Cisco: there’s a bad bug in open source software that a Netflix engineer abandoned in 2016 – CSO Australia

Cisco has disclosed a bug in Exhibitor, a popular open source package for the Apache Zookeeper server for distributed applications in the cloud.

Exhibitor is an open source program developed by Netflix to help deal with ephemeral cloud instances within Zookeeper, which wasn't built to handle cases where hosts don't know the hostnames of other hosts within an ensemble of container engines.

As Google Cloud explains, Exhibitor is a supervisor process that coordinates the configuration and execution of Zookeeper processes across many hosts, which gives Zookeeper users backup and restore capabilities and provides a GUI for Zookeeper nodes among other things.

About three months ago Cisco researchers discovered a fairly serious security issue in Exhibitor's web UI component, which lacks any form of authentication, leaving it exposed to an exploitable command injection vulnerability.

Cisco disclosed details about the flaw because its report was not addressed within its 90-day disclosure policy.

The bug appears not to have been addressed because the former Netflix platform engineer who created Exhibitor, Jordan Zimmerman, abandoned the software in September 2016. Back in 2012, Zimmerman had been explaining to distributed-systems developers what Exhibitor was.

Exactly how widely the software is still used isn't known, but Zimmerman guessed that Exhibitor would just die if there was no interest among developers in maintaining it after he stopped working on it.

Google posted the blog "Taming the herd: using Zookeeper and Exhibitor on Google Container Engine" a few months before Zimmerman announced he would no longer maintain the software.

"The other major issue is that prior to version 1.7.0, the Exhibitor supervisor did not have any way to specify which interfaces to listen on," according to Cisco.


"Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper," explains Cisco Talos Intelligence researcher Jon Munshaw.

The command injection flaw is present in the Config editor of the Exhibitor Web UI, versions 1.0.9 to 1.7.1, according to Munshaw.

Given the slim chances of a fix being created, anyone still using Exhibitor should probably remove the software as soon as possible.


JDA Software: Extending their SDLC to remediate open source issues – Security Boulevard

Smart organizations in the business of building software need to use a mix of application testing tools to ensure their code is high-quality and secure.

With over $1 billion in annual revenue, JDA Software has been the world's leading supply chain provider for the past 30 years. JDA enables companies to improve their ability to plan, execute, and deliver by better predicting and shaping demand, fulfilling more intelligently and quickly, and improving customer experiences and loyalty. More than 4,000 global customers use JDA's unmatched end-to-end solutions portfolio to shorten their supply chains, increase speed of execution, and profitably deliver to their customers.

As with many organizations in the business of building software, JDA's portfolio of 100+ applications contains a mix of custom-built codebases, commercial, and open source components.

"Our open source management prior to Black Duck was done primarily through spreadsheets, developer honesty, and with our providing basic guidance on using permissive rather than viral licenses," says John Vrankovich, principal architect at JDA.

"We have over a hundred products, with each of those having hundreds to thousands of different open source components. We recognized that we needed a solution to ensure we were tracking and managing open source and commercial components as part of our overall software security initiative."

All software development teams need a complete and balanced software development program to ensure their applications stay healthy. Every application testing tool has advantages and disadvantages, and no single solution should be expected to find and fix all code issues. Smart organizations in the business of building software like JDA Software know they need to use a mix of application testing tools to help them ensure the code they produce is high-quality and secure.

Static analysis security testing (SAST) tools such as Coverity are critical for uncovering and eliminating issues in proprietary software early in the SDLC by scanning an application's code for flaws while that code is still in a nonrunning (i.e., static) state. However, SAST tools aren't effective in finding open source software vulnerabilities (CVEs) in code, or in identifying open source license types or versions.

Given that open source is an essential component of application development today, adding an effective software composition analysis (SCA) tool to application testing should be as imperative to every software development team as SAST is.

JDA first implemented Black Duck Code Center in 2015. Code Center provides JDA with software component selection, approval, and tracking of open source and other third-party software components.

"All of our core products are using Code Center," says Meghan Caudill, project manager for third-party product compliance at JDA. "About three years ago, we began to use Black Duck SCA when building the CI/CD process for our JDA Luminate product line, newly developed, SaaS-native products. Our goal is full migration to Black Duck SCA by the beginning of 2020."

Synopsys Black Duck SCA is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers, enabling organizations to control open source usage across the software supply chain and throughout the application life cycle. Black Duck enables JDA to set and enforce open source use and security policies, automate policy enforcement with DevOps integrations, and prioritize and track remediation activities.

"With the Black Duck tools, we were able to write an open source compliance strategy that addressed our requirements and priorities," says John Vrankovich. "We're now able to ensure that none of our products are released with open source license risks, quality or security issues. Any issues we discover are tracked and remediated, all license obligations are being met, and only approved open source components are used in our products. We know what we're using, the licenses we're using, the versions we're using, and any security issues and component patch statuses."


Want to make the world a better place? Fund open source developers. – iTWire

Open-source software is used in some way by organisations worldwide - and not only commercial enterprise but healthcare, charities, roads, utilities, science and more. Incentivising those developers who give their time and work away directly leads to making the whole world better, says Devon Zuegel.

In particular, global open-source lifecycle platform, GitHub, announced today its GitHub Sponsors program - in beta since May - has been extended to support teams. This announcement is good news for project teams, but for this writer, the real story is the one behind the news.

How GitHub got to this point of facilitating Patreon-like sponsorship centres around a young lady, Devon Zuegel, who fiercely embodies the open-source spirit. Zuegel reflects a movement of intelligent and articulate professionals determined to bring about global good, who see the free and open asynchronous exchange of ideas as a key component. For these people, GitHub is the platform to enable this, almost incidentally a platform about software and software development.

It is Zuegel, Senior Product Manager at GitHub, and her team who put GitHub Sponsors together. Though, you may ask, why fund open-source software when people give it away for free, and other causes exist?

The answer, Zuegel says, is because "the whole world would be better if open-source could be funded."

Fast forward to today where open source software is in use among all organisations of any size, whether directly or indirectly as a component of commercial software or hardware.

Some open-source developers are funded because they are employed in an organisation actively contributing to projects. Obvious examples include Red Hat and Microsoft - itself a vast transformation from demonising open source to being a major player.

Yet, many are not funded. They perform their duties, giving to society, out of their own passion and belief system. Everyone needs to eat so, understandably, these pursuits can take second stage to real-world employment.

However, when it is said that open source software is in use among all organisations, this does not mean merely commercially-motivated technology enterprises. Charities, hospitals, power grids, research and scientific pursuits all depend on open source software too.

Zuegel has a background in Computer Science and economics, and a career in software engineering. However, she is also an activist with a deep passion for creating social good. Her work here brewed within her a strong belief that incentive design is the challenge behind the challenge.

To explain what this means, Zuegel provides an example from her work in San Francisco housing policy, striving towards affordable housing to alleviate homelessness as well as attract new people to the city. On one level everyone she spoke with agreed this is necessary. However, often the sentiment was accompanied with "but not in my neighbourhood" - the perennial NIMBY, or "not in my back yard", situation.

Or, she says, regarding climate change, "everyone agrees we don't want our planet to turn into a crisp but everyone is tempted to take a longer shower or use the air conditioner for longer. These actions are only a small drop in the bucket in isolation, but if we all put drops in, it fills and overflows."

The conflict, Zuegel sees, is one of misaligned incentives between individuals, or between global and local concerns. Thus, "incentive design is the most important problem to work on. Humans are good at overcoming obstacles when they have reason to do so. The world's problems tend to be ones of cooperation, not technological or scientific understanding," she says.

Through Zuegel's work with San Francisco housing policy, she came to know Nat Friedman who was himself engaged in this area, and when Friedman was appointed GitHub CEO she reached out to express her opinions on what GitHub could do to incentivise developers.

"I sent Nat an email with a lot of opinions: you should do this and that. He said, 'OK, how about you come and do it with us,'" she said, leading to Zuegel herself making the move to GitHub as Senior Product Manager.

Zuegel put forth her incentive design philosophies. "Incentives unlock opportunity. Funding open source is a major incentive problem - the whole world would be better if we fund open source. It's behind the infrastructure we all depend on such as roads and bridges and the power grid," she said.

Thus GitHub Sponsors came to the platform in May, originally in beta across 30 countries, and now extending to more regions while also adding sponsorship support for teams.

In practice this means a person can decide they want to sponsor a project because they recognise the value it brings them - for example, Zuegel herself sponsors curl, the command-line tool to retrieve online data across various protocols, maintained for 22 years by Swedish developer Daniel Stenberg. curl has saved Zuegel plenty of time over the years, as well as countless developers with curl used across many projects.

Conversely, developers can add a 'support' button to their GitHub projects to encourage its users to consider converting their appreciation of the code into tangible financial support.

Like popular crowdfunding sites, GitHub Sponsors allows developers to list sponsorship tiers though unlike crowdfunding the end goal is not for the sponsor to receive a specific item, but purely to express their support and appreciation for the project, and to aid the developer in committing time to continue the project.

GitHub Sponsors pays sponsored developers directly into their local bank account and at this time GitHub is covering all transaction fees that apply. It is also matching sponsorships right now, meaning if you sponsor a developer for (say) $5 per month, the developer gets all of that $5, and in fact receives $10 because of the matching.

GitHub Sponsors is extending to other countries. "Expanding the opportunity, and access to opportunity, is crucial. We want people all around the world to access the tools," Zuegel said.

This sponsorship can be life-changing. "There is a Romanian developer being sponsored who is receiving what would be considered a good amount of money in the USA, but which is a really good amount of money for Romania. He can now do his open-source work full-time," Zuegel said.

For companies, this is highly practical. "There are a lot of great developers in Eastern Europe, China and other countries where money goes further. The sponsor gets more bang for their buck," she said.

The writer is attending GitHub Universe 2019 as a guest of the company.


NTT Electronics Contributes Goldstone – Open Source Network OS for Disaggregated Coherent Transponders to the Telecom Infra Project – Business Wire

YOKOHAMA, Japan--(BUSINESS WIRE)--NTT Electronics, a leading provider of advanced components for optical communications systems including coherent optics and digital signal processors (DSPs), contributes the Goldstone Network Operating Software (NOS *1) for disaggregated coherent transponders to the Telecom Infra Project's NOS Software Project hosted by the Open Optical and Packet Transport project group. Launched in February 2016, TIP was started with the goal of accelerating the pace of innovation in the telecom industry.

Goldstone utilizes many existing open source components which have been developed in the Open Compute Project (OCP *2) and the Telecom Infra Project (TIP *3), including Open Network Linux (ONL *4), SONiC *5, Switch Abstraction Interface (SAI *6) and Transponder Abstraction Interface (TAI *7), to provide a full-fledged open source solution. ONL is used as the base operating system and provides a wide range of open network device support. On top of ONL, Kubernetes *8 is employed to enable containerized application management, which realizes flexible and modular software composition. SONiC/SAI is deployed as a fleet of containers when the target hardware comprises an Ethernet switch ASIC, whereas TAI is used when the target hardware has coherent transponder components. Because of its modular architecture, Goldstone can be extended in the future to support networking devices which don't have an Ethernet ASIC but may include conventional transponders, ROADMs or amplifiers.

Goldstone was originally started as a prototype NOS for Edgecore's Cassini Platform on the proposal of NTT Electronics. This has led to a production deployment by mixi in Japan. More than five industry partners are using Goldstone for evaluation on the Cassini platform. It is also being incorporated in Wistron's Galileo platform.

The NOS is planned to be contributed to TIP Open Optical Packet Transport (OOPT *9) group as an open source project. Goldstone is planned to be part of a live running demonstration at the TIP Summit 2019.

Quote from mixi, Inc.

"As the first operator who deployed Goldstone in production, mixi welcomes the contribution of Goldstone by NTT Electronics to foster more collaboration among the open networking industry. Goldstone brought us huge flexibility and control over our DCI connectivity which is critical for our services." Tatsuma Murase, CTO, mixi, Inc.

Quote from Edgecore

"Edgecore is pleased to be working with NTT Electronics and the broader industry community to enable disaggregated solutions with open packet transponders that will provide broader optical technology choices for network operators." George Tchaparian, President and CEO, Edgecore Networks

Quote from Wistron

"Wistron is excited to have Goldstone in the open networking industry. Goldstone will accelerate the adoption of the open disaggregated networking model and we believe it will become a viable solution together with our latest Galileo platform." Arthur Chang, Sr. Technical Director, Wistron

*1 Network Operating System (NOS) : Operating system for a network device such as a router, switch or firewall.

*2 Open Compute Project (OCP) : The Open Compute Project (OCP) is a collaborative community focused on redesigning hardware technology to efficiently support the growing demands on compute infrastructure. In 2011, Facebook shared its designs with the public and launched the Open Compute Project and incorporated the Open Compute Project Foundation along with Intel, Rackspace, Goldman Sachs and Andy Bechtolsheim. (Reference: OCP web site: https://www.opencompute.org/)

*3 Telecom Infra Project (TIP) : The Telecom Infra Project (TIP) is a collaborative telecom community founded by Facebook and partners. Launched in February 2016, TIP was started with the goal of accelerating the pace of innovation in the telecom industry. TIP members include operators, suppliers, developers, integrators, startups, and other entities that have joined TIP to build new technologies and develop innovative approaches for deploying telecom network infrastructure. (Reference: TIP web site: https://telecominfraproject.com/)

*4 Open Network Linux (ONL) : Open Network Linux(ONL) is an open-source, foundational platform software layer for next-generation, modular NOS architecture on open networking hardware. ONL is a part of the Open Compute Project and is a component in a growing number of commercial NOS stacks and open source projects like CoRD & Stratum. (Reference: ONL web site : http://opennetlinux.org/)

*5 Software for Open Networking in the Cloud (SONiC) : Open source software developed by Microsoft and others. It dramatically enhances operations and management of network switches. (Reference: SONiC repository: http://azure.github.io/SONiC/)

*6 Switch Abstraction Interface (SAI) : The Switch Abstraction Interface (SAI) defines the API to provide a vendor-independent way of controlling forwarding elements, such as a switching ASIC, an NPU or a software switch in a uniform manner. (Reference: SAI repository: https://github.com/opencomputeproject/SAI)

*7 Transponder Abstraction Interface (TAI) : The Transponder Abstraction Interface (TAI) is the open API to provide a vendor-independent way of controlling coherent optical components. TAI has been developed under TIP OOPT group and NTT is leading the development. https://www.ntt.co.jp/news2018/1810e/181016c.html

*8 Kubernetes : Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services. Google open-sourced Kubernetes in 2014. (Reference: Kubernetes web site : https://kubernetes.io/)

*9 Open Optical Packet Transport (OOPT) : The Open Optical & Packet Transport project group will define Dense Wavelength Division Multiplexing (DWDM) open packet transport architecture that triggers new innovation and avoids implementation lock-ins. Open DWDM systems include open line system & control, transponder & network management and packet-switch and router technologies. (Reference: TIP web site: https://telecominfraproject.com/oopt/)

About NTT Electronics

NTT Electronics (NEL) has been developing and commercializing optical communications devices since 1995. It has a complete portfolio of optical and electronics products to cover the industry needs for 100G-and-beyond link systems, ROADM components and FTTH networks. For more information about NEL, visit https://www.ntt-electronics.com/en/.


Look east as the IT center of gravity shifts – Diginomica

Now that a little time has passed since the Huawei Connect conference was held in Shanghai, it seemed like a good time to look back on a couple of the underlying trends from the event. The jumping-off point for this is a round table Q&A with Guo Ping, one of the company's rotating chairmen.

Three main themes emerged that are crucial to a number of wider issues related to what CIOs need to be thinking about, particularly just how much of the three main prongs of Huawei's game plan they need to be considering. The chances are growing that they will soon need to address all three.

These are the need for a new computing platform, seen by the company as a prerequisite for addressing the other two, which are the coming of 5G communications and the combined issues and capabilities surrounding open source software. There is a fourth topic, of course, and that is the on-going geo-political and economic one. Until this year, it would be an obvious 'given' factor that the USA would still be the dominant player in the direction and development of technology, both hardware and software. Others, China particularly, might lead in the building of systems, but the technology they used would be, predominantly, of US design.

Suddenly that is no longer the case, and 5G, plus the devices that will exploit it, is the key driver. As Guo Ping pointed out, the number of countries developing local applications for 5G is growing, and countries like Japan, South Korea, France, Russia and of course China itself not only provide a substantial and already energetic 5G market, but that market is happening in both consumer and business/industrial sectors. Recent evidence now suggests that the UK will also be amongst those players.

The key thing here, of course, is that 5G is about much more than even smarter smart phones for trendy millennials and GenX-ers. Indeed, that market is likely to be pretty secondary. It is the many different business sectors that are going to drive the growth and development, and this is where CIOs need to be paying particular attention. With 5G communications providing the possibility of flexible, movable, and above all very fat pipes, working with data where it is most needed becomes not just possible but essential to business.

Data centers will dissolve and become virtualized across corporate networks, including public cloud operations, and the volume and quality of data will be such that existing systems and processor architectures are likely to be stretched to, and possibly beyond, breaking point. This is particularly the case when the rapid growth in new AI applications is thrown into the pot. Apart from anything else, these are best run on processors with a fundamentally different architecture from the venerable and rightly venerated general purpose x86 processor family. That, as Guo Ping made clear, is one of the key targets that Huawei has in its sights.

With a global marketplace he reckons is worth $2 trillion, he is understandably keen that as many customers as possible can get to build their computing capabilities on top of that primary connectivity business. To help that happen, Huawei is therefore being quite specific and controlled in choosing which elements it needs to provide and which to leave to the customers. For example, it intends to focus on the processor cards and associated components based on its Kunpeng and Ascend processors and help system providers develop services and solutions for its customers.

Guo Ping was particularly keen to point out that Huawei now sees an opportunity for these processors as alternatives to the established device families, not least because of the perceived weakness of the latter at running AI applications, particularly as they become more complex:

We aspire to provide a processor cards computing platform as an alternative for the world. I think this is an important solution that the businesses from the UK and other countries can look to as they seek business continuity and a plan B for heterogeneous computing. And before we officially put the computing platform on the market, we had already been using it on more than 100,000 of our servers within our company. So, it's already a mature technology.

One of the interesting undercurrents here is the company's commitment to open source software, both as a user and a contributor. Even when it does set out to develop significantly new lines of software, as it did earlier this year with the introduction of HarmonyOS, open source contributions from many others play an important part.

For example, though Huawei's primary contribution to 5G development is in the communications infrastructure, it is well aware that much of the reason for anyone using it will come from the applications that are developed as a consequence of its existence. Those applications will come from around the world, and some will certainly have global impact over time. Being as open as possible with the software infrastructure, therefore, gives those developers the best possible chance to flourish.

Guo turned to software history to make this point for him:

Essentially, open source is just one of the business models that leads to business success. A case in point is the competition between Apple II and IBM's PC. IBM chose the open-source model, which resulted in the wide-spread success of today's PCs. In its competition with iOS, Android also opted for an open-source model, which has allowed more vendors to come on-board. As a result, Android has captured nearly 85% of the market share.

The reason why we adopted an open-source approach for our computing platform is that we hope we can attract more vendors and users, and this way, they can benefit more and achieve business success as they deploy AI and computing platforms. Huawei is willing to make more contributions for this reason.

And of course the goal here is not just to create more opportunities to sell 5G switches, antenna and other infrastructure components. With its new ARM-based processor families and server systems that run on them, the company is now moving up the 5G applications food chain, particularly where Artificial Intelligence and Machine Learning applications are concerned. These are most certainly going to be based on open source contributions from around the world, and it is reasonable to guess that many of the developments and breakthroughs in these fields will come from non-western sources, including nations where China in general and Huawei in particular already have a strong foothold:

We have made our systems open source, because we believe open-source systems are the most competitive. I'm very pleased to see that many open-source organisations have moved their headquarters to permanently neutral states like Switzerland. I believe this is a trend that will spread to more open-source organisations, as they want their systems to be widely used by the world's seven billion people.

One of the inevitabilities with 'the natural order of things' is that the order always ends up getting disrupted. One of the key natural orders in the computer industry and wider IT domains has been that the key developments come out of Europe and the USA (with the latter being largely European by proxy). But over the last 10 years or so (much longer if one wants to include the development of the semiconductor technologies used to make the essential computer chips) the lead has changed hands. Many of the leading companies, though still based in the dominant IT marketplace of the USA, are the product of Indian, Korean and Chinese minds.

With Huawei being one of the dominant developers and providers of the infrastructure underpinning the next developments (5G, AI, ML and computing out to the edge), and Korean SK Telecom becoming a leader in 5G systems implementations, there are signs that the centre of gravity for computing and IT is moving eastwards.


How Let’s Encrypt doubled the internet’s percentage of secure websites in four years – University of Michigan News

A Q&A with J. Alex Halderman, who co-founded the nonprofit organization behind what's now the world's largest certificate authority

The percentage of websites protected with HTTPS secure encryption, indicated by the lock icon in the address bar of most browsers, has jumped from just over 40% in 2016 to 80% today.

That's largely due to the efforts of Let's Encrypt, a nonprofit certificate authority co-founded in 2013 by J. Alex Halderman, a University of Michigan professor of computer science and engineering.

By offering a free service, Let's Encrypt has turned the implementation of HTTPS from a costly, complicated process into an easy step that's within reach for all websites. The certificate authority is now the world's largest, providing more HTTPS certificates than all other certificate authorities combined.

Halderman and his collaborators at Let's Encrypt (the Electronic Frontier Foundation, Mozilla, Cisco and Stanford University) have published a paper detailing how the project came to fruition. They hope it serves as a model for streamlining other aspects of the internet infrastructure we all rely on every day.

What exactly is an HTTPS certificate authority?

Halderman: HTTPS is the protocol that web browsers use to talk to web servers over an encrypted connection. It provides confidentiality by preventing eavesdroppers from making sense of the data. It provides integrity by preventing malicious networks from changing the data. And it provides authentication by ensuring that you're talking to the server shown in the browser's address bar rather than an imposter. That last part is essential. If HTTPS didn't have authentication, an attacker could redirect the connection to a server they controlled and read or alter the data.

Authentication is also the tricky part, and that's where certificate authorities come in. They're a small group of organizations that web browsers trust to vouch for the identity of servers. To implement HTTPS, a website first has to prove to a certificate authority that it really is the server at a particular internet domain. Then the certificate authority issues the site a digitally signed certificate, which works like a driver's license to let browsers confirm its identity.

Why is encryption important on websites that don't handle sensitive information?

Halderman: When HTTPS was invented in the 1990s, it was intended mostly for credit card transactions and online banking. But since then, the internet has become a much more dangerous place. Edward Snowden showed us that governments were surveilling traffic on a global scale. We've also seen instances where governments and others have changed internet traffic to attack the user's computer, or to use their computer to attack third parties.

So today, encryption is important not just for financial transactions but for all online communications. That's why it's important to make it accessible to every website operator, and Let's Encrypt is doing just that. It has been particularly good at driving HTTPS adoption on smaller websites that don't have the resources to get a certificate through the traditional process.

Why has HTTPS been so difficult to implement?

Halderman: Traditionally, implementing HTTPS has required website operators to choose a certificate authority, prove their identity to them, pay as much as a few hundred dollars for a certificate, wait for it to arrive, then follow a complicated series of steps to install it. You have to repeat the process every year or two, and if you don't do it on time, your website might go down. So a lot of websites, particularly smaller ones, just left their sites unencrypted.

Let's Encrypt is a different kind of certificate authority that provides free certificates through an automated process that often only takes one click, and sometimes it's an automatic part of website setup. That has driven a huge increase in the number of secured sites.

How can Let's Encrypt provide certificates for free?

Halderman: First, Let's Encrypt is nonprofit and is funded mostly by donations from large tech companies. That's different from most certificate authorities. Secondly, and maybe counterintuitively, making certificates free dramatically reduces the cost of issuing them. Payment is a big source of friction that makes the process much harder to automate.

So once you remove that friction, certificates become much simpler to issue. Once we simplified the process, we were able to automate it by building a software system called the ACME protocol. ACME lowers the cost of each certificate Let's Encrypt issues to a fraction of a cent.

Why is your team's first paper about Let's Encrypt coming out four years after its launch?

Halderman: Because creating a new kind of certificate authority that gives out free certificates was a crazy idea. If we had written the paper before we built it, it wouldn't have gotten published. We had to prove that the economics would work, and there was no way to do that except to just build it.

Four years later, Let's Encrypt has been wildly successful. And I hope this paper, which looks back at how we built it and measures its impact on the web, can help spread some of the lessons we've learned to help other parts of the internet infrastructure work better.

What are some of those lessons and how can they help in other areas?

Halderman: Part of what makes Let's Encrypt work is that it's a neutral party operating in the public interest rather than a product of any one large tech company. That makes it something everyone can trust and that no one company has an overriding stake in.

There are other places where authentication and cooperation are necessary. For example, ISPs often work together on routing protocols that direct information around the internet. But that process itself is not encrypted and is subject to attack. That's a place where a model similar to Let's Encrypt could work well.

You mentioned that Let's Encrypt was a crazy idea in 2013. Today, it doesn't seem so crazy. How do you get from "crazy idea" to "why didn't I think of that?"

Halderman: By looking beyond the usual academic measures of success like number of papers or commercial startups. We can do that at Michigan because real-world impact is in the DNA of the College of Engineering. And to be honest, I don't think there are many other universities where this could have happened.

When we started this project, we knew that it wasn't going to become a traditional academic paper anytime soon. But people here saw that it was likely to be valuable to the world, and they supported the work, everyone from the colleagues who tenured me to the thesis committee for the PhD student who helped design ACME. That support was what enabled us to drive the project all the way to success.

The paper, "Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web," will be presented Nov. 14 at the ACM Conference on Computer and Communications Security in London.

Follow this link:
How Let's Encrypt doubled the internet's percentage of secure websites in four years - University of Michigan News

Why Protecting Whistleblowers is More Important Than Ever – Saint Xavier University Student Media

This week saw a shameful attempt by the Trump Administration to out the whistleblower who exposed the Trump/Ukraine story. Numerous right-wing media organizations and politicians sought to expose the person who brought this story to light, including the President himself.

This really should teach us why whistleblowers are so important to shining a light on corruption in the government. From the famous whistleblowers of the 1970s who exposed atrocities in Vietnam and the corruption of the Nixon Administration to more recent ones like Edward Snowden and Chelsea Manning, whistleblowers have played a key part in providing information to the citizens of America.

We have also seen time and time again that those in power will do anything they can to prevent whistleblowers from exposing their secrets. While others in these situations have stopped at just threatening legal action against whistleblowers, Trump has threatened to expose the whistleblower entirely.

I hope this causes the American people to look deeply and realize that we need to increase protections on whistleblowers, because without them, who knows what we would know about the government. Without whistleblowers, Richard Nixon's corrupt actions never would have been exposed and without Chelsea Manning and Edward Snowden, Americans would be in the dark about NSA surveillance.

Finally, to the people in the media who have worked to expose the current whistleblower, shame on you. This whistleblower is giving the American people information about a potential criminal act taking place in the White House and you are too busy focusing on defending the President to realize that.

It is even more shameful to see actual elected politicians trying to expose the whistleblower. These Congresspeople like Senator Rand Paul (R, KY) and Representative Jim Jordan (R, OH-04) should know better than to try to out a whistleblower.

To make this perfectly clear, no matter which side of the political aisle you are on, it is crucial that we protect whistleblowers.

Go here to read the rest:
Why Protecting Whistleblowers is More Important Than Ever - Saint Xavier University Student Media

The Real Mystery About Eric Ciaramella Is How He Got Rehired to the CIA – PJ Media

I was chatting with Terry, my writing partner, this morning. He was in the Intelligence Community for years, as was I; Terry on the analysis side, me in collection and later as a computer security researcher. Both of us had, at one time, an "Extended Background Investigation" clearance, the clearance you need for that stuff people like to say is "beyond top secret." (It's not, but that's another topic I explored in detail back when Edward Snowden turned.)

Now, Terry is a Democrat, pretty liberal, not at all impressed with Trump. But we were talking about Eric Ciaramella who was fired from the White House staff because he was leaking confidential information to the media. According to all the sources, he then returned to the CIA, where he currently works.

Which is, frankly, odd.

How, exactly, do you lose a job for security violations and return to the CIA? One would normally lose one's clearance, and even janitors and cafeteria workers at CIA are cleared.

Then there's LTC Alex Vindman, NSC staffer and active-duty Army officer. He has testified that he disobeyed orders, advised foreign governments to resist Trump, leaked internal information to others, and was actively working to subvert the president's foreign policy.

Now, Gods know I'm not a UCMJ lawyer, but if you look at the Uniform Code of Military Justice, that sounds like an Article 88 (Contempt to officials), Article 92 (Failure to obey order), and Article 133 (Conduct unbecoming an officer). There's an argument to be made for Article 94 (Mutiny) as well.

So this too is odd. Normally, under these circumstances, a serving officer would at least be relieved and very possibly confined awaiting court-martial.

The third thing that struck us both was the complaint that Trump's conversations with Zelensky were being stored on a classified server.

Now if you look at the Department of State's regulations, conversations between American officials and foreign heads of state are automatically classified CONFIDENTIAL and NOFORN.

You normally (at least if you're not Hillary or one of her minions) store classified information on classified servers. Even confidential. (This one hasn't been as exciting since it became clear the Obama administration was using the same server for the same stuff.) Some people want to argue that this shouldn't be classified, but they miss a couple of points: first of all, classification is another one of those Article II powers of the president (see Executive Order 13526). If he says it's classified, it's classified. The second is that the White House was concerned about stuff being leaked and warned Vindman explicitly about talking about it.

So why is it surprising that material is being stored on a classified server? Why the hell was it ever stored on anything BUT a classified server?

The point here is that all of these things would, in the normal course of events, be security violations punishable by everything from actually losing a job to extended terms in Kansas making small rocks.

Why was this not the normal course of events?

I'd really like someone in Congress to ask those questions.

Read more from the original source:
The Real Mystery About Eric Ciaramella Is How He Got Rehired to the CIA - PJ Media

Joseph Gordon-Levitt's 10 Best Movies (According To IMDb) – Screen Rant

Joseph Gordon-Levitt is a supremely talented actor, who knows how to immerse himself in every role he plays, regardless of the genre. While sometimes he's taken on the part of a rebellious NSA contractor, he's at other times performed as the son of a U.S. president, a struggling cancer patient, and a dreamy-eyed greeting card writer. Because of his versatility, we decided to look at all of the actor's best movies. Rather than picking our own favorites, however, we decided to turn to the stats on IMDb.

The popular entertainment website has assigned every one of Joseph Gordon-Levitt's films a star rating. This score is based on the votes of registered users on a scale of 1 to 10. We'll be using these to determine which films are better than the rest.

With that said, it's time to head to the movies. Here are Joseph Gordon-Levitt's best films, according to IMDb.

Inspired by real-life events, this 2016 thriller tells the story of a contractor who leaves his position at the National Security Agency and leaks classified information after he learns that the government is spying on non-threatening Americans. This controversial move has the man, Edward Snowden, earning praise from some and hate from others.

Gordon-Levitt plays the titular character while Shailene Woodley plays his love interest, Lindsay Mills. Documentarian Laura Poitras is played by Melissa Leo while Zachary Quinto takes on journalist Glenn Greenwald.

This 2012 historical drama film has President Abraham Lincoln working hard to bring an end to the Civil War, abolish slavery, and bring peace back to the U.S.

Though Daniel Day-Lewis plays the president, Joseph Gordon-Levitt plays his first son: Robert Todd Lincoln.

The film ended up on many critics' end-of-year top-10 lists and scored multiple Academy Awards and nominations.

This iconic '99 rom-com tells a modernized version of Shakespeare's The Taming of the Shrew. Rather than taking place in Padua in the 16th century, the plot is moved to an American high school in the '90s.

While Julia Stiles and Heath Ledger play the leading couple, Joseph Gordon-Levitt plays Cameron James, a new student at Padua High School who develops a huge crush on Bianca Stratford.

If "Where can I find teen nostalgia?" is the question, 10 Things I Hate About You is the answer.

Set in the future, this sci-fi film tells the story of a group of killers called "loopers" who eliminate people by sending them back in time. Joseph Gordon-Levitt plays a member of this group (Joe). The problem comes after he is exposed to the dark side of his job when his bosses send a future version of himself back to the past to be murdered.

Bruce Willis joined the cast as Old Joe while Emily Blunt played a farm woman named Sara, with whom Joe eventually gets intertwined.

This coming-of-age drama tells of two adults who deal with the aftermath of the sexual abuse they faced as kids on a basketball team. While one of these men becomes a male prostitute, the other starts to believe in a strange alien abduction fantasy.

Joseph Gordon-Levitt plays the first of these characters while Brady Corbet plays the latter of the two. Though the content is heavy, the story was well-received for being thought-provoking and even hopeful.

This comedy-drama tells the story of a public radio journalist who is diagnosed with a tumor, a schwannoma neurofibrosarcoma. This has him undergoing chemotherapy and attempting to beat the survival odds, which are 50/50.

While Joseph Gordon-Levitt plays the lead character, Adam Lerner, Seth Rogen plays his best friend. Bryce Dallas Howard stars in the movie as Adam's girlfriend, and Anna Kendrick plays the role of his charming, young therapist.

The film was well-loved for dealing with the heavy realities of cancer while sprinkling in a nice dose of good-hearted humor.

500 Days of Summer is a comedy-drama that tells the story of a failed relationship through a series of nonlinear flashbacks.

Joseph Gordon-Levitt plays the leading man, an architect who wastes his potential as a greeting card writer in L.A. Zooey Deschanel plays the girl he falls for, who is the office's newest assistant. Yes, she also shares his taste in music, and unluckily for him, she doesn't believe in love.

The film's high reviews and universal love have earned it a spot amongst the world's modern romantic classics.

This beautifully designed anime film had Joseph Gordon-Levitt once again teaming up with Emily Blunt.

Released in 2013 in Japan and re-recorded and released to American audiences in 2014, the film tells the story of Jiro Horikoshi, who is known for designing Japanese fighter aircraft.

Names including John Krasinski, Martin Short, and Stanley Tucci also show up on the cast list. Gordon-Levitt plays Horikoshi himself.

This 2012 DC Comics film has Batman jumping back into action after a cat burglar and terrorist threaten Gotham City with nuclear destruction.

Christian Bale reprised his role as Batman, Anne Hathaway plays Catwoman, and Tom Hardy plays the terroristic Bane. Joseph Gordon-Levitt shows up as John Blake, a police officer who helps out Batman and holds a lot more optimism than him. It is revealed that Gordon-Levitt's character is a reference to Batman's comic sidekick, Robin.

The Dark Knight Rises garnered many positive reviews from critics who found the film to be as thought-out and exciting as ever.

Dom Cobb is a thief, but not in the normal sense. Rather than stealing objects, he steals people's secrets by entering their dreams. Cobb's biggest mission yet comes when, rather than taking memories, he attempts to plant an idea inside of someone's mind.

While Leonardo DiCaprio takes on the starring role, Joseph Gordon-Levitt plays his cunning partner.

The film was deemed smart, exciting, and fully entrancing. It ended up on many critics' year-end top-10 lists and received a handful of Academy Awards.


The rest is here:
Joseph Gordon-Levitt's 10 Best Movies (According To IMDb) - Screen Rant

Precise Biometrics Looks to Boost Security with Cryptographic Hashing Tech – findBIOMETRICS

Precise Biometrics is looking to boost the security of its biometric algorithm solutions through a new partnership with Infinity Optics (or IO).

The latter specializes in cryptography, particularly what is called true biometric hash technology. This technology is designed to turn a given biometric profile into a scramble of data, or a hash, that can then be used in the biometric profile's place. This essentially means that an end user's biometrics are decoupled from the authentication token, even as the biometrics remain the basis for authentication.

No biometric template needs to be stored, which means there is no template to be hacked; and a given hash can easily be revoked if need be, and replaced by an alternate hash.

"Biometrics and cryptography have for a long time been operating in separate fields," asserted Precise Biometrics CEO Stefan K. Persson in a statement announcing the IO partnership. "This, despite both being components that perform complementary functions used in secure identification. It is very exciting that we have initiated a collaboration with Infinity Optics; our goal is to be the first provider that combines the two fields successfully for fingerprint recognition."

That project will unfold through Precise Biometrics' newfound access to IO's QuantumCrypt Platform, which will allow the company to begin adapting IO's biometric hash technology to be compatible with its own fingerprint algorithm tech. The companies asserted that they anticipate moving forward with multiple pilot projects within a few months, after which they expect to proceed to a commercialization phase of their joint solution.

November 13, 2019 by Alex Perala

Read more:
Precise Biometrics Looks to Boost Security with Cryptographic Hashing Tech - findBIOMETRICS