LINKDROP #7


OpenBSD all the things!

Security

  • OpenBSD 5.6 is out - Have been a huge fan of OpenBSD for years, don't get to use it as much as I'd like, lots of interesting new stuff in it (and perhaps better, removed from it)

  • Re: how secure is textsecure

    First of all I’d like to point out that to me the main takeaway from the paper is that TextSecure’s protocol can actually be proven to fulfil its claims, albeit so far just in the Random Oracle Model and under the assumption that we have a better way to establish entity authenticity than TextSecure currently provides.

  • Facebook, Google, and the Rise of Open Source Security Software - A commenter links to this paper on the Akamai query system

    If you run a large online operation like Facebook, you need more than just off-the-shelf hardware and software to protect the thing. “You can’t just install three appliances and go back to work,” he says. Today’s online operations are so complex, you’re forced to build your own security tools, tailoring software to your particular setup.

  • How Hackers Reportedly Side-Stepped Google's Two-Factor Authentication - Also, comments on hacker news, original post is here

    For as long as I've been using Instagram people have wanted my short, two-letter username. Like here on Ello, I am @gb on Instagram. Some people have asked politely, some have dug up my email address and offered to buy it, but more than anything, multiple times per week I get password reset emails from Instagram that I didn't request, and every so often, I would get authorization code texts for the Gmail account that was tied to my Instagram handle. When I saw that text—the one about my password being changed—I knew someone was after my Instagram account.

  • Poking holes in apparmor profiles - From 2012 but a good read still

  • I'm terrified of my smart tv - ugh, basically a slow, crappy computer that can never be updated and sends all kinds of personal info to the mothership

  • Basic PHP security

  • Facebook, hidden services, and https certs

    I didn't even realize I should include this section, until I heard from a journalist today who hoped to get a quote from me about why Tor users wouldn't ever use Facebook. Putting aside the (still very important) questions of Facebook's privacy habits, their harmful real-name policies, and whether you should or shouldn't tell them anything about you, the key point here is that anonymity isn't just about hiding from your destination. "Tor as a privacy tool to let users control their own data" to "Tor as a communications tool to give users freedom to choose what sites they visit" is a great example of the diversity of uses for Tor: whatever it is you think Tor is for, I guarantee there's a person out there who uses it for something you haven't considered.

  • Threat Introduced via Browser Extensions

  • Cyberthieves

  • Netflix Message Security Layer: A Modern Take on Securing Communication

    One of the largest problems with HTTPS is the PKI infrastructure. There were a number of short-lived incidents where a renewed server certificate caused outages. We had no good way of handling revocation: our attempts to leverage CRL and OCSP technologies resulted in a complex set of workarounds to deal with infrastructure downtimes and configuration mistakes, which ultimately led to a worse user experience and brittle security mechanism with little insight into errors. Recent security breaches at certificate authorities and the issuance of intermediate certificate authorities means placing trust in one actor requires placing trust in a whole chain of actors not necessarily deserving of trust.

  • Cookies Are Dead: User-Based Attribution Models Are The Only Way Forward

    Cookies are the base tracking mechanism for most companies running online marketing initiatives, yet cookies are dying out rapidly because mobile usage is increasing and most mobile browsers don’t support third-party cookies. In fact, cookies simply don’t work across all mobile devices, and multi-device usage is no longer the way of the future; it’s happening now.

  • You can trust an openstack cloud, here's why

OpenStack

The OpenStack conference is in Paris.

Go

Other

  • In Defense of Bare Metal - Not sure if they realized the article doesn't really come out in favor of bare metal

    One software engineer, who attended The New Stack party in Seattle this week and asked not to be named, said that his company switched most of its workloads from AWS to bare metal and it’s been a nightmare. His company recently wanted to order more servers from its provider and the provider wasn’t able to accommodate the request – it didn’t have any to spare and hasn’t been able to build a new data center yet.

  • The Disruption Machine

  • Deis breathes new life into Dokku - Dokku is a cool mini-PaaS

  • Pocket super computer

  • The Network Iceberg

    The next revision of compute virtualization is the application. The last significant bastion of efficiency is to remove the OS from the equation and virtualize that application itself. At the helm of the compute disruption is Docker. Depending on a provider's oversubscription, a typical ratio of VM/CPU is in the range of 20-50 VMs per physical core.