Skip to content

Category: Uncategorized

Links for 2017-11-24

Published November 24, 2017

  • Witney Seibold watches all the Academy Award Best Picture winners

    Myself and the missus are in the process of doing this right now!

    (tags: nerdist witney-seibold academy-awards best-picture awards movies)

  • Spam is back | The Outline

    it’s 2017, and spam has clawed itself back from the grave. It shows up on social media and dating sites as bots hoping to lure you into downloading malware or clicking an affiliate link. It creeps onto your phone as text messages and robocalls that ring you five times a day about luxury cruises and fictitious tax bills. Networks associated with the buzzy new cryptocurrency system Ethereum have been plagued with spam. Facebook recently fought a six-month battle against a spam operation that was administering fake accounts in Bangladesh, Indonesia, Saudi Arabia, and other countries. Last year, a Chicago resident sued the Trump campaign for allegedly sending unsolicited text message spam; this past November, ZDNet reported that voters were being inundated with political text messages they never signed up for. Apps can be horrid spam vectors, too — TechCrunch writer Jordan Crook wrote in April about how she idly downloaded an app called Gather that promptly spammed everyone in her contact list. Repeated mass data breaches that include contact information, such as the Yahoo breach in which 3 billion user accounts were exposed, surely haven’t helped. Meanwhile, you, me, and everyone we know is being plagued by robocalls. “There is no recourse for me,” lamented Troy Doliner, a student in Boston who gets robocalls every day. “I am harassed by a faceless entity that I cannot track down.” “I think we had a really unique set of circumstances that created this temporary window where spam was in remission,” said Finn Brunton, an assistant professor at NYU who wrote Spam: A Shadow History of the Internet, “and now we’re on the other side of that, with no end in sight.”
    (via Boing Boing)

    (tags: spam privacy email social-media web robocalls phone ethereum texts abuse)

Links for 2017-11-20

Published November 20, 2017

Links for 2017-11-16

Published November 16, 2017

  • Why is this company tracking where you are on Thanksgiving?

    Creepy:

    To do this, they tapped a company called SafeGraph that provided them with 17 trillion location markers for 10 million smartphones. The data wasn’t just staggering in sheer quantity. It also appears to be extremely granular. Researchers “used this data to identify individuals' home locations, which they defined as the places people were most often located between the hours of 1 and 4 a.m.,” wrote The Washington Post. [....] This means SafeGraph is looking at an individual device and tracking where its owner is going throughout their day. A common defense from companies that creepily collect massive amounts of data is that the data is only analyzed in aggregate; for example, Google’s database BigQuery, which allows organizations to upload big data sets and then query them quickly, promises that all its public data sets are “fully anonymized” and “contain no personally-identifying information.” In multiple press releases from SafeGraph’s partners, the company’s location data is referred to as “anonymized,” but in this case they seem to be interpreting the concept of anonymity quite liberally given the specificity of the data. Most people probably don’t realize that their Thanksgiving habits could end up being scrutinized by strangers. It’s unclear if users realize that their data is being used this way, but all signs point to no. (SafeGraph and the researchers did not immediately respond to questions.) SafeGraph gets location data from “from numerous smartphone apps,” according to the researchers.

    (tags: safegraph apps mobile location tracking surveillance android iphone ios smartphones big-data)

  • Quad9

    Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.  Security: Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 will check the site against the IBM X-Force threat intelligence database of over 40 billion analyzed web pages and images. Quad9 also taps feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike.  Performance: Quad9 systems are distributed worldwide in more than 70 locations at launch, with more than 160 locations in total on schedule for 2018. These servers are located primarily at Internet Exchange points, meaning that the distance and time required to get answers is lower than almost any other solution. These systems are distributed worldwide, not just in high-population areas, meaning users in less well-served areas can see significant improvements in speed on DNS lookups. The systems are “anycast” meaning that queries will automatically be routed to the closest operational system.  Privacy: No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS
    Awesome!

    (tags: quad9 resolvers dns anycast ip networking privacy security)

Links for 2017-11-13

Published November 13, 2017

Links for 2017-11-10

Published November 10, 2017

  • Driverless shuttle in Las Vegas gets in fender bender within an hour

    Like any functioning autonomous vehicle, the shuttle can avoid obstacles and stop in a hurry if needed. What it apparently can’t do is move a couple feet out of the way when it looks like a 20-ton truck is going to back into it. A passenger interviewed by KSNV shared her frustration: The shuttle just stayed still and we were like, ‘oh my gosh, it’s gonna hit us, it’s gonna hit us!’ and then.. it hit us! And the shuttle didn’t have the ability to move back, either. Like, the shuttle just stayed still.

    (tags: ai driverless-cars driving cars las-vegas aaa navya keolis)

  • The naked truth about Facebook’s revenge porn tool

    This is absolutely spot on.

    If Facebook wanted to implement a truly trusted system for revenge porn victims, they could put the photo hashing on the user side of things -- so only the hash is transferred to Facebook. To verify the claim that the image is truly a revenge porn issue, the victim could have the images verified through a trusted revenge porn advocacy organization. Theoretically, the victim then would have a verified, privacy-safe version of the photo, and a hash that could be also sent to Google and other sites.

    (tags: facebook privacy hashing pictures images revenge-porn abuse via:jwz)

Links for 2017-11-09

Published November 9, 2017

Links for 2017-11-08

Published November 8, 2017

  • Facebook asks users for nude photos in project to combat revenge porn

    The photos are hashed, server-side, using the PhotoDNA hashing algorithm. This would have been way way better if it ran locally, on user's phones, instead though. Interesting to note that PhotoDNA claims to have a "1 in 10 billion" false positive rate according to https://www.itu.int/en/cop/case-studies/Documents/ICMEC_PhotoDNA.PDF

    (tags: photodna hashing images facebook revenge-porn messenger nudes photos)

  • The $280M Ethereum bug

    The newly deployed contract, 0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4, contains a vulnerability where its owner was uninitialized. Although, the contract is a library it was possible for devops199 to turn it into a regular multi-sig wallet since for Ethereum there is no real distinction between accounts, libraries, and contracts. The event occurred in two transactions, a first one to take over the library and a second one to kill the library?—?which was used by all multi-sig wallets created after the 20th of July. Since by design smart-contracts themselves can’t be patched easily, this make dependancies on third party libraries very lethal if a mistake happens. The fact that libraries are global is also arguable, this would be shocking if it was how our daily use Operating Systems would work.

    (tags: security bitcoin ethereum lol fail smart-contracts)

  • How Facebook Figures Out Everyone You've Ever Met

    Oh god this is so creepy.

    Facebook’s machinery operates on a scale far beyond normal human interactions. And the results of its People You May Know algorithm are anything but obvious. In the months I’ve been writing about PYMK, as Facebook calls it, I’ve heard more than a hundred bewildering anecdotes: A man who years ago donated sperm to a couple, secretly, so they could have a child—only to have Facebook recommend the child as a person he should know. He still knows the couple but is not friends with them on Facebook. A social worker whose client called her by her nickname on their second visit, because she’d shown up in his People You May Know, despite their not having exchanged contact information. A woman whose father left her family when she was six years old—and saw his then-mistress suggested to her as a Facebook friend 40 years later. An attorney who wrote: “I deleted Facebook after it recommended as PYMK a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email.”

    (tags: facebook privacy surveillance security creepy phones contacts pymk)

  • A Clash of Cultures

    In short, I am in support of Naomi Wu. Rather than let the Internet speculate on why, I am sharing my perspectives on the situation preemptively. As with most Internet controversies, it’s messy and emotional. I will try my best to outline the biases and issues I have observed. Of course, everyone has their perspective; you don’t have to agree with mine. And I suspect many of my core audience will dislike and disagree with this post. However, the beginning of healing starts with sharing and listening. I will share, and I respectfully request that readers read the entire content of this post before attacking any individual point out of context. The key forces I see at play are: Prototype Bias – how assumptions based on stereotypes influence the way we think and feel Idol Effect – the tendency to assign exaggerated capabilities and inflated expectations upon celebrities Power Asymmetry – those with more power have more influence, and should be held to a higher standard of accountability Guanxi Bias – the tendency to give foreign faces more credibility than local faces in China All these forces came together in a perfect storm this past week.

    (tags: culture engineering maker naomi-wu women stereotypes bias idols power china bunnie)

Links for 2017-11-07

Published November 7, 2017

Links for 2017-11-06

Published November 6, 2017

  • How to effectively complain to an Irish broadcaster about a public affairs show

    Simon McGarr: "If you think that a public affairs show has failed to address a matter with proper balance, you can (Tweet) say it to the breeze or complain. There is a process to follow to make an effective complaint 1) complain to broadcaster 2) complain to BAI if unhappy with response." Thread with more details, and yet more at https://twitter.com/IrishTV_films/status/927172642544783360

    (tags: complaining complaints rte bai ireland current-affairs)

  • The 10 Top Recommendations for the AI Field in 2017 from the AI Now Institute

    I am 100% behind this. There's so much potential for hidden bias and unethical discrimination in careless AI/ML deployment.

    While AI holds significant promise, we’re seeing significant challenges in the rapid push to integrate these systems into high stakes domains. In criminal justice, a team at Propublica, and multiple academics since, have investigated how an algorithm used by courts and law enforcement to predict recidivism in criminal defendants may be introducing significant bias against African Americans. In a healthcare setting, a study at the University of Pittsburgh Medical Center observed that an AI system used to triage pneumonia patients was missing a major risk factor for severe complications. In the education field, teachers in Texas successfully sued their school district for evaluating them based on a ‘black box’ algorithm, which was exposed to be deeply flawed. This handful of examples is just the start?—?there’s much more we do not yet know. Part of the challenge is that the industry currently lacks standardized methods for testing and auditing AI systems to ensure they are safe and not amplifying bias. Yet early-stage AI systems are being introduced simultaneously across multiple areas, including healthcare, finance, law, education, and the workplace. These systems are increasingly being used to predict everything from our taste in music, to our likelihood of experiencing mental illness, to our fitness for a job or a loan.

    (tags: ai algorithms machine-learning ai-now ethics bias racism discrimination)

  • Something is wrong on the internet – James Bridle – Medium

    'an essay on YouTube, children's videos, automation, abuse, and violence, which crystallises a lot of my current feelings about the internet through a particularly unpleasant example from it. [...] What we’re talking about is very young children [..] being deliberately targeted with content which will traumatise and disturb them, via networks which are extremely vulnerable to exactly this form of abuse. It’s not about trolls, but about a kind of violence inherent in the combination of digital systems and capitalist incentives. It’s down to that level of the metal.'

    (tags: internet youtube children web automation violence horror 4chan james-bridle)

Links for 2017-11-03

Published November 3, 2017

  • Inside The Great Poop Emoji Feud

    PILE_OF_POO in the news!

    The debate appears to be between some of Unicode’s most prolific contributors and typographers (Unicode was initially established to develop standards for translating alphabets into code that can be read across all computers and operating systems), and those in the consortium who focus primarily on the evolution of emojis. The two chief critics — Michael Everson and Andrew West, both typographers — say that the emoji proposal process has become too commercial and frivolous, thereby cheapening the Unicode Consortium’s long body of work. Their argument centers around “Frowning Pile Of Poo,” one of the emojis under consideration for the June 2018 class. In an Oct. 22 memo to the Unicode Technical Committee, Everson tore into the committee over the submission calling it “damaging ... to the Unicode standard.”

    (tags: pile-of-poo emoji funny michael-everson unicode frowning-poo poo shit)

  • newrelic/sidecar: Gossip-based service discovery. Docker native, but supports static discovery, too.

    An AP gossip-based service-discovery sidecar process.

    Services communicate to each other through an HAproxy instance on each host that is itself managed and configured by Sidecar. It is inspired by Airbnb's SmartStack. But, we believe it has a few advantages over SmartStack: Native support for Docker (works without Docker, too!); No dependence on Zookeeper or other centralized services; Peer-to-peer, so it works on your laptop or on a large cluster; Static binary means it's easy to deploy, and there is no interpreter needed; Tiny memory usage (under 20MB) and few execution threads means its very light weight

    (tags: clustering docker go service-discovery ap sidecar haproxy discovery architecture)

Links for 2017-11-02

Published November 2, 2017

  • aws-vault

    'A vault for securely storing and accessing AWS credentials in development environments'. Scott Piper says: 'You should not use the AWS CLI with MFA without aws-vault, and probably should not use the CLI at all without aws-vault, because of it's benefit of storing your keys outside of ~/.aws/credentials (since every once in a while a developer will decide to upload all their dot-files in their home directory to github so they can use the same .vimrc and .bashrc aliases everywhere, and will end up uploading their AWS creds).'

    (tags: aws vault security cli development coding dotfiles credentials mfa)

  • AWS Service Terms

    57.10 Acceptable Use; Safety-Critical Systems. Your use of the Lumberyard Materials must comply with the AWS Acceptable Use Policy. The Lumberyard Materials are not intended for use with life-critical or safety-critical systems, such as use in operation of medical equipment, automated transportation systems, autonomous vehicles, aircraft or air traffic control, nuclear facilities, manned spacecraft, or military use in connection with live combat. However, this restriction will not apply in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.
    Seems fair enough.

    (tags: aws zombies funny t-and-cs legal civilization just-in-case)

  • How the Guardian found 800,000 paying readers

    The strategy to rescue the Guardian from financial oblivion has attained a landmark position by increasing its revenue from readers to a point where it now outweighs the paper’s income from advertising. This significant shift in the Guardian’s business model, making it less dependent on a highly challenging advertising market for media companies, results largely from a quadrupling in the number of readers making monthly payments under the title’s membership scheme, which has grown from 75,000 to 300,000 members in the past year.
    Wow. Good job Guardian!

    (tags: guardian journalism subscriptions newspapers future membership donations)

  • How to make the function keys the default Touch Bar display

    Gonna need this for the new work laptop

    (tags: touchbar apple ui function-keys keyboard usability it-just-works)

  • 20 Touch Bar Tips & Tricks for the New MacBook Pro - YouTube

    another set of touchbar tips

    (tags: touchbar it-just-works apple ui usability youtube)

Links for 2017-11-01

Published November 1, 2017

  • Fooling Neural Networks in the Physical World with 3D Adversarial Objects · labsix

    This is amazingly weird stuff. Fooling NNs with adversarial objects:

    Here is a 3D-printed turtle that is classified at every viewpoint as a “rifle” by Google’s InceptionV3 image classifier, whereas the unperturbed turtle is consistently classified as “turtle”. We do this using a new algorithm for reliably producing adversarial examples that cause targeted misclassification under transformations like blur, rotation, zoom, or translation, and we use it to generate both 2D printouts and 3D models that fool a standard neural network at any angle. Our process works for arbitrary 3D models - not just turtles! We also made a baseball that classifies as an espresso at every angle! The examples still fool the neural network when we put them in front of semantically relevant backgrounds; for example, you’d never see a rifle underwater, or an espresso in a baseball mitt.

    (tags: ai deep-learning 3d-printing objects security hacking rifles models turtles adversarial-classification classification google inceptionv3 images image-classification)

  • Rich "Lowtax" Kyanka on Twitter's abuse/troll problem

    how did you solve this problem at Something Awful? You said you wrote a bunch of rules but internet pedants will always find ways to get around them. The last rule says we can ban you for any reason. It's like the catch-all. We can ban you if it's too hot in the room, we can ban you if we had a bad day, we can ban you if our finger slips and hits the ban button. And that way people know that if they're doing something and it's not technically breaking any rules but they're obviously trying to push shit as far as they can, we can still ban them. But, unlike Twitter, we actually have what's called the Leper's Colony, which says what they did and has their track record. Twitter just says, “You're gone.”

    (tags: twitter communication discussion history somethingawful lowtax)

Links for 2017-10-25

Published October 25, 2017

Links for 2017-10-24

Published October 24, 2017

Links for 2017-10-19

Published October 19, 2017

  • Open-sourcing RacerD: Fast static race detection at scale | Engineering Blog | Facebook Code

    At Facebook we have been working on automated reasoning about concurrency in our work with the Infer static analyzer. RacerD, our new open source race detector, searches for data races — unsynchronized memory accesses, where one is a write — in Java programs, and it does this without running the program it is analyzing. RacerD employs symbolic reasoning to cover many paths through an app, quickly.
    This sounds extremely interesting...

    (tags: racerd race-conditions data-races thread-safety static-code-analysis coding testing facebook open-source infer)

  • Solera - Wikipedia

    Fascinating stuff -- from Felix Cohen's excellent twitter thread.

    Solera is a process for aging liquids such as wine, beer, vinegar, and brandy, by fractional blending in such a way that the finished product is a mixture of ages, with the average age gradually increasing as the process continues over many years. The purpose of this labor-intensive process is the maintenance of a reliable style and quality of the beverage over time. Solera means literally "on the ground" in Spanish, and it refers to the lower level of the set of barrels or other containers used in the process; the liquid (traditionally transferred from barrel to barrel, top to bottom, the oldest mixtures being in the barrel right "on the ground"), although the containers in today's process are not necessarily stacked physically in the way that this implies, but merely carefully labeled. Products which are often solera aged include Sherry, Madeira, Lillet, Port wine, Marsala, Mavrodafni, Muscat, and Muscadelle wines; Balsamic, Commandaria, some Vins doux naturels, and Sherry vinegars; Brandy de Jerez; beer; rums; and whiskies. Since the origin of this process is undoubtedly out of the Iberian peninsula, most of the traditional terminology was in Spanish, Portuguese, or Catalan.

    (tags: wine aging solera sherry muscat vinegar brandy beer rum whiskey whisky brewing spain)

Links for 2017-10-18

Published October 18, 2017

Links for 2017-10-17

Published October 17, 2017

Links for 2017-10-16

Published October 16, 2017

Links for 2017-10-12

Published October 12, 2017

Links for 2017-10-11

Published October 11, 2017

  • Study: wearing hi-viz clothing does not reduce risk of collision for cyclists

    Journal of Transport & Health, 22 March 2017:

    This study found no evidence that cyclists using conspicuity aids were at reduced risk of a collision crash compared to non-users after adjustment for confounding, but there was some evidence of an increase in risk. Bias and residual confounding from differing route selection and cycling behaviours in users of conspicuity aids are possible explanations for these findings. Conspicuity aids may not be effective in reducing collision crash risk for cyclists in highly-motorised environments when used in the absence of other bicycle crash prevention measures such as increased segregation or lower motor vehicle speeds.

    (tags: health safety hi-viz clothing cycling commute visibility collision crashes papers)

Links for 2017-10-10

Published October 10, 2017

Links for 2017-10-09

Published October 9, 2017

Links for 2017-10-06

Published October 6, 2017

  • The world's first cyber-attack, on the Chappe telegraph system, in Bordeaux in 1834

    The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, where information about market movements took several days to arrive from Paris by mail coach. Accordingly, traders who could get the information more quickly could make money by anticipating these movements. Some tried using messengers and carrier pigeons, but the Blanc brothers found a way to use the telegraph line instead. They bribed the telegraph operator in the city of Tours to introduce deliberate errors into routine government messages being sent over the network. The telegraph’s encoding system included a “backspace” symbol that instructed the transcriber to ignore the previous character. The addition of a spurious character indicating the direction of the previous day’s market movement, followed by a backspace, meant the text of the message being sent was unaffected when it was written out for delivery at the end of the line. But this extra character could be seen by another accomplice: a former telegraph operator who observed the telegraph tower outside Bordeaux with a telescope, and then passed on the news to the Blancs. The scam was only uncovered in 1836, when the crooked operator in Tours fell ill and revealed all to a friend, who he hoped would take his place. The Blanc brothers were put on trial, though they could not be convicted because there was no law against misuse of data networks. But the Blancs’ pioneering misuse of the French network qualifies as the world’s first cyber-attack.

    (tags: bordeaux hacking history security technology cyber-attacks telegraph telegraphes-chappe)

  • Slack 103: Communication and culture

    Interesting note on some emergent Slack communications systems using emoji: "redirect raccoon", voting, and "I'm taking a look at this"

    (tags: slack communications emojis emoji online talk chat)

  • This Future Looks Familiar: Watching Blade Runner in 2017

    I told a lot of people that I was going to watch Blade Runner for the first time, because I know that people have opinions about Blade Runner. All of them gave me a few watery opinions to keep in mind going in—nothing that would spoil me, but things that would help me understand what they assured me would be a Very Strange Film. None of them told me the right things, though.

    (tags: culture movies film blade-runner politics slavery replicants)

  • poor man's profiler

    'Sampling tools like oprofile or dtrace's profile provider don't really provide methods to see what [multithreaded] programs are blocking on - only where they spend CPU time. Though there exist advanced techniques (such as systemtap and dtrace call level probes), it is overkill to build upon that. Poor man doesn't have time. Poor man needs food.' Basically periodically grabbing stack traces from running processes using gdb.

    (tags: gdb profiling linux unix mark-callaghan stack-traces performance)

Links for 2017-10-03

Published October 3, 2017

  • Intel pcj library for persistent memory-oriented data structures

    This is a "pilot" project to develop a library for Java objects stored in persistent memory. Persistent collections are being emphasized because many applications for persistent memory seem to map well to the use of collections. One of this project's goals is to make programming with persistent objects feel natural to a Java developer, for example, by using familiar Java constructs when incorporating persistence elements such as data consistency and object lifetime. The breadth of persistent types is currently limited and the code is not performance-optimized. We are making the code available because we believe it can be useful in experiments to retrofit existing Java code to use persistent memory and to explore persistent Java programming in general.
    (via Mario Fusco)

    (tags: persistent-memory data-structures storage persistence java coding future)

  • Google and Facebook Have Failed Us - The Atlantic

    There’s no hiding behind algorithms anymore. The problems cannot be minimized. The machines have shown they are not up to the task of dealing with rare, breaking news events, and it is unlikely that they will be in the near future. More humans must be added to the decision-making process, and the sooner the better.

    (tags: algorithms facebook google las-vegas news filtering hoaxes 4chan abuse breaking-news responsibility silicon-valley)

Links for 2017-10-02

Published October 2, 2017

Links for 2017-09-29

Published September 29, 2017

  • The Israeli Digital Rights Movement's campaign for privacy | Internet Policy Review

    This study explores the persuasion techniques used by the Israeli Digital Rights Movement in its campaign against Israel’s biometric database. The research was based on analysing the movement's official publications and announcements and the journalistic discourse that surrounded their campaign within the political, judicial, and public arenas in 2009-2017. The results demonstrate how the organisation navigated three persuasion frames to achieve its goals: the unnecessity of a biometric database in democracy; the database’s ineffectiveness; and governmental incompetence in securing it. I conclude by discussing how analysing civil society privacy campaigns can shed light over different regimes of privacy governance. [....] 1. Why the database should be abolished: because it's not necessary - As the organisation highlighted repeatedly throughout the campaign with the backing of cyber experts, there is a significant difference between issuing smart documents and creating a database. Issuing smart documents effectively solves the problem of stealing and forging official documents, but does it necessarily entail the creation of a database? The activists’ answer is no: they declared that while they do support the transition to smart documents (passports and ID cards) for Israeli citizens, they object to the creation of a database due to its violation of citizens' privacy. 2. Why the database should be abolished: because it's ineffective; [...] 3. Why the database should be abolished: because it will be breached - The final argument was that the database should be abolished because the government would not be able to guarantee protection against security breaches, and hence possible identity theft.

    (tags: digital-rights privacy databases id-cards israel psc drm identity-theft security)

Links for 2017-09-28

Published September 28, 2017

Links for 2017-09-27

Published September 27, 2017

Links for 2017-09-25

Published September 25, 2017

  • Legendary aquarium "piscamel" thread from the GotMead forums

    I thought I had detected a studied disinterest for my March 28 questions about raising fish and making mead in the same aquarium --- now I realize that you mazers probably thought I was drunk. My hypothesis was that fish manures would provide valuable fertilizer to the yeast, the aquarium bubbler would keep O2 levels high, and the fish would get a nice honey drink. The result, instead, was 3 "piscamels" flavored by rotting fish.
    This sounds utterly revolting. Mead made with biohazard waste. Those poor fish! (via John Looney)

    (tags: via:johnlooney biohazard mead fish aquarium gotmead forums brewing disgusting)

  • Relicensing React, Jest, Flow, and Immutable.js | Engineering Blog | Facebook Code

    This decision comes after several weeks of disappointment and uncertainty for our community. Although we still believe our BSD + Patents license provides some benefits to users of our projects, we acknowledge that we failed to decisively convince this community.

    (tags: facebook opensource react patents swpats bsd licensing)

  • 'Monitoring Cloudflare's planet-scale edge network with Prometheus' (preso)

    from SRECon EMEA 2017; how Cloudflare are replacing Nagios with Prometheus and grafana

    (tags: metrics monitoring alerting prometheus grafana nagios)

  • European Commission study finds no link between piracy and lower sales of digital content

    According to the report, an average of 51% of adults and 72% of minors in the EU have pirated digital content, with Poland and Spain averaging the highest rates of all countries surveyed. Nevertheless, displacement rates (the impact of piracy on legitimate sales) were found to be negligible or non-existent for music, books and games, while rates for films and TV were in line with previous digital piracy studies. Most interesting is the fact that the study found that illegal game downloads actually lead to an increase in legal purchases. The report concludes that tactics like video game microtransactions are proving effective in converting illegal users to paying users. The full report goes in-depth regarding potential factors influencing piracy and the challenges of accurately tracking its impact on legitimate sales, but the researchers ultimately conclude that there is no robust statistical evidence that illegal downloads reduce legal sales. That's big news, which makes it all the more troubling that the EU effectively buried it for two years.

    (tags: piracy eu studies downloads ec games movies books content)

  • Understanding Uber: It's Not About The App

    the next time you see a link to a petition or someone raging about this decision being ‘anti-innovation’, remember Greyball. Remember the Metropolitan Police letter [regarding several sexual assaults which Uber didn't report to police]. Remember that this is about holding ULL, as a company, to the same set of standards to which every other mini-cab operator in London already complies. Most of all though remember: it is not about the app.

    (tags: uber ull safety crime london assault greyball taxis cabs apps)

Links for 2017-09-21

Published September 21, 2017

Links for 2017-09-20

Published September 20, 2017

  • Locking, Little's Law, and the USL

    Excellent explanatory mailing list post by Martin Thompson to the mechanical-sympathy group, discussing Little's Law vs the USL:

    Little's law can be used to describe a system in steady state from a queuing perspective, i.e. arrival and leaving rates are balanced. In this case it is a crude way of modelling a system with a contention percentage of 100% under Amdahl's law, in that throughput is one over latency. However this is an inaccurate way to model a system with locks. Amdahl's law does not account for coherence costs. For example, if you wrote a microbenchmark with a single thread to measure the lock cost then it is much lower than in a multi-threaded environment where cache coherence, other OS costs such as scheduling, and lock implementations need to be considered. Universal Scalability Law (USL) accounts for both the contention and the coherence costs. http://www.perfdynamics.com/Manifesto/USLscalability.html When modelling locks it is necessary to consider how contention and coherence costs vary given how they can be implemented. Consider in Java how we have biased locking, thin locks, fat locks, inflation, and revoking biases which can cause safe points that bring all threads in the JVM to a stop with a significant coherence component.

    (tags: usl scaling scalability performance locking locks java jvm amdahls-law littles-law system-dynamics modelling systems caching threads schedulers contention)

  • "HTML email, was that your fault?"

    jwz may indeed have invented this feature way back in Netscape Mail. FWIW I think he's right -- Netscape Mail was the first usage of HTML email I recall

    (tags: netscape history html email smtp mime mozilla jwz)

Links for 2017-09-19

Published September 19, 2017

  • Undercover operation 'Close Pass' reduced cyclist injuries by 20% in a year

    An initiative to protect cyclists from dangerous overtaking has been praised, after reducing the amount of cyclists killed or seriously injured on the roads by 20% over the last year. Operation 'Close Pass' was devised by West Midlands Police as a low cost way of preventing accidents caused by motorists who are driving too close for comfort.
    (Via Tony Finch)

    (tags: cycling via:fanf safety overtaking roads bikes)

  • Normietivity: A Review of Angela Nagle's Kill all Normies

    Due to a persistent vagueness in targets and refusal to respond to the best arguments presented by those she loosely groups together, Nagle does not provide the thoroughgoing and immanent treatment of the left which would be required to achieve the profound intervention she clearly intended. Nor does she grapple with the difficult implications figures like Greer (with her transphobic campaign against a vulnerable colleague) and Milo (with his direct advocacy for the nativist and carceral state) present for free speech absolutists. And indeed, the blurring their specifically shared transphobia causes for distinguishing between left and right wing social analysis. In genre terms, Nagle’s writing is best described as travel writing for internet culture. Kill All Normies provides a string of curios and oddities (from neo-nazi cults, to inscrutably gendered teenagers) to an audience expected to find them unfamiliar, and titillating. Nagle attempts to cast herself as an aloof and wry explorer, but at various points her commitments become all too clear. Nagle implicitly casts her reader as the eponymous normies, overlooking those of us who live through lives with transgenders, in the wake of colonialism, despite invisible disabilities (including depression), and all the rest. This is both a shame and a missed opportunity, because the deadly violence the Alt-Right has proven itself capable of is in urgent need of evaluation, but so too are the very real dysfunctions which afflict the left (both online and IRL). After this book patient, discerning, explanatory, and immanent readings of internet culture remain sorely needed. The best that can be said for Kill All Normies is, as the old meme goes, “An attempt was made.”

    (tags: angela-nagle normies books reading transphobia germaine-greer milo alt-right politics internet 4chan)

Links for 2017-09-18

Published September 18, 2017

  • Native Memory Tracking

    Java 8 HotSpot feature to monitor and diagnose native memory leaks

    (tags: java jvm memory native-memory malloc debugging coding nmt java-8 jcmd)

  • This Heroic Captain Defied His Orders and Stopped America From Starting World War III

    Captain William Bassett, a USAF officer stationed at Okinawa on October 28, 1962, can now be added alongside Stanislav Petrov to the list of people who have saved the world from WWIII:

    By [John] Bordne’s account, at the height of the Cuban Missile Crisis, Air Force crews on Okinawa were ordered to launch 32 missiles, each carrying a large nuclear warhead. [...] The Captain told Missile Operations Center over the phone that he either needed to hear that the threat level had been raised to DEFCON 1 and that he should fire the nukes, or that he should stand down. We don’t know exactly what the Missile Operations Center told Captain Bassett, but they finally received confirmation that they should not launch their nukes. After the crisis had passed Bassett reportedly told his men: “None of us will discuss anything that happened here tonight, and I mean anything. No discussions at the barracks, in a bar, or even here at the launch site. You do not even write home about this. Am I making myself perfectly clear on this subject?”

    (tags: wwiii history nukes cuban-missile-crisis 1960s usaf okinawa missiles william-bassett)

  • malware piggybacking on CCleaner

    On September 13, 2017 while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017.

    (tags: ccleaner malware avast piriform windows security)

Links for 2017-09-15

Published September 15, 2017

  • Malicious typosquatting packages in PyPI

    skcsirt-sa-20170909-pypi vulnerability announcement from SK-CSIRT:

    SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI, posing as well known libraries. A prominent example is a fake package urllib-1.21.1.tar.gz, based upon a well known package urllib3-1.21.1.tar.gz. Such packages may have been downloaded by unwitting developer or administrator by various means, including the popular “pip” utility (pip install urllib). There is evidence that the fake packages have indeed been downloaded and incorporated into software multiple times between June 2017 and September 2017.

    (tags: pypi python typos urllib security malware)

Links for 2017-09-14

Published September 14, 2017

  • London police’s use of AFR facial recognition falls flat on its face

    A “top-of-the-line” automated facial recognition (AFR) system trialled for the second year in a row at London’s Notting Hill Carnival couldn’t even tell the difference between a young woman and a balding man, according to a rights group worker invited to view it in action. Because yes, of course they did it again: London’s Met police used controversial, inaccurate, largely unregulated automated facial recognition (AFR) technology to spot troublemakers. And once again, it did more harm than good. Last year, it proved useless. This year, it proved worse than useless: it blew up in their faces, with 35 false matches and one wrongful arrest of somebody erroneously tagged as being wanted on a warrant for a rioting offense. [...] During a recent, scathing US House oversight committee hearing on the FBI’s use of the technology, it emerged that 80% of the people in the FBI database don’t have any sort of arrest record. Yet the system’s recognition algorithm inaccurately identifies them during criminal searches 15% of the time, with black women most often being misidentified.

    (tags: face-recognition afr london notting-hill-carnival police liberty met-police privacy data-privacy algorithms)

Links for 2017-09-13

Published September 13, 2017

Links for 2017-09-12

Published September 12, 2017

  • "You Can't Stay Here: The Efficacy of Reddit’s 2015 Ban Examined Through Hate Speech"

    In 2015, Reddit closed several subreddits—foremost among them r/fatpeoplehate and r/CoonTown—due to violations of Reddit’s anti-harassment policy. However, the effectiveness of banning as a moderation approach remains unclear: banning might diminish hateful behavior, or it may relocate such behavior to different parts of the site. We study the ban of r/fatpeoplehate and r/CoonTown in terms of its effect on both participating users and affected subreddits. Working from over 100M Reddit posts and comments, we generate hate speech lexicons to examine variations in hate speech usage via causal inference methods. We find that the ban worked for Reddit. More accounts than expected discontinued using the site; those that stayed drastically decreased their hate speech usage—by at least 80%. Though many subreddits saw an influx of r/fatpeoplehate and r/CoonTown “migrants,” those subreddits saw no significant changes in hate speech usage. In other words, other subreddits did not inherit the problem. We conclude by reflecting on the apparent success of the ban, discussing implications for online moderation, Reddit and internet communities more broadly.
    (Via Anil Dash)

    (tags: abuse reddit research hate-speech community moderation racism internet)

  • The Immortal Myths About Online Abuse – Humane Tech – Medium

    After building online communities for two decades, we’ve learned how to fight abuse. It’s a solvable problem. We just have to stop repeating the same myths as excuses not to fix things.
    Here are the 8 myths Anil Dash picks out: 1. False: You can’t fix abusive behavior online. 2. False: Fighting abuse hurts free speech! 3. False: Software can detect abuse using simple rules. 4. False: Most people say “abuse” when they just mean criticism. 5. False: We just need everybody to use their “real” name. 6. False: Just charge a dollar to comment and that’ll fix things. 7. False: You can call the cops! If it’s not illegal, it’s not harmful. 8. False: Abuse can be fixed without dedicated resources.

    (tags: abuse comments community harassment racism reddit anil-dash free-speech)

  • 'Let’s all survive the GDPR'

    Simon McGarr and John Looney's slides from their SRECon '17 presentation

    (tags: simon-mcgarr data-privacy privacy data-protection gdpr slides presentations)

Links for 2017-09-11

Published September 11, 2017

  • The React license for founders and CTOs – James Ide – Medium

    Decent explanation of _why_ Facebook came up with the BSD+Patents license: "Facebook’s patent grant is about sharing its code while preserving its ability to defend itself against patent lawsuits."

    The difficulty of open sourcing code at Facebook, including React in 2013, was one of the reasons the company’s open-source contributions used to be a fraction of what they are today. It didn’t use to have a strong reputation as an open-source contributor to front-end technologies. Facebook wanted to open source code, though; when it grew communities for projects like React, core contributors emerged to help out and interview candidates often cited React and other Facebook open source as one of the reasons they were interested in applying. People at Facebook wanted to make it easier to open source code and not worry as much about patents. Facebook’s solution was the Facebook BSD+Patents license.

    (tags: facebook bsd licenses licensing asf patents swpats react license software-patents open-source rocksdb)

  • HN thread on the new Network Load Balancer AWS product

    looks like @colmmacc works on it. Lots and lots of good details here

    (tags: nlb aws load-balancing ops architecture lbs tcp ip)

  • Java Flame Graphs Introduction: Fire For Everyone!

    lots of good detail on flame graph usage in Java, and the Honest Profiler (honest because it's safepoint-free)

    (tags: profiling java safepoints jvm flame-graphs perf measurement benchmarking testing)

  • Teaching Students to Code - What Works

    Lynn Langit describing her work as part of Microsoft Digigirlz and TKP to teach thousands of kids worldwide to code. Describes a curriculum from "K" (4-6-year olds) learning computational thinking with a block-based programming environment like Scratch, up to University level, solving problems with public clouds like AWS' free tier.

    (tags: education learning coding teaching tkp lynn-langit scratch kids)

  • So much for that Voynich manuscript “solution”

    boo.

    The idea that the book is a medical treatise on women's health, however, might turn out to be correct. But that wasn't Gibbs' discovery. Many scholars and amateur sleuths had already reached that conclusion, using the same evidence that Gibbs did. Essentially, Gibbs rolled together a bunch of already-existing scholarship and did a highly speculative translation, without even consulting the librarians at the institute where the book resides. Gibbs said in the TLS article that he did his research for an unnamed "television network." Given that Gibbs' main claim to fame before this article was a series of books about how to write and sell television screenplays, it seems that his goal in this research was probably to sell a television screenplay of his own. In 2015, Gibbs did an interview where he said that in five years, "I would like to think I could have a returnable series up and running." Considering the dubious accuracy of many History Channel "documentaries," he might just get his wish.

    (tags: crypto history voynich-manuscript historians tls)

  • How to Optimize Garbage Collection in Go

    In this post, we’ll share a few powerful optimizations that mitigate many of the performance problems common to Go’s garbage collection (we will cover “fun with deadlocks” in a follow-up). In particular, we’ll share how embedding structs, using sync.Pool, and reusing backing arrays can minimize memory allocations and reduce garbage collection overhead.

    (tags: garbage performance gc golang go coding)

Links for 2017-09-09

Published September 9, 2017

  • Firms involved in biometric database in India contracted by Irish government

    Two tech firms – one owned by businessman Dermot Desmond – involved in the creation of a controversial biometric database in India, are providing services for the Government’s public services card and passports. Known as the Aadhaar project, the Indian scheme is the world’s largest ever biometric database involving 1.2 billion citizens. Initially voluntary, it became mandatory for obtaining state services, for paying taxes and for opening a bank account. [...] Dermot Casey, a former chief technology officer of Storyful, said that if the Daon system was used to store the data and carry out the facial matching then the Government “appears to have purchased a biometric database system which can be extended to include voice, fingerprint and iris identification at a moment’s notice”. Katherine O’Keefe, a data protection consultant with Castlebridge, said if the departments were using images of people’s faces to single out or identify an individual, they were “by legal definition processing biometric data”.

    (tags: biometrics databases aadhar id-cards ireland psc daon morpho)

Links for 2017-09-08

Published September 8, 2017

Links for 2017-08-30

Published August 30, 2017

  • Comment: 'Mandatory but not compulsory' - what exactly is the justification for the Public Services Card? - Independent.ie

    TJ McIntyre nails the problem here:

    'Mandatory but not compulsory". This ill-judged hair-splitting seems likely to stick to Social Protection Minister Regina Doherty in the same way that "an Irish solution to an Irish problem" and "on mature recollection" did to politicians before her. The minister used that phrase to defend against the criticism that the public services card (PSC) is being rolled out as a national ID card by stealth, without any clear legal basis or public debate. She went on to say that the PSC is not compulsory as "nobody will drag you kicking and screaming to have a card". This is correct, but irrelevant. The Government's strategy is one of making the PSC effectively rather than legally compulsory - by cutting off benefits such as pensions and refusing driving licences and passports unless a person registers. Whether or not the PSC is required by law is immaterial if you cannot function in society without it.

    (tags: psc id-cards ireland social-welfare id privacy data-protection)

Links for 2017-08-28

Published August 28, 2017

Links for 2017-08-24

Published August 24, 2017

Links for 2017-08-21

Published August 21, 2017

  • 48 Hours In Dublin

    good set of tourist tips for a foodie Dublin weekender

    (tags: dublin tourism food eating dining restaurants tips weekend)

  • Linux Load Averages: Solving the Mystery

    Nice bit of OS archaeology by Brendan Gregg.

    In 1993, a Linux engineer found a nonintuitive case with load averages, and with a three-line patch changed them forever from "CPU load averages" to what one might call "system load averages." His change included tasks in the uninterruptible state, so that load averages reflected demand for disk resources and not just CPUs. These system load averages count the number of threads working and waiting to work, and are summarized as a triplet of exponentially-damped moving sum averages that use 1, 5, and 15 minutes as constants in an equation. This triplet of numbers lets you see if load is increasing or decreasing, and their greatest value may be for relative comparisons with themselves.

    (tags: load monitoring linux unix performance ops brendan-gregg history cpu)

  • Distilled Identity

    Gabriel recently bought a distillery in Barbados, where he says the majority of his team is of African descent. “The sugar industry is a painful past for them, but my understanding, from my team, is that they do see it as the past,” Gabriel explained. “There was great suffering, but their take is like, ‘We built this island.’ They are reclaiming it, and we are seeing that in efforts to preserve farming land and not let it all go to tourism.” I rather liked this narrative, or at least the potential of it. Slavery was appalling across the board, but countries and cultures throughout the African Diaspora have managed their paths forward in ways that don’t mimic the American aftermath. A plurality of narratives was possible here, which was thrilling to me. I am often disappointed by the mainstream perception of one-note blackness. One could easily argue the root of colonization is far from removed in the Caribbean. But if I understood Gabriel, and if he accurately captured the sentiments of his Barbadian colleagues, plantation sugarcane offered career opportunities to some, and was perhaps not solely a distressing connection to a shared global history. We chewed on this thought, together, in silence.

    (tags: history distilling rum barbados african-diaspora slavery american-history booze language etymology)

  • cristim/autospotting

    'Easy to use tool that automatically replaces some or even all on-demand AutoScaling group members with similar or larger identically configured spot instances in order to generate significant cost savings on AWS EC2, behaving much like an AutoScaling-backed spot fleet.'

    (tags: asg autoscaling ec2 aws spot-fleet spot-instances cost-saving scaling)

  • Going Multi-Cloud with AWS and GCP: Lessons Learned at Scale

    Metamarkets splits across AWS and GCP, going into heavy detail here

    (tags: aws gcp google ops hosting multi-cloud)

Links for 2017-08-20

Published August 20, 2017

Links for 2017-08-17

Published August 17, 2017

  • NASA's Sound Suppression Water System

    If you’ve ever watched a rocket launch, you’ve probably noticed the billowing clouds around the launch pad during lift-off. What you’re seeing is not actually the rocket’s exhaust but the result of a launch pad and vehicle protection system known in NASA parlance as the Sound Suppression Water System. Exhaust gases from a rocket typically exit at a pressure higher than the ambient atmosphere, which generates shock waves and lots of turbulent mixing between the exhaust and the air. Put differently, launch ignition is incredibly loud, loud enough to cause structural damage to the launchpad and, via reflection, the vehicle and its contents. To mitigate this problem, launch operators use a massive water injection system that pours about 3.5 times as much water as rocket propellant per second. This significantly reduces the noise levels on the launchpad and vehicle and also helps protect the infrastructure from heat damage.

    (tags: water rockets launch nasa space sound-suppression sound science)

  • The White Lies of Craft Culture - Eater

    Besides field laborers, [Southern US] planter and urban communities both depended on proficient carpenters, blacksmiths, gardeners, stable hands, seamstresses, and cooks; the America of the 1700s and 1800s was literally crafted by people of color. Part of this hidden history includes the revelation that six slaves were critical to the operation of George Washington’s distillery, and that the eponymous Jack Daniel learned to make whiskey from an enslaved black man named Nathan “Nearest” Green. As Clay Risen reported for the New York Times last year, contrary to the predominant narrative that views whiskey as an ever “lily-white affair,” black men were the minds and hands behind American whiskey production. “In the same way that white cookbook authors often appropriated recipes from their black cooks, white distillery owners took credit for the whiskey,” he writes. Described as “the best whiskey maker that I know of” by his master, Dan Call, Green taught young Jack Daniel how to run a whiskey still. When Daniel later opened his own distillery, he hired two of Green’s sons. The popular image of moonshine is a product of the white cultural monopoly on all things ‘country’ Over time, that legacy was forgotten, creating a gap in knowledge about American distilling traditions — while English, German, Scottish, and Irish influences exist, that combination alone cannot explain the entirely of American distilling. As bourbon historian Michael Veach suggests, slave culture pieces together an otherwise puzzling intellectual history.

    (tags: history craft-beer craft-culture food drink whiskey distilling black-history jack-daniels nathan-nearest-green)

  • Meet the Espresso Tonic, Iced Coffee's Bubbly New Cousin

    Bit late on this one but YUM

    To make the drink, Box Kite baristas simply load a glass with ice, fill it about three quarters of the way with chilled tonic, and then top it off with an espresso shot — typically from roasters like Madcap (MI) and Ritual (SF). Often, baristas pull the espresso shot directly on top of the tonic and ice mixture, forgoing the process of first pulling it into a cup and then pouring the espresso from cup to glass.

    (tags: tonic-water recipes espresso coffee drinks cocktails)

Links for 2017-08-16

Published August 16, 2017

  • Fsq.io

    Foursquare's open source repo, where they extract reusable components for open sourcing -- I like the approach of using a separate top level module path for OSS bits

    (tags: open-source oss foursquare libraries maintainance coding git monorepos)

  • GTK+ switches build from Autotools to Meson

    'The main change is that now GTK+ takes about ? of the time to build compared to the Autotools build, with likely bigger wins on older/less powerful hardware; the Visual Studio support on Windows should be at least a couple of orders of magnitude easier (shout out to Fan Chun-wei for having spent so, so many hours ensuring that we could even build on Windows with Visual Studio and MSVC); and maintaining the build system should be equally easier for everyone on any platform we currently support.' Looking at http://mesonbuild.com/ it appears to be Python-based and AL2-licensed open source. On the downside, though, the Meson file is basically a Python script, which is something I'm really not fond of :( more details at http://taint.org/2011/02/18/001527a.html .

    (tags: meson build coding dev autotools gtk+ python)

  • Matt Haughey ???????? on Twitter: "high quality LED light tape for bikes and wheels is ridiculously cheap these days"

    good thread on fitting out a bike with crazy LED light tape; see also EL string. Apparently it'll run off a 4.5V (3xAAA) battery pack nowadays which makes it pretty viable!

    (tags: bikes cycling safety led-lights el-tape led-tape hacks via:mathowie)

  • M00N

    a beautifully-glitched photo of the moon by Giacomo Carmagnola; more on his art at http://www.bleaq.com/2015/giacomo-carmagnola . (Via Archillect)

    (tags: via:archillect art giacomo-carmagnola glitch-art moon glitch images)

  • How to shop on AliExpress

    From the aptly-named Aliholic.com. Thanks, Elliot -- the last thing I needed was something to feed my addiction to cheap tat from China!

    (tags: china aliexpress dealextreme gearbest gadgets buying tat aliholic stuff)

  • TIL you shouldn’t use conditioner if you get nuked

    If you shower carefully with soap and shampoo, Karam says [Andrew Karam, radiation expert], the radioactive dust should wash right out. But hair conditioner has particular compounds called cationic surfactants and polymers. If radioactive particles have drifted underneath damaged scales of hair protein, these compounds can pull those scales down to create a smooth strand of hair. "That can trap particles of contamination inside of the scale," Karam says. These conditioner compounds are also oily and have a positive charge on one end that will make them stick to negatively charged sections of a strand of hair, says Perry Romanowski, a cosmetics chemist who has developed personal hygiene formulas and now hosts "The Beauty Brains" podcast on cosmetics chemistry. "Unlike shampoo, conditioners are meant to stay behind on your hair," Romanowski says. If the conditioner comes into contact with radioactive material, these sticky, oily compounds can gum radioactive dust into your hair, he says.

    (tags: factoids conditioner surfactants nuclear-bombs fallout hair bizarre til via:boingboing)

Links for 2017-08-15

Published August 15, 2017

  • Allen curve - Wikipedia

    During the late 1970s, [Professor Thomas J.] Allen undertook a project to determine how the distance between engineers’ offices affects the frequency of technical communication between them. The result of that research, produced what is now known as the Allen Curve, revealed that there is a strong negative correlation between physical distance and the frequency of communication between work stations. The finding also revealed the critical distance of 50 meters for weekly technical communication. With the fast advancement of internet and sharp drop of telecommunication cost, some wonder the observation of Allen Curve in today's corporate environment. In his recently co-authored book, Allen examined this question and the same still holds true. He says[2] "For example, rather than finding that the probability of telephone communication increases with distance, as face-to-face probability decays, our data show a decay in the use of all communication media with distance (following a "near-field" rise)." [p. 58]
    Apparently a few years back in Google, some staff mined the promotion data, and were able to show a Allen-like curve that proved a strong correlation between distance from Jeff Dean's desk, and time to getting promoted.

    (tags: jeff-dean google history allen-curve work communication distance offices workplace teleworking remote-work)

  • Arq Backs Up To B2!

    Arq backup for OSX now supports B2 (as well as S3) as a storage backend. "it’s a super-cheap option ($.005/GB per month) for storing your backups." (that is less than half the price of $0.0125/GB for S3's Infrequent Access class)

    (tags: s3 storage b2 backblaze backups arq macosx ops)

  • After Charlottesville, I Asked My Dad About Selma

    Dad told me that he didn’t think I was going to have to go through what he went through, but now he can see that he was wrong. “This fight is a never-ending fight,” he said. “There’s no end to it. I think after the ‘60s, the whole black revolution, Martin Luther King, H. Rap Brown, Stokely Carmichael and all the rest of the people, after that happened, people went to sleep,” he said. “They thought, ‘this is over.’”

    (tags: selma charlottesville racism nazis america race history civil-rights 1960s)

Links for 2017-08-14

Published August 14, 2017

Links for 2017-08-13

Published August 13, 2017

Links for 2017-08-12

Published August 12, 2017

  • Hyperscan

    a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, yet functions as a standalone library with its own API written in C. Hyperscan uses hybrid automata techniques to allow simultaneous matching of large numbers (up to tens of thousands) of regular expressions, as well as matching of regular expressions across streams of data. Hyperscan is typically used in a DPI library stack. Hyperscan began in 2008, and evolved from a commercial closed-source product 2009-2015. First developed at Sensory Networks Incorporated, and later acquired and released as open source software by Intel in October 2015.  Hyperscan is under a 3-clause BSD license. We welcome outside contributors.
    This is really impressive -- state of the art in parallel regexp matching has improved quite a lot since I was last looking at it. (via Tony Finch)

    (tags: via:fanf regexps regular-expressions text matching pattern-matching intel open-source bsd c dpi scanning sensory-networks)

Links for 2017-08-08

Published August 8, 2017

  • Beard vs Taleb: Scientism and the Nature of Historical Inquiry

    The most interesting aspect of this Twitter war is that it is representative of a malaise that has stricken a good chunk of academics (mostly scientists, with a peppering of philosophers) and an increasing portion of the general public: scientism. I have co-edited an entire book, due out soon, on the topic, which features authors who are pro, con, and somewhere in the middle. Scientism is defined as the belief that the assumptions, methods of research, etc., of the natural sciences are the only ways to gather valuable knowledge or to answer meaningful questions. Everything else, to paraphrase Taleb, is bullshit. Does Taleb engage in scientism? Indubitably. I have already mentioned above his generalization from what one particular historian (Beard) said to “historians” tout court. But there is more, from his Twitter feed: “there is this absence of intellectual rigor in humanities.” “Are historians idiots? Let’s be polite and say that they are in the majority no rocket scientists and operate under a structural bias. It looks like an empirically rigorous view of historiography is missing.”

    (tags: history science scientism nassim-taleb argument debate proof romans britain mary-beard)

  • Google’s Response to Employee’s Anti-Diversity Manifesto Ignores Workplace Discrimination Law – Medium

    A workplace-discrimination lawyer writes:

    Stray remarks are not enough. But a widespread workplace discussion of whether women engineers are biologically capable of performing at the same level as their male counterparts could suffice to create a hostile work environment. As another example, envision the racial hostility of a workplace where employees, as Google put it, “feel safe” to espouse their “alternative view” that their African-American colleagues are not well-represented in management positions because they are not genetically predisposed for leadership roles. In short, a workplace where people “feel safe sharing opinions” based on gender (or racial, ethnic or religious) stereotypes may become so offensive that it legally amounts to actionable discrimination.

    (tags: employment sexism workplace discrimination racism misogyny women beliefs)

  • a list of all the nuclear war scenarios stored in the W.O.P.R. computer

    For fans of the movie WARGAMES: a list of all the nuclear war scenarios stored in the W.O.P.R. computer. (self.movies)
    (via burritojustice)

    (tags: via:burritojustice wargames movies wopr global-thermonuclear-war wwiii)

  • Nextflow - A DSL for parallel and scalable computational pipelines

    Data-driven computational pipelines Nextflow enables scalable and reproducible scientific workflows using software containers. It allows the adaptation of pipelines written in the most common scripting languages. Its fluent DSL simplifies the implementation and the deployment of complex parallel and reactive workflows on clouds and clusters.
    GPLv3 licensed, open source

    (tags: computation workflows pipelines batch docker ops open-source)

Links for 2017-08-02

Published August 2, 2017

  • Malicious packages in npm

    The node.js packaging system is being exploited by bad guys to steal auth tokens at build time. This is the best advice they can come up with:

    Always check the name of packages you’re installing. You can look at the downloads number: if a package is popular but the downloads number is low, something is wrong.
    :facepalm: What a mess. Security needs to become a priority....

    (tags: javascript security npm node packaging packages fail)

Links for 2017-08-01

Published August 1, 2017

  • Air Canada near-miss: Air traffic controllers make split-second decisions in a culture of "psychological safety" — Quartz

    “’Just culture’ as a term emerged from air traffic control in the late 1990s, as concern was mounting that air traffic controllers were unfairly cited or prosecuted for incidents that happened to them while they were on the job,” Sidney Dekker, a professor, writer, and director of the Safety Science Innovation Lab at Griffith University in Australia, explains to Quartz in an email. Eurocontrol, the intergovernmental organization that focuses on the safety of airspace across Europe, has “adopted a harmonized ‘just culture’ that it encourages all member countries and others to apply to their air traffic control organizations.” [...] One tragic example of what can happen when companies don’t create a culture where employees feel empowered to raise questions or admit mistakes came to light in 2014, when an investigation into a faulty ignition switch that caused more than 100 deaths at GM Motors revealed a toxic culture of denying errors and deflecting blame within the firm. The problem was later attributed to one engineer who had not disclosed an obvious issue with the flawed switch, but many employees spoke of extreme pressure to put costs and delivery times before all other considerations, and to hide large and small concerns.
    (via JG)

    (tags: just-culture atc air-traffic-control management post-mortems outages reliability air-canada disasters accidents learning psychological-safety work)

  • Dark forces, Brexit and Irexit

    The EU have made it clear, as they have to, that there will be no frictionless borders between the union and the UK. Brexit will be dislocative.  As smaller irish companies start to go to the wall post Brexit expect the calls for “something to be done” to start to include Irexit [an Irish exit from the EU a la Brexit]. But this way madness lies. [...] we export more in education services than in beverages ; we exportthree times or more manufactured goods than food; we export six times more in chemicals and related; value added by industry or by distribution and transport is more than 10 times that of agriculture. Seeking Irexit on the basis that it would be good for agribusiness is seeking to amputate a hand for a broken finger.

    (tags: agribusiness ireland irexit brexit economics eu politics)

  • APOLLO 13 EARTH ORBITAL CHART | Artsy

    Some nice catalogue details around this Apollo 13 AEO:

    Apollo Earth Orbit Chart (AEO), Apollo Mission 13 for April 1970 Launch Date. March 3, 1970. Color Earth map, first edition. 13 by 42 inches. From the Catalogue: SIGNED and INSCRIBED: “JAMES LOVELL, Apollo 13 CDR and FRED HAISE, Apollo 13 LMP." Additionally INSCRIBED by HAISE with mission events: "Launch at 2:13 pm EST, April 11, 1970" and "Splash – April 17, 1970." He has marked the splashdown area with an "X." Circular plots in black represent the ground station communication coverage areas with the red circle being the tracking ship Vanguard in the Atlantic Ocean. Orbital paths show the full launch range azimuths of 72 to 108 degrees. The first orbit is plotted in light blue with the second orbit in dark blue. The planned TLI (TransLunar Injection) burn occurred on time during the mission and is plotted with a red dashed line. The point above the Earth as Apollo 13 headed toward the Moon is shown with a brown line and continues for 24 hours of mission elapsed time. This line moves over the Pacific Ocean and into the continental United States. Then it moves backwards (relative to the Earth’s rotation) over the Pacific Ocean and ends near the west coast of Africa. The Service Module explosion occurred some 32 hours after end point of the TLI brown line tracking plot.

    (tags: aeo apollo history spaceflight collectibles antiques james-lovell fred-haise 1970 apollo-13 charts)

Links for 2017-07-27

Published July 27, 2017

Links for 2017-07-26

Published July 26, 2017

Links for 2017-07-24

Published July 24, 2017

Links for 2017-07-21

Published July 21, 2017

  • awslabs/aws-ec2rescue-linux

    Amazon Web Services Elastic Compute Cloud (EC2) Rescue for Linux is a python-based tool that allows for the automatic diagnosis of common problems found on EC2 Linux instances.
    Most of the modules appear to be log-greppers looking for common kernel issues.

    (tags: ec2 aws kernel linux ec2rl ops)

Links for 2017-07-20

Published July 20, 2017

Links for 2017-07-17

Published July 17, 2017

Links for 2017-07-13

Published July 13, 2017

  • Novartis CAR-T immunotherapy strongly endorsed by FDA advisory panel

    This is very exciting stuff, cytokine release syndrome risks notwithstanding.

    The new treatment is known as CAR-T cell immunotherapy. It works by removing key immune system cells known as T cells from the patient so scientists can genetically modify them to seek out and attack only cancer cells. That's why some scientists refer to this as a "living drug." Doctors then infuse millions of the genetically modified T cells back into the patient's body so they can try to obliterate the cancer cells and hopefully leave healthy tissue unscathed. "It's truly a paradigm shift," said Dr. David Lebwohl, who heads the CAR-T Franchise Global Program at the drug company Novartis, which is seeking the FDA's approval for the treatment. "It represents a new hope for patients." The drug endorsed by the advisory panel is known as CTL019 or tisagenlecleucel. It was developed to treat children and young adults ages 3 to 25 who have relapsed after undergoing standard treatment for B cell acute lymphoblastic leukemia, which is the most common childhood cancer in the United States. While this blood cell cancer can be highly curable, some patients fail to respond to standard treatments; and a significant proportion of patients experience relapses that don't respond to follow-up therapies. "There is a major unmet medical need for treatment options" for these patients, Dr. Stephen Hunger, who helped study at the Children's Hospital of Philadelphia, told the committee. In the main study that the company submitted as evidence in seeking FDA approval, doctors at 25 sites in 11 countries administered the treatment to 88 patients. The patients, ages 3 to 23, had failed standard treatment or experienced relapses and failed to respond to follow-up standard treatment. CTL019 produced remissions in 83 percent of patients, the company told the committee.

    (tags: car-t immunotherapy cancer novartis trials fda drugs t-cells immune-system medicine leukemia ctl019)

  • Chris's Wiki :: blog/sysadmin/UnderstandingIODNSIssue

    On the ns-a1.io security screwup for the .io CCTLD:

    Using data from glue records instead of looking things up yourself is common but not mandatory, and there are various reasons why a resolver would not do so. Some recursive DNS servers will deliberately try to check glue record information as a security measure; for example, Unbound has the harden-referral-path option (via Tony Finch). Since the original article reported seeing real .io DNS queries being directed to Bryant's DNS server, we know that a decent number of clients were not using the root zone glue records. Probably a lot more clients were still using the glue records, through.
    (via Tony Finch)

    (tags: via:fanf dns security dot-io cctlds glue-records delegation)

Links for 2017-07-12

Published July 12, 2017

  • DoppioJVM

    'A Java Virtual Machine written in 100% JavaScript.' Wrapping outbound TCP traffic in websockets, mad stuff

    (tags: jvm java javascript js hacks browser emulation websockets)

  • One Man's Plan to Make Sure Gene Editing Doesn't Go Haywire - The Atlantic

    Open science - radical transparency where gene-editing and CRISPR is involved. Sounds great.

    “For gene drive, the closed-door model is morally unacceptable. You don’t have the right to go into your lab and build something that is ineluctably designed to affect entire ecosystems. If it escapes into the wild, it would be expected to spread and affect people’s lives in unknown ways. Doing that in secret denies people a voice.”
    Also this is a little scary:
    in 2015, he was shocked to read a paper, due to be published in ... Science, in which Californian researchers had inadvertently created a gene drive in fruit flies, without knowing what gene drives are. They developed it as a research tool for spreading a trait among lab populations, and had no ambitions to alter wild animals. And yet, if any of their insects had escaped, that’s what would have happened.

    (tags: science openness open-source visibility transparency crispr gene-editing mice nantucket gene-drive)

Links for 2017-07-11

Published July 11, 2017

Links for 2017-07-10

Published July 10, 2017

Links for 2017-07-06

Published July 6, 2017

  • The Guardian view on patient data: we need a better approach | Editorial | Opinion | The Guardian

    The use of privacy law to curb the tech giants in this instance, or of competition law in the case of the EU’s dispute with Google, both feel slightly maladapted. They do not address the real worry. It is not enough to say that the algorithms DeepMind develops will benefit patients and save lives. What matters is that they will belong to a private monopoly which developed them using public resources. If software promises to save lives on the scale that drugs now can, big data may be expected to behave as big pharma has done. We are still at the beginning of this revolution and small choices now may turn out to have gigantic consequences later. A long struggle will be needed to avoid a future of digital feudalism. Dame Elizabeth’s report is a welcome start.
    Hear hear.

    (tags: privacy law uk nhs data google deepmind healthcare tech open-source)

  • Why People With Brain Implants Are Afraid to Go Through Automatic Doors

    In 2009, Gary Olhoeft walked into a Best Buy to buy some DVDs. He walked out with his whole body twitching and convulsing. Olhoeft has a brain implant, tiny bits of microelectronic circuitry that deliver electrical impulses to his motor cortex in order to control the debilitating tremors he suffers as a symptom of Parkinson’s disease. It had been working fine. So, what happened when he passed through those double wide doors into consumer electronics paradise? He thinks the theft-prevention system interfered with his implant and turned it off. Olhoeft’s experience isn’t unique. According to the Food and Drug Administration’s MAUDE database of medical device reports, over the past five years there have been at least 374 cases where electromagnetic interference was reportedly a factor in an injury involving medical devices including neural implants, pacemakers and insulin pumps. In those reports, people detailed experiencing problems with their devices when going through airport security, using massagers or simply being near electrical sources like microwaves, cordless drills or “church sound boards.”

    (tags: internet-of-things iot best-buy implants parkinsons-disease emi healthcare devices interference)

  • Undefined Behavior in 2017

    This is an extremely detailed post on the state of dynamic checkers in C/C++ (via the inimitable Marc Brooker):

    Recently we’ve heard a few people imply that problems stemming from undefined behaviors (UB) in C and C++ are largely solved due to ubiquitous availability of dynamic checking tools such as ASan, UBSan, MSan, and TSan. We are here to state the obvious — that, despite the many excellent advances in tooling over the last few years, UB-related problems are far from solved — and to look at the current situation in detail.

    (tags: via:marc-brooker c c++ coding testing debugging dynamic-analysis valgrind asan ubsan tsan)

  • Talos Intelligence review of Nyetya and the M.E.Doc compromise

    Our Threat Intelligence and Interdiction team is concerned that the actor in question burned a significant capability in this attack.  They have now compromised both their backdoor in the M.E.Doc software and their ability to manipulate the server configuration in the update server. In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.

    (tags: security malware nyetya notpetya medoc talos ransomware)

  • Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities

    'describes how you can use AWS WAF, a web application firewall, to address the top application security flaws as named by the Open Web Application Security Project (OWASP). Using AWS WAF, you can write rules to match patterns of exploitation attempts in HTTP requests and block requests from reaching your web servers. This whitepaper discusses manifestations of these security vulnerabilities, AWS WAF–based mitigation strategies, and other AWS services or solutions that can help address these threats.'

    (tags: security waf aws http owasp filtering)

  • welcome datacomp

    Some Mac third party keyboards used to (or maybe still do for all I know) have a little feature where if you didn't type anything for a while they would themselves type 'welcome datacomp'.
    (via RobS)

    (tags: via:rsynnott funny welcome-datacomp keyboards hardware fail ghost-typing haunted)

  • La història del gran tauró blanc de Tossa de Mar

    Amazing pic and newspaper report regarding a great white shark which washed up on the beach at Tossa de Mar in the Costa Brava in the 1980s

    (tags: tossa-de-mar costa-brava spain sharks nature great-white-shark 1980s history photos wildlife)

Links for 2017-07-05

Published July 5, 2017

  • Why did Apple, Amazon, Google stocks crash to the same price today?

    Nasdaq said in a statement that "certain third parties improperly propagated test data that was distributed as part of the normal evening test procedures." "For July 3, 2017, all production data was completed by 5:16 PM as expected per the early close of the markets," the statement continued. "Any data messages received post 5:16 PM should be deemed as test data and purged from direct data recipient's databases. UTP (Unlisted Trading Privileges) is asking all third parties to revert to Nasdaq Official Closing Prices effective at 5:16 PM."

    (tags: testing fail stock-markets nasdaq test-data test production integration-testing test-in-prod)

  • Exactly-once Support in Apache Kafka – Jay Kreps

    If you’re one of the people who think [exactly-once support is impossible], I’d ask you to take an actual look at what we actually know to be possible and impossible, and what has been built in Kafka, and hopefully come to a more informed opinion. So let’s address this in two parts. First, is exactly-once a theoretical impossibility? Second, how does Kafka support it.

    (tags: exactly-once-delivery distributed kafka distcomp jay-kreps coding broadcast)

  • Letters and Liquor

    These are lovely! (via Ben)

    Letters and Liquor illustrates the history of lettering associated with cocktails. From the 1690s to the 1990s, I’ve selected 52 of the most important drinks in the cocktail canon and rendered their names in period-inspired design. I post a new drink each week with history, photos and recipes. Don’t want to miss a single cocktail? Click here for email updates.

    (tags: cocktails text letters typography graphics history booze)

Links for 2017-07-03

Published July 3, 2017

Links for 2017-06-30

Published June 30, 2017

  • Don't Settle For Eventual Consistency

    Quite an argument. Not sure I agree, but worth a bookmark anyway...

    With an AP system, you are giving up consistency, and not really gaining anything in terms of effective availability, the type of availability you really care about.  Some might think you can regain strong consistency in an AP system by using strict quorums (where the number of nodes written + number of nodes read > number of replicas).  Cassandra calls this “tunable consistency”.  However, Kleppmann has shown that even with strict quorums, inconsistencies can result.10  So when choosing (algorithmic) availability over consistency, you are giving up consistency for not much in return, as well as gaining complexity in your clients when they have to deal with inconsistencies.

    (tags: cap-theorem databases storage cap consistency cp ap eventual-consistency)

  • Delivering Billions of Messages Exactly Once · Segment Blog

    holy crap, this is exactly the wrong way to build a massive-scale deduplication system -- with a monster random-access "is this random UUID in the db" lookup

    (tags: deduping architecture horror segment messaging kafka)

Links for 2017-06-28

Published June 28, 2017

  • Mozilla Employee Denied Entry to the United States

    Ugh. every non-USian tech worker's nightmare. curl developer Daniel Stenberg:

    “I can’t think of a single valid reason why they would deny me travel, so what concerns me is that somehow someone did and then I’m worried that I’ll get trouble fixing that issue,” Stenberg said. “I’m a little worried since border crossings are fairly serious matters and getting trouble to visit the US in the future would be a serious blowback for me, both personally with friends and relatives there, and professionally with conferences and events there.”

    (tags: curl travel mozilla esta us-politics usa immigration flying)

Links for 2017-06-27

Published June 27, 2017

  • RIPE Atlas Probes

    Interesting! We discussed similar ideas in $prevjob, good to see one hitting production globally.

    RIPE Atlas probes form the backbone of the RIPE Atlas infrastructure. Volunteers all over the world host these small hardware devices that actively measure Internet connectivity through ping, traceroute, DNS, SSL/TLS, NTP and HTTP measurements. This data is collected and aggregated by the RIPE NCC, which makes the data publicly available. Network operators, engineers, researchers and even home users have used this data for a wide range of purposes, from investigating network outages to DNS anycasting to testing IPv6 connectivity. Anyone can apply to host a RIPE Atlas probe. If your application is successful (based on your location), we will ship you a probe free of charge. Hosts simply need to plug their probe into their home (or other) network. Probes are USB-powered and are connected to an Ethernet port on the host’s router or switch. They then automatically and continuously perform active measurements about the Internet’s connectivity, and this data is sent to the RIPE NCC, where it is aggregated and made publicly available. We also use this data to create several Internet maps and data visualisations. [....] The hardware of the first and second generation probes is a Lantronix XPort Pro module with custom powering and housing built around it. The third generation probe is a modified TP-Link wireless router (model TL-MR 3020) with a small USB thumb drive in it, but this probe does not support WiFi.
    (via irldexter)

    (tags: via:irldexter ripe ncc probing active-monitoring networking ping traceroute dns testing http ipv6 anycast hardware devices isps)

  • "BBC English" was invented by a small team in the 1920s & 30s

    Excellent twitter thread:

    Today we speak of "BBC English" as a standard form of the language, but this form had to be invented by a small team in the 1920s & 30s. 1/ It turned out even within the upper-class London accent that became the basis for BBC English, many words had competing pronunciations. 2/ Thus in 1926, the BBC's first managing director John Reith established an "Advisory Committee on Spoken English" to sort things out. 3/ The committee was chaired by Irish playwright George Bernard Shaw, and also included American essayist Logan Pearsall Smith, 4/ novelist Rose Macaulay, lexicographer (and 4th OED editor) C.T. Onions, art critic Kenneth Clark, journalist Alistair Cooke, 5/ ghost story writer Lady Cynthia Asquith, and evolutionary biologist and eugenicist Julian Huxley. 6/ The 20-person committee held fierce debates, and pronunciations now considered standard were often decided by just a few votes.

    (tags: bbc language english history rp received-pronunciation pronunciation john-reith)

Links for 2017-06-26

Published June 26, 2017

Links for 2017-06-22

Published June 22, 2017

Links for 2017-06-21

Published June 21, 2017

Links for 2017-06-20

Published June 20, 2017

Links for 2017-06-16

Published June 16, 2017

Links for 2017-06-15

Published June 15, 2017

  • Screen time guidelines need to be built on evidence, not hype | Science | The Guardian

    An open letter signed by about 100 scientists 'from different countries and academic fields with research expertise and experience in screen time, child development and evidence-based policy.'

    If the government were to implement guidelines on screen-based technology at this point, as the authors of the letter suggest, this would be on the basis of little to no evidence. This risks the implementation of unnecessary, ineffective or even potentially harmful policies. For guidelines to have a meaningful impact, they need to be grounded in robust research evidence and acknowledge that children’s health and wellbeing is a complex issue affected by many other factors, such as socioeconomic status, relational poverty, and family environment – all of which are likely to be more relevant for children’s health and well-being than screens. For example, there is no consistent evidence that more screen time leads to less outdoor play; if anything the evidence indicates that screen time and physical outdoor activity are unrelated, and reductions in average time spent in outdoor play over time seem to be driven by other factors. Policy efforts to increase outdoor play that focus on screen time are therefore likely to be ineffective.
    (via Damien Mulley)

    (tags: via:damienmulley science children psychology screens screen-time childhood development evidence policy health open-letters)

Links for 2017-06-14

Published June 14, 2017

Links for 2017-06-09

Published June 9, 2017

  • How Turla hackers (ab)used satellites to stay under the radar | Ars Technica

    A very nifty hack. DVB-S broadcasts a subset of unencrypted IP traffic across a 600-mile radius:

    The Turla attackers listen for packets coming from a specific IP address in one of these classes. When certain packets—say, a TCP/IP SYN packet—are identified, the hackers spoof a reply to the source using a conventional Internet line. The legitimate user of the link just ignores the spoofed packet, since it goes to an otherwise unopened port, such as port 80 or 10080. With normal Internet connections, if a packet hits a closed port, the end user will normally send the ISP some indication that something went wrong. But satellite links typically use firewalls that drop packets to closed ports. This allows Turla to stealthily hijack the connections. The hack allowed computers infected with Turla spyware to communicate with Turla C&C servers without disclosing their location. Because the Turla attackers had their own satellite dish receiving the piggybacked signal, they could be anywhere within a 600-mile radius. As a result, researchers were largely stopped from shutting down the operation or gaining clues about who was carrying it out. "It's probably one of the most effective methods of ensuring their operational security, or that nobody will ever find out the physical location of their command and control server," Tanase told Ars. "I cannot think of a way of identifying the location of a command server. It can be anywhere in the range of the satellite beam."

    (tags: turla hacks satellite security dvb dvb-s tcpip command-and-control syn)

Links for 2017-06-07

Published June 7, 2017

Links for 2017-06-06

Published June 6, 2017