Cloudflare launches web hosting service Cloudflare Pages


Keumars Afifi-Sabet

18 Dec, 2020

US web infrastructure firm Cloudflare has devised its own tool that lets web developers build and host websites.

Taking advantage of the company’s global infrastructure network, Cloudflare Pages is a hosting service that supports platforms built directly on the edge using the JAMstack architecture.

The firm has described this as “the next breakthrough in the web performance battle” due to the way it takes advantage of edge computing, with Cloudflare claiming performance will be almost twice as fast as other platforms.

Beyond this, Cloudflare also suggests its Pages service will be secure and scalable, saving developers time on integrating disparate systems, as well as benefitting from seamless GitHub integration to ease the development process.

“From day one Cloudflare was built to service developers. Over the last ten years, millions of developers have counted on us for our network performance and security services,” said Matthew Prince, Cloudflare CEO and co-founder. “With Cloudflare Pages, we’re now providing them with a scalable, fast, secure, cost-effective platform to build next-generation applications that they can deploy globally. 

“Internally, we believe it’s only a matter of time before an individual developer builds a billion-dollar company on their own. We hope Cloudflare Pages will provide the building blocks to help make our belief a reality.”

Its scalability can be attributed to the fact it’s built on Cloudflare’s global network of more than 200 cities, the company added, while running on the edge means Pages will be within 100 milliseconds of 99% of the internet-connected population.

The firm is also hoping to soon integrate Cloudflare Pages with its Cloudflare Workers serverless development platform, so users can integrate third-party APIs into their own platforms. This will allow frontend developers versed in JavaScript to build scalable backends to their applications in the same language.

The security of the platform, meanwhile, is being assured with free SSL as standard, alongside the firm’s Web Application Firewall (WAF). The company will also provide support for the latest web standards with HTTP/3, the QUIC transport layer network protocol, and image compression.

2020 in review: A SaaS success story


Bobby Hellard

25 Dec, 2020

2020 will undoubtedly be remembered for the coronavirus pandemic, but it should also be marked as the year cloud services and the SaaS market kept the world ticking over.

The sudden shift to mass remote working presented a lot of software firms with an opportunity to show what they could do to a wider audience. For example, very few had heard of Zoom in January, but just two months later it was a household name. By the summer, so many of us were using it that the company had reported 355% growth year-on-year and many businesses were starting to worry about “video-call fatigue”. 

That wasn’t the only issue Zoom users worried about, initially, as the sudden attention on the video conferencing platform also unearthed some critical security flaws. A lack of end-to-end encryption and the ease with which unwanted guests could access meeting IDs created a bit of a PR nightmare.  

Despite these faults, the firm grew and grew and the simplest explanation for its rapid rise is that it was offered as a free service. Businesses need to stay connected with employees and Zoom allowed them to do that without adding an extra cost. So far, the company’s success is tied to the coronavirus pandemic, but it may live on long after COVID-19. 

“The pandemic forced many organisations to implement remote working overnight,” explains Rob Harrison, UK MD at SAP Concur. “With employees unable to travel to the office, activities such as expense claims and invoice processing became more difficult for those organisations still using paper-based processes. 

“Cloud-based tools helped organisations to continue their operations with minimal disruption, despite having no access to the office. Now that both organisations and employees have seen the lifeline that these tools can provide, we are likely to see continued investment in cloud-based systems.” 

SaaS (Software as a saviour) 

The switch to remote working was so swift and large that, by July, Gartner predicted the Software as a service (SaaS) market would grow from $104.7 billion in 2019 to $120.9 billion by 2021. The organisation’s vice president of research, Sid Nag, said the cloud had “delivered exactly what it was supposed to” by meeting customers’ demand for remote software.

The benefits of cloud computing and remote working software have been obvious to the tech industry for years, but the rest of the world needed a little more convincing. So when COVID-19 hit and we all went inside, collaboration services like G Suite or Office 365 suddenly saw a rapid increase in users.

This was particularly true for communications platforms. In the first three months of 2020, as the pandemic spread around the west, Microsoft Teams usage surged to 44 million active daily users. This jumped up to 75 million a couple of months later partly because, as rival firm Slack pointed out, it was bundled into a subscription service, so users had it whether they specifically wanted it or not. 

Slack referred to Microsoft Teams as a “weak copycat product” in an anti-competition complaint it filed with the European Commission (EC). But the year ended with Slack being acquired by Salesforce after failing to match the pandemic growth of other collaboration services, while Microsoft Teams continued to grow. 

The acquisition of Slack by Salesforce capped off a brilliant year for the SaaS giant. The company made changes to its business during the first half of the year – “reallocating resources”, as CEO Marc Benioff phrased it – making certain roles redundant while investing in more digital ones. The firm saw 29% growth in Q2 and announced plans to hire 12,000 new workers over the next year. 

Given what Salesforce provides, this is as good an indication as any of the growth of the software market. And, despite news of a vaccine, now that the world has seen what it can do, it may never go back.

Malware found on popular Facebook, Instagram and Vimeo browser extensions


Rene Millman

17 Dec, 2020

Malware hidden in at least 28 third-party Google Chrome and Microsoft Edge extensions has been discovered by security researchers.

The malware has the functionality to redirect users’ traffic to ads or phishing sites and to steal people’s personal data, such as birth dates, email addresses, and active devices, according to a report released by cybersecurity firm Avast.

Researchers have said that up to three million users could be affected by the malware.

The malware in question masquerades as legitimate extensions that help download videos from Instagram, Facebook, Vimeo, and other social platforms. The researchers identified malicious code in the JavaScript-based extensions that allows the plugins to download further malware onto a user’s PC.

The threat was first spotted last month, but researchers believe the extensions could have been active for years without anyone noticing.

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit.

“The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user),” the report said.

Researchers added that the objective behind this is to monetize the traffic itself: for every redirection to a third-party domain, the cyber criminals receive a payment. The extensions also have the capability to redirect users to ads or phishing sites.

“Our hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, malware researcher at Avast.

At this moment, the infected extensions are still available for download. Avast has contacted the Microsoft and Google Chrome teams to report them. Both Microsoft and Google confirmed they are currently looking into the issue. Users are recommended to disable or uninstall the extensions for now until the problem is resolved.

Extensions mentioned in the report, many of which are still available to download, include: Direct Message for Instagram, DM for Instagram, Downloader for Instagram, App Phone for Instagram, Universal Video Downloader, Vimeo Video Downloader, Volume Controller, Spotify Music Downloader, and Video Downloader for YouTube.

Google-Qualcomm partnership makes four years of Android updates a reality


Rene Millman

17 Dec, 2020

Android phones in the future will support up to four new OS versions thanks to a collaboration between Google and Qualcomm.

All new mobile platforms with Qualcomm silicon will get four OS version updates and four years of security updates, according to a blog post by Google engineers.

In 2017, Google restructured Android to be more modular, enabling easier updates. This move, known as Project Treble, split the OS framework from the device-specific low-level software (called the vendor implementation).

While this was good for device manufacturers, it introduced “additional complexity” for chipmakers.

“For each SoC model, the SoC manufacturers now needed to create multiple combinations of vendor implementations to support OEMs who would use that chipset to launch new devices and deploy OS upgrades on previously launched devices,” said Google engineers.

They added that the result was that three years beyond the launch of a chipset, the SoC vendor would have to support up to six combinations of OS framework software and vendor implementations – something that resulted in enormous engineering costs.

The new solution now extends the “no-retroactivity principle” to the SoCs as well as to devices. “With this change, the SoC provider would be able to support Android with the same vendor implementations on their SoCs for device launches as well as upgrades.”

Over the last year, Google has worked with Qualcomm so that “all new Qualcomm mobile platforms that take advantage of the no-retroactivity principle for SoCs will support four Android OS versions and four years of security updates”.

This means that a device will ship with the initial Android OS and then will receive 3 additional software updates over the course of its life. Security updates will extend for an additional year, to cover the final software launch, bringing the total lifespan to four years.

Engineers added that all Qualcomm customers will be able to “take advantage of this stability to further lower both the costs of upgrades as well as launches and can now support their devices for longer periods of time”.

The move will see Google reusing the same OS framework across multiple Qualcomm chipsets. It added that this would “dramatically” lower the number of OS framework and vendor implementation combinations that Qualcomm has to support across their mobile platforms and results in lowered engineering, development, and deployment costs.

Google said that the change would be taking effect with all SoCs launching with Android 11 and later.

IBM appoints CEO Arvind Krishna as chairman of the board


Bobby Hellard

17 Dec, 2020

IBM’s board of directors has elected the company’s CEO, Arvind Krishna, as its chairman, as it continues to revamp its business model.

Krishna again succeeds former CEO Ginni Rometty, who is set to completely retire from the company on 31 December 2020.

Rometty’s departure as CEO was announced back in January along with Krishna’s appointment to the helm. He officially took charge in April and the company has made seismic changes during his brief time in charge.

Krishna previously oversaw IBM’s cloud and cognitive software divisions and also played an integral role in its acquisition of Red Hat. The tech giant has prioritised hybrid cloud and artificial intelligence services and will spin off its managed infrastructure business by the end of 2021.

How long these changes have been in the works is unknown, but they have undoubtedly been pushed by the spread of the coronavirus and the resulting mass acceleration of migrations to the cloud.

In January, the firm pinned its first quarter of growth for more than a year on the uptick in its cloud division, with 2019 Q4 results showing a 21% rise in total cloud revenue, at $6.8 billion. Over the next 12 months, the company continued to invest and prioritise cloud, particularly hybrid cloud services, with a number of announcements made in October.

The month began with IBM expanding its partnership with SAP to help customers move into hybrid cloud environments. The firm also announced a new partnership with telecoms provider AT&T for 5G-based hybrid cloud architecture, and a blockchain platform with R3 that works across IBM’s Cloud Hyper Protect Service.

IBM is still a year away from its deadline to spin off its legacy business, which suggests that it will continue to invest and release more hybrid-cloud based applications. So far, its decision to focus on cloud services has been vindicated by its quarterly reports – for 2020 Q3, total cloud revenue was up 19%, year-over-year, at $24.4 billion.

2021 could be the year of cloud experimentation


Bobby Hellard

16 Dec, 2020

If 2020 was the year to accelerate your digital transformation plans, then 2021 could be the year to explore all the wonders you might now have at your disposal. 

From containers to artificial intelligence, businesses now have a lot more power in their hands. While much of this won’t necessarily be new technology, a more varied uptake of it may lead to new use cases, greater insights and lots more experimentation. 

Pip White has been the managing director of Google Cloud’s UK and Ireland operation since June. She tells IT Pro that this year may be about exploring the benefits of all those cloud migrations. 

“Until now, cloud migration has been an infrastructure decision, promising to change the way business devices and information systems interact with each other,” White explains. “But cloud migration brings another type of transformation too – of a company’s culture – and it’s coming to the forefront of conversations.

“As we enter 2021, cloud migration will be increasingly driven by the need to establish a culture of continuous innovation to keep pace with rapid change. Untethering staff from low value, labour-intensive tasks and allowing them to focus on innovation and high-impact projects. Companies will move away from what might have been top-down corporate strategies, to fully infusing transformation and letting every person in an organisation transform.” 

White also cites a term coined by Gartner: The “anywhere operations model”, where businesses allow employees to access services from any device, any time and, as the name suggests, from anywhere. This will naturally result in greater cloud security functions, which we should see more of in 2021, though that is an area that has seen lots of attention over the last few years. 

The “Open” cloud

The ever-evolving workplace will force businesses to prioritise agile and “responsive” models, according to White. This may include a move to an “open” cloud approach, rather than using one vendor, with containerisation moving up the agenda.

“As businesses continue to stabilise themselves post-pandemic, a renewed focus will be placed on projects that enhance employee and customer experiences, reduce costs, increase operational efficiencies and boost revenue,” White says. “To enable an open cloud, build new environments and modernise old ones, the open-source community will dial-up investment in container and serverless functions, creating a spike in global demand.”

This is a fairly safe bet as containers have been steadily increasing in popularity for the last few years. Developers use them to build applications and going into 2021, demand for that skill is likely to grow. 

AI and ML shift

With the mass migration to the cloud, more and more businesses will suddenly be using artificial intelligence and/or machine learning to improve customer services, boost productivity and enhance their use of data, according to White. 

“Technologies like AI and ML will be crucial to extracting meaningful insights from data sets,” White says. “For example, the banking industry has dialled up AI investment to enhance personalisation, deliver financial well-being insights and better manage risk. Even industries who are not already using AI or ML will start to experiment with technology to create tailored experiences, from anywhere.”

Again, this isn’t necessarily new, but to businesses that made the jump to the cloud in 2020, or ones that invested more into established setups, a world of automation and data analytics awaits them.

AWS slams Microsoft’s “politically corrupt” JEDI win in new complaint


Bobby Hellard

16 Dec, 2020

Amazon Web Services (AWS) has urged a US judge to halt the Pentagon’s $10 billion JEDI contract and assess the remaining issues with Microsoft’s winning bid.

In a redacted court filing from October, the cloud giant said that the award must be “invalidated” as it was “the product of systematic bias” and a “flawed and politically corrupted decision”. 

AWS has again accused Donald Trump of exerting “undue influence”. The US President reportedly said “screw Amazon” when discussing the bidding process, allegedly due to an ongoing spat with the company’s founder Jeff Bezos. 

The cloud migration project was awarded to Microsoft in October 2019, but the Redmond-based tech giant hasn’t yet been able to begin its work due to legal challenges brought by AWS. Of all of the issues the cloud giant cited, a US court only found a problem with a pricing scenario quoted by Microsoft.

In September the Department of Defence (DoD) said a court-ordered reevaluation determined that Microsoft’s proposal still represented the best value for the government, which AWS now claims is incorrect.  

“After the Court rejected the flawed initial JEDI evaluation, the DoD spent over four months attempting to revive Microsoft’s non-compliant bid and reaffirm that flawed and politically-biased decision,” an AWS spokesperson said. 

“As a result of the DoD fixing just one of many errors, the pricing differential swung substantially, with AWS now the lowest-priced bid by tens of millions of dollars.” 

The cloud giant’s argument is that the one issue the DoD did fix caused a “substantial” change, in this case making Amazon’s bid more cost-effective. As such, it is pushing for a reevaluation of the “errors that remain unaddressed”.   

“We had made clear that unless the DoD addressed all of the defects in its initial decision, we would continue to pursue a fair and objective review, and that’s exactly where we find ourselves today,” the spokesperson added.  

Microsoft did not immediately respond to CloudPro’s request for comment. 

Connexin rolls out UK’s first nationwide IoT network


Keumars Afifi-Sabet

16 Dec, 2020

Smart city development firm Connexin has announced plans to expand its Internet of Things (IoT) network across the entirety of the UK, with all local authorities and regions now able to link up with the company’s flagship platform.

Such a universal carrier-grade roaming long range wide area network (LoRaWAN) aims to lower the barriers to entry for regional governments hoping to launch their own smart city projects. This also eases the process for any organisation hoping to adopt IoT products.

This national rollout is the first of its kind in the UK and has started following successful regional deployments in Yorkshire, with organisations such as Yorkshire Water, Hull City Council and Amey among those which are already using the system.

Using the LoRaWAN network allows any organisation in public service, from councils to utility firms, to deploy IoT products without having to build their own network, as they can tap into Connexin’s universal system.

“With a low-cost wide-area networking solution becoming available to all organisations across the UK, it opens up opportunities for those looking to deploy IoT solutions for a fraction of the cost of existing cellular infrastructure solutions,” said the founder and CEO of Connexin, Furqan Alamgir. 

“Not only does this promote the development of new IoT-based technology but it allows existing solutions to be rolled out nationwide to encourage further adoption and will allow more people to utilise and benefit from affordable, carrier-grade IoT connectivity.”

This news builds on an £80 million fundraising effort in September, with the company aiming to become the UK’s chief smart cities provider following successful regional deployments in Sheffield, Hull, and the South Coast. The expansion of its national IoT network to cover all areas of the UK is now underway.

The presence of a national IoT network may help to kickstart smart city projects across the UK, with only limited implementation and success to date. Many projects are either small in scale, or in the pipeline for future development, such as the government’s £90 million cash injection to build ‘future transport zones’. These will be located in the West of England Combined Authority, Portsmouth and Southampton, and Derby and Nottingham.

Golang XML parser vulnerability could enable SAML authentication bypass


Rene Millman

15 Dec, 2020

Security researchers have disclosed three critical vulnerabilities within the XML parser of the Go programming language that could allow hackers to completely bypass the SAML authentication that features in many popular web applications.

The flaws were discovered earlier in the year by cloud collaboration provider Mattermost. It has been working alongside Go’s internal security team since August on addressing these vulnerabilities, as well as with the organisations and individuals behind downstream projects.

All three revolve around the way Go processes XML documents over multiple rounds of parsing, allowing attackers to use specially crafted XML markup to trick systems. According to a blog post by Juho Nurminen, product security engineer at Mattermost, there are several potential security problems created by these flaws, with one of the most significant being the risk it introduces to the integrity of the web-based SAML single sign-on (SSO) standard.

The first flaw, CVE-2020-29509, is an XML attribute instability in Go’s encoding/xml. An affected SAML implementation can interpret a SAML Assertion as signed, but then proceed to read values from an unsigned part of the same document due to namespace mutations between signature verification and data access. This can lead to full authentication bypass and arbitrary privilege escalation within the scope of a SAML Service Provider.

The other two vulnerabilities – designated CVE-2020-29510 and CVE-2020-29511, respectively – can also be exploited to fully bypass authentication. The former is an XML directive instability while the latter is an XML element instability.

“As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go’s decoder and encoder implementations,” said Nurminen. “In other words, passing XML through Go’s decoder and encoder doesn’t preserve its semantics.”

“Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it’s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document.”

“The actual impact of these XML round-trip vulnerabilities of course varies by use case,” he said, “but in SAML SSO it’s easy to understand: if your SAML messages can be altered to say you’re someone you’re not, the result is arbitrary privilege escalation within the scope of the SAML Service Provider, or in some cases even complete authentication bypass.”

At present, it has not been possible to patch the vulnerabilities, despite significant efforts by the Go security team, although the Go team has reported that it hopes to introduce some changes in future versions of the language to address them.

There are, however, mitigations in place. Mattermost identified three major open-source SAML implementations which are vulnerable to these flaws: Dex SAML Connector, github.com/crewjam/saml and github.com/russellhaering/gosaml2. The company has already collaborated with the maintainers of these projects, and patches are now available for all three. Mattermost says it has also privately contacted the maintainers of “significant applications and products” that rely on impacted SAML implementations, and any organisations within that group are advised to start patching as soon as possible.

In addition, it has also open-sourced an XML validation library that can be used as a workaround until a more permanent solution is established. Nurminen noted that refactoring code to avoid encoding round-trips may be an acceptable long-term solution, although he conceded that this would not be possible in all cases.  
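As an added illustration of the round-trip check described above (written for this page, not Mattermost’s validation library or Go project code), the following Go program decodes a document with encoding/xml, re-encodes it, decodes it again, and reports whether the resolved element names, attributes and text survived unchanged; a false result is the signal for a Service Provider to reject the message before any signature check. The sample assertion is constructed, and namespace declarations are excluded from the comparison because the encoder is free to rewrite prefixes.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"io"
	"reflect"
)

// Constructed sample (not a real SAML message): a namespaced assertion with the
// element a Service Provider reads the identity from.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1"><saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject></saml:Assertion>`

// tokenize decodes doc into namespace-resolved tokens. CopyToken is required
// because CharData returned by Token() aliases the decoder's internal buffer.
func tokenize(doc []byte) ([]xml.Token, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var toks []xml.Token
	for {
		t, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(t))
	}
}

// normalize strips xmlns declarations from start tags: the encoder rewrites
// prefixes freely, so only resolved names, other attributes and text count.
func normalize(toks []xml.Token) []xml.Token {
	for i, t := range toks {
		se, ok := t.(xml.StartElement)
		if !ok {
			continue
		}
		kept := []xml.Attr{}
		for _, a := range se.Attr {
			if a.Name.Space != "xmlns" && !(a.Name.Space == "" && a.Name.Local == "xmlns") {
				kept = append(kept, a)
			}
		}
		se.Attr = kept
		toks[i] = se
	}
	return toks
}

// SameMeaning reports whether two documents decode to equivalent token streams,
// regardless of how prefixes are declared.
func SameMeaning(a, b []byte) (bool, error) {
	ta, err := tokenize(a)
	if err != nil {
		return false, err
	}
	tb, err := tokenize(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(normalize(ta), normalize(tb)), nil
}

// RoundTripStable is the guard: decode, re-encode through encoding/xml's Encoder,
// decode again, and refuse the document if its meaning drifted.
func RoundTripStable(doc []byte) (bool, error) {
	toks, err := tokenize(doc)
	if err != nil {
		return false, err
	}
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range toks {
		if err := enc.EncodeToken(t); err != nil {
			return false, err
		}
	}
	if err := enc.Flush(); err != nil {
		return false, err
	}
	return SameMeaning(doc, buf.Bytes())
}
```

SameMeaning is the same comparison applied to two inputs, so it also shows what the guard treats as equivalent: the same assertion written with a default namespace instead of a saml: prefix passes, while a changed NameID or a Subject moved into another namespace does not.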

Giffgaff migrating IT infrastructure and development to AWS


Keumars Afifi-Sabet

14 Dec, 2020

UK mobile network operator Giffgaff has outlined plans to shift its entire IT infrastructure and operations to Amazon Web Services (AWS), completing its migration from on-premise data centres by the end of the year.

Giffgaff will opt into more than 60 of AWS’ 175 cloud services, the company announced, including compute, analytics, storage, databases, containers and machine learning. In doing so, the firm will become the first European mobile virtual network operator (MVNO) to be powered by AWS in its entirety. 

The company will have shifted its IT infrastructure and application development operations to AWS by 2021, as it aims to become more capable of experimenting at pace, and speeding up a host of internal processes. The company claims to have already transformed its development lifecycle from a complex and monolithic approach to a modern, microservices-based architecture that’s enabled fast-paced development.


“We started out with a traditional, on-premises infrastructure, but the need for ongoing maintenance made this model overwhelming for our technical team. For example, it used to take us up to two weeks to provision a new server,” said chief operating and technical officer at Giffgaff, Steve MacDonald. 

“When we began to adopt AWS, we were able to turbocharge our development lifecycle by focusing on innovation rather than wasting time on maintenance. It’s such a powerful capability for a digital-native business like ours.”

While the announcement is still fresh, the firm has been partnering with AWS for some time already, using AWS analytics and machine learning services, for example, to understand members’ network experiences.

Aggregating and analysing data across all cases helped the company create an early warning system for network incidents. Provisioning a server, which could take Giffgaff up to two weeks before the move to AWS, can now be done within a matter of minutes.

Adopting a continuous delivery approach, and moving containerised workloads to the fully managed Amazon Elastic Kubernetes Service (Amazon EKS), meanwhile, has freed up 3,000 days of engineering and development time, according to Giffgaff.

This is equivalent to refocusing up to 15 people on innovation, and has allowed them to devote more resources to creating new apps for members.