Shane Warne's son reveals the cheeky restaurant move his cricket legend dad pulled - and every Aussie wishes they could do it
The late, great Shane Warne built a career on confusing opposition batsmen, but he also confused plenty of diners and waiters with a hilarious act.
How Python is Fighting Open Source's 'Phantom' Dependencies Problem
Since 2023 the Python Software Foundation has had a Security Developer-in-Residence (sponsored by the Open Source Security Foundation's vulnerability-finding "Alpha-Omega" project). And he's just published a new 11-page white paper about open source's "phantom dependencies" problem — suggesting a way to solve it.
"Phantom" dependencies aren't tracked with packaging metadata, manifests, or lock files, which makes them "not discoverable" by tools like vulnerability scanners or compliance and policy tools. So Python security developer-in-residence Seth Larson authored a recently-accepted Python Enhancement Proposal, PEP 770, that gives packages a standard place in their installed metadata to ship Software Bills of Materials (SBOMs) describing the non-Python components they bundle. From the whitepaper:
Python Enhancement Proposal 770 is backwards compatible and can be enabled by default by tools, meaning most projects won't need to manually opt in to begin generating valid PEP 770 SBOM metadata. Python is not the only software package ecosystem affected by the "Phantom Dependency" problem. The approach using SBOMs for metadata can be remixed and adopted by other packaging ecosystems looking to record ecosystem-agnostic software metadata...
Within Endor Labs' [2023 dependencies] report, Python is named as one of the most affected packaging ecosystems by the "Phantom Dependency" problem. There are multiple reasons that Python is particularly affected:
- There are many methods for interfacing Python with non-Python software, such as through the C-API or FFI. Python can "wrap" and expose an easy-to-use Python API for software written in other languages like C, C++, Rust, Fortran, Web Assembly, and more.
- Python is the premier language for scientific computing and artificial intelligence, meaning many high-performance libraries written in system languages need to be accessed from Python code.
- Finally, Python packages have a distribution type called a "wheel", which is essentially a zip file that is "installed" by being unzipped into a directory, meaning there is no compilation step allowed during installation. This is great for being able to inspect a package before installation, but it means that all compiled languages need to be pre-compiled into binaries before installation...
When designing a new package metadata standard, one of the top concerns is reducing the amount of effort required from the mostly volunteer maintainers of packaging tools and the thousands of projects being published to the Python Package Index... By defining PEP 770 SBOM metadata as using a directory of files, rather than a new metadata field, we were able to side-step all the implementation pain...
We'll be working to submit issues on popular open source SBOM and vulnerability scanning tools, and gradually, Phantom Dependencies will become less of an issue for the Python package ecosystem.
The white paper "details the approach, challenges, and insights into the creation and acceptance of PEP 770 and adopting Software Bill-of-Materials (SBOMs) to improve the measurability of Python packages," explains an announcement from the Python Software Foundation. And the white paper ends with a helpful note.
"Having spoken to other open source packaging ecosystem maintainers, we have come to learn that other ecosystems have similar issues with Phantom Dependencies. We welcome other packaging ecosystems to adopt Python's approach with PEP 770 and are willing to provide guidance on the implementation."
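To make the "directory of files" approach concrete, here is an added example (not code from the white paper, the PSF, or any existing scanner) of the kind of consumer PEP 770 is meant to enable: a scanner that walks installed distributions, reads any SBOM documents shipped under the package's `.dist-info/sboms/` directory, and reports the bundled non-Python components they declare. It assumes the PEP 770 layout (SBOM JSON files under `sboms/` inside `.dist-info`, listed in `RECORD` like every other installed file) and supports both CycloneDX and SPDX JSON. The three packages the fixture writes (`fastcrypto`, `ml-accel`, `plainpkg`) and their SBOM contents are made up for the demo.

```python
"""Surface "phantom" (non-Python) components declared in PEP 770 SBOM files.

Added example, not code from the white paper or from any PSF tool. It assumes
the PEP 770 layout: SBOM documents shipped as <pkg>.dist-info/sboms/*.json and
listed in RECORD, so importlib.metadata can enumerate them like any other file.
The packages written by build_fixture() are constructed for the demo.
"""
from __future__ import annotations

import json
import tempfile
from importlib.metadata import distributions
from pathlib import Path

SBOM_DIR = "sboms"  # directory name PEP 770 uses inside .dist-info (assumption)


def parse_sbom(doc: dict) -> list[tuple[str, str | None]]:
    """Return (name, version) pairs from a CycloneDX or SPDX JSON document."""
    if doc.get("bomFormat") == "CycloneDX":
        return [(c["name"], c.get("version")) for c in doc.get("components", [])]
    if "spdxVersion" in doc:
        return [(p["name"], p.get("versionInfo")) for p in doc.get("packages", [])]
    raise ValueError("not a CycloneDX or SPDX JSON document")


def find_sbom_components(search_path: list[str] | None = None) -> dict[str, list[tuple[str, str | None]]]:
    """Map each installed distribution name to the components its SBOMs declare.

    With search_path=None this walks sys.path (the live environment); pass a
    list of directories to inspect one specific site-packages instead.
    """
    kwargs = {} if search_path is None else {"path": search_path}
    found: dict[str, list[tuple[str, str | None]]] = {}
    for dist in distributions(**kwargs):
        for pkg_path in dist.files or []:  # files is None when RECORD is absent
            parts = pkg_path.parts  # e.g. ("x-1.0.dist-info", "sboms", "a.cdx.json")
            if (len(parts) == 3 and parts[0].endswith(".dist-info")
                    and parts[1] == SBOM_DIR and parts[2].endswith(".json")):
                comps = parse_sbom(json.loads(pkg_path.read_text()))
                found.setdefault(dist.metadata["Name"], []).extend(comps)
    return found


def _write_dist(root: Path, info_dir: str, name: str, version: str, sbom: dict | None) -> None:
    """Write a minimal installed distribution; sbom=None means no sboms/ directory."""
    info = root / info_dir
    info.mkdir(parents=True)
    (info / "METADATA").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    record = [f"{info_dir}/METADATA,,", f"{info_dir}/RECORD,,"]
    if sbom is not None:
        (info / SBOM_DIR).mkdir()
        (info / SBOM_DIR / "bundled.json").write_text(json.dumps(sbom))
        record.append(f"{info_dir}/{SBOM_DIR}/bundled.json,,")
    (info / "RECORD").write_text("\n".join(record) + "\n")


def build_fixture(root: Path) -> None:
    """Three constructed packages: one whose CycloneDX SBOM names a bundled OpenSSL,
    one whose SPDX SBOM names a bundled CUDA runtime, and one shipping no SBOM."""
    _write_dist(root, "fastcrypto-1.2.0.dist-info", "fastcrypto", "1.2.0", {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"type": "library", "name": "openssl", "version": "3.0.13",
                        "purl": "pkg:generic/openssl@3.0.13"}],
    })
    _write_dist(root, "ml_accel-0.4.dist-info", "ml-accel", "0.4", {
        "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
        "packages": [{"SPDXID": "SPDXRef-cudart", "name": "libcudart", "versionInfo": "12.4"}],
    })
    _write_dist(root, "plainpkg-0.1.dist-info", "plainpkg", "0.1", None)


def demo() -> dict[str, list[tuple[str, str | None]]]:
    """Build the fixture in a temporary directory and scan only that directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(Path(tmp))
        return find_sbom_components([tmp])


if __name__ == "__main__":
    for dist_name, comps in sorted(demo().items()):
        print(f"{dist_name}: {comps}")
```

Run without arguments it prints the two packages that declare bundled components and silently skips `plainpkg`; call `find_sbom_components()` with no argument to scan the live interpreter's environment. The point of the design is the one the white paper makes: because the SBOMs are ordinary files recorded in `RECORD`, no change to core metadata parsing was needed to make them discoverable.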
Read more of this story at Slashdot.
Environment groups are too white and middle class, says green boss
Asad Rehman (pictured), who became the first person of colour to lead Friends of the Earth this week, said more needed to be done as he pledged to develop a diverse movement.
One of Britain's worst paedophiles dead at 72: Monster who filmed himself abusing children as young as three dies in prison
Anthony Barron, formerly of Grove, Oxfordshire, was sentenced to life in prison in 2007 after pleading guilty to 87 charges of sexual offences against children.
I was eight when a serial killer strangled me. As I watched him butcher my family... I knew what I had to do
Shasta Groene was eight years old when serial killer Joseph Edward Duncan III butchered her family and spent weeks torturing her in the woods, where he also killed her brother. A new book tells her story
Wave goodbye to 'Wet Wipe Island': First mass removal from the River Thames is launched to clear London's 180-ton problem
The underwater 'island', which is the size of two tennis courts and weighs the same as two double decker buses, is said to have harmed the wildlife and ecology of the river.
Up, up and away! Skies above Bristol fill with dinosaurs, aliens and cows for annual balloon festival
Hundreds of dedicated early risers were up at dawn on Sunday to enjoy Bristol's annual balloon festival - as the skies were filled with dinosaurs, aliens and cows over the weekend.
Revealed: The reason why Gen Z are breaking the bank to go on holiday... and how much they go over budget
Holidays used to be about making memories. But for younger generations, this is the real reason they are breaking the bank to go abroad.
Arthur's Seat fire: Crews battling blaze at iconic Scottish landmark into the night after 'visitors were forced to flee hill on foot'
The fire broke out at Arthur's Seat at around 4pm on Sunday, as visitors were forced to make a quick getaway to avoid the flames.
How OpenAI used a new data type to cut inference costs by 75%
Decision to use MXFP4 makes models smaller, faster, and more importantly, cheaper for everyone involved
Analysis: Whether or not OpenAI's new open weights models are any good is still up for debate, but their use of a relatively new data type called MXFP4 is arguably more important, especially if it catches on among OpenAI's rivals.…
India’s services giant TCS lays off over 10,000 for reasons including AI, hikes wages for survivors
PLUS: Huawei open sources its CUDA equivalent; China boosts brain-computer interfaces; Scientists to visit penguins Trump taxed; And more!
Asia In Brief: Indian services giant Tata Consultancy Services will shed over 10,000 staff but will give pay rises to most of those who remain.…
Husband is refused permission to build parking space for his disabled wife because he lives in a world heritage site
A husband has been refused permission to build a parking space for his disabled wife outside their village home - over fears it would 'harm the character' of the heritage site where they live.
One person dies in Greece, Mount Vesuvius closed to tourists in Italy and vineyards turn to ash in France as wildfires rage across Europe
At least one person in Greece has died after wildfires consumed nearly 16,000 acres of land amid a surge of fires across Europe.
$1M Stolen in 'Industrial-Scale Crypto Theft' Using AI-Generated Code
"What happens when cybercriminals stop thinking small and start thinking like a Fortune 500 company?" asks a blog post from Koi Security. "You get GreedyBear, the attack group that just redefined industrial-scale crypto theft."
"150 weaponized Firefox extensions [impersonating popular cryptocurrency wallets like MetaMask and TronLink]. Nearly 500 malicious executables. Dozens of phishing websites. One coordinated attack infrastructure. According to user reports, over $1 million stolen."
They upload 5-7 innocuous-looking extensions like link sanitizers, YouTube downloaders, and other common utilities with no actual functionality... They post dozens of fake positive reviews for these generic extensions to build credibility. After establishing trust, they "hollow out" the extensions — changing names, icons, and injecting malicious code while keeping the positive review history. This approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review process, then weaponizing established extensions that already have user trust and positive ratings. The weaponized extensions capture wallet credentials directly from user input fields within the extension's own popup interface and exfiltrate them to a remote server controlled by the group...
Alongside malware and extensions, the threat group has also launched a network of scam websites posing as crypto-related products and services. These aren't typical phishing pages mimicking login portals — instead, they appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair services... While these sites vary in design, their purpose appears to be the same: to deceive users into entering personal information, wallet credentials, or payment details — possibly resulting in credential theft, credit card fraud, or both. Some of these domains are active and fully functional, while others may be staged for future activation or targeted scams...
A striking aspect of the campaign is its infrastructure consolidation: Almost all domains — across extensions, EXE payloads, and phishing sites — resolve to a single IP address: 185.208.156.66 — this server acts as a central hub for command-and-control, credential collection, ransomware coordination, and scam websites, allowing the attackers to streamline operations across multiple channels... Our analysis of the campaign's code shows clear signs of AI-generated artifacts. This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection.
This isn't a passing trend — it's the new normal.
The researchers believe the group "is likely testing or preparing parallel operations in other marketplaces."
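The infrastructure consolidation described above is what makes a single indicator valuable to defenders: if extensions, executables and scam sites all resolve to one hub address, one resolver pivot enumerates the sibling domains. The following added example (not Koi Security's code) shows that pivot over passive-DNS style records. The only real indicator in it is the hub address 185.208.156.66 quoted in the report; every domain, every other IP address (RFC 5737 test ranges) and the channel labels are constructed for the demo and do not describe actual GreedyBear infrastructure.

```python
"""Infrastructure-consolidation pivot over passive-DNS style records.

Added example, not Koi Security's code. KNOWN_HUBS holds the one address the
report names; SAMPLE_RECORDS is constructed for the demo (reserved .example
names and RFC 5737 test addresses), not real campaign data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

KNOWN_HUBS = {"185.208.156.66"}  # central hub IP quoted in the Koi Security write-up

# Constructed records: (domain, resolved_ip, channel the domain was seen in)
SAMPLE_RECORDS = [
    ("wallet-repair.example", "185.208.156.66", "phishing-site"),
    ("hardware-wallet-fix.example", "185.208.156.66", "phishing-site"),
    ("ext-update.example", "185.208.156.66", "extension-c2"),
    ("installer-cdn.example", "185.208.156.66", "exe-payload"),
    ("docs.example.org", "192.0.2.5", "benign"),
    ("cdn.example.net", "203.0.113.10", "benign"),
    ("static.example.net", "203.0.113.10", "benign"),
]


@dataclass
class Cluster:
    ip: str
    domains: list = field(default_factory=list)
    channels: set = field(default_factory=set)
    known_hub: bool = False


def cluster_by_ip(records):
    """Group every observed domain and channel under the IP it resolved to."""
    clusters = {}
    for domain, ip, channel in records:
        c = clusters.setdefault(ip, Cluster(ip=ip, known_hub=ip in KNOWN_HUBS))
        c.domains.append(domain)
        c.channels.add(channel)
    for c in clusters.values():
        c.domains.sort()
    return clusters


def suspicious_clusters(records, min_domains=3, min_channels=2):
    """IPs worth pivoting on: a known hub, or an address shared by at least
    min_domains domains seen across at least min_channels distinct channels
    (the consolidation pattern the report describes)."""
    out = []
    for c in cluster_by_ip(records).values():
        consolidated = len(c.domains) >= min_domains and len(c.channels) >= min_channels
        if c.known_hub or consolidated:
            out.append(c)
    # known hubs first, then the largest shared-IP clusters
    return sorted(out, key=lambda c: (not c.known_hub, -len(c.domains), c.ip))


def pivot_from_hubs(records):
    """Blocklist expansion: every domain that resolved to a known hub address."""
    return sorted({domain for domain, ip, _ in records if ip in KNOWN_HUBS})


if __name__ == "__main__":
    for c in suspicious_clusters(SAMPLE_RECORDS):
        tag = "KNOWN HUB" if c.known_hub else "consolidated"
        print(f"{c.ip} [{tag}] {len(c.domains)} domains over {sorted(c.channels)}")
    print("block:", pivot_from_hubs(SAMPLE_RECORDS))
```

The thresholds are deliberately parameters: shared hosting and CDNs also put many unrelated domains behind one address, so the benign 203.0.113.10 cluster in the sample is only flagged if you lower `min_channels` to 1. Requiring the domains to span more than one campaign channel (extension C2, payload hosting, scam sites) is what separates the consolidation the report describes from ordinary co-hosting.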
Does Ed Miliband's new £3,750 grant make it worth buying an electric car? How to get it and the EVs to buy
Car buyers are being offered a cash incentive to purchase a new electric vehicle (EV) for the first time in three years. But the size of the discounts and the rules have left drivers confused.
Which soap star missed 15 calls from the school when her daughter broke her arm? DOLLY JONES reveals an ultimate parenting fail
I felt vindicated in particular by one Army officer who told me she'd postponed her toddler's birthday to make it to a meeting. I'm still cringing years after having done the same thing.
Shane Watson: Over 50? These are the only white trainers to be seen in… and 6 other anti-ageing styles to try from just £49.50
How bored are you of hearing about trainers? A bit, no doubt, because in the past 15 years, trainers have become the number one fashion forward footwear for all ages and both sexes.
Olly Murs admits becoming a father helped him 'relate to his own mother's sadness' over his bitter 16-year estrangement from twin brother Ben
The singer, 40, has not spoken to his sibling since he missed his wedding in 2009 to take part in The X Factor semi-finals.
Inside the eerie abandoned hotel in Japan - which once used to be a religious-themed amusement park
An explorer who visited Japan's largest abandoned resort has shared fascinating footage of the decaying complex - including the remnants of what would have been a five-star, 1000-room hotel.
Growing up with the Black Widow: The children of UK's most notorious female gangster reveal how they played with shotguns as toys - and lost their dad in an armed robbery
Linda Calvey, 77, known as 'The Black Widow', was one of East London's most terrifying and prolific gangsters, who earned an estimated £1million from armed robberies.