The FCC stipulates, as part of the rules around being a licensed amateur, that I am unable to encrypt or obscure the content of any message. I may encode (not encrypt) as long as the ability to decode is part of the public record. The only exception to this is remote control of things like space stations (AMSAT) where the control point needs to be authorized.
This got me to thinking about how such regulations would apply to trusted computing. And now I want to take that to the next level. As an academic exercise, just how far can I take an “air gapped” (as in unplugged from the internet) computer network and still ensure that there is trust? What does trust look like in this scenario? What needs to be trusted?
In Formula 1 news, I’m taking the news that Lewis Hamilton signed a contract to drive for Ferrari in 2025 in stride. It means I have to switch allegiances from the Silver Arrows (Mercedes Petronas) to the prancing horse. At least last year their cars no longer catch fire on a regular basis. 🤣
Don’t get me started on VCARB…. I’m not even going to link that one.
I want to point out this one paragraph and say, bravo!
They need to throw away this poisonous idea of security as a separate profit center and rededicate themselves to shipping products that are secure-by-default while providing all security features to all customers. I understand the need to charge for log storage or human services, but we should no longer accept the idea that Microsoft’s basic enterprise offerings (including those paid for by the US taxpayer) should lack the basic features necessary to protect against likely attacks.
Alex Stamos
If you use Microsoft products on a regular basis in a professional capacity, you see this tendency of Microsoft to upsell what could be basic security features that any organization should employ to protect themselves. Microsoft’s sales people have a tendency to get excited about, and spend a great deal of time praising, a new Microsoft365 or Azure feature and then when pressed on license requirements, will state after the entire presentation, that it requires either an E5 license or is a separate SKU entirely. “Just upgrade to an E5 license and you’re all set! What’s wrong with you!?” I think they know that if they start by saying “new E5 level feature” people will lose interest.
Many organizations choose E3 because it’s “good enough” but I think the real reason is that it’s cheaper. I don’t blame them. When you start doing the math the E5 license costs can become intolerable real fast. But what do you lose?
In the good old days of on-prem you had all the logging you could want and the only real cost was disk space, or speed if you chose verbose logging options. You could easily clear that up by rotating the logs. And you want to keep logs. Logs are bread and butter in the security world. Threat hunting and incident response would be a shot in the dark without logs.
Enter Microsoft365 and the Azure cloud, and Microsoft’s premium price tag for logging access. Microsoft Azure logging facilities are terrible and you are subject to changes in the “user experience” that can and will break your workflows. If you want better access to those logs, be prepared to pay a premium. The same goes for simply accessing certain logs for security purposes that you would otherwise easily retrieve on-prem at no additional monthly cost.
Microsoft Defender for Endpoint, the EDR incarnation of their Defender antivirus product, has a threat hunting/incident response feature. If you get the EDR license for Defender you don’t get the log query functionality unless you have an even more pricey license per user.
This is not to mention all the other premium security protections that you have to subscribe to in order to fully secure your cloud tenant. This is the “nickel meet dime meet existential danger” problem of the cloud, where it’s not merely costly and inconvenient, it can have real world consequences as we all wait for Microsoft to admit the next breach that “hit a small percentage of our customers” when said customers could have had faster warning had they only subscribed to Microsoft’s coveted E5 license and paid a small fortune for all the other logging access, a dozen or so SKUs that require a monthly fortune.
Cloud security takes a team of security people, and not just Microsoft’s Security Resource Center.
I was struck by two things in this article. The first is how much we’ve been misled on what’s really going down in San Francisco. The second is just how much San Francisco’s fate is tied to the whims and machinations of the tech-bro elite.
I suppose I shouldn’t be surprised Starlink made its way over to Russia. I’m hoping to be surprised if Elon does something about it. I’m not holding my breath. Effective altruists don’t really care about the present day and it doesn’t take the chosen one any closer to Mars, so….
We should all be watching carefully what is happening to genuine human-produced content. The tech-bro corporate dystopia we find ourselves in hit the creatives hard, and it continues to destroy truly human work in favor of hard algorithms and the “promise of AI” whether we like it or not.
On January 29, Amazon started showing ads to Prime Video subscribers in the US unless they pay an additional $2.99 per month. But this wasn’t the only change to the service. Those who don’t pay up also lose features; their accounts no longer support Dolby Vision or Dolby Atmos. As noticed by German tech outlet
Unfortunately this Hackaday article, while starting out strong, just drops a cynical load of “everything is bad so just let the internet control your home.”
So-called ‘smart home’ appliances and gadgets have become an ever-more present thing the past years, with nary a coffeemaker, AC unit or light bulb for sale today that doesn’t have an associated smartphone app, cloud service and/or subscription to enable you to control it from the beach during your vacation, or just set up automation routines to take tedium out of your busy schedule. Yet as much
I have yet to meet anyone using insider builds, let alone an expensive Windows Server license for an insider build. Free licensing for insiders would be a boon for Microsoft, provided the licensee can pass some basic requirements (testing, not in prod, etc). But it’s been some years since Microsoft ditched the whole Technet license thing and I don’t think we’ll ever see holistic QA from Microsoft, not when their testers all probably write malware after discovering flaws in early releases. 🤣
I’m catching up on my backlog of interesting links.
Why Not Use All Three Browsers At Once?
Because I’m a masochist I’m literally using Firefox, Chrome, and Edge (also Chrome) for various tasks. I have intentionally left ad filtering off for both Chrome and Edge and oh boy is this gonna be fun!
Microsoft® is modifying your keyboard. Can you guess what they’re doing?
Microsoft® is adding a key for Copilot®. I think I’m going to stick with what I have and maybe just continue using Linux? The Windows® key was okay I guess, but adding a new “Copilot® key” just tells me they’re going to force Copilot® on everyone.
I can understand where 23andMe’s lawyers are coming from. Their bias is to their client (or employer). I’m not saying that the company’s response to the class action lawsuit against them is right. In fact I think it’s utterly typical “corporate personhood” BS. At least they said something this time and didn’t just “stay silent” against the naysayers.
I also feel that the thing highlighted below in bold proves how far we in the cybersecurity sector have yet to go.
“Everyone should know better than to use an unhygienic credential,” says Steve Moore, vice president and chief security strategist at Exabeam. “But at the same time, the organization that provides the service ought to have capabilities to limit the risk of that.”
Everyone SHOULD know better. Everyone should know that the best time to deal with a security breach of your account is before it even happens. Not just “assume breach” but actually prevent the breach in the first place by using multifactor, considering hardware tokens, biometrics, passkeys, etc. Just keeping your stuff up to date is only part of the picture, you MUST remain vigilant. Not a paranoid type of vigilant that Hollywood and the news media, and even some cybersecurity companies LOVE to take advantage of (just look at the whole “juice jacking” hype). Just basic things like not re-using passwords, and using long passphrases (with spaces) go a long way.
And we should be doing this every day when we have conversations with people. We should be educating people and also following our own best practices to boot.
I do have some concern that people could be using ChatGPT for life advice though. It shouldn’t just be concern that people might be out of a job that drives this research. The amount of harm that could already be happening even with guardrails in place is something that should give everyone pause.
Awesome AD Alert!
DO NOT STICK THINGS INTO ELECTRICAL OUTLETS!
I REPEAT! DO NOT STICK THINGS INTO ELECTRICAL OUTLETS!
I signed up for a free Usenet service a while back with the intention of accessing it with Mozilla Thunderbird and seeing if newsgroups were still useful as a communications medium. After an hour of viewing what has become of Usenet, at least the alt newsgroups, I can very much understand why Google Groups made this decision (strangely enough I thought they stopped supporting Usenet a long time ago but I digress).
Usenet has many of the same problems that email does, with the added bonus of being even more distributed in a “one to many” way of message flow, by design if you think of it as a forum (it is). Usenet’s cracks are too big to patch and smell of rotten spam. There’s better ways to have discussions on the internet now anyway and I just don’t think there’s reason to go back unless everyone wants to contend with an overhauled system when they might as well use something like the Fediverse (Mastodon, Firefish, etc).
Usenet was a springboard in the early Internet, but like Gopher, FTP, etc, we’ve evolved past it.
AI is capable of running entire companies call center scams now.
The source of the image above is here, and yes this is a fax/call center scam site: https://webenvy.io/?page_id=2808
I see a possible future where our interaction with data on the internet is through language models exclusively. You will have no choice because your browser will require it and all the open source browsers with poor market share will also not work very well with the new web standards. “WebAI” (let’s just call it that) is on the horizon and right now it’s looking outright dystopian.
Mozilla pivoting to AI and possibly ditching Firefox? Firefox already has usable forks but what does that really mean for the future whenever everyone is using Chrome (Google) and Edge (Microsoft), content and ad delivery systems with baked in tracking and AI disguised as web browsers?
I think the answer is be aware of this and keep pushing for open source that isn’t tied to a major corporate name.
In their ongoing effort to put as many price tags as possible on every single thing they sell, Cisco decided to Cisco their wording in the only way Cisco knows how.
There’s an ongoing trend in cybersecurity where the vendors are vowing to integrate narrow AI into all their products. The problem with this, I feel as a person who is in no way an AI expert, is that NAI (Narrow AI) can nominally train on a concept but has no way to train on context. I believe contextualization requires general AI.
Now I am a cybersecurity professional and I feel that I’m to some degree an expert at certain intricacies in the field, and I understand in my daily work that context is everything. Yes NAI will be a great tool but it shouldn’t be a trusted authority. I do think using NAI to find a flaw in a firewall config is a great idea, but it absolutely should not be depended upon 100%. If the NAI says “everything is great, your firewall is fine…”
And you trust it without going in and doing your own verification, well, here’s a thumbs up for you.