October 6, 2023
In this Episode:
Marcel Brown: October 6th, 1942. Chester Carlson is issued a patent on a process called electrophotography, now commonly known as photocopying. It was not until 1946 that a company had any interest in pursuing photocopying commercially.
Edwin Kwan: A malicious component in the npm package registry has been found to be deploying an open-source rootkit. This incident is a reminder that developers need to take caution when installing open-source components.
Trac Bannon: Sonatype has released the 9th Annual State of Supply Chain Report. One of the most important evolutions is the emphasis on security during software creation.
Olimpiu Pop: Sonatype published the 9th edition of their already-traditional state of the software supply chain report. There is a high need of continuously monitoring the state of the libraries that we are using in our projects. According to the report, 18.6% of the open-source projects are not maintained anymore.
Katy Craig: OpenSSF is to software, what a health inspector is to restaurants. And guess what? They’ve got scorecards. Good scores here don’t just get you bragging rights. They predict fewer vulnerabilities, so your software is not just rocking it, it’s also locking it down.
The Stories Behind the Cybersecurity Headlines
npm Typo-Squat Deploys RootKits
This is Edwin Kwan from Sydney, Australia.
The package is called node -hide console-windows, which looks to be a typosquat of the legitimate npm package node hide console window. There is an additional ” s” at the end of the malicious package name, and it had been downloaded 704 times over the past two months.
The package downloaded a Discord bot, which facilitated the planting of the rootkit. The malicious code is contained within the packages index. js file and executes an open-source Trojan known as Discord RAT 2.0. The Trojan allows attackers to remotely control the victim’s machine over Discord, using over 40 commands to facilitate the collection of sensitive data while disabling security software.
This is the first time a package has been found to deliver rootkit functionality. The package was also built using freely available components, allowing attackers to put together a supply chain attack with little effort.
This incident is a reminder that developers need to take caution when installing open-source components, make sure security scans are done, and also have scanning policies to protect against typo squatting.
– Reversing Labs: https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research
– Hacker News: https://thehackernews.com/2023/10/rogue-npm-package-deploys-open-source.html
This Day, October 6-7, in Tech History
October 6th, 1942. Chester Carlson is issued a patent on a process called electrophotography, now commonly known as photocopying. It was not until 1946 that a company had any interest in pursuing photocopying commercially.
The Haloid Company finally licensed Carlson’s patent and created the word “xeography,” to differentiate the process from traditional photography. Eventually, photocopying became such a large part of the company’s revenue that Haloid changed their name to Xerox.
October 6th, 1987. Microsoft introduces Microsoft Windows 2.0. Windows 2.0 introduces the advance of allowing individual system windows to overlap each other. And this was also the reason that Apple chose to sue Microsoft for copyright infringement on the Macintosh operating system.
October 6th, 1997. During a trade conference, Michael Dell is asked for his opinion on the current situation at Apple.
He was asked what he would do if he was the CEO of Apple, and he replied, “I’d shut it down and give the money back to the shareholders.” This would go down as one of the most short-sighted comments by a technology executive, as less than 10 years later Apple would surpass Dell in market value.
October 7th, 1952. American inventors Norman Joseph Woodland and Bernard Silver are granted US patents for classifying apparatus and method, described as “article classification through the medium of identifying patterns.” Of course, today we better know these identifying patterns as barcodes. Woodland and Silver eventually sold their patent for only $15,000, but were later inducted into the Inventors Hall of Fame.
Barcodes were first used commercially in 1966 and it rapidly developed so that eventually by 1970, there was a requirement to have some sort of industry standard set. A company called Logicon, Inc. created the Universal Grocery Products Identification Code, or UGPIC for short, in order to implement the barcode throughout the retail industry.
Monarch Marking, based in the US, was the first company to produce barcode equipment using UGPIC for retail trade use. British company Plessy Telecommunications followed suit, creating their equipment later in the same year. The UGPIC was transformed into UPC, or Universal Product Code, which is still used in the US. The first piece of equipment using UPC was installed in a Marsh’s Supermarket in Ohio, and the first product checked out using a barcode was a packet of Wrigley’s Juicy Fruit chewing gum on June 26th, 1974.
October 7th, 1954. IBM researchers modify an existing model 604 vacuum tube calculator to use transistors.
This experiment didn’t shrink the desk-sized machine, nor make it any faster, but it did use only 5 percent of the power the vacuum tube base design did. Encouraged by this successful experiment, IBM introduced the first commercial transistor calculator four years later, the model 608.
That’s your technology history for this week. For more, tune in next week and visit my website, ThisDayInTechHistory.com.
Software Supply Chain: What Matters to an Architect
Sonatype has released the 9th Annual State of Supply Chain Report. One of the most important evolutions is the emphasis on security during software creation. This makes my inner software architect happy.
Hello, this is Trace Bannon reporting from Camp Hill, Pennsylvania.
The Sonatype report has a ton of great information on the direct impact of software development processes, cybersecurity measures, and the adoption of AI in the software supply chain.
The report places emphasis on cybersecurity in software creation. As software continues to be deeply integrated into various sectors and critical infrastructure, ensuring its security from the point of creation is paramount. Any vulnerabilities can lead to substantial financial, reputational, and operational consequences. Architects and engineers must be proactive in incorporating secure development practices, frameworks, and tools, especially given the increasing sophistication of cyber threats.
The report dives deep into the adoption and integration of AI in the development processes, highlighting the transformative role of AI, especially Large Language Models, LLMs. Tools like ChatGPT and GitHub Copilot can assist developers in generating code, and there is a broad trend towards integrating generative AI into development processes overall.
While leveraging AI can lead to increased productivity, faster development cycles, and reduced errors, it’s vital to understand the potential and the limitation of such tools. AI-generated code can sometimes introduce unforeseen vulnerabilities and it may not align with leading coding practices. AI tools themselves might have biases or potential security issues, which need to be understood and managed. For now, these tools can augment human capabilities. They should not be overly relied on without proper oversight and checks.
A topic often overlooked is awareness of licensing and the security implications of open-source LLMs. There are potential licensing risks when deploying open source LLMs and the complexities tied to model selection, parameter size, versioning, among other decisions.
As software systems often integrate various open-source components, being aware of their licenses is essential to avoid legal complications. In the context of AI, there’s an added layer of complexity due to the proprietary nature of some of the models and their training data. Ensuring compliance with licensing terms is crucial. The security of open-source components, including LLMs, needs constant attention to prevent potential vulnerabilities or biases that could be introduced into the software being developed.
As CISA says, we need to be Secure-by-Design, Secure-by-Default, and Secure-in-Depth. The Sonatype report foot-stomps this. As an industry, we must prioritize cybersecurity from the onset, make informed decisions about AI integrations while being wildly aware of its strengths and limitations, and we must always be diligent about licensing and security implications when utilizing these open-source tools and components.
Definitely check out the State of Software Supply Chain Report. It will give you something to noodle on.
– CISA: https://www.cisa.gov/news-events/news/software-must-be-secure-design-and-artificial-intelligence-no-exception
– Sonatype: https://www.sonatype.com/state-of-the-software-supply-chain/introduction
Supply Chain Attacks are a Growing Threat
The report emphasizes, once more, the growing threat the supply chain attacks have become. Sonatype identified a quarter of a million malicious packages. That’s three times more than the previous year. Or, put differently, 2023 saw twice as many as all the previous years, starting with 2019.
Who’s to blame? 96% of the vulnerable packages downloaded have a version without a vulnerability as alternative. Probably this is one reason SA and their friends pointed that most attacks are using already known vulnerabilities, rather than zero-days. For instance, one of the most exploited vulnerabilities is Log4Shell. Currently, a quarter of the downloads are of vulnerable versions two years from the event. Initially, a third of the downloads were vulnerable. So, awareness on the consumer side is essential.
There is a high need of continuously monitoring the state of the libraries that we are using in our projects. According to the report, 18.6% of the open-source projects are not maintained anymore.
Additional points of view on the report you can hear in today’s episode on 505updates.com.
Olimpiu Pop reporting from Tienen, Belgium.
– Sonatype Report: https://www.sonatype.com/hubfs/9th-Annual-SSSC-Report.pdf
OpenSSF Scorecards for Open Source
OpenSSF is to software, what a health inspector is to restaurants. And guess what? They’ve got scorecards. Good scores here don’t just get you bragging rights. They predict fewer vulnerabilities, so your software is not just rocking it, it’s also locking it down.
This is Katy Craig in San Diego, California.
Let’s spotlight a few key checks.
- – Binary Artifacts. Are binary artifacts being left unchecked? Think of this as leaving your diary out in the open.
- – Branch Protection. Branch protection ensures no one’s bypassing crucial steps, like not letting anyone sneak cookies before dinner.
- – Code Review. Got a buddy to review your code? Two heads are better than one, especially when hunting bugs.
- – Dependency Update Tool. Using tools to refresh those dependencies, like having that app to remind you to drink water.
- – Fuzzing. Fuzzing tools in use? Checking for misuse and abuse cases.
- – Security Policy. Got a security policy? These are like house rules, but for your software.
- – Signed Releases. Putting those digital signatures on your work. No forgeries here.
- – Token Permissions. Making sure those tokens are tight-knit and no oversharing.
And there you have it. Dive into open source, but don’t forget these checks. Secure software is like a fortress, and OpenSSF is helping make sure the drawbridge works. Stay savvy, and until next time, keep your shields up and your code tight.
This is Katy Craig. Stay safe out there.