CyberSecurity News Chum

Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:

  • NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement: the first of these changes, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need for, and complexity of, correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.
  • Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows. Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.
  • Encryption and Protection. Protection is good. Just ask porn site Pornhub, home to things like thumbzilla and youporn. They’ve gone to always-on encryption, meaning that although your ISP knows you’re going to pornhub, they don’t know what you’re looking at. Others are turning to VPNs, and here’s a good summary of how to use one. Lastly, for those worried about your ISP seeing where you go, one thing you should do is not use the ISP’s DNS. I use openDNS: and
  • Verizon and Spyware. Note that if you use Verizon Wireless, they may be pre-installing spyware on your phone.
  • JavaScript Popups. Google is making some changes to eliminate those popup dialogs that don’t let you leave. Such popups are occasionally useful as alerts, but their fix sounds reasonable.
  • Congrats to North Hollywood High. They won a national cybersecurity competition. Disclosure: My employer helped sponsor the team, although I was not involved.
  • Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impression has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate that you can’t open your computer and modify it? Big key questions.

The Good Old Days

A recent XKCD on editors reminded me that I’ve been accumulating a number of articles on computer history I should clear out, because I’m a computing dinosaur.

  • With respect to the xkcd, there’s nothing new under the sun. I remember the days at UCLA when there was a pitched battle between the supporters of the Rand window editor (“e”, formally “ned”), and the vi editor (for those clueless, vim is a later reimplementation of vi, and of course, vi was the visual version of ex, which competed with the ed editor on Unix). Then there were the TECO stalwarts that came from the DEC world (I used TECO on RSTS/E), the editors such as TSO and URSA on the IBM 360/91 (later 370/3033), and the battles between emacs and vi stalwarts.
  • At the same time we were dealing with URSA and TSO, we were printing on an IBM 1403 Lineprinter. This wasn’t a dot matrix or a laser printer, kids: this used a chain of type and printed super fast. You could even play music, if you did your boldface right. IEEE Spectrum has a fascinating article on how the 1403 was able to print so fast, including the fact that it didn’t press the type against the paper — it pressed the paper (from behind) against the type.
  • Back in those days, we didn’t program in C++ or Java or even Ada. It was FORTRAN and COBOL and Algol and… Guess what? Folks are still using those languages. I had a CSSF submittal this year that was programmed in FORTRAN, and you can make a slew of money in banking if you can program in COBOL. All the old-time COBOL programmers are retiring (sometimes feet-first); and these newfangled kids don’t want to learn it. [As a PS: Dan Berry at one time had a cartoon that showed a 1950s housewife labeled COBOL, a 1950s engineer labeled FORTRAN, and a baby labeled PL/I…. and the milkman walking down the driveway labeled ALGOL. The caption: “Funny dear, he doesn’t look like me.” Does anyone have a scan of that cartoon?]
  • Jumping up to the 1980s: The news these days is filled with items on the death of support for Windows Vista and the first version of Windows 10. But there’s another milestone: Windows 3.1. Twenty years have passed, and we’re still living with many of the notions 3.1 introduced (it was the first stable and popular Windows version, cementing the fact that you should never trust even-numbered Windows variants, remembering that Windows 10 is really Windows 9, but they screwed things up with 95 and 98).
  • Turning to the hardware: Chips used to be simple: instruction sets, memory mapping and such. Intel is starting to change all that, with multiple processor instruction sets on a single chip. One of Intel’s changes is a mix-and-match heterogeneous design where different types of cores can be put in a single chip package. Under the new design, it’ll be possible to mix different architectures on a single chip. Chip packages could also have cores made using different manufacturing processes. Now ask yourself: with hardware this complex, how do we know it is correctly implemented?