Software developer at a big library, cyclist, photographer, hiker, reader. Email: chris@improbable.org

Cheap Auto Insurance Is a Thing of the Past. Here Are Five Reasons Why - Bloomberg

1 public comment
denismm
3 hours ago
> Today’s cars are packed with high-tech gadgetry meant to entertain, comfort and protect occupants. The array of safety equipment now common on cars includes automatic emergency braking, blind-spot detection and lane departure warnings. To give drivers eyes in the back of their head, automotive engineers have embedded cameras, sonar and radar sensors from bumper to bumper. All that technology has driven up the cost of repairing even a minor fender bender.

So they’ve made it more expensive to repair but have all of those features made accidents less likely? (I couldn’t read the rest of the article.)

USC bans pro-Palestinian valedictorian from speaking at graduation - Los Angeles Times


Saying “tradition must give way to safety,” the University of Southern California on Monday made the unprecedented move of barring an undergraduate valedictorian who has come under fire for her pro-Palestinian views from giving a speech at its May graduation ceremony.

The move, according to USC officials, is the first time the university has banned a valedictorian from the traditional chance to speak onstage at the annual commencement ceremony, which typically draws more than 65,000 people to the Los Angeles campus.

In a campuswide letter, USC Provost Andrew T. Guzman cited unnamed threats that have poured in shortly after the university publicized the valedictorian’s name and biography this month. Guzman said attacks against the student for her pro-Palestinian views have reached an “alarming tenor” and “escalated to the point of creating substantial risks relating to security and disruption at commencement.”

“After careful consideration, we have decided that our student valedictorian will not deliver a speech at commencement. ... There is no free-speech entitlement to speak at a commencement. The issue here is how best to maintain campus security and safety, period,” Guzman wrote.

The student, whom the letter does not name, is biomedical engineering major Asna Tabassum. USC officials chose Tabassum from nearly 100 student applicants who had GPAs of 3.98 or higher.

But after USC President Carol Folt announced her selection, a swarm of on- and off-campus groups attacked Tabassum. They targeted her minor, resistance to genocide, as well as her pro-Palestinian views and “likes” expressed through her Instagram account.

We Are Tov, a group that uses the Hebrew word for “good” and describes itself as “dedicated to combating antisemitism,” posted Tabassum’s image on its Instagram account and said she “openly promotes antisemitic writings.” The group also criticized Tabassum for liking Instagram posts from “Trojans for Palestine.” Tabassum’s Instagram bio links to a landing page that says “learn about what’s happening in Palestine, and how to help.”

The campus group Trojans for Israel also posted on its Instagram account, calling for Folt’s “reconsideration” of Tabassum for what it described as her “antisemitic and anti-Zionist rhetoric.” The group said Tabassum’s Instagram bio linked to a page that called Zionism a “racist settler-colonial ideology.”

In a statement, Tabassum opposed the decision, saying USC has “abandoned” her.

“Although this should have been a time of celebration for my family, friends, professors, and classmates, anti-Muslim and anti-Palestinian voices have subjected me to a campaign of racist hatred because of my uncompromising belief in human rights for all,” said Tabassum, who is Muslim.

“This campaign to prevent me from addressing my peers at commencement has evidently accomplished its goal: today, USC administrators informed me that the university will no longer allow me to speak at commencement due to supposed security concerns,” she wrote.

“I am both shocked by this decision and profoundly disappointed that the university is succumbing to a campaign of hate meant to silence my voice. I am not surprised by those who attempt to propagate hatred. I am surprised that my own university—my home for four years—has abandoned me.”

In an interview, Guzman said the university has been “in close contact with the student” and would “provide her support.” He added that “we weren’t seeking her opinion” on the ban.

“This is a security decision,” he said. “This is not about the identity of the speaker, it’s not about the things the valedictorian has said in the past. We have to put as our top priority ensuring that the campus and community is safe.”

Another campus official who was part of the decision, Erroll Southers, said threats came in via email, phone calls and letters. Southers is USC’s associate senior vice president for safety and risk assurance.

Individuals “say they will come to campus as early as this week,” Southers said. He did not elaborate.

Pro-Palestinian groups, including the Los Angeles chapter of the Council on American-Islamic Relations, have called for USC to reinvite Tabassum to speak.

“USC cannot hide its cowardly decision behind a disingenuous concern for ‘security,’” CAIR-LA Executive Director Hussam Ayloush said in a statement.

In another statement, the USC Palestine Justice Faculty Group said it “unequivocally rejects” Tabassum being uninvited.

“The provost’s action is another example of USC’s egregious pattern of supporting anti-Palestinian and anti-Muslim racism,” the group said.

Times staff writers Jenna Peterson and Angie Orellana Hernandez contributed to this report.

1 public comment
acdha
8 hours ago
I’m sure all of the old people who were so concerned about freedom of speech on campus will be protesting this. Any minute now. Maybe they need time to finish writing their properly scathing NYT editorials first.

How Do You Say ‘Danger’ in Sperm Whale Clicks?


This is part one of a two-part series. Read part two here.

Sperm whales don’t sing melodious, moaning whale songs like their humpback cousins. The biggest predator on the planet communicates in clicks, called codas. Some compare the sounds to popping popcorn or frying bacon in a pan. For CUNY biologist David Gruber, it resembles “morse code or techno music.” 

Gruber, the founding president of Project CETI, the Cetacean Translation Initiative, often listens for hours in his New York office to the sperm whale chats his team has recorded in the Eastern Caribbean.

Sperm whale birth seen from above in the Eastern Caribbean.
Project CETI records sperm whale codas around the Eastern Caribbean island of Dominica. Courtesy of Project CETI

CETI focuses on sperm whales for several reasons. One reason is that it can build on the audio recordings that whale biologist Shane Gero has already been collecting for 15 years with the Dominica Sperm Whale Project. Gero was able to show that sperm whale families have different dialects, much like British and American English. “Another reason is that the sperm whale has been vilified as a killer, Moby Dick as a leviathan,” Gruber says. “Meanwhile it could be one of the most intelligent, sophisticated communicators on the planet.”

While the humpback whales sing their soprano songs primarily for mating, sperm whales are communicating to socialize and exchange information. CETI has already discovered that the communication patterns are complex. “Their codas are clicks, they are like ones and zeros, which is very good for cryptographers,” Gruber explains. “The combination of advanced machine learning and bioacoustics is slated to be the next microscope or telescope in terms of our ability to really listen more deeply and understand life at a new level.”

CETI’s team operates a giant whale-recording platform from a 40-foot sailboat off the coast of Dominica, a volcanic island in the Caribbean with a stable sperm whale population. Both by tagging the whales and installing whale listening stations with microphones dangling deep down into the ocean on floating buoys, CETI is recording several terabytes of data every month. The scientists are creating a three-dimensional interactive map of the whales within a 20-kilometer radius, combining sounds with data such as the whales’ heart rates. 

The post How Do You Say ‘Danger’ in Sperm Whale Clicks? appeared first on Reasons to be Cheerful.

1 public comment
cjheinz
4 days ago
Wow, whale speech!

Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects – Open Source Security Foundation


By Robin Bender Ginn, Executive Director, OpenJS Foundation; and Omkhar Arasaratnam, General Manager, Open Source Security Foundation

The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security (OpenSSF) and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.

Failed Credible Takeover Attempt

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.  

None of these individuals have been given privileged access to the OpenJS-hosted project. The project has security policies in place, including those outlined by the Foundation’s security working group.

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.

Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source.

Suspicious patterns in social engineering takeovers:

  • Friendly yet aggressive and persistent pursuit of maintainer or their hosted entity (foundation or company) by relatively unknown members of the community.
  • Request to be elevated to maintainer status by new or unknown persons.
  • Endorsement coming from other unknown members of the community who may also be using false identities, also known as “sock puppets.”
  • PRs containing blobs as artifacts.
    • For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, as opposed to source code.
  • Intentionally obfuscated or difficult to understand source code.
  • Gradually escalating security issues.
    • For example, the XZ issue started off with a relatively innocuous replacement of safe_fprintf() with fprintf() to see who would notice.
  • Deviation from typical project compile, build, and deployment practices that could allow the insertion of external malicious payloads into blobs, zips, or other binary artifacts.
  • A false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.

These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them. Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.

Social engineering attacks like the ones we have witnessed with XZ/liblzma were successfully averted by the OpenJS community. These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering. In the short term, clearly and transparently sharing suspicious activity like those we mentioned above will help other communities stay vigilant. Ensuring our maintainers are well supported is the primary deterrent we have against these social engineering attacks.
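The alert notes that these attacks are hard to detect programmatically, but two of the listed patterns, blobs as artifacts and obfuscated source, can at least be surfaced for a human reviewer. The following is an added example, not OpenSSF or OpenJS code; its thresholds, the file extensions and the constructed sample changeset are assumptions.

```javascript
// Added example, not OpenSSF/OpenJS code: a pre-merge helper that flags the alert's
// "PRs containing blobs as artifacts" and "intentionally obfuscated source" patterns.
// It works on {path, content} pairs (content as a Buffer), so it needs no git or network.
const SOURCE_EXT = new Set([".js", ".mjs", ".cjs", ".ts", ".json", ".sh", ".c", ".h"]);

// Shannon entropy in bits per byte; compressed or encrypted data sits near 8.
function shannonEntropy(buf) {
  if (buf.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Same heuristic git uses for its text/binary decision: a NUL byte in the first 8 KB.
function looksBinary(buf) {
  return buf.subarray(0, 8000).includes(0);
}

// Crude obfuscation signal: a very long line, or _0x1a2b-style identifiers. Thresholds are assumptions.
function looksObfuscated(text) {
  const longestLine = Math.max(...text.split("\n").map((l) => l.length));
  const hexIdents = (text.match(/\b_0x[0-9a-f]{4,}\b/g) || []).length;
  return longestLine > 500 || hexIdents > 3;
}

// Returns [{ path, reasons: [...] }] for every changed file that needs a human look.
function reviewChangedFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    const dot = path.lastIndexOf(".");
    const ext = dot >= 0 ? path.slice(dot) : "";
    const reasons = [];
    if (looksBinary(content)) {
      reasons.push("binary content (not human-readable)");
    } else if (SOURCE_EXT.has(ext) && looksObfuscated(content.toString("utf8"))) {
      reasons.push("obfuscated or minified source");
    }
    if (content.length > 1024 && shannonEntropy(content) > 7.5) {
      reasons.push("high entropy (compressed or encrypted data)");
    }
    // The XZ payload hid in the test suite, so opaque files there deserve extra scrutiny.
    if (reasons.length > 0 && /(^|\/)(test|tests|fixtures)\//.test(path)) {
      reasons.push("under test fixtures, where the XZ backdoor was hidden");
    }
    if (reasons.length > 0) findings.push({ path, reasons });
  }
  return findings;
}

// Constructed sample changeset: a clean source file, an opaque test fixture (every byte
// value 0..255 repeated, so entropy is exactly 8 bits) and a file with an obfuscator-style line.
const SAMPLE_CHANGES = [
  { path: "lib/index.js", content: Buffer.from("module.exports = (a, b) => a + b;\n") },
  { path: "tests/fixtures/sample.bin", content: Buffer.from(Array.from({ length: 4096 }, (_, i) => i % 256)) },
  { path: "src/util.js", content: Buffer.from("var _0x4a3b=['a','b'];" + "x".repeat(600) + "\n") },
];
const REVIEW_REPORT = reviewChangedFiles(SAMPLE_CHANGES);
```

Such a check only routes files to a reviewer; it cannot judge intent, which is why the alert's advice about knowing your committers still applies.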

Steps to help secure your open source project:

Beyond the patterns above, there are a number of security best practices that can improve the security properties of our projects. While these recommendations will not thwart a persistent social engineering attack, they may help improve the overall security posture of your project.

  • Consider following industry-standard security best practices such as OpenSSF Guides.
  • Use strong authentication.
    • Enable two-factor authentication (2FA) or Multifactor Authentication (MFA). 
    • Use a secure password manager.
    • Preserve your recovery codes in a safe, preferably offline place.  
    • Do not reuse credentials/passwords across different services.
  • Have a security policy including a “coordinated disclosure” process for reports.
  • Use best practices for merging new code.
    • Enable branch protections and signed commits. 
    • If possible, have a second developer conduct code reviews before merging, even when the PR comes from a maintainer.
    • Enforce readability requirements to ensure new PRs are not obfuscated, and use of opaque binaries is minimized. 
    • Limit who has npm publish rights.
    • Know your committers and maintainers, and do a periodic review. Have you seen them in your working group meetings or met them at events, for example?
  • If you run an open source package repository, consider adopting Principles for Package Repository Security.
  • Review “Avoiding social engineering and phishing attacks” from CISA and/or “What is ‘Social Engineering’” from ENISA.

Steps for industry and government to help secure critical open source infrastructure:

Sustaining a stable and secure open source project puts pressure on maintainers. For example, many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies that depend on these community-led projects yet contribute very little back.

To solve a problem of this scale, we need vast resources and public/private international coordination. There is already great work underway by the following organizations:

Open source foundations:

The Linux Foundation family of foundations and other similar organizations like ours can help provide a safety net for open source projects. Maintainers often lack the time, people and expertise in areas such as security. Neutral foundations help support the business, marketing, legal and operations behind hundreds of open source projects that so many rely upon. Our goal is to remove any friction outside of coding to support our maintainers and help their projects grow. As vendor-neutral nonprofits, we are uniquely positioned to offer expertise garnered from multiple stakeholders represented in our organizations.

On security, our open source foundations have found that the most effective approach is to provide technical assistance and direct support to open source projects.

Alpha-Omega, an associated project of the OpenSSF funded by Microsoft, Google, and Amazon, funds critical projects and ecosystems. The project aims to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly. The OpenJS Foundation has experienced how funding developers for security has a proven impact through Alpha-Omega investments in Node.js and jQuery.

Sovereign Tech Fund:  

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is providing the OpenJS Foundation and more open source organizations significant funding to strengthen infrastructure and security. 

They have built a model with detailed reporting and accountability of resources, yet at the same time, have technical expertise on staff to customize security proposals for the variety of open source projects they fund.

It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in critical open source infrastructure through the Sovereign Tech Fund. 

We are advocating for more global public investment in initiatives like the Sovereign Tech Fund to invest in the global open source that society depends on, complementary to private funding. We recommend that public institutions learn from, adapt and coordinate with Germany’s Sovereign Tech Fund to support our interconnected open source projects and shared digital economies.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by corporate and end-user members, including GoDaddy, Google, HeroDevs, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

About the Authors

Robin Bender Ginn is the Executive Director of the OpenJS Foundation, the neutral home to drive broad adoption and ongoing development of key JavaScript and web technologies. She also serves on the leadership team at the Linux Foundation. Robin has led major initiatives advancing open source technologies, community development, and open standards. Previously, Robin spent more than 10 years at Microsoft where she was at the forefront of the company’s shift to openness.

Omkhar Arasaratnam is the General Manager of the Open Source Security Foundation (OpenSSF). He is a veteran cybersecurity and technical risk management executive with more than 25 years of experience leading global organizations. Omkhar began his career as a strong supporter of open source software as a PPC64 maintainer for Gentoo and contributor to the Linux kernel, and that enthusiasm for OSS continues today. Before joining the OpenSSF, he led security and engineering organizations at financial and technology institutions, such as Google, JPMorgan Chase, Credit Suisse, Deutsche Bank, TD Bank Group, and IBM. As a seasoned technology leader, he has revolutionized the effectiveness of secure software engineering, compliance, and cybersecurity controls. He is also an accomplished author and has led contributions to many international standards. Omkhar is also a NYU Cyber Fellow Advisory Council member and a Senior Fellow with the NYU Center for Cybersecurity where he guest lectures Applied Cryptography.


Right-Wing Media Are in Trouble - The Atlantic


Trump Appears to Fall Asleep in Courtroom Ahead of Criminal Trial
