TechByter Worldwide

Speak softly and carry a large microphone

 

30 Sep 2018

Security and Open Source Software

You've probably heard that open source software is secure, and it is. You've probably also heard that open source software is not secure, and that's true, too. You would be forgiven for wondering how two polar opposites can both be true, but they can. What matters is not the licensing model: some open source applications have been breached, and so have some proprietary ones. Hold that thought.

Software security was a topic of some importance at the recent Open Source Summit in Vancouver. One of the more interesting discussions featured Intel Chief Software Security Officer, Window Snyder, and Linux Foundation Executive Director Jim Zemlin.


The Linux Foundation's Open Source Summit at the Vancouver Convention Center (August 29-31)

So how can open source software be secure and not secure at the same time? That's easy. Implementation determines safety, just as it does with fire, an automobile, or electricity: all can be helpful or hazardous. It also depends on what kinds of threats are involved, and that's a topic that Zemlin explored with Intel's Window Snyder, who explained that the threat landscape has changed.

Next, Zemlin asked Snyder what she thinks has improved software security and the answer wasn't what he had expected.

There is a story, perhaps an urban legend, that at one time Bill Gates ordered all software development at Microsoft to halt until everyone had received additional training in security. Those who employ developers have a certain amount of leverage, but Zemlin wondered how open-source developers can be encouraged to be more in tune with security needs.

The next event, Open Source Summit 2019, will be held in San Diego from August 21 through August 23, 2019. Similar events that are sponsored by the Linux Foundation are held in Europe and Japan.

The foundation supports the creation of sustainable open source ecosystems by providing financial and intellectual resources, infrastructure, services, events, and training as investments in the creation of shared technology. More than 1 million people have enrolled in the organization's free open source training courses and about 25 thousand people attend the Linux Foundation's annual events.

The organization recently released a free electronic book (45 pages) to help organizations assess the use of open source software. Enterprise Open Source: A Practical Introduction is available for download without charge. Topics covered include why to use open source applications, information about various open source business models, how to develop an open source strategy, important open source work-flow practices, open source tools, and how to integrate open source code.

Short Circuits

Maybe Some Relief from Fraudulent Robocalls

The Federal Communications Commission wants to levy a $37.5 million fine against an Arizona company that the commission says used spoofed caller ID numbers to make more than 2 million telemarketing calls.

Callers must either block caller ID or present the number from which the call originated. The FCC says that Affordable Enterprises presented phony numbers instead. Some of these were numbers not currently in use and others belonged to real people or companies. In some cases, irate recipients of the calls phoned the displayed number to complain, reaching someone who had nothing to do with the calls.

So this is a good first step, but don't expect much to change. Affordable Enterprises is unusual in that it is located in the United States. Most of the fraudulent calls come from overseas.

Ganging Up on the Password

Passwords are supposed to protect your data, but too many problems exist for them to succeed. People create weak passwords, reuse passwords, and accidentally give passwords to crooks. Three organizations are starting what might be the final assault on passwords.

Microsoft is one of those organizations. The company already offers facial recognition and fingerprint validation, and those are used by nearly 50 million people. Microsoft also has an Authenticator app that can authenticate a user on various Microsoft and third-party accounts. The iOS and Android apps eliminate passwords by combining possession of the phone with a fingerprint, facial recognition, or a PIN for multi-factor sign-in.

Microsoft is extending these technologies to work with Azure, a cloud computing service used for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides software, platform, and infrastructure as a service and supports both Microsoft and third-party software and systems.

This could go a long way toward eliminating passwords in organizations.

Another option involves the use of physical USB tokens that authenticate a user when they're connected to a device. Google started selling such a device this week. The fob acts as the second factor of a 2-factor authentication system. Accessing important information would still require a user name and password, both of which can be easily compromised, but an account protected by a USB device wouldn't be accessible even if a crook obtains the user name and password. Because the key's response is tied to the web site's origin, a look-alike phishing site cannot collect a usable response either.

Google's Titan Security Keys work with most browsers and services such as Gmail, Facebook, Twitter, Dropbox, and others. To work with the Titan security key, a site must support FIDO (Fast IDentity Online), the open authentication standards published by the FIDO Alliance, an industry consortium. The keys are now available in the Google Store.

At $50, Google's solution is more expensive than some competing options, but it includes two devices: one is a standard USB device and the other is a Bluetooth unit. Google explains that one is for your primary use and the other is for safe keeping as a backup. The USB Security Key is used with a computer and can also connect to most Android devices that support USB or NFC. The Bluetooth Security Key works with iOS and Android devices. The Titan Security Key bundle works with all Google phones, Chromebooks, tablets, and anything running Google Chrome.

Yubico is also selling the YubiKey 5, which adds near-field communication (NFC) and FIDO2 support. Users need to choose among 4 models that range in price from $45 to $60. Each key in the YubiKey 5 series supports FIDO2/WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.

To help users determine which of the 4 devices is the right one for them, the Yubico website asks 5 questions about the equipment you want to protect and the services you want to use the key with. You'll need to identify the type of USB port on the computer, decide whether you want to use the key as an NFC device, whether you want to protect any password managers with the key, whether you want to leave the key in your computer or carry it with you, and whether you want the key to unlock your Windows or MacOS computer.

So overall it looks like the password's days are numbered. And it's about time.

Network Problems? PowerShell Might Have the Answer

When a network problem crops up, you may use command-line tools such as ping and tracert to research the issue, but PowerShell has more powerful tools. Let's consider a few of them.

  • Instead of ping, try Test-NetConnection -ComputerName "www.techbyter.com" (replacing the TechByter address with the one you want to check). The result tells you whether the ping succeeded, which interface and source address were used, and the round-trip time.
  • Instead of tracert (traceroute), try Test-NetConnection -ComputerName "www.techbyter.com" -TraceRoute, again replacing the TechByter address with the one you want to check.
  • Maybe you've used ipconfig to obtain some network information. Instead of that, try Get-NetIPConfiguration, which returns more useful information (add -Detailed for the full picture).
  • Sometimes a connectivity issue can be remedied by flushing the DNS cache. Use Clear-DnsClientCache. Unlike the other commands, this one produces no output when it succeeds.
  • A command for advanced users who want to see which connections are established and on which ports is Get-NetTCPConnection. This will return a long list (probably hundreds of lines) with local and remote addresses, local and remote ports, connection state, and the owning process ID; add -State Established to trim it to live sessions.
  • Another useful command for researching a website is Resolve-DnsName -Name "mail.techbyter.com". This returns the IPv4 address of the server you specify and the type of DNS record that answered. In some cases you'll also see additional records, such as the zone's start-of-authority (SOA) data with the primary name server and the administrator's contact mailbox.
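The cmdlets above are more useful chained together than typed one at a time. The script below is an added example, not code from the original article or from Microsoft: it resolves the name first (so a DNS failure isn't mistaken for a network failure), then checks ICMP and specific TCP ports, optionally traces the route, and finally lists established connections to non-private addresses together with the owning process, which is the quickest way to spot an outbound session that shouldn't be there. The host name and ports are placeholders; the function names are my own.

```powershell
# Added example (not from the original article). Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows; the NetTCPIP and DnsClient modules are Windows-only.
# Host names and ports below are placeholders: replace them with your target.

function Test-HostReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int[]] $Port = @(80, 443),
        [switch] $TraceRoute
    )

    # Resolve first. If this fails, ping and TCP tests fail too, but for a different reason.
    $records = Resolve-DnsName -Name $ComputerName -Type A -ErrorAction SilentlyContinue
    $aRecord = $records | Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    if (-not $aRecord) {
        Write-Warning "No A record for $ComputerName. Try Clear-DnsClientCache, or Resolve-DnsName -Server with another resolver."
        return
    }

    # ICMP may be filtered by a firewall, so treat a failed ping as a hint, not a verdict.
    $icmp = Test-NetConnection -ComputerName $ComputerName -InformationLevel Detailed -WarningAction SilentlyContinue

    # Per-port TCP checks tell you whether the service, not just the host, answers.
    $tcp = foreach ($p in $Port) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded; SourceAddress = $r.SourceAddress.IPAddress }
    }

    $hops = $null
    if ($TraceRoute) {
        $hops = (Test-NetConnection -ComputerName $ComputerName -TraceRoute -WarningAction SilentlyContinue).TraceRoute
    }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        ResolvedAddress = $aRecord.IPAddress
        PingSucceeded   = $icmp.PingSucceeded
        RoundTripMs     = $icmp.PingReplyDetails.RoundtripTime
        Ports           = $tcp
        TraceRoute      = $hops
    }
}

function Get-ExternalTcpConnection {
    # Established TCP sessions to addresses outside loopback, link-local and RFC 1918
    # ranges, joined to the owning process so an unexpected outbound session stands out.
    $privateRanges = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $privateRanges } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process       = $proc.ProcessName
                PID           = $_.OwningProcess
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        } |
        Sort-Object RemoteAddress, RemotePort
}

# Usage (placeholder host):
Test-HostReachability -ComputerName 'www.techbyter.com' -Port 80, 443 -TraceRoute | Format-List
Get-ExternalTcpConnection | Format-Table -AutoSize
```

Two design points worth noting. The reachability function checks DNS before anything else because Test-NetConnection reports a resolution failure and a dropped packet the same way to a casual reader; separating the two saves a round of guessing. The connection listing deliberately filters out private and loopback addresses rather than showing everything: on a typical workstation the hundreds of lines the article mentions are mostly local chatter, and the handful of sessions to public addresses, each tagged with the process that owns it, is what you actually want to read when something looks wrong.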

That's certainly not an exhaustive list of PowerShell commands that can be used for network troubleshooting, and PowerShell is a far more complex and robust environment than the traditional command line. Fortunately, Microsoft has free resources for learning how to use PowerShell. A good place to start is the Microsoft Virtual Academy.

It's a Special Day

International Podcast Day