All posts by Rene Millman

IBM brings its hybrid cloud to the edge

Rene Millman

1 Mar, 2021

IBM has announced it’ll make its hybrid cloud available on any cloud, on-premises, or at the edge via its IBM Cloud Satellite.

Big Blue said it’s worked with Lumen Technologies to integrate its Cloud Satellite service with the Lumen edge platform to enable customers to use hybrid cloud services in edge computing environments. The firm also said it will collaborate with 65 ecosystem partners, including Cisco, Dell Technologies, and Intel, to build hybrid cloud services.

It said that IBM Cloud Satellite is now generally available to customers and can bring a secured, unifying layer of cloud services to clients across environments, regardless of where their data resides. IBM added that this technology would address critical data privacy and data sovereignty requirements. 

IBM said customers using the Lumen platform and IBM Cloud Satellite would be able to deploy data-intensive applications, such as video analytics, across highly distributed environments and take advantage of infrastructure designed for single-digit millisecond latency.

The collaboration will enable customers to deploy applications across more than 180,000 connected enterprise locations on the Lumen network to provide a low latency experience. They can also create cloud-enabled solutions at the edge that leverage application management and orchestration via IBM Cloud Satellite, and build open, interoperable platforms that give customers greater deployment flexibility and more seamless access to cloud-native services like artificial intelligence (AI), internet of things (IoT), and edge computing.

One example given of how this would benefit customers is using cameras to detect the last time surfaces were cleaned or flag potential worker safety concerns. Using an application hosted on Red Hat OpenShift via IBM Cloud Satellite from the proximity of a Lumen edge location, such cameras and sensors can function in near real-time to help improve quality and safety, IBM claimed.

IBM added that customers across geographies can better address data sovereignty by deploying this processing power closer to where the data is created.

“With the Lumen Platform’s broad reach, we are giving our enterprise customers access to IBM Cloud Satellite to help them drive innovation more rapidly at the edge,” said Paul Savill, SVP enterprise product management and services at Lumen. 

“Our enterprise customers can now extend IBM Cloud services across Lumen’s robust global network, enabling them to deploy data-heavy edge applications that demand high security and ultra-low latency. By bringing secure and open hybrid cloud capabilities to the edge, our customers can propel their businesses forward and take advantage of the emerging applications of the 4th Industrial Revolution.”

IBM is also extending its Watson Anywhere strategy with the availability of IBM Cloud Pak for Data as a Service with IBM Cloud Satellite. IBM said this would give customers a “flexible, secure way to run their AI and analytics workloads as services across any environment – without having to manage it themselves.”

Service partners also plan to offer migration and deployment services to help customers manage solutions as-a-service anywhere. IBM Cloud Satellite customers can also access certified software offerings on Red Hat Marketplace, which they can deploy to run on Red Hat OpenShift via IBM Cloud Satellite.

Red Hat closes purchase of multi-cloud container security firm StackRox

Rene Millman

24 Feb, 2021

Red Hat has finalised its acquisition of container security company StackRox. 

StackRox’s Kubernetes-native security technology will enable Red Hat customers to build, deploy, and secure applications across multiple hybrid clouds.

In a blog post, Ashesh Badani, senior vice president of cloud platforms at Red Hat, said over the past several years, the company has “paid close attention to how our customers are securing their workloads, as well as the growing importance of GitOps to organisations.”

“Both of these have reinforced how critically important it is for security to “shift left” – integrated within every part of the development and deployment lifecycle and not treated as an afterthought,” Badani said.

Badani said the acquisition would allow Red Hat to add security into container build and CI/CD processes. 

“This helps to more efficiently identify and address issues earlier in the development cycle while providing more cohesive security up and down the entire IT stack and throughout the application lifecycle.”

He added the company’s software provides visibility and consistency across all Kubernetes clusters, helping reduce the time and effort needed to implement security while streamlining security analysis, investigation, and remediation.

“StackRox helps to simplify DevSecOps, and by integrating this technology into Red Hat OpenShift, we hope to enable users to enhance cloud-native application security across every IT footprint,” added Badani. Red Hat initially announced the acquisition in January. The terms of the deal were not disclosed.

In the previous announcement, Red Hat CEO Paul Cormier said securing Kubernetes workloads and infrastructure “cannot be done in a piecemeal manner; security must be an integrated part of every deployment, not an afterthought.”

Red Hat said it would open source StackRox’s technology post-acquisition and continue supporting the KubeLinter community and new communities as Red Hat works to open source StackRox’s offerings. 

KubeLinter is an open-source project StackRox started in October 2020 that analyses Kubernetes YAML files and Helm charts for correct configurations, focusing on enabling production readiness and security earlier in the development process.

StackRox will continue supporting multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).

Kamal Shah, CEO of StackRox, said the deal was “a tremendous validation of our innovative approach to container and Kubernetes security.”

Red Hat acquires Kubernetes security firm StackRox

Rene Millman

11 Jan, 2021

Red Hat has announced it’ll acquire container and Kubernetes-native security provider StackRox in a bid to boost the security of its OpenShift Kubernetes platform. 

StackRox offers native security solutions to Kubernetes containers by directly deploying components for enforcement and deep data collection into the Kubernetes cluster infrastructure. The StackRox policy engine includes hundreds of built-in controls to enforce security best practices; industry standards, such as CIS Benchmarks and NIST; configuration management of containers and Kubernetes; and runtime security. 

Red Hat said the purchase would help it focus on securing cloud-native workloads by expanding and refining Kubernetes’ native controls and shifting security left into the container build and CI/CD phase. This will help provide a cohesive solution for enhanced security up and down the entire IT stack and throughout the lifecycle.

“Securing Kubernetes workloads and infrastructure cannot be done in a piecemeal manner; security must be an integrated part of every deployment, not an afterthought,” said Red Hat CEO Paul Cormier. 

“Red Hat adds StackRox’s Kubernetes-native capabilities to OpenShift’s layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints.”

Red Hat said it plans to open source StackRox’s technology post-acquisition. It’ll also continue to support the KubeLinter community and new communities as Red Hat works to open source StackRox’s offerings.

In addition to Red Hat OpenShift, StackRox will continue supporting multiple Kubernetes platforms, including Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).

In a company blog post announcing the acquisition, StackRox CEO Kamal Shah said his company made a strategic decision to focus exclusively on Kubernetes and pivoted its entire product to be Kubernetes-native.

“Over two and a half years ago, we made a strategic decision to focus exclusively on Kubernetes and pivoted our entire product to be Kubernetes-native. While this seems obvious today; it wasn’t so then. Fast forward to 2020 and Kubernetes has emerged as the de facto operating system for cloud-native applications and hybrid cloud environments,” Shah said.

Malware found on popular Facebook, Instagram and Vimeo browser extensions

Rene Millman

17 Dec, 2020

Malware hidden in at least 28 third-party Google Chrome and Microsoft Edge extensions has been discovered by security researchers.

The malware has the functionality to redirect users’ traffic to ads or phishing sites and to steal people’s personal data, such as birth dates, email addresses, and active devices, according to a report released by cybersecurity firm Avast.

Researchers have said that up to three million users could be affected by the malware.

The malware in question masquerades as legitimate extensions that help download videos from Instagram, Facebook, Vimeo, and other social platforms. The researchers have identified malicious code in the JavaScript-based extensions that allows the plugins to download further malware onto a user’s PC.

The threat was first spotted last month, but researchers believe the extensions could have been active for years without anyone noticing.

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit.

“The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user),” the report said.

Researchers added that the objective behind this is to monetize the traffic itself. For every redirection to a third-party domain, the cyber criminals would receive a payment. Nonetheless, the extension also has the capability to redirect users to ads or phishing sites.

“Our hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, malware researcher at Avast.

At this moment, the infected extensions are still available for download. Avast has contacted the Microsoft and Google Chrome teams to report them. Both Microsoft and Google confirmed they are currently looking into the issue. Users are recommended to disable or uninstall the extensions for now until the problem is resolved.

Extensions mentioned in the report, many of which are still available to download, include: Direct Message for Instagram, DM for Instagram, Downloader for Instagram, App Phone for Instagram, Universal Video Downloader, Vimeo Video Downloader, Volume Controller, Spotify Music Downloader, and Video Downloader for YouTube.

Google-Qualcomm partnership makes four years of Android update a reality

Rene Millman

17 Dec, 2020

Android phones in the future will support up to four new OS versions thanks to a collaboration between Google and Qualcomm.

All new mobile platforms with Qualcomm silicon will get four OS version updates and four years of security updates, according to a blog post by Google engineers.

In 2017, Google changed Android to be more modular, enabling easier updates. This move, known as Project Treble, split the OS framework from the device-specific low-level software (called the vendor implementation).

While this was good for device manufacturers, it introduced “additional complexity” for chipmakers.

“For each SoC model, the SoC manufacturers now needed to create multiple combinations of vendor implementations to support OEMs who would use that chipset to launch new devices and deploy OS upgrades on previously launched devices,” said Google engineers.

They added that the result was that three years beyond the launch of a chipset, the SoC vendor would have to support up to six combinations of OS framework software and vendor implementations – something that resulted in enormous engineering costs.

The new solution now extends the “no-retroactivity principle” to the SoCs as well as to devices. “With this change, the SoC provider would be able to support Android with the same vendor implementations on their SoCs for device launches as well as upgrades.”

Over the last year, Google has worked with Qualcomm so that “all new Qualcomm mobile platforms that take advantage of the no-retroactivity principle for SoCs will support four Android OS versions and four years of security updates”.

This means that a device will ship with the initial Android OS and then will receive 3 additional software updates over the course of its life. Security updates will extend for an additional year, to cover the final software launch, bringing the total lifespan to four years.

Engineers added that all Qualcomm customers will be able to “take advantage of this stability to further lower both the costs of upgrades as well as launches and can now support their devices for longer periods of time”.

The move will see Google reusing the same OS framework across multiple Qualcomm chipsets. It added that this would “dramatically” lower the number of OS framework and vendor implementation combinations that Qualcomm has to support across their mobile platforms and results in lowered engineering, development, and deployment costs.

Google said that the change would be taking effect with all SoCs launching with Android 11 and later.

Golang XML parser vulnerability could enable SAML authentication bypass

Rene Millman

15 Dec, 2020

Security researchers have disclosed three critical vulnerabilities within the XML parser of the Go programming language that could allow hackers to completely bypass the SAML authentication that features in many popular web applications.

The flaws were discovered earlier in the year by cloud collaboration provider Mattermost. It has been working alongside Go’s internal security team since August on addressing these vulnerabilities, as well as with the organisations and individuals maintaining downstream projects.

All three revolve around the way Go processes XML documents over multiple rounds of parsing, allowing attackers to use specific XML markup language to trick systems. According to a blog post by Juho Nurminen, product security engineer at Mattermost, there are several potential security problems created by these flaws, with one of the most significant being the risk it introduces to the integrity of the web-based SAML single sign-on (SSO) standard.

The first flaw, CVE-2020-29509, is an XML attribute instability in Go’s encoding/xml. An affected SAML implementation can interpret a SAML Assertion as signed, but then proceed to read values from an unsigned part of the same document due to namespace mutations between signature verification and data access. This can lead to full authentication bypass and arbitrary privilege escalation within the scope of a SAML Service Provider.

The other two vulnerabilities – designated CVE-2020-29510 and CVE-2020-29511, respectively – can also be exploited to fully bypass authentication. The former is an XML directive instability while the latter is an XML element instability.

“As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go’s decoder and encoder implementations,” said Nurminen. “In other words, passing XML through Go’s decoder and encoder doesn’t preserve its semantics.”

“Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it’s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document.”

“The actual impact of these XML round-trip vulnerabilities of course varies by use case,” he said, “but in SAML SSO it’s easy to understand: if your SAML messages can be altered to say you’re someone you’re not, the result is arbitrary privilege escalation within the scope of the SAML Service Provider, or in some cases even complete authentication bypass.”

At present, it has not been possible to patch the vulnerabilities, despite significant efforts by the Go security team, although the Go team has reported that it hopes to introduce some changes in future versions of the language to address them.

There are, however, mitigations in place. Mattermost identified three major open-source SAML implementations that are vulnerable to these flaws, among them the Dex SAML Connector. The company has already collaborated with the maintainers of these projects, and patches are now available for all three. Mattermost says it has also privately contacted the maintainers of “significant applications and products” that rely on impacted SAML implementations, and any organisations within that group are advised to start patching as soon as possible.

In addition, it has also open-sourced an XML validation library that can be used as a workaround until a more permanent solution is established. Nurminen noted that refactoring code to avoid encoding round-trips may be an acceptable long-term solution, although he conceded that this would not be possible in all cases.  
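The round-trip check described above, as an added example written for this page rather than Mattermost’s own validation library: the document is decoded with encoding/xml, every token is re-encoded, the result is decoded again, and the document is rejected if the two token streams differ, so a SAML library never reads identity values from markup whose meaning shifted between signature verification and lookup. Names such as ValidateRoundTrip, walk and ErrUnstable are this example’s own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrUnstable is this example's own sentinel for a document whose meaning changes in a round-trip.
var ErrUnstable = errors.New("xml: document does not survive an encoding/xml round-trip")

// tokenKey renders a token canonically (resolved namespace, name, attributes, text) for exact comparison.
func tokenKey(t xml.Token) string {
	switch v := t.(type) {
	case xml.StartElement:
		var b strings.Builder
		fmt.Fprintf(&b, "start {%s}%s", v.Name.Space, v.Name.Local)
		for _, a := range v.Attr {
			fmt.Fprintf(&b, " {%s}%s=%q", a.Name.Space, a.Name.Local, a.Value)
		}
		return b.String()
	case xml.EndElement:
		return fmt.Sprintf("end {%s}%s", v.Name.Space, v.Name.Local)
	case xml.CharData:
		return "text " + string(v)
	}
	// Comments, directives and processing instructions: compare their raw bytes.
	return fmt.Sprintf("%T %v", t, t)
}

// walk decodes doc with the standard decoder, records one key per token and, when enc is
// non-nil, re-encodes every token into it (the round-trip a SAML library performs on an Assertion).
func walk(doc []byte, enc *xml.Encoder) ([]string, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var keys []string
	for {
		t, err := dec.Token()
		if err == io.EOF { return keys, nil }
		if err != nil { return nil, err } // not well-formed: reject outright
		keys = append(keys, tokenKey(t))
		if enc != nil {
			if err := enc.EncodeToken(xml.CopyToken(t)); err != nil {
				return nil, err
			}
		}
	}
}

// ValidateRoundTrip accepts doc only if decode -> encode -> decode reproduces the token stream
// of the first decode exactly; anything else is rejected before signature checks or lookups.
func ValidateRoundTrip(doc []byte) error {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	before, err := walk(doc, enc)
	if err != nil { return err }
	if err := enc.Flush(); err != nil { return err }
	after, err := walk(buf.Bytes(), nil)
	if err != nil {
		return fmt.Errorf("%w: re-decode failed: %v", ErrUnstable, err)
	}
	if len(before) != len(after) {
		return fmt.Errorf("%w: %d tokens before, %d after", ErrUnstable, len(before), len(after))
	}
	for i := range before {
		if before[i] != after[i] {
			return fmt.Errorf("%w: token %d changed from %q to %q", ErrUnstable, i, before[i], after[i])
		}
	}
	return nil
}

func main() {
	// Constructed sample document; a real Assertion carries namespaces and a Signature element.
	doc := []byte(`<Assertion ID="_example-id"><Subject>alice@example.com</Subject></Assertion>`)
	fmt.Println("round-trip check:", ValidateRoundTrip(doc))
}
```

This comparison is deliberately strict: the encoder may add namespace declarations of its own, so a production check on namespaced SAML documents needs to account for that rather than treating every difference as tampering.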

Google buys Actifio to bring backup and disaster recovery to Google Cloud

Rene Millman

3 Dec, 2020

Google has announced it will acquire disaster recovery firm Actifio in a bid to boost its Google Cloud business. Terms of the deal were undisclosed.

Actifio provides customers with the opportunity to protect virtual copies of data in their native format, manage these copies throughout their entire lifecycle, and use these copies for scenarios such as development and test.

The company’s technology can deal with data stored in several different environments such as SAP HANA, Oracle, Microsoft SQL Server, PostgreSQL, and MySQL, virtual machines (VMs) in VMware, Hyper-V, physical servers, and Google Compute Engine.

Google said the acquisition would “help us to better serve enterprises as they deploy and manage business-critical workloads, including in hybrid scenarios.”

The company added that it was committed to “supporting our backup and disaster recovery technology and channel partner ecosystem, providing customers with a variety of options so they can choose the solution that best fits their needs.”

“We know that customers have many options when it comes to cloud solutions, including backup and DR, and the acquisition of Actifio will help us to better serve enterprises as they deploy and manage business-critical workloads, including in hybrid scenarios,” said Brad Calder, VP of engineering at Google in the blog post.

Ash Ashutosh, CEO at Actifio said that backup and recovery are essential to enterprise cloud adoption and, “together with Google Cloud, we are well-positioned to serve the needs of data-driven customers across industries.”

“The market for backup and DR services is large and growing, as enterprise customers focus more attention on protecting the value of their data as they accelerate their digital transformations,” said Matt Eastwood, Senior Vice President of Infrastructure Research at IDC.

“We think it is a positive move for Google Cloud to increase their focus in this area.”

Microsoft Teams no longer works on Internet Explorer

Rene Millman

30 Nov, 2020

Millions of Internet Explorer users will be locked out of Microsoft Teams unless they upgrade to Microsoft’s Edge browser instead.

Starting today, the web conferencing service will no longer be available on the legacy browser. The move was announced earlier in the year as part of a push by Microsoft to get people to upgrade to its Chromium-based Edge browser before IE reaches end of life in 2021.

Microsoft warns that if users try and access Teams on the unsupported browser, it will display a message explaining the issue and the session limitations. The message also encourages the user to download and use the Teams desktop client or to upgrade to Microsoft Edge, which has been designed to offer “faster and more responsive web access to greater sets of features in everyday toolsets like Outlook, Teams, SharePoint, and more”.

In addition to losing Teams, Internet Explorer is also set to lose access to Microsoft 365. Support for the service on IE11 draws to a close on 17 August 2021, while the legacy version of Microsoft Edge will also reach end of support on 9 March next year.

These changes were announced in a blog post earlier this year. “We’re announcing that Microsoft 365 apps and services will no longer support Internet Explorer 11 (IE 11) by this time next year,” the company said. “Beginning November 30 2020, the Microsoft Teams web app will no longer support IE 11. Beginning August 17 2021, the remaining Microsoft 365 apps and services will no longer support IE 11.”

“This means that after the above dates, customers will have a degraded experience or will be unable to connect to Microsoft 365 apps and services on IE 11. For degraded experiences, new Microsoft 365 features will not be available or certain features may cease to work when accessing the app or service via IE 11.

“While we know this change will be difficult for some customers, we believe that customers will get the most out of Microsoft 365 when using the new Microsoft Edge. We are committed to helping make this transition as smooth as possible,” the company added.

The move comes as Microsoft attempts to standardise its online offering around Chromium-based browsers such as Edge and Google Chrome.

Windows 10 might soon be able to run Android apps

Rene Millman

30 Nov, 2020

Windows 10 might soon be able to run Android apps thanks to a new piece of software that Microsoft is reportedly developing.

Called Project Latte, the software could enable Android apps to run on Microsoft’s operating system with little or no code changes. These apps could be packaged as an MSIX package, a Windows app format that is used to install applications on the OS. 

According to Windows Central, Project Latte is similar to WSL 2 (Windows Subsystem for Linux), which brought Linux applications to the Windows 10 operating system. It claims the tech could appear as soon as late 2021, and that Android apps could be offered through the Microsoft Store for quick deployment.

The project would go beyond previous efforts by Microsoft to bring Android apps to the platform. It already has Your Phone, which streams apps from Samsung phones to Windows 10. However, that requires a phone to be tethered to a Windows PC; Project Latte would not need a tethered phone at all.

The report noted that such apps would not be able to use Google Play Services support as Google restricts this to native Android and Chrome OS devices. This means that Android apps would have to be changed to remove these bits of code before being able to run on Windows 10.

This is not the first time that Microsoft has attempted to bring Android apps to Windows. In 2016, the company pulled the plug on Project Astoria, a tool to allow app developers to port their existing iOS or Android app with minimal or even no code changes.

Red Hat pushes hybrid cloud to the edge

Rene Millman

18 Nov, 2020

Red Hat has unveiled new edge capabilities for Red Hat Enterprise Linux. The firm has also expanded the number of supported environments for Red Hat OpenShift, including leading public clouds and multiple data centre architectures, like IBM Z and Power Systems.

At this year’s KubeCon + CloudNativeCon, Red Hat launched several edge-focused updates to Red Hat Enterprise Linux, including the rapid creation of operating system images for the edge through the Image Builder capability. 

The firm said this would enable IT organisations to create purpose-built images optimized for architectural challenges inherent to edge computing but customized for the needs of a given deployment.

Red Hat also unveiled remote device update mirroring to stage and apply updates at the next device reboot or power cycle, helping limit downtime and manual intervention from IT response teams.

The edge update sports over-the-air updates that transfer less data while still pushing necessary code. Red Hat aims this update at sites with limited or intermittent connectivity. 

Another feature announced is Intelligent rollback built on OSTree capabilities, enabling users to provide workload-specific health checks to detect conflicts or code issues. When it detects a problem, it automatically reverts the image to the last good update to prevent unnecessary downtime at the edge.

Red Hat also announced updates to Red Hat OpenShift 4.6 intended to help enterprises accelerate cloud-native application development. The latest update to OpenShift Serverless with Red Hat OpenShift Serverless 1.11 brings full support for Knative eventing, enabling containerized applications to consume only the resources they need at a given time, which prevents over- or under-consumption.

There is also a Red Hat build of Quarkus, a Kubernetes-native Java stack fully supported by Red Hat. With a single Red Hat OpenShift subscription, customers now have full access to Quarkus, enabling developers to repurpose mission-critical Java applications on Kubernetes, backed by Red Hat’s enterprise support.

Red Hat OpenShift 4.6 now includes new edge computing features with remote worker nodes, extending processing power to space-constrained environments. This enables IT organizations to scale remotely while maintaining centralized operations and management.

OpenShift 4.6 will also extend capabilities for public-sector Kubernetes deployments, including availability on AWS GovCloud and Azure Government Cloud, extended OpenSCAP support and more. 

Further extending OpenShift’s reach into the public cloud domain is Azure Red Hat OpenShift, a jointly-managed, engineered and supported offering on Microsoft Azure backed by Microsoft and Red Hat’s expertise. A similar service is expected to launch on AWS with joint management and support from Red Hat and Amazon.