Controversial Reads 062522

Research by Citrix shows business leaders don’t entirely trust their employees when it comes to hybrid work.

The best result for big tech is if laws are absent or useless. The latest survey of big tech lobbying in the US reveals a flotilla of nearly 500 salespeople/lawyers touring the US state legislatures, trying to either draw up tech friendly legislation to insert into privacy bills, water then down through persuasion, or just keep them off the books.

Last month, the 11th Circuit Court of Appeals held that several parts of Florida’s social media law, S.B. 7072, were likely unconstitutional.

So when Facebook points out that Apple is using switching costs to take its users hostage, they know what they’re talking about.

Eliza became a phenomenon. Engineers got into Abbott and Costello–worthy accidental arguments with it when they thought they’d connected to a real co-worker.

Over the past few years, data brokers and federal military, intelligence, and law enforcement agencies have formed a vast, secretive partnership to surveil the movements of millions of people.

The positive and negative real-world impacts of blockchain applications both direct and indirect are critical. Whether this increasingly institutionalized sector will spark a real revolution or further entrench SSDD remains to be seen.

When I was 21, the cool thing to be was famous on Instagram. Now the cooler thing to be is a mystery. Anonymity is in.

Funny — they are building a personal brand “anonymously” … which doesn’t help their career, etc. … what’s the point? Probably won’t last.

Both sides of the argument on China’s domination of the wireless market, as presented in Jon Pelson’s Wireless Wars, are moot.

The goal of the Digital Markets Act (DMA) is to ensure that large “gatekeeping” platforms —such as Google, Apple, Meta, Amazon and the like—do not use their position as a core platform to restrict innovation and growth among the companies and apps that rely on them.

But behind the scenes everything had changed: Now all internet traffic was passing through a Russian provider and Vladimir Putin’s powerful online censorship machine.

Weekend Reads 062422

The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East.

A service level agreement (SLA) is a contract between a cloud provider and a user. The SLA describes the provider’s minimum level of service, specified by performance metrics, and the compensation due to the user should the provider fail to deliver this service.

Grooming techniques used in various frauds are getting more common and more elaborate. Fraudsters are coming up with narratives that involve complicated lies and may have different stages, depending on the type of fraud.

For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear.

Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

In recent years, the price per address for small blocks (/17 and smaller) has been greater than the price per address of large blocks (/16 and larger).

Domain Name System (DNS) abuse is one of the most important ongoing discussions in the community. Many of the existing industry white papers and general discussions around abuse incidents are based on data from reputation feeds, also called Reputation Blocklists (RBLs).

Despite the good-mood vibe, there are a lot of issues to be resolved when it comes to embarking on a multi-year project to bring fiber broadband to all unserved areas in the U.S.

Digital twin technology allows for the creation of a virtual duplicate of a live production system, network environment, or cloud instance in real time — and it promises to be a rapidly growing market and boon to manufacturers and security pros alike.

Average household broadband usage in March 2022 was measured at 514 gigabytes, staying over half a terabyte of data used for the average household.

If cloud services weren’t complicated enough for the typical business today to properly configure and secure, there’s also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

The Payment Card Industry Security Standards Council has released its first update to their Data Security Standard (PCI DSS) since 2018.

To understand why security teams are so held back by noise, we must first understand the consequences of noise for the security team. While not an exhaustive list, here are a few key repercussions.

In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship.

I’ve gathered the 10 most common mistakes teams make when starting with platform engineering.

Weekend Reads 061622

Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.

A European team of university students has cobbled together the first RISC-V supercomputer capable of showing balanced power consumption and performance.

During the last decade, various individuals and organizations have contributed to promoting and deploying IPv6, which recently passed 40% adoption globally.

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

An Avengers-style mash up of telecoms firms are collaborating on experimental trials of new communications technologies expected to be underpinned by 6G.

Personally, in my more than 20 years of internet governance experience, tackling DNS abuse is one of the more important issues I’ve participated in and seen debated.

Infrastructure operators are struggling to reduce the rate of IT outages despite improving technology and strong investment in this area.

Cloud service providers drove the datacenter switching market to its fifth consecutive quarter of year-over-year growth, but it won’t last forever, Dell’Oro Group analyst Sameh Boujelbene told The Register.

While it all sounds scary, it’s not quite as worrying as you might think: Attackers can only use PACMAN to exploit an existing memory bug in the system, which can be patched.

Controversial Reads 061122

In the hands of police and other government agencies, face recognition technology presents an inherent threat to our privacy, free expression, information security, and social justice.

From social credit scores and online censorship to electronic billboards that display a citizen’s “violations” like jaywalking, surveillance is a part of everyday life for millions of Chinese people.

But there’s a much bigger threat to democracy coming out of Silicon Valley and it’s this: America’s largest financial and tech increasingly act as independent countries, routinely exporting jobs, money and technology to our most significant global adversary.

It’s difficult to overstate how dramatic this shift is, both in substance and in tone. Overpaying, and even coddling, talented engineers has, for years, been seen as a point of pride among tech’s leadership class.

Excessive centralization can stymie coordination and erode freedom, democracy, and economic dynamism—decentralization is supposed to be the remedy. But the term on its own is too vague to be a coherent end goal.

In early March, weeks after senators advanced a sweeping bill to expand competition in the tech industry, a regional newspaper more than 2,000 miles from Silicon Valley ran a defensive op-ed.

Raskin didn’t foresee how tech giants would exploit his design principle, creating apps to automatically serve more and more content without your asking for it—or necessarily being able to opt out.

And although most legislators haven’t the foggiest idea of how the internet actually works, there is a bipartisan consensus that ignorance shouldn’t preclude action.

Florida and Texas passed statutes last year that require the fair, unbiased treatment of social media users. The Ohio attorney general also brought a lawsuit asking an Ohio state court to declare that Google is a common carrier. Big Tech, of course, opposed all these efforts in the courts.

How did Facebook become a business worth $1 trillion at one point last year? Not just by fulfilling its mission of “connecting people,” but by keeping them hooked on the site, sometimes for hours on end.

The truth is out there, but Twitter is not forthcoming. Why might this be? Here is where we get to the core of the issue: the reach data provided by these companies—this pertains not only to Twitter but to hundreds of thousands of sites—form the basis of its pricing structure for advertisers and therefore drive the fundamentals of the business model.

Do you ever get the feeling that we’re all just…stuck? The notion keeps coming up in conversations I have with friends, relatives, even the occasional stranger.

While Apple bills the service as “designed with users’ financial health in mind,” BNPL is a practice that has come under scrutiny by government regulators as something that could potentially harm customers.

Weekend Reads 061022

Alongside the announcement of Ryzen 7000 processors, AMD revealed a new technology coming to the platform: Smart Access Storage.

The web of global intermediary liability laws has grown increasingly vast and complex as policymakers around the world move to adopt stricter legal frameworks for platform regulation.

Like other kinds of computing, if you put garbage data into a machine learning training run and then pour new data through it, what comes out as the answer is puréed garbage.

A critical code execution zero-day in all supported versions of Windows has been under active exploit for seven weeks, giving attackers a reliable means for installing malware without triggering Windows Defender and a roster of other endpoint protection products.

Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear.

By expanding the breadth of device-to-application solutions with IPv6, LoRaWAN’s addressable IoT market is also broadened to include internet-based standards required in smart electricity metering and new applications in smart buildings, industries, logistics, and homes.

Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting the fact that LockBit 2.0 was the fastest.

In this post, I’ll explain the fundamentals of an IPTV system, starting from the origination of the content to its delivery on the viewer’s screens.

Because the rate of expansion is higher than a typical network team can handle, AI must be introduced to keep the already complex network structure of the present manageable, while enabling organizations to be ready to manage expansions in real-time.

Apple will have to include a USB-C charging port in iPhones it sells into Europe by 2024 after an EU amendment makes it the common standard across a range of devices.

Queryable Encryption could let a bank agent investigate your account for possible fraud on a range of dates without knowing which dates specifically flagged the system.

Technology companies added workers for the 18th consecutive month and employer job postings for tech occupations reached a new high in May, according to an analysis of the latest employment data by a nonprofit association for the IT industry and workforce.

Microsoft has announced a handful of significant changes for employee contracts and agreements that would scrap some of the most controversial workplace policies in tech.

Weekend Reads 060322

This edition of weekend reads begins with a few straight security stories of interest. I knew key loggers existed in the wild, but the logging of keystrokes before a web form is submitted is apparently a lot more common than I realized—

They found that 1,844 websites gathered an EU user’s email address without their consent, and a staggering 2,950 logged a US user’s email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.

Illustrating that security is often a game of “whack-a-mole,” web skimmers are obfuscating their operation—

Microsoft security researchers recently observed that web skimming campaigns now employ various obfuscation techniques to deliver and hide skimming scripts.

Identity is fraught with problems even in the real world; just as people used to carry “letters of introduction” with them when they moved to a new area or started a new job, identity is often a matter of transitive trust. How to replicate transitive trust in the digital world is still a problem, but it’s also the foundation of decentralized systems—

The central thesis of the decentralized future is that I should be able to demonstrate certain aspects of my identity in the digital domain that are manifest in the physical domain – for example, my valid passport, academic record, Social Security details, and financial transactions.

Some thoughts on containers and security—

In this article, we outline how containers contributed to agile development, which unique security risks containers bring into the picture – and what organizations can do to secure containerized workloads, going beyond DevOps to achieve DevSecOps.

DNS is often used by attackers in various ways, so it’s always fruitful to watch this space—

Central to many phishing attacks is an associated domain name, used either in the construction of a convincingly deceptive email delivery (“from”) address, for hosting the phishing site, or both.

However, geotargeting (or geoblocking) is increasingly being used by bad actors with their infringing websites.

Lots of stuff going on in the world of hardware and processors—

With the IPU, this offload model has been taken up another notch, with sophisticated networking and computation being put into a server’s network controller that makes it really a system in its own right.

Having created the Arm-based Nitro DPUs to offload compute, network, and storage virtualization and encryption work from its X86 servers, AWS decided back in 2018 to scale it up and create the initial Graviton to test the idea of using Arm servers in production.

Nearly all modern communications depend on optical hardware at some point, and improvements in that technology have the chance to be directly applied to quantum computing hardware.

Turing probably had little influence on computer construction. Even with the British stored program machines, with the exception of the Ace, he contributed little or nothing at all.

If you wanted to make a CPU, and you’re not AMD or Intel, there are two real choices: ARM and RISC-V.

Finally, a few articles on network performance and management—

I’ve written about this before, and the big ISP argument is pure bosh. Broadband costs are not related to the overall volume of broadband being delivered on a network.

When performance is poor, debugging these systems is challenging due to the complex interactions between different subcomponents and the possibility of the problem occurring at various places along the communication path.

Instead, I wanted to show how you can use Wireshark to find which specific packet triggered a Snort rule in seconds from within the Wireshark GUI, giving you all the surrounding context that a PCAP can give you.

And a bit of ‘net history—remember all 100 episodes of the History of Networking are still available, even if I’ve not recorded a new one in a long time—

At the close of the first day of SEE 10, Slobodan Markovic and I had the honour of giving a presentation that served as an introduction to a panel discussion on the Internet in Yugoslavia.

Weekend Reads 052722

networks and policy

Leading off this weekend, an article by Simon Sharwood on the impact of the centralization of the Internet. I wrote a somewhat longer article on the Public Discourse a while back on the same topic.

The internet has become smaller, the result of a rethinking of when and where to use the ‘net’s intended architecture. In the process it may also have further concentrated power in the hands of giant technology companies.

Is softwarization really going to change the way we build networks from the ground up? I suspect things will change, but they’ve always changed. I also suspect we’ll be hearing about how software is going to eat the world ten years from now, and IPv6 still won’t be fully deployed.

DOCSIS 4.0 is set to deliver faster speeds for cable network operators, but the next generation technology will also spur an operational sea change, telecom consultant Sean McDevitt told Fierce.

By default, the Docker server configures container networks for IPv4-only, so I had a hard time running it in this environment.

security and other technologies

This one on Costa Rica is a serious warning—

A ransomware gang that infiltrated some Costa Rican government computer systems has upped its threat, saying its goal is now to overthrow the government.

A soda can, a smartphone stand, or any shiny, lightweight desk decoration could pose a threat of eavesdropping, even in a soundproof room, if an attacker can see the object, according to a team of researchers from Ben-Gurion University of the Negev.

Deception is a powerful resilience tactic that provides observability into attack operations, deflects impact from production systems, and advises resilient system design.

The push for open source isn’t limited just to software; in fact, there’s quite a big push for open-source hardware as well, and RISC-V is leading the charge.

work and life

The recent corporate pushback against working from remote locations (referred to, unfortunately, as work from home) is both self-destructive and bizarre.

With a 2% unemployment rate, the tech industry is rethinking what job applicants need to get hired. Skills-based hiring is on the rise, and 59% of employers are considering eliminating college degree requirements — changes that could reshape the IT workforce.

Companies have utilized technology that attempts to assess if an employee is trustworthy, The New York Times reports. Some software can offer nearly constant evaluations and watch for suspicious computer behavior, review employee credit reports and arrest records.