Surveilled #68–Cybersecurity and semiconductor geopolitics, risky default domains and remote working
Surveilled
Issue 68
A shorter issue this week, I didn’t come across anything that seemed to warrant the “One Big Story” treatment, but still six interesting things below.
Six Links
Facebook announced a sophisticated attack by Chinese hackers on Uyghurs across the world–Even though the attack in itself is not particularly interesting (they relied on “watering hole” attacks, setting up websites that look like the original but steal data), it garnered a lot of attention in the media. To me there are two takeaways here, one old and one new. The old one is the vast multitude of channels available to attackers, compounding the risks of having so much of our data online. The new one is perhaps even more difficult to grapple with: these are cross-border attacks, most likely by state-sponsored actors. At which point does this escalate into broader and more visible hostilities, and how is this factored into national security policies? Read (Rest of World)
The fraught geopolitics of semiconductors–The ever-shrinking size of microchips is a key factor in producing more powerful and more energy efficient electronic devices. As of today, the world leader in semiconductor manufacturing technology is Taiwan Semiconductor (TSMC), whose production capacity is entirely concentrated in Taiwan (see Surveilled #54). The knowledge and scale of investment required to match their ability is practically out of reach of all competitors elsewhere, including such names as Intel, and all the mainland Chinese manufacturers. The world depends on TSMC in other words, and against the backdrop of rising tensions between mainland China and Taiwan, that increasingly starts to look like a very fragile situation. Read (FT $)
The debate about Bitcoin starts to coalesce around stability and energy use–With the huge run up in Bitcoin, more institutional investors are making a case for investing in it, while others remain firmly in the skeptics camp. Among the latter is Norway’s sovereign wealth fund, who highlight Bitcoin’s volatility and its unsustainable energy use as two key reasons not to invest. Incidentally, the same arguments also applies to NFTs, discussed in issue 66. Read (The Edge)
How corporate dysfunction ends up creating security vulnerabilities–Fiserv is one of the largest providers of online banking and other financial software, which should make it no stranger to overpromises, tight deadlines and the odd cut corner with unexpected consequences. One such example: their products used a default website domain, meant to be replaced by the customers’ real domain. This domain is included in emails sent to the customers’ customers, for example “contact support@defaultdomain.com if you have any issues.” So far so good, the real problem was that this default domain was available for purchase on the internet. An eagle-eyed IT contractor spotted this, bought the domain and then monitored the email received for a while, and yes, received all manner of interesting info, including One Time Passwords, password-reset links, etc. On the heels of the Solarwinds and Microsoft Exchange (Surveilled #66) hacks, yet another illustration of the real challenges big corporates face in delivering truly secure software. Read (Krebs on Security)
”If you can do your job from anywhere, someone anywhere can do your job”–Successful fully remote companies existed before the pandemic (Basecamp and Todoist, to name two), but after the lockdown-induced global experiment, the idea is now poised to really shift the market dynamics for highly skilled jobs in expensive cities. Pendulum swing or tectonic shift? Read (FT $)
One of Twitter’s most popular users leaves the platform because of harassment–Stories of toxic social media have receded from the news with Donald Trump gone, but the problem hasn’t gone away, as this sadly illustrates. Read (The Verge)