Weekend Reads 081321


The US military’s AI experiments are growing particularly ambitious. The Drive reports that US Northern Command recently completed a string of tests for Global Information Dominance Experiments (GIDE) …


This whitepaper puts particular focus on cloud-native security controls offered by Amazon Web Services (AWS), one of the most common public cloud infrastructure providers used by organizations today. The controls in Network Security and Endpoint as well as Services Security can help security engineers to protect the AWS infrastructure and ensure that they function effectively.


People make up an important part of an organization’s security posture. That’s because some employees have the rights necessary for accessing sensitive data as well as the privileges for viewing and/or editing critical systems.


The more interesting and nerdy news is how Intel is achieving double bandwidth. It’s using Pulse Amplitude Modulation (PAM), which uses a combination of two numbers in the binary to transmit two bits of data in each cycle, unlike traditional transmission methods that only carry a single bit of data.


PolarProxy is a transparent TLS proxy that outputs decrypted TLS traffic as PCAP files. PolarProxy doesn’t interfere with the tunnelled data in any way, it simply takes the incoming TLS stream, decrypts it, re-encrypts it and forwards it to the destination.


Search engines, and more generally, information retrieval systems, play a central role in almost all of today’s technical stacks. Information retrieval started in the beginning of computer science.


But hyperlinks are a double-edged sword; for all of the internet’s boundlessness, what’s found on the Web can also be modified, moved, or entirely vanished.


Cybersecurity researchers on Wednesday disclosed 14 vulnerabilities affecting a commonly used TCP/IP stack used in millions of Operational Technology (OT) devices manufactured by no fewer than 200 vendors and deployed in manufacturing plants, power generation, water treatment, and critical infrastructure sectors.


By Warren Buffett’s logic, if cryptocurrencies are rat poison squared, non-fungible tokens are rat poison to an infinite power. But is that all there is to be said about them?


In this article, we will implement a Java based microservices solution with gRPC as the integration technology.


At the recent Intel Accelerated event, the company teased a road map through 2025. Instead of talking about specific products, Intel focused on different ways to make a processor. Now, a leaker may have pu


Networking equipment major Cisco has rolled out patches to address critical vulnerabilities impacting its Small Business VPN routers that could be abused by a remote attacker to execute arbitrary code and even cause a denial-of-service (DoS) condition.


Every time I ask an employee if they’ve enjoyed their one-on-one with a manager, the answer is unanimously “no.” And every time I ask a manager if they’ve enjoyed their one-on-one with an employee, the answer is unanimously “no, but I have to do it.”


The events of 2020 accelerated many organizations’ efforts to converge their information technology (IT) and operational technology (OT) environments. Now that they’re immersed in this journey, some organizations are finding that it’s not quite as smooth as they were expecting.


AMD has dominated the desktop crowd for the past few years. Both Newegg’s and Amazon’s best sellers lists are washed in a sea of red, with the recent Ryzen 5000 processors occupying nearly all of the top slots.

Weekend Reads 080621


M of N is how you carve up ownership of necessary information to use a cryptographic hardware security module (HSM) to ensure a process that is visible to the community.


Last November, the European Council published the resolution “Security through encryption and security despite encryption.” It stated that law enforcement “must be able to access data in a lawful and targeted manner,” and called on stakeholders to find “technical solutions” to provide law enforcement access to end-to-end encrypted communications.


Intel’s Data Center Group has just turned in the third best revenue quarter in its history, just behind the two thirteen-week periods that started off 2020, which was before the coronavirus pandemic had hit and just after it hit and the full effects were not seen as yet.


Logos play a significant role in whether or not we open an email and how we assess the importance of each message.


The unpleasant truth of the matter is that this will certainly not be the last time society is disrupted due to attackers targeting critical industrial control systems (ICS). The impact of such an attack is amplified by the growing reliance on automation and antiquated protocols throughout many OT networks.


Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals.


The fewer applications you’ve got on your laptop, the better—it means more room for the apps you actually use, less of a strain on your computer, and fewer potential security holes to worry about.


For at least a decade, privacy advocates dreamed of a universal, legally enforceable “do not track” setting. Now, at least in the most populous state in the US, that dream has become a reality. So why isn’t Apple—a company that increasingly uses privacy as a selling point—helping its customers take advantage of it?


Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday.


Forget the home office — 45% of American teleworkers regularly work from a couch, 38% regularly work from bed and 20% often work outside, according to a study by the home improvement marketing firm CraftJack.


All across the United States, the leaders at large tech companies like Apple, Google, and Facebook are engaged in a delicate dance with thousands of employees who have recently become convinced that physically commuting to an office every day is an empty and unacceptable demand from their employers.


A tractor. A refrigerator. A smartphone. A ventilator. They may not seem to have much in common, but in fact they all share increasingly high tech features. And when they break, they need fixing.


The main issue with Bitcoin is with its wallet, where your Bitcoin is stored. Cryptocurrency wallets are generally pseudonymous rather than anonymous.


The short version: It’s an upgrade on the standard SMS/MMS texting standards that smartphones have been using from the beginning. It brings better support for all the cool add-ons we’re used to in our messaging apps, like read receipts and images, and it adds some extra security layers too.


For enterprise users, it’s unsettling to constantly read that attackers have wiggled into our networks. Just recently, we found out that “80% of Microsoft email accounts used by employees in the four U.S. attorney offices in New York were breached,” according to the AP.

Weekend Reads 073021


One of the hottest areas of scientific research that peripherally will affect every tech industry is battery research. It seems like every year there are big breakthroughs in battery capability. Today I look at four of the recent announcements.


Tech companies have a long history of mishandling contacts, and the industry has been slow to give people more control.


However, ColdQuanta is betting that a modality that its founders and engineers have been working on for 15 years – cold atom – will establish itself as a method as quantum computing moves from a developing technology to an established global market.


Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that’s used by 12.7% of all websites on the internet.


The end-users of these platforms are not in control of their virtual presence; if anything, they are at the mercy of these platforms to a large extent.


Cyber hygiene and patching are key measures towards protecting data and systems. However, it’s not always possible or practical to patch when vulnerabilities and associated patches are announced. This problem gives rise to day one exploits.


Data-localization policies are spreading rapidly around the world. This measurably reduces trade, slows productivity, and increases prices for affected industries. Like-minded nations must work together to stem the tide and build an open, rules-based, and innovative digital economy.


DDR5 RAM is the next generation of system memory, and it’s just around the corner. It promises greater bandwidth, increased capacity, and lower power demands than existing DDR4, helping to make the most of not only modern CPUs but onboard graphics, too.


If the HPC and AI markets need anything right now, it is not more compute but rather more memory capacity at a very high bandwidth.


It comes with a screwdriver included in the box, and customizing, updating, and repairing of all kinds is highly encouraged. A piece of technology that doesn’t run out of steam in a couple of product cycles? Now, there’s a novel idea.


In 2019, Mozilla Corporation introduced its Trusted Recursive Resolver (TRR) program to complement the addition of support for DNS-over-HTTPS (DoH) by its Firefox browser.

Weekend Reads 072321


The next tech talent wars may be less about the free stuff, and more about the freedom to work from anywhere in the world. Those famously expensive Silicon Valley campuses that double as adult playgrounds, with their nap pods and herb gardens and bike-shares, are competing with a newfound love for the home office.


There are some features in any architecture that are essential, foundational, and non-negotiable. Right up to the moment that some clever architect shows us that this is not so.


Looking at the Resource Public Key Infrastructure (RPKI) landscape today, it is vastly different from two to three years ago. At the time, resource holders around the world had created a considerable amount of Route Origin Authorizations (ROAs), but actually using RPKI data to perform Route Origin Validation (ROV) was only done by a handful of networks.


A newly discovered breed of cyber assault is threatening corporate networks. Dubbed “FragAttacks” (Fragmentation and Aggregation Attacks) by Mathy Vanhoef, the researcher who discovered them, these security breaches are a subcategory of digital airborne attacks performed over Wi-Fi networks.


While there’s enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword. Cybercriminals and other threat actors can engage the same techniques or manipulate the automated systems businesses employ.


Most carriers don’t order 200,000 5G base stations, so they will pay more, but that’s the actual price for the joint procurement of China Telecom and China Unicom.


The seemingly endless battle against copyright infringement has caused plenty of collateral damage. But now that damage is reaching new levels, as copyright holders target providers of basic internet services. For example, Sony Music has persuaded a German court to order a Swiss domain name service (DNS) provider, Quad9, to block a site that simply indexes other sites suspected of copyright infringement.


Organizations report it’s becoming increasingly difficult to maintain the security of their Web applications and APIs with a patchwork of security tools and a rising wave of false positive alerts.


In most circumstances, I think it is bad practice for a vendor to do anything other than having patch and advisory publication synchronized. There may be exceptions to this, such as when a vulnerability is under active attack before a patch is available, but there are risks worth considering on either side of a synchronized release.


Why all this talk about an obscure game? Well, the game came to mind the other day as I was working my way through some security data trying to pinpoint a specific piece of information. The problem I had was that there are many signals (like the players looking the wrong way) that distracted from what I was looking for, and even when I started to zoom in on a general area, assessing the space was difficult.


For example, the crazy gyrations in bitcoin prices are ample evidence that financial markets are not efficient. Since bitcoins generate no income, their intrinsic value is zero, yet people have paid hundreds, thousands, and tens of thousands of dollars for bitcoins.


And one of the central tenets of that belief is that, given how many HPC and AI applications are bound by memory bandwidth – not compute capacity or even memory capacity – some form of extremely close, very high bandwidth memory would come to all manner of calculating chips: GPUs, CPUs, FPGAs, vector engines, whatever.


The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).


The RIPE NCC is very invested in Resource Public Key Infrastructure (RPKI) and runs a Trust Anchor (one of the root certificate authorities (CAs)). It also hosts a platform for maintaining Route Origin Authorizations (ROAs). The NCC also offers a publication server accessible over rsync and RRDP.


The way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software.

Weekend Reads 071621


Social media platforms like Instagram and Facebook have become key places for businesses to communicate with customers and even sell directly to consumers. Yet when it comes to actually making a purchase, do consumers trust a social media site over a domain?


Ransomware payouts are putting the squeeze on cyber-insurance companies and resulting in higher premiums for organizations that want protection against the threat.


Christopher Belfi was waiting tables in a lakeside resort near this Upstate New York town a decade ago when he got the career break he’d been waiting for — an invitation to work at a semiconductor factory.


Until we can solve the cybersecurity problem for the user at home, threats will remain a concern even for enterprises, with many having large numbers of work-from-home employees.


Prompted in part by devastating attacks such as those on SolarWinds Orion, Microsoft Exchange, and Colonial Pipeline, the White House issued an executive order on cybersecurity in May.


The InfiniBand interconnect emerged from the ashes of a fight about the future of server I/O at the end of the last millennium, and instead of becoming that generic I/O it became a low latency, high bandwidth interconnect used for high performance computing.


It is a microkernel operating system aimed primarily at midrange to high-end processors such as RISC-V with a memory management unit (MMU) and provides a competitive software platform for all industries in the embedded space.


Having your laptop stolen isn’t just stressful because you need to replace a pricey piece of hardware—it also poses a threat to your digital security. Fortunately, there are steps you can take to protect yourself both before and after your laptop goes missing.


Businesses in need of chips are taking supply-chain risks they wouldn’t have considered before, only to find that what they buy doesn’t work. Dubious sellers are buying ads on search engines to lure desperate buyers. Sales of X-ray machines that can detect fake parts have boomed.


In a nutshell, GDPR states that the personally identifiable information of EU citizens must be protected against disclosures, and there are laws in the US that require precisely such disclosures (FISA with its section 702 and the CLOUD Act).


The current discourse about AI and cybersecurity often confuses the different perspectives, as if the intersection of disciplines is monolithic and one-dimensional.


SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.

Controversial Reads 071021


According to the company’s market research, just about every demographic wants more data privacy: young, old, male, female, urban, rural. Public polling backs that up, though the results vary based on how the question is asked. One recent survey found that “93 percent of Americans would switch to a company that prioritizes data privacy if given the option.”


Once upon a very different internet era, law professor Tim Wu rose to intellectual prominence warning of the doom to come without “net neutrality,” a term he coined.


In a blog post on March 3, Google announced that it would be removing third-party cookies from its Chrome browser—a decision that would effectively end use of third-party cookies. Google also pledged to avoid any other technology for tracking individuals as they browse the web.


The $35 million contract given to SKDKnickerbocker was controversial. The state controller refused to pay it, pointing to the fact that there was no authorization in the budget for that spending.


The Judiciary Committee of the U.S. House of Representatives recently released a comprehensive series of bills designed to curb the excesses of Big Tech. One of them, the Platform Competition and Opportunity Act, addresses one of the biggest, most obvious problems among the largest tech companies: that they use their deep pockets to buy up services and companies which might have one day competed with them.


Work is one of the primary means by which we fulfill our true purpose: to glorify God, serve the common good and further God’s Kingdom. God reminds us of this on the seventh day of creation.


The robot revolution is always allegedly just around the corner. In the utopian vision, technology emancipates human labor from repetitive, mundane tasks, freeing us to be more productive and take on more fulfilling work.


In the competitive pursuit of speedrunning, gamers vie to complete a given video game as quickly as humanly possible.


For de Vesine, Google’s attempt to corral its employees after a year of remote work has been marked by indecision and backpedaling.


Today’s online consumer is drowning indeed — in the deluge of privacy policies, cookie pop-ups, and various web and app tracking permissions.

Weekend Reads 070921


A long-standing, generally accepted norm in the computing field distinguishes between software interfaces and implementations: Programmers should have to write their own implementing code, but they should be free to reimplement other developers’ program interfaces.


The traditional approach to statistical disclosure control (SDC) for privacy protection is utility-first. Since the 1970s, national statistical institutes have been using anonymization methods with heuristic parameter choice and suitable utility preservation properties to protect data before release.


Shared libraries encourage code reuse, promote consistency across teams, and ultimately improve product velocity and quality. But application developers are still left to choose the right libraries, figure out how to correctly configure them, and wire everything together.


When October 5 came, there was no vulnerability advisory being published and I still had not heard a CVSS or CVE for the issue, so I reached out again to their PSIRT who this time replied that the release had been postponed until October 14th now due to a delay in QA.


Organizations relying on traditional signature-based tools to detect security threats would likely have missed roughly three-quarters of malware samples that hit their networks and systems last quarter, a new analysis shows.


But as attacks have increased in scope and sophistication, so have we. Microsoft has a clear vision for how to help protect our customers now and in the future and we know our approach works.


Google has launched an updated version of Scorecards, its automated security tool that produces a “risk score” for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis.


Scammers are increasingly resourceful when coming up with scam techniques. But they often rely on long-standing persuasion techniques for the scam to work.


Now one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.


There was an outside chance that China might pull a surprise on the HPC community and launch the first true exascale system – meaning capable of more than 1 exaflops of peak theoretical 64-bit floating point performance if you want to be generous, and 1 exaflops sustained on the High Performance Linpack (HPL) benchmark if you don’t – but that didn’t happen. And so, we wait.


These days, it’s not a matter if your password will be breached but when. Major websites experience massive data breaches at an alarming rate.


When we talk about supporting a global Internet, it’s important to remember that the majority of the world does not speak English as a first language.


It’s well known that code is buggy; that’s why software updates for anything from apps to operating systems are now the norm. But if the public understands this, the courts have not followed suit.


A lack of transparency and accountability are, without a doubt, the most substantial supply chain-specific security threats to the United States. These threats lead to underinformed end users and inequitable distribution of risk in global technology value chains.