#kelsey newman | Explore Tumblr Posts and Blogs

jcmarchi · 5 months

Text

Boosting faith in the authenticity of open source software

New Post has been published on https://thedigitalinsider.com/boosting-faith-in-the-authenticity-of-open-source-software/

Boosting faith in the authenticity of open source software

Open source software — software that is freely distributed, along with its source code, so that copies, additions, or modifications can be readily made — is “everywhere,” to quote the 2023 Open Source Security and Risk Analysis Report. Ninety-six percent of the computer programs used by major industries include open source software, and 76 percent of those programs consist of open source software. But the percentage of software packages “containing security vulnerabilities remains troublingly high,” the report warned.

One concern is that “the software you’ve gotten from what you believe to be a reliable developer has somehow been compromised,” says Kelsey Merrill ’22, MEng ’23, a software engineer who received a master’s degree earlier this year from MIT’s Department of Electrical Engineering and Computer Science. “Suppose that somewhere in the supply chain, the software has been changed by an attacker who has malicious intent.”

The risk of a security breach of this sort is by no means abstract. In 2020, to take a notorious example, the Texas company SolarWinds made a software update to its widely used program called Orion. Hackers broke into the system, inserting pernicious code into the software before SolarWinds shipped the latest version of Orion to more than 18,000 customers, including Microsoft, Intel, and roughly 100 other companies, as well as a dozen U.S. government agencies — including the departments of State, Defense, Treasury, Commerce, and Homeland Security. In this case, the product that was corrupted came from a large commercial company, but lapses may be even more likely to occur in the open source realm, Merrill says, “where people of varying backgrounds — many of whom are hobbyists without any security training — can publish software that gets used around the world.”

Now, she and three collaborators — her former advisor Karen Sollins, a principal research scientist at the MIT Computer Science and Artificial Intelligence Laboratory; Santiago Torres-Arias, an assistant professor of computer science at Purdue University; and Zachary Newman SM ’20, a research scientist at Chainguard Labs — have developed a new system called Speranza, which is aimed at reassuring software consumers that the product they are getting has not been tampered with and is coming directly from a source they trust.

“What we have done,” explains Sollins, “is to develop, prove correct, and demonstrate the viability of an approach that allows the [software] maintainers to remain anonymous.” Preserving anonymity is obviously important, given that almost everyone — software developers included — values their confidentiality. This new approach, Sollins adds, “simultaneously allows [software] users to have confidence that the maintainers are, in fact, legitimate maintainers and, furthermore, that the code being downloaded is, in fact, the correct code of that maintainer.”

So how can users confirm the genuineness of a software package in order to guarantee, as Merrill puts it, “that the maintainers are who they say they are?” The classical way of doing this, which was invented more than 40 years ago, is by means of a digital signature, which is analogous to a handwritten signature — albeit with far greater built-in security through the use of various cryptographic techniques.

To carry out a digital signature, two “keys” are generated at the same time — each of which is a number, composed of zeros and ones, that is 256 digits long. One key is designated “private,” the other “public,” but they constitute a pair that is mathematically linked. A software developer can use their private key, along with the contents of the document or computer program, to generate a digital signature that is attached exclusively to that document or program. A software user can then use the public key — as well as the developer’s signature, plus the contents of the package they downloaded — to verify the package’s authenticity.

Validation comes in the form of a yes or a no, a one or a zero. “Getting a one means that the authenticity has been assured,” Merrill explains. “The document is the same as when it was signed and is hence unchanged. A zero means something is amiss, and you may not want to rely on that document.”

Although this decades-old approach is tried and true in a sense, it is far from perfect. One problem, Merrill notes, “is that people are bad at managing cryptographic keys, which consist of very long numbers, in a way that is secure and prevents them from getting lost.” People lose their passwords all the time, Merrill says. “And if a software developer were to lose the private key and then contact a user saying, ‘Hey, I have a new key,’ how would you know who that really is?”

To address those concerns, Speranza is building off of “Sigstore” — a system introduced last year to enhance the security of the software supply chain. Sigstore was developed by Newman (who instigated the Speranza project) and Torres-Arias, along with John Speed Meyers of Chainguard Labs. Sigstore automates and streamlines the digital signing process. Users no longer have to manage long cryptographic keys but are instead issued ephemeral keys (an approach called “keyless signing”) that expire quickly — perhaps within a matter of minutes — and therefore don’t have to be stored.

A drawback with Sigstore stems from the fact that it dispensed with long-lasting public keys, so that software maintainers instead have to identify themselves — through a protocol called OpenID Connect (OIDC) — in a way that can be linked to their email addresses. That feature, alone, may inhibit the widespread adoption of Sigstore, and it served as the motivating factor behind — and the raison d’etre for — Speranza. “We take Sigstore’s basic infrastructure and change it to provide privacy guarantees,” Merrill explains.

With Speranza, privacy is achieved through an original idea that she and her collaborators call “identity co-commitments.” Here, in simple terms, is how the idea works: A software developer’s identity, in the form of an email address, is converted into a so-called “commitment” that consists of a big pseudorandom number. (A pseudorandom number does not meet the technical definition of “random” but, practically speaking, is about as good as random.)

Meanwhile, another big random number — the accompanying commitment, or co-commitment — is generated that is associated with a software package that this developer either created or was granted permission to modify. In order to demonstrate to a prospective user of a particular software package as to who created this version of the package and signed it, the authorized developer would publish a proof that establishes an unequivocal link between the commitment that represents their identity and the commitment attached to the software product. The proof that is carried out is of a special type, called a zero-knowledge proof, which is a way of showing, for instance, that two things have a common bound, without divulging details as to what those things — such as the developer’s email address — actually are.

“Speranza ensures that software comes from the correct source without requiring developers to reveal personal information like their email addresses,” comments Marina Moore, a PhD candidate at the New York University Center for Cyber Security. “It allows verifiers to see that the same developer signed a package several times without revealing who the developer is or even other packages that they work on. This provides a usability improvement over long-term signing keys, and a privacy benefit over other OIDC-based solutions like Sigstore.”

Marcela Mellara, a research scientist in the Security and Privacy Research group at Intel Labs, says, “This approach has the advantage of allowing software consumers to automatically verify that the package they obtain from a Speranza-enabled repository originated from an expected maintainer, and gain trust that the software they are using is authentic.”

A paper about Speranza was presented at the Computer and Communications Security Conference in Copenhagen, Denmark.

1 note · View note

merlinband-archive · 9 months

Text

The Merlin File

Source: Melody Maker

Date: Late 1974

From my own collection

(Transcript Below)

The MERLIN File

EVOLUTION: Merlin’s manager, Derek Chick, and Allan Love decided in May 1973 to form a new London-based group that would incorporate three basic essentials: musicianship, image and stage presentation. After extensive auditions and rehearsals the band was gigging by July under the name Madrigal, which was changed in February 1974 to Merlin.

PERSONNEL CHANGES: Jacob Magmusson (keyboards) left in October 1973 and Paul Taylor (bass) in September 1974.

ORIGIN OF NAME: Scully Wagon-Lit’s idea in the van going to a gig.

FIRST PUBLIC APPEARANCE: Zero 6, Southend, 17/July/1973.

FIRST BROADCAST: BBC Radio One David Hamilton Show and Radio Luxembourg Power Play consecutively in March 1974.

FIRST TELEVISION: Scottish TV’s Showcase in November 1973.

MANAGEMENT: Derek Chick, Chic’s Own Music and Management Ltd, 246/248 Great Portland Street, London W1 (01-381 6192/3).

AGENT: Barry Collings Agency Ltd, 15 Claremont Road, Westcliff-on-Sea, Essex (0702-47343/43464).

RECORDING COMPANY: CBS Records Ltd, 28-30 Theobalds Road, London WC1 (01-242 9000).

RECORD PRODUCER: Roger Greenaway.

MUSIC PUBLISHING COMPANY: Shapiro, Bernstein and Co Ltd, 246/248 Great Portland Street, London W1 (01-387 6192) and Grenyoco Music Ltd, 108 Park Street, London W1 (01-493 6439).

FAN CLUB: Ling, 17 Gladstone Park Gardens, Cricklewood, London NW2.

BRITISH TOURS: 47 dates 1/March-28/April/1974 Top Rank ballrooms, clubs and colleges. Solo tour.

AMERICAN TOURS: None.

TRANSPORT: Ford DO607 3-ton truck for the equipment and Audi 100 for the group.

STAGE MANAGERS: Iain Ward (Sound Engineer), Chris Taylor (Lighting Engineer), “Speedy” (Stage Roadie), “Crystal” (Assistant Lighting Engineer).

SINGLES: “(Let Me) Put My Spell On You” c/w “Just ANother Fish On My Hook (CBS, 1/March/1974), "Alright” c/w “Pictures In My Mind” (CBS, 28/June/1974), “Wild Cat” c/w “Half A Man” (CBS, 1/Nov/1974).

ALBUMS: “Merlin” (CBS, 25/Oct/1974).

P.A.: 1400-watt JBL system comprising Kelsey 16-channel stereo custom mixer, 4 x DC3000 Crown amps, 4 x bass bins with 2 x 15 inch JBL speakers in each, 2 x mid range JBL horns, 2 x high-frequency JBL boxes with lens horns, two bullets. Microphones are 8 Sure Unidyne III 545, 2 AKG 190C, one AKG D12, 4 Calrec condensers, 4 Sims Watts condensers, 3 Sure Unisphere B. Binson Echorec and Mavis 3-way active stereo crossover with stage boxes, cables, etc. Lighting comprises 6 x 100 watt Strand Floods on stage, 30 x 200 watt Strand Floods on stage scaffolding, 3 x Strand 1,000-watt follow spots and stands, 2 x Strobes and a Strand dimmer board.

ALAN LOVE: Vocalist

BORN: Hampsted, North West London. 13/Dec./1952.

EDUCATED: Challoner School, Finchley, North London.

MUSICAL TRAINING: None.

MUSICAL CAREER: Has been professional for seven years, playing in Opal Butterfly from 1967 to 1969 with Simon King (Hawkwing) and Tom Doherty (Sting). Referendum from 1969 to 1973 and Madrigal/Merlin from 1973.

OTHER OCCUPATIONS: None.

MUSICAL INFLUENCES: Mick Jagger, Joe Cocker, Little Richard.

COMPOSITIONS: “Half A Man,” “Space Raider” and co-wrote with Gary Hardwick “Getting Involved” all recorded by Merlin.

FAVOURITE SINGLES: “Something In The Air” (Thunderclap Newman), “McArthur Park” (Richard Harris).

FAVOURITE ALBUMS: “Tapestry” (Carol King), “Court Of The Crimson King” (King Crimson), “Bridge Over Troubled Waters” (Simon and Garfunkel).

FAVOURITE MUSICIANS: Paul McCartney, Steve Howe, Tom Doherty.

FAVOURITE SONGWRITERS: Lennon and McCartney, Cat Stevens, Carol King.

FAVOURITE SINGERS: Joe Cocker, Neil Diamond.

RESIDENCE: Bachelor flat in Wandsworth, South West London.

INSTRUMENTS: None.

GARY ALICE STRANGE: Bass, vocals and guitar.

BORN: Hampsted, London. 26/Oct./1952.

EDUCATED: Whitefield School, Barnet.

MUSICAL TRAINING: Three classical guitar lessons and then self taught.

MUSICAL CAREER: Various semi-pro bands and wrote first song aged 16 featured on ATV programme “Come Here Often.” Former band with Dave Martin called March Hare and recorded LP for MAM. Group then changed to newly-formed Kinks Production Company, but after few months of touring with Kinks and recording, split up. Joined Merlin.

OTHER OCCUPATIONS: Director of La Starza Palace Studio.

MUSICAL INFLUENCES: Beatles, Stones, Free, Average White Band.

COMPOSITIONS: “Gipsy Rose Lee” and “Lay Me Down” for March Hare both issued as singles by MAM.

FAVOURITE SINGLES: “I Am A Walrus” (Beatles), “Need Your Love So Bad” (Fleetwood Mac), “Little Bit Of Love” (Free), “Amoureuse” (Kiki Dee).

FAVOURITE ALBUMS: “Elf” (Elf), “Sgt Pepper” (Beatles), “Talking Book” (Stevie Wonder).

FAVOURITE MUSICIANS: Andy Fraser, David Martin, Peter Green, Liberace.

FAVOURITE SONGWRITERS: Lennon and McCartney, Holland, Dozier and Holland, Lional Bart and Paul Simon.

FAVOURITE SINGERS: Paul Rodgers, Elvis Presley, Tina Turner, Rod Stewart.

RESIDENCE: Single and lives in Hampstead, North West London.

INSTRUMENTS: Fender Precision Bass with thin maple neck. Hagstrom six-string guitar with pick-up. Kemble baby grand piano. Rotosound Roundwound strings. Orange 120-watt amp with 2 x 15 inch reflex cabinets.

JAMIE MOSES: Lead guitar and vocals.

BORN: Ipswich, Suffolk, 30/Aug/1955.

EDUCATED: Schools in America and Japan. Shirley High School and Redhill Technical College in Surrey.

MUSICAL TRAINING: Self-taught.

MUSICAL CAREER: Given first guitar when ten, formed first band at 11. Formed the Inferno, 1969-71, in Japan, doing gigs, radio, TV. Came to England in 1971, worked with semi-pro bands and at a music shop in Croydon. Formed Angel with Scully 1972 and recorded LP of original material. Joined Madrigal July 1973.

MUSICAL INFLUENCES: Jimmy Page, Paul Kossoff, Beatles.

COMPOSITIONS: “Just Another Fish On My Hook”, “Gypsy”, and “He Thinks About You All The Time” all recorded by Merlin. Co-wrote “Angel” LP with Scully.

FAVOURITE SINGLES: “Livin’ For The City” (Stevie Wonder), “Can’t Get Enough” (Bad Company), “Joybringer” (Manfred Mann’s Earthband).

FAVOURITE ALBUMS: “Foxtrot” by Genesis.

FAVOURITE MUSICIANS: Genesis, Steve Howe, Free, Scully Wagon-Lits.

FAVOURITE SONGWRITERS: Paul McCartney, Genesis, Stevie Wonder.

FAVOURITE SINGERS: Paul Rodgers, Peter Gabriel, Mario Lanza and David Coverdale.

RESIDENCE: Is single and lives with his parents at Sanderstead, Surrey.

INSTRUMENTS: White Les Paul Deluxe (1973) and black Les Paul Custom (1974), both with Rotosound ultra-light strings and Gibson plectrums. EKO 6-string acoustic guitar with La Bella strings. Hiwatt 100-watt amp fitted with half power switch for distortion and sustain at almost any volume. Two 2 x 15 Fender Dual Showman JBL Cabinets. A cheap Japanese fuzz box with a three-tone fuzz switch.

SCULLY WAGON-LITS: Keyboards, guitar and vocals.

BORN: Balham, South West London, 20/Dec./1953.

EDUCATED: Henry Cavendish (Balham), Bec School (Tooting) and Archbishop Tennison (South Croydon).

MUSICAL TRAINING: Guitar lessons at night school for one year aged eight, cello at school for three years and double bass for two months, but is self-taught on keyboards.

MUSICAL CAREER: Played guitar in band in Balham (1964-65), joined Angel with Jamie (1972-1973) as semi-pros and recorded an album. Turned pro June 1973 with Big Wheel in South France. Joined Madrigal October 1973.

OTHER OCCUPATIONS: Organ salesman at Western Music and Selmer.

MUSICAL INFLUENCES: Harry Stoneham, Miller Anderson, Keith Emerson, Christian Vander.

COMPOSITIONS: “Marina,” “Takin’ Part,” “Pictures In My Mind,” etc.

FAVOURITE SINGLES: “Rock Man” (Elton John), “Space Oddity” (David Bowie).

FAVOURITE ALBUMS: “Tarkis” (ELP), “Fire And Water” (Free), “Dark Side Of The Moon (Pink Floyd).

FAVOURITE MUSICIANS: Keith Emerson, Tony Banks, Steve Howe.

FAVOURITE SONGWRITERS: Paul McCartney.

FAVOURITE SINGERS: Paul Rodgers, Stevie Wonder, Peter Gabriel, Greg Lake

RESIDENCE: Single and lives in Surrey.

INSTRUMENTS: Hamond RT3 with additional height plynth and customised guts driven through Hiwatt amps and put out through one Leslie 145 and two RSE 1 x 15 inch JBL bins and three custom-made Werlin Bat rotating horn units. Muri-Moog (modified) through Hiwatt 100-watt amp with JBL Showman Cabinet. Hagspiel grand piano, with scaffolding, miked through PA. Black Gibson SB Les Paul Junior (1960) plugged into Moog.

DAVID WIGHTWICK: Drums and vocals.

BORN: Dunstable, Bedfordshire, 25/August/1950.

EDUCATED: Priory Secondary School, Dunstable.

MUSICAL TRAINING: Self-taught.

MUSICAL CAREER: Former member of Madrigal from 1967 to 1973. The band split and was reformed with new members and retitled Merlin.

OTHER OCCUPATIONS: Varied from soldier to postman.

MUSICAL INFLUENCES: Beatles, The Move, Genesis.

COMPOSITIONS: None.

FAVOURITE SINGLES: "Say You Don’t Mind” (Colin Blunstone), “Motet Overture” (Abors), “Eleanor Rigby” (Beatles)

FAVOURITE ALBUMS: “Dark Side Of The Moon (Pink Floyd), "Erismore” (Colin Blunstone), “Tubular Bells” (Mike Oldfield), “Moving Waves” (Focus).

FAVOURITE MUSICIANS: Carl Palmer, Jon Bonham, Simon Kirke.

FAVOURITE SONGWRITERS: Lennon and McCartney, Colin Blunstone, Genesis.

FAVOURITE SINGERS: Ian Billan, Colin Blunstone, Karen Carpenter.

RESIDENCE: Flat in London.

INSTRUMENTS: Hayman see-through drumkit comprising 1 x 22 inch bass drum, 1 x 12 inch and 1 x 13 inch mounted tom-toms, 1 x 16 inch and 1 x 18 inch floor tom toms, 1 x 14 inch snare drum, Ludwig/Paiste 22 inch cymbal, 1 x 22 inch and 1 x 20 inch Zildjian ride cymbals, 1 x 18 inch Zildjian crash cymbal, 1 x 14 inch Zildjian hi-hat, Ludwig and Hayman accessories and Premier C and Selmer sticks.

#clippings #reference

0 notes

wwuerth · 1 year

Video

MOVE from Rick Mereki on Vimeo.

For more information on upcoming films : facebook.com/rick.mereki

MOVE

3 guys, 44 days, 11 countries, 18 flights, 38 thousand miles, an exploding volcano, 2 cameras and almost a terabyte of footage... all to turn 3 ambitious linear concepts based on movement, learning and food ....into 3 beautiful and hopefully compelling short films.....

= a trip of a lifetime.

move, eat, learn

For updates and sneak peeks at upcoming projects please feel free to follow me on facebook and instagram facebook.com/pages/Rick-Mereki/277839202256508 instagram.com/rickmereki

Rick Mereki : Director, producer, additional camera and editing Tim White : DOP, producer, primary editing, sound Andrew Lees : Actor, mover, groover

These films were commissioned by STA Travel Australia: youtube.com/watch?v=-BrDlrytgm8

Thanks heaps to Adam Fyfe, Brendan, Simon and Crissy at STA.

All Music composed and performed by Kelsey James ([email protected]) Soundtrack available here: itunes.apple.com/au/album/play-on-move-soundtrack-single/id456257170

Music Recorded and mixed by Jake Phillips

Colour Grade : Edel Rafferty and Roslyn Di Sisto Online Edit : Peter Mirecki

Assistance in titles and production design : Lee Gingold, Jason Milden, Rohan Newman

Big Ups to Michelle, Kiri, Renee, Hana, Andre, Ross, Bernie & Julie for your patience and support and awesomeness.....

Huge Thanks to : Marco, Juliana and Julio at GAP Argentina and Peru Ariana Cardenas, Toni Figuera and cooltra scooters in Barcelona, Abete Zanetti Glass blowing school, Murano, Venice (abatezanetti.it) Annabel, Rosario and Carolina (Pitu) in France Juane and Andrea from the Princeca Insolenta hostel in Chile

Thank you all for your kind words and encouragement. The response has been phenomenal and overwhelming. We never thought this little project would reach out to so many people. x

0 notes

edpor68 · 1 year

Text

Happy Friday! Pattye as Cecile in the Lou Grant episode “Henhouse” 10/11/77-Reporter Billie Newman (Linda Kelsey) investigates the death of a poetry teacher- here she talks to 2 of his students- Cecile “He called them …his dead plays” #pattyemattick #1977tv #lougrant #lindakelsey always remembered, never forgotten 👩🏻‍🦰👓📺💐

#pattyemattick #patricia mattick #adorable #lou grant #1977 #1970s television #gonebutnotforgotten #gonebutnevereverforgotten #gone too soon #youtube

0 notes

thestageyshelf · 2 years

Text

Richard III @ Belgrade Theatre Coventry 2010 (#203)

Title: Richard III

Venue: Belgrade Theatre Coventry

Year: 2010

with ticket from 19th November 2010

Condition: Marking to front cover

Author: William Shakespeare

Cast: Tony Bell, Kelsey Brookfield, Dugald Bruce-Lockhart, Richard Clothier, John Dougall, Richard Frame, Robert Hands, Chris Myles, David Newman, Thomas Padden, Sam Swainsbury, Dominic Tighe, Jon Trenchard

FIND ON EBAY HERE

#Richard III #Belgrade Theatre Coventry #Play #theatre #theatre programme #stageyshelf

0 notes

kaylinalexanderbooks · 1 month

Text

OC Picrew Tag

I did another Picrew here for Lexi, Robbie, and Carmen!

Version 1

Thanks @mk-writes-stuff here, @pluto-murphy-writes here, and @saltysupercomputer who I send my sincerest apologies to not getting to this since May here.

Rules: use this Picrew to create a couple OCs!

Maddie Morgan, Kelsey Newman, and Akash Singh

[image ID in alt text]

Maddie: OC in three, two truths and a lie

Kelsey: filled-in bingo

I haven't done anything for Akash yet??? I am ashamed

Version 2

Thanks @badluck990

Rules: use this Picrew to create a couple of OCs and yourself!

Me (Kaylin), Gwen Amante, and Jedi Moon

[image ID in alt text]

Gwen: OC in three

Jedi: Smash or Pass (acearo version)

Tagging softly @atelierwriting @awritingcaitlin @ceph-the-ghost-writer @buffythevampirelover @little-mouse-gardens @blind-the-winds @little-peril-stories @sleepywriter00

TSP intro

TSP tag list (ask to be +/-): @thepeculiarbird @illarian-rambling @televisionjester @fairy-tales-of-yesterday who as always can join in

#the secret portal #tsp #teaspoon #my ocs #picrew #picrew tag game #writing tag game #maddie morgan #kelsey newman #akash singh #gwen amante #jedi moon #writing blog #writers on tumblr #writing community #writers of tumblr #writing on tumblr #writeblr #writeblr community

34 notes · View notes

the-rise-of-irk · 9 months

Text

Well, I might as well share this with you guys;

I have plans to turn The Rise Of Irk into an animated Web Series!

But as you all probably know, animating a full fledged animated web series is DIFFICULT. I need all the help I can get, so I’m looking for:

ARTISTS

ANIMATORS!!!!!!!!!

STORYBOARDERS (?)

COMPOSERS (for BG music)

VOICE ACTORS

EDITORS

AUDIO MIXERS

ANYONE WHO IS INTERESTED IN THE PROJECT IN ANY WAY!!!

The project is a direct adaptation of the book series on Wattpad, just with a few slight changes! So if you have any interest in the project, please read the series first haha.

Everyone who test read it absolutely loved it and said it was really well done and became VERY attached to the characters (if that convinces you)

AVAILABLE ROLES FOR VAs

- Zim

- Dib Membrane

-Star Newman

-Jek

-Tak

-Tek

-Professor Membrane

-Doctor Newman

-Luna Bitters

-Jade Black

-Zib

-Admiral Jak

-Gaz Membrane

-GIR

-KORA

-ELiSE

-Minimoose

-General Vol

-Irken Announcer

-Teachers

-Camp Counselors

-Background Irkens

-Background Students

-Irken Guards

(And in case you ask, I will be voicing Bel and Kelsey, just because I love them too much to let them go 😭)

Before you audition, PLEASE read the book, as my interpretations of the characters are quite different from the canon versions.

HELP IS WANTED AND APPRICIATED!

Thank you so much!

For auditions and inquiries, please either DM me on Tumblr or email me at [email protected]!

#the rise of irk #invader Zim #casting #HELP WANTED #auditions #voice acting #voice acting opportunities #VA #VA opportunities

2 notes · View notes

victoriasmodels · 5 years

Photo

Charlie Newman, Kelsey Merritt and Anastasiia Matviienko for Triangl | 📸 Cameron Hammond

#Charlie Newman #Kelsey Merritt #Anastasiia Matviienko #Triangl #Cameron Hammond #2019 #Mykonos

2K notes · View notes

jcmarchi · 5 months

Text

Boosting Faith in the Authenticity of Open-Source Software - Technology Org

New Post has been published on https://thedigitalinsider.com/boosting-faith-in-the-authenticity-of-open-source-software-technology-org/

Boosting Faith in the Authenticity of Open-Source Software - Technology Org

Open source software — freely distributed software, along with its source code, so that copies, additions, or modifications can be readily made — is “everywhere,” to quote the 2023 Open Source Security and Risk Analysis Report.

Speranza – artistic interpretation. Image credit: MIT CSAIL

Ninety-six percent of the computer programs used by major industries include open-source software, and seventy-six percent consist of open-source software. But the percentage of software packages “containing security vulnerabilities remains troublingly high,” the report warned.

One concern is that “the software you’ve gotten from what you believe to be a reliable developer has somehow been compromised,” says Kelsey Merrill, a software engineer who received a master’s degree earlier this year from MIT’s Department of Electrical Engineering and Computer Science.

“Suppose that somewhere in the supply chain, an attacker with malicious intent has changed the software.”

The risk of a security breach of this sort is by no means abstract. In 2020, to take a notorious example, the Texas company SolarWinds made a software update to its widely used program called Orion.

Hackers broke into the system, inserting pernicious code into the software before SolarWinds shipped the latest version of Orion to more than 18,000 customers, including Microsoft, Intel, and roughly one hundred other companies, as well as a dozen U.S. government agencies—including the Departments of State, Defense, Treasury, Commerce, and Homeland Security.

In this case, the corrupted product came from a large commercial company. Still, lapses may be even more likely to occur in the open source realm, “where people of varying backgrounds—many of whom are hobbyists without any security training—can publish software that gets used around the world.”

She and three collaborators—her former advisor Karen Sollins, a Principal Scientist at the MIT Computer Science and Artificial Intelligence Laboratory; Santiago Torres-Arias, an assistant professor of computer science at Purdue University; and Zachary Newman, a former MIT graduate student and current research scientist at Chainguard Labs—have developed a new system called Speranza, which is aimed at reassuring software consumers that the product they are getting has not been tampered with and is coming directly from a source they trust.

This new approach, Sollins adds, “simultaneously allows [software] users to have confidence that the maintainers are, in fact, legitimate maintainers and, furthermore, that the code being downloaded is, in fact, the correct code of that maintainer.”

So how can users confirm the genuineness of a software package to guarantee, as Merrill puts it, “that the maintainers are who they say they are?” The classical way of doing this, which was invented more than 40 years ago, is by means of a digital signature, which is analogous to a handwritten signature—albeit with far greater built-in security through the use of various cryptographic techniques.

To carry out a digital signature, two “keys” are generated simultaneously—each of which is a number composed of zeros and ones 256 digits long. One key is designated “private,” the other “public,” but they constitute a mathematically linked pair.

A software developer can use their private key and the contents of the document or computer program to generate a digital signature attached exclusively to that document or program. A software user can then use the public key, the developer’s signature, and the contents of the package they downloaded to verify its authenticity.

Validation comes in a yes, no, 1, or zero. “Getting a 1 means the authenticity has been assured,” Merrill explains. “The document is the same as when it was signed, hence unchanged. A 0 means something is amiss; you may not want to rely on that document.”

Although this decades-old approach is tried-and-true in a sense, it is far from perfect. Merrill notes that one problem “is that people are bad at managing cryptographic keys, which consist of very long numbers, in a secure way that prevents them from getting lost.”

People lose their passwords all the time, Merrill says. “And if a software developer were to lose the private key and then contact a user saying, ‘Hey, I have a new key,’ how would you know who that really is?”

Sigstore automates and streamlines the digital signing process. Users no longer have to manage long cryptographic keys. Still, they are instead issued ephemeral keys (an approach called “keyless signing”) that expire quickly—perhaps within minutes—and therefore don’t have to be stored.

A drawback with Sigstore stems from the fact that it dispensed with long-lasting public keys, so software maintainers have to identify themselves—through a protocol called OpenID Connect (OIDC)—in a way that can be linked to their email addresses.

That feature, alone, may inhibit the widespread adoption of Sigstore, and it served as the motivating factor behind—and the raison d’etre for—Speranza. “We take Sigstore’s basic infrastructure and change it to provide privacy guarantees,” Merrill explains.

Meanwhile, another big pseudorandom number—the accompanying commitment (or co-commitment)—is generated that is associated with a software package that this developer either created or was granted permission to modify.

In order to demonstrate to a prospective user of a particular software package as to who created this version of the package and signed it, the authorized developer would publish a proof that establishes an unequivocal link between the commitment that represents their identity and the commitment attached to the software product.

The proof that is carried out is of a special type, called a zero-knowledge proof, which is a way of showing, for instance, that two things have a common bound, without divulging details as to what those things—such as the developer’s email address—actually are.

“It allows verifiers to see that the same developer signed a package several times without revealing who the developer is or even other packages they work on. This provides a usability improvement over long-term signing keys, and a privacy benefit over other OIDC-based solutions like Sigstore.”

Marcela Mellara, a research scientist in the Security and Privacy Research group at Intel Labs, agrees: “This approach has the advantage of allowing software consumers to automatically verify that the package they obtain from a Speranza-enabled repository originated from an expected maintainer and gain trust that the software they are using is authentic.”

Written by Steve Nadis

Source: Massachusetts Institute of Technology

You can offer your link to a page which is relevant to the topic of this post.

0 notes