Dave Bittner
You're listening to the CyberWire network, powered by N2K. Quick question: do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has an answer to this: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. And it's now available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers. Check it out at 1Password.com/cyberwire. That's 1Password.com/cyberwire.

ChatGPT and Meta face widespread outages. Trump advisors explore splitting NSA and Cybercom leadership roles. A critical vulnerability in Apache Struts 2 has been disclosed. Authquake allows attackers to bypass Microsoft MFA protections. Researchers identify Nova, a sophisticated variant of the Snake keylogger malware. Adobe addresses critical vulnerabilities across their product line. Chinese law enforcement has been using spyware to collect data from Android devices since 2017. A new report highlights the gaps in hardware and firmware security management. A Krispy Kreme cyberattack creates a sticky situation. N2K's executive editor Brandon Karpf speaks with guest Mike Silverman, Chief Strategy and Innovation Officer at the FS ISAC, discussing cryptographic agility. And Do Not Track bids a fond farewell.

It's Thursday, December 12, 2024. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. Great to have you with us.

OpenAI's ChatGPT faced a global outage on Thursday morning, impacting millions of users and businesses relying on its services. The disruption lasted nearly three hours and also affected OpenAI's API and Sora platforms. Frustrated users flooded social media with complaints about errors and degraded performance. Over 28,000 reports were logged on Downdetector. OpenAI quickly acknowledged the issue on X (Twitter) and worked to resolve it, restoring full functionality by mid-morning. The outage highlighted growing reliance on AI tools and the operational challenges posed by such disruptions. Meanwhile, Meta experienced a similar issue the day before, with widespread outages affecting Facebook, Instagram, WhatsApp and Threads for hours. Both incidents underline vulnerabilities in digital infrastructure and the cascading effects on global users. While OpenAI's swift response was appreciated, it reinforces the need for robust reliability as AI becomes central in modern life.

Advisers to President-elect Donald Trump are revisiting plans to separate U.S. Cyber Command and the National Security Agency, currently led under a dual-hat structure. This idea, previously explored during Trump's first term, has resurfaced within the transition team and right-wing think tanks. Proponents argue the roles are too vast for one leader, while critics warn of operational inefficiencies and risks to NSA's intelligence-gathering integrity. The arrangement, established in 2010, has sparked debates across administrations, with President Biden's 2022 review favoring its retention. Legal hurdles exist, but Trump could bypass Congress with executive actions. A split would raise complex restructuring questions and could dilute Cybercom's and NSA's effectiveness. Lawmakers remain skeptical, emphasizing the need for clear justification. Critics also highlight the irony of Trump's anti-bureaucracy stance driving a move that could create new administrative challenges. For now, the dual-hat structure remains intact.

A critical vulnerability in Apache Struts 2 has been disclosed with a near-maximum severity score. This flaw allows remote code execution via malicious file uploads and lacks a workaround, making patching to the latest version essential. Applications not using the deprecated file upload interceptor are unaffected. Updating requires rewriting actions for compatibility. Despite alternatives, Struts 2 remains popular, with significant downloads monthly. This vulnerability underscores risks, recalling Struts' role in the 2017 Equifax breach.

Oasis Security revealed details of a critical vulnerability in Microsoft's multifactor authentication system, dubbed Authquake, which allowed attackers to bypass MFA protections. Reported in June, the flaw was temporarily patched within days, with a permanent fix issued in October. Exploiting the flaw required only the target's username and password, enabling access to sensitive services like Outlook, OneDrive, Teams, and Azure. The attack method allowed repeated attempts to guess 6-digit MFA codes within 3-minute validity windows. By launching multiple simultaneous sessions, attackers could achieve over a 50% success rate within 70 minutes without alerting victims. Oasis highlighted the severity given Microsoft's 400-plus million Office 365 seats. Microsoft's fix implemented stricter rate limits, halting attempts after several failures for approximately half a day, mitigating brute-force risks.

Security researchers from ANY.RUN have identified Nova, a sophisticated variant of the Snake keylogger malware, showcasing advanced data-stealing and evasion capabilities. Built in VB.NET, Nova employs techniques like process hollowing to inject payloads into suspended processes, alongside heavily obfuscated code using tools like the .NET Reactor obfuscator. It targets credentials, captures screenshots, monitors clipboards, and exfiltrates data via Telegram, FTP and SMTP, spreading through phishing campaigns. Nova also employs geolocation tracking and browser password decryption.

Adobe has released security updates addressing critical vulnerabilities across various software, including Acrobat, Photoshop, Illustrator, and Substance 3D. Flaws like buffer overflows, out-of-bounds writes, and use-after-free vulnerabilities could enable remote code execution or privilege escalation. Affected products include Substance 3D Painter, Animate, FrameMaker, Connect, and others, impacting both Windows and macOS. Users are urged to update to patched versions, as no workarounds are available. These vulnerabilities, with CVSS scores up to 9.3, highlight the importance of timely updates.

Cybersecurity firm Lookout reports that Chinese law enforcement has been using spyware dubbed Eagle Message Spy to collect extensive data from Android devices since 2017. Developed by Wuhan Chinasoft Token Information Technology, the tool requires physical access to unlock devices for installation. The spyware collects SMS messages, app communications, call logs, contacts and GPS data, and records screens and audio. Data is stored in a hidden directory, encrypted, and sent to a command-and-control server with an admin panel. While linked to local Chinese police bureaus, Eagle Message Spy's source code suggests a potential connection to surveillance tools like CarbonSteal, previously used to monitor minorities such as Uighurs and Tibetans. An iOS version has not been found.

A new report from HP Wolf, titled Securing the Device Lifecycle: From Factory to Fingertips, highlights critical gaps in hardware and firmware security management across global organizations. Based on a survey of 6,000 workers and 800 IT and security decision makers, referred to in the report as ITSDMs, the findings reveal that procurement processes rarely involve IT security teams, with 52% admitting limited collaboration with procurement to verify supplier security claims. Over 79% acknowledge major gaps in hardware and firmware knowledge, leaving organizations vulnerable throughout the device lifecycle. Key issues include weak BIOS password practices, delays in firmware updates, and blind spots in hardware threat detection. Additionally, over 60% struggle to detect or remediate hardware vulnerabilities, while frustrated employees sometimes resort to unauthorized repairs. Endpoint risks persist at device retirement, with 70% of employees keeping old devices, risking data leaks. The report underscores the need for prioritizing hardware and firmware security to enhance resilience, sustainability and cost efficiency.

Krispy Kreme experienced a cyberattack on November 29, disrupting its online ordering system in the United States but leaving in-person orders and deliveries unaffected. The company immediately engaged cybersecurity experts to contain and investigate the breach, although the full scope and nature remain unclear. Digital sales, which account for just over 15% of Krispy Kreme's revenue, are significantly impacted, leading to a reasonable financial loss from decreased revenue and recovery costs. The company's stock fell 2% following the disclosure. Krispy Kreme has not confirmed whether ransomware was involved, and no groups have claimed responsibility. The company continues to restore operations while working to mitigate further impact. Despite the disruption, global operations and partnerships, such as with McDonald's, remain unaffected. Recovery efforts are ongoing, but no timeline for resolution has been provided. Even donuts can't escape these sticky fingers of cybercriminals. Is nothing sacred?

Coming up after the break, Brandon Karpf speaks with Mike Silverman from the FS ISAC, and Do Not Track bids a fond farewell. Stay with us.
Brandon Karpf
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

Identity architects and engineers, modernize your identity systems with Strata. Integrate legacy apps with any IdP, ensure seamless identity failover, and apply MFA without touching app code. Strata offers robust, efficient identity management, reducing tech debt and enhancing security. Gain peace of mind and operational efficiency with Strata's comprehensive solutions. Visit strata.io, share your biggest identity challenge, and enjoy free AirPods Pro. Optimize your identity solutions today. Visit strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast.
Dave Bittner
Mike Silverman is Chief Strategy and Innovation Officer at the FS ISAC. He recently sat down with N2K's Executive Editor, Brandon Karpf, to discuss cryptographic agility.
Brandon Karpf
And we are joined today by Mike Silverman, Chief Strategy and Innovation Officer at the FS ISAC, good friends of the podcast. Mike, so great to have you on the show.
Mike Silverman
Oh, it's a pleasure. Thank you for having me here.
Brandon Karpf
So what we're talking about today is a recent publication from FS ISAC on building cryptographic agility in the financial sector, just published in October 2024. And this is coming out, I imagine, for a few reasons. But before we get into the details of this publication, Mike, I'd be really curious: what is cryptographic agility?
Mike Silverman
You know, it's a funny question. I run the Post-Quantum Cryptography working group at FS ISAC, which is 30 or so cryptography and cybersecurity experts at financial services firms from around the globe, all working together for this common cause. And actually, the genesis of the paper was that there was no definition of cryptographic agility. That's why we actually came together, and it took us three months to actually come up with a concise enough definition that made us feel comfortable to share with others. Okay, I'll say it's two parts. One, there's the direct piece, which is to be able to swap out a cryptographic algorithm and all of its components, certificates and other sorts of things when needed, as a result of a vulnerability or a cryptanalysis attack or some sort of reason for needing to switch this cryptographic infrastructure. But the other part is that cryptographic agility is a design principle. It's a maturity that you try to obtain today. None of us are cryptographically agile. If we had a switch, it'd be a one-off manual effort. The idea here is that the goal would be, over time, to build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business. That's the ultimate goal, and you have to design for that. That is not something that you can just wave a magic wand at or just ask one developer to do. This is an ecosystem, infrastructure, process, and people change to make this happen.
Brandon Karpf
So I think back to when I was doing cryptographic-type work and how many pieces of our technical and operational infrastructure were touched by our use of cryptology and cryptographic systems. So when you talk about crypto agility, I mean, what are some of these key challenges that organizations face in implementing a change like that? If there's a recent attack or something that affects the integrity of a cryptographic system, for an organization to actually change their use of a system or change their system entirely, what are they going to be confronted with?
Mike Silverman
Everything gets touched. When it starts to come to crypto agility, it is the code written in applications. If we're thinking digital signatures or asymmetric cryptography, we're thinking of all of those keys that need to be rotated or changed from the old to the new. There are questions. Do you preserve the old and put the new on top of that? Do you decrypt and then re-encrypt with the new? There are a lot of challenges to think about that way. There are certificates, and where you store these keys, and the parameters you use on these things. There's some consideration of the endpoint. Is this a point-of-sale device that's very limited in hardware, versus a full-blown server? Your point-of-sale systems may not be able to embrace the newest, latest, biggest algorithms that you want to use elsewhere in your ecosystem. I could keep going, but I think you get the idea. This is a very holistic sort of approach.
Brandon Karpf
This is hard. Yeah, this is hard. And so, you know, why now? What was the genesis? Right, sure, needing a definition of crypto agility, but why is the FS ISAC publishing this work today?
Mike Silverman
The biggest reason why we're starting now is, and it's FS ISAC's raison d'être, to preserve trust within the financial services sector. Our system is built on trust. Right? You need to know that as a customer of a financial institution, you put money in, you get the right amount of money back out. Institutions need to be able to trade with one another and know that they're going to take the other side of that trade, good or bad, you know, positive or negative. That's the only way this system works. Right. So, let me go back to the basics. We use cryptography for confidentiality, for integrity, for non-repudiation, for authentication. Right. Authenticity. The basics of that is all of those aspects help build to preserve the trust within the ecosystem. So introduce this attack vector of quantum computers. Now quantum computers have an amazing upside. They will help research and chemistry and risk analysis in many different dimensions, solving huge mathematical problems we can't do on classic computers today. There's the downside risk, though, which is when a quantum computer becomes sufficiently large, or a cryptographically relevant quantum computer, or CRQC, it will be able to factor huge prime numbers. And factoring huge prime numbers is the basis for asymmetric cryptography today. RSA is built on that. That is the public-private key and how we establish most web sessions today. If that gets compromised, essentially anyone could be listening in at the start of a web session and be monitoring that traffic going forward. And so for us, that is a huge problem, and we need to get ahead of it now. Financial services has been through quite a few cryptographic transitions before. Single DES to Triple DES, Triple DES to AES, RSA 1024 to 2048, right. There have been these things, but we have always been treating these as one-offs. Just get to the next one, and this algorithm will work for our lifetime. Get to the next one, this will work the lifetime.

And what we're realizing over and over and over again is we should not be taking that as fait accompli anymore. These transitions are going to keep coming, and the size of these transitions is just growing in speed, in complexity. The number of endpoints is growing, the amount of electronic transactions that occur versus physical transactions, the speed. Every transition has been bigger and bigger, exponentially bigger and bigger than the last one. And once we're realizing we can no longer take our algorithms to last 30 years, we need to think differently, and we need to design for the fact that these algorithms are going to change, which is a new concept for us. But we have to design for that. That's what cryptographic agility does: design, expect these things to maybe fail, so that we can preserve the trust within the ecosystem.
Brandon Karpf
I love that approach and that way of thinking, that let's make this modular. Let's build or design or engineer what you all have termed the crypto agility into our systems. Well, the report is Building Cryptographic Agility in the Financial Sector, published by the FS ISAC. We of course will have a link to that in the show notes. It's a great report. There is a lot in here. Mike, so great having you on the show. We will have you back soon.
Mike Silverman
Oh, my pleasure. Thank you so much for having me, friends.
Dave Bittner
That's Mike Silverman from the FS ISAC speaking to N2K executive editor Brandon Karpf.

And finally, in a bittersweet farewell, Firefox has decided to retire its Do Not Track, or DNT, feature in the latest version, signaling the final unraveling of an idealistic privacy movement born over a decade ago. Once hailed as the browser world's equivalent of a no trespassing sign, DNT was meant to give users a simple way to say hands off to advertisers. Sadly, it turns out that advertisers did not read the sign, or they just ignored it. Mozilla championed DNT early on, hoping the advertising industry would voluntarily respect user privacy preferences. But like a New Year's resolution to go to the gym, compliance waned. Other browsers, like Chrome and Edge, still offer the setting, although they admit it's mostly symbolic. Meanwhile, Apple abandoned Do Not Track years ago, pointing out it did more to enable tracking via fingerprinting than to stop it. So why the failure? No teeth. Without enforcement, Do Not Track was a polite suggestion in a world of ruthless data mining. Advertisers preferred to define their own privacy-friendly practices, and even industry pledges fizzled. Eventually, newer technologies like Global Privacy Control emerged, while users turned to VPNs and cookie blockers to navigate the tracking minefield. Mozilla's move to axe Do Not Track is less a tragedy and more a long overdue acknowledgement of reality. While people clearly value privacy, they've learned they can't rely on advertisers to protect it. The dream of Do Not Track may be dead, but the fight for privacy continues, just with sharper tools.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: Episode Summary – "When AI Goes Offline"
Release Date: December 12, 2024
Host/Author: N2K Networks
The December 12, 2024, episode of CyberWire Daily, hosted by Dave Bittner and produced by N2K Networks, covers a spectrum of pressing cybersecurity issues, from significant AI outages to emerging malware threats and critical vulnerabilities across major software platforms. The episode features discussions, an expert interview, and timely analyses for cybersecurity professionals and enthusiasts alike.
The episode opens with a discussion on the recent global outages affecting two of the tech giants in AI services: OpenAI's ChatGPT and Meta's suite of applications.
OpenAI's ChatGPT Outage: On Thursday morning, OpenAI's ChatGPT experienced a significant outage lasting nearly three hours, disrupting millions of users and businesses. This downtime impacted not only ChatGPT but also OpenAI's API and Sora platforms. The host notes the immediate user frustration, citing over 28,000 reports on Downdetector and widespread complaints on social media. OpenAI acknowledged the issue swiftly on X (Twitter), restoring full functionality by mid-morning.
Quote:
Dave Bittner [00:02]:
"The outage highlighted growing reliance on AI tools and the operational challenges posed by such disruptions."
Meta's Similar Disruption: Just a day prior, Meta faced widespread outages affecting Facebook, Instagram, WhatsApp, and Threads for several hours. These incidents collectively underscore the vulnerabilities inherent in digital infrastructure and the cascading impacts on global user bases.
Insights:
Advisers to President-elect Donald Trump are reconsidering the structural relationship between the U.S. Cyber Command (Cybercom) and the National Security Agency (NSA). Currently, both entities share leadership under a dual-hatted structure established in 2010.
Quote:
Dave Bittner [12:34]:
"Advisers to President-elect Donald Trump are revisiting plans to separate U.S. Cyber Command and the National Security Agency, currently led under a dual hat structure."
Key Points:
Conclusion:
As of now, the dual-hatted leadership structure remains unchanged, with ongoing discussions reflecting the complexities of cybersecurity governance.
The episode delves into several high-severity vulnerabilities affecting widely used software and the emergence of sophisticated malware.
Apache Struts 2 Vulnerability: A critical vulnerability with near-maximum severity has been disclosed in Apache Struts 2, enabling remote code execution via malicious file uploads. The flaw lacks a workaround, necessitating immediate patching to the latest version.
Quote:
Dave Bittner [14:21]:
"This vulnerability underscores risks, recalling Struts' role in the 2017 Equifax breach."
Microsoft Authquake Vulnerability: Oasis Security revealed "Authquake," a critical flaw in Microsoft's multifactor authentication (MFA) system, allowing attackers to bypass MFA protections. Exploiting this flaw required only the target's username and password, facilitating access to sensitive services like Outlook and Azure.
Quote:
Dave Bittner [17:27]:
"Oasis highlighted the severity given Microsoft's 400 plus million Office 365 seats."
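The Authquake summary above turns on one design detail: the code check was limited per session, so parallel sessions multiplied the guesses available inside a code's validity window, and the fix was a per-account limit with a lockout of about half a day. The following is an added example, not code from the episode, Oasis Security or Microsoft, showing the defensive property in a toy verifier: the failure budget is keyed on the account and shared by every session, so opening more sessions buys nothing. Thresholds, names and the sample code are assumptions for illustration.

```python
"""Per-account MFA attempt budgeting (added example, not from the page's sources)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict

CODE_SPACE = 10 ** 6            # 6-digit codes, as in the report
MAX_FAILURES = 10               # assumed per-account budget before lockout
LOCKOUT_SECONDS = 12 * 3600     # "approximately half a day"


def guess_success_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses include the one valid code.

    With no per-account budget, 500,000 attempts already reach 0.5; with
    MAX_FAILURES the figure is 1e-5 per lockout period."""
    return min(attempts, code_space) / code_space


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class MfaVerifier:
    # account -> code currently valid for it (constructed sample data; a real
    # system derives this from the TOTP secret and the validity window)
    valid_codes: Dict[str, str]
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def verify(self, account: str, session_id: str, code: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'.

        session_id is accepted so the call matches a real API, but the limiter
        ignores it on purpose: budgeting per session is the weakness the
        segment describes."""
        st = self.accounts.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"                     # nothing is compared while locked
        if hmac.compare_digest(code, self.valid_codes.get(account, "")):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:         # budget exhausted: lock the account
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return "denied"


def attempts_until_lockout(verifier: MfaVerifier, account: str, sessions: int) -> int:
    """Count how many wrong codes are actually compared when `sessions` parallel
    sessions each submit up to a full budget of guesses. The result is bounded
    by MAX_FAILURES regardless of how many sessions are opened."""
    checked = 0
    for s in range(sessions):
        for g in range(MAX_FAILURES):
            result = verifier.verify(account, f"session-{s}", f"{g:06d}", now=0.0)
            if result == "locked":
                return checked
            checked += 1
    return checked


if __name__ == "__main__":
    v = MfaVerifier(valid_codes={"alice": "482913"})   # constructed sample
    print("codes compared before lockout:", attempts_until_lockout(v, "alice", sessions=50))
    print("P(success) within one budget:", guess_success_probability(MAX_FAILURES))
```

Two details carry the security value: the lock check happens before any comparison, so a locked account does not even confirm a correct code, and the counter resets only on success or lockout, never on a new session.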
Nova Keylogger Malware: Security researchers identified "Nova," a sophisticated variant of the Snake keylogger malware. Built in VB.NET, Nova employs advanced data-stealing and evasion techniques, including process hollowing and heavily obfuscated code, to capture credentials, screenshots, and more.
Adobe's Critical Vulnerabilities: Adobe released updates addressing critical vulnerabilities across its product line, including Acrobat, Photoshop, Illustrator, and Substance 3D. These flaws, with CVSS scores up to 9.3, could enable remote code execution or privilege escalation, urging users to update immediately as no workarounds are available.
A report from cybersecurity firm Lookout exposes that Chinese law enforcement has been utilizing spyware, specifically "Eagle Message Spy," to collect extensive data from Android devices since 2017. Developed by Wuhan Chinasoft Token Information Technology, the spyware requires physical access to install and captures SMS, app communications, call logs, contacts, GPS data, as well as screen recordings and audio.
Quote:
Dave Bittner [19:04]:
"Eagle Message Spy's source code suggests a potential connection to surveillance tools like CarbonSteal, previously used to monitor minorities such as Uighurs and Tibetans."
Key Findings:
A new report by HP Wolf, titled "Securing the Device Lifecycle: From Factory to Fingertips," reveals significant gaps in hardware and firmware security management within global organizations. Surveying 6,000 workers and 800 IT/security decision-makers, the report highlights:
Quote:
Dave Bittner [20:34]:
"The report underscores the need for prioritizing hardware and firmware security to enhance resilience, sustainability and cost efficiency."
Key Issues Identified:
Recommendations:
Krispy Kreme encountered a cyberattack on November 29, disrupting its U.S. online ordering system while leaving in-person orders and deliveries unaffected. The attack significantly impacted digital sales, which constitute over 15% of the company's revenue, leading to a 2% drop in stock value following the incident.
Quote:
Dave Bittner [21:14]:
"Even donuts can't escape these sticky fingers of cybercriminals."
Impact and Response:
A significant portion of the episode features an interview with Mike Silverman, Chief Strategy and Information Officer at the FS ISAC, discussing the recently published report on cryptographic agility within the financial sector.
Understanding Cryptographic Agility: Cryptographic agility refers to the ability to swiftly and seamlessly replace cryptographic algorithms and components in response to vulnerabilities or advancements in cryptanalysis. It's both a capability and a design principle aimed at minimizing disruption during transitions.
Quote:
Mike Silverman [15:49]:
"Cryptographic agility is a design principle... to build the capability so that when you switch these cryptographic algorithms and infrastructure, you do so with no or very minimal disruption to the business."
Key Challenges:
Importance for Financial Services: FS ISAC emphasizes that preserving trust within the financial ecosystem necessitates robust cryptographic practices. With quantum computing on the horizon, the financial sector must adopt cryptographic agility to safeguard sensitive transactions and maintain operational integrity.
Quote:
Mike Silverman [19:17]:
"If quantum computers become sufficiently advanced, they could compromise the foundational cryptographic protocols like RSA, undermining the entire trust infrastructure of financial services."
Conclusion: The report advocates for financial institutions to integrate cryptographic agility into their security frameworks proactively, ensuring they are prepared for inevitable cryptographic transitions without compromising business continuity.
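The interview frames cryptographic agility as a design property rather than a one-off migration: the algorithm, its parameters and its keys must be replaceable without rewriting every call site, and old and new must coexist during a transition. The following is an added example, not FS-ISAC's code and not from the report, implementing that pattern with HMAC from the Python standard library. The two "algorithms" are just different hash choices standing in for the real transitions the interview names (DES to AES, RSA key sizes, classical to post-quantum). Every token names the algorithm and key it was made with, the verifier resolves both through a registry, and a policy says which algorithms are still accepted and which one new tokens use; introducing and later retiring an algorithm are policy changes, not code changes. Names, key ids and secrets are constructed for the example.

```python
"""Algorithm-agile message authentication (added example, not FS-ISAC's code)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Tuple

# Registry: algorithm id -> primitive. A new algorithm is added here once.
ALGORITHMS = {
    "HS256": hashlib.sha256,
    "HS512": hashlib.sha512,
}


@dataclass(frozen=True)
class CryptoPolicy:
    sign_alg: str                          # algorithm used for newly issued tokens
    sign_kid: str                          # key id used for newly issued tokens
    accept: FrozenSet[str]                 # algorithms a verifier still honours
    keys: Dict[str, Tuple[str, bytes]]     # key id -> (algorithm it is bound to, secret)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(policy: CryptoPolicy, payload: dict) -> str:
    """Issue header.payload.tag using the policy's current algorithm and key."""
    alg, secret = policy.keys[policy.sign_kid]
    if alg != policy.sign_alg:
        raise ValueError("signing key is not bound to the configured algorithm")
    header = {"alg": alg, "kid": policy.sign_kid}
    body = (_b64(json.dumps(header, sort_keys=True).encode()) + "."
            + _b64(json.dumps(payload, sort_keys=True).encode()))
    tag = hmac.new(secret, body.encode(), ALGORITHMS[alg]).digest()
    return body + "." + _b64(tag)


def open_sealed(policy: CryptoPolicy, token: str) -> Optional[dict]:
    """Verify a token and return its payload, or None if it is not acceptable."""
    try:
        h, p, t = token.split(".")
        header = json.loads(_unb64(h))
        alg, kid = header["alg"], header["kid"]
    except (ValueError, KeyError, TypeError):
        return None
    if alg not in policy.accept or alg not in ALGORITHMS or kid not in policy.keys:
        return None
    key_alg, secret = policy.keys[kid]
    if key_alg != alg:          # the key decides the algorithm, never the token header
        return None
    expected = hmac.new(secret, (h + "." + p).encode(), ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(expected, _unb64(t)):
        return None
    return json.loads(_unb64(p))


def introduce(policy: CryptoPolicy, alg: str, kid: str, secret: bytes) -> CryptoPolicy:
    """Transition step 1: issue with the new algorithm while still accepting the old."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    keys = dict(policy.keys)
    keys[kid] = (alg, secret)
    return replace(policy, sign_alg=alg, sign_kid=kid, accept=policy.accept | {alg}, keys=keys)


def retire(policy: CryptoPolicy, alg: str) -> CryptoPolicy:
    """Transition step 2: stop accepting the old algorithm and drop its keys."""
    if alg == policy.sign_alg:
        raise ValueError("cannot retire the algorithm still used for issuance")
    keys = {k: v for k, v in policy.keys.items() if v[0] != alg}
    return replace(policy, accept=policy.accept - {alg}, keys=keys)


if __name__ == "__main__":
    p1 = CryptoPolicy("HS256", "k1", frozenset({"HS256"}), {"k1": ("HS256", b"secret-one")})
    old = seal(p1, {"txn": 42})
    p2 = introduce(p1, "HS512", "k2", b"secret-two")   # both accepted, HS512 issued
    p3 = retire(p2, "HS256")                            # old tokens now rejected
    print(open_sealed(p2, old), open_sealed(p3, old))
```

The binding of each key id to one algorithm is what keeps the agility from becoming an algorithm-confusion hole: a token header cannot steer a key into a primitive it was not issued for, so the registry and policy, not the attacker, decide what is verified.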
In a bittersweet development, Firefox has officially retired its "Do Not Track" (DNT) feature with its latest browser version, marking the end of a decade-long privacy initiative.
Quote:
Dave Bittner [22:59]:
"The dream of Do Not Track may be dead, but the fight for privacy continues, just with sharper tools."
Background and Failure:
Emerging Alternatives:
Implications: Mozilla's decision to retire DNT reflects a pragmatic acceptance of its limitations and a pivot towards more effective privacy measures. It underscores the necessity for enforceable privacy standards rather than voluntary compliance from advertisers.
The episode of CyberWire Daily offers a comprehensive overview of the current cybersecurity landscape, highlighting the intricate challenges and evolving threats that organizations and individuals face. From the vulnerabilities in leading software platforms and the sophistication of emerging malware to the critical need for cryptographic agility in the financial sector and the shifting paradigms in privacy protection, the discussions provide valuable insights into safeguarding digital assets in an increasingly interconnected world.
For those seeking to stay informed and ahead in the realm of cybersecurity, this episode serves as an essential briefing on the latest developments and strategic considerations shaping the industry.
For more detailed information on the topics discussed, listeners are encouraged to visit CyberWire Daily and access the full transcripts and reports referenced in this summary.