Don’t Panic: Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

From Hacker News:

A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer’s components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.

Fascinating research for sure. If you happen to be one of the few working in an environment where air-gapping and Faraday cages are common, this highlights that they are not 100% effective in isolation (no pun intended). This is a reminder of the value of good security hygiene, physical and analog and digital, and occasional validation of assumptions.

For the other 99.999% of security professionals, there are more practical and pragmatic risks requiring addressing with a higher return on investment. This is a reminder of the value of good security hygiene, physical and analog and digital, and occasional validation of assumptions.

See what I did there?

See Also:

TechRepublic

Infosecurity

Another Take on Engineering Notebooks

Another Take on Engineering Notebooks:

Kleiman’s post can be useful for a wide range of users. The main takeaway, for me at least, is that your tools and specific procedures are not as important as organizing your data and scripts and keeping careful notes on what problem you’re trying to solve and the steps you’ve taken to solve it.

(Via Emacs – Irreal)

Here is the original article that kicked this off. As I’ve been trying to simplify my workflows to better manage my data my thinking has informally been tending toward what Dan Kleiman wrote. I don’t have code any more, replaced by the constant flood of documentation coming my way for various projects. Something like this could would for me with a few small changes.

HomePod and the Apple Music Japanese Metadata Mess

HomePod and the Apple Music Japanese Metadata Mess:

Japan is one of most profitable music markets after the US market. If Apple wants to sell HomePod in Japan at some point, they’ll have to get their Apple Music Japanese metadata problem sorted out first.

(Via Ata Distance)

Read the whole article for examples of how Apple Music/iCloud Music/iTunes Match is a “hot mess”.

The Shallowness of Google Translate

Despite my negativism, Google Translate offers a service many people value highly: It effects quick-and-dirty conversions of meaningful passages written in language A into not necessarily meaningful strings of words in language B. As long as the text in language B is somewhat comprehensible, many people feel perfectly satisfied with the end product. If they can “get the basic idea” of a passage in a language they don’t know, they’re happy. This isn’t what I personally think the word “translation” means, but to some people it’s a great service, and to them it qualifies as translation. Well, I can see what they want, and I understand that they’re happy. Lucky them!

https://www.theatlantic.com/technology/archive/2018/01/the-shallowness-of-google-translate/551570/?single_page=true

Douglass Hofstadter, as quoted above, gets the gist of my use of Google Translate though it is clearly not the thesis of the piece. My value in Google Translate lies in its very shallowness: give me the key points quickly so I can best judge how to proceed. It works much better for me and is more respectful of my friends’ & colleagues’ time if I can pose salient specific questions instead of shoving an email in their face asking “What does this say?”, only to discover that it is yet another Nigerian Prince.

By the way, Hofstadter has a book, “Gödel, Escher, Bach“, of which I am a particular fan. Get it here: 🇯🇵 Japan Kindle and 🇺🇸 US Kindle

Photo by Drew Collins on Unsplash

OpSec Fail Indeed

From motherboard.vice.com …

All the encryption in the world is not going to help if someone can read over your shoulder

https://motherboard.vice.com/en_us/article/8xvwmz/carles-puigdemont-catalan-independence-signal-messages-opsec-fail

Using a secure messaging app to communicate with your political allies is a great idea in this day and age, where government hackers actively try to break into the email accounts of high-profile politicians and staffers in order to plaster them online. But all the unbreakable encryption in the world isn’t going to save you if you read the supposedly secret messages in front of a camera.

Sometimes you can’t make this stuff up.

spectre and the end of langsec — wingolog

spectre and the end of langsec — wingolog:

The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google’s Caja compiler to isolate components from each other, even when they run in the context of the same web page.

But the Spectre and Meltdown attacks have seriously set back this endeavor.

I suggest reading the post to get the full take.

Some of my time is spent talking with clients about secure development life cycle practices and tools to help bolster security early in the process. I’ve abstractly reflected on how I was taught/learned to code using what is referred to as the Unix approach – small, well understood, behaviorally consistent components brought together to make a more complex system.

This was in the days before these large package management systems.

I was reminded of the infamous 11-line JavaScript NPM package, a package that implemented a “left-pad” function, which the developer unpublished. Literally thousands of other packages relied on this simple one, causing the whole dependency “house of cards” to collapse. See https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/ for a reminder of the story.

Now think about this: that was a software-based issue that, while hugely impactful, was easy to fix (select 11 lines of code, copy, paste). What happens when hardware isn’t behaviorally consistent or is so fundamentally flawed its insecurity isn’t fixable?

Taking me back even further I’m reminded of the various Intel floating point issues of the 80’s and 90’s

I drifted off topic.

What are your thoughts?

Apple to Deprecate Many macOS Server Services

Apple to Deprecate Many macOS Server Services:

Apple will be removing the deprecated services in a future release of macOS Server, so the writing is on the wall — it’s time to start researching alternatives.

(Via TidBITS: Apple News for the Rest of Us)

I would be more upset if the Server App was better – either more intuitive or more configurable. As it is it’s a middling neither mess. I’m a networking and security professional – getting a VPN running this this thing is absurd.

Apple is clearly getting out of the network business. It’s odd they are punting this critical technology.