"security" entries

Four short links: 5 May 2015

Agile Hardware, Time Series Data, Data Loss, and Automating Security

  1. How We Do Agile Hardware Development at Meld — In every sprint we built both hardware and software. This doesn’t mean we had a fully fabricated new board rev once a week. […] We couldn’t build a complete new board every week, and early on we didn’t even know for sure what parts we wanted in our final BOM (Bill of Materials) so we used eval boards. These stories of how companies iterated fast will eventually build a set of best practices for hardware startups, similar to those in software.
  2. Recording Time Series — if data arrives with variable latency, timestamps are really probabilistic ranges. How do you store your data for searches and calculations that reflect reality, and are not erroneous because you’re ignoring a simplification you made to store the data more conveniently?
  3. Call Me Maybe, ElasticSearch 1.5.0 — To be precise, Elasticsearch’s transaction log does not put your data safety first. It puts it anywhere from zero to five seconds later. In this test we kill random Elasticsearch processes with kill -9 and restart them. In a datastore like Zookeeper, Postgres, BerkeleyDB, SQLite, or MySQL, this is safe: transactions are written to the transaction log and fsynced before acknowledgement. In Mongo, the fsync flags ensure this property as well. In Elasticsearch, write acknowledgement takes place before the transaction is flushed to disk, which means you can lose up to five seconds of writes by default. In this particular run, ES lost about 10% of acknowledged writes.
  4. FIDO — Netflix’s open source system for automatically analyzing security events and responding to security incidents.

Four short links: 29 April 2015

Deceptive Visualisation, Small Robots, Managing Secrets, and Large Time Series

  1. Disinformation Visualisation: How to Lie with Datavis — We don’t spread visual lies by presenting false data. That would be lying. We lie by misrepresenting the data to tell the very specific story we’re interested in telling. If this is making you slightly uncomfortable, that’s a good thing; it should. If you’re concerned about adopting this new and scary habit, well, don’t worry; it’s not new. Just open your CV to be reminded you’ve lied with truthful data before. This time, however, it will be explicit and visual. (via Regine Debatty)
  2. Microtugs — a new type of small robot that can apply orders of magnitude more force than it weighs. This is in stark contrast to previous small robots that have become progressively better at moving and sensing, but lacked the ability to change the world through the application of human-scale loads.
  3. Vault — a tool for securely managing secrets and encrypting data in-transit.
  4. iSAX: Indexing and Mining Terabyte Sized Time Series (PDF) — Our approach allows both fast exact search and ultra-fast approximate search. We show how to exploit the combination of both types of search as sub-routines in data mining algorithms, allowing for the exact mining of truly massive real-world data sets, containing millions of time series. (via Benjamin Black)

Four short links: 22 April 2015

Perfect Security, Distributing Secrets, Stale Reads, and Digital Conversions

  1. Perfect Security (99% Invisible) — Since we lost perfect security in the 1850s, it has remained elusive. Despite tremendous leaps forward in security technology, we have never been able to get perfect security back. History of physical security, relevant to digital security today.
  2. keywhiz — a system for managing and distributing secrets. It can fit well with a service oriented architecture (SOA).
  3. Call Me Maybe: MongoDB Stale Reads — a master class in understanding modern distributed systems. Kyle’s blog is consistently some of the best technical writing around today.
  4. Users Convert to Digital Subscribers at a Rate of 1% (Julie Starr) — and other highlights of Jeff Jarvis’s new book, Geeks Bearing Gifts.

Four short links: 20 April 2015

Edtech Advice, MEMS Sensors, Security in Go, and Building Teams

  1. Ed Tech Developer’s Guide (PDF) — U.S. government’s largely reasonable advice for educational technology startups. Nonetheless, take with a healthy dose of The Audrey Test.
  2. The Crazy-Tiny Next Generation of Computers — 1 cubic millimeter-sized sensors are coming. The only sound you might hear is a prolonged groan. That’s because these computers are just one cubic millimeter in size, and once they hit the floor, they’re gone. “We just lose them,” Dutta says. “It’s worse than jewelry.”
  3. Looking for Security Trouble Spots in Go — brief summary of the known security issues in and around Go code.
  4. The New Science of Building Great Teams (Sandy Pentland) — fascinating discussion of MIT’s Human Dynamics lab’s research into how great teams function. The data also reveal, at a higher level, that successful teams share several defining characteristics: 1. Everyone on the team talks and listens in roughly equal measure, keeping contributions short and sweet. 2. Members face one another, and their conversations and gestures are energetic. 3. Members connect directly with one another—not just with the team leader. 4. Members carry on back-channel or side conversations within the team. 5. Members periodically break, go exploring outside the team, and bring information back.

Four short links: 14 April 2015

Technical Debt, A/A Testing, NSA's Latest, and John von Neumann

  1. Pycon 2015: Technical Debt, The Monster in Your Closet (YouTube) — excellent talk from PyCon. See also slides.
  2. A/A Testing — In an A/A test, you run a test using the exact same options for both “variants” in your test. That’s right, there’s no difference between “A” and “B” in an A/A test. It sounds stupid, until you see the “results.” (via Nelson Minar)
  3. NSA Declares War on General-Purpose Computing (BoingBoing) — NSA director Michael S Rogers says his agency wants “front doors” to all cryptography used in the USA, so that no one can have secrets it can’t spy on — but what he really means is that he wants to be in charge of which software can run on any general purpose computer.
  4. John von Neumann Documentary (YouTube) — 1966 documentary from the American Mathematical Association on the father of digital computing, who also is hailed as the father of game theory and much much more. (via Paul Walker)

Four short links: 30 March 2015

Philosophical Research, Reading Turing, Security Exercises, and Golang Madness

  1. The Trolley and the Psychopath — Not only does a “utilitarian” response (“just kill the fat guy”) not actually reflect a utilitarian outlook, it may actually be driven by broad antisocial tendencies, such as lowered empathy and a reduced aversion to causing someone harm. Questionably expanding scope of claims in the behavioural philosophy research. (via Ed Yong)
  2. Summary of Computing Machinery and Intelligence (1950) by Alan Turing (Jack Hoy) — still interesting and relevant today. cf Why Aren’t We Reading Turing
  3. Exploit Exercises — a variety of virtual machines, documentation, and challenges that can be used to learn about a variety of computer security issues, such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.
  4. GopherJS — golang to JavaScript compiler so you can experience the ease of typed compiled languages in the security and stability of the browser platform.

Four short links: 27 March 2015

Welfare and Entrepreneurialism, Infrastructure Secrets, Insectoid Robots, Hacking Hexbugs

  1. Welfare Makes America More Entrepreneurial (The Atlantic) — In a 2014 paper, Olds examined the link between entrepreneurship and food stamps, and found that the expansion of the program in some states in the early 2000s increased the chance that newly eligible households would own an incorporated business by 16%. (Incorporated firms are a better proxy for job-creating startups than unincorporated ones.)
  2. Security of Infrastructure Secrets — everything has a key that’s just one compromise or accidental drop away.
  3. Festo’s Fantastical Insectoid Robots Include Bionic Ants and Butterflies (IEEE) — Each butterfly has a 50-centimeter wingspan and weighs just 32 grams, but carries along two servo motors to independently actuate the wings, an IMU, accelerometer, gyro, and compass, along with two tiny 90-mAh lithium-polymer batteries. With a wing beat frequency of between one and two flaps per second, top speed is 2.5 m/s, with a flight time of three to four minutes before needing a 15-minute charge. The wings themselves use impossibly thin carbon rods for structure, and are covered with an even thinner elastic capacitor film.
  4. Arduino Celebration and Hexbugs hacking with Bob Martin (SparkFun) — The Hunter demo is a combination of object detection and object avoidance. It uses an IR sensor array to determine objects around it. Objects that appear and then disappear quickly, say in a second or two are targets which it will walk towards; however, a target that stays constant will be avoided. I’m still trying to find the perfect balance between making a decision between fleeing prey and a wall using only simple proximity samples from an IR detector array.

What the IoT can learn from the health care industry

Federated authentication and authorization could provide security solutions for the Internet of Things.

Adrian Gropper co-authored this post.

After a short period of excitement and rosy prospects in the movement we’ve come to call the Internet of Things (IoT), designers are coming to realize that it will survive or implode around the twin issues of security and user control: a few electrical failures could scare people away for decades, while a nagging sense that someone is exploiting our data without our consent could sour our enthusiasm. Early indicators already point to a heightened level of scrutiny — Senator Ed Markey’s office, for example, recently put the automobile industry under the microscope for computer and network security.

In this context, what can the IoT draw from well-established technologies in federated trust? Federated trust in technologies as diverse as Kerberos and SAML has allowed large groups of users to collaborate securely, never having to share passwords with people they don’t trust. OpenID was probably the first truly mass-market application of federated trust.

OpenID and OAuth, which have proven their value on the Web, have an equally vital role in the exchange of data in health care. This task — often cast as the interoperability of electronic health records — can reasonably be described as the primary challenge facing the health care industry today, at least in the IT space. Reformers across the health care industry (and even Congress) have pressured the federal government to make data exchange the top priority, and the Office of the National Coordinator for Health Information Technology has declared it the centerpiece of upcoming regulations.


Four short links: 13 March 2015

Sad Sysadminning, Data Workflow, Ambiguous "Database," and Creepy Barbie

  1. The Sad State of Sysadmin in the Age of Containers (Erich Schubert) — a Grumpy Old Man rant, but solid. And since nobody is still able to compile things from scratch, everybody just downloads precompiled binaries from random websites. Often without any authentication or signature.
  2. Pinball — Pinterest open-sourced their data workflow manager.
  3. Disambiguating Databases (ACM) — The scope of the term database is vast. Technically speaking, anything that stores data for later retrieval is a database. Even by that broad definition, there is functionality that is common to most databases. This article enumerates those features at a high level. The intent is to provide readers with a toolset with which they might evaluate databases on their relative merits.
  4. Hello Barbie — I just can’t imagine a business not wanting to mine and repurpose the streams of audio data coming into their servers. “You listen to Katy Perry a lot. So do I! You have a birthday coming up. Have you told your parents about the Katy Perry brand official action figurines from Mattel? Kids love ’em, and demo data and representative testing indicates you will, too!” Or just offer a subscription service where parents can listen in on what their kids say when they play in the other room with their friends. Or identify product mentions and cross-market offline. Or …

Four short links: 4 March 2015

Go Microservices, Watch Experience, Multithreading Bugs, and Spooks Ahoy

  1. Microservices in Go — tale of rewriting a Ruby monolith as Go microservices. Interesting, though being delivered at Gophercon India suggests the ending is probably not unhappy.
  2. Watch & Wear (John Cross Neumann) — Android watch as predictor of the value and experience of an Apple Watch. I believe this is the true sweet spot for meaningful wearable experiences. Information that matters to you in the moment, but requires no intervention. Wear actually does this extremely well through Google Now. Traffic, Time to Home, Reminders, Friend’s Birthdays, and Travel Information all work beautifully. […] After some real experience with Wear, I think what is more important is to consider what Apple Watch is missing: Google Services. Google Services are a big component of what can make wearing a tiny screen on your wrist meaningful and personal. I wouldn’t be surprised after the initial wave of apps through the app store if Google Now ends up being the killer app for Apple Watch.
  3. Solving 11 Likely Problems In Your Multithreaded Code (Joe Duffy) — a good breakdown of concurrency problems, including lower-level ones than high-level languages expose. But beware. If you try this [accessing variables with synchronisation] on a misaligned memory location, or a location that isn’t naturally sized, you can encounter a read or write tearing. Tearing occurs because reading or writing such locations actually involves multiple physical memory operations. Concurrent updates can happen in between these, potentially causing the resultant value to be some blend of the before and after values.
  4. Obama Sharply Criticizes China’s Plans for New Technology Rules (Reuters) — In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access. Goose sauce is NOT gander sauce! NOT! Mmm, delicious spook sauce.