Die wunderbare Welt von Isotopp
Militant capitalist attacked German soccer bus
The bomb attack on the bus of the German soccer club BVB has been solved. The attacker was not an Islamist extremist, as the fake letters found on site suggested. Nor were they Neo-Nazis, as the fake letters sent to two German newspapers claimed. The perpetrator was instead a militant capitalist who tried to move the BVB stock price after he had purchased 15k put options on BVB stock. An English-language article with background can be found at the BBC. It is unclear whether German legislators will now call for a ban on radical capitalist education camps at German universities, or what kind of extreme vetting will be instituted to handle the problem.
Understanding sysdig
The open source sysdig is a piece of software that does almost, but not quite, what strace or oprofile do: it instruments the kernel and traces system calls as well as a few other kernel activities.
Youtube: Sysdig Open Source - Getting Started With Csysdig
It does not use the ptrace(2) kernel facility, though, but its own interface: a kernel component (a loadable module) picks up the data inside the kernel and writes it into a ring buffer, and a userspace component extracts that data, interprets, filters and formats it, and then displays it.
node.js's idea of an inode is approximately broken
The tweet points to the bug report. After the facepalming there is still a lot to say about that.
About the bug:
There is a system call, stat(2), in POSIX, which returns a struct stat as its result. Part of that data structure is the field st_ino, which contains the inode number of the file. Together with st_dev, that number uniquely identifies a file on a system, and it is a 64-bit bit pattern. JavaScript has no integer type that can represent such a number, so node.js has been converting it to a float (an IEEE-754 double), which represents integers exactly only up to 53 bits. Any inode number above 2^53 is silently rounded, so two different files can end up reporting the same st_ino in JavaScript.
Curlbash, and Desktop Containers
I was having two independent discussions recently, both of which started with some traditional Unix person condemning installing software with curlbash (curl https://... | bash), or even curl | sudo bash.
I do not really think this is much more dangerous anymore than installing random rpm or dpkg packages, especially if those packages are unsigned, or if the signing key gets installed just before the package (in which case the signature proves nothing that the download itself did not already prove).
The threat model really has become a different one in the last few years, and the security mechanisms have had to change as well. And they have: UIDs have become much less important, desktop containers and sandboxes have become much more important, and segregation now happens at a much finer granularity (the app level) instead of at the user level.
Apostrophiser
The Telegraph had an article on a self-styled ‘grammar vigilante’, who corrects badly punctuated shop signs in the dead of night, and the article is not dated April 1st.
[…] the man has corrected tens of missing and misplaced apostrophes on shop banners across Bristol over the past 13 years. The pedant, who is yet to reveal his identity, claims his efforts are needed to bring an end to the improper use of English.
Strong weak ties
A long time ago, I wrote a text on the German Blog and on Carta: Wieso wir uns veröffentlichen (Why we publish ourselves).
In the middle of a discussion about privacy I was explaining why people publish themselves, why they publicly reveal (sometimes intimate) facts about themselves. They are doing this, I wrote, to find other like-minded people, to become searchable and approachable, to build trust. Trust is a wonderful thing. It is the powerful assumption that most people most of the time want to help you, and that mistakenly extending trust to someone is a recoverable mistake. Having trust and being in a trustworthy environment keeps transaction costs low and makes cooperation possible.
The Interview in the Enterprise
See also Why I Don’t Talk to Google Recruiters .
Where I work we have regular round tables, in which you can talk to and ask questions of middle managers from departments other than your own. I had the opportunity to talk to a person who manages development priorities and staffs teams, and who of course has some insight into hiring and the interview process. That was very enlightening.
For example, finding people to hire in a large organisation is a hard job. The yield of the hiring funnel is fairly fixed, so in order to find people to hire you need to go through a correspondingly fixed, larger number of resume reviews, phone screens and face-to-face interviews. Assume that for every three people you hire you need to sift through 100 resumes: that is 10,000 resumes to look at for 300 hires. And it cannot be automated.
Electric car confusion
Autoblog's headline: The race for autonomous cars is over. Silicon Valley lost. The point they want to make is:
To paraphrase Elon Musk, Silicon Valley is learning that “Making rockets is hard, but making cars is really hard.” People outside of the auto industry tend to have a shallow understanding of how complex the business really is. They think all you have to do is design a car and start making it. But most startups never make it past the concept car stage because the move to mass production proves too daunting.
10 reasons not to do HTTPS interception
Marnix Dekker has an article on HTTPS interception as it is practised in some workplaces. He lists:
- Are you serious? We worked so hard to make the web more secure and you are fucking it up.
- HSTS, you are breaking it.
- Blinds the browser and the user, because you re-encrypt with wildcard certs.
- Disrupts personal use.
- Breaks pinning and CT.
- Breaks with consumerization.
- Disrupts BYOD.
- Discourages good user practices.
- Limited benefits.
- and finally: Hard shell, soft inside is not going to work.
Malvertising - we have only seen the beginning
Netzpolitik.org has an article (in German) in which they interview IT security consultant Thorsten Schröder on adblockers, wasted capped mobile bandwidth and malvertising.
netzpolitik.org: Besides protection from malware, which other reasons for using adblockers do you consider important?
Thorsten Schröder: If we classify as malware everything that spies on, deceives, compromises or financially harms users, we have basically already ticked off a whole series of reasons. Users must have the possibility to decide for themselves what level of protection their computer gets. Has the federal government perhaps ever asked the Bundesamt für Sicherheit in der Informationstechnik (BSI)? It would be a good opportunity for the BSI to show what it is capable of.