Archive for September, 2016

Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World

September 27, 2016

Authors:
Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin R.B. Butler, University of Florida

Source:
https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/reaves

Abstract:
Mobile money, also known as branchless banking, brings much-needed financial services to the unbanked in the developing world. Leveraging ubiquitous cellular networks, these services are now being deployed as smart phone apps, providing an electronic payment infrastructure where alternatives such as credit cards generally do not exist. Although widely marketed as a more secure option to cash, these applications are often not subject to the traditional regulations applied in the financial sector, leaving doubt as to the veracity of such claims. In this paper, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers and demonstrate that automated analysis fails to provide reliable insights. We subsequently perform comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records. These findings confirm that the majority of these apps fail to provide the protections needed by financial services. Finally, through inspection of providers’ terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.

Categories: Interesting

apt-get notes

September 26, 2016

A nice summary of some apt-get commands.

# Installs the selected package from repositories listed in
# /etc/apt/sources.list
$ apt-get install <package>

# Removes the selected package from your system
$ apt-get remove <package> 

# Updates the list of packages available on the repositories listed in
# /etc/apt/sources.list
$ apt-get update

# Installs the latest available versions of all your installed software
$ apt-get upgrade

# Installs the latest available software related to your configuration
$ apt-get dist-upgrade 

# Restarts/Starts the configuration script inside the package,
# which will bring up the menu-based dialogs in the same way as after installation
$ dpkg-reconfigure <package>

# Prints detailed information about the software package
$ apt-cache show <package> 

# Prints information on the installed software package
$ dpkg -l <package>

# Lists all files installed by the software package
$ dpkg -L <package>

# Installs a local (.deb) file to your system
$ dpkg -i <file>

# Prints information about the software package owning <file>
$ dpkg -S <file>

# Searches apt database for packages containing <string> in their 
# name and description
$ apt-cache search <string>

Source:
OpenVPN: Building and Integrating Virtual Private Networks

Categories: bash, debian, notes

Raymond Hettinger, “Being a Core Developer in Python”, PyBay2016

September 24, 2016

Published on Sep 17, 2016
PyBay 2016 Keynote

What I’ve learned from being a maintainer and core developer for the past 15 years. Thoughts on channeling Guido, stability, hyper-generalization, Sturgeon’s law and negativity, evaluating submissions, inability to predict the future, user centric design, treating mature code differently, believing in or doubting your predecessors, lever arguments and completers, problems of too many choices, implementation details, how much to document, needs of the standard library versus the needs of users, code that is dead on arrival and how PyPI changed everything, orthogonality, importance of skill and expertise, consistency and foolish consistency, optimization and premature optimization, security tautologies, argument ordering, operator abuse, avoiding race to implementation (we can all write working code), the naming of parts, economy of force and complexity balance, feature creep, developing for others, over reliance on Guido, great minds don’t think alike, preference for compactness, and aversion to deprecations. What it means to be completely reliant on long term unpaid volunteers.

Bio:
Raymond has been a prolific contributor to the CPython project for over a decade, having implemented and maintained many of Python’s great features. He has been instrumental in modules like bisect, collections, decimal, functools, itertools, math, random, with types like namedtuple, sets, dictionaries, and in many other places around the codebase. He has contributed to the modification of nearly 90,000 lines of code in the CPython repository, and has made over 160 changes in the PEP repository.

Raymond has also served as a director of the Python Software Foundation, and has mentored many people over the years on their contributions to the python-dev community. He’s also well known for his contributions to the Python Cookbook, and shares many pieces of Python wisdom on Twitter. He received the Distinguished Service Award at PyCon 2014 for his exceptional contributions to the python community.

https://www.youtube.com/watch?v=voXVTjwnn-U

Categories: Interesting, python

The Cryptographic Key That Secures the Web Is Being Changed for the First Time

September 23, 2016

Soon, one of the most important cryptographic key pairs on the internet will be changed for the first time.

The Internet Corporation for Assigned Names and Numbers (ICANN), the US-based non-profit responsible for various internet infrastructure tasks, will change the key pair that creates the first link in a long chain of cryptographic trust that lies underneath the Domain Name System, or DNS, the “phone book” of the internet.

This key ensures that when web users try to visit a website, they get sent to the correct address. Without it, many internet users could be directed to imposter sites crafted by hackers, such as phishing websites designed to steal information.

Source:
http://motherboard.vice.com/read/the-encryption-key-that-secures-the-web-is-being-changed-for-the-first-time?trk_source=homepage-lede

Categories: news

GPG notes

September 22, 2016

GPG Notes

1. Getting a gpg public key
You need to know the recipient's key ID.

gpg2 --keyserver pgp.mit.edu --recv-keys <recipient_key_id>

2. Sending a gpg public key to a key server

gpg2 --keyserver hkp://pgp.mit.edu --send-keys <key_id>

3. Encrypt a file (I locked myself out doing this, so if you want to read that file again later, use the other option below)

gpg2 --output file.txt.gpg --sign --encrypt --recipient <recipient_key_id> \
     --recipient <recipient_key_id> file.txt

4. Encrypt a file that you would later want to decrypt

# add your own key as a recipient so you can decrypt the file later
gpg2 --output file.txt.gpg --sign --encrypt --recipient <your_key_id> \
     --recipient <recipient_key_id> --recipient <recipient_key_id> file.txt
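The difference between items 3 and 4, reproduced in a throwaway keyring as an added example (not part of the original notes): encrypting only to the recipient leaves the sender unable to read the file, adding yourself as a recipient keeps it readable. It assumes a GnuPG 2.x binary on PATH as gpg2 or gpg; the user ids, directories and plaintext are constructed.

```shell
set -e

# Use whichever GnuPG 2.x binary is on PATH (gpg2 on older distros, gpg on newer).
GPG=$(command -v gpg2 || command -v gpg || true)

# Generate an unprotected throwaway key for user id $2 in keyring directory $1.
make_key() {
  GNUPGHOME="$1" "$GPG" --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$2" default default never >/dev/null 2>&1
}

# Sign and encrypt $3 from keyring $1 into $2; remaining args are --recipient flags.
encrypt_to() {
  home=$1; out=$2; src=$3; shift 3
  GNUPGHOME="$home" "$GPG" --batch --yes --trust-model always \
    --pinentry-mode loopback --passphrase '' --output "$out" \
    --sign --encrypt "$@" "$src"
}

# Try to decrypt $2 with keyring $1; prints "readable" or "locked-out".
read_back() {
  if GNUPGHOME="$1" "$GPG" --batch --pinentry-mode loopback --passphrase '' \
       --quiet --decrypt "$2" >/dev/null 2>&1; then
    echo readable
  else
    echo locked-out
  fi
}

# Reproduces items 3 and 4: returns 0 when the recipient-only file is unreadable
# by the sender and the self-plus-recipient file is still readable.
demo_recipients() {
  [ -n "$GPG" ] || { echo "gpg not installed; skipping"; return 0; }
  me=$(mktemp -d); friend=$(mktemp -d); chmod 700 "$me" "$friend"
  make_key "$me" "me <me@example.invalid>"
  make_key "$friend" "friend <friend@example.invalid>"
  # The sender normally holds only the recipient's public key, so import just that.
  GNUPGHOME="$friend" "$GPG" --batch --export friend |
    GNUPGHOME="$me" "$GPG" --batch --import >/dev/null 2>&1
  echo "constructed plaintext" >"$me/file.txt"
  encrypt_to "$me" "$me/friend_only.gpg" "$me/file.txt" --recipient friend          # item 3
  encrypt_to "$me" "$me/both.gpg" "$me/file.txt" --recipient me --recipient friend  # item 4
  a=$(read_back "$me" "$me/friend_only.gpg"); b=$(read_back "$me" "$me/both.gpg")
  echo "recipient only: $a   self + recipient: $b"
  for h in "$me" "$friend"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || true; done
  rm -rf "$me" "$friend"
  [ "$a" = locked-out ] && [ "$b" = readable ]
}

demo_recipients
```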

More reading
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Encryption-GPG-Creating_GPG_Keys_using_the_Command_Line.html

Creating a new GPG key with subkeys

Categories: bash

Researchers show off remote attack against Tesla Model S

September 22, 2016

The researchers were able to remotely control the braking system, sunroof, door locks, trunk, side-view mirrors and more

Tesla Motors is considered one of the most cybersecurity-conscious car manufacturers in the world — among other things, it has a bug bounty program. But that doesn’t mean the software in its cars is free of security flaws.

Researchers from Chinese technology company Tencent found a series of vulnerabilities that, when combined, allowed them to remotely take over a Tesla Model S car and control its sunroof, central display, door locks and even the braking system. The attack allowed the researchers to access the car’s controller area network (CAN) bus, which lets the vehicle’s specialized computers communicate with each other.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers from Tencent’s Keen Security Lab said in a blog post Monday. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”

Source:
http://www.computerworld.com/article/3121908/security/researchers-show-off-remote-attack-against-tesla-model-s.html

Categories: news

How HipChat Stores and Indexes Billions of Messages Using ElasticSearch and Redis

September 21, 2016
Categories: Interesting

Querying json in PostgreSQL

September 7, 2016
Categories: postgresql