Weekend Reads 120619

Vulnerability assessments are useful for detecting security issues within your environment. By identifying potential security weaknesses, these assessments help us to reduce the risk of a digital criminal infiltrating our systems. These assessments also help us learn more about our assets in a meaningful way that allows us to improve our overall security posture. —Ben Layer

Older information-technology professionals are being passed over by employers, even as IT job openings soar to record highs and employers say recruiting tech talent is a challenge. —Angus Loten

Security researchers at SRLabs have found a number of vulnerabilities with the way carriers around the world are implementing RCS, the new messaging standard designed to replace SMS, Motherboard reports. In some cases, these issues could compromise a user’s location data, they could allow their text messages or calls to be intercepted, or they might allow their phone number to be spoofed. —Jon Porter

A newly discovered vulnerability in the Android operating system could let attackers abuse legitimate apps to deliver malware. In doing so, they could track users without their knowledge. —Kelly Sheridan

On 1 October, APNIC introduced a special type of inet[6]num (that is, either an inetnum or an inet6num) record, called a whois stub record, into the APNIC Whois Database. It aims to fill in a few gaps in the data and improve query results, as will be demonstrated later in this article. —Rafael Cintra

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default. —Bram Bonné

However, there are customers who prefer to have the compute and the rest of the infrastructure hosted within their own data centers. Their reasons include security, data governance and low latency. The AWS Outposts solution is designed to bring AWS Cloud services to customers’ on-premises data centers. An AWS Outposts Rack is delivered to a customer site as a preconfigured standalone rack, requiring only power and network connectivity to begin providing service in customers’ data centers. —Chris Spain

Let’s step back into the blockchain jungle and take a look at the current state of the ecosystem and the projects trying to solve some of the limitations of blockchain technology: speed and throughput, cross-blockchain information and value exchange, governance, and identity and account management. —Axel Smith

Weekend Reads 112919

The United States on Tuesday set out a procedure to protect its telecommunications networks and their supply chains from national security threats, saying it would consider whether to bar transactions on a case-by-case basis. —David Shepardson

Last Thursday, Tesla CEO Elon Musk unveiled Tesla’s latest innovation, the Cybertruck (or, as he prefers to say, CYBRTRCK). Tesla already has—if Musk’s cryptic tweet embedded below is correct—at least 200,000 preorders (though the fact that only a $100 down payment is required means that enthusiasm is not very expensive)… —Brendan Dixon

The proportion of the Golden Ratio is 1:1.618. It is a mathematical equation that has found its way into design practices as well. The golden ratio has been scientifically proven beautiful. The best example to understand the importance of the Golden Ratio can be traced back to one of the most famous paintings: the Mona Lisa. The painting itself uses the golden ratio. —Harsh Raval

After all these “cybersecurity” rules are in place, no foreign company may encrypt data so that it cannot be read by the Chinese central government and the Communist Party of China. In other words, businesses will be required to turn over encryption keys. —Gordon G. Chang

Bean counters have noted that many iconic businesses (Uber, Lyft, Airbnb, WeWork, etc.) are not very profitable. A market shakeout will probably raise the cost of urban living. Here’s some background… —Denyse O’Leary

The minimum viable product (MVP) approach is the minimal or “lean” way to give consumers what they want without it necessarily being a fully realized idea. Given how the cloud works and its unprecedented ability to test incomplete ideas, the MVP approach has become the dominant methodology for pushing ideas out into the world. —John Maeda

By eliminating all the check-out steps required to buy something online, 1-click gave Amazon a decisive edge against cart abandonment, which, according to some studies, averages 70 percent and remains one of the two or three biggest challenges to online retailers. 1-click made impulse buys on the web actually impulsive. —Cliff Kuang

Have you ever worked with someone that has the most valuable time in the world? Someone that counts each precious minute in their presence as if you’re keeping them from something very, very important that they could use to solve world hunger or cure cancer? If you haven’t then you’re a very lucky person indeed. Sadly, almost everyone, especially those in IT, has had the misfortune to be involved with someone whose time is more precious than platinum-plated saffron. —Tom Hollingsworth

The growing adoption of multifactor authentication (MFA) has resulted in a proportionate rise in cyberattacks that target MFA technologies. In a recent Private Industry Notification (PIN), the Federal Bureau of Investigation (FBI) recognized how recent cyberattack campaigns are focusing directly on circumventing MFA. The FBI outlined three specific and comprehensive tactics that hackers have been developing in order to bypass MFA. —Tanner Johnson

Weekend Reads 112219

While the term “network slicing” typically brings up an association with 5G technology and services, they are not directly related. Network slicing simply is the ability to carve out multiple virtual networks, with significantly different performance characteristics, from a common physical infrastructure. 5G resonates with network slicing because 5G ‘by definition’ includes distinct service classes for very high bandwidth, ultra-low latency with high availability, and massive IoT. It is hard to see how the 5G services vision is achievable without network slicing. —Jonathan Homa

Have you actually thought about how much you are tracked on a daily basis? Think about everything you post on social media, what you search, the apps that are generating metadata (with or without your consent), what your phone knows about you. Not forgetting your “voice assistants,” there is a worrying amount of data we generate every day that builds an impressive digital footprint. —Stuart Peck

So, if there’s always been a battle of the browsers, why do we care so much about how many browsers are available today? You’d think it wouldn’t matter much. After all, browsers are nothing more than a shell through which we access the web, right? Superficially, that’s true. As consumers, browsers provide us with key navigational elements that help us move around the web: the home button, address bar, back and forward buttons, bookmarks, and more. —Suzanne Scacca

So what are the advantages of Li-ion (as compared to VLA or VRLA) batteries? First, the power density of Li-ion technology exceeds that of VLA or VRLA, so Li-ion batteries deliver more power from a smaller footprint. Second, Li-ion technology allows for more charge/discharge cycles without degrading the battery. —Chris Brown

Years ago, I spoke with the risk management leader at a bank where I was consulting. This person was new in the role and was outlining plans for implementing an IT risk management program. The company’s program was to be based on the NIST 800 series, which predates the creation of NIST Cybersecurity Framework, and they had worked out their own proprietary risk rating system based on the control catalog in SP 800-53. It was well thought out and the leader had some success in a previous role working with the same solution. —Jack Freund

If you consider cybersecurity breaches to be the “new normal,” you’re in good company. A recent survey conducted by Kaspersky Lab revealed that 86% of 250 top security officials who participated believe that cybersecurity breaches are inevitable. The complexity of today’s cyber environments guarantees that every company is on a path to a breach. —Ariel Zeitlin

An IT crash at Britain’s TSB bank that locked out nearly 2 million customers and halved parent Sabadell’s profits last year was caused by moving to a new banking platform before it had been properly tested, an investigation has found. —Lawrence White and Iain Withers

Online multiplayer gaming is growing rapidly, with free-to-play titles like Fortnite and League of Legends each generating over a billion dollars in revenue via in-game purchases. However, game-play experience is easily affected by network conditions, with poor “lag” causing frustrated gamers to complain on forums and churn between ISPs. —Vijay Sivaraman

One of the recurring and common complaints about Agile and its associated methodologies is that it doesn’t make an explicit provision for balancing software maintenance with new features. I’ll make the case that those are both related, and explain a system that I’ve seen work in the past to balance both maintenance and quality with new product work. —Trevor O

Usenet — Netnews — was conceived almost exactly 40 years ago this month. To understand where it came from and why certain decisions were made the way they were, it’s important to understand the technological constraints of the time. —Steven Bellovin

Weekend Reads 111519

However hard you work on documentation, it won’t work for your software – unless you do it the right way. There is a secret that needs to be understood in order to write good software documentation: there isn’t one thing called documentation, there are four. —Daniele Procida

Like most new technologies, 5G has brought with it a great deal of media hype. Some of this hype is accompanied by a significant distortion of facts and amplification of the actual capabilities of 5G technology. However, one claim that has universal agreement is that 5G will achieve ‘blistering speeds’, or in other words, much higher bandwidth compared to previous generations. —Paresh Khatri

Fraud and abuse in the form of robocalling, and more specifically illegally spoofed calling, is the No. 1 consumer complaint to the Federal Communications Commission (FCC). Robocalls make up nearly half of all phone calls, so frustrated consumers simply don’t answer incoming calls and businesses can’t get through to customers when they need to reach them. —Mark B. Cooper

Welcome to the next phase of the streaming wars, where some of the biggest companies in tech and media are fighting for your attention and your subscription dollars. With the launch earlier this month of Apple’s streaming service and then, this week, Disney’s Disney+, never before have there been so many services, offering a deluge of content, various bundles and countless add-ons. But there’s only so much money in peoples’ budgets.

A cyberattack limited to one organization can be enough to cause significant financial loss, data compromise, and long-term damage. When an attack extends to several victims, as is increasingly the case with enterprise incidents, the effects quickly multiply. —Kelly Sheridan

Today, we are told that the bigness of Big Tech giants was inevitable: the result of “network effects.” For example, once everyone you want to talk to is on Facebook, you can’t be convinced to use another, superior service, because all the people you’d use that service to talk to are still on Facebook. And of course, those people also can’t leave Facebook, because you’re still there. —Cory Doctorow

Intel CPUs that received hardware, software, and microcode fixes for various Spectre-related bugs are still vulnerable to a new speculative execution attack called ZombieLoad v2. This latest flaw in Intel’s chip design doesn’t make every single Core processor vulnerable, but it affects the latest few generations, from 2013’s Haswell architecture through to the latest Cascade Lake designs. —Jon Martindale

Relying on more than one network to manage your Kubernetes pods is usually no big deal. For webscale applications, the process usually involves sending traffic to multiple networks and that is the end of the story. But for network-intensive workloads, you might need more than one road to get to where you’re going. —Doug Smith

Technology giants are showing a heightened interest in the financial-services industry as they see Chinese tech companies succeeding in payments, an area that could be lucrative for data collection. —Emily Bary

In this post, I will explain how to hide your Amazon Web Services Elastic Compute Cloud (AWS EC2) server from those scanners using IPv6. The address range for Internet Protocol version 6 is ~7.9×10^28 times larger than IPv4, so, in practice, it’s currently not targeted by bots. —Paweł Urbanek

Weekend Reads 110819

This judgment has major implications for online freedom of expression around the world…. The ruling also means that a court in one EU member state will be able to order the removal of social media posts in other countries, even if they are not considered unlawful there. This would set a dangerous precedent where the courts of one country can control what internet users in another country can see. —Judith Bergman

I am happy to announce the release of NetworkMiner 2.5 today! This new version includes new features like JA3 and parsers for the HTTP/2 and DoH protocols. We have also added support for a few older protocols that are still widely used, such as Kerberos and the CIFS browser protocol. Additionally, NetworkMiner can now parse PCAP files up to twice as fast as before! —Erik Hjelmvik
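The JA3 fingerprint mentioned above is a fixed recipe over fields of the TLS ClientHello. The following is an added example, not NetworkMiner code, that builds a ClientHello in memory (no capture involved) and computes the fingerprint from the raw record: MD5 over "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats", values in decimal, lists joined with '-', GREASE values removed.

```python
"""Compute a JA3 TLS client fingerprint from a raw ClientHello record.

Added example, not NetworkMiner code. The ClientHello used below is
constructed in memory; the recipe is the published JA3 one.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them so that a
# client's randomised GREASE choice does not change its fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a ClientHello inside a TLS record. extensions: [(type, data_bytes), ...]."""
    body = struct.pack("!H", version) + bytes(32)          # client_version + 32-byte random (zeros here)
    body += b"\x00"                                         # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                     # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (version, cipher_suites, extension_types, supported_groups, ec_point_formats)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                            # skip random
    pos += 1 + body[pos]                                    # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:                                 # supported_groups: 2-byte length + 2-byte ids
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                               # ec_point_formats: 1-byte length + 1-byte ids
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3_string(record: bytes) -> str:
    version, ciphers, exts, groups, formats = parse_client_hello(record)

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), join(ciphers), join(exts), join(groups), join(formats)])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


# Constructed ClientHello: TLS 1.2, a GREASE cipher and a GREASE extension, SNI,
# supported_groups (with a GREASE group) and ec_point_formats.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0xc02b, 0xc02f, 0x009c],
    [
        (0x2a2a, b""),                                       # GREASE extension
        (0, b"\x00\x0f\x00\x00\x0c" + b"example.test"),       # server_name
        (10, b"\x00\x06\x3a\x3a\x00\x1d\x00\x17"),             # GREASE, x25519, secp256r1
        (11, b"\x01\x00"),                                   # uncompressed point format
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,49195-49199-156,0-10-11,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

The fingerprint is only as stable as the client's ClientHello: the same library version produces the same string regardless of destination, which is what makes JA3 useful for spotting a known tool or malware family in traffic that is otherwise opaque. Dropping GREASE is what keeps a browser's fingerprint stable across connections.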

One of the habits of the modern mind is division. If we are Christians, we might divide our profession of faith on Sunday morning from our daily lives Monday through Saturday (particularly, it seems, when it comes to Friday night). Then, when we build compartments, we often divide our view of the person, separating a Christian vision of reality from our use of technology. As it turns out, however, our view of the imago dei, or the image of God in man, plays a significant role in the way we view technology—particularly artificial intelligence (AI). —Russ White

Cyber insurance policies are designed to cover the costs of security incidents and breaches such as system forensics, data recovery, and legal and customer reparations costs. Typical incident types that are covered include invoice fraud, cryptolocker recovery, and insider threats. While cyber insurance has its place in a holistic approach to security, its place is misunderstood. —Chris Kennedy

The next great (and possibly confusing) version of USB is on its way. In early September 2019, the USB Implementers Forum (USB-IF) published the USB4 specification paving the way for blazing-fast USB connections comparable to the speeds of Thunderbolt 3. —Ian Paul

FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. —Raymond Leong, Dan Perez, Tyler Dean

Cybersecurity firm Trend Micro has disclosed a security incident this week carried out by an employee who improperly accessed the personal data of thousands of its customers with a “clear criminal intent” and then sold it to malicious third-party tech support scammers earlier this year. —Wang Wei

Two former employees of Twitter have been charged with spying on thousands of Twitter user accounts on behalf of the Saudi Arabian government, likely with the purpose of unmasking the identity of dissidents. —Swati Khandelwal

The popular VPN provider, NordVPN, recently announced a server breach at a third-party data center. NordVPN reassured users that its key services were not impacted, but some user logins from this breach were found to have been leaked and were used to try to access users’ accounts. —Alexis Hancock

Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called “Delegated Credentials for TLS.” Delegated Credentials for TLS is a new simplified way to implement “short-lived” certificates without sacrificing the reliability of secure connections. —Mohit Kumar

Google is teaming up with tech industry partners to launch OpenTitan, an open source project to strengthen chip security. The initiative will build reference design and integration guidelines for root-of-trust (RoT) silicon chips to be implemented in data center servers, storage devices, peripherals, and other technologies. —Kelly Sheridan

For many in Gen X using Blind Carbon Copy (Bcc) in group emails is an identifying tic of cultural lag becoming as anachronistic as the word carbon in the term itself. Back in the day we were tight with our lists, they were like the Glengarry leads, to us they were gold, and those who received our emails did not get to have them. But sadly, this is changing as exhibitionist Millennials regularly flood my inbox with hundreds of email addresses. —David Marcus

SpaceNews recently reported that Elon Musk and his low-orbit space venture Starlink have filed with the International Telecommunications Union (ITU) to launch an additional 30,000 broadband satellites in addition to the 11,927 now in the planning stages. This looks like a land grab and Musk is hoping to grab valuable orbital satellite paths to keep them away from competitors. —Doug Dawson

Weekend Reads 110119

Hard to believe we are past Halloween, and almost into the new year.

Some of the folk wisdom going around in software engineering, often cluelessly repeated for decades, is just wrong. It can be particularly damaging when it affects key aspects of software development and is contradicted by solid scientific evidence. —Bertrand Meyer

SPAM (or more specifically phishing) email has become one of the most popular and effective weapons used by cyber attackers. As such, it can be a useful artefact for security enthusiasts to analyze. —Imtiaz Rahman
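As an added example of treating a phishing e-mail as an artifact (this is not the author's code; both messages are constructed, and the domains and IP are documentation ranges), the following does the first-pass header triage a responder usually starts with: SPF/DKIM verdicts from the receiving MTA's Authentication-Results header (RFC 8601), a display name that imitates an address on a different domain, a Reply-To that routes replies elsewhere, and links whose host is not the sender's domain.

```python
"""First-pass header triage of a suspected phishing e-mail.

Added example, not the author's code. PHISH and BENIGN are constructed messages.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

PHISH = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
\tby mx.example.com with ESMTP id 4x7k2
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "helpdesk@example.com" <alerts@mailer.example.net>
Reply-To: recovery@example-support.net
To: alice@example.com
Subject: Your password expires today

Sign in at http://example-support.net/login within 24 hours to keep your account.
"""

BENIGN = """\
Return-Path: <bob@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Design doc

Draft is at https://docs.example.com/design/42 when you have a minute.
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def same_or_sub_domain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def auth_results(msg) -> dict:
    """Collect method=result pairs from Authentication-Results headers.
    The first ';'-separated clause is the authserv-id and is skipped."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:
            words = clause.split()
            if words and "=" in words[0]:
                method, result = words[0].split("=", 1)
                verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw: str) -> dict:
    """Return a report dict; 'suspicious' is True when any check fires."""
    msg = email.message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    body = msg.get_payload()
    link_hosts = sorted({urlparse(u).hostname for u in re.findall(r'https?://[^\s<>"]+', body)})

    report = {
        "auth": auth_results(msg),
        "sender_domain": sender_domain,
        "received_hops": len(msg.get_all("Received", [])),
        # display name that looks like an address on another domain (lookalike trick)
        "display_name_lookalike": "@" in display and domain_of(display) != sender_domain,
        # replies silently go somewhere other than the apparent sender
        "reply_to_elsewhere": bool(reply_to) and domain_of(reply_to) != sender_domain,
        "link_hosts_off_domain": [h for h in link_hosts if h and not same_or_sub_domain(h, sender_domain)],
    }
    failing = [m for m, r in report["auth"].items() if r != "pass"]
    report["auth_failures"] = failing
    report["suspicious"] = bool(
        failing or report["display_name_lookalike"]
        or report["reply_to_elsewhere"] or report["link_hosts_off_domain"]
    )
    return report


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

None of these signals is conclusive on its own (bulk mailers legitimately use a different Return-Path domain, and marketing mail often links to tracking hosts), which is why the report keeps each finding separate rather than collapsing them into a score; the Authentication-Results header is only trustworthy when it was added by your own MTA, so a real triage first strips any copy of it that arrived from outside.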

A recent exchange on CircleID highlighted a critical need for data to inform the debate on the impact of ICANN’s post-GDPR WHOIS policy that resulted in the redaction of domain name registrant contact data. A bit of background: in my original post, I made the point that domain name abuse had increased post-GDPR. —Frederick Felman

As I’ve written previously, this Third Amendment is necessary because of the First Amendment to the .com Registry Agreement which extends the current agreement’s term, including the wholesale registration price cap, until 2024 — a circumstance made inconvenient late last year when the National Telecommunications and Information Administration (NTIA) amended its Cooperative Agreement with VeriSign to remove the 2012 price restriction and grant pre-approval, beginning in 2020, for increases that don’t exceed 7% annually in four out of every six years of a .com Registry Agreement term. —Greg Thomas

Over the last few years, everyone’s been talking about Dark Mode. It’s said to boost productivity and focus while reducing eye strain. It’s also supposed to be better for your battery life. —Suzanne Scacca

One of the greatest misconceptions about online safety is that home networks are somehow private. Unfortunately, this hasn’t been true since around the turn of the century when we started filling our home networks with Internet-connected boxes serving local web pages. —Craig Young

One of the biggest security challenges with IoT is the substantial increase in the security attack surface — as IoT devices often have different operating systems and connect to networks (wireless, mobile and wired) with a variety of protocols, making them susceptible to a range of security vulnerabilities. —Vijay Varadharajan

Google recently released a paper showing that its quantum processor, called Sycamore, solved a computing problem in 200 seconds that would have taken the world’s best supercomputer 10,000 years to solve. And Google says this is just the beginning of what quantum computers will be able to do. —Beau Carnes

An absurd thing is happening in the halls of Congress. Major ISPs such as Comcast, AT&T, and Verizon are banging on the doors of legislators to stop the deployment of DNS over HTTPS (DoH), a technology that will give users one of the biggest upgrades to their Internet privacy and security since the proliferation of HTTPS. —Ernesto Falcon

We hear it all the time from security marketers and evangelists alike. “Information technology and operational technology are converging!” It’s a simplistic way of characterizing what is a highly complex web of digital transformations affecting a broad range of industries, from manufacturing to energy to real estate. —Dave Weinstein

Weekend Reads 102519

Last year, OpenSSL celebrated its 20th birthday. It was born of the earlier SSLeay project, which had begun some years before. The age of the project and the development history over those years evolved into a code base that wasn’t always simple and easy to maintain. —Paul Dale

In August last year, Amazon vowed to move all of its applications off internal Oracle databases and onto various database services running on the Amazon Web Services public cloud. Such projects are very difficult to do, particularly for companies that have applications and databases that have been in the field for one, two, or more decades. —Timothy Prickett Morgan

Glitching (or fault-injection) attacks aren’t easy (yet). But get ready, because as the IoT grows, these attacks will be a big reason that hardware security should be part of your cybersecurity planning. —Curtis Franklin Jr.

A team of German cybersecurity researchers has discovered a new cache poisoning attack against web caching systems that could be used by an attacker to force a targeted website into delivering error pages to most of its visitors instead of legitimate content or resources. —Swati Khandelwal

Conceptually, a cache system always involves at least three participants. With HTTP, these participants are the client, the server, and the caching proxy. —Léo Jacquemin
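The two excerpts above describe the same three-party setup and the failure it invites: a shared cache keyed on the URL will hand one visitor's error page to everyone else if it stores errors. The following simulation is an added example, not code from the researchers or either article; the origin, its request-header size limit, and the responses are all constructed. It shows a "store whatever the origin answered" cache beside one that stores only successful responses the origin explicitly marked cacheable.

```python
"""Shared-cache error poisoning, simulated.

Added example, not code from the research or the articles above. The origin,
its header limit and every response are constructed. The cache key is the
request path, shared by all visitors, so a single request that provokes an
error from the origin can fill the entry that everyone else reads.
"""
from dataclasses import dataclass, field

MAX_REQUEST_HEADER_BYTES = 64   # constructed origin limit; larger request headers get a 400


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, request_headers: dict) -> Response:
    """Constructed origin server. It rejects oversized request headers with a 400
    and, as many origins do, sends no Cache-Control at all on that error page."""
    header_bytes = sum(len(k) + len(v) for k, v in request_headers.items())
    if header_bytes > MAX_REQUEST_HEADER_BYTES:
        return Response(400, "Bad Request: request header too large")
    if path == "/index.html":
        return Response(200, "<h1>welcome</h1>", {"Cache-Control": "public, max-age=600"})
    return Response(404, "Not Found")


class Cache:
    """Caching proxy keyed on the request path only (request headers are not part of the key)."""

    def __init__(self, store_errors: bool):
        self.store_errors = store_errors
        self.entries = {}

    def fetch(self, path: str, request_headers: dict):
        """Return (response, served_from_cache)."""
        if path in self.entries:
            return self.entries[path], True
        resp = origin(path, request_headers)
        if self._storable(resp):
            self.entries[path] = resp
        return resp, False

    def _storable(self, resp: Response) -> bool:
        if self.store_errors:
            return True   # vulnerable: an error provoked by one client is stored for everyone
        # hardened: only a 200 that the origin explicitly marked cacheable is stored
        cc = resp.headers.get("Cache-Control", "")
        return resp.status == 200 and ("public" in cc or "max-age" in cc) and "no-store" not in cc


def run_scenario(store_errors: bool):
    """One attacker request carrying an oversized header, then an ordinary visitor.
    Returns (visitor_status, visitor_served_from_cache)."""
    cache = Cache(store_errors)
    cache.fetch("/index.html", {"X-Oversized-Header": "A" * 200})            # attacker
    resp, from_cache = cache.fetch("/index.html", {"User-Agent": "Mozilla/5.0"})  # visitor
    return resp.status, from_cache


if __name__ == "__main__":
    print("store-everything cache:", run_scenario(store_errors=True))    # (400, True)
    print("hardened cache:", run_scenario(store_errors=False))           # (200, False)
```

The hardened variant closes the specific failure here (an error page becoming the shared entry) but not the underlying mismatch: the cache key still ignores request headers that the origin reacts to. In a real deployment that is addressed on both sides, by the cache refusing to store error statuses and by the origin sending an explicit Cache-Control: no-store on responses it does not want shared.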

A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce). —Jack Wallen

For many years, Chinese users of Apple devices have had a very different experience from non-Chinese users. Chinese users can’t type or see the Taiwanese flag emoji (which has even caused severe bugs in the past)… —Danny O’Brien

Andre Fuetsch, President of AT&T Labs and CTO of AT&T hopes you don’t think that the new 5G internet will just mean more bandwidth. It could also mean that your smartphone will go the way of the calculator, replaced by a wristband or glasses. Put simply, more and more, “Objects become apps.” —Denyse O’Leary

The European Data Protection Supervisor (EDPS) says it has “serious concerns” over Microsoft’s contracts with European Union institutions and their compliance with European data-protection laws. —Liam Tung

A new data analysis by ProPublica and the Urban Institute shows more than half of older U.S. workers are pushed out of longtime jobs before they choose to retire, suffering financial damage that is often irreversible. —Peter Gosselin
