A largely dry and corporate affair where the best bits involved a spot of Kubernetes-hacking roleplay • The Register

Voice Of EU


Kubecon: A session on how to hack into a Kubernetes cluster was among the highlights of a Kubecon where the main events were generally bland and corporate affairs, perhaps indicative of the technology now being a de facto infrastructure standard among enterprises.

Kubecon Europe took place online last week with more than 27,000 attendees, according to Chris Aniszczyk, CTO of the Cloud Native Computing Foundation (CNCF), which hosts the Kubernetes project among many others.

That is a substantial increase on the reported 13,000 or so at last year’s event, which was also virtual. Kubernetes is huge, and if there was an underlying theme at the event it was that Kubernetes is becoming the standard runtime platform.

There was plenty of strong technical content at the event, though attendees were left in no doubt that Kubernetes is big business and there was a dry corporate flavour to much of the keynote content along with the usual mutual backslapping.

CNCF introduced 27 new members, and observability specialist New Relic became a Platinum member, highlighting the significance of the OpenTelemetry project for collecting and analysing metrics, logs and traces from Kubernetes deployments. New Relic’s Zain Asgar joined the CNCF Governing Board. Asgar is CEO of Pixie Labs, acquired by New Relic in December 2020, and Pixie, a native Kubernetes observability product, has been open-sourced and will be contributed to CNCF.

“We wanted to make the observability product ubiquitous… it’s very hard to have a commercial offering that’s going to get to play everywhere,” Asgar told us.

“The goal behind Pixie is for it to be a vendor-neutral thing that everyone can use.” The commercial aspect is that Pixie is a data source that New Relic’s platform can consume, and the company also hosts Pixie Cloud as an option for managing the technology.

Spotify walked off with a “CNCF End User Award” for its work on Backstage, software that makes it easier to manage multiple services and share information. Spotify has 1,600 engineers, 14,000 software components and 1,400 microservices in production, according to web engineer Emma Indal who spoke at Kubecon, which explains why it came up with Backstage, and maybe why the Spotify app is no longer the simple, quick affair for streaming music that it was when it first became popular.

Hacking Kubernetes: a story

As so often, the best content was not in the keynotes but in low-profile sessions. A highlight was a short piece on Hacking into Kubernetes by Ellen Körbes, head of product at Tilt, and Tabitha Sable, systems security engineer at Datadog. Körbes played the part of a developer at a fictional company where Sable was grandly called “Director of DevSecOps Enforcement”.

The story began when Körbes was annoyed by another developer using her port on the cluster. “I’m not calling the security people, they’re not fun, I’ll do this on my own,” she said.

She had limited RBAC (role-based access control) rights to the cluster, but that did not stop her. She got a shell on a pod that ran in a namespace with higher permissions, and ran the command she needed from there. The breach was discovered, but Körbes sat back and thought: “If the development cluster was out of commission all day, I would get the rest of the day off.”
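The lateral move above works because RBAC grants are per namespace and easy to lose track of: a developer who is read-only in her own namespace can still reach a service account somewhere else that is allowed to open a shell in pods. The script below is an added example (not code from the session or from Kubernetes) that answers the question a reviewer would ask first: which subjects can `create pods/exec`, and in which namespaces. The input is a constructed JSON list in the shape `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` produces; the role and subject names are invented for the sample.

```python
"""Audit which RBAC subjects can open a shell in pods (verb "create" on
"pods/exec"), and in which namespaces, from an exported list of RBAC objects.

Added example for this article; not code from the Kubecon talk or from
Kubernetes. Sample data below is constructed, not taken from a real cluster.
"""
import json
from collections import defaultdict

# Constructed sample: "ellen" is read-only in "dev", but a ClusterRole that
# grants exec is bound in "platform" to a service account, and group "ops"
# holds a wildcard ClusterRole cluster-wide.
SAMPLE = json.dumps({"items": [
    {"kind": "Role", "metadata": {"name": "dev-view", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-view", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "dev-view"},
     "subjects": [{"kind": "User", "name": "ellen"}]},
    {"kind": "RoleBinding", "metadata": {"name": "platform-exec", "namespace": "platform"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "platform"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "wildcard"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
]})


def rule_grants_exec(rule):
    """True if one RBAC rule allows `create` on `pods/exec` in the core API group.
    Wildcards ("*") in any of the three fields count as a match."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("" in groups or "*" in groups)
            and ("pods/exec" in resources or "*" in resources)
            and ("create" in verbs or "*" in verbs))


def exec_grants(rbac_json):
    """Return {subject: set(namespaces)}. "*" means every namespace (a ClusterRoleBinding)."""
    items = json.loads(rbac_json)["items"]
    # Index roles by (kind, namespace-or-None, name). ClusterRoles have no namespace.
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            roles[(obj["kind"], obj["metadata"].get("namespace"), obj["metadata"]["name"])] = obj.get("rules", [])

    grants = defaultdict(set)
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace")
        # A RoleBinding may point at a ClusterRole; the grant is then scoped to the
        # binding's namespace, not the whole cluster. A Role must live in that namespace.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"])
        if not any(rule_grants_exec(r) for r in roles.get(key, [])):
            continue
        scope = "*" if obj["kind"] == "ClusterRoleBinding" else binding_ns
        for s in obj.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                name = f'{s["kind"]}:{s.get("namespace", "")}:{s["name"]}'
            else:
                name = f'{s["kind"]}:{s["name"]}'
            grants[name].add(scope)
    return dict(grants)


if __name__ == "__main__":
    for subject, namespaces in sorted(exec_grants(SAMPLE).items()):
        print(f"{subject} can exec into pods in: {', '.join(sorted(namespaces))}")
```

On the sample this reports `ServiceAccount:platform:ci` for `platform` and `Group:ops` for `*`, and nothing for `ellen`; the follow-up question is which pods mount the `ci` service account token and who can get a shell in those. Aggregated ClusterRoles and escalation through `bind`/`escalate`/`impersonate` verbs are outside what this script checks.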

She spotted CVE-2019-11253, “improper input validation in the Kubernetes API server… allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable.”
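CVE-2019-11253 is a “billion laughs” attack: a YAML document that is a few hundred bytes on the wire but expands to millions of nodes once its anchors (`&`) and aliases (`*`) are resolved, so the API server burns CPU and memory deserialising it. The snippet below is an added example of the defensive idea (not the fix Kubernetes shipped, and not code from the talk): price the expansion before loading. It assumes PyYAML is installed; `yaml.compose` builds the node graph without expanding aliases (an alias resolves to the same node object), so the expanded size can be computed cheaply with memoisation and oversized documents refused. The attack document is constructed inline.

```python
"""Bound YAML alias expansion before handing a document to a loader.

Added example for this article; not Kubernetes code and not the upstream fix
for CVE-2019-11253. Assumes PyYAML is available. The BOMB document below is
constructed here to show the shape of the attack.
"""
import yaml

# Constructed attack document: each level references the previous one nine
# times, so a few hundred bytes expand to 9**7 leaves under level "h".
BOMB = "a: &a [1, 1, 1, 1, 1, 1, 1, 1, 1]\n"
for prev, cur in zip("abcdefg", "bcdefgh"):
    BOMB += f"{cur}: &{cur} [{', '.join(['*' + prev] * 9)}]\n"

# Constructed benign document: anchors used the way real manifests use them.
BENIGN = "defaults: &d {cpu: 1, mem: 2}\nweb: *d\napi: *d\n"


def expanded_node_count(text):
    """Number of nodes the document would hold after every alias is expanded.

    yaml.compose returns a DAG: an alias is the same node object as its anchor,
    so sizes are memoised per node and the walk stays linear in the DAG size
    even when the expanded tree would be astronomically large."""
    root = yaml.compose(text)
    memo = {}

    def size(node):
        if node is None:
            return 0
        if id(node) in memo:
            return memo[id(node)]
        if isinstance(node, yaml.ScalarNode):
            n = 1
        elif isinstance(node, yaml.SequenceNode):
            n = 1 + sum(size(child) for child in node.value)
        else:  # MappingNode: value is a list of (key_node, value_node) pairs
            n = 1 + sum(size(k) + size(v) for k, v in node.value)
        memo[id(node)] = n
        return n

    return size(root)


def within_budget(text, max_nodes=100_000):
    """True if the document expands to at most max_nodes nodes."""
    return expanded_node_count(text) <= max_nodes


def safe_load_bounded(text, max_nodes=100_000):
    """yaml.safe_load, but refuse documents whose expansion exceeds the budget."""
    n = expanded_node_count(text)
    if n > max_nodes:
        raise ValueError(f"refusing to expand YAML: {n} nodes exceeds budget of {max_nodes}")
    return yaml.safe_load(text)


if __name__ == "__main__":
    print("benign document expands to", expanded_node_count(BENIGN), "nodes")
    print("bomb is", len(BOMB), "bytes and expands to", expanded_node_count(BOMB), "nodes")
    print("bomb accepted:", within_budget(BOMB))
```

The budget is the point: a loader that counts after expanding has already done the work the attacker wanted, so the count has to come from the unexpanded graph. The same reasoning applies to deeply nested JSON, where a depth limit at the parser plays the role of the node budget here.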

Tilt’s Ellen Körbes poses as a Kubernetes hacker at Kubecon Europe

DevSecOps ups the security to control its wayward developers, but Körbes disliked being spied on and decided to go in and delete her logs. “Nobody is auditing anything.” Enter CVE-2020-15257 – “the containerd-shim API is improperly exposed to host network containers.” In practice that meant a container sharing the node’s network namespace (hostNetwork: true) could reach the shim’s control socket and talk to the container runtime directly, beneath anything the API server enforces. Körbes figured: “If I use a vulnerability in something Kubernetes is running on top of, I can bypass all Kubernetes security completely.”
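Because the bug sits below Kubernetes, the cluster-side question is simply which pods meet its precondition. The script below is an added example (not code from the talk or from containerd) that reads constructed JSON in the shape of `kubectl get pods -A -o json` and `kubectl get nodes -o json`, and lists host-network pods scheduled on nodes whose containerd predates the patched releases named in the containerd advisory for this CVE (1.3.9 and 1.4.3). The pod and node names are invented; the root-user heuristic looks only at the pod-level securityContext and is labelled as such in the code.

```python
"""Find pods that meet the precondition for CVE-2020-15257: hostNetwork pods on
nodes running containerd older than the patched releases.

Added example for this article; not code from the Kubecon talk, Kubernetes or
containerd. PODS and NODES are constructed samples in kubectl JSON shape.
"""
import json
import re

# First patched release per minor series, per the containerd advisory.
FIXED = {(1, 3): (1, 3, 9), (1, 4): (1, 4, 3)}

PODS = json.dumps({"items": [
    {"metadata": {"name": "hack", "namespace": "dev"},
     "spec": {"hostNetwork": True, "nodeName": "node-a", "containers": [{"name": "c"}]}},
    {"metadata": {"name": "web", "namespace": "dev"},
     "spec": {"nodeName": "node-a", "containers": [{"name": "c"}]}},
    {"metadata": {"name": "kube-proxy-x", "namespace": "kube-system"},
     "spec": {"hostNetwork": True, "nodeName": "node-b", "containers": [{"name": "c"}]}},
    {"metadata": {"name": "agent", "namespace": "monitoring"},
     "spec": {"hostNetwork": True, "nodeName": "node-c",
              "securityContext": {"runAsNonRoot": True}, "containers": [{"name": "c"}]}},
]})
NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.4.1"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.4.3"}}},
    {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.3.7-k3s1"}}},
]})


def containerd_version(node):
    """Parse (major, minor, patch) from 'containerd://1.4.1'; None for other runtimes.
    A node reporting docker:// may still run containerd underneath, which this
    string cannot reveal, so those nodes are reported as unknown rather than safe."""
    rt = node["status"]["nodeInfo"]["containerRuntimeVersion"]
    m = re.match(r"containerd://v?(\d+)\.(\d+)\.(\d+)", rt)
    return tuple(int(x) for x in m.groups()) if m else None


def node_vulnerable(node):
    """True/False for containerd nodes, None when the runtime cannot be judged."""
    v = containerd_version(node)
    if v is None:
        return None
    series = v[:2]
    if series in FIXED:
        return v < FIXED[series]
    # Series older than 1.3 had no patched release; 1.5 and later shipped after the fix.
    return series < (1, 3)


def may_run_as_root(spec):
    """Heuristic from the pod-level securityContext only (assumption: container-level
    overrides and the image's USER are not inspected): root unless the pod pins
    runAsNonRoot or a non-zero runAsUser."""
    sc = spec.get("securityContext", {})
    if sc.get("runAsNonRoot"):
        return False
    return sc.get("runAsUser", 0) == 0


def exposed_pods(pods_json, nodes_json):
    """List host-network pods on vulnerable (or unjudgeable) nodes."""
    nodes = {n["metadata"]["name"]: n for n in json.loads(nodes_json)["items"]}
    out = []
    for pod in json.loads(pods_json)["items"]:
        spec = pod["spec"]
        if not spec.get("hostNetwork"):
            continue  # the shim socket lives in the host network namespace
        node = nodes.get(spec.get("nodeName"))
        vuln = node_vulnerable(node) if node else None
        if vuln is False:
            continue
        out.append({
            "pod": f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}',
            "node": spec.get("nodeName"),
            "status": "vulnerable" if vuln else "unknown-runtime",
            "root": may_run_as_root(spec),
        })
    return out


if __name__ == "__main__":
    for hit in exposed_pods(PODS, NODES):
        print(hit)
```

On the sample, `dev/hack` on node-a (containerd 1.4.1) is reported as vulnerable and running as root, `monitoring/agent` on node-c (1.3.7) as vulnerable but non-root, and `kube-proxy-x` on the patched node-b is not reported. The `root` flag matters because the shim socket was reachable by root inside the container; the fix is still to upgrade containerd, with dropping hostNetwork and root where workloads allow it as defence in depth.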

A reverse shell and a bit of (unpublished) code later, she was in. Kubernetes vulnerabilities “don’t come around very often, but when they do they can ruin your day,” she mused. There is more: we will not spoil the story completely as it will be published for all to enjoy from 14 May.

“I struggled a lot to learn how to make talks engaging. The way to keep people engaging is with story,” explained Körbes at the wrap-up later, while Sable said: “We realised, Kubernetes security is complex because it’s the union of Linux security and network security and usually cloud provider security, and also Kubernetes has its own additional layer of complication there especially around RBAC and tying your shoes together with RBAC… I believe this is the first public demonstration of that Containerd exploit against Kubernetes.”

Too complex?

That was a great session, and also a neat illustration of what remains the big issue with Kubernetes: its complexity makes it hard to learn and easy to get wrong. There is no consensus on how this will be resolved, or whether it should be. We spoke to Mark Boost, CEO of Civo, a UK company offering hosted Kubernetes based on the lightweight K3s distribution (about which we hear more and more).

Despite the company’s focus on Kubernetes, Boost said he thinks fewer organisations will tangle with it directly in future. “Kubernetes is a great product but in the future it will be more under the hood, still be running Kubernetes, but there’ll be these layers on top which are just doing management on top to make things simple.”

Do we then end up back at Heroku, a revolutionary service when it was launched in 2007 as a way to run Ruby applications in the cloud (it has evolved since to support other runtimes) without managing the infrastructure? “In some ways, we do,” said Boost.

It seems that while many agree that using Kubernetes could and should be easier, other users would rather put up with the complexity for flexibility and control. “As more teams start modernising their applications, anything you can do to lower the cognitive cost of entry is good,” said Justin Turner, director of engineering at H-E-B, speaking at a Kubecon panel on the future of cloud native development.

“But there is a point where if you put too much abstraction on top of it, you lose a lot of control. You lose the ability to run operators… if we had too many layers of abstraction it may be hard to understand that those options are available.”

Jason McGee, CTO of IBM Cloud, said: “The lesson of Kubernetes is that there’s a diversity of workloads. People are moving towards an as-a-service consumption model and Kubernetes is evolving to have different personalities on how you consume the platform depending on what you are trying to do. Heroku, or the Cloud Foundry style of push code, lots of people want that. But maybe one of the lessons of that generation was that the platform doesn’t do everything.

“To me the power of Kubernetes is, if I’m building a simple app I can use that style; if I need to drop down and mess with the details of the application, run stateful things, I can do that, all in one environment. I think we’ll add that to the ways Kubernetes is consumed. The question is whether we’ll do that in one way or whether there’s going to be 35 ways for that to happen.”

Most likely 35 ways, which makes the consensus around Kubernetes itself all the more remarkable. “For the first time in the industry we have standardised on the infrastructure with Kubernetes being that de facto control plane,” said Aniszczyk. ®



Amazon given contract to store data for MI5, MI6 and GCHQ | GCHQ


The UK’s spy agencies have given a contract to Amazon Web Services (AWS) to host classified material in a deal aimed at boosting the use of data analytics and artificial intelligence for espionage.

GCHQ had supported the procurement of a high-security cloud system, which would be used by its sister services, MI5 and MI6. Other government departments, such as the Ministry of Defence, would also use the system during joint operations.

The agreement, estimated by industry experts to be worth £500m to £1bn over the next decade, was signed this year with Amazon.com’s cloud service unit AWS, the Financial Times first reported, citing people familiar with the discussions.

The contract with Amazon is likely to ignite concerns over sovereignty because the UK’s most secret data will be hosted by a single US tech company.

GCHQ told news agencies it would not comment on reports about its relationships with tech suppliers. AWS declined to comment on the report.

In February, British spies at GCHQ said they had fully embraced artificial intelligence (AI) to uncover patterns in global data to counter hostile disinformation and catch child abusers.

GCHQ has been using basic forms of AI, such as translation technology, for years but is stepping up its use, partly in response to the use of AI by hostile states and partly due to the data explosion that makes it effective.

Gus Hosein, the executive director of Privacy International, told the FT there were many things parliament, regulators and the public needed to know about the deal.

“This is yet another worrying public-private partnership, agreed in secret,” he said. “If this contract goes through, Amazon will be positioned as the go-to cloud provider for the world’s intelligence agencies. Amazon has to answer for itself which countries’ security services it would be prepared to work for.”

On Monday, the GCHQ director, Jeremy Fleming, told a conference that the number of ransomware attacks across the UK had doubled in 2021 compared with 2020.

Google deliberately throttled ad load times to promote AMP, claims new court document • The Register


More detail has emerged from a 173-page complaint filed last week in the lawsuit brought against Google by a number of US states, including allegations that Google deliberately throttled advertisements not served to its AMP (Accelerated Mobile Pages) pages.

The lawsuit – as we explained at the end of last week – was originally filed in December 2020 and concerns alleged anti-competitive practice in digital advertising. The latest document, filed on Friday, makes fresh claims alleging ad-throttling around AMP.

Google introduced AMP in 2015, with the stated purpose of accelerating mobile web pages. An AMP page is a second version of a web page using AMP components and restricted JavaScript, and is usually served via Google’s content delivery network. Until 2018, the AMP project, although open source, had as part of its governance a BDFL (Benevolent Dictator for Life), this being Google’s Malte Ubl, the technical lead for AMP.

In 2018, Ubl posted that this changed “from a single Tech lead to a Technical Steering Committee”. The TSC sets its own membership and has a stated goal of “no more than 1/3 of the TSC from one employer”, though currently has nine members, of whom four are from Google, including operating director Joey Rozier.

According to the Friday court filing, representing the second amended complaint [PDF] from the plaintiffs, “Google ad server employees met with AMP employees to strategize about using AMP to impede header bidding.” Header bidding, as described in our earlier coverage, enabled publishers to offer ad space to multiple ad exchanges, rather than exclusively to Google’s ad exchange. The suit alleges that AMP limited the compatibility with header bidding to just “a few exchanges,” and “routed rival exchange bids through Google’s ad server so that Google could continue to peek at their bids and trade on inside information”.

The lawsuit also states that Google’s claims of faster performance for AMP pages “were not true for publishers that designed their web pages for speed”.

A more serious claim is that: “Google throttles the load time of non-AMP ads by giving them artificial one-second delays in order to give Google AMP a ‘nice comparative boost’. Throttling non-AMP ads slows down header bidding, which Google then uses to denigrate header bidding for being too slow.”

The document goes on to allege that: “Internally, Google employees grappled with ‘how to [publicly] justify [Google] making something slower’.”

Google promoted AMP in part by ranking non-AMP pages below AMP pages in search results, and featuring a “Search AMP Carousel” specifically for AMP content. This presented what the complaint claims was a “Faustian bargain,” where “(1) publishers who used header bidding would see the traffic to their site drop precipitously from Google suppressing their ranking in search and re-directing traffic to AMP-compatible publishers; or (2) publishers could adopt AMP pages to maintain traffic flow but forgo exchange competition in header bidding, which would make them more money on an impression-by-impression basis.”

The complaint further alleges that “According to Google’s internal documents, [publishers made] 40 per cent less revenue on AMP pages.”

A brief history of AMP

AMP was controversial from its first inception. In 2017 developer Jeremy Keith described AMP as deceptive, drawing defensive remarks from Ubl. Keith later joined the AMP advisory committee, but resigned in August saying that “I can’t in good faith continue to advise on the AMP project for the OpenJS Foundation when it has become clear to me that AMP remains a Google product, with only a subset of pieces that could even be considered open source.”

One complaint is that the AMP specification requires a link to Google-hosted JavaScript.

In May 2020 Google stated it would “remove the AMP requirement from Top Stories eligibility”.

This was confirmed in April 2021, when Google posted about an update to its “page experience” whereby “the Top Stories carousel feature on Google Search will be updated to include all news content, as long as it meets the Google News policies. This means that using the AMP format is no longer required.” In addition, “we will no longer show the AMP badge icon to indicate AMP content.” Finally, signed exchanges (SXG) in Google Search, which pre-fetch content to speed page rendering on sites that support the feature, were extended to all web pages, where previously they were restricted to AMP pages.

This is evidence that Google is pulling back from its promotion of AMP, though it also said that “Google continues to support AMP”.

As for the complaint, it alleges that Google has an inherent conflict of interest. According to the filing: “Google was able to demand that it represent the buy-side (i.e., advertisers), where it extracted one fee, as well as the sell-side (i.e., publishers), where it extracted a second fee, and it was also able to force transactions to clear in its exchange, where it extracted a third, even larger, fee.”

The company also has more influence than any other on web standards, thanks to the dominant Chrome browser and Chromium browser engine, and on mobile technology, thanks to Android.

That Google would devise a standard from which it benefited is not surprising, but the allegation of deliberately delaying ads on other formats in order to promote it is disturbing and we have asked the company to comment. ®

What is COP26 and what can we expect from climate talks?


Shelley Inglis from the University of Dayton explains how global climate negotiations work and what’s expected from the upcoming Glasgow summit.

A version of this article was originally published by The Conversation (CC BY-ND 4.0)

Over two weeks in November, world leaders and national negotiators will meet in Scotland to discuss what to do about the climate crisis. It’s a complex process that can be hard to make sense of from the outside, but it’s how international law and institutions help solve problems that no single country can fix on its own.

I worked for the United Nations for several years as a law and policy adviser and have been involved in international negotiations. Here’s what’s happening behind closed doors and why people are concerned that COP26 might not meet its goals.

What is COP26?

In 1992, countries agreed to an international treaty called the United Nations Framework Convention on Climate Change (UNFCCC), which set ground rules and expectations for global cooperation on combating climate change. It was the first time the majority of nations formally recognised the need to control greenhouse gas emissions, which cause global warming that drives climate change.

That treaty has since been updated, including in 2015 when nations signed the Paris climate agreement. That agreement set the goal of limiting global warming to “well below” 2 degrees Celsius, and preferably to 1.5 degrees Celsius, to avoid catastrophic climate change.

COP26 stands for the 26th Conference of Parties to the UNFCCC. The “parties” are the 196 countries that ratified the treaty, plus the European Union. The UK, partnering with Italy, is hosting COP26 in Glasgow, Scotland, from 31 October to 12 November 2021, after a one-year postponement due to the Covid-19 pandemic.

Why are world leaders so focused on the climate crisis?

The UN Intergovernmental Panel on Climate Change’s latest report, released in August 2021, warns in its strongest terms yet that human activities have unequivocally warmed the planet, and that climate change is now widespread, rapid and intensifying.

The IPCC’s scientists explain how climate change has been fuelling extreme weather events and flooding, severe heat waves and droughts, loss and extinction of species, and the melting of ice sheets and rising of sea levels. UN secretary-general António Guterres called the report a “code red for humanity.”

Enough greenhouse gas emissions are already in the atmosphere, and they stay there long enough, that even under the most ambitious scenario of countries quickly reducing their emissions, the world will experience rising temperatures through at least mid-century.

However, there remains a narrow window of opportunity. If countries can cut global emissions to “net zero” by 2050, that could bring warming back to under 1.5 degrees Celsius in the second half of the 21st century. How to get closer to that course is what leaders and negotiators are discussing.

What happens at COP26?

During the first days of the conference, around 120 heads of state, like US president Joe Biden, and their representatives will gather to demonstrate their political commitment to slowing climate change.

Once the heads of state depart, country delegations, often led by ministers of environment, engage in days of negotiations, events and exchanges to adopt their positions, make new pledges and join new initiatives. These interactions are based on months of prior discussions, policy papers and proposals prepared by groups of states, UN staff and other experts.

Non-governmental organisations and business leaders also attend the conference, and COP26 has a public side with sessions focused on topics such as the impact of climate change on small island states, forests or agriculture, as well as exhibitions and other events.

The meeting ends with an outcome text that all countries agree to. Guterres publicly expressed disappointment with the COP25 outcome, and there are signs of trouble heading into COP26.

What is COP26 expected to accomplish?

Countries are required under the Paris Agreement to update their national climate action plans every five years, including at COP26. This year, they’re expected to have ambitious targets through 2030. These are known as nationally determined contributions, or NDCs.

The Paris Agreement requires countries to report their NDCs, but it allows them leeway in determining how they reduce their greenhouse gas emissions. The initial set of emission reduction targets in 2015 was far too weak to limit global warming to 1.5 degrees Celsius.

One key goal of COP26 is to ratchet up these targets to reach net-zero carbon emissions by the middle of the century.

Another aim of COP26 is to increase climate finance to help poorer countries transition to clean energy and adapt to climate change. This is an important issue of justice for many developing countries whose people bear the largest burden from climate change but have contributed least to it.

Wealthy countries promised in 2009 to contribute $100bn a year by 2020 to help developing nations, a goal that has not been reached. The US, UK and EU, among the largest historic greenhouse emitters, are increasing their financial commitments, and banks, businesses, insurers and private investors are being asked to do more.

Other objectives include phasing out coal use and generating solutions that preserve, restore or regenerate natural carbon sinks, such as forests.

Another challenge that has derailed past COPs is agreeing on implementing a carbon trading system outlined in the Paris Agreement.

Are countries on track to meet international climate goals?

The UN warned in September 2021 that countries’ revised targets were too weak and would leave the world on pace to warm 2.7 degrees Celsius by the end of the century. However, governments are also facing another challenge that could affect how they respond: energy supply shortages have left Europe and China with price spikes for natural gas, coal and oil.

China – the world’s largest emitter – has not yet submitted its NDC. Major fossil fuel producers such as Saudi Arabia, Russia and Australia seem unwilling to strengthen their commitments. India – a critical player as the second-largest consumer, producer and importer of coal globally – has also not yet committed.

Other developing nations such as Indonesia, Malaysia, South Africa and Mexico are important. So is Brazil, which, under Jair Bolsonaro’s watch, has increased deforestation of the Amazon – the world’s largest rainforest and crucial for biodiversity and removing carbon dioxide from the atmosphere.

What happens if COP26 doesn’t meet its goals?

Many insiders believe that COP26 won’t reach its goal of having strong enough commitments from countries to cut global greenhouse gas emissions 45pc by 2030. That means the world won’t be on a smooth course for reaching net-zero emissions by 2050 and the goal of keeping warming under 1.5 degrees Celsius.

But organisers maintain that keeping warming under 1.5 degrees is still possible. Former US secretary of state John Kerry, who has been leading the US negotiations, remains hopeful that enough countries will create momentum for others to strengthen their reduction targets by 2025.

The cost of failure is astronomical. Studies have shown that the difference between 1.5 and 2 degrees Celsius can mean the submersion of small island states, the death of coral reefs, extreme heat waves, flooding and wildfires, and pervasive crop failure.

That translates into many premature deaths, more mass migration, major economic losses, large swathes of unliveable land and violent conflict over resources and food – what the UN secretary-general has called “a hellish future.”

By Shelley Inglis

Shelley Inglis is executive director of the Human Rights Center at the University of Dayton in Ohio. She is a research professor of human rights and law, and previously held various management positions with the United Nations Development Programme.
