All Cloud, No Cattle

Welcome to All Cloud, No Cattle Weekly #7.

Simpsons Scene of Monkeys Fighting, one is Reddit and the other is Wall Street

Tech

How r/wallstreetbets Pushed Gamestop Shares to the Moon

Brandon Kochkodin at Bloomberg:

Give credit where it’s due. In their frenzy, WSB’s cocky hordes have managed to turn the tables in a game short sellers invented, spinning gold from the complacency of others. Before this year, GameStop was a cash register for bearish traders, who borrowed and sold more shares than the company issued. Hedge funds had been winning so long that they overlooked the tinderbox they were creating should sentiment turn.

Gamestop has of course been the wildest ride of the last week, and for good reason. It’s been truly wild. I strongly recommend taking in Planet Money’s take on the phenomenon.


JS browser security concat bypass not detected

An AC filed a bug against semgrep…

We all protested this but he didn’t agree citing timelines. So during the security audit Semgrep found “raw-html-concat” issues and I was happy that at least now he will be forced to follow proper standards. But instead he bypassed me and forced the juniors to use concat() instead of string concat. And this was undetected by semgrep.

Funny that semgrep caught the one usage of concat but not the other, and I love this approach to dealing with his management: file a bug to close the loophole that allowed them to do this in the first place.


South African government releases its own browser just to re-enable Flash support

Catalin Cimpanu at ZDNet:

The South African Revenue Service has released this week its own custom web browser for the sole purpose of re-enabling Adobe Flash Player support, rather than port its existing website from using Flash to HTML-based web forms.

This seems like just asking for trouble, really.


Wikipedia Embraces First-of-Its Kind Universal Code of Conduct, Conceived For The New Internet Era

The Wikimedia Foundation, the nonprofit that administers Wikipedia, launched a first-of-its-kind Universal Code of Conduct that expands on the project’s existing policies to create a global set of community standards for addressing negative behavior on the site.

1500 contributors to the final product. Wow.


PostgreSQL on ARM-based AWS EC2 Instances: Is It Any Good?

The expected growth of ARM processors in data centers has been a hot topic for discussion for quite some time, and we were curious to see how it performs with PostgreSQL.

Spoiler alert: They had some really eye-popping improvements on ARM over x86.


The unreasonable effectiveness of simple HTML

Terence Eden:

If your laptop and phone both got stolen – how easily could you conduct online life through the worst browser you have? If you have to file an insurance claim online – will you get sent a simple HTML form to fill in, or a DOCX which won’t render?

A great read all around.


What happens when the maintainer of a JS library downloaded 26m times a week goes to prison for killing someone with a motorbike? Core-js just found out

Thomas Claburn for The Register:

In November 2019, Denis Pushkarev, maintainer of the popular core-js library, lost an appeal to overturn an 18-month prison sentence imposed for driving his motorcycle into two pedestrians, killing one of them.

As a result, he’s expected to be unavailable to update core-js, a situation that has project contributors and other developers concerned about the fate of his code library.

It appears that core-js has an astonishingly low bus factor (which, given the details here, feels a bit gross to say out loud).


Grab Bag

Infinite Gene Ray

If you remember the infamous Time Cube, Ben Pang built a procedurally generated clone that they call the Infinite Gene Ray.


Blue Check Homes

The blue verified badge on your house lets people outside know that you’re an authentic public figure. To receive the blue check crest, there must be someone authentic and notable actively living in the house.

Poe’s Law is dead.


Welcome to All Cloud, No Cattle Weekly #6.

Tech

An unpleasant sudo vulnerability

Jonathan Corbet, writing for LWN:

It would appear that “sudo” has a buffer-overflow vulnerability that allows any local user to gain root privileges, whether or not they are in the sudoers file. It has been there since 2011. See this advisory for details, but perhaps run an update first.

Since 2011.


The Next Gen Database Servers Powering Let’s Encrypt

Josh Aas and James Renken, writing on the Let’s Encrypt blog:

We’ll start by looking at our median time to process a request because it best reflects subscribers’ experience. Before the upgrade, we turned around the median API request in ~90 ms. The upgrade decimated that metric to ~9 ms!


Adobe Flash EOL Brings Down Chinese Railway Operator

David Cohen and Yue Sun, writing for Tech Node:

Depot staff were confused when their computers lost access to the local dispatch system on the morning of Jan. 12, according to the bulletin. The reason: Adobe’s last update to its Flash Player included a kill-switch set to go off that day, when the company ended support for the notoriously virus-prone web standard. Flash was little missed—except in the Chinese government, where it remains in widespread use.

Whoooooooops…


Retiring Tucows Downloads

We have made the difficult decision to retire the Tucows Downloads site. We’re pleased to say that much of the software and other assets that made up the Tucows Downloads library have been transferred to our friends at the Internet Archive for posterity.

The end of an era.


History of the browser user-agent string

Aaron Anderson, for WebAIM back in 2008:

In the beginning there was NCSA Mosaic, and Mosaic called itself NCSA_Mosaic/2.0 (Windows 3.1), and Mosaic displayed pictures along with text, and there was much rejoicing.

And behold, then came a new web browser known as “Mozilla”, being short for “Mosaic Killer,” but Mosaic was not amused, so the public name was changed to Netscape, and Netscape called itself Mozilla/1.0 (Win3.1), and there was more rejoicing.


Grab Bag

The Best Disney Movies to Learn a Foreign Language According to Data Science

Frank Andrade on towards data science:

But Disney+ has around 662 movies in its catalog. This is too much content to choose from, so I made a data analysis to find the best Disney movies that will help us learn a foreign language easily as I previously did for Netflix shows and 3000 top-rated movies.

As a native anglophone who lives in a not-officially-English-speaking country, this is a gold mine.

Disclosure: Disney is my employer.


Welcome to All Cloud, No Cattle Weekly #5.

Tech

Audion Returns

Panic brought back Audion:

Today, we’d like to give you the chance to experience these faces yourself on any Mac running 10.12 or later. We’re releasing a stripped-down version of Audion for modern macOS to view these faces.

Audion was most old school Mac users’ MP3 player, so it’s great to see this little bit of Classic nostalgia.


Reverse Engineering Prodigy

Phillip Heller writing at Vintage Computing:

What is particularly interesting about reverse engineering Prodigy is that it was patented, and unlike contemporary patents, the patent is usefully descriptive. When reading the patent and contemplating a reverse engineering effort, I was very surprised to read the following:

The source code for RS 400 is provided as part of this specification. This source code can be found in the application file and is incorporated herein by reference.


Parler’s hardware requirements

@th3j35t3r:

Anyone wanna know what Parler are trying to put together from other hosting providers that aren’t AWS? Read this spec list. Good luck with this outside of AWS. Rob Monster of Epik Hosting won’t be able to give them this kinda grunt with his shitty white-label reseller acct.

How do you put together an infrastructure of this size, that costs this much, without having a functional, tested, and executable disaster recovery plan?


Asahi Linux details M1 boot options for Linux

Hector Martin, with the Asahi Linux project:

This means that, effectively, Linux will bootstrap off of a “shell” of macOS, a volume with just iBoot and a few files to convince Apple’s boot infrastructure that it is a legitimate OS that can be booted.

Turns out that the M1 isn’t nearly as locked down as initial reports, and that (as long as macOS is still present to help with the bootstrap), it’s perfectly possible to boot other operating systems.


How We Ported Linux to the M1

And hot on the heels of Asahi Linux’s post, Corellium has done it.

So when Apple decided to allow installing custom kernels on the Macs with M1 processor, we were very happy to try building another Linux port to further our understanding of the hardware platform. As we were creating a model of the processor for our security research product, we were working on the Linux port in parallel.

The bootstrap script is very straightforward, and does not rely on any sort of “jailbreaking” or any hacks. It simply enables the firmware features required to load custom kernels. What Apple has done is disallow unauthenticated kernels by default, but make it trivial to enable them.

Grab Bag

Blue’s Clues Lost Pilot Found

The show’s creator, Angela Santomero, on instagram:

I have the pilot!


Welcome to All Cloud, No Cattle Weekly #4.

Tech

Parler has now been booted by Amazon, Apple and Google

Even without getting into the politics of it, there’s a lot to say about the situation with Parler. On reddit and twitter, I’ve seen a lot of scaremongering about how this makes the cloud “unsuitable” for hosting websites.

The whole concept of commerce is cooperating with outside parties to build value. Whether it’s AWS, Google Cloud, or your friendly neighborhood colo facility, you have to enter into agreements with other people in order to do business, and they will have conditions as to how you can use their facilities. If you build your own data center, you have to contend with your landlord or, at the very least, the companies that provide your business with power, water, and internet access.

“The cloud” is no different.


Dave Troy:

THREAD: Now that @Amazon @awscloud has announced they will no longer host @parler_app, many have speculated that they will just “find another host.”

Here is why that’s not so simple and what it will likely mean for the app’s future. First, let’s look at where things are…


Sarah Mei:

Perhaps we’re all tired of dunking on parler, but just in case you’re not, I did some investigation this evening.

tl;dr: technical clown shoes.

A great thread about the amateurism behind Parler.


Peter Sunde Kolmisoppi of The Pirate Bay:

The pirate bay, the most censored website in the world, started by kids, run by people with problems with alcohol, drugs and money, still is up after almost 2 decades. Parlor and gab etc have all the money around but no skills or mindset. Embarrassing.

Another great thread about the amateurism behind Parler.


Every Deleted Parler Post, Many With Users’ Location Data, Has Been Archived

This is what happens when you wear technical clown shoes.


Matt Ho:

Here’s an interesting visualization I put together of the DC insurrection based on video uploads to Parler.

This is also what happens when you wear technical clown shoes.


It’s not all Parler this week. I promise…


Testing Performance

She says it a bit tongue in cheek, but Charity Majors highlights that testing in production is required. How code runs in production is the only Truth.

This is part of the zen of testing: Our tests can only predict but cannot guarantee how things will run in production. Given the choice and a low enough cost, we’ll happily make our test environment as similar to production as makes sense.


Hector Martin:

So I’m working in understanding the Apple Silicon boot/OS provisioning process. This is all subject to change, but here are some takeaways according to my current understanding.

It turns out that the Apple Silicon Macs aren’t nearly as “locked down” as they were initially believed to be. That’s great news.


Building On-Call Culture at GitHub:

As GitHub grows in size and our product offerings grow in number and complexity, we need to constantly evolve our on-call strategy so we can continue to be the trusted home for all developers.


Grab Bag

Robbie Andrew:

I doubt there are many outside of Norway that know that the Norwegian pop group A-ha was critical in the introduction of electric car incentives in Norway. I certainly didn’t. Read on…


Welcome to Brexit, Ham Sandwich Edition

Dutch TV news has aired footage of customs officers confiscating ham sandwiches from drivers arriving by ferry from the UK under post-Brexit rules banning personal imports of meat and dairy products into the EU.

[…]

“you are no longer allowed to bring certain foods to Europe …” A bemused driver with several sandwiches wrapped in tin foil asked if he could surrender the meat and keep the bread. One customs officer replied: “No, everything will be confiscated. Welcome to Brexit, sir, I’m sorry.”

Woooooof…


What Do You Think of GM’s New Logo?

Personally, I don’t think it’s terrible, but it certainly feels like a medium budget App from 2013. Not exactly the look I’d be expecting for a multi-billion dollar automotive enterprise.


@ItsRetroNemo:

Peacock is literally pricing their service based on how much of the Office you can watch what is going on

People joke about some other services doing similar things, but I think Peacock is the first to make it this explicit.


Welcome to All Cloud, No Cattle Weekly #3.

Tech

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

username: zyfwp
password: PrOw!aN_fXp

FFS…


The Great Suspender: “New maintainer is probably malicious”

To summarize, the maintainer recently updated their chrome store package. The update raised red flags for some users, because the changelog was not modified and there was no tag created in GitHub. On investigation, it appeared that the extension was now connecting to various third-party servers, and executing code from them.

The Great Suspender is a once-highly-recommended plugin that I’m not currently using, and ho boy am I glad I’m not after reading this. Woof…


Writing Runbook Documentation When You’re An SRE

A lot of great advice on writing runbooks right here. My one thing though, is that I’d point out that runbooks are the definition of toil: if a task is definable in terms of a re-usable runbook, then you can also automate it. So, if you have to write a runbook, you should have an urgent plan for getting rid of that runbook.


Ticketmaster Fined $10m for Breaking into Rival’s Systems

“Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” Acting U.S. Attorney DuCharme said in a press release.

Even by Ticketmaster’s standards, this is pretty egregious.


Apple Silicon Games

Browse 800+ Game Performance Reports for Apple Silicon Macs


Charger Nerdery

If you don’t know a little about how AC adapters work, it might seem crazy that the difference between an 18W charger and 20W charger could be significant. If you think it’s all about wattage, they sound so similar — how could 2 watts make a difference?


Home Alone: a Post-Incident Review

This time around I noticed all the little checks that were in place but nevertheless failed. It turns out the movie is surprisingly detailed on all these things and made a lot more attempts than I initially thought to make it almost inevitable that Kevin would be stuck home alone.

I forget which movie I was watching recently, but I had a similar notion about writing a post-incident review for it too. I wonder if there’s some fun to be had in watching some movies and building a library of incidents like this…

Grab Bag

@steve_lieber:

Y2K was 21 years ago. Looking back, I think the only thing we learned is that if a bunch of people work really hard to stop a problem from happening, lots of other people will assume it was never really a problem.


Today in Tabs Returns

Every civilized weekday (i.e. Mon-Thu), Today in Tabs contained a lot of internet, compressed as tightly as I could get it.

Tabs was one of the inspirations I drew upon to start this, so I’m a little chagrined to see it return right as I’m getting started.


What Happened When I Attempted a Cornyn’d Beef Brisket

If the smell of the brisket in the oven was the $2,000 stimulus check you were hoping for, the flavor of the finished product was the $600 you’re really getting.

He also called it a “cross between a meat loaf and a McRib without the bun.”


The Full(est Possible) Story of the Four Seasons Total Landscaping Press Conference

Siravo wouldn’t say who had called, or if he knew how Donald Trump’s campaign had even heard of the small landscaping business, or anything else, really, that might tell how this stretch of asphalt became the official site of the end of the presidency and the beginning of the ass-backward pseudo-legal effort to reverse the results of the election.

The Four Seasons Total Landscaping fiasco is my #1 favorite story of the entire election, and this is probably going to be the most definitive telling we will ever get. And it’s a doozy.


Welcome to All Cloud, No Cattle Weekly #2.

Tech

Cryptocurrency Start-Up Underpaid Women and Black Employees, Data Shows

Coinbase is, of course, the company that famously tried to implement a no-politics policy forbidding anyone in their employ from having opinions about things like this.

So really, I’m shocked to read this news. SHOCKED.

Well. Not that shocked.


How to Prepare for a Site Reliability Engineer Interview

SRE helps break the stereotype that developers don’t take accountability for the services they build.

My one and only quibble with this article is that, in my not so humble opinion, “Site Reliability Engineering” is a discipline and “Site Reliability Engineer” should not be a job title. You might be a Software Engineer in SRE or a Production Engineer in SRE or even a Systems Administrator in SRE but you shouldn’t be a Site Reliability Engineer.


Much that we have gotten wrong about SRE

This article is worth it for the illustrations alone.


GoDaddy Phished Their Employees with a Covid Bonus Offer

“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” the email read. “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.”

That’s some galaxy-brain level ass haberdashery, right there.


Remote OK

A daily listing of remote job postings.


Comic Mono

I wish I were even joking about that one.


Teamstuff Closure

After staving off elimination earlier this year, COVID-19 finally catches up to sports team scheduling service Teamstuff. While no SaaS project is inherently easy, this seems like an area that someone can step into once in-person sports are allowed again.


Grab Bag

USA Hockey Proposed Rule Changes (pdf)

Two major changes will prove quite controversial, if approved: icing would be enforced for shorthanded teams, and immediate offside for all levels of youth hockey.

Regarding icing, the rationale is that teams who commit penalties are suddenly allowed to break another rule with impunity and that’s inherently unfair. The overall message of this rule, when taken with some others, is not that USA Hockey wants to increase scoring, but rather that they want to reduce penalties. If your team will be both shorthanded and unable to ice the puck, you will play a high-skilled game with fewer penalties. The consequences of a penalty are just too high.

When it comes to offside, delayed offside is sometimes confusing for youth players and even some referees. Immediate offside was already the rule in some of the younger divisions. I imagine elite levels will continue with delayed offside as house league rules or what have you.

Don’t look for these rules changes to show up in professional leagues.


NHL Updates Offside Rule

The NHL does have its own offside rule update, though. Skates no longer need to be in contact with the blue line, as long as they haven’t “broken the plane.” The original rule was written when instant replay at 10k FPS was a pipe dream and blade-on-the-ice seemed a reasonable determinant. The new rule maintains the intent of the rule, which is that players not have a positional advantage.


Monsters of 2020: The People Who Gutted Minor League Baseball

It should go without saying that one of the teams driving this movement—though by no means the only one—was the Houston Astros:

[T]he Houston Astros, a model of modern player development, bucked that trend a few years ago. After the 2017 season, they reduced their affiliate count from nine to seven clubs. The Astros believed they could become a more efficient producer of talent with fewer farm clubs.

Of course they did. At the time, the Astros were being feted as baseball’s new meritocrats.

As a life-long fan of both the Astros and Minor League Baseball, their complicity in this wounds my soul. This is the kind of stuff I point to when people ask me why I despise them now; they’ve damaged the game in ways that go far beyond their trashcan-banging cheating scheme.


Sex-hungry foxes migrate through the center of Amsterdam (Dutch)

At least the Red Light District is getting some visitors, even if it’s wildlife.


“Hallelujah” Is Not A Christmas Song

They’re not wrong.


@metaplexmovies thread about the Republic-era Jedi

At the end of the Republic, the Jedi were the bad guys. Don’t @ me.


Master of the Pecos River

But the rule book says that even though the water was in New Mexico’s reservoir, it was Texas’s water that evaporated. (Section C5, “Texas Water Stored in New Mexico Reservoirs”.)

I love that there’s someone whose official title is “River Master of the Pecos River” and that there’s a Pecos River Master Manual (pdf).


Christian communities are coronavirus hotbeds, official figures show

Nine of the 10 biggest coronavirus hotbeds in the Netherlands are classified as Christian council areas, according to research by Trouw, and based on figures from public health institute RIVM.


RIP Austin: All the Places Permanently Closed Due to COVID-19

This list wounds me deeply. Personal favorites on the list include Magnolia Cafe, Threadgills, Luby’s, Dart Bowl, Easy Tiger, and Cap City Comedy.


Cloud

Setting Business Goals with SLOs

Service Level Objectives (SLOs) have boomed in popularity because they provide a common language between business stakeholders and engineers to set aligned goals.


CloudFlare Pages Launches

It’d be a cool project to take my all-cloud-no-cattle site setup here multi-cloud by supporting others, such as CloudFlare Pages.


CloudLinux promises a CentOS Replacement

CloudLinux, which has been making Linux secure and stable since 2010, announced today it will invest $1 million annually in development and establish a community initiative around its RHEL fork intended as a safe haven for CentOS users left stranded with Red Hat’s announcement last week.

Grab Bag

STINKOMAN LEVEL 10

Finally.


On Realizing There Was Still Some American Exceptionalism Lurking In My Brain

I am a patriot but I thought I was a thoughtful one. This year has brought home to me how much American exceptionalism was still lurking in the corners of my head.


MacKenzie Scott donates $50m to Prairie View A&M.

The universities can use the money for whatever they like. At Prairie View, a historically Black university, school leaders have chosen to allocate $10 million to juniors and seniors who had dealt with financial challenges due to the COVID-19 pandemic. The rest of the money will go toward other university initiatives, including faculty development and recruiting, academic improvements and scholarships.


How Offshore Oddsmakers Made a Killing off Gullible Trump Supporters

The betting markets were not good predictors, but they weren’t trying to be. The online bookmakers that fielded bets on the election saw their largest single-event windfall ever. To understand why, you need to understand election betting and Donald Trump supporters.

After doing all of the work to set up impulsiveventures.com, I had an epiphany and realized there was a much, much better blog name just begging to be used here.

So, from today forth we shall be known as All Cloud, No Cattle.

Additionally, I’ve released a version of my Terraform module, personaldomains. There’s probably a better name for it, so perhaps it’ll get renamed at some point.

We work pretty hard to try to recreate nostalgic comfort foods from back home, which can sometimes be a challenge because the ingredients are not always readily available. Even when they are, sometimes the quality is different. When it comes to vegetables, we often find different varietals or cultivars than we’re accustomed to.

“Chili,” or even anything approximating it, isn’t super common here. If you search Albert Heijn for chili you’ll notice a stark difference from the same search at HEB. Even making it yourself is fraught with challenges, as the quality of meat and other ingredients is different.

For the first several years after the Texas Stars came to Austin in 2009, my buddy Steve and I would get a post-game snack at the Steak ‘n Shake in Round Rock. I’d usually get the Chili 5-way (which includes beans). So this dish is more than a little sentimental, even if it’s nothing like what I actually recognize as “chili.” Sadly, Steak ‘n Shake pulled out of Central Texas quite some time ago.

My “Chili” 4-Way

I looked in the fridge today and saw a small container of spaghetti sitting next to another container of ground beef with burrito seasoning, an onion, and shredded cheddar.

My Chili 4-Way

There’s no real magic here. It’s spaghetti with burrito meat, onion, and shredded cheddar. It worked out fairly well, though real Cincinnati Chili is quite a bit wetter than this.

This will undoubtedly irritate two types of people: Italians Mad At Food and Texans with strong opinions about what constitutes “chili.” Either way, it was a nice, nostalgic lunch with a twist. Maybe I can track down some Wolf Brand Chili and do it right sometime.

Just like when deploying changes to a production commercial website, updating my website domain from j.eremy.nl to impulsiveventures needed to be transparent, implemented in code, and reversible if anything went wrong. In fact, I had quite a bit of trouble with this because my terraform code technically worked but left me in a state where I wouldn’t be able to apply any future changes. Using terraform allowed me to revert those changes without any downtime, research where I had gone wrong, and then roll it out again later.

DNS is an eventually consistent system, meaning that when a change is made, users of the system will receive inconsistent results for a period of time. To get the ball rolling, I had to register the new domain name and set up nameservers for it in Route53. The remaining steps cannot commence until those nameservers are consistent (to be safe, let’s call it an hour).

I’m going to start using a map to track the domains being supported, so first we add the map to variables.tf:

variable "domain_list" {
  type = map
  default = {
    "primary"   = "impulsiveventures.com"
    "secondary" = "eremy.nl"
  }
}

Now, we can use this in dns.tf to create our zone.

resource "aws_route53_zone" "iv" {
  name = var.domain_list["primary"]
  tags = {
    "site" = var.domain_list["primary"]
  }
}

Lastly, we add an output to outputs.tf so that Terraform will tell us our DNS servers.

output "iv_nameservers" {
  value = aws_route53_zone.iv.name_servers
}

After running terraform apply, we’ll get this list back:

$ terraform apply
[ ... snip ... ]
iv_nameservers = [
  "ns-1345.awsdns-40.org",
  "ns-1596.awsdns-07.co.uk",
  "ns-320.awsdns-40.com",
  "ns-994.awsdns-60.net",
]

The one manual step is to run over to our registrar and update the list of nameservers with this information. Then, we go make some coffee and wait an hour or so. Once we’re sure that these have propagated, we can continue.

First, we’ll update acm.tf so that our SSL certificate will be issued for the new domain name, with alternates of the www and the old j.eremy.nl.

resource "aws_acm_certificate" "cert" {
  domain_name       = var.domain_list["primary"]
  validation_method = "DNS"
  subject_alternative_names = [
    "www.${var.domain_list["primary"]}",
    "j.${var.domain_list["secondary"]}",
  ]
  tags = {
    "site" = var.domain_list["primary"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

Later in this file, we have to create validation records from this certificate, so that Route53 can verify that we own the domain and are authorized to create SSL certs for it. The main problem is that we specified the Zone ID for the eremy.nl domain, but now we have to support two different domains. This requires a small change.

zone_id = dvo.domain_name == "j.eremy.nl" ? aws_route53_zone.eremy_nl.zone_id : aws_route53_zone.iv.zone_id

Lastly, we update cloudfront.tf to reflect its new hostnames.

  aliases = [
    "${var.host_name}.${var.domain_list["secondary"]}",
    var.domain_list["primary"],
    "www.${var.domain_list["primary"]}",
  ]

Apply these changes and we’re done.
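
For the certificate validation step above, here is one way the full validation-record resource could look. This is an added example, not code from the original post. It generalizes the hardcoded `"j.eremy.nl"` comparison into a lookup by zone apex. The names `zone_ids`, `cert_validation` and the `aws_acm_certificate_validation.cert` resource are assumptions, and it assumes a Terraform release that provides the `one` and `endswith` functions.

```hcl
# Added example: names marked "assumed" do not appear in the original post.

locals {
  # Assumed helper: hosted-zone apex => zone ID, built from the page's
  # domain_list variable and its two aws_route53_zone resources.
  zone_ids = {
    (var.domain_list["primary"])   = aws_route53_zone.iv.zone_id
    (var.domain_list["secondary"]) = aws_route53_zone.eremy_nl.zone_id
  }
}

# Assumed resource name. ACM returns one validation CNAME per name on the
# certificate (the apex, www, and j.eremy.nl); each must be created in the
# hosted zone that is authoritative for that name.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type

      # The page's ternary sends every name other than "j.eremy.nl" to the
      # primary zone, so a later SAN under eremy.nl would get its record
      # written to the wrong zone and validation would never complete.
      # Matching on the apex instead yields exactly one zone per name.
      # one() returns null when nothing matches, so the required zone_id
      # is missing and the plan fails instead of guessing a zone.
      zone_id = one([
        for apex, id in local.zone_ids : id
        if dvo.domain_name == apex || endswith(dvo.domain_name, ".${apex}")
      ])
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = each.value.zone_id
}

# Assumed resource name. Blocks until ACM has seen every validation record
# and issued the certificate.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
```

Pointing the CloudFront distribution at `aws_acm_certificate_validation.cert.certificate_arn` rather than at the certificate resource directly makes Terraform wait for an issued certificate before it attaches the new aliases.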