spectre and the end of langsec — wingolog

spectre and the end of langsec — wingolog:

The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google’s Caja compiler to isolate components from each other, even when they run in the context of the same web page.
But the Spectre and Meltdown attacks have seriously set back this endeavor.

I suggest reading the post to get the full take.
Some of my time is spent talking with clients about secure development life cycle practices and tools to help bolster security early in the process. I’ve abstractly reflected on how I was taught/learned to code using what is referred to as the Unix approach – small, well understood, behaviorally consistent components brought together to make a more complex system.
This was in the days before these large package management systems.
I was reminded of the infamous 11-line JavaScript NPM package, a package that implemented a “left-pad” function, which the developer unpublished. Literally thousands of other packages relied on this simple one, causing the whole dependency “house of cards” to collapse. See https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ for a reminder of the story.
Now think about this: that was a software-based issue that, while hugely impactful, was easy to fix (select 11 lines of code, copy, paste). What happens when hardware isn’t behaviorally consistent or is so fundamentally flawed its insecurity isn’t fixable?
Taking me back even further, I’m reminded of the various Intel floating point issues of the 80’s and 90’s.
I drifted off topic.
What are your thoughts?

The Apple Pay Japan One Year Mark

The Apple Pay Japan One Year Mark:

Apple Pay in Japan is all about Apple Pay Suica which we already knew. In the Suica home base area, the Kanto region, contactless payments grew from 20% of total transactions to more than 40% in the year that Apple Pay Suica has been available. My analysis is that Apple Pay Suica is responsible for driving that change. What used to be ‘some people some of the time’ is quickly transitioning to ‘most people most of the time’.
One 7-Eleven store owner summed it up nicely: “e-money (Suica) purchases have really taken off this past year.”

(Via Ata Distance)
I will not stop talking about how great Apple Pay Suica is for transit and purchasing. The rest of the world needs this.

Top BBC men take wage cuts in gender pay row

Top BBC men take wage cuts in gender pay row:

Six top male BBC presenters agreed to take wage cuts Friday after the broadcaster’s female China editor quit in protest over unequal pay.
The six, who are among the British Broadcasting Corporation’s top-earning journalists, voluntarily decided to take a pay cut

(Via Japan Today)
Arguably this makes the situation worse. For the BBC or any company it is all about the money. Taking a pay cut, though well intentioned, doesn’t do anything but help the BBC’s bottom line. Two or three years ago, maybe the bad press would kick-start change. Today, not so much.
If the male presenters demanded their full pay while not going on air or protesting the disparity on-air until there is pay parity, that’s meaningful. Or they could take a pay cut and cut their work for the BBC to the same proportion.
As it is, it’s a mindless empty gesture that helps the wrong people, In My Humble Opinion.

Apple to Deprecate Many macOS Server Services

Apple to Deprecate Many macOS Server Services:

Apple will be removing the deprecated services in a future release of macOS Server, so the writing is on the wall — it’s time to start researching alternatives.

(Via TidBITS: Apple News for the Rest of Us)
I would be more upset if the Server App was better – either more intuitive or more configurable. As it is, it’s a middling, neither-one-nor-the-other mess. I’m a networking and security professional – getting a VPN running on this thing is absurd.
Apple is clearly getting out of the network business. It’s odd they are punting this critical technology.

I thought I’d picked out a sweet spot to camp out at the Japan Brewers Cup 2018 in Yokohama. Turns out it was right in front of where an audience participation magic show will take place.
I found the first lightly populated table as fast as I could before the magic happens.
UPDATE: The sad news was that they are very talented acrobats not at all interested in audience participation beyond wonder. I should have known better.

Rating #ApplePay #Suica Performance in #iOS 11.2.5

Japanese Apple Pay Suica users and iPhone X users are tweeting and blogging about the Apple Pay Suica performance improvements in the iOS 11.2.5 update. So far the reports are very good. But how good is good and can it be even better?

Read the article for the dazzling details. My anecdotal experience is that watchOS/iOS is working well with Suica. None of the momentary failures, and it seems more sprightly when paying.

[PftP] Building a Smart Job Loss Plan

Building a Smart Job Loss Plan:

Imagine that tomorrow – or your next day at work – you go into your workplace only to find a pink slip waiting for you. You’re done. Your employer heard some horrible rumor about you, or maybe your organization is downsizing, or maybe you made a big mistake recently and it’s caught up to you. Whatever it is, your job is no longer yours. You have 15 minutes to clean out your desk and half an hour at HR to sign some papers and then you’re out on the street.
What now? What do you do?

(Via The Simple Dollar)
Way back in 2013 (was it that long ago?) I wrote about being laid off from the company where I worked for twelve years. I called my posts “Preparing for the Pink” as in a Pink Slip. This is the traditional American notice of termination of employment, though the physical piece of paper is not often used any more.
Anyway, here is an updated version of the same idea. While very focused on people in the United States the general principles should be useful to workers everywhere even where the labor laws are much more liberal.

  1. Keep your resume updated all the time.
  2. Keep your training and education current, preferably using current workplace resources.
  3. Have a set of strong professional contacts in place; do favors and make sure those relationships are strong.
  4. Have a very healthy emergency fund.
  5. Know exactly what benefits you’re due if you were to lose your job and how to get those benefits.
  6. Have a list of people to contact immediately to start finding another job.

This whole article and my earlier ones are a great example of the Stoic idea of Negative Visualization, which the ending of the article sums up spectacularly:

The key lesson is that thinking about life’s potential problems now and coming up with solutions in a rational and calm way, then taking steps to make those solutions easy to execute in a crisis, goes a long way toward making any and all crises in life much easier to handle.
The little steps you take now, handled with rational thought and just a little effort and a little money, can save you enormous headaches and a great deal of money down the road when an unfortunate event does occur. Preparing for a job loss is just one example of this powerful life strategy.

Trent Hamm’s articles in the Simple Dollar are great. If you’re not reading it on a regular basis, you should.

Fujitsu will replace password, keycards w/ palm scanning for 80K employees in #Japan

Fujitsu will replace passwords and keycards with palm scanning for 80K employees in Japan:

On Thursday, Fujitsu announced that it would replace employee passwords and smartcards with a new authentication measure: Their palm veins. The company will deploy its palm vein authentication technology to about 80,000 employees in Japan this year, allowing them to access their virtual desktops with a wave of their hand.

Fujitsu also wants to replace the smartcard-based authentication installed at the entrances to two offices in Japan with the palm vein authentication. The company will trial this for 5,200 employees working at those locations over the next year, it said in a press release.

(Via Security on TechRepublic)
The article is not much more than a press release.
I would love to see their success criteria, the metrics, ROI calculus, and how they continue to refine their capabilities. The article talks about “efficiency” and getting rid of “the hassle of entering a password”, both convenience use cases, but nothing really about security.
Biometrics, in many implementations, combine identity and authentication into one – think about the fingerprint sensor on a smartphone.
UPDATE: This article from SecurityWeek lists the pros & cons of biometrics.

Kit Tweak for iPad as 2nd Display

I use Duet to leverage my iPad (latest generation) as a second, very laggy, display. My employer-issued MacBook Air is hoisted on a Roost laptop stand.
I need something similar for said iPad to get it to an adjustable eye level.
Enter the Spider Monkey! <- Great movie title, by the way.
I’m about to pull the trigger on this based on reviews and direct feedback. Here is the Amazon US link and the Amazon JP link. I will let you know how this works for me.
By the way, I plan to soon update my overall kit post for in the office, on the road, and at home. Stay Tuned!