Radio Cloud Native – Week of March 23, 2022
Every Thursday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.
This week they discussed:
- CRI-O vulnerability
- Updates to NSA’s Kubernetes hardening guidance
- HackerOne responsible security drive
- Biden warns of possible cyberattacks against U.S. private sector
- Legislation in Washington
- The conversation on microservices
- Red Hat and domain names
- Open source and the enterprise
- Harness and Weaveworks
- Data centers
- Open Source & Politics Debate
- FreedomFi closes funding round for democratized 5G
- Cryptocurrency news
You can watch the full replay here.
To join Nick and Eric next Wednesday, March 30, at 1:00pm EST/10:00am PST, register here.
Eric Gregory:If you’re a Kubernetes or OpenShift user, depending on CRI-O for your container runtime, you’ll want to make sure you’re up to speed on a new arbitrary code execution vulnerability designated CVE-2022-0811. This impacts any version of CRI-O 1.19 or above, and it enables attackers to compromise a host with a relatively low bar of difficulty.
CRI-O has already been patched. If you know you’re using CRI-O but you’re not sure whether you’re affected, you can run the command:
run crio --version
If your version is 1.19 or later, make sure to download the latest patch, which you can find here.
Updates to NSA’s Kubernetes hardening guidance
The NSA and CISA have released an updated version of their Kubernetes hardening document, the first update since last August. As guidance goes, these have proven to be pretty influential documents, reflecting a really close and thorough reading of the Kubernetes security landscape, and providing a useful resource to organizations that aren’t quite sure where to start.
The update brings questions about user authentication into the scope of the document, really adding an essential new chapter and advising readers on how to approach issues like role-based access control.
It also treats issues like continuous container image scanning, authentication with the control plane, and encryption for etcd. You can read the full document here.
- NSA spies ample opportunities to harden Kubernetes | The Register
- Kubernetes Hardening Guide | NSA and CISA
- NSA & CISA Kubernetes Hardening Guide – what is new with version 1.1 | ARMO
HackerOne responsible security drive
Speaking of guidance for improved security, Computer Weekly reports that "Technology brands including GitLab, Starling Bank, TikTok and Wix have signed on to support a new corporate security responsibility pledge drive initiated by penetration testing and bug bounty specialist HackerOne." HackerOne's goal is to essentially eliminate the "security through obscurity" posture that is so prevalent in most firms, replacing it with an environment where companies share information to provide the best security possible.
Biden warns of possible cyberattacks against U.S. private sector
And speaking of the need for hardened security, on Monday, President Biden warned that “evolving intelligence” suggested possible cyberattacks by Russian state actors against the U.S. private sector, in retaliation against economic sanctions and withdrawals.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said that U.S. intelligence had observed “preparatory activity” such as external vulnerability scans of companies’ websites. The administration has reportedly given classified briefings to organizations it expects to be affected, but issued a general appeal to prioritize security hardening.
Legislation in Washington
Nick Chase: Biden also signed a law requiring Critical National Infrastructure organizations to report ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.
And in other legislative news, bills are now before the United States Congress to forbid mergers over $5 billion, and also to potentially enable the Federal Trade Commision to unwind mergers that have already happened. Some mergers that would have been prohibited by this law are the Amazon/MGM merger for $8.4b, Microsoft's/Activision for $68.7bn, Google/Mandiant at $5.4bn, and Salesforce and Slack at $27.7bn. Of course these bills have a long way to go.
The conversation on microservices
So, this isn’t news in the sense of breaking events, but a bit more of an editorial discussion. Michael DeHaan, who some folks might know as the original developer of Ansible, wrote a Substack post a few days ago questioning the wisdom of decomposing applications into microservices. The piece is titled “Microservices: Why Are We Doing This,” and that subtitle serves as a mission statement as well as sort of a plaintive cry–it’s trying to explain why organizations are taking the microservices approach and articulate an argument against the trend. It prompted some lively discussion in places like Hacker News, and I thought it might be interesting for us to think about here.
So DeHaan’s argument, in short, is that breaking down apps into microservices is often an attempt to solve a social problem rather than a technical problem. Specifically, modularized codebases allow teams to act with relative independence—do things their own way, avoid code reviews, experiment with new languages, and so on. Devs generally like that. But in DeHaan’s view, while the ability to improvise as needed can be helpful, too many teams doing their own thing can lead to a messy bloat of approaches, standards, languages, etc., and he suggests that this is what happens too frequently with shifts to microservices.
A big part of DeHaan’s argument here is that centralized authority in a large codebase—a project architect or technical lead—can be a good and important part of the process, lending a project coherence and making it easier to understand and maintain in an ongoing way. The same goes for code reviews.
DeHaan also argues that many of the technical aims of microservices architecture aren’t as straightforward as sometimes presented. On the goal of speed, he notes that function calls are faster than web requests, and on the question of resiliency, he argues that adding more moving parts to a system tends to make it less resilient. His conclusion is that an older model of tiered architecture more successfully achieves the technical aims of a microservices architecture while requiring more communication and oversight, which for him is the real crux of the issue.
Red Hat and domain names
Nick Chase: Red Hat's attempt to get control of the domain WeMakeFedora.org away from Daniel Pocock and the Software Freedom Institute SA has been deemed harassment by a mediator appointed under ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP). Red Hat had not only demanded that the Institute stop using the domain, but that it be handed over to Red Hat itself, on the theory that it included the Fedora trademark. Because Pocock isn't using the site for commercial purposes that claim was thrown out, which could set an interesting precedent, since there are actually a lot of trademarks in the open source community that people don't think about.
Open source and the enterprise
And in other open source conflict news, the US Court of Appeals for the Ninth Circuit affirmed a lower court decision that companies cannot call software open source if it's not licensed that way. The decision stems from a conflict over Neo4J Enterprise Edition, which is licensed in such a way that the owners can forbid certain commercial uses. So technically companies that were providing those commercial uses weren't licensed, and thus could not provide an open source license, and thus could not, according to the court, say the software was open source. Here's where I remind everyone that I Am Not a Lawyer, nor do I play one on TV.
Harness and Weaveworks
Software delivery platform Harness has acquired ChaosNative, makers of the open source LitmusChaos project recently accepted into the Cloud Native Computing Foundation. With the addition Harness can now add chaos engineering to its application deployment offerings.
This is part of a trend of beefing up DevOps-focused products. This week, Weaveworks announced that it was releasing GitOps, a tool for doing...well, GitOps, which helps automate application delivery.
- Harness acquires ChaosNative to bring ‘chaos engineering’ to DevOps workflows |
- Weaveworks Brings Policy-as-Code to GitOps for K8s | Container Journal
And speaking of complaints, French data center provider OVHCloud and two other, as yet anonymous, providers have lodged an antitrust complaint with EU regulators against Microsoft. The complaint is about how Microsoft licenses its cloud services, with the notion that if you're building your hosting service on Azure, you're going to have to charge prices that are higher than Azure. And in other news, water is wet. I don't really get this one, but Microsoft responded that, "The cloud market is growing and European cloud providers have built successful business models using Microsoft software and services. Cloud providers enjoy many options to provide cloud services to their customers using Microsoft software, whether purchased by the customer or the partner. We're continuously evaluating how we can best support partners and make Microsoft software available to customers across all environments, including those of other cloud providers."
Microsoft is also gathering some complaints based on some "experimental" code that showed up on some users' systems after an automatic update. The code showed a banner in the Windows File explorer, which is making people understandably unhappy. Brandon LeBlanc, Senior Product Manager, Windows, said that, "This was an experimental banner that was not intended to be published externally and was turned off," but The Register points out that he didn't say anything about it not getting turned back on. Just one more reason I will keep running Windows 7 on this machine until it becomes completely impossible to work.
And in better Microsoft news, the company has entered into a partnership with Fortum, Finland's largest energy company, to create a data center in Helsinki that will create 11,000 jobs, run on clean power, and most importantly, take all that heat those servers put off and use it to heat homes, services, and businesses connect to its district heating system. Finally somebody puts those two together. Bravo.
Which is perhaps a good lead-in to the fact that Microsoft was also named to Ethisphere's list of the world's most ethical companies for the 12th time. Apple was also named to the list, in this case for the first time, which is ironic because this week also brought the news that Apple, and by the way also Google, is trying to get the UK's Competition and Markets Authority to stop trying to make it do ridiculous things like give other app stores a fair shake, enable third party payment processors, and basically not be 800 pound gorillas stomping competition into the dust. The companies are requesting that if what is now an interim report is to be seriously considered, that regulators look more deeply into the industry and hopefully, in their eyes, into what they consider to be the upside for users and developers of their alleged monopolies.
- Apple, Microsoft top list of most ethical tech companies | TechRepublic
- Apple, Google urge monopoly watchdog to leave them alone | The Register
Moving back to data centers for a moment, co-location provider (and, I should point out, Mirantis partner) Equinix is buying four datacenters from Chilean telecom Entel for $705 million. Three of these facilities will be in Chile and one in Peru. The sale is expected to close in Q2 of this year. Equinix already has a presence in Columbia, Mexico, and Brazil, and has been in Latin America since 2011.
Meanwhile, Amazon is planning to spend $2.4 billion on data centers in the UK over the next two years. The company already has a presence in London, and in neighboring Ireland.
Open Source & Politics Debate
Eric Gregory: Over the last few weeks, we’ve seen the open source community try to grapple with tough questions about how open source fits into larger ethical and political contexts, largely prompted by the ongoing Russian invasion of Ukraine.
You might remember the story from a couple of months ago in which the developer of a widely used npm package deliberately sabotaged his own package to make a point about corporations using open source software without giving back.
This week saw a similar story with a different political aim: protest against the war and direct sabotage of systems in Russia and Belarus. The developer in question updated the npm package node.ipc, which serves as an inter-process communication module depended on by other popular packages like the Vue.js CLI.
Once updated, the package would check the IP address to see if it was associated with Russia or Belarus, and if so, it would wipe files from the system and replace them with a heart emoji.
Ars Technica reported on the incident and its fallout in the open source community, including an angry response from a Twitter user who claimed to be part of an American NGO helping Ukrainian refugees. This user says they lost data documenting Russian war crimes on account of the node.ipc protest, because they were using a server in Belarus. While we have no way of assessing the veracity of this account, it’s a plausible scenario in line with many cybersecurity experts’ warnings against independent cyber-attacks–through the fog of war, it’s easy for an individual to accidentally harm a cause they mean to support.
Other individual protests in the open source world have opted to focus on communication, with packages updated to check IP addresses and display messages about the war to users in Russia. Some people have called for organizations running major hubs of open source collaboration—GitHub and GitLab, for example—to discontinue service in Russia.
And all of this has formed a part of a larger debate on the place of open source in politics. Should open source software be available for anyone—including dictators and autocratic regimes—to use freely? Should protest be conducted through software packages? What about licenses? What about distribution channels? Should open source licenses be more ethically prescriptive or strive to be apolitical?
- How OSS Devs Can Take Ethical Stances without License Changes | The New Stack
- A Developer Altered Open Source Software to Wipe Files in Russia | Wired
Nick Chase: Unfortunately, Ukraine is joining security in the eternal corner, hopefully that won't last for long but in the meantime here's today's installment.
We reported last week on President Biden's executive order instructing federal agencies to look into the feasibility of crypto currency, now Michael Chobanian, founder of the Kuna Exchange and president of the Blockchain Association of Ukraine, has told the Senate Banking Committee about how the technology has been a godsend in getting donations where they need to go inside the war-torn country. “The minute the crypto landed on these addresses, the government could use them immediately,” Chobanian said. “No bureaucracy. We spent that immediately the next day.” And he's not talking about chump change here; last Thursday they had already raised $50 million of their $100 million goal, and somewhere in all these stories I believe I saw they hit that target.
However, if you're going to try to donate to Ukraine via cryptocurrency, don't do it on the Dark Web. According to ComputerWeekly, Check Point Research reports that the Dark Web is littered with scammers supposedly taking money for Ukraine, but, well, not. Of course if you're going to fool around on the Dark Web you're going to want to be careful anyway, but the Dark Web is one of those things that has started to come into its own during this war, with legit services such as the BBC using it to try and get unbiased news out to Russians who have been cut off from non-state news sources.
And speaking of bait and switch, TechRepublic reports that users trying to get into the "let's help attack Russia's infrastructure" game are getting a rude surprise, as in many cases the software they're downloading to carry out these attacks is actually malware that puts their own systems at risk, introducing ransomware and other nasties onto their own computers and networks. Moral of the story: If you're not an expert, for heaven's sake don't try to hack into the systems of a foreign country. Actually don't try to hack into anything, it's still illegal, and you should know better than to download strange software, particularly from people who come right out and admit they're hackers.
All of this hacking and counter hacking tied to the conflict in Ukraine has started to shine a light on war exclusions in cybersecurity insurance policies. If you don't live in a warzone, you might not have noticed that little provision in most insurance policies, cyber or otherwise, but insurance policies typically have a clause that prevents them from, say, having to rebuild an entire city that's been destroyed by, oh, I don't know, an invading army, or in the case of Merck Pharmaceuticals, which was an unintended victim of the NotPetya ransomware attack against Ukraine in 2017, paying for $1.75 billion in losses due to 40,000 damaged systems and was denied payment under an "all risk" policy. Courts ruled in favor of Merck, but be careful. TechRepublic reports that "New Jersey Superior Court Judge Thomas J. Walsh stated that both parties were aware that cyber attacks, including those from nation-states, have become more common. "Despite this, Insurers did nothing to change the language of the exemption to reasonably put this insured on notice that it intended to exclude cyber attacks," Judge Walsh said in the ruling, "Certainly they had the ability to do so." So check your policies and make sure these attacks aren't explicitly excluded.
Finally, Russians are also increasingly turning to VPNs to get around restrictions. The Register reports that demand for Virtual Private Networks has risen by 2,692%, and that "Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer." The agency has concerns that the government of Russia might insert malicious or strategic code into the Kaspersky software, with or without the company's knowledge or permission. Meanwhile, Kaspersky says that code that was supposedly "leaked" by hackers is actually code that has been publicly available for years.
- Russian demand for VPNs skyrockets by 2,692% | The Register
- Germany advises citizens to uninstall Kaspersky antivirus | The Register
- Kaspersky forced to deny source code leak | Computer Weekly
FreedomFi closes funding round for democratized 5G
Open source 5G provider FreedomFi has closed a $9.5 million Series A funding round from backers such as Blueyard Capital, Qualcomm Ventures, and Samsung. Now, I hear you saying it: "What the heck is open source 5G"? Well, I'm glad you asked. Well, I'm sort of glad you asked. For non-hardware, non-5G experts like me this is a little complicated, so bear with me while I put together all the facts here.
FreedomFi makes 5G gateway software that is a hardened version of the open source Magma project and connects to multiple CBRS-enabled antenna and radio systems. Citizens Broadband Radio Service (CBRS) spectrum, a 150 MHz wide broadcast band of the 3.5 GHz band. This setup can be used to create fixed wireless installs or private 5G installations.
With me so far?
OK. Now, by itself this warms my little rebellious heart, because I love the idea of being able to, say, run my own little private mobile provider, though my coverage map would be, like, a teeny tiny dot you couldn't even see. But again, that's not the point, it's really about creating these local 5G networks for IoT and similar applications.
But now we run into an additional issue; CBRS, as unlicensed spectrum, has serious power limitations so you don't interfere with what's going on around you, which means that in order to make this worthwhile, it has to be dirt cheap to set up.
So, according to Fierce Wireless–and NOT, by the way, according to FreedomFi's PR guy, who I know personally, but who didn't think to send me this story, thanks a LOT, Joe–we get to the truly interesting part, which is that users will be able to offset costs by mining the Helium cryptocurrency. "Bobcat Miner, a top maker of Helium hotspots, [has] disclosed…it is teaming up with FreedomFi to build new 5G hotspots for mining cryptocurrency by providing cellular and LoRaWAN wireless leveraging [FreedomFi]’s firmware. The partnership is significant as Bobcat commands more than 30% market share of the Helium ecosystem, with 240,000 hotspots deployed in 12 months."
The general idea is that users will be compensated for offloading cellular traffic from FreedomFi partners such as Dish.
Meanwhile FreedomFi's target is to provide small cell radios that are plug-and-play compatible with their gateway software, which they've already done with Baicells and with their own hardware. Joey Padden, CTO and co-founder of FreedomFi, said in a statement that “our ultimate goal is to enable other hardware manufacturers and small cell vendors to adopt open source software powering decentralized wireless architecture.”
Dish is the first carrier to partner with FreedomFi, which says that it will be pursuing similar agreements with other carriers.
A week or two ago we reported on efforts by European lawmakers to pass the Markets in Crypto Assets (MiCA) in an effort to curb nastiness such as money laundering, and that if it did pass, clauses that outlaw "proof of work" coins, such as Bitcoin and Etherium would be in trouble. Well, the act has passed, but without that provision. Bad for the environment, but good for innovation, say supporters, who point out that not every proof of work coin burns down a rainforest every time you make a trade.
However, let's move to the philosophical for a moment. Time magazine has put on its cover Vitalik Buterin, founder of Ethereum, not because he's become immensely rich, or because he's flashy, or really any of that, quite the opposite. Buterin, who has been largely reclusive up till now, has been starting to make more noise in the press because he's frankly unhappy to see what his baby has been up to. If you were paying attention when Ethereum was created, you might remember that it was actually created to do things like smart contracts and other useful work that happens to take advantage of blockchain technology. But if you don't remember that, you're completely forgiven because of course the crypto market is full of people just, well, getting rich and showing how rich they are. Now we've got celebrities making commercials telling people to invest in crypto.
And all of this seriously disturbs Buterin, who wants people to basically knock it off. But of course the currency was specifically designed to be decentralized, so of course he has no control over the situation except to try and be a voice of reason.