These startups create innovative products for everyday use – CTech

Fifteen companies advanced to the semifinals of Calcalist's and Bank Hapoalim High-Tech's StartUp+ competition and will face off for a spot in the finals. A representative from each company gave a 3-minute pitch presenting its solution, and afterward answered the judges' questions. Batsheva Moshe, Head of Poalim High-Tech at Bank Hapoalim, spoke at the event.

The judges' panel consisted of Eti Ben-Zeev, CIO and Head of Information Technology at Bank Hapoalim; Natalie Refuah, Partner at Viola Growth; Emanuel Timor, General Partner at Vertex Ventures; Sigalit Klimovsky, Partner at Grove Ventures; Ayal Itzkovich, Managing Partner at Pitango; Yuval Cohen, Founder and Managing Partner of StageOne Ventures; Netalie Nadivi, Partner at Triventures; Nofar Amikam, Partner at Glilot Capital Partners; and Rotem Eldar, Managing Partner at 10D.


Moving To Linux From Windows: Is Linux Hard To Use? – Fossbytes

The first time I heard about Linux was in 2017, when I was getting started with my college degree. I proceeded with my Computer Science major and stumbled upon Linux as a subject. I'd often hear my senior friends describe Linux as a hard-to-learn subject, and all the lecturers taught us was to learn the syllabus and spill it out on the examination sheet.

As the saying goes, not everything you hear is true. I had some enthusiasm for the subject, and I'm glad I dug in and explored this amazing gem of software.

Linux is often dismissed as a hard-to-use operating system, so people avoid it without even trying it. Most people want an operating system that works, and works very well, and Windows strikes a perfect balance between not being too complex and working well at the same time. But I bet many people are currently on the edge of their seats, trying to find one more reason to ignore Linux.

And to those people, I'd say you're missing out on a lot of quality software out there that will not fail to amaze you. Most users complain about the gaming scene on Linux; I've written a separate article on that topic, so check it out.

If you haven't got time to read that article: the gaming scene has improved drastically over the past few years. Games like GTA V, CS:GO and many others that don't come with anti-cheat mechanisms work better on Linux than on Windows.

Because Linux is one of the largest open-source operating systems, anyone can modify the source code, contribute to the project, or fork it (make their own copy) and create their own version of the OS. As a result, there are hundreds of variants, called Linux distributions. You always have the freedom to choose, or hop to, whatever distro you think suits you.

Not to mention, the OS is a boon for developers. The CLI and the package manager allow developers to get things done faster and more easily. Since it is built and maintained by developers, you don't miss out on any development tools. Installing apps on Linux, from the GUI store or the CLI, requires minimal effort.

One of my favorite parts of Linux is customization. Different desktop environments have different features and customizations to make the OS truly yours.

Also, the fact that you get to choose between different desktop environments for the same distribution is amazing. I'm a fan of almost all the desktop environments, as each has its own advantages and disadvantages.

You don't need to be a rocket scientist, nor do you need a Computer Science degree, to use Linux. All you need is a USB drive and a little curiosity to learn new things. It is not as hard to use as most people claim without even trying it. In fact, I'd say it has a shallow learning curve and is superior to Windows in terms of user-friendliness.

All I'd say to people starting their journey is: don't give up, and don't hesitate to ask if you get stuck. There are millions of people working on the project who can help you learn. Also, Google is your best friend.

That said, some distributions require you to be well versed in Linux. As you climb the ladder by using easier distros first, you'll eventually get to the pro level if you have even a tiny bit of enthusiasm in you.

I bet you've heard a lot about the security features of Linux. While it is more secure than Windows, the fact is that no OS is 100% attack-proof. Because so many people contribute to the project, there are always people fixing things in the kernel, even as you read this article, keeping the OS secure.

Your data is always safe on Linux and will not be sent to anyone, anywhere.

While 4GB of RAM is recommended for running Windows 10, lightweight distros like Linux Lite don't consume more than 1GB of RAM. Other, heavier distros don't need more than 2GB of RAM.

As the OS is less power hungry, you can add new life to old computers that you thought were nothing less than junk.

Beginners often have trouble deciding where to start, as there are tonnes of distros out there. I'd suggest starting with an Ubuntu-based distribution like Linux Mint or Pop!_OS, or Ubuntu itself. Check out my review of Pop!_OS 20.04 (spoiler: it's the best Ubuntu-based Linux distro that I've ever tried).

Remember, the key to learning Linux is to use it as much as you can. Getting familiar with the CLI may feel like a horrendous task, but once you master it, the sky's the limit. Don't be shy about asking for help.

If you aspire to pursue a career in Linux development, make sure to check out this free-to-read book.

With developers, big firms, and us users putting a lot of effort into making the Linux operating system better, the future of Linux looks bright.


Top Open Source Predictions to Watch Out for in 2021 – Analytics Insight

Open source software is growing exponentially these days. It gives users the autonomy to develop and modify their work in unique ways, and to integrate the work into a larger project or derive a new work from the original. As it is a type of licensing agreement, organizations like the Apache Software Foundation have supported open source software development, which has led to new applications and online services. Open source licenses are increasingly being leveraged in the software industry. Thanks to its enhanced capabilities, professionals integrate this software across robotics, biotech, and electronics, among other fields.

Since organizations, large and small, embrace it, the future of open source will continue to grow.

Analytics Insight has collected here the top open source predictions for 2021.

Kubernetes is an open source container orchestration platform. It allows users to deploy cloud-native applications anywhere and manage them effectively everywhere. Kubernetes handles the work of scheduling containers onto a compute cluster and manages the workloads to ensure they run as the user intended. IDC predicts that for open source, the growth of Kubernetes operators to integrate and manage tasks will be essential. These developments will be indispensable, as will the availability of new application drivers that make adoption easier.

The use of open source software will witness an incredible surge credited to its control, training, security, and stability capabilities. By using open source, people will have more control over their software. It can help people willing to take a closer look at open source software to become better programmers. As open source code is publicly accessible, students, as well as tech enthusiasts, can easily study it as they learn to make better software.

Open source projects rely significantly on a collaborative approach. These projects are developed in diverse and geographically dispersed communities that have their own rules, conventions, tools, and processes. As many companies see open source as critical to their business growth, their role in open source community development will become more visible in the future. IDC noted that companies that support open source should look at how to bolster such projects and make them more widely available. This can have a considerable impact on how projects get adopted and supported over time.

In the field of data science, open source software is ubiquitous, effectively enabling the work of nearly every data scientist. Open source projects permeate all levels of the data science world. R and Python, the most popular general-purpose data science programming languages, are themselves open source. With the myriad of open source projects available in the software world today, most of them never make it onto enterprises' collective radar. However, Hadoop is an exception of pachydermic proportions, powering big data applications at large companies like Yahoo, Facebook, and others.

Linux is an open-source Unix-like operating system based on the Linux kernel. It has long been a long way from the desktop operating system mainstream, but Linux has gradually improved its market share in the last few years. Linux is typically packaged in a Linux distribution, which includes the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project.


Open Mobility Foundation launched to help create new open data standards for the kerb – SmartCitiesWorld

Coord is among those developing kerbside management solutions

The city-led open-source organisation the Open Mobility Foundation (OMF) has announced the formation of its first Kerb Management Working Group, to accelerate kerbside innovation and help cities better manage their streets.

In the wake of the coronavirus pandemic, there has been a surge in food and e-commerce deliveries and the need for outdoor space to accommodate dining, socially distanced travel, as well as other activities. These phenomena have come together to place unique demands on urban kerb space, and kerb demand is at an all-time high, OMF reports.

Across the US, cities have stepped up to manage public spaces and meet the evolving needs of residents. And, while many have made progress in digitising their kerb and other physical assets, technology and data offer new tools to proactively manage kerbs and sidewalks, and in doing so deliver more public value from this scarce resource.

According to OMF, where signs and paint and the right-of-way communicate city regulations, a digital index or map can provide a digital mechanism for communicating regulations for kerb use to fleet operators, delivery services, and navigation apps.

Digitising the kerb opens the door for more dynamic regulations and new approaches to kerb-usage fees that could enable more goal-driven management strategies, the organisation said.


Comprising a pool of mobility experts including Waymo, Ford AV and Coord, the Kerb Management Working Group will share data and common data specifications that aim to act as starting points for city and private-sector leaders and members of the public embarking on an open, participatory standards creation process.

Writing in a blog post about the launch of the working group, Jacob Baskin, CTO and co-founder of kerb management company Coord, emphasised the multiple layers of kerb data cities need: from assets (physical things in the world such as signs, hydrants, bike racks, kerb cuts) to regulations (what you can do on a given kerb at a given time) to occupancy (how the kerb is actually being used).

"This data will only get more important for cities to collect and understand as they look to kerbs to meet communities' changing needs, from growing delivery, ride-hail and shared micromobility activity, to sustainable transit such as buses and bikes, to recreation and commercial activity," he said.

"We are confident that this initiative will accelerate cities' efforts to align kerb space regulations with community priorities and to more dynamically manage access to their kerb space."

Standardised application programming interfaces (APIs) can enable new approaches to kerb management, such as:

The Kerb Management Working Group plans to move forward in two major phases: discovery and implementation. During the discovery phase, the working group will review kerb management priorities and assess the potential for partnership with other organisations and related projects. Coord and the SharedStreets KerbLR project have agreed to present their work for discussion.


During the implementation phase, the working group will apply the OMF's open-source development model to bring together public and private sector organisations to create and release data specifications for kerb management.

The group will be managed and directed by a steering committee made up of OMF member organisations, including: the Los Angeles Department of Transportation; City of Minneapolis; San Diego Association of Governments; San Francisco MTA; City of San Jose; Seattle Department of Transportation as well as several private sector members of the OMF including Automotus, Coord, Ford AV, and Waymo.


Hands on with the new Raspberry Pi OS release: Here’s what you need to know – ZDNet

A new release of the Raspberry Pi OS arrived last week. As usual, the release announcement gives a general overview of the most important additions and improvements, and the release notes contain a lot more detail. In addition to the usual accumulation of updates since the previous release (August 2020), there has been some significant new hardware such as the Raspberry Pi 400 and the Raspberry Pi 4 Case Fan, which needed new support in the operating system: it was getting to the point where building a new Raspberry Pi SD card required more time on updates than it did for actually downloading the OS image and copying it to the card.


You can update an existing system to the new level with just a few package management commands:

After these commands, reboot the system.

Creating a new SD card requires a bit more effort, and a bit of thought about the content and size of the three different versions of Raspberry Pi OS currently available. The new images are available from the Raspberry Pi Downloads page, of course. As has always been the case, all of the images are compatible with all of the different Raspberry Pi systems, from the original Model A and Model B through to the latest Pi 400 keyboard, and including all of the Pi Zero variants.

If you are old and stubborn, as I am, and you have a Linux system with an SD card slot, you can download the image and then copy it to an SD card, using the pipeline I have given in several previous posts:

Be sure to very carefully replace "sdX" with the device name of the SD card on your system. The alternative is to use the Raspberry Pi Imager utility, which is available for Linux, Windows and macOS; it performs the steps I just described, with a GUI, and saves you the trouble (and danger) of figuring out the SD device name. I have installed it on a Debian 10 system, and the window is shown at the right. I ran into a bit of a problem while installing it; the web page says that to install on Raspberry Pi OS you type sudo apt install rpi-imager, but on the Debian system that just kept telling me that it couldn't find the rpi-imager package. I finally had to explicitly tell it to look in the package I had downloaded, with the command:

That makes sense to me, but maybe if you were actually running it on a Raspberry Pi, the simpler command would work. But then, if you are running on a Raspberry Pi that is booted from the SD card, what are you going to use for a destination SD card? Maybe you would have a USB SD card reader? Beats me, but anyway, that's why I didn't try it on a Pi.
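The "very carefully replace sdX" warning above is the kind of thing a script can enforce before dd ever runs. The following is an added example, not the author's pipeline from earlier posts and not part of the Raspberry Pi tooling: it refuses to write to the disk holding the root filesystem or to any disk with a mounted partition. It assumes a Linux host with util-linux findmnt, GNU dd, unzip and xz.

```shell
#!/bin/sh
# Added example (not the author's pipeline): guard a raw image write to an SD card.
# The decision logic takes its inputs as arguments so it can be tested without
# touching real devices; write_image gathers the live values and calls it.

# target_is_safe DEV ROOT_DEV MOUNTS
#   DEV      whole-disk device to write, e.g. /dev/sdb
#   ROOT_DEV device holding "/", e.g. /dev/sda2 (from: findmnt -no SOURCE /)
#   MOUNTS   text in /proc/mounts format
# Returns 0 when DEV is an acceptable target, 1 otherwise (reason on stderr).
target_is_safe() {
    dev=$1
    root_dev=$2
    mounts=$3

    # Only accept whole-disk names; a partition (sdb1, mmcblk0p1) is never the
    # right target for a full image, and a typo like "sd" or "sdb1" is rejected here.
    case "$dev" in
        /dev/sd[a-z]|/dev/mmcblk[0-9]|/dev/nvme[0-9]n[0-9]) ;;
        *) echo "refusing: $dev is not a whole-disk device name" >&2; return 1 ;;
    esac

    # Refuse the disk that contains the running system. Caveat: if / sits on
    # LVM or LUKS the source is a /dev/mapper name and this check cannot see
    # through it, so it is a guard, not a substitute for reading lsblk first.
    case "$root_dev" in
        "$dev"|"$dev"[p0-9]*)
            echo "refusing: $dev holds the root filesystem" >&2; return 1 ;;
    esac

    # Refuse a disk any of whose partitions is mounted (e.g. a desktop that
    # auto-mounted the card's boot partition). Writing under a mounted
    # filesystem corrupts both the write and whatever the kernel has cached.
    if printf '%s\n' "$mounts" | grep -q "^$dev[p0-9]* "; then
        echo "refusing: a partition of $dev is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# image_stream IMAGE: emit raw image bytes whatever the download was packaged as.
image_stream() {
    case "$1" in
        *.zip) unzip -p "$1" ;;
        *.xz)  xz -dc "$1" ;;
        *)     cat "$1" ;;
    esac
}

# write_image IMAGE DEV: run the guard against the live system, then copy.
write_image() {
    image=$1
    dev=$2
    root_dev=$(findmnt -no SOURCE /)
    if ! target_is_safe "$dev" "$root_dev" "$(cat /proc/mounts)"; then
        return 1
    fi
    # conv=fsync makes dd flush before exiting, so "done" means "on the card".
    image_stream "$image" | dd of="$dev" bs=4M conv=fsync status=progress
    sync
}

# Usage: ./write-sd.sh raspios-image.zip /dev/sdX  (runs only with two arguments)
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2"
fi
```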

The Choose OS button drops down a list of everything it knows how to install, including all three versions of the Raspberry Pi OS plus Ubuntu, LibreElec and RetroPie. The Choose SD Card button looks for a writeable SD card to use for the destination; remember, if your computer has an SD card slot, but there is no card inserted, you won't get anything here. Once you have made a choice on both buttons, you can click Write and the utility will download the file and write it to the SD card, without you having to worry about Linux utility program names, pipes, command line options or anything else. That sounds great, but personally I'm just a bit too old and set in my ways, thanks.

Anyway, when you boot a freshly prepared SD card, it will automatically extend the root filesystem to fill the free space on the card, and then reboot and start the Raspberry Pi installation wizard (aka piwiz). This will walk you through a few steps for the initial configuration of the Raspberry Pi operating system. There's nothing magic in this script (even if it is a wizard); it just keeps you from having to go through several steps in different places the first time you boot. It configures the locale, display overscan and wireless network, and downloads and installs all outstanding updates.


One warning about this: for some reason, on a few of the systems I have installed over the past few days, when the first-run setup wizard starts it starts talking to you, saying something like, "To install the orca screen reader press control-alt-space". It doesn't happen very often, and it seems to be timing-related somehow, so it is more prone to happen on older/slower models. The first time it happened I just about jumped out of my chair in surprise. I looked everywhere for a button or option to shut it up, to no avail. I finally figured out that all I needed to do was hit Next on the introduction screen. A bit more information on the screen at this point would be very useful...

Oh, one other minor irritant. After finishing the first-run wizard and rebooting, my systems didn't have the right keyboard layout defined. That might be because I am doing an English installation with a Swiss German keyboard, but anyway, if you are using a non-US ASCII keyboard, you should check this after rebooting, and go back to the Raspberry Pi Configuration utility to set it correctly if necessary.

So all of this will get you to the point where you have either an upgraded or freshly installed system. As I mentioned at the beginning, the release notes give a good list of the changes in this release. One of the big ones is improvement in Chromium integration with the Raspberry Pi OS. I used Chromium pretty extensively while I was monitoring the CPU temperature with the new Raspberry Pi 4 Case Fan, so I can say that in my opinion they really have made a noticeable improvement in this. It is faster than in previous releases, and it plays streaming audio and video noticeably better. There are a number of other changes and improvements mentioned which I haven't tried yet, or simply don't use. The other thing I was interested in was the additions made to support new hardware.

I mentioned a week or so ago in my post about the Raspberry Pi 400 that there is only one LED on the keyboard, and it is used as a simple "power" indicator rather than a "disk activity" indicator, which I think would be much more useful. It turns out that they have added a selection for this in the Raspberry Pi Configuration utility. I hadn't even thought about the fact that the Pi Zero also has only one LED until I read the change note on this; the control applies to those models as well. I know this seems like a very small change, but it is one of my favorites in this release; I really wanted that LED on the Pi 400 to tell me whether the system was still actually doing something rather than just powered on.

Also related to my recent post on the Pi 4 Case Fan, the Pi Configuration utility includes controls for the fan operation; you can select which GPIO pin the control wire is connected to, and the temperature at which the fan should turn on (and off). This is one small difference that I noticed between the case fan and the fan SHIM: the controls for the shim allow you to set some hysteresis in the temperature, meaning that you can specify that it comes on and goes back off at different temperatures. This can help avoid having the fan constantly switching on and off in some cases; for example, I usually have the shim fan set to come on at 70 degrees and go off at 65.

That's about all I have to say about this new release. I have upgraded a couple of running systems to it without trouble, and I have installed it from scratch on at least one of every model (except the original Model A; if anyone has one of these and would like to sell it, let me know), all with no trouble.


OneSpin Contributes to the OpenHW Ecosystem to Achieve Processor Integrity for the CORE-V CVE4 Open-Source RISC-V Cores – Business Wire

MUNICH--(BUSINESS WIRE)--OneSpin Solutions, provider of certified IC integrity verification solutions for building functionally correct, safe, secure and trusted integrated circuits, announced that its 360 Design Verification (DV) solutions contributed to the speedy, successful, and bug-free delivery of the OpenHW CV32E40P RISC-V core. The OpenHW Verification Task Group, recognizing that simulation would not be enough, collaborated with OneSpin to develop a verification plan that included formal methods to verify the family of CORE-V open-source RISC-V cores. These processors are intended to be integrated into high-volume, commercial chip projects that will require strict integrity criteria to be met with respect to functional correctness, safety, trust and security.

"Working within the OpenHW Group ecosystem to verify the CORE-V family of RISC-V processors is an opportunity to demonstrate the power of our technology," said Raik Brinkmann, President and CEO of OneSpin. "As these cores get released into the community, users can have confidence that they will be functionally correct, safe, trusted and secure. Of course, designs integrating any IP should still go through rigorous verification, but using these exhaustively verified cores will help to reduce that overall effort."

RISC-V Opportunities and Verification Challenges

RISC-V offers the design community customization and flexibility but creates new challenges beyond the traditional SoC design verification flow. Processor verification is a new requirement that adopters of RISC-V will need to undertake. However, processor cores are difficult to verify. Complex microarchitectures for achieving power, performance, and area targets, combined with a vast number of instruction combinations, caches, interrupts, exceptions, and a myriad of custom extensions, all need to be fully verified. Further complicating verification is ensuring that the core is correct with respect to the instruction set architecture (ISA), as well as making sure that the RTL matches the ISA.

The traditional simulation approach requires months of testbench set-up, weeks of simulation runtime, and days of debugging a single problem. Even after simulation is implemented, critical corner-case bugs can be missed, and designs are left with incomplete functional coverage. Simulation is also unable to prove the absence of hidden instructions. Any user optimization or addition of custom instructions requires complete re-verification.

OneSpin Work on CORE-V

"OneSpin's unique technology was an ideal contribution to the OpenHW Verification Task Group, helping to identify bugs that simulation alone would have missed," commented Rick O'Connor, President and CEO of OpenHW Group. "Their solution allowed the task group to achieve the coverage necessary to reach the Functional RTL Freeze signoff goals, both in terms of speed and quality."

OneSpin's solutions augment the SystemVerilog/UVM-based CORE-V Verification Test Bench simulation effort, producing a robust verification environment that overcomes RISC-V verification challenges and resulted in zero bug escapes. Once the testbench was implemented, runtime was completed in a matter of days and debugging was finished in just minutes. Exhaustive and complete verification was achieved in a very short period of time. The use of the OneSpin Processor Integrity solution led to the detection of many critical bugs, including eight related to regular and exception instructions as well as other aspects of the privileged specification. Simulation alone would have taken weeks and missed these important bugs.

Integrators of CORE-V may access a packaged processor integrity verification solution to verify custom instructions and code optimizations.

Silicon Labs, an integral member of the OpenHW Group helping to lead the verification task group, witnessed first-hand OneSpin's involvement in the verification effort. "The CV32E40P core is the first open-source core for high-volume chips verified with the state-of-the-art process required for high-integrity, commercial SoCs. OneSpin is a key contributor. The OneSpin RISC-V integrity formal verification solution has systematically detected corner-case bugs in the exception logic and pipeline. These issues would only be triggered under rare conditions in the instruction sequence, memory stalls, and Control and Status Register programming. Constrained-random simulation tests to find these issues would require large investments in development and simulation time," stated Steve Richmond, verification manager at Silicon Labs and co-chair of the OpenHW Verification Task Group.

"The pinpointing of the issues' root cause was impressive and a massive time-saver in debug time. The solution also showed almost zero noise in detecting real RTL bugs, as opposed to other approaches where the issues reported often lead to fixes in the verification environment," added Arjan Bink, principal architect at Silicon Labs and chair of the OpenHW Cores Task Group.

Customizing and Integrating the CV32E40P Core

Although the OpenHW CV32E40P core is fully verified, there are still some verification challenges when integrating the core or when it is customized. Formal verification of the core should be done if any tailored updates to the core's functionality are made. This step will ensure that the changes do not introduce new bugs that adversely affect how the core operates. When the core is integrated into the design, verification of the complete design should be done to assure the integrity of the design.

To learn more about how OneSpin collaborated within the OpenHW Group ecosystem to verify the CORE-V CV32E40P processor, be sure to visit the OpenHW Pavilion at the RISC-V Virtual Summit, December 8-10, 2020. Sign up to attend the conference session conducted by OpenHW, Silicon Labs, and OneSpin titled "CORE-V-VERIF, an Industrial-Grade Verification Platform for RISC-V cores."

About OpenHW and Core-V

The charter of the OpenHW Group is to serve developers of processor cores and hardware and software engineers who design SoCs with greater awareness, understanding and availability of open-source processor implementations for use in high-volume production. OpenHW provides an infrastructure for hosting high-quality open-source HW developments in line with industry best practices. The cores task group within the organization has the mandate to develop a feature and functionality roadmap and the open-source IP for the cores within the OpenHW Group, such as the CORE-V family of open-source RISC-V processors.

The organization's Verification Task Group has the mandate to develop best-in-class verification test bench environments for the cores and IP blocks designed within the OpenHW Group. Originally known as the PULP RI5CY core, the CORE-V CV32E40P is a 32-bit, 4-stage core that implements RV32IMFCXpulp and has an optional 32-bit FPU supporting the F extension, plus instruction set extensions for DSP operations, including hardware loops, SIMD extensions, bit manipulation and post-increment instructions.

About OneSpin Solutions

OneSpin Solutions is a leading provider of certified IC integrity verification solutions for building functionally correct, safe, secure and trusted integrated circuits. These solutions are based on OneSpin's widely used formal verification technology and assure the integrity of SoCs, ASICs and FPGAs. Headquartered in Munich, Germany, OneSpin partners with leaders worldwide in automotive and industrial applications; defense; avionics; artificial intelligence and machine learning; consumer electronics; and communications. Its advanced solutions are well-suited for developing heterogeneous computing platforms, using programmable logic, and designing and integrating processor cores, such as RISC-V. OneSpin's customer-oriented commitment is fundamental to its growth and success. OneSpin: Assuring IC Integrity. Visit http://www.OneSpin.com to learn more.

OneSpin, OneSpin Solutions and the OneSpin logo are trademarks of OneSpin Solutions GmbH. All other trademarks are the property of their respective owners.



Report: Guardsquare Reveals Security and Privacy Risks Persist in Global COVID-19 Contact Tracing Apps – Business Wire

LEUVEN, Belgium--(BUSINESS WIRE)--Guardsquare, the mobile application security platform, today announced the release of the company's second Global Contact Tracing App Analysis, which reassesses the levels of security protections and privacy risks of COVID-19 contact tracing apps. The report found that of the 95 mobile apps analyzed, 60% use the official application programming interface (API) for secure exposure notifications. For the remaining 40% of the contact tracing apps, the majority of which gather GPS location data, security is paramount yet lags.

"It is always important to follow security best practices during the development of any application which handles sensitive user data, and that is even more true when that app is a vital tool in the worldwide fight against the pandemic. Contact tracing apps gathering user location data and personally identifiable information are especially attractive targets for exploitation, further reinforcing the need for developers to implement essential security protections," said Grant Goodes, Chief Scientist at Guardsquare.

Contact tracing apps have been commissioned and distributed by governments around the world to track and notify individuals of exposure to COVID-19 so they can take appropriate action in order to prevent the spread of the virus. Guardsquare first analyzed government-sponsored COVID-19 contact tracing Android mobile apps in June 2020, uncovering that the vast majority lacked even basic security protections. For this report, Guardsquare reanalyzed the original Android apps (with the exception of those no longer in use), added new apps that have since emerged, and included iOS mobile apps to derive insights into the two market-leading mobile operating systems.

In the updated analysis, Guardsquare found use of the Exposure Notification API developed by Apple and Google to be much more prevalent than in the June report. Notably, of the apps Guardsquare analyzed, 62% of the Android apps and 58% of the iOS apps are using the API. However, contact tracing apps not using the Exposure Notification API have applied either a minimal level of fundamental security protection techniques or no security protection techniques.

The research reveals that although progress has been made, security and privacy issues among contact tracing apps persist. In particular, the analysis found that apps using GPS, Bluetooth, or a combination of the two, to collect sensitive data are operating in a manner endangering the security and privacy of users.

Key Findings of COVID-19 Contact Tracing Apps (Exposure Notification API Not Used):

According to Guardsquare's assessment, the apps based on the Exposure Notification API have minimal security concerns. Alternate routes to detecting exposure via proximity to infected individuals, employing GPS, building custom Bluetooth proximity detection, or both, raise significant security and privacy concerns. Unprotected mobile applications that gather GPS data and require sensitive identity credentials risk exploitation and potentially flagrant violations of user data privacy.

"Apps, especially applications downloaded by users on mobile devices requiring personal or location data, should always incorporate proper security protections and code hardening techniques to ensure that the privacy of the data they are collecting is sufficiently protected," Goodes said. "To successfully combat the spread of COVID-19, contact tracing app security should be at the forefront for developers, public health authorities, and governments."

Methodology:

In this report, Guardsquare analyzed 52 Android apps and 43 iOS apps based on six key features to determine which security protections apps are applying, or lacking, to safeguard code and user data. Researchers conducted analysis on contact tracing apps on Android and iOS mobile app platforms worldwide and across 13 U.S. states and two U.S. territories.

For further information about mobile application protection and to download the contact tracing report, please visit: https://insights.guardsquare.com/mobile-application-contract-tracing-report

About Guardsquare

Guardsquare is the global leader in mobile application protection. More than 650 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. With the addition of ThreatCast, its mobile application security console, Guardsquare offers the most complete mobile security solution on the market today. Guardsquare is based in Leuven, Belgium with a US office in Boston, MA.

Read more from the original source:
Report: Guardsquare Reveals Security and Privacy Risks Persist in Global COVID-19 Contact Tracing Apps - Business Wire

Open source developers say securing their code is a soul-withering waste of time – TechRepublic

A survey of nearly 1,200 FOSS contributors found security to be low on developers' list of priorities.

One respondent called security "an insufferably boring procedural hindrance."


A new survey of the free and open source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than three percent of their time on security issues and have little desire to increase this.

A report based on the answers of nearly 1,200 FOSS contributors carried out by the Linux Foundation and Laboratory for Innovation Science at Harvard (LISH) highlighted a "clear need" for developers to dedicate more time to the security of FOSS projects as businesses and economies become increasingly reliant on open-source software.

The survey, which included questions designed to help researchers understand how contributors allocate their time to FOSS, revealed that respondents spent an average of just 2.27% of their total contribution time on responding to security issues.

Moreover, responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they "find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks," while another said: "I find security an insufferably boring procedural hindrance."

The researchers concluded that a new approach to the security and auditing of FOSS would be needed to improve security practices, while limiting the burden on contributors.

Some of the most requested tools from contributors were bug and security fixes, free security audits, and simplified ways to add security-related tools to their continuous integration (CI) pipelines.

"There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors," read the report.

"Developers generally do not want to become security auditors; they want to receive the results of audits."


Other proposed solutions by the researchers included encouraging organizations to redirect efforts into identifying and addressing security issues in projects themselves. Alternatively, developers "could rewrite portions or entire components of FOSS projects that are prone to vulnerabilities," as opposed to trying to mend existing code.

The researchers continued: "One way to improve a rewrite's security is to switch from memory-unsafe languages (such as C or C++) into memory-safe languages (such as nearly all other languages)."

"This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees."

Gender diversity, or rather the lack of it, was another key finding of the report.

Of the 1,196 survey respondents, 91% reported being male and between 25 and 44 years old. The researchers noted that the findings "emphasizes the continuing concerns about a lack of female representation in FOSS communities," and pointed out that the lack of female representation in the report suggested that the results were "biased towards male contributors' FOSS activities and are not fully representative of female contributions to FOSS."

Most of the respondents to the survey were from North America or Europe, with the majority in full-time employment. Nearly half (48.7%) said they were paid by their employer for time spent on open source contributions, while 44.02% said they were not paid for any other reason.


Interestingly, the results indicated that the COVID-19 pandemic had had little impact on contributors' working status, with very few respondents reporting being out of the workforce. Again, the researchers noted that due to the lack of female representation in the survey, "these findings may not reflect the experiences of women who contribute to FOSS, particularly those impacted by increased family responsibilities during the pandemic."

While the overwhelming majority of respondents (74.8%) were employed full-time and more than half (51.6%) were specifically paid to develop FOSS, money scored very low in developers' motivations for contributing to open-source projects, as did a desire for recognition amongst peers.

Instead, developers said they were purely interested in finding features, fixes and solutions for the open-source projects they were working on. Other top motivations were enjoyment and a desire to contribute back to the FOSS projects that they used.

"The modern economy, both digital and physical, is increasingly reliant on free and open source software," said Frank Nagle, assistant professor at Harvard Business School.

"Understanding FOSS contributor motivations and behavior is a key piece of ensuring the future security and sustainability of this critical infrastructure."


View original post here:

Open source developers say securing their code is a soul-withering waste of time - TechRepublic

Open source: Almost one in five bugs are planted for malicious purposes – ZDNet

Microsoft-owned GitHub, the world's largest platform for open-source software, has found that 17% of all vulnerabilities in software were planted for malicious purposes.

GitHub reported that almost a fifth of all software bugs were intentionally placed in code by malicious actors in its 2020 Octoverse report, released yesterday.

Proprietary software makers over the years have been regularly criticized for 'security through obscurity' or not making source code available for review by experts outside the company. Open source, on the other hand, is seen as a more transparent manner of development because, in theory, it can be vetted by anyone.


But the reality is that it's often not vetted due to a lack of funding and human resource constraints.

A good example of the potential impact of bugs in open source is Heartbleed, the bug in OpenSSL that a Google researcher revealed in 2014, which put a spotlight on how poorly funded many open-source software projects are.

Affecting a core piece of internet infrastructure, Heartbleed prompted Amazon, IBM, Intel, Microsoft, Cisco and VMware to pour cash into The Linux Foundation to form the Core Infrastructure Initiative (CII).

For the past few years, GitHub has been investing heavily in tools to help open-source projects remediate security flaws via its Dependency Graph, a feature that works with its Security Alerts feature.

The security alerts service scans software dependencies (software libraries) used in open-source projects and automatically alerts project owners if it detects known vulnerabilities. The service supports projects written in Java, JavaScript, .NET, Python, Ruby and PHP.
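To make the mechanism the article describes concrete, here is an added example, not GitHub's code and not its Dependency Graph: a minimal known-vulnerability check that walks a project's pinned dependencies, consults an advisory list scoped to the project's ecosystem, and emits one alert per affected package. The advisory identifiers, package names and version ranges are constructed for illustration and are not real advisories; version handling is a simplified semver (pre-release suffixes are dropped).

```python
"""Added example (not GitHub's code): a minimal known-vulnerability check over a
project's declared dependencies, in the spirit of the alerting service the
article describes. The advisory ids, package names and version ranges below
are constructed for illustration and are not real advisories."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.2.3' (or 'v1.2', '2.0.0-rc1') into a comparable tuple.
    Pre-release and build suffixes are dropped; short versions are zero-padded."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, constructed for the example
    ecosystem: str     # 'npm', 'pip', ...
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first patched version (exclusive)
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed advisory database (hypothetical packages and ranges).
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-2020-0001", "npm", "example-pad", "1.0.0", "1.3.0", "moderate"),
    Advisory("EXAMPLE-2020-0002", "npm", "example-http", "2.0.0", "2.8.1", "high"),
    Advisory("EXAMPLE-2020-0003", "pip", "example-yaml", "0.0.0", "5.4.0", "high"),
]


def scan_dependencies(ecosystem: str, pinned: Dict[str, str],
                      advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Return one alert per (package, advisory) whose pinned version is in the
    affected range. Only advisories for the manifest's ecosystem are consulted,
    so a same-named package in another ecosystem does not produce a false alert."""
    alerts = []
    for name, version in pinned.items():
        for adv in advisories:
            if adv.ecosystem != ecosystem or adv.package != name:
                continue
            if adv.affects(version):
                alerts.append({
                    "package": name,
                    "installed": version,
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                    "fixed_in": adv.fixed,
                })
    # Most severe first, then by package name, so a CI job can fail on the top entry.
    rank = {"critical": 0, "high": 1, "moderate": 2, "low": 3}
    return sorted(alerts, key=lambda a: (rank.get(a["severity"], 9), a["package"]))


# Constructed lockfile excerpts standing in for package-lock.json / requirements.txt.
NPM_PINNED = {"example-pad": "1.2.5", "example-http": "2.8.1", "example-yaml": "3.1.0"}
PIP_PINNED = {"example-yaml": "5.3.1"}

if __name__ == "__main__":
    for eco, pinned in (("npm", NPM_PINNED), ("pip", PIP_PINNED)):
        for alert in scan_dependencies(eco, pinned):
            print(f"[{alert['severity']}] {eco}/{alert['package']} {alert['installed']} "
                  f"-> {alert['advisory']} (fixed in {alert['fixed_in']})")
```

Note the two boundary cases the sample manifest exercises: `example-http` pinned at exactly the fixed version produces no alert, because the fixed version is exclusive, and `example-yaml` in the npm manifest is ignored even though a pip advisory with that name exists, because advisories are matched per ecosystem.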

GitHub's 2020 Octoverse report found that open-source dependencies were used most frequently in JavaScript (94%), Ruby (90%), and .NET (90%) projects.

While almost a fifth of vulnerabilities in open-source software were intentionally planted backdoors, GitHub highlights that most vulnerabilities were just plain old errors.

"These malicious vulnerabilities were generally in seldom-used packages, but triggered just 0.2% of alerts. While malicious attacks are more likely to get attention in security circles, most vulnerabilities are caused by mistakes," GitHub notes.

As ZDNet's Charlie Osborne reported, vulnerabilities in open-source projects remain undetected for four years on average before they're revealed to the public. Then it takes about a month to issue a patch, according to GitHub. In other words, there's still room for improvement despite GitHub's efforts to automate bug fixing in open-source projects.

GitHub notes in its report that "the vast majority" of the intentional backdoors come from the npm ecosystem. ZDNet's Catalin Cimpanu reported this week that the npm security team had to remove a malicious JavaScript library from the npm website that contained malware for opening backdoors on programmers' computers. Using this venue to distribute malware to developers makes sense given that JavaScript is the most popular programming language on GitHub.


GitHub notes that only 0.2% of its security alerts were related to explicitly malicious activity.

"A big part of the challenge of maintaining trust in open source is assuring downstream consumers of code integrity and continuity in an ecosystem where volunteer commit access is the norm," GitHub explains.

"This requires better understanding of a project's contribution graph, consistent peer review, commit and release signing, and enforced account security through multi-factor authentication (MFA)."
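The "code integrity" side of the quote above, as an added example rather than GitHub's or any project's release tooling: verifying downloaded release artifacts against a published SHA256SUMS-style manifest. The artifacts and manifest are constructed in memory; the digest used for the good artifact is the well-known SHA-256 of the string `abc`. In a real pipeline the manifest itself is covered by the maintainer's detached signature (the "release signing" the quote refers to), which this block does not replicate; it checks only the hash side and reports mismatched, missing and unlisted files separately, since each calls for a different response.

```python
"""Added example (not GitHub's or any project's release tooling): check
downloaded artifacts against a SHA256SUMS-style manifest. The manifest and
artifact bytes are constructed for the example."""
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(manifest: str) -> Dict[str, str]:
    """Parse lines of the form '<hex digest>  <filename>' (sha256sum output).
    A '*' before the filename marks binary mode and is ignored."""
    expected: Dict[str, str] = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition("  ")
        filename = filename.strip().lstrip("*")
        if len(digest) != 64 or not filename:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[filename] = digest.lower()
    return expected


def verify_release(manifest: str, artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare every downloaded artifact with the manifest.
    'ok'       - digest matches
    'mismatch' - digest differs (corrupted or tampered download)
    'missing'  - listed in the manifest but not downloaded
    'unlisted' - downloaded but not in the manifest (never trusted)"""
    expected = parse_sums(manifest)
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        if name not in artifacts:
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["unlisted"] = sorted(set(artifacts) - set(expected))
    return report


def release_is_trusted(report: Dict[str, List[str]]) -> bool:
    """Only an exact, complete match is acceptable for installation."""
    return bool(report["ok"]) and not (report["mismatch"] or report["missing"] or report["unlisted"])


# Constructed manifest: the digest is SHA-256("abc"), a well-known test vector.
MANIFEST = """# example-tool 1.0.0 release checksums (constructed)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-tool-1.0.0.tar.gz
"""

# Constructed downloads: one genuine, one altered, one that the manifest never listed.
GOOD_DOWNLOAD = {"example-tool-1.0.0.tar.gz": b"abc"}
TAMPERED_DOWNLOAD = {"example-tool-1.0.0.tar.gz": b"abd"}
EXTRA_DOWNLOAD = {"example-tool-1.0.0.tar.gz": b"abc", "example-tool-helper.sh": b"echo hi"}

if __name__ == "__main__":
    for label, files in (("good", GOOD_DOWNLOAD), ("tampered", TAMPERED_DOWNLOAD),
                         ("extra file", EXTRA_DOWNLOAD)):
        r = verify_release(MANIFEST, files)
        print(f"{label}: trusted={release_is_trusted(r)} {r}")
```

`hmac.compare_digest` is used for the digest comparison out of habit rather than necessity here (the digests are public), but it keeps the same helper safe to reuse where a comparison against a secret is involved.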

GitHub notes that flaws can include 'backdoors', which are software vulnerabilities that are intentionally planted in software to facilitate exploitation, and 'bugdoors', which are a specific type of backdoor that disguise themselves as conveniently exploitable yet hard-to-spot bugs, as opposed to introducing explicitly malicious behavior.

The most blatant indicator of a backdoor is an attacker gaining commit access to a package's source-code repository, usually via an account hijack, such as 2018's ESLint attack, which used a compromised package to steal a user's credentials for the npm package registry, GitHub said.

The last line of defense against these backdoor attempts is careful peer review in the development pipeline, especially of changes from new committers. Many mature projects have this careful peer review in place. Attackers are aware of that, so they often attempt to subvert the software outside of version control at its distribution points or by tricking people into grabbing malicious versions of the code through, for example, typosquatting a package name.
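The typosquatting case mentioned above is one that a registry or an organisation can screen for mechanically before a package is ever installed. The following is an added example, not GitHub's or npm's tooling: it normalises a requested package name (case, separators, scope prefix) and flags it when it is within one edit, including an adjacent-character swap, of a well-known name without being that name. The list of popular names is a constructed subset; a real deployment would draw it from registry download statistics or an internal approved-dependency list, and the output is a review signal rather than an automatic block, since a distance-1 neighbour can also be a legitimate unrelated package.

```python
"""Added example (not GitHub's or npm's tooling): flag package names that are
near-misses of popular ones, the typosquatting pattern described in the
article. POPULAR is a constructed subset used for illustration."""
from typing import List, Set, Tuple

# Constructed allow-list of well-known names; a real check would use registry
# download statistics or an organisation's approved-dependency list.
POPULAR: Set[str] = {"lodash", "express", "react", "request", "chalk",
                     "commander", "moment", "debug"}


def normalize(name: str) -> str:
    """Lower-case, strip a scope prefix ('@org/'), and drop separators, so
    'Lo_Dash', 'lo-dash' and 'lo.dash' all compare as 'lodash'."""
    bare = name.rsplit("/", 1)[-1].lower()
    return "".join(ch for ch in bare if ch not in "-_.")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1. Adjacent swaps ('lodahs') are a
    common typing slip that plain Levenshtein distance would count as 2."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def typosquat_candidates(name: str, popular: Set[str] = POPULAR,
                         max_distance: int = 1) -> List[Tuple[str, int]]:
    """Return (popular_name, distance) pairs the requested name is suspiciously
    close to, nearest first. The popular package itself returns nothing; a name
    that only *normalises* to a popular one (e.g. 'lo-dash') is reported at
    distance 0, since it is a different registry entry that reads the same."""
    if name.lower() in popular:
        return []
    norm = normalize(name)
    hits = [(p, osa_distance(norm, normalize(p))) for p in popular]
    return sorted([(p, dist) for p, dist in hits if dist <= max_distance],
                  key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    # Constructed names as they might appear in an install manifest under review.
    for candidate in ["lodash", "lodahs", "lo-dash", "expres", "@acme/typescript"]:
        print(candidate, "->", typosquat_candidates(candidate) or "ok")
```

The distance threshold is deliberately tight; raising it catches more variants but quickly starts flagging ordinary short names, so in practice the threshold is usually scaled with name length and combined with other signals such as package age and maintainer history.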

See more here:

Open source: Almost one in five bugs are planted for malicious purposes - ZDNet

For the love of open source: Why developers work on Linux and open-source software – ZDNet

The myth of the open-source developer is that they're unemployed young men coding away in basements. The truth is different. The Linux Foundation's Open Source Security Foundation (OSSF) and the Laboratory for Innovation Science at Harvard (LISH) new survey, Report on the 2020 FOSS Contributor Survey, found a significant number of women developers, with the plurality of programmers in their 30s, and the majority are working full-time jobs with an annual average pay rate of $123,000.

Of those surveyed, over half reported they receive payment for free and open-source software (FOSS) contributions -- from either their employer or a third party. More than half of those surveyed, 51.65%, are specifically paid to develop open-source programs.

That said, while open-source jobs are in high demand and the pay is great, it's not money that brings programmers to open-source. Indeed, even those people paid for working on a FOSS project also contributed to other open-source programs without being compensated.

The survey of almost 1,200 developers found the top reason was adding a needed feature or fix to a program they already use. Or, as Eric S. Raymond put it in his seminal open-source work, The Cathedral and the Bazaar, "Every good work of software starts by scratching a developer's personal itch."

The other top two reasons were the enjoyment of learning and fulfilling a need for creative or enjoyable work. At the bottom? Getting paid.

It's not that programmers dislike making money from their open-source work. Far from it! But money alone isn't that important to them. This can be seen by their answer to another question, which showed that no matter "how many hours they spent on FOSS during paid work time, nearly all respondents also spend some of their free time working on FOSS."

That said, one vital area of software development is being neglected: Security.

On average, programmers use just 2.27% of their total contribution time on security. Worse still, there's little desire to spend more time and work on security.

David A. Wheeler, The Linux Foundation's director of open-source supply chain security, said: "It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors."

The solution, the report authors suggest, is to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.

Specifically, they suggest:

The survey also found that companies are continuing to do better about supporting their people working on open-source projects. Today, over 45.45% of respondents are free to contribute to open-source programs without asking permission, compared to 35.84% 10 years ago. However, 17.48% of respondents say their companies have unclear policies on whether they can contribute and 5.59% were unaware of what policies -- if any -- their employer had.

The Linux Foundation plans on refreshing The FOSS Contributor Report and Survey. If you're an open-source developer and you'd like to participate, please sign up here.

View post:

For the love of open source: Why developers work on Linux and open-source software - ZDNet