While the kernel has had support for asynchronous
I/O (AIO) since the 2.5
development cycle, it has also had people complaining about AIO for about
that long. The current interface is seen as difficult to use and
inefficient; additionally, some types of I/O are better supported than
others. That situation may be about to change with the introduction of a proposed
new interface from Jens Axboe called “io_uring”. As might be expected
from the name,
io_uring introduces just what the kernel needed more than anything else:
yet another ring buffer.
It is that time of year again: Google is looking
for mentor projects for the 2019 Summer of Code. “GSoC is a
global program that draws university student developers from around the
world to contribute to open source. Each student spends three months
working on a coding project, with the support of volunteer mentors, for
participating open source organizations from late May to August. Last year
1,264 students worked with 206 open source organizations.” The
application deadline is February 6.
In this episode, Simon speaks with Andrew Crudge (Senior Product Manager, FSx) about this newly released service, capabilities available to customers and how to make the best use of it in your environment.
The AWS Podcast is a cloud platform podcast for developers, dev ops, and cloud professionals seeking the latest news and trends in storage, security, infrastructure, serverless, and more. Join Simon Elisha and Jeff Barr for regular updates, deep dives and interviews. Whether you’re building machine learning and AI models, open source projects, or hybrid cloud solutions, the AWS Podcast has something for you.
“User tracking” is generally contentious in free-software communities—even
if the “tracking” is not really intended to do so. It is often
distributions that have the most interest in counting their users, but
Linux users tend to be more privacy conscious than users of more mainstream
desktop operating systems. The Fedora project recently discussed how to
count its users and ways to preserve their privacy while doing so.
Security updates have been issued by Arch Linux (irssi and systemd), CentOS (systemd), Debian (xen and zeromq3), Fedora (gnutls, kernel, kernel-headers, kernel-tools, and nbdkit), Oracle (libvncserver and systemd), Red Hat (libvncserver), and Ubuntu (haproxy, libarchive, and php-pear).
An advisory from Harry Sintonen describes several vulnerabilities in the scp clients shipped with OpenSSH, PuTTY, and others. “Many
scp clients fail to verify if the objects returned by the scp server match
those it asked for. This issue dates back to 1983 and rcp, on which scp is
based. A separate flaw in the client allows the target directory attributes
to be changed arbitrarily. Finally, two vulnerabilities in clients may
allow server to spoof the client output.” The outcome is that a
hostile (or compromised) server can overwrite arbitrary files on the client
side. There do not yet appear to be patches available to address these
Former Facebook CISO Alex Stamos argues that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off — which would be more profitable for them and bad for society.
If we ask tech companies to fix ancient societal ills that are now reflected online with moderation, then we will end up with huge, democratically-unaccountable organizations controlling our lives in ways we never intended. And those ills will still exist below the surface.
This has been a surreal and difficult year, but everything turned out much better in the end.
I can’t possibly do the whole story justice, and I’m not eager to rehash it anyway, so here’s the incredibly short version. The players are myself, my partner Ash (formerly Mel, aka glip), and their (at the time) husband Marl.
Helpful context: for years, Ash has been the target of a stalking slash gossip campaign. A group of folks on a forum infamous for this sort of thing likes to dig through our online footprints for dirt and compile lengthy lists of awful things we’ve allegedly done. Every time this happened, we dropped everything and investigated. It’s exhausting. Virtually everything we’ve been accused of has been some combination of long since resolved, wildly embellished, carefully trimmed to remove any explanatory context, completely misunderstood, distorted through rounds of telephone, or occasionally outright fabricated — and what’s not, we gladly apologize for and try to repair. But there are so many fractalline complaints that no casual observer could possibly double-check the evidence (it sometimes takes weeks for us to comb through it all), and we can’t respond effectively without producing a massive tome that no one will bother to read.
This is where we’re starting from.
In early April, someone posted logs from 2012 of Marl having horny chats with someone who was 15/16 and suggesting a variety of other shady behavior. The teenager in question was someone Marl had briefly hired to help him assemble con merch; Ash and I had barely interacted with her at all and didn’t even know they’d spoken outside of that. Nevertheless, “warnings” about all three of us began to circulate rapidly, Ash’s friends started getting doxxed, and folks bailed on us in droves — all while Ash and I were still trying to grasp what was even going on.
Marl offered a general apology, told us the logs were bogus, then became upset and withdrew. He didn’t keep logs of his own, so we had little else to go on and had to trust him. I found some oddities in the logs: enough to make me skeptical of them and more trusting of Marl, but nothing concrete.
Ash was completely exhausted with this, which was by no means the first accusation leveled at them over events they hadn’t even known about. They couldn’t take any more, were on the verge of a breakdown, and decided to abandon the internet altogether. That left me as the obvious conduit for anyone trying to get at Ash, and I am very bad at not grouching about something annoying, so this presented a very tangible risk. Ash is more important to me than being online, so I left as well.
For various reasons, not least of which is that the forum had our address and was still whipping a rather lot of people into a bloodthirsty frenzy, we no longer felt safe in our home. We left that too.
We stayed with Marl’s parents for a while, which gave Ash time to think. They started to feel the full weight of a lot of things, big and small, that Marl had done over the course of their ten-year marriage: lots of breaches of trust; stretching Ash’s patience as far as it would go and then promising to improve for just long enough; leaving us to deal with accusations levelled against him with zero information more than once.
He also eventually admitted that the logs were not entirely bogus, although he never clarified more specifically, so I have no way to know what he actually did or not. At the very least, he did slide into the DMs of a high schooler (who was also his employee, no less).
We subsequently evicted him from our lives, leaving him with his parents when we moved to a new place.
I’m told the teenager dropped off the forum (which she’d been posting on anonymously), and no one but Marl knows her identity, so she’s effectively vanished. We haven’t had contact with Marl in months. That just leaves us.
I’ve explained a lot of this in gratuitous detail on Twitter, and it’s been relatively quiet for a while now, but the initial confused mess can’t be undone. Gossip cannot be un-spread. To this day, we still get folks trying to warn people away from us, based primarily on what Marl did behind our backs.
Oh, well. Can’t please everyone, right? Does that actually apply here?
It drives me nuts to be misrepresented, but on the other hand, maybe it’s okay that people who take gossip at face value are self-selecting themselves out of my internet experience.
Anyway, that’s why my output was a bit low last year: I was chased from my home and thought I would be leaving the internet forever! Then I had to spend a few months getting settled. Plus I’ve been on and off ADHD meds since May, which has kind of thrown me for a loop, but I finally got that all sorted out just a few days ago. Now I can finally get back to, um, whatever it is that I do.
In lighter news!
We live in Colorado Springs now! It’s beautiful and lovely and actually has weather, which is a nice change after five years in Vegas.
I changed my name! It was in part to stay out of public records so we wouldn’t be doxxed again, but then they doxxed the name change, so, that didn’t work. Oh, well, I’m still happy I did it. I’m Evelyn Woods now. That’s right: I legally changed my name to Eevee.
Ash and I are engaged! Also I love them a lot. Marl injected a lot of invisible, ambiguous tension into the household; without that smothering us, we are flourishing. We went through hell together and made it out the other side. I’m… well, I’m really happy.
We got a new cat: Cheeseball, a Lykoi! He loves to make friends and also fight them, and his antics helped a lot over the summer. He’s very good.
So good, in fact, that over the summer I started working on Cheezball Rising, a game about Cheeseball for the Game Boy Color! It is hard and I am not very far along. Also I’ve been in outer space and haven’t worked on it much in several months. But I’ve been blogging the whole thing which is at least moderately interesting.
I also wrote a stub of a game for the GBA in Rust over the past week for a game jam, though it hasn’t gotten especially far either.
And, some other games? Probably? I think Alice’s Day Off was this most recent February, right? God, that feels like it was a decade ago. So much for finishing it by June.
I kinda-sorta kept up with art over the summer, but art requires a certain kind of mood for me, and I… wasn’t in it. Which is a shame, because I was starting to feel like I was getting somewhere.
I slopped together little Pelican-based art galleries for my SFW and NSFW art, which I’d been meaning to do for a while!
I don’t know. I stopped tracking what I was doing every day quite so closely, since I wasn’t doing much every day for a while there. Maybe I’ll start the weekly roundup posts back up? Did anyone read those?
What about 2019, then?
I feel unleashed and am absolutely certain this will be a fantastic year. Mostly I have to catch up on everything I didn’t do last year. Well, that’s fine. Let’s see, what do I even have in the air right now:
Cheezball Rising, the GBC game
fox flux advance, the GBA game, maybe
fox flux, the continuation of the desktop game
Alice’s Day Off, which was only released as a demo
I recently read two different essays that make the point that while Internet security is terrible, it really doesn’t affect people enough to make it an issue.
This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data.
Security updates have been issued by Arch Linux (python-django and python2-django), Debian (sqlite3, systemd, and vlc), Fedora (mingw-nettle and polkit), Mageia (graphicsmagick, python-django, spice-vdagent, and to), openSUSE (aria2, discount, gpg2, GraphicsMagick, gthumb, haproxy, irssi, java-1_7_0-openjdk, java-1_8_0-openjdk, libgit2, LibVNCServer, and sssd), Red Hat (systemd), Scientific Linux (systemd), Slackware (irssi and zsh), SUSE (LibVNCServer and sssd), and Ubuntu (gnome-bluetooth and systemd).
We are excited to announce that we will host the first-ever Scratch Conference Europe in the UK this summer: from Friday 23 to Sunday 25 August at Churchill College, Cambridge!
Scratch Conference is a participatory event that gives hundreds of educators the chance to explore the creative ways in which people are programming and learning with Scratch. In even-numbered years, the conference is held at the MIT Media Lab, the birthplace of Scratch; in odd-numbered years, it takes place in other places around the globe.
Since 2019 is also the launch year of Scratch 3, we think it’s a fantastic opportunity for us to bring Scratch Conference Europe to the UK for the first time.
What you can look forward to
Hands-on, easy-to-follow workshops across a range of topics, including the new Scratch 3
Interactive projects to play with
Thought-provoking talks and keynotes
Plenty of informal chats, meetups, and opportunities for you to connect with other educators
Join us to become part of a growing community, discover how the Raspberry Pi Foundation can support you further, and develop your skills with Scratch as a creative tool for helping your students learn to code.
Contribute to Scratch Conference Europe
Would you like to contribute your own content at the event? We are looking for you in the community to share or host:
We warmly welcome young people under 18 as content contributors; they must be supported by an adult. All content contributors will be able to attend the whole event for free.
The second 5.0 prepatch is out for testing.
“So the merge window had somewhat unusual timing with the holidays,
and I was afraid that would affect stragglers in rc2, but honestly, that
doesn’t seem to have happened much. rc2 looks pretty normal.”
So I had this naive idea that it would be easy to do certificate transparency verification as part of each request in addition to certificate validity checks (in Java).
With half of the weekend sacrificed, I can attest it’s not that trivial. But what is certificate transparency? In short – it’s a publicly available log of all TLS certificates in the world (which are still called SSL certificates even though SSL is obsolete). You can check if a certificate is published in that log and if it’s not, then something is suspicious, as CAs have to push all of their issued certificates to the log. There are other use-cases, for example registering for notifications for new certificates for your domains to detect potentially hijacked DNS admin panels or CAs (Facebook offers such a tool for free).
What I wanted to do is the former – make each request from a Java application verify the other side’s certificate in the certificate transparency log. It seems that this is not available out of the box (if it is, I couldn’t find it. In one discussion about JEP 244 it seems that the TLS extension related to certificate transparency was discussed, but I couldn’t find whether it’s supported in the end).
I started by thinking you could simply get the certificate, and check its inclusion in the log by the fingerprint of the certificate. That would’ve been too easy – the logs do allow for checking by hash, however it’s not the fingerprint of a certificate, but instead a signed certificate timestamp – a signature issued by the log prior to inclusion. To quote the CT RFC:
The SCT (signed certificate timestamp) is the log’s promise to incorporate the certificate in the Merkle Tree
A Merkle tree is a very cool data structure that allows external actors to be convinced that something is within the log by providing an “inclusion proof” which is much shorter than the whole log (thus saving a lot of bandwidth). In fact the coolness of Merkle trees is why I was interested in certificate transparency in the first place (as we use Merkle trees in my current log-oriented company).
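To show what checking an inclusion proof involves, here is an added example (not code from the original post) of the RFC 6962 hashing rules and audit-path check run over a small constructed log. The class and method names are hypothetical and the log entries are placeholder strings, not certificates.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public class MerkleInclusion {
    static byte[] hash(int prefix, byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update((byte) prefix);
            for (byte[] part : parts) md.update(part);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every JRE must provide SHA-256
        }
    }

    // RFC 6962 domain separation: 0x00 for leaves, 0x01 for interior nodes.
    static byte[] leafHash(byte[] entry) { return hash(0x00, entry); }
    static byte[] nodeHash(byte[] left, byte[] right) { return hash(0x01, left, right); }

    /** Log side: Merkle tree hash over entries [from, to). */
    static byte[] treeHash(List<byte[]> entries, int from, int to) {
        if (to - from == 1) return leafHash(entries.get(from));
        int k = Integer.highestOneBit(to - from - 1); // largest power of two < n
        return nodeHash(treeHash(entries, from, from + k), treeHash(entries, from + k, to));
    }

    /** Log side: audit path for the leaf at absolute position index, deepest sibling first. */
    static List<byte[]> auditPath(List<byte[]> entries, int index, int from, int to) {
        if (to - from == 1) return new ArrayList<>();
        int mid = from + Integer.highestOneBit(to - from - 1);
        List<byte[]> path;
        if (index < mid) {
            path = auditPath(entries, index, from, mid);
            path.add(treeHash(entries, mid, to));
        } else {
            path = auditPath(entries, index, mid, to);
            path.add(treeHash(entries, from, mid));
        }
        return path;
    }

    /** Client side: recompute the root from one entry plus the audit path. */
    static boolean verify(byte[] entry, long index, long treeSize,
                          List<byte[]> path, byte[] rootHash) {
        if (index < 0 || index >= treeSize) return false;
        long fn = index, sn = treeSize - 1;
        byte[] r = leafHash(entry);
        for (byte[] p : path) {
            if (sn == 0) return false;            // proof is longer than the tree is deep
            if ((fn & 1) == 1 || fn == sn) {
                r = nodeHash(p, r);               // sibling is on the left
                while ((fn & 1) == 0 && fn != 0) { fn >>= 1; sn >>= 1; }
            } else {
                r = nodeHash(r, p);               // sibling is on the right
            }
            fn >>= 1;
            sn >>= 1;
        }
        return sn == 0 && MessageDigest.isEqual(r, rootHash);
    }

    public static void main(String[] args) {
        List<byte[]> log = new ArrayList<>();     // constructed entries
        for (int i = 0; i < 7; i++) log.add(("entry-" + i).getBytes(StandardCharsets.UTF_8));
        byte[] root = treeHash(log, 0, log.size());
        List<byte[]> proof = auditPath(log, 5, 0, log.size());
        byte[] altered = "entry-X".getBytes(StandardCharsets.UTF_8);

        System.out.println("hashes in proof: " + proof.size());
        System.out.println("genuine entry:   " + verify(log.get(5), 5, 7, proof, root));
        System.out.println("altered entry:   " + verify(altered, 5, 7, proof, root));
        System.out.println("wrong index:     " + verify(log.get(5), 4, 7, proof, root));
    }
}
```

The client only needs the entry, its index, the tree size, the root hash and the path; the treeHash and auditPath methods stand in for work the log does.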
Obtaining the SCT can be done in three ways, depending on what the server and/or log and/or CA have chosen to support: the SCT can be included in the certificate, or it can be provided as a TLS extension during the TLS handshake, or can be included in the TLS stapling response, again during the handshake. Unfortunately, the few certificates that I checked didn’t have the SCT stored within them, so I had to go to a lower level and debug the TLS handshake.
I enabled TLS handshake verbose output, and lo and behold – there was nothing there. Google does include SCTs as a TLS extension (according to Qualys), but the Java output didn’t say anything about it.
Fortunately (?) Google has released Conscrypt – a Java security provider based on Google’s fork of OpenSSL. Things started to get messy…but I went for it, included Conscrypt and registered it as a security provider. I had to make a connection using the Conscrypt TrustManager (initialized with all the trusted certs in the JDK):
And of course it didn’t work initially, because Conscrypt doesn’t provide implementations of some core interfaces needed – the CTLogStore and CTPolicy classes. The CTLogStore actually is the important bit that holds information about all the known logs (I still find it odd to call a “log provider” simply “log”, but that’s the accepted terminology). There is a list of known logs, in JSON form, which is cool, except it took me a while to figure out (with external help) what exactly those public keys are. What are they – RSA, ECC? How are they encoded? You can’t find that in the RFC, nor in the documentation. It can be seen here that it’s “DER encoding of the SubjectPublicKeyInfo ASN.1 structure”. Ugh.
BouncyCastle to the rescue. My relationship with BouncyCastle is a love-hate one. I hate how unintuitive it is and how convoluted its APIs are, but I love that it has (almost) everything cryptography-related that you may ever need. After some time wasted with trying to figure how exactly to get that public key converted to a PublicKey object, I found that using PublicKeyFactory.createKey(Base64.getDecoder().decode(base64Key)); gives you the parameters of whatever algorithm is used – it can return Elliptic curve key parameters or RSA key parameters. You just have to then wrap them in another class and pass them to another factory (typical BouncyCastle), and hurray, you have the public key.
Of course now Google’s Conscrypt didn’t work again, because after the transformations the publicKey’s encoded version was not identical to the original bytes, and so the log ID calculation was wrong. But I fixed that by some reflection, and finally, it worked – the certificate transparency log was queried and the certificate was shown to be valid and properly included in the log.
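The log-key handling described above can also be done with the JDK alone, as in this added example (not the code from the original post, and using the standard KeyFactory rather than BouncyCastle). The CtLogKey class and its members are hypothetical names, and the sample keys are generated at run time rather than taken from a real log list; the log ID is hashed over the published bytes, so no re-encoding is involved.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class CtLogKey {
    final PublicKey key;   // usable with java.security.Signature
    final byte[] logId;    // SHA-256 over the published SubjectPublicKeyInfo bytes

    private CtLogKey(PublicKey key, byte[] logId) {
        this.key = key;
        this.logId = logId;
    }

    /** Parses the base64 key value of a log-list entry (DER SubjectPublicKeyInfo). */
    static CtLogKey parse(String base64Spki) throws GeneralSecurityException {
        byte[] spki = Base64.getDecoder().decode(base64Spki);
        // Hash the bytes exactly as published, not key.getEncoded() of a rebuilt key.
        byte[] logId = MessageDigest.getInstance("SHA-256").digest(spki);
        // The structure carries its own algorithm OID, so each KeyFactory
        // either accepts the bytes or rejects them.
        for (String algorithm : new String[] {"EC", "RSA"}) {
            try {
                PublicKey key = KeyFactory.getInstance(algorithm)
                        .generatePublic(new X509EncodedKeySpec(spki));
                return new CtLogKey(key, logId);
            } catch (InvalidKeySpecException notThisAlgorithm) {
                // fall through and try the next algorithm
            }
        }
        throw new InvalidKeySpecException("log key is neither EC nor RSA");
    }

    /** JCA signature name for the two algorithms RFC 6962 permits for logs. */
    String signatureAlgorithm() {
        return key.getAlgorithm().equals("EC") ? "SHA256withECDSA" : "SHA256withRSA";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample keys generated on the spot; these are not real CT log keys.
        for (String algorithm : new String[] {"EC", "RSA"}) {
            KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
            generator.initialize(algorithm.equals("EC") ? 256 : 2048);
            String published = Base64.getEncoder()
                    .encodeToString(generator.generateKeyPair().getPublic().getEncoded());

            CtLogKey log = CtLogKey.parse(published);
            System.out.println(log.key.getAlgorithm() + " key, verify SCTs with "
                    + log.signatureAlgorithm() + ", log ID "
                    + Base64.getEncoder().encodeToString(log.logId));
        }
    }
}
```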
The whole code can be found here. And yes, it uses several security providers, some odd BouncyCastle APIs and some simple implementations that are missing in Google’s provider. Known certificates may be cached so that repeated calls to the log are not performed, but that’s beyond the scope of my experiment.
Certificate transparency seems like a thing that’s core to the internet nowadays. And yet, it’s so obscure and hard to work with.
Why is the type of public key in the list not documented? (They should at least put an OID next to the public key, because as it turns out, not all logs use elliptic curves – two of them use RSA.) Probably there’s a good explanation, but why include the SCT in the log rather than the fingerprint of the certificate? Why not then mandate inclusion of the SCT in the certificate, which would require no additional configuration of the servers and clients, as opposed to including it in the TLS handshake, which does require upgrades?
As far as I know, the certificate transparency initiative is now facing scalability issues because of the millions of Let’s Encrypt certificates out there. Every log (provider) should serve the whole log to everyone that requests it. It is not a trivial thing to solve, and efforts are being put in that direction, but no obvious solution is available at the moment.
And finally, if Java doesn’t have an easy way to do that, with all the crypto libraries available, I wonder what’s the case for other languages. Do they support certificate transparency or do they need upgrades?
And maybe we’re all good because browsers support it, but browsers are not the only thing that makes HTTP requests. API calls are a massive use-case and if they can be hijacked, the damage can be even bigger than individual users being phished. So I think more effort should be put in two things: 1. improving the RFC and 2. improving the programming ecosystem. I hope this post contributes at least a little bit.
Two tables that show general attitudes. Nieman Lab highlights in its headline that one third do not expect help. But roughly as many rely on foundations and the non-governmental sector, while only one in nine has expectations related to the state:
Although attention to the relationship with the audience keeps rising and subscriptions occupy an increasingly important place among funding sources, advertising remains important, the publication stresses:
In 2017, households in the European Union (EU) spent 8.5% of their total consumption expenditure on recreation and culture. This represents a total expenditure of over 710 billion euros, or 4.6% of EU GDP, or EUR 1400 per EU inhabitant.
Denmark and Sweden spend the largest share of household expenditure on recreation and culture, and Greece the smallest:
Between 2007 and 2017, the share of recreation and culture in total household expenditure fell in most EU countries. Increases were recorded in Slovakia (from 9.0% in 2007 to 10.4% in 2017) and Lithuania.
There is also a slight increase in Bulgaria (from 7.5% to 7.9%), but the level remains below the Union average.
As the Backblaze team grows, our marketing team is growing with it. To help expand our Backblaze B2 Cloud Storage business we needed some industry veterans, and we were lucky when Janet came on board! Let’s learn a bit more about Janet, shall we?
What is your Backblaze Title?
Senior Product Marketing Manager, B2 Media and Entertainment.
Where are you originally from?
I was born and raised in Baton Rouge. I fell in love with California during a summer internship and never looked back. Momma still isn’t happy about it.
What attracted you to Backblaze?
With my experience in storage, backup and archive, Backblaze is a natural fit. I like how it feels like a startup, even though it’s been steadily building a business for a decade. I’m not a big company person.
What do you expect to learn while being at Backblaze?
I expect to learn things I never expected to learn.
Where else have you worked?
Most recently I’ve been marketing storage products for the media & entertainment market at Quantum and Atempo, a backup and archive company. Before that, I was developing CAD software for Cadence and coding object recognition algorithms at Lockheed.
Where did you go to school?
I’m a third generation graduate of Louisiana State University, where I studied Computer Science. Geaux Tigers!
What’s your dream job?
One where I work with a great team on interesting projects and we all get fabulously wealthy.
Favorite place you’ve traveled?
Visiting extended family in Singapore and Malaysia, where every meal was a culinary feast with a different tropical fruit for dessert. And yes, I like durian.
Lately I’ve been obsessed with family history research. I’ve dug up so many incredible stories in the historic newspaper archives: deadly gunfights, embezzlers, brothel owners, and even a bigamist. If you think your family is boring, you haven’t dug deep enough.
Of what achievement are you most proud?
In 2014, I founded Bike to Shop Day, a one-day event where businesses offered discounts or other perks to people who arrived by bike. We recruited 90 businesses in San Mateo and Santa Clara County the first year, then grew to 130 the second year. Our goal was to raise awareness with shop owners and shoppers that bicycling for errands
Star Trek or Star Wars?
Star Wars, but I’m really more into Indiana Jones. Because Harrison Ford.
Coke or Pepsi?
I’m a Southerner, so I have to say Coke. To be honest, I prefer sparkling water. Call it the Californian in me.
Lay’s potato chips. I can’t eat just one.
Why do you like certain things?
I like things that make me think. I like things that make me imagine.
Anything else you’d like to tell us?
Eight years ago I decided to ride my bicycle to work every day. Now I bike and take transit almost everywhere and my car gathers dust in the driveway.
Janet has one of the coolest bikes on the planet, it folds up and sometimes hangs out next to her desk! Welcome aboard Janet!
I read Ivaylo Dichev’s article for DW, and my observations match his.
The refugee wave in Germany is by no means free of problems, and neither is the migration one. The big problem with Merkel’s policy is that it did not set the right expectations: it did not explain that a solution exists but needs to be made to happen. Instead, all that was said was that everything is fine and there is no problem. The truth, however, is that neither crime nor the incidence of disease has risen noticeably. Quite the opposite: overall they are steadily decreasing.
This misunderstanding became a tool in the AfD’s campaign of fear, but neither it nor the migrants themselves are the reason their “patrEots” are competing to be the second political force. The real reason is the widening income gap and the shrinking standard of living of a large share of Germans, even though the economy is growing and Germany is one of the strongest and most stable countries. The ordinary German does not see this and is fed up with being told that he complains too much when the situation is great (sound familiar?). The effect of this growth, however, helps only a small percentage of the elite, on the model of the States, although still with much less contrast. Pensioners also have a big problem, but the cultural differences with southern Europe still help, as I have already described. That is why it is very easy for populists to ride the wave of social discontent and point to the easiest victims as the “guilty” ones: refugees, migrants, “the others”. We see the same in Bulgaria.
This change in the population that Dichev talks about is, however, inevitable: the German demographic problem is much bigger than ours, and the population is kept from shrinking only by migration and the refugees. Even so, analyses indicate that Germany needs several million more migrants on top of the expected inflow so that the economy does not start to shrink in the coming years. Just as in Bulgaria, there is a shortage of all kinds of workers, even unskilled ones. These analyses were the reason for a sharp turn in policy and in the rhetoric on the topic in Merkel’s cabinet years ago, when quite a few of her ministers, as well as the mainstream media, were drifting toward anti-Bulgarian and anti-Romanian statements in the manner of the British.
An interesting point is that the integration policy also brought benefits for the poorest and the unemployed: many jobs opened up in the social programs, such as clerks, teachers (after a short course) and so on. There is even a program that helps pensioners stay active: a German grandmother takes two or three refugees and shows them around the city and the institutions. The integration process itself, however, is quite problematic, and on political and administrative grounds at that. There were quite a few scandals, money reportedly disappeared, and this was one of the main topics in the recent elections. There have long been warnings that discrimination in the German education system is a major obstacle not only to integrating the refugees, but also the current migrants and even children who are second-generation Germans.
As for the Russians: they are not only numerous, but also a parallel state within Germany. There are many jokes about the Turks in Germany, but the Turks socialize, work and are an active part of society and politics. The Russians have their own kindergartens, schools, courses and every aspect of everyday life. A child born into a Russian family can reach adulthood without ever leaving their closed circle. This is a much bigger problem for Germany than the refugees.