Friday, May 31, 2013

some stuff u can get away without paying..

http://www.plasticscm.com/
a distributed version control system that runs on windows and works with visual studio.

http://www.serverscheck.com/monitoring_software/getbonus.asp
free windows server monitoring, 100 monitors.

http://emailrelay.sourceforge.net/
relays mail thru a gmail account

http://www.elbiah.de/hamster/pg/
smtp, nntp and pop3 proxy..runs standalone too..

http://regain.sourceforge.net/
run your own search index..

http://www.trilead.com/Download/
better than nothing. since all the nice esxi backup need vmware subscription..

http://urbackup.sourceforge.net/
agent based. image backup is vhd. 

http://sourceforge.net/projects/fs-inspect/
file/dir size, search, and keeps index...

http://www.duplicati.com/
quick n easy backup to cloudy accounts..


why?

apparently server sales are down. and Gartner says its because people are using The Cloud. instead of buying servers.
http://techcrunch.com/2013/05/29/server-sales-are-down-as-cloud-apps-abound-at-the-expense-of-ibm-enterprise-giants/
it makes no sense to me. at all.

in a simplified view of things...

when i access 500 gb on my nas it goes like..
me -> lan/cifs -> 2*500gb hdd in a nas.

when i access 500gb on the cloud...it goes like...
me -> lan/cifs -> some sort of nas head that mounts s3 -> internet, probably over ssl -> amazon ??? networks -> some sort of object storage system -> many hdd in a humongous disk array.

sure, the latter systems are shared among many people and there may be opportunities for efficiencies..like deduping the storage..but my message is, the layers have increased significantly..

its not automatic and obvious to me that using the cloud makes server demand go down. cloud providers buy servers too.

Friday, May 24, 2013

samsung needs to explain knox a little, i think

While the majority of released models include an unlocked bootloader, which allows users to flash custom kernels and make other modifications to the software on their own devices, AT&T and Verizon branded devices ship with a locked bootloader that prevents these types of modifications. In this post, I'll provide details on how Samsung implement this locking mechanism, and publish a vulnerability in the implementation that allows bypassing the signature checks to run custom unsigned kernels and recovery images.
http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html

 
So what will you find within the Fort Knox of the smartphone world? It's an IT manager's pipe dream, of sorts. A comprehensive collection of features that include Security Enhanced (SE) Android, secure boot, TrustZone-based Integrity Monitoring (TIMA) for protecting the kernel, Single Sign On (SSO) and that application container concept made famous by BlackBerry, just to name a few. Best of all, Knox will ship pre-installed on select devices, all sold as one SKU -- in other words, consumers and enterprise customers alike will be taking home identical handsets, simplifying the process significantly for BYOD (Bring Your Own Device) businesses. 
http://www.engadget.com/2013/02/25/samsung-safe-with-knox/ 

in other news...

git tries to take over the world..
https://github.com/edu

u r sure u r not like them!
http://io9.com/the-frozen-calm-of-normalcy-bias-486764924

and from https://news.ycombinator.com/item?id=5760627 :

"We need to get programming talent on-board." - I read that more as they don't know the difference between programming and ops.


http://blog.method.ac/announcements/our-servers-hard-drive-is-dead-we-didnt-have-a-backup/

Wednesday, May 22, 2013

ooooooh oooooh ooooooh, maybe worth a billion $


http://highscalability.com/blog/2013/5/20/the-tumblr-architecture-yahoo-bought-for-a-cool-billion-doll.html

Stats

  • 500 million page views a day
  • 15B+ page views month
  • ~20 engineers
  • Peak rate of ~40k requests per second
  • 1+ TB/day into Hadoop cluster
  • Many TB/day into MySQL/HBase/Redis/Memcache
  • Growing at 30% a month
  • ~1000 hardware nodes in production
  • Billions of page visits per month per engineer
  • Posts are about 50GB a day. Follower list updates are about 2.7TB a day.
  • Dashboard runs at a million writes a second, 50K reads a second, and it is growing.

Software

  • OS X for development, Linux (CentOS, Scientific) in production
  • Apache
  • PHP, Scala, Ruby
  • Redis, HBase, MySQL
  • Varnish, HA-Proxy, nginx,
  • Memcache, Gearman, Kafka, Kestrel, Finagle
  • Thrift, HTTP
  • Func - a secure, scriptable remote control framework and API
  • Git, Capistrano, Puppet, Jenkins

Hardware

  • 500 web servers
  • 200 database servers (many of these are part of a spare pool we pulled from for failures)
    • 47 pools
    • 30 shards
  • 30 memcache servers
  • 22 redis servers
  • 15 varnish servers
  • 25 haproxy nodes
  • 8 nginx
  • 14 job queue servers (kestrel + gearman)


We looked at a dozen or so open source and commercial products before coding began. Having an API and flexible workflow were requirements. The intake support for our specific hardware intake process also needed to be accounted for. We also needed something that would support not just virtualized systems, but was more tailored towards physical hardware. We found nothing that met the requirements we had. Things we looked at included:
Some of these are strictly for IPAM, some handled parts of what collins does. None of these were good fits for the initial problems we were trying to solve.
Collins can sit on top of existing asset management systems (we have done this at Tumblr with both SoftLayer and Amazon) or be the infrastructure source of truth for your entire environment. I personally found openstack to be the closest fit for what we were looking for but the number of changes required to make it work for Tumblr were substantial.

just sayin..how about a static site generator?

At the Velocity conference Phil Dixon, from Shopzilla, presented data showing a 5 second speed up resulted in a 25% increase in page views, a 10% increase in revenue, a 50% reduction in hardware, and a 120% increase in traffic from Google.

Amazon found every 100ms of latency cost them 1% in sales. Google found an extra .5 seconds in search page generation time dropped traffic by 20%.

http://highscalability.com/blog/2009/7/25/latency-is-everywhere-and-it-costs-you-sales-how-to-crush-it.html

Saturday, May 18, 2013

misc: strongbox,cyphrd,otfbrutus,bdelloida,dario dario

https://www.cyphrd.com/
they sound great.

http://motherboard.vice.com/blog/inside-strongbox-the-hyper-secure-inbox-built-by-aaron-swartz
it sounds great.

http://blog.epzsecurity.com/2013/05/my-wednesday-night-failure-how-to.html
if u not so great..

damn small..
http://www.future-digital.com/aquarium_info/info_freshwater_tropical_fish/dario_dario_7.html

small and intriguing..
http://en.m.wikipedia.org/wiki/Bdelloidea

and a great read..
http://james-iry.blogspot.dk/2009/05/brief-incomplete-and-mostly-wrong.html


what if one day Google stopped Gmail federation or even deprecated it!!!

so. scratching that itch. i.

ran stunnel. just run the windows setup. input anything when creating your cert.
i used this config:


cert = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7

; Use it for client mode
client = yes

; Service-level configuration
; note: no verify/CAfile is set here, so stunnel accepts whatever certificate
; imap.gmail.com presents; add "verify = 2" and a CAfile to actually check it

[imap]
accept = 127.0.0.1:1143
connect = imap.gmail.com:993
retry = yes

then i ran imapcopy. with this config


SourceServer 127.0.0.1
SourcePort 1143
DestServer my.own.mailserver
DestPort 143

#       SourceUser SourcePassword   DestinationUser DestinationPassword
Copy    "mygmailuserid"       "mygmailpwd"         "mymailuser"          "mymailpwd"


ran it first with -t to test. saw it connect. then with -1, checked it with my phone and saw 1 mail per folder come in. then did it again, saw that it copied the same mail again but didnt create 2 of the same mails at the destination. thought its acceptable for now. then ran it with -l to run for real, with logs. 
thats all.
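an added example, not imapcopy and not anything from this post's author: a small Python 3 imaplib copier that reads plaintext IMAP from the local stunnel port (127.0.0.1:1143, as in the config above) and skips any message whose Message-ID the destination already holds, which is the "same mail again but no duplicate" behaviour the repeat run showed. the hostnames and credentials in the __main__ block are the placeholders from the configs above.

```python
import imaplib
import re

# Plaintext side of the local stunnel "[imap]" service; stunnel wraps it in TLS
# and forwards it to imap.gmail.com:993.
STUNNEL_HOST = "127.0.0.1"
STUNNEL_PORT = 1143

# Matches the Message-ID header (folded continuation lines allowed).
MSGID_RE = re.compile(rb"^message-id:\s*(<[^>]+>)", re.I | re.M)


def message_ids_in(conn, folder):
    """Return the set of Message-ID values already stored in `folder` on `conn`."""
    conn.select(folder, readonly=True)
    typ, data = conn.search(None, "ALL")
    found = set()
    if typ != "OK" or not data or not data[0]:
        return found
    for num in data[0].split():
        typ, parts = conn.fetch(num, "(BODY.PEEK[HEADER.FIELDS (MESSAGE-ID)])")
        if typ != "OK":
            continue
        for part in parts:
            # imaplib returns literal data as (envelope, bytes) tuples
            if isinstance(part, tuple):
                m = MSGID_RE.search(part[1])
                if m:
                    found.add(m.group(1))
    return found


def copy_folder(src, dst, folder, limit=None):
    """Append messages from src/folder to dst/folder, skipping those dst already
    holds by Message-ID. Returns (copied, skipped). `limit` stops after that many
    copies, like a one-message test run."""
    dst.create(folder)  # returns NO if it already exists; either is fine
    existing = message_ids_in(dst, folder)
    src.select(folder, readonly=True)
    typ, data = src.search(None, "ALL")
    copied = skipped = 0
    if typ != "OK" or not data or not data[0]:
        return copied, skipped
    for num in data[0].split():
        if limit is not None and copied >= limit:
            break
        typ, parts = src.fetch(num, "(BODY.PEEK[])")
        if typ != "OK":
            continue
        raw = next(p[1] for p in parts if isinstance(p, tuple))
        m = MSGID_RE.search(raw.split(b"\r\n\r\n", 1)[0])
        msgid = m.group(1) if m else None
        if msgid is not None and msgid in existing:
            skipped += 1
            continue
        dst.append(folder, None, None, raw)
        if msgid is not None:
            existing.add(msgid)
        copied += 1
    return copied, skipped


if __name__ == "__main__":
    # Placeholder credentials from the configs above; the source side is plaintext
    # because stunnel does the TLS.
    src = imaplib.IMAP4(STUNNEL_HOST, STUNNEL_PORT)
    src.login("mygmailuserid", "mygmailpwd")
    dst = imaplib.IMAP4("my.own.mailserver", 143)
    dst.login("mymailuser", "mymailpwd")
    print(copy_folder(src, dst, "INBOX", limit=1))
```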

actually my spur-of-imapcopy-moment came because i ran across gmvault, which was beautiful. but to me it was incredibly odd to backup gmail only to be able to restore it back to gmail.
so i actually went looking for imapsync and offlineimap. the former cost something like 50 euros so i didnt touch it despite it sounding real nice. 
the latter i "yum install offlineimap" and yum said it didnt exist so i stopped there...wtf? the state of the art in imap syncing and base,epel,extras,ius,rpmforge,virtualmin and vz repos all dont have...haiz....another day la...
and so i was left with imapcopy. 
i guess its incredibly inefficient if you're into backups..there's also more gui stuff like mailstore home and imapsize..but i wanted the stuff on another mailserver and schedule-able, not on some custom storage format and run manually and thought imapcopy is actually acceptable if done once in a while...

and er, just a note, if your mail runs into 100s of mbs, take a look at https://support.google.com/a/bin/answer.py?hl=en&answer=1071518 before anyhow testing sync...

Friday, May 17, 2013

What is cloud, definitively

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf


The five essential characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity and measured usage.

The service models include cloudifying the infrastructure, platform or application software layers and exposing these as services to customers with those above characteristics and with increasing levels of abstraction away from the underlying servers, storage, switching and systems software.
NIST recognises private clouds (built for exclusive use), public clouds (run by a service provider with capacity and services shared by multiple tenants), and community clouds (organised around a group of users rather than a particular technology).
Hybrid cloud in the NIST definition is a mixture of any two distinct infrastructures but which offers cloud bursting, load balancing and portability across different kinds of clouds.

abstract from http://www.theregister.co.uk/2013/05/17/hybrid_cloud_definitions_analysis/

Thursday, May 16, 2013

google santa claus..

Google App Engine adds the PHP runtime

App Engine 1.8.0 is now available and includes a Limited Preview of the PHP runtime - your top requested feature. We’re bringing one of the most popular web programming languages to App Engine so that you can run open source apps like Wordpress. It also offers deep integration with other parts of Cloud Platform including Google Cloud SQL and Cloud Storage. 

We’ve also heard that we need to make building modularized applications on App Engine easier. We are introducing the ability to partition apps into components with separate scaling, deployments, versioning and performance settings.

http://googlecloudplatform.blogspot.sg/2013/05/ushering-in-next-generation-of.html

Monday, May 13, 2013

as i was thinking about rsync.net..

https://fruux.com/pricing/
they sponsor sabredav..and fruux has free tier too..

https://mist.io/
maybe sometime i actually play with this. sounds damn cool.

its like backblaze but sync.
https://www.bitcasa.com/pricing

and too bad i dun write anything useful...if i app.net dev, this i guess is cool:
http://octopusdeploy.com/purchase

of versions and text files

apparently some use
http://ikiwiki.info/

and some use
http://zim-wiki.org/

and i'm so tempted by this..
http://www.fossil-scm.org/index.html/doc/trunk/www/index.wiki

but actually this is far more realistic...
http://www.plasticscm.com/


Friday, May 10, 2013

difficult tech paid and free

https://readwrite.com/2013/04/29/parse-acquisition-makes-its-rivals-very-happy
paid. sold for a handsome sum.

https://www.gnu.org/software/libmicrohttpd/?
free. i'm guessing electronics(arduino?) people will like it.

it often amazes me. how groups like gnu and apache employ so much expertise to make so many difficult things free. while so much paid software is not nearly as complicated or useful.

watch the videos. oh my.

hysterical literature session 1.

oh my. sex is in the brain. hur hur.

Tuesday, May 7, 2013

Maho x Koyuki - Moon On The Water [BECK] by Chibi Kame
Beck OST - SLY by animaost1
The Beck Mongolian Chop Squad Ultimate Concert by annabz017
Tulip - Kokoro No Tabi by Xuanye1654
アタックNo.1 by runnahakuba
榊原郁恵「しあわせのうた」 by Mako Ishino
夏木マリ「絹の靴下」 by philip8823
奥村チヨ CHIYO OKUMURA - 恋の奴隷 by zzLADIESzz
Katsuko Kanai (金井 克子): "Tanin No Kankei (Like Strangers)" - J-Pop Sexy Downtempo Funk 45 by soulmarcosa70
YmgcMme - Hitonatsu no Keiken 1974 by 1982wtmnk1002



The story around the Linode hack

try reading the original...http://straylig.ht/zines/HTP5/0x02_Linode.txt


Here's an attempt at an explanation/translation:
HTP ("Hack The Planet") is a group that likes to break into things. Another (unnamed) group of people impersonated a third group of people ("ac1db1tch3z") and tried to cause trouble for HTP.
The impersonators located HTP by examining one of HTP's botnets (a collection of compromised computers that are used to launch things like denial of service attacks). Botnets have to receive instructions (e.g., targets to attack) from somewhere, so it's likely that the impersonators followed the path taken by commands to the botnet, and found the network(s) that HTP uses to organize themselves.
HTP realized this, and wanted to get back at the impersonators. They found out that the impersonators used an IRC channel (chat room) hosted on a network called SwiftIRC. If HTP could break into SwiftIRC (which is hosted on Linode), they could cause all sorts of trouble for the impersonators. So HTP decided to break into Linode, so they could break into SwiftIRC, so they could break into the group of impersonators.
To break into Linode, HTP broke into their domain name registrar (name.com). They planned to secretly take control of linode.com, and replace it with a version of linode.com that would look and feel and work correctly, but had one additional feature -- it would collect the login information that people typed in. HTP probably hoped to gain the login for SwiftIRC directly, or collect the logins for Linode admins and obtain SwiftIRC's login from there.
But, before they enacted the domain takeover (a maneuver that would likely be somewhat difficult to employ without being noticed), an HTP member discovered a new vulnerability in ColdFusion, the server software used by Linode. The ability to discover a new exploit on demand implies a high level of skill within the group. Using this exploit, HTP obtained direct access to Linode. They proceeded to gain access to SwiftIRC, as well as other sites hosted on Linode, including a well-known security site, nmap.org.
The FBI apparently had a mole in HTP, and they alerted Linode that HTP had access to nmap.org. This posed a bit of a problem for HTP: if it became public knowledge that they had obtained access to Linode, then perhaps they wouldn't have time to go after the impersonators using their newfound access to SwiftIRC. So, HTP tried to strong-arm Linode into staying quiet until May 1st. HTP had obtained the customer information and credit cards of all the Linode customers. HTP threatened to widely publish all this sensitive information if Linode didn't stay quiet. If Linode complied, then HTP would just delete all the info.
Linode, though, was forced by the FBI to announce that they'd been broken into. HTP told Linode to just publicly acknowledge that HTP was the group that broke into Linode, and they'd delete the sensitive info. Linode did so (https://blog.linode.com/2013/04/16/security-incident-update/).
HTP conducted an internal investigation to determine which group member(s) were working with the FBI. HTP broke into the mole's computer and turned on their webcam, and saw an FBI employee looking over the shoulder of the mole. They kicked the mole out of the group, so the FBI doesn't have access to HTP anymore.
(Remember, this is the story according to HTP.)

https://news.ycombinator.com/item?id=5667027

Monday, May 6, 2013

in case you thought your car's published fuel economy numbers were inaccurate or something

A geometric average of the FTP-75 and HFET results (with city driving weighted at 55 percent and highway driving weighted at 45 percent) produces a vehicle's CAFE fuel economy, which is then incorporated into a manufacturer's corporate average. CAFE is measured using these tests to the present day.

http://www.chron.com/cars/article/Why-is-the-EPA-so-bad-at-estimating-hybrid-fuel-4483222.php?cmpid=hpfsln

Wednesday, May 1, 2013

The Abilene Paradox

On a hot afternoon visiting in Coleman, Texas, the family is comfortably playing dominoes on a porch, until the father-in-law suggests that they take a trip to Abilene [53 miles north] for dinner. The wife says, "Sounds like a great idea." The husband, despite having reservations because the drive is long and hot, thinks that his preferences must be out-of-step with the group and says, "Sounds good to me. I just hope your mother wants to go." The mother-in-law then says, "Of course I want to go. I haven't been to Abilene in a long time."
The drive is hot, dusty, and long. When they arrive at the cafeteria, the food is as bad as the drive. They arrive back home four hours later, exhausted.
One of them dishonestly says, "It was a great trip, wasn't it?" The mother-in-law says that, actually, she would rather have stayed home, but went along since the other three were so enthusiastic. The husband says, "I wasn't delighted to be doing what we were doing. I only went to satisfy the rest of you." The wife says, "I just went along to keep you happy. I would have had to be crazy to want to go out in the heat like that." The father-in-law then says that he only suggested it because he thought the others might be bored.
The group sits back, perplexed that they together decided to take a trip which none of them wanted. They each would have preferred to sit comfortably, but did not admit to it when they still had time to enjoy the afternoon.


https://en.wikipedia.org/wiki/Abilene_paradox

i agree with this logic

The casino is given a license by the state to offer losing odds to customers, thus guaranteeing the casino a (statistical) advantage (and the gov't a cut of the profits). In other words, the casino is allowed to exploit people's greed and credulity that they can beat the odds.
And so, if there is no money-morality at a casino, I don't see why casino patrons shouldn't be allowed any exploit of whatever games the casino offers (card counting, bug exploits, etc)--barring of course any threats or injury to people. If the dealer doesn't shuffle the cards or the game has a bug, up to the gambler to take advantage of it until the casino fixes it.
...
https://news.ycombinator.com/item?id=5638894

a reminder..a cloud storage provider maybe some forgot...

i agree its a nice alert message...

== This is an automated alert. Your rsync.net filesystem ([removed]) is over quota.
Currently you are using 20.318 GB out of 15.0 GB. Please note, your usage includes the combined usage of all your accounts, including the parent account and sub account(s).
This is not a major problem, nor do we insist that you remedy the problem immediately. However, your account is only allowed a 10% overage before it will be impossible for you to write additional data to the account. You will never lose the ability to read files from the account.
You may check your quota at any time by running the quota command over ssh:
ssh [removed]@usw-s007.rsync.net quota
Or you may simply log into your web-based Account Manager, here:
https://www.rsync.net/am/dashboard.html?u=[removed]
where you may see your usage on the Summary screen.
You can remedy this by removing files, increasing your account size, or you can simply let it be. You can increase your account size using our web-based Account Manager:
https://www.rsync.net/am/dashboard.html?u=[removed]
or by emailing support@rsync.net and requesting a larger account.
If you have any trouble checking your quota, or would like to disable these notifications for this account, please contact support@rsync.net
Thank You,
rsync.net Support
...
in other news, despite the existence of all sorts of "enterprise" monitoring software(plus the popularity of http://graphite.wikidot.com/), stuff like https://blog.mozilla.org/services/2013/04/30/introducing-heka/ appear every now and then..why? why won't people just use ready to use software?