How does open source thrive in a cloud world? "Incredible amounts of trust," says a Grafana VC – TechRepublic

Commentary: The shift in the open source industry from infrastructure like Splunk to Elasticsearch comes down to trust, says Gaurav Gupta, a prominent product executive turned investor.


Back in 2013 Mike Olson made a bold claim: "No dominant platform-level software infrastructure has emerged in the last ten years in closed-source, proprietary form." Olson is a smart guy, and he was nearly correct except for one small exception to his rule: Splunk. Splunk thrived in spite of its proprietary nature, and leading that success was Gaurav Gupta, then vice president of product at Splunk, and now a partner with Lightspeed Venture Partners. It was a "different time," he said in an interview, both for the industry and for him.

Ever since then he's been building infrastructure the open source way, whether running product at Elastic or later investing in companies like Grafana as a VC. As successful as Splunk was, however, Gupta believes that the "incredible amounts of trust" that open source fosters, coupled with low friction to experimentation, make it the smart investment for today, whether you're a VC or an enterprise trying to innovate your way through a pandemic.


It's worth dwelling for a moment on Gupta's Splunk experience. Splunk, after all, exploded in adoption at a time when much of the infrastructure world went open source. According to Gupta, Splunk may have slipped into the market just in time. After all, he noted, "Open source didn't exist back then [2004] for the most part." Yes, Linux was around and, yes, things like MySQL and Drupal were taking root, but open source had yet to command the market like it does today.

Splunk was also helped by the fact it catered to a customer (system administrators and similar roles analyzing log data) that was perhaps neither capable nor interested in digging into source code. What this audience did appreciate, by contrast, was an "incredible end-to-end [product] that really focused on great user experience, and traditionally open source hasn't done a great job on user experience [for] less technical audiences." It didn't hurt that "We were the only one in the market for years," Gupta continued.


By Gupta's reckoning, despite years of VCs trying to fund "copycat" competitors to Splunk, no one successfully did so...until Elastic managed the feat by accident. "Elastic wasn't designed to be a logging company at all, it was a search company." Having left Splunk for Elastic, Gupta and team saw that users were starting to use the search tool for logging use cases, and hired the developers behind Logstash and Kibana to help build out Elastic's log management capabilities. Unlike open source companies before it, Elastic determined to "not be super generic" and instead "create an integrated stack" to target specific use cases like search and logging.

All of which helps to explain how Splunk emerged as a hugely successful proprietary software company in an area of software (infrastructure) that increasingly skewed open source. It also explains how Gupta jumped from proprietary software to open source. But in a world where cloud delivers and, perhaps, perfects many of the benefits of open source ("ultimately people want to consume open source as a service," he said), what is it about open source that makes it fertile ground for investments, decades after open source stopped being novel?

Cloud gives enterprises a "get-out-of-the-burden-of-maintaining-open-source free" card, but savvy engineering teams still want open source so as to "not lock themselves in and to not create a bunch of technical debt." How does open source help to alleviate lock-in? Engineering teams can build "a very modular system so that they can swap in and out components as technology improves," something that is "very hard to do with the turnkey cloud service."


That's the technical side of open source, but there's more to it than that, Gupta noted. Referring to how Elastic ate away at Splunk's installed base, Gupta said, "The biggest reason...is there is a deep amount of developer love and appreciation and almost like an addiction to the [open source] product." This developer love is deeper than just liking to use a given technology: "You develop [it] by being able to feel it and understand the open source technology and be part of a community."

Is it impossible to achieve this community love with a proprietary product? No, but "It's a lot easier to build if you're open source." He went on, "When you're a black box cloud service and you have an API, that's great. People like Twilio, but do they love it?" With open source projects like Grafana and Elasticsearch, by contrast, developers really love the project, he said, because it's more than a project, more than a technology: "As a developer, you want to be part of that movement."

One key aspect of such developer movements isn't a matter of open source code, though that helps. No, it's really about trust.

A lot of it comes from the fact that things are very transparent in these open source companies, their Github repositories, their issues, their roadmaps. [The] majority of the code may be written by the company, but they do a pretty good job of explaining why every single decision is being made, how it's been made, how it's architected.

It's about trust. When developers have to make a big decision, they're making a bet. Maybe they're embedding Elasticsearch, or they're banking their entire operations team on Grafana. They think, 'This is something [we're] going to be stuck with for a while. I'm actually putting my neck on the line to do this.' And so, good open source companies build incredible amounts of trust.

Such trust is paying dividends for open source companies now, with so many companies struggling to do more with less, and so many developers who are "busy, but they also have time on their hands. They're exploring," suggested Gupta, and open source is the lowest-cost software with the least amount of friction to start experimenting...and falling in love with their software.

Disclosure: I work for AWS, but the views herein are mine and don't necessarily reflect those of my employer.


Who is hiring hundreds of new employees and can Israel lead the open-source code revolution? – CTech

Israeli fintech powerhouse Payoneer is recruiting 300 new employees globally. Payoneer has benefited from the Covid-19 pandemic due to the increased demand for online money transfer and digital payment services.

Private micro-mobility companies might finally give cities the innovation they need. CTech spoke with the CEO of Bird Israel on how private companies can help public sectors, to the benefit of millions.

Never trust hyperlinks, says the founder of anti-phishing company Segasec. Elad Schulman, co-founder and former CEO of cybersecurity company Segasec, recently acquired by Nasdaq-listed Mimecast, says visually inspecting a URL no longer cuts it, as attackers become more sophisticated by the day.

Israeli chipmaker Hailo launches a Japanese subsidiary. The launch follows the news of a recent $60 million series B funding round.

Israeli government approves coronavirus czar's traffic light model. According to the approved plan, Israeli towns and regions will be divided into four colored categories, according to the current severity of the outbreak in their territory.

Welltech1 announces $400,000 investment in the winner of a global wellness startup competition. PopBase is a storybook game that helps kids make healthy life choices; "Our portfolio reflects the diversity in the field," says Welltech1 co-founder Galit Horovitz.

Israel Innovation Authority CEO Aharon Aharon resigns. Aharon, who has led the government's tech investment arm since 2017, said he felt the job had run its course.

Opinion | Can Israel lead the open-source code revolution? The Israeli tech scene is based on partnerships, innovation and independent thinking, all of which are vital in open-source code.


Announcing the General Availability of Bottlerocket, an open source Linux distribution built to run containers – idk.dev

As our customers increasingly adopt containers to run their workloads, we saw a need for a Linux distribution designed from the ground up to run containers with a focus on security, operations, and manageability at scale. Customers needed an operating system that would give them the ability to manage thousands of hosts running containers with automation.

Meet Bottlerocket, a new open source Linux distribution that is built to run containers. Bottlerocket is designed to improve security and operations of your containerized infrastructure. Its built-in security hardening helps simplify security compliance, and its transactional update mechanism enables the use of container orchestrators to automate operating system (OS) updates and decrease operational costs.

Bottlerocket is developed as an open source project on GitHub with a public roadmap. We're looking forward to building a community around Bottlerocket on GitHub and welcome your feature requests, bug reports, or contributions.

We began designing and building Bottlerocket based on the things we've learned from how customers use Amazon Linux to run containers and from running services such as AWS Fargate. At every step of the design process, we optimized Bottlerocket for security, speed, and ease of maintenance.

Bottlerocket improves security by including only the software needed to run containers, which reduces the attack surface. It uses Security-Enhanced Linux (SELinux) in enforcing mode to increase the isolation between containers and the host operating system, in addition to standard Linux kernel technologies that implement isolation between containerized workloads, such as control groups (cgroups), namespaces, and seccomp.

Also, Bottlerocket uses Device-mapper's verity target (dm-verity), a Linux kernel feature that provides integrity checking to help prevent attackers from persisting threats on the OS, such as overwriting core system software. The modern Linux kernel in Bottlerocket includes eBPF, which reduces the need for kernel modules for many low-level system operations. Large parts of Bottlerocket are written in Rust, a modern programming language that helps ensure thread safety and prevent memory-related errors, such as buffer overflows, that can lead to security vulnerabilities.

Bottlerocket also enforces an operating model that further improves security by discouraging administrative connections to production servers. It is suited for large distributed environments in which control over any individual host is limited. For debugging, you can run an admin container using Bottlerocket's API (invoked via user data or AWS Systems Manager) and then log in with SSH for advanced debugging and troubleshooting. The admin container is an Amazon Linux 2 container image that contains utilities for troubleshooting and debugging Bottlerocket and runs with elevated privileges. It allows you to install and use standard debugging tools, such as traceroute, strace, and tcpdump. Logging into an individual Bottlerocket instance is intended to be an infrequent operation for advanced debugging and troubleshooting.

Bottlerocket improves operations and manageability at scale by making it easier to manage nodes and automate updates to nodes in your cluster. Unlike general-purpose Linux distributions designed to support applications packaged in a variety of formats, Bottlerocket is purpose-built to run containers. Updates to other general-purpose Linux distributions are applied on a package-by-package basis and the complex dependencies among their packages can result in errors, making the process challenging to automate.

Furthermore, general-purpose operating systems come with the flexibility to configure each instance uniquely for its workload, which makes management performed with traditional Linux tools more complex. By contrast, updates to Bottlerocket can be applied and rolled back atomically, which makes them easy to automate, reducing management overhead and operational costs.

Bottlerocket integrates with container orchestrators to enable the automated patching of hosts to improve operational costs, manageability, and uptime. It is designed to work with any orchestrator, and AWS-provided builds work with Amazon EKS (in General Availability), and Amazon ECS (in preview).

We have launched Bottlerocket as an open source project to enable our customers to make customizations to the operating system (e.g., integration with custom orchestrators/kernels/container runtimes) used to run their infrastructure, submit them for upstream inclusion, and produce custom builds. All design documents, code, build tools, tests, and documentation will be hosted on GitHub. We will use GitHub's bug and feature tracking systems for project management. You can view and contribute to Bottlerocket source code using standard GitHub workflows. The availability of build, release, and test infrastructure makes it easy for contributors to produce custom builds that include their changes. ISV partners can quickly validate their software before their customers update to the latest versions of Bottlerocket.

We want to grow a vibrant community of users and contributors who adopt and support Bottlerocket as an open source project. We believe that an open source approach enables us to drive innovation based on our experience with working with other open source projects in the container space such as containerd, Linux kernel, Kubernetes, and Firecracker.

Bottlerocket includes standard open source components, such as the Linux kernel, containerd container runtime, etc. Bottlerocket-specific additions focus on reliable updates and an API-based mechanism to make configuration changes and trigger updates/roll-backs. Bottlerocket code is licensed under either the Apache 2.0 license or the MIT license at your option. Underlying third-party code, like the Linux kernel, remains subject to its original license. If you modify Bottlerocket, you may use Bottlerocket Remix to refer to your builds in accordance with the policy guidelines.

Although you can run Bottlerocket as a standalone OS without an orchestrator for development and test use cases (using utilities in the admin container to administer and update Bottlerocket), we recommend using it with a container orchestrator to take advantage of all its benefits.

An easy way to get started is by using AWS-provided Bottlerocket AMIs with either Amazon EKS or Amazon ECS (in preview). You can find the IDs for these AMIs by querying SSM with the AWS CLI as follows.

To find the latest AMI ID for the Bottlerocket aws-k8s-1.17 variant, run:

aws ssm get-parameter --region us-west-2 --name "/aws/service/bottlerocket/aws-k8s-1.17/x86_64/latest/image_id" --query Parameter.Value --output text

To find the latest AMI ID for the Bottlerocket aws-ecs-1 variant, run:

aws ssm get-parameter --region us-west-2 --name "/aws/service/bottlerocket/aws-ecs-1/x86_64/latest/image_id" --query Parameter.Value --output text

In both of the above example commands, you can change the region if you operate in another region, or change the architecture from x86_64 to arm64 if you use Graviton-powered instances.

Once you have this AMI ID, you can launch an EC2 instance and connect it to your existing EKS or ECS cluster. To connect to an EKS cluster with the Kubernetes variant of Bottlerocket, you'll need to provide user data, such as the following, when you launch the EC2 instance:

[settings.kubernetes]
api-server = "Your EKS API server endpoint here"
cluster-certificate = "Your base64-encoded cluster certificate here"
cluster-name = "Your cluster name here"

To connect to an ECS cluster with the ECS variant of Bottlerocket, you can provide user data like this:

[settings.ecs]
cluster = "Your cluster name here"

For further instructions on getting started, see the guide for EKS and the guide for ECS.
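The lookup and user data steps above, gathered into a small helper that is added here and is not part of Bottlerocket or of the original post. It builds the SSM parameter path and the `aws ssm get-parameter` argv for a variant and architecture, and renders the two user data fragments while rejecting the slips most likely to leave a node unable to join: an unknown architecture name, a non-https endpoint, and the raw PEM certificate pasted where its base64 form belongs. All cluster values are constructed placeholders.

```python
"""Helpers for the Bottlerocket bring-up steps: SSM parameter path, AMI lookup argv,
and user data rendering with the sanity checks a node needs to join a cluster.
Added example; not part of Bottlerocket or of the original post."""
import base64
import binascii
import re
from typing import List

# The two CPU architectures the post names for the AWS-provided AMIs.
SUPPORTED_ARCHES = ("x86_64", "arm64")


def ssm_parameter_name(variant: str, arch: str = "x86_64") -> str:
    """Return the SSM path for the latest AMI ID of a Bottlerocket variant.

    Follows the pattern shown in the post, e.g.
    /aws/service/bottlerocket/aws-k8s-1.17/x86_64/latest/image_id
    """
    if arch not in SUPPORTED_ARCHES:
        raise ValueError(f"unsupported architecture {arch!r}; expected one of {SUPPORTED_ARCHES}")
    # Variant names on the page look like aws-k8s-1.17 or aws-ecs-1.
    if not re.fullmatch(r"aws-(k8s-\d+\.\d+|ecs-\d+)", variant):
        raise ValueError(f"unexpected variant name {variant!r}")
    return f"/aws/service/bottlerocket/{variant}/{arch}/latest/image_id"


def ami_lookup_argv(variant: str, arch: str = "x86_64", region: str = "us-west-2") -> List[str]:
    """argv for the `aws ssm get-parameter` invocation from the post, ready for subprocess.run."""
    return [
        "aws", "ssm", "get-parameter",
        "--region", region,
        "--name", ssm_parameter_name(variant, arch),
        "--query", "Parameter.Value",
        "--output", "text",
    ]


def _toml_basic_string(value: str) -> str:
    """Quote a value as a single-line TOML basic string."""
    if "\n" in value or "\r" in value:
        raise ValueError("user data values must be single-line")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _check_cluster_certificate(cert_b64: str) -> None:
    """The post calls for the base64-encoded cluster certificate (what EKS reports as
    certificateAuthority.data). Reject the two common slips: a value that is not
    base64 at all, and the raw PEM text pasted in place of its base64 form."""
    try:
        decoded = base64.b64decode(cert_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("cluster-certificate is not valid base64") from exc
    if not decoded.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("cluster-certificate does not decode to a PEM certificate")


def eks_user_data(api_server: str, cluster_certificate: str, cluster_name: str) -> str:
    """Render the [settings.kubernetes] user data block for the aws-k8s variant."""
    if not api_server.startswith("https://"):
        raise ValueError("api-server must be the https:// EKS API endpoint")
    if not cluster_name:
        raise ValueError("cluster-name must not be empty")
    _check_cluster_certificate(cluster_certificate)
    return "\n".join([
        "[settings.kubernetes]",
        f"api-server = {_toml_basic_string(api_server)}",
        f"cluster-certificate = {_toml_basic_string(cluster_certificate)}",
        f"cluster-name = {_toml_basic_string(cluster_name)}",
        "",
    ])


def ecs_user_data(cluster_name: str) -> str:
    """Render the [settings.ecs] user data block for the aws-ecs variant."""
    if not cluster_name:
        raise ValueError("cluster must not be empty")
    return "\n".join(["[settings.ecs]", f"cluster = {_toml_basic_string(cluster_name)}", ""])


# Constructed sample values (not a real cluster): a stand-in PEM body, base64-encoded
# the way EKS returns the cluster CA, and a made-up endpoint in the EKS hostname shape.
SAMPLE_CLUSTER_CERT_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBsampleNotARealCertificate\n-----END CERTIFICATE-----\n"
).decode("ascii")
SAMPLE_API_SERVER = "https://EXAMPLE0123456789.gr7.us-west-2.eks.amazonaws.com"

if __name__ == "__main__":
    print(" ".join(ami_lookup_argv("aws-k8s-1.17", "arm64")))
    print(eks_user_data(SAMPLE_API_SERVER, SAMPLE_CLUSTER_CERT_B64, "example-cluster"))
    print(ecs_user_data("example-ecs-cluster"))
```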

In addition to using AWS-provided Bottlerocket AMIs, you can produce custom builds of Bottlerocket with your own changes. To do so, you can fork the GitHub repository, make your changes, and follow our building guide. As a prerequisite step, you must first set up your build environment. The build system is based on the Rust language. We recommend you install the latest stable Rust using rustup. To organize build tasks, we use cargo-make and cargo-deny during the build process. To get these, run:

cargo install cargo-make
cargo install cargo-deny --version 0.6.2

Bottlerocket uses Docker to orchestrate package and image builds. We recommend Docker 19.03 or later. You'll need to have Docker installed and running with your user account able to access the Docker API. This is commonly enabled by adding your user account to the docker group.

After making your source code changes, build an image by running:

cargo make

All packages will be built in turn, and then compiled into an img file in the build/ directory.

Next, to register the Bottlerocket AMI for use on Amazon EC2, you need to set up the aws-cli and run:

cargo make ami

We invite you to join us in further enhancing Bottlerocket. See the Bottlerocket issues list and the Bottlerocket roadmap. We welcome contributions. Going over existing issues is a great way to get started contributing. See our contributors' guide for details.

We hope you use Bottlerocket to run your containers and we look forward to your feedback!


Vint Cerf: Why everyone has a role in internet safety – ComputerWeekly.com

When Computer Weekly spoke to Vint Cerf, father of the internet, in 2013 at the 40th anniversary of TCP/IP, the protocol he co-wrote with Robert Kahn, he spoke about the challenges facing users arising from the globalisation of the internet.

Today is the age of sharing and, as Cerf points out, sharing tools are now very common. But his concern is that social media amplifies everything, both good and bad. He says: "Now we have to tame cyber space."

The internet has become a global collaboration platform, and it was designed that way, says Cerf. "The whole story is all about sharing. Look at Tim Berners-Lee and the world wide web."

Cerf says the origins of the internet lie in Arpanet in 1969, motivated by a desire by the US Defense Advanced Research Project Agency to stimulate collaboration between artificial intelligence and computer science researchers across universities. Sharing information broadly and collaboration motivated the development of the internet and, by the 1980s, Cerf recalls, 3,000 universities were connected. The US Department of Energy and Nasa wanted connectivity and sponsored the research, he adds.

But although it has been rooted in collaboration, the founding principles of the internet are now under threat. There are ongoing trade disputes between countries, such as the spat between China and the US, which, if taken to an extreme, could result in one state closing off internet access. Cerf says: "People are surprised that the internet can be turned off, but if you shut down the underlying transport mechanisms, the net simply does not work."

The internet may have been born as a platform for global collaboration, but Cerf is worried that it risks being fragmented. Some states, such as Russia and China, are monitoring their internet borders with country firewalls; others, including India, have thrown a switch to turn off the internet, which happened at the end of last year in the Kashmir region, when the state intervened in a bid to curb public unrest.

In 2019, Cerf spoke about the "pacification of cyber space" when he gave a talk at Oxford University. He argues that fraud, malware and misinformation are now far too commonplace on the internet. "Immeasurable harm is happening," he warns. "Many people don't feel very safe right now. People may not want to use the net at all for fear of harm, and the net will simply collapse."

As with the major pieces of infrastructure that evolved during the 19th and 20th centuries, Cerf believes that the internet now needs a legislative framework. He says: "When roads were improved to carry cars, there were very few rules, but eventually it became apparent that people need rules."

He says this tends to happen when policy-makers start to appreciate that people's behaviour requires management, which leads to legislation. "At some point, there will have to be consequences for bad behaviour on the net," he says.

But to succeed, Cerf argues, such legislation will require cooperation across international boundaries in order to track down people who are exhibiting harmful behaviour, and this is not going to be easy.

"It will lead to extremes," he says. "If you look at the Chinese mechanisms for limiting bad behaviours, they are way off in a direction most US and UK citizens would not want to go. Total anarchy is not very attractive, either. There must be some place in between where behaviour is adequately regulated, so we can feel we are safe."

Today, with the internet of things (IoT), Cerf says: "You have many billions of devices interacting with other devices. We are doing billions of experiments with pieces of software that have never seen each other before."

For Cerf, the only reason these things actually work is thanks to internet standards, which are another form of collaboration. "Standards really help," he says. "They allow interoperability, even if you haven't tested a particular combination."

The architecture of the internet is open, he says, which means that if people don't like how it works, it can be changed. The protocols are also open, so people can see how they work.

"Open" encompasses open protocols, open data and open source, and when asked about the significance of open source, Cerf admits he has mixed views. "Open source implementations are open," he says. "I like that you can see code, and ingest the code. But I worry that people grab open source code and think there are no bugs. Your eyes should be wide open when you use open source. We find bugs that are 20 to 25 years old. People assume they have all been erased already."

Such bugs lead to security flaws such as Heartbleed, the 2014 bug in the OpenSSL library that wreaked havoc across the internet.

Looking at how to make the internet safe, Cerf says: "Transparency is our friend; it creates common sense. Safety is a shared responsibility. People have to recognise they are part of the solution to the problem."

For instance, he says, no one should ever click on an attachment that claims to have come from a friend. Instead, they should email the attachment to the friend directly, asking whether it is legitimate.

For Cerf, the HTTPS protocol is a very important mechanism for securing communications. He is also a fan of two-factor authentication for securing online banking and is happy to use an authentication device, even if it is not convenient, because it adds a layer of security against fraudsters. But he adds: "I have 300 online accounts and so I need the equivalent of one two-factor authentication device to handle all accounts."

Cerf doesn't trust the use of a mobile phone as the second factor of authentication. He says: "Mobiles are hackable. The SIM chip can be conned. I have seen server hijacking [attacks] use that technique."

Security of the internet and web is built on layers, but, as Cerf points out, achieving this is hard because it requires third-party trust. He says that third-party trust is "a really tough problem to solve", because there are many certificate authorities, some of which have been compromised.

Cerf is also extremely concerned about IoT security. "They are cheap devices and the manufacturers don't spend a lot of time on security," he says. To improve IoT security, Cerf says he would like to see public/private key authentication implemented in IoT connectivity.

Today, internet connectivity involves transmitting photons in optical cables at the speed of light between one point on the planet and another. Looking towards the future of internet technology, one of the most compelling areas of research to emerge is the use of quantum mechanics in data communications.

"The classic use is in quantum key distribution," says Cerf. "The hottest topic is the quantum relay. The idea is to build a network that allows you to transmit photons that are entangled, so that two different quantum machines that are separate from each other can become entangled, so that the computation can happen concurrently."

Cerf says the benefit of a quantum relay is that it gets around the difficulties of building bigger quantum machines reliably, which use more qubits. A quantum relay effectively enables quantum computers to scale horizontally, as Cerf explains: "If you can build one quantum machine with enough qubits to do something, what would happen if you then have replicas and pass the quantum state to the other machines, so that you can run them in parallel?"

"This is the goal of a quantum relay," he says.


Closing the (back) door on supply chain attacks – SDTimes.com

Security has become ever more important in the development process, as vulnerabilities last year caused the 2nd, 3rd and 7th biggest breaches of all time measured by the number of people that were affected.

This has exposed the industry's need for more effective use of security tooling within software development, as well as the need to employ effective security practices sooner.

Another factor contributing to this growing need is the prominence of new attacks such as next-generation software supply-chain attacks that involve the intentional targeting and compromising of upstream open-source projects so that attackers can then exploit vulnerabilities when they inevitably flow downstream.


The past year saw a 430% increase in next-generation cyber attacks aimed at actively infiltrating open-source software supply chains, according to the 2020 State of the Software Supply Chain report.

"Attackers are always looking for the path of least resistance. So I think they found a weakness and an amplifying effect in going after open-source projects and open-source developers," said Brian Fox, the chief technology officer at Sonatype. "If you can somehow find your way into compromising or tricking people into using a hacked version of a very popular project, you've just amplified your base right off the bat. It's not yet well understood, especially in the security domain, that this is the new challenge."

These next-gen attacks are possible for three main reasons. One is that open-source projects rely on contributions from thousands of volunteer developers, making it difficult to discriminate between community members with good or bad intentions. Secondly, the projects incorporate up to thousands of dependencies that may contain known vulnerabilities. Lastly, the ethos of open source is built on shared trust, which can create a fertile environment for preying on other users, according to the report.

However, proper tooling, such as the use of software composition analysis (SCA) solutions, can ameliorate some of these issues. SCA is the process of automating the visibility into open-source software (OSS) for the purpose of risk management, security and license compliance.

DevOps and Linux-based containers, among other factors, have resulted in a significant increase in the use of OSS by developers, according to Dale Gardner, a senior director and analyst on Gartner's Digital Workplace Security team. Over 90% of respondents to a July 2019 Gartner survey indicate that they use open-source software.

"Originally, a lot of these [security] tools were focused more on the legal side of open source and less on vulnerabilities, but now security is getting more attention," Gardner said.

The use of automated SCA

In fact, the State of the Software Supply Chain report found that high-performing development teams are 59% more likely to use automated SCA and are almost five times more likely to successfully update dependencies and to fix vulnerabilities without breakage. The teams are more than 26 times faster at detecting and remediating open-source vulnerabilities, and deploy changes to code 15 times more frequently than their peers.

"The high-performer cluster shows high productivity and superior risk management outcomes can be achieved simultaneously, dispelling the notion that effective risk management practices come at the expense of developer productivity," the report continued.

The main differentiator between the top and bottom performers was that the high performers had a governance structure that relied much more heavily on automated tooling. The top teams were 96% more likely to be able to centrally scan all deployed artifacts for security and license compliance.

"Ideally, a tool should also report on whether compromised or vulnerable sections of code once incorporated into an application are executed or exploitable in practice," Gardner wrote in his report titled "Technology Insight for Software Composition Analysis." He added, "This would require coordination with a static application security testing (SAST) or an interactive application security testing (IAST) tool able to provide visibility into control and data flow within the application."

Gardner added that the most common approach now is to integrate a lot of these security tools into IDEs and CLIs.

"If you're asking developers, 'I need you to go look at this tool that understands software composition,' or whatever the case may be, that tends not to happen," Gardner said. "Integrating into the IDE eliminates some of the friction with other security tools and it also comes down to economics. If I can spot the problem right at the time the developer introduces something into the code, then it will be a lot cheaper and faster to fix it than if it were down the line. That's just the way a lot of developers work."

Beyond compliance

Using SCA for looking at licenses and understanding vulnerabilities in particular packages is already a prominent use case of SCA solutions, but that's not all that they're capable of, according to Gardner.

"The areas I expect to grow will have to do with understanding the provenance of a particular package: where did it come from, who's involved with building it, and how often it's maintained. That's the part I see growing most and even that is still relatively nascent," Gardner said.

The comprehensive view that certain SCA solutions provide is not available in many tools that only rely on scanning public repos.

Relying on public repos to find vulnerabilities as many security tools still do is no longer enough, according to Sonatypes Fox. Sometimes issues are not filed in the National Vulnerability Database (NVD) and even where these things get reported, theres often a two-week or more delay before it becomes public information.

So you end up with these cases where vulnerabilities are widely known because someone blogged about it, and yet if you go to the NVD, its not published yet, so theres this massive lag, Fox said.

Instead, effective security requires going a step further and inspecting the built application itself to fingerprint what's actually inside it. This can be done through advanced binary fingerprinting, according to Fox.

The technology tries to deterministically work backwards from the final product to figure out whats actually inside it.

"It's as if I hand you a recipe and if you look at it, you could judge a pie or a cake as being safe to eat because the recipe does not say 'insert poison,' right? That's what those tools are doing. They're saying, well, it says here sugar, it doesn't say tainted sugar, and there's no poison in it. So your cake is safe to eat," Fox said. "Versus what we're doing here is we're actually inspecting the contents of the baked cake and going, wait a minute. There's chromatography that shows that there's actually poison in here, even though the recipe didn't call for it, and that's kind of the fundamental difference."
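The difference Fox draws between reading the recipe and testing the baked cake can be shown with a short script. This is an added example, not code from the article or from Sonatype: it builds a constructed zip artifact in memory, uses a constructed fingerprint database (file hash to component, version and a placeholder advisory id), and reconciles what the manifest declares against what the file contents actually match.

```python
"""Manifest-versus-contents inspection of a built artifact (added example)."""
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for two builds of the same library plus a stray helper.
SUGARLIB_120 = b"# sugarlib 1.2.0\ndef sweeten(x):\n    return x + 1\n"
SUGARLIB_110 = b"# sugarlib 1.1.0\ndef sweeten(x):\n    return x\n"
STRAYHELPER = b"# strayhelper 0.9.0\n"

# Constructed fingerprint database: sha256 of file bytes -> (component, version, advisory).
# A real SCA product ships a large database of such fingerprints; the advisory id is a placeholder.
KNOWN_COMPONENTS = {
    sha256_hex(SUGARLIB_120): ("sugarlib", "1.2.0", None),
    sha256_hex(SUGARLIB_110): ("sugarlib", "1.1.0", "EXAMPLE-ADVISORY-0001 (placeholder)"),
    sha256_hex(STRAYHELPER): ("strayhelper", "0.9.0", None),
}
# Constructed advisory index keyed by declared (name, version): the "recipe" view.
VULNERABLE_VERSIONS = {("sugarlib", "1.1.0"): "EXAMPLE-ADVISORY-0001 (placeholder)"}


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}; '#' lines are comments."""
    declared = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, version = line.partition("==")
            declared[name.strip()] = version.strip()
    return declared


def recipe_check(manifest_text: str, vulnerable=VULNERABLE_VERSIONS) -> list:
    """The 'read the recipe' approach: trust the manifest and look up declared versions."""
    declared = parse_manifest(manifest_text)
    return [(n, vulnerable[(n, v)]) for n, v in declared.items() if (n, v) in vulnerable]


def build_artifact(manifest_text: str, files: dict) -> bytes:
    """Create an in-memory zip that plays the role of the built application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MANIFEST.txt", manifest_text)
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def inspect_artifact(artifact: bytes, known=KNOWN_COMPONENTS) -> list:
    """The 'inspect the baked cake' approach: hash every file, match the hashes against
    the fingerprint database, then reconcile the result with what the manifest claims."""
    with zipfile.ZipFile(io.BytesIO(artifact)) as zf:
        declared = parse_manifest(zf.read("MANIFEST.txt").decode())
        observed = {}
        for info in zf.infolist():
            if info.is_dir() or info.filename == "MANIFEST.txt":
                continue
            observed[info.filename] = known.get(sha256_hex(zf.read(info.filename)))
    findings, seen = [], set()
    for path, match in observed.items():
        if match is None:
            findings.append(("unknown-file", path, None))  # first-party or unfingerprinted code
            continue
        name, version, advisory = match
        seen.add(name)
        if name not in declared:
            findings.append(("undeclared-component", name, version))
        elif declared[name] != version:
            findings.append(("version-mismatch", name, f"manifest={declared[name]} actual={version}"))
        if advisory:
            findings.append(("known-vulnerable", name, advisory))
    for name, version in declared.items():
        if name not in seen:
            findings.append(("declared-but-absent", name, version))
    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed sample: the manifest says 1.2.0, but the build actually bundled 1.1.0
# and an extra library nobody declared.
SAMPLE_MANIFEST = "# build recipe\nsugarlib==1.2.0\n"
SAMPLE_ARTIFACT = build_artifact(
    SAMPLE_MANIFEST,
    {"lib/sugarlib.py": SUGARLIB_110, "lib/strayhelper.py": STRAYHELPER, "app/main.py": b"print('hello')\n"},
)

if __name__ == "__main__":
    print("recipe check:", recipe_check(SAMPLE_MANIFEST))   # [] -> the recipe looks safe
    for finding in inspect_artifact(SAMPLE_ARTIFACT):       # the contents tell a different story
        print("contents check:", finding)
```

The recipe check passes because the manifest names a clean version; the contents check finds the older vulnerable build, the undeclared helper, and a file with no fingerprint at all. The last category is the practical caveat: a hash-only match knows nothing about first-party code, so unknown files still need review rather than being treated as clean.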

There has also been a major shift from how application security has traditionally been positioned.

Targeting development

In many of the attacks happening now, the developers and the development infrastructure are the target. And while organizations are so focused on making sure that the final product itself is safe before it goes to customers and to the server, in the new world this is irrelevant, according to Fox. The developers might have been the ones who were compromised this whole time, while things were being siphoned out of the development infrastructure.

"We've seen attacks that were stealing SSH keys, certificates, or AWS credentials and turning build farms into cryptominers, all of which has nothing to do with the final product," Fox said. "In the DevOps world, people talk a lot about Deming and how he helped Japan make better, more efficient cars for less money by focusing on key principles around supply chains. Well, guess what. Deming wasn't trying to protect against a sabotage attack on the factory itself. Those processes are designed to make better cars, not to make the factory more secure. And that's kind of the situation we find ourselves in with these upstream attacks."

Now, effective security tooling can capture and automate those requirements to help developers make decisions up front, providing them information and context as they're picking a dependency rather than after, Fox added.

Also, when the tooling recognizes that a component has a newly disclosed vulnerability, it can recognize that it's not necessarily appropriate to stop the whole team and break all the builds, because not everyone is tasked with fixing every single vulnerability. Instead, it's going to notify one or two senior developers about the issue.

"It's a combination of trying to understand what it takes to help the developers do this stuff faster, but also be able to do it with the enterprise top-down view and capturing that policy, not to be Big Brother-y, but to capture the policy so that when you're the developer, you get that instant information about what's going on," Fox said.
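The policy-driven behaviour described in the last few paragraphs, checking provenance and licence at the moment a dependency is picked (the provenance questions Gardner lists above) and routing a newly disclosed vulnerability to one or two owners instead of breaking every build, as an added example. It is not code from the article, from Sonatype or from any product: the policy values, the ownership map, the `Component` fields, the severity thresholds and the advisory ids are all constructed assumptions.

```python
"""Dependency policy at selection time and advisory routing afterwards (added example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Component:
    name: str
    version: str
    license: str
    source_repo: str        # provenance: where did it come from
    maintainers: int        # provenance: who is involved in building it
    last_release: date      # provenance: how often is it maintained
    advisories: list = field(default_factory=list)  # [(advisory_id, severity), ...]


# Constructed policy: the enterprise's top-down view captured as data.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "trusted_hosts": ("https://github.com/", "https://gitlab.com/"),
    "max_days_since_release": 730,
    "min_maintainers": 2,
    "block_severities": {"critical"},   # only these stop a build; everything else is routed
}

# Constructed ownership map: who is notified for a component; "*" is the fallback.
OWNERS = {
    "sugarlib": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "*": ["appsec-oncall@example.com"],
}


def evaluate_new_dependency(c: Component, policy=POLICY, today=date(2020, 9, 1)):
    """Decide 'allow', 'warn' or 'block' for a dependency a developer is about to pick.
    Hard reasons block outright; soft reasons are surfaced as context and let the pick proceed."""
    hard, soft = [], []
    if c.license not in policy["allowed_licenses"]:
        hard.append(f"license {c.license} is not on the allow-list")
    for adv_id, severity in c.advisories:
        bucket = hard if severity in policy["block_severities"] else soft
        bucket.append(f"open advisory {adv_id} ({severity})")
    if not c.source_repo.startswith(policy["trusted_hosts"]):
        soft.append(f"source {c.source_repo} is not on a trusted host")
    age_days = (today - c.last_release).days
    if age_days > policy["max_days_since_release"]:
        soft.append(f"last release was {age_days} days ago")
    if c.maintainers < policy["min_maintainers"]:
        soft.append(f"only {c.maintainers} maintainer(s)")
    if hard:
        return "block", hard + soft
    if soft:
        return "warn", soft
    return "allow", []


def route_new_advisory(component: str, adv_id: str, severity: str, owners=OWNERS, policy=POLICY):
    """A vulnerability was just disclosed in a component already in use: notify one or two
    owners rather than failing every team's build, unless policy says this severity blocks."""
    recipients = owners.get(component, owners["*"])[:2]
    return {
        "component": component,
        "advisory": adv_id,
        "recipients": recipients,
        "break_build": severity in policy["block_severities"],
    }


# Constructed candidates a developer might be choosing between.
CANDIDATE_OK = Component("sugarlib", "1.2.0", "MIT",
                         "https://github.com/example/sugarlib", 4, date(2020, 6, 1))
CANDIDATE_RISKY = Component("strayhelper", "0.9.0", "MIT",
                            "https://mirror.invalid/strayhelper", 1, date(2017, 1, 1),
                            advisories=[("EXAMPLE-ADV-0002 (placeholder)", "high")])

if __name__ == "__main__":
    for cand in (CANDIDATE_OK, CANDIDATE_RISKY):
        decision, reasons = evaluate_new_dependency(cand)
        print(cand.name, decision, reasons)
    print(route_new_advisory("sugarlib", "EXAMPLE-ADV-0003 (placeholder)", "medium"))
```

The two functions correspond to the two moments Fox separates: `evaluate_new_dependency` runs while the developer is still choosing, so the feedback is immediate and cheap to act on; `route_new_advisory` runs when a disclosure lands later and deliberately limits the blast radius to the component's owners. Which severities are allowed to break a build is a policy decision, which is why it lives in the data rather than in the code.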

Read the original post:

Closing the (back) door on supply chain attacks - SDTimes.com

Top 10 Data Center Stories of the Month: August 2020 – Data Center Knowledge

Hackers Can Turn Off Your Dell Servers Remotely Using the Newly Found iDRAC Vulnerability - Researchers who found the path traversal vulnerability also found hundreds of exposed servers via the internet.

Nutanix's Hyperconverged Infrastructure Comes to AWS - The world's second most popular HCI software is now available as a service running in AWS data centers.

New RISC-V CTO On Open Source Chip Architecture's Global Data Center Momentum - With more big international players on board, the foundation's new head of technology sees signs of "state of the art moving forward."

Renewed Interest in OpenStack Bare Metal Project Ironic, as Software Moves Closer to Hardware - "As long as we have access to x86 or Arm, we can run Linux, and Linux can run anything."

Is Kubernetes Changing Data Centers in Perceptible Ways? - Containerization has promised to carry the torch further after virtualization catalyzed a re-imagining of the data center. Has it delivered?

Equinix Enters India with a $161M Mumbai Data Center Acquisition - Acquires local provider GPX's network-dense two-data-center campus.

GitHub delivering open source code for safekeeping at its Arctic Code Vault on a Norwegian island in the Arctic Ocean.

GitHub's Arctic Vault Makes Sure Open Source Code Survives the Apocalypse - In early July, GitHub deposited 186 kilometers of photographic film, containing 21TB of digitized snapshots of all the public-facing code in its repository, in its underground Arctic Code Vault, located on a Norwegian island in the Arctic Ocean.

Will Growth at the Edge Shrink the Core? - When a human population spreads out, it tends to spread thinner. Will computing capacity follow the same pattern?

IBM Watson AI to Help CBRE Manage Client Data Centers - AI, augmented reality, and analytics technology will provide remote management and predictive maintenance support globally.

A Volkswagen plant in Zwickau, Germany

Industry-Tailored Clouds Give Platforms More Marketplaces They Can Run - Their internet marketplaces under regulatory scrutiny, Google, Amazon, and others are building more ecosystems but of a different kind.

See original here:

Top 10 Data Center Stories of the Month: August 2020 - Data Center Knowledge

Open source Mario Kart clone SuperTuxKart 1.2 is FREE on Windows, Mac, and Linux – BetaNews

Some people think you need expensive hardware to have fun playing video games, but the truth is, you don't. Believe it or not, there are plenty of free games that can run well on a fairly meager PC. No, I am not just talking about emulating classic video games (piracy is bad, mmkay). Actually, there are some really fun PC games that you can legally download at no charge.

One such popular game is SuperTuxKart. This open source Mario Kart clone is totally FREE on Windows, Mac, and Linux. It can even be had on Android too. Rather than use Nintendo mascots, the racers in SuperTuxKart are based on open source projects -- it is quite cute. The game even has network support these days, so you can have a multiplayer experience over the internet. SuperTuxKart recently reached version 1.2, and the new version is chock full of improvements. The developers are also sharing their plans for the future of the game.

"SuperTuxKart development efforts will continue in the 1.x series, with another release targeted in a few months. While not as catchy as brand new tracks, gameplay mechanics or graphics effects, the changes will once again improve player experience. Beyond more polish, development on Vulkan support is planned to begin as well as general improvements in the rendering engine for more performance. We have also sent another e-mail to previous contributors for the dual-licensing of STK code, with a more detailed background," say the SuperTuxKart developers.

The devs further explain, "After this, our focus will switch to a 2.0 release that will deliver many new or overhauled tracks, gameplay changes, and much more. The work on improved tracks has already begun. SuperTuxKart is a free open-source game that depends on community contributions. There is no shortage of things to work on for programmers and 3D artists alike. How quickly the next releases will come and how much content they bring might also depend on you!"

But enough about the future, what about the present? The developers share the following changes in SuperTuxKart 1.2.

If you want to try SuperTuxKart 1.2, you can download it from Sourceforge here. Apparently, having the game hosted on Sourceforge is controversial (people complain about everything), so it is now also available on Microsoft's GitHub here.


Originally posted here:

Open source Mario Kart clone SuperTuxKart 1.2 is FREE on Windows, Mac, and Linux - BetaNews

LA Cops Shoot And Kill Dijon Kizzee Following Alleged ‘Bicycle Code Violation’ | The Crusader Newspaper Group – The Chicago Crusader

Dijon Kizzee was 29 years old.

By NewsOne Staff

Police in Los Angeles on Monday shot and killed a Black man after officers stopped him while he was riding a bike for what was being described as a bicycle code violation, sparking a night of protests in California's biggest city.

The victim was identified as Dijon Kizzee, and witnesses have reportedly blamed the Los Angeles Sheriff's Department (LASD) for overreacting.

However, the LASD attempted to justify the killing by claiming when they accosted the 29-year-old, he dropped a gun, ran away and ultimately assaulted an officer before he was shot. There is graphic cell phone footage on social media showing portions of the encounter, which prompted protests into Tuesday morning.

The LASD said Kizzee was carrying an armful of clothes but that he dropped them before he fled, revealing a gun among the apparent laundry. It was unclear if riding a bike while carrying the clothes was the purported violation Kizzee was stopped for, but one witness told CBS Los Angeles that he posed no threat to the officers.

"He had a towel and he had his clothes and his pants couldn't even stay up, so that's what made him slow down so they had enough to get him," the woman, who was granted anonymity, said. "They didn't have to shoot him more than 5 times, they could have shot him one time in the leg."

She continued: "What's the use of having the prison system if y'all are just gonna kill us? What are y'all here for? Who are you protecting?"

Police offered a different narrative with varying chronology.

"Our suspect was holding some items of clothing in his hands, punched one of the officers in the face and then dropped the items in his hands," Lt. Brandon Dean said. "The deputies noticed that inside the clothing items that he dropped was a black semiautomatic handgun, at which time a deputy-involved shooting occurred."

The Los Angeles Times reported the sequence of events happening a bit differently:

When the deputies attempted to contact the man, he dropped the bicycle and ran north on Budlong for one block with deputies in pursuit, Dean said. In the 1200 block of West 109th Place, deputies again tried to make contact with the man, and he punched one of them in the face, Dean said.

In doing so, the man dropped a bundle of clothing he had been carrying. The deputies spotted a black handgun in the bundle, Dean said, and both opened fire, killing the man.

According to the Open Source Intelligence news website, at least 2 officers began unloading their weapons after Kizzee panicked, punched one officer, and started fleeing. While running away, Dijon dropped his clothes, and in the process, a black semiautomatic handgun fell to the ground with the articles of clothing.

LASD said reports of as many as 20 shots being fired were untrue.

The identity of the officers involved in Kizzee's killing was not immediately revealed.

Protesters took to the streets and marched to LASD headquarters after the shooting and chanted phrases like "Black Lives Matter," "Say his name" and "No justice, no peace."

It was unclear where on his body Kizzee was shot, but one consistency with the differing narratives is that he was struck while running away, suggesting he could have been hit in the back.

Kizzee's death is the most recent instance of apparently preventable police violence against Black people and follows last week's shooting of Jacob Blake in Kenosha, Wisconsin. Blake, also 29, was shot in the back multiple times while attempting to enter his vehicle on Aug. 23.

This is America.

This article originally appeared on NewsOne.


More:

LA Cops Shoot And Kill Dijon Kizzee Following Alleged 'Bicycle Code Violation' | The Crusader Newspaper Group - The Chicago Crusader

Trend Micro and Snyk Significantly Expand Partnership with Technology Collaboration to Solve Open Source Development Risks – AsiaOne

Co-developed solution bridges the gap between devops and security operations teams

HONG KONG, CHINA - Media OutReach - August 28, 2020 - Trend Micro, the leader in cloud security, today announced plans for a new, co-developed solution with Snyk, the leader in developer-first open source security. The joint solution will help security teams manage the risk of open source vulnerabilities from the moment open source code is introduced, without interrupting the software delivery process. This marks the expansion of a strategic partnership that has already helped countless organizations enhance DevOps security without impacting product roadmaps.

"We know that vulnerabilities in open source software, which is increasingly used by all development teams, have increased 2.5x in the past three years," said Geva Solomonovich, Global Alliances CTO. "This partnership is ground-breaking because for the first time it is giving the security operations team visibility into Open Source, which is one of the fundamental building blocks of cloud native applications, and its risk. Through this collaboration we will be helping bridge the technology, process and organizational gap between security operations and devops teams."1

According to Gartner, "Open-source libraries can carry significant vulnerabilities and the fact that developers may not even know a component is embedded within a library exposes them to unseen vulnerabilities."2

"DevOps sits at the beating heart of innovation-first enterprises and no one knows these teams like Snyk, especially when it comes to preventing open source vulnerability threats," said Kevin Simzer, chief operating officer for Trend Micro. "What we are putting into play is effectively a virtual open source cybersecurity expert to those teams running our Cloud One platform. Together we can solve security issues before they occur, with complete coverage from code creation to runtime and across any type of developer environment."

The latest capabilities, delivered by combining the strengths of both companies, enable teams to find vulnerabilities in open source code automatically and immediately. They offer significant benefits for security and development teams, including helping to support compliance with ISO 27001, SOC 2 and other key frameworks and standards.

The joint solution will help create fundamental shifts in mindset around collaboration, driving closer alignment between security and developer teams. It will be available as part of the Trend Micro Cloud One platform; for additional details visit http://www.trendmicro.com/cloudone. For an overview of the partnership visit http://www.trendmicro.com/snyk.

1 Snyk, Inc.; 2020 State of Open Source Security: https://info.snyk.io/sooss-report-2020

2 Gartner, Inc.; Hype Cycle for Application Security, 2020, July 2020 | G00448216

Snyk is a developer-first security company that helps organizations use open source and stay secure. Snyk is the only solution that seamlessly and proactively finds and fixes vulnerabilities and license violations in open source dependencies and container images. Snyk's solution is built on a comprehensive, proprietary vulnerability database, maintained by an expert security research team in Israel and London. With tight integration into existing developer workflows, source control (including GitHub, Bitbucket, GitLab), and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean-time-to-fix. For more information or to get started with Snyk for free today, visit https://snyk.io.

Trend Micro, a global leader in cybersecurity, helps make the world safe for exchanging digital information. Leveraging over 30 years of security expertise, global threat research, and continuous innovation, Trend Micro enables resilience for businesses, governments, and consumers with connected solutions across cloud workloads, endpoints, email, IIoT, and networks. Our XGen security strategy powers our solutions with a cross-generational blend of threat-defense techniques that are optimized for key environments and leverage shared threat intelligence for better, faster protection. With over 6,700 employees in 65 countries, and the world's most advanced global threat research and intelligence, Trend Micro enables organizations to secure their connected world: http://www.trendmicro.com.hk.

See the rest here:

Trend Micro and Snyk Significantly Expand Partnership with Technology Collaboration to Solve Open Source Development Risks - AsiaOne

Monday.com Wants to Be Your Only Open Tab at Work – Built In

Earlier this summer, Monday.com released a new kind of app-building experience on its platform. The core insight is relatively simple: If you don't like your workflow, you can change it.

Though many workflow systems allow for user customization, few have achieved the level of configurability found in the Tel Aviv-based company's new release. In a way, the app framework brings the modularity and broad functionality of an iOS, Android or Windows operating system to a destination site for getting work done.

"The Monday system itself is built around the concept that, as a work operating system, you can choose and build the workflow that you like, like putting Lego bricks in place to build something majestic," said Matt Burns, a startup ecosystem leader at the company.

One benefit of the new framework, according to Dipro Bhowmik, a technical success lead on the app framework, is a low-code environment that allows users with virtually no software experience to curate their workspaces.


Prior to the release of the app framework, Bhowmik said, users could choose from a selection of pre-installed apps and integrations, including embedded Zoom calls, a whiteboard, a pivot table, an online document viewer and a working status feature, all released in March with the intention of creating a better experience for people working from home.

Now, Monday.com has gone one step further in its bid to be the workplace OS of choice, with building blocks for others to create apps hosted on its site.


For trained developers, the framework offers sophisticated app customization options: not only the APIs and tools to access Monday.com data on their platforms' users, Bhowmik said, but the capability to upload their own code to Monday's infrastructure, where it is hosted and maintained as part of a monthly service agreement. This allows companies to scratch-build customized board views, widgets and integrations that are presented to users as native features.

"So, tomorrow, if you wanted to build a new board view, you'd be able to build a web application and upload your code to our servers," Bhowmik said. "We would serve it for you; you would use the software development kit to make your API calls. You wouldn't have to worry about any kind of authentication, because we handle that for you."

The real power of the system, though, lies in its interoperability. Just as an iPhone allows a user to employ the phone's ecosystem to run a Spotify app, Monday.com is positioning itself as an accessible host for a range of existing and yet-to-be-built external apps, including those of potential competitors, Burns explained.


One look at the integrations on Monday.com's website and you get a sense of the scope of its ambitions. The list includes Slack, Zendesk, Salesforce, Microsoft Teams, Jira, Asana, Trello, GitHub, Dropbox and several common G Suite apps, among many others.

The software is written in JavaScript, but it is compatible with virtually all coding programs and languages. As of June, more than 100 apps had been built by external partners and customers, 20 by Monday.com itself, and the app framework was in use by 8,900 weekly active users.

"The folks who are building these apps could be anyone from hobby developers who just have a cool idea and want to build something and show it off to the world, to folks who want to build entire businesses," Bhowmik said.

As more companies move to remote work, the app framework can reasonably be seen as a strategic objective in a broader turf war between Monday.com and its near-market competitors to claim ownership of the digital workspace. The end game for Monday.com, as a recent press release indicates, is a world where software serves as a central hub and OS for any kind of work.

Or, as Burns puts it: "Whereas Windows is an operating system that works for your computer, we want to be the brain of the business, where we can collect, digest, translate and transparently show you all that information."

It's hardly any secret that companies like Slack and MURAL are vying for similar territory. As of May, Slack reported a record 12.5 million simultaneously connected users, including at least 65 of the Fortune 100 companies, with a total active use of more than one billion minutes each weekday. MURAL just raised $118 million in Series B funding, tripled annual revenue year over year and added more than a million monthly active users. IBM, Intuit, Atlassian and Autodesk each have up to tens of thousands of MURAL members collaborating with the product each month, the briefing reported.

Many of these platforms focus on integrating applications and visualization tools to recreate the meetings, sprints and strategy sessions that commonly took place not so long ago in the physical office.


In that sense, Monday.com is no different. Valued at nearly $2 billion with $130 million in annual recurring revenue, the company works with 100,000 teams around the globe, from cattle ranchers to digital agencies to enterprise clients like Walmart, Adobe and General Electric. Where some other workplace software tools specialized, Burns told me, aiming to be the best plumbing software for plumbers, Monday widened its lens, adopting a more universal design vernacular.

When he was first introduced to CEO Roy Mann at the corporate headquarters in Tel Aviv in 2016, Burns said, Mann told him the widespread problem companies were facing was the breakdown of team collaboration through silos, a view Burns shared.

The solution offered by Mann, however, caught him off guard. It was not the traditional business school tack of finding a niche and owning it but, instead, creating a tool that could unify disparate teams, from employees at small- and medium-sized firms to enterprise teams that don't normally collaborate closely.

The market potential of that untapped space convinced Burns, a former independent marketing consultant for healthcare providers, that it was time to make the jump. One of his first clients, which he described as a luxury hotel for breeding steers, strengthened his conviction that the platform had far broader appeal than competing workplace tools.

"Each item in their board was a different cow they were tracking as [the cows] moved to different farms," he said. His next thought was this: "Oh my God, this can be used for absolutely anything."

Now, Monday must prove its solution is the best one for the job.


Speed has been key to Monday's development approach. The company devised plans for the app framework in early 2020, but when COVID-19 arrived unexpectedly, Monday accelerated the release cycle. What was supposed to happen during the course of several weeks happened in a two-day hackathon over Zoom that resulted in 20 new apps.

Eighteen invited clients and partners participated. One of them was KPMG, a global tax advisory and auditing company headquartered in the Netherlands.

KPMG developed an internal smart document reader that can scan and extract invoice numbers and other pertinent information from financial documents. But the company confronted a question faced by countless software firms: How could it make the tool more accessible for users in the context of their actual workflows?

During the hackathon, KPMG hit on a solution: an integration that allows a customer to upload a document directly into Monday.com, where it is securely processed through the embedded smart document reader and, within seconds, sent to a Monday.com board.

This is really a new generation of tools that we're seeing, which are using a work operating system to empower what people are doing every day.

To the end user, the value of the integration is convenience. "You don't have to go into another tool and upload that information. You don't have to be dealing with three or four different windows at once. It's all seamless," Bhowmik said.

That's an obvious advantage to companies like KPMG, which want to create a more frictionless experience for their customers. It's also a strategic victory for Monday.com, which can keep people locked into its operating system.

"We want to make it so you can spend all your time in the Monday.com work OS," Bhowmik said. "Do all your work, or as much as you can, there, and have that information either fed in from other tools that your team uses, or sent from Monday.com to those other tools, so the rest of your team has visibility."

Companies in the United States and internationally are starting to experiment with the new app framework. The Paris-based open-source CRM and e-commerce company Synolia developed a visualization tool that monitors team members' progress during a sprint, reporting results in a chart. The Dubai-based software consulting company Cloud Concept, meanwhile, built a document generator app that can take a basic invoicing template, populate it with a customer list harvested from Monday.com and produce invoices to distribute to customers.

It remains unclear what kind of workplace apps will emerge as more developers begin tinkering with the platform, and whether the app framework will make Monday.com the go-to command center in a growing market for digital workplace tools.

But Burns, at least, is openly bullish about the framework's prospects: "It's not like we're replacing technology that people are using and seeing out there. We're building something different."

View post:

Monday.com Wants to Be Your Only Open Tab at Work - Built In