Your Social Media Fingerprint — thoughts…

October 12, 2016

Without your consent most major web platforms leak whether you are logged in. This allows any website to detect on which platforms you’re signed up. Since there are lots of platforms with specific demographics an attacker could reason about your personality, too.

via Your Social Media Fingerprint — thoughts…

Categories: Interesting

DNS Crash Course: A, AAAA AND PTR Records

October 10, 2016

I usually contribute posts to my blog to share a new concept or to review an awesome new piece of software. However, every once in a while I feel it necessary to contribute to the general knowledge of the Internet by bringing you posts like these.

I plan to publish a series of articles called DNS Crash Course and over the next several weeks, I’ll be explaining DNS records – those pesky things that can make or break your website, email, and other services critical to a business or organization. I consider myself something of a subject matter expert on DNS as it relates to web hosting, being involved with Fox Design Werx. These articles will focus on a particular record type, or on several types if they are appropriate to discuss together.

In this inaugural article, I’ll be discussing the most basic of all DNS records: the A record. By extension, I’ll also be explaining a reverse lookup record, also known as a PTR record, and something called AAAA or ‘quad-A’ records. First things first…

Categories: Interesting

Three Infrastructure mistakes your company must not make

October 7, 2016

When Avi Freedman was getting ready to graduate Temple University in 1992, there was no way to buy internet service in Philadelphia. Literally. If you wanted to send someone money to get a dial-up account, there was nobody to send it to. But Freedman had already been running public access Unix machines and letting people he knew log into them. So he decided to turn his personal frustration into a company that would offer dial-up Internet access to everyone in the area.

He thought, “Well, it can’t be that hard. I’ll just buy a commercial 24-7 internet access link and add some modems.” Not long afterward, Freedman founded Philadelphia’s first ISP. That early experience has served him well. Netaxs and many similar ISPs that built out the commercial internet spawned a community of people that now run some of the largest enterprise, web, and cloud and service provider infrastructures around the world.

Freedman has since wended his way through the networking world. He ran engineering for AboveNet, a global backbone provider (now part of Zayo); spent 10 years at Akamai, running the network group and creating infrastructure-focused services; and then served as CTO for the hosting and cloud company ServerCentral. Two and a half years ago, he founded Kentik to give companies complete visibility into their network traffic, performance and security. Having seen over 100 startups scale their infrastructure, he’s one of the best sources of advice we could have found to talk about technical infrastructure.

In this exclusive article, Freedman shares the three biggest (often company-ending) mistakes startups make when it comes to setting up their systems:

* They land themselves in Cloud Jail.
* They get sucked in by “hipster tools.”
* They don’t design for monitorability.

But don’t worry if you spot symptoms of these where you work. It’s possible to avoid these pitfalls if you’re aware of them as you build your company.

Categories: Interesting

Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World

September 27, 2016

Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin R.B. Butler, University of Florida
Mobile money, also known as branchless banking, brings much-needed financial services to the unbanked in the developing world. Leveraging ubiquitous cellular networks, these services are now being deployed as smart phone apps, providing an electronic payment infrastructure where alternatives such as credit cards generally do not exist. Although widely marketed as a more secure option to cash, these applications are often not subject to the traditional regulations applied in the financial sector, leaving doubt as to the veracity of such claims. In this paper, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers and demonstrate that automated analysis fails to provide reliable insights. We subsequently perform comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records. These findings confirm that the majority of these apps fail to provide the protections needed by financial services. Finally, through inspection of providers’ terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.

Categories: Interesting

apt-get notes

September 26, 2016

A nice summary of some apt-get commands.

# Installs the selected package from repositories listed in
# /etc/apt/sources.list
$ apt-get install <package>

# Removes the selected package from your system
$ apt-get remove <package> 

# Updates the list of packages available on the repositories listed in
# /etc/apt/sources.list
$ apt-get update

# Installs the latest available versions of all your installed software
$ apt-get upgrade

# Installs the latest available software related to your configuration
$ apt-get dist-upgrade 

# Re-runs the configuration script inside the package,
# which brings up the same menu-based dialogs shown after installation
$ dpkg-reconfigure <package>

# Prints detailed information about the software package
$ apt-cache show <package> 

# Prints information on the installed software package
$ dpkg -l <package>

# Lists all files installed by the software package
$ dpkg -L <package>

# Installs a local (.deb) file to your system
$ dpkg -i <file>

# Prints information about the software package owning <file>
$ dpkg -S <file>

# Searches apt database for packages containing <string> in their 
# name and description
$ apt-cache search <string>
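The `dpkg -i <file>` line above installs whatever local .deb you hand it; unlike `apt-get install`, nothing checks the file against a signed repository index first. The following is an added example, not part of the original notes, of a small POSIX shell wrapper that compares the file's SHA-256 against a value you obtained out of band (from the vendor's signed release notes, for instance) and only then calls dpkg. The `DPKG` variable is an assumption introduced here so the wrapper can be exercised without root; it defaults to the real `dpkg`.

```bash
#!/bin/sh
# Added example (not from the original notes): gate "dpkg -i" behind a checksum
# check so a tampered or mis-downloaded .deb is never handed to the package manager.

# sha256_of FILE
# Prints the hex SHA-256 of FILE using whichever tool the host provides
# (sha256sum on GNU userland, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_deb FILE EXPECTED_SHA256
# Exit status 0 when FILE hashes to EXPECTED_SHA256 (hex, case-insensitive),
# 1 on mismatch, 2 when FILE cannot be read.
verify_deb() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# install_verified FILE EXPECTED_SHA256
# Calls "dpkg -i FILE" only when the checksum matches; otherwise reports and
# returns 1 without touching the system. DPKG is an assumed override hook for
# testing (e.g. DPKG=true) and defaults to the real dpkg binary.
install_verified() {
    if verify_deb "$1" "$2"; then
        ${DPKG:-dpkg} -i "$1"
    else
        echo "refusing to install $1: checksum mismatch or unreadable file" >&2
        return 1
    fi
}

# Usage (as root, with the expected hash copied from the vendor's signed source):
#   install_verified ./example_1.0_amd64.deb <expected-sha256>
```

The check is deliberately a plain string comparison on lowercase hex, so a hash copied from a web page in uppercase still matches; a missing or unreadable file returns a distinct status (2) so scripts can tell "wrong file" from "bad file".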

Categories: bash, debian, notes

Raymond Hettinger, “Being a Core Developer in Python”, PyBay2016

September 24, 2016

Published on Sep 17, 2016
PyBay 2016 Keynote

What I’ve learned from being a maintainer and core developer for the past 15 years. Thoughts on channeling Guido, stability, hyper-generalization, Sturgeon’s law and negativity, evaluating submissions, inability to predict the future, user-centric design, treating mature code differently, believing in or doubting your predecessors, lever arguments and completers, problems of too many choices, implementation details, how much to document, needs of the standard library versus the needs of users, code that is dead on arrival and how PyPI changed everything, orthogonality, importance of skill and expertise, consistency and foolish consistency, optimization and premature optimization, security tautologies, argument ordering, operator abuse, avoiding race to implementation (we can all write working code), the naming of parts, economy of force and complexity balance, feature creep, developing for others, over-reliance on Guido, great minds don’t think alike, preference for compactness, and aversion to deprecations. What it means to be completely reliant on long-term unpaid volunteers.

Raymond has been a prolific contributor to the CPython project for over a decade, having implemented and maintained many of Python’s great features. He has been instrumental in modules like bisect, collections, decimal, functools, itertools, math, random, with types like namedtuple, sets, dictionaries, and in many other places around the codebase. He has contributed to the modification of nearly 90,000 lines of code in the CPython repository, and has made over 160 changes in the PEP repository.

Raymond has also served as a director of the Python Software Foundation, and has mentored many people over the years on their contributions to the python-dev community. He’s also well known for his contributions to the Python Cookbook, and shares many pieces of Python wisdom on Twitter. He received the Distinguished Service Award at PyCon 2014 for his exceptional contributions to the python community.

Categories: Interesting, python

The Cryptographic Key That Secures the Web Is Being Changed for the First Time

September 23, 2016

Soon, one of the most important cryptographic key pairs on the internet will be changed for the first time.

The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based non-profit responsible for various internet infrastructure tasks, will change the key pair that creates the first link in a long chain of cryptographic trust that lies underneath the Domain Name System, or DNS, the “phone book” of the internet.

This key ensures that when web users try to visit a website, they get sent to the correct address. Without it, many internet users could be directed to imposter sites crafted by hackers, such as phishing websites designed to steal information.
Categories: news