date 2021-12-22

So, why hasn’t Putin sent his ransomware hounds swarming over European and American networks in an unbridled orgy of encryption, chaos and crypto? An important first step to answering this question is to understand where ransomware fits within the Russian state’s cyber arsenal. And here is where I think we have collectively misjudged the dynamics between ransomware crews and the state. I am guilty of this myself. We have overestimated the state’s control over those hackers, underestimated the hackers’ greed and financial motivation, and misconstrued Putin’s understanding of his strategic cyber assets.

A few months after the snippet tax was agreed to as part of the EU Copyright Directive, Australia indicated it wanted to take the same route. The government there planned to make Internet companies pay newspapers for sending the latter extra traffic, by imposing something called the News Media Bargaining Code. In a blog post from December 2020, Mel Silva, VP, Google Australia & New Zealand, gave a good analysis of why Australia’s proposed Code was antithetical to the way the Web worked, including the following:

In this video for Help Net Security, Chris Westphal, Cybersecurity Evangelist at Ordr, talks about a recent alert from CISA and the Department of Energy (DOE) about potential threats to uninterruptible power supply (UPS) devices that are connected to the internet. UPS devices provide emergency power and are usually attached to critical infrastructure: they are essentially batteries that supply temporary power when the mains fails, until a generator kicks in to provide longer-term backup power.

Last month we outlined our plans for the next generation of Pro-grade PINE64 hardware – the QuartzPro64. In case you missed the original announcement, the QuartzPro64 is a powerful development board featuring an 8 core SoC which comes paired with 16GB of RAM and 64GB of expandable eMMC flash storage as well as an impressive array of IO options. I’m not going to repeat the entire spec list here since it was covered in detail last month – if this is news to you, then I suggest you go back and read the March update and then return to this section.

ASRock Industrial has recently unveiled three 4X4 BOX-5000 mini PCs (4X4 BOX-5800U, 4X4 BOX-5600U and 4X4 BOX-5400U) equipped with AMD Zen 3 Ryzen 5000 U-series processors. With Zen 3, ASRock is targeting business and home applications such as kiosks, digital signage and other remote-access deployments. The new mini PCs use AMD’s Ryzen 7 5800U, Ryzen 5 5600U and Ryzen 3 5400U processors, with up to 8 cores/16 threads. The new architecture also brings improved AMD Radeon graphics. According to ASRock, the Zen 3 mini PCs deliver up to 17% higher single-thread and multi-thread performance than the previous Zen 2 architecture.

You may have read Pine64’s April Fools’ spoof about the PineBuds and PinePod earlier this month. It turns out those will be real, and the Pine64 PineSound development board will be used to bring the PineBuds earbuds and the PinePod digital audio player to market. The PineSound board features a Bestechnic BES2300 Bluetooth 5.0 audio chip, coaxial and optical inputs and outputs, a 3.5mm headphone jack, 4.4mm and 2.5mm balanced jacks, an SMA connector, a USB Type-C connector, plus interfaces for a touchscreen display.

Monitoring the kernel.org Transparency Log for a year

Clearly we can do more and improve things. I noted in the beginning that git is not a transparency log; sadly, the kernel.org transparency log is a git repository. It is not a true transparency log, and proving that a commit is present in the log requires replaying the entire log before comparing the state of the main log with the monitor. This isn’t ideal. A big improvement would be to move this over to an actual transparency log. Sigstore attempts to be a general-purpose transparency log for build artifacts. I did start working on a patch to include git-push certificates in Rekor, their transparency log implementation, but this has stalled because I lack the time, and I think it would need a bit of code on the remote end to function properly.

If you are into OpenSSF projects, the SLSA project lists several requirements to protect a supply chain. A transparency log for git-push certificates neatly fits into threat B, “Compromise source control platform”. However, transparency logs are not widely cited as a possible mitigation for this threat. One can speculate why this is the case, but I think the lack of support in Git forges is the main issue. Gitlab supports server hooks, and I think you could implement a git-push monitor with a bit of manual maintenance. Github does not support this, and I think that is something Github should improve on. Generally these sorts of server-side configurations are not very accessible but very much needed. I’d love to have my own

Another improvement on the monitor would be to look more into the code the Trillian team at Google has been doing. Currently they have written a few concepts for a standardized witness protocol for different transparency logs, and I think it would be neat to provide the same interface for the kernel.org log. This would make it easier to have standardized clients across different logs to validate entries.
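The post’s central complaint is that a git-backed log forces a monitor to replay every entry to show one commit is present, whereas a real transparency log (Rekor, Trillian) can hand out a short inclusion proof against a signed tree head. As an added example that is not from the post, the kernel.org monitor, Rekor or Trillian, here is a minimal RFC 6962-style Merkle log in Python over constructed push-certificate entries: it builds the tree, produces an inclusion proof of O(log n) hashes, verifies it, and contrasts that with a hash-chain replay that must touch every entry. The entry format and function names are assumptions; consistency proofs (the thing a witness would additionally check between two tree heads) are not implemented here.

```python
from __future__ import annotations

import hashlib

# Constructed sample entries standing in for git-push certificates.
# The shape is an assumption, not the kernel.org log format.
PUSH_CERTS = [
    b"pushcert refs/heads/master 1111aaaa..2222bbbb signer=alice",
    b"pushcert refs/heads/master 2222bbbb..3333cccc signer=bob",
    b"pushcert refs/tags/v5.16 00000000..4444dddd signer=alice",
    b"pushcert refs/heads/master 3333cccc..5555eeee signer=carol",
    b"pushcert refs/heads/master 5555eeee..6666ffff signer=alice",
]


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: 0x00 prefix domain-separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: 0x01 prefix so a leaf cannot masquerade as a node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list[bytes]) -> bytes:
    """RFC 6962 MTH over already-hashed leaves."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    """RFC 6962 PATH: sibling hashes ordered from the leaf up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def _root_from_proof(leaf: bytes, index: int, size: int, proof: list[bytes]) -> bytes | None:
    """Recompute the root implied by (leaf, index, size, proof); None if the shape is wrong."""
    if size == 1:
        return leaf if not proof else None
    if not proof:
        return None
    k = _split(size)
    if index < k:
        sub = _root_from_proof(leaf, index, k, proof[:-1])
        return None if sub is None else node_hash(sub, proof[-1])
    sub = _root_from_proof(leaf, index - k, size - k, proof[:-1])
    return None if sub is None else node_hash(proof[-1], sub)


def verify_inclusion(entry: bytes, index: int, size: int, proof: list[bytes], root: bytes) -> bool:
    """A monitor only needs entry, position, tree size, the proof and a trusted root."""
    if not 0 <= index < size:
        return False
    return _root_from_proof(leaf_hash(entry), index, size, list(proof)) == root


def chain_head(entries: list[bytes]) -> bytes:
    """Git-like hash chain: each link commits to everything before it."""
    h = b""
    for e in entries:
        h = hashlib.sha256(h + e).digest()
    return h


def chain_replay_membership(entries: list[bytes], target: bytes, head: bytes) -> tuple[bool, int]:
    """Membership in a hash chain: returns (present, number of hashes recomputed)."""
    h, found, work = b"", False, 0
    for e in entries:
        h = hashlib.sha256(h + e).digest()
        work += 1
        found = found or e == target
    return found and h == head, work


if __name__ == "__main__":
    leaves = [leaf_hash(e) for e in PUSH_CERTS]
    root = merkle_root(leaves)
    proof = inclusion_proof(leaves, 1)
    print("merkle proof hashes:", len(proof), "->", verify_inclusion(PUSH_CERTS[1], 1, 5, proof, root))
    ok, work = chain_replay_membership(PUSH_CERTS, PUSH_CERTS[1], chain_head(PUSH_CERTS))
    print("chain replay hashes:", work, "->", ok)
```

With five entries the Merkle proof for entry 1 is three hashes and the chain replay is five; at a million entries the proof is about twenty hashes while the replay is still a million. The verifier side is what a Rekor or Trillian client does with a signed tree head, and it is exactly what a git repository cannot offer a monitor without a full fetch.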