Saving Science



“I believe one of the greatest dangers in modern society is the possible resurgence and expansion of the ideas of thought control; such ideas as Hitler had, and Stalin in his time, or in the Catholic religion in the Middle Ages...”

“I think that one of the greatest dangers is that this shall increase until it encompasses all of the world.”

These prophetic words were spoken by Richard P. Feynman at the Galileo Institute in 1964. Feynman, a Nobel prize-winning physicist, was noted for his seminal work in quantum mechanics and particle physics. The freedoms he was defending in that 1964 talk have probably never been more under siege than they are today.

Science, scientists, and evidence-based policymaking are under attack. Budget cuts, censorship of researchers, disappearing datasets, and threats to dismantle government agencies harm us all, putting our health, food, air, water, climate, and jobs at risk. It is time for people who support science to take a public stand and be counted.

People who value science have remained silent for far too long in the face of policies that ignore scientific evidence and endanger both human life and the future of our world. New policies threaten to further restrict scientists’ ability to research and communicate their findings.

The March For Science is the first step of a global movement to defend the vital role science plays in our health, safety, economies, and government. We face a possible future where people not only ignore scientific evidence, but seek to eliminate it entirely.

Staying silent is a luxury that we can no longer afford.  We must stand together and support science.


Google (Waymo) technology misappropriation claim against Uber

If you are intrigued by technology ‘whodunits’, there is an epic drama unfolding over alleged misappropriation of self-driving vehicle technology. Waymo, the self-driving vehicle unit of Google parent Alphabet, has filed a legal complaint against Uber Technologies for trade secret misappropriation. This action could have a crippling impact on Uber’s future business in self-driving cars if it ends in permanent injunctive relief.

It would seem that Uber is fielding a technology solution strikingly similar to that developed by Waymo. Although I am not an expert in intellectual property law, I do have some background in technology IP ‘conflicts’. Based on that, determining whether these two technologies were in fact developed separately, and are similar only coincidentally, should be a fairly straightforward process; presumably those details will come out in discovery.

The design of a complex, multi-domain system consisting of hardware, software, sensors, etc. takes considerable time and involves hundreds of engineers from multiple disciplines. It leaves behind thousands of engineering artifacts, from concept through design, development, and manufacture. The existence (or absence) of a record of that effort, and of the derivative artifacts, should be compelling evidence of what was invented, when, and by whom.

In any case, this will be a fascinating story as it unfolds.

For more details, see Daniel Compton’s blog. He presents a great assessment and timeline about the run-up to the legal filing.


Ominous Trend in Cyberattacks by Foreign Powers

There has been a dangerous escalation over the last several years in the impact of cyberattacks attributed to foreign state actors and their proxies. These actors are termed Advanced Persistent Threats (APTs): highly competent, well-funded and organized groups with the discipline to spend months or years laying groundwork before an eventual attack.

APTs were identified over a decade ago, and their traditional targets have been government entities and defense contractors; the notable recent example is the breach of the United States Office of Personnel Management (OPM), attributed to China. Many assumed APTs to be an ‘espionage problem’ (unless of course you were among the >20M current and former government employees whose personal information was exfiltrated in that breach), and not a direct threat to private citizens or businesses.

The Sony Pictures breach, attributed to North Korea, was among the first APT intrusions where, in addition to destructive malware that wiped the company’s computers, entertainment media, corporate emails, and operating data were made available to anyone with an internet connection.

The more recent ‘hack’ of the Democratic National Committee, attributed to Russian state actors, upped the ante: email was exfiltrated and subsequently made public through an intermediary, WikiLeaks. Manipulation of a US presidential election was the presumed objective; an ominous raising of the stakes.

A still more recent and disturbing breach is the theft and publication of exploit tools alleged to have been developed by the NSA. These ‘tools’ are essentially ‘kits’ that can be downloaded and deployed by amateurs with rudimentary computer skills. Although the newest of them date from around 2013, they remain very sophisticated and included zero-day exploits (exploits for vulnerabilities unknown even to the authors of the affected software, and therefore unpatched). They are being offered on the ‘dark web’, some for ‘free’ and others for a nominal price.

The most frightening aspect is this: NSA-grade exploits were exfiltrated by a foreign power, and made available indiscriminately to criminals or others with malevolent intentions for a price. This is the internet equivalent of equipping amateur thieves with weapons-of-mass-destruction.

These are extraordinary developments that have the potential to equip more criminals with an upgraded capability to wreak havoc.


Those ‘verification codes’ (for two-factor authentication) sent to your mobile phone via text messaging are vulnerable...

There are known weaknesses in mobile phone networks (notably in the SS7 signalling protocol carriers use among themselves) that enable eavesdropping on voice and SMS (text) communications. What has changed: NIST has issued a DRAFT publication that now explicitly warns of this (NIST SP 800-63B, in the section on out-of-band verifiers, which deprecates SMS as an out-of-band channel). Also, an ‘exploit kit’ is available on the ‘dark web’ for a few hundred dollars that lets an attacker with minimal technical skill intercept your phone’s traffic (the BBC did a good piece with a layman’s description of how this works). Consequently, two-factor authentication that delivers ‘verification codes’ by text should not be considered secure: an attacker who has your password and can read your SMS has both factors.
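The alternative SP 800-63B still permits is a code generated on the device itself (an RFC 6238 TOTP authenticator app), which never touches the carrier network. The following is an added example, not code from the original post or from NIST: an RFC 4226/6238 HOTP/TOTP implementation together with a server-side verifier that does the three things a practitioner wants: tolerates a little clock skew, compares in constant time, and refuses to accept a code for a time step it has already accepted, so a code that was observed in transit cannot be replayed. The class and function names are this example's own; `RFC_TEST_KEY` is the published test key from the RFCs.

```python
# Added example (not from the original post or from NIST): RFC 4226 HOTP,
# RFC 6238 TOTP, and a replay-resistant server-side verifier.
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / step)."""
    return hotp(key, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server-side verifier (hypothetical name). Accepts codes within +/- `skew`
    time steps of the server clock, compares in constant time, and never accepts
    the same (or an older) time step twice, so an intercepted code cannot be
    replayed once the legitimate user has logged in with it."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # highest time-step counter accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = int(unix_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue  # already used, or older than a step already used
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


# The 20-byte ASCII test key shared by RFC 4226 and RFC 6238 (Appendix B),
# included here so the functions can be checked against the RFC tables.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59, digits=8))  # RFC 6238 table, SHA-1, T=59
    v = TotpVerifier(RFC_TEST_KEY, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))  # accepted once, then rejected
```

Note that the verifier's replay guard is deliberately strict: once a code for step N+1 has been accepted (client clock slightly ahead), a code for step N is refused even though it is still inside the skew window. That is the right trade-off for a second factor; the user simply waits for the next code.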


Cyber Risk – where to begin for small & mid-size firms

Visiongain estimates the 2015 worldwide spend on cybersecurity solutions at $75.4B. Gartner projects that spend to exceed $100B in 2018. Despite the continuing investment there is no evidence that a precipitous drop in the number of cyber incidents, or in the economic loss per incident, will accompany that spend. There will be exceptions, specifically large corporations, notably those in financial services. Expect to see improvement there, based on the sheer size of their investments and their ability to deploy highly sophisticated cybersecurity infrastructure. Cyber risk for a financial services firm is not simply an operational risk; its existence depends on maintaining the information security tenets of confidentiality, integrity, and availability, and the emerging requirements around information attributes of custody, privacy, sensitivity, and acceptable use.

The challenge is more acute for industries that are relatively new at deploying information technology in an environment where their intellectual property and value are increasingly in digital form. Unlike the financial services industry, where cybersecurity is a required core competency, it is less intuitive to newcomers to digital transformation, and especially to small and medium-size firms. Determining what constitutes an adequate information security strategy is elusive. Compounding this challenge are the following dynamics.

Cybersecurity Market Immaturity: A review of the recent RSA Conference, an annual gathering of ~30,000 cybersecurity professionals convened in San Francisco, shows all the signs of an early technology market. Approximately four hundred exhibitors featured products and/or services in ~one hundred different categories of information security. Even for cybersecurity practitioners, this is a mind-numbing universe of solutions addressing a wide array of challenges. Small and medium-size enterprises without a ‘deep bench’ of information security professionals struggle to comprehend this collection of technology. Prioritization (which assets to protect, which threats to address, and what technology to apply) is overwhelming to many outside the core cybersecurity profession. The industry is also characterized by active merger and acquisition activity. Many of the exhibitors at the RSA Conference will survive only as part of an acquisition or merger, not because of deficiencies in their technology, but for reasons such as an inability to fund growth in sales or marketing.

Rate of Technological Change: Compounding the complexity of an ‘early market’ in information security solutions are advances in the computing environment that could be described as no less than ‘revolutionary’. VMware’s CEO Pat Gelsinger demonstrated some of this capability on stage at RSA. New microarchitectures change how workloads are deployed, through virtualization and containers. Software-defined network architectures carry security risks, but also offer opportunities to further secure information assets. The concept of embedding software-based security within application workloads that can be dynamically established and torn down challenges the very notion of an identifiable perimeter that must be defended. Traditional hardware-based network security will be further challenged. Consider inline intrusion prevention, which becomes less practical with the migration from 10GbE to 100GbE networks: there is an order-of-magnitude reduction in the time window between frames, leaving little time to analyze each packet. Here one technology undermines the utility of another. Also consider the proliferation of endpoints, through which new exposures and threats will evolve. In an ‘IoT’ future, many of these endpoints will stream media-rich content (audio, video) and, in industrial applications, will require real-time and high-integrity services; all areas where vulnerabilities and exposures may occur.

Organizational Factors: The gap between demand and supply of cybersecurity professionals is well known, as discussed in this recent Forbes article. My belief is that organizational role definitions exacerbate this shortage by treating information security as a ‘bolt-on’ responsibility to traditional IT functions (e.g. network administration). There may be validity to this in some cases, but it causes a severe shortage of viable candidates. Organizationally (particularly in smaller enterprises that perceive economies of scale), cybersecurity operations are traditionally part of the information technology organization. This creates the ‘role scope’ problem just mentioned, but also creates an environment where budget and investment decisions for information security are arbitrated against IT infrastructure spend. This is sub-optimal risk management. IT organizations are thrust into the realm of risk management, making investment decisions with which they may be wholly unfamiliar. There are similarities between the two functions (e.g. Business Continuity and Disaster Recovery), but risk and compliance exposures outweigh that overlap. The financial, reputational, and regulatory consequences of exposing Personally Identifiable Information (PII), personal health records (governed by HIPAA), or payment card data can cripple an enterprise.

Conclusion: There are no silver bullets, but there are steps responsible executives can take to find order in this complexity and implement a baseline of effective cybersecurity policies. The fundamental objectives should be an understanding of your enterprise’s specific cyber risk exposure and the management of that risk accordingly. Some good news: the most commonly used threat vectors are well understood, and many of them can be mitigated through controls that are relatively straightforward. There are frameworks and other tools that lay out the elements of a cybersecurity program, such as the NIST Cybersecurity Framework; the Critical Security Controls from the Center for Internet Security are a useful, prioritized overview of controls. These frameworks and tools, implemented by knowledgeable cybersecurity professionals, can form the basis of a comprehensive information security management program.

The competitive disadvantage that comes with smaller scale, or with being a new participant in the digital economy, cannot be erased. However, clearly identifying the risks specific to your environment and managing them accordingly is an effective risk management strategy.

Don Guiou


Economic Implications of CISA and Sovereign Data Privacy

The European Union Data Protection Directive governs how personal information of EU citizens is collected, used, and retained. It prohibits the transfer of personal information to countries outside the EU that do not have comparable standards and policies in place.

A ‘Safe Harbor’ agreement was negotiated between the US Department of Commerce and the EU to make it easier for US companies to comply with the Directive.

In October of this year, in Maximillian Schrems v Data Protection Commissioner, a case brought before the Court of Justice of the European Union (against a background of general angst in the EU over NSA ‘wire-tapping’), Safe Harbor was struck down.

This was a bombshell for information technology firms that promote ‘data without borders’; i.e., the ability to store, and seamlessly access, corporate data that includes personal information across the enterprise, wherever it may be.

Amazon Web Services and Microsoft Azure lost no time in announcing plans for new data centers in the EU to address this. Fortune reports that Microsoft went so far as to vest custodianship of its encryption keys with its partner Deutsche Telekom. It has opened opportunities for smaller, more nimble service providers that can ‘stand up’ infrastructure ‘in country’; IntraLinks and Syncplicity are two such companies that deliver technology addressing compliance issues related to sovereign personal information.

The strike-down of Safe Harbor reflects growing distrust of US-based data custodians. It is not unreasonable to speculate on the economic consequences of ill-informed actions taken by legislators in the name of national security, as you can read in “Ferocious Opposition Not Enough To Stop CISA”.

In a letter to President Obama on July 27, 2015, forty organizations and thirty individuals explain how CISA will actually make us less safe. Read here.


The Unintended Consequences of Encryption ‘Backdoors’

For those vested in the integrity of web commerce, there is a must read blog post by Matthew Green, a cryptographer and professor at Johns Hopkins University:

If you are too busy, at least read my summary.

Juniper Networks recently posted a security advisory enumerating two separate CVEs (Common Vulnerabilities and Exposures identifiers), CVE-2015-7755 and CVE-2015-7756, both catalogued in the National Vulnerability Database (NVD), the US government repository of publicly known software vulnerabilities maintained by NIST.

These CVEs describe flaws in ScreenOS, the firmware of Juniper’s NetScreen/Secure Services Gateway (SSG) devices (the SSG 50 and SSG 5xx models among them). These devices provide ‘firewall’ and VPN gateway services. NVD scores each CVE for severity using CVSS; CVE-2015-7755, an authentication flaw, carries a base score of 10.0 (CRITICAL).

Despite the single advisory, the two are different flaws. CVE-2015-7755 is an administrative backdoor: a hard-coded password that the device’s SSH and Telnet login accepts alongside any valid username, so anyone who can reach the management interface can log in. CVE-2015-7756 is the one Green’s post is about. ScreenOS generates its random numbers with Dual_EC_DRBG, a NIST-standardized generator built on Elliptic Curve Cryptography that has long been suspected of carrying an NSA trapdoor: the generator is defined by two fixed curve points, P and Q, and whoever knows the secret relationship between them can recover the generator’s internal state from a single block of its output and predict everything it produces afterwards. Someone replaced Juniper’s Q with a Q of their own choosing. That is the ‘backdoor on the backdoor’: whoever holds the matching secret can recover the state that fed the VPN key negotiation, derive the session keys, and read traffic the users believe to be encrypted in plaintext.

This illustrates how requests by ‘three-letter’ federal agencies (to provide encryption keys and/or add backdoors), if implemented, can introduce yet more dangerous vulnerabilities: a trapdoor built for one party is a trapdoor for whoever manages to swap in their own key.
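To make the trapdoor concrete, here is an added example, not code from Green’s post, from Juniper, or from ScreenOS: a pure-Python toy of the Dual_EC_DRBG output function on NIST P-256 (the real generator’s curve, with P equal to the standard base point) and the state-recovery attack available to whoever chose Q. The attacker picks a secret d and publishes Q such that d·Q = P; from one truncated output they lift the point R = s·Q back onto the curve, compute d·R = s·P, and the x-coordinate of that is the generator’s next state. The function names and `demo` are this example’s own. The standard discards the top 16 bits of each output, so the attacker tries 2^16 candidates; that takes seconds in C but minutes in this unoptimized Python, so `demo` discards only 6 bits.

```python
# Added example (not from Green's post or from Juniper's ScreenOS code): a
# pure-Python toy of the Dual_EC_DRBG output function on NIST P-256 and the
# state-recovery attack that whoever chose Q gets for free.
import secrets

# NIST P-256: y^2 = x^3 - 3x + b over GF(p); G is the standard base point, n its order.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(A, B):
    """Affine point addition on P-256; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A (a toy: not constant time)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def is_on_curve(A):
    x, y = A
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none.
    p = 3 (mod 4), so rhs^((p+1)/4) is a square root of rhs whenever one exists."""
    rhs = (x * x * x - 3 * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)
    return (x, y) if (y * y) % P256_P == rhs else None


def dual_ec_step(state, Q, trunc_bits=16):
    """One Dual_EC_DRBG block with P = G: new state s' = x(s*P), output r = x(s'*Q)
    with the top trunc_bits bits discarded (SP 800-90A discards 16 of 256)."""
    new_state = ec_mul(state, G)[0]
    r = ec_mul(new_state, Q)[0]
    return new_state, r & ((1 << (256 - trunc_bits)) - 1)


def make_trapdoor_q():
    """Attacker-chosen Q with a secret d such that d*Q = P (= G)."""
    d = secrets.randbelow(P256_N - 1) + 1
    Q = ec_mul(pow(d, -1, P256_N), G)
    return d, Q


def recover_state(out1, out2, Q, d, trunc_bits=16):
    """Given two consecutive outputs and the trapdoor d, recover the internal
    state that produced out2 (and therefore every output after it)."""
    mask = (1 << (256 - trunc_bits)) - 1
    for hi in range(1 << trunc_bits):           # guess the discarded top bits
        R = lift_x((hi << (256 - trunc_bits)) | out1)
        if R is None:                            # about half the guesses are not x-coordinates
            continue
        # R = +/- s*Q, so d*R = +/- s*P, whose x-coordinate is the next state.
        candidate = ec_mul(d, R)[0]
        if ec_mul(candidate, Q)[0] & mask == out2:
            return candidate
    return None


def demo(trunc_bits=6):
    """Run the generator for three blocks, recover its state from the first two
    outputs using d, and return True if the third output was predicted exactly."""
    d, Q = make_trapdoor_q()
    seed = secrets.randbelow(P256_N - 1) + 1     # the victim's secret seed; never shown to the attacker
    s1, out1 = dual_ec_step(seed, Q, trunc_bits)
    s2, out2 = dual_ec_step(s1, Q, trunc_bits)
    _, out3 = dual_ec_step(s2, Q, trunc_bits)
    recovered = recover_state(out1, out2, Q, d, trunc_bits)
    if recovered != s2:
        return False
    _, predicted = dual_ec_step(recovered, Q, trunc_bits)
    return predicted == out3


if __name__ == "__main__":
    print("third output predicted from the first two:", demo())
```

The point of the exercise is the last line of `recover_state`: nothing about it is hard once d is known, and nothing the victim does (fresh seeds, reseeding) helps, because every output block leaks the next state to the holder of d. Whoever swapped Juniper’s Q for their own held exactly that d.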
