Submission + - Britain's nuclear submarine software built by Belarusian engineers (telegraph.co.uk)

An anonymous reader writes: Britain’s nuclear submarine engineers use software that was designed in Russia and Belarus, in contravention of Ministry of Defence rules, The Telegraph can reveal.

The software should have been created by UK-based staff with security clearance, but its design was partially outsourced to developers in Siberia and Minsk, the capital of Belarus.

Submission + - CrowdStrike, Delta, Shareholders and Asymmetry Make for Messy Security (thecyberexpress.com)

storagedude writes: It’s been two weeks since the global CrowdStrike outage crashed 8.5 million Windows machines, and the lawyers have taken over: Shareholders and Delta are suing CrowdStrike, while CrowdStrike is suing — wait for it — parody sites.

One undiscussed underlying cause of the outage and its extensive damage could be the “shareholder first” mentality that has dominated U.S. companies since the Reagan era, writes longtime Slashdot contributor Paul Shread in an article in The Cyber Express.

“The ‘shareholder first’ doctrine means that companies try to get by with minimal investment while pushing employees and productivity as much as possible,” Shread writes. “That creates fragile systems, and an incident like CrowdStrike-Microsoft-Delta shows just how fragile that chain is, when inadequate testing, a rushed update, a fragile operating system and inadequate recovery processes come together to create a $500 million loss. And that’s just one customer; total outage losses have been estimated at $15 billion by cyber insurer Parametrix.

“With the ‘shareholder first’ focus on maximum profitability, marketing gets ahead of the technology and companies overpromise and underdeliver, and lawyers are brought in to make sure the company can retain every advantage.

“So you get onerous terms and conditions like CrowdStrike’s, where damages are limited to refunds and you get curious language like the following that seems incongruent with a company that has carefully built a reputation as a supplier to organizations with high security needs (the caps are CrowdStrike’s):

“’THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations.’

“CrowdStrike is hardly the only security vendor with terms like that, but it sure doesn’t give you confidence in the security of our critical infrastructure.

“One top industry official — Alex Stamos, SentinelOne’s new CISO — essentially accused CrowdStrike of negligence in a podcast earlier this week, and competitors like Fortinet and Sophos have been revealing how they handle kernel updates to reassure customers.

“But it’s fair to ask: How secure are our security tools? The answer is murky, in part because there are few industries that suffer from greater ‘information asymmetry’ than cybersecurity, where sellers know much more than buyers about how well these products actually work and there are no standards for efficacy.

“A Picus Security report published this week found that security tools miss an alarming number of attacks. While prevention effectiveness rose from 59% in the 2023 report to 69% in 2024, detection effectiveness, and alert scores in particular, dropped from 16% to 12%. ‘This means we are better at preventing some attacks, we are still struggling to detect them promptly,’ Picus said.”

Desktops (Apple)

Mac Certificate Check Stokes Fear That Apple Logs Every App You Run (arstechnica.com)

Last week, Apple released macOS Big Sur and the rollout was anything but smooth. The mass upgrade caused the Apple servers responsible for checking if a user opens an app not downloaded from the App Store to slow to a crawl. Apple eventually fixed the problem, "but concerns about paralyzed Macs were soon replaced by an even bigger worry -- the vast amount of personal data Apple, and possibly others, can glean from Macs performing certificate checks each time a user opens an app that didn't come from the App Store," writes Dan Goodin via Ars Technica. From the report: Before Apple allows an app into the App Store, it must first pass a review that vets its security. Users can configure the macOS feature known as Gatekeeper to allow only these approved apps, or they can choose a setting that also allows the installation of third-party apps, as long as these apps are signed with a developer certificate issued by Apple. To make sure the certificate hasn't been revoked, macOS uses OCSP -- short for the industry standard Online Certificate Status Protocol -- to check its validity. [...] Somehow, the mass number of people upgrading to Big Sur on Thursday seems to have caused the servers at ocsp.apple.com to become overloaded but not fall over completely. The server couldn't provide the all clear, but it also didn't return an error that would trigger the soft fail. The result was huge numbers of Mac users left in limbo.

The post Your Computer Isn't Yours was one of the catalysts for the mass concern. It noted that the simple HTML get-requests performed by OCSP were unencrypted. That meant that not only was Apple able to build profiles based on our minute-by-minute Mac usage, but so could ISPs or anyone else who could view traffic passing over the network. (To prevent falling into an infinite authentication loop, virtually all OCSP traffic is unencrypted, although responses are digitally signed.) Fortunately, less alarmist posts like this one provided more helpful background. The hashes being transmitted weren't unique to the app itself but rather the Apple-issued developer certificate. That still allowed people to infer when an app such as Tor, Signal, Firefox, or Thunderbird was being used, but it was still less granular than many people first assumed. The larger point was that, in most respects, the data collection by ocsp.apple.com wasn't much different from the information that already gets transmitted in real time through OCSP every time we visit a website. [...] In short, though, the takeaway was the same: the potential loss of privacy from OCSP is a trade-off we make in an effort to check the validity of the certificate authenticating a website we want to visit or a piece of software we want to install.

In an attempt to further assure Mac users, Apple on Monday published this post. It explains what the company does and doesn't do with the information collected through Gatekeeper and a separate feature known as notarization, which checks the security even of non-App Store apps. The post went on to say that in the next year, Apple will provide a new protocol to check if developer certificates have been revoked, provide "strong protections against server failure," and present a new OS setting for users who want to opt out of all of this. [...] People who don't trust OCSP checks for Mac apps can turn them off by editing the Mac hosts file. Everyone else can move along.

Comment Re:With such an extreme wealth gap (Score 1) 110

As someone who is 40 years old, I can tell you that between 1999 and 2004 getting a full-time job with just a high school diploma would have been quite difficult. Getting a full-time job with a bachelor's degree was certainly no cakewalk either. While I sympathize with you, you would do well to remember that many generations have fallen victim to or benefited from the boom and bust cycles of our economy. I'm not a historian, but I'm thinking you would probably have to go back to the post-WWII period to find a time when employment was practically guaranteed.
