Newsletter

open source and cybersecurity news

December 29, 2023

It's 5:05, December 29 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown: December 31st, 1999. The world waits in anticipation of the year 2000 and the potential disasters that might be brought about by the Y2K bug. Just for fun, I set up my home with a remote control to turn off all the lights in my house and the TV our friends would be watching at our New Year’s Eve party. Seconds after midnight, I pushed the remote control in my pocket, and everything went out. There were definitely a few people in my house that night who thought the apocalypse had come.

Edwin Kwan: One of the features of Chrome Safety Check is that it will check if any saved passwords have been compromised. In addition, users will receive alerts in the Chrome menu about flagged dangerous extensions, outdated Chrome versions, or disabled safe browsing.

Olimpiu Pop: In 2023, the cyber warfare aspect of the Ukraine war provided concrete examples of both resilience and the evolving nature of cyber threats. Ukrainian cyber defenses, although not unbreakable, effectively countered a variety of Russian cyber attacks.

Shannon Lietz: For the last couple of years, the EU has been talking about how it might address some of the cybersecurity issues that are plaguing its economy. As part of this, addressing the 189 pages of a potential act to come, it’s hard to look at it and be both excited and petrified at the same time. There’s lots to think about.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Google Chrome Safety Check Feature Enhancements

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Google is enhancing the Chrome Safety Check feature to help keep users safe, and it will be running automatically in the background.

This is Edwin Kwan from Sydney, Australia.

One of the features of Chrome Safety Check is that it will check if any saved passwords have been compromised. In addition, users will receive alerts in the Chrome menu about flagged dangerous extensions, outdated Chrome versions, or disabled safe browsing.

The update will also allow Safety Check to automatically revoke permissions for websites that haven’t been visited for an extended period. Additionally, the feature will identify less engaged sites bombarding users with excessive notifications. Google has also recently rolled out automatic upgrades of insecure HTTP requests to HTTPS for enhanced internet security.

And Google plans to introduce a new Chrome feature enabling users to save tab groups and resume browsing on other desktop devices. This feature should be made available in the coming weeks. The company is also upgrading Chrome’s performance controls for a smoother browsing experience.

Resources
– Bleeping Computer: https://www.bleepingcomputer.com/news/google/google-chrome-now-scans-for-compromised-passwords-in-the-background/

 

Olimpiu Pop
Year in Review: Ukraine and the Cyberwar

Olimpiu Pop, Contributing Journalist

In 2023, the cyber warfare aspect of the Ukraine war provided concrete examples of both resilience and the evolving nature of cyber threats. Ukrainian cyber defenses, although not unbreakable, effectively countered a variety of Russian cyber attacks. For instance, despite Russian attacks targeting everything from government agencies to energy substations, Ukraine managed to thwart many of these and quickly recover from others.

These efforts were notably bolstered by early engagement of US Cyber Command teams. Russian cyber operations, instead of executing widespread destructive cyber warfare, concentrated more on misinformation and undermining support for Kiev. Notably, the cyber attacks did not significantly escalate in severity or change in tactics.

This approach aligns with Russia’s broader strategy of focusing on information warfare and propaganda. However, as the war progressed into 2023, there were warnings from threat intelligence firms about Russia potentially escalating its cyber attacks, suggesting a possible shift towards more sophisticated methods.

This potential escalation highlights the evolving nature of cyber threats in the context of international conflicts, and underlines the importance of continued vigilance and adaptation in cybersecurity strategies. Unfortunately, the war will enter its third year by the end of February.

Olimpiu Pop reported from Transylvania, Romania.

Resources
– Chatham House: https://www.chathamhouse.org/2023/12/russian-cyber-and-information-warfare-practice

 

Shannon Lietz
EU CRA: Win | Lose | Draw

Shannon Lietz, Contributing Journalist

For the last couple of years, the EU has been talking about how it might address some of the cybersecurity issues that are plaguing its economy. As part of this, addressing the 189 pages of a potential act to come, it’s hard to look at it and be both excited and petrified at the same time. There’s lots to think about.

First of all, let’s talk about the winners. The winners here: the EU, ENISA, folks that actually buy software, some of the disruptors and innovators, cloud providers, lawyers, and product security. When we look at those winners, it’s very clear the reason why they win is because there will be a formal act in place that actually demands cybersecurity become a big and prominent part of publishing software.

For the last decade plus, we’ve been talking about this. To some extent, this is a provision that we’ve seen coming for a very long time. So if you’ve been on the side of shifting left, working on improving your software processes, building safer software, this may not actually be that much of an implication for your organization.

But if you haven’t, if you’ve been in the laggards, if you haven’t really thought about how you’re going to address some of these cybersecurity issues that are coming through software you might be publishing, then it is going to be a bigger problem.

And so the losers in this are on the other side of this equation: big companies that have had large codebases, lots of legacy software, and lots of software developers who haven’t embraced DevSecOps, or are yet to embrace DevSecOps. They are likely going to have architectural challenges, code lineage challenges, and they’re going to have to address their SBOM. The way that the Act reads is that this is something that most of these companies are going to have to do by 2025, or face fines and implications.

On the draw end of this, open source. I think it’s really critical to understand that for open source, they’re in a draw moment. This act doesn’t imply more or less really from an open source perspective, although I probably diverge from what the rest of the industry thinks, particularly because the implication of trying to regulate cybersecurity for big companies would actually have an implication on open source regardless of whether it’s actually stipulated in an act or not.

We were talking about open source as being the implication for this point of view. We’ll talk a little bit more about that as we come to the rest of the segment.

Small companies and bug bounty programs are also at a draw. In particular for the bug bounty programs, it’s still not clear whether or not a bug found in a bounty program would need to be reported both to the company in which it’s actually found or to the government as well. So I think that’s going to be interesting.

Let’s come back to open source, because I think it’s really critical to understand that for open source, they’re in a draw moment. This act doesn’t imply more or less really from an open source perspective, although I probably diverge from what the rest of the industry thinks, particularly because the implication of trying to regulate cybersecurity for big companies would actually have an implication on open source regardless of whether it’s actually stipulated in an act or not.

And this comes from, basically, who leverages open source the most. There are lots of folks that use open source, and it’s actually created on a non-commercial basis, and for those folks, I believe, they will see some sort of lesser implication from the CRA.

For folks that are seeing commercial implications associated with their open source, or who are actually trying to make money off of open source, I do think there’s going to be a bigger implication for those companies that are actually leveraging open source as part of their business model, because that’s really what the CRA says.

And while I’m not a lawyer, the point of view here is that, potentially, regulation is sort of the last step in what is an evolving ecosystem. Cyber has been evolving for decades now. We’ve seen the notion of software security really come into the forefront in the last 10 to 12 years. And at this stage, if you aren’t keeping up, then really you’re going to see lots of debt and lots of warnings and potentially even some fines associated with what you might be accomplishing.

For software developers I also have a heartfelt understanding of what it means to try and build software security. It is something that’s going to have to evolve.

So ultimately on this one, I would say our biggest winners, honestly, are all who are innovating and doing DevSecOps; you’re on the forefront. We’re going to see a lot more lawyer interaction because compliance is fast becoming somewhat of a legal challenge in most organizations.

Our biggest losers: folks that are in those big companies. I think it’s time for the CEOs of big software manufacturers to realize that you have to build adversary resilient software from the very beginning. If you’ve got products on the shelf right now that you’re questioning, it’s very likely that the cybersecurity challenge is now starting to exceed what you’re getting in adoption anyway. And it does require a lot more attention.

And so we have a lot to think about when it comes to this act. I’m particularly interested in seeing what happens in 2024.

This is Shannon Lietz reporting on the win, lose, or draw of the Cyber Resilience Act and its impact on open source.

Resources
– European Council: https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-resilience-act-council-and-parliament-strike-a-deal-on-security-requirements-for-digital-products/

 

Marcel Brown
This Day, December 29, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown with your technology history for December 29th, December 30th, and why not, December 31st as well. Happy New Year’s Eve, everyone!

December 29th, 1949. Station KC2XAK in Bridgeport, Connecticut becomes the first ultra high frequency (UHF) television station to operate a daily schedule.

How many of you are wondering what UHF TV is? Come on, raise your hands, don’t be shy. Set up as a working experiment by RCA and NBC, the station was used to test if the UHF spectrum was feasible to broadcast TV. Codenamed Operation Bridgeport, after two and a half years of successful transmission, the station was shut down.

The UHF transmitter was purchased, dismantled, and reassembled in Portland, Oregon to power the first commercial UHF station in the United States.

December 30, 1899. American Bell, at the time the parent corporation of the AT&T Company, reorganizes and transfers its assets into AT&T. American Bell was incorporated in Massachusetts and AT&T was incorporated in New York.

Massachusetts corporate laws would have limited the growth of American Bell. So by reorganizing, AT&T could bypass Massachusetts law by becoming the parent company of American Bell and the Bell System. Eventually, AT&T would become a legalized monopoly in the United States.

December 31, 1993. Microsoft releases version 3.11 of Windows, a minor upgrade to Windows 3.1. It became the last stable version of Windows before Windows 95 was released in August of 1995.

December 31st, 1999. The world waits in anticipation of the year 2000 and the potential disasters that might be brought about by the Y2K bug. Personally, having worked years in a corporate environment getting ready for Y2K, I was pretty confident that nothing major would happen.

So just for fun, I set up my home with a remote control to turn off all the lights in my house and the TV our friends would be watching at our New Year’s Eve party. Seconds after midnight, I pushed the remote control in my pocket, and everything went out. There were definitely a few people in my house that night who thought the apocalypse had come.

Technology practical jokes are so much fun.

December 31st, 2008. Playfully named Zune 2K Day, after Y2K, owners of Microsoft Zune devices began reporting that their devices had malfunctioned and refused to boot up. The problem turned out to be a bug in the internal clock driver related to the way the device handles a leap year, as described by Microsoft.

The problem would fix itself on January 1st, 2009, if users let the battery run down and then reset the device on that day. Certainly, the publicity from this gaffe couldn’t have helped the perception of the Zune in the marketplace, as by this time, Apple’s iPhone had started its dominant rise.

Microsoft said it would issue a bug fix for the device so that this problem wouldn’t reoccur in 2012, but by that time, Microsoft had already killed the Zune line of devices, so I’m not sure if the problem ever was actually fixed.

And that’s your technology history for today, for the week, and for the year. For more, visit my website, thisdayintechhistory.com, and be on the lookout for the This Day in Tech History podcast starting in January of 2024.

Resources
This Day in Tech History: https://thisdayintechhistory.com/12/29
