Former DOD Head: The US Needs a New Plan to Beat China on AI


This post is by Nicholas Thompson from Feed: All Latest

In an interview with WIRED, former secretary of defense Ash Carter discussed how to build morality into AI—and make sure other countries do too.

The FBI Has Made Over 100 Arrests Related to the Capitol Riot


This post is by Brian Barrett from Feed: All Latest

Plus: A dark web takedown, a bitcoin scam, and more of the week’s top security news.

The Race Is On to Identify and Stop Inauguration Rioters


This post is by Matt Burgess, WIRED UK from Feed: All Latest

As tech companies scramble to tackle the extreme far-right, police and law enforcement are encasing Washington, DC, in a ring of steel.

Big Tech Can’t Ban Its Way Out of This


This post is by Gilad Edelman from Feed: All Latest

Platforms are scrambling to avoid being used by right-wing extremists targeting the inauguration. But the seeds of this crisis were sown long ago.

Ex-CISA Head Chris Krebs: ‘Impeachment Is the Right Mechanism’


This post is by Brian Barrett from Feed: All Latest

In an interview with WIRED, the famously fired DHS official shared insights on election security, disinformation, SolarWinds—and what to do about Trump.

Hackers Used Zero-Days to Infect Windows and Android Devices


This post is by Dan Goodin, Ars Technica from Feed: All Latest

Google researchers say the campaign, which booby-trapped sites to ensnare targets, was carried out by a “highly sophisticated actor.”

I Am Not a Soldier, but I Have Been Trained to Kill


This post is by Rachel Monroe from Feed: All Latest

A sprawling tactical industry is teaching American civilians how to fight like Special Ops forces. By preparing for violence at home, are they calling it into being?

How Law Enforcement Gets Around Your Smartphone’s Encryption


This post is by Lily Hay Newman from Feed: All Latest

New research has dug into the openings that iOS and Android security provide for anyone with the right tools.

How Amazon Sidewalk Works—and Why You May Want to Turn It Off


This post is by David Nield from Feed: All Latest

The premise is convenient. But the ecommerce giant’s record on privacy isn’t exactly inspiring.

An Absurdly Basic Bug Let Anyone Grab All of Parler’s Data


This post is by Andy Greenberg from Feed: All Latest

The “free speech” social network also allowed unlimited access to every public post, image, and video.

The SolarWinds Hackers Shared Tricks With a Russian Spy Group


This post is by Andy Greenberg from Feed: All Latest

Security researchers have found links between the attackers and Turla, a sophisticated team suspected of operating out of Moscow’s FSB intelligence agency.

The SolarWinds Investigation Ramps Up


This post is by WIRED Staff from Feed: All Latest

Plus: Covid-19 contact tracing privacy, a Nissan source code leak, and more of the week’s top security news.

WhatsApp Has Shared Your Data With Facebook for Years


This post is by Lily Hay Newman from Feed: All Latest

A pop-up notification has alerted the messaging app’s users to a practice that’s been in place since 2016.

Post-Riot, the Capitol Hill IT Staff Faces a Security Mess


This post is by Lily Hay Newman from Feed: All Latest

Wednesday’s insurrection could have exposed congressional data and devices in ways that have yet to be appreciated.

The Race to Preserve the DC Mob’s Digital Traces


This post is by Kate Knibbs from Feed: All Latest

The pro-Trump mob that stormed the US Capitol livestreamed their actions. As social media platforms scramble to remove dangerous content, what will become of all that footage?

RedHat is acquiring container security company StackRox


This post is by Ron Miller from Fundings & Exits – TechCrunch

Red Hat today announced that it’s acquiring container security startup StackRox. The companies did not share the purchase price.

Red Hat, which is perhaps best known for its enterprise Linux products, has been making the shift to the cloud in recent years. IBM purchased the company in 2018 for a hefty $34 billion and has been leveraging that acquisition as part of a shift to a hybrid cloud strategy under CEO Arvind Krishna.

The acquisition fits nicely with Red Hat OpenShift, its container platform, but the company says it will continue to support StackRox usage on other platforms including AWS, Azure and Google Cloud Platform. This approach is consistent with IBM’s strategy of supporting multicloud, hybrid environments.

In fact, Red Hat president and CEO Paul Cormier sees the two companies working together well. “Red Hat adds StackRox’s Kubernetes-native capabilities to OpenShift’s layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints,” he said in a statement.

StackRox CEO Kamal Shah, writing in a company blog post announcing the acquisition, explained that the company made a bet a couple of years ago on Kubernetes and it has paid off. “Over two and a half years ago, we made a strategic decision to focus exclusively on Kubernetes and pivoted our entire product to be Kubernetes-native. While this seems obvious today, it wasn’t so then. Fast forward to 2020 and Kubernetes has emerged as the de facto operating system for cloud-native applications and hybrid cloud environments,” Shah wrote.

Shah sees the purchase as a way to expand the company and the road map more quickly using the resources of Red Hat (and IBM), a typical argument from CEOs of smaller acquired companies. But the trick is always finding a way to stay relevant inside such a large organization.

StackRox’s acquisition is part of some consolidation we have been seeing in the Kubernetes space in general and the security space more specifically. That includes Palo Alto Networks acquiring competitor TwistLock for $410 million in 2019. Another competitor, Aqua Security, which has raised $130 million, remains independent.

StackRox was founded in 2014 and raised over $65 million, according to Crunchbase data. Investors included Menlo Ventures, Redpoint and Sequoia Capital. The deal is expected to close this quarter subject to normal regulatory scrutiny.

Ticketmaster Pays Up for Hacking a Rival Company


This post is by Dan Goodin, Ars Technica from Feed: All Latest

Employees admitted to using stolen passwords and URL guessing to access confidential data.

Activists Publish a Vast Trove of Ransomware Victims’ Data


This post is by Andy Greenberg from Feed: All Latest

WikiLeaks successor DDoSecrets has amassed a controversial new collection of corporate secrets and is sharing them in the name of transparency.

The UK Denies Assange’s Extradition, Citing Suicide Risk


This post is by Andy Greenberg from Feed: All Latest

The ruling is based not on whether the WikiLeaks founder violated the Espionage Act, but on the implications of subjecting him to the US carceral state.

DNS, DoH, and ODoH, Oh My: Year-in-Review 2020


This post is by Bill Budington from Deeplinks

Government knowledge of what sites activists have visited can put them at risk of serious injury, arrest, or even death. This makes it a vitally important priority to secure DNS. DNS over HTTPS (DoH) is a protocol that encrypts the Domain Name System (DNS) by performing lookups over the secure HTTPS protocol. DNS translates human-readable domain names (such as eff.org) into machine-routable IP addresses (such as 173.239.79.196), but it has traditionally done this via cleartext queries over UDP port 53 (Do53). This allows anyone who can snoop on your connection—whether it’s your government, your ISP, or the hacker next to you on the same coffee shop WiFi—to see what domain you’re accessing and when.

In 2019, the effort to secure DNS through DoH made tremendous progress both in terms of the deployment of DoH infrastructure and in the Internet Engineering Task Force (IETF), an Internet governance body tasked with standardizing the protocols we all rely on. This progress was made despite large pushback by the Internet Service Providers’ Association in the UK, citing difficulties DoH would present to British ISPs, which are mandated by law to filter adult content.

2020 has also seen great strides in the deployment of DNS over HTTPS (DoH). In February, Firefox began the rollout of DoH to its users in the US, using Cloudflare’s DoH infrastructure to provide lookups by default. Google’s Chrome browser followed suit in May by switching users to DoH if their DNS provider supports it. Meanwhile, the list of publicly available DoH resolvers has expanded to the dozens, many of which implement strong privacy policies, such as not keeping connection logs.

This year’s expansion of DoH deployments has alleviated some of the problems critics have cited, such as the centralization of DoH infrastructure. Previously, only a few large Internet technology companies like Cloudflare and Google had deployed DoH servers at scale. This facilitated these companies’ access to large troves of DNS query data, which could theoretically be exploited to mine sensitive data on DoH users. Mozilla has sought to protect their Firefox users from this danger by requiring the browser’s DoH resolvers to observe strict privacy practices, outlined in their Trusted Recursive Resolver (TRR) policy document. Comcast joined Mozilla’s TRR partners Cloudflare and NextDNS in June.

In addition to policy and deployment strategies to alleviate the privacy concerns of DoH infrastructure centralization, a group of University of Washington academics and Cloudflare technologists published a paper late last month proposing a new protocol called Oblivious DNS over HTTPS (ODoH). The protocol introduces a proxy node to the DoH network layout. Instead of directly requesting records via DoH, a client creates a request for the DNS record, along with a symmetric key of their choice. The client then encrypts the request and symmetric key to the public key of the DoH server they wish to act as a resolver. The client sends this request to the proxy, along with the identity of the DoH resolver they wish to use. The proxy removes all identifying pieces of information from the request, such as the requester’s IP address, and forwards the request to the resolver. The resolver decrypts the request and symmetric key, recursively resolves the request, encrypts the response to the symmetric key provided, and sends it back to the ODoH proxy. The proxy forwards the encrypted response to the client, which is then able to decrypt it using the symmetric key it has retained in memory, and retrieve the DNS response. At no point does the proxy see the unencrypted request, nor does the resolver ever see the identity of the client.

ODoH guarantees that, in the absence of collusion between the proxy and the resolver, no one entity is able to determine both the identity of the requester and the content of the request. This is important because if powerful entities (whether it be your government, ISP, or even DNS resolver) know which people accessed what domain (and when), it gives that entity enormous power over those people. ODoH gives users a technological way to ensure that their domain lookups are secure and private so long as they trust that the proxy and the resolver do not join forces. This is a much lower level of trust than trusting that a single entity does not misuse the DNS queries you send them.
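The message flow of the two paragraphs above, as an added simulation that is not part of the EFF article or of the ODoH specification: a toy finite-field Diffie-Hellman key exchange and a SHA-256 stream cipher stand in for the HPKE encryption real ODoH uses, and the client and proxy addresses and the zone table are constructed. Each role records what it could log, so the split the article describes (the proxy sees who asked, the resolver sees what was asked, neither sees both) can be checked directly.

```python
import hashlib
import secrets

# Toy public-key layer: finite-field Diffie-Hellman over the Mersenne prime 2^521 - 1.
# Real ODoH uses HPKE with an AEAD; this stand-in only lets the flow run offline.
P, G = 2**521 - 1, 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return sk, pow(G, sk, P)

def shared_key(pub, sk):
    return hashlib.sha256(pow(pub, sk, P).to_bytes(66, "big")).digest()

def xor_stream(key, data):
    # Toy stream cipher: SHA-256 in counter mode XORed over data (unauthenticated, illustration only)
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class Resolver:  # sees plaintext queries, but only the proxy's address
    ZONE = {"eff.org": "173.239.79.196"}    # constructed zone table; address from the article
    def __init__(self):
        self.sk, self.pub = keygen()
        self.seen = []                        # (source address, query name) it could log
    def handle(self, source, eph_pub, ciphertext):
        plain = xor_stream(shared_key(eph_pub, self.sk), ciphertext)
        resp_key, name = plain[:32], plain[32:].decode()
        self.seen.append((source, name))
        answer = self.ZONE.get(name, "NXDOMAIN").encode()
        return xor_stream(resp_key, answer)   # encrypted to the client's symmetric key

class Proxy:  # sees the client's address, but only ciphertext
    def __init__(self, address="198.51.100.7"):   # constructed proxy address
        self.address, self.seen = address, []
    def relay(self, client_addr, resolver, eph_pub, ciphertext):
        self.seen.append((client_addr, ciphertext))
        return resolver.handle(self.address, eph_pub, ciphertext)  # client address stripped

def odoh_lookup(client_addr, name, proxy, resolver):
    resp_key = secrets.token_bytes(32)            # symmetric key the client keeps in memory
    eph_sk, eph_pub = keygen()                    # fresh ephemeral key for this one request
    ciphertext = xor_stream(shared_key(resolver.pub, eph_sk), resp_key + name.encode())
    enc_answer = proxy.relay(client_addr, resolver, eph_pub, ciphertext)
    return xor_stream(resp_key, enc_answer).decode()

def demo(name="eff.org", client_addr="203.0.113.5"):  # constructed client address
    proxy, resolver = Proxy(), Resolver()
    return odoh_lookup(client_addr, name, proxy, resolver), proxy.seen, resolver.seen
```

A proxy and resolver that pooled their `seen` lists could join the client address to the query name, which is exactly the collusion the article's trust assumption rules out.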

Looking ahead, one possibility worries us: using ODoH gives software developers an easy way to comply with the demands of a censorship regime in order to distribute their software without telling the regime the identity of users they’re censoring. If a software developer wished to gain distribution rights in Saudi Arabia or China, for example, they could choose a reputable ODoH proxy to connect to a resolver that refuses to resolve censored domains. A version of their software would be allowed for distribution in these countries, so long as it had a censorious resolver baked in. This would remove any potential culpability that software developers have for revealing the identity of a user to a government that can put them in danger, but it also facilitates the act of censorship. In traditional DoH, this is not possible. Giving developers an easy-out by facilitating “anonymous” censorship is a worrying prospect.

Nevertheless, the expansion of DoH infrastructure and conceptualization of ODoH is a net win for the Internet. Going into 2021, these developments give us hope for a future where our domain lookups will universally be both secure and private. It’s about time.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2020.