Level1 News July 24 2018: 99 Data Balloons | Level One Techs


This is a companion discussion topic for the original entry at https://level1techs.com/video/level1-news-july-24-2018-99-data-balloons

I posted a couple of links here:

The crApple i9 issue could be far worse than simple thermal throttling. The thermals are complete horseshit, but apparently it's VRM issues that are creating the throttling. Not only that, there is no more tool to get your data off of the box once the VRMs crap out (if they spike the chip; if they don't, you can replace the individual components… for a price, and not from crApple) as the SSDs are soldered to the motherboard. Excuse me… logic board.

I happen to have an Amazon switch. It's pretty old, 10GbE SFP+ Quanta LB8 hardware with a Cumulus-derived OS. My analysis of it is on my GitHub.

Linux lb8.rai 3.2.35-almach+ #1 SMP Tue Dec 16 22:53:15 UTC 2014 ppc
    _    _                      _
   / \  | |_ __ ___   __ _  ___| |__
  / _ \ | | '_ ` _ \ / _` |/ __| '_ \
 / ___ \| | | | | | | (_| | (__| | | |
/_/   \_\_|_| |_| |_|\__,_|\___|_| |_|

The Amazon software stack for commodity network devices.
Help   : /usr/bin/almach-help   
Runbook: https://w.amazon.com/index.php/Almach/HowToUseAlmach
Contact: [email protected]

built 2014-12-16

(Publishing law)

It seems that since ignorance of the law is never an excuse, secretive or hushed laws are completely counter-intuitive. Where laws are kept from the public, an excuse is created.

(FBI and encryption / governance and distributed security measures)

Distributed security measures should be on the tongues of all leaders right now, but instead it's social control, due to financial difficulties. The main concern seems to be over the possibility of mass dissent and even revolt. This is because of increasing disparity, common to the end of the crisis cycle. It's a game-theoretic observation that disparity is always punished on a large scale. That being the case, I'm of course in favor of legal means of punitive measures over revolt, but even that is being circumvented. This is bad news not only for the general public but also for the powers that be. The concerns of possible revolt are very real, and come from a very visceral place in human behavior.

The FBI and all of the other three-letter admins need to be very careful right now, and they are choosing not to. They are looking for mass dissent. That's what they are doing, and they are lying with bold faces when they suggest otherwise. From a behavioral view, it's the disparity that should concern them the most, and I guarantee that that is what is concerning them the most. They are more concerned about the general public's knowledge that they are being extracted from for the sake of corporate welfare.

The control of the media, the war on distributed security measures, the war on substances that promote the expansion of thought and many other campaigns are to prevent mass dissent. This is a well-studied and understood part of Sociology, Social Psychology and Political Science.

For this I would reference the follow up on John Nash’s “Game Theory” by the political scientist Robert Axelrod.

(Net Neutrality)

Both the notions of net neutrality and privacy are probably a red herring from the start. The systemic functions should probably dictate the nomenclature on both accounts. Net neutrality should probably be called anti-gouging, because that is its systemic function. Big tech and communications companies are just gouging in a state of growth maximum to create new shareholder value. It's really that simple, and it's probably the reason that it has and will probably continue to fail. These companies are grea$ing wheels to increase profit margins… to keep shareholders and VCs happy. This model eventually breaks down to the point that it can no longer function, and then comes the change. Little will probably change until then.

When talking of the personal data of administrations or large companies the term security is used, yet when the conversation turns to the personal data of private citizens, it's privacy. See the problem? Is your data secure? You would have to be catatonic, on some pretty powerful tranquilizers, completely brainwashed or suffering from Stockholm Syndrome to answer yes to that question. Right now security measures are turned against the citizenry. That is an obvious fact.


Hmm, End screen seems to be broken:


The Apple Keyboard story you already had last week though?

It was about the new Apple memo leak which, since recording, Apple has been furiously sending takedowns over. I think.

Which confirmed last week's hypothesis that yes, it's not to quiet the keyboard, but to fix it. And by not admitting that, it's an attempt to minimize liability.

Ah OK thought as much, only seemed like a side note in the video though :smiley:

But yeah, this is most likely about the lawsuit anyway. If they were to admit that the old ones are broken they'd basically lose that lawsuit on their own.


Just now watching the news, regarding the voting booths (https://youtu.be/pf6weEbLXRs?t=29m55s), I find it interesting that this would have been much, much less likely if the federal government were responsible for voting OR if FISMA (or some version of it) applied to state governments.

Let's say some three-letter federal agency wants to buy an information system (software and/or hardware) or host their information system on a non-government resource (AWS, Azure, GCP). That third party (i.e. Amazon, Google, Microsoft, HP) has to follow a pretty strict process for getting their service or hardware approved for government use because of FISMA.

What's great about FISMA is that it didn't mandate some old standard; if it did, we would be stuck in the stone age more so than we are right now. Paraphrasing a bit, but essentially it allows an independent agency in conjunction with the executive branch (the OMB, if you're curious) to appoint an organization to make the standards and then create a new group to audit the standards.

NIST (National Institute of Standards and Technology) is the group that sets the security standards (the most current of which can be found here: https://nvd.nist.gov/800-53/Rev4), and FedRAMP is the group helping federal agencies and private corporations wishing to sell to those entities meet and audit the standards. The auditing is done through third parties (3PAO, or 3rd Party Assessment Organization) who are accredited by the A2LA (American Association for Laboratory Accreditation).

Now I can only speak to the auditing of cloud service providers (Azure, Office 365, AWS, GCP), but these audits are pretty intense and the operational requirements that companies like Microsoft, Amazon, and Google have to hit are pretty immense. Obviously everything isn't perfect; for instance, we've had to submit a "deviation request" for a team using TLS 1.3 when they "should" be using 1.2 as it's the standard set by NIST (new revision is coming out soon…). If Microsoft or Amazon want to sell to the government, they have to go through a ~1-3 month long audit per service. So if Microsoft offers Office 365 and Azure, those are 2 audits that will take a pretty large team of people to get through, and it will still take them 1-3 months each. It involves interviewing developers, reviewing source code, checking production servers for host firewall settings, intrusion detection, and god knows what else (I know what else). Then the 3rd party auditor creates an assessment package and sends that off to FedRAMP for final questions and either a yes or a no.

But compare this to the state process:

Step 1: Check budget
Step 2: Contact sales person and tell them the budget and what you need to get done
Step 3: Get PO approved by the designated official in your state
Step 4: ???
Step 5: Voting equipment has remote access software on it for somewhere between 0 and all machines, and for somewhere between 0 and 100 years, with no recourse possible to the offending manufacturer.

Now I'm NOT suggesting grinding states to a halt by making them all hit FedRAMP standards. For instance, Amazon might have to perform a pretty lengthy audit process once a year, but once they pass that they can sell to ANY federal agency with only a minor review required (exceptions are people like the DoD or NSA, who will have higher standards in addition to FedRAMP High certification, like DISA L4/L5, if you're interested).

What I am suggesting is that there should be some sort of independent vetting process where if you want to sell voting booths to any state, it should probably have to be approved and audited by someone who isn’t the state. Just like how the guidelines for the federal systems aren’t written or audited by the federal agency themselves.

tl;dr sorry for the word vomit, long day at work and then listening to this enraged me with state government incompetence (I used to do a lot of IT work for town and state government). There should be something similar to FISMA passed for states so that they can't just buy anything for certain information systems of adequate impact level.
