Join the growing list of organizations supporting the advancement of securing open source technology and funding the development and adoption of OpenSSF initiatives. Explore Membership Subscribe to the OpenSSF Mailing List!Get the latest announcements, event info, and the community news in your inbox. hbspt.forms.create( region: "na1", portalId: "8112310", formId: "f161ab59-364e-4ccc-8f5d-b7278fa9ae75", version: "V2_PRERELEASE" );
Copyright 2023 The Linux Foundation . All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page. Linux is a registered trademark of Linus Torvalds. Privacy Policy and Terms of Use.
Open source communities during this time have been resilient. Open source software development by its very nature happens, and thrives, amongst a distributed group around the world. Many individuals in our communities are already working in a distributed virtual environment on their open source collaboration efforts.
Open source offers job security
Open source communities are still moving forward. As the world quickly migrated to virtual work environments, the online developer communities familiar with working together virtually had a pretty smooth transition, or in some cases, no disruptions at all. We are seeing many open source communities push forward despite all the challenges around them at home and in their local communities. Given their experience working in virtual environments, many open source community members and organizations are sharing their best practices and helping others adapt to working virtually.
We believe that the broader technology industry can use open source governance models to address more widespread industry challenges that could not be as easily solved with more traditional, proprietary solutions. Many blockchain open source software projects have arisen over the last few years that are now ready to support industry ecosystem and utility networks. We see early adopters moving beyond just software to addressing challenges with trust and verification in blockchain systems in our recently announced Trust over IP project.
In open source software communities, many organizations leverage nonprofits like the Linux Foundation to have a neutral home for an open governance model that no one company in the industry controls. We see a trend that those same principles apply in the case of the governance of an industry service built on blockchain technology with nodes contributed by multiple organizations.
With open source becoming pervasive, we now have to think about these technologies as they support critical infrastructures. LF Energy and LF Networking are becoming more focused on economic and financial systems (see FINOS), and also safety systems (see ELISA).
Many other critical infrastructure systems have a severe impact if they fail. With open source software underpinning these critical systems, we need to figure out how to manage these systems. To succeed, our members started with identifying and tracking what software is in a system (see SPDX) and how to maintain software over a very long lifespan (see Civil Infrastructure Platform).
Within the Linux Foundation ecosystem, we have open technical communities building software and specifications. We also have communities that have identified interoperability points, processes, or frameworks for technology or managing technologies, that all benefit from being formally written as specifications. Standards are a natural next step in their journey as ecosystems coalesce around a common specified way of doing things. This year started with the Joint Development Foundation (JDF) being approved as an ISO PAS Submitter, making it possible for our communities to go from a specification repository to an international standard. We expect to see many more communities forming that is focused on a hybrid of standards and open source development.
In addition to its work with the JDF, LF Networking also has a great collaboration with other established standards development organizations to ensure harmonization of specifications and code in the open source projects that facilitate deployment for carriers globally.
As another example, today I could stand up an OpenStack instance, a Red Hat Enterprise Linux instance or the community equivalent thereof, or a MongoDB instance, and I could do it on my own with the open source software available freely over the Internet. I could start building a project, or a platform, or testing feasibility or developing my skills.
Open source is generally much more cost-effective than a proprietary solution. Not only are open source solutions typically much more inexpensive in an enterprise environment for equivalent or superior capability, but they also give enterprises the ability to start small and scale (more on that coming up). Given that enterprises are often budget challenged, it just makes financial sense to explore open source solutions.
You can solve your enterprise problems while effectively sharing some of the maintenance costs. One of the fundamental advantages of open source is community involvement. Rather than writing an application and having to sustain it yourself, you can share the cost of maintaining and sustaining applications among multiple parties.
For some people, work offers a sense of purpose and meaning. We can often tie our identities, our passions, and who we are as people to our work. Beyond a sense of identity, job security matters for many reasons.
For example, you might volunteer for projects out of your comfort zone. Or you might attend a training or class to build a new skill. Whatever the learning opportunity looks like, keep an open mind. You never know how learning opportunities might benefit your career journey.
In recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022. The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant earlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.
LinkedIn Threat Prevention and Defense detected ZINC creating fake profiles claiming to be recruiters working at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn and to the encrypted messaging app WhatsApp for the delivery of malware. ZINC primarily targeted engineers and technical support professionals working at media and information technology companies located in the UK, India, and the US. Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly terminated any accounts associated with inauthentic or fraudulent behavior.
MSTIC has observed at least five methods of trojanized open-source applications containing the malicious payload and shellcode that is tracked as the ZetaNile malware family. The ZetaNile implants, also known as BLINDINGCAN, have been covered in CISA and JPCERT reports. The implant DLLs in the ZetaNile malware family are either packed with commercial software protectors such as Themida and VMProtect or are encrypted using custom algorithms. The payload in the malicious DLL is decrypted using a custom key, passed as part of the DLL search order hijacking of the legitimate Windows process, as shown in Figure 3. The ZetaNile implants use unique custom encryption methods or AES encryption to generate command and control (C2) HTTP requests to known compromised C2 domains. By encoding the victim information in the parameters for common keywords like gametype or bbs in the HTTP POSTs, these C2 communications can blend in with legitimate traffic.
The DC Office of Unemployment Compensation (OUC) is a resource to help DC residents, workers, and employers overcome workforce challenges. The primary goal of the Unemployment Insurance (UI) program is to provide temporary wage replacement to eligible unemployed individuals. This support also helps to stimulate the local economy by maintaining a level of consumer spending during an economic decline.
The Department of Employment Services (DOES) mission is to connect District residents, job seekers, and employers to opportunities and resources that empower fair, safe, effective working communities. 2ff7e9595c
Comments