"security" entries

Four short links: 21 December 2015

Anomaly Detection, Contempt Culture, Deep Learning Robot, and Compromised Firewalls

  1. Bro — open source intrusion and anomaly detection service, turns everything into events that you can run scripts against. Good pedigree (Vern Paxson, a TCP/IP elder god) despite the wince-inducing name (at least it isn’t “brah”).
  2. Contempt Culture (Aurynn) — for a culture that now prides itself on continuous improvement and blameless post-mortems and so on, we’re blind to a contempt culture that produces cults of criticism like “PHP isn’t a real programming language,” etc., where the targets of the criticism are pathways disproportionately taken by women and minorities. I’m embarrassed by how much of 2001-era Nat I recognise in Aurynn’s description.
  3. Deep Learning Robot — Built for advanced research in robotics and artificial intelligence (deep learning). Pre-installed Google TensorFlow, Robot Operating System (ROS), Caffe, Torch, Theano, CUDA, and cuDNN.
  4. Juniper ScreenOS Backdoor — here’s the ssh password that’ll get you into any unpatched Juniper firewall, courtesy a backdoor that will be keeping network admins and CEOs alike awake and unhappy around the world. The interesting analysis with long-term effects will be “how the hell did it get in there?”
Four short links: 18 December 2015

Malicious Traffic, Visual Analysis, C History, and Immersive Gaming

  1. Maltrail — a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists[…]. Also, it has (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware). (via Nick Galbreath)
  2. Vega-Lite — high-level grammar for visual analysis, built on top of Vega. (via Curran Kelleher)
  3. C History — Dennis Ritchie’s 1993 notes on the history of the C programming language explains the origins of a.out and arrays as pointers, and has a reminder of how tight those systems were: Of the 24K bytes of memory on the machine, the earliest PDP-11 Unix system used 12K bytes for the operating system, a tiny space for user programs, and the remainder as a RAM disk.
  4. Zero Latency — immersive gaming with Oculus headsets. Detailed and positive.
Four short links: 15 December 2015

Barbie Broken, JSON Database, Lightbulb DRM, and Graph Database

  1. Crypto is Hard says Hello Barbie — We discovered several issues with the Hello Barbie app including: it utilizes an authentication credential that can be re-used by attackers; it connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name; it shipped with unused code that serves no function but increases the overall attack surface. On the server side, we also discovered: client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers; the ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack. (via Ars Technica)
  2. Kinto — Mozilla’s open source lightweight JSON storage service with synchronisation and sharing abilities. It is meant to be easy to use and easy to self-host.
  3. Philips Blocks 3rd Party Lightbulbs — DRM for light fixtures. cf @internetofsh*t
  4. gaffer — GCHQ-released open source graph database. …a framework that makes it easy to store large-scale graphs in which the nodes and edges have statistics such as counts, histograms, and sketches. These statistics summarise the properties of the nodes and edges over time windows, and they can be dynamically updated over time. Gaffer is a graph database, rather than a graph processing system. It is optimised for retrieving data on nodes of interest. IHNJH,IJLTS “nodes of interest.”
Four short links: 14 December 2015

Design for the Surveilled, Concept Learning, Media Access, and Programming Challenges

  1. Please Stop Making Secure Messaging Systems — how to design for the surveilled, and the kinds of tools they need BEYOND chat.
  2. Human Level Concept Learning through Probabilistic Program Induction — paper and source code for the nifty “learn handwriting from one example” paper that’s blowing minds.
  3. Access Denied (The Awl) — media had power because they had an audience, but social media gives celebrities, sports people, and politicians a bigger audience than media outlets. So, the media outlets aren’t needed, and consequently, they’re losing “access.” A reporter that depends on access to a compelling subject is by definition a reporter compromised. A publication that depends on cooperation from the world that it specializes in is likewise giving up something in terms of its ability to tell the truth about it. And nearly the entire media as it exists today is built around these negotiations.
  4. Stockfighter — a series of free, fun programming challenges […] suitable for programmers at all experience levels.
Four short links: 10 December 2015

Reactive Programming Theory, Attacking HTTP/2, Distributed Systems Explainer, and Auto Futures

  1. Distributed Reactive Programming (A Paper a Day) — this week’s focus on reactive programming has been eye-opening for me. I find the implementation details less interesting than the simple notion that we can define different consistency models for reactive programs and reason about them.
  2. Attacking HTTP/2 Implementations — Our talk focused on threats, attack vectors, and vulnerabilities found during the course of our research. Two Firefox, two Apache Traffic Server (ATS), and four Node-http2 vulnerabilities will be discussed alongside the release of the first public HTTP/2 fuzzer. We showed how these bugs were found, their root cause, why they occur, and how to trigger them.
  3. What We Talk About When We Talk About Distributed Systems — a great intro/explainer to the different concepts in distributed systems.
  4. The Autonomous Winter is Coming — The future of any given manufacturer will be determined by how successfully they manage their brands in a market split between Mobility customers and Driving customers.
Four short links: 8 December 2015

Open Source ZeroDB, HTTP Statuses, Project Activity, and Database Readings

  1. ZeroDB is Open Source — end-to-end encrypted database goes open source (AGPL, *ptui*).
  2. Choosing an HTTP Status Code — or “an alternative to engineers duelling.”
  3. Open Source Monthly — views of open source projects through their GitHub activity.
  4. Readings in Database Science (5ed) — HTML and PDF versions of the papers.
Four short links: 7 December 2015

Telepresent Axeman, Toxic Workers, Analysis Code, and Cryptocurrency Attacks

  1. Axe-Wielding Robot w/Telepresence (YouTube) — graphic robot-on-wall action at 2m30s. (via IEEE)
  2. Toxic Workers (PDF) — In comparing the two costs, even if a firm could replace an average worker with one who performs in the top 1%, it would still be better off by replacing a toxic worker with an average worker by more than two-to-one. Harvard Business School research. (via Fortune)
  3. Replacing Sawzall (Google) — At Google, most Sawzall analysis has been replaced by Go […] we’ve developed a set of Go libraries that we call Lingo (for Logs in Go). Lingo includes a table aggregation library that brings the powerful features of Sawzall aggregation tables to Go, using reflection to support user-defined types for table keys and values. It also provides default behavior for setting up and running a MapReduce that reads data from the logs proxy. The result is that Lingo analysis code is often as concise and simple as (and sometimes simpler than) the Sawzall equivalent.
  4. Attacks in the World of Cryptocurrency — a review of some of the discussed weaknesses, attacks, or oddities in cryptocurrency (esp. bitcoin).
Four short links: 4 December 2015

Bacterial Research, Open Source Swift, Deep Forger, and Prudent Crypto Engineering

  1. New Antibiotics Research Direction — most people don’t know that we can’t cultivate and isolate most of the microbes we know about.
  2. Swift now Open Source — Apache v2-licensed. An Apple exec is talking about it and its roadmap.
  3. Deep Forger User Guide — clever Twitter bot converting your photos into paintings in the style of famous artists, using deep learning tech.
  4. Prudent Engineering Practice for Cryptographic Protocols (PDF) — paper from the ’90s that is still useful today. Those principles are good for API design too. (via Adrian Colyer)

Ari Gesher and Kipp Bradford on security and the Internet of Things

The O’Reilly Hardware Podcast: Evolving expectations for privacy.

Subscribe to the O’Reilly Hardware Podcast for insight and analysis about the Internet of Things and the worlds of hardware, software, and manufacturing.

In this episode of our newly renamed Hardware Podcast, I talk with Ari Gesher, engineering ambassador at Palantir Technologies, and Kipp Bradford, research scientist at the MIT Media Lab.

Gesher is the co-author of The Architecture of Privacy: On Engineering Technologies that Can Deliver Trustworthy Safeguards. Bradford is co-author of Distributed Network Data: From Hardware to Data to Visualization, and he’s spoken twice at Solid.

Discussion points:

  • The difference between security and privacy
  • Ari’s notion of what it means to be “polite” in a world where everything is recorded
  • The need and rationale for standards and protocols for IoT devices

Four short links: 3 December 2015

Touchable Holograms, Cloud Vision API, State of Computer Security, and Product Prioritization

  1. Japanese Scientists Create Touchable Holograms (Reuters) — Using femtosecond laser technology, the researchers developed ‘Fairy Lights,’ a system that can fire high-frequency laser pulses that last one millionth of one billionth of a second. The pulses respond to human touch, so that – when interrupted – the hologram’s pixels can be manipulated in mid-air.
  2. Google Cloud Vision API — classifies images into thousands of categories (e.g., “boat,” “lion,” “Eiffel Tower”), detects faces with associated emotions, and recognizes printed words in many languages.
  3. Not Even Close: The State of Computer Security (Vimeo) — hilarious James Mickens talk with the best description ever.
  4. 20 Product Prioritization Techniques: A Map and Guided Tour — excellent collection of techniques for ordering possible product work.