balances from the platform.

In a statement, Roblox said that "these are third-party sites and have no legal affiliation to Roblox whatsoever. Bad actors make illegal use of Roblox's intellectual property and branding to operate such sites in violation of our standards."

Red Hat Software

AlmaLinux Leader Says Red Hat's Code Crackdown Isn't a Threat (siliconangle.com) 16

Yes, Red Hat Enterprise Linux changed its licensing last month — but how will that affect AlmaLinux? The chair of the nonprofit AlmaLinux OS Foundation, benny Vasquez, tells SiliconANGLE that "For typical users, there's very, very little difference. Overall, we're still exactly the same way we were, except for kernel updates." Updates may no longer be available the day a new version of RHEL comes out, but developers still have access to Red Hat's planned enhancements and bug fixes via CentOS Stream, a version of RHEL that Red Hat uses as essentially a test bed for new features that might later be incorporated into its flagship product. From a practical perspective, that's nearly as good as having access to the production source code, Vasquez said. "While there is a generally accepted understanding that not everything in CentOS Stream will end up in RHEL, that's not how it works in practice," she said. "I can't think of anything they have shipped in RHEL that wasn't in Stream first."

That's still no guarantee, but the workarounds AlmaLinux has put in place over the past month should address all but the most outlier cases, Vasquez said. The strategy has shifted from bug-for-bug compatibility to being application binary interface-compatible... ABI compatibility doesn't guarantee that problems will never occur, but glitches should be rare and can usually be resolved by recompiling the source code. "It is sufficient for us to be ABI-compatible with RHEL," Vasquez said. "The most important thing is that this allows our community to feel stability."

In fact, Red Hat's change of direction has been a blessing in disguise for AlmaLinux, she said... "We view this as a release from our bonds of being one-to-one." Patches can be applied without waiting for a cue from Red Hat and "we get to engage with our community in a completely new and exciting way." AlmaLinux has also seen a modest financial windfall from Red Hat's decision. "The outpouring of support has been pretty impressive," Vasquez said. "People have shown up for event staffing and website maintenance and infrastructure management and we've gotten more financial backing from corporations."

Vasquez also told the site that "the number of everyday people throwing in $5 has more than quadrupled."

Programming

Rust Users Push Back as Popular 'Serde' Project Ships Precompiled Binaries (bleepingcomputer.com) 17

"Serde, a popular Rust (de)serialization project, has decided to ship its serde_derive macro as a precompiled binary," reports Bleeping Computer.

"The move has generated a fair amount of push back among developers who worry about its future legal and technical implications, along with a potential for supply chain attacks, should the maintainer account publishing these binaries be compromised." According to the Rust package registry, crates.io, serde has been downloaded over 196 million times over its lifetime, whereas the serde_derive macro has scored more than 171 million downloads, attesting to the project's widespread circulation... "The Serde ecosystem consists of data structures that know how to serialize and deserialize themselves along with data formats that know how to serialize and deserialize other things," states the project's website. Whereas, "derive" is one of its macros...

Some Rust developers request that precompiled binaries be kept optional and separate from the original "serde_derive" crate, while others have likened the move to the controversial code change to the Moq .NET project that sparked backlash. "Please consider moving the precompiled serde_derive version to a different crate and default serde_derive to building from source so that users that want the benefit of precompiled binary can opt-in to use it," requested one user. "Or vice-versa. Or any other solution that allows building from source without having to patch serde_derive... Having a binary shipped as part of the crate, while I understand the build time speed benefits, is for security reasons not a viable solution for some library users."

Users pointed out how the change could impact entities that are "legally not allowed to redistribute pre-compiled binaries, by their own licenses," specifically mentioning government-regulated environments.

The official response from Serde's maintainer: "The precompiled implementation is the only supported way to use the macros that are published in serde_derive. If there is implementation work needed in some build tools to accommodate it, someone should feel free to do that work (as I have done for Buck and Bazel, which are tools I use and contribute significantly to) or publish your own fork of the source code under a different name.

"Separately, regarding the commentary above about security, the best path forward would be for one of the people who cares about this to invest in a Cargo or crates.io RFC around first-class precompiled macros so that there is an approach that would suit your preferences; serde_derive would adopt that when available."
