Frankly Speaking

parislemon:

Apple’s vision for the future of computing versus Microsoft’s vision for the future of computing.

Any questions?

Design Etiquette

This article provides good insight into design etiquette. There is a constant battle between developers and designers when really in reality, both would benefit from better collaboration and interaction. The article outlines common mistakes that irk both sides and some solutions for both developers and designers so that time is spent designing and implementing awesome interfaces rather than in disputes.

http://bit.ly/nLBl5S

Can Darpa Fix the Cybersecurity ‘Problem From Hell?’

infoneer-pulse:

There are computer security threats — and then there are computer security nightmares. Put sabotaged circuits firmly in the second category. Last week, retired Gen. Michael Hayden, the former CIA and NSA chief, called the hazard of hacked hardware “the problem from hell.”

“Frankly, it’s not a problem that can be solved,” he added. “This is a condition that you have to manage.”

» via Wired

Tracking using HTTP redirects

One of the researchers in our security lab came up with a pretty interesting scheme that allows a website to track users who block cookies. The essence of the protocol is the use of HTTP 301 redirects. More specifics regarding URL redirection can be found on this Wikipedia page: http://en.wikipedia.org/wiki/URL_redirection

HTTP 301 redirects work as follows: when you visit a website such as one that uses bit.ly, it redirects the browser to the URL where the content is permanently located, using an HTTP 301 response. To track users, when a user visits a webpage, the website checks whether there is a unique identifier in the URL (trackingwebsite.com/index.php?id=num). If there isn't, it responds with an HTTP 301 that redirects to a URL carrying a unique identifier. The browser then caches this redirect because it believes the content is permanently located at the new URL, so later visits to the original URL are sent straight to the identified one without any cookie being involved.

This technique clearly depends on browser behaviour, in particular on whether the browser caches 301 redirects. More information regarding this scheme and its compatibility can be found at http://elie.im/blog/security/tracking-users-that-block-cookies-with-a-http-redirect/ . There are also other interesting blog posts about security on this researcher's blog.
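To make the mechanism concrete from the user's side, here is a small simulation I have added (it is not code from the original post or from the researcher's blog). It models a hypothetical server that hands out an id through a 301 redirect and a cookie-less browser that may or may not cache permanent redirects; the hostname, class names and the `cache_permanent_redirects` switch are all my own assumptions. It shows that the id survives across visits only while the cached redirect does, which is why clearing the cache, or a browser that does not cache 301s, defeats the scheme.

```python
"""Toy model of redirect-based tracking and why cache hygiene matters.

Added example, not code from the original post or the linked research.
All hostnames, class names and field names are constructed for illustration.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SITE = "http://trackingwebsite.example/index.php"   # constructed hostname


class TrackingServer:
    """Hypothetical server: 200 when ?id= is present, else 301 to a URL with a fresh id."""

    def __init__(self):
        self.issued = []   # every id the server has ever handed out

    def handle(self, url):
        query = parse_qs(urlparse(url).query)
        if "id" in query:
            # Identifier already in the URL: serve the page and record the id.
            return 200, {}, query["id"][0]
        new_id = secrets.token_hex(8)
        self.issued.append(new_id)
        location = SITE + "?" + urlencode({"id": new_id})
        return 301, {"Location": location}, ""


class Browser:
    """Minimal client with no cookies.  cache_permanent_redirects models the
    browser behaviour the tracking scheme relies on."""

    def __init__(self, server, cache_permanent_redirects=True):
        self.server = server
        self.cache_permanent_redirects = cache_permanent_redirects
        self.redirect_cache = {}   # requested URL -> cached Location

    def clear_cache(self):
        self.redirect_cache.clear()

    def visit(self, url):
        """Follow redirects the way a browser would; return the id the page sees."""
        for _ in range(5):   # bound the redirect chain
            if url in self.redirect_cache:
                # Served from the cache: the server is never asked again.
                url = self.redirect_cache[url]
                continue
            status, headers, body = self.server.handle(url)
            if status == 301:
                if self.cache_permanent_redirects:
                    self.redirect_cache[url] = headers["Location"]
                url = headers["Location"]
                continue
            return body
        raise RuntimeError("too many redirects")


def ids_seen(cache_redirects, visits=3, clear_between=False):
    """Visit the site several times and return the id observed on each visit."""
    server = TrackingServer()
    browser = Browser(server, cache_permanent_redirects=cache_redirects)
    seen = []
    for _ in range(visits):
        seen.append(browser.visit(SITE))
        if clear_between:
            browser.clear_cache()
    return seen


if __name__ == "__main__":
    print("caching browser    :", ids_seen(True))
    print("non-caching browser:", ids_seen(False))
    print("cache cleared      :", ids_seen(True, clear_between=True))
```

The first run prints the same id three times; the other two print three different ids, which is the whole compatibility caveat in one place: the scheme works exactly as long as the browser keeps the 301 in its cache.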

A Journey to Understanding Stuxnet

This is an interesting story from Wired about how Symantec security researchers, along with a couple of German researchers, initially discovered Stuxnet. It takes you through their discovery of the various complex and sophisticated components of the malware and really illuminates why Stuxnet was such an interesting and unique piece of malware. Stuxnet used four zero-day vulnerabilities and had two forged valid certificates. I encourage anyone with an interest in security to read this article.

http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

Bitcoin Security

I've heard a lot about Bitcoin in the past few weeks, unfortunately due to the numerous hacks. I found an article on a Cisco security blog that explains the security architecture behind Bitcoin pretty well and, most importantly, outlines some potential security threats to Bitcoin.

The blog entry can be found here: http://blogs.cisco.com/security/bitcoin-security-architecture-a-brief-overview/ . I will provide a summary below, but if you want more specifics, please consult the original blog article. 

In addition to the normal economic challenges faced by any currency, there are many security considerations when it comes to virtual currency. The most important is the security of the protocols that generate money and validate transactions. If either of these fails, it is easy to see that using Bitcoins will be problematic.

First, money generation relies on a proof-of-work based on block validation, which in turn uses the SHA-256 hash function as a means of timestamping and validation. The concern is that malware can easily disrupt money generation, especially since GPUs are an excellent tool for attackers to exploit the block validation process.
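To show what "proof-of-work using SHA-256 for timestamping and validation" means in practice, here is a toy miner and chain validator I have added (it is not code from the original post or from the Cisco article). The block layout, the JSON serialisation and the leading-zero-bit difficulty rule are my own simplifications: real Bitcoin hashes an 80-byte header with double SHA-256 against a 256-bit target. The point is the asymmetry the post relies on: finding a nonce costs many hash evaluations, while checking a block, including that it links to its predecessor, costs one.

```python
"""Toy SHA-256 proof-of-work with chain validation.

Added example, not code from the original post or the Cisco article.
Block layout and difficulty rule are simplified assumptions.
"""
import hashlib
import json

DIFFICULTY_BITS = 16   # toy setting: the hash must begin with 16 zero bits


def block_hash(prev_hash, timestamp, data, nonce):
    """Hash a candidate block; the timestamp is what anchors it in a timeline."""
    payload = json.dumps(
        {"prev": prev_hash, "ts": timestamp, "data": data, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(hexdigest, bits=DIFFICULTY_BITS):
    """True when the top `bits` bits of the 256-bit digest are zero."""
    return int(hexdigest, 16) >> (256 - bits) == 0


def mine(prev_hash, timestamp, data, bits=DIFFICULTY_BITS, max_nonce=1 << 32):
    """Search nonces until the hash clears the difficulty; return (nonce, hash)."""
    for nonce in range(max_nonce):
        h = block_hash(prev_hash, timestamp, data, nonce)
        if meets_target(h, bits):
            return nonce, h
    raise RuntimeError("no valid nonce found")


def build_chain(entries, bits=DIFFICULTY_BITS):
    """Mine one block per (timestamp, data) entry, each linking to the previous hash."""
    chain, prev = [], "0" * 64
    for ts, data in entries:
        nonce, h = mine(prev, ts, data, bits)
        chain.append({"prev": prev, "ts": ts, "data": data, "nonce": nonce, "hash": h})
        prev = h
    return chain


def validate_chain(chain, bits=DIFFICULTY_BITS):
    """Re-check every block: the hash recomputes, clears the target, and links correctly.

    Any edit to an earlier block changes its hash, which breaks the `prev`
    link of every later block, so rewriting history means re-mining all of it.
    """
    prev = "0" * 64
    for blk in chain:
        h = block_hash(blk["prev"], blk["ts"], blk["data"], blk["nonce"])
        if blk["prev"] != prev or h != blk["hash"] or not meets_target(h, bits):
            return False
        prev = h
    return True


if __name__ == "__main__":
    # Constructed sample entries: (timestamp, payload).
    chain = build_chain([(1, "alice->bob 5"), (2, "bob->carol 2")])
    for blk in chain:
        print(blk["nonce"], blk["hash"])
    print("valid:", validate_chain(chain))
    tampered = [dict(chain[0], data="alice->bob 500")] + chain[1:]
    print("after tampering:", validate_chain(tampered))
```

Raising `DIFFICULTY_BITS` makes `mine` proportionally slower while `validate_chain` stays cheap; that cost gap is what the post's "over 50 percent of the processing power" concern is about, since a party that can re-mine faster than the rest of the network can replace the tail of the chain.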

Second, keeping track of the money is a problem. Coins are bound to a user's public key and stored over the internet. The user has one or more wallets, which are files holding the user's private key that allows them to spend the coins. Security is therefore highly dependent on the safety of the private key.

There are many weaknesses in the protocol, which the Bitcoin creators document in their wiki. They say that if someone were to control over 50 percent of the network's processing power, it would be possible to reverse or block transactions. Data has shown that the Deepbit mining pool has come close to that 50 percent point.

The success of Bitcoin is quite remarkable, but how these security concerns will play out in the long run, when it comes to trust and future investment, is still unknown.