Everything Tagged "Security"

(In reverse chronological order)

A letter on NSA surveillance

I wish I could make more concrete policy recommendations, but in this case all I can say is “this looks troubling.” Here’s the letter I sent to my representatives today:

Dear Senator Feinstein,

In 2006, we learned that the NSA had secretly tapped all internet traffic flowing through AT&T’s San Francisco peering point. Now, the Guardian’s leaks suggest that the NSA has accrued phone and email records–some metadata, some full content–for millions of US citizens, and stored them for targeted analysis. The criteria for retention and analysis remain poorly understood.

It Boggles the Mind

Microsoft released this little gem today, fixing a bug which allowed remote code execution on all Windows Vista, 6, and Server 2008 versions.

...allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.

Meanwhile, in an aging supervillain’s cavernous lair…

Do not expose Riak to the internet

Major thanks to John Muellerleile (@jrecursive) for his help in crafting this.

Actually, don’t expose pretty much any database directly to untrusted connections. You’re begging for denial-of-service issues; even if the operations are semantically valid, they’re running on a physical substrate with real limits.

Riak, for instance, exposes mapreduce over its HTTP API. Mapreduce is code; code which can have side effects; code which is executed on your cluster. This is an attacker’s dream.

Systems Security: A Primer

The riak-users list receives regular questions about how to secure a Riak cluster. This is an overview of the security problem, and some general techniques to approach it.

Theory

You can skip this, but it may be a helpful primer.

Hello, law enforcement!

Hello, law enforcement. I suspect you’re reading this because, as a TSA supervisor told me recently, “… we are interested in you”.

Yes, I asked to fly selectee–to not provide ID–at Denver International recently. Yes, I’ve done this before. Yes, there was a lot of confusion between TSA employees on whether that was legal or not–eventually M. Gatling of the DIA police told me I was required to display ID. Yes, I opted out of AIT. Yes, it did take no fewer than eight TSA officers, airline representatives, and police about 45 minutes to determine I posed no threat. Yes, I was exceedingly polite, and most of us got along quite well. Yes, I was asked all kinds of questions I was under no obligation to answer (among them my address and phone number), and no, the TSA supervisor was not very pleased that I asked whether I was legally required to respond.

“What is your contact number.”

Breaking Into Cars

Carrie (one of my summer housemates) locked herself out of her car earlier this week. She gave Justin and I a call, asking us to contact a local locksmith. Rather than go to the expense of calling a locksmith after hours, we offered to try to break in first.

I’d never tried, or really thought about, breaking into a car before. I don’t drive my car very often, and I don’t tend to leave my keys behind, so it had never really occurred to me that I might need to know how, but here was a chance to find out. We stopped by the house, picked up a wire coat hanger and a pair of wire cutters, and drove out to the store she had parked in front of. “Thank goodness you’re here,” she exclaimed, and showed us her key-containing purse, neatly tucked away on the back seat.

I unbent the coat hanger and snipped off the twisted end. The door locks were the pull-type, small vertical posts that, in their locked state, remained safely recessed within the door body. There was no chance of extracting them from above, barring the use of strong adhesives, but I imagined that it might be possible to catch whatever locking mechanism connected those posts to the door lock by inserting a hooked wire into the door body at the midline window seal. Then Carrie offered that she had power locks.