
Similar to what Steve Yegge said in his unintentionally published platforms rant:

- monitoring and QA are the same thing. You'd never think so until you try doing a big SOA. But when your service says "oh yes, I'm fine", it may well be the case that the only thing still functioning in the server is the little component that knows how to say "I'm fine, roger roger, over and out" in a cheery droid voice. In order to tell whether the service is actually responding, you have to make individual calls. The problem continues recursively until your monitoring is doing comprehensive semantics checking of your entire range of services and data, at which point it's indistinguishable from automated QA. So they're a continuum.

https://plus.google.com/+RipRowan/posts/eVeouesvaVX


This was a great rant and I wish I could have access to all those "learnings". Are there any books or blog posts with that knowledge already? The best resource I know are Martin Fowler's posts on the subject...


I'm not aware of anything really in-depth.

There is one paper I like about operational issues in general: https://www.usenix.org/legacy/event/lisa07/tech/full_papers/... . It lists a lot of criteria that must be met for a system to be highly automated.


That material is great, thanks! The style reminds me of c2 wiki.


1. If I'm going to be spending 2000+ hours a year in a single physical location it needs to have some privacy and comfort, at an absolute minimum.

2. I'm not willing to be scrutinized by others for exactly how I spend my time. Or how I appear to be spending my time. Goofing off, at least I'm only distracting myself, instead of wandering around distracting others. "Following orders" leads to intellectual heat-death. In the software profession this kills earning power.

3. Many people fail to realize that whatever minor thing they are currently locked on to psychologically is totally inconsequential. I can't have them hovering over me and yammering about it and trying to get me to click/type/open/smell whichever program/website/document/foodstuff has gotten them whipped up in a frenzy. People aren't conscious of boundaries when they're excited and this needs to be defended against physically with doors, desks, and body position.

4. Maybe it helps individual productivity to the detriment of group productivity. When I get a big raise based on group productivity, I'll start to care about it.


Gold density is 19.30 g/cm³, tungsten is 19.25.

Given two gold bars, one adulterated with tungsten, and one not, either the weight will differ or the volume will differ. So, given equal weights (i.e. standard 400oz bars), you can check the displacement to establish purity.

If you use a container that is filled up to a spout, and you measure the displaced water by collecting it in a measuring cup, you can just directly calculate density, and then compare it to gold.


You can't just check density like that, come on. Platinum (which apparently trades around the same price as gold) has a density of 21.45 [1], which more than compensates. If you want 100 grams of a tungsten-platinum mix to match the weight/volume of 100 grams of gold, this is how many grams you get to use of tungsten:

19.3 * 100 = 19.25 * x + 21.4(100-x)

Gold is left, mix is right (a sum of the tungsten and platinum parts). I solve for 100 grams because voila, it's now a percentage. That solves to x = 97.7273 (you get to use 97.7273 grams of tungsten), or you just need 2.2727% platinum (which, recall, costs about the same as gold). So if this were a great test, people could just use an alloy, which apparently exists:

https://www.google.com/search?q=tungsten+platinum+alloy

and target the exact same density as gold. Tungsten alone seems close enough for them, at least, according to the author.

[1] http://en.wikipedia.org/wiki/Platinum


Yeah this looks viable. This would make the best fake bar. I don't think the metals even need to be alloyed, you can just pour in one first, then the other.


I didn't mean it to be a viable suggestion - I don't think it is one. If you're testing density to within 2.7% you are doing other tests (suggested elsewhere by others in this thread). All I was saying is that although I do think the author is wrong (there is no problem of fake gold bars), the existence of a simple density test isn't why...


Yeah, this machine seems to be able to do it: http://www.ebay.ca/itm/GoldXpert-SDD-Portable-Countertop-XRF...


The first sentence of the original article states that XRF won't tell you if the core of the bar has been replaced with a different metal: "You don’t need to be a conspiracy theorist to find this worrying: a 1kg gold bar, certified as 99.98% pure by XRF (X-ray fluorescence) tests, turns out to have been drilled out and largely replaced with tungsten"

The article also says that a micro-ohm meter can detect such replacement.


Assuming you can figure out how to pour tungsten, or have something to pour it into.


You could match the density with an alloy of a denser metal than gold. Lead - tungsten maybe?


At least one of the metals in the alloy would need to be higher density than gold. There are a few but I don't think any of them are easy to get: http://www.wolframalpha.com/share/clip?f=d41d8cd98f00b204e98...

EDIT: tungsten + platinum looks viable as sibling comment mentioned.


Oops! I just assumed lead was denser than gold without checking! I didn't realize how dense gold actually is.


I don't know anything about this case, but it could be there's a bunch of air trapped inside the bar with the tungsten, assuming the forgers didn't alter the outside dimensions of the bar.


A bar with tungsten is larger than a pure gold bar, so air will not help here.


Not if you start with a gold bar, then hollow the core out like a Twinkie and fill it with tungsten and then plug the end. Which I believe is what gbhn was implying.


Then the bar is not heavy enough, because you've run out of room to add tungsten on the inside, and adding it on the outside would change the volume or shape of the bar.

Tungsten is less dense than gold. Not as much of a difference as actual Twinkie filling, but either way you're stuck with a similar issue.


My guess is that they are using human operators, and they probably have a retrieval squad on standby in case they lose contact. The regulatory issues I couldn't begin to guess.

The goal at this stage would be to validate the business model and to collect flight data and get a sense of the operational requirements. If it works and they want to develop an autopilot, they will then have all the flight data, landing zone choices and issues, and trained operators to consult.


Nicely put; especially with respect to the business model. It almost seems that being competitive with traditional methods (bicycle, scooter, truck) almost will require more investment than can be expected as a return on capital. If human capital is very cheap in the markets for delivery (assumption) then establishing a break-even / profit point is genuinely of concern.

Also, I can't help but recall seeing pictures of some cities with smog so bad I wonder if drone pilots would even be able to see at certain altitudes. Limited scenario, I know, but seems to correspond with population density. Dense population seems kind of the ideal market, so, yeah, just a thought.


I really liked all of them, but episode 2 was probably my favourite of season 1. It is over the top compared to other parts of the series, but not compared to other experimental far future or alternate universe scifi. For example: Dark City, Idiocracy, Cube, Moon, Battle Royale, Maze Runner.



And VCRs too. The original Macrovision technique relied on the low tolerance to noise in the old record-mode AGC circuits on first generation VCRs. But when VCRs improved to the point that Macrovision was ineffective, legislation was passed so that VCR manufacturers had to include a special circuit to recognize the Macrovision noise bursts, and emulate the old behavior. (Source: my memory of an old article in an electronics magazine, so the above may be somewhat inaccurate -- the article may have been only referring to proposed legislation, or possibly industry self-regulation).


I remember hooking my first DVD player (I had just received for my birthday) to the family TV via an RF modulator, because the DVD player only output RCA and the TV only had a coaxial input. I tried playing The Matrix (the only DVD I had at the time), and the video constantly faded to black and back to normal every few seconds. In retrospect, I gather that was some sort of DRM implemented in the RF modulator, but I don't know if it has anything to do with what you're talking about.


Up to now I had never considered the need for protection against a mid-keystroke attack. Ideally it would have to involve no unusual hardware or software, or you might as well just slap an "I'm a criminal" sticker on your forehead.

Second, I can't see it working properly if you need to do something specific when you're being struck.

Closest thing I can think of:

- headphones must be plugged in to launch a certain program

- if headphones are unplugged before program is closed, lock and begin wipe

- don't, under any circumstances, let go of the headphones

At this level of paranoia you probably also need interrogation training. Ideally you'd also have your sensitive stuff on a machine that is both hidden and protected, and only access it remotely. You want to be able to deny its existence to have any chance of withstanding a torture attack.

Edit: iPhone earbuds have a switch that you might be able to use in your hand/mouth as a deadman switch, but I can't see that being workable for more than a few seconds.

Also, if you're in public, they could film your monitor... so that would need to be sanitized somehow as well.


The problem with schemes like this is that they show premeditated intent to destroy evidence. I hear that courts don't like that. Maybe there wouldn't be evidence that specifically unplugging the headphones is what caused the drive to self-destruct. But a good forensic security analyst should be able to show that the system was intentionally destroyed.

If you can come up with a plan for plausible deniability when it comes to, say, permanently deleting the keys for an encrypted drive, then that's worth way more than the deadman's switch is on its own.


You won't know in advance who is going to rob you. In this case it was the FBI, but for this attack it could be anyone; even a reasonably organized group of 13-year-olds could probably pull this off. For example, the situation could be the same but DPR is a tech CEO working in a coffeeshop in Asia, and someone has just run off with a copy of his email and financials. He chases them out of the door, gets hit in the face with a bike chain, and wakes up in the hospital, not even knowing if they were just aggressive petty thieves, or if he was targeted and someone knows all his plans.

I think that "lock and wipe" might be too much though, and locking only would be more practical, wouldn't constitute destruction of evidence (as far as they know), wouldn't punish mistakes so much. Right now, off the shelf, a computer will lock up on screensaver, or sleep/poweroff. For a high paranoia user, you could add headphone unplug, power cord in/out, any USB in/out, even monitor the mic for certain codewords to trigger the lock. And if it happens it isn't such a big deal, just re-authenticate.
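
A lock-only trigger of the kind described in the comment above, as an added example that is not part of the original thread. It assumes Linux with acpid (`acpi_listen`) and systemd-logind (`loginctl`); the function names and sample event lines are constructed, and event strings vary by hardware.

```shell
#!/bin/sh
# Lock (never wipe) the session on physical events, using acpid's event stream.
# Assumptions: Linux, acpid running (acpi_listen), systemd-logind (loginctl).
# Event strings differ between machines; the samples below are constructed.

# Print "lock" or "ignore" for one acpi_listen line.
classify_event() {
    set -f            # no globbing while the line is split into fields
    set -- $1         # $1=class $2=device $3,$4=values
    set +f
    case "${1:-}" in
        jack/headphone)
            # sample: "jack/headphone HEADPHONE unplug"
            if [ "${3:-}" = "unplug" ]; then echo lock; return 0; fi ;;
        ac_adapter)
            # sample: "ac_adapter ACPI0003:00 00000080 00000000" (0 = unplugged)
            if [ "${4:-}" = "00000000" ]; then echo lock; return 0; fi ;;
        button/lid)
            # sample: "button/lid LID close"
            if [ "${3:-}" = "close" ]; then echo lock; return 0; fi ;;
    esac
    echo ignore
}

# Follow the event stream and lock the caller's own session on a match.
watch_and_lock() {
    acpi_listen | while IFS= read -r line; do
        if [ "$(classify_event "$line")" = "lock" ]; then
            loginctl lock-session
        fi
    done
}

# Start watching only when invoked with the argument "watch".
if [ "${1:-}" = "watch" ]; then
    watch_and_lock
fi
```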


So now it's the locking mechanism that's gotta be made plausibly deniable. The beauty of it being done in software via (say) an HID interrupt is that the software itself is protected by the act of locking the computer.


Do I need to pay you royalties for implementing such a headphone-based security scheme in my device?


Not at all.


That sounds fine... until you turn your head and jerk your headphones out.


You have to evaluate the risk: how "expensive" are occasional mis-triggers compared to a failure to trigger when necessary, and where is the optimal balance? (the always/never problem)


I've been considering running all my mobile data through a VPN for better security, and saving all of it so I can analyze anything after the fact. Anyone doing anything like this?


Keeping a VPN connection alive doesn't do the battery any favors, and bringing up a VPN connection isn't that fast to do it on-demand.


I am often dependent on a high-latency GPRS link, and the overhead of establishing a tunnel using OpenVPN or SSH (e.g. sshuttle) is prohibitive. OpenVPN is very likely to time out before it can negotiate a TLS session. This is one of the major reasons why I wrote my own VPN software[1] using NaCl. Deterministic public-key encryption means that there is no negotiation required at startup. The tunnel is therefore ready to use as soon as the program is started. To me, that's the difference between a usable connection and nothing at all.

[1] https://github.com/amenonsen/tappet


OpenVPN has a tuneable keepalive interval. I think the default is 10 seconds, which is not so good for battery. But if you set it to 10 minutes, that would be fine.

(I bet the roaming between wifi and cellular data could be a problem, though.)


On letting the user switch between register and login at any time, there is one small thing that Tumblr does that I like.

If you go to tumblr.com it displays the registration page with email/password/username. If you just type in email+password on this page, it still works. So an incomplete registration form can be used to log in.


A lot of companies are giant faceless MBAocracies, and all their front line staff are designed to be minimum cost minimum fuss drones, which selects for checked out losers. The purpose of tipping is to bypass institutional apathy so you can deal with someone who will treat you as human for the right price.

