Audit of Unbound DNS by X41 D-Sec – Full Results
> Both the audit team and the Unbound team are happy with the results as they are shown. This project led to a total of 48 changes in unbound that either improve security or fix minor issues that could lead to future security problems as the application grows and evolves over time. The consensus is that Unbound has greatly benefited from the work and that the users and applications that depend on it are now safer than they were prior to our work. A patch will be released tomorrow, December 12th 2019.
> Meet the ZedRipper – a 16-core, 83 MHz Z80 powerhouse as portable as it is impractical. The ZedRipper is my latest attempt to build a fun ‘project’ machine, with a couple of goals in mind:
The Go runtime scheduler's clever way of dealing with system calls
> One of Go’s signature features is goroutines, which are lightweight threads that are managed by the Go runtime. The Go runtime implements goroutines using an M:N work stealing scheduler to multiplex goroutines onto operating system threads. The scheduler has special terminology for three important entities: a G is a goroutine, an M is an OS thread (a ‘machine’), and a P is a ‘processor’, which at its core is a limited resource that must be claimed by an M in order to run Go code. Having a limited supply of Ps is how Go limits how many things it will do at once, so as to not overload the overall system; generally there is one P per actual CPU that the OS reports (the number of Ps is GOMAXPROCS).
Go memory ballast: How I learnt to stop worrying and love the heap
> The heap size is the total size of allocations on the heap. Therefore, if a ballast of 10 GiB is allocated, the next GC will only trigger when the heap size grows to 20 GiB. At that point, there will be roughly 10 GiB of ballast + 10 GiB of other allocations.
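The trigger arithmetic in that quote can be checked directly against the runtime. The program below is an added example written for this page, not code from the linked post: it allocates a ballast slice, keeps it reachable from a package-level variable, and reads `MemStats.NextGC` (the heap size at which the next collection starts) before and after. It assumes the default `GOGC=100`, which is what the article's "doubles" arithmetic relies on, and scales the article's 10 GiB down to 64 MiB so it runs anywhere.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
)

// ballast is held in a package-level variable so the collector counts it as
// live heap. It contains no pointers, so the collector never scans it, and
// it is never written, so the OS never backs its pages with physical memory.
var ballast []byte

// heapGoal forces a full collection and returns the heap size at which the
// next GC cycle will be triggered.
func heapGoal() uint64 {
	runtime.GC()
	var m runtime.MemStats
	runtime.ReadMemStats(&m)
	return m.NextGC
}

// HeapGoalWithBallast returns the GC trigger without a ballast and with a
// ballast of size bytes. With GOGC=100 the trigger is roughly twice the live
// heap, so the ballast roughly doubles it: a 64 MiB ballast leaves about
// 64 MiB of headroom for other allocations before the next collection.
func HeapGoalWithBallast(size int) (before, after uint64) {
	debug.SetGCPercent(100) // assumption: the default GOGC the article relies on
	ballast = nil
	before = heapGoal()
	ballast = make([]byte, size)
	after = heapGoal()
	return before, after
}

func main() {
	const size = 64 << 20 // 64 MiB, the article's 10 GiB scaled down
	before, after := HeapGoalWithBallast(size)
	fmt.Printf("NextGC without ballast: %d MiB\n", before>>20)
	fmt.Printf("NextGC with %d MiB ballast: %d MiB\n", size>>20, after>>20)
	fmt.Printf("headroom for real allocations before GC: ~%d MiB\n", (after-uint64(size))>>20)
}
```

Two caveats worth knowing before copying the trick: the ballast only stays "free" as long as nothing ever writes to it, and since Go 1.19 the runtime offers `GOMEMLIMIT` / `debug.SetMemoryLimit` as the supported way to tell the collector how much memory it may use, which removes most of the reason for a ballast.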
Real hardware breakthroughs, and focusing on rustc
> After the addition of the NVMe driver a couple months ago, I have been running Redox OS permanently (from an install to disk) on a System76 Galago Pro (galp3-c), with System76 Open Firmware as well as the un-announced, in-development, GPLv3 System76 EC firmware. This particular hardware has full support for the keyboard, touchpad, storage, and ethernet, making it easy to use with Redox.
> Building Redox OS on Redox OS has always been one of the highest priorities of the project. Rustc seems to be only a few months of work away, after which I can begin to improve the system while running on it permanently, at least on one machine. With Redox OS being a microkernel, it is possible that even the driver level could be recompiled and respawned without downtime, making it incredibly fast to develop for. With this in place, I would work more efficiently on porting more software and tackling more hardware support issues, such as filling in the USB stack and adding graphics drivers.
Some near-term arm64 hardening patches
> The arm64 architecture is found at the core of many, if not most, mobile devices; that means that arm64 devices are destined to be the target of attackers worldwide. That has led to a high level of interest in technologies that can harden these systems. There are currently several such technologies, based in both hardware and software, that are being readied for the arm64 kernel; read on for a survey on what is coming.
Instant stone (just add water!)
> This basic technology has been known since prehistoric times: the kilning of limestone is older than pottery, much older than metalworking, and possibly older than agriculture. But over the millennia, better formulas for cement have been created, with superior mixtures of ingredients and improved processes.
Plus a follow up: https://rootsofprogress.org/cement-redux
Zombie Miles And Napa Weekends: How A Week With Chauffeurs Showed The Major Flaw In Our Self-Driving Car Future
> A few years ago, Mustapha Harb realized there was a problem in his field of research about how autonomous cars will change the way people travel. The solution to the problem he settled on was as simple as it was revealing.
> Using 13 volunteers (a very small sample size due to budgetary constraints) from the San Francisco Bay Area who owned cars, Harb and his team studied their travel patterns using GPS trackers on their cars and phones for one week, then gave them a chauffeur for a week who would drive the participants’ personal vehicles for them. Finally, the researchers observed the subjects for a final week to look for any changes returning to their chauffeur-less life.
The Bytecode Alliance: Building a secure, composable future for WebAssembly
> We have a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations. And based on advances rapidly emerging in the WebAssembly community, we believe we can make this vision real.
> WebAssembly can provide the kind of isolation that makes it safe to run untrusted code. We can have an architecture that’s like Unix’s many small processes, or like containers and microservices. But this isolation is much lighter weight, and the communication between them isn’t much slower than a regular function call. This means you can use them to wrap a single WebAssembly module instance, or a small collection of module instances that want to share things like memory among themselves.
Tearing apart printf()
> If ‘Hello World’ is the first program for C students, then printf() is probably the first function. I’ve had to answer questions about printf() many times over the years, so I’ve finally set aside time for an informal writeup.
> This wild goose chase is not only a great learning experience, but also an interesting test for the dedicated beginner. Will they come back with an answer? If so, how detailed is it? What IS a good answer?
The Google Squeeze
> OTAs have always been a special case when it comes to Aggregation Theory; like Aggregators, they serve customers on a zero marginal cost basis, and they have power over supply (hotels, primarily) by virtue of delivering them demand. The hangup for me is how they acquire that demand: first and foremost from Google.
> This arrangement between OTAs and Google has long been beneficial to both sides. Google drives traffic to the OTAs, which can monetize that traffic via commissions extracted from suppliers. Google, meanwhile, not only receives relevant results it could serve to customers, but also makes billions of dollars from OTAs buying search ads.
Rust 2020: GUI and community
> In response to the call for blogs about the vision for Rust for 2020, I’m going to write about GUI. I believe the time is right for a native GUI toolkit written in Rust, and that such a thing would fill a very important niche. There is a demand for performance (which, to me, includes startup time, RAM footprint, and binary size), and Rust is in the best position to deliver on that.
My name causes an issue with any booking
> Whenever I get a ticket through an agent and they put my first name as Amr, it lands as A only in the Airlines system. That happened with many airlines and different agents. That is pretty much annoying, especially during the online check-in.
> In the case of a Travel Agency connected to Amadeus, for example, this means that they are likely using ATE: the Amadeus Terminal Emulator, which as the name implies emulates the terminals of old.
> Check the Quick Reference Guide, p. 33 on how to create a PNR:
> NM1SMITH/JOHN MR
> Using a space, the parsing is unambiguous; however, not all agents put a space.
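The failure mode is the classic one of a grammar with an optional separator: with the space, `AMR MR` is a given name and a title; without it, `AMR` could be `AMR` or `A` + `MR`, and a parser that strips a trailing title wins. The Go program below is an added example for this page, not Amadeus's code or grammar; it reconstructs a parser with the behaviour the post describes (a recognised title stripped from an unspaced given name, which is how `AMR` becomes `A`), and adds the check a booking tool could put in front of it: refuse the ambiguous form and ask for the space. The title list is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NameElement is the result of parsing one NM1 (single passenger) name entry.
type NameElement struct {
	Surname   string
	FirstName string
	Title     string
}

// titles a terminal-style parser might accept at the end of the given-name
// field (assumed list). Longer titles first so "MRS" is not read as MR + S.
var titles = []string{"MSTR", "MISS", "MRS", "MS", "MR"}

var errNotNM1 = errors.New("not an NM1 entry")

// ParseNM parses "NM1SURNAME/GIVEN TITLE" or "NM1SURNAME/GIVENTITLE".
// Assumed behaviour, not the real grammar: when the given-name field has no
// space, a recognised title is stripped from its end, so "AMR" collapses to
// first name "A" plus title "MR".
func ParseNM(entry string) (NameElement, error) {
	entry = strings.ToUpper(strings.TrimSpace(entry))
	if !strings.HasPrefix(entry, "NM1") {
		return NameElement{}, fmt.Errorf("%w: %q", errNotNM1, entry)
	}
	surname, given, ok := strings.Cut(strings.TrimPrefix(entry, "NM1"), "/")
	if !ok || surname == "" || given == "" {
		return NameElement{}, fmt.Errorf("%w: missing SURNAME/GIVEN in %q", errNotNM1, entry)
	}
	ne := NameElement{Surname: surname}
	if first, title, spaced := strings.Cut(given, " "); spaced {
		// A space makes the split explicit: everything after it is the title.
		ne.FirstName, ne.Title = first, strings.TrimSpace(title)
		return ne, nil
	}
	for _, t := range titles {
		if strings.HasSuffix(given, t) && len(given) > len(t) {
			ne.FirstName, ne.Title = strings.TrimSuffix(given, t), t
			return ne, nil
		}
	}
	ne.FirstName = given
	return ne, nil
}

// ParseNMStrict rejects an unspaced given name that ends in a title, since the
// entry could mean either reading, and tells the agent how to disambiguate.
func ParseNMStrict(entry string) (NameElement, error) {
	ne, err := ParseNM(entry)
	if err != nil {
		return ne, err
	}
	_, given, _ := strings.Cut(strings.ToUpper(strings.TrimSpace(entry)), "/")
	if !strings.Contains(given, " ") && ne.Title != "" {
		return NameElement{}, fmt.Errorf("ambiguous given name %q: %q or %q? put a space before the title",
			given, given, ne.FirstName+" "+ne.Title)
	}
	return ne, nil
}

func main() {
	for _, e := range []string{"NM1SMITH/JOHN MR", "NM1SMITH/AMR", "NM1SMITH/AMR MR"} {
		ne, err := ParseNM(e)
		fmt.Printf("%-18s lenient: %+v %v\n", e, ne, err)
		_, err = ParseNMStrict(e)
		fmt.Printf("%-18s strict:  %v\n", e, err)
	}
}
```

The lenient parser is the one the post is complaining about; the strict one is the only robust fix short of changing the wire format, because once `NM1SMITH/AMR` has been accepted there is no way to recover which reading the agent meant.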
How Swift Achieved Dynamic Linking Where Rust Couldn't
> For those who don’t follow Swift’s development, ABI stability has been one of its most ambitious projects and possibly its defining feature, and it finally shipped in Swift 5. The result is something I find endlessly fascinating, because I think Swift has pushed the notion of ABI stability farther than any language without much compromise.
Project Silica proof of concept stores Warner Bros. ‘Superman’ movie on quartz glass
> It was the first proof of concept test for Project Silica, a Microsoft Research project that uses recent discoveries in ultrafast laser optics and artificial intelligence to store data in quartz glass. A laser encodes data in glass by creating layers of three-dimensional nanoscale gratings and deformations at various depths and angles. Machine learning algorithms read the data back by decoding images and patterns that are created as polarized light shines through the glass.
Kubernetes made my latency 10x higher
> Problems often appear just because we put some pieces together in the first place.
The July Galileo Outage: What happened and why
> This post is an excerpt of a far longer post on Galileo, its structures and the cause of the outage. Here we’ll only focus on the outage - the potential underlying reasons behind it are described in the full article.
> Since the week-long outage in July I’ve been fascinated by Galileo and, together with a wonderful crew of developers, experts and receiver operators, have learned so much about what I now know are called ‘Global Navigation Satellite Systems’ or GNSS. This has led to the galmon.eu project, which monitors the health and vital statistics of GPS, Galileo, BeiDou and GLONASS. More about the project can be read in the full article.
I totally missed the fact that there was an outage, but some interesting commentary.
Bypassing GitHub's OAuth flow
> What happens if we send an authenticated HEAD request to https://github.com/login/oauth/authorize? We’ve concluded that the router will treat it like a GET request, so it will get sent to the controller. But once it’s there, the controller will realize that it’s not a GET request, and so the request will be handled by the controller as if it was an authenticated POST request. As a result, GitHub will find the OAuth app specified in the request, and grant it access to the authenticated user’s data.
Help me, framework!
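The bug class is worth seeing in miniature: the router and the controller each make a two-way decision about the method, but they draw the line in different places. The Go program below is an added example for this page, not GitHub's code; it reproduces the pattern the excerpt describes with `net/http` (a router that lets HEAD through on the GET route, a handler that treats "not GET" as the consent POST) next to a handler that enumerates its methods. The path, client URL and session cookie are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const authorizePath = "/login/oauth/authorize"

// grant stands in for "look up the OAuth app and issue it a code": the
// redirect a consenting user would be sent to (client URL is constructed).
func grant(w http.ResponseWriter) {
	w.Header().Set("Location", "https://client.example/callback?code=constructed-code")
	w.WriteHeader(http.StatusFound)
}

// authorizeVulnerable follows the pattern in the excerpt: the handler only
// asks "is this a GET?", and anything else is assumed to be the POST from
// the consent form. A HEAD the router passed through on the GET route
// therefore falls into the grant branch.
func authorizeVulnerable(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodGet {
		w.WriteHeader(http.StatusOK) // render the consent page
		return
	}
	grant(w)
}

// authorizeFixed enumerates the methods it accepts: HEAD is a read like GET,
// and only an explicit POST reaches the grant.
func authorizeFixed(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodGet, http.MethodHead:
		w.WriteHeader(http.StatusOK)
	case http.MethodPost:
		grant(w)
	default:
		w.Header().Set("Allow", "GET, HEAD, POST")
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// newRouter mimics a framework router that maps HEAD onto the GET route, so
// GET, HEAD and POST all reach the same handler.
func newRouter(handler http.HandlerFunc) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(authorizePath, func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodPost:
			handler(w, r)
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
	return mux
}

// Probe sends one authenticated request (session cookie assumed valid) with
// the given method and returns the status code the handler produced.
func Probe(handler http.HandlerFunc, method string) int {
	req := httptest.NewRequest(method, authorizePath+"?client_id=app&redirect_uri=https://client.example/callback", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "constructed"})
	rec := httptest.NewRecorder()
	newRouter(handler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, m := range []string{"GET", "HEAD", "POST"} {
		fmt.Printf("%-4s vulnerable=%d fixed=%d\n", m, Probe(authorizeVulnerable, m), Probe(authorizeFixed, m))
	}
}
```

The HEAD row is the whole bug: 302 with a code from the vulnerable handler, 200 from the fixed one. Two defences stack here: allowlist the methods in the handler rather than negating one of them, and bind the consent POST to a per-session anti-CSRF token so that no request which did not come from the rendered consent form can grant, whatever method it arrived with.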
Martin Scorsese: I Said Marvel Movies Aren’t Cinema. Let Me Explain.
> Many franchise films are made by people of considerable talent and artistry. You can see it on the screen. The fact that the films themselves don’t interest me is a matter of personal taste and temperament. I know that if I were younger, if I’d come of age at a later time, I might have been excited by these pictures and maybe even wanted to make one myself. But I grew up when I did and I developed a sense of movies — of what they were and what they could be — that was as far from the Marvel universe as we on Earth are from Alpha Centauri.
Besides a bit of old fashioned hand wringing here and there, a fairly level take, although I’m not sure how much I can bring myself to care.
I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too.
> Little-known companies are amassing your data — like food orders and Airbnb messages — and selling the analysis to clients. Here’s how to get a copy of what they have on you.
> As of this summer, though, Sift does have a file on you, which it can produce upon request. I got mine, and I found it shocking: More than 400 pages long, it contained all the messages I’d ever sent to hosts on Airbnb; years of Yelp delivery orders; a log of every time I’d opened the Coinbase app on my iPhone. Many entries included detailed information about the device I used to do these things, including my IP address at the time.