Automated localization for unreproducible builds Ren et al., ICSE’18
Reproducible builds are an important component of integrity in the software supply chain. Attacks against package repositories and build environments may compromise binaries and produce packages with backdoors (see this report for a recent prominent example of compromised packages on DockerHub). If the same source files always lead to the same binary packages, then a tampered binary can be detected simply by rebuilding from source and comparing the result. Unfortunately, reproducible builds have not traditionally been the norm. Non-determinism creeping into build processes (timestamps, file ordering, build paths, user and host names) means that rebuilding an application from the exact same source, even within a secure build environment, often yields a different binary.
Because of these benefits, many open-source software repositories have started validating the reproducibility of their builds. These include GNU/Linux distributions such as Debian and Guix, as well as software projects like Bitcoin.
If you have a non-reproducible build, finding out why can be non-trivial. It takes time and a lot of effort to hunt down and eradicate the causes. For example, Debian unstable for AMD64 still had 2,342 packages with non-reproducible builds as of August 2017. (The number today as I’m writing this is 2,826). You can see a stubbornly persistent
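As an added illustration (not code from the paper or from this post), the following Python script shows the two halves of the problem the paper addresses. It packages a constructed two-file source tree from two simulated checkouts made an hour apart, first with a naive tar-and-gzip step and then with the inputs normalized (sorted member order, a fixed SOURCE_DATE_EPOCH-style timestamp, zeroed ownership, fixed permissions and a pinned gzip header mtime), and then compares the two artifacts member by member so that the cause of a mismatch is named rather than just reported as "hashes differ". The sample files, the checkout timestamps and the helper names are assumptions for the example.

```python
"""Added example: the same sources yielding different tarballs, a normalized build that
does not, and a small localizer that says which member/field differs. Not from the paper."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample source tree (an assumption for the example).
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}


def checkout(dst: str, when: int) -> None:
    """Simulate a fresh checkout at time `when`: identical contents, different mtimes."""
    for rel, data in SOURCES.items():
        path = os.path.join(dst, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (when, when))


def _source_files(src_dir: str):
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            yield path, os.path.relpath(path, src_dir)


def build_naive(src_dir: str) -> bytes:
    """Typical packaging: walk order, file mtimes, uid/gid and the gzip timestamp leak in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, rel in _source_files(src_dir):
            tar.add(path, arcname=rel)
    return buf.getvalue()


def build_reproducible(src_dir: str, source_date_epoch: int = 0) -> bytes:
    """Same inputs, normalized: sorted members, fixed mtime (SOURCE_DATE_EPOCH convention),
    zeroed ownership, fixed mode, and the gzip header mtime pinned instead of time.time()."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, rel in sorted(_source_files(src_dir), key=lambda p: p[1]):
                info = tar.gettarinfo(path, arcname=rel)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(path, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def localize(blob_a: bytes, blob_b: bytes) -> list:
    """Return (member, field, value_a, value_b) for every difference between two builds."""
    diffs = []
    gz_a, gz_b = int.from_bytes(blob_a[4:8], "little"), int.from_bytes(blob_b[4:8], "little")
    if gz_a != gz_b:  # bytes 4..8 of a gzip header are its MTIME field
        diffs.append(("<gzip header>", "mtime", gz_a, gz_b))

    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return {m.name: (m, tar.extractfile(m).read() if m.isfile() else b"")
                    for m in tar.getmembers()}

    ma, mb = members(blob_a), members(blob_b)
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "presence", name in ma, name in mb))
            continue
        (ia, da), (ib, db) = ma[name], mb[name]
        for field in ("mtime", "uid", "gid", "uname", "gname", "mode", "size"):
            if getattr(ia, field) != getattr(ib, field):
                diffs.append((name, field, getattr(ia, field), getattr(ib, field)))
        if da != db:
            diffs.append((name, "content", digest(da), digest(db)))
    return diffs


def demo() -> dict:
    """Build the same sources from two checkouts an hour apart, both ways, and compare."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        checkout(d1, 1_500_000_000)
        checkout(d2, 1_500_003_600)
        naive = (build_naive(d1), build_naive(d2))
        repro = (build_reproducible(d1), build_reproducible(d2))
    return {
        "naive_match": digest(naive[0]) == digest(naive[1]),
        "naive_causes": sorted({field for _, field, _, _ in localize(*naive)}),
        "repro_match": digest(repro[0]) == digest(repro[1]),
        "repro_causes": localize(*repro),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script reports the naive artifacts differing only in mtime fields while the normalized ones match. Deleting any single normalization in build_reproducible (the sorted order, the uid/gid reset, the gzip mtime) and rerunning is a quick way to see a new cause appear in the localizer output; real packages add build paths, locale, and parallelism to the list, which is what makes localization across a whole distribution hard.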
The integration allows users to add self-service platform-as-a-service capabilities to CMS. They can also tap more quickly into IBM analytics, data, middleware, and its Watson artificial intelligence (AI) platform.
The lawmakers claim Google is “more willing to support the Chinese Communist Party than the U.S. military.”
The Silver Peak security alliance ecosystem enables customers to choose from eight different security offerings.
The company's board of directors named CFO Robert Swan as interim CEO while it searches for a successor.
A vast majority of the nodes were hosted inside of Amazon Web Services with 55 percent hosted in an AWS U.S. Region. Some of the other clouds hosting open nodes included Alibaba, Microsoft Azure, and Digital Ocean.
The Internet Society is raising awareness around the issues and challenges with Internet of Things (IoT) devices, and the OTA IoT Trust Framework is promoting best practices in protection of user security and privacy. The importance of this was brought home with the keynote talk at the recent TNC18 Conference, which was given by Marie Moe (SINTEF) who related her experiences with her network-connected heart pacemaker.
Marie is a security researcher (formerly with NorCERT, the Norwegian National Cybersecurity Centre) who has an implanted pacemaker to monitor and control her heart, and has used the opportunity to investigate firmware and security issues in the device that have had detrimental and potentially fatal consequences. Quite aside from uncovering misconfigurations that required tweaking (e.g. the maximum heart rate setting turned out to be set too low for a younger person) and an adverse event that required a firmware upgrade, she was even more concerned to discover how little consideration had gone into the authentication and access controls that could allow an attacker to take control of the device.
These devices allow their recipients to lead normal lives, and of course being network-connectable has many practical advantages in terms of monitoring and
Cylance touts its predictive advantage technology that allows a company to protect endpoints from threats that may not exist for years to come.
The new edge offering bundles SD-WAN, wired, and wireless networking technologies, along with unified security and policy enforcement.
A recent Gartner report found that more than 20 percent of global enterprises will have deployed serverless technologies by 2020, compared with less than 5 percent today.
Facebook developed the osquery security framework to monitor its own infrastructure before open sourcing it in 2014.
AI to get X-ray vision: Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory are getting close to creating AI that can see through walls, Geek.com reported. The research team is using AI to analyze radio signals bouncing off human bodies. The result is a neural network-generated stick figure that moves like the targeted person does.
Dr. AI will see you now: Perhaps more useful than looking through walls, some AI technologies are now being used to identify tuberculosis, pneumonia, upper respiratory infection, and bronchitis based on how a cough sounds, said AdWeek. Several companies are exploring other ways to use AI in healthcare settings.
Encryption wars, part 207: Apple has moved to close a security hole that law enforcement agencies used to defeat encryption on iPhones, according to many news reports, including one in the New York Times. The Apple move set off a new round of debate about encrypted devices and law enforcement access, the Washington Post noted.
It appears that at least one company that builds iPhone cracking tools already has a workaround, however, Motherboard reported.
Meanwhile, an FBI official suggested that each encrypted device that law enforcement agencies cannot crack represents a victim without justice, BusinessInsider reported.
Similar to the earlier Spectre and Meltdown bugs, the new security flaw could allow access to sensitive data through a side channel. Intel rates it as a “moderate” vulnerability.
Today at DockerCon, we demonstrated new application management capabilities for Docker Enterprise Edition that will allow organizations to federate applications across Docker Enterprise Edition environments deployed on-premises and in the cloud as well as across cloud-hosted Kubernetes. This includes Azure Kubernetes Service (AKS), AWS Elastic Container Service for Kubernetes (EKS), and Google Kubernetes Engine (GKE).
Most enterprise organizations have a hybrid or multi-cloud strategy and the rise of containers has helped to make applications more portable. However, when organizations start to adopt containers as their default application format, they start to run into the challenges of managing multiple container environments, especially when each of them has a different set of access controls, governance policies, content repositories and operational models. For common hybrid and multi-cloud use cases like bursting applications to the cloud for additional capacity or migrating them from one site to another for availability or compliance reasons, organizations start to realize the need for a singular control plane for all containerized applications – no matter where it will be deployed.
Docker Enterprise Edition is the only enterprise-ready container platform that can deliver federated application management with a secure supply chain. Not only
The new programmable silicon includes a packet forwarding engine that delivers a 50 percent power efficiency gain over the existing Junos Trio chipset, the company claims.
Serverless, IoT security, and the crack house were all hot topics at VMware’s annual research and development conference.
Cisco executives tout their API-driven approach as the company's DevNet membership now tops 500,000 registered developers.
By adding centralized orchestration and network automation to its Unity EdgeConnect SD-WAN, Silver Peak customers can segment their users and applications to improve security.