The Power To Print And Distribute Money Without A Central Power

Cryptocurrency has been the rage ever since its introduction almost a decade ago. On October 31, 2008, Satoshi Nakamoto published his paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System”. Since then, Bitcoin (and its enthusiasts and detractors) have been on a wild ride.

I won’t burden this article with a summary of Bitcoin’s history. [For a good summary of that, take a look here.] But one thing is clear: Bitcoin was designed to take power from the existing financial institutions and hopefully vest it into the hands of “the people”.

But its history has shown that the early Bitcoin “ecosystem” was just shifting power from banks and governments towards speculators and members of the tech intelligentsia. Exchanges like Mt. Gox appeared, thrived (for a time), and then were disempowered as everyone noticed that con artists were the real beneficiaries.

As blockchain technology has arisen (and matured), the notion of a decentralized ledger has belatedly emerged as the most lasting vestige of the original anti-establishment craze.  Everyone and their brother is now implementing blockchain technology. I even think that I saw a Blockchain slushee the last time that I went into a Quick-Trip. [Note: That actually makes some sense when you consider that convenience stores sell currency futures in the form of state-based lottery tickets.]

But the anti-establishment heritage of Bitcoin is now giving way to the centralized management of our government and corporate overlords. As banks and governments erect/impose management systems (i.e., barriers) around the blockchain infrastructure, you should be reminded of the example where governments are controlling access to waterways and irrigation systems. While the water is free, moving water through the dams and controlled waterways costs a whole lot of money. And the banks and governments happen to have a whole lot of money to use as they erect barriers against the vandals who are trying to overrun Rome.

Today, I ran across a really good thought piece about these very subjects. Medium just posted an article by Daniel Jeffries. In his article, Jeffries states, “The true power of cryptocurrencies is the power to print and distribute money without a central power.” And Jeffries is absolutely right. Of course, this means that cryptocurrency is an existential threat to the banks and to the state-supported central banks. Consequently, cryptocurrency has provoked their “immune response” mechanisms.

The outcome of this tension is not yet known. We might actually see decentralized capitalism emerge. Or we might see the stranglehold of financial institutions worsen. Finally, we might see governments further exercise their fiat power over money. This dance will end with either chaos or absolute control.

As for me, I’m hoping for something in between. And I hope that initiatives like Cicada will help to cement some of the really good seismic changes that can come out of cryptocurrency and the blockchain.

https://hackernoon.com/why-everyone-missed-the-most-mind-blowing-feature-of-cryptocurrency-860c3f25f1fb

Yes – But There Is A Difference This Time


 
In the seventies, I visited the National Bureau of Standards in Gaithersburg, Maryland. And while there, I saw my first Tokamak reactor. It was a small device – about the size of a large room. But I saw a real world example of the fantasies that I had read about for several years. So I started to get really excited.

That excitement waned. Over the decades since then, the sci-fi fantasies continued to be fueled while the real science seemed to be flagging. And the “cold fusion” idiocy didn’t help things much.

But there have been waves of breakthroughs. Each new experimental wave brought about another wave of anticipation. Today, plasma has been contained for multiple seconds. In fact, we can easily see the time when we can indefinitely sustain a usable plasma. Of course, the real trick is to get more power out of the reaction than we put into the process.

At 10:30 in the above video, Joe Scott lets us know that there is a real difference between fusion reactor claims of the past and the progress that is anticipated in the relatively near future. His conclusion is that the addition of private industry will propel fusion reactors from the university to the power plant. Given what Elon Musk and SpaceX have done to spur interplanetary expeditions, I tend to agree with Joe. And if we can just increase the competitive pressure further, we may see sustainable fusion power in our lifetimes.

In Praise of Pascal


Zat Rana has written an exceptional piece about the impact of Blaise Pascal on modern social sciences. As a man of faith (as well as a student of both the physical and social sciences), I have always looked up to Pascal. And this article is a gentle reminder that I need to re-read Pensées yet again.

In his article entitled “The Most Important Skill Nobody Taught You”, Zat Rana asserts that one of the fundamental lessons from Pascal is the adoption of solitude as a personal growth practice. As I read and considered this, I was left wondering if I (and the social media literati) could ever stop tweeting, blogging, and posting long enough to spend even a few moments in contemplative solitude.

Rana states, “At its core, it’s not necessarily that we are addicted to a TV set because there is something uniquely satisfying about it, just like we are not addicted to most stimulants because the benefits outweigh the downsides. Rather, what we are really addicted to is a state of not-being-bored.”

Unfortunately, I have to agree. I spend so much time trying to do something (nay anything) that I miss the chance to do nothing. And when I empty a moment of all of its burdens, it is then that I can hear the still small voice of God speaking to me.

Chick-Fil-A…Runs Kubernetes…At Every Store


How many of you thought that Chick-fil-A would have a tech blog? And how many of you thought that they would be clustering edge nodes at every store? When I read this article, I was surprised – and quite excited.

The basic use case is that every Chick-fil-A store needs to run certain basic management apps. These apps run at the edge but are connected to the central office. These apps include network and IT management stuff. But they also include some of the “mundane” back-office apps that keep a company going.

Routine stuff, right? But in the Chick-fil-A case, these apps/systems need to be remote and resilient. The hardware must be installed and maintained by non-technical (or semi-technical) employees (and/or contractors). If a node fails, the recovery must be as simple as unplugging the failed device and plugging in a replacement device. Similarly, the node enrollment, software distribution, and system recovery capabilities have to be automated – and flawless.

Here is where containers and Kubernetes enter the picture.

The secret to Chick-Fil-A’s success is the recipe that they use to assemble all of the parts into a yummy solution. The servers (i.e., Intel NUC devices) power up, download the relevant software, and join the local cluster. The most exciting part of this solution is its dependence upon commodity components and open source software to build a resilient platform for the company’s “secret sauce” (i.e., their proprietary apps).

The next time you go into a Chick-fil-A, remember that they are using leading-edge tech to ensure that you get the sandwich that you so desperately want to eat.


Default Passwords = Bad; Continuous Testing = Good


Well, the verdict is in. The drone documents found on the dark web were drone maintenance documents. These documents were found behind a Netgear router whose FTP (file transfer protocol) password had not been changed.

This is a simple mistake. You might even say that this was a “rookie” mistake. Nevertheless, I am stunned that this kind of mistake would be made on a program that had already been granted its authority to operate (ATO). But the fact that this has happened proves that continuous vulnerability testing and compliance monitoring are keys to ensuring the ongoing (and safe) operations of a program.

And if this is true for the U.S. Department of Defense, then it is also true for each of us. So here is my simple question: have you changed default passwords on every system that you access?

Learn From Drone Documents Found on the Dark Web

Today, the Wall Street Journal reported that secret data about combat drones had been stolen and had been made available on the “dark web”. This revelation should not be surprising. In a world where every document and every conversation can be digitized, there is ample opportunity for data to fall into unexpected hands.

Is this a problem with the “dark web” itself? No, not really. Yes, the dark web is inhabited by denizens. But it is also inhabited by those seeking relief from oppressive political regimes. The real problem here is that either secure systems have been breached or someone within the “military-industrial complex” has released sensitive data to an unauthorized recipient.

I am sure that an inspector general is already investigating. In the meantime, there are lessons to be learned – and applied – for your personal assets:

  1. Know your data. While you should protect everything, you should be able to say what data is truly valuable.
  2. Protect your valuable data. Have  layers of security. This should include strong (and unique) passwords, multi-factor authentication, encrypted “data at rest”, and also encrypted communications for valuable data.
  3. Review your protection plans on a regular basis. Perform threat simulations wherever possible. This is not something that should be done just by governments and corporations. You should do this for your own data – lest you be awoken to the sad truth that you have been hacked.
  4. Review all access attempts to determine if you have been breached. This means that you should check access logs (if possible) to see if they match what you actually did. For example, check last login times on tools like Facebook and Twitter. But this also means using tools like “Have I Been Pwned” so that you know whether your credentials have been compromised. You might even want to use tools from credit sources (like Experian).
  5. Always have a remediation plan if your data is compromised. This should include contacting service providers (especially banks), changing passwords, etc.

You may not have military-grade secrets to protect. But with a little investment of time, you can be craftier than the slower antelopes.

JWST Delayed – Again

In February 2018, the Government Accountability Office (GAO) noted that the James Webb Space Telescope (JWST) would be delayed.  For those who don’t follow NASA, the JWST was originally scheduled for a 4Q2018 launch. But delays in testing and integration led NASA (and the GAO) to reset the launch clock. The new launch date would be June 2019.

But last week, NASA provided another launch date: March 30, 2021. And there will be up to $1B of additional costs. Of course, this extended delay may be immensely challenging. The service life of the Ariane 5 rocket will be coming to a close in 2022. So any further delays might cause the launch date to slip past the retirement date of this launch system. If that happens, then  the entire project might be faced with the need to re-engineer the delivery vehicle to fit a different flight system. In short, even further delays.

The JWST will be a jewel worth whatever investment we make. But I can’t help but feel frustrated.

  • As a wannabe rocket scientist and space enthusiast, I am still jazzed to see this project begin – regardless of the delays.
  • As a citizen, I hate the fact that we can build rockets and complex research instruments, but we can’t manage the projects that will deliver the anticipated results.
  • As a project/program manager, I am stunned by this project. It is one of those projects where everything that can go wrong will go wrong.  And while NASA is exhausting its pre-launch alternatives, it dare not accelerate and increase the risk in the actual post-launch phase. This project must work on the first try because we can’t just go out and repair the device – like we did with Hubble.

From my vantage point, I see so many good lessons:

  • Don’t assume success. Plan for success – while acknowledging the potential for failure.
  • Plan your contingencies – and be ready to execute them when needed.
  • Remember that all contingencies incur real costs – both in delivery date and in real dollars.
  • Choose whether to minimize costs or to maximize the chance for success. Some contingencies just won’t work. So the real trick is to pick those contingencies that maximize the likelihood of achieving a successful outcome while minimizing costs. It’s a tough balancing act. But in the case of JWST, we really can’t launch without testing. That could be disastrous. We might strand a multi-billion dollar investment somewhere out past L2.

In the final analysis, we need to fish or cut bait. And since valuable exploration always incurs real risks, we need to be resolute. This won’t be like our Superconducting Super Collider. In that case, we just moved the resources to the LHC – which was further ahead. In this case, there is no other alternative that we can bet upon. We must move forward or lose the opportunity for a generation.

BTW, let’s remind our President and Congress about their new Space Force commitment. And then let’s remind them that we – as a peaceful people – want to see our interplanetary future move forward. We’ve been resting comfortably for too long. It’s time to leave the nest once again.

If Vigilance Is Required At Home…

… then how much more important is it at work?

It is well said that the price of freedom is eternal vigilance. Similarly, the price of personal freedom must be paid on a recurring basis. For me, activity during the week focuses upon work. And updating of security at home is almost always deferred until the weekend change window – when my wife (i.e., the CAB chairperson) can accept a more protracted outage.

So the change was scheduled for last night. And what were the contents of the change? Security updates were the sole focus.

Last month, the Talos team (at Cisco) issued a warning about an old threat (i.e., VPNFilter) that had returned from the dead – in a much more virulent form. Talos (and the FBI) recommended immediate reboots of home routers. I did this the same day of the warning. But after Talos (and the FBI) repeated their warnings about VPNFilter, I determined that it was time to rebuild the router from scratch following a factory reset. So once my wife disconnected from her “work” network, I started the changes. And it went reasonably well.
 
Since I coupled the change with a complete renumbering of the IP address space at home, the time before service restoration was longer than it would otherwise have been. In fact, the total rebuild of the router – and the assignment of new IP addresses across the network – took about two hours. After that window, normal services were successfully restored. But it took another two hours to clean up a few items – including the rebuilding of my Home Assistant hub. So the total change window lasted approximately four hours. At the end of the change window, we had a completely rebuilt home network.
 
When I got up this morning, I realized that it was also time to further secure my browser. My posture was immeasurably better than most of my neighbors. I browse via a VPN. I use uBlock Origin and Pi-hole to block ads. I use Privacy Badger for another layer of browser protection. But “good enough” is not good enough for me. So I decided to deploy uMatrix as an additional means of both understanding all network interactions and controlling those interactions.
 
For those not familiar with uMatrix (which is pronounced “micro matrix”), think of it as the next step beyond the NoScript tool. With uMatrix, you see a matrix of external sites and access types used when you load pages from any site (or domain). And you can allow access on either a temporary or a permanent basis. Once you get past the first shock of seeing all of the cross-site and cross-domain activity, you realize that uMatrix does provide you with incredibly granular control over how pages are rendered in your browser.
 
The first thing that I realized when I started to dig deeper was that securing my browsing experience almost always results in a “broken” user experience. This was not a new revelation. When I first used NoScript, I had to whitelist a whole lot of sites – or live with reduced functionality. So the process of evaluating sites and functions was both expected and welcomed.
 
The first sites that I decided to validate were those associated with security-related podcasts. And as expected, every podcast was accompanied by necessary changes to enable streaming. The most ironic thing that I saw was just how much cross-site activity was required to even listen to security podcasts. But knowing the precise elements that were needed by a page allowed me to open just those elements that were truly required. Basically, uMatrix provided me with fine-grained access control. And it also reminded me that “free” almost always means trading function/feature access against limited access to me (and my data) by advertising agencies/networks.
 
Once I dealt with the security podcasts, I wanted to see just how pernicious Facebook access was. Currently, I do not use any Facebook “apps”. Instead, I use a simple browser. I run their browser pages inside of a “container” that limits data leakage. Nevertheless, I still expected some additional cross-site activity. What I saw was positively astonishing. Over two-hundred elements requiring cross-domain access were requested. And that was after ad blocking was done by my Pi-hole and by uBlock Origin. Am I surprised? No, not really. But the scope of what remained – even after ad blocking – was positively astonishing.
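
The matrix view and the temporary versus permanent grants described above can be modelled in a few lines. This is an added sketch, not code from the original post and not uMatrix's own rule engine: the request list is constructed sample data, the `Policy` class is hypothetical, and "same site" is approximated by the last two labels of the hostname.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: requests observed while loading one page (not real traffic).
PAGE = "https://podcast.example/episodes/42"
REQUESTS = [
    ("https://podcast.example/app.js", "script"),
    ("https://podcast.example/site.css", "css"),
    ("https://media.podcast.example/ep42.mp3", "media"),
    ("https://cdn.player.example/player.js", "script"),
    ("https://cdn.player.example/skin.css", "css"),
    ("https://ads.tracker.example/pixel.gif", "image"),
    ("https://ads.tracker.example/collect.js", "script"),
    ("https://ads.tracker.example/sync", "xhr"),
]

def site_of(host):
    """Naive registrable domain (last two labels). Assumption for this sketch;
    real tools consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def build_matrix(requests):
    """Rows are destination hosts, columns are request types, cells are counts."""
    matrix = defaultdict(Counter)
    for url, rtype in requests:
        matrix[urlsplit(url).hostname][rtype] += 1
    return matrix

class Policy:
    """Hypothetical policy: first-party allowed, third-party denied unless a
    (host, type) cell has been granted temporarily or permanently."""

    def __init__(self):
        self.permanent = set()
        self.temporary = set()

    def allow(self, host, rtype, permanent=False):
        (self.permanent if permanent else self.temporary).add((host, rtype))

    def revert_temporary(self):
        """Drop session-only grants, as when the browsing session ends."""
        self.temporary.clear()

    def permits(self, page_url, url, rtype):
        host = urlsplit(url).hostname
        if site_of(host) == site_of(urlsplit(page_url).hostname):
            return True
        grants = self.permanent | self.temporary
        return (host, rtype) in grants or (host, "*") in grants

def filter_requests(policy, page_url, requests):
    """Split requests into (allowed, blocked) under the given policy."""
    allowed, blocked = [], []
    for url, rtype in requests:
        bucket = allowed if policy.permits(page_url, url, rtype) else blocked
        bucket.append((url, rtype))
    return allowed, blocked

if __name__ == "__main__":
    for host, cells in sorted(build_matrix(REQUESTS).items()):
        print(f"{host:28} {dict(cells)}")
    policy = Policy()
    policy.allow("cdn.player.example", "script")               # this session only
    policy.allow("cdn.player.example", "css", permanent=True)  # kept across sessions
    allowed, blocked = filter_requests(policy, PAGE, REQUESTS)
    print(len(allowed), "allowed;", len(blocked), "blocked")
```

Granting individual cells for the player host leaves every request to the tracker host blocked, which is the "open just those elements" workflow in miniature.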
 
So what are the key takeaways from yesterday and today?
 
  1. Change control is always needed – even at home. Of course, the discipline that you follow at home will depend upon the willingness of family members. But this is no different than how things function at the office. Build your processes to meet your stakeholders’ and customers’ needs. Please remember that there are differences between the needs of both groups. At home, you and your spouse are the stakeholders while your kids (and guests) are the customers. As the stakeholders, you need to make the choices about how much security is too much security. And I guarantee that whatever you decide, your kids will probably disagree with you. 😉
  2. There is no such thing as secure enough. You can always do more in order to be even more secure. And if you do nothing, you will just lose ground over time. To stay secure, you need to always do more.
  3. Always remember that “free” just means that the price may not be immediately discernible or quantifiable. Use tools that help you discern the heretofore indiscernible. I do recommend uMatrix. But other tools can be used.

The work of ensuring security is never complete. Your home is not safe just because you have a door lock. You need to lock it. And then you need to realize that your windows are a threat vector. In the same way, information security is not just about having an ISP-provided router and a password on your primary system. But whether you are totally insecure or currently “state-of-the-art” in your practices, there is always more that you can do. So take the next steps to further secure your home. Then remember, your workplace is no different than your home. It requires constant tending – by both the security professionals and by every employee.

“The Dark Web”: New Bogeyman…of Madison Avenue

Every conflict needs a villain. This is true for Thanos, the Mad Titan (i.e., the protagonist of the latest “Avengers” movie). It is true for worldwide safety and security (e.g., terrorism in general and weapons of mass destruction in particular). It is also apparently true for online security services.

While doing my casual morning browsing of news sites, I ran across an ad for “dark web” scanning (linked below). I am not necessarily recommending the services offered by Experian. I am sure that it is a fine, general-purpose service. But I did want to highlight the use of fear and uncertainty as a motivation. Today, the “dark web” is the undeniable ‘big bad’ for online users. We are now told that it isn’t trusted companies (who abuse your identity for their revenue). It apparently isn’t the NSA (who collects everything about you in order to “protect” you). Listen carefully: according to Experian, it is the ‘dark web’ that seeks to hurt you.

Please don’t misunderstand my subtle (and not-so-subtle) prodding. The ‘dark web’ does provide a hideout for those who wish to lurk. At the same time, it provides a sanctuary for those escaping tyrannical pursuit (by hostile governments or hostile corporations). The ‘dark web’ is not – in and of itself – something to be feared. Rather, it is something to be understood.

At its foundation, the ‘dark web’ is a non-indexed part of the Internet whose content is obscured via encryption. So if you desire to be anonymous (and untraceable) while on the Internet, then you are a potential user of the dark web. And if you want to host content that is neither indexed (by Google) nor unencrypted, then you are seeking some of the attributes of the dark web.

Yes, Experian (and other companies) are offering you a “detector” that will let you know whether key pieces of your identity have been compromised by known individuals, groups, or sites that are identified as part of the “dark web”. Of course, they cannot tell you if some unknown individual, group, or site has your PII data. Unfortunately, it is the unknown threat that should concern you.

So here is a novel thought: assume that anyone can access the information that you move across the Internet. If you assume that everything is possible to compromise, then you will take the right steps to protect essential data that must move across the Internet. Don’t let someone else do the hard work for you. You must decide what is important to you. And you must decide which steps are appropriate and which are too onerous. For some folks, remembering to lock their back door is an onerous task – until they learn that their neighbors experienced a break in. Then, all of a sudden, locking the doors is not too onerous. So assume that your neighbors have been ransacked. And assume that your nosy neighbor wants more than just a smile in return. Be charitable. Be gracious. And be prepared.

And if you want to check out some free resources, then consider https://haveibeenpwned.com/.

http://bit.ly/2L5Uxny