CowboyRobot writes:
David Chisnall of the University of Cambridge argues that despite the current trend of categorizing processors and accelerators as "general purpose", there really is no such thing and believing in such a device is harmful.
"The problem of dark silicon (the portion of a chip that must be left unpowered) means that it is going to be increasingly viable to have lots of different cores on the same die, as long as most of them are not constantly powered. Efficient designs in such a world will require admitting that there is no one-size-fits-all processor design and that there is a large spectrum, with different trade-offs at different points."
CowboyRobot writes:
Alex Liu is a senior UI engineer at Netflix and part of the core team leading the migration of Netflix.com to Node.js. He has an article at ACM's Queue in which he describes how JavaScript is used at Netflix. "With increasingly more application logic being shifted to the browser, developers have begun to push the boundaries of what JavaScript was originally intended for. Entire desktop applications are now being rebuilt entirely in JavaScript—the Google Docs office suite is one example. Such large applications require creative solutions to manage the complexity of loading the required JavaScript files and their dependencies. The problem can be compounded when introducing multivariate A/B testing, a concept that is at the core of the Netflix DNA. Multivariate testing introduces a number of problems that JavaScript cannot handle using native constructs, one of which is the focus of this article: managing conditional dependencies."
CowboyRobot writes:
HTTPS has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents (such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed) have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations (notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale) have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
CowboyRobot writes:
We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attack. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks.
CowboyRobot writes:
In ACM's Queue, Thomas Wadlow argues that "Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today."
He gives a checklist of what to look for when evaluating any system for trustworthiness, chock full of fascinating historical examples.
These include NASA opting for a simpler, but more reliable chip; the Terry Childs case; and even an 18th-century "semaphore telegraph" that was a very early example of steganographic cryptography.
FTA: "Detecting an anomaly is one thing, but following up on what you've detected is at least as important. In the early days of the Internet, Cliff Stoll, then a graduate student at Lawrence Berkeley Laboratories in California, noticed a 75-cent accounting error on some computer systems he was managing. Many would have ignored it, but it bothered him enough to track it down. That investigation led, step by step, to the discovery of an attacker named Markus Hess, who was arrested, tried, and convicted of espionage and selling information to the Soviet KGB."
CowboyRobot writes:
Erik Meijer, known for his contributions to Haskell, C#, Visual Basic, Hack, and LINQ, has an article at the ACM in which he argues that "Mostly functional" programming does not work. "The idea of "mostly functional programming" is unfeasible. It is impossible to make imperative programming languages safer by only partially removing implicit side effects. Leaving one kind of effect is often enough to simulate the very effect you just tried to remove. On the other hand, allowing effects to be "forgotten" in a pure language also causes mayhem in its own way. Unfortunately, there is no golden middle, and we are faced with a classic dichotomy: the curse of the excluded middle, which presents the choice of either (a) trying to tame effects using purity annotations, yet fully embracing the fact that your code is still fundamentally effectful; or (b) fully embracing purity by making all effects explicit in the type system and being pragmatic by introducing nonfunctions such as unsafePerformIO. The examples shown here are meant to convince language designers and developers to jump through the mirror and start looking more seriously at fundamentalist functional programming."
CowboyRobot writes:
Samsung isn’t making it easy for developers. The company may have released a handful of SDKs for its latest devices, but Samsung’s non-committal approach to its Tizen platform is probably going to cost it developer support. Samsung’s first smartwatch, released in October last year, ran a modified version of Google’s Android platform. The device had access to about 80 apps at launch, all of which were managed by a central smartphone app. Samsung offered developers an SDK for the Galaxy Gear so they could create more apps. Developers obliged. Then Samsung changed direction.
CowboyRobot writes:
Writing for ACM's Queue magazine, Paul Vixie argues, "The edge of the Internet is an unruly place." By design, the Internet core is stupid, and the edge is smart. This design decision has enabled the Internet's wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means we're at the mercy of scale when it comes to the quality of the Internet's aggregate traffic load. Not all device and software builders have the skills and budgets that something the size of the Internet deserves. Furthermore, the resiliency of the Internet means that a device or program that gets something importantly wrong about Internet communication stands a pretty good chance of working "well enough" in spite of this. Witness the endless stream of patches and vulnerability announcements from the vendors of literally every smartphone, laptop, or desktop operating system and application. Bad guys have the time, skills, and motivation to study edge devices for weaknesses, and they are finding as many weaknesses as they need to inject malicious code into our precious devices where they can then copy our data, modify our installed software, spy on us, and steal our identities.
CowboyRobot writes:
Andrew Koenig at Dr. Dobb's argues that by looking at a program's structure — as opposed to only looking at output — we can sometimes predict circumstances in which it is particularly likely to fail. "For example, any time a program decides to use one or two (or more) algorithms depending on an aspect of its input such as size, we should verify that it works properly as close as possible to the decision boundary on both sides. I've seen quite a few programs that impose arbitrary length limits on, say, the size of an input line or the length of a name. I've also seen far too many such programs that fail when they are presented with input that fits the limit exactly, or is one greater (or less) than the limit. If you know by inspecting the code what those limits are, it is much easier to test for cases near the limits."
CowboyRobot writes:
If you shop carefully online, you can buy a general purpose enterprise SSD, such as Intel’s DC S3700 for about $2.65/GB or a read-oriented drive like the Intel DC S3500 for $1.30/GB. By comparison, a 4TB nearline SATA hard disk such as Western Digital’s RE or Seagate’s Constellation costs under $400 or $0.09/GB. Interestingly, consumer/laptop SSDs are well below the magic $1/GB level with Crucial’s M500 selling for about $0.59/GB — about what hard drives cost in 2005. If we assume that SSD prices will fall at their historical 35% annual rate and hard drive prices will fall at a more conservative 15% by 2020, the enterprise SSD will cost almost 13 cents a gigabyte, more than the hard drive costs today, while the 20TB drives the hard drive vendors are promising for 2020 will cost under 3 cents a GB. The price difference will have shrunk from 30:1 to around 5:1. If drive prices fall at a closer-to-historical 25%, they’ll still be a tenth the cost of SSDs at the end of the decade.
CowboyRobot writes:
The Software Inferno is a tale that parallels The Inferno, Part One of The Divine Comedy written by Dante Alighieri in the early 1300s. That literary masterpiece describes the condemnation and punishment faced by a variety of sinners in their hell-spent afterlives as recompense for atrocities committed during their earthly existences. The Software Inferno is a similar account, describing a journey where "sinners against software" are encountered amidst their torment, within their assigned areas of eternal condemnation, and paying their penance.
"CANTO 2 — LUST: As the countess and I approached the Inferno's second circle, pine we did for the relative comfort of the circle we had just departed, as the inundating and blinding light emanating from the circle ahead bothered our eyes. It originally appeared as if the glow ahead was born of a single source, but our ever-growing nearness showed that it was actually an assemblage of many individual light beams, each specifically focused on a single one of the circle's many inhabitants."
CowboyRobot writes:
David Chisnall, of the University of Cambridge, describes how interfacing between languages is increasingly important. You can no longer expect a nontrivial application to be written in a single language. High-level languages typically call code written in lower-level languages as part of their standard libraries (for example, GUI rendering), but adding calls can be difficult. In particular, interfaces between two languages that are not C are often difficult to construct. Even relatively simple examples, such as bridging between C++ and Java, are not typically handled automatically and require a C interface. The problem of interfacing between languages is going to become increasingly important to compiler writers over the coming years.
CowboyRobot writes:
In November, Denmark-based Bitcoin Internet Payment System suffered a DDoS attack. Unfortunately for users of the company's free online wallets for storing bitcoins, the DDoS attack was merely a smokescreen for a digital heist that quickly drained numerous wallets, netting the attackers a reported 1,295 bitcoins — worth nearly $1 million — and leaving wallet users with little chance that they'd ever see their money again. Given the potential spoils from a successful online heist, related attacks are becoming more common. But not all bitcoin heists have been executed via hack attacks or malware. For example, a China-based bitcoin exchange called GBL launched in May. Almost 1,000 people used the service to deposit bitcoins worth about $4.1 million. But the exchange was revealed to be an elaborate scam after whoever launched the site shut it down on October 26 and absconded with the funds. The warnings are all the same: "Don't trust any online wallet.", "Find alternative storage solutions as soon as possible.", and "You don't have to keep your Bitcoins online with someone else. You can store your Bitcoins yourself, encrypted and offline."
CowboyRobot writes:
The incentives are high for many businesses and government agencies to not be too heavy-handed in combating the global botnet pandemic. There's money to be had and, with each passing day, more interesting ways are being uncovered in how to package the data, and how to employ it. It used to be that the worlds of bug hunters and malware analysts were separate and far between. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising in value. In many ways, botnets have become a golden goose to those charged with gathering intelligence on the populations of foreign entities. The bulk of the victims' data is useful for mapping populations, communication profiles, and as egress points for counter-intelligence exercises. Then, given how many botnet victims there are, the probability that a few "interesting" computers will have succumbed along the way is similarly high — providing direct insight into a pool of high-value targets.
CowboyRobot writes:
The price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity. For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there. Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250.