More stories


    White House: Quantum computers could crack encryption, so here's what we need to do

    The White House has announced a set of proposals for keeping the US ahead in the global quantum computing race, while mitigating the risk of quantum computers that can break public-key cryptography. Quantum computers powerful enough to break public-key encryption are still years away, but when they arrive they could be a major threat to national security and to financial and private data. Some projects, such as OpenSSH, have already implemented mitigations against an attacker who steals encrypted data today in the hope of decrypting it once such a computer exists, but so far there are no official US standards for quantum-resistant cryptography.

    The Biden administration’s memorandum outlines its desire for the US to maintain its leadership in quantum information science (QIS), as well as a rough timeline and responsibilities for federal agencies to migrate most of the US’s cryptographic systems to quantum-resistant cryptography. There’s no hard deadline for the post-quantum cryptographic migration, but the White House wants the US to move to cryptographic systems that are resistant to a ‘cryptanalytically relevant quantum computer’ (CRQC), with the aim of “mitigating as much of the quantum risk as is feasible” by 2035. “Any digital system that uses existing public standards for public-key cryptography, or that is planning to transition to such cryptography, could be vulnerable to an attack by a CRQC,” the White House states.

    The migration will affect all sectors of the US economy, including government, critical infrastructure, businesses, cloud providers, and basically anywhere today’s public-key cryptography is used. The memorandum’s protection mechanisms may include counter-intelligence and “well-targeted export controls”.

    The quantum-cryptography memorandum follows the NATO Cyber Security Centre’s recent test run of secure communication flows that could withstand attackers using quantum computing. The renewed urgency comes as China makes headway in quantum computing. Scientists in China last year tested two quantum computers on tasks they claimed were more challenging than those Google put its 54-qubit Sycamore quantum computer through in 2019, when it claimed to have achieved “quantum supremacy”. IBM researchers contested Google’s claim.

    In October, US intelligence officials singled out quantum computing as one of five key technologies at risk from foreign threats such as China and Russia; the others were artificial intelligence, biotechnology, semiconductors and autonomous systems. “Whoever wins the race for quantum computing supremacy could potentially compromise the communications of others,” the US National Counterintelligence and Security Center warned in a white paper, noting that China wants to achieve leadership in these fields by 2030. “Without effective mitigation, the impact of adversarial use of a quantum computer could be devastating to national security systems and the nation, especially in cases where such information needs to be protected for many decades.”

    Despite lacking a hard deadline for the migration, the memorandum does outline roles, reporting requirements and key dates for the relevant federal agencies. The directors of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) are developing standards for quantum-resistant cryptography; the first set of these standards is slated for public release by 2024. Within the next 90 days, the Secretary of Commerce will work with NIST to establish a working group involving industry, critical infrastructure and others on how to advance the adoption of quantum-resistant cryptography. And within a year, the heads of all Federal Civilian Executive Branch (FCEB) agencies — all agencies except Defence and intelligence — will deliver a list of CRQC-vulnerable IT systems to CISA and the National Cyber Director. The inventory will include the cryptographic methods used on IT systems, including sysadmin protocols, as well as non-security software and firmware that require upgraded digital signatures.

    FCEB agencies have been instructed not to purchase any quantum-resistant cryptography systems until NIST releases its first set of standards for the technology and those standards have been implemented in commercial products. However, these agencies are encouraged to test commercial products in this category.


    Google, Apple, Microsoft make a new commitment for a “passwordless future”

    Sometime this year or next, we may finally get to say goodbye to our passwords. Google, Apple and Microsoft have all extended their commitment to building passwordless support into their device platforms. Over the next year, the three tech giants will implement passwordless FIDO sign-in standards across Android and Chrome; iOS, macOS and Safari; and Windows and Edge. This means that, sooner or later, you won’t need a password to log into devices, websites or applications. Instead, your phone will store a FIDO credential called a passkey, which is used to unlock your device — and your entire online account. 

    A passkey is significantly more secure than a password because it’s protected with cryptography and is only presented to your online account when you unlock your device. Passwords, meanwhile, leave us vulnerable to phishing scams and our own bad habits, like using the same password across accounts.

    The three companies’ platforms already support passwordless sign-in standards created by the FIDO Alliance, an open standards industry body formed to solve password and phishing problems. However, under previous implementations, users had to sign into each website or app with each device before they could use passwordless functionality. With this extended commitment, users will be able to automatically access their passkey on many of their devices, even new ones, without having to re-enroll every account. Additionally, people will be able to use FIDO authentication on their mobile device to sign into an app or website on a nearby device, regardless of the OS platform or browser it is running.

    Don’t forget your passwords just yet, though. Developers still have to build passkey experiences into their websites and applications. To do so, developers can use APIs available in the browsers and operating systems to obtain cryptographic sign-in messages, which they verify on the server, Sampath Srinivas, Google PM Director for Secure Authentication and president of the FIDO Alliance, explained to ZDNet in a statement provided over email. These API calls have direct analogues in the password manager world, Srinivas explained. One API call is a direct analogue for “Create a new random password” (it can also create a random username, since the user does not need to care about that). Another API call is a direct analogue for “Now play the username and password into the website”. Additionally, this new kind of “password manager” can play a password from a nearby phone onto your computer.

    “And finally, on the server side, just like the developer has to write code to verify passwords, there is a standard way to verify the crypto message which comes from the user’s browser or app,” Srinivas said.

    This new collective commitment was commended by Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency, who called it “the type of forward-leaning thinking that will ultimately keep the American people safer online.” “I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” she said in a statement. “Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”


    A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed

    The internet does not like to forget. Many of us know this, or at least it’s something that’s in the backs of our minds as we post updates to Facebook, share photos on Instagram, detail little insights into our daily lives on Twitter, and enter our personal data into a variety of other social media platforms and online services. But now I can see that it’s really true, for me at least.


    For years, I’ve been writing about cybersecurity, so I’m aware of the risks around personal information being shared online and how valuable our sensitive data can be to cyber criminals – as I wrote about when someone tried to use my stolen bank details over 4,500 miles away. It’s why I’m careful about what I sign up to, what I post, and who can see it. I make sure that my passwords are complex enough that they can’t be guessed, and, whenever possible, I use multi-factor authentication to protect my accounts.

    These are all habits I’ve developed during the past 10 years or so. But prior to that, I was much more naive about putting personal data online, particularly when I started regularly using the internet after getting a home computer for the first time as a teenager in around 2001. This access opened a lot of worlds to me. I was part of gaming clans, I got my first taste of social media with MySpace, and I joined various online forums, posting comments and talking with people with similar interests – later, even meeting other users in person at group meets. Back then, security and privacy didn’t really cross my mind.

    Gradually, as I got older, went to university, found and changed jobs, moved to different cities and found new hobbies, I didn’t post on the forums anymore, and eventually I forgot about them. Which is why it was startling when someone showed me how easy it was to find my username for a particular forum – and linked to a thread from the bulletin board containing almost two-decade-old photos of me from a forum meetup. These old photos were innocent enough – just group photos from a London pub – but I had completely forgotten they existed, yet there they were, still sitting on the open internet.

    It was strange to see them and think about how they’d been sitting online for almost 20 years – and for a savvy cyber sleuth, that account could provide a pathway to finding out all sorts of other information about me and my online habits – and as I discovered, it does. Fortunately for me, it wasn’t anyone with ill intent who’d been digging around my online history, but rather Jack Chapman, VP of threat intelligence at cybersecurity company Egress. But it gave me an insight into how this long-forgotten online profile – and other aspects of my digital footprint – were out there on the internet and how they could be abused. Because while finding old data about me had nostalgia value, in the wrong hands and against a different person, such information could be the key to unlocking a whole lot more. “We’re in the age of data and that data can easily be held by people with nefarious means,” Chapman told me.

    So how was it possible to track down an old forum account, along with a bunch of other information, and tie it to me? It starts with something that, unfortunately, has happened to almost anyone who has online accounts – being involved in a data breach, where hackers have broken into online services, then stolen and leaked email addresses, passwords, contact information, credit card details and other sensitive personal data. It was one of these elements that was the first step to tracking down long-forgotten aspects – or so I thought – of my online footprint.

    If you’re using the internet, it’s highly likely that you have at least one personal email address. It’s what we use to sign up for various services – and there can potentially be hundreds of those, even if we only use them once before forgetting about them. And that information doesn’t go away. I have a personal email address that’s been active for almost 20 years, which has been used to sign up for many different websites and online services. Unfortunately, a number of those services have ended up being breached by cyber criminals and information about the accounts pasted online. According to HaveIBeenPwned, that email address has been in at least 14 different breaches over the years, exposing linked information including my name, online usernames, passwords and more. Some of these were huge data breaches that exposed the information of millions of people, such as May 2016’s LinkedIn data breach, which exposed 164 million email addresses and passwords, or January 2019’s Collection 1 dump, a massive set of leaked and stolen data that contained 773 million usernames and passwords.

    Chapman was able to use that information as a jumping-off point to search for personal data about me available online that malicious cyber criminals could potentially use against me – and it was a shock to hear him read out some of my old passwords to me. In most cases, I knew these passwords had been revealed in breaches and had previously made the effort to change each one to a unique new password. But 10 to 15 years ago, when I was more naive about using the internet, I used the same password across multiple online accounts – which meant that if one account was breached, the others were also vulnerable to being hacked.

    Cyber criminals often take advantage of the way people re-use the same password. For example, someone using one password on their personal email account and the same one for their corporate account could potentially provide cyber criminals with a route into a corporate network. Alternatively, if your username and password for your email are the same as your username and password for your bank, cyber crooks will quickly discover and exploit this loophole.

    Some of the breaches of my details involved some of my old online usernames related to forum accounts and online-gaming handles. By combining that information with my name and email address, it was possible to locate an old forum profile – particularly as it turned out I’d long forgotten that I’d written blogs for one of these websites, which linked my real name and user profile name together. It was via this profile that Chapman was able to find my old forum posts, including those in the photo thread that I’d forgotten about until now – because my username was in the title of the forum thread. It was very weird seeing how someone could use leaked information to track down old photos of me. This particular bit of online history was from 2005, when I hadn’t really considered online privacy as an issue. And yet over 15 years later, a determined attacker could use these – as it turned out – very public details to try to gather information about me that could be used to break into accounts or attempt to carry out phishing attacks designed around my habits.

    But at least I remember posting on these forums – what was worrying was how a database of breaches that my old email address had been involved in included various websites I don’t even remember signing up for or using. One of these that stood out was a data breach of the online game Stronghold Kingdoms in July 2018, exposing usernames, passwords and email addresses. I’ve heard of the game but don’t remember ever signing up to play it. It’s possible I did, or, given the nature of games, that the studio behind it was acquired by or merged with another studio that created a previous online game I played years before. Yet my username and password were exposed in this breach.

    And from there, Chapman was able to link to another data breach, at a website called Zoosk. This is another site I have no memory of at all, but it turns out to be a dating website that I apparently used in about 2010 – and that data breach gave away my date of birth and the city I was living in at the time. Further analysis of the breach even linked it back to an IP address and an internet provider. This was a location I haven’t lived in for over a decade now, but it was still unnerving to see how information on a website could be used to ultimately help trace the geolocation of where I was at the time.

    All of this is sensitive information that cyber criminals could use to build a better picture of targets and to gain as much from them as possible – and, in this case, as much as possible about me. “By having more information, it allows an attacker two key advantages – first, it allows them a better understanding of your life and work. This allows them to tailor their attacks to improve their credibility and likelihood of success,” says Chapman. “The other opportunity is that it offers them the chance to understand your ‘social network’ both on a personal and work front. This is often used for robust targets, where they initially breach a more vulnerable victim in their target’s close network.”

    In my case, that ‘social network’ attack would involve a cyber attacker spying on people I know or hacking their accounts to gain more information about me. If I thought an email was really sent from a friend, I might be more willing to open links contained within it. A cyber criminal who controlled that account could use that link to deliver malware or carry out other nefarious activities.

    Some of the breaches my data has been exposed in are over a decade old. And the problem is that once that data is out there, it’s not going away. While it’s possible to change passwords, for other information – such as your name, address, online username and email address – it isn’t really possible. Our email address is often the key to our online lives. We use it to log in to social networks, banking, shopping and many other online services. Most of us stick to the email address that we’ve used for many years, because we’re used to it and it’s tied to so many things we use every day. That makes it difficult to alter – imagine having to go around dozens of your online accounts and in each case going through all the steps to change your email address every time it gets leaked in a breach.

    But is there a case to be made for discontinuing the use of an email address if it’s been in too many breaches, because that could leave us vulnerable to being hacked, particularly if it’s a corporate email address? Chapman thinks so. “One thing we as an industry haven’t had a conversation about is retiring email addresses. If they have been in a certain number of breaches, should we have best practice where we say, ‘no, actually, that’s elevating the amount of risk we’re facing as a business – we should shut that down now,’” he says.

    But for most of our information, once it’s out there on the internet, it’s out there for good and there’s not much we can do about it. That means the best practice is to understand what information might be out there and to be alert to when your personal data might be abused. For example, if you know credit card details have been stolen in a data breach, it’s a good idea to contact your bank, cancel that card and get a new one to avoid fraudulent activity on your account. Meanwhile, if you get an alert from a service provider that they’ve been hacked and it’s possible information might have been stolen, it’s good practice to change your password for that account – and any other accounts that password may be used for – to stop cyber criminals abusing stolen data.

    If you’re aware that your details have been leaked in a breach, you should also be on the lookout for phishing emails. In many cases, leaked emails just get put on spam lists. Many of these are simple to detect – emails claiming you’ve won gift cards or offering free items. But some are sneakier and will use worries around data breaches to send more targeted phishing emails. For example, when a Bitcoin trading site is the victim of a hack, other attackers look to take advantage by sending phishing emails to leaked lists of users, claiming their accounts are at risk and to ‘click here’ to fix it – only for that link to be a portal to steal login details and Bitcoin. This happens with many different breaches, so it’s vital that users treat emails like this with suspicion. It’s unlikely that a company will inform you of a breach and include a link to log in. And if you do think there might be an issue, it’s best to open your internet browser and go to the site itself, thus avoiding getting caught out by a phishing email.

    If there are old accounts that you don’t use anymore, it might be worth shutting them down, as they could contain a lot of personal information that could be used against you by cyber criminals. If the account doesn’t exist, there’s much less risk to the user. “Unless you manually delete or change things, nothing is forgotten now – and attackers know that,” says Chapman.

    That’s certainly the case with the old photos on the online forum. But in a frustrating twist, when I checked to see if I could go back and delete the images from the forum posts, I found it isn’t possible – my account was automatically shut down at some point because it wasn’t being used, and my profile is now listed only as a ‘former member’ of the forum. But my username is in the title of the thread and the photos are still there. There’s no way to remove the photos or the connected forum posts, along with a traceable trail of information about my online history spanning almost 20 years. It’s a little disturbing, but it serves as a reminder that personal information that ends up on the internet can end up there forever, even if it’s something you’d rather forget.


    Decade-old bugs discovered in Avast, AVG antivirus software

    Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years. 

    On Thursday, SentinelOne published a security advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523. Avast acquired AVG in 2016 for $1.3 billion. According to the cybersecurity firm, the vulnerabilities have existed since 2012 and, therefore, could have affected “dozens of millions of users worldwide.”

    CVE-2022-26522 and CVE-2022-26523 were found in the Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The first vulnerability was present in a socket connection handler used by the kernel driver aswArPot.sys; during routine operations, an attacker could hijack a variable to escalate privileges. Security products must run with high privilege levels, so attackers able to exploit this flaw could potentially disable security solutions, tamper with the target operating system, or perform other malicious actions. The second vulnerability, CVE-2022-26523, is described as “very similar” to CVE-2022-26522 and was present in the aswArPot+0xc4a3 function.

    “Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation,” SentinelLabs said. “For example, the vulnerabilities could be exploited as part of a second-stage browser attack or to perform a sandbox escape, among other possibilities.”

    SentinelLabs reported the vulnerabilities to Avast on December 20, 2021. By January 4, the cybersecurity solutions provider had acknowledged the report and, after triage, released fixes in Avast v.22.1 to deal with the vulnerabilities. The vulnerabilities were patched by February 11. SentinelLabs said there is no evidence of active exploitation in the wild.


    Users should have received the necessary updates automatically and do not need to take further action. “The impact this could have on users and enterprises that fail to patch is far-reaching and significant,” the company added. “We would like to thank Avast for their approach to our disclosure and for quickly remediating the vulnerabilities.”

    Avast told ZDNet: “Avast is an active participant in the coordinated vulnerability disclosure process, and we appreciate that SentinelOne has worked with us and provided a detailed analysis of the vulnerabilities identified. SentinelOne reported two vulnerabilities, now tracked as CVE-2022-26522 and CVE-2022-26523, to us on December 20, 2021. We worked on a fix released in version 22.1 in February 2022 and notified SentinelOne of this applied fix. Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users constantly update their software to the latest version to be protected. Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program.”


    Federal Court finds RI Advice failed to manage cybersecurity risks in landmark decision

    May 4, 2022 | Topic: Legal

    In an Australian first, the Federal Court has found that financial services firm RI Advice breached its licence obligations by failing to implement adequate risk management systems to manage cybersecurity threats. This was the first such case brought by the Australian Securities and Investments Commission (ASIC) against any licensee and, as a result, sets a new legal standard for how financial service providers should execute cybersecurity management plans. The company has been ordered by the court to pay AU$750,000 toward ASIC’s costs, and to engage a cybersecurity expert within the next month to advise and assist RI Advice’s authorised representative network.

    The decision comes after a significant number of cyber incidents affected authorised representatives of RI Advice between June 2014 and May 2020, leading ASIC to file against the company for breach of its licence obligations. In a statement, ASIC detailed that one of the incidents involved an unknown malicious agent who obtained access to an authorised representative’s file server through a brute force attack and remained undetected from December 2017 to April 2018. ASIC claimed that this resulted in the “potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.

    In her judgment, Federal Court Justice Helen Rofe said that cybersecurity risks pose a significant threat to the conduct of a business and its provision of financial services. “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level,” said Justice Rofe.

    ASIC deputy chair Sarah Court said the cyber attacks allowed third parties to gain access to sensitive personal information. “It is imperative for all entities, including licensees, to have adequate cybersecurity systems in place to protect against unauthorised access. ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber threat environment,” Court said.

    Prior to October 2018, RI was a wholly-owned subsidiary of ANZ Bank. It then became a wholly-owned subsidiary of IOOF Holdings Limited as one of four financial planning dealer groups sold by ANZ under a AU$975 million deal.


    VM escape and root access bugs fixed in Cisco NFV infrastructure software

    Written by

    Chris Duckett, APAC Editor


    Image: Thomas Jensen/Unsplash
    Cisco has released patches for a trio of bugs in its Enterprise NFV Infrastructure Software that could result in escaping from virtual machines, running commands as root, and leaking system data.

    Leading the way with a CVSS score of 9.9 is CVE-2022-20777, a bug in the next-generation input/output feature that allowed an authenticated remote attacker to jump out of the guest VM and run commands as root on the host machine via an API call. Cisco points out that such access could compromise the host completely. For unauthenticated remote attackers, CVE-2022-20779, with a CVSS score of 8.8, allows root commands to be run if an administrator can be convinced to install a VM image with crafted metadata that will execute the commands when the VM is registered. Rounding out the trio is CVE-2022-20780, with a CVSS score of 7.4, which exists in an XML parser and could leak system data. “An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM,” Cisco said. “A successful exploit could allow the attacker to access system information from the host, such as files containing user data, on any configured VM.”

    Cisco has been under the pump on the security front in the past month, with 64 vulnerabilities either appearing or being updated since April 13. Of that number, a vulnerability in the Cisco Wireless LAN Controller scored a perfect CVSS score of 10 due to an attacker being able to bypass password validation. “An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials,” the company said. “A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator. The attacker could obtain privileges that are the same level as an administrative user but it depends on the crafted credentials.” To be vulnerable, devices needed to have the MAC filter RADIUS compatibility option set to “other”.

    At the same time, Cisco said it had conducted tests with customers on predictive models related to network issues. “Cisco predictive networks work by gathering data from a myriad of telemetry sources. Once integrated, it learns the patterns using a variety of models and begins to predict user experience issues, providing problem solving options,” the company said. “Customers can decide how far and wide they want to connect the engine throughout the network, giving them flexible options to expand as they need.”


    How the EPL tackles piracy and stops people going around the wall

    Written by

    Aimee Chanthadavong, Senior Journalist


    Image: Ben Stansall/Getty Images
    When a majority of the English Premier League’s income comes from exclusive broadcast deals, it makes sense that the football organisation is committed to cracking down on piracy globally. Speaking to ZDNet, Premier League chief legal counsel Kevin Plumb said that while anti-piracy work has been on the company’s agenda for a long time, making it a priority started with former executive chairman Richard Scudamore, “who really prioritised it alongside broadcast sales because he saw it as two sides of the same coin”.

    “We know it’s a problem in every territory — not just for sports or the Premier League, it’s for movies, it’s TV shows … and that’s one of the reasons why we opened an office in [Singapore three years ago]. We are pretty loud and proud about our anti-piracy work,” Plumb said. “Back in the day, it used to be a ‘non-secret’ and something we did in the background … but now we’re right at the cutting edge of anti-piracy work and we want to show our broadcasters and our fans that as well.”

    In fact, Plumb reckons all the anti-piracy work is having a significant impact, pointing out that the company’s revenue from international broadcasting deals will be up by 30% for 2022-25. Based on reports earlier this year by The Times, international deals will be worth £5.3 billion, while domestic rights will bring £5.1 billion, and commercial contracts take the total to £10.5 billion. While there are plenty of reasons for the revenue bump, Plumb believes the company’s anti-piracy work is a contributing factor. “We can comfortably say our anti-piracy work will be one of those factors because if we weren’t so committed, if we weren’t having the impact that I think we are having — and particularly in this part of the world — I think we’ve managed to be quite influential, working with other rights owners as well,” he said. “It’s kind of turning the ship around and sort of getting the momentum back in favour of the rights owner. I think if we just sort of left the situation alone, I’m not sure if we would be in a position where we’re as happy with the rights sales we have.”

According to Plumb, the company’s anti-piracy program is shaped by four pillars: legal action, blocking, lobbying, and education and awareness. Blocking, for instance, is a method designed to minimise the supply of pirated content. It involves working with vendors to remove pirate content from search results, making it harder for casual users to locate, as well as tracking down ads on pirate sites to “starve the revenue stream”.

“What we look at is the whole journey from logging onto the computer or turning on the smart TV to access a pirate stream, and we try to disrupt every part of that journey to make it as difficult as possible for someone to access the stream,” Plumb said. “We try to put as many hurdles up as possible because we find that if you put up one hurdle that dissuades 100 people from carrying on that journey. If you put two that’s 500 people.”

The Premier League has also been working with local law enforcement globally to ensure that legal action can be taken against those who are supplying pirate services. For instance, in Singapore and Malaysia, the company secured legal precedent that the sale of Kodi media boxes and the use of them to access pirate content is a criminal offence.

“In Singapore three years ago when we first came out here, it was really easy to buy these [Kodi] devices in the shops. That process was a pleasant purchasing experience — you bought it from a nice shop, there’ll be a nice salesperson to show you a nice box with nice branding, and it’s all boxed beautifully,” Plumb said. “So, a lot of our emphasis has been trying to stop those shops from selling them and getting them off the streets … that’s why we’ve established that it’s a criminal act now to sell those boxes.

“We now routinely sweep those shops, and we’ll do undercover purchases and then we follow it up with legal letters. We’ve reduced the number of those shops by 80% in the last few years.”

Meanwhile, in Thailand, Plumb said the Premier League works closely with the Department of Special Investigation to ensure criminal raids are carried out or that local law enforcement turns up at the doorsteps of pirates for a “knock and talk”.

But not all countries’ legislation is up to scratch when it comes to piracy, Plumb conceded.

“We do lots of lobbying work because … we always want legislation to be clear and we’d always want legislation to move with the technology because that is one of the challenges. You have pirates who are really quick, and you’ve got law and legal process which can be deathly slow. How you fit those two bits together is one of our biggest challenges,” he said.

Plumb also acknowledged that even though the sale of Kodi media devices may be slowly disappearing from physical storefronts, pirates are likely to sell them through other channels.

“What we now expect is that those shops move online, therefore we have to be ready for that — we are sweeping auction sites and Lazada. We’ve removed a few thousand listings from Lazada in the last year,” he said. “And then where do they move then? They move to their own websites, maybe they set up a Facebook profile, so we sweep Facebook and we take them down from Facebook. We always have to be aware of their next step and that does mean we’ll be doing this for a long time.”

At the end of the day, though, all the anti-piracy work is designed to protect the fans, Plumb said.

“In this part of the world where people are getting up at silly o’clock in the morning to watch their teams play — teams they may have never seen in person — but who they are absolutely fervent fans of … so it’s really important that we protect those people.”

    Kubernetes 1.24 Stargazer: An exceptional release with two major changes

In its latest release, Kubernetes 1.24 Stargazer, everyone’s favorite container orchestrator has made two major changes: the developers dropped support for the Docker Engine container runtime and added supply chain security via Sigstore.

First, don’t start hyperventilating because Dockershim has been deprecated. While Dockershim enabled you to use the Docker Engine runtime within Kubernetes, it was never designed to be embedded inside Kubernetes. Further, Docker Engine is incompatible with Kubernetes’ Container Runtime Interface (CRI), so Dockershim’s job was to bridge the gap between Docker’s containerd-based engine and CRI.

Maintaining Dockershim, however, was a pain, so Kubernetes started deprecating it. As Kat Cosgrove, a Pulumi Developer Advocate and Cloud Native Computing Foundation (CNCF) Ambassador, explained, in Kubernetes’ early days, “We only supported one container runtime. That runtime was Docker Engine. Back then, there weren’t really a lot of other options out there and Docker was the dominant tool for working with containers, so this was not a controversial choice.”

But Kubernetes users wanted more runtime choices. They got that with CRI, but Docker Engine was not CRI-compatible. The fix, Dockershim, filled in the gaps between Docker Engine and CRI. “However,” Cosgrove continued, “this little software shim was never intended to be a permanent solution. Over the course of years, its existence has introduced a lot of unnecessary complexity to the kubelet itself. Some integrations are inconsistently implemented for Docker because of this shim, resulting in an increased burden on maintainers, and maintaining vendor-specific code is not in line with our open-source philosophy.”

Unfortunately, Cosgrove admits, the Kubernetes developer community did a poor job of communicating what they were doing by removing Dockershim. It also doesn’t help that when we say “Docker,” we might mean the container image format, Docker the company, or the Docker runtime. Removing Dockershim affects only the runtime. Docker-built container images still run just fine on Kubernetes. As Cosgrove concluded, “Docker is not going away, either as a tool or as a company.” Still, “removing dockershim from kubelet is ultimately good for the community, the ecosystem, the project, and open source at large.”

If you really want to stick with Docker Engine, you can, even though Kubernetes no longer natively supports it. Mirantis, which now owns the Docker program, will continue to support Dockershim in Docker Engine and Mirantis Container Runtime with Kubernetes. This new Dockershim program, cri-dockerd, provides a shim for Docker Engine that lets you control Docker via the Kubernetes CRI. You can also, of course, switch to one of the supported Kubernetes runtimes, such as containerd v1.6.4 and later, v1.5.11 and later, or CRI-O 1.24 and later. For more on making sure your Kubernetes clusters are ready for the change, see Is Your Cluster Ready for v1.24?

In another major development, Kubernetes now cryptographically signs its software artifacts to improve its software supply chain security. According to founding Sigstore developer Dan Lorenc, Sigstore certificates enable Kubernetes users to verify the authenticity and integrity of the distribution they’re using by “giving users the ability to verify signatures and have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle, and container image.”

The Kubernetes programmers began working on Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) compliance to improve Kubernetes software supply chain security in 2021. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure the packages and infrastructure of software projects.

The Sigstore program, which is SLSA Level 2 compliant, is a major step forward for Kubernetes security. It improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries. Once an artifact is signed, the signing record is kept in a tamper-evident public transparency log. This gives software artifacts a safer chain of custody that can be securely traced back to their source.

Kubernetes 1.24 brings other improvements as well. For example, new beta application programming interfaces (APIs) will no longer be enabled in clusters by default. However, existing beta APIs and new versions of them will continue to be enabled by default. In another API change, Kubernetes 1.24 offers beta support for publishing its APIs in the OpenAPI v3 format.

There have also been storage and volume changes. Storage capacity tracking now supports exposing currently available storage capacity via CSIStorageCapacity objects and enhances scheduling of pods that use Container Storage Interface (CSI) volumes with late binding. In the meantime, you can resize existing persistent volumes with volume expansion. Work is also underway to migrate the internals of in-tree storage plugins to call out to CSI plugins while maintaining the original API. So far, the Azure Disk and OpenStack Cinder plugins have both been migrated.

Finally, while there are many other changes and improvements, I would particularly draw your attention to Kubernetes 1.24’s new optional networking feature, which lets you soft-reserve a range for static IP address assignments to Services. With this feature manually enabled, the cluster will prefer automatic assignment from the remainder of the pool of Service IP addresses, thus reducing the risk of collision. I like this feature a lot.

A Service ClusterIP can be assigned either dynamically, which means the cluster will automatically pick a free IP within the configured Service IP range, or statically, which means the user sets one IP within the configured Service IP range. These Service ClusterIPs are unique; hence, trying to create a Service with a ClusterIP that has already been allocated will return an error. This makes avoiding otherwise simple-to-make networking errors much simpler.

Usually, companies take their time about moving to a new Kubernetes release. For Stargazer, however, I suggest you consider making an exception. It’s an exceptional release.
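To make the soft-reserved range concrete, here is an added example (not code from the article or from the Kubernetes project) that models the split: the lower band of the Service CIDR is sized by the formula min(max(16, size/16), 256) used by Kubernetes for this feature, dynamic allocation is served from the upper band first and only spills into the lower band when the upper band is empty, and a static ClusterIP that is already in use is rejected. The treatment of ranges with 16 or fewer usable addresses (no reserved band) is an assumption of this example.

```python
import ipaddress
from itertools import chain
from typing import Optional

def static_band_size(cidr: str) -> int:
    """Addresses soft-reserved for static ClusterIPs: min(max(16, size/16), 256)."""
    net = ipaddress.ip_network(cidr, strict=True)
    usable = net.num_addresses - 2   # network address and last address are never allocated
    if usable <= 16:                 # assumption in this example: tiny ranges get no band
        return 0
    return min(max(16, usable // 16), 256)

def service_ip_bands(cidr: str):
    """Return ((static_first, static_last), (dynamic_first, dynamic_last)) as strings."""
    net = ipaddress.ip_network(cidr, strict=True)
    n = static_band_size(cidr)
    static = (str(net[1]), str(net[n])) if n else None
    return static, (str(net[n + 1]), str(net[-2]))

class ClusterIPAllocator:
    """Toy allocator: dynamic requests come from the upper band first and only spill
    into the lower band once it is exhausted; reusing an allocated IP is an error."""

    def __init__(self, cidr: str):
        self.net = ipaddress.ip_network(cidr, strict=True)
        self.offset = static_band_size(cidr)
        self.in_use = set()

    def allocate(self, requested: Optional[str] = None) -> str:
        if requested is not None:    # spec.clusterIP set explicitly by the user
            ip = ipaddress.ip_address(requested)
            if ip not in self.net or ip in (self.net[0], self.net[-1]):
                raise ValueError(f"{requested} is outside the usable Service IP range")
            if ip in self.in_use:
                raise ValueError(f"ClusterIP {requested} is already allocated")
            self.in_use.add(ip)
            return str(ip)
        upper = range(self.offset + 1, self.net.num_addresses - 1)   # preferred pool
        lower = range(1, self.offset + 1)                             # fallback only
        for idx in chain(upper, lower):
            candidate = self.net[idx]
            if candidate not in self.in_use:
                self.in_use.add(candidate)
                return str(candidate)
        raise RuntimeError("Service IP range exhausted")
```

With a 10.96.0.0/16 Service range the reserved band is 10.96.0.1 through 10.96.1.0, so a static ClusterIP chosen there will not be handed out dynamically until the rest of the range is used up.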