Showing posts from January, 2018

Lies and More Lies

Following the release of the Spectre and Meltdown CPU attacks, the security community wondered if other researchers would find related speculative attack problems. When the following appeared, we were concerned: "Skyfall and Solace More vulnerabilities in modern computers. Following the recent release of the Meltdown and Spectre vulnerabilities, CVE-2017-5175, CVE-2017-5753 and CVE-2017-5754, there has been considerable speculation as to whether all the issues described can be fully mitigated. Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre. Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches. Watch this space..." It turns out this was a hoax. The latest version of the site says, in part: "With little more than a couple of quickly registered domain names, thousands of people were hooked... Skyfall The idea he

Addressing Innumeracy in Reporting

Anyone involved in cybersecurity reporting needs a strong sense of numeracy, or mathematical literacy. I see two sorts of examples of innumeracy repeatedly in the media. The first involves the time value of money. Recently CNN claimed Amazon CEO Jeff Bezos was the "richest person in history" and Recode said Bezos was "now worth more than Bill Gates ever was." Thankfully both Richard Stiennon and Noah Kirsch recognized the foolishness of these reports, correctly noting that Bezos would only rank number 17 on a list where wealth was adjusted for inflation. This failure to recognize the time value of money is pervasive. Just today I heard the host of a podcast claim that the 1998 Jackie Chan movie Rush Hour was "the top grossing martial arts film of all time." According to Box Office Mojo, Rush Hour earned $244,386,864 worldwide. Adjusting for inflation, in 2017 dollars that's $367,509,865.67 -- impressive! For comparison, I researched the

Remembering When APT Became Public

Last week I Tweeted the following on the 8th anniversary of Google's blog post about its compromise by Chinese threat actors: "This intrusion made the term APT mainstream. I was the first to associate it with Aurora, in this post." "My first APT post was a careful reference in 2007, when we all feared being accused of 'leaking classified' re China:" I should have added the term "publicly" to my original Tweet. There were consultants with years of APT experience involved in the Google incident response, and they recognized the work of APT17 at that company and others. Those consultants honored their NDAs and have stayed quiet. I wrote my original Tweet as a reminder that "APT" was not a popular, recognized term until the Google announcement on 12 January 2010. In my Google v China blog post I wrote: Welco

Happy 15th Birthday TaoSecurity Blog

Today, 8 January 2018, is the 15th birthday of TaoSecurity Blog! This is also my 3,020th blog post. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. I don't believe I've released statistics for the blog before, so here are a few. Blogger started providing statistics in May 2010, so these apply to roughly the past 8 years only! As of today, since May 2010 the blog has nearly 7.7 million all-time page views. Here are the most popular posts as of today: Twitter continues to play a role in the way I communicate. When I last reported on a blog birthday two years ago, I said that I had nearly 36,000 Twitter followers for @taosecurity, with roughly 16,000 Tweets. Today I have nearly 49,000 followers with fewer than 18,000 Tweets. As with most people on social media, blogging has taken a back seat to more instant forms of communication. These days I am active on Instagram as @taosecurity as well. That account i

Spectre and Meltdown from a CNO Perspective

Longtime readers know that I have no problem with foreign countries replacing American vendors with local alternatives. For example, see Five Reasons I Want China Running Its Own Software. This is not a universal principle, but as an American I am fine with it. Putting my computer network operations (CNO) hat on, I want to share a few thoughts about the intersection of the anti-American vendor mindset with the recent Spectre and Meltdown attacks. There are probably non-Americans who, for a variety of reasons, feel that it would be "safer" for them to run their cloud computing workloads on non-American infrastructure. Perhaps they feel that it puts their data beyond the reach of the American Department of Justice. (I personally feel that it's an over-reach by DoJ to try to access data beyond American borders, e.g. Microsoft Corp. v. United States.) The American intelligence community and computer network operators, however, might prefer to have that data outside Am