Programming

Are Python Libraries Riddled With Security Holes? (techradar.com)

"Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue," reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each... The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that uses them. In total the research scanned 197,000 packages and found more than 749,000 security issues in all... Explaining their methodology, the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository. The paper reveals that of the issues identified, the largest share (442,373) are of low severity, while 227,426 are of moderate severity. However, 11% of the flagged PyPI packages have 80,065 high severity issues.
The Register supplies some context: Other surveys of this sort have come to similar conclusions about software package ecosystems. Last September, a group of IEEE researchers analyzed 6,673 actively used Node.js apps and found about 68 per cent depended on at least one vulnerable package... The situation is similar with package registries like Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R). In a phone interview, Ee W. Durbin III, director of infrastructure at the Python Software Foundation, told The Register, "Things like this tend not to be very surprising. One of the most overlooked or misunderstood parts of PyPI as a service is that it's intended to be freely accessible, freely available, and freely usable. Because of that we don't make any guarantees about the things that are available there..."

Durbin welcomed the work of the Finnish researchers because it makes people more aware of issues that are common among open package management systems and because it benefits the overall health of the Python community. "It's not something we ignore but it's also not something we historically have had the resources to take on," said Durbin. That may be less of an issue going forward. According to Durbin, there's been significantly more interest over the past year in supply chain security and what companies can do to improve the situation. For the Python community, that's translated into an effort to create a package vulnerability reporting API and the Python Advisory Database, a community-run repository of PyPI security advisories that's linked to the Google-spearheaded Open Vulnerability Database.

Businesses

Amazon Delivery Companies Routinely Tell Drivers To Bypass Safety Inspections (cnbc.com)

Amazon delivery companies around the U.S. are instructing workers to bypass daily inspections intended to make sure vans are safe to drive. From a report: Amazon requires contracted delivery drivers to inspect their vehicles at the beginning and end of their shift as a safety precaution. But some drivers say they're pressured to ignore damage and complete the inspections as quickly as possible, so that delivery companies can avoid taking vans off the road. If delivery companies take a van off the road, they risk forfeiting valuable package routes and drivers may lose a shift.

These inconsistent inspection practices undermine the company's public messaging around worker safety. They also highlight the tension that delivery partners face between ensuring drivers' safety and keeping up with Amazon's aggressive delivery quotas, which can stretch into hundreds of packages per day per driver. CNBC spoke to 10 current and former Amazon delivery drivers in Georgia, Ohio, Indiana, Illinois, Kentucky and Texas who discovered their vans had issues ranging from jammed doors and tires with little to no tread to busted backup cameras and broken mirrors. They say managers told them to ignore these problems and complete their deliveries as usual.

Security

Software Downloaded 30,000 Times From PyPI Ransacked Developers' Machines (arstechnica.com)

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads: one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and a third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not known what the IP address was or whether there was malware hosted on it.

Like most novice Python malware, the packages used only simple obfuscation, such as Base64 encoding. Karas told me that the first six packages had the ability to infect the developer's computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allow code execution on the machine they were installed on, this would be possible," he said in a direct message. "After infecting the development machine, they would allow code execution, and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."

Businesses

Amazon Wants Apartment Buildings to Install a 'Key' System that Lets Them Enter the Lobby (pennlive.com)

"Amazon is tired of ringing doorbells," reports the Associated Press. "The online shopping giant is pushing landlords around the country — sometimes with financial incentives — to give its drivers the ability to unlock apartment-building doors themselves with a mobile device." The service, dubbed Key for Business, is pitched as a way to cut down on stolen packages by making it easy to leave them in lobbies and not outside. Amazon benefits because it enables delivery workers to make their rounds faster. And fewer stolen packages reduce costs and could give Amazon an edge over competitors. Those who have installed the device say it reduces the constant buzzing by delivery people and is a safer alternative to giving out codes to scores of delivery people.

But the Amazon program, first announced in 2018, may stir security and privacy concerns as it gains traction. The company said that it does background checks on delivery people and that they can unlock doors only when they have a package in hand to scan. But tenants may not know that Amazon drivers have access to their building's front doors, since Amazon leaves it up to the building to notify them...

Amazon didn't respond to questions about potential hacking. The company has already installed the device in thousands of U.S. apartment buildings but declined to give a specific number... Amazon salespeople have been fanning out to cities across the country to knock on doors, make cold calls or approach building managers on the street to urge them to install the device. The company has even partnered with local locksmiths to push it on building managers while they fix locks. Amazon installs the device for free and sometimes throws in a $100 Amazon gift card to whoever lets them in.

Chrome

Researchers Found a Malicious NPM Package Using Chrome's Password-Recovery Tools (threatpost.com)

Threatpost reports on "another vast software supply-chain attack" that was "found lurking in the npm open-source code repository... a credentials-stealing code bomb" that used the password-recovery tools in Google's Chrome web browser. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker's command-and-control (C2) server and can upload files, record from a victim's screen and camera, and execute shell commands...

ReversingLabs researchers, who published their findings in a Wednesday post, said that during an analysis of the code repository, they found an interesting embedded Windows executable file: a credential-stealing threat. Labeled "Win32.Infostealer.Heuristics", it showed up in two packages: nodejs_net_server and temptesttempfile. At least for now, the first, main threat is nodejs_net_server. Some details:

nodejs_net_server: A package with 12 published versions and a total of more than 1,300 downloads since it was first published in February 2019... finally upgrading it last December with a script to download the password-stealer, which the developer hosts on a personal website. It was subsequently tweaked to run TeamViewer.exe instead, "probably because the author didn't want to have such an obvious connection between the malware and their website," researchers theorized...

ReversingLabs contacted the npm security team on July 2 to give them a heads-up about the nodejs_net_server and tempdownloadtempfile packages and circled back once again last week, on Thursday, since the team still hadn't removed the packages from the repository. When Threatpost reached out to npm Inc., which maintains the repository, a GitHub spokesperson sent this statement: "Both packages were removed following our investigation...."

Transportation

Parking Startups Are Cashing In On America's Traffic Surge (bloomberg.com)

An anonymous reader quotes a report from Bloomberg: During the depths of the U.S. coronavirus pandemic, cars sat idly in driveways, city streets were deserted, onetime commuters worked from bed -- and it was much, much easier to find a parking spot. All of which was devastating news for the small cadre of tech startups dedicated to helping people find and reserve places to park. For SpotHero, which makes an app that helps drivers locate parking spaces, business was down 90% in April 2020 compared with February. The company laid off half its employees. "It was a really hard time for us," Chief Executive Officer Mark Lawrence says. Now, at last, drivers are back, and so is the familiar American pastime of hunting for a parking spot. In the U.S., traffic was up 55% in April from a year earlier, according to the Federal Highway Administration. And although urban roads were slower to refill than their suburban counterparts, traffic in such cities as Chicago, Los Angeles, New York, and Washington, D.C., finally touched pre-pandemic levels again in June, according to Inrix, which analyzes mobility data.

The result has been a wave of new customers for SpotHero and companies like it. SpotHero bookings started to come back in January, then accelerated. "It was slowly, then suddenly," Lawrence says. Now the startup is profitable for the first time in 10 years, he says, thanks in part to a surge in car ownership spurred by people avoiding public transit. At FlashParking, which makes two spot-finding apps and helps event companies and garages coordinate availability, demand is higher than it was before the pandemic in some cities. Meanwhile, SpotAngels, which uses crowd input to create maps of nearby open spaces, says monthly revenue since its previous high in February 2020 had tripled by May 2021. "It's interesting to see how dark it was, and can get," SpotHero's Lawrence says, "and then have such optimism now."

Before the pandemic, the industry was in crisis, says Eran Ben-Joseph, a professor of urban planning at the Massachusetts Institute of Technology and author of ReThinking a Lot: The Design and Culture of Parking. The rise of such ride-sharing services as Uber and Lyft had meant that many parking garages at stadiums and the like were forced to retrofit their spaces for other uses, such as mini-distribution centers for packages. Post-pandemic, though, parking companies are benefiting from a renewed love of personal space. "I do think right now there's a little bit of a psychological issue with taking public transit or taking Uber," Ben-Joseph says. He also thinks parking apps in particular may be benefiting from the lack of desire to touch kiosk screens or hand over cash to an attendant.

Microsoft

Say Hi To Microsoft's Own Linux: CBL-Mariner (zdnet.com)

An anonymous reader quotes a report from ZDNet, written by Steven J. Vaughan-Nichols: Microsoft now has its very own, honest-to-goodness general-purpose Linux distribution: Common Base Linux (CBL)-Mariner. And, just like any Linux distro, you can download it and run it yourself. Microsoft didn't make a big fuss about releasing CBL-Mariner. It quietly released the code on GitHub, and anyone can use it. Indeed, Juan Manuel Rey, a Microsoft Senior Program Manager for Azure VMware, recently published a guide on how to build a CBL-Mariner ISO image. Before this, if you were a Linux expert, with a spot of work you could run it, but now, thanks to Rey, anyone with a bit of Linux skill can do it.

CBL-Mariner is not a Linux desktop. Like Azure Sphere, Microsoft's first specialized Linux distro, which is used for securing edge computing services, it's a server-side Linux. This Microsoft-branded Linux is an internal Linux distribution. It's meant for Microsoft's cloud infrastructure and edge products and services. Its main job is to provide a consistent Linux platform for these devices and services. Just like Fedora is to Red Hat, it keeps Microsoft on Linux's cutting edge. CBL-Mariner is built around the idea that you only need a small common core set of packages to address the needs of cloud and edge services. If you need more, CBL-Mariner also makes it easy to layer on additional packages on top of its common core. Once that's done, its simple build system easily enables you to create RPM packages from SPEC and source files. Or, you can also use it to create ISOs or Virtual hard disk (VHD) images.

As you'd expect, the basic CBL-Mariner is a very lightweight Linux. You can use it as a container or a container host. With its limited size also comes a minimal attack surface. This also makes it easy to deploy security patches to it via RPM. Its designers make a particular point of delivering the latest security patches and fixes to its users. For more about its security features, see CBL-Mariner's GitHub security features list. Like any other Linux distro, CBL-Mariner is built on the shoulders of giants. Microsoft credits VMware's Photon OS Project, a secure Linux; The Fedora Project; Linux from Scratch -- a guide to building Linux from source; the OpenMamba distro; and, yes, even GNU and the Free Software Foundation (FSF). To try it for yourself, you'll build it on Ubuntu 18.04. Frankly, I'd be surprised if you couldn't build it on any Ubuntu Linux distro from 18.04 on up. I did it on my Ubuntu 20.04.2 desktop. You'll also need the latest version of the Go language and Docker.

Businesses

Fired by Bot at Amazon: 'It's You Against the Machine' (bloomberg.com)

Contract drivers say algorithms terminate them by email -- even when they have done nothing wrong. From a report: Stephen Normandin spent almost four years racing around Phoenix delivering packages as a contract driver for Amazon.com. Then one day, he received an automated email. The algorithms tracking him had decided he wasn't doing his job properly. The 63-year-old Army veteran was stunned. He'd been fired by a machine. Normandin says Amazon punished him for things beyond his control that prevented him from completing his deliveries, such as locked apartment complexes. He said he took the termination hard and, priding himself on a strong work ethic, recalled that during his military career he helped cook for 250,000 Vietnamese refugees at Fort Chaffee in Arkansas. "I'm an old-school kind of guy, and I give every job 110%," he said. "This really upset me because we're talking about my reputation. They say I didn't do the job when I know damn well I did." Normandin's experience is a twist on the decades-old prediction that robots will replace workers. At Amazon, machines are often the boss -- hiring, rating and firing millions of people with little or no human oversight.

Amazon became the world's largest online retailer in part by outsourcing its sprawling operations to algorithms -- sets of computer instructions designed to solve specific problems. For years, the company has used algorithms to manage the millions of third-party merchants on its online marketplace, drawing complaints that sellers have been booted off after being falsely accused of selling counterfeit goods and jacking up prices. Increasingly, the company is ceding its human-resources operation to machines as well, using software not only to manage workers in its warehouses but to oversee contract drivers, independent delivery companies and even the performance of its office workers. People familiar with the strategy say Chief Executive Officer Jeff Bezos believes machines make decisions more quickly and accurately than people, reducing costs and giving Amazon a competitive advantage.

The Internet

Altice Is Reducing Cable-Internet Upload Speeds To Bring Them 'In Line With Other ISPs' (arstechnica.com)

Altice is slashing its cable-Internet upload speeds by up to 86 percent starting on July 12 to bring them "in line with other ISPs." Ars Technica reports: Altice Optimum Online plans that currently have advertised upload speeds of 35Mbps will be reduced to uploads of either 5Mbps, 10Mbps, or 20Mbps, depending on the plan. Altice did not announce any immediate price changes on the plans that are getting upload-speed cuts. The only good news for users is that the change will not affect existing customers as long as they stay on their current service plans, an Altice spokesperson told Ars. But new customers will have to accept the lower upload speeds, and existing customers would have to take the lower upload speeds whenever they upgrade, downgrade, or change service, Altice said.

Altice claimed that its cable network isn't having any trouble offering its current advertised speeds. "Our network continues to perform very well despite the significant data usage increases during the pandemic and the speed tiers we offer," the company said. The upload-speed change is apparently being implemented not to solve any network problem but to match the slower upload speeds offered by other cable ISPs. Altice told Ars that it is changing its cable upload speeds to bring them "in line with other ISPs and aligned with the industry."
Altice listed the upcoming changes in a chart on its website.

Businesses

Amazon Tells Drivers 'Endorphins Are Your Friend' On Amazon Prime Day (vice.com)

An anonymous reader quotes a report from Motherboard: Amazon's signature sales event has ended for customers, but Amazon drivers around the world are still working extended hours on routes with hundreds of stops to get those Amazon Prime Day packages delivered. In the United Kingdom, Amazon distributed a set of five tips to its drivers for "keep[ing] in top shape" during Amazon Prime Day: eat breakfast, drink water, take breaks, stay positive, and stop for lunch. But following these tips is impossible for many Amazon drivers who aren't even employed by the company. Amazon delivery drivers face extreme pressure from their contractors, known as Amazon Delivery Partners, who are in turn paid and evaluated by Amazon. In other words, they have to finish their routes as quickly as possible, often under pressure to circumvent safety rules, traffic laws, and skip legally mandated breaks in order to hit delivery targets.

"Keep it positive: Endorphins are your friend!" one of the tips on the flyer distributed to Amazon drivers reads. "Keep them flowing by staying on the move, and striking up a conversation." On Facebook forums, where surviving the Amazon sales event has been a frequent topic of conversation among drivers in recent days, drivers joked about Amazon's tips. "Take your lunch and breaks. Sure, if you want [your dispatcher] on your ass saying you're 20 or so stops behind," an Amazon delivery driver in Los Angeles wrote. "I don't take a break. I eat and drink as I go, as I like to get back to see my kids before they go to bed," an Amazon delivery driver in a suburb of London who received the flyer, told Motherboard. "As for striking up conversations, sometimes customers wanna chat, but we always kinda respond like, 'Haha that's great—anyway we gotta go,'" an Amazon delivery driver in Virginia told Motherboard.

Microsoft

Microsoft Linux Repos Suffered 22-Hour Outage (arstechnica.com)

"Everything from Visual Studio Code to Microsoft Edge and Teams package links were affected," reports Windows Central. They note Azure's status page (which now shows the issue lasting for more than 22 hours), but however long it lasted, "it's a virtual eternity for those whose entire ecosystem is crippled by such an outage."

According to Ars Technica, starting on Wednesday, "packages.microsoft.com — the repository from which Microsoft serves software installers for Linux distributions including CentOS, Debian, Fedora, OpenSUSE, and more — went down hard..." The outage impacted users trying to install .NET Core, Microsoft Teams, Microsoft SQL Server for Linux (yes, that's a thing) and more — as well as Azure's own devops pipelines.

We first became aware of the problem Wednesday evening when we saw 404 errors in the output of apt update on an Ubuntu workstation with Microsoft Teams installed. The outage is somewhat better-documented at this .NET Core issue report on GitHub, with many users from all around the world sharing their experiences and theories...

The entire repository cluster that serves all Linux packages for Microsoft was completely down — issuing a range of HTTP 404 (content not found) and 500 (Internal Server Error) messages for any URL — for roughly 18 hours. Microsoft engineer Rahul Bhandari confirmed the outage roughly five hours after it was initially reported, with a cryptic comment about the infrastructure team "running into some space issues."

Eighteen hours after the issue was detailed, Bhandari said that the mirrors were once again available — although with temporarily degraded performance, likely due to cold caches.

Privacy

Hackers Are Selling Data Stolen From Audi and Volkswagen (vice.com)

On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum. From a report: In the sales listing reviewed by Motherboard, a hacker that goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers. The type of data seems to align with what Volkswagen admitted was stolen. On a website set up by a cybersecurity vendor on behalf of the car maker, Volkswagen said that "the majority" of affected data included: "first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages."

But for 90,000 victims, the data also included "more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver's license numbers," according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.) "There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers," the website read.

Social Networks

Reddit Ends Secret Santa Gift-Giving Platform (gizmodo.com)

Reddit is shutting down the beloved Secret Santa platform Reddit Gifts after the 2021 holiday season. Gizmodo reports: Over the years, the related forum r/secretsanta has attracted over 200,000 members and celebrity surprises such as a cat drawing by Arnold Schwarzenegger, an autographed photo of Shaq, and annual thoughtful gift packages from Bill Gates containing items such as video games, a horse blanket, and 81 pounds of books and toys. "Why the fuck would you kill this," a top comment reads. Reddit admins didn't explain much in their announcement yesterday but acknowledged that "countless acts of love, heroism, compassion, support, growth and hilarity happened through Reddit Gifts, and those memories will live on in the hearts of our community." Plus loads of free press. Why the fuck would you kill this? Reddit has not yet responded to Gizmodo's request for comment.

Crime

Tech Scammer Who Fooled Cisco, Microsoft and Lenovo Out of Millions Jailed For Over Seven Years (theregister.com)

An anonymous reader quotes a report from The Register: A scammer who convinced some of the world's biggest tech businesses to send him replacement kit has been sentenced to seven years and eight months in the U.S. prison system. Justin David May, 31, used stolen hardware serial numbers, a plethora of fake websites and online identities, social engineering tactics, and a network of associates, to scam Cisco out of nearly $3.5m in hardware in just 12 months. Microsoft lost 137 Surface laptops (retail cost $364,761) to the crew, with Lenovo US also losing 137 replacement hard drives worth $143,000 and APC (formerly American Power Conversion) getting scammed out of a few uninterruptible power supplies. May pled guilty to 42 counts of mail fraud, 10 counts of money laundering, three counts of interstate transportation of goods obtained by fraud, and two counts of tax evasion.

In the largest scam against Cisco, run from April 2016, according to court documents [PDF] filed in the eastern district court of Pennsylvania, May and the team set up domains and email addresses to mimic cisco.com user IDs and harvested serial numbers of legitimate machinery. They then used these to trick Cisco into sending out replacement kit, such as a Cisco Catalyst 3850-48P-E Switch worth around $21,000 at the time, and a couple of Cisco ASR 9001 routers priced at over $100,000 for the pair. The same scam worked well for Microsoft and Lenovo too, it seems. The court docs note that May was skilled at picking imaginary faults that could not be repaired remotely (as basic software issues could) and that read as serious flaws needing a replacement unit. In addition, the crew digitally altered images of their supposed kit and serial numbers to fool support staff. Once the hardware was received, usually via UPS or FedEx, the companies never got the faulty kit back because it never existed. Meanwhile the packages were picked up, sold on eBay and other second-hand sites, and the cash pocketed, or, in the case of Microsoft, some of the hardware was shipped to Singapore for resale.

Businesses

Amazon's Cost Saving Routing Algorithm Makes Drivers Walk Into Traffic (vice.com)

An anonymous reader quotes a report from Motherboard: [T]he routing algorithm designed for its Flex app by Amazon's research scientists often makes [Amazon delivery drivers cross two- or three-lane highways], according to a source with direct knowledge of Amazon's routing algorithm. In North America and Europe, roughly 85,000 contracted delivery drivers rely on this algorithm to do their jobs. While crossing the street in a quiet suburban neighborhood is probably safe, doing so on a 50 mph highway can be deadly. Motherboard spoke to Amazon delivery drivers who work in Florida, Illinois, Michigan, South Carolina, Tennessee, Indiana, and California who described sprinting across the street -- or the highway -- to follow the Flex app's directions.

This app determines delivery routes for both Amazon's contracted delivery drivers, who drive Amazon-branded vans, and members of its independent contractor workforce, known as Amazon Flex drivers, who drive their own cars. When a driver has to make deliveries to several addresses that are clustered together, the Flex app combines them into a single stop, rather than make a stop at each address. Drivers call these "group stops," while Amazon research scientists and engineers tasked with optimizing routes that incorporate hundreds of stops per shift refer to this routing mechanism as "stop consolidation." These stops often include addresses on both sides of a street -- or highway. Rather than directing drivers to make a U-turn and deliver packages on one side of the street and then the other, the app instructs drivers to cross the street on foot. Depending on the size and number of packages, the driver might have to walk across the street multiple times, or run in order to meet Amazon's delivery quotas.

Amazon's contracted delivery drivers must use the app and follow its directions to make deliveries; Amazon's gig workers -- who are independent contractors -- can manually change Amazon's routing order, but must still use the app to make their deliveries. At Amazon, which pays delivery companies a fixed rate per delivery route each day regardless of how long it takes, the goal is to squeeze in as many deliveries as possible on a route, the source with internal knowledge of how Amazon creates its delivery routes said. "The main goal [at Amazon] is to make them deliver the most packages as possible in [a shift] because then we have to hire fewer drivers," the source familiar with Amazon's routing algorithm said. Hiring fewer drivers means the employer can pay less into workers' compensation, disability, and other employment benefits.

Alexandra Miller, a spokesperson for Amazon Logistics, denied that Amazon delivery drivers frequently jaywalk across busy intersections and run across high-speed rural highways, and said that if the company identifies data quality issues or defects in its maps, it fixes them promptly.

"Our routing system is designed to make the delivery experience as easy as possible for drivers and prioritizes same side of the street deliveries, unless the road is safe to cross," Miller said.

GNU is Not Unix

Free Software Foundation's Executive Director Resigns (fsf.org)

John Sullivan became the Free Software Foundation's Executive Director back in 2010. But now after 11 years, "I've decided to resign my position..." he tweeted Friday, "effective at the end of a transition period."

"We'll be sharing further details, including information about that transition, and a few more words, in the coming days."

Meanwhile, the Free Software Foundation announced Thursday that it's seeking "a principled, compassionate, and capable leader" to be its new executive director, working remotely out of their Boston office with the Foundation's current staff and board of directors. "The executive director, working with the president, is the public face of the Foundation." The FSF faces many challenges as software becomes increasingly central in the exercise of all fundamental human freedoms, including speech, association, privacy, and movement, and as software owners seek to exploit their control over us to profit at the expense of those freedoms. The executive director has a vital role in enabling the FSF to continue meeting these challenges, starting from the strong base that has been built in the last thirty-five years. The Foundation has recently reached record-high membership numbers and was awarded a perfect score from Charity Navigator, as well as its eighth consecutive four-star rating. Efforts to improve the Foundation's governance are underway.

The executive director is the FSF's chief employed officer. The position reports to the president/CEO and the board of directors, and is responsible for management of all other staff, all day-to-day operations, and oversight of the Boston physical office. The successful candidate will have the opportunity to hire for additional key positions in the management team.

One interesting item on their list of job responsibilities:
  • Mentor, inspire, coordinate, and manage all FSF staff, building a culture that upholds the FSF's ideological principles and includes accountability, empathy, efficiency, and excellence

A blog post on the FSF site also notes that the last month saw 11 new GNU releases. "A number of GNU packages, as well as the GNU operating system as a whole, are looking for maintainers and other assistance: please see https://www.gnu.org/server/takeaction.html#unmaint if you'd like to help."
Python

How Spam Flooded the Official Python Software Package Repository PyPI (bleepingcomputer.com) 41

"The official Python software package repository, PyPI, is getting flooded with spam packages..." Bleeping Computer reported Thursday.

"Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once..." PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-... Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI... The web page for these bogus packages contain spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality...

In February of this year, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet. At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation, had told ZDNet that the PyPI admins were working on addressing the spam attack; however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages... As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging...

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated. Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message. As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.
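The spam packages described above share a recognizable naming template ("watch-(movie-name)-2021-full-online-movie-free-hd-..."), and the earlier wave used "(brand)-keygen" names. As an added example, not code from the Bleeping Computer report or from PyPI's own tooling, the following heuristic screens a list of package names for those templates. The regexes, the spam-token list, the scoring thresholds and the sample names are all constructed for illustration; a real deployment would feed it names from the PyPI simple index.

```python
"""Heuristic screening of PyPI package names for warez-style spam.

Added example (assumptions: the name templates quoted in the report above;
the scoring weights and sample names below are constructed, not real data).
"""
import re
from dataclasses import dataclass

# Tokens the spam names are built from, per the naming templates in the report.
SPAM_TOKENS = {"watch", "full", "online", "movie", "free", "hd", "stream",
               "streaming", "download", "keygen", "crack", "2021"}

# "watch-<movie>-<year>-full-online-movie-free-hd..." template (constructed regex).
WAREZ_RE = re.compile(r"^watch-.+-(19|20)\d{2}-full-online-movie-free-hd")
# "<brand>-keygen" template from the February wave (constructed regex).
KEYGEN_RE = re.compile(r"^(discord|google|roblox)-?keygen")


@dataclass
class Verdict:
    name: str
    score: int
    reasons: tuple


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold, collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def score_name(name: str) -> Verdict:
    """Score one package name; higher means more spam-like."""
    norm = normalize(name)
    score, reasons = 0, []
    if WAREZ_RE.match(norm):
        score += 5
        reasons.append("warez-template")
    if KEYGEN_RE.match(norm):
        score += 5
        reasons.append("keygen-template")
    tokens = norm.split("-")
    hits = [t for t in tokens if t in SPAM_TOKENS]
    if len(hits) >= 3:            # keyword stuffing, even off-template
        score += 2
        reasons.append(f"{len(hits)} spam tokens")
    if len(tokens) >= 8:          # legitimate names are rarely this long
        score += 1
        reasons.append(f"{len(tokens)} segments")
    return Verdict(name, score, tuple(reasons))


def is_spam(name: str, threshold: int = 4) -> bool:
    """Threshold chosen so that template matches flag and token counts alone do not."""
    return score_name(name).score >= threshold


def triage(names, threshold: int = 4):
    """Return the Verdicts for names that cross the threshold."""
    return [v for v in map(score_name, names) if v.score >= threshold]


# Constructed sample input: two benign names, three on-template names, one
# keyword-stuffed name that should stay below the threshold.
SAMPLE_NAMES = [
    "requests",
    "numpy",
    "watch-some-movie-2021-full-online-movie-free-hd-4k",
    "Watch_Another_Film_2021_Full_Online_Movie_Free_HD",
    "discord-keygen",
    "free-hd-movie-stream-online",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_NAMES):
        print(f"{v.score:>2}  {v.name}  {', '.join(v.reasons)}")
```

Name screening is only a first filter. The report notes that these packages carry working code and author metadata copied from legitimate packages, and that each is uploaded from a fresh pseudonymous account, so a name match should be combined with account-level signals (account age, upload burst rate, shared metadata across accounts) before anything is removed automatically.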

The Almighty Buck

Covid Killed Universal Basic Income. Long Live Guaranteed Income (technologyreview.com) 360

Universal basic income has become a favored cause for many high-profile Silicon Valley entrepreneurs as a solution to the job losses and social conflict that would be wrought by automation and artificial intelligence -- the very technologies their own companies create. But the conversation has changed. Its center of gravity has shifted away from "universal basic income" aimed at counterbalancing the automation of work and toward "guaranteed income" aimed at addressing economic and racial injustices. Where things stand now: As it turned out, what made the difference wasn't more research but a global pandemic. In the face of the recession caused by the pandemic, relief packages were suddenly seen as necessary to jump-start the American economy. The success of the $1,400 stimulus checks makes it more likely now than ever before that guaranteed income could soon become a permanent fixture of federal policy.

Businesses

Amazon Drivers Are Instructed To Drive Recklessly To Meet Delivery Quotas (vice.com) 134

Amazon delivery companies around the United States are encouraging reckless and dangerous driving by ordering delivery drivers to shut off an app called Mentor that Amazon uses to monitor drivers' speed and give them a safety score to prevent accidents. Drivers say they are being ordered to turn the app off by their bosses so that they can speed through their delivery routes in order to hit Amazon's delivery targets. From a report: "Sign out of Mentor if you haven't already," a dispatcher at an Amazon delivery company texted a delivery driver at DDT2, an Amazon warehouse in the suburbs of Detroit, Michigan, a little after noon on a day in March, according to a screenshot obtained by Motherboard. This was less than five hours into his 10-hour shift. "Starting tomorrow everyone needs to be logged into Mentor for at least 2 hours no more no less, so make sure that's one of the first things we're doing in the mornings," a dispatcher at DAT2, an Amazon delivery station in the suburbs of Atlanta, told drivers who work 10-hour shifts in a group chat in May 2020.

Mentor is a smartphone app made by a company called eDriving, which partners with Amazon to monitor the driving behaviors of delivery drivers at Amazon Delivery Service Partners, which are quasi-independent companies who are contracted by Amazon to deliver packages in Amazon-branded vans. Using sensors in a driver's smartphone, Mentor collects information about a driver's acceleration, braking, cornering, and speeding. It also detects "phone distraction" based on how much a driver is using their phone outside of the Mentor app. It then gives drivers a "FICO Safe Driving Score" in order to "objectively measure how safe a driver is." Amazon ties driver bonuses to several metrics, including a delivery worker's driving score.

Robotics

No Human Can Match This High-Speed Box-Unloading Robot Named After a Pickle (ieee.org) 94

schwit1 writes: Able to move 1,600 boxes per hour using just one arm, Dill relies on humans to keep it operating efficiently. Pickle Robots says that Dill's approach to the box unloading task is unique in a couple of ways. First, it can handle messy trailers filled with a jumble of boxes of different shapes, colors, sizes, and weights. And second, from the get-go it's intended to work under human supervision, relying on people to step in and handle edge cases.

We asked Meyer how much Dill costs, and to our surprise, he gave us a candid answer: Depending on the configuration, the system can cost anywhere from $50-100k to deploy and about that same amount per year to operate. Meyer points out that you can't really compare the robot to a human (or humans) simply on speed, since with the robot, you don't have to worry about injuries or improper sorting of packages or training or turnover. While Pickle is currently working on several other configurations of robots for package handling, this particular truck unloading configuration will be shipping to customers next year.
