Larry Hosken: New: Tag: capabilities

Book Report: Data and Goliath

Bruce Schneier once again writing a normal-person-understandable policy-ish book about implications of computer security SNAFU.

Plenty of organizations gather info about us. Some of this information is online stuff: who we call, who we know on social networks, and on and on. Some of this information is real-world stuff: where our cars' license plates have been spotted, where we've traveled, and on and on.

Who/what has access to this information? Some people/things that make sense. I'm glad Gmail knows who sent me that email* so it can show me the From: field. Some people/things that don't make sense. I'm sad the NSA knows who's sending me emails since they're not using it for anything useful and employ some creepy folks who like to peek at such things.

Even if you're glad that some organization has your info, you might not be so glad if you knew how poorly they keep it safe. Users of the Ashley Madison adultery-hookup site were presumably glad to give private info to the site. They were presumably sad when hackers got past the site's not-so-great security and published the users' private no-longer-private info.

What can users do? Some things, but maybe not much. When you choose a service to work with, you might choose the one you trust to keep your data safe and/or to "forget" that data when it's no longer useful. But how do you know which services to trust? If you'd ask me to guess whether an adultery-hookup site would have good security, I'd have guessed it would (such private info)… and I would have been wrong. And sometimes all the choices are bad. And often, we don't choose. If I choose to move to another country, the NSA won't stop trying to snoop on my emails; it just won't be breaking US law when it does so. (So I guess I'd be helping to stop illegal spying? kinda?)

Policy-makers can do more. If in a secret police force, you might be a policy-maker; you can choose to snoop less. If you're in a company, you might be a policy-maker: you can choose to "forget" data if the risk of retaining it is > the benefit of keeping it around.

It's a thoughtful book.

*Yeah, email can be spoofed. Anyhow.

Permalink
& Comments

Job search is done: I accepted an offer at Token, which writes software to help banks do bank-y things on the internet. Many thanks and appreciations to folks who pointed me at places, pointed places at me, feedback-ified my resume, were encouraging, and/or otherwise did good things.

About ten years ago, I watched some talks about "capabilities," a way of keeping track of permissions for computer-y things. When I look at what Token is doing, it reminds me of some good ideas I saw in those lectures. So I'm excited.

Permalink
& Comments

Book Report: Dragnet Nation In which a reporter explores preserving privacy, trying out tools and processes to keep governments and companies from learning about her. This book could easily have devolved into tinfoil-hattery, b...

Permalink & Comments

I'm kind of embarrassed about how long it took me to install Signal. I assumed it would take a while to set up. It's a security app written by security people. Surely there would be questions I didn'...

Permalink & Comments

Book Report: The Quantum Thief Yes it's been a few weeks since my most recent Book Report. I've been busy. Also, my shelf of New Yorkers filled up. I keep around old issues of the New Yorker to read on occasions it doesn't make se...

Permalink & Comments

Book Report: Countdown to Zero Day The story of Stuxnet, the little virus that crept into Iranian control systems and convinced them to destroy some centrifuges. I already knew the basics, but I learned from this book. Over time, ther...

Permalink & Comments

Book Report: No Place to Hide It's reporter Glenn Greenwald's perspective on the Edward Snowden story. As such, it's pretty scary. Most reporters don't know how to communicate using encryption. Thus, if you're a whistleblower han...

Permalink & Comments

Book Report: Threat Modeling There are unhelpful ways to fret over computer security. This book shows ways to channel those tendencies towards something useful. It also points out the Elevation of Privelege card game, an excuse ...

Permalink & Comments

If you lost count of the recent NSA citizen-snooping outrages but figure there are enough to justify nudging your legislators, The Day We Fight Back is a web site to guide you through that. ...

Permalink & Comments

Book Report: Exploding the Phone There are plenty of little articles about phreaking floating around; this book does a good job of pulling lots of little bits together into a flow of history. Along the way, I learned some things. E....

Permalink & Comments

Book Report: Liars and Outliers It's a book about security. It's a book about how to think your way through security problems. Not just thinking about where to throw up barriers—also about how to think up policies that won't ...

Permalink & Comments

Book Report: Broken Ballots A few people want to steal elections. A few billion people want fair elections. How do you make an election un-stealable? It's not easy. Elections do't run themselves; we need election officials. Fol...

Permalink & Comments

Book Report: The Tangled Web The Tangled Web talks about why web programming is doomed to be insecure for a long time to come. Nothing works quite right: networks, name servers, OSs, browsers, web servers, headers, cookies, form...

Permalink & Comments

Link: Cosmo, the Hacker "God" Who Fell to Earth This article about an identy thief is pretty amazing. Perhaps 25% of its amazing-ness comes from the story itself: how on earth does a 15-year old kid get so good at navigating bureaucracy that he ca...

Permalink & Comments

Book Report: Digital Forensics with Open Source Tools It's a book about how to look over a hard drive and find out "what happened here?" This is a useful skill for computer security—you might want to figure out how a virus or hacker took over a ma...

Permalink & Comments

Book Report: The Art of Intrusion It's a book of hacker anecdotes. "Kevin Mitnick" is the author name on the cover, but these are stories from other hackers. They're good stories. They're not all true stories; some of them have par...

Permalink & Comments

Book Report: Zero Day Happy USA Buy Nothing Day 2011, aka #OCCUPYXMAS. To celebrate, here's a report on a book I'm glad I checked out from the library: Zero Day. Maybe it's not quite accurate to say "I'm glad I checked o...

Permalink & Comments

Book Report: Fatal System Error It's a book about the era of botnets. It doesn't go into the technical stuff, but comes at the story from the point of view of law-enforcement folks investigating things the old-fashioned way: talkin...

Permalink & Comments

Book Report: Kingpin This book was a tough read, but not for the usual reasons. It's a biography of l33t Hax0r Max Vision. It's good, it makes sense, the facts hold together (better than you can hope for in most technica...

Permalink & Comments

Book Report: Underground I've read a few books about l33t hax0rz; so far, Underground is my favorite. It has short bios of young hackers in the 90s. There were a bunch of networks; there was an Ur-internet rising up above t...

Permalink & Comments

Puzzle Hunts are Everywhere, even Meridian High School in Idaho Tonight I played in a puzzle event. The puzzles were pretty cool! They were designed by Mike Selinker, Thomas Snyder, Tyler Hinman... and maybe others? Eric Harshbarger designed the prizes; he's a ...

Permalink & Comments

Set apartment wifi to password "openopen". Put password in the SSID so neighbors can still use it. Hackers can still snoop, but they'll have to work harder. ...

Permalink & Comments

Book Report: Nmap Network Scanning I just got back from a 9-day tour of various western USA places as the Grand Tetons, Yellowstone, Kodachrome, and Zion National Park. Along the way, I busted my travel laptop, so I haven't been upda...

Permalink & Comments

Book Report: Tetraktys I read this novel because it was recommended via a computer security discussion group at work. That doesn't sound like a good way to make decisions, does it? Oh, Amazon.com recommendations, why do I ...

Permalink & Comments

Book Report: Wiring up the Big Brother Machine Google stopped censoring in China; as a result, more Google search results are censored. The Chinese people can find less stuff now. Why? Because of the "Great Firewall". The Chinese government c...

Permalink & Comments

Link: California Secretary of State on Voting Systems I'm doing taxes today. In my California tax booklet, there's a form asking me if I'm registered to vote. That's great. We citizens are supposed to get angry about taxation without representation. ...

Permalink & Comments

chris451's comment on Caja [Edited to add: If you have questions or concerns about Caja, the Google Caja Discuss group is a good place to ask them.] Since I switched blogging software, people who think they're commenting on m...

Permalink & Comments

Book Report: Between Silk and Cyanide It's the autobiography of the codemaster of the SOE an English spy organization during WWII. Wait! Dont' run away! It's not just math and cryptography and war. There's good stuff in here, too. Th...

Permalink & Comments

OpenID, OAuth, Learning by Gossip Last weekend, I did some programming. Well, not much programming. Mostly I did research preparatory to programming. Well, not exactly research. It was more un-research. I started out learning ho...

Permalink & Comments

Book Report: Security Engineering This book is humongous! It's a survey of security computer engineering. It doesn't go into depth on any one topic, but it's got plenty of breadth. In areas where I already knew something, this boo...

Permalink & Comments

Link: AllMyData I occasionally backed up my files. But it was always ad-hoc: zip up an archive of some files, upload it to my web server. Done by hand when I got around to it (not often). Then there was the time ...

Permalink & Comments

Link: Caja's HTML sanitizer for Javascript [Edited to add: If you have questions or concerns about Caja, the Google Caja Discuss group is a good place to ask them.] When you write a program that's supposed to be secure, you have to plan on ...

Permalink & Comments

Link: Some thoughts on security after ten years of qmail 1.0 This guy Hans Boehm came and gave a talk at work today about upcoming C++ support for threads. That's support built into the language. It sounds like sometime in the next few years, we will have at...

Permalink & Comments

Link: Lectures on Authorization Based Access Control If you're a programmer, you might be interested in watching some lectures about Authorization Based Access Control. Some folks from an HP research lab lectured at the GooglePlex about better & e...

Permalink & Comments

Tags