Skip to content

Category: Uncategorized

Links for 2015-06-15

Published June 15, 2015

  • How We Moved Our API From Ruby to Go and Saved Our Sanity

    Parse on their ditching-Rails story. I haven't heard a nice thing about Ruby or Rails as an operational, production-quality platform in a long time :(

    (tags: go ruby rails ops parse languages platforms)

  • VPC Flow Logs

    we are introducing Flow Logs for the Amazon Virtual Private Cloud.  Once enabled for a particular VPC, VPC subnet, or Elastic Network Interface (ENI), relevant network traffic will be logged to CloudWatch Logs for storage and analysis by your own applications or third-party tools. You can create alarms that will fire if certain types of traffic are detected; you can also create metrics to help you to identify trends and patterns. The information captured includes information about allowed and denied traffic (based on security group and network ACL rules). It also includes source and destination IP addresses, ports, the IANA protocol number, packet and byte counts, a time interval during which the flow was observed, and an action (ACCEPT or REJECT).

    (tags: ec2 aws vpc logging tracing ops flow-logs network tcpdump packets packet-capture)

  • Tim Hunt "jokes" about women scientists. Or not. (with image, tweets) · deborahblum · Storify

    '[Tim Hunt] said that while he meant to be ironic, he did think it was hard to collaborate with women because they are too emotional - that he was trying to be honest about the problems.' So much for the "nasty twitter took my jokes seriously" claims then.

    (tags: twitter science misogyny women tim-hunt deborah-blum journalism)

  • Why I dislike systemd

    Good post, and hard to disagree.

    One of the "features" of systemd is that it allows you to boot a system without needing a shell at all. This seems like such a senseless manoeuvre that I can't help but think of it as a knee-jerk reaction to the perception of Too Much Shell in sysv init scripts. In exactly which universe is it reasonable to assume that you have a running D-Bus service (or kdbus) and a filesystem containing unit files, all the binaries they refer to, all the libraries they link against, and all the configuration files any of them reference, but that you lack that most ubiquitous of UNIX binaries, /bin/sh?

    (tags: history linux unix systemd bsd system-v init ops dbus)

  • Adrian Colyer reviews the Twitter Heron paper

    ouch, really sounds like Storm didn't cut the muster. 'It’s hard to imagine something more damaging to Apache Storm than this. Having read it through, I’m left with the impression that the paper might as well have been titled “Why Storm Sucks”, which coming from Twitter themselves is quite a statement.' If I was to summarise the lessons learned, it sounds like: backpressure is required; and multi-tenant architectures suck.

    (tags: storm twitter heron big-data streaming realtime backpressure)

Links for 2015-06-14

Published June 14, 2015

  • Security theatre at Allied Irish Banks

    Allied Irish Banks's web and mobile banking portals are ludicrously insecure. Vast numbers of accounts have easily-guessable registration numbers and are thus 'protected' by a level of security that is twice as easy to crack as would be provided by a single password containing only two lowercase letters. A person of malicious intent could easily gain access to hundreds, possibly thousands, of accounts as well as completely overwhelm the branch network by locking an estimated several 100,000s of people out of their online banking. Both AIB and the Irish Financial Services Ombudsman have refused to respond meaningfully to multiple communications each in which these concerns were raised privately.

    (tags: aib banking security ireland hacking ifso online-banking)

  • Leveraging AWS to Build a Scalable Data Pipeline

    Nice detailed description of an auto-scaled SQS worker pool

    (tags: sqs aws ec2 auto-scaling asg worker-pools architecture scalability)

Links for 2015-06-13

Published June 13, 2015

  • China’s Spies Hit the Blackmail Jackpot With Data on 4 Million Federal Workers

    The Daily Beast is scathing re the OPM hack:

    Here’s where things start to get scary. Whoever has OPM’s records knows an astonishing amount about millions of federal workers, members of the military, and security clearance holders. They can now target those Americans for recruitment or influence. After all, they know their vices, every last one—the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side—since all that is recorded in security clearance paperwork. (To get an idea of how detailed this gets, you can see the form, called an SF86, here.) Speaking as a former counterintelligence officer, it really doesn’t get much worse than this.

    (tags: daily-beast sf86 clearance us-government america china cyberwar hacking opm privacy)

Links for 2015-06-11

Published June 11, 2015

  • Facebook Infer

    New static analysis goodnews, freshly open-sourced by Facebook:

    Facebook Infer uses logic to do reasoning about a program's execution, but reasoning at this scale — for large applications built from millions of lines of source code — is hard. Theoretically, the number of possibilities that need to be checked is more than the number of estimated atoms in the observable universe. Furthermore, at Facebook our code is not a fixed artifact but an evolving system, updated frequently and concurrently by many developers. It is not unusual to see more than a thousand modifications to our mobile code submitted for review in a given day. The requirements on the program analyzer then become even more challenging because we expect a tool to report quickly on these code modifications — in the region of 10 minutes — to fit in with developers' workflow. Coping with this scale and velocity requires advanced mathematical techniques. Facebook Infer uses two such techniques: separation logic and bi-abduction. Separation logic is a theory that allows Facebook Infer's analysis to reason about small, independent parts of the application storage, rather than having to consider the entirety of the memory potentially at every step. That would be a daunting task on modern processors with their large addressable virtual memories. Bi-abduction is a logical inference technique that allows Facebook Infer to discover properties about the behavior of independent parts of the application code. By storing these properties between runs, Facebook Infer needs to analyze only the parts of the software that have changed, reusing the results of its previous analysis where it can. By combining these approaches, our analyzer is able to find complex problems in modifications to an application built from millions of lines of code, in minutes.
    (via Bryan O'Sullivan)

    (tags: via:bos infer facebook static-analysis lint code java ios android coding bugs)

  • The Tamborzão Goes to Thailand

    This is great. the story of how cheesy funk carioca tune “A Minha Amiga Fran” managed to become "Kawo Kawo" and become a massive hit in Thailand

    (tags: thai brazil carioca music dance-music kawo-kawo)

Links for 2015-06-10

Published June 10, 2015

Links for 2015-06-08

Published June 8, 2015

Links for 2015-06-04

Published June 4, 2015

Links for 2015-06-03

Published June 3, 2015

  • Performance Testing at LMAX

    Good series of blog posts on the LMAX trading platform's performance testing strategy -- they capture live traffic off the wire, then build statistical models simulating its features. See also http://epickrram.blogspot.co.uk/2014/07/performance-testing-at-lmax-part-two.html and http://epickrram.blogspot.co.uk/2014/08/performance-testing-at-lmax-part-three.html .

    (tags: performance testing tests simulation latency lmax trading sniffing packet-capture)

  • The Violence of Algorithms: Why Big Data Is Only as Smart as Those Who Generate It

    The modern state system is built on a bargain between governments and citizens. States provide collective social goods, and in turn, via a system of norms, institutions, regulations, and ethics to hold this power accountable, citizens give states legitimacy. This bargain created order and stability out of what was an increasingly chaotic global system. If algorithms represent a new ungoverned space, a hidden and potentially ever-evolving unknowable public good, then they are an affront to our democratic system, one that requires transparency and accountability in order to function. A node of power that exists outside of these bounds is a threat to the notion of collective governance itself. This, at its core, is a profoundly undemocratic notion—one that states will have to engage with seriously if they are going to remain relevant and legitimate to their digital citizenry who give them their power.

    (tags: palantir algorithms big-data government democracy transparency accountability analytics surveillance war privacy protest rights)

Links for 2015-06-02

Published June 2, 2015

Links for 2015-05-29

Published May 29, 2015

Links for 2015-05-28

Published May 28, 2015

  • I Fooled Millions Into Thinking Chocolate Helps Weight Loss

    “Slim by Chocolate!” the headlines blared. A team of German researchers had found that people on a low-carb diet lost weight 10 percent faster if they ate a chocolate bar every day. It made the front page of Bild, Europe’s largest daily newspaper, just beneath their update about the Germanwings crash. From there, it ricocheted around the internet and beyond, making news in more than 20 countries and half a dozen languages. It was discussed on television news shows. It appeared in glossy print, most recently in the June issue of Shape magazine (“Why You Must Eat Chocolate Daily”, page 128). Not only does chocolate accelerate weight loss, the study found, but it leads to healthier cholesterol levels and overall increased well-being. The Bild story quotes the study’s lead author, Johannes Bohannon, Ph.D., research director of the Institute of Diet and Health: “The best part is you can buy chocolate everywhere.” I am Johannes Bohannon, Ph.D. Well, actually my name is John, and I’m a journalist. I do have a Ph.D., but it’s in the molecular biology of bacteria, not humans. The Institute of Diet and Health? That’s nothing more than a website. Other than those fibs, the study was 100 percent authentic. My colleagues and I recruited actual human subjects in Germany. We ran an actual clinical trial, with subjects randomly assigned to different diet regimes. And the statistically significant benefits of chocolate that we reported are based on the actual data. It was, in fact, a fairly typical study for the field of diet research. Which is to say: It was terrible science. The results are meaningless, and the health claims that the media blasted out to millions of people around the world are utterly unfounded.
    Interesting bit: the online commenters commenting on the published stories quickly saw through the bullshit. Why can't the churnalising journos do that?

    (tags: chocolate journalism science diet food churnalism pr bild health clinical-trials papers peer-review research)

  • Snake-Oil Superfoods

    mainly interesting for the dataviz and the Google-Doc-driven backend. wish they published the script though

    (tags: google snake-oil superfoods food dataviz bubble-race-chart graphics infographics google-docs spreadsheets)

Links for 2015-05-27

Published May 27, 2015

  • Three Questions to Answer When Reporting an Error

    Very long, but tl;dr:

    the trick to creating an effective error message is to answer the 3 Questions within your message: What is the error? What was the probable cause of the error? What is the probable remedy?

    (tags: errors ui ux reporting logging coding)

  • Volvo says horrible 'self-parking car accident' happened because driver didn't have 'pedestrian detection'

    Grim meathook future, courtesy of Volvo:

    “The Volvo XC60 comes with City Safety as a standard feature however this does not include the Pedestrian detection functionality [...] The pedestrian detection feature [...] costs approximately $3,000.
    However, there's another lesson here, in crappy car UX and the risks thereof:
    But even if it did have the feature, Larsson says the driver would have interfered with it by the way they were driving and “accelerating heavily towards the people in the video.” “The pedestrian detection would likely have been inactivated due to the driver inactivating it by intentionally and actively accelerating,” said Larsson. “Hence, the auto braking function is overrided by the driver and deactivated.” Meanwhile, the people in the video seem to ignore their instincts and trust that the car assumed to be endowed with artificial intelligence knows not to hurt them. It is a sign of our incredible faith in the power of technology, but also, it’s a reminder that companies making AI-assisted vehicles need to make safety features standard and communicate clearly when they aren’t.

    (tags: self-driving-cars cars ai pedestrian computer-vision volvo fail accidents grim-meathook-future)

  • iPhone UTF-8 text vulnerability

    'Due to how the banner notifications process the Unicode text. The banner briefly attempts to present the incoming text and then "gives up" thus the crash'. Apparently the entire Springboard launcher crashes.

    (tags: apple vulnerability iphone utf-8 unicode fail bugs springboard ios via:abetson)

Links for 2015-05-26

Published May 26, 2015

  • Schedule Recurring AWS Lambda Invocations With The Unreliable Town Clock (UTC)

    The Unreliable Town Clock (UTC) is a new, free, public SNS Topic (Amazon Simple Notification Service) that broadcasts a “chime” message every quarter hour to all subscribers. It can send the chimes to AWS Lambda functions, SQS queues, and email addresses. You can use the chime attributes to run your code every fifteen minutes, or only run your code once an hour (e.g., when minute == "00") or once a day (e.g., when hour == "00" and minute == "00") or any other series of intervals. You can even subscribe a function you only want to run only once at a specific time in the future: Have the function ignore all invocations until it’s after the time it wants. When it is time, it can perform its job, then unsubscribe itself from the SNS Topic.

    (tags: alestic aws lambda cron time clock periodic-tasks recurrence hacks)

Links for 2015-05-25

Published May 25, 2015

Links for 2015-05-18

Published May 18, 2015

Links for 2015-05-17

Published May 17, 2015

  • 'Can People Distinguish Pâté from Dog Food?'

    Ugh.

    Considering the similarity of its ingredients, canned dog food could be a suitable and inexpensive substitute for pâté or processed blended meat products such as Spam or liverwurst. However, the social stigma associated with the human consumption of pet food makes an unbiased comparison challenging. To prevent bias, Newman's Own dog food was prepared with a food processor to have the texture and appearance of a liver mousse. In a double-blind test, subjects were presented with five unlabeled blended meat products, one of which was the prepared dog food. After ranking the samples on the basis of taste, subjects were challenged to identify which of the five was dog food. Although 72% of subjects ranked the dog food as the worst of the five samples in terms of taste (Newell and MacFarlane multiple comparison, P<0.05), subjects were not better than random at correctly identifying the dog food.

    (tags: pate food omgwtf science research dog-food meat economics taste flavour)

  • Redditor runs the secret Python code in Ex Machina

    and finds:

    when you run with python2.7 you get the following: ISBN = 9780199226559 Which is Embodiment and the inner life: Cognition and Consciousness in the Space of Possible Minds. and so now I have a lot more respect for the Director.

    (tags: python movies ex-machina cool books easter-eggs)

  • Metalwoman beer recipe

    via the Dublin Ladies Beer Society ;)

    (tags: metalman metalwoman recipes beer brewing hops dlbs)

Links for 2015-05-14

Published May 14, 2015

Links for 2015-05-12

Published May 12, 2015

  • Input: Fonts for Code

    Non-monospaced coding fonts! I'm all in favour...

    As writing and managing code becomes more complex, today’s sophisticated coding environments are evolving to include everything from breakpoint markers to code folding and syntax highlighting. The typography of code should evolve as well, to explore possibilities beyond one font style, one size, and one character width.

    (tags: input fonts via:its typography code coding font text ide monospace)

  • Apache HTrace

    a Zipkin-compatible distributed-system tracing framework in Java, in the Apache Incubator

    (tags: zipkin tracing trace apache incubator java debugging)

  • Intel speeds up etcd throughput using ADR Xeon-only hardware feature

    To reduce the latency impact of storing to disk, Weaver’s team looked to buffering as a means to absorb the writes and sync them to disk periodically, rather than for each entry. Tradeoffs? They knew memory buffers would help, but there would be potential difficulties with smaller clusters if they violated the stable storage requirement. Instead, they turned to Intel’s silicon architects about features available in the Xeon line. After describing the core problem, they found out this had been solved in other areas with ADR. After some work to prove out a Linux OS supported use for this, they were confident they had a best-of-both-worlds angle. And it worked. As Weaver detailed in his CoreOS Fest discussion, the response time proved stable. ADR can grab a section of memory, persist it to disk and power it back. It can return entries back to disk and restore back to the buffer. ADR provides the ability to make small (<100MB) segments of memory “stable” enough for Raft log entries. It means it does not need battery-backed memory. It can be orchestrated using Linux or Windows OS libraries. ADR allows the capability to define target memory and determine where to recover. It can also be exposed directly into libs for runtimes like Golang. And it uses silicon features that are accessible on current Intel servers.

    (tags: kubernetes coreos adr performance intel raft etcd hardware linux persistence disk storage xeon)

Links for 2015-05-11

Published May 11, 2015

  • streamtools: a graphical tool for working with streams of data | nytlabs

    Visual programming, Yahoo! Pipes style, back again:

    we have created streamtools – a new, open source project by The New York Times R&D Lab which provides a general purpose, graphical tool for dealing with streams of data. It provides a vocabulary of operations that can be connected together to create live data processing systems without the need for programming or complicated infrastructure. These systems are assembled using a visual interface that affords both immediate understanding and live manipulation of the system.
    via Aman

    (tags: via:akohli streaming data nytimes visual-programming coding)

  • MappedBus

    a Java based low latency, high throughput message bus, built on top of a memory mapped file; inspired by Java Chronicle with the main difference that it's designed to efficiently support multiple writers – enabling use cases where the order of messages produced by multiple processes are important. MappedBus can be also described as an efficient IPC mechanism which enable several Java programs to communicate by exchanging messages.

    (tags: ipc java jvm mappedbus low-latency mmap message-bus data-structures queue message-passing)

Links for 2015-05-10

Published May 10, 2015

  • Amazon's Drone Delivery Patent Just Feels Like Trolling At This Point

    Oh dear, Amazon.

    These aren’t actual technologies yet. [...] All of which underscores that Amazon might never ever ever ever actually implement delivery drones. The patent paperwork was filed nearly a year after Amazon’s splashy drone program reveal on 60 Minutes. At the time we called it revolutionary marketing because, you know, delivery drones are technical and logistical madness, not to mention that commercial drone use is illegal right now. Although, in fairness the FAA did just relax some rules so that Amazon could test drones. At this point it feels like Amazon is just trolling. It’s trolling us with public relations BS about its future drones, and it’s trolling future competitors -- Google is also apparently working on this -- so that if somebody ever somehow does anything relating to drone delivery, Amazon can sue them. If I’m wrong, I’ll deliver my apology via Airmail.

    (tags: amazon trolling patents uspto delivery drones uavs competition faa)

  • Red Hat on rkt vs Docker

    This is like watching a train-wreck in slow motion on Groundhog Day. We, in the broader Linux and open source community, have been down this path multiple times over the past fifteen years, specifically with package formats. While there needs to be room for experimentation, having two incompatible specs driven by two startups trying to differentiate and in direct competition is *not* a good thing. It would be better for the community and for everyone who depends on our collective efforts if CoreOS and Docker collaborated on a standardized common spec, image format, and distribution protocol. To this end, we at Red Hat will continue to contribute to both initiatives with the goal of driving convergence.

    (tags: rkt docker appc coreos red-hat dpkg rpm linux packaging collaboration open-source)

Links for 2015-05-09

Published May 9, 2015

Links for 2015-05-08

Published May 8, 2015

Links for 2015-05-07

Published May 7, 2015

  • KillBiller

    Excellent mobile-phone plan comparison site for the Irish market, using apps which you install and which analyse your call history, data usage, etc. over the past month to compute the optimal plan based on your usage. Pretty amazing results in my case! The only downside is the privacy policy, which allows the company to resell your usage data (anonymised, and in aggregate) -- I'd really prefer if this wasn't the case :(

    (tags: mobile-phones shopping tesco emobile 3g 4g ireland plans comparison-shopping killbiller via:its)

  • Family in No poster Says YES to Marriage Equality | Amnesty International

    Beyond the politics, the risks of stock photo usage are pretty evident too:

    "In 2014, as a young family, we did a photo shoot with a photographer friend to get some nice shots for the family album. No money was exchanged – we got nice photos for free, they got nice images for their portfolio. As part of this agreement, we agreed to let them upload them to a stock photo album. We knew that these were available for purchase and we gave permission. Perhaps, naïvely, we imagined that on the off chance that any was ever selected, it might be for a small magazine or website. To confirm, we have not received any money for the photo – then or now, and nor do we expect any. We were surprised and upset to see that the photo was being used as part of a campaign with which we do not agree. We completely support same-sex marriage, and we believe that same-sex couples’ should of course be able to adopt, as we believe that they are equally able to provide children with much-needed love and care. To suggest otherwise is offensive to us, and to many others."

    (tags: ssm ireland politics amnesty stock-photos ip rights photos campaigns ads)

  • Lambda: Bees with Frickin' Laser Beams

    a HTTP testing tool in AWS Lambda. nice enough, but still a toy...

    (tags: lambda aws node javascript hacks http load-testing)

Links for 2015-05-06

Published May 6, 2015

Links for 2015-05-05

Published May 5, 2015

  • Smarter testing Java code with Spock Framework

    hmm, looks quite nice as a potential next-gen JUnit replacement for unit tests

    (tags: java testing bdd tests junit unit-tests spock via:trishagee)

  • Tots To Travel

    'Baby Friendly Holidays | Child, Toddler & Family Villas | France | Spain | Portugal | Italy'. Joe swears by it, will give it a go next year

    (tags: holidays vacation travel europe kids children via:joe)

  • How the NSA Converts Spoken Words Into Searchable Text - The Intercept

    This hits the nail on the head, IMO:

    To Phillip Rogaway, a professor of computer science at the University of California, Davis, keyword-search is probably the “least of our problems.” In an email to The Intercept, Rogaway warned that “When the NSA identifies someone as ‘interesting’ based on contemporary NLP methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting'; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.' If the algorithms NSA computers use to identify threats are too complex for humans to understand, it will be impossible to understand the contours of the surveillance apparatus by which one is judged.  All that people will be able to do is to try your best to behave just like everyone else.”

    (tags: privacy security gchq nsa surveillance machine-learning liberty future speech nlp pattern-analysis cs)

  • awslabs/aws-lambda-redshift-loader

    Load data into Redshift from S3 buckets using a pre-canned Lambda function. Looks like it may be a good example of production-quality Lambda

    (tags: lambda aws ec2 redshift s3 loaders etl pipeline)

  • Call me maybe: Aerospike

    'Aerospike offers phenomenal latencies and throughput -- but in terms of data safety, its strongest guarantees are similar to Cassandra or Riak in Last-Write-Wins mode. It may be a safe store for immutable data, but updates to a record can be silently discarded in the event of network disruption. Because Aerospike’s timeouts are so aggressive–on the order of milliseconds -- even small network hiccups are sufficient to trigger data loss. If you are an Aerospike user, you should not expect “immediate”, “read-committed”, or “ACID consistency”; their marketing material quietly assumes you have a magical network, and I assure you this is not the case. It’s certainly not true in cloud environments, and even well-managed physical datacenters can experience horrible network failures.'

    (tags: aerospike outages cap testing jepsen aphyr databases storage reliability)

Links for 2015-05-04

Published May 4, 2015

Links for 2015-05-02

Published May 2, 2015

  • In the privacy of your own home

    I didn't know about this:

    Last spring, as 41,000 runners made their way through the streets of Dublin in the city’s Women’s Mini Marathon, an unassuming redheaded man by the name of Candid Wueest stood on the sidelines with a scanner. He had built it in a couple of hours with $75 worth of parts, and he was using it to surreptitiously pick up data from activity trackers worn on the runners’ wrists. During the race, Wueest managed to collect personal info from 563 racers, including their names, addresses, and passwords, as well as the unique IDs of the devices they were carrying.

    (tags: dublin candid-wueest privacy data marathon running iot activity-trackers)

Links for 2015-04-30

Published April 30, 2015

Links for 2015-04-29

Published April 29, 2015

  • s3.amazonaws.com "certificate verification failed" errors due to crappy Verisign certs and overzealous curl policies

    Seth Vargo is correct. Its not the bit length of the key which is at issue, its the signature algorithm. The entire keychain for the s3.awsamazon.com key is signed with SHA1withRSA: https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com&s=54.231.244.0&hideResults=on At issue is that the root verisign key has been marked as weak because of SHA1 and taken out of the curl bundle which is widely popular, and this issue will continue to cause more and more issues going forwards as that bundle makes it way into shipping o/s distributions and aws certification verification breaks.
    'This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).' -- @jmhodges This may be a contributory factor to the issue @nelson saw: https://nelsonslog.wordpress.com/2015/04/28/cyberduck-is-responsible-for-my-bad-ssl-certificate/ Curl's ca-certs bundle is also used by Node: https://github.com/joyent/node/issues/8894 and doubtless many other apps and packages. Here's a mailing list thread discussing the issue: http://curl.haxx.se/mail/archive-2014-10/0066.html -- looks like the curl team aren't too bothered about it.

    (tags: curl s3 amazon aws ssl tls certs sha1 rsa key-length security cacerts)

  • Cassandra moving to using G1 as the default recommended GC implementation

    This is a big indicator that G1 is ready for primetime. CMS has long been the go-to GC for production usage, but requires careful, complex hand-tuning -- if G1 is getting to a stage where it's just a case of giving it enough RAM, that'd be great. Also, looks like it'll be the JDK9 default: https://twitter.com/shipilev/status/593175793255219200

    (tags: cassandra tuning ops g1gc cms gc java jvm production performance memory)

  • The Colossal Shop

    ThisIsColossal now have a shop! bookmarking for some lovely gifts

    (tags: art design shop colossal shopping christmas gifts)

Links for 2015-04-28

Published April 28, 2015

Links for 2015-04-27

Published April 27, 2015

Links for 2015-04-26

Published April 26, 2015

  • StackShare

    'Discover and discuss the best dev tools and cloud infrastructure services' -- fun!

    (tags: stackshare architecture stack ops software ranking open-source)

  • OWASP KeyBox

    a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users. Administrators can login using two-factor authentication with FreeOTP or Google Authenticator . From there they can create and manage public SSH keys or connect to their assigned systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.

    (tags: keybox owasp security ssh tls ssl ops)

  • 32-bit overflow in BitGo js code caused an accidental 85 BTC transaction fee

    Yes, this is a fucking 32-bit integer overflow. Whatever software was used, it calculated the sum of all inputs using 32-bit variables, which overflow at about 20 BTC if signed or 40 BTC if not. The fee was supposed to be 0xC350 = 50,000 satoshis, but it turned out to be 0x2,0000,C350 = 8,589,984,592 satoshis. Captains of the industry. If they were captains of any other industry, like say for example automotive, we'd have people dying in car crashes between two stationary vehicles.

    (tags: bitcoin fail bitgo javascript bugs 32-bit overflow btc)

  • Eight Docker Development Patterns

    good Docker tips

    (tags: tips docker ops deployment)

  • Google Online Security Blog: A Javascript-based DDoS Attack [the Greatfire DDoS] as seen by Safe Browsing

    We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult. Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.
    Via Nelson.

    (tags: google security via:nelson ddos javascript tls ssl safe-browsing networking china greatfire)

Links for 2015-04-24

Published April 24, 2015

Links for 2015-04-23

Published April 23, 2015

  • attacks using U+202E - RIGHT-TO-LEFT OVERRIDE

    Security implications of in-band signalling strikes again, 43 years after the "Blue Box" hit the mainstream. Jamie McCarthy on Twitter: ".@cmdrtaco - Remember when we had to block the U+202E code point in Slashdot comments to stop siht ekil stnemmoc? https://t.co/TcHxKkx9Oo" See also http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/ -- GMail was vulnerable too; and http://en.wikipedia.org/wiki/Unicode_control_characters for more inline control chars. http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing has some official recommendations from the Unicode consortium on dealing with bidi override chars.

    (tags: security attacks rlo unicode control-characters codepoints bidi text gmail slashdot sanitization input)

  • Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica

    The AVS WinVote system -- mind-bogglingly shitty security.

    If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place—within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know. I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me—as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.

    (tags: security voting via:johnke winvote avs shoup wep wifi windows)

Links for 2015-04-22

Published April 22, 2015

  • 'Continuous Deployment: The Dirty Details'

    Good slide deck from Etsy's Mike Brittain regarding their CD setup. Some interesting little-known details: Slide 41: database schema changes are not CD'd -- they go out on "Schema change Thursdays". Slide 44: only the webapp is CD'd -- PHP, Apache, memcache components (Etsy.com, support and back-office tools, developer API, gearman async worker queues). The external "services" are not -- databases, Solr/JVM search (rolling restarts), photo storage (filters, proxy cache, S3), payments (PCI-DSS, controlled access). They avoid schema changes and breaking changes using an approach they call "non-breaking expansions" -- expose new version in a service interface; support multiple versions in the consumer. Example from slides 50-63, based around a database schema migration. Slide 66: "dev flags" (rollout oriented) are promoted to "feature flags" (long lived degradation control). Slide 71: some architectural philosophies: deploying is cheap; releasing is cheap; gathering data should be cheap too; treat first iterations as experiments. Slide 102: "Canary pools". They have multiple pools of users for testing in production -- the staff pool, users who have opted in to see prototypes/beta stuff, 0-100% gradual phased rollout.

    (tags: cd deploy etsy slides migrations database schema ops ci version-control feature-flags)

  • Etsy's Release Management process

    Good info on how Etsy use their Deployinator tool, end-to-end. Slide 11: git SHA is visible for each env, allowing easy verification of what code is deployed. Slide 14: Code is deployed to "princess" staging env while CI tests are running; no need to wait for unit/CI tests to complete. Slide 23: smoke tests of pre-prod "princess" (complete after 8 mins elapsed). Slide 31: dashboard link for deployed code is posted during deploy; post-release prod smoke tests are run by Jenkins. (short ones! they complete in 42 seconds)

    (tags: deployment etsy deploy deployinator princess staging ops testing devops smoke-tests production jenkins)

  • Makerbot’s Saddest Hour | TechCrunch

    I’ve been speaking to a few people [at Makerbot] who prefer to remain anonymous and most of my contacts there are gone (the head of PR was apparently fired) and don’t want to talk. But the new from inside is troubling. The mass-layoffs are blamed on low revenue and one former employee wrote “Company was failing. Couldn’t pay vendors, had to downsize.” Do I think Makerbot will sink? At this point I don’t know.

    (tags: makerbot 3d-printing startups downsizing layoffs ouch)

  • credstash

    'CredStash is a very simple, easy to use credential management and distribution system that uses AWS Key Management System (KMS) for key wrapping and master-key storage, and DynamoDB for credential storage and sharing.'

    (tags: aws credstash python security keys key-management secrets kms)

  • ferd.ca -> Lessons Learned while Working on Large-Scale Server Software

    Good advice

    (tags: distributed scalability systems coding server-side erlang devops networking reliability)

Links for 2015-04-20

Published April 20, 2015

  • FBI admits flaws in hair analysis over decades

    Wow, this is staggering.

    The Justice Department and FBI have formally acknowledged that nearly every examiner in an elite FBI forensic unit gave flawed testimony in almost all trials in which they offered evidence against criminal defendants over more than a two-decade period before 2000. [....] The review confirmed that FBI experts systematically testified to the near-certainty of “matches” of crime-scene hairs to defendants, backing their claims by citing incomplete or misleading statistics drawn from their case work. In reality, there is no accepted research on how often hair from different people may appear the same. Since 2000, the lab has used visual hair comparison to rule out someone as a possible source of hair or in combination with more accurate DNA testing. Warnings about the problem have been mounting. In 2002, the FBI reported that its own DNA testing found that examiners reported false hair matches more than 11 percent of the time.

    (tags: fbi false-positives hair dna biometrics trials justice experts crime forensics inaccuracy csi)

  • The missing MtGox bitcoins

    Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox operated at fractional reserve for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox's collapse). MtGox' bitcoins continuously went missing over time, but at a decreasing pace. Again by the middle of 2013, the curve goes more or less flat, matching the hypothesis that by that time there may not have been any more bitcoins left to lose. The rate of loss otherwise seems unusually smooth and at the same time not strictly relative to any readily available factors such as remaining BTC holdings, transaction volumes or the BTC price. Worth pointing out is that, thanks to having matched up most of the deposit/withdrawal log earlier, we can at this point at least rule out the possibility of any large-scale fake deposits — the bitcoins going into MtGox were real, meaning the discrepancy was likely rather caused by bitcoins leaving MtGox without going through valid withdrawals.

    (tags: mtgox bitcoin security fail currency theft crime btc)

  • Bank of the Underworld - The Atlantic

    Prosecutors analyzed approximately 500 of Liberty Reserve’s biggest accounts, which constituted 44 percent of its business. The government contends that 32 of these accounts were connected to the sale of stolen credit cards and 117 were used by Ponzi-scheme operators. All of this activity flourished, prosecutors said, because Liberty Reserve made no real effort to monitor its users for criminal behavior. What’s more, records showed that one of the company’s top tech experts, Mark Marmilev, who was also arrested, appeared to have promoted Liberty Reserve in chat rooms devoted to Ponzi schemes.
    (via Nelson)

    (tags: scams fraud crime currency the-atlantic liberty-reserve ponzi-schemes costa-rica arthur-budovsky banking anonymity cryptocurrency money-laundering carding)

  • I was a Lampedusa refugee. Here’s my story of fleeing Libya – and surviving

    'The boy next to me fell to the floor and for a moment I didn’t know if he had fainted or was dead – then I saw that he was covering his eyes so he didn’t have to see the waves any more. A pregnant woman vomited and started screaming. Below deck, people were shouting that they couldn’t breathe, so the men in charge of the boat went down and started beating them. By the time we saw a rescue helicopter, two days after our boat had left Libya with 250 passengers on board, some people were already dead – flung into the sea by the waves, or suffocated downstairs in the dark.'

    (tags: lampedusa migration asylum europe fortress-europe italy politics immigration libya refugees)

  • Run your own high-end cloud gaming service on EC2

    Using Steam streaming and EC2 g2.2xlarge spot instances -- 'comes out to around $0.52/hr'. That's pretty compelling IMO

    (tags: aws ec2 gaming games graphics spot-instances hacks windows steam)

  • Running Arbitrary Executables in AWS Lambda

    actually an officially-supported mode. huh

    (tags: lambda aws architecture ops node.js javascript unix linux)

Links for 2015-04-18

Published April 18, 2015

Links for 2015-04-17

Published April 17, 2015

Links for 2015-04-16

Published April 16, 2015

  • Extracting Structured Data From Recipes Using Conditional Random Fields

    nice probabilistic/ML approach to recipe parsing

    (tags: nytimes recipes parsing text nlp machine-learning probabilistic crf++ algorithms feature-extraction)

  • Large-scale cluster management at Google with Borg

    Google's Borg system is a cluster manager that runs hundreds of thousands of jobs, from many thousands of different applications, across a number of clusters each with up to tens of thousands of machines. It achieves high utilization by combining admission control, efficient task-packing, over-commitment, and machine sharing with process-level performance isolation. It supports high-availability applications with runtime features that minimize fault-recovery time, and scheduling policies that reduce the probability of correlated failures. Borg simplifies life for its users by offering a declarative job specification language, name service integration, real-time job monitoring, and tools to analyze and simulate system behavior. We present a summary of the Borg system architecture and features, important design decisions, a quantitative analysis of some of its policy decisions, and a qualitative examination of lessons learned from a decade of operational experience with it.
    (via Conall)

    (tags: via:conall clustering google papers scale to-read borg cluster-management deployment packing reliability redundancy)

  • Keeping Your Car Safe From Electronic Thieves - NYTimes.com

    In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet. Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.
    What the hell -- who designed a system that would auto-unlock based on signal strength alone?!!

    (tags: security fail cars keys signal proximity keyless-entry prius toyota crime amplification power-amplifiers 3db keyless)

  • Closed access means people die

    'We've paid 100 BILLION USD over the last 10 years to "publish" science and medicine. Ebola is a massive systems failure.' See also https://www.techdirt.com/articles/20150409/17514230608/dont-think-open-access-is-important-it-might-have-prevented-much-ebola-outbreak.shtml : 'The conventional wisdom among public health authorities is that the Ebola virus, which killed at least 10,000 people in Liberia, Sierra Leone and Guinea, was a new phenomenon, not seen in West Africa before 2013. [...] But, as the team discovered, that "conventional wisdom" was wrong. In fact, they found a bunch of studies, buried behind research paywalls, that revealed that there was significant evidence of antibodies to the Ebola virus in Liberia and in other nearby nations. There was one from 1982 that noted: "medical personnel in Liberian health centers should be aware of the possibility that they may come across active cases and thus be prepared to avoid nosocomial epidemics."

    (tags: deaths liberia ebola open-access papers elsevier science medicine reprints)

  • Making Pinterest — Learn to stop using shiny new things and love MySQL

    'The third reason people go for shiny is because older tech isn’t advertised as aggressively as newer tech. The younger companies needs to differentiate from the old guard and be bolder, more passionate and promise to fulfill your wildest dreams. But most new tech sales pitches aren’t generally forthright about their many failure modes. In our early days, we fell into this third trap. We had a lot of growing pains as we scaled the architecture. The most vocal and excited database companies kept coming to us saying they’d solve all of our scalability problems. But nobody told us of the virtues of MySQL, probably because MySQL just works, and people know about it.' It's true! -- I'm still a happy MySQL user for some use cases, particularly read-mostly relational configuration data...

    (tags: mysql storage databases reliability pinterest architecture)

  • Microservices and elastic resource pools with Amazon EC2 Container Service

    interesting approach to working around ECS' shortcomings -- bit specific to Hailo's microservices arch and IPC mechanism though. aside: I like their version numbering scheme: ISO-8601, YYYYMMDDHHMMSS. keep it simple!

    (tags: versioning microservices hailo aws ec2 ecs docker containers scheduling allocation deployment provisioning qos)

  • Please Kill Me (Eventually) | Motherboard

    There is much that the wise application of technology can do to help us ease off this mortal coil, instead of tormenting ourselves at the natural end of life in a futile, undignified and excruciating attempt to keep it somehow duct-taped on. Train more people in geriatrics, for example. Learn new ways to make life safe, healthy, fun and interesting for the old. Think like a community, a brotherhood, not like atomized competing individuals a few of whom can somehow "beat the system" of the universe. Maybe it is better to examine clearly what we are with a view to understanding and acceptance than it is to try to escape what perhaps should be our inevitable ending.

    (tags: death mortality cryogenics alcor geriatrics life singularity mind-uploading ray-kurzweil)

  • CGA in 1024 Colors - a New Mode: the Illustrated Guide

    awesome hackery. brings me back to my C=64 demo days

    (tags: pc cga graphics hacks art 1024-colours)

Links for 2015-04-15

Published April 15, 2015

  • Keywhiz

    'a secret management and distribution service [from Square] that is now available for everyone. Keywhiz helps us with infrastructure secrets, including TLS certificates and keys, GPG keyrings, symmetric keys, database credentials, API tokens, and SSH keys for external services — and even some non-secrets like TLS trust stores. Automation with Keywhiz allows us to seamlessly distribute and generate the necessary secrets for our services, which provides a consistent and secure environment, and ultimately helps us ship faster. [...] Keywhiz has been extremely useful to Square. It’s supported both widespread internal use of cryptography and a dynamic microservice architecture. Initially, Keywhiz use decoupled many amalgamations of configuration from secret content, which made secrets more secure and configuration more accessible. Over time, improvements have led to engineers not even realizing Keywhiz is there. It just works. Please check it out.'

    (tags: square security ops keys pki key-distribution key-rotation fuse linux deployment secrets keywhiz)

Links for 2015-04-14

Published April 14, 2015

Links for 2015-04-13

Published April 13, 2015

  • Amazon Machine Learning

    Upsides of this new AWS service: * great UI and visualisations. * solid choice of metric to evaluate the results. Maybe things moved on since I was working on it, but the use of AUC, false positives and false negatives was pretty new when I was working on it. (er, 10 years ago!) Downsides: * it could do with more support for unsupervised learning algorithms. Supervised learning means you need to provide training data, which in itself can be hard work. My experience with logistic regression in the past is that it requires very accurate training data, too -- its tolerance for misclassified training examples is poor. * Also, in my experience, 80% of the hard work of using ML algorithms is writing good tokenisation and feature extraction algorithms. I don't see any help for that here unfortunately. (probably not that surprising as it requires really detailed knowledge of the input data to know what classes can be abbreviated into a single class, etc.)

    (tags: amazon aws ml machine-learning auc data-science)

  • Rob Pike's 5 rules of optimization

    these are great. I've run into rule #3 ("fancy algorithms are slow when n is small, and n is usually small") several times...

    (tags: twitter rob-pike via:igrigorik coding rules laws optimization performance algorithms data-structures aphorisms)

  • AWS Lambda Event-Driven Architecture With Amazon SNS

    Any message posted to an SNS topic can trigger the execution of custom code you have written, but you don’t have to maintain any infrastructure to keep that code available to listen for those events and you don’t have to pay for any infrastructure when the code is not being run. This is, in my opinion, the first time that Amazon can truly say that AWS Lambda is event-driven, as we now have a central, independent, event management system (SNS) where any authorized entity can trigger the event (post a message to a topic) and any authorized AWS Lambda function can listen for the event, and neither has to know about the other.

    (tags: aws ec2 lambda sns events cep event-processing coding cloud hacks eric-hammond)

  • Texting at the wheel kills more US teenagers every year than drink-driving

    Texting while behind the wheel has overtaken drink driving as the biggest cause of death among teenagers in America. More than 3,000 teenagers are killed every year in car crashes caused by texting while driving compared to 2,700 from drink driving. The study by Cohen Children’s Medical Center also discovered that 50 per cent of students admit to texting while driving.

    (tags: texting sms us driving car-safety safety drink-driving)

  • China’s Great Cannon

    Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-opt arbitrary computers across the web and outside of China to achieve China’s policy ends.  The repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country’s national priorities is a dangerous precedent — contrary to international norms and in violation of widespread domestic laws prohibiting the unauthorized use of computing and networked systems.

    (tags: censorship ddos internet security china great-cannon citizen-lab reports web)

  • Sirius: An open end-to-end voice and vision personal assistant and its implications for future warehouse scale computers

    How to build an Intelligent Personal Assistant: 'Sirius is an open end-to-end standalone speech and vision based intelligent personal assistant (IPA) similar to Apple’s Siri, Google’s Google Now, Microsoft’s Cortana, and Amazon’s Echo. Sirius implements the core functionalities of an IPA including speech recognition, image matching, natural language processing and a question-and-answer system. Sirius is developed by Clarity Lab at the University of Michigan. Sirius is published at the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) 2015.'

    (tags: sirius siri cortana google-now echo ok-google ipa assistants search video audio speech papers clarity nlp wikipedia)

  • Why We Will Not Be Registering easyDNS.SUCKS - blog.easydns.org

    If you're not immersed in the naming business you may find the jargon in it hard to understand. The basic upshot is this: the IPC believes that the mechanisms that were enacted to protect trademark holders during the deluge of new TLD rollouts are being gamed by the .SUCKS TLD operator to extort inflated fees from trademark holders.
    (via Nelson)

    (tags: shakedown business internet domains dns easydns dot-sucks scams tlds trademarks ip)

Links for 2015-04-12

Published April 12, 2015

Links for 2015-04-11

Published April 11, 2015

Links for 2015-04-10

Published April 10, 2015

  • Hacked French network exposed its own passwords during TV interview

    lols

    (tags: passwords post-its fail tv5monde authentication security tv funny)

  • RADStack - an open source Lambda Architecture built on Druid, Kafka and Samza

    'In this paper we presented the RADStack, a collection of complementary technologies that can be used together to power interactive analytic applications. The key pieces of the stack are Kafka, Samza, Hadoop, and Druid. Druid is designed for exploratory analytics and is optimized for low latency data exploration, aggregation, and ingestion, and is well suited for OLAP workflows. Samza and Hadoop complement Druid and add data processing functionality, and Kafka enables high throughput event delivery.'

    (tags: druid samza kafka streaming cep lambda-architecture architecture hadoop big-data olap)

  • outbrain/gruffalo

    an asynchronous Netty based graphite proxy. It protects Graphite from the herds of clients by minimizing context switches and interrupts; by batching and aggregating metrics. Gruffalo also allows you to replicate metrics between Graphite installations for DR scenarios, for example. Gruffalo can easily handle a massive amount of traffic, and thus increase your metrics delivery system availability. At Outbrain, we currently handle over 1700 concurrent connections, and over 2M metrics per minute per instance.

    (tags: graphite backpressure metrics outbrain netty proxies gruffalo ops)

  • Privacy Security Talk in TOG – 22nd April @ 7pm – FREE

    Dublin is lucky enough to have great speakers pass through town on occasion and on Wednesday the 22nd April 2015, Runa A. Sandvik (@runasand) and Per Thorsheim (@thorsheim) have kindly offered to speak in TOG from 7pm. The format for the evening is a general meet and greet, but both speakers have offered to give a presentation on a topic of their choice. Anyone one interested in privacy, security, journalism, Tor and/or has previously attended a CryptoParty would be wise to attend. Doors are from 7pm and bring any projects with you you would like to share with other attendees. This is a free event, open to the public and no need to book. See you Wednesday. Runa A. Sandvik is an independent privacy and security researcher, working at the intersection of technology, law and policy. She contributes to The Tor Project, writes for Forbes, and is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project. Per Thorsheim as founder/organizer of PasswordsCon.org, his topic of choice is of course passwords, but in a much bigger context than most people imagine. Passwords, pins, biometrics, 2-factor authentication, security/usability and all the way into surveillance and protecting your health, kids and life itself.

    (tags: privacy security runa-sandvik per-thorsheim passwords tor truecrypt tog via:oisin events dublin)

Links for 2015-04-09

Published April 9, 2015

Links for 2015-04-08

Published April 8, 2015

Links for 2015-04-07

Published April 7, 2015

Links for 2015-04-06

Published April 6, 2015

Links for 2015-04-03

Published April 3, 2015

  • Twitter’s new anti-harassment filter

    Twitter is calling it a “quality filter,” and it’s been rolling out to verified users running Twitter’s iOS app since last week. It appears to work much like a spam filter, except instead of hiding bots and copy-paste marketers, it screens “threats, offensive language, [and] duplicate content” out of your notifications feed.
    via Nelson

    (tags: via:nelson harassment spam twitter gamergame abuse ml)

  • 5% of Google visitors have ad-injecting malware installed

    Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test. More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
    via Nelson.

    (tags: via:nelson ads google chrome ad-injectors malware scummy)

  • On Ruby

    The horrors of monkey-patching:

    I call out the Honeybadger gem specifically because was the most recent time I'd been bit by a seemingly good thing promoted in the community: monkey patching third party code. Now I don't fault Honeybadger for making their product this way. It provides their customers with direct business value: "just require 'honeybadger' and you're done!" I don't agree with this sort of practice. [....] I distrust everything [in Ruby] but a small set of libraries I've personally vetted or are authored by people I respect. Why is this important? Without a certain level of scrutiny you will introduce odd and hard to reproduce bugs. This is especially important because Ruby offers you absolutely zero guarantee whatever the state your program is when a given method is dispatched. Constants are not constants. Methods can be redefined at run time. Someone could have written a time sensitive monkey patch to randomly undefined methods from anything in ObjectSpace because they can. This example is so horribly bad that no one should every do, but the programming language allows this. Much worse, this code be arbitrarily inject by some transitive dependency (do you even know what yours are?).

    (tags: ruby monkey-patching coding reliability bugs dependencies libraries honeybadger sinatra)

Links for 2015-04-02

Published April 2, 2015

Links for 2015-04-01

Published April 1, 2015

Links for 2015-03-31

Published March 31, 2015

Links for 2015-03-30

Published March 30, 2015

Links for 2015-03-26

Published March 26, 2015

Links for 2015-03-25

Published March 25, 2015

Links for 2015-03-24

Published March 24, 2015

Links for 2015-03-23

Published March 23, 2015

Links for 2015-03-22

Published March 22, 2015

Links for 2015-03-19

Published March 19, 2015

  • Stairs to nowhere, trap streets, and other Toronto oddities

    'There’s a set of stairs on Greenwood Avenue that lead nowhere. At the top, a wooden fence at the end of someone’s back yard blocks any further movement, forcing the climber to turn around and descend back to the street. What’s remarkable about the pointless Greenwood stairs, which were built in 1959 as a shortcut to a now-demolished brickyard, is that someone still routinely maintains them: in winter, some kindly soul deposits a scattering of salt lest one of the stairs’ phantom users slip; in summer someone comes with a broom to sweep away leaves. These urban leftovers are lovingly called “Thomassons” after Gary Thomasson, a former slugger for the San Francisco Giants, Oakland As, Yankees, Dodgers, and, most fatefully, the Yomiuri Giants in Tokyo.'

    (tags: trap-streets maps ip google via:bldgblog mapping copyright thomassons orphaned-roads)

Links for 2015-03-18

Published March 18, 2015

  • President's message gets lost in (automated) translation

    In a series of bizarre translations, YouTube’s automated translation service took artistic licence with the [President's] words of warmth. When the head of state sent St Patrick’s Day greetings to viewers, the video sharing site said US comedian Tina Fey was being “particular with me head”. As President Higgins spoke of his admiration for Irish emigrants starting new communities abroad, YouTube said the President referenced blackjack and how he “just couldn’t put the new iPhone” down. And, in perhaps the most unusual moment, as he talked of people whose hearts have sympathy, the President “explained” he was once on a show “that will bar a gift card”.
    (via Daragh O'Brien)

    (tags: lol president ireland michael-d-higgins automation translation machine-learning via:daraghobrien funny blackjack iphone tina-fey st-patrick fail)

  • Irish government under fire for turning its back on basic research : Nature News & Comment

    Pretty much ALL of Ireland's research scientists have put their names to an open letter to the Irish government, decrying the state of science funding, published this week in "Nature". 'Although total spending on research and development grew through the recession, helped by foreign investments, Ireland’s government has cut state spending on research (see ‘Celtic tiger tamed’). It also prioritized grants in 14 narrow areas — ones in which either large global markets exist, or in which Irish companies are competitive. These include marine renewable energy, smart grids, medical devices and computing. The effect has been to asphyxiate the many areas of fundamental science — including astrophysics, particle physics and areas of the life sciences — that have been deprived of funding, several researchers in Ireland told Nature. “The current policies are having a very significant detrimental effect on the health and viability of the Irish scientific ecosystem,” says Kevin Mitchell, a geneticist who studies the basis of neurological disorders at Trinity College Dublin. “Research that cannot be shoehorned into one of the 14 prioritized areas has been ineligible for most funding,” he says.' That's another fine mess Sean Sherlock has gotten us into :(

    (tags: sean-sherlock fail ireland research government funding grants science tcd kevin-mitchell life-sciences nature)

  • Mars One finalist Dr. Joseph Roche rips into the project

    So, here are the facts as we understand them: Mars One has almost no money. Mars One has no contracts with private aerospace suppliers who are building technology for future deep-space missions. Mars One has no TV production partner. Mars One has no publicly known investment partnerships with major brands. Mars One has no plans for a training facility where its candidates would prepare themselves. Mars One’s candidates have been vetted by a single person, in a 10-minute Skype interview. “My nightmare about it is that people continue to support it and give it money and attention, and it then gets to the point where it inevitably falls on its face,” said Roche. If, as a result, “people lose faith in NASA and possibly even in scientists, then that’s the polar opposite of what I’m about. If I was somehow linked to something that could do damage to the public perception of science, that is my nightmare scenario.”

    (tags: science space mars-one tcd joseph-roche nasa mars exploration scams)

Links for 2015-03-17

Published March 17, 2015

Links for 2015-03-13

Published March 13, 2015

  • demonstration of the importance of server-side request timeouts

    from MongoDB, but similar issues often apply in many other TCP/HTTP-based systems

    (tags: tcp http requests timeout mongodb reliability safety)

  • Heka

    an open source stream processing software system developed by Mozilla. Heka is a “Swiss Army Knife” type tool for data processing, useful for a wide variety of different tasks, such as: Loading and parsing log files from a file system. Accepting statsd type metrics data for aggregation and forwarding to upstream time series data stores such as graphite or InfluxDB. Launching external processes to gather operational data from the local system. Performing real time analysis, graphing, and anomaly detection on any data flowing through the Heka pipeline. Shipping data from one location to another via the use of an external transport (such as AMQP) or directly (via TCP). Delivering processed data to one or more persistent data stores.
    Via feylya on twitter. Looks potentially nifty

    (tags: heka mozilla monitoring metrics via:feylya ops statsd graphite stream-processing)

Links for 2015-03-12

Published March 12, 2015

Links for 2015-03-11

Published March 11, 2015

Links for 2015-03-10

Published March 10, 2015

  • Epsilon Interactive breach the Fukushima of the Email Industry (CAUCE)

    Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software. On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially.  Email lists of at least eight financial institutions were stolen.  Thus far, puzzlingly, Epsilon has refused to release the names  of compromised clients. [...] The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.

    (tags: cauce epsilon-interactive esp email pii data-protection spear-phishing phishing identity-theft security ads)

  • In Ukraine, Tomorrow’s Drone War Is Alive Today

    Drones, hackerspaces and crowdfunding:

    The most sophisticated UAV that has come out of the Ukrainian side since the start of the conflict is called the PD-1 from developer Igor Korolenko. It has a wingspan of nearly 10 feet, a five-hour flight time, carries electro-optical and infrared sensors as well as a video camera that broadcasts on a 128 bit encrypted channel. Its most important feature is the autopilot software that allows the drone to return home in the event that the global positioning system link is jammed or lost. Drone-based intelligence gathering is often depicted as risk-free compared to manned aircraft or human intelligence gathering, but, says Korolenko, if the drone isn’t secure or the signature is too obvious, the human coasts can be very, very high. “Russian military sometimes track locations of ground control stations,” he wrote Defense One in an email. “Therefore UAV squads have to follow certain security measures - to relocate frequently, to move out antennas and work from shelter, etc. As far as I know, two members of UAV squads were killed from mortar attacks after [their] positions were tracked by Russian electronic warfare equipment.”
    (via bldgblog)

    (tags: via:bldgblog war drones uav future ukraine russia tech aircraft pd-1 crowdfunding)

  • Javascript Acid Machine

    a 303 and an 808 in your browser. this is deadly

    (tags: acid 303 music javascript hacks via:hn techno)

Links for 2015-03-09

Published March 9, 2015

  • Ubuntu To Officially Switch To systemd Next Monday - Slashdot

    Jesus. This is going to be the biggest shitfest in the history of Linux...

    (tags: linux slashdot ubuntu systemd init unix ops)

  • uselessd

    A project to reduce systemd to a base initd, process supervisor and transactional dependency system, while minimizing intrusiveness and isolationism. Basically, it’s systemd with the superfluous stuff cut out, a (relatively) coherent idea of what it wants to be, support for non-glibc platforms and an approach that aims to minimize complicated design. uselessd is still in its early stages and it is not recommended for regular use or system integration.
    This may be the best option to evade the horrors of systemd.

    (tags: init linux systemd unix ops uselessd)

  • Japan's Robot Dogs Get Funerals as Sony Looks Away

    in July 2014, [Sony's] repairs [of Aibo robot dogs] stopped and owners were left to look elsewhere for help. The Sony stiff has led not only to the formation of support groups--where Aibo enthusiasts can share tips and help each other with repairs--but has fed the bionic pet vet industry. “The people who have them feel their presence and personality,” Nobuyuki Narimatsu, director of A-Fun, a repair company for robot dogs, told AFP. “So we think that somehow, they really have souls.” While concerted repair efforts have kept many an Aibo alive, a shortage of spare parts means that some of their lives have come to an end.

    (tags: sony aibo robots japan dogs pets weird future badiotday iot gadgets)

  • "Cuckoo Filter: Practically Better Than Bloom"

    'We propose a new data structure called the cuckoo filter that can replace Bloom filters for approximate set membership tests. Cuckoo filters support adding and removing items dynamically while achieving even higher performance than Bloom filters. For applications that store many items and target moderately low false positive rates, cuckoo filters have lower space overhead than space-optimized Bloom filters. Our experimental results also show that cuckoo filters outperform previous data structures that extend Bloom filters to support deletions substantially in both time and space.'

    (tags: algorithms paper bloom-filters cuckoo-filters cuckoo-hashing data-structures false-positives big-data probabilistic hashing set-membership approximation)

  • Amazing cutting from Vanity Fair, 1896, for International Women's Day

    "The sisters make a pretty picture on the platform ; but it is not women of their type who need to assert themselves over Man. However, it amuses them--and others ; and I doubt if the tyrant has much to fear from their little arrows." Constance Markievicz was one of those sisters, and the other was Eva Gore-Booth.

    (tags: markievicz history ireland sligo vanity-fair 19th-century dismissal sexism iwd women)

  • Anatomy of a Hack

    Authy doesn't come off well here: 'Authy should have been harder to break. It's an app, like Authenticator, and it never left Davis' phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve's control.'

    (tags: authy security hacking mfa authentication google apps exploits)

  • Ask the Decoder: Did I sign up for a global sleep study?

    How meaningful is this corporate data science, anyway? Given the tech-savvy people in the Bay Area, Jawbone likely had a very dense sample of Jawbone wearers to draw from for its Napa earthquake analysis. That allowed it to look at proximity to the epicenter of the earthquake from location information. Jawbone boasts its sample population of roughly “1 million Up wearers who track their sleep using Up by Jawbone.” But when looking into patterns county by county in the U.S., Jawbone states, it takes certain statistical liberties to show granularity while accounting for places where there may not be many Jawbone users. So while Jawbone data can show us interesting things about sleep patterns across a very large population, we have to remember how selective that population is. Jawbone wearers are people who can afford a $129 wearable fitness gadget and the smartphone or computer to interact with the output from the device. Jawbone is sharing what it learns with the public, but think of all the public health interests or other third parties that might be interested in other research questions from a large scale data set. Yet this data is not collected with scientific processes and controls and is not treated with the rigor and scrutiny that a scientific study requires. Jawbone and other fitness trackers don’t give us the option to use their devices while opting out of contributing to the anonymous data sets they publish. Maybe that ought to change.

    (tags: jawbone privacy data-protection anonymization aggregation data medicine health earthquakes statistics iot wearables)

  • Pinterest's highly-available configuration service

    Stored on S3, update notifications pushed to clients via Zookeeper

    (tags: s3 zookeeper ha pinterest config storage)

  • A Journey into Microservices | Hailo Tech Blog

    Excellent three-parter from Hailo, describing their RabbitMQ+Go-based microservices architecture. Very impressive!

    (tags: hailo go microservices rabbitmq amqp architecture blogs)

  • soundcloud/lhm

    The Large Hadron Migrator is a tool to perform live database migrations in a Rails app without locking.

    The basic idea is to perform the migration online while the system is live, without locking the table. In contrast to OAK and the facebook tool, we only use a copy table and triggers. The Large Hadron is a test driven Ruby solution which can easily be dropped into an ActiveRecord or DataMapper migration. It presumes a single auto incremented numerical primary key called id as per the Rails convention. Unlike the twitter solution, it does not require the presence of an indexed updated_at column.

    (tags: migrations database sql ops mysql rails ruby lhm soundcloud activerecord)

  • Biased Locking in HotSpot (David Dice's Weblog)

    This is pretty nuts. If biased locking in the HotSpot JVM is causing performance issues, it can be turned off:

    You can avoid biased locking on a per-object basis by calling System.identityHashCode(o). If the object is already biased, assigning an identity hashCode will result in revocation, otherwise, the assignment of a hashCode() will make the object ineligible for subsequent biased locking.

    (tags: hashcode jvm java biased-locking locking mutex synchronization locks performance)

Links for 2015-03-07

Published March 7, 2015

  • A Zero-Administration Amazon Redshift Database Loader - AWS Big Data Blog

    nifty!

    (tags: lambda amazon aws redshift etl)

  • Archie Markup Language (ArchieML)

    ArchieML (or "AML") was created at The New York Times to make it easier to write and edit structured text on deadline that could be rendered in web pages, or more specifically, rendered in interactive graphics. One of the main goals was to make it easy to tag text as data, without having type a lot of special characters. Another goal was to allow the document to contain lots of notes and draft text that would not be read into the data. And finally, because we make extensive use of Google Documents's concurrent-editing features — while working on a graphic, we can have several reporters, editors and developers all pouring information into a single document — we wanted to have a format that could survive being edited by users who may never have seen ArchieML or any other markup language at all before.

    (tags: aml archie markup text nytimes archieml writing)

  • California Says Motorcycle Lane-Splitting Is Hella Safe

    A recent yearlong study by the California Office of Traffic Safety has found motorcycle lane-splitting to be a safe practice on public roads. The study looked at collisions involving 7836 motorcyclists reported by 80 police departments between August 2012 and August 2013. “What we learned is, if you lane-split in a safe or prudent manner, it is no more dangerous than motorcycling in any other circumstance,” state spokesman Chris Cochran told the Sacramento Bee. “If you are speeding or have a wide speed differential (with other traffic), that is where the fatalities came about.”

    (tags: lane-splitting cycling motorcycling bikes road-safety driving safety california)

  • Try Server

    Good terminology for this concept:

    The try server runs a similar configuration to the continuous integration server, except that it is triggered not on commits but on "try job request", in order to test code pre-commit.
    See also https://wiki.mozilla.org/ReleaseEngineering/TryServer for the Moz take on it.

    (tags: build ci integration try-server jenkins buildbot chromium development)

  • metrics-sql

    A Dropwizard Metrics extension to instrument JDBC resources and measure SQL execution times.

    (tags: metrics sql jdbc instrumentation dropwizard)

  • HP is trying to patent Continuous Delivery

    This is appalling bollocks from HP:

    On 1st March 2015 I discovered that in 2012 HP had filed a patent (WO2014027990) with the USPO for ‘Performance tests in a continuous deployment pipeline‘ (the patent was granted in 2014). [....] HP has filed several patents covering standard Continuous Delivery (CD) practices. You can help to have these patents revoked by providing ‘prior art’ examples on Stack Exchange.
    In fairness, though, this kind of shit happens in most big tech companies. This is what happens when you have a broken software patenting system, with big rewards for companies who obtain shitty troll patents like these, and in turn have companies who reward the engineers who sell themselves out to write up concepts which they know have prior art. Software patents are broken by design!

    (tags: cd devops hp continuous-deployment testing deployment performance patents swpats prior-art)

Links for 2015-03-05

Published March 5, 2015

Links for 2015-03-04

Published March 4, 2015

Links for 2015-03-02

Published March 2, 2015

  • Glowroot

    "Open source APM for Java" -- profiling in production, with a demo benchmark showing about a 2% performance impact. Wonder about effects on memory/GC, though

    (tags: apm java metrics measurement new-relic profiling glowroot)

  • "Everything you've ever said to Siri/Cortana has been recorded...and I get to listen to it"

    This should be a reminder.

    At first, I though these sound bites were completely random. Then I began to notice a pattern. Soon, I realized that I was hearing peoples commands given to their mobile devices. Guys, I'm telling you, if you've said it to your phone, it's been recorded...and there's a damn good chance a 3rd party is going to hear it.

    (tags: privacy google siri cortana android voice-recognition outsourcing mobile)

  • Halcyon Days

    Fantastic 1997-era book of interviews with the programmers behind some of the greatest games in retrogaming history:

    Halcyon Days: Interviews with Classic Computer and Video Game Programmers was released as a commercial product in March 1997. At the time it was one of the first retrogaming projects to focus on lost history rather than game collecting, and certainly the first entirely devoted to the game authors themselves. Now a good number of the interviewees have their own web sites, but none of them did when I started contacting them in 1995. [...] If you have any of the giddy anticipation that I did whenever I picked up a magazine containing an interview with Mark Turmell or Dan [M.U.L.E.] Bunten, then you want to start reading.

    (tags: book games history coding interviews via:walter)

  • Pub Table Quiz - In Aid of Digital Rights Ireland

    Jason Roe is organising a Table Quiz in Dublin on March 26th to support fundraising efforts by Digital Rights Ireland. We will supply tables, questions and a ready supply of beer and maybe finger food.

    (tags: dri pub-quiz fun dublin quizzes)

  • Why are transhumanists such dicks?

    Good discussion from a transhumanist forum (via Boing Boing):

    "I’ve been around and interviewed quite a lot of self-identified transhumanists in the last couple of years, and I’ve noticed many of them express a fairly stark ideology that is at best libertarian, and at worst Randian. Very much “I want super bionic limbs and screw the rest of the world”. They tend to brush aside the ethical, environmental, social and political ramifications of human augmentation so long as they get to have their toys. There’s also a common expression that if sections of society are harmed by transhumanist progress, then it is unfortunate but necessary for the greater good (the greater good often being bestowed primarily upon those endorsing the transhumanism). That attitude isn’t prevalent on this forum at all – I think the site tends to attract more practical body-modders than theoretical transhumanists – but I wondered if anyone else here had experienced the same attitudes in their own circles? What do you make of it?"

    (tags: transhumanism evolution body-modding surgery philosophy via:boingboing libertarianism society politics)

Links for 2015-02-27

Published February 27, 2015

Links for 2015-02-26

Published February 26, 2015

  • JClarity's Illuminate

    Performance-diagnosis-as-a-service. Cool.

    Users download and install an Illuminate Daemon using a simple installer which starts up a small stand alone Java process. The Daemon sits quietly unless it is asked to start gathering SLA data and/or to trigger a diagnosis. Users can set SLA’s via the dashboard and can opt to collect latency measurements of their transactions manually (using our library) or by asking Illuminate to automatically instrument their code (Servlet and JDBC based transactions are currently supported). SLA latency data for transactions is collected on a short cycle. When the moving average of latency measurements goes above the SLA value (e.g. 150ms), a diagnosis is triggered. The diagnosis is very quick, gathering key data from O/S, JVM(s), virtualisation and other areas of the system. The data is then run through the machine learned algorithm which will quickly narrow down the possible causes and gather a little extra data if needed. Once Illuminate has determined the root cause of the performance problem, the diagnosis report is sent back to the dashboard and an alert is sent to the user. That alert contains a link to the result of the diagnosis which the user can share with colleagues. Illuminate has all sorts of backoff strategies to ensure that users don’t get too many alerts of the same type in rapid succession!

    (tags: illuminate jclarity java jvm scala latency gc tuning performance)

  • grpc.io

    Binary message marshalling, client/server stubs generated by an IDL compiler, bidirectional binary protocol. CORBA is back from the dead! Intro blog post: http://googledevelopers.blogspot.ie/2015/02/introducing-grpc-new-open-source-http2.html Relevant: Steve Vinoski's commentary on protobuf-rpc back in 2008: http://steve.vinoski.net/blog/2008/07/13/protocol-buffers-leaky-rpc/

    (tags: http rpc http2 netty grpc google corba idl messaging)

Links for 2015-02-25

Published February 25, 2015

Links for 2015-02-24

Published February 24, 2015

Links for 2015-02-23

Published February 23, 2015

  • ssls.com

    "Cheap SSL certs from $4.99/yr" -- apparently recommended for cheap, low-end SSL certs

    (tags: ssl certs security https ops)

  • Having Your Cake and Eating It Too: Jointly Optimal Erasure Codes for I/O, Storage, and Network-bandwidth | USENIX

    Erasure codes, such as Reed-Solomon (RS) codes, are increasingly being deployed as an alternative to data-replication for fault tolerance in distributed storage systems. While RS codes provide significant savings in storage space, they can impose a huge burden on the I/O and network resources when reconstructing failed or otherwise unavailable data. A recent class of erasure codes, called minimum-storage-regeneration (MSR) codes, has emerged as a superior alternative to the popular RS codes, in that it minimizes network transfers during reconstruction while also being optimal with respect to storage and reliability. However, existing practical MSR codes do not address the increasingly important problem of I/O overhead incurred during reconstructions, and are, in general, inferior to RS codes in this regard. In this paper, we design erasure codes that are simultaneously optimal in terms of I/O, storage, and network bandwidth. Our design builds on top of a class of powerful practical codes, called the product-matrix-MSR codes. Evaluations show that our proposed design results in a significant reduction the number of I/Os consumed during reconstructions (a 5 reduction for typical parameters), while retaining optimality with respect to storage, reliability, and network bandwidth.

    (tags: erasure-coding reed-solomon compression reliability reconstruction replication fault-tolerance storage bandwidth usenix papers)

  • Everyday I'm Shuffling - Tips for Writing Better Spark Programs [slides]

    Two Spark experts from Databricks provide some good tips

    (tags: spark performance batch ops tips slides emr)

Links for 2015-02-22

Published February 22, 2015

Links for 2015-02-20

Published February 20, 2015

  • 2015-02-19 GCE outage

    40 minutes of multi-zone network outage for majority of instances. 'The internal software system which programs GCE’s virtual network for VM egress traffic stopped issuing updated routing information. The cause of this interruption is still under active investigation. Cached route information provided a defense in depth against missing updates, but GCE VM egress traffic started to be dropped as the cached routes expired.' I wonder if Google Pimms fired the alarms for this ;)

    (tags: google outages gce networking routing pimms multi-az cloud)

  • Listen to a song made from data lost during MP3 conversion

    Ryan McGuire, a PhD student in Composition and Computer Technologies at the University of Virginia Center for Computer Music, has created the project The Ghost In The MP3 [....] For his first trick, McGuire took Suzanne Vega’s ‘Tom’s Diner’ and drained it into a vaporous piece titled ‘moDernisT.” McGuire chose the track he explains on his site because it was famously used as one of the main controls in the listening tests used to develop the MP3 algorithm.

    (tags: mp3 music suzanne-vega compression)

Links for 2015-02-19

Published February 19, 2015

  • pcp2graphite

    A gateway script, now included in PCP

    (tags: pcp2graphite pcp graphite ops metrics system)

  • Performance Co-Pilot

    System performance metrics framework, plugged by Netflix, open-source for ages

    (tags: open-source pcp performance system metrics ops red-hat netflix)

  • Superfish: A History Of Malware Complaints And International Surveillance - Forbes

    Superfish, founded and led by former Intel employee and ex-surveillance boffin Adi Pinhas, has been criticised by users the world over since its inception in 2006.

    (tags: superfish lenovo privacy surveillance ads java windows mac firefox pups ssl tls ad-injection komodia)

  • The Superfish certificate has been cracked, exposing Lenovo users to attack | The Verge

    The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.
    Amazingly stupid.

    (tags: superfish inept ca ssl tls lenovo mitm security)

  • Police have asked Dropcam for video from people's home cameras -- Fusion

    “Like any responsible father, Hugh Morrison had installed cameras in every room in the flat,” is the opening line of Intrusion, a 2012 novel set in the near future. Originally installed so that Hugh and his wife can keep an eye on their kids, the Internet-connected cameras wind up being used later in the novel by police who tap into the feeds to monitor the couple chatting on their couch when they are suspected of anti-societal behavior. As with so many sci-fi scenarios, the novel’s vision was prophetic. People are increasingly putting small Internet-connected cameras into their homes. And law enforcement officials are using the cameras to collect evidence about them.

    (tags: privacy dropcam cameras surveillance law-enforcement)

  • Extracting the SuperFish certificate

    not exactly the most challenging reverse I've ever seen ;)

    (tags: reverse-engineering security crypto hacking tls ssl superfish lenovo)

  • The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

    Holy shit. Gemalto totally rooted.

    With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt. [...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.

    (tags: encryption security crypto nsa gchq gemalto smartcards sim-cards privacy surveillance spying)

  • One year of InfluxDB and the road to 1.0

    half of the [Monitorama] attendees were employees and entrepreneurs at monitoring, metrics, DevOps, and server analytics companies. Most of them had a story about how their metrics API was their key intellectual property that took them years to develop. The other half of the attendees were developers at larger organizations that were rolling their own DevOps stack from a collection of open source tools. Almost all of them were creating a “time series database” with a bunch of web services code on top of some other database or just using Graphite. When everyone is repeating the same work, it’s not key intellectual property or a differentiator, it’s a barrier to entry. Not only that, it’s something that is hindering innovation in this space since everyone has to spend their first year or two getting to the point where they can start building something real. It’s like building a web company in 1998. You have to spend millions of dollars and a year building infrastructure, racking servers, and getting everything ready before you could run the application. Monitoring and analytics applications should not be like this.

    (tags: graphite monitoring metrics tsd time-series analytics influxdb open-source)

  • Sysdig Cloud’s JMX Metrics

    Sysdig Cloud users have the ability to view and analyze Java Management Extensions (JMX) metrics out of the box with no additional configuration or setup required.

    (tags: sysdig jmx java jvm)

  • Will the madness never end? Komodia SSL certificates are EVERYWHERE

    I think that at this point it is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method. What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

    (tags: komodia via:jgc ssl lenovo parental-control censorware mitm)

Links for 2015-02-18

Published February 18, 2015

Links for 2015-02-17

Published February 17, 2015

Links for 2015-02-16

Published February 16, 2015

Links for 2015-02-13

Published February 13, 2015

  • Slack's coming to Dublin

    Butterfield insists that Slack improves on the basic messaging functionality offered by its predecessors. The company plans to expand from 100 employees to 250 this year, open an office in Dublin, and launch a version that supports large companies with multiple teams.

    (tags: slack messaging chat dublin ireland jobs tech)

  • yahoo/kafka-manager

    A tool for managing Apache Kafka. It supports the following : Manage multiple clusters; Easy inspection of cluster state (topics, brokers, replica distribution, partition distribution); Run preferred replica election; Generate partition assignments (based on current state of cluster); Run reassignment of partition (based on generated assignments)

    (tags: yahoo kafka ops tools)

  • Vaurien, the Chaos TCP Proxy — Vaurien 1.8 documentation

    Vaurien is basically a Chaos Monkey for your TCP connections. Vaurien acts as a proxy between your application and any backend. You can use it in your functional tests or even on a real deployment through the command-line. Vaurien is a TCP proxy that simply reads data sent to it and pass it to a backend, and vice-versa. It has built-in protocols: TCP, HTTP, Redis & Memcache. The TCP protocol is the default one and just sucks data on both sides and pass it along. Having higher-level protocols is mandatory in some cases, when Vaurien needs to read a specific amount of data in the sockets, or when you need to be aware of the kind of response you’re waiting for, and so on. Vaurien also has behaviors. A behavior is a class that’s going to be invoked everytime Vaurien proxies a request. That’s how you can impact the behavior of the proxy. For instance, adding a delay or degrading the response can be implemented in a behavior. Both protocols and behaviors are plugins, allowing you to extend Vaurien by adding new ones. Last (but not least), Vaurien provides a couple of APIs you can use to change the behavior of the proxy live. That’s handy when you are doing functional tests against your server: you can for instance start to add big delays and see how your web application reacts.

    (tags: proxy tcp vaurien chaos-monkey testing functional-testing failures sockets redis memcache http)

  • Embed-able Computers are a Thing. — February 12, 2015

    'If it works, a copy of Burgertime for DOS is now in your browser, clickable from my entry. If it doesn’t… well, no Burgertime for you. (Unless you visit the page.) There’s a “share this” link in the new archive.org interface for sharing these in-browser emulations in web pages, weblogs and who knows what else.'

    (tags: sharing embeds html javascript emulation msdos burgertime games archive.org)

  • China’s Internet Censors Now Have Their Own Theme Song, And It Is Glorious - China Real Time Report - WSJ

    According to a report posted Thursday to the website of the state-run China Youth Daily, the Cyberspace Administration of China choral group this week unveiled a new song, “Cyberspace Spirit,” glorifying the cleanliness and clarity of China’s uniquely managed Internet. The song, an orchestral march built around a chorus that proclaims China’s ambition to become an “Internet power,” opens with lyrics describing celestial bodies keeping careful watch over the sky. From there, the lyrics conjure more vivid imagery, comparing the Internet to “a beam of incorruptible sunlight” that unites “the powers of life from all creation.”

    (tags: china great-firewall censorship music songs cyberspace-spirit omgwtfbbq)

Links for 2015-02-12

Published February 12, 2015