View on GitHub

Quorten Blog 1

First blog for all Quorten's blog-like writings

More info on virtual machines, kernel same-page merging, row hammer, and Google Project Zero

quorten

2018-12-05

Categories: random-software   security  
Tags: random-software   security  

Virtual machines. Oh, sure, some types of virtualization have become massively popular, whereas most remain relatively obscure. What does Wikipedia have to say on this?

20181204/https://en.wikipedia.org/wiki/Virtual_machine

So, related to the popular form of virtualization. Kernel same-page merging (KSM), this is interesting. Purportedly Red Hat ran 52 virtual instances of Windows XP with 1 GB of memory via KSM. Alas, there’s going to be a big problem if changes in the OS workload mean that all OSes will need all of their requested memory.

20181204/https://en.wikipedia.org/wiki/Kernel_same-page_merging

Row hammer? Now, this is interesting. Early on in the history of DRAM, memory corruption caused by specific access patterns was a recognized issue, and memory vendors worked to mitigate it. However, market demands for highly dense memory in recent years have caused a counter-trend for this issue to start cropping up once again. But, this time through, we have a much bigger software development world at hand compared to the hardware world, and security researchers got to work to see how they could turn this hardware issue into a security vulnerability. Then they published an official academic-style research paper on the subject. Now, the ongoing challenge in mitigating this issue revolves around the energy consumption of the mitigation technique. The motivations on how modern DRAM evolved to be vulnerable are obvious: higher density, lower heat dissipation, lower energy consumption, lower cost. So, it took a while longer for mitigations to come back this time through, but for newer architectures and DRAM modules, they are now available, so the row hammer issue is a non-issue on the right hardware.

20181204/https://en.wikipedia.org/wiki/Row_hammer

Wow, and they’ve made yet another mention of Google Project Zero. Again, I reiterate, because this is important! So, why the name Project Zero? The name Project Zero was chosen because the task was to find a number of zero-day vulnerabilities. Also, the original motivation for Project Zero came in light of the Heartbleed vulnerability.

20181204/https://en.wikipedia.org/wiki/Project_Zero

Interesting and unfortunate that the process of plugging security vulnerabilities must follow this route. First of all, third parties must make a big deal about them by developing working exploits, publishing them, and describing their effects, then we can see the originating companies getting to work at fixing these. Sometimes the process is slighly modified to notify the originators first before the wider publication, but generally speaking, the de facto process that must be obeyed to get any progress is to develop working exploits, not simply warn about the existence of such vulnerabilities that must be fixed.

Kubernetes's first major security vulnerability, and SplitSpectre

quorten

2018-12-04

Categories: kubernetes   security  
Tags: kubernetes   security  

Security! Kubernetes first major vulnerability discovered. This is a vulnerability that is curiously pervasive, easy to exploit, leaves virtually no discernable trace, and the only solution is fix it is to upgrade. The other mitigations have caveats that outweigh their benefits. A crafted discovery API call can be used to get direct access to the internal highly privileged server processes, can happen through any user, and over regular authentication.

20181204/https://www.zdnet.com/google-amp/article/kubernetes-first-major-security-hole-discovered/

Oh, SplitSpectre, a more powerful variant of the Spectre attack, one that can be exercised using commodity computer configurations.

20181204/https://www.zdnet.com/article/researchers-discover-splitspectre-a-new-spectre-like-cpu-attack/

Least concern endangerment status, extinction, great Pacific garbage patch

quorten

2018-12-03

Categories: random  
Tags: random  

“Least concern.” Does Wikipedia have an article on that? Indeed, it does. It’s part of the IUCN Red List. Interestingly, the IUCN Red List has a formal study of the endangerment status of humans. It’s pretty interesting to see some of the environmental living parameters of humans lined up with animals. Particularly, humans can’t habitate swamp areas very well.

20181203/https://en.wikipedia.org/wiki/Least-concern_species 20181203/https://en.wikipedia.org/wiki/IUCN_Red_List 20181203/https://en.wikipedia.org/wiki/Extinction 20181203/https://en.wikipedia.org/wiki/Holocene_extinction#Defaunation 20181203/https://www.iucnredlist.org/species/136584/4313662

Great Pacific garbage patch? Now, this is interesting. Although the plastic garbage patch covers a large area, most of the garbage is not visible to the eye. Most of the contents are microplastics. The original plastics photodegraded from sun exposure, so they therefore slowly broke down into smaller and smaller pieces of plastic. Also, note that there is more than one such garbage patch, but one of them is the biggest, of course.

20181203/https://en.wikipedia.org/wiki/Great_Pacific_garbage_patch

Indeed, if you look at this picture of plastic garbage waste, you can see that most of the contents are indeed some sort of food container of a sort.

20181203/https://en.wikipedia.org/wiki/File:Litter_on_Singapore%27s_East_Coast_Park.jpg
20181203/https://upload.wikimedia.org/wikipedia/commons/b/bd/Litter_on_Singapore%27s_East_Coast_Park.jpg

GPIO pin distance

quorten

2018-12-01

Categories: raspberry-pi  
Tags: raspberry-pi  

What is the pin spacing distance on the Raspberry Pi Zero GPIO pin header? Well, let’s see. First of all, we know it must be the same pin pitch as is used on the other conventional Raspberry Pi modules.

Second, let me try to measure it myself. From first glace, it looks like it must be 3 mm.

Okay, now let’s try searching for official numbers. Oh, close guess, but not quite. Actually, the pin pitch is 0.1 inch = 2.54 mm.

20181201/DuckDuckGo raspberry pi zero pin spacing
20181201/https://raspberrypi.stackexchange.com/questions/7452/what-is-the-pin-distance-of-gpio

Thermal mass

quorten

2018-12-01

Categories: home-network  
Tags: home-network  

Now, I’ve heard of thermal mass before, most memorably in relation to cold weather shooting with a DSLR camera, but what does Wikipedia have to say about this? I haven’t read about it in detail. Oh, wow, quite a number of interesting things. So, thermal mass is also termed thermal capacitance. Insulation inhibits thermal conductivity. Thermal mass is great for isolating a building from fluctuating external temperatures. Concrete and earth are great sources for thermal mass. Therefore, an insulated concrete slab at the base of a building can significantly improve its thermal efficiency and dynamics. Water, of course, is another great source for thermal mass, since it has a very high specific heat. That being said, the human occupants of a building are also a great contributor to a building’s thermal mass.

20181130/https://en.wikipedia.org/wiki/Thermal_mass

ATmega microcontrollers

quorten

2018-11-30

Categories: raspberry-pi  
Tags: raspberry-pi  

If you only need a simple microcontroller, ATmega is a good choice. It was made popular by its inclusion in many lines of Arduino development boards, so I am told. Part of the larger AVR series of microcontrollers.

20181130/https://en.wikipedia.org/wiki/AVR_microcontrollers#Basic_families

Diode as a cheap temperature sensor

quorten

2018-11-29

Categories: raspberry-pi  
Tags: raspberry-pi  

Suppose you want to design a whole large matrix of temperature sensors to sense multiple points in an entire room. You should be able to do this with diodes, correct? I do remember reading that a laser diode’s performance is dependent on its temperature. Cooler diodes require more energy to pump the same light output.

So, now let’s go searching. How do you setup a diode as a temperature sensor? Ah, yes, you use the variable reverse bias effect of a diode to sense the temperature within 5 degrees Celcius or so. Given that it’s not real good accuracy, well it might not make as much sense as you thought to use a large array of cheap temperature sensors in a room. Maybe one expensive temperature sensor would be just as effective. Even half a degree Celcius, which roughly corresponds to one degree Fahrenheit, isn’t all that good for accuracy either.

20181128/DuckDuckGo diode temperature sensor
20181128/https://www.arrow.com/en/research-and-events/articles/using-a-simple-diode-as-a-ballpark-temperature-sensor
20181128/https://en.wikipedia.org/wiki/Hysteresis

Wait, so this sensor IC can measure both temperature and humidity? Oh, apparently what happened here is that the Arrow website classified it under “temperature and humidity sensors,” but really it’s only good for temperature measurements.

20181128/https://www.arrow.com/en/products/lm95235cimmnopb/texas-instruments
20181128/DuckDuckGo LM95235CIMM/NOPB datasheet
20181128/https://www.ti.com/store/ti/en/p/product?p=LM95235CIMM/NOPB
20181128/http://www.ti.com/lit/ds/symlink/lm95235.pdf

Background information on humidity

quorten

2018-11-28

Categories: raspberry-pi  
Tags: raspberry-pi  

So, you’re wondering about humidity sensors? Well, let’s start by going to Wikipedia to get some background information on relative humidity. Ah, interesting, the article mentions that a device for measuring humidity is called a hygrometer. And indeed, the mechanisms of a hygrometer are very similar to some of your suspected ideas. One method may involve measuring the rate of static electricity dissipation, other methods involve measuring capacitance or resistance.

20181129/https://en.wikipedia.org/wiki/Relative_humidity
20181129/https://en.wikipedia.org/wiki/Hygrometer

Solving some Golang package management troubles

quorten

2018-11-28

Categories: golang  
Tags: golang  

Having trouble with Golang package management? Do you use go build or go get? Well, if you follow Golang through the weeds, generally you can use either. If you’re having some of the trouble with dependency management that I have had, use at least version 1.11 of Golang and try enabling setting GO111MODULE=on. The vgoget repository I linked may be helpful, but it is not necessary.

20181128/https://github.com/matcornic/hermes/pull/30/files
20181128/https://github.com/matcornic/hermes/issues/33
20180118/https://gist.github.com/rogpeppe/7de05eef4dd774056e9cf175d8e6a168
20181128/https://github.com/golang/go/wiki/Modules#why-does-installing-a-tool-via-go-get-fail-with-error-cannot-find-main-module

Pretty print XML on the command line

quorten

2018-11-28

Categories: random-software   reiterate   important  
Tags: random-software   reiterate   important  

Important! Again, I reiterate, because this is important!

How do you pretty print indent and format XML? Yeah, I remember I searched for this, but then I dropped it thinking it was just too obvious. But then I realize I had to search for it again. So, I will take a note of it too. It’s easy to do from a GNU/Linux command line if you have libxml tools installed.

xmllint --format file.xml

20181127/https://stackoverflow.com/questions/16090869/how-to-pretty-print-xml-from-the-command-line