This post is by Nicholas Thompson from Feed: All Latest
In an interview with WIRED, former secretary of defense Ash Carter discussed how to build morality into AI—and make sure other countries do too.
RedHat today announced that it’s acquiring container security startup StackRox . The companies did not share the purchase price.
RedHat, which is perhaps best known for its enterprise Linux products has been making the shift to the cloud in recent years. IBM purchased the company in 2018 for a hefty $34 billion and has been leveraging that acquisition as part of a shift to a hybrid cloud strategy under CEO Arvind Krishna.
The acquisition fits nicely with RedHat OpenShift, its container platform, but the company says it will continue to support StackRox usage on other platforms including AWS, Azure and Google Cloud Platform. This approach is consistent with IBM’s strategy of supporting multicloud, hybrid environments.
In fact, Red Hat president and CEO Paul Cormier sees the two companies working together well. “Red Hat adds StackRox’s Kubernetes-native capabilities to OpenShift’s layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints,” he said in a statement.
CEO Kamal Shah, writing in a company blog post announcing the acquisition, explained that the company made a bet a couple of years ago on Kubernetes and it has paid off. “Over two and half years ago, we made a strategic decision to focus exclusively on Kubernetes and pivoted our entire product to be Kubernetes-native. While this seems obvious today; it wasn’t so then. Fast forward to 2020 and Kubernetes has emerged as the de facto operating system for cloud-native applications and hybrid cloud environments,” Shah wrote.
Shah sees the purchase as a way to expand the company and the road map more quickly using the resources of Red Hat (and IBM), a typical argument from CEOs of smaller acquired companies. But the trick is always finding a way to stay relevant inside such a large organization.
StackRox’s acquisition is part of some consolidation we have been seeing in the Kubernetes space in general and the security space more specifically. That includes Palo Alto Networks acquiring competitor TwistLock for $410 million in 2019. Another competitor, Aqua Security, which has raised $130 million, remains independent.
StackRox was founded in 2014 and raised over $65 million, according to Crunchbase data. Investors included Menlo Ventures, Redpoint and Sequoia Capital. The deal is expected to close this quarter subject to normal regulatory scrutiny.
Government knowledge of what sites activists have visited can put them at risk of serious injury, arrest, or even death. This makes it a vitally important priority to secure DNS. DNS over HTTPS (DoH) is a protocol that encrypts the Domain Name System (DNS) by performing lookups over the secure HTTPS protocol. DNS translates human-readable domain names (such as eff.org) into machine-routable IP addresses (such as 18.104.22.168), but it has traditionally done this via cleartext queries over UDP port 53 (Do53). This allows anyone who can snoop on your connection—whether it’s your government, your ISP, or the hacker next to you on the same coffee shop WiFi—to see what domain you’re accessing and when.
In 2019, the effort to secure DNS through DoH made tremendous progress both in terms of the deployment of DoH infrastructure and in the Internet Engineering Task Force (IETF), an Internet governance body tasked with standardizing the protocols we all rely on. This progress was made despite large pushback by the Internet Service Providers’ Association in the UK, citing difficulties DoH would present to British ISPs, which are mandated by law to filter adult content.
2020 has also seen great strides in the deployment of DNS over HTTPS (DoH). In February, Firefox began the rollout of DoH to its users in the US, using Cloudflare’s DoH infrastructure to provide lookups by default. Google’s Chrome browser followed suit in May by switching users to DoH if their DNS provider supports it. Meanwhile, the list of publicly available DoH resolvers has expanded to the dozens, many of which implement strong privacy policies, such as not keeping connection logs.
This year’s expansion of DoH deployments has alleviated some of the problems critics have cited, such as the centralization of DoH infrastructure. Previously, only a few large Internet technology companies like Cloudflare and Google had deployed DoH servers at scale. This facilitated these companies’ access to large troves of DNS query data, which could theoretically be exploited to mine sensitive data on DoH users. Mozilla has sought to protect their Firefox users from this danger by requiring the browser’s DoH resolvers to observe strict privacy practices, outlined in their Trusted Recursive Resolver (TRR) policy document. Comcast joined Mozilla’s TRR partners Cloudflare and NextDNS in June.
In addition to policy and deployment strategies to alleviate the privacy concerns of DoH infrastructure centralization, a group of University of Washington academics and Cloudflare technologists published a paper late last month proposing a new protocol called Oblivious DNS over HTTPS (ODoH). The protocol introduces a proxy node to the DoH network layout. Instead of directly requesting records via DoH, a client creates a request for the DNS record, along with a symmetric key of their choice. The client then encrypts the request and symmetric key to the public key of the DoH server they wish to act as a resolver. The client sends this request to the proxy, along with the identity of the DoH resolver they wish to use. The proxy removes all identifying pieces of information from the request, such as the requester’s IP address, and forwards the request to the resolver. The resolver decrypts the request and symmetric key, recursively resolves the request, encrypts the response to the symmetric key provided, and sends it back to the ODoH proxy. The proxy forwards the encrypted response to the client, which is then able to decrypt it using the symmetric key it has retained in memory, and retrieve the DNS response. At no point does the proxy see the unencrypted request, nor does the resolver ever see the identity of the client.
ODoH guarantees that, in the absence of collusion between the proxy and the resolver, no one entity is able to determine both the identity of the requester and the content of the request. This is important because if powerful entities (whether it be your government, ISP, or even DNS resolver) know which people accessed what domain (and when), it gives that entity enormous power over those people. ODoH gives users a technological way to ensure that their domain lookups are secure and private so long as they trust that the proxy and the resolver do not join forces. This is a much lower level of trust than trusting that a single entity does not misuse the DNS queries you send them.
Looking ahead, one possibility worries us: using ODoH gives software developers an easy way to comply with the demands of a censorship regime in order to distribute their software without telling the regime the identity of users they’re censoring. If a software developer wished to gain distribution rights in Saudi Arabia or China, for example, they could choose a reputable ODoH proxy to connect to a resolver that refuses to resolve censored domains. A version of their software would be allowed for distribution in these countries, so long as it had a censorious resolver baked in. This would remove any potential culpability that software developers have for revealing the identity of a user to a government that can put them in danger, but it also facilitates the act of censorship. In traditional DoH, this is not possible. Giving developers an easy-out by facilitating “anonymous” censorship is a worrying prospect.
Nevertheless, the expansion of DoH infrastructure and conceptualization of ODoH is a net win for the Internet. Going into 2021, these developments give us hope for a future where our domain lookups will universally be both secure and private. It’s about time.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2020.