
(I am one of the developers of Doorman). Some background, from osquery's site: "osquery allows you to easily ask questions about your Linux, Windows, and OS X infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company."

I wrote Doorman as a way of utilizing osquery's TLS remoting endpoints, allowing me to dynamically configure an endpoint with custom queries, as well as run ad-hoc queries. We use osquery and Doorman at my company to gain visibility into our laptops in a manner many remote control based applications don't provide. Besides gaining remote administration functionality to osquery, we developed Doorman with a security-first attitude. We favor tools like osquery that don't expose remote command and control capabilities over tools like Chef or Puppet that concentrate super powers in the hands of a few people.

One of the stronger points of Doorman is its built-in rules and alerting engine. It is one of the few security tools that I honestly can say I "set and forget" with respect to the rules we write. Want to know every time someone installs a new Chrome extension? All listening sockets on external interfaces, and the process name and user/group it's owned by? New root certificate authorities added to the keychain? Done, all thanks to osquery's introspection capabilities coupled with Doorman.
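To make the "set and forget" rules above concrete, here is an added example (my own illustration, not Doorman's code) of a tiny rules engine run over the JSON lines osquery writes to its results log in the batched differential format (`name`, `hostIdentifier`, `calendarTime`, `diffResults` with `added`/`removed` rows). The three log lines are constructed for the example; the query names and the columns in their rows are assumptions about how the scheduled queries were written (the listener query is assumed to join `listening_ports` with `processes`), and the rule predicates are hypothetical.

```python
"""Toy rules engine over osquery differential results (added example)."""
import json

# Constructed sample of osquery's batched differential result log.
SAMPLE_RESULT_LOG = [
    json.dumps({
        "name": "chrome_extensions",
        "hostIdentifier": "laptop-42",
        "calendarTime": "Thu Jun 26 20:14:09 2014 UTC",
        "diffResults": {
            "added": [{"uid": "501", "name": "Example Ad Blocker",
                       "identifier": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "version": "1.2"}],
            "removed": [],
        },
    }),
    json.dumps({
        # Assumed query: listening_ports JOIN processes, so rows carry a process name.
        "name": "listening_sockets",
        "hostIdentifier": "laptop-42",
        "calendarTime": "Thu Jun 26 20:14:09 2014 UTC",
        "diffResults": {
            "added": [
                {"pid": "812", "port": "8080", "protocol": "6", "address": "0.0.0.0", "name": "python"},
                {"pid": "77", "port": "631", "protocol": "6", "address": "127.0.0.1", "name": "cupsd"},
            ],
            "removed": [{"pid": "600", "port": "5000", "protocol": "6", "address": "0.0.0.0", "name": "node"}],
        },
    }),
    json.dumps({
        "name": "root_cas",
        "hostIdentifier": "laptop-42",
        "calendarTime": "Thu Jun 26 20:15:09 2014 UTC",
        "diffResults": {
            "added": [{"common_name": "Corp Root CA", "ca": "1", "self_signed": "1",
                       "path": "/Library/Keychains/System.keychain"}],
            "removed": [],
        },
    }),
]


def is_external_listener(row):
    """A socket bound to anything other than loopback is worth an alert."""
    return row.get("address") not in ("127.0.0.1", "::1")


# Hypothetical rules: query name -> (predicate over an added row, alert text).
# Only rows in "added" are examined; removals are deliberately ignored here.
RULES = {
    "chrome_extensions": (lambda row: True, "new Chrome extension installed"),
    "listening_sockets": (is_external_listener, "new listener on an external interface"),
    "root_cas": (lambda row: row.get("ca") == "1", "new CA certificate added to keychain"),
}


def evaluate(log_lines, rules=RULES):
    """Return one alert dict per added row that satisfies its query's rule."""
    alerts = []
    for line in log_lines:
        record = json.loads(line)
        rule = rules.get(record.get("name"))
        if rule is None:
            continue  # no rule for this scheduled query
        predicate, message = rule
        for row in record.get("diffResults", {}).get("added", []):
            if predicate(row):
                alerts.append({
                    "host": record["hostIdentifier"],
                    "time": record["calendarTime"],
                    "query": record["name"],
                    "alert": message,
                    "row": row,
                })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RESULT_LOG):
        print(f'{alert["time"]} {alert["host"]} [{alert["query"]}] {alert["alert"]}: {alert["row"]}')
```

Running it yields three alerts: the new extension, the `0.0.0.0:8080` listener (the loopback-only `cupsd` socket is filtered out by the predicate), and the CA certificate. Because osquery only logs differences between scheduled runs, a rule like this fires once per change rather than on every run, which is what makes it cheap to leave in place.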


Proper Python would use the csv module for this operation, as your CSV export would break if `header` or `dataset[key]` contains a comma.
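As an added illustration of that point (example code, not the commenter's or their client's), here is the same one-line dictionary export written with a naive join and with the `csv` module, plus a reader-side check that shows where the naive version falls apart. The measurement dictionary is constructed for the example, with one header and one value that deliberately contain a comma or a quote.

```python
"""Naive string join vs csv.DictWriter for a one-row dictionary export (added example)."""
import csv
import io

# Constructed dataset: a dictionary of single measurements, as in the thread.
DATASET = {
    "sensor_id": "A-17",
    "location": "Rack 3, Row 2",   # comma inside a value
    "temperature_c": "21.5",
    "note": 'says "ok"',           # quote inside a value
}


def naive_csv(dataset):
    """The fragile version: headers and values joined with commas, no quoting."""
    headers = list(dataset)
    header_line = ",".join(headers)
    value_line = ",".join(str(dataset[key]) for key in headers)
    return header_line + "\n" + value_line + "\n"


def csv_module(dataset):
    """The proper version: DictWriter quotes fields containing commas or quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(dataset), lineterminator="\n")
    writer.writeheader()
    writer.writerow(dataset)
    return buf.getvalue()


def column_counts(text):
    """Fields per row as a standards-following CSV reader sees them."""
    return [len(row) for row in csv.reader(io.StringIO(text))]


def round_trip(text):
    """Parse the first data row back into a dict, to check nothing was lost."""
    return next(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    print(naive_csv(DATASET), column_counts(naive_csv(DATASET)))   # header 4 fields, row 5
    print(csv_module(DATASET), column_counts(csv_module(DATASET))) # 4 and 4
```

The naive output parses as four header fields but five value fields, so any consumer will misalign `location` and everything after it; the `csv` module output round-trips back into the original dictionary unchanged.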


Yeah. This was a special case for a one line CSV that was requested by my client. It was a dictionary with a bunch of single measurements.


Matt Levine sheds more light on this story[1], backed by evidence, whereas the NYTimes is just hearsay. Why would Barclays screw over institutional investors who account for a large majority of their $4 billion in revenue for HFT who bring in only $3 million? Because without HFT (which is a bad, bad word to the ATG's ears), nobody would be trading on it, and nobody wants to admit that. It just doesn't make sense.

[1] http://www.bloombergview.com/articles/2014-06-26/barclays-no...


Explains how HFT can bring liquidity into a market (at a cost). Useful.


I don't understand how a dark pool could exist without rogue HF traders bumping up the revenue from stock trades. If the current stock market won't allow for it, what makes them think a private market will? At the end of the day whoever operates the pool has to foot the bill if they're trading outside of the official exchange. Unless they turn it into a Ponzi-type scenario or outright lie to their investors.


The basic theory of a dark pool is that by restricting who can access the other participants in the market, you can provide for your dark pool's clients better execution costs.

That is, by only allowing similar market participants (think other hedge funds, pension funds, etc) and excluding "predatory" speculative market participants (HFT, day traders, pit traders, etc.) you can match "natural" trades to each other, without paying the middle man.

In reality, this never happens. Speculative "predatory" traders are a necessary component of the market and without them there isn't sufficient liquidity for the market to operate.

In this particular case, an ibank stands accused of lying about this fundamental fact to their clients. It has nothing to do with the underlying validity of the market structure.


HFT adds liquidity on a second by second basis, but nothing on even a short term basis. Market makers speed up transactions slightly, but the cost for doing so is very high.


Citation needed.


What about IEX?


IEX is trying something slightly different to get around allowing/paying market makers into their dark pool. They are using publicity and Michael Lewis to try to convince retail investors to provide free liquidity for their backers.

It remains to be seen if this tactic will work.


Not for free, liquidity providers are paying to trade in IEX (and paying the same rate as the takers).


I guess "for free" was a bad phrase. I meant that IEX is hoping for retail investors to make up for the lack of market makers who get paid via the bid/ask spread.


There are Market Makers on IEX. Look at the Brokers at the end of this list: http://www.iextrading.com/services/

Virtu, SUN, etc. They are market makers.


The article explains why it makes sense. The institutional investors' trades don't match up that often. If you allow HFTs then they will buy/sell on other exchanges (or in other dark pools) that match the other side of your (Barclays in this example) dark pool's institutional investors' trades.

You don't charge the HFT firms since they allow you to charge your other investors.


This is a great article. Thanks for posting it!


It's actually an editorial, not a news article.


Whatever part of the newspaper it appears in, the article provides a nice illustration of data presentation. Use of colours, sampling, even the choice of axes and time-scales.


Matt Levine is a great writer. He comes from Dealbreaker and still retains an edge in his writing, as well as lots of footnotes.


In addition to SQL injection, many "advanced search" engines will compile regular expression patterns from user input. Depending on the language, this can range from a simple Regex DoS to Code Execution (I'm looking at you PHP).
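To show the failure mode and two bounded alternatives side by side, here is an added example (not from the comment) of three ways an "advanced search" might turn a user's search string into a regular expression. The records, the `MAX_PATTERN_LEN` limit and the function names are all constructed for the example.

```python
"""User-controlled regex in a search feature: unsafe vs escaped vs restricted wildcards (added example)."""
import fnmatch
import re

MAX_PATTERN_LEN = 64  # hypothetical cap on the length of a search term

# Constructed records to search over.
RECORDS = [
    "alert: new Chrome extension installed on laptop-42",
    "note: the literal text (a+)+ appears in this record",
    "login failed for user bob from 10.0.0.5",
]


def unsafe_search(records, user_pattern):
    """Vulnerable: the user's string is compiled as-is.

    Anything the engine supports is accepted, including patterns with nested
    quantifiers that backtrack exponentially on non-matching input (regex DoS),
    and a malformed pattern surfaces as an unhandled re.error.
    """
    rx = re.compile(user_pattern)
    return [r for r in records if rx.search(r)]


def literal_search(records, user_pattern):
    """Safe: every metacharacter is escaped, so the term only matches itself."""
    if len(user_pattern) > MAX_PATTERN_LEN:
        raise ValueError("search term too long")
    rx = re.compile(re.escape(user_pattern), re.IGNORECASE)
    return [r for r in records if rx.search(r)]


def wildcard_search(records, user_pattern):
    """Restricted: only shell-style * and ? (and [...] classes) are honoured.

    fnmatch.translate emits a regex built from a small fixed repertoire of
    constructs rather than whatever the user typed, and the length cap keeps
    the amount of work bounded.
    """
    if len(user_pattern) > MAX_PATTERN_LEN:
        raise ValueError("search term too long")
    rx = re.compile(fnmatch.translate(user_pattern), re.IGNORECASE)
    # translate() anchors at both ends, so match() is the right call here.
    return [r for r in records if rx.match(r)]


if __name__ == "__main__":
    print(literal_search(RECORDS, "(a+)+"))        # only the record containing that text
    print(wildcard_search(RECORDS, "*laptop-*"))   # the Chrome extension record
    print(unsafe_search(RECORDS, "(a+)+"))         # compiled as a regex: every record with an 'a'
```

The contrast worth noticing is the `(a+)+` term: the escaped search treats it as seven literal characters, while the unsafe version compiles it as a nested-quantifier pattern, which is exactly the shape that turns a search box into a denial-of-service lever. If a product genuinely needs to expose full regex syntax, it needs a length limit, a per-query timeout in a worker that can be killed, and an engine without catastrophic backtracking, none of which `re.compile(user_input)` gives you.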


Java, Python, etc. don't have a DOM to consider.

When you're just an XSS away from an attacker doing:

  function encrypt(plaintext) {
    $.post(plaintext, ...);
    return plaintext;
  }
then you lose. The post talks about this, and XSS isn't the only way either.


If all of the JavaScript code and application functionality is bundled into the add-on, it's trivial to avoid XSS. There's no "site" to script into via the URL, and rendering of dynamic elements can be done via a sandboxed iframe, preventing any scripts from running within dynamic data. This is fairly basic security that any add-on developer should be aware of: http://developer.chrome.com/apps/sandboxingEval.html

"XSS isn't the only way either." That's about as illuminating as saying "something bad could happen."

No one is saying JavaScript or browser security is perfect, but if you actually know what you're doing, it can be done properly.

The original "JavaScript security is doomed" Matasano article is extremely out of date at this point, and yet people keep referring to it like it's gospel.


I don't like the article either, but you're wrong about it being "extremely out of date", and you'd have a very hard time defending your argument with evidence. Do try.


Right, but an attacker needs access to the DOM first. If everything is packaged, this is just as difficult as being able to inject random python code.

Sure, you can set up your app to stupidly do evals everywhere, but you can program a bad app in any language.

> XSS isn't the only way either

That's very, very vague. I asked what the attack vectors are. Saying "others" doesn't really work for me.


Right, like getting access to the DOM was ever a hard thing to do. I was specifically referring to web apps in that point, but because you insist, I'll just reference [1].

Another vector to get rogue JS into a user's browser is cache-poisoning, something the article also brings up.

[1] http://media.blackhat.com/bh-us-12/Briefings/Osborn/BH_US_12...


Cache poisoning won't work if an extension loads all of its code from its own bundle. So I fail to see how this applies to an app that is fully self-contained within an extension (extensions themselves are signed, so it's not like you could MitM the extension bundle itself...)


And that's your problem. I was the same way, though I live in NYC. With every pay raise I upgraded my lifestyle. Whether I was making $50k/year or $100k/year, I wasn't saving anything more besides the shit I was contributing to my 401k. My savings actually grew smaller over the years, until I made a conscious effort to save money. An effort so simple, I kick myself for not realizing it sooner.

Several simple ways I found to save money living in NYC (not SF, but close enough). Note these figures are on a per-year basis.

  - Scrap web hosting, move to AWS and S3 (~120 saved)
  - Get rid of cable, stick with cheap Internet (~1000 saved, Internet ~40/mo)
  - One night less at the bar each week (~2500 saved, that's just for a $40 tab)
  - Skip buying coffee every day (~500 saved)
  - Get a cheaper phone package (~120 saved)
In the end, I think a good rule of thumb is to keep your daily expenses under $20. You want to dress well? Wait for Banana Republic to have a 40% off everything sale, and buy clothes then. Buy clothes you're actually going to wear more than once (this is easy for guys, women have it harder).

I don't know your lifestyle or actually care what you spend money on, but complaining you can't save money is a bullshit excuse. I was bullshitting myself too, and I think everyone's got spending habits they can curb without impacting their lifestyle.


I'm not complaining about anything, I'm just pointing out that for some people saving money isn't their first or only priority, but doesn't mean they have no priorities.


Quitting social networks and using Tor and PGP isn't going to protect you from a nation-state intelligence agency. To suggest so is laughable and naive. We're not even at amateur hour yet.

You're better off reading Grugq's post[1] on developing good OPSEC, and even then you're far and away from it.

[1] http://grugq.github.io/blog/2013/06/14/you-cant-get-there-fr...


Did you read the article?! It's a straw-man pointing out that the only way to ensure privacy is with the protection of law:

>If we really want to protect our privacy on the net what we need is more than better technology, we need fundamental changes in our laws and how we enforce the privacy laws we do have. Then, and only then, will we have a fighting chance of keeping our privacy on the Internet.


You're right, but I don't think this is very likely. I think changing your online behavior is the only real way to escape surveillance. That basically means either not using the web or only using it when you don't care about who's watching.

Changing the laws and/or enforcing them would be ideal but then it seems we'd end up right where we are again. Part of the reason for the secrecy of these programs isn't only national security but a way to circumvent the laws. From what we know about the current NSA controversy, these programs are mostly legal and being enforced just fine. Courts are ruling in favor of these things. That's not to say a debate over the 4th amendment isn't unreasonable.

Sometimes I feel there's a part of me that believes we could change the laws. The problem may not be our representatives exactly but rather the power that's been given to the military industrial complex. It's like a totally separate government unto itself, creating problems to solve to justify its own existence.


Yeah, but even that is wrong. It isn't fundamental changes in our laws; it's fundamental changes in the way we interact with our governments. And that's far too much to ask a privacy advocate to do.


Foreign state actors are not subject to your national laws. You need to protect your data in depth.


I agree. First of all, from what I have read so far, we the "public" don't know the capabilities of that agency, so by definition you can't know whether some technique will protect you.

Correct me if I am wrong, but common sense tells me that if they are able to monitor all Internet traffic, and also can run their own Tor nodes, and also possess software to analyze the big amounts of data that the monitoring will produce, I just can't see how you cannot be ultimately tracked even on Tor.

As I see it, many of those defenses just assume that your adversary is not able to "cache" the whole Internet traffic, and that he also doesn't have such a strong computer to crack PGP. But relating to a nation-state agency, those are already nothing more than assumptions.

Anyway, the points in the article are quite efficient against less capable hackers. It never hurts to put less private data on the Internet, for example.


I hear people say all the time they drink a lot of water, but when you ask them to measure it out, it's a joke.

The answer to this problem is to sit at your desk with a gallon of water. You'll find you've finished at least 3/4 before the end of the day, in contrast to the 2-3 cups you'd usually drink.


Yeah, the difference between the amount of water I drink if I am not paying attention to it and the amount of water that I drink if I am actually making a point to drink water is fairly stunning; often up to 3 liters difference.


We've solved this in the Matasano NYC office by:

* Going downstairs for coffee

* Playing a round or two of darts


When I worked in machining, we all had anti-fatigue mats at our stations. Everyone wore Red Wing boots (sneakers are terrible for you), and I heard no complaints of foot pain.


Shoes are huge, yeah. You can go to a local restaurant supply store and get perfectly cromulent anti-fatigue mats, btw. People in kitchens have been struggling with this longer than us nerds.

