I'm in the same boat. No issues before installing Mavericks.

I did the same tests, even disabled the 3rd party kext I had (pace driver, related to some vst plugins I have) with no luck.

I ran sysdiagnostics and can see the following interrupts, taken from powermetrics.txt:

****  Interrupt distribution ****

CPU 0:

          Vector 0x49(MacBookAir6,2): 31.67 interrupts/sec

          Vector 0x92(IGPU): 408.07 interrupts/sec

          Vector 0x96(HDEF): 216491.54 interrupts/sec

          Vector 0x98(ARPT): 11.06 interrupts/sec

          Vector 0x9e(SSD0): 25.10 interrupts/sec

          Vector 0xdd(TMR): 367.54 interrupts/sec

          Vector 0xde(IPI): 161.86 interrupts/sec

CPU 1:

          Vector 0xdd(TMR): 32.17 interrupts/sec

          Vector 0xde(IPI): 56.18 interrupts/sec

CPU 2:

          Vector 0xdd(TMR): 934.68 interrupts/sec

          Vector 0xde(IPI): 1103.50 interrupts/sec

CPU 3:

          Vector 0xdd(TMR): 165.04 interrupts/sec

          Vector 0xde(IPI): 242.83 interrupts/sec

I feel like that is not normal(see bold) Anyone know what HDEF is referring to, might help tracking this down.

Nothing is truly NSA-proof or hacker-proof, but WireOver wants to offer you more security than Dropbox, Google Drive, or Skydrive. The Y Combinator startup just emerged from stealth with a desktop app that lets you send files of any size for free. And for $10 a month, your transfers get end-to-end encryption so only the recipient can open them. WireOver can’t even look at what you’re sending.

If you just want to send huge video files or photo collections to friends and aren’t worried about encryption, WireOver is totally free for unlimited file-size sharing. But its premium level of privacy could be a big draw for anyone with sensitive files to send.

WireOver founder Trent Ashburn tells me there are security holes in the way big file storage and sharing providers transfer your stuff. “In the industry it’s called encryption in transit and encryption at rest. But the files arrive on the servers decrypted. Their servers will re-encrypt them and store them, but the encryption keys used are controlled by and accessed by the provider.”

Ashburn tells me there’s a risk of the same company having both a copy of your encrypted files and the key to open them. But with WireOver’s end-to-end encryption, files are never stored on its servers, and it doesn’t have the decryption key. “The approach we’re going for is ‘Trust No One’”.

WireOver Founder Trent Ashburn

Ashburn spent several years building computational models for quantitative hedge funds before becoming a semi-pro cyclist. He wanted to start a company he could relate to, and he found he was having some trouble with file transfers.

“With Dropbox, Google Drive, and Skydrive, sending small and medium-size files is pretty much solved but it’s a pain to send big files securely. There’a bunch of things that Dropbox works great for [like syncing]. And they do their best within their goals to have security, but they’re not trying to be the most secure tool. They’re trying to be your files everywhere.”

So Ashburn entered WireOver into Y Combinator. They built a bunch of failed prototypes before settling on a Python-based desktop client. Along with the YC funding it got from Andreessen Horowitz, SV Angel, and Yuri Milner, the four-person startup has raised an additional seed round from Bessemer Venture Partners, Boston’s .406 Ventures, and angels like BrandCast’s Hayes Metzger.

How To Use WireOver

Once you’ve installed WireOver, you just dump files into its little window, and type in the email address of the recipient[s]. Once they have WireOver installed and running, the file is transferred completely peer-to-peer, or routed by WireOver’s servers but isn’t stored there.

If you have a Pro account select “Secure” transfer , your file gets end-to-end encryption, even if the recipient doesn’t hasn’t bought a premium WireOver subscription. For even more security again man-in-the-middle attacks, you can request to verify the recipient’s machine’s crytopgraphic fingerprint.

The big downside to WireOver using a transfer system rather than cloud storage is that both the sender and recipient have to be online at the same time. You can’t just upload a file, email someone a link, and shut off your computer.

But since WireOver doesn’t store files, it doesn’t have to charge for unencrypted transfers. That means you could send 200 gigabyte or even terrabyte-sized files for free, which could cost hundreds or thousands of dollars a year on Dropbox, Drive, or SkyDrive. If you’re looking for security and privacy, WireOver might be worth the $10 a month.

Ashburn says some clients have switched to WireOver from sending physical hard drives and USB drives through the mail or with FedEx. While there are other encrypted file sharing services, we haven’t found any popular ones that offer unlimited file sizes for free, or encryption of those files for as cheap.

Companies large and small are seeing their data fall into the hands of hackers, and we’re realizing our governments are engaging in widespread surveillance. Meanwhile, as our cameras get better and our screens get bigger, file sizes just keep going up. So whether you’re paranoid or just want to send all your photos to mom, WireOver understands.

ESA’s ‘sleeping beauty’ wakes up from deep space hibernation

It got a lot of attention this morning when I tweeted, “You’re Eight Times More Likely to be Killed by a Police Officer than a Terrorist.” It’s been quickly retweeted dozens of times, indicating that the idea is interesting to many people. So let’s discuss it in more than 140 characters.

In case it needs saying: Police officers are unlike terrorists in almost all respects. Crucially, the goal of the former, in their vastest majority, is to have a stable, peaceful, safe, law-abiding society, which is a goal we all share. The goal of the latter is … well, it’s complicated. I’ve cited my favorite expert on that, Audrey Kurth Cronin, here and here and here. Needless to say, the goal of terrorists is not that peaceful, safe, stable society.

I picked up the statistic from a blog post called: “Fear of Terror Makes People Stupid,” which in turn cites the National Safety Council for this and lots of other numbers reflecting likelihoods of dying from various causes. So dispute the number(s) with them, if you care to.

I take it as a given that your mileage may vary. If you dwell in the suburbs or a rural area, and especially if you’re wealthy, white, and well-spoken, your likelihood of death from these two sources probably converges somewhat (at very close to zero).

The point of the quote is to focus people on sources of mortality society-wide, because this focus can guide public policy efforts at reducing death. (Thus, the number is not a product of the base rate fallacy.) In my opinion, too many people are still transfixed by terrorism despite the collapse of Al Qaeda over the last decade and the quite manageable—indeed, the quite well-managed—danger that terrorism presents our society today.

If you want to indulge your fears and prioritize terrorism, you’ll have plenty of help, and neither this blog post nor any other appeal to reason or statistics is likely to convince you. Among the John Mueller articles I would recommend, though, is “Witches, Communists, and Terrorists: Evaluating the Risks and Tallying the Costs” (with Mark Stewart).

If one wants to be clinical about what things reduce death to Americans, one should ask why police officers are such a significant source of danger. I have some ideas.

Cato’s work on the War on Drugs shows how it produces danger to the public and law enforcement both, not to mention loss of privacy and civil liberties, disrespect for law enforcement, disregard of the rule of law, and so on. Is the sum total of mortality and morbidity reduced or increased by the War on Drugs? I don’t know to say. But the War on Drugs certainly increases the danger to innocent people (including law enforcement personnel), where drug legalization would allow harm to naturally concentrate on the people who choose unwisely to use drugs.

The militarization of law enforcement probably contributes to the danger. Cato’s Botched Paramilitary Police Raids map illustrates the problem of over-aggressive policing. Cato alum Radley Balko now documents these issues at the Huffington Post. Try out his “Cop or Soldier?” quiz.

There are some bad apples in the police officer barrel. Given the power that law enforcement personnel have—up to and including the power to kill—I’m not satisfied that standards of professionalism are up to snuff. You can follow the Cato Institute’s National Police Misconduct Reporting Project on Twitter at @NPMRP.

If the provocative statistic cited above got your attention, that’s good. If it adds a little more to your efforts at producing a safe, stable, peaceful, and free society, all the better.

At the end of 2003, I was looking to buy a Mac IIfx for some hacking. I needed a Mac with six NuBus slots and the IIfx is the fastest model that fitted my requirements. One turned up on eBay and I was able to win the auction at a sensible price. The seller was a computer scrapper who had no knowledge or interest in the history of the system.

The system was purchased "untested, as is" and the photo accompanying the auction (see opposite) indicated that it wasn't going to be in pristine condition. When delivered the case was filthy and the steel RF shielding inside had surface rust indicating that it had been stored in a damp environment for a couple of years. The side of the case (psu end) had four grubby chunks of Blu Tac attached. Obviously a previous owner had decided to stand the IIfx on its side as a tower case and used the Blu Tac to stabilise it. (If you try this at home with a IIfx, please stand the case on the other end so that the psu ventilation slots aren't blocked.)

I stripped out the components, scraped off the majority of the Blu Tac and dumped the bare case in the bath tub with some detergent. As the photos show, some of the Blu Tac is still lodged around the ventilation slots and the underside of the case has a peculiar sunburn pattern. My IIfx still looks a mess but I only bought it for hacking anyway.

When switched on for the first time, it was clear that the last user had little understanding of how to store files on the hard disk. The root directory contained hundreds of MacWrite documents. Scrolling through them was a pain and, as I have no interest in other people's private affairs, I selected the lot and deleted them. That was mistake number one. I left the applications folder intact to have a look at later.

In its day, the IIfx was Apple's flagship computer and a well specified machine would have left little change from£10,000. My new purchase had 20MB RAM, an A4 portrait display card, a 256 colour Toby video card and a very noisy Fujitsu (non-Apple ROM) hard disk drive running System software 7.5.5. All of the blanking plates for the NuBus slots had been removed and it is likely that any useful cards had been removed as the Mac descended the scrap chain; the Open Transport preferences contained a reference to an ethernet adapter and the control panel for a Radius display card was installed.

The applications software installed on the system didn't look very interesting. All of the files I had deleted were MacWrite documents and it appeared that the IIfx had been used as a glorified word processor. However Retrospect Remote was installed for backups so somebody had been using the Mac for serious work previously. The last backup was performed on 02-02-1997 but, according to the last modified file dates, the system remained in use until March 1999. Some power user utilities from CE and More were also installed.

I started up MacWrite Pro and noticed that it was registered to "Douglas Adams, Serious Productions Ltd". I paid little attention to this as I had seen warez copies of Claris software where the registered user was Douglas Adams. I then started Claris Resolve, ignoring a warning dialog (mistake number two), and noted that this software was also registered to Douglas Adams. The copies of Claris Works 4.0 and Now Up-to-Date were registered to Jane Belson; I was unfamiliar with the name but a quick web search determined that she is Douglas Adams's widow.

Deleting all those files suddenly seemed like a dumb thing to have done... To undo mistake number one, I popped an ethernet card in the IIfx, mounted an AppleShare volume and ran Norton Utilities to recover the files onto the server.

The results? I recovered hundreds of documents relating to Jane Belson's professional work and precisely two that bear the hand of Douglas Adams. I doubt whether the copyright lawyers would chase me for publishing his Idiots Guide to using a Mac but you wouldn't be thanking me either. For now at least, the draft of a TV sketch called Brief Re-encounter is strictly for my personal enjoyment.

And mistake number two? I should have paid attention to the dialog box when I'd started up Claris Resolve. In twenty years of Mac use working on literally thousands of systems, I've only seen viruses half a dozen times so I ignored the warning. How wrong can you get... A precautionary scan a few hours later using the old Disinfectant application showed that Claris Resolve had been infected by the MBDF A virus and that every application that I had subsequently run was infected too. Cheers, Douglas!

A tiny San Mateo startup that has taken no angel money, no venture capital, and no outside funding of any kind is growing at the torrid rate of 25 percent per month and luring away key employees from hot growing companies like KISSmetrics.

How? By offering you data you can’t get anywhere else.

LinkedIn

Datanyze founder and CEO Ilya Semin

“I validated this via my team,” Datanyze cofounder Ben Sardella, who was recently running sales and customer success at KISSmetrics, told me today. “We started using Datanyze, and within two and a half months closed the largest deal in KISSmetrics’ history.”

Datanyze is like Google for sales and marketing.

Every day, the company crawls millions of websites with its custom spider technology, searching for hints about what software each company is using. In the era of cloud computing, few things are private, and anything on your website related to that marketing automation system you’re using or that CRM you’ve adopted or that e-commerce engine you installed reveals traces of what systems you’ve bought and what solutions you’re using. Bits of code, fragments of Javascript, embeds, even CSS markup could be the clue.

That’s powerful, and it’s similar to what Datanyze competitors HG Data and Salesify do right now. What Datanyze is particularly excited about, however, is that its data is updated every single day.

And that can give sales reps seeming superpowers.

VentureBeat is studying Marketing Automation. Fill out our survey, and you’ll get our full report when it’s published.

“Because we do this on a daily basis, we can see when people start a software trial,” CEO Ilya Semin told me. “So we can tell their competitors, and they can call those companies, and the sales rep can say: “I see you’re checking out our competitor’s solution right now … why don’t you try ours as well?”

That’s pure marketing magic.

Datanyze

Datanyze data offers a unique insight into market share — in this case e-commerce engines.

Not only is the prospect clearly interested in the type of solution you’re offering, he or she is right in the buying cycle as well. And, since you know what solution they are currently testing and presumably have already built a comprehensive sales strategy against that competitor, it’s a fairly simple thing to make the case that, in the interests of covering all their bases, the prospect should give you a shot too. Instantly, you’re in the door.

“That’s our major differentiator,” Semin says.

Updating data every single day is unheard of in the traditional business data world, where data is often old and frequently outdated. Sardella told me about a $10,000 Data.com purchase that KISSmetrics made recently that turned out to be 80 percent inaccurate — causing the company to ask for a refund.

“Buying data is like driving a new car off the lot,” Sardella said. “The value drops 30 percent right away.”

Datanyze, however, says that its data keeps getting better every single day: fresher and fresher.

KISSmetrics is still a customer, as are HubSpot, the marketing automation vendor Act On, as well as many other well-known companies. One in particular, a leading video platform, has found the data so high quality it has increased its purchase from five seats late last year to “well over 100″ today.

Enterprise customers can use the Datanyze API to bring data right into their systems, or use its Salesforce integration, with prices starting at $1,200 for the first seat and going down for subsequent users. Small customers can get platform access and CSV exports for $500 for the first seat, but Datanyze is also looking to offer a freemium product shortly.

While still small — the company will hit $1M in annual revenue “pretty soon” — Datanyze is growing fast.

“We’re really starting to grow,” Sardella says. “By the end of this month we will increase our total revenue by 25% just over one month.”

As the company grows, more options become available. Making the data richer, adding more categories to the 25 or more that it currently searches for, and adding more filtering are all on the table, marketing head Jon Hearty told me.

“We’re also asking ourselves how we can deliver this data in a way that is more seamless for salespeople,” he said. “We built a Chrome plugin for websites — because sales reps are constantly surfing the web for prospects — that gives you all the information in your browser … software they use, company size … and a link to dump it into Salesforce.”

Clearly, with HG Data and Salesify, among other competitors, the big data industry for sales and marketing leads is heating up.

Proponents of the open access model for academic research notched a huge victory Thursday night when Congress passed a budget that will make about half of taxpayer-funded research available to the public.

Deep inside the $1.1 trillion Consolidated Appropriations Act for 2014 is a provision that requires federal agencies under the Labor, Health and Human Services, and Education portion of the bill with research budgets of $100 million or more to provide the public with online access to the research that they fund within 12 months of publication in a peer-reviewed journal.

According to the Scholarly Publishing and Academic Resources Coalition (SPARC), this means approximately $31 billion of the total $60 billion annual U.S. investment in taxpayer-funded research will become openly accessible. “This is an important step toward making federally funded scientific research available for everyone to use online at no cost,” said SPARC Executive Director Heather Joseph in a news  release. The language in the appropriations bill mirrors that in the White House open access memo from last year, and a National Institutes of Health public access program enacted in 2008.

Sen. Tom Harkin (D-Iowa) who was instrumental in getting the NIH program launched told The Post: "Expanding this policy to public health and education research is a step toward a more transparent government and better science.”

While the government funds a significant chunk of academic research in the United States, most taxpayers do not have access to the results of that research, which is often kept in pay-walled databases controlled by commercial publishers. As the Internet has made it far easier for academics to share their research results, many have pushed for a more open system that allows public sharing of scholarly research commonly called "open access." But some publishers have cracked down, even going after individual professors who post their research on their university Web pages.

In recent years, Congress has considered various legislative proposals concerning access to publicly funded research. The Fair Access to Science and Technology Research Act would have mandated that publicly funded research be freed up within six months of publication. Another, the Research Works Act, would have effectively prohibited open access mandates and rolled back the NIH's public access program.

20 January 2014

I have started code reading groups at the last two companies I’ve worked at, Etsy and Twitter, and some folks have asked for my advice about code reading and running code reading groups. Tl;dr: don’t start a code reading group. What you should start instead I’ll get to in a moment but first I need to explain how I arrived at my current opinion.

As a former English major and a sometimes writer, I had always been drawn to the idea that code is like literature and that we ought to learn to write code the way we learn to write good English: by reading good examples. And I’m certainly not the only one to have taken this point of view—Donald Knuth, in addition to his work on The Art of Computer Programming and TeX, has long been a proponent of what he calls Literate Programming and has published several of his large programs as books.

On the other hand, long before I got to Etsy and started my first code reading group I had in hand several pieces of evidence that should have suggested to me that this was the wrong way to look at things.

First, when I did my book of interviews with programmers, Coders at Work, I asked pretty much everyone about code reading. And while most of them said it was important and that programmers should do it more, when I asked them about what code they had read recently, very few of them had any great answers. Some of them had done some serious code reading as young hackers but almost no one seemed to have a regular habit of reading code. Knuth, the great synthesizer of computer science, does seem to read a lot of code and Brad Fitzpatrick was able to talk about several pieces of open source code that he had read just for the heck of it. But they were the exceptions.

If that wasn’t enough, after I finished Coders I had a chance to interview Hal Ableson, the famous MIT professor and co-author of the Structure and Interpretation of Computer Programs. The first time I talked to him I asked my usual question about reading code and he gave the standard answer—that it was important and we should do it more. But he too failed to name any code he had read recently other than code he was obliged to: reviewing co-workers’ code at Google where he was on sabbatical and grading student code at MIT. Later I asked him about this disconnect:

Yet somehow even this explicit acknowledgement that most real code isn’t actually in a form that can be simply read wasn’t enough to lead me to abandon the literature seminar model when I got to Etsy. For our first meeting I picked Jeremy Ashkenas’s backbone.js because many of the Etsy developers would be familiar with Javascript and because I know Jeremy is particularly interested in writing readable code. I still envisioned something like a literature seminar but I figured that a lot of people wouldn’t actually have done the reading in advance (well, maybe not so different from a literature seminar) so I decided to start things off by presenting the code myself before the group discussion.

As I prepared my presentation, I found myself falling into my usual pattern when trying to really understand a piece of code—in order to grok it I have to essentially rewrite it. I’ll start by renaming a few things so they make more sense to me and then I’ll move things around to suit my ideas about how to organize code. Pretty soon I’ll have gotten deep into the abstractions (or lack thereof) of the code and will start making bigger changes to the structure of the code. Once I’ve completely rewritten the thing I usually understand it pretty well and can even go back to the original and understand it too. I have always felt kind of bad about this approach to code reading but it's the only thing that's ever worked for me.

My presentation to the code reading group started with stock backbone.js and then walked through the changes I would make to it to make it, by my lights, more understandable. At one point I asked if people thought we should move on to the group discussion but nobody seemed very interested. Hopefully seeing my refactoring gave people some of the same insights into the underlying structure of the original that I had obtained by doing the refactoring.

The second meeting of the Etsy code reading group featured Avi Bryant demonstrating how to use the code browsing capabilities of Smalltalk to navigate through some code. In that case, because few of the Etsy engineers had any experience with Smalltalk, we had no expectation that folks would read the code in advance. But the presentation was an awesome chance for folks to get exposed to the power of the Smalltalk development environment and for me to heckle Avi about Smalltalk vs Lisp differences.

When I got to Twitter I inexplicably still had the literature seminar model in mind even though neither of the two meetings of the Etsy reading group—which folks seemed to like pretty well—followed that model at all. When I sent out the email inviting Twitter engineers to join a code reading group the response was pretty enthusiastic. The first meeting was, yet again, a presentation of some code, in this case the internals of the Scala implementation of Future that is used throughout Twitter’s many services, presented by Marius Eriksen, who wrote most of it.

It was sometime after that presentation that I finally realized the obvious: code is not literature. We don’t read code, we decode it. We examine it. A piece of code is not literature; it is a specimen. Knuth said something that should have pointed me down this track when I asked him about his own code reading:

He’s not describing reading literature; he’s describing a scientific investigation. So now I have a new mode for how people should get get together to gain insights from code which I explained to the Twitter code reading group like this:

Since I had my epihany we’ve had several meetings of the code reading group, now known as the Royal Society of Twitter for Improving Coding Knowledge, along the new lines. We’re still learning about the best ways to present code but the model feels very right. Also, I no longer feel bad about my dissection-based approach to reading code.

The biggest lesson so far is that code is very dense. A half hour presentation is just enough time to present maybe a dozen meaty lines of code and one main idea. It is also almost certainly the case that the presenters, who have to actually really dig down into a piece of code, get more out of it than anybody. But it does seem that a good presentation can at least expose people to the main ideas and maybe give them a head start if they do decide to read the code themselves.

Okay, I’m calling it: if you’re using guest blogging as a way to gain links in 2014, you should probably stop. Why? Because over time it’s become a more and more spammy practice, and if you’re doing a lot of guest blogging then you’re hanging out with really bad company.

Back in the day, guest blogging used to be a respectable thing, much like getting a coveted, respected author to write the introduction of your book. It’s not that way any more. Here’s an example unsolicited, spam email that I recently received:

If you ignore the bad spacing and read the parts that I bolded, someone sent me a spam email offering money to get links that pass PageRank. That’s a clear violation of Google’s quality guidelines. Moreover, we’ve been seeing more and more reports of “guest blogging” that are really “paying for PageRank” or worse, “we’ll insert some spammy links on your blog without you realizing it.”

Ultimately, this is why we can’t have nice things in the SEO space: a trend starts out as authentic. Then more and more people pile on until only the barest trace of legitimate behavior remains. We’ve reached the point in the downward spiral where people are hawking “guest post outsourcing” and writing articles about “how to automate guest blogging.”

So stick a fork in it: guest blogging is done; it’s just gotten too spammy. In general I wouldn’t recommend accepting a guest blog post unless you are willing to vouch for someone personally or know them well. Likewise, I wouldn’t recommend relying on guest posting, guest blogging sites, or guest blogging SEO as a linkbuilding strategy.

For historical reference, I’ll list a few videos and links to trace the decline of guest articles. Even back in 2012, I tried to draw a distinction between high-quality guest posts vs. spammier guest blogs:

Unfortunately, a lot of people didn’t seem to hear me say to steer away from low-quality guest blog posting, so I did a follow-up video to warn folks away from spammy guest articles:

In mid-2013, John Mueller gave spot on advice about nofollowing links in guest blog posts. I think by mid-2013, a ton of people saw the clear trend towards guest blogging being overused by a bunch of low-quality, spammy sites.

Then a few months ago, I took a question about how to be a guest blogger without it looking like paying for links (even the question is a clue that guest blog posting has been getting spammier and spammier). I tried to find a sliver of daylight to talk about high-quality guest blog posts, but if you read the transcript you’ll notice that I ended up spending most of the time talking about low-quality/spam guest posting and guest articles.

And then in this video that we posted last month, even the question itself predicted that Google would take stronger action and asked about “guest blogging as spam”:

So there you have it: the decay of a once-authentic way to reach people. Given how spammy it’s become, I’d expect Google’s webspam team to take a pretty dim view of guest blogging going forward.

Added: It seems like most people are getting the spirit of what I was trying to say, but I’ll add a bit more context. I’m not trying to throw the baby out with the bath water. There are still many good reasons to do some guest blogging (exposure, branding, increased reach, community, etc.). Those reasons existed way before Google and they’ll continue into the future. And there are absolutely some fantastic, high-quality guest bloggers out there. I changed the title of this post to make it more clear that I’m talking about guest blogging for search engine optimization (SEO) purposes.

I’m also not talking about multi-author blogs. High-quality multi-author blogs like Boing Boing have been around since the beginning of the web, and they can be compelling, wonderful, and useful.

I just want to highlight that a bunch of low-quality or spam sites have latched on to “guest blogging” as their link-building strategy, and we see a lot more spammy attempts to do guest blogging. Because of that, I’d recommend skepticism (or at least caution) when someone reaches out and offers you a guest blog article.

Linux 3.13 is out

Linux 3.13 is out bringing among other thing the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework aka iptables. nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions. It is already usable in most cases but a complete support (read nftables at a better level than iptables) should be available in Linux 3.15.

nftables comes with a new command line tool named nft. nft is the successor of iptables and derivatives (ip6tables, arptables). And it has a completely different syntax. Yes, if you are used to iptables, that’s a shock. But there is a compatibility layer that allow you to use iptables even if filtering is done with nftables in kernel.

There is only really few documentation available for now. You can find my nftables quick howto and there is some other initiatives that should be made public soon.

Some command line examples

Suppose you want to log and drop a packet with iptables, you had to write two rules. One for drop and one for logging:

iptables -A FORWARD -p tcp --dport 22 -j LOG
iptables -A FORWARD -p tcp --dport 22 -j DROP

With nft, you can combined both targets:

nft add rule filter forward tcp dport 22 log drop

Suppose you want to allow packets for different ports and allow different icmpv6 types. With iptables, you need to use something like:

ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

With nft, sets can be use on any element in a rule:

nft add rule ip6 filter tcp dport {telnet, http, https} accept
nft add rule filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

It is easier to write and it is more efficient on filtering side as there is only one rule added for each protocol.

You can also use named set to be able to make them evolve other time:

# nft -i # use interactive mode
nft> add set global ipv4_ad { type ipv4_address;}
nft> add element global ipv4_ad { 192.168.1.4, 192.168.1.5 }
nft> add rule ip global filter ip saddr @ipv4_ad drop

# nft -i
nft> add element global ipv4_ad { 192.168.3.4 }

One advanced feature of nftables is mapping. It is possible to use to different type of data and to link them. For example, we can associate iface and a dedicated rule set (stored in a chain and created before). In the example, the chains are named low_sec and high_sec:

# nft -i
nft> add map filter jump_map { type ifindex => verdict; }
nft> add element filter jump_map { eth0 => jump low_sec; }
nft> add element filter jump_map { eth1 => jump high_sec; }
nft> add rule filter input meta iif vmap @jump_map

Now, let’s say you have a new dynamic interface ppp1, it is easy to setup filtering for it. Simply add it in the jump_map mapping:

nft> add element filter jump_map { ppp1 => jump low_sec; }

On administration and kernel side

Adding a rule in iptables was getting dramatically slower with the number of rules and that’s explained why script using iptables call are taking a long time to complete. This is not anymore with nftables which is using atomic and fast operation to update rule sets.

With iptables, each match or target was requiring a kernel module. So, you had to recompile kernel in case you forgot something or want to use something new. this is not anymore the case with nftables. In nftables, most work is done in userspace and kernel only knows some basic instruction (filtering is implemented in a pseudo-state machine). For example, icmpv6 support has been achieved via a simple patch of the nft tool. This type of modification in iptables would have required kernel and iptables upgrade.

When you have an intellectual property – especially one that’s worth millions of dollars – you want to protect it. But can such protections ever go too far? That’s the question a lot of industry watchers are asking this morning, as developers far and wide whose games include the word ‘candy’ are getting emails from Apple on behalf of King, the makers of Candy Crush Saga.

In a filing with the US trademark office dated February 6, 2013, King.com Limited registered claim to the word ‘candy’ as it pertains to video games and, strangely, clothing. On January 15, 2014 the filing was approved. And now, a mere five days later, reports are coming in from developers that they’re being asked to remove their app (or prove that their game doesn’t infringe upon the trademark).

“Lots of devs are frustrated cause it seems so ridiculous” says Benny Hsu, the maker of All Candy Casino Slots – Jewel Craze Connect: Big Blast Mania Land. Benny’s game, which shares no similarities with King’s properties aside from the word ‘candy,’ is one of a number of games that have been targeted by King.

Hsu contacted Sophie Hallstrom, King’s IP paralegal, to discuss the matter further. Rather than the simple “oops, our mistake” that Benny was hoping for, he was given a very finite response. “Your use of CANDY SLOTS in your app icon uses our CANDY trade mark exactly, for identical goods, which amounts to trade mark infringement and is likely to lead to consumer confusion and damage to our brand,” reads Hallstrom’s reply. “The addition of only the descriptive term "SLOTS" does nothing to lessen the likelihood of confusion.” 

So how does a word like ‘candy’ get trademarked? According to Martin Schwimmer, a partner at the IP legal firm Leeson Ellis (and the man behind The Trademark Blog), it’s all about how strong a connection the claimant has to that mark when it comes to a particular good or service. Think of Apple, for example. Nobody is going to expect the electronics giant to lay claim over the fruit, but if someone were to try to market an electronic device under that name, you’d better believe their lawyers would swoop in.

So the question then, is whether or not there’s a strong enough connection between the word ‘candy’ and video games as it pertains to Candy Crush Saga. According to the US Trademark Office, the answer is a bona fide yes.

Still, holding a trademark and being able to enforce it are entirely different things. Schwimmer is quick to point out the difference between suggestive marks and unique ones. “Someone can't plausibly claim that they came up with the term TEENAGE MUTANT NINJA TURTLES on their own.  An incredibly unique trademark like that is somewhat easy to protect.” But something generic – a dictionary word like candy? That can be a lot trickier.

Benny Hsu's All Candy Casino Slots

“Suggestive marks are protectable, but the problem is that third parties can claim that they thought up their mark on their own.” And in the case of something as generic as ‘candy,’ it doesn’t seem that farfetched to think that a lot of developers may have.

“As to how far King can enforce its rights, it will be a function of how strong its mark has become, and how similar the third party name is.  It would likely be able to enforce its rights against marks that are connotatively, phonetically or visually similar, for games that are conceivably competitive,” Schwimmer tells us. “King can't go after candy companies because candy companies don't use the term CANDY as a trademark – they use it to identify their product.”

If you’re a developer who has received one of these letters from King, Schwimmer’s advice is simple: call a lawyer. “A trademark lawyer can be very useful in obtaining a coexistence agreement.  Often a trademark owner will accept a settlement in which the possibility of confusion is mitigated, perhaps because the developer will not expand into areas more directly competitive with the trademark owner.”

But in an App Store littered with small indie developers, this is an option that seems out of reach for developers like Benny Hsu. “Myself and other indie developers don't have the money or resources to fight back… I plan on changing the name if that is what I must do.”

With Apple seemingly complicit in King’s claims – the letter Tsu initially received came through the iTunes legal department – one can’t help but wonder what the future of the App Store and suggestive trademarks might be.

“Last year I learned I couldn't use the word MEMORY because it was trademarked,” said Hsu. “Now I wonder what other common words will be trademarked in the App Store.”

Read more:Candy Crush Saga, King, copyright

Hi everyone,

Just recently I published my technical goals for 2014 and one of them was to learn more about security. Well it couldn’t have been more appropriate, my VPS just got hacked, for the second time (I use the VPS to host a Java web application). The first time, I basically rebuilt my server and hardened security as much as I could, but it didn’t work (more on what I did later). I’m not really a system administrator nor do I have much experience on the matter so I guess I must learn my lessons either studying or by being stung.

My VPS was being used to mine bitcoins, I believe. If you never heard of bitcoins, check Wikipedia

My VPS is configured to send me an email alert when CPU usage is above 90% for more than 2 (two) hours, which was what happened. I received an email by 20.30 last night (Jan, 17 – 2014)

I logged in my VPS and used the top command to find that a single process was using all CPU, this was the culprit:

Never heard of something like that, but with a bit of googling I traced it to bitcoin mining.

As I said at the beginning this was the second time my server got hacked (using the same method I believe ), so this time I really had to figure what went wrong as I wasn’t going to do everything from scratch again!

The first time my server was hacked I rebuilt it from scratch with the following steps to increase security:

• Install a newer CentOS version
• Update all packages
• Disable root login via SSH
• Disable password login via SSH (only private keys)
• Setup firewall to block all traffic except port 80 (HTTP), 443 (HTTPS) and 22 (SSH)
• Install Fail2Ban
• Change the user and root password to even more secure passwords (more than 15 chars each)

I thought I had it covered…

I tried checking the SSH log at /var/log/secure and found that lots of attempts were made to login with different users (with common names like admin, oracle, weblogic, postgres, etc…) but none seemed to have succeeded as I had setup only private key login.

Could it be that someone found a vulnerability in my web application? Oh boy…
I have a setup where Jboss hosts the web application and Apache proxies and handles the SSL stuff.

I went on and checked the Apache access logs (in /var/log/httpd/access_log) around the time the CPU first went off and found something interesting

A GET request to /a/pwn.jsp with a parameter cat /proc/cpuinfo… like this JSP was some kind of a web shell.. and it got a 200 OK response? No way…
Back to the browser to check and surely enough, the server responded with an empty page…  Next check… I try /a/pwn.jsp?cmd=ls and ouch… the directory listed…

Ok, so let’s check the full log using the following command (trimmed for readability)

With a little cleaning and url decode, you get the following list of commands:

Interesting to see is that the web shell appears to be just a means to and end, because the wget used in step 4) downloaded something that was used in step 5) by the perl interpreter, I checked the pdd-nos.info link and found what appears to be a some kind of a backdoor shell and I assume this was what was used to launch the bitcoin mining process.

Ok, so I have a problem, a big one. And I need to do two things:

I started by searching how someone installed a web shell in my Jboss instance. With a bit of googling I found the following resources (the “pwn.jsp” filename was a really big help there)

Which in turn led me to find an existing vulnerability regarding JBoss’s HTTP Invoker was probably used, that basically means an attacker could trigger a remote code execution. Not nice!

With additional search I found an exploit ready to be used. A PHP script that downloads a .war application which contains the web shell and uses the known vulnerability in the HTTP invoker to deploy the .war.

But wait a minute, where was that logrotate process that was consuming my CPU (cleverly named so that I wouldn’t notice)? If there’s a process then there’s an executable somewhere. I found it right inside my /JBOSS_HOME/bin folder along with a file named jboss4.txt (also named so that I wouldn’t found him suspicious) whose content was

Now, the issue is… was there something else that could have been changed so that even if I restarted JBoss it would allow the attacker to execute the same attack again? Hunt time!

Indeed I found that in /JBOSS_HOME/server/INSTANCE/server/deploy/management was a little folder called “lMvcdFxMFrvdib.war” (I kid you not) and inside the folder a file named “ZqxQljMExRpriU.jsp” (again I kid you not).. the content of the JSP was

Although the variable names are obfuscated you can tell that it receives some content encoded as Base64 and then writes that content to a .war file inside JBoss’s deploy directory. Clever trick… if I was to remove the attacker’s original war (the one with pwn.jsp) and restart Jboss, this .war file would also be deployed and provide a clear path of attack again!

So I had to secure the HTTP Invoker and that was the problem. I had the HTTPInvoker and WebConsole deployed and accessible to anyone (big, big mistake), since I don’t need them, I simply removed them, simple enough. Next, to delete the files!

I had to delete the files in JBOSS_HOME/bin which where used to create shell and mine the bitcoins, I had to delete the pwn.jsp that was installed in my JBoss instance and had to delete the war with the crazy name to stop an attacker from deploying another war without my knowledge.

The conclusion is that you can never be to careful with security. Anyone from around the world can try to frak you and you must be very careful. I overlooked the deployment of the web console and HTTP Invoker and I paid for that. Things could have been worse If the attacker found a way to upgrade the privileges of the user running jboss (it’s a sudoer, but the password is really hard) he could have done a lot more damage. I hope I’ve removed the threat but I can’t be 100% sure, so I’ll have to  keep monitoring, but I’ve learned my lesson.

I found a detailed guide explaining the exploit and how it works, in case you want additional information.

Happy coding and be safe!

Additional resources

At least one refrigerator was used to create a botnet that sent spam. Photo: AFP

Call it the attack of the zombie refrigerators.

Computer security researchers say they have discovered a large "botnet" which infected internet-connected home appliances and then delivered more than 750,000 malicious emails.

The California security firm Proofpoint, which announced its findings, said this may be the first proven "internet of things" based cyber attack involving "smart" appliances.

Proofpoint said hackers managed to penetrate home-networking routers, connected multimedia centres, televisions and at least one refrigerator to create a botnet — or platform to deliver malicious spam or phishing emails from a device, usually without the owner's knowledge.

Security experts previously spoke of such attacks as theoretical.

But Proofpoint said the case "has significant security implications for device owners and enterprise targets" because of massive growth expected in the use of smart and connected devices, from clothing to appliances.

"Proofpoint's findings reveal that cyber criminals have begun to commandeer home routers, smart appliances and other components of the internet of things and transform them into 'thingbots'", to carry out the same kinds of attacks normally associated with personal computers.

The security firm said these appliances may become attractive targets for hackers because they often have less security than PCs or tablets.

Proofpoint said it documented the incidents between December 23 and January 6, which featured "waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide".

More than 25 per cent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices. No more than 10 emails were initiated from any single device, making the attack difficult to block based on location

"Botnets are already a major security concern and the emergence of thingbots may make the situation much worse," said David Knight at Proofpoint.

"Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come online and attackers find additional ways to exploit them."

AFP

The line between traditional, paid advertising and organic editorial content on the Internet can sometimes be hazy. A recent stealth promotional campaign between Microsoft and Machinima highlights just how hazy that line has become, and how behind-the-scenes payments can drive ostensibly independent opinion-mongering on by users on services like YouTube.

This weekend, word started leaking of a new promotion offering Machinima video partners an additional $3 CPM (i.e., $3 per thousand video views) for posting videos featuring Xbox One content. The promotion was advertised by Machinima's UK community manager in a since-deleted tweet, and it also appears on Machinima's activity feed on Poptent, a clearinghouse for these kind of video marketing campaigns. The Poptent page also mentions an earlier campaign surrounding the Xbox One's launch in November, which offered an additional $1 CPM for videos "promoting the Xbox One and its release games."

To qualify for the campaign (and the extra payments), Machinima partners had to post a video including at least 30 seconds of Xbox One game footage that mentioned the Xbox One by name and included the tag "XB1M13." A YouTube search for that relatively unique term turns up "about 6,590 results," but a quick scan of those results shows only a few hundred that actually seem to be tagged for the Machinima promotion.

These kinds of payments aren't inherently suspect in and of themselves. If the video makers disclosed that Microsoft was paying extra for these videos, and if they were allowed to say whatever they wanted in those videos, then the whole thing could be seen as merely an unorthodox way to increase exposure for the Xbox One on YouTube.

That's not the case, however. According to a leaked copy of the full legal agreement behind the promotion, video creators "may not say anything negative or disparaging about Machinima, Xbox One, or any of its Games" and must keep the details of the promotional agreement confidential in order to qualify for payment. In other words, to get the money, video makers have to speak positively (or at least neutrally) about the Xbox One, and they can't say they're being paid to do so.

The arrangement as described might go against the FTC's guidelines for the use of endorsements in advertising, which demand full disclosure when there is "a connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement." The document offers a specific example of a video game blogger who gets a free game system that he later talks about on his blog. That blogger would need to disclose that gift, the FTC says, because his opinion is "disseminated via a form of consumer-generated media in which his relationship to the advertiser is not inherently obvious." That same reasoning would seem to apply to the opinions expressed by the video makers participating in this promotion. Neither Microsoft nor Machinima responded immediately to a request for comment on the matter, but we'll let you know if and when we hear from them.

This kind of guerrilla online video advertising doesn't seem to be a major part of Microsoft's Xbox One marketing plan. According to the Machinima e-mail, Microsoft agreed to pay only for the first 1.25 million views in the promotion, putting the budget paid to video creators at a mere $3,750 (it's unclear if Machinima itself received any additional funds for facilitating the promotion). Poptent lists the campaign, which started on January 14, as "expired on January 16," suggesting that Microsoft has already reached that desired video view goal. That money may be pulling more than its weight, though, as those videos continue to attract additional views that Microsoft doesn't have to pay for directly.

Whatever you think about the practice, there's reason to believe this kind of stealth promotion of "consumer-generated media" is likely to get more popular going forward. As readers and viewers get better at ignoring explicit, traditional ads—or start blocking them entirely with browser-side scripts—marketers are going to continue to try finding new ways to get their message out there through supposedly unbiased content creators. Something to keep in mind the next time you watch a video or read something from someone who says they're just an average, everyday consumer.

By Dan Levine

SAN FRANCISCOMon Jan 20, 2014 7:13am EST

Privately-held Intellectual Ventures sued Motorola in 2011, claiming the mobile phone maker infringed patents covering a variety of smartphone-related technologies, including Google Play. Motorola has denied the allegations and will now go to trial over three of those patents.

Barring any last-minute settlements, jury selection is scheduled to begin on Tuesday at a federal court in Wilmington, Delaware.

The trial takes place amid an unfolding debate in Congress over patent reform, in which Intellectual Ventures and Google are on opposite sides. Google is backing attempts to curb software patents and make it easier to fight lawsuits, while IV has warned that Congress should not act too rashly to weaken patent owners' rights.

IV and other patent aggregators have faced criticism from some in the technology industry, who argue that patent litigation and royalty payments have become a burdensome tax on innovation. They say firms like IV, which do not primarily make products, are exploiting the patent system.

But IV argues that unlike some of the firms denounced as "patent trolls," it invests only in quality intellectual property and does not file frivolous lawsuits. IV also says it helps inventors get paid for their innovations while helping tech companies protect and manage their intellectual property.

Should the Delaware jury rule against Motorola and uphold IV's patents, it could bolster the firm's argument that it does not buy frivolous patents, said Shubha Ghosh, a University of Wisconsin Law School professor.

Yet a win for Motorola could be held up as evidence that the U.S. government issues too many dubious patents. And even if IV prevails, Google could still argue that patent litigation before a jury of non-expert citizens is akin to a lottery, said Ghosh, who supports patent reform.

"Just because you have a winning ticket doesn't mean it's not still a lottery," he said.

IV and Google both declined to comment on the upcoming trial.

Since its founding in 2000, IV has raised about $6 billion (3.6 billion pounds) from investors and has bought tens of thousands of intellectual property assets from a variety of sources. Google was an investor in IV's first patent acquisition fund, but did not join later vehicles.

IV filed a barrage of lawsuits in 2010 against companies in various sectors, and most defendants have since settled.

THE INVENTORS

Two of the patents in the upcoming Motorola trial cover inventions by Richard Reisman, U.S. government records show. Through his company, Teleshuttle, Reisman has developed several patent portfolios for various technologies, including an online update service, according to the Teleshuttle website.

IV claims that the two Reisman patents cover several of Motorola's older-generation cellphones that have Google Play, a platform for Android smartphone apps. Motorola argues that IV's patents should never have been issued because the inventions were known in the field already.

Reisman did not respond to requests for comment.

One of the patents in play against Motorola has been in a courtroom before. Teleshuttle and a British partner, BTG, sued Microsoft and Apple in 2004 using one of the same patents now in play against Motorola.

In 2006, Teleshuttle and BTG sold their patent rights to Delaware-based Twintech EU LLC for $35 million up front, plus a percentage of future licensing fees, according to BTG's website. At the same time as the sale, BTG and Teleshuttle abruptly withdrew their cases against Apple and Microsoft.

Microsoft and Apple were both early investors in Intellectual Ventures. IV often uses subsidiary companies to buy patents, and then transfer them at a later date to related corporate entities, though public records do not indicate whether IV had an ownership interest in Twintech.

IV took title on the patents from Twintech in September 2011 and sued Motorola a month later, U.S. records show. In a 2011 blog post, Reisman wrote that his deal with IV provided resources "to let me focus on my work as an inventor."

Microsoft declined to comment while Apple did not respond to a request for comment.

Another patent being asserted against Motorola was originally issued to Rajendra Kumar in 2006. Kumar's company, Khyber Technologies, transferred it to Balustare Processing NY LLC in July 2011, which passed it over to IV about a month later, patent records show.

Khyber Technologies was founded in 1991 with the goal of creating the next generation of handheld computing products, according to its website. The patent that IV obtained from Khyber covers detachable handset technology, which IV claims Motorola used in its defunct Lapdock product.

Kumar declined to comment on the IV lawsuit.

If IV wins, damages will be decided at a later proceeding. The trial is expected to last about ten days.

The case in U.S. District Court, District of Delaware is Intellectual Ventures I and Intellectual Ventures II, 11-908.

(Reporting by Dan Levine; editing by Jonathan Weber)

In the world of JavaScript build tools, Grunt is king. Grunt is a task-based build tool, meaning it has no sense of the dependency graph of a project. Tasks are run, one after the other, until there are no more tasks. Grunt excels in the current environment of compilation tools with unpredictable inputs and outputs. Since globs are only resolved when a previous task ends and a new task begins, a task can output whatever it wants, and the next task will pick up on the new files.

There are a few mechanisms, such as Grunt's watch, for rerunning tasks when files change, but even with watch, the entire task will be run. There are no checksums and no timestamp comparisons; Grunt just isn't concerned with minimizing work.

Developers have another option besides task-based tool like Grunt: file-based tools. File-based build tools are extremely popular; make is arguably the most well known and well used file-based build tool, but there are countless others. Rather than defining rulesets with a sequence of tasks to run one after the other to complete a build, a file-based tool allows the developer to define builds as transformational relationships between files. For example, rather than having a task that turns every CoffeeScript file into JavaScript, we look at each CoffeeScript file and create a transformation between the CoffeeScript input and an associated JavaScript output. The difference may seem subtle at first glance, but it becomes incredibly important in defining the nature of the build process.

In short, the idea of a file-based build tool isn't a new one, but it has fallen out of favor as developers have drifted away from the shell. Make andtup both require use of shell commands to transform files. The problem is that shells can be scary, especially for web developers who rarely venture outside of the browser. I think every developer should be a shell ninja, but I know that probably isn't going to happen. I would advocate that everyone just use make, but there will always be developers who are looking for a lower barrier to entry, and something which is based on tools that developers already know, such as JavaScript.

Enter Fez.

Fez is a file-based build tool I have been working on loosely based on tup and written in JavaScript. Fez takes the idea of a JavaScript build tool with pluggable operations from Grunt, but goes in a different direction. Builds are defined as sets of rules with three components: the input(s), the output(s), and the operation. An operation is just a function. Unlike Grunt, Fez doesn't do any magic plugin loading. You simply require() the operation function and pass it as an argument to a rule. Here is why this simple rule-based build definition system is awesome: we are able to glob the file system for an initial set of inputs, then construct the entire dependency graph from that set of inputs and the set of rules. For example, say we had the rules:

*.less → %f.css
*.css → %f.min.css
*.min.css → dist.min.css

And a few starting nodes we found on the file system:

Fez is able to construct the entire graph, from beginning to end, from just this information:

Now all we have to do is traverse the graph with a topological sort. We can introduce parallelization of operations where appropriate by executing them in child processes, and then waiting on convergence points. Fez, like make, compares timestamps of inputs and outputs during the graph traversal, allowing Fez to only do the work which needs to be done. Even cleaning the build is made awesome by the build graph: any node with one or more inputs is a generated node, and can be safely removed.

Fez is still pretty raw, but is already usable in real projects (and is being used in a few real projects!), but I would love to hear what people think. Check out the website, the GitHub repository, and/or join us in #fez on Freenode.