Recasting algorithmic bias as security vulnerabilities with specific harms and a bug bounty is brilliant! Now I want a "Project Zero" team to go out and find these.

https://hackerone.com/twitter-algorithmic-bias

 

Verifying my Knowledge Panel.

Didn't expect to have to include a selfie with my ID.

Remembering people who used to have fake IDs just to buy booze, it seems like a bit of security theater...

 

At Risk User(s)

Today I attended the "Designing for At Risk Users" course. I find it incredibly galling to hear what Youtube did today given the targeted harassment and doxing.

It flies in the face of what was taught and own standards about giving targets the means to "make it stop".

https://standards.google/guidelines/google-material/usability/at-risk-users.html#user-identities

While anyone can experience a privacy or security event, at-risk users face a variety of life circumstances that might put them at unusually greater risk:

.....

Who they are: Anyone could be targeted at some point in their lives simply based on a personal characteristic such as age, gender, ethnicity, reputation, financial stability, sexual orientation, or education.

.....

Active Event

Where possible, users should be able to quickly and easily access practical guidance as they experience a privacy or security event, such as cyberstalking, online impersonation, surveillance, spear-phishing, or account hijacking. Users will likely want to understand what is happening and take steps to respond. They are likely to feel high levels of stress in this state, so easy-to-use designs will be especially helpful.

 

MLS provides a security layer for group messaging applications with from two to a large number of clients. It is meant to protect against eavesdropping, tampering, and message forgery.

Whoa, Ratchet trees...

https://tools.ietf.org/html/draft-barnes-mls-protocol-00

 

CitC on mac, really hope security kittens are in my favor..

https://g3doc.corp.google.com/devtools/srcfs/g3doc/mac-citc.md

 

On my 3rd Nexus 6p. Things I have learned:

- Always upgrade the new phone to the latest build or backup/restore breaks. (With security updates that meant *6* restarts.)
- Good time to prune unused Apps.
- Don't forget to recache: Play Music playlists and Maps Offline data.
- Open each app one-by-one to get rid of "Okay, got it" prompts.

Things that are still painful:
- Entering long 20 character passwords in apps
- Transferring TOTPs in Authenticator

 

Scanning

I guess just in case I was running some perl script I downloaded off of Matt's Script Archive on port 7888

plindner@arcwelder:[beaker]/google3$ host 172.25.65.58
58.65.25.172.in-addr.arpa domain name pointer security-scanner-amer-3.cbf.corp.google.com.

But it appears I can't make it stop :(

https://scarf.googleplex.com/checkip?target=100.109.7.129&list=

05:52:51.515942 IP 172.25.65.58.43577 > 100.109.7.129.7888: Flags [P.], seq 0:432, ack 1, win 229, options [nop,nop,TS val 1188697399 ecr 2097041011], length 432

 

ZeroTier looks really nice. Sadly I suspect it violates many security kittens...

 

Decentralized Web Summit Trip Report - June 8-9, 2016

It's been a week, so time for a writeup of what went down at DWS. The press below covers some details, but I'm going to talk about the _feels_.

tl;dr - Electric atmosphere, technology on the cusp, very unclear future.

I found out about this too late to attend the first day, but I followed along via the live stream while reading up on the underlying technologies and chatting with attendees using federation features of Slack.

I went in person for day 2 and immediately felt the deja vu. O'Reilly FOOCamp meets early Google I/O meets the original GopherCon. You had wise sages (or as Wendy Hanamura put it _Original Gangstas_) working side-by-side with the new blockchain Gangstas. The only thing missing was a game of werewolf.

The breakout sessions were tech heavy but the crowd didn't need their hand held to pull down git repos and run/modify code. Many quick demos were created.

Lightning talks (available online) had thoughtful live questions and were broad enough to cover both the underlying technology and the potential results of applying it to society. I appreciated the inclusivity and diversity.

That said, the ghosts of breathless tech conferences past were all there:

*Mobile* No real demos on phones. Many talks started with 'enter this on the command line'. That said, most of the p2p systems on display have really good mobile properties: eventual consistency, offline sync, etc.

*UX* Little to no focus on UI/Usability problems. There was some discussion on the "Why PGP failed" talk, and passing references here and there. But very little about how this tech would be better for users.

*Economics* This new tech is competing with dirt-cheap VPS hosts out there and a generation of software designed for centralized client-server. Privacy and long-term effects on the ecosystem are low on users' feature lists. With the fintech bubble about to pop, who's going to fund the development, let alone the ongoing governance? Will new bitcoin funding models be the solution? Will the incumbents embrace or reject?

*Complexity* Writing cryptographic serverless code is difficult and it's easy to make mistakes. libp2p is a good start, but the tooling isn't there yet.

Despite these serious issues this is the most excited I've been about our technology space in a long time. The electricity and optimism about what might emerge from this soup of technologies was palpable. I have hope that people won't want to repeat past mistakes, and that the new stack can achieve some 10x gains. Here are some initial thoughts:

- What if your phone could pull down entire sites for use offline and have deltas propagated when connected?
- How about having all of your physical devices syncing between themselves instead of up and down to the cloud?
- How about a better UI for managing your identity public/private keys?
- What about your OnHub being your persistent home on the network?
- What about being able to archive and 'play back' entire web sites like you would a git repo?
- How about having easy micropayments as a way to break free from our current ad-supported mess?
- How about Android APKs that travel from device to device with the security of knowing that you're running the exact same code as everyone else?

... more to come.

http://spectrum.ieee.org/view-from-the-valley/telecom/internet/the-fathers-of-the-internet-revolutio...

 

Portmapper

Comcast called me. Said I was running UDP portmapper on my external IP. Oops.

This was leftover from an experiment running NFSv4 across the net. [it sucked, used sshfs instead]

Also, for those who've never experienced a reflection attack, it's NASTY. Attacker sends forged source-address UDP packets so all responses go to the victim host. In the past NTP and DNS provided the vectors. Back in 2006 it was PharmaMaster and Blue Security:

http://www.securityfocus.com/news/11392

http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-indu...

 

Anyone from Security team want to sign on to this? Cory Doctorow asked me to send it onwards.


https://www.eff.org/deeplinks/2016/03/security-researchers-tell-w3c-protect-researchers-who-investig...

 

Fedora

New Security Vulnerabilities channel on Comcast channel 997. Fedora Core 10 was EOLed in 2009...

 

Xfinity Wifi

Anyone gutsy enough to try the Xfinity Wifi 'security profile'?

It generates an XFINITY.mobileconfig. Peeking into the file it appears to contain my username, password and some certificates.

/me walks slowly backwards...

<key>EAPClientConfiguration</key>
<dict>
    <key>UserName</key>
    <string>paullindner09@comcast.net</string>
    <key>UserPassword</key>
    <string></string>
    <key>AcceptEAPTypes</key>
    <array>
        <integer>21</integer>
    </array>
    <key>TLSTrustedServerNames</key>
    <array>
        <string>*.aaa.wifi.comcast.com</string>
        <string>*.aaa.wifi.xfinity.com</string>
    </array>
    <key>TTLSInnerAuthentication</key>
    <string>PAP</string>
</dict>


http://wifi.xfinity.com/faq.php
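Added example, not code from the post, Comcast or Apple: a Python check that walks a .mobileconfig profile and flags the credential-bearing settings the fragment above shows (a stored UserPassword, EAP-TTLS type 21 with a PAP inner method, and a missing TLSTrustedServerNames pin). The embedded profile is a constructed sample modelled on that fragment; the username and password in it are placeholders.

```python
import plistlib

# Constructed sample modelled on the quoted profile fragment; the account
# name and password are placeholders, not values from the real file.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>EAPClientConfiguration</key>
    <dict>
      <key>UserName</key><string>user@example.net</string>
      <key>UserPassword</key><string>placeholder-password</string>
      <key>AcceptEAPTypes</key><array><integer>21</integer></array>
      <key>TLSTrustedServerNames</key>
      <array><string>*.aaa.wifi.example.com</string></array>
      <key>TTLSInnerAuthentication</key><string>PAP</string>
    </dict>
  </dict></array>
</dict></plist>
"""

def find_eap_configs(node):
    """Yield every EAPClientConfiguration dict, wherever it sits in the plist."""
    if isinstance(node, dict):
        if isinstance(node.get("EAPClientConfiguration"), dict):
            yield node["EAPClientConfiguration"]
        for value in node.values():
            yield from find_eap_configs(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_eap_configs(value)

def audit_mobileconfig(data):
    """Return a list of findings about credentials stored in an 802.1X profile."""
    findings = []
    for eap in find_eap_configs(plistlib.loads(data)):
        user = eap.get("UserName", "<no username>")
        if eap.get("UserPassword"):
            findings.append("stored plaintext password for %s" % user)
        if 21 in eap.get("AcceptEAPTypes", []) and eap.get("TTLSInnerAuthentication") == "PAP":
            findings.append("EAP-TTLS with PAP inner auth: the password crosses the tunnel unhashed, "
                            "so it is only as safe as the server-certificate check")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no TLSTrustedServerNames: any cert from a trusted CA is accepted")
    return findings
```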

 

Interviewing PMs

Not sure where to get feedback for this so tossing into the ether...

I've been getting many PM interviews for Technical Hat; I wonder what others think of this line of questioning?

- We have an SMB with 1000 devices and 20 servers
- These machines generate log files (1st question, does candidate know what a log file is?)
- Your product needs to meet the needs of the following users
- Sysadmins need to be able to diagnose problems, do postmortems.
- Auditors need to enforce rules on system usage
- A security team wants to detect intrusions, malware etc.

I then ask the candidate to ask clarifying questions and try to get them to give me any/all of the following through progressive probing:

- Min viable features of the product
- Do they suggest graphs? notifications? email alerts?
- What about user provisioning? Admin features?
- What kind of UI? Web? Mobile? Command line?
- Search?
- A high level technical design showing how we get from Logs -> UI
- Push vs pull?
- Where/when does parsing happen?
- Technical
- How do you store the data? How do you transform it? Batch?
- What database? How many QPS?
- Redundancy? Failover?
- On site / off site?
- Insights
- Does the candidate understand privacy/security concerns? (Mention wipeout, retention for the auditor use case)

So far I've gotten some decent responses, but most fall into "run reports on files and store those".

For the good candidates we are able to progress to phase II where we design for a multinational Fortune 500 scenario.

So WDYT? Good question?

PMs? How do you think you'd do on my question?

 

So I was just saying to myself wouldn't it be great if we could have incognito iframes and behold! there it is.. iframe sandbox's unique origin solves that problem...

Anyone using this in practice? I'd love to use this as a way to serve up 3P content and supply the appropriate user information directly from the parent via postMessage to avoid user-overlap confusion.


http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

 

I call mine my "Macbook-C"  Seriously awesome hardware.

Originally shared by Google Chrome

Introducing the HP Chromebook 11, designed and built in partnership with our friends at HP. It has all the speed, simplicity and security benefits you've come to expect from a Chromebook, with unique design elements that make it easier to get stuff done. And all for $279.

Look for it starting today in the US at Best Buy, Amazon.com and Google Play and in the UK at Currys, PC World and more. It will also be coming to other countries in time for the holidays.

Find out more on the Chrome blog: http://goo.gl/tzyHvs

 

Security Escalation help?

We found about 1m users that are infected with a chrome extension that rewrites search result pages (See http://b/7465588). We've gotten some good help on some of the issues, but I feel like I haven't gotten the right people involved to deal with this properly.

- Can we notify those 1m users that they are infected?
- Can we detect that this extension is running on the SRP and stop it?

I can't tell who on Search to raise this issue to, and I cannot see who would coordinate an outreach program to the poor folks that are getting a crappy chrome experience due to the dodgy extension...

Thanks

 

A bit tired of wordpress security issues. I've had to help friends get upgraded after they got _pharma'd_ and today the LinkedIn blog was compromised. What's funny is that they reset my LinkedIn account in addition to my WP account..

[and no I didn't realize that I still had access to the LinkedIn blog :)]

 

Would people be interested in a periodic hangout where me and my weekly Google guest makeover your web site with Googley features? We'd have a special guest each time and go over things like authorship markup, security, performance, APIs, widgets etc?

+1 this post if you're interested. Feel free to nominate your favorite site you'd like me to put under the microscope in the comments...

[nifty CC BY-NC-SA 2.0 photo from flickr user spike55151]

 

Take your Security vitamins!

Security reviews may seem unpleasant, but they're really important to defend our users against the bad folks out there and just plain unintentional sloppiness.

I have to commend the team; their diligence revealed some hair-raising issues in a SaaS partner that could have had disastrous consequences for us and all of said partner's customers.

[image CC BY-NC-SA from http://www.flickr.com/photos/teeves/]


https://plus.google.com/photos/107786897865850743842/albums/5717225082897424049/5717225079236654674
 

Shindig security tokens can be made into bearer tokens without much difficulty re: http://ff.im/jtlYP