Merlin Labs Memo -- Week of April 1-5
Merlin Cyber
Merlin is your trusted source for best-in-class, innovative and emerging cyber solutions for the U.S. public sector.
Lava Lamps: A Cool Twist on Cybersecurity
Diving into cybersecurity, one would scarcely connect lava lamps with a line of defense. Yet Cloudflare, a leader in digital security, has put these retro items to work. What stands out is that their function goes well beyond looks.
In Cloudflare's lively San Francisco office sits a fascinating array of lava lamps. They aren't merely decorative; they are key to protecting countless websites. So, what are they really doing? They are at the core of generating strong encryption keys. Where the norm has been to rely on complex algorithms alone for such tasks, Cloudflare draws on the physical randomness offered by the lamps.
The operation is intriguing: cameras continually capture the unpredictable wax flow inside the lamps, and that randomness is turned into encryption keys. The principle is simple: the more random the input, the harder it is for adversaries to crack the resulting keys.
Using lava lamps for cybersecurity breaks away from the conventional approach, which relies predominantly on mathematical algorithms that, despite their complexity, carry the risk of being worked out by astute attackers. The chaotic behavior of a lava lamp, by contrast, introduces a unique level of security.
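To make the mechanism above concrete, here is an added example, written for this memo and not Cloudflare's own code, of how unpredictable camera frames can be conditioned into key material. The frame bytes are a constructed stand-in for lamp images; the scheme hashes each frame into a running pool, mixes that pool with operating-system entropy through an HKDF-style extract/expand step (HMAC-SHA256, implemented inline), and includes a simple stuck-camera check, since a frozen feed is the failure mode a defender most needs to catch. The function names and the "frames never used raw, never the sole source" design are this example's assumptions, not a description of Cloudflare's implementation.

```python
"""Added example (not Cloudflare's code): conditioning camera-frame bytes into keys."""
import hashlib
import hmac
import os

# Constructed stand-ins for three consecutive camera frames of a lava lamp.
# Real frames would be far larger and come from a capture device.
SAMPLE_FRAMES = [bytes((i * 7 + k) % 256 for i in range(1024)) for k in range(3)]


def condition_frame(frame: bytes, pool: bytes = b"") -> bytes:
    """Fold one frame into a 32-byte pool using SHA-256.

    Raw pixels are never used as a key directly: images are biased (large
    uniform regions, encoder structure), so each frame is hashed down to a
    fixed-size digest and chained with the previous pool state.
    """
    h = hashlib.sha256()
    h.update(pool)
    h.update(len(frame).to_bytes(4, "big"))  # length prefix avoids ambiguity
    h.update(frame)
    return h.digest()


def frame_changed(previous_digest: bytes, current_digest: bytes) -> bool:
    """Health check: a camera that returns the same image twice is stuck
    (lens covered, feed frozen) and must not be credited with new entropy.
    """
    return not hmac.compare_digest(previous_digest, current_digest)


def derive_key(pool: bytes, os_entropy: bytes, context: bytes, length: int = 32) -> bytes:
    """Derive `length` bytes with an HKDF-style extract-then-expand (HMAC-SHA256).

    The lamp-derived pool is the input keying material and OS entropy is the
    salt, so the camera is an additional source, never the only one: even if
    every frame were predictable, the output stays as strong as os_entropy.
    """
    prk = hmac.new(os_entropy, pool, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + context + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def harvest(frames, os_entropy: bytes, context: bytes) -> tuple[bytes, int]:
    """Run frames through the health check and pool, then derive a key.

    Returns (key, number_of_frames_rejected_as_stuck).
    """
    pool, last_digest, rejected = b"", None, 0
    for frame in frames:
        digest = hashlib.sha256(frame).digest()
        if last_digest is not None and not frame_changed(last_digest, digest):
            rejected += 1  # stuck frame: do not credit it as entropy
            continue
        last_digest = digest
        pool = condition_frame(frame, pool)
    return derive_key(pool, os_entropy, context), rejected


if __name__ == "__main__":
    key, bad = harvest(SAMPLE_FRAMES + [SAMPLE_FRAMES[-1]], os.urandom(32), b"tls-session")
    print(f"derived key: {key.hex()}  (stuck frames rejected: {bad})")
```

The important design point is in `derive_key`: the lamps add entropy on top of the operating system's generator rather than replacing it, so a compromised or frozen camera degrades gracefully instead of handing out predictable keys.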
Our Take: Cloudflare's creative leap in using lava lamps for cybersecurity reminds us that innovation often stems from the least expected places. Thanks to the unpredictable wax movements in a lamp, users of Cloudflare's services can enjoy a heightened sense of security.
Moreover, this approach illustrates the mix of old and new elements with modern-day challenges, leading to creative solutions. Cloudflare's strategy isn't just about using old-school cool for security; it's a declaration of their innovative spirit and dedication to customer safety.
Amidst a world full of digital threats, Cloudflare's method emerges as a refreshing strategy, focusing on protecting data through methods as unpredictable as the behavior of a lava lamp. This blend of creativity, scientific insight, and commitment to security distinguishes Cloudflare, signaling a new direction in pursuing a safer digital domain. – Daniel McGregor
Additional Reading:
20240404 - CSRB Provides Hard, Honest Look at Microsoft Exchange Online Breach
The Cyber Safety Review Board (CSRB) recently published its findings regarding the Microsoft Exchange Online breach of 2023 (link below). It makes for a very interesting read, and I recommend very much that interested persons take the time to go through it. What is important is that it does point out security issues within Microsoft in multiple areas, both internally and customer-facing.
The findings should not be seen as specific to Microsoft. This is a warning for all cloud service providers that they must all take security with deep seriousness, as there are massive consequences for failing to protect sensitive data in their hands. In this regard, the CSRB is fulfilling its intended role to be the cyber-equivalent of the National Transportation Safety Board (NTSB), in that it makes recommendations for an entire industry out of observations from failure conditions in security incidents.
Our Take: Microsoft, sadly, has had some deep and profound flaws in both how its software is secured as well as its more fundamental security culture. The leadership at Microsoft is aware of the situation and fully cooperated with the CSRB, an indication that the executives there would like things to be different. While Microsoft may seem “too big to fail”, that’s a short-sighted view of what market erosion from competitors could accomplish in a relatively short time, should Microsoft be unable to retain customers who defect due to security concerns. To remain relevant, Microsoft simply must become more secure, top to bottom, left to right.
More to the point, there are a number of areas regarding the breach that involve unknowns because, even though they could have been tracked, they were not being tracked. This speaks to the need for organizations to consider layered defenses with multiple vendors, so that a failure in one can be backstopped by overlapping coverage from others.
There were other aspects of the breach that could be traced back to devices and personnel that became part of Microsoft through mergers and acquisitions. Microsoft is not the only company in the IT space that is involved in M&A activity, so this is a warning beacon to other firms that they need to be sure their onboarding of new assets is not just done on a corporate timetable, but one with consideration for security as an integral part.
CSRB also calls out the need for all vendors to open up metrics needed for security in all levels of licensing. Just as we don’t have an option to purchase a car without seat belts or brakes, we should not have an option to purchase software or hardware that has the data necessary for security locked behind a licensing level.
Finally, the CSRB called out a suspension of Microsoft’s own security policy due to a business need. While I understand that officers of a corporation have a fiduciary duty to maximize profits for shareholders, the CSRB has made it clear that those same officers have a public duty to ensure that security measures are not paused or halted for the sake of profits, if they plan to retain government contracts. Rarely in negotiations is the carrot also the stick, but we certainly do see that as the case here. – Dean Webb
Additional Reading:
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected] . Thank you!