gredinger
gredinger's JournalIntroduction Thread
Hi everyone! My first intro thread went downhill pretty quickly... so lets try it again! This time, without causing a panic.
I'm Gene, I'm running for congress (US House). I hold a CEH certificate, and am employed in IT. I'm also a beekeeper with a single hive. I'm planning on planting a robust victory garden this year and have already started growing some plants indoors.
I'm married, a home owner, and enjoy posting on forums. ( https://xkcd.com/386/ )
Hopefully, we can all be friends.
Intellectual Property Reform.
I wasn't quite sure where to post this... but a thought occurred to me regarding intellectual property; Bambi.
Bambi was released in 1942, you know, during WW2. The original authors and animators are probably either near end of life or dead. Why is it that this film still cost $15? Why can't I share this work with friends or family?
Normally, works only last the author's lifetime. The constitution says intellectual property will be protected for a "limited" time. Why is the limited time more than a lifetime?
I'm pretty sure the reason is Disney fighting for more restrictive intellectual property rights and continuous expansion of these "rights". They've done so by buying politicians to do so. When will politicians say "enough is enough" and reform intellectual property?
RPKI deployment - ISPs must act.
A couple years back, there was an attack on the Internet; a BGP leak. For a few minutes, internet traffic was rerouted through nodes that advertised BGP routes that were not their own. (Read more about an actual attack here: https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/ )
Normally, these sort of "attacks" are attributed to human error. Fat-fingering a command on a core internet router taking down chunks of the Internet is pretty scary, but it has happened (and will probably happen again).
However, there's a technology that can prevent these sort of leaks in the future. RPKI implements private key infrastructure (you know, the 'S' part of HTTPS) for BGP. It's pretty simple, an ISP generates their private/public keypair. Adds their key set to their router, and then sends over the public key to their regional internet registry.
It really just requires more providers only trusting BGP advertisements from those with signed messages.
ARIN's not government regulated, but US law could force ISPs to implement this standard here in America. Disregarding non-signed advertisements would force other nations (and ISPs) to adopt similar measures.
Thoughts/concerns/comments?
APT28/APT29 & Iowa Primary Caucus
Why does it seem that every couple years, Democrats drop the ball on technology pretty heavily?
Cozy Bear was an effective APT. Even a secure organization could be impacted by a similar attack. I'd give them a pass on this hack if it weren't for APT28 (Fancy Bear).
The thing is, we never knew the external damage. In 2016, a lot of accounts were compromised, but how much data was actually compromised?
For example, most candidates use software called "NGP VAN". This software contains a lot of private information that campaigns have access to; a lot of voter information. If credentials were compromised on these systems (two-factor authentication wasn't required at the time...), then this data was compromised. The effectiveness of this attack leads me to believe members of the DNC used the same credentials across multiple services...
Just imagine giving the opposition party every single one of your records you gathered for the past 8 years. That's effectively what would have happened in 2016, and there's not a single report saying that occurred during the attack.
It is still amazing to me that the *entire* attack was started by spearphishing. If these people actually checked what they clicked on the email, it wouldn't have occurred. Security awareness training should be mandatory for all DNC members.
----
Iowa Primary Caucus was another recent IT failure. The application failed hard. In the IT world, we do something called "postmortems"; i.e. we figure out what went wrong, how to prevent it from going wrong in the future, and learn from the mistakes.
https://landing.google.com/sre/sre-book/chapters/postmortem-culture/
The lack of transparency bothers me. Why can a private corporation release ( https://status.cloud.google.com/incident/cloud-networking/19009 ) more details on a technical failure than a private company designing software for the public and democracy?
if I were chair of the DNC, I'd demand a full postmortem, along with open sourcing the application for public review. We need more transparency in democracy, not less. Let's learn from our mistakes and remain blameless, not ignore past mistakes and cover them up.
Profile Information
Member since: Fri Feb 28, 2020, 04:38 PMNumber of posts: 86
