129: Ransomware & Cybersecurity, Zero Trust, New Book on Amazon, Waymo, Google GCP + SpaceX Starlink, TSMC AZ 3nm, Light Pollution Map, and Loneliest Man in the Universe
"The fictional Battlestar Galactica series explains a key similarity"
The ancients believed that all celestial objects revolved around the earth in circular orbits.
When it became clear that the observed behavior of the celestial objects did not fit this assumption, those astronomers produced ever-more-complex charts by adding epicycles — intersecting arcs and circles — to fit the heavens to their beliefs.
Many kept this up even after science advanced.
(make sure you aren’t ‘adding epicycles’ to try to fit reality to what you want it to be, rather than updating your view of reality to best reflect ground truth)
🎤 I posted my first non-paywalled podcast yesterday. Thank you for all the encouraging feedback.
It’s such a different medium than text, I’m still figuring out what I want to do with it, but it’s a nice bat-tool to have on the bat-utility-belt. 🦇
🛀 I was thinking about how there’s a bunch of things that are so incredibly useful to our civilization, that have so many other things depend on them or built on top of them, that if they didn’t exist or disappeared, things would change a lot.
For example, what if we couldn’t make plastics. Any plastics. What if we could only make things with metal, glass, wood, ceramics, etc.
Or if chlorine didn’t exist, or didn’t kill micro-organisms.
What if soap didn’t exist, or kinda washed out dirt, but didn’t disinfect (kill and remove bacteria and viruses)…?
What if the Haber–Bosch process for artificial nitrogen fixation to make lots of cheap fertilizer didn’t exist, or worked at 10% or 1% of the current efficiency?
What else, what else…
What if there were no hydrocarbons buried in the Earth’s crust?
What if the speed of light was 1/10th or 1/1000th or 1/1,000,000th of what it is? How would that impact computers and global communications?
What if the usable electromagnetic spectrum was orders of magnitude smaller? What if that “pipe” was super narrow, and having an FM radio station in a city meant nobody could have wifi or cellphones? Or cell data transfer maxed out at like 5kbps?
What if the surface tension of water was a few orders of magnitude stronger than it is?
What if water froze at 10 celsius rather than 0? What about -10 or -20C?
I don’t know, just fun to think about, I guess…
🧡 🥃 Become a supporter on orange heart day, it’s the best day to do so, and it only takes 15 seconds if you really hurry through it:
Investing & Business
Colonial Pipelines & Hacked Police Department
There’s a joke in there somewhere 🤔
You know, it's not because you have that name that your IT security needs to be from the colonial era *rimshot*
Ok, that sucked. Anyway…
I'm very curious what their security setup was before the attack, and what they're doing to beef it up now. A lot of the time, IT systems are such a messy patchwork that it’s almost impossible to secure…
There are conflicting reports, but it sounds like Colonial paid close to $5m to DarkSide:
Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack [...]
Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said. (Source)
FireEye has a blog post about it:
We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years. Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will acquiesce to paying the ransom prices.
As one example, in late April 2021, the DARKSIDE operators released a press release stating that they were targeting organizations listed on the NASDAQ and other stock markets. They indicated that they would be willing to give stock traders information about upcoming leaks in order to allow them potential profits due to stock price drops after an announced breach. In another notable example, an attacker was able to obtain the victim's cyber insurance policy and leveraged this information during the ransom negotiation process refusing to lower the ransom amount given their knowledge of the policy limits.
That’s some machiavellian shit.
It's certainly the kind of high-profile event — like SolarWinds — that will make many C-suite suits bump IT security up their list of priorities.
It certainly seems to be taken seriously by the feds, with a new executive order, which includes changes to disclosure rules when there are breaches that could impact national security and plans to beef up security for the federal government’s infrastructure.
I’m seeing more reports of these types of attacks lately, and it makes me wonder if there’s just more media coverage (maybe because of SolarWinds, which was high-profile enough that a bunch of journalists started looking more closely at the space?) or whether there really are more attacks.
The FireEye post certainly shows that DarkSide is doing more, but they’re just a glass of water in the ocean of security threats, so it may not tell us much about the overall level of the tide. Sure does feel like it’s getting worse, though.
Here’s one that could be the premise of a movie:
A ransomware gang that hacked the District of Columbia’s Metropolitan Police Department (MPD) in April posted personnel records on Tuesday that revealed highly sensitive details for almost two dozen officers, including the results of psychological assessments and polygraph tests; driver's license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories. [...]
The operators demanded $4 million in exchange for a promise not to publish any more information and provide a decryption key that would restore the data. [...]
“Our final proposal is to offer to pay $100,000 to prevent the release of the stolen data,” the MPD negotiator eventually replied. “If this offer is not acceptable, then it seems our conversation is complete. I think we understand the consequences of not reaching an agreement. We are OK with that outcome.” (Source)
Update: The always thoughtful Zeynep Tufekci has a great Battlestar Galactica analogy on this:
Just like with the pandemic, the alarm has been ringing about digital security for decades, but we are just hitting snooze instead of waking up and dealing with the threat. [...]
The fictional Battlestar Galactica series explains a key similarity: networked systems are vulnerable. That ship survived the initial attack by the Cylons (humanoid robots) simply because it was old and had just been decommissioned in the process of being turned into a museum [...] In pandemic terms, Galactica was an island with no travel to it. [...]
It’s very hard to add security after the fact to a digital system that’s not been built for it. And there is a lot of what’s called “technical debt” all around us. These are programs that work but were written quickly or sometimes decades ago. We don’t touch these rickety layers because it would be very expensive and difficult to do, and messing with them could cause everything else to crumble. [...]
This is such a good point, and a recent example of how hard this is to deal with is how long Microsoft struggled with malware/viruses on Windows in the 2000s.
The problem is by no means solved, but there was a truly atrocious period and it took herculean efforts for the company to get out of it. It took years even with their massive resources and total control over their code base (a lot of other companies must use what others hand them and can’t fix it themselves).
The better question is, why didn’t digital hacks and ransomware happen more if the problem has been so widespread? [...]
one thing that had been missing before was an easy or obvious way to monetize all of this digital malfeasance. Unlike with software, the financial sector is fairly heavily regulated, globally. Despite the possibility of transferring money here and there, it’s really not that easy to get money out of the global financial system if the regulators in a few choke points are dead set against it. Some checkpoints include the SWIFT money transfer systems, the United States Treasury and the OFAC program, and the U.S. attorney for the Southern District of New York, where Wall Street is located. The chokepoints are surprisingly few, and most of them lead back to the United States. [...]
Enter Bitcoin. It’s still not as easy as people might think to use Bitcoin to move truly large amounts of money out of the system [...] But, Bitcoin sure makes it more tempting to try, even for small sums. A lot of ransomware attempts aren’t for huge sums. Thus, Bitcoin and the crypto coin ecology have given ransomware a scalable business model, at least in the minds of its “entrepreneurs.” It makes attacks worth trying, even for small sums, because trying it is so easy.
Well, that’s certainly a crypto use case other than speculation…
So where do we go from here? [...]
Addressing digital insecurity would also entail providing better regulation up and down the technical stack so that the negative externalities became more internalized by the companies—so they are responsible for solving the problems they create. [...]
This is a bit like the pandemic had been for me before 2020: we knew a major threat was afoot, and that our infrastructure had been lacking. We had SARS in 2003, we had the Ebola crisis in 2014-2016, and we had the HIV/AIDS catastrophe starting with the 1980s. Did we move to fix it all? We did not. So here we are again.
Let’s do better on this. An ounce of prevention is worth a pipeline of cure…
Brad Stone’s New Book about Amazon & Jeff Bezos
I bet a large fraction of you have read ‘The Everything Store’. Time really flies, because that book came out in 2013. That was even before the Fire Phone!
At the time, Amazon’s market cap was a little under $120 billion, and that was considered huuuge.
Today the company has a market cap of around $1.6 💫₮ⱤłⱠⱠłØ₦💫.
If you have a sub, Ben Thompson has a great interview with Stone about the book (I recommend the audio version, it’s basically a great podcast).
That’s it, I haven’t read the book yet, so not much to say, but my priors are that it’ll be quite good, since a lot has happened in the past 8 years and Stone is good at getting those stories.
Has Amazon Hired You Yet?
Speaking of Amazon, the scale of their hiring is just bonkers. After hiring a gazillion people in the past year, they’re still pushing hard and hiring another 75,000 for their logistics units:
“We look forward to hiring 75,000 associates across our fulfillment and transportation network” […]
these open roles offer an average starting pay of over $17 per hour, plus sign-on bonuses in many locations of up to $1,000. In addition, the company offers full-time employees industry-leading benefits, which include health, vision, and dental insurance, 401(k) with 50% company match, paid parental leave, and access to various company-funded upskilling opportunities, including Amazon’s innovative Career Choice program, which prepays 95% of tuition for courses in high-demand fields. […]
we’re offering a $100 benefit to new hires who come to Amazon already vaccinated for COVID-19.
In the past few weeks, Waymo lost its CEO, CFO, and 'head of automotive partnerships and corporate development'. Since the beginning of the year:
Chief Safety Officer Deborah Hersman left in December and Tim Willis, who was head of manufacturing and global supply and general manager of Waymo’s Laser Bear lidar business, departed in February. Sherry House, who had been at Waymo since 2017 and was most recently treasurer and head of investor relations, left the company in April. (Source)
I wonder what’s going on there… 🤔
Google’s GCP + SpaceX Starlink to the Moon 🚀🌙 (is that the proper way to say these things in 2021?)
Speaking of Google, looks like they made a deal with SpaceX to handle the Starlink base stations:
SpaceX will begin to locate Starlink ground stations within Google data center properties, enabling the secure, low-latency, and reliable delivery of data from more than 1,500 Starlink satellites launched to orbit to-date to locations at the network edge via Google Cloud. Google Cloud's high-capacity private network will support the delivery of Starlink's global satellite internet service (Source)
I would’ve been surprised if they had picked AWS, because of Musk’s rivalry with Blue Origin and Bezos. Good for GCP, though.
I don’t care if they make a cent on it, low-orbit satellite-constellation base-stations are just cool, m’kay?
TSMC May do a 3nm Fab in AZ? Poaching Intel Talent
company officials are debating whether the next plant should be a more advanced facility that can make chips with so-called 3-nanometer chipmaking technology [...]
The more advanced 3-nanometer plant could cost $23 billion to $25 billion, one person familiar with the matter told Reuters. Details of TSMC's plans for the additional factories at the Arizona site have not been previously reported.
Officials have also sketched out plans for TSMC to make next-generation 2-nanometer and smaller chips as the Phoenix campus is built out the next 10 to 15 years, the person said. [...]
TSMC this year hired Benjamin Miller, a 25-year Intel veteran, as its head of human resources in Arizona. The company says that it has hired 250 engineers there and that about 100 of them, along with their families, have been sent to Tainan, Taiwan, where they will complete a 12- to 18-month training program before returning to Arizona. (Source)
I will never tire of seeing that oil spike downward on long-term commodity charts…
Science & Technology
Light Pollution Map
Interactive light pollution map. Cool project.
If you want to do some astro-photography, or just go show what the night sky actually looks like to your kids, Dark Site Finder is another good resource.
‘Zero Trust’ Says you Shouldn’t Trust ‘Zero Trust’ 🤔
Friend-of-the-show Muji has a great first paid post about Zero Trust.
Here’s his clear, not-too-technical overview of what it is, in case you’ve been wondering about this increasingly popular security buzzword:
Traditionally, the primary usage of an enterprise network is interconnecting infrastructure which runs services hosted internally [...] The old method of castle & moat security, where you maintained a trusted network across all of your enterprise infrastructure, apps, devices and users – with a secure perimeter around it all – is becoming a thing of the past [...]
The basic premise [of Zero Trust] stated that neither external networks (the internet and SaaS services) nor the internal network (enterprise network & WAN) should ever be trusted!
Zero Trust allowed for a software-defined perimeter instead of a network driven one, where you never trust a user requesting access to a particular service. You lose the entire concept of the trusted network – the entire basis of the castle & moat strategy. Users must establish who they are (authentication), and then the system determines the rights of that user to access the given service (authorization). Once BOTH identity and access rights have been established, the Zero Trust service acts as a proxy to the service, creating an ephemeral network connection to the requested service. The user doesn't need to know where the app is hosted – the networking is all handled invisibly to them. Once the user is done, the temporary connection from that user to that service can be severed.
Zero Trust flips the entire process of requesting & securing user access to be application-focused, not network-focused. [...] Zero Trust inherently prevents lateral movement, as users cannot access anything else in that connection except the service they originally requested. [...]
Continuous Analytics is about utilizing ML/AI over all the known identities and devices to establish a baseline of expected behavior (what a user or device normally does), then continuously profile the session to flag any risky or anomalous activity it sees. [...]
[f.ex.] Does a user normally always log in from a variety of networks in Chicago during the daylight hours, but is now appearing on one from Beijing at midnight? Does a user normally download megabytes of files, but is now downloading hundreds of gigs?
Once you understand this software-defined network and constant monitoring, and just how complex it is versus the perimeter approach, especially if you have thousands and thousands of users, all with different use cases and permissions and usage patterns, you understand why Nvidia is putting so much computing power in its DPUs.
All this security stuff has an overhead compute cost, and offloading it to accelerators rather than leaving it to server CPUs makes a lot of sense.
You can read the whole Zero Trust piece here (sub $ required).
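To make the quoted overview concrete, here is a small added illustration (mine, not code from Muji's post or from any Zero Trust product) of the two halves described above: a broker that authenticates, authorizes, and then mints an ephemeral session bound to exactly one service, so a session for one app cannot be reused to reach another (the "no lateral movement" property), plus a baseline-versus-session scorer that flags the kind of anomalies the post lists (unusual location or hour, unusual download volume). Every user name, secret, service, policy entry, baseline figure and sample event is a constructed assumption for the example.

```python
"""Toy Zero Trust access broker plus a behavioural-baseline session scorer.

Added illustration for the Zero Trust overview above; it is not code from the
quoted post or from any product. All users, secrets, services, policies and
baseline numbers below are constructed for the example.
"""
from dataclasses import dataclass
import secrets

# --- 1. Identity (authentication) and policy (authorization) ---------------
# Constructed credential store: username -> shared secret. A real deployment
# would validate an identity-provider token rather than compare strings.
USERS = {"alice": "alice-secret", "bob": "bob-secret"}

# Constructed per-application policy. There is deliberately no notion of an
# "internal network" here: rights are expressed per identity, per service.
POLICY = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}


@dataclass
class Session:
    """An ephemeral connection minted by the broker for ONE service only."""
    user: str
    service: str
    token: str
    open: bool = True


class ZeroTrustBroker:
    def __init__(self):
        self.sessions = {}

    def authenticate(self, user, secret):
        # compare_digest keeps the comparison constant-time.
        expected = USERS.get(user)
        return expected is not None and secrets.compare_digest(expected, secret)

    def authorize(self, user, service):
        return service in POLICY.get(user, set())

    def request_access(self, user, secret, service):
        """Identity first, then rights; only then is a session created."""
        if not self.authenticate(user, secret):
            return None
        if not self.authorize(user, service):
            return None
        session = Session(user, service, secrets.token_hex(8))
        self.sessions[session.token] = session
        return session

    def proxy(self, token, service):
        """Forward a request only if the session is open AND bound to that service."""
        session = self.sessions.get(token)
        if session is None or not session.open:
            return "denied: no session"
        if session.service != service:
            # Lateral movement: a 'wiki' session cannot be used to reach 'payroll'.
            return "denied: session bound to %s" % session.service
        return "ok: proxied to %s" % service

    def close(self, token):
        """Sever the temporary connection once the user is done."""
        session = self.sessions.get(token)
        if session is not None:
            session.open = False


# --- 2. Continuous analytics: compare a live session with the baseline ----
# Constructed baseline: usual country, usual login hours, usual p99 bytes/session.
BASELINE = {
    "alice": {"country": "US", "hours": range(7, 20), "p99_bytes": 200_000_000},
}


def score_session(user, country, hour, bytes_downloaded):
    """Return the list of anomaly reasons; an empty list means 'looks normal'."""
    base = BASELINE.get(user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if country != base["country"]:
        reasons.append("unusual country: %s" % country)
    if hour not in base["hours"]:
        reasons.append("unusual hour: %02d:00" % hour)
    if bytes_downloaded > 10 * base["p99_bytes"]:
        multiple = bytes_downloaded // base["p99_bytes"]
        reasons.append("download volume %dx above baseline p99" % multiple)
    return reasons


if __name__ == "__main__":
    broker = ZeroTrustBroker()
    s = broker.request_access("bob", "bob-secret", "wiki")
    print(broker.proxy(s.token, "wiki"), "|", broker.proxy(s.token, "payroll"))
    print(score_session("alice", "CN", 0, 500_000_000_000))
```

The point of keeping `proxy()` and `score_session()` separate is the one the post makes about overhead: the access decision happens once per request, but the behavioural scoring runs for the life of the session, which is where the compute cost that DPUs are meant to absorb comes from.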
⛓ Microsoft Shuts Down Azure Blockchain Service ⛓
Microsoft's initial foray into Azure Blockchain as a Service (BaaS) began in 2015 [...]
They were early to the game!
On September 10, 2021, Azure Blockchain will be retired. Please migrate ledger data from Azure Blockchain Service to an alternative offering based on your development status in production or evaluation. (Source)
I guess it turns out that 6 years is long enough to figure out that private blockchains aren’t that useful vs databases, and that there aren’t a thousand flowers blooming there…
The Arts & History
The Loneliest Man in the Universe (for a moment)
Michael Collins took this picture of the lunar lander, with Neil Armstrong and Buzz Aldrin inside. Behind it is Earth. The photo has become known as “Everyone in the world except Michael Collins.”
Interesting that a lot fewer people know Collins’ name than Armstrong & Aldrin because he stayed behind to pilot the orbiter while they went to the surface of the Moon.
But they were together, and he was alone up there, circling around the dark side of the Moon…