Archive

Category Archives for "Security"

That anti-Trump Recode article is terrible

Trump's a dangerous populist. However, the left-wing media's anti-Trump fetishism is doing nothing to stop Trump. It's no better than "fake news" -- it gets passed around a lot on social-media, but is intellectually bankrupt, unlikely to change anybody's mind. A good example is this op-ed on Re/Code [*] about Silicon Valley leaders visiting Trump.

The most important feature of that Re/code article is that it contains no criticism of Trump other than the fact that he's a Republican. Half the country voted for Trump. Half the country voted Republican. It's not just Trump that this piece imagines as being unreasonable, but half the country. It's a fashionable bigotry among some of Silicon Valley's leftist elite.

But CEOs live in a world where half their customers are Republican, where half their share holders are Republican. They cannot lightly take political positions that differ from their investors/customers. The Re/code piece claims CEOs said "we are duty-bound as American citizens to attend". No, what they said was "we are duty-bound as officers of our corporations to attend".

The word "officer", as in "Chief Operating Officer", isn't an arbitrary title like "Senior Software Engineer" that has no real meaning. Instead, "officer" Continue reading

Some notes on a Hamilton election

At least one elector for Trump has promised to switch his vote, becoming a "Hamilton Elector". Assuming 36 more electors (about 10% of Trump's total) do likewise, and Trump fails to get the 270 absolute majority, then what happens? Since all of the constitutional law scholars I follow haven't taken a stab at this, I thought I would write up some notes.


Foreign powers and populists

In Federalist #68, Alexander Hamilton laid out the reasons why electors should switch their vote. The founders feared bad candidates unduly influenced by foreign powers, and demagogues. Trump is unabashedly both. He criticizes our own CIA claiming what every American knows, that Russia interfered in our election. Trump is the worst sort of populist demagogue, offering no solution to problems other than he'll be a strong leader.

Therefore, electors have good reasons to change their votes. I'm not suggesting they should, only that doing so is consistent with our Constitutional principles and history.

So if 10% of Trump's electors defect, how would this actually work?

Failure to get 270 vote absolute majority (math)

Well, to start with, let's count up the number of electors. Each state gets one elector for every House Representative Continue reading

Tips for Troubleshooting Apps in Production with Docker Datacenter

If you have been using Docker for some time, after the initial phases of building Dockerfiles and running a container here and there, the real work begins in building, deploying and operating multi-container applications in a production environment.  Are you operationally ready to take your application to production? Docker Datacenter provides an integrated management framework for your Dockerized environment and applications and when coupled with clear strategies in approaching and resolving anomalies, IT ops teams can be assured in successfully operationalizing Docker.

Let’s use a sports metaphor to approach troubleshooting:

  • Pre-Game will cover the planning phase for your applications
  • Game Time will cover troubleshooting tools available in Docker Datacenter
  • Post-Game will discuss complementary tools to aid in ongoing insights

Pre-Game

Whether or not you are sports fan, you can appreciate the importance of the planning out any task. This is no different than what you would do for your applications. Health checks are a great way to provide a deeper level of insight into how your application is performing. Since Docker 1.12 there is a new HEALTHCHECK directive. We can use this directive to signal to the Docker Engine whether or not the application is healthy.

There are a two ways to implement the HEALTHCHECK Continue reading

Technology Short Take #74

Welcome to Technology Short Take #74! The end of 2016 is nearly upon us, and it looks as if there will be only one more Technology Short Take before the end of the year. So, let’s get on with the content—time is short!

Networking

  • If you haven’t heard of Apstra, David Varnum has a great introduction to Apstra available on his site.
  • Will Robinson talks about how to structure your Ansible playbooks in the context of using Ansible to control your network gear.
  • This is an interesting project to watch, I think—it’s porting OVN (Open Virtual Network) from a “traditional” OvS back-end to an IOVisor-based back-end (IOVisor implements the data plane in eBPF).
  • If you’re interested in playing around with OVN, I’ve built a Vagrant-based environment running OVS/OVN 2.6.0 on Ubuntu 16.04. Have a look here.

Servers/Hardware

Nothing this time, but I’ll stay alert for content to include in the future.

Security

Orin’s flawed argument on IP address privacy

In the PlayPen cases, judges have ruled that if you use the Tor network, then you don't have a reasonable expectation of privacy. It's a silly demonstration of how the law is out of sync with reality, since the entire point of using Tor is privacy.

Law prof Orin Kerr has a post discussing it. His conclusion is correct, that when the FBI exploits 0day and runs malware on your computer, then it's a search under the Fourth Amendment, requiring a warrant upon probable cause.

However, his reasoning is partly flawed. The title of his piece, "Remotely accessing an IP address inside a target computer is a search", is factually wrong. The IP address in question is not inside a target computer. This may be meaningful.


First, let's discuss how the judge reasons that there's no expectation of privacy with Tor. This is a straightforward application if the Third Party Doctrine, that as soon as you give something to a third party, your privacy rights are lost. Since you give your IP address to Tor, you lose privacy rights over it. You don't have a reasonable expectation of privacy: yes, you have an expectation of privacy, Continue reading

Get all the Docker talks from Tech Field Day 12

Tech Field DayAs 2016 comes to a close, we are excited to have participated in a few of the Tech Field Day and inaugural Cloud Field Day events to share the Docker technology with the IT leaders and evangelists that Stephen Foskett and Tom Hollingsworth have cultivated into this fantastic group.  The final event was Tech Field Day 12 hosting in Silicon Valley.

In case you missed the live stream, check out videos of the sessions here.

Session 1: Introduction to Docker and Docker Datacenter

Session 2: Securing the Software Supply Chain with Docker

Session 3: Docker for Windows Server and Windows Containers

Session 4: Docker for AWS and Azure

Session 5: Docker Networking Fabric

These are great overviews of the Docker technology applied to enterprise app pipelines, operations, and  diverse operating systems and cloud environments. And most importantly, this was a great opportunity to meet some new people and get them excited about what we are excited about.

 

Visit the Tech Field Day site to watch more videos from previous events, read articles written by delegates or view the conversation online.

New #Docker videos from #TFD12 @TechFieldDay w/ @SFoskett @GestaltIT Continue reading

That “Commission on Enhancing Cybersecurity” is absurd

An Obama commission has publish a report on how to "Enhance Cybersecurity". It's promoted as having been written by neutral, bipartisan, technical experts. Instead, it's almost entirely dominated by special interests and the Democrat politics of the outgoing administration.

In this post, I'm going through a random list of some of the 53 "action items" proposed by the documents. I show how they are policy issues, not technical issues. Indeed, much of the time the technical details are warped to conform to special interests.


IoT passwords

The recommendations include such things as Action Item 2.1.4:
Initial best practices should include requirements to mandate that IoT devices be rendered unusable until users first change default usernames and passwords. 
This recommendation for changing default passwords is repeated many times. It comes from the way the Mirai worm exploits devices by using hardcoded/default passwords.

But this is a misunderstanding of how these devices work. Take, for example, the infamous Xiongmai camera. It has user accounts on the web server to control the camera. If the user forgets the password, the camera can be reset to factory defaults by pressing a button on the outside of the camera.

But here's the Continue reading

Traffic Pattern Attacks: A Real Threat

Assume, for a moment, that you have a configuration something like this—

db-key-traffic-attack

Some host, A, is sending queries to, and receiving responses from, a database at C. An observer, B, has access to the packets on the wire, but neither the host nor the server. All the information between the host and the server is encrypted. There is nothing the observer, B, can learn about the information being carried between the client and the server? Given the traffic is encrypted, you might think… “not very much.”

A recent research paper published at CCS ’16 in Vienna argues the observer could know a lot more. In fact, based on just the patterns of traffic between the server and the client, given the database uses atomic operations and encrypts each record separately, it’s possible to infer the key used to query the database (not the cryptographic key). The paper can be found here. Specifically:

We then develop generic reconstruction attacks on any system supporting range queries where either access pattern or communication volume is leaked. These attacks are in a rather weak passive adversarial model, where the untrusted server knows only the underlying query distribution. In particular, to perform our attack Continue reading

Electoral college should ignore Lessig

Reading this exchange between law profs disappoints me. [1] [2] [3] [4] [5]

The decision Bush v Gore cites the same principle as Lessig, that our system is based on "one person one vote". But it uses that argument to explain why votes should not be changed once they are cast:
Having once granted the right to vote on equal terms, the State may not, by later arbitrary and disparate treatment, value one person's vote over that of another.
Lessig cites the principle of "one person one vote", but in a new and novel way. He applies in an arbitrary way that devalues some of the votes that have already been cast. Specifically, he claims that votes cast for state electors should now be re-valued as direct votes for a candidate.

The United States isn't a union of people. It's a union of states. It says so right in the name. Compromises between the power of the states and power of the people have been with us for forever. That's why states get two Senators regardless of size, but Representatives to the House are assigned proportional to population. The Presidential Continue reading
1 134 135 136 137 138 181