security

banking.senate.gov
image by @thedansherman
"...there exists a sphere of life that should remain outside public scrutiny, in which we can be sure that our words, actions, thoughts and feelings are not being indelibly recorded. This includes not only intimate spaces like the home, but also the many semi-private places where people gather and engage with one another in the common activities of daily life—the workplace, church, club or union hall. As these interactions move online, our privacy in this deeper sense withers away."
Maciej Cegłowski, owner and operator of old-school bookmarking service Pinboard (which I use to power posts like this) spoke to the Senate Banking Committee about online privacy. His thoughtful written statement is an excellent description of privacy in our current tech environment and has some ideas about how regulation could change things. I have no idea how this public statement came about, but I hope our leaders were listening. The gif here is by @thedansherman.
Twilio
image from Twilio
These security and performance changes for websites are easy to add and include some new browser features I wasn't aware of before. I went with the recommendation here for a simple CSP header, but it looks like you could really batten down the HTTPS hatches with that one if you read through the spec.
null program
“This program opens a socket and pretends to be an SSH server. However, it actually just ties up SSH clients with false promises indefinitely...”
Discouraging bots is a fun hobby I approve of. I like this simple Python script that exploits an RFC loophole.
pi-hole.net
image from pi-hole.net
I'm a big fan of goofing around with a Raspberry Pi. At times I've used mine as a game emulator, media center, and caller ID server. Recently it has been sitting in a box, but now it's a DNS server that blocks ads on my home network thanks to Pi-hole. Pi-hole is software you install on a Raspberry Pi that filters the addresses you or your devices request through shared lists of known advertisers. It's simple to set up and it just works. I'm seeing 98% fewer ads across the web, no browser ad-blocker required. Once installed it has a nice web admin interface and it gives you statistics about which domains have been blocked. (8.7% of all my DNS queries have been blocked as I write this.) It was also easy to add my favorite ad-supported sites to a whitelist so they'll still get paid. It does bother me that this kind of tool leads to a nerds vs. everyone else experience (great interview, btw), but tracking, malware, and general browsing performance have gotten so bad due to ads that we need these tools. If you already have a tiny computer, Pi-hole plus an hour to set it up on a weekend will improve your web experience.
washingtonpost.com
We have recently had regular E. coli outbreaks while the FDA was fully staffed. It seems like a bad idea to understaff them right now.

Update (1/11): Oh good.
Medium | Javascript
image from Medium
The headline is a little alarmist, but this is a great explanation of some bitcoin scam code that someone placed into a popular node package. I agree that building businesses on top of volunteers is not sustainable and I hope the Node community can work on a solution. Reusing community code is a fast way to develop but you trade away some security.
Freedom to Tinker
With elections on our minds (vote Tuesday!), here's Ed Felten describing a new voting system called E2E-V. I'm not sure I get the nuances of the coin-flip challenge for voters, but it sounds like a much better system than our current black-box, insecure, privately owned machines. And of course my favorite system is Oregon's statewide mail-in system. I'm sure it's not as secure as end-to-end verifiable cryptography, but I think the convenience and ease of understanding how it works means more people participate.
Strange Loop IP Spoofing Talk

An engineer at Cloudflare shares some data from the front lines of fighting DDoS attacks. He also makes the connection between DDoS and service centralization and offers some potential solutions. (Unfortunately I don't see any incentive for big companies to fix this problem.)
  • This is a fantastic idea! You install a bit of software on your server to automate the security certificate garbage. It'd be great for low-stakes sites where the hassle of setup is the barrier.
  • Leonard has a great summary of the Apple security problem: "Either Apple’s security was so incompetent or negligent that they have not been aware of what was going on, or they knew, but actively ignored the issue and decided that it was not worth fixing."