Saturday, August 1, 2015

A week in review

Happy August! (White Rabbit)

  • At Last: An Ebola Vaccine That Might Actually Work
    The results are so promising, in fact, that the research itself has changed. Instead of using two randomized groups of subjects—one that receives the vaccine immediately after potential exposure and one that receives the vaccine 21 days after—the researchers are now giving the vaccine to every subject immediately.
  • How a Piece of Malaysian Flight 370 Drifted 2,300 Miles
    In retrospect, the absence of any physical evidence from the crash shouldn’t have been that much of a mystery. By the time the search shifted to the Indian Ocean 10 days after the jet disappeared, the flaperon was already on its way and riding the current towards Africa.
  • Drones and Spyware: The Bizarre Tale of a Brutal Kidnapping
    FBI court filings unsealed last week showed how Denise Huskins’ kidnappers used anonymous remailers, image sharing sites, Tor, and other people’s Wi-Fi to communicate with the police and the media, scrupulously scrubbing meta data from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.
  • Mare Island Kidnapping: Denise Huskins was not the intended target
    “At some point, that member of the team informed me that the person we had was Victim F and not [Victim M’s ex-fiance]. This threw a monkey wrench into our plans. Disagreement broke out among the three of us. I insisted that we should continue and carry out the operation, that it was a training mission anyhow, and that we needed the experience so that we could have successful missions later. So we continued,” the sender wrote.
  • One font vulnerability to rule them all #1: Introducing the BLEND vulnerability
    To make a long story short, the one vulnerability mentioned in the title is CVE-2015-0093 (also dubbed CVE-2015-3052 by Adobe). What makes it unique is the fact that it provides an extremely powerful primitive, making it possible to perform arbitrary PostScript operations (e.g. arithmetic, logic, conditional and other) anywhere on the exploited thread’s stack, with full control over what is overwritten and how. This, in turn, could be used by an attacker to craft a self-contained malicious Type 1 font which, once loaded in the vulnerable environment, reliably and deterministically builds a ROP chain in the Charstring program, consequently defeating all modern exploit mitigations techniques such as stack cookies, DEP, ASLR, SMEP and so on. It also affected both Adobe Reader and the Windows kernel (32-bit), enabling the creation of a single PDF file, which would first achieve arbitrary code execution within the PDF viewer’s process, and further escape the sandbox by exploiting the very same bug in the operating system, elevating chosen process’ privileges in the system and removing the associated job’s restrictions.
  • The adblocking revolution is months away (with iOS 9) – with trouble for advertisers, publishers and Google
    User experience is what Apple puts above pretty much everything else, and they’ve decided that they don’t like it the experience available through the ad-supported web, and so they’re going to do something about it. Hence content blockers for Safari (and all web views) on iOS 9, which wasn’t announced onstage at WWDC but was one of those “Whoa!” moments on browsing through the Settings in the first iOS 9 beta. (Do read the link in the previous sentence, which explains what iOS 9 content blockers are, and are not.) Hence also Apple News, which is basically “all those sites but with the crap taken out”.
  • Newegg wins TQP patent case after challenging judge over delays
    TQP, which was owned by well-known patent asserter Erich Spangenberg, claimed that the 5,412,730 patent covered any website using the SSL together with the RC4 cipher, a common Web encryption scheme for retailers and other sites. Under Spangenberg's guidance, the TQP patent was used to sue more than 100 companies, garnering some $45 million in settlements by the time of the Newegg trial.

    In post-trial motions, Newegg argued that it couldn't be found to infringe, because it doesn't change "key values" with each block that's transmitted. Gilstrap's new order embraces that argument, vacates the jury's verdict, and finds that Newegg doesn't infringe the patent.

  • HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
    We have broken down the malware communication process into five stages to explain how the tool operates, receives instructions, and extracts information from victim networks. The stages include information on what APT29 does outside of the compromised network to communicate with HAMMERTOSS and a brief assessment of the tool’s ability to mask its activity.
  • Can't Touch This: 'Hammertoss' Russian Cyberspies Hide In Plain Sight
    The attackers automatically rotate Twitter handles daily for sending commands to infected machines, and use images embedded with encrypted command information and then upload stolen information to cloud storage services, for example. They also recruit legitimate web servers that they infect as part of the command and control infrastructure.
  • Git 2.5
    The latest feature release Git v2.5.0 is now available at the usual places. It is comprised of 583 non-merge commits since v2.4.0, contributed by 70 people, 21 of which are new faces.
  • Dat Goes Beta
    Dat is a data collaboration tool. We think most people will use it to simplify the process of downloading and updating datasets, but we are also very excited about how people will use it to fork, collaborate on, and publish new datasets for others to consume.
  • TIMELY: RTT-based Congestion Control for the Datacenter
    We show using experiments with up to hundreds of machines on a Clos network topology that it provides excellent performance: turning on TIMELY for OS-bypass messaging over a fabric with PFC lowers 99 percentile tail latency by 9X while maintaining near line-rate throughput. Our system also outperforms DCTCP running in an optimized kernel, reducing tail latency by 13X. To the best of our knowledge, TIMELY is the first delay-based congestion control protocol for use in the datacenter, and it achieves its results despite having an order of magnitude fewer RTT signals (due to NIC offload) than earlier delay-based schemes such as Vegas.
  • Challenges to Adopting Stronger Consistency at Scale
    There have been many recent advances in distributed systems that provide stronger semantics for geo-replicated data stores like those underlying Facebook. These research systems provide a range of consistency models and transactional abilities while demonstrating good performance and scalability on experimental workloads. At Facebook we are excited by these lines of research, but fundamental and operational challenges currently make it infeasible to incorporate these advances into deployed systems.
  • Jupiter Rising: A Decade of Clos Topologies and Centralized Control in Google’s Datacenter Network
    We present our approach for overcoming the cost, operational complexity, and limited scale endemic to datacenter networks a decade ago.

    ...

    Our datacenter networks run at dozens of sites across the planet, scaling in capacity by 100x over ten years to more than 1Pbps of bisection bandwidth

  • Stop pushing the web forward
    The moratorium would hit Chrome much harder than it would the other browsers, since it’s Google that is proposing most of the new features nowadays. That may not be entirely fair, but it’s an unavoidable consequence of Chrome’s current position as the top browser — not only in market share, but also in supported features. Also, the fact that Google’s documentation ranges from lousy to non-existent doesn’t help its case.
  • Java in Flames
    Java mixed-mode flame graphs provide a complete visualization of CPU usage and have just been made possible by a new JDK option: -XX:+PreserveFramePointer. We've been developing these at Netflix for everyday Java performance analysis as they can identify all CPU consumers and issues, including those that are hidden from other profilers.
  • Tuning Tomcat For A High Throughput, Fail Fast System
    Since this was a mid tier service, there was not much use of apache. So, instead of tuning two systems (apache and tomcat), it was decided to simplify the stack and get rid of apache. To understand why too many tomcat threads got busy, let's understand the tomcat threading model.
  • Freshwater Feedback Part 1: “Everybody does it”
    In a series of three posts that summarize what I have learned since publishing that paper, I will try to stick to positive assertions, that is assertions about the facts, concerning this difference between the premises that freshwater economists take for granted and the premises that I and other economists take for granted.
  • Feynman Integrity
    My conjecture is that the fundamental problem in macro-economics, and the explanation for the puzzle I noted in my reply to Luis, is that a type of siege mentality encouraged people in this group to ignore criticism from the outside and fostered a definition of in-group loyalty that delegitimized the open criticism that is an essential part of the scientific method. Once this mentality got established, it fed on itself.
  • Managing Change: The Sailboat Tack Principle
    That is, the skipper does not actually begin the maneuver until every involved crew member has indicated they are ready. This prevents partial execution, people getting hit in the head with booms, and people getting knocked off the boat. It also implicitly makes clear when we are discussing a possible course change (e.g., “I think we should set course that direction”) from when we are actually doing it (e.g., “Ready about”).

    For those with CS degrees, the sailboat tack principle is a two-phase commit protocol, used commonly in distributed transaction processing systems.

  • Even If The State Of Georgia Can Copyright Legal Annotations, Should It?
    The state of Georgia hired LexisNexis to create these annotations, and LexisNexis then assigns the copyright that it receives on those annotations over to the state of Georgia. Part of the deal between Georgia and LexisNexis is that LexisNexis does the work and the state gets the copyright, but then LexisNexis gets to host the "official" copies of the laws of the state, while selling that annotated version (in both digital and paper versions). The state argues that this arrangement is actually more beneficial to consumers, because rather than relying on taxpayer funds to do this, LexisNexis gets to recoup the costs in the form of customer fees.
  • Getting Started with Windows 10
    Windows 10 comes out July 29th, and it takes what was familiar about Windows 7 and what was great about Windows 8 and takes it forward. It's nice on a tablet, it's nice on a laptop, and I'm on my desktop with it now. Features like game streaming from an Xbox are amazing. The Office Touch apps look great.
  • Researchers Disclose Further Vulnerabilities in Google App Engine
    A Polish research group claims there are still several outstanding vulnerabilities in Google App Engines for Java, including three complete Java sandbox escapes. After three weeks of radio silence from Google, it decided to disclose on Friday the vulnerabilities, along with proof of concept code.
  • The Wheels of Justice Turn Slowly
    On the evening March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I’ve recently received a notice from the U.S. Justice Department stating that one of the individuals involving in that “swatting” incident had pleaded guilty to a felony conspiracy charge.
  • John Horton Conway: the world’s most charismatic mathematician
    The students loved their new lecturer as much for his mind as his high jinks. He had a homely lecturing style, discussing abstract concepts in terms of trains and cars, cats and dogs. In lecturing on symmetry and the Platonic solids, he sometimes brought a large turnip and a carving knife to class, transforming the vegetable one slice at a time into an icosahedron with 20 triangular faces, eating the scraps as he went.
  • Playing Chess With the Devil
    Today Ken and I wish to talk about whether we can ever play perfect chess—or at least better chess than any one chess program—by combining output from multiple programs that sometimes might “lie.”
  • The Miracle of SolarCity
    SolarCity, which focuses on putting solar panels on the roofs of homes and buildings, didn’t invent the solar panel. But, like Ford Motor Co. did a century ago, it has put together and perfected a combination of functions and disciplines—efficient assembly, economies of scale, vertical integration, and innovative financing techniques—that could make mass adoption possible. And it continually seeks and finds ways to expand its market.
  • Book: Armada
    Ernest Cline’s second book, Armada, is almost as wonderful as his first book, Ready Player One. While plenty of folks on Amazon are giving it mediocre ratings, I think it’s because they don’t understand what Cline really did here.
  • Meet Syd Mead, the Artist Who Illustrates the Future
    For decades, his groundbreaking designs and artwork for a variety of corporations, creative firms, and cinematic projects have become synonymous with looking forward. His film work alone, which includes Blade Runner, Aliens and TRON, gave a generation a glimpse into what technology and design may have in store. Mead says that he would use architecture as a sort of "magical background" in his work. Curbed spoke with him about his architectural influences and his current views on the future of urban design.

No comments:

Post a Comment