Interesting Stuff on the Web Feb 1st-7th

Docker

Docker have started talking about a new framework, calling it a Container-As-A-Service. There aren’t many details out yet, outside of a white paper, but it sounds like it will be a complete integration of the different docker services. More information will be provided at an upcoming webinar on Feb 16th, 1PM EST!

caas_diagram

Finally this week showed many awesome steps forward with Docker Compose including the ability to set custom IPs and host aliases on containers! Also the Splunk integration will hopefully help get Docker more use in enterprise,

AWS

With the recent release of the AWS Certificate Manager and the ability to get SSL certificates for free, the base assumption is that you would use these everywhere! Ryan Brown points out the integration between AWS Cloudfront and Cert Manager isn’t quite there yet.. and then provides the full set of code for you to create a new Type to provide the integration!

This wasn’t the only awesome post by Ryan, he spoke with Speaker and provided another in-depth post of implementing the AWS API Gateway as a method of being a proxy passthrough to other APIs, and to keep the costs down, using AWS Lambdas!

Finally to wrap up some of the AWS stuff, was a new whitepaper by Puppet Labs, where they have been working to make managing nodes in the cloud easier by generating certificates based on the instance id, and keeping a track of running instances.

Puppet AWS Integration

Git

Git hooks are very powerful, and this post really starts diving into some of the possible use-cases! I really like the post checkout check to include the branch’s current build status.

Git Hooks

Github posted about sub modules – linking and embedding projects in one repo. As they point out, this is an edge case, embedding external dependencies. I hadn’t even realized that git has these commands to make this easier to manage and thankfully the post goes step by step through a use case of implementing this with an existing project.

Finally one of the best things I saw this week was the Git Large File Storage. This was always a pain – debating what should go into source control, what is an artifact.. Turns out we could have just been using this, where you can configure it to store certain file types into lfs and the rest to your repo!

Coding

After college I rarely ever think about the underlying structures behind my code – the network stack, how the code is converted into assembly.. this is what made this post about firewalls and TCP sequence numbers so interesting.

Laura Frank posted a great introduction to Go concurrency patterns, starting off with what concurrency is, how it is implemented and end with a couple of great links including this one to help you visualize concurrency!

Go Concurrency Fanning

Cool stuff

Well now for some stuff that just doesn’t really fit anywhere else.. and first off are these awesome eagles.. sorry.. Anti-Drone devices 😉

Anti Drones

You don’t need to worry that this will boost the eagles confidence enough to take on us – thankfully science has thought ahead and we now have exoskeletons to combat the future eagle army!

This started off sounding awesome – the second life of the VR realm, AltspaceVR had just been released for the Gear VR.. Sadly it turns out that this is only for the consumer edition and no joy for the Note 4 users.

Now for anyone who likes leds, and trying to make Arduino led cubes, then you will love the 512 led Tittle and its awesome implementation! Hopefully they set this up with IFTTT integration, using this as a build light could be great fun 😉

And finally, for anyone who really wants to excel as a developer this Monday-Friday guide is a life saver!

Trusted Networks on the Intertubes

trustWe have been thrown a challenge by our lecturer, Scott O. Bradner, on coming up with a project for Security, Privacy, and Usability. One idea we kicked around in college was to design a network that would ensure all users had met in real life. Our view was that it had become too easy to pass invites to some unknown person and compromise a network, that requiring a demonstration of physical contact would show a greater familiarity.

The real hang up was on trying to figure out how to demonstrate that the physical contact actually occurred. Getting pictures of people together and doing facial recognition has to be immediately discarded – the thought of keeping everyone’s picture is distasteful plus it would make the entire network insecure if the server was exploited.

On the technical side also, images can be doctored. Sadly most of our thoughts on the technical side could be duplicated and transferred online. Even integrating some aspect of custom hardware into the mix would just be a delaying tactic. Eventually someone would examine the input/output and figure out what algorithm had been implemented.

And so the project had languished till now. With the class and my many hours of 24/NCIS/CSI and other shows I’m wondering if there is some tactic used by clandestine cell systems that permits new members being validated by a trusted 3rd party.

The first aspect, introduction, appears to require several things:

1. The member who extended the invite and invitee meeting up.

2. Having another trusted 3rd party proximity.

3. The 3rd party should not know who the member and invitee are, and vice-versa.

4. A method to confirm the member and invitee are both the two people in the presence of the 3rd party.

A type of one time private network that can be established between the three with authentication is required. How to get around the problem of the member simply operating two laptops or having a person impersonate the invitee are still unknown. The resources to vet the person is beyond the network’s capabilities – so in effect we are still relying on one person’s judgement. The requirement for physical contact would hopefully ensure that the two people do know each other rather than being #randominternetperson.

Once a person joins the network we would have to examine how cells interact. Some thing like only permitting you access to contacts where you have a intermediate contact you both have met – very linkedin. More random thoughts on this later – there may have to be alcohol to get the creative thoughts flowing…

 

Security Evaluation: How It Fails

crypto“security must be evaluated not based on how it works, but on how it fails”

-Bruce Schneier

Bruce Schneier is a computer security expert that I highly recommend following for any serious into cryptography. This quote comes an old article he wrote on national security. The quote puts me in mind of one of the basic tenants of security – Kerckhoffs’s principle:

It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience;

No matter what the security is, you must assume that you are not invulnerable. You should examine your system and ignore how difficult it would be to penetrate the system, but once done – what could an attacker achieve? Do they have access to account data? Financial data? Can they perform actions that would impact the customer?

If the actions are not irreparable then we look at the possibility of the attacker gaining access.  A popular method is to examine attack maps – where we can estimate the financial cost to attacking the system successfully. If the cost of an attacker accessing the system is greater then the cost to attack it them additional security measures are required.

Note that one part of attack maps estimates the likelihood of the attack vector, I’d caution folks to keep Feynman‘s article “Personal observations on the reliability of the Shuttle in mind. The disconnection between engineer estimates on failures and management is amusing if not for being so close to the truth…

More musing to follow..

Compare and contrast Pad Locks to Passwords

padlockThere is a good paper, Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks Blaze (2002),  relating cryptography to a physical lock – not just in the terminology but the actual attacks.

Matt Blaze points out that a lock can not in itself guarantee security – attacks can target more vulnerable vectors or if they are knowledgeable about an issue with the manufacture’s implementation. It could be a bug that does not check security of the application or it could be a problem with the security verification making it insecure.

I particular like his attack relating the computation to figuring out a master key!

With the latest home security innovations being monitoring systems that alert you to shut down appliances, check who is at home etc, there is definitely a correlation between these actions and log monitoring tools. I wonder if there is a security tool that displays who is accessing your servers and what applications that they are currently logged into in an intuitive way – to come back to the physical security, I see my dog then I am happy and don’t care, I see random folks.. worries kick in.