In the early morning of April 11th, 2021 an explosion rocked the desert surrounding Natanz, a nuclear enrichment facility within Iran’s nuclear power infrastructure. Later that day, the Iranian government issued a statement that Iran was the subject of a powerful cyberattack that physically (and dangerously) sabotaged the facility’s nuclear enrichment capabilities.
The 2021 Natanz attacks are already making waves across a security community still reeling from the SolarWinds attacks. State-sponsored hacking is already a concern for most organizations working in critical infrastructure. …
What I learned from a confusing, painful year
It’s been almost four years since my last personal post. And while I planned on doing one for 2020, this wasn’t the post I was planning to write. But that’s 2020: a year where so many things we planned were irrevocably altered by a virus that changed the world.
Like most of the world, COVID-19 and 2020 have changed my life. I’ve lost family and friends during the outbreak here in the US, and it was likely a major contributor to losing a two-year-long relationship. …
Cryptography is critical to protecting our information online. In a pandemic-wracked world where companies and countries are being forced at gunpoint into the digital age, figuring out whether or not some cryptography is “good” enough to use for protecting secrets is a very big problem.
Unfortunately there isn’t a commonly accepted way to verify good cryptography in 2020. Outside of a US/Canadian government standard that’s relatively unknown unless you work in defense, there is no globally accepted way of verifying “strong” encryption.
As COVID-19 wracks the world, most countries have enacted some form of non-essential business shutdown and/or social distancing protocols to stop the spread of this lethal virus. These measures have had a dramatic impact on the global economy, ensuring that countries like the United States have seen sharp declines in their GDP at levels unseen since the Great Depression.
Shutdown and social distancing are largely efforts to deal with COVID’s high rate of transmission (currently understood to be over twice that of the 1918 H1N1 pandemic in some strains/locations) and a lack of readily available testing at scale. Without a…
The Millennium Prize Problems are a series of mathematical questions that represent hard boundaries in our understanding of mathematics. Answering these questions would rapidly advance our understanding of math — and empower fields like physics, biology, and chemistry accordingly with new tools to describe reality and our universe.
But sometimes knowledge can be a double-edged sword. The discoveries that would come from solutions to some of the outstanding Millennium Prize problems could have significant consequences for cybersecurity and cryptography, and require us to reframe how we think about securing communication and data in a post-Millennial Problem world:
We have a lot of standards in security. Regulations like GDPR, COPPA, PCI-DSS, and HIPAA are so common that they make their way into the plots of TV shows and movies. But while we have a sea of acronyms to describe and measure the security of areas like identity, access control, and even threat intelligence, cryptography remains comparatively ill-defined.
This is not to say there are no standards for cryptography. NIST’s FIPS 140-2, the US federal government’s standard for cryptographic modules, is frequently used to judge the strength of cryptography.
Figuring out what’s next in infrastructure computing after containers and serverless
Ten years ago deploying a development environment sucked.
Heroku and AWS were in their infancy, relegated to that special set of developer tools best left to people with beards who listened to Interpol and only drank pour-over coffee. Most of the world still relied on colos — colocated computing centers where you rented a raw physical server or a virtual machine running out of a remote, managed data center.
This meant that deploying an app was a lengthy, painful process. I’d first have to set up an operating system…
There’s a scene in Monty Python and the Holy Grail where the Knights of the Round Table stand marveling at the mythical castle of Camelot.
“Look my liege,” one of his knights proclaims. The group begins to cry out in wonder: “Camelot! Camelot! Camelot!”
Then from the back, their squire dejectedly sighs: “it’s only a model.”
Random numbers are critical to our modern world. They select lottery numbers. They help maintain the quality testing for new medicine or studying diseases. And in the case of cryptography, random numbers are critical to protecting secrets.
But not all numbers are generated equally randomly. Even when using the same computer running the same hardware and operating system, requesting random numbers typically requires you to specify how random of a number you want. We measure that randomness through entropy, a statistical quality that describes just how random a system can be in selecting and generating bits or numbers.
Why disrupting cloud infrastructure requires major economic, not just technological, innovation
When I was fourteen I wanted to run a Counter-Strike server.
This was easier said than done in the early 2000s. Even in Silicon Valley, finding remotely managed computing power with a reliable, strong network connection was expensive and difficult. Back then my only options for getting a Linux-based computer I could use to run a CS 1.4 server were the following:
Rent a server from a colo (colocation) provider.
This was what most e-commerce businesses did back then, and while it was the most reliable option it…