AI

Top NPM Maintainers Targeted with AI Deepfakes in Massive Supply-Chain Attack, Axios Briefly Compromised (pcmag.com) 33

"Hackers briefly turned a widely trusted developer tool into a vehicle for credential-stealing malware that could give attackers ongoing access to infected systems," the news site Axios.com reported Tuesday, citing security researchers at Google.

The compromised package — also named axios — simplifies HTTP requests, and reportedly receives millions of downloads each day: The malicious versions were removed within roughly three hours of being published, but Google warned the incident could have "far-reaching impacts" given the package's widespread use, according to John Hultquist, chief analyst at Google Threat Intelligence Group. Wiz estimates Axios is downloaded roughly 100 million times per week and is present in about 80% of cloud and code environments. So far, Wiz has observed the malicious versions in roughly 3% of the environments it has scanned.
Friday PCMag notes the maintainer's compromised account had two-factor authentication enabled, with the breach ultimately traced "to an elaborate AI deepfake from suspected North Korean hackers that was convincing enough to trick a developer into installing malware," according to a post-mortem published Thursday by lead developer Jason Saayman: [Saayman] fell for a scheme from a North Korean hacking group, dubbed UNC1069, which involves sending out phishing messages and then hosting virtual meetings that use AI deepfakes to clone the face and voices of real executives. The virtual meetings will then create the impression of an audio problem, which can only be "solved" if the victim installs some software or runs a troubleshooting command. In reality, it's an effort to execute malware. The North Koreans have been using the tactic repeatedly, whether it be to phish cryptocurrency firms or to secure jobs from IT companies.

Saayman said he faced a similar playbook. "They reached out masquerading as the founder of a company, they had cloned the company's founders likeness as well as the company itself," he wrote. "They then invited me to a real Slack workspace. This workspace was branded... The Slack was thought out very well, they had channels where they were sharing LinkedIn posts. The LinkedIn posts I presume just went to the real company's account, but it was super convincing etc." The hackers then invited him to a virtual meeting on Microsoft Teams. "The meeting had what seemed to be a group of people that were involved. The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the remote access Trojan," he added. "Everything was extremely well coordinated, looked legit and was done in a professional manner."

Friday developer security platform Socket wrote that several more maintainers in the Node.js ecosystem "have come out of the woodwork to report that they were targeted by the same social engineering campaign." The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers. Attackers also targeted several Socket engineers, including CEO Feross Aboukhadijeh. Feross is the creator of WebTorrent, StandardJS, buffer, and dozens of widely used npm packages with billions of downloads... Commenting on the axios post-mortem thread, he noted that this type of targeting [against individual maintainers] is no longer unusual... "We're seeing them across the ecosystem and they're only accelerating."

Jordan Harband, John-David Dalton, and other Socket engineers also confirmed they were targeted. Harband, a TC39 member, maintains hundreds of ECMAScript polyfills and shims that are foundational to the JavaScript ecosystem. Dalton is the creator of Lodash, which sees more than 137 million weekly downloads on npm. Between them, the packages they maintain are downloaded billions of times each month. Wes Todd, an Express TC member and member of the Node Package Maintenance Working Group, also confirmed he was targeted. Matteo Collina, co-founder and CTO of Platformatic, Node.js Technical Steering Committee Chair, and lead maintainer of Fastify, Pino, and Undici, disclosed on April 2 that he was also targeted. His packages also see billions of downloads per year... Scott Motte, creator of dotenv, the package used by virtually every Node.js project that handles environment variables, with more than 114 million weekly downloads, also confirmed he was targeted using the same Openfort persona.

Socket reports that another maintainer was targeted with an invitation to appear on a podcast. (During the recording a suspicious technical issue appeared which required a software fix to resolve....)

Even judged on its technical implementation alone, "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package," the CI/CD security company StepSecurity wrote Tuesday. The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json with a clean decoy... Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies... Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline.
"As preventive steps, Saayman has now outlined several changes," reports The Hacker News, "including resetting all devices and credentials, setting up immutable releases, adopting OIDC flow for publishing, and updating GitHub Actions to adopt best practices."

The Wall Street Journal called it "the latest in a string of incidents exposing risks in the systems that underpin how modern software is built."
The Courts

Valve Faces Second, Class-Action Lawsuit Over Loot Boxes (pcgamer.com) 110

Valve is facing a new consumer class-action lawsuit two weeks after New York sued the video game company for "letting children and adults illegally gamble" with loot boxes. The new lawsuit is similar, alleging that loot boxes in games like Counter-Strike 2, Dota 2, and Team Fortress 2 are "carefully engineered to extract money from consumers, including children, through deceptive, casino-style psychological tactics."

"We believe Valve deliberately engineered its gambling platform and profited enormously from it," Steve Berman, founder and managing partner at law firm Hagens Berman, said in a press release. "Consumers played these games for entertainment, unaware that Valve had allegedly already stacked the odds against them. We intend to hold Valve accountable and put money back in the pockets of consumers." PC Gamer reports: The system is well known to anyone who's played a Valve multiplayer game: Earn a locked loot box by playing, pay $2.50 for a key, unlock it, get a digital doohickey that's sometimes worth hundreds or even thousands of dollars but far more often is worth just a few pennies. Is that gambling? If these cases go to court, we'll find out.

The full complaint points out that the unlocking process is even designed to look like a slot machine: "Images of possible items scroll across the screen, spinning fast at first, then slowing to a stop on the player's 'prize.' Players buy and open loot boxes for the same reason people play slot machines -- the hope of a valuable payout." Loot boxes, the complaint continues, are not "incidental features" of Valve's games, but rather "a deliberate, carefully engineered revenue model." So too is the Steam Community Market, and Steam itself, which the suit claims is "deliberately designed" to enable the sale of digital items on third-party marketplaces through "trade URLs," despite Valve's terms of service prohibiting off-platform sales.

And while the debate over whether loot boxes constitute a form of gambling continues to rage, the suit claims Valve's system does indeed qualify under Washington law, which defines gambling as "staking or risking something of value upon the outcome of a contest of chance or a future contingent event not under the person's control or influence." "Valve's loot boxes satisfy every element of this definition," the lawsuit alleges. "Users stake money (the price of a key) on the outcome of a contest of chance (the random selection of a virtual item), and the items received are 'things of value' under RCW 9.46.0285 because they can be sold for real money through Valve's own marketplace and through third-party marketplaces that Valve has fostered and facilitated."

The Courts

New York Sues Valve For Enabling 'Illegal Gambling' With Loot Boxes (arstechnica.com) 79

New York state has filed a lawsuit against Valve alleging that randomized loot boxes in games like Counter-Strike 2, Team Fortress 2, and Dota 2 amount to a form of unregulated gambling, letting users "pay for the chance to win a rare virtual item of significant monetary value." From a report: While many randomized video game loot boxes have drawn attention and regulation from various government bodies in recent years, the New York suit calls out Valve's system specifically for "enabl[ing] users to sell the virtual items they have won, either through its own virtual marketplace, the Steam Community Market, or through third-party marketplaces."

The vast majority of Valve's in-game loot boxes contain skins that can only be resold for a few cents, the suit notes, while the rarest skins can be worth thousands of dollars through marketplaces on and off of Steam. That fits the statutory definition of gambling as "charging an individual for a chance to win something of value based on luck alone," according to the suit.

The Steam Wallet funds that users get through directly reselling skins "have the equivalent purchasing power on the Steam platform as cash," the suit notes. But if a user wants to convert those Steam funds to real cash, they can do so relatively easily by purchasing a Steam Deck and reselling it to any interested party, as an investigator did while preparing the lawsuit.

GNU is Not Unix

The FSF Will Auction the Original GNU Logo Drawing, Stallman's Medal, and an Amiga (fsf.org) 25

The Free Software Foundation "hinted that it would organize an unprecedented virtual memorabilia auction" in March to celebrate this year's 40th anniversary, according to an announcement this week. Those hints "left collectors and free software fans wondering which of the pieces of the FSF's history would be auctioned off."

But Tuesday the FSF "lifted the veil and gave a sneak peek of some of the more prestigious entries in the memorabilia auction." First of all, the memorabilia auction will feature an item that could be especially interesting for art collectors but will certainly also draw the attention of free software fans from all over: the original GNU head drawing by Etienne Suvasa, which became the blueprint for the iconic GNU logo present everywhere in the free software world.

The list of memorabilia for sale also entails some rare and historic hardware, such as a "terminus-est" microcomputer, and an Amiga 3000UX that was used in the FSF's old office at the Massachusetts Institute of Technology (MIT) in the early days of GNU, when these machines were capable of running a GNU-like operating system. Another meaningful item to be auctioned off, and one that collectors will want to keep a keen eye on, is the Internet Hall of Fame medal awarded to founder Richard Stallman. When Stallman was inducted into the Internet Hall of Fame, it was the ultimate recognition of free software's immense impact on the development and advancement of the Internet. This medal is definitely worthy of joining a fine historical collection...! [T]here are several more historic awards, more original GNU artwork, and a legendary katana [as seen in an XKCD comic] that became a lighthearted weapon in the fight for computer user freedom.

The auction is only the opening act to a whole agenda of activities celebrating forty years of free software activism. In May, the FSF invites free software supporters all over the world to gather for local in-person community meetups to network, discuss what people can do next to make the world freer, and celebrate forty years of commitment to software freedom. Then, on the actual birthday of the FSF on October 4, 2025, the organization intends to bring the international free software community to Boston for a celebration featuring keynotes and workshops by prominent personalities of the free software movement.

"The bidding will start as a virtual silent auction on March 17 and run through March 21, with more auction items revealed each day, and will culminate in a virtual live auction on March 23, 2025, 14:00 to 17:00 EDT," according to the announcement.

"Register here to attend the live auction. There's no need to register for the silent auction; you can simply join the bidding on the FSF's LibrePlanet wiki."
Apple

Apple Brings Eye-Tracking To Recent iPhones and iPads (engadget.com) 37

This week, in celebration of Global Accessibility Awareness Day, Apple is introducing several new accessibility features. Noteworthy additions include eye-tracking support for recent iPhone and iPad models, customizable vocal shortcuts, music haptics, and vehicle motion cues. Engadget reports: The most intriguing feature of the set is the ability to use the front-facing camera on iPhones or iPads (at least those with the A12 chip or later) to navigate the software without additional hardware or accessories. With this enabled, people can look at their screen to move through elements like apps and menus, then linger on an item to select it. That pause to select is something Apple calls Dwell Control, which has already been available elsewhere in the company's ecosystem like in Mac's accessibility settings. The setup and calibration process should only take a few seconds, and on-device AI is at work to understand your gaze. It'll also work with third-party apps from launch, since it's a layer in the OS like Assistive Touch. Since Apple already supported eye-tracking in iOS and iPadOS with eye-detection devices connected, the news today is the ability to do so without extra hardware. [...]

There are plenty more features coming to the company's suite of products, including Live Captions in VisionOS, a new Reader mode in Magnifier, support for multi-line braille and a virtual trackpad for those who use Assistive Touch. It's not yet clear when all of these announced updates will roll out, though Apple has historically made these features available in upcoming versions of iOS. With its developer conference WWDC just a few weeks away, it's likely many of today's tools get officially released with the next iOS.
Apple detailed all the new features in a press release.
Businesses

Walmart and Roblox Are Teaming Up To Make Virtual E-commerce a Reality (digiday.com) 29

As of today, Walmart is able to sell physical goods directly to users inside Roblox. Digiday adds: The introduction of real-life e-commerce could be a watershed moment for the company's ambitions to become an all-encompassing destination for virtual life. Walmart's Roblox e-commerce experience launches later today, with users inside the pre-existing Walmart Discovered able to have real-life items shipped directly to their doorsteps. Users entering the experience will be greeted with a new storefront showcasing virtual twins of select physical items sold at real-life Walmart stores.

After trying out the virtual items on their avatars, players will be able to load an e-commerce experience that takes the form of a browser window inside Roblox imitating the experience of shopping on Walmart's website -- essentially a virtual laptop set up inside Roblox to access Walmart.com. The commerce feature within Walmart Discovered will be gated specifically to users aged 13 or older in the United States only. "There is a traditional sort of checkout flow where you put your name, your address and your credit card information, and that's all powered by a Walmart API that handles all of the information super securely -- it's very safe," said Walmart director of brand experiences and strategic partnerships Justin Breton. "And once you hit checkout, you'll get your confirmation email from Walmart. All of that is handled by us on the back end, the user will then get their item in the mail, but the virtual twin is granted immediately back on Roblox."

Technology

Meta's VR Headsets Have a Sweat-Sharing Problem (bloomberg.com) 52

It's the busiest shopping season of the year, but one item that doesn't appear to be flying off store shelves is Meta Platforms's Quest brand of virtual-reality headsets. Part of the reason is that many shoppers aren't comfortable trying one on in a store. From a report: The headsets are prone to collect dirt and grime and smear your makeup. During the peak of the Covid-19 pandemic, people were especially resistant to put them on in stores, even though Meta paid to have cleaners on hand to sanitize the headsets between each use, said a former Meta employee who wasn't authorized to speak publicly and asked not to be identified.

The health emergency is over, but many people are still weirded out by the idea of putting on a VR headset in public. Meta sells the Quest in the US through the stores of mobile carriers like AT&T, T-Mobile and Verizon. The thinking was, people are already trying out and buying other gadgets there. But picking up a phone that other people have touched feels different than strapping something to your face that other people have strapped to theirs. In-store sales of Quest headsets at mobile carriers' locations are very low, according to former employees of Reality Labs, the division that builds Meta's VR products.

Apple

How Apple's 'Reality Pro' Headset Will Work (9to5mac.com) 66

An anonymous reader quotes a report from 9to5Mac: Apple's first AR/VR headset could be unveiled sometime this spring, and rumors continue to offer more information about what Apple has in the works. A wide-ranging new report from Bloomberg now offers a slew of details on Apple's "Reality Pro" headset, including that the "eye- and hand-tracking capabilities will be a major selling point" for the product. Using external cameras, the headset will be able to analyze the user's hands, while internal sensors will be used to read the user's eyes.

The report explains: "The headset will have several external cameras that can analyze a user's hands, as well as sensors within the gadget's housing to read eyes. That allows the wearer to control the device by looking at an on-screen item -- whether it's a button, app icon or list entry -- to select it. Users will then pinch their thumb and index finger together to activate the task -- without the need to hold anything. The approach differs from other headsets, which typically rely on a hand controller."

More details on the hardware of the headset include that there will be a Digital Crown similar to the Apple Watch for switching between AR and VR. The VR mode will fully immerse the wearer, but when AR mode is enabled the "content fades back and becomes surrounded by the user's real environment." This is reportedly one of the features Apple hopes will be a "highlight of the product." To address overheating concerns, the Reality Pro headset will use an external battery that "rests in a user's pocket and connects over a cable." There will also be a cooling fan to further reduce the likelihood of the headset overheating. "The headset can last about two hours per battery pack," Bloomberg reports. The battery pack is "roughly the size of two iPhone 14 Pro Maxes stacked on top of each other, or about six inches tall and more than half an inch thick."
Another tidbit from the report is that the headset will be able to serve as an external display for Mac. "Users will be able to see their Mac's display in virtual reality but still control the computer with their trackpad or mouse and physical keyboard," reports Bloomberg. Apple is also "developing technology that will let users type in midair with their hands."

Additionally, FaceTime on the headset will "realistically render a user's face and full body in virtual reality."

A team of more than 1,000 people have been reportedly working on the first version of the device for the past seven years. It's slated to cost "roughly $3,000" when it debuts sometime this spring.
Software

Ex-Google Chief's Venture Aims To Save Neglected Science Software (nature.com) 23

David Matthews writes via Nature: See whether this sounds familiar: you build a piece of software to solve a research question. But when you move on to the next project, there's no one to maintain it. As it ages, it becomes obsolete, and the next academic to tackle a similar problem finds themselves having to reinvent the wheel. [...] Now, a funding initiative hopes to help ease that burden. [...] In January, Schmidt Futures, a science and technology-focused philanthropic organization founded by former Google chief executive Eric Schmidt and his wife Wendy, launched the Virtual Institute for Scientific Software (VISS), a network of centers across four universities in the United States and the United Kingdom. Each institution will hire around five or six engineers, says Stuart Feldman, Schmidt Futures' chief scientist, with funding typically running for five years and being reviewed annually. Overall, Schmidt Futures is putting US$40 million into the project, making it among the largest philanthropic investments in this area. The aim is to overcome a culture of relative neglect in academia for open-source scientific software, Feldman says, adding that support for software engineering is "a line item, just like fuel" at organizations such as NASA. "It's only in the university research lab environment where this is ancillary," he says. [...]

Those setting up VISS centers say Schmidt Futures' steady, relatively long-term funding will help them to overcome a range of problems endemic to academic software. Research grants rarely provide for software development, and when they do, the positions they fund are seldom full-time and long-term. "If you've got all of this fractional effort, it's really hard to hire people and provide them with a real career path," says Andrew Connolly, an astronomer who is also helping to set up the Washington centre. What's more, software engineers tend to be scattered and isolated across a university. "Peer development and peer community is really important to those types of positions," says Stone. "And that would be extraordinarily rare in academia." To counter this, VISS centers hope to create cohesive, stable teams that can learn from one another. [...]

Dario Taraborelli, who helps to coordinate another privately funded scientific-software project at the Chan Zuckerberg Initiative (CZI) in California, says that such initiatives fill a key gap in the scientific-software ecosystem, because funding agencies too often fail to prioritize crucial software infrastructure. Although there are now "substantial" grants dedicated to creating software, he says, there's precious little funding available to maintain what is built. Computer scientist Alexander Szalay, who is helping to set up a VISS centre at Johns Hopkins, agrees, noting that very few programs get to a point where enough researchers use and update them to remain useful. "They don't survive this 'Valley of Death,'" he says. "The funding stops when they actually develop the software prototype."

Facebook

Meta Plans To Take Nearly 50% of Creator's Earnings In 'Horizon Worlds' (roadtovr.com) 79

After announcing earlier this week that creators can sell digital items in Horizon Worlds for real money, Meta has offered details about how many fees creators will have to pay on earnings made through the platform. According to Road to VR, "Meta explained that anything sold in Horizon Worlds would be subject to the same 30% fee the company charges developers selling apps through its VR platform and then an additional 25% fee on top of the remaining amount." From the report: The company provided the following example: "...if a creator sells an item for $1.00, then the Meta Quest Store fee would be $0.30 and the Horizon Platform fee would be $0.17, leaving $0.53 for the Creator before any applicable taxes." That's an effective rate of 47.5% of anything sold on Horizon Worlds to Meta, leaving 52.5% to the creator.

That's a pretty hefty take, but not entirely out of line with contemporaries. Roblox, for instance, takes between 30% and 70% of the revenue generated by creators depending upon whether the creator sold the item directly to customers or if the item was sold on the Roblox marketplace or by another party. These are big fees, no doubt, but creators are getting something in return. Horizon Worlds, for instance, offers up its self-contained collaborative building tools, access to an audience, and handles all hosting and networking costs associated with the things creators build. Whether that's worth 47.5% of what someone manages to sell on the platform is going to be up to the creator.

Patents

Sony Is Working On 3D Scanner That Can Put Real-World Items Into Video Games (gamerant.com) 38

Days after detailing the technical specs of the PS VR2, Sony has updated the details of a patent to include language that says it would "allow players to scan real-world items into virtual reality, making anything interactive in the VR space," reports Game Rant. From the report: This patent isn't actually anything new, as Sony filed it on June 23, 2021; however, the patent office took issue with some of its claims, requiring the tech giant to rework some details and resubmit. It would seem that, as of yesterday, Sony and the patent office have begun moving forward with the process following updates and revisions by Sony. [...] According to the patent mock-up, it seems as if players will be able to scan larger items than the handheld ones featured in the banana patent such as full-sized lamps. The only caveat seems to be that players will need to be able to have a 360-degree view of the item in order to bring it into the digital world. As the report notes, the patent is still being processed so we "shouldn't expect this tech to be featured in games any time soon."
The Almighty Buck

Retailers Surrender To Unprecedented Costs On Online Returns (axios.com) 135

Returning unwanted gifts this holiday season is becoming so expensive for retailers that they just might let customers keep the products -- and issue refunds anyway. Axios reports: The cost of online returns is soaring, contributing to increased prices, product shortages and supply chain stress. Returning a $50 item is expected to cost an average of $33, up 59% from 2020, according to Optoro, a returns processor. Worker shortages and supply chain problems are taking a toll, Optoro CEO Tobin Moore tells Axios. About three in 10 online purchases are returned, according to CBRE Supply Chain.

Retailers are expected to pass on the cost of returns in the form of higher prices. "The consumer pays the price of a free return," Columbia Business School retail studies professor Mark Cohen told Today. Some retailers, namely Amazon, sometimes tell returners to keep it. It would cost them too much to process a return, Moore says. The challenge for online retailers is to process returns quickly and get the goods back onto their virtual shelves, minimizing depreciation. "The faster you can get a good back to stock, the more you can avoid markdowns," Moore says.

Software

'If Apple Keeps Letting Its Software Slip, the Next Big Thing Won't Matter' (macworld.com) 116

If Apple can't improve the reliability of its software, the next big thing won't matter, argues Dan Moren in an opinion piece for Macworld. From the report: Uneven distribution: As sci-fi writer William Gibson famously said, "the future is already here -- it's just not evenly distributed." While Gibson's comment resonates mostly on a socio-economic level that is borne out by Apple's not inexpensive technology, it's also embodied geographically by the company's work: if you're interested, you can see which Apple features are available in which regions. Many of these, of course, are due to restrictions and laws in specific regions or places where, say, Apple has not prioritized language localization. But some of them are cases where features have been rolled out only slowly to certain places. [...] It's surely less exciting for Apple to think about rolling out these (in some cases years old) features, especially those which might require a large degree of legwork, to various places than it is for the company to demonstrate its latest shiny feature, but it also means that sometimes these features don't make it to many, if not most of the users of its devices. Uneven distribution, indeed.

To error is machine: It's happened to pretty much any Apple device user: You go to use a feature and it just doesn't work. Sometimes there's no explanation as to why; other times, there's just a cryptic error message that provides no help at all. [...]

Shooting trouble: Sometimes what we're dealing with in the aforementioned situations are what we call "edge cases." Apple engineers surely do their best to test their features with a variety of hardware, in different places, with different settings. [...] Nobody expects Apple to catch everything, but the question remains: when these problems do arise, what do we do about them? One thing Apple could improve is the ease for users to report issues they encounter. Too often, I see missives posted on Apple discussion boards that encourage people to get in touch with Apple support... which often means a lengthy reiteration of the old troubleshooting canards. While these can sometimes solve problems, if not actually explain them, it's not a process that most consumers are likely to go through. And when those steps don't resolve the issues, users are often left with a virtual shrug.

Likewise, while Apple does provide a place to send feedback about products, it's explicitly not a way to report problems. Making it easier for users to report bugs and unexpected behavior would go a long way to helping owners of Apple products feel like they're not simply shouting their frustrations into a void (aka Twitter). If Apple can't improve the reliability of its software [...] it at least owes it to its users to create more robust resources for helping them help themselves. Because there's nothing more frustrating than not understanding why a miraculous device that can contact people around the world instantaneously, run incredibly powerful games, and crunch data faster than a supercomputer of yesteryear sometimes can't do something as simple as export a video of a vacation.
While Moren focuses primarily on unfinished features to help make his case, "there is also a huge problem with things being touched for no reason and making them worse," says HN reader makecheck. "When handed what must be a mountain of bugs and unfinished items, why the hell did they prioritize things like breaking notifications and Safari tabs, for instance? They're in a position where engineering resources desperately need to be closing gaps, not creating huge new ones."

An example of this would be the current UX of notifications. "A notification comes up, I hover and wait for the cross to appear and click it," writes noneeeed. "But then some time later I unlock my machine or something happens and apparently all my notifications are still there for some reason and I have to clear them again, only this time they are in groups and I have to clear multiple groups."

"Don't get me started on the new iOS podcast app," adds another reader.
Open Source

Travis CI Flaw Exposed Secrets of Thousands of Open Source Projects (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain: "When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host." But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables of all public open source repositories that use Travis CI into pull request builds. Environment variables can include sensitive secrets like signing keys, access credentials, and API tokens. If these variables are exposed, attackers can abuse the secrets to obtain lateral movement into the networks of thousands of organizations.

Tracked as CVE-2021-41077, the bug is present in Travis CI's activation process and impacts certain builds created between September 3 and September 10. As a part of this activation process, developers are supposed to add a ".travis.yml" file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. Another place encrypted secrets may be defined is Travis' web UI. But, these secrets are not meant to be exposed. In fact, Travis CI's docs have always stated, "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code." Ideally, Travis is expected to run in a manner that prevents public access to any secret environment variables specified. [...] This vulnerability caused these sorts of secrets to be unexpectedly exposed to just about anyone forking a public repository and printing files during a build process. Fortunately, the issue didn't last too long -- around eight days, thanks to Lange and other researchers who notified the company of the bug on September 7. But out of caution, all projects relying on Travis CI are advised to rotate their secrets.
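The policy the report quotes, that encrypted variables are withheld from fork pull requests, and the log check a project would run after an incident like this, as an added example; this is not code from the Ars Technica report or from Travis CI, the build metadata field names mirror the documented Travis CI build variables, and every secret value, build record and log line is constructed sample data:

```python
# Added example (not code from the Ars Technica report or from Travis CI):
# a minimal model of the gate a CI service should apply before handing
# encrypted environment variables to a build, plus a scrubber that checks
# build output for leaked values. Field names mirror the documented Travis CI
# build variables; all metadata, secret values and log text are constructed.
import base64

# Constructed secrets of the kind the report describes (signing keys, tokens).
SECRETS = {
    "SIGNING_KEY": "constructed-signing-key-0001",
    "API_TOKEN": "tok_constructed_abcdef",
}

# Constructed build metadata: a push to the main repo and a PR from a fork.
PUSH_BUILD = {"TRAVIS_PULL_REQUEST": "false", "TRAVIS_REPO_SLUG": "org/proj"}
FORK_PR_BUILD = {
    "TRAVIS_PULL_REQUEST": "42",
    "TRAVIS_PULL_REQUEST_SLUG": "someone/proj",  # head repository (the fork)
    "TRAVIS_REPO_SLUG": "org/proj",              # base repository
}


def is_fork_pull_request(env: dict) -> bool:
    """A PR build whose head repository differs from the base repository."""
    if env.get("TRAVIS_PULL_REQUEST", "false") == "false":
        return False
    return env.get("TRAVIS_PULL_REQUEST_SLUG") != env.get("TRAVIS_REPO_SLUG")


def secrets_for_build(env: dict, secrets: dict) -> dict:
    """The documented policy: encrypted variables are withheld from fork PRs.
    CVE-2021-41077 amounted to this gate not being applied to affected builds."""
    return {} if is_fork_pull_request(env) else dict(secrets)


def find_leaks(build_log: str, secrets: dict) -> list:
    """Names of secrets whose value appears in the log raw, base64- or hex-
    encoded. A hit means the credential must be treated as exposed and rotated,
    which is the advice the report gives to every project that used the service."""
    leaked = []
    for name, value in secrets.items():
        raw = value.encode()
        forms = (value, base64.b64encode(raw).decode(), raw.hex())
        if any(form in build_log for form in forms):
            leaked.append(name)
    return sorted(leaked)


# Constructed log lines: a build step that dumped its environment to the log.
LEAKY_LOG = ("$ printenv\nTRAVIS_REPO_SLUG=org/proj\n"
             "API_TOKEN=tok_constructed_abcdef\n"
             "SIGNING_KEY=" + base64.b64encode(b"constructed-signing-key-0001").decode() + "\n")
CLEAN_LOG = "$ npm test\n12 passing\n"
```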

The presence and relatively quick patching of the flaw aside, Travis CI's concise security bulletin and overall handling of the coordinated disclosure process has infuriated the developer community. In a long Twitter thread, Peter Szilagyi details the arduous process that his group endured as it waited for Travis CI to take action and release a brief security bulletin on an obscure webpage. "After 3 days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th. No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen," tweeted Szilagyi. After Szilagyi and Lange asked GitHub to ban Travis CI over its poor security posture and vulnerability disclosure processes, an advisory showed up. "Finally, after multiple ultimatums from multiple projects, [they] posted this lame-ass post hidden deep where nobody will read it... Not even a single 'thank you.' [No] acknowledgment of responsible disclosure. Not even admitting the gravity of it all," said Szilagyi, while referring to the security bulletin -- and especially its abridged version, which included barely any details. Szilagyi was joined by several members of the community in criticizing the bulletin. Boston-based web developer Jake Jarvis called the disclosure an "insanely embarrassing 'security bulletin.'"
"Travis CI implemented a series of security patches starting on Sept 3rd that resolves this issue," concluded Mendy on behalf of the Travis CI team. "As a reminder, cycling your secrets is something that all users should do on a regular basis. If you are unsure how to do this, please contact Support."
Printer

The World's First 3D-Printed Steel Bridge (popularmechanics.com) 40

An anonymous reader quotes a report from Popular Mechanics, written by Laura Rider: After four long years of planning, the world's first 3D-printed steel bridge debuted in Amsterdam last month. If it stands up to the elements, the bridge could be a blueprint for fixing our own structurally deficient infrastructure in the U.S. -- and we sorely need the help. Dutch company MX3D built the almost 40-foot-long bridge for pedestrians and cyclists to cross the city's Oudezijds Achterburgwal canal. It relied on four robots, fit with welding torches, to 3D-print the structure. To do it, the machines laid out 10,000 pounds of steel, heated to 2,732 degrees Fahrenheit, in an intricate layering process. The result? An award-winning design, pushing the boundaries of what steel can do.

Designers first came up with the concept for the bridge in 2015, with the goal of making an exceptionally efficient structure. To do so, they had to emphasize two things: simplicity and safety. To monitor the efficiency of their design, scientists at Imperial College London engineered the bridge to be a "living laboratory." A team of structural engineers, computer scientists, and statisticians developed a system of over one dozen embedded sensors for the bridge, which send live data to the university for further analysis of the bridge's performance. They monitor the bridge's movement, vibration, temperature, strain (the change in shape and size of materials under applied forces), and displacement (the amount an object shifts in a specific direction) over time. From that data, scientists built a "digital twin" -- computer science parlance for an identical, virtual rendering -- of the bridge that gets more accurate over time. With machine learning, they can now look for trends that might suggest modifications are in order.

For this bridge, designers utilized two methods of 3D printing -- Direct Energy Deposit (DED) and Powder Bed Fusion (PBF). With DED, the printer feeds material (typically in powder or wire form) through a pen-like nozzle, and an intense heat source (typically a laser, but sometimes an electron beam) melts the metal on contact. PBF works similarly in that a laser or electron beam melts powder down to build each layer. The main advantage of PBF, though, is that it operates with much smaller (and more expensive) parts, resulting in a higher-resolution project than DED could accomplish on its own. This allows designers to take their visions a step further.

Sci-Fi

Virtual Comic-Con Includes Trailers For 'Blade Runner' Series, 'Dune' Movie - and NASA Panels (space.com) 71

Comic-Con went virtual again in 2020. (San Diego businesses will miss the chance to profit from the 100,000 visitors the convention usually attracted.) And NPR reports the convention has gotten smaller in other ways: Both Marvel Studios and DC are staying away; as it did last year, DC is again directing its resources towards its own event, DC FanDome, set for mid-October. But fans of shows like Doctor Who, Dexter and Comic-Con stalwart The Walking Dead will have lots to look forward to.
Rotten Tomatoes and The Verge have gathered up the trailers that did premiere. Some of the highlights:

But interestingly, one of the more visible presenters was: NASA. Current and former NASA officials made appearances on several different panels, according to Space.com, including one on modern space law, U.N. treaty-making, and how it all stacks up against the portrayal we get in our various future-space franchises. And a former NASA astronaut was also part of a panel touting a virtual simulation platform, "where students can have access to the same tools that professionals use and in the case of space are given the opportunity to solve real problems related to missions to our Moon, Mars, and beyond... from piloting to terra-forming to creating habitats and spacecraft."

There was also a panel of four NASA engineers titled "No Tow Trucks Beyond Mars," on "how we go boldly where there's no one around to fix it. Hear stories from the trenches of the heartbreaks, close calls, and adventures of real-life landing (and flying!) on Mars and our round-table discussion of what Netflix got right in their movie Stowaway."

Sunday's panels will include an astronomer, an astrobiologist, and a geologist/paleontologist discussing "The Science of Star Wars" with the concept designer for Star Wars episodes 7-9, Rogue One, and Solo.


Security

A CCTV Company Is Paying Remote Workers In India To Yell At Armed Robbers (vice.com) 72

An anonymous reader quotes a report from Motherboard: In a short CCTV video, a clerk at a small convenience store can be seen taking a bottle of coffee from a cooler and drinking it. When he returns to the cash register, an unseen person's voice emits from a speaker on the ceiling and interrogates him about whether he scanned and paid for the item. In another video, a cashier is standing behind the counter talking to someone just out of frame. There's a 'ding' sound, and the voice from above questions the cashier about who the other man is -- he's there to give the cashier a ride at the end of his shift -- then orders the man to stand on the other side of the counter.

The videos are just a few examples that Washington-based Live Eye Surveillance uses to demonstrate its flagship product: a surveillance camera system that keeps constant watch over shops and lets a remote human operator intervene whenever they see something they deem suspicious. For enough money -- $399 per month according to one sales email Motherboard viewed -- a person in Karnal, India will watch the video feed from your business 24/7. The monitors "act as a virtual supervisor for the sites, in terms of assuring the safety of the employees located overseas and requesting them to complete assigned tasks," according to a job posting on the company's website. [...] On its website, the company claims several major corporations as customers, including 7-Eleven, Shell, Dairy Queen, and Holiday Inn. Many of those businesses are franchised, and it isn't clear from Live Eye's materials whether the corporations have purchased the surveillance systems or if they've been bought by individual franchise owners.

Nintendo

'Super Nintendo World' Amusement Park Previewed By Mario's 68-Year-Old Creator (arstechnica.com) 13

"On Friday, Nintendo and Universal Studios Japan took the veil off a years-in-the-making project: the very first Nintendo-themed theme park," reports Ars Technica (in an article shared by long-time Slashdot reader mprindle): And who better to introduce the world to this life-sized walk through of all things Mario than the character's creator himself, longtime Nintendo developer and designer Shigeru Miyamoto...

Many of the park's decorations and objects can be interacted with by park visitors who wear a special wristband, dubbed the Power-Up Band, which includes an Amiibo-like NFC chip. Press its sensor near park objects like a Super Mario coin block, and a new virtual item will appear in a synced Super Nintendo World app on your smartphone. Exactly how these virtual items will affect your visit to Super Nintendo World remains unclear, but Miyamoto-san hinted to surprising attractions and hidden interactable panels for park visitors to discover in person. (Additionally, those Power-Up Bands will double as Amiibo for compatible hardware, like Nintendo Switch.)

Only one "ride" received a showcase in the video, albeit a brief one: a Mario Kart race against Bowser. It's hosted inside a replica of Bowser's castle, and visitors will sit in one of a series of Mario-styled go-karts that appear to be linked on a rollercoaster-like track, as opposed to freely controllable. Exactly what visitors will see on that ride remains unclear, but previous news about the ride's augmented reality (AR) elements was reinforced with the first official look at the park's AR glasses, which come attached to a Super Mario hat.

The park opens in Japan on February 4, 2021, according to Ars, followed by later launches at Universal Studios in Singapore, and at its U.S. locations in Orlando, Florida and Los Angeles.
Cellphones

'5G Just Got Weird' (ieee.org) 132

SuperKendall (Slashdot reader #25,149) shared this review of the recent 5G standards codified by the 3rd Generation Partnership Project (3GPP) in Release 16 (finalized on July 3).

"5G just got weird," writes IEEE Spectrum: 4G and other earlier generations of cellular focused on just that: cellular. But when 3GPP members started gathering to hammer out what 5G could be, there was interest in developing a wireless system that could do more than connect phones... One of the flashiest things in Release 16 is V2X, short for "Vehicle to Everything." In other words, using 5G for cars to communicate with each other and everything else around them... The 3GPP standards bring those benchmarks into the realm of gigabytes per second, 99.999 percent reliability, and just a few milliseconds.

Matthew Webb, a 3GPP delegate for Huawei and the other rapporteur for the 3GPP item on V2X, adds that Release 16 also introduces a new technique called sidelinking. Sidelinks will allow 5G-connected vehicles to communicate directly with one another, rather than going through a cell-tower intermediary... Tseng says that sidelinking started as a component of the V2X work, but it can theoretically apply to any two devices that might need to communicate directly rather than go through a base station first. Factory robots are one example, or large-scale Internet of Things installations.

Some other "weird" highlights of the new 5G standards:
  • "5G incorporates millimeter waves, which are higher frequency radio waves (30 to 300 GHz) that don't travel nearly as far as traditional cell signals. Millimeter waves mean it will be possible to build a network just for an office building, factory, or stadium. At those scales, 5G could function essentially like Wi-Fi networks."
  • "In past generations of cellular, three cell towers were required to triangulate where a phone was by measuring the round-trip distance of a signal from each tower. But 5G networks will be able to use the round-trip time from a single tower to locate a device."
  • "Release 17 includes a work item on extended reality — the catch-all term for alternate reality and virtual reality technologies."

Software

ESRB Introduces a New Label To Indicate That a Game Has Loot Boxes (theverge.com) 67

The Entertainment Software Rating Board (ESRB), which is the organization that rates the content of video games, announced a new label today to indicate that a game will offer in-game purchases of loot boxes or similar types of items that provide a player with randomized rewards. The Verge reports: "This new Interactive Element, In-Game Purchases (Includes Random Items), will be assigned to any game that contains in-game offers to purchase digital goods or premiums with real world currency (or with virtual coins or other forms of in-game currency that can be purchased with real world currency) for which the player doesn't know prior to purchase the specific digital goods or premiums they will be receiving (e.g., loot boxes, item packs, mystery awards)," according to the ESRB. The label will be applied to "loot boxes, gacha games, item or card packs, prize wheels, treasure chests, and more," the organization said.

The new label will sit below the game's content rating, as seen in the photo above. The ESRB originally introduced the "in-game purchases" label in February 2018, but that label was broad enough that it could be applied to any game that offered any sort of buyable digital good, including non-randomized items like subscriptions, season passes, or upgrades to disable ads.
