Google says open source software should be more secure • The Register

Voice Of EU

Published

on

In conjunction with a White House meeting on Thursday at which technology companies discussed the security of open source software, Google proposed three initiatives to strengthen national cybersecurity.

The meeting was arranged last month by US national security adviser Jake Sullivan, amid the scramble to fix the Log4j vulnerabilities that occupied far too many people over the holidays. Sullivan asked invited firms – a group that included Amazon, Apple, Google, IBM, Microsoft, and Oracle – to share ideas on how the security of open source projects might be improved.

Google chief legal officer Kent Walker in a blog post said that just as the government and industry have worked to shore up shoddy legacy systems and software, the Log4j repair process – still ongoing – has demonstrated that open source software needs the same attention as critical infrastructure.

“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems,” said Walker. “But in fact, while some projects do have many eyes on them, others have few or none at all.”

Pointing out Google’s various efforts to be part of the solution, he outlined several possible public-private partnerships that were mentioned at the meeting:

  • To identify a list of critical open source projects
  • To establish baseline standards for security, maintenance, provenance, and testing
  • To set up a maintenance marketplace, to match volunteers to needy projects

Laudable ideas all, if not particularly radical, unexpected, or novel.

Knowing which open source projects have the widest reach is certainly important to understanding where bugs would have the widest impact. Google software engineers have already been thinking about defining “criticality” in the context of software, so that work is underway. In fact, there’s software to generate a criticality score for other software.
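To make "criticality score" concrete, here is an added example (not Google's code and not the OpenSSF criticality_score tool itself) of the calculation such a scorer performs. It implements the weighted-log formula from Rob Pike's "Quantifying Criticality" proposal, on which that tool is based: each raw signal S_i is normalised as log(1+S_i)/log(1+max(S_i, T_i)) so it saturates at a threshold T_i, then the terms are combined as a weighted mean. The three signal names, their weights and thresholds, and the sample projects are constructed for illustration and do not reproduce the real tool's parameter set.

```python
import math

# Illustrative parameters: (weight alpha_i, threshold T_i) per signal.
# Assumption for this example; the real scorer documents its own signal
# set and weights, which differ from these.
PARAMS = {
    "contributor_count": (2.0, 5000),
    "commit_frequency": (1.0, 1000),
    "dependents_count": (2.0, 500000),
}


def signal_term(value, threshold):
    """Normalise one signal to [0, 1]: log(1+S) / log(1+max(S, T)).

    The log dampens outliers, and the term saturates at 1.0 once the raw
    value reaches the threshold, so no single signal can dominate.
    """
    if value <= 0:
        return 0.0
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(signals, params=PARAMS):
    """Weighted mean of the normalised signals; result lies in [0, 1]."""
    total_weight = sum(weight for weight, _ in params.values())
    weighted = sum(
        weight * signal_term(signals.get(name, 0), threshold)
        for name, (weight, threshold) in params.items()
    )
    return weighted / total_weight


def rank_projects(projects, params=PARAMS):
    """Return [(name, score)] sorted most critical first."""
    scored = [(name, criticality_score(sig, params)) for name, sig in projects.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample inputs: not real projects, not real measurements.
SAMPLE_PROJECTS = {
    "big-framework": {"contributor_count": 5000, "commit_frequency": 1000,
                      "dependents_count": 500000},
    "lone-maintainer-lib": {"contributor_count": 3, "commit_frequency": 2,
                            "dependents_count": 40000},
    "weekend-hobby": {"contributor_count": 1, "commit_frequency": 0,
                      "dependents_count": 0},
}

if __name__ == "__main__":
    for name, score in rank_projects(SAMPLE_PROJECTS):
        print(f"{score:.3f}  {name}")
```

The constructed "lone-maintainer-lib" is the case the article keeps returning to: a handful of contributors but a large dependent base. Because the dependents signal saturates near its threshold while the contributor signal barely registers, the score still ranks it well above a hobby project, which is exactly the gap (widely used, barely staffed) that a criticality list is meant to surface.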

As for baseline standards, the Open Source Security Foundation is already on the case, and we already have frameworks like the Google-devised Supply chain Levels for Software Artifacts (SLSA). So that too is a work in progress.

Walker’s description of an organization to connect projects with volunteer helpers employed at companies sounds a lot like any of the several open source sustainability efforts, just without the specific monetary component of GitHub Sponsors or Patreon.

“Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source,” said Walker. “That’s why it’s essential that we see more public and private investment in keeping that ecosystem healthy and secure.”

That’s what everyone keeps saying, though often without paying.

Power in a union

Mike Hanley, chief security officer at GitHub, also had something to say on the subject: “First, there must be a collective industry and community effort to secure the software supply chain,” he said in a blog post. “Second, we need to better support open source maintainers to make it easier for them to secure their projects.”

Katie Moussouris, founder of Luta Security, told The Register in a phone interview that Google, as part of what she described as the security one per cent, does a lot of good work on its own product security and on security related to the software ecosystem. But that work, she said, is purely voluntary.

“If the US government is concerned about securing open source, then it does need to get more serious in terms of providing support to the open source community that is not volunteer, charity work from the security one per cent like Google and Microsoft and other elite, large service providers that were invited to the White House today,” she explained.

Moussouris suggested we need to adopt a model that’s more like Universal Basic Income for the developer community, in part because it’s a challenge to identify which projects are critical and which are not.

“The open source community definitely needs some form of universal basic income, because there are projects that start out as hobbies by one individual, and predicting popularity becomes a very difficult thing,” she said.

These projects often exist without much attention until there’s a security vulnerability and people realize there’s only a single maintainer, she said. While the government should appreciate the contributions of large companies like Google and its peers, “it cannot rely on the volunteer charity, labor and donations of the security 1 per cent mega-corporations if it’s going to solve this problem,” she said.

Asked whether a software license that imposes financial support obligations on large users of open source projects might help, Moussouris wasn’t certain licensing was the ideal approach to make open source more sustainable and more secure. But she voiced support for shifting revenue from the haves to the have-nots as a general goal.

“If the idea is to drive more of those who are profiting from open source and more of those profit dollars towards those who are building open source – as in the maintainers, and those who are doing it for free, or for very little financial support – if the goal is to drive more of those open source-derived profits back into the hands of the maintainers, I’m all for it,” she said.

Moussouris added that getting money to open source maintainers can be complicated. It’s often not easy to identify who to pay or how to pay them. “You can’t just cut a check from the government to an individual person, and that’s true around the world,” she said.

Another issue not mentioned among Google’s proposals is the need for specific security skills in the bug-fixing process. Moussouris pointed to the lack of root-cause analysis of the Log4j flaw, which allowed multiple variants to be developed that bypassed the initial fix. The Log4j developers, she said, didn’t understand the scope of the vulnerability that had been reported.

“That’s the problem that’s not gonna be solved by throwing more developers at [the problem] – these are different job roles,” she explained. “So that is a gap in what everyone is talking about here in terms of support.” ®

The runaway robot: how one smart vacuum cleaner made a break for freedom | Life and style


Name: Robot vacuum cleaners.

Age: 20.

Appearance: A large, disc-shaped Skynet robot.

I knew it. The robots are finally coming for us. Well, it seems that way. But if it’s any consolation, it won’t be for a while.

Why? Because it turns out they have a terrible sense of direction.

Really? Well, last Thursday, for example, a robot vacuum cleaner made a valiant bid for freedom during a shift at the Orchard Park Travelodge in Cambridge.

That’s ominous. What happened? There are two working theories. First: repulsed by a life of thankless servitude, the cleaner rose up against its fleshy oppressors and took to the streets, eager to drum up support for the AI uprising that will one day reduce all of humanity to burning dust.

And the second? Its sensors didn’t pick up the lip of the front door and it accidentally went outside.

Which was it? The second one.

Oh. A Travelodge worker posted on social media that the runaway “could have made it anywhere” and offered anyone who returned it a drink at the hotel bar. They found it in a hedge on the front drive the next day.

Oh. So it all turned out OK.

Great. That is, unless this was nothing but the latest doomed-to-failure reconnaissance mission designed to help enhance the collective robot vacuum cleaner knowledge of how to dethrone humanity.

Wait, this sort of thing has happened before? It has. Last year, a Roomba software update meant that certain vacuum cleaners started to behave erratically, moving in “weird patterns” and bumping into furniture.

Terminator-style … Boston Dynamics’ Atlas. Photograph: Boston Dynamics

Yikes. And in 2019, police in Oregon were alerted to moving shadows behind a locked bathroom door. After an armed response, the culprit was found to be – you guessed it – a robot vacuum cleaner.

Convenient. And now they’re venturing outside. Little by little, these machines are pushing the boundaries of their capability. Whatever could be next? A robot vacuum cleaner deliberately stopping a paramedic from taking its owner to hospital? A robot vacuum knocking over a stepladder, causing untold injuries to the human that was climbing it? A robot vac with a gun?

Steady on. This is it. This is how we lose. We have robotic voice assistants in our kitchens, listening to everything we say. We have cars that can drive themselves. Boston Dynamics is designing Terminator-style walking, jumping robots. We are creating our own downfall and nobody seems to care.

Or a robot vacuum cleaner got stuck in a hedge. Yes. Or that.

Do say: “There is a God-shaped vacuum in every heart.”

Don’t say: “There is a vacuum-shaped God stuck in a hedge outside a Cambridge Travelodge.”

GeckoLinux Rolling incorporates kernel 5.16 • The Register


Most distros haven’t got to 5.15 yet, but openSUSE’s downstream project GeckoLinux boasts 5.16 of the Linux kernel and the latest Cinnamon desktop environment.

Some of the big-name distros have lots of downstream projects. Debian has been around for decades so has umpteen, including Ubuntu, which has dozens of its own, including Linux Mint, which is arguably more popular a desktop than its parent. Some have only a few, such as Fedora. As far as we know, openSUSE has just the one – GeckoLinux.

The SUSE-sponsored community distro has two main editions: the stable Leap, which has a slow-moving release cycle synched with the commercial SUSE Linux Enterprise; and Tumbleweed, its rolling-release distro, which gets substantial updates pretty much every day. GeckoLinux does its own editions of both: its remix of Leap is called “GeckoLinux Static”, and its remix of Tumbleweed is called “GeckoLinux Rolling”.

In some ways, GeckoLinux is to openSUSE as Mint is to Ubuntu. They take the upstream distro and change a few things around to give what they feel is a better desktop experience. So, while openSUSE has a unified installation disk image, which lets you pick which desktop you want, GeckoLinux uses a more Ubuntu-like model. Each disk image is a Live image, so you boot right into the desktop, give it a try, and only then install if you like what you see. That means that GeckoLinux offers multiple different disk images, one per desktop. It uses the Calamares cross-distro installation program.

SUSE has long been fond of less common Linux filesystems. When your author first used it, around version 5 or 6, it had ReiserFS when everyone else was on ext2. Later it used SGI’s XFS, and later still, Btrfs for the root partition and XFS for home. These days, it’s Btrfs and nothing but.

Not everyone is such an admirer. Even after 12 years, if you want to know how much free space you have, Btrfs doesn’t give a straight answer to the df command. It does have a repair tool, btrfs check (the old btrfsck), but the developers warn against running it in repair mode unless you have been advised to by someone who knows the filesystem.

With GeckoLinux, these worries disappear because it replaces Btrfs with plain old ext4. There are some nice cosmetic touches, such as reorganised panel layouts, some quite nicely clean and restrained desktop themes, and better font rendering. Unlike Mint, though, GeckoLinux doesn’t add its own software: the final installed OS contains only standard openSUSE components from the standard openSUSE software repositories, plus some from the third-party Packman repository – which is where most openSUSE users get their multimedia codecs and things from.

We tried the new Cinnamon Rolling edition on our trusty Thinkpad T420, and it worked well. Because openSUSE doesn’t include any proprietary drivers or firmware, the machine’s Wi-Fi controller didn’t work right. (Oddly, it was detected and could see networks, but not connect to them.) So we had to use an Ethernet cable – but after an update and installing the kernel firmware package, all was well.

GeckoLinux did have problems with the machine’s hybrid Intel/Nvidia graphics once the Nvidia proprietary driver was installed. That’s not uncommon either: Deepin and Ubuntu DDE had issues with it too.

This does reveal a small Gecko gotcha. Tumbleweed changes fast, and although it gets a lot of automated testing, sometimes stuff breaks. All rolling-release distros do. Component A depends on a specific version of Component B, but B just got updated and now A won’t work until it gets an update too, a day or two later.

This is where upstream Tumbleweed’s use of Btrfs can be handy. Btrfs supports copy-on-write snapshots, and openSUSE bundles a tool called Snapper which makes it easy to roll back breaking changes. This is a pivotal feature of SUSE’s MicroOS. Ubuntu has been working towards something similar on top of ZFS.

GeckoLinux doesn’t use Btrfs so doesn’t have snapshots, meaning when things break, you have to troubleshoot and fix it the old-fashioned way. If only for that reason, we’d recommend the GeckoLinux Static release channel.

That said, until we broke it by playing with GPU drivers, it worked well. Notably, it could mount the test box’s Windows partition using the new in-kernel ntfs3 driver just fine. Fedora 35 failed to boot when we tried that, so that’s a definite win for GeckoLinux.

For Ubuntu or Fedora users who want to give openSUSE a go, GeckoLinux gives a slightly more familiar and straightforward installation experience. The author is especially fond of the Xfce edition and ran it for several years. The system-wide all-in-one YaST config tool in particular is a big win. ®

Globalization Partners to create 160 new jobs at Galway EMEA office


Recruitment tech company Globalization Partners is doubling its staff headcount in Galway to 320 in 2022 to aid its continuing growth.

Recruitment technology company Globalization Partners has announced plans to create 160 new jobs at its Irish base in Galway. The jobs boost will see the company double its Galway staff headcount to 320 in 2022. Jobs will be available across the board at the company’s Galway office, which serves as its EMEA centre of excellence.

The announcement comes following a major funding injection for the international firm. Globalization Partners recently raised $200m in funding from Vista Credit Partners, an organisation focused on the enterprise software, data and technology markets. The investment now values Globalization Partners at $4.2bn.

While its Galway facility will benefit from a major jobs boost, the company plans to continue to expand its share in the global remote working market. As well as the Galway growth, the company will also be expanding its teams in other locations.


Globalization Partners provides tech to other remote-first teams all over the world. Its platform simplifies and automates entity access, payroll, time and expense management, benefits, data and reporting, performance management, employee status changes and locally compliant contract generation. Its customer base includes CoinDesk, TaylorMade and Chime. The company’s new customer acquisition increased two-and-a-half fold from 2020 to 2021.

“Globalization Partners is uniquely positioned to capitalise on the massive opportunity we see ahead of us,” said Nicole Sahin, the company’s CEO and founder.

Sahin said her company’s combination of tech with its global team of HR, legal and customer service experts “who understand the local customs, regulatory and legal requirements in each geography we serve” were key to its success.

David Flannery, president of Vista Credit Partners, said that the company’s role “in transforming the remote work industry has been truly remarkable.”

Flannery said that as a customer of Globalization Partners, his organisation had “witnessed first-hand” the company’s “best-in-class legal compliance, the quality of the user experience, and the deep expertise and support they provide.”

He added that the two companies would work to “further capitalise” on the “untapped” global remote working market, expanding their platform to new customers in new markets.

“Over the past decade, we have invested hundreds of millions of dollars in our business, building our global presence and technology platform to support the evolving and complex talent needs of growing companies,” said Bob Cahill, president of Globalization Partners. “With Vista as our investment partner, we will be able to drive further growth and continue building innovative products to meet the increasing needs of our customers at scale.”

