No, fingerprints are not secure

Authentication is the process by which a system determines whether a particular user is allowed to access it. There are three widely agreed-upon factors by which a user can be authenticated:

  • Something you have.
  • Something you know.
  • Something you are.

When you use your key to unlock your front door, you are authenticating yourself using something you have. In information security, passwords are the most popular method of authentication; they are something you know. Authentication by something you are (i.e., biometrics) has historically been only a niche practice, but in recent years it has caught on in the realm of consumer electronics.

When Apple announced Touch ID in late 2013, security experts immediately voiced their concern. The authentication mechanism was quickly bypassed with a copy of a fingerprint lifted from a glass surface, and there is still very little that Apple can do about it. Why, you ask? Because fingerprints are inherently insecure.

Dell joins Lenovo’s MITM bandwagon

Several months ago, news broke that Lenovo was shipping a rogue root certificate with its laptops, complete with the corresponding private key, so anyone who extracted that key could forge certificates these machines would trust. It was included as part of a pervasive adware called Superfish, which had already been annoying users (and support techs) for years prior to it being included by default on these machines. More recent news indicates that this is only the least of the security concerns for Lenovo users: it appears that there are also backdoors in the hardware itself, and governments around the world have now blacklisted Lenovo as a vendor for this reason.

Dell and Lenovo have been battling over PC market share for years now, and this understandably gave Dell a pretty decent boost in popularity. This makes Dell’s latest action all the more surprising.

Is there a war on privacy?

Governments do not trust encrypted data.

Some high-profile names have suggested in the past few months that we encrypt absolutely everything we transmit over the Internet. The reasoning behind this proposal is that if everything is encrypted, then governments cannot apply as much scrutiny to individual messages. If we only encrypt data that we want to hide, then that data will interest them. If the data interests them, the government will easily find a way to obtain (and decrypt) it.

Last week, allegations were made that the US government paid Carnegie Mellon security researchers a large sum of money to defeat Tor’s privacy mechanisms. The federal government certainly has a history of overstepping its boundaries with surveillance, but this is an unprecedented and frightening leap toward a world without privacy.

Leaked details about Comcast’s data caps infuriate the Internet

Last week, Reddit user M00glemuffins exposed some of Comcast’s internal documentation instructing support personnel on how to deal with calls about its new “Data Usage Plans.” The Internet has condemned the policy as a “data cap” and is exploding with speculation about Comcast’s motives in implementing it.

Time clocking at the command line

I often feel inclined to start new projects to avoid working on old ones. In a particularly ironic display of procrastination, I have written a productivity-oriented application in order to avoid actual productivity. The app is called InSTiL, and its goal is to make it easy to log how much time you spend working on various projects. The source is available on GitHub, and the Readme provides a succinct overview of InSTiL’s functionality.

A C++ encapsulation of the Linux inotify API

The inotify API allows you to monitor a file or directory for various events such as file creation, modification, and deletion. It is implemented in the Linux kernel and exposed through the glibc userspace library; however, its C API can be cumbersome to use in a C++ application, since the caller must read variable-length event records from a file descriptor and decode them by hand. A C++ binding of inotify does exist, but it still requires the application developer to write an unsightly wait-and-handle loop. My goal for this project was to create an asynchronous, event-driven API through which filesystem events can be processed.
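To make the wait-and-handle problem concrete, here is an added example of the callback-driven shape such an API can take. It is not the project's code and not the C++ binding mentioned above; the class and function names (InotifyWatcher, poll_once, demo_file_lifecycle) are my own, and it assumes a Linux host with a writable /tmp. The wrapper owns the inotify descriptor, keeps one callback per watch, and hides the read()/decode loop inside poll_once(); the demo exercises it with a create, write and delete in a fresh temporary directory.

```cpp
#include <sys/inotify.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>
#include <cerrno>
#include <cstdlib>
#include <cstring>
#include <functional>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical wrapper (not the project's code): one callback per watch, dispatched
// from poll_once(), so callers never parse struct inotify_event themselves.
class InotifyWatcher {
public:
    struct Event {
        std::string path;  // the watched directory or file
        std::string name;  // entry inside a watched directory ("" for file watches)
        uint32_t    mask;  // IN_CREATE, IN_MODIFY, IN_DELETE, ...
    };
    using Callback = std::function<void(const Event&)>;

    InotifyWatcher() : fd_(inotify_init1(IN_NONBLOCK | IN_CLOEXEC)) {
        if (fd_ < 0) throw std::runtime_error(std::string("inotify_init1: ") + std::strerror(errno));
    }
    ~InotifyWatcher() { close(fd_); }
    InotifyWatcher(const InotifyWatcher&) = delete;            // owns the fd: no copies
    InotifyWatcher& operator=(const InotifyWatcher&) = delete;

    // Register cb for the events in mask on path; returns the watch descriptor.
    int watch(const std::string& path, uint32_t mask, Callback cb) {
        int wd = inotify_add_watch(fd_, path.c_str(), mask);
        if (wd < 0) throw std::runtime_error("inotify_add_watch(" + path + "): " + std::strerror(errno));
        watches_[wd] = Watch{path, std::move(cb)};
        return wd;
    }

    // Wait at most timeout_ms, drain the queue, hand each record to its callback.
    // Returns the number of events dispatched.
    int poll_once(int timeout_ms) {
        pollfd pfd{fd_, POLLIN, 0};
        if (poll(&pfd, 1, timeout_ms) <= 0) return 0;       // timeout or EINTR: nothing queued
        // Records are variable length; 4 KiB holds at least one record with the longest name.
        alignas(inotify_event) char buf[4096];
        int dispatched = 0;
        for (;;) {
            ssize_t n = read(fd_, buf, sizeof buf);
            if (n <= 0) {
                if (n < 0 && errno != EAGAIN) throw std::runtime_error(std::string("read: ") + std::strerror(errno));
                break;                                        // EAGAIN: queue drained
            }
            for (ssize_t off = 0; off < n;) {
                const auto* ev = reinterpret_cast<const inotify_event*>(buf + off);
                auto it = watches_.find(ev->wd);
                if (it != watches_.end()) {                   // skip descriptors we no longer track
                    it->second.cb(Event{it->second.path, ev->len ? std::string(ev->name) : std::string(), ev->mask});
                    ++dispatched;
                }
                off += sizeof(inotify_event) + ev->len;       // len already includes name padding
            }
        }
        return dispatched;
    }

private:
    struct Watch { std::string path; Callback cb; };
    int fd_;
    std::map<int, Watch> watches_;
};

// Drive the wrapper through a create / modify / delete cycle in a fresh temporary
// directory (assumes a writable /tmp) and return what the callback observed.
std::vector<std::string> demo_file_lifecycle() {
    char tmpl[] = "/tmp/inotify_demo_XXXXXX";
    if (!mkdtemp(tmpl)) throw std::runtime_error("mkdtemp failed");
    std::string dir(tmpl);

    std::vector<std::string> seen;
    InotifyWatcher w;
    w.watch(dir, IN_CREATE | IN_MODIFY | IN_DELETE, [&seen](const InotifyWatcher::Event& e) {
        const char* kind = (e.mask & IN_CREATE) ? "CREATE" : (e.mask & IN_MODIFY) ? "MODIFY"
                         : (e.mask & IN_DELETE) ? "DELETE" : "OTHER";
        seen.push_back(std::string(kind) + ":" + e.name);
    });

    std::string file = dir + "/secret.txt";
    int fd = open(file.c_str(), O_WRONLY | O_CREAT, 0600);              // -> IN_CREATE
    if (fd < 0 || write(fd, "x", 1) != 1) throw std::runtime_error("open/write failed"); // -> IN_MODIFY
    close(fd);                                                          // IN_CLOSE_WRITE is not in the mask
    unlink(file.c_str());                                               // -> IN_DELETE

    w.poll_once(1000);   // the three events were queued synchronously, so this returns at once
    rmdir(dir.c_str());  // after the poll, so the watch's IN_IGNORED never reaches the callback
    return seen;
}

int main() {
    for (const auto& line : demo_file_lifecycle()) std::cout << line << '\n';
}
```

A real application would call poll_once() from its main loop (or hand the descriptor to epoll alongside its sockets) instead of polling in a demo; the point is that all inotify-specific decoding lives in one place and callers only see typed Event callbacks.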

RIOT OS ported to TI Tiva C Connected Launchpad

My current project is porting RIOT OS to the EK-TM4C1294XL evaluation board. RIOT is an embedded operating system aimed at the Internet of Things, developed primarily by Free University of Berlin. The EK-TM4C1294XL is a pretty powerful board, featuring an ARM Cortex-M4 MCU and a built-in Ethernet MAC. So far, I have implemented only the most basic support for the CPU – just timers and UART. However, I’m currently working on the Ethernet drivers (almost done) and my next focus will be drivers for an XBee add-in.

A dumb SVM classifier for Python

Tonight I got bored and implemented a linear SVM in Python. Though Python has its own facilities for solving quadratic programming problems, I chose to write a module which interfaces with Octave instead. My implementation simply writes an Octave script then runs it in order to solve the QP. All other aspects of the SVM are implemented in pure Python.

Executable Octave scripts with interpreter arguments

I prefer to make my scripts executable, rather than invoking the interpreter explicitly every time I want to run them. Most interpreters are friendly enough to make shebang lines easy to write, but Octave isn’t quite the team player…

Roll your own dynamic DNS (Ubuntu)

Dynamic DNS, or DDNS, is a type of DNS configuration which allows hosts with dynamic IP addresses to automatically update their own DNS records. Often users will rely on services such as DynDNS or No-IP to manage this type of setup, but it is actually relatively easy to run your own DDNS server. Of course, this requires that you have your own domain name and access to at least one host with a static IP (to use as the authoritative DNS server).
