In the past, I have blended links of a more controversial nature about culture, technology, and governance into my weekend reads posts. There has been so much, however, on the situation with social media platforms blocking prominent people, and the Parler takedown, that it seemed worth setting aside an entire post containing some of the interesting things I’ve run across on these topics. I may, from time to time, gather up more controversial sets of reading into separate posts in the future, so people can skip (or read) them if they want to.
But then I think of this comment from a recent essay by Cory Doctorow: “The one entity Facebook will never, ever protect you from is Facebook.” We need to face quite clearly the fact that these recent events serve to consolidate the power of the tech giants—tech giants who quite literally have no principles to guide them other than self-interest, though they might occasionally discover reasons to act on our behalf.
Infrastructure companies much closer to the bottom of the technical “stack”—including Amazon Web Services (AWS), and Google’s Android and Apple’s iOS app stores—decided to cut off service not just to an individual but to an entire platform.
Twitter once touted itself as “the free speech wing of the free speech party” and rebuked Congress’ calls for it to ban terrorists, proclaiming that “the ability of users to share freely their views — including views that many people may disagree with or find abhorrent” — was its mission.
The digital market has matured over the last 20 years, and it is no longer an excuse for governments to do nothing with the aim to let new markets and innovations emerge without immediate regulatory oversight.
Late in 2019, Twitter CEO Jack Dorsey floated “Project Blue Sky,” a plan for an interoperable, federated, standardized Twitter that would let users (or toolsmiths who work on behalf of users) gain more control over their participation in the Twitter system.
Section 230 is not a gift to Big Tech, nor is repealing it a panacea for the problems Big Tech is causing—to the contrary, repealing it will only exacerbate those problems. The thing you hate is not 230. It’s lack of competition.
What should platforms like Facebook or YouTube do when users post speech that is technically legal, but widely abhorred? In the U.S. that has included things like the horrific video of the 2019 massacre in Christchurch. What about harder calls – like posts that some people see as anti-immigrant hate speech, and others see as important political discourse?
Laws regulating platforms can also regulate their users. Some laws may protect users, as privacy laws often do. Others, including many well-intentioned regulations of online content, can erode protections for users’ rights. If such laws are crafted poorly enough, they will violate the Constitution.
After a decade or so of the general sentiment being in favor of the internet and social media as a way to enable more speech and improve the marketplace of ideas, in the last few years the view has shifted dramatically—now it seems that almost no one is happy. Some feel that these platforms have become cesspools of trolling, bigotry, and hatred. Meanwhile, others feel that these platforms have become too aggressive in policing language and are systematically silencing or censoring certain viewpoints.
What happened was that the network platforms turned the originally decentralized worldwide web into an oligarchically organized and hierarchical public sphere from which they made money and to which they controlled access. That the original, superficially libertarian inclinations of these companies’ founders would rapidly crumble under political pressure from the left was also perfectly obvious.
I recently shared at a conference how a seasoned brand and fraud expert from one of the world’s largest global financial institutions lamented a major attack where multiple fraudulent websites would pop up every single day.
Every now and then we hear buzzing in the news about some egregious Big Tech privacy infringement. We are also frequently notified about all the new steps our apps are taking to further protect our privacy.
Few people would seriously dispute the advantages of a zero-trust security model, particularly in a fast-changing cloud environment with business being conducted by a dispersed workforce using a wide variety of devices. The question is how best to approach zero trust.
Silicon photonics has been proving its worth in telco and communications, but there is a much brighter opportunity in photonics-based computing. The energy efficiency and data movement potential is promising, especially for increasingly data-laden analytics and AI/ML applications, but the road to a diverse hardware ecosystem for compute is still long.
The designers of DNSSEC, as well as academic researchers, have separately considered the answer of “negative” responses — when the domain name doesn’t exist. In this case, as I’ll explain, responding with a signed “does not exist” is not the best design. This makes the non-existence case interesting from a cryptographer’s perspective as well.
Charter and other cable companies use hybrid fiber-coaxial (HFC) technology to deliver service to customers. This technology builds fiber to neighborhood nodes and then delivers services from the nodes using coaxial copper cables.
As yet another piece of malware has been uncovered in the attack on SolarWinds network management system software, there still remain several missing elements needed to draw a complete picture of the massive cyberattacks against major US government agencies and corporations, including security vendor and incident response expert FireEye.
DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and manipulation by malicious parties. Rather than an end-user device communicating with a DNS server over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is known, encrypts requests and responses using the same encryption websites rely on to send and receive HTTPS traffic.
NSEC5 is a result of research by cryptographers at Boston University and the Weizmann Institute. In this approach, which is still in an experimental stage, the endpoints are the outputs of a verifiable random function (VRF), a cryptographic primitive that has been gaining interest in recent years.
Artificial intelligence, machine learning, and data are inextricably linked. Yet common misconceptions persist. What is intelligence, and is machine intelligence the same as or better than human intelligence? What are implicit biases, and can we eliminate them from being programmed to either reinforce or hinder stereotypes, to guard against prejudice in AI?
Cybersecurity researchers have uncovered multiple vulnerabilities in Dnsmasq, a popular open-source software used for caching Domain Name System (DNS) responses, thereby potentially allowing an adversary to mount DNS cache poisoning attacks and remotely execute malicious code.
In December 2020, the industry was rocked by the disclosure of a complex supply chain attack against SolarWinds, Inc., a leading provider of network performance monitoring tools used by organizations of all sizes across the globe.
Engineering teams at Juniper have developed a broad set of 400G pluggable optics that support an extensive range of use cases for customers, including 500m and 2km single-mode fiber intra-data center interconnects. Juniper’s current 400G optics are based on PAM4 modulation technology that has been standardized in the IEEE 802.3 with some additional optical specifications provided by the 100G Lambda MSA.
or perhaps the Friday fifteen …
Injection of counterfeit electronics into the market is only a subset of vulnerabilities that exist in the global IC supply chain. Other types of attacks include trojans built into the circuitry, piracy of intellectual property, and reverse engineering.
2020 saw governments on three continents take action against the dominance of the biggest tech platforms, with a flurry of pro-competition rules, investigations and lawsuits. As exciting as this is, it’s just the beginning.
Defining and measuring programmer productivity is something of a great white whale in the software industry. It’s the basis of enormous investment, the value proposition of numerous startups, and one of the most difficult parts of an engineering manager or CTO’s job description.
On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured if he clicked on an included link. Instead of clicking, Mansoor sent the messages to the Canadian Citizen Lab researchers.
This switch to public resolvers is driven by the fact that they offer services beyond just resolving a DNS request, like malware filtering or privacy protections like DNS-over-HTTPS that aren’t offered by ISP resolvers.
But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
One of the software success stories of the COVID-19 pandemic era has been videoconferencing service Zoom. Despite already existing in a crowded field of both startups and mature competitors, Zoom became a household name for anyone stuck at home to avoid the coronavirus. But as Zoom boomed, so did Dark Web sales of zero-day vulnerabilities in its software.
These last three are in the political/policy realm, and hence may be a bit controversial.
The internet is in crisis, and you can lead your organization to help solve the problem. You’ll be well compensated, and you’ll enjoy massive public relations benefits. I fear that if you don’t, global governments will force your hand.
But if somebody had expected that the COVID-19 disaster would be a wake-up call for the world to be more united, work hand in hand, and pool resources to reduce the risks of a borderless threat, this “somebody” was wrong.
In response to ongoing cybersecurity events, the National Security Agency (NSA) released a Cybersecurity Advisory Thursday “Detecting Abuse of Authentication Mechanisms.” This advisory provides guidance to National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to detect and mitigate against malicious cyber actors who are manipulating trust in federated authentication environments to access protected data in the cloud.
Data analytics isn’t just for large organizations anymore. As businesses and community collectives increasingly move their operations into digital spaces, the vast amounts of data being collected pose an opportunity for them to get to know their stakeholders better.
In one of his most famous studies, 54 volunteers were served tomato soup. Half were served from normal bowls and half from “bottomless bowls” which had hidden tubes that imperceptibly refilled the bowls.
For all its breadth, depth, and skillful insertion via the supply chain, the latest hack of critical departments of the U.S. government—and of many leading corporations from around the world — should come as no surprise.
Let’s face it: most enterprises aren’t building their own Internet of Things (IoT) systems. Very few organizations have the scale to develop and deploy IoT devices of their own in their environments — the hardware tends to be specialized, most of the software doesn’t look like the stuff their corporate horde of Java developers use to write code, and there just isn’t enough value for risky projects like that to make sense.
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical vulnerabilities in a low-level TCP/IP software library developed by Treck that, if weaponized, could allow remote attackers to run arbitrary commands and mount denial-of-service (DoS) attacks.
The May 2017 WannaCry ransomware attack caused a great deal of damage across Europe and Asia, wreaking particular havoc with Britain’s National Health Service. The attack exploited a Microsoft Windows vulnerability that had been discovered and exploited by the U.S. National Security Agency.
Over the last few years, the idea of patching systems to correct flaws has graduated from an annoying business disruption to a top priority. With all of the notorious vulnerabilities that can wreak total havoc, the time it takes to patch becomes a minor inconvenience when weighed against both the technical challenges and possible regulatory penalties of not patching.
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.
On December 31, Flash died. Adobe stopped updates and now recommends you uninstall it. This end has been a long time coming—since June 2017, officially; unofficially, since April 2010, when Apple’s Steve Jobs announced that Flash would not run on the iPhone.
If you’re reading this, you might have read the juicy piece that Elle dropped this weekend chronicling how a former Bloomberg reporter torched her entire career after falling for the longtime subject of her reporting—professional-tool-turned-convicted-securities-fraudster Martin Shkreli. And if you know about that article, you probably know about The Ad.
Internet Society Chapters in Europe are warning the European Commission that its recent plea for Member States to help find ways to access encrypted communications could make millions of citizens and countries more vulnerable to harm and terrorism online.
Every Christmas season the Mozilla Foundation reviews a list of IoT devices that do not protect privacy. It seems like almost anything we buy today that includes electronics also connects to the Internet.
You have probably heard the saying: “If you are not paying for the product, you ARE the product”. Nowhere is this more acute than on the internet when our personal data is collected, analyzed and used to persuade us to buy products or ideas, many times without our explicit knowledge or permission.
Due to its growing popularity, identifying which addresses are anycasted and from where they are announced is becoming fundamentally important to provide a more accurate assessment of the Internet’s resilience.
Privacy plays an important part in the development of NLnet Labs products. For Unbound this manifests itself by being in the front line of the development of privacy preserving features like QNAME minimization, auth-zones, and DNS-over-TLS (DoT).
The 2020 (ISC)2 Cybersecurity Workforce Study looks at the effect of this transition to remote work and how organizations have fared. It also analyzes the impact of the pandemic and the resultant transition to remote work on cybersecurity professionals.
Our recent annual surveys found that racks with densities of 20 kW and higher are becoming a reality for many data centers (we asked about highest rack density) — but not to the degree forewarned. Year-over-year, most respondents said their highest density racks were in the 10-19 kW range, which is not enough to merit wholesale technical changes.
Domain spoofing is a very common form of a security breach wherein a cybercriminal tries to impersonate a company’s business email domain to carry out a range of malicious activities by forging the sender’s address.
Some widely sold D-Link VPN router models have been found vulnerable to three new high-risk security vulnerabilities, leaving millions of home and business networks open to cyberattacks—even if they are secured with a strong password.
One of these questions was posed first to DNS resolver operators in the middle of the last decade, and is now being brought to authoritative name server operators: “to encrypt or not to encrypt?” It’s a question that Verisign has been considering for some time as part of our commitment to security, stability and resiliency of our DNS operations and the surrounding DNS ecosystem.
Chances are, by now you have heard about the controversy surrounding TikTok, the popular social media video app. The controversy stems from allegations that TikTok complies with Chinese Communist Party’s request to provide user data for purposes of surveillance and intelligence gathering. And yes, that data is purported to include US user data.
Large-scale phishing attacks remain a key threat to Internet users and organizations, both due to the direct harm these attacks can cause, such as identity theft or account compromise, and other collateral damage, such as risks due to password reuse across services or simply the necessity of mitigations.
Cybersecurity researchers disclosed a dozen new flaws in multiple widely-used embedded TCP/IP stacks impacting millions of devices ranging from networking equipment and medical devices to industrial control systems that could be exploited by an attacker to take control of a vulnerable system.
In their report “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?,” for instance, Siemens and the Ponemon Institute found that 64% of respondents considered sophisticated attacks against the utilities sector a top challenge. Slightly less than that (54%) said that they expected an attack on CNI would occur in the next year.
The Open Platform Communications Unified Architecture (OPC UA) protocol is a prime candidate for secure future industrial communication. While the protocol’s security features are widely attested, it requires extensive configuration to achieve the promised security level.
You’ve probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you’re unfamiliar, a MITM vulnerability works by redirecting a victim’s legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim’s data before sending it to its intended destination.
The easiest way to understand the concept is with an example. Consider a passive optical fiber network where up to 32 homes share the same neighborhood fiber. In the most common GPON technology, the customers on one of these neighborhood nodes (called a PON) share a total of 2.4 gigabits of download data.
The push to develop and deploy applications faster has evolved from simply a goal for developers to a business-level priority that affects every organization’s bottom line. To meet this goal, companies have begun to de-silo development, operations, and security, moving toward a DevSecOps model to deliver
In a survey of 603 free and open source software (FOSS) contributors, the Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard University (LISH) discovered that the average FOSS developer only spent 2.3% of their time on improving the security of their code.
Chris Lewis joins EFF hosts Cindy Cohn and Danny O’Brien as they discuss how our access to knowledge is increasingly governed by click-wrap agreements that prevent users from ever owning things like books and music, and how this undermines the legal doctrine of “first sale” – which states that once you buy a copyrighted work, it’s yours to resell or give it away as you choose.
Exfiltration is the action of exporting sensitive data out of the network by connecting to an external destination and/or using covert channels. The latter is commonly used to exfiltrate information while remaining undetected, or to avoid any measure in place to stop the migration of data.
In our previous post we discussed the changes to the Registration Data Access Protocol (RDAP) architecture to scale to multiple cloud deployments to improve round-trip-times (RTT) by dynamically steering traffic to the Google Cloud Platform (GCP) Kubernetes cluster closest to the request.
In April 2020, APNIC announced the initial release of Registration Data Access Protocol (RDAP) to the cloud using the Google Cloud Platform (GCP) in the Sydney region. Today, we’d like to announce the expansion of this service to a multi-regional cloud deployment with the addition of new Google Kubernetes Engine (GKE) clusters hosting RDAP in Singapore and North Virginia.
Hey, did you get that sketchy email? You know, the one from that malicious hacker trying to fool us into clicking on some malware? Boy, these criminals are relentless. Wait, what? You clicked on it? Uh-oh.
A couple of vulnerabilities that a security researcher from China-based Singular Security Lab disclosed at this week’s Black Hat Europe 2020 virtual event has highlighted once again why it’s dangerous for organizations to underestimate the threat from old, overlooked bugs in commonly used software products.
If you live in a city where AT&T is the incumbent telephone company, the chances are high that the cable company is now a broadband monopoly. Unless some other ISP is building fiber, you no longer have a choice of broadband provider – it’s the cable company or nobody. When AT&T announced that it is no longer connecting DSL customers as of October 1, the company has fully ceded its historic telephone properties to its cable company competitors.
Amazon Web Services has begun designing its own rack-level uninterrupted power supply (UPS) units for its data centers, a move that will dramatically improve the power efficiency of its cloud computing operations, the company said this week.
Millions of Americans have spent this year working from home, and employers have realized just how smoothly things can get done when they trust their staff to work remotely. But for those fortunate enough to work from home, will COVID-19 have a lasting effect on how we do our jobs? Or will millions of commuters return to cities if and/or when vaccines are made available?
Consumers in the U.S. face an infuriating lack of transparency when it comes to purchasing broadband services. Bills are convoluted, featuring complex pricing schemes. Roughly 7 in 10 U.S. adults surveyed by Consumer Reports who have used a cable, internet, or phone service provider in the past two years said they experienced unexpected or hidden fees. Unsurprisingly, 96 percent of those who had experienced hidden fees found them annoying.
The first part of this report on the handling of large DNS responses looked at the behaviour of the DNS, and the interaction between recursive resolvers and authoritative name servers in particular and examined what happens when the DNS response is around the Internet’s de facto MTU size of 1,500 octets.
Figure 1 depicts measured last-mile queuing delay for two major ISPs, Comcast in the US (AS7922) and NTT OCN in Japan (AS4713). The x-axis shows the time of the day (UTC) and the y-axis is the median last-mile queuing delay in milliseconds.
Google used to have a simple motto: Don’t be evil. Now, with the firing of a data scientist whose job was to identify and mitigate the harm that the company’s technology could do, it has yet again demonstrated how far it has strayed from that laudable goal.
In one form or another, C has influenced the shape of almost every programming language developed since the 1980s. Some languages like C++, C#, and objective C are intended to be direct successors to the language, while other languages have merely adopted and adapted C’s syntax. A programmer conversant in Java, PHP, Ruby, Python or Perl will have little difficulty understanding simple C programs, and in that sense, C may be thought of almost as a lingua franca among programmers.
This is a rather oversized edition of the weekend reads… because I seem to have saved up a lot more links than usual.
There comes a time in every developer’s life (or daily routine, we’re not here to judge) where they have to go and fix a bug. Back in the days when I used to be a developer, I distinctly remember how each time I would go face to face with a bug, my favorite method to fix it was to add log lines. I mean, why not, right?
Cybersecurity researchers on Thursday disclosed details of a previously undiscovered in-memory Windows backdoor developed by a hacker-for-hire operation that can execute remotely malicious code and steal sensitive information from its targets in Asia, Europe, and the US.
The PC revolution started off life 35 years ago this week. Microsoft launched its first version of Windows on November 20th, 1985, to succeed MS-DOS. It was a huge milestone that paved the way for the modern versions of Windows we use today. While Windows 10 doesn’t look anything like Windows 1.0, it still has many of its original fundamentals like scroll bars, drop-down menus, icons, dialog boxes, and apps like Notepad and MS paint.
Cybersecurity may be far from many of our minds this year, and in light of a pandemic and catastrophic economic disruption, remembering to maintain our own personal privacy and security online isn’t necessarily a priority.
The Tor anonymity network has generated controversy almost constantly since its inception almost two decades ago. Supporters say it’s a vital service for protecting online privacy and circumventing censorship, particularly in countries with poor human rights records. Critics, meanwhile, argue that Tor shields criminals distributing child-abuse images, trafficking in illegal drugs, and engaging in other illicit activities.
Phishing websites rely on camouflage. They need to mimic the real websites as closely as possible, so they can trick people into providing their login information. But there are differences between genuine and fake websites, which can be used to detect them.
Juniper Threat Labs is seeing active attacks on Oracle WebLogic software using CVE-2020-14882. This vulnerability, if successfully exploited, allows unauthenticated remote code execution. As of this writing, we found 3,109 open Oracle WebLogic servers using Shodan.
Imagine someone hacking into an Amazon Alexa device using a laser beam and then doing some online shopping using that person’s account. This is a scenario presented by a group of researchers who are exploring why digital home assistants and other sensing systems that use sound commands to perform functions can be hacked by light.
Driven by PC gaming, pandemic upgrading and potentially cryptocurrency miners, GPU units hit a healthy 13.4-percent increase in sales over the previous quarter, respected graphics analyst firm Jon Peddie Research said in a report released Tuesday.
Let me be direct: We should be happy that this software, one of the worst ever to plague our lives from a security perspective, is going away, and at the same time, Flash was not a fluke. Security has come a long way, but the ecosystem that allowed Flash to become a software security serial killer still exists and is ready to let it happen again. This time, the stakes are infinitely higher.
The joys of researching and building computing systems are manifold and very individualized. They come at various stages of the whole process. The initial rush when you think you have the germ of a new idea. That rush is a tremendous rush, no matter how many times one has had it. The rumination of the idea adds to the joy … so it is not simply a momentary rush.
A pair of researchers will demonstrate at Black Hat Europe next week how they were able to bypass ML-based, next-generation anti-malware products. Unlike previous research that reverse-engineered the next-generation endpoint tool — such as Skylight’s bypass of Cylance’s endpoint product in 2018 — the researchers instead were able to cheat the so-called static analysis malware classifiers used in some next-gen anti-malware products without reverse engineering them.
Here’s the scenario: A state-sponsored attacker uses a zero day to breach the environment. This foothold lets him run previously unknown, fileless attacks originating from an exploited process. Fortunately, his evil plan is foiled by our next-generation, AI-powered security tool that detected and prevented it in nanoseconds!
In this post, we analyse the hardware that they use to connect to IXPs. We investigate 24 IXPs distributed across fifteen countries, from the EU, US, Africa and Brazil, which together interconnect more than six thousand IXP members. Our goal is to determine if there is market dominance by some of the hardware vendors among IXP members.
First introduced back in 2005, SP 800-53 has gone through five revisions since its initial release. The fourth revision, released in 2013, featured updated security controls and focused on topics such as insider threats, software security, mobile devices, supply chain security, and privacy. Revision four also gave us the now familiar “eighteen control families,” which have been adopted by numerous federal agencies as well as the private sector.
Over the years, cybercriminals have grown more sophisticated, adapting to changing business practices and diversifying their approaches in non-traditional ways. We have seen security threats continue to evolve in 2020, as many businesses have shifted to a work from home posture due to the COVID-19 pandemic. For example, the phenomenon of “Zoom-bombing” video meetings and online learning sessions had not been a widespread issue until, suddenly, it became one.
When I started writing about science decades ago, artificial intelligence seemed ascendant. IEEE Spectrum, the technology magazine for which I worked, produced a special issue on how AI would transform the world. I edited an article in which computer scientist Frederick Hayes-Roth predicted that AI would soon replace experts in law, medicine, finance and other professions.
Because of the fact that even when all RTR servers die simultaneously we still fail safely (falling back to NotFound), a common misconception is that the entire software stack is completely fail-safe and no harm can be done when some of it fails. Because of this, a network operator may arrive at the erroneous conclusion that neither redundancy nor monitoring is really required (or a priority). Unfortunately, this is not true and other failure scenarios in the software stack have to be considered.
According to last year’s Gartner forecast, public cloud services are anticipated to grow to $USD 266.4 billion by the end of this year, up from $USD 227.8 billion just a year ago. Clearly, cloud computing is making its way to cloud nine, (See what I did there?) leveraging the sweet fruits of being in the spotlight for a decade. However, the threats to public cloud security are growing at the same rate.
Often in technology, we assume that everyone else is as excited about our product as we are. This tends to be a problem across the board in the tech sector (and even amongst teams, like security and developers, or operations and developers).
Developer mistakes and indirect dependencies are the two main sources of vulnerabilities in open source software projects, which together are expected to cause the majority of security alerts in the next year, according to GitHub’s annual Octoverse report, published today.
Edsger Dijkstra’s 1988 paper “On the Cruelty of Really Teaching Computer Science” (in plain text form here) is one of the most well-cited papers on computer science (CS) education. It’s also wrong. A growing body of recent research explores the very topic that Dijkstra tried to warn us away from — how we learn and teach computer science with metaphor.
As convenient as their technology is, the emergence of such dominant corporations should ring alarm bells—not just because they hold so much economic power but also because they wield so much control over political communication.
But as we recognized in the 2019 Global Internet Report, trends of consolidation in the Internet economy, particularly at the application layer and in web services, have spurred concerns and public debates on the need to regulate Big Tech. Among the proposed measures by policymakers, academics, and other thought leaders across the world is for software services and systems to be legally required to provide interoperability or open interfaces.