WEEKEND READS

Weekend Reads 082319

Red Hat is unveiling its own service mesh for OpenShift version 4, its hybrid cloud enterprise Kubernetes platform. The commercial offering packages Istio, the emerging leader in the space, as well as the Jaeger project for tracing, and Kiali for monitoring and management of Istio. —Susan Hall

DNSSEC is increasingly adopted by organizations to protect DNS data and prevent DNS attacks like DNS spoofing and DNS cache poisoning. At the same time, more DNS deployments are using proprietary DNS features like geo-routing or load balancing, which require special configuration to support using DNSSEC. —Jan Včelák

Cybercrooks increasingly are anonymizing their malicious traffic by routing it through residential broadband and wireless data connections. Traditionally, those connections have been mainly hacked computers, mobile phones, or home routers. But this story is about so-called “bulletproof residential VPN services” that appear to be built by purchasing or otherwise acquiring discrete chunks of Internet addresses from some of the world’s largest ISPs and mobile data providers. —Krebs on Security

At first glance, the University of the South Pacific network is not your usual university network. Our network operates across 26 sites in 12 different Pacific economies and is spread over 33 million square kilometres of ocean — about three times the size of Europe. —Edwin Sandys

Facebook users are eager for alternatives to the service, but are held back by the fact that the people they want to talk with are all locked within the company’s walled garden. Interoperability presents a means for people to remain partially on Facebook, but while using third-party tools that are designed to respond to their idiosyncratic needs. —Cory Doctorow

Geoffrey A. Fowler of the Washington Post recently engaged a data expert to track everything going on behind the scenes with his iPhone. What he found was surprising since Apple touts itself as a company that doesn’t invade user privacy. The various apps on his phone were routinely handing out his personal data on a scale that shocked him. —Doug Dawson

In this post, I explore the methods that recursive resolvers use to select authoritative nameservers and why. Answering these questions informs decisions around authoritative nameserver deployment and improving recursive resolver behaviour. —Kyle Schomp

DNS Flag Day was the result of a collaborative effort and agreement of DNS implementers and DNS resolver operators to commit to no longer providing workarounds for non-standards-compliant authoritative nameservers as of 1 February 2019. —Willem Toorop

As long we’ve had electronic mass media, audiences and creators have benefited from periods of technological upheaval that force old gatekeepers to compete with brash newcomers with new ideas about what constitutes acceptable culture and art. Those newcomers eventually became gatekeepers themselves, who then faced their own crop of revolutionaries. But today, the cycle is broken: as media, telecoms, and tech have all grown concentrated, the markets have become winner-take-all clashes among titans who seek to dominate our culture, our discourse and our communications. —Cory Doctorow

Dan Bricklin, co-creator of the first killer app, VisiCalc, recently pointed out it’s been 38 years since the IBM PC was introduced. It wasn’t the first PC — when it rolled out I wrote about it on my CP/M-powered KayPro II — but it was the one that started Bill Gates and Microsoft on their way to stardom. —Steven J. Vaughan-Nichols

Weekend Reads 081619

If you are using any supported version of the Windows operating system, stop everything and install the latest security updates from Microsoft immediately. —Swati Khandelwal

Is poor documentation always evil? Absolutely not. I’m often amazed at just how much some open source projects manage to accomplish considering the limited resources they’re usually working with. And, in any case, as long as people (like me) aren’t volunteering to help out, we have no right to grumble. —David Clinton

In any chip design, the devil – and the angel – is always in the details. AMD has been burned by some architectural choices it has made with Opteron processors in the past, where assumptions about how code might exploit the hardware did not pan out as planned. —Timothy Prickett Morgan

The unknown knowns quadrant is often overlooked or just misinterpreted. I can easily understand why people don’t see the importance of it and just refer to it as a nonsense contradiction — how can someone not know something they already know? —Alon Kiriati

With a focus on continuous improvements, agile project management upends the traditional linear way of developing products and services. Increasingly, organizations are adopting agile project management because it utilizes a series of shorter development cycles to deliver features and improve continually. —Matt Shealy

Seldom has a new IETF protocol sparked so much controversy and discussion as the DNS privacy protocol DNS-over-HTTPS (DoH). —Carsten Strotmann

The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name. —Leo Kelion

How safe are your secrets? If you used Amazon’s Elastic Block Storage snapshots, you might want to check your settings. —Zack Whittaker

It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer. —Joseph Cox

How do you solve a problem like deepfake? It’s a question that everyone from tech companies to politicians is having to ask with the advent of new, increasingly accessible tools that allow for the creation of A.I. manipulated videos in which people’s likenesses are reappropriated in once unimaginable ways. —Luke Dormehl

With so much dissatisfaction over how companies like Facebook and YouTube moderate user speech, you might think that the groups that run the Internet’s infrastructure would want to stay far away from the speech-policing business. Sadly, two groups that control an important piece of the Internet’s infrastructure have decided to jump right in. —Mitch Stoltz

Weekend Reads 080919

Doors across the United States are now fitted with Amazon’s Ring, a combination doorbell-security camera that records and transmits video straight to users’ phones, to Amazon’s cloud—and often to the local police department. —Matthew Guariglia

Amazon’s surveillance camera company coaches local police departments on ways to obtain a customer’s video images, even if that person does not wish to provide such information, Vice reported Monday, citing documents and internal memos. —Chris White

Despite the clear shift toward mobile browsing, much of the web has been designed for desktop machines on a wired connection. —Byungjin Jun

A new variant of the Spectre (Variant 1) side-channel vulnerability has been discovered that affects all modern Intel CPUs, and probably some AMD processors as well, which leverage speculative execution for high performance, Microsoft and Red Hat warned. —Mohit Kumar

A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction. —Mohit Kumar

In a way, the evolution of the textbook has mirrored that in every other industry. Ownership has given way to rentals, and analog to digital. Within the broad strokes of that transition, though, lie divergent ideas about not just what learning should look like in the 21st century but how affordable to make it. —Brian Barrett

When a major data breach occurs, security and business leaders running companies large and small are quick to ask the same familiar question: “How can we prevent this from happening to us?” —Kelly Sheridan

When software engineers mostly use shared code, they save time but risk losing understanding. —Brendan Dixon

Weekend Reads 080119

Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city’s power company got attacked by a ransomware virus. —Mohit Kumar

Business logic security issues are not well understood by the industry and difficult to identify before they reach production environments. The First American Financial exposure provides several valuable lessons on how to manage business logic risk in DevOps pipelines that seem to accelerate every day. —Chetan Conikee

It is important to note, however, that once the IT department work has moved off premises, the business no longer owns that service or the infrastructure that delivers it. Instead, the company is investing in an intangible service from a centralized source. There are several consequences of this trend. —Tim Gooding

Major shifts in the way consumers spend their time and money have created a lethal competitive field for news media. Here are some facts and charts about it. —Frederic Filloux

On the three-year anniversary of the No More Ransom project, Europol announced today that users who downloaded and decrypted files using free tools made available through the No More Ransom portal have prevented ransomware gangs from making profits estimated at at least $108 million. —Catalin Cimpanu

Many modern digital devices are difficult to repair — and this is by design. What’s more, companies like Apple will often void consumer warranties if their devices are fixed at a local mom and pop shop rather than by their own company’s professionals. —Navneet Alang

I don’t get surprised very often in this industry, but I must admit that I was surprised by the amount of money awarded for satellite broadband in the reverse auction for CAF II earlier this year. Viasat, Inc., which markets as Exede, was the fourth largest winner, collecting $122.5 million in the auction. —Doug Dawson

According to Troy Hunt, creator of HaveIBeenPwned, an increasing number of data breaches and data leaks are a direct result of weak passwords and password reuse. —Kacy Zurkus

When CVE-2019-5021 was released on May 8, it made me wonder how widespread the issue of vulnerabilities in popular containers is. Businesses have increasingly come to rely on containers as an agile development tool, but because they are inert when not in use, security vendors have found them difficult to scan. —Jerry Gamblin

When some people hear “Cryptography”, they think of their Wifi password, of the little green lock icon next to the address of their favorite website, and of the difficulty they’d face trying to snoop in other people’s email. Others may recall the litany of vulnerabilities of recent years that boasted a pithy acronym (DROWN, FREAK, POODLE…), a stylish logo and an urgent warning to update their web browser. —Ben Herzog

When it comes to cybersecurity, the world is obsessed with attribution. We see sensational headlines all the time that question, speculate on, and purport to confirm the identities of attackers. —Brandon Levene

In what could be the first significant expansion of the Supreme Court’s finding in Carpenter v. United States, a federal district court in Massachusetts granted a motion to suppress evidence, ruling that police use of a “pole camera” represented a search under the Fourth Amendment. —Evan Ringe

Cisco Systems has agreed to pay $8.6 million to settle a lawsuit that accused the company of knowingly selling video surveillance system containing severe security vulnerabilities to the U.S. federal and state government agencies. —Mohit Kumar

Weekend Reads 072619

When a packet reaches our network, the first thing we see is where the IP address packet originates from. And we make decisions based on that IP address. —Ólafur Guðmundsson

Such practices are a thing of the past for companies that subscribe to the DevOps method of software development and delivery. New releases are frequent: often weekly or daily. Bugs are fixed rapidly. New business opportunities are sought with gusto and confidence. New features are released, revised, and improved with rapid iterations. In one case study, a company was able to provide a new software feature every 11 seconds. —ACM

Spam! That’s what Lorrie Faith Cranor and Brian LaMacchia exclaimed in the title of a popular call-to-action article that appeared 20 years ago in Communications. —Emilio Ferrara

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity. —Brian Krebs

There is a utopian vision shared by hard workers everywhere: One day we will look back on all our accomplishments and say “at last, the age of respite and luxury has finally arrived!” But as the forecasted luxury manifests all around us, the respite is nowhere in sight. —Saul Zimet

In 2016 Gizmodo wrote an exposé that sent shockwaves through the social media universe. An investigative reporter had discovered that employees who monitored Facebook’s trending topics were intentionally purging conservative stories from appearing in the module. —Kelly Sadler

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head. —Dan Goodin

The US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) has run an analysis on suspect transactions in the past year and found that US businesses in 2018 wired around $301 million per month to business email compromise (BEC) scammers. —Liam Tung

A protocol recently released by the IETF, DNS over HTTPS (DoH), is at the centre of an increasingly polarised debate. This is because DoH uses encryption in the name of security and privacy and re-locates DNS resolution to the application layer of the Internet. This will impact cyber security, Internet consolidation, public policy issues, and our expectations of key actors in the Internet ecosystem — creating more problems than it solves at this time. —Stacie Hoffmann

But despite the fact that innovative cultures are desirable and that most leaders claim to understand what they entail, they are hard to create and sustain. This is puzzling. How can practices apparently so universally loved—even fun—be so tricky to implement? —Gary P. Pisano

Weekend Reads 071919

There have been a number of research papers that have described effective DNS cache poisoning attacks using IP fragmentation. —Kazunori Fujiwara

The game is changing for the IT ops community, which means the rules of the past make less and less sense. Organizations need accurate, understandable, and actionable metrics in the right context to measure operations performance and drive critical business transformation. —Julie Gunderson

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. —Krebs on Security

Route Origin Validation (ROV), based on Route Origin Authorizations (ROAs), is increasingly being deployed by registries, organizations and users worldwide in an effort to reduce the risk of problems associated with network misconfigurations and mistakes. —Taiji Kimura

Organizations around the world are wondering how to become immune from cyber attacks which are evolving every day with more sophisticated attack vectors. —Giridhara Raam

Similarly to other components of the Internet’s infrastructure (for example, TCP/IP, BGP, DNS), NTP was designed without security in mind. NTP’s design thus reflects the need to achieve correctness in the presence of inaccurate clocks (‘falsetickers’), assumed to be fairly rare, as opposed to designated attacks by powerful and strategic adversaries. —Neta Rozen Schiff

An American organization founded by tech giants Google and IBM is working with a company that is helping China’s authoritarian government conduct mass surveillance against its citizens, The Intercept can reveal. —Ryan Gallagher

Unfortunately, almost all DNS packets are sent unencrypted at present. This design makes DNS traffic vulnerable to snooping and manipulation, which is widely considered as one of the Internet’s biggest bugs. —Baojun Liu

Gabriel Weinberg is taking aim at Google from a small building 20 miles west of Philadelphia that looks like a fake castle. An optometrist has an office downstairs. —Nathaniel Popper

Sometimes ideas based in good intentions are so poorly thought out that they would actually make things worse. This seems to be especially prevalent in the copyright world of late (I’m looking at you, Articles 15 and 17 of the EU Copyright —Stan Adams

Weekend Reads 071219

If you’re serious about typing, gaming, or using your PC for long periods of time, a mechanical keyboard is a great way to treat yourself to a more comfortable experience, but also improve your speed and accuracy too. —Jon Martindale

PacNOG is sometimes viewed as a meeting for only ISPs and those who have very big networks to manage. I guess this perception had made me question the usefulness of going in the past (having worked on government networks). —Suetena Faatuuala Loia

The crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly successful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after allegedly having earned more than $2 billion in extortion payouts from victims. —Krebs on Security

But small details aside, his point is right: It does not make economic or environmental sense to “boil the sky” with warm air or the rivers with warm water. Large data centers, even very efficient ones, can and do put out a lot of heat, which wastes money, burns up energy and pushes up carbon emissions. —Andy Lawrence

Eight of the world’s biggest technology service providers were hacked by Chinese cyber spies in an elaborate and years-long invasion, Reuters found. The invasion exploited weaknesses in those companies, their customers, and the Western system of technological defense. —Jack Stubbs, Joseph Menn, Christopher Bing

Offensive Security has released an official version of Kali Linux for Raspberry Pi 4—the most powerful version of the compact computer board yet that was released just two weeks ago with the full 4GB of RAM at low cost and easy accessibility. —Wang Wei

But new data gathered from real-world appsec penetration tests exposes just what types of configuration mistakes organizations are making that expose their data. —Kelly Jackson Higgins

Security researchers say they have uncovered a massive espionage campaign involving the theft of call records from hacked cell network providers to conduct targeted surveillance on individuals of interest. —Zack Whittaker

Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year. —Swati Khandelwal

Blockchain is a linked list (i.e., a chain) of blocks that provides immutable, append-only and shared-data storage. Among other things, blockchain enables decentralization and a distributed consensus protocol for the historical log of shared states for transactional data sharing. Blockchain also supports applications that require tamper-evidence and transparency. —Miyuru Dayarathna

There are a lot of discussions nationwide about the ethics involved with providing video cameras. Today’s blog discusses topics you should consider if you offer, or plan to offer video cameras. —Doug Dawson