"One of Python's long-standing weaknesses, its inability to scale well in multithreaded environments, is the target of a new proposal among the core developers of the popular programming language," reports InfoWorld: Developer Sam Gross has proposed a major change to the Global Interpreter Lock, or GIL — a key component in CPython, the reference implementation of Python. If accepted, Gross's proposal would rewrite the way Python serializes access to objects in its runtime from multiple threads, and would boost multithreaded performance significantly... The new proposal makes changes to the way reference counting works for Python objects, so that references from the thread that owns an object are handled differently from those coming from other threads.

The overall effect of this change, and a number of others with it, actually boosts single-threaded performance slightly — by around 10%, according to some benchmarks performed on a forked version of the interpreter versus the mainline CPython 3.9 interpreter. Multithreaded performance, on some benchmarks, scales almost linearly with each new thread in the best case — e.g., when using 20 threads, an 18.1x speedup on one benchmark and a 19.8x speedup on another.

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.
The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

ZDNet reports: "Python 3.10.0 is the newest major release of the Python programming language, and it contains many new features and optimizations," CPython maintainers announced in a blogpost...

One of the headline features is "structural pattern matching" in Python 3.10 -- a technique for handling data that's already available in C, Java, JavaScript, Scala and Elixir. "Structural pattern matching has been added in the form of a match statement and case statements of patterns with associated actions. Patterns consist of sequences, mappings, primitive data types as well as class instances. Pattern matching enables programs to extract information from complex data types, branch on the structure of data, and apply specific actions based on different forms of data," the project explains in release 3.10 notes. "While structural pattern matching can be used in its simplest form comparing a variable to a literal in a case statement, its true value for Python lies in its handling of the subject's type and shape," it adds.

Python core contributors presented the update in a meeting this week. Pablo Galindo Salgado, a physicist and core Python contributor, explained how the project is using Microsoft's GitHub Actions DevOps (CI/CD) tools to test Python changes on Windows, Linux and macOS systems. "When you merge something to Python, there is a CI in GitHub Actions, and we have other providers, although we are mainly using GitHub Actions now. It tests your commits on every single commit on Linux, Windows, and macOS," said Salgado.
Besides better error messages (including more precise and reliable line numbers for debugging), other changes to the language include overloading the pipe operator to allow a new syntax for writing union types, and type aliases (a kind of user-specified type, offering a way to explicitly declare an assignment as a type alias).

ZDNet reports that Python "is now the most popular language, according to one popularity ranking."

"For the first time in more than 20 years we have a new leader of the pack..." the TIOBE Index announced this month. "The long-standing hegemony of Java and C is over."

When Slashdot reached out to Guido van Rossum for a comment, he replied "I honestly don't know what the appropriate response is...! I am honored, and I want to thank the entire Python community for making Python so successful."

ZDNet reports: [I]t seems that Python is winning these days, in part because of the rise of data science and its ecosystem of machine-learning software libraries like NumPy, Pandas, Google's TensorFlow, and Facebook's PyTorch. Python is also an easy-to-learn language that has found a niche in high-end hardware, although less so mobile devices and the web — an issue that Python creator Guido van Rossum hopes to address through performance upgrades he's working on at Microsoft.

Tiobe, a Dutch software quality assurance company, has been tracking the popularity of programming languages for the past 20 years. Its rankings are based on search terms related to programming and is one measure of languages that developers should consider learning, along with IEEE Spectrum's list and a ranking produced by developer analyst RedMonk. JavaScript, the default for front-end web development, is always at the top of RedMonk's list. For Tiobe, its enterprise focus, has seen Java and C dominate in recent years, but Python has been snapping at the heels of Java, and has now overtaken it...

Python's move to top spot on the Tiobe index was a result of other languages falling in searches rather than Python rising. With an 11.27% share of searches, it was flat, while second place language C fell 5.79% percentage points compared to October last year down to 11.16%. Java made way for Python with a 2.11 percentage point drop to 10.46%.

Other languages that made the top 10 in Tiobe's October 2021 index: C++, C#, Visual Basic, JavaScript,. SQL, PHP, and Assemblyy Language. Also rising on a year-on-year basis and in the top 20 were Google-designed Go, number-crunching favorite MATLAB, and Fortran.
"Python, which started as a simple scripting language, as an alternative to Perl, has become mature," TIOBE says in announcing its new rankings.

"Its ease of learning, its huge amount of libraries, and its widespread use in all kinds of domains, has made it the most popular programming language of today. Congratulations Guido van Rossum!"

"According to one measure, Python is potentially on the verge of becoming the most popular computer programming language," reports ZDNet, joining C and Java as the only other two languages to attain the #1 spot.

Of course, it depends on who's making the list... Python has been snapping at the heels of Java and C for the past few years on the 20-year-old Tiobe index and recently knocked Java off the second spot to rival C. Tiobe, a software testing company, bases its rankings on searches for programming languages on popular websites and search engines.

The Tiobe index is updated monthly, and it doesn't align with other language popularity rankings. For example, the electrical engineering magazine IEEE Spectrum has ranked Python as the most popular language since at least 2020, followed by Java, C, and JavaScript, while developer analyst RedMonk has JavaScript in top place, followed by Python and Java, and places C at tenth...

"Python has never been so close to the number 1 position of the TIOBE index," writes Paul Jansen, chief of Tiobe software. "It only needs to bridge 0.16% to surpass C. This might happen any time now..."

Python is hugely popular because of machine learning, but it has no place in mobile app development or web applications or development on mobile devices. It's also slow. Python's creator, Guido van Rossum, who works at Microsoft, recently conceded Python consumes too much memory and energy from hardware. He's working to improve Python's performance and reckons double is feasible...

Tiobe's top 10 programming languages in September 2021 were C, Python, Java, C++, C#, Visual Basic, JavaScript, Assembly language, PHP, and SQL. The top 20 languages also included Classic Visual Basic, Groovy, Ruby, Go, Swift, MATLAB, Fortran, R, Perl, and Delphi. Fortran's re-emergence as a top 20 language is notable. Just in July 2020, Tiobe ranked it as the 50th most popular language. But earlier this year, Fortran shot up to the 20th spot in Tiobe's index.
Paul Jansen, chief of Tiobe software, also called out some other interesting moves in this month's calculation. "Assembly gained 1 position from #9 to #8, Ruby gained 2 positions from #15 to #13, and Go went up even 4 positions from #18 to #14."

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changed in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.

"The programming language Java's popularity has been slowly declining in some programming language index rankings, but it's popped back into the second spot in RedMonk's latest chart," reports ZDNet: Javascript still rules in RedMonk's Q3 2021 language popularity rankings, which have been updated twice a year since 2010.

Python overtook Java for the second spot in RedMonk's Q2 2020 ranking, and Java has remained there in Python's shadow ever since, but now it has jumped one spot to second — a place it once again shares with Python. As RedMonk analyst Stephen O'Grady notes, Java's consistent third placing over the past year was "prompting questions from observers as to whether it was fated to a gradual drift down these rankings".

Tiobe's CEO Paul Jensen last September said Java was in "real trouble" because of a notable decline in its share of queries for programming languages on major search engines. But now, according to RedMonk, Java has 'surged' back. "This would be less of a surprise but for many of the language's competitors — and, it should be said, the odd industry analyst or two — writing regularly recurring epitaphs for the stalwart of enterprise infrastructure," said O'Grady.
The article also reports that Google's Dart programming language "made its debut in RedMonk's top 20 this month and displaced Perl."

RoccamOccam writes: For the sixth-year, Rust is the most loved language, while Python is the most wanted language for its fifth-year in Stack Overflow's 2021 survey of 80,000 developers.

"Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue," reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each... The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that use them. In total the research scanned through 197,000 packages and found more than 749,000 security issues in all... Explaining their methodology the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository. The paper reveals that of the issues identified, the maximum (442,373) are of low severity, while 227,426 are moderate severity issues. However, 11% of the flagged PyPI packages have 80,065 high severity issues.
The Register supplies some context: Other surveys of this sort have come to similar conclusions about software package ecosystems. Last September, a group of IEEE researchers analyzed 6,673 actively used Node.js apps and found about 68 per cent depended on at least one vulnerable package... The situation is similar with package registries like Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R). In a phone interview, Ee W. Durbin III, director of infrastructure at the Python Software Foundation, told The Register, "Things like this tend not to be very surprising. One of the most overlooked or misunderstood parts of PyPI as a service is that it's intended to be freely accessible, freely available, and freely usable. Because of that we don't make any guarantees about the things that are available there..."

Durbin welcomed the work of the Finnish researchers because it makes people more aware of issues that are common among open package management systems and because it benefits the overall health of the Python community. "It's not something we ignore but it's also not something we historically have had the resources to take on," said Durbin. That may be less of an issue going forward. According to Durbin, there's been significantly more interest over the past year in supply chain security and what companies can do to improve the situation. For the Python community, that's translated into an effort to create a package vulnerability reporting API and the Python Advisory Database, a community-run repository of PyPI security advisories that's linked to the Google-spearheaded Open Vulnerability Database.

"Dallas-based Texas Instruments' latest generation of calculators is getting a modern-day update with the addition of programming language Python," reports the Dallas Morning News: The goal is to expand students' ability to explore science, technology, engineering and math through the device that's all-but-required in the nation's high schools and colleges...

Though most of the company's $14 billion in annual revenue comes from semiconductors, its graphing calculator remains its most recognized consumer product. This latest TI-84 model, priced between $120 to $160 depending on the retailer, was made to accommodate the increasing importance of programming in the modern world.
Judging by photos in their press release, an "alpha" key maps the calculator's keys to the letters of the alphabet (indicated with yellow letters above each key). One page on its web site also mentions "Menu selections" that "help students with discovery and syntax." (And the site confirms the calculator will "display expressions, symbols and fractions just as you write them.")

There's even a file manager that "gives quick access to Python programs you have saved on your calculator. From here, you can create, edit, run and manage your files." And one page also mentions something called TI Connect CE software application, which "connects your computer and graphing calculator so they can talk to each other. Use it to transfer data, update your operating system, download calculator software applications or take screenshots of your graphing calculator."

I'm sure Slashdot's readers have some fond memories of their first calculator. But these new models have a full-color screen and a rechargeable battery that can last up to a month on a single charge. And Texas Instruments seems to think they could even replace computers in the classroom. "By adding Python to the calculators many students are already familiar with and use in class, we are making programming more accessible and approachable for all students," their press release argues, "eliminating the need for teachers to reserve separate computer labs to teach these important skills.

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not now known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only a simple obfuscation such as from Base64 encoders. Karas told me that the first six packages had the ability to infect the developer computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allows code execution on the machine they were installed, this would be possible." he said in a direct message. "After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."

Fossbytes has an article detailing how you can check to see if your mobile device is infected with the "Pegasus" spyware. What's Pegasus you ask? It's phone-penetrating spy software developed by NSO Group and sold to governments to target journalists and activists around the world. The CEO of NSO Group says law-abiding citizens have "nothing to be afraid of," but that doesn't help us sleep any better. Here's how to check if your device has been compromised (heads up: it's a bit of a technical and lengthy process): First off, you'll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you'll have to install libimobiledevice beforehand for that. Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system -- if you don't have it already. Here's how you can install the same for Windows, macOS, and Linux. After that, go through Amnesty's manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line. Now, let's go through the steps for detecting Pegasus on an iPhone backup using MVT.

First of all, you have to decrypt your data backup. To do that, you'll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path: "mvt-ios decrypt-backup -p password -d /decrypted /backup". Note: Replace "/decrypted" with the directory where you want to store the decrypted backup and "/backup" with the directory where your encrypted backup is located.

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder. To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path: "mvt-ios check-backup -o /output -i /pegasus.stix2 /backup". Note: Replace "/output" with the directory where you want to store the scan result, "/backup" with the path where your decrypted backup is stored, and "/pegasus.stix2" with the path where you downloaded the latest IOCs.

After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix "_detected," then that means your iPhone data is most likely Pegasus-infected. However, the IOCs are regularly updated by Amnesty's team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.

The TIOBE index of programming language popularity celebrates 20 years of continuous publishing this month. Started as a hobbyist project back in 2001, the site estimates each programming language's popularity by counting search engine results for the phrase <language> programming (indirectly counting each listing for developers, courses, and third-party vendors).

When it was started 20 years ago, the top languages were Java, C, and C++.

20 years later, the top languages are now C, Java, Python, and C++

And "The difference between position 1 and position 3 is only 0.67%." This means that the next few months will be exciting. What language is going to win this battle? Python seems to have the best chances to become number 1, thanks to its market leadership in the booming field of data mining and artificial intelligence.
ZDNet also noted the trends: Searches for C were down 4.83 percentage points compared to last July. Java searches were down 3.93% over the period, while Python gained 1.86%.

The top 10 languages behind C, Java and Python are C++, C#, Visual Basic, Javascript, PHP, Assembly Language, and SQL.
But they also have this to say about TIOBE's calculations: It's a different methodology to developer analyst RedMonk, which looks at language usage on software projects hosted on GitHub and discussions on the developer Q&A site, Stack Overflow.

RedMonk's Q1 2021 rankings place JavaScript in top place, followed by Python and Java.

Other interesting moves this month:

• C++ gained more than 0.5% getting closer to the top 3
• Rust rose from #30 to #27
• Go rose from #20 to #13
• TypeScript rose from #45 to #37
• Haskellrose rose from #49 to #39

Reactions are starting to come in for GitHub's new Copilot coding tool, which one site calls "a product of the partnership between Microsoft and AI research and deployment company OpenAI — which Microsoft invested $1 billion into two years ago." According to the tech preview page: GitHub Copilot is currently only available as a Visual Studio Code extension. It works wherever Visual Studio Code works — on your machine or in the cloud on GitHub Codespaces. And it's fast enough to use as you type. "Copilot looks like a potentially fantastic learning tool — for developers of all abilities," said James Governor, an analyst at RedMonk. "It can remove barriers to entry. It can help with learning new languages, and for folks working on polyglot codebases. It arguably continues GitHub's rich heritage as a world-class learning tool. It's early days but AI-assisted programming is going to be a thing, and where better to start experiencing it than GitHub...?"

The issue of scale is a concern for GitHub, according to the tech preview FAQ: "If the technical preview is successful, our plan is to build a commercial version of GitHub Copilot in the future. We want to use the preview to learn how people use GitHub Copilot and what it takes to operate it at scale." GitHub spent the last year working closely with OpenAI to build Copilot. GitHub developers, along with some users inside Microsoft, have been using it every day internally for months.

[Guillermo Rauch, CEO of developer software provider Vercel, who also is founder of Vercel and creator of Next.js], cited in a tweet a statement from the Copilot tech preview FAQ page, "GitHub Copilot is a code synthesizer, not a search engine: the vast majority of the code that it suggests is uniquely generated and has never been seen before."

To that, Rauch simply typed: "The future."

Rauch's post is relevant in that one of the knocks against Copilot is that some folks seem to be concerned that it will generate code that is identical to code that has been generated under open source licenses that don't allow derivative works, but which will then be used by a developer unknowingly...
GitHub CEO Nat Friedman has responded to those concerns, according to another article, arguing that training an AI system constitutes fair use: Friedman is not alone — a couple of actual lawyers and experts in intellectual property law took up the issue and, at least in their preliminary analysis, tended to agree with Friedman... [U.K. solicitor] Neil Brown examines the idea from an English law perspective and, while he's not so sure about the idea of "fair use" if the idea is taken outside of the U.S., he points simply to GitHub's terms of service as evidence enough that the company can likely do what it's doing. Brown points to passage D4, which grants GitHub "the right to store, archive, parse, and display Your Content, and make incidental copies, as necessary to provide the Service, including improving the Service over time." "The license is broadly worded, and I'm confident that there is scope for argument, but if it turns out that Github does not require a license for its activities then, in respect of the code hosted on Github, I suspect it could make a reasonable case that the mandatory license grant in its terms covers this as against the uploader," writes Brown. Overall, though, Brown says that he has "more questions than answers."
Armin Ronacher, the creator of the Flask web framework for Python, shared an interesting example on Twitter (which apparently came from the game Quake III Arena) in which Copilot apparently reproduces a chunk of code including not only its original comment ("what the fuck?") but also its original copyright notice.

An anonymous reader shares a report: Two weeks ago, World Wide Web creator Tim Berners-Lee sent an NFT of the web's original source code to the auction block with a starting bid of just $1,000. Yesterday, Sotheby's announced that the crypto asset sold for $5.4 million. The sum makes Berners-Lee's work one of the priciest NFTs of all time. The digital package included not just the source code but also a letter from Berners-Lee reflecting on the creation of the web, some original HTML documents, an SVG "poster" of thousands of lines of code, and a 30-minute visualization of the code being typed on a screen.

But there's a twist. An eagle-eyed researcher pointed out on Twitter that the animation initially posted on the Sotheby's site had errors in the code, possibly introduced when the person making the video fed the Objective-C code through an app or web service to produce the typing effect in the animation. Instead of angle brackets that are present in the code (), the HTML codes for the symbols ( & lt; and & gt;) appeared instead. On the poster, which was made by a Python script created by Berners-Lee, the brackets appear correct. Presumably, they are also correct in the code itself. The code was corrected in later animations, raising questions about this particular NFT and NFTs as a whole.

An anonymous reader shares a report: When Kevin Modzelewski and his colleagues at Dropbox set out to create Pyston in 2014, they had a very simple objective: to lower the costs of running Python code on Dropbox's servers, by making the code itself faster. "We were growing exponentially, so our server cost was growing exponentially," Modzelewski tells TechRepublic. "If we could get Python running faster, we would spend less money running Python." The original cost reduction initiative at Dropbox snowballed into a bigger project for Modzelewski when the company moved away from Python in 2017 and cancelled the Pyston project. He had realized while working on the language that there was a strong demand for faster Python among the developer community, and while there were plenty of tools around for improving the performance in smaller applications, there were none designed for big, business logic-type applications such as Dropbox.

"There's a lot of tools out there for helping you run Python faster, but there weren't any that were a good fit for Dropbox's use case," says Modzelewski. "This was an area of the Python market where a lot of money was being spent, but not very many tools were being developed for helping. It was under served." Fast forward to today and Pyston is now in version 2.2, and has been open-sourced, with Modzelewski and fellow developer Marius Wachtler now leading the project as co-founders. The latest implementation promises a 30% performance improvement over Python 3.8.8, with a key benefit being that developers can simply drop their Python applications into Pyston and get going, without having to rewrite their code. It's also a "completely separate thing" to what Modzelewski and fellow developers built for Dropbox some seven years ago.

Tim Berners-Lee has defended his decision to auction an NFT (non-fungible token) representing the source code to the web, comparing the sale to an autographed book or a speaking tour. From a report: The creator of the world wide web announced his decision to create and sell the digital asset through Sotheby's auction house last week. In the auction, which begins on Wednesday and will run for one week, collectors will have the chance to bid on a bundle of items, including the 10,000 lines of the source code to the original web browser, a digital poster created by Berners-Lee representing the code, a letter from him, and an animated video showing the code being entered.

"This is totally aligned with the values of the web," Berners-Lee told the Guardian. "The questions I've got, they said: 'Oh, that doesn't sound like the free and open web.' Well, wait a minute, the web is just as free and just as open as it always was. The core codes and protocols on the web are royalty free, just as they always have been. I'm not selling the web -- you won't have to start paying money to follow links. "I'm not even selling the source code. I'm selling a picture that I made, with a Python programme that I wrote myself, of what the source code would look like if it was stuck on the wall and signed by me. "If they felt that me selling an NFT of a poster is inappropriate, then what about me selling a book? I do things like that, which involve money, but the free and open web is still free and open. And we do still, every now and again, have to fight to keep it free and open, fight for net neutrality and so on."

Freenode's Linux support channel has an official web page at freenode.linux.community, which now bears this announcement:

22+ year old ##linux on freenode has been seized by freenode staff

The community's (multi-platform) site reminds visitors of the alternative channels #linux on Libera and Linux.Chat on Discord.

But they're not the only ones making changes. "[T]he FSF and GNU have decided to relocate our IRC channels to Libera.Chat," reads an official announcement on the FSF blog. "Effective immediately, Libera is the official home of our channels, which include but are not limited to all those in the #fsf, #gnu, and #libreplanet namespaces." As we have had nearly twenty years of positive experiences with the Freenode staff, most of whom now comprise the staff of the Libera network, we are confident in their technical and interpersonal expertise, as well as their ability to make the network as long-lasting and integral to the free software community as they made Freenode. We look forward to joining the large number of free software and free culture projects who have already made Libera.Chat their home, and hope to stay there for many years to come.
Also making a move: freenode's #Python channel. Software developer Ned Batchelder, one of the channel's operators (and also an architect at edX), shared a recent experience in a new blog post this morning. When they'd decided to move #python to the new Libera.chat network (run by former Freenode staffers), they also stayed in Freenode's channel "to let people know where everyone had gone." Yesterday, after a heated debate in the Freenode channel where I was accused of splitting the community, I got k-lined (banned entirely from Freenode). The reason given was "spamming", because of my recurring message about the move to Libera. Then the entire Freenode #python channel was closed... Was it malice or was it mistake? Does it matter? It's not a good way to run a network. After the channel was closed, people asking staff about what happened were banned from asking. That wasn't a mistake... [T]he new staff seems to be using force to silence people asking questions. It's clear that transparency is not a strong value for them.

Setting aside network drama, the big picture here is that the Freenode #python community isn't split: it's alive and well. It's just not on Freenode anymore, it's on Libera.

Freenode was a good thing. But the domain name of the server was the least important part of it, just a piece of technical trivia. There's no reason to stick with Freenode just because it is called Freenode. As with any way of bringing people together, the important part is the people. If all of the people go someplace else, follow them there, and continue.

See you on Libera.

A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability. BleepingComputer reports: The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems. FreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters. The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency.

As Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity has suddenly increased. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said. FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

GameStop has quietly unveiled a new web portal for a non-fungible token (NFT) platform. The Block reports: "We are building a team" the page declares, stating: "We welcome exceptional engineers (solidity, react, python), designers, gamers, marketers, and community leaders. If you want to join our team, send your profile or something you've built to: nfteam@gamestop.com."

The exact scope of the project is unclear, though prominently featured on the page is a link to an Ethereum address, indicating that GameStop's team will use Ethereum as a technology base. The smart contract code declares "Game On Anon" and links to GameStop's NFT page and indicates that potential GameStop-released NFTs will utilize Ethereum's ERC721 standard. The code also points to a dedicated token, GME.