Sunday, October 25, 2015

Things to read, mid-October edition

We took a short trip to the mountains, to see if it was as dry as the reports all said.

It was even worse.

Still, the mountains are beautiful, even when they are parched.

Meanwhile, the reading list only grew while I was gone...

  • In Defense of The New York Times
    In other words, the job of The New York Times is no longer to produce "All the News That’s Fit to Print"; rather, it is to invest in stories that make a difference — stories that start a conversation — and trust that readers will be willing to pay for quality. The content follows from the business model.
  • '10-second' theoretical hack could jog Fitbits into malware-spreading mode
    The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.
  • The NSA and Weak-DH
    They further observed that most servers using this for IPsec, a major Virtual Private Network protocol that encrypts a large amount of business traffic, commonly use the same p and g, and most of these systems are using 1024b Diffie-Hellman.

    So with an NSA-style budget of a few hundred million dollars, one could build a supercomputer that can first perform a huge amount of work, running for months, in order to break a particular 1024b p and g and then, using the same supercomputer, quickly break any key exchange using that particular p and g. This wouldn’t work for longer keys (such as 3072b Diffie-Hellman), elliptic curve Diffie-Hellman, or RSA encryption.

  • I'm Shocked, Shocked to Find There's Cryptanalysis Going On Here (Your plaintext, sir.)
    There's also been unhappiness that IPsec uses a small set of Diffie-Hellman moduli. Back when the IETF standardized those groups, we understood that this was a risk. It's long been known that the discrete log problem is "brittle": you put in a lot of work up front, and you can solve each instance relatively cheaply. The alternative seemed dangerous. The way Diffie-Hellman key exchange works, both parties need to have the same modulus and generator. The modulus has to be prime, and should be of the form 2q+1, where q is also a prime. Where does the modulus come from? Presumably, one party has to pick it. The other party then has to verify its properties; the protocol has to guard against downgrades or other mischief just in agreeing on the modulus. Yes, it probably could have been done. Our judgment was that the risks weren't worth it. The real problem is that neither vendors nor the IETF abandoned the 1024-bit group. RFC 4307, issued ten years ago, warned that the 1024-bit group was likely to be deprecated and that the 2048-bit group was likely to be required in some future document.
  • Fun with recreating an evil merge
    The good news is that, when the evil merge is in a file that also has textual conflicts to resolve, "git rerere" will automatically take care of this situation. All you need to do is to set the configuration rerere.enabled to true before attempting the merge between X and B and recording their merge M, and then attempt a new merge between B and Y. Without even having to type "git rerere", the mechanism is invoked by "git merge" to replay the recorded resolution (which is where the name of the machinery "rerere" comes from). The bad news is that when an evil merge has to be made to a file that is not involved in any textual conflict (i.e. imagine the case where we didn't have "line added by A" vs "line added by X" conflict earlier in the same file in the above example), "rerere" does not even kick in. The question is what to do, knowing B, X, and M, to recreate N while keeping the adjustment needed for semantic conflicts to record M.
  • Storage Technology Roadmaps
    At the recent Library of Congress Storage Architecture workshop, Robert Fontana of IBM gave an excellent overview of the roadmaps for tape, disk, optical and NAND flash (PDF) storage technologies in terms of bit density and thus media capacity. His slides are well worth studying, but here are his highlights for each technology
  • Stacking Up The Next Modern Platform
    When we were building Google Compute Engine, I viewed virtual machines on GCE as a transitional technology. VMs will always be around but there is a better world out there if we get past the local maxima that we are at with the current infrastructure offerings.
  • ARM Server Market
    Clearly Intel still makes the CPU behind more than 90% of the world’s servers (even when taking a very generous interpretation of server). And, just as clear, Intel is a very competent company that has in the past responded quickly to competitive pressure. Intel has also gotten very good at working closely with its major customers and, unlike the bad old days, is actually very good to work with. I’m more impressed with what they have been bringing to market than ever. Nonetheless, there are factors that make it very likely that we are going to see some very good server parts based upon ARM in market in the near future. It’s hard to predict the pace of execution of any of the participants nor where this will end up but, generally, change and competition is good for the industry and great for customers.
  • It's happening - OpenSSH for Windows...from Microsoft
    Sure, it's late, and ya, it should have happened years ago, but it's happening and it'll be built in. SSH will be one less thing to worry about.
  • Overcomplexifying, Underdelivering
    While it is hard to draw definitive lessons from a handful of programs, it is nearly certain that IT modernization efforts will overrun their cost estimates by significant amounts. The chart also demonstrates the challenges of holding these projects accountable when they do: cost overruns, delays, and reduced functionality are so common that even self-proclaimed success-stories have them.

    One solution is to try to make more realistic initial estimates. More data is required (and if you know of a project we're missing, please leave a comment), but trying to combine more than 50 nontrivial legacy government IT systems for less than $400 million to $500 million seems nearly impossible. So we should be skeptical when we see overoptimistic—or outright fraudulent—project estimates that claim to do just that.

  • The Tide Turns on Big Outsourcing – on cloud, agile, and rebuilding skills
    The idea that massive outsourcing contracts don’t suffer from scope creep and related, massive cost overruns, would be funny were it not for the fact that in the public sector at least, it’s our money, paid in taxes, being wasted. The UK government has wasted tens of billions of pounds on failed IT projects over the last 20 years or so, and one huge step forward under the last coalition government was a more sensible approach to citizen service provision.
  • Negative Gross Margins
    We have seen a tremendous number of high growth companies raising money this year with negative gross margins. Which means they sell something for less than it costs them to make it.

    It can be an "on-demand" service provider that subsidizes the cost of the workers on its platform so that the service seems like it costs less than it actually does. Why would an on-demand startup take this approach? To build demand for the service, of course. The idea is get users hooked on a home cleaning service, a ridesharing service, a food delivery service, or a gym roaming service by bringing it to market at a price point that is highly attractive and then, once the users are truly hooked, take the price up.

  • A Pulitzer is no guarantee
    There is a problem with the article. It correctly credits the Internet Archive with its major contribution to Web archiving, and analogizes it to the Library of Alexandria. But it fails to mention any of the other Web archives and, unlike Jill Lepore's New Yorker "Cobweb" article, doesn't draw the lesson from the analogy. Because the Library of Alexandria was by far the largest repository of knowledge in its time, its destruction was a catastrophe. The Internet Archive is by far the largest Web archive, but it is uncomfortably close to several major faults. And backing it up seems to be infeasible.
  • The Little-Known Story Behind Britain's Road Signs
    Kinneir and Calvert created rules for traffic signs that have endured to this day. Consider the wide gaps in letter spacing typically seen on roadside signs: That spacing is derived from research the designers conducted on how type should scale according to the speed of traffic and the amount of information on display. For Transport, the unit of measure for spacing is based on the width of the capital letter ‘I’—a consistency in form which, over time, helped foster a sense of familiarity in drivers.
  • Best Haka Ever
    The dueling Sipi Tau and haka prior to the first-round match between Tonga and New Zealand at Newcastle’s St James Park was the most scintillating, intense, and beautiful performance of the dance in modern rugby history.

    Not only was it breathtaking, the dueling dances grounded the extraordinarily physical tone of the 80 minutes of rugby to follow. “We’re going to tell the whole world that God and Tonga is our inheritance,” Tongan center Siale Piatau explained before Tonga took the turf.

    It was impressive to see the heart with which Tonga—a tiny and impoverished nation—performed the Sipi Tau dressed in their traditional luminous red jerseys that contrasted sharply with New Zealand’s black. The All Blacks’ response was incendiary, 23 men moving with a razor-sharp unity and collective purpose. The resulting rugby was worthy of the display. Tonga’s superb first half was probably the best they’ve ever played. Meanwhile, the All Blacks rebounded from an unconvincing victory over surprise darlings Georgia to claim the win, overcoming the Tongans with graft, flair, and legs, scoring seven tries.

  • How Prison Architect Could Liberate Gaming
    After being available for three years as an open, prerelease “alpha,” Prison Architect was officially released two weeks ago and appears destined for long-term cult success. With a current user base of more than 1 million players, many of whom have already been playing for months if not years, the release carried significantly less risk for both players and creators than most project launches, its slow launch limiting its vulnerability to the caprices of the market and the media. I spoke to Introversion Software’s Mark Morris about the company’s approach to crowdfunding, project management, and community relations.
