Since the internet first arrived in the mid-90s, there have been lots of messaging apps. AOL, Yahoo, MSN, ICQ, and the various Google incarnations, to name just a few. Then things got ramped up a notch with Skype introducing VoIP (Voice over Internet Protocol), which finally allowed you to ditch landline phones for good and do your international calling for a fraction of the cost.

These days, you now have audio and video messaging apps such as Skype, Zoom, Signal, and Telegram. But as far as worldwide dominance goes, nothing is able to remotely touch the Facebook-owned WhatsApp. It has two billion active users worldwide, and one hundred million messages are sent every day. To put it into context, the population of the United States is 334 million, so youre talking about six United States populations actively using WhatsApp. So if youre not on it yet, youre late to the party.

Read also: WhatsApp not working? Here are ten easy fixes you can try

What is WhatsApp, and how does it work?

Who can use WhatsApp?

WhatsApp says you must be at least 13 years old to register for a WhatsApp account, and for some reason, you have to be at least 16 years old in the European Union. Anyone under those ages can have their accounts disabled if WhatsApp finds out about you.

Besides that, anyone can use WhatsApp, provided they adhere to the terms of service, and not use the platform for spam or criminal activities. However, some countries may block access either permanently or temporarily to WhatsApp for their citizens, such as China, North Korea, and Iran. This, of course, can change anytime, depending on the political situation in any given country. But saying that, you may be able to access WhatsApp in these countries via a VPN app.

As well as individuals, small businesses can also use a WhatsApp Business version, and larger companies can apply for the WhatsApp Business API. WhatsApp Business is a slightly modified version to allow companies to keep in touch with their customers on the platform and publish a catalog of their goods and services.

Who owns WhatsApp?

Of course, this meant that they were soon on Mark Zuckerbergs radar, and in 2014, Facebook bought WhatsApp for an eye-watering $19 billion. Despite Facebooks initial promises of WhatsApp remaining an independent company, it was gradually brought more and more into the Facebook ecosystem, and Acton and Koum subsequently left the company.

Is WhatsApp free?

Yes, WhatsApp is free to use, regardless of the platform. You will only encounter a cost if you decide to use the WhatsApp Business API. Connecting the API to your preferred business communication platform will incur costs. Other than that, WhatsApp is free of charge.

Why is WhatsApp so popular?

There are so many reasons why WhatsApp is popular, and if you asked users, they would likely tell you about their favorite feature. But what made WhatsApp the breakthrough app when it first started was that it pretty much killed regular SMS. Obviously, we still have SMS today, but its a radically much better version than it used to be.

Phone carriers used to look upon SMS as their milk cow, and some charged exorbitant rates for a single SMS message. Message characters were counted, sending photos cost more, and monthly SMS messages were strictly capped. Phone carriers did it because they knew they could. They knew there were no serious competitors to upset the apple cart.

But then WhatsApp came along, and suddenly you could send uncapped messages and multimedia for free, regardless of the length of the message. That was when the phone carriers realized the good old days were over. Now, phone companies are offering bundles of free SMS messages every month with customer tariffs.

What are the pros and cons of WhatsApp?

The pros and cons of WhatsApp are numerous, and well be covering a lot of the features here that make WhatsApp popular. But the main pro is that you are identified on WhatsApp by your phone number. This means that if you are in someones phone contact book, you are also in their WhatsApp contact list (assuming you all use WhatsApp). There are no usernames to remember, no profile URLs to click. If you know the phone number, you know how to get in touch.

The main downside is that it is a Facebook-owned company, and despite the platform being encrypted, there are still privacy concerns (see the next section for this.) The other con is that you cant use the same WhatsApp phone number on two or more phones. So if you have multiple devices and wish to use WhatsApp on each phone, you need to either get separate SIM cards or use a not-so-elegant workaround.

Is WhatsApp safe and private?

In these privacy-focused times, the main concern turns naturally to whether or not WhatsApp can be trusted with our chats and media attachments. Our own Calvin Wankhede has written a great guide on the end-to-end encryption installed on WhatsApp.

The main thing to remember at the end of the day is to exercise caution. Dont reveal sensitive information and media on WhatsApp. If you use it for general chatting, youll be fine.

The main feature of WhatsApp is obviously its messaging function. There are two features that may give users cause for concern on the privacy front. But both features can be switched off if you feel you dont need them.

The first is the checkmarks that get added to each message. One tick means the message has been sent, and two ticks mean the message has arrived with the recipient. Both of these are obviously harmless. But when the recipient reads the message, those two ticks turn blue. If you dont want anyone to know youre reading those messages, then those blue ticks are a dead giveaway.

The second is under the username, where your contacts can see the last time you logged onto WhatsApp. Again, this may be something you dont want anyone to know. But as we said, you can easily switch this off in the settings.

There is also a bookmarking system (of sorts), where you can save important messages for easy access later. Simply select the message and star it. You can then go to a separate area of WhatsApp to view your starred messages.

Finally, of course, you can clean up your messaging inbox by archiving old and unneeded messages. If you need any of them again in the future, they can be brought out of the archive and back into the inbox.

WhatsApp isnt only for one-to-one chats. You can also bring in up to 256 people to chat in one place as well. Setting up a WhatsApp group is as simple as choosing participants from your contact list, selecting a group name, and off you go.

Opening them up and closing them down is so easy and fast that you can effortlessly start one to organize spontaneous special events. Or if you want to say start up a community, you can publicize a joining URL that people can click to enter your group.

The third tier of the WhatsApp platform is video calls. If both you and the person you want to call are on WhatsApp, you can make free unlimited video calls to one another, regardless of country. You can even make group video calls. Although, if youre on a strictly capped internet data plan, you may want to toggle the WhatsApp setting that restricts how much data these calls use up.

Youd be mistaken if you thought that calling and texting are the only things WhatsApp has to offer. There are also other useful features you should use if you decide to jump on the WhatsApp bandwagon.

As we start to take more photos and video clips with our phones, being able to instantly transfer them to someone via WhatsApp becomes invaluable. Obviously, other platforms such as Skype were doing this first WhatsApp is hardly the trailblazer in this area. But as we move more towards talking to everyone we know on WhatsApp, being able to send and receive files from everyone on the same platform and then if necessary, forward those files on to other WhatsApp contacts becomes ever more convenient.

Some people might view disappearing messages as the answer to their privacy concerns. Send a message then watch it self-destruct in five seconds once its been read. But as we explained in our article on disappearing messages, it isnt a foolproof method of wiping messages. You should instead use it as a kind of auto-wiping feature to keep your inbox neat and tidy.

Voice messages are another useful feature, especially if youre rushing about and you dont have time to stop and type messages. Just start the recorder and let your voice do all the work. WhatsApp only holds onto the recordings until the recipient comes on to WhatsApp and listens to them or 30 days whichever comes first.

You can also download WhatsApp voice messages to your device or desktop computer as OGG audio files.

Even though many WhatsApp users may be focused on their privacy, there are still many extremely useful scenarios where sharing your location can be a lifesaver. You could be lost and need directions from a friend who lives locally? Or perhaps you want to track the current live location of your child? A couple of taps in WhatsApp, and your contact gets an updating map of which direction youre heading in.

Finally, who doesnt love being asked their opinion? If you want to question the hive mind and get a snapshot of which way the prevailing mood is blowing, then why not create a WhatsApp poll?

WhatsApp doesnt provide this officially, but third-party apps and platforms do. Eventually, WhatsApp will come up with something themselves.

How to backup and transfer WhatsApp

There are not a lot of customization options for WhatsApp. The only three are the background wallpaper, changing your status, and adding a profile picture.

By changing the wallpaper, you can either choose one of the preinstalled wallpapers in WhatsApp or upload an image from your Photos app.

Adding a profile image is the easiest way to personalize your account and give your contacts an easy way to pick you out of a crowded contact list.

Creating a status is very similar to Instagram Stories, although not as advanced. You can upload an image or video clip, add text, and have it next to your username for 24 hours.

WhatsApp is obviously not the only messaging app on the block. If for any reason WhatsApp doesnt appeal to you, consider using one of the following.

The free Signal app is highly regarded as the best secure messaging app currently in existence, having been endorsed by the likes of Edward Snowden. Its much more secure than WhatsApp because Signal holds no data on their users, so they have nothing to give to law enforcement if they come knocking with a warrant.

Another alternative is Telegram, although concerns have been raised in the past about how secure it is. User data such as IP addresses are logged, which might concern some if they live in an authoritarian country and dont wish to be tracked.

Can you make your own stickers on WhatsApp?

Can you make payments to your contacts on WhatsApp?

As of December 2021, WhatsApp is trialing a payment system called Novi to a limited number of its US users. It uses a new cryptocurrency called Pax Dollars, which are pegged to the actual value of real US dollars. Theres no word yet on when or if Novi will come to WhatsApp users in the rest of the world.

See original here:
What is WhatsApp? The ultimate starter's guide - Android Authority

SAN FRANCISCO--(BUSINESS WIRE)--Appsmith, the first open-source low code software helping developers to build internal tools, reported impressive progress in 2021. The company was founded in mid-2019 and its open source software has been downloaded more than 5 million times with more than 11,000 stars on GitHub (100% growth since September). That ranks third on this list of open source projects compiled by Runa Capital in terms of percentage increase in GitHub stars over the fourth quarter.

Highlights from 2021 include introducing more than 150 enhancements, including major features like JS Editor, Gitsync, and 30-plus new widgets and variations. In total, 184 features were released. A full list can be viewed here.

Appsmith now has more than 2,000 community members with 168 contributors -- 100 of those from outside the company.

Appsmith is the first open-source low code software that helps developers build custom (often critical yet tedious) internal and CRUD (create, read, update and delete) type applications quickly, usually within only hours.

Its so easy to build an app with Appsmith that it took just less than 10 minutes, says Jatin Sharma, operations engineer at Fyle, a financial technology firm, that has used Appsmith to increase its customer success department's productivity by 30%.

2021 was the year we grew our community and created a framework used by thousands of developers worldwide, said Abhishek Nayak, co-founder and CEO, Appsmith. With a much larger community, contributors, and core team, were excited for what lies ahead in 2022. Were doubling down on the commitment and enthusiasm of our amazing contributors from all over the world with new widgets, custom theming, enhanced mobile support, additional security features and much more.

A list of more than a dozen areas targeted for new features in 2022 can be viewed here.

Every enterprise needs to create custom applications -- a slow, repetitive, expensive process -- that requires work to build the user interface, write integrations, code the business logic, manage access controls and ultimately deploy the app. Appsmith is 10 times faster by enabling software engineers to build the user interface with pre-built components, code the business logic by connecting application programming interfaces (APIs) along with any database, then test and deploy a web application where users are authenticated using a dashboard.

To learn more, check out the Getting Started information.

About Appsmith

Appsmith was founded in 2019 with the mission to enable backend engineers to build internal web apps quickly with a low code approach. Taking an open source software approach provides anyone with access to the software and the opportunity to get involved in the community. The company has offices in San Francisco and Bengaluru, India. For more information visit https://www.appsmith.com

Continue reading here:

Popular Open Source Low Code Software Appsmith Delivered 184 New Features Last Year, Providing a Reliable and Mature Platform - Business Wire

ActiveState's Trusted Artifacts eliminate the risk of developers using insecure artifacts from open source repositories.

JFrog Artifactory is a popular language-agnostic repository that provides enterprise developers with a central location from which to retrieve the open source packages their software development projects require. Enterprises take two main approaches to populating JFrog Artifactory:

We also know from our Secure Supply Chain Survey that ~80% of organizations that build from source code struggle with creating reproducible builds, meaning the open source artifacts they create are insecure since there is no way to verify if the source code was compromised when the original build was produced.

The ActiveState Platform features a secure build service that delivers reproducible builds whose provenance can be verified by tracing each component back to its original source. Scripted builds from vetted source code occur inside of ephemeral, isolated and hermetically sealed (i.e., no internet access) containers purpose-built to perform a single function, reducing the potential for compromise. As a result, ActiveState can help enterprises ensure the security and integrity of their open source supply chain by populating their JFrog Artifactory with secure Java, JavaScript, .Net, Python, Ruby, PHP, and other open source language artifacts.

Loreli Cadapan, Vice President, Product Management, ActiveState, said: "Open source organizations are making great strides to improve the security of their public repositories, but the reality is that they are still the Wild West where anything goes. Our recent Supply Chain Security Survey results indicate that a worryingly high proportion of organizations continue to implicitly trust these open source repositories. Starting with our Artifactory offering, ActiveState is looking to help enterprises overcome these limitations in order to improve the security and integrity of their software development processes."

ActiveState Trusted Artifacts is now generally available. Talk to our product experts to understand how ActiveState can help you decrease the risk and overhead of managing open source language packages in Artifactory.

About ActiveState

ActiveState has a 20+ year history of providing secure, scalable open source language solutions to more than 2 million developers and 97% of Fortune 1,000 enterprises. Enterprises choose ActiveState to support mission-critical systems and speed up software development while enhancing the security and integrity of their open source supply chain. Visit http://www.activestate.com/for more information.

Related linksActiveState Blog: Introducing trusted open source artifact subscription for Artifactory usersSolution Sheet: Automate, secure, and streamline artifact maintenance in JFrog Artifactory

SOURCE ActiveState

Here is the original post:

ActiveState Trusted Artifacts Secures the Open Source Supply Chain - PRNewswire

Getting an Arm platform that works with mainline Linux may take several years as the work is often done by third parties, and the silicon vendor has its own Linux tree. That means in many cases, the software is ready when the platform is obsolete or soon will be. It would be nice to start software development before the hardware is ready. It may seem like a crazy idea, but thats what the team at Collabora has done to add support for Arm Valhall GPUs (Mali-G57, Mali-G78) to the Panfrost open-source GPU driver.

The result is that it only took the team a few days to successfully pass tests using data structures prepared by their Mesa driver and shaders compiled by their Valhall compiler after receiving the actual hardware thanks to the work done in the last six months. So how did they achieve this feat exactly?

We have to go back in time by a few months first. Last July, Collabora announced they had reverse-engineered Mali-G78 GPUs Valhall instruction set using a Samsung Galaxy S21 smartphone. Wait? Didnt I just say they work without Mali-G78 hardware? Correct, but they could not install mainline Linux and their GPU driver on the device as it was not rooted. They just used it to reverse-engineer the instructions and perform some testing by modifying compiled shaders and GPU data structures to experiment with individual bits. That step could have been avoided if Mali G78 documentation was available.

Alyssa Rosenzweig, a graphics software engineer for Collabora, continued her software development work, and in November 2021. she had written a Valhall compiler, and reverse-engineered enough to write a driver but still had no Linux hardware to test the code. So she wrote unit tests for everything from instruction packing to optimization and managed to solve a few bugs in the process simply using her development machine running Linux.

The next step was to use drm-shim library with fake GEM kernel drivers in userspace for CI (continuous integration) used in the Mesa project. A drm-shim driver makes the system think it features an actual GPU, but does nothing apart from receiving systems calls from userspace graphics drivers. This is not an emulator, and can not be used to test functionality, but it can help find flaws in the program flow. She was able to run a large number of tests on Apple M1 running Linux after fixing a bug (Hint: page size is 16K, instead of 4K) including compiling thousands of shaders per second with the Valhall compiler, and running Khronoss OpenGL ES Conformance Test Suite to identify any issues.

Collabora also attempted to identify differences between Valhall and earlier Arm Mali GPUs such as Bifrost, and reuse a large part of Panfrost driver code, and only change the part of the code where they detected differences. For instance, the Valhall instruction set is quite similar to the older Bifrost instruction set, so embedded the Valhall compiler as an additional backend in the existing Bifrost compiler. Alyssa explains:

Shared compiler passes like instruction selection and register allocation just work on Valhall, even though they were developed and debugged for Bifrost.

Earlier this month (January 2022), Collabora finally received a Chromebook with a MediaTek MT8192 (Kompanio 820) system-on-chip (with Mali-G57 MC5 GPU) and a serial cable, they managed to run mainline Linux on the board after fixing USB, although the display is not working yet. The GPU is automatically disabled in MT8192 apparently due to a silicon bug but can be enabled after disabling the Accelerator Coherency Port (ACP). As discussed above it then only took a few days to successfully pass hundreds of tests on the actual hardware thanks to their preparation work. Collabora now expects Panfrost to support Valhall GPU in time for end-users. You can read the full story on Collabora blog.

Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.

Here is the original post:

Speeding up open-source GPU driver development with unit tests, drm-shim, and code reuse - CNX Software

Security tool vendor Snyk recently added code scanning to its range of tools for DevSecOps practitioners.

Snyk (pronounced "sneak") was founded in 2015 by Guy Podjarny, and offered an open source dependency scanner so developers could easily see if there were any known vulnerabilities in the open source code they used in their software. Importantly, the scan is recursive, so it not only checks the libraries used by the developer, but the libraries used by those libraries, and so on.

Since then, Snyk Open Source has been joined by three other tools Snyk Container (to find and fix vulnerabilities in container images and Kubernetes applications), Snyk Infrastructure as Code (to find and fixe insecure configurations in Terraform and Kubernetes code), and recently Snyk Code (to find and fix vulnerabilities in the developer's own code).

All four run on a single platform, explained Snyk APJ head of solutions engineering Lawrence Crowther, so it is possible, for example, to apply global policies across the software development lifecycle.

{loadposition stephen08}

Furthermore, Snyk is developer focussed, he said, so the platform integrates with common developer tools IDE, source control, CI/CD, etc so "the tool does the heavy lifting for them" and the developer can then concentrate on fixing the problem rather than finding it.

"We started with the digital natives" because for them, DevSecOps is a natural extension of DevOps, but now the company is addressing the enterprise market including the financial services sector. Local Snyk customers include Afterpay and Australia Post.

"DevSecOps is a bit of a buzzword," Crowther admitted, but one of the company's goals is to bake security into DevOps so that in a few years the security part will be a first class citizen of every project.

But "you need to do DevOps right before you do DevSecOps," he warned.

The broad adoption of cloud has led to the adoption of different architectures (vs traditional monolithic applications), and this means the security of all the components must be properly addressed.

For example, it's easy to get started with Kubernetes, he said, but it has a range of security implications and so DevOps teams need to step back and think about issues such as ensuring only the correct ports are open, that files aren't inappropriately exposed, and that the exactly correct privileges are assigned.

There's a cultural issue here, Crowther suggests, because developers need to take ownership of security not only of the code they write, but right down to the infrastructure level.

One way this can be addressed is by moving security specialists into application security roles, but this means they will need to understand engineering practices, DevOps workflows, and so on. Consequently, there aren't many people who can be slotted immediately into such roles.

So organisations need to find ways to provide developers with security guidance (eg, "how to avoid SQL injection flaws) and should invest in reskilling, including giving developers sufficient time to learn and absorb this knowledge.

Australian organisations are behind the US, but ahead of most of the APAC region, said Crowther. However, they are generally not getting to grips with the proper checking of open source code.

A typical project now contains around 10% locally developed code, with the other 90% being open source, he said. But that 90% depends on other open source libraries, and if a project explicitly uses 10 libraries it could be implicitly using another 1000.

Without proper checking, you're "just trusting the internet," he said.

A further problem is that most tools for checking open source libraries only go one level down. In contrast, Snyk Open Source traverses the entire dependency tree according to Crowther.

Similarly, downloading a container image from Docker Hub is a risky business without due diligence. It might purport contain something simple such as a Linux distribution and Node, but have other libraries been planted in it, and are there any old libraries that should have been updated?

Lots of blind spots exist, he warned, so it is important to check all dependencies.

If you're not sure whether Snyk's products are right for you, or if you only work on a small project, the company offers a 'free forever' plan that has a monthly limit of 200 Open Source tests, 100 Container tests, 300 Infrastructure as Code tests, and 100 Code tests.

Otherwise, prices start at $115 a month for five developers using Snyk Open Source.

And if you have your eye on job opportunities, Crowther said Snyk will be hiring sales, solutions engineering and support staff in 2022, in part to staff a planned Canberra office that will augment the existing operations in Sydney and Melbourne.

Read more here:

The O-RAN Alliance announced the 5th release of its open source software - iTWire

The development and expansion of the EV charging software ecosystem is a critical component to the mainstream adoption of electric vehicles. However, the industry has become complex and fragmented, with multiple isolated solutions and inconsistent technology standards. This slows and threatens the adoption of EVs.

In response,PIONIXhas developed a project calledEVerest, an open-source software stack designed to establish a common base layer for a unified EV charging ecosystem.

EVerest has gained some serious cred in the developer world, with its biggest support LF Energy (the Linux open-source foundation for the power systems sector). I spoke to the projects brainchild, Dr. Marco Mller, managing director of PIONIX, to find out more.

The idea for EVerst came from Marco Mllers previous startup, German commercial drone software firm MAVinci(Intel acquired the company in 2016). Mller shared:

We saw over our10 years in the drone industry that open source software benefited from the power of so many developers, including those from universities,and their development speed finally outpaced even the largest players in the market.

After the initial founder teamleft Intel in 2020, theydid consulting work with charging manufacturers and found that many engineers were involved in me too projects, effectively replicating the same code, even though 99% of the code was already engineered.

Shared open source implementations are vital to mitigate the differences in charging standards globally fromCHAdeMo, commonly used by Japanese automakers, to ChinasChaoJi, andCCS, popular in Europe and the US.

Further, every car is slightly different, making it even more urgent to have an open-source solution for the chargers. An open tech stack means developers can focus on more exciting work and bring products to market faster.

Mller explained that the project had received interest from various players in the EV charging space, except for a few big proprietary players, noting:

Cloud operators were particularly keen on standardization. I was told that the market leader for charge point clouds has more than 200 different dialects implemented of the same protocol. This is because everyone is doing slightly different ChargePoint protocols.

The EVerest software platform runs on a lightweight Linux system inside the charging point. It manages communication around energy between different players:

EVerest digitally abstracts the complexity of multiple standards and use cases. This means it can run on any device, from AC home chargers to public DC charging stations. This helps facilitate new features for local energy management such as local energy management, PV integration, and initiatives like wind and solar-powered EV stations and bi-directional charging.

Theres been a lot of research about the challenges of securing EV chargers, especially preventing hackers from using them for over or undercharging, committing identity fraud, or damaging the grid.

Vulnerabilities in open-source libraries have increasingly become an attack vector. The insertion of malicious code being inserted into packagesin repositories (for example, npm and PyPI) is rising, and the recentLog4j zero-dayexploits demonstrate the challenge of code maintenance in open source projects.

However, having a project under the auspices of The Linux Foundation is an advantage. It especially helps lend credibility increases the number of people working on the code. Mller noted:

We follow the security standards as well as we can. We have quite an advanced team. They know what theyre doing. We try to do extra security layers. Open source still has the benefit that a lot of people are looking at it.

The project is also liaising with the hacker enthusiast community to participate in hackathons over the summer months hopefully. As Marco asserts, these people who break systems for fun. The team is also raising venture capital, which will go into developing and improving the open-source codebase.

In short, EVerest welcomes the global community to contribute to this project. Visit the project onGitHuband subscribe to the EVerestgeneral mailing list.

Read more:

Project EVerest is on a mission to standarize EV charging protocols - The Next Web

During the recentOcado Re:Imagined event, the companys founder and CEO, Tim Steiner, discussed how stealth disruptors were used to invent something he described as really radical. Really radical, in Ocados case, is embodied in its 600 series grocery fulfilment bot. The headline figure is that half of the parts it uses are 3D printed.

This is not about making 3D printed prototypes. It is about manufacturing production grade robots that are destined to be deployed in warehouses to fulfil customer grocery orders. Ocado has the ability to print bot parts on site, or at manufacturing sites equipped with 3D printers.

As Jame Donkin, the companys CTO, pointed out in Computer Weekly, it is very important to lower the level of specialist skills required in Ocado warehouses. This is why the company has tried to drive down maintenance costs of operating these bots.

Exploring the idea of stealth disruptors further, Computer Weekly recently spoke to Nicolas Forgues, former CTO at the supermarket chain, Carrefour. When the company found that the maintenance of one of the open source components it needed would become prohibitive, the company formed Tosit, the Open I Trust alliance, with several other French businesses including EDF and SNCF. Their objective was to maintain the open source code themselves. In doing so, alliance members have been able to free themselves from costly support and maintenance fees normally associated with open source software. Support is effectively at no cost. Instead, each organisation agrees to commit a certain number of people to work on the open source code.

On its own, supporting open source code in-house is not disruptive. Some may argue that it defies logic, since experts in the open source community are primed and ready to offer such services. But sometimes, as Forgues and members of Open I Trust, realised, the pricing of open source support contracts is not necessarily a good match for the business model of the customer. When the cost of support is growing faster than the business benefit derived from the open source software, then it is time to take a look at a different approach. By sharing best practises and contributing code and human resources, alliance members are able to maintain the open source code among themselves. This is stealth disruption.

What these examples with the CEO of Ocado and former CTO of Carrefour illustrate, is that stealth disruption is not about evolving an existing good idea. Its about difficult choices and taking the road less travelled.

View original post here:

The road less travelled paves the path to stealth disruption - ComputerWeekly.com

Chip designer Arm has released a prototype of its Morello development board for researchers at Google, Microsoft and industry to test its goal for a CPU design that wipes out a chunk of memory-related security flaws in code.

The Morello board is the product of a collaboration between Arm, Cambridge University, Microsoft and others based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture. Microsoft says the board and system on chip (SoC) is the first high-performance implementation of CHERI, which provides "fine-grained spatial memory safety at a hardware level". If it proves successful after testing with legacy software, it could pave the way for future CPU designs.

CHERI architectural extensions are designed to mitigate memory safety vulnerabilities. CHERI augments pointers the variables in computer code that reference where data is stored in memory with limits as to how those references can be used, the address ranges that they can use to access, and which functionality they can use. "Once baked into silicon, they cannot be forged in software," Arm explained. CHERI was developed by the University of Cambridge and SRI International after it received funding from DARPA's Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) program.

SEE: The IT skills gap is getting worse. Here are 10 ways you can avoid a crisis

The Morello architecture is based on CHERI. Arm kicked off work on hardware for the Morello program in 2019 with backing from the UK government's Digital Security by Design (DSbD) program and UK Research and Innovation (UKRI).

The Morello demonstrator board is a tweaked Arm Neoverse N1, a 2.5GHz quad-core server core CPU with support for Armv8.2a 64-bit architecture that has extra features to enable CHERI-based "compartmentalization" to counter exploits against memory-related security flaws.

"For any research project, this phase is both exciting and critical. There has never been a silicon implementation of this hardware capability technology in a high-performance CPU," said Arm.

The Morello board is a significant advancement for CHERI, which has been in development for over a decade. Saar Amar, of Microsoft's Security Research and Defense team, notes the top existing implementation of CHERI topped was Toooba, which while a "significant achievement" could only run in an FPGA at 50MHz in a dual-core configuration. It was "roughly equivalent in microarchitecture to a mid-'90s CPU" that wasn't good enough for testing complex software stacks at scale.

The CHERI and Morello architectures may be one way of tackling memory-related security flaws that stem from code written in programming languages like C and C++. Microsoft and Google say the majority of security bugs are memory safety issues and they're often due to coding issues written in these languages.

The volume of these bugs and patches they require has prompted major software firms like Microsoft, Google and Amazon to explore 'type safe' languages like Rust for systems programming. However, Rust is generally used to write new components because vast, existing code bases written in C or C++ are left in place, as Google is doing for Android's code base.

The Morello boards are being shared with researchers to test the hypothesis of CHERI's compartmentalization approach and whether it is a viable security architecture for businesses and consumers in the future.

As detailed in a paper about CHERI by Google researcher Ben Laurie and peers, various CHERI modes can be more effective and efficient than mitigations in conventional memory management unit (MMU) hardware, which are used to translate virtual memory addresses to physical addresses.

CHERI allows for software compartmentalization in a similar way to process isolation in software for today's operating systems, notes Laurie. It also includes an in-process memory safety mechanism that avoids the need to make major changes to source-code a potentially major benefit for existing code bases.

"Contemporary type-safe languages prevent big classes by construction, whereas CHERI memory protection prevents the exploitation of some of these bug classes," writes Microsoft's Armar.

"There are billions of lines of C and C++ code in widespread use, and CHERI's strong source-level compatibility provides a path to achieving the goals of high-performance memory safety without requiring a ground-up rewrite."

The rest is here:

Software is crammed full of bugs. This 'exciting' project could banish most of them - ZDNet

Elyra is a set of AI-centric extensions to JupyterLab Notebooks that includes features like an AI pipelines visual editor; the ability to run a notebook, Python, or R script as a batch job; reusable code snippets, and more.

To create pipelines using the Visual Pipeline Editor, users need to open the JupyterLab Launcher and select the desired pipeline editor type whether thats Generic, Kubeflow Pipelines, or Apache Airflow.

Then, they can expand the properties panel and define the pipeline properties and drag-and-drop components from the palette onto the canvas or double click on a palette entry.

Elyra can also act as an extension to the Jupyter Notebook UI to allow for execution of a notebook as a batch job in local or remote cloud environments. In order to use this AI pipelines-enabled feature, users will need either a Kubeflow Pipelines or Apache Airflow deployment through a runtime configuration.

Also, the open-source project leverages Jupyter Enterprise Gateway in order to be able to share resources across distributed clusters such as Apache Spark, Kubernetes, OpenShift, and more.

Additional features of Elyra include hybrid runtime support, Python and R script editors with local/remote execution capabilities, and Python script navigation using an auto-generated Table of Contents.

Additional details on Elyra are available here.

Go here to read the rest:

SD Times Open-Source Project of the Week: Elyra - SDTimes.com

A decade ago, everyone was talking about moving applications to the cloud, meaning uprooting something running on a private server and taking it to a cloud provider. The original models of cloud computing -- IaaS, PaaS and SaaS -- reflect three ways of doing that. What's happened instead is that the cloud has become more of a universal front end to legacy data center applications.

Little of what runs in the cloud ever ran elsewhere; it was developed for the cloud, and cloud providers quickly realized that. They created web services or hosted features that developers could use to build applications. These services created the successor to the old PaaS cloud model, and when people talk about PaaS today, they're referring to these services.

There are four major advantages to modern PaaS:

Most enterprises that adopt a PaaS cloud model today do so because of one or more of these benefits. And the majority say that the greatest benefits of PaaS are accrued during project development and maintenance, where cloud provider tools improve project quality and accelerate the delivery of results.

For all the positives of PaaS, there are three significant negatives as well. Enterprises agree that the upsides of PaaS are most visible to development teams, and the downsides of PaaS to CFOs. The most significant are the following:

The best way to get the most out of PaaS is to plan accordingly. The risks of PaaS can be minimized by fully assessing the costs of using PaaS tools for application development and deployment. Enterprises can sometimes reduce costs through careful feature selection, and all cloud providers offer tools to estimate costs. If an enterprise has good data on application usage, it can avoid cost surprises that would incur the wrath of senior management.

PaaS benefits can also be optimized. Planning is the key to this as well. Cloud providers often offer multiple ways of doing essentially the same thing -- high-level PaaS features aimed at IoT, for example, that are really wrappers around lower-level features such as event handling. You might not need all the high-level features, and if that's the case, the benefits won't offset the costs.

The most difficult problem to address in PaaS is portability. Tools are likely to be implemented differently across cloud providers, and that increases the cost of sustaining a multi-cloud or changing cloud providers. One way to address this is to design applications so that cloud provider-specific features are contained in small software modules that can be changed easily or switched for multi-cloud deployment -- or if another cloud provider offers a better deal.

These measures work where there's a modest number of specialized PaaS tools involved, but they can be difficult to apply when there's a lot of software and a lot of PaaS tools associated with the software. In that case, it's wise to look at the idea of separating PaaS tools from the cloud provider completely.

Enterprises generally agree that the best alternative to cloud provider PaaS is what can be called private PaaS, which means building applications on middleware tools designed to be portable across cloud providers and hosted directly via IaaS VM or containers. This, if done properly, can eliminate most of the risks of PaaS while retaining the main benefits.

The key to success with this approach is minimizing the number of software sources required to create the private PaaS. Try to lay out all PaaS requirements for current and future applications, and then use that list to find software sources, starting with software providers that can fulfill the largest number of PaaS needs. Enterprises that acquire their private PaaS software from an open source supplier rather than building their own tools from source code generally report having fewer issues with managing compatibility across tools and libraries.

Private PaaS is more work, and the acquired PaaS tools likely won't be free, so it's essential to compare the costs and benefits of private PaaS with those of traditional public cloud PaaS. Enterprises should also look at how well private PaaS tools work compared with public PaaS. Cloud providers' implementations of private PaaS tools can take advantage of relationships with cloud provider infrastructure that aren't exposed to users, and thus aren't available to private PaaS implementations.

Cloud provider relationships with software vendors, increasingly common in the cloud market, can offer an easier pathway to private PaaS. Look at the tools available from a source that's affiliated with all your cloud options first, and then compare it with the costs and benefits of others as you would with public cloud PaaS tools.

There's no easy way to tell how to balance the pluses and minuses of PaaS. Every enterprise must look at each benefit and risk and assign a value to it based on their own operations. It's also important to track any shifts in those values created by changes in cloud provider services and pricing, company application usage and traffic, and expenses and capital costs. Keeping careful notes on how each plus and minus is assessed -- each time an assessment is made -- is essential to getting the best results over time.

Continued here:

What are the main advantages and disadvantages of PaaS? - TechTarget