Security: Antipatterns in IoT Security, Signing Programs for Linux, and Guide to Two-Factor Authentication

• Antipatterns in IoT security

  Security for Internet of Things (IoT) devices is something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process. A big portion of the talk was about antipatterns that he has seen—and even fallen prey to—in security engineering, he said. It was intended to help engineers develop more secure products on a schedule. It was not meant to be a detailed look at security technologies like cryptography, nor even a guide to what technical solutions to use. Instead, it targeted how to think about security with regard to developing IoT products.

• Signing programs for Linux

  At his 2017 Open Source Summit North America talk, Matthew Garrett looked at the state of cryptographic signing and verification of programs for Linux. Allowing policies that would restrict Linux from executing programs that are not signed would provide a measure of security for those systems, but there is work to be done to get there. Garrett started by talking about "binaries", but programs come in other forms (e.g. scripts) so any solution must look beyond simply binary executables. There are a few different reasons to sign programs. The first is to provide an indication of the provenance of a program; whoever controls the key actually did sign it at some point. So if something is signed by a Debian or Red Hat key, it is strong evidence that it came from those organizations (assuming the keys have been securely handled). A signed program might be given different privileges based on the trust you place in a particular organization, as well.

• A Guide to Common Types of Two-Factor Authentication on the Web

  Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it's becoming much more common across the web. With often just a few clicks in a given account's settings, 2FA adds an extra layer of security to your online accounts on top of your password. In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key). Once you put in your password, you'll grab a code from a text or app on your phone or plug in your security key before you are allowed to log in. Some platforms call 2FA different things—Multi-Factor Authentication (MFA), Two Step Verification (2SV), or Login Approvals—but no matter the name, the idea is the same: Even if someone gets your password, they won't be able to access your accounts unless they also have your phone or security key. There are four main types of 2FA in common use by consumer websites, and it's useful to know the differences. Some sites offer only one option; other sites offer a few different options. We recommend checking twofactorauth.org to find out which sites support 2FA and how, and turning on 2FA for as many of your online accounts as possible. For more visual learners, this infographic from Access Now offers additional information. Finally, the extra layer of protection from 2FA doesn't mean you should use a weak password. Always make unique, strong passwords for each of your accounts, and then put 2FA on top of those for even better log-in security.

Linux panel PC offers IP69K protection against jet spray

TechNexion has launched a 10.1 inch, 1280 x 800 capacitive touch panel PC that runs Linux or Android on an i.MX6, and offers IP69K protection. TechNexion, which has long been a provider of COMs and SBCs based on Freescale/NXP i.MX SoCs, also sells a line of Linux- and Android-friendly i.MX6, i.MX6UL, and i.MX7 based panel PCs. The latest is a 10.1 inch TWP-1010-IMX6 model that shares many of the same features of its 15.6-inch TWP-1560-IMX6 sibling, including NXP’s i.MX6 SoC, M12 connectors, and a SUS 304 stainless steel case with an IP69K water- and dust-proofing certification. Also: Mongoose OS for IoT prototyping

10 Open Source Skills, Data Analysis Skills and Programming Languages

• 10 Open Source Skills That Can Lead to Higher Pay

  Last month, The Linux Foundation and the online job board Dice released the results of a survey about open source hiring. It found that 67 percent of managers expected their hiring of open source professionals to increase more than their hiring of other types of IT workers. In addition, 42 percent of managers surveyed said they need to hire more open source talent because they were increasing their use of open source technologies, and 30 said open source was becoming core to their business. A vast majority — 89 percent — of hiring managers said that they were finding it difficult to find the open source talent they need to fill positions.

• If you want to upgrade your data analysis skills, which programming language should you learn?

  For a growing number of people, data analysis is a central part of their job. Increased data availability, more powerful computing, and an emphasis on analytics-driven decision in business has made it a heyday for data science. According to a report from IBM, in 2015 there were 2.35 million openings for data analytics jobs in the US. It estimates that number will rise to 2.72 million by 2020. A significant share of people who crunch numbers for a living use Microsoft Excel or other spreadsheet programs like Google Sheets. Others use proprietary statistical software like SAS, Stata, or SPSS that they often first learned in school.

• std::bind

  In digging through the ASIO C++ library examples, I came across an actual use of std::bind. Its entry in cppreference seemed like buzzword salad, so I never previously had paid it any attention.

Visual revamp of GNOME To Do

I’m a fan of productivity. It is not a coincidence that I’m the maintainer of Calendar and To Do. And even though I’m not a power user, I’m a heavy user of productivity applications. For some time now, I’m finding the overall experience of GNOME To Do clumsy and far from ideal. Recently, I received a thank you email from a fellow user, and I asked they what they think that could be improved. It was not a surprise when they said To Do’s interface is clumsy too.