Newsletter
WebAssembly: Some assembly still required
Today: the WebAssembly community gathers to discuss its progress and acknowledges there's a lot of work ahead, Microsoft explains how Chinese hackers got one of its encrypted keys, and this week in enterprise moves.
Welcome to Runtime! Today: the WebAssembly community gathers to discuss its progress and acknowledges there's a lot of work ahead, Microsoft explains how Chinese hackers got one of its encrypted keys, and this week in enterprise moves.
(Was this email forwarded to you? Sign up here to get Runtime each week.)
Containers to components
After several years of excitement about the promise of WebAssembly as a next-generation application development tool, Cosmonic CEO Liam Randall thinks the technology has hit its "Docker moment."
Randall outlined the bull case for WebAssembly (Wasm) this week at the first-ever WasmCon in Bellevue, Wash., invoking the container format that took enterprise tech by storm nearly a decade ago. Docker became one of the fastest-adopted enterprise technologies ever after giving developers a simple way to exploit Linux containers, and while enthusiasm for Wasm was plentiful over two days of the event, it was also clear that milestone has not arrived.
The event was put on by the Linux Foundation, which would very much like to see Wasm succeed containers and Kubernetes as the next evolution of the so-called "cloud native" movement.
- Wasm grew out of browser technologies developed at Mozilla and has only recently started to realize its future on the server.
- It appeals to its boosters because it promises an app development platform with serverless computing-like speed and security that doesn't require users to throw away investments in containers and Kubernetes.
- Wasm is also "probably the most remarkably vendor-neutral core that I have ever seen," Fermyon CEO Matt Butcher told Runtime earlier this year.
However, there's an awful lot of glue work that needs to be done before enterprises start to adopt Wasm as a development platform.
- Randall and other speakers updated the community on the progress of the "component model," which will make Wasm easier to work with across different types of programming languages and development frameworks.
- A basic proposal for that component model has been roughed out, but there are still two more preview versions that need to be completed to make enterprise shops feel more comfortable about the technology.
- At one point this year those versions were expected to arrive in 2023, but the timeline has shifted into 2024.
- "Unfortunately, as you've heard through some of the keynotes, getting all those tools together into the right place with the right version, so that all works correctly with examples and all that kind of stuff, it's still a little bit of a work in progress in this community," said Brendan Burns, one of the co-founders of Kubernetes and currently a distinguished engineer at Microsoft.
So it's likely to be at least another year before Wasm actually reaches that "Docker moment," of mass adoption. However, early adopters like industrial giant Bosch showed why so many are excited about its potential.
- Emily Ruppel, a research scientist at Bosch, thinks Wasm could help the company develop software across all the different types of hardware that will be required for autonomous cars.
- "These software stacks were never meant to handle computers ranging from ECUs (electronic control units) to the cloud in a single application," she said.
- Bosch is experimenting with using Wasm to abstract all that hardware away from the developer, who can write their apps to a single platform.
- There are still plenty of challenges before it's ready for prime time, she said, but "we see WebAssembly as the most promising solution for bringing lightweight virtualization all the way across cyber physical systems."
Finding the keys
Microsoft released several new details Wednesday about the breakdown that allowed Chinese hackers to steal a consumer authentication key and use it to break into enterprise email accounts belonging to top U.S. government officials. It all started with a blue screen of death.
In an extraordinary series of events, the compromised key was included with a standard "crash dump" file after one of the systems used to sign consumer authentication keys crashed in April 2021 and, per standard policy, that file was moved into Microsoft's debugging environment. The key was not supposed to be included in that crash dump file, but it was, and unlike the production environment in which the signing system was running, the debugging environment is connected to Microsoft's internal internet-connected corporate network.
A hacker was then able to gain access to the account of an internal Microsoft engineer and somehow discover the key present in the crash file in the debugging environment. Incorrect assumptions about how Microsoft validated consumer keys versus enterprise keys meant that Outlook developers didn't include the proper validation checks when deploying a 2022 update, and while everything described here has been corrected, this incident could be an expensive case study for Microsoft's internal software teams.
Enterprise moves
Mudge, known to his local DMV as Peiter Zatko, joined CISA to help its "Secure by Design" efforts after a legendary hacking career.
Dave Brown and Swami Sivasubramanian of AWS were tapped for Amazon's exclusive council of leaders from across the company under former AWS CEO Andy Jassy.
Krish Venkataraman is the new president of Dataiku after a stint as CFO of Socure and helping lead KnowBe4 to its 2021 IPO.
Walter Sun is the new head of global AI at SAP, after 18 years in various AI-related roles at Microsoft.
Glenn Weinstein is the new CEO of Cloudsmith, joining the company from Twilio where he served as chief customer officer.
The Runtime roundup
CISA expects to finalize the details around its cyber-incident reporting rule by the end of this year or early next year, according to Director Jen Easterly.
Alteryx is discussing those fabled "strategic options" with an investment bank after receiving takeover interest, Reuters reported.
Tenable acquired Ermetic, which helps customers of the major cloud providers secure their workloads, for $265 million in cash and stock.
Slack announced new generative AI features that could help vacationers catch up on everything they missed, without bothering to wait for next week's Dreamforce hullabaloo.
Thanks for reading — see you Saturday!