Driven by vulnerabilities in widespread software affecting organizations worldwide, the US government met with the open source community and major software firms on Jan. 13 at the White House to find ways to support the innovative software development community, while at the same time reducing the likelihood of future security flaws in common software components.

The White House Software Security Summit brought together officials from the various government agencies that deal with national security and technology with representatives from major software companies includingAkamai, Amazon, Apple, GitHub, Google, Meta, Microsoft, and RedHat as well as members of the open source software community, such as the Apache Software Foundation and the Linux Foundation.

The summit aimed to find ways of "preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes," the Biden administration said in a statement.

At the heart of the discussion, however, is how the innovative development of open source communities can continue to flourish while improving efforts to create secure software and speed the patching in the face of vulnerabilities.

"Open source software brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance," the administration stated. "Participants had a substantive and constructive discussion on how to make a difference in the security of open source software, while effectively engaging with and supporting, the open source community."

The summit took place as companies continue to struggle to find and patch a significant vulnerability in the Log4j logging framework for Java applications, which is widely used in enterprise applications. More than 80% of the Java applications on the Maven Central Repository, a widely used package management repository, had Log4j as a dependency meaning those Java applications and components are likely vulnerable. While the vulnerability has not yet led to a major compromise, according to US officials, the issue will likely take years to remediate because of its ubiquity.

A Long History of Widespread VulnsVulnerability in widespread software packages are not new. The 2014 Heartbleed vulnerability in OpenSSL and the 2018 SPECTRE and Meltdown vulnerabilities demonstrated that security issues found in ubiquitous software and firmware have long tails.

"The world runs on software, which in turn relies on open source, [which] means that vulnerabilities in open source code can have a global ripple effect across the billions of developers and services that rely on it," Mike Hanley, chief security officer at GitHub, said in a statement on the summit. "Weve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, safety, and trustworthiness of entire systems in the blink of an eye."

The summit aimed to find ways for government and industry to work together to improve the security of open source code, such as integrating security features into developer tools and services as well as ensuring the integrity of the platforms used to store and distribute packages. Initial efforts will likely focus on ways to improve the security of popular and critical open source software projects and packages and speed the adoption of software bills of materials to allow developers and companies to track their dependencies.

"This all begins with a common effort to increase visibility into the use of open source software," says Boaz Gelbord, chief security officer with Akamai. "Government and private sector organizations must invest in tools that reveal the reliance on open source technologies and, crucially, take action to mitigate and contain risks to strengthen the security of the ecosystem at large."

The efforts will be a balance between maintaining the innovative and standards-setting efforts of independent open source development and enforcing secure development practices on projects and products that become part of the critical infrastructure on which industry and government rely, says Brian Behlendorf, executive director of the Open Source Security Foundation (OpenSSF).

"At the beginning of the supply chain is the raw, sometimes messy, but also often incredibly innovative processes of writing code in a group that so often leads to great software," he says. "Thats precious and shouldnt be shackled by bureaucracy or requirements that create no value for those upstream core devs."

However, the OpenSSF recognizes that more secure development processes need to be added to each step in the chain from core developer to package manager to the development teams that eventually use the software component or library.

"Whats important now, in a world of millions of software projects and developers, is to help scale up what used to be informal, high-trust processes along this chain into more rigorous, automatable tools and practices," Behlendorf says.

The industry has already started investing in securing open source software, as well as their own software products. At a similar summit in August, Google and Microsoft pledged to spend billions on software security and cybersecurity efforts in the next five years. Google, for example, has committed to an invisible security initiative to integrate protections so that developers and businesses reap the benefits, and also hasworked with the OpenSSF to release tools for developers. Akamai committed to continuing to help the open source community find ways to detect vulnerabilities in software and contain attacks, but recognized that the work is only starting.

"While this executive order is a move in the right direction, more needs to be done to support the open source community to thrive within our ever-evolving threat landscape," Akamai's Gelbord says.

Last year, the Biden administration released an executive order on cybersecurity that was widely praised for being more detailed than past administrations. In addition, the administration announced in October that it would create the Bureau of Cyberspace and Digital Policy within the US Department of State to lead international diplomacy on the issue.

Read more:

White House Meets With Software Firms and Open Source Orgs on Security - DARKReading

Thousands of universities all over the world use open-source software to support learning, teaching, and research. There are plenty of advantages that this specific type of software delivers for example, it costs less to use and provides educational institutions with more flexibility.

This article will discuss precisely what open-source software is and how universities can use it. We will also mention how it reduces institutional costs and improves flexibility.

What Is Open-Source Software?

Open-source software provides the user with plenty of opportunities when it comes to editing and changing the coding. In short, this type of software is released with its source code, allowing the user to edit, study, use, or share the program.

As we have already discussed, there are plenty of advantages to using this type of software. One of the most essential features of open-source software is that it can be adapted to the users needs and wants. Also, there is an element of complete transparency when the code is used and shared.

With this being said, open-source software is perfect for universities and other educational institutions. Below, we will be discussing why that is true based on flexibility and cost.

Cost and Capacity

Many educational facilities use open-source software primarily because it is free from licensing costs. Seeing as thousands, if not millions, of students, are plagued by student debt, this is a significant aspect.

While there are no licensing costs, the school will still have to pay for additional features, such as enterprise-grade support, input into new features, extra functionality, and rapid bug fixes. However, these costs are still much lower than proprietary software, making it perfect for universities and other businesses.

Flexibility

Open-source software provides universities with plenty of flexibility. As we have already mentioned, this type of program is released with its source code, allowing the user to edit, study, use, or share the software.

This means that the university will be able to alter the code according to their needs and wants. Many educational institutions use open-source software to attract students from around the world. Additionally, plenty of platforms can create courses, share learning materials, assess students, etc.

Concluding Thoughts

Many universities and educational institutions around the world use open-source software as opposed to proprietary software. There are various reasons for this for example, open-source software can be adapted to the universitys, teachers, and students needs. On top of that, there is an element of transparency when the code is used.

However, arguably the most important and attractive aspect of open-source software is the fact that it is free from licensing costs. This type of software also provides the user with more flexibility and adaptability.

More here:

Why Universities Are Choosing Open-Source Software - The Tech Edvocate

Opinion We're going to be cleaning up Apache Log4j security problems for months to come, but the real problem isn't that it was open-source software. It's how we track and use open-source code.

When security vulnerabilities were found in the extremely popular open-source Apache Log4j logging library, we knew we were in trouble. What we didn't know was just how much trouble we were in. We know now. Just ask the Belgian defence ministry. In this ongoing security disaster, many people blame open source for all our troubles.

In the Financial Times (FT), Richard Waters, the newspaper's west coast editor, wrung his hands, saying it's a "little alarming to discover that, more than two decades into the open-source era, glaring security holes sometimes surprise even the experts."

Surprising? I think not. It's software. It always has bugs. Sometimes they're really bad bugs. As security maven Bruce Schneier said over 20 years ago: "Security is a process, not a product." There's no surprise here.

Waters went on: "If an orphan software project like this could be sitting in the heart of the world's internet infrastructure, how many other potential time-bombs are out there?"

Orphan? A major Java library such as Log4j? I think not.

Now, there are vital open-source projects that are orphans. We all know the xkcd cartoon about the tiny but all-important program thanklessly maintained by a person in Nebraska since 2003. The serious part of the joke is that it's not far wrong. Remember OpenSSL's Heartbleed fiasco?

Today, there are fewer such programs. That's because shortly after Heartbleed bled out, the Linux Foundation and mates started the Core Infrastructure Initiative (CII). Its job, and its successor's, the Open Source Security Foundation (OpenSSF), is to find those little under-supported projects and make sure they get the help they need to keep the lights on and the code safe.

But, repeat after me, "security is a process, not a product." Linus's law, as Eric S Raymond phrased it in his seminal work on open source The Cathedral and the Bazaar, "given enough eyeballs, all bugs are shallow" does work. If, and it's a big if, those eyeballs are there and looking. If the code just sits there getting copied over and over again without a moment's thought, no bugs will be found. Simple, isn't it?

Now some people say that the problem is not enough money. As the programmer Xe argues, "'Open Source' is broken" because even now no one is paying the developers. Xe's not wrong. Ralph Goers, the Log4j maintainer who made the initial fix, confessed he works on Log4j in his spare time and has "always dreamed of working on open source full time." As Xe also remarked, "GitHub stars famously cannot be used to pay rent."

So far, so right. But would Goers get paid to go over old Java code with a fine-tooth comb looking for security vulnerabilities even if Oracle were to hire him just to work on Java? I doubt it. Coders are paid to make new code, not fix old code. That's just how things work whether your programs are proprietary or open source.

And if anyone ever tells you proprietary code is safer, ask them about Patch Tuesday. Microsoft Exchange still blew up on New Year's Day because of a Y2K-style problem with a 32-bit integer variable that couldn't handle the new year.

Until the day comes when companies pay developers to fix and clean their old code while looking for security bugs, we will always have this kind of problem pop up. I expect that to be the same day when companies finally make and check their backups reliably and Jane and Joe stop using "password" for their password.

That said, the real reason why Log4j has proven to be such a pain in the ass isn't the code. I mean, we've now had four, count 'em, four Log4j patches. As I write this, if you want to be safe you should be using Log4j 2.17.1. But the real trick, my friend, is making sure you've replaced all those instances of Log4j 2, which aren't so safe. There's the rub.

You see, Java hides its source code and binaries in numerous Java Archive (JAR) variations. There is honestly no telling where a vulnerable Log4j library might be hiding. The only thing you can do is use a variety of tools to help you win this game of high-tech security hide-and-seek. Oh, one problem. None of these security-scanning programs, not one, can find every possible case. Is it a great time to be working in IT or what?

The answer to this are Software Bills of Material (SBOM). Well done, an SBOM does just what it says. It tells you exactly what software libraries, routines, and other code are used in your program.

As David A Wheeler, the Linux Foundation's director of Open Source Supply Chain Security, has explained, with SBOMs and verified reproducible builds, you can make sure you know what's what in your programs. That way, when not if a security hole is found in a component, you can simply patch it rather than search like a madman for the problem code before being able to fix it.

SBOMs, however, are still a work in progress. If we manage to have reliable SBOMs by the end of the 2020s, I'll be a happy man. That will be a pleasant surprise. Oh, and if we can actually pay people to search for trouble in code before things go wildly askew that would be great too. But I'm not holding my breath on that one.

Link:

Open source isn't the security problem misusing it is - The Register

Danish Intelligence Chief Detained Over Leak of Confidential Information

Lars Findsen, the head of Denmarks foreign intelligence service, was revealed as one of the four people detained in December of 2021 for leaking highly classified information. All four detainees are employees of the Danish intelligence service, but Findsen is the only one who remains in custody. He has reportedly been charged with violating a section of the penal code by sharing highly classified information and faces a maximum penalty of 12 years in prison. Unnamed sources said the chargesare a consequence ofFindsen leaking classified information to news outlets. This isnt Findsens first punishment for mishandling classified information, as he had been suspended from his role as intelligence chief since August 2020 for allegedly sharing raw data with the National Security Agency in 2020.

TSMC Will Invest up to $44 Billion for Semiconductor Production in 2022

Taiwan Semiconductor Manufacturing Company announced that it would increase investments in its production capacity to its highest levels ever in 2022, allocating over $40 billion towards expanding semiconductor production. That figure represents a $10 billion increase from the previous high.TSMCs finance chief also said that between seventy and eighty percent of the spending would be directed towards TSMCs most advanced manufacturing processes, with the remainder earmarked for legacy chips. TSMC has been expanding its production capacity recently, with plans to open plants in Arizona and Japan in the next five years.

U.S. Cyber Command Releases Malware Samples from Iranian APT MuddyWater

More on:

Cybersecurity

Iran

Supply Chains

China

Cyber Command provided an official attribution for the threat actor MuddyWater, describing it as a direct subordinate group of the Iranian Ministry of Intelligence and Security. Included in the release was an analysis of several malware tools and techniques used by the group. In December 2021, MuddyWater was detected orchestrating a campaign against telecommunications companies in the Middle East and Southeast Asia. While cybersecurity firms have previously linked MuddyWater to the Iranian government, Cyber Commands announcement is the first time the U.S. government has marked the group as Iranian-sponsored.

White House Hosts Summit on Open-source Software

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs.2-4 times weekly.

Digital and Cyberspace Policy program updates on cybersecurity, digital trade, internet governance, and online privacy.Bimonthly.

A summary of global news developments with CFR analysis delivered to your inbox each morning.Most weekdays.

A weekly digest of the latestfrom CFR on the biggest foreign policy stories of the week, featuring briefs, opinions, and explainers. Every Friday.

The White House convened a summit on Thursday with several major technology companies to discuss how to increase security for open-source software. The summit comes in the wake of the disclosure of a flaw in the Log4j open-source software, potentially one of the most damaging vulnerabilities ever discovered. The summit brought together technology companies, government agencies, and foundations supporting open-source software projects. Log4j has mostlybeen used in ransomware attacks since its detection although Iranian hackers used the vulnerability to launch a PowerShell backdoor earlier this week. Since the disclosure of the Log4j flaw, the White House has described securing open-source software as a key national security concern, and this summit appears to reflect that emphasis.

Omicron outbreak in Xian shuts down factories, threatens chip supply chains

As Xian locks down due to Chinas largest outbreak of the Omicron variant to date, chipmaking factories in the northwestern city are experiencing production hiccups. Samsung Electronics and Micron Technology, who together account for 67% of DRAM chips and 45% of NAND flash chips globally, have modified operations in their Xian hubs due to staff shortages. It has been speculated that prolonged manufacturing slowdowns induced by the Omicron variant could worsen the global semiconductor shortage, especially if factories must close their doors. Micron has said that it remains optimistic that it will meet consumer demand with only near-term delays in the wake of Chinas biggest COVID challenge since Wuhan.

More on:

Cybersecurity

Iran

Supply Chains

China

Read the original post:

Cyber Week in Review: January 14, 2022 - Council on Foreign Relations

These words were well received earlier. However, at the present time, the idea of saying farewell to a sport that is one's passion and source of income makes it very hard for a cricketer.

Age is now no longer a concern. The modern fitness and health regimes have prolonged the life of a cricketer. In the past, anyone past 30 years was looked upon as one heading into the veteran zone, and for one to make a debut nearing that age was highly improbable.

Many of the greats of Indian cricket fell victim to the subject of retirement. One can understand the reason and that was because having given their blood, sweat and tears to cricket, it was not an easy call to make.

Timing one's departure from the sport is a decision which at most times is very scary. In cricket, a cricketer from his school days to the International level goes through the ups and downs that the game provides and the arduous journey that each one faces is what makes an end difficult to digest.

The digital world and live cricket coverage have given a life to many of the former cricketers. Several of the well-known cricketers have captured the television and multi-media world by becoming commentators. Others have also become leadership and performance-related speakers and coaches. Cricket, off the field, is now more than just a game and one can make a career as a specialist coach, umpire and get involved in the business-related areas of the game.

In the past, after retirement, cricketers were soon forgotten, and many went through hardship and depression. They went straight from the glamorous world to one of obscurity. There were very few opportunities in the cricketing world and most had to find a source to keep their home fires burning through a job. Therefore, quite understandably, although they chose to play, they were weeded out at most times unceremoniously.

The present cricketers, although they may have a longer tenure, the plethora of cricket at all levels and formats of the game, keeps them pursuing a journey without a thought as to what the future holds for them.

The journey of the three such stalwarts, Pujara, Rahane and Ishant Sharma, one feels, has the curtains coming down on their careers as Test cricketers. One does feel for them, especially for what they have contributed towards the progress of Indian cricket. However, none of them saw the writing on the wall as to what position they were putting themselves into.

Ajinkya Rahane, once relieved of his vice captaincy, Cheteshwar Pujara being questioned about his technique and Ishant Sharma on his loss of speed and fitness were asking for the inevitable to happen.

Cricket has this aura about it that one feels one is just one innings away from reviving one's form and reputation. However, understanding where one stands if it does not work out is what a modern-day cricketer will need to evaluate.

See the article here:

CLOSE-IN: Always a difficult decision as to when to hang up one's boots in cricket - National Herald

The cryptocurrency firm FTX has announced the launch of a $2 billion venture capital fund called FTX Ventures. The funds focus will be on advancing blockchain and Web3 technology alongside investments in social, gaming, fintech, software, and healthcare.

FTX Trading Limited has announced the launch of a new venture capital fund aimed at bolstering blockchain and cryptocurrency solutions that are applied to an assortment of different industries. In addition to launching FTX Ventures $2 billion venture capital fund, the company has hired former Lightspeed Ventures partner, Amy Wu. According to the announcement, Wu will lead FTX Ventures gaming, M&A and commercial initiatives.

The venture capital fund announcement sent to Bitcoin.com News explains:

FTX Ventures core mission is to advance global blockchain and web3 adoption, with a broad investment mandate across social, gaming, fintech, software, and healthcare. The fund will invest in multi-stage companies and projects, providing flexible funding and strategic support from FTX and its network of global partners.

Wu says that she looks forward to working alongside FTX CEO Sam Bankman-Fried and she remarked that FTX Ventures looks forward to supporting businesses and entrepreneurs. Were particularly excited about web3 gaming and its ability to bring mainstream audiences into the ecosystem, Wu said in a statement.

FTX has been making a great number of moves during the last 12 months with a significant focus on sports and entertainment. Last year, FTX partnered with Monumental Sports Entertainment (MSE), Sports Illustrated, the Los Angeles Angels Shohei Ohtani, the global esports firm TSM, Green Bay Packers running back Aaron Jones, the Mercedes-AMG Petronas Formula One team, and seven-time Super Bowl winner Tom Brady and his supermodel wife Gisele Bndchen.

During the first week of November 2021, FTX joined Solana Ventures and Lightspeed in order to launch a $100 million blockchain gaming fund. Our investors at FTX have made a deep impact in supporting our growth and development, Sam Bankman-Fried said on Friday in regard to the new venture capital fund. We strive to do the same at FTX Ventures and are excited to find the brightest minds and disruptive innovation in tech, Bankman-Fried added.

What do you think about the new $2 billion venture capital fund called FTX Ventures? Let us know what you think about this subject in the comments section below.

Jamie Redman is the News Lead at Bitcoin.com News and a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open-source code, and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.

Image Credits: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.

Continued here:

FTX Launches $2 Billion Venture Capital Fund Focused on Bolstering Blockchain, Web3 Adoption Finance Bitcoin News - Bitcoin News

Your browser doesnt support HTML5 audio

On Friday, Chinese tech firm Tencent officially announced the the open source status of PAG (Portable Animated Graphics), its core animation tool. This product has been widely used in dozens of the firms apps, such as WeChat, mobile QQ and Honor of Kings, as well as other applications outside the company.

PAG is a complete animation workflow solution independently developed by Tencents AVGenerator OTeam. It can effectively reduce or eliminate R&D expenses in animation, significantly speeding up the process from designer creation to material delivery, and continuously delivering high-quality animation content that can be edited at runtime.

Compared with animation workflow solutions commonly used in the industry, PAG supports more AE features, features a wider platform availability (macOS, Windows and Linux), and delivers a highly optimized performance. It supports text and placeholder editing and replacement, and can be closely integrated with video editing scenarios.

Adobe After Effects (AE) is the most widely used animation design software. While this may work for animation production and app presentation, AE comes with high communication costs and its difficult to guarantee performance.

SEE ALSO: Huawei Donates OpenEuler Open Source Operating System, Releases ORA Talent Development Acceleration Plan

Compared with traditional methods of R&D and restoration, Tencents PAG scheme significantly improves the efficiency of online animation material. Designers can directly produce animation files after design, free from code restoration in R&D. They only need to access SDK once to make materials go online on their own. It also avoids the joint adjustment time cost of repeated effect confirmation, and can also produce materials in batches, directly replace the traditional small workshop form from the process, and greatly improve the design and R&D efficiency by using industrial production methods.

Originally posted here:

Tencent's Animation Tool PAG Now Open Source, Used Widely in WeChat - Pandaily