|There are great benefits to connectedness, but we haven't wrapped our minds around the costs.|
|| 9:45 am EST, Nov 1, 2015
Paul F. Roberts:
New functionality means new code, and new code invariably means vulnerabilities, explains Mark Litchfield. But, just as often, it is legacy code that is rife with exploitable holes. And for researchers working on bounty programs, holes mean money.
Seaborn and Dullien (2015) forcefully illustrated that what is normally a reliability issue can become a security issue very fast.
CyberX says it has used an "innovative technique" to identify and exploit the vulnerabilities in MicroLogix PLCs. Researchers developed a piece of firmware that uses a special algorithm for searching the firmware code and mapping potentially vulnerable functions. The firmware is uploaded to a test device by bypassing a security mechanism for firmware validation, allowing experts to easily develop working exploits that can later be used against equipment that hasn't been tampered with.
|| 9:44 am EST, Nov 1, 2015
The privacy tug-of-war between individuals and organizations has become a tug with no war.
ACR software recognizes the video being displayed, matches it up and phones home the data. According to Vizio, its Inscape platform can pull some 100 billion anonymized datapoints from 8 million of its connected TVs every day.
Nearly all the players exploring the burgeoning Telecom Data as a Service field, or TDaaS for short, are reluctant to provide the details of their operations, much less freely name their clients.
But the rewards may outweigh the possible tangles with government regulators, consumer advocates and even squeamish board members.
Unlike other types of location tracking, such as beacon technologies that work only with mobile apps that people have agreed to let track them, many services employing telco data require no explicit opt-ins by consumers. Companies like SAP instead rely on carriers' terms and conditions with their subscribers, calling acceptance of the terms equivalent to opting in.
|| 5:51 am EDT, Oct 30, 2015
If scientists at NASA's Jet Propulsion Laboratory in Pasadena are correct, a moderately sized earthquake is expected within the next two-and-a-half years.
Their [simulation] results produced a shocking 99-percent chance of a magnitude 5.0 or greater in Los Angeles within three years.
Life is full of risk. [And] the fear-industrial complex continues to dominate national priorities.
When people say 'Roach, I can't believe you're a prepper', I reply with, 'I can't believe you aren't'. It's important we don't underestimate how quickly things could turn sour.
Former FBI assistant director Thomas Fuentes:
Keep Fear Alive. Keep it alive.
We need to consider two questions about the rationality of this mindset: the first concerns the process of arriving at it; the second concerns the consequences of adopting it.
The only way to reason with an illusion is to stop believing it.
|| 5:48 am EDT, Oct 30, 2015
Adriel Desautels told us that, in 2015, [Netragard's] average time for initial penetration of infrastructure -- without the use of zero-days -- was "about an hour." In 2014, however, it was just "four minutes."
Sean Michael Kerner:
What Synack does is bring together top security researchers from around the world and provide a platform that pays those researchers for bugs they find in an enterprise's Web and mobile applications as well as infrastructure components.
The data under scrutiny is, as usual, the data that can be gathered. Unfortunately the data that can't be gathered is where the insight into what is happening may lie.
The key is not to think outside the box, but to think without the box.
Ideas don't always carry the day.
While poorly trained algorithms can lead to poor outcomes, the same is true of poorly trained humans.
|| 5:46 am EDT, Oct 30, 2015
It is unclear how an insurer should interpret the responses [to a cyber security questionnaire]. While most people would agree that having a firewall or proper network access control is better than not having a firewall and no access control, it is unclear how an underwriter would interpret and operationalize the answers to these questions.
While our processes and approach are based on the industry best practices that we helped create, we have immediately put in place additional processes and technical controls to eliminate the possibility of human error.
The vast majority of vulnerabilities are exploited within days of them becoming known.
Malicious actors began exploiting a patched critical vulnerability found in Joomla -- a popular open-source content management system -- just four hours after its details were disclosed. For popular sites, webmasters likely only have a couple of hours, from disclosure to attack, making it critical for them to react fast.
||the future you didn't know you wanted
|| 5:44 am EDT, Oct 30, 2015
What I really like doing is what I call Import and Export. I like taking ideas from one place and putting them into another place and seeing what happens when you do that.
It's not where you take things from -- it's where you take them to.
A one-word intention -- "Cake" -- could lead to a thousand rabbit holes; a wordless traversal of everything you've ever hoped for. Emerging from the lucid dream of visual search, you see a gridded still life symbolizing the future you didn't know you wanted.
More than just affording us serial opportunities to try to pin down the meanings of things, Pinterest invites us to view all the images the internet offers as advertisements. We are asked to scrutinize them for the bundle of affects they might contain, and then to perform the work that will liberate those qualities and allow them to circulate more freely as detached signifieds. It permits us to let an accumulative, shopping mentality govern everything we do online.
The magazine will feature visual artists, with their work dotted through the pages, in part because research revealed that younger people are drawn to art.
|| 9:13 pm EDT, Oct 28, 2015
CISOs and other security leaders are asking, "How do I assess the real security risks to my company? How can I best communicate that risk to the broader organization and manage expectations? Even if I succeed at that, do I have the skills, resources and tools for success?" These are all important questions.
The administration should develop the capability to take asymmetric actions that target adversary core interests, but in a way that leverages our strengths against their weaknesses.
We are not where we need to be in terms of federal cybersecurity.
The ultimate Russian hack on the United States could involve severing the fiber-optic cables at some of their hardest-to-access locations ... where the cables are hard to monitor and breaks are hard to find and repair.
There's good evidence that people are playing serious malicious games with the routing table.
The only way to win the game is simply not to play.
||11:15 pm EDT, Oct 27, 2015
If you can frame the narrative, you win.
David A. Ochmanek:
China has been increasing its defense spending at double-digit rates, fielding an impressive array of modern weapons and conducting a more assertive regional strategy.
America's Finest News Source:
Despite devoting countless resources toward rectifying the issue, Chinese government officials announced Monday that the country has struggled to recruit hackers fast enough to keep pace with vulnerabilities in US security systems.
The United States is currently in a deep deterrence hole with respect to China in the cyber domain ...
We need to take the gloves off on "active defense" ...
Martin Libicki, Lillian Ablon, and Tim Webb:
The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm.
|| 8:57 pm EDT, Oct 26, 2015
The urge to enrich the Database of Intentions is irresistible.
We need to make sure that the data and algorithms are continuously reviewed and vetted by a broad class of people. Think of representative democracy, forging algorithms rather than laws.
People are pawns in a process. We ride rather than drive the innovation wave. Technology will find its inventors, rather than vice versa. Short of bumping off half the population, there is little that we can do to stop it from happening, and even that might not work.
The new welfare state built by Silicon Valley is not built to advance the welfare of citizens -- it's built to freeride on the activities of citizens in order to advance the welfare of corporations. The citizens might, of course, get relatively useful services but those pale in comparison to the benefits harvested by technology companies, which, in addition to the lucrative procurement contracts with governments and cities, also get to rip the data generated by the users.
Whatever you need me to be, I'll be that.
||the necessary work of wooing
||11:26 am EDT, Oct 25, 2015
I believe the huge sums of unlimited and often secret money pouring into our politics is a fundamental threat to our democracy. And I really mean that. I think it's a fundamental threat.
Joe Biden's dilemma is that he seemed to want to be the nominee of his party without having to do the necessary work of wooing the partisans that dominate the process.
Moe: You gotta ... think hard, and come up with a slogan that appeals to all the lazy slobs out there.
Homer: Can't someone else do it?
The center is dead in American politics. The candidates who thrive are the ones who understand that wooing and taming party partisans is the only path to victory.
Donald Trump has made his independence from wealthy donors a hallmark of his campaign and has said he does not know anything about the super PACs claiming to back him.
We have confirmed that there is spooky action at a distance.