DARPA starts a 5G open-source stack project with the Linux Foundation – RCR Wireless News

The Defense Advanced Research Projects Agency has begun a broad collaboration with the Linux Foundation, hoping to spur open-source development of technologies for use by the U.S. government that include secure 5G network software and applications.

The US GOV OPS (Open Programmable, Secure) umbrella organization's first project, OPS-5G, will focus on a software stack for 5G, the network edge and IoT. According to a newly established website about the project, OPS-5G will define and test an end-to-end 5G stack and include elements from multiple Linux Foundation projects, including LF Networking, LF Edge, the Zephyr Project and the Cloud Native Computing Foundation, along with other top-tier projects that call the Linux Foundation home.

The project's formation encourages ecosystem players to support U.S. government initiatives to create the latest technology software, according to DARPA and the Linux Foundation. According to the two organizations, OPS-5G's goal is to create open source software and systems enabling secure end-to-end 5G and follow-on mobile networks; to address feature velocity in open-source software; and to mitigate security concerns such as large-scale botnets that leverage IoT devices, network slicing on suspect gear, and adaptive adversaries operating at scale.

Mike Woster, head of ecosystems at the Linux Foundation, said that the Linux Foundation's breadth of projects means that between existing open source projects and new ones that may be initiated under the US GOV OPS umbrella, it will be possible to stitch together a full, end-to-end 5G reference architecture. The umbrella project also gives DARPA a place to push the results of its research and development into open-source collaborations. The overall goal is to accelerate 5G software development, ranging from specific applications to network feature support, orchestration and analytics, by borrowing from and building upon existing open-source projects and new ones.

The US GOV OPS project will launch as a standard open source project with a charter similar to other projects within the Linux Foundation, which already is home to a number of projects related to Open RAN, edge computing, Kubernetes and others that will enable US GOV OPS to build on a secure code base for use by the U.S. government, according to a release.

"But it's more than just code," said Woster. "Open source development and open development is really around having a neutral governance framework; open, transparent development processes; that it's secure, that the intellectual property is properly managed and that the velocity for developers, that all of that matches the needs of the developers."

"DARPA's use of open source software in the Open Programmable Secure 5G (OPS-5G) program leverages transparency, portability and open access inherent in this distribution model," said Dr. Jonathan Smith, program manager for DARPA's Information Innovation Office, in a statement. "Transparency enables advanced software tools and systems to be applied to the code base, while portability and open access will result in decoupling hardware and software ecosystems, enabling innovations by more entities across more technology areas."

The Linux Foundation 5G project is just one of the ways that the U.S. Department of Defense is supporting or exploring the use of 5G. Carriers are deploying 5G at military bases to test various use cases, and earlier this week, Federated Wireless announced that it is leading a project to use 5G in CBRS spectrum to modernize operations at a Marine Corps warehouse in Albany, Georgia. DARPA has also supported research into ad hoc spectrum sharing with its three-year Spectrum Collaboration Challenge. Some of the work from SC2 has informed DARPAs continued support of research into the possibility of more granular CBRS sharing.


Microsofts Dapr open-source project to help developers build cloud-native apps hits 1.0 – TechCrunch

Dapr, the Microsoft-incubated open-source project that aims to make it easier for developers to build event-driven, distributed cloud-native applications, hit its 1.0 milestone today, signifying the project's readiness for production use cases. Microsoft launched the Distributed Application Runtime (that's what Dapr stands for) back in October 2019. Since then, the project has released 14 updates and the community has launched integrations with virtually all major cloud providers, including Azure, AWS, Alibaba and Google Cloud.

The goal for Dapr, Microsoft Azure CTO Mark Russinovich told me, was to democratize cloud-native development for enterprise developers.

"When we go look at what enterprise developers are being asked to do, they've traditionally been doing client, server, web plus database-type applications," he noted. "But now, we're asking them to containerize and to create microservices that scale out and have no-downtime updates, and they've got to integrate with all these cloud services. And many enterprises are, on top of that, asking them to make apps that are portable across on-premises environments as well as cloud environments or even be able to move between clouds. So just tons of complexity has been thrown at them that's not specific to or not relevant to the business problems they're trying to solve."

And a lot of the development involves re-inventing the wheel to make their applications reliably talk to various other services. The idea behind Dapr is to give developers a single runtime that, out of the box, provides the tools that developers need to build event-driven microservices. Among other things, Dapr provides various building blocks for things like service-to-service communications, state management, pub/sub and secrets management.


"The goal with Dapr was: let's take care of all of the mundane work of writing one of these cloud-native distributed, highly available, scalable, secure cloud services, away from the developers so they can focus on their code. And actually, we took lessons from serverless, from Functions-as-a-Service where with, for example, Azure Functions, it's event-driven, they focus on their business logic and then things like the bindings that come with Azure Functions take care of connecting with other services," Russinovich said.

He also noted that another goal here was to do away with language-specific models and to create a programming model that can be leveraged from any language. Enterprises, after all, tend to use multiple languages in their existing code, and a lot of them are now looking at how to best modernize their existing applications without throwing out all of their current code.

As Russinovich noted, the project now has more than 700 contributors outside of Microsoft (though the core committers are largely from Microsoft), and a number of businesses started using it in production before the 1.0 release. One of the larger cloud providers that is already using it is Alibaba. "Alibaba Cloud has really fallen in love with Dapr and is leveraging it heavily," he said. Other organizations that have contributed to Dapr include HashiCorp and early users like ZEISS, Ignition Group and New Relic.

And while it may seem a bit odd for a cloud provider to be happy that its competitors are using its innovations already, Russinovich noted that this was exactly the plan and that the team hopes to bring Dapr into a foundation soon.

"We've been on a path to open governance for several months and the goal is to get this into a foundation. [...] The goal is opening this up. It's not a Microsoft thing. It's an industry thing," he said, but he wasn't quite ready to say to which foundation the team is talking.


Prebid.org Will Operate Unified ID 2.0 And Make Sure It Remains Open Source – AdExchanger

One of the biggest questions dogging Unified ID 2.0 has been answered.

Independent industry organization Prebid.org will serve as operator of the initiative.

Unified ID 2.0 is a collective industry effort, originally spearheaded by The Trade Desk, to create an email-based alternative to third-party cookies.

Prebid, which has roughly 100 member companies, is also the industry body that oversees the Prebid Server, which is an open source solution for server-to-server header bidding, and Prebid.js, which is an open source header bidding wrapper.

Hello, operator

According to Prebid's charter, its purpose is to operate infrastructure on behalf of the industry in cases where trust and transparency are required and a for-profit entity just isn't an appropriate choice. Unified ID 2.0 fits that bill to a tee, said Tom Kershaw, chairman of Prebid and CTO of Magnite, which was an early supporter of UID 2.0.

The plan is for Prebid to stand up the necessary infrastructure to support UID 2.0 by Q2 and to be live by the middle of the year.

Besides managing UID 2.0's hardware and software infrastructure, Prebid will also handle the email encryption and decryption process, make sure the IDs are readable and generally guarantee that the IDs are functioning properly.

For example, Prebid will operate the physical machines that UID 2.0 will run on (Prebid has preexisting cloud accounts with Amazon), and Prebid's GitHub repository will be home to the open source software that underpins the ID.

During the transition period, The Trade Desk will provide Prebid with the working code and framework for UID 2.0 and eventually relinquish oversight to Prebid.

The timing is tight, but the progress is real, Kershaw said.

"I'd argue that UID 2.0 and Prebid's efforts around identity are moving at a faster pace than the Privacy Sandbox and that they'll probably be ready earlier than some of the Privacy Sandbox work," he said.

Open source for real

Prebid's involvement is also a signal that UID 2.0 is a truly open source initiative. If it were any other way, Prebid wouldn't be involved, Kershaw said.

"If it became controllable by any one company, I can bluntly say that Prebid would disassociate itself," he said.

Despite being UID 2.0's operator, there are some things that Prebid won't do, by design.

"We're not administering it or providing policing functions," Kershaw said. "What we're doing is operating the machinery."

It's possible that there might eventually be a charge for using UID 2.0 if, for example, the initiative reaches massive scale and operating the machines gets pricier.

For now, though, the plan is to keep UID 2.0 free for publishers and advertisers to use. The cost of running the software will be absorbed by the fees that companies pay to be members of Prebid, which range from $5,000 a year for agencies and brands to $40,000 annually for power members.

Next steps

Unified ID 2.0 isnt the only ID housed within Prebid.

A few months ago, Prebid launched its own first-party cookie identifier, SharedID, which is written by a single publisher and can't be shared across sites. UID 2.0 is a natural extension of SharedID, Kershaw said.

UID 2.0 is a logged-in value, which makes it persistent and gives it cross-site capabilities, but UID 2.0 only works if users share their email, Kershaw said. SharedID is a solution that could work for the rest of the internet that isnt captured with UID 2.0.

Because getting consent at scale is a nontrivial task, and something that needs to get a lot more attention from the industry, Kershaw said.

"Before anyone can do anything with UID 2.0, we need logins, and it's not like publishers have figured out how to do this yet," he said.

With Prebid signed on as the operator of UID 2.0 and the Partnership for Responsible Addressable Media in the midst of reviewing the UID 2.0 code, the next steps include writing additional code, figuring out which other independent third-party organizations to bring on board to help with governance and continuing to sign up new partners.

Prebid's involvement is the move that a lot of people in the industry have been waiting for in order to really get behind this, Kershaw said.


Best Python coding courses: Learn to code online in 2021 – Mashable

Easy to read, easy to write, and easy to learn, Python is the ultimate beginner-friendly programming language here are our favorite online classes to kickstart your coding career.

Sitting around with "a lot of time on my hand," Dutch computer scientist Guido van Rossum decided to take on a fun little side project over Christmas break in 1989: building a new programming language. The one he used in projects at work was overcomplicated and clunky, but he thought he could use some of its better features to create something more forgiving, flexible, and easier to read.

Van Rossum developed his language mostly in his free time over the course of the next year (with the help of some colleagues' feedback), eventually deciding to name it "Python" after the British comedy series Monty Python's Flying Circus, whose published scripts he was reading at the time. In the years since, it has become something of a Holy Grail among general-purpose programming languages.

"I certainly didn't set out to create a language that was intended for mass consumption," van Rossum told The Economist in 2018. Yet according to SlashData's most recent State of the Developer Nation report, Python is one of the most popular and fastest-growing programming languages out there, with 9 million active developers worldwide, having added 2.2 million net users in the past year alone. (It's now second only to JavaScript, which boasts 12 million active developers.) Moreover, the almost 65,000 developers polled for Stack Overflow's 2020 Developer Survey named Python their third most loved programming language and the one they wanted to learn most.

If you're interested in pursuing a career in software development (or simply want to future-proof your current gig), this is definitely the bandwagon to hop on.

Python's popularity can be credited to a bunch of different factors:

Its syntax is simple and neat, which makes it easy to read, easy to write, and easy to learn. If you're just dipping your toes into the world of coding, it's an excellent jumping-off point for other programming languages.

It has an active community and detailed online documentation, so there are tons of resources for users to explore and build upon.

It has an extensive standard library. A programming language's standard library is a collection of ready-made, commonly used functions and script modules, which you can use to simplify the coding process and avoid writing everything manually.

It's productive. Compared to languages like C, C++, and Java, Python can get the same task done in fewer lines of code, which also makes it great for whipping up prototypes in the early stages of a project's development.

It's open-source, which means it's entirely free to download, modify, and distribute.

It's cross-platform. Python code works the same on macOS, Windows, and Linux.

It plays well with others. Python is both "extensible" and "embeddable": you can write performance-critical parts of a Python program in another language such as C and call them from Python, and you can embed the Python interpreter inside a program written in another language.

It's versatile. From tech to IT, web design, social media, finance, insurance, healthcare, retail, banking, and even aerospace, Python is a general-purpose programming language whose real-world applicability is seemingly limitless.

It's scalable. Python's simplicity makes it a go-to for personal projects, but it's also powerful enough for the likes of Netflix, Spotify, Facebook, Instagram, Google, Dropbox, Reddit, and NASA.

It's adaptable. What's especially interesting about Python is that despite being three decades old, it's stuck around *and* continued to grow at a remarkable rate alongside new technologies. (SlashData's report notes that it's a favorite among machine learning developers, data scientists, and Internet of Things engineers.) Per Associate Prof. Daniel Guetta of Columbia Business School, "Python today is what Excel was 20 years ago."

Simply put, it's where the (good) jobs are at. According to a 2020 survey of over 116,000 software engineers by the tech hiring platform HackerRank, nearly half of hiring managers worldwide look for Python programming skills in their potential employees. (It came in second only to JavaScript in that poll.) Furthermore, a recent analysis of the jobs site Indeed by the software development company Daxx found that the average U.S.-based Python developer makes $110,840 a year, making it the second best-paid programming language behind Ruby.


More broadly, any sort of programming knowledge will give you a leg up in the job market these days. The U.S. Bureau of Labor Statistics estimates that the employment of software developers will grow 22% from 2019 to 2029, which is "much faster than the average for all occupations."

Conducted by the software vendor JetBrains in partnership with the Python Software Foundation (a nonprofit that holds the language's trademark, manages its open-source licensing, and funds its development), the most recent official Python Developers Survey found that its users work across the fields of science, education/training, accounting/finance/insurance, and medicine/health, though the vast majority are in IT/software development. More than two-thirds are employed full-time by a company or organization, as opposed to just 6% who are self-employed and 5% who are freelancers.


Notably, the vast majority of Python developers polled for that study have five or fewer years of experience with the language, and 29% have under a year of professional coding experience overall. In other words, it doesn't take much to break into the industry. (To add to that point, Stack Overflow's report found that Python developers typically have higher salaries with fewer years of experience compared to users of other languages.)

While large tech companies like Apple and Google typically hire software developers with Bachelor's degrees or higher, Python's gentle learning curve makes self-taught online classes and bootcamps a smart choice for novice or casual programmers. After sorting through dozens of expert reviews and hundreds of comments on the subreddit r/LearnPython (an excellent resource for Python newbies), we've concluded that the best Python classes tick all or most of the following boxes:

They're not too expensive. Some of the best Python classes are cheap or even free. (If you're spending thousands of dollars, you're doing it wrong.)

They offer lifetime access to class materials so you can refer back to and build upon what you've previously learned.

They're self-paced.

They're not subscription-based so you're not penalized for learning slowly.

They're updated regularly for the latest version of Python. New releases now come out every 12 months; at the time of writing the latest is Python 3.9. (Avoid courses on Python 2; that version reached end of life on Jan. 1, 2020, and no longer receives security fixes.)

They offer opportunities for feedback and staff support. Coding with Python in professional settings is often a very collaborative experience. (Fifty-three percent of Python Developers Survey participants said they worked on a team.)

They give real-world context to Python concepts so you can see the potential of those lines of code on your computer screen.

Their instructors are engaging. Coding can sometimes be dull and tedious, so it helps to have a teacher who not only understands the language but makes it fun to learn, too. (Most Python courses on the online learning marketplace Udemy are great picks for this reason.)

With those criteria in mind, here's a rundown of the Python courses we recommend taking.

While most learning platforms will give you a certificate of completion for finishing a Python course, and companies like Microsoft offer Python certification exams, credentials don't really matter in the world of programming (as opposed to, say, the finance industry). People on r/LearnPython often compare the career of a programmer to that of a photographer in that your work should speak for itself, so channel your energy into building a nice portfolio of projects on GitHub instead of chasing fancy diplomas. (And for what it's worth, the Python Software Foundation doesn't offer, recognize, or recommend any certifications.)


The 8 best 2FA apps on Android – Android Police

This story was originally published on Feb 13, 2021 (7:00am PST) and last updated on Feb 20, 2021 (7:32am PST).

Your online accounts are much safer when you rely on more than only a password, and that's where two-factor authentication (2FA) apps come in. You can use them to create an extra layer of security for your accounts, requiring you to enter a one-time password (OTP) in addition to your regular credentials when you log in. That prevents attackers from accessing your account with a stolen password alone.

Some services offer to send you OTPs via SMS, but you should always opt for a proper 2FA app if you can. Text messages aren't encrypted end to end, and an attacker who takes over your phone number (for example by SIM-swapping it) receives your codes, so SMS is the weakest form of second factor. Luckily, there are quite a few great 2FA apps to choose from.

It's generally a good idea to rely on open-source tools for security: the code is transparent and openly available, so anyone can audit it. That's why our first recommendation and my personal 2FA manager of choice is andOTP, a fork of the long-inactive OTP Authenticator app. The open-source app might not be the prettiest, but it gets the job done very well. You can optionally encrypt your data at rest, and its local backups can be secured via a password. Since andOTP doesn't offer cloud syncing, you can rest assured that your OTPs will never be stored on unknown, potentially insecure servers without your explicit permission. andOTP also saves the secret code you used to set up each OTP, so you can easily switch to another OTP manager if you ever want to without having to go through the setup process for all of your accounts again.

You can download andOTP from the Play Store or F-Droid.

Aegis is another open-source client that is mostly identical to andOTP on the surface, showing your OTPs in a list and supporting local backups. But it places an even higher emphasis on security and strongly encourages you to lock the app with a password or biometrics, which allows your codes to be encrypted at rest using AES-256-GCM. As for looks, the app follows your system dark or light preference, and you can add app icons yourself using its icon pack or your own symbols (which is a little more complicated than in other solutions that add icons automatically).

Aegis also lets you access secret codes and supports exporting and importing from and to other OTP managers, so you're not locked in if you just want to give it a try. You can download it from the Play Store or F-Droid.

If you don't value the open-source aspect that much and prefer a 2FA app that automatically and securely syncs over the cloud, Authy might be the service of your choice. Its cloud backup is secured by a password and an SMS-based 2FA system, allowing you to seamlessly sync your OTP codes across multiple devices. The service also offers desktop apps that sync with your online vault.

Authy is free for individuals; it earns its money with enterprise customers. That gives it a strong commercial incentive to protect your data, since a breach would cost it its paying customers.

Unfortunately, Authy doesn't let you recover the secret codes used to set up OTPs, so if you ever want to switch to another manager, you'll have to set up all of your OTPs anew via your accounts, unless you save the secrets somewhere else whenever you add one to Authy.

If you don't want to back up or sync your 2FA codes at all for security reasons, Google Authenticator might be interesting for you. It supports the usual features and runs locally on your Android phone. If you switch phones, you can move your credentials via a QR code you generate in the app settings. Google Authenticator switches between light and dark automatically based on your system theme, but it doesn't have the option to add icons, so depending on how many services you protect, it might get pretty hard to tell them apart.

It's generally not recommended to store 2FA credentials in the same place as your passwords, as that effectively eliminates the "second factor" part of the equation. But as long as you take all imaginable measures to secure your password manager, having all of your credentials in one place is convenient and might encourage you to set up 2FA for more of your accounts, which is inherently more secure than just relying on one factor. You might still want to use a standalone 2FA app for your most important accounts when you go this route.

Here are our favorite solutions for password managers with 2FA support:

Microsoft Authenticator started out as a 2FA app, but the company recently turned it into a full-fledged password manager that syncs with Microsoft Edge when you log in with your Microsoft account. You can still use the Authenticator as a standalone 2FA app by simply not adding passwords if you prefer that. You also don't have to log in with your Microsoft account if you don't want or need cloud backups.

MYKI probably isn't the best-known password manager out there, but it has some unique tricks up its sleeve. Your data doesn't ever leave the devices you own, but your passwords and 2FA codes still sync via its peer-to-peer setup that doesn't require too much manual work on your part. That's great if you're concerned about server security without wanting to lose the convenience of cross-device syncing. Our own Rita wrote an extensive review a few years back, and it's still to the point.

OTPs are displayed alongside your password and account name.

If you'd rather rely on cloud-based software, Bitwarden is a great open-source choice. To use it for 2FA codes, you need to pay for the $10/year premium version, which is incredibly fair compared to other password managers. Once you've got everything set up, you can use Bitwarden to autofill passwords. OTP codes will then be added to your clipboard automatically, so you can just paste them.

LastPass's approach is a little different from other password managers with integrated OTP support. The security company offers a secondary 2FA app that you need to use in tandem with the main password manager application. When you log in to one of your OTP-protected accounts, you'll receive a push notification on your phone, allowing you to seamlessly verify your identity. You can also back up your OTPs to your LastPass account.

Keep in mind that LastPass is changing how its free tier works on March 16, 2021, so it's only really a viable option if you're ready to pay $3 a month for the Premium version.

Of course, this is only a small selection of 2FA apps out there, but we found these to be the most secure solutions that are either very affordable or free. Most password managers have built-in support for 2FA codes, but as we said, it's always a good idea to keep 2FA and passwords separate.

You can find out which of your services support 2FA on the crowdsourced twofactorauth.org website. Tap the "Docs" shortcut in the results to see detailed instructions on how to enable OTP codes for the service in question.

We've updated this article to include Aegis. Thanks, everyone who recommended the app!


‘A long haul’ from bootstrapping to $45M in funding: The saga of Durham’s no-code ProcessMaker – WRAL Tech Wire

DURHAM Success did not come overnight for Durham-based ProcessMaker, which just raised $45 million from Aldrich Capital Partners in its first outside investment for its open source automated workflow product.

"It was a long haul," said CEO Brian Reale in an interview with WRAL TechWire. "We took a lot of different paths. Most people don't do that."

The funding is big news in the emerging field of no-code/low-code that ProcessMaker has helped pioneer.

The promise of no-code platforms is that they'll make software development just as easy as using Word or PowerPoint so that the average business user can move projects forward without the extra cost (in money and time) of an engineering team, notes VentureBeat.

And here comes ProcessMaker.

ProcessMaker is a no-code/low-code open source process automation platform founded during the dotcom boom and bust of 2000 by Bobby Vernon and Reale. The bootstrapped startup had no funding, so the only way to generate forward momentum was to sell, Reale said.

"Unfortunately, if you have no funding, you also don't have anything to sell," he noted. So, in addition to working on product development, the company did consulting to help pay the bills. "A venture capitalist told me you should never do that, combine consulting with a product company. But if you don't have any funding, I don't see how else you could do it. That's exactly what you should do to organically build a business."

The two entrepreneurs failed often during their initial years.

For a time, Reale was in Bolivia, where he had built an earlier company to provide internet service there. Some of his scrappiness was already in evidence: he talked his modem-making employer into giving him outdated modems for the service. He said he originally agreed to do the Bolivia project thinking it would be an adventure. It was, he said.

The internet venture eventually sold to a U.S.-based public company. ProcessMaker still maintains offices in La Paz, Bolivia, and Bogota, Colombia.

Over the years, the entrepreneurs continued to refine and find the focus for their product. In 2008 they launched what is now known as ProcessMaker one of the first open source workflow software solutions in the industry at the time.

The fact that they didnt have a lot of competitors helped them hire and retain employees, Reale said.

"We've run ProcessMaker really lean and scrappy for 20 years. The hard work paid off."

The company grew from zero to 140 global employees, boasts several million open source downloads, and hundreds of customers across 52 countries.

The platform focuses primarily on mid-market banking, higher education, and manufacturing. Customers include community banks, multinationals, and more than 150 universities. The company will continue to focus on those verticals, Reale said, as it builds out its executive team and its sales and marketing staff with new hires. "We expect to go from 30 people in Durham to 50 by the end of the year."

In its mid-market banking vertical ProcessMaker offers an off-the-shelf commercial account opening process that can be deployed by community banks in a couple of weeks. The result, the company says, is that community banks can now deliver to their customers an experience that rivals the digital experience of banks 10 times their size at a fraction of the cost.

During COVID, this meant the banks were able to pivot from in-person commercial account opening to a fully digital experience while still focusing on building relationships with their customers.

In Higher Education, ProcessMaker automates student-facing processes like transfer of credit approvals and grade change processes. At one of the largest public university systems in the US, ProcessMaker reduced the average time for approving transfer credits from 5 months to 19 hours.

Reale said the company relocated to the Triangle for its attractive business atmosphere. "We chose the right place," he said.

The company refreshed its product prior to the new funding, so it's faster and cleaner, Reale said. So it will be able to use the funds to increase its sales and marketing rather than upgrade its product.

Aldrich Capital Partners Managing Partner Mirza Baig said in the funding announcement, "Aldrich invested in ProcessMaker because it is a highly capital efficient founder-run business that has a respected global brand. ProcessMaker is a market innovator that has proven that it knows how to be profitable and thrive even during a once-in-a-century world-wide pandemic."

He noted that low-code automation of processes is a hot commodity right now.

"At ACP, we love low-code process automation and fully expect hundreds of market verticals to be transformed in the next decade," she said.

The global process automation market is expected to reach nearly $17 billion by 2023 with a CAGR of 5.8% according to a recent report.

The investment from Aldrich Capital will allow ProcessMaker to continue to invest in its market-leading digital process automation platform and build out its presence in community banking, higher education, and manufacturing.


'A long haul' from bootstrapping to $45M in funding: The saga of Durham's no-code ProcessMaker - WRAL Tech Wire

SQLite patches use-after-free bug that left apps open to code execution, denial-of-service exploits – The Daily Swig

More than one trillion SQLite databases potentially active in myriad operating systems, browsers, and applications

UPDATED: SQLite has issued a security patch after the discovery of a use-after-free bug that, if triggered, could lead to arbitrary code execution or denial of service (DoS).

The highest threat to systems running affected versions of SQLite, a C-language library that implements an SQL database engine, is to system availability, according to a Red Hat Bugzilla thread.

However, the flaw is only marked as medium severity because exploitation depends on attackers already having access to query the data in the database, noted Todd Cullum, senior product security engineer at Red Hat, an open source software vendor.

Richard Hipp, who launched the SQLite project in 2000 and remains its architect, didn't think the vulnerability posed a serious threat.

"If an SQL injection bug exists on a target system then it might be possible (dependent on other protections in place) to cause SQLite to read a previously freed data structure and potentially cause a crash," he told The Daily Swig. "More likely, it will just cause SQLite to return a goofy answer."

"As a read, rather than write, after free bug, there are no known paths to an RCE," he added. "So really, this problem allows an attacker to escalate an SQL injection vulnerability in the application into a denial of service.

"But in that case, the attacker already has a more trivial denial of service by simply sending in a (well-formed) SQL statement that runs forever. So it isn't clear that this bug gives an attacker any new capabilities."

Even if the impact of the vulnerability is only moderate, few other software components present such an enormous attack surface.

Open source SQLite is likely used more than all other database engines combined, claims the SQLite website, which estimates the number of active SQLite databases at more than one trillion.


The relational database management system is built into all 3.5 billion active smartphones, as well as all Apple Macs and Windows 10 machines; Firefox, Chrome, and Safari web browsers; Skype, iTunes, and Dropbox; and most smart TVs, among many more applications.

Inti De Ceukelaire, head of hackers at bug bounty platform Intigriti, told The Daily Swig that the bug's moderate severity might instil a false sense of security in some vendors.

"The problem with these kinds of medium severity vulnerabilities is that vendors will often not consider fixing it until real-world impact is shown," he explains. "This is a highly contextual vulnerability that would only work in specific situations.

"Therefore, I do not expect that vendors will make breaking changes in order to mitigate this vulnerability, which could potentially lead to chained attacks of unpatched systems in the future."

Found in SQLite's query functionality (), the issue arose because of a problem handling sub-queries with both a correlated clause and a clause where the parent query is itself an aggregate, according to a vulnerability alert published by Ubuntu, the Linux distribution, on February 5.

The problem was apparently introduced by a code change implemented in June 2020.

Todd Cullum of Red Hat expanded on this analysis: The clause , uses an aggregate column from the outer query.

If the term is moved into the clause in this case, SQLite would at one point optimize to simply . Which is logically correct, but happened to cause problems in aggregate processing for the outer query.

The security flaw, which affects the SQLite 3 release line, was first flagged in an SQLite bug tracker on January 19, then patched the following day, January 20, in version 3.34.1.

The issue (CVE-2021-20227) was resolved by adding the check to the statement before the business logic in in file , according to Cullum.

Ubuntu updated its software accordingly on February 11, while the latest versions of Red Hat Enterprise Linux 6, 7, and 8 are unaffected as they run SQLite versions that predate the commit that introduced the bug.

A security bulletin issued by AusCERT (Australia's Computer Emergency Response Team) confirmed that the flaw is exploitable on Ubuntu, Windows, UNIX, Linux, and OSX operating systems.

"Even though there are no known vulnerabilities due to this bug, it does come close to being an opportunity to escalate an SQLi into something more serious, so it is still good to upgrade, if only for defense-in-depth," said Richard Hipp of SQLite.
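Hipp's reasoning above rests on two conditions a defender controls: whether application input can reach SQLite as SQL text at all, and whether a runaway statement can pin the process. The following Python script is an added illustration, not code from the article, SQLite or Red Hat: it checks the linked SQLite against the 3.34.1 fixing release named in the article, places a string-formatted query beside its parameterized form over a constructed in-memory `accounts` table, and bounds query execution with sqlite3's progress handler so a statement "that runs forever" is aborted. The table, rows, thresholds and function names are all constructed for this example.

```python
import sqlite3

# Release that the article says fixed CVE-2021-20227 (SQLite 3.34.1).
FIXED_VERSION = (3, 34, 1)


def sqlite_patched(version_info=None):
    """True if the SQLite library is at or beyond the fixing release.

    Defaults to the library Python's sqlite3 module is linked against;
    pass a (major, minor, patch) tuple to check some other version.
    """
    v = sqlite3.sqlite_version_info if version_info is None else version_info
    return tuple(v[:3]) >= FIXED_VERSION


def make_db():
    """Build a small in-memory table; the rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, owner):
    """Vulnerable pattern: the caller's input is pasted into the SQL text,
    so whoever supplies `owner` decides what statement SQLite parses.
    This is the SQL injection precondition Hipp describes."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """Hardened form: the value travels as a bound parameter and cannot
    change the shape of the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def run_with_budget(conn, sql, params=(), max_checks=1000, every_n_ops=1000):
    """Run a statement under a step budget so a runaway query cannot pin
    the process (the trivial DoS Hipp mentions).

    sqlite3 calls the progress handler every `every_n_ops` virtual-machine
    operations; a truthy return aborts the statement with the message
    "interrupted". Returns (rows, aborted)."""
    checks = 0

    def budget():
        nonlocal checks
        checks += 1
        return checks > max_checks

    conn.set_progress_handler(budget, every_n_ops)
    try:
        return conn.execute(sql, params).fetchall(), False
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            return None, True
        raise
    finally:
        conn.set_progress_handler(None, 0)  # remove the handler again


if __name__ == "__main__":
    db = make_db()
    print("patched:", sqlite_patched(), sqlite3.sqlite_version)
    crafted = "x' OR '1'='1"                      # constructed hostile input
    print("unsafe:", lookup_unsafe(db, crafted))  # every row comes back
    print("safe:  ", lookup_safe(db, crafted))    # no such owner: []
    endless = (
        "WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
        "SELECT count(*) FROM c"
    )
    print("runaway:", run_with_budget(db, endless, max_checks=50))
```

The progress-handler budget is a coarse control; in a real service it belongs alongside a per-request timeout and, as Hipp says, the upgrade itself. The `sqlite_patched` check is useful because the SQLite linked into an interpreter or application is often not the one the operating system package manager reports.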

This article was updated on January 16 with comments from Richard Hipp and Inti De Ceukelaire.


Spectral exits stealth with $6.2M to protect companies from costly coding mistakes – PRNewswire

TEL AVIV, Israel, Feb. 17, 2021 /PRNewswire/ -- Spectral left stealth today, announcing $6.2M in funding for their developer-first code security scanner. The Tel Aviv-based DevSecOps startup, founded by Dotan Nahum, Lior Reuven, Uri Shamay and Idan Didi, uses the first hybrid engine that combines hundreds of detectors with AI in order to find, prioritize and block costly coding mistakes. The seed round was led by Amiti and MizMaa.

When a company's code isn't secure, its data isn't secure. Exposing internal API keys or committing passwords and other sensitive access credentials to repositories and cloud providers can give bad actors unauthorized access to the codebase and developer assets, and from there quickly lead to severe security breaches.

In fact, Spectral's recent data shows that 35% of organizations that have a strong open-source posture had at least one public leak. In addition, close to 50% of the leaks are due to bad security hygiene originating from personal employee accounts and shadow accounts on cloud services like GitHub, Dockerhub, npm, and others.

With increasing demand to produce more, better-quality software in less time, a tiny mistake by an ambitious R&D team can have a disproportionate impact on the business, costing a company millions in fines, lost revenue and reputation. IBM estimates that even small security breaches cost US companies an average of $8.2M.

Dotan Nahum, Spectral's founder and CEO, saw these challenges while CTO at Como, HiredScore and unicorn Fintech company Klarna. As an established open-source contributor for around 20 years, he saw how the industry was shifting more responsibilities onto developers. Spectral's customers and deep research activities also indicated that these issues were being compounded by poor developer tools.

"Scanning tools today take long minutes or even hours to run in a given pipeline," said Nahum. "Developers just don't have that kind of time, or the funds (many CI providers meter by the minute). Some developers are so overwhelmed by slow, irrelevant, and non-intuitive results that they stop using scanners altogether. There's an obvious need for a robust yet simple, fast yet extensive product that's developer-first and won't slow down DevSecOps and CI/CD pipelines."

Spectral is a lightning-fast, developer-first cybersecurity solution that finds and protects against costly security mistakes in code, configuration, and other developer assets. In a matter of seconds per average-sized repository, Spectral can detect mistakes across hundreds of tech stacks including the actual source code, providing real-time prevention as well as flagging these issues via a "single pane of glass" to allow each team to productively triage, fix and monitor these issues, charting their own progress and improvements.

Following the principle of "implement strong security measures, but act like you have none," Spectral protects against the leakage of secrets outside of an organization as well as internally. "We observe that with so many tech stacks, SaaS vendors and integrations, mistakes in private repositories end up appearing in public repos too," said Nahum. "It's these things, the things you don't know that you don't know about, that really keep you up at night. Spectral helps reveal these blindspots through a Public Scan feature through which we have already discovered breaches in over 20 Fortune 500 companies and counting."

The Spectral platform monitors, crawls, and protects organizations by intelligently discovering developer-facing systems like Slack, npm, Maven, log providers, and other sources, which companies tend not to think about in their active threat modeling.

The Spectral scanner is a developer-first solution. It respects security and privacy practices and never sends a company's code, configuration or other assets outside of the company's perimeter, making it more secure, faster and easier for software teams to use internally with integrations to Travis, Jenkins, CircleCI, as well as plugins for popular frameworks and products such as Webpack, Gatsby, Netlify and more.

Spectral includes an ever-growing set of detectors. It can scan any programming language, configuration files and other assets using machine learning-based analysis. Users can also build their own custom detectors using a purpose-built query language called SPEQL.

Founded in mid-2020, Spectral has a team of 15, and already protects millions of lines of code for a significant base of customers, including publicly-listed companies.

"Our solution prevents security breaches on a daily basis," said Spectral's co-founder and COO, Idan Didi. "The pain points we're addressing resonate strongly across every company developing software, because as they evolve from own-code to glue-code to no-code approaches they allow their developers to gain more speed, but they also add on significant amounts of risk. Spectral lets developers be more productive while keeping the company secure."

Media Contact: Lazer Cohen, +1 347-753-8256

SOURCE Spectral

https://spectralops.io/


Had It With LastPass Free? Here Are Some Alternatives – PCMag.com

I first met LastPass in 2008, and it was love at first sight. Nobody had ever offered to manage my passwords in quite such a convenient way. I'm sure I'm not the only one who feels that way. Oh, I haven't been exclusive with LastPass. I went with Dashlane for a good while, and now I rely on Keeper. But I always figured LastPass would be there for me, for free. Lately, though, the relationship has hit a rough patch. First, LastPass locked Emergency Access behind the paywall. Now, I have to choose between using it on mobile devices or on desktops, but not both.

The thing is, syncing between desktop and mobile devices is one of the best things about a password manager. You can do any complicated stuff like setting up password inheritance on the nice big desktop screen, but easily fill passwords on your smartphone with just a touch to authenticate. Take away that ability and you don't really have a full password manager anymore.

Do you feel like it's time to break up with LastPass? Maybe you need some relationship advice? Here are a few password manager alternatives to put a smile back on your face.

Most password managers store your essential data in the cloud. It's super-encrypted so that even the password company can't get at it, but cloud storage just bothers some security-conscious folks. With the free Myki app, your passwords live primarily on your phone, syncing to other devices as needed. And you're necessarily using two-factor authentication, since access requires both your phone and your master password.

You can import passwords from other utilities, including LastPass. And Myki checks all the boxes when it comes to advanced features. You can securely share your passwords with trusted partners, or arrange to pass your data to a digital heir in the event of your death. An actionable password strength report helps you tune those weak and duplicate passwords. It even replaces Google Authenticator for sites that support that form of two-factor authentication.

The cloud is just somebody else's computer. If you don't like the idea of having your passwords floating in the cloud, Myki is the way to go.

If we assigned star ratings based strictly on the number of features, LogMeOnce would get about nine stars. This password suite is absolutely bursting with features. Most of them are available at the free level, with limitations. For example, free users can share five passwords while top-tier paying customers have no limit on sharing. Free users can enable two-factor authentication using email or Google Authenticator, while paying customers have many more choices including authentication by Yubikey.

There are no limits on the number of passwords you can save or the number of devices you can sync. All the expected features such as password capture and replay, form filling, and password strength analysis are available for free. As noted, secure sharing is available, though limited, and you can define a beneficiary to inherit your passwords.

Free LogMeOnce users get support via email, something that will soon be taken away from free LastPass users. Yes, top-tier LogMeOnce customers can use live chat, but email is certainly better than nothing. And stylistically, LogMeOnce is more like LastPass than Myki is.

Security through obscurity never works. If the protection of your passwords depends on some big secret key or algorithm, then a hacker who steals that key or cracks that algorithm owns you. Open-source software is the cure for security through obscurity. Experts can (and do) pore over open-source code to winkle out any defects. If you're on the open-source bandwagon, Bitwarden is the password manager for you.

Bitwarden takes security seriously. Consider this possible master password: 123Abc!123Abc!123Abc! It's 21 characters long and uses all character types, so a simple strength algorithm would rate it mighty strong. But Bitwarden notices the patterns and repetition and therefore marks it as weak. You will have to use Bitwarden's online portal to import your LastPass passwords; that feature isn't internal to the app.
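To show why the length-and-character-classes rule is fooled by 123Abc!123Abc!123Abc!, here is an added Python example (my own illustration, not Bitwarden's strength checker, whose actual rules are not described on the page). It rates the password twice: once with a naive rule and once after collapsing a repeated unit to its effective length. The 16-character threshold and the "strong"/"weak" labels are constructed for the example.

```python
import re

# One regex per character class: lowercase, uppercase, digit, symbol.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def character_classes(password):
    """Count the distinct character classes present in the password."""
    return sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)


def naive_rating(password, min_len=16):
    """The simple rule the article describes: long enough and all four
    classes present means 'strong'. Repetition is invisible to it."""
    if len(password) >= min_len and character_classes(password) == 4:
        return "strong"
    return "weak"


def repeating_unit(password):
    """Shortest substring whose repetition reproduces the whole password,
    or None when the password is not built that way."""
    n = len(password)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return password[:size]
    return None


def effective_length(password):
    """Length after collapsing a repeated unit: the copies add no entropy,
    since an attacker who guesses the unit gets the rest for free."""
    unit = repeating_unit(password)
    return len(unit) if unit else len(password)


def pattern_aware_rating(password, min_len=16):
    """Same rule as naive_rating, but applied to the effective length."""
    if effective_length(password) >= min_len and character_classes(password) == 4:
        return "strong"
    return "weak"


if __name__ == "__main__":
    for pw in ("123Abc!123Abc!123Abc!", "Tr0ub4dor&3 staple K9!"):
        print(f"{pw!r}: naive={naive_rating(pw)}, "
              f"unit={repeating_unit(pw)!r}, "
              f"pattern-aware={pattern_aware_rating(pw)}")
```

Real checkers go further (keyboard walks, dictionary words, dates), but the repetition case alone is enough to separate a character-counting score from one that reasons about how much an attacker actually has to guess.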

You can use Google Authenticator (or a workalike) to enable two-factor authentication in Bitwarden. As with LogMeOnce, paying customers get more two-factor options, including Yubikey.

While Bitwarden doesn't support password inheritance at this time, you can use it to securely share passwords (though the free edition limits you to sharing with one other user). It performs all the expected password management tasks, with flair. If you're an open-source enthusiast, check this one out right away.

Wait, you say, aren't we getting away from LastPass? Certainly, the free edition just isn't as desirable as it once was. But if you're giving any consideration at all to a paid alternative such as Dashlane or Keeper, you should at least give a thought to LastPass Premium.

Yes, you'll have to suck up your resentment at paying for what you used to get for free. It's not a great feeling. But on the other hand, you're totally familiar with how LastPass works. You don't have to worry about the possibility that the export / import process might mess up some passwords that you don't notice until it's too late. It's just that good ol' LastPass that you know, plus additional features like enhanced two-factor choices and managing application passwords.

A LastPass Premium subscription costs $36 per year. Dashlane is a good bit more, at $59 per year. Keeper goes for $34.99 per year. If you're going to pay something, if it's not going to be free, these prices aren't hugely different.

So, those are your choices. Strike up a new password manager relationship and stay free. Stick with the familiar and pay for the LastPass that used to be free. Or do both: choose a new password manager and pay for it.


Colorado makes a bid for quantum computing hardware plant that would bring more than 700 jobs – The Denver Post

The Colorado Economic Development Commission normally doesn't throw its weight behind unproven startups, but it did so on Thursday, approving $2.9 million in state job growth incentive tax credits to try to land a manufacturing plant that will produce hardware for quantum computers.

"Given the broad applications and catalytic benefits that this company's technology could bring, retaining this company would help position Colorado as an industry leader in next-generation and quantum computing," Michelle Hadwiger, the deputy director of the Colorado Office of Economic Development & International Trade, told commissioners.

Project Quantum, the codename for the Denver-based startup, is looking to create up to 726 new full-time jobs in the state. Most of the positions would staff a new facility making components for quantum computers, an emerging technology expected to increase computing power and speed exponentially and transform the global economy as well as society as a whole.

The jobs would carry an average annual wage of $103,329, below the wages other technology employers seeking incentives from the state have provided, but above the average annual wage of any Colorado county. Hadwiger said the company is also considering Illinois, Ohio and New York for the new plant and headquarters.

"Quantum computing is going to be as important to the next 30 years of technology as the internet was to the past 30 years," said the company's CEO, who only provided his first name, Corban.

He added that he loves Colorado and doesn't want to see it surpassed by states like Washington, New York and Illinois in the transformative field.

"If we are smart about it, and that means doing something above and beyond, we can win this race. It will require careful coordination at the state and local levels. We need to do something more and different," he said.

The EDC also approved $2.55 million in job growth incentive tax credits and $295,000 in Location Neutral Employment Incentives for Nextworld, a growing cloud-based enterprise software company based in Greenwood Village. The funds are linked to the creation of 306 additional jobs, including 59 located in more remote parts of the state.

But in a rare case of dissent, Nextworld's CEO Kylee McVaney asked the commission to go against staff recommendations and provide a larger incentive package.

McVaney, daughter of legendary Denver tech entrepreneur Ed McVaney, said the company's lease is about to expire in Greenwood Village and most employees would prefer to continue working remotely. The company could save substantial money by not renewing its lease and relocating its headquarters to Florida, which doesn't have an income tax.

"We could go sign a seven-year lease and stay in Colorado or we can try this new grand experiment and save $11 million," she said.

Hadwiger insisted that the award, which averages out to $9,500 per job created, was in line with the amount offered to other technology firms since the Colorado legislature tightened the amount the office could provide companies.

But McVaney said the historical average award per employee was closer to $18,000 and the median $16,000, and that Colorado was not competitive with Florida given that state's more favorable tax structure.
