Jul 19, 2024

So everyone is talking about the major IT outage today (which actually turned out to be two unrelated outages, the second due to a since-remedied issue with the Microsoft Azure platform), namely the fact that millions of physical computers and virtual machines around the world are crashing due to a driver failure in what is known as CrowdStrike Falcon.

I admit I have not heard of CrowdStrike Falcon before. I had to look it up. So I went to the most authoritative source: the company’s Web site.

“Cybersecurity’s AI-native platform for the XDR era,” it tells me, and “We stop breaches”. XDR is supposedly “extended detection and response”. Wikipedia tells me that “the system works by collecting and correlating data across various network points such as servers, email, cloud workloads, and endpoints”. Microsoft tells me that XDR “is a holistic security solution that utilizes automation and AI to reduce response time across multiple workloads”.

Going back to CrowdStrike, I learn that it yields $6 of return for every $1 invested. (How?) That it identifies 96% more potential threats. (More than what? More dentists use…) It tells me that it leads to 2x as effective security teams with 66% faster investigations… compared to what?

Okay, scrolling down… it’s “cloud-native”, “single-platform” and an “open and extensible ecosystem”. It is “data-centric” and “AI-native” with “workflow automation”.

So far there is one thing I have not yet learned: What the bleepety-bleep does it do?

Of course I can guess. I know what security solutions are supposed to do, and I have no doubt that CrowdStrike delivers… more or less, probably not any better than its major competitors. But they certainly have good marketing, with all the right buzzwords!

Unfortunately, behind these buzzwords there is a flawed mentality. The implication that all it takes is a fancy software solution to protect your enterprise. Never mind that a good chunk of the threats (I was going to say, “vast majority”, but I have no data to back that up) are not in the form of malware. If I communicate with a senior manager at a bank and convince them to initiate an important transfer that later turns out to be fraudulent, no cybersecurity is going to prevent that.

And as today’s example shows, protection from malware and other technological threats is just one element of a successful cybersecurity policy. A comprehensive policy must be based not just on prevention but also the recognition that sometimes, despite your best efforts, excrement can hit the ventilator. How do you detect it? What do you do?

That leaves us with these main points that must be on everyone’s cybersecurity checklist, whether you are a small company or a major international enterprise. Here, in no particular order, and I am sure I left some things out:

  • Threat prevention (technological prevention, such as antivirus software, network firewalls, real-time monitoring)
  • Data collection (comprehensive logs that may be used for threat detection, forensic analysis, mitigation)
  • Compartmentalization (user privileges, user access management, network architectures)
  • User relationships (user education, use management — treating users as partners not as threats)
  • Backup and recovery procedures and policies, tested (!) and validated
  • Intrusion detection
  • Intrusion response (emergency operations, fallback operations including manual operations if needed, notification policy)
  • Mitigation, self and third-party impact
  • Recovery
  • Forensic analysis and prevention
  • Auditing and risk analysis (including third party dependence)

I mean, come on, CrowdStrike’s graphic is eye-catching but I swear I drew much more informative diagrams well over a decade ago when educating customers about the need for comprehensive security. Like these, for instance.

Sure, comprehensive cybersecurity technology can help with some of these points. But not all. For instance, no cybersecurity solution will help you if broad dependence on a third-party component in your enterprise suddenly causes a widespread outage. That dependence can be anywhere, could be a simple messaging app or a complex cybersecurity suite. If it causes systems to crash, and you have no proven, tested policies and practices to detect, mitigate, and recover from an event like that, you’re in deep doo-doo.

Oh wait. That’s exactly what happened to far too many companies today.

 Posted by at 6:33 pm
Jul 19, 2024

I admit I almost lost it last night.

I was attempting to sign up as an author with a notable scientific journal (who shall remain nameless as I am cowardly and I hope to remain in their good graces.) I was confronted with a questionnaire asking about some personal details.

Okay, so they want to know about my name, e-mail address, office phone and institution. All perfectly reasonable, even though I do not have a formal affiliation which sometimes means going through extra hoops, trying to convince the software that I am nonetheless legit. Then came more personal questions such as my gender and age. But then… race, ethnicity, sexual orientation…

Sexual orientation???

I beg your pardon?

Say what? I apologize for language that’s rude and crude, but what the fuck do my scientific contributions have to do with the privacy of my bedroom and how is that your fucking business?

I generally consider my ideological affiliation left-of-center, which is to say more likely leaning towards a progressive liberal attitude. But this? Granted, there was the option, “prefer not to answer”. Nonetheless, I was beyond offended. In this context, the question is downright creepy. What are they going to ask next from prospective authors? How often do you masturbate? Do you prefer conventional or unconventional positions while copulating? Are you into S&M?

I mean, seriously, all I am trying to do is to submit a physics paper to a scientific publication. Not interrogated about my bedroom habits.

Of course I know the answer. This is checkbox-driven DEI virtue-signaling. Someone, somewhere, will write a report about how well (or how badly) this scientific publication represents various communities. Never mind that the actual science should have absolutely nothing to do with race, ethnicity, or sexual orientation. They now have checkboxes, and no doubt, folks patting themselves on the back being proud of what they have accomplished, making the world more inclusive and all.

Except that they didn’t. Except that these forms of aggressive, self-serving episodes of virtue signaling achieve the exact opposite: instead of steering the world towards a future in which such superficial characteristics no longer matter, instead of a world in which we are all judged by the content of our character, they not only keep divisions alive, they are actively deepening them.

And that’s why we can’t have nice things anymore.

 Posted by at 6:16 pm
Jul 13, 2024

This is a picture perfect moment. For all the wrong reasons, but this image is destined for the history books.

July 13, 2024. I have the feeling that it will be remembered like a day almost precisely 80 years ago, July 20, 1944, when another defiant leader emerged, mostly unscathed, from an assassination attempt.

Assassinations do not restore or strengthen democracy. We’ve known that at least since the times of ancient Rome, since Marcus Junius Brutus and co-conspirators assassinated Julius Caesar almost two thousand years ago. Rather than saving the Roman Republic, they hastened its demise.

The only thing worse than the assassination of a tyrant (or a would-be tyrant, as some see Trump) is a failed assassination. Which is what happened 80 years ago in the famed Wolf’s Lair. Ironically, Hitler was also injured in his ears. But far from weakening him, the assassination attempt likely played a role in Germany fighting all the way to the bitter end, as Hitler viewed his survival as a divine moment. What the fallout from the attempt on Trump’s life will be is yet an open question, but there is one thing of which I am sure: it’s going to be bad news for his political opponents and, by extension, for all of us who worry about the future of the Western democratic world order.

 Posted by at 11:27 pm
Jul 10, 2024

Throughout her life my Mom earned a living as an artisan textile dyer in Hungary. Nothing fancy, her usual work involved bringing home to her workshop a few hundred, e.g., silk sheets, hand-dyeing them with predetermined, preapproved patterns (mostly fashionable headscarves, which were very popular in Europe in the 1960s, 1970s), then returning them to the warehouse, which then sent them out for further processing (steam fixing, hemming, etc.)

One day in 1984 she was asked to do something different: To prepare several silk sheets, using the designs, and under the supervision, of a well-known artist (Judit Szabó), for public display in a community hall in a small Hungarian town (Földeák).

She was reminded of this during our recent conversation. Though I had no high expectations, I searched for it using the name of the town and the artist. To our no small astonishment (and to my Mom’s great delight), I found it. The silk sheets are still there (or at least, they were back in 2021), adorning the walls of the town’s wedding hall. Not only that, someone actually took the trouble to take some decent photographs of it and publish it on a nice Hungarian-language Web site.

 Posted by at 1:13 pm
Jul 10, 2024

I was so busy with things like Linux updates, I forgot to celebrate. My main Internet domain, vttoth.com, was 30 years old just ten days ago.

$ whois vttoth.com | grep "^Creation Date"
Creation Date: 1994-06-30T23:00:00Z

To be sure, it’s not the oldest domain in existence, not by a long shot.

$ whois oracle.com | grep "^Creation Date"
Creation Date: 1988-12-02T05:00:00+0000

But then, look at these guys:

$ whois facebook.com | grep "^Creation Date"
Creation Date: 1997-03-29T05:00:00Z
$ whois google.com | grep "^Creation Date"
Creation Date: 1997-09-15T07:00:00+0000
$ whois whitehouse.gov | grep "Creation Date"
Creation Date: 1997-10-02T01:29:32Z

So yes, I suppose I’ve been around. Here’s the earliest version of my Web site as remembered by The Wayback Machine:

Well, I suppose Web sites have become a tad more sophisticated since then.

 Posted by at 1:12 am