Blogs

Metaphors of Surveillance

Posted By Bruce Schneier

There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...

Reverse Heartbleed

Posted By Bruce Schneier

Heartbleed can affect clients as well as servers....

Overreacting to Risk

Posted By Bruce Schneier

This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...

CL XXVIII: Bigger Glass

Posted By Tim Bray

We did an opening-up overnighter; another year of Cottage Life has begun! Attentive readers will have noticed that Ive become a Fujifilm fanboi, but at the cabin Im still a proud Pentaxian, because my longest Fuji lens only goes to 55mm and things on the island are further away. So lets see what you can do with bigger glass. First of all, you can point the mighty Pentax DA* 50-135 f/2.8 (which, objectively speaking, is still probably the best lens Ive ever owned) at sharp-looking boats. Another option is to wait for the sun to get low  I find that a bottle of good white wine helps  then prop a ridiculous antique like the Tokina SL-400 f5.6 on your knee and point it at faraway objects, large and small.

Twenty-first Century Home Repair

Posted By Tim Bray

What happened was, a horrible windstorm took a big branch off the neighbors maple; it reduced one of our eavestroughs to scrap metal on the way down. Getting it fixed was (surprisingly) Net-mediated and pain-free. I say surprisingly because every homeowner knows the pain of dealing with residential construction/repair contractors. Theyre hard to reach, they tend not to show up on schedule, their interest in your job is inversely proportional to its size, and theyre relentless upsellers: Fix that gutter? Im not sure its worthwhile, why dont we put in new gutters all around and hey, itd be a good time to re-do the roof while were up there! I looked up a couple rain-mitigation businesses online and called them both on a Thursday.

Tails

Posted By Bruce Schneier

Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....

Video: Bart Gellman and me opening for Ed Snowden at SXSW

Posted By Cory Doctorow

Last month, Barton Gellman and I opened for Edward Snowden's first-ever public appearance, at the SXSW conference in Austin. The kind folks at SXSW have put the video online (the Snowden video itself was already up). I think we did a good job of framing the big questions raised by the Snowden leaks.

Book Title

Posted By Bruce Schneier

I previously posted that I am writing a book on security and power. Here are some title suggestions: Permanent Record: The Hidden Battles to Capture Your Data and Control Your World Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World They Already Know: The Hidden Battles to Capture Your Data and Control Your World We...

Auditing TrueCrypt

Posted By Bruce Schneier

Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis. Quick summary: I'm still using it....

Homeland Audiobook

Posted By Cory Doctorow

Wil Wheaton reads this independently produced audio edition of Homeland, which also includes Jacob Appelbaum's reading of his own afterword, and Noah Swartz reading his brother Aaron Swartz's afterword.

SBS on demand: only in emergencies

Posted By Greg Lehey

SBS TV is currently running an interesting series, Putin, Russia and the West, which their terminally broken web site can't find. I started watching the second episode a couple of days ago, but couldn't recall finishing it. Still, never mind, that's what SBS on demand is for: watch recent episodes via the web. So I tried that. What a catastrophe! First I had to log in, and the web page blocked automatic filling in of the user name and password. Finally I had found the information, but after it played some particularly emetic, non-skippable commercials, I get the message this program is currently not available.

Schneier Talks and Interviews

Posted By Bruce Schneier

Here are three articles about me from the last month. Also these three A/V links....

Schneier Speaking Schedule: AprilMay

Posted By Bruce Schneier

Here's my upcoming speaking schedule for April and May: Stanford Law School on April 15. Brown University in Providence, RI -- two times -- on April 24. The Global Summit for Leaders in Information Technology in Washington, DC, on May 7. The Institute of World Politics on May 8. The University of Zurich on May 21. IT Security Inside in...

Solving Fujifilms Problem

Posted By Tim Bray

I got this new camera from Fujifilm; its outstanding, but has a really irritating software problem. Fuji could fix that on the double-quick and at the same time turn the problem into a marketing weapon. How? Two words: Open source. The camera is the X-T1, which has been reviewed to death, for example here and here and here, and is in short-supply, back-ordered at Amazon and everywhere else. Photo credit: Nexus 5. The problem Ill probably write more about the camera, but today I want to focus on its wireless features, of which there are three: You can remote-control the camera from a mobile device.

Time Management training at SpiceWorld Austin, 2014

Posted By Tom Limoncelli

I'll be doing a time management class at SpiceWorld. Read about my talk and the conference at their website. If you register, use code "LIMONCELLI20" to save 20%. See you there!

Interview with LOPSA-East Keynote: Vish Ishaya

Posted By Tom Limoncelli

Vish Ishaya will be giving the opening keynote at LOPSA-East this year. I caught up with him to talk about his keynote, OpenStack, and how he got his start in tech. The conference is May 2-3, 2014 in New Brunswick, NJ. If you haven't registered, do it now! Tom Limoncelli: Tell us about your keynote. What should people expect / expect to learn? Vish Ishaya: The keynote will be about OpenStack as well as the unique challenges of running a cloud in the datacenter. Cloud development methodologies mean different approaches to problems. These approaches bring with them a new set of concerns.

GoGo Wireless Adds Surveillance Capabilities for Government

Posted By Bruce Schneier

The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government....

FreeBSD fixes OpenSSL bugtwice

Posted By Greg Lehey

Yesterday's forced upgrade of my OpenSSL installation also solved the Heartbleed issues. But that was the port security/openssl. There's also a version of OpenSSL in the base system. How do you know which you're using? The base program is /usr/bin/openssl, and the port is /usr/lcal/bin/openssl. Which do you execute? Depends only on the sequence of directories in your PATH environment variable. In my case, it's /usr/local/bin/openssl. You can check the version like this: === grog@eureka (/dev/pts/29) ~ 1 -> /usr/bin/openssl version OpenSSL 0.9.8y 5 Feb 2013 === grog@eureka (/dev/pts/29) ~ 2 -> /usr/local/bin/openssl version OpenSSL 1.0.1g 7 Apr 2014 But this is on my old, down-rev system, as the first output shows.

My Futuristic Tales of the Here and Now in Vodos indie science fiction bundle: comics, movies, novels, and more!

Posted By Cory Doctorow

Jamie from Vodo writes, "We've launched Otherworlds, our first indie sci-fi bundle! This pay-what-you-want, crossmedia collection includes the graphic novel collecting Cory's own 'Futuristic Tales of the Here and Now', Jim Munroe's micro-budget sci-fi satire 'Ghosts With Shit Jobs', Robert Venditti's New York Times Bestselling graphic novel 'The Surrogates', and Amber Benson/Adam Busch's alien office … [Read more]

Homeland audiobook, read by Wil Wheaton, is back on downpour.com

Posted By Cory Doctorow

For those of you who missed the audiobook in which Wil Wheaton reads my novel Homeland in the Humble Ebook Bundle, despair no longer! You can buy it DRM-free on the excellent Downpour.com, a site with many DRM-free audio titles. Homeland (audiobook)

Friday Squid Blogging: Bronze Giant Squid Sculpture

Posted By Bruce Schneier

A little too big for my house....

Spring on the Main

Posted By Tim Bray

Which is to say on Vancouvers Main Street, never actually been Main as such and isnt as cool as it thinks, but its my hood and full of life, and when the sun interrupts the long grey Pacific Northwest off-season, you can feel the life in the sidewalks and the buildings that are too old and shitty to gentrify, and even the hipster beards have better curl and loft. Also I got a new camera and that makes pictures seem to just take themselves. Lets ignore the camera for now, its just a prop to help me show off my home turf a bit.

More on Heartbleed

Posted By Bruce Schneier

This is an update to my earlier post. Cloudflare is reporting that its very difficult, if not practically impossible, to steal SSL private keys with this attack. Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not...

Replace Kathleen Sebelius with a sysadmin!

Posted By Tom Limoncelli

Scientists complain that there are only 2 scientists in congress and how difficult they find it to explain basic science to their peers. What about system administrators? How many people in congress or on the president's cabinet have every had the root or administrator password to systems that other people depend on? Health and Human Services Secretary Kathleen Sebelius announced her resignation and the media has been a mix of claiming she's leaving in disgrace after the failed ACA website launch countered with she stuck it out until it was a success, which redeems her. The truth is, folks, how many of you have launched a website and had it work perfectly the first day?

Police Disabling Their own Voice Recorders

Posted By Bruce Schneier

This is not a surprise: The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year. The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officers belt-worn transmitter....

OpenSSL: Upgrade!

Posted By Greg Lehey

OpenSSL is certainly the the topic of the month, but that topic doesn't address my problem: why can I not access qpopper on my new server, while anybody else can (but not login, of course), and I can access qpopper on the old server with the same software? It wasn't a FreeBSD issue: I also tried with Linux both from my network (failed) and externally (worked). Asked on IRC, and most people confirmed that they could access it. Only Jamie Fraser had the same problems as I did. At least that took the emphasis off the network connection. In the meantime, I bitched and moaned about the fact that I had to have a certificate in the first place and have the choice of a paid signature or an untrusted certificate.

LISA CFP Deadline Extended to Fri, 4/18!

Posted By Tom Limoncelli

Whether you are submitting a talk proposal, workshop, tutorial, or research paper, the call for participation submission deadline has been extended to Friday, 4/18! Submit today!

Another OpenSSL issue

Posted By Greg Lehey

Today was the day that the Heartbleed bug was announced. Did I care? I had my own OpenSSL issues. Mainly for Chris Bahlo's sake we run qpopper on our external server, and today I had to migrate it. I failed. I suppose part of the issue is my aversion to the entire thing. It requires certificates, and you have the choice of paying money to somebody to sing the certificates, or be our own certificate authority. Since this is only for our personal use, we're more than happy to take the second choice, and that's what we've been doing for nearly 5 years.

Heartbleed

Posted By Bruce Schneier

Heartbleed is a catastrophic bug in OpenSSL: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows...

Migrating external servers

Posted By Greg Lehey

I had intended to take my time migrating my web server to the new platform. RootBSD have given me a month, and so far it has only been a week. But then I heard from Stephen Rothwell that he's migrating ozlabs.org to a new platform tomorrow. That will involveoh horror!one hour's downtime, and it will also require a change in IP address, which is a bit of work in itself. So: what do I need to do to get the new platform up and running? Web server, mail server (for web-generated error messages) and DNS. The web server's already running, but without PHP.

Interview with LOPSA-East Keynote: Elizabeth Krumbach Joseph

Posted By Tom Limoncelli

Elizabeth Krumbach Joseph will be giving the closing keynote at LOPSA-East this year. I caught up with her to talk about her keynote, source code management, and Star Wars. The conference is May 2-3, 2014 in New Brunswick, NJ. If you haven't registered, do it now! (We'll have an interview with the opening keynote, Vish Ishaya, soon.) Tom Limoncelli: Tell us about your keynote. What should people expect / expect to learn? Elizabeth Krumbach Joseph: Over the past few years there have been a number of high profile incidents and news stories around the subject of women in technology. In my keynote I'll be giving some solid advice for how the technology industry, and each of us, can do a better job of attracting and keeping talent.

Vancouveriana

Posted By Tim Bray

Two pairs of pictures that could only have been taken right here in my hometown. City Hall Its design is, admittedly, vaguely Stalinist; an effect relieved by the disorderly tree-filled jumble around it, and especially by the pink neon clock. Ive seen a million pictures of it but never from this angle before. Since the building is sort of monochrome I decided to try a B&W treatment of another shot, and it worked OK. Disclosure: The building has a flagpole and a radio antenna,but I amputated them. The harbour Its the reason Vancouver exists, so we should respect it. What happened was, I was out with an Ingress flash-farm posse, and I have to say it was really damn pleasant strolling around Waterfront Park with the sun setting, chatting with the people.

"Unbreakable" Encryption Almost Certainly Isn't

Posted By Bruce Schneier

This headline is provocative: "Human biology inspires 'unbreakable' encryption." The article is similarly nonsensical: Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack. Information can be encrypted...

Firmware update, Nikon style

Posted By Greg Lehey

One of my main objections to Olympus' Digital Camera Updater is that it exists. I know from the existence of the Canon Hack Development Kit that Canon/business/imaging.html does it via the memory card. What about Nikon? Checked, and yes, they do it that way too. But in the process I discovered a firmware update for my old CoolPix L1. OK, that's worth trying for comparison's sake, even though the update doesn't reallly mean anything to me: With a PictBridge connection to certain printers, images with a file size greater than 1 MB - those captured at higher quality settings such as 6M* High (2816*) - began printing irregularly part way through the printing process.

A day wasted with Olympus firmware updates

Posted By Greg Lehey

Yesterday I managed to upgrade the firmware for my Olympus Zuiko Digital ED 70-300mm telephoto using the Olympus E-30 and Microsoft Vista, but by then the day was over, so I didn't get round to upgrading the firmware for the E-M1. That should be pretty straightforward with Vista, but I wanted to understand why it didn't work with Windows 7. Called up Olympus support on 1300 659 678 and spoke to Vivian, who told me that it was a Windows error, and that they couldn't help.

C++ and Beyond Encore in 2014: Sep 29  Oct 1, Stuttgart, Germany

Posted By Herb Sutter

A lot of you have been asking me whether there will be some sort of C++ and Beyond in 2014. Also, over the past few years many of you have also asked me if there will ever be a C&B outside North America. I’m pleased to report that we are doing a ‘European Encore’ event […]

The Youngest Security Researcher

Posted By Bruce Schneier

Five-year-old finds login vulnerability in Microsoft Xbox....

Updating firmware, Olympus style

Posted By Greg Lehey

Olympus has released new firmware for the E-M1, so today I tried to install it. What a catastrophe! Other vendors do it correctly and supply a downloadable file that can then be copied to the camera via USB. But Olympus has a special program to do this, and of course it only runs on certain softwareand hardware, it seems. From their system requirements: This software requires a computer with a pre-installed operating system. Operation is not guaranteed when using a home-built PC or upgraded operating system. It's a good thing Olympus doesn't make computers, or they might restrict its use to their own computers.

Springies

Posted By Tim Bray

The name is a back-formation from selfie, obviously. Herewith four botanicals only conceivable in the season after winter. First, a magnolia blossom emerging from its carapace; I didnt open the shutters wide enough to blur out the background but its still kinda cute. Next, a white camellia with red spots; not a terribly common flavor unless my Internet search results mislead me. Does anyone out there know what this kind is called? Finally, Sakura; all sorts of focus problems but still, it made me happy to see them, and I hope it helps your mood too. We have just maybe survived this winter.

How to fill 32 GB memory

Posted By Greg Lehey

While processing my photos this morning, I discovered that I was using 70% (7 GB) of swap. How could that happen? I have 32 GB of memory in this box. Further investigation showed that I had left a wireshark process running, and it had collected in the order of 32 million packetsand stored them all in memory!   PID USERNAME      THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND 14334 root            1  21    0 24819M 20095M select  7  22:26  5.27% wireshark A good reason to keep an eye on these things.

Microsoft space programs: why so slow?

Posted By Greg Lehey

I've been grumblingwith good reasonabout the speed of my Microsoft-based programs for some time. I used to think that DxO Optics Pro was particularly slow, but the other ones I'm using aren't noticeably faster, and Olympus Viewer is significantly slower. In particular, display refreshing is a matter of chance, and some things are orders of magnitude slower than on FreeBSD. Part of this is the insistence on showing unrecognizable images of each file. Today I measured the time it took DxO to start up and get as far as being able to do anything useful: Time       Elapsed       Status ...

Ethical Privacy Choices

Posted By Tim Bray

Heres a little rant I posted to an IETF mailing list thread on whether the IETF should move its public-facing services to private-by-default mode. Someone posted a reply suggesting that the user gets to choose the degree of security that they consider appropriate. Here, I think, is a key issue. I disagree. What?! How can I possibly disagree with user choice? Because, a huge majority of people: Arent aware that there is a choice to be made, and shouldnt need to be, Do not understand the technical issues surrounding the choice, and shouldnt have to, Do not understand the legal/policy issues surrounding the choice, and shouldnt have to.

Friday Squid Blogging: Squid + Security in a Cartoon

Posted By Bruce Schneier

Funny....

Yesterdays Build talk is now online

Posted By Herb Sutter

That was fast! Filed under: C++, Microsoft

How to...

Posted By Tom Limoncelli

Here's a thought to begin your weekend: How to stop time: kiss. How to travel in time: read. How to escape time: music. How to feel time: write. How to waste time: social media.— Matt Haig (@matthaig1) March 8, 2014

Mass Surveillance by Eavesdropping on Web Cookies

Posted By Bruce Schneier

Interesting research: Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the users IP address varies. Using simulated browsing...

... and stoop to build 'em up with worn-out tools

Posted By Greg Lehey

It's been over a day since I got a patch to ls(1) from Kirk McKusick. Why didn't I commit it? First I needed to bring my FreeBSD -CURRENT system up to date. Then I discovered that the disk was PATA and thus no longer fitted into my test box. Still, I had an older box lying around, the remains of my teevee computer after Yet Another Power Surge killed the USB bus and the Ethernet interface, so put the disk into it and started bringing -CURRENT up to date. And that took 24 hours! On rebooting, I didn't have any Ethernet devices!

N5-Cam VII: Long Train Ride

Posted By Tim Bray

On March 1st I went from Barcelona to London by train. It was amusing and relaxing; If you can spare a day and some money, I recommend it. You get on a Spanish Renfe train at 9AM-ish from Barcelona Sants, arrive at Paris Gare de Lyon at 4-ish, get on the Eurostar from Gare du Nord at 5:20-ish, and arrive at London St. Pancras at 6:15. Buying the ticket from Renfe and Eurostar using a computer in Canada turned out to be hard; Web search totally tailed to turn up a useful vendor, but I complained on Twitter and got a pointer to Loco2, who apparently exist to do exactly that.

Reader Q&A: Generic lambdas

Posted By Herb Sutter

Tim just added this comment on the GotW #3 Solution blog post from last year: Are you sure you can use auto in lambda like this?I can not compile the code and I’m pretty sure auto does not work here. If you mean auto as a lambda parameter type, such as [](auto& s){ use(s); } […]

Build talk tomorrow: Modern C++  What you need to know

Posted By Herb Sutter

If you’re at Build in San Francisco tomorrow afternoon, I invite you to swing by and spend an hour with us in session 2-661: Modern C++: What you need to know by Herb Sutter Build 2014, Room 20052:30-3:30 pm, Thursday April 3, 2014 If you’re new to C++, this talk is aimed directly at you. […]

Ephemeral Apps

Posted By Bruce Schneier

Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there's no record. This notion is especially popular with young people,...

Why I dont believe in robots

Posted By Cory Doctorow

My new Guardian column is "Why it is not possible to regulate robots," which discusses where and how robots can be regulated, and whether there is any sensible ground for "robot law" as distinct from "computer law." One thing that is glaringly absent from both the Heinleinian and Asimovian brain is the idea of software … [Read more]

ls: our grandfathers' cruft

Posted By Greg Lehey

Mail from Kirk McKusick today enclosing a patch to ls from Igor Sobrado of the OpenBSD project. It seems that FreeBSD ls (and maybe ls from some other BSDs) doesn't conform to the standard. The -f (don't sort) flag must imply the -a (show entries starting with a dot) flag: -f List the entries in directory operands in the order they appear in the directory. The behavior for non-directory operands is unspecified. This option shall turn on -a. When -f is specified, any occurrences of the -r, -S, and -t options shall be ignored and any occurrences of the -A, [XSI] -g, -l, -n, [XSI] -o, and -s options may be ignored.

New machine

Posted By Greg Lehey

Chris Bahlo and I have had a virtual server with RootBSD for nearly 6 years. Although my professional life was very much related to high availability, this one beat everything I have experienced. It's sad that hardware failure took it down just 2 weeks before the 5 year anniversary, but that's still 1,733 days uptime, nothing to sneeze at. The down side, of course, is that the operating system is 6 years down-rev. In addition, the disk space is minusculeonly 10 GBso I've been hosting my many photos with my friends at Ozlabs. But their conditions are changing, and one of the problems is that I am generating half their traffic.

Introducing the Python Time Travel Debugger

Posted By Tom Limoncelli

Today I'm open sourcing a productivity tool that I've been very excited about: A time-travel extension to the Python Debugger (PDB). Have you ever been using PDB to step through a program and suddenly realize you wish you could jump back in time and know what a variable used to contain? This version of PDB adds the ability to jump back in time to the state of your program as it was in the past. You can examine variables and even continue execution from that point forward (though that is dangerous because it may harm the time space continuum.) How it works: As you know, time is the 4th dimension.

LOPSA-East 2014 is one month away! Register today!

Posted By Tom Limoncelli

I'll be presenting a few different talks at LOPSA-East, in New Brunswick, NJ, May 2-3, 2014. Tutorials: Introduction to Time Management (half day) Evil Genius 101 (half day) Talks: Sneak peek at my next book: The Practice of Cloud Administration (this is the ONLY conference that will be getting a sneak peek before it is released this September) The Stack at Stack Exchange (how stackexchange.com works) Tom's Top 5 Time Management Tips Hope to see you there! Register today! http://lopsa-east.org/2014/

Velocity Santa Clara best price deals end April 3rd

Posted By Tom Limoncelli

Seventh Movie-Plot Threat Contest

Posted By Bruce Schneier

As you might expect, this year's contest has the NSA as the villain: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling...

Wireless camera access: new hardware

Posted By Greg Lehey

On 21 February 2014 I bought a USB wireless LAN adapter on eBay: After a month, there was still no sign of it, so I asked for and got a refund, then purchased a new one. Today the first one arrived: it hadn't been posted until 15 March 2014, over three weeks after purchase and only a couple of days before the refund. No wonder it didn't arrive on time. And how does it work? Mar 31 14:48:32 stable-amd64 root: Unknown USB device: vendor 0x148f product 0x5370 bus uhub3 Still, that's enough to google for, and the first hit related to FreeBSD.