Television

Big Budget Blockbusters Arrive Amid Fears of 'Peak TV' (ft.com) 79

Crop of expensive fantasy adaptations from Amazon and HBO Max served up at subsidised prices. Financial Times: Since 2016, the veteran US television executive John Landgraf has been predicting the arrival of "peak TV" -- the moment when the number of new scripted shows reaches an all-time high. The streaming boom has proved him wrong every time but he gamely made the prediction again this month, telling guests at the Television Critics Association press tour that 2022 would mark "the peak of the peak TV era." Landgraf, chair of Disney's FX network, conceded that he could be wrong this time too. But there is little doubt that this autumn will present audiences with a flood of some of the most expensive television ever produced. On September 2, Amazon Prime will release its adaptation of The Lord of the Rings, with an estimated budget of $465mn for the first season -- almost enough to make Top Gun: Maverick three times over.

HBO Max's House of the Dragon -- the prequel to Game of Thrones -- is reported to have cost $200mn for the season's 10 episodes. At Disney Plus, Star Wars: Andor will lead a large slate of new programmes that include a Pinocchio remake, She Hulk, and a spin-off of the Cars franchise. These shows are being served up to consumers at subsidised prices by streaming platforms making record losses. The only profitable exception is Netflix, but the industry pioneer's market value has plunged almost $200bn over the past year because of slowing subscriber growth. Its share price is languishing at a four-year low. The forthcoming crop of new programming was given the green light during a headier time, when Wall Street cheered as streaming services committed lavish sums to compete. But faith in the streaming business model -- and investor tolerance for profligate spending -- has waned as Netflix's once-blistering subscription growth has gone into reverse.

[...] On top of that, there are growing concerns that inflation will bite into discretionary spending, including on streaming services. "Everyone [in Hollywood] is throwing big dollars after big things," said Niels Juul, who was an executive producer of Martin Scorsese's Netflix film The Irishman. "But [subscribers] are inundated now to the point where they are looking at their monthly bills and saying, 'Something's got to go -- I've got $140 worth of subscriptions here!'" Even so, Tom Harrington at Enders Analysis said consumers were still getting a better deal than the streaming companies themselves. "People get through $100mn of TV in a day and say: 'what's next?' From a consumer point of view that is great. But for a video operator, it's clearly unsustainable."

Programming

Heroku Announces Plans To Eliminate Free Plans, Blaming 'Fraud and Abuse' (techcrunch.com) 9

After offering them for over a decade, Heroku announced this week that it will eliminate all of its free services -- pushing users to paid plans. From a report: Starting November 28, the Salesforce-owned cloud platform as a service will stop providing free product plans and shut down free data services, and soon (on October 26) will begin deleting inactive accounts and associated storage for accounts that have been inactive for over a year. In a blog post, Bob Wise, Heroku general manager and Salesforce EVP, blamed the demise of the free services on "abuse"; the affected offerings span the free plans for Heroku Dynos and Heroku Postgres as well as the free plan for Heroku Data for Redis.

[...] Wise went on to note that Heroku will be announcing a student program at Salesforce's upcoming Dreamforce conference in September, but the details remain a mystery at this point. For the uninitiated, Heroku allows programmers to build, run and scale apps across programming languages including Java, PHP, Scala and Go. Salesforce acquired the company for $212 million in 2010 and subsequently introduced support for Node.js and Clojure and Heroku for Facebook, a package to simplify the process of deploying Facebook apps on Heroku infrastructure. Heroku claims on its website that it's been used to develop 13 million apps to date.

Programming

Report: 97% of Software Testing Pros Are Using Automation (venturebeat.com) 49

It turns out, software testers are relying more on automation than ever before, driven by a desire to lower testing costs and improve software quality and user experience. VentureBeat shares the findings from a new report by Kobiton: Kobiton asked 150 testers in companies with at least 50 employees across a range of industries. [...] For context, there are two kinds of software testing: manual and automated. Manual is still common but it's not ideal for repetitive tests, leading many testers to choose automation, which can expedite development and app performance. To wit, 40% of testers responding to Kobiton's study said their primary motivation for using automation is improving user experience. "In a study we conducted two years ago, half the testers we asked said their automation programs were relatively new, and 76% said they were automating fewer than 50% of all tests," said Kevin Lee, CEO of Kobiton. "Nearly 100% of testers participating in this year's study are using automation, which speaks to how far the industry has come."

Testing managers are prioritizing new hires with automation experience, too. Kobiton's study found that automation experience is one of the three skills managers are most interested in. And how is automation being used? A plurality (34%) of respondents to Kobiton's survey said they are using automation for an equal mix of regression and new feature testing. And it's made them more efficient. Almost half (47%) of survey respondents said it takes 3-5 days for manual testing before a release, whereas automated tests can have it done in 3-6 hours.

Operating Systems

Google's Fuchsia OS is Taking Over Smart Displays, Now on Its Second Device (arstechnica.com) 23

The kingdom of Google's third major operating system, Fuchsia, is growing a little wider today. ArsTechnica: 9to5Google reports Google completed the rollout of Fuchsia to the Google Nest Hub Max. Along with the original Nest Hub/Google Home Hub, that puts two of Google's three smart displays on the new OS, with the one holdout being the 2nd Gen Nest Hub. The Nest Hub Max is the first device running Fuchsia that Google is currently selling -- the Home Hub only got Fuchsia after it had been discontinued. The Google smart display user interface is written in Flutter, Google's cross-platform UI toolkit (its apps are written in Dart), which runs on Android, iOS, Fuchsia, and the weird cast platform Nest Hubs typically use. So it's not right to describe the user interface as "similar" after the OS swap -- it's the exact same code because Flutter runs on nearly everything.

You are getting a slightly newer code version, though, and it comes with a Bluetooth menu. If you dive into the settings and hit "about device," you'll see a "Fuchsia Version" field that will say something like "6.20211109.1.3166243." It's a bit weird to do an entire OS switch to the futuristic, secretive Fuchsia project and then have basically nothing to show (or say) for it in terms of obvious improvements in performance or security. You can dive into the minutia of the Fuchsia source code, but it continues to be a mystery in terms of what practical benefits it offers consumers. Google never talks about Fuchsia, so not much is known about what, exactly, Google is accomplishing here.

Unix

Unix Legend Adding Unicode Support To AWK - Once He Figures Out Git (arstechnica.com) 103

Co-creator of core Unix utility, now 80, just needs to run a few more tests. From a report: A Princeton professor, finding a little time for himself in the summer academic lull, emailed an old friend a couple months ago. Brian Kernighan said hello, asked how their US visit was going, and dropped off hundreds of lines of code that could add Unicode support for AWK, the text-parsing tool he helped create for Unix at Bell Labs in 1977. "I have tested this a fair amount but clearly more tests are needed," Kernighan wrote in the email, posted as a kind of pseudo-commit on the onetrueawk repo by longtime maintainer Arnold Robbins. "Once I figure out how ... I will try to submit a pull request. I wish I understood git better, but in spite of your help, I still don't have a proper understanding, so this may take a while." Kernighan is the "K" in AWK, a special-purpose language for extracting and manipulating text that was key to Unix's pipeline features and interoperability between systems. A working awk (AWK is the language, awk the command to invoke it) is critical to both Single UNIX Specification and IEEE POSIX certification for interoperability. There are countless variants of awk, but "One True AWK," sometimes known as nawk, is the version based on Kernighan's 1985 book The AWK Programming Language and his subsequent input.

Kernighan is also the "K" in "K&R C," the foundational 1978 book The C Programming Language he cowrote with Dennis Ritchie that sticks with programmers, mentally and in dog-eared paper form. C's roots go much deeper. Kernighan had been teaching C to workers at Bell Labs and convinced its creator, Dennis Ritchie, to collaborate on a book to spread the knowledge. That book gave birth to "the one true brace style," the endless debate that goes with it, and the structure underpinning every modern programming language. Kernighan also named Unix and first demonstrated the "Hello, world" code example.

Encryption

Hyundai Uses Example Keys For Encryption System (schneier.com) 107

"Hyundai predictably fails in attempting to secure their car infotainment system with a default key lifted from programming examples," writes Slashdot reader sinij. "This level of security is unfortunately expected from auto manufacturers, who also would like to sell you always-connected Car2Car self-driving automobiles." Cryptographer and security expert Bruce Schneier writes: "Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]," writes an unidentified developer under the name "greenluigi1." Luck held out, in a way. "Greenluigi1" found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like "RSA Encryption & Decryption Example with OpenSSL in C." Two questions remain:
1) How did the test key get left behind?
2) Was it by accident or design?
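
The practical check this story suggests, as an added example that is not code from the page, from Hyundai, or from greenluigi1's write-up: scan an extracted firmware image for key material copied out of public documentation. The two table entries are the AES-128 key and the CBC IV from NIST SP 800-38A Appendix F; the tutorial RSA key mentioned above is deliberately not included because its bytes are not on the page. The table layout, the function names and the sample "firmware" are this example's own assumptions, and only the Rust standard library is used.

```rust
// Added example: scan a firmware image for key material lifted from public
// documentation. Not code from the page, Hyundai or greenluigi1's write-up;
// the names and the constructed sample data below are this example's own.

/// Known example material. Both entries are from NIST SP 800-38A Appendix F
/// (the AES-128 key and the CBC IV). `strong` is false for the IV because the
/// byte run 00 01 .. 0f also occurs naturally in lookup tables and counters,
/// so a raw hit on it alone is only a weak signal. A real table would also
/// carry tutorial RSA moduli and library test vectors (assumed, not supplied).
const KNOWN_EXAMPLE_MATERIAL: &[(&str, [u8; 16], bool)] = &[
    (
        "NIST SP 800-38A AES-128 example key",
        [
            0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
            0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
        ],
        true,
    ),
    (
        "NIST SP 800-38A CBC example IV",
        [
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
        ],
        false,
    ),
];

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Hit {
    pub name: &'static str,
    pub offset: usize,
    /// "raw" = the 16 bytes themselves; "hex" = the 32-character ASCII
    /// spelling, which is how scripts and config files usually carry keys.
    pub form: &'static str,
    pub strong: bool,
}

/// Byte offsets of every occurrence of `needle` in `hay` (overlaps included).
fn find_all(hay: &[u8], needle: &[u8]) -> Vec<usize> {
    if needle.is_empty() || hay.len() < needle.len() {
        return Vec::new();
    }
    hay.windows(needle.len())
        .enumerate()
        .filter(|(_, window)| *window == needle)
        .map(|(offset, _)| offset)
        .collect()
}

fn hex_lower(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Scan `blob` for each known key/IV in raw, lowercase-hex and uppercase-hex
/// form. Hits come back sorted by offset.
pub fn scan_for_example_keys(blob: &[u8]) -> Vec<Hit> {
    let mut hits = Vec::new();
    for &(name, material, strong) in KNOWN_EXAMPLE_MATERIAL {
        let lower = hex_lower(&material);
        let upper = lower.to_ascii_uppercase();
        let forms: [(&'static str, &[u8]); 3] = [
            ("raw", &material[..]),
            ("hex", lower.as_bytes()),
            ("hex", upper.as_bytes()),
        ];
        for &(form, needle) in forms.iter() {
            for offset in find_all(blob, needle) {
                hits.push(Hit { name, offset, form, strong });
            }
        }
    }
    hits.sort_by_key(|hit| hit.offset);
    hits
}

/// Constructed sample "firmware" for the demo: an update script that spells
/// the NIST key in hex, followed by a binary section that contains it raw.
pub fn sample_blob() -> Vec<u8> {
    let mut blob = b"#!/bin/sh\nKEY=2b7e151628aed2a6abf7158809cf4f3c\n".to_vec();
    blob.extend_from_slice(&[0xde, 0xad]);
    blob.extend_from_slice(&KNOWN_EXAMPLE_MATERIAL[0].1);
    blob
}

fn main() {
    for hit in scan_for_example_keys(&sample_blob()) {
        let level = if hit.strong { "STRONG" } else { "weak" };
        println!("{:#08x} {:<3} {:<6} {}", hit.offset, hit.form, level, hit.name);
    }
}
```

Run it over every extracted partition, not just the update script: the key is as dangerous in a compiled updater binary as in a shell script, which is why both the raw and the hex spelling are searched. A raw hit on the sequential IV bytes is reported as weak because that pattern shows up in ordinary tables; a hit on the AES key in either form should be treated as a finding.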

Security

The New USB Rubber Ducky Is More Dangerous Than Ever (theverge.com) 47

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

Programming

Rust 1.63 Released, Adding Scoped Threads (rust-lang.org) 27

This week the Rust team announced the release of Rust 1.63.

One notable update is the addition of scoped threads to the standard library: Rust code could launch new threads with std::thread::spawn since 1.0, but this function bounds its closure with 'static. Roughly, this means that threads currently must have ownership of any arguments passed into their closure; you can't pass borrowed data into a thread. In cases where the threads are expected to exit by the end of the function (by being join()'d), this isn't strictly necessary and can require workarounds like placing the data in an Arc.

Now, with 1.63.0, the standard library is adding scoped threads, which allow spawning a thread borrowing from the local stack frame. The std::thread::scope API provides the necessary guarantee that any spawned threads will have exited prior to itself returning, which allows for safely borrowing data.

The official Rust RFC book says "The main drawback is that scoped threads make the standard library a little bit bigger," but calls it "a very common and useful utility...great for learning, testing, and exploratory programming.

"Every person learning Rust will at some point encounter interaction of borrowing and threads. There's a very important lesson to be taught that threads can in fact borrow local variables, but the standard library [didn't] reflect this." And otherwise, "Implementing scoped threads is very tricky to get right so it's good to have a reliable solution provided by the standard library."
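
The two shapes the release notes contrast, as an added example that is not code from the Rust release notes or from the page (the function names and the parallel-sum task are this example's own): the pre-1.63 `Arc` workaround beside the `std::thread::scope` version, plus a scoped worker that mutates disjoint chunks of the caller's buffer, something `spawn` cannot express without `Arc<Mutex<_>>`. Needs Rust 1.63 or later; standard library only.

```rust
// Added example contrasting std::thread::spawn + Arc with std::thread::scope.
// Not code from the Rust project or the page; names are this example's own.
use std::sync::Arc;
use std::thread;

/// Pre-1.63 shape: `thread::spawn` needs a `'static` closure, so the slice
/// cannot be borrowed. The whole Vec is moved into an `Arc` and one clone is
/// handed to each worker; the caller gives up ownership of `data`.
pub fn parallel_sum_arc(data: Vec<u64>, workers: usize) -> u64 {
    let workers = workers.max(1);
    let shared = Arc::new(data);
    let chunk = ((shared.len() + workers - 1) / workers).max(1);
    let handles: Vec<_> = (0..workers)
        .map(|i| {
            let shared = Arc::clone(&shared);
            thread::spawn(move || {
                let start = (i * chunk).min(shared.len());
                let end = ((i + 1) * chunk).min(shared.len());
                shared[start..end].iter().sum::<u64>()
            })
        })
        .collect();
    handles
        .into_iter()
        .map(|h| h.join().expect("worker panicked"))
        .sum()
}

/// Rust 1.63 shape: `thread::scope` joins every spawned thread before it
/// returns, so workers may borrow `data` directly. No Arc, no copy, and the
/// caller keeps ownership of the buffer.
pub fn parallel_sum_scoped(data: &[u64], workers: usize) -> u64 {
    let workers = workers.max(1);
    let chunk = ((data.len() + workers - 1) / workers).max(1);
    thread::scope(|s| {
        let handles: Vec<_> = data
            .chunks(chunk)
            .map(|slice| s.spawn(move || slice.iter().sum::<u64>()))
            .collect();
        handles
            .into_iter()
            .map(|h| h.join().expect("worker panicked"))
            .sum()
    })
}

/// Scoped threads can also hold *mutable* borrows of disjoint parts of the
/// caller's buffer: each worker squares its own chunk in place.
pub fn square_in_place(data: &mut [u64], workers: usize) {
    let workers = workers.max(1);
    let chunk = ((data.len() + workers - 1) / workers).max(1);
    thread::scope(|s| {
        for slice in data.chunks_mut(chunk) {
            s.spawn(move || {
                for x in slice.iter_mut() {
                    *x *= *x;
                }
            });
        }
    });
}

fn main() {
    let mut data: Vec<u64> = (1..=1_000).collect();
    println!("arc:            {}", parallel_sum_arc(data.clone(), 4));
    println!("scoped:         {}", parallel_sum_scoped(&data, 4));
    square_in_place(&mut data, 4);
    println!("sum of squares: {}", parallel_sum_scoped(&data, 4));
}
```

The property that matters is the join guarantee: `thread::scope` will not return, and the borrow will not end, while any worker is alive, so stack data can never be freed underneath a still-running thread; a worker that panics becomes a panic from `scope` rather than a silently lost result. The `Arc` version is not wrong, it just pays for a heap allocation and reference counting to prove to the compiler something the scope proves structurally.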

Python

'Unstoppable' Python Remains More Popular than C and Java (infoworld.com) 177

"Python seems to be unstoppable," argues the commentary on August's edition of the TIOBE index (which attempts to calculate programming-language popularity based on search results for courses, vendors, and "skilled engineers").

By that measure Python's "market share" rose another 2% in this month's index — to an all-time high of 15.42%. It is hard to find a field of programming in which Python is not used extensively nowadays. The only exception is (safety-critical) embedded systems because of Python being dynamically typed and too slow. That is why the performant languages C and C++ are gaining popularity as well at the moment.

If we look at the rest of the TIOBE index, not that much happened last month. Swift and PHP swapped places again at position 10, Rust is getting close to the top 20, Kotlin is back in the top 30, and the new Google language Carbon enters the TIOBE index at position 192.

InfoWorld notes it's been 10 months since Python first claimed the index's #1 spot last October, "becoming the only language besides Java and C to hold the No. 1 position." In the alternative Pypl Popularity of Programming Language index, which assesses language popularity based on Google searches of programming language tutorials, the top 10 rankings for August were:

1. Python, 28.11% share
2. Java, 17.35%
3. JavaScript, 9.48%
4. C#, 7.08%
5. C/C++, 6.19%
6. PHP, 5.47%
7. R, 4.35%
8. TypeScript, 2.79%
9. Swift, 2.09%
10. Objective-C, 2.03%

Communications

One of 5G's Biggest Features Is a Security Minefield (wired.com) 42

True 5G wireless data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferates -- combining expanded speed and bandwidth with low-latency connections -- one of its most touted features is starting to come into focus. But the upgrade comes with its own raft of potential security exposures. From a report: A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, is gaining the ability to connect to the internet in places where Wi-Fi isn't practical or available. Individuals may even elect to trade their fiber-optic internet connection for a home 5G receiver. But the interfaces that carriers have set up to manage internet-of-things data are riddled with security vulnerabilities, according to research that will be presented on Wednesday at the Black Hat security conference in Las Vegas. And those vulnerabilities could dog the industry long-term. After years of examining potential security and privacy issues in mobile-data radio frequency standards, Technical University of Berlin researcher Altaf Shaik says he was curious to investigate the application programming interfaces (APIs) that carriers are offering to make IoT data accessible to developers.

These are the conduits that applications can use to pull, say, real-time bus-tracking data or information about stock in a warehouse. Such APIs are ubiquitous in web services, but Shaik points out that they haven't been widely used in core telecommunications offerings. Looking at the 5G IoT APIs of 10 mobile carriers around the world, Shaik and his colleague Shinjo Park found common, but serious API vulnerabilities in all of them, and some could be exploited to gain unauthorized access to data or even direct access to IoT devices on the network. "There's a big knowledge gap. This is the beginning of a new type of attack in telecom," Shaik told WIRED ahead of his presentation. "There's a whole platform where you get access to the APIs, there's documentation, everything, and it's called something like 'IoT service platform.' Every operator in every country is going to be selling them if they're not already, and there are virtual operators and subcontracts, too, so there will be a ton of companies offering this kind of platform."

Open Source

NVIDIA Publishes 73k Lines Worth Of 3D Header Files For Fermi Through Ampere GPUs (phoronix.com) 6

In addition to NVIDIA being busy working on transitioning to an open-source GPU kernel driver, yesterday they made a rare public open-source documentation contribution... NVIDIA quietly published 73k lines worth of header files to document the 3D classes for their Fermi through current-generation Ampere GPUs. Phoronix's Michael Larabel reports: To NVIDIA's Open-GPU-Docs portal they have posted the 73k lines worth of 3D class header files covering RTX 30 "Ampere" GPUs back through the decade-old GeForce 400/500 "Fermi" graphics processors. These header files define the classes used to program the 3D engine of the GPU, the texture header and texture sampler layout are documented, and other 3D-related programming bits. Having all of these header files will be useful to the open-source Nouveau driver developers to save on their reverse-engineering and guessing/uncertainty over certain bits.

NVIDIA's Open GPU Kernel Driver is for only GeForce RTX 20 "Turing" series and newer, so it's great seeing NVIDIA now posting this documentation going back to Fermi which is squarely to help the open-source community / Nouveau. [...] The timing of NVIDIA opening these 3D classes back to Fermi is interesting and potentially tied to SIGGRAPH 2022 happening this week. Those wanting to grab NVIDIA's latest open-source GPU documentation can find it via this GitHub repository.

Education

Midwest Universities Unite To Support US Chip Industry Revival (theregister.com) 24

An anonymous reader quotes a report from The Register: A dozen US midwestern research colleges and universities have signed up to a project intended to bolster the semiconductor and microelectronics industries with combined research and education to ensure work for their students in high-tech industries. The "Midwest Regional Network to Address National Needs in Semiconductor and Microelectronics" consists of a dozen institutions, made up of eight from Ohio, two from Michigan, and two from Indiana. Their stated aim is to support the onshoring efforts of the US semiconductor industry by addressing the need for research and a skilled workforce.

According to Wright State University, the network was formed in response to Intel's announcement that it planned to build two chip factories near Columbus, Ohio, and followed a two-day workshop in April hosted by the state. [...] However, the university network was also formed to help address the broader national effort to regain American leadership in semiconductors and microelectronics, or at least bring some of it back onshore and make the US less reliant on supplies of chips manufactured abroad.

The president of each institution has signed a memorandum of understanding to form the network, and the expectation is that the group will expand to include more than these dozen initial members. The intention is that the institutions taking part will be able to make use of each other's existing research, learning programs, capabilities, and expertise in order to boost their collective ability to support the semiconductor and microelectronics industry ecosystems. Challenges for the network include developing mechanisms to connect existing research, and training assets across the region, and developing a common information sharing platform to make it easier to identify opportunities for joint programming and research across the network.

The institutions involved in the network include: Wright State University, Columbus State Community College, Lorain County Community College, Michigan State University, Ohio State University, Purdue University, Sinclair Community College, University of Cincinnati, University of Dayton, University of Michigan, and the University of Notre Dame, Indiana.

Further reading: Biden Signs China Competition Bill To Boost US Chipmakers

Programming

Tornado Cash Co-founder Reports Being Kicked Off GitHub as Industry Reacts To Sanctions (cointelegraph.com) 53

Roman Semenov, one of the co-founders of Tornado Cash, has reported his account was suspended at the developer platform, GitHub, following the United States Treasury Department's sanctioning of the privacy protocol. From a report: In a Monday tweet, Semenov said that despite not being individually named as a Specially Designated National, or SDN, of Treasury's Office of Foreign Assets Control, he seemed to be facing repercussions from the Treasury alleging Tornado Cash had laundered more than $7 billion worth of cryptocurrency. As SDNs, identified firms and individuals have their assets blocked and "U.S. persons are generally prohibited from dealing with them."

Being identified as an SDN would seemingly include any contact for business purposes, which could extend to associations on GitHub. According to a joint statement from the Federal Financial Institutions Examination Council and Office of Foreign Assets Control, prohibited transactions could be interpreted to include "downloading a software patch from a sanctioned entity." Semenov called the move to suspend his account "a bit illogical." However, U.S. residents have been effectively barred from using the crypto mixer, given its alleged failure "to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks," according to Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

Facebook

In 2003, Mark Zuckerberg Took a Vow of User Privacy On Slashdot (slashdot.org) 68

If it weren't for Slashdot, Mark Zuckerberg wouldn't be facing a six-hour deposition over alleged involvement in the Cambridge Analytica Scandal, argues long-time Slashdot reader theodp: In 2003, Harvard's student newspaper the Harvard Crimson reported that Zuck's programming skills attracted attention from the likes of Microsoft and others following a 2003 Slashdot post. That post — titled Machine Learning and MP3s — described how "Students at Caltech [freshman Adam D'Angelo, Quora CEO and co-founder] and Harvard [freshman Zuck] developed a system that analyzes playlists and learns people's listening patterns." The playlist-making software, Synapse AI, was Zuck's high school senior project at Phillips Exeter Academy.

Interestingly, in a modded-up comment ("Informative") on the post, Slashdot user Mark Zuckerberg vowed to protect user privacy. "And a note about privacy," promised Zuck. "None of your musical listening data will be available to anyone other than you. We hope to use massive amounts of data to aid in analysis, but your individual data will never be seen by anyone else."

Hey, things change. And Slashdot user SkyIce (apparently D'Angelo) added, "I'm not going to spam people. I promise."

Zuckerberg was just 18 years old — and Steven Levy's 2020 book Facebook: The Inside Story recounts how all "the Slashdot attention was a boon." Zuckerberg heard from multiple companies interested in the student project, including Microsoft and AOL. Zuckerberg and D'Angelo got an offer approaching a million dollars from one of those suitors. But the payout would be contingent on Zuckerberg and D'Angelo committing to work for that company for three years. They turned it down.
That summer, back in Cambridge, young Mark Zuckerberg "thought it was interesting that I was so excited about Friendster," D'Angelo remembered in the book. Friendster was an earlier social network founded in 2002 (which eventually closed in 2018). D'Angelo remembered that Zuckerberg "wasn't into it as a user, but it was clear to him that there was something there...."

Programming

JavaScript Slows Progress, Should be Retired, Argues JSON Creator (devclass.com) 220

JavaScript, the world's most popular programming language according to most surveys, has become a barrier to progress, according to Douglas Crockford, creator of the JSON (JavaScript Object Notation) specification used everywhere for serializing data in web applications.

Crockford made this assertion in an interview last month:

"The best thing we can do today to JavaScript is to retire it. Twenty years ago, I was one of the few advocates for JavaScript. Its cobbling together of nested functions and dynamic objects was brilliant. I spent a decade trying to correct its flaws. I had a minor success with ES5. But since then, there has been strong interest in further bloating the language instead of making it better. So JavaScript, like the other dinosaur languages, has become a barrier to progress. We should be focused on the next language, which should look more like E than like JavaScript."

According to a StackOverflow survey earlier this year, JavaScript is used by over 65% of developers, way ahead of second placed Python at 48 percent (ignoring HTML, CSS and SQL which are not general purpose languages).

Crockford also acknowledged there'd be two difficulties in replacing browser-based JavaScript, according to the article. "First, we don't have the next language yet. It needs to be a minimal capability-based actor language that is designed specifically for secure distributed programming. Nothing less should be considered.

"Second, we need all of the browser makers to adopt it and to simultaneously replace the DOM with a well designed interface. Good luck with that."

Programming

GitLab Plans To Delete Dormant Projects in Free Accounts (theregister.com) 91

UPDATE (8/5): "GitLab has reversed its decision to automatically delete projects that are inactive for more than a year and belong to its free-tier users," the Register reported Friday.

Thursday the same site had reported that GitLab planned to automatically delete projects if they've been inactive for a year and are owned by users of its free tier. From that report: The Register has learned that such projects account for up to a quarter of GitLab's hosting costs, and that the auto-deletion of projects could save the cloudy coding collaboration service up to $1 million a year. The policy has therefore been suggested to help GitLab's finances remain sustainable. People with knowledge of the situation, who requested anonymity as they are not authorized to discuss it with the media, told The Register the policy is scheduled to come into force in September 2022. GitLab is aware of the potential for angry opposition to the plan, and will therefore give users weeks or months of warning before deleting their work. A single comment, commit, or new issue posted to a project during a 12-month period will be sufficient to keep the project alive. The Register understands some in the wider GitLab community worry that the policy could see projects disappear before users have the chance to archive code on which they rely. As many open-source projects are widely used, it is feared that the decision could have considerable negative impact.

Social Networks

'CSS Crimes' Turn Social Media Posts Into Games (theverge.com) 22

Alexis Ong writes via The Verge: It is a truth universally acknowledged that if you build something on the internet, people will find ways to creatively break it. This is exactly what happened with cohost, a new social media platform that allows posts with CSS. Digging through the #interactables hashtag on cohost reveals a bounty of clickable, CSS-enabled experiments that go far beyond GIFs -- there's a WarioWare mug-catching game, an interactive Habbo tribute, magnetic fridge poetry, this absolutely bananas cog machine, and even a "playable" Game Boy Color (which was, at one point, used for a "GIF plays Pokemon" event). Yes, there's also Doom. The cohost team embraced the madness. It was the beginning of a creative avalanche that simply isn't possible on other social media sites -- a phenomenon that the cohost community has since dubbed "CSS crimes."

Businesses

Podcast Guests Are Paying Up To $50,000 To Appear on Popular Shows (bloomberg.com) 30

People will confess all sorts of things to podcasters, from their unpopular political beliefs or embarrassing romantic mishaps to their worst fears. But there's one revelation certain guests will never disclose -- namely, that they're paying thousands of dollars just to be interviewed on the show. From a report: Welcome to the golden era of pay-for-play podcasting, when guests pay handsomely to be interviewed for an entire episode. In exchange, the host gets some revenue, fills out the programming calendar, and might bag a future advertiser. Determining exactly how widespread the practice is can be tricky. Disclosures, if included at all, might last only a few fleeting seconds in an hourlong interview, and various hosts use different language to describe the nature of such relationships. What percentage of shows accepts payment in exchange for airtime is also difficult to say. According to nearly a dozen interviews with industry sources, it appears the practice is particularly popular among podcasts in the wellness, cryptocurrency, and business arenas.

In an age when social media influencers routinely get paid for mentioning a brand in an Instagram post or YouTube video, this marriage of convenience shouldn't come as a complete shock. Still, not everyone thinks it's a good idea. "As someone who's making money for that type of advertorial content, it should be disclosed," says Craig Delsack, a New York-based media lawyer. "It's just good practice and builds trust with the podcaster. It can't be the Wild West." US regulators also agree that consumers might be misled when they don't know a media mention only occurred in exchange for compensation. Even so, the phenomenon appears to be thriving in podcasting. Online platform Guestio has raised more than $1 million to build a marketplace devoted entirely to brokering paid guest appearances. On Guestio, the flow of money sometimes reverses direction, and a podcaster provides payment to land a particularly coveted guest such as boxer Manny Pacquiao, who charges $15,000 for an appearance.

Software

Thousands of Lives Depend on a Transplant Network in Need of 'Vast Restructuring' (washingtonpost.com)

The system for getting donated kidneys, livers and hearts to desperately ill patients relies on out-of-date technology that has crashed for hours at a time and has never been audited by federal officials for security weaknesses or other serious flaws, according to a confidential government review obtained by The Washington Post. From the report: The mechanics of the entire transplant system must be overhauled, the review concluded, citing aged software, periodic system failures, mistakes in programming and over-reliance on manual input of data. In its review, completed 18 months ago, the White House's U.S. Digital Service recommended that the government "break up the current monopoly" that the United Network for Organ Sharing, the nonprofit agency that operates the transplant system, has held for 36 years. It pushed for separating the contract for technology that powers the network from UNOS's policy responsibilities, such as deciding how to weigh considerations for transplant eligibility.

About 106,000 people are on the waiting list for organs, the vast majority of them seeking kidneys, according to UNOS. An average of 22 people die each day waiting for organs. In 2021, 41,354 organs were transplanted, a record. UNOS is overseen by the Health Resources and Services Administration (HRSA), but that agency has little authority to regulate transplant activity. Its attempts to reform the transplant system have been rejected by UNOS, the report found. Yet HRSA continues to pay UNOS about $6.5 million annually toward its annual operating costs of about $64 million, most of which comes from patient fees. "In order to properly and equitably support the critical needs of these patients, the ecosystem needs to be vastly restructured," a team of engineers from the Digital Service wrote in the Jan. 5, 2021, report for HRSA, which is part of the Department of Health and Human Services.

Programming

Protestware On the Rise: Why Developers Are Sabotaging Their Own Code (techcrunch.com)

"If combating attacks and hijackings of legitimate software on open source registries like npm weren't challenging enough, app makers are increasingly experiencing the consequences of software self-sabotage," writes security researcher and reporter Ax Sharma via TechCrunch. "A developer can, on a whim, change their mind and do whatever they want with their open source code that, most of the time anyway, comes 'as is' without any warranty. Or, as seen by a growing trend this year, developers deliberately sabotaging their own software libraries as a means of protest -- turning software into 'protestware.'"

One of the many examples Sharma mentions happened during the first week of 2022, when thousands of applications that rely on the heavily used npm projects colors and faker broke and began printing gibberish text on users' screens. "It wasn't a malicious actor hijacking and altering these legitimate libraries," writes Sharma. "It turned out the projects' developer Marak Squires had intentionally corrupted his own work to send a message of protest to big corporations..." An anonymous reader shares an excerpt from his report: Open source developers are discovering new and creative avenues that no longer limit them to implementing new features for their projects, but let them actively express their views on larger social matters by modifying their projects for a cause. And, unlike proprietary code that has to function in line with a paying customer's expectations, most open source licenses are quite permissive -- both for the consumer and the developer -- and offer no guarantees as to what a developer will or will not do with their code, making protestware a gray area for defenders. In fact, as a security researcher at Sonatype, I observed how protestware posed a challenge for us in the early stages and how we would tweak our automated malware detection algorithms to now catch self-sabotage in projects like colors and faker. Traditionally, the system was designed to spot typosquatting malware uploaded to open source repositories, but cases like malicious hijacks or developers modifying their own libraries without warning required a deeper understanding of the intricacies of how protestware works.

The theme has also put major open source registries like npm -- owned by GitHub, a Microsoft subsidiary -- at a crossroads when having to deal with these edge cases. Socket's founder Feross Aboukhadijeh told TechCrunch that registries like GitHub are in a difficult position. "On the one hand, they want to support maintainers' right to freedom of expression and the ability to use their platform to support the causes they believe in. But on the other hand, GitHub has a responsibility to npm users to ensure that malicious code isn't served from npm servers. It's sometimes a difficult balancing act," said Aboukhadijeh. A simple solution to ensuring you are getting only vetted versions of a component in your build is to pin your npm dependency versions. That way, even if future versions of a project are sabotaged or hijacked, your build continues to use the "pinned" version as opposed to fetching the latest, tainted one. But this may not always be an effective strategy for all ecosystems, like PyPI, where existing versions of a component can be republished -- as we saw in the case of the hijacking of the ctx PyPI project.

"The conversation around 'protestware' is really a conversation about software supply chain security. You can't trust what you can't verify," Dan Lorenc, the co-founder and chief executive at Chainguard, a startup that specializes in software supply chain security, told TechCrunch. Lorenc's advice for preventing protestware is to follow good open source security hygiene and best practices that can help developers detect protestware more easily and early on. "Knowing and understanding your dependencies, conducting regular scans and audits of open source code you are using in your environments are a start." But Lorenc warns the debate about protestware could draw in copycats who would contribute to the problem and distract open source software defenders from focusing on tackling what's truly important -- keeping malicious actors at bay. And with protestware there remain unknown unknowns. What issue is too small -- or too big -- for protestware? No one can practically dictate what an open source developer does with their code; it is a power developers have always possessed, but are only now beginning to harness.
