Sunday, May 10, 2015

Stuff I'm reading, mid-May edition

We've entered the seasonal pattern: heavy overcast until about 1 PM, then a glorious and beautiful afternoon.

  • The Discovery of Apache ZooKeeper’s Poison Packet
    After many, many packet captures, we were able to find a single problem packet. It contained a scheme_len of 0x6edd0b51… or about 1.7GB. The lack of a bounds check resulted in ZooKeeper trying to allocate memory for the bogus length, which causes an OutOfMemory exception to be thrown, killing the thread. Cool. Well, not so cool, but now we’re starting to get somewhere. There are still so many questions, but the most pertinent problem is clear: if the leader is dead, why doesn’t it get re-elected?
  • Weak Homegrown Crypto Dooms Open Smart Grid Protocol
    The weaknesses discovered by Jovanovic and Neves enabled them to recover private keys with relative ease: 13 queries to an OMA digest oracle and negligible time complexity in one attack, and another in just four queries and 2^25 time complexity, the paper said.

    "A different approach only requires one arbitrary valid plaintext-tag pair, and recovers the key in an average of 144 message verification queries, or one ciphertext-tag pair and 168 ciphertext verification queries," the researchers wrote.

  • Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol
    The OMA digest algorithm presents multiple flaws. Firstly, it uses a simple zero byte message padding, which results in messages with any number of trailing zeroes sharing the same tag. Secondly, given a tuple (a, m, k) where a is the OMA digest’s state or authentication tag, m a message and k the OMAK, the function is fully reversible (see Algorithm 2) which is a very useful property for the attacks presented in Sections 3.1 and 3.2. Likewise, it is also possible to take an arbitrary internal state, and continue to process it as if to resume a partially digested message.
  • Python Packaging: Hate, hate, hate everywhere
    What I learned of that personally is not so much anything about packaging Python code but to not make any attempts to replace existing infrastructure without understanding all the reasons that lead to its existence. Also since that happened in the past I think it's a good idea to write down a list of design decisions and use cases and why they exist when I make another open source project in the future. A lot of what went into setuptools can only be understood after a long time of using it because the design is not documented enough.
  • go get considered harmful
    This is the practice (of which Godeps is a variant) of sticking all your dependencies in your source code repo and committing them. Which means that upstream changes need to be individually downloaded to each source repo. Godeps at least gives you a way to list your packages, which is a start.

    But you don’t want every upstream commit in your repo’s commit history, so this is typically done by just blowing away the commit history. Or you end up with git submodules, which are brittle as hell.

    And if there are bugs in the upstream, now you have to re-vendor that package for every case you use it across all your repos, instead of just bumping a version number somewhere and testing.

  • Notes on Theory of Distributed Systems CS 465/565: Spring 2014
    These are notes for the Spring 2014 semester version of the Yale course CPSC 465/565 Theory of Distributed Systems.
  • In Mathematics, Mistakes Aren’t What They Used To Be
    Voevodsky decided that the only way he could proceed would be to employ a "proof assistant"—a computer program that would prevent him from wandering too far down errant paths. He had already been investigating the prospects of a computer-assisted formalization of mathematics, since 2003. The error, he says, "was just like a little present for me, to make my argument stronger."

    The experience of working with a proof assistant, as he describes it, is a bit like playing a video game. He’s jousting with the computer. He instructs it to try this, try that—he can even instruct it to try something known to be wrong, just to see what happens. "It’s very interactive," he says. "It can be fun and exciting, and kind of addicting." When he makes a mistake, all the assertions he’s typed in, lines and lines and lines, vanish before his very eyes (though he saves the work in a file called "leftovers").

    This way, once Voevodsky has proved something, he knows for certain it’s true. He doesn’t wonder if there are any mistakes lurking within arguments, and he doesn’t worry about how to convince his colleagues. The proof assistant provides a stamp of authenticity.

  • Fast Approximate Logarithms, Part I: The Basics
    You can find code for approximate logs on the web, but they rarely come with an evaluation of how they compare to the alternatives, or in what sense they might be optimal. That is the gap I'm trying to fill here. The first post in this series covers the basics, but even if you are familiar with this subject I think you will find some interesting nuggets. The second post considers rounding error, and the final post gives the code for a family of fast log functions.
  • MIT alumni in their 50s
    The engineers who’d chosen to work in industry, however, were a varied lot. A woman who’d taken a job at a defense contractor was still there, 30 years later. The super-wizard Lisp Machine programmer was now in a senior technical, but non-supervisory role, at a multi-billion dollar dotcom (not necessarily getting paid more than a competent 30-year-old, however). About half of the engineers, however, talked about being pushed into a financially uncomfortable early retirement and/or not being able to find work.
  • I would have hired Doug, but...
    Unlike Engelbart, I have re-tooled. I now work in JavaScript in the browser and on the server. I had to walk away from the codebase that I loved. I understood that the price of relevance is to give up fighting at some point and settle for a partial victory.
  • Globalization unraveling
    There are myriad reasons why these markets have lagged, some of them unique to specific countries or regions. For instance, China’s one-child policy has produced a penurious generation of young adults who are the sole support for aging family members. And in parts of Southeast Asia and Africa the infrastructure in rural areas, where much of the population lives, is too primitive to support extensive retail activities. But equally problematic is that the growth of the middle class in China and most other developing economies has been slow. And these newly minted consumers face volatile, often expensive prices for housing, food and other staples.
  • The Killing of Osama bin Laden
    The major US source for the account that follows is a retired senior intelligence official who was knowledgeable about the initial intelligence about bin Laden’s presence in Abbottabad. He also was privy to many aspects of the Seals’ training for the raid, and to the various after-action reports. Two other US sources, who had access to corroborating information, have been longtime consultants to the Special Operations Command. I also received information from inside Pakistan about widespread dismay among the senior ISI and military leadership – echoed later by Durrani – over Obama’s decision to go public immediately with news of bin Laden’s death.

No comments:

Post a Comment