Estonia sues Gemalto for 152 mln euros over ID card flaws
Estonia’s Police and Border Guard Board (PPA) said in a statement Gemalto had created private key codes for individual cards, leaving the government IDs vulnerable to external cyber attack, rather than embedding it on the card’s chip as promised. “It turned out that our partner had violated this principle for years, and we see this as a very serious breach of contract,” PPA’s deputy director-general Krista Aas said in the statement.
If true, this is a big problem…
(tags: gemalto fail security smartcards estonia chip-cards)
Defcon Voting Village report: Bug in one system could “flip Electoral College” | Ars Technica
ES&S strike again:
Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the authors of the report warned. The machine in question, the ES&S M650, is used for counting both regular and absentee ballots. The device from Election Systems & Software of Omaha, Nebraska, is essentially a networked high-speed scanner like those used for scanning standardized-test sheets, usually run on a network at the county clerk’s office. Based on the QNX 4.2 operating system—a real-time operating system developed and marketed by BlackBerry, currently up to version 7.0—the M650 uses Iomega Zip drives to move election data to and from a Windows-based management system. It also stores results on a 128-megabyte SanDisk Flash storage device directly mounted on the system board. The results of tabulation are output as printed reports on an attached pin-feed printer. The report authors—Matt Blaze of the University of Pennsylvania, Jake Braun of the University of Chicago, David Jefferson of the Verified Voting Foundation, Harri Hursti and Margaret MacAlpine of Nordic Innovation Labs, and DEF CON founder Jeff Moss—documented dozens of other severe vulnerabilities found in voting systems. They found that four major areas of “grave and undeniable” concern need to be addressed urgently. 
One of the most critical is the lack of any sort of supply-chain security for voting machines—there is no way to test the machines to see if they are trustworthy or if their components have been modified.
(tags: fail security evoting vote-tabulation us-politics voting-machines)
How Triplebyte solved its office Wi-Fi problems
This is good general wi-fi infrastructure advice for home use too
randomised prefixes in S3 are no longer necessary to improve performance
This S3 request rate performance increase removes any previous guidance to randomize object prefixes to achieve faster performance. That means you can now use logical or sequential naming patterns in S3 object naming without any performance implications.
Having said that, it sounds like they may still help to a degree anyway.
(tags: s3 coding architecture aws tips)
Do not fall into Oracle’s Java 11 trap
The key part of the terms is as follows:
You may not: use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application;
The trap is as follows:
- Download Oracle JDK (because that is what you’ve always done, and it is what the web-search tells you);
- Use it in production (because you didn’t realise the license changed);
- Get a nasty phone call from Oracle’s license enforcement teams demanding lots of money
In other words, Oracle can rely on inertia from Java developers to cause them to download the wrong (commercial) release of Java. Unless you read the text/warnings/legalese very carefully you might not even realise Oracle JDK is now commercial, and that you are therefore liable to pay Oracle for Java.
(tags: java licensing openjdk open-source oracle software jdk jre)
-
lots of nice graphs and dataviz around Dublin Bikes usage
Common Cyborg | Jillian Weise | Granta
Fantastic essay:
When I tell people I am a cyborg, they often ask if I have read Donna Haraway’s ‘A Cyborg Manifesto’. Of course I have read it. And I disagree with it. The manifesto, published in 1985, promised a cyberfeminist resistance. The resistance would be networked and coded by women and for women to change the course of history and derange sexism beyond recognition. Technology would un-gender us. Instead, it has been so effective at erasing disabled women that even now, in conversation with many feminists, I am no longer surprised that disability does not figure into their notions of bodies and embodiment. Haraway’s manifesto lays claim to cyborgs (‘we are all cyborgs’) and defines the cyborg unilaterally through metaphor. To Haraway, the cyborg is a matter of fiction, a struggle over life and death, a modern war orgy, a map, a condensed image, a creature without gender. The manifesto coopts cyborg identity while eliminating reference to disabled people on which the notion of the cyborg is premised. Disabled people who use tech to live are cyborgs. Our lives are not metaphors.
(Via Tony Finch)
(tags: via:dotat cyborg technology feminism essay disability tech jillian-weise granta)
25 Years of WIRED Predictions: Why the Future Never Arrives
These early views of the sharing economy were accurate depictions of the moment, but poor visions of the future. Within a few short years, many of those Uber drivers would be stuck paying off their cars in sub-minimum-wage jobs with no benefits. What began as an earnest insight about bits and atoms quickly turned into an arbitrage opportunity for venture capitalists eager to undercut large, lucrative markets by skirting regulations. To meet the growth and monetization demands of investors, yesterday’s sharing economy became today’s gig economy.
(tags: advertising future technology futurism predictions wired web2.0 history 1990s 2000s)
Customer Service Data Vulnerability, Intercom [Fixed]
good demo of the danger of unrestricted API keys
(tags: api-keys security intercom fail dropmobility web apis)
Peter Flynn caused the first 404
Now that’s a great bit of web trivia :) “[UCC’s] first webmaster was the first person to ever break a link on the web, when he moved the location of a webpage on UCC’s servers without telling TimBL. Such a change resulted in the need to error-handle such an occurrence, and the 404 was born”
(tags: 404 history http web peter-flynn ucc irish-web trivia)
Credit reference agency Equifax fined for security breach
The ICO fines Equifax £500K, the maximum amount possible under the old Data Protection Act (via Privacy Kit)
(tags: via:privacy-kit ico equifax privacy data-protection uk penalties law)
Muting some magic keywords fixes the Twitter timeline
Apparently, turning off some of the shittier recent features:
Muting suggest_recycled_tweet_inline and suggest_activity_tweet actually has fixed my timeline. It’s all chronological and there are barely any “x and y liked” tweets.
(tags: twitter feature-creep muting hacks)
-
TIL! In other words spelling identifiers-like-this, Lisp style
(tags: kebab-case case lisp identifiers coding terminology)
Cindy Sridharan on Twitter: NanoLog by Ousterhout et al.
– just formatting a log typically takes on the order of 1µs!
– nanolog achieves high throughput by shifting work out of runtime hot path into compilation + post-execution phases
Basically records symbolic form of logs, and uses a post-processor after the fact to generate readable text.
(tags: logging ops coding performance)
Surprisingly Little Evidence for the Accepted Wisdom About Teeth – The New York Times
Turns out there is little evidence for many dental practices:
A systematic review in 2011 concluded that, in adults, toothbrushing with flossing versus toothbrushing alone most likely reduced gingivitis, or inflammation of the gums. But there was really weak evidence that it reduced plaque in the short term. There was no evidence that it reduced cavities. That’s pretty much what we learned recently.
(tags: teeth dentistry dental health medicine statistics science)
Google spent $60 million on building Content ID
That’s how much it costs to build a not-particularly-accurate UGC copyright filter:
Google’s new report takes aim at this claim. It asserts that Content ID is a highly effective solution, with over 98 percent of copyright management on YouTube happening through Content ID, and just 2 percent coming from humans filing copyright removal notices. Google also says the music industry opts to monetize more than 95 percent of its copyright claims, meaning they leave the videos up on the service. It claims a whopping half of the music industry’s YouTube revenue comes from fan content — covers, remixes, dance versions, etc. — claimed via Content ID. The report also puts a hard figure on how much Google has spent so far on Content ID: $60 million.
(tags: filtering copyright eu article-13 copyfight content-id google web ugc)
-
Very interesting! This paper and the one at https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0126438 discuss the increasing evidence that some kinds of IBS may be caused by post-infection autoimmune activity triggered by a gastroenteritis infection — this matches the thing which put me on a restricted diet a few years ago.
(tags: digestion ibs medicine health diet fodmap gastroenteritis papers)
-
Five or six years ago, around the time most people seemed to be spending almost all of their time on the internet, I began to notice a particular kind of online phenomenon, one that I did not have a terminology for. I started to call these moments “artefacts”, borrowing a term from photography that describes the machine-created distortions and ghosts that corrupt digital imagery. “An unintended alteration in data” is one definition, but this new kind of “artefact” was expanding beyond sporadic instances and becoming a persistent sub-theme in discourse at large. The result was a type of semiotic collapse, one that first found its fullest expression in the absurdity of the 2016 presidential campaign, when news stories fabricated in Macedonia found a wider reach than The Washington Post. Countermeasures to interference in the coming 2018 congressional election look ineffectual, perhaps deliberately so.
The British Airways Breach: How Magecart Claimed 380,000 Victims
very detailed and pretty fiendish
(tags: analysis security attacks magecart british-airways web javascript)
UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm
The authenticity of the data stored in India’s controversial Aadhaar identity database, which contains the biometrics and personal information of over 1 billion Indians, has been compromised by a software patch that disables critical security features of the software used to enrol new Aadhaar users, a three month-long investigation by HuffPost India reveals. The patch—freely available for as little as Rs 2,500 (around $35)—allows unauthorised persons, based anywhere in the world, to generate Aadhaar numbers at will, and is still in widespread use. This has significant implications for national security at a time when the Indian government has sought to make Aadhaar numbers the gold standard for citizen identification, and mandatory for everything from using a mobile phone to accessing a bank account.
(tags: security aadhaar identity india privacy databases data-privacy)
Troy Hunt: The Effectiveness of Publicly Shaming Bad Security
Now I don’t know how much of this change was due to my public shaming of their security posture, maybe they were going to get their act together afterward anyway. Who knows. However, what I do know for sure is that I got this DM from someone not long after that post got media attention (reproduced with their permission):
Hi Troy, I just want to say thanks for your blog post on the Natwest HTTPS issue you found that the BBC picked up on. I head up the SEO team at a Media agency for a different bank and was hitting my head against a wall trying to communicate this exact thing to them after they too had a non secure public site separate from their online banking. The quote the BBC must have asked from them prompted the change to happen overnight, something their WebDev team assured me would cost hundreds of thousands of pounds and at least a year to implement! I was hitting my head against the desk for 6 months before that so a virtual handshake of thanks from my behalf! Thanks!
(tags: business internet security social-media shame troy-hunt bad-press spin shaming)
Software as Craft: software delivery and open source in a Cloud & Enterprise world
Niall Murphy sends this on:
Microsoft is very pleased to welcome Maggie Pint and Dr. Nicole Forsgren to our new campus, to talk about open source and the deep connections between how software is written, and how successful it is. For those of you who are not aware, Maggie Pint is a software engineering lead in Azure’s Production Infrastructure Engineering (PIE) organization. Maggie’s team works on improving the engineering systems experience for Microsoft’s web-focused developers. She co-ordinates open source and inner source education and execution through Azure PIE. Outside of her day job, Maggie maintains the popular Moment.js JavaScript library, and is the JS Foundation’s delegate to TC39, the standards committee for JavaScript. She is passionate about dogs, coffee, the JavaScript language, and helping others live open source values in their day-to-day work. Dr. Nicole Forsgren is the co-founder and Chief Scientist of the DevOps Research and Assessment joint venture with Jez Humble and Gene Kim, also well-known leaders in the DevOps community. She is best known as a co-author of Accelerate: The Science of Lean Software and DevOps and lead investigator for the largest-scale DevOps studies undertaken to date. She is also member of the ACM Queue editorial board, a research affiliate for a number of universities, and earned her PhD in Management Information Systems from the University of Arizona. This event comprises two public technical talks, with an intended audience of a few hundred software and systems professionals, including technical managers and SREs.
(tags: software coding open-source microsoft maggie-pint nicole-forsgren azure)
gRPC On HTTP/2: Engineering A Robust, High Performance Protocol
Decent writeup on how gRPC uses HTTP/2 efficiently
‘The Internet of Garbage’ by Sarah Jeong
Sarah Jeong’s 2015 book is now free: ‘I think The Internet of Garbage still provides a useful framework to begin to talk about our new dystopia, and it continues to be surprisingly relevant in many ways. But I wrote the book with a tone of optimism I did not feel even at the time, hoping that by reaching the well-meaning policy teams across Silicon Valley, I might be able to spark change for the better. Not only did that change never quite solidify, but the coordinated, orchestrated harassment campaigns of Gamergate that I very briefly touch on in Chapter Two have since overtaken our national political and cultural conversations. These twisted knots of lies, deflection, and rage are not just some weird and terrible online garbage. They shadow executive orders, court rulings, even the newly appointed judiciary. They will haunt us for years to come. We are all victims of fraud in the marketplace of ideas. I hope that in the very near future, I will be putting out a second edition of The Internet of Garbage. In that future edition, I hope to grapple with advertising incentives, engagement traps, international propaganda wars, the American crisis in free speech coinciding with the rise of platform power, and search engine optimization as the new paradigm of speech. In the meantime, I am putting out The Internet of Garbage 1.5 as an interim edition. I wish it were more helpful in our present reality. But as imperfect a tool as it is, I figure we all need as much help as we can get.’
(tags: dystopia fake-news internet spam harrassment abuse twitter gamergate politics books free to-read)
-
cOAlition S signals the commitment to implement, by 1 January 2020, the necessary measures to fulfil its main principle: “By 2020 scientific publications that result from research funded by public grants provided by participating national and European research councils and funding bodies, must be published in compliant Open Access Journals or on compliant Open Access Platforms.” The 11 national research funding organisations that form cOAlition S have agreed to implement the 10 principles of Plan S in a coordinated way, together with the European Commission including the ERC. Other research funders from across the world, both public and private, are invited to join cOAlition S.
I am extremely happy to see SFI on this list! (Via Cathal Garvey)
(tags: sfi ireland funding science open-access open papers journals via:cathalgarvey)
Mastodon and the challenges of abuse in a federated system
Similar to this thread by CJ Silverio, I’m not thinking about this in terms of whether Wil Wheaton or his detractors were right or wrong. Rather, I’m thinking about how this incident demonstrates that a large-scale harassment attack by motivated actors is not only possible in the fediverse, but is arguably easier than in a centralized system like Twitter or Facebook, where automated tools can help moderators to catch dogpiling as it happens. As someone who both administrates and moderates Mastodon instances, and who believes in Mastodon’s mission to make social media a more pleasant and human-centric place, this post is my attempt to define the attack vector and propose strategies to prevent it in the future.
(tags: mastodon abuse twitter wilw harassment moderation)
Biohackers Encoded Malware in a Strand of DNA
a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.
(tags: hacking malware security sequencing genome biohacking dna)
-
Training an MT model without access to any translation resources at training time (known as unsupervised translation) was the necessary next step. Research we are presenting at EMNLP 2018 outlines our recent accomplishments with that task. Our new approach provides a dramatic improvement over previous state-of-the-art unsupervised approaches and is equivalent to supervised approaches trained with nearly 100,000 reference translations. To give some idea of the level of advancement, an improvement of 1 BLEU point (a common metric for judging the accuracy of MT) is considered a remarkable achievement in this field; our methods showed an improvement of more than 10 BLEU points. This is an important finding for MT in general and especially for the majority of the 6,500 languages in the world for which the pool of available translation training resources is either nonexistent or so small that it cannot be used with existing systems. For low-resource languages, there is now a way to learn to translate between, say, Urdu and English by having access only to text in English and completely unrelated text in Urdu – without having any of the respective translations.
(tags: unsupervised-learning ml machine-learning ai translation facebook)
-
scenes from London transit infrastructure. There’s a fantastic 1960s vibe off these
(tags: london tube public-transport prints art gail-brodholt via:mltshp)
This Music Theory Professor Just Showed How Stupid and Broken Copyright Filters Are – Motherboard
Kaiser then decided to test Google’s system more fully. He opened a new YouTube account named Labeltest, and began sharing additional examples of copyright-free music. “I quickly received Content ID notifications for copyright-free music by Bartok, Schubert, Puccini, and Wagner,” Kaiser said. “Again and again, YouTube told me that I was violating the copyright of these long-dead composers, despite all of my uploads existing in the public domain.” Google’s Content ID is the result of more than $100 million in investment funds and countless development hours. Yet Kaiser found the system was largely incapable of differentiating between copyrighted music and content in the public domain. And the appeals process that Google has erected to tackle these false claims wasn’t any better.
(tags: content-id copyright copyright-filtering youtube fail google public-domain ip music filtering bartok schubert wagner puccini)
Google Online Security Blog: Introducing the Tink cryptographic software library
Tink aims to provide cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Tink is built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, but includes countermeasures to many weaknesses in these libraries, which were discovered by Project Wycheproof, another project from our team. With Tink, many common cryptographic operations such as data encryption, digital signatures, etc. can be done with only a few lines of code.
Yahoo! are scanning your email contents and selling data to advertisers
For example: Amazon will no longer mail full receipt text as advertisers were believed to be extracting it
How network clients need to participate in fault tolerance
Top tips on best practices here:
Colm’s thread on shuffle sharding reminded me of how important it is that clients participate in fault tolerance, and how frustrated I get when a client library *doesn’t* do this by default in my application. Let’s talk about some best practices!
Bottom line: use Hystrix :)
(tags: retries fault-tolerance networking tcp http exponential-backoff ip)
Surgical team collaborates with McLaren F1 to improve processes
On the screen was a motor racing grand prix and, as they watched, the two men became aware of the similarities between the handover disciplines from theatre to intensive care and what they were seeing in the pit of a Formula One racing team. From that moment began a collaboration between the leaders of Great Ormond Street’s surgical and intensive care units, first with the McLaren F1 racing team and then with Ferrari’s team chief Jan Todt, technical guru Ross Brawn and, in particular, race technical director Nigel Stepney. They worked together at their home base in Modena, Italy, in the pits of the British Grand Prix and in the Great Ormond Street theatre and intensive care ward. The major restructuring of the patient handover procedure, resulting directly from the input of the F1 pit technicians, will soon be described in two scientific publications. “It is not too early to say that, when we look at the number of critical instances we encounter, they have reduced markedly since we introduced the modified training protocol developed from what we have learned from Formula 1,” said Prof Elliott. The single A4 sheet of paper, which contained the flow diagram of Ferrari’s pit procedure, became several pages of twice that size when Mr Stepney and his colleagues at Ferrari were confronted with the critical transfer from operating theatre to recovery room at Great Ormond Street.
(tags: collaboration cross-discipline surgery formula-1 mclaren pitstops cardiac)
Fixing Slow Macbook WIFI Reconnect after sleep – airbag moments
A command line hack to fix the common Macbook wifi problem where wifi won’t reconnect after opening the lid without a manual reconnect
-
Or as jwz put it, a brief history of generative art
(tags: art generative-art computer-art algorithms graphics via:jwz)
Russian Trolls Used Vaccine Debate to Sow Discord, Study Finds – The New York Times
But instead of picking a side, researchers said, the trolls and bots they programmed hurled insults at both pro- and anti-vaccine advocates. Their only intent, the study concluded, seemed to be to raise the level of hostility. “You see this pattern,” said David A. Broniatowski, a computer engineer at George Washington University and lead author of the study, which was published Thursday in the American Journal of Public Health. “On guns, or race, these accounts take opposite sides in lots of debates. They’re about sowing discord.”
So the Russian strategy is basically more of a “Hail Eris” than a “Hail Mary”?
spotify/dockerfile-maven: A set of Maven tools for dealing with Dockerfiles
‘a Maven plugin and extension which help to seamlessly integrate Docker with Maven. The design goals are:
- Don’t try to do anything fancy. Dockerfiles are how you build Docker projects; that’s what this plugin uses. They are mandatory.
- Make the Docker build process integrate with the Maven build process. If you bind the default phases, when you type mvn package, you get a Docker image. When you type mvn deploy, your image gets pushed.
- Make the goals remember what you are doing. You can type mvn dockerfile:build and later mvn dockerfile:tag and later mvn dockerfile:push without problems. This also eliminates the need for something like mvn dockerfile:build -DalsoPush; instead you can just say mvn dockerfile:build dockerfile:push.
- Integrate with the Maven build reactor. You can depend on the Docker image of one project in another project, and Maven will build the projects in the correct order. This is useful when you want to run integration tests involving multiple services.’
Looks very nice and well-run — shame it’s Maven instead of Gradle…
One in five genetics papers contains errors thanks to Microsoft Excel | Science | AAAS
‘Autoformatting in Microsoft Excel has caused many a headache — but now, a new study shows that one in five genetics papers in top scientific journals contains errors from the program, The Washington Post reports. The errors often arose when gene names in a spreadsheet were automatically changed to calendar dates or numerical values.’
(tags: science microsoft excel spreadsheets autoformatting clippy fail papers genetics)
Filter before you parse: faster analytics on raw data with Sparser
Super fast JSON parsing. Has some interesting similarities to some code I wrote in SpamAssassin, as it turns out!
(tags: json parsing performance coding algorithms)
I came across this cocktail in Pals, in Catalonia, in 30 degree heat, a few weeks back — I saw it on the menu at the cafe in the square of the old town, and had to give it a go. It’s incredible. Basically, it’s lager mixed with a lemon granita — like a beer slushy. Nothing is better at thirst quenching on a hot day, and best of all it’s quite low in alcohol so no worries about lorrying into it during the daytime :)
This year at Groovefest, our yearly get together/mini-festival, I got to serve up a few, with great results — they were quite popular. So here’s the recipe!
First off, a day or two in advance, make a batch of lemon granita. I based mine on this recipe which I’ll copy here just in case the original goes away:
Lemon Granita
Serves: about 8
Ingredients:
- 3-4 lemons
- 1L water
- 150g of sugar
Method:
Zest the lemons and set the zest aside. Juice the lemons until you have 150ml juice (you may not need all of them).
Add the water and sugar to a large pan and bring to the boil. Reduce to a simmer and cook for 2 minutes, stirring to dissolve the sugar.
Add the lemon juice and zest, remove from the heat and cover. Set aside to cool for 20 minutes.
Strain the mixture into 2 containers that will fit in your freezer and leave to cool to room temperature.
Freeze until the mixture is partially frozen, which should take several hours. (I just left them overnight)
Remove the granita from the freezer and leave at room temperature until you can break it into chunks with a large spoon or fork.
Either transfer to a blender or food processor and blitz, or break it up with a fork. It doesn’t need to be perfectly smooth and snowy — a slushy texture is just right for this drink.
Store in the freezer. Take out 30 minutes before serving and break it up again with a fork.
Clara Con Limón Granizado
To serve: half-fill a half-pint glass with the lemon granita. Pour the beer on top to fill the glass. Stir once or twice to mix. Enjoy!
PS: I think — not sure as my Catalan is pretty terrible — it may be a clara granitzada in Catalonia…
The BARR-C:2018 Embedded C Coding Standard
‘Barr Group’s Embedded C Coding Standard was developed to minimize bugs in firmware by focusing on practical rules that keep bugs out–while also improving the maintainability and portability of embedded software. The coding standard details a set of guiding principles as well as specific naming conventions and other rules for the use of data types, functions, preprocessor macros, variables and much more. Individual rules that have been demonstrated to reduce or eliminate certain types of bugs are highlighted. In this latest version, BARR-C:2018, the stylistic coding rules have been fully harmonized with MISRA C: 2012, while helping embedded system designers reduce defects in firmware written in C and C++.’
Nosferatu is only viewable today due to piracy
‘In 1922 a German court ordered all prints and negatives of Nosferatu destroyed following a copyright dispute with the widow of Bram Stoker. The film only exists today because of piracy. One copy survived and somehow found its way to America, where Dracula was already in the public domain. That’s it. That’s the only reason you’ve ever seen the granddaddy of all horror movies.’
(tags: dracula bram-stoker nosferatu piracy licensing movies history)
Anatomy of a tabloid Fortnite front page story
Interesting writeup of how the UK tabloids concoct their scare stories, rustling up “victims” and paying them and their agents fees of thousands of pounds
(tags: fortnite pokemon-go gaming tabloids uk newspapers truth the-sun games)
Hacker Finds Hidden ‘God Mode’ on Old VIA C3 x86 CPUs
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents. He found one — US8341419 — that mentioned jumping from ring 3 to ring 0 and protecting the machine from exploits of model-specific registers (MSRs), manufacturer-created commands that are often limited to certain chipsets. Domas followed the “trail of breadcrumbs,” as he put it, from one patent to another and figured out that certain VIA chipsets were covered by the patents. Then he collected many old VIA C3 machines and spent weeks fuzzing code. He even built a testing rig consisting of seven Nehemiah-based thin clients hooked up to a power relay that would power-cycle the machines every couple of minutes, because his fuzzing attempts would usually crash the systems. After three weeks, he had 15 GB of log data — and the instructions to flip on the backdoor in the hidden RISC chip.
(via Nelson)
How I gained commit access to Homebrew in 30 minutes
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses? This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.
-
Galway-based refurb phone retailer, recommended by co-worker Ciaran where he picked up his Pixel
-
“rsync for cloud storage” – Google Drive, Amazon Drive, S3, Dropbox, Backblaze B2, One Drive, Swift, Hubic, Cloudfiles, Google Cloud Storage, Yandex Files
(tags: backup github sync cloud s3 storage rsync rclone google aws dropbox backblaze yandex onedrive)
People Think This Whole QAnon Conspiracy Theory Is A Prank On Trump Supporters
This, if true, is the most gloriously Discordian thing ever.
“Let us take for granted, for a while, that QAnon started as a prank in order to trigger right-wing weirdos and have a laugh at them. There’s no doubt it has long become something very different. At a certain level it still sounds like a prank. But who’s pulling it on whom?” they [Roberto Bui, Giovanni Cattabriga, and Federico Guglielmi] said.
(tags: q conspiracy politics trump qanon luther-blissett discordianism wu-ming funny crazy)
Why JSON isn’t a good configuration language
solid +1s on these points
(tags: json configuration languages coding formats)
-
Aerial imagery can play an important role in disaster response operations, enabling response teams to identify and prioritize hardest-hit areas, conduct damage assessments, and plan response activities. Existing tools make this relatively easy in connected environments; users can browse high-resolution satellite imagery catalogs and download the relevant imagery, and can process drone imagery using online tools. Current solutions don’t work well in disconnected environments, however. Even offline tools lack the storage space and processing power to be effective for addressing large areas. This blog post shows how rugged, portable Amazon Web Services (AWS) servers can be turned into a kit that’s mega-powerful, deployable, and purpose-built for post-disaster imagery operations. This can help humanitarians and government agencies to more accurately and efficiently conduct damage assessments and identify hardest-hit areas, potentially making a real difference in the aftermath of a natural disaster.
(tags: snowball aws humanitarian emergency-response osm openstreetmap mapping aid disasters)
Labour HQ used Facebook ads to deceive Jeremy Corbyn during election campaign | News | The Times
Campaign chiefs at Labour HQ hoodwinked their own leader because they disapproved of some of Corbyn’s left-wing messages. They convinced him they were following his campaign plans by spending just £5,000 on adverts solely designed to be seen by Corbyn, his aides and their favourite journalists, while pouring far more money into adverts with a different message for ordinary voters.
(tags: advertising politics crazy facebook jeremy-corbyn microtargeting ads uk labour-party)
15 Key Takeaways from the Serverless Talk at AWS Startup Day
Best current practices for AWS Lambda usage. (still pretty messy/hacky/Rube-Goldberg-y from the looks of it tbh)
-
niftierideology on twitter:
Haskell is very simple. Everything is composed of Functads which are themselves a Tormund of Gurmoids, usually defined over the Devons. All you have to do is stick one Devon inside a Tormund and it yields Reverse Functads (Actually Functoids) you use to generate Unbound Gurmoids.
(tags: haskell functors functads tormund-of-gurmoids jargon funny satire coding languages)
Facebook’s new rules for moderators on dealing with far-right pages are awful
This is a total shitshow. Facebook needs to sort this out, it is not remotely desirable.
Facebook: “We allow to call for the creation of white ethno-states.” In other words, Facebook is officially ok with people calling for ethnic cleansing and genocide. The time for Facebook to hire/consult with experts re: the far-right was about three or four years ago. That they now *agree* with the rationale of Alt-Reich rebranding in 2018 shows that this company is simply not fit for purpose. […] It’s quite something that Facebook’s advice to their moderators literally mirrors Nazi propaganda: “Being interested in and caring for one’s kind is not to disparage foreign peoples and races”- Nazi party pamphlet “Why the Aryan Law?” (1934)
(tags: facebook awful moderation far-right nazis fascism ethnic-cleansing genocide social-media fail)
How my research on DNA ancestry tests became “fake news”
I was not surprised to see our research twisted by fake news and satire websites. Conspiracy theories are meant to be just as entertaining as they are convincing. They also provide a way out of confronting reality and reckoning with facts that don’t confirm preexisting worldviews. For white nationalists and racists, if test results showed traces of African American or Jewish ancestry, either the tests did not work, or the results were planted by some ideologically motivated scientists, or the tests were part of a global war against whites. With conspiracy theories, debunking is rarely useful because the individual is often searching for an interpretation that confirms their prior beliefs. As such, DNA conspiracy theories allow white supremacists to plan new escape routes for the traps they laid for themselves long ago. With DNA testing, the one-drop rule—a belief made law in the 1900s that one drop of African blood makes one Black—becomes transmuted genealogically into the one-percent rule, according to which to remain racially white, an individual’s results must show no sign of African or Jewish origin. Through the genealogical lens, American white nationalists consider “one hundred percent European” as good results, which in turn substantiates their “birth right” to the United States as a marker of heredity and conquest.
(tags: racism science fake-news conspiracy genealogy dna dna-testing)
-
Second-hand CPAP machines — decent prices here, recommended by @Searcher on FP
(tags: cpap second-hand appliances)
Using Kindle Fire’s Parental Controls
time to set this up I think
(tags: kindle fire parental-controls devices kids)
The problems with DynamoDB Auto Scaling and how it might be improved
‘Based on these observations, we hypothesize that you can make two modifications to the system to improve its effectiveness: trigger scaling up after 1 threshold breach instead of 5, which is in-line with the mantra of “scale up early, scale down slowly”; trigger scaling activity based on actual request count instead of consumed capacity units, and calculate the new provisioned capacity units using actual request count as well. As part of this experiment, we also prototyped these changes (by hijacking the CloudWatch alarms) to demonstrate their improvement.’
(tags: dynamodb autoscaling ops scalability aws scaling capacity)
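To make the two proposed changes concrete, here is an added simulation, written for this page rather than taken from the post or from AWS. It replays a constructed per-minute request series against two scale-up policies: one that scales only after five consecutive breaches of a target and sizes the table from consumed capacity units, and the proposed one that scales after a single breach and sizes from the actual request count. The 70% target utilisation, the breach counts, the traffic series and the policy names are assumptions for illustration; scale-down is deliberately left out.

```python
from dataclasses import dataclass

TARGET_UTIL = 0.70   # assumed target utilisation, as a fraction of provisioned capacity


@dataclass(frozen=True)
class Policy:
    name: str
    breaches_to_scale_up: int   # consecutive minutes over target before scaling up
    size_from_requests: bool    # True: size from actual request count; False: from consumed units


# The two policies compared in the post, as assumed here.
SLOW = Policy("5-breach, consumed-units basis", breaches_to_scale_up=5, size_from_requests=False)
FAST = Policy("1-breach, request-count basis", breaches_to_scale_up=1, size_from_requests=True)

# Constructed traffic (requests per minute): quiet, then a sustained 8x spike.
TRAFFIC = [50] * 3 + [400] * 12


def simulate(policy, requests, initial_capacity):
    """Replay a per-minute request series against a scale-up policy.

    Returns (total_throttled_requests, capacity_at_start_of_each_minute).
    """
    capacity = initial_capacity
    breaches = 0
    throttled = 0
    history = []
    for demand in requests:
        consumed = min(demand, capacity)    # DynamoDB cannot consume more than is provisioned
        throttled += demand - consumed      # the rest is rejected with throttling errors
        history.append(capacity)
        breaches = breaches + 1 if consumed > TARGET_UTIL * capacity else 0
        if breaches >= policy.breaches_to_scale_up:
            # Consumed units are capped at the old capacity, so sizing from them
            # can only creep upward; the request count sees the true demand.
            basis = demand if policy.size_from_requests else consumed
            capacity = max(capacity, int(basis / TARGET_UTIL) + 1)
            breaches = 0
    return throttled, history


def compare(initial_capacity=100):
    """Run both policies over TRAFFIC and summarise the outcome."""
    out = {}
    for policy in (SLOW, FAST):
        throttled, history = simulate(policy, TRAFFIC, initial_capacity)
        out[policy.name] = {
            "throttled": throttled,
            "final_capacity": history[-1],
            "minutes_until_first_scale": next(
                (i for i, c in enumerate(history) if c > initial_capacity), None),
        }
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

With the constructed spike, the five-breach policy sized from consumed units throttles thousands of requests and is still under-provisioned after two scaling rounds, because each round can only raise capacity to roughly the previous ceiling divided by the target. The one-breach policy sized from the request count reaches adequate capacity after a single bad minute.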
Summer Fruit Shrub Recipe – NYT Cooking
as recommended by Nelson — I’ve been meaning to make one
Evolution of Application Data Caching : From RAM to SSD
Memcached provides an external storage shim called extstore, that supports storing of data on SSD (I2) and NVMe (I3). extstore is efficient in terms of cost & storage device utilization without compromising the speed and throughput. All the metadata (key & other metadata) is stored in RAM whereas the actual data is stored on flash.
(tags: memcached netflix services storage memory ssd nvme extstore caching)
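The split the quote describes, keys and metadata in RAM with values on flash, is easy to get wrong at the boundary: what stays in RAM, how the RAM side finds the bytes, and what happens when the flash copy no longer matches. The following is an added toy illustration of that layout, written for this page; it is not memcached’s extstore code. It keeps a dict of key to (offset, length, checksum) in memory, appends values to a file that stands in for the SSD, and keeps items at or below an assumed size threshold in RAM, mirroring the idea that only larger items are worth a flash round-trip. The sample items and the corruption step are constructed.

```python
import os
import tempfile
import zlib


class FlashBackedCache:
    """Toy cache in the extstore shape: every key's metadata lives in RAM,
    large values live in an append-only file that stands in for the SSD."""

    def __init__(self, path, small_item_max=64):
        self.small_item_max = small_item_max   # assumed threshold: items this size or smaller stay in RAM
        self.index = {}        # key -> ("ram", value) or ("flash", offset, length, crc32)
        # Unbuffered so that every flash read really goes to the file.
        self.data = open(path, "w+b", buffering=0)
        self.flash_reads = 0
        self.flash_bytes = 0

    def set(self, key, value):
        if len(value) <= self.small_item_max:
            self.index[key] = ("ram", value)
            return
        offset = self.data.seek(0, os.SEEK_END)
        self.data.write(value)
        # The RAM side keeps only where the bytes are and a checksum of them.
        self.index[key] = ("flash", offset, len(value), zlib.crc32(value))
        self.flash_bytes += len(value)

    def get(self, key):
        entry = self.index.get(key)
        if entry is None:
            return None
        if entry[0] == "ram":
            return entry[1]
        _, offset, length, crc = entry
        self.data.seek(offset)
        value = self.data.read(length)
        self.flash_reads += 1
        if len(value) != length or zlib.crc32(value) != crc:
            # Flash no longer matches the RAM metadata: serve a miss, never bad bytes.
            del self.index[key]
            return None
        return value

    def close(self):
        self.data.close()


def demo(directory=None):
    """Populate the cache with constructed sample items and exercise both tiers."""
    path = os.path.join(directory or tempfile.mkdtemp(), "extstore.bin")
    cache = FlashBackedCache(path, small_item_max=64)
    cache.set(b"session:42", b'{"uid":42,"role":"user"}')           # small: stays in RAM
    cache.set(b"page:/home", b"<html>" + b"x" * 5000 + b"</html>")   # large: goes to flash
    cache.set(b"page:/about", b"<html>" + b"y" * 3000 + b"</html>")
    result = {
        "session": cache.get(b"session:42"),
        "home_len": len(cache.get(b"page:/home")),
        "about_len": len(cache.get(b"page:/about")),
        "missing": cache.get(b"no-such-key"),
        "flash_reads_before": cache.flash_reads,
        "flash_bytes": cache.flash_bytes,
    }
    # Corrupt one byte of the flash file behind the cache's back; the checksum
    # held in RAM catches it and the key is dropped instead of returning garbage.
    with open(path, "r+b") as f:
        f.seek(10)
        f.write(b"\x00")
    result["home_after_corruption"] = cache.get(b"page:/home")
    result["keys_left"] = len(cache.index)
    result["flash_reads_after"] = cache.flash_reads
    cache.close()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The checksum in the RAM index is the part worth copying: with the value and its metadata on different media, a read must be able to tell that the two have drifted apart, and the safe answer to that is a cache miss.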
Goodbye Microservices: From 100s of problem children to 1 superstar · Segment Blog
Super-happy we resisted many of the microservices gospels and dodged this bullet
(tags: architecture microservices monolith git monorepo)
Centrifuge: a reliable system for delivering billions of events per day
Nice scale-up service to solve the multi-tenant, multi-target queueing problem with good customer isolation from Segment
(tags: queueing architecture dead-letter-queue kafka segment multi-tenant isolation)
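Customer isolation in a shared delivery queue mostly comes down to two decisions: never let one tenant’s backlog block another tenant’s deliveries, and never let a perpetually failing destination retry forever. Here is an added illustration of both, written for this page and not Centrifuge’s code (the one-line summary and tags above are all the page says about its design): per-tenant FIFO queues serviced round-robin, a per-event retry budget, and a dead-letter list. The tenant names, the failing destination and the retry budget are constructed for the example.

```python
from collections import defaultdict, deque


class FairDispatcher:
    """Per-tenant FIFO queues serviced round-robin, with a retry budget and a dead-letter list."""

    def __init__(self, deliver, max_attempts=3):
        self.deliver = deliver             # callable(tenant, event) -> True on success
        self.max_attempts = max_attempts   # assumed retry budget per event
        self.queues = defaultdict(deque)   # tenant -> deque of (event, attempts_so_far)
        self.ring = deque()                # round-robin order of tenants that have work
        self.dead_letters = []             # (tenant, event, attempts)
        self.delivered = []                # (step, tenant, event)
        self.steps = 0

    def enqueue(self, tenant, event):
        if not self.queues[tenant]:
            self.ring.append(tenant)       # a tenant joins the ring only when it has work
        self.queues[tenant].append((event, 0))

    def step(self):
        """One delivery attempt for the tenant at the head of the ring. Returns False when idle."""
        if not self.ring:
            return False
        self.steps += 1
        tenant = self.ring.popleft()
        event, attempts = self.queues[tenant].popleft()
        attempts += 1
        if self.deliver(tenant, event):
            self.delivered.append((self.steps, tenant, event))
        elif attempts >= self.max_attempts:
            self.dead_letters.append((tenant, event, attempts))   # give up, keep for inspection
        else:
            # A retry goes to the tail of this tenant's own queue, so it costs nobody else a turn.
            self.queues[tenant].append((event, attempts))
        if self.queues[tenant]:
            self.ring.append(tenant)
        return True

    def run(self, max_steps=10_000):
        while self.steps < max_steps and self.step():
            pass
        return self.steps


def demo():
    """Constructed scenario: one tenant's destination is down, another's is healthy."""
    def deliver(tenant, event):
        return tenant != "noisy"            # every delivery for "noisy" fails
    d = FairDispatcher(deliver, max_attempts=3)
    for i in range(1, 7):
        d.enqueue("noisy", f"n{i}")
    d.enqueue("quiet", "q1")
    d.enqueue("quiet", "q2")
    d.run()
    return d


if __name__ == "__main__":
    d = demo()
    print("steps:", d.steps)
    print("delivered:", d.delivered)
    print("dead-lettered:", d.dead_letters)
```

The quiet tenant’s two events go out on steps 2 and 4, interleaved with the noisy tenant’s failures, rather than after its eighteen attempts; the noisy tenant’s six events end up dead-lettered with their attempt counts, and both queues drain.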
-
‘This website has been designed to help you, the passenger, understand your rights and entitlements in the event that your air travel plans are disrupted.’ from the Commission for Aviation Regulation. See also thread from Sinead Ryan at https://twitter.com/sinead_ryan/status/1016628694427885568
(tags: consumer aviation flights ryanair aer-lingus ireland rights flying)
open source ham radio hardware in the Thai cave rescue
the Heyphone, a voice radio designed by UK radio ham, John Hey
(tags: ham-radio heyphone voice radios cave rescue thailand)
-
This is disappointing. Basho was very promising.
An investment fund and its manager have been ordered to pay up $20.3m after “misinformation, threats and combative behaviour” helped put NoSQL database biz Basho on a “greased slide to failure”. As reported by The Register, the once-promising biz, which developed the Riak distributed database, faded away last year amid severe criticisms of the way its major investor, Georgetown Capital Partners, operated. These centred around the control the investment firm and boss Chester Davenport gained over Basho, and how that power was used to block other funders and push out dissenting voices, with the hope of selling the company off fast.
-
S3 + Cloudfront + ACM + Route53, automated.
There are a bunch of free/cheap options for hosting static sites (just html/css/js) out there: github pages, netlify, firebase hosting – but when I want to build a bulletproof static site “for real”, my go-to toolset is S3 for hosting with Cloudfront caching in front of it. I figured that after a few times doing this, I’d automate it. There are a few pre-existing tools for parts of this, but none I could find that did the whole thing from registration through uploading and Cloudfront invalidation.
(tags: cli acm aws s3 cloudfront route53 static-sites web html hosting)
Hospitality boom: What’s happening with Dublin’s bars and restaurants?
Good article with an insider look at what’s going on with venues, bars and restaurants in Dublin:
They call it “meanwhile use” in property developer shorthand. It’s the market or cafe that slots itself temporarily into a building earmarked for redevelopment. Rent is low and terms are flexible. Cheap space is hewn out of a lull. Cool creative things happen. You don’t need the backing of a private equity fund or a multinational developer to set up a cafe or restaurant. No one is asking for a six-figure sum just to hand you the keys. […] That era has gone. Landlords are back in the driving seat. Between the canals the key money, a once-off upfront payment just to get the keys, is mind-boggling. The pace of new openings seems relentless and “not particularly sustainable”, as one industry insider puts it: how many burritos do you have to sell when you’ve paid €500,000 upfront, before the costs of fitting it out, staffing it and paying the rent?
(tags: dublin hospitality bars restaurants pubs nightlife landlords property boom key-money)
-
EUR40 per day from the Dutch Bike Shop in Belfield
(tags: dutch-bikes bakfiets cargo-bikes cycling bikes rental dublin)
Google Cloud Platform Blog: Introducing Jib
‘build Java Docker images better’:
Jib takes advantage of layering in Docker images and integrates with your build system to optimize Java container image builds in the following ways: Simple – Jib is implemented in Java and runs as part of your Maven or Gradle build. You do not need to maintain a Dockerfile, run a Docker daemon, or even worry about creating a fat JAR with all its dependencies. Since Jib tightly integrates with your Java build, it has access to all the necessary information to package your application. Any variations in your Java build are automatically picked up during subsequent container builds. Fast – Jib takes advantage of image layering and registry caching to achieve fast, incremental builds. It reads your build config, organizes your application into distinct layers (dependencies, resources, classes) and only rebuilds and pushes the layers that have changed. When iterating quickly on a project, Jib can save valuable time on each build by only pushing your changed layers to the registry instead of your whole application. Reproducible – Jib supports building container images declaratively from your Maven and Gradle build metadata, and as such can be configured to create reproducible build images as long as your inputs remain the same.
(tags: build google java docker maven gradle coding builds jars fat-jars packaging)
Saving a non-profit six figures a year using Squarespace, Airtable and Glitch.com
Airtable in particular sounds like a lovely tool for small-scale users
(tags: serverless airtable google squarespace glitch tools web ops)
-
PDF with a few good tips on wifi layout, AP placement etc. Also recommended: https://www.youtube.com/watch?v=Adep0SeOjAE&feature=youtu.be&t=17m22s (via irldexter)
(tags: via:irldexter wifi 802.11 wireless ops networking)
What I’ve learned from nearly three years of enterprise Wi-Fi at home
I am happy to note that I’ve grown out of this kind of pain (I think)….
Do you just want better Wi-Fi in every room? Consider buying a Plume or Amplifi or other similar plug-n-go mesh system. On the other hand, are you a technically proficient network kind of person who wants to build an enterprise-lite configuration at home? Do you dream of VLANs and port profiles and lovingly tweaked firewall rules? Does the idea of crawling around in your attic to ceiling-mount some access points sound like a fun way to kill a weekend? Is your office just too quiet for your liking? Buy some Ubiquiti Unifi gear and enter network nerd nirvana.
(tags: networking wifi wireless ubiquiti sdn vlans home ops)
Large breweries ‘pay publicans not to stock smaller companies’ beer, cider’
Good on Alan Kelly TD for raising the issue — it is clearly happening and is clearly anti-competitive market manipulation by the big brewers.
He said a pub in Cork he was in recently had 21 taps of which 19 were from one brewing company and that smaller breweries tried to get some of that business. Mr Kelly claimed similar practices were occurring in pubs across all counties and that the statutory body that deals with anti-competitive practices, the Competition and Consumer Protection Commission (CCPC), had received a number of complaints but did not have the resources to deal with the issue. However, Minister of State Pat Breen said “after a robust examination” the CCPC found it did not have grounds to suspect a breach of the law. Mr Kelly said that “the dogs in the street know what is happening here” and that the Minister’s response was insulting to the industry. He said the CCPC would need large resources to investigate the issue and “large amounts of cash and resources are being used, and these practices are happening in large pubs in all cities and towns in Ireland”.
(tags: ireland brewing beer pubs ccpc anti-competitive business alan-kelly dail)
React Native: A retrospective from the mobile-engineering team at Udacity
I think it’s safe to say they didn’t like it
(tags: react react-native udacity coding javascript android ios)
-
a simple JVMTI agent that forcibly terminates the JVM when it is unable to allocate memory or create a thread. This is important for reliability purposes: an OutOfMemoryError will often leave the JVM in an inconsistent state. Terminating the JVM will allow it to be restarted by an external process manager.
This is apparently still useful despite the existence of ‘-XX:+ExitOnOutOfMemoryError’ as of Java 8, since that may somehow still fail occasionally.
“Stylish” browser extension steals all your internet history | Robert Heaton
‘Stylish, the popular CSS userstyle browser extension [collects] complete browser history, including sites scraped from Google results. Instant uninstall.’ (via Andy Baio)
(tags: privacy browser extensions stylish css history data-protection)
-
There are twice as many people cycling as there are people in cars on the quays in Dublin at the morning rush hour, a video survey by the Dublin Cycling Campaign has found.
This doesn’t surprise me at all — I would be in that number too, except I now avoid the quays as they are too dangerous to cycle on due to the heavy traffic! A segregated cycle route is greatly needed.
(tags: cycling dublin safety cars driving dublin-cycling-campaign liffey-cycle-route)
-
Glowforge laser-cut a sundial, customised for your very own corner of planet Earth
Nginx tuning tips: TLS/SSL HTTPS – Improved TTFB/latency
Must do these soon on jmason.org / taint.org et al.
‘Nothing to worry about. The water is fine’: how Flint poisoned its people | News | The Guardian
The anxiety reverberated all the way to the state capital, Lansing, where Governor Rick Snyder was weeks away from winning reelection. His chief legal counsel, Michael Gadola, wrote in an email: “To anyone who grew up in Flint as I did, the notion that I would be getting my drinking water from the Flint River is downright scary. Too bad the [emergency manager] didn’t ask me what I thought, though I’m sure he heard it from plenty of others. My mom is a city resident. Nice to know she’s drinking water with elevated chlorine levels and fecal coliform … They should try to get back on the Detroit system as a stopgap ASAP before this thing gets too far out of control.”
(tags: flint michigan bureaucracy water poisoning corrosion poison us-politics environment taxes)
The iconic _Fountain_ (1917) was not created by Marcel Duchamp
In 1982 a letter written by Duchamp came to light. Dated 11 April 1917, it was written just a few days after that fateful exhibit. It contains one sentence that should have sent shockwaves through the world of modern art: it reveals the true creator behind Fountain – but it was not Duchamp. Instead he wrote that a female friend using a male alias had sent it in for the New York exhibition. Suddenly a few other things began to make sense. Over time Duchamp had told two different stories of how he had created Fountain, but both turned out to be untrue. An art historian who knew Duchamp admitted that he had never asked him about Fountain; he had published a standard work on Fountain nevertheless. The place from where Fountain was sent raised more questions. That place was Philadelphia, but Duchamp had been living in New York. Who was living in Philadelphia? Who was this ‘female friend’ that had sent the urinal using a pseudonym that Duchamp mentions? That woman was, as Duchamp wrote, the future. Art history knows her as Elsa von Freytag-Loringhoven. She was a brilliant pioneering New York dada artist, and Duchamp knew her well. This glaring truth has been known for some time in the art world, but each time it has to be acknowledged, it is met with indifference and silence. This article addresses the true authorship of Fountain from the perspective of the latest evidence, collected by several experts. The opinions they voice offer their latest insights. Their accumulation of evidence strengthens the case to its final conclusion. To attribute Fountain to a woman and not a man has obvious, far-reaching consequences: the history of modern art has to be rewritten. Modern art did not start with a patriarch, but with a matriarch. What power structure in the world of modern art prohibits this truth from becoming more widely known and generally accepted? Ultimately this is one of the larger questions looming behind the authorship of Fountain.
It sheds light on the place and role of the female artist in the world of modern art.
(tags: elsa-von-freytag-loringhoven marcel-duchamp modern-art history art-history scandals credit art fountain women)
Cory Doctorow: Zuck’s Empire of Oily Rags
the sophisticated targeting systems available through Facebook, Google, Twitter, and other Big Tech ad platforms made it easy to find the racist, xenophobic, fearful, angry people who wanted to believe that foreigners were destroying their country while being bankrolled by George Soros. Remember that elections are generally knife-edge affairs, even for politicians who’ve held their seats for decades with slim margins: 60% of the vote is an excellent win. Remember, too, that the winner in most races is “none of the above,” with huge numbers of voters sitting out the election. If even a small number of these non-voters can be motivated to show up at the polls, safe seats can be made contestable. In a tight race, having a cheap way to reach all the latent Klansmen in a district and quietly inform them that Donald J. Trump is their man is a game-changer. Cambridge Analytica are like stage mentalists: they’re doing something labor-intensive and pretending that it’s something supernatural. A stage mentalist will train for years to learn to quickly memorize a deck of cards and then claim that they can name your card thanks to their psychic powers. You never see the unglamorous, unimpressive memorization practice. Cambridge Analytica uses Facebook to find racist jerks and tell them to vote for Trump and then they claim that they’ve discovered a mystical way to get otherwise sensible people to vote for maniacs.
(tags: facebook politics surveillance cory-doctorow google twitter advertising elections cambridge-analytica racism nazis)