Better late than never … 🙂

For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that’s all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient. Using many small suppliers is inefficient. Inefficiency is unprofitable. —Bruce Schneier

In this post, we describe the challenges associated with measuring anycast services and propose a tool called the Border Gateway Protocol (BGP) Tuner. By using our open-source tool, operators can see in advance how changes in their BGP policies may impact the traffic load distribution over the anycast sites. This post is a short description of our technical report available here. —Joao M. Ceron

There are increasing calls to break up, tax, regulate or [other intervention here] Big Tech. What I’m curious about is what for. —Matt Webb

Hence I made a self-experiment in which I generated two certificates with random names, monitoring the authoritative DNS servers as well as the IPv6 addresses of those names in order to check who is resolving/connecting to otherwise unknown hostnames. —Johannes Weber

This is not OK. When a home becomes an office, it remains a home. Workers should not be subject to nonconsensual surveillance or feel pressured to be scrutinized in their own homes to keep their jobs. —Bennet Cyphers and Karen Gullo

In the first quarter of 2020, distributed denial-of-service (DDoS) attacks jumped more than 542% compared with the last quarter of 2019 and more than 278% year-over-year. NexusGuard researchers suggest the spike may be linked to a parallel increase in malicious cyber activity during the COVID-19 pandemic. —Dark Reading

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on vulnerabilities in Netgear routers that remote attackers can exploit to take control of them. These routers are typically used in home networks. The agency acknowledges the coronavirus-related rise in working from home has elevated this consumer problem to an issue for many enterprises. —Dark Reading

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse. —Krebs on Security

Here’s my little article about (almost) everything I know about Apple Lightning and related technologies: Tristar, Hydra, HiFive, SDQ, IDBUS and etc. But first a tiny warning…

DNS Response Policy Zones (RPZ) provide a cost-effective security method similar to a firewall. It allows a nameserver administrator to apply custom policies on top of the global DNS and set alternative routes for queries, in particular, bad domains. —Swapneel Patnekar

Think about it: When we picture the great seagoing voyages of discovery, there were cooks, chandlers, medics, and all sorts of other support staff. But that’s not the case in space. And the reasons why have critical echoes for professionals in cybersecurity. —Curtis Franklin Jr.

There is a general misunderstanding about what makes a vulnerability dangerous. Hype and publicity tend to be focused on the most advanced threats and tactics. In response to this, security teams focus more on controlling these advanced attacks rather than the more mundane ones, largely because the business supports these sensational cases more easily — at least until the memory has faded. —Douglas Ferguson

As we approach four months since the WHO declared COVID-19 to be a pandemic, and with lockdowns and other restrictions continuing in much of the world, it is worth reflecting on how the Internet has coped with the changes in its use, and on what lessons we can learn from these for the future of the network. —Jari Arkko

What makes Thiel (think PayPal, Facebook, Palantir, Airbnb, Lyft, and Elon Musk’s SpaceX) unique is that he so much contradicts the Valley stereotype and is certainly not afraid to tell the Valley its faults. In fact, he moved down to Los Angeles in 2018, fed up with the Valley as a one-party state. He suggested in 2019 that Google be investigated for treason for refusing to work with the Pentagon but helping the Chinese military.

While the pandemic circling the globe has undermined many critical systems and institutions of our society, I believe it also has the potential to strengthen the resolve of the Internet community to embrace the vision Berners-Lee had more than 50 years ago. We have the opportunity to enter the next major phase of the Internet — the era of trust. —Byron Holland

Driven by growth in the JavaScript, Java, and Python ecosystems, the number of open source software packages more than doubled in 2019, but the number of vulnerabilities fell by 20%, suggesting that developers are weeding out simple vulnerabilities, a new report shows. —Robert Lemos

MANRS began as a collaboration among network operators and internet exchange providers, with Verisign formally becoming a participant in its Network Operator Program in 2017. Since then, with the help of Verisign and other MANRS participants, the initiative has grown to also include content delivery networks (CDN) and cloud providers. —Yong Kim

Insider threats can be accidental or intentional, but the impact of insider breaches remains the same. Negligence at the organization regarding data privacy requirements and compliance can cause catastrophic data loss. To implement effective mitigation measures, employees must be aware of their responsibility towards the usage and sharing of data. With recent changes in data protection and privacy laws, various companies have seen a significant impact on their current security practices and controls. —Ikjot Saini

Security researchers came across a new ransomware family called “CryCryptor” that masqueraded as a Canadian COVID-19 tracing app. —David Bisson

There have been many workshops and training sessions and much in the way of counting the generation of RPKI certificates and Route Origin Attestations in recent months. The data published by the US National Institute of Standards and Technology (NIST) in its RPKI monitor is a good example (https://rpki-monitor.antd.nist.gov). Around 20% of the announced prefix / origin AS pairs have an associated valid ROA. —Geoff Huston, Joao Damas

Each of the FANGAM stocks are investments in incredible companies (germ of truth), and they function better in this virus-infested world (another germ of truth). But at the core, their existence is grounded in the real, not virtual, world. —Vitaliy Katsenelson

AMD this week announced it had exceeded its goal to increase energy efficiency 25-fold by 2020. Called the 25×20 goal, it has been a driving force for the company for most of the last decade and explains why cloud providers like Google have begun to favor AMD processors. —Rob Enderle

Deception tools basically use misdirection, false responses, and other tricks to lure attackers away from legitimate targets and point them to honeypots and other decoy systems designed to trap or distract them from their missions. Deception tools — many of which leverage artificial intelligence (AI) and machine learning (ML) — can help organizations detect intrusions early and provide them with an opportunity to observe an attacker’s tools and tactics. —Jai Vijayan

Foundational controls are basic measures that should ideally form the basis of any organization’s IT security posture. As such, they should constitute the foundation on which an organization bases the rest of its IT security strategy. —Dean Ferrando

A little late, but still…

In the recent GitHub Satellite online conference, one of the most exciting product announcements was GitHub Codespaces. The idea is to have a code button on every repository. —Michael Yuan

High impact vulnerabilities in modern communication protocol used by mobile network operators (MNOs) can be exploited to intercept user data and carry out impersonation, fraud, and denial of service (DoS) attacks, cautions a newly published research. —Ravie Lakshmanan

I want to explain the cost structure that firms, and in particular technology companies, must manage. I absorbed these lessons by studying the financial documents and annual reports of companies that perhaps you aspire to work for or whose products you may use and enjoy. —Adam Naor

As a search engine optimization (SEO) and domain name consultant, one of the questions I get asked most often about domain names is whether or not the domain name or TLD (Top-Level Domain) matters. Will the domain name ending have an effect on SEO or search engine rankings? Are certain domain name endings preferred by the search engines over other domain name extensions? I decided to answer this question based on search engine optimization testing and not just on my personal and professional experience. —Bill Hartzer

Even before the coronavirus pandemic hit, Intel, the dominant maker of processors for servers on the planet, was rejiggering its product roadmaps behind the scenes in conjunction with its largest OEM partners as well as the hyperscalers and large public cloud builders that drive about a third of its revenues these days. —Timothy Prickett Morgan

Cybersecurity is not a static world. You can say that it is a social system, it affects and is affected by its surrounding environment. For example, back in 2018, it was the GDPR that shook the foundations of security and privacy by making the protection of our personal data a fundamental human right. But that was then. What is shaping today’s cybersecurity? —Anastasios Arampatzis

The first wave of cryptocurrencies, starting in the 1980s, attempted to digitize government-issued currency (or fiat currency, as cryptocurrency enthusiasts say). The second wave, represented prominently by Bitcoin, provide their own separate currency—issued and operated independently of any existing currencies, governments, or financial institutions. Bitcoin’s currency (BTC) is issued in fixed quantities according to a hard-coded schedule in the protocol. —Communications of the ACM

The Data Science Life Cycle introduced here can be used as a framing principle to guide decision making in a variety of educational settings, pointing the way on topics such as: whether to develop new data science courses (and which ones) or rely on existing course offerings or a mix of both; whether to design data science curricula across existing degree granting units or work within them; how to relate new degrees and programmatic initiatives to ongoing research in data science and encourage the development of a recognized research area in data science itself; and how to prioritize support for data science research across a variety of disciplinary domains. —Victoria Stodden

From an economics perspective, this new market design solution provides some of the advantages of a centralized digital platform (for example, the ability of participants to rely on a shared network and benefit from network effects) without some of the consequences the presence of an intermediary may introduce such as increased market power, ability to renege on commitments to ecosystem participants, control over participants’ data, and presence of a single point of failure. —Christian Catalini, Joshua S. Gans

Planet-scale applications are driving the exponential growth of the Cloud, and datacenter specialization is the key enabler of this trend. GPU- and FPGA-based clouds have already been deployed to accelerate compute-intensive workloads. ASIC-based clouds are a natural evolution as cloud services expand across the planet.

A few months ago, there was a lot of discussion that despite its claims, Zoom did not actually offer end-to-end encryption. They’re in the process of fixing that, which is good, but that raises a deeper question: why trust their code? —Steve Bellovin

Intel has announced new CPU-level capabilities designed to protect apps against threats that take advantage of buffer overflow and other common vulnerabilities related to memory security. —Jai Vijayan

The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe. —Mohit Kumar

The cyber risks to our H2O infrastructure have yet to enter the public debate in the way that vulnerabilities in the electric grid have, despite proven attacks on this critical infrastructure. —Samantha F. Ravich

Amazon Web Services recently had to defend against a DDoS attack with a peak traffic volume of 2.3 Tbps, the largest ever recorded, ZDNet reports. —Jon Porte

Intel today announced its third-generation Xeon Scalable (meaning Gold and Platinum) processors, along with new generations of its Optane persistent memory (read: extremely low-latency, high-endurance SSD) and Stratix AI FPGA products. —Jim Salter

Cited by 30% of the survey respondents, the COVID-19 pandemic brought vast changes in the way people work and how we need to secure remote workforces. —Anastasios Arampatzis

The United States on Monday confirmed a Reuters report that it will amend its prohibitions on U.S. companies doing business with China’s Huawei to allow them to work together on setting standards for next-generation 5G networks. —Karen Freifeld and David Shepardson

possibly controversial

To commemorate the company’s initial public offering in 2011, LinkedIn gave some of its employees a lucite cube emblazoned with the stock ticker, LNKD, on one side and “Next Play” on the reverse. That phrase encapsulates the business philosophy of Jeff Weiner, LinkedIn’s CEO at the time. —Ian Bogost

HBO Max is incredible. Not because it is good, but because of how many problems with the media landscape it epitomizes. If you ever had trouble seeing where monopoly, net neutrality, and technology intertwine, well then thanks, I guess, to AT&T for its achievement in HBO Max. No one knows what it’s supposed to do, but everyone can see what’s wrong with it. —Katherine Trendacosta

That we feel this way even when hyperconnected might seem like a contradiction. But the facts are clear: Constant virtual connections can often amplify the feeling of loneliness. —Leslie Katz

Since May 2014, when Chinese Communist Party Secretary Zhang Chunxian announced the People’s War on Terror in the Uighur region, Chinese technology firms have received billions of dollars in Chinese state capital to build a comprehensive Muslim “re-education” system in Northwest China. —Darren Byler

Mapping the Internet’s topology improves our understanding of its interconnectivity, and thus its robustness and resilience. One of the best ways to do this is to capture data at the router level; it provides the greatest detail of the physical infrastructure of the Internet. —Kevin Vermeulen

A number of groups are using different approaches to measure Internet outages, including active probing of most of the IPv4 Internet, and passive observation of traffic. Our group at the Information Sciences Institute of the University of Southern California (USC/ISC), developed Trinocular, a system that pings millions of /24 IPv4 blocks every 11 minutes (since October 2014). —Guillermo Baltra

Benefits like wearing pajama bottoms to work and going for a mid-day run can be mitigated by the costs to your motivation, self-confidence, and self-esteem when you no longer hear “you aced it!” from your boss on the walk back from a client meeting, or when you can’t get a high-five in the coffee room from a teammate — or even a smile from the receptionist on your way to the elevator. —Deborah Grayson Riegel

It’s a truism that in computing, the easiest way in the door is with a general-purpose computer, but when you need serious scale for solving a particular problem, you turn to purpose-built hardware. This can be for reasons of cost, performance, or both. —John Scudder

It all started in 2003 when I wrote my master’s thesis — an experimental DHCPv6 implementation for Linux. Back in the day, IPv6 was a novelty. The IETF RFC documents that defined it were a bit over four years old. —Tomek Mrugalski

At the same time, the QUIC headline feature is its built-in low latency handshake that is more reliant on small handshake sizes than is widely understood. QUIC implementations are now faced with the decision of whether or not updating their embedded TLS code to support certificate compression is urgent. —Patrick McManus

We are now more than a year into what the carriers are labeling as 5G. If you read this blog regularly you know by now that I don’t think we’ve seen any 5G yet – what has been introduced so far is new spectrum. A new band of spectrum can improve broadband performance in crowded markets, and so the carriers are getting some praise for this development. But these new spectrum bands are operating as 4G LTE and are not yet 5G. —Doug Dawson

Automated bots that collect content, product descriptions, pricing, inventory data, and other public-facing information from websites have a greater economic and performance impact than many organizations might realize, a new study suggests. —Jai Vijayan

And finally, this is worth watching on why computers barely work, and this is worth watching on “all links are safe.”

On 27 February 2020, MalwareMustDie (MMD), a workgroup focused on the research and study of Linux malware, analysed and shared a new type of malware they called RHOMBUS. This malware was compiled for different architectures, had persistence mechanisms and dropped a second-stage payload. —Lisandro Ubiedo

Security researchers witnessed the deployment of PonyFinal ransomware at the end of extended human-operated attack campaigns. In a series of tweets, Microsoft Security Intelligence revealed it had observed human-operated campaigns laying in wait for the right moment to deploy PonyFinal ransomware as their final payload. —David Bisson

NetWalker (also known as Mailto) is the name given to a sophisticated family of Windows ransomware that has targeted corporate computer networks, encrypting the files it finds, and demanding that a cryptocurrency payment is made for the safe recovery of the encrypted data. —Graham Cluley

Memory isolation is a cornerstone security feature in the construction of every modern computer system. Allowing the simultaneous execution of multiple mutually distrusting applications at the same time on the same hardware, it is the basis of enabling secure execution of multiple processes on the same machine or in the cloud. The operating system is in charge of enforcing this isolation, as well as isolating its own kernel memory regions from other users.

Recently, I was tipped off about certain sites performing localhost port scans against visitors, presumably as part of a user fingerprinting and tracking or bot detection. This didn’t sit well with me, so I went about investigating the practice, and it seems many sites are port scanning visitors for dubious reasons. —Charlie Belmer

Cybersecurity researchers today uncovered a new advanced version of ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data. —Ravie Lakshmanan

Modern Intel and AMD processors are susceptible to a new form of side-channel attack that makes flush-based cache attacks resilient to system noise, newly published research shared with The Hacker News has revealed. —Ravie Lakshmanan

It has been over a year since ransomware-as-a-service RobbinHood appeared in a major attack against the city government of Baltimore. While initially described as amateur and unsophisticated among cybersecurity pros, the ransomware has since changed in ways that make it a threat to watch. —Kelly Sheridan

The concept of network devices being programmable computers that can be re-coded at will with new features and protocols just like the original IMP is back. That’s quite a change from today, but what does this mean for the network engineers of tomorrow? —Juha Saarinen

Here there be controversy

Various organizations, such as the EFF, have been weighing in on their platforms to support section 230, which allows social media networks to claim the status of “publisher” in some cases and “platform” in others. It seems useful to think about what the “other side of the story” might be—what arguments are being made against section 230. Whether you agree or disagree with this, it is always worth listening.

I’ve been writing and speaking about this question for a while, most recently in Newsweek, because it has stirred internecine conflict on the Right between individuals who think social media companies should remain free from policy intervention (ignoring, of course, that they thrive as a result of Section 230, itself a government policy) and those, like me, who believe that these corporations have accumulated a troubling amount of power over our lives, data, behavior, and the free market. —Rachel Bovard

Finally, a sad article about deaths of despair in the world of IT…

In the front seat of a pickup truck sat the lifeless body of Kevin Flanagan beside a 12-gauge Remington. Behind him were boxes of his personal effects from his office at Bank of America, where the programmer had worked for nearly a decade. —Pedro Gonzalez

Data breach notifications are meant to tell you what happened, when and what impact it may have on you. —Zack Whittaker

If “experience is merely the name men gave to their mistakes,” as Oscar Wilde puts it in The Picture of Dorian Gray, then the more we know about the threats we face and how we react to these threats, the better our chances are of keeping our data secure and our company’s name out of the headlines for all the wrong reasons. —Anastasios Arampatzis

Whenever a popular web interface gets any kind of significant visual change, a lot of people react with confusion, dismay, and even anger. —Angela Lashbrook

Microsoft is creating a new kind of Office document. Instead of Word, Excel, or PowerPoint, the company has created Lego blocks of Office content that live on the web. The tables, graphs, and lists that you typically find in Office documents are transforming into living, collaborative modules that exist outside of traditional documents. —Tom Warren

First of all, I’d like to discourage you from adding security gimmicks to your product. You are no more likely to come up with an exciting new security feature on your own than you are a miracle cure for the covid. Your sales and marketing people may get excited about the feature, and they may get the customer excited about it too, but the excitement won’t last.

Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion of modern devices to hackers. —Ravie Lakshmanan

Named Ramsay, ESET says this malware toolkit appears to have been designed with features to infect air-gapped computers, collect Word and other sensitive documents in a hidden storage container, and then wait for a possible exfiltration opportunity. —Catalin Cimpanu

Jay-Z isn’t happy. In fact, the 50-year-old rapper and father of three sounds like he’s flipping out in a way you’ve never heard before. You’d have to go back to Jay during his early-2000s feud with Nas to hear him anywhere close to this incensed. Only this time he’s not rapping. He’s ranting. —Luke Dormehl

In this final part of the series, I discuss why everyone should consider reviewing their OPSEC (Operations Security), not just those with something to hide.

Identity access management is the process of verifying information to identify a user. This information is used to authenticate the identity of an individual, and in the process of authentication, the user is given authorized access and to perform certain tasks or to access information. Access management is about what networks, systems, applications, and data that the identified user can access and control. —Steve Tipton