Troy Benjegerdes hozer at hozed.org How did I wake up in a Douglas Adams novel today, did anyone check for vogons? The only way it could be better is if he was drunk on Russian vodka. http://www.slate.com/blogs/future_tense/2015/01/28/after_white_house_crash_drone_maker_dji_restricts_its_uavs_flying_zone.html The only logical explanation for this is someone who knows how completely busted and broken the system has gotten is trying to make a point. It's the complete absurdity of stuff like this that convinces me that no 'vast government conspiracy' could ever survive the organizational incompetence. Or at least, that's what the vogons want me to think.
SANS Internet Storm Center, InfoCON: green: ISC StormCast for Thursday, January 29th 2015 http://isc.sans.edu/podcastdetail.html?id=4333, (Thu, Jan 29th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The Ombudsman speaks to BNT. About the judicial system. Of course there are rotten apples in the judicial system – in the key positions, the Ombudsman tells an astonished Dimitar Tsonev. Of course I know who they are. Of course everyone knows them. Go to any district town; everyone knows who will get the job done, it is a commercial activity. Of course I will not name them; that would mean never leaving the courtroom for the rest of my life.
As confirmation – the media that talk about oligarchs, trading in influence and rotten apples enjoy the attention of the most varied institutions – and, it is important to note, the media regulator is not among them.
1. Few journalists reported on KTB, the accumulation of public resources and the financing of KTB media back when the information about KTB amounted to the sentence "Our clients are dear to us." Ikonomedia was sanctioned even then. By the KZK (the Commission for Protection of Competition).
For what? Here is what Monitor says about the violation, the year being 2010: "A publication in the weekly Kapital from April 2010 even stated that NBMG is not an independent publisher but is controlled by third parties, such as the chairman of the Supervisory Board of KTB, Tsvetan Vasilev. After a thorough inspection, however, the KZK established the publicly known fact. Namely – that 'New Bulgarian Media Group' is the sole owner of the capital of 'Telegraf', 'Monitor' and 'Politika'. Moreover, neither the name of Tsvetan Vasilev nor that of KTB appears in any of the companies." It is now common knowledge that NBMG was bought with a loan from KTB.
2. Because of publications about the rotten apples in the banking system, the publishers of Bivol had dealings with the BNB (the Bulgarian National Bank).
The US Ambassador spoke about the need for transparency in the banking sector – and the BNB immediately issued a statement that there is transparency. KTB was a taboo topic. Deutsche Welle, The New York Times and The Economist received letters warning that they would be sued. Deutsche Welle ended its relationship with Emmy Barouh and Ivan Bedrov with the explanation "not because of KTB". It was never explained why.
3. Media had carried out market manipulation. That is the conclusion of the KFN (the Financial Supervision Commission).
What was confirmed by the public registers was supposedly true. On the other hand, the sources of the information were supposedly to be named for verification. The rule of law supposedly required the imposition of sanctions.
4. And news from this week. An inspection at Kapital. BNB – prosecutor's office – Ministry of Interior.
In 2014 the BNB holds a press conference at which it presents the results of an audit of KTB, but the governor of the central bank, Ivan Iskrov, announces only one figure – "substantial parts of the credit files, amounting to BGN 3.5 billion, are missing, and more likely were destroyed in the days before the conservatorship." The audits are not publicly available. "The Myth of 'Open the Healthy KTB'" is a publication that reports the conclusions of the independent auditors. Half a year later it becomes clear that the BNB (Nelly Kordovska, head of the Banking Supervision department) forwards a report to the prosecutor's office about crimes under two provisions of the Penal Code – disclosure of information by an official and disclosure of bank secrecy. The prosecutor's office orders inspections into which persons had access to the information, which of the disclosed material is a secret provided for by law, and "a statement from the relevant persons at Kapital."
It is not the first time. And no, not every report necessarily requires questioning journalists: because in some cases – if the absence of a crime can be established trivially – this is plain harassment.
And whether responsibility for disclosing information should be borne by journalism is a question dating from the time of Interior Minister Petkanov. Before that: what do the agencies declare secret, and why? If information that implicates institutions in violations or in criminal inaction is classified, is it not the duty of the media to point out that fact?
At linux.conf.au 2015 in Auckland, Rusty Russell presented a talk about his personal side-project, Pettycoin. Russell had announced Pettycoin at LCA 2014; at that time it represented an untested concept: a way to attach a separate, Bitcoin-like network to the existing Bitcoin blockchain. Pettycoin’s goal was originally to offer a simpler and faster “side network” that periodically reconnected to Bitcoin. In the intervening year, Russell made a lot of progress, but other new innovations in the Bitcoin arena have led him to question parts of the Pettycoin approach and consider a reimplementation.
An exploitable bug was found in BlackPhone, a “secure” Android phone. This is wildly misinterpreted. BlackPhone isn’t a totally secure phone; such a thing is impossible. Instead, it’s simply a more secure phone. I mention this because journalists can’t tell the difference.
Soon after its U.S. premiere on January 9, pirate copies of the new Liam Neeson movie Taken 3 began appearing online. While quality was decent for a ‘cam’ recording, it was nothing to get really excited about.
As it happened that didn’t matter too much since most downloaders were already preoccupied with the recent flood of high quality Oscar screeners. Nevertheless, those who ventured into a cinema to record Taken 3 are likely to have exposed themselves to considerable risk.
In many countries one can end up in jail for such activities, especially when recording is followed by uploading to the Internet. But just a week later new events meant that the Taken 3 pirates’ dance with danger would largely be forgotten.
Last Thursday an HD copy of Taken 3 appeared on all major torrent sites but thanks to an earlier tipoff, that came as no surprise to us. Several days earlier a source already told TF that a “pristine” copy of Taken 3 would become available on January 22. So how did he know? The answer lies thousands of miles away in the Middle East.
OSN is a pay TV network with its headquarters in Dubai, United Arab Emirates. The network offers international entertainment content such as movies, TV shows and sporting events. Perhaps surprisingly to readers in the West, it also provides access to movies still running in U.S. theaters.
As can be seen from the image of an OSN TV screen below, Taken 3 was due to air on the PPV network on January 22.
TF was assured that a copy would quickly be pirated using OSN, as several other popular movies had also been ‘capped’ from the same source in recent times. Sure enough, the first copies to appear online last Thursday all appeared with tell-tale Arabic subtitles or a suspiciously narrow image window where they’d been cropped out.
While it’s not easy to say whether all ‘subbed’ copies now online originate from the first original ‘capping’ of Taken 3, we know that the first ‘big’ copy on Western sites (uploaded by a group called CPG) was not the first overall.
Those honors fell to a group called “weleef” who uploaded this “exclusive” to Arabic forum ArabScene shortly after the first showings on OSN.
Of course, thanks to this source people from all around the globe were able to watch a good copy of the movie, despite it still playing in cinemas in the United States and elsewhere. Sadly, even those wanting to pay for the movie in the U.S. will have to wait until April 2015 for a VOD release.
Why Hollywood treats citizens in the Middle East and Asia better than its home audience is anyone’s guess, but if defeating piracy is the goal the practice might be backfiring.
Our source says that a Chinese VOD site already has 50 Shades of Grey listed for an end of February release, two weeks after its Valentine’s Day premiere in the U.S. Only a month to find out if that leaks too.
Update: A new and non-subtitled copy of Taken 3 is now flourishing online. The source? An OSN set-top box…
SANS Internet Storm Center, InfoCON: green: Adobe Flash Update Available for CVE-2015-0311 & -0312, (Wed, Jan 28th)
Adobe has released an update for the Flash vulnerability CVE-2015-0311 discussed earlier this week here on the ISC. The update from Adobe addresses the Flash vulnerabilities documented in CVE-2015-0311 and CVE-2015-0312, for which exploits are now being seen in the wild. Given that exploits are in the wild, the criticality of this update should be re-evaluated for prioritization and implementation. tony d0t carothers –gmail
In the previous article I talked about multithreading. That article covered such basic notions as types of multitasking, the scheduler, scheduling strategies, the state machine, and others.
This time, I want to look at the problem of scheduling from another perspective. Namely, I’m going to tell you about scheduling not threads, but their “younger brothers”. Since the article turned out to be quite long, at the last moment I decided to break it up into several parts:
- Multitasking in the Linux Kernel. Interrupts and Tasklets
- Multitasking in the Linux Kernel. Workqueue
- Protothread and Cooperative Multitasking
In the third part, I will also try to compare all of these seemingly different entities and extract some useful ideas. After a little while, I will tell you about the way we managed to apply these ideas in practice in the Embox project, and about how we started our operating system on a small board with almost full multitasking.
Read more at Vita Loginova’s blog.
Debian-LTS has updated eglibc (code execution).
Mageia has updated busybox (arbitrary module loading), flash-player-plugin (multiple vulnerabilities), php (multiple vulnerabilities), privoxy (multiple vulnerabilities), and python-pillow (denial of service).
Red Hat has updated chromium-browser (RHEL6 Supplementary: multiple vulnerabilities), flash-plugin (RHEL5,6 Supplementary: multiple vulnerabilities), glibc (RHEL6,7; RHEL5; RHEL5.6, 5.9, 6.2, 6.4, 6.5: code execution), and kernel (RHEL6: denial of service).
SUSE has updated glibc (SLE11, SLE10: code execution).
I haven’t seen anybody compile a list of key points about the GHOST bug, so I thought I’d write up some things. I get this from reading the code, but mostly from the advisory.
Most things aren’t vulnerable. Modern software uses getaddrinfo() instead. Software that uses gethostbyname() often does so in a way that can’t be exploited, such as checking inet_addr() first. Therefore, the fact that software uses the vulnerable function doesn’t mean it’s actually vulnerable.
Most vulnerable things aren’t exploitable. This bug is hard to exploit, only overwriting a few bytes. Most of the time, hackers will only be able to crash a program, not gain code execution.
Many exploits are local-only. It needs a domain-name of a thousand zeroes. The advisory identified many SUID programs (which give root when exploited) that accept such names on the command-line. However, it’s really hard to generate such names remotely, especially for servers.
Is this another Heartbleed? Maybe, but even Heartbleed wasn’t a Heartbleed. This class of bugs (Heartbleed, Shellshock, Ghost) are hard to exploit. The reason we care is because they are pervasive, in old software often going back for more than a decade, in components used by other software, and impossible to stamp out completely. With that said, hackers are far more likely to be able to exploit Shellshock and Heartbleed than Ghost. This can change quickly, though, if hackers release exploits.
Should I panic? No. This is a chronic bug that’ll annoy you over the next several years, but not something terribly exploitable that you need to rush to fix right now.
Beware dynamically and statically linked libraries. Most software dynamically links glibc, which means you update it once and it fixes all software (after a reboot). However, some software links statically, using its own private copy of glibc instead of the system copy. This software needs to be updated individually.
There’s no easy way to scan for it. You could scan for bugs like Heartbleed quickly, because they were remote facing. Since this bug isn’t, it’d be hard to scan for. Right now, about the only practical thing to scan for would be Exim on port 25. Robust vulnerability scanners will often miss vulnerable systems, either because they can’t log on locally, or because while they can check for dynamic glibc libraries, they can’t find static ones. This makes this bug hard to eradicate — but luckily it’s not terribly exploitable (as mentioned above).
You probably have to reboot. This post is a great discussion about the real-world difficulties of patching. The message is that restarting services may not be enough — you may need to reboot.
You can run a quick script to check for vulnerability. In the advisory, and described here, there is a quick program you can run to check if the dynamic glibc library is vulnerable. It’s probably something good to add to a regression suite. Over time, you’ll be re-deploying old VM images, for example, that will still be vulnerable. Therefore, you’ll need to keep re-checking for this bug over and over again.
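The canary-style check described above, as an added example written for this post rather than the advisory's own program: it hands gethostbyname_r() a buffer followed by a canary and a purely numeric name sized to the buggy arithmetic, so a vulnerable dynamic glibc writes sizeof(char *) bytes into the canary while a fixed one refuses with ERANGE. It only tests the glibc the binary is dynamically linked against; statically linked copies need their own run.

```c
/* Regression check for GHOST (CVE-2015-0235) in the dynamically linked
 * glibc. Added example; reimplements the canary idea from the Qualys
 * advisory's test program, it is not that program verbatim.
 *
 * gethostbyname_r() takes a caller-supplied result buffer. A purely
 * numeric host name (all '0's) is handled in __nss_hostname_digits_dots(),
 * which in vulnerable versions undercounted the space it needed by
 * sizeof(char *). Size the name so the buffer looks "just big enough"
 * to the buggy arithmetic: a vulnerable glibc then copies past the end
 * of our buffer into the canary; a fixed glibc returns ERANGE instead. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Buffer handed to gethostbyname_r(), immediately followed by a canary
 * that must stay intact. One struct keeps them adjacent in memory. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if this glibc is vulnerable (canary overwritten),
 * 0 if it is patched (lookup refused with ERANGE),
 * -1 if the libc took another path (e.g. rejected the name before the
 *    size check), which makes the result inconclusive. */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* Re-arm the canary so the check can be run repeatedly. */
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* Length chosen so that the buggy size computation (16-byte address
     * + two address pointers + NUL, with no room counted for the alias
     * pointer) believes the 1024-byte buffer is exactly large enough. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;   /* bytes landed past the buffer: vulnerable */
    if (retval == ERANGE)
        return 0;   /* fixed glibc noticed the buffer is too small */
    return -1;      /* inconclusive on this libc */
}

int main(void)
{
    switch (ghost_check()) {
    case 1:  puts("vulnerable");     return 2;
    case 0:  puts("not vulnerable"); return 0;
    default: puts("inconclusive");   return 1;
    }
}
```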
It’s a Vulnerability-of-Things. A year after Heartbleed, over 200,000 web servers are still vulnerable to it. That’s because they aren’t traditional web-servers, but web interfaces built into devices and appliances — “things”. In the Internet-of-Things (IoT), things tend not to be patched, and will remain vulnerable for years.
This bug doesn’t bypass ASLR or NX. Qualys was able to exploit this bug in Exim, despite ASLR and NX. This is a property of Exim, not GHOST. Somewhere in Exim is the ability to run an arbitrary command-line string. That’s the code being executed, not the native x86 code you’d expect from a typical buffer overflow, so the NX bit doesn’t apply. This vuln reaches the strings Exim produces in response, so the hacker can find where the “run” command is, thus defeating ASLR.
Some pages worth bookmarking:
I’ll add more here eventually as I come across them.
SANS Internet Storm Center, InfoCON: green: GHOST glibc gethostbyname() Vulnerability: https://www.youtube.com/watch?v=218JiCBpUTM, (Wed, Jan 28th)
SANS Internet Storm Center, InfoCON: green: ISC StormCast for Wednesday, January 28th 2015 http://isc.sans.edu/podcastdetail.html?id=4331, (Wed, Jan 28th)
It’s time once again to update my Value of a Hacked Email Account graphic: According to a recent alert from the FBI, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employees have their email accounts hijacked.
Federal investigators say the so-called “business email compromise” (BEC) swindle is a sophisticated and increasingly common scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.
According to new data from the Internet Crime Complaint Center (IC3) — a partnership between the National White Collar Crime Center and the FBI — the victims of BEC scams range from small to large businesses that may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals.
One variation on the BEC scam, also known as “CEO fraud,” starts with the email account compromise for high-level business executives (CFO, CTO, etc). Posing as the executive, the fraudster sends a request for a wire transfer from the compromised account to a second employee within the company who is normally responsible for processing these requests.
“The requests for wire transfers are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request,” the agency warned. “In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank ‘X’ for reason ‘Y.’”
The IC3 notes that the fraudsters perpetrating these scams do their homework before targeting a business and its employees, monitoring and studying their selected victims prior to initiating the fraud.
“Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed,” the IC3 alert warns. “The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc).”
The advisory urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.
For more info on how to rethink the security of your inbox, check out this post.
Being monitored online is a reality largely acknowledged by millions of file-sharers worldwide. Countless rightsholders, anti-piracy outfits, analytics companies and other interested parties crawl BitTorrent and other P2P networks every day, spying on downloads and gathering data.
While the public nature of these networks is perfect for those looking to eavesdrop, individuals who use file-hosting sites are often under the impression that their transfers cannot be monitored by third parties since transactions take place privately from user to site via HTTP.
That assumption has today been blown completely out of the water amid revelations that Canada’s top electronic surveillance agency has been spying on millions of downloads from more than 100 file-sharing sites.
Led by the Communications Security Establishment (CSE), Canada’s equivalent of the NSA, and codenamed LEVITATION, the project unveils widespread Internet surveillance carried out by Canadian authorities.
A document obtained by U.S. whistleblower Edward Snowden and released to CBC News shows that in an effort to track down extremists the spy agency monitors up to 15 million downloads carried out by users around the world every day.
According to the 2012 document, 102 file-sharing platforms were monitored by CSE. Just three were named – RapidShare, SendSpace, and the now defunct Megaupload. None of the sites were required to cooperate with the Canadian government since CSE had its own special capabilities.
“A separate secret CSE operation codenamed ATOMIC BANJO obtains the data directly from internet cables that it has tapped into, and the agency then sifts out the unique IP address of each computer that downloaded files from the targeted websites,” The Intercept‘s analysis of the document notes.
Once harvested those IP addresses are cross-referenced with vast amounts of additional data already intercepted by the United States’ NSA and its British counterpart GCHQ. Subsequent searches have the ability to show a list of other websites visited by those downloading from file-hosting sites.
Further associations can then be made with Facebook or Google accounts (via Google analytics cookies) which have the potential to link to names, addresses and other personal details. It’s a potent mix but one apparently designed to weed out just a small number of files from millions of daily events.
According to the LEVITATION documents the system has the ability to track downloads in countries across Europe, the Middle East, North Africa and North America.
Under law, CSE isn’t allowed to spy on Canadians, but IP addresses belonging to a web server in Montreal appeared in a list of “suspicious” downloads. Also monitored by CSE were downloads carried out by citizens located in closely allied countries including the U.S., UK, Germany and Spain.
“CSE is clearly mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism,” CSE spokesman Andrew McLaughlin told CBC.
While it may be of comfort for Canadians to learn that the government is only interested in a small number of files being exchanged outside the country’s borders, mass surveillance of this kind always has the potential to unnerve when mission-creep raises its head.
Here is the most rubbery review presenter we’ve ever met. Bryan Lunduke is here to show you how even a complete beginner whose hands are made from foam can build a games console from scratch, using a Raspberry Pi.
A tip, Bryan. I know you do not have hands that work (or, presumably, fingernails); but you’ll find that Pibow you’re using looks EVEN BETTER if you peel the backing paper off each layer!
I missed this paper when it was first published in 2012:
“Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks”
Abstract: Cryptographic systems often rely on the secrecy of cryptographic keys given to users. Many schemes, however, cannot resist coercion attacks where the user is forcibly asked by an attacker to reveal the key. These attacks, known as rubber hose cryptanalysis, are often the easiest way to defeat cryptography. We present a defense against coercion attacks using the concept of implicit learning from cognitive psychology. Implicit learning refers to learning of patterns without any conscious knowledge of the learned pattern. We use a carefully crafted computer game to plant a secret password in the participant’s brain without the participant having any conscious knowledge of the trained password. While the planted secret can be used for authentication, the participant cannot be coerced into revealing it since he or she has no conscious knowledge of it. We performed a number of user studies using Amazon’s Mechanical Turk to verify that participants can successfully re-authenticate over time and that they are unable to reconstruct or even recognize short fragments of the planted secret.
Taking “infringing” apps out of popular app stores is one of Hollywood’s key anti-piracy priorities for the years to come.
Various copyright holder groups frequently report “piracy-enabling” apps to Apple, Google, Microsoft and Amazon, alongside requests for the stores to take them offline.
The stores themselves also screen for potentially problematic software. Apple, for example, has notoriously banned all BitTorrent related apps.
This week, Amazon is following in Apple’s footsteps by banning one of the most used BitTorrent clients from its store. The Android version of FrostWire had been listed for well over a year but Amazon recently had a change of heart.
FrostWire developer Angel Leon tells TF that the app was removed without prior warning. When he asked the company for additional details, he was told that Amazon sees his app as a pirate tool.
“In reviewing your app, we determined that it can be used to facilitate the piracy or illegal download of content. Any facilitation of piracy or illegal downloads is not allowed in our program,” Amazon’s support team writes.
Leon was baffled by the response. FrostWire had been a member of the Developer Select program for over a year and always made sure to avoid any links to piracy. On the contrary, FrostWire was actively promoting Creative Commons downloads and other legal content.
“We have never promoted illegal file sharing, we actually promote creative commons downloads, and free legal downloads from soundcloud, archive.org. The app is also a full blown music player, but none of this probably counts,” Leon tells us.
“Web browsers and email clients are still there, programs that also fall in the category of being ‘used to facilitate the piracy or illegal download of content’,” he adds, pointing out the arbitrary decision.
While it’s not clear why Amazon changed its stance towards FrostWire, it wouldn’t be a surprise if pressure from copyright holders played a role.
FrostWire’s developer believes that the mobile developer industry may have to come up with a less censorship-prone store in the future. There’s a need for a decentralized app store that secures the interests of both iOS and Android developers.
For now, Leon hopes that other stores will be less eager to pull the plug on perfectly legal apps. While it may seem to be a small decision for the stores, having a popular app removed can ruin a developer’s entire business.
The beauty of FrostWire and other BitTorrent clients is that they offer the freedom to share files with people from all over the world without being censored. Restricting access to apps that make this possible will harm society, Leon believes.
“This is a freedom which eventually protects society from the likes of totalitarian governments, something some of us at FrostWire have lived first hand in Latin America, something that forced me and so many Venezuelans to leave our countries and start again from scratch in the US,” Leon concludes.
Despite being banned from Amazon’s store, Kindle users will still be able to get updates via the FrostWire website. A special installer for Kindle will be available soon.
Now replaced more and more by forums, social networks, or mailing lists, IRC was once the method of communication of the web. And if it stands today as the last bastion of hackers and bearded Linux users, it remains one of the fastest and most specific channels of communication. If you have a technical difficulty, […]
SANS Internet Storm Center, InfoCON: green: VMware Security Advisories – 1 New, 1 Updated, (Wed, Jan 28th)
VMware has released a new and an updated security advisory today. The two security advisories, listed below, address numerous vulnerabilities in the VMware platform. For information regarding the impacted versions, affected components, and related CVEs, refer to the new advisory and the updated advisory. tony d0t carothers –gmail
Ars Technica has a report on GHOST, which is a critical vulnerability found in the GNU C library (glibc).
“The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that’s invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections.” While the proof-of-concept used Exim, a wide variety of client and server programs call gethostbyname*(), often at the behest of a remote system (or attacker). Distributions have started putting out updates; users and administrators should plan on updating as soon as possible.
This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company
The Backblaze blog recently went through a lot of changes. We moved our service to the most up-to-date version of WordPress. We changed the design. We changed the layout. We added categories (Cloud Storage, Entrepreneurship, Backing Up, and Backblaze Bits) so that it would be easier to get to the types of articles that you wanted to read. Also, it was time for the blog to look more pretty!
Another big change was the date scheme on our blog. We got rid of it. Why? As the Marketing team started to focus more on generating good content for our followers and fans to read, we decided that it was time to make our blog posts more “evergreen”. Additionally, in our old blog environment the date was included in the URL, which was bad for web search results. Yes, we had delved into the deep, dark arts of SEO (search engine optimization).
The problems started when we would have to go back in time and look for a specific blog post that occurred on a very specific date. For example, if you go to Google and ask it to find you the articles about the Backblaze Storage Pods, it’ll give you a list of 4 blog posts on the topic. Unfortunately though, you wouldn’t know which ones are the most recent, as there are no dates associated with them in Google. We also had problems trying to find other articles, for example the ones about hard drive stats. We would search for them in Google and we’d get a lot of answers, though we wouldn’t know chronologically, which ones were the more timely ones. This led to great internal debates between the practical value and the SEO value of our blog.
This internal debate came to a head last week when we were featured as a top story on Hacker News, where we achieved as high as the 4th rank. While we were thrilled to get that much attention from some key individuals and knowledgeable folks, the main question and indeed the highest rated one was not about the hard drive stats that we produced, but was about the dates missing from our blog. A fine example by user mmastrac:
“Always love reading HDD reliability stats from Backblaze — but this demonstrates one of the reasons why post dating is so important, especially when the information in the post is time-sensitive. Nowhere on the page does it say that the post date is today, unless you click the “latest posts” tab by the author below.
I had originally thought it was a repost of the many older articles from Backblaze until seeing a reference to Dec 31 2014. While not terribly ambiguous now, the ambiguity will only grow as the year marches on.
If someone from Backblaze happens to see this: you don’t need to put it in your URL, but please date your post near the top or bottom of the text.”
In my initial response I walked the party line:
“Yev from Backblaze here -> it’s an internal debate as to whether we should put dates on everything. It used to be that they were part of the URL (because of the way our blog was designed) but that is no longer the case. We decided to leave them off for a while to see if that made posts more “evergreen”, but we definitely see where it can lead to some confusion. We’ll keep chatting about it internally, there’s likely a good middle-ground.”
The reaction to me jumping into the stream was lukewarm at best:
“Date of information is one of the most important contexts in IT. I can’t count the times somebody has said “This says this and that about such and such”, and I have to say “Yeah bro, when was that written? Oh, three years ago? What’s the story now?”.”
I waited for my marketing companions to get to the office and then called for an emergency meeting of the minds. While the SEO value of having the blog posts go undated was good, we decided that it was time to overrule our SEO overlords and bring the blog back to the people. We quickly made the change and I made the following announcement:
“BREAKING NEWS -> There are now dates on all of the individual blog posts. The landing page is “date-free” but is in chronological order, if you open a post, the date will be below the title…AS NATURE INTENDED!”
This was met with thunderous applause:
“That’s amazing – I’m reading the post right now (as in, 11:28 AM pacific)- and I switched back to the tab, and it doesn’t show the date. But I opened it less than 10 minutes ago. They couldn’t have changed it that real time could they. Hit Refresh. Lo and behold – there is the date.
Now that’s an agile organization. Thanks very much – I really appreciate the date on these posts as well.”
For a comparison, when I wrote my initial response about having meetings and pondering about the change, that comment got 29 upvotes. However, when we made the change and I announced it, that got a full 41. Now that’s some real-time customer appreciation!
We try to move quickly and make the right decisions; unfortunately, that doesn’t always work out, and we have to be willing to roll back, especially when we’ve accidentally made the user experience worse. Our blogs are written for our fans after all, and if they aren’t happy with them, we’re not happy with them. We hope you enjoy having the dates back, and I personally appreciate everyone in the Hacker News comments for helping me win an argument!
The post The Great Date Debate appeared first on Backblaze Blog | The Life of a Cloud Backup Company.
SANS Internet Storm Center, InfoCON: green: Apple Security Updates 27 JAN 2015 for OS X, Safari, iOS, and Apple TV – http://support.apple.com/en-us/HT1222, (Tue, Jan 27th)
SANS Internet Storm Center, InfoCON: green: New Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST), (Tue, Jan 27th)
Qualys discovered a critical buffer overflow in the gethostbyname() and gethostbyname2() functions in glibc. According to the announcement by Qualys, they were able to create an in-house exploit that will execute arbitrary code via the Exim mail server. glibc before version 2.18 (released in August) is vulnerable. You can quickly check your glibc version by using ldd --version. What should you do: apply the update as soon as a patch is offered by your Linux/Unix distribution. Some Windows software (and of course OS X) uses glibc as well and may be vulnerable. Developers should use the getaddrinfo() function, not gethostbyname(). Further reading: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems – Michael Mimoso, Threatpost.