Slashdot.org

News for nerds, stuff that matters

Erroneous 'Spam' Flag Affected 102 npm Packages

Sat, 01/13/2018 - 10:34
There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time... In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication. They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately."


Interviewing the Interviewer

Sat, 01/13/2018 - 09:20
Terry Gross, host of NPR's Fresh Air, on the art of the Q&A: "People are always projecting things. They're hearing things that weren't said or projecting meaning that was not intended and, perhaps, not even implied. I've gotten both insults and compliments for interviews I've never done. What can you do? There's no way of controlling what people think. I do have a bullshit detector and it's something I'll use, but I do think I try and be empathetic to everyone I interview," said Gross.


Adult Themed VR Game Leaks Data On Thousands

Sat, 01/13/2018 - 08:00
chicksdaddy writes from The Security Ledger: Somebody deserves a spanking after personal information on thousands of users of an adult virtual reality game was exposed to security researchers in the UK by a balky application. Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application -- a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability to parent company inVR, Inc., Digital Interruption researcher and founder Jahmel Harris told The Security Ledger. Jahmel estimated that more than 19,000 records were leaked by the application, but did not have an exact count. SinVR is a sex-themed virtual reality game that allows players to navigate in various adult-themed environments and interact with virtual characters in common pornographic themes including BDSM, cosplay, naughty teacher, and so on. The company discovered the data after reverse-engineering the SinVR desktop application and noticing a function named "downloadallcustomers." That function called a web service that returned thousands of SinVR customer records including email addresses, user names, computer PC names and so on. Passwords and credit card details were not part of the data dump, Harris said.


Cryptocurrency Exchange Kraken Suddenly Goes Dark For Two Days

Sat, 01/13/2018 - 05:00
An anonymous reader quotes the San Francisco Chronicle: One of the biggest cryptocurrency exchanges was down more than 40 hours this week, causing clients to freak out... San Francisco's Kraken went offline at 9 p.m. on Wednesday for maintenance that was initially scheduled to last two hours, plus an additional two to three hours for withdrawals, according to an announcement on the company's website. "We are still working to resolve the issues that we have identified and our team is working around the clock to ensure a smooth upgrade," according to a status update on Kraken's website posted early Friday. "This means it may still take several hours before we can relaunch." Shortly after noon, the company said it was "still working to track down an elusive bug which is holding up launch." It promised customers "a substantial amount of free trading" after the problem was resolved. In previous updates, Kraken mentioned it is working on "unexpected and delicate issues" and assured clients their funds were secure, adding that "Yes, this is our new record for downtime since we launched in 2013. No, we're not proud of it." It's 53 hours after the downtime began, and their web page is still showing the same announcement. "Kraken is presently offline for maintenance."


French Songwriter Kiesza Composes First Mainstream Music Album Co-Written With AI

Sat, 01/13/2018 - 02:00
dryriver shares a report from the BBC, highlighting "a new album that features everything from cowboy sci-fi to Europop." What's special about the album -- Hello World by Canadian singer Kiesza -- is that it's the first full-length mainstream music album co-written with the help of artificial intelligence. You can judge the quality for yourself: First, view the single "Hello Shadow" with Canadian singer Kiesza. Next, the BBC story, which seems to think that the album is actually rather good: "Benoit Carre has written songs for some of France's biggest stars: from Johnny Halliday -- the French Elvis, who died last year -- to chanteuse Francoise Hardy. But this month, the 47-year-old is releasing an album with a collaborator he could never have dreamt of working with. It's not a singer, or rapper. It's not even really a musician. It's called Flow Machines, and it is, arguably, the world's most advanced artificially-intelligent music program. For musicians, there's been one good thing about these projects so far: the music they've produced has been easy to dismiss, generic and uninspiring -- hardly likely to challenge Bob Dylan in the songwriting department. But Carre's album, Hello World, is different for the simple reason that it's good. Released under the name SKYGGE (Danish for shadow), it features everything from sci-fi cowboy ballads to Europop, and unlike most AI music, if you heard it on the radio, you wouldn't think something had gone horribly wrong. Flow Machines, developed at Sony's Computer Science Laboratories in Paris, does indeed write original melodies, Carre adds. It also suggests the chords and sounds to play them with. But Carre says a human is always needed to stitch the songs together, give them structure and emotion. Without people, its songs would be a bit rubbish. "There were many people involved in this," he says, listing the likes of Belgian house producer Stromae and Canadian pop star Kiesza. "They gave their soul, their enthusiasm. I think that's the most important point of the album, in a way -- that it's a very human one.""
