No, I Don’t Trust You! — One of the Most Alarming Internet Proposals I’ve Ever Seen

The technical details get very complicated very quickly, but what it all amounts to is simple enough. The proposal expects Internet users to provide “informed consent” that they “trust” intermediate sites (e.g. Verizon, AT&T, etc.) to decode their encrypted data, process it in some manner for “presumably” innocent purposes, re-encrypt it, then pass the re-encrypted data along to its original destination.

via Lauren Weinstein’s Blog: No, I Don’t Trust You! — One of the Most Alarming Internet Proposals I’ve Ever Seen.

In essence it’s a kind of sucker bait. Average users could easily believe they were “kinda sorta” doing traditional SSL but they really wouldn’t be, ’cause the ISP would have access to their unencrypted data in the clear. And as the proposal itself suggests, it would take significant knowledge for users to understand the ramifications of this — and most users won’t have that knowledge.

This editorial illustrates that Man In The Middle (MITM) attacks cannot happen without user consent. This blogger fears that ISPs will require consent for all SSL sessions, making all users’ end-to-end encryption vulnerable to a “trusted” proxy. Here is a blurb from the draft.

From the IETF draft: Explicit Trusted Proxy in HTTP/2.0 (draft-loreto-httpbis-trusted-proxy20-01)

This document describes two alternative methods for a user-agent to automatically discover, and for a user to provide consent for, a Trusted Proxy to be securely involved when he or she is requesting an HTTP URI resource over HTTP2 with TLS. The consent is supposed to be per network access. The draft also describes the role of the Trusted Proxy in helping the user to fetch HTTP URI resources when the user has provided consent to the Trusted Proxy to be involved.

The consent is supposed to be on a per-network (or destination) basis, which means there may be a reason the user agent will want to use a trusted proxy; perhaps it does not trust the destination network. The blogger implies ISPs will want blanket consent over all destinations, which 1) they could implement now without this standard and 2) would not make for a good PR move because it would not go unnoticed.

Battery-free technology brings gesture recognition to all devices

The researchers built a small sensor that can be placed on an electronic device such as a smartphone. The sensor uses an ultra-low-power receiver to extract and classify gesture information from wireless transmissions around us. When a person gestures with the hand, it changes the amplitude of the wireless signals in the air. The AllSee sensors then recognize unique amplitude changes created by specific gestures.

via Battery-free technology brings gesture recognition to all devices | UW Today.

Munich opts for open source groupware from Kolab

The Kolab groupware system that was originally developed for the German Federal Office for Information Security (BSI) will be employed as part of Munich’s MigMak project, an abbreviation used by the city to describe the migration of its mail and calendar system, Kolab said. The system is to be provided as completely open-source technology, including the necessary professional support, it added.

All the city’s LiMux PCs and the remaining Windows PCs will be using the Kolab Desktop Client in combination with the Kolab web client based on Kolab Enterprise 13, it said.

via Munich opts for open source groupware from Kolab | ITworld.

From Kolab’s web site:

What is Kolab?
Kolab is a secure, scalable and reliable groupware server. It is formed by a number of well-known and proven components for the standard tasks such as E-Mail, Directory and Web Service.

Cellular’s open source future is latched to tallest tree in the village

And that network runs on open source. OpenBTS, an all-software cellular transceiver, is at the heart of the network running on that box attached to a treetop. Someday, if those working with the technology have their way, it could do for mobile networks what TCP/IP and open source did for the Internet. The dream is to help mobile break free from the confines of telephone providers’ locked-down spectrum, turning it into a platform for the development of a whole new range of applications that use spectrum “white space” to connect mobile devices of every kind. It could also democratize telecommunications around the world in unexpected ways. Startup Range Networks, the company that developed the open-source software powering the network, has much bigger plans for the technology. It wants to adapt the transceiver to use unlicensed spectrum for small-scale cellular networks all over the world without the need to depend on the generosity of incumbent telecom providers or government regulators.

via Cellular’s open source future is latched to tallest tree in the village | Ars Technica.

OpenBTS is a Unix-based software package that connects to a software-defined radio. On the radio side, it uses the GSM air interface used globally by 2G and 2.5G cellular networks, which makes it compatible with most 2G and 3G handsets. On the backend, it uses a Session Initiation Protocol (SIP) “soft-switch” or a software-based private branch exchange (PBX) server to route calls, so it can be integrated with VoIP phone systems.

ICANN seeks to tackle DNS namespace collision risks

For this “controlled interruption” JAS recommends returning an address within the 127/8 loopback range: “Responding with an address inside 127/8 will likely interrupt any application depending on an NXDOMAIN or some other response, but importantly also prevents traffic from leaving the requestor’s network and blocks a malicious actor’s ability to intercede.”

Instead of the familiar 127.0.0.1 loopback address for localhost, the report suggests “127.0.53.53”. Because the result is so unusual, it’s likely to be flagged in logs, and sysadmins who aren’t aware of a name collision issue are likely to search online for information about the address problems.

via ICANN seeks to tackle DNS namespace collision risks – ICANN, Internet Corporation for Assigned Names and Numbers, gTLD, security, domain names – Computerworld.
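The 127.0.53.53 sentinel only helps if someone actually notices it in the logs. Here is an added example (not code from the Computerworld article or from the JAS report) that classifies resolver answers and pulls the colliding names and querying clients out of a log. The one-line-per-query log format and the sample lines are constructed for this example; a real deployment would adapt `LOG_RE` to its resolver’s query-log syntax (BIND, dnsmasq, Unbound all differ).

```python
"""Spot ICANN "controlled interruption" answers (127.0.53.53) in resolver logs.

Added example; not part of the article or the JAS report. The log line format
below is constructed for this example and must be adapted to a real resolver.
"""
import ipaddress
import re
import socket
from typing import Dict, Iterable, List

# The sentinel address JAS recommends for names that collide with a new gTLD.
CONTROLLED_INTERRUPTION = ipaddress.ip_address("127.0.53.53")
LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")

# Constructed log format: "<timestamp> <client-ip> <qname> <qtype> -> <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
    r"(?P<qtype>A|AAAA)\s+->\s+(?P<answer>\S+)$"
)


def classify_answer(answer: str) -> str:
    """Classify one resolved address.

    'collision' : exactly 127.0.53.53, the controlled-interruption sentinel
    'loopback'  : some other 127/8 answer (worth a look for a non-local name)
    'normal'    : anything else routable
    'invalid'   : not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "invalid"
    if ip == CONTROLLED_INTERRUPTION:
        return "collision"
    if ip.version == 4 and ip in LOOPBACK_V4:
        return "loopback"
    return "normal"


def scan_resolver_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {qname: [client, ...]} for every query answered with 127.0.53.53.

    Lines that do not match the expected format are skipped rather than
    raising, so the scanner can be pointed at a mixed log file.
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if classify_answer(m["answer"]) == "collision":
            hits.setdefault(m["qname"], []).append(m["client"])
    return hits


def check_name(name: str) -> str:
    """Resolve a name with the system resolver and classify the answers.

    Returns 'nxdomain' if resolution fails, otherwise the worst classification
    seen across all returned addresses. Needs network access; not exercised
    by the offline sample below.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return "nxdomain"
    rank = {"collision": 3, "loopback": 2, "invalid": 1, "normal": 0}
    worst = "normal"
    for _family, _type, _proto, _canon, sockaddr in infos:
        cls = classify_answer(sockaddr[0])
        if rank[cls] > rank[worst]:
            worst = cls
    return worst


# Constructed sample log: two internal short names that now collide with a
# delegated gTLD, one ordinary lookup, one genuine localhost lookup, one junk line.
SAMPLE_LOG = [
    "2014-02-26T09:12:01Z 10.1.2.3 mail.corp A -> 127.0.53.53",
    "2014-02-26T09:12:02Z 10.1.2.9 www.example.test A -> 203.0.113.10",
    "2014-02-26T09:12:03Z 10.1.2.3 intranet.home A -> 127.0.53.53",
    "2014-02-26T09:12:04Z 10.1.2.4 mail.corp A -> 127.0.53.53",
    "2014-02-26T09:12:05Z 10.1.2.5 localhost A -> 127.0.0.1",
    "this line is not a query record",
]

if __name__ == "__main__":
    for qname, clients in scan_resolver_log(SAMPLE_LOG).items():
        print(f"name collision: {qname} queried by {sorted(set(clients))}")
```

Running the block over the constructed sample reports `mail.corp` (queried from 10.1.2.3 and 10.1.2.4) and `intranet.home`, and ignores the real `localhost` answer; those are exactly the internal short names a sysadmin would need to rename or qualify before the new gTLD goes live.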

Bitcoin Exchange Mt. Gox Goes Offline Amid Allegations of $350 Million Hack

A coalition of bitcoin businesses — including bitcoin wallet-makers Coinbase and Blockchain — quickly put out a statement as news of the hack spread. “This tragic violation of the trust of users of Mt. Gox was the result of one company’s abhorrent actions and does not reflect the resilience or value of bitcoin and the digital currency industry,” they said. “There are hundreds of trustworthy and responsible companies involved in bitcoin.”

via Bitcoin Exchange Mt. Gox Goes Offline Amid Allegations of $350 Million Hack | Wired Enterprise | Wired.com.

Coding Horror: App-pocalypse Now

Let’s start with the basics. How do you know which apps you need? How do you get them installed? How do you keep them updated? How many apps can you reasonably keep track of on a phone? On a tablet? Just the home screen? A few screens? A dozen screens? When you have millions of apps out there, this rapidly becomes less of a “slap a few icons on the page” problem and more of a search problem like the greater web. My son’s iPad has more than 10 pages of apps now; we don’t even bother with the pretense of scrolling through pages of icons, we just go straight to search every time.

via Coding Horror: App-pocalypse Now.

Background Monitoring on Non-Jailbroken iOS 7 Devices

We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including touches on the screen, home button presses, volume button presses and TouchID presses, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

via Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation | FireEye Blog.

Before Apple fixes this issue, the only way for iOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring.

Yikes! This might be a problem for Android devices as well. I have noticed that, since a device stays on 24/7, resident apps can build up in the background, because even though you think you closed an app it sometimes doesn’t actually close (as in terminate) until its icon is touched to activate it. The proof of concept above got this “keylogger” through Apple’s App Store, which is pretty remarkable.

How to prevent hidden cost of open source software

The following list contains the criteria we use to evaluate whether we use an open source product or not:

  1. Is the product sponsored by a company? This is a critical criterion if a product plays a critical role in your application and you do not have an alternative choice for it.
  2. Is the open source license suitable for your product? It is illegal for you to deliver a commercial, closed-source product that includes an open source library whose license is the GPL.
  3. Does the open source product have good quality?
  4. Is the open source product still supported with new features and bug fixes?

via How to prevent hidden cost of open source software – VietNam Software Outsourcing Service Company.

The grammar is a bit rough, but the advice seems well grounded. All the above answers should be Yes.

20 superb data visualisation tools for web designers

One of the most common questions I get asked is how to get started with data visualisations. Beyond following blogs, you need to practise – and to practise, you need to understand the tools available. In this article, I want to introduce you to 20 different tools for creating visualisations: from simple charts to complex graphs, maps and infographics. Almost everything here is available for free, and some you have probably installed already.

via 20 superb data visualisation tools for web designers | Design | Creative Bloq.