Python programming: PyPI is rolling out 2FA for critical projects, giving away 4,000 security keys


PyPI or the Python Package Index is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language.

Python is one of the world’s most popular programming languages, valued for the breadth of its packages, the add-on libraries that make it useful for data science among other things. Developers update these packages frequently, and attackers have exploited that habit to backdoor Windows, Linux and Apple machines with bogus packages whose names closely resemble those of legitimate ones (typosquatting), one form of software supply chain attack.

PyPI, which is managed by the Python Software Foundation (PSF), is the main repository where Python developers can get third-party developed open-source packages for their projects.


PyPI and npm, its equivalent for JavaScript, act like an App Store or Play Store for developers, but they are open to anyone, and as free services they lack the resources to vet every package submission for malware.

Google, through the Linux Foundation’s Open Source Security Foundation (OpenSSF), is tackling the threat of malicious language packages and open-source software supply chain attacks. It found over 200 malicious JavaScript and Python packages in one month and noted “devastating consequences” for developers and the organizations they write code for when they install them.

One way maintainers can limit the damage of a stolen password is two-factor authentication, and the PSF is now making it mandatory for the developers behind “critical projects” to use 2FA in the coming months. PyPI hasn’t announced a specific date for the requirement.

“We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them,” the PSF said on its PyPI Twitter account.

As part of the security drive, it is giving away 4,000 Google Titan hardware security keys, donated by Google’s open-source security team, to maintainers of critical projects.

“In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” PSF said in a statement.

“To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.”

PSF says it deems any project in the top 1% of projects by downloads over the prior six months as critical. There are presently more than 350,000 projects on PyPI, so more than 3,500 projects are rated as critical. PyPI recalculates the set daily, so it shifts over time, and the 4,000 Titan keys should cover a sizeable share of critical-project maintainers but not all of them.

In the name of transparency, PyPI is also publishing 2FA account metrics. There are currently 28,336 users with 2FA enabled, with nearly 27,000 of them using


Locksmith, wife held at gunpoint for car key programming laptops; puppy stolen – The News Herald

A Trenton couple is shaken to the core and heartbroken after the husband had a gun pointed in his side and his wife had one in her face as men demanded laptops from them and stole their puppy.

Jason Schlegel, a locksmith for a mobile company, said he was lured to Gateway Townhomes in Romulus on Wednesday night under the guise that someone needed his locksmith services to make a key.

“It was a total setup,” Schlegel said.

His wife, Amber, and their French bulldog Boston terrier named Rocky were along for the ride.

The appointment was set for 8:30 pm

According to Schlegel, he pulled up in his van at about 8:32 pm and was approached by the man who called about getting a key made.

Rocky was stolen during a botched robbery at Gateway Townhomes in Romulus Wednesday night. (Photo courtesy of Jason Schlegel)

It only took seconds before the situation, which unfolded in front of a playing child, turned potentially deadly, he said.

“A man stuck a gun in my side and said, ‘Be quiet and no one gets hurt,’” Schlegel said. “He said to give up the laptop.”

Schlegel said his laptops are valuable because they can be programmed to make car keys for sought-after vehicles.

Once the keys are made, he said, thieves can steal the vehicles rather quickly.

In what could be considered a botched robbery, one of the suspects saw a bag in the vehicle and took it thinking it was a laptop bag.

“It was actually the dog’s diaper bag,” Schlegel said of the botched robbery. “The criminals knew what they wanted, but didn’t know what it looked like inside a box. What they were looking for was right in front of their faces and they missed it.”

The man who met with Schlegel for the alleged appointment was black and had long braided hair.

A reward is being offered for the safe return of Rocky, a French bulldog Boston terrier. (Photo courtesy of Jason Schlegel)

The other two men who later joined in also were black and were wearing masks with only their eyes showing.

All three were about 6 foot tall and appeared to be in their 20s.

According to Schlegel, there was a man looking in the back of the van for laptops, one in the front where he and his wife were and one who eventually drove the getaway car.

They didn’t get what they were after, but they still took things of value to the couple.

As they grabbed boxes of various computer programming tools, they also took Rocky before fleeing.

“He was a bonus,” the owner said. “He was there and they had an opportunity.”

The whole incident took place quickly.

By 8:35, the couple was on the phone with Romulus police reporting the incident.

“We’re lucky we’re here,” Schlegel said. “I feared for our lives. They were waving the guns around. You never know, one could have gone off.”

The couple said they can


Data Oriented Programming in Java

Key Takeaways

  • Project Amber has brought a number of new features to Java in recent years. While each of these features is self-contained, they are also designed to work together. Specifically, records, sealed classes, and pattern matching work together to enable easier data-oriented programming in Java.
  • OOP encourages us to model complex entities and processes using objects, which combine state and behavior. OOP is at its best when it is defining and defending boundaries.
  • Java’s strong static typing and class-based modeling can still be tremendously useful for smaller programs, just in different ways.
  • Data-oriented programming encourages us to model data as (immutable) data, and keep the code that embodies the business logic of how we act on that data separate. Records, sealed classes, and pattern matching make that easier.
  • When we’re modeling complex entities, OO techniques have a lot to offer us. But when we’re modeling simple services that process plain, ad-hoc data, the techniques of data-oriented programming may offer us a straighter path.
  • The techniques of OOP and data-oriented programming are not at odds; they are different tools for different granularities and situations. We can freely mix and match them as we see fit.

Project Amber has brought a number of new features to Java in recent years — local variable type inference, text blocks, records, sealed classes, pattern matching, and more. While each of these features is self-contained, they are also designed to work together. Specifically, records, sealed classes, and pattern matching work together to enable easier data-oriented programming in Java. In this article, we’ll cover what is meant by this term and how it might affect how we program in Java.
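The following is an added illustration of the three features working together; it is not code from the article. The Shape hierarchy is a made-up example, and the code assumes Java 21 or later (record patterns and guarded cases in switch). The data is modelled as immutable records under a sealed interface, and each operation on the data is a separate function whose switch the compiler checks for exhaustiveness: add a fourth permitted Shape and both switches fail to compile until the new case is handled.

```java
import java.util.List;

// Added example (not from the article): immutable records under a sealed
// interface, processed by exhaustive pattern-matching switches. Java 21+.
public class DataOrientedDemo {

    // The data: plain, immutable, with no behaviour attached.
    // Because the interface is sealed, these three records are the only
    // implementations that can exist, and the compiler knows that.
    sealed interface Shape permits Circle, Rectangle, Composite {}
    record Circle(double radius) implements Shape {}
    record Rectangle(double width, double height) implements Shape {}
    record Composite(List<Shape> parts) implements Shape {}

    // The behaviour: a function over the data, kept outside the records.
    // Record patterns (Circle(double r)) destructure the component in place.
    // No default branch is needed: the switch is exhaustive over the sealed
    // type, so a new Shape variant becomes a compile error here, not a
    // runtime surprise.
    static double area(Shape shape) {
        return switch (shape) {
            case Circle(double r) -> Math.PI * r * r;
            case Rectangle(double w, double h) -> w * h;
            case Composite(List<Shape> parts) ->
                    parts.stream().mapToDouble(DataOrientedDemo::area).sum();
        };
    }

    // A second operation over the same data, added without touching the
    // records. Guards ("when") refine a case; a guarded case must precede
    // the unguarded case for the same type, otherwise it is unreachable.
    static String describe(Shape shape) {
        return switch (shape) {
            case Circle c when c.radius() <= 0 -> "degenerate circle";
            case Circle c -> "circle of radius " + c.radius();
            case Rectangle(double w, double h) when w == h -> "square of side " + w;
            case Rectangle r -> "rectangle " + r.width() + "x" + r.height();
            case Composite(List<Shape> parts) ->
                    "composite of " + parts.size() + " parts";
        };
    }

    public static void main(String[] args) {
        // Constructed sample input for the demonstration.
        Composite figure = new Composite(List.of(
                new Circle(1.0),
                new Rectangle(2.0, 2.0),
                new Rectangle(3.0, 1.0),
                new Circle(0.0)));

        System.out.println(describe(figure));
        System.out.printf("total area = %.4f%n", area(figure));
        for (Shape part : figure.parts()) {
            System.out.printf("  %-22s area = %.4f%n", describe(part), area(part));
        }
    }
}
```

Compile and run with `javac DataOrientedDemo.java && java DataOrientedDemo`. The records carry no methods beyond their accessors, and the two switches are the only places that know how to interpret a Shape; that separation of data from the logic acting on it is what the article means by data-oriented programming, and the sealed interface is what lets the compiler enforce it.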

Object-oriented programming

The goal of any programming paradigm is to manage complexity. But complexity comes in many forms, and not all paradigms handle all forms of complexity equally well. Most programming paradigms have a one-sentence slogan of the form “Everything is a …”; for OOP, this is obviously “everything is an object.” Functional programming says “everything is a function”; actor-based systems say “everything is an actor”, etc. (Of course, these are all overstatements for effect.)

OOP encourages us to model complex entities and processes using objects, which combine state and behavior. OOP encourages encapsulation (object behavior mediates access to object state) and polymorphism (multiple kinds of entities can be interacted with using a common interface or vocabulary), though the mechanisms for accomplishing these goals vary across OO languages. When modeling the world with objects, we are encouraged to think in terms of is-a (a savings account is-a bank account) and has-a (a savings account has-a owner and account number) relationships.

While some developers take pleasure in loudly declaring object-oriented programming to be a failed experiment, the truth is more subtle; like all tools, it is well-suited to some things and less well-suited to others. OOP done badly can be awful, and a lot of people have been exposed to OOP principles taken to ridiculous extremes. (Rants


DISH Network transforms with push to be fourth wireless network

DISH lit up a new 5G cellular network in more than 120 cities on June 14, including Grand Junction and Pueblo, meeting an early target federal regulators had set for the construction of the nation’s fourth wireless network.

Whether Project Genesis, as the network is called, succeeds or fails will determine the fate of one of Colorado’s largest public companies, and could weigh heavily on Denver’s future as a center of telecommunications innovation, a legacy that goes back decades to the early days of cable television.

“Through DISH’s efforts, Denver is becoming a wireless hub,” said John Swieringa, president and chief operating officer of DISH Wireless. “Our partners are coming here, too, and investing in people and resources in this market. We expect Denver to become a leader in 5G.”

DISH Wireless has hired more than 1,600 workers in the past 18 months and is looking to add 500 more, Swieringa said. DISH, the parent company, already employs 6,000 people along the Front Range. A successful launch of the new network could provide a big boost to the region economically for years to come. Failure could cost thousands of jobs.

5G stands for fifth-generation mobile network. The technology can move larger bundles of data at much faster speeds and lower lag times than 4G. That added capacity promises to open up a host of uses such as self-driving cars, smart cities, remote surgery, and enhanced virtual reality. It also allows wireless carriers to better compete in providing home and business broadband service and makes possible multiple new commercial applications.

The big three carriers — AT&T, Verizon and T-Mobile — have built their 5G networks on top of existing and proprietary 4G networks, which in turn were built on top of 3G networks. DISH, by contrast, is building a 5G network from scratch, using something called Open Radio Access Networks or OPEN-RAN. That approach is software-focused, cloud-based and flexible in terms of using technologies from outside partners.

“One of the biggest advantages is that the cost of upgrading and maintaining the network is far lower. We will more readily adapt to evolving technologies and standards. We are relying heavily on automation. Our network is forward-looking,” Swieringa said.

Genesis cell sites have a much smaller footprint than those of the older carriers, and much of the signal processing is moved off the sites to centralized data centers.

Favoring software over hardware lowers overall costs, provides more flexibility and allows for a more open and automated network. Established technology players such as Amazon Web Services, Dell and VMware, to name a few, are actively involved in Project Genesis, contributing resources and development expertise to ensure its success.

“They (DISH) are leveraging the desire of multiple vendors to participate in the only new national wireless network being built. Their vendors are contributing in the form of development and assets,” said Roy Chua, principal at AvidThink, an independent telecom and technology research firm in San Jose, Calif.

DISH has invested more than $30 billion in wireless spectrum and


Amazon launches CodeWhisperer, a GitHub Copilot-like AI pair programming tool – TechCrunch

At its re:Mars conference, Amazon today announced the launch of CodeWhisperer, an AI pair programming tool similar to GitHub’s Copilot that can autocomplete entire functions based on only a comment or a few keystrokes. The company trained the system, which currently supports Java, JavaScript and Python, on billions of lines of publicly available open source code and its own codebase, as well as publicly available documentation and code on public forums.

It’s now available in preview as part of the AWS IDE Toolkit, which means developers can immediately use it right inside their preferred IDEs, including Visual Studio Code, IntelliJ IDEA, PyCharm, WebStorm and Amazon’s own AWS Cloud9. Support for the AWS Lambda Console is also coming soon.

Ahead of today’s announcement, Vasi Philomin, Amazon’s VP in charge of its AI services, stressed that the company didn’t simply create this in order to offer a copy of Copilot. He noted that with CodeGuru, its AI code reviewer and performance profiler, and DevOps Guru, its tool for finding operation issues, the company laid the groundwork for today’s launch quite a few years ago.


“I think the technology is at a point where we thought it was the right time to do it,” Philomin said. “And it fits nicely with the other pieces that they have. It’s been a journey and we’ve just done different parts at different times.”

Internally, Amazon has been testing the service with only a small number of developers — mostly in order to keep the announcement under wraps.


The company notes that the system continuously examines your code and comments and even takes your own coding style and variable names into account. Using this contextual information — and where your cursor is — it’ll then generate its own custom code snippets.

It’s worth noting that CodeWhisperer does some things differently from the likes of Copilot. For one, while most of the code the system generates is novel, whenever it generates code that is close to an existing snippet in its training data, it flags that and shows the license of the original function. It’s then up to the developer to decide whether to use it or not. This should alleviate some (though maybe not all) of the copyright concerns that may come with using a tool like this.


Another factor Philomin stressed is security. Based on Amazon’s own experience managing large codebases and doing debriefs after things go awry (using its formalized “correction of errors” process), as well as its experience with CodeGuru, CodeWhisperer will scan the code for potential security issues.

“Security is always important in AWS and so we want to make sure that the code we generate is secure,” Philomin said. “Now obviously we’ve generated the code and the developer can change it — and so CodeWhisperer has the capability to say: run a scan on the current source file. It will … scan and … tell you any
