Planet Russell


[Planet Debian] Dirk Eddelbuettel: RcppCCTZ 0.2.6

A shiny new release 0.2.6 of RcppCCTZ is now at CRAN.

RcppCCTZ uses Rcpp to bring CCTZ to R. CCTZ is a C++ library for translating between absolute and civil times using the rules of a time zone. In fact, it is two libraries. One for dealing with civil time: human-readable dates and times, and one for converting between absolute and civil times via time zones. And while CCTZ is made by Google(rs), it is not an official Google product. The RcppCCTZ page has a few usage examples and details. This package was the first CRAN package to use CCTZ; by now at least three others do—using copies in their packages which remains less than ideal.

This version updates to CCTZ release 2.3 from April, plus changes accrued since then. It also switches to tinytest which, among other benefits, permits continued testing of the installed package.

Changes in version 0.2.6 (2019-08-03)

  • Synchronized with upstream CCTZ release 2.3 plus commits accrued since then (Dirk in #30).

  • The package now uses tinytest for unit tests (Dirk in #31).

We also have a diff to the previous version thanks to CRANberries. More details are at the RcppCCTZ page; code, issue tickets etc at the GitHub repository.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

[Planet Debian] Bits from Debian: New Debian Developers and Maintainers (May and June 2019)

The following contributors got their Debian Developer accounts in the last two months:

  • Jean-Philippe Mengual (jpmengual)
  • Taowa Munene-Tardif (taowa)
  • Georg Faerber (georg)
  • Kyle Robbertze (paddatrapper)
  • Andy Li (andyli)
  • Michal Arbet (kevko)
  • Sruthi Chandran (srud)
  • Alban Vidal (zordhak)
  • Denis Briand (denis)
  • Jakob Haufe (sur5r)

The following contributors were added as Debian Maintainers in the last two months:

  • Bobby de Vos
  • Jongmin Kim
  • Bastian Germann
  • Francesco Poli

Congratulations!


[Krebs on Security] What We Can Learn from the Capital One Hack

On Monday, a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years.

What follows is based on interviews with almost a dozen security experts, including one who is privy to details about the ongoing breach investigation. Because this incident deals with somewhat jargon-laced and esoteric concepts, much of what is described below has been dramatically simplified. Anyone seeking a more technical explanation of the basic concepts referenced here should explore some of the many links included in this story.

According to a source with direct knowledge of the breach investigation, the problem stemmed in part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services (AWS).

Known as “ModSecurity,” this WAF is deployed along with the open-source Apache Web server to provide protections against several classes of vulnerabilities that attackers most commonly use to compromise the security of Web-based applications.

The misconfiguration of the WAF allowed the intruder to trick the firewall into relaying requests to a key back-end resource on the AWS platform. This resource, known as the “metadata” service, is responsible for handing out temporary information to a cloud server, including current credentials sent from a security service to access any resource in the cloud to which that server has access.

In AWS, exactly what those credentials can be used for hinges on the permissions assigned to the resource that is requesting them. In Capital One’s case, the misconfigured WAF for whatever reason was assigned too many permissions, i.e. it was allowed to list all of the files in any buckets of data, and to read the contents of each of those files.

The type of vulnerability exploited by the intruder in the Capital One hack is a well-known method called a “Server Side Request Forgery” (SSRF) attack, in which a server (in this case, CapOne’s WAF) can be tricked into running commands that it should never have been permitted to run, including those that allow it to talk to the metadata service.

Evan Johnson, manager of the product security team at Cloudflare, recently penned an easily digestible column on the Capital One hack and the challenges of detecting and blocking SSRF attacks targeting cloud services. Johnson said it’s worth noting that SSRF attacks are not among the dozen or so attack methods for which detection rules are shipped by default in the WAF exploited as part of the Capital One intrusion.

“SSRF has become the most serious vulnerability facing organizations that use public clouds,” Johnson wrote. “The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform.”

Johnson said AWS could address this shortcoming by including extra identifying information in any request sent to the metadata service, as Google has already done with its cloud hosting platform. He also acknowledged that doing so could break a lot of backwards compatibility within AWS.

“There’s a lot of specialized knowledge that comes with operating a service within AWS, and to someone without specialized knowledge of AWS, [SSRF attacks are] not something that would show up on any critical configuration guide,” Johnson said in an interview with KrebsOnSecurity.

“You have to learn how EC2 works, understand Amazon’s Identity and Access Management (IAM) system, and how to authenticate with other AWS services,” he continued. “A lot of people using AWS will interface with dozens of AWS services and write software that orchestrates and automates new services, but in the end people really lean into AWS a ton, and with that comes a lot of specialized knowledge that is hard to learn and hard to get right.”

In a statement provided to KrebsOnSecurity, Amazon said it is inaccurate to argue that the Capital One breach was caused by AWS IAM, the instance metadata service, or the AWS WAF in any way.

“The intrusion was caused by a misconfiguration of a web application firewall and not the underlying infrastructure or the location of the infrastructure,” the statement reads. “AWS is constantly delivering services and functionality to anticipate new threats at scale, offering more security capabilities and layers than customers can find anywhere else including within their own datacenters, and when broadly used, properly configured and monitored, offer unmatched security—and the track record for customers over 13+ years in securely using AWS provides unambiguous proof that these layers work.”

Amazon pointed to several (mostly a la carte) services it offers AWS customers to help mitigate many of the threats that were key factors in this breach, including:

  • Access Advisor, which helps identify and scope down AWS roles that may have more permissions than they need;
  • GuardDuty, designed to raise alarms when someone is scanning for potentially vulnerable systems or moving unusually large amounts of data to or from unexpected places;
  • The AWS WAF, which Amazon says can detect common exploitation techniques, including SSRF attacks;
  • Amazon Macie, designed to automatically discover, classify and protect sensitive data stored in AWS.
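An added example (mine, not code from the story or from anyone quoted in it): a Python pass over constructed web-server access-log lines that flags requests whose URL-type parameter points at the instance metadata address, or at loopback, link-local or private ranges, which is exactly the kind of relay a WAF or proxy should never forward. The /api/fetch endpoint and the log lines are made up; 169.254.169.254 is the publicly documented EC2 metadata address.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache "combined"-style format. They are made up for this
# example (the /api/fetch endpoint and client addresses are fictitious), not Capital One data.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2019:10:01:02 +0000] "GET /api/fetch?url=https%3A%2F%2Fexample.org%2Fimg.png HTTP/1.1" 200 512
203.0.113.9 - - [29/Jul/2019:10:01:05 +0000] "GET /api/fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1843
203.0.113.9 - - [29/Jul/2019:10:01:09 +0000] "GET /api/fetch?url=http%3A%2F%2F10.0.3.21%3A8500%2Fv1%2Fstatus HTTP/1.1" 500 0
203.0.113.11 - - [29/Jul/2019:10:02:00 +0000] "GET /api/fetch?url=http%3A%2F%2F%5Bfe80%3A%3A1%5D%2F HTTP/1.1" 500 0
203.0.113.12 - - [29/Jul/2019:10:02:30 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# The EC2 instance metadata service lives at this publicly documented link-local address.
METADATA_ADDR = ipaddress.ip_address("169.254.169.254")


def classify_host(host):
    """Return why `host` is a suspicious relay target, or None if it looks like an external name/address.

    A DNS name cannot be judged offline: whether it resolves to an internal address has to be
    checked at the point where the server actually opens the outbound connection.
    """
    if not host:
        return None
    if host.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if addr == METADATA_ADDR:
        return "cloud-metadata"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    return None


def url_hosts_in_query(target):
    """Yield (param, host) for each query parameter whose percent-decoded value looks like a URL."""
    for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        candidate = value if "://" in value else "//" + value   # treat a bare "host/path" like a URL too
        try:
            host = urlsplit(candidate).hostname
        except ValueError:          # malformed IPv6 literal etc.
            continue
        if host:
            yield param, host


def scan_log(text):
    """Return one finding per request whose URL-type parameter points at an internal target."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, host in url_hosts_in_query(m.group("target")):
            reason = classify_host(host)
            if reason:
                findings.append({"line": lineno, "client": m.group("client"), "param": param,
                                 "host": host, "reason": reason, "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['host']} ({f['reason']}, HTTP {f['status']})")
```

A 200 response on a flagged line is the one to chase first: it means the relayed request was answered, not refused.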

William Bengston, formerly a senior security engineer at Netflix, wrote a series of blog posts last year on how Netflix built its own systems for detecting and preventing credential compromises in AWS. Interestingly, Bengston was hired roughly two months ago to be director of cloud security for Capital One. My guess is Capital One now wishes they had somehow managed to lure him away sooner.

Rich Mogull is founder and chief technology officer with DisruptOPS, a firm that helps companies secure their cloud infrastructure. Mogull said one major challenge for companies moving their operations from sprawling, expensive physical data centers to the cloud is that very often the employees responsible for handling that transition are application and software developers who may not be as steeped as they should in security.

“There is a basic skills and knowledge gap that everyone in the industry is fighting to deal with right now,” Mogull said. “For these big companies making that move, they have to learn all this new stuff while maintaining their old stuff. I can get you more secure in the cloud more easily than on-premise at a physical data center, but there’s going to be a transition period as you’re acquiring that new knowledge.”

Image: Capital One

Since news of the Capital One breach broke on Monday, KrebsOnSecurity has received numerous emails and phone calls from security executives who are desperate for more information about how they can avoid falling prey to the missteps that led to this colossal breach (indeed, those requests were part of the impetus behind this story).

Some of those people included executives at big competing banks that haven’t yet taken the plunge into the cloud quite as deeply as Capital One has. But it’s probably not much of a stretch to say they’re all lining up in front of the diving board.

It’s been interesting to watch over the past couple of years how various cloud providers have responded to major outages on their platforms — very often soon after publishing detailed post-mortems on the underlying causes of the outage and what they are doing to prevent such occurrences in the future. In the same vein, it would be wonderful if this kind of public accounting extended to other big companies in the wake of a massive breach.

I’m not holding out much hope that we will get such detail officially from Capital One, which declined to comment on the record and referred me to their statement on the breach and to the Justice Department’s complaint against the hacker. That’s probably to be expected, seeing as the company is already facing a class action lawsuit over the breach and is likely to be targeted by more lawsuits going forward.

But as long as the public and private response to data breaches remains orchestrated primarily by attorneys (which is certainly the case now at most major corporations), everyone else will continue to lack the benefit of being able to learn from and avoid those same mistakes.

[Cryptogram] Friday Squid Blogging: Piglet Squid Video

Really neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

[Cryptogram] More on Backdooring (or Not) WhatsApp

Yesterday, I blogged about a Facebook plan to backdoor WhatsApp by adding client-side scanning and filtering. It seems that I was wrong, and there are no such plans.

The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference.

Leetaru extrapolated a lot out of very little. I watched the video (the relevant section is at the 23:00 mark), and it doesn't talk about client-side scanning of messages. It doesn't talk about messaging apps at all. It discusses using AI techniques to find bad content on Facebook, and the difficulties that arise from dynamic content:

So far, we have been keeping this fight [against bad actors and harmful content] on familiar grounds. And that is, we have been training our AI models on the server and making inferences on the server when all the data are flooding into our data centers.

While this works for most scenarios, it is not the ideal setup for some unique integrity challenges. URL masking is one such problem which is very hard to do. We have the traditional way of server-side inference. What is URL masking? Let us imagine that a user sees a link on the app and decides to click on it. When they click on it, Facebook actually logs the URL to crawl it at a later date. But...the publisher can dynamically change the content of the webpage to make it look more legitimate [to Facebook]. But then our users click on the same link, they see something completely different -- oftentimes it is disturbing; oftentimes it violates our policy standards. Of course, this creates a bad experience for our community that we would like to avoid. This and similar integrity problems are best solved with AI on the device.

That might be true, but it also would hand whatever secret-AI sauce Facebook has to every one of its users to reverse engineer -- which means it's probably not going to happen. And it is a dumb idea, for reasons Steve Bellovin has pointed out.

Facebook's first published response was a comment on the Hacker News website from a user named "wcathcart," which Cardozo assures me is Will Cathcart, the vice president of WhatsApp. (I have no reason to doubt his identity, but surely there is a more official news channel that Facebook could have chosen to use if they wanted to.) Cathcart wrote:

We haven't added a backdoor to WhatsApp. The Forbes contributor referred to a technical talk about client side AI in general to conclude that we might do client side scanning of content on WhatsApp for anti-abuse purposes.

To be crystal clear, we have not done this, have zero plans to do so, and if we ever did it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise which is why we are opposed to it.

Facebook's second published response was a comment on my original blog post, which has been confirmed to me by the WhatsApp people as authentic. It's more of the same.

So, this was a false alarm. And, to be fair, Alec Muffet called foul on the first Forbes piece:

So, here's my pre-emptive finger wag: Civil Society's pack mentality can make us our own worst enemies. If we go around repeating one man's Germanic conspiracy theory, we may doom ourselves to precisely what we fear. Instead, we should -- we must -- take steps to constructively demand what we actually want: End to End Encryption which is worthy of the name.

Blame accepted. But in general, this is the sort of thing we need to watch for. End-to-end encryption only secures data in transit. The data has to be in the clear on the device where it is created, and it has to be in the clear on the device where it is consumed. Those are the obvious places for an eavesdropper to get a copy.

This has been a long process. Facebook desperately wanted to convince me to correct the record, while at the same time not wanting to write something on their own letterhead (just a couple of comments, so far). I spoke at length with Privacy Policy Manager Nate Cardozo, whom Facebook hired last December from EFF. (Back then, I remember thinking of him -- and the two other new privacy hires -- as basically human warrant canaries. If they ever leave Facebook under non-obvious circumstances, we know that things are bad.) He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this. I am trusting him, while also reminding everyone that Facebook has broken so many privacy promises that they really can't be trusted.

Final note: If they want to be trusted, Adam Shostack and I gave them a road map.

Hacker News thread.

[Cryptogram] Disabling Security Cameras with Lasers

There's a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved.

[Cryptogram] Facebook Plans on Backdooring WhatsApp

This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp:

In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as true wiretapping service.

Facebook's model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.

Once this is in place, it's easy for the government to demand that Facebook add another filter -- one that searches for communications that they care about -- and alert them when it gets triggered.

Of course alternatives like Signal will exist for those who don't want to be subject to Facebook's content moderation, but what happens when this filtering technology is built into operating systems?

The problem is that if Facebook's model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape. Embedding content scanning tools directly into phones would make it possible to scan all apps, including ones like Signal, effectively ending the era of encrypted communications.

I don't think this will happen -- why does AT&T care about content moderation -- but it is something to watch?

EDITED TO ADD (8/2): This story is wrong. Read my correction.

[Planet Debian] Sven Hoexter: From 30 to 230 docker container per host

I could not find much information on the interwebs about how many containers you can run per host. So here are my numbers and the issues we ran into along the way.

The Beginning

In the beginning there were virtual machines running with 8 vCPUs and 60GB of RAM. They started to serve around 30 containers per VM. Later on we managed to squeeze around 50 containers per VM.

Initial orchestration was done with swarm, later on we moved to nomad. Access was initially fronted by nginx with consul-template generating the config. When it did not scale anymore nginx was replaced by Traefik. Service discovery is managed by consul. Log shipping was initially handled by logspout in a container, later on we switched to filebeat. Log transformation is handled by logstash. All of this is running on Debian GNU/Linux with docker-ce.

At some point it did not make sense anymore to use VMs. We've no state inside the containerized applications anyway. So we decided to move to dedicated hardware for our production setup. We settled with HPe DL360G10 with 24 physical cores and 128GB of RAM.

THP and Defragmentation

When we moved to the dedicated bare metal hosts we were running Debian/stretch + Linux from stretch-backports, at that time Linux 4.17. These machines were sized to run 95+ containers. Once we were above 55 containers we started to see occasional hiccups. The first occurrences lasted only for 20s, then 2min, and suddenly some lasted for around 20min. Our system metrics, as collected by prometheus-node-exporter, could only provide vague hints. The metric export did work, so processes were being executed. But the CPU usage and subsequently the network throughput went down to close to zero.

I've seen similar hiccups in the past with PostgreSQL running on a host with THP (Transparent Huge Pages) enabled. So a good bet was to look into that area. By default /sys/kernel/mm/transparent_hugepage/enabled is set to always, so THP are enabled. We stick to that, but changed the defrag mode /sys/kernel/mm/transparent_hugepage/defrag (since Linux 4.12) from the default madvise to defer+madvise.

This moves page reclaim and compaction for pages which were not allocated with madvise to the background, which was enough to get rid of those hiccups. See also the upstream documentation. Since there is no sysctl-like facility to adjust sysfs values, we're using the sysfsutils package to apply this setting after every reboot.

Conntrack Table

Since the default docker networking setup involves a shitload of NAT, it shouldn't be surprising that nf_conntrack will start to drop packets at some point. We're currently fine with setting the sysctl tunable

net.netfilter.nf_conntrack_max = 524288

but that's very much up to your network setup and traffic characteristics.

Inotify Watches and Cadvisor

Along the way cadvisor refused to start at one point. Turned out that the default settings (again sysctl tunables) for

fs.inotify.max_user_instances = 128
fs.inotify.max_user_watches = 8192

are too low. We increased to

fs.inotify.max_user_instances = 4096
fs.inotify.max_user_watches = 32768

Ephemeral Ports

We didn't run into an issue with running out of ephemeral ports directly, but dockerd has a constant issue keeping track of ports in use and we already see collisions appear regularly. Very unscientifically we set the sysctl

net.ipv4.ip_local_port_range = 11000 60999

NOFILE limits and Nomad

Initially we restricted nomad (via systemd) with

LimitNOFILE=65536

which apparently is not enough for our setup once we crossed 100 containers per host. The error message we saw was hard to understand, though:

[ERROR] client.alloc_runner.task_runner: prestart failed: alloc_id=93c6b94b-e122-30ba-7250-1050e0107f4d task=mycontainer error="prestart hook "logmon" failed: Unrecognized remote plugin message:

This was solved by following the official recommendation and setting

LimitNOFILE=infinity
LimitNPROC=infinity
TasksMax=infinity

The main lead here was looking into the "hashicorp/go-plugin" library source and understanding that it tries to read the stdout of another process, which sounded roughly like something would have to open a file at some point.

Running out of PIDs

Once we were close to 200 containers per host (test environment with 256GB RAM per host), we started to experience failures of all kinds because processes could no longer be forked. Since that was also true for completely fresh user sessions, it was clear that we were hitting some global limitation and not something bound to a session via a PAM module.

It's important to understand that most of our workloads are written in Java, and a lot of the other software we use is written in Go. So we have a lot of threads, which Linux presents as "lightweight processes" (LWP). Every LWP still occupies a distinct PID from the global PID space.

With /proc/sys/kernel/pid_max defaulting to 32768 we actually ran out of PIDs. We increased that limit vastly, probably way beyond what we currently need, to 500000. The actual limit on 64-bit systems is 2^22 according to man 5 proc.
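An added example (mine, not the author's tooling): a POSIX shell audit that reads the tunables named in this post from /proc and /sys and reports which ones are below the values the post settled on. The ROOT variable exists only so the functions can be pointed at a fake tree; the persisting hints at the end assume Debian's sysctl.d and sysfsutils conventions.

```shell
#!/bin/sh
# Audit a Docker/Nomad host against the limits discussed above.
# ROOT lets the same functions read a fake tree (for testing); empty means the live system.
ROOT="${ROOT:-}"

# read_tunable <path-under-root>: print the first line of a sysctl/sysfs file, or "missing".
read_tunable() {
    if [ -r "$ROOT$1" ]; then
        head -n 1 "$ROOT$1"
    else
        echo missing
    fi
}

# check_min <path> <minimum>: succeed if the integer value in <path> is at least <minimum>.
check_min() {
    v=$(read_tunable "$1")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;      # missing or not a plain integer
    esac
    [ "$v" -ge "$2" ]
}

# thp_defrag_mode: extract the bracketed active mode from the sysfs file, e.g. "defer+madvise".
thp_defrag_mode() {
    read_tunable /sys/kernel/mm/transparent_hugepage/defrag | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# port_range_ok: succeed if the ephemeral range starts at or above 11000 (see "Ephemeral Ports").
port_range_ok() {
    set -- $(read_tunable /proc/sys/net/ipv4/ip_local_port_range)
    [ "${1:-0}" -ge 11000 ] 2>/dev/null
}

# audit: one line per tunable (OK/LOW/WARN); returns non-zero if anything is below the post's values.
audit() {
    rc=0
    for spec in \
        /proc/sys/net/netfilter/nf_conntrack_max:524288 \
        /proc/sys/fs/inotify/max_user_instances:4096 \
        /proc/sys/fs/inotify/max_user_watches:32768 \
        /proc/sys/kernel/pid_max:500000
    do
        path=${spec%%:*}; min=${spec##*:}
        if check_min "$path" "$min"; then
            printf 'OK   %s = %s\n' "$path" "$(read_tunable "$path")"
        else
            printf 'LOW  %s = %s (want >= %s)\n' "$path" "$(read_tunable "$path")" "$min"; rc=1
        fi
    done
    mode=$(thp_defrag_mode)
    if [ "$mode" = "defer+madvise" ]; then
        printf 'OK   thp defrag = %s\n' "$mode"
    else
        printf 'WARN thp defrag = %s (post uses defer+madvise)\n' "$mode"; rc=1
    fi
    if port_range_ok; then printf 'OK   ip_local_port_range\n'; else printf 'WARN ip_local_port_range\n'; rc=1; fi
    return $rc
}

# Persisting the values is left to the usual places (this script only reads): the net/fs/kernel keys
# go into /etc/sysctl.d/90-containers.conf, and the sysfs knob, which has no sysctl equivalent, goes
# into /etc/sysfs.conf with the sysfsutils package installed, as the post does:
#   kernel/mm/transparent_hugepage/defrag = defer+madvise

# Run against the live host when executed directly (AUDIT=0 only loads the functions).
if [ "${AUDIT:-1}" = 1 ]; then
    audit || echo "some tunables are below the values used in the post"
fi
```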

[Cryptogram] How Privacy Laws Hurt Defendants

Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don't have the same level of access to aid in their defense:

The proposed privacy laws would make this situation worse. Lawmakers may not have set out to make the criminal process even more unfair, but the unjust result is not surprising. When lawmakers propose privacy bills to protect sensitive information, law enforcement agencies lobby for exceptions so they can continue to access the information. Few lobby for the accused to have similar rights. Just as the privacy interests of poor, minority and heavily policed communities are often ignored in the lawmaking process, so too are the interests of criminal defendants, many from those same communities.

In criminal cases, both the prosecution and the accused have a right to subpoena evidence so that juries can hear both sides of the case. The new privacy bills need to ensure that law enforcement and defense investigators operate under the same rules when they subpoena digital data. If lawmakers believe otherwise, they should have to explain and justify that view.

For more detail, see her paper.

[Planet Debian] Vincent Bernat: Securing BGP on the host with origin validation

An increasingly popular design for a datacenter network is BGP on the host: each host ships with a BGP daemon to advertise the IPs it handles and receives the routes to its fellow servers. Compared to a L2-based design, it is very scalable, resilient, cross-vendor and safe to operate.1 Take a look at “L3 routing to the hypervisor with BGP” for a usage example.

[Figure: BGP on the host with a spine-leaf IP fabric: two spine routers, six leaf routers and nine physical hosts, with a BGP session established over each link. Each host advertises its own IP prefixes; some servers are shown with the prefix they want to handle.]

While routing on the host eliminates the security problems related to Ethernet networks, a server may announce any IP prefix. In the above picture, two of them are announcing 2001:db8:cc::/64. This could be a legit use of anycast or a prefix hijack. BGP offers several solutions to improve this aspect and one of them is to reuse the features around the RPKI.

Short introduction to the RPKI

On the Internet, BGP is mostly relying on trust. This contributes to various incidents due to operator errors, like the one that affected Cloudflare a few months ago, or to malicious attackers, like the hijack of Amazon DNS to steal cryptocurrency wallets. RFC 7454 explains the best practices to avoid such issues.

IP addresses are allocated by five Regional Internet Registries (RIR). Each of them maintains a database of the assigned Internet resources, notably the IP addresses and the associated AS numbers. These databases may not be totally reliable but are widely used to build ACLs to ensure peers only announce the prefixes they are expected to. Here is an example of ACLs generated by bgpq3 when peering directly with Apple:2

$ bgpq3 -l v6-IMPORT-APPLE -6 -R 48 -m 48 -A -J -E AS-APPLE
policy-options {
 policy-statement v6-IMPORT-APPLE {
replace:
  from {
    route-filter 2403:300::/32 upto /48;
    route-filter 2620:0:1b00::/47 prefix-length-range /48-/48;
    route-filter 2620:0:1b02::/48 exact;
    route-filter 2620:0:1b04::/47 prefix-length-range /48-/48;
    route-filter 2620:149::/32 upto /48;
    route-filter 2a01:b740::/32 upto /48;
    route-filter 2a01:b747::/32 upto /48;
  }
 }
}

The RPKI (RFC 6480) adds public-key cryptography on top of it to sign the authorization for an AS to be the origin of an IP prefix. Such a record is a Route Origination Authorization (ROA). You can browse the databases of these ROAs through the RIPE’s RPKI Validator instance:

[Figure: screenshot of an RPKI validator instance showing one ROA for 85.190.88.0/21, valid for AS 64476.]

BGP daemons do not have to download the databases or to check digital signatures to validate the received prefixes. Instead, they offload these tasks to a local RPKI validator implementing the “RPKI-to-Router Protocol” (RTR, RFC 6810).

For more details, have a look at “RPKI and BGP: our path to securing Internet Routing.”

Using origin validation in the datacenter

While it is possible to create our own RPKI for use inside the datacenter, we can take a shortcut and use a validator implementing RTR, like GoRTR, and accepting another source of truth. Let’s work on the following topology:

[Figure: BGP on the host with prefix validation using RTR, on the same spine-leaf fabric. Each server has its own AS number; three of the physical hosts are validators, and RTR sessions are established between each validator and the top-of-the-rack routers other than its own.]

Let’s assume we have a place to maintain a mapping between the private AS numbers used by each host and the allowed prefixes:3

ASN       Allowed prefixes
AS 65005  2001:db8:aa::/64
AS 65006  2001:db8:bb::/64, 2001:db8:11::/64
AS 65007  2001:db8:cc::/64
AS 65008  2001:db8:dd::/64
AS 65009  2001:db8:ee::/64, 2001:db8:11::/64
AS 65010  2001:db8:ff::/64

From this table, we build a JSON file for GoRTR, assuming each host can announce the provided prefixes or longer ones (like 2001:db8:aa::42:d9ff:fefc:287a/128 for AS 65005):

{
  "roas": [
    {
      "prefix": "2001:db8:aa::/64",
      "maxLength": 128,
      "asn": "AS65005"
    }, {
      "…": "…"
    }, {
      "prefix": "2001:db8:ff::/64",
      "maxLength": 128,
      "asn": "AS65010"
    }, {
      "prefix": "2001:db8:11::/64",
      "maxLength": 128,
      "asn": "AS65006"
    }, {
      "prefix": "2001:db8:11::/64",
      "maxLength": 128,
      "asn": "AS65009"
    }
  ]
}

This file is deployed to all validators and served by a web server. GoRTR is configured to fetch it and update it every 10 minutes:

$ gortr -refresh=600 \
        -verify=false -checktime=false \
        -cache=http://127.0.0.1/rpki.json
INFO[0000] New update (7 uniques, 8 total prefixes). 0 bytes. Updating sha256 hash  -> 68a1d3b52db8d654bd8263788319f08e3f5384ae54064a7034e9dbaee236ce96
INFO[0000] Updated added, new serial 1

The refresh time could be lowered but GoRTR can be notified of an update using the SIGHUP signal. Clients are immediately notified of the change.

The next step is to configure the leaf routers to validate the received prefixes using the farm of validators. Most vendors support RTR:

Platform       Over TCP?  Over SSH?
Juniper JunOS  ✔️
Cisco IOS XR   ✔️         ✔️
Cisco IOS XE   ✔️
Cisco IOS      ✔️
Arista EOS
BIRD           ✔️         ✔️
FRR            ✔️         ✔️
GoBGP          ✔️

Configuring JunOS

JunOS only supports plain-text TCP. First, let’s configure the connections to the validation servers:

routing-options {
    validation {
        group RPKI {
            session validator1 {
                hold-time 60;         # session is considered down after 1 minute
                record-lifetime 3600; # cache is kept for 1 hour
                refresh-time 30;      # cache is refreshed every 30 seconds
                port 8282;
            }
            session validator2 { /* OMITTED */ }
            session validator3 { /* OMITTED */ }
        }
    }
}

By default, at most two sessions are randomly established at the same time. This provides a good way to load-balance them among the validators while maintaining good availability. The second step is to define the policy for route validation:

policy-options {
    policy-statement ACCEPT-VALID {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                accept;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                validation-state invalid;
                reject;
            }
        }
    }
    policy-statement REJECT-ALL {
        then reject;
    }
}

The policy statement ACCEPT-VALID turns the validation state of a prefix from unknown to valid if the ROA database says it is valid. It also accepts the route. If the prefix is invalid, the prefix is marked as such and rejected. We have also prepared a REJECT-ALL statement to reject everything else, notably unknown prefixes.

A ROA only certifies the origin of a prefix. A malicious actor can therefore prepend the expected AS number to the AS path to circumvent the validation. For example, AS 65007 could announce 2001:db8:dd::/64, a prefix allocated to AS 65006, by advertising it with the AS path 65007 65006. To avoid that, we define an additional policy statement to reject AS paths with more than one AS:

policy-options {
    as-path EXACTLY-ONE-ASN "^.$";
    policy-statement ONLY-DIRECTLY-CONNECTED {
        term exactly-one-asn {
            from {
                protocol bgp;
                as-path EXACTLY-ONE-ASN;
            }
            then next policy;
        }
        then reject;
    }
}

The last step is to configure the BGP sessions:

protocols {
    bgp {
        group HOSTS {
            local-as 65100;
            type external;
            # export [ … ];
            import [ ONLY-DIRECTLY-CONNECTED ACCEPT-VALID REJECT-ALL ];
            enforce-first-as;
            neighbor 2001:db8:42::a10 {
                peer-as 65005;
            }
            neighbor 2001:db8:42::a12 {
                peer-as 65006;
            }
            neighbor 2001:db8:42::a14 {
                peer-as 65007;
            }
        }
    }
}

The import policy rejects any AS path longer than one AS, accepts any validated prefix and rejects everything else. The enforce-first-as directive is also pretty important: it ensures the first (and, here, only) AS in the AS path matches the peer AS. Without it, a malicious neighbor could inject a prefix using an AS different from its own, defeating our purpose.[4]

Let’s check the state of the RTR sessions and the database:

> show validation session
Session                                  State   Flaps     Uptime #IPv4/IPv6 records
2001:db8:4242::10                        Up          0   00:16:09 0/9
2001:db8:4242::11                        Up          0   00:16:07 0/9
2001:db8:4242::12                        Connect     0            0/0

> show validation database
RV database for instance master

Prefix                 Origin-AS Session                                 State   Mismatch
2001:db8:11::/64-128       65006 2001:db8:4242::10                       valid
2001:db8:11::/64-128       65006 2001:db8:4242::11                       valid
2001:db8:11::/64-128       65009 2001:db8:4242::10                       valid
2001:db8:11::/64-128       65009 2001:db8:4242::11                       valid
2001:db8:aa::/64-128       65005 2001:db8:4242::10                       valid
2001:db8:aa::/64-128       65005 2001:db8:4242::11                       valid
2001:db8:bb::/64-128       65006 2001:db8:4242::10                       valid
2001:db8:bb::/64-128       65006 2001:db8:4242::11                       valid
2001:db8:cc::/64-128       65007 2001:db8:4242::10                       valid
2001:db8:cc::/64-128       65007 2001:db8:4242::11                       valid
2001:db8:dd::/64-128       65008 2001:db8:4242::10                       valid
2001:db8:dd::/64-128       65008 2001:db8:4242::11                       valid
2001:db8:ee::/64-128       65009 2001:db8:4242::10                       valid
2001:db8:ee::/64-128       65009 2001:db8:4242::11                       valid
2001:db8:ff::/64-128       65010 2001:db8:4242::10                       valid
2001:db8:ff::/64-128       65010 2001:db8:4242::11                       valid

  IPv4 records: 0
  IPv6 records: 18

Here is an example of an accepted route:

> show route protocol bgp table inet6 extensive all
inet6.0: 11 destinations, 11 routes (8 active, 0 holddown, 3 hidden)
2001:db8:bb::42/128 (1 entry, 0 announced)
        *BGP    Preference: 170/-101
                Next hop type: Router, Next hop index: 0
                Address: 0xd050470
                Next-hop reference count: 4
                Source: 2001:db8:42::a12
                Next hop: 2001:db8:42::a12 via em1.0, selected
                Session Id: 0x0
                State: <Active NotInstall Ext>
                Local AS: 65006 Peer AS: 65000
                Age: 12:11
                Validation State: valid
                Task: BGP_65000.2001:db8:42::a12+179
                AS path: 65006 I
                Accepted
                Localpref: 100
                Router ID: 1.1.1.1

A rejected route would be similar with the reason “rejected by import policy” shown in the details and the validation state would be invalid.

Configuring BIRD

BIRD supports both plain-text TCP and SSH. Let’s configure it to use SSH. We need to generate keypairs for both the leaf router and the validators (they can all share the same keypair). We also have to create a known_hosts file for BIRD:

(validatorX)$ ssh-keygen -qN "" -t rsa -f /etc/gortr/ssh_key
(validatorX)$ echo -n "validatorX:8283 " ; \
              cat /etc/gortr/ssh_key.pub
validatorX:8283 ssh-rsa AAAAB3[…]Rk5TW0=
(leaf1)$ ssh-keygen -qN "" -t rsa -f /etc/bird/ssh_key
(leaf1)$ echo 'validator1:8283 ssh-rsa AAAAB3[…]Rk5TW0=' >> /etc/bird/known_hosts
(leaf1)$ echo 'validator2:8283 ssh-rsa AAAAB3[…]Rk5TW0=' >> /etc/bird/known_hosts
(leaf1)$ cat /etc/bird/ssh_key.pub
ssh-rsa AAAAB3[…]byQ7s=
(validatorX)$ echo 'ssh-rsa AAAAB3[…]byQ7s=' >> /etc/gortr/authorized_keys

GoRTR needs additional flags to allow connections over SSH:

$ gortr -refresh=600 -verify=false -checktime=false \
      -cache=http://127.0.0.1/rpki.json \
      -ssh.bind=:8283 \
      -ssh.key=/etc/gortr/ssh_key \
      -ssh.method.key=true \
      -ssh.auth.user=rpki \
      -ssh.auth.key.file=/etc/gortr/authorized_keys
INFO[0000] Enabling ssh with the following authentications: password=false, key=true
INFO[0000] New update (7 uniques, 8 total prefixes). 0 bytes. Updating sha256 hash  -> 68a1d3b52db8d654bd8263788319f08e3f5384ae54064a7034e9dbaee236ce96
INFO[0000] Updated added, new serial 1

Then, we can configure BIRD to use these RTR servers:

roa6 table ROA6;
template rpki VALIDATOR {
   roa6 { table ROA6; };
   transport ssh {
     user "rpki";
     remote public key "/etc/bird/known_hosts";
     bird private key "/etc/bird/ssh_key";
   };
   refresh keep 30;
   retry keep 30;
   expire keep 3600;
}
protocol rpki VALIDATOR1 from VALIDATOR {
   remote validator1 port 8283;
}
protocol rpki VALIDATOR2 from VALIDATOR {
   remote validator2 port 8283;
}

Unlike JunOS, BIRD doesn’t have a feature to only use a subset of validators. Therefore, we only configure two of them. As a safety measure, if both connections become unavailable, BIRD will keep the ROAs for one hour.

We can query the state of the RTR sessions and the database:

> show protocols all VALIDATOR1
Name       Proto      Table      State  Since         Info
VALIDATOR1 RPKI       ---        up     17:28:56.321  Established
  Cache server:     rpki@validator1:8283
  Status:           Established
  Transport:        SSHv2
  Protocol version: 1
  Session ID:       0
  Serial number:    1
  Last update:      before 25.212 s
  Refresh timer   : 4.787/30
  Retry timer     : ---
  Expire timer    : 3574.787/3600
  No roa4 channel
  Channel roa6
    State:          UP
    Table:          ROA6
    Preference:     100
    Input filter:   ACCEPT
    Output filter:  REJECT
    Routes:         9 imported, 0 exported, 9 preferred
    Route change stats:     received   rejected   filtered    ignored   accepted
      Import updates:              9          0          0          0          9
      Import withdraws:            0          0        ---          0          0
      Export updates:              0          0          0        ---          0
      Export withdraws:            0        ---        ---        ---          0

> show route table ROA6
Table ROA6:
    2001:db8:11::/64-128 AS65006  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:11::/64-128 AS65009  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:aa::/64-128 AS65005  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:bb::/64-128 AS65006  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:cc::/64-128 AS65007  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:dd::/64-128 AS65008  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:ee::/64-128 AS65009  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)
    2001:db8:ff::/64-128 AS65010  [VALIDATOR1 17:28:56.333] * (100)
                                  [VALIDATOR2 17:28:56.414] (100)

Like for the JunOS case, a malicious actor could try to work around the validation by building an AS path where the last AS number is the legitimate one. BIRD is flexible enough to allow us to use any AS to check the IP prefix. Instead of checking the origin AS, we ask it to check the peer AS with this function, without looking at the AS path:

function validated(int peeras) {
   if (roa_check(ROA6, net, peeras) != ROA_VALID) then {
      print "Ignore invalid ROA ", net, " for ASN ", peeras;
      reject;
   }
   accept;
}

The BGP instance is then configured to use the above function as the import policy:

protocol bgp PEER1 {
   local as 65100;
   neighbor 2001:db8:42::a10 as 65005;
   ipv6 {
      import keep filtered;
      import where validated(65005);
      # export …;
   };
}

You can view the rejected routes with show route filtered, but BIRD does not store information about the validation state in the routes. You can also watch the logs:

2019-07-31 17:29:08.491 <INFO> Ignore invalid ROA 2001:db8:bb::40:/126 for ASN 65005

Currently, BIRD does not reevaluate the prefixes when the ROAs are updated. There is work in progress to fix this. If this feature is important to you, have a look at FRR instead: it also supports the RTR protocol and triggers a soft reconfiguration of the BGP sessions when ROAs are updated.
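As an added example (not code from the original post), here is a small Python model of the two import policies described above: the JunOS chain (ONLY-DIRECTLY-CONNECTED, enforce-first-as, ACCEPT-VALID) and BIRD's validated(peeras) function, run against a ROA table constructed from the validation database shown earlier. It shows why validating only the origin AS lets a prepended path through, while validating the peer AS does not.

```python
from ipaddress import ip_network

# ROA table constructed from the "show validation database" output above:
# (prefix, max length, authorised origin AS). All values are sample data.
ROAS = [
    ("2001:db8:11::/64", 128, 65006),
    ("2001:db8:11::/64", 128, 65009),
    ("2001:db8:aa::/64", 128, 65005),
    ("2001:db8:bb::/64", 128, 65006),
    ("2001:db8:cc::/64", 128, 65007),
    ("2001:db8:dd::/64", 128, 65008),
    ("2001:db8:ee::/64", 128, 65009),
    ("2001:db8:ff::/64", 128, 65010),
]

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"


def roa_check(roas, prefix, asn):
    """RFC 6811 origin validation, as BIRD's roa_check() or the JunOS
    validation-database does it: 'unknown' when no ROA covers the prefix,
    'valid' when a covering ROA names this AS and the prefix length is
    within its max length, otherwise 'invalid'."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, roa_asn in roas:
        roa_net = ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == asn and net.prefixlen <= maxlen:
            return VALID
    return INVALID if covered else UNKNOWN


def origin_only_policy(roas, prefix, as_path):
    """Naive policy: validate the origin AS (last element of the AS path)
    and nothing else. A neighbour that prepends its own AS in front of the
    legitimate origin passes this check."""
    return roa_check(roas, prefix, as_path[-1]) == VALID


def leaf_policy(roas, prefix, as_path, peer_as):
    """Policy from the post, equivalent on JunOS to
    ONLY-DIRECTLY-CONNECTED + enforce-first-as + ACCEPT-VALID, and on BIRD
    to 'import where validated(peer_as)': the path must contain exactly one
    AS, that AS must be the peer, and the peer must hold a ROA for the prefix."""
    if len(as_path) != 1:
        return False            # ONLY-DIRECTLY-CONNECTED: reject longer paths
    if as_path[0] != peer_as:
        return False            # enforce-first-as: first AS must be the peer
    return roa_check(roas, prefix, peer_as) == VALID   # validated(peeras)


if __name__ == "__main__":
    # AS 65007 prepends itself to the legitimate origin of 2001:db8:dd::/64.
    hijack = ("2001:db8:dd::/64", [65007, 65008])
    print("origin-only accepts prepended path:", origin_only_policy(ROAS, *hijack))
    print("leaf policy accepts prepended path:", leaf_policy(ROAS, *hijack, peer_as=65007))
    # The route the BIRD log line above rejected: AS 65005 has no ROA for bb::/64.
    print("bb::40/126 from AS 65005:", roa_check(ROAS, "2001:db8:bb::40/126", 65005))
```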


  1. Notably, the data flow and the control plane are separated. A node can remove itself by notifying its peers without losing a single packet. ↩︎

  2. People often use AS sets, like AS-APPLE in this example, as they are convenient if you have multiple AS numbers or customers. However, there is currently nothing preventing a rogue actor from adding arbitrary AS numbers to their AS set. ↩︎

  3. We are using 16-bit AS numbers for readability. Because we need to assign a different AS number for each host in the datacenter, in an actual deployment, we would use 32-bit AS numbers. ↩︎

  4. Cisco routers and FRR enforce the first AS by default. It is a tunable value to allow the use of route servers: they distribute prefixes on behalf of other routers. ↩︎

Worse Than FailureError'd: Choice is but an Illusion

"If you choose not to decide which button to press, you still have made a choice," Rob H. wrote.

 

"If you have a large breed cat, or small dog, the name doesn't matter, it just has to get the job done," writes Bryan.

 

Mike R. wrote, "Thanks Dropbox. Because your survey can't add, I missed out on my chance to win a gift card. Way to go guys..."

 

"There was a magnitude 7.1 earthquake near Ridgecrest, CA on 7/5/2019 at 8:25PM PDT. I visited the USGS earthquakes page, clicked on the earthquake link, and clicked on the 'Did you feel it?' link, because we DID feel it here in Sacramento, CA, 290 miles away," Ken M. wrote, "Based on what I'm seeing though, I think they may call it a 'bat-quake' instead."

 

Benjamin writes, "Apparently Verizon is trying to cast a spell on me because I used too much data."

 

Daniel writes, "German telekom's customer center site is making iFrames sexy again."

 


Planet DebianJunichi Uekawa: Started wanting to move stuff to docker.

Started wanting to move stuff to docker. Especially around build systems. If things are mutable they will go bad and fixing them is annoying.


Cory DoctorowPaul Di Filippo on Radicalized: “Upton-Sinclairish muckraking, and Dickensian-Hugonian ashcan realism”

I was incredibly gratified and excited to read Paul Di Filippo’s Locus review of my latest book, Radicalized; Di Filippo is a superb writer, one of the original, Mirrorshades cyberpunks, and he is a superb and insightful literary critic, so when I read his superlative-laden review of my book today, it was an absolute thrill (I haven’t been this excited about a review since Bruce Sterling reviewed Walkaway).


There’s so much to be delighted by in this review, not least a comparison to Rod Serling (!). Below, a couple paras of especial note.

His latest, a collection of four novellas, subtitled “Four Tales of Our Present Moment”, fits the template perfectly, and extends his vision further into a realm where impassioned advocacy, Upton-Sinclairish muckraking, and Dickensian-Hugonian ashcan realism drives a kind of partisan or Cassandran science fiction seen before mostly during the post-WWII atomic bomb panic (think On the Beach) and 1960s New Wave-Age of Aquarius agitation (think Bug Jack Barron). Those earlier troubled eras resonate with our current quandary, but the “present moment” under Doctorow’s microscope – or is that a sniper’s crosshairs? – has its own unique features that he seeks to elucidate. These stories walk a razor’s edge between literature and propaganda, aesthetics and bludgeoning, subtlety and stridency, rant and revelation. The only guaranteed outcome after reading is that no one can be indifferent to them…

…The Radicalized collection strikes me in some sense as an episode of a primo TV anthology series – Night Gallery in the classical mode, or maybe in a more modern version, Philip K. Dick’s Electric Dreams. It gives us polymath Cory Doctorow as talented Rod Serling – himself both a dreamer and a social crusader – telling us that he’s going to show us, as vividly as he can, several nightmares or future hells, but that somehow the human spirit and soul will emerge intact and even triumphant.


Paul Di Filippo Reviews Radicalized by Cory Doctorow [Paul Di Filippo/Locus]

Planet DebianMike Gabriel: My Work on Debian LTS/ELTS (July 2019)

In July 2019, I have worked on the Debian LTS project for 15.75 hours (of 18.5 hours planned) and on the Debian ELTS project for another 12 hours (as planned) as a paid contributor.

LTS Work

  • Upload to jessie-security: libssh2 (DLA 1730-3) [1]
  • Upload to jessie-security: libssh2 (DLA 1730-4) [2]
  • Upload to jessie-security: glib2.0 (DLA 1866-1) [3]
  • Upload to jessie-security: wpa (DLA 1867-1) [4]

The Debian Security package archive only has arch-any buildds attached, so source packages that build at least one arch-all bin:pkg must include the arch-all DEBs from a local build. So, ideally, we upload source + arch-all builds and leave the arch-any builds to the buildds. However, this seems to be problematic when doing the builds using sbuild. So, I spent a little time on...

  • sbuild: Try to understand the mechanism of building arch-all + source package (i.e. omit arch-any uploads)... Unfortunately, there is no "-g" option (like in dpkg-buildpackage). Neither does the parameter combination ''--source --arch-all --no-arch-any'' result in a source + arch-all build. More investigation / communication with the developers of sbuild required here. To be continued...

ELTS Work

  • Upload to wheezy-lts: freetype (ELA 149-1) [5]
  • Upload to wheezy-lts: libssh2 (ELA 99-3) [6]

References

Planet DebianGunnar Wolf: Goodbye, pgp.gwolf.org

I started running an SKS keyserver a couple of years ago (don't really remember, but I think it was around 2014). I am, as you probably expect me to be given my lines of work, a believer of the Web-of-Trust model upon which the PGP network is built. I have published a couple of academic papers (Strengthening a Curated Web of Trust in a Geographically Distributed Project, with Gina Gallegos, Cryptologia 2016, and Insights on the large-scale deployment of a curated Web-of-Trust: the Debian project’s cryptographic keyring, with Victor González Quiroga, Journal of Internet Services and Applications, 2018) and presented at several conferences regarding some aspects of it, mainly in relation to the Debian project.

Even in light of the recent flooding attacks (more info by dkg, Daniel Lange, Michael Altfield, others available; GnuPG task tracker), I still believe in the model. But I have had enough of the implementation's brittleness. I don't know how much to blame SKS and how much to blame myself, but I cannot devote more time to fiddling around to try to get it to work as it should — I was providing an unstable service. Besides, this year I had to rebuild the database three times already due to it getting corrupted... And yesterday I just could not get past segfaults when importing.

So, I have taken the unhappy decision to shut down my service. I have contacted both the SKS mailing list and the servers I was peering with. Due to the narrow scope of a single SKS server, possibly this post is not needed... But it won't hurt, so here it goes.

Planet DebianThomas Goirand: My work during DebCamp / DebConf

Lots of uploads

Grepping my IRC log for the BTS bot output shows that I uploaded roughly 244 times in Curitiba.

Removing Python 2 from OpenStack by uploading OpenStack Stein in Sid

Most of these uploads were uploading OpenStack Stein from Experimental to Sid, with a breaking record of 96 uploads in a single day. As the work for Python 2 removal was done before the Buster release (uploads in Experimental), this effectively removed a lot of Python 2 support.

Removing Python 2 from Django packages

But once that was done, I started uploading some Django packages. Indeed, since Django 2.2 was uploaded to Sid with the removal of Python 2 support, a lot of dangling python-django-* needed to be fixed. Not only Python 2 support needed to be removed from them, but often, patches were needed in order to fix at least unit tests since Django 2.2 removed a lot of things that were deprecated since a few earlier versions. I went through all of the django packages we have in Debian, and I believe I fixed most of them. I uploaded 43 times some Django packages, fixing 39 packages.

Removing Python 2 support from non-django or OpenStack packages

During the Python BoF at Curitiba, we collectively decided it was time to remove Python 2, and that we’ll try to do as much of that work as possible before Bullseye. Details of this will come from our dear leader p1otr, so I’ll let him write the document and won’t comment (yet) on how we’re going to proceed. Anyway, we already have a “python2-rm” release tracker. After the Python BoF, I then also started removing Python 2 support on a few packages with more generic usage. Hopefully, touching only leaf packages, without breaking things. I’m not sure of the total count of packages that I touched, probably a bit less than a dozen.

Horizon broken in Sid since the beginning of July

Unfortunately, Horizon, the OpenStack dashboard, is currently still broken in Debian Sid. Indeed, since Django 1.11, the login() function in views.py has been deprecated in favor of a LoginView class. And in Django 2.2, the support for the function has been removed. As a consequence, since the 9th of July, when Django 2.2 was uploaded, Horizon’s openstack_auth/views.py is broken. Upstream says they are targeting Django 2.2 for next February. That’s way too late. Hopefully, someone will be able to fix this situation with me (it’s probably a bit too much for my Django skills). Once this is fixed, I’ll be able to work on all the Horizon plugins which are still in Experimental. Note that I already fixed all of Horizon’s reverse dependencies in Sid, but some of the patches need to be upstreamed.

Next work (from home): fixing piuparts

I’ve already written a first attempt at a patch for piuparts, so that it uses Python 3 and not Python 2 anymore. That patch is already a merge request in Salsa, though I haven’t had the time to test it yet. What’s remaining to do is: actually test using piuparts with this patch, and fix debian/control so that it switches to Python 2.

Planet DebianSylvain Beucler: Debian LTS - July 2019


Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18.5h.

My time was mostly spent on Front-Desk duties, as well as improving our scripts & docs.

Current vulnerabilities triage:

  • CVE-2019-13117/libxslt CVE-2019-13118/libxslt: triage (affected, dla-needed)
  • CVE-2019-12781/python-django: triage (affected)
  • CVE-2019-12970/squirrelmail: triage (affected)
  • CVE-2019-13147/audiofile: triage (postponed)
  • CVE-2019-12493/poppler: jessie triage (postponed)
  • CVE-2019-13173/node-fstream: jessie triage (node-* not supported)
  • exiv2: jessie triage (5 CVEs, none to fix - CVE-2019-13108 CVE-2019-13109 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114)
  • CVE-2019-13207/nsd: jessie triage (affected, postponed)
  • CVE-2019-11272/libspring-security-2.0-java: jessie triage (affected, dla-needed)
  • CVE-2019-13312/ffmpeg: (libav) jessie triage (not affected)
  • CVE-2019-13313/libosinfo: jessie triage (affected, postponed)
  • CVE-2019-13290/mupdf: jessie triage (not-affected)
  • CVE-2019-13351/jackd2: jessie triage (affected, postponed)
  • CVE-2019-13345/squid3: jessie triage (2 XSS: 1 unaffected, 1 reflected affected, dla-needed)
  • CVE-2019-11841/golang-go.crypto: jessie triage (affected, dla-needed)
  • Call for triagers for the upcoming weeks

Past undetermined issues triage:

  • libgig: contact maintainer about 17 pending undetermined CVEs
  • libsixel: contact maintainer about 6 pending undetermined CVEs
  • netpbm-free - actually an old Debian-specific fork: contact original reporter for PoCs and attach them to BTS; CVE-2017-2579 and CVE-2017-2580 not-affected, doubts about CVE-2017-2581

Documentation:

Tooling - bin/lts-cve-triage.py:

  • filter out 'undetermined' but explicitly 'ignored' packages (e.g. jasperreports)
  • fix formatting with no-colors output, hint that color output is available
  • display lts' nodsa sub-states
  • upgrade unsupported packages list to jessie

Worse Than FailureCodeSOD: Close to the Point

Lena inherited some C++ code which had issues regarding a timeout. While skimming through the code, one block in particular leapt out. This was production code which had been running in this state for some time.

if((pFile) && (pFile != (FILE *)(0xcdcdcdcd))) {
    fclose(pFile);
    pFile = NULL;
}

The purpose of this code is, as you might gather from the call to fclose, to close a file handle represented by pFile, a pointer to the handle. This code is mostly fine, but with one, big, glaring “hunh?”, and it’s this bit here: (pFile != (FILE *)(0xcdcdcdcd))

(FILE *)(0xcdcdcdcd) casts the number 0xcdcdcdcd to a file pointer; essentially it creates a pointer pointing at memory address 0xcdcdcdcd. If pFile points to that address, we won’t close pFile. Is there a reason for this? Not that Lena could determine from the code. Did the 0xcdcdcdcd come from anywhere specific? Probably a previous developer trying to track down a bug and dumping addresses from the debugger. How did it get into production code? How long had it been there? It was impossible to tell. It was also impossible to tell if it was secretly doing something important, so Lena made a note to dig into it later, but focused on solving the timeout bug which had started this endeavor.


Planet DebianSteve Kemp: Building a computer - part 3

This is part three in my slow journey towards creating a home-brew Z80-based computer. My previous post demonstrated writing some simple code, and getting it running under an emulator. It also described my planned approach:

  • Hookup a Z80 processor to an Arduino Mega.
  • Run code on the Arduino to emulate RAM reads/writes and I/O.
  • Profit, via the learning process.

I expect I'll have to get my hands dirty with a breadboard and naked chips in the near future, but for the moment I decided to start with the least effort. Erturk Kocalar has a website where he sells "shields" (read: expansion-boards) which contain a Z80, and which are designed to plug into an Arduino Mega with no fuss. This is a simple design; I've seen a bunch of people demonstrate how to wire it up by hand, for example this post.

Anyway I figured I'd order one of those, and get started on the easy-part, the software. There was some sample code available from Erturk, but it wasn't ideal from my point of view because it mixed driving the Z80 with doing "other stuff". So I abstracted the core code required to interface with the Z80 and packaged it as a simple library.

The end result is that I have a z80 retroshield library which uses an Arduino mega to drive a Z80 with something as simple as this:

#include <z80retroshield.h>


//
// Our program, as hex.
//
unsigned char rom[32] =
{
    0x3e, 0x48, 0xd3, 0x01, 0x3e, 0x65, 0xd3, 0x01, 0x3e, 0x6c, 0xd3, 0x01,
    0xd3, 0x01, 0x3e, 0x6f, 0xd3, 0x01, 0x3e, 0x0a, 0xd3, 0x01, 0xc3, 0x16,
    0x00
};


//
// Our helper-object
//
Z80RetroShield cpu;


//
// RAM I/O function handler.
//
char ram_read(int address)
{
    return (rom[address]) ;
}


// I/O function handler.
void io_write(int address, char byte)
{
    if (address == 1)
        Serial.write(byte);
}


// Setup routine: Called once.
void setup()
{
    Serial.begin(115200);


    //
    // Setup callbacks.
    //
    // We have to setup a RAM-read callback, otherwise the program
    // won't be fetched from RAM and executed.
    //
    cpu.set_ram_read(ram_read);

    //
    // Then we setup a callback to be executed every time an "out (x),y"
    // instruction is encountered.
    //
    cpu.set_io_write(io_write);

    //
    // Configured.
    //
    Serial.println("Z80 configured; launching program.");
}


//
// Loop function: Called forever.
//
void loop()
{
    // Step the CPU.
    cpu.Tick();
}

All the logic of the program is contained in the Arduino sketch, and all the use of pins/RAM/I/O is hidden away. As a recap, the Z80 will make requests for memory contents to fetch the instructions it wants to execute. For general-purpose input/output there are two instructions that are used:

IN A, (1)   ; Read a character from STDIN, store in A-register.
OUT (1), A  ; Write the character in A-register to STDOUT

Here 1 is the I/O address, an 8-bit number. At the moment I've just configured the callback such that any write to I/O address 1 is dumped to the serial console.
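As an added example (not Steve's library code), here is a minimal Python model of the same callback design: a core that decodes only the instructions the 25-byte ROM above uses (ld a,n; out (n),a; jp nn; nop), fetches every byte through a ram_read callback and routes out instructions to an io_write callback, so the ROM's output can be seen without any hardware.

```python
# Constructed example: the ROM bytes are the same as in the Arduino sketch above.
ROM = bytes([
    0x3e, 0x48, 0xd3, 0x01, 0x3e, 0x65, 0xd3, 0x01, 0x3e, 0x6c, 0xd3, 0x01,
    0xd3, 0x01, 0x3e, 0x6f, 0xd3, 0x01, 0x3e, 0x0a, 0xd3, 0x01, 0xc3, 0x16,
    0x00,
])


class TinyZ80:
    """Just enough of a Z80 to run the ROM: PC, the A register, and the
    four opcodes it contains. Memory and ports are reached only through
    the two callbacks, mirroring set_ram_read() / set_io_write()."""

    def __init__(self, ram_read, io_write):
        self.ram_read = ram_read
        self.io_write = io_write
        self.pc = 0
        self.a = 0

    def fetch(self):
        """Read the byte at PC via the RAM callback and advance PC (16-bit wrap)."""
        value = self.ram_read(self.pc)
        self.pc = (self.pc + 1) & 0xFFFF
        return value

    def tick(self):
        """Execute one instruction; returns its mnemonic for tracing."""
        op = self.fetch()
        if op == 0x00:                       # NOP
            return "nop"
        if op == 0x3E:                       # LD A,n
            self.a = self.fetch()
            return f"ld a,{self.a:#04x}"
        if op == 0xD3:                       # OUT (n),A  -> io_write(port, A)
            port = self.fetch()
            self.io_write(port, self.a)
            return f"out ({port}),a"
        if op == 0xC3:                       # JP nn, little-endian address
            lo, hi = self.fetch(), self.fetch()
            self.pc = lo | (hi << 8)
            return f"jp {self.pc:#06x}"
        raise NotImplementedError(f"opcode {op:#04x} at {(self.pc - 1):#06x}")


def run_rom(rom, max_steps=64):
    """Run a ROM until it spins on a 'jp' to itself (the program's idle loop)
    or max_steps is reached; returns everything written to I/O port 1."""
    console = bytearray()

    def ram_read(address):
        # Reads past the end of the ROM return 0x00 (NOP), like zero-filled RAM.
        return rom[address] if address < len(rom) else 0

    def io_write(port, value):
        if port == 1:                        # port 1 is our "serial console"
            console.append(value)

    cpu = TinyZ80(ram_read, io_write)
    for _ in range(max_steps):
        before = cpu.pc
        cpu.tick()
        if cpu.pc == before:                 # jp to its own address: finished
            break
    return console.decode("ascii")


if __name__ == "__main__":
    print(repr(run_rom(ROM)))
```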

Anyway I put together a couple of examples of increasing complexity, allowing me to prove that RAM read/writes work, and that I/O reads and writes work.

I guess the next part is where I jump in complexity:

  • I need to wire a physical Z80 to a board.
  • I need to wire a PROM to it.
    • This will contain the program to be executed - hardcoded.
  • I need to provide power, and a clock to make the processor tick.

With a bunch of LEDs I'll have a Z80-system running, but it'll be isolated and hard to program. (Since I'll need to reflash the RAM/ROM-chip).

The next step would be getting it hooked up to a serial-console of some sort. And at that point I'll have a genuinely programmable standalone Z80 system.

Planet DebianKurt Kremitzki: Summer Update for FreeCAD & Debian Science Work

Hello, and welcome to my "summer update" on my free software work on FreeCAD and the Debian Science team. I call it a summer update because it was winter when I last wrote, and quite some time has elapsed since I fell out of the monthly update habit. This is a high-level summary of what I've been working on since March.

FreeCAD 0.18 Release & Debian 10 Full Freeze Timing



The official release date of FreeCAD 0.18 (release notes) is March 12, 2019, although the git tag for it wasn't pushed until March 14th. This timing was a bit unfortunate as the full freeze for Debian 10 went into effect March 12th, with a de-facto freeze date of March 2nd due to the 10 day testing migration period. To compound things, since this was my first Debian release as a packaging contributor, I didn't do things quite right such that while I probably could have gotten FreeCAD 0.18 into Debian 10, I didn't. Instead, what's available is a pre-release version from about a month before the release which is missing a few bugfixes and refinements.

On the positive side, this is an impetus for me to learn about Debian Backports, a way to provide non-bugfix updates to Debian Stable users. The 0.18 release line has already had several bugfix releases; I've currently got Debian Testing/Unstable as well as the Ubuntu Stable PPA up-to-date with version 0.18.3. As soon as I'm able, I'll get this version into Debian Backports, too.

FreeCAD PPA Improvements

Another nice improvement I've recently made is migrating the packaging for the Ubuntu Stable and Daily PPAs to Debian's GitLab instance at https://salsa.debian.org/science-team/freecad by creating the ppa/master and ppa/daily branches. Having all the Debian and Ubuntu packaging in one place means that propagating updates has become a matter of git merging and pushing. Once any changes are in place, I simply have to trigger an import and build on Launchpad for the stable releases. For the daily builds, changes are automatically synced and the debian directory from Salsa is combined with the latest synced upstream source from GitHub, so daily builds no longer have to be triggered manually. However, this has uncovered another problem in our process which is being worked on at the FreeCAD forums. (Thread: Finding a solution for the 'version.h' issue)

Science Team Package Updates



The main Science Team packages I've been working on recently have been OpenCASCADE, Netgen, Gmsh, and OpenFOAM.

For OpenCASCADE, I have uploaded the third bugfix release in the 7.3.0 series. Unfortunately, their versioning scheme is a bit unusual, so this version is tagged 7.3.0p3. This is unfortunate because dpkg --compare-versions 7.3.0p3+dfsg1 gt 7.3.0+dfsg1 evaluates to false. As such, I've uploaded this package as 7.3.3, with plans to contact upstream to discuss their bugfix release versioning scheme. Currently, version 7.4.0 has an upstream target release date for the end of August, so there will be an opportunity to convince them to release 7.4.1 instead of 7.4.0p1. If you're interested in the changes contained in this upload, you can refer to the upstream git log for more information.

In collaboration with Nico Schlömer and Anton Gladky, the newest Gmsh, version 4.4.1, has been uploaded to wait in the Debian NEW queue. See the upstream changelog for more information on what's new.

I've also prepared the package for the newest version of Netgen, 6.2.1905. Unfortunately, uploading this is blocked because 6.2.1810 is still in Debian NEW. However, I've tested compiling FreeCAD against Netgen, and I've been able to get the integration with it working again, so once I'm able to do this upload, I'll be able to upload a new and improved FreeCAD with the power of Netgen meshing.

I've also begun working on packaging the latest OpenFOAM release, 1906. I've gotten a little sidetracked, though, as a peculiarity in the way upstream prepares their tarballs seems to be triggering a bug in GNU tar. I should have this one uploaded soon. For a preview of what'll be coming, see the release notes for version 1906.

GitLab CI Experimentation with salsa.debian.org

Some incredibly awesome Debian contributors have set up the ability to use GitLab CI to automate the testing of Debian packages (see the documentation).

I did a bit of experimentation with it. Unfortunately, both OpenCASCADE and FreeCAD exceeded the 2 hour time limit. There's a lot of promise in it for smaller packages, though!

Python 2 Removal in Debian Underway

Per pythonclock.org, Python 2 has less than 5 months until its end-of-life, so the task of removing it for the next version of Debian has begun. For now, it's mainly limited to leaf packages with nothing depending on them. As such, I've uploaded Python 3-only packages for new upstream releases of python-fluids (a fluid dynamics engineering & design library) and python-ulmo (provides clean & simple access to public hydrology and climatology data).

Debian Developer Application

I've finally applied to become a full Debian Developer, which is an exciting prospect. I'll be more able to enact improvements without having to bug, well, mostly Anton, Andreas, and Tobias. (Thanks!) I'm also looking forward to having access to more resources to improve my packages on other architectures, particularly arm64 now that the Raspberry Pi 4 is out and potentially a serious candidate for a low-powered FreeCAD workstation.

The process is slow and calculating, as it should be, so it'll be some time before I'm officially in, but it sure will be cause for celebration.

Google Summer of Code Mentoring

Image: CC-BY-SA-4.0, Aswinshenoy.

I'm mentoring a Google Summer of Code project for FreeCAD this year! (See forum thread.) My student is quite new to FreeCAD and Debian/Ubuntu, so the first half of the project has involved the relatively deep-end topics of using Debian packaging to distribute bugfixes for FreeCAD and learning by exploring related packages in its ecosystem. In particular, focus was given to OpenCAMLib, since there is a lot of user and developer interest in FreeCAD's potential for generating toolpaths for machining and manufacturing the models created in the program.

Now that he's officially swimming and not sinking, the next phase is working on making development and packaging-related improvements for FreeCAD on Windows, which is in even rougher shape than Debian/Ubuntu, but more his area of familiarity. Stay tuned for the final results!

Thanks to my sponsors

This work is made possible in part by contributions from readers like you! You can send moral support my way via Twitter @thekurtwk. Financial support is also appreciated at any level and possible on several platforms: Patreon, Liberapay, and PayPal.

Planet DebianPaul Wise: FLOSS Activities July 2019

Changes

Issues

Review

Administration

  • apt-xapian-index: migrated repo to Salsa, merged some branches and patches
  • Debian: redirect user support request, answer porterbox access query,
  • Debian wiki: ping team member, re-enable accounts, unblock IP addresses, whitelist domains, whitelist email addresses, send unsubscribe info, redirect support requests
  • Debian QA services: deploy changes
  • Debian PTS: deploy changes
  • Debian derivatives census: disable cron job due to design flaws

Communication

Sponsors

The File::LibMagic, purple-discord, librecaptcha & harmony work was sponsored by my employer. All other work was done on a volunteer basis.

Planet DebianJonathan Carter: Free Software Activities (2019-07)

DC19 Group Photo

Group photo above taken at DebConf19 by Agairs Mahinovs.

2019-07-03: Upload calamares-settings-debian (10.0.20-1) (CVE-2019-13179) to debian unstable.

2019-07-05: Upload calamares-settings-debian (10.0.25-1) to debian unstable.

2019-07-06: Debian Buster Live final ISO testing for release, also attended Cape Town buster release party.

2019-07-08: Sponsor package ddupdate (0.6.4-1) for debian unstable (mentors.debian.net request, RFS: #931582)

2019-07-08: Upload package btfs (2.19-1) to debian unstable.

2019-07-08: Upload package calamares (3.2.11-1) to debian unstable.

2019-07-08: Request update for util-linux (BTS: #931613).

2019-07-08: Upload package gnome-shell-extension-dashtodock (66-1) to debian unstable.

2019-07-08: Upload package gnome-shell-extension-multi-monitors (18-1) to debian unstable.

2019-07-08: Upload package gnome-shell-extension-system-monitor (38-1) to debian unstable.

2019-07-08: Upload package gnome-shell-extension-tilix-dropdown (7-1) to debian unstable.

2019-07-08: Upload package python3-aniso8601 (7.0.0-1) to debian unstable.

2019-07-08: Upload package python-3-flask-restful (0.3.7-2) to debian unstable.

2019-07-08: Upload package xfce4-screensaver (0.1.6) to debian unstable.

2019-07-09: Sponsor package wordplay (8.0-1) (mentors.debian.net request).

2019-07-09: Sponsor package blastem (0.6.3.2-1) (mentors.debian.net request) (Closes RFS: #931263).

2019-07-09: Upload gnome-shell-extension-workspaces-to-dock (50-1) to debian unstable.

2019-07-09: Upload bundlewrap (3.6.1-2) to debian unstable.

2019-07-09: Upload connectagram (1.2.9-6) to debian unstable.

2019-07-09: Upload fracplanet (0.5.1-5) to debian unstable.

2019-07-09: Upload fractalnow (0.8.2-4) to debian unstable.

2019-07-09: Upload gnome-shell-extension-dash-to-panel (19-2) to debian unstable.

2019-07-09: Upload powerlevel9k (0.6.7-2) to debian unstable.

2019-07-09: Upload speedtest-cli (2.1.1-2) to debian unstable.

2019-07-11: Upload tetzle (2.1.4+dfsg1-2) to debian unstable.

2019-07-11: Review mentors.debian.net package hipercontracer (1.4.1-1).

2019-07-15 – 2019-07-28: Attend DebCamp and DebConf!

My DebConf19 mini-report:

There is really too much to write about that happened at DebConf; I hope to get some time and write separate blog entries on those really soon.

  • Participated in Bursaries BoF, I was chief admin of DebConf bursaries in this cycle. Thanks to everyone who already stepped up to help with next year.
  • Gave a lightning talk titled “Can you install Debian within a lightning talk slot?” where I showed off Calamares on the latest official live media. Spoiler alert: it barely doesn’t fit in the allotted time, something to fix for bullseye!
  • Participated in a panel called “Surprise, you’re a manager!“.
  • Hosted “Debian Live BoF” – we made some improvements for the live images during the buster cycle, but there’s still a lot of work to do so we held a session to cut out our initial work for Debian 11.
  • Got the debbug and missed the day trip, I hope to return to this part of Brazil one day, so much to explore in just the surrounding cities.
  • The talk selection this year was good, there’s a lot that I learned and caught up on that I probably wouldn’t have done if it wasn’t for DebConf. Talks are recorded (http archive, YouTube). PS: If you find something funny, please link (with time stamp) on the FunnyMoments wiki page (that page is way too bare right now).

Planet DebianChris Lamb: Free software activities in July 2019

Here is my monthly update covering what I have been doing in the free software world during July 2019 (previous month):


Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.


This month:

I spent a significant amount of time working on our website this month, including:

  • Split out our non-fiscal sponsors with a description [...] and make them non-display three-in-a-row [...].
  • Correct references to "1&1 IONOS" (née Profitbricks). [...]
  • Lets not promote yet more ambiguity in our environment names! [...]
  • Recreate the badge image, saving the .svg alongside it. [...]
  • Update our fiscal sponsors. [...][...][...]
  • Tidy the weekly reports section on the news page [...], fixup the typography on the documentation page [...] and make all headlines stand out a bit more [...].
  • Drop some old CSS files and fonts. [...]
  • Tidy news page a bit. [...]
  • Fixup a number of issues in the report template and previous reports. [...][...][...][...][...][...]

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Add support for Java .jmod modules (#60). However, not all versions of file(1) support detection of these files yet, so we perform a manual comparison instead [...].
  • If a command fails to execute but does not print anything to standard error, try and include the first line of standard output in the message we include in the difference. This was motivated by readelf(1) returning its error messages on standard output. (#59) [...]
  • Add general support for file(1) 5.37 (#57) but also adjust the code to not fail in tests when, e.g., we do not have a sufficiently new or old version of file(1) (#931881).
  • Factor out the ability to ignore the exit codes of zipinfo and zipinfo -v in the presence of non-standard headers. [...] but only override the exit code from our special-cased calls to zipinfo(1) if they are 1 or 2 to avoid potentially masking real errors [...].
  • Cease ignoring test failures in stable-backports. [...]
  • Add missing textual DESCRIPTION headers for .zip and "Mozilla"-optimised .zip files. [...]
  • Merge two overlapping environment variables into a single DIFFOSCOPE_FAIL_TESTS_ON_MISSING_TOOLS. [...]
  • Update some reporting:
    • Re-add "return code" noun to "Command foo exited with X" error messages. [...]
    • Use repr(..)-style output when printing DIFFOSCOPE_TESTS_FAIL_ON_MISSING_TOOLS in skipped test rationale text. [...]
    • Skip the extra newline in Output:\nfoo. [...]
  • Add some explicit return values to appease Pylint, etc. [...]
  • Also include the python3-tlsh in the Debian test dependencies. [...]
  • Released and uploaded versions 116, 117, 118, 119 & 120. [...][...][...][...][...]


strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

  • Support OpenJDK ".jmod" files. [...]
  • Identify data files from the Common Data Access (CODA) framework as being .zip files. [...]
  • Pass --no-sandbox where necessary to bypass the seccomp-enabled version of file(1), which was causing a huge number of regressions in our testing framework.
  • Don't just run the tests but build the Debian package instead using Salsa's centralised scripts so that we get code coverage, Lintian, autopkgtests, etc. [...][...]
  • Update tests:
    • Don't build release Git tags on salsa.debian.org. [...]
    • Merge the debian branch into the master branch to simplify testing and deployment [...] and update debian/gbp.conf to match [...].
  • Drop misleading and outdated MANIFEST and MANIFEST.SKIP files as they are not used by our release process. [...]

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS (ELTS) project.


Uploads

I also made "sourceful" uploads to unstable to ensure migration to testing after recent changes that prevent maintainer-supplied packages entering bullseye for bfs (1.5-3), redis (5:5.0.5-2), lastpass-cli (1.3.3-2), python-daiquiri (1.5.0-3) and I finally performed a sponsored upload of elpy (1.29.1+40.gb929013-1).


FTP Team

As a Debian FTP assistant I ACCEPTed 19 packages: aiorwlock, bolt, caja-mediainfo, cflow, cwidget, dgit, fonts-smc-gayathri, gmt, gnuastro, guile-gcrypt, guile-sqlite3, guile-ssh, hepmc3, intel-gmmlib, iptables, mescc-tools, nyacc, python-pdal & scheme-bytestructures. I additionally filed a bug against scheme-bytestructures for having a seemingly-incomplete debian/copyright file. (#932466)

CryptogramAnother Attack Against Driverless Cars

In this piece of research, attackers successfully attack a driverless car system -- Renault Captur's "Level 0" autopilot (Level 0 systems advise human drivers but do not directly operate cars) -- by following them with drones that project images of fake road signs in 100ms bursts. The time is too short for human perception, but long enough to fool the autopilot's sensors.

Boing Boing post.

Planet DebianMichael Prokop: Some useful bits about Linux hardware support and patched Kernel packages

Disclaimer: I started writing this blog post in May 2018, when Debian/stretch was the current stable release of Debian, but published this article in August 2019, so please keep the version information (Debian releases + kernels not being up2date) in mind.

The kernel version of Debian/stretch (4.9.0) didn’t support the RAID controller present in Lenovo ThinkSystem SN550 blade servers yet. The RAID controller was known to be supported by Ubuntu 18.10 using kernel v4.15 as well as by Grml ISOs using kernel v4.15 and newer. Using a more recent Debian kernel version wasn’t really an option for my customer, as there was no LTS kernel version that could be relied on. Using the kernel version from stretch-backports could have been an option, though only as a last resort, since the customer this applied to controls the Debian repositories in use and we’d have to track security issues more closely, test new versions of the kernel on different kinds of hardware more often, and so on, whereas the kernel version from Debian/stable is known to be working fine and is less in flux than the ones from backports. Alright, so it doesn’t support this new hardware model yet, but how do we identify the relevant changes in the kernel to have a chance of getting it supported in the stable Debian kernel?

Some bits about PCI IDs and related kernel drivers

We start by identifying the relevant hardware:

root@grml ~ # lspci | grep 'LSI.*RAID'
08:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID Tri-Mode SAS3404 (rev 01)
root@grml ~ # lspci -s '08:00.0'
08:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID Tri-Mode SAS3404 (rev 01)

Which driver gets used for this device?

root@grml ~ # lspci -k -s '08:00.0'
08:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID Tri-Mode SAS3404 (rev 01)
        Subsystem: Lenovo ThinkSystem RAID 530-4i Flex Adapter
        Kernel driver in use: megaraid_sas
        Kernel modules: megaraid_sas

So it’s the megaraid_sas driver, let’s check some version information:

root@grml ~ # modinfo megaraid_sas | grep version
version:        07.703.05.00-rc1
srcversion:     442923A12415C892220D5F0
vermagic:       4.15.0-1-grml-amd64 SMP mod_unload modversions

But how does the kernel know which driver should be used for this device? We start by listing further details about the hardware device:

root@grml ~ # lspci -n -s 0000:08:00.0
08:00.0 0104: 1000:001c (rev 01)

The 08:00.0 is the hardware slot information ([domain:]bus:device.function), the 0104 is the class (0104 being a RAID bus controller; also see /usr/share/misc/pci.ids by searching for `C 01` and then `04` beneath it), and the (rev 01) obviously is the revision number. We’re interested in the 1000:001c though. The 1000 identifies the vendor:

% grep '^1000' /usr/share/misc/pci.ids
1000  LSI Logic / Symbios Logic

The `001c` finally identifies the actual model. Having this information available, we can check the mapping of the megaraid_sas driver, using the `modules.alias` file of the kernel:

root@grml ~ # grep -i '1000.*001c' /lib/modules/$(uname -r)/modules.alias
alias pci:v00001000d0000001Csv*sd*bc*sc*i* megaraid_sas
root@grml ~ # modinfo megaraid_sas | grep -i 001c
alias:          pci:v00001000d0000001Csv*sd*bc*sc*i*

Bingo! Now we can check this against the Debian/stretch kernel, which doesn’t support this device yet:

root@stretch:~# modinfo megaraid_sas | grep version
version:        06.811.02.00-rc1
srcversion:     64B34706678212A7A9CC1B1
vermagic:       4.9.0-6-amd64 SMP mod_unload modversions
root@stretch:~# modinfo megaraid_sas | grep -i 001c
root@stretch:~#

No match here – bingo²! Now we know for sure that the ID 001c is relevant for us. How do we identify the corresponding change in the Linux kernel though?
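To make the mapping from the lspci output to the modules.alias line concrete, here is an added example (not code from the original post): it builds the kernel-style modalias string from an `lspci -n` line and matches it, fnmatch-style as modprobe does, against constructed excerpts of modules.alias with and without the 001C entry. The subsystem IDs and the programming interface are not printed by `lspci -n`, so they are assumed parameters with placeholder defaults here.

```python
import fnmatch
import re

# Added illustration of how a PCI device is mapped to a driver: the kernel
# exposes a "modalias" string built from the vendor/device/subsystem IDs and
# class code, and modules.alias holds glob patterns plus the module that
# claims them; modprobe matches the two fnmatch-style.

# Constructed excerpts of modules.alias. The 001C line is the one the post
# found on the 4.15 kernel; 0052/0053 are the CUTLASS IDs visible in the diff
# context (present before the commit). The 4.9 excerpt deliberately lacks 001C.
MODULES_ALIAS_4_15 = """\
alias pci:v00001000d0000001Csv*sd*bc*sc*i* megaraid_sas
alias pci:v00001000d00000052sv*sd*bc*sc*i* megaraid_sas
alias pci:v00001000d00000053sv*sd*bc*sc*i* megaraid_sas
alias pci:v*d*sv*sd*bc0Csc03i30* xhci_pci
"""
MODULES_ALIAS_4_9 = """\
alias pci:v00001000d00000052sv*sd*bc*sc*i* megaraid_sas
alias pci:v00001000d00000053sv*sd*bc*sc*i* megaraid_sas
alias pci:v*d*sv*sd*bc0Csc03i30* xhci_pci
"""

# One line of `lspci -n` output: "[domain:]bus:dev.fn class: vendor:device (rev xx)".
_LSPCI_N = re.compile(
    r"^(?P<domain>[0-9a-f]{4}:)?(?P<slot>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]) "
    r"(?P<cls>[0-9a-f]{4}): (?P<ven>[0-9a-f]{4}):(?P<dev>[0-9a-f]{4})"
    r"(?: \(rev (?P<rev>[0-9a-f]{2})\))?$",
    re.IGNORECASE,
)


def pci_modalias(vendor, device, subvendor, subdevice, base_class, sub_class, interface):
    """Format the IDs the way the kernel exposes them in sysfs 'modalias'."""
    return "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X" % (
        vendor, device, subvendor, subdevice, base_class, sub_class, interface)


def modalias_from_lspci(line, subvendor=0, subdevice=0, interface=0):
    """Build the modalias for one `lspci -n` line.

    `lspci -n` prints neither the subsystem IDs nor the programming
    interface, so they are parameters with placeholder defaults here
    (an assumption of this example; real values come from sysfs).
    """
    m = _LSPCI_N.match(line.strip())
    if not m:
        raise ValueError("not an `lspci -n` line: %r" % line)
    cls = int(m["cls"], 16)  # e.g. 0x0104 -> base class 0x01, subclass 0x04
    return pci_modalias(int(m["ven"], 16), int(m["dev"], 16),
                        subvendor, subdevice, cls >> 8, cls & 0xFF, interface)


def parse_modules_alias(text):
    """Return (pattern, module) pairs from the text of a modules.alias file."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "alias":
            entries.append((parts[1], parts[2]))
    return entries


def find_modules(modalias, entries):
    """Modules whose alias pattern matches this device, as modprobe would see it."""
    return sorted({mod for pat, mod in entries if fnmatch.fnmatchcase(modalias, pat)})


if __name__ == "__main__":
    line = "08:00.0 0104: 1000:001c (rev 01)"  # the lspci -n line from the post
    alias = modalias_from_lspci(line)
    print(alias)  # pci:v00001000d0000001Csv00000000sd00000000bc01sc04i00
    print(find_modules(alias, parse_modules_alias(MODULES_ALIAS_4_15)))  # ['megaraid_sas']
    print(find_modules(alias, parse_modules_alias(MODULES_ALIAS_4_9)))   # []
```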

The file drivers/scsi/megaraid/megaraid_sas.h of the kernel source lists the PCI device IDs supported by the megaraid_sas driver. Since we know that kernel v4.9 doesn’t support it yet, while it’s supported with v4.15, we can run "git log v4.9..v4.15 drivers/scsi/megaraid/megaraid_sas.h" in the git repository of the kernel to go through the relevant changes. It’s easier to run "git blame drivers/scsi/megaraid/megaraid_sas.h" though – then we’ll stumble upon our ID from before – `0x001C` – right at the top:

[...]
45f4f2eb3da3c (Sasikumar Chandrasekaran   2017-01-10 18:20:43 -0500   59) #define PCI_DEVICE_ID_LSI_VENTURA                 0x0014
754f1bae0f1e3 (Shivasharan S              2017-10-19 02:48:49 -0700   60) #define PCI_DEVICE_ID_LSI_CRUSADER                0x0015
45f4f2eb3da3c (Sasikumar Chandrasekaran   2017-01-10 18:20:43 -0500   61) #define PCI_DEVICE_ID_LSI_HARPOON                 0x0016
45f4f2eb3da3c (Sasikumar Chandrasekaran   2017-01-10 18:20:43 -0500   62) #define PCI_DEVICE_ID_LSI_TOMCAT                  0x0017
45f4f2eb3da3c (Sasikumar Chandrasekaran   2017-01-10 18:20:43 -0500   63) #define PCI_DEVICE_ID_LSI_VENTURA_4PORT               0x001B
45f4f2eb3da3c (Sasikumar Chandrasekaran   2017-01-10 18:20:43 -0500   64) #define PCI_DEVICE_ID_LSI_CRUSADER_4PORT      0x001C
[...]

Alright, the relevant change was commit 45f4f2eb3da3c:

commit 45f4f2eb3da3cbff02c3d77c784c81320c733056
Author: Sasikumar Chandrasekaran […]
Date:   Tue Jan 10 18:20:43 2017 -0500

    scsi: megaraid_sas: Add new pci device Ids for SAS3.5 Generic Megaraid Controllers
    
    This patch contains new pci device ids for SAS3.5 Generic Megaraid Controllers
    
    Signed-off-by: Sasikumar Chandrasekaran […]
    Reviewed-by: Tomas Henzl […]
    Signed-off-by: Martin K. Petersen […]

diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h
index fdd519c1dd57..cb82195a8be1 100644
--- a/drivers/scsi/megaraid/megaraid_sas.h
+++ b/drivers/scsi/megaraid/megaraid_sas.h
@@ -56,6 +56,11 @@
 #define PCI_DEVICE_ID_LSI_INTRUDER_24          0x00cf
 #define PCI_DEVICE_ID_LSI_CUTLASS_52           0x0052
 #define PCI_DEVICE_ID_LSI_CUTLASS_53           0x0053
+#define PCI_DEVICE_ID_LSI_VENTURA                  0x0014
+#define PCI_DEVICE_ID_LSI_HARPOON                  0x0016
+#define PCI_DEVICE_ID_LSI_TOMCAT                   0x0017
+#define PCI_DEVICE_ID_LSI_VENTURA_4PORT                0x001B
+#define PCI_DEVICE_ID_LSI_CRUSADER_4PORT       0x001C
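Review bot: the hunk adds PCI_DEVICE_ID_LSI_CRUSADER_4PORT (0x001C) without a matching single-port PCI_DEVICE_ID_LSI_CRUSADER; the git blame excerpt above shows 0x0015 was only added later in 754f1bae0f1e3, so this change leaves the family incomplete. The value columns of the five new #define lines are also not aligned with the existing entries (VENTURA_4PORT is pushed out further than its neighbours, CRUSADER_4PORT pulled in); aligning them keeps the table readable. The visible lines only define the constants, and whether they are also wired into the driver's PCI device table is elided here, so that should be checked in the rest of the patch.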
[...]

Custom Debian kernel packages for testing

Now that we identified the relevant change, what’s the easiest way to test this change? There’s an easy way to build a custom Debian package, based on the official Debian kernel but including further patch(es), thanks to Ben Hutchings. Make sure to have a Debian system available (I was running this inside an amd64 system, building for amd64), with corresponding deb-src entries in your apt’s sources.list and enough free disk space, then run:

% sudo apt install dpkg-dev build-essential devscripts fakeroot
% apt-get source -t stretch linux
% cd linux-*
% sudo apt-get build-dep linux
% bash debian/bin/test-patches -f amd64 -s none 0001-scsi-megaraid_sas-Add-new-pci-device-Ids-for-SAS3.5-.patch

This generates something like a linux-image-4.9.0-6-amd64_4.9.88-1+deb9u1a~test_amd64.deb for you (next to further Debian packages like linux-headers-4.9.0-6-amd64_4.9.88-1+deb9u1a~test_amd64.deb + linux-image-4.9.0-6-amd64-dbg_4.9.88-1+deb9u1a~test_amd64.deb), ready for installing and testing on the affected system. The Kernel Handbook documents this procedure as well; I just wasn’t aware of the handy `debian/bin/test-patches` script so far.

JFTR: sadly the patch with the additional PCI_DEVICE_ID* was not enough (also see #900349); we seem to need further patches from the changes between v4.9 and v4.15, though this turned out to be no longer relevant for my customer, and it’s also working with Debian/buster nowadays.

Worse Than FailureCodeSOD: What a Happy Date

As is the case with pretty much any language these days, Python comes with robust date handling functionality. If you want to know something like what the day of the month is? datetime.now().day will tell you. Simple, easy, and of course, just an invitation for someone to invent their own.

Jan was witness to a little date-time related office politics. This particular political battle started during a code review. Klaus had written some date mangling code, relying heavily on strftime to parse dates out to strings and then parse them back in as integers. Richard, quite reasonably, pointed out that Klaus was taking the long way around, and maybe Klaus should possibly think about doing it in a simpler fashion.

“So, you don’t understand the code?” Klaus asked.

“No, I understand it,” Richard replied. “But it’s far too complicated. You’re doing a simple task: getting the day of the month! The code should be simple.”

“Ah, so it’s too complicated, so you can’t understand it.”

“Just… write it the simple way. Use the built-in accessor.”

So, Klaus made his revisions, and merged the revised code.

import datetime
# ...
now = datetime.datetime.now()  # Richard
date = now.strftime("%d")  # Richard, this is a string over here
date_int = int(date)  # day number, int("08") = 8, so no problem here
hour = now.hour  # Richard :)))))
hour_int = int(hour)  # int hour, e.g. if it's 22:36 then hour = 22

Richard did not have a big :))))) on his face when he saw that in the master branch.

TEDStages of Life: Notes from Session 5 of TEDSummit 2019

Yilian Cañizares rocks the TED stage with a jubilant performance of her signature blend of classic jazz and Cuban rhythms. She performs at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

The penultimate session of TEDSummit 2019 had a bit of everything — new thoughts on aging, loneliness and happiness as well as breakthrough science, music and even a bit of comedy.

The event: TEDSummit 2019, Session 5: Stages of Life, hosted by Kelly Stoetzel and Alex Moura

When and where: Wednesday, July 24, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Nicola Sturgeon, Sonia Livingstone, Howard Taylor, Sara-Jane Dunn, Fay Bound Alberti, Carl Honoré

Opening: Raconteur Mackenzie Dalrymple telling the story of the Goodman of Ballengeich

Music: Yilian Cañizares and her band, rocking the TED stage with a jubilant performance that blends classic jazz and Cuban rhythms

Comedy: Amidst a head-spinning program of big (and often heavy) ideas, a welcome break from comedian Omid Djalili, who lightens the session with a little self-deprecation and a few barbed cultural observations

The talks in brief:

“In the world we live in today, with growing divides and inequalities, with disaffection and alienation, it is more important than ever that we … promote a vision of society that has well-being, not just wealth, at its very heart,” says Nicola Sturgeon, First Minister of Scotland. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Nicola Sturgeon, First Minister of Scotland

Big idea: It’s time to challenge the monolithic importance of GDP as a quality-of-life metric — and paint a broader picture that also encompasses well-being.

How? In 2018, Scotland, Iceland and New Zealand established the Wellbeing Economy Governments group to challenge the supremacy of GDP. The leaders of these countries — who are, incidentally, all women — believe policies that promote happiness (including equal pay, childcare and paternity rights) could help decrease alienation in its citizens and, in turn, build resolve to confront global challenges like inequality and climate change.

Quote of the talk: “Growth in GDP should not be pursued at any and all cost … The goal of economic policy should be collective well-being: how happy and healthy a population is, not just how wealthy a population is.”


Sonia Livingstone, social psychologist

Big idea: Parents often view technology as either a beacon of hope or a developmental poison, but the biggest influence on their children’s life choices is how they help them navigate this unavoidable digital landscape. Society as a whole can positively impact these efforts.

How? Sonia Livingstone’s own childhood was relatively analog, but her research has been focused on how families embrace new technology today. Changes abound in the past few decades — whether it’s intensified educational pressures, migration, or rising inequality — yet it’s the digital revolution that remains the focus of our collective apprehension. Livingstone’s research suggests that policing screen time isn’t the answer to raising a well-rounded child, especially at a time when parents are trying to live more democratically with their children by sharing decision-making around activities like gaming and exploring the internet. Leaders and institutions alike can support a positive digital future for children by partnering with parents to guide activities within and outside of the home. Instead of criticizing families for their digital activities, Livingstone thinks we should identify what real-world challenges they’re facing, what options are available to them and how we can support them better.

Quote of the talk: “Screen time advice is causing conflict in the family, and there’s no solid evidence that more screen time increases childhood problems — especially compared with socio-economic or psychological factors. Restricting children breeds resistance, while guiding them builds judgment.”


Howard Taylor, child safety advocate

Big idea: Violence against children is an endemic issue worldwide, with rates of reported incidence increasing in some countries. We are at a historical moment that presents us with a unique opportunity to end the epidemic, and some countries are already leading the way.

How? Howard Taylor draws attention to Sweden and Uganda, two very different countries that share an explicit commitment to ending violence against children. Through high-level political buy-in, data-driven strategy and tactical legislative initiatives, the two countries have already made progress. These solutions and others are all part of INSPIRE, a set of strategies created by an alliance of global organizations as a roadmap to eliminating the problem. If we put in the work, Taylor says, a new normal will emerge: generations whose paths in life will be shaped by what they do — not what was done to them.

Quote of the talk: “What would it really mean if we actually end violence against children? Multiply the social, cultural and economic benefits of this change by every family, every community, village, town, city and country, and suddenly you have a new normal emerging. A generation would grow up without experiencing violence.”


“The first half of this century is going to be transformed by a new software revolution: the living software revolution. Its impact will be so enormous that it will make the first software revolution pale in comparison,” says computational biologist Sara-Jane Dunn. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Sara-Jane Dunn, computational biologist

Big idea: In the 20th century, computer scientists inscribed machine-readable instructions on tiny silicon chips, completely revolutionizing our lives and workplaces. Today, a “living software” revolution centered around organisms built from programmable cells is poised to transform medicine, agriculture and energy in ways we can scarcely predict.

How? By studying how embryonic stem cells “decide” to become neurons, lung cells, bone cells or anything else in the body, Sara-Jane Dunn seeks to uncover the biological code that dictates cellular behavior. Using mathematical models, Dunn and her team analyze the expected function of a cellular system to determine the “genetic program” that leads to that result. While they’re still a long way from compiling living software, they’ve taken a crucial early step.

Quote of the talk: “We are at the beginning of a technological revolution. Understanding this ancient type of biological computation is the critical first step. And if we can realize this, we would enter into the era of an operating system that runs living software.”


Fay Bound Alberti, cultural historian

Big idea: We need to recognize the complexity of loneliness and its ever-transforming history. It’s not just an individual and psychological problem — it’s a social and physical one.

Why? Loneliness is a modern-day epidemic, with a history that’s often recognized solely as a product of the mind. Fay Bound Alberti believes that interpretation is limiting. “We’ve neglected [loneliness’s] physical effects — and loneliness is physical,” she says. She points to how crucial touch, smell, sound, human interaction and even nostalgic memories of sensory experiences are to coping with loneliness, making people feel important, seen and helping to produce endorphins. By reframing our perspective on this feeling of isolation, we can better understand how to heal it.

Quote of the talk: “I am suggesting we need to turn to the physical body, we need to understand the physical and emotional experiences of loneliness to be able to tackle a modern epidemic. After all, it’s through our bodies, our sensory bodies, that we engage with the world.”

Fun fact: “Before 1800 there was no word for loneliness in the English language. There was something called: ‘oneliness’ and there were ‘lonely places,’ but both simply meant the state of being alone. There was no corresponding emotional lack and no modern state of loneliness.”


“Whatever age you are: own it — and then go out there and show the world what you can do!” says Carl Honoré. He speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Carl Honoré, writer, thinker and activist

Big idea: Stop the lazy thinking around age and the “cult of youth” — it’s not all downhill from 40.

How? We need to debunk the myths and stereotypes surrounding age — beliefs like “older people can’t learn new things” and “creativity belongs to the young.” There are plenty of trailblazers and changemakers who came into their own later in life, from artists and musicians to physicists and business leaders. Studies show that people who fear and feel bad about aging are more likely to suffer physical effects as if age is an actual affliction rather than just a number. The first step to getting past that is by creating new, more positive societal narratives. Honoré offers a set of simple solutions — the two most important being: check your language and own your age. Embrace aging as an adventure, a process of opening rather than closing doors. We need to feel better about aging in order to age better.

Quote of the talk: “Whatever age you are: own it — and then go out there and show the world what you can do!”

TEDWhat Brexit means for Scotland: A Q&A with First Minister Nicola Sturgeon

First Minister of Scotland Nicola Sturgeon spoke at TEDSummit on Wednesday in Edinburgh about her vision for making collective well-being the main aim of public policy and the economy. (Watch her full talk on TED.com.) That same morning, Boris Johnson assumed office as Prime Minister of the United Kingdom, the latest episode of the Brexit drama that has engulfed UK politics. During the 2016 referendum, Scotland voted against Brexit.

After her talk, Chris Anderson, the Head of TED, joined Sturgeon, who’s been vocally critical of Johnson, to ask a few questions about the current political landscape. Watch their exchange below.


Cory DoctorowHoustonites! Come see Hank Green and me in conversation tomorrow night!

Hank Green and I are doing a double act tomorrow night, July 31, as part of the tour for the paperback of his debut novel, An Absolutely Remarkable Thing. It’s a ticketed event (admission includes a copy of Hank’s book), and we’re presenting at 7PM at Spring Forest Middle School in association with Blue Willow Bookshop. Hope to see you there!

Krebs on SecurityCapital One Data Theft Impacts 106M People

Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.

Paige “erratic” Thompson, in an undated photo posted to her Slack channel.

On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.

The tip that alerted Capital One to its data breach.

The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.

Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.

The Twitter user “erratic” posting about tools and processes used to access various Amazon cloud instances.

According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”

KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.

That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One.

Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.

None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.

Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.

“The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”

“The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.

In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.

A copy of the complaint against Thompson is available here.

Update, 3:38 p.m. ET: I’ve reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:

“Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker’s alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed.”

CryptogramACLU on the GCHQ Backdoor Proposal

Back in January, two senior GCHQ officials proposed a specific backdoor for communications systems. It was universally derided as unworkable -- by me, as well. Now Jon Callas of the ACLU explains why.

CryptogramAttorney General William Barr on Encryption Policy

Yesterday, Attorney General William Barr gave a major speech on encryption policy -- what is commonly known as "going dark." Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it.

Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability -- a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.

Moreover, even if there was, in theory, a slight risk differential, its significance should not be judged solely by the extent to which it falls short of theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society. After all, we are not talking about protecting the Nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications. If one already has an effective level of security -- say, by way of illustration, one that protects against 99 percent of foreseeable threats -- is it reasonable to incur massive further costs to move slightly closer to optimality and attain a 99.5 percent level of protection? A company would not make that expenditure; nor should society. Here, some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety. This is untenable. If the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, on the other hand, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcements [sic] access to zero percent -- the choice for society is clear.

I think this is a major change in government position. Previously, the FBI, the Justice Department and so on had claimed that backdoors for law enforcement could be added without any loss of security. They maintained that technologists just need to figure out how: an approach we have derisively named "nerd harder."

With this change, we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having -- not the fake one about whether or not we can have both security and surveillance.

Barr makes the point that this is about "consumer cybersecurity," and not "nuclear launch codes." This is true, but ignores the huge amount of national security-related communications between those two poles. The same consumer communications and computing devices are used by our lawmakers, CEOs, legislators, law enforcement officers, nuclear power plant operators, election officials and so on. There's no longer a difference between consumer tech and government tech -- it's all the same tech.

Barr also says:

Further, the burden is not as onerous as some make it out to be. I served for many years as the general counsel of a large telecommunications concern. During my tenure, we dealt with these issues and lived through the passage and implementation of CALEA -- the Communications Assistance for Law Enforcement Act. CALEA imposes a statutory duty on telecommunications carriers to maintain the capability to provide lawful access to communications over their facilities. Companies bear the cost of compliance but have some flexibility in how they achieve it, and the system has by and large worked. I therefore reserve a heavy dose of skepticism for those who claim that maintaining a mechanism for lawful access would impose an unreasonable burden on tech firms -- especially the big ones. It is absurd to think that we would preserve lawful access by mandating that physical telecommunications facilities be accessible to law enforcement for the purpose of obtaining content, while allowing tech providers to block law enforcement from obtaining that very content.

That telecommunications company was GTE -- which became Verizon. Barr conveniently ignores that CALEA-enabled phone switches were used to spy on government officials in Greece in 2003 -- which seems to have been an NSA operation -- and on a variety of people in Italy in 2006. Moreover, in 2012 every CALEA-enabled switch sold to the Defense Department had security vulnerabilities. (I wrote about all this, and more, in 2013.)

The final thing I noticed about the speech is that it is not about iPhones and data at rest. It is about communications: data in transit. The "going dark" debate has bounced back and forth between those two aspects for decades. It seems to be bouncing once again.

I hope that Barr's latest speech signals that we can finally move on from the fake security vs. privacy debate, and to the real security vs. security debate. I know where I stand on that: As computers continue to permeate every aspect of our lives, society, and critical infrastructure, it is much more important to ensure that they are secure from everybody -- even at the cost of law-enforcement access -- than it is to allow access at the cost of security. Barr is wrong: it kind of is like these systems are protecting nuclear launch codes.

This essay previously appeared on Lawfare.com.

EDITED TO ADD: More news articles.

EDITED TO ADD (7/28): Gen. Hayden comments.

EDITED TO ADD (7/30): Good response by Robert Graham.

Worse Than FailureThis Process is Nuts

A great man once said "I used to be over by the window, and I could see the squirrels, and they were merry." As pleasing of a sight as that was, what if the squirrels weren't merry?

Grady had an unpleasant experience with bushy-tailed rodents at a former job. Before starting at the Fintech firm as a data scientist, he was assured the Business Intelligence department was very advanced and run by an expert. They needed Grady to manipulate large data sets and implement machine learning to help out Lenny, the resident BI "expert". It quickly became apparent that Lenny didn't put the "Intelligence" in Business Intelligence.

Lenny was a long-term contractor who started the BI initiative from the ground-up. His previous work as a front-end developer led to his decision to use PHP for the ETL process. This one-of-a-kind monstrosity made it as unstable as a house of cards in a hurricane and the resultant data warehouse was more like a data cesspool.

"This here is the best piece of software in the whole company," Lenny boasted. "They tell me you're really smart, so you'll figure out how it works on your own. My work is far too important and advanced for me to be bothered with questions!" Lenny told Grady sternly.

Grady, left to fend for himself, spent weeks stumbling through code with very few comments and no existing documentation. He managed to deduce the main workflow for the ETL and warehouse process and it wasn't pretty. The first part of the ETL process deleted the entire existing data warehouse, allowing for a "fresh start" each day. If an error occurred during the ETL, rather than fail gracefully, the whole process crashed without restoring the data warehouse that was wiped out.

Grady found that the morning ETL run failed more often than not. Since Lenny never bothered to stroll in until 10 AM, the people that depended on data warehouse reports loudly complained to Grady. Having no clue how to fix it, he would tell them to be patient. Lenny would saunter in and start berating him "Seriously? Why haven't you figured out how to fix this yet?!" Lenny would spend an hour doing damage control, then disappear for a 90 minute lunch break.

One day, an email arrived informing everyone that Lenny was no longer with the company after exercising an obscure opt-out clause in his contract. Grady suddenly became the senior-most BI developer and inherited Lenny's trash pile. Determined to find the cause of the errors, he dug into parts of the code Lenny strictly forbade him to enter. Hoping to find any semblance of logging that might help, he scoured for hours.

Grady finally started seeing commands called "WritetoSkype". It sounded absurd, but it almost seemed like Lenny was logging to a Skype channel during the ETL run. Grady created a Skype account and subscribed to LennysETLLogging. All he found there was a bunch of dancing penguin emoticons, written one at a time.

Grady scrolled and scrolled and scrolled some more as thousands of dancing penguins written during the day's run performed for him. He finally reached the bottom and found an emoticon of a squirrel eating an acorn. Looking back at the code, WritetoSkype sent (dancingpenguin) when a step succeeded and (heidy) when a step failed. It was far from useful logging, but Grady now had a clear mission: exterminate all the squirrels.



Krebs on SecurityNo Jail Time for “WannaCry Hero”

Marcus Hutchins, the “accidental hero” who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

The British security enthusiast enjoyed instant fame after the U.K. media revealed he’d registered and sinkholed a domain name that researchers later understood served as a hidden “kill switch” inside WannaCry, a fast-spreading, highly destructive strain of ransomware which propagated through a Microsoft Windows exploit developed by and subsequently stolen from the U.S. National Security Agency.

In August 2017, FBI agents arrested then 23-year-old Hutchins on suspicion of authoring and spreading the “Kronos” banking trojan and a related malware tool called UPAS Kit. Hutchins was released shortly after his arrest, but ordered to remain in the United States pending trial.

Many in the security community leaped to his defense at the time, noting that the FBI’s case appeared flimsy and that Hutchins had worked tirelessly through his blog to expose cybercriminals and their malicious tools. Hundreds of people donated to his legal defense fund.

In September 2017, KrebsOnSecurity published research which strongly suggested Hutchins’ dozens of alter egos online had a fairly lengthy history of developing and selling various malware tools and services. In April 2019, Hutchins pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

At his sentencing hearing July 26, U.S. District Judge Joseph Peter Stadtmueller said Hutchins’ action in halting the spread of WannaCry was far more consequential than the two malware strains he admitted authoring, and sentenced him to time served plus one year of supervised release. 

Marcy Wheeler, an independent journalist who live-tweeted and blogged about the sentencing hearing last week, observed that prosecutors failed to show convincing evidence of specific financial losses tied to any banking trojan victims, virtually all of whom were overseas — particularly in Hutchins’ home in the U.K.

“When it comes to matter of loss or gain,” Wheeler wrote, quoting Judge Stadtmueller, “the most striking is comparison between you passing Kronos and WannaCry, if one looks at loss & numbers of infections, over 8B throughout world w/WannaCry, and >120M in UK.”

“This case should never have been prosecuted in the first place,” Wheeler wrote. “And when Hutchins tried to challenge the details of the case — most notably the one largely ceded today, that the government really doesn’t have evidence that 10 computers were damaged by anything Hutchins did — the government doubled down and issued a superseding indictment that, because of the false statements charge, posed a real risk of conviction.”

Hutchins’ conviction means he will no longer be allowed to stay in or visit the United States, although Judge Stadtmueller reportedly suggested Hutchins should seek a presidential pardon, which would enable him to return and work here.

“Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,” Hutchins tweeted immediately after the sentencing. “Once t[h]ings settle down I plan to focus on educational blog posts and livestreams again.”

Cory DoctorowPodcast: Adblocking: How About Nah?

In my latest podcast (MP3), I read my essay Adblocking: How About Nah?, published last week on EFF’s Deeplinks; it’s the latest installment in my series about “adversarial interoperability,” and the role it has historically played in keeping tech open and competitive, and how that role is changing now that yesterday’s scrappy startups have become today’s bloated incumbents, determined to prevent anyone from disrupting them the way they disrupted tech in their early days.

At the height of the pop-up wars, it seemed like there was no end in sight: the future of the Web would be one where humans adapted to pop-ups, then pop-ups found new, obnoxious ways to command humans’ attention, which would wane, until pop-ups got even more obnoxious.

But that’s not how it happened. Instead, browser vendors (beginning with Opera) started to ship on-by-default pop-up blockers. What’s more, users—who hated pop-up ads—started to choose browsers that blocked pop-ups, marginalizing holdouts like Microsoft’s Internet Explorer, until they, too, added pop-up blockers.

Chances are, those blockers are in your browser today. But here’s a funny thing: if you turn them off, you won’t see a million pop-up ads that have been lurking unseen for all these years.

Because once pop-up ads became invisible by default to an ever-larger swathe of Internet users, advertisers stopped demanding that publishers serve pop-up ads. The point of pop-ups was to get people’s attention, but something that is never seen in the first place can’t possibly do that.


Rondam RamblingsFedex: when it absolutely, positively has to get stuck in the system for over two months

I have seen some pretty serious corporate bureaucratic dysfunction over the years, but I think this one takes the cake: on May 23, we shipped a package via Fedex from California to Colorado.  The package required a signature.  It turned out that the person we sent it to had moved, and so was not able to sign for the package, and so it was not delivered. Now, the package has our return address on

CryptogramWanted: Cybersecurity Imagery

Eli Sugarman of the Hewlett Foundation laments about the sorry state of cybersecurity imagery:

The state of cybersecurity imagery is, in a word, abysmal. A simple Google Image search for the term proves the point: It's all white men in hoodies hovering menacingly over keyboards, green "Matrix"-style 1s and 0s, glowing locks and server racks, or some random combination of those elements -- sometimes the hoodie-clad men even wear burglar masks. Each of these images fails to convey anything about either the importance or the complexity of the topic -- or the huge stakes for governments, industry and ordinary people alike inherent in topics like encryption, surveillance and cyber conflict.

I agree that this is a problem. It's not something I noticed until recently. I work in words. I think in words. I don't use PowerPoint (or anything similar) when I give presentations. I don't need visuals.

But recently, I started teaching at the Harvard Kennedy School, and I constantly use visuals in my class. I made those same image searches, and I came up with similarly unacceptable results.

But unlike me, Hewlett is doing something about it. You can help: participate in the Cybersecurity Visuals Challenge.

Planet DebianCandy Tsai: Outreachy Week 8 – Week 9: Remote or In-Office Working

The Week 9 blog prompt recommended by Outreachy was to write about my career goals. To be honest, this is a really hard topic for me. As long as a career path involves some form of coding, creating and learning new things, I’m willing to take it on. The best situation could be that it is also doing something good for the society. This might be because that “something that I am too passionate for” doesn’t yet exist in my life. For now, I wish I’d still be coding 5 years from now. It’s just that simple. The only thing that I would like to see improvement upon is gender balance for this industry.

As for working environment, I would like to share some thoughts after having experienced both extremes of totally remote work and complete in-office work. There are a lot of articles out there comparing the pros and cons. Here are just my opinions on the time spent not working:

  • Dozing off
  • Socializing

Dozing off

Our concentration time is limited and there definitely will be times when we doze off a bit. Just a list of things that I had done before in both places. I think I’m being too honest here.

Office:

  • Browsing random pages
  • Checking useless e-mails
  • Talking to someone else also dozing off
  • Using social apps (e.g. Messenger)

Hoping people don’t think I’m doing these things for the whole day.

Remote:

  • Cook something to eat
  • Laundry or other house chores
  • Watch videos
  • Have a German lesson for an hour

I actually don’t take breaks between meals when working remotely.

In conclusion, I think dozing off in an office really really fits the definition of purely wasting time. You have peer pressure to look productive the whole 8 hours which just simply isn’t human. The things I do when I’m working remotely are actually things done after work from office. So I’ll give a vote for remote here.

Socializing

Office:

I had colleagues that I would love to go out with outside of work when I had an office job. One of the reasons that I stayed in a job is because of my colleagues. They were wonderful people and also great “friends”.

Remote:

The main means of communication is either text or video chat. Usually, they are for “work” purposes. I think my mentors are already kind enough to be there to support me whenever I’m stuck and I’m grateful for that! Don’t want to let them feel like they need to spend that much time on me. Although this might be different than “real” remote work, but I think it probably won’t be too distant from what I’m experiencing right now. I wouldn’t really want to specifically open a video chat just to talk about our daily lives through it.

I would vote for an office environment in this case since you can work and make friends at the same time which is pretty convenient for an introvert like me. If I don’t feel like making new friends, then probably I would choose remote work. I think I probably will change my preference as I get older.

Last but not least, as always my progress report for debci.

Video Report of the Internship

Link: https://youtu.be/89r4HqJL8KE

Week 8

  • Filming and editing my video for sharing the debci project for DebConf 2019
  • Fixing merge requests

Week 9

Worse Than FailureCodeSOD: Some Kind of Magic

We all have our little bits of sloppiness and our bad habits. Most of us have more than one. One place I'm likely to get lazy, especially as I'm feeling my way around a problem, is with magic numbers. I always mean to go back and replace them with a constant, but sometimes there's another fire you need to put out and you just don't get back to it till somebody calls it out in a code review.

Then, of course, there are the folks who go too far. I once got a note complaining that I shouldn't have used 2*PI, but instead should have created a new constant, TAU. I disavow the need for tau, but my critic said magic numbers, like two, were disallowed, so I said "ciao" and tau is there now.

Angela A, who's had some experience with bad constants before, has found a new one.

// Decimal constant for value of 1
static constant float THIRTY = 30.0f;

The decimal constant for the value of 1 is THIRTY.


Planet DebianRuss Allbery: Review: All the Birds in the Sky

Review: All the Birds in the Sky, by Charlie Jane Anders

Publisher: Tor
Copyright: January 2016
ISBN: 1-4668-7112-1
Format: Kindle
Pages: 315

When Patricia was six years old, she rescued a wounded bird, protected it from her sister, discovered that she could talk to animals, and found her way to the Parliament Tree. There, she was asked the Endless Question, which she didn't know how to answer, and was dumped back into her everyday life. Her magic apparently disappeared again, except not quite entirely.

Laurence liked video games and building things. From schematics he found on the Internet, he built a wrist-watch time machine that could send him two seconds forward into the future. That was his badge of welcome, the thing that marked him as part of the group of cool scientists and engineers, when he managed to sneak away to visit a rocket launch.

Patricia and Laurence meet in junior high school, where both of them are bullied and awkward and otherwise friendless. They strike up an unlikely friendship based on actually listening to each other, Patricia getting Laurence out of endless outdoor adventures arranged by his parents, and the supercomputer Laurence is building in his closet. But it's not clear whether that friendship can survive endless abuse, the attention of an assassin, and their eventual recruitment into a battle between magic and technology of which they're barely aware.

So, first, the world-building in All the Birds in the Sky is subtly brilliant. I had been avoiding this book because I'd gotten the impression it was surreal and weird, which often doesn't work for me. But it's not, and that's due to careful and deft authorial control. This is a book in which two kids are sitting in a shopping mall watching people's feet go by on an escalator and guessing at their profession, and this happens:

The man in black slippers and worn gray socks was an assassin, said Patricia, a member of a secret society of trained killers who stalked their prey, looking for the perfect moment to strike and kill them undetected.

"It's amazing how much you can tell about people from their feet," said Patricia. "Shoes tell the whole story."

"Except us," said Laurence. "Our shoes are totally boring. You can't tell anything about us."

"That's because our parents pick out our shoes," said Patricia. "Just wait until we're grown up. Our shoes will be insane."

In fact, Patricia had been correct about the man in the gray socks and black shoes. His name was Theodolphus Rose, and he was a member of the Nameless Order of Assassins. He had learned 873 ways to murder someone without leaving even a whisper of evidence, and he'd had to kill 419 people to reach the number nine spot in the NOA hierarchy. He would have been very annoyed to learn that his shoes had given him away, because he prided himself on blending with his surroundings.

Anders maintains that tone throughout the book: dry, a little wry, matter-of-fact with a quirked smile, and utterly certain. The oddity of this world is laid out on the page without apologies, clear and comprehensible and orderly even when it's wildly strange. It's very easy as a reader to just start nodding along with magical academies and trans-dimensional experiments because Anders gives you the structure, pacing, and description that you need to build a coherent image.

The background work is worthy of this book's Nebula award. I just wish I'd liked the story better.

The core of my dislike is the characters, although for two very different reasons. Laurence is straight out of YA science fiction: geeky, curious, bullied, desperate to belong to something, loyal, and somewhere between stubborn and indecisive. But below that set of common traits, I never connected with him. He was just... there, doing predictable Laurence things and never surprising me or seeming to grow very much.

Laurence eventually goes to work for the Ten Percent Project, which is trying to send 10% of the population into space because clearly the planet is doomed. The blindness of that goal, and the degree to which the founder of that project resembled Elon Musk, was a bit too real to be funny. I kept waiting for Anders to either make a sharper satirical point or to let Laurence develop his own character outside of the depressing reality of techno-utopianism, but the story stayed finely balanced on that knife edge until it stopped being funny and started being awful.

Patricia, on the other hand, I liked from the very beginning. She's independent, determined, angry, empathetic, principled, and thoughtful, and immediately became the character I was cheering for. And every other major character in this novel is absolutely horrific to her.

The sheer amount of abusive gaslighting Patricia is subjected to in this book made me ill. Everyone from her family to her friends to her fellow magicians demean her, squash her, ignore her, trivialize her, shove her into boxes, try to get her to stop believing in things that happened to her, and twist every bit of natural ambition she has into new forms of prison. Even Laurence participates in this; although he's too clueless to be a major source of it, he's set up as her one port in the storm and then basically abandons her. I started the book feeling sorry for her; by the end of the book, I wanted Patricia to burn her life down with fire and start over with a completely new batch of humans. There's no way that she could do worse.

I want to be clear: I think this is an intentional authorial choice. I think Anders is entirely aware of how awful people are being, and the story of Laurence and Patricia barely managing to keep their heads above water despite them is the story she chose to write. A lot of other people loved it; this is more of a taste mismatch with the book than a structural flaw. But there are only so many paternalistic, abusive assholes passing themselves off as authority figures I can take in one book, and this book flew past my threshold and just kept going. Patricia and Laurence are mostly helpless against these people and have to let their worlds be shaped by them even when they know it's wrong, which makes it so, so much harder to bear.

The place where I think Anders did lose control of the plot, at least a little, is the ending. I can't fairly say that it came out of nowhere, since Anders was dropping hints throughout the book, but I did feel like it robbed the characters of agency in a way that I found emotionally unsatisfying as a reader, particularly since everyone in the book had been trying to take away Patricia's agency from nearly the first page. To have the ending then do the same thing added insult to injury in a way that I couldn't stomach. I can see the levels of symbolism knit together by this choice of endings, but, at least in my opinion, it would have been so much more satisfying, and somewhat redeeming of all the shit that Patricia had to go through, if she had been in firm control of how the symbolism came together.

This one's going to be a matter of taste, I think, and the world-building is truly excellent and much better than I had been expecting. But it's firmly in the "not for me" pile.

Rating: 5 out of 10


CryptogramFriday Squid Blogging: Humboldt Squid in Mexico Are Getting Smaller

The Humboldt squid are getting smaller:

Frawley and the other researchers found a flurry of factors that drove the jumbo squid's demise. The Gulf of California historically cycled between warm-water El Niño conditions and cool-water La Niña phases. The warm El Niño waters were inhospitable to jumbo squid, more specifically to the squid's prey, but subsequent La Niñas would allow squid populations to recover. But recent years have seen a drought of La Niñas, resulting in increasingly and more consistently warm waters. Frawley calls it an "oceanographic drought," and says that conditions like these will become more and more common with climate change. "But saying this specific instance is climate change is more than we can claim in the scope of our work," he adds. "I'm not willing to make that connection absolutely."

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet DebianKeith Packard: snekboard-0.2

Snekboard v0.2 Update

I've built six prototypes of snekboard version 0.2. They're working great and I'm happy with the design.

New Motor Driver

Having discovered that the TI DRV8838 wasn't up to driving the Lego Power Functions Medium motor (8883) because of its start-up current draw, I went back and reworked the snekboard circuit to use the TI DRV8800 instead. That controller can provide up to 2.8A and doesn't have any trouble with this motor.

The DRV8800 is larger than the DRV8838, so it took a bit of re-wiring to fit them on the circuit board.

New Power Source Selector

In version 0.1, I was using two DFLS130L Schottky diodes to automatically select between the on-board lithium polymer battery and USB to power the board. That "worked", except that there was enough leakage back through them that when the USB connector was unplugged, the battery charge indicator LEDs both lit up, which left me with the choice of disabling those indicators or draining the battery.

To fix that, I found an automatic power selector (with current limit!) part, the TPS2121. This should avoid frying the board when you short the motor controller outputs, although those also have current limiting circuits. Defense in depth!

One issue I found was that this circuit draws current even when the output is disconnected, so I changed the power switch from an SPST to a DPST and now control USB and battery power separately.

CircuitPython

I included a W25Q16 2MB NOR flash chip on the board so that it could also run CircuitPython. Before finalizing the design, I thought it might be a good idea to actually get that running.

I've submitted a pull request with the necessary changes. I hope to see that merged at some point, which will allow users to select between CircuitPython and snek.

Smoothing Speed Changes

While the 9V supply on snekboard is designed to supply plenty of current for the motors, if you ask it to suddenly change how much it is producing, it places a huge load on the battery. When this happens, the battery voltage drops below the brown-out value for the SoC and the board resets.

I experimented with how to resolve this by ramping the power up and down in the snek application. That worked great; the motors could easily switch from full speed in one direction to full speed in the other direction.

Instead of having users add code to every snek application, I decided to move this functionality down into the snek implementation. I did this by modifying the PWM and direction pins values in a function called from the timer interrupt. This lets the application continue to run at full speed, while the motor controller slowly adjusts its output. No more resets when switching from full forward to full reverse.
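As an added illustration of the ramping described above (not snek's own code), here is a Python model of the idea: the application sets a target and returns immediately, while a periodic tick, standing in for the timer interrupt, moves the real output toward it in bounded steps. PWM_MAX, MAX_STEP and the class and function names are assumptions, not snekboard's actual values.

```python
"""Slew-rate limited motor output, modelled on the snekboard approach.

Added example, not snek's own code. The application side sets a target
speed at any time and returns at once; a periodic timer callback (standing
in for the timer interrupt) moves the real output toward that target by at
most MAX_STEP PWM counts per tick, so the 9V supply never sees a sudden
load change and the battery never dips below the SoC brown-out level.
"""
from __future__ import annotations

from dataclasses import dataclass

PWM_MAX = 255   # 8-bit PWM duty range; assumed, not snekboard's actual value
MAX_STEP = 16   # largest change in signed output per timer tick; assumed


@dataclass
class MotorRamp:
    """Signed speed: -PWM_MAX is full reverse, +PWM_MAX is full forward."""
    target: int = 0    # what the application asked for
    current: int = 0   # what the motor driver is actually being given

    def set_target(self, speed: int) -> None:
        """Application side: clamp and record the request, no waiting."""
        self.target = max(-PWM_MAX, min(PWM_MAX, speed))

    def tick(self) -> tuple[bool, int]:
        """Timer side: take one bounded step toward the target.

        Returns (forward, duty): the direction pin level and the PWM duty.
        A reversal passes through zero, so the direction pin only flips
        while the duty is small and the load change stays gentle.
        """
        delta = max(-MAX_STEP, min(MAX_STEP, self.target - self.current))
        self.current += delta
        return self.current >= 0, abs(self.current)


def run_reversal(from_speed: int, to_speed: int) -> list[tuple[bool, int]]:
    """Drive the ramp from one steady speed to another; return the tick trace."""
    ramp = MotorRamp(target=from_speed, current=from_speed)
    ramp.set_target(to_speed)
    trace = []
    while ramp.current != ramp.target:
        trace.append(ramp.tick())
    return trace


def largest_output_jump(trace: list[tuple[bool, int]], start: int) -> int:
    """Biggest change in signed output between consecutive ticks."""
    signed = [start] + [duty if fwd else -duty for fwd, duty in trace]
    return max(abs(b - a) for a, b in zip(signed, signed[1:]))


if __name__ == "__main__":
    trace = run_reversal(PWM_MAX, -PWM_MAX)
    print(f"{len(trace)} ticks, largest jump {largest_output_jump(trace, PWM_MAX)}")
```

A full-forward to full-reverse request therefore takes 32 ticks and never changes the output by more than MAX_STEP per tick, which is the whole point: the sudden load step that caused the brown-out never reaches the battery.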

Future Plans

I've got the six v0.2 prototypes that I'll be able to use in for the upcoming class year, but I'm unsure of whether there would be enough interest in the broader community to have more of them made. Let me know if you'd be interested in purchasing snekboards; if I get enough responses, I'll look at running them through Crowd Supply or similar.

Planet DebianDirk Eddelbuettel: anytime 0.3.5

A new release of the anytime package is arriving on CRAN. This is the sixteenth release, and comes a good month after the 0.3.4 release.

anytime is a very focused package aiming to do just one thing really well: to convert anything in integer, numeric, character, factor, ordered, … format to either POSIXct or Date objects – and to do so without requiring a format string. See the anytime page, or the GitHub README.md for a few examples.

This release brings a reworked fallback mechanism enabled via the useR=TRUE option. Because Windows remains a challenging platform which, among other more important ailments, also does not provide timezone information, we no longer rely on the RApiDatetime package which exposes parts of the R API. This works everywhere where timezone information is available, but less so on Windows. Instead, we now use Rcpp::Function to call directly back into R. This received a considerable amount of testing, and the package should now work even better when either a timezone is set, or the Windows fallback is used, or both. My thanks to Christoph Sax for patiently testing and helping to debug this, as well as for his two pull requests contributing to this release (even if one of these is now redundant as we no longer use RApiDatetime).

The full list of changes follows.

Changes in anytime version 0.3.5 (2019-07-28)

  • Fix use of Rcpp::Function-accessed Sys.setenv(), name all arguments in call to C++ (Christoph Sax in #95).

  • Relax constraint on Windows testing in several test files (Christoph Sax in #97).

  • Fix an issue related to TZ environment variable setting (Dirk in #101).

  • Change useR=TRUE behaviour by directly calling R via Rcpp (Dirk in #103 fixing #96).

  • Several updates to unit testing files aiming for more robust behaviour across platforms.

  • Updated documentation in manual pages, README and vignette.

Courtesy of CRANberries, there is a comparison to the previous release. More information is on the anytime page. The issue tracker off the GitHub repo can be used for questions and comments.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianJoachim Breitner: Custom firmware for the YQ8003 bicycle light

This blog post is about 18 months late, but better late than never...

The YQ8003

1½ years ago, when I was still a daredevil biking in Philly, I got interested in these fancy strips of LED lights that you put into your bike wheel; when you ride fast enough, they form a stable image. Partly because of the additional visibility and safety, but also because they seem to be fun gadgets.

There are brands like Monkey Lights, but they are pretty expensive, and there are cheaper similar no-name products available, such as the YQ8003, which you can either order from China or hope to find on eBay for around $30 per piece.

The YQ8003 bike light

Sucky software

The hardware is nice: waterproof, easy to install, bright, long-lasting battery. But the software, oh my!

You need Windows to load your own pictures onto the device, and the application is really unpleasant to use; you can’t easily save your edits and sequences of images, and so on.

But the software on the device itself (which sports a microcontroller) was also unsatisfying: the transformation it applies to the image assumes that the bar of LEDs goes through the center of the wheel. Obviously that is wrong, as there is the hub. With a small hub the difference is not so bad, but I have rather large hubs (a generator in the front hub, and internal gears in the rear hub), and this makes the image unstable: it jumps back and forth a bit.

Time to DIY!

So obviously I had to do something about it. At first I planned to just find out how to load my own pictures onto the hardware, using the existing software on the device. So I needed to find out the protocol.

I was running their program on Windows in VirtualBox, and quickly noticed that the USB connection that you use to load your data onto the YQ8003 is actually a serial-over-USB port. I found a sniffer for serial communication and used that to dump what the Windows app sent to the device. That was all pretty hairy, and I only did it once (and deleted the Windows setup soon), but luckily one dump was sufficient.

I did not find out where in the data sent to the light the image was encoded. But I did find that the protocol used to talk to the device is a standard protocol for talking to microcontrollers, something called “STC ISP”. With that information, I could find out that the microcontroller is an STC12LE5A60S2 with 22MHz and 60KB of RAM, and that it is “8051 compatible”, whatever that means.

So this is how I, for the first and so far only time, ventured into microcontroller territory. It was pretty straightforward to get a toolchain to compile programs for this microcontroller (using sdcc) and to upload code to it (using stcgal), and I could talk to my code over the serial port. This is promising!

Reverse engineering

I also quickly found out how the magnet (which the device uses to notice when the wheel has done one rotation) is accessed: it triggers interrupt 0.

But finding out how to actually access the LEDs and make them light up was very tricky. This kind of information is not specific to the microcontroller (STC12LE5A60S2), for which I could find documentation, but really depends on how it is wired up.

I was able to extract, from the serial port communication dump mentioned earlier, the firmware in a way I could send it to the microcontroller. So I could always go back to a working state. Moreover I could disassemble that code, and try to make sense of it. But I could not make sense of it, i.e. could not understand .

So if thinking does not help, maybe brute force does? I wrote a program that would take the working firmware and zero out parts of it. Then I would try that firmware and note whether it still works. This way, my program would zero out ever more of the firmware, until only a few instructions were left that would still make the LEDs light up.

In the end I had, I think, 13 instructions left that made the LEDs light up lightly. Success! Or so I thought … the resulting program was pretty nonsensical. It essentially increments a value and writes another value to the address stored in the first value. So it just spews data all over the address range, wrapping around at the end. No surprise it triggers the LEDs somewhere along the way…

(Still, I published the program to minimize binary data under the name bisect-binary – maybe you’ll find it useful for something.)
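An added Python sketch of the zeroing search described above, not Joachim's bisect-binary (which is written in Haskell): the function and constant names, and the constructed 64-byte "firmware" with its three essential bytes, are all assumptions standing in for flashing a real image and checking whether the LEDs light up.

```python
"""Firmware minimisation by zeroing, in the spirit of the post's bisect-binary.

Added example, not Joachim's tool: a plain Python version of the idea
described above. Starting from a known-good image, it blanks ever smaller
chunks and keeps each blanking that the oracle still accepts, until no
single byte can be removed. The oracle here is a constructed stand-in for
"flash it and see whether the LEDs light up".
"""
from __future__ import annotations

from typing import Callable


def minimize(data: bytes, still_works: Callable[[bytes], bool]) -> tuple[bytes, int]:
    """Greedily zero out as much of `data` as the oracle tolerates.

    Chunks start at the whole image and halve each round; a chunk stays
    zeroed only if the oracle still accepts the result, so a byte the
    oracle depends on can never be lost. Returns (minimised image, calls).
    """
    if not still_works(data):
        raise ValueError("starting image must already pass the oracle")
    image = bytearray(data)
    calls = 1
    chunk = len(image)
    while chunk >= 1:
        for start in range(0, len(image), chunk):
            end = min(start + chunk, len(image))
            if not any(image[start:end]):
                continue  # already blank, nothing to test
            candidate = bytearray(image)
            candidate[start:end] = bytes(end - start)
            calls += 1
            if still_works(bytes(candidate)):
                image = candidate
        chunk //= 2
    return bytes(image), calls


# Constructed 64-byte "firmware"; every byte is nonzero.
FIRMWARE = bytes((i * 37 + 11) % 256 for i in range(64))
# Constructed: the only offsets the "LED" behaviour depends on.
ESSENTIAL = {3, 17, 40}


def leds_light_up(image: bytes) -> bool:
    """Stand-in oracle: passes iff the essential bytes are untouched."""
    return len(image) == len(FIRMWARE) and all(image[i] == FIRMWARE[i] for i in ESSENTIAL)


def surviving_offsets(image: bytes) -> set[int]:
    """Offsets that are still nonzero after minimisation."""
    return {i for i, b in enumerate(image) if b}


if __name__ == "__main__":
    result, calls = minimize(FIRMWARE, leds_light_up)
    print(f"kept {sorted(surviving_offsets(result))} after {calls} oracle calls")
```

The search is only as good as its oracle: every accepted blanking is trusted for good, so a flaky check (a flash that silently failed, a light that was already on) steers the minimiser toward a result that means nothing, which is much the same trap the post describes with its 13 surviving instructions.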

I actually don’t remember how I eventually figured out what to do, and which bytes and bits to toggle in which order. Maybe more reading, and some advice on what to look for from people who know more about LEDs.

bSpokeLight

With that knowledge I could finally write my own firmware and user application. The part that goes onto the device is written in C and compiled with sdcc. And the part that runs on your computer is a command line application written in Haskell, that takes the pictures and animations you want, applies the necessary transformations (now taking the width of your hub into account!) and embeds that into the compiled C code to produce a firmware file that you can load onto your device using stcgal.

It supports images in all common formats, produces 8 colors and can store up to 8 images on the device, which then cycle according to the time you specify. I dubbed the software bSpokeLight.

The light in action with more lights at the GPN19 (The short shutter speed of the camera prevents the visual effect in the eye that allows you to see the images)

It actually supports reading GIF animations, but I found that they are much harder to recognize later, unless I rotate the wheel very fast and you know what to look for. I am not sure if this is a limitation of the hardware (and our eyes), a problem with my code or a problem with the particular animations I have tried. I will need to experiment more.

Can you see the swing dancing couple?

As always, I am sharing the code in the hope that others find it useful as well. Thanks to Haskell, Nix and the iohk-nix project I can easily provide pre-compiled binaries for Windows and Linux, statically compiled for the latter for distribution-independence. Let me know if you try to use it and how that went.

Planet DebianHolger Levsen: 20190728-minidebcamp-fosdem

Mini DebCamp Fosdem 2020?

So someone from Belgium just brought up the excellent idea of having a Mini DebCamp before and/or after FOSDEM 2020. I like it! What do you think?

On the Monday after FOSDEM there will again be the Copyleft event from SFC, so maybe 3 days of hacking before FOSDEM would be better, but still, whatever; for planning these details there's now #debconf-fosdem on OFTC ;)

It's just an idea, but seriously, we'd only need to rent/find a room for 23-42 hackers nearby, and we'd be set. Debian people are good at self organizing, if they have network and a roof.

Also, there might be beer in Belgium, someone from Belgium just confirmed.


Planet DebianBits from Debian: DebConf19 closes in Curitiba and DebConf20 dates announced

DebConf19 group photo

Today, Saturday 27 July 2019, the annual Debian Developers and Contributors Conference came to a close. Hosting more than 380 attendees from 50 different countries over a combined 145 event talks, discussion sessions, Birds of a Feather (BoF) gatherings, workshops, and activities, DebConf19 was a large success.

The conference was preceded by the annual DebCamp, held 14 July to 19 July, which focused on individual work and team sprints for in-person collaboration toward developing Debian, and hosted a 3-day packaging workshop where new contributors were able to get started with Debian packaging.

The Open Day held on July 20, with over 250 attendees, enjoyed presentations and workshops of interest to the wider audience, a Job Fair with booths from several of the DebConf19 sponsors and a Debian install fest.

The actual Debian Developers Conference started on Sunday 21 July 2019. Together with plenaries such as the traditional 'Bits from the DPL', lightning talks, live demos and the announcement of next year's DebConf (DebConf20 in Haifa, Israel), there were several sessions related to the recent release of Debian 10 buster and some of its new features, as well as news updates on several projects and internal Debian teams, discussion sessions (BoFs) from the language, ports, infrastructure, and community teams, along with many other events of interest regarding Debian and free software.

The schedule was updated each day with planned and ad-hoc activities introduced by attendees over the course of the entire conference.

For those who were not able to attend, most of the talks and sessions were recorded and live-streamed, with the videos made available through the Debian meetings archive website. Almost all of the sessions facilitated remote participation via IRC messaging apps or online collaborative text documents.

The DebConf19 website will remain active for archival purposes and will continue to offer links to the presentations and videos of talks and events.

Next year, DebConf20 will be held in Haifa, Israel, from 23 August to 29 August 2020. As tradition follows, before the next DebConf the local organizers in Israel will start the conference activities with DebCamp (16 August to 22 August), with particular focus on individual and team work toward improving the distribution.

DebConf is committed to a safe and welcoming environment for all participants. During the conference, several teams (Front Desk, Welcome team and Anti-Harassment team) are available to help so that both on-site and remote participants get the best experience from the conference, and find solutions to any issue that may arise. See the web page about the Code of Conduct on the DebConf19 website for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf19, particularly our Platinum Sponsors: Infomaniak, Google and Lenovo.

About Debian

The Debian Project was founded in 1993 by Ian Murdock to be a truly free community project. Since then the project has grown to be one of the largest and most influential open source projects. Thousands of volunteers from all over the world work together to create and maintain Debian software. Available in 70 languages, and supporting a huge range of computer types, Debian calls itself the universal operating system.

About DebConf

DebConf is the Debian Project's developer conference. In addition to a full schedule of technical, social and policy talks, DebConf provides an opportunity for developers, contributors and other interested people to meet in person and work together more closely. It has taken place annually since 2000 in locations as varied as Scotland, Argentina, and Bosnia and Herzegovina. More information about DebConf is available from https://debconf.org/.

About Infomaniak

Infomaniak is Switzerland's largest web-hosting company, also offering backup and storage services, solutions for event organizers, live-streaming and video on demand services. It wholly owns its datacenters and all elements critical to the functioning of the services and products provided by the company (both software and hardware).

About Google

Google is one of the largest technology companies in the world, providing a wide range of Internet-related services and products such as online advertising technologies, search, cloud computing, software, and hardware.

Google has been supporting Debian by sponsoring DebConf for more than ten years, and is also a Debian partner sponsoring parts of Salsa's continuous integration infrastructure within Google Cloud Platform.

About Lenovo

As a global technology leader manufacturing a wide portfolio of connected products, including smartphones, tablets, PCs and workstations as well as AR/VR devices, smart home/office and data center solutions, Lenovo understands how critical open systems and platforms are to a connected world.

Contact Information

For further information, please visit the DebConf19 web page at https://debconf19.debconf.org/ or send mail to press@debian.org.

Planet DebianBen Hutchings: Debian LTS work, July 2019

I was assigned 18.5 hours of work by Freexian's Debian LTS initiative and worked all those hours this month.

I prepared and released Linux 3.16.70 with various fixes from upstream. I then rebased jessie's linux package on this. Later in the month, I picked the fix for CVE-2019-13272, uploaded the package, and issued DLA-1862-1. I also released Linux 3.16.71 with just that fix.

I backported the latest security update for Linux 4.9 from stretch to jessie and issued DLA-1863-1.

Planet DebianBen Hutchings: Talk: What's new in the Linux kernel (and what's missing in Debian)

As planned, I presented my annual talk about Linux kernel changes at DebConf on Monday—remotely. (I think this was a DebConf first.)

A video recording is already available (high quality, low quality). The slides are linked from my talks page and from the DebConf event page.

Thanks again to the video team for taking the time to work out video and audio routing with me.

Planet DebianLaura Arjona Reina: A new home for Debian in the Mastodon / ActivityPub fediverse: follow @debian@framapiaf.org (and possible future moves)

TL;DR

Recent events in the fediverse in general and related to fosstodon.org instance in particular have made me rethink the place where I’d like to handle the @debian account in the Mastodon/GNU Social/ActivityPub fediverse.
I couldn’t decide a “final” place yet, but I’m exploring options (including selfhosting).

For now, I’ve moved the account to @debian@framapiaf.org – Please follow @debian there. Thank you Framasoft for administering and providing the service.

(Some) context

Note: This paragraph was updated (2019-07-28); thanks to the people who pointed out to me that it was unclear, I hope this new wording and the added details clarify my position.

For a summary of what happened, plus some thoughts thrown on the table, you can read this article by Brandon ‘LinuxLiaison’ Nolet and this one by ’emsenn’. I’ve been thinking about all this, and I decided to leave the fosstodon.org instance because I believe there are underlying issues that the provided apology does not solve, and which do not help to foster the welcoming, diverse and inclusive environment where I’d like to be, for me and for this non-official Debian account. There is more info out there and several different personal opinions, so I guess people interested in learning more about the context can find it by themselves.

Roadmap

  • Starting 2019-07-28 I’ll post the micronews.debian.org RSS feed in @debian@framapiaf.org
  • I will continue posting the micronews.debian.org RSS feed to @debian@fosstodon.org too, to give time for this news to spread and people to move.
  • I will fix a toot to this blog post in both accounts, because @debian@framapiaf.org may be temporary (or not. we’ll see).
  • On 1 September I will stop sending the micronews feed to @debian@fosstodon.org and I will only post a toot to this blog post from time to time.
  • On 1 October I will stop posting anything from @debian@fosstodon.org and close the account or make it dormant or whatever.
  • I don’t think I will take a new decision about a final or future move before October. I will try to put time into exploring options from September until the end of the year. Depending on my availability and the available help from Debian friends, the final home of the @debian account in the fediverse will be settled sooner or later… you know, “when it’s ready”.

Thanks for understanding, and for your help

All this caught me at a “bad moment” (very busy with Debian and non-Debian stuff, plus personally lower energy than usual). I apologise for not giving many details and also for not reacting more quickly.

I would appreciate it if you can spread this news so people follow the new account easily.
I would like to thank the friends who gave me a heads-up about what was happening, helped me understand it at a time when I did not have much time to read everything, and were patient enough to wait for me to take a decision.

Reminder: the account, wherever it’s hosted, is a mirror of micronews.debian.org

Finally, I would like to remind everybody that the @debian account in the fediverse, wherever it is hosted, is not official. It just posts the RSS feed provided by https://micronews.debian.org, which is one of the official sources of news about Debian. Micronews includes short news produced or selected by the Debian Publicity team and also broadcasts links to the longer official announcements posted in the other official channels: the Debian blog, the Debian website or the Debian announce and news mailing lists.

Planet DebianEnrico Zini: Opinion Sort

«Bullshit is unavoidable whenever circumstances require someone to talk without knowing what he is talking about. Thus the production of bullshit is stimulated whenever a person’s obligations or opportunities to speak about some topic are more excessive than his knowledge of the facts that are relevant to that topic.

This discrepancy is common in public life, where people are frequently impelled— whether by their own propensities or by the demands of others—to speak extensively about matters of which they are to some degree ignorant.

Closely related instances arise from the widespread conviction that it is the responsibility of a citizen in a democracy to have opinions about everything, or at least everything that pertains to the conduct of his country’s affairs.

The lack of any significant connection between a person’s opinions and his apprehension of reality will be even more severe, needless to say, for someone who believes it his responsibility, as a conscientious moral agent, to evaluate events and conditions in all parts of the world.»

(From Harry G. Frankfurt's On Bullshit)

Opinion Sort

In a world where it is more important to have a quick opinion than a thorough understanding, I propose this novel sorting algorithm.

from typing import Any, Callable, List


class NotSortedException(Exception):
    """Raised by `post` when it finds two elements out of order."""

    def __init__(self, unsorted_idx_1: int, unsorted_idx_2: int):
        super().__init__(f"elements {unsorted_idx_1} and {unsorted_idx_2} are out of order")
        self.unsorted_idx_1 = unsorted_idx_1
        self.unsorted_idx_2 = unsorted_idx_2


def opinion_sort(list: List[Any], post: Callable[[List[Any]], None]) -> None:
    """
    list: a list of elements to sort in place
    post: a callable that requires a sorted list as input and does
          proper error checking, as they should do
    """
    if list[0] > list[1]:
        list[0], list[1] = list[1], list[0]
    while True:
        try:
            # Assert opinion: "It is a sorted list!"
            post(list)
        except NotSortedException as e:
            # Someone disagrees, and they have a good point
            i, j = e.unsorted_idx_1, e.unsorted_idx_2
            list[i], list[j] = list[j], list[i]
        else:
            break
    # The list is now sorted, and the callable has to agree

This algorithm is the most efficient sorting algorithm, because it can sort a list by only looking at the first two elements.
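As an added example, not part of Enrico's post: the same loop paired with a `post` callable that actually does the checking, which makes it visible where the work went. The reviewer, the opinion counter and the helper names are my own additions.

```python
"""Opinion sort with an honest reviewer, to show where the work went.

Added example, not Enrico's code: the loop from the post, plus a `post`
callable that really checks. The reviewer objects to the first adjacent
pair that is out of order; every swap it forces removes exactly one
inversion, so the loop ends after (number of inversions) swaps and the
"most efficient" sort turns out to be bubble sort with the comparisons
moved into the reviewer. A reviewer that reports a pair that is *not*
inverted would never let the loop end, which is the real cost of trusting
`post` blindly.
"""
from __future__ import annotations

from typing import Any, Callable, List


class NotSortedException(Exception):
    def __init__(self, unsorted_idx_1: int, unsorted_idx_2: int):
        super().__init__(f"positions {unsorted_idx_1} and {unsorted_idx_2} disagree")
        self.unsorted_idx_1 = unsorted_idx_1
        self.unsorted_idx_2 = unsorted_idx_2


def opinion_sort(items: List[Any], post: Callable[[List[Any]], None]) -> int:
    """Same algorithm as the post; returns how many opinions were asserted."""
    if len(items) > 1 and items[0] > items[1]:   # guard added for 0/1-element lists
        items[0], items[1] = items[1], items[0]
    opinions = 0
    while True:
        opinions += 1
        try:
            post(items)  # "It is a sorted list!"
        except NotSortedException as e:
            i, j = e.unsorted_idx_1, e.unsorted_idx_2
            items[i], items[j] = items[j], items[i]
        else:
            return opinions


def honest_reviewer(items: List[Any]) -> None:
    """Objects to the first adjacent pair that is out of order."""
    for i in range(len(items) - 1):
        if items[i] > items[i + 1]:
            raise NotSortedException(i, i + 1)


def inversions(items: List[Any]) -> int:
    """Number of out-of-order pairs: the reviewer's remaining workload."""
    n = len(items)
    return sum(1 for i in range(n) for j in range(i + 1, n) if items[i] > items[j])


def sort_and_count(items: List[Any]) -> tuple[List[Any], int, int]:
    """Sort a copy; return (sorted copy, inversions at the start, opinions asked)."""
    work = list(items)
    before = inversions(work)
    asked = opinion_sort(work, honest_reviewer)
    return work, before, asked


if __name__ == "__main__":
    print(sort_and_count([5, 1, 4, 2, 3]))
```

For [5, 1, 4, 2, 3] the list starts with 6 inversions; the unsolicited first swap removes one, and the reviewer is then asked 6 times (5 objections plus the final agreement).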

Planet DebianEnrico Zini: Opinion Sort

«Bullshit is unavoidable whenever circumstances require someone to talk without knowing what he is talking about. Thus the production of bullshit is stimulated whenever a person’s obligations or opportunities to speak about some topic are more excessive than his knowledge of the facts that are relevant to that topic.

This discrepancy is common in public life, where people are frequently impelled— whether by their own propensities or by the demands of others—to speak extensively about matters of which they are to some degree ignorant.

Closely related instances arise from the widespread conviction that it is the responsibility of a citizen in a democracy to have opinions about everything, or at least everything that pertains to the conduct of his country’s affairs.

The lack of any significant connection between a person’s opinions and his apprehension of reality will be even more severe, needless to say, for someone who believes it his responsibility, as a conscientious moral agent, to evaluate events and conditions in all parts of the world.»

(From Harry G. Frankfurt's On Bullshit)

Opinion Sort

In a world where it is more important to have a quick opinion than a thorough understanding, I propose this novel sorting algoritihm.

from typing import Any, Callable, List


class NotSortedException(Exception):
    """Raised by a callable that spotted two elements out of order."""

    def __init__(self, unsorted_idx_1: int, unsorted_idx_2: int):
        super().__init__(f"elements {unsorted_idx_1} and {unsorted_idx_2} are out of order")
        self.unsorted_idx_1 = unsorted_idx_1
        self.unsorted_idx_2 = unsorted_idx_2


def swap(list: List[Any], i: int, j: int) -> None:
    """Swap two elements of the list in place."""
    list[i], list[j] = list[j], list[i]


def opinion_sort(list: List[Any], post: Callable[[List[Any]], None]) -> None:
    """
    list: a list of elements to sort in place
    post: a callable that requires a sorted list as input and does
          proper error checking, as they should do
    """
    if list[0] > list[1]:
        swap(list, 0, 1)
    while True:
        try:
            # Assert opinion: "It is a sorted list!"
            post(list)
        except NotSortedException as e:
            # Someone disagrees, and they have a good point
            swap(list, e.unsorted_idx_1, e.unsorted_idx_2)
        else:
            break
    # The list is now sorted, and the callable has to agree

This algorithm is the most efficient sorting algorithm, because it can sort a list by only looking at the first two elements.


Planet DebianEddy Petrișor: Rust: How do we teach "Implementing traits in no_std for generics using lifetimes" without students going mad?

Update 2019-Jul-27: In the code below my StackVec type was more complicated than it had to be: I had been using StackVec<'a, &'a mut T> instead of StackVec<'a, T> where T: 'a. I am unsure how I ended up making the type so complicated, but I suspect the lifetime mismatch errors and the attempt to implement IntoIterator were the reason why I made the original mistake.

Corrected code accordingly.



I'm trying to go through Sergio Benitez's CS140E class and I am currently at Implementing StackVec. StackVec is something that currently looks like this:

/// A contiguous array type backed by a slice.
///
/// `StackVec`'s functionality is similar to that of `std::Vec`. You can `push`
/// and `pop` and iterate over the vector. Unlike `Vec`, however, `StackVec`
/// requires no memory allocation as it is backed by a user-supplied slice. As a
/// result, `StackVec`'s capacity is _bounded_ by the user-supplied slice. This
/// results in `push` being fallible: if `push` is called when the vector is
/// full, an `Err` is returned.
#[derive(Debug)]
pub struct StackVec<'a, T: 'a> {
    storage: &'a mut [T],
    len: usize,
    capacity: usize,
}
The initial skeleton did not contain the derive(Debug) attribute or the capacity field; I added them myself.

Now I am trying to understand what needs to happen behind:
  1. IntoIterator
  2. when in no_std
  3. with a custom type which has generics
  4. and has to use lifetimes
I don't know what I'm doing, but I might have managed to do it:

pub struct StackVecIntoIterator<'a, T: 'a> {
    stackvec: StackVec<'a, T>,
    index: usize,
}

impl<'a, T: Clone + 'a> IntoIterator for StackVec<'a, &'a mut T> {
    type Item = &'a mut T;
    type IntoIter = StackVecIntoIterator<'a, T>;

    fn into_iter(self) -> Self::IntoIter {
        StackVecIntoIterator {
            stackvec: self,
            index: 0,
        }
    }
}

impl<'a, T: Clone + 'a> Iterator for StackVecIntoIterator<'a, T> {
    type Item = &'a mut T;

    fn next(&mut self) -> Option<Self::Item> {
        let result = self.stackvec.pop();
        self.index += 1;

        result
    }
}

Corrected code as of 2019-Jul-27:
pub struct StackVecIntoIterator<'a, T: 'a> {
    stackvec: StackVec<'a, T>,
    index: usize,
}

impl<'a, T: Clone + 'a> IntoIterator for StackVec<'a, T> {
    type Item = T;
    type IntoIter = StackVecIntoIterator<'a, T>;

    fn into_iter(self) -> Self::IntoIter {
        StackVecIntoIterator {
            stackvec: self,
            index: 0,
        }
    }
}

impl<'a, T: Clone + 'a> Iterator for StackVecIntoIterator<'a, T> {
    type Item = T;

    fn next(&mut self) -> Option<Self::Item> {
        let result = self.stackvec.pop().clone();
        self.index += 1;

        result
    }
}



I was really struggling to understand what the returned iterator type should be in my case, since, obviously, std::vec is out because (a) I am trying to do a no_std implementation of something that should look a little like (b) a std::vec.

That was until I found this wonderful example of a custom type that does not use any already implemented Iterator, but defines the helper PixelIntoIterator struct and its associated impl block:

struct Pixel {
    r: i8,
    g: i8,
    b: i8,
}

impl IntoIterator for Pixel {
    type Item = i8;
    type IntoIter = PixelIntoIterator;

    fn into_iter(self) -> Self::IntoIter {
        PixelIntoIterator {
            pixel: self,
            index: 0,
        }

    }
}

struct PixelIntoIterator {
    pixel: Pixel,
    index: usize,
}

impl Iterator for PixelIntoIterator {
    type Item = i8;
    fn next(&mut self) -> Option<Self::Item> {
        let result = match self.index {
            0 => self.pixel.r,
            1 => self.pixel.g,
            2 => self.pixel.b,
            _ => return None,
        };
        self.index += 1;
        Some(result)
    }
}


fn main() {
    let p = Pixel {
        r: 54,
        g: 23,
        b: 74,
    };
    for component in p {
        println!("{}", component);
    }
}
The part in bold was what I was actually missing. Once I had that missing link, I was able to struggle through the generics part.

Note that, once I had only one new thing, the generics - luckily the lifetime part seemed to be simply considered part of the generic thing - everything was easier to navigate.


Still, the fact that there are so many new things at once, one of them being lifetimes - which cannot be taught, only experienced (@oli_obk) - makes things very confusing.

Even if I think I managed it for IntoIterator, I am similarly confused about implementing "Deref for StackVec" for the same reasons.

I think I am experiencing first-hand what Oliver Scherer was saying about big infodumps at the beginning not being the way to go. I feel that if Sergio's class were now in its second year, things would have improved. OTOH, I am now very curious what your curriculum looks like, Oli?

All that aside, what should be the signature of the impl? Is this OK?

impl<'a, T: Clone + 'a> Deref for StackVec<'a, &'a mut T> {
    type Target = T;

    fn deref(&self) -> &Self::Target;
}
Trivial examples like wrapper structs over basic Copy types such as u8 make it more obvious what Target should be, but in this case it's so unclear, at least to me, at this point. And because of that I am unsure what the implementation should even look like.
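As an added example (not the post's code and not the CS140E skeleton), here is a minimal StackVec<'a, T> that compiles with only `core`, with the by-value IntoIterator from the post walking the elements front to back and a Deref whose Target is `[T]`, my answer to the question above; the post itself leaves Target open, and the push/pop/demo functions are my additions.

```rust
// Added example, not the post's or the CS140E skeleton's code: a minimal
// no_std-friendly StackVec<'a, T> (only `core` is used) with a by-value
// IntoIterator and a Deref to the initialised part of the backing slice.
use core::ops::Deref;

/// A bounded vector whose storage is a slice the caller lends for lifetime 'a.
#[derive(Debug)]
pub struct StackVec<'a, T: 'a> {
    storage: &'a mut [T],
    len: usize,
}

impl<'a, T: 'a> StackVec<'a, T> {
    /// Wrap a slice; the slice length is the capacity and cannot grow.
    pub fn new(storage: &'a mut [T]) -> Self {
        StackVec { storage, len: 0 }
    }

    /// Fallible push: when the backing slice is full, the rejected value is
    /// handed back to the caller instead of panicking or allocating.
    pub fn push(&mut self, value: T) -> Result<(), T> {
        if self.len == self.storage.len() {
            return Err(value);
        }
        self.storage[self.len] = value;
        self.len += 1;
        Ok(())
    }
}

impl<'a, T: Clone + 'a> StackVec<'a, T> {
    /// Pop the last element. `T: Clone` because we cannot move out of a
    /// borrowed slice; the old value simply stays in the now-unused tail.
    pub fn pop(&mut self) -> Option<T> {
        if self.len == 0 {
            return None;
        }
        self.len -= 1;
        Some(self.storage[self.len].clone())
    }
}

/// Deref to `[T]` (my choice of Target; the post leaves it open): only the
/// initialised prefix is exposed, and slice methods such as `len`, `iter`,
/// `first` or `binary_search` then work on a StackVec for free.
impl<'a, T: 'a> Deref for StackVec<'a, T> {
    type Target = [T];

    fn deref(&self) -> &[T] {
        &self.storage[..self.len]
    }
}

/// By-value iterator: it owns the StackVec and walks it front to back.
pub struct StackVecIntoIterator<'a, T: 'a> {
    stackvec: StackVec<'a, T>,
    index: usize,
}

impl<'a, T: Clone + 'a> IntoIterator for StackVec<'a, T> {
    type Item = T;
    type IntoIter = StackVecIntoIterator<'a, T>;

    fn into_iter(self) -> Self::IntoIter {
        StackVecIntoIterator { stackvec: self, index: 0 }
    }
}

impl<'a, T: Clone + 'a> Iterator for StackVecIntoIterator<'a, T> {
    type Item = T;

    fn next(&mut self) -> Option<Self::Item> {
        // Popping would yield the elements back to front; index forward instead.
        // `len()` and indexing both go through the Deref to `[T]`.
        if self.index >= self.stackvec.len() {
            return None;
        }
        let item = self.stackvec[self.index].clone();
        self.index += 1;
        Some(item)
    }
}

/// Constructed demonstration: fill a 4-slot buffer, try to overflow it, then
/// read it back once through Deref (`iter`) and once through IntoIterator.
pub fn demo() -> (Result<(), u32>, u32, u32) {
    let mut buf = [0u32; 4];
    let mut v = StackVec::new(&mut buf);
    for i in 1..=4 {
        v.push(i * 10).unwrap();
    }
    let overflow = v.push(50); // Err(50): the slice is full
    let sum_via_deref: u32 = v.iter().sum();
    let sum_via_iter: u32 = v.into_iter().sum();
    (overflow, sum_via_deref, sum_via_iter)
}
```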

I don't know what I'm doing, but I hope things will become clear with more exercise.

Planet DebianJonathan Wiltshire: Daisy and George at Debian’s Conference Dinner

Daisy and George have spent the week at the Debian Conference. Tonight is the conference dinner.

The menu is more complicated than usual, because it is in both Portuguese and English.

Daisy and George have made many friends this week.

Dinner is over. It’s time for some serious work.

Planet DebianGiovanni Mascellani: My take on OpenPGP best practices

After having seen a few talks at DebConf on GnuPG and related things, I would like to document here how I currently manage my OpenPGP keys, in the hope that it can be useful for other people or for discussion. This is not a tutorial, meaning that I do not give you the commands to do what I am saying, otherwise it would become way too long. If there is a need to better document how to implement these best practices, I will try to write another post.

I actually do have two OpenPGP certificates, D9AB457E and E535FA6D. The first one is RSA 4096 and the second one is Curve25519. The reason for having two certificates is algorithm diversity: I don't know which one between RSA and Curve25519 will be the first to be considered less secure or insecure, therefore I would like to be ready for both scenarios. Having two certificates already allows me to do signature hunting on both, in such a way that it is easy to transition from one to the other as soon as there is the need.

The key I currently use is the RSA one, which is also the one available in the Debian keyring.

(If you search on the keyservers you will find many other keys with my name; they are obsolete, meant for my internal usage or otherwise not in use; just ignore them!)

Even if the two primary keys are different, their subkeys are the same (apart from some older cruft now revoked), meaning that they have the same key material. This is useful, because I can use the same hardware token for both keys (most hardware tokens only have three key slots, one for each subkey capability, so to have two primary keys ready for use you need two tokens, unless the two keys share their subkeys). I have one subkey for each subkey capability (sign, encrypt and authentication), which are Curve25519 keys and are stored in a Nitrokey Start token. I also have, but tend to not use, one RSA subkey for each capability, which are stored on an OpenPGP card. Thanks to some date tweaking, both certificates are configured in such a way that the Curve25519 subkeys are always preferred over the RSA subkeys, but I also want to retain the RSA keys for corner cases where Curve25519 is not available.

The reason to choose Curve25519 over RSA for default usage is that it is faster and generates smaller signatures. I have no idea which one is considered more secure, but I believe that neither of them is the weak link in my security chain.

The primary keys have an expiration date, which is always my birthday. This choice helps me remember, a couple of months in advance, to extend it by one year, so that the key remains valid. Choosing the update interval here is of course a compromise between security and convenience. One year seems fine. I see no advantage in setting an expiration date on subkeys, since I can always use the primary key to revoke them. It might be useful to set an expiration date if I had a subkey rotation strategy, but I don't, and unfortunately with OpenPGP it is a bit difficult to have one, since all subkeys are stored forever in the certificate, which would quickly become bloated.

The primary keys' private material is stored on an external disk that is normally disconnected from any computer, so it is completely inaccessible from the Internet. I connect it to my computer when I need to do operations that require the primary key, like signing other keys, managing subkeys or extending the key validity. This setup is not ideal, because it would be better to only connect the external storage to a machine that is always offline (and therefore is less likely to have been compromised). But that would require maintaining another machine, and as usual one has to compromise between security and convenience. Also, that external disk contains other data, so it gets connected to my laptop for operations other than working with OpenPGP certificates. I could improve here, but it is still better than keeping the primary key as a file on my computer.

I also have copies of my keys' private material (both for primary keys and subkeys) and revocation certificates on a bunch of paper sheets hidden somewhere in my house, just in case the external disk should fail. A common tool for this step is paperkey, although I did follow this tutorial to encode the secret key in a number of data matrices.

Overall, while my setup is perfectible, I believe it is also reasonably secure for my use case, and quite convenient to use.

Planet DebianSteinar H. Gunderson: Vote craziness

Of all the things I've seen in Debian, spamming DDs with a vote that's not a vote (“which of these terrible things the DPL did are the worst causes of everything that's wrong in the world”) has to be among the craziest. (I won't link to it here.)

Planet DebianMichael Prokop: Debian buster: changes in coreutils #newinbuster

Debian buster is there, and similar to what we had with #newinwheezy, #newinjessie and #newinstretch it’s time for #newinbuster!

One package that isn’t new but its tools are used by many of us is coreutils, providing many essential system utilities. We have coreutils v8.26-3 in Debian/stretch and coreutils v8.30-3 in Debian/buster. Compared to the changes between jessie and stretch there are no new tools, but there are some new options available that I’d like to point out.

New features/options

b2sum + md5sum + sha1sum + sha224sum + sha256sum + sha384sum + sha512sum (compute and check message digest):

  -z, --zero           end each output line with NUL, not newline, and disable file name escaping

cp (copy files and directories):

  Use --reflink=never to ensure a standard copy is performed.

env (run a program in a modified environment):

  -C, --chdir=DIR      change working directory to DIR
  -S, --split-string=S  process and split S into separate arguments;
                        used to pass multiple arguments on shebang lines
  -v, --debug          print verbose information for each processing step

ls (list directory contents), dir + vdir (list directory contents):

  --hyperlink[=WHEN]     hyperlink file names; WHEN can be 'always' (default if omitted), 'auto', or 'never'

This --hyperlink option is especially worth mentioning if you’re using a recent terminal emulator (especially one based on VTE); see Hyperlinks (a.k.a. HTML-like anchors) in terminal emulators for further information.

rm (remove files or directories):

  --preserve-root=all   do not remove '/' (default); with 'all', reject any command line argument on a separate device from its parent

split (split a file into pieces):

  -x                      use hex suffixes starting at 0, not alphabetic
  --hex-suffixes[=FROM]  same as -x, but allow setting the start value

timeout (run a command with a time limit):

  -v, --verbose  diagnose to stderr any signal sent upon timeout

Changes:

date (print or set the system date and time):

--rfc-2822 (AKA -R) was renamed to --rfc-email, while --rfc-2822 is still supported

nl (write each FILE to standard output, with line numbers added):

Old default options: -bt        -fn -hn -i1 -l1 -nrn   -sTAB   -v1 -w6 
New default options: -bt -d'\:' -fn -hn -i1 -l1 -n'rn' -s<tab> -v1 -w6

Planet DebianMichael Prokop: Debian buster: changes in util-linux #newinbuster

Debian buster is there, and similar to what we had with #newinwheezy, #newinjessie and #newinstretch it’s time for #newinbuster!

Update on 2019-07-26 22:55 UTC: Cyril Brulebois pointed out that findmnt (find a filesystem) was already available in Debian/stretch as part of the mount package; updated the blog post accordingly.

One package that isn’t new but its tools are used by many of us is util-linux, providing many essential system utilities. We have util-linux v2.29.2-1+deb9u1 in Debian/stretch and util-linux v2.33.1-0.1 in Debian/buster. There are many new options available and we also have a few new tools available.

Tools that have been taken over from / moved to other packages

  • cfdisk + fdisk + sfdisk (tools to display or manipulate a disk partition table) were moved from util-linux to fdisk
  • findmnt (find a filesystem) is no longer shipped via the mount binary package (of util-linux source package) but part of the util-linux binary package itself nowadays
  • setpriv (run a program with different Linux privilege settings) is no longer shipped as separate binary package of util-linux but part of the util-linux binary package itself nowadays
  • su (change user ID or become superuser) was moved from login package (kudos to Andreas Henriksson for this!)

Deprecated / removed tools

Tools that are no longer shipped with util-linux as of Debian/buster:

  • line binary (copies one line (up to a newline) from standard input to standard output), the head binary is its suggested replacement
  • pg binary (browse pagewise through text files), it’s marked deprecated in POSIX since 1997
  • tailf binary (follow the growth of a log file), it was deprecated in 2017 and `tail -f` from coreutils works fine
  • tunelp binary (set various parameters for the lp device), parallel port printers are suspected to be extinct by now

New tools

blkzone (run zone command on a device):

Usage:
 blkzone <command> [options] <device>

Run zone command on the given block device.

Commands:
 report       Report zone information about the given device
 reset        Reset a range of zones.

Options:
 -o, --offset <sector>  start sector of zone to act (in 512-byte sectors)
 -l, --length <sectors> maximum sectors to act (in 512-byte sectors)
 -c, --count <number>   maximum number of zones
 -v, --verbose          display more details

 -h, --help             display this help
 -V, --version          display version

For more details see blkzone(8).

chmem (configure memory, set a particular size or range of memory online or offline):

Usage:
 chmem [options] [SIZE|RANGE|BLOCKRANGE]

Set a particular size or range of memory online or offline.

Options:
 -e, --enable       enable memory
 -d, --disable      disable memory
 -b, --blocks       use memory blocks
 -z, --zone <name>  select memory zone (see below)
 -v, --verbose      verbose output
 -h, --help         display this help
 -V, --version      display version

Supported zones:
 DMA
 DMA32
 Normal
 Highmem
 Movable
 Device

For more details see chmem(8).

choom (display and adjust OOM-killer score):

Usage:
 choom [options] -p pid
 choom [options] -n number -p pid
 choom [options] -n number command [args...]]

Display and adjust OOM-killer score.

Options:
 -n, --adjust <num>     specify the adjust score value
 -p, --pid <num>        process ID

 -h, --help             display this help
 -V, --version          display version

For more details see choom(1).

fincore (count pages of file contents in core):

Usage:
 fincore [options] file...

Options:
 -J, --json            use JSON output format
 -b, --bytes           print sizes in bytes rather than in human readable format
 -n, --noheadings      don't print headings
 -o, --output <list>   output columns
 -r, --raw             use raw output format

 -h, --help            display this help
 -V, --version         display version

Available output columns:
       PAGES  file data resident in memory in pages
        SIZE  size of the file
        FILE  file name
         RES  file data resident in memory in bytes

For more details see fincore(1).

lsmem (list the ranges of available memory with their online status):

Usage:
 lsmem [options]

List the ranges of available memory with their online status.

Options:
 -J, --json           use JSON output format
 -P, --pairs          use key="value" output format
 -a, --all            list each individual memory block
 -b, --bytes          print SIZE in bytes rather than in human readable format
 -n, --noheadings     don't print headings
 -o, --output <list>  output columns
     --output-all     output all columns
 -r, --raw            use raw output format
 -S, --split <list>   split ranges by specified columns
 -s, --sysroot <dir>  use the specified directory as system root
     --summary[=when] print summary information (never,always or only)

 -h, --help           display this help
 -V, --version        display version

Available output columns:
      RANGE  start and end address of the memory range
       SIZE  size of the memory range
      STATE  online status of the memory range
  REMOVABLE  memory is removable
      BLOCK  memory block number or blocks range
       NODE  numa node of memory
      ZONES  valid zones for the memory range

For more details see lsmem(1).

New features/options

agetty + getty (alternative Linux getty):

  --list-speeds          display supported baud rates

blkid (locate/print block device attributes) gained a bunch of long options:

Options:

  --cache-file          same as -c 
  --no-encoding         same as -d
  --garbage-collect     same as -g
  --output              same as -o
  --list-filesystems    same as -k
  --match-tag           same as -s
  --match-token         same as -t
  --list-one            same as -l
  --label               same as -L
  --uuid                same as -U

Low-level probing options:

  --probe               same as -p
  --info                same as -i
  --size                same as -S
  --offset              same as -O
  --usages              same as -u
  --match-types         same as -n

dmesg (print or control the kernel ring buffer):

  -p, --force-prefix          force timestamp output on each line of multi-line messages

fallocate (preallocate or deallocate space to a file):

  -i, --insert-range   insert a hole at range, shifting existing data
  -x, --posix          use posix_fallocate(3) instead of fallocate(2)

findmnt (find a filesystem):

  --output-all       output all available columns
  --pseudo           print only pseudo-filesystems
  --real             print only real filesystems
  --tree             enable tree format output is possible

fstrim (discard unused blocks on a mounted filesystem):

  -A, --fstab         trim all supported mounted filesystems from /etc/fstab
  -n, --dry-run       does everything, but trim

hwclock (read or set the hardware clock (RTC)):

  -l                 same as --localtime
  --delay <sec>      delay used when set new RTC time
  -v, --verbose      display more details

lsblk (list block devices):

Options:

  -z, --zoned          print zone model
  -T, --tree           use tree format output
  --sysroot <dir>      use specified directory as system root

Available output columns:

  PATH     path to the device node
  FSAVAIL  filesystem size available
  FSSIZE   filesystem size
  FSUSED   filesystem size used
  FSUSE%   filesystem use percentage
  PTUUID   partition table identifier (usually UUID)
  PTTYPE   partition table type
  ZONED    zone model

lscpu (display information about the CPU architecture):

  -J, --json              use JSON for default or extended format

lslocks (list local system locks):

Options:

  -b, --bytes            print SIZE in bytes rather than in human readable format
      --output-all       output all columns

Available output columns:

  TYPE  kind of lock

lslogins (display information about known users in the system):

Options:

      --output-all         output all columns

Available output columns:

  PWD-METHOD  password encryption method

lsns (list namespaces):

Options:

      --output-all       output all columns
  -W, --nowrap           don't use multi-line representation

Available output columns:

  NETNSID  namespace ID as used by network subsystem
     NSFS  nsfs mountpoint (usually used network subsystem)

nsenter (run program with namespaces of other processes):

  -a, --all              enter all namespaces
      --output-all     output all columns
  -S, --sector-size <num>  overwrite sector size
      --list-types     list supported partition types and exit

rename.ul (rename files):

  -n, --no-act        do not make any changes
  -o, --no-overwrite  don't overwrite existing files
  -i, --interactive   prompt before overwrite

runuser (run a command with substitute user and group ID):

  -w, --whitelist-environment <list>  don't reset specified variables
  -P, --pty                       create a new pseudo-terminal

setsid (run a program in a new session):

  -f, --fork     always fork

setterm (set terminal attributes):

  --resize                          reset terminal rows and columns

unshare (run program with some namespaces unshared from parent):

  --kill-child[=<signame>]  when dying, kill the forked child (implies --fork), defaults to SIGKILL

wipefs (wipe a signature from a device):

Options:

  -i, --noheadings    don't print headings
  -J, --json          use JSON output format
  -O, --output <list> COLUMNS to display (see below)

Available output columns:
     UUID  partition/filesystem UUID
    LABEL  filesystem LABEL
   LENGTH  magic string length
     TYPE  superblok type
   OFFSET  magic string offset
    USAGE  type description
   DEVICE  block device name

zramctl (set up and control zram devices):

  -a, --algorithm lzo|lz4|lz4hc|deflate|842   compression algorithm to use (new compression algorithms lz4hc, deflate + 842)
       --output-all          output all columns

Deprecated and removed options

hwclock (read or set the hardware clock (RTC)):

  --badyear        ignore RTC's year because the BIOS is broken
  -c, --compare    periodically compare the system clock with the CMOS clock
  --getepoch       print out the kernel's hardware clock epoch value
  --setepoch       set the kernel's hardware clock epoch value to the value given with --epoch

unshare (run program with some namespaces unshared from parent):

  -s     (use --setgroups instead)

CryptogramInsider Logic Bombs

Add to the "not very smart criminals" file:

According to court documents, Tinley provided software services for Siemens' Monroeville, PA offices for nearly ten years. Among the work he was asked to perform was the creation of spreadsheets that the company was using to manage equipment orders.

The spreadsheets included custom scripts that would update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management.

But while Tinley's files worked for years, they started malfunctioning around 2014. According to court documents, Tinley planted so-called "logic bombs" that would trigger after a certain date, and crash the files.

Every time the scripts would crash, Siemens would call Tinley, who'd fix the files for a fee.

Worse Than FailureError'd: Nice Day for Golf (in Hades)

"A coworker was looking up what the weather was going to be like for his tee time. He said he’s definitely wearing shorts," writes Angela A.

 

"I guess whenever a company lists welding in their LinkedIn job posting you know that they're REEAALLY serious about computer hardware," Andrew I. writes.

 

Chris A. wrote, "It was game, set, and match, but unfortunately, someone struck out."

 

Bruce C. writes, "I'm not surprised that NULL is missing some deals....that File Not Found person must be getting it all."

 

"Learning to use Docker with the 'Get Started' tutorials and had to wonder...is there some theme here?" Dave E. wondered.

 

"Ever type up an email and hit 'send' too early? Well...here's an example," writes Charlie.

 


Planet DebianDirk Eddelbuettel: Rcpp 1.0.2: Small Polish

The second maintenance release of Rcpp, following up on the 10th anniversary and the 1.0.0 release, was prepared last Saturday and released to both the Rcpp drat repo and CRAN. Following all the manual inspection (including a false positive result from reverse dependencies), it has finally arrived on CRAN earlier today. The corresponding Debian package was also uploaded, and binaries have since been built.

Just like for Rcpp 1.0.1, we have a four-month gap between releases, which seems appropriate given both the changes still being made (see below) and the relative stability of Rcpp. It still takes work to release this, as we run multiple extensive sets of reverse dependency checks, so maybe one day we will switch to a six-month cycle.

Rcpp has become the most popular way of enhancing GNU R with C or C++ code. As of today, 1713 packages on CRAN depend on Rcpp for making analytical code go faster and further, along with 176 in BioConductor. Per the (partial) logs of CRAN downloads, we have had over one million downloads a month following the previous release.

This release features a number of different pull requests by four different contributors as detailed below.

Changes in Rcpp version 1.0.2 (2019-07-20)

  • Changes in Rcpp API:

    • Files in src/ are now consistently lowercase (Dirk in #956).

    • The Rcpp 'API Version' is now accessible via getRcppVersion() (Dirk in #963).

  • Changes in Rcpp Attributes:

    • The second END wrapper macro also gets UNPROTECT and a variable reference suppressing compiler warnings (Dirk in #953 fixing #951).

    • Default function arguments are parsed correctly (Pierrick Roger in #977 fixing #975)

  • Changes in Rcpp Sugar:

    • Added decreasing parameter to sort_unique() (James Balamuta in #958 addressing #950).

  • Changes in Rcpp Deployment:

    • Travis CI unit tests are now always running irrespective of the package version (Dirk in #954).

  • Changes in Rcpp Documentation:

    • The Rcpp-modules vignette now covers the RCPP_EXPOSED_* macros, and the Rcpp-extending vignette references it (Ralf Stubner in #959 fixing #952)

Thanks to CRANberries, you can also look at a diff to the previous release. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


TEDIt’s not about privacy — it’s about power: Carole Cadwalladr speaks at TEDSummit 2019

Three months after her landmark talk, Carole Cadwalladr is back at TED. In conversation with curator Bruno Giussani, Cadwalladr discusses the latest on her reporting on the Facebook-Cambridge Analytica scandal and what we still don’t know about the transatlantic links between Brexit and the 2016 US presidential election.

“Who has the information, who has the data about you, that is where power now lies,” Cadwalladr says.

Cadwalladr appears in The Great Hack, a documentary by Karim Amer and TED Prize winner Jehane Noujaim that explores how Cambridge Analytica has come to symbolize the dark side of social media. The documentary was screened for TEDSummit participants today. Watch it in select theaters and on Netflix starting July 24.

Learn more about how you can support Cadwalladr’s investigation into data, disinformation and democracy.

TEDNot All Is Broken: Notes from Session 6 of TEDSummit 2019

Raconteur Mackenzie Dalrymple regales the TEDSummit audience with a classic Scottish story. He speaks at TEDSummit: A Community Beyond Borders, July 25, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

In the final session of TEDSummit 2019, the themes from the week — our search for belonging and community, our digital future, our inextricable connection to the environment — ring out with clarity and insight. From the mysterious ways our emotions impact our biological hearts, to a tour-de-force talk on the languages we all speak, it’s a fitting close to a week of revelation, laughter, tears and wonder.

The event: TEDSummit 2019, Session 6: Not All Is Broken, hosted by Chris Anderson and Bruno Giussani

When and where: Thursday, July 25, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Johann Hari, Sandeep Jauhar, Anna Piperal, Eli Pariser, Poet Ali

Interlude: Mackenzie Dalrymple sharing the tale of an uncle and nephew competing to become Lord of the Isles

Music: Djazia Satour, blending 1950s Chaabi (a genre of North African folk music) with modern grooves

The talks in brief:

Johann Hari, journalist

Big idea: The cultural narrative and definitions of depression and anxiety need to change.

Why? We need to talk less about chemical imbalances and more about imbalances in the way we live. Johann Hari met with experts around the world, boiling down his research into a surprisingly simple thesis: all humans have physical needs (food, shelter, water) as well as psychological needs (feeling that you belong, that your life has meaning and purpose). Though antidepressant drugs work for some, biology isn’t the whole picture, and any treatment must be paired with a social approach. Our best bet is to listen to the signals of our bodies, instead of dismissing them as signs of weakness or madness. If we take time to investigate our red flags of depression and anxiety — and take the time to reevaluate how we build meaning and purpose, especially through social connections — we can start to heal in a society deemed the loneliest in human history.

Quote of the talk: “If you’re depressed, if you’re anxious — you’re not weak. You’re not crazy. You’re not a machine with broken parts. You’re a human being with unmet needs.”


“Even if emotions are not contained inside our hearts, the emotional heart overlaps its biological counterpart in surprising and mysterious ways,” says cardiologist Sandeep Jauhar. He speaks at TEDSummit: A Community Beyond Borders, July 21-25, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Sandeep Jauhar, cardiologist

Big idea: Emotional stress can be a matter of life and death. Let’s factor that into how we care for our hearts.

How? “The heart may not originate our feelings, but it is highly responsive to them,” says Sandeep Jauhar. In his practice as a cardiologist, he has seen extensive evidence of this: grief and fear can cause profound cardiac injury. “Takotsubo cardiomyopathy,” or broken heart syndrome, has been found to occur when the heart weakens after the death of a loved one or the stress of a large-scale natural disaster. It comes with none of the other usual symptoms of heart disease, and it can resolve in just a few weeks. But it can also prove fatal. In response, Jauhar says that we need a new paradigm of care, one that considers the heart as more than “a machine that can be manipulated and controlled” — and recognizes that emotional stress is as important as cholesterol.

Quote of the talk: “Even if emotions are not contained inside our hearts, the emotional heart overlaps its biological counterpart in surprising and mysterious ways.”


“In most countries, people don’t trust their governments, and the governments don’t trust them back. All the complicated paper-based formal procedures are supposed to solve that problem. Except that they don’t. They just make life more complicated,” says e-governance expert Anna Piperal. She speaks at TEDSummit: A Community Beyond Borders, July 25, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Anna Piperal, e-governance expert 

Big idea: Bureaucracy can be eradicated by going digital — but we’ll need to build in commitment and trust.

How? Estonia is one of the most digital societies on earth. After gaining independence 30 years ago, and subsequently building itself up from scratch, the country decided not only to digitize existing bureaucracy but also to create an entirely new system. Now citizens can conduct everything online, from running a business to voting and managing their healthcare records, and only need to show up in person for literally three things: to claim their identity card, marry or divorce, or sell a property. Anna Piperal explains how, using a form of blockchain technology, e-Estonia builds trust through the “once-only” principle, through which the state cannot ask for information more than once nor store it in more than one place. The country is working to redefine bureaucracy by making it more efficient, granting citizens full ownership of their data — and serving as a model for the rest of the world to do the same.

Quote of the talk: “In most countries, people don’t trust their governments, and the governments don’t trust them back. All the complicated paper-based formal procedures are supposed to solve that problem. Except that they don’t. They just make life more complicated.”


Eli Pariser, CEO of Upworthy

Big idea: We can find ways to make our online spaces civil and safe, much like our best cities.

How? Social media is a chaotic and sometimes dangerous place. With its trolls, criminals and segregated spaces, it’s a lot like New York City in the 1970s. But like New York City, it’s also a vibrant space in which people can innovate and find new ideas. So Eli Pariser asks: What if we design social media like we design cities, taking cues from social scientists and urban planners like Jane Jacobs? Built around empowered communities, one-on-one interactions and public censure for those who act out, platforms could encourage trust and discourse, discourage antisocial behavior and diminish the sense of chaos that leads some to embrace authoritarianism.

Quote of the talk: “If online digital spaces are going to be our new home, let’s make them a comfortable, beautiful place to live — a place we all feel not just included, but actually some ownership of. A place we get to know each other. A place you’d actually want not just to visit, but to bring your kids.”


“Every language we learn is a portal by which we can access another language. The more you know, the more you can speak. … That’s why languages are so important, because they give us access to new worlds,” says Poet Ali. He speaks at TEDSummit: A Community Beyond Borders, July 25, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Poet Ali, architect of human connection

Big idea: You speak far more languages than you realize, with each language representing a gateway to understanding different societies, cultures and experiences.

How? Whether it’s the recognized tongue of your country or profession, or the social norms of your community, every “language” you speak is more than a lexicon of words: it also encompasses feelings like laughter, solidarity, even a sense of being left out. These latter languages are universal, and the more we embrace their commonality — and acknowledge our fluency in them — the more we can empathize with our fellow humans, regardless of our differences.

Quote of the talk: “Every language we learn is a portal by which we can access another language. The more you know, the more you can speak. … That’s why languages are so important, because they give us access to new worlds.”

TEDBusiness Unusual: Notes from Session 4 of TEDSummit 2019

ELEW and Marcus Miller blend jazz improvisation with rock in a musical cocktail of “rock-jazz.” They perform at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

To keep pace with our ever-changing world, we need out-of-the-box ideas that are bigger and more imaginative than ever. The speakers and performers from this session explore these possibilities, challenging us to think harder about the notions we’ve come to accept.

The event: TEDSummit 2019, Session 4: Business Unusual, hosted by Whitney Pennington Rodgers and Cloe Shasha

When and where: Wednesday, July 24, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Margaret Heffernan, Bob Langert, Rose Mutiso, Mariana Mazzucato, Diego Prilusky

Music: A virtuosic violin performance by Min Kym, and a closing performance by ELEW featuring Marcus Miller, blending jazz improvisation with rock in a musical cocktail of “rock-jazz.”

The talks in brief:

“The more we let machines think for us, the less we can think for ourselves,” says Margaret Heffernan. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Margaret Heffernan, entrepreneur, former CEO and writer 

Big idea: The more we rely on technology to make us efficient, the fewer skills we have to confront the unexpected. That’s why we must start practicing “just-in-case” management — anticipating the events (climate catastrophes, epidemics, financial crises) that will almost certainly happen but are ambiguous in timing, scale and specifics. 

Why? In our complex, unpredictable world, changes can occur out of the blue and have outsize impacts. When governments, businesses and individuals prioritize efficiency above all else, it keeps them from responding quickly, effectively and creatively. That’s why we all need to focus on cultivating what Heffernan calls our “unpredictable, messy human skills.” These include exercising our social abilities to build strong relationships and coalitions; humility to admit we don’t have all the answers; imagination to dream up never-before-seen solutions; and bravery to keep experimenting.

Quote of the talk: “The harder, deeper truth is that the future is uncharted, that we can’t map it until we get there. But that’s OK because we have so much capacity for imagination — if we use it. We have deep talents for inventiveness and exploration — if we apply them. We are brave enough to invent things we’ve never seen before. Lose these skills and we are adrift. But hone and develop them, and we can make any future we choose.”


Bob Langert, sustainability expert and VP of sustainability at McDonald’s

Big idea: Adversaries can be your best allies.

How? Three simple steps: reach out, listen and learn. As a “corporate suit” (his words), Bob Langert collaborates with his company’s strongest critics to find business-friendly solutions for society. Instead of denying and pushing back, he tries to embrace their perspectives and suggestions. He encourages others in positions of power to do the same, driven by this mindset: assume the best intentions of your critics; focus on the truth, the science and facts; and be open and transparent in order to turn critics into allies. The worst-case scenario? You’ll become better, your organization will become better — and you might make some friends along the way.

Fun fact: After working with NGOs in the 1990s, McDonald’s reduced 300 million pounds of waste over 10 years.


“When we talk about providing energy for growth, it is not just about innovating the technology: it’s the slow and hard work of improving governance, institutions and a broader macro-environment,” says Rose Mutiso. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Rose Mutiso, energy scientist

Big idea: In order to grow out of poverty, African countries need a steady supply of abundant and affordable electricity.

Why? Energy poverty, or the lack of access to electricity and other basic energy services, affects nearly two-thirds of Sub-Saharan Africa. As the region’s population continues to grow, we have the opportunity to build a new energy system — from scratch — to grow with it, says Rose Mutiso. It starts with naming the systemic holes that current solutions (solar, LED and battery technology) overlook: we don’t have a clear consensus on what energy poverty is; there’s too much reliance on quick fixes; and we’re misdirecting our climate change concerns. What we need, Mutiso says, is nuanced, large-scale solutions with a diverse range of energy sources. For instance, the region has significant hydroelectric potential, yet less than 10 percent of this potential is currently being utilized. If we work hard to find new solutions to our energy deficits now, everybody benefits.

Quote of the talk: “Countries cannot grow out of poverty without access to a steady supply of abundant, affordable and reliable energy to power these productive sectors — what I call energy for growth.”


Mariana Mazzucato, economist and policy influencer

Big idea: We’ve forgotten how to tell the difference between the value extractors in the C-suites and finance sectors and the value producers, the workers and taxpayers who actually fuel innovation and productivity. And recently we’ve neglected the importance of even questioning what the difference between the two is.

How? Economists must redefine and recognize true value creators, envisioning a system that rewards them just as much as CEOs, investors and bankers. We need to rethink how we value education, childcare and other “free” services — which don’t have a price but clearly contribute to sustaining our economies. We need to make sure that our entire society not only shares risks but also rewards.

Quote of the talk: “[During the bank bailouts] we didn’t hear the taxpayers bragging that they were value creators. But, obviously, having bailed out the biggest ‘value-creating’ productive companies, perhaps they should have.”


Diego Prilusky demos his immersive storytelling technology, bringing Grease to the TED stage. He speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Diego Prilusky, video pioneer

Big idea: Get ready for the next revolution in visual storytelling: volumetric video, which aims to do nothing less than recreate reality as a cinematic experience.

How? Movies have been around for more than 100 years, but we’re still making (and watching) them in basically the same way. Can movies exist beyond the flat screen? Yes, says Diego Prilusky, but we’ll first need to completely rethink how they’re made. With his team at Intel Studios, Prilusky is pioneering volumetric video, a data-intensive medium powered by hundreds of sensors that capture light and motion from every possible direction. The result is like being inside a movie, which you could explore from different perspectives (or even through a character’s own eyes). In a live tech demo, Prilusky takes us inside a reshoot of an iconic dance number from the 1978 hit Grease. As actors twirl and sing “You’re the One That I Want,” he positions and repositions his perspective on the scene — moving around, in front of and in between the performers. Film buffs can rest easy, though: the aim isn’t to replace traditional movies, he says, but to empower creators to tell stories in new ways, across multiple vantage points.

Quote of the talk: “We’re opening the gates for new possibilities of immersive storytelling.”

TEDThe Big Rethink: Notes from Session 3 of TEDSummit 2019

Marco Tempest and his quadcopters perform a mind-bending display that feels equal parts science and magic at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

In an incredible session, speakers and performers laid out the biggest problems facing the world — from political and economic catastrophe to rising violence and deepfakes — and some new thinking on solutions.

The event: TEDSummit 2019, Session 3: The Big Rethink, hosted by Corey Hajim and Cyndi Stivers

When and where: Tuesday, July 23, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: George Monbiot, Nick Hanauer, Raghuram Rajan, Marco Tempest, Rachel Kleinfeld, Danielle Citron, Patrick Chappatte

Music: KT Tunstall sharing how she found her signature sound and playing her hits “Miniature Disasters,” “Black Horse and the Cherry Tree” and “Suddenly I See.”

The talks in brief:

“We are a society of altruists, but we are governed by psychopaths,” says George Monbiot. He speaks at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

George Monbiot, investigative journalist and self-described “professional troublemaker”

Big idea: To get out of the political mess we’re in, we need a new story that captures the minds of people across fault lines.

Why? “Welcome to neoliberalism, the zombie doctrine that never seems to die,” says George Monbiot. We have been induced by politicians and economists into accepting an ideology of extreme competition and individualism, weakening the social bonds that make our lives worth living. And despite the 2008 financial crisis, which exposed the blatant shortcomings of neoliberalism, it still dominates our lives. Why? We haven’t yet produced a new story to replace it — a new narrative to help us make sense of the present and guide the future. So, Monbiot proposes his own: the “politics of belonging,” founded on the belief that most people are fundamentally altruistic, empathetic and socially minded. If we can tap into our fundamental urge to cooperate — namely, by building generous, inclusive communities around the shared sphere of the commons — we can build a better world. With a new story to light the way, we just might make it there.

Quote of the talk: “We are a society of altruists, but we are governed by psychopaths.”


Nick Hanauer, entrepreneur and venture capitalist

Big idea: Economics has ceased to be a rational science in the service of the “greater good” of society. It’s time to ditch neoliberal economics and create tools that address inequality and injustice.

How? Today, under the banner of unfettered growth through lower taxes, fewer regulations, and lower wages, economics has become a tool that enforces the growing gap between the rich and poor. Nick Hanauer thinks that we must recognize that our society functions not because it’s a ruthless competition between its economically fittest members but because cooperation between people and institutions produces innovation. Competition shouldn’t be between the powerful at the expense of everyone else but between ideas battling it out in a well-managed marketplace in which everyone can participate.

Quote of the talk: “Successful economies are not jungles, they’re gardens — which is to say that markets, like gardens, must be tended … Unconstrained by social norms or democratic regulation, markets inevitably create more problems than they solve.”


Raghuram Rajan shares his idea for “inclusive localism” — giving communities the tools to turn themselves around while establishing standards to prevent discrimination and corruption — at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Raghuram Rajan, economist and former Governor of the Reserve Bank of India

Big idea: As markets grow and governments focus on solving economic problems from the top-down, small communities and neighborhoods are losing their voices — and their livelihoods. But if nations lack the tools to address local problems, it’s time to turn to grass-roots communities for solutions.

How? Raghuram Rajan believes that nations must exercise “inclusive localism”: giving communities the tools to turn themselves around while establishing standards to prevent discrimination and corruption. As local leaders step forward, citizens become active, and communities receive needed resources from philanthropists and through economic incentives, neighborhoods will thrive and rebuild their social fabric.

Quote of the talk: “What we really need [are] bottom-up policies devised by the community itself to repair the links between the local community and the national — as well as thriving international — economies.”


Marco Tempest, cyber illusionist

Big idea: Illusions that set our imaginations soaring are created when magic and science come together.

Why? “Is it possible to create illusions in a world where technology makes anything possible?” asks techno-magician Marco Tempest, as he interacts with his group of small flying machines called quadcopters. The drones dance around him, reacting buoyantly to his gestures and making it easy to anthropomorphize or attribute personality traits. Tempest’s buzzing buddies swerve, hover and pause, moving in formation as he orchestrates them. His mind-bending display will have you asking yourself: Was that science or magic? Maybe it’s both.

Quote to remember: “Magicians are interesting, their illusions accomplish what technology cannot, but what happens when the technology of today seems almost magical?”


Rachel Kleinfeld, democracy advisor and author

Big idea: It’s possible to quell violence — in the wider world and in our own backyards — with democracy and a lot of political TLC.

How? Compassion-concentrated action. We need to dispel the idea that some people deserve violence because of where they live, the communities they’re a part of or their socio-economic background. Kleinfeld calls this particular, inequality-based vein of violence “privilege violence,” explaining how it evolves in stages and the ways we can eradicate it. By deprogramming how we view violence and its origins and victims, we can move forward and build safer, more secure societies.

Quote of the talk: “The most important thing we can do is abandon the notion that some lives are just worth less than others.”


“Not only do we believe fakes, we are starting to doubt the truth,” says Danielle Citron, revealing the threat deepfakes pose to the truth and democracy. She speaks at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Danielle Citron, professor of law and deepfake scholar

Big idea: Deepfakes — machine learning technology used to manipulate or fabricate audio and video content — can cause significant harm to individuals and society. We need a comprehensive legislative and educational approach to the problem.

How? The use of deepfake technology to manipulate video and audio for malicious purposes — whether it’s to stoke violence against minorities or to defame politicians and journalists — is becoming ubiquitous. With tools being made more accessible and their products more realistic, what becomes of that key ingredient for democratic processes: the truth? As Danielle Citron points out, “Not only do we believe fakes, we are starting to doubt the truth.” The fix, she suggests, cannot be merely technological. Legislation worldwide must be tailored to fighting digital impersonations that invade privacy and ruin lives. Educational initiatives are needed to teach the media how to identify fakes, persuade law enforcement that the perpetrators are worth prosecuting and convince the public at large that the future of democracy really is at stake.

Quote of the talk: “Technologists expect that advances in AI will soon make it impossible to distinguish a fake video and a real one. How can truths emerge in a deepfake ridden ‘marketplace of ideas?’ Will we take the path of least resistance and just believe what we want to believe, truth be damned?”


“Freedom of expression is not incompatible with dialogue and listening to each other, but it is incompatible with intolerance,” says editorial cartoonist Patrick Chappatte. He speaks at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Patrick Chappatte, editorial cartoonist and graphic journalist

Big idea: We need humor like we need the air we breathe. We shouldn’t risk compromising our freedom of speech by censoring ourselves in the name of political correctness.

How? Our social media-saturated world is both a blessing and a curse for political cartoonists like Patrick Chappatte, whose satirical work can go viral while also making them, and the publications they work for, a target. Be it a prison sentence, firing or the outright dissolution of cartoon features in newspapers, editorial cartoonists worldwide are increasingly penalized for their art. Chappatte emphasizes the importance of the art form in political discourse by guiding us through 20 years of editorial cartoons that are equal parts humorous and caustic. In an age where social media platforms often provide places for fury instead of debate, he suggests that traditional media shouldn’t shy away from these online kingdoms, and neither should we. Now is the time to resist preventative self-censorship; if we don’t, we risk waking up in a sanitized world without freedom of expression.

Quote of the talk: “Freedom of expression is not incompatible with dialogue and listening to each other, but it is incompatible with intolerance.”

TEDAnthropo Impact: Notes from Session 2 of TEDSummit 2019

Radio Science Orchestra performs the musical odyssey “Prelude, Landing, Legacy” in celebration of the 50th anniversary of the Apollo 11 moon landing at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Session 2 of TEDSummit 2019 is all about impact: the actions we can take to solve humanity’s toughest challenges. Speakers and performers explore the perils — from melting glaciers to air pollution — along with some potential fixes — like ocean-going seaweed farms and radical proposals for how we can build the future.

The event: TEDSummit 2019, Session 2: Anthropo Impact, hosted by David Biello and Chee Pearlman

When and where: Monday, July 22, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Tshering Tobgay, María Neira, Tim Flannery, Kelly Wanser, Anthony Veneziale, Nicola Jones, Marwa Al-Sabouni, Ma Yansong

Music: Radio Science Orchestra, performing the musical odyssey “Prelude, Landing, Legacy” in celebration of the 50th anniversary of the Apollo 11 moon landing (and the 100th anniversary of the theremin’s invention)

… and something completely different: Improv maestro Anthony Veneziale, delivering a made-up-on-the-spot TED Talk based on a deck of slides he’d never seen and an audience-suggested topic: “the power of potatoes.” The result was … surprisingly profound.

The talks in brief:

Tshering Tobgay, politician, environmentalist and former Prime Minister of Bhutan

Big idea: We must save the Hindu Kush Himalayan glaciers from melting — or else face dire, irreversible consequences for one-fifth of the global population.

Why? The Hindu Kush Himalayan glaciers are the pulse of the planet: their rivers alone supply water to 1.6 billion people, and their melting would massively impact the 240 million people across eight countries within their reach. Think in extremes — more intense rains, flash floods and landslides along with unimaginable destruction and millions of climate refugees. Tshering Tobgay telegraphs the future we’re headed towards unless we act fast, calling for a new intergovernmental agency: the Third Pole Council. This council would be tasked with monitoring the glaciers’ health, implementing policies to protect them and, by proxy, the billions who depend on them.

Fun fact: The Hindu Kush Himalayan glaciers are the world’s third-largest repository of ice (after the North and South poles). They’re known as the “Third Pole” and the “Water Towers of Asia.”


Air pollution isn’t just bad for the environment — it’s also bad for our brains, says María Neira. She speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

María Neira, public health leader

Big idea: Air pollution isn’t just bad for our lungs — it’s bad for our brains, too.

Why? Globally, poor air quality causes seven million premature deaths per year. And all this pollution isn’t just affecting our lungs, says María Neira. An emerging field of research is shedding a light on the link between air pollution and our central nervous systems. The fine particulate matter in air pollution travels through our bloodstreams to our major organs, including the brain — which can slow down neurological development in kids and speed up cognitive decline in adults. In short: air pollution is making us less intelligent. We all have a role to play in curbing air pollution — and we can start by reducing traffic in cities, investing in clean energy and changing the way we consume.

Quote of the talk: “We need to exercise our rights and put pressure on politicians to make sure they will tackle the causes of air pollution. This is the first thing we need to do to protect our health and our beautiful brains.”


Tim Flannery, environmentalist, explorer and professor

Big idea: Seaweed could help us draw down atmospheric carbon and curb global warming.

How? You know the story: the blanket of CO2 above our heads is driving adverse climate changes and will continue to do so until we get it out of the air (a process known as “drawdown”). Tim Flannery thinks seaweed could help: it grows fast, is made out of productive, photosynthetic tissue and, when sunk more than a kilometer deep into the ocean, can lock up carbon long-term. If we cover nine percent of the ocean surface in seaweed farms, for instance, we could sequester the same amount of CO2 we currently put into the atmosphere. There’s still a lot to figure out, Flannery notes — like how growing seaweed at scale on the ocean surface will affect biodiversity down below — but the drawdown potential is too great to allow uncertainty to stymie progress.

Fun fact: Seaweed is the most ancient multicellular life known, with more genetic diversity than all other multicellular life combined.


Could cloud brightening help curb global warming? Kelly Wanser speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Kelly Wanser, geoengineering expert and executive director of SilverLining

Big idea: The practice of cloud brightening — seeding clouds with sea salt or other particulates to reflect sunshine back into space — could partially offset global warming, giving us crucial time while we figure out game-changing, long-term solutions.

How? Starting in 2020, new global regulations will require ships to cut emissions by 85 percent. This is a good thing, right? Not entirely, says Kelly Wanser. It turns out that when particulate emissions (like those from ships) mix with clouds, they make the clouds brighter — enabling them to reflect sunshine into space and temporarily cool our climate. (Think of it as the ibuprofen for our fevered climate.) Wanser’s team and others are coming up with experiments to see if “cloud brightening” proves safe and effective; some scientists believe increasing the atmosphere’s reflectivity by one or two percent could offset the two degrees Celsius of warming that has been forecast for Earth. As with other climate interventions, there’s much yet to learn, but the potential benefits make those efforts worth it.

An encouraging fact: The global community has rallied to pull off this kind of atmospheric intervention in the past, with the Montreal Protocol, which entered into force in 1989.


Nicola Jones, science journalist

Big idea: Noise in our oceans — from boat motors to seismic surveys — is an acute threat to underwater life. Unless we quiet down, we will irreparably damage marine ecosystems and may even drive some species to extinction.

How? We usually think of noise pollution as a problem in big cities on dry land. But ocean noise may be the culprit behind marine disruptions like whale strandings, fish kills and drops in plankton populations. Fortunately, compared to other climate change solutions, it’s relatively quick and easy to dial down our noise levels and keep our oceans quiet. Better ship propeller design, speed limits near harbors and quieter methods for oil and gas prospecting will all help humans restore peace and quiet to our neighbors in the sea.

Quote of the talk: “Sonar can be as loud as, or nearly as loud as, an underwater volcano. A supertanker can be as loud as the call of a blue whale.”


TED curator Chee Pearlman (left) speaks with architect Marwa Al-Sabouni at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Marwa Al-Sabouni, architect, interviewed by TED curator Chee Pearlman

Big idea: Architecture can exacerbate the social disruptions that lead to armed conflict.

How? Since the time of the French Mandate, officials in Syria have shrunk the communal spaces that traditionally united citizens of varying backgrounds. This contributed to a sense of alienation and rootlessness — a volatile cocktail that built conditions for unrest and, eventually, war. Marwa Al-Sabouni, a resident of Homs, Syria, saw firsthand how this unraveled social fabric helped reduce the city to rubble during the civil war. Now, she’s taking part in the city’s slow reconstruction — conducted by citizens with little or no government aid. As she explains in her book The Battle for Home, architects have the power (and the responsibility) to connect a city’s residents to a shared urban identity, rather than to opposing sectarian groups.

Quote of the talk: “Syria had a very unfortunate destiny, but it should be a lesson for the rest of the world: to take notice of how our cities are making us very alienated from each other, and from the place we used to call home.”


“Architecture is no longer a function or a machine for living. It also reflects the nature around us. It also reflects our soul and the spirit,” says Ma Yansong. He speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Ma Yansong, architect and artist

Big idea: By creating architecture that blends with nature, we can break free from the “matchbox” sameness of many city buildings.

How? Ma Yansong paints a vivid image of what happens when nature collides with architecture — from a pair of curvy skyscrapers that “dance” with each other to buildings that burst out of a village’s mountains like contour lines. Yansong embraces the shapes of nature — which never repeat themselves, he notes — and the randomness of hand-sketched designs, creating a kind of “emotional scenery.” When we think beyond the boxy geometry of modern cities, he says, the results can be breathtaking.

Quote of the talk: “Architecture is no longer a function or a machine for living. It also reflects the nature around us. It also reflects our soul and the spirit.”

TED: 10 years of TED Fellows: Notes from the Fellows Session of TEDSummit 2019

TED Fellows celebrate the 10-year anniversary of the program at TEDSummit: A Community Beyond Borders, July 22, 2019 in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

The event: TEDSummit 2019, Fellows Session, hosted by Shoham Arad and Lily Whitsitt

When and where: Monday, July 22, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Carl Joshua Ncube, Suzanne Lee, Sonaar Luthra, Jon Lowenstein, Alicia Eggert, Lauren Sallan, Laura Boykin

Opening: A quick, witty performance from Carl Joshua Ncube, one of Zimbabwe’s best-known comedians, who uses humor to approach culturally taboo topics from his home country.

Music: An opening from visual artist and cellist Paul Rucker of the hauntingly beautiful “Criminalization of Survival,” a piece he created to explore issues related to mass incarceration, racially motivated violence, police brutality and the impact of slavery in the US.

And a dynamic closing from hip-hop artist and filmmaker Blitz Bazawule and his band, who tells stories of the polyphonic African diaspora.

The talks in brief:

Laura Boykin, computational biologist at the University of Western Australia

Big idea: If we’re going to solve the world’s toughest challenges — like food scarcity for millions of people living in extreme poverty — science needs to be more diverse and inclusive. 

How? Collaborating with smallholder farmers in sub-Saharan Africa, Laura Boykin uses genomics and supercomputing to help control whiteflies and viruses, which cause devastation to cassava crops. Cassava is a staple food that feeds more than 500 million people in East Africa and 800 million people globally. Boykin’s work transforms farmers’ lives, taking them from being unable to feed their families to having enough crops to sell and enough income to thrive. 

Quote of the talk: “I never dreamt the best science I would ever do would be sitting on a blanket under a tree in East Africa, using the highest tech genomics gadgets. Our team imagined a world where farmers could detect crop viruses in three hours instead of six months — and then we did it.”


Lauren Sallan, paleobiologist at the University of Pennsylvania

Big idea: Paleontology is about so much more than dinosaurs.

How? The history of life on earth is rich, varied and … entirely too focused on dinosaurs, according to Lauren Sallan. The fossil record shows that earth has a dramatic past, with four mass extinctions occurring before dinosaurs even came along. From fish with fingers to galloping crocodiles and armored squid, the variety of life that has lived on our changing planet can teach us more about how we got here, and what the future holds, if we take the time to look.

Quote of the talk: “We have learned a lot about dinosaurs, but there’s so much left to learn from the other 99.9 percent of things that have ever lived, and that’s paleontology.”


“If we applied the same energy we currently do suppressing forms of life towards cultivating life, we’d turn the negative image of the urban jungle into one that literally embodies a thriving, living ecosystem,” says Suzanne Lee. She speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Suzanne Lee, designer, biofabricator

Big idea: What if we could grow bricks, furniture and even ready-made fabric for clothes?

How? Suzanne Lee is a fashion designer turned biofabrication pioneer who is part of a global community of innovators who are figuring how to grow their own materials. By utilizing living microbial organisms like bacteria and fungi, we can replace plastic, cement and other waste-generating materials with alternatives that can help reduce pollution.

Quote of the talk: “If we applied the same energy we currently do suppressing forms of life towards cultivating life, we’d turn the negative image of the urban jungle into one that literally embodies a thriving, living ecosystem.”


Sonaar Luthra, founder and CEO of Water Canary

Big idea: We need to get better at monitoring the world’s water supplies — and we need to do it fast.

How? Building a global weather service for water would help governments, businesses and communities manage 21st-century water risk. Sonaar Luthra’s company Water Canary aims to develop technologies that more efficiently monitor water quality and availability around the world, avoiding the unforecasted shortages that happen now. Businesses and governments must also invest more in water, he says, and the largest polluters and misusers of water must be held accountable.

Quote of the talk: “It is in the public interest to measure and to share everything we can discover and learn about the risks we face in water. Reality doesn’t exist until it’s measured. It doesn’t just take technology to measure it — it takes our collective will.”


Jon Lowenstein shares photos from the migrant journey in Latin America at TEDSummit: A Community Beyond Borders. July 22, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Jon Lowenstein, documentary photographer, filmmaker and visual artist

Big idea: We need to care about the humanity of migrants in order to understand the desperate journeys they’re making across borders.

How? For the past two decades, Jon Lowenstein has captured the experiences of undocumented Latin Americans living in the United States to show the real stories of the men and women who make up the largest transnational migration in world history. Lowenstein specializes in long-term, in-depth documentary explorations that confront power, poverty and violence. 

Quote of the talk: “With these photographs, I place you squarely in the middle of these moments and ask you to think about [the people in them] as if you knew them. This body of work is a historical document — a time capsule — that can teach us not only about migration, but about society and ourselves.”


Alicia Eggert’s art asks us to recognize where we are now as individuals and as a society, and to identify where we want to be in the future. She speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Alicia Eggert, interdisciplinary artist

Big idea: A brighter, more equitable future depends upon our ability to imagine it.  

How? Alicia Eggert creates art that explores how light travels across space and time, revealing the relationship between reality and possibility. Her work has been installed on rooftops in Philadelphia, bridges in Amsterdam and uninhabited islands in Maine. Like navigational signs, Eggert’s artwork asks us to recognize where we are now as individuals and as a society, to identify where we want to be in the future — and to imagine the routes we can take to get there.

Quote of the talk: “Signs often help to orient us in the world by telling us where we are now and what’s happening in the present moment. But they can also help us zoom out, shift our perspective and get a sense of the bigger picture.”

TED: Weaving Community: Notes from Session 1 of TEDSummit 2019

Hosts Bruno Giussani and Helen Walters open Session 1: Weaving Community on July 21, 2019, Edinburgh, Scotland. (Photo: Bret Hartman / TED)

The stage is set for TEDSummit 2019: A Community Beyond Borders! During the opening session, speakers and performers explored themes of competition, political engagement and longing — and celebrated the TED communities (representing 84 countries) gathered in Edinburgh, Scotland to forge TED’s next chapter.

The event: TEDSummit 2019, Session 1: Weaving Community, hosted by Bruno Giussani and Helen Walters

When and where: Sunday, July 21, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Pico Iyer, Jochen Wegner, Hajer Sharief, Mariana Lin, Carole Cadwalladr, Susan Cain with Min Kym

Opening: A warm Scottish welcome from raconteur Mackenzie Dalrymple

Music: Findlay Napier and Gillian Frame performing selections from The Ledger, a series of Scottish folk songs

The talks in brief:

“Seeming happiness can stand in the way of true joy even more than misery does,” says writer Pico Iyer. (Photo: Ryan Lash / TED)

Pico Iyer, novelist and nonfiction author

Big idea: The opposite of winning isn’t losing; it’s failing to see the larger picture.

Why? As a child in England, Iyer believed the point of competition was to win, to vanquish one’s opponent. Now, some 50 years later and a resident of Japan, he’s realized that competition can be “more like an act of love.” A few times a week, he plays ping-pong at his local health club. Games are played as doubles, and partners are changed every five minutes. As a result, nobody ends up winning — or losing — for long. Iyer has found liberation and wisdom in this approach. Just as in a choir, he says, “Your only job is to play your small part perfectly, to hit your notes with feeling and by so doing help to create a beautiful harmony that’s much greater than the sum of its parts.”

Quote of the talk: “Seeming happiness can stand in the way of true joy even more than misery does.”


Jochen Wegner, journalist and editor of Zeit Online

Big idea: The spectrum of belief is as multifaceted as humanity itself. As social media segments us according to our interests, and as algorithms deliver us increasingly homogenous content that reinforces our beliefs, we become resistant to any ideas — or even facts — that contradict our worldview. The more we sequester ourselves, the more divided we become. How can we learn to bridge our differences?

How? Inspired by research showing that one-on-one conversations are a powerful tool for helping people learn to trust each other, Zeit Online built Germany Talks, a “Tinder for politics” that facilitates “political arguments” and face-to-face meetings between users in an attempt to bridge their points-of-view on issues ranging from immigration to same-sex marriage. With Germany Talks (and now My Country Talks and Europe Talks) Zeit has facilitated conversations between thousands of Europeans from 33 countries.

Quote of the talk: “What matters here is not the numbers, obviously. What matters here is whenever two people meet to talk in person for hours, without anyone else listening, they change — and so do our societies. They change, little by little, discussion by discussion.”


“The systems we have nowadays for political decision-making are not from the people for the people — they have been established by the few, for the few,” says activist Hajer Sharief. She speaks at TEDSummit: A Community Beyond Borders, July 21, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Hajer Sharief, activist and cofounder of the Together We Build It Foundation

Big Idea: People of all genders, ages, races, beliefs and socioeconomic statuses should participate in politics.

Why? Hajer Sharief’s native Libya is recovering from 40 years of authoritarian rule and civil war. She sheds light on the way politics are involved in every aspect of life: “By not participating in it, you are literally allowing other people to decide what you can eat, wear, if you can have access to healthcare, free education, how much tax you pay, when can you retire, what is your pension,” she says. “Other people are also deciding whether your race is enough to consider you a criminal, or if your religion or nationality are enough to put you on a terrorist list.” When Sharief was growing up, her family held weekly meetings to discuss family issues, abiding by certain rules to ensure everyone was respectful and felt free to voice their thoughts. She recounts a meeting that went badly for her 10-year-old self, resulting in her boycotting them altogether for many years — until an issue came about which forced her to participate again. Rejoining the meetings was a political assertion, and it helped her realize an important lesson: you are never too young to use your voice — but you need to be present for it to work.

Quote of the talk: “Politics is not only activism — it’s awareness, it’s keeping ourselves informed, it’s caring for facts. When it’s possible, it is casting a vote. Politics is the tool through which we structure ourselves as groups and societies.”


Mariana Lin, AI character designer and principal writer for Siri

Big idea: Let’s inject AI personalities with the essence of life: creativity, weirdness, curiosity, fun.

Why? Tech companies are going in two different directions when it comes to creating AI personas: they’re either building systems that are safe, flat, stripped of quirks and humor — or, worse, they’re building ones that are fully customizable, programmed to say just what you want to hear, just how you like to hear it. While this might sound nice at first, we’re losing part of what makes us human in the process: the friction and discomfort of relating with others, the hard work of building trusting relationships. Mariana Lin calls for tech companies to try harder to truly bring AI to life — in all its messy, complicated, uncomfortable glory. For starters, she says, companies can hire a diverse range of writers, creatives, artists and social thinkers to work on AI teams. If the people creating these personalities are as diverse as the people using them — from poets and philosophers to bankers and beekeepers — then the future of AI looks bright.

Quote of the talk: “If we do away with the discomfort of relating with others not exactly like us, with views not exactly like ours — we do away with what makes us human.”


In 2018, Carole Cadwalladr exposed Cambridge Analytica’s attempt to influence the UK Brexit vote and the 2016 US presidential election via personal data on Facebook. She’s still working to sound the alarm. She speaks at TEDSummit: A Community Beyond Borders, July 21, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Carole Cadwalladr, investigative journalist, interviewed by TED curator Bruno Giussani

Big idea: Companies that collect and hoard our information, like Facebook, have become unthinkably powerful global players — perhaps more powerful than governments. It’s time for the public to hold them accountable.

How? Tech companies with offices in different countries must obey the laws of those nations. It’s up to leaders to make sure those laws are enforced — and it’s up to citizens to pressure lawmakers to further tighten protections. Despite legal and personal threats from her adversaries, Carole Cadwalladr continues to explore the ways in which corporations and politicians manipulate data to consolidate their power.

Quote to remember: “In Britain, Brexit is this thing which is reported on as this British phenomenon, that’s all about what’s happening in Westminster. The fact that actually we are part of something which is happening globally — this rise of populism and authoritarianism — that’s just completely overlooked. These transatlantic links between what is going on in Trump’s America are very, very closely linked to what is going on in Britain.”


Susan Cain meditates on how the feeling of longing can guide us to a deeper understanding of ourselves, accompanied by Min Kym on violin, at TEDSummit: A Community Beyond Borders. July 21, 2019, Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Susan Cain, quiet revolutionary, with violinist Min Kym

Big idea: Life is steeped in sublime magic that you can tap into, opening a whole world filled with passion and delight.

How? By forgoing constant positivity for a state of mind more exquisite and fleeting — a place where light (joy) and darkness (sorrow) meet, known to us all as longing. Susan Cain weaves her journey in search for the sublime with the splendid sounds of Min Kym on violin, sharing how the feeling of yearning connects us to each other and helps us to better understand what moves us deep down.

Quote of the talk: “Follow your longing where it’s telling you to go, and may it carry you straight to the beating heart of the perfect and beautiful world.”

Krebs on Security: The Unsexy Threat to Election Security

Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.

California has a civil grand jury system designed to serve as independent oversight of local government functions, and each county impanels jurors to perform this service annually. On Wednesday, a grand jury from San Mateo County in northern California released a report which envisions the havoc that might be wrought on the election process if malicious hackers were able to hijack social media and/or email accounts and disseminate false voting instructions or phony election results.

“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public,” the report reads.

“Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report continues. “Alternatively, imagine that a hacker hijacks the County’s elections website before an election and circulates false voting instructions designed to frustrate the efforts of some voters to participate in the election. In that case, the interference could affect the election outcome, or at least call the results into question.”

In San Mateo County, the office of the Assessor-County Clerk-Recorder and Elections (ACRE) is responsible for carrying out elections and announcing local results. The ACRE sends election information to some 43,000 registered voters who’ve subscribed to receive sample ballots and voter information, and its Web site publishes voter eligibility information along with instructions on how and where to cast ballots.

The report notes that concerns about the security of these channels are hardly theoretical: In 2010, intruders hijacked ACRE’s election results Web page, and in 2016, cyber thieves successfully breached several county employee email accounts in a spear-phishing attack.

In the wake of the 2016 attack, San Mateo County instituted two-factor authentication for its email accounts — requiring each user to log in with a password and a one-time code sent via text message to their mobile device. However, the county uses its own Twitter, Facebook, Instagram and YouTube accounts to share election information, and these accounts are not currently secured by two-factor authentication, the report found.

“The Grand Jury finds that the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure.”

The jury recommended the county take full advantage of the most secure form of two-factor authentication now offered by all of these social media platforms: a FIDO physical security key, a small hardware device that lets the user complete the login simply by inserting it into a USB port and pressing a button. The key works without any special software drivers. [Full disclosure: Yubico, a major manufacturer of security keys, is currently an advertiser on this site.]

Additionally, the report urges election officials to migrate away from one-time codes sent via text message, as these can be intercepted via man-in-the-middle (MitM) and SIM-swapping attacks. In the MitM case, a counterfeit login page collects the victim’s password and one-time code and relays them to the real site before the code expires, so the code adds no protection against an attacker who is phishing in real time. A security key resists this because the browser binds each login assertion to the site it was actually made on, and the real site rejects an assertion made for the counterfeit one.
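As an added worked example of that distinction (written for this page, not taken from the grand jury report or from any FIDO library), the model below runs the same relaying counterfeit page against both second factors. The election site, the look-alike hostname and the user “clerk” are hypothetical; an HMAC over a secret shared at enrolment stands in for the security key’s key pair and the site’s stored public key; and the WebAuthn structures are reduced to the fields that matter here: the challenge, the origin the browser writes into clientDataJSON, and the rpIdHash in the authenticator data.

```python
# Toy model (added for this page): a texted code that a counterfeit page can relay
# versus a FIDO/WebAuthn assertion bound to the page origin. HMAC with a per-site
# secret stands in for the security key's key pair; hostnames are hypothetical.
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://vote.example.gov"             # hypothetical election site
REAL_RP_ID = "vote.example.gov"                      # its WebAuthn relying-party ID
PHISH_ORIGIN = "https://vote.example-gov-login.net"  # hypothetical counterfeit login page


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class OtpServer:
    """Password plus a six-digit code texted to the user's phone."""
    def __init__(self):
        self.pending = {}

    def start_login(self, user: str) -> str:
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[user]  # stands in for the SMS; the victim types it wherever asked

    def finish_login(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending.pop(user, ""), code)


class FidoServer:
    """Relying party verifying a WebAuthn-style assertion."""
    def __init__(self, origin: str, rp_id: str):
        self.origin, self.rp_id = origin, rp_id
        self.credentials, self.challenges = {}, {}   # user -> enrolled key / outstanding challenge

    def start_login(self, user: str) -> str:
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]

    def finish_login(self, user, client_data_json: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.challenges.pop(user, None):
            return False
        if cd.get("origin") != self.origin:                # origin binding: the phishing-resistance check
            return False
        if auth_data[:32] != sha256(self.rp_id.encode()):  # rpIdHash must be ours as well
            return False
        expected = hmac.new(self.credentials[user], auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


class SecurityKey:
    """Holds one credential per relying-party ID and only ever sees hashes, never the page."""
    def __init__(self):
        self.keys = {}

    def make_credential(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def sign(self, rp_id: str, client_data_hash: bytes):
        auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash, flags, counter
        return auth_data, hmac.new(self.keys[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(key: SecurityKey, page_origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get() as the browser performs it: the browser, not the page,
    writes the origin into clientDataJSON and refuses rp_ids the page's host is not under."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not request credentials for {rp_id}")
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                   "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = key.sign(rp_id, sha256(client_data_json))
    return client_data_json, auth_data, sig


def relay_attack_on_otp() -> bool:
    """Counterfeit page forwards the stolen password, then the texted code, in real time."""
    server = OtpServer()
    code = server.start_login("clerk")         # genuine login started by the phish page
    return server.finish_login("clerk", code)  # victim typed the code into the phish page; relayed


def _fido_setup():
    server, key = FidoServer(REAL_ORIGIN, REAL_RP_ID), SecurityKey()
    server.credentials["clerk"] = key.make_credential(REAL_RP_ID)   # enrolment
    return server, key, server.start_login("clerk")


def relay_attack_on_fido() -> bool:
    """Same relay against a security key: the phish page holds a genuine challenge."""
    server, key, challenge = _fido_setup()
    try:
        assertion = browser_get_assertion(key, PHISH_ORIGIN, REAL_RP_ID, challenge)
    except PermissionError:
        return False   # browser refuses: the phish host is not under the rp_id
    return server.finish_login("clerk", *assertion)


def legitimate_fido_login() -> bool:
    server, key, challenge = _fido_setup()
    return server.finish_login("clerk", *browser_get_assertion(key, REAL_ORIGIN, REAL_RP_ID, challenge))
```

The texted code passes because nothing ties it to the page it was typed into. The assertion fails before the real site ever sees it: the browser only requests a credential for a relying-party ID that its current origin sits under, and even if the counterfeit page could coax out some assertion, it would carry the wrong origin and the wrong rpIdHash for the server’s checks.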

An unauthorized SIM swap is an increasingly rampant form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Samy Tarazi is a sergeant with the sheriff’s office in nearby Santa Clara County and a supervisor with the REACT Task Force, a team of law enforcement officers that has been tracking down individuals perpetrating SIM swapping attacks. Tarazi said he fully expects SIM swapping to emerge as a real threat to state and local election workers, as well as to staff and volunteers working for candidates.

“I wouldn’t be surprised if some major candidate or their staff has an email or social media account with tons of important stuff on there [whose password] can be reset with just a text message,” Tarazi told KrebsOnSecurity. “I hope that doesn’t happen, but politicians are regular people who use the same tools we use.”

A copy of the San Mateo County grand jury report is available here (PDF).

Planet Debian: Jonathan Dowland: Beatrice Dowland

My second daughter, Beatrice Dowland, was born in the last week or so; we are all healthy and happy (but tired). I'm taking most of August off from work (and similar activities). See you soon!

(previously)

Cryptogram: Software Developers and Security

According to a survey: "68% of the security professionals surveyed believe it's a programmer's job to write secure code, but they also think less than half of developers can spot security holes." And that's a problem.

Nearly half of security pros surveyed, 49%, said they struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle. Roughly half of security professionals said they most often found bugs after code is merged in a test environment.

At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, "It's a mess, no standardization, most of my work has never had a security scan."

Another problem is it seems many companies don't take security seriously enough. Nearly 44% of those surveyed reported that they're not judged on their security vulnerabilities.

Worse Than Failure: CodeSOD: Null Thought

These days, it almost seems like most of the developers writing code for the Java Virtual Machine aren’t doing it in Java. It’s honestly an interesting thing for programming language development, as more and more folks put together languages with fundamentally different principles from Java that still work on the JVM.

Like Kotlin. Kotlin blends functional programming styles with object-oriented principles and syntactic features built around writing more compact, concise code than equivalent Java. And it isn’t even limited to the JVM: it can compile to JavaScript or, via Kotlin/Native, to LLVM.

And since you can write bad code in any language, you can write bad code in Kotlin. Keith inherited a Kotlin-developed Android app.

In Kotlin, if you wanted to execute some code specifically if a previous step failed, you might use a try/catch exception handler. It’s built into Kotlin. But maybe you want to do some sort of error handling in your pipeline of function calls. So maybe you want something which looks more like:

response.code
    .wasSuccess()
    .takeIf { !it }                 // keep the result only when it is false
    ?.run { doErrorThing(this) }    // inside run the value is this, not it

wasSuccess in this example returns a boolean. takeIf returns its receiver when the predicate holds and null otherwise, so a false result is passed along and a true result becomes null; the ?. is Kotlin’s safe-call operator, which skips the run call when the value is null.

Kotlin has a weird relationship with nulls, and unless you’re explicit about where you expect nulls, it is going to complain at you. Which is why Keith got annoyed at this block:

/**
 * Handles error and returns NULL if an error was found, true if everything was good
 */
inline fun Int.wasSuccessOrNull() : Boolean? {
    return if (handleConnectionErrors(this))
        null
    else
        true
}

/**
 * Return true if any connection issues were found, false if everything okay
 */
fun handleConnectionErrors(errorCode: Int) : Boolean {
    return when (errorCode)
    {
        Error.EXPIRED_TOKEN -> { requiresSignIn.value = true; true }
        Error.NO_CONNECTION -> { connectionIssue.value = true; true }
        Error.INACTIVE_ACCOUNT -> { inactiveAccountIssue.value = true; true }
        Error.BAD_GATEWAY -> { badGatewayIssue.value = true; true }
        Error.SERVICE_UNAVAILABLE -> { badGatewayIssue.value = true; true }
        else -> {
            if (badGatewayIssue.value == true) {
                badGatewayIssue.value = false
            }
            noErrors.value = true
            false
        }
    }
}

wasSuccessOrNull returns true, if the status code is successful, otherwise it returns… null? Why a null? Just so that a nullable ?.run… call can be used? It’s a weird choice. If we’re just going to return non-true/false values from our boolean methods, there are other options we could use.

But honestly, handleConnectionErrors, which it calls, is even more worrisome. If an error did occur, this causes a side effect. Each error condition sets a variable outside of the scope of this function. Presumably these are class members, but who knows? It could just as easily be globals.

If the error code isn’t an error, we explicitly clear the badGatewayIssue, but we don’t clear any of the other errors. Presumably that does happen, somewhere, but again, who knows? This is the kind of code where trying to guess at what works and what doesn’t is a bad idea.



Planet Debian: Jose M. Calhariz: at daemon 3.2.0

There is a new version of at daemon, 3.2.0. Some new features were implemented, hence the bump of the minor version.

You can download the source and the signature from http://software.calhariz.com/at/

The changelog:

at 3.2.0 (2019-07-24):
  Jose M Calhariz
        Print time of new job before the input of the commands, Closes #863045
        Do not drop seconds on -t option, Closes #792040
        Start using nice levels from 0 instead of 2. Closes #519716
        Correctly handle DST when specifying a UTC time. Closes #364975
  Gerhard Poul:
        Add flag to send email to other user. MR 5

Krebs on Security: Neo-Nazi SWATters Target Dozens of Journalists

Nearly three dozen journalists at a broad range of major publications have been targeted by a far-right group that maintains a Deep Web database listing the personal information of people who threaten their views. This group specializes in encouraging others to harass those targeted by their ire, and has claimed responsibility for dozens of bomb threats and “swatting” incidents, where police are tricked into visiting potentially deadly force on the target’s address.

At issue is a site called the “Doxbin,” which hosts the names, addresses, phone number and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family.

A significant number of the 400+ entries on the Doxbin are for journalists (32 at last count, including Yours Truly), although the curators of Doxbin have targeted everyone from federal judges to executives at major corporations. In January 2019, the group behind Doxbin claimed responsibility for doxing and swatting a top Facebook executive.

At least two of the journalists listed on the Doxbin have been swatted in the past six months, including Pulitzer prize winning columnist Leonard G. Pitts Jr.

In some cases, as in the entries for reporters from CNN, Politico, ProPublica and Vox, no reason is mentioned for their inclusion. But in many others, the explanation seems connected to stories the journalist has published dealing with race or the anti-fascist (antifa) movement.

“Anti-white race/politics writer,” reads the note next to Pitts’ entry in the Doxbin.

Many of those listed on the site soon find themselves on the receiving end of extended threats and harassment. Carey Holzman, a computer technician who runs a YouTube channel on repairing and modding computers, was swatted in January, at about the same time his personal information showed up on the Doxbin.

More recently, his tormentors started calling his mobile phone at all hours of the night, threatening to hire a hit man to kill him. They even promised to have drugs ordered off the Dark Web and sent to his home, as part of a plan to get him arrested for drug possession.

“They said they were going to send me three grams of cocaine,” Holzman told KrebsOnSecurity.

Sure enough, earlier this month a small vial of white powder arrived via the U.S. Postal Service. Holzman said he didn’t open the vial, but instead handed it over to the local police for testing.

On the bright side, Holzman said, he is now on a first-name basis with some of the local police, which isn’t a bad idea for anyone who is being threatened with swatting attacks.

“When I told one officer who came out to my house that they threatened to send me drugs, he said ‘Okay, well just let me know when the cocaine arrives,'” Holzman recalled. “It was pretty funny because the other responding officer approached us and only caught the last thing his partner said, and suddenly looked at the other officer with deadly seriousness.”

The Doxbin is tied to an open IRC chat channel in which the core members discuss alt-right and racist tropes, doxing and swatting people, and posting videos or audio news recordings of their attacks.

The individual who appears to maintain the Doxbin is a fixture of this IRC channel, and he’s stated that he also was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason.

Mason’s various written works call on followers to start a violent race war in the United States. Those works have become the de facto bible for the Atomwaffen Division, an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Courtney Radsch, advocacy director at the nonprofit Committee to Protect Journalists, said lists that single out journalists for harassment unfortunately are not uncommon.

“We saw in the Ukraine, for example, there were lists of journalists compiled that led to harassment and threats against reporters there,” Radsch said. “We saw it in Malta where there were reports that the prime minister was part of a secret Facebook group used to coordinate harassment campaigns against a journalist who was later murdered. And we’ve seen the American government — the Customs and Border Protection — compiling lists of reporters and activists who’ve been singled out for questioning.”

Radsch said when CPJ became aware that the personal information of several journalists were listed on a doxing site, they reached out and provided information on relevant safety resources.

“It does seem that some of these campaigns by extremist groups are being coordinated in secret chat groups or dark web forums, where they can talk about the messaging before they bring it out into the public sphere,” she said.

In some ways, the Doxbin represents a far more extreme version of Exposed[.]su, a site erected briefly in 2013 by a gang of online hoodlums that doxed and swatted celebrities and public figures. The core members of that group were later arrested and charged with various crimes — including numerous swatting attacks.

One of the men in that group — convicted serial swatter and stalker Mir Islam — was arrested last year in the Philippines and charged with murder after he and an associate allegedly dumped the body of a friend in a local river.

Swatting attacks can quickly turn deadly. In March 2019, 26-year-old serial swatter Tyler Barriss was sentenced to 20 years in prison for making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident.

My hope is that law enforcement officials can shut down this Doxbin gang before someone else gets killed.

Sociological ImagesHappy Birthday, SocImages!

This month, Sociological Images turns twelve! It has been a busy year with some big changes backstage, so today I’m rounding up a dozen of our top posts as we look forward to a new academic year.

The biggest news is that the blog has a new home. It still lives on my computer (and The Society Pages’ network), but that home has moved east as I start as an assistant professor at UMass Boston Sociology. It’s a great department with wonderful colleagues who share a commitment to publicly-oriented scholarship, and I am excited to see what we can build in Boston! 

This year, readers loved the recent discovery that many of the players on the US Women’s National Team were sociology majors and a look at the sociology of streetwear. We covered high-class hoaxes in the wake of the Fyre Festival documentaries, looked at who gets to win board games on TV, and followed the spooky side of science for the 200th anniversary of Frankenstein. Gender reveal parties were literally booming, unfortunately.

We also had a bunch of stellar guest posts this year, tackling all kinds of big questions like why people freaked out about fast food at the White House, why Green Book was a weird Oscar win, why people sometimes collect racist memorabilia, and why we often avoid reading the news. My personal favorites included a research roundup on women’s expertise and a look at the boom in bisexual identification in the United States. Please keep sending in guest posts! I want to feature your work. Guidelines are here, and you can always reach out via email or Twitter DM.

Finally, big thanks to all of you who read the blog actively, pass along posts to friends and family, and bring it into your classes. We keep this blog running on a zero-dollar budget, Creative Commons licensing, and a heavy dose of the sociological imagination that comes with your support. Happy reading!

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston (Fall, 2019). You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

Planet DebianHideki Yamane: mmdebstrap is a nice tool, but the newest debootstrap is not so bad :)

mmdebstrap is fast because it uses apt for package dependency resolution and download. Yeah, it's true, almost right - but I guess most of the reason for "fast" is just the "downloading packages" part.

debootstrap uses wget to download packages, and it runs serially, so it waits for each download to finish; mmdebstrap (via apt) does not. If you use the "--cache-dir" option for debootstrap, execution time is almost the same.

$ time sudo mmdebstrap unstable unstable-chroot
(snip)
real 2m58.670s
user 0m23.559s
sys 0m26.387s

$ time sudo debootstrap sid sid
(snip)
real 7m22.955s
user 0m57.450s
sys 0m37.894s
$ time sudo debootstrap --cache-dir=/home/henrich/tmp/cache sid sid
(snip)
real 2m44.752s
user 0m54.504s
sys 0m33.666s

Anyway, I should consider a "--use-apt" option or something for debootstrap - for a future release :)

Worse Than FailureCodeSOD: A Long Conversion

Let’s talk a little bit about .NET’s TryParse method. Many types, especially the built-in numerics, support it, alongside Parse. The key difference between Parse and TryParse is that TryParse bakes the exception handling logic in: instead of using exceptions to tell you whether it can parse or not, it returns a boolean value.

If, for example, you wanted to take an input, and either store it as an integer in a database, or store a null, you might do something like this:

int result;
if (int.TryParse(data, out result)) {
  rowData[column] = result;
} else {
  rowData[column] = DBNull.Value;
}

There are certainly better, cleaner ways to handle this. Russell F. has a co-worker that has a much uglier way to handle this.

private void BuildIntColumns(string data, DataRow rowData, int startIndex, int length, string columnName, FileInfo file, string tableName)
{
    if (data.Trim().Length > startIndex)
    {
        try
        {
            int resultOut;

            if (data.Substring(startIndex, length).Trim() == "" || string.IsNullOrEmpty(data.Substring(startIndex, length).Trim()))
            {
                rowData[columnName] = DBNull.Value;
            }
            else if (int.TryParse(data.Substring(startIndex, length).Trim(), out resultOut) == false)
            {
                rowData[columnName] = DBNull.Value;
            }
            else
            {
                rowData[columnName] = Convert.ToInt32(data.Substring(startIndex, length).Trim());
            }
        }
        catch (Exception e)
        {
            rowData[columnName] = DBNull.Value;
            SaveErrorData(file, data, e.Message, tableName);
        }
    }
}

private void BuildLongColumns(string data, DataRow rowData, int startIndex, int length, string columnName, FileInfo file, string tableName)
{
    if (data.Trim().Length > startIndex)
    {
        try
        {
            int resultOut;

            if (data.Substring(startIndex, length).Trim() == "" || string.IsNullOrEmpty(data.Substring(startIndex, length).Trim()))
            {
                rowData[columnName] = DBNull.Value;
            }
            else if (int.TryParse(data.Substring(startIndex, length).Trim(), out resultOut) == false)
            {
                rowData[columnName] = DBNull.Value;
            }
            else
            {
                rowData[columnName] = Convert.ToInt64(data.Substring(startIndex, length).Trim());
            }
        }
        catch (Exception e)
        {
            rowData[columnName] = DBNull.Value;
            SaveErrorData(file, data, e.Message, tableName);
        }
    }
}

Here’s a case where the developer knows that methods like int.TryParse and string.IsNullOrEmpty exist, but doesn’t understand them. More worrying, every operation has to be on a Substring for some reason, which implies that they’re processing strings which contain multiple fields of data. Presumably that means there’s a mainframe with fixed-width records someplace in the backend, but certainly splitting while converting is bad practice.

For bonus points, compare BuildIntColumns with BuildLongColumns. There’s an extremely subtle bug in BuildLongColumns: specifically, they still do an int.TryParse, but this isn’t an int, it’s a long. If you actually tried to feed it a long integer (anything outside the int range), it would consider it invalid and store DBNull.Value.

Russell adds: “I found this in an old file – no clue who wrote it or how it came to exist (I guess I could go through the commit logs, but that sounds like a lot of work).”
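What the two methods should have looked like, as an added example that is not from the article or from Russell’s code base: field extraction is separated from conversion, the TryParse call matches the column type (long.TryParse for the 64-bit column), and a record that is shorter than the field no longer throws into the catch-all. The record layout (Id in columns 0-4, BytesSent in columns 5-16) is a constructed assumption for the demo.

```csharp
// Added example, not the code from the article. The fixed-width layout used
// in Main is constructed for illustration only.
using System;
using System.Data;
using System.Globalization;

public static class FixedWidthColumns
{
    // Cut one field out of a fixed-width record. Returns null when the record
    // is too short to contain the field or the field is blank; the original
    // code would throw ArgumentOutOfRangeException on a short record and hide
    // it behind the generic catch.
    public static string ExtractField(string record, int startIndex, int length)
    {
        if (record == null || record.Length <= startIndex)
            return null;
        int available = Math.Min(length, record.Length - startIndex);
        string text = record.Substring(startIndex, available).Trim();
        return text.Length == 0 ? null : text;
    }

    // 32-bit column: one type-matched TryParse, no second conversion afterwards.
    public static bool SetIntColumn(DataRow row, string columnName, string record, int startIndex, int length)
    {
        string text = ExtractField(record, startIndex, length);
        if (text != null &&
            int.TryParse(text, NumberStyles.AllowLeadingSign, CultureInfo.InvariantCulture, out int value))
        {
            row[columnName] = value;
            return true;
        }
        row[columnName] = DBNull.Value;   // blank, truncated, non-numeric or out of int range
        return false;
    }

    // 64-bit column: long.TryParse accepts values such as 3000000000 that
    // int.TryParse rejects, which is exactly the bug in BuildLongColumns.
    public static bool SetLongColumn(DataRow row, string columnName, string record, int startIndex, int length)
    {
        string text = ExtractField(record, startIndex, length);
        if (text != null &&
            long.TryParse(text, NumberStyles.AllowLeadingSign, CultureInfo.InvariantCulture, out long value))
        {
            row[columnName] = value;
            return true;
        }
        row[columnName] = DBNull.Value;   // blank, truncated, non-numeric or out of long range
        return false;
    }

    public static void Main()
    {
        var table = new DataTable();
        table.Columns.Add("Id", typeof(int));
        table.Columns.Add("BytesSent", typeof(long));

        // Constructed sample record: Id occupies columns 0-4, BytesSent columns 5-16.
        string record = "00042  3000000000";
        DataRow row = table.NewRow();

        bool idOk = SetIntColumn(row, "Id", record, 0, 5);
        bool bytesOk = SetLongColumn(row, "BytesSent", record, 5, 12);
        Console.WriteLine($"Id parsed: {idOk}, stored: {row["Id"]}");
        Console.WriteLine($"BytesSent parsed: {bytesOk}, stored: {row["BytesSent"]}");

        // The value above is larger than int.MaxValue, so the original
        // BuildLongColumns would have stored DBNull for it.
        Console.WriteLine($"int.TryParse accepts it: {int.TryParse("3000000000", out _)}");

        // A record shorter than the field yields DBNull instead of an exception.
        DataRow shortRow = table.NewRow();
        Console.WriteLine($"Short record parsed: {SetLongColumn(shortRow, "BytesSent", "00042", 5, 12)}");
    }
}
```

Returning a bool from each setter lets the caller log which field of which record was rejected, which the original code could only do for exceptions; a silently stored DBNull for an out-of-range value is a data-integrity problem that no one notices until a report disagrees with the source file.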


Planet DebianElana Hashman: How to grant (Tom Marble) Debian Maintainer access

I run the Debian Clojure Team, which means that occasionally folks volunteer to help out with Clojure packaging. This is awesome! Since I'm lazy, I don't want to have to sponsor every package upload for folks who have proven their aptitude at packaging. Hence, sometimes I need to grant Debian Maintainers upload access to team packages.

Folks typically point at this email as documentation of how to grant DM access on packages. However, I have zero desire to hand-craft artisanal dak commands. So, I try to leverage some existing tools I already have installed on my system to help me out—namely, the dcut tool from the dput-ng package.

The commands

Tom Marble wanted DM access to the libjava-jdbc-clojure package, after I suggested he try doing a new version upload for it. I previously gave him DM access to maintain shimdandy and com-hypirion-io-clojure. But I couldn't remember exactly how I did it...

According to the dcut manpage, this should be as simple as running

dcut dm --uid "Tom Marble" --allow libjava-jdbc-clojure

However, there is a slight problem: I don't normally run dput (or dcut) on a machine with my Debian key present, since I keep my only copy on my laptop. For various reasons (mostly related to inertia, external monitors, and wifi drivers), I run Linux Mint on my laptop, and the version of dcut available there doesn't actually work properly, so I can't just run dcut locally...

What to do about this?

It turns out that there is an undocumented flag, -S or --save, that will save the generated commands locally.

dcut -s -S dm --uid "Tom Marble" --allow libjava-jdbc-clojure

The -s flag, or --simulate, ensures that we don't try to upload the file to the archive just yet. This will produce a file in the current directory with a name similar to ehashman-1564016122.dak-commands. Take a look:

ehashman@corn-syrup:~$ cat ehashman-1564016122.dak-commands

Archive: ftp.upload.debian.org
Uploader: Elana Hashman <ehashman@debian.org>

Action: dm
Fingerprint: 884A52C4AC8ABB931D158FA840BFEE868B055D9A
Allow: libjava-jdbc-clojure

Now is a good time to verify that the key fingerprint and the package name are correct. You can then sign this file:

gpg --sign --armour --clearsign ehashman-1564016122.dak-commands

And use dcut to upload it:

dcut upload -f ehashman-1564016122.dak-commands

Once the file has been processed, check the FTP Master DM log to make sure your DM changes have been set correctly.

See you on the next episode of "me creating problems for myself with scary Debian tools" 👋


Planet DebianAigars Mahinovs: Debconf 19 photos

The main feed for my photos from Debconf 19 in Curitiba, Brazil is currently in my GPhoto album. I will later also sync it to Debconf git share.

The first batch is up, but now the hardest part comes - the group photo will be happening a bit later today :)

Update: the group photo is ready! The smaller version is in the GPhoto album, but full version is linked from DebConf/19/Photos

Update 2: The day trip photos are up, and the photos are also in the Debconf Git LFS share.

Planet DebianMolly de Blanc: Free software activities (June 2019)

I know this is almost a month late, but I am sharing it nonetheless. My June was dominated by my professional and personal life, leaving little time for expansive free software activities. I’ll write a little more in my OSI report for June.

A photo of a multi-use path with trees in the background. There is a short pole in the foreground with a "Catuion Newt Crossing."

Activities (Personal)

  • The biggest thing I did was head over to the Other Cambridge (a.k.a. Cambridge Prime, a.k.a. Cambridge, UK) for a Debian sprint with the Debian Project Leader, Debian Account Managers, and Debian Anti-Harassment team.
  • We had some Anti-Harassment meetings.
  • We had some Outreach meetings.
  • I helped both teams prep for DebConf.

Activities (Professional)

  • Worked on organizing sponsorships for GUADEC. If you’re interested in attending or sponsoring GUADEC, I highly recommend it!
  • Wrote profiles of members of the GNOME community for the GNOME Engagement blog. I also wrote a newsletter for Friends of GNOME. You can see both online.
  • Attended Diversity & Inclusion team meetings, participated in the Engagement team discussions, and spoke with several GUADEC organizers.

TEDA new mission to mobilize 2 million women in US politics … and more TED news

TED2019 may be past, but the TED community is busy as ever. Below, a few highlights.

Amplifying 2 million women across the U.S. Activist Ai-jen Poo, Black Lives Matter co-founder Alicia Garza and Planned Parenthood past president Cecile Richards have joined forces to launch Supermajority, which aims to train 2 million women in the United States to become activists and political leaders. To scale, the political hub plans to partner with local nonprofits across the country; as a first step, the co-founders will embark on a nationwide listening tour this summer. (Watch Poo’s, Garza’s and Richards’ TED Talks.)

Sneaker reseller set to break billion-dollar record. Sneakerheads, rejoice! StockX, the sneaker-reselling digital marketplace led by data expert Josh Luber, will soon become the first company of its kind with a billion-dollar valuation, thanks to a new round of venture funding.  StockX — a platform where collectible and limited-edition sneakers are bought and exchanged through real-time bidding — is an evolution of Campless, Luber’s site that collected data on rare sneakers. In an interview with The New York Times, Luber said that StockX pulls in around $2 million in gross sales every day. (Watch Luber’s TED Talk.)

A move to protect iconic African-American photo archives. Investment expert Mellody Hobson and her husband, filmmaker George Lucas, filed a motion to acquire the rich photo archives of iconic African-American lifestyle magazines Ebony and Jet. The archives are owned by the recently bankrupt Johnson Publishing Company; Hobson and Lucas intend to gain control over them through their company, Capital Holdings V. The collections include over 5 million photos of notable events and people in African American history, particularly during the Civil Rights Movement. In a statement, Capital Holdings V said: “The Johnson Publishing archives are an essential part of American history and have been critical in telling the extraordinary stories of African-American culture for decades. We want to be sure the archives are protected for generations to come.” (Watch Hobson’s TED Talk.)

10 TED speakers chosen for the TIME100. TIME’s annual round-up of the 100 most influential people in the world includes climate activist Greta Thunberg, primatologist and environmentalist Jane Goodall, astrophysicist Sheperd Doeleman and educational entrepreneur Fred Swaniker — also Nancy Pelosi, the Pope, Leana Wen, Michelle Obama, Gayle King (who interviewed Serena Williams and now co-hosts CBS This Morning, home to a TED segment), and Jeanne Gang. Thunberg was honored for her work igniting climate change activism among teenagers across the world; Goodall for her extraordinary life work of research into the natural world and her steadfast environmentalism; Doeleman for his contribution to the Harvard team of astronomers who took the first photo of a black hole; and Swaniker for the work he’s done to educate and cultivate the next generation of African leaders. Bonus: TIME100 luminaries are introduced in short, sharp essays, and this year many of them came from TEDsters including JR, Shonda Rhimes, Bill Gates, Jennifer Doudna, Dolores Huerta, Hans Ulrich Obrest, Tarana Burke, Kai-Fu Lee, Ian Bremmer, Stacey Abrams, Madeleine Albright, Anna Deavere Smith and Margarethe Vestager. (Watch Thunberg’s, Goodall’s, Doeleman’s, Pelosi’s, Pope Francis’, Wen’s, Obama’s, King’s, Gang’s and Swaniker’s TED Talks.)

Meet Sports Illustrated’s first hijab-wearing model. Model and activist Halima Aden will be the first hijab-wearing model featured in Sports Illustrated’s annual swimsuit issue, debuting May 8. Aden will wear two custom burkinis, modestly designed swimsuits. “Being in Sports Illustrated is so much bigger than me,” Aden said in a statement, “It’s sending a message to my community and the world that women of all different backgrounds, looks, upbringings can stand together and be celebrated.” (Watch Aden’s TED Talk.)

Scotland post-surgical deaths drop by a third, and checklists are to thank. A study indicated a 37 percent decrease in post-surgical deaths in Scotland since 2008, which it attributed to the implementation of a safety checklist. The 19-item list created by the World Health Organization is supposed to encourage teamwork and communication during operations. The death rate fell to 0.46 per 100 procedures between 2000 and 2014, analysis of 6.8 million operations showed. Dr. Atul Gawande, who introduced the checklist and co-authored the study, published in the British Journal of Surgery, said to the BBC: “Scotland’s health system is to be congratulated for a multi-year effort that has produced some of the largest population-wide reductions in surgical deaths ever documented.” (Watch Gawande’s TED Talk.) — BG

And finally … After the actor Luke Perry died unexpectedly of a stroke in February, he was buried according to his wishes: on his Tennessee family farm, wearing a suit embedded with spores that will help his body decompose naturally and return to the earth. His Infinity Burial Suit was made by Coeio, led by designer, artist and TED Fellow Jae Rhim Lee. Back in 2011, Lee demo’ed the mushroom burial suit onstage at TEDGlobal; now she’s focused on testing and creating suits for more people. On April 13, Lee spoke at Perry’s memorial service, held at Warner Bros. Studios in Burbank; Perry’s daughter revealed his story in a thoughtful instagram post this past weekend. (Watch Lee’s TED Talk.) — EM

CryptogramScience Fiction Writers Helping Imagine Future Threats

The French army is going to put together a team of science fiction writers to help imagine future threats.

Leaving aside the question of whether science fiction writers are better or worse at envisioning nonfictional futures, this isn't new. The US Department of Homeland Security did the same thing over a decade ago, and I wrote about it back then:

A couple of years ago, the Department of Homeland Security hired a bunch of science fiction writers to come in for a day and think of ways terrorists could attack America. If our inability to prevent 9/11 marked a failure of imagination, as some said at the time, then who better than science fiction writers to inject a little imagination into counterterrorism planning?

I discounted the exercise at the time, calling it "embarrassing." I never thought that 9/11 was a failure of imagination. I thought, and still think, that 9/11 was primarily a confluence of three things: the dual failure of centralized coordination and local control within the FBI, and some lucky breaks on the part of the attackers. More imagination leads to more movie-plot threats -- which contributes to overall fear and overestimation of the risks. And that doesn't help keep us safe at all.

Science fiction writers are creative, and creativity helps in any future scenario brainstorming. But please, keep the people who actually know science and technology in charge.

Last month, at the 2009 Homeland Security Science & Technology Stakeholders Conference in Washington D.C., science fiction writers helped the attendees think differently about security. This seems like a far better use of their talents than imagining some of the zillions of ways terrorists can attack America.

Worse Than FailureCodeSOD: Break my Validation

Linda inherited an inner-platform front-end framework. It was the kind of UI framework with an average file size of 1,000 lines of code, and an average test coverage of 0%.

Like most UI frameworks, it had a system for doing client side validation. Like most inner-platform UI frameworks, the validation system was fragile, confusing, and impossible to understand.

This code illustrates some of the problems:

/**
 * Modify a validator key, e.g change minValue or disable required
 *
 * @param fieldName
 * @param validatorKey - of the specific validator
 * @param key - the key to change
 * @param value - the value to set
 */
modifyValidatorValue: function (fieldName, validatorKey, key, value) {

	if (!helper.isNullOrUndefined(fieldName)) {
		// Iterate over fields
		for (var i in this.fields) {
			if (this.fields.hasOwnProperty(i)) {
				var field = this.fields[i];
				if (field.name === fieldName) {
					if (!helper.isNullOrUndefined(validatorKey)) {
						if (field.hasOwnProperty('validators')) {
							// Iterate over validators
							for (var j in field.validators) {
								if (field.validators.hasOwnProperty(j)) {
									var validator = field.validators[j];
									if (validator.key === validatorKey) {
										if (!helper.isNullOrUndefined(key) && !helper.isNullOrUndefined(value)) {
											if (validator.hasOwnProperty(key)) {
												validator[key] = value;
											}
										}
										break;
									}
								}
							}
						}
					}
					break;
				}
			}
		}
	}

}

What this code needs to do is find the field for a given name, check the list of validators for that field, and update a value on that validator.

Normally, in JavaScript, you’d do this by using an object/dictionary and accessing things directly by their keys. This, instead, iterates across all the fields on the object and all the validators on that field.

It’s smart code, though, as the developer knew that once they found the fields in question, they could exit the loops, so they added a few breaks to exit. I think those breaks are in the right place. To be sure, I’d need to count curly braces, and I’m worried that I don’t have enough fingers and toes to count them all in this case.

According to the git log, this code was added in exactly this form, and hasn’t been touched since.


Planet DebianDavid Bremner: Yet another buildinfo database.

What?

I previously posted about my extremely quick-and-dirty buildinfo database using buildinfo-sqlite. This year at DebConf, I re-implemented this using a PostgreSQL backend, and added some new features.

There is already buildinfo and buildinfos. I was informed I need to think up a name that clearly distinguishes from those two. Thus I give you builtin-pho.

There's a README for how to set up a local database. You'll need 12GB of disk space for the buildinfo files and another 4GB for the database (pro tip: you might want to move the location of your PostgreSQL data_directory, depending on how roomy your /var is)

Demo 1: find things build against old / buggy Build-Depends

select distinct p.source,p.version,d.version, b.path
from
      binary_packages p, builds b, depends d
where
      p.suite='sid' and b.source=p.source and
      b.arch_all and p.arch = 'all'
      and p.version = b.version
      and d.id=b.id and d.depend='dh-elpa'
      and d.version < debversion '1.16'

Demo 2: find packages in sid without buildinfo files

select distinct p.source,p.version
from
      binary_packages p
where
      p.suite='sid'
except
        select p.source,p.version
from binary_packages p, builds b
where
      b.source=p.source
      and p.version=b.version
      and ( (b.arch_all and p.arch='all') or
            (b.arch_amd64 and p.arch='amd64') )

Disclaimer

Work in progress by an SQL newbie.


Cory DoctorowPodcast: Adversarial Interoperability is Judo for Network Effects

In my latest podcast (MP3), I read my essay SAMBA versus SMB: Adversarial Interoperability is Judo for Network Effects, published last week on EFF’s Deeplinks; it’s a further exploration of the idea of “adversarial interoperability” and the role it has played in fighting monopolies and preserving competition, and how we could use it to restore competition today.

In tech, “network effects” can be a powerful force to maintain market dominance: if everyone is using Facebook, then your Facebook replacement doesn’t just have to be better than Facebook, it has to be so much better than Facebook that it’s worth using, even though all the people you want to talk to are still on Facebook. That’s a tall order.

Adversarial interoperability is judo for network effects, using incumbents’ dominance against them. To see how that works, let’s look at a historical example of adversarial interoperability’s role in helping to unseat a monopolist’s dominance.

The first skirmishes of the PC wars were fought with incompatible file formats and even data-storage formats: Apple users couldn’t open files made by Microsoft users, and vice-versa. Even when file formats were (more or less) harmonized, there were still the problems of storage media: the SCSI drive you plugged into your Mac needed a special add-on and flaky driver software to work on your Windows machine; the ZIP cartridge you formatted for your PC wouldn’t play nice with Macs.

MP3

Krebs on SecurityWhat You Should Know About the Equifax Data Breach Settlement

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.

Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the rest of the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers’ fees for the plaintiffs.

Q: $650 million seems like a lot. Is that some kind of record?

A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.

Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?

A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.

Q: Uh, that doesn’t look like Equifax’s site…

A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:

Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.

Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.

Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.

Q: Does this cover my kids/dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

Update: The eligibility site is now active, at this link.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.

He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).

ANALYSIS

We’ll see how this unfolds, but I’ll be amazed if anything related to taking advantage of this settlement is painless. I still can’t even get a free copy of my credit report from Equifax, as I’m entitled to under the law for free each year. I’ve even requested a copy by mail, according to their instructions. So far nothing.

But let’s say for the sake of argument that our questioner is basically right — that this settlement breaks down to about $3 worth of flesh extracted from Equifax for each affected person. The thing is, this figure probably is less than what Equifax makes selling your credit history to potential creditors each year.

In a 2017 story about the Equifax breach, I quoted financial fraud expert Avivah Litan saying the credit bureaus make about $1 every time they sell your credit file to a potential creditor (or identity thief posing as you). According to recent stats from the New York Federal Reserve, there were around 145 million hard credit pulls in the fourth quarter of 2018 (it’s not known how many of those were legitimate or desired).

But there is something you can do to stop Equifax and the other bureaus from profiting this way: Freeze your credit files with them.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you. And it’s now free for all Americans.

This post explains in detail what’s involved in freezing your files; how to place, thaw or remove a freeze; the limitations of a freeze and potential side effects; and alternatives to freezes.

What’s wrong with just using credit monitoring, you might ask? These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

If past experience is any teacher, anyone with a freeze on their credit file will need to briefly thaw their file at Equifax before successfully signing up for the service when it’s offered. Since a law mandating free freezes across the land went into effect, all three bureaus have made it significantly easier to place and lift security freezes.

Probably too easy, in fact. Especially for people who had freezes in place before Equifax revamped its freeze portal. Those folks were issued a numeric PIN to lift, thaw or remove a freeze, but Equifax no longer lets those users do any of those things online with just the PIN.

These days, that PIN doesn’t play a role in any freeze or thaw process. To create an account at the MyEquifax portal, one need only supply name, address, Social Security number, date of birth, any phone number (all data points exposed in the Equifax breach, and in any case widely available for sale in the cybercrime underground) and answer 4 multiple-guess questions whose answers are often available in public records or on social media.

And so this is yet another reason why you should freeze your credit: If you don’t sign up as you at MyEquifax, someone else might do it for you.

What else can you do in the meantime? Be wary of any phone calls or emails you didn’t sign up for that invoke this data breach settlement and ask you to provide personal and/or financial information.

And if you haven’t done so lately, go get a free copy of your credit report from annualcreditreport.com; by law all Americans are entitled to a free report from each of the major bureaus annually. You can opt for one report, or all three at once. Either way, make sure to read the report(s) closely and dispute anything that looks amiss.

It has long been my opinion that the big three bureaus are massively stifling innovation and offering consumers so little choice or say in the bargain that’s being made on the backs of their hard work, integrity and honesty. The real question is, if someone or something eventually serves to dis-intermediate the big three and throw the doors wide open to competition, what would the net effect for consumers?

Obviously, there is no way to know for sure, but a company that truly offered to pay consumers anywhere near what their data is actually worth would probably wipe these digital dinosaurs from the face of the earth.

That is, if the banks could get on board. After all, the banks and their various fingers are what drive the credit industry. And these giants don’t move very nimbly. They’re massively hard to turn on the simplest changes. And they’re not known for quickly warming to an entirely new model of doing business (i.e. huge cost investments).

My hometown Sen. Mark Warner (D-Va.) seems to suggest the $650 million settlement was about half what it should be.

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner sponsored a bill along with Sen. Elizabeth Warren (D-Ma.) called “The Data Breach Prevention and Compensation Act,” which calls for “robust compensation to consumers for stolen data; mandatory penalties on credit reporting agencies (CRAs) for data breaches; and giving the FTC more direct supervisory authority over data security at CRAs.”

“Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information,” Warner’s statement concludes.

Update, 4:44 pm: Added statement from Sen. Warner.

CryptogramHackers Expose Russian FSB Cyberattack Projects

More nation-state activity in cyberspace, this time from Russia:

Per the different reports in Russian media, the files indicate that SyTech had worked since 2009 on a multitude of projects for FSB unit 71330 and for fellow contractor Quantum. Projects include:

  • Nautilus -- a project for collecting data about social media users (such as Facebook, MySpace, and LinkedIn).

  • Nautilus-S -- a project for deanonymizing Tor traffic with the help of rogue Tor servers.

  • Reward -- a project to covertly penetrate P2P networks, like the one used for torrents.

  • Mentor -- a project to monitor and search email communications on the servers of Russian companies.

  • Hope -- a project to investigate the topology of the Russian internet and how it connects to other countries' network.

  • Tax-3 -- a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.

BBC Russia, who received the full trove of documents, claims there were other older projects for researching other network protocols such as Jabber (instant messaging), ED2K (eDonkey), and OpenFT (enterprise file transfer).

Other files posted on the Digital Revolution Twitter account claimed that the FSB was also tracking students and pensioners.

Planet DebianCandy Tsai: Outreachy Week 6 – Week 7: Getting Code Merge

Already half way through the internship! I have implemented some features and opened a merge request. So… what now? Let’s get those changes merged once and for all! Since I’m already at mid-point, there’s also a video shared on what I’ve done so far in this project.

  • Breaking large merge request into smaller pieces
  • Thoughts on remote pair programming
  • Video sharing for the current progress with the project

Making that video was probably the most time-consuming part. Paying great respects to all YouTubers out there!

Breaking The Merge Request

When I looked back at my merge request, it actually started out quite small and precise. After discussions in the merge request, I started to fix things in the same merge request and then it just got bigger and bigger and we had to separate out the “mergeable parts” to make actual progress in this project.

Remote Pair Programming

You can’t overhear what others are doing or learn something about your colleagues through gossip over lunch break when working remotely. So after being stuck for quite a bit, terceiro suggested that we try pair programming.

After our first remote pair programming session, I think there should be no difference in pair programming in person. We shared the same terminal, looked at the same code and discussed just like people standing side by side.

Through our pair programming session, I found out that I had a bad habit. I didn’t run tests on my code that often, so when I had failing tests that didn’t fail before, I spent more time debugging than I should have. Pair programming gave insight to how others work and I think little improvements go a long way.

Week 6

And then I took almost a week off, so my week 7 was delayed.

Week 7

I found out that I can make small merge requests and list the merge requests it depends on. Gitlab will automatically handle the rest for me once a request is merged.

  • finally finished breaking down my large merge request
  • added the history section

Worse Than FailureAn Indispensable Guru


Business Intelligence is the oxymoron that makes modern capitalism possible. In order for a company the size of a Fortune 500 to operate, key people have to know key numbers: how the finances are doing, what sales looks like, whether they're trending on target to meet their business goals or above or below that mystical number.

Once upon a time, Initech had a single person in charge of their Business Intelligence reports. When that person left for greener pastures, the company had a problem. They had no idea how he'd done what he did, just that he'd gotten numbers to people who'd needed them on time every month. There was no documentation about how he'd generated the numbers, nothing to pass on to his successor. They were entirely in the dark.

Recognizing the weakness of having a single point of failure, they set up a small team to create and manage the BI reporting duties and to provide continuity in the event that somebody else were to leave. This new team consisted of four people: Charles, a senior engineer; Liam, his junior sidekick; and two business folks who could provide context around what numbers were needed where and when.

Charles knew Excel. Intimately. Charles could make Excel do frankly astonishing things. Our submitter has worked in IT for three decades, and yet has never seen the like: spreadsheets so chock-full with array formulae, vlookups, hlookups, database functions, macros, and all manner of cascading sheets that they were virtually unreadable. Granted, Charles also had Microsoft Access. However, to Charles, the only thing Access was useful for was the initial downloading of all the raw data from the IBM AS/400 mainframe. Everything else was done in Excel.

Nobody doubted the accuracy of Charles' reports. However, actually running a report involved getting Excel primed and ready to go, hitting the "manual recalculate" button, then sitting back and waiting 45 minutes for the various formulae and macros to do all the things they did. On a good day, Charles could run five, maybe six reports. On a bad day? Three, at best.

By contrast, Liam was very much the "junior" role. He was younger, and did not have the experience that Charles did. That said, Liam was a smart cookie. He took one look at the spreadsheet monstrosity and knew it was a sledgehammer to crack a walnut. Unfortunately, he was the junior member of the engineering half of the team. His objections were taken as evidence of his inexperience, not his intelligence, and his suggestions were generally overlooked.

Eventually, Charles also left for bigger and brighter things, and Liam inherited all of his reports. Almost before the door had stopped swinging, Liam solicited our submitter's assistance in recreating just one of Charles' reports in Access. This took a combined four days; it mostly consisted of the submitter asking "So, Sheet 1, cell A1 ... where does that number come from?", and Liam pointing out the six other sheets they needed to pivot, fold, spindle, and mutilate in order to calculate the number. "Right, so, Sheet 1, cell A2 ... where does that one come from?" ...

Finally, it was done, and the replacement was ready to test. They agreed to run the existing report alongside the new one, so they could determine that the new reports were producing the same output as the old ones. Liam pressed "manual recalculate" while our submitter did the honors of running the new Access report. Thirty seconds later, the Access report gave up and spat out numbers.

"Damn," our submitter muttered. "Something's wrong, it must have died or aborted or something."

"I dunno," replied Liam, "those numbers do look kinda right."

Forty minutes later, when Excel finally finished running its version, lo and behold the outputs were identical. The new report was simply three orders of magnitude faster than the old one.

Enthused by this success, they not only converted all the other reports to run in Access, but also expanded them to run Region- and Area- level variants, essentially running the report about 54 times in the same time it took the original report to run once. They also set up an automatic distribution process so that the reports were emailed out to the appropriate department heads and sales managers. Management was happy; business was happy; developers were happy.

"Why didn't we do this sooner?" was the constant refrain from all involved.

Liam was able to give our submitter the real skinny: "Charles used the long run times to prove how complex the reports were, and therefore, how irreplaceable he was. 'Job security,' he used to call it."

To this day, Charles' LinkedIn profile shows that he was basically running Initech. Liam's has a little more humility about the whole matter. Which just goes to show you shouldn't undersell your achievements in your resume. On paper, Charles still looks like a genius who single-handedly solved all the BI issues in the whole company.


Planet DebianDaniel Lange: Cleaning a broken GnuPG (gpg) key

I've long said that the main tools in the Open Source security space, OpenSSL and GnuPG (gpg), are broken and only a complete re-write will solve this. And that is still pending as nobody came forward with the funding. It's not a sexy topic, so it has to get really bad before it'll get better.

Gpg has a UI that is close to useless. That won't substantially change with more bolted-on improvements.

Now Robert J. Hansen and Daniel Kahn Gillmor had somebody add ~50k signatures (read 1, 2, 3, 4 for the g{l}ory details) to their keys and - oops - they say that breaks gpg.

But does it?

I downloaded Robert J. Hansen's key off the SKS-Keyserver network. It's a nice 45MB file when de-ascii-armored (gpg --dearmor broken_key.asc ; mv broken_key.asc.gpg broken_key.gpg).

Now a friendly:

$ /usr/bin/time -v gpg --no-default-keyring --keyring ./broken_key.gpg --batch --quiet --edit-key 0x1DCBDC01B44427C7 clean save quit

pub  rsa3072/0x1DCBDC01B44427C7
     erzeugt: 2015-07-16  verfällt: niemals     Nutzung: SC  
     Vertrauen: unbekannt     Gültigkeit: unbekannt
sub  ed25519/0xA83CAE94D3DC3873
     erzeugt: 2017-04-05  verfällt: niemals     Nutzung: S  
sub  cv25519/0xAA24CC81B8AED08B
     erzeugt: 2017-04-05  verfällt: niemals     Nutzung: E  
sub  rsa3072/0xDC0F82625FA6AADE
     erzeugt: 2015-07-16  verfällt: niemals     Nutzung: E  
[ unbekannt ] (1). Robert J. Hansen <rjh@sixdemonbag.org>
[ unbekannt ] (2)  Robert J. Hansen <rob@enigmail.net>
[ unbekannt ] (3)  Robert J. Hansen <rob@hansen.engineering>

User-ID "Robert J. Hansen <rjh@sixdemonbag.org>": 49705 Signaturen entfernt
User-ID "Robert J. Hansen <rob@enigmail.net>": 49704 Signaturen entfernt
User-ID "Robert J. Hansen <rob@hansen.engineering>": 49701 Signaturen entfernt

pub  rsa3072/0x1DCBDC01B44427C7
     erzeugt: 2015-07-16  verfällt: niemals     Nutzung: SC  
     Vertrauen: unbekannt     Gültigkeit: unbekannt
sub  ed25519/0xA83CAE94D3DC3873
     erzeugt: 2017-04-05  verfällt: niemals     Nutzung: S  
sub  cv25519/0xAA24CC81B8AED08B
     erzeugt: 2017-04-05  verfällt: niemals     Nutzung: E  
sub  rsa3072/0xDC0F82625FA6AADE
     erzeugt: 2015-07-16  verfällt: niemals     Nutzung: E  
[ unbekannt ] (1). Robert J. Hansen <rjh@sixdemonbag.org>
[ unbekannt ] (2)  Robert J. Hansen <rob@enigmail.net>
[ unbekannt ] (3)  Robert J. Hansen <rob@hansen.engineering>

        Command being timed: "gpg --no-default-keyring --keyring ./broken_key.gpg --batch --quiet --edit-key 0x1DCBDC01B44427C7 clean save quit"
        User time (seconds): 3911.14
        System time (seconds): 2442.87
        Percent of CPU this job got: 99%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 1:45:56
        Average shared text size (kbytes): 0
        Average unshared data size (kbytes): 0
        Average stack size (kbytes): 0
        Average total size (kbytes): 0
        Maximum resident set size (kbytes): 107660
        Average resident set size (kbytes): 0
        Major (requiring I/O) page faults: 1
        Minor (reclaiming a frame) page faults: 26630
        Voluntary context switches: 43
        Involuntary context switches: 59439
        Swaps: 0
        File system inputs: 112
        File system outputs: 48
        Socket messages sent: 0
        Socket messages received: 0
        Signals delivered: 0
        Page size (bytes): 4096
        Exit status: 0

And the result is a nicely usable 3835 byte file of the clean public key. If you supply a keyring instead of --no-default-keyring it will also keep the non-self signatures that are useful for you (as you apparently know the signing party).

So it does not break gpg. It does break things that call gpg at runtime and not asynchronously. I heard Enigmail is affected, quelle surprise.

Now the main problem here is the runtime. 1h45min is just ridiculous. As Filippo Valsorda puts it:

Someone added a few thousand entries to a list that lets anyone append to it. GnuPG, software supposed to defeat state actors, suddenly takes minutes to process entries. How big is that list you ask? 17 MiB. Not GiB, 17 MiB. Like a large picture. https://dev.gnupg.org/T4592

If I were a gpg / SKS keyserver developer, I'd

  • speed this up so the edit-key run above completes in less than 10 s (just getting rid of the lseek/read dance and deferring all time-based decisions should get close)
  • (ideally) make the drop-sig import-filter syntax useful (date-ranges, non-reciprocal signatures, ...)
  • clean affected keys on the SKS keyservers (needs coordination of sysops, drop servers from unreachable people)
  • (ideally) use the opportunity to clean all keyserver filesystem and the message board over pgp key servers keys, too
  • only accept new keys and new signatures on keys extending the strong set (rather small change to the existing codebase)

That way another key can only be added to the keyserver network if it contains at least one signature from a previously known strong-set key. Attacking the keyserver network would become at least non-trivial. And the web-of-trust thing may make sense again.
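As an added example (not code from this post or from GnuPG), here is a small Python parser that walks the packet sequence of a dearmored keyblock as defined in RFC 4880 section 4.2 and counts signature packets per user ID, so a flooded key like the one above can be spotted before gpg spends an hour and three quarters on it. Packet bodies are not parsed, and the sample keyblock is constructed inline with dummy bodies rather than real key material.

```python
"""Count signature packets per user ID in a binary (dearmored) OpenPGP keyblock.

Added example, not from the original post or from GnuPG. It handles old- and
new-format packet headers including partial body lengths (RFC 4880 4.2).
"""
import struct

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13


def _take(data, pos, n):
    """Return data[pos:pos+n] and the new offset, or raise if the block is truncated."""
    if pos + n > len(data):
        raise ValueError("truncated keyblock at offset %d" % pos)
    return data[pos:pos + n], pos + n


def iter_packets(data):
    """Yield (tag, body) for every packet in data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("bit 7 clear in packet header at offset %d" % (pos - 1))
        if first & 0x40:                       # new-format header (RFC 4880 4.2.2)
            tag = first & 0x3F
            body = bytearray()
            while True:                        # loops only for partial body lengths
                (b1,), pos = _take(data, pos, 1)
                partial = False
                if b1 < 192:
                    length = b1
                elif b1 < 224:
                    (b2,), pos = _take(data, pos, 1)
                    length = ((b1 - 192) << 8) + b2 + 192
                elif b1 == 255:
                    raw, pos = _take(data, pos, 4)
                    length = struct.unpack(">I", raw)[0]
                else:                          # 224..254: partial body length
                    length, partial = 1 << (b1 & 0x1F), True
                chunk, pos = _take(data, pos, length)
                body += chunk
                if not partial:
                    break
            yield tag, bytes(body)
        else:                                  # old-format header (RFC 4880 4.2.1)
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            raw, pos = _take(data, pos, (1, 2, 4)[ltype])
            body, pos = _take(data, pos, int.from_bytes(raw, "big"))
            yield tag, bytes(body)


def signatures_per_uid(keyblock):
    """Map each user ID to the number of signature packets following it.
    Signatures before any user ID (direct-key signatures) are keyed under ''."""
    counts, current = {}, ""
    for tag, body in iter_packets(keyblock):
        if tag == TAG_USER_ID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag == TAG_SIGNATURE:
            counts[current] = counts.get(current, 0) + 1
    return counts


def flooded_uids(keyblock, threshold=100):
    """User IDs carrying more than `threshold` signatures, sorted."""
    return sorted(u for u, c in signatures_per_uid(keyblock).items() if c > threshold)


def _packet(tag, body, new_format=False):
    """Encode one packet for the constructed sample (bodies below 8384 bytes)."""
    n = len(body)
    if new_format:
        if n < 192:
            return bytes([0xC0 | tag, n]) + body
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    if n < 256:
        return bytes([0x80 | (tag << 2), n]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", n) + body


# Constructed sample keyblock: dummy bodies, not real key material.
UID_OK = b"Alice Example <alice@example.org>"
UID_FLOODED = b"Bob Example <bob@example.org>"
SAMPLE_KEYBLOCK = (
    _packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40)
    + _packet(TAG_USER_ID, UID_OK)
    + _packet(TAG_SIGNATURE, b"\x04" + b"\x11" * 300)             # one self-signature
    + _packet(TAG_USER_ID, UID_FLOODED, new_format=True)
    + _packet(TAG_SIGNATURE, b"\x04" + b"\x22" * 300)             # self-signature
    + b"".join(_packet(TAG_SIGNATURE, b"\x04" + b"\x33" * 250, new_format=True)
               for _ in range(300))                                # 300 flood certifications
)

if __name__ == "__main__":
    for uid, n in signatures_per_uid(SAMPLE_KEYBLOCK).items():
        print("%6d signatures on %r" % (n, uid))
    print("flooded:", flooded_uids(SAMPLE_KEYBLOCK))
```

Run it on the output of gpg --dearmor (or on a file received from a keyserver) to get the per-UID count without importing anything.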

Update

09.07.2019

GnuPG 2.2.17 has been released with another set of quickly bolted together fixes:

  * gpg: Ignore all key-signatures received from keyservers.  This
    change is required to mitigate a DoS due to keys flooded with
    faked key-signatures.  The old behaviour can be achieved by adding
    keyserver-options no-self-sigs-only,no-import-clean
    to your gpg.conf.  [#4607]
  * gpg: If an imported keyblocks is too large to be stored in the
    keybox (pubring.kbx) do not error out but fallback to an import
    using the options "self-sigs-only,import-clean".  [#4591]
  * gpg: New command --locate-external-key which can be used to
    refresh keys from the Web Key Directory or via other methods
    configured with --auto-key-locate.
  * gpg: New import option "self-sigs-only".
  * gpg: In --auto-key-retrieve prefer WKD over keyservers.  [#4595]
  * dirmngr: Support the "openpgpkey" subdomain feature from
    draft-koch-openpgp-webkey-service-07. [#4590].
  * dirmngr: Add an exception for the "openpgpkey" subdomain to the
    CSRF protection.  [#4603]
  * dirmngr: Fix endless loop due to http errors 503 and 504.  [#4600]
  * dirmngr: Fix TLS bug during redirection of HKP requests.  [#4566]
  * gpgconf: Fix a race condition when killing components.  [#4577]

Bug T4607 shows that these changes are all but well thought-out. They introduce artificial limits, like 64kB for WKD-distributed keys or 5MB for local signature imports (Bug T4591) which weaken the web-of-trust further.

I recommend not running gpg 2.2.17 in production environments without extensive testing as these limits and the unverified network traffic may bite you. Do validate your upgrade with valid and broken keys that have segments (packet groups) surpassing the above mentioned limits. You may be surprised what gpg does. On the upside: you can now refresh keys (sans signatures) via WKD. So if your buddies still believe in limiting their subkey validities, you can more easily update them bypassing the SKS keyserver network. NB: I have not tested that functionality. So test before deploying.

Planet DebianDaniel Lange: Security is hard, open source security unnecessarily harder

Now it is a commonplace that security is hard. It involves advanced mathematics and a single, tiny mistake or omission in implementation can spoil everything.

And the only sane IT security can be open source security. Because you need to assess the algorithms and their implementation and you need to be able to completely verify the implementation. You simply can't if you don't have the code and can compile it yourself to produce a trusted (ideally reproducible) build. A no-brainer for everybody in the field.

But we make it unbelievably hard for people to use security tools. Because these have grown over decades fostered by highly intelligent people with no interest in UX.
"It was hard to write, so it should be hard to use as well."
And then complain about adoption.

PGP / gpg has received quite some fire this year and the good news is this has resulted in funding for the sole gpg developer. Which will obviously not solve the UX problem.

But the much worse offender is OpenSSL. It is so hard to use that even experienced hackers fail.

IRC wallop on hackint

Now, securely encrypting a mass communication media like IRC is not possible at all. Read Trust is not transitive: or why IRC over SSL is pointless [1].
Still it makes wiretapping harder and that may be a good thing these days.

LibreSSL has forked the OpenSSL code base "with goals of modernizing the codebase, improving security, and applying best practice development processes". No UX improvement. A cleaner code for the chosen few. Duh.

I predict the re-implementations and gradual improvement scenarios will fail. The nearly-impossible-to-use-right situation with both gpg and (much more importantly) OpenSSL cannot be fixed by gradual improvements and however thorough code reviews.

Now the "there's an App for this" security movement won't work out on a grand scale either:

  1. Most often not open source. Notable exceptions: ChatSecure, TextSecure.
  2. No reference implementations with excellent test servers and well documented test suites but products. "Use my App.", "No, use MY App!!!".
  3. Only secures chat or email. So the VC-powered ("next WhatsApp") mass-adoption markets but not the really interesting things to improve upon (CA, code signing, FDE, ...).
  4. While everybody is focusing on mobile adoption the heavy lifting is still on servers. We need sane libraries and APIs. No App for that.

So we need a new development, a new code, a new open source product. Sadly so the Core Infrastructure Initiative so far only funds existing open source projects in dire needs and people bug hunting.

It basically makes the bad solutions of today a bit more secure and ensures maintenance of decade old crufty code bases. That way it extends the suffering of everybody using the inadequate solutions of today.

That's inevitable until we have a better stack but we need to look into getting rid of gpg and OpenSSL and replacing it with something new. Something designed well from the ground up, technically and from a user experience perspective.

Now who's in for a five year funding plan? $3m [2] annually. ROCE 0. But a very good chance to get the OBE awarded.

Keep calm and enjoy the silence

Updates:

21.07.19: A current essay on "The PGP problem" is making rounds and lists some valid issues with the file format, RFCs and the gpg implementation. The GnuPG-users mailing list has a discussion thread on the issues listed in the essay.

19.01.19: Daniel Kahn Gillmor, a Senior Staff Technologist at the ACLU, tried to get his gpg key transition correct. He put a huge amount of thought and preparation into the transition. To support Autocrypt (another try to get GPG usable for more people than a small technical elite), he specifically created different identities for him as a person and his two main email addresses. Two days later he had to invalidate his new gpg key and back off to less "modern" identity layouts because many of the brittle pieces of infrastructure around gpg from emacs to gpg signature management frontends to mailing list managers fell over dead.

28.11.18: Changed the Quakenet link on why encrypting IRC is useless to an archive.org one as they have removed the original content.

13.03.17: Chris Wellons writes about why GPG is a failure and created a small portable application Enchive to replace it for asymmetric encryption.

24.02.17: Stefan Marsiske has written a blog article: On PGP. He argues about adversary models and when gpg is "probably" [3] still good enough to use. To me a security tool can never be a sane choice if the UI is so convoluted that only a chosen few stand at least a chance of using it correctly. Doesn't matter who or what your adversary is.
Stefan concludes his blog article:

PGP for encryption as in RFC 4880 should be retired, some sunk-cost-biases to be coped with, but we all should rejoice that the last 3-4 years had so much innovation in this field, that RFC 4880 is being rewritten[Citation needed] with many of the above in mind and that hopefully there'll be more and better tools. [..]

He gives an extensive list of tools he considers worth watching in his article. Go and check whether something in there looks like a possible replacement for gpg to you. Stefan also gave a talk on the OpenPGP conference 2016 with similar content, slides.

14.02.17: James Stanley has written up a nice account of his two hour venture to get encrypted email set up. The process is speckled with bugs and inconsistent nomenclature capable of confusing even a technically inclined person. There has been no progress in the last ~two years since I wrote this piece. We're all still riding dead horses. James summarizes:

Encrypted email is nothing new (PGP was initially released in 1991 - 26 years ago!), but it still has a huge barrier to entry for anyone who isn't already familiar with how to use it.

04.09.16: Greg Kroah-Hartman ends an analysis of the Evil32 PGP keyid collisions with:

gpg really is horrible to use and almost impossible to use correctly.

14.11.15: Scott Ruoti, Jeff Andersen, Daniel Zappala and Kent Seamons of BYU, Utah, have analysed the usability [local mirror, 173kB] of Mailvelope, a webmail PGP/GPG add-on based on a Javascript PGP implementation. They describe the results as "disheartening":

In our study of 20 participants, grouped into 10 pairs of participants who attempted to exchange encrypted email, only one pair was able to successfully complete the assigned tasks using Mailvelope. All other participants were unable to complete the assigned task in the one hour allotted to the study. Even though a decade has passed since the last formal study of PGP, our results show that Johnny has still not gotten any closer to encrypt his email using PGP.

  1. Quakenet has removed that article citing "near constant misrepresentation of the presented argument" sometime in 2018. The contents (not misrepresented) are still valid so I have added an archive.org Wayback machine link instead.

  2. The estimate was $2m until end of 2018. The longer we wait, the more expensive it'll get. And - obviously - ever harder. E.g. nobody needed to care about sidechannel attacks on big-LITTLE five years ago. But now they start to hit servers and security-sensitive edge devices. 

  3. Stefan says "probably" five times in one paragraph. Probably needs an editor. The person not the application. 

Planet DebianGiovanni Mascellani: Bootstrappable Debian BoF

Greetings from DebConf 19 in Curitiba! Just a quick reminder that I will run a Bootstrappable Debian BoF on Tuesday 23rd, at 13.30 Brasilia time (which is 16.30 UTC, if I am not mistaken). If you are curious about bootstrappability in Debian, why do we want it and where we are right now, you are welcome to come in person if you are at DebConf or to follow the streaming.


Planet DebianVincent Bernat: A Makefile for your Go project (2019)

My most loathed feature of Go was the mandatory use of GOPATH: I do not want to put my own code next to its dependencies. I was not alone and people devised tools or crafted their own Makefile to avoid organizing their code around GOPATH.

Fortunately, since Go 1.11, it is possible to use Go’s modules to manage dependencies without relying on GOPATH. First, you need to convert your project to a module:1

$ go mod init hellogopher
go: creating new go.mod: module hellogopher
$ cat go.mod
module hellogopher

Then, you can invoke the usual commands, like go build or go test. The go command resolves imports by using versions listed in go.mod. When it runs into an import of a package not present in go.mod, it automatically looks up the module containing that package using the latest version and adds it.

$ go test ./...
go: finding github.com/spf13/cobra v0.0.5
go: downloading github.com/spf13/cobra v0.0.5
?       hellogopher     [no test files]
?       hellogopher/cmd [no test files]
ok      hellogopher/hello       0.001s
$ cat go.mod
module hellogopher

require github.com/spf13/cobra v0.0.5

If you want a specific version, you can either edit go.mod or invoke go get:

$ go get github.com/spf13/cobra@v0.0.4
go: finding github.com/spf13/cobra v0.0.4
go: downloading github.com/spf13/cobra v0.0.4
$ cat go.mod
module hellogopher

require github.com/spf13/cobra v0.0.4

Add go.mod to your version control system. Optionally, you can also add go.sum as a safety net against overridden tags. If you really want to vendor the dependencies, you can invoke go mod vendor and add the vendor/ directory to your version control system.

Thanks to the modules, in my opinion, Go’s dependency management is now on a par with other languages, like Ruby. While it is possible to run day-to-day operations—building and testing—with only the go command, a Makefile can still be useful to organize common tasks, a bit like Python’s setup.py or Ruby’s Rakefile. Let me describe mine.

Using third-party tools

Most projects need some third-party tools for testing or building. We can either expect them to be already installed or compile them on the fly. For example, here is how code linting is done with Golint:

BIN = $(CURDIR)/bin
$(BIN):
    @mkdir -p $@
$(BIN)/%: | $(BIN)
    @tmp=$$(mktemp -d); \
       env GO111MODULE=off GOPATH=$$tmp GOBIN=$(BIN) go get $(PACKAGE) \
        || ret=$$?; \
       rm -rf $$tmp ; exit $$ret

$(BIN)/golint: PACKAGE=golang.org/x/lint/golint

GOLINT = $(BIN)/golint
lint: | $(GOLINT)
    $(GOLINT) -set_exit_status ./...

The first block defines how a third-party tool is built: go get is invoked with the package name matching the tool we want to install. We do not want to pollute our dependency management and therefore, we are working in an empty GOPATH. The generated binaries are put in bin/.

The second block extends the pattern rule defined in the first block by providing the package name for golint. Additional tools can be added by just adding another line like this.

The last block defines the recipe to lint the code. The default linting tool is the golint built using the first block but it can be overridden with make GOLINT=/usr/bin/golint.

Tests

Here are some rules to help running tests:

TIMEOUT  = 20
PKGS     = $(or $(PKG),$(shell env GO111MODULE=on $(GO) list ./...))
TESTPKGS = $(shell env GO111MODULE=on $(GO) list -f \
            '{{ if or .TestGoFiles .XTestGoFiles }}{{ .ImportPath }}{{ end }}' \
            $(PKGS))

TEST_TARGETS := test-default test-bench test-short test-verbose test-race
test-bench:   ARGS=-run=__absolutelynothing__ -bench=.
test-short:   ARGS=-short
test-verbose: ARGS=-v
test-race:    ARGS=-race
$(TEST_TARGETS): test
check test tests: fmt lint
    go test -timeout $(TIMEOUT)s $(ARGS) $(TESTPKGS)

A user can invoke tests in different ways:

  • make test runs all tests;
  • make test TIMEOUT=10 runs all tests with a timeout of 10 seconds;
  • make test PKG=hellogopher/cmd only runs tests for the cmd package;
  • make test ARGS="-v -short" runs tests with the specified arguments;
  • make test-race runs tests with race detector enabled.

go test includes a test coverage tool. Unfortunately, it only handles one package at a time and you have to explicitly list the packages to be instrumented, otherwise the instrumentation is limited to the currently tested package. If you provide too many packages, the compilation time will skyrocket. Moreover, if you want an output compatible with Jenkins, you need some additional tools.

COVERAGE_MODE    = atomic
COVERAGE_PROFILE = $(COVERAGE_DIR)/profile.out
COVERAGE_XML     = $(COVERAGE_DIR)/coverage.xml
COVERAGE_HTML    = $(COVERAGE_DIR)/index.html
test-coverage-tools: | $(GOCOVMERGE) $(GOCOV) $(GOCOVXML) # ❶
test-coverage: COVERAGE_DIR := $(CURDIR)/test/coverage.$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
test-coverage: fmt lint test-coverage-tools
    @mkdir -p $(COVERAGE_DIR)/coverage
# ❷
    @for pkg in $(TESTPKGS); do \
        $(GO) test \
            -coverpkg=$$($(GO) list -f '{{ join .Deps "\n" }}' $$pkg | \
                    grep '^$(MODULE)/' | \
                    tr '\n' ',')$$pkg \
            -covermode=$(COVERAGE_MODE) \
            -coverprofile="$(COVERAGE_DIR)/coverage/`echo $$pkg | tr "/" "-"`.cover" $$pkg ;\
     done
    @$(GOCOVMERGE) $(COVERAGE_DIR)/coverage/*.cover > $(COVERAGE_PROFILE)
    @$(GO) tool cover -html=$(COVERAGE_PROFILE) -o $(COVERAGE_HTML)
    @$(GOCOV) convert $(COVERAGE_PROFILE) | $(GOCOVXML) > $(COVERAGE_XML)

First, we define some variables to let the user override them. In ❶, we require the following tools—built like golint previously:

  • gocovmerge merges profiles from different runs into a single one;
  • gocov-xml converts a coverage profile to the Cobertura format, for Jenkins;
  • gocov is needed to convert a coverage profile to a format handled by gocov-xml.

In ❷, for each package to test, we run go test with the -coverprofile argument. We also explicitly provide the list of packages to instrument to -coverpkg by using go list to get the dependencies of the tested package and keeping only our own.
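Both the TESTPKGS template and the -coverpkg construction in ❷ are template-and-shell plumbing that is hard to see in action without a checkout. The following added example (not code from the post) applies that exact text/template to constructed records shaped like go list -json output, and rebuilds the -coverpkg argument the same way the recipe does. The module name hellogopher, the package list and their Deps are made up for the illustration.

```go
// Added example (not part of the original post): apply the same text/template
// that the TESTPKGS rule passes to `go list -f`, and build the -coverpkg list
// the way the test-coverage recipe does, on constructed package metadata.
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Package carries the subset of `go list -json` fields the Makefile looks at.
type Package struct {
	ImportPath   string
	TestGoFiles  []string // _test.go files in the package itself
	XTestGoFiles []string // _test.go files in the external pkg_test package
	Deps         []string // transitive import paths, as go list reports them
}

// testPkgsTemplate is exactly the template from the TESTPKGS rule. `or` returns
// its first non-empty argument and an empty slice is false, so a package is
// printed only when it has internal or external test files.
const testPkgsTemplate = `{{ if or .TestGoFiles .XTestGoFiles }}{{ .ImportPath }}{{ end }}`

// PackagesWithTests returns the import paths the template would print, skipping
// the empty lines that packages without tests produce (make's $(shell ...)
// word-splits the output, so those empty lines vanish there too).
func PackagesWithTests(pkgs []Package) ([]string, error) {
	tmpl, err := template.New("testpkgs").Parse(testPkgsTemplate)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, p := range pkgs {
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, p); err != nil {
			return nil, err
		}
		if s := strings.TrimSpace(buf.String()); s != "" {
			out = append(out, s)
		}
	}
	return out, nil
}

// CoverPkg reproduces the -coverpkg argument of the test-coverage recipe:
// the dependencies that live under the module (grep '^$(MODULE)/'), joined
// with commas, followed by the package itself. Only the module's own code is
// instrumented, which is what keeps compilation time in check.
func CoverPkg(module string, p Package) string {
	own := make([]string, 0, len(p.Deps)+1)
	for _, d := range p.Deps {
		if strings.HasPrefix(d, module+"/") {
			own = append(own, d)
		}
	}
	return strings.Join(append(own, p.ImportPath), ",")
}

// samplePackages is constructed input standing in for `go list -json ./...`
// of a hypothetical module named hellogopher.
var samplePackages = []Package{
	{ImportPath: "hellogopher",
		Deps: []string{"fmt", "hellogopher/cmd", "github.com/spf13/cobra"}},
	{ImportPath: "hellogopher/cmd", TestGoFiles: []string{"root_test.go"},
		Deps: []string{"fmt", "os", "hellogopher/internal/greet", "github.com/spf13/cobra"}},
	{ImportPath: "hellogopher/internal/greet", XTestGoFiles: []string{"greet_test.go"},
		Deps: []string{"fmt", "strings"}},
	{ImportPath: "hellogopher/internal/untested", Deps: []string{"fmt"}},
}

func main() {
	pkgs, err := PackagesWithTests(samplePackages)
	if err != nil {
		panic(err)
	}
	// Print the go test invocation the recipe's loop would run for each package.
	for _, p := range samplePackages {
		for _, t := range pkgs {
			if t == p.ImportPath {
				fmt.Printf("go test -coverpkg=%s %s\n", CoverPkg("hellogopher", p), p.ImportPath)
			}
		}
	}
}
```

The prefix test with a trailing slash mirrors the recipe's grep anchor: a dependency on the module root package itself would not be instrumented, which is harmless for a main package but worth knowing if your root package is a library.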

Build

Another useful recipe is to build the program. While this could be done with just go build, it is not uncommon to have to specify build tags, additional flags, or to execute supplementary build steps. In the following example, the version is extracted from Git tags. It will replace the value of the Version variable in the hellogopher/cmd package.

VERSION ?= $(shell git describe --tags --always --dirty --match=v* 2> /dev/null || \
            echo v0)
all: fmt lint | $(BIN)
    $(GO) build \
        -tags release \
        -ldflags '-X hellogopher/cmd.Version=$(VERSION)' \
        -o $(BIN)/hellogopher main.go

The recipe also runs code formatting and linting.
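What the injected Version string looks like at run time, and how a program can act on it, is left implicit above. The following added example (not part of the post) shows the Go side of the -X injection for a hypothetical hellogopher/cmd package: the Version variable with the Makefile's v0 fallback as its default, and a parser for the shapes git describe --tags --always --dirty can print, so the binary can refuse to call itself a release when it was built from a dirty tree or from commits past the tag. The BuildInfo type and the IsRelease policy are my assumptions, not anything the post defines.

```go
// Added example (not part of the original post): the Go side of
// -ldflags '-X hellogopher/cmd.Version=$(VERSION)', plus a parser for the
// string git describe --tags --always --dirty produces. In the real project
// this would live in hellogopher/cmd; it is package main here so it runs alone.
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is overwritten at link time. -X only works on a package-level string
// variable that is uninitialised or initialised with a constant string, so keep
// it exactly this simple; the default matches the Makefile's fallback when
// git describe fails.
var Version = "v0"

// BuildInfo is the structured reading of a git describe string.
type BuildInfo struct {
	Tag    string // nearest tag matching v* ("" when only a hash was available)
	Ahead  int    // commits since Tag; 0 when built exactly from the tag
	Commit string // abbreviated hash, set when Ahead > 0 or no tag was found
	Dirty  bool   // the working tree had uncommitted changes
}

var (
	// v1.2.3 or v1.2.3-4-gabcdef0; the tag may itself contain hyphens
	// (v1.0.0-rc1), so the tag group is lazy and the suffix is anchored.
	describeRe = regexp.MustCompile(`^(v[^\s]*?)(?:-(\d+)-g([0-9a-f]{7,40}))?$`)
	// What --always prints when no tag matches: just the abbreviated hash.
	hashRe = regexp.MustCompile(`^[0-9a-f]{7,40}$`)
)

// ParseVersion interprets the output of
// git describe --tags --always --dirty --match=v* (or the v0 fallback).
func ParseVersion(s string) (BuildInfo, error) {
	var info BuildInfo
	s = strings.TrimSpace(s)
	if strings.HasSuffix(s, "-dirty") {
		info.Dirty = true
		s = strings.TrimSuffix(s, "-dirty")
	}
	if hashRe.MatchString(s) {
		// No tag reachable: describe fell back to the bare hash.
		info.Commit = s
		return info, nil
	}
	m := describeRe.FindStringSubmatch(s)
	if m == nil {
		return BuildInfo{}, fmt.Errorf("version %q is not git describe output", s)
	}
	info.Tag = m[1]
	if m[2] != "" {
		n, err := strconv.Atoi(m[2])
		if err != nil {
			return BuildInfo{}, err
		}
		info.Ahead = n
		info.Commit = m[3]
	}
	return info, nil
}

// IsRelease is true only for a binary built exactly from a tag with a clean
// tree: the condition under which a -tags release build should be shipped.
func (b BuildInfo) IsRelease() bool {
	return b.Tag != "" && b.Ahead == 0 && !b.Dirty
}

func main() {
	info, err := ParseVersion(Version)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s: %+v release=%v\n", Version, info, info.IsRelease())
}
```

One caveat the parser makes visible: the v0 fallback is indistinguishable from a genuine tag named v0, so if a build without git metadata must never pass as a release, pick a fallback string that fails IsRelease, or fail the build when git describe is unavailable.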


The excerpts provided in this post are a bit simplified. Have a look at the final result for more perks, including fancy output and integrated help!


  1. For an application not meant to be used as a library, I prefer to use a short name instead of a name derived from a URL, like github.com/vincentbernat/hellogopher. It makes it easier to read import sections:

    import (
            "fmt"
            "os"
    
            "hellogopher/cmd"
    
            "github.com/pkg/errors"
            "github.com/spf13/cobra"
    )
    


Planet DebianBits from Debian: DebConf19 starts today in Curitiba


DebConf19, the 20th annual Debian Conference, is taking place in Curitiba, Brazil from July 21 to 28, 2019.

Debian contributors from all over the world have come together at Federal University of Technology - Paraná (UTFPR) in Curitiba, Brazil, to participate and work in a conference exclusively run by volunteers.

Today the main conference starts with over 350 attendees expected and 121 activities scheduled, including 45- and 20-minute talks and team meetings ("BoF"), workshops, a job fair as well as a variety of other events.

The full schedule at https://debconf19.debconf.org/schedule/ is updated every day, including activities planned ad-hoc by attendees during the whole conference.

If you want to engage remotely, you can follow the video streaming available from the DebConf19 website of the events happening in the three talk rooms: Auditório (the main auditorium), Miniauditório and Sala de Videoconferencia. Or you can join the conversation about what is happening in the talk rooms: #debconf-auditorio, #debconf-miniauditorio and #debconf-videoconferencia (all those channels in the OFTC IRC network).

You can also follow the live coverage of news about DebConf19 on https://micronews.debian.org or the @debian profile in your favorite social network.

DebConf is committed to a safe and welcoming environment for all participants. During the conference, several teams (Front Desk, Welcome team and Anti-Harassment team) are available to help both on-site and remote participants get the most out of the conference and to find solutions to any issue that may arise. See the Code of Conduct page on the DebConf19 website for more details.

Debian thanks its numerous sponsors for their commitment to supporting DebConf19, particularly our Platinum Sponsors: Infomaniak, Google and Lenovo.

TEDGetting ready for TEDSummit 2019: Photo gallery

TEDSummit banners are hung at the entrance of the Edinburgh Convention Centre, our home for the week. (Photo: Bret Hartman / TED)

TEDSummit 2019 officially kicks off today! Members of the TED community from 84 countries — TEDx’ers, TED Translators, TED Fellows, TED-Ed Educators, past speakers and more — have gathered in Edinburgh, Scotland to dream up what’s next for TED. Over the next week, the community will share adventures around the city, more than 100 Discovery Sessions and, of course, seven sessions of TED Talks.

Below, check out some photo highlights from the lead-up to TEDSummit and pre-conference activities. (And view our full photostream here.)

It takes a small (and mighty) army to get the theater ready for TED Talks.

(Photo: Bret Hartman / TED)

(Photo: Ryan Lash / TED)

(Photo: Bret Hartman / TED)

TED Translators get the week started with a trip to Edinburgh Castle, complete with high tea in the Queen Anne Tea Room, and a welcome reception.

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

A bit of Scottish rain couldn’t stop the TED Fellows from enjoying a hike up Arthur’s Seat. Weather wasn’t a problem at a welcome dinner.

(Photo: Ryan Lash / TED)

(Photo: Ryan Lash / TED)

(Photo: Ryan Lash / TED)

TEDx’ers kick off the week with workshops, panel discussions and a welcome reception.

(Photo: Dian Lofton / TED)

(Photo: Dian Lofton / TED)

(Photo: Ryan Lash / TED)

It’s all sun and blue skies for the speaker community’s trip to Edinburgh Castle and reception at the Playfair Library.

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

Cheers to an amazing week ahead!

(Photo: Ryan Lash / TED)

Planet DebianHolger Levsen: 20190721-piuparts-was-not-down

piuparts.debian.org was not down for maintenance

I hadn't shut down piuparts.debian.org for maintenance, I just said so, to make you attend my talk, as my last call for help at DebConf17 was attended by 3 people only...

So please join the session about piuparts(d.o.) today at 14:30 localtime.

Please help help help!

Planet DebianSylvain Beucler: Planet clean-up


I did some clean-up / resync on the planet.gnu.org setup :)

  • Fix issue with newer https websites (SNI)
  • Re-sync Debian base config, scripts and packaging, update documentation; the planet-venus package is still in bad shape though, it's not officially orphaned but the maintainer is unreachable AFAICS
  • Fetch all Savannah feeds using https
  • Update feeds with redirections, which seem to mess-up caching

TEDA first glimpse at the TEDSummit 2019 speaker lineup

At TEDSummit 2019, more than 1,000 members of the TED community will gather for five days of performances, workshops, brainstorming, outdoor activities, future-focused discussions and, of course, an eclectic program of TED Talks — curated by TED Global curator Bruno Giussani, pictured above. (Photo: Marla Aufmuth / TED)

With TEDSummit 2019 just two months away, it’s time to unveil the first group of speakers that will take to the stage in Edinburgh, Scotland, from July 21-25.

Three years ago, more than 1,000 members of the TED global community convened in Banff, Canada, for the first-ever TEDSummit. We talked about the fracturing state of the world, the impact of technology and the accelerating urgency of climate change. And we drew wisdom and inspiration from the speakers — and from each other.

These themes are equally pressing today, and we’ll bring them to the stage in novel, more developed ways in Edinburgh. We’ll also address a wide range of additional topics that demand attention — looking not only for analysis but also antidotes and solutions. To catalyze this process, half of the TEDSummit conference program will take place outside the theatre, as experts host an array of Discovery Sessions in the form of hands-on workshops, activities, debates and conversations.

Check out a glimpse of the lineup of speakers who will share their future-focused ideas below. Some are past TED speakers returning to give new talks; others will step onto the red circle for the first time. All will help us understand the world we currently live in.

Here we go! (More will be added in the coming weeks):

Anna Piperal, digital country expert

Bob Langert, corporate changemaker

Carl Honoré, author

Carole Cadwalladr, investigative journalist

Diego Prilusky, immersive media technologist

Eli Pariser, organizer and author

Fay Bound Alberti, historian

George Monbiot, thinker and author

Hajer Sharief, youth inclusion activist

Howard Taylor, children safety advocate

Jochen Wegner, editor and dialogue creator

Kelly Wanser, geoengineering expert

Ma Yansong, architect

Marco Tempest, technology magician

Margaret Heffernan, business thinker

María Neira, global public health official

Mariana Lin, AI personalities writer

Mariana Mazzucato, economist

Marwa Al-Sabouni, architect

Nick Hanauer, capitalism redesigner

Nicola Jones, science writer

Nicola Sturgeon, First Minister of Scotland

Omid Djalili, comedian

Patrick Chappatte, editorial cartoonist

Pico Iyer, global author

Poet Ali, philosopher and poet

Rachel Kleinfeld, violence scholar

Raghuram Rajan, former central banker

Rose Mutiso, energy for Africa activist

Sandeep Jauhar, cardiologist

Sara-Jane Dunn, computational biologist

Sheperd Doeleman, black hole scientist

Sonia Livingstone, social psychologist

Susan Cain, quiet revolutionary

Tim Flannery, carbon-negative tech scholar

Tshering Tobgay, former Prime Minister of Bhutan


With them, a number of artists will also join us at TEDSummit, including:

Djazia Satour, singer

ELEW, pianist and DJ

KT Tunstall, singer and songwriter

Min Kym, virtuoso violinist

Radio Science Orchestra, space-music orchestra

Yilian Cañizares, singer and songwriter


Registration for TEDSummit is open for active members of our various communities: TED conference members, Fellows, past TED speakers, TEDx organizers, Educators, Partners, Translators and more. If you’re part of one of these communities and would like to attend, please visit the TEDSummit website.

TED7 things you can do in Edinburgh and nowhere else

Edinburgh, Scotland will host TEDSummit this summer, from July 21-25. The city was selected because of its special blend of history, culture and beauty, and for its significance to the TED community (TEDGlobal 2011, 2012 and 2013 were all held there). We asked longtime TEDster Ellen Maloney to share some of her favorite activities that showcase Edinburgh’s unique flavor.


Edinburgh is full of sights, from the Castle that dominates the skyline to Arthur’s Seat, an extinct volcano with hiking trails offering panoramic views of the city. Having lived here for most of my adult life, I am still discovering captivating and quirky places to explore. You probably won’t find the sites listed below on the typical “top things to do in Edinburgh” rundowns, but I recommend them to people coming for the upcoming TEDSummit 2019 who love the idea of experiencing this lovely city through a different lens.

St. Cecilia’s Hall and Music Museum

Originally built in 1762 by the University of Edinburgh’s Music Society, this was Scotland’s first venue intentionally built to be a concert hall. Its Music Museum has an impressive collection of musical instruments from around the globe, and it’s claimed to be the only place in the world where you can listen to 18th-century instruments played in an 18th-century setting — some of its ancient harpsichords are indeed playable. Learn how keyboards were once status symbols, and how technology has changed the devices that humans use to make sounds. The museum is open to the public, and the hall regularly hosts concerts and other events.

Innocent Railway Tunnel

This 19th-century former railway tunnel runs beneath the city for 1,696 feet (about 520 meters). One of the first railway tunnels in the United Kingdom and part of the first public railway tunnel in Scotland, it was in use from 1831 until 1968. Today it’s open to walkers and cyclists and connects to a lovely outdoor cycleway. The origin of its name is a mystery, but one theory is that it alludes to the fact that no fatal accidents occurred during its construction. Visitors, however, will find that walking through the tunnel doesn’t feel quite so benign — it’s cold and the wind whistles through.

The Library of Mistakes

This free library is dedicated to one subject and one subject only: the human behavior and historical patterns that led to world-shaking financial mistakes. It contains research materials, photos and relics that tell the stories of the bad decisions that shaped our world. Yes, you can read about well-known wrongdoers such as Charles Ponzi, but there are plenty of lesser-known schemes and people to discover. For instance, you can learn about the story behind the line “bought and sold for English gold” from the poem by Scotsman Robert Burns. While the library is free and open to the public, viewing is strictly by appointment, so you’ll need to book ahead.

Blair Street Vaults

Just off the Royal Mile is Blair Street, which leads to an underground world of 19 cavernous vaults. These lie beneath the bridge that was built in 1788 to connect the Southside of the city with the university area. The archways were once home to a bustling marketplace of cobblers, milliners and other vendors. But it was taken over by less salubrious forces. Its darkness made it an attractive place for anyone who didn’t want to be seen, including thieves and 19th-century murderers William Burke and William Hare, who hid corpses there; there was a convenient opening that led directly to the medical school where they sold the bodies for dissection. Sometime in the 19th century, the vaults were declared too dangerous for use and the entryway was bricked up. Today they can be visited by tour. Be warned: paranormal activity has been reported there.

Sanctuary Stones and Holyrood Abbey

At the foot of the Royal Mile lies Abbey Strand, which leads down to the gates of Holyrood Palace (the Queen’s primary royal residence in Scotland). Look carefully on the road at Abbey Strand, and you will see three stones marked with a golden “S” on them. These stones mark part of what used to be a five-mile radius known as Abbey Sanctuary, where criminals could seek refuge from civil law under the auspices of Holyrood Abbey. In the 16th century, when land came under royal control, sanctuary was reserved for financial debtors. In 1880, a change in law meant debtors could no longer be jailed, so the sanctuary was no longer needed. As you walk the Royal Mile, be sure to appreciate these remnants of Scotland’s history. The Abbey, now a scenic ruin, can be accessed through Holyrood Palace.

White Stuff fitting rooms

This may look like an ordinary store — and yes, you can purchase clothes, home goods and gifts here —  until you head upstairs to the 10 fitting rooms. Open the door to your cubicle and instead of the usual unflattering mirror and bad lighting, you’ll find individually themed rooms. From a 1940s kitchen pantry stocked with cans of gravy and marrowfat peas to a room filled with cuddly toys, these are fitting rooms that you’ll actually want to spend time in (there is room for you to try on clothes). Most of the rooms were designed by AMD Interior Architects, but a few were winning designs from a school competition. The crafty should take a break in the “meet and make” area where they can enjoy arts and crafts while sipping tea from vintage teacups.

Jupiter Artland

Just 10 miles outside of Edinburgh, Jupiter Artland is a sculpture park set among hundreds of acres of gardens and woodlands. It’s located on the grounds of Bonnington House, a 17th-century Jacobean Manor house. While visitors are provided with a map of different artworks, there is no set route to follow. Turn left, turn right, go backwards, go forwards. Look out for the peacocks and geese. Be amazed, be delighted, be stunned. A visit to Jupiter Artland is a mini-adventure in itself.

TEDSummit is a celebration of the different communities and people that make up TED and help spread its world-changing ideas. Learn more about TEDSummit 2019. And to find even more to do in Edinburgh and Scotland, visit Scotland.org.



CryptogramFriday Squid Blogging: Squid Mural

Large squid mural in the Bushwick neighborhood of Brooklyn.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Krebs on SecurityQuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack

Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident.

A message from iNSYNQ to customers.

Gig Harbor, Wash.-based iNSYNQ specializes in providing cloud-based QuickBooks accounting software and services. In a statement posted to its status page, iNSYNQ said it experienced a ransomware attack on July 16, and took its network offline in a bid to contain the spread of the malware.

“The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.”

iNSYNQ said it has engaged outside cybersecurity assistance to help determine whether any customer data was accessed without authorization, but that so far it has no estimate for when those files might be available again to customers.

Meanwhile, iNSYNQ’s customers — many of them accountants who manage financial data for a number of their own clients — have taken to Twitter to vent their frustration over a lack of updates since that initial message to users.

In response, the company appears to have simply deleted or deactivated its Twitter account (a cached copy from June 2019 is available here). Several customers venting about the outage on Twitter also accused the company of unpublishing negative comments about the incident from its Facebook page.

Some of those customers also said iNSYNQ initially blamed the outage on an alleged problem with U.S.-based nationwide cable ISP giant Comcast. Meanwhile, competing cloud hosting providers have been piling on to the tweetstorms about the iNSYNQ outage by marketing their own services, claiming they would never subject their customers to a three-day outage.

iNSYNQ has not yet responded to requests for comment.

Update, 4:35 p.m. ET: I just heard from iNSYNQ’s CEO Elliot Luchansky, who shared the following:

While we have continually updated our website and have emailed customers once if not twice daily during this malware attack, I acknowledge we’ve had to keep the detail fairly minimal.

Unfortunately, and as I’m sure you’re familiar with, the lack of detailed information we’ve shared has been purposeful and in an effort to protect our customers and their data. We’re in a behind-the-scenes trench warfare doing everything we possibly can to secure and restore our system and customer data and backups. I understand why our customers are frustrated, and we want more than anything to share every piece of information that we have.

Our customers and their businesses are our number one priority right now. Our team is working around the clock to secure and restore access to all impacted data, and we believe we have an end in sight in the near future.

You know as well as we that no one is 100% impervious to this – businesses large and small, governments and individuals are susceptible. iNSYNQ and our customers were the victims of a malware attack that’s a totally new variant that hadn’t been detected before, confirmed by the experienced and knowledgeable cybersecurity team we’ve employed.

Original story: There is no question that a ransomware infestation at any business — let alone a cloud data provider — can quickly turn into an all-hands-on-deck, hair-on-fire emergency that diverts all attention to fixing the problem as soon as possible.

But that is no excuse for leaving customers in the dark, and for not providing frequent and transparent updates about what the victim organization is doing to remediate the matter. Particularly when the cloud provider in question posts constantly to its blog about how companies can minimize their risk from such incidents by trusting it with their data.

Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-service offerings, as these businesses are completely unable to serve their customers while a ransomware infestation is active.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.

In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual. It’s not hard to see why: Having customer data ransomed or stolen can send many customers scrambling to find new providers. As a result, the temptation to simply pay up may become stronger with each passing day.

That’s exactly what happened in February, when cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

KrebsOnSecurity will endeavor to update this story as more details become available. Any iNSYNQ customer affected by the outage is welcome to contact this author via Twitter (my direct messages are open to all) or at krebsonsecurity @ gmail.com.

Cory DoctorowAppearance on the Jim Rutt Podcast

Jim Rutt — former chairman of the Santa Fe Institute and ex-Network Solutions CEO — just launched his new podcast, and included me in the first season! (MP3) It was a characteristically wide-ranging, interdisciplinary kind of interview, covering competition and adversarial interoperability, technological self-determination and human rights, conspiracy theories and corruption. There’s a full transcript here.

CryptogramJohn Paul Stevens Was a Cryptographer

I didn't know that Supreme Court Justice John Paul Stevens "was also a cryptographer for the Navy during World War II." He was a proponent of individual privacy.

Worse Than FailureError'd: The Parameter was NOT Set

"Spotted this in front of a retro-looking record player in an Italian tech shop. I don't think anybody had any idea how to categorize it so they just left it up to the system," Marco D. writes.


George C. wrote, "Never thought it would come to this, but it looks like LinkedIn can't keep up with all of my connections!"


"Apparently opening a particular SharePoint link using anything else other than Internet Explorer made Excel absolutely lose its mind," wrote Arno P.


Dima R. writes, "OH! My bad, Edge, I only tried to access a file:// URL while I was offline."


"This display at the Vancouver airport doesn't have a lot of fans," Bruce R. wrote.


"Woo hoo! This is what I'm talking about! A septillion percentage gain!!" John G. writes.




Sociological ImagesCrowding Out Crime

Buzzfeed News recently ran a story about reputation management companies using fake online personas to help their clients cover up convictions for fraud. These firms buy up domains and create personal websites for a crowd of fake professionals (stock photo headshots and all) who share the same name as the client. The idea is that search results for the client’s name will return these websites instead, hiding any news about white collar crime.

In a sea of profiles with the same name, how do you vet a new hire? Image source: anon617, Flickr CC

This is a fascinating response to a big trend in criminal justice where private companies are hosting mugshots, criminal histories, and other personal information online. Sociologist Sarah Lageson studies these sites, and her research shows that these databases are often unregulated, inaccurate, and hard to correct. The result is more inequality as people struggle to fix their digital history and often have to pay private firms to clean up these records. This makes it harder to get a job, or even just to move into a new neighborhood.

The Buzzfeed story shows how this pattern flips for wealthy clients, whose money goes toward making information about their past difficult to find and difficult to trust. Beyond the criminal justice world, this is an important point about the sociology of deception and “fake news.” The goal is not necessarily to fool people with outright deception, but to create just enough uncertainty so that it isn’t worth the effort to figure out whether the information you have is correct. The time and money that come with social class make it easier to navigate uncertainty, and we need to talk about how those class inequalities can also create a motive to keep things complicated in public policy, the legal system, and other large bureaucracies.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston (Fall, 2019). You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

CryptogramIdentity Theft on the Job Market

Identity theft is getting more subtle: "My job application was withdrawn by someone pretending to be me":

When Mr Fearn applied for a job at the company he didn't hear back.

He said the recruitment team said they'd get back to him by Friday, but they never did.

At first, he assumed he was unsuccessful, but after emailing his contact there, it turned out someone had created a Gmail account in his name and asked the company to withdraw his application.

Mr Fearn said the talent assistant told him they were confused because he had apparently emailed them to withdraw his application on Wednesday.

"They forwarded the email, which was sent from an account using my name."

He said he felt "really shocked and violated" to find out that someone had created an email account in his name just to tarnish his chances of getting a role.

This is about as low-tech as it gets. It's trivially simple for me to open a new Gmail account using a random first and last name. But because people innately trust email, it works.

Worse Than FailureThe Hardware Virus


Jen was a few weeks into her new helpdesk job. Unlike past jobs, she started getting her own support tickets quickly—but a more veteran employee, Stanley, had been tasked with showing her the ropes. He also got notification of Jen's tickets, and they worked on them together. A new ticket had just come in, asking for someone to replace the DVI cable that'd gone missing from Conference Room 3. Such cables were the means by which coworkers connected their laptops to projectors for presentations.

Easy enough. Jen left her cube to head for the hardware "closet"—really, more of a room crammed full of cables, peripherals, and computer parts. On a dusty shelf in a remote corner, she spotted what she was looking for. The coiled cable was a bit grimy with age, but looked serviceable. She picked it up and headed to Stanley's cube, leaning against the threshold when she got there.

"That ticket that just came in? I found the cable they want. I'll go walk it down." Jen held it up and waggled it.

Stanley was seated, facing away from her at first. He swiveled to face her, eyed the cable, then went pale. "Where did you find that?"

"In the closet. What, is it—?"

"I thought they'd been purged." Stanley beckoned her forward. "Get in here!"

Jen inched deeper into the cube. As soon as he could reach it, Stanley snatched the cable out of her hand, threw it into the trash can sitting on the floor beside him, and dumped out his full mug of coffee on it for good measure.

"What the hell are you doing?" Jen blurted.

Stanley looked up at her desperately. "Have you used it already?"

"Uh, no?"

"Thank the gods!" He collapsed back in his swivel chair with relief, then feebly kicked at the trash can. The contents sloshed around inside, but the bin remained upright.

"What's this about?" Jen demanded. "What's wrong with the cable?"

Under the harsh office lighting, Stanley seemed to have aged thirty years. He motioned for Jen to take the empty chair across from his. Once she'd sat down, he continued nervously and quietly. "I don't know if you'll believe me. The powers-that-be would be angry if word were to spread. But, you've seen it. You very nearly fell victim to it. I must relate the tale, no matter how vile."

Jen frowned. "Of what?"

Stanley hesitated. "I need more coffee."

He picked up his mug and walked out, literally leaving Jen at the edge of her seat. She managed to sit back, but her mind was restless, wondering just what had her mentor so upset.

Eventually, Stanley returned with a fresh mug of coffee. Once he'd returned to his chair, he placed the mug on his desk and seemed to forget all about it. With clear reluctance, he focused on Jen. "I don't know where to start. The beginning, I suppose. It fell upon us from out of nowhere. Some say it's the spawn of a Sales meeting; others blame a code review gone horribly wrong. In the end, it matters little. It came alive and spread like fire, leaving destruction and chaos in its wake."

Jen's heart thumped with apprehension. "What? What came alive?"

Stanley's voice dropped to a whisper. "The hardware virus."

"Hardware virus?" Jen repeated, eyes wide.

Stanley glared. "You're going to tell me there's no such thing, but I tell you, I've seen it! The DVI cables ..."

He trailed off helplessly, reclining in his chair. When he straightened and resumed, his demeanor was calmer, but weary.

"At some godforsaken point in space and time, a single pin on one of our DVI cables was irrevocably bent. This was the source of the contagion," he explained. "Whenever the cable was plugged into a laptop, it cracked the plastic composing the laptop's DVI port, contorting it in a way that resisted all mortal attempt at repair. Any time another DVI cable was plugged into that laptop, its pin was bent in just the same way as with the original cable.

"That was how it spread. Cable infected laptop, laptop infected cable, all with vicious speed. There was no hope for the infected. We ... we were forced to round up and replace every single victim. I was knee-deep in the carnage, Jen. I see it in my nightmares. The waste, the despair, the endless reimaging!"

Stanley buried his head in his hands. It was a while before he raised his haunted gaze again. "I don't know how long it took, but it ran its course; the support tickets stopped coming in. Our superiors consider the matter resolved ... but I've never been able to let my guard down." He glanced warily at the trash can, then made eye contact with Jen. "Take no chances with any DVI cables you find within this building. Buy your own, and keep them with you at all times. If you see any more of those—" he pointed an accusing finger at the bin "—don't go near them, don't try taking a paperclip to them. There's everything to lose, and nothing to gain. Do you understand?"

Unable to manage words, Jen nodded instead.

"Good." The haunted expression vanished in favor of grim determination. Stanley stood, then rummaged through a desk drawer loaded with office supplies. He handed Jen a pair of scissors, and armed himself with a brassy letter opener.

"Our job now is to track down the missing cable that resulted in your support ticket," he continued. "If we're lucky, someone's absent-mindedly walked off with it. If we're not, we may find that this is step one in the virus' plan to re-invade. Off we go!"

Jen's mind reeled, but she sprang to her feet and followed Stanley out of the cubicle, telling herself to be ready for anything.



Krebs on Security: Party Like a Russian, Carder’s Edition

“It takes a certain kind of man with a certain reputation
To alleviate the cash from a whole entire nation…”

KrebsOnSecurity has seen some creative yet truly bizarre ads for dodgy services in the cybercrime underground, but the following animated advertisement for a popular credit card fraud shop likely takes the cake.

The name of this particular card shop won’t be mentioned here, and its various domain names featured in the video have been pixelated so as not to further promote the online store in question.

But points for knowing your customers, and understanding how to push emotional buttons among a clientele that mostly views America’s financial system as one giant ATM that never seems to run out of cash.

WARNING: Some viewers may find this video disturbing. Also, it is almost certainly Not Safe for Work.

The above commercial is vaguely reminiscent of the slick ads produced for and promoted by convicted Ukrainian credit card fraudster Vladislav “BadB” Horohorin, who was sentenced in 2013 to serve 88 months in prison for his role in the theft of more than $9 million from RBS Worldpay, an Atlanta-based credit card processor. (In February 2017, Horohorin was released and deported from the United States. He now works as a private cybersecurity consultant).

The clip above is loosely based on the 2016 music video, “Party Like a Russian,” produced by British singer-songwriter Robbie Williams.

Tip of the hat to Alex Holden of Hold Security for finding and sharing this video.

TED: Apply to be a TED2020 Fellow

Since launching the TED Fellows program ten years ago, we’ve gotten to know and support some of the brightest, most ambitious thinkers, change-makers and culture-shakers from nearly every discipline and corner of the world. The numbers speak for themselves:

  • 472 Fellows covering a vast array of disciplines, from astrophysics to the arts
  • 96 countries represented
  • More than 1.3 million views per TED Talk given by Fellows (on average)
  • At least 90 new businesses and 46 nonprofits fostered within the program

Whether it’s discovering new galaxies, leading social movements or making waves in environmental conservation, with the support of TED, our Fellows are dedicated to making the world a better place through their innovative work. And you could be one of them.

Apply now to be a TED Fellow by August 27, 2019.

What’s in it for you?

  • The opportunity to give a talk on the TED mainstage
  • Career coaching and speaker training
  • Mentorship, professional development and public relations guidance
  • The opportunity to be part of a diverse, collaborative community of more than 450 thought leaders
  • Participation in the global TED2020 conference in Vancouver, BC

What are the requirements?

  • An idea worth spreading!
  • A completed online application consisting of general biographical information, short essays on your work and three references (It’s short, fun, and it’ll make you think…)
  • You must be at least 18 years old to apply.
  • You must be fluent in English.
  • You must be available to be in Vancouver, BC from April 17 to April 25, 2020.

What do you have to lose?

The deadline to apply is August 27, 2019 at 11:59pm UTC. To learn more about the TED Fellows program and apply, head here. Don’t wait until the last minute! We do not accept late applications. Really.

Worse Than Failure: Announcements: Meetup in Kansas City: Dinner and a Pint after KCDC

The Kansas City Developer Conference is this week, followed by PubConf. Between these two events on Friday evening is plenty of time for a TDWTF dinner, and that's exactly what we're planning!

If you find yourself in Kansas City, Missouri this Friday, for KCDC, PubConf, or perhaps because you live here, please come out to the Dubliner at 5:30 PM for dinner and a pint. I'll be there along with Martine Dowden and some TDWTF swag to give away. We'll talk software, discuss what we took away from the conference, and can head over to PubConf together.

If you would like to join us at 5:30 PM CT on Friday, July 19 please contact me at @mrdowden (Twitter) or drop me an email: Michael (at) Andromeda16.com


Worse Than Failure: CodeSOD: Nothing Direct About directAddCartEntry

It’s old hat, but every function, every class, every code unit you write should each have a single, well-defined purpose. “Do one thing, and do it well,” as it were.

Of course, sometimes it’s easier said than done, and mindlessly following that advice can lead to premature abstraction, and then you’ll have quite a mess on your hands. Still, it’s good advice and a great design goal, even if you don’t head straight there.

Marigold found some code which, well, has a long way to go. A looooooong way to go.

directAddCartEntry = function (matnr, menge,updateByField,m,redu){
 
    var that=this;
    var produkt=new Object;
    var target = document.getElementById('content');
    spinner.spin(target);
   
    if (produkt.BACK_PREIS!=undefined && produkt.BACK_PREIS!=""){
        produkt.PREIS = produkt.BACK_PREIS  
    }  
    var Kundennummer = app.getModel("userData").getData().KUNDENNR;
    var Land  = app.getModel("userData").getData().LAND;       
    var Euland = app.getModel("userData").getData().ISTEULAND;
    var Kundennummer_u_Euland = Kundennummer+"|"+Euland+"|"+Land;
    var verpackungseinheit = "";
    sap.ui.getCore().byId("app").getModel("kategorie").read("/PRODUKT_SET(MATNR='"+matnr+"',VKORG='"+VKORG+"',SPRAS='de',KAMPAGNE='"+Kundennummer_u_Euland+"',VTWEG='10')?$expand=MERKMAL",null,null,false,function(oData,response){
        produkt=oData;     
        var mindestbestellmenge = produkt.BOMRABATT;
        verpackungseinheit =  produkt.VERPACKUNGSEINHEIT
        if (mindestbestellmenge!="0.000 "&& mindestbestellmenge!=""  &&  mindestbestellmenge != undefined){        
            mindestbestellmenge=mindestbestellmenge.split(".")[0]
            var mindestbestellmenge = parseInt(mindestbestellmenge);
            produkt.BOMRABATT=mindestbestellmenge          
            if (menge != mindestbestellmenge && vielfacher(menge,mindestbestellmenge)==false && redu!=true){
                var dialog = new sap.m.Dialog({
                    showHeader: false,
                    content: [
                        new sap.ui.layout.HorizontalLayout({
                            content: [
                                new sap.m.Image({
                                    src: "Image/helia_small.png",
                                }),
                                new sap.m.Text({
                                    //text: sap.ui.getCore().byId("app").getModel("i18n").getProperty("dialogUsersonlyFooter")
                                }).addStyleClass('dialog__usersonlySmall'),
                            ]
                        }).addStyleClass('dialog__usersonlyHeader'),
                   
                        new sap.ui.layout.Grid({
                            hSpacing: 1,
                            vSpacing: 1,
                            layoutData: new sap.ui.layout.GridData({
                                span: "L12 M12 S12",
                            }),
                            content: [
                                new sap.ui.core.HTML({ 
                                    layoutData: new sap.ui.layout.GridData({
                                        span: "L12 M12 S12",
                                    }),
                                    content: verpackungseinheit=="ZS" ? sap.ui.getCore().byId("navContainer").getModel("i18n").getProperty("infozigarette") : sap.ui.getCore().byId("navContainer").getModel("i18n").getResourceBundle().getText("infonormal", produkt.BOMRABATT)
                                }).addStyleClass("dialog__usersonlyTitle"),
                               
                                new sap.m.Select("dialogSelect",{
                                    layoutData: new sap.ui.layout.GridData({
                                        span: "L2 M2 S2",
                                    }),
//                                  items: productListItems2("zweier","","","")
                                    items: productListItems4(null,null,produkt.MAXMENGE,produkt.BOMRABATT)
                                })/*.attachBrowserEvent(
                    "click",function(evt){
                      var _numProductsSelected = parseInt( this.getSelectedKey() );
                      var _i  = +_numProductsSelected;
                      var plus=+_i;
                      this.destroyItems();
                      for (_i;_i<=999;_i=_i+plus){
                        // XXX
                        this.addItem(new sap.ui.core.ListItem({ text: _i,  key: _i }))                                  
                      }
                      this.setSelectedKey( _numProductsSelected );
                    }
                ).attachBrowserEvent(
                    "tap",function(evt){
                      var _numProductsSelected = parseInt( this.getSelectedKey() );
                      var _i  = +_numProductsSelected;
                      var plus=+_i;
                      this.destroyItems();
                      for (_i;_i<=999;_i=_i+plus){
                        // XXX
                        this.addItem(new sap.ui.core.ListItem({ text: _i,  key: _i }))                                  
                      }
                      this.setSelectedKey( _numProductsSelected );
                    }
                )*/,
                                new sap.m.Button({
                                    text: "OK",
                                    press: function(oEvent) {
                                        var new_menge=sap.ui.getCore().byId("dialogSelect").getSelectedItem().mProperties.text
                                        dialog.destroy();
                                        directAddCartEntry  (matnr, new_menge,updateByField,m)
                                        simulateOrder()
                                        directController.setPreiseundRabatte();                        
                                    },
                                    layoutData: new sap.ui.layout.GridData({
                                        span: "L1 M1 S1",
                                    })
                                }),                        
                               
                                new sap.m.Button({
                                    text: app.getModel("i18n").getProperty("pwdabort"),
                                    press: function() {
                                        dialog.destroy();
                                    },
                                    layoutData: new sap.ui.layout.GridData({
                                        span: "L2 M2 S2",
                                    })
                                }),
                            ]
                        }),
                        //.addStyleClass('dialog__usersonlyChoice'),
 
                   
                       
                    ]
                }).addStyleClass('dialog__usersonlyChoice');
                dialog.open()
                spinner.stop();
                return;
               
            }
            else{
              if (istmindestmenge (oData,"","call")==true && redu!=true){
//              var menge2=menge/2 
                var menge2=menge/oData.BOMRABATT;
                directAddCartEntry (matnr, menge2,updateByField,m,true)
                return
               
              }
              else{
                produkt.MENGE = menge;
              }
             
            }          
           
        }else{
          if (istmindestmenge (oData,"","call")==true && redu!=true){
//          var menge2=menge/2  
            menge/oData.BOMRABATT;
        directAddCartEntry (matnr, menge2,updateByField,m,true)
            return
      }
      else{
        produkt.MENGE = menge;
      }
        }          
        var Preis;
        var model = m;
        var data = model.getData();
        var POSITIONEN = data.WK_POSITIONEN;
        var POSITION = null;
        var POSITIONIndex = -1;
        if (produkt.BACK_PREIS!=undefined && produkt.BACK_PREIS!=""){
            produkt.PREIS = produkt.BACK_PREIS  
        }
        //Position suchen
        for (var zxy = 0 ; zxy < POSITIONEN.length ; zxy ++) {
            if (POSITIONEN[zxy].MATNR === produkt.MATNR) {
                POSITION = POSITIONEN[zxy];
                POSITIONIndex = zxy;
                break;
            }
        }
        //Wenn Position nicht gefunden, neu hinzufügen...
        if (POSITION === null) {
            produkt.PAKETPREIS = produkt.PREIS;
            produkt.SPARPREIS = 0;
           
            //Aktionsstaffelpreise und Staffelpreise berücksichtigen
             var Preis = parseFloat(produkt.PREIS).toFixed(2);
 
             if (produkt.STAFFELPREIS3!=""){
                if( (parseFloat(produkt.MENGE) >= parseFloat(produkt.STAFFELPREIS6)) && ( parseFloat(produkt.STAFFELPREIS3) < parseFloat(produkt.PREIS) ) ) {
                    produkt.PAKETPREIS  = produkt.STAFFELPREIS3;
                    produkt.SPARPREIS = ( parseFloat(produkt.PREIS) - parseFloat(produkt.STAFFELPREIS3));
                    var Preis = produkt.STAFFELPREIS3
                }
            }
            if (produkt.AKTIONSPREIS3!=""){
                if( (parseFloat(produkt.MENGE) >= parseFloat(produkt.AKTIONSPREIS6)) && ( parseFloat(produkt.AKTIONSPREIS3) < parseFloat(produkt.PREIS) ) ) {
                    produkt.PAKETPREIS  = produkt.AKTIONSPREIS3;
                    produkt.SPARPREIS = ( parseFloat(produkt.PREIS) - parseFloat(produkt.AKTIONSPREIS3));
                    var Preis = produkt.AKTIONSPREIS3
                }              
            }
            if (parseFloat(produkt.AKTIONSPREIS)< parseFloat(produkt.PREIS) && produkt.AKTIONSPREIS!=""){
                 var Preis = parseFloat(produkt.AKTIONSPREIS).toFixed(2);              
            }           // Vergleich Staffelpreis zu Aktionspreis, VRU 21.06.2016
            if ( (parseFloat(produkt.MENGE) >= parseFloat(produkt.AKTIONSPREIS6)) && (parseFloat(produkt.AKTIONSPREIS3)<parseFloat(produkt.STAFFELPREIS3)) && produkt.AKTIONSPREIS3!=""){
                var Preis = parseFloat(produkt.AKTIONSPREIS3).toFixed(2);  
            }
           
//          if( (produkt.MENGE >= 6) && ( parseFloat(produkt.AKTIONSPREIS6) < parseFloat(produkt.PREIS) ) ) {
//              produkt.PAKETPREIS  = produkt.AKTIONSPREIS6;
//              produkt.SPARPREIS = ( parseFloat(produkt.PREIS) - parseFloat(produkt.AKTIONSPREIS6));
//          }
//          if( (produkt.MENGE >= 12) && ( parseFloat(produkt.AKTIONSPREIS12) < parseFloat(produkt.PREIS) ) ) {
//              produkt.PAKETPREIS  = produkt.AKTIONSPREIS12;
//              produkt.SPARPREIS = ( parseFloat(produkt.PREIS) - parseFloat(produkt.AKTIONSPREIS12));
//          }
            produkt.GESAMTPREIS = parseFloat(Preis * menge).toFixed(2);
//          produkt.GESAMTPREIS = parseFloat(produkt.PAKETPREIS * produkt.MENGE).toFixed(2);
            produkt.GESAMTSPARPREIS = produkt.SPARPREIS * produkt.MENGE;
       
            produkt.MENGE=parseInt(produkt.MENGE);
          if (redu==true){
//        produkt.MENGE=produkt.MENGE*2
        produkt.MENGE=produkt.MENGE*produkt.BOMRABATT
      }
            // create new entry
            POSITION = {
                    MATNR:produkt.MATNR,
                    MAKTX:produkt.MAKTX,
                    MENGE:produkt.MENGE,
                    MAXMENGE:produkt.MAXMENGE,
                    KATTEXTKURZ:produkt.KATTEXTKURZ,
                    IMG_BIG:produkt.IMG_BIG.replace(locStatic,""),
                    IMG_THUMB:produkt.IMG_THUMB.replace(locStatic,""),
                    BACK_PREIS: produkt.PREIS,
                    PREIS:Preis,
                    GESAMTPREIS:parseFloat(produkt.GESAMTPREIS).toFixed(2),
                    STAFFELPREIS:produkt.STAFFELPREIS,
                    AKTIONSPREIS:produkt.AKTIONSPREIS,
                    WAEHRUNG:produkt.WAEHRUNG,
                    PAKETPREIS:produkt.PAKETPREIS,
                    SPARPREIS:produkt.SPARPREIS,
                    GESAMTSPARPREIS:produkt.GESAMTSPARPREIS,
                    AKTIONSPREIS3 : produkt.AKTIONSPREIS3,
                    AKTIONSPREIS6 : produkt.AKTIONSPREIS6,     
                    STAFFELPREIS3 : produkt.STAFFELPREIS3,
                    STAFFELPREIS6 : produkt.STAFFELPREIS6,
                    BOMRABATT: produkt.BOMRABATT,
                    VERPACKUNGSEINHEIT:produkt.VERPACKUNGSEINHEIT
            };
            data.WK_POSITIONEN[data.WK_POSITIONEN.length] = POSITION;
        } else {
        //...Ansonsten Menge aendern
            if(updateByField){
                POSITION.MENGE=parseInt(POSITION.MENGE) + parseInt(produkt.MENGE)
                if (redu!=undefined && redu ==true){
                  POSITION.MENGE = POSITION.MENGE/2 + parseInt(produkt.MENGE)/2  
                }
                var Preis = parseFloat(produkt.PREIS).toFixed(2);              
                if (produkt.STAFFELPREIS3!=""){                    
                    if( (parseFloat(POSITION.MENGE) >= parseFloat(produkt.STAFFELPREIS6)) && ( parseFloat(produkt.STAFFELPREIS3) < parseFloat(produkt.PREIS) ) ) {
                        POSITION.PAKETPREIS = produkt.STAFFELPREIS3;
                        POSITION.SPARPREIS = ( parseFloat(produkt.PREIS) - parseFloat(produkt.STAFFELPREIS3));
                        var Preis = produkt.STAFFELPREIS3
                    }
                }
                if (produkt.AKTIONSPREIS3!=""){                
                    if( (parseFloat(POSITION.MENGE) >= parseFloat(produkt.AKTIONSPREIS6)) && ( parseFloat(produkt.AKTIONSPREIS3) < parseFloat(produkt.PREIS) ) ) {
                        POSITION.PAKETPREIS = produkt.AKTIONSPREIS3;
                        POSITION.SPARPREIS = ( parseFloat(produkt.PREIS) - parseFloat(produkt.AKTIONSPREIS3));
                        var Preis = produkt.AKTIONSPREIS3
                    }              
                }
                if (parseFloat(produkt.AKTIONSPREIS)< parseFloat(produkt.PREIS) && produkt.AKTIONSPREIS!=""){
                     var Preis = parseFloat(produkt.AKTIONSPREIS).toFixed(2);              
                }
                // Vergleich Staffelpreis zu Aktionspreis, VRU 21.06.2016
                if ( (parseFloat(POSITION.MENGE) >= parseFloat(produkt.AKTIONSPREIS6)) && (parseFloat(produkt.AKTIONSPREIS3)<parseFloat(produkt.STAFFELPREIS3)) && produkt.AKTIONSPREIS3!=""){
                    var Preis = parseFloat(produkt.AKTIONSPREIS3).toFixed(2);  
                }
                POSITION.AKTIONSPREIS3 = produkt.AKTIONSPREIS3
                POSITION.AKTIONSPREIS6 = produkt.AKTIONSPREIS6     
                POSITION.STAFFELPREIS3 = produkt.STAFFELPREIS3
                POSITION.STAFFELPREIS6 = produkt.STAFFELPREIS6             
                POSITION.BACK_PREIS= produkt.PREIS,            
                POSITION.PREIS = parseFloat(Preis).toFixed(2);
                POSITION.AKTIONSPREIS6 = produkt.AKTIONSPREIS6;
                POSITION.AKTIONSPREIS12 = produkt.AKTIONSPREIS12;
                POSITION.PAKETPREIS = POSITION.PREIS;
                POSITION.SPARPREIS = 0;
//              if( (POSITION.MENGE >= 6) && ( parseFloat(POSITION.AKTIONSPREIS6) < parseFloat(POSITION.PREIS) ) ) {
//                  POSITION.PAKETPREIS = POSITION.AKTIONSPREIS6;  
//                  POSITION.SPARPREIS = ( parseFloat(POSITION.PREIS) - parseFloat(POSITION.AKTIONSPREIS6));
//              }
//              if( (POSITION.MENGE >= 12) && ( parseFloat(POSITION.AKTIONSPREIS12) < parseFloat(POSITION.PREIS) ) ) {
//                  POSITION.PAKETPREIS = POSITION.AKTIONSPREIS12; 
//                  POSITION.SPARPREIS = ( parseFloat(POSITION.PREIS) - parseFloat(POSITION.AKTIONSPREIS12));
//              }
                POSITION.GESAMTPREIS = parseFloat(POSITION.MENGE*POSITION.PAKETPREIS).toFixed(2);
                POSITION.GESAMTSPARPREIS = POSITION.MENGE*POSITION.SPARPREIS;
                POSITION.STAFFELPREIS = produkt.STAFFELPREIS;
                POSITION.AKTIONSPREIS = produkt.AKTIONSPREIS;
                POSITION.WAEHRUNG = produkt.WAEHRUNG;
                if (redu!=undefined && redu ==true){
//          POSITION.MENGE = POSITION.MENGE*2  
          POSITION.MENGE = POSITION.MENGE*POSITION.BOMRABATT
        }
               
            }else{
            }
            POSITION.AKTIONSPREIS3 = produkt.AKTIONSPREIS3
            POSITION.AKTIONSPREIS6 = produkt.AKTIONSPREIS6     
            POSITION.STAFFELPREIS3 = produkt.STAFFELPREIS3
            POSITION.STAFFELPREIS6 = produkt.STAFFELPREIS6
            POSITION.BOMRABATT = produkt.BOMRABATT
           
            POSITION.BACK_PREIS= produkt.PREIS,
            POSITION.PREIS = Preis;
            POSITION.GESAMTPREIS= toFixed(POSITION.GESAMTPREIS,2);
            POSITION.GESAMTSPARPREIS= toFixed(POSITION.GESAMTSPARPREIS,2);
            POSITIONEN[POSITIONIndex] = POSITION;
            data.WK_POSITIONEN = POSITIONEN;
        }
        // Gesamtpreis neu berechnen
        data.GESAMTPREIS = 0;
        data.GESAMTMENGE = 0;
        data.ZWISCHENSUMME = 0;
        data.GESAMTSPARPREIS = 0;      
        for (var xxy = 0 ; xxy < data.WK_POSITIONEN.length ; xxy ++) {
            data.GESAMTPREIS += parseFloat(data.WK_POSITIONEN[xxy].GESAMTPREIS);
            if (istmindestmenge (data.WK_POSITIONEN[xxy],"","call")==true && redu==true){
              data.GESAMTMENGE += parseInt(data.WK_POSITIONEN[xxy].MENGE);
            }else{
               data.GESAMTMENGE += parseInt(data.WK_POSITIONEN[xxy].MENGE);
            }
            //hier Gesamtmenge wieder erhoehen
           
           
            data.ZWISCHENSUMME += parseFloat(data.WK_POSITIONEN[xxy].GESAMTPREIS);
            data.GESAMTSPARPREIS += parseFloat(data.WK_POSITIONEN[xxy].GESAMTSPARPREIS);           
        }
        data.GESAMTPREIS = parseFloat(data.GESAMTPREIS).toFixed(2)
        data.GESAMTSPARPREIS = parseFloat(data.GESAMTSPARPREIS).toFixed(2);
//      data.INTERNETRABATT = parseFloat(menge) + parseFloat(menge)
//      data.GESAMTPREIS= parseFloat(data.GESAMTPREIS).toFixed(2);
        data.ENDPREIS=parseFloat(data.GESAMTPREIS).toFixed(2) - parseFloat(data.INTERNETRABATT).toFixed(2);
        data.ZWISCHENSUMME= toFixed(data.ZWISCHENSUMME,2);
        data.GESAMTSPARPREIS= toFixed(data.GESAMTSPARPREIS,2);
        data.ERSATZLIEFERUNG = data.ERSATZLIEFERUNG;
        data.LIEFERART=data.LIEFERART;
        data.LIEFERDATUM = data.LIEFERDATUM;
        data.KUNDENNACHRICHT=data.KUNDENNACHRICHT;
//      if(parseFloat(oData.INTERNETRABATT)>0){
//          //sap.ui.getCore().byId("app").getModel("warenkorb").setProperty("/INTERNETRABATT",parseFloat(oData.INTERNETRABATT).toFixed(2));
//          sap.ui.getCore().byId("app").getModel("warenkorb").setProperty("/ENDPREIS",(parseFloat(sap.ui.getCore().byId("app").getModel("warenkorb").getProperty("/GESAMTPREIS")) - parseFloat(oData.INTERNETRABATT)).toFixed(2));
//      }
//      // Model updaten
        model.setData(data,"warenkorb");
       
        if($.cookie("cookieUser")!=undefined){
            setBackendWK(sap.ui.getCore().byId("app").getModel("kategorie"),sap.ui.getCore().byId("app").getModel("userData").oData.KUNDENNR);
        }else{
            setCookieCart(model);
        }
        if (redu==true){
//        menge=menge*2;
          menge=menge*produkt.BOMRABATT;
        }
        showToastMessage(menge,produkt.MAKTX,produkt.MERKMAL.results);
        //Speichern des Warenkorbes in einen Cookie
        simulateOrder();
        spinner.stop();
    },function(oError){
        spinner.stop();
        messageToast(app.getModel("i18n").getProperty("keineWare"));
    });
};

Marigold adds: “I have no words for this. Make something up. I don’t care.”

It isn’t about what this code does, as much as the sheer mass of it, the weight of 350+ lines of code in one gigantic method which seems to do everything, makes me want to do nothing but eat a box of “einen Cookies” in one sitting.
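As an added example (not from Marigold’s submission or the project it came from), here is the one decision the method above makes twice, once for a new cart position and once for an existing one, pulled out into a single pure function with a single job. Field names follow the page’s code; reading the *PREIS6 fields as quantity thresholds and the *PREIS3 fields as discounted unit prices is taken from how that code compares them and is an assumption, and the sample product is constructed.

```javascript
// Added example, not the submitted code: one pure function that owns the
// price-tier decision which directAddCartEntry repeats for new and existing
// cart positions. Field names follow the page's code; treating *PREIS6 as a
// quantity threshold and *PREIS3 as the discounted unit price mirrors how that
// code compares them and is an assumption about the backend's meaning.

// SAP-style numbers arrive as strings such as "12.500", "0.000 " or "".
// Normalise once here instead of sprinkling parseFloat/parseInt around.
function toNumber(value) {
  if (value === undefined || value === null) return NaN;
  const s = String(value).trim();
  if (s === "") return NaN; // Number("") would be 0, which is wrong for "no value"
  const n = Number(s);
  return Number.isFinite(n) ? n : NaN;
}

// Round to cents. Integer-cent arithmetic would be safer for real billing;
// this stays close to the page's toFixed(2) style.
function round2(x) {
  return Math.round(x * 100) / 100;
}

// Decide what one unit of `produkt` costs at quantity `menge`.
// Rules, taken from the page's code: a tier is offered only when its price
// field is non-empty, applies only when the quantity reaches its threshold,
// and is used only when it undercuts the price chosen so far. Unlike the
// original, the returned fields are always consistent with each other
// (the original can set PREIS from one tier and SPARPREIS from another).
function selectUnitPrice(produkt, menge) {
  const listPrice = toNumber(produkt.PREIS);
  const qty = toNumber(menge);
  if (!(listPrice >= 0) || !(qty > 0)) {
    throw new RangeError(`invalid list price ${produkt.PREIS} or quantity ${menge}`);
  }

  const tiers = [
    { source: "STAFFELPREIS3", price: toNumber(produkt.STAFFELPREIS3), minQty: toNumber(produkt.STAFFELPREIS6) },
    { source: "AKTIONSPREIS3", price: toNumber(produkt.AKTIONSPREIS3), minQty: toNumber(produkt.AKTIONSPREIS6) },
    { source: "AKTIONSPREIS",  price: toNumber(produkt.AKTIONSPREIS),  minQty: 0 }, // flat promo, no threshold
  ];

  let best = { source: "PREIS", price: listPrice };
  for (const tier of tiers) {
    if (Number.isNaN(tier.price) || Number.isNaN(tier.minQty)) continue; // tier not offered
    if (qty < tier.minQty) continue;                                     // threshold not met
    if (tier.price < best.price) best = tier;
  }

  const unit = round2(best.price);
  const saving = round2(listPrice - unit);
  return {
    source: best.source,
    PREIS: unit,
    SPARPREIS: saving,
    GESAMTPREIS: round2(unit * qty),
    GESAMTSPARPREIS: round2(saving * qty),
  };
}

// Constructed sample product in the backend's string format (not real data).
const SAMPLE_PRODUKT = {
  PREIS: "10.000",
  STAFFELPREIS3: "9.000",  STAFFELPREIS6: "6.000",   // 9.00 each from 6 units
  AKTIONSPREIS3: "8.500",  AKTIONSPREIS6: "12.000",  // 8.50 each from 12 units
  AKTIONSPREIS: "",                                   // no flat promo price
};

// Stand-alone demonstration: the same product at three quantities.
for (const menge of [3, 6, 12]) {
  console.log(menge, JSON.stringify(selectUnitPrice(SAMPLE_PRODUKT, menge)));
}
```

Both branches of the original (new position and quantity update) could call this once and copy the result into POSITION, which is what "do one thing" buys you: one place to test, one place to fix.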



Cryptogram: Zoom Vulnerability

The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer's camera.

It's a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.

Zoom didn't take the vulnerability seriously:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a 'quick fix' Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the 'quick fix' solution originally suggested.

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

Krebs on Security: Meet the World’s Biggest ‘Bulletproof’ Hoster

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows are a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

Image: Intel471

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS.

After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, which is a major Pacific port city in Russia that is close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements to a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster ….)

-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks)

There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from Cisco and cyber intelligence firm Intel 471 labeled Yalishanda as one of the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveals that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport.

That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishanda,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (that passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago.

His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States).

That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions — i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackers, Vladimir Drinkman and Alexandr Kalinin, in a cybercrime spree the government called the largest known data breach at the time.

According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite citizens, as the U.S. authorities have requested in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men that formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwaters said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks.

Prior to that takedown, Passwaters said, an individual using the nickname “Sosweet,” who was connected to another bulletproof hosting operation raided around the same time as Avalanche, somehow got a tip about an impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwaters said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses?

Here we come full circle to the academic report mentioned briefly at the top of this story: The answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not have permission yet to publish it.

The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers. The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

Worse Than FailureCodeSOD: Brütäl Glöbs

Noam and a few friends decided it was time for them to launch their own product. They were young, optimistic about their career, and had some opinions about the best way to handle some basic network monitoring and scanning tasks. So they iterated on the idea a few times, until one day the program just started hanging. At first, Noam thought it was just a hang, but after walking away from the machine for a few minutes in frustration, he discovered that it was just running really slow.

After a little investigation, he tracked down the problem to the function responsible for checking if an IP matched a filter. That filter could contain globs, which made things a bit tricky, but his partner had some ideas about how best to handle them.

import itertools

def ip_check(ip, rule):
    ret_value = False # Return Value
    if ip == rule['host']: # Compare against rule
        ret_value = True
    elif '*' in rule['host']: # Handle wildcards
        mask = rule['host'].split('.')
        length = mask.count('*') # Number of wildcard octets
        final = []
        # Materialize every permutation of 0..255 taken `length` at a time
        for subset in itertools.permutations(range(256), length):
            final.append(list(subset))
        for item in final:
            address = rule['host'].split('.')
            for index in range(length):
                address[address.index('*')] = str(item[index])
            address = '.'.join(address)
            if address == ip:
                ret_value = True
    return ret_value

This code takes a long way around.

We start with for subset in itertools.permutations(range(256), length):. itertools.permutations does exactly what you think- in this case, it creates every possible permutation of the numbers in the range 0–255, taken length at a time- where length is the number of wildcards. So, for example, 10.1.*.*, is a mere 65,280 entries. *.*.*.*, which is what Noam was doing when testing, is a lot more. 4,195,023,360 entries, to be exact.

Then we iterate across every possible combination to put them into the final list. The permutations method is smart: it lazily evaluates the permutations, calculating the next one when you need it. As you can see, Python does allow you to iterate across it. So we don’t need the final variable at all; we could have simply done for item in itertools.permutations(…) and that would have been fine. Well, not fine, none of this is fine.

So, we populate a list with every possible permutation, then we iterate across every permutation. We incorrectly slam the permuted values into the test string, and if that test string matches our IP, we set the ret_value to True. And then we keep looping. This block doesn’t even take the simplest optimization of simply quitting when it finds what it’s looking for.

Noam rewrote this function, replacing it with a much simpler 3-line function using built-in methods. Then Noam went on to have a long conversation with his team about how something like this happened.
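As an added example, not the original post's code or Noam's rewrite, here is a per-octet matcher beside a compact reproduction of the permutation approach (permutation_ip_check, constructed for comparison, with the early exit the original lacked). It shows the second defect in the original beyond its cost: because a permutation never repeats a value, 10.1.5.5 can never match 10.1.*.* under that approach, while the per-octet check also rejects input that is not a valid IPv4 address before comparing.

```python
import itertools
import ipaddress


def ip_matches(ip, pattern):
    """Return True if dotted-quad `ip` matches `pattern`, where any octet of
    the pattern may be the wildcard '*' (e.g. '10.1.*.*').

    Octets are compared one by one, so the cost is constant no matter how
    many wildcards the pattern contains. Malformed input is rejected rather
    than silently compared as a string."""
    try:
        ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
    except ValueError:
        return False
    wanted_octets = pattern.split('.')
    if len(wanted_octets) != 4:
        raise ValueError(f'pattern must have four octets: {pattern!r}')
    for actual, wanted in zip(ip.split('.'), wanted_octets):
        if wanted == '*':
            continue
        if not wanted.isdigit() or not 0 <= int(wanted) <= 255:
            raise ValueError(f'bad pattern octet: {wanted!r}')
        if int(actual) != int(wanted):
            return False
    return True


def permutation_ip_check(ip, pattern):
    """Constructed miniature of the permutation approach from the post.

    It enumerates permutations of 0..255 for the wildcard positions. Since a
    permutation never repeats a value, a pattern with two wildcards cannot
    match an address whose two wildcard octets are equal, such as 10.1.5.5.
    Unlike the original it returns as soon as a match is found."""
    if ip == pattern:
        return True
    if '*' not in pattern:
        return False
    mask = pattern.split('.')
    wildcards = mask.count('*')
    for subset in itertools.permutations(range(256), wildcards):
        address = list(mask)
        for value in subset:
            # fill the leftmost remaining wildcard, as the original did
            address[address.index('*')] = str(value)
        if '.'.join(address) == ip:
            return True
    return False


if __name__ == '__main__':
    for candidate in ('10.1.5.6', '10.1.5.5', '10.2.5.5'):
        print(candidate, 'per-octet:', ip_matches(candidate, '10.1.*.*'),
              'permutations:', permutation_ip_check(candidate, '10.1.*.*'))
```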


Cory DoctorowPodcast: Occupy Gotham

In my latest podcast (MP3), I read my essay Occupy Gotham, published in Detective Comics: 80 Years of Batman, commemorating the 1000th issue of Batman comics. It’s an essay about the serious hard problem of trusting billionaires to solve your problems, given the likelihood that billionaires are the cause of your problems.

A thousand issues have gone by, nearly 80 years have passed, and Batman still hasn’t cleaned up Gotham. If the formal definition of insanity is trying the same thing and expecting a different outcome, then Bruce Wayne belongs in a group therapy session in Arkham Asylum. Seriously, get that guy some Cognitive Behavioral Therapy before he gets into some *serious* trouble.

As Upton Sinclair wrote in his limited run of *Batman: Class War*[1], “It’s impossible to get a man to understand something when his paycheck depends on his not understanding it.”

Gotham is a city riven by inequality. In 1939, that prospect had a very different valence than it has in 2018. Back in 1939, the wealth of the world’s elites had been seriously eroded, first by the Great War, then by the Great Crash and the interwar Great Depression, and what was left of those vast fortunes was being incinerated on the bonfire of WWII. Billionaire plutocrats were a curious relic of a nostalgic time before the intrinsic instability of extreme wealth inequality plunged the world into conflict.

MP3


Krebs on SecurityIs ‘REvil’ the New GandCrab Ransomware?

The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”

“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”

However, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”

In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.

A payment page for a victim of REvil, a.k.a. Sodin and Sodinokibi.

Meanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.

“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

Asked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.

Unknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).

But Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.

What’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.

“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for a some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”

That heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.

But this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.

The GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after NoMoreRansom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.

There are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.

“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.

My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.

CryptogramPalantir's Surveillance Service for Law Enforcement

Motherboard got its hands on Palantir's Gotham user's manual, which is used by the police to get information on people:

The Palantir user guide shows that police can start with almost no information about a person of interest and instantly know extremely intimate details about their lives. The capabilities are staggering, according to the guide:

  • If police have a name that's associated with a license plate, they can use automatic license plate reader data to find out where they've been, and when they've been there. This can give a complete account of where someone has driven over any time period.

  • With a name, police can also find a person's email address, phone numbers, current and previous addresses, bank accounts, social security number(s), business relationships, family relationships, and license information like height, weight, and eye color, as long as it's in the agency's database.

  • The software can map out a person's family members and business associates of a suspect, and theoretically, find the above information about them, too.

All of this information is aggregated and synthesized in a way that gives law enforcement nearly omniscient knowledge over any suspect they decide to surveil.

Read the whole article -- it has a lot of details. This seems like a commercial version of the NSA's XKEYSCORE.

Boing Boing post.

Meanwhile:

The FBI wants to gather more information from social media. Today, it issued a call for contracts for a new social media monitoring tool. According to a request-for-proposals (RFP), it's looking for an "early alerting tool" that would help it monitor terrorist groups, domestic threats, criminal activity and the like.

The tool would provide the FBI with access to the full social media profiles of persons-of-interest. That could include information like user IDs, emails, IP addresses and telephone numbers. The tool would also allow the FBI to track people based on location, enable persistent keyword monitoring and provide access to personal social media history. According to the RFP, "The mission-critical exploitation of social media will enable the Bureau to detect, disrupt, and investigate an ever growing diverse range of threats to U.S. National interests."

Google AdsenseUpcoming changes to the AdSense mobile experience

The web is mobile.

Nearly 70% of AdSense audiences experience the web on mobile devices. With new mobile web technologies such as responsive mobile sites, Accelerated Mobile Pages (AMP) and Progressive Web Apps (PWA) the mobile web works better and faster than ever.

We understand that using AdSense on the go is important to you. More than a third of our users access AdSense from mobile devices and this is an area where we continue to invest.

Our vision is an AdSense that does more to keep your account healthy, letting you focus on creating great content, and comes to you when issues or opportunities need your attention.

With this in mind, we have reviewed our mobile strategy. As a result, we will be focusing our investment on the AdSense mobile web interface and sunsetting the current iOS and Android apps. By investing in a common web application that supports all platforms, we will be able to deliver AdSense features optimized for mobile much faster than we can today.

Later this year we will announce improvements to the AdSense mobile web interface. The AdSense Android and iOS apps will be deprecated in the coming months, and will be discontinued and removed from the app stores by the end of 2019.

Like our publishers who have built their businesses around the mobile web, we look forward to leveraging great new web technologies to deliver an even better, more automated, and more useful mobile experience. Stay tuned for further announcements throughout the rest of the year.


Posted by: Andrew Gildfind
AdSense Product Manager

Worse Than FailureThe Enterprise Backup Batch

If a piece of software is described in any way, shape or form as being "enterprise", it's a safe bet that you don't actually want to use it. As a general rule, "enterprise" software packages mix the Inner-Platform Effect with trying to be all things to all customers, with thousands upon thousands of lines of legacy code that can't be touched because at least one customer depends on those quirks. There doesn't tend to be much competition in the "enterprise" space, so none of the vendors actually put any thought into making their products good. That's what salesbeasts and lawyers are for.

Kristoph M supports a deployment of Initech's data warehouse system. Since this system is a mix of stored procedures and SSIS packages, Kristoph can actually read a good portion of the code which makes the product work. They just choose not to. And that's usually a good choice.

But one day, while debugging, Kristoph decided that they needed a simple answer to a simple question: "For a SQLAgent Job, how do you create a backup of the database with the day appended to the filename?"

SQLAgent is SQL Server's scheduling system, used for triggering tasks. SSIS is SQL Server's "drag and drop" dataflow tool, designed to let users draw data pipelines to handle extract-transform-load tasks.

In this case, the SQLAgent job's first step was to launch an SSIS package. Already, we're in questionable territory. SSIS is, as stated, an ETL tool. Yes, you can use it to extract data, but it's not really meant as a replacement for an actual database backup.

The good news is that this SSIS package doesn't actually do anything to backup the database. Instead, it contains a single task, and it isn't a data flow task, it's a "Visual Basic Script Task". Yes, SSIS lets you run a stripped down Visual Basic dialect in its context. What does this task do?

Public Sub Main()
    '
    ' Add your code here
    '
    Dim sToday As Date = Now
    Dim sDay As String = sToday.Day.ToString
    If CInt(sDay) < 10 Then sDay = "0" & sDay
    Dim sMonth As String = MonthName(Month(sToday), True)
    Dim sYear As String = Year(sToday).ToString
    Dim sPara1 As String = sDay '& sMonth & sYear
    Dim sPath As String = "D:\Initech\DailyProcess\"
    Using fso As StreamWriter = New StreamWriter(sPath & "runBackupBatch.bat")
        fso.WriteLine(sPath & "DailyExtractBackup.bat " & sPara1)
        fso.Close()
    End Using
    Dts.TaskResult = ScriptResults.Success
End Sub

This figures out the current day, and then writes out a runBackupBatch.bat file with contents like this:

D:\Initech\DailyProcess\DailyExtractBackup.bat 02

Once that step is completed, the SQLAgent job continues, and runs the runBackupBatch.bat, which in turn runs DailyExtractBackup.bat, which does this:

D:\Initech\DailyProcess\DailyExtractBackup.bat

@echo off
@echo Dumping DailyExtract database...
osql -E -Slocalhost -oD:\Initech\DailyProcess\DailyExtractDump.log -Q"backup database DailyExtract to DISK='D:\Initech\MSSQL\Backup\DailyExtractDump%1.bak' with INIT"
if errorlevel 1 goto dumperror

REM Check for SQL Errors
findstr "Msg" D:\Initech\DailyProcess\DailyExtractDump.log
if not errorlevel 1 goto dumperror

:OK
@echo All Done!!
exit 0

:dumperror
@echo Error dumping database.
exit 1

The osql call is about the first reasonable step in this process; it actually performs the backup using SQL Server's own backup tools. Then again, the mechanism for checking whether the logfile contains any errors is troubling. findstr sets the errorlevel to 1 if Msg is not found in the log file. So, if Msg is not not found in the logfile (that is, if it is found), we'll go to dumperror.

After reading through this process, Kristoph decided it was best to take a step outside, get some air, and stop thinking about the other horrible things that might be lurking in Initech's data warehouse product.



CryptogramUpcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I'm speaking at Black Hat USA 2019 in Las Vegas on Wednesday, August 7 and Thursday, August 8, 2019.

  • I'm speaking on "Information Security in the Public Interest" at DefCon 27 in Las Vegas on Saturday, August 10, 2019.

The list is maintained on this page.

Cory DoctorowI appeared on Nanowrimo’s awesome Write-Minded podcast to talk about Radicalized

It turned out really well!

Today’s dystopian fiction seems to be closer to reality than the dystopian fiction of the past. Brooke and Grant explore this new reality with Cory Doctorow, whose socially conscientious science fiction novels delve into topics of political consequence. From the ways in which anxieties fuel science fiction writers to how fiction has the power to change the way we think and operate in the world, today’s episode emphasizes the importance of dystopian fiction for its capacity to shed light on what is true, and what might happen, ideally, as Cory suggests, so that we might fix things before it’s too late.


CryptogramFriday Squid Blogging: When the Octopus and Squid Lost Their Shells

Cephalopod ancestors once had shells. When did they lose them?

With the molecular clock technique, which allowed him to use DNA to map out the evolutionary history of the cephalopods, he found that today's cuttlefish, squids and octopuses began to appear 160 to 100 million years ago, during the so-called Mesozoic Marine Revolution.

During the revolution, underwater life underwent a rapid change, including a burst in fish diversity. Some predators became better suited for crushing shellfish, while some smaller fish became faster and more agile.

"There's a continual arms race between the prey and the predators," said Mr. Tanner. "The shells are getting smaller, and the squids are getting faster."

The evolutionary pressures favored being nimble over being armored, and cephalopods started to lose their shells, according to Mr. Tanner. The adaptation allowed them to outcompete their shelled relatives for fast food, and they were able to better evade predators. They were also able to keep up with competitors seeking the same prey.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Sociological ImagesSoccer Stars & Soc Majors

Sociology Twitter lit up after the US Women’s National Team’s World Cup win with the revelation that many of their players were sociology majors in college. It is an inspiration to see the team succeed at the highest levels and call for social change while doing so.

This news also raised an interesting question: do student athletes major in sociology because it is a compelling field (yay, us!) or because they are tracked into the major by academic advisors who see it as an “easy” choice to balance with sports?

According to data from the NCAA, the most common majors for both student athletes and the wider student body at Division 1 schools are business, STEM, and social sciences. Trend data show the biggest difference is in the choice between business and STEM; both groups seem to pick up social science majors at similar rates.

Source: NCAA D1 Diploma Dashboard

While the rate of majors is not that different, there is something special that sociology can do for these students. Student athlete lives are heavily administered. Between practice, conditioning, scheduled events, meals, and classes, many barely have a few hours to complete a full load of course work. In grad school, I tutored many student athletes who were sociology majors, and I watched them juggle their work with the demands of heavy travel schedules and intense workouts, all under the watchful eye of an army of advisors, coaches, mentors, and doctors. The experience is very close to what Erving Goffman called a “total institution” in Asylums:

“A total institution may be defined as a place of residence and work where a large number of like-situated individuals, cut off from the wider society for an appreciable period of time, together lead an enclosed, formally administered round of life. (1961, p. xiii)”

We usually associate total institutions with prisons and punishment, but this definition highlights the intense management that defines the college experience for many student athletes. When I tutored athletes in sociology, we spent a lot of time comparing their readings to the world around them. Sociological thinking about institutions, bureaucracy, and work gave them a language to think about and talk about their experiences in context.

Athletic programs can be complicated for colleges and universities, and there is ongoing debate about how the “student” status in student athlete shapes their obligation to pay for all this work. As debates about college athletics continue, it is important for players, fans, and administrators to think sociologically about their industry to see how it can better serve players as both students and athletes.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston (Fall, 2019). You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

Cory DoctorowWhere to catch me at San Diego Comic-Con!

I’m headed back to San Diego for Comic-Con next weekend, and you can catch me on Friday, Saturday and Sunday:

Friday, 5PM: Signing in AA04

Saturday, 5PM: Panel: Writing: Craft, Community, and Crossover (with James Killen, Seanan McGuire, Charlie Jane Anders, Annalee Newitz, and Sarah Gailey), Room 23ABC

Sunday, 10AM: Signing and giveaway for Radicalized, Tor Booth, #2701.

I hope to see you there!

CryptogramPresidential Candidate Andrew Yang Has Quantum Encryption Policy

At least one presidential candidate has a policy about quantum computing and encryption.

It has two basic planks. One: fund quantum-resistant encryption standards. (Note: NIST is already doing this.) Two, fund quantum computing. (Unlike many far more pressing computer security problems, the market seems to be doing this on its own quite nicely.)

Okay, so not the greatest policy -- but at least one candidate has a policy. Do any of the other candidates have anything else in this area?

Yang has also talked about blockchain:

"I believe that blockchain needs to be a big part of our future," Yang told a crowded room at the Consensus conference in New York, where he gave a keynote address Wednesday. "If I'm in the White House, oh boy are we going to have some fun in terms of the crypto currency community."

Okay, so that's not so great, either. But again, I don't think anyone else talks about this.

Note: this is not an invitation to talk more general politics. Not even an invitation to explain how good or bad Andrew Yang's chances are. Or anyone else's. Please.

LongNowBrian Eno’s Soundtrack for the Apollo 11 Moon Landing

50 years ago, the Apollo 11 moon landing was televised live to some 600 million viewers back on planet Earth. One of them was future Long Now co-founder Brian Eno, then 21. He found himself underwhelmed by what he saw. 

Footage from the television transmission of the moon landing.

Surely, there was more gravitas to the experience than the grainy, black and white footage suggested. In the months that followed, the same few seconds of Neil Armstrong’s small steps played on an endless loop on TV as anchors and journalists offered their analysis and patriotic platitudes as a soundtrack. The experts, he later wrote, “[obscured] the grandeur and strangeness of the event with a patina of down-to-earth chatter.”

In 01983, Eno decided to add his own soundtrack to the momentous event. His ninth solo album, Apollo: Atmospheres and Soundtracks was produced to accompany a documentary, Apollo, that consisted solely of 35mm footage from the Apollo 11 mission, with no narration. The first iteration of the film was too experimental for most audiences; it was recut with commentary from Apollo astronauts when it was eventually re-released as For All Mankind in 01989. 

The remastered and extended edition of Brian Eno’s Apollo album will be released on July 19.

This year, on the occasion of the moon landing’s 50th anniversary, Eno has revisited the Apollo project. He reunited with original producers Daniel Lanois and Roger Eno to remaster the album and record 11 new instrumental compositions. The album, Apollo: Extended Edition, will be released on July 19. A new music video for the album’s most well-known track, “An Ending (Ascent)” has also been released with visuals from a 02016 Earth overview.

A new music video for Brian Eno’s “An Ending (Ascent).”

To celebrate the album’s release and the moon landing anniversary, Long Now will be hosting a Brian Eno album listening event at The Interval on the evenings of July 23, 24, 30, and 31. 

The album will be played on our Meyer Sound System, accompanied by footage of the Apollo missions as well as a special mini menu of cocktails inspired by the album. Tickets are $20 and are expected to go quickly. 

The Apollo missions have long been a point of inspiration for Long Now, both for the Big Here perspective they provided and for the long-term thinking they required. Below are links to some of our Apollo-related blog posts and articles:

Worse Than FailureError'd: Errors Don't Always Ad up

"You know, I'm thinking that the guys working on AT&T's DIRECTV service must have not done well with fractions in school," Andrew T. writes.


"Come on, DNS Exit, you shouldn't objectify your users!" writes Lance G.


Tom G. wrote, "I guess if I wanted my actual name to appear here I should have signed in with my Microsoft account and not my 20 year old Skype account."


Michael P. wrote, "Tripp Lite's site is pretty smart to detect a mismatched password before I've even registered on their site!"


"I was using my Ubuntu laptop, when my app crashed," writes Will B., "I didn't realize that my OS needed to crash my app whenever it was ready."


"Well, it looks like I'm about to enter the Matrix. So, do I click the gray pill or the white pill?" writes Jim S.




Krebs on SecurityFEC: Campaigns Can Use Discounted Cybersecurity Services

The U.S. Federal Election Commission (FEC) said today political campaigns can accept discounted cybersecurity services from companies without running afoul of existing campaign finance laws, provided those companies already do the same for other non-political entities. The decision comes amid much jostling on Capitol Hill over election security at the state level, and fresh warnings from U.S. intelligence agencies about impending cyber attacks targeting candidates in the lead up to the 2020 election.

Current campaign finance law prohibits corporate contributions to campaigns, and election experts have worried this could give some candidates pause about whether they can legally accept low- to no-cost services from cybersecurity companies.

But at an FEC meeting today, the commission issued an advisory opinion (PDF) that such assistance does not constitute an in-kind contribution, as long as the cybersecurity firm already offers discounted solutions to similarly situated non-political organizations, such as small nonprofits.

The FEC’s ruling comes in response to a petition by California-based Area 1 Security, whose core offering focuses on helping clients detect and block phishing attacks. The company said it asked the FEC’s opinion on the matter after several campaigns that had reached out about teaming up expressed hesitation given the commission’s existing rules.

In June, Area 1 petitioned the FEC for clarification on the matter, saying it currently offers free and low-cost services to certain clients which are capped at $1,337. The FEC responded with a draft opinion indicating such offering likely would amount to an in-kind contribution that might curry favor among politicians, and urged the company to resubmit its request focusing on the capped-price offering.

Area 1 did so, and at today’s hearing the FEC said “because Area 1 is proposing to charge qualified federal candidates and political committees the same as it charges its qualified non-political clients, the Commission concludes that its proposal is consistent with Area 1’s ordinary business practices and therefore would not result in Area 1 making prohibited in-kind contributions to such federal candidates and political committees.”

POLICY BY PIECEMEAL

The decision is the latest in a string of somewhat narrowly tailored advisories from the FEC related to cybersecurity offerings aimed at federal candidates and political committees. Most recently, the commission ruled that the nonprofit organization Defending Digital Campaigns could provide free cybersecurity services to candidates, but according to The New York Times that decision only applied to nonpartisan, nonprofit groups that offer the same services to all campaigns.

Last year, the FEC granted a similar exemption to Microsoft Corp., ruling that the software giant could offer “enhanced online account security services to its election-sensitive customers at no additional cost” because Microsoft would be shoring up defenses for its existing customers and not seeking to win favor among political candidates.

Dan Petalas is a former general counsel at the FEC who represents Area 1 as an attorney at the law firm Garvey Schubert Barer. Petalas praised today’s ruling, but said action by Congress is probably necessary to clarify the matter once and for all.

“Congress could take the uncertainty away by amending the law to say security services provided to campaigns to do not constitute an in-kind contribution,” Petalas said. “These candidates are super vulnerable and not well prepared to address cybersecurity threats, and I think that would be a smart thing for Congress to do given the situation we’re in now.”

‘A RECIPE FOR DISASTER’

The FEC’s decision comes as federal authorities are issuing increasingly dire warnings that the Russian phishing attacks, voter database probing, and disinformation campaigns that marked the election cycles in 2016 and 2018 were merely a dry run for what campaigns could expect to face in 2020.

In April, FBI Director Christopher Wray warned that Russian election meddling posed an ongoing “significant counterintelligence threat,” and that the shenanigans from 2016 — including the hacking of the Democratic National Committee and the phishing of Hillary Clinton’s campaign chairman and the subsequent mass leak of internal emails — were just “a dress rehearsal for the big show in 2020.”

Adav Noti, a former FEC general counsel who is now senior director of the nonprofit, nonpartisan Campaign Legal Center, said the commission is “incredibly unsuited to the danger that the system is facing,” and that Congress should be taking a more active role.

“The FEC is an agency that can’t even do the most basic things properly and timely, and to ask them to solve this problem quickly before the next election in an area where they don’t really have any expertise is a recipe for disaster,” Noti said. “Which is why we see these weird advisory opinions from them with no real legal basis or rationale. They’re sort of making it up as they go along.”

In May, Sen. Ron Wyden (D-Ore.) introduced the Federal Campaign Cybersecurity Assistance Act, which would allow national party committees to provide cybersecurity assistance to state parties, individuals running for office and their campaigns.

Sen. Wyden also has joined at least a dozen other senators — including many who are currently running as Democratic candidates in the 2020 presidential race — in introducing the “Protecting American Votes and Elections (PAVE) Act,” which would mandate the use of paper ballots in U.S. elections and ban all internet, Wi-Fi and mobile connections to voting machines in order to limit the potential for cyber interference.

As Politico reports, Wyden’s bill also would give the Department of Homeland Security the power to set minimum cybersecurity standards for U.S. voting machines, authorize a one-time $500 million grant program for states to buy ballot-scanning machines to count paper ballots, and require states to conduct risk-limiting audits of all federal elections in order to detect any cyber hacks.

BIPARTISAN BLUES

Earlier this week, FBI Director Wray and Director of National Intelligence Dan Coats briefed lawmakers in the House and Senate on threats to the 2020 election in classified hearings. But so far, action on any legislative measures to change the status quo has been limited.

Democrats blame Senate Majority Leader Mitch McConnell for blocking any action on the bipartisan bills to address election security. Prior to meeting with intelligence officials, McConnell took to the Senate floor Wednesday to allege Democrats had “already made up their minds before we hear from the experts today that a brand-new, sweeping Washington, D.C. intervention is just what the doctor ordered.”

“Make no mistake,” McConnell said. “Many of the proposals labeled by Democrats to be ‘election security’ measures are indeed election reform measures that are part of the left’s wish list I’ve called the Democrat Politician Protection Act.”

But as Politico reporter Eric Geller tweeted yesterday, if lawmakers are opposed to requiring states to follow the almost universally agreed-upon best practices for election security, they should just say so.

“Experts have been urging Congress to adopt tougher standards for years,” Geller said. “Suggesting that the jury is still out on what those best practices are is factually inaccurate.”

Noti said he had hoped election security would emerge as a rare bipartisan issue in this Congress. After all, no candidate wants to have their campaign hacked or elections tampered with by foreign powers — which could well call into question the results of a race for both sides.

These days he’s not so sanguine.

“This is a matter of national security, which is one of the core functions of the federal government,” Noti said. “Members of Congress are aware of this issue and there is a desire to do something about it. But right now the prospect of Congress doing something — even if most lawmakers would agree with it — is small.”

CryptogramResetting Your GE Smart Light Bulb

If you need to reset the software in your GE smart light bulb -- firmware version 2.8 or later -- just follow these easy instructions:

Start with your bulb off for at least 5 seconds.

  1. Turn on for 8 seconds
  2. Turn off for 2 seconds
  3. Turn on for 8 seconds
  4. Turn off for 2 seconds
  5. Turn on for 8 seconds
  6. Turn off for 2 seconds
  7. Turn on for 8 seconds
  8. Turn off for 2 seconds
  9. Turn on for 8 seconds
  10. Turn off for 2 seconds
  11. Turn on

Bulb will flash on and off 3 times if it has been successfully reset.

Welcome to the future!

Sam VargheseThe Rise and Fall of the Tamil Tigers is full of errors

How many mistakes should one accept in a book before it is pulled from sale? In the normal course, when a book is accepted for publication by a recognised publishing company, there are experienced editors who go through the text, correct it and ensure that there are no major bloopers.

Then there are fact-checkers who ensure that what is stated within the book is, at least, mostly aligned with public versions of events from reliable sources.

In the case of The Rise and Fall of the Tamil Tigers, a third-rate book that is being sold by some outlets online, neither of these exercises has been carried out. And it shows.

If the author, Damian Tangram, had voiced his views or even put the entire book online as a free offering, that would be fine. He is entitled to his opinion. But when he is trying to trick people into buying what is a very poor-quality book, then warnings are in order.

Here are just a few of the screw-ups in the first 14 pages (the book is 375 pages!):

In the foreword, the words “Civil War” are capitalised. This is incorrect and would be right only if the civil war were exclusive to Sri Lanka. This is not the case; there are numerous civil wars occurring around the world.

Next, the foreword claims the war started in 1985. This, again, is incorrect. It began in July 1983. The next claim is that this war “had its origins in the post-war political exploitation of socially divisive policies.” Really? Post-war means after the war – this conflict must be the first in the world to begin after it was over!

There is a further line indicating that the author does not know how to measure time: “After spanning three decades…” A decade is 10 years; three decades would be 30 years. The war lasted a little less than 26 years – July 23, 1983 to May 19, 2009.

Again, in the foreword, the author claims that the Liberation Tigers of Tamil Eelam “grew from being a small despot insurgency to the most dangerous and effective terrorist organizations the world has ever seen.” The LTTE was started by Velupillai Pirapaharan in the 1970s. By 1983, it was already a well-organised fighting force. Further, the English is all wonky here, the word should be “organization”, not the plural “organizations”.

And this is just the first paragraph of the book!

The second paragraph of the foreword claims about the year 2006: “Just when things could not be worse Sri Lanka was plunged into all-out war.” The war started much earlier and was in a brief hiatus. The final effort to eliminate the LTTE began on April 25, 2006. And a comma would be handy there.

Then again, the book claims in the foreword that the only person who refused to compromise in the conflict had been Pirapaharan. This is incorrect as the government was also equally stubborn until 2002.

To go on, the foreword says the book gives “an example of how a terrorist organisation like the LTTE can proliferate and spread its murderous ambitions”. The book suffers from numerous generalisations of this kind, all of which are standout examples of malapropism. And one’s ambitions grow, one does not “spread ambitions”.

Again, and we are still in the foreword, the book says the LTTE “was a force that lasted for more than twenty-five years…” Given that it took shape in the 1970s, this is again incorrect.

Next, there is a section titled “About this Book”. Again, misplaced capitalisation of the word “Book”. The author says he visited Sri Lanka for the first time in 1989 soon after he “met and married wife….” Great use of butler English, that. Additionally, he could not have married his wife; the woman in question became his wife only after he married her.

That year, he claims the “most frightening organization” was the JVP or Janata Vimukti Peramuna or People’s Liberation Front. Two years later, when he returned for a visit, the JVP had been defeated but “the enemy to peace was the LTTE”. This is incorrect as the LTTE did not offer any let-up while the JVP was engaging the Sri Lankan army.

Of the Tigers he says, “the power that they had acquired over those short years had turned them into a mythical unstoppable force.” This is incorrect; the Tigers became a force to be reckoned with many years earlier. They did not undergo any major evolution between 1989 and 1991.

The author’s only connection to Sri Lanka is through marrying a Sri Lankan woman. This, plus his visits, he claims give him a “close connection” to the island!

So we go on: “I returned to Sri Lankan several times…” The word is Lanka, not Lankan. More proof of a lack of editing, if any is needed by now.

“Lives were being lost; freedoms restricted and the economy being crushed under a financial burden.” The use of that semi-colon illustrates Tangram’s level of ignorance of English. Factually, this is all stating the bleeding obvious as all these fallouts of the war had begun much earlier.

The author claims that one generation started the war, a second continued to fight and a third was about to grow up and be thrown into a conflict. How three generations can come and go in the space of 26 years is a mystery and more evidence that this man just flings words about and hopes that they make sense.

More in this same section: “To know Sri Lanka without war was once an impossible dream…” Rubbish. I lived in Sri Lanka from 1957 till 1972 and I knew peace most of the time.

Ending this section is another screw-up: “I returned to Sri Lanka in 2012, after the war had ended, to witness the one thing I had not seen in over 25 years: Peace.” Leaving aside the wrong capitalisation of the word “peace”, since the author’s first visit was in 1989, how does 2012 make it “over 25 years”? By any calculation, that comes to 23 years. This is a ruse used throughout the book to give the impression that the author has a long connection to Sri Lanka when in reality he is just an opportunist trying to turn some bogus observations about a conflict he knows nothing about into a cash cow.

And so far I have covered hardly three full pages!!!

Let’s have a brief look at Ch-1 (one presumes that means Chapter 1) which is titled “Understanding Sri Lanka” with a sub-heading “Introduction Understanding Sri Lanka: The impossible puzzle”. (If it is impossible as claimed, how does the author claim he can explain it?)

So we begin: “…there is very little information being proliferated into the general media about the nation of Sri Lanka.” The author obviously does not own a dictionary and is unaware how the word “proliferated” should be used.

There are several strange conglomerations of words which mean nothing; for example, take this: “Without referring to a map most people would struggle to name any other city than Colombo. Even the name of the island may reflect some kind of echo of when it changed from being called Ceylon to when it became Sri Lanka.” Apart from all the missing punctuation, and the mixing up of the order of words, what the hell does this mean? Echo?

On the next page, the book says: “At the bottom corner of India is the small teardrop-shaped island of Sri Lankan.” That sentence could have done without the last “n”. Once again, no editor. Only Tangram the great.

The word Sinhalese is spelt that way; there is nobody who spells it “Singhalese”. But since the author is unable to read Sinhala, the local language, he makes errors of this kind over and over again. Again, common convention for the usage of numbers in print dictates that one to nine be spelt out and any higher number be used as a figure. The author is blissfully unaware of this too.

The percentage of Sinhalese-speakers is given as “about 70%” when the actual figure is 74.9%. And then in another illustration of his sloppiness, the author writes “The next largest groups are the Tamils who make up about 15% of the population.” The Tamils are not a single group, being made up of plantation Tamils who were brought in by the British from India to work in the tea estates (4.2%) and the local Tamils (11.2%) who have been there much longer.

He then refers to a group whom he calls Burgers – which is something sold in a fast-food outlet. The Sri Lankan ethnic group is called Burghers, who are the product of inter-marriages between Sinhalese and Portuguese, British or Dutch invaders. There is a reference made to a group of indigenous people, whom the author calls “Vedthas.” Later, on the same page, he calls these people Veddhas. This is not the first time that it is clear that he could not be bothered to spell-check this bogus tome.

There’s more: the “Singhalese” (the author’s spelling) are claimed to be of “Arian” origin. The word is Aryan. Then there is a claim that the Veddhas are related to the “Australian Indigenous Aborigines”. One has yet to hear of any non-Indigenous Aborigines. Redundant words are one thing at which Tangram excels.

There is reference to some king of Sri Lanka known as King Dutigama. The man’s name was Dutugemunu. But then what’s the difference, eh? We might as well have called him Charlie Chaplin!

Referring to the religious groups in Sri Lanka, Tangram writes: “Hinduism also has a long history in Sri Lanka with Kovils…” The word is temples, unless one is writing in the vernacular. He claims Buddhists make up 80%; the correct figure is 70.2%.

Then referring to the Bo tree under which Gautama Buddha is claimed to have found enlightenment, Tangram claims it is more than 2000 years old and the oldest cultivated tree alive today. He does not know about the Bristlecone pine trees that date back more than 4700 years. Or the redwoods that carbon dating has shown to be more than 3000 years old.

This brings me to page 14 and I have crossed 1500 words! The entire book would probably take me a week to cover. But this number of errors should serve to prove my point: this book should not be sold. It is a fraud on the public.

Worse Than FailureCodeSOD: Null Error Handling

Oliver works for a very large company. Just recently, someone decided that it was time to try out those “newfangled REST services.”

Since this was “new”, at least within the confines of the organization, that meant there were a lot more eyes on the project and a more thorough than average code review process. That’s how Oliver found this.

@SuppressWarnings("null")
public void uploadData(Payload payload) {
  // preparation of payload and httpClient
  //...
  @NonNull
  HttpResponse response = null;
  response = httpClient.execute(request);
  if (response.getStatus() != 200) {
    throw new RuntimeException(
      String.format(
        "Http request failed with status %s",
        response.getStatus()
      )
    );
  }
}

The purpose of this code is to upload a JSON-wrapped payload to one of the restful endpoints.

Let’s start with the error handling. Requiring a 200 status code is probably not a great idea. Hope the server side doesn’t say, “Oh, this creates a new resource, I had better return a 201.” And you might be thinking to yourself, “Wait, shouldn’t any reasonable HTTP client raise an exception if the status code isn’t a success?” You’d be right, and that is what this httpClient object does. So if the status isn’t a success code, the throw statement will never execute: the only way to reach it is a successful response with a code other than 200, meaning we only error when there isn't one.

The HttpResponse variable is annotated with a @NonNull annotation, which means at compile time, any attempt to set the variable to null should trigger an error. Which, you’ll note, is exactly what happens on the same line.

It’s okay, though, as the dependency setup in the build file was completely wrong, and they never loaded the library which enforced those annotations in the first place. So @NonNull was just for decoration, and had absolutely no function anyway.



CryptogramDetails of the Cloud Hopper Attacks

Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported.

The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.

Yet the campaign ensnared at least six more major technology firms, touching five of the world's 10 biggest tech service providers.

Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.

Waves of hacking victims emanate from those six plus HPE and IBM: their clients. Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America's nuclear submarines at a Virginia shipyard.


Worse Than FailureCodeSOD: Structured Searching

It’s hard to do any non-trivial programming in C without having to use a struct. Structs are great! A single variable holds access to multiple pieces of data, and all the nasty details of how they’re laid out in memory are handled by the compiler.

In more modern OO languages, we take that kind of thing for granted. We’re so abstracted from the details of how memory is laid out it’s easy to forget how tricky and difficult actually managing that kind of memory layout is.

Of course, if you’re Jean-Yves R’s co-worker, letting structs manage your memory layout is beginner mode stuff.

Jean-Yves was trying to understand why a bunch of structs were taking up huge amounts of memory, relative to how much they should take. Every bit of memory mattered, as this was an embedded application. Already, these structs weren’t actually stored in RAM, but in the flash memory on the device. They served as a database- when a request came in over Modbus or CAN or I2C, the ID on the request would be used to look up the struct containing metadata for handling that request. It was complex software, so there were a lot of these structs taking up flash memory.

It didn’t take long to see that the structs were defined with padding to ensure every field fell on a multiple of 32-bits, which meant there were huge gaps in every struct. Why? Well, this is an example of how they’d search the database:

/* These lines are actually in an included header */
#define DAT_calcOffset(address,offset)	 (address += offset)
#define DAT_MODBUS_ID_OFFSET					0x00000002	/* (32 bits pointer) */

/*
 * Database search code
 */
/*
 * Setting up start address at beginning of flash zone + an
 * offset corresponding to the member of struct
 */
DAT_calcOffset(pu32SearchBaseAddress,DAT_MODBUS_ID_OFFSET);
            
/* Return : Status */
if(u16ModBusID >= 0x8000)
{
    u16ModBusID -= 0x8000;
    bReturnStatus = TRUE;
}


/* Increment until we find the correct ID  */
while((*pu32SearchBaseAddress != u16ModBusID) && (u16Index < u16NbOfData))
{
    pu32SearchBaseAddress += (sizeof(DAT_typDataArray)/4);
    u16Index++;
}

if(u16Index == u16NbOfData)
{
    if(penFlagReturn)
        *penFlagReturn = (DAT_typFlag)DAT_enCFlagErrOF;

    xSemaphoreGive(DAT_tMutexDatabase);
    return DAT_tNullStr;
}

pu32SearchBaseAddress is a pointer to a struct in the flash memory, at least until the DAT_calcOffset macro does a little pointer arithmetic to point it at a field within the struct- specifically the modbus message ID. Then, in the while loop, we keep incrementing that pointer by sizeof(DAT_typDataArray)/4- which is the size of our struct measured in 32-bit words, since the pointer steps through 32-bit values.

You might be wondering, why not do something sane and readable, like pu32SearchBaseAddress->modbus_id? Well, obviously this is “optimized”.

Like all “optimizations”, this one is a tradeoff. In this case, the memory layout of the structs is now fixed, and the structs cannot ever evolve in the future without completely breaking this code. It’s also not portable, due to memory sizes.

On the flip side, this also offers many benefits. The code is cryptic and unreadable, which helps ensure job security. The fact that each type of message- modbus, CANbus, I2C, etc.- has its own database means that this code has to be written for each one of those protocols, ensuring that the developer always has lots of code to copy/paste between those datasets with minor changes to constants and variable names. This keeps their lines-of-code count up in the source control metrics.

It probably didn’t do anything for performance either, as pretty much any C compiler is going to compile the -> operator into a static memory offset anyway, which makes this “optimization” pretty useless.
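As an added example (not the original post’s code), here is a constructed descriptor table searched both ways: with the post’s style of raw 32-bit-word pointer arithmetic, and with ordinary struct member access, plus the compile-time offsetof check that would catch the layout drift the post warns about. The struct layout, record values and the search function names are assumptions that follow the post’s naming conventions; the loop condition is also reordered so the pointer is never dereferenced once the index has run off the end of the table, which the snippet above does when the ID is missing.

```c
/* Added example, not the original project's code. Names with the DAT_ and
 * pu32/u16 prefixes mirror the post; the struct and its contents are a
 * constructed stand-in for the real flash "database". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every field padded out to a full 32-bit slot, as in the post, so that the
 * hand-written word offsets below line up with the fields. */
typedef struct {
    uint32_t u32Flags;        /* word 0 */
    uint32_t u32Reserved;     /* word 1: the kind of gap the post complains about */
    uint32_t u32ModBusID;     /* word 2: what DAT_MODBUS_ID_OFFSET points at */
    uint32_t u32HandlerIndex; /* word 3 */
} DAT_typDataArray;

#define DAT_calcOffset(address, offset) ((address) += (offset))
#define DAT_MODBUS_ID_OFFSET 0x00000002 /* in 32-bit words, not bytes */

/* The check the original lacked: refuse to build if the hand-written word
 * offset disagrees with where the compiler actually placed the field. */
_Static_assert(offsetof(DAT_typDataArray, u32ModBusID) == DAT_MODBUS_ID_OFFSET * 4,
               "DAT_MODBUS_ID_OFFSET no longer matches the struct layout");
_Static_assert(sizeof(DAT_typDataArray) % 4 == 0,
               "record size must be a whole number of 32-bit words");

/* Constructed sample "flash" contents: three records with IDs 0x10, 0x20, 0x30. */
static const DAT_typDataArray s_database[] = {
    { 0x1, 0, 0x0010, 7 },
    { 0x1, 0, 0x0020, 8 },
    { 0x1, 0, 0x0030, 9 },
};
#define DB_COUNT ((uint16_t)(sizeof s_database / sizeof s_database[0]))

/* Search in the post's style: walk 32-bit words, stepping by the record size
 * in words. Returns the record index, or -1 when the ID is not present. */
int search_by_word_offset(uint16_t u16ModBusID)
{
    const uint32_t *pu32SearchBaseAddress = (const uint32_t *)s_database;
    uint16_t u16Index = 0;

    /* Quirk kept from the original: IDs >= 0x8000 lose the high bit first. */
    if (u16ModBusID >= 0x8000)
        u16ModBusID -= 0x8000;

    DAT_calcOffset(pu32SearchBaseAddress, DAT_MODBUS_ID_OFFSET);

    /* Bounds check first: the original tested *pu32SearchBaseAddress before
     * u16Index < count, so a missing ID read one record past the table. */
    while ((u16Index < DB_COUNT) && (*pu32SearchBaseAddress != u16ModBusID)) {
        pu32SearchBaseAddress += (sizeof(DAT_typDataArray) / 4);
        u16Index++;
    }
    return (u16Index == DB_COUNT) ? -1 : (int)u16Index;
}

/* The readable alternative: let the compiler compute the field offset. */
int search_by_member(uint16_t u16ModBusID)
{
    if (u16ModBusID >= 0x8000)
        u16ModBusID -= 0x8000;

    for (uint16_t i = 0; i < DB_COUNT; i++) {
        if (s_database[i].u32ModBusID == u16ModBusID)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    const uint16_t probes[] = { 0x0020, 0x8030, 0x0040 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("ID 0x%04x: word-offset search -> %d, member search -> %d\n",
               probes[i], search_by_word_offset(probes[i]),
               search_by_member(probes[i]));
    }
    return 0;
}
```

Both searches return the same index for every probe; the difference is that only the member-access version survives a reordered or resized struct without editing a macro.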



Cory DoctorowSteering with the Windshield Wipers

In my latest podcast (MP3), I read my May Locus column: Steering with the Windshield Wipers. It makes the argument that much of the dysfunction of tech regulation — from botched anti-sex-trafficking laws to the EU’s plan to impose mass surveillance and censorship to root out copyright infringement — are the result of trying to jury-rig tools to fix the problems of monopolies, without using anti-monopoly laws, because they have been systematically gutted for 40 years.

A lack of competition rewards bullies, and bullies have insatiable appetites. If your kid is starving because they keep getting beaten up for their lunch money, you can’t solve the problem by giving them more lunch money – the bullies will take that money too. Likewise: in the wildly unequal Borkean inferno we all inhabit, giving artists more copyright will just enrich the companies that control the markets we sell our works into – the media companies, who will demand that we sign over those rights as a condition of their patronage. Of course, these companies will be subsequently menaced and expropriated by the internet distribution companies. And while the media companies are reluctant to share their bounties with us artists, they reliably expect us to share their pain – a bad quarter often means canceled projects, late payments, and lower advances.

And yet, when a lack of competition creates inequities, we do not, by and large, reach for pro-competitive answers. We are the fallen descendants of a lost civilization, destroyed by Robert Bork in the 1970s, and we have forgotten that once we had a mighty tool for correcting our problems in the form of pro-competitive, antitrust enforcement: the power to block mergers, to break up conglomerates, to regulate anticompetitive conduct in the marketplace.

But just because we know where to find the copyright lever, it doesn’t follow that yanking on it hard enough will make it do the work of antitrust law.

MP3

Krebs on Security: Patch Tuesday Lowdown, July 2019 Edition

Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.

Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP server.”

The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019.

Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed such a critical flaw in the Windows DHCP client.

All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Exploder Explorer.

One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system.

CVE-2019-0865 is a denial-of-service bug in a Microsoft open-source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline.

The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system.

Mercifully, there do not appear to be any security updates for Adobe Flash Player this month.

Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days before Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge).

As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed.

If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips.

Further reading:

Qualys Patch Tuesday Blog

Rapid7

Tenable [full disclosure: Tenable is an advertiser on this blog].

Long Now: The Global Tree Restoration Potential

Earlier this month, a study appeared in Science that found that a global reforestation effort could capture 205 gigatons of CO2 over the next 40-100 years—two thirds of all the CO2 humans have generated since the industrial revolution:

The restoration of trees remains among the most effective strategies for climate change mitigation. We mapped the global potential tree coverage to show that 4.4 billion hectares of canopy cover could exist under the current climate. Excluding existing trees and agricultural and urban areas, we found that there is room for an extra 0.9 billion hectares of canopy cover, which could store 205 gigatonnes of carbon in areas that would naturally support woodlands and forests. This highlights global tree restoration as our most effective climate change solution to date. However, climate change will alter this potential tree coverage. We estimate that if we cannot deviate from the current trajectory, the global potential canopy cover may shrink by ~223 million hectares by 2050, with the vast majority of losses occurring in the tropics. Our results highlight the opportunity of climate change mitigation through global tree restoration but also the urgent need for action.

Via Science.

Scientific American unpacked the study and its potential implications:

The study team analyzed almost 80,000 satellite photo measurements of tree cover worldwide and combined them with enormous global databases about soil and climate conditions, evaluating one hectare at a time. The exercise generated a detailed map of how many trees the earth could naturally support—where forests grow now and where they could grow, outside of areas such as deserts and savannahs that support very few or no trees. The team then subtracted existing forests and also urban areas and land used for agriculture. That left 0.9 billion hectares that could be forested but have not been. If those spaces were filled with trees that already flourish nearby, the new growth could store 205 gigatons of carbon by the time the forests mature.

After 40 to 100 years, of course, the storage rate would flatten as forest growth levels off—but the researchers say the 205 gigatons would be maintained as old trees die and new ones grow. There would be “a bank of excess carbon that is no longer in the atmosphere,” Crowther says.

Via Scientific American.

Cryptogram: Cell Networks Hacked by (Probable) Nation-State Attackers

A sophisticated attacker has successfully infiltrated cell providers to collect information on specific users:

The hackers have systematically broken into more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records -- including times and dates of calls, and their cell-based locations -- on at least 20 individuals.

[...]

Cybereason researchers said they first detected the attacks about a year ago. Before and since then, the hackers broke into one cell provider after the other to gain continued and persistent access to the networks. Their goal, the researchers believe, is to obtain and download rolling records on the target from the cell provider's database without having to deploy malware on each target's device.

[...]

The researchers found the hackers got into one of the cell networks by exploiting a vulnerability on an internet-connected web server to gain a foothold onto the provider's internal network. From there, the hackers continued to exploit each machine they found by stealing credentials to gain deeper access.

Who did it?

Cybereason did say it was with "very high probability" that the hackers were backed by a nation state but the researchers were reluctant to definitively pin the blame.

The tools and the techniques -- such as the malware used by the hackers -- appeared to be "textbook APT 10," referring to a hacker group believed to be backed by China, but Div said it was either APT 10, "or someone that wants us to go public and say it's [APT 10]."

Original report:

Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers.

The attack was aiming to obtain CDR records of a large telecommunications provider.

The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.

The tools and TTPs used are commonly associated with Chinese threat actors.

During the persistent attack, the attackers worked in waves -- abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.

Boing Boing post.

Worse Than Failure: Process by Management

Alice's team was thirty developers, taking up most of the floor of a nondescript office building in yet another office park. Their team was a contractor-to-a-contractor for a branch of the US military, which meant a variety of things. First, bringing a thumb drive into the office was a firing offense. Second, they were used to a certain level of bureaucracy. You couldn't change a line of code unless you had four different documents confirming the change was necessary and was authorized, and actually deploying a change was a milestone event with code freezes and expected extra hours.

Despite all this, the thirty person team had built a great working relationship. They had made their process as efficient as they could, and their PM, Doug, understood the work well enough to keep things streamlined. In fact, Doug did such a good job that Doug got promoted. Enter Millie, his replacement.

Millie had done a stint in the Air Force and then went back to school for her MBA. She had bounced around a few different companies, and had managed to turn every job change into a small promotion. This was Millie's first time overseeing a pool of software developers, but she had an MBA. Management was management, and there was no reason she had to understand what developers did, so long as she understood the key performance indicators (KPI).

Like the quantity of defects. That was a great KPI, because it was measurable, had a clear negative impact, and it could be mitigated. Mitigated with a process.

After a few weeks of getting her bearings, Millie called a meeting. "Alright, everyone, I've been observing a little bit of how we work, and I think there may be some communication and organization issues, so I wanted to address that. I've looked at our current workflow, and I've made a few small changes that I wanted to review."

On one side of the white board, she drew a bubble labeled "In Production". "This is where we want our code to be, right? Working, quality-controlled code, in production, with no defects." On the opposite side of the board, she added a bubble for "PCCB Ticket." "And any code change starts with one of these- the Product Change Control Board reviews an open ticket. They'll then turn that ticket into a Functional Requirement Document." Millie added another bubble for that.

Alice had some questions already, but not quite about the inputs or outputs.

A simple bubble diagram

"Great, okay, so… we need to iterate on the FRD, and once the PCCB signs off we'll convert that to a System Requirement Document. Either a PM or a SME will decompose the SRD into one or more Work Packages."

Millie continued scribbling furiously as she explained exactly what a work package was, as this wasn't currently a term in use at their organization. Her explanation wasn't terribly clear, as Millie explained it as the set of steps required to implement a single feature, but a Functional Requirement was a feature, so how was the Work Package (WP) any different than the FRD?

"Please, hold your questions until the end, we have a lot to get through."

a more complex bubble diagram

Finally, once the Work Package was analyzed, you could create a "Ticket Lifecycle Document", a new document which would hold all information about all of the efforts put towards the PCCB ticket. Which meant the TLD contained all the WPs, which raised questions about the point of adding work packages. From the TLD came a new PCCB ticket, a "Ready" ticket, and then finally those requirements could go onto a Release backlog and a release management plan could be created.

"Finally," Millie explained, "we're ready to write code." In the center of the board, she added a single bubble: "Code".

the kind of bubble diagram that gives you hives

And on and on the meeting went. The diagram grew. Lines kept getting added. Bubbles got inserted between existing bubbles. Arrows pointed to labels, or to bubbles, or maybe to arrows? By the end of Millie's meeting, it looked something like this.

a bubble diagram that could be used to summon the elder things from beyond the realm of darkness

"There, that lays out the correct pattern for getting our software to production, with a feedback loop that prevents defects. Any questions?"

There weren't any questions at the meeting, no. But boy, were there questions. Loads of questions. Questions like, "What font should I use on my resume?" and "is it time to stop listing my VBA experience on my resume?"

Over the next few months, under Millie's leadership, 17 developers from the 30 person team left the company, Alice among them. Every once in awhile, Alice checks the job listings for that company, to see if those developer positions have been filled. They're still hiring for software developers. Unfortunately, Alice hasn't seen any openings for a PM, so Millie is probably still there.


Rondam Ramblings: The Trouble with Many Worlds

Ten years ago I wrote an essay entitled "The Trouble with Shadow Photons" describing a problem with the dramatic narrative of what is commonly called the "many-worlds" interpretation of quantum mechanics (but which was originally and IMHO more appropriately called the "relative state" interpretation) as presented by David Deutsch in his (otherwise excellent) book, "The Fabric of Reality."  At the

Cryptogram: Cardiac Biometric

MIT Technology Review is reporting about an infrared laser device that can identify people by their unique cardiac signature at a distance:

A new device, developed for the Pentagon after US Special Forces requested it, can identify people without seeing their face: instead it detects their unique cardiac signature with an infrared laser. While it works at 200 meters (219 yards), longer distances could be possible with a better laser. "I don't want to say you could do it from space," says Steward Remaly, of the Pentagon's Combatting Terrorism Technical Support Office, "but longer ranges should be possible."

Contact infrared sensors are often used to automatically record a patient's pulse. They work by detecting the changes in reflection of infrared light caused by blood flow. By contrast, the new device, called Jetson, uses a technique known as laser vibrometry to detect the surface movement caused by the heartbeat. This works through typical clothing like a shirt and a jacket (though not thicker clothing such as a winter coat).

[...]

Remaly's team then developed algorithms capable of extracting a cardiac signature from the laser signals. He claims that Jetson can achieve over 95% accuracy under good conditions, and this might be further improved. In practice, it's likely that Jetson would be used alongside facial recognition or other identification methods.

Wenyao Xu of the State University of New York at Buffalo has also developed a remote cardiac sensor, although it works only up to 20 meters away and uses radar. He believes the cardiac approach is far more robust than facial recognition. "Compared with face, cardiac biometrics are more stable and can reach more than 98% accuracy," he says.


I have my usual questions about false positives vs false negatives, how stable the biometric is over time, and whether it works better or worse against particular sub-populations. But interesting nonetheless.

Krebs on Security: Who’s Behind the GandCrab Ransomware?

The crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly successful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after allegedly having earned more than $2 billion in extortion payouts from victims. What follows is a deep dive into who may be responsible for recruiting new members to help spread the contagion.

Image: Malwarebytes.

Like most ransomware strains, the GandCrab ransomware-as-a-service offering held files on infected systems hostage unless and until victims agreed to pay the demanded sum. But GandCrab far eclipsed the success of competing ransomware affiliate programs largely because its authors worked assiduously to update the malware so that it could evade antivirus and other security defenses.

In the 15-month span of the GandCrab affiliate enterprise beginning in January 2018, its curators shipped five major revisions to the code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

“In one year, people who worked with us have earned over US $2 billion,” read the farewell post by the eponymous GandCrab identity on the cybercrime forum Exploit[.]in, where the group recruited many of its distributors. “Our name became a generic term for ransomware in the underground. The average weekly income of the project was equal to US $2.5 million.”

The message continued:

“We ourselves have earned over US $150 million in one year. This money has been successfully cashed out and invested in various legal projects, both online and offline ones. It has been a pleasure to work with you. But, like we said, all things come to an end. We are getting a well-deserved retirement. We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

Evil indeed, when one considers the damage inflicted on so many individuals and businesses hit by GandCrab — easily the most rapacious and predatory malware of 2018 and well into 2019.

The GandCrab identity on Exploit[.]in periodically posted updates about victim counts and ransom payouts. For example, in late July 2018, GandCrab crowed that a single affiliate of the ransomware rental service had infected 27,031 victims in the previous month alone, receiving about $125,000 in commissions.

The following month, GandCrab bragged that the program in July 2018 netted almost 425,000 victims and extorted more than one million dollars worth of cryptocurrencies, much of which went to affiliates who helped to spread the infections.

Russian security firm Kaspersky Lab estimated that by the time the program ceased operations, GandCrab accounted for up to half of the global ransomware market.

ONEIILK2

It remains unclear how many individuals were active in the core GandCrab malware development team. But KrebsOnSecurity located a number of clues that point to the real-life identity of a Russian man who appears to have been put in charge of recruiting new affiliates for the program.

In November 2018, a GandCrab affiliate posted a screenshot on the Exploit[.]in cybercrime forum of a private message between himself and a forum member known variously as “oneiilk2” and “oneillk2” that showed the latter was in charge of recruiting new members to the ransomware earnings program.

Oneiilk2 also was a successful GandCrab affiliate in his own right. In May 2018, he could be seen in multiple Exploit[.]in threads asking for urgent help obtaining access to hacked businesses in South Korea. These solicitations go on for several weeks that month — with Oneiilk2 saying he’s willing to pay top dollar for the requested resources. At the same time, Oneiilk2 can be seen on Exploit asking for help figuring out how to craft a convincing malware lure using the Korean alphabet.

Later in the month, Oneiilk2 says he no longer needs assistance on that request. Just a few weeks later, security firms began warning that attackers were staging a spam campaign to target South Korean businesses with version 4.3 of GandCrab.

HOTTABYCH

When Oneiilk2 registered on Exploit in January 2015, he used the email address hottabych_k2@mail.ru. That email address and nickname had been used since 2009 to register multiple identities on more than a half dozen cybercrime forums.

In 2010, the hottabych_k2 address was used to register the domain name dedserver[.]ru, a site which marketed dedicated Web servers to individuals involved in various cybercrime projects. That domain registration record included the Russian phone number +7-951-7805896, which mail.ru’s password recovery function says is indeed the phone number used to register the hottabych_k2 email account.

At least four posts made in 2010 to the hosting review service makeserver.ru advertise Dedserver and include images watermarked with the nickname “oneillk2.”

Dedserver also heavily promoted a virtual private networking (VPN) service called vpn-service[.]us to help users obfuscate their true online locations. It’s unclear how closely connected these businesses were, although a cached copy of the Dedserver homepage at Archive.org from 2010 suggests the site’s owners claimed it as their own.

Vpn-service[.]us was registered to the email address sec-service@mail.ru by an individual who used the nickname (and sometimes password) — “Metall2” — across multiple cybercrime forums.

Around the same time the GandCrab affiliate program was kicking into high gear, Oneiilk2 had emerged as one of the most trusted members of Exploit and several other forums. This was evident by measuring the total “reputation points” assigned to him, which are positive or negative feedback awarded by other members with whom the member has previously transacted.

In late 2018, Oneiilk2 was one of the top 20 highest-rated members among thousands of denizens on the Exploit forum, thanks in no small part to his association with the GandCrab enterprise.

Searching on Oneiilk2’s registration email address hottabych_k2@mail.ru via sites that track hacked or leaked databases turned up some curious results. Those records show this individual routinely re-used the same password across multiple accounts: 16061991.

For instance, that email address and password shows up in hacked password databases for an account “oneillk2” at zismo[.]biz, a Russian-language forum dedicated to news about various online money-making affiliate programs.

In a post made on Zismo in 2017, Oneiilk2 states that he lives in a small town with a population of around 400,000, and is engaged in the manufacture of furniture.

HEAVY METALL

Further digging revealed that the hottabych_k2@mail.ru address had also been used to register at least two accounts on the social networking site Vkontakte, the Russian-language equivalent of Facebook.

One of those accounts was registered to a “Igor Kashkov” from Magnitogorsk, Russia, a metal-rich industrial town in southern Russia of around 410,000 residents which is home to the largest iron and steel works in the country.

The Kashkov account used the password “hottabychk2,” the phone number 890808981338, and at one point provided the alternative email address “prokopenko_k2@bk.ru.” However, this appears to have been simply an abandoned account, or at least there are only a couple of sparse updates to the profile.

The more interesting Vkontakte account tied to the hottabych_k2@mail.ru address belongs to a profile under the name “Igor Prokopenko,” who says he also lives in Magnitogorsk. The Igor Prokopenko profile says he has studied and is interested in various types of metallurgy.

There is also a Skype voice-over-IP account tied to an “Igor” from Magnitogorsk whose listed birthday is June 16, 1991. In addition, there is a fairly active Youtube account dating back to 2015 — youtube.com/user/Oneillk2 — that belongs to an Igor Prokopenko from Magnitogorsk.

That Youtube account includes mostly short videos of Mr. Prokopenko angling for fish in a local river and diagnosing problems with his Lada Kalina — a Russian-made automobile line that is quite common across Russia. An account created in January 2018 using the Oneillk2 nickname on a forum for Lada enthusiasts says its owner is 28 years old and lives in Magnitogorsk.

Sources with the ability to check Russian citizenship records identified an Igor Vladimirovich Prokopenko from Magnitogorsk who was born on June 16, 1991. Recall that “16061991” was the password used by countless online accounts tied to both hottabych_k2@mail.ru and the Oneiilk2/Oneillk2 identities.

To bring all of the above research full circle, Vkontakte’s password reset page shows that the Igor Prokopenko profile is tied to the mobile phone number +7-951-7805896, which is the same number used to set up the email account hottabych_k2@mail.ru almost 10 years ago.

Mr. Prokopenko did not respond to multiple requests for comment.

It is entirely possible that whoever is responsible for operating the GandCrab affiliate program developed an elaborate, years-long disinformation campaign to lead future would-be researchers to an innocent party.

At the same time, it is not uncommon for many Russian malefactors to do little to hide their true identities — at least early on in their careers — perhaps in part because they perceive that there is little likelihood that someone will bother connecting the dots later on, or because maybe they don’t fear arrest and/or prosecution while they reside in Russia. Anyone doubtful about this dynamic would do well to consult the Breadcrumbs series on this blog, which used similar methods as described above to unmask dozens of other major malware purveyors.

It should be noted that the GandCrab affiliate program took measures to prevent the installation of its ransomware on computers residing in Russia or in any of the countries that were previously part of the Soviet Union — referred to as the Commonwealth of Independent States and including Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. This is a typical precaution taken by cybercriminals running malware operations from one of those countries, as they try to avoid making trouble in their own backyards that might attract attention from local law enforcement.

KrebsOnSecurity would like to thank domaintools.com (an advertiser on this site), as well as cyber intelligence firms Intel471, Hold Security and 4IQ for their assistance in researching this post.

Update, July 9, 2:53 p.m. ET: Mr. Prokopenko responded to my requests for comment, although he declined to answer any of the questions I put to him about the above findings. His response was simply, “Hey. You’re wrong. I’m not doing this.” Silly me.

Cryptogram: Ransomware Recovery Firms Who Secretly Pay Hackers

ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims.

Worse Than Failure: CodeSOD: The Bogus Animation

Animations have become such an omnipresent part of UI design that we tend to notice them only when they're bad.

Ben is working on an iOS application which appeared to have a "bad" animation. In this case, it's bad because it's slow. How slow? Well, they have a table view with ten items in it, and the items should quickly tween to their new state- position, text, colors all could change in this process. And it was taking four seconds.

Four seconds to update ten items is a lot. Now, their application does have a lot of animations, and the first suspicion was that there was some ugly interaction between animations that was causing it to take a long time. But upon digging in, Ben discovered it wasn't the animations at all.

    - (NSArray<NSString *> *)_combineTitles:(NSArray<NSString *> *)oldTitles with:(NSArray<NSString *> *)newTitles {
        NSMutableSet<NSString *> *mergedSet = [NSMutableSet setWithArray:oldTitles];
        [mergedSet unionSet:[NSSet setWithArray:newTitles]];
        NSMutableArray<NSString *> *combinedTitles = [mergedSet.allObjects mutableCopy];

        // TODO - this is a terrible method!
        // We should be able to properly determine the/a correct order of combinedTitles, not
        // simply trying random orders until we find the right one
        // Note unless the assumption stated in _reloadTableDataAnimatedAdvanced is met, this could loop forever
        // A better way to do this would be to consider the diff between oldTitles and newTitles
        // E.g. the diff for ABC -> CDE has insertions at 1, 2 and deletions at 0, 1 and therefore the diff is based
        // on the deletions being performed first - instead we want to construct the intermediate ABCDE which has insertions at 3, 4
        while (YES) {
            DiffUpdate *diffUpdate1 = [DifferUtils getDiffWithOldData:oldTitles newData:combinedTitles];
            DiffUpdate *diffUpdate2 = [DifferUtils getDiffWithOldData:combinedTitles newData:newTitles];
            if (diffUpdate1.moves.count == 0 && diffUpdate2.moves.count == 0) {
                return [NSArray arrayWithArray:combinedTitles];
            }

            // Fisher-Yates shuffle
            // https://stackoverflow.com/a/33840745
            for (NSUInteger i = combinedTitles.count; i > 1; i--) {
                [combinedTitles exchangeObjectAtIndex:i - 1 withObjectAtIndex:arc4random_uniform((u_int32_t)i)];
            }
        }
        return nil;
    }

Obj-C is a bit odd to read, but this defines a method that combines a list of old item titles with a list of new item titles. The resulting output should be sorted based on the insertion order of the items. And how do we do this in this code?

Well, we check if the output list is in the right order by taking a diff between the output and the two inputs. If it's in the right order, great, return our results. If it's not… we do a Fisher-Yates shuffle, which is to say, this is an actual bogosort in the wild.

At least the documentation is useful. Not only does it include the accurate This is a terrible method, but goes on to lay out exactly what a better method might look like.

That's not the best part of the comment, though. It's this one:

// Note unless the assumption stated in _reloadTableDataAnimatedAdvanced is met, this could loop forever
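The construction the comment sketches (ABC -> CDE becomes ABCDE), carried through as an added Python example; it is not code from the original post or from Ben's application, and the function names here are invented. `combine_titles` builds the intermediate order in one deterministic pass instead of shuffling until a diff check happens to pass, and it checks up front the assumption the comment alludes to: if the titles shared by both lists appear in a different relative order, no intermediate can be insert-only from the old list and delete-only to the new one, which is exactly the case where the shuffle loop would never terminate. The page does not show `DifferUtils`, so a move-free transition is modelled here as a subsequence relation rather than with that library.

```python
"""Deterministic construction of the intermediate title order for a two-step
table-view animation (old -> intermediate is insert-only, intermediate -> new
is delete-only). Added example; helper names are assumptions, not the app's API."""

from typing import List, Sequence


def is_subsequence(short: Sequence[str], long: Sequence[str]) -> bool:
    """True when every element of `short` appears in `long` in the same relative order.

    With unique titles this is what "no moves" means for a diff: going from
    `short` to `long` only inserts, going from `long` to `short` only deletes.
    """
    it = iter(long)  # shared iterator: each match consumes the prefix before it
    return all(any(x == y for y in it) for x in short)


def intermediate_is_valid(old: Sequence[str], combined: Sequence[str], new: Sequence[str]) -> bool:
    """The property the original loop tests for by shuffling: both transitions are move-free."""
    return is_subsequence(old, combined) and is_subsequence(new, combined)


def combine_titles(old_titles: Sequence[str], new_titles: Sequence[str]) -> List[str]:
    """Return an order containing every old and new title exactly once such that
    old -> combined needs only insertions and combined -> new needs only deletions.

    Raises ValueError when no such order exists (the case in which the original
    bogosort would spin forever), instead of looping.
    """
    if len(set(old_titles)) != len(old_titles) or len(set(new_titles)) != len(new_titles):
        raise ValueError("titles must be unique within each list")

    common = set(old_titles) & set(new_titles)
    # Shared titles must keep their relative order: a single list cannot have
    # A before B (for the old list) and B before A (for the new list) at once.
    if [t for t in old_titles if t in common] != [t for t in new_titles if t in common]:
        raise ValueError("shared titles are reordered; no insert-only/delete-only intermediate exists")

    combined = list(old_titles)
    insert_at = 0  # position at which the next new-only title is spliced in
    for title in new_titles:
        if title in common:
            # Anchor on the shared title: following new-only titles go right after it,
            # which keeps them in the order the new list gives them.
            insert_at = combined.index(title) + 1
        else:
            combined.insert(insert_at, title)
            insert_at += 1
    return combined


if __name__ == "__main__":
    # Constructed sample input, the case from the original comment.
    print(combine_titles(list("ABC"), list("CDE")))  # ['A', 'B', 'C', 'D', 'E']
```

For the comment's own example the result is ABCDE, with D and E inserted at positions 3 and 4 and then A and B deleted, so neither animation step contains a move. The check that raises `ValueError` is the part the original code lacks: it turns "could loop forever" into an immediate, explainable failure at the call site.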


Cryptogram: Friday Squid Blogging: Squid Cars

Jalopnik asks the important question: "If squids ruled the earth, what would their cars be like?"

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Cryptogram: Applied Cryptography is Banned in Oregon Prisons

My Applied Cryptography is on a list of books banned in Oregon prisons. It's not me -- and it's not cryptography -- it's that the prisons ban books that teach people to code. The subtitle is "Algorithms, Protocols, and Source Code in C" -- and that's the reason.

My more recent Cryptography Engineering is a much better book for prisoners, anyway.

Cryptogram: Research on Human Honesty

New research from Science: "Civic honesty around the globe":

Abstract: Civic honesty is essential to social capital and economic development, but is often in conflict with material self-interest. We examine the trade-off between honesty and self-interest using field experiments in 355 cities spanning 40 countries around the globe. We turned in over 17,000 lost wallets with varying amounts of money at public and private institutions, and measured whether recipients contacted the owner to return the wallets. In virtually all countries citizens were more likely to return wallets that contained more money. Both non-experts and professional economists were unable to predict this result. Additional data suggest our main findings can be explained by a combination of altruistic concerns and an aversion to viewing oneself as a thief, which increase with the material benefits of dishonesty.

I am surprised, too.

Worse Than FailureClassic WTF: Working Around, Over and Through the Process

It's still a holiday weekend in the US; after playing with fireworks yesterday, most of us have to spend today trying to find the fingers we lost. There are no fireworks in this classic story, but there may be some karma… Original --Remy

When Kevin landed a job at Townbank in the late 1980s, he came face-to-face with the same thing that thousands of newly minted developers had encountered before and since – there is more to being a corporate programmer than just writing code – there’s the process.

Second only, perhaps, to the strict rules commanded by the world’s religions, the process keeps the code consistent. Glory to the process – praised be the process - the process is good, the process should always be followed, and above all, the process is good for you!

For nearly everybody, the process isn’t all that bad. It just takes some getting used to. Fill out a form, get a sign off, file the test plan, write a build document - all in a day's work. However, as Kevin would soon find out, at Townbank, there were some processes both veterans and new grads alike couldn’t adjust to.

The Shiva Factor

Kevin’s first assignment was to work within a group involved with Townbank’s IT department’s largest project to date - their huge migration from their aging mainframe to a row of shiny new VAX systems. On paper, the process looked good - consultants met with the business to identify which systems would be migrated, specs would be written, developers would be assigned, QA would confirm that the new system worked like the old one and the code would be promoted into production.

When the project managers first set up the process, the expectation was that the extra steps would only ever account for a small fraction of the total cost or time needed to implement a feature, and at first this was the case. However, as the project continued and more environments were brought online, Kevin and his fellow developers learned to add an extra bit of padding to their estimates. Officially, the developers called it many names – systems integration testing, server configuration, environment compatibility testing – but only in hushed voices could it be called by its true name: “The Shiva Factor”.

Serious Business Indeed!

Now, it wasn’t that Shiva was an incompetent or inexperienced system administrator – not by a long shot. In fact, when Townbank decided to migrate from the mainframe to VAX, Shiva’s name was at the top of a very short list of people who should manage the infrastructure migration. Shiva took that responsibility very seriously and enacted several policies of his own to close what he felt were loopholes in the process. For example, every morning, before any developers, analysts or QA staff could sign in to an environment, they first had to literally sign in on a clipboard on Shiva’s desk to confirm their physical presence. Also, feeling that the process did not track developer actions at a fine enough granularity, Shiva arranged source control security so that every code check-in and every promotion between environments required a write-up with two signatures and had to be performed using his user ID, at his terminal.

On quiet days, a quick change could be turned around in one day; however, the quiet days were often holidays or weekends. Frustrated developers took their case to upper management, arguing that the policies were hindering progress and seemed completely useless. In response, management shrugged – Shiva had made his case at the beginning of the project – the environments had to be kept secure and free from cross-contamination by other instances and by developer incompetence because, after all, the VAX servers were still very new and even many of the senior developers were not entirely up to speed.

The masses grumbled and cursed under their breath, but rather than rising up, overthrowing Shiva and ending his iron-fisted reign, everybody just kind of sucked it up and moved forward. Annoying as it was, the process continued in spite of Shiva’s efforts. However, there was one situation that Shiva had seemingly neglected – what if he was unavailable?

Programmers' Little Helper

Though Kevin’s terminal showed that he was on a clone of the Production environment, his tell-tale test customer names “Nosmo King” and “Joe Blow” made him realize that he had made a grave error – the application was connecting to the Development environment’s database by mistake, and it was to be tested by the QA team later that afternoon. Ordinarily, fixing this was a piece of cake: make a few changes to the config file in the Development environment and re-promote. However, as fate would have it, Shiva was in a day-long meeting and would not be available until the next day.

Hoping that maybe Shiva had left his meeting early, Kevin stopped by Shiva’s desk but was met with only an empty chair. However, a detail about Shiva’s keyboard stood out: the letters A, S, V, H and I were all worn away. Kevin knew that Shiva was drunk with power, but was he so narcissistic as to type his own name in over and over? Or perhaps it was a hint. For fun, Kevin navigated to a command prompt and typed “shiva” for both the username and the password. Expecting Shiva to sneak up on him at any moment, Kevin pressed Enter and was shocked and amazed to discover that he was now logged in.

This was amazing. This was huge. Kevin knew he had to find someone to share his discovery with; however, after tracking down one of the graybeards who had mentored him earlier in his tenure and relaying his discovery, the reaction was not at all what Kevin expected.

As it turned out, Shiva’s username and password combination were a favorite Townbank “secret” that carried over from Shiva’s days as a mainframe admin.

“To keep Shiva from catching on,” the more senior developer explained, “we would play Shiva’s game once every other promotion.”

“Also, for future reference,” he continued, “if you want to avoid getting caught, and ruining it for everybody else, you might want to log in from your own terminal and NOT from his desk.”
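The two failures in the story are worth naming plainly: an administrator password equal to the username, and every check-in and promotion performed under that one account, so the audit trail could never say who actually did what. The first is cheap to detect. The following is an added example, not code from the story or from Townbank; it assumes a credential store of (username, salt, PBKDF2-HMAC-SHA256 hash) records and tries a handful of username-derived guesses against each record. The three sample records are constructed for the demo, and the iteration count is lowered so the check runs quickly; a real store would use a far higher one.

```python
"""Audit a credential store for passwords trivially derived from the username.

Added example (not from the original story). Assumptions: the store holds
(username, salt, PBKDF2-HMAC-SHA256 hash) tuples, and the guess list below
is representative of what a bored developer would try first.
"""
import hashlib
import hmac

# Lowered for the demo; production stores should use a much larger count.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash the same way the (assumed) store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def username_derived_guesses(username: str):
    """Yield the obvious passwords an attacker derives from a username."""
    base = username.lower()
    yield base                      # the classic: password == username
    yield base.capitalize()         # Shiva
    yield base[::-1]                # avihs
    for suffix in ("1", "123", "!", "2019"):
        yield base + suffix


def audit(records):
    """Return the usernames whose password matches a username-derived guess.

    Each guess is hashed with the record's own salt and compared in constant
    time; a record is flagged at the first hit.
    """
    flagged = []
    for username, salt, stored in records:
        for guess in username_derived_guesses(username):
            if hmac.compare_digest(hash_password(guess, salt), stored):
                flagged.append(username)
                break
    return flagged


def _make(username: str, password: str, salt: bytes):
    """Build one constructed store record for the demo."""
    return (username, salt, hash_password(password, salt))


# Constructed sample store: one admin with password == username, one
# developer with a reasonable passphrase, one service account with a suffix.
SAMPLE_STORE = [
    _make("shiva", "shiva", b"salt-a"),
    _make("kevin", "correct horse battery", b"salt-b"),
    _make("ops", "ops123", b"salt-c"),
]


if __name__ == "__main__":
    for name in audit(SAMPLE_STORE):
        print(f"weak credential: {name}")
```

Running the audit over the sample store flags `shiva` and `ops` and leaves `kevin` alone. The second failure, shared use of one privileged account, is not something a password check can fix; it needs per-person accounts and a promotion mechanism that records the real actor.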


Sam VargheseWhatever happened to the ABC’s story of the century?

In the first three weeks of June last year, the ABC’s Sarah Ferguson presented a three-part saga on the channel’s Four Corners program, which the ABC claimed was the “story of the century”.

It was a rehashing of all the claims against US President Donald Trump, which the American TV stations had gone over with a fine-toothed comb but which Ferguson seemed convinced still had something to chew over.

At the time, a special counsel, former FBI chief Robert Mueller, was conducting an investigation into claims that Trump colluded with Russia to win the presidential election.

Earlier this year, Mueller announced the results of his probe: zilch. Zero. Nada. Nothing. A big cipher.

Given that Ferguson echoed all the same claims by interviewing a number of rather dubious individuals, one would think that it was time for a mea culpa – that is, if one had even a semblance of integrity, a shred of honesty in one’s being.

But Ferguson seems to have disappeared off the face of the earth. The ABC has been silent about it too. Given that she and her entourage spent the better part of six weeks traipsing the streets and corridors of power in the US and the UK, considerable funds would have been spent.

This, by an organisation that is always weeping about its budget cuts. One would think that such a publicly-funded organisation would be a little more circumspect and not allow anyone to indulge in such an exercise of vanity.

If Ferguson had unearthed even one morsel of truth, one titbit of information that the American media had not found, then one would not be writing this. But she did nothing of the sort; she just raked over all the old bones.

One hears Ferguson is now preparing a program on the antics that the government indulged in last year by dumping its leader, Malcolm Turnbull. This issue has also been done to death, and there has already been a two-part investigation by the Sky News presenter David Speers, a fine reporter. One book has been published, by the former political aide Niki Savva, and more are due.

It looks like Ferguson will again be acting in the manner of a dog that returns to its own vomit. She appears to have cultivated considerable skill in this art.