Security Leftovers
-
CISA and NSA Publish Open Radio Access Network Security Considerations [Ed: But NSA is pursuing back doors in everything, which is the exact opposite of security]
CISA and the National Security Agency (NSA) have published Open Radio Access Network Security Considerations. This product, generated by the Enduring Security Framework (ESF) Open Radio Access Network (RAN) Working Panel, a subgroup within the cross-sector working group, assessed the benefits and security considerations associated with implementing an Open RAN architecture. Focusing on current designs and specification standards, the ESF Open RAN Working Panel examined how security compares with, and is distinct from, traditional, proprietary RANs.
-
The Rust Programming Language Blog: Const Eval (Un)Safety Rules [Ed: Rust is not about security; Rust itself is a security risk. More complexity, more bugs, more threats to security.]
In a recent Rust issue (#99923), a developer noted that the upcoming 1.64-beta version of Rust had started signalling errors on their crate, icu4x. The icu4x crate uses unsafe code during const evaluation. Const evaluation, or just "const-eval", runs at compile-time but produces values that may end up embedded in the final object code that executes at runtime.
Rust's const-eval system supports both safe and unsafe Rust, but the rules for what unsafe code is allowed to do during const-eval are even more strict than what is allowed for unsafe code at runtime. This post is going to go into detail about one of those rules.
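The excerpt above says const-eval accepts unsafe Rust but polices it more strictly than runtime code. The following is an added example, not code from the Rust blog post or from the icu4x crate, showing what that looks like in practice: two `const fn`s that use `unsafe` and are evaluated entirely at compile time, so `MAGIC` and `BANNER` are baked into the binary, alongside one runtime-only operation. The function and constant names are this example's own. The specific rule the post goes on to discuss (const-eval refuses to turn a pointer into an integer, because a compile-time pointer has no concrete address yet) is not stated on this page; it is taken from the post itself, and the example keeps that cast in a non-`const` function so the block compiles.

```rust
// Added example (not from the Rust blog post or from icu4x): unsafe code that
// runs under const-eval. Everything marked `const` here is computed by the
// compiler and embedded in the object code; the unsafe blocks are still
// checked by the const evaluator, under rules stricter than runtime unsafe.

use core::mem::transmute;

/// Reinterpret a u32 as its little-endian bytes at compile time.
/// `transmute` between two plain integer/array types of equal size is
/// something const-eval is willing to do.
pub const fn u32_to_le_bytes(x: u32) -> [u8; 4] {
    // SAFETY: u32 and [u8; 4] have the same size and alignment requirements
    // that [u8; 4] can satisfy, and every bit pattern is valid for both.
    // `to_le()` makes the result byte-order independent of the build host.
    unsafe { transmute(x.to_le()) }
}

/// Evaluated once, at compile time: the ELF magic "\x7fELF" as bytes.
pub const MAGIC: [u8; 4] = u32_to_le_bytes(0x464C_457F);

/// Build a &str at compile time while skipping the runtime UTF-8 check.
/// The loop proves to the const evaluator (and the reader) that the skipped
/// check would have passed: every byte is 7-bit ASCII.
pub const fn ascii_str(bytes: &[u8]) -> &str {
    let mut i = 0;
    while i < bytes.len() {
        // A failed assert here is a compile error, not a runtime panic.
        assert!(bytes[i] < 0x80);
        i += 1;
    }
    // SAFETY: all bytes are < 0x80, so the slice is valid single-byte UTF-8.
    unsafe { core::str::from_utf8_unchecked(bytes) }
}

/// Also evaluated at compile time.
pub const BANNER: &str = ascii_str(b"const-eval ok");

/// A pointer-to-integer cast. This is ordinary unsafe-adjacent runtime code,
/// but the same cast inside a `const` is rejected by const-eval: the pointer
/// has no concrete address until the program is linked and loaded, so the
/// evaluator cannot produce an integer for it. (Rule from the blog post,
/// not from this page.)
pub fn addr_of_first(bytes: &[u8]) -> usize {
    bytes.as_ptr() as usize
}

fn main() {
    println!("MAGIC  = {:02x?}", MAGIC);
    println!("BANNER = {}", BANNER);
    println!("addr   = {:#x}", addr_of_first(BANNER.as_bytes()));
}
```

Compiling this with `rustc` is itself the check: `MAGIC` and `BANNER` never execute at runtime, and any assertion failure inside `ascii_str` surfaces as a compile-time error at the `const` definition.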
-
Department of Commerce Gives Industry What it asked for Regarding the Entity List - ConsortiumInfo.org
The U.S. Department of Commerce Bureau of Industry and Security (BIS) added Chinese 5G technology giant Huawei to its Entity List more than three years ago. The immediate result was the spread of uncertainty and doubt among the hundreds of standards setting organizations (SSOs) in which Huawei participated as well as throughout the multitudes of U.S. companies who participated in those organizations. The reason was that the rules bar U.S. companies from disclosing a broad array of technology to Entity List companies, and that’s what can happen in standards working groups. Many SSOs either refused or failed to make adequate changes to their operations to fit within the vague exemptions available to avoid the concern. In consequence, many American companies believed they needed to drop out of SSOs creating the standards those companies most wanted to influence.
On September 9, following several prior BIS releases of interim guidance and the submission of ongoing comments and requests for relief from industry (many of which we facilitated), the Department of Commerce and BIS have finally released a new Interim Final Rule that provides virtually everything commenters have asked for, and in language that in most cases is clear and actionable. While complexities and nuances remain (e.g., relating to the type of technical work being undertaken) that will still require legal analysis, the good news is that the way is clear for most SSOs to allow any Entity List company to fully participate in standards development, as well as in related activities such as conformance assessment.
-
CISA Adds Six Known Exploited Vulnerabilities to Catalog
CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.