-
My bank stole 9 cents
At the end of each month I spend about half an hour doing accounting for
my Tarsnap online backup service.
I record the number and total amount of incoming payments, the fees
charged by PayPal, the amount of backup usage which Tarsnap users were
charged for, the website hosting costs, et cetera. A few days later,
when Amazon Web Services finishes its monthly accounting I record that
number as well, at which point I know how much profit Tarsnap made in
the month. Today I took some extra time to compare numbers, and I came
to an unsettling realization: My bank stole my money -- 0.09 US dollars
of it, to be precise.
-
The never-ending finite loop
It's easy to write a loop which looks infinite but in fact completes
quite quickly; for instance, in the C code
for (int i = 1; i > 0; i++);
the variable i starts at 1 and counts upwards "infinitely", but
in fact the loop terminates once the integer type overflows and the
value of i wraps around to negative. (Strictly speaking, overflow of a
signed int is undefined behaviour in C, so an optimising compiler is
entitled to assume i > 0 always holds and emit a truly infinite loop;
the wrap-around is what a naive two's-complement compile produces.)
A recent
discussion led me to ponder the opposite problem: Can we write a
theoretically finite loop which is nevertheless guaranteed to not
complete?
It turns out that the answer, subject to some qualifications,
is yes. The 48-character line of C99 code
char i,x[99];for(x[98]=i=1;x[98];i++)i*=!++x[i];
takes a finite number of steps to complete; but nevertheless is —
subject to our current understanding of physics and the assumption that
the process responsible for
baryogenesis
can be reversed to cause
proton decay
— guaranteed to never be (non-erroneously) completed by a
baryonic computer in the observable universe.
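To make the counting mechanism behind that line visible, here is an added example (not from the original post) that runs the same loop with the position of the sentinel, n, as a parameter and counts iterations. The cells are unsigned char so the wrap at 256 is well defined, the array is zeroed explicitly, and the names count_iterations and expected_iterations are my own. Digits x[1..n-1] form a base-256 counter and the sentinel x[n] starts at 1 and must be incremented 255 times before it wraps to 0, so the loop runs 256^n - 1 iterations; with n = 98, as in the 48-character version, that is 2^784 - 1 iterations, assuming the array starts out zeroed as a file-scope array does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXW 100

/* Run the counting loop from the post with x[n] as the sentinel and
 * x[1..n-1] as the digits (n = 98 in the 48-character original), and
 * return the number of loop iterations. unsigned char makes the wrap at
 * 256 well defined; x is zeroed explicitly so the count does not depend
 * on where the array lives. */
uint64_t count_iterations(int n)
{
    unsigned char x[MAXW + 1];
    uint64_t iters = 0;
    unsigned i;

    if (n < 1 || n > MAXW)
        return 0;
    memset(x, 0, sizeof x);
    for (x[n] = i = 1; x[n]; i++) {
        iters++;
        /* ++x[i] wraps to 0 only after 256 increments; then !0 == 1 keeps
         * i unchanged and the i++ carries into the next digit. Otherwise
         * i becomes 0 and the i++ returns to digit 1. */
        i *= !++x[i];
    }
    return iters;
}

/* Closed form: 255 increments of x[n], each preceded by a full 256-cycle
 * of x[n-1], and so on down to x[1], totals 256^n - 1. Representable in
 * 64 bits only for n <= 7; the original's n = 98 gives 2^784 - 1. */
uint64_t expected_iterations(int n)
{
    if (n < 1 || n > 7)
        return 0;
    return ((uint64_t)1 << (8 * n)) - 1;
}

int main(void)
{
    for (int n = 1; n <= 3; n++)
        printf("n=%d: %llu iterations (expected %llu)\n", n,
               (unsigned long long)count_iterations(n),
               (unsigned long long)expected_iterations(n));
    return 0;
}
```

Widths 1 to 3 finish in well under a second; every extra digit multiplies the run time by 256, which is the whole point of the original's 97 digits.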
-
Hacker News Daily
I've been a member of the Hacker
News website (formerly "Startup News") for slightly over 3 years,
and it has grown significantly over that time. Three years ago, I could
read every article which was posted, and still have plenty of time
to work on Tarsnap. It's no longer
possible to read everything; even reading a small fraction of the articles
can take a significant amount of time away from other activities -- a
fact which even the site's creator has said he "worries about a lot".
-
Keep your eyes open
In October, I saw the following lines in the HTTP logs for the
Tarsnap website (the
private network IP address is due to my use of
jailed stunnel for
terminating the SSL connection):
www.tarsnap.com 192.168.0.44 - - [27/Oct/2009:22:02:14 +0000] "POST /confirm.cgi HTTP/1.1" 303 - "https://www.tarsnap.com/confirm.cgi?address=XXXXXX&cookie=XXXXXX" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"
www.tarsnap.com 192.168.0.44 - - [27/Oct/2009:22:02:16 +0000] "GET /confirmed.html HTTP/1.1" 200 2009 "https://www.tarsnap.com/confirm.cgi?address=XXXXXX&cookie=XXXXXX" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"
I sent an email to Apple, and earlier this week they released a large
number of security updates for Safari, including the following:
WebKit
CVE-ID: CVE-2010-1406
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.8, Mac OS X Server v10.5.8,
Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later,
Windows 7, Vista, XP SP2 or later
Impact: Visiting an HTTPS site which redirects to an HTTP site may
lead to an information disclosure
Description: When WebKit is redirected from an HTTPS site to an HTTP
site, the Referer header is passed to the HTTP site. This can lead to
the disclosure of sensitive information contained in the URL of the
HTTPS site. This issue is addressed by not passing the Referer header
when an HTTPS site redirects to an HTTP site. Credit to Colin
Percival of Tarsnap for reporting this issue.
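As an added example (not from the original post or from Apple's advisory), the following C program scans access-log lines in the combined format shown above and flags every request whose Referer URL carries a sensitive-looking query parameter, whatever the scheme: a secret that turns up there has already been copied out of the page it was meant for, and the HTTPS-to-HTTP redirect in the advisory is only one of the ways it then travels further. The sample lines are constructed, modelled on the excerpt above with the hostname changed to www.example.com; the parameter list, the function names and the 2048-byte field limit are my choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: vhost-prefixed combined log format, as in the
 * excerpt above, with the hostname replaced by www.example.com. */
const char *const SAMPLE_LOG[] = {
    "www.example.com 192.168.0.44 - - [27/Oct/2009:22:02:14 +0000] "
    "\"POST /confirm.cgi HTTP/1.1\" 303 - "
    "\"https://www.example.com/confirm.cgi?address=XXXXXX&cookie=XXXXXX\" "
    "\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us)\"",
    "www.example.com 192.168.0.44 - - [27/Oct/2009:22:02:16 +0000] "
    "\"GET /confirmed.html HTTP/1.1\" 200 2009 "
    "\"https://www.example.com/confirm.cgi?address=XXXXXX&cookie=XXXXXX\" "
    "\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us)\"",
    "www.example.com 10.0.0.7 - - [27/Oct/2009:22:05:01 +0000] "
    "\"GET /index.html HTTP/1.1\" 200 5120 "
    "\"https://www.example.com/\" \"Mozilla/5.0\"",
    "www.example.com 10.0.0.8 - - [27/Oct/2009:22:05:09 +0000] "
    "\"GET /faq.html HTTP/1.1\" 200 3100 \"-\" \"curl/7.19\"",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Query parameter names that should never appear in a URL, because URLs
 * end up in Referer headers, browser history and other people's logs.
 * Matching is exact and case-sensitive (hypothetical list). */
static const char *const SECRET_PARAMS[] = {
    "cookie", "token", "password", "key", "session"
};

/* Copy the n-th (0-based) double-quoted field of line into out.
 * In the combined format field 0 is the request, 1 the Referer, 2 the
 * User-Agent. Returns false if the line has fewer than n+1 such fields. */
static bool quoted_field(const char *line, int n, char *out, size_t outsz)
{
    const char *p = line;
    for (int k = 0; k <= n; k++) {
        const char *open = strchr(p, '"');
        if (open == NULL)
            return false;
        const char *close = strchr(open + 1, '"');
        if (close == NULL)
            return false;
        if (k == n) {
            size_t len = (size_t)(close - (open + 1));
            if (len >= outsz)
                len = outsz - 1;        /* truncate rather than overflow */
            memcpy(out, open + 1, len);
            out[len] = '\0';
            return true;
        }
        p = close + 1;
    }
    return false;
}

/* True if the URL's query string has a parameter named in SECRET_PARAMS. */
bool url_carries_secret(const char *url)
{
    const char *q = strchr(url, '?');
    if (q == NULL)
        return false;
    for (q++; *q != '\0'; ) {
        const char *amp = strchr(q, '&');
        const char *end = amp != NULL ? amp : q + strlen(q);
        const char *eq = strchr(q, '=');
        if (eq != NULL && eq < end) {
            size_t namelen = (size_t)(eq - q);
            for (size_t i = 0; i < sizeof SECRET_PARAMS / sizeof *SECRET_PARAMS; i++)
                if (strlen(SECRET_PARAMS[i]) == namelen &&
                    strncmp(q, SECRET_PARAMS[i], namelen) == 0)
                    return true;
        }
        if (amp == NULL)
            break;
        q = amp + 1;
    }
    return false;
}

/* A line is flagged when its Referer field carries a secret parameter. */
bool referer_leaks_secret(const char *line)
{
    char ref[2048];
    if (!quoted_field(line, 1, ref, sizeof ref))
        return false;
    return url_carries_secret(ref);
}

/* Scan the embedded sample, print each flagged line, return the count. */
int count_leaking_lines(void)
{
    int n = 0;
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (referer_leaks_secret(SAMPLE_LOG[i])) {
            n++;
            printf("secret in Referer: %s\n", SAMPLE_LOG[i]);
        }
    return n;
}

int main(void)
{
    printf("%d of %zu sample lines carry a secret in the Referer\n",
           count_leaking_lines(), SAMPLE_LOG_LEN);
    return 0;
}
```

Both of the lines modelled on the excerpt are flagged, which is the point: the fix that outlasts any one browser bug is to keep the secret out of the URL in the first place (for instance, by accepting the confirmation code in the POST body), because a client-side change such as Apple's only closes one of the channels through which a URL travels.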
-
Looking for wannabe FreeBSD/EC2 users
I want to use FreeBSD in
Amazon EC2. Based on feedback
I've had in the past, I know I'm not alone. Unfortunately there is some
work which needs to be done in FreeBSD to make it work on EC2.
If you want to use FreeBSD on EC2, please
send me
an email with as much as possible of the following information:
-
How many instances, of which types, would you expect to use?
-
If you had to pick one or the other, would you prefer i386 support
(32-bit -- EC2 small and medium instances) or amd64 support (64-bit --
EC2 large, XL, 2XL, and 4XL instances)?
-
What purpose would you be using EC2 for (e.g., web servers, video
encoding, high performance computing, et cetera)?
-
What applications would you be running? (This is relevant for
testing purposes.)
-
Can you provide any funding for development? (If yes, how much can
you contribute?)
-
I Vespri Siciliani
... and now for something completely different. Over the past weekend I
played two concerts in the first violin section of Vancouver's
West Coast Symphony
Orchestra: Verdi's Overture to I Vespri Siciliani, an aria from
Handel's Messiah, and the Verdi Requiem. All wonderful music; but the
first violin score for the Overture was horrid. Not only was it a
handwritten Kalmus part from 1965; but it also had wind cues written in.
Presumably the purpose was to allow the violin score to be used by a
conductor; but the net result was to render it almost entirely illegible.
-
ZumoDrive rolls a hard six
I haven't had much time for blogging recently, but sometimes things come
up which just beg for a response; case in point: A recent post to
the ZumoDrive blog entitled
"Sometimes
you have to roll a hard six" about the security of the ZumoDrive
cloud storage / backup service. I have to give credit to ZumoDrive
for one thing: Unlike most online backup services, they published the
reasons why they think their service is secure. Sadly, the credit goes
no further.
[EDIT 2010-03-11 18:00 I mention this below, but to place my conflict
up front: I'm the author of the Tarsnap
secure online backup service, which is in some ways a competitor to
ZumoDrive.]
-
Supporting FreeBSD
As a FreeBSD user and developer, I obviously care about the success of
FreeBSD. I make a small contribution towards this success via my role
as Security Officer; but the time I spend working on my
Tarsnap online backup service
prevents me from making as much of a direct contribution as I would
like. Fortunately the
FreeBSD Foundation
does an excellent job of supporting FreeBSD development; but like most
such organizations, they are funded entirely by donations and are always
in need of more. In light of this, I am pleased to announce that I
will be donating all of the profits made by
Tarsnap for the month of December
to the FreeBSD Foundation.
-
Looking back at 100 blog posts
I found recently, somewhat to my surprise, that as of my last post I had
written exactly 100 of these dispatches. Spread over 49 months, this
is not a very high posting rate; but I promised myself when I started
that I would limit myself to writing when I felt that I had something
worth saying, and would not indulge in the common trend towards
excessive introspection (or, in the words I used back in 2005,
"adolescent gutspill"), and I believe I've done a good job of holding
myself to this standard. Nevertheless, I think this is a good time to
look back at four years and a hundred posts and say a few words about
this blog.
-
Securing an HTTPS server
In response to numerous comments about "excessive minimalism", I
recently put together a new website for my
Tarsnap online backup service;
and since I was reworking things anyway, I decided that it was a good
time to move to a new web server and generally clean up the system
configuration. Among the things I cleaned up was how I handle HTTPS:
I need it because people enter passwords when creating tarsnap accounts
and when logging in to the tarsnap account management interface, but
I wasn't satisfied with the (in)security of running Apache with SSL
enabled.