Kevin Hartnett, Senior Writer at Quanta Magazine, expounds on the notion of formal code verification when used to provide assurance of attack-proof code... Similar to unsinkable ocean liners? Or, is it only a matter of time before a successful attack is mounted thereupon? Is attack-proof code provable utilizing proofs (as in mathematical proofs)? You be the judge.
'“They were not able to break out and disrupt the operation in any way,” said Kathleen Fisher, a professor of computer science at Tufts University and the founding program manager of the High-Assurance Cyber Military Systems (HACMS) project. “That result made all of DARPA stand up and say, oh my goodness, we can actually use this technology in systems we care about.”' - via Kevin Hartnett, Senior Writer at Quanta Magazine
The beginning of May 2018 saw problematic internetworking operational issues revolving around the notion of robust router security (in reality, the lack thereof...). Today's Must Read comes from ISOC personnel Megan Kruse and Aftab Siddiqui, and lightly details the initiative entitled Mutually Agreed Norms for Routing Security (MANRS). No resolution of this issue has been unequivocally accepted, but hope does spring eternal. As such, you can learn much more about MANRS here. Enjoy the Norms, and have a go with the MANRS for Network Operators document.
via Chris Williams, Editor in Chief of The Register, comes this surprising/yet not surprising fourth security flaw that now joins the Spectre/Meltdown Speculative Execution flaw in modern CPUs. Bad news for all.
"Variant 4 is referred to as a speculative store bypass. It is yet another "wait, why didn't I think of that?" design oversight in modern out-of-order-execution engineering. And it was found by Google Project Zero's Jann Horn, who helped uncover the earlier Spectre and Meltdown bugs, and Ken Johnson of Microsoft." - via Chris Williams, Editor in Chief of The Register targeting the fourth known Spectre/Meltdown flaw.
Yes, you read it right. If you lease a Comcast Modem with WiFi, Comcast has been providing the password to your WiFi network in the clear, with only minimal identity management (snippets of your address, for example), therefore granting access to the world; all courtesy of a nasty little overlooked bug in their code. A nearly perfect example of the apparent lack of application security oversight at the company, which alludes to systemic and blatant security incompetence.
The company is claiming to have fixed the access issue as of this writing. Question is, what other flaws exist in the company's deployments? One bright spot to this debacle: currently, customers that supplied their own hardware routers were not among the multitude of customers affected.
Unintended Consequences... via Alastair Paterson, writing as he often does at SecurityWeek, comes this common sense post detailing issues with the European Union's General Data Protection Regulation (GDPR) as that regulation interferes with what-may-seem-like-age-old-internetworking-tools, in this case Whois. Highly recommended and Today's Must Read!