In a revelation that shows how the National Security Agency was able to systematically spy on many Cisco Systems customers for the better part of a decade, researchers have uncovered an attack that remotely extracts decryption keys from the company’s now-decommissioned line of PIX firewalls. The discovery is significant because the attack code, dubbed BenignCertain, worked on PIX versions Cisco released in 2002 and supported through 2009. Even after Cisco stopped providing PIX bug fixes in July 2009, the company continued offering limited service and support for the product for an additional four years. Unless PIX customers took special precautions, virtually all of them were vulnerable to attacks that surreptitiously eavesdropped on their VPN traffic.
Sadly, this makes sense and I’d have to agree.
Mike Durio, of Phoenix, seemed to sum it up in an email to my office back in April. “Have you considered doing away with the comments sections, or tighter moderation?” he wrote. “The comments have devolved into the Punch-and-Judy-Fest of moronic, un-illuminating observations and petty insults I’ve seen on other pretty much every other Internet site that allows comments.” He added, “This is not in keeping with NPR’s take-a-step-back, take-a-deep-breath reporting,” and noted, “Now, thread hijacking and personal insults are becoming the stock in trade. Frequent posters use the forums to duke it out with one another.” A user named Mary, from Raleigh, N.C., wrote to implore: “Remove the comments section from your articles. The rude, hateful, racist, judgmental comments far outweigh those who may want to engage in some intelligent sideline conversation about the actual subject of the article. I am appalled at the amount of ‘free hate’ that is found on a website that represents honest and unbiased reporting such as NPR. What are you really gaining from all of these rabid comments other than proof that a sad slice of humanity that preys on the weak while spreading their hate?”
The ‘Young British Heritage Society’, aka gam*rgate as a college society
yes, yes it is
Insightful thread from the mechanical sympathy group, regarding the checked-vs-unchecked style question:
Peter Lawrey: Our view is that Checked Exception makes more sense for library writers as they can explicitly pass off errors to the caller. As a caller, especially if you are new to a product, you don’t understand the exceptions or what you can do about them. They add confusion. For this reason we use checked exceptions internally in the lower layers and try to avoid passing them in our higher level interfaces. Note: A high percentage of our fall backs are handling iOExceptons and recovering from them. [….] My experience is that the more complex and layered your libraries the more essential checked exceptions become. I see them as essential for scalability of your software.
This is shaking my world view — although I find it more plausible that (as responses to https://www.theguardian.com/notesandqueries/query/0,5753,-22440,00.html claim) they _did_ work until about 10-20 years ago, by detecting RF emissions from the local oscillator inside the TV. Ross Anderson, at https://www.cl.cam.ac.uk/~rja14/Papers/SE-15.pdf , notes:
During [..] World War II, radio engineering saw advances in radar, passive direction finding, and low-probability-of-intercept techniques, which I’ll discuss in the next chapter. By the 1960s, the stray RF leaking from the local oscillator signals in domestic television sets was being targeted by direction-finding equipment in “TV detector vans,” in Britain, where TV owners must pay an annual license fee that is supposed to support public broadcast services. Its use has since expanded to satellite and cable TV operators, who use detector vans to find pirate decoders. Some people in the computer security community were also aware that information could leak from cross-coupling and stray RF (see, for example, [259, 791]).
Sandler wants to be able to explore the code running her device for programming flaws and vulnerability to hacking, but she can’t. “Because I don’t have access to the source code, I have no power to do anything about it,” she says. In her eyes, it’s a particularly obvious example of a problem that now cuts across much of modern life: proprietary software has become crucial to daily survival, and yet is often locked away from public exploration and discussion by copyright.
‘Researchers learn about wire-fraud scam after Nigerian scammers infect themselves with their own malware.’
The researchers observed Wire-Wire scores of $5,000 to $250,000 with the average between $30,000-$50,000 from small- and medium-sized businesses. The scammers themselves were “well-respected and admired” in their communities.I’ve heard about this scam — it’s nasty, and worst of all, banks won’t reimburse the losses.
A eulogy for Oliver Hughes, founder of the Porterhouse and Dingle Distillery, and arguably the progenitor of Ireland’s craft beer scene. I had the pleasure of sharing a table with him at a beer tasting in Sweeney’s off license a while back, and it was both educational and a good fun night. RIP
‘FakeTime is simulated time.”
When testing RealTime software a simulator is often employed, which injects events into the program which do not occur in RealTime. If you are writing software that controls or monitors some process that exists in the real world, it takes a long time to test it. But if you simulate it, there is no reason in the simulated software (if it is disconnected from the real world completely) not to make the apparent system time inside your software appear to move at a much faster rate. For example, I have written simulators that can verify the operational steps taken by industrial controllers over a 12 hour FakeTime period, which executes in 60 seconds. This allows me to run ’12 hours’ of fake time through my test cases and test scenarios, without waiting 12 hours for the testing to complete. Of course, after a successful fakeTime test, an industrial RealTime system still needs to be tested in non-simulated fashion.
‘Event driven Diagnostic and Remediation Platform’ — aka ‘runbooks as code’
hahaha. gtfo, IOC
excellent explanation and benchmarks of a timer wheel implementation
ECS, Docker, ELB, SQS, SNS, RDS, VPC, and spot instances. Pretty canonical setup these days…
The mytaxi app is also now able to predict daily and weekly spikes. In addition, it has gained the elasticity required to meet demand during special events. Herzberg describes a typical situation on New Year’s Eve: “Shortly before midnight everyone needs a taxi to get to parties, and after midnight people want to go home. In past years we couldn’t keep up with the demand this generated, which was around three and a half times as high as normal. In November 2015 we moved our Docker container architecture to Amazon ECS, and for the first time ever in December we were able to celebrate a new year in which our system could handle the huge number of requests without any crashes or interruptions—an accomplishment that we were extremely proud of. We had faced the biggest night on the calendar without any downtime.”
Honesty is most important. Be sure to carefully explain that (excluding the mountain of evidence to the contrary) there was no way to foresee the [Bitcoin] exchange hacking. Practice phrases like, “this operation was the most trustworthy exchange running out of a vacant building in Singapore” and “no we can’t just call the exchange, they don’t have a phone number”. If your significant other criticizes your decision to buy cryptocurrencies, be sure to fall back on technical merits of cryptocurrencies. Mention, “it’s backed by math” and “[insert cryptocurrency here] didn’t fail, people failed”.
This WIKI collects information about prepaid (or PAYG) mobile phone plans from all over the world. Not just any plans though, they must include good data rates, perfect for smartphone travellers, as well as tablet or mobile modem users.
‘aw yiss comic generator’. AW YISS
Massive, massive copyright fail by Alamy and Getty Images.
Since each violation of copyright in this case allows the plaintiff to seek damages up to $25,000, the statutory damages for Getty’s 18,755 violations amount to $468,875,000. But because the company was found to have violated the same copyright law within the past three years — in 2013, Daniel Morel was awarded $1.2 million in a suit against Getty, after the agency pulled his photos from Twitter and distributed them without permission to several major publications — Highsmith can elect to seek three times that amount: hence the $1 billion suit. “The economic damage that Ms. Highsmith has suffered includes, without limitation, any and all revenue received by the Defendants based on purported licenses sold for the Highsmith Photos. These funds represent money that Ms. Highsmith could have received had she attempted to monetize her photos through the Defendants,” the complaint states. “The injury to Ms. Highsmith’s reputation has been … severe,” it continues. “There is at least one example of a recipient of a threatening letter for use of a Highsmith Photo researching the issue and determining that Ms. Highsmith had made her photos freely available and free to use through the Library website. … Therefore, anyone who sees the Highsmith Photos and knows or learns of her gift to the Library could easily believe her to be a hypocrite.”
Uber bringing the smackdown for the HN postgres fanclub, with some juicy technical details of issues that caused them pain. FWIW, I was bitten by crappy postgres behaviour in the past (specifically around vacuuming and pgbouncer), so I’ve long been a MySQL fan ;)
As recommended by J & F: ‘Most of the campsites we’ve stayed in have had great facilities for kids – pools, activities, entertainment etc – but the problem with that is you spend your day being dragged from one to the other. There’s none of that at Camping Indigo in Noirmoutier apart from a playground, some kayaks and some music in the bar at night but it is on the beach so the kids either run wild around the campsite or play on the beach – it was the best and most relaxing holiday we ever had and we definitely met the coolest people there. There’s a really nice town in the centre of the island and great beaches all around it so hire bikes and roam free.’ Bookmarking for next year’s holiday planning!
his Monitorama 2016 talk, talking about the “deep health checks” concept (which I implemented at Swrve earlier this year ;)
I never knew we had a native take on the sauna, the “teach alluis”:
Sweathouses were used for the treatment for a wide range of ailments up to the late 19th and early 20th centuries, primarily rheumatism but also including sciatica, lameness, sore eyes, gout, skin disorders, psychiatric disorders, impotence and infertility. Surviving records indicate that treatment was often a group activity for 4-8 persons. The sweathouse was heated by filling the interior with fuel (turf, heather, wood etc. as available), and firing the structure for a period of up to two days to heat the stone structure, the hot ashes were then raked out and the interior floor lined with bracken, grass or straw. The bathers entered and blocked the entrance with turves, clothes or some other means. The sweating period could last a number of hours while the structure retained heat. Some authors note that water was thrown on hot stones to create steam. Afterwards, the “patients” would either take a cold plunge in the nearby water source, or go home and rest for a few hours, or simply return to their normal daily activities.(via Aileen)
Course notes from Gerald Jay Sussman’s “Adventures in Advanced Symbolic Programming” class at MIT. Hard to argue with this:
The syntax of the regular-expression language is awful. There are various incompatable forms of the language and the quotation conventions are baroquen [sic]. Nevertheless, there is a great deal of useful software, for example grep, that uses regular expressions to specify the desired behavior. Although regular-expression systems are derived from a perfectly good mathematical formalism, the particular choices made by implementers to expand the formalism into useful software systems are often disastrous: the quotation conventions adopted are highly irregular; the egregious misuse of parentheses, both for grouping and for backward reference, is a miracle to behold. In addition, attempts to increase the expressive power and address shortcomings of earlier designs have led to a proliferation of incompatible derivative languages.(via Rob Pike’s twitter: https://twitter.com/rob_pike/status/755856685923639296)
Mr. Johnson’s fans are not naïve. Handing over their passwords to some strange, cute boy actually constitutes a minor act of youthful rebellion. The whole encounter delivers a heady mix of intimacy and transgression — the closest digital simulation yet to a teenage crush.(via Adam Shostack)
Techdirt has been warning for years that the West’s repeated demands for China to “respect” patents could backfire badly. […] And guess what? That is exactly what has just happened, as The Wall Street Journal reports: ‘Huawei Technologies Co. said it has filed a lawsuit against T-Mobile US Inc., alleging the U.S. telecommunications carrier violated the Chinese company’s patents related to wireless networks. In its complaint filed this week in the U.S. District Court for the Eastern District of Texas, Huawei said T-Mobile is using its patented technology without signing a licensing agreement.’At least this is the most likely scenario to result in patent reform, finally.
So using money from the sale of iStock to Getty, she and Mr. Livingstone set out to create Stocksy, paying photographers 50 to 75 percent of sales. That is well above the going rate of 15 to 45 percent that is typical in the stock photography field. The company also distributes 90 percent of its profit at the end of each year among its photographers. Stocksy is part of a new wave of start-ups that are borrowing the tools of Silicon Valley to create a more genuine “sharing” economy that rewards the individuals generating the value.
eye-poppingly bizarre half-assed safety features of the 1950s — a megaton nuclear weapon rendered safe from accidental criticality accidents only by a plastic bag full of ball bearings
A wonderfully-sweary post on the etymology of swear words, and how they’re not derived from acronyms, really.
shit? Also from an old Germanic root, descended equally to modern German Scheiss (which sounds closer to Scots shite). It shows up in Old English, fully inflected: “Wiþ þon þe men mete untela melte & gecirre on yfele wætan & scittan” (that scittan is an infinitive form of ‘shit’ and was said like “shit-tan”). I can assure you that an acronym Ship High In Transit – supposedly meaning that manure was to be loaded in the upper parts of ships – was not possible in the language in the Old English period, not just because transit was not borrowed from Latin until half a millennium later, or because they didn’t use acronyms like that then, but because what the fuck are you even thinking. They didn’t need to ship manure. Animals produce it on the spot everywhere. Holy shit, fucking seriously.
Invariably, when I see a lot of developer effort in production support I also find an unreliable QA environment. It is both unreliable in that it is frequently not available for testing, and unreliable in the sense that the system’s behavior in QA is not a good predictor of its behavior in production.
Doorman is a solution for Global Distributed Client Side Rate Limiting. Clients that talk to a shared resource (such as a database, a gRPC service, a RESTful API, or whatever) can use Doorman to voluntarily limit their use (usually in requests per second) of the resource. Doorman is written in Go and uses gRPC as its communication protocol. For some high-availability features it needs a distributed lock manager. We currently support etcd, but it should be relatively simple to make it use Zookeeper instead.From google — very interesting to see they’re releasing this as open source, and it doesn’t rely on G-internal services
‘based my observations while I was a Site Reliability Engineer at Google’, courtesy of Rob Ewaschuk
. Seem pretty reasonable
‘Best Plex Media Server’ — this looks pretty superb for EUR240 or thereabouts
‘a small library to manage encrypted secrets using asymmetric encryption.’
The main benefits provided by ejson are: Secrets can be safely stored in a git repo. Changes to secrets are auditable on a line-by-line basis with git blame. Anyone with git commit access has access to write new secrets. Decryption access can easily be locked down to production servers only. Secrets change synchronously with application source (as opposed to secrets provisioned by Configuration Management). Simple, well-tested, easily-auditable source.
Visual impairment intracranial pressure syndrome (VIIP) is named for the leading theory to explain it. On Earth, gravity pulls bodily fluids down toward the feet. That doesn’t happen in space, and it is thought that extra fluid in the skull increases pressure on the brain and the back of the eye.
This pale, amorphous lump of sculpted concrete is designed to resist almost everything in a city that it might come into contact with. Named for the London authority that commissioned it, the Camden Bench has a special coating which makes it impervious to graffiti and vandalism. The squat, featureless surface gives drug dealers nowhere to hide their secret caches. The angled sides repel skateboarders and flyposters, litter and rain. The cambered top throws off rough sleepers. In fact, it is specially crafted to make sure that it is not used as anything except a bench. This makes it a strange artifact, defined far more by what it is not than what it is. The Camden Bench is a concerted effort to create a non-object.
For the famous Apollo 13 near-fatal failure scenario:
‘A customer has had a fairly serious problem with stirring the cryogenic tanks with a circuit fault present. To reproduce: Build CSM; Perform mission up to translunar coast; During translunar coast, attempt to stir cryo tanks If a wiring fault exists, the issue may be replicated. Be aware that this may be hazardous to the tester attempting it.’ Sample response: ‘Does it happens only with translunar coast (sol-3-a), or any moon coasting? It may be a problem with the moon. Just trying to narrow down the issue.’
Karlin on fire:
But there’s lots in this legislation that should scare the public far more. For example, the proposal that the legislation should allow the retention of “superfluous data” gathered in the course of an investigation, which is a direct contravention of the ECJ’s demand that surveillance must be targeted and data held must be specifically relevant, not a trawl to be stored for later perusal “just in case”. Or the claim that interception and retention of data, and access to it, will only be in cases of the most serious crime or terrorism threats. Oh, please. This was, and remains, the supposed basis for our existing, ECJ-invalidated legislation. Yet, as last year’s Gsoc investigation into Garda leaks revealed, it turns out a number of interconnected pieces of national legislation allow at least 10 different agencies access to retained data, including Gsoc, the Competition Authority, local authorities and the Irish Medicines Board.
paying Jason Dixon to work on it, improving the backend, possibly replacing the creaky Whisper format. great news!
npm down for most of the (EU) day. What a shitshow
I haven’t even gotten into the fact that your microservices are an inter-dependent environment, as much as you may wish otherwise, and one service acting up can cause operational problems for the whole team. Maybe if you have Netflix-scale operational hardening that’s not a problem. Do you? Really? Is that the best place to spend your focus and money right now, all so teams can throw shit against the wall to see if it sticks? Don’t sell people fantasies. This is not the reality for a mid-sized tech team working in microservices. There are enough valuable components to building out such a system without the fantastical claims of self-organizing teams who build cool hack projects in 2 week sprints that change the business. Microservices don’t make organizational problems disappear due to self-organization. They allow for some additional degrees of team and process independence and force very explicit decoupling, in exchange, there is overall system complexity and overall system coordination overhead. I personally think that’s enough value, especially when you are coming from a monolith that is failing to scale, but this model is not a panacea.
quotable: “I spend a lot of time on this task. I should write a program automating it!”
Quotable: “how long can work on making a routine task more efficient before you’re spending more time than you save?”
John Rauser on this oft-cited dictum of percentile usage in monitoring, and when it’s wrong and it’s actually possible to reason with averaged percentiles, and when it breaks down.
In their paper at PNAS, they write: “the most common software packages for fMRI analysis (SPM, FSL, AFNI) can result in false-positive rates of up to 70%. These results question the validity of some 40,000 fMRI studies and may have a large impact on the interpretation of neuroimaging results.” For example, a bug that’s been sitting in a package called 3dClustSim for 15 years, fixed in May 2015, produced bad results (3dClustSim is part of the AFNI suite; the others are SPM and FSL). That’s not a gentle nudge that some results might be overstated: it’s more like making a bonfire of thousands of scientific papers. Further: “Our results suggest that the principal cause of the invalid cluster inferences is spatial autocorrelation functions that do not follow the assumed Gaussian shape”. The researchers used published fMRI results, and along the way they swipe the fMRI community for their “lamentable archiving and data-sharing practices” that prevent most of the discipline’s body of work being re-analysed. ®
‘a Ruby regular expression editor and tester’. Great for prototyping regexps with a little set of test data, providing a neat permalink for the results
by avoiding division
Interesting point — self-driving cars are likely to be awash in telemetry data, “phoned home”
Good thread on GCM notifications and their interactions with NAT — they are delivered over a single TCP connection to port 5228 to the google servers, kept alive, and NAT timeouts can hang the conn resulting in delayed notifications. Particularly useful is the *#*#426#*#* dial code, which displays a log screen on Android devices with GCM debugging info.
Really late in bookmarking this, but has some up-to-date sample commandlines for sar, mpstat and iostat on linux
“Dad is making a right turn now,” my 5-year-old son Jack will say as he newscasts the ride to school to a fictional audience. “Don’t forget to subscribe,” his sister Ella, 6, will often interject — again, to no one in particular. When I was their age, I’d pretend to be a soldier or a baseball player. Today, kids apparently aspire to be vloggers. It’s not enough for them to watch their favorite shows. They want to broadcast their lives, banter with commenters and keep their make-believe view counts high.
Law enforcement spokespeople will often point to the handful of homicide or kidnapping investigations successfully closed with the assistance of cell site simulators, but they’ll gloss over the hundreds of mundane deployments performed by officers who will use anything that makes their job easier — even if it’s a tool that’s Constitutionally dubious. Don’t forget, when a cell site simulator is deployed, it gathers cell phone info from everyone in the surrounding area, including those whose chicken wings have been lawfully purchased. And all of this data goes… somewhere and is held onto for as long as the agency feels like it, because most agencies don’t seem to have Stingray data retention policies in place until after they’ve been FOIA’ed/questioned by curious legislators. Regular policework — which seemed to function just fine without cell tracking devices — now apparently can’t be done without thousands of dollars of military equipment. And it’s not just about the chicken wing thieves law enforcement can’t locate. It’s about the murder suspects who are caught but who walk away when the surveillance device wipes its feet on the Fourth Amendment as it serves up questionable, post-facto search warrants and pen register orders.
(x * N) div 2^32 is an equally fair map reduction, but faster on modern 64-bit CPUs
Post-brexit post-mortem from Nicholas Cohen in the grauniad:
The Vote Leave campaign followed the tactics of the sleazy columnist to the letter. First, it came out with the big, bold solution: leave. Then it dismissed all who raised well-founded worries with “the country is sick of experts”. Then, like Johnson the journalist, it lied.
The prime minister evidently thought that the whole debate could be cleanly started and finished in a matter of months. His Eton contemporary Boris Johnson – and, really, can you believe that the political story of the last four months has effectively been a catastrophic contest between two people who went to the same exclusive school? – opportunistically embraced the cause of Brexit in much the same spirit. What they had not figured out was that a diffuse, scattershot popular anger had not yet decisively found a powerful enough outlet, but that the staging of a referendum and the cohering of the leave cause would deliver exactly that. Ukip were held back by both the first-past-the-post electoral system, and the polarising qualities of Farage, but the coalition for Brexit effectively neutralised both. And so it came to pass: the cause of leaving the EU, for so long the preserve of cranks and chancers, attracted a share of the popular vote for which any modern political party would give its eye teeth.
More trial-by-algorithm horrors:
Company officials say the algorithm’s results are backed by research, but they are tight-lipped about its details. They do acknowledge that men and women receive different assessments, as do juveniles, but the factors considered and the weight given to each are kept secret. “The key to our product is the algorithms, and they’re proprietary,” said Jeffrey Harmon, Northpointe’s general manager. “We’ve created them, and we don’t release them because it’s certainly a core piece of our business. It’s not about looking at the algorithms. It’s about looking at the outcomes.” That secrecy is at the heart of Mr. Loomis’s lawsuit. His lawyer, Michael D. Rosenberg, who declined to be interviewed because of the pending appeal, argued that Mr. Loomis should be able to review the algorithm and make arguments about its validity as part of his defense. He also challenges the use of different scales for each sex. The Compas system, Mr. Rosenberg wrote in his brief, “is full of holes and violates the requirement that a sentence be individualized.”
Appearing like trenches dragged into the earth, sunken lanes, also called hollow-ways or holloways, are centuries-old thoroughfares worn down by the traffic of time. They’re one of the few examples of human-made infrastructure still serving its original purpose, although many who walk through holloways don’t realize they’re retracing ancient steps.
So, there you have it: Blocking is necessary, except it is not. Safeguards need to be implemented, except they don’t need to be. This approach is legal, except it isn’t. The text is based on the Child Exploitation Directive, except it isn’t. Is this really how we are going to create credible legislation on terrorism?
After studying other e-voting systems around the world, the team was particularly alarmed by the Estonian I-voting system. It has serious design weaknesses that are exacerbated by weak operational management. It has been built on assumptions which are outdated and do not reflect the contemporary reality of state-level attacks and sophisticated cybercrime. These problems stem from fundamental architectural problems that cannot be resolved with quick fixes or interim steps. While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks — elections could be stolen, disrupted, or cast into disrepute. In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian I-voting system should be immediately discontinued.
Reducing service memory usage from 500MB to 105MB:
We found two specific techniques to be the most beneficial: turning off one of the two JIT compilers enabled by default (the “C2” compiler), and using a 32-bit, rather than a 64-bit, JVM.
from Dr Mark Humphrys in DCU:
A collection of bits and pieces of Internet history. Focusing somewhat (but not exclusively) on: (a) the 1980s, when I first started using the Internet, and: (b) Ireland.
I need to get in touch about the early days of the Irish web!
an online home for stories from Ireland – stories about the country’s long and convoluted relationship with information technology. It aims to gather information on the most significant aspects of this relationship, to compile archives on the selected themes, and to store the assembled records for the benefit of future generations.
This site is a companion effort to the techarchives website, except it is less well-researched, and is primarily a personal view of the development of the Internet in Ireland by your humble author, Niall Murphy.
An old post about Y!’s acquisition of Summly, an iPhone app which uses NLP to summarise news stories. This is an excellent point about modern tech startups:
[Summly] licensed the core engine from another company. They are the quintessential bolt-on engineers, taking a Japanese bike engine, slapping together a badly constructed frame aligned solely by eyeballs, and laying down a marketing blitz. That’s why the story sells. “You, too, can do it.” But do you want to? […] it’s critical to keep tabs on the ratio known as “glue versus thought.” Sure, both imply progress and both are necessary. But the former is eminently mundane, replaceable, and outsource-able. The latter is typically what gives a company its edge, what is generally regarded as a competitive advantage. So, what is Yahoo signaling to the world? “We value glue more than thought.”