Weekend Reads 092520

Cybercrime rewards innovative organizations. These can innovate at the tactical level (e.g. new or updated tactics, techniques, and procedures (TTP)), the strategic level (e.g. new monetisation methods), or at the operational level—the management of resources and personnel to achieve strategic objectives. This is operational art.

Enterprises cannot afford to ignore the threat posed by encrypted inbound network traffic. Adversaries now commonly use encrypted traffic flows to cloak cyberattacks, slipping malware, ransomware, and other malicious content past perimeter detection systems.

Major cloud services providers are about half as likely (46%) to experience a data breach compared with large enterprises, a new study suggests.

In short: The Trolley Problem is not the kind of a problem that is open to a solution. The Trolley Problem is not for solving, it’s for teaching—for stimulating, for illustrating, for provoking, for exposing predilections and contradictions. It’s a thought experiment. (Philosophy also performs thought experiments with zombies.) The point is not to work out the answer to a riddle; the point is to think about the implications of the circumstances. We open Pandora’s Box, but we don’t intend to catch the demons and stuff them back in; we let them fly around wreaking havoc because we intend to examine the damage.

One of the papers that particularly speaks to undergraduate CS teachers was by Jamie Gorson and Eleanor O’Rourke “Why do CS1 Students Think They’re Bad at Programming?: Investigating self-efficacy and self-assessment at three universities.”

According to the researchers, the protocols that both Android and iOS follow when linking up to another Bluetooth-powered device—like, say, a pair of speakers—can be effectively hijacked to give an attacker access to any bluetooth-powered app or service on the phone.

As Kubernetes group membership is handled externally to the API itself by an Identity Provider (IdP), the cluster administrator needs to interact with the Identity Provider administrator to set up those group memberships, making the workflow potentially cumbersome. Identity Providers may not provide group membership at all, forcing the cluster administrator to handle access on a per-user basis, i.e. Kubernetes RoleBindings containing the “full” list of allowed end-users.
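To make the two situations described above concrete, here is an added illustration (not from the linked article) of the same read-only access to pods in one namespace granted two ways: once as a per-user RoleBinding that must list every allowed end-user, and once bound to a group name that the IdP is assumed to emit in the token. The namespace `payments`, the role name, the user e-mails and the group `payments-readers` are made-up values for the example.

```yaml
# Constructed example: a read-only Role in the "payments" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Variant 1: the IdP provides no group claims, so the binding carries the
# "full" list of end-users. Every join/leave needs a change to this object.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-per-user
  namespace: payments
subjects:
  - kind: User
    name: alice@example.com      # hypothetical user
    apiGroup: rbac.authorization.k8s.io
  - kind: User
    name: bob@example.com        # hypothetical user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Variant 2: the IdP emits a groups claim, so membership is managed on the
# IdP side and the cluster only needs one binding to the group name.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-by-group
  namespace: payments
subjects:
  - kind: Group
    name: payments-readers       # hypothetical group name from the IdP
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

In the second variant the group name must match exactly what the API server receives from the configured authenticator (for OIDC this is the claim selected as the groups claim, optionally prefixed), which is why the cluster and IdP administrators have to agree on it out of band.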

For those of us involved in programming computers to play chess, it has been a great adventure. Our ACM annual tournaments began in 1970 — fifty years ago! — and were hosted year after year for a quarter century by the organization. They were terrific catalysts for progress in the field. They deserve major credit for the eventual 1997 defeat of the-then World Champion Garry Kasparov.

Estimating how much you are spending (or wasting) on a particular Kubernetes workload is hard. The good news is that there are some reasonable strategies for estimating how much a given workload costs.

Fraunhofer HHI, Europe’s largest research organization, recently announced a new video codec, H.266, or Versatile Video Coding (VVC). This represents a huge breakthrough in video compression technology and promises to reduce the size of transmitted video by 50%. This is big news for ISPs since video drives a large percentage of network traffic.

The network plays a crucial role in service experience and customer satisfaction. As such, how the network is designed and managed influences customer perception of several service experience metrics, including service fidelity or quality of experience, availability, time to value and of course, security.

If you are writing down “rules” and insisting that developers abide by them, it’s probably because your developers are continuously doing things you wish they wouldn’t. Usually, this isn’t because your developers don’t understand “the rules” and / or don’t like you—it’s because they know what the organization values, and those values are in conflict with your “rules,” and they’re trying to deliver that value.

In 2018, the US Trade Representative found that Chinese theft of American intellectual property (IP) costs between $225 billion and $600 billion annually. The FBI is investigating 1,000 cases of Chinese IP theft. The push for profit at all costs has resulted in lawsuits, damaged competitiveness, and if a company competes for federal government contracts — as Google and Amazon do — it can also be a matter of national security.

“Devastating.” That’s how Bishop Fox lead researcher Jake Miller described this new form of HTTP request smuggling — dubbed “h2c smuggling” — in a September blog post. H2c is established protocol shorthand for HTTP/2 initiated by an HTTP/1.1 Upgrade header sent over cleartext communication. The attack occurs when a hacker uses h2c to send requests to an intermediary server (known as a proxy server), which can then evade the server access controls.

It might seem prudent to choose a 4,096-bit Rivest–Shamir–Adleman (RSA) key over the typical 2,048-bit variety, especially when there is a need to protect information that is encrypted today for many years into the future. To explain why this decision is not so straightforward, we need to examine the function of the TLS certificate and the cryptographic operations used by TLS. Let’s dig in.