Blog Archive: September 2015

Wed, 30 Sep 2015 17:02:23 UTC

Spoofing Fitness Trackers

Posted By Bruce Schneier

The website Unfitbits.com has a series of instructional videos on how to spoof fitness trackers, using such things as a metronome, pendulum, or power drill. With insurance companies like John Hancock offering discounts to people who allow them to verify their exercise program by opening up their fitness-tracker data, these are useful hacks. News article....

Wed, 30 Sep 2015 14:13:43 UTC

Volkswagen and Cheating Software

Posted By Bruce Schneier

For the past six years, Volkswagen has been cheating on the emissions testing for its diesel cars. The cars' computers were able to detect when they were being tested, and temporarily alter how their engines worked so they looked much cleaner than they actually were. When they weren't being tested, they belched out 40 times the pollutants. Their CEO has...

Wed, 30 Sep 2015 00:02:39 UTC

Processing ridiculous numbers of photos

Posted By Greg Lehey

How do you process 600 raw images taken in low light? Using DxO Optics Pro, the answer is undoubtedly slowly. At ISO ratings up to 36°/3,200, you need the slower PRIME processing. Until a month or two back it took 4 minutes for dischord to process a single image, or 15 per hour. At that rate, it would take 40 hours to process the 600. And that's without the manual work, notably cropping. Since then, though, we have a newer, somewhat faster version of DxO, and a newer, somewhat faster machine, and now it only takes about 1S minutes per image, or only about 13 hours.

Tue, 29 Sep 2015 23:49:53 UTC

Where did my space go?

Posted By Greg Lehey

Yvonne continues to take lots of photos, and I've been processing them generically while she goes and takes more. Today there were 425 shots, making a total since Saturday of 1,638. Doubtless she'll make the 2,000 mark by the time the clinic ends tomorrow. How much space does that take up? Looking at the 16 GB memory card, it looks like almost all of it:
    === grog@stable (/dev/pts/0) /eureka/home/grog 3 -> mdir -s a:
    ...
          425 files       5 539 585 350 bytes
                            376 274 944 bytes free
But wait.

Tue, 29 Sep 2015 19:00:00 UTC

Can't Make it to PuppetConf? Watch It Live!

Posted By Tom Limoncelli

I had an interesting conversation with Ryan Coleman, product manager at Puppet Labs. He gave me a preview of some of the things being announced soon and highlighted at PuppetConf next week. If you can't attend, you can livestream the conference for free. In particular, the keynote is on Thurs, Oct 8th at 9am PT (noon ET). How to livestream the entire conference is here: http://info.puppetlabs.com/PuppetConf2015LiveStream.html It isn't too late to grab a ticket and attend in-person! Enjoy!

Tue, 29 Sep 2015 11:16:14 UTC

How GCHQ Tracks Internet Users

Posted By Bruce Schneier

The Intercept has a new story from the Snowden documents about the UK's GCHQ's surveillance of the Internet: The mass surveillance operation -- code-named KARMA POLICE -- was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom's electronic eavesdropping...

Mon, 28 Sep 2015 15:00:00 UTC

Interview with Tom Limoncelli on InfoQ

Posted By Tom Limoncelli

infoq.com interviewed me for their website. We talk about DevOps, automation, and more. Interestingly enough, the person interviewing me was Barry Burd, a professor of mine 20 years ago. View it here: http://www.infoq.com/interviews/limoncelli-devops Enjoy!

Mon, 28 Sep 2015 13:00:00 UTC

The Startup Experience at AWS re:Invent

Posted By Werner Vogels

AWS re:Invent is just over one week away -- as I prepare to head to Vegas, I'm pumped up about the chance to interact with AWS-powered startups from around the world. One of my favorite parts of the week is being able to host three startup-focused sessions Thursday afternoon:
The Startup Scene in 2016: a Visionary Panel [Thursday, 2:45PM]
In this session, I'll moderate a diverse panel of technology experts who'll discuss emerging trends all startups should be aware of, including how local governments, microeconomic trends, evolving accelerator programs, and the AWS cloud are influencing the global startup scene. This panel will include:
Tracy DiNunzio, Founder & CEO, Tradesy
Michael DeAngelo, Deputy CIO, State of Washington
Ben Whaley, Founder & Principal Consultant, WhaleTech LLC
Jason Seats, Managing Director (Austin), & Partner, Techstars
CTO-to-CTO Fireside Chat [Thursday, 4:15 PM]
This is one of my favorite sessions as I get a chance ...

Mon, 28 Sep 2015 11:22:19 UTC

Good Article on the Sony Attack

Posted By Bruce Schneier

Fortune has a three-part article on the Sony attack by North Korea. There's not a lot of tech here; it's mostly about Sony's internal politics regarding the movie and IT security before the attack, and some about their reaction afterwards. Despite what I wrote at the time, I now believe that North Korea was responsible for the attack. This is...

Mon, 28 Sep 2015 00:09:53 UTC

YouTube lost

Posted By Greg Lehey

I took a few short video clips of the Borzoi family reunion on Friday, but didn't get round to uploading them to YouTube until today. And suddenly all my old videos were gone! It seems that, without telling me, YouTube has changed my name. I logged in via my Google account, and should have had the nick grOOgle, but instead it logged me with my own name. That in itself is not a big deal, but it means I can no longer modify my old videos.

Sun, 27 Sep 2015 23:47:38 UTC

YouTube regained

Posted By Greg Lehey

The main reason for the computer rearrangement was so that Yvonne could watch YouTube again. Tried it. Didn't work. But I had played around with this YouTube flash plugin. How do I disable it? It seems that about:addons (care, one :, not two) takes you to the Add-ons manager. I've never seen that before. From there you select Plugins and you have the opportunity to activate or deactivate the plugins. Why not just go straight to about::plugins? That's a purely informative view, and you can't change anything there. After deactivating the YouTube flash plugin, I was able to view YouTube with normal HTML5.

Sun, 27 Sep 2015 23:00:48 UTC

Three days of despair

Posted By Greg Lehey

There were still a few things I needed to complete the basic installation on despair, notably printer and scanner. As warned in the HOWTO, Microsoft fails on both counts. Installing the scanner was interesting. After downloading the driver, I got this meaningless message: How can I know what this is? Only because there's only the one possibility. But in fact it turned out to be wrong. After installation, the system complained that the driver still wasn't installed.

Sun, 27 Sep 2015 15:51:33 UTC

My talk at CppCon

Posted By Herb Sutter

My talk at CppCon is now available online: “Writing Good C++14… By Default” (slides)  It’s about type and memory safety for C++ — not a small target. Definitely watch Bjarne’s keynote first. This talk is largely designed to be “part 2” of his keynote. I’m very excited about the C++ Core Guidelines to promote modern C++14 style […]

Sat, 26 Sep 2015 23:34:57 UTC

More despair

Posted By Greg Lehey

Yesterday's installation of despair went relatively smoothly, at least partially because I don't run many programs on it. But how do I copy the configurations, notably of DxO Optics Pro? I've had pain with that in the past, and I didn't want to go through it all over again. More investigation: apart from the Presets that I looked at last year, there are also Modules, descriptions of corrections for camera/lens pairs, and Workspaces, the contents of which aren't quite clear, so I tarred up the entire directory /Users/grog/AppData/Local/DxO_Labs/DxO OpticsPro 10 on dischord and copied those directories to despair. That was almost enough: there's also a file user.config in a directory with a name like Users/grog/AppData/Local/DxO_Labs/DXOOpticsPro.exe_StrongName_ukk25szwn2bgpjt3ra3fcszlyidqqavr/10.4.3.739, which suggests security through obscurity.

Sat, 26 Sep 2015 00:02:23 UTC

Chrome revisited

Posted By Greg Lehey

Comment from Peter Jeremy today: it is possible to get chromium to play nice with X window managers. My experiments yesterday omitted an important, undocumented detail: the settings won't completely take hold until you restart the browser. And then, yes, there's a normal window frame. In passing it's interesting to note that so many Microsoft-space windows don't have a title. You have to guess what they are based on other characteristics. And so many have their own decorations. Does that come from a time when Microsoft didn't provide window manager functionality? All in all, I'm amazed how primitive the windowing environment appears.

Fri, 25 Sep 2015 22:56:03 UTC

Confronting despair

Posted By Greg Lehey

As expected, the new computer arrived today, so in to Napoleons to pick it up. It's pretty much exactly what I expected, and looks very similar to swamp: That's despair on top. Inside the box, though, the difference in age is clear more by the specs than the appearance. Both boxen can be taken apart to a great extent without tools, though I have the feeling that the new one is flimsier.

Fri, 25 Sep 2015 21:30:16 UTC

Friday Squid Blogging: Disney's Minigame Squid Wars

Posted By Bruce Schneier

It looks like a Nintendo game. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Sep 2015 19:23:08 UTC

Anti-Alien Security

Posted By Bruce Schneier

You can wrap your house in tinfoil, but when you start shining bright lights to defend yourself against alien attack, you've gone too far. In general, society puts limits on what types of security you are allowed to use, especially when that use can affect others. You can't place landmines on your lawn or shoot down drones hovering over your...

Fri, 25 Sep 2015 10:54:39 UTC

People Who Need to Pee Are Better at Lying

Posted By Bruce Schneier

No, really. Abstract: The Inhibitory-Spillover-Effect (ISE) on a deception task was investigated. The ISE occurs when performance in one self-control task facilitates performance in another (simultaneously conducted) self-control task. Deceiving requires increased access to inhibitory control. We hypothesized that inducing liars to control urination urgency (physical inhibition) would facilitate control during deceptive interviews (cognitive inhibition). Participants drank small (low-control) or...

Thu, 24 Sep 2015 23:50:23 UTC

Still more browser stuff

Posted By Greg Lehey

In principle, I've done what investigation I can of web browsers, but there are still a few things to follow up. Message from Rodolfo Gouveia pointing out that chromium has a settings option Use system title bar and borders. OK, ignoring the fact that it's confusing system with window manager, let's try it: And how about that, most of chromium's own decorations go away. Here's before and after: But it doesn't deliver.

Thu, 24 Sep 2015 16:39:06 UTC

Living in a Code Yellow World

Posted By Bruce Schneier

In the 1980s, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mind-set." Here is his summary: In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept. In Yellow you bring yourself to the understanding...

Thu, 24 Sep 2015 15:00:00 UTC

Homework for the weekend: Making Push on Green a Reality

Posted By Tom Limoncelli

Next week's "LISA Conversations" podcast will be a discussion about the LISA '14 talk "Making Push on Green a Reality". We'll be interviewing the presenter, Daniel V. Klein, about the talk and what he has to say about it nearly a year later. "Push On Green" means automatically pushing code to production with no human gates. If all the tests pass, the new code is pushed to production automatically. This enables Google to push code more frequently and with higher confidence than (for example) monthly or weekly code pushes. Watch the video from LISA '14 and get ready to watch us record the podcast live on September 29, 2015, at 3:30pm PDT.

Thu, 24 Sep 2015 14:13:00 UTC

Forge Diaries: Ep. 6.5: Update on Wolf's Tooth Patterns

Posted By Niels Provos

Thu, 24 Sep 2015 01:18:38 UTC

Browser woes continued

Posted By Greg Lehey

I established a number of things about my browser issues yesterday, few of them pleasant. But there's another angle: until recently, there was no problem playing YouTube videos on this box. What has changed? I had noticed that we were no longer running npviewer.bin and guessed that it was displaying the clips with HTML5. Is that right? Is there a way to change it? Went searching and found this YouTube video, which I was able to view on eureka: It pointed me at a special plugin to use flash for YouTube (doesn't that say something about compatibility?)

Thu, 24 Sep 2015 00:10:26 UTC

Despair

Posted By Greg Lehey

As planned yesterday, got round to ordering a new machine for photo processing today. There are a lot of machines on eBay with similar specifications: Intel Core 2 processor, 4 GB memory, enough disk for it not to be an issue. But how fast are the processors? Compared a number of items and found:
    Item           Processor           CPUMark   Memory   Price
    171852222019   Core 2 Quad Q9400 ...

Wed, 23 Sep 2015 15:03:48 UTC

How to save online advertising

Posted By Cory Doctorow

My latest Guardian column, How to save online advertising, looks at the writing on the wall for ad-blockers and ad-supported publishing, and suggests one way to keep ads viable. The mistrust between advertisers and publishers has given rise to a fourth entity in this ecosystem: ad counters. These are companies that generously offer to independently...

Wed, 23 Sep 2015 11:05:49 UTC

Hacking the Game Show "Press Your Luck"

Posted By Bruce Schneier

Fascinating story about a man who figured out how to hack the game show "Press Your Luck" in 1984....

Tue, 22 Sep 2015 23:25:59 UTC

Browser agony

Posted By Greg Lehey

Mail from Didier Legrand today, pointing me at this article on the FreeBSD forums. But it wasn't easy to look at: What's that? Went looking everywhere before I discovered that the problem was specific to this instance of firefox. chromium and other versions of firefox didn't have that problem, even though they all go through the same proxy. Another bug, it would seem, but this time with an old version. The article discussed firefox performance problems at length, and some people traced it to a compilation issue with audio/alsa-plugins.

Tue, 22 Sep 2015 18:34:56 UTC

Buying an Online Reputation

Posted By Bruce Schneier

The story of a reporter who set up a fake business and then bought Facebook fans, Twitter followers, and online reviews. It was surprisingly easy and cheap....

Tue, 22 Sep 2015 18:22:17 UTC

Bringing Frozen Liquids through Airport Security

Posted By Bruce Schneier

Gizmodo reports that UK airport security confiscates frozen liquids: "He told me that it wasn't allowed so I asked under what grounds, given it is not a liquid. When he said I couldn't take it I asked if he knew that for sure or just assumed. He grabbed his supervisor and the supervisor told me that 'the government does not...

Tue, 22 Sep 2015 00:26:06 UTC

Microsoft backup fail

Posted By Greg Lehey

I do a backup of dischord, my Microsoft box, every Sunday evening. Well, almost: I suppose that backups don't fit into the Microsoft mentality, but that is really bare-bones. Even the 32 bit hex error number (didn't they go out round 40 years ago?), which you only get if you click show details, doesn't help. This page suggests it's due to misconfigured system files. If that's the case, why doesn't it say so? But searching for microsoft error code 0x8007013D brings only discussions, nothing at all from microsoft.com.

Mon, 21 Sep 2015 16:45:09 UTC

SYNful Knock Attack Against Cisco Routers

Posted By Bruce Schneier

FireEye is reporting the discovery of persistent malware that compromises Cisco routers: While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India. [...] The implant uses techniques that make it...

Mon, 21 Sep 2015 11:34:46 UTC

History of Hacktivism

Posted By Bruce Schneier

Nice article by Dorothy Denning. Hacktivism emerged in the late 1980s at a time when hacking for fun and profit were becoming noticeable threats. Initially it took the form of computer viruses and worms that spread messages of protest. A good example of early hacktivism is "Worms Against Nuclear Killers (WANK)," a computer worm that anti-nuclear activists in Australia unleashed...

Mon, 21 Sep 2015 00:36:07 UTC

TV Alerts

Posted By Tom Limoncelli

Monday, Sept 21: Big Bang Theory (new season!) Tuesday, Sept 21: The Muppets (new show! OMG! OMG!) YOU'RE WELCOME!!! (the links point to Tivo's page to set up 1-step recording for that series)

Mon, 21 Sep 2015 00:28:56 UTC

Guess your nationality, Facebook style

Posted By Greg Lehey

Somebody posted this URL on Facebook today. 15 questions or so, mainly technical or historical, and all very easy. Two of them were obviously US-centric: when the declaration of independence was signed (which declaration of independence?), and in which hand the Statue of Liberty holds her torch. That was the only one I couldn't answer off the top of my head, and I assume that I got all the answers right. The result? Why Japanese? None of the other questions showed any national bias at all. And the original poster thought that the questionnaire itself came from Sweden. But then it wouldn't take for granted that some things are US American.

Mon, 21 Sep 2015 00:23:04 UTC

Browser pain revisited

Posted By Greg Lehey

Now that I have X running on stable, I can compare browser performance. Went to the same YouTube video that caused lagoon to hang. It didn't hang. But it used an inordinate amount of CPU time:
      PID USERNAME      THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
     2361 grog           64  20    0   829M   355M uwait   0  10:16 150.00% firefox
     2323 root            1   4    0   131M 51104K RUN     1   1:10  13.87% Xorg
And it stayed there, bouncing a bit between 120% and 150% CPU.

Sun, 20 Sep 2015 23:41:00 UTC

pkg: not there yet

Posted By Greg Lehey

While getting X running on stable, discovered that xearth wasn't installed. OK, that's trivial:
    === root@stable (/dev/pts/0) /etc/X11 14 -> pkg install xearth
    ...
    New packages to be INSTALLED:
            xearth: 1.2
            jpeg-turbo: 1.4.1
    Installed packages to be UPGRADED:
            wx28-gtk2: 2.8.12_5 -> 2.8.12_6
    Proceed with this action? [y/N]: y
    Fetching xearth-1.2.txz: 100%  111 KiB 113.5kB/s    00:01
    Fetching jpeg-turbo-1.4.1.txz: 100%  270 KiB 276.5kB/s    00:01
    Fetching wx28-gtk2-2.8.12_6.txz: 100%    2 MiB 312.8kB/s    00:07
    Conflicts with the existing packages have been found.
    The following 5 package(s) will be affected (of 0 checked):
    Installed packages to be REMOVED:
            gnuplot-4.6.6_1
            hugin-2013.0.0_6
            audacity-2.1.0_4
            xchm-1.23_2
    New packages to be INSTALLED:
            xearth: 1.2
    Proceed with this action?

Sun, 20 Sep 2015 23:33:51 UTC

X on stable

Posted By Greg Lehey

Why couldn't I run X on stable? In principle X should now start without any configuration file at all. Removed the badly designed configuration file, and there was no change: I had an old /etc/xorg.conf, and coincidentally it contained a 2 head configuration. Removed that, and X started with no problems. Did X -config get confused by it? Unfortunately, the problems aren't over. Switching to a different virtual terminal freezes the display. But at least I now have a way to compare the browser problems on lagoon. ACM only downloads articles once.

Sun, 20 Sep 2015 23:26:55 UTC

Understanding PHP error messages

Posted By Greg Lehey

The source of this diary includes a liberal spreading of PHP calls, like this present one:
      <?php pubdate ("2015-09-20T23:26:55+00:00"); ?>
      <?php texttopic ("co", "Understanding PHP error messages"); ?>
      <p>
        The source of this diary includes a liberal spreading of <?php href ("http://www.php.net/",
        "PHP"); ?> calls, like this present one:
      </p>
      <?php endtopic (); ?>
So it's clear that there's a good possibility of getting errors, and the parser is always good for cryptic messages unrelated to the user's view of the syntax.

Sun, 20 Sep 2015 23:12:24 UTC

Revisiting OI.Share

Posted By Greg Lehey

Yesterday's selfies were greatly hampered by the lack of viewfinder. But there's a solution to that: use a smart phone or tablet and OI.Share. Tried that again today. What a pain these Android devices are! Tried to connect to the camera, and it failed. Why? It's far too sensitive of my feelings to upset me with the truth, so it said nothing. But the camera has been repaired since the last time I used it, so it seems reasonable to guess that the password has changed. How do you update the stored password? After 15 minutes messing around with the damn thing, I still couldn't find a way.

Sun, 20 Sep 2015 02:26:14 UTC

Configuring X

Posted By Greg Lehey

Another alternative for Yvonne is to give her stable, the machine that I use for software upgrades. But I've never run X on it: I just access it from eureka. Ran X -config and tried to run the resultant configuration file. It crashed. Further examination showed that it didn't recognize the (Intel) chip set, and it created a multi-headed configuration for a single-head chip and a single monitor. People, I've really been running X for over a quarter of a century, since April 1990. When I started using BSD not quite 24 years ago, I had some difficulties, which in those days didn't surprise me.

Sun, 20 Sep 2015 02:02:45 UTC

No Youtube!

Posted By Greg Lehey

Yvonne recently told me that she can no longer view YouTube on her machine. And it's been like that for a while, so I don't even know what could have caused it. Checked and confirmed that it didn't work. firefox started off using 400% CPU (quite a feat on a single processor machine), and apparently the system didn't have enough power to run it. Now I've seen this before, but it ran until recently. There was some talk on IRC a while back about firefox problems, but I was able to repeat the problem with chromium and Opera. Problems with npviewer.bin?

Sat, 19 Sep 2015 19:00:00 UTC

Bad Tory Craziness

Posted By Tim Bray

We're having an election, one that's more entertaining than usual, and while our politics in Canada are in general a little saner than our southern neighbors' (and our elections mercifully shorter), we shouldn't get too smug; here's the evidence. This turd showed up on my doorstep, apparently an effort to convince me to vote for the Conservative (Tory, we say) candidate. That is, the candidate of the currently-governing party; which apparently thinks that the citizens of central Vancouver are frightened of hypothetical local jihadis, and approve of us joining other rich countries in dropping bombs on the Middle East. Notice the local candidate's name?

Sat, 19 Sep 2015 19:00:00 UTC

Money and Ads on the Web

Posted By Tim Bray

My goodness, the iOS-9 ad-blocker tech is rattling cages all over the Internet. Herewith some links, including a couple you likely haven't seen, and one to a possible solution to the problem, from Google.
Eric Meyer: Content Blocking Primer. From which: ...the entire industry is being given a do-over here. Not the ad industry; the web industry.
Charlie Stross: A question about the future of the world wide web. From which: ...it looks like the current state of the ad-funded web is a death-spiral and a race to the bottom.
Marco Arment: Just doesn't feel good. From which: Ad-blocking is a kind of war -- a first-world, low-stakes, both-sides-are-fortunate-to-have-this-kind-of-problem war, but a war nonetheless, with damage hitting both sides. I'm particularly impressed by Marco's action, because his app has instantly been replaced by lots of others.

Fri, 18 Sep 2015 22:47:58 UTC

Friday Squid Blogging; Giant Squid Sculpture at Burning Man

Posted By Bruce Schneier

It looks impressive, maybe 20-30 feet long: "I think this might be the coolest thing I have ever built," said Barry Crawford about his giant, metal squid that was installed at Burning Man. The sculpture is entirely made of found objects including half of a dropped airplane tank and a metal vegetable strainer. The eyeball opens and closes and the...

Fri, 18 Sep 2015 18:32:40 UTC

Drone Speedboat

Posted By Bruce Schneier

It's a thing....

Fri, 18 Sep 2015 10:20:14 UTC

Smart Watch that Monitors Typing

Posted By Bruce Schneier

Here's a watch that monitors the movements of your hand and can guess what you're typing. Using the watch's built-in motion sensors, more specifically data from the accelerometer and gyroscope, researchers were able to create a 3D map of the user's hand movements while typing on a keyboard. The researchers then created two algorithms, one for detecting what keys were...

Fri, 18 Sep 2015 01:02:06 UTC

Blast from the past

Posted By Greg Lehey

Round 20 years ago, Microsoft discovered the Internet and embarked on a campaign to bend it to its own ideas. One of the innovations was the graphical mailer, preferably in HTML. We were young and foolish in those days and thought that we could teach people the errors of their ways. Thus I wrote a number of pages explaining to people how to configure and use their MUAs. They're completely out of date now, but I've left them there for historical interest. And today I got an error message: missing image in http://www.lemis.com/email/fixing-communicator.html (written in February 2000 by Wes Peters). I've fixed that, but reading the old documentation shows me how little has changed: just the names of the products.

Thu, 17 Sep 2015 20:30:00 UTC

Next LISA Conversations guest: Daniel V. Klein

Posted By Tom Limoncelli

We'll be recording Episode 3 of Usenix LISA Conversations on Tuesday, September 29, 2015. Our next conversation will be with Daniel V. Klein who presented "Making Push on Green a Reality" at LISA14. Watch his talk beforehand, and then join us at 3:30 pm PDT/6:30 pm EDT on Tuesday, September 29, 2015, at the Google Hangout On Air. We'll discuss the talk and what he's been doing since. If you miss the live session, you can view the recording on the USENIX YouTube channel. This month's hosts will be Lee Damon and Tom Limoncelli (me!).

Thu, 17 Sep 2015 17:56:02 UTC

Two Security Companies Battling It Out over Disclosures

Posted By Bruce Schneier

Okay, this is weird. FireEye has gone to court to prevent ERNW from disclosing vulnerabilities in FireEye products. FireEye should know better. Here's FireEye's statement, BTW....

Thu, 17 Sep 2015 12:17:56 UTC

Self-Destructing Computer Chip

Posted By Bruce Schneier

The chip is built on glass: Shattering the glass is straightforward. When the proper circuit is toggled, a small resistor within the substrate heats up until the glass shatters. According to Corning, it will continue shattering even after the initial break, rendering the entire chip unusable. The demo chip resistor was triggered by a photo diode that switched the circuit...

Thu, 17 Sep 2015 00:20:25 UTC

Measuring air speeds

Posted By Greg Lehey

I still have a number of issues with JG King, including the extremely poor throughput of the range hood. The service people didn't even try to measure the throughput: they only checked whether it could hold A4 paper against the filter (result: 1 out of 3 filters managed it, and that was good enough for them). At the beginning of last month I ordered an anemometer on eBay, and it didn't arrive until yesterday evening. OK, let's measure the throughput. As discussed last month, the air flow through the air conditioner filter should be 2.5 m/s. Clearly it won't be even across the whole surface, so I divided each panel into 9 sections and measured the throughput at the centre of each section.

Wed, 16 Sep 2015 18:40:57 UTC

Anonymous Browsing at the Library

Posted By Bruce Schneier

A rural New Hampshire library decided to install Tor on their computers and allow anonymous Internet browsing. The Department of Homeland pressured them to stop: A special agent in a Boston DHS office forwarded the article to the New Hampshire police, who forwarded it to a sergeant at the Lebanon Police Department. DHS spokesman Shawn Neudauer said the agent was...

Wed, 16 Sep 2015 15:09:52 UTC

Child Arrested Because Adults Are Stupid

Posted By Bruce Schneier

A Texas 9th-grader makes an electronic clock and brings it to school. Teachers immediately become stupid and call the police: The bell rang at least twice, he said, while the officers searched his belongings and questioned his intentions. The principal threatened to expel him if he didn't make a written statement, he said. "They were like, 'So you tried to...

Wed, 16 Sep 2015 11:05:34 UTC

Obama and the Security of the Waldorf Astoria Hotel

Posted By Bruce Schneier

President Obama won't stay at the Waldorf Astoria Hotel in New York because of security concerns. The hotel "was bought last year by Chinese investors with deep ties to Beijing's ruling elite..." Why can't they just erect the security tent for him?...

Tue, 15 Sep 2015 11:38:01 UTC

Hacking Team, Computer Vulnerabilities, and the NSA

Posted By Bruce Schneier

When the National Security Administration (NSA) -- or any government agency -- discovers a vulnerability in a popular computer system, should it disclose it or not? The debate exists because vulnerabilities have both offensive and defensive uses. Offensively, vulnerabilities can be exploited to penetrate others' computers and networks, either for espionage or destructive purposes. Defensively, publicly revealing security flaws can...

Tue, 15 Sep 2015 00:46:20 UTC

DxO memory leak?

Posted By Greg Lehey

DxO Optics Pro seems to get slower the longer you use it. I don't really understand Microsoft, but at least the Windows Task Manager produces some useful output. Today I took a look at memory usage: This starts when DxO was running but idle, and system memory use was round 6 GB. I stopped it (big step downwards, to about 3 GB), and then restarted it and allowed it to become idle again (4.4 GB). So has it really leaked 1.6 GB of memory?

Mon, 14 Sep 2015 20:56:28 UTC

Security Cartoon

Posted By Bruce Schneier

"Security vs. privacy."...

Mon, 14 Sep 2015 11:26:13 UTC

Programming Errors Weaken bcrypt Hashes of Ashley Madison Passwords

Posted By Bruce Schneier

Ashley Madison encrypted users' passwords using the bcrypt function. It's a secure password-encryption function, but two implementation programming mistakes allow millions of passwords to be easily decrypted. Ars Technica explains the problems....

Sun, 13 Sep 2015 16:12:12 UTC

Mr. DeMille, I'm ready for my close-up

Posted By Tom Limoncelli

After listening to Jon Taffer's interview on The Nerdist Podcast about "Bar Rescue", I'm convinced that I should do a TV show called "IT Rescue" where we visit an IT department that is failing hard and set them up for success. Hollywood... call me!

Sun, 13 Sep 2015 01:02:38 UTC

Anatomy of a snipe

Posted By Greg Lehey

I'm looking for a new lens for Yvonne again. The standard 14-42 mm lens on her Olympus E-PM2 makes the camera too big to fit into a jacket pocket. I had previously rejected the M.ZUIKO DIGITAL ED 14-42mm f3.5-5.6 EZ because it had electric zoom. Instead, in succession I bought a 15 mm body cap lens with particularly bad optical properties, and later a M.Zuiko Digital 17mm F2.8 Pancake lens. They're both much smaller, but the 17 mm is of course not a zoom, and it still has the issue of the particularly fiddly lens cap. The 14-42 EZ comes with an optional automatic lens cap.

Sat, 12 Sep 2015 21:37:14 UTC

My novel Utopia will hit shelves in 2017

Posted By Cory Doctorow

My biggest (and, IMO, best) adult novel has just sold to Tor for a very pleasing sum of money; it will hit shelves in 2017. Here’s my editor in Publishers Weekly: The novel, which marks Doctorow’s first solo adult fiction effort since 2009’s Makers, is set in the latter part of this century; Hayden described... more

Sat, 12 Sep 2015 17:30:00 UTC

New reviews of The Practice of Cloud System Administration

Posted By Tom Limoncelli

I hadn't realized that Google Play permits book reviews. Strata, Christine and I are very pleased to read these: Ivan Dimitrov wrote: Simply the best book for system administrators and their managers. Packed with great stuff from first page to the last. If you have to read one chapter - it's the Appendix A :) Adrian Colley wrote: This book covers about 85% of what any programmer needs to know to be a fully competent Google Site Reliability Engineer. It's written like a textbook for a training course, but it serves well as a reference text.

Fri, 11 Sep 2015 21:13:33 UTC

Friday Squid Blogging: The Chemistry of Squid Camouflage

Posted By Bruce Schneier

Interesting research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Sep 2015 19:08:29 UTC

Wanted: Cryptography Products for Worldwide Survey

Posted By Bruce Schneier

In 1999, Lance Hoffman, David Balenson, and others published a survey of non-US cryptographic products. The point of the survey was to illustrate that there was a robust international market in these products, and that US-only export restrictions on strong encryption did nothing to prevent its adoption and everything to disadvantage US corporations. This was an important contribution during the...

Fri, 11 Sep 2015 11:45:48 UTC

Drone Self-Defense and the Law

Posted By Bruce Schneier

Last month, a Kentucky man shot down a drone that was hovering near his backyard. WDRB News reported that the camera drone's owners soon showed up at the home of the shooter, William H. Merideth: "Four guys came over to confront me about it, and I happened to be armed, so that changed their minds," Merideth said. "They asked me,...

Thu, 10 Sep 2015 17:30:55 UTC

Cheating News from the Chess World

Posted By Bruce Schneier

Chess player caught cheating at a tournament: I kept on looking at him. He was always sitting down, he never got up. It was very strange; we are talking about hours and hours of playing. But most suspicious of all, he always had his arms folded with his thumb under his armpit. He never took it out." Mr Coqueraut said...

Thu, 10 Sep 2015 11:00:50 UTC

FBI and Apple's Encryption

Posted By Bruce Schneier

The New York Times is reporting that Apple encryption is hampering an FBI investigation: In an investigation involving guns and drugs, the Justice Department obtained a court order this summer demanding that Apple turn over, in real time, text messages between suspects using iPhones. Apple's response: Its iMessage system was encrypted and the company could not comply. Government officials had...

Wed, 09 Sep 2015 18:30:48 UTC

Animals vs. Drones

Posted By Bruce Schneier

It's not just humans who dislike the small flying objects. YouTube has videos of drones being stared at quizzically by a moose, harassed by a raven, attacked by a hawk, butted by a ram, knocked out of the sky by a chimpanzee (who planned the whole thing) and a goose, and punched out of the sky by a kangaroo. And...

Wed, 09 Sep 2015 18:02:02 UTC

NYC to-do: Art, Design, and The Future of Privacy, Sept 17

Posted By Cory Doctorow

A night of talks and conversations about privacy and tech, centered on humane design and user-experience — I’m speaking there! There’s a really full roster of hackers, cryptographers, designers, writers, architects, critical theorists, sociologists and others appearing. The event’s at 1930h at Brooklyn’s Pioneer Works, and it’s free! Join artists, cryptographers, critical theorists, architects, designers,... more

Wed, 09 Sep 2015 17:44:08 UTC

Dear Internet of Things: human beings are not things

Posted By Cory Doctorow

My new Locus column is What If People Were Sensors, Not Things to be Sensed? The column’s argument is that the Facebook model for the IoT is a nightmare: your devices are emissaries of distant corporations that gather data on you and decide what information to derive from it and to feed back to you.... more

Wed, 09 Sep 2015 13:42:19 UTC

The Security Risks of Third-Party Data

Posted By Bruce Schneier

Most of us get to be thoroughly relieved that our e-mails weren't in the Ashley Madison database. But don't get too comfortable. Whatever secrets you have, even the ones you don't think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there's largely nothing you can do about it....

Wed, 09 Sep 2015 00:58:23 UTC

iTunes again?

Posted By Greg Lehey

My investigations of CD databases established what I knew years ago: the CDDB database format is poorly adapted to classical music. But I can't access Gracenote because it's commercial. On the other hand, programs like iTunes do have access, and I have an old, mouldy Apple PowerMac G4 lying around, and it has iTunes, of course. Spent some time connecting it up -- it seems it's been about 9 months since it was last powered on -- and rediscovered some of the nice, intuitive Apple features that I had happily forgotten. The display driver seems to ignore EDID, and the highest resolution I could get out of it was 1280×1024 -- this on a 1920×1080 display, so the aspect ratio was terrible.

Wed, 09 Sep 2015 00:13:35 UTC

Little Brother optioned by Paramount

Posted By Cory Doctorow

My bestselling 2008 YA novel Little Brother has been optioned by Paramount, with Don Murphy (Natural Born Killers, Transformers) as the producer. Suffice it to say, I’m pretty excited about this. The rights to the Orwellian-themed novel were picked up by Angry Films in 2010, with Don Murphy now bringing the property to Paramount.... more

Tue, 08 Sep 2015 13:00:00 UTC

The AWS Pop-up Lofts are opening in London and Berlin

Posted By Werner Vogels

Amazon Web Services (AWS) has been working closely with the startup community in London, and Europe, since we launched back in 2006. We have grown substantially in that time and today more than two thirds of the UK's startups with valuations of over a billion dollars, including Skyscanner, JustEat, Powa, Fanduel and Shazam, are all leveraging our platform to deliver innovative services to customers around the world. This week I will have the pleasure of meeting up with our startup customers to celebrate the opening of the first of the AWS Pop-up Lofts to open outside of the US in one of the greatest cities in the World, London.

Tue, 08 Sep 2015 00:21:14 UTC

Updating ports, a year later

Posted By Greg Lehey

FreeBSD's new pkg facility has gradually settled down, and I can keep my ports up to date with minimum impact. But today we had a different issue: Chris Bahlo wanted to install sudo on www.lemis.com. Why? Real BSD users don't use sudo. But it's trivial to install: pkg install sudo. Well, that's what I thought. The ports on www date back to January 2014. It first wanted to modify 116 packages, including removing Emacs and Apache -- and not reinstalling them! Exactly what you want for a web server machine. OK, let's upgrade the Ports Tree. How do you do that? With subversion, of course. Not installed.

Mon, 07 Sep 2015 23:15:20 UTC

More ripping fun

Posted By Greg Lehey

Ripping CDs with ripperX is relatively straightforward. There are two main issues, one serious, the other less so. The less serious one is that handling is less than completely smooth: CDs aren't recognized immediately, and I still need to tell it to look up the tracks (two mouse clicks). And when the CD is finished, it doesn't eject automatically. grip can do all that -- if it works at all. Tried building it from the ports collection. Bingo! It worked -- sort of. For some reason, after recognizing a CD, the display cycled continuously through all tracks. It didn't stop it working, but it was irritating.

Mon, 07 Sep 2015 15:00:00 UTC

Reorganizing a wiki or documentation system

Posted By Tom Limoncelli

Someone wrote to me recently asking for advice about how to re-organize his company's documentation stash. Basically they had a directory on a fileserver that had become a free-for-all, collect everything, "cosmic abyss" (his words). Tons of documents. No organizations. Most of it out-of-date or of unknown quality. Did I have any advice that didn't involve complex document control philosophy and best practices? Sure! Here's a strategy I've used at 2 different organizations. It is very simple and low-overhead: Find a way to mark all old docs as "old", then find a way to review docs and mark them as "reviewed".

Sun, 06 Sep 2015 23:08:01 UTC

Ripping CDs, revisited

Posted By Greg Lehey

Some years ago I played with copying my CDs to disk for easier access. The results were not encouraging. My first attempts were with iTunes, and they drove me to distraction. It wasn't all iTunes' fault: the CD database (in this case Gracenote) made it almost impossible to understand the output. Later I tried grip, though the only mention of it in my diary was of failure. Tried it again today. It couldn't find the CD device, because my config file contained /dev/acd0 instead of /dev/cd0. OK, fix that. But it didn't seem to care. On the other hand, it offers a whole lot of configuration tabs in its interface -- but not a way to save the configuration!

Sun, 06 Sep 2015 19:00:00 UTC

Girls and Axes

Posted By Tim Bray

I'm talking about Rock-&-Roll as sung by charismatic young women accompanied by proficient electric guitar. I dunno if it's a trend or anything, but I'm hearing a lot of it and I sure like it. Some of the artists are wolves. Sidebar: Men's voices? A dozen years ago I was asking Why does everybody sound like Eddie Vedder? and while I don't terribly miss those days, I notice that at this point in this century all the interesting voices are women's, and I wonder when we'll have some Y-chromosome voices behind the microphones I like to listen to. Chelsea Wolfe Wow, it's a couple of years since I ran across Unknown Rooms, which you can get at Amazon but I didn't, I got the full-rez bits at BandCamp and you probably should too; unless you burn for the vinyl, which you can get from her own site.

Sun, 06 Sep 2015 00:12:59 UTC

Fixing the RSS feed

Posted By Greg Lehey

More information from Rodolfo Gouveia today, mail forwarded from the developer of his RSS reading app. When reading an RSS feed with a smart phone, there's a question of storage usage, which is why his app stops after 30 items. That got me thinking: my strategy is to assume that some people will only read my diary infrequently, so just feeding the last two days could result in items getting lost. Instead, my feed comes from the monthly diary, and for good measure it includes the last week of the previous month. That can result in files of over 100 kB in size.

Thu, 03 Sep 2015 18:00:00 UTC

CfP: USENIX Container Management Summit (UCMS '15)

Posted By Tom Limoncelli

The 2015 USENIX Container Management Summit (UCMS '15) will take place November 9, 2015, during LISA15 in Washington, D.C. Important Dates Submissions due: September 5, 2015, 11:59 p.m. PDT Notification to participants: September 19, 2015 Program announced: Late September 2015 (quoting the press release): UCMS '15 is looking for relevant and engaging speakers and workshop facilitators for our event on November 9, 2015, in Washington, D.C. UCMS brings together people from all areas of containerization--system administrators, developers, managers, and others--to identify and help the community learn how to effectively use containers. Submissions Proposals may be 45- or 90-minute formal presentations, panel discussions, or open workshops.

Thu, 03 Sep 2015 04:59:31 UTC

CfP: USENIX Release Engineering Summit (URES '15)

Posted By Tom Limoncelli

Hey all you devops, CI/CD/CD people! Hey all you packagers, launchers, and shippers. Hey all you container mavens and site reliability engineers! Submissions due: September 4, 2015 - 11:59 pm (quoting the press release): At the third USENIX Release Engineering Summit (URES '15), members of the release engineering community will come together to advance the state of release engineering, discuss its problems and solutions, and provide a forum for communication for members of this quickly growing field. We are excited that this year LISA attendees will be able to drop in on talks so we expect a large audience.

Wed, 02 Sep 2015 00:38:54 UTC

RSS reader problems

Posted By Greg Lehey

Mail from Rodolfo Gouveia today. He's been reading this diary -- for 10 years! -- via the RSS feed, and his RSS app (apparently on iOS) displays my feed (and apparently only my feed) in chronological order. That's particularly bad for him, because the feed has dozens of items, and the app only displays the first 30. I write the diary in chronological order, of course: it's a chronology, and I have a horror of reverse chronological documents. But RSS should go by publication date. I tried it with NewsFox, and it worked as expected. Bad app? Maybe. The developer of the app suggested using Feedly, which at least suggests that it's not a configuration issue.

Tue, 01 Sep 2015 17:00:00 UTC

FreeBSD Journal Reviews TPOSANA

Posted By Tom Limoncelli

Greg Lehey wrote an excellent review of The Practice of System and Network Administration in the new issue of The FreeBSD journal. Even though the book isn't FreeBSD-specific, I'm glad FJ was drawn to reviewing the book. For more about the FreeBSD Journal, including how to subscribe or purchase single issues, visit their website: https://www.freebsdfoundation.org/journal I'm subscribed to the journal and I highly recommend it. The articles are top notch. Even if you don't use FreeBSD, the articles are a great way to learn about advanced technology and keep up with the industry.

Tue, 01 Sep 2015 01:29:59 UTC

GPS: Use Google Maps

Posted By Greg Lehey

Considerable commentary on IRC today about my last rant on GPS navigation. Andy Snow said that Google Maps on Android was the answer to all my issues. That hasn't been my experience in the past, but it was worth trying again. Tried the route from here to Steve Zuideveld in Warrandyte. It gave me a nice, clean map of the start of the journey, with directions on the left, just like I know from Google maps on a real computer: But how do I show the whole itinerary?