Microsoft

Microsoft's Surface Pro X Cameras Have Suddenly Stopped Working (theverge.com) 45

Microsoft's ARM-based Surface Pro X tablet is not having a good time, and neither are its owners. From a report: According to multiple reports, the tablet's cameras stopped working out of the blue, showing a cryptic error when trying to launch the Windows Camera app or other software: "Something went wrong. If you need it, here's the error code: 0xA00F4271 (0x80004005)."

The first thing that comes to the user's mind when experiencing issues like this is reinstalling the corresponding driver. However, this is not true with Surface Pro X's botched cameras. Affected customers say removing and installing camera drivers on the Surface Pro X has no effect and leaves them stranded, unable to join video calls, take pictures, and perform other camera-related tasks. More importantly, the bug also breaks facial recognition, forcing customers to use their PIN codes instead.

Security

Brute-Force Test Attack Bypasses Android Biometric Defense (techxplore.com) 35

schwit1 shares a report from TechXplore: Chinese researchers say they successfully bypassed fingerprint authentication safeguards on smartphones by staging a brute force attack. Researchers at Zhejiang University and Tencent Labs capitalized on vulnerabilities of modern smartphone fingerprint scanners to stage their break-in operation, which they named BrutePrint. Their findings are published on the arXiv preprint server.

A flaw in the Match-After-Lock feature, which is supposed to bar authentication activity once a device is in lockout mode, was overridden to allow a researcher to continue submitting an unlimited number of fingerprint samples. Inadequate protection of biometric data stored on the Serial Peripheral Interface of fingerprint sensors enables attackers to steal fingerprint images. Samples also can be easily obtained from academic datasets or from biometric data leaks.

And a feature designed to limit the number of unsuccessful fingerprint matching attempts -- Cancel-After-Match-Fail (CAMF) -- has a flaw that allowed researchers to inject a checksum error disabling CAMF protection. In addition, BrutePrint altered illicitly obtained fingerprint images to appear as though they were scanned by the targeted device. This step improved the chances that images would be deemed valid by fingerprint scanners. To launch a successful break-in, an attacker requires physical access to a targeted phone for several hours, a printed circuit board easily obtainable for $15, and access to fingerprint images.

Windows

28 Years Later, Windows Finally Supports RAR Files (techcrunch.com) 110

An anonymous reader shares a report: Then, at some point, someone at Microsoft must have gotten fed up with rushing their .rar operations the way I have for 20 years and thought, there must be a better way. And so, under the subheading of "Reducing toil," we have a few helpful UI updates, then casually and apropos of nothing, this:

"In addition... We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows."

Encryption

Leaked Government Document Shows Spain Wants To Ban End-to-End Encryption (wired.com) 76

An anonymous reader quotes a report from Wired: Spain has advocated banning encryption for hundreds of millions of people within the European Union, according to a leaked document obtained by WIRED that reveals strong support among EU member states for proposals to scan private messages for illegal content. The document, a European Council survey of member countries' views on encryption regulation, offered officials' behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe. The proposed law would require tech companies to scan their platforms, including users' private messages, to find illegal material. However, the proposal from Ylva Johansson, the EU commissioner in charge of home affairs, has drawn ire from cryptographers, technologists, and privacy advocates for its potential impact on end-to-end encryption.

For years, EU states have debated whether end-to-end encrypted communication platforms, such as WhatsApp and Signal, should be protected as a way for Europeans to exercise a fundamental right to privacy -- or weakened to keep criminals from being able to communicate outside the reach of law enforcement. Experts who reviewed the document at WIRED's request say it provides important insight into which EU countries plan to support a proposal that threatens to reshape encryption and the future of online privacy. Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain's position emerging as the most extreme. "Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document. The source of the document declined to comment and requested anonymity because they were not authorized to share it.

In its response, Spain said it is "imperative that we have access to the data" and suggests that it should be possible for encrypted communications to be decrypted. Spain's interior minister, Fernando Grande-Marlaska, has been outspoken about what he considers the threat posed by encryption. When reached for comment about the leaked document, Daniel Campos de Diego, a spokesperson for Spain's Ministry of Interior, says the country's position on this matter is widely known and has been publicly disseminated on several occasions. Edging close to Spain, Poland advocated in the leaked document for mechanisms through which encryption could be lifted by court order and for parents to have the power to decrypt children's communications.

Several other countries say they would give law enforcement access to people's encrypted messages and communications. "Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge," says Ella Jakubowska, a senior policy advisor at European Digital Rights (EDRI) who reviewed the document. "They are seeing this law is going far beyond what DG home is claiming that it's there for."

Security

Four Accused of Violating German Law in Turkish Spyware Deal (bloomberg.com) 3

A prosecutor in Germany has indicted former executives of surveillance technology company FinFisher GmbH, accusing them of unlawfully supplying the Turkish secret services with spyware that could be used to hack into phones and computers. From a report: In an announcement on Monday, a spokesperson for the Munich Public Prosecutor's Office said that the office had carried out an "extensive and complex" investigation of the company following searches of 15 properties. Four of the company's managing directors had violated foreign trade laws, according to the prosecutor's office. The prosecutor's office named the indicted directors only as "G," "H," "T" and "D." FinFisher, prosecutors say, signed a contract in January 2015 worth $5.4 million to supply spyware to Turkey's National Intelligence Organization, but did not receive the necessary export approval from German authorities. Instead, company executives sought to conceal the deal by transferring the technology through another company they had established in Bulgaria, according to the prosecutor, though all business activities were still controlled and coordinated out of Munich.

Violations of export licensing requirements under Germany's Foreign Trade and Payments Act can be punishable with a prison sentence of between three months and five years. The prosecutor's office pointed to a particular provision of the law that states a prison sentence of not less than one year shall be imposed if a person is found to have acted for the secret service of a foreign power. The Munich prosecutor began investigating FinFisher in the summer of 2019, after a coalition of advocacy groups filed a criminal complaint against the company, alleging that it had supplied its spyware to Turkey without obtaining the required license from Germany's federal government. The spyware had been used in Turkey to infect the phones of government critics, monitoring their calls, text messages, photos and location data, according to a technical report published by the digital rights group Access Now.

Python

Python's PyPI Package Repository Temporarily Halted New Signups, Citing 'Volume of Malicious Projects' (bleepingcomputer.com) 24

On Saturday PyPI, the official third-party registry of open source Python packages, "temporarily suspended new users from signing up, and new projects from being uploaded to the platform" reports BleepingComputer.

"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," stated an incident notice posted by PyPI admins Saturday.

Hours ago they posted a four-word update: "Suspension has been lifted." No details were provided, but The Hacker News writes the incident "comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments." Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in order to hijack cryptocurrency transactions. ReversingLabs, in a similar discovery, identified multiple npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drop a trojan called TurkoRat.

Google

'An Example of a Very Sad Google Account Recovery Failure and Its Effects' (vortex.com) 185

Time magazine once described Lauren Weinstein as an internet-policy expert and privacy advocate. Also a long-time Slashdot reader, he now brings this cautionary blog post "to share with you an example of what Google account recovery failure means to the people involved..."

In this case it's a 90-year-old woman who "For at least the last decade... was just using the stored password to login and check her email," according to an email Weinstein received: When her ancient iPad finally died, she tried to add the gmail account to her new replacement iPad. However, she couldn't remember the password in order to login.... I don't know if you've ever attempted to contact a human being at google tech support, but it's pretty much impossible. They also don't seem to have an exception mechanism for cases like this.

So she had to abandon hopes of viewing the google photos of her (now deceased) beloved pet, her contacts, her email subscriptions, reminders, calendar entries, etc... [I]t's difficult to know what to say to someone like this when she asks "what can we do now" and there are no options... It's tough to explain that your treasured photos can't be retrieved because you're not the sort of user that Google had in mind.

Weinstein adds "this is by no means the worst such case I've seen — not even close, unfortunately." I've been discussing these issues with Google for many years. I've suggested "ombudspeople", account escalation and appeal procedures that ordinary people could understand, and many other concepts. They've all basically hit the brick wall of Google suggesting that at their scale, nothing can be done about such "edge" cases.

Here's Google's page for providing an alternate recovery email address and phone number. Unfortunately, the 90-year-old woman's account "was created so long ago that she didn't need to provide any 'recovery' contacts at that time," according to the email, "or she may have used a landline phone number that's long been cancelled now..."

Android

Millions of Android Phones and TVs May Come with Preinstalled Malware (arstechnica.com) 19

"Multiple lines of Android devices came with preinstalled malware," reports Ars Technica, "that couldn't be removed without users taking heroic measures."

Their article cites two reports released Thursday — one from Trend Micro and one from TechCrunch: Trend Micro researchers following up on a presentation delivered at the Black Hat security conference in Singapore reported that as many as 8.9 million phones comprising as many as 50 different brands were infected with malware... ["It's highly likely that more devices have been preinfected," the report clarified, "but have not exchanged communication with the Command & Control server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market... The threat actor has spread this malware over the last five years."]

"Guerrilla" opens a backdoor that causes infected devices to regularly communicate with a remote command-and-control server to check if there are any new malicious updates for them to install. These malicious updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla then surreptitiously installs aggressive ad platforms that can deplete battery reserves and degrade the user experience... Guerrilla is a massive platform with nearly a dozen plugins that can hijack users' WhatsApp sessions to send unwanted messages, establish a reverse proxy from an infected phone to use the network resources of the affected mobile device, and inject ads into legitimate apps...

TechCrunch detailed several lines of Android-based TV boxes sold through Amazon that are laced with malware. The TV boxes, reported to be T95 models with an h616, report to a command-and-control server that, just like the Guerrilla servers, can install any application the malware creators want. The default malware preinstalled on the boxes is known as a clickbot. It generates advertising revenue by surreptitiously tapping on ads in the background...

Android devices that come with malware straight out of the factory box are, unfortunately, nothing new. Ars has reported on such incidents at least five times in recent years. All the affected models were in the budget tier.

People in the market for an Android phone should steer toward known brands like Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory. To date, there have never been reports of higher-end Android devices coming with malware preinstalled. There are similarly no such reports for iPhones.

Music

A Group of Workers at Bandcamp Just Voted to Unionize (bandcampunited.org) 23

Bandcamp is a music streaming platform helping fans support independent musicians. And Bandcamp United describes itself as "a union of workers at Bandcamp — we are project managers, we are engineers, we are designers, we are vinyl campaign managers, we are support staff, we are editors and writers..."

Friday Bandcamp United issued this statement: Today, a majority of eligible Bandcamp workers voted 31-7 in favor of forming Bandcamp United, a union represented by the Office and Professional Employees International Union (OPEIU). The vote results now await certification by the National Labor Relations Board, with a collective bargaining process to follow.

Below is a joint statement from Bandcamp co-founder Ethan Diamond and Bandcamp United:

"Bandcamp United and Bandcamp management are committed to working together to continue to advance fair economic conditions for our workers and the artists who rely on us. We look forward to negotiating with an open mind and working in good faith to promote the best interests of all of our staff and the artist and label community we serve."

Google

Google Pushes New Domains Onto the Internet, and the Internet Pushes Back (arstechnica.com) 50

A recent move by Google to populate the Internet with eight new top-level domains is prompting concerns that two of the additions could be a boon to online scammers who trick people into clicking on malicious links. From a report: Two weeks ago, Google added eight new TLDs to the Internet, bringing the total number of TLDs to 1,480, according to the Internet Assigned Numbers Authority, the governing body that oversees the DNS Root, IP addressing, and other Internet protocol resources. Two of Google's new TLDs -- .zip and .mov -- have sparked scorn in some security circles. While Google marketers say the aim is to designate "tying things together or moving really fast" and "moving pictures and whatever moves you," respectively, these suffixes are already widely used to designate something altogether different. Specifically, .zip is an extension used in archive files that use a compression format known as zip. The format .mov, meanwhile, appears at the end of video files, usually when they were created in Apple's QuickTime format. Many security practitioners are warning that these two TLDs will cause confusion when they're displayed in emails, on social media, and elsewhere. The reason is that many sites and software automatically convert strings like "arstechnica.com" or "mastodon.social" into a URL that, when clicked, leads a user to the corresponding domain. The worry is that emails and social media posts that refer to a file such as setup.zip or vacation.mov will automatically turn them into clickable links -- and that scammers will seize on the ambiguity.
IT

Nvidia Announces a $299 RTX 4060 With the 4060 Ti Arriving May 24 For $399 (theverge.com) 50

Nvidia has officially announced its RTX 4060 family of GPUs. This includes the RTX 4060 Ti, which will debut next week on May 24th starting at $399, and -- perhaps the biggest news -- the RTX 4060, which will be available in July for just $299, $30 less than the RTX 3060's original retail price. A 16GB version of the RTX 4060 Ti is also due in July for $499. From a report: Nvidia's 60-class GPUs are the most popular among PC gamers on Steam, and the launch of the RTX 4060 family marks the first time we've seen Nvidia's latest RTX 40-series cards available under the $500 price point, let alone under $300. The $399 RTX 4060 Ti will ship on May 24th with just 8GB of VRAM, while a 16GB model is due in July priced at $499. There's an ongoing debate over the value of 8GB cards in the PC gaming community right now, particularly with the arrival of more demanding games that really push the limits of GPU memory even at 1080p (if you want all the max settings enabled, that is). It's a much bigger issue at 1440p and, of course, 4K resolutions, but Nvidia appears to be positioning its RTX 4060 Ti card for the 1080p market. [...] Specs-wise, the RTX 4060 Ti will be a 22 teraflop card with AV1 encoder support and more efficient energy usage. The total graphics power is 160 watts on both the RTX 4060 Ti 8GB and 16GB models, with Nvidia claiming the average gaming power usage will be around 140 watts. The RTX 3060 Ti had a total graphics power of 200 watts, and Nvidia says it uses 197 watts during games on average, so there are some impressive power efficiency improvements here.
Google

Google Will Disable Third-Party Cookies For 1% of Chrome Users in Q1 2024 (techcrunch.com) 70

An anonymous reader shares a report: Google's Privacy Sandbox aims to replace third-party cookies with a more privacy-conscious approach, allowing users to manage their interests and grouping them into cohorts based on similar browsing patterns. That's a major change for the online advertising industry, and after years of talking about it and releasing various experiments, it's about to get real for the online advertising industry. Starting in early 2024, Google plans to migrate 1% of Chrome users to Privacy Sandbox and disable third-party cookies for them, the company announced today. Google's plan to completely deprecate third-party cookies in the second half of 2024 remains on track.

In addition, with the launch of the Chrome 115 release in July, Google is making Privacy Sandbox's relevance and measurement APIs generally available to all Chrome users, making it easy for developers to test these APIs with live traffic. Google doesn't plan to make any significant changes to the API after this release. Deprecating third-party cookies for 1% of Chrome users doesn't sound like it would have a major impact, but as Google's Victor Wong, who leads product for Private Advertising Technology within Privacy Sandbox, told me, it will help developers assess their real-world readiness for the larger changes coming in late 2024. To get ready for this, developers will also be able to simulate their third-party cookie deprecation readiness starting in Q4 2023, when they'll be able to test their solutions by moving a configurable percentage of their users to Privacy Sandbox.

Security

Malware Turns Home Routers Into Proxies For Chinese State-Sponsored Hackers (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Researchers on Tuesday unveiled a major discovery -- malicious firmware that can wrangle a wide range of residential and small office routers into a network that stealthily relays traffic to command-and-control servers maintained by Chinese state-sponsored hackers. A firmware implant, revealed in a write-up from Check Point Research, contains a full-featured backdoor that allows attackers to establish communications and file transfers with infected devices, remotely issue commands, and upload, download, and delete files. The implant came in the form of firmware images for TP-Link routers. The well-written C++ code, however, took pains to implement its functionality in a "firmware-agnostic" manner, meaning it would be trivial to modify it to run on other router models.

The main purpose of the malware appears to relay traffic between an infected target and the attackers' command and control servers in a way that obscures the origins and destinations of the communication. With further analysis, Check Point Research eventually discovered that the control infrastructure was operated by hackers tied to Mustang Panda, an advanced persistent threat actor that both the Avast and ESET security firms say works on behalf of the Chinese government.

The researchers discovered the implant while investigating a series of targeted attacks against European foreign affairs entities. The chief component is a backdoor with the internal name Horse Shell. The three main functions of Horse Shell are: a remote shell for executing commands on the infected device; file transfer for uploading and downloading files to and from the infected device; and the exchange of data between two devices using SOCKS5, a protocol for proxying TCP connections to an arbitrary IP address and providing a means for UDP packets to be forwarded. The SOCKS5 functionality seems to be the ultimate purpose of the implant. By creating a chain of infected devices that establish encrypted connections with only the closest two nodes (one in each direction), it's difficult for anyone who stumbles upon one of them to learn the origin or ultimate destination or the true purpose of the infection. As Check Point researchers wrote:

"Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control," Check Point researchers wrote in a shorter write-up. "In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal."

Security

Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation (arstechnica.com) 56

An anonymous reader shares a report: IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.

The other key takeaway is that Wemo-maker Belkin told Sternum that it would not be patching this flaw because the Mini Smart Plug V2 is "at the end of its life and, as a result, the vulnerability will not be addressed." We've reached out to Belkin to ask if it has comments or updates. Sternum states that it notified Belkin on January 9, received a response on February 22, and disclosed the vulnerability on March 14.

Cellphones

Re-Victimization From Police-Auctioned Cell Phones (krebsonsecurity.com) 31

An anonymous reader quotes a report from KrebsOnSecurity: Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found (PDF). In response, the largest online marketplace for items seized in U.S. law enforcement investigations says it now ensures that all phones sold through its platform will be data-wiped prior to auction.

Researchers at the University of Maryland last year purchased 228 smartphones sold "as-is" from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top-40 most popular PIN or swipe patterns. Phones may end up in police custody for any number of reasons -- such as its owner was involved in identity theft -- and in these cases the phone itself was used as a tool to commit the crime. "We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner," the researchers explained in a paper released this month. "Unfortunately, that expectation has proven false in practice."

Beyond what you would expect from unwiped second hand phones -- every text message, picture, email, browser history, location history, etc. -- the 61 phones they were able to access also contained significant amounts of data pertaining to crime -- including victims' data -- the researchers found. [...] Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients.

"We informed [PropertyRoom] of our research in October 2022, and they responded that they would review our findings internally," said Dave Levin, an assistant professor of computer science at University of Maryland. "They stopped selling them for a while, but then it slowly came back, and then we made sure we won every auction. And all of the ones we got from that were indeed wiped, except there were four devices that had external SD [storage] cards in them that weren't wiped."

Security

Alleged Russian Hacker Charged in $200 Million Ransomware Spree (bloomberg.com) 16

A Russian man was charged by US authorities in connection with his alleged role with multiple ransomware gangs that attacked hospitals, schools and police departments. From a report: Mikhail Pavlovich Matveev, who was known online as Wazawaka, was an active member of three ransomware gangs that collectively demanded $400 million from victims and received nearly $200 million in ransom payments, according to the Department of Justice. Ransomware groups typically hack into computer networks and deploy malicious software that encrypts computers and makes them unusable. The groups demand extortion payments in cryptocurrency and threaten to leak stolen data online if the ransom is not paid.

Matveev was allegedly a member of the Lockbit, Babuk and Hive ransomware gangs. Those groups are "ranked among the most active and destructive cybercriminal threats in the world," Philip Sellinger, the US attorney for the district of New Jersey, wrote in an indictment. Matveev, along with other members of the ransomware gangs, attacked as many as 2,800 victims in the US and around the world, Sellinger wrote. The alleged victims include the Metropolitan Police Department in the District of Columbia, which was attacked with ransomware in 2021. The hackers proceeded to publish dozens of stolen personnel files. The groups also targeted churches and nonprofits, the Department of Justice said.

Google

Google To Delete Inactive Accounts Starting December (reuters.com) 42

Alphabet's Google on Tuesday said it would delete accounts that had remained unused for two years starting December, in a bid to prevent security threats including hacks. From a report: The company said that if a Google account had not been used or signed into for at least two years, it might delete the account and content across Google Workspace, which includes Gmail, Docs, Drive, Meet and Calendar, as well as YouTube and Google Photos. The policy change only applies to personal Google Accounts and not to those for organizations like schools or businesses. In 2020, Google had said it would remove content stored in an inactive account, but not delete the account itself. Starting Tuesday, Google will send multiple notifications to the account email address and recovery mail of the inactive accounts before deletion.
Microsoft

Microsoft Is Scanning the Inside of Password-Protected Zip Files For Malware (arstechnica.com) 130

An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected." "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples," Brandt wrote. "The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs."

Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list. "If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote.

"A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars.

"One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."

Television

Startup Plans To Give Away 500,000 Free 4K TVs. The Catch? The Sets Have a Second Screen That Constantly Shows Ads (variety.com) 190

Ilya Pozin made a bunch of money when Viacom bought Pluto TV, the free video-streaming company he co-founded, for $340 million four years ago. Since exiting Pluto about a year after that deal closed, Pozin has been working on another startup venture -- one he thinks will be a much bigger deal. From a report: On Monday, Pozin's brainchild, Telly, comes out of stealth after two years in development. Telly wants to ship out thousands (and eventually millions) of free 4K HDTVs, which would cost more than $1,000 at retail, according to Pozin. The 55-inch main screen is a regular TV panel, with three HDMI inputs and an over-the-air tuner, plus an integrated soundbar. The Telly TVs don't actually run any streaming apps that let you access services like Netflix, Prime Video or Disney+; instead, they're bundled with a free Chromecast with Google TV adapter.

What's new and different: The unit has a 9-inch-high second screen, affixed to the bottom of the set, which is real estate Telly will use for displaying news, sports scores, weather or stocks, or even letting users play video games. And, critically, Telly's second screen features a dedicated space on the right-hand side that will display advertising -- ads you can't skip past and ads that stay on the screen the whole time you're watching TV... and even when you're not.

Cloud

Only Cloud Providers Get Security Right. Can IT Vendors Catch Up? (esecurityplanet.com) 136

Slashdot reader storagedude writes: If cloud service providers are the only ones who can get security right, will everyone eventually move to the cloud?

That's one of the questions longtime IT systems architect Henry Newman asks in a new article on eSecurity Planet.

"The concept of zero trust has been around since 2010, when Forrester Research analyst John Kindervag created the zero trust security model. Yet two years after the devastating Colonial Pipeline attack and strong advocacy from the U.S. government and others, we are still no closer to seeing zero trust architecture widely adopted," Newman writes. "The only exception, it seems, has been cloud service providers, who boast an enviable record when it comes to cybersecurity, thanks to rigorous security practices like Google's continuous patching."

"As security breaches continue to happen hourly, sooner or later zero trust requirements are going to be forced upon all organizations, given the impact and cost to society. The Biden Administration is already pushing ambitious cybersecurity legislation, but it's unlikely to get very far in the current Congress. I am very surprised that the cyber insurance industry has not required zero trust architecture already, but perhaps the $1.4 billion Merck judgment that went against the industry last week will begin to change that.

"The central question is, can any organization implement a full zero trust stack, buy hardware and software from various vendors and put it together, or will we all have to move to cloud service providers (CSPs) to get zero trust security?

"Old arguments that cloud profit margins will eventually make on-premises IT infrastructure seem like the cheaper alternative failed to anticipate an era when security became so difficult that only cloud service providers could get it right."

Cloud service providers have one key advantage when it comes to security, Newman notes: They control, write and build much of their software and hardware stacks.

Newman concludes: "I am somewhat surprised that cloud service providers don't tout their security advantages more than they do, and I am equally surprised that the commercial off-the-shelf vendors do not band together faster than they have been to work on zero trust. But what surprises me the most is the lack of pressure on everyone to move to zero trust and get a leg or two up on the current attack techniques and make the attack plane much smaller than it is."
