Harbor, the open-source container image registry, has reached version 2.0, becoming the first open-source registry to fully support the Open Container Initiative (OCI) specification.

There are quite a few registries that allow you to store container images which represent blueprints for launching containerized applications and other cloud app artifacts that describe related metadata like Helm charts, OPAs (Open Policy Agents), and other configuration-related files.

Perhaps the best known is the open source Docker Registry and Docker Hub, a hosted implementation of that code.

There's also Portus, an authorization server and front-end for Docker Registry made by SUSE. And there are various commercial offerings from cloud providers like Alibaba Container Registry, Amazon Elastic Container Registry (ECR), Azure Container Registry, GitLab Container Registry, Google Container Registry, and Red Hat Quay.

Harbor was developed by VMware and put under the oversight of the Cloud Native Computing Foundation in 2018. It's used by thousands of enterprise organizations that want to run their own container image registries, said Michael Michael, director of product management at VMware and Harbor maintainer, in an interview with The Register.

The OCI defines an image specification, for building the application, and a runtime specification, for creating the application environment.

So Harbor's OCI-compliance means that it supports the full set of APIs for defining what can be stored in a Harbor registry.

"Now you have more ways to describe what a container image looks like and how it can be deployed," said Michael. "It enables you to store in any OCI-complaint registry all of the cloud-native artifacts that are important to you."

These cloud-native artifacts, he explained, allow policy rules to be applied to ensure that containers are handled securely.

Version 2.0 brings several noteworthy features.

For example, Harbor now supports the OCI image index specification, by which platform-specific versions of an image can be declared via an index. Also, charts for Helm, the Kubernetes package manager, can now be stored within Harbor, using Helm v3, instead of separately in a Helm-specific repository known as Chart Museum.

Also, the Clair image scanner, which looks for vulnerabilities in Harbor-stored images, is being replaced, though it will still be supported.

"We're making Aqua's image scanner Trivy the default scanner for all your projects," said Michael.

Version 2.0 adds the ability to set expiration dates on individual robot accounts, instead of just a single system-wide setting. It also introduces the ability to configure Harbor services to use SSL, a significant security improvement.

And it adds the ability to trigger webhooks API callbacks individually, so users can configure them, on a project basis, to target HTTP or Slack.

Michael said the 2.0 update also lays the groundwork for future improvements to how Harbor handles container image garbage collection containers create a lot of files that need to be removed. The Docker model of garbage collection, he said, isn't scalable because it adds downtime. Harbor now tracks all the layers in an image and in the future will be able to handle garbage collection without downtime.

Sponsored: Webcast: Build the next generation of your business in the public cloud

More:
We'd love to come up with a Harbor container ship pun but we're too corona-frazzled. Version 2.0 is out - The Register

The disruptive attacks highlight what some cyber experts say is an overlooked or underestimated threat vector among developers: Infrastructure-as-Code (IaC). Considered a key element of DevOps practices, IaC tools such as Salt typically allow developers to use code to automate the managing and provision of complex computer infrastructure environments, helping them avoid configuration discrepancies between machines that can hold up software deployments that might otherwise require manual intervention. But its these helpful capabilities that can also make the exploitation of IaC tools uniquely dangerous.

To understand the potential implications of an IaC, one must remember that IaC is designed to accomplish two fundamental objectives:consistency and speed, said Bill Santos,president and COO ofCerberus Sentinel. IaC tools are designed to quickly deploy and update large environments in a very standardised way very quickly.The implication to an exploited IaC is significant:Whereas the consistency and speed is advantageous for approved changes, an exploited change will get deployed equally quickly and equally consistently across that same environment, dramatically increasing its impact vs. other exploit approaches.

Santos added that many developers are not appreciating the importance of IaC code and are not reviewing it, testing it, etc. at the same level they would application-level code.And in so doing, they are creating or increasing a very real threat vector.

Therefore, Its important to elevate the significance of any automation code, especially IaC code, within the context of the development lifecycle, said Santos. It is not second class code, but rather carries the same importance and significance as any other code supporting an application. It needs to be reviewed, tested and assured in a [manner] similar to every other element of an application architecture.

Indeed, in the recently released Spring 2020 edition of theUnit 42 Cloud Security Report, researchers with Palo Alto Networkss global threat intel team warned that developers are failing to scan IAC templates for security issues whenever they are created or updated, which raises the likelihood of encountering exploitable cloud vulnerabilities.

We found that nearly 200,000 IaC templates contained at least one vulnerability or misconfiguration, which range in severity from exposing systems to the public to disabling encryption and logging requirements. So yes, IaC is often overlooked as a serious threat vector, said Nathaniel Quist senior cloud threat researcher with Unit 42.As an industry, we should encourage all organisations to employ the proper implementation of IaC templates within a vetted and secure CI/CD Development Operations using Cloud Native Security Platforms (CNSP). IaC templates greatly increase the speed at which organisations can deploy business-critical applications, but without proper security oversight, they could also increase the speed in which they open themselves up for malicious attacks.

The various attacks took place after adversaries scanned the internet looking for Salt masters servers used to control minions that carry out tasks for the IaC tool that were both exposed over the internet and vulnerable to the two bugs. Users are vulnerable to exploit only if these conditions are met.

Ghost on May 3reportedan outage affecting its services, later reporting that an actor exploited vulnerabilities in its Salt server management infrastructure to install cryptojacking software. The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately, the blogging platform stated.

In a subsequent update, Ghost said it removed the cryptominer and added multiple new firewalls and security precautions, the introduction of which ironically further disrupted customer blog sites temporarily. At this time there is no evidence of any attempts to access any of our systems or data, Ghost asserted. Nevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.

Jeremy Rowley, VP of business development at DigiCert, reported via a May 3Google Groups postthat a CT (Certificate Transparency) Log 2 key used to sign Signed Certificate Timestamps was compromised.

We are pulling the log into read-only mode right now, the post said.Although we dont think the key was used to sign SCTs (the attacker doesnt seem to realise that they gained access to the keys and were running other services on the [infrastructure]), any SCTs provided from that log after 7pm MST yesterday are suspect. The log should be pulled from the trusted log list. Rowley later said in an update that the log should be distrusted for everything after 17:00:02 on May 2.

And LineageOSreportedthat on 2 May, a malicious actor accessed its Salt master to gain access to our infrastructure. LineageOSs services were knocked temporarily offline, forcing the developer to restore them in piecemeal fashion. However, signing keys and builds were unaffected.

Researchers with F-Secure, who discovered the flaws, reported last Friday in ablog postand correspondingadvisorythat attackers could exploit the bugs to bypass the authentication and authorisation controls used to regulate access to Salt implementations and then remotely execute code with root privileges on the master, allowing for control of all its minions.

Patch by Friday or compromised by Monday, said F-Secure principal consultantOlle Segerdahl in the blog post.

F-Secure says it conducted its own scan and found 6,000 instances of exposed Salt masters. I was expecting the number to be a lot lower. Theres not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet, said Segerdahl.

However, Alex Peay, SVP of product at SaltStack, characterized the 6,000 instances as a very small portion of the [Salt] install base, adding that Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability.

According to SaltStacks officialadvisory, the two bugs, designated CVE-2020-11651 and CVE-2020-11652, were discovered in the salt-master process ClearFunc class of Salt versions prior to 2019.2.4 and 3000.2. The former bug is due to the improper validation of method calls, and allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions, the advisory states. The other flaw allows access to methods that improperly sanitise paths. These methods allow arbitrary directory access to authenticated users, the advisory continues.

In a patch issued at the end of April, Salt fixed the validation process. However, attackers did not waste time taking advantage of users who did not immediately update one of the patched, secure versions.

Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorised users since the release of the patches, said Peay. We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.

James McQuiggan, security awareness advocate atKnowBe4, said that the Salt vulnerabilities can be abused for a lot worse than just the reported cryptomining scam.

If organisations do not update their SaltStack, they are exposed to an attack where malware, ransomware or attack vectors can be initiated to gain control, steal intellectual property or hold an organisations data for ransom, said McQuiggan. Incident response for organisations needs to be swift to implement testing and patching of the servers using SaltStack. If they cannot be updated, additional steps will be required to reduce access on applications, users and systems to only those necessary and required for access.

Quist from Unit offered these key takeaways for IaC users: Trust but verify all network operations. All user access events should be monitored and only authorised users should be given access. Changes or updates to all Salt master or minion nodes need to be vetted to ensure no security risks are present. No changes should be allowed to occur to any Salt IaC template without approval and changes need to be verified for integrity. All requests for change need to be properly authenticated and their integrity needs to be verified.

This article was first published in SC US.

See more here:
Patch by Friday or compromised by Monday: Salt exploit exposes Infrastructure-as-Code tools threat - SC Magazine UK

It is just over a year since South Koreas SK Telecom launched the worlds first commercial 5G service, on April 3, 2019. In a recent announcement to mark the anniversary, the company, which is the country's mobile market leader, revealed 5G progress subscriber base of 2.2 million and 45 percent market share as well as its plans to deliver business growth with the fifth-generation cellular technology over the next few years.

While in the consumer realm those plans include Project xCloud, a step change in the mobile gaming experience enabled by via 5Gs high-speed, high-bandwidth connections to cloud servers, SK Telecom is placing a particularly strong focus on the enterprise segment by working with companies in diverse sectors in order to, in its words, catalyse industrial innovations in Korea.

Those collaborations include one with semiconductor giant SK Hynix to develop a smart factory based on a private 5G network deployment; with Korea Hydro & Nuclear Power (KHNP) to realize a 5G smart power plant; and with LG Electronics to develop and commercialize 5G cloud-based autonomous robots.

Significantly, SK Telecoms 5G anniversary announcement also detailed its plans to build 5G MEC (multi-access edge computing) centers in 12 different locations across the country in order to lead a cloud-driven industrial revolution. As defined by ETSI (European Telecommunications Standards Institute), multi-access edge computing is an IT service environment provided at the edge of a mobile network and characterized by ultra-low latency, high bandwidth and real-time access to radio network information for leverage by applications.

In the context of industrial 5G, MEC allows communications from factories to/from cloud-server hosted applications to meet critical latency requirements by removing the latency component associated with directly connecting to cloud computing infrastructure sited at distant data centers, and hence enables the flexible and unfettered use of productivity and quality enhancing technologies such as augmented and virtual reality (AR/VR), machine vision and robotics.As well as the distributed type of MEC that SK Telecom is deploying at its own premises, MEC can also be implemented on-site at individual end user facilities, which can help to ease data security and privacy concerns as well as further reduce latency.

The aforementioned SK Telecom/LG Electronics 5G cloud-based autonomous robot project intends to make use of MEC technology, while SK Telecom competitor KT plans to use MEC in a collaboration with Cognex to develop a 5G based machine vision solution and also with Hyundai Heavy Industries to integrate 5G technology in the development of autonomous robots and smart factory facilities. According to company chairman Hwang Chang-Gyu, KT's edge-cloud architecture has led to the establishment of edge-computing telecom centers in major cities across the country, lowering the 5G latency to a 5 ms level.

Of course, multi-access edge computing activities are not restricted to Korea. Mobile operators of the likes of AT&T and Verizon in the US and Deutsche Telekom and Vodafone in Europe are all at various stages of MEC deployments and are actively exploring and promoting use cases that can best leverage the technology. Verizon, for example, touts the following potential applications for 5G + MEC: autonomous vehicles; immersive experiences (AR/VR); massive IoT (MIoT); connected factories; next-level logistics; and smart communities (public safety, transit, utilities, citizen engagement).

It is not surprising that the major cellular network technology suppliers such as Ericsson, Huawei and Nokia have developed MEC solutions for their telco customers. However, the market is also seeing activity from new entrants and non-traditional telecoms industry players. SK Telecom, for example, is partnering with MobiledgeX, a company funded by Deutsche Telekom but independently run in San Francisco, for its MEC deployments. Verizon is making use of Amazons AWS Wavelength 5G edge computing platform, which was launched in December 2019. And AT&T has an edge computing collaboration with Microsoft, building on a broader partnership between the two companies announced last year at MWC 2019 in Barcelona.

Follow this link:
Industrial 5G and the Mobile Edge - ARC Viewpoints

LONDON--(BUSINESS WIRE)--Technavio has been monitoring the rugged servers market and it is poised to grow by USD 546.29 million during 2020-2024, progressing at a CAGR of about 5% during the forecast period. The report offers an up-to-date analysis regarding the current market scenario, latest trends and drivers, and the overall market environment.

Technavio suggests three forecast scenarios (optimistic, probable, and pessimistic) considering the impact of COVID-19. Please Request Latest Free Sample Report on COVID-19 Impact

The market is fragmented, and the degree of fragmentation will accelerate during the forecast period. Core Systems, Crystal Group Inc., Dell Technologies Inc., EMET Computing, Enoch Systems LLC, International Business Machines Corp., Mercury Systems Inc., Sparton Corp., Systel Inc., and Trenton Systems Inc. are some of the major market participants. The increased adoption of cloud applications will offer immense growth opportunities. To make the most of the opportunities, market vendors should focus more on the growth prospects in the fast-growing segments, while maintaining their positions in the slow-growing segments.

Increased adoption of cloud applications has been instrumental in driving the growth of the market.

Rugged Servers Market 2020-2024: Segmentation

Rugged Servers Market is segmented as below:

To learn more about the global trends impacting the future of market research, download a free sample: https://www.technavio.com/talk-to-us?report=IRTNTR40500

Rugged Servers Market 2020-2024: Scope

Technavio presents a detailed picture of the market by the way of study, synthesis, and summation of data from multiple sources. Our rugged servers market report covers the following areas:

This study identifies the emergence of containerized data centers as one of the prime reasons driving the rugged servers market growth during the next few years.

Rugged Servers Market 2020-2024: Vendor Analysis

We provide a detailed analysis of vendors operating in the rugged servers market, including some of the vendors such as Core Systems, Crystal Group Inc., Dell Technologies Inc., EMET Computing, Enoch Systems LLC, International Business Machines Corp., Mercury Systems Inc., Sparton Corp., Systel Inc., and Trenton Systems Inc. Backed with competitive intelligence and benchmarking, our research reports on the rugged servers market are designed to provide entry support, customer profile and M&As as well as go-to-market strategy support.

Register for a free trial today and gain instant access to 17,000+ market research reports.

Technavio's SUBSCRIPTION platform

Rugged Servers Market 2020-2024: Key Highlights

Table Of Contents:

Executive Summary

Market Landscape

Market Sizing

Five Forces Analysis

Market Segmentation by End-user

Customer landscape

Geographic Landscape

Drivers, Challenges, and Trends

Vendor Landscape

Vendor Analysis

Appendix

About Us

Technavio is a leading global technology research and advisory company. Their research and analysis focus on emerging market trends and provides actionable insights to help businesses identify market opportunities and develop effective strategies to optimize their market positions. With over 500 specialized analysts, Technavios report library consists of more than 17,000 reports and counting, covering 800 technologies, spanning across 50 countries. Their client base consists of enterprises of all sizes, including more than 100 Fortune 500 companies. This growing client base relies on Technavios comprehensive coverage, extensive research, and actionable market insights to identify opportunities in existing and potential markets and assess their competitive positions within changing market scenarios.

Continue reading here:
Analysis on Impact of COVID-19- Rugged Servers Market 2020-2024 | Increased Adoption of Cloud Applications to Boost Growth | Technavio - Business Wire

As an increasing number of students and employees accomplish daily tasks from home, this additional internet usage has combined with gaming and streaming needs to bring about the most significant IT energy crisis of modern times. While it's easy to forget, keeping websites like Google, Facebook, and Netflix online requires an incredible amount of electrical energy, and the Neutrino Energy Group proposes that neutrino-derived electricity could be used to push server technology away from fossil fuels and toward true sustainability.Does IT Electrical Demand Damn Sustainable Energy to Fringe Applications?According to IT writer Mark Mills, the recent global lockdown clearly illustrates how our digital energy use is directly tied to future economic health. While gasoline consumption went down nearly 30 percent during the first week of lockdown in the United States, for instance, overall electrical consumption only decreased by seven percent. These figures actually indicate increased overall energy use across all sources, demonstrating how our ability to fuel online interactions will determine the viability of global technological society over the next few decades.At present, fossil fuels are the only energy technology capable of sustaining our combined internet needs. While existing renewable energy technologies can take some of the burden away from oil and coal, making a complete switch to renewables at this stage would cause the internet to collapse around the world.According to Mills, it is still "prohibitively expensive" to produce reliable energy from solar and wind farms since these energy technologies depend on specific environmental conditions to operate. What this seasoned tech author fails to point out, however, is the significant decrease in voltage that occurs when electricity is transported from sustainable energy farms to the server banks that operate the global cloud.On-Site Renewable Energy Generation Is RequiredIn 2015, two of the world's most prominent energy physics researchers independently discovered that neutrinos have mass, making these ethereal particles serious targets of sustainable energy research. Unlike wind or solar farms, neutrino-based energy technologies can operate anywhere, anytime regardless of environmental conditions.The neutrinovoltaic technology developed by the Neutrino Energy Group derives electrical energy from neutrinos, which are invisible and bombard the Earth in roughly equal numbers every moment of every day, instead of drawing energy from the visible spectrum of light.The revolutionary technology developed by the Neutrino Energy Group harvests a small amount of the kinetic energy of neutrinos as they pass through everything we see, and this kinetic-energy is then transformed into electricity.Solar cells can not be stacked on top of each other since they can only operate when they are unblocked from the suns rays. This design flaw ist not suffered by Neutrinvoltaic cells which means they can be stacked on top of each other with the bottom cells generating just as much electrical power as the cells on top.Neutrino Inside devices could operate mere centimeters away from server banks, eliminating voltage-over-distance energy decreases. In fact, Holger Thorsten Schubart,founder of the Neutrino Energy Group, even proposes that Neutrino Energy could be modified to fit inside existing technologies like cloud servers.Support the Neutrino Energy Group to Keep the Internet RunningWhile the present crisis spared the internet, we can't say the same for future economic catastrophes. The best way to preserve our ability to go online is to invest in renewable energy technologies, and neutrino energy is the only electricity-generating technology that can operate close to or inside of server banks. Support the Neutrino Energy Group to defend our IT infrastructure from any crisis the future may bring.For more information click here : https://neutrino-energy.comDisclaimer: The views, suggestions and opinions expressed here are the sole responsibility of the experts. NoForbes Indiajournalist was involved in the writing and production of this article.

Read more:
Neutrino Energy Will Power The Future's Internet Consumption - Forbes India