"security" entries

Four short links: 15 January 2015

Secure Docker Deployment, Devops Identity, Graph Processing, and Hadoop Alternative

  1. Docker Secure Deployment Guidelines — deployment checklist for securely deploying Docker.
  2. The Devops Identity Crisis (Baron Schwartz) — I saw one framework-retailing bozo saying that devops was the art of ensuring there were no flaws in software. I didn’t know whether to cry or keep firing until the gun clicked.
  3. Apache Giraph — an iterative graph processing system built for high scalability. For example, it is currently used at Facebook to analyze the social graph formed by users and their connections.
  4. Apache Flink — a data processing system and an alternative to Hadoop’s MapReduce component. It comes with its own runtime, rather than building on top of MapReduce. As such, it can work completely independently of the Hadoop ecosystem. However, Flink can also access Hadoop’s distributed file system (HDFS) to read and write data, and Hadoop’s next-generation resource manager (YARN) to provision cluster resources. Since most Flink users are using Hadoop HDFS to store their data, we already ship the required libraries to access HDFS.

Security comes from evolution, not revolution

The O'Reilly Radar Podcast: Mike Belshe on making bitcoin secure and easy enough for the mainstream.

Editor’s note: you can subscribe to the O’Reilly Radar Podcast through iTunes, SoundCloud, or directly through our podcast’s RSS feed.

In this week’s O’Reilly Radar Podcast episode, I caught up with Mike Belshe, CTO and co-founder of BitGo, a company that has developed a multi-signature wallet that works with bitcoin. Belshe talks about the security issues addressed by multi-signature wallets, how the technology works, and the challenges in bringing cryptocurrencies mainstream. We also talk about his journey into the bitcoin world, and he chimes in on what money will look like in the future. Belshe will address the topics of security and multi-signature technology at our upcoming Bitcoin & the Blockchain Radar Summit on January 27, 2015, in San Francisco — for more on the program and registration information, visit our Bitcoin & the Blockchain website.

Multi-signature technology is exactly what it sounds like: instead of authorizing a bitcoin transaction with a single signature from a single key (the traditional method), it requires a threshold of signatures from several keys, which can be held on different machines, by different parties, or any combination of the two. The concept was initially developed as a defence against malware on the user’s machine. Belshe explains:

“I’m fully convinced that the folks who have been writing various types of malware that steal fairly trivial identity information — logins and passwords that they sell super cheap — they are retooling their viruses, their scanners, their key loggers for bitcoin. We’ve seen evidence of that over the last 12 months, for sure. Without multi-signature, if you do a bitcoin transaction on a machine that’s got any of this bad stuff on it, you’re pretty much toast. Multi-signature was my hope to fix that. What we do is make one signature happen on the server machine, one signature happen on the client machine, your home machine. That way the attacker has to actually compromise two totally different systems in order to steal your bitcoin. That’s what multi-signature is about.”
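
The split described above, as an added example that is not BitGo’s code or anything from the podcast: a 2-of-3 threshold policy in which the server key, the user’s client key and an offline backup key each sign independently, and a transaction is only authorized when two distinct keys have signed it. Bitcoin itself expresses this with ECDSA keys and an OP_CHECKMULTISIG script; Ed25519 is used here only because it is in the Go standard library, and the signer names, the transaction bytes and the `Policy`/`Authorize` API are all constructed for the example.

```go
// Added example, not BitGo's or the podcast's code: an m-of-n signature
// policy over independent keys, modelling the server/client split a
// multi-signature wallet uses. Ed25519 stands in for bitcoin's ECDSA.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer models one machine that holds exactly one private key.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh key pair for a machine (constructed names below).
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, Pub: pub}, nil
}

// Sign produces this machine's signature over the transaction digest only;
// no other machine's key is ever present here.
func (s *Signer) Sign(txDigest []byte) []byte {
	return ed25519.Sign(s.priv, txDigest)
}

// Policy is an m-of-n rule over a fixed set of public keys.
type Policy struct {
	Threshold int
	Keys      []ed25519.PublicKey
}

// NewPolicy builds a threshold policy from the signers' public keys.
func NewPolicy(threshold int, signers ...*Signer) Policy {
	p := Policy{Threshold: threshold}
	for _, s := range signers {
		p.Keys = append(p.Keys, s.Pub)
	}
	return p
}

// Digest binds every signature to the exact transaction bytes, so a signature
// gathered for one transaction cannot be replayed onto a modified one.
func Digest(tx []byte) []byte {
	h := sha256.Sum256(tx)
	return h[:]
}

// Authorize succeeds only if at least Threshold distinct policy keys produced a
// valid signature over txDigest. Each key may be counted once: counting the
// same key twice would let a single compromised machine satisfy the policy.
func (p Policy) Authorize(txDigest []byte, sigs [][]byte) error {
	if p.Threshold < 1 || p.Threshold > len(p.Keys) {
		return errors.New("invalid threshold for policy")
	}
	used := make([]bool, len(p.Keys))
	valid := 0
	for _, sig := range sigs {
		for i, pub := range p.Keys {
			if used[i] {
				continue
			}
			if ed25519.Verify(pub, txDigest, sig) {
				used[i] = true
				valid++
				break
			}
		}
	}
	if valid < p.Threshold {
		return fmt.Errorf("only %d of the required %d distinct valid signatures", valid, p.Threshold)
	}
	return nil
}

func main() {
	server, _ := NewSigner("server")
	client, _ := NewSigner("client")
	backup, _ := NewSigner("backup")
	policy := NewPolicy(2, server, client, backup)

	d := Digest([]byte("pay 0.5 BTC to 1ExampleAddress")) // constructed transaction
	fmt.Println("client+server:", policy.Authorize(d, [][]byte{client.Sign(d), server.Sign(d)}))
	fmt.Println("client alone:  ", policy.Authorize(d, [][]byte{client.Sign(d)}))
	fmt.Println("client twice:  ", policy.Authorize(d, [][]byte{client.Sign(d), client.Sign(d)}))
	tampered := Digest([]byte("pay 5.0 BTC to 1AttackerAddress"))
	fmt.Println("tampered tx:   ", policy.Authorize(tampered, [][]byte{client.Sign(d), server.Sign(d)}))
}
```

The "client twice" case is the check a practitioner most often forgets: a keylogger that captured the client key can produce any number of signatures, so the verifier must count keys, not signatures.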

Four short links: 13 January 2015

Slack Culture, Visualizations of Text Analysis, Wearables and Big Data, and Snooping on Keyboards

  1. Building the Workplace We Want (Slack) — culture is the manifestation of what your company values. What you reward, who you hire, how work is done, how decisions are made — all of these things are representations of the things you value and the culture you’ve wittingly or unwittingly created. Nice (in the sense of small, elegant) explanation of what they value at Slack.
  2. Interpretation and Trust: Designing Model-Driven Visualizations for Text Analysis (PDF) — Based on our experiences and a literature review, we distill a set of design recommendations and describe how they promote interpretable and trustworthy visual analysis tools.
  3. The Internet of Things Has Four Big Data Problems (Alistair Croll) — What the IoT needs is data. Big data and the IoT are two sides of the same coin. The IoT collects data from myriad sensors; that data is classified, organized, and used to make automated decisions; and the IoT, in turn, acts on it. It’s precisely this ever-accelerating feedback loop that makes the coin as a whole so compelling. Nowhere are the IoT’s data problems more obvious than with that darling of the connected tomorrow known as the wearable. Yet, few people seem to want to discuss these problems.
  4. Keysweeper — a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs, and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity. Designs and demo videos included.

Security principles of bitcoin

The core principle in bitcoin is decentralization, and it has important implications for security.

Editor’s note: this is an excerpt from Chapter 10 of our recently released book Mastering Bitcoin, by Andreas Antonopoulos. You can read the full chapter here. Antonopoulos will be speaking at our upcoming event Bitcoin & the Blockchain, January 27, 2015, in San Francisco. Find out more about the event and reserve your spot here.

Securing bitcoin is challenging because bitcoin is not an abstract reference to value, like a balance in a bank account. Bitcoin is very much like digital cash or gold. You’ve probably heard the expression “Possession is nine tenths of the law.” Well, in bitcoin, possession is ten tenths of the law. Possession of the keys that unlock the bitcoin is equivalent to possession of cash or a chunk of precious metal. You can lose it, misplace it, have it stolen, or accidentally give the wrong amount to someone. In every one of those cases, end users would have no recourse, just as if they dropped cash on a public sidewalk.

However, bitcoin has capabilities that cash, gold, and bank accounts do not. A bitcoin wallet, containing your keys, can be backed up like any file. It can be stored in multiple copies, even printed on paper for hardcopy backup. You can’t “backup” cash, gold, or bank accounts. Bitcoin is different enough from anything that has come before that we need to think about bitcoin security in a novel way too.

Security principles

The core principle in bitcoin is decentralization, and it has important implications for security. A centralized model, such as a traditional bank or payment network, depends on access control and vetting to keep bad actors out of the system. By comparison, a decentralized system like bitcoin pushes the responsibility and control to the end users. Because security of the network is based on Proof-Of-Work, not access control, the network can be open and no encryption is required for bitcoin traffic.
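
The asymmetry that lets an open, unauthenticated network rely on proof-of-work rather than access control, as an added example that is not from the book: producing a valid nonce costs on the order of 2^difficulty hash evaluations, while anyone, including a node that has never seen the miner before, can check it with a single hash. Real bitcoin double-SHA-256s an 80-byte block header against a 256-bit target; this version hashes a constructed header string with a 64-bit nonce and compares leading zero bits, and the `Mine`/`Verify` names and the 16-bit difficulty are choices made for the example.

```go
// Added example, not the book's code: the mine/verify asymmetry of
// proof-of-work. Miners spend ~2^difficultyBits hashes per valid nonce;
// verifiers spend one hash, so no party needs to be trusted or vetted.
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// powHash double-SHA-256s header||nonce, mirroring bitcoin's hash construction
// on a simplified header.
func powHash(header []byte, nonce uint64) [32]byte {
	buf := make([]byte, len(header)+8)
	copy(buf, header)
	binary.LittleEndian.PutUint64(buf[len(header):], nonce)
	first := sha256.Sum256(buf)
	return sha256.Sum256(first[:])
}

// LeadingZeroBits counts the leading zero bits of a 32-byte digest; a
// "difficulty" of d bits means the digest must start with at least d zeros.
func LeadingZeroBits(h [32]byte) int {
	n := 0
	for _, b := range h {
		if b == 0 {
			n += 8
			continue
		}
		n += bits.LeadingZeros8(b)
		break
	}
	return n
}

// Verify is the cheap side: one hash, independent of how much work the miner did.
func Verify(header []byte, nonce uint64, difficultyBits int) bool {
	return LeadingZeroBits(powHash(header, nonce)) >= difficultyBits
}

// Mine is the expensive side: brute-force nonces until the digest meets the
// difficulty. Returns the nonce, the number of hashes spent, or an error if
// the attempt budget is exhausted.
func Mine(header []byte, difficultyBits int, maxAttempts uint64) (uint64, uint64, error) {
	if difficultyBits < 0 || difficultyBits > 256 {
		return 0, 0, errors.New("difficulty must be between 0 and 256 bits")
	}
	for nonce := uint64(0); nonce < maxAttempts; nonce++ {
		if Verify(header, nonce, difficultyBits) {
			return nonce, nonce + 1, nil
		}
	}
	return 0, maxAttempts, errors.New("no valid nonce found within attempt budget")
}

func main() {
	// Constructed header; a real one carries the previous block hash, the
	// merkle root, a timestamp and the encoded target.
	header := []byte("prev=0000abcd merkle=deadbeef time=1421280000")
	const difficulty = 16

	nonce, attempts, err := Mine(header, difficulty, 1<<24)
	if err != nil {
		fmt.Println("mining failed:", err)
		return
	}
	h := powHash(header, nonce)
	fmt.Printf("nonce=%d found after %d hashes (expected ~%d)\n", nonce, attempts, 1<<difficulty)
	fmt.Printf("digest=%x leading zero bits=%d\n", h, LeadingZeroBits(h))
	fmt.Println("verifier accepts with one hash:", Verify(header, nonce, difficulty))
}
```

Raising `difficulty` by one bit doubles the expected mining cost and leaves the verifier's cost unchanged; that is the property the excerpt's "no access control, no encryption" argument rests on.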

Four short links: 6 January 2015

IoT Protocols, Predictive Limits, Machine Learning and Security, and 3D-Printing Electronics

  1. Exploring the Protocols of the Internet of Things (Sparkfun) — Arduino and Arduino-like IoT “things” especially, with their limited flash and SRAM, can benefit from specially crafted IoT protocols.
  2. Complexity Salon: Ebola (willowbl00) — These notes were taken at the 2014.Dec.18 New England Complex Systems Institute Salon focused on Ebola. […] Why don’t we engage in risks in a more serious way? Everyone thinks their prior experience indicates what will happen in the future. Look at past Ebola! It died down before going far, surely it won’t be bad in the future.
  3. Machine Learning Methods for Computer Security (PDF) — papers on topics such as adversarial machine learning, attacking pattern recognition systems, data privacy and machine learning, machine learning in forensics, and deceiving authorship detection.
  4. voxel8 — Using Voxel8’s 3D printer, you can co-print matrix materials such as thermoplastics and highly conductive silver inks enabling customized electronic devices like quadcopters, electromagnets and fully functional 3D electromechanical assemblies.

Four short links: 2 January 2015

Privacy Philosophy, Bitcoin Risks, Modelling Emotion, and Opinion Formation

  1. Google’s Philosopher — interesting take on privacy. Now that the mining and manipulation of personal information has spread to almost all aspects of life, for instance, one of the most common such questions is, “Who owns your data?” According to Floridi, it’s a misguided query. Your personal information, he argues, should be considered as much a part of you as, say, your left arm. “Anything done to your information,” he has written, “is done to you, not to your belongings.” Identity theft and invasions of privacy thus become more akin to kidnapping than stealing or trespassing. Informational privacy is “a fundamental and inalienable right,” he argues, one that can’t be overridden by concerns about national security, say, or public safety. “Any society (even a utopian one) in which no informational privacy is possible,” he has written, “is one in which no personal identity can be maintained.”
  2. S-1 for a Bitcoin Trust (SEC) — always interesting to read through the risks list to see what’s there and what’s not.
  3. Computationally Modelling Human Emotion (ACM) — our work seeks to create true synergies between computational and psychological approaches to understanding emotion. We are not satisfied simply to show our models “fit” human data but rather seek to show they are generative in the sense of producing new insights or novel predictions that can inform understanding. From this perspective, computational models are simply theories, albeit more concrete ones that afford a level of hypothesis generation and experimentation difficult to achieve through traditional theories.
  4. Opinion Formation Models on a Gradient (PLoSONE) — Many opinion formation models embedded in two-dimensional space have only one stable solution, namely complete consensus, in particular when they implement deterministic rules. In reality, however, deterministic social behavior and perfect agreement are rare – at least one small village of indomitable Gauls always holds out against the Romans. […] In this article we tackle the open question: can opinion dynamics, with or without a stochastic element, fundamentally alter percolation properties such as the clusters’ fractal dimensions or the cluster size distribution? We show that in many cases we retrieve the scaling laws of independent percolation. Moreover, we also give one example where a slight change of the dynamic rules leads to a radically different scaling behavior.

Four short links: 31 December 2014

Feudal Employment, Untrusted Computing, Nerd Entitlement, and Paxos Explained

  1. Governance for the New Class of Worker (Matt Webb) — there is a new class of worker. They’re not inside the company – not benefiting from job security or healthcare – but their livelihoods in large part dependent on it, the transaction cost of moving to a competitor deliberately kept high. Or the worker is, without seeing any of the upside of success, taking on the risk or bearing the cost of the company’s expansion and operation.
  2. Hidden Code in Your Chipset (Slideshare) — there’s a processor that supervises your processor, and it’s astonishingly fully-featured (to the point of having privileged access to the network and being able to run Java code).
  3. On Nerd Entitlement — Privilege doesn’t mean you don’t suffer. The best part of 2014 was the tech/net feminist consciousness-raising/uprising. That’s probably the wrong label for it, but bullshit is being called that was ignored years ago. I think we’ve collectively found the next thing we fix that future generations will look back on us and wonder why it went unremarked-upon for so long.
  4. Understanding Paxos — a simple introduction, with animations, to one of the key algorithms in distributed systems.

Four short links: 30 December 2014

DevOps Security, Bit Twiddling, Design Debates, and Chinese IP

  1. DevOoops (Slideshare) — many ways in which your devops efforts can undermine your security efforts.
  2. Matters Computational (PDF) — low-level bit-twiddling and algorithms with source code. (via Jarkko Hietaniemi)
  3. Top 5 Game Design Debates I Ignored in 2014 (Daniel Cook) — Stretch your humanity.
  4. From Gongkai to Open Source (Bunnie Huang) — The West has a “broadcast” view of IP and ownership: good ideas and innovation are credited to a clearly specified set of authors or inventors, and society pays them a royalty for their initiative and good works. China has a “network” view of IP and ownership: the far-sight necessary to create good ideas and innovations is attained by standing on the shoulders of others, and as such there is a network of people who trade these ideas as favors among each other. In a system with such a loose attitude toward IP, sharing with the network is necessary as tomorrow it could be your friend standing on your shoulders, and you’ll be looking to them for favors. This is unlike the West, where rule of law enables IP to be amassed over a long period of time, creating impenetrable monopoly positions. It’s good for the guys on top, but tough for the upstarts.

Four short links: 23 December 2014

Useful Metrics, Trouble at Mill, Drug R&D, and Disruptive Opportunities

  1. Metrics for Operational Performance — you’d be surprised how many places around your business you can meaningfully and productively track time-to-detection and time-to-resolution.
  2. Steel Mill Hacked — damage includes a blast furnace that couldn’t be shut down properly.
  3. Cerebros — drug-smuggling’s equivalent of corporate R&D. (via Regine Debatty)
  4. Ramble About Bitcoin (Matt Webb) — the meta I’m trying to figure out is: when you spot that one of these deep value chains is at the beginning of a big reconfiguration, what do you do? How do you enter it as a small business? How, as a national economy, do you help it along and make sure the transition happens healthily?

Four short links: 19 December 2014

Statistical Causality, Clustering Bitcoin, Hardware Security, and A Language for Scripts

  1. Distinguishing Cause and Effect using Observational Data — research paper evaluating effectiveness of the “additive noise” test, a nifty statistical trick to identify causal relationships from observational data. (via Slashdot)
  2. Clustering Bitcoin Accounts Using Heuristics (O’Reilly Radar) — In theory, a user can go by many different pseudonyms. If that user is careful and keeps the activity of those different pseudonyms separate, completely distinct from one another, then they can really maintain a level of, maybe not anonymity, but again, cryptographically it’s called pseudo-anonymity. […] It turns out in reality, though, the way most users and services are using bitcoin, was really not following any of the guidelines that you would need to follow in order to achieve this notion of pseudo-anonymity. So, basically, what we were able to do is develop certain heuristics for clustering together different public keys, or different pseudonyms.
  3. A Primer on Hardware Security: Models, Methods, and Metrics (PDF) — Camouflaging: This is a layout-level technique to hamper image-processing-based extraction of gate-level netlist. In one embodiment of camouflaging, the layouts of standard cells are designed to look alike, resulting in incorrect extraction of the netlist. The layout of nand cell and the layout of nor cell look different and hence their functionality can be extracted. However, the layout of a camouflaged nand cell and the layout of camouflaged nor cell can be made to look identical and hence an attacker cannot unambiguously extract their functionality.
  4. Prompter: A Domain-Specific Language for Versu (PDF) — literally a scripting language (you write theatrical-style scripts, characters, dialogues, and events) for an inference engine that lets you talk to characters and have a different story play out each time.