"security" entries

Four short links: 30 December 2015

Four short links: 30 December 2015

Bitcoin Patents, Wall-Climbing Robot, English 2 Code, and Decoding USB

  1. Bank of America Loading up on Bitcoin PatentsThe wide-ranging patents cover everything from a “cryptocurrency transaction payment system” which would let users make transactions using cryptocurrency, to risk detection, storing cryptocurrencies offline, and using the blockchain to measure fraudulent activity.
  2. Vertigo: A Wall-Climbing Robot (Disney Research) — watch the video. YOW! (via David Pescovitz)
  3. Synthesizing What I MeanIn this paper, we describe SWIM, a tool which suggests code snippets given API-related natural language queries.
  4. serialusb — this is how you decode USB protocols.
Comment
Four short links: 29 December 2015

Four short links: 29 December 2015

Security Talks, Multi-Truth Discovery, Math Books, and Geek Cultures

  1. 2015 CCC Videos — collected talks from the 32nd Chaos Computer Congress conference.
  2. An Integrated Bayesian Approach for Effective Multi-Truth Discovery (PDF) — Integrating data from multiple sources has been increasingly becoming commonplace in both Web and the emerging Internet of Things (IoT) applications to support collective intelligence and collaborative decision-making. Unfortunately, it is not unusual that the information about a single item comes from different sources, which might be noisy, out-of-date, or even erroneous. It is therefore of paramount importance to resolve such conflicts among the data and to find out which piece of information is more reliable.
  3. Direct Links to Free Springer Books — Springer released a lot of math books.
  4. A Psychological Exploration of Engagement in Geek CultureSeven studies (N = 2354) develop the Geek Culture Engagement Scale (GCES) to quantify geek engagement and assess its relationships to theoretically relevant personality and individual differences variables. These studies present evidence that individuals may engage in geek culture in order to maintain narcissistic self-views (the great fantasy migration hypothesis), to fulfill belongingness needs (the belongingness hypothesis), and to satisfy needs for creative expression (the need for engagement hypothesis). Geek engagement is found to be associated with elevated grandiose narcissism, extraversion, openness to experience, depression, and subjective well-being across multiple samples.
Comment
Four short links: 22 December 2015

Four short links: 22 December 2015

Machine Poetry, Robo Script Kiddies, Big Data of Love, and Virtual Currency and the Nation State

  1. How Machines Write PoetryHarmon would love to have writers or other experts judge FIGURE8’s work, too. Her online subjects tended to rate the similes better if they were obvious. “The snow continued like a heavy rain” got high scores, for example, even though Harmon thought this was quite a bad effort on FIGURE8’s part. She preferred “the snow falls like a dead cat,” which got only middling ratings from humans. “They might have been cat lovers,” she says. FIGURE8 (PDF) system generates figurative language.
  2. The Decisions the Pentagon Wants to Leave to Robots“You cannot have a human operator operating at human speed fighting back at determined cyber tech,” Work said. “You are going to need have a learning machine that does that.” I for one welcome our new robot script kiddie overlords.
  3. Love in the Age of Big DataOver decades, John has observed more than 3,000 couples longitudinally, discovering patterns of argument and subtle behaviors that can predict whether a couple would be happily partnered years later or unhappy or divorced. Turns out, “don’t be a jerk” is good advice for marriages, too. (via Cory Doctorow)
  4. National Security Implications of Virtual Currency (PDF) — Rand research report examining the potential for non-state actor deployment.
Comment
Four short links: 21 December 2015

Four short links: 21 December 2015

Anomaly Detection, Contempt Culture, Deep Learning Robot, and Compromised Firewalls

  1. Bro — open source intrusion and anomaly detection service, turns everything into events that you can run scripts against. Good pedigree (Vern Paxson, a TCP/IP elder god) despite the wince-inducing name (at least it isn’t “brah”).
  2. Contempt Culture (Aurynn) — for a culture that now prides itself on continuous improvement and blameless post-mortems and so on, we’re blind to a contempt culture that produces cults of criticism like “PHP isn’t a real programming language,” etc., where the targets of the criticism are pathways disproportionately taken by women and minorities. I’m embarrassed by how much of 2001-era Nat I recognise in Aurynn’s description.
  3. Deep Learning RobotBuilt for advanced research in robotics and artificial intelligence (deep learning). Pre-installed Google TensorFlow, Robot Operating System (ROS), Caffe, Torch, Theano, CUDA, and cuDNN.
  4. Juniper ScreenOS Backdoor — here’s the ssh password that’ll get you into any unpatched Juniper firewall, courtesy a backdoor that will be keeping network admins and CEOs alike awake and unhappy around the world. The interesting analysis with long-term effects will be “how the hell did it get in there?”
Comment: 1
Four short links: 18 December 2015

Four short links: 18 December 2015

Malicious Traffic, Visual Analysis, C History, and Immersive Gaming

  1. Maltraila malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists[…]. Also, it has (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware). (via Nick Galbreath)
  2. Vega-Litehigh-level grammar for visual analysis, built on top of Vega. (via Curran Kelleher)
  3. C History — Dennis Ritchie’s 1993 notes on the history of the C programming language explains the origins of a.out and arrays as pointers, and has a reminder of how tight those systems were: Of the 24K bytes of memory on the machine, the earliest PDP-11 Unix system used 12K bytes for the operating system, a tiny space for user programs, and the remainder as a RAM disk.
  4. Zero Latency — immersive gaming with Oculus headsets. Detailed and positive.
Comment
Four short links: 15 December 2015

Four short links: 15 December 2015

Barbie Broken, JSON Database, Lightbulb DRM, and Graph Database

  1. Crypto is Hard says Hello BarbieWe discovered several issues with the Hello Barbie app including: it utilizes an authentication credential that can be re-used by attackers; it connects a mobile device to any unsecured Wi-Fi network if it has “Barbie” in the name; it shipped with unused code that serves no function but increases the overall attack surface. On the server side, we also discovered: client certificate authentication credentials can be used outside of the app by attackers to probe any of the Hello Barbie cloud servers; the ToyTalk server domain was on a cloud infrastructure susceptible to the POODLE attack. (via Ars Technica)
  2. Kinto — Mozilla’s open source lightweight JSON storage service with synchronisation and sharing abilities. It is meant to be easy to use and easy to self-host.
  3. Philips Blocks 3rd Party Lightbulbs — DRM for light fixtures. cf @internetofsh*t
  4. gaffer — GCHQ-released open source graph database. …a framework that makes it easy to store large-scale graphs in which the nodes and edges have statistics such as counts, histograms, and sketches. These statistics summarise the properties of the nodes and edges over time windows, and they can be dynamically updated over time. Gaffer is a graph database, rather than a graph processing system. It is optimised for retrieving data on nodes of interest. IHNJH,IJLTS “nodes of interest.”
Comment
Four short links: 14 December 2015

Four short links: 14 December 2015

Design for the Surveilled, Concept Learning, Media Access, and Programming Challenges

  1. Please Stop Making Secure Messaging Systems — how to design for the surveilled, and the kinds of tools they need BEYOND chat.
  2. Human Level Concept Learning through Probabilistic Program Induction — paper and source code for the nifty “learn handwriting from one example” paper that’s blowing minds.
  3. Access Denied (The Awl) — media had power because they had an audience, but social media gives celebrities, sports people, and politicians a bigger audience than media outlets. So, the media outlets aren’t needed, and consequently, they’re losing “access.” A reporter that depends on access to a compelling subject is by definition a reporter compromised. A publication that depends on cooperation from the world that it specializes in is likewise giving up something in terms of its ability to tell the truth about it. And nearly the entire media as it exists today is built around these negotiations.
  4. Stockfightera series of free, fun programming challenges […] suitable for programmers at all experience levels.
Comment
Four short links: 10 December 2015

Four short links: 10 December 2015

Reactive Programming Theory, Attacking HTTP/2, Distributed Systems Explainer, and Auto Futures

  1. Distributed Reactive Programming (A Paper a Day) — this week’s focus on reactive programming has been eye-opening for me. I find the implementation details less interesting than the simple notion that we can define different consistency models for reactive programs and reason about them.
  2. Attacking HTTP/2 ImplementationsOur talk focused on threats, attack vectors, and vulnerabilities found during the course of our research. Two Firefox, two Apache Traffic Server (ATS), and four Node-http2 vulnerabilities will be discussed alongside the release of the first public HTTP/2 fuzzer. We showed how these bugs were found, their root cause, why they occur, and how to trigger them.
  3. What We Talk About When We Talk About Distributed Systems — a great intro/explainer to the different concepts in distributed systems.
  4. The Autonomous Winter is ComingThe future of any given manufacturer will be determined by how successfully they manage their brands in a market split between Mobility customers and Driving customers.
Comment
Four short links: 8 December 2015

Four short links: 8 December 2015

Open Source ZeroDB, HTTP Statuses, Project Activity, and Database Readings

  1. ZeroDB is Open Source — end-to-end encrypted database goes open source (AGPL, *ptui*).
  2. Choosing an HTTP Status Code — or “an alternative to engineers duelling.”
  3. Open Source Monthly — views of open source projects through their GitHub activity.
  4. Readings in Database Science (5ed) — HTML and PDF versions of the papers.
Comment: 1
Four short links: 7 December 2015

Four short links: 7 December 2015

Telepresent Axeman, Toxic Workers, Analysis Code, and Cryptocurrency Attacks

  1. Axe-Wielding Robot w/Telepresence (YouTube) — graphic robot-on-wall action at 2m30s. (via IEEE)
  2. Toxic Workers (PDF) — In comparing the two costs, even if a firm could replace an average worker with one who performs in the top 1%, it would still be better off by replacing a toxic worker with an average worker by more than two-to-one. Harvard Business School research. (via Fortune)
  3. Replacing Sawzall (Google) — At Google, most Sawzall analysis has been replaced by Go […] we’ve developed a set of Go libraries that we call Lingo (for Logs in Go). Lingo includes a table aggregation library that brings the powerful features of Sawzall aggregation tables to Go, using reflection to support user-defined types for table keys and values. It also provides default behavior for setting up and running a MapReduce that reads data from the logs proxy. The result is that Lingo analysis code is often as concise and simple as (and sometimes simpler than) the Sawzall equivalent.
  4. Attacks in the World of Cryptocurrency — a review of some of the discussed weakness, attacks, or oddities in cryptocurrency (esp. bitcoin).
Comment