"security" entries

The Intimacy of Things

At what layer do we build privacy into the fabric of devices?

Sign up to attend Solid 2015 to explore the convergence of privacy, security, and the Internet of Things.

In 2011, Kashmir Hill, Gizmodo and others alerted us to a privacy gaffe made by Fitbit, a company that makes small devices to help people keep track of their fitness activities. It turns out that Fitbit broadcast the sexual activity of quite a few of their users. Realizing this might not sit well with those users, Fitbit took swift action to remove the search hits, the data, and the identities of those affected. Fitbit, like many other companies, believed that all the data they gathered should be public by default. Oops.

Does anyone think this is the last time such a thing will happen?

Fitness data qualifies as “personal,” but sexual data is clearly in the realm of the “intimate.” It might seem like semantics, but the difference is likely to be felt by people in varying degrees. The theory of contextual integrity says that we feel violations of our privacy when informational contexts are unexpectedly or undesirably crossed. Publicizing my latest workout: good. Publicizing when I’m in flagrante delicto: bad. This episode neatly exemplifies how devices are entering spaces where they’ve not tread before, physically and informationally.

Keep me safe

Security is at the heart of the web.

Locks image: CC BY 2.0 Mike Baird https://www.flickr.com/photos/mikebaird/2354116406/ via Flickr

We want to share. We want to buy. We want help. We want to talk.

At the end of the day, though, we want to be able to go to sleep without worrying that all of those great conversations on the open web will endanger the rest of what we do.

Making the web work has always been a balancing act between enabling and forbidding, remembering and forgetting, and public and private. Managing identity, security, and privacy has always been complicated, both because of the challenges in each of those pieces and the tensions among them.

Complicating things further, the web has succeeded in large part because people — myself included — have been willing to lock their paranoias away so long as nothing too terrible happened.

I talked for years about expecting that the NSA was reading all my correspondence, but finding out that yes, indeed they were filtering pretty much everything, opened the door to a whole new set of conversations and concerns about what happens to my information. I made my home address readily available in an IETF RFC document years ago. In an age of doxxing and SWATting, I wonder whether I was smart to do that. As the costs move from my imagination to reality, it’s harder to keep the door to my paranoia closed.

Four short links: 5 February 2015

Mobile Supply Chain, Regulating the Interwebs, Meh MOOCs, and Security School

  1. The Home and the Mobile Supply Chain (Benedict Evans) — the small hardware start-up, and the cool new gizmos from drones to wearables, are possible because of the low price of components built at the scale required for Apple and other mobile device makers. (via Matt Webb)
  2. FCC Chairman Wheeler Proposes New Rules for Protecting the Open Internet (PDF) — America may yet have freedom. No blocking, no throttling, no paid prioritisation.
  3. The Future of College (Bill Gates) — The MOOC, by itself, doesn’t really change things, except for the very most motivated student. HALLELUJAH!
  4. Breaker 101 — 12-week online security course. $1,750 (cue eyes water). Putting the hacker back in hacker schools …

Four short links: 2 February 2015

Weather Forecasting, Better Topic Modelling, Cyberdefense, and Facebook Warriors

  1. Global Forecast System — National Weather Service open sources its weather forecasting software. Hope you have a supercomputer and all the data to make use of it …
  2. High-reproducibility and high-accuracy method for automated topic classification — Latent Dirichlet allocation (LDA) is the state of the art in topic modeling. Here, we perform a systematic theoretical and numerical analysis that demonstrates that current optimization techniques for LDA often yield results that are not accurate in inferring the most suitable model parameters. Adapting approaches from community detection in networks, we propose a new algorithm that displays high reproducibility and high accuracy and also has high computational efficiency. We apply it to a large set of documents in the English Wikipedia and reveal its hierarchical structure.
  3. Army Open Sources Cyberdefense Code — git push is the new “for immediate release”.
  4. British Army Creates Team of Facebook Warriors (The Guardian) — no matter how much I know the arguments for it, it still feels vile.

Four short links: 29 January 2015

Security Videos, Network Simulation, UX Book, and Profit in Perspective

  1. ShmooCon 2015 Videos — videos of the security talks from ShmooCon 2015.
  2. Comcast (Github) — Comcast is a tool designed to simulate common network problems like latency, bandwidth restrictions, and dropped/reordered/corrupted packets. On BSD-derived systems such as OSX, we use tools like ipfw and pfctl to inject failure. On Linux, we use iptables and tc. Comcast is merely a thin wrapper around these controls.
  3. The UX Reader — This ebook is a collection of the most popular articles from our [MailChimp] UX Newsletter, along with some exclusive content.
  4. Bad Assumptions — Apple lost more money to currency fluctuations than Google makes in a quarter.

Four short links: 19 January 2015

Going Offline, AI Ethics, Human Risks, and Deep Learning

  1. Reset (Rowan Simpson) — It was a bit chilling to go back over a whole year’s worth of tweets and discover how many of them were just junk. Visiting the water cooler is fine, but somebody who spends all day there has no right to talk of being full.
  2. Google’s AI Brain — on the subject of Google’s AI ethics committee … Q: Will you eventually release the names? A: Potentially. That’s something also to be discussed. Q: Transparency is important in this too. A: Sure, sure. Such reassuring.
  3. AVA is now Open Source (Laura Bell) — Assessment, Visualization and Analysis of human organisational information security risk. AVA maps the realities of your organisation, its structures and behaviors. This map of people and interconnected entities can then be tested using a unique suite of customisable, on-demand, and scheduled information security awareness tests.
  4. Deep Learning for Torch (Facebook) — Facebook AI Research open sources faster deep learning modules for Torch, a scientific computing framework with wide support for machine learning algorithms.

Four short links: 16 January 2015

RF Snooping, Class and Tech, Nuclear Option, and Carbon Fibre

  1. It’s Getting Easier for Hackers to Spy on Your Computer When It’s Offline (Vice) — surprisingly readable coverage of determining computer activity from RF signals.
  2. An Old Fogey’s Analysis of a Teenager’s View on Social Media — Teens’ use of social media is significantly shaped by race and class, geography, and cultural background.
  3. Putting the Nuclear Option Front and Centre (Tom Armitage) — offering what feels like the nuclear option front and centre, reminding the user that it isn’t a nuclear option. I love this. “Undo” changes your experience profoundly.
  4. 3D-Printing Carbon Fibre (Makezine) — the machine doesn’t produce angular, stealth fighter-esque pieces with the telltale CF pattern seen on racing bikes and souped up Mustangs. Instead, it creates an FDM 3D print out of nylon filament (rather than ABS or PLA), and during the process it layers in a thin strip of carbon fiber, melted into place from carbon fiber fabric using a second extruder head. (It can also add in kevlar or fiberglass.)

Four short links: 15 January 2015

Secure Docker Deployment, Devops Identity, Graph Processing, and Hadoop Alternative

  1. Docker Secure Deployment Guidelines — deployment checklist for securely deploying Docker.
  2. The Devops Identity Crisis (Baron Schwartz) — I saw one framework-retailing bozo saying that devops was the art of ensuring there were no flaws in software. I didn’t know whether to cry or keep firing until the gun clicked.
  3. Apache Giraph — an iterative graph processing system built for high scalability. For example, it is currently used at Facebook to analyze the social graph formed by users and their connections.
  4. Apache Flink — a data processing system and an alternative to Hadoop’s MapReduce component. It comes with its own runtime, rather than building on top of MapReduce. As such, it can work completely independently of the Hadoop ecosystem. However, Flink can also access Hadoop’s distributed file system (HDFS) to read and write data, and Hadoop’s next-generation resource manager (YARN) to provision cluster resources. Since most Flink users are using Hadoop HDFS to store their data, we ship already the required libraries to access HDFS.

Security comes from evolution, not revolution

The O'Reilly Radar Podcast: Mike Belshe on making bitcoin secure and easy enough for the mainstream.

Editor’s note: you can subscribe to the O’Reilly Radar Podcast through iTunes, SoundCloud, or directly through our podcast’s RSS feed.

In this week’s O’Reilly Radar Podcast episode, I caught up with Mike Belshe, CTO and co-founder of BitGo, a company that has developed a multi-signature wallet that works with bitcoin. Belshe talks about the security issues addressed by multi-signature wallets, how the technology works, and the challenges in bringing cryptocurrencies mainstream. We also talk about his journey into the bitcoin world, and he chimes in on what money will look like in the future. Belshe will address the topics of security and multi-signature technology at our upcoming Bitcoin & the Blockchain Radar Summit on January 27, 2015, in San Francisco — for more on the program and registration information, visit our Bitcoin & the Blockchain website.

Multi-signature technology is exactly what it sounds like: instead of authorizing bitcoin transactions with a single signature and a single key (the traditional method), it requires multiple signatures and/or multiple machines — and any combination thereof. The concept initially was developed as a solution for malware. Belshe explains:

“I’m fully convinced that the folks who have been writing various types of malware that steal fairly trivial identity information — logins and passwords that they sell super cheap — they are retooling their viruses, their scanners, their key loggers for bitcoin. We’ve seen evidence of that over the last 12 months, for sure. Without multi-signature, if you do a bitcoin transaction on a machine that’s got any of this bad stuff on it, you’re pretty much toast. Multi-signature was my hope to fix that. What we do is make one signature happen on the server machine, one signature happen on the client machine, your home machine. That way the attacker has to actually compromise two totally different systems in order to steal your bitcoin. That’s what multi-signature is about.”

Four short links: 13 January 2015

Slack Culture, Visualizations of Text Analysis, Wearables and Big Data, and Snooping on Keyboards

  1. Building the Workplace We Want (Slack) — culture is the manifestation of what your company values. What you reward, who you hire, how work is done, how decisions are made — all of these things are representations of the things you value and the culture you’ve wittingly or unwittingly created. Nice (in the sense of small, elegant) explanation of what they value at Slack.
  2. Interpretation and Trust: Designing Model-Driven Visualizations for Text Analysis (PDF) — Based on our experiences and a literature review, we distill a set of design recommendations and describe how they promote interpretable and trustworthy visual analysis tools.
  3. The Internet of Things Has Four Big Data Problems (Alistair Croll) — What the IoT needs is data. Big data and the IoT are two sides of the same coin. The IoT collects data from myriad sensors; that data is classified, organized, and used to make automated decisions; and the IoT, in turn, acts on it. It’s precisely this ever-accelerating feedback loop that makes the coin as a whole so compelling. Nowhere are the IoT’s data problems more obvious than with that darling of the connected tomorrow known as the wearable. Yet, few people seem to want to discuss these problems.
  4. Keysweeper — a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs, and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity. Designs and demo videos included.