Weekend Reads 121721


Unfortunately, when engineers are entrusted with the task of delivering smooth video streaming to our users, we face numerous challenges from ‘last-mile’ wireless connections.


Exploit code has been released for a serious code-execution vulnerability in Log4j, an open source logging utility that’s used in countless apps, including those used by large enterprise organizations, several websites reported last Thursday.


The Tuesday outage at an Amazon Web Services data center affected services from several collaboration software vendors, highlighting how reliant companies have become on cloud providers for a variety of workplace tools.


Amazon.com Inc.’s ubiquitous cloud-computing network, the spine for a lot of digital communications and transactions across the U.S., went dark for several hours on Tuesday.


This is the hoarder’s mentality. “I can’t use this right now, but maybe I will some other time.”


More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities


So much for a quiet holiday season: CVE-2021-44228 (aka Log4Shell) may well be the most impactful vulnerability we’ve seen in years.


Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip, putting billions of electronic devices at risk of stealthy attacks.


In late 2021, the term Web3 began to increasingly appear in mainstream media outlets. This does not refer, however, to a sudden increase in interest in the Semantic Web as defined by Tim Berners-Lee, but rather to something entirely different.


It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.


At 10:30 p.m. PST on Oct. 6, Twitch released the following statement on its corporate blog: “We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”


The HDMI Licensing Administrator, the group that defines and licenses HDMI standards, has some confusing requirements around the HDMI 2.1 standard.


Intel issued a press release, unveiling various advancements in the fields of packaging, transistor, and quantum physics. The company has stated that these new findings were made in pursuit of Moore’s Law.

Posted in WEEKEND READS

Controversial Reads 121021


In a highly anticipated decision, a judge of the United States International Trade Commission ruled in August that Google infringed five patents owned by speaker maker Sonos. The case charged Google with copying Sonos’ patented technology in its Google Home smart speakers.


If you’ve followed the news over the last few years, you’re probably convinced that we’re living in a golden age of conspiracy theories and disinformation.


Americans, and not just Americans, are well aware of how deep the dysfunction of the ruling factions runs. Many older ones remember the abuses of the Intelligence Community and the warnings against the Military-Industrial Complex; they have lived long enough to see the political resistance to the Community and the Complex shift, under pressure of deliberate policies, from the Left to the Right.


The rumors spread like wildfire: Muslims were secretly lacing a Sri Lankan village’s food with sterilization drugs. Soon, a video circulated that appeared to show a Muslim shopkeeper admitting to drugging his customers — he had misunderstood the question that was angrily put to him.


Antitrust has not had its moment since the 1911 breakup of Standard Oil. But this past year, policymakers and government leaders around the globe have been taking a hard look at the technology markets.


For well over a decade, I have been arguing that governments should create IT accident investigation boards for the exact same reasons they have done so for ships, railroads, planes, and in many cases, automobiles.


Yet risks remain, and once the genie is out of the bottle, they are often difficult to manage and contain—they range from unintended consequences and side effects to threats to privacy and loss or misdirection of control.


How can we change the field of computing so that ethics is as central a concern as growth, efficiency, and innovation? There is no one intervention to change an entire field: instead, broad change will take a combination of guidelines, governance, and advocacy.


Jerome Pesenti, Facebook’s VP of Artificial Intelligence, explains the changes to the face recognition system that have accompanied the very recent brand name change from Facebook to Meta…


The dominant regime of the electric age—“democracy” mediated and managed by corporate journalists, academics, experts—is being slowly eaten by a new cybernetic order, mediated by algorithm and increasingly not managed at all.


The metaverse is, as they say, happening. Mark Zuckerberg announced last month that Facebook’s parent company, now called Meta, will take the lead in building out an immersive, interactive, and ubiquitous network of virtual environments that he envisions as the next phase of the Internet.


When Google introduced Manifest V3 in 2019, web extension developers were alarmed at the amount of functionality that would be taken away for features they provide users. Especially features like blocking trackers and providing secure connections.


In preventing people like me from accessing Twitter despite plainly qualifying under their own terms of service — and in failing to provide the kind of communication Dorsey testified under oath occurs in situations like mine — Twitter is arguably engaging in fraud, telling the public one thing while engaging in the opposite.


Privacy law is manifested in practice as a litany of “Agree” buttons to consent to data collection and a series of long, convoluted statements of data collection practices that are supposed to give users enough notice about what companies do with our data to enable us to make informed decisions.


It’s been 24 hours since Jack’s resignation, and while I’m not really interested in the evolving loser drama surrounding the new CEO’s decade-old tweets, it is worth noting that Twitter has already updated its content policy in a manner that effectively makes citizen journalism impossible.


In one of the more unusual cybersecurity policing stories of the past year, the FBI announced in June that it had created its own company, called ANOM, to sell devices with a pre-installed encrypted messaging app to criminals.


In its response to Stossel’s defamation claim, Facebook responds on Page 2, Line 8 in the court document (download it below) that Facebook cannot be sued for defamation (which is making a false and harmful assertion) because its ‘fact checks’ are mere statements of opinion rather than factual assertions.


While GDPR has provided essential data protections for Europeans, it has also imposed substantial compliance costs on American companies seeking to do business in the bloc and forced many companies to cease their European operations.

Posted in WEEKEND READS

Weekend Reads 121021


It is refreshing to find instances in the IT sector where competing groups with their own agendas work together for the common good and the improvement of systems everywhere. So it is with the absorption of the Gen-Z Consortium by the CXL Consortium.


What is open core? Is a project open core, or is a business open core? That’s debatable. Like open source, some view it as a development model, others view it as a business model.


From the recent writeup of the DNS work at the IETF its clear that there is a large amount of attention being focused on the DNS. It’s not just an IETF conversation, or a DNS OARC conversation, but a conversation that involves a considerable amount of research activity as well.


It seems like Antarctica’s McMurdo Station could be getting high-speed internet—a modern day luxury feature that could connect its remote laboratories (and seasonal tourist hub) to the rest of the world. The station is located on an island just off the northwestern part of the continent and is the largest US research hub on Antarctica.


“Your phone’s front camera is always securely looking for your face, even if you don’t touch it or raise to wake it.”


Organizations must improve their cybersecurity protocols to detect fraudulent identities and make sure they’re safeguarding their consumers’ personal information.


Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network.


Kubernetes Security is constantly evolving – keeping pace with enhanced functionality, usability and flexibility while also balancing the security needs of a wide and diverse set of use-cases.


Let’s say you’re tasked with selecting a strong authentication solution for your organisation. Where do you begin? This article is the first of a series that will explore authentication and authorisation technologies in the context of recent exploits and developing trends.


At the University of California, Riverside, we found the current design and implementation of modern OSes can lead to side-channel-based DNS cache poisoning attacks, namely SAD DNS (Side-channel AttackeD DNS).


If you’re looking for a rugged case for your phone or tablet, you’ve probably seen the terms MIL-SPEC or MIL-STD. But what do they mean? It’s a simple standard, but its appearance on product packaging is a complex topic.


Web 1.0 was from 1991 to 2004 when web users were consumers of content, and the web was a series of static websites. Web 2.0 emerged in 2004 as user-created content overtook static content. The big winners in this era have been the huge social media platforms that became some of the biggest companies on the planet.


Do-it-yourself is a great way to learn coding, but it’s a risky way to tackle complex application problems that have scant room for error, such as authentication and encryption.


Manifest V3, Google Chrome’s soon-to-be definitive basket of changes to the world of web browser extensions, has been framed by its authors as “a step in the direction of privacy, security, and performance.”


At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.

Posted in WEEKEND READS

Hedge 111: Machine Learning and Security with Micah Mussler

Machine Learning (ML) and Artificial Intelligence (AI) are all the rage in the network engineering world. Where might these technologies be useful, as opposed to mere hype? The two most obvious areas where AI and ML would be useful are failure reaction and security. Micah Mussler joins Tom Ammon and Russ White to discuss the possibilities of using AI and/or ML in the broader security market—and focusing in on the network.

download

Posted in HEDGE, LONG AUDIO

Weekend Reads 120321


SpaceX had filed a new application with the Federal Communications Commission for a smaller dish, which just received approval yesterday.


Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads.


IBM unveiled a 127-qubit quantum computing chip called Eagle this week, showing off a new asset in the race to build the most powerful quantum computer.


Insurers have halved the amount of cyber cover they provide to customers after the pandemic and home-working drove a surge in ransomware attacks that left them smarting from hefty payouts.


U.S. banking regulators on Thursday finalized a rule that directs banks to report any major cybersecurity incidents to the government within 36 hours of discovery.


After squandering its lead because of a half decade of problems modernizing its manufacturing, that’s where Intel has been headed.


General Motors (GM.N) aims to tackle the global semiconductor shortage with new designs built in North America, President Mark Reuss said on Thursday.


As telehealth and digital platforms cement their role in the post-pandemic future, it’s imperative for the digital health ecosystem to find ways of enhancing support networks, marking the transition from telehealth to tele-wellbeing.


There is currently no specific time frame during which banks must report to federal regulators that a security incident had occurred. A new notification rules changes that to 36 hours.


One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family.


DDR5 has barely hit the shelves, but Samsung has confirmed it’s already working on the next generation of RAM.


Speculative execution attacks present an enormous security threat, capable of reading arbitrary program data under malicious speculation, and later exfiltrating that data over microarchitectural covert channels. This paper proposes speculative taint tracking (STT), a high security and high performance hardware mechanism to block these attacks.


Alternatively, the unencrypted variants of these protocols can be upgraded to encrypted connections via a mechanism called STARTTLS.


Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of the domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined to legitimate websites to a server under their control.


In the field of artificial intelligence (AI) research, this article posits that it is tooling which has played a disproportionately large role in deciding which ideas succeed and which fail.


Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.


A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it’s possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users.


No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered as targeting popular online services like Instagram, Google, PayPal, Apple, Twitter, and LinkedIn with the goal of hijacking users’ credentials and carrying out further follow-on attacks.


To answer this, we at Waseda University have conducted a large-scale survey into the adoption of various DNS security mechanisms — DNSSEC, DNS Cookies, CAA, SPF, DMARC, MTA-STS, DANE, and TLSRPT — and in doing so identified what effects adoption rates.

Posted in WEEKEND READS

Hedge 110: Andrew Alston and SRv6 Security

SRv6, a form of source routing, is the new and interesting method being created by the IETF to allow traffic engineering and traffic steering. This is not the first time the networking world has tried source routing, however—and in the spirit of rule 11, we should ask some questions. How and why did source routing fail last time? Have we learned those lessons and changed the way we’re doing things to overcome those limitations? Security seems to be one area where problems arise in the source routing paradigm.

Andrew Alston joins Tom Ammon and Russ White to discuss security in SRv6.

download

Posted in HEDGE, LONG AUDIO