More stories

  • Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google

    Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects. The Package Analysis Project is one of the software supply chain initiatives from the Linux Foundation’s Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.

    “Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users,” Caleb Brown of Google’s Open Source Security Team explains in a blog post.

    “Despite open-source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software.”

    The Package Analysis project identified more than 200 malicious packages in one month, according to OpenSSF. For example, it found token theft attacks on Discord users that were distributed on PyPI and npm. The PyPI package “discordcmd”, for example, attacks the Discord Windows client via a backdoor downloaded from GitHub and installed on the Discord app to steal Discord tokens.

    Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, which Google is a member of, decided it needed to be addressed. In March, researchers found hundreds of malicious packages on npm that were used to target developers using Microsoft’s Azure cloud, most of which contained typosquatting and dependency confusion attacks. Both types are social-engineering attacks that exploit repetitive steps when developers frequently update a large number of dependencies. Dependency confusion attacks rely on unusually high version numbers for a package that in fact may have no previous version available.

    OpenSSF says most of the malicious packages it detected were dependency-confusion and typosquatting attacks. But the project believes most of these are likely the work of security researchers participating in bug bounties. “The packages found usually contain a simple script that runs during install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior,” OpenSSF and Google note.

    OpenSSF notes that any of these packages “could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.”

    The recent Log4j flaw highlighted the general risks of software supply chain security in open source. The component was embedded in tens of thousands of enterprise applications and prompted a massive and urgent clean-up by the US government. Microsoft last week also highlighted the role of software supply chain attacks carried out by Russian state-backed hackers in connection with military attacks on Ukraine.

    This February, Google and Microsoft pumped $5 million into OpenSSF’s Alpha-Omega Project to tackle supply chain security. The Alpha side works with maintainers of the most critical open-source projects, while the Omega side will select at least 10,000 widely deployed open-source programs for automated security analysis.

  • Dell targets multi-cloud ecosystem with cyber recovery and data analytics

    Written by

    Aimee Chanthadavong, Senior Journalist


    on May 2, 2022

    | Topic: Cloud

    One year on from unveiling its Apex-as-a-service portfolio, Dell Technologies is bolstering the portfolio to move beyond infrastructure and target more workload-based solutions, with the launch of Apex Cyber Recovery. The service is designed to streamline the deployment of cyber recovery solutions through standardised configurations and recovery options.

    “With Apex Cyber Recovery, customers can feel confident in the ability to recover from a destructive cyber attack and achieve more agility by offloading the day-to-day management of data protection. Customers get more resiliency from an isolated, immutable, and intelligent data vault,” Dell Apex product management vice president Chad Dunn told media during a briefing on Apex. Apex Cyber Recovery is initially being made available in the US with plans for broader availability later this year.

    The tech giant is also extending its reach in the multi-cloud ecosystem, starting with the release of PowerProtect Cyber Recovery for Microsoft Azure on the Azure Marketplace. Dell said it will allow organisations to deploy an isolated cyber vault in the public cloud, so that if recovery is necessary, they can do so back to their main corporate data centre, an Azure private network, or a clean environment within Azure. The release comes off the back of Dell recently delivering a similar offering for Amazon Web Services (AWS).

    On AWS, Dell has announced the launch of CyberSense on AWS Marketplace to use analytics, metadata and machine learning to proactively detect, diagnose and speed up data recovery when an attack has occurred, as well as identify the last known uncorrupted copy of data to recover from. Both PowerProtect Cyber Recovery for Microsoft Azure and CyberSense for Dell PowerProtect Cyber Recovery for AWS will be globally available in Q2.

    Additionally, Dell has drummed up a new strategic partnership with Snowflake, so that joint customers can for the first time leverage Snowflake’s cloud-based analytics for on-premise data and gain more insights. Jon Siegal, the company’s ISG product marketing VP, explained customers will be able to connect Dell’s object storage to Snowflake in two ways.

    “The first way is by running Snowflake’s analytics against Dell’s on-premise object storage without moving the data to the cloud … it’s really for customers who don’t want to move their data to the cloud, whether it’s for compliance, security, control, data sovereignty reasons,” he said. “Secondly, customers that have the ability also to connect their on-prem Dell object storage to Snowflake by simply copying Dell’s on-premises object data to the Snowflake cloud, so it can be analysed in Snowflake’s cloud itself.”

    Dell also took the opportunity to provide an update on Project Alpine that was introduced at the start of the year. Siegal said from the second half of this year, Dell will be introducing data mobility and the same consistent management experience across on-premise and public cloud environments. He added customers will be able to “power up” their multi-cloud environments by leveraging Dell’s data services capabilities found in its storage platforms, such as PowerStore, PowerScale, PowerFlex, and ObjectScale.

  • How to make SSH even easier to use with config files

    Written by

    Jack Wallen, Contributing Writer


    Secure Shell (SSH) is one of those tools every Linux user will probably work with at some point. With SSH you can easily (and securely) log into remote servers and desktops to administer, develop, and check up on those machines.

    Using SSH is as simple as:

        ssh jack@192.168.1.11

    Or even just:

        ssh 192.168.1.11

    Of course, you would exchange the IP address for the address (or domain) of the machine you need to access.


    SSH gets a bit less simple when you have numerous machines you access with different configurations (such as different usernames or SSH authentication keys). Imagine if you had 20 or so different servers you had to log into daily. Not only would you have to keep track of the IP addresses or domains of those servers, but you’d also have to remember what usernames or authentication keys were used. That alone could get rather overwhelming.

    Thankfully, SSH allows you to create a config file to house all of that information. So, instead of having to type something like ssh olivia@192.168.1.100 -p 2222, you could simply type ssh web1. Let me show you how this is done.

    Creating the SSH config file

    Log in to the Linux machine you use to SSH into all of those remote machines. Open a terminal window and create the new configuration file with the command shown in Figure A.

    Figure A: Creating the new SSH config file with the help of nano.

    Since this is a new file, it’ll be a blank canvas to which we can start adding configurations for servers. Let’s say you want to configure the following remote servers:

      • web1 at 192.168.1.100 with user olivia
      • db1 at 192.168.1.101 with user nathan and SSH key ~/.ssh/id_nathan
      • docker1 at 192.168.1.102 with user lilly on port 2222

    Our first entry will look like this:

        Host web1
            Hostname 192.168.1.100
            User olivia

    If you save and close the file at this point, you could SSH into 192.168.1.100 with the command:

        ssh web1

    Let’s go ahead and configure the next two entries, which will look like this:

        Host db1
            Hostname 192.168.1.101
            User nathan
            IdentityFile ~/.ssh/id_nathan
            PubkeyAuthentication yes

        Host docker1
            Hostname 192.168.1.102
            User lilly
            Port 2222

    Save and close the file. You can now secure shell into those machines with the commands:

        ssh web1
        ssh db1
        ssh docker1

    You can use whatever nickname you need for each host; just make them memorable, so you don’t forget which machine you’re trying to reach and have to constantly reference the config file to jog your memory.

    Let’s say, however, that you use the same username on all your remote servers, but you use a different username on your local machine. For example, your local machine username might be jack but you’ve created the admin user on all of your remote servers. You could create a single entry for all of those servers with a wildcard in the IP address like this:

        Host 192.168.1.*
            User admin

    The above configuration would be placed at the top of your config file.

    You could then configure each server individually as needed, leaving out the User option. For example, if both servers at 192.168.1.200 and 192.168.1.201 use SSH key authentication, you could configure entries like so:

        Host web2
            Hostname 192.168.1.200
            IdentityFile ~/.ssh/id_admin
            PubkeyAuthentication yes

        Host web3
            Hostname 192.168.1.201
            IdentityFile ~/.ssh/id_admin
            PubkeyAuthentication yes

    Because we applied user admin to the entire range of machines on IP address scheme 192.168.1.x, that username will be applied to all connections. You can also override that global configuration by adding a User configuration line on an as-needed basis.

    The SSH config file allows for several other options (all of which can be read about in the official SSH config documentation), but the examples shown above should be everything you need to get going with the SSH config file. And that’s all there is to using the SSH config file to help make your remote access with Secure Shell even easier.
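
An added example, not from the original article: a simplified Python model of the lookup rules in ssh_config(5), where Host patterns are compared with the name typed after ssh and the first value obtained for an option wins, run over constructed copies of the entries above. It assumes default settings (no CanonicalizeHostname or Match blocks) and a local user named jack; AS_WRITTEN, REORDERED and the function names are illustrative.

```python
import re
import shlex

# Constructed sample: the article's entries, with the wildcard block at the top.
AS_WRITTEN = """\
Host 192.168.1.*
    User admin

Host web1
    Hostname 192.168.1.100
    User olivia

Host docker1
    Hostname 192.168.1.102
    User lilly
    Port 2222

Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin
"""

# Constructed variant: specific entries first, the shared default last, and the
# pattern written against the aliases that are typed on the command line.
REORDERED = """\
Host web1
    Hostname 192.168.1.100
    User olivia

Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin

Host web*
    User admin
"""


def parse_config(text):
    """Split a config into (host_patterns, [(keyword, value), ...]) blocks."""
    blocks = [(["*"], [])]  # options before the first Host line apply to all hosts
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # handles "quoted" arguments
        if not words:
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword == "host":
            blocks.append((args, []))
        else:
            blocks[-1][1].append((keyword, " ".join(args)))
    return blocks


def pattern_matches(pattern, name):
    """ssh_config patterns: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, name.lower()) is not None


def block_applies(patterns, typed_name):
    """Host patterns are tested against the name typed after `ssh`."""
    if any(p.startswith("!") and pattern_matches(p[1:], typed_name) for p in patterns):
        return False  # a negated pattern that matches vetoes the whole Host line
    return any(not p.startswith("!") and pattern_matches(p, typed_name) for p in patterns)


def resolve(text, typed_name, local_user="jack"):
    """Return (effective options, later values that were ignored)."""
    effective, ignored = {}, []
    for patterns, options in parse_config(text):
        if not block_applies(patterns, typed_name):
            continue
        for keyword, value in options:
            # Simplification: real ssh accumulates IdentityFile; one value is kept here.
            if keyword in effective:
                ignored.append((keyword, value))  # first obtained value wins
            else:
                effective[keyword] = value
    # Built-in defaults when no matching block set a value.
    effective.setdefault("hostname", typed_name)
    effective.setdefault("user", local_user)
    effective.setdefault("port", "22")
    return effective, ignored


if __name__ == "__main__":
    for label, cfg in (("as written", AS_WRITTEN), ("reordered", REORDERED)):
        for name in ("web1", "web2", "192.168.1.200"):
            options, ignored = resolve(cfg, name)
            print(f"{label:10} ssh {name:14} -> {options['user']}@"
                  f"{options['hostname']}:{options['port']} ignored={ignored}")
```

On a real machine, `ssh -G web2` prints the values OpenSSH itself would use for that alias, which is the quickest way to confirm which User and IdentityFile a given entry ends up with.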


  • Mozilla finds mental health apps fail 'spectacularly' at user security, data policies

    An investigation into mental health and prayer apps has revealed a disturbing lack of concern surrounding user security and privacy.

    On Monday, Mozilla released the findings of a new study into these types of apps, which often deal with sensitive topics including depression, mental health awareness, anxiety, domestic violence, PTSD, and more, alongside religion-themed services.

    According to Mozilla’s latest *Privacy Not Included guide, despite the deeply personal information these apps manage, they “routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.”

    In a study of 32 applications geared toward mental health and religion, the organization found that 25 of them did not meet Mozilla’s Minimum Security Standards. These standards act as a benchmark for the *Privacy Not Included reports. The mismanagement or unauthorized sharing and sale of user data, vague data management policies, a lack of encryption, weak password policies, no clear vulnerability management system, and other lax security policies can all downgrade a vendor product in the eyes of Mozilla. If an app or service fails to meet these basic requirements, they are slapped with the “*Privacy Not Included” warning label.

    The mental health and prayer-related apps have received an accolade — but not one you’d covet. The company says: “When it comes to protecting people’s privacy and security, mental health and prayer apps are worse than any other product category Mozilla researchers have reviewed over the past six years.”

    The organization examined apps including Talkspace, Better Help, Calm, Glorify, 7 Cups, Wysa, Headspace, and Better Stop Suicide. As a result, each app now has a dedicated space that can be accessed to find out more about the software’s privacy and security rating.

    For example, Better Stop Suicide, a suicide prevention app, failed Mozilla’s test. “Holy vague and messy privacy policy Batman! Better Stop Suicide’s privacy policy is bad,” Mozilla says. “Like, get a failing grade from your high school English teacher bad.” While the app gathers some personal information and says that users can reach out to them if they have further queries, they did not respond to Mozilla’s attempts at contact and did not mention who “trusted partners” were when data sharing.

    Only two applications on the list, PTSD Coach and the AI chatbot Wysa, seemed to take data management and user privacy seriously.

    “The vast majority of mental health and prayer apps are exceptionally creepy,” commented Jen Caltrider, Mozilla’s *Privacy Not Included lead. “They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data. Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

  • Directorate of Enforcement seizes $725 million from Xiaomi India

    India’s anti-money laundering agency, the Directorate of Enforcement (ED), has seized assets worth ₹5551.27 crore (around $725 million) from Xiaomi India after it found the company had broken foreign exchange laws. In 2014, the company began operations in India and is alleged to have commenced the illegal activity in 2015. The ED claimed that Xiaomi India remitted foreign currency to three off-shore entities under the guise of royalties, with one of those including a company within the Xiaomi group, whilst the others were US-based. Further, the ED stated that the payments were made “on the instructions of their Chinese parent group entities”.

    Xiaomi India responded via Twitter, claiming that their financial processes are compliant with Indian laws and regulations.

    “We believe our royalty payments and statements to the bank are all legit and truthful,” said the company in its response. “These royalty payments that Xiaomi India made were for the in-licensed technologies and IPs used in our Indian version products. It is a legitimate commercial arrangement for Xiaomi India to make such royalty payments.” Xiaomi India did, however, commit “to working closely with government authorities to clarify any misunderstandings”.

    After experiencing 83% year-on-year growth during the 2021 second quarter, parent-company Xiaomi achieved 17% market share for smartphones, surpassing Apple, and eventually Samsung, to briefly take the number one spot in the global smartphone market, according to Counterpoint Research.

  • Robo-debt Royal Commission, eSafety capabilities and anti-trolling laws on the Australian election agenda

    Written by

    Aimee Chanthadavong, Senior Journalist


    Investing over AU$33 million to enhance eSafety capabilities and legislating the proposed anti-trolling laws are just some of the policies the Coalition government has pledged to follow up if it is re-elected at the upcoming federal election on May 21. Specifically, the policy includes AU$23 million to raise awareness of the eSafety Commissioner’s support for Australian schools, provide training programs for teachers, improve online safety resources for schools, and enhance support for schools with external online safety providers. It also includes an additional AU$10 million for the eSafety Commission to further expand coordination with other regulatory and law enforcement agencies, ensuring victims “tell-us-once” and are supported with the right service.

    Additionally, the Morrison government said it will continue to stick with legislating proposed anti-trolling laws, touting that it will ensure social media companies are held accountable, while Australians are given more power to deal with harmful defamatory comments from anonymous trolls. The proposed laws, however, have been blasted by senators, online abuse victims, and organisations including the eSafety Commission for being too hard to access and unclear, and would require more work if they are to become law.

    The government said it also wants to introduce a binding industry code under the Online Safety Act to ensure smartphones and tablet devices have “strong” parental controls installed that are easier to find and activate — and harder for kids to bypass — if industry does not act within 12 months. An additional AU$2 million has also been earmarked under the Online Safety Grants to benefit online safety projects that support women and girls in culturally and linguistically diverse communities.

    “Our kids should be able to learn, be entertained, or connect with their friends and family without facing abuse, humiliation or online predators. The online world cannot be a cowards’ cavern where the rules of the real world do not exist,” Prime Minister Scott Morrison said. “Big tech and social media giants must be held to account. Our plan will force them to do more – they cannot create it, and wash their hands of all consequences of it.

    “Our plan will also ensure parents can protect their kids online with strong parental controls, help to prevent harm by raising awareness in every school, and improve our support for those harmed online.”

    At the same time, the government said a new AU$3.8 million funding, delivered through the 2022-23 Budget, would be handed to youth mental health organisation Batyr to expand its OurHerd digital platform, which endeavours to provide young people with a safe digital space to view and learn from positive mental health stories shared by peers. The funding would build on the government’s previous investment of AU$2.8 million through the 2019-20 Budget to develop OurHerd. Minister for Health and Aged Care Greg Hunt said the additional funding for OurHerd will support approximately 60,000 young people aged 14-30 years with mild to moderate mental health needs, their families, carers and communities.

    “Through peer-to-peer education and the sharing of stories of lived experience, Batyr is helping more young people to get help before they reach a crisis point,” Minister Hunt said. “This early support reduces the lifelong impacts of mental illness and saves lives.”

    Meanwhile, the Opposition, as part of its election campaign, has vowed to establish a Royal Commission into robo-debt by the end of this year, with consultation to begin after the election. It envisions the Royal Commission will identify who was responsible for the robo-debt scheme; establish what advice, and what processes informed the design and implementation; investigate the handling of complaints for the scheme; determine how much the implementation, suspension, and wind-back of the scheme cost taxpayers; investigate the harm caused to Australians; and investigate the use of third-party debt collectors under the scheme. Labor has been advocating for a Royal Commission into the government’s robo-debt disaster since June 2020.

    “We still do not know how this reckless scheme was unleashed. We do not know whether poor legal advice was given or whether legal advice was simply never sought,” Shadow Minister for Government Services Bill Shorten said. “We do not know if public servants were inappropriately heavied and politicised. And without knowing the true origins we do not know what safeguards could be put in place to prevent a repeat.”

    In May 2020, the federal government conceded its data-matching Online Compliance Intervention (OCI) initiative, dubbed robo-debt, got around 470,000 “debts” wrong. The OCI program automatically compared the income declared to the Australian Taxation Office (ATO) against income declared to Centrelink, which resulted in debt notices, along with a 10% recovery fee, being issued whenever a disparity in government data was detected. Centrelink’s OCI program from 1 July 2016 through 31 August 2019 saw 1,159,662 assessments initiated using the automated data-matching technique.

    Separately, the Opposition also said it will launch a user audit of the myGov government services digital portal to “take a fresh look” at how well it is performing and help identify what changes and improvements can be made.

    “Millions of Australians interact with myGov every day and rely on it to provide essential services. It’s not up to scratch, and Australians deserve better. That’s why we will review myGov, and make improvements where necessary,” Opposition leader Anthony Albanese stated.

  • Musk's Twitter goal of authenticating all users is good for ending bots but bad for humans

    Written by

    Chris Duckett, APAC Editor


    Say what you will about Elon Musk, and no doubt there is plenty to say, but should the $44 billion deal to buy Twitter close, at least the person in control of the social media site actually uses the damn thing. A common criticism across recent years over the direction of Twitter has been whether those at the top use the site like its regular users do. Rather than tackle abuse properly by giving everyone access to the German option of autobanning neo-Nazi and white supremacist content, Twitter gave us Fleets, which didn’t even survive a year. That sort of approach looks really good as a box ticking exercise for project managers, but for users, it looks like the company is distracted and doesn’t really understand its own service.

    Enter Elon Musk with his billions in financing and a plan to remake Twitter. “Free speech is the bedrock of a functioning democracy, and Twitter is the digital town square where matters vital to the future of humanity are debated,” Musk said in the official announcement of the deal. “I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans.”

    There is a lot of meaning in that single paragraph to unpack. Even Musk has walked back his prior apparent absolutist approach to free speech, saying if it is legal, it will be allowed. That leaves an awful lot of legal speech that is utterly abhorrent, which Musk will accept.

    “He has a kind of primitive libertarian notion of free speech, which essentially amounts to freedom of the microphone belongs to the person with the loudest voice and the biggest club to beat away anybody else,” executive director of the Dart Centre for Journalism and Trauma at Columbia University Bruce Shapiro said on ABC Radio last week. “It’s not really a free speech model. It’s a bullying model, that ends up turning platforms into vehicles for jeering culture wars and indeed, suppressing often more reasoned voices.”

    The big issue for a future Musk Twitter to consider is laws in places other than America. Traditionally a blind spot for US companies at the best of times, for a social network it takes on new meaning when concepts like defamation, hate speech, and authoritarian regimes are added.

    For someone sitting in Australia, reading the words “authenticating all humans” from Musk sounds like the Australian government’s dreams come true. With an election due later this month, the anti-trolling Bill — that was actually a big stick for the powerful and cashed up to potentially start lobbing defamation threats and actions against those they disagreed with — lapsed as Parliament rose. Given the bipartisan backing the concept has, it’s best to think of it as sleeping, rather than deceased. The Bill was something that Twitter had raised its own concerns about.

    “Under this bill, online platforms choose between facing liability in court or turning over private sensitive information about users without a legal determination as to whether the content is in fact defamatory under the law,” Twitter Australia’s director for public policy Kara Hinesley said in March. “We’ve seen a number of people both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters.

    “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

    Executive director of Digital Rights Watch, James Clark, told ZDNet that anonymity is vital in challenging the powerful. “In an age when our digital footprint is more permanent and traceable than ever before, staying anonymous is a way to maintain a private life alongside a public one online,” he said. “I would also add that given Musk’s history of intimidating critics and whistleblowers, I imagine there are many people who would be rightfully reluctant to upload identification documents to a platform that he controls.”

    Twitter being a billionaire’s plaything is nothing new — the last one in charge is now using the moniker of Block Head — but it may soon be captured by a shitposting owner focused solely on killing off spambots and pursuing free speech as defined by the US First Amendment. Those in the rest of the world where Musk’s initiatives result in the sort of speech-stifling lawfare he seeks to avoid, are likely to be regarded as nothing more than collateral damage, even as they sink under legal fees.

    ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 11:00PM in London.

  • Microsoft's latest Windows 11 test build adds new group policies, drops SMB1 enablement by default

    Written by

    Mary Jo Foley, Contributor


    Microsoft rolled out a new Windows 11 Insider test build, No. 22610, to the Dev and Beta Channels on April 29. This build includes a lot of fixes, along with a handful of new features and updates.

    Today’s test build also no longer enables the SMB1 file-sharing client by default in the name of security. However, testers who have installed SMB1 manually or upgraded from a preview Windows version where SMB1 was installed will not have SMB1 removed from the latest test builds.

    Build 22610 adds new mobile device management and group policies for IT admins. These new policies can be configured locally using the group policy editor or via Microsoft Endpoint Manager. Among the policies available as of today:

      • Disable Quick Settings flyout
      • Disable Notification Center and calendar flyouts
      • Disable all taskbar settings
      • Disable search (across Start & taskbar)
      • Hide Task View from taskbar
      • Block customization of ‘Pinned’ in Start
      • Hide ‘Recommended’ in Start
      • Disable Start context menus
      • Hide ‘All apps’ in Start

    Today’s test build also includes an update to the Family Safety Widget which provides a new location-sharing view to show where those using the Family Safety app are located. There’s also an update that includes “an improved view” of screen time usage across apps and devices. For those with PCs that support it, the estimated battery life timing will show up in the battery icon in the system tray.

    Today’s test build does not include the usual build watermark, which typically indicates that Microsoft is closing in on completing a new Windows feature update. However, officials reminded testers “this doesn’t mean we’re done” and said the watermark will be back in a future build. And even once Windows 11 22H2, expected this fall, does “RTM” relatively soon, testers will get updates and fixes for months before 22H2 rolls out to the mainstream.

    Today’s build also disables the tablet-optimized taskbar feature that Microsoft began rolling out in Build 22563. Officials said they are hoping to bring this feature back “after further refinement of the experience.” Build 22610 also updates the rename, properties, and optimize icons used in the context menu and command bar to improve discoverability and consistency.

    For a full list of the fixes, updates and known issues in Build 22610, see Microsoft’s blog post.
