- The Security Impact of HTTPS Interception
As a class, interception products drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities. We investigated popular antivirus and corporate proxies, finding that nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates). While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences.
- Facebook is terrifying
Now imagine you take a selfie in a crowded place. Like an airport or a train station. There are some people walking on the background. Hundreds of them. Some of them facing the camera. Guess what: the Facebook’s AI has just spotted them.
Even if you’re extremely cautious, even if you never post anything on Facebook, even if you have “location services” disabled on your phone at all times etc. etc. Facebook still knows where you are. You can’t stop other people from taking selfies in an airport.
- On Deniability and Duress
Deniable schemes let you lie about whether you’ve provided full access to some or all of the encrypted text. This is important because, currently, you can’t give the guard in the above example a fake password. He’ll try it, get locked out, and then proceed with the flogging.
I’m convinced that there’s a sociotechnical blind spot in how current technology handles access to personal devices. We, in the infosec community, need to start focusing more on allowing users the flexibility to handle situations of duress rather than just access control. Deniability and duress codes can go a long way in helping us get there.
- Backblaze Hard Drive Stats for 2016
Backblaze has recorded and saved daily hard drive statistics from the drives in our data centers since April 2013. At the end of 2016 we had 73,653 spinning hard drives. Of that number, there were 1,553 boot drives and 72,100 data drives. This post looks at the hard drive statistics of the data drives we monitor. We’ll first look at the stats for Q4 2016, then present the data for all of 2016, and finish with the lifetime statistics for all of the drives Backblaze has used in our cloud storage data centers since we started keeping track. Along the way we’ll share observations and insights on the data presented.
- Building, And Losing, A Career On Facebook
Here's how the money part works: Just like Google and Facebook get paid to post advertisements (in your search and your news feed), Lawler gets paid to post ads too — in his Facebook page — by a third party, an entity known as an "affiliate link" company. In the complex world of online advertising, these companies are middlemen between big brands like Home Depot and publishers. It's a standard practice for businesses on Facebook to post these advertising links. He'll share a link — it could be for a juice company or a news site — and every time a fan clicks on that link, he gets less than a penny.
But the money adds up. Lawler made anywhere from a couple of hundred dollars a day, to $1,000.
- Asking the wrong questions
However, to me the interesting thing is how often the order is wrong. What we now know to be the hard problems were going to be solved decades before what we now know were the easy ones. So it might take until 2020 to 'fax' a newspaper to your home, and automatic wiretapping might be impossible, but automatic doctors, radar implants for the blind, household robots and machine translation would be all done by 1990 and a machine would be passing human IQ tests at genius level by 2000. Meanwhile, there are a few quite important things missing - there is no general-purpose computing, no internet and no mobile phones. There's no prediction for when everyone on earth would have a pocket computer connected to all the world's knowledge (2020-2025). These aren't random gaps - it's not just that they thought X would work and didn't know we'd invent Y. Rather, what's lacking is an understanding of the structural impetus of computing and software as universal platforms that would shape how all of these things would be created. We didn't make a home newspaper facsimile machine - we made computers.
- Lessons from Real-Time Programming class
This class has been around since at least the 80’s. Currently Bill Cowan teaches this class, and has been for over 20 years.
The equipment has evolved since then, but the underlying challenges have not.
For example, teamwork, setting priorities, and dealing with real (imperfect) systems.
- Cardinality estimation done right: index-based join sampling
The index-based sampling operator can cheaply compute a sample for a join result, but it is not a full solution by itself. We also need a join enumeration strategy which can systematically explore the intermediate results of a query using the sampling operator, while also ensuring that the overall sampling time is limited. If we sampled every possible combination, it would take too long for queries with many joins. In the Join Order Benchmark (JOB), queries with 7 joins have 84-107 intermediate results, and queries with 13 joins have 1,517-2,032. A time limit is set on the sampling phase, after which the algorithm falls back to traditional estimation.
- Vim's 25th anniversary and the release of Vim 8
2016 was a big year for project anniversaries. The Linux kernel, of course, turned 25. And Vim, that other iconic text editor, also celebrated its 25th anniversary.
- Monitoring and Tuning the Linux Networking Stack: Sending Data
This blog post explains how computers running the Linux kernel send packets, as well as how to monitor and tune each component of the networking stack as packets flow from user programs to network hardware.
This post forms a pair with our previous post Monitoring and Tuning the Linux Networking Stack: Receiving Data.
- MIT Lecture: Gödel, Escher, Bach: An Eternal Golden Braid
MIT Open CourseWare videos investigating Doug Hofstadter's classic book.
- Online migrations at scale
Moving millions of objects from one database table to another is difficult, but it’s something that many companies need to do.
There’s a common 4 step dual writing pattern that people often use to do large online migrations like this. Here’s how it works
- Coronal Mass Ejections (again)
A study published last month by the Cambridge Centre for Risk Studies estimates that a solar storm would have the potential to wipe between $140 billion to $613 billion off the global economy in a five-year time span, depending on the severity of the impact.
- Most of the web really sucks if you have a slow connection
When I was at Google, someone told me a story about a time that “they” completed a big optimization push only to find that measured page load times increased. When they dug into the data, they found that the reason load times had increased was that they got a lot more traffic from Africa after doing the optimizations. The team’s product went from being unusable for people with slow connections to usable, which caused so many users with slow connections to start using the product that load times actually increased.
- Disaggregate: Networking recap
At Facebook, we build our data centers with fully open and disaggregated hardware. This allows us to replace the hardware or the software as soon as better technology becomes available. Because of this, we see compute, storage, and networking gains that scale with our business. We spoke about our latest networking hardware and software — including Wedge 100, Backpack, Voyager, FBOSS and OpenBMC — at the event. We also heard from Apstra, Barefoot, Big Switch Networks, Canonical, Cumulus, and SnapRoute, who talked about their solutions and how they fit in with the rapidly growing ecosystem for open networking.
- Back-to-Basic Weekend Reading: Monte-Carlo Methods
The probabilistic approach may not result in the perfect result, but it may get you very close, and much faster than deterministic techniques (which may even be computationally impossible).
- htop Explained Visually
htop is an interactive process monitor.
- Using tmux Properly
What is a terminal multiplexer? A terminal multiplexer is a souped-up terminal. If you used a plain terminal for a few years and then someone said: "What features do you think we should add?", you'd end up with a multiplexer.
- Against Storytelling
Here at the slightly pretentious hotel (call it “P”) we went down to breakfast early and got eggs. The salt and pepper shakers were tallish, stainless steel, with little plastic windows to see the spice. Atop each is a plunger—meaning each one is a little grinder. Interesting! Except they didn’t work.
- More on GVFS
Looking at the server from the client, it’s just Git. All TFS and Team Services hosted repos are *just* Git repos. Same protocols. Every Git client that I know of in the world works against them. You can choose to use the GVFS client or not. It’s your choice. It’s just Git. If you are happy with your repo performance, don’t use GVFS. If your repo is big and feeling slow, GVFS can save you.
- Considerations On Cost Disease
might the increased regulatory complexity happen not through literal regulations, but through fear of lawsuits? That is, might institutions add extra layers of administration and expense not because they’re forced to, but because they fear being sued if they don’t and then something goes wrong?
I see this all the time in medicine. A patient goes to the hospital with a heart attack. While he’s recovering, he tells his doctor that he’s really upset about all of this. Any normal person would say “You had a heart attack, of course you’re upset, get over it.” But if his doctor says this, and then a year later he commits suicide for some unrelated reason, his family can sue the doctor for “not picking up the warning signs” and win several million dollars. So now the doctor consults a psychiatrist, who does an hour-long evaluation, charges the insurance company $500, and determines using her immense clinical expertise that the patient is upset because he just had a heart attack.
Those outside the field have no idea how much of medicine is built on this principle. People often say that the importance of lawsuits to medical cost increases is overrated because malpractice insurance doesn’t cost that much, but the situation above would never look lawsuit-related; the whole thing only works because everyone involved documents it as a well-justified psychiatric consult to investigate depression. Apparently some studies suggest this isn’t happening, but all they do is survey doctors, and with all due respect all the doctors I know say the opposite.
- A Very Comprehensive Guide to Getting Drunk at Disney World
Let’s give credit where credit is due: the staff at Animal Kingdom diligently sourced hard-to-find African beers. Unfortunately, most of them are mundane, flavorless lagers, but since you’ll likely not find these brews at home, they serve their purpose.
Your choices at the Dawa Bar, located in the heart of Harambe Village near Kilimanjaro Safaris, are quite varied. There’s not much on tap, but the bottled beer selections are quite cheap and include standouts like the Hakim Stout and Bedele Pilsner, both procured from Ethiopia. Two solid American craft beers round out the menu, SweetWater IPA and Victory Golden Monkey Tripel Ale, and while I’m uncertain why they are present at an ostensibly African bar, they are tasty nonetheless. If you’re ambitious enough to visit in the morning, order an African Bloody Mary made with a spiced Ethiopian-style berbere sauce.