So I'm in a securitywaiter discord and we love random encounters.

And the fnaf musical by the guys behind random encounters.

We also ship AJ(purple guy) and Madpat(phone guy/William Afton). We named them chainguard/nightsaw

So- enjoy!

Chainguard Raises $61M in Series B Funding

Chainguard, a Kirkland, WA-based software supply chain security company, raised $61M in Series B funding. The round was led by Spark Capital and existing investors Sequoia Capital, Amplify Partners, The Chainsmoker’s Mantis VC, and Banana Capital. The company intends to use the funds to expand the global go-to-market team, invest in product research and innovation and customer support…

View On WordPress

Big Tech Vendors Object to US Gov SBOM Mandate

Big Tech Vendors Object to US Gov SBOM Mandate

Home › Cyberwarfare Big Tech Vendors Object to US Gov SBOM Mandate By Ryan Naraine on December 07, 2022 Tweet The U.S. government’s mandates around the creation and delivery of SBOMs (software bill of materials) to help mitigate supply chain attacks has run into strong objections from big-name technology vendors. A lobbying outfit representing big tech is calling on the federal government’s…

View On WordPress

Valkey 7.2 On Memorystore: Open-Source Key-Value Service

The 100% open-source key-value service Memorystore for Valkey is launched by Google Cloud.

In order to give users a high-performance, genuinely open-source key-value service, the Memorystore team is happy to announce the preview launch of Valkey 7.2 support for Memorystore.

Memorystore for Valkey

A completely managed Valkey Cluster service for Google Cloud is called Memorystore for Valkey. By utilizing the highly scalable, reliable, and secure Valkey service, Google Cloud applications may achieve exceptional performance without having to worry about handling intricate Valkey deployments.

In order to guarantee high availability, Memorystore for Valkey distributes (or “shards”) your data among the primary nodes and duplicates it among the optional replica nodes. Because Valkey performance is greater on many smaller nodes rather than fewer bigger nodes, the horizontally scalable architecture outperforms the vertically scalable architecture in terms of performance.

Memorystore for Valkey is a game-changer for enterprises looking for high-performance data management solutions reliant on 100% open source software. It was added to the Memorystore portfolio in response to customer demand, along with Memorystore for Redis Cluster and Memorystore for Redis. From the console or gcloud, users can now quickly and simply construct a fully-managed Valkey Cluster, which they can then scale up or down to suit the demands of their workloads.

Thanks to its outstanding performance, scalability, and flexibility, Valkey has quickly gained popularity as an open-source key-value datastore. Valkey 7.2 provides Google Cloud users with a genuinely open source solution via the Linux Foundation. It is fully compatible with Redis 7.2 and the most widely used Redis clients, including Jedis, redis-py, node-redis, and go-redis.

Valkey is already being used by customers to replace their key-value software, and it is being used for common use cases such as caching, session management, real-time analytics, and many more.

Customers may enjoy a nearly comparable (and code-compatible) Valkey Cluster experience with Memorystore for Valkey, which launches with all the GA capabilities of Memorystore for Redis Cluster. Similar to Memorystore for Redis Cluster, Memorystore for Valkey provides RDB and AOF persistence, zero-downtime scaling in and out, single- or multi-zone clusters, instantaneous integrations with Google Cloud, extremely low and dependable performance, and much more. Instances up to 14.5 TB are also available.

Memorystore for Valkey, Memorystore for Redis Cluster, and Memorystore for Redis have an exciting roadmap of features and capabilities.

The momentum of Valkey

Just days after Redis Inc. withdrew the Redis open-source license, the open-source community launched Valkey in collaboration with the Linux Foundation in March 2024 (1, 2, 3). Since then, they have had the pleasure of working with developers and businesses worldwide to propel Valkey into the forefront of key-value data stores and establish it as a premier open source software (OSS) project. Google Cloud is excited to participate in this community launch with partners and industry experts like Snap, Ericsson, AWS, Verizon, Alibaba Cloud, Aiven, Chainguard, Heroku, Huawei, Oracle, Percona, Ampere, AlmaLinux OS Foundation, DigitalOcean, Broadcom, Memurai, Instaclustr from NetApp, and numerous others. They fervently support open source software.

The Valkey community has grown into a thriving group committed to developing Valkey the greatest open source key-value service available thanks to the support of thousands of enthusiastic developers and the former core OSS Redis maintainers who were not hired by Redis Inc.

With more than 100 million unique active users each month, Mercado Libre is the biggest finance, logistics, and e-commerce company in Latin America. Diego Delgado discusses Valkey with Mercado Libre as a Software Senior Expert:

At Mercado Libre, Google Cloud need to handle billions of requests per minute with minimal latency, which makes caching solutions essential. Google Cloud especially thrilled about the cutting-edge possibilities that Valkey offers. They have excited to investigate its fresh features and add to this open-source endeavor.”

The finest is still to come

By releasing Memorystore for Valkey 7.2, Memorystore offers more than only Redis Cluster, Redis, and Memcached. And Google Cloud is even more eager about Valkey 8.0’s revolutionary features. Major improvements in five important areas performance, reliability, replication, observability, and efficiency were introduced by the community in the first release candidate of Valkey 8.0. With a single click or command, users will be able to accept Valkey 7.2 and later upgrade to Valkey 8.0. Additionally, Valkey 8.0 is compatible with Redis 7.2, exactly like Valkey 7.2 was, guaranteeing a seamless transition for users.

The performance improvements in Valkey 8.0 are possibly the most intriguing ones. Asynchronous I/O threading allows commands to be processed in parallel, which can lead to multi-core nodes working at a rate that is more than twice as fast as Redis 7.2. From a reliability perspective, a number of improvements provided by Google, such as replicating slot migration states, guaranteeing automatic failover for empty shards, and ensuring slot state recovery is handled, significantly increase the dependability of Cluster scaling operations. The anticipation for Valkey 8.0 is already fueling the demand for Valkey 7.2 on Memorystore, with a plethora of further advancements across several dimensions (release notes).

Similar to how Redis previously expanded capability through modules with restricted licensing, the community is also speeding up the development of Valkey’s capabilities through open-source additions that complement and extend Valkey’s functionality. The capabilities covered by recently published RFCs (“Request for Comments”) include vector search for extremely high performance vector similarly search, JSON for native JSON support, and BloomFilters for high performance and space-efficient probabilistic filters.

Former vice president of Gartner and principal analyst of SanjMo Sanjeev Mohan offers his viewpoint:

The advancement of community-led initiatives to offer feature-rich, open-source database substitutes depends on Valkey. Another illustration of Google’s commitment to offering really open and accessible solutions for customers is the introduction of Valkey support in Memorystore. In addition to helping developers looking for flexibility, their contributions to Valkey also support the larger open-source ecosystem.

It seems obvious that Valkey is going to be a game-changer in the high-performance data management area with all of the innovation in Valkey 8.0, as well as the open-source improvements like vector search and JSON, and for client libraries.

Valkey is the secret to an OSS future

Take a look at Memorystore for Valkey right now, and use the UI console or a straightforward gcloud command to establish your first cluster. Benefit from OSS Redis compatibility to simply port over your apps and scale in or out without any downtime.

Read more on govindhtech.com

THE Norton: 1969 Commando 750 powered “Domiracer” by Stéphane Bertet of @rusty_motors, inspired by the 961 Domiracer and built nearly from scratch from two boxes of parts containing the engine and gearbox: “I’m used to working on classic machines, so I wanted to build an old / new Domiracer — an old engine with appeal and character in a modern rolling frame.” Highlights include GSX-R1000 K9 suspension, @beringer_brakes_official brakes, 17-inch wheels with supermoto rubber, @motogadget electronics, a slew of custom-built parts (fenders, oil tank, chainguard, etc.), hand-built aluminum tank and tail from @cevennesretromotors, @usvracing yokes and axles, and much more. “An old charismatic British engine without any oil leaks in a modern frame!” Photos: @jeanfrancoismuguet. Full story today on BikeBound.com! ⚡️Link in Bio⚡️ https://instagr.am/p/Cmof4mfOAct/

Election Deception and Bicycles with Red Flags

        Election Deception and Bicycles with Red Flags

        Tuesday morning, 17 September 2024

        The first part of this dream is precursory cognizance modeling or proto-cognizance. That means my meandering dreaming mind is attempting to practice the discernment of text and contrasting information. It is the mental half of coming to my senses (attaining wakefulness).

        The second part of this dream is precursory vestibular modeling, establishing mind-body communication in an extraordinarily vivid event relating to leg motions and body mobility. It is the physical half of coming to my senses (attaining wakefulness plus mobility).

        The outcome includes coordination modeling (arm mobility), a predictable process in my dreams in my last stage of sleep as REM atonia lessens.

        My dream's foundation builds firstly on how Zsuzsanna and I sit on the couch together at night when watching movies on television - here, as two unfamiliar people who sit behind a service counter, illogically in what turns out to be the living room of the Loomis Street house (unseen since 1994) - though presently implied to be a public voting area and facing away from where the television was in the Loomis Street house in reality (a purposeful dream content reversal). They each have a long and narrow scroll listing each vote for Trump and each vote for Biden. The woman hands me a scroll to hold temporarily.

        I turn and walk to the right (where the couch I slept on in the Loomis Street house in Wisconsin was in reality - a purposeful dream content correlation - though it leads to a doorway in my dream, which corresponds with the south entrance of my elementary school in Florida - which corresponds with proto-cognizant staging and trying to discern text).

        Although they had said (to other people in the room) that most votes were for Biden, I vividly discern the name Trump in many rows when I open the scroll. After a short time, some instances of "TRUMP" change into "BDN," which I assume is Biden. However, there are only about five instances of it in one area. Most of the listings are still "TRUMP." I imagine going back to the counter and telling people about this, imagining there is now a news crew in the area, but consider that it would cause chaos. (The natural virtual amnesia of the dream state prevents the realization that Biden would not be a candidate in the upcoming election.)

        Realizing I was not supposed to read the scroll, I attempt to roll it back up but remain unsure which side to roll up even though it is still partly curved. (This total lapse of real-world cognizance has an additional failure of logic since it would be logical to roll it so the text would not be visible.)

         I go back inside and hand the scroll back to the woman. I walk out the Loomis Street house's back door.

        I briefly ride a bicycle to the middle of the yard. I vividly feel my legs pedaling it. I feel joy and peace. It is night even though it was morning seconds earlier. (This error is typical in dreams, often the result of my vestibular or somatosensory cortex suddenly becoming more active, where it is then sometimes because of focusing on imaginary movements or my sense of touch more than illusory imagery.) An unknown woman remains by the door. I sense she will be riding with me, but I am unaware of the destination. (This woman would be Zsuzsanna, with the doorway marking the division between the dream state and reality, though virtual amnesia is still ongoing.)

        I get off the bicycle because I recall a law requiring a red pennant flag on the back of one for safety reasons. I suddenly have one in my hands. I try to fit its thin pole into a circular recess by the chainguard (on the bicycle's left side), but it will not stay there. I try an area higher up near the baskets. It would only come up to my waist when on the bicycle (which I perceive in an offset dream, seeing the left side of my "other" body near only the waist area). My dream fades from here. (Red is typically a waking alert factor because of chromostereopsis - though also when I have slept too long or have an ongoing headache - but it often vanishes after waking and moving around.) Otherwise, my dream's content predictably builds upon the same causality (related to how I respond to the dream state itself, either intuitively or lucidly, since "dream interpretation" is an asinine myth) as it has been for over 50 years - but the narratives are usually fascinating and unique.

House of Toes is offering the best kids cycle online at a competitive rate. Buy now and give your kids the wings of joy. Their bicycles come with a backrest, chainguard, adjustable seat, mudguard, and alloy structure-like safety features; a water bottle holder with a water bottle is an extra-added bonus.

Top 10 Kids Cycles of 2024

As we move into 2024, parents are more focused than ever on choosing the perfect kids cycle that combines safety, durability, and style. The market for kids cycles has evolved significantly, offering a wide range of options designed to cater to different age groups, preferences, and skill levels.

In this blog, we’ll highlight the top 10 kids cycles of 2024, helping you make an informed decision for your child's next ride.

1. R for Rabbit Tiny Toes Jazz Kids Cycle

One of the standout options in 2024 is the kids cycle from R for Rabbit. The Tiny Toes Jazz model is designed for toddlers and young children, offering a perfect blend of safety and style. It features a plug-and-play design, making assembly a breeze for parents. The cycle is equipped with sturdy training wheels, a comfortable seat, and vibrant colors that appeal to kids. It’s an ideal choice for those looking to introduce their little ones to cycling.

2. Schwinn Koen Kids Bike

The Schwinn Koen is a reliable option for children aged 3 to 7 years. Known for its sturdy frame and easy-to-use coaster brakes, this cycle is perfect for beginners. The adjustable seat and handlebars allow the bike to grow with your child, ensuring they get years of use out of it. The lightweight frame makes it easy for kids to handle, while the wide tires provide stability on various terrains.

3. RoyalBaby Freestyle Kids Bike

The RoyalBaby Freestyle is a versatile and durable kids cycle designed for active children. Available in multiple sizes, this bike features a steel frame, front caliper brake, and rear coaster brake, ensuring maximum safety. The removable training wheels and adjustable seat make it a great option for children transitioning from beginner to intermediate riders.

4. Strider 12 Sport Balance Bike

For younger children learning to balance, the Strider 12 Sport Balance Bike is a top choice. This pedal-less bike is perfect for kids aged 18 months to 5 years. It helps them develop balance and coordination before moving on to a pedal bike. The lightweight design, adjustable seat, and handlebar height make it a popular choice among parents and children alike.

5. WOOM 2 Pedal Bike

The WOOM 2 is designed specifically for kids transitioning from a balance bike to a pedal bike. It features a lightweight aluminum frame, ergonomic design, and easy-to-use hand brakes. The bike’s low center of gravity and short cranks make pedaling easy for young riders, promoting confidence and control.

6. Raleigh Jazzi 16-Inch Kids Bike

The Raleigh Jazzi is an excellent choice for children aged 4 to 6 years. With its stylish design and durable construction, this kids cycle offers a comfortable and safe ride. The bike comes with removable training wheels, a chainguard to protect little fingers, and a padded seat for added comfort during longer rides.

7. Guardian Ethos Kids Bike

Safety is the primary focus of the Guardian Ethos Kids Bike. It features a patented SureStop braking system that prevents the bike from tipping over during sudden stops. This kids cycle is available in various sizes and colors, making it suitable for children of different ages and preferences. The lightweight frame and easy-to-use features make it an excellent choice for both beginners and more experienced riders.

8. Huffy Moto X Kids Bike

The Huffy Moto X is a rugged kids cycle designed for adventurous children. With its BMX-style frame, this bike is built to handle rough terrains and provide an exhilarating ride. The padded seat, front pegs, and durable tires make it a great option for kids who love to explore the outdoors.

9. Mongoose Legion Freestyle BMX Bike

For older kids interested in BMX riding, the Mongoose Legion Freestyle is a fantastic option. This bike is designed for tricks and stunts, featuring a sturdy steel frame, rear U-brakes, and a 360-degree brake rotor. It’s perfect for kids who want to take their cycling skills to the next level and enjoy BMX-style riding.

10. Btwin 100 14-Inch Kids Bike

The Btwin 100 is a budget-friendly kids cycle that doesn’t compromise on quality. It’s ideal for children aged 3 to 5 years, offering a simple design with training wheels, a bell, and a chainguard. The lightweight frame and easy handling make it a great first bike for young riders.

Complementing Cycling with Other Activities

Cycling is a fantastic way to keep your child active, but it’s also important to mix in other physical activities. Consider incorporating Indoor and Outdoor Games into your child’s routine to promote overall fitness and coordination. These activities can provide a fun balance to cycling and help your child develop a variety of skills.

Conclusion

Choosing the right kids cycle in 2024 means considering factors like age, size, safety features, and style. The bikes listed here represent the best in the market, offering options for every type of young rider. Whether your child is just starting out or ready to tackle more advanced rides, there’s a perfect bike on this list to suit their needs.

Chainguard raises $140 million to strengthen open source software security

http://securitytc.com/TB3NSq

Microsoft, NVIDIA, Google e altri formano la Coalizione per l'intelligenza artificiale sicura (CoSAI)

La Coalition for Secure AI (CoSAI), un nuovo organismo del settore, è stata annunciata oggi all’Aspen Security Forum. I fondatori Premier Sponsor di CoSAI includono Google, IBM, Intel, Microsoft, NVIDIAe PayPal. Anche Amazon, Anthropic, Cisco, Chainguard, Cohere, GenLab, OpenAI e Wiz sono sponsor fondatori. Questa iniziativa open source mira a offrire una guida attraverso metodologie open…

Elevate Your Ride with Elegance

Dive into the world of customization with our stunning, USA-made wooden fenders and chain guards! Crafted with precision in our factory, these accessories are designed to turn your electric bike into a masterpiece reminiscent of a luxury yacht adorned with exquisite wood trim.

Choose from a palette of beautiful colors to design your dream e-bike today! Our accessories not only enhance the look of your stylish cruisers but also offer all-weather protection, ensuring your ride is both glamorous and durable.

Swipe to see how you can transform your ride and visit [our website](https://electricbikecompany.com/?utm_source=Social+Media&utm_medium=Sean&utm_campaign=Sean) to start designing your personalized electric bike with our premium wooden accessories.

#ElectricBikes #CustomEBikes #WoodenFenders #ChainGuards #EbikeStyle #LuxuryCycling #SustainableRiding #MadeInUSA #DesignYourRide #ElectricBikeCompany #BestEBikes #EbikeLovers #BikeCustomization

FX 2 Disc - 2021, X-Large

FX 2 Disc (Satin Lithium Grey) 2022 Brand: Trek Type: Hybrid Bikes Gender: Unisex Material: Aluminum Racks: No Racks Gearing Type: External Gearing Braking Type: Disc Brakes Item condition: New Availability: Pick Up In Store, Buy online ID: 254698605

Specifications

Fork: FX Alloy, flat mount disc, rack mounts, 405 mm axle-to-crown, ThruSkew 5mm QR Stem: Bontrager alloy, 31.8mm, Blendr compatible, 7 degree, Size XS, S, M: 90mm length, Size L, XL, XXL: 100mm length Brake: Tektro HD-R280 hydraulic disc, flat mount, 160mm rotor Chain / Belt: KMC X9 Frame: Alpha Gold Aluminum, DuoTrap S compatible, internal cable routing, flat mount disc, rack & fender mounts, 135x5mm QR Grips: Bontrager Satellite Tires: Bontrager H2 Comp, wire bead, 30 tpi, 700x35mm Pedals: Bontrager City pedals Rotors: Max brake rotor sizes: 160mm front & rear Saddle: Bontrager Sport Wheels: Bontrager Connection, double-wall, 32-hole, 20 mm width, Schrader valve Headset: 1 1/8'' steel threadless Cassette: Shimano HG200, 11-36, 9 speed Shifters: Shimano Altus M2010, 9 speed / Shimano Altus M2010, 2 speed * Handlebar: Bontrager alloy, 31.8mm, 15mm rise, Size XS, S, M: 600mm width, Size L, XL, XXL: 660mm width Seat Post: Bontrager alloy, 27.2mm, 12mm offset, 330mm length Bottom Bracket: Sealed cartridge, 68mm Rear Derailleur: Shimano Altus M2000, long cage Weight*: M - 11.73 kg / 25.87 lbs Crank: Forged alloy, 46/30, chainguard, 170mm length Rear Hub: Formula DC-22, alloy, 6-bolt, Shimano 8/9/10 freehub, 135x5mm QR Front Hub: Formula DC-20, alloy, 6-bolt, 5x100mm QR Front Derailleur: Shimano Acera T3000, 34.9mm clamp, top swing, dual pull Rear Axis: 152x5mm QR Front Axis: 130x5mm QR, ThruSkew Maximum Weight Allowed: This bike has a maximum total weight limit (combined weight of bicycle, rider, and cargo) of 300 pounds (136 kg).

Exchange, Returns, and Refunds Policy

Exchange, Returns, and Refunds Policy Product specifications may be subject to errors and technical changes.

Chainguard Images now available on Docker Hub

https://www.chainguard.dev/unchained/chainguard-images-now-available-on-docker-hub

Endor Labs Joins Race to Secure Software Supply Chain

Endor Labs Joins Race to Secure Software Supply Chain

Home › Cyberwarfare Endor Labs Joins Race to Secure Software Supply Chain By Ryan Naraine on October 10, 2022 Tweet It’s officially a venture capital funding frenzy in the software supply chain security space. Less than two weeks after Ox Security banked a whopping $34 million in seed-stage financing, a new Silicon Valley startup called Endor Labs announced the closing of a $25 million seed round…

View On WordPress

Introducing CoSAI And Founding Member Organisations

AI requires an applied standard and security framework that can keep up with its explosive growth. Since Google was aware that this was only the beginning, Google released the Secure  AI Framework (SAIF) last year. Any industrial framework must, of course, be operationalized through close cooperation with others, and above all, a forum.

Together with their industry colleagues, Google is launching the Coalition for Secure AI (CoSAI) today at the Aspen Security Forum. Over the past year, Google have been trying to bring this coalition together in order to achieve comprehensive security measures for addressing the particular vulnerabilities associated with AI, for both immediate and long-term challenges.

Creating Safe AI Systems for Everyone

In order to share best practices for secure  AI deployment and work together on AI security research and product development, the Coalition for Secure  AI (CoSAI) is an open ecosystem of AI and security specialists from top industry organisations.

What is CoSAI?

Collective action is necessary for security, and using AI itself is the greatest approach to secure AI. Individuals, developers, and businesses must all embrace common security standards and best practices in order to engage in the digital ecosystem securely and ensure that it is safe for all users. AI is not an exception. In order to address this, a diverse ecosystem of stakeholders came together to form the Coalition for Secure  AI (CoSAI), which aims to build technical open-source solutions and methodologies for secure  AI development and deployment, share security expertise and best practices, and invest in AI security research collectively.

In partnership with business and academia, CoSAI will tackle important AI security concerns through a number of vital workstreams, including initiatives like:

AI Systems’ Software Supply Chain Security

Getting Defenders Ready for a Changing Security Environment

Governance of AI Security

How It Benefits You

By taking part in CoSAI, you may get in touch with a thriving network of business executives who exchange knowledge and best practices about the development and application of safe  AI. By participating, you get access to standardised procedures, collaborative efforts in  AI security research, and open-source solutions aimed at enhancing the security of AI systems. In order to strengthen the security and trust of AI systems inside your company, CoSAI provides tools and guidelines for putting strong security controls and mitigations into place.

Participate!

Do you have any questions regarding CoSAI or would you like to help with some of Google’s projects? Any developer is welcome to participate technically for no cost. Google is dedicated to giving each and every contributor a transparent and friendly atmosphere. Become a CoSAI sponsor to contribute to the project’s success by financing the essential services that the community needs.

CoSAI will be headquartered under OASIS Open, the global standards and open source organisation, and comprises founding members Amazon, Anthropic, Chainguard, Cisco, Cohere, GenLab, IBM,  Intel, Microsoft, NVIDIA, OpenAI, Paypal, and Wiz.

Announcing the first workstreams of CoSAI

CoSAI will support this group investment in  AI security as people, developers, and businesses carry out their efforts to embrace common security standards and best practices. Additionally, Google is releasing today the first three priority areas that the alliance will work with business and academia to address:

Software Supply Chain Security for  Artificial Intelligence Systems: Google has been working to expand the use of SLSA Provenance to  AI models in order to determine when AI software is secure based on the way it was developed and managed along the software supply chain. By extending the current efforts of SSDF and SLSA security principles for AI and classical software, this workstream will strive to improve  AI security by offering guidance on analysing provenance, controlling risks associated with third-party models, and examining the provenance of the entire AI application.

Getting defenders ready for an evolving cybersecurity environment: Security practitioners don’t have an easy way to handle the intricacy of security problems when managing daily AI governance. In order to address the security implications of  AI use, this workstream will offer a framework for defenders to identify investments and mitigation strategies. The framework will grow mitigation measures in tandem with the development of AI models that progress offensive cybersecurity.

AI security governance: Managing AI security concerns calls for a fresh set of tools and knowledge of the field’s particularities. To assist practitioners in readiness assessments, management, monitoring, and reporting of the security of their AI products, CoSAI will create a taxonomy of risks and controls, a checklist, and a scorecard.

In order to promote responsible  AI, CoSAI will also work with groups like the Partnership on AI, Open Source Security Foundation, Frontier Model Forum, and ML Commons.

Next up

Google is dedicated to making sure that as  AI develops, efficient risk management techniques do too. The industry support for safe and secure AI development that Google has witnessed over the past year is encouraging. The efforts being made by developers, specialists, and large and small businesses to assist organisations in securely implementing, training, and utilising AI give them even more hope.

AI developers require and end users should have access to a framework for AI security that adapts to changing circumstances and ethically seizes opportunities. The next phase of that journey is CoSAI, and in the upcoming months, further developments should be forthcoming. You can go to coalitionforsecureai.org to find out how you can help with CoSAI.

Read more on Govindhtech.com

Boosting faith in the authenticity of open source software

New Post has been published on https://thedigitalinsider.com/boosting-faith-in-the-authenticity-of-open-source-software/

Boosting faith in the authenticity of open source software

Open source software — software that is freely distributed, along with its source code, so that copies, additions, or modifications can be readily made — is “everywhere,” to quote the 2023 Open Source Security and Risk Analysis Report. Ninety-six percent of the computer programs used by major industries include open source software, and 76 percent of those programs consist of open source software. But the percentage of software packages “containing security vulnerabilities remains troublingly high,” the report warned.

One concern is that “the software you’ve gotten from what you believe to be a reliable developer has somehow been compromised,” says Kelsey Merrill ’22, MEng ’23, a software engineer who received a master’s degree earlier this year from MIT’s Department of Electrical Engineering and Computer Science. “Suppose that somewhere in the supply chain, the software has been changed by an attacker who has malicious intent.”

The risk of a security breach of this sort is by no means abstract. In 2020, to take a notorious example, the Texas company SolarWinds made a software update to its widely used program called Orion. Hackers broke into the system, inserting pernicious code into the software before SolarWinds shipped the latest version of Orion to more than 18,000 customers, including Microsoft, Intel, and roughly 100 other companies, as well as a dozen U.S. government agencies — including the departments of State, Defense, Treasury, Commerce, and Homeland Security. In this case, the product that was corrupted came from a large commercial company, but lapses may be even more likely to occur in the open source realm, Merrill says, “where people of varying backgrounds — many of whom are hobbyists without any security training — can publish software that gets used around the world.”

Now, she and three collaborators — her former advisor Karen Sollins, a principal research scientist at the MIT Computer Science and Artificial Intelligence Laboratory; Santiago Torres-Arias, an assistant professor of computer science at Purdue University; and Zachary Newman SM ’20, a research scientist at Chainguard Labs — have developed a new system called Speranza, which is aimed at reassuring software consumers that the product they are getting has not been tampered with and is coming directly from a source they trust.

“What we have done,” explains Sollins, “is to develop, prove correct, and demonstrate the viability of an approach that allows the [software] maintainers to remain anonymous.” Preserving anonymity is obviously important, given that almost everyone — software developers included — values their confidentiality. This new approach, Sollins adds, “simultaneously allows [software] users to have confidence that the maintainers are, in fact, legitimate maintainers and, furthermore, that the code being downloaded is, in fact, the correct code of that maintainer.”

So how can users confirm the genuineness of a software package in order to guarantee, as Merrill puts it, “that the maintainers are who they say they are?” The classical way of doing this, which was invented more than 40 years ago, is by means of a digital signature, which is analogous to a handwritten signature — albeit with far greater built-in security through the use of various cryptographic techniques.

To carry out a digital signature, two “keys” are generated at the same time — each of which is a number, composed of zeros and ones, that is 256 digits long. One key is designated “private,” the other “public,” but they constitute a pair that is mathematically linked. A software developer can use their private key, along with the contents of the document or computer program, to generate a digital signature that is attached exclusively to that document or program. A software user can then use the public key — as well as the developer’s signature, plus the contents of the package they downloaded — to verify the package’s authenticity.

Validation comes in the form of a yes or a no, a one or a zero. “Getting a one means that the authenticity has been assured,” Merrill explains. “The document is the same as when it was signed and is hence unchanged. A zero means something is amiss, and you may not want to rely on that document.”

Although this decades-old approach is tried and true in a sense, it is far from perfect. One problem, Merrill notes, “is that people are bad at managing cryptographic keys, which consist of very long numbers, in a way that is secure and prevents them from getting lost.” People lose their passwords all the time, Merrill says. “And if a software developer were to lose the private key and then contact a user saying, ‘Hey, I have a new key,’ how would you know who that really is?”

To address those concerns, Speranza is building off of “Sigstore” — a system introduced last year to enhance the security of the software supply chain. Sigstore was developed by Newman (who instigated the Speranza project) and Torres-Arias, along with John Speed Meyers of Chainguard Labs. Sigstore automates and streamlines the digital signing process. Users no longer have to manage long cryptographic keys but are instead issued ephemeral keys (an approach called “keyless signing”) that expire quickly — perhaps within a matter of minutes — and therefore don’t have to be stored.

A drawback with Sigstore stems from the fact that it dispensed with long-lasting public keys, so that software maintainers instead have to identify themselves — through a protocol called OpenID Connect (OIDC) — in a way that can be linked to their email addresses. That feature, alone, may inhibit the widespread adoption of Sigstore, and it served as the motivating factor behind — and the raison d’etre for — Speranza. “We take Sigstore’s basic infrastructure and change it to provide privacy guarantees,” Merrill explains.

With Speranza, privacy is achieved through an original idea that she and her collaborators call “identity co-commitments.” Here, in simple terms, is how the idea works: A software developer’s identity, in the form of an email address, is converted into a so-called “commitment” that consists of a big pseudorandom number. (A pseudorandom number does not meet the technical definition of “random” but, practically speaking, is about as good as random.)

Meanwhile, another big random number — the accompanying commitment, or co-commitment — is generated that is associated with a software package that this developer either created or was granted permission to modify. In order to demonstrate to a prospective user of a particular software package as to who created this version of the package and signed it, the authorized developer would publish a proof that establishes an unequivocal link between the commitment that represents their identity and the commitment attached to the software product. The proof that is carried out is of a special type, called a zero-knowledge proof, which is a way of showing, for instance, that two things have a common bound, without divulging details as to what those things — such as the developer’s email address — actually are.

“Speranza ensures that software comes from the correct source without requiring developers to reveal personal information like their email addresses,” comments Marina Moore, a PhD candidate at the New York University Center for Cyber Security. “It allows verifiers to see that the same developer signed a package several times without revealing who the developer is or even other packages that they work on. This provides a usability improvement over long-term signing keys, and a privacy benefit over other OIDC-based solutions like Sigstore.”

Marcela Mellara, a research scientist in the Security and Privacy Research group at Intel Labs, says, “This approach has the advantage of allowing software consumers to automatically verify that the package they obtain from a Speranza-enabled repository originated from an expected maintainer, and gain trust that the software they are using is authentic.”

A paper about Speranza was presented at the Computer and Communications Security Conference in Copenhagen, Denmark.