
ICANN Sets Plan to Reinforce Internet DNS Security

The Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever change of the cryptographic key that helps protect the internet’s address book – the Domain Name System (DNS).

The ICANN Board, at its meeting in Belgium this week, decided to proceed with its plans to change or “roll” the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010.

The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. 

Read more at Network World

Open Source Summit EU Registration Deadline, Sept. 22, Register Now to Save $150

You have TWO days left to save $150 on your ticket to Open Source Summit Europe & ELC + OpenIoT Summit Europe.

Grab your ticket and build your schedule today! Choose from 300+ sessions, deep-dive labs, and tutorials; discover new projects & technologies in the Technical Showcase; and make new connections at the Attendee Reception, the Speed Networking & Mentoring Event, Developer Lounges, and Hallway Tracks.

Register now, and join 2,000+ open source professionals to collaborate, share information, and learn about cutting-edge open source technologies.

The discount ends Saturday, September 22.


Registration includes access to Open Source Summit Europe and ELC + OpenIoT Summit Europe!

This article originally appeared at The Linux Foundation

Building a Secure Ecosystem for Node.js

At Node+JS Interactive, attendees collaborate face to face, network, and learn how to improve their skills with JS in serverless, IoT, and more. Stephanie Evans, Content Manager for Back-end Web Development at LinkedIn Learning, will be speaking at the upcoming conference about building a secure ecosystem for Node.js. Here she answers a few questions about teaching and learning basic security practices.

Linux.com: Your background is in tech education, can you provide more details on how you would define this and how you got into this area of expertise?

Stephanie Evans: It sounds cliché, but I’ve always been passionate about education and helping others. After college, I started out as an instructor of a thoroughly analog skill: reading. I worked my way up to hiring and training reading teachers and discovered my passion for helping people share their knowledge and refine their teaching craft. Later, I went to work for McGraw Hill Education, publishing self-study certification books on popular IT certs like CompTIA’s Network+ and Security+, ISAAP’s CISSP, etc. My job was to figure out who the biggest audiences in IT were; what they needed to know to succeed professionally; hire the right book author; and help develop the manuscript with them.

I moved into online learning/e-learning 4 years ago and shifted to video training courses geared towards developers. I enjoy working with people who spend their time building and solving complex problems. I now manage the video training library for back-end web developers at LinkedIn Learning/Lynda.com and figure out what developers need to know; hire instructors to create that content; and work together to figure out how best to teach it to them. And, then update those courses when they inevitably become out of date.

Linux.com: What initially drove you to use your skill set in education to help with security practices?

Evans: I attend a lot of conferences, watch a lot of talks, and chat to a lot of developers as part of my job. I distinctly remember attending a security best practices talk at a very large, enterprise-tech focused conference and was surprised by the rudimentary content being covered. Poor guy, I’d thought…he’s going to get panned by this audience. But then I looked around and most everyone was engaged. They were learning something new and compelling. And it hit me: I had been in a security echo chamber of my own making. Just like the mainstream developer isn’t working with the cutting-edge technology people are raving about on Twitter, they aren’t necessarily as fluent in basic security practices as I’d assumed. A mix of unawareness, intense time pressure, and perhaps some misplaced trust can lead to a “security later” mentality. But with the global cost of cybercrime up to 600 billion a year, from 500 billion in 2014, as well as the exploding amount of data on the web, we can’t afford to be working around security or assuming everyone knows the basics.

Linux.com: What do you think are some common misconceptions about security with Node.js and in general with developers?

Evans: I think one of the biggest misconceptions is that security awareness and practices should come “later” in a developer’s career (and later in the development cycle). Yes, your first priority is to learn that Java and JavaScript are not the same thing—that’s obviously most important. And you do have to understand how to create a form before you can understand how to prevent cross-site scripting attacks. But helping developers understand—at all stages of their career and learning journey—what the potential vulnerabilities are and how they can be exploited needs to be a much higher priority and come earlier than we may intuitively think.

I joke with my instructors that we have to sneak in the ‘eat your vegetables’ content to our courses. Security is an exciting, complex and challenging topic, but it can feel like you’re having to eat your vegetables as a developer when you dig into it. Often ‘security’ is a separate department (that can be perceived as ‘slowing things down’ or getting in the way of deploying code) and it can further distance developers from their role in securing their applications.  

I also think that those who truly understand security can feel that it’s overwhelmingly complex to teach—but we have to start somewhere. I attended an introductory npm talk last year that talked about how to work with dependencies and packages…but never once mentioned the possibility of malicious code making it into your application through these packages. I’m all about teaching just enough at the right time and not throwing the kitchen sink of knowledge at new developers. We should stop thinking of security—or even just security awareness—as an intermediate or advanced skill and start bringing it up early and often.

Linux.com: How can we infuse tech education into our security practices? Where does this begin?

Evans: It definitely goes both ways. Clear documentation and practical resources right alongside security recommendations go a long way towards ensuring understanding and adoption. You have to make things as easy as possible if you want people to actually do it. And you have to make those best practices accessible enough to understand.

The 2018 Node User Survey Report from the Node.js Foundation showed that while learning resources around Node.js and JavaScript development improved, the availability and quality of learning resources for Node.js Security received the lowest scores across the board.

After documentation and Stack Overflow, many developers rely on online videos and tutorials—we need to push security education to the forefront, rather than expecting developers to seek it out. OWASP, the nodegoat project, and the Node.js Security Working Group are doing great work here to move the needle. I think tech education can do even more to bring security in earlier in the learning journey and create awareness about common exploits and important resources.

Learn more at Node+JS Interactive, coming up October 10-12, 2018 in Vancouver, Canada.

The Human Side of Digital Transformation: 7 Recommendations and 3 Pitfalls

The following is the first in a series of posts from The Cloud Foundry Foundation on digital transformation, in preparation for the upcoming Cloud Foundry Summit in Basel, Switzerland.

Not so long ago, business leaders repeatedly asked: “What exactly is digital transformation and what will it do for my business?” Today we’re more likely to hear, “How do we chart a course?”

Our answer: the path to digital involves more than selecting a cloud application platform. Instead, digital, at its heart, is a human journey. It’s about cultivating a mindset, processes, organization and culture that encourages constant innovation to meet ever-changing customer expectations and business goals.

In this two-part blog series we’ll share seven guidelines for getting digital right. Read on for the first three.

1. Start with the End: Know What You Want

Whatever your objective, you’ll need to put together the people, technology and processes to release better software, faster. Execution velocity is a key differentiator in the digital economy, so think in terms of days, not weeks or months. Get there by creating a minimum viable product (MVP) and then iterating.

Read more at The New Stack

Tracking and Controlling Microservice Dependencies

Dependency cycles will be familiar to you if you have ever locked your keys inside your house or car. You can’t open the lock without the key, but you can’t get the key without opening the lock. Some cycles are obvious, but more complex dependency cycles can be challenging to find before they lead to outages. Strategies for tracking and controlling dependencies are necessary for maintaining reliable systems.

Reasons to Manage Dependencies

A lockout, as in the story of the cyclic coffee shop, is just one way that dependency management has critical implications for reliability. You can’t reason about the behavior of any system, or guarantee its performance characteristics, without knowing what other systems it depends on. Without knowing how services are interlinked, you can’t understand the effects of extra latency in one part of the system, or how outages will propagate. How else does dependency management affect reliability?

SLO

No service can be more reliable than its critical dependencies. If dependencies are not managed, a service with a strict SLO (service-level objective) might depend on a back end that is considered best-effort. …

After a disaster, it may be necessary to start up all of a company’s infrastructure without having anything already running. Cyclic dependencies can make this impossible: a front-end service may depend on a back end, but the back-end service could have been modified over time to depend on the front end. As systems grow more complex over time, the risk of this happening increases. Isolated bootstrap environments can also provide a robust QA environment.

Security

In networks with a perimeter-security model, access to one system may imply unfettered access to others. If an attacker compromises one system, the other systems that depend on it may also be at risk. Understanding how systems are interconnected is crucial for detecting and limiting the scope of damage. You may also think about dependencies when deploying DoS (denial of service) protection: one system that is resilient to extra load may send requests downstream to others that are less prepared.
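The three concerns above (hidden cycles, an SLO capped by a best-effort back end, and the set of systems put at risk when one is compromised or overloaded) can all be read off a dependency graph. The following is an added example, not code from the article or from ACM Queue; the service names, edges and SLO figures are constructed for illustration. A non-empty cycle list is exactly what makes a cold-start bootstrap impossible.

```python
from collections import defaultdict

# Constructed sample (not from the article): service -> services it calls.
# "api" was changed over time to call "frontend", which closes a cycle.
DEPS = {"frontend": {"api", "auth"}, "api": {"db", "cache", "frontend"},
        "auth": {"db"}, "cache": {"db"}, "db": set()}
# Constructed availability targets (SLOs); "cache" is best-effort.
SLO = {"frontend": 0.9999, "api": 0.999, "auth": 0.9995, "cache": 0.95, "db": 0.9999}


def find_cycles(deps):
    """Depth-first search; each cycle is returned as a path back to its start."""
    cycles, state, path = [], {}, []

    def visit(svc):
        state[svc] = "visiting"
        path.append(svc)
        for dep in sorted(deps.get(svc, ())):
            if state.get(dep) == "visiting":  # back edge: a dependency cycle
                cycles.append(path[path.index(dep):] + [dep])
            elif dep not in state:
                visit(dep)
        path.pop()
        state[svc] = "done"

    for svc in sorted(deps):
        if svc not in state:
            visit(svc)
    return cycles


def transitive_deps(deps, svc):
    """Everything svc depends on, directly or indirectly (svc itself excluded)."""
    seen, stack = set(), list(deps.get(svc, ()))
    while stack:
        d = stack.pop()
        if d != svc and d not in seen:
            seen.add(d)
            stack.extend(deps.get(d, ()))
    return seen


def availability_ceiling(deps, slo, svc):
    """With every dependency treated as critical, svc can be no more reliable
    than its weakest transitive dependency: returns (bound, limiting service)."""
    weakest = min({svc} | transitive_deps(deps, svc), key=lambda s: slo[s])
    return slo[weakest], weakest


def blast_radius(deps, compromised):
    """Services that transitively depend on `compromised`: those at risk when
    it is breached, or overloaded and pushing extra load downstream."""
    reverse = defaultdict(set)
    for svc, ds in deps.items():
        for d in ds:
            reverse[d].add(svc)
    return transitive_deps(reverse, compromised)
```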

Read more at ACM Queue

How to List Repositories on Linux

A Linux repository is a storage location from which your system retrieves and installs OS updates and applications. Each repository is a collection of software hosted on a remote server and intended to be used for installing and updating software packages on Linux systems. When you run commands such as “sudo apt update” or “sudo apt upgrade”, you may be pulling package information and package updates from a number of repositories.

Repositories contain thousands of programs. Standard repositories provide a high degree of security, since the software included is thoroughly tested and built to be compatible with a particular distribution and version. So, you can expect the updates to occur with no unexpected “side effects.”

Repositories may be standard or non-standard. Once a non-standard repository has been added to your system’s list of repositories, the system can install software from it, as well as from the standard ones; otherwise, it cannot.
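Because every configured repository can supply packages that run as root, it is worth inventorying which ones are the distribution's own and which are non-standard. The following is an added example, not code from the article: it parses one-line-style apt source entries from a constructed sample (the Ubuntu mirror and PPA hosts are real, pkg.example.com is a placeholder), and the STANDARD_HOSTS set is an assumption to adjust for your distribution.

```python
import re
from urllib.parse import urlparse

# Constructed sample sources.list content (not from the article).
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu bionic main restricted universe
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb-src http://archive.ubuntu.com/ubuntu bionic main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://pkg.example.com/apt stable main
deb http://ppa.launchpad.net/someone/ppa/ubuntu bionic main
"""

# Hosts treated as the distribution's own ("standard") repositories.
# This set is an assumption for the example; adjust it for your distribution.
STANDARD_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}

# type, optional [options], URI, suite, components
LINE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_sources(text):
    """Parse one-line-style apt entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line}")
        kind, opts, uri, suite, comps = m.groups()
        options = dict(o.split("=", 1) for o in (opts or "").split())
        entries.append({
            "type": kind, "uri": uri, "suite": suite,
            "components": comps.split(), "options": options,
            "host": urlparse(uri).hostname or "",
        })
    return entries


def classify(entries, standard_hosts=STANDARD_HOSTS):
    """Label each entry standard or non-standard, and record whether it pins
    its own signing key with signed-by rather than relying on the global
    apt keyring, which is trusted for every repository."""
    return [{
        "uri": e["uri"], "suite": e["suite"],
        "standard": e["host"] in standard_hosts,
        "key_pinned": "signed-by" in e["options"],
    } for e in entries]
```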

Read more at Network World

How Writing Can Expand Your Skills and Grow Your Career

At the recent Open Source Summit in Vancouver, I participated in a panel discussion called How Writing Can Change Your Career for the Better (Even if You Don’t Identify as a Writer). The panel was moderated by Rikki Endsley, Community Manager and Editor for Opensource.com, and it included VM (Vicky) Brasseur, Open Source Strategy Consultant; Alex Williams, Founder, Editor in Chief, The New Stack; and Dawn Foster, Consultant, The Scale Factory.

The talk was inspired by this article, in which Rikki examined some ways that writing can “spark joy” and improve your career in unexpected ways. Full disclosure: I have known Rikki for a long time. We worked at the same company for many years, raised our children together, and remain close friends.

Write and learn

As Rikki noted in the talk description, “even if you don’t consider yourself to be ‘a writer,’ you should consider writing about your open source contributions, project, or community.” Writing can be a great way to share knowledge and engage others in your work, but it has personal benefits as well. It can help you meet new people, learn new skills, and improve your communication style.

I find that writing often clarifies for me what I don’t know about a particular topic. The process highlights gaps in my understanding and motivates me to fill in those gaps through further research, reading, and asking questions.  

“Writing about what you don’t know can be much harder and more time consuming, but also much more fulfilling and help your career. I’ve found that writing about what I don’t know helps me learn, because I have to research it and understand it well enough to explain it,” Rikki said.

Writing about what you’ve just learned can be valuable to other learners as well. In her blog, Julia Evans often writes about learning new technical skills. She has a friendly, approachable style along with the ability to break down topics into bite-sized pieces. In her posts, Evans takes readers through her learning process, identifying what was and was not helpful to her along the way, essentially removing obstacles for her readers and clearing a path for those new to the topic.

Communicate more clearly

Writing can help you practice thinking and speaking more precisely, especially if you’re writing (or speaking) for an international audience. In this article, for example, Isabel Drost-Fromm provides tips for removing ambiguity for non-native English speakers. Writing can also help you organize your thoughts before a presentation, whether you’re speaking at a conference or to your team.

“The process of writing the articles helps me organize my talks and slides, and it was a great way to provide ‘notes’ for conference attendees, while sharing the topic with a larger international audience that wasn’t at the event in person,” Rikki stated.

If you’re interested in writing, I encourage you to do it. I highly recommend the articles mentioned here as a way to get started thinking about the story you have to tell. Unfortunately, our discussion at Open Source Summit was not recorded, but I hope we can do another talk in the future and share more ideas.


Kubernetes 101: How to Get Started with Container Orchestration

With Kubernetes, life as a developer is a whole lot simpler. Although it started life as an open source project at Google, Kubernetes is now one of the fastest-growing container automation systems. Though there is a steep learning curve with Kubernetes, it’s still a simple, highly effective orchestration engine.

Kubernetes is also known as K8s and it might just be the greatest thing that’s hit the DevOps scene in the last few years. With the right skills, Kubernetes can majorly boost the development process by automating updates and even managing apps and services without worrying about downtime. So, how can beginners get started with Kubernetes and why should they even want to? This intro guide breaks down everything you need to know about Kubernetes, so you can hit the ground running. …

Your first step to getting started with Kubernetes is to create a cluster so you can deploy an app. The cluster needs to include both a master and one or more nodes. To start, run a cluster on a local machine. The Minikube software is the perfect space to test your initial development.

Read more at Jaxenter

Working with Linux File Links

In this article by Oliver Pelz, the author of Fundamentals of Linux, you’ll take a look at what Linux file links are and how to work with them.

Connecting a filename to the actual data is managed by the filesystem using a table or data structure, which is called a file allocation table. In the Linux filesystem, an Inode is the actual entry point to a specific file’s data on the hard disk. To simplify, you can just consider that the Inode represents the actual data of a file. The filesystem management now ensures that every normal file, upon creation, has one link entry in its allocation table to connect the actual filename to the Inode on the hard disk. Such a link is also called a hard link. The original filename to the Inode relationship is also linked using a hard link. Now, the cool thing about the Linux filesystem is that you can create additional hard links to an existing Inode, which is like having alternative names for a file.

One of the drawbacks of a hard link is that you cannot differentiate a hard link from the original filename or the Inode. This can cause problems and side effects because if you change the original file’s content, the hard link’s content will be changed as well.
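The behaviour described above can be observed directly through stat: both names report the same inode and link count, a write through either name is visible through the other, and the only way to tell which names share data is to search for matching device/inode pairs. The following is an added example, not code from the article or the book; it runs in a throwaway temporary directory.

```python
import os
import tempfile


def names_for_inode(root, path):
    """Every name under `root` that is a hard link to `path` (same device and
    inode).  Since a hard link is indistinguishable from the original name,
    this search is the only way to find the file's other names."""
    target = os.stat(path)
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # do not follow symlinks; they have their own inode
            if (st.st_dev, st.st_ino) == (target.st_dev, target.st_ino):
                matches.append(os.path.basename(p))
    return sorted(matches)


def hard_link_demo():
    """Create a file and a hard link to it, and return what the filesystem
    shows at each step as a dict of observations."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.txt")
        alias = os.path.join(d, "alias.txt")
        with open(original, "w") as f:
            f.write("first version\n")
        nlink_before = os.stat(original).st_nlink  # one name -> link count 1

        os.link(original, alias)  # second hard link to the same inode
        s_orig, s_alias = os.stat(original), os.stat(alias)
        names = names_for_inode(d, alias)

        # Writing through one name changes what the other shows: both names
        # resolve to the same inode, i.e. the same data.
        with open(alias, "w") as f:
            f.write("second version\n")
        with open(original) as f:
            seen_via_original = f.read()

        # Removing the "original" name does not delete the data; the inode
        # survives until its last link is gone.
        os.unlink(original)
        nlink_after_unlink = os.stat(alias).st_nlink
        with open(alias) as f:
            still_readable = f.read()

        return {
            "nlink_before": nlink_before,
            "same_inode": s_orig.st_ino == s_alias.st_ino,
            "nlink_after_link": s_orig.st_nlink,
            "indistinguishable": (s_orig.st_ino, s_orig.st_nlink, s_orig.st_size)
                                 == (s_alias.st_ino, s_alias.st_nlink, s_alias.st_size),
            "names": names,
            "seen_via_original": seen_via_original,
            "nlink_after_unlink": nlink_after_unlink,
            "still_readable": still_readable,
        }
```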

Read more at LinuxTechLab

Virtme: The Kernel Developer’s Best Friend

When working on the Linux Kernel, testing via QEMU is pretty common. Here’s a look at virtme, a QEMU wrapper that uses the host instead of a virtual disk, making working with QEMU extremely easy.

By Ezequiel Garcia, Senior Software Engineer at Collabora.

When working on the Linux Kernel, testing via QEMU is pretty common. Many virtual drivers have been recently merged, useful either to test the kernel core code, or your application. These virtual drivers make QEMU even more attractive.

However, QEMU can be hard to set up, which is discouraging for some developers: all you wanted was to run a test, and suddenly you are reading through QEMU man pages, trying to find the right combination of arguments. We have blogged about QEMU’s bonanzas, so this time we want to take a somewhat different path and explore virtme, which is basically a QEMU wrapper. Quoting virtme’s own readme:

“Virtme is a set of simple tools to run a virtualized Linux kernel that uses the host Linux distribution or a simple rootfs instead of a whole disk image. Virtme is tiny, easy to use, and makes testing kernel changes quite simple.”

The tool was written by Andy Lutomirski. See more details on the readme.

We really enjoy using this tool, and have found it’s not too well known. So, we’ve decided to spread the word and put together a curated list of zero-to-kernel steps:

Installing virtme

Instead of using Andy Lutomirski’s upstream, we are going to use Ezequiel’s repo. This version of virtme simply adds some extra sugar.

git clone https://github.com/ezequielgarcia/virtme.git
cd virtme
sudo ./setup.py install

Now get your favourite kernel tree

git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Configure it for virtme

virtme comes with some handy tools to produce a suitable kernel configuration. This makes the config process much easier.

virtme-configkernel --defconfig

Enable the drivers you need

For instance, let’s enable the vim2m driver. This is a virtual video4linux memory-to-memory driver.

CONFIG_MEDIA_SUPPORT=y
CONFIG_MEDIA_CAMERA_SUPPORT=y
CONFIG_VIDEO_DEV=y
CONFIG_VIDEO_V4L2=y
CONFIG_V4L2_MEM2MEM_DEV=y
CONFIG_V4L_TEST_DRIVERS=y
CONFIG_VIDEO_VIM2M=y

Build the kernel

make -j4

Run virtme

sudo virtme-run --kimg arch/x86_64/boot/bzImage

or just:

sudo virtme-run --kdir .

Extra sugar

Running scripts at boot

One of them is --script-dir, which allows you to run scripts at boot. This can be used to run all your tests at boot, providing a quick way to test kernel changes.

Continue reading on Collabora’s blog.