ENTRIES TAGGED "security"

Four short links: 13 May 2014

Four short links: 13 May 2014

Reverse Engineering, Incident Response, 3D Museum, and Social Prediction

  1. Reverse Engineering for Beginners (GitHub) — from assembly language through stack overflows, dongles, and more.
  2. Incident Response at Heroku — the difference between good and bad shops is that good shops have a routine for exceptions.
  3. 3D Petrie MuseumThe Petrie Museum of Egyptian Archaeology has one of the largest ancient Egyptian and Sudanese collections in the world and they’ve put 3D models of their goods online. Not (yet) available for download, only viewing which seem a bug.
  4. Sandy Pentland on Wearables (The Verge) — Pentland was also Nathan Eagle’s graduate advisor, and behind the Reality Mining work at MIT. Check out his sociometer: One study revealed that the sociometer helps discern when someone is bluffing at poker roughly 70 percent of the time; another found that a wearer can determine who will win a negotiation within the first five minutes with 87 percent accuracy; yet another concluded that one can accurately predict the success of a speed date before the participants do.
Comment
Four short links: 12 May 2014

Four short links: 12 May 2014

Design Review, Open Source IDS, Myths of Autonomy, and Rich Text Widget

  1. Questions I Ask When Reviewing a Design (Jason Fried) — a good list of questions to frown and stroke one’s chin while asking.
  2. Bro — open source network security monitor/IDS.
  3. Seven Deadly Myths of Autonomy (PDF) — it’s easy to fall prey to the fallacy that automated assistance is a simple substitute or multiplier of human capability because, from the point of view of an outsider observing the assisted human, it seems that—in successful cases, at least—the people are able to perform the task faster or better than they could without help. In reality, however, help of whatever kind doesn’t simply enhance our abilities to perform the task: it changes the nature of the task.
  4. Quill — open source in-browser rich text editor. People, while you keep making me type into naked TEXTBOX fields, I’m going to keep posting links to these things.
Comment
Four short links: 9 May 2014

Four short links: 9 May 2014

Hardening Android, Samsung Connivery, Scalable WebSockets, and Hardware Machine Learning

  1. Hardening Android for Security and Privacy — a brilliant project! prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently.
  2. The Great Smartphone War (Vanity Fair) — “I represented [the Swedish telecommunications company] Ericsson, and they couldn’t lie if their lives depended on it, and I represented Samsung and they couldn’t tell the truth if their lives depended on it.” That’s the most catching quote, but interesting to see Samsung’s patent strategy described as copying others, delaying the lawsuits, settling before judgement, and in the meanwhile ramping up their own innovation. Perhaps the other glory part is the description of Samsung employee shredding and eating incriminating documents while stalling lawyers out front. An excellent read.
  3. socketclusterhighly scalable realtime WebSockets based on Engine.io. They have screenshots of 100k messages/second on an 8-core EC2 m3.2xlarge instance.
  4. Machine Learning on a Board — everything good becomes hardware, whether in GPUs or specialist CPUs. This one has a “Machine Learning Co-Processor”. Interesting idea, to package up inputs and outputs with specialist CPU, but I wonder whether it’s a solution in search of a problem. (via Pete Warden)
Comment: 1

Heartbleed’s lessons

All trust is misplaced. And that's probably the way it should be.

In the wake of Heartbleed, there’s been a chorus of “you can’t trust open source! We knew it all along.”

It’s amazing how short memories are. They’ve already forgotten Apple’s GOTO FAIL bug, and their sloppy rollout of patches. They’ve also evidently forgotten weaknesses intentionally inserted into commercial security products at the request of certain government agencies. It may be more excusable that they’ve forgotten hundreds, if not thousands, of Microsoft vulnerabilities over the years, many of which continue to do significant harm.

Yes, we should all be a bit spooked by Heartbleed. I would be the last person to argue that open source software is flawless. As Eric Raymond said, “With enough eyes, all bugs are shallow,” and Heartbleed was certainly shallow enough, once those eyes saw it. Shallow, but hardly inconsequential. And even enough eyes can have trouble finding bugs in a rat’s nest of poorly maintained code. The Core Infrastructure Initiative, which promises to provide better funding (and better scrutiny) for mission-critical projects such as OpenSSL, is a step forward, but it’s not a magic bullet that will make vulnerabilities go away.

Read more…

Comments: 5
Four short links: 28 April 2014

Four short links: 28 April 2014

Retail Student Data, Hacking Hospitals, Testing APIs, and Becoming Superhuman

  1. UK Government to Sell Its Students’ Data (Wired UK) — The National Pupil Database (NPD) contains detailed information about pupils in schools and colleges in England, including test and exam results, progression at each key stage, gender, ethnicity, pupil absence and exclusions, special educational needs, first language. The UK is becoming patient zero for national data self-harm.
  2. It’s Insanely Easy to Hack Hospital Equipment (Wired) — Erven won’t identify specific product brands that are vulnerable because he’s still trying to get some of the problems fixed. But he said a wide cross-section of devices shared a handful of common security holes, including lack of authentication to access or manipulate the equipment; weak passwords or default and hardcoded vendor passwords like “admin” or “1234″; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.
  3. Postman — API testing tool.
  4. App Controlled Hearing Aid Improves Even Normal Hearing (NYTimes) — It’s only a slight exaggeration to say that the latest crop of advanced hearing aids are better than the ears most of us were born with. Human augmentation with software and hardware.
Comment

iBeacons, privacy, and security

The technology is at risk of dying off — and that would be a shame.

iBeacons and various BLE technologies have the potential to shake up many established ways of doing business by streamlining interactions. Although there are potentially many uses for iBeacons, much of the initial discussion has focused on retail. (I’ll follow up with some examples of iBeacon applications outside retail in a future post.)

As I described in my initial post in this series, all an iBeacon does is send out advertisement packets. iBeacon transmissions let a receiver perform two tasks: uniquely identify what things they are near and estimate the distance to them. With such a simple protocol, iBeacons cannot:

  • Receive anything. (Many iBeacon devices will have two-way Bluetooth interfaces so they can receive configurations, but the iBeacon specification does not require reception.)
  • Report on clients they have seen. Wi-Fi based proximity systems use transmissions from mobile devices to uniquely identify visitors to a space. If you take a smartphone into an area covered by a Wi-Fi proximity system, you can be uniquely identified. Because an iBeacon is only a transmitter, it does not receive Bluetooth messages from mobile devices to uniquely identify visitors.
  • Read more…

Comments: 9
Four short links: 22 April 2014

Four short links: 22 April 2014

In-Browser Data Filtering, Alternative to OpenSSL, Game Mechanics, and Selling Private Data

  1. PourOver — NYT open source Javascript for very fast in-browser filtering and sorting of large collections.
  2. LibreSSL — OpenBSD take on OpenSSL. Unclear how sustainable this effort is, or how well adopted it will be. Competing with OpenSSL is obviously an alternative to tackling the OpenSSL sustainability question by funding and supporting the existing OpenSSL team.
  3. Game Mechanic Explorer — helps learners by turning what they see in games into the simple code and math that makes it happen.
  4. HMRC to Sell Taxpayers’ Data (The Guardian) — between this and the UK govt’s plans to sell patient healthcare data, it’s clear that the new government question isn’t whether data have value, but rather whether the collective has the right to retail the individual’s privacy.
Comment
Four short links: 15 April 2014

Four short links: 15 April 2014

Open Access, Lego Scanner, Humans Return, and Designing Security into IoT

  1. Funders Punish Open Access Dodgers (Nature) — US’s NIH and UK’s Wellcome Trust are withholding funding from academics who haven’t released their data despite it being a condition of past funding. It’s open access’s grab twist and pull move.
  2. Digitize Books with Mindstorms and Raspberry Pi — Lego to turn the page, Pi to take photo.
  3. Humans Steal Jobs from Robots at Toyota (Bloomberg) — Toyota’s next step forward is counter-intuitive in an age of automation: Humans are taking the place of machines in plants across Japan so workers can develop new skills and figure out ways to improve production lines and the car-building process.
  4. Implementer’s Guide to Security for Internet of Things, Devices and Beyond (PDF) — This white paper outlines a set of practical and pragmatic security considerations for organisations designing, developing and, testing Internet of Things (IoT) devices and solutions. The purpose of this white paper is to provide practical advice for consideration as part of the product development lifecycle.
Comment

Security and the Internet of stuff in your life

The IoT isn't just a new attack surface to get into your enterprise — it's giving the Internet eyes and arms.

Your computer is important. It has access to your Amazon account, probably your bank, your tax returns, and maybe even your medical records. It’s scary when it gets pwnd, and it gets pwned regularly because it’s essentially impossible to fully secure a general purpose computing device. But the good news is that, at least for now, your computer can’t climb up the stairs and bludgeon you to death in your sleep. The things it manipulates are important to you, but they are (mostly) contained in the abstract virtual realm of money and likes.

The Internet of Things is different. We are embarking on an era where the things we own will be as vulnerable as our PCs, but now they interact with the real world via sensors and actuators. They have eyes and arms, and some of them in the not-too-distant future really will be able to climb the stairs and punch you in the face.

This piece from the New York Times has been getting some attention because it highlights how smart things represent an increased attack surface for infiltration. It views smart devices as springboards into an enterprise rather than the object of the attack, and that will certainly be true in many cases. Read more…

Comments: 3
Four short links: 7 April 2014

Four short links: 7 April 2014

Auto Ethics, Baio on Medium, Internet of Insecure Things, New Unlicensed Spectrum

  1. Can We Design Systems to Automate Ethics — code in self-driving cars will implement a solution to the trolley problem. But which solution?
  2. My First Post on Medium (Andy Baio) — one or two glitches but otherwise fine demonstration of what’s possible with Medium.
  3. SCADA Vulnerability: 7600 Plants at Risk (BBC) — the vulnerabilities are in unpatched Centum CS 3000 software. The real business for IoT is secure remote updates and monitoring. (via Slashdot)
  4. New Unlicensed SpectrumThe unanimous vote frees up 100 MHz of airwaves in the lower part of 5 GHz spectrum band. Previously, the FCC reserved those airwaves for exclusive use by a satellite phone company. The FCC vote opens those unlicensed airwaves so they can be used by consumer electronics equipment, including Wi-Fi routers. With the new airwaves, Wi-Fi equipment can handle more traffic at higher speeds.
Comment: 1