Controversial Reads 121022

Simply put, we have been right all along, and we now have the conflicting circuit court precedent to prove it. The Supreme Court needs to consider the Fourth Circuit’s arguments and address this split between circuits.

Do we let Big Tech have access to our private communications and free email accounts because it’s so easy? Once you’ve said yes — and who among us has not? — it’s not a stretch to think that Big Data already has almost all your information, so why get picky at the next juncture?

Internet infrastructure services—the heart of a secure and resilient internet where free speech and expression flows—should continue to focus their energy on making the web an essential resource for users and, with rare exceptions, avoid content policing.

Then Elon announced Apple, the most powerful company in the world, threatened to remove Twitter from the app store.

A California judge has cleared the way for a potentially massive class-action lawsuit against Google, which stands accused – again – of anticompetitive practices surrounding its Play store.

There is a growing trend in American culture of what the literary theorist Peter Brooks calls “storification.”

Targeted advertising’s days may be numbered. The Wall Street Journal and Reuters report that the European Data Protection Board has ruled that Meta cannot continue targeting ads based on users’ online activity without affirmative, opt-in consent.

The Council of the European Union this week adopted new language for regulations governing internet systems that may put the security of your browser at greater risk.

Since the dawn of digital marketing, people have been asked to provide their personal information in exchange for information online. This “information swap” is still a common digital tactic.

Weekend Reads 120922

In this article, I will explain how SSHFP DNS records can help mitigate such risks and share the results of our large-scale analysis.

A vulnerability in IBM Cloud databases for PostgreSQL could have allowed attackers to launch a supply chain attack on cloud customers by breaching internal IBM Cloud services and disrupting the hosted system’s internal image-building process.

Amazon Web Services has signaled that the future of cloud computing cannot rely alone on general-purpose chips with its new Graviton3E silicon, joining AMD and Intel in introducing specialized central processing units that are meant to perform certain applications faster and more efficiently.

A recent statement from Italy’s data protection authority, the Garante, opens a new chapter in the never-ending story of profiling cookies.

While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks.

Biometrics is supposed to be one of the underpinnings of a modern authentication system. But many biometric implementations (whether that be fingerprint scans or face recognition) can be wildly inaccurate, and the only universally positive thing to say about them is they’re better than nothing.

Geolocation providers usually focus on locating end user devices at the edge of the Internet. But what about the machines that make up the infrastructure in the middle?

There are certainly plenty of myths in the industry about OpenRAN, and today I hope to eradicate one of them: OpenRAN will be deployed anywhere and everywhere, including the busy city centres.

The SMO provides a central interface for application configuration and provisioning. It also automates both infrastructure management processes and the creation of new services through southbound APIs (O2-IMS & O2-DMS).

There is a common misconception that all problems have clear, straightforward solutions — as long as you look hard enough. While this is a bold and ambitious goal, it’s misguided when applied to cybersecurity.

How valuable is it to keep older solutions like this running? Well, organizations don’t enjoy running old legacy systems just for the pleasure of it, but they’re often forced to keep them running because it’s their only option, or at least the only cost-effective option available to them.

Securing critical infrastructure is complicated because of the vast network of facilities and management systems. Threats targeting this sector can have dire consequences, and when attacks do happen, they’re often accompanied by a media storm.

The European tech industry saw $400 billion in value wiped out this year and an 18% decline in venture capital funding, according to a report from venture capital firm Atomico.

Fondly referred to as “spinning rust” among some computer nerds, mechanical hard drives seem almost quaint compared to hyper-fast SSDs. Yet, the idea that mechanical hard drives are ready for the trash pile may be more than a little premature.

Conventional wisdom says that trying to attach system memory to the PCI-Express bus is a bad idea if you care at all about latency. The further the memory is from the CPU, the higher the latency gets, which is why memory DIMMs are usually crammed as close to the socket as possible.

Weekend Reads 120222

Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.

75% of lookalike domains are registered with unrelated third parties and target these companies.

China’s antitrust watchdog, the State Administration for Market Regulation (SAMR), has proposed a revision of the nation’s competition law that targets tech firms.

A new report claims that Meta’s tracking Pixel has been used to collect your financial information when using popular tax filing services to send in your return.

Did you know that a Magniber ransomware infection can cost you a ransom of as much as US$2,500?

New York State has banned a practice becoming more common in the crypto-mining industry – the rescuing and repurposing of mothballed fossil fuel plants to exclusively provide energy for mining digital currency.

DDoS attacks target certain networks, flooding them with unwanted traffic from many different sources and causing interruptions to online services for legitimate users.

John the Ripper (JtR) is a popular password-cracking tool. John supports many encryption technologies for Windows and Unix systems (Mac included).

While in the near future most devices in the car will be connected through zonal switches, cameras are the exception. They will continue to connect to processors over point-to-point protocol (P2PP) links using proprietary networking protocols such as low-voltage differential signaling (LVDS), Maxim’s GMSL or TI’s FPD-Link.

Before we start, let’s get one thing perfectly clear: The entire and only reason for writing reports like this one is to avoid repeating the same mistake—no more, no less. Assigning guilt, placing blame, exposing incompetence, or getting people fired is not CSRB’s job. It investigates; the rest of us act.

U.S. regulators have imposed a ban on electronic equipment created by several major Chinese tech corporations, citing national security concerns.

Controversial Reads 111922

So in terms of the daily lived experience of most people reading this, truly autonomous vehicles just aren’t going to happen.

When the federal government gets together with social media giants to censor critics of the government, is that free speech or censorship?

If you own an advanced Android phone, you may find that Google Assistant will interrupt conversations to offer its own “insights”. Google is also pursuing “prebunking” of what it considers “misinformation” with preemptive propaganda campaigns.

The outcomes of such a system are incentives to not be the new person on a team, to not ask questions, to not work on new and unfamiliar efforts, and to not work together at all generally. Those behaviors become embedded in an organization’s DNA, despite whatever is advertised publicly.

Today’s business headlines herald a harsh reality for Big Tech: tumult at Twitter; meltdown at Meta; atrophy at Alphabet; adjustments at Amazon. Layoffs, sliding stock and shrinking valuations are hallmarks of the moment.

To understand the sudden downfall of the now-collapsed crypto exchange FTX, you have to go back to the beginning.

Twitter was their home. Elon broke into their home. Then he kicked out their friends, and told everyone left to do their laundry.

Weekend Reads 111822

Internet users are being tricked into installing browser extensions that can hijack their web searches.

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

Silicon Valley startup Eliyan thinks its technology for enabling chiplet-based designs can best those from semiconductor giants Intel and TSMC by providing better performance, higher efficiency, fewer manufacturing issues, and more supply chain options.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

Qualcomm and Arm have been engaged in one of those very entertainingly bitter court fist-fights that the industry throws up when friends fall out over money.

Unbound 1.16.0 adds support for Extended DNS Errors (EDEs) as codified in RFC 8914.

I suspect this reflects a significant change in the economics of the sector. For the last 20 years, Silicon Valley has had the wind at its back thanks to rapid adoption of new technologies like the internet and smartphones. As a result, the industry fared better than the broader economy during and after the 2008 recession.

By playing unexpected moves outside of KataGo’s training set, a much weaker adversarial Go-playing program (that amateur humans can defeat) can trick KataGo into losing.

New research released this week reveals the process used by third party advertisers to target online users can be viewed or manipulated by online adversaries using only their target’s email address.

On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework.

This raises an important question: How do you take what is good about these patterns for creating innovation? Specifically, how do you apply open source principles and practices as appropriate? That’s what we’ve sought to accomplish with Red Hat Research.

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

That’s opened major questions about how these now-forever-roaming workers are connected to information resources and to each other.

A novel attack method has been disclosed against a crucial piece of technology called time-triggered ethernet (TTE) that’s used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft.

Weekend Reads 111122

User-first security must begin with an understanding of how people use computing technology. We have to ask: What is it that makes users vulnerable to hacking via email, messaging, social media, browsing, file sharing?

How does the industry effectively assess software security, enabling an approved list (allowlist) of software and libraries on distributed systems across multiple industries?

The COVID pandemic pushed a lot of school coursework to the internet, with an increased reliance on true/false and multiple-choice tests that can be taken online and graded quickly and conveniently.

Top chipmakers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development.

Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect.

Several models have been proposed to the Multi-State Information Sharing and Analysis Center (MS-ISAC) and other ISACs for a role in software assurance for supply chains using the Software Bill of Material (SBOM) information and associated digital signatures.

A lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Tests show that deploying malware in a persistent manner on load balancer firmware is within reach of less sophisticated attackers.

This fall, Microsoft claimed to have addressed anticompetitive cloud infrastructure complaints from a few smaller cloud services providers in Europe.

The findings suggest a loose but visible alignment between Russian government priorities and activities and ransomware attacks leading up to elections in the six countries.

Meta, formerly Facebook, once seemed an impenetrable fortress, but it’s now showing big cracks.

As a security researcher, common vulnerabilities and exposures (CVEs) are an issue for me — but not for the reason you might think.

That will be one of the reasons crypto has been plummeting for most of this year but recent events have intensified the sense of crisis.

Weekend Reads 110422

The recent rise of HTTP request smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.

Eternity typically keeps its activities on the down low—in the Dark Web. Still, we sought to determine if LilithBot and Eternity also engaged in dealings on the Surface Web.

The Financial Conduct Authority, the UK’s financial services regulator, has begun discussions with the aim of understanding the impact of Big Tech on industry competition.

You really shouldn’t be trying to manage your own passwords when high-performance graphics cards featuring GPUs as powerful as Nvidia’s GeForce RTX 4090 could be in use by hackers.

The U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization.

In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse.

Finding new ways to collect information about a network and limit the meta-data exposed to others is a constant struggle we see in research as this data can be used for both benign and malicious intentions.

BlackEnergy first appeared in 2007. Designed to launch distributed denial-of-service (DDoS) attacks or download customized spam or banking data-stealer plug-ins, it was again used to target the State Bar of Georgia last May.

Over the last two years, office workers of the world have gotten a tantalizing taste of either fully remote work or partially remote hybrid work. Many don’t want to go back to commuting to a workplace full-time, no matter the cost.

An issue with this approach is that it assumes the recommended resolvers offer improved protection versus the one currently being used. In reality, the existing resolver may support one or more encrypted DNS protocols and the connection may already be encrypted.

Comcast has a problem—it isn’t signing up many new broadband customers. But Comcast also has a solution—get more money from existing subscribers.

There are many opinions about encryption and its role in our society, and many of those opinions are contradictory. Still, the general public is largely unaware of the nuances of this issue, which can lead to confusion or misunderstanding about what encryption really is and why it is crucial to all internet users.

Most pressingly, there is a general lack of demand for 5G services from enterprises. This means that service providers, eager to place themselves at the head of the race to deliver 5G services, are struggling to sell the potential benefits to their customers.

LastPass today released findings from its fifth annual Psychology of Password findings, which revealed even with cybersecurity education on the rise, password hygiene has not improved.

Some room-temperature takes on yesterday’s not-quite-RCE vulnerabilities in OpenSSL 3.0, and on what there is to learn about safe cryptography engineering.

Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar clean-up bill stemming from the sprawling NotPetya ransomware attack in 2017.