Open-source News

OpenWrt, an open source alternative to firmware for home routers

opensource.com - Tue, 07/12/2022 - 15:00
By Stephan Avenwedde, Tue, 07/12/2022 - 03:00

If you're reading this article from home, you are probably connected through an LTE/5G/DSL/WIFI router. Such devices are usually responsible for routing packets between your local devices (smartphone, PC, TV, and so on) and for providing access to the world wide web through a built-in modem. Your router at home most likely has a web-based interface for configuration. Such interfaces are often oversimplified because they are made for casual users.

If you want more configuration options but don't want to pay for a professional device, you should take a look at an alternative firmware such as OpenWrt.

OpenWrt features

OpenWrt is a Linux-based, open source operating system targeting embedded network devices. It is mainly used as a replacement for the original firmware on home routers of all kinds. OpenWrt comes with all the useful features a good router should have, such as a DNS server (dnsmasq), Wifi access point and client functionality, and PPP for modem connectivity, and, unlike the stock firmware, all of it is fully configurable.

LuCI Web Interface

OpenWrt can be configured remotely by command line (SSH) or using LuCI, a GUI configuration interface. LuCI is a lightweight, extensible web GUI written in Lua, which allows precise configuration of your device. Besides configuration, LuCI provides a lot of additional information, such as real-time graphs, system logs, and network diagnostics.

Image: Stephan Avenwedde, CC BY-SA

There are some optional extensions available for LuCI to add even further configuration choices.

Writeable file system

Another highlight is the writeable filesystem. While the stock firmware is usually read-only, OpenWrt comes with a writeable filesystem thanks to a clever solution that combines OverlayFS with SquashFS and JFFS2 filesystems to allow installation of packages to enhance functionality. Find more information about the file system architecture in the OpenWrt documentation.

Extensions

OpenWrt has an associated package manager, opkg, which allows you to install additional services. Some examples are an FTP server, a DLNA media server, an OpenVPN server, a Samba server to enable file sharing, or Asterisk (software to control telephone calls). Of course, some extensions require appropriate resources on the underlying hardware.

Motivation

You might wonder why you should replace a router manufacturer's firmware, risking irreparable damage to your device and loss of warranty. If your device works the way you want, then you probably shouldn't. Never touch a running system! But if you want to enhance functionality, or if your device is lacking configuration options, then you should check whether OpenWrt could be a remedy.

In my case, I wanted a travel router that I can place in a suitable position when I'm at a campsite in order to get a good connection to the local Wifi access point. The router should connect itself as an ordinary client and broadcast its own access point for my devices. This allows me to configure all my devices to connect to the router's access point, and I only have to change the router's client connection when I'm somewhere else. Moreover, on some campsites you only get an access code for one single device, which I can extend to all my devices with this setup.

As my travel router, I chose the TP-Link TL-WR902AC for the following reasons:

  • Small
  • Two Wifi antennas
  • 5V power supply (USB)
  • Low power consumption
  • Cost effective (you get it for around $30)

To get an idea of the size, here it is next to a Raspberry Pi4:

Image: Stephan Avenwedde, CC BY-SA 4.0

Even though the router has all the hardware capabilities I need, I found out relatively quickly that the default firmware doesn't let me configure it the way I wanted. The router is mainly intended as a Wifi access point that repeats an existing Wifi network or connects itself to the web over the onboard Ethernet interface. The default firmware is very limited for these use cases.

Fortunately, the router is capable of running OpenWrt, so I decided to replace the original firmware with it.

Installation

When your LTE/5G/DSL/WIFI router meets the minimum requirements, chances are high that it's possible to run OpenWrt on it. As the next step, look in the hardware table and check whether your device is listed as compatible and which firmware package you have to choose. The page for the TP-Link TL-WR902AC also includes the installation instructions, which describe how to flash the internal memory.

The process of flashing the firmware varies between devices, so I won't go into detail on this. In a nutshell, I had to connect the device to a TFTP server running on a network interface with a specific IP address, rename the OpenWrt firmware file, and then boot the device while pressing the reset button.

Configuration

Once flashing has succeeded, your device should boot up with the new firmware. It may take a bit longer to boot now, as OpenWrt comes with many more features than the default firmware.

OpenWrt acts as a DHCP server, so in order to begin with configuration, make a direct Ethernet connection between your PC and the router, and configure your PC’s Ethernet adapter as a DHCP client.

On Fedora Linux, to activate the DHCP client mode for your network adapter, first you have to find out the connection UUID by running:

$ nmcli connection show
NAME          UUID         TYPE      DEVICE
Wired Conn 1  7a96b...27a  ethernet  ens33
virbr0        360a0...673  bridge   virbr0
testwifi      2e865...ee8  wifi     --
virbr0        bd487...227  bridge   --
Wired Conn 2  16b23...7ba  ethernet --

Pick the UUID for the connection you want to modify and then run:

$ nmcli connection modify <UUID> ipv4.method auto

You can find more information about these commands in the Fedora Networking Wiki.

After you have a connection to your router, open a web browser and navigate to http://openwrt/. You should now see LuCI’s login manager:

Image: Stephan Avenwedde, CC BY-SA 4.0

Use root as the username, and leave the password field blank.

Configuring Wifi and routing

To configure your Wifi antennas, click on the Network menu and select Wireless.

Image: Stephan Avenwedde, CC BY-SA 4.0

On my device, the antenna radio0 on top operates in 2.4 GHz mode and is connected to the local access point called MOBILE-INTERNET. The antenna radio1 below operates at 5 GHz and has an associated access point with the SSID OpenWrt_AV. With a click of the Edit button, you can open the device configuration to decide whether the device belongs to the LAN or WWAN network. In my case, the access point OpenWrt_AV belongs to the LAN network and the client connection MOBILE-INTERNET belongs to the WWAN network.

Image: Stephan Avenwedde, CC BY-SA 4.0

Configured networks are listed under Network, in the Interfaces panel.

Image: Stephan Avenwedde, CC BY-SA 4.0


In order to get the functionality I want, network traffic must be routed between the LAN and the WWAN network. The routing can be configured in the Firewall section of the Network panel. I didn’t change anything here because, by default, the traffic is routed between the networks, and incoming packets (from WWAN to LAN) have to pass the firewall.

So all you need to know is whether an interface belongs to LAN or (W)WAN. This concept makes it relatively easy to configure, especially for beginners. You can find more information in OpenWrt’s basic networking guide.

Captive portals

Public Wifi access points are often protected by a captive portal where you have to enter an access code or similar. Usually, such portals show up when you first connect to the access point and try to open an arbitrary web page. This mechanism is realized by the access point's DNS server.

By default, OpenWrt has a security feature enabled that protects connected clients from DNS rebinding attacks. OpenWrt's rebind protection also prevents captive portals from being forwarded to clients, so you must disable rebind protection in order to reach captive portals. This option is in the DHCP and DNS panel of the Network menu.

Image: Stephan Avenwedde, CC BY-SA 4.0
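The same setting can be changed from the router's shell with uci instead of LuCI. The script below is an added example, not code from the article or from the OpenWrt project; it assumes the stock /etc/config/dhcp layout, in which dnsmasq's rebind_protection, rebind_localhost and rebind_domain options live in the first dnsmasq section (@dnsmasq[0]). It goes a little beyond the article: next to switching protection off and back on, it shows the rebind_domain list, which leaves protection in place for every name except the one you add, an option for the case where the portal's hostname is known. Setting UCI=echo previews the uci commands without touching the configuration.

```shell
#!/bin/sh
# Added example (not from the article): toggle OpenWrt's DNS rebind protection
# from the command line. Assumes the stock /etc/config/dhcp layout, where the
# dnsmasq options live in the first "config dnsmasq" section (@dnsmasq[0]).
# Set UCI=echo to preview the uci commands instead of applying them.
set -e
UCI="${UCI:-uci}"
DNSMASQ="dhcp.@dnsmasq[0]"

# Restart dnsmasq so the new settings take effect (no-op outside OpenWrt).
reload_dnsmasq() {
    if [ -x /etc/init.d/dnsmasq ]; then
        /etc/init.d/dnsmasq restart
    fi
}

# Switch rebind protection off entirely: this is what the article does via
# LuCI to reach a captive portal. Upstream answers pointing at private
# (RFC1918) addresses are then passed to clients unfiltered.
rebind_disable() {
    "$UCI" set "$DNSMASQ.rebind_protection=0"
    "$UCI" commit dhcp
    reload_dnsmasq
}

# Switch it back on once the portal has been passed; rebind_localhost also
# filters answers in 127.0.0.0/8 for the same reason.
rebind_enable() {
    "$UCI" set "$DNSMASQ.rebind_protection=1"
    "$UCI" set "$DNSMASQ.rebind_localhost=1"
    "$UCI" commit dhcp
    reload_dnsmasq
}

# Narrower option when the portal's hostname is known: keep protection on
# and exempt only that domain (dnsmasq's rebind-domain-ok).
rebind_allow_domain() {
    domain="$1"
    [ -n "$domain" ] || { echo "usage: rebind_allow_domain <domain>" >&2; return 1; }
    "$UCI" set "$DNSMASQ.rebind_protection=1"
    "$UCI" add_list "$DNSMASQ.rebind_domain=$domain"
    "$UCI" commit dhcp
    reload_dnsmasq
}

# Show the current state so you can confirm the change (and remember to revert it).
rebind_status() {
    "$UCI" -q get "$DNSMASQ.rebind_protection" || echo "(unset, defaults to 1)"
}
```

Source the file on the router and call rebind_disable before logging in to the portal and rebind_enable afterwards; rebind_status shows which state is currently committed.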

Try OpenWrt

Thanks to an upgrade to OpenWrt, I got a flexible travel router based on commodity hardware. OpenWrt makes your router fully configurable and extensible and, thanks to the well-made web GUI, it's also appropriate for beginners. There are even a few select routers that ship with OpenWrt already installed. You are also able to enhance your router's functionality with the many available packages. For example, I'm using the vsftp FTP server to host some movies and TV series on a connected USB stick. Take a look at the project's homepage, where you can find many reasons to switch to OpenWrt.


Image: Opensource.com

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

7 kinds of garbage collection for Java

opensource.com - Tue, 07/12/2022 - 15:00
By Jayashree Hutt…, Tue, 07/12/2022 - 03:00

An application written in a language like C or C++ requires you to program the destruction of objects in memory when they're no longer needed. The more your application grows, the greater the probability that you'll overlook releasing unused objects. This leads to a memory leak: system memory is gradually used up until, at some point, there's no more memory to allocate, and the application fails with an OutOfMemoryError. In Java, by contrast, Garbage Collection (GC) happens automatically during application execution, which relieves you of manual deallocation and the memory leaks that come with it.

Garbage Collection isn't a single task. The Java Virtual Machine (JVM) has eight different kinds of Garbage Collection, and it's useful to understand each one's purpose and strength.

1. Serial GC

Image: Opensource.com

A primitive implementation of GC using just a single thread. When Garbage Collection happens, it pauses the application (commonly known as a "stop the world" event). This is suitable for applications that can withstand small pauses. Serial GC has a small footprint, so it is the preferred GC type for embedded applications. It can be enabled at runtime:

$ java -XX:+UseSerialGC

2. Parallel GC

Image: Opensource.com

Like Serial GC, this also uses a "stop the world" method. That means that while GC is happening, application threads are paused. But in this case, there are multiple threads performing GC operation. This type of GC is suitable for applications with medium to large data sets running in a multithreaded and multiprocessor environment.

This is the default GC in JVM, and is also known as the Throughput Collector. Various GC parameters, like throughput, pause time, number of threads, and footprint, can be tuned with suitable JVM flags:

  • Number of threads: -XX:ParallelGCThreads=
  • Pause time: -XX:MaxGCPauseMillis=
  • Throughput (time spent for GC compared to actual application execution): -XX:GCTimeRatio=
  • Maximum heap footprint: -Xmx
  • Parallel GC can be explicitly enabled: java -XX:+UseParallelGC. With this option, minor GC in the young generation is done with multiple threads, but GC and compaction in the old generation are done with a single thread.

There's also a version of Parallel GC called Parallel Old GC, which uses multiple threads for both young and old generations:

$ java -XX:+UseParallelOldGC

3. Concurrent Mark Sweep (CMS)

Image: Opensource.com

Concurrent Mark Sweep (CMS) garbage collection runs alongside an application. It uses multiple threads for both minor and major GC. Compaction of live objects isn't performed in CMS GC after deleting the unused objects, so the pause time is shorter than with other methods. Because this GC runs concurrently with the application, it slows the application's response time. It is suitable for applications that need low pause times. This GC was deprecated in Java 8u and completely removed from 14u onwards. If you're still using a Java version that has it, though, you can enable it with:

$ java -XX:+UseConcMarkSweepGC

In the case of CMS GC, the application is paused twice. It's paused first when it marks the live objects that are directly reachable; this pause is known as the initial mark. It's paused a second time at the end of the CMS GC phase, to account for objects that were missed during the concurrent cycle because application threads updated them after CMS GC had marked them; this is known as the remark phase.

4. G1 (Garbage First) GC

Image: Opensource.com


Garbage First (G1) was meant to replace CMS. G1 GC is parallel, concurrent and incrementally compacting, with low pause times. G1 uses a different memory layout than CMS, dividing the heap into equal-sized regions. G1 triggers a global mark phase with multiple threads. After the mark phase is complete, G1 knows which regions are likely to be mostly empty and chooses those regions for the sweep/deletion phase first.

In the case of G1, an object that's more than half a region size is considered a "humongous object." These objects are placed in the Old generation, in a region appropriately called the humongous region. To enable G1:

$ java -XX:+UseG1GC

5. Epsilon GC

This GC was introduced in 11u and is a no-op (do nothing) GC. Epsilon just manages memory allocation; it doesn't do any actual memory reclamation. Epsilon is intended only for cases where you know the exact memory footprint of your application and know that it is garbage-collection free.

$ java -XX:+UnlockExperimentalVMOptions -XX:+UseEpsilonGC

6. Shenandoah

Shenandoah was introduced in JDK 12 and is a CPU-intensive GC. It performs compaction, deletes unused objects, and releases free space to the OS immediately. All of this happens in parallel with the application threads themselves. To enable Shenandoah:

$ java -XX:+UnlockExperimentalVMOptions \
    -XX:+UseShenandoahGC

7. ZGC

ZGC is designed for applications that have low latency requirements and use large heaps. ZGC allows a Java application to continue running while it performs all garbage collection operations. ZGC was introduced in JDK 11u and improved in JDK 12. Both Shenandoah and ZGC have been moved out of the experimental stage as of JDK 15. To enable ZGC:

$ java -XX:+UnlockExperimentalVMOptions -XX:+UseZGC

Flexible garbage collection

Java provides flexibility for memory management. It's useful to get familiar with the different methods available so you can choose what's best for the application you're developing or running.
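Since several of the flags above only work on particular JDK releases (CMS is gone, and Epsilon, Shenandoah and ZGC needed -XX:+UnlockExperimentalVMOptions for a while), it is worth confirming which collector a JVM actually selected rather than assuming the flag took effect. The script below is an added example, not from the article: it parses the output of java -XX:+PrintFlagsFinal -version, which lists every VM flag with its value and origin, and reports the Use*GC flag that is true together with whether it came from the command line or was chosen ergonomically. The embedded sample is constructed in that output format so the parser can be exercised without a JVM; jvm_gc runs the real command.

```shell
#!/bin/sh
# Added example (not from the article): find out which collector a JVM
# actually selected by parsing "java -XX:+PrintFlagsFinal -version".
# Lines look like:   bool UseG1GC = true {product} {ergonomic}
# Column widths vary between releases, so fields are split on whitespace.
set -e

# Print the names of the Use*GC flags that are set to true, one per line.
active_gc() {
    awk '$1 == "bool" && $2 ~ /^Use[A-Za-z0-9]*GC$/ && $3 == "=" && $4 == "true" { print $2 }'
}

# Print the active collector together with its origin, i.e. the last {...}
# token on the line: "command line", "ergonomic" or "default".
gc_origin() {
    awk '$1 == "bool" && $2 ~ /^Use[A-Za-z0-9]*GC$/ && $4 == "true" {
        s = $0
        while ((i = index(s, "{")) > 0) s = substr(s, i + 1)   # keep text after the last "{"
        sub(/}[ \t]*$/, "", s)                                 # drop the closing brace
        print $2, s
    }'
}

# Run a JVM with the given flags and report what it picked, e.g.
#   jvm_gc -XX:+UseSerialGC
# PrintFlagsFinal goes to stdout, -version output to stderr (discarded here).
jvm_gc() {
    java "$@" -XX:+PrintFlagsFinal -version 2>/dev/null | gc_origin
}

# Constructed sample in the PrintFlagsFinal format (values made up) so the
# parser can be tried without a JVM: printf '%s\n' "$SAMPLE_FLAGS" | gc_origin
SAMPLE_FLAGS='     bool UseG1GC                                  = true                                      {product} {ergonomic}
     bool UseParallelGC                            = false                                     {product} {default}
     bool UseSerialGC                              = false                                     {product} {default}
     bool UseZGC                                   = false                                     {product} {default}
    uintx ParallelGCThreads                        = 4                                         {product} {default}
     bool UseShenandoahGC                          = false                                     {product} {default}'
```

On a JDK 11+ installation, `jvm_gc` with no arguments shows the ergonomically chosen default, and `jvm_gc -XX:+UseSerialGC` should report `UseSerialGC command line`; if a flag from this article is rejected by your release, java exits with an error and nothing is printed.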

Learn about the choices you have in Java for memory management.

Image: Photo by Nathan Dumlao on Unsplash

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

How To Set Correct SSH Directory Permissions in Linux

Tecmint - Tue, 07/12/2022 - 13:39
The post How To Set Correct SSH Directory Permissions in Linux first appeared on Tecmint: Linux Howtos, Tutorials & Guides .

For SSH to work well, it requires correct permissions on the ~/.ssh or /home/username/.ssh directory: the default location for all user-specific ssh configuration and authentication files. The recommended permissions are read/write/execute for the user,

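The teaser above breaks off before the actual numbers. As an added example (not from the Tecmint article), here is an audit-and-fix function for a user's .ssh directory that applies the modes ssh and sshd themselves enforce: 700 on the directory, 600 on private keys, authorized_keys and config, and 644 on public keys and known_hosts. ssh refuses to use a private key that other users can read, and sshd with StrictModes (the default) ignores an authorized_keys file, or a .ssh directory, that is writable by others. Private keys are recognised by their "-----BEGIN ... PRIVATE KEY-----" header rather than by file name, and the directory is a parameter so the function can be run against a test copy first.

```shell
#!/bin/sh
# Added example (not from the Tecmint article): audit and repair the
# permissions of an ssh client directory. Modes are the ones ssh/sshd
# enforce: 700 for the directory, 600 for private keys, authorized_keys
# and config, 644 for public keys and known_hosts.
set -e

# Print a file's mode in octal; GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Change the mode only if it differs from what we want, and report it.
set_mode() {
    want="$1"; path="$2"
    [ -e "$path" ] || return 0
    have=$(mode_of "$path")
    if [ "$have" != "$want" ]; then
        chmod "$want" "$path"
        echo "fixed $path: $have -> $want"
    fi
}

# Audit and fix the given directory (defaults to ~/.ssh).
fix_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    set_mode 700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            authorized_keys|config) set_mode 600 "$f" ;;
            known_hosts|*.pub)      set_mode 644 "$f" ;;
            *)
                # Anything else is a private key if it carries the PEM/OpenSSH header.
                if head -n 1 "$f" 2>/dev/null | grep -q -- '^-----BEGIN .*PRIVATE KEY-----'; then
                    set_mode 600 "$f"
                fi ;;
        esac
    done
}
```

Run `fix_ssh_perms` with no argument to repair your own ~/.ssh; it prints one line per file it had to change and nothing when everything is already correct.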

Ready to earn our success

Red Hat News - Tue, 07/12/2022 - 12:00

Editor’s note: Today, we announced that Matt Hicks will assume the role of president and chief executive officer of Red Hat, succeeding Paul Cormier who will serve as chairman of Red Hat, Inc. Matt shared the following email with Red Hatters. 

Hi all,

Taking the next step in Red Hat’s journey

Red Hat News - Tue, 07/12/2022 - 12:00

Editor’s note: Today, we announced that Matt Hicks will assume the role of president and chief executive officer of Red Hat, succeeding Paul Cormier who will serve as chairman of Red Hat, Inc. Paul shared the following email with Red Hatters. 

---

Hi all, 

In a few moments, we will publicly share an update about Red Hat’s leadership team externally. Before we do, I wanted to share it with you. 

AMD Is Hiring To Improve Its Linux Graphics Driver Installation Experience

Phoronix - Tue, 07/12/2022 - 07:50
While AMD's open-source Linux graphics driver stack is wonderful if you live on the bleeding edge with a modern Linux distribution, it can be more of a pain for those on enterprise Linux distributions that stick to older package versions for the support lifetime, or for those who want to run a vetted/qualified driver stack. AMD's packaged Linux driver stack only supports a select set of enterprise Linux distributions, and trying to run it elsewhere, or even on brand new LTS distributions, can hit pain points or lack support at times. There are also challenges in installing/running the ROCm compute stack outside of the few Linux distributions officially supported by AMD. Fortunately, they are now hiring Linux build engineer(s) to work on such issues...

Hendrick and Jarvis Talk Software Security

The Linux Foundation - Tue, 07/12/2022 - 07:04

While open source software is ubiquitous and generally regarded as being secure, software development practices vary widely across projects regarding application development practices, protocols to respond to defects, or lack of standardized selection criteria to determine which software components are more likely to be secure. Consequently, software supply chains are vulnerable to attack, with implications and challenges for open source project communities. 

To help improve the state of software supply chain security, the Linux Foundation, the Open Source Security Foundation (OpenSSF), Snyk, the Eclipse Foundation, CNCF, and CI/CD Foundation conducted research and released the findings in the report, Addressing Cybersecurity Challenges in Open Source Software, during the 2022 Open Source Summit North America. 

At the Summit, Stephen Hendrick, LF’s Vice President of Research, and Matt Jarvis, Director of Developer Relations at Snyk, sat down with Alan Shimel of TechStrong TV to discuss the findings and next steps. Here are some key takeaways:

Alan: “ I think we’re always disappointed when we do the surveys that we find out, you know, beyond the lip service that gets paid to security, what actually is going on under the covers, and we’re always wishing for and hoping for more. That being said, I don’t want to be pessimistic. I am of the glass half full opinion that we are doing better and more security now than we probably ever have done.”

Stephen: “On the issue of, do organizations have an open source security policy. What we found was 49% said they had one, that’s good. 34% did not. And 17% said they don’t know.”

Matt: “In larger enterprises… you’ve got that kind of ingrained culture over a long time in terms of security and about how you consume software. . . the hardest problem in security isn’t really about technology at all. It’s always about people and culture. . . We’ve got two kinds of things happening in almost a perfect storm. At the same time, we’ve got this massive rise in supply chain attacks on open source, because, you know, it’s a victim of its own success. And attackers have realized it’s a lot easier to get into the supply chain than it is to find zero days in end user applications. So you’ve got that going on, where all of a sudden, folks are going, well, everything we do is based on open source, like, what do I do about security? And then, as Steve pointed out, you’ve got this, this ongoing, massive transformation of how we develop software, you know, this superfast high velocity.”

Stephen: “We asked. . . how do you intend to improve on the situation?. . . Top of the list was organizations are looking for more intelligent tools. . .  That was at 59%. . . Right behind that at 52% was a strong desire to understand and essentially codify best practices for how to do secure software development”

Matt: “Culture change is such a big part of how you make that transition from your kind of old school, security as gatekeeper kind of function, to this thing, where we put it to the developers, because the developers are the ones who, you know, you fix it at the developer eyeball before it’s got anywhere near production. That is the cheapest.”

Stephen: “You know, I did a report last year on SBOMs. And I gotta tell you that factors right into this. . . we did some stats in this survey on dependencies, you know, both direct and transitive, and found, really, sort of low levels of strong, strong security around organizations understanding the security posture of all these different dependencies and dependencies of dependencies. Really low numbers there. SBOMs would go so far in helping sort all that out.

“They’re going to give you knowledge about the metadata, it’s gonna give you usability, so you know that you’re licensed to use the stuff, and it’s going to know if it was good, if you trust that not only what you’re looking at for metadata is not falsified, but also understanding quite clearly, you know, what’s been fixed, what hasn’t been fixed from a vulnerability standpoint.”

Matt: “I think when people think about policies, they think, Oh, this needs to be like a 100 page document of some kind, you know, then it becomes overwhelming, but really a policy can be a one liner.”

Watch the full interview and read the transcript below.

Alan Shimel 0:00
This is Alan Shimel with Tech Strong TV. We’re back here live in Austin streaming out at you from the Open Source Summit. We’re having a great time. This is our third day of coverage here, though technically, it’s only day two of the event. It’s a long story, but we’ll talk about it later. Let me introduce you to our next two guests. This is a conversation I was really looking forward to. To my left here is a gentleman who’s been on fixture on TV a few times with us and talked in person, great person. He’s the VP of Research for the Linux Foundation, Stephen Hendrick. Stephen, welcome.

Stephen Hendrick 0:42
Thanks, Alan.

Alan Shimel 0:43
And joining Stephen and I from our friends at Snyk, Matt Jarvis. And Matt, if I’m not mistaken, you’re director of developer relations. Welcome.

Matt Jarvis 0:55
Thank you.

Alan Shimel 0:55
So Stephen and Matt presented, was it yesterday. Yeah, yesterday, on a new survey that you guys recently announced and revealed and report. Why don’t you if you don’t mind share with everybody

Stephen Hendrick 1:10
Sure, I’d love to. OpenSSF is a very large project inside of the Linux Foundation. Brian Behlendorf, yeah. And so at his request, we went out and did a survey into sort of what’s happening in the open source space as far as secure software development. So we put together a survey in March, we fielded that it in April, we wrote it up in May, and had it produced in June. And so it’s being released here at the event. I think that happened yesterday morning. We did it in partnership with Snyk. So that’s why we’ve been working together with the messaging on all this.

Stephen Hendrick 1:55
And it’s it was not a surprise from the standpoint of what the results were. But it wasn’t, I was a little disappointed in kind of where we are at this point, from the standpoint of the uptake of attention to security when it comes to open source. So anyway, so we’ve got information that talk a little bit about, you know, where we are, you know, help, sort of, to understand the context of the problem. And then they have information about what people are doing about it. And it’s, that’s more exciting in many respects, because good things are happening.

Alan Shimel 2:33
I agree. So first of all, look, I think we’re always disappointed when we do the surveys that we find out, you know, beyond the lip service that gets paid to security, what actually is going on under the covers, and we’re always wishing for and hoping for more. That being said, I don’t want to be pessimistic I am of the glass half full opinion that we are doing better and more security now than we probably ever have done. Yeah. Yeah, I agree. That being said, Before we dive into it, I just wanted to really just quickly, so OpenSSF is the website? Yeah. And I’m going to assume that the report is there for anyone who wants to download it. That’s right. Let’s take let’s say that up front for people at home following along, or whether it’s live while you’re watching this.

Stephen Hendrick 3:30
It’s on the Snyk site. It’s so on the Linux Foundation site and it’s on OpenSSF. So yeah, it’s everywhere.

Alan Shimel 3:37
I think we might have covered it via Snyk over on Security Boulevard.

Matt Jarvis 3:41
I think I did some I did some press interviews. Before flying out here. So, yeah, we may have.

Alan Shimel 3:46
It may very well be on our Security Boulevard site. But nevertheless, it’s out there for people. Yeah. Let’s dive in now, though, what was some of the findings? Stephen?

Stephen Hendrick 3:55
Sure. Well, let’s see what we’ll start with this, this whole issue of do organizations have an open source security policy? And what we found was 49% said they had one, that’s good. That’s good. 34% did not. And 17% said they don’t know. Everybody uses open source – 98% of organizations use it so. So they don’t even know they don’t know if they have one or not. So if you take put aside the don’t knows at this point, you’ve got about a 60/40 split between use that don’t have a policy and don’t have a policy.

Stephen Hendrick 4:37
I mean, if you look a little more deeply into that, what you find is that small companies are more likely to not have a policy and that’s not surprising, they have resource constrained so it’s harder for them to have CISOs and OSPOs and policies be it for either just software development or open source software development so I can understand challenges there. So, but the idea of when you, even if you look at company size, we still ended up with about 30% of large and very large organizations that don’t have a policy for open source software development.

Alan Shimel 5:16
So a couple of thoughts. First of all, I empathize with small SMB businesses. We are an SMB business, but in today’s day and age, and maybe it’s when you’re a hammer, everything looks like a nail, but in today’s day and age, how do you not have security policies?

Matt Jarvis 5:40
Yeah, I mean, I think that there’s, there’s a couple of different things at play there. I mean, you know, addressing open source security, you know, is, is more complex than than it seems, because it’s not just about the code itself, you’ve kind of got to understand how open sources is created, how projects are governed, because governance can have a big play into, you know, whether we’re looking at some of those recent things around the sort of protestsware movement, where we’ve seen maintainers kind of go rogue, you know, and this comes down to single maintainer governance projects. And you need to take those things like governance into account if you’re going to base your business on something.

Alan Shimel 6:24
Right, but you just said, and that’s a completely loaded question. I would bet, if I was a betting man, right, that at the large enterprise level, you’re 100%, correct. At the SMB level, if you ask most of these people a threshold question of where is your open source software, it’s 10 o’clock, where’s your open source software? And a lot of them don’t know, because they’re SaaS-ops companies, right? They don’t they don’t have a server closet, their cloud installation – they run it on SaaS. And so the beautiful part about SaaS is, one of the nice things about it, is you don’t know what’s behind the curtain, you just know, you log in on the website, and you’ve got all your information there that you need. Are they using an open source database? Are they using, you know, what are they using behind the curtain? A lot of smaller companies don’t know. And as part of their due diligence, they don’t dig that deep. So I could, again, I can empathize with the larger ones, the larger enterprises, though, that’s a problem that is that I think,

Matt Jarvis 7:39
You know, in a lot of those larger enterprises, you’re you’ve got that kind of ingrained culture over a long time in terms of security and about how you consume software. And you know, the hardest problem in security isn’t really about technology at all right? It’s always about people and culture. And I think, you know, probably in a lot of larger organizations, you’ve got kind of, you know, that sort of friction of, well, we’ve always done it like that.

Stephen Hendrick 8:07
Well, you also have a lot of change going on from standpoint of how software is being developed. And I think that’s part of the problem as well, which is that, you know, change is always hard for people. And especially given the rapid evolution of tools and standards, in essence around how we should do security for software. Everything’s changing so quickly, it’s I think, it’s probably hard for people to keep up.

Matt Jarvis 8:33
Because we’ve got these two kind of things happen in almost a perfect storm. At the same time, we’ve got this massive rise in supply chain attacks on open source, because, you know, it’s a victim of its own success. And attackers have realized it’s a lot easier to get into the supply chain than it is to find zero days in end user applications. So you’ve got that going on, where all of a sudden, folks are going, well, everything we do is based on open source, like, what do I do about security? And then, as Steve pointed out, you’ve got this, this ongoing, massive transformation of how we develop software, you know, this superfast high velocity,

Alan Shimel 9:10
I blame DevOps?

Matt Jarvis 9:15
Unless you do, and unless you can transform, you know, someone’s going to eat your lunch, right? Because there’s some hungry competitor behind you who’s disruptive and who does have a superfast software delivery pipeline. They can deliver new features, they know how to analyze the data. And so for a lot of big organizations, you’ve got these two big problems happening right at the same time, because that change in software development requires a completely different approach to security. You know, this space that it’s the thing that Snyk talks about all the time about developers?

Alan Shimel 9:45
I mean, you look at let’s say, the Phoenix Project by Gene Kim, right. And that’s based on a book called The Goal. Yeah, right. And the thing about, so The Goal is about manufacturing, but really the principle behind The Goal, and I think Gene tried to capture that in the Phoenix Project, is that, look, as soon as we kind of erase one bottleneck, we see that next bottleneck right behind it. Don’t think that once you get rid of that bottleneck its smooth sailing, it’s not. We have massively, revolutionarily speeded up the pace of software development. We did it in large part by creating this software factory pipeline, CI/CD, DevOps kind of things. The enabler of that was having this massive library of open source that we can assemble into a very high quality software.

Alan Shimel 10:43
Man, we blew through that roadblock at 150 miles an hour. The wall we hit right after is, wait a second, now, that’s become a huge security problem. Right? So for companies that are developing their own code, this is a major thing? Knowing that though, and still telling me that 30% of the companies don’t have a policy around it, scary. Yeah, it is.

Stephen Hendrick 11:09
Well, let’s we should we should talk about what people are doing about trying to deal with this. Right.

Alan Shimel 11:14
Here’s the good news.

Stephen Hendrick 11:14
So we asked a question, which was, okay, so how do you intend to improve on the situation? What do you what are you doing, and we had quite a long list of responses. Top of the list was, organizations were looking for more intelligent tools from a threat where repetitive security focus. So we’re talking SCA, SAST, DAST, IAC, you know, all the usual suspects, and looking really, to those tools to be able to help them improve their security posture. So that was top of the list. That was 59%.

Stephen Hendrick 11:52
And then right behind that at 52% was a strong desire to understand and essentially codified best practices for how to do secure software development. That was really encouraging, because we know all about best practices. Yep. Know exactly what they all are. In fact, David Wheeler, at LF.

Stephen Hendrick 12:14
We had David A. Wheeler. We interviewed David yesterday and we have a follow-up as well.

Stephen Hendrick 12:32
He and I had lunch yesterday, and we were talking about this, because I said, you know, how many best practices do you have? So we know counted them all up – he’s got like, 150, 160. So that’s kind of daunting. And he said, like the last 25 to get to the highest level can take, in some cases, years to master. So this is, this is, despite understanding what these best practices are, it’s still very challenging to wrap your head around what is necessary to be successful there.

Matt Jarvis 13:00
It’ll be good. And partly because, you know, as we were just talking about that, that culture change is such a big part of how you make that transition from, you know, you kind of old school, security as gatekeeper kind of function, to this thing, where we put it to the developers, because the developers are the ones who, you know, you fix it at the developer eyeball before it’s got anywhere near, you know, production. That is the cheapest.

Alan Shimel 13:28
Say 10 to 100x cheaper to do there.

Matt Jarvis 13:30
I mean, we look at the other interesting thing here that’s slightly tangential to this, but is like how many developers there are in the world, right, and how many we anticipate there being you know, there’s something like, I think the anticipation is something like 30 million developers in the world, and there’s only, like, a tiny proportion of security folk.

Alan Shimel 13:51
So I go by GitHub accounts. Right? There’s about 70 plus million GitHub accounts right now. So let’s assume it’s not one-to-one. But I think it’s safe to say this 40 to 45 million developers, probably growing at somewhere in the area of 10% a year.

Matt Jarvis 14:08
And security professionals aren’t aren’t growing at that rate.

Alan Shimel 14:13
So security professionals are growing because we’re starting to see, look, when I came up, you didn’t have a cybersecurity major in college. We’re seeing schools churn out cybersecurity majors. Are they security professionals? I’ll leave it to you. But there are people coming out here who want to work in security, but not anywhere near I mean, you’re talking here in here.

Alan Shimel 14:39
Here’s an interesting thing, though. And I think it’s what’s turning up the heat on all of this, is that this is getting major focus from the White House, from the federal government. The whole world is saying hey, this is a problem. This is a big problem.

Stephen Hendrick 14:58
Well, you know, you got to do something you You know, I did a report last year survey on SBOMs. Yep. And I gotta tell you that factors right into this No, of course, because, you know, we did some stats in this survey on dependencies, you know, both direct and transitive, and found, really, sort of low levels of strong, strong security around, you know, organizations understanding the security posture of all these different dependencies and dependencies of dependencies. Really low numbers there.

Stephen Hendrick 15:34
SBOMs would go so far in helping sort all that out, because, you know, SBOMs, they’re going to give you knowledge about the metadata, it’s gonna give you usability, so you know that you’re licensed to use the stuff, and it’s going to know if it was good, if you trust that not only what you’re looking at for metadata is not falsified, but also understanding quite clearly, you know, what’s been fixed, what hasn’t been fixed from a vulnerability standpoint.

Alan Shimel 15:59
So I’ll tell you over the last two days, we’ve, we’ve done a lot of interviews, but no shortage of people talking about SBOMs and SBOM solutions. I think we’re going to see, just like everything else in technology, we’re gonna see sort of a camp Cambrian explosion of SBOM solutions out there, and then the market will figure out which ones make sense, which ones don’t. My fear is that we, we think SBOMs are a magic bullet for supply chain security, because we have a tendency of doing that in security.

Matt Jarvis 16:33
Ultimately I think the real challenge here is going to be the chain of trust part of that, right? Because what’s an SBOM at the end of the day, it’s a text file with some stuff.

Alan Shimel 16:43
Oh, no, but they’re, you know, they’re, they’re building some elaborate text files in there.

Stephen Hendrick 16:49
It’s a lot of good metadata. Yeah, but one more point I want to touch on, though, is that the number three issue from the standpoint of doing improvements to your software security posture was more automation. So IAC tools ended up ranking very highly from the standpoint of helping you address that particular need, and just for our audience, IAC (infrastructure as code), right. Okay. So that one actually surprised me, because this whole idea of, you know, developers/manual activities, not only that is a great way to invite in problems. And so more automation, ultimately, is better.

Matt Jarvis 17:33
We did some some work last year as part of our cloud native application security report. And what was really interesting there was, you know, we kind of use high levels of development automation, i.e. automated CI/CD pipelines and all that stuff as a as a proxy for how far along your cloud native journey you are. I think it’s a pretty reasonable proxy to take. And in organizations with those high levels of deployment automation, for a start, we see much higher levels of adoption of security tooling, because automation gives you lots of places where you can hook in other automation. But, most importantly, we see massive reduction in the time to fix the vulnerabilities. Because through directly through a direct correlation to okay,

Alan Shimel 18:25
I’ve been in security a long time. We had a vulnerability solution company I founded back in 2005. Back then, there was a company called Hercules – Citadel was the company Hercules was the product, right? They were doing, you know, they were pushing automated remediation. There’s several companies today that have automated remediation. For whatever reason, up until now, organizations have been hesitant to adopt automated remediation, because they’re afraid it’s going to break something else if it’s in a totally automated situation. Now, doing this further left in the in the development pipeline, if it’s broken, supposedly, that should come up in testing.

Matt Jarvis 19:16
I mean, this is again what we see when when companies adopt Snyk, is like, you know, the the automated remediation part of in terms of automated fix PRs, you know, is, is probably not where people start, but very quickly, they go out.

Alan Shimel 19:33
Yeah, look, this is a no brainer. Yeah, absolutely, because it goes back to what I said before blame DevOps, right. If we are going to automate the CI/CD pipeline, we’re going to automate building software, the answer cannot be that we’re going to manually do security. It just doesn’t work. It’s a disconnect.

Matt Jarvis 19:54
Yeah, I mean, and it’s an anti-pattern in terms of velocity, right. I mean, velocity is the key differentiator for whether, sort of, visitors in the cloud era are going to survive. Absolutely, because if you don’t have velocity, you are probably done.

Alan Shimel 20:08
No, but a lesson we learned in security, or we should have learned over the last 25 years, is if we are going to drag our heels and dig our heels in and say no, no, no, no. You know what? The train leaves the station without you. Yeah. So easy to get on board and figure out yes, we can. And here’s how we’ll get out of the way. Right? Lead, follow, get out of the way. Security cannot be the drag on this because velocity is too important.

Matt Jarvis 20:36
And where we see folks who’ve successfully made this transition to developer-first, you see this sort of this change in security teams from kind of being gatekeepers to being enablers.

Alan Shimel 20:41
DevSecOps right there. Yeah, you just the just the the heart of it. That’s it. Steven, anything else?

Stephen Hendrick 21:02
So what’s the answer to this issue of not having a security policy? I mean, is it, Do you need to start with the CISO? Did you start with an OSPO? Do you need, or at least part time roles and people in organizations, you know, in those functions if you are small? I’m not sure what the answer is, but I mean, we need one.

Matt Jarvis 21:27
I think when people think about policies, they think, Oh, this needs to be like 100 page document of some kind, you know, this is it becomes overwhelming, but really a policy can be a one-liner. I mean, we, we have this conversation a lot when people start to adopt security scanning, right, they’ve done no security scanning before, and they scan this software, and they go, Oh, my God, I’ve got like 500 vulnerabilities. What do I do? But you’ve got to just pick a starting point. Right. And I mean, usually, you know, a sensible place would be no critical vulnerabilities that have got a fix in production. Well, there’s a policy right there, right. And it’s three lines. I, and it’s better than having these zeros.

Alan Shimel 22:06
100% right. I run into this firsthand. People, they hear we need a security policy, they think I need the employee handbook, right, that comes from you know, this thick. You know, it could be one page or five bullet points. Anything that’s critical is worthy to stop production. Anything not critical does not stop production but has to get fixed within 30 days. That’s a policy.

Matt Jarvis 22:32
I mean, there’s plenty of great, templated stuff of usage of open source. You know, this stuff by the way.

Alan Shimel 22:39
I’d love to the OpenSSF have a library of that kind of thing. Yeah.

Stephen Hendrick 22:47
And actually, the good news is once you have policy then automation can follow up pretty quickly. That’s that’s, that’s the right path. You’re right.

Alan Shimel 22:54
Guys, we’ve got our next guest here in the wings. We could talk about this all day, I’m sure. I’d love to, but it wouldn’t be fair to them. Again, you can get this survey over on the Snyk site, which is snyk.io. Or on the OpenSSF site.

Alan Shimel 23:17
Steven, good work again. I love your surveys. Very good. We are going to take a quick break. We’re going to make up our next guest and we’ll be right back here with live in Austin.

The post Hendrick and Jarvis Talk Software Security appeared first on Linux Foundation.

LEGO and Angel Island

The Linux Foundation - Tue, 07/12/2022 - 03:06

Like many of the folks in open source, the LF’s Kenny Paul is a huge fan of building things out of LEGO. For Kenny however, it goes a bit beyond just opening a box and following the instruction book. In fact, he rarely ever builds anything from a kit, instead building highly complex and detailed models entirely from his imagination. Yes, for you LEGO Movie fans, Kenny is a Master Builder.

“When I get a new kit I usually look at it in terms of pure raw material rather than whatever is shown on the box,” he says with a smile radiating the possibilities. That approach seems to have worked quite well for him for a long time now. Over the holiday season he builds a 120 square foot display in his garage that often draws 300+ people a day, he worked on the Mythbusters’ Giant LEGO Ball episode (#117), he has scale models of farm equipment in the permanent collection of a local museum, and in January of 2020 he finished second in a competition for one of LEGOLand’s coveted LEGO Master Model Builder positions, of which there are only 13 in all of North America.

Photos: MythBusters Giant LEGO Ball mid-build, LEGOLand’s LEGO Master Model Builder Competition, and Kenny’s holiday garage display

Angel Island

However, he recently finished a project that he says has been the most difficult and meaningful project he has ever been a part of. The subject matter revolves around a troubling chapter in American history and a small bit of rock and scrub brush in the middle of San Francisco Bay called Angel Island.

Ask your average 4th grader if they have ever heard of Ellis Island and they can probably tell you at least something about the well-known narrative surrounding immigration and the United States. Ask them about Angel Island, however, and you’ll probably get a confused look and a shake of the head.

Although Angel Island was often called “The Ellis Island of the West” in the early 1900s, it was anything but welcoming. In reality it was established specifically for the purpose of excluding immigration for those of Asian descent and Chinese immigrants in particular. It wasn’t a place for “Give me your tired, your poor, your huddled masses…” It was more like, “Nope, talk to the hand.”

Japanese Internments

When Japan attacked the US Naval base at Pearl Harbor on December 7th, 1941, Angel Island took on an entirely new role during the early stages of the war, but one that was unfortunately still in line with its original anti-Asian roots. Many people are still unaware that following Pearl Harbor, the US Government, on the orders of President Franklin D. Roosevelt, rounded up thousands of US citizens and put them into internment camps for the duration of the war simply because of their Japanese ancestry. Yes, that’s right. This included US citizens who were officially reclassified as enemies of the state purely based upon their heritage. For the first wave of those who were incarcerated, Angel Island was used as the processing center before they were sent off to one of the infamous internment camps across the US, like Manzanar, Tule Lake, or Heart Mountain.

How to educate children about the history?

Remember how we mentioned 4th graders earlier? Well, learning about California history is a pillar of the 4th grade curriculum here in the Golden State and that is what led to this particular project. The problem? Hundreds of 4th graders tour Angel Island every year – how do you engage them on very painful and hard to understand subject matter like internment? Well, the folks from the California State Park system and the Angel Island Immigration Station Foundation, which runs the museum there, thought that a LEGO model of the site as it existed during WWII might help bridge that gap.

AIISF reached out to the local LEGO club in the Bay Area in August of 2021 to see if anyone might be interested in volunteering for a project. A number of folks joined the introductory Zoom call, but after hearing the scope of what was being requested, it was clear that this was a long duration project that would take months to complete. After that first meeting, only Kenny and two other members of the club, Johannes van Galen and Nick McConnell, agreed to proceed with the build.

The LEGO Build

The model was unveiled as the center anchor point for the exhibit, “Taken From Their Families; …” in May, which is Asian & Pacific Islander Heritage Month. Measuring 4 feet by 6 feet, it contains an estimated 30,000 LEGO pieces. The trio invested over 400 hours between research, design, procuring the parts, and of course the build itself.

Getting the model to the museum was no easy feat either. It had to be built in sections, moved by van about 60 miles from where it was being constructed, taken over to the island on a state park supply ship, then reassembled and “landscaped” once on site. 

The Research

“The research aspect was really fascinating to me”, said Kenny, who was responsible for building all of the buildings. He spent countless hours poring through archival photos and diagrams and topographic maps provided by the state park and even went as far as looking at records from the Library of Congress in some cases. The goal was to be as accurate as possible while still working within the limitations of scale, plus LEGO part and color availability. In one case that research took an unexpected turn that, as Kenny puts it, “Stood the hairs up on the back of my neck.”

The largest building in the camp during WWII was still under construction when the war broke out. It replaced a previous building which burned to the ground in 1940. After Pearl Harbor, the new building was rapidly completed and pressed into service. Following the War, it was bulldozed by the Army. The problem was that no one working on the project could figure out what that building actually looked like. Only two grainy photos of the WWII era building could be found and neither photo made sense when compared to the building foundations that can still be seen on the island today. Then Kenny realized a well-known watercolor drawing in the museum’s collection solved the puzzle. The most remarkable aspect of the drawing is that the entire camp is depicted the way it looks from offshore rather than as viewed from the perspective of the detention barracks where prisoners were held. The realization was stunning – it was painted from memory by the artist. It was the way he saw the island the day he steamed into San Francisco Bay from Hawaii as a political prisoner of his own country. Smiling as tears well up in his eyes, Kenny says, “Every time I think about the fact I needed a painting made by one of the very first Japanese Americans arrested during that time to complete a scale model of that same camp 80 years later, it always chokes me up.”  

The model is now on permanent display in the same mess hall that was used by the prisoners. For more information on the exhibit, please see https://aiisf.org/taken.

Kenny Paul works as a Senior Technical Community Architect at the Linux Foundation. He currently works on the Open Network Automation Project (ONAP) and LF Networking. His is just one of the many unique backgrounds that make up the people behind open source. To hear more stories, listen to our Untold Stories of Open Source podcast.

And on a related aside, this is a gripping and heart-warming story about bonds made at the Heart Mountain Japanese internment camp in Wyoming.

Below are photos of some of Kenny’s favorite builds.

Photos: Some of Kenny’s favorite builds: B-17; Firehouse #7 in Washington, DC, home to the first all-black engine company in the days of departmental segregation between 1919 and 1962; and, LEGO tractors built for a museum display.


The post LEGO and Angel Island appeared first on Linux Foundation.

LLVM Adds An HTTP Server For Debuginfod

Phoronix - Tue, 07/12/2022 - 01:30
Merged prior to the weekend into LLVM 15 was a basic web server implementation...
