FOXTROT/ALFA: Networking Gear Vulnerabilities, The Open Usage Commons Organisation, No Google Cloud in China

Hey, everyone! Hope your week’s going well… As you can tell, I was too busy yesterday to get a newsletter out. But I’m making up for it today with a long one that hopefully recaps everything important from yesterday and today. So, without further ado, let’s get into the tech news. Here’s issue 136 of FOXTROT/ALFA for Thursday, 9 July 2020:

Palo Alto and Citrix Vulnerabilities

First, here’s an update on the most recent security vulnerability news. It seems networking gear is all the rage with hackers right now:

Palo Alto Networks has emitted its second software update in as many weeks to address a potentially serious security vulnerability in its products. The vendor on Wednesday issued an advisory for CVE-2020-2034, a remote code execution flaw in its PAN-OS GlobalProtect portal, which can be exploited by a remote unauthenticated miscreant to execute arbitrary commands on the gateway as a superuser.

No in-the-wild attacks have been reported… yet. Palo Alto confirmed to The Register that GlobalProtect is not enabled by default, though anecdotal evidence suggests it’s widely used. Short of applying the PAN-OS updates, there is no way to mitigate the vulnerability, other than turning off GlobalProtect.

This latest Palo Alto advisory comes just ten days after the IT supplier sounded the alarm for another remote code execution flaw in its PAN-OS. That vulnerability, CVE-2020-2021, was serious enough to warrant an alert from Uncle Sam’s CyberCom, which feared that in-the-wild exploitation attempts were likely. However, before admins go and schedule downtime to patch this latest bug, keep in mind that anyone who updated their PAN-OS gear to protect against CVE-2020-2021 already has the fix in place for this CVE-2020-2034 bug. Both were addressed with the earlier update.
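Since the only mitigations the advisory allows are patching or switching GlobalProtect off, the practical defender question is which devices in an estate are both unpatched and have the portal enabled. The script below is an added example written for this newsletter and is not Palo Alto code; it runs over a constructed inventory, and the fixed release numbers in it are placeholders (the real ones must come from the vendor advisory). The one genuinely non-obvious piece is PAN-OS version ordering: a hotfix release such as `9.1.3-h1` supersedes `9.1.3`, and `9.1.10` is newer than `9.1.3`, so versions have to be compared numerically rather than as strings.

```python
"""Added example (not from the newsletter or Palo Alto Networks): triage a
constructed PAN-OS inventory for the two conditions the article names,
GlobalProtect portal enabled and firmware older than the fixed release.

FIXED_VERSIONS holds PLACEHOLDER release numbers, not the real fixed builds
for CVE-2020-2034 / CVE-2020-2021; take those from the vendor advisory."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# PAN-OS versions look like "9.1.3" or, for a hotfix, "9.1.3-h1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a tuple that sorts correctly.

    A hotfix is newer than the base release it patches, so it becomes a
    fourth component (0 when absent). Plain string comparison would order
    '9.1.10' before '9.1.3', which is why we parse to integers.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# PLACEHOLDER fixed release per major.minor train (assumption for the demo;
# substitute the versions listed in the vendor advisory).
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (8, 1): "8.1.99",
    (9, 0): "9.0.99",
    (9, 1): "9.1.99",
}


@dataclass
class Device:
    name: str
    version: str
    globalprotect_portal_enabled: bool


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release of its train."""
    v = parse_panos_version(version)
    train = v[:2]
    if train not in FIXED_VERSIONS:
        # An unknown (e.g. end-of-life) train is reported as unpatched so it
        # gets a human look instead of silently passing the check.
        return False
    return v >= parse_panos_version(FIXED_VERSIONS[train])


def triage(devices: Iterable[Device]) -> Dict[str, str]:
    """Map device name -> 'patched' | 'exposed' | 'unpatched-not-exposed'."""
    result = {}
    for d in devices:
        if is_patched(d.version):
            result[d.name] = "patched"
        elif d.globalprotect_portal_enabled:
            # Unauthenticated RCE is reachable: patch, or disable the portal.
            result[d.name] = "exposed"
        else:
            # Portal off is the only non-patch mitigation; still schedule the update.
            result[d.name] = "unpatched-not-exposed"
    return result


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Device("fw-edge-1", "9.1.99-h1", True),
    Device("fw-edge-2", "9.1.10", True),
    Device("fw-lab", "9.0.3", False),
    Device("fw-legacy", "7.1.26", True),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

In a real estate the inventory would be fed from the firewalls' system info and the GlobalProtect portal configuration rather than a hard-coded list, but the classification logic stays the same.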

You can find more details on these Palo Alto fixes in this story by The Register.

Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products. The bundle includes fixes for one code injection bug, three information disclosure flaws, three elevation of privilege bugs, two cross-site scripting vulnerabilities, one denial-of-service hole, and one authorization-bypass flaw.

Affected gear includes the Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP. So far there have been no reports of any of the bugs being targeted in the wild, though Rob Joyce, former head of the NSA’s Tailored Access Operations elite hacking team, warns it’s time for admins to get busy – and so soon after patches emerged for vulns in F5 and Palo Alto networking gear.

The code injection flaw, CVE-2020-8194, is interesting. According to Citrix, an unauthenticated remote attacker can somehow present to a potential victim a downloadable malicious executable file from the gateway’s IP address. If the mark fetches the file and runs it, thinking it’s a legit application file from their networking gear, they now have malicious code running on their local PC. No other details on this cryptic flaw are known right now.

Meanwhile, those who rely on Linux PCs will want to check out CVE-2020-8199, a flaw in the Citrix Gateway Plugin for Linux that can be exploited by a rogue user or malware already on the system to elevate its privileges and cause more damage. On the more likely-to-be-targeted end of things, there is CVE-2020-8187. That is a denial-of-service flaw in Citrix ADC and Citrix Gateway 12.0 or 11.1. The flaw can be remotely exploited without authentication.

Details in this story, also on El Reg.

Ninja Goes to YouTube, The Doc Drops Off the Face of the Earth

As expected, Ninja is now streaming on YouTube.

One of the biggest names in streaming is heading to YouTube. Today, Tyler “Ninja” Blevins started streaming on Google’s platform, finding a new home after the surprise closure of Microsoft’s Mixer. Ninja teased the stream earlier today in a tweet, and started his new YouTube venture with a Fortnite stream alongside Dr Lupo, TimTheTatman, and Courage. It’s not clear yet whether this is an exclusive deal, or if Ninja will feature on other platforms, like Twitch, as well. Today’s stream was his first-ever on YouTube.

Meanwhile, we still have no clue whatsoever what happened to The Doc.

Stone cold, eerie silence surrounding this entire situation. And that itself is a story. We should probably not be waiting around for Twitch to explain what’s going on. They rarely issue direct statements about the reasoning for bans, short of when they banned the president of the United States from the platform last week, citing specific examples of “hate speech” from his rallies. But for streamers, even someone as high profile as Dr Disrespect, I would not expect to hear anything from their end.

But it’s Doc and his wife going silent that seems the most strange. We have seen many streamers be “cancelled” or flat-out deplatformed and banned in the last few weeks, but none of them have gone stone silent like this. Many post practically daily updates about fighting their bans, moving to new platforms, defenses of their actions, apologies, something, anything. But again, Doc was not caught up in the wave of accusations that has swept through the gaming community the last few weeks. No one has come out and accused him of anything.

The looming shadow over all of this is that behind the scenes, there may be some sort of criminal investigation going on. One of the strange things that happened with this ban is that Doc claims Twitch banned him and didn’t tell him why. One explanation for that would be some sort of subpoena of Twitch by law enforcement with the stipulation that they are forbidden from telling him anything. A subpoena of Twitch and Discord would explain why both platforms more or less instantly cut ties with Doc, and have not said a word about it.

There is nothing public to indicate Doc has been arrested or charged with anything. And yet a legal matter would also explain why he himself might not be making any public statements. Some sort of serious legal matter explains Twitch, Discord and Doc’s silence, and it also could be why insiders are clamming up, as no one wants to just publicly accuse someone of a specific crime without evidence. This is a truly bizarre situation involving one of the highest profile streamers in the world, and the void of information surrounding this case is unlike anything I’ve ever seen in this incredibly leaky industry. It will likely not stay this way forever, but for now, the total silence certainly does not seem to be a good sign.

This is indeed extremely weird. And kinda fascinating…

The Open Usage Commons Organisation and Istio’s Governance

Google has created a new organisation to deal with trademarks of open source projects.

Google has set up an organization dubbed the Open Usage Commons to manage three open-source projects' trademarks – and provide developers advice on handling and using brands. The new org has had some initial funding from Google, and has three sets of trademarks to look after for starters: those of Angular (a Typescript web framework), Gerrit (a code-collaboration tool) and Istio (a service mesh for Kubernetes). All three of these projects are closely associated with Google. No code or stewardship of code is being transferred to the OUC. Instead, the org has been tasked with handling the projects' trademarks, and advising others on how to look after their brands.

Chris DiBona, director of Open Source at Google and Alphabet, said the OUC arose from the internet goliath’s own experience: “Currently we have more than 3,000 active open source projects. Google ends up hitting all the intellectual property edge cases before anybody else … one of the places that open source hasn’t been great is around trademarks. If you look at open source licenses they either don’t mention trademarks at all, or they disclaim them. What that meant was people just read the Apache license and figure it applies to everything. We decided we need to fix this for open source software. Open source makes it clear for any piece of software what you can do and what you can’t do. We wanted to bring that kind of comfort and clarity to trademarks and establish guidelines in accordance with the open source definition for trademark usage.”

True to the independent spirit of the open source community, this move is already being criticised.

Google’s creation of an Open Usage Commons organisation to manage trademarks including that of Istio – a key open source project for many users of Kubernetes – has drawn harsh criticism from other tech giants unhappy with the new approach. IBM’s veep and CTO of Cloud Platform, Jason McGee, said that Google’s initiative “doesn’t live up to the community’s expectation for open governance… without this vendor-neutral approach to project governance, there will be friction within the community of Kubernetes-related projects.”

Projects like Istio, which manages network traffic and security, are essential for successful Kubernetes deployments unless developers are willing to do a lot of additional work. There are alternatives to Istio, such as Linkerd, but Istio is the best known and most feature-rich service mesh for Kubernetes.

IBM, along with Google and Lyft, founded the Istio project in 2017, with IBM contributing code from its earlier Amalgam8 project. “At the project’s inception, there was an agreement that the project would be contributed to the CNCF [Cloud Native Computing Foundation, already the home of Kubernetes] when it was mature,” said McGee. Google has not done this, and the OUC is not an open source foundation.

What of reports citing Google Cloud CEO Thomas Kurian as saying in April this year that Istio would be donated to a foundation? When we asked Google’s director of open source Chris DiBona, he said that the formation of the OUC had no direct bearing on the matter. “This doesn’t change any of that,” said DiBona, “for good or for bad. If your perception is that [Istio stewardship] needs to be fixed, then it still needs to be fixed.”

It appears, though, that it is related. A post yesterday from Google’s Sean Suchter, lead engineer and director of Istio, was headed “Open and neutral”, and stated it was an update on “trademarks and project governance.” Suchter described the transfer of trademarks, but also wrote about “the next evolution of Istio’s governance” – which is nothing more than tweaks to the Steering Committee and a new appointment to the Technical Oversight Committee. There is nothing about transfer to a foundation, on top of which it would be odd to have a foundation oversee the code without also having the trademark.

We asked DiBona to comment again in the light of the response to the OUC, and he said “what I can tell you is that work towards updating Istio’s governance is being done right now via a new Steering Committee charter, being discussed in the open with the community.”

Further confusing the issue, Google’s application to register the Istio trademark has been suspended by the US Patent and Trademark Office (USPTO) because of “likelihood of confusion” with the already-registered SAIL. Istio is a Greek word meaning sail. DiBona told us that “Google is in the process of seeking USPTO registration for Istio, but this is not required for ownership.” It is reasonable to conclude that the OUC is in fact Google’s attempt to satisfy the demand for Istio to be under neutral governance.

The Linux Foundation has implied that the rationale behind the formation of the OUC is flawed. “There has been concern that open source hasn’t addressed issues of trademarks as it relates to major OSS projects. This is not the case,” said the Foundation, explaining that it already registers and manages trademarks for some projects that it hosts. “We have successfully done this for the most important open source projects in the world.”

If Google’s aim with the OUC was to convince its partners that Istio is now in neutral hands, then it has more work to do. It appears instead that it has created greater friction. The implication is that it sees commercial advantage not handing Istio over to the CNCF or another well-known foundation, and must figure that this advantage more than outweighs the cost in terms of worsening relationships with its Kubernetes partners.

This is very much a developing story. I’ll keep an eye on it.

SAP Suffering but There’s Light at the End of the Tunnel

SAP, predictably, is suffering from the coronavirus situation, but things might be slowly getting better.

Amid a lack of commitment from customers to sign off ERP upgrade projects in a pandemic, and with SAP revising its full year guidance revenue downward after a slower-than-expected March, things look to be gradually improving.

According to preliminary calendar Q2 figures, SAP revenues went up 2 per cent year-on-year to €6.74bn. For context, arch rival Oracle recently reported a 6 per cent drop in sales for its Q4 fiscal ’20. Software licence revenue fell 18 per cent to €770m from the same quarter last year, although it could also be described, and was, as a “strong sequential improvement” on the 31 per cent decline SAP reported in the prior quarter. The question on analysts’ lips is whether this is a more lasting trend or something that will dissipate once the current crisis abates.

SAP reaffirmed that it expects annual turnover to be between €27.8bn and €28.5bn, unchanged since the initial forecast of €29.2bn to €29.7bn was downgraded by 5 per cent in April. The company is banking on Q3 and Q4 showing improvements.

Suse Buys Rancher Labs

Linux-vendor Suse has bought the enterprise Kubernetes management provider Rancher.

As Rancher is privately held neither party is discussing money. What we can say is that SUSE believes its expertise in enterprise Linux, AI and edge computing will benefit from Rancher’s Kubernetes management stack. And Rancher likes the idea of having more resources to plough into its wares.

An off-the-record comment from an industry analyst to The Register suggested the deal is a good one for Rancher, which otherwise faced the possibility of being hoovered up by a minor K8s player like Cisco or NetApp that would have bought it to bolster thin efforts that would have little chance of long-term success. As a SUSE deal puts Rancher amidst a recognisably useful combination of technologies, the latter’s K8s tech has a better chance of thriving.

No Google Cloud in China

Amid the wider US/China trade war, Google is pulling the plug on its Chinese cloud project.

Google has scrapped plans to offer cloud services in China. The project, called “Isolated Region”, began in early 2018 and aimed to address Chinese regulations that require foreign companies that provide data or networking services to form a joint venture with a Chinese partner. Those requirements see AWS' Chinese presence operated by local company Sinnet, VMware offer cloud services through Alibaba and Azure work through 21Vianet. According to sources who spoke to Bloomberg, Google balked at the requirement to work with a Chinese company.

The project was part of a larger Google project called “Sharded Google” that sought to develop new data storage and processing facilities, known as “shards”, walled off from the rest of the company’s ecosystem. The project aimed at addressing markets such as China and the EU, which have strict laws for companies offering services that collect and process personal data.

The project was dropped partly because of global tensions, which were exacerbated by the Covid-19 pandemic, according to Bloomberg’s sources. The sources said that Google provided documents detailing global tensions and their influence on the project’s closure. Google confirmed that the project had been dropped but denied that it was because of geopolitical concerns or the pandemic.

Yeah, sure. LOL.

Flutter Alpha SDK for Linux

Google and Canonical have released an alpha SDK to bring Google’s UI framework Flutter to desktop Linux.

Google has hauled in Canonical to help extend the search giant’s Flutter development framework to support Linux desktop applications. Flutter, designed primarily for cross-platform mobile applications, is a UI toolkit which uses the Dart language. It has production support for Android and iOS, beta support for web applications (in which case Dart is compiled to JavaScript), and alpha support for desktop applications for macOS.

The Linux alpha SDK introduced today leaves Windows as the least well-supported, although there is an “early technical preview” of Windows support, according to the Flutter wiki. According to Google, adding desktop support is a substantial challenge. “This work includes extensive refactoring of the engine to support desktop-style mouse and keyboard input as well as resizeable top-level windows,” said Google’s Chris Sells and Canonical’s Ken VanDine in a joint statement.

Canonical’s primary goal is to persuade developers of existing Flutter applications to port them to Linux. “We are not choosing Flutter over any other existing framework or ecosystem,” Martin Wimpress, Engineering Director for Ubuntu Desktop, told The Reg. “We see lots of momentum in the Flutter developer community and around 80,000 Flutter apps published in other app stores. We want to invite those developers to bring their applications to desktop Linux and Ubuntu, just as we have done with GTK, Qt and Electron in the past. Our objective here is to further close the application parity gap for desktop Linux users and broaden the developer audience.” One potentially contentious point is that Canonical will focus on building and packaging applications for its Snap Store. “Flutter developers are already familiar with publishing apps via an ‘app store’ paradigm,” Wimpress told us.

They’re still pushing the Snap thing over there, I see. It’s the latest buttons-on-the-left crusade for Don Quixottleworth, it seems.

Also Noteworthy

Other stories I’ve been reading today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.