Bruce Perens quits Open Source Initiative amid row over new data-sharing crypto license: ‘We’ve gone the wrong way with licensing’ – The Register

Special report Last year, lawyer Van Lindberg drafted a software license called the Cryptographic Autonomy License (CAL) on behalf of distributed development platform Holo and submitted it to the Open Source Initiative (OSI) for approval as an Open Source Definition-compliant (OSD) license.

The debate over whether or not to approve the license, now in its fourth draft, has proven contentious enough to prompt OSI co-founder Bruce Perens to resign from the organization, for a second time, based on concern that OSI members have already made up their minds.

"Well, it seems to me that the organization is rather enthusiastically headed toward accepting a license that isn't freedom respecting," Perens wrote in a missive to the OSI's license review mailing list on Thursday. "Fine, do it without me, please."

Perens, for what it's worth, drafted the original OSD.

Another open-source-community leader familiar with the debate who spoke with The Register on condition of anonymity claimed Lindberg lobbied OSI directors privately to green-light the license, contrary to an approval process that's supposed to be carried out in public.

"I don't think that's an appropriate characterization," said Lindberg, of law firm Dykema, in a phone interview with The Register. "I think there are a number of people who from the beginning made up their minds about the CAL. You'll see a lot of people jumping onto any pretext they can find in order to oppose it."

"With regard to this idea of lobbying, there have been procedural-type communications that I think are entirely reasonable," he added. "But all the substantive debate has been on the license review and license discussion forums."

In an interview with The Register, Pamela Chestek, chair of the OSI's license review committee, said she was not aware of whether Lindberg had approached other OSI board members to lobby for the CAL.

"I do know people seemed to think there was something going on that wasn't going on," she said.

Chestek explained that the OSI board is generally happy to consult with parties in advance of a license review. "I did have a phone conversation in that context to help him understand what the issues are with the license," she said. "I think that communication may have been misunderstood."

Perens, in a phone interview with The Register, explained that the OSI has existed for 21 years and has been approving software licenses during that time. There are more than 100 such licenses, he said, and having that many is harmful to the community because when you combine software with multiple licenses, that creates a legal burden.

"Most people who develop open source don't have access to lawyers," he said. "One of the goals for open source was you could use it without having to hire a lawyer. You could put [open source software] on your computer and run it and if you don't redistribute or modify it, you don't really have to read the license."

Perens contends the CAL breaks that model. "The reason it does is if you are operating software under the CAL and you have users, you have the responsibility to convey the user's data back to them under certain conditions," he explained.

The reason for this, he said, is that Holo expects to oversee a network of CAL-licensed applications, and they don't want those creating clients for the distributed platform to sequester data from users to lock users in.

As Lindberg explained in a post about the CAL back in March, "You must refrain from using the permissions given under this License to interfere with any third party's Lawful Interest in their own User Data."

Holo's software is "a hashchain-based application framework for peer-to-peer applications." It's essentially a platform that allows software developers to create distributed applications secured by cryptographic code. The reason developers might want to do so is that distributed applications spread infrastructure costs among network participants rather than saddling the developer with the cost of a centralized server.

According to Holo co-founder Arthur Brock, distributed peer-to-peer software needs a license that addresses cryptographic key rights, which is why the CAL has been proposed.

"We are trying to say: the only valid way to use our code is if that developer's end-users are the sole authors and controllers of their own private crypto keys," he wrote in a post last year.

Lindberg said the CAL is applicable to current web applications, but it is more meaningful in the context of distributed workloads and distributed computation, which he contends will become more important as people seek alternatives to the centralization of today's cloud-based systems.

"A lot of people are very concerned about this concept of owning your data, owning your compute, having the ability to really control your computing experience and have it not be controlled by your cloud provider," said Lindberg.

Perens said, "It's a good goal but it means you now need to have a lawyer to understand the license and to respond to your users."

Perens said he resigned because the OSI appears to have already decided to accept the license. He said he's headed in a different direction, which he called "coherent open source."

"We've gone the wrong way with licensing," he said, citing the proliferation of software licenses. He believes just three are necessary: the AGPLv3, the LGPLv3, and Apache v2.

Chestek said the OSI has been aware for years that it's undesirable to have too many software licenses, pointing to the organization's long-standing anti-proliferation policy. The CAL, she said, has some novel aspects, specifically its data provision requirement.

"If someone uses this license to provide services, they also have an obligation to provide data," she said. "That's an entirely new concept for open source licenses."

"It's interesting because we are having a merger of data and software," Chestek opined. "It's getting harder to tell where the line is. I think it's worthwhile for the OSI to consider this."

In response to the concern voiced by Perens that software licenses show signs of mission creep by attempting to address aspects of behavior traditionally addressed through public law or other mechanisms, Chestek acknowledged that's a matter of ongoing discussion at the OSI.

"What is it that's appropriate for a software license to do?" she said, pointing to another license facing OSI review, the Vaccine License, which "requires that users vaccinate their children, and themselves, and that user businesses make a similar requirement of their employees, to the greatest extent legally possible."

Asked whether the OSI plans to approve the CAL, Chestek said she doesn't yet have an opinion. "It's still under active discussion," she said.

However, she said that Lindberg has made a great effort to work with the OSI during the review process. "It has taken a long time," she said. "It's a very painful process to go through. That's the way the system is supposed to work."

Even so, there are those who would see the process take longer still.

"[T]he policy implications of OSI volunteers interactively drafting a very novel copyleft license with a for-profit entity's lawyer and then approving it quickly really concern me," wrote Software Freedom Conservancy policy fellow Bradley Kuhn, in a post to OSI's license review list.

"Licenses function as legislation of our community. Yes, lobbyists often write our legislation, but that rarely generates good outcomes for the Republic and its people."


Open Source Software Market Technology, Regional Outlook, Competitive Strategies And Forecast from 2020 2025 – Instanews247

The Global Open Source Software Market report covers important aspects of this market concerning fundamental parameters. The report outlines the business range, concentrating on the overall industry, development possibilities, types and applications. It gives a brief summary of the Open Source Software market considering current and future scenarios. It also provides information on development and capacities.

The Open Source Software industry analysis covers size, share, growth, trends, and forecasts for 2020-2025. The report helps players analyse and improve their business strategies with useful data. It shows the key players in the worldwide market and the methodologies they use to separate themselves from other players. The analysis involves a broad outline of Open Source Software market information across different divisions. The research report gives a PESTEL analysis based on the total market, available size, development landscape, and analysis.

Detailed TOC along with also Charts and Tables of Open Source Software Market Research Report accessible at: https://www.futuristicreports.com/request-sample/399


This Open Source Software report explores feasibility with the objective of educating new entrants about changes within the market. A description, a thorough SWOT analysis and an investment analysis are given, showing which Open Source Software predictions represent impending opportunities for its players.

Geographically, the global Open Source Software market report offers segment research, export and import status, demand status and production volume, covering regions such as North America, South America, Europe, China, Japan, India, the Middle East & Africa, and others.

Get it at a discounted price: https://www.futuristicreports.com/check-discount/399

The Open Source Software report gives fundamental data about the significant difficulties that will affect development, and furthermore gives general insights concerning the business. The report will help current market participants examine different aspects of growing their business.

It provides an in-depth study of the current state of the global Open Source Software industry with a focus on growth. The report provides key statistics and an in-depth insight into the 2020-2025 global Open Source Software market, covering all important parameters.

Enquire more at: https://www.futuristicreports.com/send-an-enquiry/399


Volvo invests in autonomous car software developer Apex – Robotics and Automation News

Volvo Group Venture Capital has invested in Apex.AI, a developer of software for autonomous cars and mobility.

Volvo says the investment will fund the development of a safety-certified software framework for autonomous systems.

Apex, a Palo Alto, California-based company founded in 2017, is building an automotive-grade version of Robot Operating System, an established open source software framework commonly used in robotics and autonomous systems research.

Apex says it provides a safer and more reliable version of ROS that will be certified according to the functional safety standard ISO 26262, adding that this enables companies to take their autonomous vehicle projects into production.

Anna Westerberg, acting CEO of Volvo Group Venture Capital and SVP Volvo Group Connected Solutions, says: "We are excited to invest in a company that enables easier development of safety-certified systems."

Dan Tram, the Silicon Valley-based investment director of Volvo Group Venture Capital, says: "Apex.AI has a promising product offering with important commercial deployment potential for autonomous systems."

The role of Volvo Group Venture Capital is to make investments in innovative companies at the forefront of service orientation as well as product differentiation and to support collaboration between startup companies and the Volvo Group.

Volvo Group Venture Capital says that, based on the trends shaping the future of transportation and Volvo Group strategic priorities, its investment areas are:


We Need to Talk About Apache Camel – Computer Business Review


You can even run it natively on Kubernetes

The Apache Software Foundation (ASF) oversaw 339 projects in 2019 with a robust community of over 3,000 committers tweaking a huge 59,309,787 lines of code.

The most active project, by commits, was Apache Camel, a tool designed to allow enterprise developers to integrate a huge range of applications.

Apache Camel lacks the brand recognition of fellow ASF projects Hadoop, Kafka, or Spark, all widely used by well-known businesses, many of which have built critical components of their architecture on such open source software.

But as businesses seek to integrate more applications, for example to make combined use of the data they generate, Apache Camel is growing more important.

(This is particularly so for those who favour a developer-led DIY approach, rather than using a third-party contractor and paying the license fees for its software.)


Among those using Apache Camel are the European Commission (EC)'s developers.

With European policy makers forthright in their desire to see more open source tooling put to use across member states, perhaps that's no surprise.

And as one developer at the EC, responsible for developing reusable components and advocating open source software, puts it: "I personally like the elegance and performance compared with other integration frameworks."

He also touts a lively community (that made 41,164 commits in 2019).

Confluent's Kai Wähner is also effusive about the project.

In a DZone blog, he notes that "[Apache Camel lets you] easily integrate different applications using the required patterns."

You can use Java, Spring XML, Scala or Groovy. Almost every technology you can imagine is available, for example HTTP, FTP, JMS, EJB, JPA, RMI, JMS, JMX, LDAP, Netty, and many, many more (of course most ESBs also offer support for them). Besides, own custom components can be created very easily.

He adds: "You can deploy Apache Camel as a standalone application, in a web container (e.g. Tomcat or Jetty), in a JEE application server (e.g. JBoss AS or WebSphere AS), in an OSGi environment or in combination with a Spring container.

Every integration uses the same concepts!

No matter which protocol you use. No matter which technology you use. No matter which domain specific language (DSL) you use; it can be Java, Scala, Groovy or Spring XML. You do it the same way. Always! There is a producer, there is a consumer, there are endpoints, there are EIPs, there are custom processors / beans (e.g. for custom transformation) and there are parameters (e.g. for credentials)."

Even Mulesoft, which provides a similar offering in the form of its open source Mule ESB, acknowledges that Camel's "lean framework makes it easy to learn for programmers. Camel also accommodates different Domain Specific Languages (DSLs), allowing programmers to work in whichever language they find most comfortable."

Camel also closes the gap between modeling and implementation by adhering to Enterprise Integration Patterns (EIPs), allowing programmers to split integration problems into smaller pieces that are more easily understood.

In 2019 the Apache Camel team added two new projects: Camel K and Camel Quarkus. Camel K essentially takes the toolkit of Camel and runs it natively on Kubernetes, in a version specifically designed for serverless and microservice architectures.

(Users of Camel K can instantly run integration code written in Camel DSL on their preferred cloud, using Kubernetes or OpenShift).

Early this year it plans to add new tools, including a Kafka Connector and Camel Spring Boot (moved out of the main repository), which builds on Spring Boot, an open source Java-based framework used to create microservices that was developed by Pivotal.

The European Commission may seem an unlikely trail-blazer, but expect to hear a lot more about Apache Camel in 2020.


2020 vision: Synopsys predictions – Gigabit Magazine – Technology News, Magazine and Website

Happy New Year! To kick off 2020, the leadership team at Synopsys share their predictions for the year to come.

Steve Cohen, Security Services Manager at Synopsys:

Focus: Cloud Security

In 2020, I believe we'll see the accelerated adoption of finer granular objects to drive efficiencies. As developers adopt these finer granular objects within their cloud applications, such as containers, microservices, micro-segmentation, and the like, security testing tools will need to be object aware in order to identify the unique risks and vulnerabilities introduced by utilizing these objects.

I anticipate that new approaches to collecting security related data may become necessary in the cloud. In addition to application logs, cloud API access will be seen as necessary. There will also be a growing focus on centralized logging in the upcoming year.

In addition to application security, the cloud management plane will become an additional security layer that needs addressing in 2020. Developers, for example, will require access to the management plane to deploy applications. Incorrect settings here could expose the application to security risks as sensitive information flows through it.

Reduced transparency around what's going on within a given application will likely be a growing trend. A cloud provider doesn't necessarily tell you what security controls exist for the PaaS services they expose to you. Businesses will therefore need to make some assumptions about their security considerations and stance.

In terms of data security and integrity in the cloud, there will be more of a need to have proper policies in place to prevent improper disclosure, alteration or destruction of user data. Policies must factor in the confidentiality, integrity and availability of user data across multiple system interfaces.

In 2020, the adoption of PaaS and serverless architecture will provide even more of an opportunity to dramatically reduce the attack surface within the cloud.

Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre):

Focus: General Cybersecurity

Cyber-attacks on 2020 candidates will become more brazen. While attacks on campaign websites have already occurred in past election cycles, targeted attacks on a candidate's digital identity and personal devices will mount.

With digital assistants operating in an always listening mode, an embarrassing live mic recording of a public figure will emerge. This recording may not be associated directly with a device owned by the public figure, but rather with them being a third party to the device. For example, the conversation being captured as background noise.

With the high value of healthcare data to cybercriminals and a need for accurate healthcare data for patient care, a blockchain-based health management system will emerge in the US. Such a system could offer the dual value of protecting patient data from tampering while reducing the potential for fraudulent claims being submitted to insurance providers.

Emile Monette, Director of Value Chain Security at Synopsys:

Focus: General Cybersecurity

In the year to come, I anticipate that we'll see continued developments in software transparency (e.g., NTIA Software Component Transparency efforts). Additionally, a continued need for software testing throughout the software development life cycle (SDLC) will also persist as a focus in 2020, most assuredly a positive step in terms of firms understanding the criticality of proactive security maturity. I also have reason to believe we'll see increased efforts to secure the hardware supply chain, and specifically efforts to develop secure microelectronic design and fabrication will come into focus in the upcoming year.

Asma Zubair, Sr. Manager, IAST Product Management at Synopsys:

Focus: Endpoint Security

In 2020, we know that attackers will continue to exploit all applications, end-points, and networks they possibly can. This includes, but isn't limited to, web and mobile apps (internal or external), IoT devices in smart homes, and even the 5G network as it is being rolled out. Attackers will also continue to use the latest and greatest technologies (be it in machine learning, AI, or open source components that are freely available) to carry out ever-more sophisticated attacks at even greater scale. At the same time, organizations will continue to struggle as they try to balance competing priorities: the need to improve security, reduce time to market, and complete projects within budget and time constraints.


As we look to what will change in the year to come, California's SB-327 IoT bill will take effect on Jan 1, 2020 requiring manufacturers to build reasonable security into their connected devices. This is a step in the right direction as it will establish minimum standards and improve security of IoT devices available in the market. I anticipate there will be more legislative activity in 2020, especially in the US. The California Consumer Privacy Act will also take effect on January 1, 2020. I expect more states to follow suit. If done properly, regulations will bring about the accountability needed to improve the overall state of cybersecurity.

We saw several high-profile GDPR-related lawsuits, fines, and settlements in 2019. I wouldn't be at all surprised to see more of these hit the headlines in the coming year.

Organizations tend to focus a good deal of attention on their end-point protection and network security, and this is indeed very important. But applications, another very critical piece in the overall security puzzle, often don't get as much attention and therefore tend to become a weak link in terms of security. Organizations need to test their applications throughout the development process for security vulnerabilities using methods such as interactive application security testing (IAST), static application security testing (SAST), or dynamic application security testing (DAST). They must also actively work to address the vulnerabilities detected by these testing methods.

Kimm Yeo, Senior Manager at Synopsys:

Focus: Cellular/Wireless

The introduction of wireless broadband communication technologies such as 4G and LTE hasn't only affected consumer lifestyles. Such technology has also fueled the growth of ride-sharing business models. Although the adoption of LTE has been broad based, with over 600 carriers deployed in 200 countries, and over 3.2 billion subscribers worldwide (as of 2018), the enhanced user experience and convenience hasn't come without a price. Several dozen new security flaws related to LTE have been identified through fuzz testing.

As both cellular and wireless technologies continue to advance to 5G, 6G and beyond, this will not only greatly reduce latency and improve the user experience, it will also open the door to new attack surfaces and attack strategies. It's extremely difficult to anticipate and prevent such malicious advances in the increasingly connected ecosystems and lifestyles in which we all live. However, this is something we should strive to improve upon in the not-so-distant future.

Dennis Kengo Oka, Senior Solution Architect at Synopsys:

Focus: Automotive

There are two major trends emerging. The first is the concept of CASE (connected, autonomous, shared, electric). As technologies such as 5G lead to increased connectivity alongside advances in proprietary and open source software (e.g., Automotive Grade Linux), we'll see targets move beyond the vehicle. Malicious actors will leverage new, evolving attack vectors in backend systems, mobile apps, infrastructure and services relating to automotive technologies.

The second major trend we'll see in 2020 is that of standardization and regulations such as ISO/SAE 21434 and UNECE WP.29 driving cybersecurity activities in the automotive industry. This will lead to changes in organizational teams and processes, including the addition of security gates such as static code analysis, open source risk management, fuzz testing, and penetration testing to implement security throughout the entire vehicle life cycle. An increased focus on automated test processes and toolchains will continue to emerge as well in the year to come.


Recruiting Developers: the importance of finding the right people – Techerati

Taking the time to make the right hires and carefully thinking through your recruiting strategy is one of the best investments your business will ever make

Just about every business today relies on people who write code. The problem is that hiring good developers is difficult. It may even be the most difficult thing a business will do.

The reason developer hiring is such an important topic (and something many businesses find challenging) is that unlike many other professions, good developers can be many times more productive than their peers.

If you are hiring a driver to get you from A to B, regardless of how fast the driver you hire is, the difference between a high-performing driver and any other driver will be fairly minimal: they will both get you from A to B within a reasonable amount of time. It is essentially impossible for a driver to get you from A to B 10 times or 100 times quicker than another driver.

But this is not true in the technology industry. A great developer may be many times more productive than other developers, and a poor developer may actually remove value from your organisation. In short, hiring developers is a high-stakes game because the productivity multiple between one developer and another may be significant and business-altering.

There are only two ways to reach developers: in-person and online. Regardless of your tactics, if you want to recruit good people you need to get their attention, and without question, the best way to do this is to be an active participant in the developer community.

For in-person recruiting, this might involve giving technical talks at programming conferences, hosting developer dinners, and participating in developer events, such as hackathons or community meetups.

If you're able to, having your existing technical talent present on new methods and tools they are using at programming events can be a great way to connect with like-minded developers working on similar problems, make friends, and build a reputation for both your business and your employees.

Similarly, hosting a relaxed dinner where you invite some of your top developers as well as other respected developers in your area can be a great way to make authentic connections and explore opportunities. I have met some truly great people hosting these types of intimate events. Supporting these activities by giving your existing developers time and resources so they can attend these types of events is an authentic and effective way to recruit great people to your business.

But as much as I love in-person developer events, it would be remiss to not mention more scalable, online ways to attract great developers.

Some of the most effective ways I've found to recruit great developers online are to publish technical articles and videos, answer questions on topics related to your business on popular developer sites like StackOverflow, and build and share open source software that other developers can use to solve problems.

Giving your top people time to share some of the interesting technical things they have learned on a company blog and YouTube channel can be incredibly effective. It can get the attention of developers working on similar problems, build developer awareness of your company and attract thousands of developers to your site over a number of years.

While it can be a lot of work, allowing your technical teams to publish some of the software they create as open source solutions can be very effective too. Not only will open sourcing some of the projects your teams work on attract external developers to your company, it often makes your engineering team work more effectively by forcing them to build reusable solutions to common problems.

These strategies will help you reach the right people, but after you have reached them, it is still up to you to win them over. That means understanding fair market rates, developer culture, and engineering management. If you can foster an environment in which great developers want to work, you will have a much easier time getting great people to join your company.

One common misconception I have heard from business owners is that if you hire great developers they will perform well. This is not true. All developers can perform well under certain conditions, but it is up to you to design a hiring process that ensures the developers you hire will flourish based on your engineering culture, management, company values and technology needs.

When you are designing a developer hiring process the first thing you need to know is that testing developers and finding a great fit is tricky. There is no perfect way to do it and you will never be able to guarantee you always hire the right people.

With that said, here are the things that I have found work well in a developer hiring process.

Ask developers in-depth questions about projects they have worked (or are working) on. Avoid just asking them what they are doing currently, instead have them explain it to you in great depth. Ask them why they are doing things certain ways and how they might change things. Probe at a deeper level and you can gain a deeper understanding of how they think and what their realm of expertise is.

It is important to ask a candidate what their favourite project has been. I often have them walk me through it: what they liked about it, and what they disliked. This is a great way to figure out not only what the candidate knows, but also the types of projects they enjoy working on.

Instead of coding puzzles, give candidates a take-home project. Not only are coding puzzles a poor reflection of what candidates will actually be doing on the job, they also incentivise poor behaviour. Instead of making the interview process about a candidate's experience and depth of knowledge, coding-puzzle-style technical quizzes end up merely testing the candidate on how well they have memorised a series of common math problems, which is almost certainly not what you want to test for.

Instead of forcing a candidate to solve problems on a whiteboard, consider giving them a take-home project. What I like to do is ask candidates to build a very small application (which they should spend no more than four hours on); something similar to what they would be working on if they get the job. This way, the candidate has a chance to think through what they are working on without the performance pressure of an interview and can show you how they perform in a real-world scenario.

An added benefit of the take-home project is that if the candidate does come in for an onsite, you will have plenty to talk about using the take-home assignment as a basis for conversation. I like to ask candidates what they liked and disliked about the assignment and use those questions as a starting point to dive deeper into the technology choices and strategies they used.

Making sure every developer you hire understands your business challenges and how things can be improved is critical. Bringing on developers who will just take orders is a recipe for disaster, as your business will be unable to innovate effectively with this mindset. It is vital that the strongest members of your team have the same vision for fixing issues and pushing for change that you do.

When this is all done successfully, developers will be one of the strongest growth factors for your business. Taking the time to make the right hires and carefully thinking through your recruiting strategy is one of the best investments your business will ever make.

Read more here:
Recruiting Developers: the importance of finding the right people - Techerati

Assistive Technology Switch Is Actuated Using Your Ear Muscles – Hackaday

Assistive technology is extremely fertile ground for hackers to make a difference, because of the unique requirements of each user and the high costs of commercial solutions. [Nick] has been working on Earswitch, an innovative assistive tech switch that can be actuated using voluntary movement of the middle ear muscle.

Most people don't know they can contract their middle ear muscle, technically called the tensor tympani, but will recognise it as a rumbling sound or a muffling of your hearing when yawning or tightly closing your eyes. Its function is actually to protect your hearing from loud sounds such as screaming or chewing. [Nick] ran a survey and found that 75% can consciously contract the tensor tympani and 17% can do it in isolation from other movements. Using a cheap USB auroscope (an ear camera like the one [Jenny] reviewed in November), he was able to detect the movement using iSpy, an open source software package meant for video surveillance. The output from iSpy is used to control Grid3, a commercial assistive technology software package. [Nick] also envisions the technology being used as a control interface for consumer electronics via earphones.

With the proof of concept done, [Nick] is looking at ways to make the tech more practical to actually use, possibly with a CMOS camera module inside standard noise-cancelling headphones. Simpler optical sensors like reflectance or time-of-flight are also options being investigated. If you have suggestions or a possible use case, drop by the project page.

Assistive tech always makes for interesting hacks. We recently saw a robotic arm that helps people feed themselves, and the 2017 Hackaday Prize has an entire stage that was focused on assistive technology.

Continued here:
Assistive Technology Switch Is Actuated Using Your Ear Muscles - Hackaday

36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware – Hackaday

With open source software, we've grown accustomed to a certain level of trust that whatever we are running on our computers is what we expect it to actually be. Thanks to hashing and public key signatures at various points in the development and deployment cycle, it's hard for a third party to modify source code or executables without us being able to spot it easily, even if they travel through untrustworthy channels.
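The software-side property described above, written out as an added example (this is not code from the talk, from Betrusted, or from Hackaday): a publisher hashes an artifact and signs the digest, and a consumer who fetched the artifact over an untrusted channel recomputes the digest and checks the signature against a public key it already holds. The example assumes SHA-256 and Ed25519 (the talk does not prescribe either), assumes the publisher's public key reaches the consumer out of band, and uses a constructed byte string in place of a real firmware image. Each of the three tampering attempts in `main` corresponds to something a distribution-path attacker can do to bits, and each is caught; the point of the talk is that there is no equivalent check for a chip, because you cannot recompute a hash over silicon without destroying it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is what a publisher ships: the artifact, its SHA-256 digest, and a
// detached Ed25519 signature over that digest. Signing the fixed-size digest
// rather than the raw bytes keeps the signature independent of artifact size.
type Release struct {
	Artifact  []byte
	Digest    [32]byte
	Signature []byte
}

// Distinct failures let a consumer tell "the bytes were altered in transit"
// apart from "someone re-signed altered bytes with a key we do not trust".
var (
	ErrDigestMismatch = errors.New("artifact does not match the published digest")
	ErrBadSignature   = errors.New("digest signature does not verify under the publisher key")
)

// Publish hashes the artifact and signs the digest with the publisher's
// private key, which stays in the publisher's build environment.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{
		Artifact:  artifact,
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify is what the consumer runs after fetching a release over a channel it
// does not trust (a mirror, a CDN, a USB stick). It recomputes the digest from
// the bytes actually received, compares it with the published digest, then
// checks the publisher's signature over that digest. The public key is assumed
// to have arrived out of band (pinned in the package manager or updater),
// never alongside the artifact it is meant to protect.
func Verify(pub ed25519.PublicKey, r Release) error {
	got := sha256.Sum256(r.Artifact)
	if !bytes.Equal(got[:], r.Digest[:]) {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(pub, r.Digest[:], r.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact standing in for a firmware image or binary.
	rel := Publish(priv, []byte("constructed firmware image v1.0"))
	fmt.Println("genuine release:", Verify(pub, rel))

	// Attacker on the distribution path flips one byte of the artifact.
	tampered := rel
	tampered.Artifact = append([]byte(nil), rel.Artifact...)
	tampered.Artifact[0] ^= 0xff
	fmt.Println("modified artifact:", Verify(pub, tampered))

	// Attacker also rewrites the digest to match; the signature now fails
	// because they do not hold the publisher's private key.
	tampered.Digest = sha256.Sum256(tampered.Artifact)
	fmt.Println("modified artifact and digest:", Verify(pub, tampered))

	// Attacker re-signs with their own key; still rejected, because the
	// consumer's pinned public key is the publisher's, not the attacker's.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	tampered.Signature = ed25519.Sign(attackerPriv, tampered.Digest[:])
	fmt.Println("re-signed by attacker:", Verify(pub, tampered))
}
```

Only the first call returns nil; the other three are rejected before the artifact would ever be installed. Note that the scheme is only as good as the key distribution: if the public key is fetched from the same place as the artifact, an attacker who controls that place simply swaps both.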

Unfortunately, when it comes to open source hardware, the number of steps and parties involved that are out of our control before we hold a final product (production, logistics, distribution, even the customer) makes it substantially more difficult to achieve the same peace of mind. To make things worse, actually validating the hardware at the chip level ultimately means destroying it.

In his talk at 36C3 this year, [bunnie] gave a detailed look at several attack vectors we could face during manufacturing. Skipping the obvious ones like adding or substituting components, he focuses on highly ambitious and hard-to-detect modifications inside an IC's package, using wirebonded or through-silicon via (TSV) implants, down to modifying the netlist or mask of the integrated circuit itself. And these aren't theoretical "what if" scenarios but genuinely available options; of course, some of them come with a certain price tag, but in the end, with the right motivation, money is only a detail.

Sure, none of this is particularly feasible, or even of much interest, for a blinking LED project, but considering how more and more open source hardware projects are emerging to replace fully proprietary components, especially with a major focus on privacy, a lack of trust in the hardware involved along the way is worrying, to say the least. At this point there is no perfect solution in sight, but FPGAs might just be the next best thing: the logic is loaded by the user after the chip has been delivered, so an implant added during manufacturing has to target a design it cannot know in advance. The next part of the talk presents the Betrusted prototype that [bunnie] is working on together with [xobs] and [Tom Marble]. That alone makes the talk worth watching, in our view.

Read the original:
36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware - Hackaday

The year in #StupidSecurity: 2019's biggest security and privacy blunders – The Daily Swig

Flagrant tales of epic (security) fails

Stupid criminals, careless politicians, inept bug handling, and more slapdash or just plain stupid behavior were abundant in the arena of cybersecurity over the past 12 months.

Everyone involved in this year's #StupidSecurity run-down ought to resolve to do better in 2020, perhaps by starting to cast an eye over examples of the people and organizations who've handled infosec problems with a bit more grace, preparation, and better passwords. Sounds familiar.

Bug bounties and ethical hacking, particularly in the field of web security, are a major topic of interest for The Daily Swig.

Vendor missteps are legion, but sometimes it's the bug hunters who get it wrong.

Back in July, developers of the VLC media player were able to debunk widely covered reports of a critical security issue in their popular open source software.

Jean-Baptiste Kempf, president of VLC owner VideoLAN, told The Daily Swig that the exploit did not work on the latest VLC build. In fact, it turned out that any potential issues related to the vulnerability had been patched more than a year earlier.

CERT-Bund, which initially flagged the issue as critical, downgraded the vulnerability to low impact after we challenged the organization on its originally published classification, which had been based largely on a public bug ticket rather than on testing against a current build.

Missteps in bug handling are more common on the vendor rather than researcher side, of course.

July brought the discovery of a Zoom client bug that allowed any site to force Mac users into video chat.

Security researcher Jonathan Leitschuh went public with a vulnerability in the Mac version of the Zoom video conferencing app that allowed a malicious website to auto-join Mac users to a video call and enable their webcam without permission.

Security researchers faulted Zoom for its initially dismissive response to the issue.


Capital One grabbed news headlines in July when the US financial services company announced that personal information belonging to approximately 106 million people residing in the US and Canada had been exposed.

The criminal breach also compromised more sensitive information on a smaller number of customers: 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers.

Capital One tried to deflect attention from this aspect of the problem, much to the derision of the security community.

The alleged perpetrator, Paige A. Thompson, gained access through a misconfiguration of a cloud-hosted web application, according to prosecutors.

On a much smaller scale, the Dutch Data Protection Authority was left red-faced back in May after it failed to report itself on time over a minor data breach, caused by one of its own employees.

Oops.

DNS-over-HTTPS (DoH), an emerging protocol that carries DNS queries over HTTPS in order to protect online privacy, became the arena for policy controversies this year.

The technology is supported by browser makers including Google and Mozilla but criticized by some because of its reliance on third-party DNS providers, among other reasons.

The Internet Service Providers Association (ISPA) controversially argued that DoH impedes web blocking programs, going as far as nominating Mozilla as an "internet villain" over its support of the technology.

The ISPA trade association was obliged to backtrack and pull the nomination after a backlash from sections of the internet security community.

What could be more awkward, if not plain ridiculous, than being arrested while doing your job?

But that's what happened to two staff at US security consultancy Coalfire, who were arrested during a late-night physical pen test at a courthouse in Dallas County, Iowa, back in September.

Dallas County, Iowa, Sheriff Chad Leonard told The Daily Swig that he acted properly in arresting the two infosec workers, who he said had gone outside the scope of their contract.

In August, digital bank Monzo told hundreds of thousands of customers to change their PINs after it realized it was accidentally storing sensitive customer data in log files.

Monzo isn't alone when it comes to slip-ups in this area.

For example, back in March it was revealed that Facebook had been logging web requests containing clear-text passwords for years.

Facebook came under fire once again months later, in September, over a data leak that exposed the phone numbers of hundreds of millions of its users.

Having had its share of privacy scandals, Facebook's all-caps rebrand to FACEBOOK in November was also widely mocked as tone deaf. A design that conveyed reflective repentance might have been seen as more appropriate.


Last year in Stupid Security, Kanye West infamously exposed the PIN code of his phone in front of the spectating press corps during an Oval Office meeting with President Trump. The rapper was captured tapping in 000000 to unlock his iPhone.

But 2019 showed us that it's not only rappers who fall victim to easy to guess PIN codes.

In October, Congressman Lance Gooden made much the same security slip-up, revealing that his phone passcode was 111111 by entering the code during a filmed Congressional session.

Gooden made light of his faux pas, choosing to disregard the part that hacking played in the 2016 US presidential election cycle or the sensitivity of the communications the first-term congressman handles.

The Republican congressman isn't alone in being captured on camera making questionable security trade-offs.

Back in March, a video surfaced on Twitter that appeared to show Hashim Thaçi, the President of Kosovo, logging into his computer using an all-too-simple password.

Passwords remain a necessary evil despite predictions that we're moving towards a passwordless future, a warm future that's perennially two or three years away.

One online resource, a "Dumb Password Rules" tool, spotlights firms that take an idiosyncratic approach to password policy.

Examples of curious policies include that of BMO (Bank of Montreal), where users' passwords must be exactly six characters long and include no special characters. Fixing both the length and the character set shrinks the space an attacker has to search, which is the opposite of what a password policy is for.

Entropy? They've heard of it. Or perhaps they haven't.


John McAfee, who we sense will become a fixture of this annual list, backed up last year's support for a much-criticised cryptocurrency wallet with a stand-out performance in a different category: OpSec fail.

In July, McAfee posted pictures on Twitter that revealed that he was holed up in Vilnius, Lithuania, in a tin-foil lined room. The disclosure followed days after McAfee and his entourage were arrested after his yacht docked in the Dominican Republic over concerns that Army-grade weapons were on board.

The group were released without charge four days later before resurfacing in eastern Europe.

Criminals and police alike served up a steady diet of WTF moments in infosec over the last 12 months.

In January, a Microsoft employee chided the Chicago Police Department over claims that the police force's Windows 7 machines were at the cutting edge of technology.

In July, somebody hijacked the Met Police's official newsfeed and Twitter account, a small example of a wide field of slapdash security that might loosely be described as social media shenanigans.

Staying with police-related security missteps, Chinese citizen Yujing Zhang was arrested at Trump's Mar-a-Lago club in Florida with suspect items including multiple phones, two passports, and a USB stick that turned out to be stuffed full of malware.

It emerged that the US Secret Service (trained security professionals, lest we forget) plugged the suspect USB stick into one of their own computers, which is exactly what an unknown drive should never be allowed near.

Not so much Bodyguard as the booby-trapped guards.


See the rest here:
The year in #StupidSecurity: 2019's biggest security and privacy blunders - The Daily Swig

Customer-driven open source is the future of software – ARNnet

By some estimates there are roughly 190 million companies on earth today. Imagine if they were all contributing to open source. Of course, most of those companies aren't in a position to contribute code, but if we want truly sustainable, customer-friendly open source, it's time to focus on the best possible source: companies that don't sell software.

Why? Because the more software is built to suit the needs of those who are actually running it day-to-day, the better that software will be, and the less we'll need to worry about sustainability.

Despite the fact that open source has never been more broadly used, apparently we're in an open source sustainability crisis. It's the same crisis we've been in for the past 20 years, with persistent warnings that this can't last. I wrote about it in 2008 ("Open source has the chance of becoming a nonrenewable resource if enterprises consume it without contributing cash or code back"), but by 2013 my concern had faded:

By early 2019 I was calling open source sustainability concerns fake news because open source clearly has never been stronger.

While I continue to believe open source is nowhere near an existential crisis, I do believe we've frittered away needless energy looking for sustainability in the wrong place: vendors. As I pointed out in 2013, the real innovation in open source stems from customers; that is, from enterprises who use open source to build their businesses and contribute code accordingly.

Red Hat CEO Jim Whitehurst has been agitating for customer-driven open source for well over a decade: "Ultimately, for open source to provide value to all of our customers worldwide, we need to get our customers not only as users of open source products but truly engaged in open source and taking part in the development community."

There are many reasons why such customer-driven (or user-driven) innovation might be best, but Linux veteran Matt Wilson put it this way: "If I can risk predicting the future, I think you'll see a lot more new open source software emerging from companies that are building it and using it to solve their business problems. And it will be better because of a positive feedback loop of putting the software into an applied practice."

Say that again?

Wilson: "If you look backwards in time, [you'll see] that software vendors dominate the enterprise software space. And I think that is a reason why so much of it is so, so bad. Because the people building the software are not using it to solve problems."

Not software sold on a golf course. Software built to meet real-world needs by the companies experiencing those needs. Fortunately, it's already happening:

There are many more. Even a cursory review of the speakers at OSCON 2019 reveals Uber, Bosch, The Home Depot, Comcast, and others, many of them talking about how their companies both use and build open source software.

And of course there's great software built by vendors, too, though the best software released by vendors tends to have more to do with how they're running their infrastructure than with what they're selling. Take Google and Kubernetes, for example: Google had been running containerized workloads for over a decade before releasing Kubernetes. Kubernetes suddenly gave non-Google-like companies Google-like powers.

This is the future of open source. Vendors will continue to contribute to open source projects, and to release projects of their own. But Whitehurst and Wilson seem to be onto something: the best software is software that companies build to scratch their own itches, in true open source fashion, and address their own day-to-day needs.


Excerpt from:
Customer-driven open source is the future of software - ARNnet