ApacheCon gathers attendees from over 60 countries to learn about core open source technologies directly from the Apache developer and user communities.
The ApacheCon program committee is seeking proposals from speakers with fresh ideas, enlightening case studies, best practices or deep technical knowledge fornewstandalone tracks such as FlexJS Summit, TomcatCon, ApacheIoT, CloudStack Collaboration Conference and general tracks covering other Apache projects.
You have 4 days left to submit a proposal. The deadline is February 11. Submit a Proposal Now!
ApacheIoT is a new conference track that lays the vision, framework, and components for an IoT system architected to operate at scale for a wide range of compelling use cases. It is aimed at developers, operators, and users to discuss applicable projects, to reach beyond the boundaries of each product, and collaborate on evolving into coherent end-to-end systems.
CloudStack Collaboration Conference
The CloudStack Collaboration Conferenceis aimed at developers, operators and users to discuss and evolve the open source software project, its functionality and real world operability. The event will offer participants the opportunity to learn and collaborate on CloudStack, while also discovering new projects.
TomcatCon
TomcatCon is the place for all users of Tomcat to expand their Tomcat knowledge in areas such as networking, security, performance and deployment. It also offers an opportunity to discuss the current Tomcat roadmap and help inform future development.
FlexJS Summit
FlexJS Summitis a new summit track that shows where FlexJS is today and lays out the future for the FlexJS project. It is aimed at existing Apache Flex and new Apache FlexJS developers, designers, and users. Participants have a wonderful opportunity to discover new projects and exchange ideas.
Apache: Big Data
Apache: Big Datagathers together the Apache projects, people and technologies working in Big Data, ubiquitous computing and data engineering and science to educate, collaborate and connect in a completely project-neutral environment. It is the only event that brings together the full suite of Big Data open source projects.
Not looking to speak at ApacheCon but want to attend? Registerby March 12 to save $400! One registration gives you access to ApacheCon, Apache: Big Data, FlexJS Summit, TomcatCon, ApacheIoT, Traffic Server Conf and CloudStack Collaboration Conference.
Linux.com readers can register now for ApacheCon or Apache: Big Data with the discount code, LINUXRD5, for 5% off the registration price.
More than 600 open source professionals, developers and operators will convene in Tokyo this year to collaborate, share information, and learn at Open Source Summit Japan. The technical conference will cover the latest in open source technologies, including Linux, containers, cloud computing, software-defined networking, and more.
This year Open Source Summit Japan will also be co-located with Automotive Linux Summit, to be held May 31 – June 2 at the Tokyo Conference Center. Automotive Linux Summit gathers the most innovative minds from the automotive arena including automotive systems engineers, Linux experts, R&D managers, business executives, open source licensing and compliance specialists and community developers. The event connects the developer community with the vendors and users providing and using the code in order to drive the future of embedded devices in automotive.
The Linux Foundation is now seeking proposals for both conferences from speakers with fresh ideas, enlightening case studies, best practices, or deep technical knowledge.
Not interested in speaking but want to attend? Linux.com readers get 5% off the “attendee” registration with code LINUXRD5. Register now to save over $150 on Open Source Summit Japan through April 16.
There is a complimentary add-on option on the Open Source Summit Japan registration form to join Automotive Linux Summit.
Throughout 2016, Software Defined Networking (SDN) continued to rapidly evolve and gain maturity. We are now beyond the conceptual phase of open source networking, and the companies that were assessing the potential of these projects two years ago have begun enterprise deployments. As has been predicted for several years, SDN is beginning to redefine corporate networking.
Market researchers are essentially unanimous on the topic. IDC publisheda study of the SDN market earlier this year and predicted a 53.9 percent CAGR from 2014 through 2020, at which point the market will be valued at $12.5 billion. In addition, the Technology Trends 2016 report ranked SDN as the best technology investment for 2016.
“Cloud computing and the 3rd Platform have driven the need for SDN, which will represent a market worth more than $12.5 billion in 2020. Not surprisingly, the value of SDN will accrue increasingly to network-virtualization software and to SDN applications, including virtualized network and security services. Large enterprises are now realizing the value of SDN in the datacenter, but ultimately, they will also recognize its applicability across the WAN to branch offices and to the campus network,” saidRohit Mehra, Vice President of Network Infrastructure at IDC.
The Linux Foundation recentlyannounced the release of its 2016 report“Guide to the Open Cloud: Current Trends and Open Source Projects.” This third annual report provides a comprehensive look at the state of open cloud computing, and includes a section on unikernels. You candownload the report now, and one of the first things to notice is that it aggregates and analyzes research, illustrating how trends in containers, unikernels, and more are reshaping cloud computing. The report provides descriptions and links to categorized projects central to today’s open cloud environment.
In this series, we are looking at various categories and providing extra insight on how the areas are evolving. Below, you’ll find several important SDN projects and the impact that they are having, along with links to their GitHub repositories, all gathered from the Guide to the Open Cloud:
Open Network Operating System (ONOS), a Linux Foundation project, is a software-defined networking OS for service providers that has scalability, high availability, high performance and abstractions to create apps and services. ONOS on GitHub
OpenContrail is Juniper Networks’ open source network virtualization platform for the cloud. It provides all the necessary components for network virtualization: SDN controller, virtual router, analytics engine, and published northbound APIs. Its REST API configures and gathers operational and analytics data from the system. OpenContrail on GitHub
OpenDaylight, an OpenDaylight Foundation project at The Linux Foundation, is a programmable, software-defined networking platform for service providers and enterprises. Based on a microservices architecture, it enables network services across a spectrum of hardware in multivendor environments. OpenDaylight on GitHub
Open vSwitch, a Linux Foundation project, is a production-quality, multilayer virtual switch. It’s designed for massive network automation through programmatic extension, while still supporting standard management interfaces and protocols including NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, and 802.1ag. It supports distribution across multiple physical servers similar to VMware’s vNetwork distributed vswitch or Cisco’s Nexus 1000V. OVS on GitHub
Open Platform for Network Functions Virtualization (OPNFV), a Linux Foundation project, is a reference NFV platform for enterprise and service provider networks. It brings together upstream components across compute, storage and network virtualization in order create an end-to-end platform for NFV applications. OPNFV on Bitergia
Recently, Marcel Holtmann from Intel began looking at the challenge of shrinking Linux to run on small, IoT devices as a hobby project, and at LinuxCon Europe, he presented what he’s learned about how to run Linux on tiny peripherals.
The security vulnerabilities that you need to consider when developing open source software can be overwhelming. Common Vulnerability Enumeration (CVE) IDs, zero-day, and other vulnerabilities are seemingly announced every day. With this flood of information, how can you stay up to date?
“If you shipped a product that was built on top of Linux kernel 4.4.1, between the release of that kernel and now, there have been nine CVEs against that kernel version,” says Ryan Ware, Security Architect at Intel, in the Q&A below. “These all would affect your product despite the fact they were not known at the time you shipped.”
Ryan Ware, Security Architect at Intel
In his upcoming presentation at ELC + OpenIoT Summit, Ryan Ware, Security Architect at Intel, will present strategies for how you can navigate these waters and successfully manage the security of your product. In this preview of his talk, Ware discusses the most common developer mistakes, strategies to stay on top of vulnerabilities, and more.
Linux.com: Let’s start from the beginning. Can you tell readers briefly about the Common Vulnerabilities and Exposures (CVE), 0-day, and other vulnerabilities? What are they, and why are they important?
Ryan Ware: Excellent questions. Common Vulnerabilities and Exposures (CVE) is a database maintained by the MITRE Corporation (a not-for-profit organization) at the behest of the United States government. It’s currently funded under the US Department of Homeland Security. It was created in 1999 to house information about all publicly known security vulnerabilities. Each of these vulnerabilities has its own identifier (a CVE-ID) and can be referenced by that. This is how the term CVE, which really applies to the whole database, has morphed into meaning an individual security vulnerability: a CVE.
Many of the vulnerabilities that end up in the CVE database started out life as 0-day vulnerabilities. These are vulnerabilities that for whatever reason haven’t followed a more ordered disclosure process such as Responsible Disclosure. The key is that they’ve become public and exploitable without the software vendor being able to respond with a remediation of some type — usually a software patch. These and other unpatched software vulnerabilities are critically important because until they are patched, the vulnerability is exploitable. In many ways, the release of a CVE or a 0-Day is like a starting gun going off. Until you reach the end of the race, your customers are vulnerable.
Linux.com: How many are there? How do you determine which are pertinent to your product?
Ryan: Before going into how many, everyone shipping software of any kind needs to keep something in mind. Even if you take all possible efforts to ensure that the software you ship doesn’t have known vulnerabilities in it, your software *does* have vulnerabilities. They are just not known. For example, if you shipped a product that was built on top of Linux kernel 4.4.1, between the release of that kernel and now, there have been nine CVEs against that kernel version. These all would affect your product despite the fact they were not known at the time you shipped.
At this point in time, the CVE database contains 80,957 entries (January 30, 2017) and includes entries going all the way back to 1999 when there were 894 documented issues. The largest number in a year to date was 2014 when 7,946 issues were documented. That said, I believe that the decrease in numbers over the last two years isn’t due to there being fewer security vulnerabilities. This is something I’ll touch on in my talk.
Linux.com: What are some strategies that developers can use to stay on top of all this information?
Ryan: There are various ways a developer can float on top of the flood of vulnerability information. One of my favorite tools for doing so is CVE Details. They present the information from MITRE in a very digestible way. The best feature they have is the ability to create custom RSS feeds so you can follow vulnerabilities for the components you care about. Those with more complex tracking problems may want to start by downloading the MITRE CVE database (freely available) and pulling regular updates. Other excellent tools, such as cvechecker, allow you to check for known vulnerabilities in your software.
For key portions of your software stack, I also recommend one amazingly effective tool: Get involved with the upstream community. These are the people who understand the software you are shipping best. There are no better experts in the world. Work with them.
Linux.com: How can you know whether your product has all the vulnerabilities covered? Are there tools that you recommend?
Ryan: Unfortunately, as I said above, you will never have all vulnerabilities removed from your product. Some of the tools I mentioned above are key. However, there is one piece of software I haven’t mentioned yet that is absolutely critical to any product you ship: a software update mechanism. If you do not have the ability to update the product software out in the field, you have no ability to address security concerns when your customers are affected. You must be able to update, and the easier the update process, the better your customers will be protected.
Linux.com: What else do developers need to know to successfully manage security vulnerabilities?
Ryan: There is one mistake that I see over and over. Developers always need to keep in mind the idea of minimizing their attackable surface area. What does this mean? In practice, it means only including the things in your product that your product actually needs! This not only includes ensuring you do not incorporate extraneous software packages into your product, but that you also compile projects with configurations that turn off features you don’t need.
How does this help? Imagine it’s 2014. You’ve just gone into work to see that the tech news is all Heartbleed all the time. You know you include OpenSSL in your product because you need to do some basic cryptographic functionality but you don’t use TLS heartbeat, the feature with the vulnerability in question. Would you rather:
a. Spend the rest of your work working with customers and partners handholding them through a critical software update fixing a highly visible security issue?
b. Be able to tell customers and partners simply that you compiled your products OpenSSL with the “–DOPENSSL_NO_HEARTBEATS” flag and they aren’t vulnerable, allowing you to focus on new features and other productive activities.
The easiest vulnerability to address is the one you don’t include.
Embedded Linux Conference + OpenIoT Summit North America will be held on February 21-23, 2017 in Portland, Oregon. Check out over 130 sessions on the Linux kernel, embedded development & systems, and the latest on the open Internet of Things.
Linux.com readers can register now with the discount code, LINUXRD5, for 5% off the attendee registration price. Register now>>
It seems like every day new IoT devices with a very limited amount of RAM and storage space are appearing in homes, gardens, businesses, labs, and elsewhere. This includes things like heart rate monitors, thermometers, home automation components, and other devices that only need to perform small, limited tasks. About a year ago, Marcel Holtmann from Intel began looking at the challenge of shrinking Linux to run on these types of small, IoT devices as a hobby project, and at LinuxCon Europe, he presented what he’s learned about how to run Linux on tiny peripherals.
When you begin working with these tiny devices, you ultimately need to decide whether to use a real-time operating system (RTOS) or stick with Linux, Holtmann says. He mentioned that at the October 2015 Kernel Summit in Seoul, Jon Corbet talked about the fear that if they couldn’t shrink Linux, Linux would lose out on the vast numbers of IoT opportunities and become less relevant. In some cases, Holtmann points out that Linux will be a better choice than a RTOS. For example, if you need an IPv6 stack to support a particular feature or Wi-Fi connectivity, most RTOS’s won’t have them, but Linux does. Where do you spend your time? Shrinking Linux or building a new feature into your RTOS?
The costs of these devices are coming down drastically, to the point where people are starting to use devices like the Raspberry Pi for speaker gifts and other giveaways. Holtmann talked about three categories of devices: First, simple sensors, like thermometers and Bluetooth heart rate monitors that are very inexpensive; second, IP nodes, like IPv6-enabled devices used for home automation and with a variety of mesh technologies; and, third, larger gateway devices like routers and Wi-Fi access points.
Holtmann said that for the tiny devices he wanted to focus on, you can’t just install your favorite distribution and hope for the best. He picked several very specific components to build his Linux-based devices: gummiboot (UEFI boot loader), Linux (OS kernel), musl (C library), ELL (utility library), and BlueZ (Bluetooth library). From the idea to implementation, he worked mostly in QEMU to avoid tangling with the hardware until he figured out what would actually work. When he was ready to test it on real hardware, he booted it from a MicroSD card on a Minnowboard Max with a USB-based Bluetooth dongle.
For all of the details about exactly how he optimized Linux to run on a tiny device, watch the video of Holtmann’s entire presentation below.
Interested in speaking at Open Source Summit North America on September 11-13? Submit your proposal by May 6, 2017. Submit now>>
Not interested in speaking but want to attend? Linux.com readers can register now with the discount code, LINUXRD5, for 5% off the all-access attendee registration price. Register now to save over $300!
As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. And that’s before we consider that the code we write has a tremendous value of its own and should be protected.
Taking responsibility for our security hygiene is, thankfully, not very difficult. Today, most tools we need are either already present in our operating systems or can be added without much effort. In this post, I’ll take you down a list of things you should consider.
The Kodi media player developers have been busy working on a new release, and now it’s finally here. This release of Kodi includes some significant interface changes that should make Kodi users quite happy.
Kodi, of course, is the popular media application that some have linked with piracy of movies and TV shows. The app has generated controversy in the media, and the release of Kodi 17 will probably draw even more scrutiny as additional users begin installing it on their computers.
As the Internet of Things (IoT) market continues its explosive growth and development, more and more businesses are looking at the ways they can generate business value from connected devices and the data they generate. By 2020, research firm Gartner predicts that more than half of major new business processes and systems will incorporate IoT elements.
However, just where businesses are deploying these devices, and how they are using them depends on the vertical market. Here are 10 ways that enterprises are deploying IoT for real business value.
Last summer at the Black Hat cybersecurity conference, the DARPA Cyber Grand Challenge pitted automated systems against one another, trying to find weaknesses in the others’ code and exploit them.
“This is a great example of how easily machines can find and exploit new vulnerabilities, something we’ll likely see increase and become more sophisticated over time,” said David Gibson, vice president of strategy and market development at Varonis Systems.
His company hasn’t seen any examples of hackers leveraging artificial intelligence technology or machine learning, but nobody adopts new technologies faster than the sin and hacking industries, he said.
“So it’s safe to assume that hackers are already using AI for their evil purposes,” he said.
