2012 01 29

News Cast for 2012-01-29

(00:00:17.453) Intro

  • Ohio Linux Fest call for papers is open
  • More Flattr vouchers, see last week's episode
  • Tease for a future feature on switching my wife back to Linux

(00:04:03.853) Security alerts

(00:04:20.769) Passwords not going away any time soon

  • http://www.wired.com/wiredenterprise/2012/01/simple-pw/all/1
  • Robert McMillan at Wired's Enterprise blog has a solid survey
    • Of the state of the password as a security measure
  • Most of the work in the post has been done by Paul C. van Oorschot
    • A computer science professor at Ottawa’s Carleton University
    • And Cormac Herley a researcher at Microsoft
  • Rather than lamenting weak passwords or urging towards stronger ones
    • The pair look at the consequences of how common passwords are
  • More and more services come online every day choosing passwords
    • As a cheap and largely effective way to handle registration and security
  • One of the few recommendations they make is to use different passwords to limit risk
    • Regardless of the strength of any given password
  • They provided some examples informing their views
    • And even look back to the first introduction of passwords in the 60s
      • As a part of the advent of interactive multi-user computing
      • As opposed to the earlier batch processing
  • Following that history forward, they attribute the poor state of advice around passwords
    • That is, pegging their security on approaches that are just as hard on users as attackers
      • To a premature and ultimately wrong prediction of the death of passwords
      • By none other than Bill Gates
  • Whether you agree with their urgings to use simpler, easier to recall passwords
    • Coupled with other mechanisms for mitigating risk
    • Or with the received wisdom on strong passwords everywhere
      • I think they make a good point about the state of research
  • Focusing on smart cards and other advanced tools sapped attention from passwords
    • While at the same time the commercialization of the internet
      • Was growing the number of people in need of some sort of solution
  • It isn't hard to see that smart cards and other systems designed for the enterprise
    • With controlled user populations and corporate budgets
      • Simply wouldn't scale to open-registration public services like Wikipedia and Twitter
  • Hopefully the pair's research will help prod the world of security
    • Towards continued evolution of passwords and practices around them
      • Based not on anecdote or common myths but on more research, preferably holistic studies
        • That take into account usability as much as the risks and trade-offs

(00:08:04.195) Wasting hackers' time to keep websites safe

  • https://www.technologyreview.com/computing/39521/?ref=rss
  • Technology Review explains the new offering from the security firm Mykonos
    • That builds on the well established idea of a honey pot
      • To try to alter the economics of automated attacks against web sites
  • There are plenty of good details around how the Mykonos tool distinguishes
    • Between a legitimate site visitor and an attacker
  • In particular, I love the idea that they are using near-undeletable supercookies
    • To tag an attacker in a way that is hard for them to remove
  • Scripted attacks are particularly effective for the same reason a lot of malware and spam is
  • The cost to deploy attacks is so low that a mass volume can be launched
    • With a very low expectation of return, since a single juicy target
      • More than makes up for the time and resources needed for a successful exploit
  • What Mykonos is doing is similar to greylisting filters for spam
    • That add a small incremental cost to legitimate users that is almost unnoticeable
      • But adds enough drag on mass emailings that it can potentially make spam less cost effective
  • The article does include a cautionary note, from Sven Dietrich
    • An expert on computer security and a professor at Stevens Institute of Technology
  • Dietrich warns that some attackers on realizing they have been duped
    • May be prone to seeking some sort of retribution
  • This assumes that such an irked attacker has the skills to get past reasonable, automated defenses
    • Which Mykonos may be counting on as not the case for the majority of attacks
  • David Koretz, the CEO of Mykonos, acknowledges the concern
    • But likens it to any number of other reasons a scripted attack may fail
  • Within the context of a high volume of scripted attacks against a large quantity of sites
    • He is skeptical an attacker will look that closely at any given failure
      • Having a stronger incentive to simply move on to the next target
  • In most cases, I suspect he is right but it is worth being aware of unusual attackers
    • Like Anonymous that often use the same tools but often for motivations other than cheap gains
  • Dietrich also reminds us that many of the systems roped into pulling off an attack
    • Are themselves victims such as the nodes in a botnet
  • Injecting trackers and super cookies may not be entirely fair in this case
    • Putting a burden on an innocent bystander who has also fallen prey to mass scale attacks
  • All the same, Dietrich predicts these sorts of deceptive tactics may become more common
    • As complements to more traditional approaches and simply keeping systems up to date
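The mechanism the article describes, a decoy that only automated tools stumble into, a long-lived tag set on whoever trips it, and a small per-request cost levied on tagged clients, is easier to reason about in code. The following is an added example written for these notes, not Mykonos' product or any code from the article; the decoy paths, the cookie name and the request/response dicts are all constructed for the illustration, and the delay is injectable so the logic can be exercised without actually sleeping.

```python
"""Toy deception layer in the spirit of the approach described above.

Constructed example: requests are plain dicts, a never-linked decoy path is the
honeypot, and anyone who fetches it is issued a signed tag cookie.  Subsequent
requests carrying a valid tag are served with an added delay (a tarpit), which
raises the per-request cost for a scanner while leaving untagged visitors alone.
"""
import hashlib
import hmac
import secrets
import time

# Hypothetical trap URLs: nothing on the real site links to them, so a human
# following links never lands here, but a scanner enumerating common paths will.
DECOY_PATHS = {"/admin_backup.zip", "/old/db.sql"}
TAG_COOKIE = "sid2"                  # hypothetical cookie name, deliberately bland
SECRET = secrets.token_bytes(32)     # per-deployment key used to sign tags


class DeceptionFilter:
    def __init__(self, delay_seconds=2.0, sleeper=time.sleep):
        self.delay_seconds = delay_seconds
        self.sleeper = sleeper           # injectable so tests need not really sleep
        self.events = []                 # audit log of decoy hits for the defender

    def _mint_tag(self):
        # Random nonce plus a MAC: the value carries nothing about the client,
        # but lets the server recognise tags it issued itself.
        nonce = secrets.token_hex(8)
        mac = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
        return f"{nonce}.{mac}"

    def _valid_tag(self, tag):
        if not tag or "." not in tag:
            return False
        nonce, mac = tag.split(".", 1)
        expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
        return hmac.compare_digest(mac, expected)

    def handle(self, request):
        """request: {'path': str, 'cookies': dict}. Returns a response dict."""
        tag = request.get("cookies", {}).get(TAG_COOKIE)
        tagged = self._valid_tag(tag)
        response = {"status": 200, "body": "ok", "set_cookie": None, "delayed": False}

        if request["path"] in DECOY_PATHS:
            # A request for a path no legitimate page links to is the honeypot signal.
            self.events.append(("decoy_hit", request["path"]))
            if not tagged:
                # One-year tag; Max-Age bounds how long a client stays tarpitted.
                response["set_cookie"] = (
                    f"{TAG_COOKIE}={self._mint_tag()}; Max-Age=31536000; HttpOnly"
                )
            response["status"] = 404     # answer like an ordinary miss, reveal nothing
            tagged = True

        if tagged:
            # The tarpit: a small cost that only the tagged client pays per request.
            self.sleeper(self.delay_seconds)
            response["delayed"] = True
        return response


if __name__ == "__main__":
    f = DeceptionFilter()
    print(f.handle({"path": "/index.html", "cookies": {}}))
    print(f.handle({"path": "/admin_backup.zip", "cookies": {}}))
```

The signed tag is what keeps an arbitrary cookie value from tripping the tarpit, and the `Max-Age` cap is one concrete answer to Dietrich's fairness point: a botnet node that is itself a victim is slowed for a bounded time rather than marked forever. Whether a couple of seconds per request actually changes a scanner's economics depends on its volume, which is the same bet the greylisting comparison above makes.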

(00:12:21.284) News

(00:12:35.027) The Pirate Bay launches promo platform for artists

  • There is plenty of evidence that the crew behind The Pirate Bay
    • One of, if not the, most high profile BitTorrent sites
    • Are not flat-out pirates, despite their name, profiting at the expense of everyone else
  • Peter Sunde is working very hard on Flattr at the moment
    • A service that is expressly about supporting creators of all kinds
  • https://torrentfreak.com/the-pirate-bay-launches-promo-platform-for-artists-120116/
  • Ernesto at TorrentFreak has the latest action by the site operators
    • Supporting this notion that they understand more about post-network business models
      • Than the traditional entertainment companies that routinely target them
  • The Promo Bay is a program where artists can submit a link and a doodle
    • Along with a list of three countries preferred for displaying them
  • Submitters must have something free on offer at the link
    • Whether that is a stream or a download
    • But otherwise there are no restrictions to enter
  • There are also no guarantees of who the site will display in place of its usual logo
  • The fact that the page describing the rules calls the logo a doodle is no coincidence I think
  • Google has displayed custom versions of its logo with this same label
    • For years, driven by a random, arbitrary logic only that company understands
  • The Pirate Bay crew have made it clear they will also select whatever doodles they like
    • From the pool of those that are submitted
  • If they genuinely like the artist and work being promoted
    • They may even show it not just to the desired countries
      • But to all visitors to the intensely popular torrent site
  • Ernesto furnishes some other examples of collaborations like this
    • Between more clueful creators and The Pirate Bay
  • The site is heavily involved in supporting the new distribution network VODO
  • Artists like NIN and Radiohead have routinely released their albums on the site
  • The potential exposure is staggering
  • Ernesto mentions they receive something on the order of 1.8 million page views a month
  • Not only is the up-side pretty incredible but the target of that link
    • Had better be pretty well optimized and supported to withstand that potential load
  • I was hoping for something perhaps a bit smaller in terms of volume
    • But more distributed, involving more sites
  • I'd love as a creator both to have help promoting my work
    • But also to help promote the work of others
  • A model involving more people would do more good over the long haul, I think
  • Replacing their logo with someone else's image and link is pretty low hanging fruit
    • And will no doubt be very effective
  • It may even push their already astronomic traffic stats up a bit more
    • As more people visit the site to see what, if anything, is being promoted
  • I'm sure both those facts enter into their calculus in terms of cost and benefit
    • Both to themselves and those receiving their help
  • All the same, the site does provide a very valuable service in terms
    • Of both discovery and distribution
  • Perhaps The Promo Bay will get more creators thinking about how they could use
    • All of the services on offer, in addition to the big obvious one
  • The guys behind the site also seem pretty approachable and clueful
  • I very much doubt this will be the last effort on their part
    • To do something constructive to help prove new practices and business models
      • Can be just as effective as the old ones given a solid enough understanding of the net

(00:16:23.334) Quantum computing could head to "the cloud", study says

  • As much as I follow quantum computing, its improvements over classic computing
    • Are far from settled, especially as the scale of current systems is very limited
  • Current systems max out at only a few quantum bits, and as much as those probabilistic elements
    • Can encode far more information than their classical counterparts
      • That limit prevents doing anything more than trivial computation
  • The most promising applications are still purely theoretical
    • The performance of them in practice requiring much larger quantum systems
      • Than are available at present
  • http://www.bbc.co.uk/news/science-environment-16636580
  • The BBC highlights some new research from University of Vienna
    • By quantum computing pioneer Anton Zeilinger
    • And a team of international scientists
      • That is timely and of clear benefit
  • The article includes a brief backgrounder on quantum computation
    • And of a field that is arguably closer to practical, quantum cryptography
  • The Viennese work combines aspects of both to achieve a result
    • Of supreme interest as questions about security and privacy rage around the net
  • The idea is for a regular user to create a series of qubits and encode some information into them
  • Like the polarized photons frequently used in quantum crypto
    • If this input information is read before some computation runs, it would be destroyed
  • The user would send these qubits to some cloud service, to a remote quantum system
    • Along with the program they want executed
  • Without the input, the instructions would be fairly opaque to the owner of the remote system
  • The inscrutable nature of the program and input notwithstanding
    • A series of quantum computation steps could still be performed, blind as it were
  • The result could then be shipped back to the user who would measure the qubits
    • Getting their answer, destroying the qubits in the process
  • There are many glosses in the article in terms of what would be required
  • As I've noted, we'd need quantum computers of a scale that could do something useful
  • Users would need some means to produce and entangle qubits at home
  • And lastly we'd need a way to send quantum information as easily as classical bits
  • The researchers claim that home creation of qubits and transport are feasible
    • With existing electronics and infrastructure
  • The implication is that only a killer application, such as this blind computing, is required
  • The value of this idea presumes that such computers would at least initially be so costly
    • As to be beyond the reach of the average consumer
  • Or regardless of direct cost, that there would be some other advantage
    • To computing on a non-local machine
  • One aspect of quantum computers is that they can emulate classical computers
    • So if we already had them, then we could take advantage of the qualities advanced in this research
      • To add a layer of security not easily possible with existing servers on the net
  • Until we see breakthroughs in the scale and cost of quantum computers themselves
    • The question is a little bit moot
  • It is entirely possible that this particular application
    • May encourage more research than some of the existing ideas around cryptanalysis and simulation
      • That so far have been the most promising applications if not as meaningful to typical users
  • The interest in blind quantum computation may also help bolster similar efforts
    • In particular homomorphic encryption, which promises similar protections
      • For existing computers and computation hosted on the network

(00:22:00.168) Smallest-ever nanotube transistors outperform silicon

  • Another more certain form of future computers I follow
    • Is that of alternative substrates to silicon
  • As transistors and other processor elements continue to shrink
    • They increasingly encounter quantum and electrical effects
      • That are either a consequence of scale or the resulting dense packing of features on a chip
  • Graphene has been getting a lot of attention as well as molybdenite
  • Whether either of these materials will replace or merely complement silicon is unclear
  • http://www.technologyreview.com/computing/39532/?ref=rss
  • Technology Review points to some research into a much more studied form of carbon
    • Than the single atomic sheets that make up graphene
  • Carbon nanotubes are of interest for the variety of electrical properties
    • Not the least of which is semiconductivity, useful for the electrical switching used by computers
      • But they also can be made super conductive under other circumstances
  • Researchers at IBM have crafted transistors, the basic building blocks of computer chips
    • From nanotubes at a scale not demonstrated before
  • Current feature sizes in silicon that are still useful are at or just above 10 nm
  • A nanometer is one billionth of a meter
  • For context, a helium atom is one tenth of a nanometer
  • If any material is going to succeed silicon, it has to show lower power consumption
    • At scales smaller than 10 nm as well as lower volumes of waste heat
  • That seems to be the case with the transistors the IBM researchers have demonstrated
  • They actually explored transistors at a variety of scales to characterize and compare them
  • Not only were the 9 nm transistors comparable to silicon
    • But showed much lower power consumption and a much higher capacity to carry current
  • The first means more powerful computers with better battery life
    • And the latter improves the signal of the chip, helping to overcome sources of errors
      • At such incredibly small scales
  • By comparison, the article notes that efforts in silicon are exploring different geometries
    • Such as ultrathin body transistors or three dimensional ones to improve signal and power
  • The article concludes with the usual caveats in terms of the remaining challenges
  • In particular a method for placing nanotubes on an insulating material with perfect alignment
    • Is needed in order to scale up from single transistors to actual complete processors
  • A means of producing the nanotubes in large quantities will also be needed
    • But there is a lot of demand for a solution to this latter problem
      • As any number of applications for the material will demand large, cheap quantities of them
  • Nanotubes possess all kinds of other interesting properties, depending on their shape and construction
  • I think exploring how to take advantage of their optical or magnetic qualities in a chip design
    • Would be a fascinating near term expansion while waiting for improvements in production techniques
  • The article quotes the lead researcher saying nanotubes could replace or complement silicon
  • Bringing novel effects into chips might be feasible, even in small quantities
  • I have hinted at this before, that a bridging strategy may be to introduce
    • New elements into traditional chip designs
      • That in some ways mimic how those designs evolved in the first place
  • I am not the only one, I am sure, who recalls the early x86 systems
    • Where the presence or absence of a math co-processor often differentiated different models
  • Imagining a new chip design that has or lacks some nanotube-based element is pretty easy
  • I believe the same sort of thing has happened with other research fields, like spintronics
    • For consumer facing devices such as hard drives
      • So it certainly seems within the realm of possibility in the next handful of years

(00:27:39.546) Google reveals a single, consolidated privacy policy

  • http://www.wired.com/epicenter/2012/01/google-streamlines-privacy/
  • Tim Carmody at Wired's Epicenter was one of many to note the release
    • Of a new privacy policy from Google that will go into effect March 1st
  • Google has also been emailing their users and blogging about the new policy
    • Consistently pushing a message of streamlining and easier reading
  • As simple as the new policy is, how Google may combine data from multiple services
    • Remains distressingly unclear
  • Only one example is mentioned in the policy itself, a trivial one that implies
    • They will combine and de-duplicate your social graph across services
  • The FAQ mentions that Google is already combining data across services
    • The policy change then is merely a way to make it simpler for them to do
      • On the promise of some unclear future value to the user
  • Despite Google holding to a commitment to transparency and user control
    • The existing tools don't shed any more light on how this data is being combined
  • The account profile, privacy dashboard and data liberation front
    • Continue to show the data in the buckets in which it is originally collected
  • There is as of yet no view of the synthesized data hinted at
  • The permutations of personal information may be entirely innocuous
  • At present it is impossible to audit and the incentives for allowing users to do so
    • Do not exist, quite the opposite
  • Much of the language Google has added around the combination of data
    • Makes it clear they consider this as necessary to improve their core products like search
      • And to develop new offerings
  • Both of these circumstances are ones about which Google has been secretive in the past
  • The problem with the destruction of the incidental compartments to your data at Google
    • Is that it also removes organic barriers to data being shared in places you don't expect
  • The past default was for data to stay with the services where it was collected
  • The user didn't have to imagine how some personal info entered into Blogger
    • Might bubble out via Plus, Gmail or search because that was less likely
  • Carmody points out how even another example offered by Google isn't as innocuous to all users
    • As the search giant makes it out
  • They presume that if someone has your email, showing them a personal name and photo is acceptable
  • If the pseudonym issues with Plus have taught them anything
    • It should be that you should respect the user's discretion about how much to share to whom
  • Thinking more on this particular case bears uncomfortable similarity to Buzz
    • Where the company got into trouble for assuming on behalf of the user what to share
  • The potential problem is magnified by the overall scale of a user's footprint on all services
    • And the number of new audiences to which that information may now be cross-shared
      • Either directly or more likely as the result of some synthesis or extrapolation
      • Presumed to be more convenient to the end user, and hence more valuable
  • There is no way to assess the risk to get at the most critical fraction
  • Worse, there is no way to opt out of the internal sharing and combination of data
  • In a stunningly tone deaf maneuver, the policy recommends that users export their data
    • And delete their account if they don't like the policy
  • Sadly, this is not entirely new, being consistent with the company's responses
    • To other criticisms, especially around the original prohibition on pseudonyms on Plus
  • Worse, with a single policy for all of their services, the take-a-hike option
    • Is far more like a thermonuclear scorching than shopping for one alternative to one offering
  • The inability for users to directly assess how the combinations of their data will be used and seen
    • Also sits uncomfortably close to the Facebook approach, intentionally or not
      • Where changes made under the rubric of simplification more often
      • Made user judgment and their expression of desired control more difficult
  • In the absence of a clear dimension along which to move for more or less privacy
    • Companies should strive to make the difference between user expectation and reality narrower
  • The headlines from many sources point to a strong reaction but bear reading
  • Danny Sullivan, from Search Engine Land, writing for Gizmodo
    • Hits on many of the same points in a piece titled
    • "Google's Broken Promise: The end of 'Don't be evil'"
  • http://gizmodo.com/5878987/its-official-google-is-evil-now
  • The tone is more one of disappointment than outrage, taking the company to task
    • For building its success to date on one set of principles
      • That the new privacy policy at least partially guts with regards to user agency
  • Google has posted a response to the wave of criticism and questions
  • http://googlepublicpolicy.blogspot.com/2012/01/setting-record-straight-about-our.html
  • It ignores the services that have moved towards requiring accounts
    • But does provide a litany of others, many quite popular like YouTube
      • That do not require registration and presumably agreeing to the policy
  • If Google has already shifted some services to requiring an account
    • The question has to be asked how long before the next new requirement
      • Especially given the very large benefit they are affording themselves
      • With the free hand to combine and analyze data in this sweeping way
  • I have to return to my frustration with Google's avoidance of open standards
    • Like those allowing for social services to be federated like email already is
  • Their response of take it or leave it would be less chilling
    • If there was a more vibrant web of openly interoperating systems
      • Instead of this seemingly unabated run of not-invented-here syndrome

(00:35:09.428) Following Up

(00:35:26.895) Mozilla offers alternative to OpenID

  • https://www.net-security.org/secworld.php?id=12259
  • Slashdot linked to a Help Net Security piece following up
    • On Mozilla's efforts around their browser-based authentication scheme, BrowserID
  • In a nutshell, Mozilla's design keeps identification and authentication rooted
    • Where the user has control rather than abdicating to third parties, even single sign-on services
  • The update in the past couple of weeks is that they have finally enabled all their own sites
    • To make use of their proposed technology
  • http://www.h-online.com/open/news/item/Mozilla-s-BrowserID-moves-forward-1419193.html
  • The H's Open Source channel has more details of the rollout which was announced in November
    • And was undertaken over the last few months, spanning the new year
  • Both articles link to details for those looking to implement support on their sites
  • Undoubtedly being their own first customer has afforded Mozilla
    • An excellent opportunity to improve their implementation
      • And the documentation for others wanting to use the technology
  • Both OpenID, the notional predecessor to BrowserID, and the browser maker's efforts
    • Are counter examples, as limited as they may be
      • To the first security alert that in part lamented the lack of research into passwords
  • Both take similar approaches to limiting risk by de-coupling identification and authentication
  • They are not strictly password schemes but still rely on them
    • And in so doing seek ways to shore up the weaknesses
      • Mainly in the need in other schemes to share credentials in some form or another

(00:36:49.984) EFF and Everything is a Remix want you to ask the Copyright Office for the right to remix

  • https://www.ripmixmake.org/
  • Cory at Boing Boing pointed at a collaboration between EFF and Kirby Ferguson
    • To gather a large number of signatures on a petition to the US Copyright Registrar
      • To consider as part of the every three year exemption process under the DMCA
      • An allowance for the act of remixing copyrighted works
  • Kirby Ferguson is the film maker behind the wonderful series, Everything is a Remix
  • The installments so far have comprehensively presented not the sort of YouTube powered remix
    • Of which critics of remix culture are so often scathingly skeptical
  • Rather Ferguson focuses on many established works and artists
    • That are very little different in how directly they re-use the works that influenced them
  • The ask builds on a previous exemption allowing breaking of DVD encryption for non-commercial use
  • The request is ambitious but does indeed speak to a shifting norm
    • Where the low cost of tools and sharing does indeed support
      • More people remaking and spreading more works
  • Take a moment to read Kirby's letter and if you agree, add your voice
  • As of this recording, there are 11 days before this plea has to be turned in
  • The DMCA exemption process too easily leads to being discouraged
  • Kirby's letter and EFF's support are an easy and excellent way to exercise a little optimism

(00:38:40.035) Outro