Ian McDonald (personal)
Works at SwiftKey
Attended University of Waikato
Lives in London

Ian McDonald (personal)

Getting Apple USB Ethernet adapter working with Windows 8.1
At work I'm now alternating between Windows 8.1 on a Dell and an Apple Macbook Air. As part of this I just want to switch one USB cable between machines when I switch, that is connected to a USB hub. One of the things I've attached to my USB hub is a USB to...

Ian McDonald (personal)

Our co-founders, Jon and Ben, talk all things SwiftKey in today's spread in the London Evening Standard. Check it out! 
In London’s screaming tech industry, where hoodie-sporting, Google Glass-posing entrepreneurs compete to shout the loudest about their fledgling dotcoms, SwiftKey stands out.

Ian McDonald (personal)

SwiftKey pledges to support the scientists of tomorrow
Innovative companies, and the wider economy, depend on people with skills in science, technology, engineering and maths (STEM). That’s why we at SwiftKey are pledging to do our bit to help inspire the next generation of talent. We’ve agreed to join dozens of other leading businesses to make a commitment of what we’ll seek to...

Ian McDonald (personal)

SwiftKey Note now includes landscape mode - find out what else has been updated!
http://www.swiftkey.net/en/blog/new-swiftkey-note-update-brings-landscape-mode/

Ian McDonald (personal)

10 secrets to success at SwiftKey Innovation Days - check out a behind-the-scenes look at our Innovation Days: 
At SwiftKey, we take innovation very seriously. Every couple of months, we take two days out of our usual schedules to get away from the office, get to know each other better, and primarily to spend time exploring and making fun projects. We are encouraged to forget our everyday work, and pursue what interests and...

Ian McDonald (personal)

Just documenting things for the Interweb...

Ian McDonald (personal)

Hi everyone, As you may have heard, Apple announced this morning at WWDC that with the launch of iOS 8, they are supporting the use of third-party keyboards. Big news! We wanted to make sure to let you all know what our thoughts are, directly from Ben Medlock and Jon Reynolds, SwiftKey’s co-founders: “We’re delighted...

Ian McDonald (personal)

Are you active in the Media & Publishing industry in Amsterdam? Then join our mid-day event in Amsterdam (June 11), learn from AKQA and Improve Digital how they use the AWS platform and claim $50 worth of AWS credits. http://ow.ly/wTvkG

Ian McDonald (personal)

Interesting.

When you do this the first time, it looks like a simple oversight - left-overs from some debugging perhaps. But when you "fix" it by hiding it, it's very clearly deliberate.

Netgear, Cisco, quick question please? What exactly does it take to actually care about your customers instead of actively trying to screw them?
Researcher finds secret “knock” opens admin for some Linksys, Netgear routers.

Ian McDonald (personal)

Google Compute Engine vs AWS
I've had a few people ask me what I think of Google Compute Engine vs AWS. My take on Google Compute Engine is that it is now a viable alternative to AWS, as is Microsoft Azure for some firms. It is less mature than AWS in many ways and has had a few glitc...

Ian McDonald (personal)

The problem that the heartbleed attack demonstrates is that people's private keys are available to a server that is also available (via heartbleed) to the attackers.

Ideally you'd want your TLS keys to be stored in an HSM (hardware security module), where if your machine is compromised they cannot be extracted. Usually this can be done via PKCS#11, a standard API for asking something else to do the crypto operations for you. This is plausible for client applications on devices with TPMs (eg Thinkpads), but the builtin TPMs are extremely slow, and are not usually available on servers. For example for storing things like client SSH keys, this is ideal. (You don't need to use the Platform Configuration Registers which is the bit that most people object to, and ideally you'd get a "real" HSM, not just reuse the TPM as a HSM.)

Ideally what you want to do for a web farm is to have a software daemon that pretends to be a HSM, which runs as a separate user from your webserver. When your webserver needs a crypto operation done that involves your private keys, it asks the software HSM to do the operation for it. Thus, even if an attacker gains access to the user the webserver is running as (eg remote code execution), they cannot just read out the TLS keys, and probably also the password used to encrypt them from the config file! If the softHSM is running as a separate daemon in a second user account, they need to be able to access that second user (eg by exploiting bugs in the kernel etc) to get the keys, which is a much higher bar (and is not provided for by things like heartbleed). The attacker, if they did get full access to the webserver account could ask the softHSM to do the operations for it, but when combined with Perfect Forward Security, this doesn't really buy the attacker much that they didn't get just by sniffing the unencrypted streams they already have access to. If you wanted to later upgrade the security of your machine (eg, you have a TPM added to your server), you could swap out the software HSM's PKCS#11 driver library for your "real" HSM PKCS#11 driver, which is a small configuration change.

Unfortunately, at the moment all the softHSMs I've looked at operate as a shared library, and thus still have problems with key leakage. I have also not been able to figure out how to get any of the webserver SSL configurations to actually use PKCS#11. So far they only seem to allow you to say "I want to use PKCS#11" but then don't let you configure anything that you need to such as ... which PKCS#11 module to use, or what the User PIN for the HSM is, or which slot, token or certificate to use within the HSM. The current state of the art appears to be recompiling to configure much of this. Hopefully I'm wrong here.

Heartbleed is bad, but it's not going to be the last bug that we ever see that gives access to the webserver account. There's going to be bugs in protocol handling (either TLS, or perhaps in new HTTP/2.0 implementations) and there's going to be bugs in websites that mean that file contents are leaked, or allow for varying degrees of remote code execution.

The best fix here is to not expose your keys to the same process that is exposed to the Internet. The best standard we have today for this is PKCS#11. To do this we need a software daemon based PKCS#11 that can run as a separate user and a driver PKCS#11 module for it (communicating over, say, a unix domain socket, perhaps dbus or something), and we need to have webserver vendors support PKCS#11 as a first class citizen in their configuration.
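
The separation argued for in the post above, as an added example that is not from the original post or from any softHSM project: a key-holding process reached over a Unix domain socket, so the Internet-facing process can request an operation but never holds the key. HMAC-SHA256 stands in for the private-key operation so the code runs on the Python standard library; the function names, the one-byte status framing and the demo key are assumptions made for this example.

```python
import hashlib
import hmac
import os
import socket

MAX_REQ = 4096  # largest message the daemon will sign

def start_key_daemon(load_key):
    """Fork a key-holding process; return (frontend_socket, daemon_pid).

    load_key() runs only in the child, so the key bytes never exist in the
    frontend ("webserver") process. In a deployment the child would also run
    under its own user account; that step needs root and is omitted here.
    """
    front, back = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    pid = os.fork()
    if pid:                      # parent: the Internet-facing side
        back.close()
        return front, pid
    front.close()                # child: the software-HSM side
    try:
        key = load_key()
        while True:
            msg = back.recv(MAX_REQ + 1)
            if not msg:          # frontend closed its end
                break
            if len(msg) > MAX_REQ:
                back.send(b"\x01")            # refused, nothing signed
            else:
                sig = hmac.new(key, msg, hashlib.sha256).digest()
                back.send(b"\x00" + sig)      # result only, never the key
    finally:
        os._exit(0)              # the child must never return to the caller

def request_signature(front, msg):
    """Frontend side: ask the daemon to sign msg; None if it refused."""
    front.send(msg)
    reply = front.recv(64)
    return reply[1:] if reply[:1] == b"\x00" else None

def demo():
    # Constructed demo key; a real loader reads a file only the daemon can open.
    front, pid = start_key_daemon(lambda: b"constructed-demo-key")
    ok = request_signature(front, b"ServerKeyExchange params")
    refused = request_signature(front, b"A" * (MAX_REQ + 1))
    front.close()
    os.waitpid(pid, 0)
    return ok, refused
```

A compromised frontend can still call `request_signature`, which is the limitation the post acknowledges; what it cannot do is read the key out of the daemon's memory.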
Work
Occupation
Director of IT
Employment
  • SwiftKey
    Director of IT, present
Places
Currently
London
Links
Story
Introduction
A kiwi now living in London
Education
  • University of Waikato
    Computer Science, 2005 - 2013
    Studied for PhD - waiting for results
  • University of Waikato
    Computer Science, 1988 - 1991
    BCMS - First class Honours
Basic Information
Gender
Male
Relationship
Married
Fairly standard chippy, not wonderful but not rubbish either. They're not open Sunday though so watch out for that.
Public - a year ago
reviewed a year ago
Quite variable takeaways - used to be very good, but recently has been a bit too oily and not enough meat. Try the Chicken Rezala if you like it hot.
Public - 2 years ago
reviewed 2 years ago
Quite greasy, very quickly good. Not shocking, but not amazing either. Is very cheap though.
Public - 3 years ago
reviewed 3 years ago
They usually do a great job here.
Public - 3 years ago
reviewed 3 years ago