Open Source - Page 4 of 17

Apache CloudStack 4.15 available with a new user interface

The Apache Software Foundation (ASF) has version 4. 15 of their IaaS software (Infrastructure as a Service) CloudStack released. The update is a so-called LTS release with an extended support period (long-term support). Since the release of CloudStack 4. 04 according to ASF, the open source software for creating cloud infrastructures has been about Improvements have been incorporated and 15 new ones Features added – including a modernized user interface.

Renovated surface From CloudStack 4. 15 comes via the URL : 8080 / client uses the new, revised user interface by default, which is now generally available (general availability). The previous legacy UI remains for the time being via : 8080 / client / legacy and will also be used in production environments supported. However, it is already marked as out of date (deprecated) and should be dropped with the release of CloudStack 4. 16.

New in the release is the integration of the VNC console (Virtual Network Computing) noVNC for virtual machines (VM). Another new Websocket Proxy allows interaction with the VNC console, ConsoleProxyClient is used to read and write data during communication between VM and Websocket. The console developed on the basis of noVNC 1.1.0 has been tested on various platforms – including KVM, Ubuntu, CentOS and VMware 6.5.

Workaround for new KVM Hosts CloudStack 4 supports management servers and KVM hosts. 15 now CentOS8 and Ubuntu 20. 04. However, users should note that an End-of-Life (EoL) has already been announced for CentOS8 at the end of the year. When adding new KVM hosts, users of some GNU / Linux distributions must also be aware of a problem associated with the latest OpenSSH package. Due to a lack of support in the trilead-ssh library used by CloudStack, individual SSH algorithms and encryption methods do not work correctly. Therefore, a workaround is currently necessary before adding new KVM hosts. The following lines must be added to / etc / ssh / sshd_config of the KVM host and then the SSH server restarted:

PubkeyAcceptedKeyTypes = + ssh-dss HostKeyAlgorithms = + ssh-dss KexAlgorithms = + diffie-hellman-group1-sha1 Among the other new features in CloudStack 4. 15 are to be mentioned, the support for role-based users in projects, extended storage functions from VMware (vSAN, vVols, VMFS6, Datastore Clusters), PVLAN for L2 networks as well Support for XCP-ng 8.1 and MySQL 8. A complete overview of all round 20 improvements and new functions can be found in the release notes. CloudStack 4. 15 is now available for free download under the Apache license 2.0.

(map)

Snort 3: On the trail of the attacker with multithreading

Besides Suricata, Snort is the best-known open source network intrusion detection / prevention system (NIDS / NIPS). Originally started 1998 by Martin Roesch as a simple network sniffer, over the years it has developed into the NIDS reference in the open source environment . After seven years of development, the developer team has re-implemented the code in C ++ and now released the long-awaited Snort3.

Snort is a component many commercial solutions and also works at the core of Cisco’s Firepower IPS solutions. The network specialist bought 2013 the company from Martin Roesch (Sourcefire) and then integrated the commercial version into its own products. This long history was also a curse for Snort and already led 2009 to the development of Suricata, since the internal architecture of Snort is considered by many developers to be was viewed as backward. While Suricata was already multi-threaded and offered automatic protocol support, Snort could not come up with these functions. Since 2013 the Snort development team has been working more or less actively on a completely new version that was now written in C ++ instead of C. The main innovations of Snort version 3.1 are:

The packet processing takes place in several parallel threads. These can access a common configuration and attribute table. The PCRE analysis is carried out with the new Hyperscan library from Intel (hyperscan.io). This significantly accelerates the detection compared to version 2. Snort now supports Realtime Network Awareness (RNA). This enables Snort to learn for itself which systems and protocols are used in the network. This was previously a feature that was only available in commercial products. Full plug-in support in Lua. Since Snort can recognize application protocols regardless of the port (RNA), the rules can now be written depending on the protocol are no longer restricted to ports. However, the rule syntax has also changed slightly. Some of the commercial products from Cisco already allow an upgrade to the new Snort 3 Core. However, they do not yet master all functions.

Even in version 3, Snort users don’t be afraid of the command line.

Although Snort is one of the most powerful IDS engines, there is still a lack of suitable management interfaces in the open source environment with which the product can be used effectively. Security Onion and OPNSense are two of the few products that use Snort and offer a rudimentary management interface.

(avr)

Beeper: Chat app wants to combine 15 messengers in one interface

An app instead of numerous messengers on the smartphone – Beeper wants to be this dream. 15 Services including iMessage are to be combined there in one interface. So far, the project was called NovaChat, which Eric Migicovsky, CEO of the former smartwatch manufacturer Pebble, announced on Twitter Beepers can then be controlled include WhatsApp, Signal, Telegram, Matrix, Skype, Slack, Twitter, Discord, Instagram, Facebook Messenger and iMessages. “Yes, iMessage runs on Android, Windows and Linux with a trick,” tweeted Migicovsky. The trick is to use a permanently running device from Apple as a bridge on which the Beeper app is installed. If such a device is currently unavailable, Beeper helps out with discarded and jailbroken iPhones.

Open source and yet not secure The messenger itself uses the matrix protocol. The client is not open source, however, the connections that are used to the other messengers are. To use it, you have to pay ten US dollars a month. In return you get a “clean interface” with search and filter for the chats, it says on the website. Bots can be created for beepers via Matrix API and extensions can be connected. You can also host yourself. End-to-end encryption is likely to be lifted in all cases.

The app is still not easy to use. You first have to submit an application online and enter at least the ID of your “favorite network” and other usage habits. Perhaps the dream of a new Adium-croaking duck is not quite fulfilled after all. Apple is unlikely to be happy about a service that publicly issues jailbreak iPhones and thus uses its messaging function. There have already been similar attempts, but so far they have not prevailed.

(emw)

End for connector and electronic health card: Gematik presents TI 2.0

By the year 2025 a “telematic infrastructure 2.0” should replace the networking of the healthcare system that exists today. With this TI 2.0, the Gematik project company draws the conclusions from the network failure in the year 2020. The connectors used in medical practices, hospitals and pharmacies are being replaced as “proprietary IT solutions” by open “access interfaces on the Internet”. The master data management of the insured by inserting an electronic health card is being replaced by an internet service.

“IT arena for medicine” Gematik’s groundbreaking white paper outlines the future German healthcare system as an “IT arena for medicine” in which different playing fields exist and different games are played, each with its own rules. As the designer of this IT arena, Gematik takes on other roles such as “entrance control for all parties involved” and the role of the referee who makes sure that nobody commits a foul. In addition, it develops new rules of the game and playing fields for “new disciplines”.

Aside from all the beautiful metaphors and graphics, the white paper on TI 2.0 shows that Gematik is now the consequences of the failure of the TI 1.0 in summer 2020. At that time, after a faulty certificate change 80. 000 medical practices were flown out of the telematic infrastructure. In two thirds of the practices, a software update of the connectors had to be installed manually. The entire troubleshooting took 52 days. Now the connectors are to disappear as a “proprietary IT solution” and the “universal accessibility of the services through access interfaces on the Internet” is to be replaced. This universal accessibility also means that the previous smart card solutions will disappear.

For the insured, the doctors and dentists, this means that the insured master data management via the electronic health card through an internet service of the respective health insurance companies is replaced. The electronic health professional card and the SMC cards for the identification of medical practices, hospitals and pharmacies are also to be replaced by electronic ID procedures, in which the medical associations, associations of statutory health insurance physicians and other associations provide the appropriate federated eID. If possible, a single sign-on should always be used.

Open source preferred As the Gematik explains , the redesign of the telematic infrastructure is inevitable, because a lot has happened in recent times technically. IT is thought and implemented differently today than it was ten years ago. “The basic architecture must become more technology-independent so that data silos are dissolved and mobile patient care possible. The trend is clearly towards the cloud with” unlimited resources “and economies of scale. The spread of the open source culture in society and industry has increased significantly.” Wherever possible, TI 2.0 uses open source.

(mho)

Pebble founder promises iMessage on Android and Windows with universal chat app

Beeper is a new universal chat app that’s an attempt to unify 15 different chat platforms into a single interface. The app is the work of a team that includes Eric Migicovsky, the CEO and founder of former smartwatch manufacturer Pebble, who announced its launch on Twitter. Beeper’s site notes that the project was previously known as NovaChat, and requires a $10 per month subscription.

Although Beeper integrates with world’s most popular messaging services like WhatsApp, Signal, Telegram, Slack, Twitter, Discord, Instagram, and Facebook Messenger, it’s the support for Apple’s iMessage that’s perhaps most interesting. iMessage is only officially available on Apple devices, and it’s often cited by users as something that prevents them switching to Android. Migicovsky says Beeper should allow iMessage to work on Android, Windows, and Linux, but admits that it’s “using some trickery” in doing so.

And yes, iMessage works even on Android, Windows and Linux using some trickery 🙂

— Eric Migicovsky (@ericmigi) January 20, 2021

An FAQ on Beeper’s website gives a more in-depth explanation of exactly what this trickery involves. If you’ve got an always-online Mac, then you can install the Beeper Mac app to act as a bridge, similar to the approach AirMessage uses. But things get really wild if you don’t have access to a Mac, at which point Beeper says it’ll literally send each of its users a “Jailbroken iPhone with the Beeper app installed” in order to act as a bridge. At this point we should probably mention that using Beeper involves paying a $10 a month subscription, which may or may not include the cost of the iPhone.

Just in case you thought Beeper was joking, in a followup tweet, Migicovsky said that he currently has 50 old iPhone 4S’s at his desk, ready to be upcycled for use with Beeper.

If the workaround works as Beeper claims, then the result should be a universal chat app that works across MacOS, Windows, Linux, iOS, and Android, offering a unified inbox, and the ability to search across messages from each of the 15 services. It’s built on the open source Matrix messaging protocol (Migicovsky previously described NovaChat’s relationship to Matrix as akin to Gmail’s relationship with email), and although the client app itself isn’t open source, the bridges connecting it to other chat services are.

Oh, and there’s a dark mode coming in Beeper’s next update, naturally.

Beeper’s interface can include chats from multiple different services.

Image: Beeper

While the short-term aim is to make it easier to chat to people across different chat apps, eventually Migicovsky has talked about the prospect of everyone using Matrix itself to chat with friends and colleagues, rather than simply using it as a bridge between services.

Although Migicovsky says he’s been using Beeper as his default chat client for the past two years, it doesn’t appear to be widely available just yet. Instead, Beeper asks prospective users to fill out a form on its website for an invitation.

Here’s the full list of chat services that Beeper currently supports:

Whatsapp
Facebook Messenger
iMessage
Android Messages (SMS)
Telegram
Twitter
Slack
Hangouts
Instagram
Skype
IRC
Matrix
Discord
Signal
Beeper network

Java framework Quarkus 1.11 introduces RESTEasy Reactive and new Dev UI

The Java framework Quarkus, which was launched under the slogan “Supersonic Subatomic Java” 62 and supported by Red Hat, has been offering JAX-RS-2.1 since then -Implementation RESTEasy, with which HTTP endpoints can be defined. Quarkus 1. 11 now goes one step further and implements RESTEasy Reactive, which offers reactive extensions that go beyond the scope of the JAX-RS-2.1 specification . The RESTEasy-Reactive integration developed in the JBoss project is initially tailored primarily to Quarkus and is based on its vert.x layer in order to be completely reactive.

More speed The RESTEasy-Reactive that was announced experimentally at the end of the year 2020 -Integration is now available to all users of the open source framework with the release of Quarkus 1. 11. As an alternative to Quarkus’ Reactive Routes API, RESTEasy Reactive is intended to open up a way that many Java developers are familiar with to further optimize the performance of their applications. According to the Quarkus development team, it should not be possible to increase the maximum achievable throughput of an application, and start times and memory requirements should also be lower. In addition, typical framework tasks such as scanning annotations or creating metamodels can be done during the build. Further details on RESTEasy Reactive can be found in the implementation documentation.

Expandable developer console With a redesigned console for developer mode, Quarkus developers are to make their work even easier and clearer. The new Dev UI can be flexibly set up to keep an eye on the functions of various extensions of the framework. The range of possibilities ranges from simply listing the CDI beans and endpoints to repeating Flyway migrations and deployments on OpenShift. Quarkus 1. 11 now introduces the technical foundation with a basic set of extensions. In order to gradually expand the Dev Console with further extensions, the support of developers is expressly desired. If you want to contribute your own extensions to the open source framework, you will find valuable information in the Dev UI Guide.

Among the other new features in Quarkus 1. 11 are worth mentioning the improved support for micrometers. Metrics from Kafka streams can now be displayed and the Prometheus registry has been integrated into the core extension. Further registries such as Azure Monitor, Datadog, JMX, SignalFX, Stackdriver and StatsD will be hosted in the extensions on Quarkiverse in the future.

The Quarkus team has also expanded the shell scripting with jbang. The deeper integration of jbang allows the activation of the development mode and the use of Quarkus platforms (BOM) for version management. The prerequisite for this, however, is at least version jbang v0. 62. All other improvements and new functions are summarized in the blog post about the release of Quarkus 1. 11.

(map)

Elastic: Now comes the fork

Logz.io is promising new distributions for Elasticsearch and Kibana, which, in contrast to Elastics’ future direction, should appear completely as free software. The developers do not use the word fork, but due to the new licenses, the future project is left with less than a split from the original provider.

This is exactly what CEO Tomer Levy describes in his announcement of the move, because the community and many as yet unknown organizations should be involved in the new distributions. The choice of the Apache 2 license is also not surprising, as Elasticsearch has previously appeared under it. The aim is to put the free versions of Elasticsearch and Kibana under the umbrella of the CNCF or ASF.

Don’t feel sorry for Elastic Elastics CEO Shay Bannon blamed Amazon and the reluctance of the AWS cloud division to cooperate with the original developers for the license change in drastic terms. Tomer Levy doesn’t skimp on criticism himself – but at Elastic, because the developer has let the open source offerings fall asleep over the years and put the innovations into his commercial offers.

In addition, the new Server Side Public License (SSPL) would not just be a measure against AWS: Parts of the license were formulated in such a way that users would expose themselves to legal risks when using such software. In fact, when switching from MongoDB to the SSPL and now again, the OSI determined that the SSPL was not an open source license.

I entered it myself Gigant Tomer Levy generally rejects Elastics’ victim role, because it would rather be a billion dollar company that wants to force its users into commercial dependency and block competition. A look at the figures shows that in the year 2020, Elastic had sales of 427, generated 6 million US dollars, a growth of 57 percent over the previous year.

Instead of wanting to switch off AWS as a competitor with a license change, Elastic should develop a better cloud service. That is more difficult, but it would be the right step for users. The announcement of the new distributions and the new allegations can be found on the Logz.io blog. The provider offers data analysis software on the ELK stack, among other things. Meanwhile, Amazon did not comment on the allegations by Elastic.

(fo)

DNSpooq is the new series of DNS vulnerabilities: beware of phishing, credential theft, DDoS attacks

7 software vulnerabilities identified DNS widely used by connected device manufacturers and which threatens to jeopardize millions of devices

di Andrea Bai published on 20 January 2021 , at 15: 41 in the channel Security

JSOF, an Israeli company operating in the field of cyber security, today revealed the existence of seven vulnerabilities, known together with the name of DNSpooq , referring to Dnsamsq. The vulnerabilities are particularly serious as they allow for “DNS poisoning” attacks, remote code execution and denial-of-service attacks against a potential pool of millions of devices . Dnsmasq is an open source software involved in DNS forwarding and which allows you to add DNS caching functionality, DHCP server to Internet of Things devices.

Currently Dnsmasq is widely used in the sector and its diffusion does not allow to draw up an exhaustive list of all the companies that use it. JSOF limited itself to compiling a list of 40 reality among the best known, in which we see names like Android / Google, Asus, Cisco, Redhat, Netgear, Qualcomm, Linksys, IBM, D- Link, Dell, Huawei and Synology , just to name a few.

DNSpooq: seven serious vulnerabilities put millions of devices at risk

In DNSpooq vulnerabilities there are three, indicated by the codes CVE – 2020 – 25686, CVE – 2020 – 25684 and CVE – 2020 – 25685 , which allow you to perform “DNS cache poisoning” or “DNS spoofing” attacks. This type of attack allows the perpetrator to replace the DNS on a target device with arbitrary DNS of their choice .

Small step back: DNS is the acronym for Domain Name Service and, in summary, is the system that allows you to translate the domain names of websites into IP addresses. When configuring the devices connected to the internet, it is necessary to specify the IP address of a “DNS server” which has the task of carrying out this “translation” by consulting the appropriate tables.

It then becomes evident how a DNS Spoofing attack allows the attacker to redirect users to server under its control, while the user has the impression of visiting a legitimate website . This opens up the possibility of carrying out phishing attacks, credential theft or malware distribution from what the user perceives to be a trustworthy reality. The first DNS spoofing attack was illustrated in 297 by security researcher Dan Kaminsky, who demonstrated that DNS software can be exploited to steal data and forge any website address.

“Traffic that could be compromised includes normal Internet browsing, but also other types such as e-mails, SSH communications, remote desktop functions, voice calls, software updates, etc. Possible attack scenarios also include JavaScript-based DDoS, reverse DDoS, and wormable attacks in the case of mobile devices that change networks regularly, “JSOF points out in its report.

Other vulnerabilities, identified by codes CVE – 2020 – 25687, CVE – 2020 – 25683, CVE – 2020 – 25682 and CVE – 2020 – 25681 , are buffer overflow types and potentially allow you to execute code remotely on vulnerable network devices when Dnsmasq is configured to use DNSSEC.

Compounding the situation is the fact that perpetuating attacks exploiting the set of DNSpooq vulnerabilities are fairly simple to conduct and do not require the use of unusual tools or knowledge of techniques details: “The attack can be successfully completed in seconds or minutes and requires nothing special. We found that many instances of Dnsmasq are misconfigured to listen on the WAN interface, making the attack possible directly from the Internet “says JSOF.

DNSpooq: resolve by updating to the latest version or, if not possible, mitigate with some countermeasures

Over 1 million Dnsmasq servers are currently exposed on the Internet according to Shodan, while they would be 630 thousand according to BinaryEdge , but there would be millions of routers, VPNs, smartphones, tablets, infotainment systems, modems, access points, drones and any other kind of equipment vulnerable to attack while not directly accessible from the Internet: ” Some of the DNSpooq vulnerabilities allow DNS cache poisoning and one of the vulnerabilities could allow remote code execution capable of acquiring many brands of home routers and other network equipment, with millions of affected devices and over a million instances directly exposed to the Internet “said JSOF.

JSOF explains that it is possible to completely protect yourself from attacks that attempt to exploit DNSpooq vulnerabilities by updating the Dnsmasq software to latest version available which is currently 2. 83. If, on the other hand, it is not possible for any reason to proceed promptly with the update of Dnsmasw, JSOF has prepared a series of possible alternatives that allow to partially mitigate the problem . We report them below:

Configure Dnsmasq to avoid listening on the WAN interface unless it is necessary in the operating environment you are in.
Reduce the maximum number of queries that can be forwarded via the dns-forward-max = option. The default value is 150, but it may be useful to lower it.
Temporarily disable the DNSSEC validation option until you can install a patch or update the DNSpooq version.
Use protocols that provide DNS transport security (such as DoT or DoH). This is a measure that can mitigate Dnspooq, which however could have other security and privacy implications depending on the configuration and operating environment.
Reducing the size of EDNS messages could mitigate some of the vulnerabilities. This is an untested measure and is inconsistent with the RFC recommendations 5625.

Nursing apps & Co .: Federal government is driving digital healthcare forward

More “digital helpers” are to be used in care in the future. The federal cabinet approved a bill on Wednesday “for the digital modernization of care and nursing”. Human attention is the basis for good care, explained Federal Health Minister Jens Spahn (CDU). However, useful apps could help those in need of care to cope better with their everyday lives.

Improve their health According to Spahn, digital care applications (Dipas) can help to stabilize or improve one’s own state of health through exercises and training. The aim is to reduce the risk of falls, train the memory or improve communication between nursing staff and relatives. The care advice is also to be expanded to include digital elements.

At the same time, the government wants to create a new procedure for the possible reimbursement of care apps. The Federal Institute for Drugs and Medical Devices should be responsible for approval. For social long-term care insurance, the cabinet calculates up to 2025 for Dipas for 365. 000 People with overspending of good 130 Million Euros. This would stand in the way of “non-quantifiable relief”.

The Bundestag had already decided 2019 with the “Digital Supply Act” that people with statutory health insurance are entitled to digital health applications by prescription under certain conditions. However, the Federal Office for Information Security (BSI) warns of the high risks associated with health apps. Data protection activists are calling for a tightened approval procedure after security deficiencies were made public in the first approved applications.

More data protection planned Data protection and The cabinet now wants to strengthen the IT security of digital applications in this sensitive area. It plans a duty of confidentiality for manufacturers and a mandatory safety certificate. Insured persons should also be given the opportunity to enter data from such apps as well as prescription and dispensing information in their electronic patient record (EPR). Access to the EPR is currently still difficult. The Society for Computer Science (Gematik) should therefore support the health insurance companies. According to the draft, this help could “in particular consist of providing a reference implementation or parts of it in an open source license”.

The government wants to give telemedicine a helping hand. When arranging medical appointments in the practice, online services should also be agreed. The medical on-call service as well as medicine providers and midwives should also be able to offer telemedical activities. In the future, sick leave should generally be allowed “in the context of exclusive remote treatment”.

Gematik is given the task of providing “secure, economical, scalable access” to the telematics system that is adapted to the different needs of users To develop infrastructure (TI) as a “future connector”. So far, IT security has been considered inadequate here. In future, insured persons, service providers and payers should be able to use video conferences and a messaging service to exchange data and communicate in addition to e-mail. For authentication, special digital identities are provided by 2023 to.

More and more functions The emergency data on the electronic health card (eGK) should be “further developed into an electronic patient summary” together with information from the insured on the storage location of personal statements. The electronic medication plan will also be transferred to its own TI application. The eGK should no longer serve as a data storage device, but only as proof of insurance.

Declarations of organ donation can soon also be made via the insured person’s apps of the health insurance companies. A national e-health contact point is to be set up by the middle 2023 so that insured persons can also make their health data available to doctors in other EU countries “safely and translated”.

The government wants to introduce electronic regulations for the areas of home and out-of-hospital intensive care, sociotherapy, remedies and aids, narcotics and other prescription drugs. Corresponding institutions must therefore gradually join the TI. The cabinet wants to strengthen interoperability in the health care system, feed the national health portal with more data and thus put it on a more reliable basis.

The state should also carry out the data protection impact assessment for the use of TI components such as connectors and card readers take over. Doctors are said to have one-time around 730 million euros and around 548 million euros annually Euros are saved for adjustments. In addition, you do not have to appoint a data protection officer, which should reduce your costs by 427 million euros annually.

(mho)

Data science for a better world

data.org, a US nonprofit, has announced the winners of its “Inclusive Growth and Recovery Challenge”. The funding of 10 million US dollars will go to eight projects that use data science to improve people’s lives.

One of the selected projects is an app from the non-profit Swiss foundation BASE, which gives Indian smallholders access to secure cold chains and supports them in making decisions based on weather and market data wants to see whether cooling is worthwhile. In this way, more food should be protected from spoilage. A project by the University of Aalborg in Denmark is also being funded to develop a map that can be used to identify economically particularly vulnerable regions. Community Lattice from the USA wants to give everyone easy access to critical environmental information so that they can assess health risks. Fundación Capital combines Mozambique’s largest digital platform for jobs in the informal sector with an AI assistant to give job seekers a better overview of job and income opportunities.

The University of Chicago receives funding, to develop maps and open source tools that can be used to identify regions that are left behind when Internet access is fast. GiveDirectly wants to use machine learning to accelerate digital cash transfer in Africa. Solar Sister promotes the spread of renewable energies in Africa with market analyzes. Women’s World Banking aims to make it easier for women entrepreneurs in Mexico, Nigeria and India to access credit.

data.org is a platform that partners with local actors to promote the use of data science in the social and societal fields wants to advance. It is funded by Mastercard’s Center for Inclusive Growth and the Rockefeller Foundation.

(odi)

Elastic: Amazon is to blame for the open source end

In a blog post, CEO Shay Bannon justifies why Elasticsearch no longer appears as free software. Amazon is solely responsible for the step, whose behavior towards the developers of the search engine is unacceptable. Now, as the market leader, Elastic has to stand up to the group.

Specifically, it is about AWS offering Elasticsearch without Amazon cooperating with Elastic. The name Amazon Elasticsearch represents a trademark infringement, all attempts to clarify with the group have failed and ultimately made a lawsuit necessary.

Amazon Elasticsearch: Fork or no fork? Furthermore, AWS would repeatedly advertise its services with a cooperation with Elastic, which however does not exist. Again and again this confuses the community. Amazon’s own distribution for Elasticsearch caused even more irritation, with parts of the code coming from the developer’s commercial features.

Shay Bannon repeatedly emphasizes that nothing changes for the users – and he does I also do not speak out against cooperation with cloud providers, provided that this corresponds to the basic open source ideas of transparency, cooperation and openness. In fact, the CEO of Amazon publicly accused Amazon of violating these principles.

The license change will take place with the upcoming version 7. 11, from which the Elastic License and the Server Side Public License (SSPL) are available. All allegations against AWS can be found in the blog entry from Elastic. iX asked Amazon to comment on the allegations, which was not yet available at the time the report was published.

(fo)

DNSpooQ: Vulnerabilities discovered in DNS / DHCP server Dnsmasq

Security researchers from JSOF have found seven vulnerabilities in the DNS / DHCP server Dnsmasq. Attackers could attack devices equipped with them and manipulate DNS entries, for example, in order to redirect victims to websites they control. 2008 the computer scientist Dan Kaminsky presented such a DNS attack for the first time. The execution of malicious code and the complete takeover of devices by attackers is also conceivable.

Dnsmasq is a widely used DNS / DHCP server Open source basis, which is mainly used in embedded systems and IoT devices. According to a report by the security researchers, more than 40 manufacturers are affected. These include, for example, Comcast, Google and Netgear. The Dnsmasq version 2. 83 is secured against the attacks. The first manufacturers have already published security updates (see list at the end of this message).

Dangerous effects Attacks are supposed to be direct be possible over the Internet. The security researchers claim to have discovered around 1 million listening Dnsmasq servers via the Shodan IoT search engine. For example, attackers could launch attacks using prepared queries. According to the security researchers, attacks should be possible “in seconds or a few minutes without special requirements”.

Attacks via web browsers are also conceivable. It should be sufficient if attackers can smuggle an advertisement with malicious code into an advertising network. If a victim visits a page with this ad, the attackers could gain access. According to the security researchers, however, such attacks are comparatively complex.

Even if none of the seven vulnerabilities is classified as “critical”, attackers could combine several vulnerabilities to ultimately carry out a critical attack. In a technical white paper, the security researchers describe possible attack scenarios and their effects. Specifically, attackers could, for example, trigger DDoS states, hook into connections as man-in-the-middle, redirect victims to their own websites (DNS cache poisoning) and execute malicious code.

Vulnerabilities:

CVE – 2020 – 25681 CVSS 8.1 CVE – 2020 – 25682 CVSS 8.1 CVE – 2020 – 25683 CVSS 5.9 CVE – 2020 – 25687 CVSS 5.9 CVE – 2020 – 25684 CVSS 4 CVE – 2020 – 25685 CVSS 4 CVE – 2020 – 25686 CVSS 4 Previously published Security updates:

Arista Cisco Dnsmasq Netgear RAX 35 and RAX 40 Firmware 1.0.3. 88 OpenWRT Siemens Sophos Ubuntu (of)

Union: IBM Germany is planning almost 1,000 layoffs

In Germany, IBM will give almost 1000 employees the termination. The group has informed its supervisory boards and the responsible works council committees accordingly in the last few days with maintaining competitiveness and realigning the organization and skills. This was announced by the service union ver.di. In order to implement the layoffs, negotiations on redundancy plans are to be started with the responsible bodies of the companies belonging to the German IBM group . It is also still unclear which parts of the group are affected.

Restructuring and profits Last autumn, IBM expanded its infrastructure Services split off into a new company in order to focus even more on cloud services. In this area, IBM 2018 had the open source provider Red Hat converted for 30 Billion euros taken over. Red Hat is now part of the Cloud & Cognitive Services division. Here IBM was able to record a growth in turnover, while the income of the other services declined. Nevertheless, in the third quarter 2020, IBM was still able to post slightly increasing profits of 1.7 billion US dollars, the equivalent of almost 1.4 billion euros.

IBM CEO Arvind Krishna announced a growth target of five percent for the group in October. To this end, IBM wants to further develop its strategies and implement measures to simplify and improve the business model.

Worldwide, IBM has around 350. 000 Employees, in Germany the number of positions is over 10.000 estimated. The ver.di union protests against the layoffs and calls on IBM not to implement the plans. Information events and protests are being planned.

(fds)

Apple M1: VLC Media Player runs natively on ARM Macs

New Macs with Apple chips can now get a native version of VLC Media Player: The open source project is stored in a separate ARM 64 Version 3.0. 12. 1 available for download for macOS – parallel to the new version 3.0. 12 for Intel Macs.

The video player is likely to appear as a universal app in the future. A higher version number was chosen to enable an “automatic upgrade path”, write the developers. Owners of an ARM Mac who have already used the Intel version of the VLC Media Player with the help of the Rosetta 2 translation layer can upgrade to version 3.0. 12 and should then be offered the native version 3.0. 12. 1 for download.

Improvements for macOS 11 Big Sur In addition to native support for Macs with Apple chips – so far the MacBook Air, MacBook Pro and Mac mini with Apple’s M1 – the new VLC version also brings visual adjustments to the user interface for macOS 11 Big Sur, as the release notes explain. In addition, problems with the user interface in the bookmark window have been fixed. A distorted audio playback after starting playback should be a thing of the past under macOS.

With VLC, a popular universal video and audio player is now available in native form on M1 Macs. Other tools such as Plex still have to use Rosetta 2. Apple’s QuickTime Player is also adapted, but supports only a comparatively few video formats.

New features for all operating systems VLC 3.0. 12 promises improved support for the streaming format Dynamic Adaptive Streaming over HTTP (DASH), the streaming protocol, on all supported operating systems RIST and Bluray tracks, emphasize the developers. Problems with video filters and Direct3D 11 in Windows have also been eliminated and the winding in WMV files has been improved.

(lbe)

Homeschooling: Call for digital sovereignty through free software

The Gesellschaft für Informatik (GI) is concerned that many schools are using “proprietary software solutions that are questionable under data protection law” against the background of the corona crisis and the current level of suffering in homeschooling. Above all, programs that transfer data from those affected to third countries such as the USA are questionable in view of the “good alternatives” available. There were “powerful and easy-to-use cloud solutions and learning management systems” that allowed data protection-compliant, legally secure operation on European servers.

Resources required The GI names the freely available programs Moodle and Ilias, which support interactive cooperative forms of work with plugins such as H5P and provide a “suitable basis for the IT infrastructure of schools” represented. In order to be able to operate such solutions smoothly and to avoid failures, the federal states would have to provide the necessary human and technical resources. This is the only way to “continuously improve” the open-source solutions in order to further develop conditional and competitive applications.

In general, the association advocates the digital Strengthen the sovereignty of students, schools, teachers and the IT location through open source software. This makes it possible to show transparently “which data is processed how and by whom”. At the same time, “the dependence on large corporations will be reduced”. The public view of the source code allows vulnerabilities to be found more quickly and security gaps to be closed. In this way, everyone involved could “act independently, self-determinedly and securely in the digital world”.

“The current political decisions for digital infrastructures will shape our education system for years,” emphasized GI Vice President Ulrike Lucke . “Transferable standards and formats” should be promoted “in order to avoid lock-in effects”. It has been proven that schoolchildren stayed with a digital tool they had got to know well beyond their school days. The GI therefore welcomes the fact that in the dispute over the digital education platform in Baden-Württemberg there is a broad alliance against the planned introduction of Microsoft Office 365 as a solution for all schools.

Currently high hurdles Two thirds of the students, parents and teachers experience In digital teaching during Corona times, Initiative D 21 meanwhile has a representative, in July through the Market research institute Kantar conducted survey found. The problem most frequently mentioned with 42 percent was the inconsistent approach to how and where teaching material is made available: the teaching material and how to fill it in of questionnaires mostly remained analogous.

37 percent found the self-organization required of them to be stressful, 27 percent complained about inadequate explanations on how to use the technology . There was a rarer barrier in the infrastructure: 16 Percent of those affected stated that they did not have enough equipment 14 percent complained about a poor internet connection. “Insufficient data protection” hits eight percent badly. 78 Percent support that teachers should receive compulsory digital training. 74 percent demand that schools try out new forms of learning and working methods more often. 60 percent fear that the current situation will exacerbate educational injustices.

(mho)