How to prioritize the improvement of open-source software security – Brookings Institution

Earlier this year, major technology companies, non-profits, and government agencies convened for an urgent meeting at the White House to discuss how best to address the security concerns posed by free and open-source software (FOSS), software that is developed by a distributed community rather than a centralized company. For years, tech companies and security experts have made the case for greater investments in the security of the FOSS ecosystem, as it has become an increasingly important part of critical digital infrastructure. The importance of doing so was highlighted by the recent Log4Shell vulnerability in the log4j FOSS package. Deployed across a vast range of digital applications, log4j exposed a huge amount of software to a devastating security vulnerability and illustrated the urgent need to improve security in open-source software.

FOSS is decentralized and free to use, so when security vulnerabilities are found it is difficult to determine the exact extent of the threat. Perhaps the most vexing part of the problem is that it is difficult to know which FOSS packages are most widely used (and therefore most concerning if a vulnerability is found in a given package). This lack of knowledge about which FOSS packages are deployed, and where, leaves defenders in the dark and makes hard decisions about where to deploy resources even more difficult.

To address this problem, our team at the Laboratory for Innovation Science at Harvard (LISH) has partnered with the Linux Foundation and the Open Source Security Foundation (OpenSSF) to determine which FOSS packages are most widely deployed. Our findings, documented in a report released today, provide a detailed look at which FOSS packages are deployed in production applications and offer a number of lessons for policymakers and developers about how to improve the security of a critical building block of the digital economy.

First released in 1999, log4j is a FOSS component that carries out logging tasks for other pieces of software built on top of it. For example, if a developer of a piece of software needs to log all activity in an application for auditing or debugging purposes, she can utilize the log4j component so she does not have to build such logging functionality from scratch. log4j is extremely popular and is used in production software at companies including Apple, Google, Amazon, Twitter, and Tesla.

As early as 2013, a bug was introduced in the log4j code that treated logged text as code and executed it on the underlying system. Thus, an attacker would simply need to perform an action that would be logged (e.g., changing their username, writing a message in a chat, etc.) using a specific line of code, which would then be executed by the system, including reaching out to a server on the internet and downloading and running a piece of malicious code hosted there. Discovered in November 2021 by a member of Alibaba's security team, the vulnerability was named Log4Shell.

The widespread use of log4j (potentially tens of millions of devices), combined with the ease of exploitation (a simple line of code), created a worst-case scenario. To that end, Jen Easterly, the director of the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), called Log4Shell "the most serious vulnerability I've seen in my decades-long career." Within days of the release of the patch (long before most organizations could install it), there were over 800,000 attacks in a 72-hour period. Chinese and Iranian government-sponsored actors were observed taking advantage of the vulnerability.

The Log4Shell vulnerability is an important example of a much larger issue. FOSS has become a critical building block of the modern economy. However, its distributed and decentralized nature leaves it susceptible to significant bugs that can go unnoticed by developers for years. Further, and even more concerning, is that when such a vulnerability is found, because FOSS is built into nearly every software system, but is not well tracked, it may be difficult to identify all vulnerable instances of the software that are in production.

Prioritizing efforts to address the issue

To determine which FOSS packages are the most widely used (and therefore, the most concerning if a vulnerability is found in them) our team at LISH teamed up with the Linux Foundation and the OpenSSF. We worked with software composition analysis (SCA) companies to aggregate data on the most widely used FOSS packages. SCAs are hired by their customers to scan their codebases to help ensure they are not violating any software licenses. Therefore, by working with just a handful of SCAs, we were able to get insights into FOSS built into products sold by thousands of companies. While this method allowed us to get deep insights into the FOSS companies build into their software, this is only one layer of the technology stack, albeit an important one. In future studies we will consider other layers in the stack.

By identifying the most widely used FOSS packages, we hope to improve efforts to enhance the security of FOSS packages by looking for vulnerabilities in the most popular FOSS packages first. (Our final report can be found here.)

To ensure the privacy of the data shared by the SCAs, and to account for different size customer bases across the SCAs, we utilized statistical z-scores to aggregate the data and organize it such that we could rank-order the FOSS packages observed. Since the FOSS packages that developers build into their software frequently rely on other FOSS packages themselves, we considered both the direct observations of FOSS packages developers built upon, as well as the indirect FOSS packages those packages iteratively rely upon. Additionally, due to the differences in norms in computer programming languages related to the number of functions in a given package (and therefore how many packages a piece of software relies upon), we considered the npm repository (which hosts JavaScript packages) separately from all other repositories and languages. Not doing this would have caused JavaScript packages to incorrectly dominate the list. Finally, we considered FOSS packages in both a versioned and version-agnostic manner such that different levels of granularity could be observed.

In aggregate, we analyzed nearly 600,000 data points from the SCAs, and compiled lists documenting the 500 most used FOSS packages, one for each combination of direct/indirect, npm/non-npm, and versioned/version-agnostic packages. Although this more granular approach makes it harder to precisely say which FOSS packages are the most widely used, it provides more insight into the intricacies of the ecosystem. For example, log4j showed up as number 38 on our list of direct, non-npm, version-agnostic packages, but as number 126 on our list of indirect, non-npm, version-agnostic packages. Moreover, FOSS packages whose primary purpose are to pass data to a logger, potentially including log4j, (e.g., slf4j-api and log4j-api) showed up even higher on our lists (slf4j-api was number 1 on our list of direct, non-npm, version-agnostic packages). However, without deeper insights into how such packages were being used, it was not possible to know if they were relying on a vulnerable version of log4j.

The complexities of log4j became even more intricate when considering version numbers. By a nearly 3 to 1 margin, version 1.x of log4j was much more widely used than version 2.x. However, the Log4Shell vulnerability did not impact version 1.x, and therefore the bulk of log4j users in our dataset were not actually susceptible to the Log4Shell issue (although there are numerous vulnerabilities in the 1.x versions that remain unfixed since it has not been updated since 2015). In aggregate, despite the complexities of our results, they allow for an intricate understanding of the Log4Shell problem, and our hope is that they will also shine light on similar intricacies to help prevent such widespread vulnerabilities in the future.
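The z-score aggregation, the direct/indirect, npm/non-npm and versioned/version-agnostic list splits, and the 1.x versus 2.x version share described above, as an added example that is not code from the LISH/OpenSSF report: vendor names, counts and the npm membership map are constructed, and treating a package a vendor never observed as contributing z = 0 is an assumption of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not report data): each SCA vendor reports, per
# (package, version), how many customer codebases depend on it and whether the
# dependency was declared directly or pulled in transitively ("indirect").
# Vendor customer bases differ by an order of magnitude, so raw counts cannot
# simply be summed across vendors; hence the per-vendor z-scores.
OBSERVATIONS = {
    "vendor_a": [  # large customer base
        ("log4j", "1.2.17", "direct", 900), ("log4j", "1.2.17", "indirect", 600),
        ("log4j", "2.14.1", "direct", 300), ("log4j", "2.14.1", "indirect", 200),
        ("slf4j-api", "1.7.30", "direct", 1500), ("slf4j-api", "1.7.30", "indirect", 2600),
        ("guava", "30.1", "direct", 1100),
        ("lodash", "4.17.21", "direct", 1800), ("lodash", "4.17.21", "indirect", 3200),
    ],
    "vendor_b": [  # small customer base
        ("log4j", "1.2.17", "direct", 60), ("log4j", "1.2.17", "indirect", 45),
        ("log4j", "2.17.0", "direct", 25), ("log4j", "2.17.0", "indirect", 10),
        ("slf4j-api", "1.7.30", "direct", 90), ("slf4j-api", "1.7.30", "indirect", 160),
        ("guava", "30.1", "direct", 70),
        ("lodash", "4.17.21", "direct", 150), ("lodash", "4.17.21", "indirect", 240),
    ],
}

# Hypothetical ecosystem map: npm packages are ranked on their own list because
# JavaScript's many-small-packages norm would otherwise swamp the ranking.
NPM_PACKAGES = {"lodash"}


def zscores(counts):
    """Standardise one vendor's counts to (x - mean) / stddev within that vendor."""
    if not counts:
        return {}
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # a single package, or identical counts: no spread to rank on
        return {k: 0.0 for k in counts}
    return {k: (v - mu) / sigma for k, v in counts.items()}


def rank_packages(observations, dependency_kind, npm, versioned):
    """Return [(key, aggregate_z), ...] sorted descending for one list combination."""
    per_vendor = {}
    for vendor, rows in observations.items():
        counts = defaultdict(int)
        for pkg, ver, kind, n in rows:
            if kind != dependency_kind or (pkg in NPM_PACKAGES) != npm:
                continue
            key = (pkg, ver) if versioned else pkg
            counts[key] += n  # the version-agnostic view folds all versions together
        per_vendor[vendor] = zscores(counts)
    keys = {k for z in per_vendor.values() for k in z}
    # Assumption: a package a vendor never observed contributes z = 0 (its mean).
    aggregate = {k: mean(z.get(k, 0.0) for z in per_vendor.values()) for k in keys}
    return sorted(aggregate.items(), key=lambda kv: kv[1], reverse=True)


def major_version_share(observations, package):
    """Fraction of a package's observations per major version, e.g. 1.x vs 2.x."""
    totals = defaultdict(int)
    for rows in observations.values():
        for pkg, ver, _kind, n in rows:
            if pkg == package:
                totals[ver.split(".")[0]] += n
    grand = sum(totals.values())
    return {major: n / grand for major, n in totals.items()}


if __name__ == "__main__":
    for kind in ("direct", "indirect"):
        print(kind, "non-npm, version-agnostic:", rank_packages(OBSERVATIONS, kind, False, False))
    print("log4j major-version share:", major_version_share(OBSERVATIONS, "log4j"))
```

With this sample, slf4j-api tops the direct, non-npm, version-agnostic list while log4j ranks below it, and three quarters of log4j observations are 1.x, mirroring the report's pattern that a version-agnostic count overstates the population exposed to Log4Shell.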

Our report also identifies a number of high-level issues that need to be addressed if the FOSS ecosystem is to be properly secured:

The scale and scope of the vulnerabilities affecting FOSS packages have been known within the tech community for years. However, it is only recently that federal policy has reflected the importance of this issue to the economy and national security. A May 2021 executive order, for example, directed the U.S. National Institute for Standards and Technology (NIST) to provide guidance for companies on providing a software bill of materials (SBOM) to their customers. An accurate SBOM would give companies deeper insights into the software that is baked into their software, so they would know immediately if they are vulnerable to issues like Log4Shell. Other measures have been considered but failed to be made into law. Funding a FOSS security center within the Department of Homeland Security, for example, was included in the House version of the 2022 National Defense Authorization Act but didn't make it into the final bill.

In response to the Log4Shell vulnerability, the White House National Security Council held a meeting in January with firms like Google and Microsoft, open-source organizations including the Linux Foundation, the Apache Software Foundation, and OpenSSF, and numerous federal agencies and departments. The meeting focused on preventing, finding, and shortening response time to FOSS vulnerabilities and discussed various potential public-private partnerships. Although there were no concrete pledges from the meeting, the intent was to start a discussion, identify possible paths forward, and commit to future meetings that would yield specific commitments by the various stakeholders.

The Log4Shell issue has also garnered the attention of the U.S. Federal Trade Commission (FTC), which has threatened to fine companies that fail to patch the issue and lose customer data as a result. While the FTC's move may encourage many companies to address the security issue, the fact that the FTC is playing a leading role in the response illustrates that the government lacks broad tools to address major cybersecurity vulnerabilities like Log4Shell.

Log4Shell was by no means the first major vulnerability in FOSS, but hopefully it represents a turning point that will inspire the federal government to take action to address this complex problem. Numerous private entities have already joined the effort by sponsoring FOSS projects and security improvement endeavors, including Google's Secure Open Source Rewards, the Plaintext Group/Schmidt Futures FOSS Virtual Incubator, and the efforts of the OpenSSF such as its recently announced Alpha-Omega Project (sponsored by Microsoft and Google). Such efforts are important, but public support for research and legislation leading to more secure FOSS is critical and cannot come soon enough.

Frank Nagle is an assistant professor of business administration at Harvard Business School. His research is supported in part by the Linux Foundation.

Amazon, Google, and Microsoft provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.


Apple Event: Everything We Know About the March 8 ‘Peek Performance’ Event – CNET

Apple's invitation has arrived.

The world's most valuable tech company is about to hold a big product announcement event.

Apple's first major event of the year doesn't grab attention the same way its September iPhone events do, but it's an opportunity for the company to highlight everything else it offers.

Apple's expected to hold a major event in the summer to announce free software upgrades coming in the fall, alongside the rumored next iPhone.

We finally have a date for Apple's next event: Tuesday, March 8 at 10 a.m. PT. Rumors suggest that Apple could reveal a third iPhone SE at the presentation, along with a revamped iPad and at least one new Mac.

The company will show off the devices in an all-virtual event via a livestream on Apple's website. The company said it will be "broadcasting from Apple Park," its headquarters in Cupertino, California. The tech giant has hosted online-only events since the start of the pandemic two years ago. Apple is currently assessing when employees will return to the office, as the omicron variant wanes.


Apple's invitation to the media, sent in an email, shows a rainbow Apple logo that gives the impression of movement across a black background. Its tagline reads: "Peek performance." Apple didn't say which products it plans to announce -- it almost never does -- but did include an augmented reality effect in its marketing page for the event that could hint at an aspect of the event.

The event marks another milestone for Apple as it aims to stay on track with its product launch schedule, which typically includes events in the spring, summer and fall. In June 2020, as the pandemic took hold, Apple transformed its Worldwide Developers Conference into a virtual event, with slickly edited videos replacing live presentations. So far, the formula appears to be working. Apple has continued to rake in record sales and profits.

The company has said that customers have especially responded to 5G wireless internet upgrades in its iPhones over the past two years. And in his review of the iPhone 13 last year, CNET's Patrick Holland said that Apple had delivered a "delightful upgrade," praising the cameras and battery life in particular.


Apple has also said that demand for new chips it designed to act as the microprocessing brains for its iPads and Mac computers has consistently outstripped supply, with more than $12 billion in estimated pent-up demand in the past year. "Customer satisfaction is off the charts," Apple CEO Tim Cook said during a conference call with financial analysts in January. He said the technology is helping bring in new customers, in addition to upgraders.

At the upcoming event, Apple is also expected to discuss its upcoming iOS 15.4 software, a free upgrade for its most recent iPhones and iPads. The company has already announced that it's building in new Face ID unlock features to work with medical masks, as well as anti-stalking alerts related to its AirTag smart trackers.


Attend TechCrunch Live's special event in Austin, Texas! (It's free) – TechCrunch

TechCrunch is thrilled to announce a special event centered around the exploding scene in Austin, Texas on April 6 at 11:30 am PT / 2:30 pm ET. The area deserves a spotlight on the upcoming startups and recent milestones. It's the city of unicorns and tech giants. Drawn to the laid-back lifestyle and lower cost of living, relatively speaking, nearly 185 people are moving to the Texas capital on a daily basis, and many of those people work in the tech industry.

Austin wasn't an overnight success. For years it was known primarily for its software scene. But today, new growing sectors include crypto, real estate tech, CPG and insurance technology. As in other maturing markets, companies that have seen success in the past are now spawning a new generation of entrepreneurs.

Look at the companies that surpassed a $1 billion valuation in 2021: The Zebra, Firefly Aerospace, Abrigo, ZenBusiness and Iodine Software. In 2020 Tesla settled into the so-called Silicon Hills district, home to many companies, including Google, Apple, Amazon, Facebook and SpaceX.

Funding globally surged over the past year, and Austin was no exception. The year 2021 marked the year of the biggest funding deals ever for Austin startups, according to Silicon Hills News, with $4.9 billion raised, more than double the $2.3 billion raised in 2020. Rounds are getting larger too, signaling a further maturing of the market: All of the top 10 deals for Austin in 2021 amounted to $100 million or more.

Not only are companies moving here, investors are too. A number of venture capitalists now call Austin home after relocating from the coasts. They include Jim Breyer of Breyer Capital and Palantir co-founder Joe Lonsdale, who said last year he was moving his venture capital firm, 8VC, from Silicon Valley to the city, and Geoff Lewis, founder and managing partner of Bedrock Capital.

There's more. TechCrunch Live is hosting a special episode with local leaders and investors who can best speak to the area. We want to hear what it took to build the mature ecosystem, and what challenges are persisting.

We need your help. Apply to pitch your Austin-area startup during the TechCrunch Live Pitch Off. Just like every TechCrunch Live episode, startups will pitch their companies to our guests. This time around there's a prize. The winner gets a free booth at TechCrunch Disrupt 2022 to exhibit their company.

Register for City Spotlight: Austin!

Check back for updates. This is going to be great.


Waiting For The Refund: How To Prevent Tax Return Delays This Year – NBC Chicago

Taxpayers should be prepared for increased delays this filing season as the Internal Revenue Service (IRS) continues to work through a backlog of returns from previous years.

More than eight million individual returns, including two million amended returns from multiple tax years awaited processing as of mid-February.

Every return represents a family or individual waiting for their refund, and it's likely that in some cases the delay has nothing to do with how they filed their taxes; rather, it stems from delays and staffing struggles inside the IRS itself.

NBC 5 Responds has heard from many consumers, writing in to share their tax return delay woes. They are certainly not alone.

The recent National Taxpayer Advocate's annual report to Congress states that customer service representatives at the IRS were only able to answer 11% of calls from the public received in 2021.

Racquel Johnson from the Dallas-Fort Worth area understands that more than most.

"You hold [on the phone] for two hours and then it disconnects you. You never get to talk to anybody, and that's constant, all day," Racquel told NBC 5 Responds. Racquel is still waiting for her 2019 amended return that she filed in January 2020 to be processed.

Statistics from the National Taxpayer Advocate's report show that in 2021, the number of calls from the public to the IRS increased by more than 180% compared to the previous year.

For people lucky enough to get through to a representative, there hasn't been much good news on the other end.

"I call every month and they tell me it takes 12 weeks to be reviewed; it has now been eight months," Marianne Carlson of Arlington Heights told NBC 5 Responds. Carlson said her amended refund is in the thousands.

Since 2010, the IRS workforce has shrunk by 17% while the number of individual taxpayers has increased by 19%, according to the National Taxpayer Advocate's report.

While Congress provided one-time additional funding to implement pandemic-relief programs for Americans, the IRS has had to cope with pandemic problems itself. Processing center staffing was limited with social distancing, while some centers closed altogether.

That's why the IRS is urging everyone to consider some specific points when filing this year, in hopes of avoiding a delayed refund.

To avoid delays, an IRS spokesperson recommends the following:

It's important not to file until all forms are received from employers, applicable bank accounts, and any other income you must report. That includes two new letters about the most recent stimulus checks and advance child tax credit.

IRS letter 6475, the Economic Impact Payment letter, can help people claim the 2021 COVID-19 recovery rebate credit. The letter helps taxpayers determine if they are entitled to claim the stimulus payment, deposited to the first recipients in March 2021, when filing their return this tax season.

IRS letter 6419, the Advance Child Tax Credit payments letter, can help people get the remainder of their 2021 child tax credit. The letter gives the total amount credited in 2021 and the number of qualifying children used to calculate the advance payments.

Eligible families who didn't receive any advance child tax credit payments can claim the full amount on their 2021 federal tax return, including families who don't normally need to file a tax return.

Before you pay for tax preparation or an online software, see if you qualify for free filing resources.

The IRS Volunteer Income Tax Assistance and Tax Counseling for the Elderly programs work with:

You can use the IRS lookup tool to find a local site to help. Enter your ZIP code and select how far you're willing to travel from the drop-down menu.

The City of Chicago also has a free filing service through Ladder Up for most families earning up to $58,000 annually and individuals making $32,000 or less. Appointments can be made online or by calling (312) 588-6900.

If you don't qualify for free tax preparation, you may be eligible to use a free software program to file your own tax return. Taxpayers with an adjusted gross income of $73,000 or less can file taxes for free through the IRS Free File Program. It is a public-private partnership between the IRS and tax filing software companies. Some companies may charge an additional fee to file an Illinois return.

If you're comfortable navigating basic questions about your income taxes and don't qualify for any of these programs, you may still be able to file your return for free through the United Way's myfreetaxes.com.

The due date to file the 2021 federal income tax return is April 18.


This Tysons startup is upending the regulatory compliance space with software – Technical.ly

In its short four months of life, Tysons, Virginia-based regulatory compliance tech company RegScale has already racked up a few noteworthy achievements.

In January, Technical.ly awarded it an honorable mention spot on our annual RealLIST Startups roundup. That came after the company, which spun out of digital services firm C2 Labs in late 2021, raised $1.5 million from the Virginia Innovation Partnerships Corporation and New Dominion Angels to help build out its technology late last year.

Compliance tech, which helps companies manage their regulatory requirements and needs, is something that CEO Anil Karmel said is new to the security world. Up until now, he told Technical.ly, companies would often maintain their compliance needs in Excel sheets. RegScale, meanwhile, helps keep paperwork up to date in an API-centric SaaS platform.

"That's just the way it's been done; it's the way it continues to be done," Karmel told Technical.ly. "So our thesis was leveraged in the regulatory technology space, which is what we say is the reg tech space: how can we service this bridge between security and compliance so it's not either-or, it's 'and'?"

With RegScale, Karmel said, he hopes to bring the principles of DevOps to compliance in an idea he calls regulatory operations, or RegOps. The platform, which is built with Angular, .NET and SQL, is designed to deploy in a number of existing systems. The RegScale platform will make system audits, issue plans of action, assess risks and note upcoming deadlines and tasks in compliance, among other offerings. There's both a free model and a paid edition of the software, Karmel said, because he believes compliance should be affordable.

Anil Karmel. (Photo via LinkedIn)

On the whole, he hopes that RegScale can help companies move away from the traditional methods of compliance that have been done for decades.

"We're calling it the RegOps movement," Karmel said. "Every movement begins with a single step and we have technology, but it's also a cultural change. So it's helping organizations understand, and people understand, there's a new way to do compliance."

RegScale was funded out of C2 Labs, and the spinout closed an early round of capital after incubating its technology internally, Karmel said. In November, it raised the aforementioned $1.5 million for its research and development arm, including staffing that division. The company is currently hiring for operations staff in Virginia and will continue building out RegScale here. The founder is also hoping to build a large partner ecosystem where companies can further integrate RegScale into their systems.

But in the nearer future, the company is still looking to grow. Next, Karmel and RegScale intend to open a Series A, which will lead to even more hiring. (See open role here.)

Then and now, Karmel said he'll keep an eye out for folks looking to make a change in compliance and regulation tech: "If you're looking to reimagine an industry with a new innovative technology to reimagine compliance, both from a technology standpoint as well as from an implementation standpoint, those are folks we'd love to talk to."
