07 May

Google’s Buildings Hackable

We reported this issue to the Google Vulnerability Rewards Program (VRP). After much heckling from my former colleagues at Google, they quickly pulled this system offline. We also applaud Google for creating a program like the VRP and giving us the chance to share our story with a wider audience. At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations. Thank you Google for helping us raise awareness on this issue! I asked that any proceeds from the VRP be donated to the Wounded Warrior Project, but apparently this issue doesn’t qualify for VRP rewards.

If you have a corporate campus or a modern building of any sort… you’re likely running similar systems someplace on your network. We’ve already discovered over twenty-five thousand of these systems facing the Internet… one down, twenty-four thousand, nine hundred, ninety-nine to go 🙂

If Google can fall victim to an ICS attack, anyone can.

Hacking systems that control a building infrastructure.

15 Feb

Incubaid Research – Rediscovering the RSync Algorithm

Don’t walk the folder and ‘rsync’ each file you encounter. A small calculation will show you how bad it really is.

Suppose you have 20000 files, each 1KB. Suppose 1 rsync costs you about 0.1s (reading the file, sending over the signature, building the stream of updates, applying them). This costs you about 2000s or more than half an hour.

System administrators know better: they would not hesitate: “tar the tree, sync the tars, and untar the synced tar”.

Suppose each of the actions takes 5s (overestimating); you’re still synced in 15s.

via Incubaid Research – Rediscovering the RSync Algorithm. The right way to sync two remote file systems.

16 Jan

O’Reilly Radar – The President’s challenge

All I can think is: we gave you the Internet. We gave you the Web. We gave you MP3 and MP4. We gave you e-commerce, micropayments, PayPal, Netflix, iTunes, Amazon, the iPad, the iPhone, the laptop, 3G, wifi–hell, you can even get online while you’re on an AIRPLANE. What the hell more do you want from us?

Take the truck, the boat, the helicopter, that we’ve sent you. Don’t wait for the time machine, because we’re never going to invent something that returns you to 1965 when copying was hard and you could treat the customer’s convenience with contempt.

via O’Reilly Radar – The President’s challenge. Cory Doctorow has a wonderful saying: “Copying is never going to get harder than it is now.” The idea that we’ll be able to go back in time and make it harder for people to get digital information/media/anything is just wrong. Businesses (hello, entertainment industry) seem to ignore that fact time and time again. Businesses can either accept that getting media via the internet is getting easier and easier and try to make it simpler for consumers to get it legally, or they will fail.

06 Jan

Mike’s Lookout – SPDY of the Future Might Blow Your Mind Today

Despite its coolness, there is an aspect of SPDY that doesn’t get much press yet (because nobody is doing it). Kudos for Amazon’s Kindle Fire for inspiring me to write about it. I spent a fair amount of time running network traces of the Kindle Fire, and I honestly don’t know quite what they’re doing yet. I hope to learn more about it soon. But based on what I’ve seen so far, it’s clear to me that they’re taking SPDY far beyond where Chrome or Firefox can.

The big drawback of the previous picture of SPDY is that it requires sites to individually switch to SPDY. This is advantageous from a migration point of view, but it means it will take a long time to roll out everywhere. But, if you’re willing to use a SPDY gateway for all of your traffic, a new door opens. Could mobile operators and carriers do this today? You bet!

Check out the next picture of a SPDY browser with a SPDY gateway. Because SPDY can multiplex many connections, the browser can now put literally EVERY request onto a single SPDY connection. Now, any time the browser needs to fetch a request, it can send the request right away, without needing to do a DNS lookup, or a TCP handshake, or even an SSL handshake. On top of that, every request is secure, not just those that go to SSL sites.

via Mike’s Lookout – SPDY of the Future Might Blow Your Mind Today. The pictures give a really good sense of what is going on.

16 Dec

The Year of C.E.O. Failures Explained – NYTimes.com

Last spring, I taught a class at the Columbia Business School called “What Makes a Hit a Hit—and a Flop a Flop.” I focused on consumer-tech success stories and disasters.

I distinctly remember the day I focused on products that were rushed to market when they were full of bugs — and the company knew it (can you say “BlackBerry Storm?”). I sagely told my class full of twentysomethings that I was proud to talk to them now, when they were young and impressionable — that I hoped I could instill some sense of Doing What’s Right before they became corrupted by the corporate world.

But it was too late.

To my astonishment, hands shot up all over the room. These budding chief executives wound up telling me, politely, that I was wrong. That there’s a solid business case for shipping half-finished software. “You get the revenue flowing,” one young lady told me. “You don’t want to let your investors down, right? You can always fix the software later.”

You can always fix the software later. Wow.

That’s right. Use your customers as beta testers. Don’t worry about burning them. Don’t worry about souring them on your company name forever. There will always be more customers where those came from, right?

That “ignore the customer” approach hasn’t worked out so well for Hewlett-Packard, Netflix and Cisco. All three suffered enormous public black eyes. All three looked like they had no idea what they were doing.

Maybe all of those M.B.A.’s pouring into the workplace know something we don’t. Maybe there’s actually a shrewd master plan that the common folk can’t even fathom.

But maybe, too, there’s a solid business case to be made for factoring public reaction and the customer’s interest into big business decisions. And maybe, just maybe, that idea will become other C.E.O.s’ 2011 New Year’s resolution.

via NYTimes.com – The Year of C.E.O. Failures Explained. I’m not certain whether business schools teach that the only thing that matters is the profit you can make, or whether it is the result of something else. However, business schools seem to create an environment that rewards not making customers happy, not doing the ethical thing, and not doing the thing that protects the environment down the road. One of the ways in which Apple succeeds is by releasing products when they are fully finished and not half-baked.

06 Dec

Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks

In the rush to create mobile apps that work across the leading smartphones and tablets, many developers have leaned heavily on web development tools and use embedded browsers as part of their packaged applications. But security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting.

via Ars Technica – Google Earth, other mobile apps leave door open for scripting attacks. Oops, just because it doesn’t look like a browser doesn’t mean it doesn’t suffer the same security holes.

27 Nov

life and times of sha.ddih – Why wireless mesh networks won’t save us from censorship

It’s exciting to see so much interest of late in the Darknet Plan hatched by redditors to build a second, people-owned, censorship-free Internet using a large-scale wireless mesh network. Freedom of speech on the Internet is an important issue and it’s important for all of us to take it seriously. Additionally, as someone who thinks wireless networks are the bee’s knees (and who does research on wireless networks in his day job), it’s exciting to see so much interest in using wireless to circumvent censorship.

That’s why it’s painful for me to say, “hey guys, this isn’t going to work”.

I got into this space about five years ago to build a community-owned Internet using solar power and wireless mesh networks — censorship circumvention wasn’t an explicit goal, but it was part of the broader vision. I actually wound up building a couple sizable networks using equipment like this (Orangemesh grew out of this work). After a couple years I developed a pretty good understanding that wireless mesh networks aren’t actually a good way to build a real network. These are a few of those reasons.

via life and times of sha.ddih – Why wireless mesh networks won’t save us from censorship. This is a really compelling argument as to why unplanned wireless mesh networks won’t work at scale.

24 Nov

BBC News – Google kills off seven more products including Wave

Google has announced that it is dropping seven more products in an effort to simplify its range of services.

The out-of-season "spring clean" brings an end to services including Google Wave, Knol and Google Gears.

It is the third time that the US firm has announced a cull of several of its products at the same time after they had failed to take off.

via BBC News – Google kills off seven more products including Wave. So most of the products make sense to kill off: they either never generated much traction or were already supposed to be cut. However, the big thing that got cut that I want to know more about is “Renewable Energy Cheaper than Coal”. Why was it cut: was the goal unachievable, was it a pure business decision, or was the money better spent on other renewable energy projects?

20 Nov

Review of the Kindle Touch

TL;DR Review

The Kindle Touch is the Kindle that I’ve been waiting to purchase ever since the first Kindle was announced. The Kindle Touch feels good in the hand and is easy to read off of for hours on end. The touchscreen is surprisingly effective. Overall my opinion of the Touch is extremely positive, with some minor reservations. If you’ve been holding off on getting a Kindle because you didn’t like the keyboard or wanted something that was easier to navigate than the old Kindle, I would recommend getting this Kindle.

Shipping/Packaging

Amazon has been making a push towards packaging that they call Frustration Free, a nice step away from the ridiculous clamshell packaging that businesses seem to love. The Touch follows this ethos: the shipping box is completely recyclable and easy to open with a single pull.

Once you get inside, the Kindle Touch has some quick instructions both for using the Kindle and for charging it before use. The Kindle includes a USB charger that, when connected to your computer, also lets you transfer files to the Kindle. The Kindle used to come with an AC adapter to plug the cable into the wall as a charger; Amazon apparently cut that to keep the price down. You can still purchase one for $10, and I would recommend it if you want fewer cables around your computer.

Navigation

There are only two buttons on the Touch: a power button on the bottom, and a home button that looks somewhat like a speaker grille at the bottom center of the front of the device. The power button is in a weird position on the bottom, as most hardware devices I’m used to put the power button on the top. However, the button works fine in actual practice, and once you get used to reaching to the bottom to turn off the device it works well enough. I have yet to accidentally hit the button while reading, which was my largest concern with the button placement. The home button does one thing and only one thing: regardless of where you are, it takes you to the top of your home screen. On page 9 of 20 pages of your list of books, it goes to page 1; in the middle of a book, it takes you to page 1 of the home screen; and so on.

The touch screen works much as you would expect for navigating around. Open a book by pressing the book’s title; press and hold a book and you are presented with actions to perform on it. The largest complaints with the Kindle Touch reside here. The screen is on occasion slow, or even fails to respond to touches. The screen will on occasion fail to load what you want and you have to back out and re-perform the action. Sometimes the screen will even over-respond and register multiple touches; especially while reading, I’ve had the Touch jump forward several pages instead of just one. Considering this is the first touch screen Kindle Amazon has shipped, I’m not sure how much is down to the hardware and how much is fixable in the software itself. All that being said, the screen performs quite well most of the time, and the few times it messes up haven’t detracted much from my pleasure in using the device.

Typing

Typing works somewhat shockingly well on the Touch. E-Ink screens typically don’t fit the mold of what would make sense for typing on the screen, but the Touch performs really well here. I’ve been able to type fairly quickly and the Touch keeps up. While it’s far from what I could do on a real keyboard, I feel very comfortable using the Touch to search for books, enter passwords and notes, etc.

Typing on the Kindle Touch

Reading

The whole point of owning a Kindle is to read on it. Here is where the Touch really shows off its stuff. The new Pearl e-ink screen is a joy to look at. The Kindle Touch also includes a new ability to only fully flash the screen every 6 pages, and instead does a half flash between each page being read. This makes it much faster to go back and forth between pages. One reason I held off on a Kindle for so long was that the full page refresh threw me off while reading. The half flash is a very nice compromise that makes the majority of page flips faster and less distracting. The side effect of not performing a full page refresh is that the Kindle will develop artifacts on the screen as you read. While I’ve seen these artifacts, they have yet to be a distraction, especially in comparison to the full page refresh.

While reading there is minimal chrome to deal with: just you and the book. To flip forward, tap the right-hand side of the screen up to the center, or drag your finger from the right side of the screen to the left. To go back a page, touch the left-hand side of the screen or drag your finger from the left to the right. To bring up the menu to search, sync, change the typeface and font size, and other options, tap the upper quarter of the screen. Overall this works extremely well, and the touch screen feels easier to use than the former Kindle’s buttons, especially because, unlike those buttons, you don’t naturally rest your fingers on the screen, making accidental taps a much rarer occurrence.

I’ve read two short books on the Kindle and it’s great. The Kindle is easy enough to hold comfortably in one hand (for me, my left, using my right hand to tap the screen to flip pages) for long periods of time without feeling heavy or, even more importantly and unlike a real book, without having to adjust your grip as you get further along in a book. The Kindle is a little bit smaller than a standard paperback book, but not by much; this also means the screen holds close to the same amount of text, depending on your settings.

Summation

The Kindle Touch is a great purchase for anybody who has bought into ebooks and reads more than a few books a year. The few issues I’ve had with the Touch didn’t detract from the main use: just sitting down and reading on the device. To be fair, there is a cheaper Kindle without a touch screen that is also lighter, which I did not review and have not been able to play with. Some reviewers have recommended that one over the Touch for people who will not do a lot of typing on their Kindle. There is a $20 price difference between these two Kindles with Special Offers (on-screen advertising that appears on the screen when the device is off and at the bottom of the home screen), or a $30 price difference between the two without Special Offers.

My initial impression of the Kindle has stayed much the same throughout my use of the device: overall it’s great and well worth purchasing.

16 Nov

Amazon’s cloud is the world’s 42nd fastest supercomputer

The list of the world’s 500 fastest supercomputers came out yesterday with a top 10 that was unchanged from the previous ranking issued in June. But further down the list, a familiar name is making a charge: Amazon, with its Elastic Compute Cloud service, built a 17,024-core, 240-teraflop cluster that now ranks as the 42nd fastest supercomputer in the world.

Amazon previously built a 7,040-core, 41.8-teraflop cloud cluster that hit number 233 on the list, then fell to 451st. But Amazon submitted an updated Linpack benchmark test with the addition of a new type of high-performance computing instance known as "Cluster Compute Eight Extra Large," which each have two Intel Xeon processors, 16 cores, 60GB of RAM and 3.37TB of storage. The full cluster on the Top 500 list is Linux-based, with 17,024 cores, 66,000GB of memory, and a 10 Gigabit Ethernet interconnect.

via Amazon’s cloud is the world’s 42nd fastest supercomputer. I posted about this on Twitter, but it’s still a little astonishing. Amazon built EC2 primarily to serve as their internal infrastructure, and today a piece of it made the list of the fastest supercomputers in the world.