ENTRIES TAGGED "security"

Four short links: 28 April 2014

Retail Student Data, Hacking Hospitals, Testing APIs, and Becoming Superhuman

  1. UK Government to Sell Its Students’ Data (Wired UK) — The National Pupil Database (NPD) contains detailed information about pupils in schools and colleges in England, including test and exam results, progression at each key stage, gender, ethnicity, pupil absence and exclusions, special educational needs, first language. The UK is becoming patient zero for national data self-harm.
  2. It’s Insanely Easy to Hack Hospital Equipment (Wired) — Erven won’t identify specific product brands that are vulnerable because he’s still trying to get some of the problems fixed. But he said a wide cross-section of devices shared a handful of common security holes, including lack of authentication to access or manipulate the equipment; weak passwords or default and hardcoded vendor passwords like “admin” or “1234”; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.
  3. Postman — API testing tool.
  4. App Controlled Hearing Aid Improves Even Normal Hearing (NYTimes) — It’s only a slight exaggeration to say that the latest crop of advanced hearing aids are better than the ears most of us were born with. Human augmentation with software and hardware.

iBeacons, privacy, and security

The technology is at risk of dying off — and that would be a shame.

iBeacons and various BLE technologies have the potential to shake up many established ways of doing business by streamlining interactions. Although there are potentially many uses for iBeacons, much of the initial discussion has focused on retail. (I’ll follow up with some examples of iBeacon applications outside retail in a future post.)

As I described in my initial post in this series, all an iBeacon does is send out advertisement packets. iBeacon transmissions let a receiver perform two tasks: uniquely identify what things they are near and estimate the distance to them. With such a simple protocol, iBeacons cannot:

  • Receive anything. (Many iBeacon devices will have two-way Bluetooth interfaces so they can receive configurations, but the iBeacon specification does not require reception.)
  • Report on clients they have seen. Wi-Fi based proximity systems use transmissions from mobile devices to uniquely identify visitors to a space. If you take a smartphone into an area covered by a Wi-Fi proximity system, you can be uniquely identified. Because an iBeacon is only a transmitter, it does not receive Bluetooth messages from mobile devices to uniquely identify visitors.

Four short links: 22 April 2014

In-Browser Data Filtering, Alternative to OpenSSL, Game Mechanics, and Selling Private Data

  1. PourOver — NYT open source Javascript for very fast in-browser filtering and sorting of large collections.
  2. LibreSSL — OpenBSD take on OpenSSL. Unclear how sustainable this effort is, or how well adopted it will be. Competing with OpenSSL is obviously an alternative to tackling the OpenSSL sustainability question by funding and supporting the existing OpenSSL team.
  3. Game Mechanic Explorer — helps learners by turning what they see in games into the simple code and math that makes it happen.
  4. HMRC to Sell Taxpayers’ Data (The Guardian) — between this and the UK govt’s plans to sell patient healthcare data, it’s clear that the new government question isn’t whether data have value, but rather whether the collective has the right to retail the individual’s privacy.

Four short links: 15 April 2014

Open Access, Lego Scanner, Humans Return, and Designing Security into IoT

  1. Funders Punish Open Access Dodgers (Nature) — US’s NIH and UK’s Wellcome Trust are withholding funding from academics who haven’t released their data despite it being a condition of past funding. It’s open access’s grab twist and pull move.
  2. Digitize Books with Mindstorms and Raspberry Pi — Lego to turn the page, Pi to take photo.
  3. Humans Steal Jobs from Robots at Toyota (Bloomberg) — Toyota’s next step forward is counter-intuitive in an age of automation: Humans are taking the place of machines in plants across Japan so workers can develop new skills and figure out ways to improve production lines and the car-building process.
  4. Implementer’s Guide to Security for Internet of Things, Devices and Beyond (PDF) — This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle.

Security and the Internet of stuff in your life

The IoT isn't just a new attack surface to get into your enterprise — it's giving the Internet eyes and arms.

Your computer is important. It has access to your Amazon account, probably your bank, your tax returns, and maybe even your medical records. It’s scary when it gets pwned, and it gets pwned regularly because it’s essentially impossible to fully secure a general purpose computing device. But the good news is that, at least for now, your computer can’t climb up the stairs and bludgeon you to death in your sleep. The things it manipulates are important to you, but they are (mostly) contained in the abstract virtual realm of money and likes.

The Internet of Things is different. We are embarking on an era where the things we own will be as vulnerable as our PCs, but now they interact with the real world via sensors and actuators. They have eyes and arms, and some of them in the not-too-distant future really will be able to climb the stairs and punch you in the face.

This piece from the New York Times has been getting some attention because it highlights how smart things represent an increased attack surface for infiltration. It views smart devices as springboards into an enterprise rather than the object of the attack, and that will certainly be true in many cases.

Four short links: 7 April 2014

Four short links: 7 April 2014

Auto Ethics, Baio on Medium, Internet of Insecure Things, New Unlicensed Spectrum

  1. Can We Design Systems to Automate Ethics — code in self-driving cars will implement a solution to the trolley problem. But which solution?
  2. My First Post on Medium (Andy Baio) — one or two glitches but otherwise fine demonstration of what’s possible with Medium.
  3. SCADA Vulnerability: 7600 Plants at Risk (BBC) — the vulnerabilities are in unpatched Centum CS 3000 software. The real business for IoT is secure remote updates and monitoring. (via Slashdot)
  4. New Unlicensed Spectrum — The unanimous vote frees up 100 MHz of airwaves in the lower part of 5 GHz spectrum band. Previously, the FCC reserved those airwaves for exclusive use by a satellite phone company. The FCC vote opens those unlicensed airwaves so they can be used by consumer electronics equipment, including Wi-Fi routers. With the new airwaves, Wi-Fi equipment can handle more traffic at higher speeds.

Pursuing adoption of free and open source software in governments

LibrePlanet explores hopes and hurdles.

Free and open source software creates a natural — and even necessary — fit with government. I joined a panel this past weekend at the Free Software Foundation conference LibrePlanet on this topic and have covered it previously in a journal article and talk. Our panel focused on barriers to its adoption and steps that free software advocates could take to reach out to government agencies.

LibrePlanet itself is a unique conference: a techfest with mission — an entirely serious, feasible exploration of a world that could be different. Participants constantly ask: how can we replace the current computing environment of locked-down systems, opaque interfaces, intrusive advertising-dominated services, and expensive communications systems with those that are open and free? I’ll report a bit on this unusual gathering after talking about government.

Four short links: 20 March 2014

Four short links: 20 March 2014

Smart Objects, Crypto Course, Culture Design, and Security v Usability

  1. Smart Interaction Lab — some interesting prototyping work designing for smart objects.
  2. Crypto 101 — self-directed crypto instruction. (via BoingBoing)
  3. Chipotle Culture — interesting piece on Chipotle’s approach to building positive feedback loops around training. Reminded me of Ben Horowitz’s “Why You Should Train Your People”.
  4. Keybase.io Writeup (Tim Bray) — Tim’s right that removing the centralised attack point creates a usability problem. Systems that are hardest to attack are also the ones that are hardest for Normal People to use. (Can I coin this as the Torkington Conjecture, with the corollary that sufficiently stupid users are indistinguishable from intelligent attackers?)

Four short links: 17 March 2014

Wireframe Quiz, Business Values, Mobile Dev, and the Bad Guy Mindset

  1. De-Design the Web — quiz, can you recognise common websites from just their wireframes? For the non-designer (like myself) it’s a potent reminder of the power of design. Design’s front of mind as we chew on the Internet of Affordances. (via USvsTHEM)
  2. Words I Hold Dear (Slideshare) — short but effective presentation on values in business. If you are confident that you can bear responsibility, and will not do anything immoral, illegal, or unethical, then it is not too hard to choose the path that promises the most adventure.
  3. Android Development for iOS Devs — in case you had forgotten that developing for multiple mobile platforms is like a case of fire-breathing butt warts. (not good)
  4. The World Through the Eyes of Hackers (PDF) — I’ve long thought that the real problem is that schools train subordinates to meet expectations and think like a Nice Person, but defence is only possible when you know how to break expectations and think like a Bad Guy.

Four short links: 11 March 2014

Game Analysis, Brave New (Disney)World, Internet of Deadly Things, and Engagement vs Sharing

  1. In-Game Graph Analysis (The Economist) — one MLB team has bought a Cray Urika graph-processing appliance for in-game analysis of data. Please hold, boggling. (via Courtney Nash)
  2. Disney Bets $1B on Technology (BusinessWeek) — MyMagic+ promises far more radical change. It’s a sweeping reservation and ride planning system that allows for bookings months in advance on a website or smartphone app. Bracelets called MagicBands, which link electronically to an encrypted database of visitor information, serve as admission tickets, hotel keys, and credit or debit cards; a tap against a sensor pays for food or trinkets. The bands have radio frequency identification (RFID) chips—which critics derisively call spychips because of their ability to monitor people and things. (via Jim Stogdill)
  3. Stupid Smart Stuff (Don Norman) — In the airplane, the pilots are not attending, but when trouble does arise, the extremely well-trained pilots have several minutes to respond. In the automobile, when trouble arises, the ill-trained drivers will have one or two seconds to respond. Automobile designers – and law makers – have ignored this information.
  4. What You Think You Know About the Web Is Wrong — Chartbeat looked at deep user behavior across 2 billion visits across the web over the course of a month and found that most people who click don’t read. In fact, a stunning 55% spent fewer than 15 seconds actively on a page. The stats get a little better if you filter purely for article pages, but even then one in every three visitors spend less than 15 seconds reading articles they land on. The entire article makes some powerful points about the difference between what’s engaged with and what’s shared. Articles that were clicked on and engaged with tended to be actual news. In August, the best performers were Obamacare, Edward Snowden, Syria and George Zimmerman, while in January the debates around Woody Allen and Richard Sherman dominated. The most clicked on but least deeply engaged-with articles had topics that were more generic. In August, the worst performers included Top, Best, Biggest, Fictional etc while in January the worst performers included Hairstyles, Positions, Nude and, for some reason, Virginia. That’s data for you.