Blog Archive: May 2014
Good Reads, May 2014
A summary of the interesting articles I've found this month. What is Site Reliability Engineering? An interview with Ben Treynor (Google VP, Site Reliability Engineering) -- SRE isn't just a new name for system administration, it is an entirely new business philosophy. Distributed Systems and the End of the API -- APIs are like assembly language. Nobody programs in assembly language any more. So what's the high-level equivalent? Big Cable says broadband investment is flourishing, but their own data says it's falling -- Remember folks, these are the companies that keep telling the media that people don't want gigabit broadband. The Unreasonable Effectiveness of Checklists -- Checklists are awesome...
Friday Squid Blogging: Squid-Shaped Pancakes
Here are pictures of squid-shaped pancakes. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Camera Combo Fun
What happened was, I got an adapter and slapped a Pentax 100mm Telephoto-Macro on my Fujifilm X-T1, leading to a ridiculous amount of fun. Herewith pictures of irises, flamenco, and a muscle car; and of course the baroque camera/lens combo. But there are things to watch out for. For those with a short attention span: Fujifilm X-cam shooters might want to run out and buy this lens (but there are cheaper alternatives) and a PK-to-FX adapter (but not the one I bought). I have lots of Pentax lenses, but without hesitation I slapped on the D-FA 100mm f2.8 because what's not to like about a prime mid-telephoto with MACRO written in big letters on the side?
Clarion SF/F writeathon: write, sponsor writers, help a new generation
Once again, it's time for the Clarion Writers Workshop writeathon - we need writers and sponsors to help fund the Clarion Workshop, the respected, long-running science fiction writers' bootcamp. A writeathon is just what it sounds like: a fundraiser where writers ask their friends to sponsor their writing. I'm writing 1,000 words a day, five … [Read more]
More NiZn insights
The NiZn batteries in my mouse were discharged and needed changing today. There are two, and they're in parallel. On removal the voltages were 0.387 V and 0.630 V. That's surprising for two reasons: firstly, being in parallel the voltages should have been very close. Secondly, they're far too low: a discharged NiZn battery has about 1.55 V. But until yesterday evening the mouse worked normally. What happened? One issue with batteries in parallel is that they need to discharge at the same rate. That implies very consistent characteristics. The fact that the two batteries had such markedly different voltages after discharge shows that that's not the case here.
Vulnerabilities Found in Law Enforcement Surveillance System
SEC Consult has published an advisory warning people not to use a government eavesdropping product called Recording eXpress, sold by the Israeli company Nice Systems. Basically, attackers can completely compromise the system. There are good stories on this by Brian Krebs and Dan Goodin....
Where Is Your Data Safe?
You can store it on a USB stick or your mobile or your personal computer or your company servers or out there in the cloud. Where is it safe? That's not a simple question, but here's my answer: Your own personal computer, if you take a few basic precautions, can be a pretty safe place to store things that matter, including secrets that matter. Let's assume, concerning the personal computer I'm talking about: You bought it yourself, from its maker. You haven't let anybody, in particular your employer's IT group, install anything on it. The chances of an employer installing spyware, whether through policy or incompetence, are high.
TrueCrypt WTF
I have no idea what's going on with TrueCrypt. A good summary of the story is at Ars Technica, and Slashdot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow. Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait...
Facebook tracks me!
BSDCan is over, but not forgotten. David Maxwell posted a photo of a whole lot of us, including not only me, but also Jordan Hubbard, Kirk McKusick and Randi Harper. Problem: none of us were there. Jordan and Randi confirmed it, and I can't see Kirk there. In fact, I haven't been out of Australia for 8 years, coincidentally after returning from BSDCan 2006. Why did David claim we were there? Why, did David claim we were there? No. It seems that Facebook decided that it recognized us there. It's clearly not very clever: as far as I can see, all the people in the photo are male, but it seems that Tamara Colby (whom I don't know) is female, and so is Randi.
Eben Moglen on Snowden and Surveillance
This is well worth reading. It's based on a series of talks he gave last fall....
Comments on NIST Draft SP 800-160
[I emailed these comments to NIST last week. I've never read NIST standards documents before, so my response may be entirely naive, but since it is my tax dollars at work, I thought I'd put in my two cents.] Subject: Draft SP 800-160 Comments I read with great interest the DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems http://csrc.nist.gov/publications/PubsDrafts.html#800-160 I'd like to comment on two sections, "2.3.4 Security Risk Management" and "Chapter 3: Lifecycle". 2.3.4 Security Risk Management This discusses ways to deal with risk: Avoid, Accept, Mitigate, Transfer. This is a very traditional view of risk.
Talking with NPR Marketplace about the Disneyland prospectus
I was on NPR’s Marketplace yesterday talking (MP3) about our posting of a rarer-than-rare Disney treasure, the never-before-seen original prospectus for Disneyland, scanned before it was sold to noted jerkface Glenn Beck, who has squirreled it away in his private Scrooge McDuck vault.
What Programmers Do
I contributed a morsel of code, connective tissue linking two moderately-popular pieces of publicly-available software. The technology and culture that enable this? They're the water and computer programmers are the fish; we can't see it any more. By an accident of history I could this time, and want to write about it. Sidebar: For non-geeks. Whenever you're sitting in front of a computer or fiddling with your mobile, you're interacting with software. How that software gets built, and the culture out of which it rises, are processes that affect your life; just like the tech and culture and people that manage airline schedules and commute-route closures and TV programming.
The Economics of Bulk Surveillance
Ross Anderson has an important new paper on the economics that drive government-on-population bulk surveillance: My first big point is that all the three factors which lead to monopoly network effects, low marginal costs and technical lock-in are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily...
Privacy Levels
You should be able to exchange messages privately using the Internet. My profession should be working on making this easy for everyone, including non-geek civilians who don't, and shouldn't, need to understand cryptography. I've been thinking about this a lot and even slinging little bits & pieces of code; before I write any more, I think it'd be helpful to define terms. So let's start with a question: How private do you want to be? There are three obvious levels, which I'll call Basic, Common, and Strong. Basic Privacy: We can all agree that we want privacy from random strangers sniffing WiFi signals, from crooks looking for bank account numbers, and from agents of the Chinese government looking for dirt on dissidents.
Product Idea: Real-time re-living the moon landing
I was only 7 months old when Neil Armstrong became the very first man to walk on the moon. I don't remember it very well. Today I was reminded that most of what we see of the moon landings are highlights. 10-second little clips. I would like to know what the entire 8 days were like. I'm sure there are audio and video recordings of the entire thing. All of NASA's recordings are public domain, so they must be available somewhere. Here's my thought for a product. A kit that includes audio and video recordings and other stuff to help you re-live the entire 8 day experience.
Chinese Garden, Right Side Up
Earlier, in Chinese Garden Reflections I ran some pictures of greenery reflected in the ponds of Vancouver's Dr. Sun Yat-Sen Classical Chinese Garden. Here are more photos, unreflected. The first three of the five are in the public (free) part of the garden. Did I mention that it's a really nice place to visit?
Friday Squid Blogging: Squid Ink Cocktail
Del Campo, a restaurant in Washington DC, has a Bloody Mary made with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Alan Watts on the Harms of Surveillance
Biologist Alan Watts makes some good points: Mammals don't respond well to surveillance. We consider it a threat. It makes us paranoid, and aggressive and vengeful. [...] "Natural selection favors the paranoid," Watts said. Those who run away. In the earliest days of man on the savannah, when we roamed among the predatory, wild animals, someone realized pretty quickly that...
Mail address harvesters
Spam's a fact of life, of course, but occasionally I see things that are a little unusual:
740 N 21-05-2014 PlatinumPfizer To bloedmann ( 12) N Mr. bloedmann, Ready For 71% OFF?
743 N F 21-05-2014 To freebeer To freebeer ( 12) N F Mr. freebeer, Ready For 71% OFF?
745 N + 22-05-2014 PlatinumPfizer To brewer ( 12) + Mr. brewer, Ready For 71% OFF?
747 N 21-05-2014 PlatinumPfizer To daemon ( 12) N Mr.
Night Food
I mean at the Richmond Night Market. Richmond is a suburb of Vancouver noted for flatness, Chinese-ness, and the airport. I gather night markets are a big deal in the great Asian cities, so why not Richmond? It's in a big parking lot in an empty corner near the airport, traversed by the Canada-Line elevated tracks. There are lots of retail establishments, mostly selling cheap-n-cheerful junk; the main attraction was the food: Cheap and cheerful, yes, but not junk at all. The people who cook and sell it, they work hard. I had some chicken and beef barbecue sticks, Lauren had squid-in-a-cup with loads of garlic, the little girl had cinnamon mini-bagels and a mango smoothie.
"Ops All The Things" Podcast
I'm the guest on this week's "Ops All The Things!" podcast. We talk about time management and all sorts of things. Check it out! http://www.opsallthethings.com/podcast/006-time-management
Disclosing vs Hoarding Vulnerabilities
There's a debate going on about whether the U.S. government -- specifically, the NSA and United States Cyber Command -- should stockpile Internet vulnerabilities or disclose and fix them. It's a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace. A software vulnerability is a programming mistake that allows an adversary access into...
Monitor damage?
I've been quite happy with the Matrix NEO 270WQ 2560×1440 monitor that I bought 18 months ago. The price was right, and it works well, most of the time. About one time out of 10, when I turn it on, the display is scrambled, just a lot of vertical lines. I've found that switching to a different vty or X server gets rid of that. When I came into the office this morning, it happened again. But this time I was so engrossed in an IRC topic on monitor 3 that I didn't notice for several minutes. And when I did the switch, there were residual vertical lines on the display.
The NSA is Not Made of Magic
I am regularly asked what is the most surprising thing about the Snowden NSA documents. It's this: the NSA is not made of magic. Its tools are no different from what we have in our world, it's just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the...
Government Policy on Cell Phone Interception Technology
New paper: "Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy," by Christopher Soghoian and Stephanie K. Pell: Abstract: In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept...
CppCon: My Proposed Talks (Part 2)
Yesterday I posted three of my proposed talks for CppCon. These are the ones I've given publicly before, but they're not retreads: all are fresh and up to date, with refreshed or new material. But I've also proposed two brand new talks; titles and abstracts are below. Note: The CppCon program committee will […]
Preplay Attack on Chip and PIN
Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post: Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card. When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the...
CppCon: My Proposed Talks (Part 1)
I’ve been watching the talk proposals rolling in for CppCon, now well over 100 of them, and I was already looking forward to this conference but I just keep getting more jazzed. For my part, I’ve proposed five talks, with between 5 and 10 hours of material. I thought I’d share some of them here. […]
Advances in Solving the Discrete Log Problem
At Eurocrypt this year, researchers presented a paper that completely breaks the discrete log problem in any field with a small characteristic. It's nice work, and builds on a bunch of advances in this direction over the last several years. Despite headlines to the contrary, this does not have any cryptanalytic application -- unless they can generalize the result, which...
Podcast (FIXED): Firefox's adoption of closed-source DRM breaks my heart
Note: This is a fixed version of this week's podcast; I accidentally uploaded an older podcast under this headline. Here's a reading (MP3) of my latest Guardian column, Firefox's adoption of closed-source DRM breaks my heart, a close analysis of the terrible news that Mozilla has opted to add closed source DRM to its … [Read more]
Pervasive Monitoring as Network Attack
New IETF RFC: "RFC 7258: Pervasive Monitoring Is an Attack" that designers must mitigate. Slashdot thread....
Podcast: Firefox's adoption of closed-source DRM breaks my heart
Here's a reading (MP3) of my latest Guardian column, Firefox's adoption of closed-source DRM breaks my heart, a close analysis of the terrible news that Mozilla has opted to add closed source DRM to its flagship Firefox browser: The decision to produce systems that treat internet users as untrusted adversaries to be controlled by … [Read more]
Abusing Power to Shut Down a Twitter Parody Account
This is a pretty horrible story of a small-town mayor abusing his authority -- warrants where there is no crime, police raids, incidental marijuana bust -- to identify and shut down a Twitter parody account. The ACLU is taking the case....
Coming to SLC
I'm delighted to announced that I'll be the guest of honor at Salt Lake City's Westercon 67 this July -- Westercon being the annual convention for science fiction fandom west of the Mississippi. There's quite a fantastic roster of other guests as well! See you 44 days in SLC!
Installing GNU/Linux on an 2014 Lenovo Thinkpad X1 Carbon
I recently bought a new Lenovo X1 Carbon. It is the new second-generation, type "20A7" laptop, based on Intel's Haswell microarchitecture with the adaptive keyboard. It is the version released in 2014. I also ordered the Thinkpad OneLink Dock which I have returned for the OneLink Pro Dock which I have not yet received. The […]
Pistils and Stamens Oh My
Being four photographs of the insides of rhododendron blossoms featuring the sex organs named in the title. Some of the color is extraordinary. Those flower parts are kind of hard to photograph because they're long and sticking out at you, so you need some depth-of-field to keep them in focus, but when you're shooting flowers you usually want as little as possible DoF so as to make the subject stand out. The Fujifilm X-T1 has all sorts of focus aids and I'm slowly starting to get a feel for them.
Makers: the Japanese fan-trans
Haruka Tsubota has undertaken a Japanese fan-translation of my novel Makers. It's available as Epub and Mobi, and licensed CC-BY-NC-SA.
Sudden traffic increase
I don't monitor my external web site traffic very frequently, but RootBSD supply some useful tools. Today I took a look and discovered that I had used about 280 GB since the beginning of the month. That's a little more than average for the whole month. Looking at the graphs showed that most of it had occurred in the past two days. Time to look at the log files:
dsl-hkibrasgw1-58c393-42.dhcp.inet.fi - - [13/May/2014:12:41:18 -0400] "GET /grog/diary-aug2010.php?dirdate=20100409&imagesizes=1111111111111111111121111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 HTTP/1.0" 200 521410 "-" "Riddler (http://riddler.io/about.html)"
ec2-54-87-63-67.compute-1.amazonaws.com - - [13/May/2014:12:43:08 -0400] "GET /grog/diary-nov2009.php?dirdate=20091111&imagesizes=111111111111111111111111111111111111111111111111112111111111111111111111111111111111111111111111111111111111111111111111111111 HTTP/1.0" 200 509842 "-" "Riddler (http://riddler.io/about.html)"
ec2-54-211-80-117.compute-1.amazonaws.com - - [13/May/2014:12:43:52 -0400] "GET /grog/diary-nov2009.php?dirdate=20091113&imagesizes=111111111111111111111111111111111111111111111111111111111111 HTTP/1.0" 200 501004 "-" "Riddler (http://riddler.io/about.html)"
ec2-54-87-63-67.compute-1.amazonaws.com - - [13/May/2014:12:44:03 -0400] "GET /grog/diary-aug2011.php?dirdate=20110822&imagesizes=111111111111111111111111111111111111111111111111111111111211111111111111111111111 HTTP/1.0" 200 502215 "-" "Riddler (http://riddler.io/about.html)"
On the face of it, that's not a particularly high hit rate, but each ...
Friday Squid Blogging: Fossil Squid
Rare fossilized cephalopods. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Nautical-maintenance Mac
There are three silver Mac laptops in our household and sometimes it's not obvious which is which. Also, while at Google I got used to the notion that laptops shouldn't be left naked. So I shopped around online and ordered a cover from DecalGirl. This is the picture I used. It's Doug McCallum's workshop; he runs Blue Ocean Yacht Services here in Vancouver and fixes up our boat once a year. I thought there were a few things about the workshop that suggested what was under the cover inside the computer. Putting the decal on requires a steady hand and cool nerves; mine is just slightly not straight, which irritates the hell out of me but is entirely invisible to the casual observer.
How to Stop an Insider from Stealing All Your Secrets
This article from Communications of the ACM outlines some of the security measures the NSA could, and should, have had in place to stop someone like Snowden. Mostly obvious stuff, although I'm not sure it would have been effective against such a skilled and tenacious leaker. What's missing is the one thing that would have worked: have fewer secrets....
Forged SSL Certificates Pervasive on the Internet
About 0.2% of all SSL certificates are forged. This is the first time I've ever seen a number based on real data. News article: Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. Actual paper....
Is Antivirus Dead?
Symantec declared anti-virus dead, and Brian Krebs writes a good response. He's right: antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet....
Cloud computing in Europe should put power in the hands of the customer
This is an extended version of an article that appeared in the Guardian today. We are rapidly entering into an era where massive computing power, digital storage and global network connections can be deployed by anyone as quickly and easily as turning on the lights. This is the promise, and the reality, of cloud computing, which is driving tremendous change in the technology industry and transforming how we do business in Europe and around the world. Cloud computing unlocks innovation within organisations of all types and sizes. No longer do they need to spend valuable human and capital resources on maintaining and procuring expensive technology infrastructure and datacenters; they can focus their most valuable resources on what they do best, building better products and services for their customers.
I'd like to buy an IP-KVM switch, please.
Hi! I'd like to buy an IP-KVM switch, please. "Sure! We got plenty." Now wait... I have some very specific requirements. "Shoot." First, I want it to connect via some kind of pod or something that I can only buy from you. If there is any interoperability between vendors, I'm going to be very upset. I want full vendor lock-in. "No worries, sir. We have a variety of pods, all highly proprietary. I assure you they won't work with any other vendor. Heck, some of them don't even work with our own products! In fact, if you are switching from another brand we send you a box of bandaids since we know you'll need them after changing all those cables."
Seventh Movie-Plot Threat Contest Semifinalists
On April 1, I announced the Seventh Movie Plot Threat Contest: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling the strings...
Ports upgrade: proof of the pudding
So yesterday I finally got my FreeBSD ports up to date. Today I checked:
==== Wed 14 May 2014 09:33:17 EST on stable-amd64.lemis.com: pkg upgrade
Updating repository catalogue
Nothing to do
Finally!
=== root@stable-amd64 (/dev/pts/3) /usr/ports 5 -> hugin
Shared object "libexiv2.so.12" not found, required by "hugin"
What caused that? Yes, like so many other ports, Hugin was installed from the Ports Collection, not from a package. But the information was stored in the same database. Clearly there's something wrong here.
Chinese Garden Reflections
While my Mom was visiting, she and I went to the Dr. Sun Yat-Sen Classical Chinese Garden, and boy did we ever take a lot of pictures. These three are different; upside-down actually, reflected in the garden's many ponds. There's a free part and a (not particularly cheap) paid-admission part; the first two shots here are in the first. For anyone visiting Vancouver, I totally recommend the Garden; it's small, easy to take in, and beautiful in a unique way. Also, there are lots of funky entertaining stores in that part of Old Chinatown.
Mozilla breaks our hearts, adds DRM to Firefox
For months, I've been following the story that the Mozilla project was set to add closed source Digital Rights Management technology to its free/open browser Firefox, and today they've made the announcement, which I've covered in depth for The Guardian. Mozilla made the decision out of fear that the organization would haemorrhage users and become … [Read more]
Espionage vs. Surveillance
According to NSA documents published in Glenn Greenwald's new book No Place to Hide, we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam. This will certainly strain international relations,...
My 5-year prediction
I don't make many predictions. However I think two technologies are going to be huge within the next five years. DACs: I'm not saying Bitcoin will be big (though it could be), I'm saying that the underlying technology is revolutionary and may become one of the basic data management systems we use in places where today we need a neutral third party. That would be things like: DNS registrations, the stock market, and so on. More info here. CRDTs/CALM: I've been talking about these since 2009, but Chas Emerick's new article makes me confident they're ripe to become very popular very soon.
The AWS Activate CTO to CTO series on Medium
I'm excited to announce a new blog dedicated to AWS startups. We're launching it on Medium, itself a startup on AWS. I kicked off the blog with a Q&A with the Medium CTO Don Neufeld. I really enjoyed Don's answers to my questions and there are some real gems in here for startup CTOs. Check it out. We'll be keeping this blog fresh with other startup spotlights and good technical content so follow the collection and keep up.
New Al Qaeda Encryption Software
The Web intelligence company Recorded Future is reporting -- picked up by the Wall Street Journal -- that al Qaeda is using new encryption software in the wake of the Snowden stories. I've been fielding press queries, asking me how this will adversely affect US intelligence efforts. I think the reverse is true. I think this will help US intelligence...
Air Traffic Control System Failure & Complex System Testing
It's difficult to adequately test complex systems. But what's really difficult is keeping a system adequately tested. Creating systems that do what they are designed to do is hard but, even with the complexity of these systems, many life critical systems have the engineering and production testing investment behind them to be reasonably safe when deployed. It's keeping them adequately tested over time, as conditions and the software system change, where we sometimes fail. There are exceptions to the general observation that we can build systems that operate safely when inside reasonable expectations of expected operating conditions.
FreeBSD ports: finally up to date
Continued with the port upgrade on my build machine today. 551 fatal warnings to remove. In fact, it wasn't quite that bad:
=== grog@eureka (/dev/pts/12) /src/Music/audiostream 15 -> grep WARN /usr/ports/Log.log.0 |sed 's:conflict.*::'|sort -u
Checking integrity...pkg: WARNING: locally installed cups-image-1.5.4_1
Checking integrity...pkg: WARNING: locally installed py27-setuptools-2.0.1
Proceed with installing packages [y/N]: Checking integrity...pkg: WARNING: locally installed cups-image-1.5.4_1
pkg: WARNING: locally installed docbook-4.2
pkg: WARNING: locally installed docbook-4.3
pkg: WARNING: locally installed docbook-sk-4.1.2_4
pkg: WARNING: locally installed docbook-xml-4.3
pkg: WARNING: locally installed docbook-xml44-4.4_1
pkg: WARNING: locally installed docbook-xml45-4.5
pkg: WARNING: locally installed docbook440-4.4_2
pkg: WARNING: locally installed docbook450-4.5_2
pkg: WARNING: locally installed docbook500-5.0_1
pkg: WARNING: locally installed hdf5-1.8.10
pkg: WARNING: locally installed py27-setuptools-2.0.1
So basically it was only 4 ports, though DocBook accounted for many of them, including, it seems, multiple versions.
Pervasive Monitoring Is an Attack
That's the title of RFC 7258, also known as BCP 188 (where BCP stands for Best Common Practice); it represents Internet Engineering Task Force consensus on the fact that many powerful well-funded entities feel it is appropriate to monitor people's use of the Net, without telling those people. The consensus is: This monitoring is an attack and designers of Internet protocols must work to mitigate it. Concretely, quoting from the RFC (PM stands for Pervasive Monitoring): Those developing IETF specifications need to be able to describe how they have considered PM, and, if the attack is relevant to the work to be published, be able to justify related design decisions. The back story: Since the pervasive-surveillance story broke in June 2013, it's reasonable to wonder why the IETF is putting this stake in the ground in May of 2014.
Teaching Glass
Teaching, as in I have a Visiting-Professor gig this summer at the Centre for Digital Media. Glass as in Google Glass; I'm advising a group trying to drive an interactive documentary (someone said walkumentary) with wearable tech. There are six grad students with expertise in programming, animation, photography, film, and audio, and they've got fourteen weeks to see what they can make. Should be fun. The team: Wenguang, Jessie, Cindy, Dan, Rob, and Valerie. They're not dummies. They have a blog already, Aperture; check out their not-rosy-at-all first impressions of walking around wearing Glass. The picture apparently illustrates the Hand shading technique.
Computer Forensics in Fiction
New television show -- CSI: Cyber. I hope they have some good technical advisers, but I doubt they do....
New NSA Snowden Documents
Glenn Greenwald's book, No Place to Hide, has been published today. There are about 100 pages of NSA documents on the book's website. I haven't gone through them yet. At a quick glance, only a few of them have been published before. Here are two book reviews....
RawTherapee: first impressions
RawTherapee seems to have a lot of features. What it doesn't have is a manual. Still, photo software is photo software, right, and it should be easy enough to understand. So I fired it up and got a barely legible screen: How can you read that? Spent 10 minutes looking for the settings tab (it's at bottom left) and came up with a better looking screen (GTK default): But that's as far as I got.
Fatal pkg warnings
I still haven't got round to upgrading to FreeBSD release 10. My last attempt, nearly 2 weeks ago, ended with the system hanging on shutdown. But that could have been due to the old machine I was running it on. I needed to try it in my current build machine. And to get at that I had to tidy away the mess on the desk. Got that done today, put in the disk, and sure enough, it works fine. So the next step was to bring the software up to date. Build world, build kernel, install kernel, upgrade packages. 1 GB of packages to download!
Security and cameras
I've grumbled about the network connectivity of my Olympus OM-D E-M1 in the past, but it seems that there are cameras that have more functionality. The Samsung NX300 looks like a competitor to the E-M1, but it seems to have better functionality, well hidden in the documentation. It seems that it even has an X server. But Georg Lukas did some investigations and came up with some amazing security issues. 802.11 with no passwords, no encryption. It reminds me of the bad old days of war chalking. I suppose it's a sign of the changes in wireless network security that www.warchalking.org is for sale.
Steganography in Tweets
Clever, but make sure to heed the caveats in the final two paragraphs....
Podcast: Why it is not possible to regulate robots
Here's a reading (MP3) of my recent Guardian column, Why it is not possible to regulate robots, which discusses where and how robots can be regulated, and whether there is any sensible ground for "robot law" as distinct from "computer law." One thing that is glaringly absent from both the Heinleinian and Asimovian brain … [Read more]
Mice, Cheese, DevOps, and Job Satisfaction
You've probably seen experiments where a mouse gets cheese as a reward for pulling a lever. If he or she receives the cheese right away, the brain associates work (pulling the lever) with reward (the cheese) and it motivates the mouse. They want to do more work. It improves job satisfaction. If the mouse received the cheese a month later, the brain won't associate the work with the reward. A year later? Fuggedaboutit! Now imagine you are a software developer, operations engineer, or system administrator working on a software project. The software is released every 6 months. The hard work you do gets a reward every 6 months.
Internet Subversion
In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back. Trust is inherently social. It is personal, relative, situational, and fluid. It is not uniquely human,...
Google Has Most of My Email Because It Has All of Yours
For almost 15 years, I have run my own email server which I use for all of my non-work correspondence. I do so to keep autonomy, control, and privacy over my email and so that no big company has copies of all of my personal email. A few years ago, I was surprised to find […]
A C Runtime Library Optimized for Enhanced Portability (libep)
http://www.neophilic.com/pub/libep/libep-0.2.0.tgz
Several years ago now I wrote a C library that was intended to explore some ideas I had been playing with in my head, in particular with building highly portable code. It was in the back of my head to replace the low-level I/O facilities in sendmail, but this never happened (although I started doing so). It's never been used in serious production, but I've used it for a number of small things. I've decided to put it out as open source in the hopes that someone will find it useful and/or instructive. Oh yes, it has documentation.
That Oracle-Google Appeal
I'm actually not that upset. The decision may or may not stand, so nobody on either side should either overcelebrate or rend their garments in anguish. And even if APIs are copyrightable, maybe that's not so terrible. But I think the OSS community just picked up a new to-do item. [Disclosure: While working at Google, I worked with the attorneys on certain aspects of this case, and was deposed by Oracle. I am not the slightest bit neutral in this dispute.]
Might not stand? I read most of the Federal Circuit Appeals Court judgment and boy, the law around this is clear as mud.
Old Spring Lilies
Lily-pads, to be exact. Last year's, in this year's May. I loved the geometry; and I think these are the only pictures in years I've consciously taken with B&W in mind; the pads were yellow and diseased-looking.
Friday Squid Blogging: The Evolutionary Purpose of Pain
A new study shows that Doryteuthis pealei in pain -- or whatever passes for pain in that species -- has heightened sensory sensitivity and heightened reactions. News articles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Against the instrumental argument for surveillance
In my latest Guardian column, 'Cybersecurity' begins with integrity, not surveillance, I try to make sense of the argument against surveillance. Is mass surveillance bad because it doesn't catch "bad guys" or because it is immoral? There's a parallel to torture -- even if you can find places where torture would work to get you … [Read more]
Covered costs: $0. Your responsibility: $X billion.
You've probably seen this report: HealthCare.Gov Looks Like A Bargain Compared With State Exchanges. The Federal Healthcare Exchange was able to do the job much cheaper than the state-run exchanges. Ironically the states that benefitted the most were those that refused to participate and therefore were served by the Federal exchange. Personally I think that the insurance companies that got 8.1 million signups should be billed for the cost of those web sites. The bill should include a note saying, "Covered costs: $0. Your responsibility: $X billion." Hilarious, right? (I know, I know... don't quit your day job.) But we, as sysadmins, know the cost-saving power of centralized IT.
Retelling of Stories Increases Bias
Interesting experiment shows that the retelling of stories increases conflict and bias. For their study, which featured 196 undergraduates, the researchers created a narrative about a dispute between two groups of young people. It described four specific points of tension, but left purposely ambiguous the issue of which party was the aggressor, and "depicted the groups as equally blameworthy." Half...
2014 Locus Award finalists, including Homeland
The finalists for the 2014 Locus Awards have been announced and I'm incredibly honored to see that my novel Homeland made the final five in the Young Adult category. The competition in that category is remarkably good company: Zombie Baseball Beatdown by Paolo Bacigalupi; Holly Black's Coldest Girl in Coldtown, Cat Valente's The Girl Who … [Read more]
Correspondence Between the NSA and Google Leaked
Al Jazeera is reporting on leaked emails (not leaked by Snowden, but by someone else) detailing close ties between the NSA and Google. There are no smoking guns in the correspondence -- and the Al Jazeera article makes more of the e-mails than I think is there -- but it does show a closer relationship than either side has admitted...
Yellow Film Treatments
One of the nifty features of the Fujifilm X cameras is a set of filters that try to capture the color flavors of their famous film products from days of yore: Astia, Provia, Velvia, and so on. But this is for JPEGs and I shoot raw, so I'd pretty well ignored them. Recently, the filters got added to Adobe Lightroom, so I thought I'd try them out. [Disclosure: Back in the film days I shot Kodachrome, mostly.] Here's our subject, a graceful tulip in Vancouver's Queen Elizabeth Park. This rendition is what you get by default when Lightroom sucks in Fuji raw files, called Adobe Standard.
Fearing Google
Mathias Dopfner writes an open letter explaining why he fears Google: We know of no alternative which could offer even partially comparable technological prerequisites for the automated marketing of advertising. And we cannot afford to give up this source of revenue because we desperately need the money for technological investments in the future. Which is why other publishers are increasingly...
Indian Doctor: Easter egg or coincidence
We're watching the third episode of The Indian Doctor at the moment. One thing in the current episode jumped out at me: the registration of what I think is an Austin A30: Is that an Easter egg or coincidence?
ACM only downloads articles once.
Toshiba FlashAir: first impressions
Today I received the Toshiba FlashAir card that I ordered a while back, along with a manual (a single large sheet of paper with pages reduced in size by a factor of about 12). Fortunately I had already located the manuals page, so used that instead. And sure enough, it worked as well as can be expected with my Android tablet (signal strength: excellent; transfer rate: 1 MB/s). But that's not what I wanted to use it for. How about connecting it to a real computer? The problem there is that, like so many network adapters in the photography space, it behaves as an access point.
Fat JSON
Most server-side APIs these days are JSON-over-HTTP. Developers are generally comfy with this, but I notice when I look at the JSON that it's often, uh, what's the tactful term these days? Let's say generously proportioned. And I see clumsy code being written to walk through it. The options for dealing with this are interesting. For example I've been working with keybase.io recently; when you talk to their directory through their API, an entry is represented by a User Object, which is not exactly lightweight; here's part of one which may be retrieved here. { "status": { "code": 0, "name": "OK" }, "guest_id": "05a8fdd28c23a5d5dc2c2f588c3e7b08", "them": { "id": "922d9f5ffd96b34b9133483091738a00", "basics": { "username": "timbray", "ctime": 1395088335, "mtime": 1395088335, "id_version": 9, "track_version": 11, ...
Slides from LOPSA-East
I've uploaded my slides from "Top 5 Time Management Tips for SysAdmins" to SlideShare. They apply to developers too. Enjoy.
The Economics of Video Game Cheating
Interesting article on the business of selling enhancements that allow you to cheat in online video games....
More network mysteries
Why do I get protracted network outages after a power failure? There are many reasons, but finding it is easier if the NTD is on a UPS. Did that today, watched the bizarre LED sequences as it rebooted (the power light doesn't come on immediately, for example), and then saw: May 4 15:26:55 eureka kernel: xl0: link state changed to UP May 4 15:28:11 eureka dhclient: New IP Address (xl0): 180.150.4.134 May 4 15:28:11 eureka dhclient: New Subnet Mask (xl0): 255.255.255.0 May 4 15:28:11 eureka dhclient: New Broadcast Address (xl0): 180.150.4.255 May 4 15:28:11 eureka dhclient: New Routers (xl0): 180.150.4.1 May 4 15:28:12 eureka dhclient: New Routers (xl0): 180.150.4.1 That suggests that the boot time is 1 minute, 16 seconds, which seems to be about normal for a modern device with the processing power of ...
Tulip Aperture
Most photographers know about Bokeh. Herewith a couple of blossom renditions that I hope illuminate the subject, which is not that simple. The pictures are effectively identical, except that the first is F5.6, the second F1.4 (shutter speeds 1/250 and 1/2900 respectively). For those new to the subject, Bokeh is photo jargon for when everything in the picture is out of focus, except for the subject. Things that encourage it include using a wide aperture (when the F-stop number is, say, 2.8 or below), using a longer lens (although these shots show that 35mm is good enough), and having a larger sensor.
How to Talk to Your Children About Mass Surveillance
In my latest Locus column, How to Talk to Your Children About Mass Surveillance, I tell the story of how I explained the Snowden leaks to my six-year-old, and the surprising interest and comprehension she showed during our talk and afterwards. Kids, it seems, intuitively understand what it's like to be constantly monitored by unaccountable, … [Read more]
Reader Q&A: How can I prevent a type from being instantiated on the stack?
Anubhav asked: An interesting question has come up in our project while debating operator new as a class member function. Specifically, the question is about whether such a class should be allowed to be instantiated on stack. The understanding is that a class providing its own operator new would likely have special layout considerations which […]
Power and net failures
Another short power failure this morning at 3:42. Nothing unusual, but when I got into the office, I discovered that we had been off the net from then until 6:30. Why did that happen? Yes, I still don't have my NTD on a UPS, so the initial failure is understandable. But why so long? As (bad) luck would have it, I had the opportunity to compare in the evening, when the next failure occurred. This time we were off the net from 23:02 to 23:40, only 38 minutes. But even a slow reestablishment of the link should be complete in 5 minutes.
Security Farce
There were these headlines yesterday, for example in CNET, about a serious security flaw in OAuth & OpenID, with garish graphics claiming that Google and Facebook and Yahoo and, well, every other website you ever heard of was vulnerable. I've been digging a bit and I still don't know if there's a there there; at the moment, I think not. But I was left nauseated by the amateur-hour flavor of the reporting.
The Heartbleed Connection. Heartbleed turned up earlier this spring, it was serious and scary and easily demonstrable and easy to understand; it had a cool name and a snazzy Web site with an eye-grabbing logo, and boy, did it get the world's attention.
Pink and Blue
I have a new camera and it's spring. Which is to say, if you dislike botanical photos you should avert your eyes from this blog for the next little while. The (many) photogeeks among you can consider this sequence as in part a meditation on early-2014 issues in photography and inevitably, I suppose, an extended review of the Fujifilm X-T1. This one is remarkable in having had exactly zero postprocessing; I confess to routine fairly-heavy photomanipulation, in part just because I enjoy doing it. But these are the bits that came out of the camera, except that I cropped away some superfluous grass and sidewalk.
Friday Squid Blogging: How Flying Squid Fly
Someone has finally proven how: How do these squid go from swimming to flying? Four phases of flight are described in the research: launching, jetting, gliding and diving. While swimming, the squid open up their mantle and draw in water. Then these squid launch themselves into the air with a high-powered blast of the water from their bodies. Once launched...
Unusual Electronic Voting Machine Threat Model
Rats have destroyed dozens of electronic voting machines by eating the cables. It would have been a better story if the rats had zeroed out the machines after the votes had been cast but before they were counted, but it seems that they just ate the machines while they were in storage. The EVMs had been stored in a pre-designated...
iPad Photography
My Mom is visiting and I've been taking advantage of my unemployment to tour her around some of Vancouver's tourist spots. Where you find tourists, taking pictures. With everything from fancy high-end cameras to iPads. Yes, people do use tablets as cameras. But... only women. I have no explanation for the unsubtle gender bias. [Update: Over on Twitter, I got vigorous pushback on the gender bias; many report seeing lots of men do this. Vancouver thing? Also, a suggestion of age bias: Mostly older rather than younger people. [The world is complicated.]] And once you get over the shock of seeing people waving these things around, it starts to make sense: as in, What You See Is What You Get.
Tom @ LOPSA-East, New Brunswick, NJ, May 2-3, 2014
I'll be teaching tutorials. I'm also on the organizing committee. More info soon. Visit the conference site for details: http://lopsa-east.org
Analysis of the FBI's Failure to Stop the Boston Marathon Bombings
Detailed response and analysis of the inspectors general report on the Boston Marathon bombings: Two opposite mistakes in an after-the-fact review of a terrorist incident are equally damaging. One is to fail to recognize the powerful difference between foresight and hindsight in evaluating how an investigative or intelligence agency should have behaved. After the fact, we know on whom we...
Putin Requires Russian Bloggers to Register with the Government
This is not good news. Widely known as the "bloggers law," the new Russian measure specifies that any site with more than 3,000 visitors daily will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published. Besides registering, bloggers can no longer remain anonymous online, and organizations that provide platforms for...
Really Weird Keith Alexander Interview
Comedian John Oliver interviewed now-retired NSA director General Keith Alexander. It's truly weird....
On Piketty on Capital
Thomas Piketty's Capital in the Twenty-First Century may well be the most important economics book published this century; or maybe just the most important book. Its physical version is sold out. I just finished it, and while it's been reviewed to death (by Nobel-Prize winners, forsooth), I haven't heard any Net-head or software-geek voices. And there are angles there our tribe should pay attention to. What does it say? Oh gosh, read one of those other reviews. Better still, read the damn book already. Really. What... still want to know? Well, it addresses issues like How much wealth is there? and How is it distributed? and How has this trended over history? and Is the present like the past? Piketty introduces interesting metrics for the economy as a whole, for example r, the average rate of return on wealth (farmland, urban real-estate, financial instruments).
The Federal Reserve System's Cyberdefense Force
Interesting article on the cybersecurity branch of the Federal Reserve System....