Google announced a new initiative Tuesday aimed at securing the open-source software supply chain by curating and distributing a security-vetted collection of open-source packages to Google Cloud customers. From a report: The new service, branded Assured Open Source Software, was introduced in a blog post from the company. In the post, Andy Chang, group product manager for security and privacy at Google Cloud, pointed to some of the challenges of securing open-source software and stressed Google's commitment to open source. "There has been an increasing awareness in the developer community, enterprises, and governments of software supply chain risks," Chang wrote, citing last year's major log4j vulnerability as an example. "Google continues to be one of the largest maintainers, contributors, and users of open source and is deeply involved in helping make the open source software ecosystem more secure." Per Google's announcement, the Assured Open Source Software service will extend the benefits of Google's own extensive software auditing experience to Cloud customers. All open-source packages made available through the service are also used internally by Google, the company said, and are regularly scanned and analyzed for vulnerabilities.

An anonymous reader quotes a report from Ars Technica: When you turn off an iPhone, it doesn't fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down. It turns out that the iPhone's Bluetooth chip -- which is key to making features like Find My work -- has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany's Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone's location or run new features when the device is turned off. This video provides a high overview of some of the ways an attack can work.

The findings (PDF) have limited real-world value since infections required a jailbroken iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries. Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And of course, firmware infections are already extremely difficult to detect since it requires significant expertise and expensive equipment.

Apple has released iOS 15.5, macOS 12.4, and more today with updates like new features for Apple Cash, the Podcasts app, and the Studio Display webcam fix. However, a bigger reason to update your devices is the security patches with today's releases. iOS 15.5 includes almost 30 security fixes while macOS 12.4 features over 50. 9to5Mac reports: Apple shared all the details for the security fixes in its latest software for iPhone, iPad, Mac, and more on its support page. For both iOS and Mac, many of the flaws could allow malicious apps to execute arbitrary code with kernel privileges. Another for iOS says "A remote attacker may be able to cause unexpected application termination or arbitrary code execution." Specifically on Mac, one of the 50+ flaws fixed was that "Photo location information may persist after it is removed with Preview Inspector." Important security updates are also available for macOS Big Sur with 11.6.6, macOS Catalina, Xcode 13.4, and watchOS 8.6.

Red Hat's CEO/president Paul Cormier assessed the last two years in a speech at this week's Red Hat Summit. "Globally we saw nearly every industry go to 100% remote working overnight." Regardless of industry and size, organizations learned to operate virtually and on-demand. Companies needed to deliver goods and services to customers without a set brick-and-mortar footprint. We saw new tech hubs emerge in unlikely places because workers we no longer bound by needing to be based in specific cities. Newly-remote workers realized that they didn't have to be tied to a physical office, and organizations focused on hiring new talent based on skill and not location.

These are not insignificant achievements, and while this way of working was unfamiliar to those who were forced to adapt during the pandemic, to the open source world, it was just another day.

Every open source project is worked on remotely and has been since their inception. Just look at the Linux Foundation, which supports more than 2,300 projects. There were more than 28,000 active contributors to these projects in 2021, adding more than 29 million lines of code each week and with community participants coming from nearly every country around the globe. Most of these contributors will never meet face to face, but they are still able to drive the next generation of open technologies.

Whether we realized it or not, our accomplishments during the pandemic brought us closer to the open source model, and this is why open source innovation is now driving much of the software world. Through this new way of working, we saw new revenue streams, found new ways to become more efficient, and discovered new ways to engage with our customers. As we approach what, hopefully, is the tail end of an incredibly difficult few years, it's time to accelerate. It's time to take the lessons that we learned and applied as we transformed to digital-first and use them to improve our businesses, cultures and global communities.

The term "new normal" is now used like it's pre-determined and static. It isn't. You get to define your new normal. What do you want your business to look like? How do you want to embrace the next generation of IT?

"If you've visited a website in recent days and been randomly redirected to the same pages with sketchy "resources" or unwanted ads, it's likely the site in question was 1) built with WordPress tools and 2) hacked," reports Gizmodo. Details come from this blog post by researchers at Sucuri (a security provider owned by GoDaddy): As outlined in our latest hacked website report, we've been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads. The websites all shared a common issue — malicious JavaScript had been injected within their website's files and the database, including legitimate core WordPress files... This JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the attacker's destination.... Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects....

At the time of writing, PublicWWW has reported 322 websites impacted by this new wave... Considering that this count doesn't include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher. Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing....

We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.
"It's important to note that these hacks are related to themes and plugins built by thousands of third-party developers using the open source WordPress software, not WordPress.com, which offers hosting and tools to build websites," Gizmodo points out. But this also cite this warning from Sucuri malware analyst Krasimir Konov: "This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they'll be opted in to receive unwanted ads even when the site isn't open — and ads will look like they come from the operating system, not from a browser," Konov wrote.

"Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package," reports the Register, "to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security." "I just noticed 'foreach' on NPM is controlled by a single maintainer," wrote Vick in a Twitter post on Monday. "I also noticed they let their domain expire, so I bought it before someone else did. I now control 'foreach' on npm, and the 36,826 projects that depend on it."

That's not quite the full story — he probably could have taken control but didn't. Vick acquired the lapsed domain that had been used by the maintainer to create an NPM account and is associated with the "foreach" package on NPM. But he said he didn't follow through with resetting the password on the email account tied to the "foreach" package, which is fetched nearly six million times a week. In an email to the Register, Vick explained... "I did not log into the account, as again, that crosses a line. I just sent a password reset email and bailed.

"Regardless of how much control I have over this particular package, which is unclear, NPM admits this particular expired domain problem is a known issue, citing this 2021 [research paper] which says, 'We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.' In other words, anyone poking around is going to find accounts easy to take over in this way. I was not lucky or special." His point, which he has been trying for several years to communicate to those overseeing NPM — a part of GitHub since March 2020 — is that taking over the NPM account of a popular project to conduct a software supply chain attack continues to be too easy.

Part of the problem is that JavaScript developers often use packages that implement simple functions that are either already built into the language, like forEach, or ought to be crafted manually to avoid yet another dependency, like left-pad (now built-in as padStart). These trivial packages get incorporated into other packages, which may in turn become dependencies in different packages, thereby making the compromise of something like "foreach" a potentially far-reaching security incident.
But Vick argues that with so many upstream attack vectors, "We are all just trusting strangers on the internet to give us good candy from their truck," according to the Register. Their article points out that on Tuesday GitHub launched a beta test of improved 2FA security for all its NPM accounts — which Vick calls "a huge win... [T]hat is the best way to protect accounts. We in the security community have been demanding this for years."

But he's still worried about the possibility of email addresses with weak two-factor authentication or compromised NPM employees, and would like to see NPM implement cryptographic signatures for code. "I am talking with a member of their team tomorrow and we will see where this goes."

An anonymous reader quotes a report from ZDNet: Securing the open-source software supply chain is a huge deal. Last year, the Biden administration issued an executive order to improve software supply chain security. This came after the Colonial Pipeline ransomware attack shut down gas and oil deliveries throughout the southeast and the SolarWinds software supply chain attack. Securing software became a top priority. In response, The Open Source Security Foundation (OpenSSF) and Linux Foundation rose to this security challenge. Now, they're calling for $150 million in funding over two years to fix ten major open-source security problems.

The government will not be paying the freight for these changes. $30 million has already been pledged by Amazon, Ericsson, Google, Intel, Microsoft, and VMWare. More is already on the way. Amazon Web Services (AWS) has already pledged an additional $10 million. At the White House press conference, OpenSSF general manager Brian Behlendorf said, "I want to be clear: We're not here to fundraise from the government. We did not anticipate needing to go directly to the government to get funding for anyone to be successful."

Here are the ten goals the open-source industry is committed to meeting:

1. Security Education: Deliver baseline secure software development education and certification to all.
2. Risk Assessment: Establish a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
3. Digital Signatures: Accelerate the adoption of digital signatures on software releases.
4. Memory Safety: Eliminate root causes of many vulnerabilities through the replacement of non-memory-safe languages.
5. Incident Response: Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.
6. Better Scanning: Accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
7. Code Audits: Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
8. Data Sharing: Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
9. Software Bill of Materials (SBOMs): Everywhere Improve SBOM tooling and training to drive adoption.
10. Improved Supply Chains: Enhance the 10 most critical open-source software build systems, package managers, and distribution systems with better supply chain security tools and best practices.

An anonymous reader quotes a report from VentureBeat: Today, researchers at security service edge provider, Netskope, published the Netskope Cloud and Threat Report: Global Cloud and Malware Trends, which found that phishing downloads rose 450% over the past 12 months, and highlighted that attackers are using search engine optimization (SEO) to rank malicious PDF files on search engines. The report's findings show that phishing attempts are constantly evolving, and attackers aren't just targeting employees through their email inboxes; they're also using popular search engines like Google and Bing. The increase in phishing attacks and the growing popularity of SEO techniques among cybercriminals highlights the need for enterprises to provide their employees with security awareness training so they're prepared to spot threats and not at risk of handing over sensitive information.

When it comes to defending against these SEO-driven attacks, [Ray Canzanese, director of Netskope's Threat Labs] highlights several methods that security teams can use to protect employees. One of the most effective is to use a solution that can decrypt and scan web traffic for malicious content. At the same time, security teams should encourage users to inspect all links they click on, and to exercise caution if the link takes them to an unfamiliar website. In the event an employee does click on a malicious PDF, they can expect to see a fake captcha at the top of the first page, followed by text on other pages. In these scenarios, users should close the file, delete it from the device and report it to the security team ASAP. Canzanese also notes that it's important for users to report malicious URLs that feature on popular search engines to help the provider unlist them from the site and prevent other users from falling victim to a scam.

Third Position shares a report from The Verge: Elon Musk says his deal to buy Twitter is "temporarily on hold" after the social network reported that false or spam accounts comprised less than 5 percent of its 226 million monetizable daily active users. The Tesla CEO, who offered to buy twitter for $44 billion, tweeted a link to a May 2nd Reuters report on Twitter's filing, saying he wants to see the company's calculations.

"Twitter deal temporarily on hold pending details supporting calculation that spam/fake accounts do indeed represent less than 5% of users," Musk tweeted. However, in a follow-up tweet, he added that he's "still committed to [the] acquisition," suggesting that it'll proceed after Twitter provides satisfactory information on its numbers. Slashdot reader Excelcia shared a similar report from the BBC, which cited analysts speculating "he could be seeking to renegotiate the price or even walk away from the takeover."

"One analyst, as quoted in the story, suggests that 'Many will view this as Musk using this Twitter filing/spam accounts as a way to get out of this deal in a vastly changing market,'" writes Excelcia. "Shares have dropped another 10% since the announcement."

EU countries and lawmakers agreed on Friday to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyber attacks by state actors and other malicious players. From a report: The European Commission two years ago proposed rules on the cybersecurity of network and information systems called NIS 2 Directive, in effect expanding the scope of the current rule known as NIS Directive.

The new rules cover all medium and large companies in essential sectors - energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, waste water, digital infrastructure, public administration and space. All medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online market places, online search engines, and social networking service platforms will also fall under the rules.

The US is readying new encryption standards that will be so ironclad that even the nation's top code-cracking agency says it won't be able to bypass them. From a report: The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. "There are no backdoors," said Rob Joyce, the NSA's director of cybersecurity at the National Security Agency, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor. The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today's computers can't. But it's also one that the White House fears could allow the encrypted data that girds the U.S. economy -- and national security secrets -- to be hacked.

Robert Triggs, writing for AndroidAuthority: In 2022, there's now a multifaceted argument in favor of a new approach to smartphone manufacturing. One which focuses on long-term support for both hardware and software. Core to this line of thinking is that smartphone hardware has hit a plateau. From the mid-range to flagships, hardware is now more than powerful enough to last several years without going obsolete. The days of rampant year-on-year improvements are long gone, whether you're looking at bleeding-edge performance, cameras, or battery life. This isn't to say we don't yearn for those yearly gains, but they no longer suddenly mark older models for obsolescence even if they materialize. As such, modern smartphones deserve long-term software support above and beyond semi-annual security patches.

Not to mention the increasingly compelling sustainability and right-to-repair arguments regarding raw materials and e-waste. It's increasingly hard to justify the production of throwaway electronics built to last just a handful of years. Simultaneously, sky-high prices and a squeeze in the cost of living have cast new light on the need for easier access to repair programs and spare parts. Not forgetting the popularity of refurbished handsets. Long-term support doesn't have to be an unprofitable venture for smartphone manufacturers either. Official repair channels bring in revenue over time, and it's possible to factor long-term support into the retail price of a handset. Then there's the whole avenue of hardware-as-a-service to explore.

Google is expanding end-to-end encryption (E2EE) to include group texts in the Messages app. The feature will be available as an open beta later this year. Engadget reports: Google hasn't revealed more details about E2EE in group chats, but it will surely be similar to how the option works in one-on-one conversations. Everyone in the group will need to have RCS chat functions switched on to use the feature. You'll be able to tell if a message you're about to share with the group is encrypted if there's a lock icon on the send button. The Messages app now has more than 500 million monthly active users with RCS. So, there's already a large number of people who'd be able to take advantage of E2EE in group chats.

The European Commission has proposed controversial new regulation that would require chat apps like WhatsApp and Facebook Messenger to selectively scan users' private messages for child sexual abuse material (CSAM) and "grooming" behavior. The proposal is similar to plans mooted by Apple last year but, say critics, much more invasive. From a report: After a draft of the regulation leaked earlier this week, privacy experts condemned it in the strongest terms. "This document is the most terrifying thing I've ever seen," tweeted cryptography professor Matthew Green. "It describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration." Jan Penfrat of digital advocacy group European Digital Rights (EDRi) echoed the concern, saying, "This looks like a shameful general #surveillance law entirely unfitting for any free democracy." (A comparison of the PDFs shows differences between the leaked draft and final proposal are cosmetic only.) The regulation would establish a number of new obligations for "online service providers" -- a broad category that includes app stores, hosting companies, and any provider of "interpersonal communications service."

An anonymous reader quotes a report from Ars Technica: Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks. The vulnerability, which carries a 9.8 severity rating out of a possible 10, affects F5's BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks. There are more than 16,000 instances of the gear discoverable online, and F5 says it's used by 48 of the Fortune 50. Given BIG-IP's proximity to network edges and their functions as devices that manage traffic for web servers, they often are in a position to see decrypted contents of HTTPS-protected traffic.

Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation of the iControl REST, a set of web-based programming interfaces for configuring and managing (PDF) BIG-IP devices. "This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented," Aaron Portnoy, the director of research and development at security firm Randori, said in a direct message. "Once you are an admin, you can interact with all the endpoints the application provides, including execute code."

Images floating around Twitter in the past 24 hours show how hackers can use the exploit to access an F5 application endpoint named bash. Its function is to provide an interface for running user-supplied input as a bash command with root privileges. While many images show exploit code supplying a password to make commands run, exploits also work when no password is supplied. [...] Elsewhere on Twitter, researchers shared exploit code and reported seeing in-the-wild exploits that dropped backdoor webshells that threat actors could use to maintain control over hacked BIG-IP devices even after they're patched. BIG-IP users can check exploitability via a one-line bash script that can be found here.

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. BleepingComputer reports: The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible. [...] The dropper copies the legitimate OS error handling file [...] and then drops an encrypted binary resource to the 'wer.dll' (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code. DLL hijacking is a hacking technique that exploits legitimate programs with insufficient checks to load into memory a malicious Dynamic Link Library (DLL) from an arbitrary path.

[Denis Legezo, lead security researcher at Kaspersky] says that the dropper's purpose is to loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 - 'AB' in ASCII. If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager. "The dropped wer.dll is a loader and wouldn't do any harm without the shellcode hidden in Windows event logs," says Legezo. The new technique analyzed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently an intern for Mandiant's red team, has created and published on GitHub source code for injecting payloads into Windows event logs.

Lincoln College is scheduled to close its doors Friday, becoming the first U.S. institution of higher learning to shut down in part due to a ransomware attack. From a report: A goodbye note posted to the school's website said that it survived both World Wars, the Spanish flu and the Great Depression, but was unable to handle the combination of the Covid pandemic and a severe ransomware attack in December that took months to remedy. "Lincoln College was a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections," the school wrote in its announcement. "All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester." The Illinois school, which is named after President Abraham Lincoln and broke ground on his birthday in 1865, is one of only a handful of rural American colleges that qualify as predominantly Black institutions by the Department of Education.

Apple's director of machine learning, Ian Goodfellow, "is leaving the company due to its return to work policy," reports a tech reporter for the Verge. "In a note to staff, he said 'I believe strongly that more flexibility would have been the best policy for my team.'"

9to5Mac notes that Apple "poached Goodfellow from Google back in 2019 to join its 'Special Projects Group' as the director of machine learning." Apple employees started returning to in-person work on April 11 following a two-year stint of remote work brought on by the COVID-19 pandemic... At first, the company required employees to work in person at least one day per week. On May 4, the company ramped that up to two days per week in the office.

Starting on May 23, employees will need to be in the office three days per week. This is the start of Apple's so-called "hybrid" work plan, which will require employees to work from the office on Monday, Tuesday, and Thursday every week....

Goodfellow's former employer Google mandated that some teams return to in-person work starting last month, but many employees are able to permanently work from home.
Discontent with that policy is widespread, reports Fortune: Seventy-six percent of Apple workers surveyed said they were dissatisfied with Apple's return-to-office policy that was implemented after the COVID pandemic started waning. The survey, conducted by anonymous social network Blind, collected answers from 652 Apple employees from April 13 to April 19....

Accustomed to no commute, they're now balking at having to return to the office and say they will seek jobs at other tech companies that offer more flexible work arrangements. A sizable number of workers — 56% — claimed they are looking to leave Apple expressly because of its office requirement. It's unclear how many actually will carry through.... Blind's users are "overwhelmingly corporate workers in engineering or product roles," according to Rick Chen, director of public relations at Blind.

More action might be expected after May 23 when the pilot plan for hybrid work comes into full effect. Another worker stated: "Apple is going to see attrition like no other come June. 60% of my team doesn't even live near the office. They are not returning. "

This week the Washington Post described Russia as "struggling under an unprecedented hacking wave" — with one survey finding Russia is now the world's leader for leaked sensitive data (such as passwords and email addresses). "Federation government: your lack of honor and blatant war crimes have earned you a special prize..." read a message left behind on one of the breached networks...

Documents were stolen from Russia's media regulator and 20 years of email from one of Russia's government-owned TV/radio broadcasting companies. Ukraine's government is even suggesting targets through its "IT Army" channel on telegram, and has apparently distributed the names of hundreds of Russia's own FSB security agents. And meanwhile, the Post adds, "Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said." Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace. The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine. One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 [a small hacktivist group formed as the war began looking inevitable] went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies. "We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world," the group said. "As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely."

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn't gotten any money yet but would donate anything it collects to Ukraine.
Ars Technica quotes a cybersecurity researcher who now says "there are tens of terabytes of data that's just falling out of the sky."

Thanks to long-time Slashdot reader SpzToid for sharing the article!

A UCLA assistant professor of Information Studies just published a short history of software engineering in Logic magazine — titled "Agile and the Long Crisis of Software."

It begins by describing Agile's history as "a long-running wrestling match between what managers want software development to be and what it really is, as practiced by the workers who write the code." When software engineering failed to discipline the unwieldiness of development, businesses turned to Agile, which married the autonomy that developers demanded with a single-minded focus on an organization's goals. That autonomy is limited, however, as developers are increasingly pointing out. When applied in a corporate context, the methods and values that Agile esteems are invariably oriented to the imperatives of the corporation. No matter how flexible the workplace or how casual the meetings, the bottom line has to be the organization's profits.
But this has major implications, the essay's conclusion argues: Could Agile even have played a role in some of the more infamous failures of the tech industry...? If a company sets a goal of boosting user engagement, Agile is designed to get developers working single-mindedly toward that goal — not arguing with managers about whether, for example, it's a good idea to show people content that inflames their prejudices. Such ethical arguments are incompatible with Agile's avowed dedication to keeping developers working feverishly on the project, whatever it might be.

This issue becomes especially pressing when one considers that contemporary software is likely to involve things like machine learning, large datasets, or artificial intelligence — technologies that have shown themselves to be potentially destructive, particularly for minoritized people. The digital theorist Ian Bogost argues that this move-fast-and-break-things approach is precisely why software developers should stop calling themselves "engineers": engineering, he points out, is a set of disciplines with codes of ethics and recognized commitments to civil society. Agile promises no such loyalty, except to the product under construction.

Agile is good at compartmentalizing features, neatly packaging them into sprints and deliverables. Really, that's a tendency of software engineering at large — modularity, or "information hiding," is a critical way for humans to manage systems that are too complex for any one person to grasp. But by turning features into "user stories" on a whiteboard, Agile has the potential to create what [software engineer] Yvonne Lam calls a "chain of deniability": an assembly line in which no one, at any point, takes full responsibility for what the team has created.
Other observations from the article:

• "Daily standups, billed as lightweight, low key check-ins, have become, for some workers, exercises in surveillance. "

• "The warts-and-all breakdown of Agile 'retrospectives' seems healthy, but I've watched them descend into a structureless series of accusations; everything depends on who's leading the team."

• One freelance developer in the article even argues that "As developers, IT professionals, we like to think of ourselves as knowledge workers, whose work can't be rationalized or commodified. But I think Agile tries to accomplish the exact opposite approach."

• "Some people I talked to pointed out that Agile has the potential to foster solidarity among workers. If teams truly self-organize, share concerns, and speak openly, perhaps Agile could actually lend itself to worker organization.
  
  "Maybe management, through Agile, is producing its own gravediggers. Maybe the next crisis of software development will come from the workers themselves."