SSH public-keys and private-keys

understanding public key private key concepts, Blake Smith, 08 Feb 2010
Still confused about SSH public and private keys?

Blake Smith's 2010 article, "understanding public key private key concepts" provides the absolute best analogy I've come across.

This brief article lays it out as simply and memorably as it gets.

SSH keys beautifully explained

How to set up public key ssh authentication (http://wogan.wordpress.com/)
Understanding how SSH keys work and how to properly use them has long baffled even some of the most venerable programmers.

In the physical world, a given key usually fits just one lock. We have to special order multiple locks keyed the same for entry doors and such. To share access to something, we give out multiple copies of these physical keys.

It's thus tempting to imagine the shared "public key" to be analogous to a physical key and the "private key" to be the lock.

Actually, it's the other way around.

Wogan explains in "How to set up public key ssh authentication" (January, 2014).

Interview with Michael Tiemann, open source pioneer

Image by opensource.com
via Bryan Behrenshausen (Red Hat) at opensource.com on 05 Aug 2014

"There are many who have tried to bring the zero-sum game concepts to the open source community," Tiemann says. "They want to wall off some piece of technology, at least from a positioning point of view. They want to force everybody into that particular worldview."
Fascinating interview. Fascinating concepts… for software development (as well as finance)…

“Picture a bank, he said, that pays to every one of its patrons an amount of interest based on the sum of all the money it contains.

“In the conventional world, a bank pays interest based on the amount of money that’s deposited. But imagine a bank where no matter how much you deposit, the bank pays interest on the sum total of all the assets to which you make the deposit. So if a whole bunch of my friends all put money into a communal bank account, and then we all get paid the total interest on that sum total, how attractive is that?”

Your Vote Does Not Count

I believe most programmers can't help but fear that the outcome of elections for many years has been determined largely by incumbent politicians, bureaucrats and the handful of election software companies... all of them highly conservative.

While there is probably still enough restraint to allow a landslide vote the other way to prevail, my own sense is that most single-digit victories probably are fraudulent.

Democratic elections require transparent and verifiable election software at all levels. None is currently allowed in any binding election in this country today.

The reaction to the 2000 presidential election debacle was a masterful use of a crisis to set in motion a campaign to strip away most of the civil rights gains of the last 50 years.

Your vote doesn't count, and neither does mine, until this "electronic ballot-stuffing" is ended.

Shellshock Summary

DESCRIPTION

Twenty-five-year-old security flaw CVE-2014-6271 found in all versions of bash.
Per http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
"The behavior is implemented as a hack involving specially-formatted environmental variables: in essence, any variable starting with a literal "() {" will be dispatched to the parser just before executing the main program. You can see this in action here:

    $ foo='() { echo "hi mom"; }' bash -c 'foo'
    hi mom"

NOTES

  • 2014-09-25 14:55:22 Experiments indicate that putting anything in front of the (), like a name for the function or the keyword function, disables the flawed behavior
  • 2014-10-04 05:02:11 Calling bash from ash still passes all the commands in the variable(s)
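A local self-check for the behaviour quoted above and for the first note, added here and not part of the original post. It assumes only that a `bash` binary is (or is not) on PATH; the environment values are constructed probes, not code from lcamtuf's article.

```shell
#!/bin/sh
# Added self-check, not from the original post: probes the local bash for
# the CVE-2014-6271 behaviour. A vulnerable bash treats the environment
# value '() { :;}; echo vulnerable' as a function definition AND runs the
# command that follows it at startup; a patched bash does not.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "absent"      # no bash on this host, nothing to check
        return 0
    fi
    # The child is asked only to 'echo probe'. If "vulnerable" shows up too,
    # the trailing command inside the variable was executed by the parser.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Companion to the first note above: a value that does not begin with the
# literal "() {" (here a function name is in front) is never handed to the
# parser, so no function is imported and 'foo' is unknown in the child.
prefixed_value_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "absent"
        return 0
    fi
    out=$(env foo='foo() { echo imported; }' bash -c 'foo' 2>/dev/null) || true
    if [ "$out" = "imported" ]; then
        echo "imported"
    else
        echo "ignored"
    fi
}

echo "bash runs trailing command from env: $(shellshock_status)"
echo "value with a name in front:          $(prefixed_value_status)"
```

On a patched bash the first line reports "patched" and the second "ignored"; a patched bash no longer imports functions from plain-text variables at all, so the second probe reports "ignored" there regardless.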

RESOURCES

  • Shellshocked? (StackExchange: Unix/Linux). The question: Should bash shells be replaced with the new patched version?
  • US-CERT recommends users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch.
  • A fact...
  • A timeline...

Ramifications...
  • The Bash shellshock "vulnerability" has been a "feature" of Bash for 22 years. You'd think in all that time, in all those high-security environments that run Unix or Linux, someone would have worried about misuse.
  • Now, every installation of Bash in the world is about to be replaced.
  • Though Bash is open-source, few people actually take the time to study the code of such large and complex programs.
  • Bash is written in C, which supports embedded assembly-language code: code that even fewer programmers have the skills to read.
  • Bash is written in C, which easily supports treating any block of binary, such as something labeled as data or a small image, as code.
  • Thus, a skilled programmer could hide "backdoor" code in plain sight, and it probably wouldn't be discovered unless it caused an error of some kind.
  • Extremely high-skilled programmers that break the law are often employed by federal agencies.

HeartBleed - Not So Fast?

--- CAUTION -- Blasphemy Warning --

I've been programming computers since 1981 and run several in my "home lab." I haven't done anything yet in response to Heartbleed.

Recommendations based on my experience...

Windows Systems -- Watch the tech news for a week or two after patches/upgrades are released to see if they work and don't screw other things up. Then apply and watch for another week to be sure your systems are running okay and give the big services more time to ensure they have everything reliably fixed. Then change passwords.

Mac Systems -- Do whatever Apple says to do. It's usually right.

Android Systems -- Most software is automatically updated so nothing to do. Wait a few weeks to change passwords.

Linux Systems -- Many systems are using older, unaffected versions of OpenSSL so nothing to do. If you have affected systems and they're running servers, patch/upgrade OpenSSL and related software even though there might be problems. People are depending on you. If you're running as anything else, keep watching tech news for reliability of OpenSSL and related patches/upgrades. Patch/upgrade when everything is stable.

If you don't have "a system" for assigning passwords, this might be a good time to develop one. Change passwords when all the major services you use are fixed. It does no good, and even exposes you more, to change your password and then connect to an unupgraded system.

An Ounce of Prevention

re...
Microsoft misjudges customer loyalty with kill-XP plea

This is what happens when your business model is built on continued dependency, not to mention planned obsolescence.

The Linux community is not immune to this either. The most popular distros like Ubuntu are becoming more Microsoft-like in their O/S design every day.

Any software that depends on continuous upgrades just to maintain existing functionality will always be "extortion-able."

How many of us would own a car that had to be upgraded every year or two just to keep running?

The solution is to stop designing software that allows only one version to be installed on a system at a time. Almost all software is like this today even though multiple copies of the executable itself would usually run just fine together. The problem is that the executables are designed to expect one and only one copy of the config files and other resources.

Docker Software

Docker open source software packages applications and all their dependencies into LXC virtual containers that run on any Linux distribution.

The Docker command line interface (CLI) makes it a building-block tool that can virtually eliminate "dependency hell." Docker may do for application packaging what Git has done for source code management.

Holding a Program In One's Head

Girl with a Book by José Ferraz de Almeida Júnior
If you want to understand a programmer, read...

In August 2007, Paul Graham wrote...
"A good programmer working intensively on his own code can hold it in his mind the way a mathematician holds a problem he's working on. Mathematicians don't answer questions by working them out on paper the way schoolchildren are taught to. They do more in their heads: they try to understand a problem space well enough that they can walk around it the way you can walk around the memory of the house you grew up in. At its best programming is the same. You hold the whole program in your head, and you can manipulate it at will."

LA building's lights interfere with cellular network, FCC says


That's not all ...
Many types of electronic equipment found in homes and offices emit electromagnetic radiation, and clashes with outside radio signals once were more common. For example, when cellular add-on cards for laptops first came out, emissions from the CPU sometimes kept the radios from working, Marshall said. In addition, there used to be laptops that put off enough radiation to interfere with onboard navigation systems on planes, said analyst Craig Mathias of Farpoint Group.

In Bash, when to alias, when to script, and when to write a function?

details at StackExchange Q&A: Unix & Linux ...
When to write a script ...
  • Scripts assemble software components (a.k.a. tools, commands, processes, executables, programs) into more complex components, which may themselves be assembled into still more complex components.
  • Scripts are usually made executable so they can be called by name. When called, a new subprocess is spawned for the script to run in. Copies of any exported variables and/or functions are passed by value to the script. Changes to those variables do not propagate back to the parent script.
  • Scripts may also be loaded (sourced) as if they were part of the calling script. This is analogous to what some other languages call "import" or "include". When sourced, they execute within the existing process. No subprocess is spawned.
When to write a function ...
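The three cases in the list above (script run as a subprocess, script sourced, function called in-process) side by side, as an added example that is not from the original post or the StackExchange answer. The helper script `bump.sh` and the variable `COUNTER` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: shows how a variable changed by
# a subprocess script, a sourced script and a function propagates (or does
# not) back to the caller.

# Constructed helper script, written to a temp file so the example is
# self-contained. It increments COUNTER in whichever process runs it.
DEMO_DIR=$(mktemp -d)
DEMO_SCRIPT="$DEMO_DIR/bump.sh"
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_SCRIPT" <<'EOF'
COUNTER=$((COUNTER + 1))
EOF

# A function runs inside the current process, so its changes stick.
bump_counter() {
    COUNTER=$((COUNTER + 1))
}

# Executed as a subprocess: the child receives a copy of COUNTER (only
# because it is exported), increments the copy, and the parent's value is
# untouched when the child exits.
counter_after_subprocess() {
    COUNTER=0
    export COUNTER
    sh "$DEMO_SCRIPT"
    echo "$COUNTER"
}

# Sourced with '.': the same file runs in this process, so the change is
# visible here. This is also why sourcing untrusted files is risky: they can
# rewrite PATH, aliases or functions of the caller.
counter_after_sourcing() {
    COUNTER=0
    . "$DEMO_SCRIPT"
    echo "$COUNTER"
}

# Called as a function: same process, same effect as sourcing.
counter_after_function() {
    COUNTER=0
    bump_counter
    echo "$COUNTER"
}

echo "after subprocess: $(counter_after_subprocess)"   # 0
echo "after sourcing:   $(counter_after_sourcing)"     # 1
echo "after function:   $(counter_after_function)"     # 1
```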

Patching Java is Futile


How to turn off Java in your browser - and why you should do it now
Roger Grimes, InfoWorld's resident security expert, says in his latest column... "Patching has failed, so it's time for Java to go".

I couldn't agree more!

Having programmed in a lot of languages, I've studied and tried to use Java, but have just never warmed up to it.

At the end of the day, there were always more productive ways to implement the functionality with greater reliability than Java.

Java may be the kind of environment that's useful for very large projects with many developers, the way COBOL and Ada are, but it has high development overhead (lots of coding to accomplish little) and resistance to maintainability (updates usually break the dependent applications).

Roger notes that the latest versions have greatly improved things.

But I can't imagine anyone running mission-critical systems would risk upgrading their Java engine without management commitment to extensive testing and allocation of major dollars for the almost guaranteed application upgrades and changes that will be required.

It's just not worth it.

Let's move on.

NASA's "back in harness"

NASA's new "test harness" for its next generation of interplanetary flight systems gets "first light" this month. -- DocSalvage

NASA is back in harness

Programmers' Hardest Tasks

So, spending half my programming time naming things intelligently so I'll have a chance of being able to reuse them without studying their code all over again is how everyone does it?

Here and I thought I was just a dunce.

It's refreshing to learn I'm a real programmer!

Unfortunately, due to the widespread shortage of enlightened programming managers, it also means I'm unemployable.

Ah well ... I'll just keep blogging ...

Top 5 misconceptions about open source in government programs

If we want reliable, open government, shouldn't most government software be open source?


posted 21 May 2013 by Adam Firestone on opensource.com
Within US government programs, while the use of open source software (OSS) is not mandatory, it is both permissible and often encouraged. However, due to the Byzantine nature of the controlling laws, regulations, policies, and guidance (LRPG) as well as some popular misconceptions, architects, systems engineers, and developers often encounter reactions ranging from unfamiliarity to resistance when recommending the use of OSS. For the remainder of this article, we’ll debug five of the most widespread misconceptions.

Healthcare.gov: Armchair Analysis

An attempt to draw out the various parts of HealthCare.gov's tech system, based on the testimony of its contractors. -- Elise Hu, NPR
Healthcare.gov may need to be redesigned to just collect and store the application data, then say, "Thank you very much, you'll get an email within 48hrs with a link to your options."

The data would go into a queue database that other, back-end software would process sequentially and produce a results dataset with whatever is needed to present a list of plans and prices for that applicant. The applicant logs back in in a couple of days to start comparing plans.

Online Security: Self-Signed Certificates

I've never been comfortable with the idea of Certificate Authorities (CAs). It's always felt like a system built on a single-point-of-failure. And single-points-of-failure are anathema to secure and reliable design of any system, computer or otherwise.

Paul Venezia, a system administrator columnist for InfoWorld that I've come to respect, presents a compelling case for a sea change in our approach to online security in his September 16, 2013 column "Restore the right to privacy with self-signed certificates."

NSA surveillance: A guide to staying secure


Bruce Schneier at TheGuardian.com says...
  • Hide
  • Encrypt
  • Be a needle in a haystack
  • Be suspicious of commercial encryption software
  • Use software based on public domain standards

Which means to me...

Use open source software!


Can the "imPhone" Be Far Behind?

1 cubic millimeter computer (image: University of Michigan)
This (1) cubic millimeter Game Changer could be the forerunner for my next cell phone. (Okay, maybe the one after that.)

The next computing paradigm... "implant phones"!

Because this little guy is real. It's not just a chip!

This is a complete computer sporting two (2) processors, memory, battery, solar cell, temperature sensor, radio with antennas and low-res camera imager.