Controversial Reads 111922

So in terms of the daily lived experience of most people reading this, truly autonomous vehicles just aren’t going to happen.

When the federal government gets together with social media giants to censor critics of the government, is that free speech or censorship?

If you own an advanced Android phone, you may find that Google Assistant will interrupt conversations to offer its own “insights”. Google is also pursuing “prebunking” of what it considers “misinformation” with preemptive propaganda campaigns.

The outcomes of such a system are incentives to not be the new person on a team, to not ask questions, to not work on new and unfamiliar efforts, and to not work together at all generally. Those behaviors become embedded in an organization’s DNA, despite whatever is advertised publicly.

Today’s business headlines herald a harsh reality for Big Tech: tumult at Twitter; meltdown at Meta; atrophy at Alphabet; adjustments at Amazon. Layoffs, sliding stock and shrinking valuations are hallmarks of the moment.

To understand the sudden downfall of the now-collapsed crypto exchange FTX, you have to go back to the beginning.

Twitter was their home. Elon broke into their home. Then he kicked out their friends, and told everyone left to do their laundry.

Weekend Reads 111822

Internet users are being tricked into installing browser extensions that can hijack their web searches.

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

Silicon Valley startup Eliyan thinks its technology for enabling chiplet-based designs can best those from semiconductor giants Intel and TSMC by providing better performance, higher efficiency, fewer manufacturing issues, and more supply chain options.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

Qualcomm and Arm have been engaged in one of those very entertainingly bitter court fist-fights that the industry throws up when friends fall out over money.

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914.

I suspect this reflects a significant change in the economics of the sector. For the last 20 years, Silicon Valley has had the wind at its back thanks to rapid adoption of new technologies like the internet and smartphones. As a result, the industry fared better than the broader economy during and after the 2008 recession.

By playing unexpected moves outside of KataGo’s training set, a much weaker adversarial Go-playing program (that amateur humans can defeat) can trick KataGo into losing.

New research released this week reveals the process used by third party advertisers to target online users can be viewed or manipulated by online adversaries using only their target’s email address.

On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework.

This raises an important question: How do you take what is good about these patterns for creating innovation? Specifically, how do you apply open source principles and practices as appropriate? That’s what we’ve sought to accomplish with Red Hat Research.

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

That’s opened major questions about how these now-forever-roaming workers are connected to information resources and to each other.

A novel attack method has been disclosed against a crucial piece of technology called time-triggered ethernet (TTE) that’s used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft.

Mean Time to Innocence is not Enough

A long time ago, I supported a wind speed detection system consisting of an impeller, a small electric generator, a 12 gauge cable running a few miles, and a voltmeter. The entire thing was calibrated through a resistive bridge–attach an electric motor to the generator, run it at a series of fixed speed, and adjust the resistive bridge until the voltmeter, marked in knots of wind speed, read correctly.

The primary problem in this system was the several miles of 12 gauge cable. It was often damaged, requiring us to dig the cable up (shovel ready jobs!), strip the cable back, splice the correct pairs together, seal it all in a plastic container filled with goo, and bury it all again. There was one instance, however, when we could not get the wind speed system adjusted correctly, no matter how we tried to tune the resistive bridge. We pulled things apart and determined there must be a problem in one of the (many) splices in the several miles of cable.

At first, we ran a Time Domain Reflectometer (TDR) across the cable to see if we could find the problem. The TDR turned up a couple of hot spots, so we dug those points up … and found there were no splices there. Hmmm … So we called in a specialized cable team. They ran the same TDR tests, dug up the same places, and then did some further testing and found … the cable was innocent.

This set up an argument, running all the way to the base commander level, between our team and the cable team. Who’s fault was this mess? Our inability to measure the wind speed at one end of the runway was impacting flight operations, so this had to be fixed. But rather than fixing the problem, we were spending our time arguing about who’s fault the problem was, and who should fix it.

When I read this line in a recent CAIDA research paper–

“Measurement is political, and often adversarial.”

It rang very true. In Internet terms, speed, congestion, and even usage are often political and adversarial. Just like the wind speed system, two teams were measuring the same thing to prove the problem wasn’t their’s–rather than to figure out what the problem is and how to fix it.

In other words, our goal is too often Mean Time to Innocence (MTTI), rather than Mean Time to Repair (MTTR).

MTTI is not enough. We need to work with our application counterparts to find and fix problems, rather than against them. Measurement should not be adversarial, it should be cooperative.

We need to learn to fix the problem, not the blame.

This is a cultural issue, but it also impacts the way we do telemetry. For instance, in the case of the wind speed indicator, the problem was ultimately a connection that “worked,” but with high capacive reactance such that some kinds of signals were attenuated while others were not. None of us were testing the cable using the right kind of signal, so we all just sat around arguing about who’s problem it was rather than solving the problem.

When a user brings a problem to you, resist the urge to go prove yourself–or your system–innocent. Even if your system isn’t the problem, your system can provide information that can help solve the problem. Treat problems as opportunities to help rather than as opportunies to swish your superhero cape and prove your expertise.

Weekend Reads 111122

User-first security must begin with an understanding of how people use computing technology. We have to ask: What is it that makes users vulnerable to hacking via email, messaging, social media, browsing, file sharing?

How does the industry effectively assess software security, enabling an approved list (allowlist) of software and libraries on distributed systems across multiple industries?

The COVID pandemic pushed a lot of school coursework to the internet, with an increased reliance on true/false and multiple-choice tests that can be taken online and graded quickly and conveniently.

Top chipmakers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development.

Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect.

Several models have been proposed to the Multi-State Information Sharing and Analysis Center (MS-ISAC) and other ISACs for a role in software assurance for supply chains using the Software Bill of Material (SBOM) information and associated digital signatures.

A lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Tests show that deploying malware in a persistent manner on load balancer firmware is within reach of less sophisticated attackers.

This fall, Microsoft claimed to have addressed anticompetitive cloud infrastructure complaints from a few smaller cloud services providers in Europe.

The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

Meta, formerly Facebook, once seemed an impenetrable fortress, but it’s now showing big cracks.

As a security researcher, common vulnerabilities and exposures (CVEs) are an issue for me — but not for the reason you might think.

That will be one of the reasons crypto has been plummeting for most of this year but recent events have intensified the sense of crisis.

Hedge 154: Path Aware Networking Research Group

Applications generally assume the network provides near-real-time packet transmission without regard for what the application is trying to do, what kind of traffic is being transmitted, etc. Back in the real world, its often important for the network to coordinate with applications to more efficiently carry traffic offered. The Path Aware Research Group (PANRG) in the Internet Research Task Force (IRTF) is looking at the problems involved in understanding and signaling the path characteristics to applications.

In this episode of the Hedge, Brian Trammel joins Tom Ammon and Russ White to discuss the current work on path aware networking.