More stories


    January 6 House Committee subpoenas Google, Facebook, Twitter and Reddit

    The House Select Committee investigating the January 6th terror attack on the US Capitol has issued four subpoenas to Google, Facebook, Twitter and Reddit as it seeks more information about the incident. Chairman Bennie Thompson said in a statement that the subpoenas were issued due to “inadequate responses to prior requests for information.” The subpoenas relate to “the spread of misinformation, efforts to overturn the 2020 election, domestic violent extremism, and foreign influence in the 2020 election.”

    “Two key questions for the Select Committee are how the spread of misinformation and violent extremism contributed to the violent attack on our democracy, and what steps—if any—social media companies took to prevent their platforms from being breeding grounds for radicalizing people to violence,” Thompson said. “It’s disappointing that after months of engagement, we still do not have the documents and information necessary to answer those basic questions. The Select Committee is working to get answers for the American people and help ensure nothing like January 6th ever happens again. We cannot allow our important work to be delayed any further.”

    In a letter to Alphabet CEO Sundar Pichai, Thompson said YouTube was a “platform for significant communications by its users that were relevant to the planning and execution of January 6th attack on the United States Capitol, including livestreams of the attack as it was taking place.” The letter notes that former Trump administration official Steve Bannon live-streamed his podcast on YouTube in the days before and after January 6, and that live-streams of the attack appeared on YouTube as it was taking place.

    “The Select Committee believes Alphabet has significant undisclosed information that is critical to its investigation, concerning how Alphabet developed, implemented, and reviewed its content moderation, algorithmic promotion, demonetization, and other policies that may have affected the January 6, 2021 events,” Thompson wrote. “For example, Alphabet has not produced any documents that fully explain non-public moderation discussions and policies that led to President Trump’s suspension or that explain whether or why the platform did or did not act regarding President Trump’s account in advance of January 6th. Additionally, Alphabet has not produced documents relating to YouTube’s policy decisions that may have had an impact on the planning, coordinating, and execution of January 6th Attack on the U.S. Capitol.”

    In a statement to ZDNet, Google said it has “been actively cooperating with the Select Committee since they started their investigation, responding substantively to their requests for documents, and are committed to working with Congress through this process.” “We have strict policies prohibiting content that incites violence or undermines trust in elections across YouTube and Google’s products, and we enforced these policies in the run-up to January 6 and continue to do so today. We remain vigilant and are committed to protecting our platforms from abuse,” a Google spokesperson said.

    Thompson’s letters to the CEOs of Facebook parent company Meta, Reddit and Twitter similarly criticize the companies for failing to adequately respond to questions from Congress about their role in facilitating the attack last year. Meta did not respond to ZDNet’s requests for comment. A Twitter spokesperson declined to comment. A Reddit spokesperson said, “We received the subpoena and will continue to work with the committee on their requests.”

    Thompson said a number of Meta’s platforms were used “to share messages of hatred, violence, and incitement; to spread misinformation, disinformation, and conspiracy theories around the election; and to coordinate or attempt to coordinate the Stop the Steal movement.” “Public accounts about Facebook’s Civic Integrity Team indicate that Facebook has documents that are critical to the Select Committee’s investigation,” Thompson said, among a host of other charges about Facebook’s role in the attack on Congress.

    Reddit was criticized by the Select Committee for hosting the “r/The_Donald” subreddit, a community that eventually moved to the website TheDonald.win in 2020. The website “hosted significant discussion and planning related to the January 6th attack,” according to Thompson.

    Twitter was also accused of allowing users to plan and execute the assault on the Capitol. Thompson said Twitter “was reportedly warned about potential violence being planned on the site in advance of January 6th.” “Twitter users also engaged in communications amplifying allegations of election fraud, including by the former President himself,” Thompson said. “Twitter’s former CEO Jack Dorsey acknowledged last year that Twitter bore some responsibility for the violence that occurred on January 6th.”

    Thompson said Twitter has refused to produce documents related to the warnings it received about the potential attack and would not commit to a timeline for complying with the Select Committee’s request for a variety of documents related to the 2020 election. “Finally, Twitter has failed to produce any documents that fully explain either its decision to suspend President Trump’s account on January 8, 2021, or any other decisions the company made regarding President Trump’s account relating to the events of January 6th,” Thompson said.


    New York Power Authority to beef up cybersecurity with new IronNet, AWS deal

    The New York Power Authority (NYPA) announced a new deal with cybersecurity firm IronNet and Amazon Web Services that will help the country’s largest state public power organization bolster its cybersecurity defenses. Victor Costanza, deputy CISO at the NYPA, said the rise in sophisticated cyber attacks prompted the authority to help municipal utilities implement a strong security program that can detect and mitigate attacks in real time. “With the technologies provided by IronNet and AWS, the IT and power infrastructures in NYPA’s supply chain ecosystem can collect and share anonymized cyber threat information so we can defend our enterprise networks collectively, raising the security posture of all of us throughout the state,” Costanza said.

    The deal comes two days after the Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing a variety of tactics used by Russian state-sponsored groups to attack state, local and tribal governments across the US between September 2020 and December 2020. CISA also specifically cited previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Department of Homeland Security report from 2016 said roughly 225,000 customers were left without power on December 23, 2015, two days before Christmas, because of the Russian attack on three regional electric power distribution companies.

    Bill Welch, co-CEO of IronNet, said that in the same way utilities band together to provide mutual aid after damaging weather events, NYPA is making collaborative responses to cyber attacks possible. “We are proud to work with NYPA to enable all public utility stakeholders to adopt a proactive defense against any cyber adversary with an eye on the grid—from criminal groups to nation-states,” Welch said.

    NYPA will be adopting IronNet’s Collective Defense solution, which runs on AWS. The tool will allow municipal utilities in New York and their partners “to create a dynamic, radar-like view of the attack landscape that provides visibility into a wider and deeper range of threats across the state’s entire power grid.” IronNet and AWS ran a pilot program with five NYPA municipalities before the deal was signed and decided to expand it because of its success.

    “Powered by a network detection and response system that tracks network anomalies with behavioral analytics, NYPA’s key supply chain partners can use IronNet’s Collective Defense platform to collaborate in real time to better detect and defend against attacks. This approach further enhances the resilience of New York’s grid amidst the escalating prevalence of attacks on US critical infrastructure,” IronNet explained in a statement. “Defenders of the state’s IT and power infrastructure will receive alerts on anomalous network behaviors correlated with other Collective Defense participants from the U.S. energy sector at large. In the event of a coordinated attack, the community also benefits from expert guidance from the top cybersecurity professionals of IronNet’s Security Operations Center.”


    Cyberattack shuts down Albuquerque schools; county copes with ransomware incident

    School officials in Albuquerque, New Mexico have cancelled classes for Thursday and Friday due to a cyberattack. The shutdown took place just days after a ransomware attack hit government services across Bernalillo County.

    In a statement posted to the Albuquerque Public Schools (APS) website, officials said schools will remain closed “as the district continues to investigate a cyberattack that compromised the student information system used to take attendance, contact families in emergencies, and assure that students are picked up from school by authorized adults.” On Wednesday, the district said it was working with cybersecurity experts to get systems back up and running before Friday; it amended its statement on Thursday.

    Athletic activities and other extracurricular activities will continue, but school meals will not be served while the schools are closed. For those in need of meals while the schools are shut down, officials suggested the Roadrunner Food Bank Food Assistance Line for help. They also suggested parents turn to the Boys & Girls Clubs of Central New Mexico, which will be providing free all-day programming for youth aged 5 to 18 while the district deals with the cyberattack.

    APS Superintendent Scott Elder told the Albuquerque Journal that teachers discovered the attack on Wednesday morning after they tried to log into the student information system and were unable to gain access. “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network, and ensure a safe environment to return to school and business as usual,” Elder said.

    APS spokeswoman Monica Armenta said the district does have cyber insurance. Multiple government services across Bernalillo County — which covers the state’s most populous cities of Albuquerque, Los Ranchos, and Tijeras — have been dealing with a ransomware attack that started between midnight and 5:30 a.m. on January 5.

    County officials have taken the affected systems offline and cut network connections, and most county buildings are closed to the public. Emergency services are still available and 911 is still operating, but a Sheriff’s Office customer service window was closed. Visitation at the Metropolitan Detention Center has been postponed indefinitely, but all community centers are still open. Many other government services are still available over the phone and in person. County officials said in a statement that the attack knocked out the Clerk’s Office, limiting access to marriage licenses, real estate transactions, and voter registrations. “The public is being asked to understand the gravity of this ransomware issue and that, at this time, county services are still limited,” officials said.

    FBI spokesman Frank Fisher told the Albuquerque Journal that even though the school outages were taking place at the same time as the other issues, the cyberattack on APS was not tied to the ransomware attack on Bernalillo County.

    On Wednesday, reports emerged that the Metropolitan Detention Center went into lockdown after the attack. A public defender filed a lawsuit revealing that the ransomware attack knocked out the jail’s internet, data management servers, and security camera networks. The lawyer said inmates’ rights had been violated because video-based court hearings were cancelled and people could only contact their lawyers through pay phones.



    Want to improve corporate security? Prioritize personal security

    Corporations aren’t doing enough to improve their employees’ personal security practices. Credentials remain the most targeted data type because they are the gateway to ransomware and data theft: 61% of data breaches in 2021 involved the use of stolen or misused credentials. Bad actors took advantage of a global pandemic to increase the number of phishing attacks, which were the cause of stolen credentials in 36% of breaches, a 9% increase over the previous year, according to the Verizon 2021 Data Breach Investigations Report.


    We know one of the best ways to protect corporate data is to require multi-factor authentication (MFA). The use of MFA is expanding: more than 50% of enterprises provide an option to use MFA, and, according to Yubico and 451 Research, over 74% of organizations say they are increasing investment in MFA solutions. Major platforms such as Salesforce have announced that all logins to their platform will require MFA from February 2022, and organizations like the IRS have taken a strong stance on requiring MFA. Every platform should follow suit, and companies that charge a premium for MFA should be publicly shamed (see the SSO Wall of Shame) into making it a core part of all of their offerings. While the increasing adoption and additional spending are good trends, progress has been too slow.

    To improve overall corporate security, enterprises should be actively educating employees and providing tools so that they follow these same practices in their personal lives. When we attach the word corporate to security we’re letting employees off the hook. We’re sending the message that at work you have to follow secure processes, implying that at home there is no such requirement.

    In August 2020, Malwarebytes Labs reported that 20% of organizations had experienced breaches due to remote workers. This number is likely underreported given the rapid increase in remote workers and the length of time the pandemic has affected the workforce. Equally alarming, employees underestimate the chance that they themselves will be the cause of a breach: 61% of respondents in Egress’ Insider Data Breach Survey for 2021 said they felt they were equally or less likely to be the cause of a data breach while working from home.

    The slow adoption of security best practices is often attributed to tool complexity and poor user experiences. We are all creatures of habit, and if we encourage the use of password managers, multi-factor authentication, and firewalls for personal use, we would see resistance to implementing these tools in the enterprise decline. Given how connected we all are, the rising demands of working anywhere, and increasingly savvy bad actors who capitalize on a remote workforce, enterprises can no longer confine their efforts to the office and ignore the home environment. The costs of education and licensing that support employees at home are a small investment that will pay big dividends in increased security at work and help protect employees’ personal data.


    Log4j: Google and IBM call for list of critical open source projects

    Google and IBM are urging tech organizations to join forces to identify critical open source projects after attending a White House meeting on open source security concerns. The meeting, led by White House cybersecurity leader Anne Neuberger, included officials from organizations like Apache, Google, Apple, Amazon, IBM, Microsoft, Meta, Linux, and Oracle as well as government agencies like the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA). The meeting took place as organizations continue to address the Log4j vulnerability (CVE-2021-44228, known as Log4Shell) that has caused concern since it was disclosed in December 2021.


    Kent Walker, president of global affairs at Google and Alphabet, said that, given the importance of digital infrastructure to the world, it is time to start thinking of it in the same way we do our physical infrastructure. “Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Walker said.

    In a blog post, Walker explained that during the meeting, Google floated several proposals for how to move forward in the wake of the Log4j vulnerability. Walker said a public-private partnership is needed to identify a list of critical open source projects, with criticality determined by the influence and importance of a project. The list would help organizations prioritize and allocate resources for the most essential security assessments and improvements.

    IBM’s enterprise security executive Jamie Thomas echoed Walker’s comments and said the White House meeting “made clear that government and industry can work together to improve security practices for open source.”

    “We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field,” Thomas said. Walker touted the work of organizations like the OpenSSF — to which Google has committed $100 million — that are already seeking to create standards like this.

    He also said Google proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. He noted that Google was “ready to contribute resources” to the move. The blog post notes that there is no official resource allocation and few formal requirements or standards for maintaining the security of critical open source code. Most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, “is done on an ad hoc, volunteer basis.”

    “For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all,” Walker said.


    Wireshark creator joins Sysdig to extend it to cloud security

    If you’re a real network administrator, you know and love open source Wireshark. For well over 15 years, it has been the tool that professionals use for network protocol analysis. Nothing else even comes close. Now Sysdig, the container and cloud security company, has hired Gerald Combs, Wireshark’s creator and project leader, to join its open source team. There, Combs will help with Sysdig-related open-source projects such as Falco, Prometheus, eBPF tooling, and Sysdig Inspect. In addition, Sysdig will sponsor and manage the Wireshark community and extend Wireshark to monitoring and analyzing cloud networks.


    For those who don’t know it yet, Wireshark is an open source, GUI-based network packet capture and analysis tool. With it, you can monitor network traffic, learn protocol and packet basics, and troubleshoot network problems. For network admins, Wireshark is the de facto standard for checking the health and security of networks at a microscopic level. If you want to know more about how to use Wireshark, I highly recommend Chris Sanders’ Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems.

    Besides capturing and analyzing packets in real time, Wireshark can save a capture to a file for later viewing and analysis. Armed with that data, you can filter through the traffic to find evidence of day-to-day network problems and of attacks. Wireshark runs on almost any platform, including Windows, Linux, and macOS. It is already the world’s foremost and most widely used protocol analyzer, even without a company behind it: it has been downloaded more than 60 million times in the last five years.

    A big reason Combs is joining Sysdig is that Loris Degioanni, Sysdig’s CTO and founder, partnered with him to launch Wireshark. While studying network analyzers and working on his Ph.D. in Italy, Degioanni was invited to the United States to do research, which is where he met Combs. Combs joined Degioanni at CACE Technologies in the early 2000s, where they collaborated and grew Wireshark. CACE Technologies was later acquired, and since that time Combs has focused on growing the tool and ensuring Wireshark and its community have the resources needed to thrive.

    Degioanni added, “Gerald and I have been friends for a long time, starting when Wireshark was called Ethereal. At that time, a capture library that I developed while I was a university student in Italy, WinPcap, was used to port Ethereal to Windows. That was my first contribution to the project. Since the beginning, my work at Sysdig has been heavily inspired by the ‘packet capture stack’ that Gerald and I helped define: Wireshark, tcpdump, libpcap, BPF. One of the reasons why Sysdig’s instrumentation is universally considered the most accurate, rich, and scalable is that we built it on top of the ideas behind that stack, adapting them to the modern world of cloud and containers. Countless times, during Sysdig’s early days, we were inspired by Gerald’s work.”


    “I am excited to be reunited with Loris and explore the opportunity we have to expand Wireshark to the cloud,” said Combs, now Sysdig’s Director of Open Source Projects. “My move to Sysdig and the subsequent move for Wireshark will give Wireshark the corporate sponsor it needs to continue moving forward. This is a significant milestone for Wireshark, and with Sysdig’s backing, we will have the assistance we need to continue to evolve use cases for Wireshark.”

    “It’s amazing to see the lasting heritage of Wireshark, led by Gerald. I can guarantee most of the Fortune 2000 companies are actively using Wireshark,” said Degioanni. “I am excited to be reunited with Gerald and to advance the project in the same way Sysdig supports Falco and the Sysdig open source project. This move ensures Wireshark will continue to innovate. Our goal at Sysdig is to empower Wireshark.”

    Looking ahead, Sysdig will back the Wireshark community, including supporting Combs as its leader. Together they’ll make sure Wireshark has the resources it needs to operate and will sponsor SharkFest, its international developer conference. Sysdig’s open-source team will also contribute to the Wireshark project. Working together again, Combs and Degioanni will investigate new ways to address the challenges of securing the cloud.

    Degioanni added, Wireshark “opens up a universe of possibilities. Wireshark is an incredibly important tool. Its UI is part of the muscle memory of every software professional. Its feature set has saved our butts countless times. At the same time, the world is changing quickly. Software today runs in the cloud, orchestrated by Kubernetes. With the help of Gerald, Sysdig wants to invest in making Wireshark even more useful in modern cloud environments. We’ll work on expanding its feature set and make sure it remains the cornerstone of troubleshooting and security investigation, even when software is containerized and runs in the cloud.”

    Finally, another reason for this move is that both want to make sure Wireshark remains a healthy open-source project. The Log4j and OpenSSL vulnerabilities have shown that organizations large and small rely on open-source projects, and that major trouble follows when critical vulnerabilities are found in these tools. Maintaining the project’s health is of the utmost importance given Wireshark’s widespread adoption.

    I’m looking forward to seeing what the two friends can do together. I’ve been a Wireshark user for over a decade. The idea that I’ll soon be able to use it in cloud-native environments is an exciting one. Just as it’s made network troubleshooting very easy, I can see that it
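The article describes the two things that make Wireshark useful for an investigator: captures are saved to a file, and display filters pull the interesting packets back out. The following is an added example, not code from the article, from Wireshark or from Sysdig: a minimal reader and writer for the classic libpcap file format that Wireshark and tcpdump save, an Ethernet/IPv4/TCP decoder, and a compiler for a small subset of Wireshark's display-filter syntax (`ip.addr`, `ip.src`, `ip.dst`, `tcp.port`, `tcp.flags.syn`, `tcp.flags.ack`, `==`, `and`, `or`). The traffic it analyses is constructed in memory, with documentation-range addresses and a hypothetical outbound connection to TCP/4444, so it runs offline; pcapng, VLAN tags and IPv6 are deliberately out of scope.

```python
"""Minimal classic-pcap reader/writer with a Wireshark-style display filter.
Added example; sample traffic below is constructed, not captured."""
import re
import socket
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: int                 # IP protocol number: 6 = TCP, 17 = UDP
    sport: Optional[int]
    dport: Optional[int]
    flags: int                 # TCP flag byte, 0 for anything else
    payload: bytes


def build_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Assemble an Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left zero: Wireshark would flag them, this parser ignores them."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)       # zeroed MACs, IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, start_ts=1_641_600_000.0) -> bytes:
    """Serialize frames as a classic pcap file: 24-byte global header,
    then a 16-byte record header (sec, usec, captured len, original len) per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        ts = start_ts + i * 0.25
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def decode_frame(ts: float, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto, src, dst = frame[23], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    sport = dport = None
    flags, payload = 0, l4
    if proto == 6 and len(l4) >= 20:                  # TCP: ports, data offset, flags
        sport, dport = struct.unpack("!HH", l4[:4])
        flags, payload = l4[13], l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:                # UDP: ports only
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    return Packet(ts, src, dst, proto, sport, dport, flags, payload)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a classic pcap file, honouring the byte order the magic announces."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            raise ValueError("truncated capture record")   # capture cut mid-packet
        pkt = decode_frame(sec + usec / 1_000_000, frame)
        if pkt:
            packets.append(pkt)
        pos += 16 + incl
    return packets


def display_filter(expr: str) -> Callable[[Packet], bool]:
    """Compile a small subset of Wireshark display-filter syntax into a predicate.
    Supported: field == value, joined by 'and' / 'or', evaluated left to right."""
    def field(p: Packet, name: str) -> set:
        tcp = p.proto == 6
        return {"ip.addr": {p.src, p.dst}, "ip.src": {p.src}, "ip.dst": {p.dst},
                "tcp.port": {p.sport, p.dport} if tcp else set(),
                "tcp.flags.syn": {int(bool(p.flags & TCP_SYN))} if tcp else set(),
                "tcp.flags.ack": {int(bool(p.flags & TCP_ACK))} if tcp else set()}[name]

    parts = re.split(r"\s+(and|or)\s+", expr.strip())
    terms = []
    for part in parts[0::2]:
        name, op, value = part.split()
        if op != "==":
            raise ValueError(f"unsupported operator {op!r}")
        terms.append((name, value))
    joins = parts[1::2]

    def matches(p: Packet) -> bool:
        result = terms[0][1] in {str(v) for v in field(p, terms[0][0])}
        for (name, value), join in zip(terms[1:], joins):
            cur = value in {str(v) for v in field(p, name)}
            result = (result and cur) if join == "and" else (result or cur)
        return result
    return matches


def sample_capture() -> bytes:
    """Constructed traffic: a normal web request, then a hypothetical outbound
    connection to TCP/4444 that an analyst would want to pull out of the noise."""
    return write_pcap([
        build_frame("10.0.0.5", "192.0.2.10", 51000, 80, TCP_SYN),
        build_frame("192.0.2.10", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK),
        build_frame("10.0.0.5", "192.0.2.10", 51000, 80, TCP_ACK, b"GET / HTTP/1.1\r\n\r\n"),
        build_frame("10.0.0.5", "203.0.113.9", 51001, 4444, TCP_SYN),
        build_frame("203.0.113.9", "10.0.0.5", 4444, 51001, TCP_SYN | TCP_ACK),
        build_frame("10.0.0.5", "203.0.113.9", 51001, 4444, TCP_ACK, b"id\n"),
    ])


def find_matching(pcap: bytes, expr: str) -> List[Packet]:
    """Apply a display filter to every packet in a saved capture."""
    pred = display_filter(expr)
    return [p for p in read_pcap(pcap) if pred(p)]


if __name__ == "__main__":
    for p in find_matching(sample_capture(), "tcp.port == 4444 and tcp.flags.syn == 1"):
        print(f"{p.ts:.6f} {p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}")
```

The output of `write_pcap` opens directly in Wireshark, and the `read_pcap` loop is the same record walk Wireshark performs, which is why a capture truncated mid-packet (the `truncated capture record` branch) is worth catching explicitly rather than silently dropping the tail of an investigation.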


    Windows 11 setup: Which user account type should you choose?

    When you set up a Windows PC for the first time, you’re required to create a user account that will serve as the administrator for the device. Depending on your Windows edition and network setup, you have a choice of up to four separate account types.

    On business editions (Pro, Pro for Workstations, Enterprise, and Education), the Windows Setup program asks you to choose whether you want to set the PC up for personal use or for use on a network managed by your organization. If you choose the second option, you can set up the PC using an account in your Windows Active Directory domain, or you can sign in using an Azure Active Directory account, such as the one associated with a Microsoft 365 Business or Enterprise subscription.

    This choice is only available with Windows 10 Pro or Enterprise.

    On Windows 10 Home edition, that choice isn’t available, and you’re limited to the personal options: a local account or a Microsoft account. The Setup program is extremely persistent about trying to coax you into signing in with a Microsoft account. Windows 11 Home edition gives you only the option of a Microsoft account, although you can add a local account (or remove the connection to the Microsoft account) after you’ve signed in for the first time.

    In this post, I’ll explain the pros and cons of each account type and explain why your best option might be a combination of two account types.


    Microsoft account

    This is Microsoft’s free online account for personal use, required for signing in to the company’s consumer services, including OneDrive, Xbox Live, Skype, and Microsoft 365 (formerly Office 365) Family and Personal subscriptions, among others. If you have an email account at Outlook.com or Hotmail.com (or, for old-timers, at live.com or msn.com), you already have a Microsoft account. You can also sign up for a new account anytime, choosing a new address at Outlook.com or using your own email address.

    Signing in to your Windows 10 or Windows 11 PC with a Microsoft account offers several distinct benefits:

    • On PCs whose hardware supports Windows device encryption (a TPM plus Modern Standby or HSTI-compliant firmware), signing in with a Microsoft account automatically turns on encryption of the system drive, even on Home edition, and backs the recovery key up to your Microsoft account. If you turn on full BitLocker (Pro, Enterprise and Education editions), the recovery key can likewise be saved to your Microsoft account, allowing you to retrieve your data if you find yourself locked out. Don’t assume it happened: the Device encryption page in Settings shows whether the drive is actually protected.

    • Signing in with a Microsoft account stores a record of your successful activation, allowing you to easily restore your activation (no product key required) if you ever have to reinstall Windows.

    • Windows allows you to sync settings between PCs where you sign in using the same Microsoft account. That includes personalization settings like your desktop background, saved passwords (including Wi-Fi profiles), language and regional settings, and more. (For a full list, see “Windows 10 roaming settings reference.”)

    • You can sign in automatically to any Microsoft consumer service using your saved Microsoft account credentials.

    • You can sync data and settings for preinstalled Windows apps (Mail and Calendar, for example) and easily restore apps you download from the Store.

Note that Windows telemetry data is tied to your device and isn't associated with a Microsoft account.

And, of course, you can create a Microsoft account and use it exclusively for signing in to Windows while keeping your email, cloud storage, and other services elsewhere. But if you do use a Microsoft account for services such as Office 365 and OneDrive, it makes sense to sign in to Windows using the same account.

Local account

A local account is about as old school as Windows gets. You don't need a network connection or an email address; instead, you create a username (up to 20 characters) and a password, both of which are stored on the PC where you create them and grant access only to that device.

There's no particular security or privacy advantage to signing in with a local account (indeed, the lack of automatic device encryption is a negative, in my book); but if that's your preference, you can do so when you first set up Windows 10 (any edition) or Windows 11 Pro on a new PC.

Windows 11 Home requires you to sign in with a Microsoft account during initial setup. You can work around that by creating a brand-new Microsoft account and then, after signing in for the first time, going to Settings > Accounts > Your Info. Under the Account Settings heading, choose Sign In With A Local Account Instead and follow the prompts.

On Windows 10, when you reach the Sign In With Microsoft screen shown here, click the "Offline Account" option in the lower left corner; then click "No" on the Sign In With Microsoft Instead screen, which appears next.

That option in the lower left corner allows you to set up a local account

After you get past those speed bumps, you can enter your username and password. With a Microsoft account, you have multiple options to recover if you forget your password. With local accounts, you've historically had no such option.

On Windows 10, setting up a local account requires that you fill in answers to three security questions, to help you recover in the event you forget your password. You can't bypass those questions, nor can you choose alternatives other than the six predefined questions. If you're worried that a thief with a search engine can guess those answers, do as I do and … be creative. For example, you can answer the three security questions with a three-word passphrase of your own, entered one word at a time. Or, if you'd prefer to bypass the whole feature, just mash the keyboard to create random "answers" that no one (including you) could possibly guess. If you choose either option, don't blame me if you forget your password.

You can switch at will between a local account and a Microsoft account, using options in Settings > Accounts > Your Info.

Even if you prefer a local account, consider signing in first with a Microsoft account. After you confirm that your system is properly activated and the activation status is recorded with that Microsoft account (a digital license linked to the account is what lets you reactivate after a major hardware change), switch back to a local account and go on about your business.

Likewise, if you're fussy about the name of your default user profile folder, consider signing in with a local account first, and then attach your Microsoft account. If you follow that procedure, Windows uses the exact local username you specify as the folder name and retains that name when you switch; if you start with a Microsoft account, your user profile folder name is the first five characters of the portion of your email address to the left of the @ sign.

Active Directory (domain join)

On an enterprise network with a Windows server running as a domain controller, you can join a Windows 10 or Windows 11 PC to the domain. (Home editions can't be domain-joined; you need Pro, Enterprise, or Education.) Creating that type of account requires that a domain administrator create an Active Directory account, after which you can sign in using credentials in the format domain\username (or username@domain, if the domain is associated with a fully qualified domain name). Ironically, before you can join a PC to a domain and sign in with your Active Directory account, you have to first create a local account.

Azure Active Directory

This is the newest option in the lineup of Windows account types. Like a domain account, an Azure AD account is managed by an organization's administrator, but it doesn't require a local server. Instead, the credentials are managed in Microsoft's Azure cloud. (As with domain join, Azure AD join requires a Pro, Enterprise, or Education edition.)

If your organization uses Microsoft 365 or has an Office 365 Business or Enterprise subscription, you have an Azure AD account. It behaves similarly to a Microsoft account, with the ability to sync settings across devices where you're signed in with the same account. The big difference is that your access to the device is managed by your organization's administrator, who can apply security settings and restrict some options.

To manage Azure AD accounts, administrators use the Azure AD admin center, which also includes the option to synchronize an on-premises Active Directory domain with the cloud directory, using a tool called Azure AD Connect.

Administrators can manage Azure AD from this portal

A basic Azure AD account is free, but like all Microsoft enterprise services, upsell options abound. Paying for Azure AD Premium P1 or P2 (included with Enterprise Mobility + Security E3 and E5 subscriptions, respectively) unlocks advanced security features such as conditional access and identity protection.

And you can mix and match account types on the same device for the sake of flexibility. You might want a local account to handle routine administrative tasks, a Microsoft account for personal use, and an Azure AD account for connecting to your organization's servers. (To set up additional accounts after the first one, use Settings > Accounts > Family & Other Users > Add Someone Else To This PC.) Just choose the right account when you first sign in to a new session.
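The account-type inventory a practitioner wants before mixing local, Microsoft, domain and Azure AD accounts on one PC, as an added example that is not part of the original article. It assumes an elevated PowerShell session on Windows 10 or 11 (the built-in Microsoft.PowerShell.LocalAccounts cmdlets, dsregcmd and whoami); the account name `localadmin` is an assumption for the demo.

```powershell
# Added example (not from the article): see which kind of principal backs each
# account on this PC, how the device itself is joined, and add a separate local
# account for routine admin work. Run elevated on Windows 10/11.

# 1. PrincipalSource distinguishes the four account types the article describes:
#    Local, MicrosoftAccount, ActiveDirectory or AzureAD.
Get-LocalUser |
    Where-Object Enabled |
    Select-Object Name, PrincipalSource, LastLogon, PasswordLastSet |
    Format-Table -AutoSize

# 2. How the device is joined: dsregcmd reports AzureAdJoined / DomainJoined
#    (and the tenant or domain name when either is YES).
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DomainName|TenantName'

# 3. What the current session is signed in as. whoami prints DOMAIN\user for
#    domain accounts and COMPUTERNAME\user for local and Microsoft accounts;
#    /upn prints user@domain for domain and Azure AD sessions and errors otherwise.
whoami
whoami /upn 2>$null

# 4. A local account reserved for administrative tasks, kept out of the
#    Microsoft/Azure AD accounts used for day-to-day work. Name is an assumption.
$name = 'localadmin'
$pw   = Read-Host -Prompt "Password for $name" -AsSecureString
New-LocalUser -Name $name -Password $pw -FullName 'Local admin' `
    -Description 'Local account for routine administrative tasks'
Add-LocalGroupMember -Group 'Administrators' -Member $name

# 5. Confirm it was created as a Local principal (not linked to any cloud identity).
Get-LocalUser -Name $name | Select-Object Name, PrincipalSource, Enabled
```

If step 1 shows a MicrosoftAccount or AzureAD principal you didn't expect, that is the account whose password reset, device-encryption recovery key and settings sync live outside the PC; the Local entries are the ones whose only recovery path is the security questions discussed above.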


    When open-source developers go bad

Chances are, unless you're a JavaScript programmer, you've never heard of the open-source JavaScript libraries 'colors.js' and 'faker.js.' They're simple programs that, respectively, let you print colored text to the console of Node.js, a popular JavaScript runtime, and generate fake data for testing. Faker.js is used by more than 2,500 other npm (Node Package Manager) packages and is downloaded 2.4 million times per week. Colors.js is built into almost 19,000 other npm packages and is downloaded 23 million times a week. In short, they're everywhere. And, when their creator, JavaScript developer Marak Squires, fouled them up, tens of thousands of JavaScript programs blew up.

Thanks, guy.

This isn't the first time a developer deliberately sabotaged their own open-source code. Back in 2016, Azer Koçulu deleted a 17-line npm package called 'left-pad,' which killed thousands of Node.js programs that relied on it to function. Both then and now the actual code was trivial, but because it's used in so many other programs its effects were far greater than users would ever have expected.

Why did Squires do it? We don't really know. In faker.js's GitHub README file, Squires said, "What really happened with Aaron Swartz?" This is a reference to hacker activist Aaron Swartz, who committed suicide in 2013 while facing criminal charges for allegedly trying to make academic journal articles, downloaded from JSTOR over MIT's network, public. Your guess is as good as mine as to what this has to do with anything.

What's more likely to be the reason behind his putting an infinite loop into his libraries is that he wanted money. In a since-deleted GitHub post, Squires said, "Respectfully, I am no longer going to support Fortune 500s ( and other smaller-sized companies ) with my free work. There isn't much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it."

Excuse me. While open-source developers should be fairly compensated for their work, wrecking your code isn't the way to persuade others to pay you.

This is a black eye for open-source and its developers. We don't need programmers who crap on their work when they're ticked off at the world.

Another problem behind the problem is that too many developers simply automatically download and deploy code without ever looking at it. This kind of deliberate blindness is just asking for trouble. Just because a software package was made by an open-source programmer doesn't mean that it's flawless. Open-source developers make as many mistakes as any other kind of programmer. It's just that in open source's case, you have the opportunity to check it out first for problems. If you choose not to look before you deploy, what happens next is on you.

Some criminal developers are already using people's blind trust to sneak malware into their programs. For example, the DevOps security firm JFrog recently discovered 17 new malicious JavaScript packages in the npm repository that deliberately steal a user's Discord tokens, which can then be used to hijack accounts on the Discord communications and digital distribution platform.

Is checking your dependencies a lot of work? You bet it is. But there are tools such as npm audit, GitHub's Dependabot, and OWASP Dependency-Check that can help make it easier. In addition, you can simply make sure that before any code goes into production, you run a sanity check on it in your continuous integration/continuous delivery (CI/CD) pipeline. I mean, seriously, if you'd simply run either of these libraries in the lab they would have blown up during testing and never, ever have made it into the real world. It's not that hard!

In the meantime, GitHub suggests you revert to older, safer versions. To be exact, that's colors.js 1.4.0 and faker.js 5.5.3. Note that the sabotaged releases reached most victims through floating version ranges (a "^1.4.0" in package.json happily resolves to 1.4.1 or 1.4.44-liberty-2), so pin exact versions and commit your lockfile, or the next install will pull the bad release right back in.

As CodeNotary, a software supply chain company, pointed out in a recent blog post, "Software is never complete and the code base including its dependencies is an always updating document. That automatically means you need to track it, good and bad, keeping in mind that something good can turn bad." Exactly!

Therefore, they continued, "The only real solution here is to be on top of the dependency usage and deployment. Software Bill of Materials (SBOMs) can be a solution to that issue, but they need to be tamper-proof, queryable in a fast and scalable manner, and versioned."

CodeNotary suggests, of course, that you use their software, Codenotary Cloud and the vcn command-line tool, for this job. There are other companies and projects that address SBOM as well. If you want to stay safe, moving forward you must (I repeat, must) use an SBOM. Supply chain attacks, both from within projects and without, are rapidly becoming one of the main security problems of our day.
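The dependency check the column calls for, as an added example that is not code from the column, from GitHub, from CodeNotary, or from the colors.js/faker.js projects. It walks an npm lockfile (lockfileVersion 2 or 3, the "packages" map), flags every installed copy of a deny-listed package that is newer than the last safe version the column names, including nested copies a transitive dependency pulled in, and emits a purl-style component list you can store per build as a minimal SBOM. The lockfile fragment, the package "some-cli" and the integrity hashes are constructed for the demo; the version ceilings (colors 1.4.0, faker 5.5.3) are the ones the column cites.

```javascript
// Added example, not code from the column or the colors.js/faker.js projects.
// Audits an npm lockfile against "last known good" versions and produces a
// minimal SBOM-style component list. No dependencies: plain Node.js.

// Last safe releases named in the column; anything newer is treated as suspect.
const LAST_SAFE = { colors: "1.4.0", faker: "5.5.3" };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: negative if a < b, 0 if equal, positive if a > b.
// The numeric core decides first (1.4.44-liberty-2 > 1.4.0); with an equal core a
// prerelease sorts below the release (1.5.0-rc.1 < 1.5.0), and prerelease
// identifiers compare numerically when both are numbers, else lexically.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;           // shorter prerelease list is lower
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1;   // numeric ids rank below alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// One SBOM-style component per installed package: name, version, install path,
// a package-url (purl) identifier and the lockfile's integrity hash.
function componentsFromLockfile(lock) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 (packages map)");
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;                 // the root project itself
    const name = packageNameFromPath(path);
    out.push({
      name,
      version: entry.version,
      path,
      purl: `pkg:npm/${encodeURIComponent(name).replace("%2F", "/")}@${entry.version}`,
      integrity: entry.integrity || null,      // null = nothing to verify against
    });
  }
  return out;
}

// Every installed copy of a deny-listed package newer than its last safe version.
function auditLockfile(lock, lastSafe = LAST_SAFE) {
  const findings = [];
  for (const c of componentsFromLockfile(lock)) {
    const ceiling = lastSafe[c.name];
    if (ceiling && compareSemver(c.version, ceiling) > 0) findings.push({ ...c, lastSafe: ceiling });
  }
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) return "OK: no deny-listed versions installed";
  return findings.map(f => `SUSPECT ${f.purl} at ${f.path} (last safe: ${f.lastSafe})`).join("\n");
}

// Constructed lockfile fragment (not a real project): colors pinned safely at the
// top level, a sabotaged colors pulled in by the made-up "some-cli" through a
// ^ range, and a faker that floated past 5.5.3.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 2, requires: true,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { colors: "1.4.0", faker: "^5.5.3", "some-cli": "^2.0.0" } },
    "node_modules/colors": { version: "1.4.0", integrity: "sha512-constructed-example-hash-A" },
    "node_modules/faker": { version: "6.6.6", integrity: "sha512-constructed-example-hash-B" },
    "node_modules/some-cli": { version: "2.0.0", dependencies: { colors: "^1.4.0" } },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.44-liberty-2", integrity: "sha512-constructed-example-hash-C" },
  },
};

console.log(formatReport(auditLockfile(SAMPLE_LOCK)));
```

In a real pipeline, read `package-lock.json` from disk, set `process.exitCode = 1` when `auditLockfile` returns anything, and keep the `componentsFromLockfile` output with the build artifact: that list, diffed between builds, is the "queryable, versioned" record CodeNotary is describing, and the nested `some-cli/node_modules/colors` hit is exactly the copy a top-level pin alone would have missed.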