Robots Compete during RoboJawn as Philly Tech Week Returns

PHILADELPHIA — Robots take the field for their initial rounds of competition during RoboJawn ‘22. FIRST Tech Challenge RoboJawn is similar to an official tournament in many ways.

Teams bring their robots and their Gracious Professionalism to compete in this year’s FREIGHT FRENZY challenge following FIRST’s challenge rules.

Students inspect and calibrate their robots for RoboJawn 2022. (bdpatoday photo © 2022)

Similar to an official tournament, teams are interviewed by a panel of judges, and submit an engineering portfolio, to vie for judged awards.

Central High School in Philadelphia, PA hosted this year’s RoboJawn. For this year’s off-season competitions, bdpatoday co-sponsored Central High School’s and Philadelphia High School for Girls’ RoboJawn teams.

For upcoming RoboJawn events, visit → https://roboticscoalition.org/

— Source: Philadelphia Robotics Coalition | Cover photo: bdpatoday


The U.S. Spent $2.2 Million on a Cybersecurity System That Wasn’t Implemented — and Might Have Stopped a Major Hack

ProPublica is a Pulitzer Prize-winning investigative newsroom.

NEW YORK—As America struggles to assess the damage from the devastating SolarWinds cyberattack discovered in December, ProPublica has learned of a promising defense that could shore up the vulnerability the hackers exploited: a system the federal government funded but has never required its vendors to use.

The massive breach, which U.S. intelligence agencies say was “likely Russian in origin,” penetrated the computer systems of critical federal agencies, including the Department of Homeland Security, the Treasury Department, the National Institutes of Health and the Department of Justice, as well as a number of Fortune 500 corporations. The hackers remained undetected, free to forage, for months.

The hackers infiltrated the systems by inserting malware into routine software updates that SolarWinds sent to customers to install on its products, which are used to monitor internal computer networks. Software updates customarily add new features, remove bugs and boost security. But in this instance, the hackers commandeered the process by slipping in malicious code, creating secret portals (called “back doors”) that granted them access to an untold bounty of government and company secrets.

The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers.

This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for “as a whole”), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. Cappos, 43, has made securing the software supply chain his life’s work. In 2013, Popular Science named him as one of its “Brilliant Ten” scientists under 40.

Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.

“In security, you almost never go from making something possible to impossible,” Cappos told ProPublica, during two video interviews from Shanghai, where he is teaching. “You go from making it easy to making it hard. We would have made it much harder for the [SolarWinds] attackers, and most likely would have stopped the attack.” Although the SolarWinds breach was a “really sneaky” approach, Cappos said, “in-toto definitely can protect against this. It’s very possible to catch it.”

In-toto’s system has supporters among experts in the government and corporations. When ProPublica asked Robert Beverly, who oversees in-toto’s federal grant as a program director at the National Science Foundation, whether using in-toto could have saved the government from the hack, he replied, “Absolutely. There seems to be some strong evidence that had some of the, or all of the, in-toto technologies been in place, this would have been mitigated to some extent.” Beverly, whose NSF responsibilities include “cybersecurity innovation for cyberinfrastructure” and who is on leave from his post as a computer science professor at the Naval Postgraduate School, added that it’s impossible to know for sure what impact in-toto would have had, and that the system remains at an early stage of adoption. “Unfortunately,” said Beverly, “it often takes some of these kinds of events to convince people to use these kinds of technologies.”

Some companies have embraced in-toto, and others, like Microsoft, have expressed interest. “I am a big fan of in-toto,” Kay Williams, head of Microsoft’s initiatives in open source and supply-chain security, said in an email to ProPublica. A second Microsoft program manager, Ralph Squillace, praised in-toto in a recent NYU press release for applying “precisely to the problems of supply chain confidence the community expects distributed applications to have in the real world.” (After Williams’ initial response, Microsoft declined to comment further.)

One senator blasted the government’s failure to use a system it paid for. “The U.S. government invested millions of dollars in developing technology that can protect against this threat, and while several large technology companies have already adopted it, they are the exception,” said Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee. “The government can speed up industry adoption of this best practice by requiring every government contractor to implement the best available technology to protect their supply chains.”

The in-toto system requires software vendors to map out, in a signed layout, the steps by which their code is assembled and who is allowed to perform each one. As each step runs, the party performing it records, in signed metadata, cryptographic hashes of what the step consumed and what it produced. Verification then checks that the output of each step is exactly the input of the next, so that no hacker has inserted something in between steps, and that every record carries the expected signature. Immediately before installation, a tool on the customer’s side automatically runs a final check to make sure that what the customer received matches the final product the software vendor generated for delivery, confirming that it wasn’t tampered with in transit.
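The flow described above, as an added illustration that is neither in-toto’s own code nor part of the ProPublica article: a stand-alone Python model of a two-step pipeline (checkout, then build) with a signed layout, signed link records of each step’s inputs (materials) and outputs (products), the rule that one step’s inputs must be the previous step’s outputs, and the final check on the customer’s side. Everything in it is constructed for the example: the step names, the signing secrets, the sample source file, and HMAC-SHA256 standing in for the asymmetric signatures real in-toto uses. The three attacker scenarios, code inserted between checkout and build as in the update compromise described earlier, a forged build record, and an artifact altered in transit, each fail a different check.

```python
import hashlib
import hmac
import json

# Constructed demo secrets. Real in-toto uses asymmetric keys (e.g. ed25519);
# HMAC-SHA256 stands in here so the example runs on the standard library only.
OWNER_KEY = b"project-owner-secret"
KEYS = {"dev": b"developer-secret", "ci": b"build-server-secret"}
SRC = b"int main(void) { return 0; }\n"   # constructed sample source file


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, payload: dict) -> dict:
    """Wrap a payload in a signed envelope (HMAC as a stand-in signature)."""
    return {"signed": payload, "sig": hmac.new(key, _canonical(payload), "sha256").hexdigest()}

def verify_sig(key: bytes, env: dict) -> bool:
    expected = hmac.new(key, _canonical(env["signed"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, env["sig"])

def make_layout(owner_key: bytes, steps: list, deliverable: str) -> dict:
    """The project owner fixes the pipeline: step order, who may sign each step,
    and whether a step's inputs must match the previous step's outputs."""
    return sign(owner_key, {"steps": steps, "deliverable": deliverable})

def make_link(key: bytes, step: str, materials: dict, products: dict) -> dict:
    """A functionary records hashes of what it consumed and produced, then signs."""
    return sign(key, {"step": step,
                      "materials": {n: sha256(b) for n, b in materials.items()},
                      "products": {n: sha256(b) for n, b in products.items()}})

def verify_supply_chain(layout, owner_key, keys, links, delivered) -> tuple:
    """Customer-side check. Returns (True, 'ok') or (False, reason)."""
    if not verify_sig(owner_key, layout):
        return False, "layout signature invalid"
    by_step = {link["signed"]["step"]: link for link in links}
    prev_name, prev_products = None, {}
    for step in layout["signed"]["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        if not verify_sig(keys[step["signer"]], link):
            return False, f"link for {step['name']} not signed by {step['signer']}"
        if step["match_previous"]:
            # in-toto's MATCH rule: every input of this step must be byte-for-byte
            # an output of the previous step, so nothing was slipped in between.
            for name, digest in link["signed"]["materials"].items():
                if prev_products.get(name) != digest:
                    return False, f"{step['name']} consumed {name} that {prev_name} did not produce"
        prev_name, prev_products = step["name"], link["signed"]["products"]
    # Final check at install time: what arrived equals what the last step produced.
    target = layout["signed"]["deliverable"]
    if target not in delivered or prev_products.get(target) != sha256(delivered[target]):
        return False, f"delivered {target} does not match final product"
    return True, "ok"


LAYOUT = make_layout(OWNER_KEY, [
    {"name": "checkout", "signer": "dev", "match_previous": False},
    {"name": "build", "signer": "ci", "match_previous": True},
], "update.bin")

def compile_stub(src: bytes) -> bytes:
    """Deterministic stand-in for a compiler."""
    return b"BIN:" + sha256(src).encode()

def run_scenario(scenario: str) -> tuple:
    """Run the two-step pipeline honestly or with one attacker intervention."""
    checkout = make_link(KEYS["dev"], "checkout", {}, {"main.c": SRC})
    build_input = SRC
    if scenario in ("inject-source", "forge-link"):
        build_input = SRC + b"/* backdoor */\n"   # code inserted between checkout and build
    binary = compile_stub(build_input)
    if scenario == "forge-link":
        # Attacker hides the injection with a link that claims the clean source
        # was compiled, but does not hold the build server's signing key.
        build = make_link(b"attacker-guess", "build", {"main.c": SRC}, {"update.bin": binary})
    else:
        build = make_link(KEYS["ci"], "build", {"main.c": build_input}, {"update.bin": binary})
    delivered = {"update.bin": binary}
    if scenario == "tamper-in-transit":
        delivered["update.bin"] = binary + b"\x90"   # altered after the pipeline finished
    return verify_supply_chain(LAYOUT, OWNER_KEY, KEYS, [checkout, build], delivered)


if __name__ == "__main__":
    for s in ("honest", "inject-source", "forge-link", "tamper-in-transit"):
        print(f"{s:18s} -> {run_scenario(s)}")
```

The honest run verifies; the injected source is caught because the build record’s input hash no longer equals the checkout record’s output hash; the forged record fails signature verification before its contents are even compared; and the in-transit modification is caught by the final hash check. Note what the model does not cover: a functionary whose signing key is stolen, or a build host compromised deeply enough to lie in its own record, which is why in-toto layouts in practice also require multiple independent signers for sensitive steps.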

Cappos and a team of colleagues have worked to develop the in-toto approach for years. It’s been up and running since 2018. The project received a three-year grant from the National Science Foundation that year, aimed at promoting “widespread practical use” of in-toto. (Later in 2018, President Donald Trump signed the Federal Acquisition Supply Chain Security Act, aimed at protecting government secrets from software supply-chain threats.)

In-toto could block and reveal countless cyberattacks that currently go undetected, according to Cappos, whose team includes Santiago Torres-Arias, an assistant electrical and computer engineering professor at Purdue University, and Reza Curtmola, co-director of the New Jersey Institute of Technology’s Cybersecurity Research Center. In an August 2019 paper and presentation to the USENIX computer conference, titled “in-toto: Providing farm-to-table guarantees for bits and bytes,” Cappos’ team reported studying 30 major supply-chain breaches dating back to 2010. In-toto, they concluded, would have prevented between 83% and 100% of those attacks.

“It’s available to everyone for free, paid for by the government, and should be used by everyone,” said Cappos. “People may still be able to break in and try to hack around it. But this is a necessary first step and will catch a ton of these things.” The slow pace of adoption is “really disappointing,” Cappos added. “In the long game, we’ll win. I just don’t know that we want to go through the pain that it’ll take for everyone to wise up.”

One of in-toto’s earliest adopters, starting in 2018, was Datadog, a SolarWinds competitor that provides monitoring software for internet cloud applications. Now a publicly traded company with 2020 revenues of nearly $600 million, its customers include Nasdaq, Whole Foods and Samsung. Datadog uses in-toto to protect the security of its software updates. In an NYU press release, Datadog staff security engineer Trishank Kuppusamy, who worked on the program’s design and implementation, said that what distinguishes in-toto is that it “has been designed against a very strong threat model that includes nation-state attackers.” (Datadog did not reply to ProPublica’s requests for comment.)

The General Services Administration, which provides access to software for federal government agencies, still lists SolarWinds products available for purchase. But it said in a statement that “compromised versions” of SolarWinds programs identified by DHS are no longer available.

SolarWinds itself declined to weigh in on whether its hack could have been prevented. “We are not going to speculate on in-toto and its capabilities,” a spokesman said in an emailed statement. “We are focused on protecting our customers, hardening our security and collaborating with the industry to understand the attack and prevent similar attacks in the future.”

Previously little known to the general public, SolarWinds is a public company based in Austin, Texas, with projected 2020 revenues of just over $1 billion. It boasts of providing software to 320,000 customers in 199 countries, including 499 of the Fortune 500 companies. In a recent SEC filing, the company said its flagship Orion products, the vehicle for the cyberattack, provide about 45% of its revenues. A SolarWinds slogan: “We make IT look easy.”

After the hack was discovered, SolarWinds’ stock plunged, and it is now facing shareholder lawsuits. The company has shifted aggressively into damage-control mode, hiring CrowdStrike, a top cybersecurity firm; elite Washington lobbyists; a crisis-communications advisor; and the newly formed consulting team of Christopher Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (who was famously fired for contradicting Trump’s claims of mass voting fraud) and Alex Stamos, former security chief at Facebook.

News of what’s now known as the SolarWinds attack first came on Dec. 8. That’s when FireEye, perhaps the nation’s preeminent hack-hunter, announced that it had itself fallen victim to a “highly sophisticated state-sponsored adversary” that had broken into its servers and stolen its “Red Team tools,” which FireEye uses to try to hack into the computer networks of its clients as a test of their cyber-defenses. FireEye soon discovered the attackers had gained access through corrupted updates to the SolarWinds Orion network-monitoring software that it used.

On the evening of Dec. 13, CISA issued an emergency directive, identifying SolarWinds as ground zero for the hack and alerting federal agencies using Orion products to disconnect them immediately. Over the following weeks, investigators discovered that SolarWinds had been targeted back in early September 2019, when hackers started testing their ability to inject code into its software updates. After remaining undetected for months, they inserted malware in new updates between February and June 2020. SolarWinds estimated these infected updates affected “fewer than 18,000 of its customers.”

Precisely what the hackers saw, and stole, has yet to be determined and is under investigation. But the full impact of the breach is becoming clearer, as we now know it touches several tech companies, including Microsoft. The software giant has also labored to limit the damage by helping seize an internet domain in the U.S. that the hackers used to siphon data from some SolarWinds customers.

Stamos told the Financial Times, in an interview after being hired to help SolarWinds, that he believed the attackers had embedded hidden code that would continue to give them access to companies and government agencies for years. He compared the situation to Belgian and French farmers going out into their fields where two world wars were fought and discovering an “iron harvest” of unexploded ordnance each spring.

Dmitri Alperovitch, who co-founded CrowdStrike (the cybersecurity firm SolarWinds has hired to investigate the hack) before leaving last year to start a nonprofit policy group, said he thinks that, in theory, the in-toto system could work. But he warned that software is so complex, with many products and companies in the supply chain, that no one defense is a panacea. Still, he agrees that in-toto could provide protection, and said “it’s always a good thing to have more protection for supply chains.”

Russian intelligence services have clearly identified supply-chain attacks “as a much better way to get in,” offering “a much bigger set of targets,” Alperovitch said. “This is an indictment of the entire cybersecurity industry, as well as the intelligence community, that they were able to orchestrate such a broad, sweeping attack right under our noses.”

NOAA’s Global Systems Laboratory Welcomes Dr. DaNa Carlis As New Deputy Director

BOULDER, CO — DaNa L. Carlis, Ph.D., joined GSL as the Deputy Director in September 2020. He comes to GSL from the NOAA Weather Program Office (WPO), where he established the Earth Prediction Innovation Center (EPIC) Program. DaNa enjoys working between science, policy, and society to ensure better products and services for the American people. He is also passionate about leadership, diversity, and inclusion, and mentoring the next generation of scientists.

“I couldn’t be more grateful and excited to join GSL because of its focus on applied research and development, advanced technologies, and transitioning and improving research-to-operations with the National Weather Service (NWS). GSL aligns perfectly with my desire to provide better products and services to the American people. I’ve always wanted to do research that impacts people’s lives, and GSL is a premier NOAA research laboratory that provides innovative tools and services that lead to better decisions and ultimately save lives,” said Carlis. “As the GSL’s Deputy Director, I am committed to bringing strong leadership and listening skills along with a creative mind to continue to advance the GSL mission. In addition, I plan to continue to uphold GSL’s scientific prowess, which is displayed in our cutting-edge research portfolio that is widely recognized by the Weather Enterprise.”

DaNa attended Howard University in Washington, DC, and earned his B.S. degree in Chemistry (1999), and an M.S. (2002) and Ph.D. in Atmospheric Science (2007) as a graduate student of the NOAA Center for Atmospheric Science and Meteorology (NCAS-M). In 2002, DaNa accepted a fellowship from the NOAA Office of Education Educational Partnership Program (EPP) as a member of the Graduate Sciences Program and completed his M.S. thesis research at NASA’s Goddard Space Flight Center (GSFC), conducting an analysis of SO2 cross-sections for the Total Ozone Mapping Spectrometer (TOMS) satellite. He completed his Ph.D. dissertation, titled “Numerical Simulations of Island-Scale Airflow and the Maui Vortex Under Summer Trade-wind Conditions,” on the island of Oahu, Hawaii. DaNa was the second male to receive a Ph.D. in Atmospheric Sciences since Howard’s inception in 1867.

Dr. DaNa Carlis

DaNa credits NCAS-M and NOAA’s Educational Partnership Program/Minority-Serving Institution EPP/MSI Program for allowing him to pursue what he loves and providing a pathway to federal employment. DaNa has held positions at the NWS National Centers for Environmental Prediction (NCEP) Environmental Modeling Center (EMC) as a research meteorologist working on NOAA’s Global Forecast System (GFS) Model (2007-2014), and as a policy advisor to NOAA’s Chief Scientist and NOAA’s Assistant Secretary of Environmental Observations and Prediction (2014-2016). DaNa is a graduate of NOAA’s Leadership Competency Development Program (LCDP) Class IX where he learned a great leadership lesson that’s been his mantra for the last few years and that’s to work in an environment where he’s comfortably uncomfortable.

DaNa is originally from Tulsa, OK. In his spare time, he enjoys cheering for his favorite sports team, the Oklahoma Sooners, mentoring boys from underrepresented communities that come from single-parent households, and traveling the world with his family. In 2016, he wrote a children’s book titled “MIT: Meteorologist in Training” and he’s published peer-reviewed papers. DaNa is married to Dr. Lydia Carlis, and they have a daughter, Dia Dannielle, who is a senior at Georgia State University. — bt

Source and photo: National Oceanic and Atmospheric Administration (NOAA)
Cover photo (above): Dr. DaNa Carlis keynotes BDPA’s 2019 annual Regional Earth Day Tech Summit
with Jr. Devs (coders and developers) and Regional High School Coding Competition (HSCC) finalists


High Performance Data Processing: COBOL Programmers needed for huge surge in jobless data

TRENTON, NJ (BDPA-NJ) — “New Jersey needs COBOL Programmers.” At a press conference today, Governor Phil Murphy asked for the help of volunteer coders who still know how to program in COBOL.

In New Jersey and perhaps other states with “legacy systems”, experts are urgently needed to fix COBOL-based unemployment insurance systems—some at least four decades old—that are overwhelmed due to COVID-19 related job losses.


The state recently experienced a 1,600% increase in claims volume in a single week, said labor commissioner Robert Asaro-Angelo during today’s briefing, stating that “over the prior two weeks we saw more than 362,000 people apply for unemployment as a result of this public health emergency.”


Tech industry and cybersecurity experts note that such “volunteers”, like National BDPA’s founding members, are likely well over 60 years old, which makes them especially vulnerable to COVID-19. Whether they would risk venturing back out to work, or volunteer to update legacy systems that should have been modernized decades ago, remains an open question, especially if they cannot perform emergency upgrades remotely from home or a secured facility.  bt


— Sources: New Jersey Department of Labor, Quartz, and BDPA-NJ
Top courtesy photo: Newark, NJ

Visit page 4 (COBOL | Mainframes: Admiral Grace Hopper) of your March 2020 special Women’s History Month edition of bdpatoday.

Pinterest files with SEC for proposed IPO

SAN FRANCISCO — Visual search engine Pinterest, Inc. (Pinterest) this week announced it has filed a registration statement on Form S-1 with the U.S. Securities and Exchange Commission (SEC) relating to a proposed initial public offering (IPO) of shares of its Class A common stock. The number of shares to be offered and the price range for the proposed offering have not yet been determined.

According to The Verge, Pinterest, which launched in 2010, generates revenue by attracting advertisers to its platform, where users create boards in which they self-identify their interests. Advertisers then try to sell the products that most closely match those interests. According to Pinterest, more than 250 million monthly active users have created more than 4 billion boards with a cumulative 175 billion pins saved. The platform itself has processed more than 2 billion searches, many of which Pinterest attempts to process visually using machine learning (ML)-based methods such as object and image recognition. Last quarter, Pinterest rebuilt the infrastructure behind its “product pins.” This update brought current pricing and stock information for all product pins into the app, letting Pinterest monetize its platform with new advertisers.

The Verge also reported such an influx of money could drastically shake up the Bay Area landscape by creating waves of new millionaires, a capital injection that could reshape San Francisco and, as a result, the tech industry itself due to the ripple effects it could have on new startups and investments.

— Sources: Pinterest and The Verge


Spring Ahead: ‘CB’ Time vs. ‘CP’ Time

Celestial bodies (‘CB’), the Sun, the Moon, the planets, and the stars, have provided a reference for measuring the passage of time throughout our existence. Ancient civilizations relied on the apparent motion of these bodies through the sky to determine seasons, months, and years; that “celestial body” time has since given way to the “computer people” (‘CP’) time of modern-day coders and software developers.

According to the National Institute of Standards and Technology (NIST), we know very little about the details of timekeeping in prehistoric eras, but wherever we turn up records and artifacts, we usually discover that in every culture, some people were preoccupied with measuring and recording the passage of time.

Ice-age hunters in Europe over 20,000 years ago scratched lines and gouged holes in sticks and bones, possibly counting the days between phases of the moon. Five thousand years ago, Sumerians in the Tigris-Euphrates valley in today’s Iraq had a calendar that divided the year into 30 day months, divided the day into 12 periods (each corresponding to 2 of our hours), and divided these periods into 30 parts (each like 4 of our minutes). We have no written records of Stonehenge, built over 4000 years ago in England, but its alignments show its purposes apparently included the determination of seasonal or celestial events, such as lunar eclipses, solstices and so on.

The earliest Egyptian calendar was based on the moon’s cycles, but later the Egyptians realized that the “Dog Star” in Canis Major, which we call Sirius, rose next to the sun every 365 days, about when the annual inundation of the Nile began. Based on this knowledge, they devised a 365 day calendar that seems to have begun around 3100 BCE (Before the Common Era), which thus seems to be one of the earliest years recorded in history.


—Source: National Institute of Standards and Technology (NIST)

Cisco to Layoff up to 20% of its Global Workforce

SAN JOSE, CA [CRN] — Cisco Systems is expected to announce the cuts within the next few weeks, as many early retirement package plans have already been offered to employees, said sources. Cisco is set to announce its fourth fiscal quarter results after the market closes later today.

Cisco must retool digital tool sets for all vertical markets (such as education, healthcare, transportation, and energy) with new people and new skills to become a smaller, leaner, and more agile company. Mark Haranas of CRN reports Cisco is laying off upward of 14,000 employees, representing nearly 20 percent of the networking giant’s global workforce, according to multiple sources close to the company. These heavy cuts, which sources say range between 9,000 and 14,000 employees worldwide, stem from Cisco’s transition from its hardware roots into a new “software-centric” organization.


— Source: CRN.com
Cover and photo credits: Cisco Systems 