steven36 posted a topic in Security & Privacy News

Misconfigured Jira servers from big names in the tech industry exposed information about internal projects and users that could be accessed by anyone with a good command of advanced search operators.

Jira is a popular solution for project management, developed by Atlassian for agile teams. It is used by Fortune 500 companies for easily tracking the progress of various tasks and issues.

Organizations like Google, Yahoo, NASA, Lenovo, 1Password, Zendesk, as well as governing bodies across the world, left unprotected private details that could have jeopardized their developments.

Some entities continue to unwittingly expose to the public the names, roles, and email addresses of employees involved in various projects of the organization, along with the current stage and development of those activities.

Definitely a visibility problem

This information becomes public when a setting is used for controlling the visibility of filters and dashboards for projects on Jira servers, says Avinash Jain, the security engineer who discovered the problem.

Jain told BleepingComputer that when a new filter and dashboard is created in Jira Cloud, the default visibility setting is "all", and this is understood as 'all within the organization', but it refers to everyone on the internet.

Projects on Jira Cloud can be set up for anonymous access, which does not require a user to log in. One of the sharing options for filters and dashboards is called Public and comes with a warning: "If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users."

Jira Cloud documentation.

A broader setting is from the Global Permissions menu, where the admin can choose "Anyone" from the drop-down list to grant access to users that are not logged in. This is not recommended for "systems that can be accessed from the public Internet such as Cloud."
Jira has a user picker functionality that allows retrieving a complete list of usernames and email addresses on the misconfigured exposed servers.

Finding misconfigured servers

Using specific search operators (Google Dorks), Jain was able to identify the machines configured to allow access to information about users and related projects. When BleepingComputer tried them, we could easily find government domains that were affected, as well as private companies and educational institutions.

Depending on the organization, these details are valuable for reconnaissance operations before planning an attack or for spying on the competition.

"Thousands of companies' filters, dashboards and staff data were publicly exposed," says the researcher.

"I have discovered several such misconfigured JIRA accounts in hundreds of companies. Some of the companies were from Alexa and Fortune top list including big giants like NASA, Google, Yahoo, etc., and government sites." - Avinash Jain

The researcher reported some of his findings to affected parties and was recognized for his role in improving their security protocols. One of the organizations is the United Nations; another recognition was for CODIX, a financial solution used by the European Union institutions and agencies.

Last year, Jain found and reported responsibly to NASA a misconfigured Jira server that exposed details (names and email addresses) of 1,000 users.

Source
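An added self-audit example, not part of the post above and not Atlassian's own tooling, that sorts filters and dashboards by how widely they are shared so an admin can find the public ones described in the article. It assumes records shaped like the `sharePermissions` arrays that Jira Cloud's REST API returns for filters and dashboards, where share type `global` means public (anonymous users) and `loggedin`/`authenticated` means every logged-in user; the sample records are constructed, not data from any real server.

```python
"""Classify Jira filter/dashboard share permissions by exposure level.

Assumption: each item carries a `sharePermissions` list as returned by the
Jira Cloud REST API; the type names below are the ones that API uses.
"""
from typing import Dict, List

# Share types that expose an item beyond a chosen set of users.
PUBLIC_TYPES = {"global"}                       # visible to anonymous internet users
ORG_WIDE_TYPES = {"loggedin", "authenticated"}  # anyone who can log in to the site


def exposure_level(share_permissions: List[Dict]) -> str:
    """Return 'public', 'org-wide' or 'restricted' for one filter or dashboard.

    An item shared in several ways is rated by its widest share: a single
    'global' entry makes it public regardless of the other entries.
    """
    types = {perm.get("type") for perm in share_permissions}
    if types & PUBLIC_TYPES:
        return "public"
    if types & ORG_WIDE_TYPES:
        return "org-wide"
    return "restricted"   # project, group, user or role shares, or owner-only


def audit(items: List[Dict]) -> Dict[str, List[str]]:
    """Group item names by exposure level so public ones can be fixed first.

    Items with no sharePermissions are private to their owner (restricted).
    """
    report: Dict[str, List[str]] = {"public": [], "org-wide": [], "restricted": []}
    for item in items:
        report[exposure_level(item.get("sharePermissions", []))].append(item["name"])
    return report


# Constructed sample resembling filter search results (not from a real server).
SAMPLE_ITEMS = [
    {"name": "Q3 roadmap", "sharePermissions": [{"type": "global"}]},
    {"name": "Bugs by assignee", "sharePermissions": [{"type": "loggedin"}]},
    {"name": "Security triage", "sharePermissions": [
        {"type": "project", "project": {"key": "SEC"}},
        {"type": "group", "group": {"name": "appsec"}}]},
    {"name": "My open issues", "sharePermissions": []},
]

if __name__ == "__main__":
    for level, names in audit(SAMPLE_ITEMS).items():
        print(f"{level}: {names}")
```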
mood posted a topic in Software News

The Open Source Index showcases GitHub’s most popular projects right now

Concept illustration for open source software. Image Credit: Esra Sen Kula / via Getty

It intersects with just about every piece of software, from systems architecture to APIs, and enterprises are adopting it more than ever.

Open source software, judging by just about every estimation in recent years, is eating the world. But sifting through the vast array of open source projects out there, sorting the wheat from the chaff, can be a challenge, which is partly why early stage VC firm Two Sigma Ventures has launched a new index designed to surface “high-level trends” in the open source sphere.

It’s worth noting that there are already all manner of indexes and charts out there that deliver useful insights for the open source world, such as the Open Source Contributor Index, which ranks commercial organizations by their employees’ open source contributions (Google’s in the lead). And GitHub itself charts things like trending repositories.

It’s possible to slice, dice, and present GitHub data in any way you see fit through its publicly available API, which is exactly what Two Sigma Ventures has done with the Open Source Index. But rather than relying on “stars,” it uses “watchers,” which it argues provides a more accurate reflection of a project’s true popularity.

Star watchers

GitHub, for the uninitiated, allows logged-in users to either “star” or “watch” a project — the former can perhaps best be likened to bookmarking, as the user saves the project to their profile so they can easily check in on it without having to search. It can also be used as a show of respect, similar to how someone might “like” a Facebook post or tweet — “I dig what you’re doing for open source, keep up the good work.” When someone chooses to “watch” a project, however, they are likely taking a more active interest, as they essentially sign up to receive project notifications.
As such, the Open Source Index is based on the top GitHub projects as per the number of people that are “watching” a project. While there are of course broad correlations between “stars” and “watchers,” i.e. top projects will likely have a high number of both, they aren’t always totally aligned. Moreover, Two Sigma Ventures wanted to showcase what’s popular today, rather than what has built a high “vanity metric” by virtue of having launched 10 years ago.

“A stars-based ranking tends to prioritize older projects that have been around for a while, since stars are more cumulative in nature,” Two Sigma Ventures VC Vinay Iyengar told VentureBeat. “With watchers, we believe we have a better sense of the projects that are ‘hot’ right now, as opposed to those that have been around for a while.”

And so the Open Source Index, which is continuously updated, showcases the 100 “most popular and fastest-growing” open source projects, allowing users to sort and filter by various criteria (Two Sigma Ventures filtered out all the non-technical projects, such as books and educational content, from the index).

For the index, Two Sigma Ventures has produced its own TSV (Two Sigma Ventures) ranking, which is weighted as an average of five variables: Watchers (40%); Watcher growth (25%), which considers the variance in watchers over the past quarter; Contributors (15%); Release cadence (10%), which is the number of commits over a project’s lifetime; and Community health score (10%), which is based on GitHub’s own metric for how well-maintained a repository is.

“We think our TSV Score metric is somewhat of a ‘super’ metric, in that it takes into account several factors that we believe lead to building a great open source project/community,” Iyengar said.
None of this is an exact science of course, and Iyengar acknowledges that these weightings are somewhat “arbitrary,” reflecting “just one perspective on what’s important in building a great open source community.”

The index defaults to the TSV score ranking (highest to lowest), and doesn’t reveal too many surprises — TensorFlow, React, Vue, Angular, and Kubernetes all rank highly, and they all have high numbers of stars and watchers.

Above: Open Source Index: Top 10 by TSV ranking

But playing around with the various filters is where things start to get a little more interesting. Chinese tech titan Baidu’s open source autonomous driving project Apollo, for example, ranks 41st when using the TSV ranking and 72nd by number of watchers. And in terms of stars, Apollo comes in last at 100th. However, if you filter the index by the quarterly watcher growth metric, Apollo is in pole position.

Above: Open Source Index: Apollo on top

There could be a number of reasons for this surge in interest. Two months ago, Baidu’s Apollo became the sixth company in California to get approval to test fully driverless cars on public roads, while the company has launched all manner of autonomous vehicle programs and projects in its domestic China too. Whatever the reason behind this surge, it serves as an interesting data point for any developer, company, or entrepreneur wanting to keep their finger on the open source pulse.

“It [watcher growth metric] gives us an important signal on which projects have momentum in the developer ecosystem,” Iyengar noted.

Other interesting observations include Bitcoin, which is ranked 40th in the index by number of stars (48,000 stars) and 33rd by TSV ranking. However, it’s in seventh place by number of watchers, ahead of JQuery, Kubernetes, and Visual Studio Code, among other arguably “more relevant” projects.
Above: Open Source Index: Bitcoin is top 10 for most-watched

The Two Sigma factor

So why has Two Sigma Ventures taken the time to create this list, and what relevance does it hold? Well, as an investor, the firm has backed several startups that commercialize open source projects, such as GitLab, Timescale, Radar Labs, NS1, and Replicated. Playing around with the various menus and filters on the index reveals some interesting insights related to this, such as that seven of the top 100 projects were either created by private VC-backed startups or are maintained by commercial companies created by the original project creators — these are Redis, Grafana, Vercel, Hashicorp, Confluent, Databricks, and Preset.

But the VC entity is a separate business simply called Two Sigma, which is an investment management company that applies “cutting-edge technology to the data-rich world of finance,” according to Iyengar. It counts 1,700 employees — more than half of whom are software developers and use open source software on a daily basis. They are also creators of a number of open source projects, such as Flint and BeakerX.

“We have seen firsthand how software created by developers, for developers, leveraging community-based development, leads to incredible innovation,” Iyengar said in a separate blog post announcing the index. “Moreover, we are excited about how enterprise software is moving toward bottoms-up adoption, and how an open core business can lead to remarkably efficient customer acquisition and growth.”

This new index also constitutes part of a growing trend in the technology realm that strives to make sense of the open source world. Just last week, OpenLogic launched an upgraded tool it calls Stack Builder, which helps enterprises choose the right open source software. And earlier this year, Openbase emerged out of the ether to serve as a sort of Yelp for open source software packages.
If nothing else, the Open Source Index serves as a useful accompaniment to these other efforts, helping companies and developers dig down into the best — or most popular — open source projects on GitHub right now. There are plans to add more data to the mix in the future, according to Iyengar, such as downloads, community engagement in external channels such as Slack or Discord, and even mentions in job advertisements.

The Open Source Index is available now and free to use for anyone.

Source: The Open Source Index showcases GitHub’s most popular projects right now