Protestware: what organisations should be aware of when using open source software – Lexology

The recent inclusion of 'protestware' in popular open source software (OSS) codebases highlights some emerging risks to organisations that rely on OSS.

Key takeouts

There have been recent incidents of 'protestware', or deliberately malicious code, being incorporated within open source software (OSS) codebases.

Organisations that rely on business critical software containing OSS may be exposed to security and business risks.

Organisations should implement policies and procedures to mitigate the risks associated with the use of OSS.

Open source software (OSS) is ubiquitous in commercial software. Both in-house and external developers use community-sourced code from public repositories such as GitHub to more efficiently build, test, launch and maintain software. This shortens release times and helps organisations gain competitive advantage.

While the OSS community generally functions as a gatekeeper for quality control, the sheer volume and widespread use of OSS means that there are still risks associated with its use.

On 8 March 2022, the maintainer of node-ipc, an OSS JavaScript library that is downloaded approximately a million times a week, released an update containing protestware. The release included obfuscated code that determined the approximate location of the machine running the software from its public IP address. If the address geolocated to Russia or Belarus, the code traversed the user's filesystem, overwriting any files it encountered with heart symbols. The maintainer defended the additions to the module as a protest over Russia's invasion of Ukraine.

The Director of Developer Advocacy at developer security platform Snyk, which investigated and disclosed the incident, observed that it highlighted a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security. Not surprisingly, the node-ipc protestware affected more than its intended targets; subsequent reports claimed that a US NGO running a production server in Belarus was adversely affected.
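As an added illustration of that transitive-dependency point (this is not code from the Lexology article, nor from node-ipc or Snyk), the script below reads an npm lockfile and reports every dependency path by which a named package reaches a project, flagging any path in which a dependent declared a floating (caret or tilde) range, because a floating range is what lets a hostile patch-level release land on the next install with no change to your own package.json. The lockfile, the package names 'build-tool' and 'ui-kit' and all versions in it are constructed for the example, and the script assumes every package is hoisted to top-level node_modules, which real lockfiles need not satisfy.

```javascript
// Added example; not code from the Lexology article, node-ipc or Snyk.
// Walks an npm lockfile (lockfileVersion 2/3, the "packages" map) and reports
// every path by which a target package is pulled into the project, together with
// the version range each dependent declared. A floating range (^, ~, *, >=) is
// the channel through which a hostile patch release reaches you on the next
// `npm install` without any change to your own package.json.
//
// Assumption (not always true of real lockfiles): every package is hoisted to
// top-level node_modules, so "node_modules/<name>" is its only install location.

// An exact version, optionally with a pre-release tag, counts as pinned.
const PINNED = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function isPinned(range) {
  return PINNED.test(String(range).trim());
}

// Returns an array of paths; each path is an array of {name, version, range}
// from a direct dependency of the root down to the target package.
function dependencyPaths(lock, target) {
  const pkgs = lock.packages || {};
  const paths = [];

  function walk(key, path, seen) {
    const entry = pkgs[key];
    if (!entry) return;
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      const resolved = pkgs[`node_modules/${dep}`];
      const node = { name: dep, version: resolved ? resolved.version : null, range };
      if (dep === target) {
        paths.push([...path, node]);
        continue;
      }
      if (seen.has(dep)) continue; // cycle guard
      walk(`node_modules/${dep}`, [...path, node], new Set([...seen, dep]));
    }
  }

  walk('', [], new Set()); // '' is the root project's own entry
  return paths;
}

function formatPath(path) {
  return 'root -> ' + path
    .map(n => `${n.name}@${n.version ?? '?'} (${n.range})`)
    .join(' -> ');
}

// One record per path: the chain, whether any link in it is floating, and the
// version of the target that actually resolved.
function audit(lock, target) {
  return dependencyPaths(lock, target).map(path => ({
    chain: formatPath(path),
    floating: path.some(n => !isPinned(n.range)),
    resolvedVersion: path[path.length - 1].version,
  }));
}

// Constructed sample lockfile: the package names and versions are illustrative,
// not a real dependency graph.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'build-tool': '^4.5.0', 'ui-kit': '2.0.0' } },
    'node_modules/build-tool': { version: '4.5.1', dependencies: { 'node-ipc': '^10.1.0' } },
    'node_modules/ui-kit': { version: '2.0.0', dependencies: { 'build-tool': '4.5.1' } },
    'node_modules/node-ipc': { version: '10.1.1' },
  },
};

for (const r of audit(SAMPLE_LOCK, 'node-ipc')) {
  console.log(r.floating ? 'FLOATING' : 'pinned  ', r.chain);
}
```

Note that even the path which pins ui-kit and build-tool exactly is reported as floating, because the final link (build-tool's own '^10.1.0') is outside the project's control. That is the transitive point the Snyk quote makes, and the reason a committed lockfile installed with `npm ci` rather than `npm install` on build machines is the minimum control.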

This is but one example of recent OSS protestware and other OSS-related incidents. In January 2022, the maintainer of two widely used open-source libraries, colors.js and faker.js (with more than 3.5 billion downloads combined), pushed updates that caused dependent applications to, amongst other things, print the word 'Liberty' repeatedly. The maintainer stated that this was in protest at large corporations using his work for free.

And in December 2021, a critical vulnerability dubbed 'Log4Shell' (CVE-2021-44228) was disclosed in Log4j, a ubiquitous OSS Java logging library employed across numerous cloud-based services, which allowed attackers to execute code remotely and take control of affected systems. Unlike protestware, Log4Shell was a defect rather than deliberate sabotage, but it exposed the same dependence on the open-source community.

These incidents highlight how organisations that depend on OSS for business critical software, that contract with outsourced service providers who use OSS, or that buy products or services containing OSS, rely on the diligence and good faith of the open-source community. That reliance is a supply chain risk for the organisation.

How can organisations mitigate these risks?

To mitigate these risks, organisations should consider giving effect to the following:

Read the original post:
Protestware: what organisations should be aware of when using open source software - Lexology

Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to – The Register

Opinion: We concentrate on their technical aspects, but file systems can get pretty political. They're one of the last fronts still fighting in the Interoperability Wars. While you can plumb any number of open file systems into Linux if you need what they have, NTFS remains a problem.

Why? Because it's a very practical issue that can't be magicked away into the cloud. There are any number of cases* where the best answer is to marry Linux-based functionality to an NTFS store reliably, flexibly and fast. And until fall last year, it was a case of choose any two.

Then a good thing happened. But if 2022 has any lessons for us, it's that we can't have good things.

Before October 2021, when Paragon Software's full-fat NTFS3 driver was accepted into the Linux kernel, the easiest choice was the Linux kernel's long-standing and resolutely read-only NTFS support. If you needed to write, which isn't unknown in file system use cases, Tuxera's NTFS-3G could give you read/write NTFS for Linux, but only in userspace via FUSE, not in the kernel. Limited and slow. Not what you need to integrate Linux with the primary enterprise file system on the planet.

Then came late 2021's revolution. Paragon's NTFS3 driver was not sexy, not the stuff of analysts' PowerPoint decks, but if you needed it, you needed it like crazypants.

Not so fast, said 2022. Paragon Software is a 200+ employee company that has been doing low level hard disk magic since 1994, but the maintainer of the Linux kernel driver is the company founder and CEO, Konstantin Komarov.

He saw it pushed live in 2021; by 2022, he'd stopped responding to messages. No code has been touched, no emails answered, nobody's saying why.

The company was founded in Russia and he's Russian, neither of which helps after Vladimir Putin's invasion of Ukraine on February 24, so theories abound. In the end, though, people are free to vanish if they like, for whatever reason, and everybody hopes that Komarov is safe and well, of course.

It's just that if they're the sole maintainer of key open source software, we all have a problem. With nobody to fix bugs, patch vulnerabilities, or track Microsoft's changes, that path is tricky to take.

Open source's primary defence against alien abduction et cetera is that, well, it's open. Anyone can pull the project from the repo, take over the reins, and rescue orphaned code.

You could, if only you knew NTFS internals backwards, write high performance kernel driver code. Of course you'd also need the time and energy to single-handedly cope with the fiery vortex of open source politics at the highest level, and the financial resources to do it all for free in a 24/7 world that needs its data NOW. What's stopping you?

You can see why a person might vanish. The miracle of open source isn't that it has taken over so much of IT, it's that the darn stuff survives at all.

Here, it has taken decades to get it working properly, through the work of one key figure who's spent his working life in the file system sector. Seeking another seems doomed to fail.

There is one way to get the expertise, motivation, resources and commitment to take on NTFS for Linux and make it golden for the long term: Microsoft. That sounds a ridiculous proposition for something the company has treated as one of its crown jewels, a centerpiece of its Windows strategy for both consumer and enterprise. Yet that's fighting an antique war.

Why is NTFS proprietary in the first place? It came out of the OS/2 NT divorce with IBM, when the partners became enemies and wanted any advantage they could jealously guard.

Windows New Technology, with the New Technology File System, came out in 1993 as the first child of that battle.

For decades afterwards, Microsoft's policy was fiercely exclusionary towards all rivals, big or small. It could not and would not stand the idea of anyone producing a better NTFS and gaining any sort of toehold in a market the company considered its exclusive territory.

These were the years when Microsoft's hyper-aggressive approach to other people's technologies saw a jury order it to pay $120 million to disk compression company Stac Electronics for patent infringement after trying to squelch the firm. These were the years Steve Ballmer described Linux as a cancer. These were bad times. NT as Nineties Tyranny.

Twenty years on, Microsoft loves Linux.

Moreover, Microsoft is severely relaxed about interoperability. It is hard to see how an open NTFS standard would damage the company commercially. Quite the opposite. It would add confidence in the future, but take away nothing from the present.

It certainly doesn't conflict with Microsoft's cloud strategy, where the choice of file system seems as obsolete a concept as decisions about tape formats. It would be a welcome gift to those who have to keep on with the old work, which is to say a very great deal of IT today.

For Microsoft, it would bestow a halo of good citizenship. Microsoft may have embraced the penguin, but it still thinks using Windows 11 as an advertising platform is a great idea.

We still have our memories. We still have our doubts. An act that was unambiguously beneficial to the corporate IT community would help enormously in dispelling those misgivings. It will have some cost, but nothing compared to the billions habitually spunked on stuff nobody asked for nor cared about, let alone the sums spent back in the day on killing the competition that we desperately wanted.

Microsoft. Here's your chance. Do a good thing. One that manifestly helps real world corporate IT, yet one of tremendous symbolic value. New Technology became Nineties Tyranny: let the final transformation be one of New Trust.

* Just a few examples include data security, migration, and platform integration.

Read the original:
Only Microsoft can give open-source the gift of NTFS. Only Microsoft needs to - The Register

This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech…

This week in Washington IP news, the Senate Science Committee convenes an executive session on Wednesday to deliberate over a pair of bills that would direct the Federal Communications Commission's activities on establishing universal telecommunications services. Over in the House, the Investigations and Oversight Subcommittee and the Research and Technology Subcommittee explore issues in the use of open source software for enterprise-level cybersecurity, the Space and Aeronautics Subcommittee focuses on the federal government's efforts to develop civil capabilities for space situational awareness, and the Task Force on Artificial Intelligence discusses issues related to the use of AI technologies in the growing regtech sector, which automates complex regulatory processes in the financial industry.

U.S. Patent and Trademark Office

Patent Public Advisory Committee Public Meeting

At 1:00 PM on Tuesday, online video webinar.

On Tuesday afternoon, the Patent Public Advisory Committee (PPAC) of the USPTO will convene its latest public meeting to discuss several issues overseen by PQuIP (Patent Pendency, Quality, International and Patent Trial and Appeal Board). Topics covered by PQuIP during the upcoming public meeting will include a high-level brief on the external quality perception survey, the Patent Trial and Appeal Board (PTAB) Pro Bono Program, and the PTAB Legal Experience and Advancement Program (LEAP).

U.S. Patent and Trademark Office

Trademark Basics Boot Camp, Module 6: Responding to an Office Action

At 2:00 PM on Tuesday, online video webinar.

This workshop, the sixth module in the USPTO's Trademark Basics Boot Camp series, is designed to teach small business owners and entrepreneurs the basics of how to respond to official letters from USPTO examiners who have completed review of trademark registration applications. Topics covered during this workshop include response timeframes and deadlines, tips for filing a successful response and the basics of office actions.

House Committee on Oversight and Reform

Legislative Markup Session

At 10:00 AM on Wednesday in 2154 Rayburn House Office Building.

On Wednesday morning, the House Oversight Committee will convene a legislative markup session to review several bills that would impact various responsibilities of federal government employees. A few of these bills relate to emerging areas of technology, including the currently unnumbered Artificial Intelligence Training for the Acquisition Workforce bill, introduced by Representatives Carolyn Maloney (D-NY) and James Comer (R-KY), which would direct the federal government to create an AI training program for acquisition activities; and H.R. 7535, the Quantum Computing Cybersecurity Preparedness Act, introduced by Representatives Ro Khanna (D-CA), Nancy Mace (R-SC) and Gerry Connolly (D-VA), which would direct the Office of Management and Budget to prioritize the migration of agency IT systems to post-quantum cryptography within one year of the promulgation of post-quantum cryptographic standards by the National Institute of Standards and Technology (NIST).

House Subcommittee on Investigations and Oversight

House Subcommittee on Research and Technology

Securing the Digital Commons: Open-Source Software Cybersecurity

At 10:00 AM on Wednesday in 2318 Rayburn.

A recent State of Enterprise Open Source report issued by software firm Red Hat found that, in a survey of 1,296 information technology (IT) leaders, 89 percent of respondents believe that open source software solutions are at least as secure as proprietary software solutions. That view persists despite vulnerabilities such as Log4Shell in Log4j, a logging library maintained by the Apache Software Foundation and embedded in a great many open source and commercial applications. The witness panel for this hearing will include Brian Behlendorf, General Manager, Open Source Security Foundation; and Dr. Andrew Lohn, Senior Fellow, Center for Security and Emerging Technology, Georgetown University.

Senate Committee on Commerce, Science, and Transportation

Executive Session

At 10:00 AM on Wednesday in 253 Russell Senate Office Building.

On Wednesday morning, the Senate Science Committee will convene an executive session to review several pieces of proposed legislation, including a pair of bills that would direct the Federal Communications Commission (FCC) to take several actions related to the deployment of infrastructure for universal service. These bills include S. 2427, the Funding Affordable Internet with Reliable (FAIR) Contributions Act, which would direct the FCC to study the feasibility of funding the Universal Service Fund through contributions from edge providers such as online search engines; and S. 3692, the Network Equipment Transparency (NET) Act, which would require the FCC to examine the current supply chain for telecommunications network equipment and determine whether any shortage of equipment is significantly impacting the deployment of advanced telecommunications capabilities.

U.S. Patent and Trademark Office

Conducting an Effective Patent Examiner Interview

At 12:00 PM on Wednesday, online video webinar.

This USPTO workshop is designed to give patent applicants the skills necessary to conduct successful examiner interviews and so improve their ability to complete patent prosecution at the USPTO with a patent grant. Topics covered during this workshop include tips on scheduling examiner interviews, interview preparation and tips for conducting effective interviews.

U.S. Patent and Trademark Office

USPTO Trade Secrets Symposium 2022: Trending Cross-Border Issues

At 1:00 PM on Wednesday, online video webinar.

On Wednesday afternoon, the USPTO will kick off the first day of a two-day symposium focused on exploring the challenges faced by U.S. companies doing business in foreign countries, especially those issues related to economic espionage and trade secret misappropriation. Topics covered during this event include balancing patents and trade secrets as different forms of IP protection, risks associated with overseas talent recruitment programs and coordinating civil investigations with criminal prosecution proceedings.

House Subcommittee on Commerce, Justice, Science, and Related Agencies

Fiscal Year 2023 Budget Request for the National Science Foundation

At 2:00 PM on Wednesday, online video webinar.

In late March, the Biden Administration issued its budgetary request for fiscal year 2023, including $10.5 billion in appropriations earmarked for the National Science Foundation (NSF), which represents an 18.7 percent increase over the NSF's budget for fiscal year 2022. If approved, this funding would support research related to climate science and clean energy, the establishment of the new Directorate for Technology, Innovation and Partnerships, and diversity initiatives to broaden the participation of underrepresented populations within the science and engineering fields. The sole witness for this hearing will be the Honorable Sethuraman Panchanathan, Director, National Science Foundation.

House Subcommittee on Innovation, Entrepreneurship, and Workforce Development

Moving Upwards and Onwards: The Workforce and Innovation Needs of the Aviation and Aerospace Industry

At 10:00 AM on Thursday in 2360 Rayburn.

The aviation industry is undergoing major changes thanks to several waves of innovation in areas like unmanned flight systems and alternative fuels. Incorporating these innovations requires a workforce with a solid education in science, technology, engineering and math (STEM) fields, but the aviation industry is still feeling the effects of the COVID-19 pandemic which has caused labor shortages across an industry that is mainly made up of small businesses. The witness panel for this hearing will include Eric Fanning, President and CEO, Aerospace Industries Association; ML Mackey, CEO, Beacon Interactive Systems, and testifying on behalf of the National Defense Industrial Association; Blake Scholl, Founder and CEO, Boom Technology, Inc.; and Judy Burns, President, Patriot Machine.

House Subcommittee on Space and Aeronautics

Space Situational Awareness: Guiding the Transition to a Civil Capability

At 10:00 AM on Thursday in 2318 Rayburn.

The U.S. federal government's long-term space exploration plans include returning a manned spacecraft to the lunar surface in preparation for the world's first manned mission to the planet Mars, which is currently planned to take place sometime during the 2030s. Recently, the U.S. Space Force created the 19th Space Defense Squadron, responsible for tracking cislunar space and other regions beyond Earth's orbit. In mid-April, state and defense ministers of the United States and India signed a bilateral agreement on space situational awareness, including plans to collaborate on both space innovation and strategic defense operations. The witness panel for this hearing will include Dr. Matthew Hejduk, Senior Project Leader, The Aerospace Corporation; Dr. Moriba Jah, Associate Professor, Aerospace Engineering and Engineering Mechanics Department, Mrs. Pearlie Dashiell Henderson Centennial Fellowship in Engineering, Oden Institute for Computational Engineering and Sciences, The University of Texas at Austin; Andrew D'Uva, Senior Policy Advisor, Space Data Association; and Kevin M. O'Connell, Founder, Space Economy Rising, LLC.

Brookings Institution

Forensic Algorithms: The Future of Technology in the US Legal System

At 11:00 AM on Thursday, online video webinar.

New algorithm-based technologies are being implemented by law enforcement agencies across the nation in order to improve the identification of criminal suspects from biological matter collected from crime scenes and other matters important to criminal investigations. However, as a report issued last June by the U.S. Government Accountability Office found, many law enforcement agencies experience issues in properly interpreting and communicating the results of these algorithmic-based processes, as well as the potential for programmer bias or operator misuse in applying these processes. This event will feature a fireside chat with Rebecca Wexler, Nonresident Fellow, Governance Studies, Center for Technology Innovation; and Representative Mark Takano (D-CA), Chairman, House Veterans Affairs Committee. Following that chat will be a discussion with a panel including Rebecca Wexler; Rediet Abebe, Assistant Professor of Computer Science, University of California, Berkeley; Glenn Rodriguez, Co-Director of Youth Services, Center for Community Alternatives; Andrea Roth, Professor of Law, University of California, Berkeley School of Law; and moderated by Julia Angwin, Founder, The Markup.

U.S. Patent and Trademark Office

The Path to a Patent, Part V: Understanding the Role of Claims in a Patent Application

At 2:00 PM on Thursday, online video webinar.

This workshop, the fifth part of the USPTO's Path to a Patent series, is designed to teach prospective patent applicants about the role of patent claims during the prosecution of a patent application. Topics covered during this workshop include the different parts of a patent claim, examples of claim illustrations from U.S. patents and the viewpoint of patent examiners when reviewing a patent claim.

U.S. Patent and Trademark Office

What You Need to Sell Your Arts and Crafts Online: Building Your Identity, for Native American Visual Artists and Craftspeople

At 3:00 PM on Thursday, online video webinar.

This workshop, the third in a series of monthly webinars focused on the sale of arts and crafts produced by Native American visual artists, is designed to provide these artists with resources for managing the migration of their products from local arts and crafts fairs, which have seen flagging attendance numbers since the onset of the COVID-19 pandemic, to online e-commerce channels.

House Task Force on Artificial Intelligence

Keeping Up With the Codes: Using AI for Effective RegTech

At 9:00 AM on Friday in 2128 Rayburn.

Artificial intelligence holds great promise for automating processes in many sectors, especially for regulatory processes in the financial industry that are extraordinarily complex. Global spending in the regtech industry is expected to increase from $68 billion in 2022 up to $204 billion in 2026, and the use of AI systems in digital onboarding processes for regtech is also expected to climb from 8 percent in 2022 up to 26 percent in 2026. The witness panel for this hearing has yet to be announced.

U.S. Patent and Trademark Office

PTAB LEAP: AIA Mock Oral Argument Practicum

At 1:30 PM on Friday, online video webinar.

This workshop, offered by the Patent Trial and Appeal Board's (PTAB) Legal Experience and Advancement Program (LEAP), gives PTAB practitioners a chance to hone their oral argument skills by presenting an America Invents Act (AIA) trial argument to a panel composed of administrative patent judges (APJs) currently working at the PTAB. Participants will receive feedback and a chance to take part in a question-and-answer panel following the practicum.

Read the original post:
This Week in Washington IP: Open Source Cybersecurity Solutions, Civil Capabilities for Space Situational Awareness and Using AI for Effective RegTech...