Blog Archive: March 2015
Survey of Americans' Privacy Habits Post-Snowden
Pew Research has a new survey on Americans' privacy habits in a post-Snowden world. The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies: 34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide...
Narrow Road, Deep North
The last parking lot in Aotearoa: fall cyclone fluting. A few minutes' walk from that last parking lot and you're at the top left corner of New Zealand: Cape Reinga. Some days, they say, you can see the Pacific Ocean's waters meet the Tasman Sea's. But I couldn't. Look right: that last headland is the Surville Cliffs, actually NZ's northernmost point. Look left: There really was music in the parking lot; by a little shelter with murals, the path to the lighthouse leads through it. I was sure there had to be a hippie up on its roof playing vaguely Asian riffs on a wood-flute; then falling silent.
Chinese CA Issuing Fraudulent Certificates
There's a Chinese CA that's issuing fraudulent Google certificates. Yet another example of why the CA model is so broken....
European Union Data Protection Authorities Approve Amazon Web Services Data Processing Agreement
As you all know, security, privacy, and protection of our customers' data is our number one priority, and as such we work very closely with regulators to ensure that customers can be assured that they are getting the right protections when processing and storing data in AWS. I am especially pleased that the group of European Union (EU) data protection authorities known as the Article 29 Working Party has approved the AWS Data Processing Agreement (DPA), assuring customers that it meets the high standards of EU data protection laws. The media alert below that went out today gives the details: European Union Data Protection Authorities Approve Amazon Web Services Data Processing Agreement. Customers All Over the World Are Assured that AWS Agreement Meets Rigorous EU Privacy Laws. Brussels, March 31, 2015: Amazon Web Services (AWS) today announced that the group of European Union (EU) data protection authorities ...
Australia Outlaws Warrant Canaries
In the US, certain types of warrants can come with gag orders preventing the recipient from disclosing the existence of the warrant to anyone else. A warrant canary is basically a legal hack of that prohibition. Instead of saying "I just received a warrant with a gag order," the potential recipient keeps repeating "I have not received any warrants." If the...
Commodore diagnostics
To Ballarat Central Auto Electrics with the Commodore to see if they could find any diagnostic information from the ECU. Yes, indeed: two coils failed. And that will cost us round $700! Tony, the bloke who did the test, also has a VZ Commodore, and has just changed his coils: it seems to be a common problem with them. And it was with our old VT Commodore. So why do they make it so difficult to change them, and why are they so expensive? And, of course, it means that my ELM327 clone is useless. What a waste of $5.99!
Māori Snapshots
The Māori people, who arrived in what they call Aotearoa in 1300 or so, have since the 1600s been sharing the islands with New Zealanders of Euro-extraction, for example my wife and children. They and their culture are definitely part of the package a tourist like myself sees and photographs. I have no information or insights to offer beyond what you can read online, so you're not going to learn anything about these people here, aside from what some of them and their works of art look like. It's interesting that they are so tourist-visible compared to my own country's aboriginal peoples; you could easily spend a couple of weeks in Canada and your only contact would be place-names and the occasional totem pole.
Clean Reader is a free speech issue
My latest Guardian column, "Allow Clean Reader to swap 'bad' words in books, it's a matter of free speech", expands on last week's editorial about the controversial ebook reader, which lets readers mangle the books they read by programmatically swapping swear-words for milder alternatives. I agree with the writers who say that the app...
Brute-Forcing iPhone PINs
This is a clever attack, using a black box that attaches to the iPhone via USB: As you know, an iPhone keeps a count of how many wrong PINs have been entered, in case you have turned on the Erase Data option on the Settings | Touch ID & Passcode screen. That's a highly-recommended option, because it wipes your device...
Google + 1yr
As of this month, I've been an ex-Googler for a year. Sometimes I miss it, but my rearview-mirror feelings are mixed. What I miss: Most of all, the bug tracker. Any employee can file a bug against any product and be certain that someone on the engineering team will at least look at it. There are certain internal-social-engineering techniques you can use to focus attention on an issue you think isn't getting enough. Lots of bug reports are feature-requests and others are feature-removal demands, and that's fine. Given Google's global impact, that bug tracker is one of the single most powerful world-changing tools that most people will never have access to.
Auckland
I sure enjoyed visiting it but I'm not sure I'd want to live there. Green, maritime, rounded, not obviously scalable. With back story and of course pictures. Back story: Attentive readers will have deduced from the recent cricket coverage that I've been in New Zealand; here's why. In 1994 I met a nice software geek then living in Germany and we hit it off. I've been married to Lauren Wood, a fifth-generation New Zealander, for a long time now, and we have two children who are also NZ citizens. Lauren's family had scattered round the globe and connections had frayed; she'd not been home in a long time.
DPI's ugly head
Talking with Chris Bahlo this evening about the fun day she had had at work today. They have a new coworker, and she managed to pessimize a web site by putting in overly large images. How large? 300 dpi. What does that mean on a web page? Should it scale to the monitor resolution? No, it seems that people still can't get used to the fact that image resolutions are measured in pixels (these images were apparently 1200×900 or so, clearly too large). Admittedly pixel dimensions aren't ideal either, but what earthly use are dpi specifications?
Diagnosing Yvonne's car problems
Another attempt with the ELM327 clone today to find out what's wrong with Yvonne's car. Once again it claimed that there was no error code stored. Tried to speak to Paul Sperber of Ballarat Automotive, but was blocked by his wife, who went in, discussed something with him, and said that they weren't interested in doing the work, and that I should go to Ballarat Central Auto Electrics. Called them, and eventually spoke to Wayne, who confirmed that it would be difficult to diagnose if the problem wasn't presenting itself, but that they'd try. Otherwise he suspects coils, which isn't out of the question, but I'd like some certainty before spending $600 on the off chance.
Friday Squid Blogging: Using Squid Proteins for Commercial Camouflage Products
More research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Usenix LISA 2015 Call For Participation (3 weeks left!)
Only 3 weeks left to submit talk and paper proposals for LISA 2015. This year's conference is in Washington D.C. on November 8-13. This might be a good weekend to spend time writing your first draft! https://www.usenix.org/conference/lisa15/call-for-participation Don't be afraid to submit proposals early. Unsure of your topic? Contact the chairs and bounce ideas off of them.
Yet Another Computer Side Channel
Researchers have managed to get two computers to communicate using heat and thermal sensors. It's not really viable communication -- the bit rate is eight per hour over fifteen inches -- but it's neat....
That Cricket Match
I spent many hours last Tuesday in Auckland watching the Cricket World Cup semifinal between South Africa and New Zealand. It was insanely intense. I will probably spend most of Saturday night up watching the final. Herewith words and pictures, including a bit of overview for us New-Worlders to whom cricket is (mostly) foreign. How I got there: Back in January, an Aussie friend told us that the CWC would be on while we were visiting New Zealand. I checked, and impulse-bought tickets for a semifinal. I had no idea how big a deal this would be. Some of the 45,000-strong crowd.
New Zealand's XKEYSCORE Use
The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I'm not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It's interesting to see how primitive the keyword targeting is,...
The State of DevOps Report
Where does it come from? Have you read the 2014 State of DevOps report? The analysis is done by some of the world's best IT researchers and statisticians. Be included in the 2015 edition! A lot of the data used to create the report comes from the annual survey done by Puppet Labs. I encourage everyone to take 15 minutes to complete this survey. It is important that your voice and experience are represented in next year's report. Take the survey. But I'm not important enough! Yes you are. If you think "I'm not DevOps enough" or "I'm not important enough" then it is even more important that you fill out the survey.
Capabilities of Canada's Communications Security Establishment
There's a new story about the hacking capabilities of Canada's Communications Security Establishment (CSE), based on the Snowden documents....
More GPS navigator fun
Today was the first time I used the new GPS navigator in the city. Of course it tried to take me through places that didn't exist, but the most surprising thing was what happened when I tried to find alternative ways from the city to Surrey Hills: it kept changing its mind, wanting to take me north of Victoria Street (probably correctly) and south of Victoria Street (very definitely wrong). And when we changed our minds to go to Springvale, Victoria instead, it tried to take me straight through the middle of town instead of the designated way to the freeway.
A new low in user interfaces
Parking at the Victoria market was made no easier by the parking meters. They're modern and electronic, of course, with a low-contrast, reflective LCD display: Today was overcast, so the display was marginally legible. On a sunny day I would have been facing into the sun, so things would have been much worse. Even so, to read the display you need either to be about 1.50 m tall or kneel down in front of it.
2015 DevOps Survey
Have you taken the 2015 DevOps survey? The data from this survey influences many industry executives and helps push them towards better IT processes (and removing the insanity we find in IT today). You definitely want your voice represented. It takes only 15 minutes. Take the 2015 DevOps Survey Now
Reforming the FISA Court
The Brennan Center has a long report on what's wrong with the FISA Court and how to fix it. At the time of its creation, many lawmakers saw constitutional problems in a court that operated in total secrecy and outside the normal "adversarial" process.... But the majority of Congress was reassured by similarities between FISA Court proceedings and the hearings...
RFC 7493: The I-JSON Message Format
The Olde ASCII is at rfc7493.txt. I'll put a nicely-formatted HTML version here as soon as I pull a few pieces together. This is really, really simple stuff and should be about as controversy-free as an RFC can be. Back story: Basically, RFC 7159 is the JSON RFC; it describes the existing panoply of JSON specs, and also more-or-less unifies the (small) incompatibilities between them. The history is here, from which I quote: If you're interested, I recommend opening up the HTML version and searching forward for the string "interop". There are 17 occurrences. If you're generating JSON (something a lot of us do all the time) and make sure you avoid the mistakes highlighted in those 17 places, you're very unlikely to cause pain or breakage in software that's receiving it.
BIOS Hacking
We've learned a lot about the NSA's abilities to hack a computer's BIOS so that the hack survives reinstalling the OS. Now we have a research presentation about it. From Wired: The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually...
Cheap toner: the truth
As planned earlier this week, I bought some cheap toner for my laser printer. How do you install it? Easy, in principle. But there's a little problem. Here are the new cartridge on the top (still with protective cover) and the old one below: Half the cartridge is missing! Am I supposed to re-use the old one? If so, the least they could have done was to tell me how to do it. The other difference showed up when I read the printer instructions.
Y2K catches up
Last night's pepper steak required a little stock powder. We really don't use much, and the jars I have are long past their use-by date: It's interesting that they changed date format between the two jars. I had half expected them to have changed back, but it seems they haven't. The older jar has got so hard that I couldn't get anything out of it. I don't suppose it's too soon to throw it out.
Understanding Google Plus
Some months ago, when I was complaining about Facebook, Peter Jeremy (a Google employee) suggested that I use Google Plus instead. I signed up, took a look, and found it confusing. It also didn't address the issue that I don't like the concept anyway. So I forgot about it again. Then today Peter was analysing the display of my web pages on mobile devices. I asked him for screen shots, and got the reply: <groggyhimself> Can you send me a screen shot? <peter> groggyhimself: I've shared them with you. <groggyhimself> ? <peter> groggyhimself: Look in Google+.
Still more network problems
I was out of the office most of the morning, but when I got back I found:

Start time  End time    Duration   Badness
                        (seconds)            from                      to
1426893625  1426895771  2146       0.005   # 21 March 2015 10:20:25     21 March 2015 10:56:11
1424453814  1424645964  192150     0.026   # 21 February 2015 04:36:54  23 February 2015 09:59:24
1425657732  1425657839  107        0.004   # 7 March 2015 03:02:12      7 March 2015 03:03:59
1426077275  1426077511  236        0.009   # 11 March 2015 23:34:35     11 March 2015 23:38:31
1426081952  1426083273  1321       0.811   # 12 March 2015 00:52:32     12 March 2015 01:14:33
1426083535  1426084719  1184       13.740  # 12 March 2015 01:18:55     12 March 2015 01:38:39
1426084979  1426085070  91         13.846  # 12 March 2015 01:42:59     12 March 2015 01:44:30
1426086004  1426086758  ...
Another variation on forging the Wolf's Tooth Pattern
Friday Squid Blogging: Squid Pen
Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
New Paper on Digital Intelligence
David Omand -- GCHQ director from 1996-1997, and the UK's security and intelligence coordinator from 2000-2005 -- has just published a new paper: "Understanding Digital Intelligence and the Norms That Might Govern It." Executive Summary: This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency...
Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception
Last May, we learned that the NSA intercepts equipment being shipped around the world and installs eavesdropping implants. There were photos of NSA employees opening up a Cisco box. Cisco's CEO John Chambers personally complained to President Obama about this practice, which is not exactly a selling point for Cisco equipment abroad. Der Spiegel published the more complete document, along...
Out of date, part 2
Mail from Google (really!) today: Date: Wed, 18 Mar 2015 18:29:15 -0700 (PDT) From: Google Webmaster Tools Team <wmx-[email protected]> Subject: Fix mobile usability issues found on http://www.lemis.com/ Google systems have tested 3,000 pages from your site and found that 100% of them have critical mobile usability errors. The errors on these 3,000 pages severely affect how mobile users are able to experience your website. These pages will not be seen as mobile-friendly by Google Search, and will therefore be displayed and ranked appropriately for smartphone users. What's that? There are lots of links, of course.
SpamAssassin: past use-by date?
I've been finding that SpamAssassin has flagged more and more legitimate mail as spam lately. The reason is always the same: 2.7 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org Lately, though, I've noticed that even well-known senders are getting flagged like this. That's serious because I have set my maximum score to 3, so just about anything else will cause it to be classified as spam. It really hit home when my system classified local mail as spam. Clearly time to weaken the score. Went looking and found, in /usr/local/share/spamassassin/50_scores.cf: score DNS_FROM_AHBL_RHSBL 0 0.306 0 0.231 Huh?
More Data and Goliath News
Right now, the book is #6 on the New York Times best-seller list in hardcover nonfiction, and #13 in combined print and e-book nonfiction. This is the March 22 list, and covers sales from the first week of March. The March 29 list -- covering sales from the second week of March -- is not yet on the Internet. On...
Understanding the Organizational Failures of Terrorist Organizations
New research: Max Abrahms and Philip B.K. Potter, "Explaining Terrorism: Leadership Deficits and Militant Group Tactics," International Organizations. Abstract: Certain types of militant groups -- those suffering from leadership deficits -- are more likely to attack civilians. Their leadership deficits exacerbate the principal-agent problem between leaders and foot soldiers, who have stronger incentives to harm civilians. We establish the validity...
How We Become Habituated to Security Warnings on Computers
New research: "How Polymorphic Warnings Reduce Habituation in the Brain - Insights from an fMRI Study." Abstract: Research on security warnings consistently points to habituation as a key reason why users ignore security warnings. However, because habituation as a mental state is difficult to observe, previous research has examined habituation indirectly by observing its influence on security behaviors. This study...
Toner prices
The black toner for our Brother HL-3170CDW laser printer is running low. I've had it for 8 months, so it was to be expected. Took a look on eBay and found the toner cartridge (TN-251) for $25.30, including free postage. While in town, dropped in at Officeworks. Yes, they had it in stock, for $129! That's ridiculous. OK, the cartridges on eBay are almost certainly replacements, but they have the chips, and there can't be that much difference in quality. The printer cost $249, so this single cartridge costs more than half the purchase price. A complete set of 4 would cost more than double the purchase price.
See you tonight at LSPE (Sunnyvale, CA)
See you at 6pm! The meeting is at Yahoo! URL's Cafeteria, 701 1st Ave, Sunnyvale, CA. Please RSVP. http://www.meetup.com/SF-Bay-Area-Large-Scale-Production-Engineering/events/221111762/
Details on Hacking Team Software Used by Ethiopian Government
The Citizen Lab at the University of Toronto published a new report on the use of spyware from the Italian cyberweapons arms manufacturer Hacking Team by the Ethiopian intelligence service. We previously learned that the government used this software to target US-based Ethiopian journalists. News articles. Human Rights Watch press release....
Microsoft error reporting
Earthworks invoice from Warwick Pitcher today. Needs to be scanned and sent to CVI. All went well, but where was the image? Tried again, and again it didn't appear. This is Epson software under Microsoft. Had it decided to store the image somewhere else? Spent some time looking for the configuration menu which specifies where the document should go. Where is it? It proved to be this meaningless icon: Selected that and got another confusing menu: Only three choices of location: My Documents, My Pictures, or anything else.
How the CIA Might Target Apple's XCode
The Intercept recently posted a story on the CIA's attempts to hack the iOS operating system. Most interesting was the speculation that they hacked XCode, which would mean that any apps developed using that tool would be compromised. The security researchers also claimed they had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance...
More network investigations
More work on my network status page today, without making it really pretty. One thing of interest is the TCP speed plot, in blue: This shows the reciprocal of the time it takes to load a small document from the other end of the world. It's surprisingly constant. But for some reason the value increased round 10 March. Looking at the raw log data shows:

1425966865 0.70 # Tue 10 Mar 2015 16:54:26 EST
1425966926 0.71 # Tue 10 Mar 2015 16:55:27 EST
1425966987 0.72 # Tue 10 Mar 2015 16:56:28 EST
1425967049 0.71 # Tue 10 Mar 2015 16:57:29 EST
1425967110 0.55 # Tue 10 Mar 2015 16:58:30 EST
1425967171 0.57 # Tue 10 Mar 2015 16:59:32 EST
1425967232 0.55 # Tue 10 ...
Analysing yesterday's disaster
Network connectivity came back this morning at almost exactly midnight. I had traced the network since about 8:30 yesterday, but of course by the time I stopped it, we had about 200,000 packets and a 235 MB trace file. All that interested me was the time up to the restoration of service. How do I do that? With Edwin Groothuis' help discovered the wireshark export function. You can specify a packet range, in my case 1-8212. And sure enough, it saved a file with just those packets. Tried to read it back in again. The file "/home/grog/public_html/Day/20150313/offnet.trace" isn't a capture file in a format Wireshark understands.
Friday Squid Blogging: Squid Stir-Fry
Spicy squid masala stir-fry. Easy and delicious. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Fall Seminar on Catastrophic Risk
I am planning a study group at Harvard University (in Boston) for the Fall semester, on catastrophic risk. Berkman Study Group -- Catastrophic Risk: Technologies and Policy Technology empowers, for both good and bad. A broad history of "attack" technologies shows trends of empowerment, as individuals wield ever more destructive power. The natural endgame is a nuclear bomb in everybody's...
Threats to Information Integrity
Every year, the Director of National Intelligence publishes an unclassified "Worldwide Threat Assessment." This year's report was published two weeks ago. "Cyber" is the first threat listed, and includes most of what you'd expect from a report like this. More interesting is this comment about information integrity: Most of the public discussion regarding cyber threats has focused on the confidentiality...
Internode: Why PPPoE?
Time to change my ISP, I'm afraid. Whom should I choose? Internode has the best reputation. They offer a similar product to Aussie Broadband: 300 GB per month for $75 compared to 250 GB per month for $60. The price difference is real: I never use 250 GB, so the additional 50 GB from Internode are of no interest. Called them up and got the usual message, that I had a wait of between 5 and 9 minutes before I could speak to anybody. Accepted the offer of a call back when somebody was available. And the call back came almost immediately, followed by a 6 minute wait before I was connected to Alex.
Just announced: I'll be speaking at the LSPE (Sunnyvale) meeting on Tuesday
I'll be talking about our new book, The Practice of Cloud System Administration, at the SF/Bay Area Large-Scale Production Engineering, which meets at Yahoo! URL's Cafe in Sunnyvale, CA on Tue. Mar 17 at 6:00PM. More info on their MeetUp page. Hope to see you there!
NBN reliability: worse than satellite?
Yvonne dragged me out of bed this morning to tell me that we were off the net. It took me a while to understand, but I went into the office, and sure enough, we had been off the net for hours. The usual thing: DHCPDISCOVER going out, no reply. Called up Aussie Broadband support, spoke to Kylie, who relatively quickly connected me to Jerom, who is (ahem!) 3rd level support. He confirmed that they were receiving the DHCPDISCOVER and replying correctly with a DHCPOFFER. But that reply never made it back here. Shades of last month? In any case, it's not acceptable. Got him to transfer me to Kevin, the manager, who told me that it was part of a more general outage, that the problem was within the National Broadband Network, with whom a ticket had been raised, and that hopefully things would soon come back to normal.
Data and Goliath Makes New York Times Best-Seller List
The March 22 best-seller list from the New York Times will list me as #6 in the hardcover nonfiction category, and #13 in the combined paper/e-book category. This is amazing, really. The book just barely crossed #400 on Amazon this week, but it seems that other booksellers did more. There are new reviews from the LA Times, Lawfare, EFF, and...
The Changing Economics of Surveillance
Cory Doctorow examines the changing economics of surveillance and what it means: The Stasi employed one snitch for every 50 or 60 people it watched. We can't be sure of the size of the entire Five Eyes global surveillance workforce, but there are only about 1.4 million Americans with Top Secret clearance, and many of them don't work at or...
A conversation about privacy and trust in open education
For Open Education Week, Jonathan Worth convened a conversation about privacy and trust in open education called Speaking Openly, in which educators and scholars recorded a series of videos responding to one another's thoughts on the subject. The takes are extremely varied, and come from Audrey Waters, Nishant Shah, Ulrich Boser, Dan Gillmor, and me,...
Equation Group Update
More information about the Equation Group, aka the NSA. Kaspersky Labs has published more information about the Equation Group -- that's the NSA -- and its sophisticated malware platform. Ars Technica article....
Observations on the Importance of Cloud-based Analytics
Cloud computing is enabling amazing new innovations both in consumer and enterprise products, as it became the new normal for organizations of all sizes. So many exciting new areas are being empowered by cloud that it is fascinating to watch. AWS is enabling innovations in areas such as healthcare, automotive, life sciences, retail, media, energy, robotics that it is mind boggling and humbling. Despite all of the amazing innovations we have already seen, we are still on Day One in the Cloud; at AWS we will continue to use our inventive powers to build new tools and services to enable even more exciting innovations by our customers that will touch every area of our lives.
Forging and Cutting Teeth for Wolf's Tooth Pattern
Hardware Bit-Flipping Attack
The Project Zero team at Google has posted details of a new attack that targets a computer's DRAM. It's called Rowhammer. Here's a good description: Here's how Rowhammer gets its name: In the Dynamic Random Access Memory (DRAM) used in some laptops, a hacker can run a program designed to repeatedly access a certain row of transistors in the computer's...
Join me at SXSW 2015
Every year I enjoy travelling to the South-by-South-West (SXSW) festival as it is one of the biggest events with many Amazon customers present. Thousands of AWS customers and partners will be in Austin for SXSW Interactive, and given the free-flowing networking it is a very important feedback opportunity for us. But also many Amazon customers will be there for the Film and the Music festival, and I always enjoy getting feedback from those Amazon consumers and producers that are attending these festivals. The program is always a bit in flux, but here are the events in the beginning of the week that I am taking part in: Sunday 3/15 1-2pm - I will give a talk at Techstars on "The History of Microservices at Amazon".
Can the NSA Break Microsoft's BitLocker?
The Intercept has a new story on the CIA's -- yes, the CIA, not the NSA -- efforts to break encryption. These are from the Snowden documents, and talk about a conference called the Trusted Computing Base Jamboree. There are some interesting documents associated with the article, but not a lot of hard information. There's a paragraph about Microsoft's BitLocker,...
Geotagging Twitter Users by Mining Their Social Graphs
New research: "Geotagging One Hundred Million Twitter Accounts with Total Variation Minimization," by Ryan Compton, David Jurgens, and David Allen. Abstract: Geographically annotated social media is extremely valuable for modern information retrieval. However, when researchers can only access publicly-visible data, one quickly finds that social media users rarely publish location information. In this work, we provide a method which can...
Touch screens and other obscenities
Yvonne's photos of the ride didn't come out quite as she had intended. Here's one of them:
Identifying When Someone is Operating a Computer Remotely
Here's an interesting technique to detect Remote Access Trojans, or RATs: differences in how local and remote users use the keyboard and mouse: By using biometric analysis tools, we are able to analyze cognitive traits such as hand-eye coordination, usage preferences, as well as device interaction patterns to identify a delay or latency often associated with remote access attacks. Simply...
Attack Attribution and Cyber Conflict
The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn't buy Washington's claim that North Korea was the culprit. What's both amazing -- and perhaps a bit frightening -- about that dispute over who hacked Sony is that it happened in the first place. But what it highlights...
Tektronix 555: Final photos?
Taking the photos of the Tektronix 555 oscilloscope has been surprisingly painful. But enough is enough. Tried again today with flash and the long telephoto lens, this time concentrating on the mainframe. Moving the lens further away also allowed me to put the flash units closer together, with good results. Here are my five tries of the CA plug-in: The first was just with studio flash.
Questing for the Wolf's Tooth Pattern
Telstra and bandwidth cost
On IRC today, Jürgen Lock pointed us at this comparison of network costs around the world. He's in Germany, but the take-home message, at least for me, was: Telstra .... charges some of the highest transit pricing in the world 20x the benchmark ($200/Mbps). So why hasn't the National Broadband Network changed that? I had thought that the geography was part of the problem, but the same article also says: Given that Australia is one large land mass with relatively concentrated population centers, it's difficult to justify the pricing based on anything other than Telstra's market power.
Forge Diaries: Episode 5: Refining and Carburizing Wrought Iron
The Only Sane Transit Vote
Vancouver is having a Transportation & Transit Referendum this spring: Yes or No on a 0.5% local sales-tax hike to pay for transit infrastructure, mostly public-transit train lines. The only sane vote is Yes; here's why.
Strong bones
Vancouver's a child among cities. As Doug Coupland (I think it was him) said: In 100 years, Paris will still be Paris and Tokyo will still be Tokyo. What will Vancouver be? Nobody knows. Growing children need strong bones, and that's what the vote's about. Voting Yes: It's buying milk for your kids, and making them drink it before they go out to play.
Back-to-Basics Weekend Reading - Experience with Grapevine: The Growth of a Distributed System
Grapevine was one of the first systems designed to be fully distributed. It was built at the famous Xerox PARC (Palo Alto Research Center) Computer Science Laboratory as an exercise in discovering what is needed as the fundamental building blocks of a distributed system: messaging, naming, discovery, location, routing, authentication, encryption, replication, etc. The origins of the system are described in Grapevine: An Exercise in Distributed Computing by researchers who all went on to become grandmasters in distributed computing: Andrew Birrell, Roy Levin, Roger Needham, and Mike Schroeder. For this weekend's reading we will use a follow-up paper that focuses on the lessons learned from running Grapevine for several years under substantial load.
Friday Squid Blogging: Biodegradable Thermoplastic Inspired by Squid Teeth
There's a new 3D-printable biodegradable thermoplastic: Pennsylvania State University researchers have synthesized a biodegradable thermoplastic that can be used for molding, extrusion, 3D printing, as an adhesive, or a coating using structural proteins from the ring teeth on squid tentacles. Another article: The researchers took genes from a squid and put them into E. coli bacteria. "You can insert genes...
Data and Goliath's Big Idea
Data and Goliath is a book about surveillance, both government and corporate. It's an exploration in three parts: what's happening, why it matters, and what to do about it. This is a big and important issue, and one that I've been working on for decades now. We've been on a headlong path of more and more surveillance, fueled by fear--of...
FREAK: Security Rollback Attack Against SSL
This week we learned about an attack called "FREAK" -- "Factoring Attack on RSA-EXPORT Keys" -- that can break the encryption of many websites. Basically, some sites' implementations of secure sockets layer technology, or SSL, contain both strong encryption algorithms and weak encryption algorithms. Connections are supposed to use the strong algorithms, but in many cases an attacker can force...
The TSA's FAST Personality Screening Program Violates the Fourth Amendment
New law journal article: "A Slow March Towards Thought Crime: How the Department of Homeland Security's FAST Program Violates the Fourth Amendment," by Christopher A. Rogers. From the abstract: FAST is currently designed for deployment at airports, where heightened security threats justify warrantless searches under the administrative search exception to the Fourth Amendment. FAST scans, however, exceed the scope of...
Now Corporate Drones are Spying on Cell Phones
The marketing firm Adnear is using drones to track cell phone users: The capture does not involve conversations or personally identifiable information, according to director of marketing and research Smriti Kataria. It uses signal strength, cell tower triangulation, and other indicators to determine where the device is, and that information is then used to map the user's travel patterns. "Let's...
At Work
More reportage from inside the AWS factory. Looking for leaks or marketing? Nope. Seems I've been here three months. It still feels weird to dig in and work on software without breaking frequently to explain it to the world. The main current project is stretching some envelopes so my explain-it energy is finding plenty of internal outlets. News flash! One of the things you get at any big tech company is an onboarding task; a little product feature or bugfix, the kind of thing that would take a person who knows the software and toolset about fifteen minutes. It took me a week and small change, learning how to check code out and build it and stage it and so on.
Tom Ridge Can Find Terrorists Anywhere
One of the problems with our current discourse about terrorism and terrorist policies is that the people entrusted with counterterrorism -- those whose job it is to surveil, study, or defend against terrorism -- become so consumed with their role that they literally start seeing terrorists everywhere. So it comes as no surprise that if you ask Tom Ridge, the...
Audiobook of Someone Comes to Town, Someone Leaves Town
Blackstone has adapted my 2005 urban fantasy novel Someone Comes to Town, Someone Leaves Town for audiobook, narrated by Bronson Pinchot, who does a stunning job. It's available as a DRM-free audiobook at all the usual places, including the DRM-free audiobook store Downpour. However, iTunes and Audible refuse to carry this, or any of...
BigPond email: We don't need no steenking security
Sent a mail message to Gary Murray today. It didn't go through:
<[email protected]>: host extmail.bigpond.com[61.9.168.122] said: 552 5.2.0 yrRW1p01Q1sUVRc01rRYpC Suspected spam message rejected. IB704 (in reply to end of DATA command)
I've seen this before. BigPond is too stupid to distinguish digital signatures from spam. So they reject messages on the mere suspicion of spam. Is this in their users' interests? A good reason for any BigPond user to choose a competent mail service provider. I'm still amazed how incompetent everything to do with Telstra is.
Data and Goliath: Reviews and Excerpts
On the net right now, there are excerpts from the Introduction on Scientific American, Chapter 5 on the Atlantic, Chapter 6 on the Blaze, Chapter 8 on Ars Technica, Chapter 15 on Slate, and Chapter 16 on Motherboard. That might seem like a lot, but it's only 9,000 of the book's 80,000 words: barely 10%. There are also a few...
Hiring a network engineer for SRE team (NYC only)
Stack Exchange, Inc. is looking to hire a sysadmin/network admin/SRE/DevOps engineer who will focus on network-related projects. The position will work out of the NYC office, so you must be in NYC or be willing to relocate. If 3 or more of these projects sound like fun to you, contact us!
- Automate Cisco LAN port configuration via Puppet
- Make our site-to-site VPN more reliable
- Tune NIC parameters for maximum performance / lowest latency
- Lead the network design of our global datacenter network deployment strategy
- Wrangle our BGP configurations for ease of updating and security
- Establish operational procedures for when ISPs report they can't reach us
Sounds interesting?
Google Backs Away from Default Lollipop Encryption
Lollipop encryption by default is still in the future. No conspiracy here; it seems like they don't have the appropriate drivers yet. But while relaxing the requirement might make sense technically, it's not a good public relations move. Android compatibility document. Slashdot story...
Understanding NBN
Call today from Kevin, the support manager of Aussie Broadband, addressing last weekend's outage. He wasn't able to help; despite the claims on the web site, they really don't have any real support at weekends, at least not for residential customers. Apparently they do for business customers. Does that make sense? A two day outage will annoy any VoIP user, whether business or residential. But Kevin promised to get somebody from the business team to contact me to talk about pricing. That's good, because they don't have anything about National Broadband Network for business customers on their web site. He also promised to bring it up at the next management meeting.
The Democratization of Cyberattack
The thing about infrastructure is that everyone uses it. If it's secure, it's secure for everyone. And if it's insecure, it's insecure for everyone. This forces some hard policy choices. When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's...
Understanding programming language syntax
Somebody posted this today: Amusing, yes. But it does beg the question about the use of the punctuation at the right. It's not until you run into weird bugs that you realize that they're on your side. One of the issues that (not only) I still have with Python ACM only downloads articles once.
Chasing the photo data corruption
A couple of days ago I discovered that there was a discrepancy between a photo file on my photo disk and on a backup disk. What was wrong? Today was time to make backups to the other disk, so clearly it was time to investigate before overwriting the good version. A good thing I did, too: most of the contents of the file on my primary disk was replaced by binary zeroes, exactly the scenario that I suggested a couple of days ago.
=== grog@eureka (/dev/pts/10) ~/Photos/20100717/orig 193 -> md5 P7178579*F
MD5 (P7178579-archived.ORF) = 56fef8f95e9fdc9caad4c4fc8049feed
MD5 (P7178579.ORF) = eae72bccd667956bedcfb5273de6dd69
=== grog@eureka (/dev/pts/10) ~/Photos/20100717/orig 194 -> cmp P7178579*F
P7178579-archived.ORF P7178579.ORF differ: char 6617089, line 31915
6617089 is not a number that immediately jumps out and grabs you.
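A check for the scenario above, written as an added example and not Greg's own script: given two copies of a file, it reports the first differing byte the way cmp does, measures how much of each copy consists of long runs of NUL bytes, and says which copy looks zero-filled, so that the intact copy is identified before a backup run overwrites it. The sample "raw file" and its zeroed tail are constructed inline; the function names and the minimum run length are assumptions.

```python
import hashlib
import re


def first_difference(a, b):
    """0-based offset of the first differing byte, or None if the copies are identical.
    cmp(1) prints the same position 1-based ("char N")."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def zero_runs(data, min_run=4096):
    """(start, length) of every run of NUL bytes at least min_run long."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x00{%d,}" % min_run, data)]


def diagnose(primary, backup, min_run=4096):
    """Compare two copies and say which one, if either, has been replaced by zeroes.
    Raw image files legitimately contain some zero padding, so the copies are judged
    against each other rather than against an absolute threshold."""
    off = first_difference(primary, backup)
    if off is None:
        return {"verdict": "identical", "md5": hashlib.md5(primary).hexdigest()}
    p_zero = sum(n for _, n in zero_runs(primary, min_run))
    b_zero = sum(n for _, n in zero_runs(backup, min_run))
    if p_zero > b_zero:
        verdict = "primary zero-filled; keep backup"
    elif b_zero > p_zero:
        verdict = "backup zero-filled; keep primary"
    else:
        verdict = "copies differ but neither is zero-filled; inspect by hand"
    return {
        "first_diff_char": off + 1,          # 1-based, as cmp reports it
        "primary_zero_bytes": p_zero,
        "backup_zero_bytes": b_zero,
        "primary_md5": hashlib.md5(primary).hexdigest(),
        "backup_md5": hashlib.md5(backup).hexdigest(),
        "verdict": verdict,
    }


def make_sample(size=20000, zero_from=6000):
    """Constructed stand-in for a raw image and its damaged copy: the backup is a
    deterministic byte pattern containing no NULs; the primary has its tail
    overwritten with zeroes, the failure seen in the post."""
    backup = bytes((i * 7 + 3) % 251 + 1 for i in range(size))
    primary = backup[:zero_from] + b"\x00" * (size - zero_from)
    return primary, backup


if __name__ == "__main__":
    # On real files: diagnose(open(a, "rb").read(), open(b, "rb").read())
    p, b = make_sample()
    for k, v in diagnose(p, b, min_run=64).items():
        print(f"{k}: {v}")
```

The md5 mismatch only says the copies differ; the zero-run comparison is what tells you which copy to trust, and it should be run before, not after, the backup job copies the primary over the archive.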