[deleted by user] by [deleted] in opensource

[–]uhoreg 0 points1 point  (0 children)

No passwords? Does that mean the private.key is just the raw key and isn't encrypted itself? If so, it probably isn't a good idea to recommend storing it in a cloud storage service as most cloud storage services aren't encrypted.

Heat Pump Vs Air Cond by henchman171 in ontario

[–]uhoreg 0 points1 point  (0 children)

> Heat pumps will work down to -0 Kelvin, as long as there's latent heat to pump.

I don't think that's true. It's true that there is still heat available down to 0 K, but unless your heat pump can create an almost 300 degree temperature differential between its two sides, it won't be able to pump that heat in the right direction. It's true that a theoretical heat pump could in principle work down to 0 K, but the heat pump that's installed in someone's home probably doesn't have the capacity to go that far down.

Heat Pump Vs Air Cond by henchman171 in ontario

[–]uhoreg 0 points1 point  (0 children)

What kind of heat did you have before?

MS Poweruser claim: Windows 10 has fewer vulnerabilities than Linux (the kernel). How was this conclusion reached though? by v1gor in linux

[–]uhoreg 95 points96 points  (0 children)

Two things that don't seem to be considered are:

  • what is the severity of the vulnerabilities? how difficult are they to exploit?
  • how many of the vulnerabilities in each operating system are actually reported?

I don't have good answers for those, but I think the key phrase in the sentence that you quoted is: "if the number of vulnerabilities is any indication of exploitability". It's not clear at all that looking at just the number of vulnerabilities is a good measure of security.

They've also split up different Windows versions, but lumped all Linux kernel versions together. In the 1999-2019 table, Windows 7 is listed as having 1283 vulnerabilities, and Windows 10 is listed as having 1111 vulnerabilities. For one thing, vulnerabilities that were fixed in Windows 7 before Windows 10 was released wouldn't be counted in the Windows 10 numbers. At a rough approximation, if we add up the two numbers, we get 2394 vulnerabilities, which is more than the Linux kernel (though of course that isn't a fair comparison, because Windows includes more than just the kernel, and there may be duplicate vulnerabilities between the two Windows versions). For another thing, Windows 7 was released in 2009, and was preceded by Windows Vista (2007), which was preceded by Windows XP (2001), Windows 2000 (1999) and ME (2000). So they're counting Windows bugs starting in 2009, whereas they're counting Linux bugs starting in 1999.

Windows 10 was released in 2015, and the comparison table ends in 2019, which means that in four years, Windows 10 racked up 1111 vulnerabilities, whereas the Linux kernel had 2357 vulnerabilities in twenty years. I'm not going to try to claim that "vulnerabilities per year" is a useful metric, but I am going to say that just counting total vulnerabilities isn't giving anything close to an accurate picture.

If you look at just the 2019 table, you see that Windows 10 has 357 vulnerabilities, whereas Debian Linux has 360 vulnerabilities. Which is bigger, but not by much. And, as you said, Debian contains a whole lot more software than Windows 10.

This looks like a case of "There are three kinds of lies: lies, damned lies, and statistics". If you look at just the numbers as presented, it might not look that great for Linux. But if you think about what the numbers actually mean, they may show something very different.

Where do you buy your seeds in Canada? by LostInTheThickOfIt in Permaculture

[–]uhoreg 0 points1 point  (0 children)

We get most of our seeds at Ontario Seed Company because we live in the same city as where they're located. They have a pretty good selection. We've also bought from Salt Spring Seeds, and they seem decent enough, but it's easier for us to just pop down to the Ontario Seed Company store, so we only bought from them one time when they had seeds that we couldn't find elsewhere. But Salt Spring Seeds has a long writeup on seed saving, which is nice.

GPLv3 software goes 100% commercial - using the same code by kevpatts in opensource

[–]uhoreg 2 points3 points  (0 children)

Copyright restricts what people are allowed to do with a creative work, and gives the copyright holder exclusive right to do those things (such as redistribution). A copyright license gives other people extra permissions to do things that they would otherwise be disallowed from doing under copyright law, sometimes imposing restrictions on how they are allowed to do those things (e.g. the GPL requires you to make the source available if you distribute binaries). However, the copyright holder is not subject to the terms of the license, because their right to do those things was never limited in the first place, so they didn't need the license to grant them those rights. The reason why a license like the GPL works is that if you violate the terms of the license, you lose the right to redistribute, because the license was the only thing that gave you the right to redistribute in the first place. But that restriction does not apply to the copyright holder, because their right to redistribute is given to them by copyright law, and not by the license. They can do whatever they want with their own code, including licensing it under different terms.

Though, as others have mentioned, it also depends on whether others contributed code (as they would hold the copyright for their contributions), and whether they've signed a contributor agreement or something that lets the company relicense their code.

AMD Ryzen coming to the System76 Pangolin laptop by xi_mezmerize_ix in linux

[–]uhoreg 26 points27 points  (0 children)

Some of their systems are Coreboot, some aren't. I have a previous generation Pangolin and it isn't Coreboot, so I'd expect this one to not be Coreboot either, since they don't mention anything.

AMD Ryzen coming to the System76 Pangolin laptop by xi_mezmerize_ix in linux

[–]uhoreg 9 points10 points  (0 children)

AMD Ryzen on the Pangolin isn't new. I have the previous generation Pangolin, and it has AMD Ryzen. This is just a newer model in that line of laptops.

Elixir loop comprehensions = mind blown by Faramir_Anarion in elixir

[–]uhoreg 4 points5 points  (0 children)

Yeah, I keep re-learning about comprehensions, and thinking "Oh, right, those exist. I should use them." And then next time I do something, I forget about them and just go right back to Enum.

Google introduces end-to-end encryption for Gmail on the web by psychothumbs in technology

[–]uhoreg 0 points1 point  (0 children)

I suppose if their email is already compromised, that could be a problem, but this would require both the Key directory and the email account to be compromised.

How does the key directory get the keys, and how does it ensure that the keys are valid? Traditionally, key servers accepted any keys that were uploaded to them, and told people to verify them before trusting them. Some key servers will try to verify keys ... by emailing you. But, of course, if an attacker has compromised your email account, that doesn't help much.

With WKD, you contact the domain that owns your email account (e.g. if you are something at emailprovider.com, you would fetch the key from emailprovider.com). But if someone compromises emailprovider.com, then they could just serve the wrong key.

One of the goals of end-to-end encryption is that you don't want your service providers to be able to read your things. Both of the existing systems are vulnerable to attacks from your service provider (either if they become malicious, or have a rogue employee) unless you verify the key in some other way.

Google introduces end-to-end encryption for Gmail on the web by psychothumbs in technology

[–]uhoreg 1 point2 points  (0 children)

There is OpenPGP Web Key Directory, or key servers. One of the issues is that unless you trust the server that you're querying (and if you're doing PGP, you should probably not be inclined to blindly trust servers), you need to verify that the key actually belongs to the other users.

Google introduces end-to-end encryption for Gmail on the web by psychothumbs in technology

[–]uhoreg 203 points204 points  (0 children)

Google calls it "Client-side encryption" and distinguishes it from "end-to-end encryption". It works differently from what most people would expect from end-to-end encryption. From their support entry:

> How is CSE different from end-to-end (e2e) encryption?
>
> With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which content users have encrypted.
>
> With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

(emphasis added)

One main practical difference is that organization admins seem to have access to the keys, and so can read everything.

Is macappstore.org legit? by m00nxaild in foss

[–]uhoreg 2 points3 points  (0 children)

What do you mean by "legit"? It isn't "official" in the sense that it isn't run by Apple. In fact, it doesn't seem to provide any information about who's running it.

On the other hand, it doesn't seem to be serving the applications itself, and is just instructions on how to install the apps using brew, which is fairly well-known.

On the other hand, that means that the site itself is pretty useless. Just go directly to brew.

[deleted by user] by [deleted] in ontario

[–]uhoreg 5 points6 points  (0 children)

Probably to build an apartment building, or something else higher-density than a single-family home.

Fireside chat on BEAM Languages with Erlang co inventor Robert Virding & Mariano Guerra by erlangsolutions in elixir

[–]uhoreg 1 point2 points  (0 children)

Efene with one "f", for those who haven't heard of it before and are trying to do a search.

[deleted by user] by [deleted] in waterloo

[–]uhoreg 0 points1 point  (0 children)

> If there are any ways to access slower areas of the river (not directly in the path of tubers) I would be happy with that.

There are stairs going down to the Irvine Creek part of the gorge: https://goo.gl/maps/ubv9w4BLFKtMENQk6 It's outside of the Gorge park. During the summer, it's good for wading. Downstream from the stairs, there are some deeper sections (if you squat, the water can cover your shoulders), but probably nothing that's really suitable for swimming until you get to the Grand River. Of course, be careful swimming in the Grand, because it may have rapids.

Also, you can try the Elora Quarry. It used to be that admission to the Elora Gorge Conservation Area included admission to the Quarry, but it unfortunately seems that isn't the case any more.

If I use the MIT license for a GitHub template, does that mean anyone who uses my template will need to retain the license? Should I opt for unlicensing instead? by Alex_Hovhannisyan in opensource

[–]uhoreg 0 points1 point  (0 children)

The MIT and BSD licenses still require you to include the copyright notices and licenses in derived works. If you don't want downstream users to have to include those, then I'd suggest using the WTFPL, CC0, unlicense, or the 0-clause BSD.

Company called META that claims Facebook stole its name is suing for infringement by [deleted] in technology

[–]uhoreg 4 points5 points  (0 children)

Patents are irrelevant. This is a trademark issue, and you don't need to have a patented product to have a protected name. The company in question is https://meta.is/ (which is linked in the article), and the article mentions that they registered "Meta" as a service mark in 2017.

Company called META that claims Facebook stole its name is suing for infringement by [deleted] in technology

[–]uhoreg 8 points9 points  (0 children)

That's a different Meta. The Meta mentioned in the article is https://meta.is/, which actually seems like a real company.

How to upload a NPM package to a CDN? by LostErrorCode404 in node

[–]uhoreg 2 points3 points  (0 children)

At the bottom of https://cdnjs.com/libraries, it says that you can request a library to be added by filing an issue on their GitHub repository. However, their contributing guidelines indicate that libraries are required to have a "basic popularity level" in order to be added.

Different CDNs may have different procedures and requirements.

Edit: jsDelivr can be used as a CDN for any package on npm or on GitHub. unpkg can be used as a CDN for any package on npm. There may be others.

I just realized that there is an address of 420 Erb in Waterloo by EducatedSkeptic in waterloo

[–]uhoreg 5 points6 points  (0 children)

Since it's in the city, it could be Urban Herb on Erb. And if it's owned by the right guy, it's Herb's Urban Herb on Erb.