- Reverse Engineering for Beginners (GitHub) — from assembly language through stack overflows, dongles, and more.
- Incident Response at Heroku — the difference between good and bad shops is that good shops have a routine for exceptions.
- 3D Petrie Museum — The Petrie Museum of Egyptian Archaeology has one of the largest ancient Egyptian and Sudanese collections in the world and they’ve put 3D models of their goods online. Not (yet) available for download, only viewing which seem a bug.
- Sandy Pentland on Wearables (The Verge) — Pentland was also Nathan Eagle’s graduate advisor, and behind the Reality Mining work at MIT. Check out his sociometer: One study revealed that the sociometer helps discern when someone is bluffing at poker roughly 70 percent of the time; another found that a wearer can determine who will win a negotiation within the first five minutes with 87 percent accuracy; yet another concluded that one can accurately predict the success of a speed date before the participants do.
ENTRIES TAGGED "security"
All trust is misplaced. And that's probably the way it should be.
In the wake of Heartbleed, there’s been a chorus of “you can’t trust open source! We knew it all along.”
It’s amazing how short memories are. They’ve already forgotten Apple’s GOTO FAIL bug, and their sloppy rollout of patches. They’ve also evidently forgotten weaknesses intentionally inserted into commercial security products at the request of certain government agencies. It may be more excusable that they’ve forgotten hundreds, if not thousands, of Microsoft vulnerabilities over the years, many of which continue to do significant harm.
Yes, we should all be a bit spooked by Heartbleed. I would be the last person to argue that open source software is flawless. As Eric Raymond said, “With enough eyes, all bugs are shallow,” and Heartbleed was certainly shallow enough, once those eyes saw it. Shallow, but hardly inconsequential. And even enough eyes can have trouble finding bugs in a rat’s nest of poorly maintained code. The Core Infrastructure Initiative, which promises to provide better funding (and better scrutiny) for mission-critical projects such as OpenSSL, is a step forward, but it’s not a magic bullet that will make vulnerabilities go away.
The technology is at risk of dying off — and that would be a shame.
iBeacons and various BLE technologies have the potential to shake up many established ways of doing business by streamlining interactions. Although there are potentially many uses for iBeacons, much of the initial discussion has focused on retail. (I’ll follow up with some examples of iBeacon applications outside retail in a future post.)
As I described in my initial post in this series, all an iBeacon does is send out advertisement packets. iBeacon transmissions let a receiver perform two tasks: uniquely identify what things they are near and estimate the distance to them. With such a simple protocol, iBeacons cannot:
- Receive anything. (Many iBeacon devices will have two-way Bluetooth interfaces so they can receive configurations, but the iBeacon specification does not require reception.)
- Report on clients they have seen. Wi-Fi based proximity systems use transmissions from mobile devices to uniquely identify visitors to a space. If you take a smartphone into an area covered by a Wi-Fi proximity system, you can be uniquely identified. Because an iBeacon is only a transmitter, it does not receive Bluetooth messages from mobile devices to uniquely identify visitors.
The IoT isn't just a new attack surface to get into your enterprise — it's giving the Internet eyes and arms.
Your computer is important. It has access to your Amazon account, probably your bank, your tax returns, and maybe even your medical records. It’s scary when it gets pwnd, and it gets pwned regularly because it’s essentially impossible to fully secure a general purpose computing device. But the good news is that, at least for now, your computer can’t climb up the stairs and bludgeon you to death in your sleep. The things it manipulates are important to you, but they are (mostly) contained in the abstract virtual realm of money and likes.
The Internet of Things is different. We are embarking on an era where the things we own will be as vulnerable as our PCs, but now they interact with the real world via sensors and actuators. They have eyes and arms, and some of them in the not-too-distant future really will be able to climb the stairs and punch you in the face.
This piece from the New York Times has been getting some attention because it highlights how smart things represent an increased attack surface for infiltration. It views smart devices as springboards into an enterprise rather than the object of the attack, and that will certainly be true in many cases. Read more…