Entries Tagged as 'The New Web'

Debian installer on a USB key

I couldn’t find a concise article about creating a Debian installer USB key with a writable file system, so here is my take.  This assumes you have an available Linux system.  Note that some old BIOSes might not happily boot USB drives created in this way.

  • Install syslinux
  • Insert the USB key and find the device using dmesg (assumed to be at /dev/sdg below)
  • Create a FAT partition, mark it bootable (assumed at /dev/sdg1 below)
  • Put mbr.bin on the key (cat /usr/lib/syslinux/mbr.bin > /dev/sdg)
  • Mount the FAT partition and put the following files on it:
  • Unmount the FAT partition if it was mounted (umount /dev/sdg1)
  • Run syslinux /dev/sdg1

You can also automate the installation.  See: http://www.debian.org/releases/stable/amd64/apb.html.en.  The preseed.cfg file should go into the root folder of the USB key.  You can then change the syslinux.cfg file to:


default vmlinuz

append initrd=initrd.gz auto file=/hd-media/preseed.cfg locale=en_US console-keymaps-at/keymap=us

 You now have a bootable USB key that you can also easily modify.

 

USENIX Security Conference 2011

I am attending the USENIX security conference this week. Sessions are available online. Here are my notes from sessions that I found interesting (bold for extra):

Network Security in the Medium Term: 2061–2561 AD, Charles Stross

Stross is one of my favorite science fiction authors. The main direction of the talk was the future political importance of information security. This is due to the intrusiveness of future information breaches once lifelogging, bioinformatics and other very intimate technologies are adopted.

Fast and Precise Sanitizer Analysis with BEK, Pieter Hooimeijer, et al

  • Compared different HTML sanitizers using an automated harness. Sanitizers from MS included (4), as well as new implementations (3).
  • Four of these were equivalent.
  • Only one protected against all the examples from the XSS Cheat Sheet

Toward Secure Embedded Web Interfaces, Baptiste Gourdin, et al

  • 50 security vulnerabilities reported to CERT
  • All manufacturers had vulnerabilities (XSS, CSRf, …)
  • Author proposes WebDroid security distribution for embedded web interfaces (framework as “firewall”)

Comprehensive Experimental Analyses of Automotive Attack Surfaces, Stephen Checkoway, et al

  • Cars have an instrument bus
  • access to the bus gives complete control
  • can disable breaks, engine, even while in motion
  • attack surface:
    • bus extends to media ports and charging
    • bluetooth
    • remote keyless entry
    • wifi
    • digital radio
    • telematics: automated crash reporting / roadside assistance
  • completely compromised by author: bluetooth, media ports, more
    • crafted cdrom (iso-9660, wma)
    • strcpy in bluetooth stack – craft trojan in android
    • bruteforce pin for pairing (hours)
    • undetectable to users
    • telematics compromise through cellular interface
  • compromise is silent and attacks can be triggered later

Privacy in the Age of Augmented Reality, Alessandro Acquisti, et al

  • De-identified faces matched to identified (FB, …)
  • 10% of FB profiles are pseudonymous
  • Experiments:
    • Unidentified: dating site photos
    • Identified: FB profiles
    • Only match to highest ranked matched from matching algorithm:
    • 10% success rate for re-identification
    • Against pittpatt (acquired by google)
    • 30% success
    • Predicting SSN from DOB, etc.
    • 5 digits matched in four attempts
    • iPhone app for real-time re-identification
  • PPI – personally predictable information

Secure In-Band Wireless Pairing, Shyamnath Gollakota, et al

  • Authors present a method for secure wireless pairing
  • No secondary channel (display, keyboard, infrared, …)
  • secure against MITM
  • Tamper evident message
  • cannot be altered, hidden, prevented without being detected
  • patterns of silence based on hash of message
  • sync pattern longer than any collision

TRESOR Runs Encryption Securely Outside RAM, Tilo Müller and Felix C. Freiling:

  • Prevents cold book attack
  • Uses AES-NI instruction set

A Study of Android Application Security, William Enck, et al

  • Decompiled and statically analyzed 21 millions lines of free Android apps
  • Pervasive misuse of private info and bad security practices
  • High market penetration of ad networks

Permission Re-Delegation: Attacks and Defenses, Adrienne Porter Felt, et al

  • I call this “cross app request forgery” 😉
  • A large fraction of apps mistakenly expose sensitive functionality through intents
  • Malicious apps can abuse this
  • For example, turn on BT, Wifi, GPS
  • Suggests a way to mitigate through dynamic privilege reduction

Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, et al

  • Telex converts innocuous, unblocked websites into proxies, without their explicit collaboration
  • Trigger routing to a proxy while accessing an “innocent” web site by putting a special nonce in the TLS negotiation
  • Could be used to bypass state censorship
  • To be deployed by ISPs on routers
  • Idea: consider deploying on web servers

Three Researchers, Five Conjectures: An Empirical Analysis of TOM-Skype Censorship and Surveillance, Jeffrey Knockel, et al

  • Detailed analysis of Chinese censorship through the compromised version of Skype used in China (with Skype’s cooperation)
  • Application uses a list of keywords to flag conversations for surveillance
  • Keywords triggering surveillance include mostly political and location words
  • Conjectures by authors include:
    “Censorship is effective, despite attempts to evade it.” ,
    “Censored memes spread differently than uncensored memes.”,
    “Keyword based censorship is more effective when the censored keywords are unknown and on-line activity is, or is believed to be, under constant surveillance.”,
    “The types of keywords censored in peer-to-peer communications are fundamentally different than the types of keywords censored in client-server communications.”,
    “Neologisms are an effective technique in evading keyword based censorship, but censors frequently learn of their existence.”
  • Complete lists with translations of the censorship and surveillance keywords for TOM-Skype are available at http://cs.unm.edu/~jeffk/tom-skype/

Moving your Android Contact List to a New Phone

This is a somewhat technical article and assumes knowledge of Android and Linux.

Just got a Nexus S, and had some issues moving my contact list from my old phone. So I decided to write this up.

You have two options:

* If you come from a ROM that allows export to SD, just use Import/Export to USB storage, copy the file over, then import it

* Option #2 would have been to use Titanium Backup. However, it doesn’t seem to work right for restoring on the Nexus S (yet).

* Otherwise, you can copy the contacts2.db file. Of course, you have to root your target phone first. Then copy the db file to the sdcard.

As root, do (assuming standard layout):


cd /data/data/com.android.providers.contacts/databases
rm contacts2.db
cat /sdcard/contacts2.db > contacts2.db
chmod 660 contacts2.db
ls -l .. # see who owns this directory
chown contats2.db

You might have to restart your phone for the contacts to be re-read.

Atomically Precise Fabrication

Zyvex can now build atomically precise 3-D structures from silicon.  That’s a nano equivalent to the MakerBot.

Arbitrary structures can be used to build templates and tools that can further build other tools, bootstrapping a new industry.

Eben Moglen’s Talk – Freedom in the Cloud

A very insightful talk about how we lost our freedom and how to regain it

You can also read the full transcript linked from there.

Motivation and Background for the User Controlled Web

Here are some background pointers:

list of projects in this space.  The Diaspora project is listed under “deployable on commodity webhosting”.  I was under the impression that they are actually more of a p2p application.

set of ideas for this space on the GNU Social wiki.

Adriana Lukas talks about the user-controlled web and the mine project.   (She coins a fun acronym: Relationships on Individuals’ Own Terms – RIOT. )

(flash video removed June 2016)

There seems to be quite a bit of activity with 20-30 projects, but the efforts are fragmented.  Different projects have different goals and approaches.  Some focus on a piece of the user experience and others focus on technology.  For example, the Mine! project is a technology piece focused on rich sharing of data (including links, photos) with strong user control.  OneSocialWeb is focused on messaging.  With Elgg you can create social networks – but it’s not really user controlled.

Diversity is great, but one or two well-thought out efforts need to win.   Critical mass is a must in order to win in this space.

The Diaspora Project and the User Controlled Web

I’m pretty excited about the Diaspora project generating a groundswell of support. They managed to raise $170K in two weeks through kickstarter (they asked for $10K).

Why am I excited? I’ve written before about walled gardens and user controlled Internet apps. It is crucial that we invert the control structure of the web if we want to be in control of our destiny.

There are some critical challenges that a user-controlled system must face:

  • Secure software distribution – users will want to install applets inside their environments.  Third party audit and signing of code will be necessary in order to keep the apps flowing, but without compromising users’ instances.  Applets will also have to be firewalled from each-other – as some will be more trusted and some less.  I’ve previously written a couple of posts about the challenges of secure software distribution.
  • Peer to peer naming and search – it should be easy to find stuff, without necessarily knowing their URLs.  A global, fully distributed naming and search system will be important.
  • A distributed reputation system will be a natural fit for a distributed social network.
  • Memory footprint – current web application frameworks are designed for high volume apps, and therefore take up quite a bit of memory to load application code. These frameworks can afford to do so, because they expect to amortize the memory over many users. However, a user-controlled system will have one user per instance. Clever memory sharing among instances will be necessary.

I can’t wait to see what the first prototype looks like.

There are some additional projects along these lines that are worth a look and are actually further along:

Maybe none of these will make it.  But the $170K is a signal – that people care about this.

DNA not Patentable

Sanity prevails in federal court!  News at 11.

Brain Preservation Tech Prize

As a Cryonics member, I became interested in a new initiative to fixate the brain in a plastic medium: brainpreservation.org

Would be excellent to have a high fidelity preservation procedure that doesn’t require maintenance (such as liquid nitrogen in the case of Cryonics).

Quantified Self: CMS50 Oximeter

After attending a couple of Quantified Self meetups, I was inspired to quantify various aspects of myself and my life.  For example, I was wondering if I am breathing well while I sleep, since I have been waking up tired on occasion.

I bought the Contec CMS50-F oximeter from here.

The software that comes with the CMS50 could be more reliable and user-friendly, and only runs on Windows.  I ended up spending a day  reverse engineering the USB protocol and writing a Python program to acquire and graph the data.  The software is on Gitorious.

Here are some of the charts you can get:

Blue Brain Project Documentary – Year 1

Noah Hutton’s company Couple 3 Films has released year 1 of a 10 year documentary project documenting the Blue Brain project.  The project includes Henry Markham’s work on reverse engineering the brain, scaling up from rodents to humans by 2010.

The work is funded by the Swiss government.

$3000 Whole Genome Sequencing Cost

Life Technologies announces $3,000 marginal cost (later this year) for sequencing complete human genomes.  This is after Illumina announced the same for $10,000 (now).  So a $1,000 genome early next year?

Here comes personalized medicine.

Attack Scenarios on Software Distributions

I’ve been asked to outline specific scenarios after I posted a previous entry on the Google’s network compromise.  Here are some, from most serious to least serious:

  • Build host – the machines that compile the source into binary packages are compromised.  In this scenario, code can be injected by the malicious party into the package just before it is signed and prepared for distribution.  All clients that install the updated packages are affected.  A software audit cannot identify the altered packages because the alteration happens after binaries are generated.
  • Distribution host and Signing key – the machines that host the packages for distribution (web servers) are compromised and the package signing key is compromised.  The effect of this is the same as a build host compromise.
  • Source repository – the machines that host the software source-code are compromised.  This allows code to be injected and all clients are affected.  However, a software audit can uncover the injected code.
  • Insider threats – an insider can insert non-obvious security holes into software they are responsible for.
  • Signing key – the key used to sign the software distribution is compromised.  This would allow the malicious party to compromise only specific targeted clients through a “man-in-the-middle” attack and DNS poisoning

How would multiple independent auditors help?  If the auditors can verify that a binary was produced from certain source, the build host compromise would be much harder, since the altered binary would not signed by the uncompromised auditors.  Similarly, a signing key compromise, if it is limited to a subset of auditors, would fail to get a full set of signatures on the altered package.

Source repository compromise and Insider injection of security holes would be more difficult to detect for subtle exploits, but again, multiple entities looking at the code increases the chances that the alteration would be caught.

(Note: verification that a certain binary was produced from certain source code requires a deterministic build system. Although such a system is relatively straightforward to implement, I have not run across one before I implemented Gitian.  I did find mention of it by Conifer Systems.)

Doubling in Incidence of Malicious Data Breaches

CNet reports on Ponemon institute’s survey showing a doubling of data breach incidents.

Average cost per record in the surveyed group is around $200.

Operation Aurora and Software Distributions as Single Points of Security Failure

Operation Aurora (Google’s compromise by China) highlights the possibility that software distributions may be targeted for code injection by malicious parties.  If Apple, Microsoft or a linux distributors are compromised, a large percentage of individuals, businesses and governments could be consequentially compromised when they install software updates.

One way to mitigate such a risk is to have multiple independent security auditors sign software distributions.  This is more likely to be successful in an open-source environment, where source is available and can easily be inspected.  I started such an initiative in late 2009 – Gitian.org.

Nasal flu vaccine

Alex and I got nasal H1N1 vaccines on Tue. I felt tired on Wed and Alex has a sore throat. Nasal is live-attenuated instead of dead virus.

Apparently symptoms are more likely with the nasal. On the up-side – no preservatives!

Does the nasal-spray flu vaccine LAIV (FluMist) contain thimerosal?

No, the nasal-spray flu vaccine LAIV (FluMist) does not contain thimerosal or any other preservative.

The computation market becomes more liquid

The Register tells us that Amazon will auction their excess capacity.  We’re a couple of steps away from computation becoming a liquid commodity.  The next step is for a couple of additional providers to arise (Google?).  The step after that is for the APIs to be brought in sync by the providers or by a third party intermediary.

How I stopped worrying and learned to love technofixes

Peter Thiel writes regarding the failure of Democracy to preserve freedom and some possible technofix strategies. He includes are thoughts about creating freedom in Cyberspace, Outer space or on the high seas. I think it would be interesting to build certain distributed Internet apps that could change the dynamics of freedom, including reputation systems, gifting/barter systems and user-controlled Internet apps.
[Read more →]

Freedom is generative

I’ve been thinking about what we learned about freedom from the open-source movement.

I think one of the more important benefits of freedom is that it is generative. You can glue things together in ways that create completely new things. For example, you can take the Internet, existing computers and the ability to write software (originally the Mosaic browser) and create a whole new ecosystem – the World Wide Web.

What if you didn’t have the freedom to transmit arbitrary data on wires? You’d have the telco monopoly and no Internet. If you couldn’t talk to anybody you want? You’d get the original walled-garden AOL. If you couldn’t write arbitrary software?

But there’s nothing specific to software in this lesson. What if you couldn’t freely associate? If you couldn’t invest in arbitrary ideas? If someone else made the decisions for you?

Another question is how much could we go beyond the current state of affairs. I think we could have significantly more freedom in technology and obtain much richer outcomes.

For example, if reputations systems were not stuck in walled gardens, such as eBay and Amazon seller ratings, we could have a global reputation system. Such a system will be immensely more useful, since it could be used to guide us in every interaction rather than just the current 1%. I would guess that such a system could guide you to interesting content and interaction with uncanny accuracy. Such a system would have to be decentralized and user-controlled to protect the users’ interests.

Another promising direction is the Google Android phone OS. If you buy one of the unlocked ones (also known as dev phones), you can re-compile and install the OS and any applications you want. Google maps is one mobile killer app, but there will be more, and I would guess the truly groundbreaking ones will not pass the iPhone store gateway keepers. (see here, here and many others).

I sometime pay a price for being an early adopter and eschewing closed solutions. Yes, the iPhone is very slick and music from the iTunes store was tempting even when it was all DRM. But I think in the long term open solutions will be much more valuable. The original AOL was nice for the time, but it’s dead now.

Reputation Economies symposium

O’Reilly Radar has a blog post about the Yale symposium on reputation economies in cyberspace.