Justin's Linklog Posts

Links for 2015-08-31

Links for 2015-08-28

  • toxy

    toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions. It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in service-oriented architectures, where toxy may act as intermediate proxy among services. toxy allows you to plug in poisons, optionally filtered by rules, which essentially can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.

    (tags: toxy proxies proxy http mitm node.js soa network failures latency slowdown jitter bandwidth tcp)

  • Drone Oversight Is Coming to Construction Sites

    Grim Meathook Future

    (tags: grim-meathook-future drones work panopticon future sacramento building-sites)

  • grsecurity

    Open source security team has had enough of embedded-systems vendors taking the piss with licensing:

    This announcement is our public statement that we’ve had enough. Companies in the embedded industry not playing by the same rules as every other company using our software violates users’ rights, misleads users and developers, and harms our ability to continue our work. Though I’ve only gone into depth in this announcement on the latest trademark violation against us, our experience with two GPL violations over the previous year have caused an incredible amount of frustration. These concerns are echoed by the complaints of many others about the treatment of the GPL by the embedded Linux industry in particular over many years. With that in mind, today’s announcement is concerned with the future availability of our stable series of patches. We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity. Therefore, two weeks from now, we will cease the public dissemination of the stable series and will make it available to sponsors only. The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities. If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat’s, described here or eventually stop the stable series entirely as it will be an unsustainable development model.

    (tags: culture gpl linux opensource security grsecurity via:nelson gentoo arch-linux gnu)

  • London Calling: Two-Factor Authentication Phishing From Iran

    some rather rudimentary anti-2FA attempts, presumably from Iranian security services

    (tags: authentication phishing security iran activism 2fa mfa)

  • Vegemite May Power The Electronics Of The Future

    Professor Marc in het Panhuis at the ARC Centre of Excellence for Electromaterials Science figured out that you can 3D print the paste and use it to carry current, effectively creating Vegemite bio-wires. What does this mean? Soon you can run electricity through your food. “The iconic Australian Vegemite is ideal for 3D printing edible electronics,” said the professor. “It contains water so it’s not a solid and can easily be extruded using a 3D printer. Also, it’s salty, so it conducts electricity.”
    I’m sure the same applies for Marmite…

    (tags: vegemite marmite 3d-printing electronics bread food silly)

  • Beoir.org Community – Recent Attack on McGargles

    bizarre conspiracy theory going around about McGargles microbrewery being owned by Molson in an “astroturf craft beer” operation — they apparently were set up by a bunch of ex-Molson employees. Their beer is getting stickered in off-licenses. Mental!

    (tags: beer craft-beer ireland mcgargles conspiracy-theories bizarre beoir)

Links for 2015-08-27

  • Mining High-Speed Data Streams: The Hoeffding Tree Algorithm

    This paper proposes a decision tree learner for data streams, the Hoeffding Tree algorithm, which comes with the guarantee that the learned decision tree is asymptotically nearly identical to that of a non-incremental learner using infinitely many examples. This work constitutes a significant step in developing methodology suitable for modern ‘big data’ challenges and has initiated a lot of follow-up research. The Hoeffding Tree algorithm has been covered in various textbooks and is available in several public domain tools, including the WEKA Data Mining platform.

    (tags: hoeffding-tree algorithms data-structures streaming streams cep decision-trees ml learning papers)

  • Chinese scammers are now using Stingray tech to SMS-phish

    A Stingray-style false GSM base station, hidden in a backpack; presumably they detect numbers in the vicinity, and SMS-spam those numbers with phishing messages. Reportedly the scammers used this trick in “Guangzhou, Zhuhai, Shenzhen, Changsha, Wuhan, Zhengzhou and other densely populated cities”. Dodgy machine translation:

    March 26, Zhengzhou police telecommunications fraud cases together, for the first time seized a small backpack can hide pseudo station equipment, and arrested two suspects. Yesterday, the police informed of this case, to remind the general public to pay attention to prevention. “I am the landlord, I changed number, please rent my wife hit the bank card, card number ×××, username ××.” Recently, Jiefang Road, Zhengzhou City Public Security Bureau police station received a number of cases for investigation brigade area of the masses police said, frequently received similar phone scam messages. Alarm, the police investigators to determine: the suspect may be in the vicinity of twenty-seven square, large-scale use of mobile pseudo-base release fraudulent information. […] Yesterday afternoon, the Jiefang Road police station, the reporter saw the portable pseudo-base is made up of two batteries, a set-top box the size of the antenna box and a chassis, as well as a pocket computer composed together at most 5 kg.
    (via t byfield and Danny O’Brien)

    (tags: via:mala via:tbyfield privacy scams phishing sms gsm stingray base-stations mobile china)

Links for 2015-08-25

Links for 2015-08-23

Links for 2015-08-22

Links for 2015-08-19

Links for 2015-08-18

Links for 2015-08-17

  • The world beyond batch: Streaming 101 – O’Reilly Media

    To summarize, in this post I’ve: Clarified terminology, specifically narrowing the definition of “streaming” to apply to execution engines only, while using more descriptive terms like unbounded data and approximate/speculative results for distinct concepts often categorized under the “streaming” umbrella. Assessed the relative capabilities of well-designed batch and streaming systems, positing that streaming is in fact a strict superset of batch, and that notions like the Lambda Architecture, which are predicated on streaming being inferior to batch, are destined for retirement as streaming systems mature. Proposed two high-level concepts necessary for streaming systems to both catch up to and ultimately surpass batch, those being correctness and tools for reasoning about time, respectively. Established the important differences between event time and processing time, characterized the difficulties those differences impose when analyzing data in the context of when they occurred, and proposed a shift in approach away from notions of completeness and toward simply adapting to changes in data over time. Looked at the major data processing approaches in common use today for bounded and unbounded data, via both batch and streaming engines, roughly categorizing the unbounded approaches into: time-agnostic, approximation, windowing by processing time, and windowing by event time.

    (tags: streaming batch big-data lambda-architecture dataflow event-processing cep millwheel data data-processing)

  • What the hell is going on with SoundCloud?

    tl;dr: major labels.

    Despite having revenue coming in from ads and subscriptions, SoundCloud still relies on outside investment. While the company received $150 million in a funding round at the end of last year, it pales next to the reported $526 million Spotify gained in June, and if one report is to be believed, SoundCloud is running very low on cash. Furthermore, sources suggest that potential investors are waiting to see what happens with Sony and Universal before ploughing in more money. With the high sums reported to be involved, it’s a stalemate that could potentially break the company whether it decides to pay or not.

    (tags: soundcloud music mp3 copyright sony universal spotify funding startups)

  • GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies

    Holy shit.

    Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone.

    (tags: gsmem gsm exfiltration air-gaps memory radio mobile-phones security papers)

Links for 2015-08-16

Links for 2015-08-12

Links for 2015-08-11

  • Reddit comments from a nuclear-power expert

    Reddit user “Hiddencamper” is a senior nuclear reactor operator in the US, and regularly posts very knowledgeable comments about reactor operations, safety procedures, and other details. It’s fascinating (via Maciej)

    (tags: via:maciej nuclear-power nuclear atomic power energy safety procedures operations history chernobyl scram)

  • Amazon EC2 2015 Benchmark: Testing Speeds Between AWS EC2 and S3 Regions

    Here we are again, a year later, and still no bloody percentiles! Just amateurish averaging. This is not how you measure anything, ffs. Still, better than nothing I suppose

    (tags: fail latency measurement aws ec2 percentiles s3)

  • background doc on the Jeep hack

    “Remote Exploitation of an Unaltered Passenger Vehicle”, by Dr. Charlie Miller (cmiller@openrce.org) and Chris Valasek (cvalasek@gmail.com). QNX, unauthenticated D-Bus, etc.

    ‘Since a vehicle can scan for other vulnerable vehicles and the exploit doesn’t require any user interaction, it would be possible to write a worm. This worm would scan for vulnerable vehicles, exploit them with their payload which would scan for other vulnerable vehicles, etc. This is really interesting and scary. Please don’t do this. Please.’

    (tags: jeep hacks exploits d-bus qnx cars safety risks)

  • Care.data and access to UK health records: patient privacy and public trust

    ‘In 2013, the United Kingdom launched care.data, an NHS England initiative to combine patient records, stored in the machines of general practitioners (GPs), with information from social services and hospitals to make one centralized data archive. One aim of the initiative is to gain a picture of the care being delivered between different parts of the healthcare system and thus identify what is working in health care delivery, and what areas need greater attention and resources. This case study analyzes the complications around the launch of care.data. It explains the historical context of the program and the controversies that emerged in the course of the rollout. It explores problems in management and communications around the centralization effort, competing views on the safety of “anonymous” and “pseudonymous” health data, and the conflicting legal duties imposed on GPs with the introduction of the 2012 Health and Social Care Act. This paper also explores the power struggles in the battle over care.data and outlines the tensions among various stakeholders, including patients, GPs, the Health and Social Care Information Centre (HSCIC), the government, privacy experts and data purchasers. The predominant public policy question that emerges from this review centers on how best to utilize technological advances and simultaneously strike a balance between the many competing interests around health and personal privacy.’

    (tags: care.data privacy healthcare uk nhs trust anonymity anonymization gps medicine)

Links for 2015-08-10

Links for 2015-08-07

Links for 2015-08-06

Links for 2015-08-05

Links for 2015-08-03

Links for 2015-07-30

  • danilop/yas3fs · GitHub

    YAS3FS (Yet Another S3-backed File System) is a Filesystem in Userspace (FUSE) interface to Amazon S3. It was inspired by s3fs but rewritten from scratch to implement a distributed cache synchronized by Amazon SNS notifications. A web console is provided to easily monitor the nodes of a cluster.

    (tags: aws s3 s3fs yas3fs filesystems fuse sns)

  • danilop/runjop · GitHub

    RunJOP (Run Just Once Please) is a distributed execution framework to run a command (i.e. a job) only once in a group of servers [built using AWS DynamoDB and S3].
    nifty! Distributed cron is pretty easy when you’ve got Dynamo doing the heavy lifting.

    (tags: dynamodb cron distributed-cron scheduling runjop danilop hacks aws ops)

Links for 2015-07-29

Links for 2015-07-28

  • Taming Complexity with Reversibility

    This is a great post from Kent Beck, putting a lot of recent deployment/rollout patterns in a clear context — that of supporting “reversibility”:

    Development servers. Each engineer has their own copy of the entire site. Engineers can make a change, see the consequences, and reverse the change in seconds without affecting anyone else.
    Code review. Engineers can propose a change, get feedback, and improve or abandon it in minutes or hours, all before affecting any people using Facebook.
    Internal usage. Engineers can make a change, get feedback from thousands of employees using the change, and roll it back in an hour.
    Staged rollout. We can begin deploying a change to a billion people and, if the metrics tank, take it back before problems affect most people using Facebook.
    Dynamic configuration. If an engineer has planned for it in the code, we can turn off an offending feature in production in seconds. Alternatively, we can dial features up and down in tiny increments (i.e. only 0.1% of people see the feature) to discover and avoid non-linear effects.
    Correlation. Our correlation tools let us easily see the unexpected consequences of features so we know to turn them off even when those consequences aren’t obvious.
    IRC. We can roll out features potentially affecting our ability to communicate internally via Facebook because we have uncorrelated communication channels like IRC and phones.
    Right hand side units. We can add a little bit of functionality to the website and turn it on and off in seconds, all without interfering with people’s primary interaction with NewsFeed.
    Shadow production. We can experiment with new services under real load, from a tiny trickle to the whole flood, without affecting production.
    Frequent pushes. Reversing some changes requires a code change. On the website we are never more than eight hours from the next scheduled code push (minutes if a fix is urgent and you are willing to compensate Release Engineering). The time frame for code reversibility on the mobile applications is longer, but the downward trend is clear from six weeks to four to (currently) two.
    Data-informed decisions. (Thanks to Dave Cleal) Data-informed decisions are inherently reversible (with the exceptions noted below). “We expect this feature to affect this metric. If it doesn’t, it’s gone.”
    Advance countries. We can roll a feature out to a whole country, generate accurate feedback, and roll it back without affecting most of the people using Facebook.
    Soft launches. When we roll out a feature or application with a minimum of fanfare it can be pulled back with a minimum of public attention.
    Double write/bulk migrate/double read. Even as fundamental a decision as storage format is reversible if we follow this format: start writing all new data to the new data store, migrate all the old data, then start reading from the new data store in parallel with the old.
    We do a bunch of these in work, and the rest are on the to-do list. +1 to these!

    (tags: software deployment complexity systems facebook reversibility dark-releases releases ops cd migration)

Links for 2015-07-27

  • Benchmarking GitHub Enterprise – GitHub Engineering

    Walkthrough of debugging connection timeouts in a load test. Nice graphs (using matplotlib)

    (tags: github listen-backlog tcp debugging timeouts load-testing benchmarking testing ops linux)

  • How .uk came to be (and why it’s not .gb)

    WB: By the late 80s the IANA [the Internet Assigned Numbers Authority, set up in 1988 to manage global IP address allocations] was trying to get all those countries that were trying to join the internet to use the ISO 3166 standard for country codes. It was used for all sorts of things — you see it on cars, “GB” for the UK. […] At that point, we’re faced with a problem that Jon Postel would like to have changed it to .gb to be consistent with the rest of the world. Whereas .uk had already been established, with a few tens of thousands of domain names with .uk on them. I remember chairing one of the JANET net workshops that were held every year, and the Northern Irish were adamant that they were part of the UK — so the consensus was, we’d try and keep .uk, we’d park .gb and not use it. PK: I didn’t particularly want to change to .gb because I was responsible for Northern Ireland as well. And what’s more, there was a certain question as to whether a research group in the US should be allowed to tell the British what to do. So this argy-bargy continued for a little while and, in the meantime, one of my clients was the Ministry of Defence, and they decided they couldn’t wait this long, and they decided I was going to lose the battle, and so bits of MOD went over to .gb — I didn’t care, as I was running .gb and .uk in any case.

    (tags: dot-uk history internet dot-gb britain uk northern-ireland ireland janet)

  • That time the Internet sent a SWAT team to my mom’s house – Boing Boing

    The solution is for social media sites and the police to take threats or jokes about swatting, doxxing, and organized crime seriously. Tweeting about buying a gun and shooting up a school would be taken seriously, and so should the threat of raping, doxxing, swatting or killing someone. Privacy issues and online harassment are directly linked, and online harassment isn’t going anywhere. My fear is that, in reaction to online harassment, laws will be passed that will break down our civil freedoms and rights online, and that more surveillance will be sold to users under the guise of safety. More surveillance, however, would not have helped me or my mother. A platform that takes harassment and threats seriously instead of treating them like jokes would have.

    (tags: twitter gamergate 4chan 8chan privacy doxxing swatting harrassment threats social-media facebook law feminism)

  • Why Google’s Deep Dream Is Future Kitsch

    Deep Dream estranges us from our fears, perhaps, but it doesn’t make them go away. It’s easy to discuss Deep Dream as an independent creature, a foreign intelligence that we interact with for fun. Yet like all kitsch, it comes straight back to its creators.

    (tags: kitsch deep-dream art graphics google inceptionism)

  • It’s Not Climate Change — It’s Everything Change

    Now this is a Long Read. The inimitable Margaret Atwood on climate change, beautifully illustrated.

    (tags: climate climate-change margaret-atwood long-reads change life earth green future)

  • In Praise of the AK-47 — Dear Design Student — Medium

    While someone can certainly make the case that an AK-47, or any other kind of gun or rifle is designed, nothing whose primary purpose is to take away life can be said to be designed well. And that attempting to separate an object from its function in order to appreciate it for purely aesthetic reasons, or to be impressed by its minimal elegance, is a coward’s way of justifying the death they’ve designed into the world, and the money with which they’re lining their pockets.

    (tags: design ux ak-47 kalashnikov guns function work)

Links for 2015-07-22

Links for 2015-07-21

  • Java lambdas and performance

    Lambdas in Java 8 introduce some unpredictable performance implications, due to reliance on escape analysis to eliminate object allocation on every lambda invocation. Peter Lawrey has some details

    (tags: lambdas java-8 java performance low-latency optimization peter-lawrey coding escape-analysis)

  • Mikhail Panchenko’s thoughts on the July 2015 CircleCI outage

    an excellent followup operational post on CircleCI’s “database is not a queue” outage

    (tags: database-is-not-a-queue mysql sql databases ops outages postmortems)

  • Men who harass women online are quite literally losers, new study finds

    (1) players are anonymous, and the possibility of “policing individual behavior is almost impossible”; (2) they only encounter each other a few times in passing — it’s very possible to hurl an expletive at another player, and never “see” him or her again; and (3) finally, and perhaps predictably, the sex-ratio of players is biased pretty heavily toward men. (A 2014 survey of gender ratios on Reddit found that r/halo was over 95 percent male.) […] In each of these environments, Kasumovic suggests, a recent influx of female participants has disrupted a pre-existing social hierarchy. That’s okay for the guys at the top — but for the guys at the bottom, who stand to lose more status, that’s very threatening. (It’s also in keeping with the evolutionary framework on anti-lady hostility, which suggests sexism is a kind of Neanderthal defense mechanism for low-status, non-dominant men trying to maintain a shaky grip on their particular cave’s supply of women.) “As men often rely on aggression to maintain their dominant social status,” Kasumovic writes, “the increase in hostility towards a woman by lower-status males may be an attempt to disregard a female’s performance and suppress her disturbance on the hierarchy to retain their social rank.”

    (tags: losers sexism mysogyny women halo gaming gamergate 4chan abuse harrassment papers bullying social-status)

  • The old suburban office park is the new American ghost town – The Washington Post

    Most analyses of the market indicate that office parks simply aren’t as appealing or profitable as they were in the 20th century and that Americans just aren’t as keen to cloister themselves in workspaces that are reachable only by car.

    (tags: cbd cities work life office-parks commuting america history workplaces)

  • HACKERS REMOTELY KILL A JEEP ON THE HIGHWAY—WITH ME IN IT

    Jaysus, this is terrifying.

    Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.
    Avoid any car which supports this staggeringly-badly-conceived Uconnect feature:
    All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot.
    :facepalm: Also, Chrysler’s response sucks: “Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic.”

    (tags: hacking security cars driving safety brakes jeeps chrysler fiat uconnect can-bus can)

Links for 2015-07-20

Links for 2015-07-17

  • Angela Merkel told a sobbing girl she couldn’t save her from deportation. It was a lie. – Vox

    Argentina has, as a matter of constitutional law, effectively open borders. There are no caps or quotas or lottery systems. You can move there legally if you have an employer or family member to sponsor you. That’s all you need. If you don’t have a sponsor, and make your way in illegally, you’re recognized as an “irregular migrant.” Discrimination against irregular migrants in health care or education is illegal, and deportation in noncriminal cases is exceptionally rare. Large-scale amnesties are the norm. Obviously Argentina is not nearly as rich as Germany or the US or the UK. But it’s considerably richer than three of its neighbors (Bolivia, Paraguay, and Brazil). And yet it doesn’t try hard to keep their residents out. It welcomes them — as it should. “One could have expected catastrophe—an uncontrollable flow of poorer immigrants streaming into the country coupled with angry public backlash,” Elizabeth Slater writes in the World Policy Journal. “That hasn’t happened.” Angela Merkel clearly expects catastrophe if she lets people like this weeping young Palestinian girl stay in Germany. That catastrophe is simply a myth; it wouldn’t happen. What would happen is that Germany’s economy would grow, its culture would grow richer, and that girl and more like her could see their lives improve immeasurably.

    (tags: argentina immigration angela-merkel germany eu migrants deportation economics)

Links for 2015-07-16

Links for 2015-07-15

Links for 2015-07-14

Links for 2015-07-13

  • OkHttp

    A new HTTP client library for Android and Java, with a lot of nice features:

    HTTP/2 and SPDY support allows all requests to the same host to share a socket. Connection pooling reduces request latency (if SPDY isn’t available). Transparent GZIP shrinks download sizes. Response caching avoids the network completely for repeat requests. OkHttp perseveres when the network is troublesome: it will silently recover from common connection problems. If your service has multiple IP addresses OkHttp will attempt alternate addresses if the first connect fails. This is necessary for IPv4+IPv6 and for services hosted in redundant data centers. OkHttp initiates new connections with modern TLS features (SNI, ALPN), and falls back to TLS 1.0 if the handshake fails. Using OkHttp is easy. Its 2.0 API is designed with fluent builders and immutability. It supports both synchronous blocking calls and async calls with callbacks.

    (tags: android http java libraries okhttp http2 spdy microservices jdk)

  • Eircode tech specs

    via Ossian.

    (tags: via:smytho tech-specs specs eircode addresses geocoding ireland mapping)

  • AWS Best Practices for DDoS Resiliency [pdf]

    Reasonably solid white paper

    (tags: ddos amazon aws security dos whitepapers pdf)

Links for 2015-07-11

Links for 2015-06-25