Skip to content

Category: Uncategorized

  • Via arclight on Mastodon ( https://oldbytes.space/@arclight/112367348253414752 ): spreadsheet authors/developers have an accuracy rate of 96%-99% when writing new formulas (and, of course, there are no unit tests in the world of spreadsheets). As they put it: “the uncomfortable truth is that any but the most trivial spreadsheets contain errors. It’s not a question of if there are errors, it’s a question of how many and how severe.”

    In the spreadsheet error community, both academics and practitioners generally have ignored the rich findings produced by a century of human error research. These findings can suggest ways to reduce errors; we can then test these suggestions empirically. In addition, research on human error seems to suggest that several common prescriptions and expectations for reducing errors are likely to be incorrect. Among the key conclusions from human error research are that thinking is bad, that spreadsheets are not the cause of spreadsheet errors, and that reducing errors is extremely difficult. In past EuSpRIG conferences, many papers have shown that most spreadsheets contain errors, even after careful development. Most spreadsheets, in fact, have material errors that are unacceptable in the growing realm of compliance laws. Given harsh penalties for non-compliance, we are under considerable pressure to develop good practice recommendations for spreadsheet developers and testers. If we are to reduce errors, we need to understand errors. Fortunately, human error has been studied for over a century across a number of human cognitive domains, including linguistics, writing, software development and testing, industrial processes, automobile accidents, aircraft accidents, nuclear accidents, and algebra, to name just a few. The research that does exist is disturbing because it shows that humans are unaware of most of their errors. This “error blindness” leads people to many incorrect beliefs about error rates and about the difficulty of detecting errors. In general, they are overconfident, substantially underestimating their own error rates and overestimating their ability to reduce and detect errors. This “illusion of control” also leads them to hold incorrect beliefs about spreadsheet errors, such as a belief that most errors are due to spreadsheet technology or to sloppiness rather than being due primarily to inherent human error.

    (tags: spreadsheets errors programming coding bugs research papers via:arclight)

The Immich core team goes full-time

  • The Immich core team goes full-time

    Interesting — the Immich photo hosting open source project is switching IP ownership, and core team employment, to a private company:

    Since the beginning of this adventure, my goal has always been to create a better world for my children. Memories are priceless, and privacy should not be a luxury. However, building quality open source has its challenges. Over the past two years, it has taken significant dedication, time, and effort. Recently, a company in Austin, Texas, called FUTO contacted the team. FUTO strives to develop quality and sustainable open software. They build software alternatives that focus on giving control to users. From their mission statement: “Computers should belong to you, the people. We develop and fund technology to give them back.” FUTO loved Immich and wanted to see if we’d consider working with them to take the project to the next level. In short, FUTO offered to: Pay the core team to work on Immich full-time Let us keep full autonomy about the project’s direction and leadership Continue to license Immich under AGPL Keep Immich’s development direction with no paywalled features Keep Immich “built for the people” (no ads, data mining/selling, or alternative motives) Provide us with financial, technical, legal, and administrative support
    Here are FUTO’s “three pledges”:
    We will never sell out. All FUTO companies and FUTO-funded projects are expected to remain fiercely independent. They will never exacerbate the monopoly problem by selling out to a monopolist. We will never abuse our customers. All FUTO companies and FUTO-funded projects are expected to maintain an honest relationship with their customers. Revenue, if it exists, comes from customers paying directly for software and services. “The users are our product” revenue models are strictly prohibited. We will always be transparently devoted to making delightful software. All FUTO-funded projects are expected to be open-source or develop a plan to eventually become so. No effort will ever be taken to hide from the people what their computers are doing, to limit how they use them, or to modify their behavior through their software.
    I’m not 100% clear on how FUTO will make money, but this is a very interesting move.

    (tags: futo immich open-source photos agpl ip ownership work how-we-work)

How did Ethernet get its 1500-byte MTU?

  • How did Ethernet get its 1500-byte MTU?

    Now this is a great bit of networking trivia!

    1500 bytes is a bit out there as numbers go, or at least it seems that way if you touch computers for a living. It’s not a power of two or anywhere close, it’s suspiciously base-ten-round, and computers don’t care all that much about base ten, so how did we get here? Well, today I learned that if you add the Ethernet header – 36 bytes – then an MTU of 1500 plus that header is 1536 bytes, which is 12288 bits, which takes 2^12 microseconds to transmit at 3Mb/second, and because the Xerox Alto computer for which Ethernet was invented had an internal data path that ran at 3Mhz, then you could just write the bits into the Alto’s memory at the precise speed at which they arrived, saving the very-expensive-then cost of extra silicon for an interface or any buffering hardware. Now, “we need to pick just the right magic number here so we can take data straight off the wire and blow it directly into the memory of this specific machine over there” is, to any modern sensibilities, lunacy. It’s obviously, dangerously insane, there are far too many computers and bad people with computers in the world for that. But back when the idea of network security didn’t exist because computers barely existed, networks mostly didn’t exist and unvetted and unsanctioned access to those networks definitely didn’t exist, I bet it seemed like a very reasonable tradeoff. It really is amazing how many of the things we sort of ambiently accept as standards today, if we even realize we’re making that decision at all, are what they are only because some now-esoteric property of the now-esoteric hardware on which the tech was first invented let the inventors save a few bucks.

    (tags: ethernet networking magic-numbers via:itc hardware history xerox alto)

American flag sort

  • American flag sort

    An efficient, in-place variant of radix sort that distributes items into hundreds of buckets. The first step counts the number of items in each bucket, and the second step computes where each bucket will start in the array. The last step cyclically permutes items to their proper bucket. Since the buckets are in order in the array, there is no collection step. The name comes by analogy with the Dutch national flag problem in the last step: efficiently partition the array into many “stripes”. Using some efficiency techniques, it is twice as fast as quicksort for large sets of strings. See also histogram sort. Note: This works especially well when sorting a byte at a time, using 256 buckets.

    (tags: algorithms sorting sort radix-sort performance quicksort via:hn)

How web bloat impacts users with slow devices

  • How web bloat impacts users with slow devices

    CPU performance for web apps hasn’t scaled nearly as quickly as bandwidth so, while more of the web is becoming accessible to people with low-end connections, more of the web is becoming inaccessible to people with low-end devices even if they have high-end connections. For example, if I try browsing a “modern” Discourse-powered forum on a Tecno Spark 8C, it sometimes crashes the browser. Between crashes, on measuring the performance, the responsiveness is significantly worse than browsing a BBS with an 8 MHz 286 and a 1200 baud modem.

    (tags: dan-luu performance web bloat cpu hardware internet profiling)

Ex-Amazon AI exec claims she was asked to ignore IP law

  • Ex-Amazon AI exec claims she was asked to ignore IP law

    This is really appalling stuff, on two counts: (a) how does it not surprise me that maternity leave was considered “weak” and grounds for firing. (b) check this shit out:

    According to Ghaderi’s account in the complaint, she returned to work after giving birth in January 2023, inheriting a large language model project. Part of her role was flagging violations of Amazon’s internal copyright policies and escalating these concerns to the in-house legal team. In March 2023, the filing claims, her team director, Andrey Styskin, challenged Ghaderi to understand why Amazon was not meeting its goals on Alexa search quality. The filing alleges she met with a representative from the legal department to explain her concerns and the tension they posed with the “direction she had received from upper management, which advised her to violate the direction from legal.” According to the complaint, Styskin rejected Ghaderi’s concerns, allegedly telling her to ignore copyright policies to improve the results. Referring to rival AI companies, the filing alleges he said: “Everyone else is doing it.”
    Move fast and break laws!

    (tags: aws amazon llms alexa maternity-leave parenting parental-leave work dont-be-evil copyright ip ai)

“Randar” exploit for Minecraft

  • “Randar” exploit for Minecraft

    This is great — I love a good pRNG state-leakage exploit:

    Every time a block is broken in Minecraft versions Beta 1.8 through 1.12.2, the precise coordinates of the dropped item can reveal another player’s location. “Randar” is an exploit for Minecraft which uses LLL lattice reduction to crack the internal state of an incorrectly reused java.util.Random in the Minecraft server, then works backwards from that to locate other players currently loaded into the world.
    Don’t reuse those java.util.Randoms! (via Dan Hon)

    (tags: exploits security infosec minecraft prngs rngs random coding via:danhon)

NHS and OpenSAFELY

  • NHS and OpenSAFELY

    It seems the UK have created a “Trusted Research Environment” for working with the extremely privacy-sensitive datasets around NHS users’ health data, using OpenSAFELY; it is basically a hosting environment allowing the execution of user-submitted Python query code, which must be open source, hosted on Github, designed with care to avoid releasing user-identifying sensitive data, and of course fully auditable. This looks like a decent advance in privacy-sensitive technology! Example code, from the OpenSAFELY tutorial docs: “` from ehrql import create_dataset from ehrql.tables.core import patients, medications dataset = create_dataset() dataset.define_population(patients.date_of_birth.is_on_or_before(“1999-12-31”)) asthma_codes = [“39113311000001107”, “39113611000001102”] latest_asthma_med = ( medications.where(medications.dmd_code.is_in(asthma_codes)) .sort_by(medications.date) .last_for_patient() ) dataset.asthma_med_date = latest_asthma_med.date dataset.asthma_med_code = latest_asthma_med.dmd_code “`

    (tags: privacy data-protection nhs medical-records medicine research python sql opensafely uk)

Recommending Toxicity: How TikTok and YouTube Shorts are bombarding boys and men with misogynist content

  • Recommending Toxicity: How TikTok and YouTube Shorts are bombarding boys and men with misogynist content

    This is, frankly, disgusting.

    A new study from Dublin City University’s Anti-Bullying Centre shows that the recommender algorithms used by social media platforms are rapidly amplifying misogynistic and male supremacist content. The study, conducted by Professor Debbie Ging, Dr Catherine Baker and Dr Maja Andreasen, tracked, recorded and coded the content recommended to 10 experimental or ‘sockpuppet’ accounts on 10 blank smartphones – five on YouTube Shorts and five on TikTok. The researchers found that all of the male-identified accounts were fed masculinist, anti-feminist and other extremist content, irrespective of whether they sought out general or male supremacist-related content, and that they all received this content within the first 23 minutes of the experiment. Once the account showed interest by watching this sort of content, the amount rapidly increased. By the last round of the experiment (after 400 videos or two to three hours viewing), the vast majority of the content being recommended to the phones was toxic (TikTok 76% and YouTube Shorts 78%), primarily falling into the manosphere (alpha male and anti-feminist) category.

    (tags: tiktok youtube hate misogyny dcu research social-media)

How many bathrooms have Neanderthals in the tile?

  • How many bathrooms have Neanderthals in the tile?

    The [Reddit] poster is a dentist and visited his parents house to see the new travertine they installed. It’s no surprise that he recognized something right away: […] A section cut at a slight angle through a very humanlike jaw! […] The Reddit user who posted the story (Kidipadeli75) has followed up with some updates over the course of the day. The travertine was sourced in Turkey, and a close search of some of the other installed panels revealed some other interesting possible fossils, although none are as strikingly identifiable as the mandible. A number of professionals have reached out to offer assistance and I have no doubt that they will be able to learn a lot about the ancient person whose jaw ended up in this rock. This naturally raises a broader question: How many other people have installed travertine with hominin fossils inside?

    (tags: reddit mandibles bones archaeology history neanderthals travertine turkey)

AI and Israel’s Dystopian Promise of War without Responsibility

  • AI and Israel’s Dystopian Promise of War without Responsibility

    From the Center for International Policy:

    In Gaza we see an “indiscriminate” and “over the top” bombing campaign being actively rebranded by Israel as a technological step up, when in actuality there is currently no evidence that their so-called Gospel has produced results qualitatively better than those made by minds of flesh and blood. Instead, Israel’s AI has produced an endless list of targets with a decidedly lower threshold for civilian casualties. Human eyes and intelligence are demoted to rubber stamping a conveyor belt of targets as fast they can be bombed. It’s a path that the US military and policy makers should not only be wary of treading, but should reject loudly and clearly. In the future we may develop technology worthy of the name Artificial Intelligence, but we are not there yet. Currently the only promise a system such as Gospel AI holds is the power to occlude responsibility, to allow blame to fall on the machine picking the victims instead of the mortals providing the data.

    (tags: ai war grim-meathook-future israel gaza automation war-crimes lavender gospel)

Quick plug for Cronitor.IO

Quick plug for a good tool for self-hosting — Cronitor.io. I have been using this for the past year or so as I migrate more of my personal stuff off cloud and back onto self-hosted setups, and it’s been a really nice way to monitor simple cron-driven home workloads, and (together with graphite/grafana alerts) has saved my bacon many times. Integrates nicely with Slack, or even PagerDuty (although that would be overkill for my setup for sure).

90-GWh thermal energy storage facility could heat a city for a year

  • 90-GWh thermal energy storage facility could heat a city for a year

    Some cool green engineering:

    The project has a total volume of 1.1 million cubic meters (38.85 million cubic feet), including processing facilities, and will be built into [Vantaa]’s bedrock at around 100 m (330 ft) below ground – though the deepest parts of the setup could go down as far as 140 m. Three caverns will be created, each measuring 300 m (984.25 ft) in length, 40 m (131.2 ft) in height and 20 m (65.6 ft) in width. These will be filled with hot water by a pair of 60-MW electric boilers, powered by renewables when it’s cheap to do so. Pressure within the space allows for temperatures to get as high as 140 °C (284 °F) without the water boiling over or steaming away. Waste heat from industry will also feed the setup, with a smart control system balancing energy sources. The Varanto facility is reported to have a total thermal capacity of 90 GWh when “fully charged” – enough to meet the year-round domestic heating needs of a “medium-sized Finnish city.”

    (tags: engineering finland district-heating energy energy-storage caves cool)

AWS told to pay $525M in cloud storage patent suit – The Register

leaked Kremlin documents detailing current Russian troll tactics

  • leaked Kremlin documents detailing current Russian troll tactics

    A rare view into Russia’s current propaganda tactics, really useful to spot it in action:

    In an ongoing campaign that seeks to influence congressional and other political debates to stoke anti-Ukraine sentiment, Kremlin-linked political strategists and trolls have written thousands of fabricated news articles, social media posts and comments that promote American isolationism, stir fear over the United States’ border security and attempt to amplify U.S. economic and racial tensions, according to a trove of internal Kremlin documents obtained by a European intelligence service […] One of the political strategists … instructed a troll farm employee working for his firm to write a comment of “no more than 200 characters in the name of a resident of a suburb of a major city.” The strategist suggested that this fictitious American “doesn’t support the military aid that the U.S. is giving Ukraine and considers that the money should be spent defending America’s borders and not Ukraine’s. He sees that Biden’s policies are leading the U.S. toward collapse.” … The files are part of a series of leaks that have allowed a rare glimpse into Moscow’s parallel efforts to weaken support for Ukraine in France and Germany, as well as destabilize Ukraine itself … [via] the creation of websites designed to impersonate legitimate media outlets in Europe, part of a campaign that Western officials have called “Doppelganger”. Plans by Gambashidze’s team refer to using “short-lived” social media accounts aimed at avoiding detection. Social media manipulators have established a technique of using accounts to send out links to material and then deleting their posts or accounts once others have reshared the content. The idea is to obscure the true origin of misleading information and keep the channel open for future influence operations, disinformation researchers said. Propaganda operatives have used another technique to spread just a web address, rather than the words in a post, to frustrate searches for that material, according to the social media research company Alethea, which called the tactic “writing with invisible ink.” Other obfuscation tricks include redirecting viewers through a series of seemingly random websites until they arrive at a deceptive article. One of the documents reviewed by The Post called for the use of Trump’s Truth Social platform as the only way to disseminate posts “without censorship,” while “short-lived” accounts would be created for Facebook, Twitter (now known as X) and YouTube. “You just have to push content every single day … someone will stumble over it, a politician or celebrity will find it over time just based on the availability of content.”
    “Flooding the zone with shit”, as Steve Bannon put it.

    (tags: propaganda russia tactics spam trolls troll-farms destabilization social-media)

How Tech Giants Cut Corners to Harvest Data for A.I. – The New York Times

  • How Tech Giants Cut Corners to Harvest Data for A.I. – The New York Times

    Can’t wait for all the lawsuits around this stuff.

    Meta could not match ChatGPT unless it got more data, Mr. Al-Dahle told colleagues. In March and April 2023, some of the company’s business development leaders, engineers and lawyers met nearly daily to tackle the problem. [….] They also talked about how they had summarized books, essays and other works from the internet without permission and discussed sucking up more, even if that meant facing lawsuits. One lawyer warned of “ethical” concerns around taking intellectual property from artists but was met with silence, according to the recordings.

    (tags: ai copyright data training openai meta google privacy surveillance data-protection ip)

Python Mutable Defaults Are The Source of All Evil

CISA report on the Storm-0558 2023 intrusion into Microsoft Exchange Online

  • CISA report on the Storm-0558 2023 intrusion into Microsoft Exchange Online

    Jesus this is rough!

    In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon. Signing keys, used for secure authentication into remote systems, are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain. A single key’s reach can be enormous, and in this case the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key. […] The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on: 1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed; 2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed; 3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not; 4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021; 5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction; 6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and 7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency. Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.
    (via Graham on ITC Slack)

    (tags: cisa reports security infosec microsoft exchange china storm-0558 hacking incidents)

How to set up a Zappi to avoid draining solar batteries

  • How to set up a Zappi to avoid draining solar batteries

    This has been an issue with my solar PV setup; I have a Zappi car charger, feeding from either the grid, solar PV, or a 5kW battery charged from solar. During the daytime, I normally want it to only draw power from the solar PV — I want to save the battery for normal household usage instead of “wasting” it on the car, which can be charged more cheaply at night. This suggestion from the MyEnergi support site details what sounds like a fairly easy way to get this working, by only charging the car when the PV is feeding excess energy back to the grid. This should only happen once either the batteries are full, or there’s more power being generated than can safely be used to charge the batteries (since there’s a limited input power rate for charging those). If this doesn’t work, I have a work-in-progress HomeAssistant script which I’ve been working on, but it’s significantly more complex with many more moving parts, so hopefully can be avoided.

    (tags: solar-pv sustainability home zappi power hacks automation)

‘The machine did it coldly’: Israel used AI to identify 37,000 Hamas targets

OPS-SAT DOOM

  • OPS-SAT DOOM

    DOOM is now running IN SPACE, onboard the ESA OPS-SAT satellite. “How We Got Here — A vision brewing for 13 years: 2011: Georges [Labreche] stumbles on what would become his favorite SMBC comic, thank you Zach! 2020: Georges joins the OPS-SAT-1 mission control team as a Spacecraft Operations Engineer at the European Space Agency (ESA). Visions of running DOOM on a space computer intensifies. 2023: The reality of a 2024 end-of-mission by atmospheric re-entry starts to hit hard. The spacecraft’s impending doom (see what I did there?) is a wake-up call to get serious about running DOOM in space before it’s too late. 2024: Georges has been asking around for help with compiling and deploying DOOM for the spacecraft’s ARM32 onboard computer but isn’t making progress. One night, instead of sleeping, he is trapped doomscrolling (ha!) on Instagram and stumbles on a reel from Ólafur [Waage]’s “Doom on GitHub Actions” talk at NDC TechTown 2023: Playing Video Games One Frame at a Time. After sliding into the DM, the rest is history.”

    (tags: esa ops-sat-1 doom space hacks via:freqout)

Everything I know about the XZ backdoor

  • Everything I know about the XZ backdoor

    This has been the most exciting security event in years. The xz compression library was compromised, in a very specific and careful way, involving years of a “long game”, seemingly to allow remote code execution via crafted public key material, to the OpenSSH sshd: “It is a RCE backdoor, where sshd is used as the first step: It listens for connections, and when so patched, invokes the malignant liblzma, which in turn executes a stage 2 that finally executes the payload which is provided to sshd in a part of the encrypted public key given to it as the credential (which doesn’t need to be authentic to be harmful).” (gentoo bug 928134) More info: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 I hope this drives less use of complex transitive dependency chains in security critical software like OpenSSH. Careful “vendoring” of libraries, and an overall reduction of library code (djb-style!) would help avoid this kind of attack…. if it’s ever really possible to avoid this kind of state-level attack sophistication. I have to send my sympathies to Lasse Collin, the original maintainer of xz-utils, who it appears was conned into passing control to an attacker intent on subverting the lib in order to plant the backdoor. Not a fun spot to be in.

    (tags: oss open-source security openssh ssh xz backdoors rce lzma transitive-dependencies)

Ribbon filter: Practically smaller than Bloom and Xor

  • Ribbon filter: Practically smaller than Bloom and Xor

    Building on some prior lines of research, the Ribbon filter combines a simplified, faster, and more flexible construction algorithm; a data layout optimized for filter queries; and near-continuous configurability to make a practical alternative to static (immutable) Bloom filters. While well-engineered Bloom filters are extremely fast, they use roughly 50 percent more space (overhead) than the information-theoretic lower bound for filters on arbitrary keys. When Bloom filters cannot meet an application’s space efficiency targets, Ribbon filter variants dominate in space-versus-time trade-offs with near continuous configurability and space overhead as low as 1 percent or less. Ribbon filters have O(1) query times and save roughly 1/3 of memory compared with Bloom filters. At Facebook’s scale, we expect Ribbon filters to save several percent of RAM resources, with a tiny increase in CPU usage for some major storage systems. However, we do not implement efficiency gains at all engineering costs, so it’s also important to have a user-friendly data structure. This issue stalled implementation of other Bloom alternatives offering some space savings. The Ribbon filter opens these new trade-offs without introducing notable discontinuities or hazards in the configuration space. In other words, there is some complexity to make Ribbon filters general and highly configurable, but these details can be hidden behind a relatively simple API. You have essentially free choice over any three of the four core performance dimensions — number of keys added to the set, memory usage, CPU efficiency, and accuracy — and the accuracy is automatically well optimized.
    (via Tony Finch)

    (tags: via:fanf algorithms facebook programming ribbon-filters data-structures bloom-filters set-membership papers)

Deep dive into Facebook’s MITM hacking of customer phones

  • Deep dive into Facebook’s MITM hacking of customer phones

    This is frankly disgusting, and I hope FB (and their engineers) get the book thrown at them. Back in 2019, Facebook wanted to snoop on SnapChat, YouTube and Amazon user activity, so they used Onavo, a VPN provider they had acquired in 2013, and added code to their Android VPN app to MITM user SSL traffic to their hosts, then phone home with analytics and logs regarding user activity on those apps and sites. This Twitter thread is a detailed teardown of what the surveillance “VPN” app got up to. The bad news: back in 2019, installing a MITM SSL cert didn’t even pop up a warning on Android. The good news: this is significantly harder to do on modern Android devices, as it requires remounting a system filesystem in read/write mode (which needs a jailbreak).

    (tags: android security mitm exploits hacking facebook onavo snapchat surveillance youtube amazon vpns ssl tls)

Nutrition Science’s Most Preposterous Result

  • Nutrition Science’s Most Preposterous Result

    This is hilarious: “Back in 2018, a Harvard doctoral student … was presenting his research on the relationship between dairy foods and chronic disease to his thesis committee. One of his studies had led him to an unusual conclusion: Among diabetics, eating half a cup of ice cream a day was associated with a lower risk of heart problems.” Of course, suggesting that a dessert loaded with sugar and saturated fat might be good for you was anathema. This paper wasn’t the first to uncover the awkward fact — there had been decades of research attempting to p-hack around it, but with a lack of success:

    The Harvard researchers didn’t like the ice-cream finding: It seemed wrong. But the same paper had given them another result that they liked much better. The team was going all in on yogurt. With a growing reputation as a boon for microbiomes, yogurt was the anti-ice-cream—the healthy person’s dairy treat. “Higher intake of yogurt is associated with a reduced risk” of type 2 diabetes, “whereas other dairy foods and consumption of total dairy are not,” the 2014 paper said. “The conclusions weren’t exactly accurately written,” acknowledged Dariush Mozaffarian, the dean of policy at Tufts’s nutrition school and a co-author of the paper, when he revisited the data with me in an interview. “Saying no foods were associated—ice cream was associated.”

    (tags: p-hacking research ice-cream diabetes health fat sugar diet nutrition)

Rediscovering Things of Science

  • Rediscovering Things of Science

    A page celebrating “Things of Science”, a fantastic hands-on educational program for budding scientists in the 1960s, which came as a series of individual kits, each focusing on a specific topic. I was lucky enough to have been gifted a (second-hand, though barely used) set of Geoffrey Young’s kits during my childhood in the late 1970s, and this brings back memories…

    (tags: science education things-of-science kits ace)

Unpatchable vulnerability in Apple chip leaks secret encryption keys

  • Unpatchable vulnerability in Apple chip leaks secret encryption keys

    Prefetchers are crazy.

    Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The [Data Memory-dependent Prefetcher in M chips] is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it’s actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels. Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value “looks like” an address, and brings the data from this “address” into the cache, which leaks the “address.” We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.
    (via Mike)

    (tags: via:mike prefetchers dmp apple encryption side-channel-attacks cache)

Retailles d’Hosties

  • Retailles d’Hosties

    Absolutely fantastic snack trivia! It seems the ever-sacrilege-loving Quebecois have turned leftover bits of unconsecrated communion wafers into “retailles d’hosties”, or “host cuttings” — a bag of snackable fragments:

    Unsurprisingly, not everyone is a fan of host cuttings. “People are snacking on hosts and host pieces like it’s candy,” one former Catholic missionary complained to the Globe and Mail. “They’re not distinguishing between the body of Christ and something you nibble on at home.”

    (tags: funny catholicism jesus-christ snacks body-of-christ nom quebec)

Fairly Trained

  • Fairly Trained

    Now *this* makes a lot of sense:

    There is a divide emerging between two types of generative AI companies: those who get the consent of training data providers, and those who don’t, claiming they have no legal obligation to do so. We believe there are many consumers and companies who would prefer to work with generative AI companies who train on data provided with the consent of its creators. Fairly Trained exists to make it clear which companies take a more consent-based approach to training, and are therefore treating creators more fairly.

    (tags: ai gen-ai training ml data consent)

What Is A Single-page Application?: HeydonWorks

  • What Is A Single-page Application?: HeydonWorks

    Entertaining rant on the state of web dev nowadays:

    You can’t create a complex modern web application like Google Mail without JavaScript and a SPA architecture. Google Mail is a webmail client and webmail clients existed some time before JavaScript became the language it is today or frameworks like Angular JS or Angular BS existed. However, you cannot create a complex modern web application like Google Mail without JavaScript. Google Mail itself offers a basic HTML version that works perfectly well without JavaScript of any form—let alone a 300KB bundle. But, still, you cannot create a complex modern web application like Google Mail without JavaScript. Just keep saying that. Keep repeating that line in perpetuity. Keep adding more and more JavaScript and calling it good. Incidentally, you do not need to create a complex modern web application like Google Mail with JavaScript or otherwise because it already f**king exists.

    (tags: blog javascript webdev web spa webapps funny rants)

Impacts of active travel interventions on travel behaviour and health: Results from a five-year longitudinal travel survey in Outer London – ScienceDirect

Microplastics found to increase risk of serious outcomes for heart patients

  • Microplastics found to increase risk of serious outcomes for heart patients

    This sounds like a pretty serious issue — “from a prospective study in today’s New England Journal of Medicine: among 257 patients undergoing a surgical carotid endarterectomy procedure (taking out atherosclerotic plaque) with complete follow-up, 58% had microplastics and nanoplastics (MNPs) in their plaque and their presence was linked to a subsequent 4.5 -fold increase of the composite of all-cause mortality, heart attack and stroke […] during 34 month follow-up. [….] The new study takes the worry about micronanoplastics to a new level—getting into our arteries and exacerbating the process of atherosclerosis, the leading global killer— and demands urgent attention.” (via Eric Topol)

    (tags: microplastics plastic sustainability health medicine atherosclerosis papers via:eric-topol)

Ubicloud

  • Ubicloud

    “Open and portable cloud” — an interesting idea:

    Ubicloud provides cloud services on bare metal providers, such as Hetzner, OVH, or AWS Bare Metal. Public cloud providers like AWS, Azure, and Google Cloud made life easier for start-ups and enterprises. But they are closed source, have you rent computers at a huge premium, and lock you in. Ubicloud offers an open alternative, reduces your costs, and returns control of your infrastructure back to you. All without sacrificing the cloud’s convenience.
    Currently supports compute VMs and managed PostgresSQL; no S3-alike service (yet). From the team behind Citus Data, the Postgres scaling product.

    (tags: ubicloud cloud hosting vms ops postgres)

Italy’s “Piracy Shield” blocked Cloudflare

  • Italy’s “Piracy Shield” blocked Cloudflare

    Italy recently installed the AGCOM “anti-pezotto” system — a web filtering system for the entire country, to block piracy. After only a few weeks, it suffered its first major false positive by blocking a Cloudflare IP: “Around 16:13 on Saturday, an IP address within Cloudflare’s AS13335, which currently accounts for 42,243,794 domains according to IPInfo, was targeted for blocking.” The false positive block lasted for 5 hours before being quietly reverted: “Around five hours after the blockade was put in place, reports suggest that the order compelling ISPs to block Cloudflare simply vanished from the Piracy Shield system.” Cloudflare have written about the risk of false positives from IP blocking in the past: https://blog.cloudflare.com/consequences-of-ip-blocking/

    (tags: cloudflare ip-blocks blocking piracy anti-pezzoto agcom fail filtering false-positives networking)

Answers for AWS survey results for 2024

  • Answers for AWS survey results for 2024

    This is actually really useful data about which AWS services are good and which ones suck, as of right now. Some highlights: – Simple Queue Service (SQS) is the most loved AWS service with an overall positive/negative split of 98% [SNS also scoring very well]. – GitHub Actions wins every metric in the CI/CD category. – OpenAI has taken the top usage spot away from Amazon Sagemaker in the AI & Machine Learning category [no surprises there]. – ECS continues its reign as the most used container service. – DynamoDB’s dominance over the NoSQL DBs continues for the second year running. – The most polarizing service is CloudFormation – 30% would not use it ever again, while 56% would.

    (tags: aws services ops infrastructure architecture sqs sns dynamodb github-actions ecs via:lastweekinaws)