Category Archives: Open Source Software

OSMC 2013 | Holger Koch: 10 Jahre Monitoring mit Open Source Software bei der DB Systel (DE) – Video

Posted on by


OSMC 2013 | Holger Koch: 10 Jahre Monitoring mit Open Source Software bei der DB Systel (DE)
Der Vortrag bietet im ersten Teil einen berblick ber die Anfnge. Dabei wird sowohl auf die verwendete Technik und Architektur, als auch auf die kulturelle...

By: NETWAYS

More here:
OSMC 2013 | Holger Koch: 10 Jahre Monitoring mit Open Source Software bei der DB Systel (DE) - Video

Obama administration backs disclosing software vulnerabilities in most cases

Posted on by

The administration of U.S. President Barack Obama favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need, the country's spy agency said.

The government was on Friday countering a news report that said the U.S. National Security Agency knew about the recently identified Heartbleed vulnerability for at least two years and had used it for surveillance purposes.

The administration said the NSA was not aware of Heartbleed until it was made public in a private sector cybersecurity report.

"When Federal agencies discover a new vulnerability in commercial and open source software -- a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it -- it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," the Office of the Director of National Intelligence said in a statement Friday.

The ODNI statement added that the White House had reviewed its policies in response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, set up to review the surveillance practices of the NSA.

Under an inter-agency process called the Vulnerabilities Equities Process, unless there is a clear national security or law enforcement need, the process is "biased toward responsibly disclosing such vulnerabilities," according to the spy agency.

One of the recommendations in December of the review group was that U.S. policy should ensure that zero-day vulnerabilities are quickly blocked and the underlying vulnerabilities are patched on U.S. government and other networks. The group allowed that in "rare instances," the policy of the government may briefly authorize using a zero-day flaw for intelligence collection after inter-agency review involving all relevant departments at a senior level.

Referring to allegations that the U.S. government introduced "backdoors" into commercially available software, enabling the decryption of apparently secure software, the review group said it was not aware of any such incidents, but advised that the US Government should make it clear that the NSA will not engineer vulnerabilities into "encryption algorithms that guard global commerce."

The Heartbleed vulnerability takes advantage of a problem in certain versions of OpenSSL, a set of encryption tools used for securing Web connections, and could allow a remote attacker to expose critical data such as user authentication credentials and secret keys.

Internet companies rushed to fix the problem, while the Canada Revenue Agency halted online filing of tax returns by the country's citizens as a preventive measure. The CRA's systems were restored on Sunday after applying a "patch" that addresses the vulnerability. "We could not allow these systems back online until we were fully confident they were safe and secure for Canadian taxpayers," said CRA Commissioner Andrew Treusch in a statement. The U.S. Internal Revenue Service said it continued to accept tax returns ahead of an April 15 deadline, as its systems were not affected by Heartbleed

See the article here:
Obama administration backs disclosing software vulnerabilities in most cases

Heartbleed prompts joint vendor effort to boost OpenSSL, security

Posted on by

Reeling from the Heartbleed security fiasco, major IT vendors including Microsoft, IBM, Intel, Google and Cisco are backing a Linux Foundation initiative designed to boost open source projects considered critical to the industry.

Under the Core Infrastructure Initiative, these and other tech vendors such as Fujitsu, Facebook, NetApp, Rackspace and VMware will support open source projects with funding and expertise.

Unsurprisingly, the first such project on the list for consideration is OpenSSL, the cryptographic library used by millions of websites to encrypt their communications via SSL (Secure Sockets Layer) and TLS (Transport Layer Security) whose Heartbleed vulnerability sent the entire IT industry into emergency mode earlier this month.

On April 7, it was revealed that a severe flaw that existed since December 2011 in several versions of the OpenSSL had been patched, sending thousands of companies scrambling in turn to patch their websites.

If exploited, the flaw could allow an attacker to steal critical data, such as account and password information, from affected systems.

Open source software projects, like OpenSSL, are developed by communities of volunteer coders, and often only have a handful of full-time staffers working on them. This was the case with OpenSSL.

OpenSSL could receive funding "for key developers" and other resources to improve its security, according to The Linux Foundation, which is organizing the multi-million dollar initiative.

"We are expanding the work we already do for the Linux kernel to other projects that may need support," said Jim Zemlin, executive director of The Linux Foundation, in a statement. "Our global economy is built on top of many open source projects."

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Read the original here:
Heartbleed prompts joint vendor effort to boost OpenSSL, security

The 5 Most Dangerous Software Bugs of 2014

Posted on by

Dealing with the discovery of new software flaws, even those that leave users open to serious security exploits, has long been a part of everyday life online. But few years have seen quite so many bugs, or ones quite so massive. Throughout 2014, one Mothra-sized megabug after another sent systems administrators and users scrambling to remediate security crises that affected millions of machines.

Several of the bugs that shook the Internet this year blindsided the security community in part because they werent found in new software, the usual place to find hackable flaws. Instead, they were often in code thats years or even decades old. In several cases the phenomenon was a kind of perverse tragedy of the commons: Major vulnerabilities in software used for so long by so many people that it was assumed they had long ago been audited it for vulnerabilities.

The sentiment was that if something is so widely deployed by companies that have huge security budgets, it must have been checked a million times before, says Karsten Nohl, a Berlin-based security researcher with SR Labs who has repeatedly found critical bugs in major software. Everyone was relying on someone else to do the testing.

Each of those major bug finds in commonly used tool, he says, inspired more hackers to start combing through legacy code for more long-dormant flaws. And in many cases, the results were chilling. Heres a look at the biggest hacker exploits that spread through the research community and the worlds networks in 2014.

Heartbleed

When encryption software fails, the worst that usually happens is that some communications are left vulnerable. What makes the hacker exploit known as Heartbleed so dangerous is that it goes further. When Heartbleed was first exposed in April, it allowed a hacker to attack any of the two-thirds of Web servers that used the open source software OpenSSL and not merely strip its encryption, but force it to cough random data from its memory. That could allow the direct theft of passwords, private cryptographic keys, and other sensitive user data. Even after systems administrators implemented the patch created by Google engineer Neal Mehta and the security Codenomiconwho together discovered the flawusers couldnt be sure that their passwords hadnt been stolen. As a result, Heartbleed also required one of the biggest mass password resets of all time.

Even today, many vulnerable OpenSSL devices still havent been patched: An analysis by John Matherly, the creator of the scanning tool Shodan, found that 300,000 machines remain unpatched. Many of them are likely so-called embedded devices like webcams, printers, storage servers, routers and firewalls.

Shellshock

The flaw in OpenSSL that made Heartbleed possible existed for more than two years. But the bug in Unixs bash feature may win the prize for the oldest megabug to plague the worlds computers: It went undiscovered, at least in public, for 25 years. Any Linux or Mac server that included that shell tool could be tricked into obeying commands sent after a certain series of characters in an HTTP request. The result, within hours of the bug being revealed by the US Computer Emergency Readiness Team in September, was that thousands of machines were infected with malware that made them part of botnets used for denial of service attacks. And if that werent enough of a security debacle, US CERTs initial patch was quickly found to have a bug itself that allowed it to be circumvented. Security researcher Robert David Graham, who first scanned the Internet to find vulnerable Shellshock devices, called it slightly worse than Heartbleed.

POODLE

Read the original here:
The 5 Most Dangerous Software Bugs of 2014

Open Source’s 2014: MS ‘cancer’ embrace, NASDAQ listings, and a quiet dog

Posted on by

Ho hum. Another year, another slew of open source announcements that prove the once-maligned development methodology is now so mainstream as to be tedious. Running most of the worlds most powerful supercomputers? Been there, done that. Giving retailers the ability to deliver highly customized paper coupons to consumers based on warehouse inventory nearby? So 2013!

And yet in 2014 we had a few events in open source that managed to surprise us, and suggest an even brighter future.

The biggest open source news of 2014 actually isnt. News, that is. As Red Hat storage executive Neil Levine opines, the dog that didn't bark in 2014 was the fact that "no major enterprise platform launched this year that wasn't built with [open source software]".

In fact, as Cloudera co-founder Mike Olson declares: No dominant platform-level software infrastructure has emerged in the last ten years in closed-source, proprietary form. Even proprietary platforms such as Amazon Web Services are built almost entirely from open source components.

Which is why its so significant that we got our first open source IPO since 2007, when security vendor Sourcefire went public on the back of the popular Snort project. Prior to Sourcefire only two other open source companies made it to the public markets, both in 1999: Red Hat and VA Linux.

Of those three open source vendors, only one remains as a public company: Red Hat. VA Linux imploded soon after its offering, and Sourcefire was acquired by Cisco in 2013.

Which is all the more reason to celebrate the arrival of Hortonworks, which soared to a billion-dollar valuation on its first day of public trading (after falling from its previous billion-dollar valuation on the private markets).

While its nice that the IPO made its executives rich(er) - many of them made millions as part of the JBoss and SpringSource acquisitions by Red Hat and VMware, respectively - the real importance of Hortonworks IPO is that it paves the way for many more open source companies to become independent peers to Red Hat.

Linus Law: Given a large enough beta-tester

and co-developer base, almost every problem

Read this article:
Open Source's 2014: MS 'cancer' embrace, NASDAQ listings, and a quiet dog

Free Website Web Design Builder | Open Source Software for Business Marketing – Video

Posted on by


Free Website Web Design Builder | Open Source Software for Business Marketing
Learn to create stunning one page web pages that make instant conversions. Using an easy drag and drop website builder you can create easy websites in second...

By: Linktrusted

See original here:
Free Website Web Design Builder | Open Source Software for Business Marketing - Video