The Verge: Nissan app developer busted for copying code from Stack Overflow

An article at The Verge describes “a developer working on the NissanConnect EV mobile app just got caught red-handed when a verbatim Stack Overflow answer showed up in the most recent app update.”  The article includes a screenshot of the app, which has the copy+pasted tagline “The spirit of stack overflow is coders helping coders.”  The result once someone at Nissan finally spotted the problem (once the app made it to production)? The coder was fired.

But this failure goes way beyond a single developer.  At a high level it seems to point to a lack of some process controls, such as code reviews, application security, and quality assurance.  This incident could be considered more of an improvement opportunity to identify and implement reviews that help ensure the release of secure and higher quality software.  However, if the only outcome is the firing of the coder who made a mistake (and who among us coders has never copy+pasted code?) then this may be viewed as another strike against the company and its approach to software development.

Mirror Update

I added the Metra train schedule for the station that I use. For this I pull the schedule data from a JSON feed used by Metra’s train schedule web page. I hope to publish the code, but for now it’s not very pretty (it uses a Python script to pull the data and make it available through the web server running in the mirror, which the web page that displays in the mirror pulls in via jQuery).  I take the extra step of using an intermediary Python data pull to get around the XSS protection by the browser.  I look forward to having time to refine the code and making it available for other Metra riders to add to their smart mirror.
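A sketch of such an intermediary pull, as an added example rather than the author's unpublished code: the script fetches the feed server-side, keeps only the fields the page needs, and writes a local file that the mirror's own web server hands to jQuery. The field names, size limits and `fetch` callable are assumptions, since the post does not show the feed's format or URL.

```python
import json, os, tempfile

# Assumed field names: the real feed's schema is not shown in the post.
ALLOWED_FIELDS = ("train", "departs", "status")
MAX_BYTES = 64 * 1024  # refuse unexpectedly large upstream responses

def sanitize_feed(raw):
    """Parse upstream JSON; keep only expected short string fields."""
    if len(raw) > MAX_BYTES:
        raise ValueError("feed too large")
    data = json.loads(raw.decode("utf-8"))
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of departures")
    rows = []
    for item in data:
        if not isinstance(item, dict):
            continue
        row = {k: item[k] for k in ALLOWED_FIELDS
               if isinstance(item.get(k), str) and len(item[k]) <= 40}
        if "train" in row and "departs" in row:
            rows.append(row)
    return rows

def publish(rows, path):
    """Write atomically so the page never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(rows, fh)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)

def refresh(fetch, path):
    """fetch() returns raw upstream bytes, e.g. a urllib call to one
    hard-coded feed URL. Bad data leaves the previous file in place."""
    try:
        rows = sanitize_feed(fetch())
    except ValueError:  # covers JSON and UTF-8 decode errors too
        return -1
    publish(rows, path)
    return len(rows)

# Constructed sample standing in for the upstream response.
SAMPLE = json.dumps([
    {"train": "2125", "departs": "07:42", "status": "On time",
     "note": "<b>unexpected markup</b>"},
    {"train": 99, "departs": "08:10"},
    "not-an-object",
]).encode()
```

Because the upstream address is fixed in the script rather than taken from the page, the helper cannot be turned into a general-purpose relay, and the page only ever renders fields that passed the allow-list.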

I also added a calendar that I have more control over than something like Google Calendar. It pulls a simple text file from my web site.

Raspberry Pi Smart Mirror

My son and I had an old flat screen monitor and Raspberry Pi that weren’t doing anything, so we decided to put them to use and build a smart mirror.  We followed a few tutorials, many of which can be found here.  We ordered the acrylic 2-way mirror from TAP Plastics which looks great.  The wood working and staining was by far the hardest part of the project.

Learned a few things along the way:

  • The clamps are a must have
  • Painted both sides of the frame because the backside reflected in the mirror
  • The code is customizable, so I replaced the quote of the day with inspirational sayings and removed the calendar code, since I don’t want to make my calendar public
  • Mounted a board on the wall that the box of the mirror hangs onto (with a screw in the top to make sure the mirror doesn’t fall off the wall)


Plans for version 1.1 are:

  • Moving up the news feed 20 pixels or so
  • Adding a calendar that can also be somewhat private
  • Adding a train schedule


Physical Controls Can Prevent Eavesdropping

I was paying for my parking at a ticket machine the other day.  As I patiently followed the sequence instructed by the machine, I thought about how software is increasingly training humans.  And we’re just letting it happen.  That same weekend I observed several headlines about Samsung Smart TV’s exceptional eavesdropping capability.  From Samsung:  “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”  While this isn’t new news, it got me thinking.  It is another example of how we have to change our behavior to work around software.

We can’t live without the multi-sensor devices we still call “phones.”  We trust software is doing its job and enabling these cameras and microphones only at our request.  We also trust that there are no back doors or malware on the device that enable these eavesdropping features without our knowledge.  But it comes down to well-behaved software to not facilitate eavesdropping.  The hardware, however, is always ready.

I propose getting back to basics.  There should be physical controls in place to disable these cameras and microphones.  Similar to the plastic tab you pull out of a newly-purchased device to enable battery contact, or the plastic key you can yank out of a treadmill if the speed of its ad infinitum path gets too much for you.  With this would be the manufacturer’s certification that these keys, tabs, lens covers…whatever form they take…absolutely block or allow these sensors from being accessible by any software running on the device.

Software has gotten to be too complicated.  Manufacturers can no longer guarantee with certainty that these sensors are not enabled, recording and transmitting without the user’s knowledge or consent.  It’s time to reintroduce physical controls, to bring control back to the consumer.

Cyber Security Basics

Just published my first book on Amazon!


Cyber Security Basics:  Protect your organization by applying the fundamentals



Information security does not have to be complicated. Vulnerability to cyber attacks can be significantly reduced if the basics are practiced. A clear understanding of the fundamentals can help ensure that adequate detective and protective controls are in place, and that a solid information security foundation is established.

This book covers concepts and controls. It is a good primer for those new to the field, and a refresher for the more seasoned practitioner. It is for those who are tasked with creating, leading, supporting or improving an organization’s cyber security program. The goal is to help clear some of the fog that can get in the way of implementing cyber security best practices.

The security controls that are discussed in these 100 concise pages are each assigned a maturity level. This helps the reader determine which controls are most appropriate for their organization. Maturity of a program is based on its age, the resources that are available to it, and the amount of leadership support it enjoys. Advanced controls are not appropriate for a newly-established program, for example.

Reading this book will break down cognitive barriers. It will provide security practitioners the best practices necessary to detect and mitigate common and sophisticated attacks. Building a solid information security foundation does not have to be complicated. It can be achieved by applying the fundamentals of cyber security.

Too Much Safety a Bad Thing?

I recently bought 2 tubes of toothpaste.  I opened the sealed box of the first, unscrewed the cap…and I was surprised to see that there was NO tamper seal covering the opening.  I opened the box and cap of the second tube, and it was the same: no safety foil to alert me if the product had been tampered with.  And even though I no longer had this extra security control available, I have to admit I was a little relieved.

Security controls can actually reduce our awareness.  There is a concept called Risk Compensation.  Per Wikipedia:  “Risk compensation is a theory which suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected.”

Tylenol put in extra tamper protections after the cyanide scare in ’82 (as discussed in a recent Slashdot post).  But despite the efforts and resources invested, did they actually help?  And with protection measures like these in place, is it possible that we might actually miss other indications of tampering?

We can get overly-focused, and over-reliant, on single controls to provide all security.  And when attackers know this, they work around these measures.   We need to continue to be engaged and aware, and not just rely on specific indicators to tell us when something is wrong.

I was relieved because the lack of foil, to me, was an indicator that some sanity may be returning to the marketplace.  Perhaps people will become more personally invested in the security of themselves and others.  And if this carries over into PC and mobile security, where device owners keep their systems updated and stop clicking links to malicious content, then cyber security for everyone has a chance to improve.


Alerts that Don’t Notify

I was awakened to the sound of a siren.  It wasn’t a fire truck, ambulance or the police, but a droning, slowly oscillating up and down whine emitting from the direction of downtown.  It was something I hadn’t heard before, and I wondered about its meaning.

How to find out…radio?  I don’t use the over-the-air radio, and even if I did, what station do I turn to?  Internet?  I checked the Facebook page for our neighborhood and village:  nothing.  No emergency notification on my phone either (even though Amber alerts have worked fine in the past.)  Wanting to confirm there wasn’t something I should be doing to prepare against a raging fire, severe weather or a terrorist attack, I called 311 (non-emergency services.)  No answer.  Now I was starting to get concerned.

I ended up calling 911 and immediately said that this was a non-emergency; I wanted to find out why the city’s siren was sounding.  “It’s a fire alarm that is malfunctioning, and they are working on it.”  This sounded like the person who had been providing that stock answer all morning to many callers before me.  Eventually, the siren did stop.

If the siren does go off again, what exactly are people supposed to do?  The only information source apparently is 911, and that could quickly become overwhelmed.  So the two choices appear to be: panic or ignore it.  For most people I assume the latter.

This made me think of security monitoring, detection and prevention solutions that provide myriad alerts and notifications.  The implementation of any alert should include a response process.  At a minimum, these questions should be answered:

  • What is the value of this alert?
  • How can we be aware that this alert is triggered?
  • What should be done when this alert is triggered?

If any of these can’t be answered, then the alert should not be implemented.  Because if no one knows what to do when a siren sounds, what’s the point?  Panic, if anything, decreases security as it can provide a useful distraction for miscreants.  So deploy alerts and sirens responsibly, and provide quick and easy access to information regarding it.  Leverage social media, and consider the ways people access information nowadays.

A siren only has value if people know what it means, and how to respond to it.  Otherwise, it’s just noise.

A Lofty Example of Limiting Risk

I was looking at pictures of lofts recently (no I’m not moving). Lofts are wide open spaces with an interesting hybrid of industrial and residential features. They are similar to apartments or town homes as neighbors share walls, but lofts also often include rough and unimproved features such as exposed brick and conduit, heating and water pipes that run along the walls, and aluminum ducts snaking along the ceiling.

One loft that I thought particularly interesting had a completely remodeled kitchen. There were no loft-esque features about the room…except for an industrial sprinkler head jutting from the center of the ceiling. This was a conspicuous reminder that this kitchen was not part of a house or apartment, but of a remodeled industrial space that shared not just a roof and walls with other tenants, but an industrial fire suppression system as well.

I wondered:  is it possible for any tenant in the building to cause the water sprinklers to go off in all the units?  If so, what level of due diligence can be done by a prospective buyer in order to reduce the risk of catastrophic water damage to an acceptable level? Below is a partial list I came up with.


  • Interview the building owner and/or landlord. Information about incidents may be limited or omitted, however.
  • Talk to other tenants, though their cooperation is not guaranteed.


  • What are the neighbors like?
  • What is the neighborhood like at night?
  • Can any security features be bypassed (such as by shadowing a resident through the lobby door?)


  • Are there records of the building ever having any fire or flood damage?
  • Is everything up to code (including the fire sprinklers?)
  • What is the reputation of the building owner when it comes to providing a safe living space?

I found this an interesting example, because I believe that finding a safe (and dry) place to live is analogous to evaluating vendor solutions for an organization.

I spoke to a security analyst recently who received a vendor solution for her organization. Before installing it on the network, she applied the latest vendor-supplied updates, and then subjected it to a security scan. The scan found that the software included components and libraries that were several versions behind, despite the update. If she hadn’t done that pre-installation assessment, those issues would not have been found, and the organization would have become more vulnerable as a result (which is ironic because it was a security appliance).

Just as installing vulnerable software on a production network puts an organization at risk, in the case of lofts, it takes only one problem tenant to increase risk for everyone in the building. The challenge is to do an adequate evaluation before signing a software purchase order…or a mortgage for a loft.

The Starbucks Security Model

I was in Starbucks the other day, waiting for my hand-crafted drink to be pushed across the counter. I observed as the drinks ordered by the customers before us were called out: “venti latte…tall cappuccino…grande white chocolate mocha not fat with whip…” When the drink is called out, the presumptive person who ordered it takes it.

No formal method was used to match a customer with a drink. Anyone can pick up anyone else’s order, or even take one without paying. There are deterrents (or speed bumps) to reduce the chance of this happening: an observant barista, a miscreant who gives him/herself away, security cameras conspicuously hanging from the ceiling.

The practices vary. Some stores ask for the customer’s name and write it on the drink. This may be an improvement, but this could be circumvented also: an opportunist could eavesdrop the name, then grab the drink if it’s convenient, for example.

And yet, the Starbucks model works. Shrinkage (theft) is still at a tolerable level using this informal method of associating orders with individuals. So this made me think: maybe Starbucks has found the ideal balance between security and usability. They don’t have to implement rigid controls to prevent theft, yet don’t suffer an intolerable amount of shrinkage. Perhaps they have found a level of security that is commensurate with what they are protecting.

Finding that balance between usability and security is a never-ending challenge. As I left with my venti latte in hand, I asked myself: is there something to learn from the Starbucks approach to security?

UberEATS: Is It Safe?

Uber just announced a new offering that leverages their community of citizen drivers: food delivery. Is it only me who is concerned about the security of this service? Who is delivering these consumables to people throughout two major U.S. cities? Should there be additional scrutiny?

Food handlers are required to obtain a license before being allowed to serve customers, and in some situations food delivery permits are also required. Wouldn’t these conditions apply here as well? Let’s try not to sacrifice safety for convenience (again).