Mornings With Mark

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 23:12:59

Information:

Synopsis

Daily-ish (M-F) musings about security and privacy and how it impacts our communities. What questions should we as technologists be asking as we build? Watch the show at https://4mn.ca/mwm-video

Episodes

  • Terms of Service

    21/03/2018 Duration: 06min

    Diving deeper into the issues behind the Facebook / Cambridge Analytica scandal, we look at terms of service for Facebook and other application/networks you use and get a little nit-picky about the term "data breach". Near the end of the episode, I give an (unrelated) shout out to Troy Hunt. He's the engine behind https://HaveIBeenPwned.com which is a fantastic and growing resource for the community.

  • Organizational Design and OT Risk

    20/03/2018 Duration: 09min

    Unfortunately there was a tragic death involving a self-driving car in AZ. This highlights the very different challenges facing technology in the real-world when compared to IT. OT (Operational Technology) has a completely different risk equation and it's one not a lot of teams are ready to deal with...

  • Facebook Data Misuse And Social Network Responsibility

    19/03/2018 Duration: 09min

    A discussion on the budding Facebook / Cambridge Analytica scandal. It's an interesting situation as the data was harvested through the API (so technically possible) but is a clear breach of their terms of service. This isn't going away and will get worse.

  • CPUs, ICOs, and Blockchains

    16/03/2018 Duration: 07min

    In this episode I tackle the AMDFlaws issue, ICO failures, and the actual promise of blockchain as an approach to a few specific use cases...not the ridiculous levels of hype it's receiving right now.

  • Nervous For SXSW

    15/03/2018 Duration: 06min

    Recorded in Austin, TX a couple hours before I went on stage to deliver a talk ("Rogue Robots and the Potential for Cyber Attack"), this episode looks at my first impressions of the festival and some of the challenges getting back up on stage after a bit of a break.

  • Rizenfall And Needless Hype

    15/03/2018 Duration: 07min

    This week a security company announced several flaws in modern AMD architectures. There are a number of issues around how they made the announcement and thankfully it's not getting a ton of sustained attention. The issues seem legitimate but they also need an existing, privileged foothold in order to be taken advantage of. This case is a perfect example of all the bad things around informing the public of security issues.

  • SXSW Audience Level

    13/03/2018 Duration: 07min

    My talk at SXSW, "Rogue Robots and the Potential for Cyber Attack", went well and afterwards, I had a few discussions with some folks smarter than I about audience level. I think there's a serious gap between the level most security and privacy information is presented at and where it should be. There's a number of reasons for this but primarily because of the way we view cybersecurity and privacy. We see them as separate disciplines and not aspects of everything.

  • DDoS Attacks & Community Responsibility

    02/03/2018 Duration: 06min

    GitHub was taken offline for 8m under a record setting 1.35 Tbps DDoS attack. This is not a good record. The previous record was set under a wave of compromised IoT devices (specifically security cameras) and I was fully expecting the same here. Not quite. This time it was unsecured application components (specifically memcached servers). This ties to a bigger issue. What are your responsibilities to the larger internet community? How much do you owe to your neighbours? More on the GitHub attack from Lily Hay Newman at WIRED.

  • Secure Systems Thinking

    01/03/2018 Duration: 07min

    One of the biggest challenges in cybersecurity today is the tendency to secure components instead of the larger system. It's understandable but also leaves a lot of gaps. How can we change this approach?

  • New Website

    28/02/2018 Duration: 10min

    In this episode we do a quick recap of the Canadian federal budget announcements around cybersecurity, talk about SXSW, and the upcoming launch of the new markn.ca.

  • Apple iOS 11 Security

    27/02/2018 Duration: 08min

    This is one of those frustrating days where I really want to dive into one topic (the new Apple iOS Security Guide) but have other commitments (namely the Canadian federal budget and SXSW). File this one under, "more coming ASAP".

  • Cybersecurity In & Of Canada

    26/02/2018 Duration: 07min

    Never one to shy away from the big issues, this episode looks at the possibility of a big budget carve out for Canadian cybersecurity. The rumour is that various departments and agencies have requested a billion dollars in funding. Will it be enough? Will it actually address the issue at all?

  • Passwords, Educating Users, and the Communal Good

    23/02/2018 Duration: 09min

    Security "awareness" programs p--s me off. I don't really hide that too well in this episode. The security community really needs to do a better job in educating users and helping them to make better decisions about security and privacy.

  • Workflow, Passwords, and More

    22/02/2018 Duration: 07min

    Troy Hunt published v2 of PwnedPasswords which is a massive archive of hashed passwords. The goal is to provide a resource so builders can check new passwords against these commonly used ones. This led to a bit of a discussion on my workflow and goal with this show. I'm hoping to get some time to do a deeper dive on Troy's dataset.

  • DevOps Overload

    21/02/2018 Duration: 06min

    A news article was posted highlighting a wave of exposed management interfaces and at least one team's AWS API keys were exposed in a 3rd party tool as a result. This is something that comes up in conversations I have often. The cloud amplifies ability but it also puts more on the team's shoulders. Are teams overloaded in a DevOps culture?

  • Voice Interfaces

    20/02/2018 Duration: 03min

    Wired had a fantastic article on the huge uptake of voice interfaces. This echoes one of the main themes at AWS re:Invent 2017. In this episode, I was thinking about the benefits as well as some of the security and privacy challenges.

  • Apple Unicode Bug

    16/02/2018 Duration: 06min

    Apple had a critical issue that needed to be addressed. Sending a simple Telugu character to an Apple device caused most applications that processed that character to crash continuously. This brings up the bigger issues of software quality and integrating security into your technology and teams.

  • Blockchain For Identities

    15/02/2018 Duration: 08min

    Ugh, I hate buzzwords. Still, I felt it necessary to tackle blockchain in this episode mainly because of the work Microsoft announced on digital identities backed by a blockchain architecture. This is a good use of the technology. Can't wait to see where this goes.

  • Risk Assessments & The Risk Of No Data

    14/02/2018 Duration: 08min

    Building on the theme of perspectives from the first two episodes, I dive into the lack of quantitative data for risk assessments. Basically, the community does a lot of guessing when it comes to evaluating risk...and that's not a great thing. References: the NIST guide for risk assessments, the Canadian Harmonized Threat & Risk Assessment guidelines.

  • Pyeongchang 2018 Olympic Games Hack

    13/02/2018 Duration: 07min

    In the pilot episode, I talked about the importance of perspectives. The 2018 Winter Olympic Games confirmed that they were attacked on Friday during the opening ceremonies and their statement showed a lot of perspective. The Games said they had responded quickly to the attack but weren't worrying about "who" was behind it until after the event. It's hard but necessary to show that kind of perspective when responding to an incident.
