Code push imminent!

Apr. 30th, 2017 08:48 pm
karzilla: a green fist above the word SMASH! (Default)
[staff profile] karzilla posting in [site community profile] dw_maintenance

We're about to pull the lever on tonight's code push! Many of the changes we are making to the site are under-the-hood improvements, but these are the ones you are more likely to notice:

  • New account setting option for RP accounts, for future feature development.
  • Many more sites upgraded to use HTTPS links instead of relying on our SSL proxy.
  • Moved the Manage Icons page to /manage/icons and modernized the underlying code.
  • Increased the size limit for icon descriptions from 120 to 300 characters.
  • Various requested fixes for the image upload/management pages.
  • Improved processing of emailed entries for changes to entry security.
  • Improved processing of emailed comments for removal of quoted text.
  • Reading page with date filter now has previous / next day links.
  • Banned users hidden by default on the Manage Circle page.
  • Most importer failure messages will now include the name of the journal being imported, for the benefit of users running multiple imports.
  • People who read the RSS/Atom feed of your journal will see correct entry links and embedded content.
  • Whitelist embeds from:,,
  • New <user> tag sites:,,,
  • New "other site" fields on user profiles: Imzy, Instagram

Once the code push starts, you may notice that the site is slow to respond, but it should remain available to use unless something goes badly wrong.

I'll update this post when the code push is finished. Stay tuned!

Update: All done! Let us know if anything seems more wrong than usual!


Apr. 30th, 2017 01:41 pm
ceb: (Default)
[personal profile] ceb posting in [community profile] qec
* bit of unpacking
* tidied old stuff out of near fridge
* washing
* washed cake box
* set up filing system
* filed paperwork from post tray
* old boxes to bin

* map thoughts
[personal profile] mjg59
Another in the series of looking at the security of IoT type objects. This time I've gone for the Arlo network connected cameras produced by Netgear, specifically the stock Arlo base system with a single camera. The base station is based on a Broadcom 5358 SoC with an 802.11n radio, along with a single Broadcom gigabit ethernet interface. Other than it only having a single ethernet port, this looks pretty much like a standard Netgear router. There's a convenient unpopulated header on the board that turns out to be a serial console, so getting a shell is only a few minutes work.

Normal setup is straightforward. You plug the base station into a router, wait for all the lights to come on and then you visit and follow the setup instructions - by this point the base station has connected to Netgear's cloud service and you're just associating it to your account. Security here is straightforward: you need to be coming from the same IP address as the Arlo. For most home users with NAT this works fine. I sat frustrated as it repeatedly failed to find any devices, before finally moving everything behind a backup router (my main network isn't NATted) for initial setup. Once you and the Arlo are on the same IP address, the site shows you the base station's serial number for confirmation and then you attach it to your account. Next step is adding cameras. Each base station is broadcasting an 802.11 network on the 2.4GHz spectrum. You connect a camera by pressing the sync button on the base station and then the sync button on the camera. The camera associates with the base station via WDS and now you're up and running.

This is the point where I get bored and stop following instructions, but if you're using a desktop browser (rather than using the mobile app) you appear to need Flash in order to actually see any of the camera footage. Bleah.

But back to the device itself. The first thing I traced was the initial device association. What I found was that once the device is associated with an account, it can't be attached to another account. This is good - I can't simply request that devices be rebound to my account from someone else's. Further, while the serial number is displayed to the user to disambiguate between devices, it doesn't seem to be what's used internally. Tracing the logon traffic from the base station shows it sending a long random device ID along with an authentication token. If you perform a factory reset, these values are regenerated. The device to account mapping seems to be based on this random device ID, which means that once the device is reset and bound to another account there's no way for the initial account owner to regain access (other than resetting it again and binding it back to their account). This is far better than many devices I've looked at.

Performing a factory reset also changes the WPA PSK for the camera network. Newsky Security discovered that doing so originally reset it to 12345678, which is, uh, suboptimal? That's been fixed in newer firmware, along with their discovery that the original random password choice was not terribly random.

All communication from the base station to the cloud seems to be over SSL, and everything validates certificates properly. This also seems to be true for client communication with the cloud service - camera footage is streamed back over port 443 as well.

Most of the functionality of the base station is provided by two daemons, xagent and vzdaemon. xagent appears to be responsible for registering the device with the cloud service, while vzdaemon handles the camera side of things (including motion detection). All of this is running as root, so in the event of any kind of vulnerability the entire platform is owned. For such a single purpose device this isn't really a big deal (the only sensitive data it has is the camera feed - if someone has access to that then root doesn't really buy them anything else). They're statically linked and stripped so I couldn't be bothered spending any significant amount of time digging into them. In any case, they don't expose any remotely accessible ports and only connect to services with verified SSL certificates. They're probably not a big risk.

Other than the dependence on Flash, there's nothing immediately concerning here. What is a little worrying is a family of daemons running on the device and listening to various high numbered UDP ports. These appear to be provided by Broadcom and a standard part of all their router platforms - they're intended for handling various bits of wireless authentication. It's not clear why they're listening on rather than, and it's not obvious whether they're vulnerable (they mostly appear to receive packets from the driver itself, process them and then stick packets back into the kernel so who knows what's actually going on), but since you can't set one of these devices up in the first place without it being behind a NAT gateway it's unlikely to be of real concern to most users. On the other hand, the same daemons seem to be present on several Broadcom-based router platforms where they may end up being visible to the outside world. That's probably investigation for another day, though.

Overall: pretty solid, frustrating to set up if your network doesn't match their expectations, wouldn't have grave concerns over having it on an appropriately firewalled network.
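A toy model of the association flow described above, added here as an illustration (it is not Netgear's code and not from the post): the setup client must share the base station's public IP, a device binds to exactly one account until reset, and a factory reset regenerates the random device ID and token so earlier bindings go stale. All class and method names, and the constructed IPs and serial, are assumptions.

```python
"""Constructed model of the Arlo binding behaviour reported in the post.

Names and structure are hypothetical; only the three observed properties
(same-IP discovery, first-binder-wins, reset regenerates identity) are
taken from the write-up.
"""
import secrets


class BaseStation:
    """Stand-in for the base station; only its identity material matters."""

    def __init__(self, serial):
        self.serial = serial  # printed on the unit, shown to the user for confirmation
        self.factory_reset()

    def factory_reset(self):
        # The post observes that both values are regenerated on a factory reset.
        self.device_id = secrets.token_hex(16)
        self.auth_token = secrets.token_hex(32)


class CloudModel:
    """Assumed cloud-side state keyed on the random device ID, not the serial."""

    def __init__(self):
        self.sessions = {}  # device_id -> (serial, public_ip) for logged-on stations
        self.bindings = {}  # device_id -> owning account

    def station_logon(self, station, public_ip):
        # A reset station returns with a fresh ID; drop any stale session for that serial
        # so an old binding can no longer be used to reach the live device.
        for dev, (serial, _) in list(self.sessions.items()):
            if serial == station.serial:
                del self.sessions[dev]
        self.sessions[station.device_id] = (station.serial, public_ip)

    def discover(self, client_ip):
        """Setup page: only stations behind the same public IP as the browser."""
        return [dev for dev, (_, ip) in self.sessions.items() if ip == client_ip]

    def bind(self, account, device_id, client_ip):
        if device_id not in self.discover(client_ip):
            return "not_visible"  # nothing to bind unless you share the station's IP
        if device_id in self.bindings:
            return "already_bound"  # first binder wins until the device is reset
        self.bindings[device_id] = account
        return "bound"

    def feed_allowed(self, account, device_id):
        """Can this account reach the feed of a currently logged-on station?"""
        return device_id in self.sessions and self.bindings.get(device_id) == account


def scenario():
    """Walk through setup, a rebinding attempt, and a reset; returns the outcomes."""
    cloud, bs = CloudModel(), BaseStation("SN-CONSTRUCTED-0001")
    cloud.station_logon(bs, "198.51.100.7")
    out = {
        "wrong_ip": cloud.bind("alice", bs.device_id, "203.0.113.9"),
        "owner": cloud.bind("alice", bs.device_id, "198.51.100.7"),
        "rebind": cloud.bind("mallory", bs.device_id, "198.51.100.7"),
    }
    old_id = bs.device_id
    bs.factory_reset()  # new device_id and token
    cloud.station_logon(bs, "198.51.100.7")
    out["after_reset"] = cloud.bind("bob", bs.device_id, "198.51.100.7")
    out["old_owner_stale"] = cloud.feed_allowed("alice", old_id)
    out["new_owner_live"] = cloud.feed_allowed("bob", bs.device_id)
    return out


if __name__ == "__main__":
    print(scenario())
```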

Book comments

Apr. 29th, 2017 10:45 pm
hilarita: trefoil carving (Default)
[personal profile] hilarita
There may be mild spoilers beneath cuts.

Serrano Series, Elizabeth Moon

You wanted fox-hunting, space-ships, and kickarse women? And some political manoeuvres? Excellent. They're over here, and they'd like to say hello. Please note, take these women seriously when you say hello, otherwise you may find your arse kicked.

Expanse Series, James E Corey

What can I say? It's an excellent space opera series, with some hard bio-science in there. (Also, warning for bio-horror - there are bits I have to skip past quickly because ewww.) The characters are interesting, and are getting better with the series. The first novel suffers a bit from a very male-centric point of view, but the writers quickly wised up and worked out that they had some fascinating female characters, and they've really let them have some excellent moments as the series has progressed.

Who Killed Sherlock Holmes?, Paul Cornell

If you want your fantasy to look like a hard-boiled police procedural, with all the joy leeched out of the world, go for it. I found the characters too hard-boiled to be likeable, and won't be reading more in this universe, even though the premises are generally intriguing. Suffers a little bit from being nth in a series, but that for me was a far lesser problem than the fact that I just wanted to get out of the world and stop reading asap.

Ghost Talkers, Mary Robinette Kowal

You wanted an alternate history in which Spiritualism wasn't people making shit up, didn't you? Well, Mary Robinette Kowal has provided. Although it's set against a backdrop of the First World War, it's not all doom, gloom, and mud and blood up to your elbows. Also contains spies, which I'm a bit of a sucker for.

Ninefox Gambit, Yoon Ha Lee

I really enjoyed this book. It's a strange book, quite a creepy book. But I bought it on the Friday of Eastercon, and had finished it by Monday night, despite a fully and busy con.


A Closed and Common Orbit, Becky Chambers

I loved this. It's about constructing what we mean by 'human'. And how we understand other people, and what free will means, and the characters are fascinating, and the cultures are interesting (and strange). I want to love it and hug it and call it George. I hadn't read the first book, and it read just fine for me.

Empire Games, Charles Stross

First of a new trilogy in the Merchant Princes-verse. I haven't read the previous novels, so it took a little while to get into this, but I really enjoyed it when I did. Some excellent social commentary, exploration of spy tradecraft, and some interesting situations set up. My only problem is that it's part of a series, and I'd quite like the next books now please.

Binti: Home, Nnedi Okorafor (published Jan 2017) (novella)

Amazing. Binti returns from University to visit her home. Some weird shit goes down (no further comment, because I don't want to spoil it at all). Only downside is that GODDAMMIT I WANT THE SEQUEL NOW. It ties up enough for the book to be ended reasonably, but there are many, many things where I want to know more and GODDAMMIT I WANT THE SEQUEL NOW.

Dusk or Dark or Dawn or Day, Seanan McGuire (published 2017) (novella)

Do you like American Ghosts? Do you like Seanan's writing? If either apply, I strongly recommend picking this up. I'm not a big horror fan, but this is about putting together strange clues, which is much more my thing. Evokes cornfields and big cities really well. It mentions suicide, but I in no way found this disturbing.

Forest of Memory, Mary Robinette Kowal

Well, I read it. I can remember fuck-all about it, so let this just be a record that I read it, and a reminder that I should write this shit up while I can still remember reading it.

Hooves Above the Waves, Laura Clay

Laura is a friend of mine, and I'm extremely relieved that I can recommend her short stories ;) because they're good. Hooves above the Waves is a collection of 3 stories, one about kelpies, one about superheroes, one about selkies. I thought the superhero story was the weakest, but that's partly because it belongs in its own fictional universe, and it felt like there was too much background to work comfortably with the rest of the story. The kelpie story has some nice social observation, a nice myffic feel (to reference Nanny Ogg), a good bit of creeping sinisterness, and some proper Scottish Scenery. The Scottish scenery is also on show in our selkie story, along with some history, and quite a lot of wet and sinister water. If you read short fiction, I'd give it a go.

The Burning Page, Genevieve Cogman

Libraries portals to other universes etc etc, holding back forces of chaos etc etc. Lots of intertextuality (i.e. literary references), some cool action sequences, and lust. It's not massively deep, but it passes the time.

Interim Errantry: On Ordeal: Mamvish, Diane Duane

CN: cannibalism - this is the best and most cheerful and excellent book involving cannibalism that you're ever likely to read. It's a story about how one of the minor characters in the Young Wizards series came to be a wizard. Mam'vish is an alien, and we've met her as a cheery and kind background character hitherto. This puts her front and centre as she works out her culture and morality. A+ for properly weird aliens, senzawunda, and generally awesome shit. Diane Duane is one of my favourite authors, because she loves space, and changing the world for the better.

All the Birds in the Sky, Charlie Jane Anders

"Nice video, shame about the song." Rather style over substance in some ways. It's shooting for a very big idea, mixing magic and science, but doesn't really pull it off.

CN: emotional abuse of children

Terry Pratchett, The Shepherd's Crown

sob Oh, so sad, both because of the book, and because there is no more Terry Pratchett. A man is never dead when his name is spoken, and there are many of us who will speak his name for a long time to come. The writing isn't as polished as his best books, but the themes are well handled, and it's a good send-off for the Discworld. I've read this book twice now, and I've cried or nearly so both times (this is super-rare for me), so I shall read it at home in future.

Every Heart a Doorway, Seanan McGuire

Oh god. Creepy, so good. It's a post-portal fantasy novel, full of extremely creepy people. There's a murder mystery in there (which I don't think is that good, but for me that didn't matter, because it was mostly about the characters and the setting and what happens after you leave Narnia or your equivalent). It's also excellent for its explicit representation on the page of trans and asexual characters.

Magic for Nothing, Seanan McGuire (published 2017)

One of Seanan's Incryptid novels, this one with some very cool undercover stuff, and a circus! Also, this being a novel about the Prices, it also includes knives. Very readable, with some real sibling anger in there - made me glad I was an only child, tbh. The stakes are high, but the series tends to be optimistic in outlook, so it's a fun read, despite the darker things beneath the surface.

Code tour: 2017-04-02 to 2017-04-29

Apr. 29th, 2017 03:06 pm
azurelunatic: A castle with rockets and fire cannons with the DW D on it. (Castle Dreamwidth)
[personal profile] azurelunatic posting in [site community profile] dw_dev
So we've got a code push coming up tomorrow! The code push will include stuff from mid-February until now. With one small exception, most of this is not yet live on the site. (The exception is the stuff that [staff profile] mark faithfully checked in, so the repository matches what's live in production.)

This tour covers April. It was a busy, busy month: 53 total issues resolved.
Contributors: [ profile] NightFlyer, [ profile] afuna, [ profile] kaberett, [ profile] kareila, [ profile] rahaeli, [ profile] srukle, [ profile] zorkian

[staff profile] karzilla was doing something akin to NaNoWriMo for development, and it shows!

This is [ profile] NightFlyer's first contribution! Welcome!


And unless someone sneaks in some fixes under the wire, that's it for now!

Hugo voting!

Apr. 29th, 2017 06:49 pm
rmc28: Rachel standing in front of the entrance to the London Eye pier (Default)
[personal profile] rmc28
I got the email that my ballot was open a few days ago, and I have just entered my votes-so-far into it, based on what I've already managed to read / watch / otherwise consume.  Ballots can be edited right up until the deadline, but this seems like a good way to make sure even the limited preferences I have right now get recorded.

My intention is to make brief posts about how I'm voting and what I think of the finalists, as I complete each category.  As a general rule, I pay no attention[1] to stuff by Vox Day or his publishing company Castalia House.  For this Hugos, I intend to pay no attention to Puppy nominations unless I also see buzz about them from elsewhere, so some of my Hugo posts will list five finalists, and some six, and that is why.

[1] wording deliberate: attention is probably my most limited resource and I've a lot of other things I'd rather spend it on

So far, I have managed to read all the non-Puppy finalists for Short Story and for Novelette, and while in each category I have a clear favourite, ranking the remainder is proving something of a challenge, but in a good way.


Apr. 29th, 2017 01:03 pm
ceb: (Default)
[personal profile] ceb posting in [community profile] qec
* trimmed honeysuckle
* helped H move
* picked up prescription for D
* oiled bike lock
* donated to the Russian LGBT Network (via All Out)
* donated to the ACLU
* washing
* helped B collect a filing cabinet

* emailed re spectroscopy display
* went through decisions document

* prepped booklets for posting
* drafted annual awards report
purplecat: Texture by simpleandclean (LiveJournal) (Doctor Who)
[personal profile] purplecat

Doctor Who annuals, necessarily constrained to telling very short stories aimed primarily at 10 year olds often written by people who have never seen the show, have a tendency towards the bland and a bit rubbish, occasionally enlivened with stuff that is a bit bonkers. The annuals in the late 1970s went for the bonkers end of the spectrum with enthusiasm which these days makes them far more interesting than many of the others. As a child I recall just being very bemused by both the story-telling and the artwork which seemed to bear relatively little relation to the show I loved.

I recall the above panel clearly. The Doctor has helped a group of apparently very nice men escape from a planet on which they were trapped, only for it to be revealed that once outside the special atmosphere of the planet they revert to psychotic monsters. This panel reveals them in their monstrous state (their psychosis is never actually shown to us, we are simply told they are also psychotic). The Doctor tricks them back down onto the planet by pretending to be stranded and, despite being (allegedly) psychotically evil, they return because of the debt they owe him. They are not happy to find themselves trapped once more and the Doctor (in a detail I missed as a child) weeps as he abandons them.

It's a difficult story. Even as a child I was concerned that the Doctor accepted so easily that these creatures must be evil and I do wonder if it's trying to say something about assumptions that to be ugly is the same as to be evil (a message Doctor Who occasionally strays into, much as it also has stories that assert the opposite). Given the Doctor's tears at the end I wonder if the artist also had doubts about the message the story seemed to be conveying.

All that said, it has the merit of not being remotely bland.

Encouraging News From America

Apr. 29th, 2017 09:19 am
hairyears: (Default)
[personal profile] hairyears
Here's an article from the Washington Post:

The GOP’s latest repeal effort just collapsed. The reason is simpler than you think.

Worrying, in many ways - it's a portrait of dysfunctionality and the necessity of cognitive dissonance in Congress - but the good news is clear: Obamacare is here to stay *

For all the bad news that we hear, there is this: reality can and does obtrude into 'post-truth politics' and I think that we should start to use the term 'pre-truth politics' from now on.

* I would welcome comments and additional links from readers in America: you are closer to the events, and better able to judge the veracity of your country's media.

venta: (Default)
[personal profile] venta
So yesterday, at a gig, I discovered that my last LJ post tagged "gig" was January 2016. Err... Last year was a weird one, on account of not being able to walk for much of it, but I managed more gigs than that. I think my post-fu has been weak.

So! I'm attempting to lurch back into it. Not least because I won't have the least idea what bands I've seen otherwise.

So, to Whitby to see the Goths!


Apr. 28th, 2017 11:51 pm
ceb: (Default)
[personal profile] ceb posting in [community profile] qec
* Eastercon
* BSFA awards
* snooker
* went to see Bring It On
* interview prep with X
* picked up pills
* ordered cutlery for I
* ordered present for [redacted]
* calendar faff
* posted parcel to V
* Bookatorium posts
* WGT reviews
* Leipzig faff, 2018 version (I kno rite?)

* emailed people about BSFA booklets

* lots of Worldcon stuff, assorted
* including actually sorting out the Design list
* and emailing people about shipping
* and recruiting a fan lounge organiser
* and lots of meetings at Eastercon

Currently reading: 2017

Apr. 28th, 2017 11:44 pm
ceb: (Default)
[personal profile] ceb posting in [community profile] bookatorium

And the Clarke shortlist is announced on 3rd May. Excitement!

Nick Wood - Azanian Bridges

Apr. 28th, 2017 11:43 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Nick Wood - Azanian Bridges
(BSFA shortlist)

Tricia Sullivan - Occupy Me

Apr. 28th, 2017 11:42 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Tricia Sullivan - Occupy Me
(BSFA shortlist)

Nisi Shawl - Everfair

Apr. 28th, 2017 11:40 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Nisi Shawl - Everfair
(Nebula shortlist)

Content Warning for slavery and (off-screen) mutilation in the Belgian Congo.

Ada Palmer - Too Like the Lightning

Apr. 28th, 2017 11:39 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Ada Palmer - Too Like the Lightning
(Hugo shortlist)

Cixin Liu - Death’s End

Apr. 28th, 2017 11:37 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Cixin Liu - Death’s End
(Hugo shortlist)

Yoon Ha Lee - Ninefox Gambit

Apr. 28th, 2017 11:37 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Yoon Ha Lee - Ninefox Gambit
(Hugo shortlist, Nebula shortlist)

N K Jemisin - The Obelisk Gate

Apr. 28th, 2017 11:36 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
N K Jemisin - The Obelisk Gate
(Hugo shortlist, Nebula shortlist)

Dave Hutchinson - Europe in Winter

Apr. 28th, 2017 11:35 pm
ceb: (books)
[personal profile] ceb posting in [community profile] bookatorium
Dave Hutchinson - Europe in Winter
(BSFA winner!)
