ENTRIES TAGGED "security"

Stop hacking random stuff. It’s getting trivial.

Once we acknowledge nearly everything is insecure, we can engage in a more nuanced discussion about security.

I was gratified to read Dave Aitel’s rant about junk hacking last week [via Peter Lewis and abridged below]:

“Yes, we get it. Cars, boats, buses, and those singing fish plaques are all hackable and have no security. Most conferences these days have a whole track called ‘Junk I found around my house and how I am going to scare you by hacking it.’ That stuff is always going to be hackable whetherornotyouarethecalvalry.org.

“Yes, there is Junk in your garage, and you can hack it, and if you find someone else who happens to have that exact same Junk, you can probably hack that, too, but maybe not, because testing is hard.

“Cars are the pinnacle of junk hacking, because they are meant to be in your garage. Obviously there is no security on car computers. Nor (and I hate to break the suspense) *will there ever be*. Yes, you can connect a device to my midlife crisis car and update the CPU of the battery itself with malware, which can in theory explode my whole car on the way to BJJ. I personally hope you don’t. But I know it’s possible the same way I know it’s possible to secretly rewire my toaster oven to overcook my toast every time even when I put it on the lowest setting, driving me slowly but surely insane.

“So in any case, enough with the Junk Hacking, and enough with being amazed when people hack their junk.”

Four short links: 25 September 2014

Elevation Data, Soft Robots, Clean Data, and Security Souk

  1. NGA Releases Hi-Res Elevation Data — 30-meter topographic data for the world.
  2. Soft Robotics — a collection of shared resources to support the design, fabrication, modeling, characterization, and control of soft robotic devices. From Harvard.
  3. OpenGov — In many domains, it’s not so much about “big data” yet as it is about “clean data.”
  4. Mitnick’s Zero-Day Exploit Shop — marketplace connecting “corporate and government” buyers and sellers of zero-day exploits. Claims to vet buyers. Another hidden economy becoming public.

Four short links: 22 September 2014

OS X Javascript, Social Key Party, E-Fail, and Microservices Testing

  1. Significance of Javascript For OS X Scripting — not just for shell scripting-type automation, now you can build Cocoa applications with Javascript. This is huge.
  2. keybase.io — social media as trust vector.
  3. I Banned E-Mail At My Company — Email should not be used to share information. Especially if that information is a resource that might be useful again in the future.
  4. Building Microservices at Karma — The biggest challenge with microservices is testing. With a regular web application, an end-to-end test is easy: just click somewhere on the website, and see what changes in the database. But in our case, actions and eventual results are so far from another that it’s difficult to see exact cause and effect. A problem might bubble up from a chain, but where in the chain did it go wrong? It’s something we still haven’t solved.

Four short links: 19 September 2014

Deep Learning Bibliography, Go Playground, Tweet-a-Program, and Memory Management

  1. Deep Learning Bibliography — an annotated bibliography of recent publications (2014-) related to Deep Learning.
  2. Inside the Go Playground — on safely offering a REPL over the web to strangers.
  3. Wolfram Tweet-a-Program — clever marketing trick, and reminiscent of Perl Golf-style “how much can you fit into how little” contests.
  4. Memory Management Reference — almost all you ever wanted to know about memory management.

Four short links: 18 September 2014

Writing Testable Code, Magical UIs, High-Performance ssh, and BASIC Lessons

  1. Guide to Writing Testable Code (PDF) — Google’s testable code suggestions, though C++-centric.
  2. Enchanted Objects (YouTube) — David Rose at Google talking about the UX of magical UIs. (via Mary Treseler)
  3. hpn-ssh — High Performance SSH/SCP.
  4. Lost Lessons from an 8-bit BASIC — The little language that fueled the home computer revolution has been long buried beneath an avalanche of derision, or at least disregarded as a relic from primitive times. That’s too bad, because while the language itself has serious shortcomings, the overall 8-bit BASIC experience has high points that are worth remembering.

Four short links: 15 September 2014

Weird Machines, Libraries May Scan, Causal Effects, and Crappy Dashboards

  1. The Care and Feeding of Weird Machines Found in Executable Metadata (YouTube) — talk from 29th Chaos Communication Congress, on tricking the ELF linker/loader into arbitrary computation from the metadata supplied. Yes, there’s a brainfuck compiler that turns code into metadata which is then, through a supernatural mix of pixies, steam engines, and binary, executed. This will make your brain leak. Weird machines are everywhere.
  2. European Libraries May Digitise Books Without Permission — “The right of libraries to communicate, by dedicated terminals, the works they hold in their collections would risk being rendered largely meaningless, or indeed ineffective, if they did not have an ancillary right to digitize the works in question,” the court said. Even if the rights holder offers a library the possibility of licensing his works on appropriate terms, the library can use the exception to publish works on electronic terminals, the court ruled. “Otherwise, the library could not realize its core mission or promote the public interest in promoting research and private study,” it said.
  3. CausalImpact (GitHub) — Google’s R package for estimating the causal effect of a designed intervention on a time series. (via Google Open Source Blog)
  4. Laws of Crappy Dashboards — (caution, NSFW language … “crappy” is my paraphrase) so true. Not talking to users will result in a [crappy] dashboard. You don’t know if the dashboard is going to be useful. But you don’t talk to the users to figure it out. Or you just show it to them for a minute (with someone else’s data), never giving them a chance to figure out what the hell they could do with it if you gave it to them.

Four short links: 8 September 2014

Glasshole Wiper, Complex Failures, Mail Startup, and Digital Media Disappointments

  1. Cyborg UnPlug — sits on your wifi network and will alert you if it finds Google Glass, Dropcam, spycams, and other unwanted wifi Klingons. Or it can automatically send deauth packets to those devices to try and boot them off the network.
  2. How Complex Systems Fail (PDF) — That practitioner actions are gambles appears clear after accidents; in general, post hoc analysis regards these gambles as poor ones. But the converse: that successful outcomes are also the result of gambles; is not widely appreciated.
  3. Schnail Mail — exciting new startup idea.
  4. Mapping Digital Media (Open Society) — analysis of media, online and off, in various regions and discussion of how it’s changing. Among the global findings: digitization has brought no pressure to reform state broadcasters, less than one-third of countries found that digital media have helped to expand the social impact of investigative journalism, and digitization has not significantly affected total news diversity.

Four short links: 4 September 2014

Makerspace Libraries, xkcd Author Profiled, On Victim Shaming, and Generated Covers

  1. Makerspaces Coming to Libraries (Wired) — [W]hile I’m just as sentimental about the primacy of hard copy, the librarians aren’t. As they all tell me, their job is helping with access to knowledge—not all of which comes in codex form and much of which is deeply social. Libraries aren’t just warehouses for documents; they’re places to exchange information.
  2. Rolling Stone Feature on Randall Munroe — When you’re talking about pure research, every year it’s a longer trip to the cutting edge. Students have to spend a larger percentage of their careers catching up to the people who have gone before them. My solution to that is to tackle problems that are so weird that no one serious has ever spent any time on them. (via BoingBoing)
  3. Not Safe for Working On (Dan Kaminsky) — some things that needed to be said, and which couldn’t have been said better, about security, victim shaming, and separating the 2% from the 98%.
  4. Generative eBook Covers — very cool (with code) system for programmatically generating aesthetic and interesting ebook covers. I particularly like the face-recognition-in-engravings look.

Four short links: 3 September 2014

Distributed Systems Theory, Chinese Manufacturing, Quantified Infant, and Celebrity Data Theft

  1. Distributed Systems Theory for the Distributed Systems Engineer — I tried to come up with a list of what I consider the basic concepts that are applicable to my every-day job as a distributed systems engineer; what I consider ‘table stakes’ for distributed systems engineers competent enough to design a new system.
  2. Shenzhen Trip Report (Joi Ito) — full of fascinating observations about how the balance of manufacturing strength has shifted in surprising ways. The retail price of the cheapest full featured phone is about $9. Yes. $9. This could not be designed in the US – this could only be designed by engineers with tooling grease under their fingernails who knew the manufacturing equipment inside and out, as well as the state of the art of high-end mobile phones.
  3. Sproutling — The world’s first sensing, learning, predicting baby monitor. A wearable band for your baby, a smart charger and a mobile app work together to not only monitor more effectively but learn and predict your baby’s sleep habits and optimal sleep conditions. (via Wired)
  4. Notes on the Celebrity Data Theft — wonderfully detailed analysis of how photos were lifted, and the underground industry built around them. This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data.

Four short links: 28 August 2014

Visual Python, Scraping and Screenshotting, Un-free Speech, IP Law Textbook

  1. PlotDevice — A Python-based graphics language for designers, developers, and tinkerers. More in the easy-to-get-started + visual realm, like Processing. (via Andy Baio)
  2. Scumblr and Sketchy Search — Netflix open sourcing some scraping, screenshot, and workflow tools their security team uses to monitor discussion of themselves.
  3. Should Twitter, Facebook and Google Executives be the Arbiters of What We See and Read? (Glenn Greenwald) — In the digital age, we are nearing the point where an idea banished by Twitter, Facebook and Google all but vanishes from public discourse entirely, and that is only going to become more true as those companies grow even further. Whatever else is true, the implications of having those companies make lists of permitted and prohibited ideas are far more significant than when ordinary private companies do the same thing.
  4. Intellectual Property: Law and the Information Society; Cases and Materials (PDF) — James Boyle and Jennifer Jenkins’ open law textbook on IP (which even explores the question of whether that’s a valid and meaningful term). (via James Boyle)