Podcasting: 5 dos and 5 don’ts

About 10 years ago (or was it 11 years… or 12 years… let’s cap it at 10 before I start to feel too old), I got a Sansa Clip. I loved my Sansa Clip. The killer app for me was podcasts. Today, my Sansa Clip is long gone, but I’m still a voracious podcast listener.

I’ve come to realise that there are things I like to hear in podcasts, and things that I don’t like. In this post I’m going to list 5 things I like, and 5 things I don’t like. If you produce a podcast, read on – you just might find something to make your podcast a little bit better.

As a bonus, you’ll see me specifically mention some of the podcasts I listen to – while this post isn’t really about recommending podcasts, I suppose you could infer that since these are shows I listen to, I must think they’re pretty good. And I do.

Continue reading

Posted in Uncategorized | Tagged , , | Leave a comment

The cyber killchain: wrong, but is it useful?

All models are wrong, but some are useful. The trick is to determine in what circumstances a model may be useful. This is where mistakes are made.

Today I was at a seminar on cybersecurity in the context of individuas, and I asked the speakers about whether the cyber killchain is useful in the context of personal cybersecurity or if there are other models that are more appropriate.

What surprised me was the attitude of one of the speakers towards the model itself – something along the lines of:

“I think we need to get away from the militarisation of cyber security*”

(*I’m paraphrasing because I can’t remember the precise words used, but that was the meaning conveyed).

I don’t know if there is a science to deciding if a model is useful, but I feel confident that the provenance of a model is not the best discriminant. It’s tempting to say an idea born in the military is going to be too militaristic in perspective, but ideas move between fields all the time, and in this era where interdisciplinary approaches yield the most progress, I think the default position should be it doesn’t matter where it came from, what matters is how we can use it.

Yes, the cyber killchain concept came from the military industrial complex. Does that mean it has no place in the civilian non-enterprise Internet?

If there was a better model, then great. But if not, something is better than nothing, and the cyber killchain is something. The stages (Recon, Weaponisation, Delivery etc) are understandable, relatable, relatively generic, and I suspect they could kind of map to the individual context. Maybe they wouldn’t map well, but it would be a start. It would be something.

It seems to me like the current offering to concerned individuals doesn’t amount to much more than a laundry list of horror stories (“you know what happened to this person? Well first they revealed their birthday, and then the scammers used that to get their phone number, and then bla bla bla”), and a list of chores (“always update, always backup bla bla bla”).

Why doesn’t that work? Because there is no model, so there is no comprehension. I think that’s why it doesn’t stick and people are left exposed.

And then they are told that they are to blame because they didn’t do all their chores.

Maybe they need to hear more horror stories…

Posted in Uncategorized | Leave a comment

Should Australia join ASEAN?

Former Australian Prime Minister Paul Keating believes that Australia should join ASEAN. This is a call that he has repeated since the surprise victory of Donald Trump. There are concerns about whether or not Australia could join ASEAN – certainly this is something that requires more seriousness than, say, Eurovision participation – but as they say, where there’s a will there’s a way.

So, is there a will to include Australia in the ASEAN community? Political leaders will always have their own individualistic take on things, but I’m curious about how the common man feels about this fuzzy question. Personally I lack the means to carry out “rigorous polling” (whatever that even means anymore), but I do have a Twitter account and a few hundred bucks to spare. So with that, I ran a small experiment to gauge public sentiment for Australian membership into ASEAN.

Here’s what I found.

Continue reading

Posted in Uncategorized | Tagged , , | Leave a comment

A high-level evaluation of the OpenBSM audit system in OS X

One of the BSD legacy security mechanisms included with OS X is OpenBSM. This is an audit mechanism. In contrast, TrustedBSD (also included with OS X) is a mandatory access control mechanism which can block system calls based on some policy. Audit doesn’t block anything, it only reports what happened. Also unlike TrustedBSD, the audit implementation is quite a full-stack offering, including user space tools to control the kernel audit system and even to parse audit records.

What does this system look like on a high-level, and how does it perform? Read on…

Continue reading

Posted in Uncategorized | Tagged , | Leave a comment

Disabling revoked cert checking for malware research on OS X

Malware research involves running malware samples, typically in VMs. Because developer codesigning certificates are trivial to acquire in the Apple ecosystem, OS X malware samples are very often code signed. When malware is discovered, Apple can and often does revoke the associated cert. While this is a good thing for end-users, it can be a hindrance for malware research.


This app has a revoked certificate

Fortunately, it is easy enough to disable this security feature.

Continue reading

Posted in Uncategorized | Tagged , | Leave a comment

httrack for downloading websites

Scraping web pages for offline hosting can be handy for testing. I’m a long-time wget fan, but for pulling down entire web pages, CSS/JS bits and all, it just trips up too easily, so I needed something better. Some quick googling revealed the venerable httrack tool.

There are loads of positive comments about httrack all over the Interwebs, so after a quick brew install httrack I pointed it at http://www.cnn.com.

The initial experience was not great, but then I realized where the problem was: http://www.cnn.com redirects to http://edition.cnn.com/, and I guess the redirect confuses httrack. Pointing httrack directly to the redirected url produces a much better result.

I’d also read that sometimes robots.txt files will mask CSS and JS files. Luckily httrack provides an argument to ignore robots.txt.

Finally, aided by the interactive-mode wizard, the httrack command I ended up with looks as follows:

httrack http://edition.cnn.com  -O "/tmp/webscrapetests/httrack/cnn1/f3" --mirrorlinks -%v --robots=3 -r4

That is a rather heavy weight approach:

Bytes saved: 	145,02MiB	       Links scanned: 	74/651 (+556)
Time: 	12min37s	               Files written: 	567
Transfer rate: 	24,26KiB/s (24,95KiB/s)Files updated: 	0
Active connections: 	4	       Errors: 	15

Current job: parsing HTML file (54%)
 request - 	i2.cdn.turner.com/cnnnext/dam/assets/160323081635-money-consumer-reports-smartphone-large-tease.jpg 	0B / 	8,00KiB
 receive - 	i2.cdn.turner.com/cnnnext/dam/assets/160307120744-future-of-adventure-concept-bike-4-large-tease.jpg 	9,48KiB / 	21,43KiB
 receive - 	i2.cdn.turner.com/cnnnext/dam/assets/160403134416-money-toshiba-battery-recall-large-tease.jpg 	2,11KiB / 	41,15KiB
 receive - 	i2.cdn.turner.com/cnnnext/dam/assets/160413092137-money-amazon-kindle-oasis-large-tease.jpg 	17,65KiB / 	32,34KiB

But since it’s a one-off operation, doesn’t seem like such a problem. Once it’s done, fire up python -m SimpleHTTPServer 8000, disable your wifi, then point your browser at localhost port 8000 – some things may be broken, like ads (win?), but most of the page should load just fine.

Posted in Uncategorized | Tagged , | Leave a comment

Do you really need a blockchain?

There’s a scene in Angels and Demons where the Camerlengo asks Robert Langdon if he believes in God. Professor Langdon replies “faith is a gift I have yet to receive“. I found this interesting because, despite not being part of the church, Langdon has skills that are crucial to it’s survival.

I’m no Robert Langdon, but perhaps another reason why that scene resonated with me is because it kind of describes my relationship with blockchain technologies. On a technical level I could not be more enthusiastic about blockchain technology. A while back I even did some paid consulting work involving blockchains. The issues are all fascinating, from a high-level with the Byzantine General’s Problem, right down to lower level stuff like the bounded control-flow of the scripting language, and even to seemingly simple things like memory buffer eviction policies designed for resilience against abuse. It’s all fun stuff.


Because DISRUPTION. Right?

However, beyond the pleasure of intellectual pursuit, for now I am firmly a blockchain skeptic. It just doesn’t seem like blockchain is as widely applicable as people say it is. Some areas like syndicated loans may be ripe for blockchains, but that’s a very niche field with high barriers to entry, and very few projects actually operate at that level. And yes, I realise there’s plenty of institutional support even on the retail end of finance, but I really don’t know if there’s much more to it than FOMO – after all, if you’re in banking, spending a bit on blockchain projects is cheap insurance.

In real conversations the skepticism often manifests as point objections, such as:

  • Full confirmation is too slow for most use cases.
  • What do you mean bitcoin enables micro-transactions? Microtransactions have been powering the Internet for a long time. Sure with Bitcoin you don’t need a prepaid model, but prepaid hasn’t been that much of a problem thus far, so who cares? And anyway many microtransactions require low latencies which again are just fundamentally at odds with the blockchain model.
  • Are you sure using a blockchain results in a cheaper solution, or is it just that more of the costs are kept off your books?

Each of the above will have pro-blockchain counter-arguments, such as SPV instead of full confirmation, but it just ends up going in circles.

These objection handling conversations can get a bit frustrating, so maybe we should stop starting from the premise that something should have a blockchain component, and then try to find flaws in the idea. What if we approached it from the other perspective: why should this thing have a blockchain?

The trouble is, in my experience, there is a tendency for people to argue that trust (or trustless-ness) is an intrinsic property of blockchain technology, and when they see a problem with some trust component they immediately think of incorporating blockchain as part of the solution. Is that reasoning really good enough? Or is trust merely a confusing straw man in this situation? We should be very clear on when and why a blockchain is needed, because it is expensive technology, and introduces major limitations on what users and operators can do.

Let’s start from first principles. What is a blockchain? And building on that, in what situations does one need a blockchain? For me, the penny dropped when I happened upon a gem in the a16z podcast. I feel Adam Ludwin really nails it about 30 minutes in, when he says (I’m paraphrasing for conciseness):

A blockchain is a database of assets that is shared with participants in the network, where a given asset is controlled by the participant who owns the asset, and not controlled by whoever controls the database.

The key thing is that whoever controls the database does not control the data. What does that mean? Let’s spell it out plainly.

If you take a copy of a database that is stored on some infrastructure that you control, e.g. the full blockchain that is downloaded by a Bitcoin client on your computer, you can go ahead and change the data as you like. It is your data. It lives on your computer. However, the data is structured in such a way that by making these arbitrary changes, you would have violated the integrity of the database, and consequently the database ceases to be valid, and is effectively no longer usable. It’s not a question of knowing how Bitcoin works – you can know everything there is about Bitcoin, but even armed with perfect understanding, you will never be able to make just the right edits to the data. The only way changes to your local copy of the database can be made without breaking the database is for the “owner” of the relevant entries within the database to make the required changes.

This the key property of blockchain technology: a copy of a dataset can exist anywhere, but to maintain the integrity of the dataset, individual items of data within the dataset can only be manipulated by a specific actor.

The word “only” in the above must be interpreted in the strictest technical sense, not “entrepreneur-level strictness”; there is no assumed database administrator with a secret key who can make the right binary-level edits or whatever. That’s the cryptographic magic of blockchain. It is absolute.

Do you need that magic? Are you sure you can’t just use a properly secured website with a normal database backend, to which you can make edits should customers screw up a request and need you to do a rollback? I mean if you’re building a solution for people to trade unused cellular hours, having Vodafone as an all-powerful database owner doesn’t seem so bad. The same could be said for a loyalty points trading platform.

It’s not a technical choice, it’s a business case choice. For your idea to work, do you need a database where there is no database owner who can make arbitrary updates?

If you answered yes, then congratulations, you indeed have a problem that may require a blockchain. Otherwise, you should default to a traditional database solution instead of needlessly accepting all the expense and loss of control that comes with a blockchain.

Maybe one day I will receive the gift of faith. But until then, I test every idea against the key requirement described above. Regardless, I’ll try to find some spare time to learn about things like lightning networks and segregated witness, just for the intellectual fun of it.

Posted in Uncategorized | Tagged | 1 Comment