Weekend Reads 072321


The next tech talent wars may be less about the free stuff, and more about the freedom to work from anywhere in the world. Those famously expensive Silicon Valley campuses that double as adult playgrounds, with their nap pods and herb gardens and bike-shares, are competing with a newfound love for the home office.


There are some features in any architecture that are essential, foundational, and non-negotiable. Right up to the moment that some clever architect shows us that this is not so.


Looking at the Resource Public Key Infrastructure (RPKI) landscape today, it is vastly different from two to three years ago. At the time, resource holders around the world had created a considerable amount of Route Origin Authorizations (ROAs), but actually using RPKI data to perform Route Origin Validation (ROV) was only done by a handful of networks.


A newly discovered breed of cyber assault is threatening corporate networks. Dubbed “FragAttacks” (Fragmentation and Aggregation Attacks) by Mathy Vanhoef, the researcher who discovered them, these security breaches are a subcategory of digital airborne attacks performed over Wi-Fi networks.


While there’s enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword. Cybercriminals and other threat actors can engage the same techniques or manipulate the automated systems businesses employ.


Most carriers don’t order 200,000 5G base stations, so they will pay more, but that’s the actual price for the joint procurement of China Telecom and China Unicom.


The seemingly endless battle against copyright infringement has caused plenty of collateral damage. But now that damage is reaching new levels, as copyright holders target providers of basic internet services. For example, Sony Music has persuaded a German court to order a Swiss domain name service (DNS) provider, Quad9, to block a site that simply indexes other sites suspected of copyright infringement.


Organizations report it’s becoming increasingly difficult to maintain the security of their Web applications and APIs with a patchwork of security tools and a rising wave of false positive alerts.


In most circumstances, I think it is bad practice for a vendor to do anything other than having patch and advisory publication synchronized. There may be exceptions to this, such as when a vulnerability is under active attack before a patch is available, but there are risks worth considering on either side of a synchronized release.


Why all this talk about an obscure game? Well, the game came to mind the other day as I was working my way through some security data trying to pinpoint a specific piece of information. The problem I had was that there are many signals (like the players looking the wrong way) that distracted from what I was looking for, and even when I started to zoom in on a general area, assessing the space was difficult.


For example, the crazy gyrations in bitcoin prices are ample evidence that financial markets are not efficient. Since bitcoins generate no income, their intrinsic value is zero, yet people have paid hundreds, thousands, and tens of thousands of dollars for bitcoins.


And one of the central tenets of that belief is that, given how many HPC and AI applications are bound by memory bandwidth – not compute capacity or even memory capacity – that some form of extremely close, very high bandwidth memory would come to all manner of calculating chips: GPUs, CPUs, FPGAs, vector engines, whatever.


The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).


The RIPE NCC is very invested in Resource Public Key Infrastructure (RPKI) and runs a Trust Anchor (one of the root certificate authorities, or CAs). It also hosts a platform for maintaining Route Origin Authorizations (ROAs). The NCC also offers a publication server accessible over rsync and RRDP.
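The two RPKI excerpts above talk about creating ROAs and about networks actually using them for Route Origin Validation. The validation step itself is small once a relying party has fetched and cryptographically validated the tree (over rsync or RRDP) and boiled it down to validated ROA payloads of prefix, maxLength and origin AS. The following is an added example, not code from the RIPE NCC or from either article: it applies the RFC 6811 decision procedure to a constructed set of ROAs over documentation and private address ranges, with the ASNs, prefixes and sample announcements all made up for illustration.

```python
"""Route Origin Validation (RFC 6811) against a small constructed ROA set.

Added example, not code from the RIPE NCC or the linked articles. The ROAs
and announcements below are constructed sample data (documentation and
private ranges, private-use ASNs), not real RPKI objects.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, Iterable, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: a covering prefix, the longest announceable
    length, and the AS allowed to originate it (0 = nobody, an "AS0 ROA")."""
    prefix: Net
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    net = ip_network(prefix, strict=True)
    # maxLength must lie between the ROA prefix length and the family maximum.
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} invalid for {net}")
    return ROA(net, max_length, asn)


def covers(roa: ROA, announced: Net) -> bool:
    """A ROA is a candidate when its prefix contains the announced prefix."""
    return announced.version == roa.prefix.version and announced.subnet_of(roa.prefix)


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """RFC 6811 outcome for one announcement: Valid, Invalid or NotFound."""
    announced = ip_network(prefix, strict=True)
    candidates = [r for r in roas if covers(r, announced)]
    if not candidates:
        return "NotFound"          # no ROA says anything about this space
    for r in candidates:
        # Any single matching ROA is enough; AS0 ROAs never match anything.
        if r.asn != 0 and r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


# Constructed ROA set (assumption: not real objects from any repository).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64500),
    make_roa("192.0.2.0/24", 24, 64502),   # second legitimate origin
    make_roa("198.51.100.0/24", 26, 64501),  # may be deaggregated to /26
    make_roa("203.0.113.0/24", 24, 0),       # AS0: must never appear in BGP
    make_roa("2001:db8::/32", 48, 64500),
]

# Constructed announcements as (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS: Tuple[Tuple[str, int], ...] = (
    ("192.0.2.0/24", 64500),      # exact match
    ("192.0.2.0/24", 64502),      # matches the second ROA
    ("192.0.2.0/25", 64500),      # more specific than maxLength: hijack-shaped
    ("192.0.2.0/24", 64666),      # wrong origin AS
    ("198.51.100.0/26", 64501),   # deaggregation allowed by maxLength
    ("203.0.113.0/24", 64501),    # only an AS0 ROA covers it
    ("10.0.0.0/8", 64500),        # nothing in RPKI about this space
    ("2001:db8:1::/48", 64500),   # IPv6, within maxLength
    ("2001:db8:1::/64", 64500),   # IPv6, beyond maxLength
)


def validate_all() -> Dict[Tuple[str, int], str]:
    """Run every sample announcement through validate() and collect results."""
    return {ann: validate(SAMPLE_ROAS, *ann) for ann in SAMPLE_ANNOUNCEMENTS}


if __name__ == "__main__":
    for (prefix, asn), state in validate_all().items():
        print(f"{prefix:20} AS{asn:<6} {state}")
```

What a router does with the three states is local policy; the common deployment is to drop Invalid and treat NotFound like Valid, which is why the articles stress that ROV only bites once enough networks both create ROAs and enforce them. Note that a more-specific announcement from the correct origin is still Invalid when it exceeds maxLength, so setting maxLength wider than you actually announce hands an attacker room to hijack with a more specific prefix.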


The way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software.

Weekend Reads 071621


Social media platforms like Instagram and Facebook have become key places for businesses to communicate with customers and even sell directly to consumers. Yet when it comes to actually making a purchase, do consumers trust a social media site over a domain?


Ransomware payouts are putting the squeeze on cyber-insurance companies and resulting in higher premiums for organizations that want protection against the threat.


Christopher Belfi was waiting tables in a lakeside resort near this Upstate New York town a decade ago when he got the career break he’d been waiting for — an invitation to work at a semiconductor factory.


Until we can solve the cybersecurity problem for the user at home, threats will remain a concern even for enterprises, with many having large numbers of work-from-home employees.


Prompted in part by devastating attacks such as those on SolarWinds Orion, Microsoft Exchange, and Colonial Pipeline, the White House issued an executive order on cybersecurity in May.


The InfiniBand interconnect emerged from the ashes of a fight about the future of server I/O at the end of the last millennium, and instead of becoming that generic I/O it became a low latency, high bandwidth interconnect used for high performance computing.


It is a microkernel operating system aimed primarily at midrange to high-end processors such as RISC-V with a memory management unit (MMU) and provides a competitive software platform for all industries in the embedded space.


Having your laptop stolen isn’t just stressful because you need to replace a pricey piece of hardware—it also poses a threat to your digital security. Fortunately, there are steps you can take to protect yourself both before and after your laptop goes missing.


Businesses in need of chips are taking supply-chain risks they wouldn’t have considered before, only to find that what they buy doesn’t work. Dubious sellers are buying ads on search engines to lure desperate buyers. Sales of X-ray machines that can detect fake parts have boomed.


In a nutshell, GDPR states that the personally identifiable information of EU citizens must be protected against disclosures, and there are laws in the US that require precisely such disclosures (FISA with its section 702 and the CLOUD Act).


The current discourse about AI and cybersecurity often confuses the different perspectives, as if the intersection of disciplines is monolithic and one-dimensional.


SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.

Controversial Reads 071021


According to the company’s market research, just about every demographic wants more data privacy: young, old, male, female, urban, rural. Public polling backs that up, though the results vary based on how the question is asked. One recent survey found that “93 percent of Americans would switch to a company that prioritizes data privacy if given the option.”


Once upon a very different internet era, law professor Tim Wu rose to intellectual prominence warning of the doom to come without “net neutrality,” a term he coined.


In a blog post on March 3, Google announced that it would be removing third-party cookies from its Chrome browser—a decision that would effectively end use of third-party cookies. Google also pledged to avoid any other technology for tracking individuals as they browse the web.


The $35 million contract given to SKDKnickerbocker was controversial. The state controller refused to pay it, pointing to the fact that there was no authorization in the budget for that spending.


The Judiciary Committee of the U.S. House of Representatives recently released a comprehensive series of bills designed to curb the excesses of Big Tech. One of them, the Platform Competition and Opportunity Act, addresses one of the biggest, most obvious problems among the largest tech companies: that they use their deep pockets to buy up services and companies which might have one day competed with them.


Work is one of the primary means by which we fulfill our true purpose: to glorify God, serve the common good and further God’s Kingdom. God reminds us of this on the seventh day of creation.


The robot revolution is always allegedly just around the corner. In the utopian vision, technology emancipates human labor from repetitive, mundane tasks, freeing us to be more productive and take on more fulfilling work.


In the competitive pursuit of speedrunning, gamers vie to complete a given video game as quickly as humanly possible.


For de Vesine, Google’s attempt to corral its employees after a year of remote work has been marked by indecision and backpedaling.


Today’s online consumer is drowning indeed — in the deluge of privacy policies, cookie pop-ups, and various web and app tracking permissions.

Weekend Reads 070921


A long-standing, generally accepted norm in the computing field distinguishes between software interfaces and implementations: Programmers should have to write their own implementing code, but they should be free to reimplement other developers’ program interfaces.


The traditional approach to statistical disclosure control (SDC) for privacy protection is utility-first. Since the 1970s, national statistical institutes have been using anonymization methods with heuristic parameter choice and suitable utility preservation properties to protect data before release.


Shared libraries encourage code reuse, promote consistency across teams, and ultimately improve product velocity and quality. But application developers are still left to choose the right libraries, figure out how to correctly configure them, and wire everything together.


When October 5 came, there was no vulnerability advisory being published and I still had not heard a CVSS or CVE for the issue, so I reached out again to their PSIRT who this time replied that the release had been postponed until October 14th now due to a delay in QA.


Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.


But as attacks have increased in scope and sophistication, so have we. Microsoft has a clear vision for how to help protect our customers now and in the future and we know our approach works.


PolarProxy is a transparent TLS proxy that outputs decrypted TLS traffic as PCAP files. PolarProxy doesn’t interfere with the tunnelled data in any way, it simply takes the incoming TLS stream, decrypts it, re-encrypts it and forwards it to the destination.


Google has launched an updated version of Scorecards, its automated security tool that produces a “risk score” for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis.


Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work.


Now one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.


There was an outside chance that China might pull a surprise on the HPC community and launch the first true exascale system – meaning capable of more than 1 exaflops of peak theoretical 64-bit floating point performance if you want to be generous, and 1 exaflops sustained on the High Performance Linpack (HPL) benchmark if you don’t – but that didn’t happen. And so, we wait.


These days, it’s not a matter if your password will be breached but when. Major websites experience massive data breaches at an alarming rate.


When we talk about supporting a global Internet, it’s important to remember that the majority of the world does not speak English as a first language.


It’s well known the code is buggy; that’s why software updates for anything from apps to operating systems are now the norm. But if the public understands this, the courts have not followed suit.


A lack of transparency and accountability are, without a doubt, the most substantial supply chain-specific security threats to the United States. These threats lead to underinformed end users and inequitable distribution of risk in global technology value chains.

Weekend Reads 070221


Many ISPs in the Asia Pacific region use MikroTik RouterOS to provide access to their customers via PPPoE (please get on board with IPv6!), and some use MikroTik for their edge/core routers as well.


In the reorganization that relatively new chief executive officer and formerly not only Intel’s first chief technology officer (in 2001) and also the first general manager (in 2005) of its Digital Enterprise Group, the company’s first implementation of Data Center Group.


Let’s begin with the obvious, uncontested fact: the number of ransomware attacks is going up because companies are paying the ransoms.


The 2020 calendar year will long be remembered as an annus horribilis for most, except for a handful of technology companies that reaped the rewards of a global shift to remote work with successful initial public offerings (IPOs).


In 2021, the high-end TV landscape is just as confusing to new buyers as ever. There’s a bunch of new televisions to consider, a raft of technical-sounding features — 8K, HDR, Ultra HD 4K, 120Hz and HDMI 2.1 — and a stable of familiar brand names competing for your dollar.


Windows 11 adds several unexpected new features, including Android apps, a revised Start Menu and Taskbar, new Widgets, and more.


Confidence isn’t new when it comes to cybersecurity. All the way back in 2015, for example, 86% of security professionals working in the energy sector told Tripwire that they were confident they could detect a breach in a week. Just less than half (49%) said it wouldn’t take them longer than a day to spot an attack.


On Hacker News, this article claiming “You won’t live to see a 128-bit CPU” is trending. Sadly, it was non-technical, so didn’t really contain anything useful. I thought I’d write up some technical notes.


The cyberattack on the Colonial Pipeline by the hacker group DarkSide disrupted gasoline supplies across the Southeast. The company caused a stir by paying a 75 Bitcoin ransom to DarkSide.


Today’s supply chains are labor-intensive and expensive to run. A number of autonomous systems that reduce the human factor are about to change all that.

Weekend Reads 062521


We were increasing HTTP requests for one of our applications, hosted on the Kubernetes cluster, which resulted in a spike of 5xx errors.


A continuous integration/continuous deployment (CI/CD) pipeline is an anchor for every DevOps initiative.


If you are new to the security world, it is fair to ask yourself, “Isn’t access to data and systems always conditional? Isn’t it always granted to someone who has access to the credentials (ID and password)?”


Could artificial intelligence be better at designing chips than human experts? A group of researchers from Google’s Brain Team attempted to answer this question and came back with interesting findings.


The CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks.


The VPN industry is booming and prospective users have hundreds of options to pick from. All claim to be the best, but some are more privacy-conscious than others.


In this article, we look at the key differences between the most popular cloud technology delivery models: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).


Daily decisions should be motivated by how they can improve the company, and your understanding should be that they will have a lasting impact. Think about this responsibility in the context of minimizing corporate risk and building a strong security posture to protect corporate assets.


Supply chain integrity attacks—unauthorized modifications to software packages—have been on the rise in the past two years, and are proving to be common and reliable attack vectors that affect all consumers of software.


ECDSA is a digital signature algorithm that is based on a form of cryptography termed Elliptical Curve Cryptography (ECC). This form of cryptography is based on the algebraic structure of elliptic curves over finite fields.
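The excerpt above defines ECDSA in one breath; seeing the curve arithmetic, the signing equation and the verification equation side by side makes the definition concrete, and also makes visible the one implementation mistake that matters most in practice. The following is an added example, not code from the linked article or from any library: a from-scratch ECDSA over secp256k1 (the curve used by Bitcoin, chosen because its parameters are public and short to state), plus the textbook recovery of the private key when the per-signature nonce k is reused. It is deliberately not constant-time and is for understanding only; the message strings and the fixed nonce are constructed for the demonstration.

```python
"""ECDSA over secp256k1 in pure Python, with the nonce-reuse key recovery.

Added example, not code from the linked article. Educational only: variable-
time arithmetic, no side-channel hardening. Use a vetted library for real
signing. secp256k1 is y^2 = x^3 + 7 over F_p with generator G of prime order N.
"""
import hashlib
import secrets
from typing import Optional, Tuple

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] * G[1] - G[0] ** 3 - 7) % P == 0, "generator is not on the curve"

Point = Optional[Tuple[int, int]]   # None is the point at infinity


def _inv(a: int, m: int) -> int:
    return pow(a, -1, m)            # modular inverse (Python 3.8+)


def _add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent group law on the curve (a = 0 for secp256k1)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1
            return None
        lam = 3 * x1 * x1 * _inv(2 * y1, P) % P     # tangent slope
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time)."""
    result: Point = None
    while k:
        if k & 1:
            result = _add(result, pt)
        pt = _add(pt, pt)
        k >>= 1
    return result


def _hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen() -> Tuple[int, Point]:
    d = secrets.randbelow(N - 1) + 1          # private scalar in [1, N-1]
    return d, _mul(d, G)                      # public point Q = dG


def sign(d: int, msg: bytes, k: Optional[int] = None) -> Tuple[int, int]:
    """(r, s) with r = (kG).x mod N and s = k^-1 (e + r d) mod N.
    k is exposed as a parameter only so the nonce-reuse demo can fix it."""
    e = _hash_to_int(msg)
    while True:
        nonce = k if k is not None else secrets.randbelow(N - 1) + 1
        r = _mul(nonce, G)[0] % N
        s = _inv(nonce, N) * (e + r * d) % N
        if r and s:
            return r, s
        k = None                              # retry with a fresh nonce


def verify(q: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Check (e s^-1) G + (r s^-1) Q has x-coordinate r mod N."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    e = _hash_to_int(msg)
    pt = _add(_mul(e * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def recover_from_nonce_reuse(msg1: bytes, sig1: Tuple[int, int],
                             msg2: bytes, sig2: Tuple[int, int]) -> int:
    """Two signatures sharing k share r; solving the two s-equations gives
    k = (e1 - e2)/(s1 - s2) and then d = (s1 k - e1)/r, all mod N."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs, so the nonce was not reused")
    e1, e2 = _hash_to_int(msg1), _hash_to_int(msg2)
    k = (e1 - e2) * _inv((s1 - s2) % N, N) % N
    return (s1 * k - e1) * _inv(r1, N) % N
```

The recovery function is the reason every serious ECDSA implementation now derives k deterministically from the key and message (RFC 6979) or from a well-seeded CSPRNG: a single repeated or predictable nonce hands over the long-term private key, with no attack on the curve itself. Libraries that normalise s to its low form can flip the sign of s; if recovery fails on such signatures, retry with N - s for one of them.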


The global chip shortage is pushing up prices of items such as laptops and printers and is threatening to do the same to other top-selling devices including smartphones.


Now a well-intentioned mechanism to easily update the firmware of Dell computers is itself vulnerable as the result of four rudimentary bugs.


When ransomware hit Colonial Pipeline’s networks in May, the whole world knew about it within days.


In 2015, police departments worldwide started finding ATMs compromised with advanced new “shimming” devices made to steal data from chip card transactions.


The only sure-fire way to eliminate such a threat is to fix the vulnerability in the codebase. But until a security patch is released, your systems are at the mercy of being exploited. Many of us accept this status quo.


Over the last few years, microservices have gone from an overhyped buzzword to something you should understand as a software engineer.

Weekend Reads 061821


Electric vehicles are expected to account for 58% of global passenger vehicle sales by 2040. The software and electrical components markets are also likely to face increased pressure and new challenges as they develop secure designs and equipment for these futuristic vehicles.


Community managers, maintainers, and foundations seek metrics and insights about open source communities.


The principle of least privilege in cybersecurity prescribes that no user should have access to system resources beyond what’s necessary for fulfilling a specific task.


(External) memory fragmentation is a long-standing Linux kernel programming issue. As the system runs, it assigns various tasks to memory pages.


In a world that is constantly evaluating costs, it is little wonder that there is an increasing demand for cost-effective solutions to business problems. In the real world, this means ‘free,’ and in the digital marketplace, it means ‘open source.’


There’s an infinite number of studies of ransomware lately, all breathlessly talking about how to fight this dangerous threat. They’re all dangerously wrong. Ransomware is not the problem.


Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim’s web browser to a different TLS service endpoint located on another IP address to steal sensitive information.


Moore’s Law is not just a simple rule of thumb about transistor counts, it’s an economic, technical, and developmental force—and one strong enough to push some of the largest chipmakers to future-proof architectural approaches.


Multi-factor authentication (MFA) is among the most useful measures companies can use against the rise in credential attacks, but attackers are adapting, as demonstrated in a variety of bypasses that allowed them to infiltrate networks — even those protected by MFA.


Thus, for performance-sensitive software such as databases, abstraction might bring unwanted consequences. How can we boost performance for these applications?


You hear it at every conference and in the halls of every university computer science program. It’s mentioned in every sales pitch for cybersecurity tools and outsourcing services: There simply aren’t enough qualified cybersecurity professionals.