CVE-2017-1000367 in Sudo’s get_process_ttyname() for Linux | oss-security@…ts.openwall.com

CVE-2017-1000367 in Sudo’s get_process_ttyname() for Linux; On That Certain Mailing List, hosted At OpenWall; 2017-05-30.

tl;dr → patch all the computers; specifically, sudo 1.8.20p1 carries the fix, and 1.8.6p7 through 1.8.20 are affected on Linux.
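The bug named in the title, as an added example that is not from the list post: get_process_ttyname() located the tty device number by splitting /proc/[pid]/stat on whitespace and taking the seventh field, but the second field, the process name in parentheses, is chosen by the process itself (argv[0]) and may contain spaces, which shifts every later field. The rest of the chain, per the Qualys advisory, uses that attacker-chosen number to steer sudo’s later search of /dev. The hardened parse first skips to the last ‘)’. The /proc/[pid]/stat lines below are constructed, not real captures; the field order is from proc(5) and the dev_t decoding is the Linux 32-bit encoding.

```python
# Added example: parsing the tty_nr field of /proc/[pid]/stat.
# Sample lines are constructed, not real captures. Field layout per proc(5):
# pid (comm) state ppid pgrp session tty_nr tpgid flags ...

def tty_nr_naive(stat_line):
    """Whitespace split, seventh field: the pre-1.8.20p1 approach.

    Breaks when comm contains whitespace, because comm is the one field
    whose content the process itself chooses (argv[0], prctl(PR_SET_NAME))."""
    return int(stat_line.split()[6])


def tty_nr_safe(stat_line):
    """Skip past the last ')' before splitting; comm may contain ')' as well."""
    end = stat_line.rindex(")")
    rest = stat_line[end + 1:].split()
    # rest: state ppid pgrp session tty_nr tpgid ...
    if len(rest) < 5:
        raise ValueError("short /proc/[pid]/stat line")
    return int(rest[4])


def decode_dev(dev):
    """Linux 32-bit dev_t as printed in /proc -> (major, minor)."""
    major = (dev >> 8) & 0xFFF
    minor = (dev & 0xFF) | ((dev >> 12) & 0xFFF00)
    return major, minor


# Constructed: a sudo process on /dev/pts/0 (major 136, minor 0 -> 34816).
HONEST = "1234 (sudo) S 1000 1234 1234 34816 1234 4194560 0 0 0 0 0 0 0 20 0 1 0 0 0 0"
# Constructed: comm chosen so that a naive split reads the attacker's "5" as tty_nr.
HOSTILE = "1234 (x 1 2 3 4 5 6 7) S 1000 1234 1234 34816 1234 4194560 0 0 0 0 0 0 0 20 0 1 0 0 0 0"

if __name__ == "__main__":
    for line in (HONEST, HOSTILE):
        naive, safe = tty_nr_naive(line), tty_nr_safe(line)
        print(f"naive={naive} safe={safe} device={decode_dev(safe)}")
```

On the honest line both parsers agree; on the hostile line the naive parser returns a number the unprivileged caller picked, which is the whole foothold.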

The AI Now Report: social/economic implications of near-future AI | Boing Boing

The AI Now Report: social/economic implications of near-future AI; Cory Doctorow; In Boing Boing; 2016-09 (one year ago, back before The Bad Times, back in the Obama Administration, back when The Science was a Thing)

Original Sources

<unavailable>The AI Now Report; Information Law Institute, New York University (NYU); 2016-07.</unavailable>

Mentions

  • National Economic Council
  • Symposium at Information Law Institute, New York University (NYU), 2016-07.
  • Artificial Intelligence Now (AI Now)

Is the First Amendment Obsolete? | Tim Wu

Tim Wu; Is the First Amendment Obsolete?; In Emerging Threats Series; Knight First Amendment Institute, Columbia University; 2017-09; pdf (27 pages).

tl;dr → No. Betteridge’s Law. It is a Modest Proposal.
and → Whereas free speech is dangerous, re-evaluation of the “unfettered” concept is indicated. Options toward remediation are evaluated.

Outline

Is the First Amendment Obsolete?
  1. Core Assumptions of the Political First Amendment
  2. Attentional Scarcity and the Economics of Filter Bubbles
  3. Obsolete Assumptions
    • The Waning of Direct Censorship
    • Troll Armies
    • Reverse Censorship, Flooding, and Propaganda Robots
  4. What Might Be Done
    • Accepting a Limited First Amendment
    • First Amendment Possibilities
    • State Action — Accomplice Liability
    • State Action — Platforms
    • Statutory or Law Enforcement Protection of Speech Environments and the Press
  5. Conclusion

Conclusion

<quote>It is obvious that changes in communications technologies will present new challenges for the First Amendment. For nearly twenty years now, scholars have been debating how the rise of the popular Internet might unsettle what the First Amendment takes for granted. Yet the future retains its capacity to surprise, for the emerging threats to our political speech environment are different from what many predicted. Few forecast that speech itself would become a weapon of censorship. In fact, some might say that celebrants of open and unfettered channels of Internet expression (myself included) are being hoisted on their own petard, as those very same channels are today used as ammunition against disfavored speakers. As such, the emerging methods of speech control present a particularly difficult set of challenges for those who share the commitment to free speech articulated so powerfully in the founding—and increasingly obsolete—generation of First Amendment jurisprudence.</quote>

References

There are 134 references. In the typeset version (pdf), the references are sprinkled throughout in the legal style.  The web version places them at the end <ahem>where they don’t get in the way of the argument, and where they belong</ahem>.

CVE-2017-15361 – ROCA – Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli | CRoCS

ROCA: Vulnerable RSA generation (CVE-2017-15361)
The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli (ROCA)
CRoCS (Centre for Research on Cryptography and Security), Masaryk University

The paper is announced; full details are embargoed until the ACM CCS presentation, 2017-10-30.

<tldr>

A newly discovered vulnerability in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace. Assess your keys now with the provided offline and online detection tools and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. Full details including the factorization method will be released in 2 weeks at the ACM CCS conference as ‘The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli’ (ROCA) research paper.

</tldr>

Mentions

  • An RSA key generator is broken; factorization is practical for
    • 512 bits.
    • 1024 bits.
    • 2048 bits.
  • <quote>In NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012.</quote>
  • a software library,
    embedded in hardware: smartcards, security tokens,
    and Trusted Platform Modules (TPM)
  • Infineon Technologies AG.
  • roca-detect/1.0.3, requires a Python stack.
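What the detection tool actually checks, as an added example (not the CRoCS roca-detect code and not from the paper): the affected library draws its primes as p = k·M + (65537^a mod M) with M a primorial, so for every small prime r dividing M the residue N mod r of a product of two such primes lies in the subgroup generated by 65537 mod r. A random RSA modulus almost never satisfies all 39 conditions at once, so the public key alone gives the fingerprint. The block assumes M for 512-bit keys is the product of the first 39 primes, builds one modulus of the weak shape and one honest modulus at that size, and runs the fingerprint on both; nothing here factors anything.

```python
# Added example: the ROCA public-key fingerprint, plus a key generator that
# reproduces the weak structure so the fingerprint has something to catch.
# Assumptions: M = product of the first 39 primes (the 512-bit-key primorial),
# primes of the form k*M + 65537^a mod M. Not the roca-detect tool's code.
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]   # first 39 primes
E = 65537
M = 1
for _r in SMALL_PRIMES:
    M *= _r                      # about 219 bits


def _subgroup(r):
    """Residues {E^i mod r}: the set a weak modulus must land in mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % r
    return seen


SUBGROUPS = {r: _subgroup(r) for r in SMALL_PRIMES}


def roca_fingerprint(n):
    """True if n has the structure produced by the affected generator."""
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def is_probable_prime(n, rng, rounds=20):
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """An ordinary random prime of the given size (the honest case)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def roca_style_prime(bits, rng):
    """p = k*M + E^a mod M: the shape the fingerprint detects."""
    lo, hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M
    while True:
        a = rng.randrange(1, M)
        k = rng.randrange(lo, hi)
        p = k * M + pow(E, a, M)
        if is_probable_prime(p, rng):
            return p


def demo(seed=1):
    """(fingerprint of an honest 512-bit modulus, fingerprint of a weak one)."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    honest = random_prime(256, rng) * random_prime(256, rng)
    weak = roca_style_prime(256, rng) * roca_style_prime(256, rng)
    return roca_fingerprint(honest), roca_fingerprint(weak)


if __name__ == "__main__":
    print("honest, weak:", demo())
```

The same 39-prime test applies to 1024- and 2048-bit keys because their larger primorials are multiples of this M; the larger M is what makes the key structure shrink enough for Coppersmith’s method, but the detection side needs only the residues.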

Understanding Emerging Threats to Online Advertising | Budak, Goel, Rao, Zervas

Ceren Budak (Michigan), Sharad Goel (Stanford), Justin Rao (Microsoft), Georgios Zervas (Boston); Understanding Emerging Threats to Online Advertising; Research Paper No. 2505643, School of Management, Boston University; doi:10.1145/2940716.2940787, ssrn:2505643; 265 pages; 2014-10-06 → 2016-06-29.

tl;dr → Display advertising is in peril, and the parties exposed are the mid-sized publishers (linkbait shops and newspapers). Paywalls are indicated.

Abstract

Two recent disruptions to the online advertising market are the widespread use of ad-blocking software and proposed restrictions on third-party tracking, trends that are driven largely by consumer concerns over privacy. Both primarily impact display advertising (as opposed to search and native social ads), and affect how retailers reach customers and how content producers earn revenue. It is, however, unclear what the consequences of these trends are. We investigate using anonymized web browsing histories of 14 million individuals, focusing on “retail sessions” in which users visit online sites that sell goods and services. We find that only 3% of retail sessions are initiated by display ads, a figure that is robust to permissive attribution rules and consistent across widely varying market segments. We further estimate the full distribution of how retail sessions are initiated, and find that search advertising is three times more important than display advertising to retailers, and search advertising is itself roughly three times less important than organic web search. Moving to content providers, we find that display ads are shown by 12% of websites, accounting for 32% of their page views; this reliance is concentrated in online publishing (e.g., news outlets) where the rate is 91%. While most consumption is either in the long-tail of websites that do not show ads, or sites like Facebook that show native, first-party ads, moderately sized web publishers account for a substantial fraction of consumption, and we argue that they will be most affected by changes in the display advertising market. Finally, we use estimates of ad rates to judge the feasibility of replacing lost ad revenue with a freemium or donation-based model.

Building a 300 node Raspberry Pi supercomputer | ZDNet

Building a 300 node Raspberry Pi supercomputer; ; In ZDNet; 2017-09-29.
Teaser: Commodity hardware makes possible massive 100,000 node clusters, because, after all, commodity hardware is “cheap” — if you’re Google. What if you want a lot of cycles but don’t have a few million dollars to spend? Think Raspberry Pi

Original Sources

Affordable and Energy-Efficient Cloud Computing Clusters: The Bolzano Raspberry Pi Cloud Cluster Experiment; Free University of Bozen-Bolzano, Bolzano, Italy; arXiv:1709.06815.
Pekka Abrahamsson, Sven Helmer, Nattakarn Phaphoom, Lorenzo Nicolodi, Nick Preda, Lorenzo Miori, Matteo Angriman, Juha Rikkilä, Xiaofeng Wang, Karim Hamily, and Sara Bugoloni.

Mentions

Architecture

Network

  • “Standard” 802.3 Ethernet (wireline).
  • Snowflake configuration.
    A hierarchical star configuration.
  • Consumer-grade 1Gb/s.
  • Central meta-star switch
    Peripheral star-switches

Storage

  • SD-card flash is too slow.
  • Must use NAS on HDD on the LAN.

Power design

  • Custom PSU (not “stock” RPi PSU)
  • Repurposed, used, higher-capacity PSUs.
  • Subcluster: 24-nodes/PSU
  • Count: 25 sub-clusters

Mounting (physical design)

  • Bespoke
  • Think it through

Operating System

  • (stock) Debian v7
  • Cannot run OpenStack
  • Bespoke (bare metal) cluster management

Related

  • Some Paper; at Science Direct; no DOI, broken link.
    Basit Qureshi, Yasir Javed, Anis Koubâa, Mohamed-Foued Sriti, Maram Alajlan; Performance of a Low Cost Hadoop Cluster for Image Analysis in Cloud Robotics Environment; In Proceedings of the Symposium on Data Mining Applications (SDMA2016); Riyadh, Saudi Arabia; 2016-03-30 (9 pages).
    tl;dr → Claims to be able to run Hadoop and the Hadoop Image Processing Interface (HIPI) Library for Unmanned Aerial Vehicle (UAV) image processing.
  • Ten (10) Amazing Raspberry Pi Clusters; Some Cub Reporter (SCR); In Network World; WHEN?
  • Some Video; Hosted on YouTube; WHEN?
    tl;dr → Something about using Legos for rack construction, for rack mounting; the physical design of the racks themselves.

What is the Sawtooth Lake Distributed Ledger? | Hyperledger

What is the Sawtooth Lake Distributed Ledger?; staff; Hyperledger; undated.

tl;dr → it’s a blockchain whose consensus lottery, Proof of Elapsed Time (PoET), runs inside an Intel® Software Guard Extensions (SGX) enclave.

What’s an enclave?  It’s a computer-within-the-computer because we can’t trust the computer any more; it having been hacked by powers foreign and domestic.  Whereupon the computer-inside-the-Intel-inside being made of The Unhackable, we are safe.  The trust does not vanish, it moves: the enclave shields its code and data from the OS and hypervisor, but the scheme still rests on Intel’s CPU, microcode and attestation service, and the lottery is only as honest as the enclave that times it.

DOJ Subpoenas Twitter About Popehat, Dissent Doe And Others Over A Smiley Emoji Tweet | Techdirt

DOJ Subpoenas Twitter About Popehat, Dissent Doe And Others Over A Smiley Emoji Tweet; Mike Masnick; In TechDirt; 2017-10-24.

Are you sharing the same IP address as a criminal? Law enforcement call for the end of Carrier Grade NAT (CGN) to increase accountability online | Europol

Are you sharing the same IP address as a criminal? Law enforcement call for the end of Carrier Grade NAT (CGN) to increase accountability online; press release; EuroPol; 2017-10-17.

tl;dr → they want IPv6, so that one suspect maps to one Internet Protocol address; under CGN one public IPv4 address fronts many subscribers at once, and the port is what tells them apart.
and → <quote>A new version of IP address (IPv6) which provides an unlimited number of IP addresses…</quote> [“unlimited” rly? 2^128 is large, not unlimited]
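The attribution problem the press release complains about, as an added example (not Europol’s material): a public IPv4 address in front of a carrier-grade NAT is shared by many subscribers at the same moment and its ports are recycled, so a request that names only the address and a time returns a set of customers; address plus source port plus an exact UTC timestamp selects one mapping, and only if the ISP logged mappings at all. The session log is constructed; the record layout (subscriber, public address, public port, start, end) is an assumption.

```python
# Added example: why a public IPv4 address behind CGN does not name a subscriber.
# The session log is constructed, not a real CGN export; the layout is assumed.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Mapping:
    subscriber: str      # inside address from the RFC 6598 shared range, stands in for the customer record
    public_ip: str       # TEST-NET-3 documentation address
    public_port: int
    start: datetime      # mapping created
    end: datetime        # mapping torn down (exclusive)


def ts(s):
    """Parse an ISO-8601 timestamp as UTC; the log and the requester must agree on the zone."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


LOG = [
    Mapping("100.64.0.11", "203.0.113.7", 40001, ts("2017-10-13T09:00:00"), ts("2017-10-13T09:10:00")),
    Mapping("100.64.0.12", "203.0.113.7", 40002, ts("2017-10-13T09:00:00"), ts("2017-10-13T09:30:00")),
    # port 40001 is handed to another subscriber as soon as .11's session closes
    Mapping("100.64.0.13", "203.0.113.7", 40001, ts("2017-10-13T09:10:00"), ts("2017-10-13T09:30:00")),
    Mapping("100.64.0.14", "203.0.113.8", 40001, ts("2017-10-13T09:00:00"), ts("2017-10-13T09:30:00")),
]


def subscribers_for(public_ip, when, public_port=None, log=LOG):
    """Subscribers that could have been behind (public_ip[, public_port]) at `when`."""
    return sorted({
        m.subscriber for m in log
        if m.public_ip == public_ip
        and m.start <= when < m.end
        and (public_port is None or m.public_port == public_port)
    })


def attribution(public_ip, when, public_port=None):
    """'unique', 'ambiguous' or 'none': what a request carrying these fields can establish."""
    hits = subscribers_for(public_ip, when, public_port)
    return "none" if not hits else "unique" if len(hits) == 1 else "ambiguous"


if __name__ == "__main__":
    t = ts("2017-10-13T09:05:00")
    print(attribution("203.0.113.7", t), subscribers_for("203.0.113.7", t))
    print(attribution("203.0.113.7", t, 40001), subscribers_for("203.0.113.7", t, 40001))
```

A request with the address and a minute-level time, which is what a remote web server’s log usually yields, lands in the ambiguous branch; the port and a second-accurate UTC timestamp move it to the unique branch. That logging and retention requirement on the ISP side is the part the release leaves out; IPv6 removes the sharing, not the need for a timestamp.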

Occasion

A workshop, 2017-10-13. With a finding, and a press release.

Mentions

  • Europol
  • Estonian Presidency of the EU Council
  • Carrier Grade Network Address Translation (CGN, CG-NAT)
  • Standing Committee on Operational Cooperation on Internal Security (COSI)
  • Action Plan on Internet and Terrorism
  • Cybercrime Task Force, European Union
  • IPv6

Funding

  • Proximus
  • CISCO
  • ISOC
  • the IPv6 Company
  • European Commission.

Quoted

  • Rob Wainwright, Executive Director, Europol.
  • Steven Wilson, “head” of European Cybercrime Centre, Europol.

How the Frightful Five Put Start-Ups in a Lose-Lose Situation | NYT

How the Frightful Five Put Start-Ups in a Lose-Lose Situation; Farhad Manjoo; In The New York Times (NYT); 2017-10-18.
Teaser: The tech giants are too big. But so what? Hasn’t that always been the case?

tl;dr → Betteridge’s Law.  No. [this time it’s different]
and → Problematizing the space, a jeremiad.
bad → Amazon, Apple, Google, Facebook, Microsoft. branded as “The Frightful Five”

Mentions

  • Frightful Five = Amazon, Apple, Google, Facebook, Microsoft.
    Manjoo’s epithet for the circumscribed scope of these op-ed pieces.
  • #startups
  • IBM
  • WhatsApp
  • Snapchat
  • Facebook
  • Snapchat Stories
  • Instagram
  • IAC
    • Origin
      • Barry Diller [Barry Diller's money]
    • Properties
      • Expedia
      • Match.com
      • Tinder
      • Ask.com
      • Vimeo
      • Angi Homeservices = Angie’s List + HomeAdvisor.

Who

  • Dara Khosrowshahi, chief executive, Uber; ex-chief executive, Expedia.
  • Joey Levin, chief executive, IAC.
  • Chris Terrill, chief executive, Angi Homeservices.

Pantheon

  • Clayton Christensen, boffo.
  • Barry Diller, boffo; media tycoon, television.
  • Joseph Schumpeter, boffo.
