OSS Leftovers (2019-08-06)
Developing and maintaining secure firmware for tablets, cars, and IoT devices is hard. Often, the firmware is initially developed by a third party rather than in-house. And it can be tough as projects move from inception and prototyping to full-force engineering and finally to deployment and production.
Now, an engineer at self-driving car service Cruise is easing the pain with the release of FwAnalyzer, a tool he and his Cruise colleagues developed themselves. Collin Mulliner spent more than a decade scouring firmware found in phones and other devices before becoming Cruise’s principal security engineer. He helped write FwAnalyzer to provide continuous automated firmware analysis that could aid engineers at any phase of the code’s lifecycle.
“It's peace of mind that there's constant analysis,” Mulliner said of the tool, which he’ll be discussing at a panel on Wednesday at the Black Hat security conference in Las Vegas. “At any step in development… it runs checks.”
Privately developed apps, unlike open source, don’t let their code be accessed by the general public. So if there are any channels that allow security breaches to take place, they cannot be inspected. Even if the app developers intentionally have a system in place that extracts user data from the cloud, there is no way of knowing, because the coding framework is kept under lock and key. This is why, even if people are aware of the data security risk that comes with installing Facebook, there’s not much they can do about it: ultimately Facebook is a privately licensed enterprise that can only be modified by the people employed by it. Open-source applications aren’t developed for profit, and since they aren’t licensed, they have little incentive to sell your data to third parties. The biggest advantage is that open source apps are transparent about data vulnerabilities.
In short, if you’re looking for alternatives to Google Maps and FaceApp, there are good open-source apps available that won’t sell your data to advertisers.
A Linux Foundation survey last year found 72% of companies “frequently using open source for non-commercial or internal reasons”, while 55% have incorporated open source components into their commercial products.
Interest in the use of open source components continues to grow.
A recent study found that “on average, developers had access to more than 21,448 new open source component releases every day, since the beginning of 2018.”
Citing numbers from IT analyst firm IDC, the same study said that in 2018, “developers around the world consumed hundreds of billions of open-source software component releases.”
A shout-out to Ankush Das, a tech blogger who put together a really nice list of 11 "open-source" CRM applications for the Linux-focused website It's FOSS.
Das recommended products like SuiteCRM, Vtiger, EspoCRM, YetiForce and others - both well-known and more obscure – and they all represent a good variety of choices for companies that have a developer mindset.
Open source products like the ones included in Das' list mostly come with the ability to be hosted internally or by a hosting provider, offer free and paid versions based on either the number of servers or users and include documentation and support provided by the application’s developer communities.
Open-source software (OSS) is the outcome of several like-minded software developers working together on one piece of software whose objective is to solve a problem, while following the discipline that comes from the Open Source philosophy. This philosophy also allows copyright holders to grant users the right to study, change and distribute the software to anyone for any purpose. It has not only helped in making software faster and of higher quality, but has also made it affordable for various businesses, governments and non-profit organizations.
Linus Torvalds initiated this revolution by releasing the first-ever open-source software, known as the Linux kernel, in the mid-90s; the software industry we see today is an outcome of many such small and big initiatives since then. Many IT companies have built their entire business model around commercial open source, offering business value in the form of subscription services (aka the Opex model) and giving a tough fight to the multi-billion dollar proprietary software industry that sells perpetual software licenses with year-over-year maintenance (aka the Capex model).
Also look at who else is supporting these open source SCADA applications, such as members of Linux or Eclipse Foundations. “Eclipse manages a lot of projects and they have specific project areas for Industrial Internet of Things software, like Paho and Tahu for MQTT and Sparkplug B. These are both open source technologies that are backed by a big organization. That can give a user a lot of confidence that there’s a support mechanism and community behind them.”
ForgeRock extends its leadership in innovation and commitment to developers in providing the IoT Edge Controller as open source under the Apache 2.0 License. Open source customers and partners can more easily build industry-specific solutions with additional functionality, and ultimately drive higher levels of interoperability. More information on ForgeRock’s IoT solutions is here, and to access the open source Edge Controller, please visit here.
Digital identity management solutions provider ForgeRock has announced the availability of its IoT Edge Controller, which provides consumer and industrial manufacturers with the ability to deliver trusted identity at the device level.
In this way, “things” can have the same identity capabilities as traditional (customer or employee) identities.
An end-to-end security solution for IoT deployments, the IoT Edge Controller runs on smart edge devices and provides the privacy, integrity and security required for devices to register as identities in the ForgeRock Identity Platform.
ForgeRock has provided the IoT Edge Controller as open-source under the Apache 2.0 License. Open source customers and partners can more easily build industry-specific solutions with additional functionality, and ultimately drive higher levels of interoperability.
There has perhaps never been so much angst over whether open source software development is sustainable, and yet there has never been clearer evidence that we’re in the golden age of open source.
Or on the cusp. Here and there an open source company might struggle to make a buck, but as a community of communities, open source has never been healthier. There are a few good indicators for this.
It's only been a few years since Amazon unveiled the Alexa-powered Echo, but since then, smart speakers have become a major consumer-electronics category.
Open Hardware: OpenHAK, Rock Pi, RISC-V Foundation and Nvidia GPU Documentation
Joel Murphy and Leif Percifield have been involved in the open source hardware for over 12 years and have now pooled their skills and resources to create the OpenHAK open source fitness tracker. Watch the introduction video below to learn more about the open source fitness system and its features that allows you to keep your data safe and secure.
The developers behind the open source fitness tracker explain more about its inspiration, and why they made OpenHAK: “The short answer, is Because We Can! That’s right, the availability of open-source technology has exploded over the last decade with access to low-cost development boards and powerful code libraries to the point where you’d think simple things like fitness trackers would start to self-assemble in the box on the UPS truck from SparkFruit. Well, we couldn’t wait for that, so we got the basic parts required, poked ’em into place with a soldering iron, stubbed out some codeware, and what do you know? It works! We made OpenHAK because we want to share what we’ve got with you, Dear Backer, and see what we can build together!”
One of the highlights of Linux 5.2 release was support for two new Arm Mali GPU open-source drivers, namely Lima for Mali-4xx GPU...
Red Hat, now part of IBM, joined the RISC-V Foundation to develop support for the open-source instruction set architecture in its Linux distributions.
IBM also formed the OpenPower Foundation in 2013 for open source development of the ISA for its Power-brand microprocessors. Today, OpenPower is backed by Google and Nvidia and others, and the idea is that companies besides IBM can make Power chips.
However, outside of supercomputers and a few data centers, the Power chips aren’t all that ubiquitous, as they tend to cost a pretty penny for similar performance to Intel chips. The recent AMD Epyc Rome server chips have further increased the performance/price competition by several fold, which should make it even more difficult for Power chips to compete in the server chip market.
Nvidia has extended a helping hand to the developers working on Nouveau, the open source Linux driver for Nvidia graphics cards, in a move that comes rather out of the blue.
To be precise, Nvidia has released further GPU hardware documents to aid the project which has had its fair share of thorny issues, shall we say.
Nvidia contacted Phoronix in an emailed statement which reads: “Nvidia has released public, freely available (MIT licensed) documentation of portions of its GPU hardware interface. This is a work in progress; not all interfaces have been published.”
You might want to check if pigs are flying outside your window. Nvidia has published a wealth of GPU hardware documentation on GitHub.
Nvidia GPU hardware documents have been released on GitHub to ease the development of the open source Linux driver known as Nouveau. Open source software like Linux and Nvidia haven’t played nice for a long time, so it’s no surprise that Nvidia has been promising to release the full documentation of its GPUs since 2012. That was the case until now, when Nvidia GPU hardware documents for Linux have been released.
Security: Defcon, GSM, Black Hat, Avaya and DARPA
In a talk at the Defcon hacker conference today in Las Vegas, Jmaxxz described a series of vulnerabilities in MyCar, a system made by Canadian company Automobility, whose software is rebranded and distributed under names including MyCar Kia, Visions MyCar, Carlink, and Linkr-LT1. MyCar's devices and apps connect to radio-based remote start devices like Fortin, CodeAlarm, and Flashlogic, using GPS and a cellular connection to extend their range to anywhere with an [Internet] connection. But with any of three different security flaws present across those apps—which Jmaxxz says he reported to the company and which have since been fixed—he says he could have gained access to MyCar's database backend, letting him or a less friendly hacker pinpoint and steal any car connected to the MyCar app, anywhere in the world.
-
Bill Demirkapi, an 11th grader in Lexington, Massachusetts, had found a vulnerability in Aspen, the software his school uses to deliver students' grades, transcripts, and schedules. With this sort of access, an attacker could obtain a student's password, their birth city, details on their free or reduced lunch, and other information.
But Demirkapi didn't want to abuse the vulnerability he discovered. He wanted to do the responsible thing and let the company that makes the software, Follett Corporation, know about the issue so it can fix it and make students' personal data safer. The problem was that Follett didn't respond to Demirkapi's multiple attempts to warn them about the vulnerability. So he tried a different approach and used a feature of the software to send a message to Follett.
-
Regular GSM calls aren't fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can't just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and listen in on basically anything.
"GSM is a well documented and analyzed standard, but it’s an aging standard and it's had a pretty typical cybersecurity journey," says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. "The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you’re using there is a flaw historically created and engineered that you’re exposing."
-
The popular Black Hat USA 2019 conference was held from August 3 – August 8 at Las Vegas. The conference included technical training sessions conducted by international industry and subject matter experts to provide hands-on offensive and defensive skill-building opportunities. It also included briefings from security experts who shared their latest findings, open-source tools, zero-day exploits, and more.
Tech giants including Apple, IBM, Microsoft made some interesting announcements such as Apple and Microsoft expanding their bug-bounty programs, with IBM launching a new ‘warshipping’ hack, and much more.
Black Hat USA 2019 also launched many interesting open-source tools and products like Scapy, a Python-based interactive packet manipulation program, CyBot, an open-source threat intelligence chatbot, and many other products.
-
Meet Somu, an open-source secure key with FIDO2 support for two-factor authentication or passwordless login to a Microsoft account.
-
Carbon Black (NASDAQ: CBLK), a leader in cloud-native endpoint protection, today announced the launch of “Binee,” an open-source binary emulator that bridges the gap between static and dynamic analysis of real-world malware. Binee empowers researchers to extract run-time data from binaries at a cost, speed and scale previously only possible with static analysis tools, opening up a wealth of run-time malware data for behavioral analysis and machine learning applications.
-
RSA encryption has been around for decades. Unfortunately, so have bad implementations that leave it less secure.
-
At Black Hat USA in Las Vegas, Anomali threat research team manager Joakim Kennedy explained to Eleanor Dallaway why he believes the open source movement in the cybersecurity industry will help to address the skills gap.
“One way of opening up the industry to more people is to provide good free tools accessible to everyone.” The open source movement allows people “to take the toolkits and moderate them.” This, he said, is particularly relevant to teenagers and people outside of the cybersecurity industry who may have an interest in joining. “The best way to learn is to get hold of toolkits and play with them, moderate them,” he said, explaining that his own path into the industry began as a teenager, “using whatever tools were available” and educating himself.
Making these open source tools available “will trigger the interest of the next generation of potential employees by giving them the tools to play with for free and get their interest. We need to get more interested people into the field and there’s a high threshold to get started.” He explained this high threshold means that the paid products and tools in the industry are very expensive. “The license price is too high.”
-
VoIP phones from leading provider Avaya are the latest IoT devices exposed as a cyber risk by security researchers.
-
The issue was discovered by researchers from security firm McAfee and was disclosed Thursday at the DEF CON security conference in Vegas. However, firmware updates have been available since June 25.
The vulnerability is located in the DHCP service, which allows the devices to automatically obtain IP addresses on the network. Attackers can exploit it by sending maliciously modified DHCP responses to the devices, which do not require authentication, and winning a race condition with the network’s legitimate DHCP server.
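The usual defence against a rogue DHCP responder of this kind is to watch which hosts are answering DHCP on a segment, which is what DHCP snooping does on managed switches. The following is an added illustration, not code from McAfee, Avaya or the article: a small Python monitor over a constructed log of server-to-client DHCP messages that flags answers from servers outside an allow-list and transactions answered by more than one server, the signature of the race described above. The log format, the addresses, the allow-list and the function names are all assumptions made for the example.

```python
"""Audit server-to-client DHCP messages for unauthorised responders.

Added example. The log format below is constructed for illustration
and is not the output of any real DHCP server, switch or advisory.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Servers allowed to answer DHCP on this segment (assumed value).
AUTHORISED_SERVERS = frozenset({"10.0.0.1"})

# One constructed line per server->client DHCP message:
#   <timestamp> <type> xid=<transaction id> from <server ip> to <client mac>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<msg>DHCPOFFER|DHCPACK|DHCPNAK) "
    r"xid=(?P<xid>0x[0-9a-fA-F]+) "
    r"from (?P<server>\d{1,3}(?:\.\d{1,3}){3}) to (?P<client>\S+)$"
)

# Constructed sample: transaction 0x1001 is answered by the legitimate
# server and then by an unexpected host that also sends the ACK, i.e. it
# won the race; transaction 0x1002 is answered only by the real server.
SAMPLE_LOG = [
    "2019-08-06T10:00:01 DHCPOFFER xid=0x1001 from 10.0.0.1 to aa:bb:cc:00:00:01",
    "2019-08-06T10:00:01 DHCPOFFER xid=0x1001 from 10.0.0.77 to aa:bb:cc:00:00:01",
    "2019-08-06T10:00:02 DHCPACK xid=0x1001 from 10.0.0.77 to aa:bb:cc:00:00:01",
    "2019-08-06T10:00:05 DHCPOFFER xid=0x1002 from 10.0.0.1 to aa:bb:cc:00:00:02",
    "2019-08-06T10:00:05 DHCPACK xid=0x1002 from 10.0.0.1 to aa:bb:cc:00:00:02",
]


@dataclass(frozen=True)
class Finding:
    kind: str      # "rogue_server" or "contested_xid"
    xid: str
    server: str
    client: str


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, authorised=AUTHORISED_SERVERS):
    """Return findings for every message from a server outside the
    allow-list, plus one finding per transaction the first time a
    second distinct server answers it (the race condition)."""
    findings = []
    servers_by_xid = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        if rec["server"] not in authorised:
            findings.append(Finding("rogue_server", rec["xid"],
                                    rec["server"], rec["client"]))
        seen = servers_by_xid[rec["xid"]]
        if rec["server"] not in seen:
            seen.add(rec["server"])
            if len(seen) > 1:
                findings.append(Finding("contested_xid", rec["xid"],
                                        rec["server"], rec["client"]))
    return findings


def rogue_servers(findings):
    """Distinct server addresses that appeared in rogue_server findings."""
    return {f.server for f in findings if f.kind == "rogue_server"}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind:14} xid={f.xid} server={f.server} client={f.client}")
    print("unauthorised responders:", sorted(rogue_servers(audit(SAMPLE_LOG))))
```

Both checks matter: the allow-list catches a responder that is not on the approved list at all, while the contested-transaction check still fires if an attacker answers from a spoofed, approved source address, because the legitimate server's own answer to the same transaction ID will then appear alongside it.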
-
For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government's mad science wing.
Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD.
Databases: BlazingSQL, Apache Cassandra, CockroachDB
-
Yesterday, the BlazingSQL team open-sourced BlazingSQL under the Apache 2.0 license. It is a lightweight, GPU-accelerated SQL engine built on top of the RAPIDS.ai ecosystem. RAPIDS.ai is a suite of software libraries and APIs for end-to-end execution of data science and analytics pipelines entirely on GPUs.
Explaining his vision behind this step, Rodrigo Aramburu, CEO of BlazingSQL wrote in a Medium blog post, “As RAPIDS adoption continues to explode, open-sourcing BlazingSQL accelerates our development cycle, gets our product in the hands of more users, and aligns our licensing and messaging with the greater RAPIDS.ai ecosystem.”
Aramburu calls RAPIDS “the next-generation analytics ecosystem” where BlazingSQL serves as the SQL standard. It also serves as an SQL interface for cuDF, a GPU DataFrame (GDF) library for loading, joining, aggregating, and filtering data.
-
A new open-source project wants to take analytics to the next level. BlazingSQL is a GPU-accelerated SQL engine built on the RAPIDS ecosystem. RAPIDS is an open-source suite of software libraries for executing end-to-end data science and analytics pipelines entirely on GPUs.
According to the team, BlazingSQL was built to address the expense, complexity and sluggish pace users deal with when working on large data sets.
“BlazingSQL addresses these customer concerns not only with an incredibly fast, distributed GPU SQL engine, but also a zealous focus on simplicity,” Rodrigo Aramburu, CEO of BlazingSQL, wrote in a blog post. “With a few lines of code, BlazingSQL can query your raw data, wherever it resides and interoperate with your existing analytics stack and RAPIDS.”
BlazingSQL enables users to query datasets from enterprise data lakes directly into GPU memory as a GPU DataFrame (GDF). GDF is a project that offers support for interoperability between GPU applications. It also defines a common GPU in-memory data layer.
-
With its roots and foundations in the open source Apache Cassandra database, Santa Clara headquartered DataStax insists that it likes to keep things open.
As such, the company is opening a wider aperture on its collaboration with VMware by now offering DataStax production support on VMware vSAN, now in hybrid and multi-cloud configurations.
-
Cockroach Labs, the New York-based developer of the open source distributed database project CockroachDB, today announced that it’s closed a $55 million, oversubscribed series C round co-led by Altimeter Capital, Tiger Global, and GV (formerly Google Ventures). The raise, which saw participation from existing investors Benchmark, Index Ventures, Redpoint Ventures, FirstMark Capital, and Work-Bench, brings the company’s total capital raised to $108.5 million and comes after a year in which revenue doubled quarter-over-quarter.
