Your presumption about the aftermath is at least as uninformed as his. Shout all you want, you're displaying a truly amazing level of mind reading.
2323 posts • joined 23 Jan 2015
Google Cloud's Intrusion Detection Service attempts to make security 'invisible' but cost will be the big giveaway
Security as a Service?
On the one hand, there can be a lot of expertise brought to bear. On the other, security is one of those places where diversity is _really_ important--as we seem to see here on almost a weekly basis of late.
Given that the industry is suffering badly with far too few people considering security to be part of their job already, it's not at all clear that, even conceptually, this is a step in the right direction.
Ably blog claims company doesn't need Kubernetes to scale, surge in traffic takes down entire website
On the surface, K8s has some...disturbing features
Like default networking policy of "allow all". Like "secrets" being entered in base64. And so on. Things like this suggest that there are likely to be very serious problems deep in the system.
In the end, it still feels like it's intended to be used by people whose job is something other than "software engineer". I expect that many, many companies are likely to improve their situation by moving to it. I expect that the bulk of them would do better to have a real software engineer come in and design and build a system for service management.
I'm reminded of a project I owned at IBM. The build requirements were so complex that I was directed to file a software patent for the makefile. By the time that patent went through, I had abandoned make and moved to custom scripts. I see the same kind of thing happening here.
Everyone cites that 'bugs are 100x more expensive to fix in production' research, but the study might not even exist
NSO is a weapons manufacturer
They need to be treated the same way as a foreign Raytheon or any other such company. From what anecdotal evidence I have, I'm betting that AWS doesn't have processes in place for handling such things. Oh well.
Of course, technology is moving a lot faster than the law, and it's pretty clear that they are turning a rather blind eye to just what their customers are doing with the arms they are receiving. Given who they are and what they are doing, I would be disappointed if this "Shocked, shocked!" moment by Amazon had a noticeable effect on their operations for fifteen minutes. It's entirely possible that it had none at all.
Honestly, it's a bit disappointing that Amazon was even able to identify which accounts they are using. Oh well. Lessons learned, and all that. I expect that there will be a Swiss LLC (or equivalent) created before the end of this week that just happens to handle traffic that has rather... similar characteristics to what was previously attributed to the NSO.
UK and chums call out Chinese Ministry of State Security for Hafnium Microsoft Exchange Server attacks
You might have claimed the same about Russia prior to WWII.
Times change, and the military buildup of China today can be compared to what Japan did post-Perry.
Their hypersonic torpedoes are a major threat to our carriers. They are trying, and to a significant extent succeeding, in buying up the best & brightest for military AI.
And once you can get an AI close to a human in an F-15, you redesign the thing to routinely pull 8-10gs--and dance rings around anything that cares about the human cargo.
As for computers, who cares who is doing the design? What percent of global manufacturing of components is currently happening there?
Moreover, their research in biowarfare and human genetic engineering proceeds at full steam while we have almost none.
Remember, war is only something you do if you cannot achieve the changes you want on the ground without it.
They are using the openness of our society to fund chunks of pro-China activity in our major universities--and social media, to include the comments here.
Losing generals are well known for fighting the last war. The next one looks scarier by the year.
You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found
So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into
Re: FRT - never ready for prime time
I'm not at all happy with our de-facto surveillance state, but you're getting quite a bit wrong here.
You don't need to be "in the lab"--just get permission to pull the video from some convenience store in advance, send subjects in front of the camera, and you've got HIGHLY representative data to work with.
Moreover, while I've not worked with AI myself (well, there was that one program on my TRS-80, but I don't think it should count), from what I've seen, FRT is focused on the geometries of the subject--distance between features, primarily. That data survives a lot of fuzzying pretty well.
The core issue looks to be overconfidence, and especially the presumption that these systems can do more than narrow the list of people who might be on camera. "Matching" a photograph should not, by itself, be probable cause. Not now, and not for a very long time.
1) DevOps was NEVER about eliminating the distinction between devs and operations. NEVER. It was about relieving the explosion of operational load that was triggered by the move from waterfall to Agile. That mostly involved a lot of education of the devs as to what actually happened after they "threw it over the wall." In particular, defining "MVP" to include a hard requirement that it not force the ops guys out of bed every other night to fix what just broke.
2) Single source of truth was NEVER about a single source of all truth, but of any particular truth. If, as this article seems to imply, the ultimate source of truth is external to your systems, that does not change anything other than the particulars about how the updates occur.
3) Access control within a repo is a solved problem--with Perforce at Google, at least. I'm pretty sure IBM had it solved decades earlier with whatever system they were using. Git doesn't directly support access control at all, but layering it on isn't really that big of a deal. Not that Github supports it.
4) The distinction between desired state and actual state isn't really as hard to get as the article implies. In order for processes to be meaningful, they need to be expressed as datapoints in the same space. In order for the processes to be successful, you need to have a clear method to conform the latter to the former. There is nothing new here, but lots of folks do get this wrong, somehow.
If you cannot reduce your entire desired state to a series of bits in some dataspace, then you don't really understand your desired state. Once so realized, it becomes natural to take those bits and manipulate them as bits rather than the things those bits represent. GitOps is nothing more and nothing less than an exploitation of these facts.
Re: Crossed the hallway
I spent a decade playing at the level of assembly language. I occasionally poked my head into what the compiler guys are up to.
Almost all of the artifacts that I have seen published regarding the identification of these groups beyond native language strike me as being pretty easy to fake at the compiler level. The only question is if these teams have anyone with the current skills to do so.
Of course, if they're not stripping the symbol table, they're just being lazy.
My point is that I'm pretty sure that a team with the skills one would expect of a (more or less) major state actor can reskin more easily than their counterparts can reattribute.
What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft
Re: Maybe (but probably not)
When the customer gets fed up with non-performing products, or $1000 devices that won't be usable next Christmas, that is when we will see reliable systems--and not before.
To quote the CEO of IBM (in 2000), "One of these days, the customer is going to say 'E-nough!' But until he does, it's e-everything."
The other route is regulation. That worked for seat belts. This is a much tougher environment, however.
Linux Mint 20.2 is a bit more insistent about updating but not as annoying as Windows or Mac, team promises
Fix symptoms, not problems
As mentioned, the issue is the sheer number of transitive dependencies. (And as a rubyist, I'm looking at YOU, DHH.) The idea that getting code out the door NOW is functionally the most important thing is what is driving this.
But, as I keep harping, in the end, the customer is king.
Someone posted a mention of James Dean's seatbelt. For those who do not know (such as myself, an hour ago), James Dean died in an automobile accident. Investigators determined that if he had been belted in, he would have survived. At the time, however, very few cars even had an option for seat belts. The article goes on to trace the history of seat belt usage, crediting this incident as getting the ball rolling. I was about 18 when the laws were being passed. I contemplated stopping wearing in protest of the blatantly unconstitutional process by which those laws came about.
I'm afraid that the solution is going to involve legislation. Insurance looks like it is going to fail. (The costs are too high, companies will just ignore the risks.) Liability for directors/board members seems the most likely. The situation with Kaseya is a pretty good demonstration of why.
IBM insiders say CEO Arvind Krishna downplayed impact of email troubles, asked for a week to sort things out
Re: "reason to expect that they did"
No. We had plenty of evidence that stars form from nebulae. We had an example that planets could form alongside a star. We had models of nebula evolution & star formation that naturally evolved planets.
In other words: we had a well-grounded theory, and an example where it actually happened.
That's not "speculation" any more than the finding of Neptune was based on "speculation".
As mentioned above, this case highlights the major failure mode of "responsible disclosure". Kaseya had a major problem. They knew they had a major problem. They refused to do anything to protect their customers that might have damaged their reputation. Now this.
The motto of SRE at Google is "spes consilium non est". Kaseya better hope that they don't get sued by each and every end user whose system was compromised because they knowingly, willingly, left them twisting in the wind.
Re: Obligatory B5 misquote
That scene had the potential to be perhaps the best ever. Unfortunately, the multi-season gap between the setup and delivery meant that the director felt compelled to add the flashback. I mean, I get it from a marketing/pr perspective, but it destroyed the art of that moment.