COVID-19 Resource Page

I started a COVID-19 resource page.

Debian installer on a USB key

I couldn’t find a concise article about creating a Debian installer USB key with a writable file system, so here is my take.  This assumes you have an available Linux system.  Note that some old BIOSes might not happily boot USB drives created in this way.

  • Install syslinux
  • Insert the USB key and find the device using dmesg (assumed to be at /dev/sdg below)
  • Create a FAT partition, mark it bootable (assumed at /dev/sdg1 below)
  • Put mbr.bin on the key (cat /usr/lib/syslinux/mbr.bin > /dev/sdg)
  • Mount the FAT partition and put the following files on it:
  • Unmount the FAT partition if it was mounted (umount /dev/sdg1)
  • Run syslinux /dev/sdg1

You can also automate the installation.  See: http://www.debian.org/releases/stable/amd64/apb.html.en.  The preseed.cfg file should go into the root folder of the USB key.  You can then change the syslinux.cfg file to:


default vmlinuz

append initrd=initrd.gz auto file=/hd-media/preseed.cfg locale=en_US console-keymaps-at/keymap=us

 You now have a bootable USB key that you can also easily modify.

 

USENIX Security Conference 2011

I am attending the USENIX security conference this week. Sessions are available online. Here are my notes from sessions that I found interesting (bold for extra):

Network Security in the Medium Term: 2061–2561 AD, Charles Stross

Stross is one of my favorite science fiction authors. The main direction of the talk was the future political importance of information security. This is due to the intrusiveness of future information breaches once lifelogging, bioinformatics and other very intimate technologies are adopted.

Fast and Precise Sanitizer Analysis with BEK, Pieter Hooimeijer, et al

  • Compared different HTML sanitizers using an automated harness. Sanitizers from MS included (4), as well as new implementations (3).
  • Four of these were equivalent.
  • Only one protected against all the examples from the XSS Cheat Sheet

Toward Secure Embedded Web Interfaces, Baptiste Gourdin, et al

  • 50 security vulnerabilities reported to CERT
  • All manufacturers had vulnerabilities (XSS, CSRf, …)
  • Author proposes WebDroid security distribution for embedded web interfaces (framework as “firewall”)

Comprehensive Experimental Analyses of Automotive Attack Surfaces, Stephen Checkoway, et al

  • Cars have an instrument bus
  • access to the bus gives complete control
  • can disable breaks, engine, even while in motion
  • attack surface:
    • bus extends to media ports and charging
    • bluetooth
    • remote keyless entry
    • wifi
    • digital radio
    • telematics: automated crash reporting / roadside assistance
  • completely compromised by author: bluetooth, media ports, more
    • crafted cdrom (iso-9660, wma)
    • strcpy in bluetooth stack – craft trojan in android
    • bruteforce pin for pairing (hours)
    • undetectable to users
    • telematics compromise through cellular interface
  • compromise is silent and attacks can be triggered later

Privacy in the Age of Augmented Reality, Alessandro Acquisti, et al

  • De-identified faces matched to identified (FB, …)
  • 10% of FB profiles are pseudonymous
  • Experiments:
    • Unidentified: dating site photos
    • Identified: FB profiles
    • Only match to highest ranked matched from matching algorithm:
    • 10% success rate for re-identification
    • Against pittpatt (acquired by google)
    • 30% success
    • Predicting SSN from DOB, etc.
    • 5 digits matched in four attempts
    • iPhone app for real-time re-identification
  • PPI – personally predictable information

Secure In-Band Wireless Pairing, Shyamnath Gollakota, et al

  • Authors present a method for secure wireless pairing
  • No secondary channel (display, keyboard, infrared, …)
  • secure against MITM
  • Tamper evident message
  • cannot be altered, hidden, prevented without being detected
  • patterns of silence based on hash of message
  • sync pattern longer than any collision

TRESOR Runs Encryption Securely Outside RAM, Tilo Müller and Felix C. Freiling:

  • Prevents cold book attack
  • Uses AES-NI instruction set

A Study of Android Application Security, William Enck, et al

  • Decompiled and statically analyzed 21 millions lines of free Android apps
  • Pervasive misuse of private info and bad security practices
  • High market penetration of ad networks

Permission Re-Delegation: Attacks and Defenses, Adrienne Porter Felt, et al

  • I call this “cross app request forgery” 😉
  • A large fraction of apps mistakenly expose sensitive functionality through intents
  • Malicious apps can abuse this
  • For example, turn on BT, Wifi, GPS
  • Suggests a way to mitigate through dynamic privilege reduction

Telex: Anticensorship in the Network Infrastructure, Eric Wustrow, et al

  • Telex converts innocuous, unblocked websites into proxies, without their explicit collaboration
  • Trigger routing to a proxy while accessing an “innocent” web site by putting a special nonce in the TLS negotiation
  • Could be used to bypass state censorship
  • To be deployed by ISPs on routers
  • Idea: consider deploying on web servers

Three Researchers, Five Conjectures: An Empirical Analysis of TOM-Skype Censorship and Surveillance, Jeffrey Knockel, et al

  • Detailed analysis of Chinese censorship through the compromised version of Skype used in China (with Skype’s cooperation)
  • Application uses a list of keywords to flag conversations for surveillance
  • Keywords triggering surveillance include mostly political and location words
  • Conjectures by authors include:
    “Censorship is effective, despite attempts to evade it.” ,
    “Censored memes spread differently than uncensored memes.”,
    “Keyword based censorship is more effective when the censored keywords are unknown and on-line activity is, or is believed to be, under constant surveillance.”,
    “The types of keywords censored in peer-to-peer communications are fundamentally different than the types of keywords censored in client-server communications.”,
    “Neologisms are an effective technique in evading keyword based censorship, but censors frequently learn of their existence.”
  • Complete lists with translations of the censorship and surveillance keywords for TOM-Skype are available at http://cs.unm.edu/~jeffk/tom-skype/

Moving your Android Contact List to a New Phone

This is a somewhat technical article and assumes knowledge of Android and Linux.

Just got a Nexus S, and had some issues moving my contact list from my old phone. So I decided to write this up.

You have two options:

* If you come from a ROM that allows export to SD, just use Import/Export to USB storage, copy the file over, then import it

* Option #2 would have been to use Titanium Backup. However, it doesn’t seem to work right for restoring on the Nexus S (yet).

* Otherwise, you can copy the contacts2.db file. Of course, you have to root your target phone first. Then copy the db file to the sdcard.

As root, do (assuming standard layout):


cd /data/data/com.android.providers.contacts/databases
rm contacts2.db
cat /sdcard/contacts2.db > contacts2.db
chmod 660 contacts2.db
ls -l .. # see who owns this directory
chown contats2.db

You might have to restart your phone for the contacts to be re-read.

Atomically Precise Fabrication

Zyvex can now build atomically precise 3-D structures from silicon.  That’s a nano equivalent to the MakerBot.

Arbitrary structures can be used to build templates and tools that can further build other tools, bootstrapping a new industry.

Eben Moglen’s Talk – Freedom in the Cloud

A very insightful talk about how we lost our freedom and how to regain it

You can also read the full transcript linked from there.

Motivation and Background for the User Controlled Web

Here are some background pointers:

A list of projects in this space.  The Diaspora project is listed under “deployable on commodity webhosting”.  I was under the impression that they are actually more of a p2p application.

A set of ideas for this space on the GNU Social wiki.

Adriana Lukas talks about the user-controlled web and the mine project.   (She coins a fun acronym: Relationships on Individuals’ Own Terms - RIOT. )

(flash video removed June 2016)

There seems to be quite a bit of activity with 20-30 projects, but the efforts are fragmented.  Different projects have different goals and approaches.  Some focus on a piece of the user experience and others focus on technology.  For example, the Mine! project is a technology piece focused on rich sharing of data (including links, photos) with strong user control.  OneSocialWeb is focused on messaging.  With Elgg you can create social networks – but it’s not really user controlled.

Diversity is great, but one or two well-thought out efforts need to win.   Critical mass is a must in order to win in this space.

DNA not Patentable

Sanity prevails in federal court!  News at 11.

Brain Preservation Tech Prize

As a Cryonics member, I became interested in a new initiative to fixate the brain in a plastic medium: brainpreservation.org

Would be excellent to have a high fidelity preservation procedure that doesn’t require maintenance (such as liquid nitrogen in the case of Cryonics).

Quantified Self: CMS50 Oximeter

After attending a couple of Quantified Self meetups, I was inspired to quantify various aspects of myself and my life.  For example, I was wondering if I am breathing well while I sleep, since I have been waking up tired on occasion.

I bought the Contec CMS50-F oximeter from here.

The software that comes with the CMS50 could be more reliable and user-friendly, and only runs on Windows.  I ended up spending a day  reverse engineering the USB protocol and writing a Python program to acquire and graph the data.  The software is on Gitorious.

Here are some of the charts you can get:

Blue Brain Project Documentary – Year 1

Noah Hutton’s company Couple 3 Films has released year 1 of a 10 year documentary project documenting the Blue Brain project.  The project includes Henry Markham’s work on reverse engineering the brain, scaling up from rodents to humans by 2010.

The work is funded by the Swiss government.

$3000 Whole Genome Sequencing Cost

Life Technologies announces $3,000 marginal cost (later this year) for sequencing complete human genomes.  This is after Illumina announced the same for $10,000 (now).  So a $1,000 genome early next year?

Here comes personalized medicine.

Doubling in Incidence of Malicious Data Breaches

CNet reports on Ponemon institute’s survey showing a doubling of data breach incidents.

Average cost per record in the surveyed group is around $200.

Nasal flu vaccine

Alex and I got nasal H1N1 vaccines on Tue. I felt tired on Wed and Alex has a sore throat. Nasal is live-attenuated instead of dead virus.

Apparently symptoms are more likely with the nasal. On the up-side – no preservatives!

Does the nasal-spray flu vaccine LAIV (FluMist) contain thimerosal?

No, the nasal-spray flu vaccine LAIV (FluMist) does not contain thimerosal or any other preservative.

How I stopped worrying and learned to love technofixes

Peter Thiel writes regarding the failure of Democracy to preserve freedom and some possible technofix strategies. He includes are thoughts about creating freedom in Cyberspace, Outer space or on the high seas. I think it would be interesting to build certain distributed Internet apps that could change the dynamics of freedom, including reputation systems, gifting/barter systems and user-controlled Internet apps.
[Read more →]

OpenSocial insecurity – no user to app authentication

I was pretty excited to hear about Google trying to set a standard for social network applications. I wasn’t so happy to notice a serious omission in the way security is handled.

Executive Summary: no user authentication! Any user can forge anybody else’s identity when interacting with any OpenSocial application. As it currently stands, it is not possible to write secure social applications on the platform.

[Read more →]

OpenSocial vs. Facebook API – an analysis

Executive Summary

  • OpenSocial applications will have diverging look-and-feel, from each other and from the containers. This is because the containers do not provide common elements to blend the application into the container.
  • OpenSocial applications may not be vertically resizable, since they will exist in an iframe. However, Google has an API For resizing that some or all of the networks may implement
  • Facebook has additional API functionality that is not present in OpenSocial
  • The Facebook API is server oriented, whereas the OpenSocial/Google Gadgets API is client-side JavaScript oriented

[Read more →]

Stanford Delta Scan and Technologies for Cooperation

Stanford’s Delta Scan makes predictions similar to my take on Web 3.0, including:

  • Trust over Social networks / Social accounting methods (i.e. reputation systems)
  • the rise of computing grids
  • Social mobile computing
  • Knowledge collectives
  • Mesh networks

Giving rise to:

  • Adhocracies
  • Faster innovation
  • Faster/better decision making
  • Increase in effectiveness of online economies

Web 3.0, according to Miron

Here is what I think Web 3.0 will have:

  •  A global and open Reputation Network
  •  A distributed and open Computing and Storage Platform

Reputation Network

What does it mean for a Reputation Network to be global?  Currently, we have propietary reputation systems, such as the reputation scores for sellers (and buyers) at Amazon and eBay.  However, that reputation is not portable.  This means that if an Amazon third-party seller wants to start selling on eBay, they have to start from scratch, as if their business is new.  Trust is an integral ingredient to transactions.  It becomes crucial on the internet, when a buyer and a seller are likely to never have heard of each-other.  With portable reputations, a trust metric can be made available in all interactions.

What about the open part?  A global reputation system owned by one entity is a non-starter.  Why would one trust a single entity to provide basic infrastructure that affects all commerce and other interaction?  Reputation should be like TCP/IP – based on open standards so that different vendors can provide different levels of service and create a robust overall system.  The individual reputation systems can remain under the control of Amazon, eBay and others.  However, they can inter-operate so that they can create a global reputation network.
Reputation should be subjective. End-users should be able to subscribe to different raters, and thereby compute different scores for the same target. End-users have diverse values and preferences. One number cannot capture this diversity.

Storage and Computing

What about storage and computing?  Currently, people have presence on the Web through Blogs, Wikis, Storefronts, IM, e-mail, etc. .  However, creating a new Web application faces certain barriers.  The application creator has to acquire servers, manage them, ensure that the data is safe and face scalability issues as the application grows in popularity.  Also, interoprability between applications is difficult.  A standardized computing and storage abstraction will allow new application to be installed by the user into their virtual computing appliance.  Users will have control of which application they run and how the applications communicate.  Applications and data will migrate to physical hardware based on what the user is willing to pay and what scalability requires.

The division of labor is:  the application provider does what they are good at – writing applications.  The computing and storage providers provide efficient and reliable computing and storage (and if they don’t – the application can migrate easily or even automatically).  The end-user does what they do best – connect the dots and provide content.

People Aggregator – unification of social networks?

Federated, single-signon, standards based. What’s not to like?

BroadBand Mechanics presents People Aggregator

Web site is not fully functional yet, so have to wait.

Blogged with Flock