So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into • The Register

Voice Of EU

Published

on

Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.

Details of holes cannot be publicized until the bugs are fixed. Malicious exploit code cannot be released. There are restrictions on disclosing details of flaws to foreign organizations. And vendors will be under pressure to address these vulnerabilities as soon as they can and set up bounty programs to reward researchers.

The regulations are intended to tighten up the nation’s cyber-security defenses, crack down on the handling and dissemination of bugs, and keep China’s elite up to speed on exploitable flaws present in Chinese-made communications systems, wherever in the world that technology may be deployed.

It appears these rules ensure Beijing will be among the first to know of security weaknesses in equipment and software potentially present in foreign infrastructure and networks as well as domestic deployments. The rules were issued on Tuesday, come into effect on September 1, and apply to people and organizations operating within China. The following articles stuck out to us:

Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers. These sorts of regulations matter a lot: infosec experts in the Middle Kingdom earlier pulled out of exploit contests like Pwn2Own due to changes to the law within China.

“Chinese teams stopped participating in Pwn2Own after 2017 when there were regulatory changes that no longer allowed for participation in global exploit contests,” Brian Gorenc, head of ZDI and Pwn2Own at Trend Micro, told The Register on Wednesday.

It will also complicate matters for those hoping to engage with foreign bug bounty programs, which may or may not follow China’s strict rules – particularly articles 7 and 9 – creating legal uncertainty for those participating.

“The law looks rather unclear,” Katie Moussouris, founder of Luta Security and a pioneer in designing bug bounties, told The Register. “There are Chinese bug bounty programs but whether or not Western based companies would comply is a question that needs answering. We’ll need to see a case emerge where the Chinese authorities attempt to exert the directive to see.”

Another part of the order that worries Moussouris is the central Chinese vulnerability database that will be created to house all of these reported bugs: it’s an obvious target for espionage. Then there’s the fact that two days is not long enough to triage a bug report.

“Two days isn’t enough for a thorough investigation for a flaw and certainly not enough time to make a fix that works,” she said.

“It’s also a dangerous place to be for an unpatched-vulnerabilities database, which would be an incredibly attractive target for adversaries – our people will be targeting it, I’m sure.”

Who could forget Uncle Sam’s Office of Personnel Management, which was ransacked in 2015 by Chinese cyber-spies who made off with sensitive records on more than 20 million US govt staff. Former NSA boss Michael Hayden said the United States, given the opportunity, would have done the same to a foreign power.

“If I as director of CIA or NSA would have had the opportunity to grab the equivalent from the Chinese system, I would not have thought twice, I would not have asked permission, I’d have launched the Star Fleet and we’d have brought those suckers home at the speed of light,” Hayden said.

There’s also the question of what the Chinese government will do with its haul of vulnerability reports. With some in the West hurrying to remove Chinese vendors’ kit from networks, this edict may intensify such efforts for fear a zero-day in such equipment will be exploited by Beijing. ®

This start-up is offering stressed techies the chance to switch off at its cabins

Slow Cabins is coming to Ireland and aiming to tap into the trend for low-impact, sustainable, digital-free tourism.

A hospitality rental company targeting techies who want to digitally detox is preparing to welcome its first guests in Ireland.

Founded in 2017, Slow Cabins seeks to offer people the opportunity to spend time away from their tech lives in relaxed, remote and eco-friendly surroundings.

It is currently taking bookings in Ireland and will open its first cabins here from 1 August. As well as Ireland, the start-up has operations in Belgium and the Netherlands.

All of its cabin locations are secret to purposely encourage guests to switch off and detox from their day-to-day stresses. Guests book their cabins without knowing the exact location, but all cabins are located within a two-and-a-half hour drive from major cities.

Within about two weeks of the trip, guests receive details with the exact location of their cabin. Even then, they may have to park their cars and hike to get to their accommodation.

The idea behind Slow Cabins comes from low-impact and sustainable tourism. Cabins are equipped with queen-sized beds, log burners, solar panels, dry toilets, fire pits, grills and large windows. Each cabin is powered naturally by sunlight and water.

“Recent European studies show that our resilience improves and stress levels decrease by up to 70pc after a stay in nature,” said Slow Cabins Ireland director Matthew Parkinson.

“Getting away from it all brings peace, energy and a sense of perspective. And that’s where Slow Cabins have an interesting role to play in a fast ‘always-on’ society. Profit is not our only goal, but rather a means to create more positive social and environmental impact,” he added.

Best podcasts of the week: Sam Smith charts 40 years of progress on HIV and Aids | Podcasts

Picks of the week

A Positive Life: HIV from Terrence Higgins to Today
BBC Sounds, episodes weekly from 1 Jul
Sam Smith presents this series about the legacy of Terrence Higgins, one of the first people to die of Aids in the UK. The opening episodes tell the story of Terry, “the swashbuckler of life”, with London friends sharing their grief and confusion at his death. There’s optimism, too, as Smith hears from those who fought to make treatment available, and those living with HIV 40 years on. Hannah Verdier

The Last Bohemians
Widely available from 6 Jul

LA’s unsung heroines of rock’n’roll get their moment in the spotlight in the new series of Kate Hutchinson’s fierce female-applauding podcast. As always, the more offbeat characters are the best, starting with Angelyne, the “billboard queen” and hustler. Punk widow Linda Ramone and surrealist Penny Slinger are also coming up. HV

Dear Poetry
Audible, episodes weekly

Luisa Beck believes in the healing power of poetry and she’s spreading the love in a new podcast, with writers suggesting soothing texts to solve people’s problems. At one memorable point, author Luther Hughes gives a 21-year-old looking for love a poem with a powerful message: “You are that bitch – it’s gonna happen when it happens”. HV

Project Unabom
Apple Podcasts, episodes weekly

Notorious serial bomber Ted Kaczynski was the subject of an 18-year manhunt, and this podcast looks at what happened in that time. Host Eric Benson recalls Kaczynski’s threats to stage more attacks if the Washington Post didn’t publish his manifesto, and shares interviews with a Dungeons and Dragons club that became the FBI’s initial suspects. HV

Algorithms
Audible, all episodes available

Comic Sadie Clark creates a podcast from her Edinburgh show – once called a “bisexual Bridget Jones for the online generation”. It opens with main character Brooke’s mum (Alison Steadman) spying explicit photos of her online. One breakup later and she’s using the dating app she writes the algorithm for, with pleasingly clumsy results. HV

There’s a podcast for that

Kristin Davis, Sarah Jessica Parker, Cynthia Nixon and Kim Cattrall filming Sex and the City: The Movie in 2007. Photograph: James Devaney/WireImage

This week, Hannah Verdier chooses five of the best TV companion podcasts, from Dolly Alderton’s Sex and the City show to a Scrubs rewatch with stars Zach Braff and Donald Faison.

Obsessed With …
The BBC’s companion series to talked-about shows including Killing Eve, Peaky Blinders and Normal People is always high quality. Line of Duty brought out the big guns with Craig Parkinson, Vicky McClure and Martin Compston all giving their theories ahead of the big reveal, while Sophie Duker secured Michaela Coel for the finale of I May Destroy You. But watchalongs don’t always need high drama, as Evanna Lynch and Riyadh Khalaf proved as they bravely tackled the slowly shifting quadrangle of Conversations with Friends.

Sentimental and the City
If you initially had problems with And Just Like That’s faux-wokery but then grew to love it like a Botoxed old friend, Caroline O’Donoghue and Dolly Alderton hear you. These are women who know their stuff, with O’Donoghue uttering the words: “I don’t like the look of Big on that Peloton and I’m worried” after seeing just the trailer. Their Sentimental Garbage miniseries on the Sex and the City sequel is a place where debate about the divisive depiction of ageing, sexuality and diversity sits perfectly with lighter moments, like giggling over Charlotte’s robot lines.

Squirrel Friends: The Official RuPaul’s Drag Race Podcast
There’s not exactly a shortage of RuPaul-related pods out there, but this one comes from inside the Drag Race community, with hosts Loni Love and Alec Mapa who’ve been there and done the guest judging. Cackling and spilling of the hottest tea comes as standard as they recap All Stars season seven, dissecting all the entrance looks, performances and personalities. Their love for RuPaul never wavers, as they dish out compliments, one-liners and behind-the-scenes gossip after every episode of the hit show.

The Stranger Things Podcast
All-American father-daughter duo Addi Darnell and Darrell Darnell gently mock each other while going into the intricacies of the disturbingly lovable drama in podcast episodes that are even longer than the latest instalments. Is “whet your appetite” a thing? What’s the difference between hellfire and heckfire? And why is Eddie still languishing in high school when his teachers must be so desperate to see the back of him? No fan question is left unanswered in the deepest dive out there.

Fake Doctors, Real Friends with Zach and Donald
With nine seasons of the US medical comedy-drama Scrubs settling into its new home on Disney+, it’s the ideal time to rewatch your favourite episodes along with its two main stars. JD and Turk (Zach Braff and Donald Faison) are now six seasons into their recaps, screeching with laughter at on-set moments and fondly remembering the times they broke down and cried. Their friendship and unmistakable chemistry are as tight off-screen as on, but occasionally they stop nattering for long enough to welcome guests such as Heather Locklear and Seth Green.

Why not try …

  • The stranger than fiction story of “Ohio’s bear king”, complete with music from Grandaddy’s Jason Lytle in Beast Master.

  • A special dose of summer spookiness, with a trio of new episodes from Danny Robins’s Uncanny.

W3C overrules Google, Mozilla’s objections to identifiers • The Register

The World Wide Web Consortium (W3C) has rejected Google’s and Mozilla’s objections to the Decentralized Identifiers (DID) proposal, clearing the way for the DID specification to be published as a W3C Recommendation next month.

The two tech companies worry that the open-ended nature of the spec will promote chaos through a namespace land rush that encourages a proliferation of non-interoperable method specifications. They also have concerns about the ethics of relying on proof-of-work blockchains to handle DIDs.

The DID specification describes a way to deploy a globally unique identifier without a centralized authority (eg, Apple for Sign in with Apple) as a verifying entity.

“They are designed to enable individuals and organizations to generate their own identifiers using systems they trust,” the specification explains. “These new identifiers enable entities to prove control over them by authenticating using cryptographic proofs such as digital signatures.”

The goal for DIDs is to have: no central issuing agency; an identifier that persists independent of any specific organization; the ability to cryptographically prove control of an identifier; and the ability to fetch metadata about the identifier.

These identifiers can refer to people, organizations, documents, or other data.

DIDs follow the URI syntax, for example did:example:123456789abcdefghi. Here “did” is the scheme, “example” is the DID method, and “123456789abcdefghi” is the DID method-specific identifier.

“DID methods are the mechanism by which a particular type of DID and its associated DID document are created, resolved, updated, and deactivated,” the documentation explains.

This would be expressed in a DID document, which is just a JSON Object that contains other key-value data describing things like how to verify the DID controller (the entity able to change the DID document, typically through control of cryptographic keys) in order to have a trusted, pseudonymous interaction.
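To make the three-part identifier and the DID document concrete, here is an added example (my own code, not the W3C specification’s or The Register’s) that parses a DID into scheme, method and method-specific identifier, then reads a constructed DID document and pulls out the verification methods a relying party would use to check that whoever presents the DID actually controls it. The regular expression is my transcription of the DID Core syntax rules as I understand them (lowercase method name, colon-separated identifier segments, percent-encoding allowed) and should be treated as an assumption; the sample document, its key ids and the placeholder public keys are all constructed for this illustration and do not come from any real registry.

```python
import json
import re
from dataclasses import dataclass

# My transcription of the DID Core syntax (assumption, not the spec's own code):
#   did                = "did:" method-name ":" method-specific-id
#   method-name        = 1*method-char            ; lowercase letters and digits
#   method-specific-id = *( *idchar ":" ) 1*idchar
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(
    r"^did:(?P<method>[a-z0-9]+):(?P<id>(?:" + _IDCHAR + r"*:)*" + _IDCHAR + r"+)$"
)


@dataclass(frozen=True)
class DID:
    scheme: str
    method: str
    method_specific_id: str


def parse_did(value: str) -> DID:
    """Split a DID string into scheme, method and method-specific identifier.

    Raises ValueError for anything that does not match the DID syntax, so a
    caller never has to guess which DID method a malformed string belongs to.
    """
    m = _DID_RE.match(value)
    if m is None:
        raise ValueError(f"not a syntactically valid DID: {value!r}")
    return DID("did", m.group("method"), m.group("id"))


def is_valid_did(value: str) -> bool:
    """Boolean convenience wrapper around parse_did."""
    try:
        parse_did(value)
        return True
    except ValueError:
        return False


# Constructed sample DID document (not from any real DID method or registry).
# Public key values are obviously labelled placeholders.
SAMPLE_DID_DOCUMENT = json.dumps({
    "@context": "https://www.w3.org/ns/did/v1",
    "id": "did:example:123456789abcdefghi",
    "verificationMethod": [{
        "id": "did:example:123456789abcdefghi#key-1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:example:123456789abcdefghi",
        "publicKeyMultibase": "zPLACEHOLDER-PUBLIC-KEY-1",
    }],
    # "authentication" may hold either a reference to an entry above or an
    # embedded verification method; both forms appear here on purpose.
    "authentication": [
        "did:example:123456789abcdefghi#key-1",
        {
            "id": "did:example:123456789abcdefghi#key-2",
            "type": "Ed25519VerificationKey2020",
            "controller": "did:example:123456789abcdefghi",
            "publicKeyMultibase": "zPLACEHOLDER-PUBLIC-KEY-2",
        },
    ],
})


def authentication_methods(did: str, document_json: str) -> list:
    """Return the verification methods usable to authenticate as `did`.

    Checks a relying party should make before trusting any key in the
    document: the document describes the DID that was resolved, every
    reference points at a verification method that exists, and every
    method names a syntactically valid controller DID.
    """
    parse_did(did)  # reject malformed input before touching the document
    doc = json.loads(document_json)
    if doc.get("id") != did:
        raise ValueError(f"document id {doc.get('id')!r} does not match {did!r}")
    by_id = {vm["id"]: vm for vm in doc.get("verificationMethod", [])}
    methods = []
    for entry in doc.get("authentication", []):
        if isinstance(entry, str):
            if entry not in by_id:
                raise ValueError(f"authentication references unknown method {entry!r}")
            vm = by_id[entry]
        else:
            vm = entry
        parse_did(vm["controller"])  # controller must itself be a DID
        if not vm["id"].startswith(did + "#"):
            raise ValueError(f"verification method {vm['id']!r} does not belong to {did!r}")
        methods.append(vm)
    return methods


if __name__ == "__main__":
    print(parse_did("did:example:123456789abcdefghi"))
    for vm in authentication_methods("did:example:123456789abcdefghi", SAMPLE_DID_DOCUMENT):
        print(vm["id"], vm["type"])
```

Note that nothing here resolves a DID to its document or verifies a signature: both steps are defined per DID method, which is exactly the part of the design Google and Mozilla say cannot be reviewed from the core specification alone. What the core syntax does fix is the split into method and method-specific identifier, and the document-level checks above (id match, resolvable references, well-formed controller) are the ones any method-agnostic verifier can still make.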

What Google and Mozilla object to is that the DID method is left undefined, so there’s no way to evaluate how DIDs will function nor determine how interoperation will be handled.

“DID-core is only useful with the use of ‘DID methods’, which need their own specifications,” Google argued. “… It’s impossible to review the impact of the core DID specification on the web without concurrently reviewing the methods it’s going to be used with.”

Each DID method specification amounts to a novel URI scheme, comparable to the http scheme [RFC7230], and each differs from the others. For example, there’s the trx DID method specification, the web DID method specification, and the meme DID method specification.

These get documented somewhere, such as GitHub, and recorded in a verifiable data registry, which in case you haven’t guessed by now is likely to be a blockchain – a distributed, decentralized public ledger.

However, there is a point of centralization: the W3C DID Working Group, which has been assigned to handle dispute resolution over DID method specs that violate any of the eight registration process policies.

Mozilla argues the specification is fundamentally broken and should not be advanced to a W3C Recommendation.

“The DID architectural approach appears to encourage divergence rather than convergence & interoperability,” wrote Tantek Çelik, web standards lead at Mozilla, in a mailing list post last year. “The presence of 50+ entries in the registry, without any actual interoperability, seems to imply that there are greater incentives to introduce a new method, than to attempt to interoperate with any one of a number of growing existing methods.”

Mozilla significantly undercounted. There are currently 135 entities listed by the W3C’s DID Working Group, up from 105 in June 2021 and 86 in February 2021 as the spec was being developed. If significant interest develops in creating DID methods, the W3C – which this week said it is pursuing public-interest non-profit status – may find itself unprepared to oversee things.

Google and Mozilla also raised other objections during debates about the spec last year. As recounted in a mailing list discussion by Manu Sporny, co-founder and CEO of Digital Bazaar, Google representatives felt the spec needed to address DID methods that violate ethical or privacy norms by, for example, allowing pervasive tracking.

Both companies also objected to the environmental harm of blockchains.

“We (W3C) can no longer take a wait-and-see or neutral position on technologies with egregious energy use,” Çelik said. “We must instead firmly oppose such proof-of-work technologies including to the best of our ability blocking them from being incorporated or enabled (even optionally) by any specifications we develop.”

Despite these concerns, as well as resistance from Apple and Microsoft, the W3C overruled the objections in a published decision, a requirement for advancing the spec’s status. ®
