spectre and the end of langsec — wingolog

spectre and the end of langsec — wingolog:

The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google’s Caja compiler to isolate components from each other, even when they run in the context of the same web page.

But the Spectre and Meltdown attacks have seriously set back this endeavor.

I suggest reading the post to get the full take.

Some of my time is spent talking with clients about secure development life cycle practices and tools to help bolster security early in the process. I’ve abstractly reflected on how I was taught/learned to code using what is referred to as the Unix approach – small, well-understood, behaviorally consistent components brought together to make a more complex system.

This was in the days before these large package management systems.

I was reminded of the infamous 11-line JavaScript NPM package, a package that implemented a “left-pad” function, which the developer unpublished. Literally thousands of other packages relied on this simple one, causing the whole dependency “house of cards” to collapse. See https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ for a reminder of the story.

Now think about this: that was a software-based issue that, while hugely impactful, was easy to fix (select 11 lines of code, copy, paste). What happens when hardware isn’t behaviorally consistent or is so fundamentally flawed its insecurity isn’t fixable?

Taking me back even further, I’m reminded of the various Intel floating-point issues of the ’80s and ’90s.

I drifted off topic.

What are your thoughts?

The Apple Pay Japan One Year Mark

The Apple Pay Japan One Year Mark:

Apple Pay in Japan is all about Apple Pay Suica which we already knew. In the Suica home base area, the Kanto region, contactless payments grew from 20% of total transactions to more than 40% in the year that Apple Pay Suica has been available. My analysis is that Apple Pay Suica is responsible for driving that change. What used to be ‘some people some of the time’ is quickly transitioning to ‘most people most of the time’.

One 7-Eleven store owner summed it up nicely: “e-money (Suica) purchases have really taken off this past year.”

(Via Ata Distance)

I will not stop talking about how great Apple Pay Suica is for transit and purchasing. The rest of the world needs this.

Top BBC men take wage cuts in gender pay row

Top BBC men take wage cuts in gender pay row:

Six top male BBC presenters agreed to take wage cuts Friday after the broadcaster’s female China editor quit in protest over unequal pay.

The six, who are among the British Broadcasting Corporation’s top-earning journalists, voluntarily decided to take a pay cut

(Via Japan Today)

Arguably this makes the situation worse. For the BBC or any company it is all about the money. Taking a pay cut, though well intentioned, doesn’t do anything but help the BBC’s bottom line. Two or three years ago, maybe the bad press would kick-start change. Today, not so much.

If the male presenters demanded their full pay while not going on air or protesting the disparity on-air until there is pay parity, that’s meaningful. Or they could take a pay cut and cut their work for the BBC to the same proportion.

As it is, it’s a mindless empty gesture that helps the wrong people, In My Humble Opinion.

Apple to Deprecate Many macOS Server Services

Apple to Deprecate Many macOS Server Services:

Apple will be removing the deprecated services in a future release of macOS Server, so the writing is on the wall — it’s time to start researching alternatives.

(Via TidBITS: Apple News for the Rest of Us)

I would be more upset if the Server App was better – either more intuitive or more configurable. As it is, it’s a middling neither mess. I’m a networking and security professional – getting a VPN running on this thing is absurd.

Apple is clearly getting out of the network business. It’s odd they are punting this critical technology.


I thought I’d picked out a sweet spot to camp out at the Japan Brewers Cup 2018 in Yokohama. Turns out it was right in front of where an audience participation magic show will take place.

I found the first lightly populated table as fast as I could before the magic happens.

UPDATE: The sad news was that they are very talented acrobats not at all interested in audience participation beyond wonder. I should have known better.

Rating #ApplePay #Suica Performance in #iOS 11.2.5


Japanese Apple Pay Suica users and iPhone X users are tweeting and blogging about the Apple Pay Suica performance improvements in the iOS 11.2.5 update. So far the reports are very good. But how good is good and can it be even better?

Read the article for the dazzling details. My anecdotal experience is that watchOS/iOS is working well with Suica. None of the momentary failures, and it seems more sprightly in paying.

[Preparing for the Pink] Building a Smart Job Loss Plan

Building a Smart Job Loss Plan:

Imagine that tomorrow – or your next day at work – you go into your workplace only to find a pink slip waiting for you. You’re done. Your employer heard some horrible rumor about you, or maybe your organization is downsizing, or maybe you made a big mistake recently and it’s caught up to you. Whatever it is, your job is no longer yours. You have 15 minutes to clean out your desk and half an hour at HR to sign some papers and then you’re out on the street.

What now? What do you do?

(Via The Simple Dollar)

Way back in 2013 (was it that long ago?) I wrote about being laid off from the company where I worked for twelve years. I called my posts “Preparing for the Pink” as in a Pink Slip. This is the traditional American notice of termination of employment, though the physical piece of paper is not often used any more.

Anyway, here is an updated version of the same idea. While very focused on people in the United States, the general principles should be useful to workers everywhere, even where the labor laws are much more liberal.

  1. Keep your resume updated all the time.
  2. Keep your training and education current, preferably using current workplace resources.
  3. Have a set of strong professional contacts in place; do favors and make sure those relationships are strong.
  4. Have a very healthy emergency fund.
  5. Know exactly what benefits you’re due if you were to lose your job and how to get those benefits.
  6. Have a list of people to contact immediately to start finding another job.

This whole article and my earlier ones are a great example of the Stoic idea of Negative Visualization, which the ending of the article sums up spectacularly:

The key lesson is that thinking about life’s potential problems now and coming up with solutions in a rational and calm way, then taking steps to make those solutions easy to execute in a crisis, goes a long way toward making any and all crises in life much easier to handle.

The little steps you take now, handled with rational thought and just a little effort and a little money, can save you enormous headaches and a great deal of money down the road when an unfortunate event does occur. Preparing for a job loss is just one example of this powerful life strategy.

Trent Hamm’s articles in the Simple Dollar are great. If you’re not reading it on a regular basis, you should.