Friday Cyber News, January 5 2018

Cyber technology-related news and links from around the web, for the week of 12/30 - 1/5:

1. The new year delivered an actual Y2K-level security flaw, with the reveal of two bugs, Meltdown (whose logo is a dripping creamsicle-colored shield) and Spectre (an angrily grinning ghost holding a stick), that both attack the past decade's worth of Intel processors, allowing unprotected programs to read protected kernel memory, in some cases via JavaScript delivered through a web browser. On a shared server, the vulnerabilities would also allow users to spy on one another's processes. (A fun explanation of Meltdown is here). Patches for the vulnerabilities (mostly for Meltdown, which is more easily mitigated) are expected to degrade performance by 5%-30%, but it's a necessary price to pay for such a widespread and fundamental flaw. (Good thing we just found the 50th Mersenne prime, before the slowdown, I suppose). Spectre also affects AMD and ARM processors, and the effects of patches for those processors are undetermined. Developers have been working on patches since June, making it suspicious that Intel CEO Brian Krzanich sold $24M in Intel shares in late November, before the vulnerabilities were disclosed, bringing his ownership down to his contractually mandated minimum of 250,000 shares. [Meltdownattack; Medium; Cyberscoop; Mersenne.org; BGR]

2. An Indian newspaper reported that it was able to purchase administrator access to India's Aadhaar biometric identification database for about $8, via an offer made in a WhatsApp group. The Unique Identification Authority of India claimed that no biometric data was breached, only demographic details, but also said "no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach." [Guardian; Tribune India] 

3. In Pittsburgh, the Department of Children, Youth, and Families is using a predictive analytics tool to determine which initial reports should be "screened out" and which should precipitate a follow-up home visit. Unlike sentencing algorithms that have been criticized for their opacity, the algorithm the DCYF is using is open for analysis and town hall meeting debate, and thus far is doing better at identifying high-risk family situations than human screeners were. [NY Times] 

4. Twitter decided that alluding to nuclear war is not the same as "making specific threats of violence [toward] an individual or group of people." Great, thanks Twitter. [The Hill]

5. A DHS database with information on 247,167 current and former employees was breached, as a result of a former employee copying and retaining too much data. [ZDNet]

6. Tacotron synthesizes speech from text more realistically and accurately than, for example, Chrome's built-in speech reader, and its challenge problems--"Tacotron or Human?" at the bottom of the page--are legitimately difficult (I couldn't find the answers, so my guesses are that 1, 2, 1, and 2 are Tacotron, respectively, though I could be wrong). This is going to make verifying incriminating recordings more difficult, an issue the paper doesn't address directly. Disappointingly, Tacotron's voice is not based on Dutch-Indonesian musician Taco. [Google; Inc; Wikipedia]

7. Lethal autonomous weapons are going to sneak up on us, worries former Air Force general Robert Latiff, because the DoD has not clarified its "human in the loop" policy. [Bloomberg]

8. The European Commissioner for Competition is taking a different stance on big data than US regulators, viewing data as an asset that could preclude the entrance of competitors in a market where one company owns unique data that is not obtainable through other outlets. [WSJ]

9. In case you were wondering who owns hundreds of millions of dollars worth of bitcoin, one answer is Peter Thiel, via his VC fund. And hey, if he captures the body heat of those youths whose blood he supposedly wants to inject, he could mine an extra one bitcoin per month. This is how the Matrix starts, right? [WSJ; Vanity Fair; Vice]

10. Zuckerberg says that fixing Facebook's harassment, election interference, and time-suck problems is his personal goal for 2018--so, doing his job--and that he's interested in "how best to use" cryptocurrencies on Facebook (ServerFarmville!), and he names centralization as a problem with the overall development of technology while recommitting himself to the growth of his own highly centralized platform. Fixing Facebook's problems is important because the platform drives the behavior, and captures the attention, of an estimated 2 billion active users worldwide, and inherent in the scope of that audience is the responsibility to consider both how bad actors will attempt to manipulate the platform (e.g., Duterte) and how the absence of explicit rules will itself guide user behaviors (e.g., default privacy settings, removing some sanctioned political figures but not others). The implication that Facebook as a whole hasn't already been taking problems of harassment and election interference seriously is likely false, but the converse implication that while the company had seriously committed itself to fixing these problems, Zuckerberg hadn't, and that he believes that turning his attention to the problem now will deliver a solution through the effects of his personal education on the issues, is baffling. However, Zuckerberg frames his declaration by implying that we shall know by his sartorial choices when he's taking a problem seriously; he notes that his yearly challenges began in the same year as his adoption of a necktie as a kind of Recession Awareness ribbon ("I started doing these challenges in 2009 [...] It was a serious year, and I wore a tie every day as a reminder.") Thus begins Zuckerberg neckwear watch 2018. [The Verge; Guardian]

Thanks for reading,
Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)