How Good Are FiveThirtyEight Forecasts?
https://projects.fivethirtyeight.com/checking-our-work/ [projects.fivethirtyeight.com]
2023-05-19 16:30
tags:
factcheck
math
visualization
Here, we’re looking at two main things: the calibration of a forecast — that is, whether events that we said would happen 30 percent of the time actually happened about 30 percent of the time — and how our forecast compared with an unskilled estimate that relies solely on historical averages. We can answer those questions using calibration plots and skill scores, respectively.
See this page fetch itself, byte by byte, over TLS
https://subtls.pages.dev/ [subtls.pages.dev]
2023-05-11 21:08
tags:
interactive
networking
security
visualization
This page performs a live, annotated https: request for its own source. It’s inspired by The Illustrated TLS 1.3 Connection and Julia Evans’ toy TLS 1.3.
source: L
FAAS in Go with WASM, WASI and Rust
https://eli.thegreenplace.net/2023/faas-in-go-with-wasm-wasi-and-rust/ [eli.thegreenplace.net]
2023-05-11 21:07
tags:
go
programming
rust
wasm
web
This post is best described as a technology demonstration; it melds together web servers, plugins, WebAssembly, Go, Rust and ABIs. Here’s what it shows:
How to load WASM code with WASI in a Go environment and hook it up to a web server.
How to implement web server plugins in any language that can be compiled to WASM.
How to translate Go programs into WASM that uses WASI.
How to translate Rust programs into WASM that uses WASI.
How to write WAT (WebAssembly Text) code that uses WASI to interact with a non-JS environment.
source: L
Memoirs from the old web: The KEYGEN element
https://www.devever.net/~hl/web-keygen [www.devever.net]
2023-04-29 20:49
tags:
browser
html
retro
security
turtles
ux
web
The purpose of the <keygen/> element was to allow a web browser to generate a private/public keypair upon submitting a form, in a way that allowed a web browser to be enrolled in a new client certificate.
source: L
gefs - good enough file system
https://orib.dev/gefs.html [orib.dev]
2023-04-28 23:50
tags:
fs
plan9
systems
Gefs is a new file system built for Plan 9. It aims to be a crash-safe, corruption-detecting, simple, and fast snapshotting file system, in that order. Gefs achieves these goals by building a traditional 9p file system interface on top of a forest of copy-on-write Bε trees. It doesn’t try to be optimal on all axes, but good enough for daily use.
source: L
Beautiful Branchless Binary Search
https://probablydance.com/2023/04/27/beautiful-branchless-binary-search/ [probablydance.com]
2023-04-28 23:45
tags:
compsci
cxx
programming
I read a blog post by Alex Muscar, “Beautiful Binary Search in D“. It describes a binary search called “Shar’s algorithm”. I’d never heard of it and it’s impossible to google, but looking at the algorithm I couldn’t help but think “this is branchless.” And who knew that there could be a branchless binary search? So I did the work to translate it into a algorithm for C++ iterators, no longer requiring one-based indexing or fixed-size arrays.
https://muscar.eu/shar-binary-search-meta.html
source: L
Of Sun Ray laptops, MIPS and getting root on them
http://oldvcr.blogspot.com/2023/04/of-sun-ray-laptops-mips-and-getting.html [oldvcr.blogspot.com]
2023-04-28 17:45
tags:
hardware
retro
systems
The bottom line is, as we’ll demonstrate in the next few screenshots, this laptop isn’t just a MIPS laptop: it’s three apparently completely independent RISC systems with their own memory, flash and operating system on an internal Ethernet network. All those NIC and switch chips are the internal communication interfaces from the Au1550 to the IXP425 and the AR2316A, but using the IDE bus lines instead of actual twisted pair. That’s not what I was expecting to find in a Sun Ray!
source: HN
You didn’t just do that, Heroku
https://openfolder.sh/heroku-anti-dx [openfolder.sh]
2023-04-18 05:50
tags:
cloud
development
I inspected Heroku’s logs again and saw that it wasn’t just this specific task that was being dispatched twice, all of them were:
See, at this point the celerybeat dyno shouldn’t even exist. It was nowhere to be found on my list of dynos. But here it is, alive, well, and scheduling tasks.
source: HN
Ultra-long YouTube highlight videos are ruining sports — and I’m fine with that
https://www.theverge.com/2023/4/16/23683820/youtube-extended-highlights-sports-soccer-nba-nfl [www.theverge.com]
2023-04-17 02:42
tags:
hoipolloi
sports
tv
A few months ago, I discovered a new genre of YouTube video. It’s called the “extended highlight,” and it typically takes the form of a video somewhere between eight and 18 minutes long, with rapid-fire jump cuts between all the most important parts of a game.
Understanding Mr. Brightside
https://www.youtube.com/watch?v=ZgpXoEtaVcg [www.youtube.com]
2023-04-17 02:07
tags:
music
video
A Cryptographic Near Miss
https://words.filippo.io/dispatches/near-miss/ [words.filippo.io]
2023-04-11 20:00
tags:
bugfix
crypto
go
math
security
Go 1.20.2 fixed a small vulnerability in the crypto/elliptic package. The impact was minor, to the point that I don’t think any application was impacted, but the issue was interesting to look at as a near-miss, and to learn from.
source: L
CAN Injection: keyless car theft
https://kentindell.github.io/2023/04/03/can-injection/ [kentindell.github.io]
2023-04-07 15:28
tags:
cars
exploit
hardware
hoipolloi
investigation
security
solder
This is a detective story about how a car was stolen - and how it uncovered an epidemic of high-tech car theft.
Now that people know how a relay attack works generally possible to defeat it: car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won’t receive the radio message from the car). Faced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: by-passing the entire smart key system. They do this with a new attack: CAN Injection.
Dumb bugs: the PCI device that wasn't
https://sthbrx.github.io/blog/2023/04/04/dumb-bugs-the-pci-device-that-wasnt/ [sthbrx.github.io]
2023-04-05 18:21
tags:
bugfix
c
linux
programming
So pci_notify() gets called with our VIO device (somehow), and we’re converting that struct device into a struct pci_dev with no error checking. We could solve this particular bug by just checking that our device is actually a PCI device before we proceed - but we’re in a function called pci_notify, we’re expecting a PCI device to come in, so this would just be a bandaid.
source: L
MMC2 Magic - How Punch-Out's Graphics Work
https://www.youtube.com/watch?v=Zfl1dvu5gBo [www.youtube.com]
2023-03-31 05:27
tags:
gaming
graphics
investigation
retro
video
Two boxers. No flicker? How is this possible? The MMC2 Mapper chip: Explained
How to draw too many sprites by making one a background, then how to smoothly animate it by side scrolling.
Mechanical Watch
https://ciechanow.ski/mechanical-watch/ [ciechanow.ski]
2023-03-31 02:44
tags:
interactive
physics
tech
visualization
In the world of modern portable devices, it may be hard to believe that merely a few decades ago the most convenient way to keep track of time was a mechanical watch. Unlike their quartz and smart siblings, mechanical watches can run without using any batteries or other electronic components.
Over the course of this article I’ll explain the workings of the mechanism seen in the demonstration below. You can drag the device around to change your viewing angle, and you can use the slider to peek at what’s going on inside:
gotraceui - an efficient frontend for Go execution traces
https://github.com/dominikh/gotraceui [github.com]
2023-03-31 02:29
tags:
development
go
perf
swtools
Gotraceui is a tool for visualizing and analyzing Go execution traces. It is meant to be a faster, more accessible, and more powerful alternative to go tool trace. Unlike go tool trace, Gotraceui doesn’t use deprecated browser APIs (or a browser at all), and its UI is tuned specifically to the unique characteristics of Go traces.
source: L
Charts.css
https://chartscss.org/ [chartscss.org]
2023-03-31 02:28
tags:
html
library
visualization
web
Charts.css is a modern CSS framework. It uses CSS utility classes to style HTML elements as charts.
source: L
The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders
https://wrv.github.io/h26forge.pdf [wrv.github.io]
2023-03-28 18:51
tags:
exploit
format
fuzzing
paper
pdf
security
turtles
video
Modern video encoding standards such as H.264 are a marvel of hidden complexity. But with hidden complexity comes hidden security risk. Decoding video in practice means interacting with dedicated hardware accelerators and the proprietary, privileged software components used to drive them. The video decoder ecosystem is obscure, opaque, diverse, highly privileged, largely untested, and highly exposed—a dangerous combination.
We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files. Using H26FORGE, we uncover insecurity in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS, memory corruption bugs in Firefox and VLC for Windows, and video accelerator and application processor kernel memory bugs in multiple Android devices.
https://github.com/h26forge/h26forge
Synthetic Memory Protections - An update on ROP mitigations
https://www.openbsd.org/papers/csw2023.pdf [www.openbsd.org]
2023-03-25 19:35
tags:
cpu
defense
malloc
openbsd
pdf
security
slides
systems
ROP methods have become increasingly sophisticated
But we can identify system behaviours which only ROP code requires
We can contrast this to what Regular Control Flow code needs
And then, find behaviours to block
source: HN
A fork() in the road
https://www.microsoft.com/en-us/research/uploads/prod/2019/04/fork-hotos19.pdf [www.microsoft.com]
2023-03-25 04:02
tags:
malloc
paper
pdf
programming
systems
unix
The received wisdom suggests that Unix’s unusual combination of fork() and exec() for process creation was an inspired design. In this paper, we argue that fork was a clever hack for machines and programs of the 1970s that has long outlived its usefulness and is now a liability. We catalog the ways in which fork is a terrible abstraction for the modern programmer to use, describe how it compromises OS implementations, and propose alternatives.
source: L