Google debuts deps.dev API to check security status of dependencies

[…]

On Tuesday, Google – which has answered the government’s call to secure the software supply chain with initiatives like the Open Source Vulnerabilities (OSV) database and Software Bills of Materials (SBOMs) – announced an open source software vetting service, its deps.dev API.

The API, accessible in a more limited form via the web, aims to provide software developers with access to security metadata on millions of code libraries, packages, modules, and crates.

By security metadata, Google means things like: how well maintained a library is, who maintains it, what vulnerabilities are known to be present in it and whether they have been fixed, whether it’s had a code review, whether it’s using old or new versions of other dependencies, what license covers it, and so on. For example, see the info on the Go package cmdr and the Rust Cargo crate crossbeam-utils.

The API also provides at least two capabilities not available through the web interface: the ability to query the hash of a file’s contents (to find all package versions with the file) and dependency graphs based on actual installation rather than just declarations.

“Software supply chain attacks are increasingly common and harmful, with high profile incidents such as Log4Shell, Codecov, and the recent 3CX hack,” said Jesper Sarnesjo and Nicky Ringland, with Google’s open source security team, in a blog post. “The overwhelming complexity of the software ecosystem causes trouble for even the most diligent and well-resourced developers.”

[…]

The deps.dev API indexes data from various software package registries, including Rust’s Cargo, Go, Maven, JavaScript’s npm, and Python’s PyPI, and combines that with data gathered from GitHub, GitLab, and Bitbucket, as well as security advisories from OSV. The idea is to make metadata about software packages more accessible, to promote more informed security decisions.

Developers can query the API to look up a dependency’s records, with the returned data available programmatically to CI/CD systems, IDE plugins that present the information, build tools and policy engines, and other development tools.
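As an added example, not code from The Register's article or from deps.dev itself, the Python below does the kind of check a CI/CD step or policy engine would run over a resolved dependency graph: given a graph in the shape assumed here for the deps.dev dependencies response (nodes carrying a versionKey and a relation, edges as node indices) plus per-version advisory data, it reports every route from the application to a vulnerable transitive package and which direct dependencies would have to change to remove it. All sample data is constructed.

```python
# Added example: which direct dependencies pull a vulnerable package into a
# build, from a deps.dev-style resolved dependency graph. SAMPLE_GRAPH is
# constructed to follow the shape assumed here for the deps.dev v3
# dependencies response (nodes with versionKey + relation, edges as node
# indices); it is not a captured API reply.

# Constructed sample: one npm application whose two direct dependencies both
# pull in the same transitive package. Node 0 is the queried package (SELF).
SAMPLE_GRAPH = {
    "nodes": [
        {"versionKey": {"system": "NPM", "name": "example-app", "version": "1.0.0"}, "relation": "SELF"},
        {"versionKey": {"system": "NPM", "name": "web-framework", "version": "4.2.0"}, "relation": "DIRECT"},
        {"versionKey": {"system": "NPM", "name": "cli-colors", "version": "2.1.0"}, "relation": "DIRECT"},
        {"versionKey": {"system": "NPM", "name": "tiny-parser", "version": "0.9.1"}, "relation": "INDIRECT"},
    ],
    "edges": [
        {"fromNode": 0, "toNode": 1, "requirement": "^4.0.0"},
        {"fromNode": 0, "toNode": 2, "requirement": "^2.0.0"},
        {"fromNode": 1, "toNode": 3, "requirement": "~0.9.0"},
        {"fromNode": 2, "toNode": 3, "requirement": "~0.9.0"},
    ],
}
# Constructed: advisory ids per (system, name, version), as a per-version
# lookup would supply them. The id is a placeholder, not a real advisory.
SAMPLE_ADVISORIES = {("NPM", "tiny-parser", "0.9.1"): ["GHSA-PLACEHOLDER"]}


def _key(node):
    vk = node["versionKey"]
    return (vk["system"], vk["name"], vk["version"])


def vulnerable_paths(graph, advisories):
    """Map each vulnerable 'name@version' to every route (list of labels)
    from the SELF node to it. All routes are kept, not just the shortest:
    the package stays installed until every direct dependency requiring it
    is upgraded or dropped. Cycles (legal in npm) are broken per route."""
    nodes = graph["nodes"]
    label = [f"{k[1]}@{k[2]}" for k in map(_key, nodes)]
    children = {i: [] for i in range(len(nodes))}
    for edge in graph["edges"]:
        children[edge["fromNode"]].append(edge["toNode"])
    roots = [i for i, n in enumerate(nodes) if n.get("relation") == "SELF"]
    if len(roots) != 1:
        raise ValueError("expected exactly one SELF node in the graph")
    found = {}

    def walk(idx, route):
        if advisories.get(_key(nodes[idx])):
            found.setdefault(label[idx], []).append([label[i] for i in route])
        for child in children[idx]:
            if child not in route:  # never re-enter a node already on this route
                walk(child, route + [child])

    walk(roots[0], [roots[0]])
    return {pkg: sorted(routes) for pkg, routes in found.items()}


def direct_dependencies_to_fix(graph, advisories):
    """Sorted direct dependencies through which some vulnerable package arrives."""
    culprits = {route[1] for routes in vulnerable_paths(graph, advisories).values()
                for route in routes if len(route) > 1}  # route[0] is the app itself
    return sorted(culprits)
```

In a pipeline the graph and advisory data would come from the live deps.dev endpoints rather than the constructed dictionaries above; the walk itself does not change.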

Sarnesjo and Ringland say they hope the API helps developers understand dependency data better so that they can respond to – or prevent – attacks that try to compromise the software supply chain.

There are already hundreds of software supply chain tools and projects, but the more the merrier. Judging by the average life expectancy of Google services, the deps.dev API should be available for at least four years.

Along similar lines, Google Cloud on Wednesday nudged its Assured Open Source Software (Assured OSS) service for Java and Python into general availability.

[…]

Source: Google debuts API to check security status of dependencies • The Register

Mitsubishi 3000GT Car Phone Modded To Work Like an iPhone, link to full 3 year journey included

Software engineer Jeff Lau, posting under the username UselessPickles, showed off the restored car phone in a video uploaded to YouTube. The Mitsubishi came from the factory with an optional “DiamondTel” handset and hands-free system, which was rendered inoperable by the discontinuation of analog “AMPS” cell service in the U.S. in 2008. (The 3G shutdown bricked a ton of newer cars’ connectivity features, too.)

After three years of work, Lau restored the device’s functionality using a custom Bluetooth adapter. Lau engineered the adapter to piggyback between the stock phone transceiver and hands-free control unit located under the trunk carpet. That let Lau tap into modern cell networks with his 1993 car phone—but he didn’t stop there.

Paired with a smartphone, the stock handset displays the name of the paired device and the signal strength of the smartphone’s network. It gets better: The car’s hands-free microphone feeds the smartphone voice commands (to Apple’s Siri in this case). It’s pretty much all the functionality of a 2023 hands-free system but without the distraction of a touchscreen.

Obviously, that isn’t about to become a widespread resto-mod trend soon. The lengthy dev time, low take rate of car phones in their day, and uniqueness of individual cars’ systems mean we’re probably not about to see off-the-shelf car phone restoration kits soon. But the fact that bringing car phones back is possible will hopefully inspire someone else out there to resuscitate theirs—maybe even one of those retro Chrysler VisorPhones will ride one day again. Or ring, I should say.

Source: Clever Collector Mods Mitsubishi 3000GT Car Phone To Work Like an iPhone

The whole process is laid out in this forum thread, starting on 23/12/21: Making a Bluetooth adapter for a Car Phone from the 90’s

Streaming Services Urged To Clamp Down on AI-Generated Music by Record Labels

Universal Music Group has told streaming platforms, including Spotify and Apple, to block artificial intelligence services from scraping melodies and lyrics from their copyrighted songs, according to emails viewed by the Financial Times. From the report: UMG, which controls about a third of the global music market, has become increasingly concerned about AI bots using their songs to train themselves to churn out music that sounds like popular artists. AI-generated songs have been popping up on streaming services and UMG has been sending takedown requests “left and right,” said a person familiar with the matter. The company is asking streaming companies to cut off access to their music catalogue for developers using it to train AI technology. “We will not hesitate to take steps to protect our rights and those of our artists,” UMG wrote to online platforms in March, in emails viewed by the FT. “This next generation of technology poses significant issues,” said a person close to the situation. “Much of [generative AI] is trained on popular music. You could say: compose a song that has the lyrics to be like Taylor Swift, but the vocals to be in the style of Bruno Mars, but I want the theme to be more Harry Styles. The output you get is due to the fact the AI has been trained on those artists’ intellectual property.”

Source: Streaming Services Urged To Clamp Down on AI-Generated Music – Slashdot

Basically they don’t want AIs listening to their music as an inspiration for them to make music. Which is exactly what humans do. So I’m very curious what legal basis would accept their takedowns.

New Map of Dark Matter Supports Einstein’s Theory of Gravity

Scientists using data from the Atacama Cosmology Telescope in Chile have made a detailed map of dark matter’s distribution across a quarter of the sky.

The map shows the distribution of mass extending essentially as far as we can see back in time; it uses the cosmic microwave background as a backdrop for the dark matter portrait. The team’s research will be presented at the Future Science with CMB x LSS conference in Kyoto, Japan.

“We have mapped the invisible dark matter across the sky to the largest distances, and clearly see features of this invisible world that are hundreds of millions of light-years across,” said Blake Sherwin, a cosmologist at the University of Cambridge, in a Princeton University release. “It looks just as our theories predict.”

[…]

the only way dark matter is observed is indirectly, in the way its gravitational effects are observed at large scales. Enter the Atacama Cosmology Telescope, which more precisely dated the universe in 2021. The telescope’s map builds on a map of the universe’s matter released earlier this year, which was produced using data from the Dark Energy Survey and the South Pole Telescope. That map upheld previous estimations of the ratio of ordinary matter to dark matter and found that the distribution of the matter was less clumpy than previously thought.

The new map homes in on a lingering concern of Einstein’s general relativity: how the most massive objects in the universe, like supermassive black holes, bend light from more distant sources. One such source is the cosmic microwave background, the most ancient detectable light, which radiates from the aftermath of the Big Bang.

The researchers effectively used the background as a backlight, to illuminate regions of greater density in the universe.

“It’s a bit like silhouetting, but instead of just having black in the silhouette, you have texture and lumps of dark matter, as if the light were streaming through a fabric curtain that had lots of knots and bumps in it,” said Suzanne Staggs, director of the Atacama Cosmology Telescope and a physicist at Princeton, in the university release.

The cosmic microwave background as seen by the European Space Agency’s Planck observatory.
Image: ESA

“The famous blue and yellow CMB image is a snapshot of what the universe was like in a single epoch, about 13 billion years ago, and now this is giving us the information about all the epochs since,” Staggs added.

The recent analysis suggests that the dark matter was lumpy enough to fit with the standard model of cosmology, which relies on Einstein’s theory of gravity.

Eric Baxter, an astronomer at the University of Hawai’i and a co-author of the research that resulted in the February dark matter map, told Gizmodo in an email that his team’s map was sensitive to low redshifts (meaning close by, in the more recent universe). On the other hand, the newer map focuses exclusively on the lensing of the cosmic microwave background, meaning higher redshifts and a more sweeping scale.

“Said another way, our measurements and the new ACT measurements are probing somewhat different (and complementary) aspects of the matter distribution,” Baxter said. “Thus, rather than contradicting our previous results, the new results may be providing an important new piece of the puzzle about possible discrepancies with our standard cosmological model.”

“Perhaps the Universe is less lumpy than expected on small scales and at recent times (i.e. the regime probed by our analysis), but is consistent with expectations at earlier times and at larger scales,” Baxter added.

New instruments should help tease out the matter distribution of the universe. An upcoming telescope at the Simons Observatory in the Atacama is set to begin operations in 2024 and will map the sky nearly 10 times faster than the Atacama Cosmology Telescope, according to the Princeton release.

[…]

Source: New Map of Dark Matter Validates Einstein’s Theory of Gravity

Physicists Discover that Gravity Can Create Light

Researchers have discovered that in the exotic conditions of the early universe, waves of gravity may have shaken space-time so hard that they spontaneously created radiation.

[…]

a team of researchers have discovered that an exotic form of parametric resonance may have even occurred in the extremely early universe.

Perhaps the most dramatic event to occur in the entire history of the universe was inflation. This is a hypothetical event that took place when our universe was less than a second old. During inflation our cosmos swelled to dramatic proportions, becoming many orders of magnitude larger than it was before. The end of inflation was a very messy business, as gravitational waves sloshed back and forth throughout the cosmos.

Normally gravitational waves are exceedingly weak. We have to build detectors that are capable of measuring distances less than the width of an atomic nucleus to find gravitational waves passing through the Earth. But researchers have pointed out that in the extremely early universe these gravitational waves may have become very strong.

And they may have even created standing wave patterns where the gravitational waves weren’t traveling but the waves stood still, almost frozen in place throughout the cosmos. Since gravitational waves are literally waves of gravity, the places where the waves are the strongest represent an exceptional amount of gravitational energy.

The researchers found that this could have major consequences for the electromagnetic field existing in the early universe at that time. The regions of intense gravity may have excited the electromagnetic field enough to release some of its energy in the form of radiation, creating light.

This result gives rise to an entirely new phenomenon: the production of light from gravity alone. There’s no situation in the present-day universe that could allow this process to happen, but the researchers have shown that the early universe was a far stranger place than we could possibly imagine.

Source: Physicists Discover that Gravity Can Create Light – Universe Today

EVE Online player uses CEO vote to pull off the biggest heist in the game’s history

Back in 2017, we learned about the biggest heist in EVE Online history: A year-long inside job that ultimately made off with an estimated 1.5 trillion ISK, worth around $10,000 in real money. But now another EVE player claims to have pulled off a heist worth significantly more than that—and with significantly less work involved.

The 2017 heist, like so many of EVE’s most interesting stories, relied primarily on social engineering: Investing months or years of time into grooming a target before pulling the rug out from beneath them. But redditor Flam_Hill said this job was less bloody: Instead of betrayal, this theft was dependent upon learning and exploiting the “shares mechanic” in EVE Online in order to leverage a takeover of Event Horizon Expeditionaries, a 299-member corporation that was part of the Pandemic Horde alliance.

Using a “clean account with a character with a little history,” Flam_Hill and an unnamed partner applied for membership in the EHEXP corporation. After the account was accepted, Flam_Hill transferred enough of his shares in the corporation to the infiltrator to enable a call for a vote for a new CEO. The conspirators both voted yes, while nobody else in the corporation voted at all.

This was vital, because after 72 hours the two “yes” votes carried the day. The infiltrating agent was very suddenly made CEO, which was in turn used to make Flam_Hill an Event Horizon Expeditionaries director, at which point they removed all the other corporate directors and set to emptying the coffers.

They stripped 130 billion ISK from the corporate wallet, but that was only a small part of the haul: Counting all stolen assets, including multiple large ships, Flam_Hill estimated the total value of the heist at 2.23 trillion ISK, which works out to more than $22,300 in real money. ISK can’t be legally cashed out of EVE Online, but it can be used to buy Plex, an in-game currency used to upgrade accounts, purchase virtual goods, and activate other services.

[…]

The one aspect of the story that some redditors took issue with is the origin of the 1,000 shares in Event Horizon Expeditionaries that made this theft possible in the first place.

[…]

It all comes down to EVE’s corporation voting system: Any member of a corporation holding more than 5% of the total shares can start a vote, and—this is what it really comes down to—“the option that gains more than 50% of cast votes wins the vote.” This is why the inattentiveness of EHEXP membership was so vital: Flam_Hill and his partner were the only ones to vote “yes,” so they had 100% of the cast votes and were thus able to seize power.

[…]

EVE Online developer CCP Games eliminated any doubt by confirming that the heist did in fact take place, although it declined to comment on the value of the theft.

In the end, it turned out that the “former CEO” theory was correct. Speaking to PC Gamer, the mastermind of the heist, known in EVE as Sienna d’Orien—real name Dave—confirmed that he was in fact the founder and former chief of Event Horizon Expeditionaries, which is how he had the shares in the company that enabled the takeover. He quit EVE in 2018, citing burnout and other priorities, but returned in 2022 to find EHEXP “a shell of its former self.”

After forming a new group, Dave reached out to the corporation to inquire about getting some of his old assets back, but was ignored. His partner in the heist, Packratt, then brought up the shares mechanic, and they went to work. They were aided by a third friend and former EHEXP member, Highlander McLeod, who handled some of the research in order to keep d’Orien’s name out of it—although McLeod was kept in the dark about the job until it was over, in order to ensure operational security.

[…]

They managed to pull the job off with virtually complete anonymity, but Dave said he’s stepping out of the shadows because “it will get out eventually” anyway—and it probably doesn’t hurt that he can now bask in the glory of the moment.

[…]

As for Dave, who’s now playing “in a new corp with old mates,” he acknowledged that the heist could complicate his in-game life somewhat: He’ll be an interstellar folk hero to some (people love a good EVE heist) but no doubt a villain—and a target—in the eyes of others.

[…]

Source: EVE Online player uses obscure rule to pull off the biggest heist in the game’s history | PC Gamer

Google’s free Assured Open Source Software service hits GA

About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing for vulnerabilities some of the world’s most popular software libraries. Today, Google is launching Assured OSS into general availability with support for well over a thousand Java and Python packages — and while Google didn’t initially disclose pricing when it first announced the service, the company has now revealed that it will be available for free.

Software development has long depended on third-party libraries (which are often maintained by only a single developer), but it wasn’t until the industry got hit with a number of high-profile exploits that everyone (including the White House) perked up and started taking software supply chain security seriously. Now, you can’t attend an open source conference without hearing about Software Bills of Materials (SBOMs), artifact registries and similar topics.

[…]

Google promises that it will constantly keep these libraries up to date (without creating forks) and continuously scan for known vulnerabilities, do fuzz tests to discover new ones and then fix these issues and contribute these fixes back upstream. The company notes that when it first launched the service with around 250 Java libraries, it was responsible for discovering 48% of the new CVEs for these libraries and subsequently addressing them.

[…]

By partnering with a trusted supplier, organizations can mitigate these risks and ensure the integrity of their software supply chain to better protect their business applications.”

Developers and organizations that want to use the new service can sign up here and then integrate Assured OSS into their existing development pipeline.

Source: Google’s free Assured Open Source Software service hits GA | TechCrunch


Google announces GUAC open source project on software supply chains

Google unveiled a new open source security project on Thursday centered around software supply chain management.

Given the acronym GUAC – which stands for Graph for Understanding Artifact Composition – the project is focused on assembling data sets about a piece of software’s build, security and dependencies.

Google worked with Purdue University, Citibank and supply chain security company Kusari on GUAC, a free tool built to bring together many different sources of software security metadata. Google has also assembled a group of technical advisory members to help with the project — including IBM, Intel, Anchore and more.

Google’s Brandon Lum, Mihai Maruseac and Isaac Hepworth pitched the effort as one way to help address the explosion in software supply chain attacks — most notably the widespread Log4j vulnerability that is still leaving organizations across the world exposed to attacks.

“GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata,” they wrote in a blog post. “GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding.”

They noted that U.S. President Joe Biden issued an executive order last year that said all federal government agencies must send a Software Bill of Materials (SBOM) to Allan Friedman, the director of Cybersecurity Initiatives at the National Telecommunications and Information Administration (NTIA).

[…]

While SBOMs are becoming increasingly common thanks to the work of several tech industry groups like OpenSSF, there have been a number of complaints, one of those centered around the difficulty of sorting through troves of metadata, some of which is not useful.

Maruseac, Lum and Hepworth explained that it is difficult to combine and collate the kind of information found in many SBOMs.

“The documents are scattered across different databases and producers, are attached to different ecosystem entities, and cannot be easily aggregated to answer higher-level questions about an organization’s software assets,” they said.

Google shared a proof of concept of the project, which allows users to search data sets of software metadata.

The three explained that GUAC effectively aggregates software security metadata into a database and makes it searchable.

They used the example of a CISO or compliance officer that needs to understand the “blast radius” of a vulnerability. GUAC would allow them to “trace the relationship between a component and everything else in the portfolio.”

Google says the tool will allow anyone to figure out the most used critical components in their software supply chain ecosystem, the security weak points and any risky dependencies.

[…]

Source: Google announces GUAC open source project on software supply chains