Controversial Reads 111922

So in terms of the daily lived experience of most people reading this, truly autonomous vehicles just aren’t going to happen.

When the federal government gets together with social media giants to censor critics of the government, is that free speech or censorship?

If you own an advanced Android phone, you may find that Google Assistant will interrupt conversations to offer its own “insights”. Google is also pursuing “prebunking” of what it considers “misinformation” with preemptive propaganda campaigns.

The outcomes of such a system are incentives to not be the new person on a team, to not ask questions, to not work on new and unfamiliar efforts, and to not work together at all generally. Those behaviors become embedded in an organization’s DNA, despite whatever is advertised publicly.

Today’s business headlines herald a harsh reality for Big Tech: tumult at Twitter; meltdown at Meta; atrophy at Alphabet; adjustments at Amazon. Layoffs, sliding stock and shrinking valuations are hallmarks of the moment.

To understand the sudden downfall of the now-collapsed crypto exchange FTX, you have to go back to the beginning.

Twitter was their home. Elon broke into their home. Then he kicked out their friends, and told everyone left to do their laundry.

Weekend Reads 111822

Internet users are being tricked into installing browser extensions that can hijack their web searches.

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

Silicon Valley startup Eliyan thinks its technology for enabling chiplet-based designs can best those from semiconductor giants Intel and TSMC by providing better performance, higher efficiency, fewer manufacturing issues, and more supply chain options.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

Qualcomm and Arm have been engaged in one of those very entertainingly bitter court fist-fights that the industry throws up when friends fall out over money.

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914.

I suspect this reflects a significant change in the economics of the sector. For the last 20 years, Silicon Valley has had the wind at its back thanks to rapid adoption of new technologies like the internet and smartphones. As a result, the industry fared better than the broader economy during and after the 2008 recession.

By playing unexpected moves outside of KataGo’s training set, a much weaker adversarial Go-playing program (that amateur humans can defeat) can trick KataGo into losing.

New research released this week reveals the process used by third party advertisers to target online users can be viewed or manipulated by online adversaries using only their target’s email address.

On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework.

This raises an important question: How do you take what is good about these patterns for creating innovation? Specifically, how do you apply open source principles and practices as appropriate? That’s what we’ve sought to accomplish with Red Hat Research.

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

That’s opened major questions about how these now-forever-roaming workers are connected to information resources and to each other.

A novel attack method has been disclosed against a crucial piece of technology called time-triggered ethernet (TTE) that’s used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft.

Weekend Reads 111122

User-first security must begin with an understanding of how people use computing technology. We have to ask: What is it that makes users vulnerable to hacking via email, messaging, social media, browsing, file sharing?

How does the industry effectively assess software security, enabling an approved list (allowlist) of software and libraries on distributed systems across multiple industries?

The COVID pandemic pushed a lot of school coursework to the internet, with an increased reliance on true/false and multiple-choice tests that can be taken online and graded quickly and conveniently.

Top chipmakers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development.

Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect.

Several models have been proposed to the Multi-State Information Sharing and Analysis Center (MS-ISAC) and other ISACs for a role in software assurance for supply chains using the Software Bill of Material (SBOM) information and associated digital signatures.

A lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Tests show that deploying malware in a persistent manner on load balancer firmware is within reach of less sophisticated attackers.

This fall, Microsoft claimed to have addressed anticompetitive cloud infrastructure complaints from a few smaller cloud services providers in Europe.

The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

Meta, formerly Facebook, once seemed an impenetrable fortress, but it’s now showing big cracks.

As a security researcher, common vulnerabilities and exposures (CVEs) are an issue for me — but not for the reason you might think.

That will be one of the reasons crypto has been plummeting for most of this year but recent events have intensified the sense of crisis.

Weekend Reads 110422

The recent rise of HTTP request smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.

Eternity typically keeps its activities on the down low—in the Dark Web. Still, we sought to determine if LilithBot and Eternity also engaged in dealings on the Surface Web.

The Financial Conduct Authority, the UK’s financial services regulator, has begun discussions with the aim of understanding the impact of Big Tech on industry competition.

You really shouldn’t be trying to manage your own passwords when high-performance graphics cards featuring GPUs as powerful as Nvidia’s GeForce RTX 4090 could be in use by hackers.

The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization.

In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse.

Finding new ways to collect information about a network and limit the meta-data exposed to others is a constant struggle we see in research as this data can be used for both benign and malicious intentions.

BlackEnergy first appeared in 2007. Designed to launch distributed denial-of-service (DDoS) attacks or download customized spam or banking data-stealer plug-ins, it was again used to target the State Bar of Georgia last May.

Over the last two years, office workers of the world have gotten a tantalizing taste of either fully remote work or partially remote hybrid work. Many don’t want to go back to commuting to a workplace full-time, no matter the cost.

An issue with this approach is that it assumes the recommended resolvers offer improved protection versus the one currently being used. In reality, the existing resolver may support one or more encrypted DNS protocols and the connection may already be encrypted.

Comcast has a problem—it isn’t signing up many new broadband customers. But Comcast also has a solution—get more money from existing subscribers.

There are many opinions about encryption and its role in our society, and many of those opinions are contradictory. Still, the general public is largely unaware of the nuances of this issue, which can lead to confusion or misunderstanding about what encryption really is and why it is crucial to all internet users.

Most pressingly, there is a general lack of demand for 5G services from enterprises. This means that service providers, eager to place themselves at the head of the race to deliver 5G services, are struggling to sell the potential benefits to their customers.

LastPass today released findings from its fifth annual Psychology of Password findings, which revealed even with cybersecurity education on the rise, password hygiene has not improved.

Some room-temperature takes on yesterday’s not-quite-RCE vulnerabilities in OpenSSL 3.0, and on what there is to learn about safe cryptography engineering.

Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar clean-up bill stemming from the sprawling NotPetya ransomware attack in 2017.

Weekend Reads 102822

Data security in the public cloud has been a concern since the computing medium emerged in the mid-2000s, but cloud providers are allaying fears of theft with a new concept: confidential computing.

Fewer than half of 5G users say they’ve experienced improvements in speed or reliability over 4G according to a new survey, but that is not going to stop some in telecoms pushing ahead with efforts to deliver an enhanced version branded 5.5G.

So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)’s VP of Security, this week tweeted, “OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC.”

These include multiple forms of wireless, artificial intelligence, and sustainability, according to Frances Karamouzis, distinguished vice president and analyst at Gartner, and external events are making IT pros’ decisions about them even more difficult.

As the priorities of IT are driven by the needs to support business goals, one of the increasingly important needs IT leaders must pay attention to is attracting and retaining high-quality employees.

SBOMs are meant to be something like a nutrition label on the back of a grocery store item listing all of the ingredients that went into making the product.

US telco Verizon has highlighted that the higher a person climbs up the corporate ladder, the harder it is for them to see what’s happening down at the bottom.

According to Susquehanna, a company that researches markets to inform its complex equity trading strategies, semiconductor lead times were down four days on average last month. “September represents the first real signs of [lead time] capitulation in our data,” the analysts wrote in the firm’s latest SemiSIGnals report.

The business world thinks about post-pandemic flexibility as the ability to choose where we work. But being able to choose when we work may be far more important.

Earlier this month, the European Union approved legislation aimed at regulating social media platforms: the Digital Services Act. The law will take effect in 2024, in time for the next U.S. presidential elections, and promises big shifts in how online speech is refereed not just in Europe, but also here at home.

Intel plans to lay off a “meaningful number” of employees and dump some products as part of a massive reduction in spending the chipmaker expects will reach up to $10 billion annually by 2025.

Mark Zuckerberg’s metaverse push is getting a bit sad. One only has to look at the ads pumped into Facebook by parent company Meta, forcing the concept down people’s throats.

Controversial Reads 102222

A Chinese law that went into effect six months ago required online service providers to file details of the algorithms they use with China’s centralized regulator, the Cyberspace Administration of China (CAC).

How is deep learning going to assist rather than replace the average creative worker? If replacement is the goal — valid, by the way, if a net positive for humanity — are we paying the people responsible for work the models have been trained on?

Since the WSJ and a viral TikTok video made quiet quitting a cultural phenomenon, it seems as though every news outlet, Fortune 500 CEO, lifestyle coach, or entry-level employee has something to say about quiet quitting.

After looking into the matter, I’m less confused but more distressed: Smart heating and cooling is even more knotted up than I thought. Ultimately, your smart thermostat isn’t made to help you. It’s there to help others—for reasons that might or might not benefit you directly, or ever.

This month, LinkedIn researchers revealed in Science that the company spent five years quietly researching more than 20 million users. By tweaking the professional networking platform’s algorithm, researchers were trying to determine through A/B testing whether users end up with more job opportunities when they connect with known acquaintances or complete strangers.

Big Tech companies shouldn’t have to pay for Internet service providers’ network-upgrade costs, a Google executive said today amid a push in Europe to have tech companies pay for broadband expansions and improvements.

The lawsuit largely focuses on the way Amazon penalizes sellers for listing products at lower prices on other websites. If Amazon spots a product listed cheaper on a competitor’s website, it often will remove important buttons like “Buy Now” and “Add to Cart” from a product listing page.

During his first year as a senator, Josh Hawley of Missouri started to talk about, and propose policies about, Big Tech, in a way that was different than the way politicians of the Right had previously discussed the issue.

But when you look beyond the splashy headlines, you’ll see that the real danger isn’t how smart A.I.s are. It’s how mindless they are—and how delusional we tend to be about their so-called intelligence.

After all, PayPal only partially reversed its policy. The company will still fine users up to $2,500 for other offenses listed under its user agreement, including activities presumably promoting “hate” and “intolerance.”

In response, Big Tech platforms (platforms), their sympathizers, and some in the media asserted outright falsehoods like the Court could “overturn” Section 230 and these cases could end the internet.

The Metaverse, as the company formerly known as Facebook defines the term in its financial filings, is “an embodied internet where people have immersive experiences beyond two-dimensional screens.”

Cloudflare’s recent headline-making decision to refuse its services to KiwiFarms—a site notorious for allowing its users to wage harassment campaigns against trans people—is likely to lead to more calls for infrastructure companies to police online speech.

Nvidia believes it will not be affected by the latest US controls on technology, if only because it is already under similar restrictions. However, the effects on Chinese companies could be dramatic amid fears of a protracted trade war.

Conventional wisdom suggests the proliferation of dating apps has made us more connected than ever. Now I wonder if most Americans can see through the cliché.

Two new political science studies investigate how all of this time spent on social media affects our politics. The first asks what, if anything, digital denizens learn about politics, while the second develops a model to explain how social media interactions spark culture wars by sorting people into antagonistic political tribes.

The Google Pixel 7, Pixel Watch, and Pixel Tablet all have something in common other than being Google-branded products with generic names. They’re part of an explicit attempt by Google to build a Pixel ecosystem of its own.

Mark Zuckerberg’s ambitious, multi-billion-dollar Metaverse platform is yet to garner the same traction as existing platforms Facebook and Instagram, according to internal documents.

Weekend Reads 102122

New research has disclosed what’s being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm.

Telcos deal with a considerable amount of multivendor devices. Although many hope/expect that these are equipped with state-of-the-art telemetry technologies, most of the time they’re not.

Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

Cracks and keygens have long been a problem for software vendors in that they allow users to install their products without needing to pay for a legitimate license. As the Internet and website development advanced and became more accessible, the number of sites offering software cracking tools grew.

The result is ChilliRack, a cooling system that Klein believes can address key challenges in the cost of cooling and the low utilization seen in many data centers.

With DevSecOps coming a long way as a discipline, there are now great frameworks and best practices for applying security gates in your CI, and later CD.

LitmusChaos is a dynamic open source chaos engineering platform that enables teams to identify weaknesses and potential outages in infrastructures by inducing chaos engineering tests/experiments in a controlled manner.

A survey by Ericsson’s ConsumerLab has uncovered some intriguing attitudes regarding 5G service quality; revealed some of the increasingly-popular activities among 5G punters; and drawn one or two questionable conclusions.

Modern phishing is driven by the desire for credential theft and business impersonation, but it’s also increasingly recognized as the gateway for launching malware and ransomware attacks, which often lead to serious compromises of corporate systems and other security issues, such as domain name system (DNS) attacks.

Earlier this year, the US Securities and Exchange Commission (SEC) announced proposed amendments to its security incident disclosure requirements for public companies.

Fears that 5G C-band signals could disrupt aircraft altimeters are misplaced, US government researchers claim in a report, saying that current efforts to filter any potentially dangerous frequencies are likely enough to combat problems.

Despite Google’s touting of the incognito mode feature available on its Chrome web browser, the feature is allegedly something of a joke to the company’s own engineers.

After months of trying and being refused access to my own user data, I found myself at the precipice of nearly committing fraud to get my user information, photos, and videos back from Instagram.

At the start of the 90s, a small group of people came together to make sure that the numbering system that allows computers to connect with each other over the Internet would remain stable.

New research from CSC indicates that fraudsters took advantage of the 2022 supply chain shortages to target consumers with fake websites.