2018 has been an amazing year for Apple products, but there were a bunch of other tech companies that put out some incredible new gadgets that we’ve fallen in love with.

Instead of focusing on the flashiest, most popular products of 2018, we’ve rounded up a list of goodies that we’ve personally been using throughout the year and can’t imagine living without, whether they were created in Cupertino or not. Hopefully, you’ll find something great you haven’t heard about yet.

The Libratone Zipp sounds amazing.

Photo: Libratone

If you haven’t heard of Libratone before, you’re probably not alone. The speaker manufacturer has been around for a few years, making incredible wireless speakers. Its Zipp speaker connects to your wireless network and can be grouped (through its companion app) for multiroom audio or set as a stereo pair for a wider sound stage.

In 2018, Libratone added support for AirPlay 2, allowing you to use the Zipp in conjunction with HomePods and other AirPlay 2 devices around your house, adding to their versatility. What makes the Zipp even better is support for Spotify Connect streaming, as well as Tidal integration and streaming radio, and auxiliary input, and built-in Bluetooth. This means that there’s almost no limit to how you can pump sound into the Zipp speakers.

The Zipp also pack a built-in battery for use on-the-go, or can be powered through an AC wall adapter. The speaker’s fabric cover is replaceable and comes in a variety of colors, allowing it to blend in ― or stand out ― in any room.

Buy from: Amazon ― $249.99

2018 would not have been nearly as magical for me without DJI’s Mavic Air. I’ve been flying drones for a couple years and the Mavic Air is the perfect embodiment of everything you could want in a drone. It’s absolutely tiny but still snaps some of the most stunning pictures and videos I’ve ever captured.

This summer I drove from Tijuana, Mexica to Jasper National Park in Canada and the Mavic Air was with me the entire time. It’s so portable that I never hesitated to take it on a hike or any of the cliff jumping shenanigans I got into. And the biggest surprise is how good the camera is. It shoots 120fps slo-mo video at 1080p and 4K video at 30fps. Slap on some ND filters to get your exposure just right and you’re able to get some truly incredible shots.

Not only is Mavic Air’s hardware good but DJI’s software game is top-notch. There are a number of intelligent shooting modes that make it easy to capture cinematic footage with minimal experience. The obstacle avoidance is solid too. Despite crashing my old drone nearly a dozen times, I’ve never had an accident with the Mavic Air. If you’re looking to get into droning, this is the bird for you.

Buy from: DJI

The iPhone XS Max is almost too beautiful.

Photo: Apple

Every year Apple comes out with “the best iPhone ever” but goddamn does the iPhone XS Max truly feel like the greatest smartphone ever. The screen is drop-dead gorgeous. Photos and video look more amazing than ever with the new camera. And Face ID continues to be one of the most under-rated features Apple’s put out.

It’s cliche to pick the newest iPhone as one of the best gadgets of the year, but the iPhone XS Max lives up to the hype. Every minute with the XS Max is delightful. Whether I’m watching movies, scrolling through Instagram, shooting videos on my friends, editing photos or playing games, using the XS Max feels like the future has finally arrived.

Buy from: Apple

Electric skateboards still don’t seem like they’re quite ready to go mainstream but Boosted Board’s new Mini X shows that it won’t be long until they takeover cityscapes. The Mini X is smaller than the first generation board the company came out with. It doesn’t lack for power though. You can cruise on it up to 20mph and climb hills with a steep grade of up to 20 degrees.

The biggest limitation on electric skateboards has been their size to range ratio. Most of them are big and bulky and can’t go past 7 miles. With the Mini X you got a board you can actually carry around comfortably and it has a range of 14 miles. Best of all, the Mini X is one of the more affordable boards out there.

I’ve been ripping around Phoenix on a Mini X for a few months now and it’s one of the most fun things I’ve ever ridden. Going uphill in a car garage is absolutely thrilling. A lot of times, I feel like my friends just wanna hang out at lunch so they can cruise around on the Boosted Board for a bit, and I can’t blame them.

Buy from: Amazon ― $999.00

Ever looked at your iPad and thought “It’d be rad if it looked like a tiny iMac”? No? It doesn’t matter, because you’ll love the Abovetek iPad stand anyway. It’s a super-sturdy aluminum bracket with a set of rotating, silicone-lined jaws that clamp the iPad gently but firmly into place.

You can use it in portrait or landscape, at any angle you like, and there’s even a hole to pass cables through. It’s the best desk stand I’ve ever used.

Buy from: Amazon ― $39.99

Imagine a piano keyboard that is also a multitouch surface.

Photo: Charlie Sorrel/Cult of Mac

This is the perfect way to shut up the annoying table-drummer in your life. Paired with an iPhone (or Mac iPad), the Roli Lightblock brings relief to everyone. It’s a pressure-sensitive silicone-topped block that doubles as a screen, and the bright colored patterns correspond to drum pads, music scales, even control sliders for your favorite music apps. It’s Bluetooth, it’s MIDI, and it’s awesome.

Buy from: Amazon ― $199.95

The bigger display is so nice.

Photo: Ste Smith/Cult of Mac

2018 was the year Apple Watch hardware finally caught up with Cupertino’s grand vision for the smartwatch. With a subtle redesign, superior internals and a bigger, brighter screen, Apple Watch Series 4 left its predecessors ― and its struggling competitors ― in the dust.

While the modest 2mm increase in screen sizes sounds negligible on paper, it actually looks rather startling on the wrist. And the vivid new screen on Apple Watch Series 4 is something you can’t unsee. (Hold it next to your Series 3 in the Apple store and I know you’ll succumb to serious upgrade fever.) Add in the power punch of Apple’s new S4 chip, and vastly improved battery life, and you’ve got a Watch that’s finally ready for prime time.

New features like fall detection, ECG and Walkie-Talkie proved nice, but Series 4 hardware upgrades took the Apple Watch experience from good to OMG this year. ― Lewis Wallace

Buy from: Amazon ― Check on Amazon

A range of SimpliSafe sensors can tackle all your home security challenges.

Photo: SimpliSafe

SimpliSafe set out to disrupt the home security industry. With an updated wireless system launched in 2018, SimpliSafe really blew it up.

Rather than signing up with an expensive home security service and paying to have a system hardwired into your home, you just order the proper sensors online. (SimpliSafe offers standard door and window sensors as well as glass-break sensors, smoke alarms and more.)

Once you get your gear, you can get this DIY security system up and running in less than an hour. It’s easy to install and costs far less than other services, without the contracts and commitments that SimpliSafe’s competitors made infamous. An unassuming design looks pleasant enough. And, more importantly, a frictionless user interface makes this system straightforward to use.

Basic monitoring starts at just $15 a month. It’s especially ideal for remote homes with no internet because SimpliSafe works via a built-in cellular connection. The whole thing costs less than my previous home security setup ― and I was able to disconnect the landline that the old-school system required. All the security at a fraction of the price! ― Lewis Wallace

Buy from: Amazon ― $125.00

A single Thunderbolt 3 port from your laptop expands to 15 ports!

Photo: Caldigit

Cal Digit’s TS3 Plus is one of the finest Thunderbolt 3 cocks on the market. It includes future-thinking technology like a UHS II SD Card slot, and the fastest USB 3 ports available today. But most importantly, it restores all the beloved ports Apple removed from your Mac notebook.

https://www.secrss.com/articles/7263

参考来源：

https://www.hackeye.net/securityevent/18023.aspx

参考来源：

https://www.oschina.net/news/102885/ie-cve-2018-8653

参考来源：

https://www.easyaq.com/news/32708545.shtml

参考来源：

https://www.CodeSec.Net/

参考来源：

https://www.cnbeta.com/articles/tech/800641.htm

参考来源：

https://www.solidot.org/story?sid=59037

安全帮，是中国电信北京研究院旗下安全团队，致力于成为“SaaS安全服务领导者”。目前拥有“1+4”产品体系：一个SaaS电商(www.anquanbang.vip) 、四个平台（SDS软件定义安全平台、安全能力开放平台、安全大数据平台、安全态势感知平台）。

There were cops unlocking iPhoneswith corpses. Australia mandated backdoors. Applecame out swinging against accusations they were infiltrated by Chinese spy chips. Japan's Cybersecurity minister said he's never used a computer . The head of DC's top cyber think tank turned out to be a con man . A Russian spy claiming to be a cybersecurity aficionado faked her way into the GOP and NRA.

All that, and it seemed like every business big and small had a breach or exposed our private data in some way. Here's our roundup of the nuttiest fruitcakes no one wanted this year, but that we ended up getting anyway.

Between the lack of action by officials to secure the midterms, to voting machine vulnerabilities gone wild, this was the year American election security went beyond critical.

At the yearly hacking conference DEF CON, the Voting Village flipped the script on voting machine makers (and those who benefit from their insecurity) by exposing the whole sordid mess. They bought surplus decommissioned machines on eBay to probe for vulnerabilities, which caused the makers to panic and try to stop researchers from getting their hands on the gear. The DEF CON event made headlines as researchers of all ages successfully hacked machines and simulations of election websites with terrifying ease ― which got the researchers attacked by people who accused them of aiding foreign adversaries. Those working to fix the issues disagreed, to say the least .

DEF CON's Voting Village then compiled a report of everything they found, as well as their conclusions about the issues in digital voting machines. The report was presented to lawmakers on Capitol Hill. Terrifyingly, the findings "highlighted a decade-old vulnerability in a ballot-counting machine used in more than half the states." DEF CON founder Jeff Moss described "a 'civil war' going on at big US voting-equipment vendors between employees who want to proactively address security vulnerabilities and those who stubbornly oppose doing that."

Then the elections happened. There were lots of problems, but perhaps the biggest was Brian Kemp hacking the Georgia election in his favor by doing everything possible to keep people from fixing the well-known security holes in his state's system. Evil clown, away with you!

For its year in security, the White House basically acted like a guy walking down the street who saw a pile of poop on the sidewalk, and aimed for it.

Especially when, in May, it was revealed the President of the United States had long ago decided that securing his phone was just " too inconvenient ." This prompted press outlets to declare that he had "gone rogue" with the security of his personal electronics. "The president has kept features at risk for hacking and resisted efforts by staff to inspect the phones he uses for tweeting," wrote Politico, prompting another round of collective terror at the state of our state's security.

"The president," the outlet reported, "who relies on cellphones to reach his friends and millions of Twitter followers, has rebuffed staff efforts to strengthen security around his phone use, according to the administration officials."

The very next month, Ireported that John Bolton had eradicated the White House positions (and people) who should be standing between the United States and cyberattacks against our voting processes, our infrastructure and the tatters of our democracy. Next, Bolton appointed a cyber-deputy aide with zero experience in cybersecurity. Fred Fleitz, who now plays a critical role in coordinating national security policy and is a self-appointed cybersecurity policy expert, went on the record saying that all those US intelligence community reports on Russia's election tampering were a setup. "Fleitz has also said it's "impossible" to know if Russia was responsible for election-related hacks," wrote Daily Beast.

Fleitz, a Fox News pundit and op-ed writer, stated that the "intelligence assessments were rigged for political purposes." Defending Russia, WikiLeaks, and RT, he undermined both the ODNI and DHS, and stressed that there was no evidence of Russian involvement.

To bring it all home, near the end of 2018 we found out about Ivanka's personal email account, making her "the worst offender in the White House."

In short, the cybersecurity practices of our government's highest leadership can best be described as "pissing into the wind." It's no wonder the US refused to sign the international "Paris call for trust and security in cyberspace."

This year proved that even when given every opportunity to do so, Facebook will never do the right thing when it comes to user privacy or security. In fact, an argument could be made that people at the company have no idea what the words mean. Though, maybe they're just working from radically different definitions than the rest of the world.

There's simply too much horrible, no-good, awful, and deeply distressing Facebook privacy and security news this year to cover in one go. But the highlights (er, lowlights) say a lot.

The API access stories, where companies were given beyond-the-pale access to user information, have been a yearlong liturgy of privacy horrors. Yet the massive, yearlong hack and the company's ad-profiteering off user security information are two things that look more like maliciousness than carelessness by the day. Both of which the company admitted to with evident reluctance.

We found out that the world's largest, most powerful and influential social network (and identity registrar) actively took user security information and gave it to advertisers. I'm talking about Facebook's two-factor security betrayal , where it was revealed the company took phone numbers under the guise of account security and used them to sell ads (and ad access to users).

Then, there was the massive and egregiousbreach revealed in October ― which had gone on for at least a year. The number of directly affected users was29 million, which is at least three Londons (population 8+ million), three New Yorks (population 8.5 million) or around half of the entire United Kingdom.

It was an extreme breach ― Facebook revealed to users that unknown attackers got their "username, birthdate, gender, location, relationship status, religion, hometown, self-reported current city, education, work, the devices they used to access Facebook and the last 10 places they checked into (or were tagged in) on the site" as well as the past ten searches affected users did on the site. Caveat for those "last ten" claims ― remember, the attack was active and available for nearly a year.

The attackers got all that, plus useraccess tokens, which facilitate leapfrog entrance into connected apps. Facebook claimed at the time that no other sites were accessed -- but Facebook didn't cooperate with affected sites to help connected apps find affected users (Tinder resorted to appealing to Facebook for a list of affected accounts through CNN), we should be more than skeptical about this claim.

Talk about a dream come true for identity thieves. And in case you think Facebook would at least try to do the right thing by its users, the company has stated it would not be providing identity protection to those affected. So, in light of all those real names they collected, all those IDs they forced people to upload ... let's just say the worst thing possible happened with that information.

As the year comes to a close (and not a moment too soon) it's interesting to reflect that ten years ago, it seemed like no one outside IT and hacking conferences really talked about cybersecurity, our data or digital privacy.

Now these three things are practically all anyone talks about. Which is good, but also why it's mind-bending that it's all such a disaster. Honestly, there are now a whole lot of people who know better. And there's no excuse for what we've seen go down on the main stage in the cybers this year.

Here's to hoping there's nowhere to go in 2019 but up.

The Verodin team and I have spent many quarters traveling all across the US and abroad. When we’ve been out there giving talks, we’ve also been collecting security statistics from hundreds of audience members via real-time polling software.

The results of these polls have created an interesting cross-section of perspectives. My audiences generally include red and blue security teams, auditors, security executives, and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare, and oil & gas, just to name a few.

For this blog, let’s take a look at the polling question: How much of your security is based on assumptions instead of evidence?

Not unsurprisingly, a whopping 97 percent of the poll responders said that at least some of their security is based on assumptions. 81 percent expressed that at least half of their security was based on assumptions and 10 percent claimed that all of their security was based on assumptions.

I’m not at all shocked by these statistics. In fact, the Verodin Security Effectiveness Report found similar numbers when customers initially starting using Verodin SIP―specifically, in regards to how effective security tools were in production across measures like prevention, detection, and correlation. Basing security on assumptions instead of evidence is one of the main causes of reduced value from security tools and reduced overall security effectiveness. SIP’s ongoing approach addresses this specifically, since instrumentation isn’t about highlighting that only 20 percent of your security is effective―it’s about getting the other 80 percent and keeping it.

These organizations realize that basing security on assumptions isn’t a valid approach. However, until the onset of platforms like the Verodin Security Instrumentation Platform or SIP , even with the best tools and the best people, it was almost impossible to validate security controls with any level of empiric evidence. As such, security was and still is in many cases assumption-based.

Assumptions waste time, money, and resources. And they have the added disadvantage of not even effectively mitigating risk. A legacy approach that many organizations took before SIP was a constant scan-patch-scan methodology but the approach that should be taken includes specifically measuring, tuning, monitoring, and communicating the security effectiveness of actual security tools. For reference, see Verodin’s recent security blog that shared some statistics on this approach, titled “What’s most important to your security program?”

Once the shift is made from assumption-based security to evidence-based security, it becomes possible to start rationalizing security tools. You can address questions like, “What’s working, what’s not, what should be replaced, where do you need to invest, and how should you be prioritizing changes?” Managing security with proof regarding effectiveness changes the entire paradigm of security management and allows organizations to get real value from their current security investments and prove the value that those investments are yielding.

Check out how the Verodin Security Instrumentation Platform (SIP) can help move you from assumption-based security to evidence-based security. Get a demo.

In my novel “ Influence ”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In this series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN , the Onion Browser , Kali linux and using VHF radios . I’ve talked about HTTPS and VPNs so far, now we’re going to discuss the Onion Browser and the Tor network.

For anyone interested, my book is available either as a paperback or as a Kindle download on Amazon.com:

Tor is an abbreviation for The Onion Router. You tend to see Tor and Onion used interchangeably. Nowadays Tor tends to refer to the Tor network and Onion to the open source browser that utilizes the Tor network to browse the web.

The Tor network and Onion Browser were developed by a group of people dedicated to security, privacy and anonymity. The Tor network depends on thousands of volunteers operating Tor network nodes (servers). When you use the Onion browser, each server connection that you use goes through a different random path through these Tor network nodes. Each node acts like a VPN, encrypting communications and hiding the location of the original request. To some degree using the Tor network is like using a set of different VPNs for each website you visit. This makes tracking you down very hard.

The Onion Browser is an open source Internet browser that performs all it’s requests through the Tor network.

The dark web consist of a number of websites that aren’t linked to from the regular web. They only accept requests over the Tor network and you have to find out about them through means other than Googling. This so-called dark web has been know to host all sorts of “bad” e-commerce sites dealing in illegal drugs, human trafficking and child pornography. Whenever law enforcement tries to ban encryption or anonymity, they always use these sites as excuses to be able to track and spy on normal people’s web activity.

On the other hand in highly repressive states which block a lot of Internet traffic with the outside world, the Tor network and the dark web are the only way that dissidents can freely communicate, or that regular citizens can browse the web at all. Generally governments spend way more time tracking dissidents than they ever spend tracking down the illegal websites they claimed to be upset about.

That all sounds pretty good, so why doesn’t J@ck just use the Onion browser and just not bother with all the other things he does? For one thing, government security services spend a lot of time trying to crack the Tor network. Many of the thousands of nodes in the Tor network are actually operated by government agencies. If one of these is your exit node, then they can get quite a bit of info on you. It’s a bit of a race between the developers of the Tor network and government departments like Homeland Security as to how safe the network is at any time.

Another problem is that even though, say Google can trace who you are from the network traffic, they can record things like your typing patterns and mouse movement patterns. These are apparently just like fingerprints and can be used to identify you. Other means are required to disguise these sort of things.

A general maxim in security is never trust anything entirely. The original name of the Onion browser was based on this idea of having many layers of security like the layers of an Onion. Tor provides several layers, but you can add more layers to be more secure.

Every server that you hit introduces a delay as that server receives, processes and then transmits your network packets of information. With the Tor network, you introduce a bunch of these delays to give you better security and privacy. Further, not all the Tor nodes have the greatest Internet bandwidth or server power. After all they are paid for and operated by volunteers. This all adds up to the Tor network being very slow. If you ever try to download a movie of the Tor network it will take forever. This is why people pay for VPNs with decent bandwidth and performance, rather than using Tor. If you aren’t downloading movies, and just doing small queries then it is usable. This is what J@ck tends to be doing.

The Tor network and Onion Browser are key tools used by every hacker. It provides great security and anonymity at the cost of access speed. If you want to check out the dark web then you need to use the Onion Browser.

今天遇到一个需求：用户传递一个字符串过来，跟当前的时间拼在一起取哈希值，作为唯一标识。

举个例子，假如用户传递的字符串是abc，当前时间是123，我们来看看标准答案：

看起来很简单，就写了下面这段测试代码：

我们来运行一下：

嗯哼？结果好像不太对？于是取查了一下Solidity的文档，有这么一段描述：

sha256(...) returns (bytes32) :

compute the SHA-256 hash of the (tightly packed) arguments

keccak256(...) returns (bytes32) :

compute the Ethereum-SHA-3 (Keccak-256) hash of the (tightly packed) arguments

In the above, “tightly packed” means that the arguments are concatenated without padding. This means that the following are all identical:

我们想计算abc123的哈希，实际上就是要计算0x616263313233的哈希，而上面的代码计算的则是0x6162637B的哈希（123=0x7B）。

知道了问题所在，也就好解决了，把时间转换成对应的ASCII码不就行了：

我们再来运行一下：

这回结果就对了，perfect～～

另外，如果你想测试其他的哈希算法比如keccak256，推荐用下面的网站验证结果，非常全：

http://emn178.github.io/online-tools/

更多文章欢迎关注“鑫鑫点灯”专栏： https://blog.csdn.net/turkeycock

加密货币和区块链的成功，离不开行业先驱的前仆后继。

译者 | Moni

编辑 | 卢晓明

出品 | Odaily星球日报（ID：o-daily）

编者按：本文原名《加密叛军》，首发于 1993 年 Wired，作者 Steven Levy，也是《黑客》的作者，讲述了一段斗争者如何为网络隐私保护争取绝对隐私、及现今被广泛使用的公私钥加密算 法的诞生故事。

加密算法本来被国家安全局“垄断”，在二战时期苏美两国用于情报传递。加密无法被大规模应用也有两个技术原因，一个是原来加密内容和解密都要靠一套规则，这套规则就像钥匙，钥匙怎么传送就成了问题；二是如果所有人都能用加密，那就会需要很多把钥匙，如果设计一个专门的钥匙库来存放钥匙，那这个数据库就成了权力中心。

1975 年，一位 31 岁的电脑天才发明了公私钥密码系统，打破了这个垄断。他就是 Whitfield Diffie，后来的图灵奖得主。

此后，数位狂热者将该方法付诸实践。三位科学家基于上述想法发明了 RSA 加密算法，后者比美国政府批准的 DES 还强大。美国政治活跃分子 Phil Zimmermann 从银行申请了五笔贷款，研发了一个能让个人计算机使用的加密工具――让别人看不到你发的电子邮件和文件是什么内容。

加密技术是个人保护隐私的重要手段，应该人人均可以轻易使用――类似思想获得了拥戴者，以湾区工程师最盛。因价值而且聚在一起的人逐渐成立了一个松散的组织“密码朋克”。最近逝世的前英特尔工程师Timothy C. May 是该组织的发起者之一，也是《加密无政府主义者宣言》的作者。

类似的思潮始终受到美国国家安全局的抵制。安全局认为类似思想属于“违禁品”，威胁到了美国国家安全。当时的美国国家安全局局长 Bobby Inman 甚至认为，美国国家安全局对密码具有控制权，就像美国能源局对核电具有控制权样。不过这些“叛军”们似乎不为所动。

直到今天，无限制的加密或隐私保护依然饱受争议。密码朋克认为：“我的家就是我的城堡，我的事不需要你管。”而另一种观点认为：“那你有什么可隐藏的？如果你没有什么可隐瞒的，你就不会使用加密技术。你想保守秘密，只会引起怀疑。”

正文：

凭借为用户提供免费软件创造出的一种特殊盈利模式，Cygnus Support 公司获得了飞速成长。

作为硅谷新贵，这家的办公环境让人仿佛回到了过去那个黑客自由驰骋的年代。Cygnus 公司坐落在一个类似购物中心的工业园区，正好在美国最西部国道――加州境内 101 号国道的覆盖范围之内。这家公司的天花板极高，如同教堂的穹顶高悬，笼罩在其中的是一批批集中的工作隔间，它们呈不规则的球形分布。房椽中间甚至还塞着一个床垫，前台后面的过道有个厨房，里面堆满了零食和软饮料。

（注：Cygnus Support 是 Cygnus Solutions 公司的前身，是一家由 John Gilmore、Michael、David Henkel-Wallace 于 1989 年创办的信息技术公司，旨在为自由软件提供商业支持。它的口号是："让自由软件使用无忧 (Making free software affordable)"。Cygnus 是 "Cygnus, Your GNU Support" 的递归式首字母缩写词。）

一个星期六的早上，公司只有稀稀拉拉几个员工前来工作，而在俯瞰这些办公隔间的小会议室里，一些经常在网络空间聚会的极客们正在现实世界开碰头会。他们都对密码学感兴趣，这门学科研究秘密的代码和密码设计。这个组织的存在意味着，加密领域将要转上超高速的赛道，也将会成为一个有态度的学科，这个组织的名称――“密码朋克”就是这种态度最完美的代名词。

虽然会议定为下午一点举行，但实际上到了将近三点才真正开始。临近三点，大概15位支持公民自由权利的电脑极客围坐在桌边，有的在会议室内走来走去，有的干脆躺在地板上，一边听大家谈话，一边两眼盯着天花板。大部分人都蓄着胡子，留着长发，看起来仿佛是一群传统美国农场兄弟突然走进了全新的数字领域。

这一天的讨论范围很广，既有最近一场密码学会议的相关报道，又有对熵如何让信息系统退化的一种解释。会上特别演示了一款新产品――美国电信巨头 AT&T 的一款安全电话，它号称全球首款防窃听的电话，用起来就和普通的电话一样。这帮对加密学颇感兴趣的“朋克”们饶有兴趣地观看了演示，整个过程中，包括美国最出色的密码学专家在内 ，两个该组织的成员一时之间不知道怎么使用这款电话（这个场面就好似吉他之神 Eric Clapton 努力要摆弄清楚一把简易使用的新型吉他）。会上随时兴起一些讨论。虽然没有明说，但这些技术人才讨论的所有事都有一个潜在的主题： 让密码学为公益服务至关重要。

会议室的人希望创造一个这样的世界：无论是有关人工流产的观点，还是真正的流产医疗记录数据，所有与个人足迹有关的信息都只有在个人选择披露的时候才可以被追踪；在这个世界里，通过网络和微波可以在全球传递协调的讯息，但侵入者和联邦政府如果企图从中捕捉蛛丝马迹，却只能捞到一些无意义的内容；在这个全新的世界里，窥探隐私的工具将会被改造成保护隐私的装置。

在这些理想之中，只有一个会成为现实，那就是得到广泛应用的密码学。它在技术上有可行性吗？绝对有。但障碍来自政治方面，最有权力的一些政府要人致力于控制这些工具。简而言之，这是一个战场，对战双方一派希望自由运用密码学，一派要压制它。那天，齐聚会议室的一批人看起来并没有危害社会，他们代表的是亲密码学的先锋。他们的战场似乎还比较遥远，但风险却并非遥不可及：这场争斗的结局可能决定二十一世纪的社会能给我们多大的自有。对密码朋克来说，自由这个问题是值得为之冒一些险的。

密码朋克的一位成员这样鼓动说道：

“挺身而出吧，除了铁丝网围墙，你们什么都不会失去。”

摧毁加密垄断

只要你对冷战还记忆犹新，可能就会以为，那期间美国国家安全局（NSA）一直负责保护美国人的各种密码，并且尝试破获敌人（苏联人）的密码。有人觉得冷战可能是美国国家安全局三十年历程中第一次游刃有余行事的时期――其实不然，那段日子，美国国家安全局正在经历问世以来最可怕的梦魇。

事实上，美国国家安全局的加密垄断早已不复存在。二十年前，没有哪个不属于政府部门的人、或者至少没有为政府工作的人能掌控或是从事任何密码学领域的重要工作。政府的垄断地位在 1975 年戛然而止。那一年，31岁的电脑天才 Whitfield Diffie 发明了一套新系统，名为“公钥”密码，它成为加密世界无保护屏障的核武器。美国国家安全局坐落于美国马里兰州城市米德堡的总部曾经像堡垒一样坚不可摧，但面对 Whitfield Diffie 这一发明，他们感受到的冲击也最为深切。

Whitfield Diffie 从小沉迷于密码学，孩提时代就通读了自己可能找到的一切密码领域图书。当然，密码和神秘的指环、阴谋这些事物有关。对勇敢的男孩来说，这些秘密总是那么有吸引力。作为一名历史学家的儿子，Whitfield Diffie非常认真地看待这类秘密。他曾经在故乡城市的大学图书馆里搜罗所有密码学信息，而后，他的兴趣暂时低落了一段时间。直到上世纪六十年代中期，他成为麻省理工学院（MIT）电脑黑客圈子的一名成员，对密码学的兴趣才卷土重来。

即使在还是个毛头小子的年纪，Whitfield Diffie 对个人隐私也已经很感兴趣，同样强烈的是，他对解决以数学为核心的技术性问题也满怀热情。因此，他顺理成章地提议建立一套精密的麻省理工学院多用户电脑系统，开始面对这样一个难题：如何让记录个人工作、有时甚至是个人私密的系统真正安全。要解决这个问题，如果用传统的由上至下方式，应该用用户的密码保护文件，然后由可信的系统管理员存入电子保险库，但这种方法的效果并不令人满意。系统的弱点是显而易见的：用户的隐私有多安全，完全取决于管理员有多大的意愿去保护它。 Whitfield Diffie 不留情面又一阵见血地指出：

“你本来可能已经设了文件保护，但如果系统管理者收到一张传票，那对你没有任何好处。管理员们会出卖你，因为他们没有兴趣冒坐牢的险。”

Whitfield Diffie 认识到，真正的解决方案就在去中心化的系统里，在这种系统，人人都有一把保护个人隐私的钥匙。他试图激发大家的兴趣，吸引人攻克发明这样一种系统的数学挑战，但没有谁愿意迎难而上。直到上世纪七十年代，一些人开始运行当今互联网的前身 APRAnet，他们在为这个网络的成员探寻安全的选择方法，在这种背景下，Whitfield Diffie 决定自己担负起这个重任。那时他在斯坦福大学工作，迷上了密码学专家 David Kahn 在 1967 年出版的作品《破译者》。这部作品清晰又详尽地介绍了密码学的发展史，侧重讲述了而是世纪美国的军方活动，包括美国国家安全局的工作。

Whitfield Diffie 回忆道：“它让一些沉寂的人挺身而出，我当然就是其中一员，我（读《破译者》）可能比其他所有人读得都仔细。到 1973 年末，我满脑子想的都是这个，没有别的。”

他开始了一段周游世界的旅程，计划在一路搜集相关的信息。获得信息是一项艰难的工作，因为几乎所有现代密码学的消息都被归为一类，只有美国国家安全局这类机构和相关科研工作者才能获取。Whitfield Diffie 的旅途最远抵达了美国东海岸，在那里逗留期间，他邂逅了一位女士，最后成为了他的新娘。他带着未婚妻回到斯坦福大学，在那里掀起了密码学的一场革命。

具体而言，在 Whitfield Diffe 开创新系统以前，密码学原有系统的问题是，设为安全保护的信息要通过不安全的渠道传送。换句话说，讯息可能在接收者收到以前就被破译了。保护信息安全的传统做法是，用一把“钥匙”给原始讯息的“原文”加密。这把要是会改变原讯息的所有字母，这样一来，试图读取讯息的人看到的只会是不可理解的“密文”。转换为密文的讯息抵达目的地后，接收者会用同一把“钥匙”解开代码，将它再次破译为原文。这套机制的难点在于，要把“钥匙”从一方传递给另一方，如果传送“钥匙”的渠道不安全，谁能阻止外人破解密码，利用它解开此后一切相关的加密讯息？

倘若有人想大规模加密讯息，那么这个问题就更麻烦了。唯一的办法只有设计一些数据仓库、或者说数字资源库，把“钥匙”都存在这种地方。而在 Whitfield Diffie 看来，这样的系统本身就很糟糕，因为你最终不得不信赖那个管理仓库的人。这种想法其实否定了加密学的核心理念：通过自己的交流掌握所有的隐私。

Whitfield Diffie 还预见到，未来人们不但会以电子方式沟通，还会以这种方式做生意，届时将需要电子形式的合同和公证文书。那么，要怎样不但让签名留在纸上，还能轻易以电子形式复制，实现所谓“电子签名”？

1975 年 5 月，在斯坦福计算机科学家 Martin Hellman 配合下，Whitfield Diffie 解决了以上两个问题。他提出的方案被称为公钥加密。这是一种高明的对策，它让系统内的所有用户每人拥有两把钥匙，一把是公钥，另一把是私钥。公钥可以广泛传播，同时不会降低安全性。但私钥比用户的 ATM 自动取款密码还要私密，用户不能让其他任何人获得。基于一些对普通人来说比较难以理解的数学原理，如果一条讯息既可以用公钥加密，它就可以用私钥解密。比如我想发给你一封保密的信函，我得到你的许可，用你的公钥给它加了密，发给你密文，你就可以用你的私钥解密。同样地，假如你要传给我一条讯息，你也可以用我的公钥加密，我用我的私钥就可以把密文转换为原文。

这一规则也适用于验证身份。这世界上只有一个人能用我的私钥给原文加密，那个人就是我。如果你能用我的公钥解密一条讯息，毫无疑问，那条讯息必须得是从我的机子上发给你的。这条讯息实质上带有我的数字签名。

用 David Kahn 的话说，公钥加密不仅是“文艺复兴时期以来最具革命性的新理念”，也是完全在政府统辖之外诞生的成果，它完全出于一位隐私的狂热爱好者之手。1975 年末，当 Whitfield Diffie 和 Martin Hellman 开始把他们的方案电子刊前版本广泛传播时，密码学的学术界掀起了一场独立运动。一批新生代密码学专家此前读过 David Kahn 的作品，更重要的是，他们认识到，电脑加速得到应用意味着，密码学领域会迎来高速发展。这个研究群体很快开始定期开会，最终刊发了自己的科研期刊。

到 1977 年，这个新群体的三名成员发明了一套新算法，用来执行 Diffie-Hellman 方案。作为这个 RSA 加密演算法的发明者，三位麻省理工学院科学家 Rivest、Shamir 和 Adleman 提供了一种可能比政府批准的不适用公钥方法――数据加密标准（DES）更强大的加密方式。基于密钥的加密系统能力如何主要取决于密钥的大小，换言之，钥匙由有多少位数的信息构成。钥匙越大，这种系统设置的密码就越难破译。IBM 旗下研究实验室设计的 DES 只能将钥匙最大设为 56 位。而 RSA 算法的密钥大小可以任意设置（为此付出的代价是，密钥越大越难控制，而且RSA运行的速度也 DES 慢得多。）但 DES 还有一个外界添加的负担。当时流传一条消息，称美国国家安全局强迫 IBM 故意削弱这个系统的加密能力，让政府可能破解 DES 加密的讯息，而 RSA 算法就没有这种污点。（美国国家安全局已经否认了这一传闻。）

抛开流言不论，RSA 算法实质上是一种运行公钥的系统，因此它不存在此前所有系统的致命缺陷：需要安全交换私钥。因此，它可以灵活用于满足未来大批量的加密需求。三名科学家最终获得了新算法的专利，并将它授权给一家名为 RSA Data Security 的公司使用。该公司的宗旨是打造保护隐私和验证身份的工具。

作为公钥专利的所有者，RSA Data Security 公司拥有理想的条件，将保护隐私和验证身份的设备出售给其他企业。包括苹果、微软、WordPerfect、Novell 和 AT&T 在内的一些公司购买它的产品，计划将 RSA 软件与公司自身的系统结合。RSA Data Security 公司总裁 Jim Bidzos 本人并不是密码学专家，可他很善于表达隐私的需求。他将自己的形象塑造成美国国家安全局的敌人，同时也是反抗政府对该公司产品出售限制的斗士。他甚至还含糊地暗示，美国国家安全局利用一些秘密渠道妨碍自己公司的产品流通。

不过，很多保护隐私的活跃人士对 Bidzos 和他的公司保持警惕，其中包括个人电脑业的先驱 Jim Warren。在 1991 年主持首届“电脑、自由和隐私大会”时，Jim Warren 就曾对一家公司掌握公钥加密这种理论影响广泛的国内专利表示不满。还有些人甚至担心，即使是 RSA Data Security 这样受到业内尊敬的公司，未来也无法成功抵制一切政府的压力，将被迫限制所售加密产品的能力。

在密码朋克的眼中，密码学太过重要，不能任由它落到政府手中，哪怕是出于善意利用的企业也不行。为了保证大众都可以获得隐私工具，需要采取个人英雄主义行动。谈到这里，有必要介绍大家了解一下 Phil Zimmermann。

一场“漂亮”的加密革命

Phil Zimmermann 是一位美国政治活跃分子，他参加反核武器，两次因此受到监禁。 一直以来，他都担任政治候选人的军事政策分析师。不过，他的专长一直在计算机领域，而且也一直着迷于密码学。之前，他是一个有着拯救世界梦想的程序员。他一直苦苦思索，程序员如何才能拯救世界呢? 当他第一次听说公钥密码时，他灵机一闪， 为什么不使用 RSA 算法在个人计算机上实现公钥系统？

1977 年左右，Phil Zimmermann 提出了这个问题，但直到 1984 年才开始认真回答这个问题。在思考问题的过程中，他越来越觉得密码和隐私保护异常重要。正如他后来在产品文档中写道：

“你可能正在计划政治竞选，讨论税收提案，或表达你对于非法行为的看法。又或者，你可能正在做一些自己觉得不应该违法，实际已经违法的事情。但是，无论是什么，你都不希望其他人阅读您的私人电子邮件或机密文件。维护隐私并没有错，就像维护宪法一样。”

我们想象一下，如果世界上的每个人都相信遵纪守法的公民应该使用明信片来邮寄信件。这时，如果一些勇敢的人试图通过使用信封来保密他的隐私，那就会引起怀疑。也许当局会打开他的邮件，看看他藏匿的是什么。幸运的是，我们并没有生活在这样的世界中，因为每个人都用信封保护他们的大部分邮件。所以没有人通过用信封宣称他们的隐私而引起怀疑。数字安全也一样，如果所有人都经常使用加密来处理他们所有的电子邮件，每一个人都保护隐私，那么无论他们是否是无辜的，都不会引起怀疑。其实，这种状况非常好，非常利于团结。

如果隐私是非法的，那么只有不法分子才拥有隐私权。情报机构可以使用良好的加密技术，大武器拥有者和贩毒者也是如此。但普通民众和基层政治组织大多没有获得负担得起的军用级公钥加密技术，直到现在也一样。

This is part 1 of a series of posts on my experience trying to build a object detection setup for my home security cameras. Here I'm going over some preliminary results and talking about the history to this point. I plan to graph my results and look at what I have in future posts.

Deep Learning is all the rage these days. I get it, the idea of letting a computer extract out features and find things is amazing. I love it. In fact while, working on my Masters at Georgia Tech I took any Machine Learning class I could get my hands on and the Reinforcement Learning course that was also offered. They were AWESOME and they really opened my eyes to how a lot of this stuff worked.

A few months back I started with using darknet and the tiny YOLO approach. I setup an RTSP server on my raspberry pi in python to pull images and wanted to see how it did, I experimented on a few images, but to my surprise, (although in retrospect, unsurprisingly) it failed.... pretty bad. The first attempt it actually saw the car on the side of my yard, which was utterly amazing. I ran it again mere minutes later and it never saw the car again... after multiple attempts. Of course this was all running quite slow, if I recall on the order of 60 seconds per image. I decided that as long as there was some kind of "motion" that zoneminder detected then I could have it process on that. I was slightly less concerned about realtime than I was about just simply notifying me at some point in the future if something odd was going on.

I decided that over the holiday break I would try to work on this detector more. I started downloading all my camera data (which is really not all that old), and it turned out I had about 65GB of image data from motion captures using zoneminder. First off, sharing that is difficult if I wanted to with anyone to work on this, so I am working on pairing it down, it is at least broken down by camera, so I should be able to divy it up that way.

I decided to try out using the image recognition to even detect anything out of these images as a first pass. I got everything setup and used https://www.tensorflow.org/tutorials/images/image_recognition

I modified it to run through an entire folder, it then spits out 3 different files. First is a mapping of image -> human string, score and index. The index is used for looking up the human string in the mapping. The second file is a listing of the index with all images which had that index (didn't matter the score as long as it was in the top 5). Finally, I output the index to human string mapping, so I could easily look things up. The files are named image_filtering_analysis, image_filter_mapping, and image_filtering_by_class. I opened up the image_filtering_by_class and looked up the first thing I saw, which was 160. This translated to "wire-haired fox terrier". This was a view of my driveway and I thought....well I mean I suppose that might be possible.

Ok so first one is not very awesome. Though to be really fair, I looked up the confidence score and that one got 0.016631886. Interestingly these were the top 5 scores.

submarine, pigboat, sub, U-boat, 0.27390754 patio, terrace, 0.064846955 steam locomotive, 0.040173832 fountain, 0.023076175 wire-haired fox terrier, 0.016631886

I looked up what some of the labels were in the dataset they used. I didn't see any just plain "car" labels. This is just odd to me. I will likely have to re-train on my data, but for now I need to figure out a way to find common features.

So of course improvements could be to require the scoring to at least reach some threshold, so suppose we set it to 50%, this would prevent seeing that particular failure. Searching through my data (which by the way hasn't finished running). It found another version of the same image above but called it a patio, terrace with over a 90% confidence. In fact the image with the highest confidence was also labeled a patio, terrace . Here it is.

I can only speculate that the poor pixelated images on the left is well me, looking at it closely it sort of looks like a body. It's in the images for a few frames and it appears there are arms. I am pretty sure I was bringing a package in that day.

I wonder if someone could (maybe me ;)) build a form of a feature detector much like is used in CV, but instead of being trained to a specific task, it's generic. This might enable a way to group common features across images and make creating a supervised dataset easier.

I'll post more interesting ones as I come across them. I think at this point most of my image recognition's are at night and will eventually hit daytime which I think will show some even more humorous results.

For now, it's suffice to say. This detection is not doing well. I wanted to at least run this with the hopes that it would find cars or other things for building up a supervised set, however I don't think that's going to happen.

An Active Directory forest (AD forest) is the top most logical container in anActive Directory configuration that contains domains, users, computers, and group policies.

“But wait?” you say. “I thought Active Directory was just one domain?”

A single Active Directory configuration can contain more than one domain, and we call the tier above domain the AD forest. Under each domain, you can have several trees, and it can be tough to see the forest for the trees

This additional top-level layer creates security challenges and increased potential for exploitation, but it can also mean greater isolation and autonomy when necessary: the trick is to understand AD forests and different strategies to protect them .

Say you want to create a forest, or (and more likely) you have inherited a forest that you need to clean up. It’s common to see several different domains andGPOs in one or more forests that try to coexist due to earlier attempts at consolidation or acquisition.

First, determine if there are any organizational requirements that require a completely separate set of security policies. Frame the conversation with a focus on data security:

Once you have the “autonomy and isolation” requirements documented, the design team can build the forest, domains, and GPOs according to each team or organization’s needs.

In some cases, it might be necessary to create separate AD forests based on the autonomy or isolation requirements. Adding additional forests multiplies the complexity to manage the AD schema. There are some considerations to make if you decide to add another forest to your AD schema:

A single AD forest is a simpler solution long-term and generally considered best practice. It’s possible to create a secure environment without the additional overhead of a 2nd AD forest with multiple domains by leveraging GPOs, established data owners, and a least privilege model.

Multi-forests do provide an extra layer of security across the two domains, but at a significant increase to IT cost. Multi-forests do not make you more secure by default. You still need toconfigure GPOs and permissions appropriately for each AD forest.

There are three primary ways to design an AD forest: you can mix and match those designs to meet your organization’s security needs. Every Active Directory has at least one AD forest, and there are cases where multiple AD forests are required to meet business and security objectives. Here are a few different Forest Models. Each model has different advantages and disadvantage, and unique use cases.

In an organizational forest, user accounts and resources are stored and managed together. This is the standard configuration.

A resource forest separates user accounts and resources into different forests. You would use this configuration to separate a manufacturing system or mission-critical system from the primary forest, so any problems with one forest allow the other to continue operation.

A restricted access forest totally isolates the users and resources in it from other forests. You would use this configuration to completely secure data and limit users to specific datasets.

AD forests have been around since 2000, so there are many different theories about the best way to configure Active Directory and forests. Current best practices include:

If Active Directory holds the keys to the kingdom, the AD forest is the keyring for some of those keys: it’s important not only to secure Active Directory , but to understand how to configure and manage the AD forest in order to prevent data breaches and reduce security vulnerabilities.

How is Diffie-Hellman Key Exchange Different than RSA?

kdobieski

Fri, 12/21/2018 10:37

Diffie-Hellman key exchange , also called exponential key exchange, is a method of digital encryption that uses numbers raised to specific powers to produce decryption keys on the basis of components that are never directly transmitted, making the task of an intended code breaker mathematically overwhelming. Diffie Hellman key exchange establishes a shared secret between two parties that can be used for secret communication for exchanging data over a public network and actually uses public key techniques to allow the exchange of a private encryption key.

In order to simplify the explanation of how the algorithm works, we will use small positive integers. In reality, the algorithm uses large numbers. In addition, you may find fairly easy explanations on Wikipedia and Khan Academy .

Communicating in the clear, Alice and Bob agree on two positive integers, a prime number, and a generator. A generator is a number that, when raised to positive whole-number powers less than the prime number, never produces the same result for any two such whole numbers. Let us assume that Alice will use the prime number 17 and Bob the generator 3. Then Alice selects a private random number, say 15, and calculates 3 15 mod17 which equals 6 and sends the result publicly to Bob. Then Bob selects his private random number, say 13, calculates 3 13 mod17 and sends the result (which is 12) publicly to Alice. The heart of the trick is the following computation. Alice takes Bob’s public result (=12) and calculates 12 15 mod17 . The result (=10) is their shared secret key. On the other hand, Bob takes Alice’s public result (=6) and calculates 6 13 mod17 which results again to the same shared secret. Now Alice and Bob can communicate using the symmetric algorithm of their choice and the shared secret key, which was never transmitted over the insecure circuit.

If a third party was listening to the exchange, it would be computationally difficult for this party to determine the secret key. In fact, when using large numbers, this action is computationally expensive for modern supercomputers to do in a reasonable amount of time.

RSA is a cryptosystem for public-key encryption and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet. RSA was first described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology. Public-key cryptography, also known as asymmetric cryptography, uses two different but mathematically linked keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. In RSA cryptography, both the public and the private keys can encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt it. This attribute is one reason why RSA has become the most widely used asymmetric algorithm: It provides a method of assuring the confidentiality, integrity, authenticity, and non-reputability of electronic communications and data storage.

RSA derives its security from the difficulty of factoring large integers that are the product of two large prime numbers. Multiplying these two numbers is easy, but determining the original prime numbers from the total, that’s factoring, is considered infeasible due to the time it would take even using today’s super computers. The RSA algorithm involves four steps : key generation, key distribution, encryption, and decryption. The public and the private key-generation algorithm is the most complex part of RSA cryptography and falls beyond the scope of this post. You may find an example on Tech Target .

Both RSA and Diffie-Hellman are public key encryption algorithms strong enough for commercial purposes because they are both based on supposedly intractable problems, the difficulty of factoring large numbers and exponentiation and modular arithmetic respectively. The minimum recommended key length for encryption systems is 128 bits, and both exceed that with their 1,024-bit keys. Both have been subjected to scrutiny by mathematicians and cryptographers, but given correct implementation, neither is significantly less secure than the other.

The nature of the Diffie-Hellman key exchange, however, makes it susceptible to man-in-the-middle (MITM) attacks, since it doesn’t authenticate either party involved in the exchange. The MITM maneuver can also create a key pair and spoof messages between the two parties, who think they’re both communicating with each other. This is why Diffie-Hellman is used in combination with an additional authentication method, generally digital signatures.

Unlike Diffie-Hellman, the RSA algorithm can be used for signing digital signatures as well as symmetric key exchange, but it does require the exchange of a public key beforehand. However, recent research has demonstrated that even 2048-bits long RSA keys can be effectively downgraded via either man-in-yhe-browser or padding oracle attacks. The report suggests that the safest countermeasure is to deprecate the RSA key exchange and switch to (Elliptic Curve) Diffie-Hellman key exchanges.

Which one is the best? That’s a difficult question to answer and there has been a great discussion on various forums . So, the answer as usual is “it depends”. You will usually prefer RSA over Diffie-Hellman, or Diffie-Hellman over RSA, based on interoperability constraints and depending on the context. Performance rarely matters and as for security, from a high-level view, a 1024-bit Diffie-Hellman key is as robust against cryptanalysis as a 1024-bit RSA key. The choice is up to you.

Guest Blogger: Anastasios Arampatzis

Encryption should not be seen as the ultimate answer to any information security problem but only as one part of the security equation. This concept should always be considered when choosing a public key algorithm. Before delving into any encryption project, however, perform a thorough risk analysis of your data and systems to determine what you need. Obviously, high-risk data, such as sensitive customer data, needs better encryption than marketing plans, which would have a much lower impact on the business if divulged.

Second, in terms of performance, a thorough analysis of your network architecture and the traffic load it can bear will help decide which encryption route to choose. In general, public key encryption, or asymmetric encryption, is about 10,000 times slower than private key encryption. This is because of asymmetric encryption’s creation and exchange of the two keys versus the single one in private or symmetric encryption.

The Diffie-Hellman Key Exchange and RSA (named after its inventors Rivest Shamir Adleman) are two of the most popular encryption algorithms. How are they different from each other? Which one should an organization use? In order to provide an answer, let us examine concisely both.

Download our Dummies Guide.

Explore now.

Recent Articles By Author

Australia’s New Encryption Laws Are Disappointing Let’s Talk about Murphy’s Law for SSL/TLS x.509 Certificate Outages How Does Elliptic Curve Cryptography Work? More from kdobieski

*** This is a Security Bloggers Network syndicated blog from Rss blog authored bykdobieski. Read the original post at: https://www.venafi.com/blog/how-diffie-hellman-key-exchange-different-rsa

1、本月利用肉鸡发起DDoS攻击的控制端中，境外控制端最多位于美国；境内控制端最多位于江苏省，其次是贵州省、广东省和浙江省，按归属运营商统计，电信占的比例最大。

2、本月参与攻击较多的肉鸡地址主要位于江苏省、广东省、山东省和福建省，其中大量肉鸡地址归属于电信运营商。2018年以来监测到的持续活跃的肉鸡资源中，位于山东省、福建省、江苏省占的比例最大。

3、本月被利用发起Memcached反射攻击境内反射服务器数量按省份统计排名前三名的省份是河南省、山东省和广东省；数量最多的归属运营商是电信。被利用发起NTP反射攻击的境内反射服务器数量按省份统计排名前三名的省份是河南省、河北省和山东省；数量最多的归属运营商是联通。被利用发起SSDP反射攻击的境内反射服务器数量按省份统计排名前三名的省份是辽宁省、浙江省和吉林省；数量最多的归属运营商是联通。

4、本月转发伪造跨域攻击流量的路由器中，归属于北京市的路由器参与的攻击事件数量最多，2018年以来被持续利用的跨域伪造流量来源路由器中，归属于北京市、江苏省和上海市路由器数量最多。

5、本月转发伪造本地攻击流量的路由器中，归属于吉林省联通的路由器参与的攻击事件数量最多，2018年以来被持续利用的本地伪造流量来源路由器中，归属于河南省、北京市、广东省和山东省路由器数量最多。

本报告为2018年11月份的DDoS攻击资源月度分析报告。围绕互联网环境威胁治理问题，基于CNCERT监测的DDoS攻击事件数据进行抽样分析，重点对“DDoS攻击是从哪些网络资源上发起的”这个问题进行分析。主要分析的攻击资源包括：

1、控制端资源，指用来控制大量的僵尸主机节点向攻击目标发起DDoS攻击的木马或僵尸网络控制端。

2、肉鸡资源，指被控制端利用，向攻击目标发起DDoS攻击的僵尸主机节点。

3、反射服务器资源，指能够被黑客利用发起反射攻击的服务器、主机等设施，它们提供的网络服务中，如果存在某些网络服务，不需要进行认证并且具有放大效果，又在互联网上大量部署（如DNS服务器，NTP服务器等），它们就可能成为被利用发起DDoS攻击的网络资源。

4、跨域伪造流量来源路由器，是指转发了大量任意伪造IP攻击流量的路由器。由于我国要求运营商在接入网上进行源地址验证，因此跨域伪造流量的存在，说明该路由器或其下路由器的源地址验证配置可能存在缺陷，且该路由器下的网络中存在发动DDoS攻击的设备。

5、本地伪造流量来源路由器，是指转发了大量伪造本区域IP攻击流量的路由器。说明该路由器下的网络中存在发动DDoS攻击的设备。

在本报告中，一次DDoS攻击事件是指在经验攻击周期内，不同的攻击资源针对固定目标的单个DDoS攻击，攻击周期时长不超过24小时。如果相同的攻击目标被相同的攻击资源所攻击，但间隔为24小时或更多，则该事件被认为是两次攻击。此外，DDoS攻击资源及攻击目标地址均指其IP地址，它们的地理位置由它的IP地址定位得到。

根据CNCERT抽样监测数据，2018年11月，利用肉鸡发起DDoS攻击的控制端有239个，其中，37个控制端位于我国境内，202个控制端位于境外。

位于境外的控制端按国家或地区分布，美国占的比例最大，占42.6%，其次是法国和中国香港，如图1所示。

图1 本月发起DDoS攻击的境外控制端数量按国家或地区分布

位于境内的控制端按省份统计，江苏省占的比例最大，占35.1%，其次是贵州省、广东省和浙江省；按运营商统计，电信占的比例最大，占67.6%，联通占13.5%，移动占2.7%，如图2所示。

图2 本月发起DDoS攻击的境内控制端数量按省份和运营商分布

本月发起攻击最多的境内控制端前二十名及归属如表1所示，位于贵州省的数量最多。

表1 本月发起攻击最多的境内控制端TOP20

2018年1月至今监测到的控制端中，4.3%的控制端在本月仍处于活跃状态，共计76个，其中位于我国境内的控制端数量为10个，位于贵州省的数量最多；位于境外的控制端数量为56个。持续活跃的境内控制端及归属如表2所示。

表2 2018年以来持续活跃发起DDOS攻击的境内控制端

根据CNCERT抽样监测数据，2018年11月，共有317,219个肉鸡地址参与真实地址攻击（包含真实地址攻击与其它攻击的混合攻击）。

这些肉鸡资源按省份统计，江苏省占的比例最大，为17.0%，其次是广东省、山东省和福建省；按运营商统计，电信占的比例最大，为77.2%，联通占19.6%，移动占2.0%，如图3所示。

图3 本月肉鸡地址数量按省份和运营商分布

本月参与攻击最多的肉鸡地址前二十名及归属如表3所示，位于山东省的地址最多。

表3 本月参与攻击最多的肉鸡地址TOP20

2018年1月至今监测到的肉鸡资源中，共计58,847个肉鸡在本月仍处于活跃状态，其中位于我国境内的肉鸡数量为54,715个，位于境外的肉鸡数量为4,132个。2018年1月至今被利用发起DDoS攻击最多的肉鸡TOP20及归属如表4所示。

表4 2018年以来被利用发起DDoS攻击数量排名TOP20,且在本月持续活跃的肉鸡地址

2018年1月至今持续活跃的境内肉鸡资源按省份统计，山东省占的比例最大，占20.6%，其次是福建省、江苏省和广东省；按运营商统计，电信占的比例最大，占79.6%，联通占13.4%，移动占2.8%，如图4所示。

图4 2018年以来持续活跃的肉鸡数量按省份和运营商分布

根据CNCERT抽样监测数据，2018年11月，利用反射服务器发起的三类重点反射攻击共涉及3,016,768台反射服务器，其中境内反射服务器1,843,949台，境外反射服务器1,172,819台。反射攻击所利用Memcached反射服务器发起反射攻击的反射服务器有11,912台，占比0.4%，其中境内反射服务器8,354台，境外反射服务器3,558台；利用NTP反射发起反射攻击的反射服务器有1,032,106台，占比34.2%，其中境内反射服务器554,981台，境外反射服务器477,125台；利用SSDP反射发起反射攻击的反射服务器有1,972,750台，占比65.4%，其中境内反射服务器1,280,614台，境外反射服务器692,136台。

Memcached反射攻击利用了在互联网上暴露的大批量Memcached服务器（一种分布式缓存系统）存在的认证和设计缺陷，攻击者通过向Memcached服务器IP地址的默认端口11211发送伪造受害者IP地址的特定指令UDP数据包，使Memcached服务器向受害者IP地址返回比请求数据包大数倍的数据，从而进行反射攻击。

根据CNCERT抽样监测数据，2018年11月，利用Memcached服务器实施反射攻击的事件共涉及境内8,354台反射服务器，境外3,558台反射服务器，数量较上月有所下降。

本月境内反射服务器数量按省份统计，河南省占的比例最大，占27.9%，其次是山东省、广东省和浙江省；按归属运营商或云服务商统计，电信占的比例最大，占45.7%，联通占比18.6%，移动占比18.0%，阿里云占比9.1%，如图5所示。

图5 本月境内Memcached反射服务器数量按省份、运营商或云服务商分布

本月境外反射服务器数量按国家或地区统计，美国占的比例最大，占24.6%，其次是俄罗斯、法国和中国香港，如图6所示。

图6 本月境外反射服务器数量按国家或地区分布

本月被利用发起Memcached反射攻击的境内反射服务器按被利用发起攻击数量排名TOP30的反射服务器及归属如表5所示，位于北京市的地址最多。

表5 本月境内被利用发起Memcached反射攻击事件数量中排名TOP30的反射服务器

近两月被利用发起攻击的Memcached反射服务器中，共计3,847个在本月仍处于活跃状态。近两月被持续利用发起攻击的Memcached反射服务器按省份统计，广东省占的比例最大，占16.8%，其次是浙江省、北京市、山东省和河南省；按运营商或云服务统计，电信占的比例最大，占25.9%，阿里云占22.7%，移动占20.3%，联通占18.1%，如图7所示。

图7 近两月被持续利用发起攻击的Memcached反射服务器数量按省份运营商或云服务商分布

NTP反射攻击利用了NTP（一种通过互联网服务于计算机时钟同步的协议）服务器存在的协议脆弱性，攻击者通过向NTP服务器IP地址的默认端口123发送伪造受害者IP地址的Monlist指令数据包，使NTP服务器向受害者IP地址反射返回比原始数据包大数倍的数据，从而进行反射攻击。

根据CNCERT抽样监测数据，2018年11月，NTP反射攻击事件共涉及我国境内554,981台反射服务器，境外477,125台反射服务器。

本月被利用发起NTP反射攻击的境内反射服务器数量按省份统计，河南省占的比例最大，占18.2%，其次是河北省、山东省和湖北省；按归属运营商统计，联通占的比例最大，占41.0%，移动占比34.8%，电信占比23.8%，如图8所示。

图8 本月被利用发起NTP反射攻击的境内反射服务器数量按省份和运营商分布

本月被利用发起NTP反射攻击的境外反射服务器数量按国家或地区统计，越南占的比例最大，占61.8%，其次是澳大利亚、巴西和美国，如图9所示。

图9 本月被利用发起NTP反射攻击的境外反射服务器数量按国家或地区分布

本月被利用发起NTP反射攻击的境内反射服务器按被利用发起攻击数量排名TOP30及归属如表6所示，位于山西省的地址最多。

表6 本月境内被利用发起NTP反射攻击的反射服务器按涉事件数量TOP30

近两月被持续利用发起攻击的NTP反射服务器中，共计271,947个在本月仍处于活跃状态，其中175,108个位于境内，96,839个位于境外。持续活跃的NTP反射服务器按省份统计，河北省占的比例最大，占24.6%，其次是湖北省、山东省和河南省；按运营商统计，联通占的比例最大，占44.1%，移动占34.5%，电信占20.9%，如图10所示。

图10 近两月被持续利用发起攻击的NTP反射服务器数量按省份运营商分布

SSDP反射攻击利用了SSDP（一种应用层协议，是构成通用即插即用(UPnP)技术的核心协议之一）服务器存在的协议脆弱性，攻击者通过向SSDP服务器IP地址的默认端口1900发送伪造受害者IP地址的查询请求，使SSDP服务器向受害者IP地址反射返回比原始数据包大数倍的应答数据包，从而进行反射攻击。

根据CNCERT抽样监测数据，2018年11月，SSDP反射攻击事件共涉及境内1,280,614台反射服务器，境外692,136台反射服务器。

本月被利用发起SSDP反射攻击的境内反射服务器数量按省份统计，辽宁省占的比例最大，占21.8%，其次是浙江省、吉林省和广东省；按归属运营商统计，联通占的比例最大，占61.7%，电信占比36.5%，移动占比1.5%，如图11所示。

图11 本月被利用发起SSDP反射攻击的境内反射服务器数量按省份和运营商分布

本月被利用发起SSDP反射攻击的境外反射服务器数量按国家或地区统计，俄罗斯占的比例最大，占22.4%，其次是中国台湾、意大利和美国，如图12所示。

图12 本月被利用发起SSDP反射攻击的境外反射服务器数量按国家或地区或地区分布

本月被利用发起SSDP反射攻击的境内反射服务器按被利用发起攻击数量排名TOP30的反射服务器及归属如表7所示，位于上海市的地址最多。

表7 本月境内被利用发起SSDP反射攻击事件数量中排名TOP30的反射服务器

近两月被持续利用发起攻击的SSDP反射服务器中，共计350,918个在本月仍处于活跃状态，其中343,363个位于境内，7,555个位于境外。近两月持续活跃的参与大量攻击事件的SSDP反射服务器按省份统计，河北省占的比例最大，占16.2%，其次是辽宁省、山东省和湖北省；按运营商统计，联通占的比例最大，占52.1%，电信占27.8%，移动占19.5%，如图13所示。

图13 近两月被持续利用发起攻击的SSDP反射服务器数量按省份运营商分布

1. 跨域伪造流量来源路由器

根据CNCERT抽样监测数据，2018年11月，通过跨域伪造流量发起攻击的流量来源于113个路由器。根据参与攻击事件的数量统计，归属于北京市的路由器（222.X.X.201、222.X.X.200、150.X.X.1、150.X.X.2、222.X.X.200）参与的攻击事件数量最多，其次是归属于内蒙古自治区联通（110.X.X.2）的路由器，如表8所示。

表8 本月参与攻击最多的跨域伪造流量来源路由器TOP25

跨域伪造流量涉及路由器按省份分布统计，北京市占的比例最大，占33.6%，其次是江苏省和上海市；按路由器所属运营商统计，电信占的比例最大，占27.5%，联通占比18.3%，移动占比16.7%，如图14所示。

图14 跨域伪造流量来源路由器数量按省份和运营商分布

2018年度被持续利用转发DDoS攻击的跨域伪造流量来源路由器中，监测发现有91个在本月仍活跃，存活率为18.8%。按省份分布统计，北京市占的比例最大，占38.5%，其次是江苏省和上海市；按路由器所属运营商统计，电信占的比例最大，占24.7%，移动占比17.5%，联通占比15.5%，如图15所示。

图15 2018年被持续利用转发跨域伪造攻击流量本月仍活跃路由器数量按省份和运营商分布

2. 本地伪造流量来源路由器

根据CNCERT抽样监测数据，2018年11月，通过本地伪造流量发起攻击的流量来源于206个路由器。根据参与攻击事件的数量统计，归属于吉林省联通的路由器（222.X.X.3、222.X.X.2、222.X.X.4、222.X.X.1）参与的攻击事件数量最多，其次是归属于北京市电信的路由器（220.X.X.243），如表9所示。

表9 本月参与攻击最多的本地伪造流量来源路由器TOP25

本月本地伪造流量涉及路由器按省份分布，河南省占的比例最大，占11.7%，其次是北京市、广东省和山东省；按路由器所属运营商统计，电信占的比例最大，占51.9%，联通占比22.0%，移动占比14.5%，如图16所示。

图16 本地伪造流量来源路由器数量按省份和运营商分布

2018年被持续利用转发本地伪造流量DDoS攻击的路由器中，监测发现有186个在本月仍活跃，存活率为20.9%。按省份统计，河南省占的比例最大，占10.8%，其次是北京市、广东省和浙江省；按路由器所属运营商统计，电信占的比例最大，占52.6%，联通占比19.1%，移动占比16.0%，如图17所示。

图17 2018年被持续利用且本月仍活跃的本地伪造流量来源路由器数量按省份运营商分布

下载完整报告：http://www.cert.org.cn/publish/main/upload/File/201811DDoS.pdf

声明：本文来自国家互联网应急中心CNCERT，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如需转载，请联系原作者获取授权。

These days, security has to speak the language of business. These KPIs will get you started.

1 of 8

(Image: Moritz320 )

Peter Drucker, aka the founder of modern management, is credited with writing, "If you can't measure it, you can't improve it." Over time, that has been broadened to, "If you can't measure it, you can't manage it," a statement that is taken as holy writ for most modern executives.

Indeed, business in the 21st century is all about metrics. Cybersecurity has plenty, measuring everything from port probes to login attempts. It's expected that cybersecurity managers will have a good handle on all of these metrics and know what they're saying about their organizations. But in today's business organization, these security metrics aren't enough.

In order to protect the business, security has to speak the language of business. The last decade has seen a growing, if sometimes grudging, acknowledgment of this by security professionals. The question for many security pros is, "Which business metrics should I know?"

Each organization may have its own unique key performance indicators (KPIs) to take into consideration. But certain metrics matter regardless of the particular business. To cover all of them is the subject of an MBA, but we've put together a list that includes some basics, some that might escape first notice, and some that have a particular interest from a security perspective.

In each case, these are metrics that cybersecurity pros should understand and pay attention to. Do you use them in your security practice? What other metrics do you think should be on this list? Let us know in the comments.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...View Full Bio

1 of 8

Is there a serverless identity security solution worth considering? As more IT management tools move to the cloud, IT admins are searching for innovative IAM solutions to help protect their organizations by securing identities. Identity breaches represent the number one way that organizations are hacked, in fact, 81% of breaches relating to hacks are the result of stolen or weak passwords. With a figure as such in tow, it makes sense that IT admins are searching for new identity security solutions.

Today’s IT network is diverse and all over the world from a wide range of providers. Data centers have been replaced by AWS . G Suite and Office 365 replaced Exchange. Windows systems, too, have been replaced by Macs and open source linux machines. Controlling access to all of these disparate IT resources is not an easy task. And with traditional identity providers, like Microsoft Active Directory , the implementation time to get these resources to cooperate is burdensome. As a result, a tremendous surface for potential identity breaches exists due to these new resources.

The outcome of all this change is that IT admins are searching for new approaches to protecting identities . Thus, bringing us back to the idea of serverless identity security. The good news is that a new generation of cloud identity management solution is emerging to help IT organizations with this initiative. Because it is delivered from the cloud, there is no need for on-prem server configuration, maintenance, and securing, which frees IT admins to work on implementing new initiatives or higher-value tasks.

Called Directory-as-a-Service (DaaS), this cloud identity provider (Read more...)

病毒与为其提供生存环境的宿主（细菌）之间，总是上演着“猫捉老鼠”的游戏。一旦发现病毒的踪迹，宿主的免疫系统就会启动，誓要将它们赶尽杀绝。 对此，病毒也绝不会束手待毙。最新研究显示，通过监视宿主行为，有些病毒可交换信息，等待时机，然后协调行动。

图：普林斯顿大学生物学家邦妮巴斯勒（Bonnie Bassler）与学生贾斯汀西尔普（Justin Silpe）发现，有些病毒可监视宿主行为，并协调发动攻击

当细菌之间进行交流时，邦妮巴斯勒（Bonnie Bassler）会仔细倾听。她只是从来没有想到，病毒也在监视其宿主的行为。自上世纪90年代以来，这位普林斯顿大学生物学家一直在研究称为“群体感应”（quorum sensing）的现象。在这种情况下，细菌会释放出分子，表明周围有多少同类。通过这些信息，它们可以协调自己的行为，等到数量积累到足够多的时候，才会采取某些集体行动，如发动传染性攻击。

巴斯勒的学生贾斯汀西尔普（Justin Silpe）现在发现，病毒也可以窃听这些信号，以达到邪恶的目的。这种病毒是一种噬菌体，即能感染并杀死细菌的蜘蛛状物质。一旦它感染了宿主，可能采用两种模式：等待或展开杀戮。如果选择后者，它会使大量子病毒通过宿主大规模爆发，从而感染其他宿主。但是如果周围没有其他宿主呢？巴斯勒说:“如果你是病毒，如果你不进入宿主体内，那你就完蛋了。”

正如西尔普所发现的，噬菌体通过检测细菌用来测量同类数量的群体感应信号，来避免这种命运。它可以等待在某个宿主体内数量达到充足程度时，才会杀死一个宿主，以便让它的后代有更多宿主可供感染。巴斯勒说：“偷听群体感应分子是非常狡猾的行为，以前没人见过。”

群体感应已经是个革命性的概念。几十年来，巴斯勒发现了它的更多细节，她和其他研究人员震惊地意识到，像细菌这样的简单生物体也能够交流和协调。但是病毒更简单。从技术上讲，它们甚至都不是活着的，它们与细菌是完全不同的实体，但它们拦截并解读了相同的分子信息。

这一发现的种子是几年前埋下的，当时巴斯勒的团队在霍乱弧菌（Vibrio cholerae）中发现了一种新的群体感应系统。霍乱弧菌是能够引起霍乱的细菌，它分泌一种叫做DPO的信号分子，并利用被称为VqmA的蛋白质来检测这种分子。当细菌开始感染宿主时，宿主周围的细菌并不多，它们产生的DPO信号就会飘散。但随着它们的数量膨胀，信号变得更加集中，并开始降落在VqmA探测器上。

当这种情况发生时，它会触发一系列基因对细菌进行重新编程，关闭细菌的感染能力，开启细菌的扩散能力。巴斯勒说，这就是为何霍乱属于一种潜伏疾病的部分原因。通过群体感应，霍乱弧菌可以等到时机成熟后，才“在宿主体内成千上万地释放出来，进而感染更多宿主”。

通过在线 数据库 搜索，西尔普发现，许多密切相关的霍乱弧菌也有类似VqmA的检测器。但很显然，名为VP882的病毒噬菌体也是如此。10年前，几位中国台湾研究人员从一种海洋弧菌中发现了这种噬菌体。这是偶然的巧合吗？亦或是数据库中的错误？或者，就像西尔普所言的那样，病毒可能以某种方式窃取了宿主的信息？

巴斯勒指出：“我想，我们要在这上面浪费很多时间，因为这是个疯狂的错误，但我们就是这么做的。”发现VP882病毒的研究人员已经退休，但在此之前，他们将宿主细菌的样本放入了储存库中。西尔普花了6个月的时间才找到那个珍贵的样本.幸运的是，那些细菌里仍然含有一些病毒。

通过仔细的实验，西尔普证明了他的预感是正确的，病毒版本的VqmA确实可以检测到细菌释放的同样的DPO信号。当它们这样做的时候，它们会促使处于无害等待状态的病毒开始杀死宿主。巴斯勒称：“这里面有个十分有趣的逻辑：在较高的密度下，霍乱这种寄生细菌想要离开宿主，进入其他宿主体内。在高密度下，作为细菌寄生体的病毒，也想要离开它的宿主，进入另一个宿主体内。它们在做同样的事情，并使用相同的信号分子。”

病毒也不仅仅是窃听信息，还记得霍乱细菌是如何利用VqmA检测器从感染转移到传播的吗？西尔普发现，病毒版本的VqmA可以启动相同的遗传程序，迫使其细菌宿主分散。巴斯勒解释称：“噬菌体在准备杀死霍乱细菌的同时，也在干扰数以百计的细菌基因。”也许这都是相同策略的重要组成部分：噬菌体不仅确保其后代有足够多的宿主可以感染，而且还确保这些宿主传播得更远更广。

VP882病毒还有一个奇怪的特性：与大多数仅限于特定宿主的噬菌体不同，它可以感染多种细菌。它只监听霍乱弧菌交换的信息，但是西尔普设法使它能够窃听其他细菌释放的信息，包括沙门氏菌和大肠杆菌。当它检测到只存在于目标体内的分子时，就会杀死它们。这种随机的病毒现在是一种可编程的刺客，西尔普可以设置它来追踪特定的目标。巴斯勒称：“这就像是进化给我们的礼物。”

几十年来，科学家们一直试图用噬菌体来治疗细菌性疾病，而这些噬菌体疗法现在看起来前景似乎特别光明，因为许多细菌已经进化到能够抵抗传统抗生素的水平。但有一个问题：噬菌体在宿主体内通常很挑剔，因此研究人员需要为每一种想要治疗的细菌感染找到一种特定的病毒。

西尔普的研究提供了另一种策略。美国加州大学旧金山分校研究噬菌体的阿戴尔博尔赫斯(Adair Borges)说：“他们建议使用一种混杂的噬菌体，这种噬菌体可以感染许多不同种类的细菌，但只会在预先设定的信号下杀死细菌。这是噬菌体疗法的一个有趣尝试，它能让被杀死的细菌具有更强的特异性和控制力。”

然而巴斯勒警告说：“这还不是噬菌体疗法。”她和西尔普只在试管中测试了他们的可编程噬菌体，其他研究人员需要看看同样的方法是否适用于临床。他们更感兴趣的是研究噬菌体在自然界中是如何工作的，他们注意到研究人员长期以来低估了这些病毒。

例如，由魏茨曼科学研究所的罗特姆索雷克(Rotem Sorek)去年领导的研究小组发现，有些噬菌体拥有自己版本的群体感应能力，它们交换信息，告诉自己什么时候杀死宿主。巴斯勒说:“这些都是非生物的病毒，古老的交流机制是多么美妙！”

Predicting the future of security is no easy feat. Technological and organizational requirements are constantly changing, threats are emerging with no end in sight, and security resources are as strained as ever.

The one constant in security is that there will always be someone or something ready to exploit the first signs of vulnerability. Organizations try to shore up our defenses in an attempt to stop these attacks―creating more integrations, following more regulations and standards, and constantly pivoting to protect a broader attack surface. But somehow, the news of the latest record breach seems to be just around the corner.

Although we'd love to say hackers and threats are a thing of the past, it won’t be the case in 2019. Organizations will still have to adopt new technologies and methodologies to keep themselves and their customers safe. Fortunately, they won’t have to go at it alone.

Along with the increased risk 2019 brings―think more data sources and devices, increasing interconnection that breaks down segmentation, and more―new trends and technology will help security professionals keep pace.

Alert fatigue? It might be a thing of the past with the emergence of virtual analysts. Experienced security teams are hard to come by and are often understaffed and overworked , butmachine learning-based analytics, orchestration and automation are quickly infiltrating SOCs across the globe. And don’t worry, jobs won’t go away in the process but instead evolve with new roles and opportunities.

Compliance? Standards and regulations are a must in security. The enforcement of regulations like E.U.’s GDPR will continue and will likely influence other regions and industries to take up their own standards. This will mean more tedious data management and security workflows. But again, virtual assistant-type technology will likely take the brunt of the hit.

Once seen in a skeptical light, smart technology will take a greater role in security efforts across businesses and organization big and small―and this is just the beginning.

If you’d like to read more about what’s to come forsecurity―not to mention AI andmachine learning, IT ,IoT and beyond―read our Splunk 2019 Predictions .

i am using GeddyJs with a heroku cedar app deployment. I am using Heroku Postgres services for the database.

I have configured the username/password/hostname/dbname in the config file on geddyjs but when i go to run node app.js it throws an error for no pg_hba.conf i know this related to SSL not being used while accessing the db remotely but i have no clue how to force SSL on the connection..

Problem courtesy of: gorelative

You need to add ssl: true to your postgres config.

Geddy simply passes this config object to the pg module. Check the pg.client wiki page for more info.

Solution courtesy of: Miguel Madero

If you are trying to connect from outside heroku you need to connect with SSL. We only allow connections from outside heroku if they are encrypted with SSL

error: no pg_hba.conf entry for host "70.199.196.17", user "12345", database "database1", SSL off says that you can't connect with SSL off.

Also you may be sanitizing your database name with database1, but if you're not, I can guarantee you that your database name is not, in fact, database1.

Also you should NOT NOT NOT be hard-coding your credentials in a file. Read them out of your environment.

Discussion courtesy of: Will

This recipe can be found in it's original form on Stack Over Flow .

任何公司企业都免不了数据泄露事件。但这些事件会以哪种形式出现？攻击者是怎么获得访问权的？他们会窃取或破坏什么？到底是什么驱使着他们尝试这些攻击？数据泄露的本质和后果在来年会有怎样的改变？在此，业界专家们就网络罪犯明年入侵网络盗取数据的目标、途径和原因作出了他们的预测。

黑掉联网汽车并夺取其控制权已被证明是可行的。此类黑客行为不仅仅能关闭汽车的引擎，还可以禁用汽车的安全功能，比如防抱死系统或安全气囊。随着汽车联网程度的增加和无人驾驶汽车的发展，黑客也有了更多的机会造成真正的伤害。

2019年，激进黑客团体或民族国家黑客组织会将分布式拒绝服务(DDoS)攻击推上全新的高度，尝试大面积搞瘫互联网进行敲诈勒索。2016年时袭击DNS托管提供商Dyn的一场DDoS攻击，就让包括推特、Reddit和Amazon.com在内的多家流行网站掉线了。安全专家 Bruce Schneier 指出，攻击者正在探索其他关键互联网服务的潜在弱点。

Verisign这样的主要域名注册机构如果遭到这种级别的DDoS攻击，可能整个顶级域名(TLD)网站都会掉线。甚至驱动互联网本身的协议――边界网关协议(BGP)，也很大程度上依赖信誉系统。互联网地址仅10%具备有效资源公钥基础设施(RPKI)记录以抵御路由劫持。更糟的是，仅0.1%的互联网自治系统启用了路有源验证，也就是说另外99.9%都对路由劫持敞开大门。总之，互联网本身就是有资源DDoS攻击多个关键节点或滥用底层协议的黑客囊中之物――只要他们想要。

一个无聊的黑客最近接管了5万台打印机，指挥它们打印出无数文档声援YouTube网红PewDiePie。控制企业打印机和复印机网络有多容易由此可见一斑。虽然该黑客事件相对无害，但打印机和复印机确实可以发起更具破坏性的攻击。手握概念验证代码，黑客便可在2019年成功利用打印机网络发起重大网络攻击。

联网打印机上的IoT类安全漏洞将成为更为常见的攻击途径。新旧设备、型号和品牌混杂的复杂性令打印环境很难防护，但安全人员可以施为的空间很大。建立良好的打印安全过程就是个不错的起点，但总体上看这是一个需要更多关注的领域。像对其他IT基础设施一样重视打印安全的责任不仅仅在终端用户企业一侧，也在打印机制造商、托管服务提供商和安全解决方案供应商身上。

此类攻击会盗取数百万消费者的个人信息，甚至搞瘫一个国家的无线通信。与关键基础设施攻击类似，无线网络的中断可能令国家陷入停滞。有时候攻击者仅仅只是想要造成大范围的混乱，而攻击无线环境就能暂停国家运转。无线通信断绝可以有效切断全国通信，影响业务运营，甚至令紧急救援服务停摆。

大多数网络罪犯通过互联网从犯罪软件贩子手中获得所需工具。2019年，恐怖分子也会这么做，只不过，他们的所图比普通黑客要大得多，不仅仅是用勒索软件绑架系统，而是利用新工具对目标和组织机构进行伤害性攻击。从对数据完整性的攻击令计算机不得不强制更换硬件，到利用新技术执行物理袭击(如近期的委内瑞拉无人机攻击事件)，攻击界面在不断扩张，而敌人不会放过这个加以利用的大好机会。

类似的，明年里民族国家可能会开展“fire sale”式网络攻击。Fire Sale 本意指火灾后的大甩卖，但此处的 fire sale 概念是从电影《虎胆龙威》系列中借用的，指的是对一座城市或一个国家的交通运营、金融系统、民生设施和通信基础设施展开三管齐下的网络攻击。在电影中，恐怖分子利用该攻击导致的恐惧和混乱偷偷抽取大量资金。最近几年的网络安全事件表明民族国家和恐怖分子已经掌握了此类能力，2019年可能是此类多管齐下的攻击被用于掩盖隐秘行动的元年。

生物特征识别身份验证因普及程度的提高而受到黑客的青睐。Experian《2019数据泄露行业预测》报告显示：我们将看到暴露出 touch ID 传感器、人脸识别和密码中漏洞的数据泄露。黑客不仅仅利用生物特征识别身份验证硬件和设备中的缺陷，还利用数据存储上的漏洞。涉生物特征识别的大型攻击出现只是时间问题，黑客要么黑进生物特征识别系统攫取访问权，要么伪造生物特征数据。医疗保健、政府和金融行业是生物特征识别黑客攻击风险最大的领域。

DevOps方法论的流行催生了满是安全隐患的环境。由于公司企业目标设置不现实、员工培训不恰当、监视或控制工具欠考虑，曾经运行良好的Kubernetes/DevOps机器将开始磕磕绊绊，给外部威胁留下轻松访问企业核心IT系统的机会。2019年，恶意黑客会利用安全漏洞渗漏敏感数据，制造出前所未有的超大型数据泄露事件。

API的广泛运用会暴露出更多企业敏感信息，攻击者将利用API漏洞盗取数据和个人可识别信息(PII)，造成巨大的损失和信誉伤害。因为对过时IT安全系统及脆弱API管理框架和工具包的过度依赖，大多数客户直到攻击已经执行了才会意识到这些入侵。

截至目前，涉及AWS之类云服务提供商的重大数据泄露都是客户误操作导致的。但这些云服务提供商直接遭遇数据泄露也不过是时间问题。之前的数据泄露对供应商一侧的整体安全性提出了质疑。黑客还有多久就能省去“中间人”直接攻击云的源头呢？世界大型企业和海量数据受到影响的日子哪天到来？

隐秘信用卡信息刮取设备常被用于盗取卡片信息和密码，但罪犯将把目光放到银行网络上以攫取更大的利益。他们会通过往计算机系统中加载恶意软件对单个ATM机实施旁路攻击，就像Magecart团伙对Newegg和Ticketmaster等网站干的一样。此类信息刮取恶意软件的好处是可以悄悄混入公司基础设施，让黑客在出现任何问题指征之前就做了很多破坏。利用恶意软件刮取金融和个人信息的做法还处在早期阶段，网络罪犯才刚刚开始看到此类攻击的价值。目前从事此类犯罪的人还很少，但基于恶意软件的信息刮取攻击还在进化发展中。

中型银行是2019年里罪犯热衷的目标，因为他们持有大量金钱却未必会对安全相当重视。但攻击者可能会更注重将小型银行用作攻击链中的一环。黑客可以从小型银行员工的计算机向大型银行发送网络钓鱼电子邮件。网络罪犯仍将继续使用网络钓鱼来渗透银行基础设施。所用工具和恶意软件会更加错综复杂。黑客可能会砸下大笔金钱购买暗网上售卖的未公开零日漏洞利用程序。

在线游戏社区是黑客关注的新兴领域，网络罪犯注册玩家并获取可信玩家电脑的访问权并入手其个人数据。游戏世界中不仅仅是个人PII或信用卡信息值钱，令牌、武器和其他游戏装备在游戏社区也是价值万金。只要拿到一个口令――玩家的口令防护习惯都不太好，黑客就能悄无声息地接管他人在游戏中的头像和身份，带着大量游戏装备扬长而去。

今天的互联商业环境中，一家公司的安全取决于其供应链和合作伙伴网络的最弱一环。这就是攻击者总是针对这些较弱网络来获得通往更大利益的入口的原因。所以，2019年，供应商或供应链合作伙伴身上发生的网络入侵可能会导致关键基础设施公司服务交付的延迟或停滞。主要国防承包商也会经历敏感国家安全信息的重大泄露。作为回应，国防部将会增加强制性动作，要求国防承包商实现额外的网络安全控制。

师从业内最佳操作人士的网络罪犯才会获得成功。而这些业内最佳显然就是政府雇佣的或国家支持的黑客。成功的网络罪犯不仅复制他们的技巧，还会将某些工具流入黑市，供普通罪犯使用。政府囤积的零日漏洞利用若被泄露，也是网络罪犯争相利用的对象，而这在2019年可能造成很大的问题。

这些越来越先进的攻击给大型云提供商造成的一大难题是，他们现在也可能被黑客利用尚无补丁可用的新漏洞加以攻击。虽然目前还没出现如此之新的漏洞被成功利用的案例，但流氓民族国家和某些国家之间的网络冷战预示着这种情况终有一天会发生。

“ Google Cloud Platform and Firebase gives Hacker Noon the flexibility to craft a custom publishing platform optimized for technologists,” said Hacker Noon Interim CTO Dane Lyons . “Our serverless infrastructure will generate static content and pipe it into the low latency, low-cost Google Cloud CDN . We’re excited to focus on important product details and worry less about devops and cost optimizations.”

As a startup working to free ourselves from platform dependency , it’s humbling to have Google support our own infrastructure. These resources make our future more secure, our monthly burn rate more manageable, and ultimately provide a stronger partner for serving high volumes of traffic in the long-term. We’re very excited about launching the next iteration of Hacker Noon with Google Cloud Platform and Firebase!

Deploy A Backend App As An Android Engineer (& Part 2 ) by Adam Hurwitz

Android App Architectures: Example of MVP with Kotlin by Rohit Surwase

Can Google’s AI Make Better AI Than the Googlers? by The Next Web

Google’s AI Based AutoDraw Turns Your Rough Scribbles Into Beautiful Icons For Free by Vinoth George

Chrome Extension Development: Lessons Learned by Sam Jarman

Optical Character Recognition With Google Cloud Vision API by Evelyn Chan

Launch a GPU-backed Google Compute Engine instance and setup Tensorflow, Keras and Jupyter by Steve Domin

Google Search Analysis: Rich Search Results and Structured Data by Garrett Vorce

The Art of Searching something on the Internet. by Vikas Yadav

Building Google’s Art and Culture Portrait Matcher by Grant Holtes

70% of People Worry About Fake News ― And How Google Combats It by Chhavi Shrivastava

Getting Started with Firebase ML for iOS by Mohammad Azam

Firebase to the Rescue: Dynamic Routing via Hosting + Functions Integration by Peter LoBue

How to Build a Product Loved by Millions and Get Acquired by Google: The Firebase Story by Founder Collective

Infinite Scrolling In Firebase by Linas M

Introduction to Firebase by GeekyAnts

It’s a beautiful weekend, and I thought hey lets get something quick done in the home-lab before going out to the movies %). The other guy on the other end (the lab) says: DREAM ON!!!

I’m tinerking with vCloud Director 9.5 and I needed to connect with the cells via PowerCLI (simple, right?). I launched PowerShell, typed Connect-CIServer fqdn and all thoughts of going to the movies splintered into smithereens.

After exchausting what could be done, I sent a message over Slack on the PowerCLI group and I got help from Kyle Ruddy and after going through what I did, he pointed me out to this script Resolve-Error ( what turned to be a real gem ), what the script does is that after you run the command-let you’d call out the function and it will output all of the exceptions in details, and here is the output from mine (the output is huge, so I will only show the part which was relevant to resolving the issue):

Status : SecureChannelFailure

Response :

Message : The request was aborted: Could not create SSL/TLS secure channel.

Data : {}

InnerException :

TargetSite : System.Net.WebResponse EndGetResponse(System.IAsyncResult)

StackTrace : at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)

at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

HelpLink :

Source : System

HResult : -2146233079

Apparently PowerShell had issues with my SSL certificates after all, but it was too shy to tell me directly!! (Thank you Kyle). So I did another round of investigation but now I was keen on something:

On my jump box I tend to use Chrome, so I don’t touch on IE that much, on the other hand for the sake of testing things out I attempted to access my vCD cells through IE and surprisingly I couldn’t, so we’re on to something apparently.

I downloaded the updates, ran them one after the other, rebooted my jump machine, saw a blue screen on one of the restarts, restarted again, life goes on, and the machine is up %). Fired-up PowerShell, invoked the Connect-CIServer command and EURIKA! It worked! Launched IE and attempted to access the vCD cells FQDN and it worked fine as well.

There you have it people, its 11:00PM as of now and my secure channel skills are at +1 :-P.

I hope this was joyful,

(Abdullah)^2

Clip art resource: FCIT

83 Total Views 18 Views Today

I’ve been developing android apps for over 3 years now and I’m also a security enthusiast. During this journey, most of the new talks and blogs in the Android community were talking about the new shiny app architecture, latest libraries, trends in Android :rocket:, etc. But I didn’t see anyone talking about security on mobile very few folks talk about it. Actually, most users don’t care about your MV.. whatever architecture or new dependency injection framework you introduced to your app as much as they care about their app data and personal info to be secure and not to be compromised :grimacing:. After all, when we finish our jobs we are also users and we want the apps we use on a daily basis to be secure :pray:. So I decided to make some researches in this area. I spent the last couple of months downloading random apps from google play with high downloads number and in the charts section to try to identify common security issues for researching purposes and make this article possible to help developers improve their security habits when developing to ensure maximum security for you and for the user.

I saw many bad practices that lead to many security vulnerabilities in these apps :scream:. I started a thread about that on twitter you can find it here but it’s in Arabic so I will summarize it in my points and give a more comprehensive view about this topic :man::computer:.

This article will be quite long so grab a cup of coffee and let’s dive into these 16 tips with detailed resources that will increase your app security . Note I’m not a security expert by any meaning I will just provide my point of view on this topic so If I had said something wrong please correct me to change it

Let’s hack it!

You may be wondering why I put this as the first point and there are more important things to do to secure your app. And you are right but this, in my opinion, is the most important one because it will obfuscate your code and will make it unreadable so if someone tries to reverse engineer your app with some simple tools that anyone with little experience can do to access your code and see it crystal clear as if you gave it to him on a golden plate. Code obfuscation has many benefits first of all even if your app has some security vulnerabilities it will be very hard for hackers to reach them, will also prevent some people from stealing your code, recompiling it and publishing it in the store again with some ads and make a profit from your hard work. To enable it’s pretty easy in your build.gradle file.

This will also make your APK smaller since it will remove unused code from your APK.

But let’s be real here it’s not just these three lines to make your app work with Proguard/R8 :crying_cat_face: you need to modify some of your code to play nice with code obfuscation and it’s really a pain in the ass to debug Proguard errors and crashes and the build will take longer time. But the benefits of it are huge this awesome blog post will show you a real-world example to avoid these kinds of problems. If you want to be even more secure and take your security to the next level you can use a paid obfustication service like DexGuard .

Most of the apps nowadays interact with some API to grab or post some data and many of them have an API key so you can’t directly call the API endpoints without this key. Unfortunately, some apps from my sample don’t have these Keys. I know it’s not an android related problem but it will affect your users and your servers severely if a hacker finds out about them. In some apps, I was able to make some requests into the API and some of them are user related endpoints. Someone can write a small script and DDOS attack your servers or steal your users’ data and both of them will ruin your business and your integrity in front of the users. So please add a key to your API and bonus point add a user token in the request header so if you see a malicious activity from one user you can immediately block it without affecting other users. I’m not an expert in this area maybe Backend developers can help us here since it’s their work . Now we have an awesome API key. How to store in the code to make it extremely hard to access it? Native code yeah :tada:. Personally, I don’t ship any application with an API key store in Java/Kotlin code because they are pretty easy to access even with Proguard enabled. So you can store it in a C/C++ file using NDK. I know when some people here the word NDK and native code they get afraid and I agree with you NDK is hard but doing this simple task of storing some strings there it’s pretty simple. You will store your API keys and other sensitive static data there and you will call it from Kotlin/Java code.

Here is a blog post to help you make that and another one here . They are quite dated so maybe I will write another article on how to do it. I didn’t do it here because this article is long enough :sleepy:.

Last thing here never ever put a server secret key in the client code :-1:

Example of that when you are dealing with a payment API like Stripe they give you two keys a client key you can use in android(Store it in native code)and server key for payment transactions normally this key will live in your server but some folks want to take a short path to deliver the product faster so they put it in the client. Never do this because if some hacker finds it you are pretty much F*cked up.

We all love Firebase :heart: It’s one of the best things that happened in the tech space lately. Many apps nowadays use firebase real-time database or Firestore to store some data in it and that is perfectly fine. The problem here is that developers don’t write the database security rules for that database and that is similar to you inviting a thief to come and steal your home while you are watching something on Netflix.

When you build your app firebase SDK insert the database URL in your strings file like this