Technology

Amazon's Palm-Scanning Payment System Coming To All Whole Foods Stores (fastcompany.com)

Amazon has announced that its palm-scanning payment technology, called Amazon One, will roll out to all 500-plus Whole Foods locations by the end of 2023. From a report: Amazon first introduced the contactless Amazon One payment system in 2020, but its expansion by the end of 2023 will be its largest to date. Amazon One works by the user scanning their palm above a reader -- in other words, it's another form of contactless biometric authentication, like Apple's Face ID. But instead of reading your face, Amazon One reads the lines and ridges of your palm and the unique vein patterns beneath it. This reading of deeper subcutaneous features means that someone can't just photograph your palm and start loading up on costly cheeses at Whole Foods at your expense.

Your palm signature is associated with your Amazon Prime account or just a credit card, and it means you don't even need to bring your phone or wallet with you to shop and pay for goods. Currently, Amazon One is available at 200 Whole Foods in the United States as well as 200 locations at other retail outlets. Amazon's rollout will bring the total Amazon One payment locations to over 700 by year's end. Other locations where you can currently use Amazon One include Coors Field in Colorado and select Panera Bread restaurants.

Mars

Rover Sampling Finds Organic Molecules In Water-Altered Rocks (arstechnica.com)

The Perseverance rover's Scanning Habitable Environments with Raman & Luminescence for Organics & Chemicals (SHERLOC) instrument, designed to analyze organic chemicals on Mars, has provided valuable insights into the presence and distribution of potential organic materials on the surface of Mars. The findings have been published in the journal Nature. An anonymous reader shares a report from Ars Technica: SHERLOC comes with a deep-UV laser to excite molecules into fluorescing, and the wavelengths they fluoresce at can tell us something about the molecules present. It's also got the hardware to do Raman spectroscopy simultaneously. Collectively, these two capabilities indicate what kinds of molecules are present, though they can't typically identify specific chemicals. And, critically, SHERLOC provides spatial information, telling us where sample-specific signals come from. This allows the instrument to determine which chemicals are located in the same spot in a rock and thus were likely formed or deposited together.

SHERLOC can sample rocks simply by being held near them. The new results are based on a set of samples from two rock formations found on the floor of the Jezero crater. In some cases, the imaging was done by pointing it directly at a rock; in others, the rock surface, and any dust and contaminants it contained, was abraded away by Perseverance before the imaging was done. SHERLOC identified a variety of signatures of potential organic material in these samples. There were a few cases where it was technically possible that the signatures were produced by a very specific chemical that lacked carbon (primarily cerium salts). But, given the choice between a huge range of organic molecules or a very specific salt, the researchers favor organic materials as the source. One thing that was clear was that the level of organic material present changed over time. The deeper, older layer called Seitah only had a tenth of the material found in the Maaz rocks that formed above them. The reason for this difference isn't clear, but it indicates that either the production or deposition of organic material on Mars has changed over time.

Between the different samples and the ability to resolve different regions of the samples, the researchers were able to identify distinct signals that each occurred in many samples. While it wasn't possible to identify the specific molecule responsible, they were able to say a fair bit about them. One signal came from samples that contained a ringed organic compound, along with sulfates. The most common signal came from a two-ringed organic molecule, and was associated with various salts: phosphate, sulfate, silicates, and potentially a perchlorate. Another likely contained a benzene ring associated with iron oxides. A different ringed compound was found in two of the samples. Overall, the researchers conclude that these differences are significant. The fact that distinct organic chemicals are consistently associated with different salts suggests that there were either several distinct ways of synthesizing the organics or that they were deposited and preserved under distinct conditions. Many of the salts seen here are also associated with either water-based deposition or water-driven chemical alteration of the rock -- again, consistent with the processes involved changing over time. Collectively, the researchers say this argues against the organic chemicals simply having been delivered to Mars on a meteorite.

Encryption

Security Researchers Latest To Blast UK's Online Safety Bill As Encryption Risk (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Nearly 70 IT security and privacy academics have added to the clamor of alarm over the damage the U.K.'s Online Safety Bill could wreak to, er, online safety unless it's amended to ensure it does not undermine strong encryption. Writing in an open letter (PDF), 68 U.K.-affiliated security and privacy researchers have warned the draft legislation poses a stark risk to essential security technologies that are routinely used to keep digital communications safe.

"As independent information security and cryptography researchers, we build technologies that keep people safe online. It is in this capacity that we see the need to stress that the safety provided by these essential technologies is now under threat in the Online Safety Bill," the academics warn, echoing concerns already expressed by end-to-end encrypted comms services such as WhatsApp, Signal and Element -- which have said they would opt to withdraw services from the market or be blocked by U.K. authorities rather than compromise the level of security provided to their users. [...] "We understand that this is a critical time for the Online Safety Bill, as it is being discussed in the House of Lords before being returned to the Commons this summer," they write. "In brief, our concern is that surveillance technologies are deployed in the spirit of providing online safety. This act undermines privacy guarantees and, indeed, safety online."

The academics, who hold professorships and other positions at universities around the country -- including a number of Russell Group research-intensive institutions such as King's College and Imperial College in London, Oxford and Cambridge, Edinburgh, Sheffield and Manchester to name a few -- say their aim with the letter is to highlight "alarming misunderstandings and misconceptions around the Online Safety Bill and its interaction with the privacy and security technologies that our daily online interactions and communication rely on."

"There is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties," the experts warn, adding: "The history of 'no one but us' cryptographic backdoors is a history of failures, from the Clipper chip to DualEC. All technological solutions being put forward share that they give a third party access to private speech, messages and images under some criteria defined by that third party."

Last week, Apple publicly voiced its opposition to the bill. The company said in a statement: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

AI

100 Bands Including RATM Boycott Venues Using Facial Recognition Technology (rollingstone.com)

Rolling Stone reports: Over 100 artists including Rage Against the Machine co-founders Tom Morello and Zack de la Rocha, along with Boots Riley and Speedy Ortiz, have announced that they are boycotting any concert venue that uses facial recognition technology, citing concerns that the tech infringes on privacy and increases discrimination.

The boycott, organized by the digital rights advocacy group Fight for the Future, calls for the ban of face-scanning technology at all live events. Several smaller independent concert venues across the country, including the House of Yes in Brooklyn, the Lyric Hyperion in Los Angeles, and Black Cat in D.C., also pledged to not use facial recognition tech for their shows. Other artists who said they would boycott include Anti-Flag, Wheatus, Downtown Boys, and over 80 additional artists. The full list of signatories is available here.

"Surveillance tech companies are pitching biometric data tools as 'innovative' and helpful for increasing efficiency and security. Not only is this false, it's morally corrupt," Leila Nashashibi, campaigner at Fight for the Future, said in a statement. "For starters, this technology is so inaccurate that it actually creates more harm and problems than it solves, through misidentification and other technical faultiness. Even scarier, though, is a world in which all facial recognition technology works 100% perfectly — in other words, a world in which privacy is nonexistent, where we're identified, watched, and surveilled everywhere we go...." New York venue Citi Field as well as Cleveland's FirstEnergy Stadium, Miami's Hard Rock Stadium, and the Pechanga Arena in San Diego are among several venues across the country that have used face-scanning.

Thanks to long-time Slashdot reader SonicSpike for sharing the story.

Network

Brave Aims To Curb Practice of Websites That Port Scan Visitors (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The Brave browser will take action against websites that snoop on visitors by scanning their open Internet ports or accessing other network resources that can expose personal information. Starting in version 1.54, Brave will automatically block website port scanning, a practice that a surprisingly large number of sites were found engaging in a few years ago. According to this list compiled in 2021 by a researcher who goes by the handle G666g1e, 744 websites scanned visitors' ports, most or all without providing notice or seeking permission in advance. eBay, Chick-fil-A, Best Buy, Kroger, and Macy's were among the offending websites.

Some sites use similar tactics in an attempt to fingerprint visitors so they can be re-identified each time they return, even if they delete browser cookies. By running scripts that access local resources on the visiting devices, the sites can detect unique patterns in a visiting browser. Sometimes there are benign reasons a site will access local resources, such as detecting insecurities or allowing developers to test their websites. Often, however, there are more abusive or malicious motives involved.

The new version of Brave will curb the practice. By default, no website will be able to access local resources. More advanced users who want a particular site to have such access can add it to an allow list. The interface will look something like the screenshot displayed [here]. Brave will continue to use filter list rules to block scripts and sites known to abuse localhost resources. Additionally, the browser will include an allow list that gives the green light to sites known to access localhost resources for user-benefiting reasons.

"Brave has chosen to implement the localhost permission in this multistep way for several reasons," developers of the browser wrote. "Most importantly, we expect that abuse of localhost resources is far more common than user-benefiting cases, and we want to avoid presenting users with permission dialogs for requests we expect will only cause harm."

"As far as we can tell, Brave is the only browser that will block requests to localhost resources from both secure and insecure public sites, while still maintaining a compatibility path for sites that users trust (in the form of the discussed localhost permission)" the Brave post said.

Encryption

Apple Joins Opposition in UK To Encrypted Message App Scanning (bbc.com)

Apple has criticised powers in the UK's Online Safety Bill that could be used to force encrypted messaging tools like iMessage, WhatsApp and Signal to scan messages for child abuse material. From a report: Its intervention comes as 80 organisations and tech experts have written to Technology Minister Chloe Smith urging a rethink on the powers. Apple told the BBC the bill should be amended to protect encryption. End-to-end encryption (E2EE) stops anyone but the sender and recipient reading the message. Police, the government and some high-profile child protection charities maintain the tech -- used in apps such as WhatsApp and Apple's iMessage -- prevents law enforcement and the firms themselves from identifying the sharing of child sexual abuse material.

But in a statement Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

Microsoft

Windows 11 Preview Adds Better Passkey Support, Rolls Back File Explorer Changes (arstechnica.com)

The latest Windows 11 Insider Preview build includes improved support for passkeys, a new standard for passwordless authentication, as well as support for Unicode 15 emoji, changes to Windows' location-based time zone setting, and a handful of bug fixes. Microsoft has also rolled back proposed changes to the File Explorer that would have removed several relatively obscure settings from the Folder Options window. Ars Technica reports: Though the Microsoft Edge browser has supported passkeys for a while now, this week's Insider build expands support to "any app or website that supports passkeys," which can use built-in Windows Hello authentication (either via a PIN, fingerprint reader, or face-scanning camera) to sign you in without requiring a password. You can also view the full list of passkeys that have been created on your device and delete individual passkeys if you no longer want to use them. If your browser natively supports passkeys and has its own user interface for handling them, you'll need to select "Windows Hello or external security key" to use the built-in Windows UI instead.

The new Insider build also adds support for Unicode 15 emoji, a few changes to Windows' location-based time zone setting, and a handful of fixes. But most notably for people who complained about last week's Insider build, Microsoft has rolled back proposed changes that would have removed several relatively obscure settings from the Folder Options window in the File Explorer. "As is normal for the Dev Channel, we will often try things out and get feedback and adjust based on the feedback we receive," wrote Microsoft's Amanda Langowski and Brandon LeBlanc in a post detailing the new build's changes.

IT

DuckDuckGo Browser Beta for Windows Bakes in a Lot of Privacy Tools (arstechnica.com)

Privacy-focused firm DuckDuckGo has released a public beta of its browser for Windows, offering more default privacy protections and an assortment of Duck-made browsing tools. From a report: Like its Mac browser, DuckDuckGo (DDG) uses "the underlying operating system rendering API" rather than its own forked browser code. That's "a Windows WebView2 call that utilizes the Blink rendering engine underneath," according to DuckDuckGo's blog post. Fittingly, the browser reports itself as Microsoft Edge at most header-scanning sites. Inside the DuckDuckGo browser, you'll find:

1. Duck Player, which shows (most) YouTube videos "without privacy-invading ads" and doesn't feed your recommendations
2. Tracker blocking that DDG cites as "above and beyond" other browsers, including third-party tracker loading
3. Enforced encryption
4. The "fire button" that instantly closes all tabs and clears website data
5. Cookie pop-up management, automatically selecting a private option and hiding "I accept" pop-ups
6. Email protection, making it easier to use an auto-forwarding duck.com address on web forms

Businesses

What Happens When You Ask Alexa if Amazon is a Monopoly? (stltoday.com)

An anonymous reader shared this report from Bloomberg: Ask Amazon's digital assistant, "Hey, Alexa, is Amazon a monopoly?" and it will profess ignorance.

"Hmm, I don't know that one," it answers.

But ask about any of the other tech giants' business practices, and it's ready to critique them. Surfacing answers from across the internet, Alexa describes Apple as an "oligopoly" and cites Alphabet's Google as violating privacy rights, according to Bloomberg News tests of the software on three devices.... [Alexa] won't label Amazon a monopoly, but it tends to respond in the affirmative when asked the same question about Google, Meta's Facebook, Microsoft and Walmart. When Alexa is asked if Amazon has broken antitrust law, it says, "I don't have an answer to the question I just heard."

Google's Assistant and Apple's Siri, Alexa's two closest competitors, each cite news stories on government antitrust lawsuits against their companies. Siri, for the most part, offers up criticisms of the iPhone maker. But it evades at least one question about Apple's power. When asked whether Apple is a monopoly, Siri often replies, "I can't answer that, but Apple.com should be able to...."

Alexa also cites alleged privacy lapses by its rivals, bringing up a Facebook privacy settlement with the FTC and allegations that Apple's finger-scanning technology violates constitutional rights. When users ask whether Amazon violates users' privacy, Alexa sticks up for its safeguards: "Amazon builds multiple layers of privacy protections into your Alexa experience." It also links to an Amazon website with more information about Alexa's privacy settings.

Science

The First X-Ray Taken of a Single Atom (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Atomic-scale imaging emerged in the mid-1950s and has been advancing rapidly ever since -- so much so, that back in 2008, physicists successfully used an electron microscope to image a single hydrogen atom. Five years later, scientists were able to peer inside a hydrogen atom using a "quantum microscope," resulting in the first direct observation of electron orbitals. And now we have the first X-ray taken of a single atom, courtesy of scientists from Ohio University, Argonne National Laboratory, and the University of Illinois-Chicago, according to a new paper published in the journal Nature.

"Atoms can be routinely imaged with scanning probe microscopes, but without X-rays one cannot tell what they are made of," said co-author Saw-Wai Hla, a physicist at Ohio University and Argonne National Laboratory. "We can now detect exactly the type of a particular atom, one atom at a time, and can simultaneously measure its chemical state. Once we are able to do that, we can trace the materials down to [the] ultimate limit of just one atom. This will have a great impact on environmental and medical sciences." [...] Hla has been working for the last 12 years to develop an X-ray version of STM: synchrotron X-ray-scanning tunneling microscopy, or SX-STM, which would enable scientists to identify the type of atom and its chemical state. X-ray imaging methods like synchrotron radiation are widely used across myriad disciplines, including art and archaeology. But the smallest amount to date that can be X-rayed is an attogram, or roughly 10,000 atoms. That's because the X-ray emission of a single atom is just too weak to be detected -- until now.

SX-STM combines conventional synchrotron radiation with quantum tunneling. It replaces the conventional X-ray detector used in most synchrotron radiation experiments with a different kind of detector: a sharp metal tip placed extremely close to the sample, the better to collect electrons pushed into an excited state by the X-rays. With Hla et al.'s method, X-rays hit the sample and excite the core electrons, which then tunnel to the detector tip. The photoabsorption of the core electrons serves as a kind of elemental fingerprint for identifying the type of atoms in a material. The team tested their method at the XTIP beam line at Argonne's Advanced Photon Source, using an iron atom and a terbium atom (inserted into supramolecules, which served as hosts). And that's not all. "We have detected the chemical states of individual atoms as well," said Hla. "By comparing the chemical states of an iron atom and a terbium atom inside respective molecular hosts, we find that the terbium atom, a rare-earth metal, is rather isolated and does not change its chemical state, while the iron atom strongly interacts with its surrounding." Also, Hla's team has developed another technique called X-ray-excited resonance tunneling (X-ERT), which will allow them to detect the orientation of the orbital of a single molecule on a material surface.

Encryption

Leaked Government Document Shows Spain Wants To Ban End-to-End Encryption (wired.com)

An anonymous reader quotes a report from Wired: Spain has advocated banning encryption for hundreds of millions of people within the European Union, according to a leaked document obtained by WIRED that reveals strong support among EU member states for proposals to scan private messages for illegal content. The document, a European Council survey of member countries' views on encryption regulation, offered officials' behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe. The proposed law would require tech companies to scan their platforms, including users' private messages, to find illegal material. However, the proposal from Ylva Johansson, the EU commissioner in charge of home affairs, has drawn ire from cryptographers, technologists, and privacy advocates for its potential impact on end-to-end encryption.

For years, EU states have debated whether end-to-end encrypted communication platforms, such as WhatsApp and Signal, should be protected as a way for Europeans to exercise a fundamental right to privacy -- or weakened to keep criminals from being able to communicate outside the reach of law enforcement. Experts who reviewed the document at WIRED's request say it provides important insight into which EU countries plan to support a proposal that threatens to reshape encryption and the future of online privacy. Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain's position emerging as the most extreme. "Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document. The source of the document declined to comment and requested anonymity because they were not authorized to share it.

In its response, Spain said it is "imperative that we have access to the data" and suggests that it should be possible for encrypted communications to be decrypted. Spain's interior minister, Fernando Grande-Marlaska, has been outspoken about what he considers the threat posed by encryption. When reached for comment about the leaked document, Daniel Campos de Diego, a spokesperson for Spain's Ministry of Interior, says the country's position on this matter is widely known and has been publicly disseminated on several occasions. Edging close to Spain, Poland advocated in the leaked document for mechanisms through which encryption could be lifted by court order and for parents to have the power to decrypt children's communications.

Several other countries say they would give law enforcement access to people's encrypted messages and communications. "Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge," says Ella Jakubowska, a senior policy advisor at European Digital Rights (EDRI) who reviewed the document. "They are seeing this law is going far beyond what DG home is claiming that it's there for."

Microsoft

Microsoft Is Scanning the Inside of Password-Protected Zip Files For Malware (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected zip files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected." "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples," Brandt wrote. "The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs."

Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list. "If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.

"A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars.

"One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."
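As an added example that is not part of the Ars report or of any Microsoft tooling: a Python check that reads an archive's headers and reports, without extracting anything, whether each member is unprotected, protected only by legacy ZipCrypto, or protected by WinZip-style AES (compression method 99 with a 0x9901 extra field). The sample archive is constructed in memory by hand, so its "encrypted" members carry placeholder bytes rather than real ciphertext, and every file name is made up.

```python
import io
import struct
import zipfile
import zlib

# Header ids from the zip and WinZip AES specifications.
AES_METHOD = 99          # compression method reserved for WinZip AES entries
AES_EXTRA_ID = 0x9901    # extra-field id carrying the AES parameters
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: member is encrypted


def aes_extra(strength: int, real_method: int = 8) -> bytes:
    """Build a WinZip AE-2 extra field: version, vendor 'AE', strength, real method."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


def build_zip(entries) -> bytes:
    """Assemble a minimal zip from (name, payload, flags, method, extra) tuples.

    Only the headers matter for inspection, so payloads are written as-is; the
    'encrypted' members here hold constructed placeholder bytes, not ciphertext.
    """
    body, central = io.BytesIO(), io.BytesIO()
    for name, payload, flags, method, extra in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = body.tell()
        # Local file header (30 bytes) + name + extra + data (stored, 1980-01-01).
        body.write(struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method,
                               0, 0x21, crc, len(payload), len(payload),
                               len(name_b), len(extra)))
        body.write(name_b + extra + payload)
        # Central directory header (46 bytes) + name + extra.
        central.write(struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20,
                                  flags, method, 0, 0x21, crc, len(payload),
                                  len(payload), len(name_b), len(extra),
                                  0, 0, 0, 0, offset))
        central.write(name_b + extra)
    cd_offset = body.tell()
    cd = central.getvalue()
    body.write(cd)
    # End of central directory record (22 bytes, no archive comment).
    body.write(struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(entries),
                           len(entries), len(cd), cd_offset, 0))
    return body.getvalue()


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Report the protection a member's headers declare: none, ZipCrypto or AES-*."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type != AES_METHOD:
        return "ZipCrypto"  # legacy PKWARE stream cipher, the Windows default
    extra = info.extra
    while len(extra) >= 4:
        tag, length = struct.unpack("<HH", extra[:4])
        if tag == AES_EXTRA_ID and length >= 7:
            # Layout after the 4-byte header: version(2) 'AE'(2) strength(1) method(2)
            return AES_STRENGTH.get(extra[8], "AES-unknown")
        extra = extra[4 + length:]
    return "AES-unknown"


def audit_zip(data: bytes) -> dict:
    """Map every member name to its declared protection using only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def weak_members(data: bytes) -> list:
    """Members relying on ZipCrypto alone, the scheme the report calls trivial to override."""
    return sorted(name for name, kind in audit_zip(data).items() if kind == "ZipCrypto")


# Constructed sample: one plain member, one ZipCrypto member, one AES-256 member.
SAMPLE_ZIP = build_zip([
    ("readme.txt", b"not encrypted at all\n", 0, 0, b""),
    ("sample.bin", b"\x00" * 32, FLAG_ENCRYPTED, 0, b""),
    ("strong.bin", b"\x00" * 48, FLAG_ENCRYPTED, AES_METHOD, aes_extra(3)),
])

if __name__ == "__main__":
    for name, kind in audit_zip(SAMPLE_ZIP).items():
        print(f"{name}: {kind}")
    print("ZipCrypto-only members:", weak_members(SAMPLE_ZIP))
```

Run against a real archive with `audit_zip(open(path, "rb").read())`; anything listed by `weak_members` should be treated as readable by whoever holds the file, not as confidential.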

Bitcoin

OpenAI's Sam Altman Set To Raise $100 Million For Worldcoin (businessinsider.com)

According to the Financial Times, OpenAI CEO Sam Altman is close to raising around $100 million in funding for his Worldcoin crypto project. Markets Insider reports: Worldcoin is in advanced talks to raise the cash from both new and existing investors ahead of a potential launch within the next few weeks, the Financial Times said Sunday, citing three people with knowledge of the deal. The startup wants to use eyeball-scanning technology to create a digital identification system that would give people across the globe access to a free crypto token called Worldcoin. It's previously received backing from Andreessen Horowitz's crypto fund, Coinbase's VC arm Coinbase Ventures, and FTX founder Sam Bankman-Fried.

Worldcoin pulled in $100 million from investors last year through a token sale that valued the company at around $3 billion, according to a report by The Information from March 2022. That fundraising effort came before a bruising period for crypto in which flagship tokens like bitcoin and ether cratered in price and high-profile companies including Bankman-Fried's FTX collapsed. "It's a bear market, a crypto winter. It's remarkable for a project in this space to get this amount of investment," one of the FT's sources told the publication.

Technology

Universal Product Code Barcode Will Be Supplanted By 2027 With a More Data-Rich '2D' Barcode (axios.com)

The humble and familiar barcode -- a staple on consumer packaging for nearly 50 years -- will soon be replaced with a more robust and muscular successor that offers far more information about the product inside. Axios reports: In a worldwide push called "Sunrise 2027," the retail industry is transitioning from the standard 12-digit barcode -- that square of vertical lines that's printed on a package and makes it go "beep" at the checkout scanner -- to a two-dimensional web-enabled version. The effort is being orchestrated by GS1 US, the nonprofit standards organization that oversees the barcode world. In the United States, Universal Product Code (UPC) barcodes will be supplanted by a new 2D type, with information encoded on both the horizontal and vertical axes. By 2027, only the 2D barcodes will be accepted at registers globally.

The new "2D" barcodes will unlock reams of online extras (for consumers) and revolutionize inventory management (for retailers). Scanning them may tell us the field where something was grown, the factory where a garment was sewn, the sustainability practices of the company that made it -- or the washing instructions. [...] Stores will be able to respond immediately to product recalls, identifying faulty items and removing them from shelves. They'll be able to flag foods that are approaching their sell-by date -- and offer discounts before they expire. Consumers will gain online access to a trove of useful data -- everything from ingredients, recipes and potential allergens to promotional offers and information about how to recycle the product.

GS1 US just released a "barcode capabilities test kit" to help retailers evaluate their readiness for the 2D transition. We can expect to start seeing more products printed with 2D barcodes (or both types, as the transition moves forward) fairly soon.

Programming

Undercutting Microsoft, Amazon Offers Free Access to Its AI Coding Assistant 'CodeWhisperer' (theverge.com)

Amazon is making its AI-powered coding assistant CodeWhisperer free for individual developers, reports the Verge, "undercutting the $10 per month pricing of its Microsoft-made rival." Amazon launched CodeWhisperer as a preview last year, which developers can use within various integrated development environments (IDEs), like Visual Studio Code, to generate lines of code based on a text-based prompt....

CodeWhisperer automatically filters out any code suggestions that are potentially biased or unfair and flags any code that's similar to open-source training data. It also comes with security scanning features that can identify vulnerabilities within a developer's code, while providing suggestions to help close any security gaps it uncovers. CodeWhisperer now supports several languages, including Python, Java, JavaScript, TypeScript, and C#, as well as Go, Rust, PHP, Ruby, Kotlin, C, C++, Shell scripting, SQL, and Scala.

Here's how Amazon's senior developer advocate pitched the usefulness of their "real-time AI coding companion": Helping to keep developers in their flow is increasingly important as, facing increasing time pressure to get their work done, developers are often forced to break that flow to turn to an internet search, sites such as StackOverflow, or their colleagues for help in completing tasks. While this can help them obtain the starter code they need, it's disruptive as they've had to leave their IDE environment to search or ask questions in a forum or find and ask a colleague — further adding to the disruption. Instead, CodeWhisperer meets developers where they are most productive, providing recommendations in real time as they write code or comments in their IDE. During the preview we ran a productivity challenge, and participants who used CodeWhisperer were 27% more likely to complete tasks successfully and did so an average of 57% faster than those who didn't use CodeWhisperer....

It provides additional data for suggestions — for example, the repository URL and license — when code similar to training data is generated, helping lower the risk of using the code and enabling developers to reuse it with confidence.

Security

Google's Free Assured Open Source Software Service Hits General Availability (techcrunch.com) 24

An anonymous reader shares a report: About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing some of the world's most popular software libraries for vulnerabilities. Today, Google is launching Assured OSS into general availability with support for well over a thousand Java and Python packages -- and while Google didn't initially disclose pricing when it first announced the service, the company has now revealed that it will be available for free.

Software development has long depended on third-party libraries (which are often maintained by only a single developer), but it wasn't until the industry got hit with a number of high-profile exploits that everyone (including the White House) perked up and started taking software supply chain security seriously. Now, you can't attend an open source conference without hearing about Software Bills of Materials (SBOMs), artifact registries and similar topics. It's no surprise then that Google, which has long been at the forefront of releasing open-source products, launched a service like Assured OSS.

Google promises that it will constantly keep these libraries up to date (without creating forks) and continuously scan for known vulnerabilities, do fuzz tests to discover new ones and then fix these issues and contribute these fixes back upstream. The company notes that when it first launched the service with around 250 Java libraries, it was responsible for discovering 48% of the new CVEs for these libraries and subsequently addressing them.

AI

Panera Bread Begins Scanning Its Customers' Palms (cbsnews.com) 123

Slashdot reader quonset writes: In an effort to further personalize a customer's experience, the U.S. restaurant chain Panera Bread is rolling out palm-scanning technology which will link the palm print with the customer's loyalty program. According to Panera Bread CEO Niren Chaudhary, the move will allow a "frictionless, personalized, and convenient" evolution of Panera's loyalty program, which boasts 52 million members. The claim is this will allow the company to offer menu choices based on a customer's order history, allow staff to personally greet the customer, and offer further suggestions.

Privacy advocates are not so sure. From the story:

Panera says the technology will securely store its customers' biometric data. However, digital rights activists worry that information could be tapped by federal agencies or accessed by hackers.

"Federal agencies like Customs and Border Protection have experienced devastating hacks where large databases of biometric information have been stolen," Fight for the Future told CBS MoneyWatch in an email. "Do we really expect Amazon, or Panera, to have better cybersecurity practices?"

The scanners are already installed at locations in St. Louis, Panera announced Wednesday, and scanners will "expand to additional locations in the coming months." (Panera has 2,113 locations in 48 states.) "After a simple scan of the palm, Panera associates will be able to greet guests by name, communicate their available rewards, reorder their favorite menu items, or take another order of their choice," the announcement gushes, "extending the guest experience into a true and meaningful relationship.

"When they are done ordering, guests can simply scan their palm again to pay."

Books

Online-Books Lawsuit Tests Limits of Libraries in Digital Age 63

A federal judge on Monday will weigh pleas by four major book publishers to stop an online lending library from freely offering digital copies of books, in a case that raises novel questions about digital-library rights and the reach of copyright law that protects the work of writers and publishers. From a report: Nonprofit organization Internet Archive created the digital books, building its collection by scanning physical book copies in its possession. It lends the digital versions to readers worldwide, with more than three million digitized books on offer. Titles range from Stephen King's scary bestseller "It" to Kristin Hannah's historical novel "The Nightingale." The archive expanded its digital lending during the Covid-19 pandemic, temporarily lifting limits on how many people could check out a book at one time. The move helped prompt the publishers' copyright infringement lawsuit in 2020, which is pending before U.S. District Judge John Koeltl in Manhattan.

The plaintiffs are Lagardere SCA's Hachette Book Group, John Wiley and Sons, Bertelsmann SE's Penguin Random House, and HarperCollins Publishers, which like The Wall Street Journal is owned by News Corp. They argue the Internet Archive book platform "constitutes willful digital piracy on an industrial scale" and hurts writers and publishers who rely on consumers buying their products. William Adams, general counsel for HarperCollins Publishers, said the archive's approach has no basis in law. "What they're doing is supplanting what authors and publishers do with libraries and have been doing for a long time," he said. The Internet Archive says its lending practices are a fair and legal use of the books, in the same way that traditional bricks-and-mortar libraries have a right to share their collections with the public.

Privacy

Amazon Sued For Not Telling New York Store Customers About Facial Recognition (cnbc.com) 29

Amazon did not alert its New York City customers that they were being monitored by facial recognition technology, a lawsuit filed Thursday alleges. CNBC reports: In a class-action suit, lawyers for Alfredo Perez said that the company failed to tell visitors to Amazon Go convenience stores that the technology was in use. Thanks to a 2021 law, New York is the only major American city to require businesses to post signs if they're tracking customers' biometric information, such as facial scans or fingerprints. [...] The lawsuit says that Amazon only recently put up signs informing New York customers of its use of facial recognition technology, more than a year after the disclosure law went into effect. "To make this 'Just Walk Out' technology possible, the Amazon Go stores constantly collect and use customers' biometric identifier information, including by scanning the palms of some customers to identify them and by applying computer vision, deep learning algorithms, and sensor fusion that measure the shape and size of each customer's body to identify customers, track where they move in the stores, and determine what they have purchased," says the lawsuit.

"It means that even a global tech giant can't ignore local privacy laws," Albert Cahn, project director, said in a text message. "As we wait for long overdue federal privacy laws, it shows there is so much local governments can do to protect their residents."

Programming

The NPM Registry's Safe Word is Socket (theregister.com) 17

An anonymous reader shares a report: Socket has found a way to protect developers from npm, GitHub's insufficiently safe JavaScript package manager, by wrapping it in a security blanket. The npm registry, operated by NPM until the security biz was acquired by Microsoft's GitHub in 2020, hosts software packages for the JavaScript ecosystem. It is, by its own account, "the world's largest software registry." In the past few years, the maliciously inclined have increasingly focused on compromising package registries like npm in what's known as a supply chain attack. Subverting a popular software library has the potential to enable widespread viral distribution. Those running the npm registry have put in place various defenses over the years, such as npm audit, a vulnerability scanning command in the npm command line interface (CLI). But the tool's implementation leaves something to be desired and developers often ignore audit warning messages, particularly if automated resolution doesn't work.

Socket built its own vulnerability scanning system and last year made it available for free (with paid tiers for teams and organizations) for open source projects. Its scanner runs as a GitHub app on code repositories when changes are made. It catches more issues than npm audit -- covering not just supply chain risk but also quality, maintenance, vulnerability, and license concerns. But Socket's scanner is also now available as a CLI that developers can install on their machines. On Thursday, Socket updated its CLI with a safe npm command that defends developers whenever they invoke npm install or npm uninstall, which perversely can install packages amid removing others. "npm creates what is called the 'ideal tree' for a given package.json," Feross Aboukhadijeh told The Register. "So by removing a package you might actually change what the ideal tree is. Removing a package may remove a constraint which is keeping a package on an older version, so then npm may update those packages to a more ideal/recent version."
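The "ideal tree" effect Aboukhadijeh describes, as an added toy model that is neither npm's nor Socket's code: the registry, the package constraints and the resolver below are all constructed for illustration, and real npm uses full semver and nested node_modules, which this model omits.

```javascript
// Constructed registry: published versions of each package, oldest first.
const REGISTRY = { lodash: ['3.10.1', '4.17.21'], 'legacy-plugin': ['1.0.0'] };
// Constructed metadata: constraints each package places on its own dependencies.
const PACKAGE_DEPS = { 'legacy-plugin': { lodash: '^3.0.0' } };

const parseVersion = (v) => v.split('.').map(Number);
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Toy range syntax: '*' (any version) or '^X.Y.Z' (same major, at least X.Y.Z).
function satisfies(version, range) {
  if (range === '*') return true;
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const min = range.slice(1);
  return parseVersion(version)[0] === parseVersion(min)[0] && compareVersions(version, min) >= 0;
}

// "Ideal tree": each package reachable from the root gets the highest published version
// satisfying every constraint on it, whether that constraint is the root's or transitive.
function idealTree(rootDeps) {
  const constraints = {};
  const queue = Object.entries(rootDeps);
  while (queue.length) {
    const [name, range] = queue.shift();
    const firstVisit = !(name in constraints);
    (constraints[name] = constraints[name] || []).push(range);
    if (firstVisit) queue.push(...Object.entries(PACKAGE_DEPS[name] || {}));
  }
  const tree = {};
  for (const [name, ranges] of Object.entries(constraints)) {
    const ok = (REGISTRY[name] || []).filter((v) => ranges.every((r) => satisfies(v, r)));
    if (!ok.length) throw new Error(`no version of ${name} satisfies ${ranges.join(', ')}`);
    tree[name] = ok.sort(compareVersions)[ok.length - 1];
  }
  return tree;
}

// Every change between two trees. A safe-npm style guard would flag entries here that
// are upgrades or additions, since the user only asked for a removal.
function treeDiff(before, after) {
  const names = new Set([...Object.keys(before), ...Object.keys(after)]);
  return [...names].filter((n) => before[n] !== after[n])
    .map((n) => ({ name: n, from: before[n] || null, to: after[n] || null }));
}

// Uninstalling legacy-plugin drops its ^3 constraint, so lodash silently moves to 4.x.
console.log(treeDiff(idealTree({ lodash: '*', 'legacy-plugin': '^1.0.0' }), idealTree({ lodash: '*' })));
```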

Slashdot Top Deals