Skip to content


Links for 2014-02-19

  • Belkin managed to put their firmware update private key in the distribution

    ‘The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.’ Using GPG to sign your firmware updates: yay. Accidentally leaving the private key in the distribution: sad trombone.

    (tags: fail wemo belkin firmware embedded-systems security updates distribution gpg crypto public-key pki home-automation ioactive)

  • Video Processing at Dropbox

    On-the-fly video transcoding during live streaming. They’ve done a great job of this!

    At the beginning of the development of this feature, we entertained the idea to simply pre-transcode all the videos in Dropbox to all possible target devices. Soon enough we realized that this simple approach would be too expensive at our scale, so we decided to build a system that allows us to trigger a transcoding process only upon user request and cache the results for subsequent fetches. This on-demand approach: adapts to heterogeneous devices and network conditions, is relatively cheap (everything is relative at our scale), guarantees low latency startup time.

    (tags: ffmpeg dropbox streaming video cdn ec2 hls http mp4 nginx haproxy aws h264)