Cloud Native and Industry News — Week of April 6, 2022

Nick Chase & Eric Gregory - April 7, 2022 - , , ,

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.

This week, Nick was out so our producer, Nica, filled in.

Eric and Nica discussed:

You can watch the full replay here.

To join Nick and Eric next Wednesday, April 13, at 1:00pm EST/10:00am PST, go here.

Docker, Inc.’s latest funding round

One of the biggest stories in the cloud world this week was Docker, Inc.’s announcement that they’ve raked in $105 million in a round of Series C fundraising led by new investor Bain Capital.

Now, before we go any further, I should note that we at Mirantis aren’t totally disinterested observers here — Mirantis’ 2019 acquisition of Docker’s enterprise offerings set the stage for both our growth in the container and orchestration space and Docker’s reorganization into a more strictly developer-focused business.

Earlier this year, TechCrunch observed, “essentially both Docker and Mirantis came in at $50 million ARR [annual recurring revenue] in terms of what Docker was able to create on its own after selling the enterprise product, and what Mirantis turned those Docker enterprise assets into. It’s a rare deal that matches up so well for both parties two years after it happened.”

So what have those two years looked like for Docker, Inc.? Well, they’ve focused on their developer-facing technologies, with the most prominent example being Docker Desktop, which nailed down paid tiers—though not without controversy—in 2021. Looking forward, Docker CEO Scott Johnston hinted that the company would be focusing on support for a shift-left approach to security as well as ways to test serverless functions before deployment.

On the business side, some observers remarked that Docker, Inc. seemed to be on a trajectory for a long-sought IPO, while others noted the involvement of Atlassian Ventures in Docker’s recent funding round, wondering whether that might portend an acquisition.


Google Cloud’s move to the “edge”

Docker’s big funding round isn’t the only news in the cloud world. Google announced that its Google Distributed Cloud Edge product has reached general availability. The new offering is, as you might imagine, Google’s play for the edge space, a managed hardware and software solution that is pretty much the Pepsi to the Coca-Cola of AWS Outposts, providing very similar 5G Core functionality as well as some significant competitive pressure in the public edge space.

Source: Google’s on-prem edge gear to challenge AWS Outposts | The Register

Azure’s new Arm offering

Meanwhile, over in Redmond, Microsoft is previewing a new Arm server offering for Azure, with VMs powered by Ampere’s Arm-based Altra server chips. According to Microsoft, these chips provide a 50% price-performance improvement over x86 chips. That means competition for Intel, in the hardware world, as well as an alternative to AWS’ Graviton.

Source: Microsoft Azure vaults into the Arm server era with chips from Ampere | Protocol

The Spring4Shell vulnerability

Moving over to security, there have been some exciting new…offerings in zero-day vulnerabilities in the last few weeks, with the hot new release being dubbed Spring4Shell. This new CVE—2022-22963—affects the Java framework Spring, and can enable attackers to run arbitrary code on a vulnerable system.

Like Log4Shell, another web shell based attack through a common Java tool, the key issue here is how widely Spring is used as a component of applications that users may or may not know is built on Spring. VMWare, for example, reported that three of its Tanzu products were affected by the vulnerability: VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI), and they certainly aren’t alone in that.

Security firm AquaSec reports, “Applications are likely to be vulnerable if they have functions that allow users to pass POJO (Plain Old Java Objects) as parameters. The currently circulating exploit takes advantage of vulnerable configurations to drop a web shell onto the affected host. Once this web shell is in place, attackers can execute arbitrary code on the affected server with the rights of the user running the Tomcat server.”

Now, the good news is that the vulnerability has been patched. The even better news is that security experts are pretty unanimous in reassuring us that this is not the next Log4j, despite some surface-level similarities and hype to the contrary. Indeed, some experts discourage using the name Spring4Shell, though at this point, that particular ship has probably sailed.

So what makes this vulnerability different? Even pre-patch, it needed a more particular set of circumstances to align in order to be actionable: an app developed on Spring needs to be running on Apache Tomcat and deployed as a WAR file. That will affect plenty of people, and they’ll want to get patching as soon as possible if they haven’t already, but it narrows the scope pretty dramatically from the massive swath of apps touched by Log4Shell.

If you think your app might be affected, researchers at the security firm Randori created a simple, non-malicious shell script that you can run to test for vulnerability:

Screenshot of Twitter post sharing how to test for vulnerability of Spring4Shell


The Browser-in-the-Browser phishing technique

Of course, as we discuss almost every week, security threats are as likely to be a function of social engineering as technical trickery. At TechRepublic, TrendMicro’s Cedric Pernet warns of an emerging phishing model called Browser-in-the-Browser, which exploits users’ familiarity with Single Sign On authentication. In this type of attack, the phisher sends their victim a link to a corrupted or fraudulent page where the user might be expected to authenticate. The page issues an entirely legitimate seeming pop up asking for Single Sign On, and boom, now the attacker has the credentials for their Google or Microsoft or GitHub account.

As with most phishing attacks, one of the most important steps to protect yourself is to maintain vigilance about the links that you follow, especially from emails, texts, and direct messages, and especially when they are from strangers or seem sketchy. Also consider turning on multi-factor authentication, especially with accounts that you use for Single Sign On. And to really harden your security, you really can’t do better than hardware two-factor authentication keys.

Source: “Browser in the Browser” attacks: A devastating new phishing technique arises | TechRepublic

The UK Treasury’s new NFT

All right, moving from deceptive exploitation of credulous victims to web3…this week brought the announcement that the UK’s Royal Mint will produce an NFT to appear this summer. A tweet from the Treasury provides its own analysis of the news, saying that the decision “shows the forward-looking approach we are determined to take toward cryptoassets in the UK.”

Tweet of the UK Treasury's announcement about the creation of their NFT

In a follow-up tweet, Her Majesty’s Treasury added, “How do you do, fellow…apes…yacht…diamond hands? To the moon? Are we doing it?”

Source: Her Majesty’s Treasury is working on a new kind of mint: NFTs | The Verge

Crypto losses

Of course, we kid—you can understand why the UK Treasury would want to get in on the crypto market. It’s an exciting place. For example, in the first quarter of this year, the overall crypto ecosystem “lost” about $1.23 billion of value to hacks and exploits, such as the massive hacks of web3 players Wormhole, Qubit Finance, and the “play-to-earn” game Axie Infinity. That makes a year-over-year spike of 695% in value lost to exploits, according to Adrian Hetman, an analyst from web3 security firm ImmuneFi, interviewed in TechCrunch.

Hetman attributes these losses to the relative youth of the industry, saying that “users are still not well educated on how to safely interact with different projects” and developers are “copying and pasting code from other projects.”

Now, we should note that the UK Treasury’s announcement included more than hype about their big NFT drop; they also talked about introducing regulations for stablecoins and assessing the legal status of DAOs. In a lot of ways, those are probably the more notable developments, part of a global trend of states and web3 technologies finding a sort of rapprochement. In the heady early days of crypto, boosters said the technology was going to take down treasuries and central banks, but for a lot of web3 folks the story has sort of shifted to position it as a revolution against big tech.

Source: Q1 crypto losses spike 695% on year following massive hacks | TechCrunch

New developments in medical imaging AI

I have to confess, when I’m feeling cynical about all of the money and energy that gets poured into speculative projects, one of my first thoughts is, “I wish some of that effort was going into advancing medical technology.” This week, we do have a story of a fascinating medical advance, though it’s not without some complications.

The Verge reports that last week, the European Union approved a fully autonomous medical imaging AI that reads and evaluates chest X-rays without the intervention of a human radiologist. The company that created the tool, Oxipit, says that this is the first such fully autonomous AI in the radiology field. The tool essentially checks for healthy chest X-rays, which represent the vast majority of the images that get processed, and then refers any irregularities on for human analysis. In theory, this dramatically cuts down on the workload of radiologists, but…you can probably see where this is going.

Radiology professionals are uneasy about a machine that assumes a large percentage of their workload, and professional organizations like the American College of Radiology have spoken out against the technology, questioning its accuracy outside of artificial lab conditions. For its part, Oxipit claims that in a pilot program across multiple sites, the AI made no “clinically relevant” errors. With CE and FDA clearance, Oxpit expects its technology to be in general use by next year.

Source: First autonomous X-ray-analyzing AI is cleared in the EU | The Verge

Elon Musk’s purchase of a big slice of Twitter

Well, I’ve avoided it for as long as possible, and can delay no longer. As inevitable as death and the slow entropic drift of celestial bodies, our final story for today is Elon Musk’s purchase of 9.2% of Twitter. Tesla founder and committed poster Elon Musk spent a lot of money to buy a lot of the platform where he likes to post, and in short order was appointed to the board of said company.

Naturally, as with anything Musk-related, there were a lot of takes to be had. Some of those who feel Twitter is an unduly censorious platform welcomed the Tesla CEO’s influence, given his history of expressing similar opinions. Others noted that Tesla has a history of firing employees for speech and a single monied person being able to buy power over a communication platform is maybe not the best example of free speech on the march.

But: the twists don’t end there. In short order, Musk posted a Twitter poll asking whether users would like, dramatic flourish please, an edit feature.

Elon Musk's Twitter poll about adding an edit button to Twitter

This naturally shocked, scandalized, thrilled, and confused the Twittersphere. Ultimately, the people voted heavily for “yse,” and the to-do was followed by intimations from Twitter folks that an edit feature has indeed been in development for some time.

Well, I’m happy to report that our team of scryers, prophets, and prognostication AIs have given us advanced and exclusive access to the next polls Elon Musk will be posting to Twitter.

Mock Elon Musk Twitter poll: "Vine is back but it's NFTs" Yes or no? Mock Elon Musk Twitter poll: Which feature would you pay more for? swap like and reply count on your tweet or steal another user's blue checkmark, like the crown of a weak and unworthy king Mock Elon Musk Twitter poll: Which sounds cooler? elon mountain or olympus musk

Source: Elon Musk buys 9.2% of Twitter, sends share price to the Moon | The Register

That’s all for this week! To join Nick and Eric next Wednesday, April 13, at 1:00pm EST/10:00am PST, go here.

From Virtualization to Containerization
Learn how to move from monolithic to microservices in this free eBook
Download Now
Radio Cloud Native – Week of May 11th, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news. This week they discussed: Docker Extensions Artificial Intelligence shows signs that it's reaching the common person Google Cloud TPU VMs reach general availability Google buys MobileX, folds into Google Cloud NIST changes Palantir is back, and it's got a Blanket Purchase Agreement at the Department of Health and Human …

Radio Cloud Native – Week of May 11th, 2022
Where do Ubuntu 20.04, OpenSearch, Tungsten Fabric, and more all come together? In the latest Mirantis Container Cloud releases!

In the last several weeks we have released two updates to Mirantis Container Cloud - versions 2.16 and 2.17, which bring a number of important changes and enhancements. These are focused on both keeping key components up to date to provide the latest functionality and security fixes, and also delivering new functionalities for our customers to take advantage of in …

Where do Ubuntu 20.04, OpenSearch, Tungsten Fabric, and more all come together? In the latest Mirantis Container Cloud releases!
Monitoring Kubernetes costs using Kubecost and Mirantis Kubernetes Engine [Transcript]

Cloud environments & Kubernetes are becoming more and more expensive to operate and manage. In this demo-rich workshop, Mirantis and Kubecost demonstrate how to deploy Kubecost as a Helm chart on top of Mirantis Kubernetes Engine. Lens users will be able to visualize their Kubernetes spend directly in the Lens desktop application, allowing users to view spend and costs efficiently …

Monitoring Kubernetes costs using Kubecost and Mirantis Kubernetes Engine [Transcript]
Service Mesh for Mere Mortals
A Guide to Istio and How to Use Service Mesh Platforms
Technical training
Learn Kubernetes & OpenStack from Deployment Experts
Prep for certification!
View schedule
The Definitive Guide to Container Platforms