Second Interdisciplinary Workshop on Reimagining Democracy


Last month, I convened the Second Interdisciplinary Workshop on Reimagining Democracy (IWORD 2023) at the Harvard Kennedy School Ash Center. As with IWORD 2022, the goal was to bring together a diverse set of thinkers and practitioners to talk about how democracy might be reimagined for the twenty-first century.

My thinking is very broad here. Modern democracy was invented in the mid-eighteenth century, using mid-eighteenth-century technology. Were democracy to be invented from scratch today, with today’s technologies, it would look very different. Representation would look different. Adjudication would look different. Resource allocation and reallocation would look different. Everything would look different, because we would have much more powerful technology to build on and no legacy systems to worry about.

Such speculation is not realistic, of course, but it’s still valuable. Everyone seems to be talking about ways to reform our existing systems. That’s critically important, but it’s also myopic. It represents a hill-climbing strategy of continuous improvements. We also need to think about discontinuous changes that you can’t easily get to from here; otherwise, we’ll be forever stuck at local maxima.

I wrote about the philosophy more in this essay about IWORD 2022. IWORD 2023 was equally fantastic, easily the most intellectually stimulating two days of my year. The event is like that; the format results in a firehose of interesting.

Summaries of all the talks are in the first set of comments below. (You can read a similar summary of IWORD 2022 here.) Thank you to the Ash Center and the Belfer Center at Harvard Kennedy School, and the Knight Foundation, for the funding to make this possible.

Next year, I hope to take the workshop out of Harvard and somewhere else. I would like it to live on for as long as it is valuable.

Now, I really want to explain the format in detail, because it works so well.

I used a workshop format I and others invented for another interdisciplinary workshop: Security and Human Behavior, or SHB. It’s a two-day event. Each day has four ninety-minute panels. Each panel has six speakers, each of whom presents for ten minutes. Then there are thirty minutes of questions and comments from the audience. Breaks and meals round out the day.

The workshop is limited to forty-eight attendees, which means that everyone is on a panel. This is important: every attendee is a speaker. And attendees commit to being there for the whole workshop; no giving your talk and then leaving. This makes for a very collaborative environment. The short presentations mean that no one can get too deep into details or jargon. This is important for an interdisciplinary event. Everyone is interesting for ten minutes.

The final piece of the workshop is the social events. We have a night-before opening reception, a conference dinner after the first day, and a final closing reception after the second day. Good food is essential.

Honestly, it’s great but it’s also exhausting. Everybody is interesting for ten minutes. There’s no down time to zone out or check email. And even though a shorter event would be easier to deal with, the numbers all fit together in a way that’s hard to change. A one-day event means only twenty-four attendees/speakers, and that’s not a critical mass. More people per panel doesn’t work. Not everyone speaking creates a speaker/audience hierarchy, which I want to avoid. And a three-day, slower-paced event is too long. I’ve thought about it long and hard; the format I’m using is optimal.


USN-6499-2: GnuTLS vulnerability


USN-6499-1 fixed vulnerabilities in GnuTLS. This update provides the
corresponding update for Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that GnuTLS had a timing side-channel when handling
certain RSA-PSK key exchanges. A remote attacker could possibly use this
issue to recover sensitive information.


The Botnet siege: How your toaster could topple a corporation


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In addition to the overt signs of cyber threats we’ve become conditioned to recognize, like ransomware emails and strange login requests, malicious actors are now utilizing another way to achieve their nefarious purposes — by using your everyday devices. These hidden dangers are known as botnets.

Unbeknownst to most, our everyday devices, from toasters to smart fridges, can unwittingly be enlisted as footsoldiers in a digital army with the potential to bring down even corporate giants.

This insidious force operates in silence, escaping the notice of even the most vigilant users.

A recent report by Nokia shows that criminals are now using these devices more to orchestrate their attacks. In fact, cyber attacks targeting IoT devices are expected to double by 2025, further muddying the already murky waters.

Let us go to the battlements of this siege, and we’ll tackle the topic in more depth.

What is a botnet?

Derived from the words “robot” and “network,” a botnet refers to a group of devices that have been infected with malicious software. Once infected, these devices are controlled remotely by a central server and are often used to carry out malicious activities such as cyber attacks, espionage, financial fraud, spam email campaigns, stealing sensitive information, or simply the further propagation of malware.

How does a botnet attack work?

A botnet attack begins with the infection of individual devices. Cybercriminals use various tactics to compromise these devices, such as sending malicious emails, exploiting software vulnerabilities, or tricking users into downloading malware.

Everyday tech is notoriously prone to intrusion. The initial stages of building a botnet are often achieved with deceptively simple yet elegant tactics.

Recently, a major US energy company fell prey to one such attack, owing to hundreds of phishing emails. By using QR code generators, the attacks combined two seemingly benign elements into a campaign that hit manufacturing, insurance, technology, and financial services companies, apart from the aforementioned energy companies. This new attack vector is now being referred to as Quishing — and unfortunately, it’s only going to become more prevalent.

Once a device has been compromised, it becomes part of the botnet. The cybercriminal gains control over these infected devices, which are then ready to follow the attacker’s commands.

The attacker is then able to operate the botnet from a central command-and-control server to launch various types of attacks. Common ones include:

Distributed denial-of-service (DDoS). The botnet floods a target website or server with overwhelming traffic, causing it to become inaccessible to legitimate users.
Spam emails. Bots can be used to send out massive volumes of spam emails, often containing phishing scams or malware.
Data theft. Botnets can steal sensitive information, such as login credentials or personal data, from the infected devices.
Propagation. Some botnets are designed to spread malware further by infecting additional devices.

But what makes a device eligible to be a part of a botnet? Well, malicious actors first look for vulnerabilities, lack of monitoring, and even the brand of the toaster or any other IoT device you might be using. Aside from unknowingly assisting criminals, things such as virtual debit cards, PayPal accounts, and personal information may all be stolen, especially if your computer and IoT devices are on the same network — and they usually are.

Why are botnet attacks more dangerous?

Botnets operate stealthily, staying under the radar by blending in with regular internet traffic. They often use encryption and other techniques to ensure their activities remain hidden. Unlike other forms of cyberattacks, botnets aim to remain undetected for as long as possible. This makes it extremely difficult for individuals and organizations to realize that their devices have been compromised.

The most concerning aspect of botnets is their destructive potential. If they infect enough devices they can amass significant computational power and bandwidth.

With this collective strength, they can launch massive attacks on targets, including critical infrastructure like energy grids, agriculture systems, and healthcare facilities.

Additionally, the average layperson is blissfully unaware of botnets and how they work. In fact, most people don’t have a clue how to identify a cyber threat or how to prevent identity theft — the fact that their devices can be used as unwitting proxies in a malware attack is far beyond their ken.

How botnet attacks can cause serious damage to businesses

We’ve discussed the covert nature, ability to spread, and computational power of botnets — these factors coalesce into a lot of destructive potential.

Even large businesses are not immune — one of the most notorious botnets, Mirai, was used in a DDoS attack against domain name provider Dyn, mobilizing as much as 1.2 terabytes (yes, terabytes) of data each second. Tech titans like Spotify, Amazon, and Airbnb were affected, and over 14,000 online services dropped Dyn as a result of the attack. Although the incident was resolved within two hours, the volume of business lost is hard to quantify.

The attacks don’t have to be wholly digital either — botnets may also be used in conjunction with real-life breaches, with car dealerships being a prominent target because of their high-value and easily sellable goods. Oftentimes, criminals will use the botnet to perform a data breach to find more info about the facility.

Then, they might try to access the dealership’s security camera management system, and effectively get to choose when they want to break in. And yes, this can all stem from your toaster or your smart fridge.

Other sectors that extensively use IoT are also particularly vulnerable to botnet attacks. Energy, agriculture, and healthcare organizations have become increasingly reliant on IoT — and while the benefits are apparent, the heightened vulnerability to botnets is rarely discussed.

These sectors heavily rely on Real-Time Location System (RTLS) security to ensure the smooth operation of critical systems. While it may seem improbable for a single hacker to take down well-funded hospitals with their seven-digit security budgets, the dynamics change drastically when a multitude of Internet of Things (IoT) devices join forces.

How to protect yourself against botnet attacks

To successfully foil an attack from an army of devices is no easy task — and that question deserves a long, exhaustive answer. However, we can start small — with a couple of steps that can be taken without requiring large investments or a lot of time to put into play.

Keep your devices updated

Updates often include security patches that fix vulnerabilities hackers might exploit. Make sure to enable automatic updates whenever possible. Don’t delay or ignore these updates, as outdated devices are easier targets for botnet recruitment.

Install reliable security software

These programs can detect and remove malicious software that might be used to recruit your device into a botnet. We might be retreading old ground here, and although it goes without saying, it still bears repeating — ensure that your security software is up to date and set to run regular scans.

Segment your network

If you have multiple IoT (Internet of Things) devices, segmenting your network is another action you should consider. Keep your IoT devices on a separate network from your computers and smartphones. This way, even if an IoT device is compromised, it won’t provide a direct pathway to your more sensitive data or other devices to infect, thereby minimizing the impact and damage of infection.
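
One way to express this separation on a Linux-based router, shown here as an added example that is not part of the original article: an nftables forward-chain policy. The interface names lan0, iot0 and wan0 are assumptions standing for the trusted network, the IoT network and the internet uplink.

```nftables
# Constructed example. Interface names are assumptions:
#   lan0 = computers and smartphones (trusted)
#   iot0 = IoT devices
#   wan0 = internet uplink
# Only routed (forwarded) traffic between networks is filtered here.

table inet iot_segmentation {
    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Trusted devices may reach the internet and may initiate
        # connections to IoT devices (apps, admin pages).
        iifname "lan0" oifname "wan0" accept
        iifname "lan0" oifname "iot0" accept

        # IoT devices may reach the internet for updates and cloud services.
        iifname "iot0" oifname "wan0" accept

        # IoT devices may never initiate connections to trusted devices.
        # Counted and logged: repeated hits suggest a device is probing
        # the trusted network and should be investigated.
        iifname "iot0" oifname "lan0" counter log prefix "iot-to-lan-drop: " drop
    }
}
```

Because the trusted network can still open connections to IoT devices while the reverse direction is dropped, everyday use keeps working and a compromised IoT device has no direct path to computers and phones.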

Be cautious with email and links

Oftentimes, the human element is the weakest link when it comes to cybersecurity, and phishing attacks are a common method for recruiting devices into botnets. Exercise caution when opening email attachments or clicking on links, especially if the sender is unknown or the message seems suspicious. Always verify the legitimacy of the source before taking any action.

Conclusion

Botnets present a new paradigm of risk in cybersecurity — apart from simply being another method by which we can be attacked, botnets are unique in that they seek to recruit our hardware for their own nefarious purposes.

While this is still a relatively new phenomenon, and we’re sure to see a lot of evolution in this arena in the next couple of years, being aware of what the threat is, how it works, and how to implement best practices are good first steps — so long as we stay the course and keep our ears to the ground, we can keep up with malicious actors.
