There will be a total lunar eclipse tomorrow night. The entire eclipse will be visible from anywhere in the Americas and Europe. Here on Whidbey Island, the eclipse starts at 7:33pm and ends at 10:50pm; totality runs from 8:41 to 9:43pm. This is going to be a glorious eclipse. According to Astronomy Picture of the Day, the next total lunar eclipse visible from anywhere on the planet will be on May 26, 2021, and will last 15 minutes.
Details, and times for your location, can be found at: Total Lunar Eclipse on January 20–21, 2019 – Where and When to See
ETA: of course, this is the Pacific Northwest. It will probably be raining.
Signal boost: jesse_the_k | Markdown Simplifies Formatting Your DW Posts.
Markdown is a popular plain-text markup language that strongly resembles the conventions of email. In fact, posting by email has used markdown for a long time; you can now use it for posting by using the HTML editor and starting your post with !markdown. It also works if you're using a client that takes raw HTML, such as MakeStuff. See Jesse's post for the cheat-sheet, or go to the official spec, at https://daringfireball.net/projects/
From king5.com :
In case of an emergency and you can't get through by dialing 911, you can dial the following numbers for dispatch centers:
- Chelan/Douglas County 911: Countywide 911 Center for Police and Fire, (509) 663-9911
- Clallam County 911: Countywide 911 Center for Police and Fire, 360-417-2259/2459 or 360-417-4970
- Grays Harbor 911: Countywide 911 Center for Police and Fire, (800) 281-6944
- Island County 911: Countywide 911 Center for Police and Fire, (360) 678-6116
- Jefferson County 911: Countywide 911 Center for Police and Fire, 360-385-3831 or 360-344-9779 EXT. 0, or text 911
- King County 911:
  - Bothell Police (425) 486-1254
  - Enumclaw Police (360) 417-2259
  - Lake Forrest Park Police (425) 486-1254
  - Issaquah Police (425) 837-3200
  - Redmond Police (425) 556-2500
  - Snoqualmie Police (425) 888-3333
  - Seattle Police (206) 625-5011
  - Seattle Fire (206) 583-2111
  - Norcom (425) 577-5656. Fire Departments – Bellevue FD, Bothell FD, Duvall FD, Eastside Fire and Rescue, Fall City FD, Kirkland FD, Mercer Island FD, Northshore FD, Redmond FD, Shoreline FD, Skykomish FD, Snoqualmie FD, Snoqualmie Pass Fire and Rescue and Woodinville Fire and Rescue. Police Departments – Bellevue PD, Clyde Hill PD, Medina PD, Kirkland PD, Mercer Island PD and Normandy Park Police.
  - Valley Com (253) 852-2121. Fire Departments – Valley Regional Fire Authority (Algona, Pacific and Auburn), South King Fire and Rescue (Federal Way and Des Moines), Puget Sound Regional Fire Authority (Kent, Seatac, Covington and Maple Valley), Tukwila FD, Renton FD, Burien/Normandy Park FD, Skyway Fire, Mountain View Fire and Rescue, Palmer Selleck Fire Districts, Vashon Island Fire and Rescue, Enumclaw FD, King County Airport (Boeing Field) and King County Medic One. Police Departments – Algona PD, Pacific PD, Auburn PD, Des Moines PD, Federal Way PD, Kent PD, Renton PD and Tukwila PD.
  - King County Sheriff’s Office (206) 296-3311: Town of Beaux Arts, City of Burien, City of Carnation, City of Covington, City of Kenmore, King County Airport Police (Boeing Field), City of Maple Valley, King County Metro Transit, Muckleshoot Indian Tribe, City of Newcastle, City of Sammamish, City of Seatac, City of Shoreline, Town of Skykomish, Sound Transit and City of Woodinville.
- Kitsap County 911: Countywide 911 Center for Police and Fire, (360)-308-5400
- Kittitas County 911: Lower County: 509 925 8534; Upper County: 509 674 2584, select 1, then select 1 for KITTCOM
- Lewis County 911: Countywide 911 Center for Police and Fire, (360) 740-1105
- Mason County 911: Countywide 911 Center for Police and Fire, (360) 426-4441
- Pacific County 911: Countywide 911 Center for Police and Fire, (360) 875-9397
- Pierce County 911: Countywide 911 Center for Police and Fire, (253) 798-4722. *Except Tacoma, Fircrest, Fife and Ruston – call Tacoma Fire Dispatch (253)627-0151
- San Juan County 911: Countywide 911 Center for Police and Fire, (360) 378-4151
- Skagit County 911: Countywide 911 Center for Police and Fire, (360) 428-3211
- Snohomish County 911: Countywide 911 Center for Police and Fire, (425) 407-3999
- Thurston County 911: Countywide 911 Center for Police and Fire, (360) 704-2740
- Whatcom County 911: Whatcom County Fire (360) 676-6814; Whatcom County Sheriff (360) 676-6911
Last night around 11pm I was awakened by an alert on my phone telling me that 911 service was down, and giving me an alternate number to call. By morning, it was clear that it wasn't a local problem. A quick search showed that the problem was caused by CenturyLink, which tweeted, blaming it on a network element that was impacting customer services and saying that they estimated it would be fixed in about four hours.
It was more like twelve here on Whidbey Island, and some parts of the country are still (as of 2pm) offline, according to Outage.Report. The FCC is investigating.
If you live in Washington, king5.com has a handy list of numbers to call, by county. (The news article also has auto-playing video - you may want to mute your speakers.)
Winterfaire 2018 is open at The Wordsmith's Forge. Browse! Shop! Buy!
I may set up a booth later; I have to look around the pavilion and see whether I have any stock left.
NaBloPoMo stats: 15537 words in 29 posts this month (average 535/post); 56 words in 1 post today; 2 days with no posts.
There’s an article about a security problem getting a bit of attention lately,
Apache Access Vulnerability Could Affect Thousands of
Sounds really scary. Here’s a better article about it,
Zero-day in popular jQuery plugin actively exploited for at least three
Looking at those titles you might think that the problem is either with a jQuery plugin, or Apache’s .htaccess files. It’s neither. The real situation is more complicated. You might think that if you’re not using this plugin on your website, you’d be safe. You’d be wrong. You might think that patching the plugin, or the Apache web server, would solve the problem. You’d be wrong about that, too. The real problem is still there, waiting to bite you in the tail. If you don’t have a website, or don’t allow file uploads, you can stop reading now unless you’re curious. If you do, stick around (or jump to the last section if all you want is the fix).
The problem being reported
You may have noticed that the two titles up there are highlighting different aspects of the problem. There’s that “popular jQuery plugin”. People building websites use it to allow their users to upload files (e.g., cat pictures). It’s really popular – 7800 forks on GitHub, 29,000 stars; probably tens or hundreds of thousands of sites using it. And then there’s the Apache web server. Apache is even more popular – it runs some 45% of the web. Since there are presently just short of two (although all but a couple of hundred million are currently active). And, more specifically, files which are used to override certain server configuration options (including security options, which is almost as scary as it sounds, but doesn’t have to be).
The specific problem is this: jQuery-File-Upload lets visitors to a web site upload their cat pictures. These get put in a directory somewhere in the server’s file system. If you’re running a website and have any sense, you’ll put that directory someplace where it can’t be seen from the web, but of course that means that your visitors can’t see the cat pictures they’ve uploaded, without you or your software doing some work, and that could be tricky.
If you have a directory that’s part of your website that you want to be invisible from the web, or visible safely (we’ll get into that a little later), there are two ways to set that up. If you have access to Apache’s configuration files, you do it there. Unfortunately that requires root access, and most of us are using shared servers and our hosting sites don’t allow that, because it would be a huge security hole if they did. The other way of configuring your site is to put a file called .htaccess somewhere on your site, and it will apply configuration overrides to that directory and everything below it. That’s a little dicey, because it’s possible to get that wrong, especially if you’re not an experienced system administrator, but if you’re operating a shared hosting service like the one I use, you have to give your users some way of setting parameters, and .htaccess is the only game
Finally there’s the fact that, some ten years ago, Apache changed the defaults on their server so that .htaccess files are disabled, so the administrator has to specifically re-enable them. What does that mean? Well, if you are allowing users to upload files, and if you put the upload directory where it can be seen from the web (meaning that people can download from it), and if you were counting on a .htaccess file to protect that directory, and if you upgraded Apache any time in the last ten years, and if you or your system administrator didn’t re-enable .htaccess files, and if you thought that your .htaccess file was still protecting you, then you have a problem. That’s a lot of “if”s, but there are an awful lot of websites.
Here’s how this situation can be exploited, as reported by a security researcher at Akamai named Larry Cashdollar, in an article titled Having The Security Rug Pulled Out From Under You.
If you can upload files to a website, all you have to do is:
It’s not hard. The first line there creates a one-line file with some PHP code in it. The second line uploads it. Now you have a file called shell.php on the server. You can send a request for that file with a query string attached to it, and PHP will helpfully pass that string to the system, which runs it. Boom.
The problem with the reporting
Here are a couple of passages quoted from the ZDNet article:
The developer’s investigation identified the true source of the vulnerability not in the plugin’s code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin’s expected behavior on Apache servers.
Starting with [version 2.3.9], the Apache HTTPD server got an option that would allow server owners to ignore custom security settings made to individual folders via .htaccess files. This setting was made for security reasons and was enabled by default.
Actually, what happened was that the server disabled .htaccess files by default, and it was done for performance reasons – having to read .htaccess files with every request is a big performance hit. Here’s what the Apache documentation says about it:
.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration. [emphasis mine]
The DARKReading Article adds,
A security vulnerability is born, Cashdollar said, when a developer looks at very old documentation and uses .htaccess for authentication instead of one of the methods now suggested by the Apache Foundation.
Well, no. The documentation is still current, and it’s very clearly marked as something you shouldn’t use unless you have to. And most of the people who have vulnerable websites aren’t developers, don’t have any choice about whether to use .htaccess, and aren’t reading the docs. They’re just doing cut-and-paste from the quick-start documents that their web host provides.
What’s the real problem?
There are a couple of things that the articles I’ve referred to didn’t mention, or just glossed over.
The first is that uploading files is a problem, and it’s been a problem since long before there was a World Wide Web! I first ran into this while running an FTP server. There are all sorts of ways file uploads can be abused. Somebody can bring down your server by uploading junk and filling your disk. They can upload malware. It has nothing at all to do with jQuery-File-Upload; this has been a problem since day 1.
The solution, if you must allow uploads, is to upload them to someplace safely outside of your website, and process them immediately – either with your server-side code, or a cron job. This is just as much common sense as not using any form data until it’s been validated and sanitized. Some languages, like Perl, give you some help with this. This is true on the
that one last week, you may remember.
The second problem is PHP. Actually, the problem is putting executable files in your website instead of someplace like a CGI script directory, or a web server. But PHP is the biggest offender. It was designed to make it so easy to build a website that anyone could do it. And everyone did.
The biggest problem with PHP is that it works by mixing executable code with the documents you’re serving to the user. Sure, it’s convenient. It’s also bad design – it’s a series of disasters waiting to happen, and this is only the most recent one.
What should you do?
- Obviously, if you have access to your server’s configuration, you should .htaccess and do everything at the server level. That’s not always possible.
- If you aren’t using PHP on your website, disable it.
- At the very least, disable PHP in your upload directory!
- If you want to let users upload files, put them someplace outside your document root and keep them there until you or your software can review them for safety. (When I was running an FTP server, I had separate ‘incoming’ and ‘outgoing’ directories.)
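The last two items are what the post is really recommending: an upload lands somewhere the web server will never serve from, under a name the uploader did not choose, and only a deliberate review step moves it into the site. The following is an added example of that flow in Python; it is not code from the post or from jQuery-File-Upload. The size limit, the accepted image types, the `.pending` naming convention and the scratch directory tree in `demo()` are all assumptions made for this example.

```python
"""Quarantine-style upload handling: store outside the document root, under a
server-chosen name with no client-controlled extension, release only on review.
Added example; limits and accepted types are assumptions for illustration."""
import os
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024                      # assumed limit for this example
MAGIC = {                                        # accepted types, by leading bytes
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class RejectedUpload(ValueError):
    """Raised for anything the quarantine refuses to accept."""


def sniff_type(data: bytes) -> str:
    """Decide the type from the content, never from the name the uploader sent."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    raise RejectedUpload("content is not one of the accepted image types")


def quarantine_upload(data: bytes, quarantine_dir: Path, docroot: Path) -> Path:
    """Write `data` into quarantine and return its path.

    The client's filename is deliberately not a parameter: nothing the uploader
    controls reaches the filesystem, so there is no `.php` for a handler to match.
    """
    quarantine_dir = quarantine_dir.resolve()
    docroot = docroot.resolve()
    if quarantine_dir == docroot or docroot in quarantine_dir.parents:
        raise RejectedUpload("quarantine must be outside the document root")
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    kind = sniff_type(data)
    quarantine_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    dest = quarantine_dir / f"{secrets.token_hex(16)}.{kind}.pending"
    # O_EXCL: never overwrite an existing file; 0o600: server user only, not executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def release(pending: Path, publish_dir: Path) -> Path:
    """The review step: move a checked file into the directory that is served."""
    if pending.suffix != ".pending":
        raise RejectedUpload("not a quarantined file")
    publish_dir.mkdir(parents=True, exist_ok=True)
    dest = publish_dir / pending.stem              # drops ".pending", keeps "<hex>.png"
    os.replace(pending, dest)
    os.chmod(dest, 0o644)
    return dest


def demo() -> dict:
    """Exercise the flow on a scratch tree with constructed inputs; returns what happened."""
    root = Path(tempfile.mkdtemp())
    docroot, quarantine = root / "htdocs", root / "quarantine"
    docroot.mkdir()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed PNG prefix
    out = {}
    pending = quarantine_upload(png, quarantine, docroot)
    out["in_quarantine"] = pending.parent == quarantine.resolve()
    out["pending_mode"] = oct(pending.stat().st_mode & 0o777)
    out["pending_name_ok"] = pending.name.endswith(".png.pending")
    try:                                           # PHP source, whatever it was named
        quarantine_upload(b"<?php echo 'x'; ?>", quarantine, docroot)
        out["php_rejected"] = False
    except RejectedUpload:
        out["php_rejected"] = True
    try:                                           # quarantine under the web tree
        quarantine_upload(png, docroot / "uploads", docroot)
        out["inside_docroot_rejected"] = False
    except RejectedUpload:
        out["inside_docroot_rejected"] = True
    published = release(pending, docroot / "images")
    out["published_suffix"] = published.suffix
    out["pending_gone"] = not pending.exists()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two refusals in `demo()` are the ones that matter for this post: a PHP file is rejected on content regardless of its name, and the code refuses to run at all if someone configures the quarantine directory inside the document root, which is exactly the setup the .htaccess discussion below is about.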
You may find Disable PHP in a directory with Apache .htaccess - Electric helpful: just put these three lines into an .htaccess file, either at the top level of your site, or down in any directories where it’s not needed (which includes not only your upload directory but also image directories and other assets, just to be sure).
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
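The catch the whole post is about is that those three lines do nothing if Apache is not reading the .htaccess in the first place, which has been the default (AllowOverride None) since 2.3.9. The following is an added example, not from the post or from the linked article, of a small audit that answers two questions for a given directory from the server configuration: would a .htaccess there be honoured at all, and is the PHP engine already off at the server level. The httpd.conf fragment is constructed; the parser only understands plain `<Directory>` blocks (no regex matches, `<Location>`, or .htaccess contents) and assumes mod_php, where `php_admin_flag engine off` applies.

```python
"""Audit whether a .htaccess in `directory` would be read (AllowOverride) and
whether PHP is already disabled there. Added example; SAMPLE_CONFIG is constructed
and the parser is deliberately limited to plain <Directory> blocks."""
import re
from pathlib import PurePosixPath

SAMPLE_CONFIG = """
<Directory "/var/www">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/site/uploads">
    php_admin_flag engine off
</Directory>

<Directory "/var/www/legacy">
    AllowOverride All
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directory_blocks(config):
    """Return [(path, {directive_lower: [values...]}), ...] for plain <Directory> blocks."""
    blocks = []
    for match in DIRECTORY_RE.finditer(config):
        path, body = match.group(1), match.group(2)
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives.setdefault(name.lower(), []).append(value.strip())
        blocks.append((path, directives))
    return blocks


def effective_directives(config, directory):
    """Merge the blocks that enclose `directory`, least specific first, so the most
    specific block wins; this mirrors Apache's ordering for plain <Directory> blocks."""
    target = PurePosixPath(directory)
    applicable = []
    for path, directives in parse_directory_blocks(config):
        p = PurePosixPath(path)
        if p == target or p in target.parents:
            applicable.append((len(p.parts), directives))
    merged = {}
    for _, directives in sorted(applicable, key=lambda item: item[0]):
        merged.update(directives)
    return merged


def htaccess_honoured(config, directory):
    """False when AllowOverride is None, or unset (the default since 2.3.9)."""
    value = effective_directives(config, directory).get("allowoverride", ["None"])[-1]
    return value.strip().lower() != "none"


def php_engine_state(config, directory):
    """'off' if a php_admin_flag/php_flag turns the engine off for this directory."""
    eff = effective_directives(config, directory)
    for flag in eff.get("php_admin_flag", []) + eff.get("php_flag", []):
        name, _, value = flag.partition(" ")
        if name.lower() == "engine":
            return value.strip().lower()
    return "on"                      # mod_php's default once the module is loaded


def audit(config, upload_dir):
    return {
        "htaccess_honoured": htaccess_honoured(config, upload_dir),
        "php_engine": php_engine_state(config, upload_dir),
    }


if __name__ == "__main__":
    for d in ("/var/www/site/uploads", "/var/www/site/images", "/var/www/legacy/uploads"):
        print(d, audit(SAMPLE_CONFIG, d))
```

In the constructed config, `/var/www/site/images` is the case the post warns about: a .htaccess dropped there is silently ignored and PHP is still on. `/var/www/site/uploads` is protected by the server-level `php_admin_flag`, which does not depend on .htaccess being read, and `/var/www/legacy` is the old-style setup where the three lines above would actually take effect.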
While you’re at it, make it so that the web server – and anyone else who isn’t you – can’t write into your website files:
Have fun, be safe out there, and don’t use PHP.
Another fine post from The Computer Curmudgeon.
TL;DR: if you bought anything from Newegg between August 14th and September 18th, call your bank and get a new credit card. You can find more details in these articles: NewEgg cracked in breach, hosted card-stealing code within its own checkout | Ars Technica // Hackers stole customer credit cards in Newegg data breach | TechCrunch // Magecart Strikes Again: Newegg in the Crosshairs | Volexity // Another Victim of the Magecart Assault Emerges: Newegg
The credit-card skimming attack appears to have been done by Magecart, the organization behind earlier attacks on British Airways and Ticketmaster. If you are one of the customers victimized by one of these attacks, it's not your fault, and there isn't much you could have done to protect yourself (but read on for some tips). Sorry about that.
This article, Compromised E-commerce Sites Lead to "Magecart", gives some useful advice. (It's way at the end, of course; search for "Conclusion and Guidance".) The most relevant for users is
An effective control that can prevent attacks such as Magecart is the use of web content whitelisting plugins such as NoScript (for Mozilla’s Firefox). These types of add-ons function by allowing the end user to specify which websites are “trusted” and prevents the execution of scripts and other high-risk web content. Using such a tool, the malicious sites hosting the credit card stealer scripts would not be loaded by the browser, preventing the script logic from accessing payment card details.
Note that I haven't tried NoScript myself -- yet. I'll give you a review when I do. They also advise selecting your online retailers carefully, but I'm not sure I'd consider, say, British Airways to be all that dubious. (Ticketmaster is another matter.)
Shy away from sites that require entering payment details on their own page. Instead prefer the websites that send you to a payment organization (PayPal, payment gateway, bank, etc) to complete the purchase. These payment organizations are required to have very strict security policies on their websites, with regular assessments, so they are less likely to be hacked or miss some unauthorized modifications in their backend code.
They also suggest checking to see whether the website has had recent security issues, and using credit cards with additional levels of authentication (e.g. 2FA -- two-factor authentication).
Things are more difficult for retailers, but the best advice (from this article, again) is
Stay away from processing payment details on your site. If your site never has access to clients’ payment details, it can’t be used to steal them even if it is hacked. Just outsource payments to some trusted third-party service as PayPal, Stripe, Google Wallet, Authorize.net, etc.
Which is the flip side of what they recommend for shoppers. If the credit card info isn't collected on your site, you're not completely safe, but it avoids many of the problems, including Magecart. Keep your site patched anyway.
If you insist on taking payment info on your own site, and even if you don't, the high-order bit is this paragraph:
E-commerce site administrators must ensure familiarity and conformance to recommended security controls and best practices related to e-commerce, and particularly, the software packages utilized. All operating system software and web stack software must be kept up to date. It is critical to remain abreast of security advisories from the software developers and to ensure that appropriate patch application follows, not only for the core package but also third-party plugins and related components. [emphasis mine]
Be careful out there!
Actually two PSAs.
First: Especially if you're running Windows, you ought to go read The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED. It's the story of how a worldwide shipping company was taken out as collateral damage in the ongoing cyberwar between Russia and the Ukraine. Three takeaways:
- If you're running Windows, keep your patches up to date.
- If you're running a version of Windows that's no longer supported (which means that you can't keep it patched, by definition), either never under any circumstances connect that box to a network, or wipe it and install an OS that's supported.
- If at all possible, keep encrypted offline backups of anything really important. (I'm not doing that at the moment either. I need to fix that.) If you're not a corporation and not using cryptocurrency, cloud backups encrypted on the client side are probably good enough.
Second: I don't really expect that any of you out there are running an onion service. (If you had to click on that link to find out what it is, you're not.) But just in case you are, you need to read Public IP Addresses of Tor Sites Exposed via SSL Certificates, and make sure that the web server for your service is listening to 127.0.0.1 (localhost) and not 0.0.0.0 or *. That's the way the instructions (at the "onion service" link above) say to set it up, but some people are lazy. Or think they can get away with putting a public website on the same box. They can't.
If you're curious and baffled by the preceding paragraph, Tor (The Onion Router) is a system for wrapping data packets on the internet in multiple layers of encryption and passing them through multiple intermediaries between you and whatever web site you're connecting with. This will protect both your identity and your information as long as you're careful! An onion service is a web server that's only reachable via Tor.
Onion services are part of what's sometimes called "the dark web".
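The check behind the second PSA is mechanical: every listening socket on the box should be bound to a loopback address, not to 0.0.0.0, [::] or *. The following is an added example in Python (not from the linked article or from Tor's documentation) that flags the non-loopback listeners in `ss -ltn` style output and also judges an Apache `Listen` directive. The sample output lines are constructed in that format; the exact column layout of `ss` on a given system is an assumption you should confirm against the real output.

```python
"""Flag listening sockets that are reachable from outside the host.
Added example; SAMPLE_SS_OUTPUT is constructed in `ss -ltn` layout."""
import ipaddress

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::1]:8443           [::]:*
LISTEN  0       128     *:443                *:*
LISTEN  0       4096    [::]:22              [::]:*
"""


def split_host_port(local: str):
    """'[::1]:8443' -> ('::1', '8443'); '127.0.0.1:8080' -> ('127.0.0.1', '8080')."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port


def is_loopback_bind(local: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards and unparseable hosts count as exposed."""
    host, _ = split_host_port(local)
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output: str) -> list:
    """Return the 'Local Address:Port' field of every LISTEN line that is not loopback-bound."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        if not is_loopback_bind(fields[3]):
            exposed.append(fields[3])
    return exposed


def listen_directive_is_loopback(directive: str) -> bool:
    """Apache: 'Listen 80' binds every interface; 'Listen 127.0.0.1:80' does not."""
    parts = directive.split()
    if len(parts) < 2 or parts[0].lower() != "listen":
        raise ValueError("not a Listen directive")
    if ":" not in parts[1]:          # bare port, no address
        return False
    return is_loopback_bind(parts[1])


if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_SS_OUTPUT):
        print("reachable from outside:", entry)
```

On a box that is only supposed to host an onion service, the expected result of `exposed_listeners` is an empty list apart from whatever you administer the machine over; anything else listed is a service that can be reached, and fingerprinted, without going through Tor.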
Be safe! The network isn't the warm, fuzzy, safe space it was in the 20th Century.
Another public service announcement from The Computer Curmudgeon.
If you're using the popular social/money-transfer phone app Venmo check your privacy settings!! It seems that the default is that every transaction you make is public! It is difficult for me to express just how broken this is. In case you're having trouble grasping the implications, just go to PUBLIC BY DEFAULT - Venmo Stories of 2017. There you will find profiles of five unsuspecting Venmo users -- one of them is a cannabis retailer -- whose transactions were among the over two hundred thousand exposed to public view during 2017.
The site is a project of Mozilla Media Fellow Hang Do Thi Duc. She has some other interesting things on her site.
It's worth noting that Venmo is owned by PayPal, and that according to a PayPal spokesperson quoted in this article on Gizmodo the public-by-default nature of person-to-person transfers (person-to-business transactions are private) is apparently a deliberate feature, not a bug.
“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” a company spokesperson told Gizmodo, asserting that the “safety and privacy” of its users is a “top priority.”
"We make it default because it's fun to share [information] with friends in the social world," a Venmo representative told CNET Friday. "[We've seen that] people open up Venmo to see what their family and friends are up to."
Because it's fun. Kind of puts it in the same category as other "fun" things like cocaine, binge drinking, and unprotected sex, doesn't it?
If your mail client automatically decrypts mail, read this!
There's no need to panic, but you should immediately disable and/or uninstall plugins that automatically decrypt PGP-encrypted or S/MIME email. The linked article tells you how.
The vulnerability is called EFAIL (the obligatory website with clever name), and allows an attacker to read your encrypted email, in effect "over your shoulder", by sending you a modified version of the encrypted message. They can do this by eavesdropping, compromising an email account or server, etc. The attack is based on the way active content, such as images, is handled in HTML email.
Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.
Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.
- EFAIL Paper [PDF]
- Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now [Updated]
- Attention PGP Users: New Vulnerabilities Require You To Take Action Now | EFF
- Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw | EFF
This has been a public service announcement from The Computer Curmudgeon.
Public Service Announcement: RainbowCon 2.1 is now in progress. Last night we had Cat Faber's concert and the Poker Chip Bardic. Programming resumes at 11am today, with workshops and gaming in the afternoon and Gwen's concert and the Player's Choice circle after dinner.
We're about an hour and a half North of Seattle; more if the ferry is backed up.
Public Service Announcement: RainbowCon 2.1 is next weekend! It's our second annual house-con (last year would have been just before we closed on selling Rainbow's End). Details at the link. Come visit our island paradise. It'll be awesome.
I seem to be finally, gradually, getting off my arse with projects -- I've installed Elm and cleared out some space in my working tree -- though not actually started coding. Probably later today.
No progress on finding a job. I've noticed that I have a strong tendency to ignore problems and paperwork, apparently thinking they'll go away if I don't look at them. I think I have to try -- again -- to get myself on a tight work schedule, with set times for job search, coding, and music. I suspect that the Pomodoro Technique -- 25-minute sprints -- may be about right. It's probably time to start using a "25min" tag.
Tuesday I cashed out my Amazon 401K. Net after taxes and transferring the Amazon shares to my brokerage account was enough to cover the rest of the remodeling, and maybe a month or two beyond that if nothing goes seriously wrong. I'm also getting a pretty substantial tax refund, mostly from the electric vehicle credit. I'll get another once I find the rest of the receipts for the work we did on Rainbow's End the year or so after we moved in. That will make the sale a pretty substantial net loss. :P
It's still a slow-motion trainwreck.
Cashing out the 401k required five phone calls -- I was a total wreck most of the afternoon.
In other news, our cat-lock -- a sliding gate across the entryway that keeps our cats from dashing out the front door the moment it's opened -- has become useless. Bronx (of course) learned that he could jump over it. Even turning the gate (a re-purposed whiteboard) 90 degrees to make it four feet high instead of three didn't work. N called Bronx "an agent of Chaos and Cuteness."
Public Service Announcement: RainbowCon 2.1 is happening here the first weekend in May.
Word of the week: Trumpery. noun, plural trumperies.
1. something without use or value; rubbish; trash; worthless stuff.
2. nonsense; twaddle. (h/t to ysabetwordsmith)
Another bad week. My finances are dangerously close to the edge; if I don't get a job within the next couple of months I'll be in serious trouble. N. points out that I only have to work for a year or so to both replace the hit to my savings and keep the household above water for the rest of the five years we're planning to stay here. But that assumes that I find work, and my track record is not encouraging.
Case in point: I've done a little more Project Planning, and quite a bit of research into languages and frameworks, but no actual programming. Talk's cheap. (If I were getting paid for it, that would be another matter. But I don't think I can offer much of value for patrons at this point. Working on it.)
The careful reader may have noticed that neither self confidence nor self care are among my strong points.
TL;DR: Patch your computer NOW! (Or as soon as you can, if you're running Windows or Ubuntu and reading this on Monday -- the official release date for this information was supposed to have been Tuesday January 9th.)
Unless you've been hiding under a rock all weekend, you probably know that Meltdown and Spectre have nothing to do with either nuclear powerplants or shady investments: they are, instead, recently-revealed, dangerous design flaws in almost all recent computers. Meltdown affects primarily Intel processors (i.e. most desktops, laptops, and servers), and will be mitigated (Don't you just love that word? It doesn't mean "fixed", it means "made less severe". That's accurate.) by the recent patches to Linux, Windows, and MacOS. Spectre is harder to exploit, but also harder to fix, and may well present serious problems going forward.
But what the heck are they? I'm going to try to explain that in terms a non-geek can understand. Geeks can find the rest of the details in the links, if they haven't already chased them down themselves. (And if you're in software or IT and you haven't, you haven't been paying attention.)
Briefly, these bugs are hardware design problems that allow programs to get at information belonging to other programs. In the case of Meltdown, the other program is the operating system; with Spectre, it's other application programs. The information at risk includes things like passwords, credit card and bank account numbers, and cryptographic keys. Scared yet?
Basically, it all comes down to something called "speculative execution", which means something like "getting stuff done ahead of time just in case it's needed." And carefully putting things back the way they were if it turned out you didn't. That's where it gets tricky.
Modern computers are superscalar, which means that they achieve a lot of their impressive speed by doing more than one operation at once, and playing fast-and-loose with the order they do them in when it doesn't matter. Sometimes they make tests (like, "is this number greater than zero?", or "is that a location the program doesn't have permission to read?"), and do something different depending on the result. That's called a "branch", because the program can take either of two paths.
But if the computer is merrily going along executing instructions before it needs their results, it doesn't know which path to take. So, in the case of Spectre, it speculates that it's going to be the same path as last time. If it guesses wrong (and Spectre makes sure that it will by going down the safe path first), the computer will get an instruction or two down the wrong path before it has to turn back and throw away any results it got. Spectre makes it do something with those results that leaves a trace.
In the case of Meltdown, the test that's going down the wrong path is to see whether the program is trying to read from memory that belongs to the operating system kernel -- that's the part of the OS that's always there, managing resources like memory and files, creating and scheduling processes, and keeping programs from getting into places where they aren't permitted. (There's a lot of information in the kernel's memory, including personal data and passwords; for this discussion you just need to know that leaking it would be BAD.) When this happens, the memory-management hardware interrupts the program before it receives its ill-gotten data; normally the result is that the program is killed. End of story. On Intel processors, though, there's a way the program can say something like "if this instruction causes an interrupt, just pretend it never happened." The illegally-loaded data is, of course, thrown away.
Meltdown works because the operating system's memory is -- or was -- part of the same "address space" as the application program. The application can try to read the kernel's memory; it just gets stopped if it tries. After Tuesday's patch, the two address spaces are going to be completely separate, so the program can't even try -- the kernel's address space simply isn't there. (There's a performance hit, because switching between the two address spaces takes time -- that's why they were together in the first place.)
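Whether you actually have that patch is something a Linux kernel will tell you: it reports one short status line per issue under /sys/devices/system/cpu/vulnerabilities/, and for Meltdown the separated-address-space fix described above shows up as "Mitigation: PTI". The following is an added example (not from the post) that reads those files when present and otherwise works from a constructed sample in the same format, and reduces them to a short list of what still needs attention. The sample strings are representative forms the kernel uses; the exact wording varies by kernel version and CPU.

```python
"""Summarise the kernel's own CPU-vulnerability status lines.
Added example; SAMPLE is constructed in the sysfs format, not read from any real host."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed stand-in for the sysfs files (one line per file).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map a status line to one of: not_affected, mitigated, vulnerable, unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"                 # newer kernels also emit "Unknown: ..." forms


def read_sysfs():
    """Return {name: status} from the live kernel, or None if the directory is absent."""
    if not SYSFS_DIR.is_dir():
        return None
    return {p.name: p.read_text().strip() for p in SYSFS_DIR.iterdir() if p.is_file()}


def report(statuses: dict) -> dict:
    return {name: classify(text) for name, text in statuses.items()}


def needs_attention(statuses: dict) -> list:
    """Issues the kernel says are unmitigated, or whose line it could not classify."""
    return sorted(name for name, kind in report(statuses).items()
                  if kind in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    statuses = live if live else SAMPLE
    print("source:", "sysfs" if live else "constructed sample")
    for name, kind in sorted(report(statuses).items()):
        print(f"{name:20s} {kind:13s} {statuses[name]}")
    print("needs attention:", needs_attention(statuses) or "nothing")
```

"Mitigated" here means exactly what the post says the word means: the kernel has a workaround in place, not that the hardware flaw is gone. A "vulnerable" entry after patching usually means the microcode or a boot option the mitigation depends on is missing, which is the thing to go and check next.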
At this point you know what Spectre and Meltdown do, but you may be wondering how they manage to look at data that simply isn't there any more, because the instruction that loaded it was canceled. (If you're not wondering that, you can stop here.) The key is in the phrase "any more". During the brief time when the data is there, the attacker can do something with it that can still be detected later. The simplest way is by warming the cache.
Suppose you go out to your car on an icy morning and the hood feels warm. Maybe one of the local hoodlums took it out for a joyride, or maybe one of the neighbor's cows was sitting on it. You can tell which it was by starting the engine and seeing whether it's already warmed up. (We're assuming that the cow doesn't know how to hotwire a car.) The attack program does almost the same thing.
The computer's CPU (Central Processing Unit) chip is really fast. It can execute an instruction in less than a nanosecond. Memory, on the other hand, is comparatively slow, in part because it's not part of the CPU chip -- electrical signals travel at pretty close to the speed of light, which is roughly a foot per nanosecond. There's also some additional hardware in the way (including the protection stuff that Meltdown is sneaking past), which slows things down even further. We can get into page tables another time.
The solution is for the CPU to load more memory than it needs and stash (or cache) it away in very fast memory that it can get to quickly, on the very sensible grounds that if it needs something from location X now, it's probably going to want the data at X+1 or somewhere else in the neighborhood pretty soon. The cache is divided into chunks called "lines"; all the bytes in a line are loaded into the cache together. (Main memory is divided into "pages", but as I mentioned in the previous paragraph that's another story.)
When it starts a load operation, the first thing the CPU does is check to see whether the data it's loading is in the cache. If it is, that's great. Otherwise the computer has to go load it and the other bytes in the cache line from wherever it is in main memory, "warming up" the cache line in the process so that the next access will be fast. (If it turns out not to be anyplace the program has access to, we get the kind of "illegal access exception" that Meltdown takes advantage of.)
The point is, it takes a lot longer to load data if it's not in the cache. If one of the instructions that got thrown away loaded data that wasn't in the cache, that cache line will still be warm and it will take less time to load data from it. So one thing the attack program can do is to look at a bit in the data it's not supposed to see, and if it's a "1", load something that it knows isn't in the cache. That takes only two short instructions, so it can easily sneak in and get pre-executed.
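The warm-cache trick above, as an added toy simulation (not code from the original post): a fake cache just records which lines are warm, the "speculative" kernel read is a function that hands back a byte the program was never allowed to keep, and the "separate address space" fix from earlier shows up as that byte not being readable at all. Line size, latencies, addresses and the secret byte are all constructed values.

```python
# Added example, not from the original post: a toy model of the
# cache-warming side channel.  Nothing here touches real hardware or
# real timers; the latencies are made-up numbers.
from dataclasses import dataclass, field
from typing import Optional

LINE_SIZE = 64      # bytes per cache line (assumed; typical for x86)
HIT_NS = 1          # constructed latency for a warm line
MISS_NS = 100       # constructed latency for a cold line


@dataclass
class ToyCache:
    """Remembers which line numbers are warm; load() returns a fake latency."""
    warm: set = field(default_factory=set)

    def make_cold(self, addr: int) -> None:
        """Evict one line, so the attacker knows it is not in the cache."""
        self.warm.discard(addr // LINE_SIZE)

    def load(self, addr: int) -> int:
        line = addr // LINE_SIZE
        if line in self.warm:
            return HIT_NS
        self.warm.add(line)          # the load warms the whole line
        return MISS_NS


@dataclass
class ToyMachine:
    """One user program, one kernel, one cache.

    kernel_mapped=True  models the pre-patch layout (kernel in the same
                        address space, protected only by a permission check).
    kernel_mapped=False models the patched layout (kernel simply not there).
    """
    kernel_mapped: bool
    kernel_secret: int = 0b10110010          # constructed "secret" byte
    cache: ToyCache = field(default_factory=ToyCache)

    PROBE_ADDR = 0x0010_0000                 # constructed user address

    def transient_read(self) -> Optional[int]:
        """Model of the speculative kernel load.

        Returns the byte the pipeline saw before the permission check
        cancelled the instruction, or None if the address is not mapped
        at all (no translation, so nothing is ever fetched).
        """
        if not self.kernel_mapped:
            return None
        return self.kernel_secret


def leak_bit(m: ToyMachine, bit: int) -> Optional[int]:
    """Recover one bit of the secret the way the post describes."""
    probe = ToyMachine.PROBE_ADDR
    m.cache.make_cold(probe)                 # a line the program knows is cold
    value = m.transient_read()
    if value is None:
        return None                          # patched machine: nothing to leak
    if (value >> bit) & 1:                   # "if it's a 1, load something cold"
        m.cache.load(probe)
    # The load above is architecturally thrown away, but the line stays
    # warm, so timing the same load again reveals whether it happened.
    latency = m.cache.load(probe)
    return 1 if latency == HIT_NS else 0


def leak_byte(m: ToyMachine) -> Optional[int]:
    """Run leak_bit over all eight bits; None means the channel is closed."""
    bits = [leak_bit(m, b) for b in range(8)]
    if None in bits:
        return None
    return sum(b << i for i, b in enumerate(bits))


if __name__ == "__main__":
    print("unpatched:", bin(leak_byte(ToyMachine(kernel_mapped=True))))
    print("patched:  ", leak_byte(ToyMachine(kernel_mapped=False)))
```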
Here under the cut is a basic set of references, should you wish to look further. Good stuff to read while your patches are loading.
Rough week. Especially yesterday, when N and I took a very sick Bronx to the emergency vet in Seattle. He had a fever of 106; apparently I can't tell at all from his nose and ears. He was also throwing up and not eating, and wasn't anywhere near his usual rambunctious self.
Note: apparently a virus. He's recovering well, and we'll be taking him home tomorrow.
The house seems very quiet and lonely without our Bronx boy. Brooklyn and even Ticia are rambuncting as best they can, but it isn't the same. Meanwhile, apparently cats really are liquids. Or should I say that cat is a liquid?
Thursday, one of our neighbor's cows got loose in our yard. One of those things that's very funny in retrospect. We've also been having a hard time finding a caregiver for Colleen.
As I said, rough week.
Two public service announcements:
- Breach at Equifax May Impact 143M Americans; How I Learned to Stop Worrying and Embrace the Security Freeze
- If you happen to be on Whidbey Island next Sunday (the 24th, a week from today), drop by our house for music and food. "The usual potluck bash", as we used to say of the Starport.
I'm trying to establish a schedule, so that I actually get things done, have some time for Colleen, and don't spend all my spare time online. 9-11 on Tuesdays and Thursdays are earmarked for "Unpleasant Chores" - unpacking, cleaning litter boxes, finishing up the taxes, taking out the garbage, and so on. Tag "UC:"
Somewhat eventful week, and I see that I didn't get it posted yesterday. Grumph. And today is a busy one, so this will be worked on only in the interstices.
This was our first week of school for both of N's kids, and in particular of homeschooling for j. N and I are taking turns, with N on Tuesday and Thursday, and me on Monday and Wednesday (when C has a caregiver in, although it's a little more hectic right now because we're between caregivers). Friday is for catch-up and projects. J also got the first weekly call from his teacher, where we were able to determine that we have a lot more freedom to choose which activities (e.g. science experiments) we actually do. It's still a bit of a scramble.
This weekend (ok, last weekend -- I'm finishing this up on Tuesday at this point) one of our neighbors, Dean, threw a huge party. He apparently does this every year for his birthday. He's 67, and has been building his house and "landscaping" his property since sometime in the '70s. It's awesome. "Landscaping" in quotes because landscaping doesn't normally include secret tunnels, grottos, and water slides. I only found out about it because I was standing behind him in line at the grocery store. Fairly large amount of music. He's a fiddler! We have a lot of songs that could use fiddle. He also repairs pianos.
The hash I made of "Wheelin'" on Saturday afternoon prompted me to finally reprint the LgF songbook -- two-sided, using my new style definitions. Worked great. There are still a few glitches, but on the whole it's a big improvement.
I made fudgies for the party. Recipe in the notes.
We hired a new caregiver for Colleen. As soon as we saw her purple hair we knew she was going to be a good fit. She'll start on the 25th, after giving two weeks' notice at her previous job.
RainbowCon 2.1 (our second convention, in our third year, thanks to a brief hiatus for moving) will be held on May 4-6, 2018! North American Guest of Honor is Cat Faber; Overseas Guest of Honor is Gwen Knighton Raftery. We are hoping there will be a toastmaster, but we don't have a name to announce for that yet.
Location is 4414 Skyline Drive, Freeland WA (on beautiful Whidbey Island), and there is information about local hotel options for people who want them. The new location has two acres of outdoor space in which we can spread out, hold our traditional maypole dance, and have outdoor song circles around the fire pit. Keep your eyes open for our neighborhood deer, who like to browse on the lawn.
We're still doing free membership but accepting donations to offset the out-of-pocket expenses of bringing our guests here and running this thing, for those who are able and willing to contribute. We welcome members who want to run events -- workshops, games, theme circles, or whatever. RainbowCon is a participatory event... everyone's welcome to take a turn at leading if they want to, but nobody is required to do more than show up and have fun!
Please contact nrivkis at fastmail with membership requests, or questions about the convention. Ditto if you want to be part of the programming. It will be really helpful to us if we can get early memberships, because then we'll be able to block out hotel space nearby.
We look forward to seeing you here!
Before you abandon LJ altogether, or even if you don't intend to leave at all, go over to your Dreamwidth account and claim your LiveJournal OpenID (see instructions here)
Doing that ensures that all the comments you made over on LiveJournal will link to your Dreamwidth account when people import them. And if you haven't imported your LJ yet, do it soon before LJ notices that it's going on and blocks it.
If you use Livejournal, you will already have seen the pop-up demanding that you agree to their new terms of service. med_cat has an excellent partial translation and analysis. A full copy of the agreement can be found in archangelbeth | And the translation of the New User Agreement for Livejournal
I will add more as they come in. The salient points are:
- [The user must] Mark Content estimated by Russian legislation as inappropriate for children (0 −18) as “adult material” by using Service
Who the heck knows what this includes? Play it safe.
- The user may not:
- without the Administration’s special permit, use automatic scripts (bots, crawlers etc.) to collect information from the Service and/or to interact with the Service;
Which arguably covers backing up to DW or your local hard drive.
- post advertising and/or political solicitation materials unless otherwise directly specified in a separate agreement between User and the Administration;
This presumably covers promoting one's CDs or other ventures.
Many of my friends are leaving altogether. I don't blame them.
What I have done:
- I post no original content on LJ -- it's all cross-posted from here on Dreamwidth.
- Copied all LJ content -- posts and comments -- over to Dreamwidth.
- Comments on cross-posts are disabled; the footer has a link to the corresponding DW post.
- I use LJ only to read comments and posts that are not on Dreamwidth. I read DW first so that I can skip cross-posts that don't have comments.
- I have started to take people who no longer allow comments on LJ off my friends list.
- Effective immediately, I am marking my journal as "adult content", and disabled my participation in "user rankings".
- I have reduced the amount of information shown in my profile. In particular, I have removed my list of interests.
- I have taken my website link off the journal headers and out of my profile. If you want more information, look at my DW profile.
- Sometime in mid-April, I will disable comments altogether on LJ, at which point all existing comments will be hidden. They've already been copied over to Dreamwidth, so nothing will be lost. This is for your protection, in case you've posted a comment that could be construed as violating Russian law.
- At some point, I will stop cross-posting, both because of the legal risk and as a protest.
- At some further point, I may delete all or most of my posts, or possibly replace them with links to the corresponding posts on DW.
Sorry, LJ. We had a great time together, but I think it's best for both of us if we go back to being just friends. OK?
And I'm not saying you treated me unkind / You could have done better, but I don't mind / You just kinda wasted my precious time. / Don't think twice, it's all right.
I opened up LJ this evening to find that the posts it's showing are out of sequence -- the top post on my friends' feed is from yesterday sometime, and there's a later one further down the page. It isn't by most recent comment, either: both of those are from an account that turns comments off on crossposts.
My conclusion is that either they're using some kind of ranking system which they're not telling us about (and which I didn't see any setting that might fix), or possibly that crossposts are arriving weirdly out of sequence. So...
PSA #1: If you're posting on LJ and not DW, or posting different content on LJ, I might not see your posts.
PSA #2: If you're crossposting and redirect all your comments to DW, I'm going to stop reading you on LJ to cut down on clutter. (If you allow comments on LJ I'll still go over there and read them, if I can find your post. That is, obviously, no longer guaranteed.)
I'm not going to go as far as some people, but I'm going to turn off comments on my crossposts, for several reasons:
- to save me the trouble of having to import them into Dreamwidth,
- to reduce my presence on Livejournal, now that it's wholly owned by Putin and Trump,
- to encourage people to move to Dreamwidth.
Apropos of that, if you have a DW account that I'm not reading yet, just comment on this post and I'll add you.
It was a long year last week. 2016 is dead and buried; it wouldn't be hard to do better, but I don't expect 2017 to make the effort.
I was going to put a summary of the year here. I'm not up for it. See my previous post for a wrap-up of what I mostly didn't do. I can't think of any major accomplishments to report, except maybe living through it. That may have to do.
Thanks to a heads-up from madfilkentist, I can now confirm that LJ's servers were, in fact, moved to Moscow. The lag was presumably due to DNS propagation delay, which sometimes takes up to a week.
Geolocation data from IP2Location (Product: DB6, updated on 2016-12-5)
Domain Name: mdlbear.livejournal.com
Country: Russian Federation
Region: Moskva
City: Moscow
ISP: Rambler Internet Holding LLC
Organization: Not Available
Latitude: 55.752220153809
Longitude: 37.615558624268
(End of the road for LiveJournal [The Mad Filkentist])
See also my previous post on the topic, mdlbear | Dirty deeds afoot on LJ
One thing I forgot to mention: after you've set up an account on Dreamwidth, you should claim your Livejournal OpenId. That links your DW and LJ identities, so that anyone importing data from LJ will see comments as coming from your DW account even if you wrote them on LJ.
Several security-minded people on my reading list have been moving from Livejournal to Dreamwidth; some have even deleted their LJ accounts. Meanwhile, huge numbers of Russians have been moving their blogs to Dreamwidth. Apparently LJ has quietly moved all of their servers from the US to Russia. That LJ availability glitch a couple of days ago? Yeah, that. A large spike in the number of new Dreamwidth accounts being created by Russians.
As for me, I'm not changing much: I don't lock posts (I think I have maybe two or three, and those are merely somewhat embarrassing), I post only to DW, and I have it set up to crosspost to LJ. I have permanent accounts in both places, so dropping LJ wouldn't be denying them any money at this point.
There are some things you can do:
- Get an account at Dreamwidth.org if you don't already have one.
- Set it up to crosspost to your LJ account. Unlike LJ, Dreamwidth is a US-based organization that is entirely supported by its users.
- Every so often, back up your LJ journal to DW.
- Subscribe to the DW journals of all your old LJ friends. Note that DW separates your access-control list from your reading list -- none of this abuse of the term "friend" that LJ does.
- Don't post any secrets! Especially not to livejournal. Go back and delete anything you wouldn't want to be read by any three-letter agency on either side of the pond.
Let's put it this way: regardless of whether LJ has actually transferred your journal to a server in Russia, you should consider the privacy of your livejournal to have been breached.
Sorry to be the bear of bad news.
As some people have pointed out, this doesn't change very much. Sure, it adds support for the notion that LJ's Russian owners are slime, but we already knew that. Move to DW, set up crossposting, delete all non-public posts, don't give LJ any more money, and carry on.
ETA 12-30 Looks like DNS updates have finally propagated:
Geolocation data from IP2Location (Product: DB6, updated on 2016-12-5)
Domain Name: mdlbear.livejournal.com
Country: Russian Federation
Region: Moskva
City: Moscow
ISP: Rambler Internet Holding LLC
Organization: Not Available
Latitude: 55.752220153809
Longitude: 37.615558624268
(thanks to: The Mad Filkentist)
Not that it's likely to apply to anyone reading this, but mail from charities with no return address (so that I have to open it to see whether it's important) will be dumped. So will anything with the name of a celebrity or public figure. If they want to communicate with me in person they can damned well call.
A "highly critical public service announcement" from Drupal [LWN.net] "Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."
Impressive. I think this is an appropriate place to quote one of my father's aphorisms: "A locked car with an open window is NOT a locked car."
If PHP is your open window, you may as well leave the keys on the dashboard where they're easy to see.
(This bit of nonfiction is being written in response to recent events; it also seems to fit the "communication" part of the theme, "Community & Communication", of this month's Crowdfunding Creative Jam)
Someone died recently and left his widow with a problem: his computer's hard drive is encrypted, and he didn't leave the recovery key or his password anywhere that she can find.
This is not unlike losing track of the key to the safe deposit box, forgetting the combination to the safe, or neglecting to make out a will. "But I have all that in a file on my computer!" I hear you cry.
You need a JustIn Case file, someplace where it's safe but reasonably easy to find if anything happens to you. (I'm talking to myself here, too, by the way.) The bare minimum is whatever it takes to get into your computer (a FileVault recovery key, BitLocker PIN, or alternate admin password) and possibly into your password file, browser keychain, or whatever. *That* information needs to be in a couple of different places known to your family! At least one place should be outside your house, e.g. with a trusted relative, your lawyer, your safe deposit box, or the like. The other place should be in your house, e.g. in a locked filing cabinet (they're pretty easy to break into if necessary). Label the file "Justin Case".
Even if almost everything is on your hard drive, there's a minimum set of things that have to be written down on hardcopy:
- Your master password, recovery key, or whatever it takes to get into your data. Or at least all of your data that you don't want effectively burned when you're gone. (Keep that separate.)
- The location of your will, safe deposit box, offsite backups, retirement and bank accounts, life insurance policies, and so on.
- The name of your executor/executrix.
- Any important information that your family is likely to need.
My plan is to add an SD card with my most important files on it -- I checked, and the directory with all my passwords, tax information, receipts, and so on is only about 200MB. Perfect use for an old 500MB card or thumb drive that's too small to be useful for anything else.
Don't forget to update it if you change your password! That, after all, is the main point of this little exercise.
I'm available. I don't promise to be coherent after 11pm, but you can call any time. 408 - 896 - 6133.
(Inspired by ysabetwordsmith | Moment of Silence: Robin Williams. His death has, understandably, shaken up a lot of people.) (The userpic? Citalopram.)
Doing somewhat better tonight -- it's hard to be depressed with a cat on one's lap. (I can do it, but it's harder.) Anyway, today I'm thankful for...
- A house big enough for concerts, like Tracy Grammer here this Saturday night!
- A cat who has finally decided that my lap is an ok place to hang out sometimes. Better than drugs.
- Friends willing to drive a U-Haul over 800 miles after loading it up with the last of our stuff from the Starport. Friends help you move.
- Not having a need for good friends from the previously-referenced joke.
- Nice weather.
- Not being woken in the middle of the night. (Not thankful for Monday night.)
- Refactoring operations in Eclipse.
- Leftovers for breakfast. Especially when they include something I can make into fried rice.
I'll do one of my usual "done recently" posts tomorrow, maybe. For now, the big news: Yesterday Colleen's orthopedist told her she can go back to using her formerly-broken ankle. It's healed!
She has another week and a half of fairly intensive physical therapy to go before she comes home, but I'm getting my wife back!
(For those of you just dropping in from other planets, Colleen broke her ankle the day we moved into the house, on May 24th, and has been home precisely once, for half a day, since then.)
Rainbow's End, in West Seattle, is hosting its first housefilk today, with special guest Alexa Klettner, from Germany. Starts nominally around 2pm, but show up any time.
From the West Seattle Bridge turn right on Genesee (one block past the first traffic light, which is 35th Ave), take the second right onto 37th, and park. Look for the sign on the fence; you can't miss it. If you get lost, call me: 408-896-6133.
I've just paid $10 for "The Cybernetic Sorcerers" by YsabetWordsmith -- you can get yours at The Wordsmith's Forge - Unsold Poetry from the October 2-3, 2012 Poetry Fishbowl. Ysabet is my favorite web poet, by far. Check out her Serial Poetry page and you'll get some idea of why.
Because of the recent major increase in anonymous spam comments on LJ, I have disabled them there. Either register, or come on over to Dreamwidth where anonymous comments are still enabled. Besides, I can always use more comments on the DW side.
Also, I've pretty much stopped posting "hippo birdie" posts, in part because the LJ portal is going away, and in part because I've taken the LJ portal and home page off my "AM" list. They were pretty useless to begin with and have become more so. With the demise of birthday posts, I now have no unique content on LJ -- it's all cross-posted from DW.
Move-out day is a week from today; we won't be here. There are still some things up for grabs, including a largeish pile of old computers and cases.
Meanwhile, things are mostly sorted and packed, the main exceptions being tools in the garage, and some random debris in the office and bedroom. Come enjoy the pizza, and be amazed at our new bamboo floor, walls without bookshelves, garage without shelving units, and other seldom seen wonders of the modern world.
Quote of the day:
Colleen (raising glass): To the move!
me (raising glass): To adventure!
Colleen: To adventure!
YD (walking by): Hobbit!
Public Service Announcement: The Starport House-Cooling Party is today! Lots of stuff being given away, including books. Potluck, as usual.
I refreshed my job application at LabKey, this time via StackOverflow. And put in for a couple of jobs at Facebook. And did a little music practice in the morning, which is a habit I want to get back into. And a walk! I'm trying to get back into a productive routine, and not doing all that well at it.
I realized, during my walk, that I had probably made a copy of my pension paperwork. And indeed I had, so I'll mail that in today.
Did some more packing and organizing in the office.
Some links.
A week from yesterday, on Saturday, June 9th, we're having our last party at Grand Central Starport. It's been a long run, and a good one. We've thrown at least two parties each year since we moved in 36 years ago, and four most years. Over a hundred parties.
Moving out, moving North, and moving on. Parties at the Starport will probably continue -- our renters are fannish. We will certainly continue to have parties, though perhaps not until we move from our apartment to a house, a year or so down the road.
But... our household, our Starport... yeah. Last chance.
We're also downsizing. A lot. So a lot of things will be up for grabs. We're giving away a lot of books, because we'd rather see them go to good homes than get a few cents for them at a used bookshop. A goodly pile of other stuff. Get it while it's hot.
There will be potluck, and soft drinks in the tub -- bring something you know you can eat, plus enough to share. There will be filking. There will be nostalgia.
The maps and directions are, as usual, on the web at the Grand Central Starport Home Page.
Bonus Song for Sunday: "So Long It's Been Good To Know Yuh" by Woody Guthrie [YouTube].
I am going to be in Seattle from Thursday, 4/5 through Wednesday, 4/11. I'll be arriving at my hotel, the Coast Gateway sometime after 9pm Thursday, and leaving on the 7:30pm flight Wednesday.
Friday through Sunday I'll be at Norwescon, but since I'm not scheduled for anything I'll be available for conversations or phone interviews on a few minutes' notice.
Monday noonish through Wednesday afternoon I'll be looking at apartments and, hopefully, going to job interviews. You can get to all my relevant information, including my resume, at stephen.savitzky.net.
I'll be going up again in early July for Westercon; I'll take a trip up before that if there are interviews to be had.
We expect to be moving up permanently sometime between July and September, most likely sometime in August.
Wednesday was a pretty good day, though I didn't take a walk. I drove home toward a gorgeous full moon rising, with wild geese flying overhead. You know, I should have been suspicious at that point.
In the evening, jilara brought over the yukata that she had taken home to hem, and I found its belt tucked away at the bottom of one sleeve. It's lovely.
Thursday morning I got in to work and was greeted by $BOSS and $CFO, and the news that I'd been laid off. Along with two other researchers in my
at least two people in
Public service announcements:
- New tag: 8.3%
- Party tomorrow at Grand Central Starport. I will have copies of my resume.
- I am currently looking for work in the San Jose and Seattle areas.
Please address job-related correspondence to
- I will be available to start work any time after April 1st
Felt very restless yesterday evening. Should have taken a walk.
A very special Thankful Thursday today. Today I am thankful for:
- Three weeks' notice and 6 months of severance pay
- A great set of soon-to-be-ex coworkers
- My skill as a programmer and software architect
- My 65th birthday, in less than a week
- The Starport's annual "It's Green" party on Saturday.
Yup. Laid off, after 19.5 years at Ricoh. It's been a good run. I can't afford to retire; I took about half the equity out of my house, and the housing market has taken almost all of the other half. I'll consider work either locally (Silicon Valley) or in the Seattle area, broadening to include Oregon and Utah if it becomes necessary in a couple of months.
I'll have copies of my resume at the party on Saturday. See you there?
I've actually gotten quite a lot done, including no less than three complete run-throughs of my Consonance set (plus some discussion with Naomi about it). Well, ok -- that plus my tech reports is about all I got done. A short walk on Tuesday.
Public Service Announcement: My Consonance concert will be at 7:30pm on Friday, March 2nd. That's, like, tomorrow night. Actually, I feel ready for this one.
Another PSA: Grand Central Starport's annual "It's Green" party will, as usual, be the Saturday after Consonance, March 10.
Quite a few links. They're pretty much all good; just look in the notes and take your pick.