NPM Users Download 2.1B Deprecated Packages Weekly, Say Security Researchers

The cybersecurity site SC Media reports that NPM registry users “download deprecated packages an estimated 2.1 billion times weekly, according to a statistical analysis of the top 50,000 most-downloaded packages in the registry.”

Deprecated, archived and “orphaned” NPM packages can contain unpatched and/or unreported vulnerabilities that pose a risk to the projects that depend on them, warned the researchers from Aqua Security’s Team Nautilus, who published their findings in a blog post on Sunday… In conjunction with their research, Aqua Nautilus has released an open-source tool that can help developers identify deprecated dependencies in their projects.

Open-source software may stop receiving updates for a variety of reasons, and it is up to developers/maintainers to communicate this maintenance status to users. As the researchers pointed out, not all developers are transparent about potential risks to users who download or depend on their outdated NPM packages. Aqua Nautilus researchers kicked off their analysis after finding that one open-source software maintainer responded to a report about a vulnerability Nautilus discovered by archiving the vulnerable repository the same day. By archiving the repository without fixing the security flaw or assigning it a CVE, the owner leaves developers of dependent projects in the dark about the risks, the researchers said…

Taking into consideration both deprecated packages and active packages that have a direct dependency on deprecated projects, the researchers found about 4,100 (8.2%) of the top 50,000 most-downloaded NPM packages fell under the category of “official” deprecation. However, adding archived repositories to the definition of “deprecated” increased the number of packages affected by deprecation and deprecated dependencies to 6,400 (12.8%)… Including packages with linked repositories that are shown as unavailable (404 error) on GitHub increases the deprecation rate to 15% (7,500 packages), according to the Nautilus analysis. Encompassing packages without any linked repository brings the final number of deprecated packages to 10,600, or 21.2% of the top 50,000. Team Nautilus estimated that under this broader understanding of package deprecation, about 2.1 billion downloads of deprecated packages are made on the NPM registry weekly.

Read more of this story at Slashdot.

Ultra-Large Structure Discovered In Distant Space Challenges Cosmological Principle

“The discovery of a second ultra-large structure in the remote universe has further challenged some of the basic assumptions about cosmology,” writes SciTechDaily:

The Big Ring on the Sky is 9.2 billion light-years from Earth. It has a diameter of about 1.3 billion light-years, and a circumference of about four billion light-years. If we could step outside and see it directly, the diameter of the Big Ring would need about 15 full Moons to cover it.

It is the second ultra-large structure discovered by University of Central Lancashire (UCLan) PhD student Alexia Lopez who, two years ago, also discovered the Giant Arc on the Sky. Remarkably, the Big Ring and the Giant Arc, which is 3.3 billion light-years across, are in the same cosmological neighborhood — they are seen at the same distance, at the same cosmic time, and are only 12 degrees apart on the sky. Alexia said: “Neither of these two ultra-large structures is easy to explain in our current understanding of the universe. And their ultra-large sizes, distinctive shapes, and cosmological proximity must surely be telling us something important — but what exactly?

“One possibility is that the Big Ring could be related to Baryonic Acoustic Oscillations (BAOs). BAOs arise from oscillations in the early universe and today should appear, statistically at least, as spherical shells in the arrangement of galaxies. However, detailed analysis of the Big Ring revealed it is not really compatible with the BAO explanation: the Big Ring is too large and is not spherical.” Other explanations might be needed, explanations that depart from what is generally considered to be the standard understanding in cosmology…

And if the Big Ring and the Giant Arc together form a still larger structure then the challenge to the Cosmological Principle becomes even more compelling… Alexia said, “From current cosmological theories we didn’t think structures on this scale were possible. ”

Possible explanations include a Conformal Cyclic Cosmology, or the effect of cosmic strings passing through…
Thanks to long-time Slashdot reader schwit1 for sharing the article.

Read more of this story at Slashdot.

Do Electric Vehicles Fail at a Lower Rate Than Gas Cars In Extreme Cold?

In a country experiencing extreme cold — and where almost 1 in 4 cars are electric — a roadside assistance company says it’s still gas-powered cars that are experiencing the vast majority of problems starting.

Electrek argues that while extreme cold may affect chargers, “it mainly gets attention because it’s a new technology and it fails for different reasons than gasoline vehicles in the cold.”

Viking, a road assistance company (think AAA), says that it responded to 34,000 assistance requests in the first 9 days of the year. Viking says that only 13% of the cases were coming from electric vehicles (via TV2 — translated from Norwegian) [“13 percent of the cases with starting difficulties are electric cars, while the remaining 87 percent are fossil cars…”]

To be fair, this data doesn’t adjust for the age of the vehicles. Older gas-powered cars fail at a higher rate than the new ones and electric vehicles are obviously much more recent on average.

Thanks to long-time Slashdot reader Geoffrey.landis for sharing the article.

Read more of this story at Slashdot.

Google To Invest $1 Billion In UK Data Center

Google announced today that it will invest $1 billion building a data center near London. Reuters reports: The data centre, located on a 33-acre (13-hectare) site bought by Google in 2020, will be located in the town of Waltham Cross, about 15 miles north of central London, the Alphabet-owned company said in a statement. The British government, which is pushing for investment by businesses to help fund new infrastructure, particularly in growth industries like technology and artificial intelligence, described Google’s investment as a “huge vote of confidence” in the UK.

“Google’s $1 billion investment is testament to the fact that the UK is a centre of excellence in technology and has huge potential for growth,” Prime Minister Rishi Sunak said in the Google statement. The investment follows Google’s $1 billion purchase of a central London office building in 2022, close to Covent Garden, and another site in nearby King’s Cross, where it is building a new office and where its AI company DeepMind is also based. In November, Microsoft announced plans to pump $3.2 billion into Britain over the next three years.

Read more of this story at Slashdot.

Bing Gained Less Than 1% Market Share Since Adding Bing Chat, Report Finds

BMW Will Employ Figure’s Humanoid Robot At South Carolina Plant

Figure’s first humanoid robot will be coming to a BMW manufacturing facility in South Carolina. TechCrunch reports: BMW has not disclosed how many Figure 01 models it will deploy initially. Nor do we know precisely what jobs the robot will be tasked with when it starts work. Figure did, however, confirm with TechCrunch that it is beginning with an initial five tasks, which will be rolled out one at a time. While folks in the space have been cavalierly tossing out the term “general purpose” to describe these sorts of systems, it’s important to temper expectations and point out that they will all arrive as single- or multi-purpose systems, growing their skillset over time. Figure CEO Brett Adcock likens the approach to an app store — something that Boston Dynamics currently offers with its Spot robot via SDK.

Likely initial applications include standard manufacturing tasks such as box moving, pick and place and pallet unloading and loading — basically the sort of repetitive tasks for which factory owners claim to have difficulty retaining human workers. Adcock says that Figure expects to ship its first commercial robot within a year, an ambitious timeline even for a company that prides itself on quick turnaround times. The initial batch of applications will be largely determined by Figure’s early partners like BMW. The system will, for instance, likely be working with sheet metal to start. Adcock adds that the company has signed up additional clients, but declined to disclose their names. It seems likely Figure will instead opt to announce each individually to keep the news cycle spinning in the intervening 12 months.

Read more of this story at Slashdot.

Apple Again Banned From Selling Watches In US With Blood Oxygen Sensor

A U.S. Court of Appeals said Apple will again be barred from selling the Apple Watch Series 9 and Ultra 2 beginning Thursday. These models both contain a blood oxygen sensor that infringes on the intellectual property of medical device company Masimo.

“The court order Wednesday did not rule on Apple’s effort to overturn a U.S. International Trade Commission ban on the company selling the affected watches in the United States,” notes CNBC. “But it lifted an injunction that had blocked the ban from taking effect while that appeal is pending.” From the report: In December, Apple chose to briefly remove the affected watches from its online and retail stores, though retailers with those devices in stock may still sell them. Earlier this week, court filings suggested that Apple had received approval from U.S. Customs for a modified version of its Apple Watches that lack the blood oxygen feature and therefore no longer infringe on Masimo’s intellectual property. It could open a path for a modified Apple Watch to return to U.S. store shelves.

Read more of this story at Slashdot.

Sheryl Sandberg To Exit Meta’s Board After 12 Years

According to Axios, former Meta chief operating officer Sheryl Sandberg plans to leave Meta’s board of directors after holding a seat for the past 12 years. From the report: “With a heart filled with gratitude and a mind filled with memories, I let the Meta board know that I will not stand for reelection this May,” Sandberg wrote In a Facebook post announcing her departure. “After I left my role as COO, I remained on the board to help ensure a successful transition,” Sandberg said. Acknowledging CEO Mark Zuckerberg’s leadership, Sandberg said he and Meta’s current leadership team “have proven beyond a doubt that the Meta business is strong and well-positioned for the future, so this feels like the right time to step away.” “I will always be grateful to Mark for believing in me and for his partnership and friendship; he is that truly once-in-a-generation visionary leader and he is equally amazing as a friend who stays by your side through the good times and the bad,” Sandberg added. She also expressed gratitude to her colleagues and teammates at Meta as well as Meta’s board members.

Sandberg left the company she helped build as an executive in September 2022 after 14 years. She remained on Meta’s board following her departure, a seat she held for the past 12 years. In announcing her departure, Sandberg said she aimed to focus on more philanthropic work. In the time since leaving the company as an executive, she has focused more her time on her women’s leadership philanthropy, Lean In. More recently, Sandberg has also focused on the conversation around rape and sexual violence as a weapon of war, particularly as it pertains to the Israel-Hamas conflict. Axios notes that Meta’s revenue “grew 43,000% from $272 million in 2008 to nearly $118 billion in 2021” under Sandberg’s business leadership.

Read more of this story at Slashdot.

Mobile Device Ambient Light Sensors Can Be Used To Spy On Users

“The ambient light sensors present in most mobile devices can be accessed by software without any special permissions, unlike permissions required for accessing the microphone or the cameras,” writes longtime Slashdot reader BishopBerkeley. “When properly interrogated, the data from the light sensor can reveal much about the user.” IEEE Spectrum reports: While that may not seem to provide much detailed information, researchers have already shown these sensors can detect light intensity changes that can be used to infer what kind of TV programs someone is watching, what websites they are browsing or even keypad entries on a touchscreen. Now, [Yang Liu, a PhD student at MIT] and colleagues have shown in a paper in Science Advances that by cross-referencing data from the ambient light sensor on a tablet with specially tailored videos displayed on the tablet’s screen, it’s possible to generate images of a user’s hands as they interact with the tablet. While the images are low-resolution and currently take impractically long to capture, he says this kind of approach could allow a determined attacker to infer how someone is using the touchscreen on their device. […]

“The acquisition time in minutes is too cumbersome to launch simple and general privacy attacks on a mass scale,” says Lukasz Olejnik, an independent security researcher and consultant who has previously highlighted the security risks posed by ambient light sensors. “However, I would not rule out the significance of targeted collections for tailored operations against chosen targets.” But he also points out that, following his earlier research, the World Wide Web Consortium issued a new standard that limited access to the light sensor API, which has already been adopted by browser vendors.

Liu notes, however, that there are still no blanket restrictions for Android apps. In addition, the researchers discovered that some devices directly log data from the light sensor in a system file that is easily accessible, bypassing the need to go through an API. The team also found that lowering the resolution of the images could bring the acquisition times within practical limits while still maintaining enough detail for basic recognition tasks. Nonetheless, Liu agrees that the approach is too complicated for widespread attacks. And one saving grace is that it is unlikely to ever work on a smartphone as the displays are simply too small. But Liu says their results demonstrate how seemingly harmless combinations of components in mobile devices can lead to surprising security risks.

Read more of this story at Slashdot.

Uber Shutting Down Alcohol Delivery Service Drizly

Uber is shutting down alcohol delivery service Drizly three years after the company acquired it for $1.1 billion. Axios reports: Drizly was always a bit of an odd match for Uber, in that it didn’t hire or contract its own delivery workers. Instead, Drizly provided backend tech that let local liquor stores provide their own deliveries. The bigger issue, however, might have been cybersecurity. Drizly in 2020 confirmed a hack that exposed information on around 2.5 million customers.

What it didn’t say, however, was that the company had been aware of the security flaw for two years without fixing it. That information was discovered by the Federal Trade Commission, after Uber’s acquisition of Drizly, and led to an FTC order that restricted the types of customer information that Drizly could collect and retain. “After three years of Drizly operating independently within the Uber family, we’ve decided to close the business and focus on our core Uber Eats strategy of helping consumers get almost anything — from food to groceries to alcohol — all on a single app,” said Pierre-Dimitri Gore-Coty, Uber’s SVP of delivery. “We’re grateful to the Drizly team for their many contributions to the growth of the BevAlc delivery category as the original industry pioneer.”

Read more of this story at Slashdot.