"security" entries

Four short links: 31 August 2015

Linux Security Checklist, Devops for Water Bags, Summarising Reviews, and Exoskeleton with BMI

  1. Linux Workstation Security Checklist — This is a set of recommendations used by the Linux Foundation for their systems administrators.
  2. Giant Bags of Mostly Water (PDF) — on securing systems that are used by humans. This is what DevOps is about: running Ops like you’re Developing an app, not letting your devs run your ops.
  3. Mining and Summarising Customer Reviews (Paper a Day) — redux of a 2004 paper on sentiment extraction from reviews.
  4. Brain-Machine-Interface for Exoskeleton — no need to worry about the “think of sex every seven seconds” trope, the new system allows users to move forwards, turn left and right, sit and stand simply by staring at one of five flickering LEDs.

Four short links: 28 August 2015

Ad Blockers, Self-Evaluation, Blockchain Podcast, and Mobile Fingerprints

  1. 10 Ad Blocking Extensions Tested for Best Performance — This test is about the performance of an ad blocker in terms of how quickly it loads a range of ad blocked pages, the maximum amount of memory it uses, and how much stress it puts on the CPU. µBlock Origin wins for Chrome. (via Nelson Minar)
  2. Staff Evaluation of Me (Karl Fisch) — I also tried the Google Form approach. 0 responses, from which I concluded that nobody had any problems with me and DEFINITELY no conclusions could be drawn about my coworkers creating mail filters to mark my messages as spam.
  3. Blockchain (BBC) — episode on the blockchain that does a good job of staying accurate while being comprehensible. (via Sam Kinsley)
  4. Fingerprints On Mobile Devices: Abusing and Leaking (PDF) — We will analyze the mobile fingerprint authentication and authorization frameworks, and discuss several security pitfalls of the current designs, including: Confused Authorization Attack; Unsecure fingerprint data storage; Trusted fingerprint sensors exposed to the untrusted world; Backdoor of pre-embedding fingerprints.

Four short links: 27 August 2015

Chrome as APT, Nature's Mimicry, Information Extraction, and Better 3D Printing

  1. The Advanced Persistent Threat You Have: Google Chrome (PDF) — argues that if you can’t detect and classify Google Chrome’s self-updating behavior, you’re not in a position to know when you’re hit by malware that also downloads and executes code from the net that updates executables and system files.
  2. Things Mimicking Other Things — nifty visual catalog/graph of camouflage and imitation in nature.
  3. MITIE — permissively-licensed (Boost) tools for named entity extraction and binary relation detection as well as tools for training custom extractors and relation detectors.
  4. MultiFab Prints 10 Materials At Once — and uses computer vision to self-calibrate and self-correct, as well as letting users embed objects (e.g., circuit boards) in the print. Developed by CSAIL researchers from low-cost, off-the-shelf components that cost a total of $7,000.
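The detection problem that paper poses, as an added example that is not from the paper or from this post: a small classifier that reads process events (network connections and file writes), flags every process that both talks to the network and writes into a code directory, and then separates the self-updaters you expect (Chrome, the package manager) from those you do not. The event line format, the directory list, the allowlist and the log lines themselves are all constructed for this example; a real deployment would take events from auditd, Sysmon or an EDR sensor and derive the allowlist from its own software inventory.

```python
"""Added example: classify processes that both fetch from the network and
write into a code directory, then separate known self-updaters from the rest.

Everything below is constructed for illustration. The one-event-per-line
key=value format is an assumption, not the output of any real sensor.
"""
from collections import defaultdict

# Constructed sample events. Fields: ts, pid, image, event, and either
# dst (for "connect") or path (for "write").
SAMPLE_LOG = """\
ts=1 pid=4242 image=/opt/google/chrome/chrome event=connect dst=dl.google.com:443
ts=2 pid=4242 image=/opt/google/chrome/chrome event=write path=/opt/google/chrome/chrome
ts=3 pid=3000 image=/usr/bin/apt-get event=connect dst=deb.debian.org:80
ts=4 pid=3000 image=/usr/bin/apt-get event=write path=/usr/bin/openssl
ts=5 pid=5100 image=/tmp/.x/agent event=connect dst=203.0.113.7:443
ts=6 pid=5100 image=/tmp/.x/agent event=write path=/usr/lib/systemd/systemd-sleep
ts=7 pid=4243 image=/opt/google/chrome/chrome event=write path=/usr/bin/ls
ts=8 pid=6000 image=/usr/bin/vim event=write path=/home/alice/notes.txt
"""

# Directories in which a write means "code on disk changed". An assumption
# for this example; a real policy would come from the host's package manager
# and the organisation's software inventory.
EXECUTABLE_PREFIXES = ("/usr/bin/", "/usr/lib/", "/opt/", "/bin/", "/sbin/")

# Known self-updating software: the writing binary and the directories it is
# allowed to write into. Also an assumption for this example.
KNOWN_UPDATERS = {
    "/opt/google/chrome/chrome": ("/opt/google/chrome/",),
    "/usr/bin/apt-get": ("/usr/", "/bin/", "/sbin/", "/opt/"),
}


def parse_line(line):
    """Turn one key=value event line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def classify(log_text):
    """Return (verdict, image, paths) for every process that wrote code.

    Verdicts:
      known-updater   - allowlisted binary that wrote only where it is permitted
      unknown-updater - any other process that both connected out and wrote
                        into a code directory (the pattern the paper describes)
      unknown-writer  - a code write with no observed network activity from
                        that pid; still worth a look, since an allowlisted
                        image writing outside its directory also lands here
    """
    connected = set()
    exec_writes = defaultdict(list)  # (pid, image) -> [paths written]
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        key = (ev["pid"], ev["image"])
        if ev["event"] == "connect":
            connected.add(key)
        elif ev["event"] == "write" and ev["path"].startswith(EXECUTABLE_PREFIXES):
            exec_writes[key].append(ev["path"])

    findings = []
    for (pid, image), paths in exec_writes.items():
        allowed = KNOWN_UPDATERS.get(image, ())
        if allowed and all(p.startswith(allowed) for p in paths):
            verdict = "known-updater"
        elif (pid, image) in connected:
            verdict = "unknown-updater"
        else:
            verdict = "unknown-writer"
        findings.append((verdict, image, paths))
    return findings


if __name__ == "__main__":
    for verdict, image, paths in classify(SAMPLE_LOG):
        print(f"{verdict:16} {image} -> {', '.join(paths)}")
```

Note that the allowlist is keyed on both the image and the destination directory: pid 4243 is a Chrome binary, but because it wrote to /usr/bin it is not treated as the expected self-update, which is exactly the classification the paper says you must be able to make before you can spot malware doing the same thing.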

Four short links: 25 August 2015

Microservices Anti-Patterns, Reverse Engineering Course, Graph Language, and Automation Research

  1. Seven Microservices Anti-Patterns — One common mistake people made with SOA was misunderstanding how to achieve the reusability of services. Teams mostly focused on technical cohesion rather than functional regarding reusability. For example, several services functioned as a data access layer (ORM) to expose tables as services; they thought it would be highly reusable. This created an artificial physical layer managed by a horizontal team, which caused delivery dependency. Any service created should be highly autonomous – meaning independent of each other.
  2. CSCI 4974 / 6974 Hardware Reverse Engineering — RPI CS course in reverse engineering.
  3. The Gremlin Graph Traversal Language (Slideshare) — preso on a language for navigating graph data structures, which is part of the Apache TinkerPop (“Open Source Graph Computing”) suite.
  4. Why Are There Still So Many Jobs? The History and Future of Workplace Automation (PDF) — paper about the history of technology and labour. The issue is not that middle-class workers are doomed by automation and technology, but instead that human capital investment must be at the heart of any long-term strategy for producing skills that are complemented by rather than substituted for by technological change. Found via Scott Santens’s comprehensive rebuttal.

Four short links: 24 August 2015

Real World Security, Car Hacking, News Designs, and Graphs in Shared Memory

  1. This World of Ours (PDF) — funny and accurate skewering of the modern security researcher. In the real world, threat models are much simpler (see Figure 1). Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://.
  2. Highway to Hack: Why We’re Just at the Beginning of the Auto Hacking Era (Ars Technica) — detailed article covering the state of in-car networks and the security risks therein. (via BoingBoing)
  3. 64 Ways to Think about a News Homepage — design and content ideas.
  4. Ligra — a lightweight graph processing framework for shared memory. It is particularly suited for implementing parallel graph traversal algorithms where only a subset of the vertices are processed in an iteration.

Batten down the hatches

Four core questions that every security team must ask itself to develop its strategy in dealing with attacks.

Massive software vulnerabilities have been surfacing with increasingly high visibility, and the world’s computer administrators are repeatedly thrust into the cycle of confusion, anxiety, patching, and waiting for the Next Big One. The list of high-profile vulnerabilities in widely used software packages and platforms continues to grow. A recent phenomenon has researchers borrowing from the National Hurricane Center’s tradition and introducing a vulnerability with a formal name. As meteorologists do with hurricanes, security researchers, analysts, and practitioners observe and track vulnerabilities as more details unfold and the true extent of the risk (and subsequent damage) becomes known.

Take, for example, the Android vulnerability disclosed at the beginning of August 2015. This vulnerability, named “Stagefright” after the media library it affects, can lead to remote code execution (RCE) through several vectors, including MMS, email, HTTP, media applications, Bluetooth, and more. Coupled with the fact that, at the time of disclosure, no approved patches were available for upwards of 95% of the world’s Android devices, this makes the vulnerability serious, especially for any organization with a significant Android population.

Four short links: 19 August 2015

Privacy-Respecting Algorithms, Dealers Growing, Book Recommendations, and End of Internet Dreams

  1. Efficient Algorithms for Public-Private Social Networks — Google Research paper on privacy-respecting algorithms for social networks. From the overview: the models of privacy we’re landing on (nodes or edges in the graph are marked as “private” by a user) mean that enforcing these privacy guarantees translates to solving a different algorithmic problem for each user in the network, and for this reason, developing algorithms that process these social graphs and respect these privacy guarantees can become computationally expensive. The paper shows how to efficiently approximate some of the graph operations required to run a social network.
  2. Rise of Networked Platforms for Physical World Services (Tim O’Reilly) — the central player begins by feeding its network of suppliers, but eventually begins to compete with it. […] Over time, as networks reach monopoly or near-monopoly status, they must wrestle with the issue of how to create more value than they capture — how much value to take out of the ecosystem, versus how much they must leave for other players in order for the marketplace to continue to thrive.
  3. Book Recommendations from BLDBLOG — Winslow memorably pointed out how farmers in the Sinaloa region of Mexico had been swept up into the cartel’s infinitely flexible method of production, and that, despite any ensuing role growing and harvesting marijuana or even poppies, the cartel offered them new jobs in logistics, not agriculture. “They didn’t want to be farmers,” Winslow said at Bookcourt, “they wanted to be FedEx.”
  4. The End of the Internet Dream (Jennifer Granick) — this is all gold. Something resonating with my current meditations: People are sick and tired of crappy software. And they aren’t going to take it any more. The proliferation of networked devices — the Internet of Things — is going to mean all kinds of manufacturers traditionally subject to products liability are also software purveyors. If an autonomous car crashes, or a networked toaster catches on fire, you can bet there is going to be product liability. […] I think software liability is inevitable. I think it’s necessary. I think it will make coding more expensive, and more conservative. I think we’ll do a crappy job of it for a really long time.

Four short links: 14 August 2015

Jeep Hack, Blockchain for Beginners, Three Next:Economy Papers, and Signs of Self-Destruction

  1. The Jeep Cherokee Hack (Kaspersky) — details from the Black Hat talk.
  2. The Complete Beginner’s Guide to Blockchain Technology — in case you’ve been slipping on your nerd cred.
  3. Automation Angst (The Economist) — discusses three papers: (1) automation creates new jobs; (2) the sweet-spot of automation has been in mid-range intellectual, mid-rate physical tasks; and (3) know the history of automation/unemployment scares.
  4. Observational Signatures of Self-Destructive Civilisations (arXiv) — Using the Earth as an example, we consider a variety of scenarios in which humans could extinguish their own technological civilisation. Each scenario presents some form of observable signature that could be probed by astronomical campaigns to detect and characterise extrasolar planetary systems. I feel like there’s a business form of this paper, too …

Four short links: 12 August 2015

Economic Futures, Space War, State of Security, and Algorithmic Fairness

  1. Possible Economics Models (Jamais Cascio) — economic futures filtered through Doctorovian prose. Griefer Economics: Information is power, especially when it comes to finance, and the increasing use of ultra-fast computers to manipulate markets (and drive out “weaker” competitors) is moving us into a world where market position isn’t determined by having the best offering, but by having the best tool. Rules are gamed, opponents are beaten before they even know they’re playing, and it all feels very much like living on a PvP online game server where the referees have all gone home. Relevant to Next:Economy.
  2. War in Space May Be Closer Than Ever (SciAm) — Today, the situation is much more complicated. Low- and high-Earth orbits have become hotbeds of scientific and commercial activity, filled with hundreds upon hundreds of satellites from about 60 different nations. Despite their largely peaceful purposes, each and every satellite is at risk, in part because not all members of the growing club of military space powers are willing to play by the same rules — and they don’t have to, because the rules remain as yet unwritten. There’s going to be a bitchin’ S-1 risks section when Planet Labs files for IPO.
  3. Not Even Close: The State of Computer Security (Vimeo) — In this bleak, relentlessly morbid talk, James Mickens will describe why making computers secure is an intrinsically impossible task. He will explain why no programming language makes it easy to write secure code. He will then discuss why cloud computing is a black hole for privacy, and only useful for people who want to fill your machine with ads, viruses, or viruses that masquerade as ads. At this point in the talk, an audience member may suggest that bitcoins can make things better. Mickens will laugh at this audience member and then explain why trusting the bitcoin infrastructure is like asking Dracula to become a vegan. Mickens will conclude by describing why true love is a joke and why we are all destined to die alone and tormented. The first ten attendees will get balloon animals, and/or an unconvincing explanation about why Mickens intended to (but did not) bring balloon animals. Mickens will then flee on horseback while shouting “The Prince of Lies escapes again!”
  4. Algorithms and Bias (NYTimes) — interview w/Cynthia Dwork from Microsoft Research. Fairness means that similar people are treated similarly. A true understanding of who should be considered similar for a particular classification task requires knowledge of sensitive attributes, and removing those attributes from consideration can introduce unfairness and harm utility.

Coming up at Solid Amsterdam

A look at our unified program for unified creators.


Register now for Solid Amsterdam 2015, our conference exploring the intersections of manufacturing, design, hardware, software, and business strategy. The event will take place in Amsterdam on October 28, 2015.

Creating a great product means knowing something about many things: design, prototyping, electronics, software, manufacturing, marketing, and business strategy. That’s the blend that Solid brings together: over our one-day program at Solid Amsterdam on October 28, 2015, we’ll walk through a range of inspiration and insight that’s essential for anyone who creates physical products — consumer devices, industrial machines, and everything in between.

Start with design: it’s the first discipline that’s called on to master any new technology, and designers whose work has been confined to the digital realm are now expected to understand hardware and connected systems as well.

Design at Solid begins with our program co-chair, Marko Ahtisaari, who was head of product design at Nokia from 2009 to 2013, and is now CEO and co-founder of The Sync Project. We’ll also hear from Thomas Widdershoven, creative director at Design Academy Eindhoven and co-founder of thonik, a design studio whose work specializes in interaction and motion design.
