Actually, you might be surprised but something else has been going on for years.
Let's have a look at what a company like Walmart is doing. They replaced part of their infrastructure with node.js.
If you look at what they are doing: they are not replacing the backend systems, they are replacing the user-facing/HTML-generating/CSS-generating/AJAX-talking/JSON-generating/whatever-it-does parts of the system with node.js. So node.js talks to the backend systems on one side and the browser on the other side.
Walmart even has open source projects, releasing and collaborating on the code they use:
http://hapijs.com/
Let's take another example. They already made that transition earlier than Walmart. Can I say they are also a household name? Because that would be PayPal:
http://www.youtube.com/watch?v...
So now they can do frequent changes to the user-facing websites in hours, maybe even minutes, instead of the 6 week update cycle they had with Java.
These are just examples of companies, but you can see what they are doing and hopefully you can also imagine why that makes sense.
Because now the web developers deal with everything that talks to the client (browser) and the other teams create web services. It's a good separation of concerns.
Just in case you need a diagram, here is an article about it:
http://www.nczonline.net/blog/...
Then a couple of years later, this old concept of Service Oriented Architecture and the Unix-philosophy of single purpose programs was starting to be applied to this new 'cloud thing'.
They call it microservices now:
https://www.youtube.com/watch?...
You might have heard what Netflix has been doing in that space.
So the result is:
Languages are now competing with each other because you are building microservices and the protocols are pretty much standardized (HTTP, JSON, REST).
This means languages get used for what they are best suited for.
And if they don't fit, you just rewrite that microservice in another language. These code bases are very small. And the processes themselves are usually stateless.
All the data is stored in the data store.
This means you can do this 'webscale' thing with your stateless microservice, because you can start as many of them as you need. All you need to do is put a bunch of load balancers in front which disperse the requests over these other service-specific processes.
Most of the time these microservices are just a single process, a daemon. Some use Docker or other containers to deploy them. Microsoft is now building the same for Windows.
Sometimes they include a webserver like nginx.
The same is happening to databases, NoSQL and SQL like.
You need to create a microservice that handles login? You give it a separate datastore, maybe you think LDAP is a good idea, who knows.
You need to build a microservice which handles checkout? You give it a separate datastore too.
You need to build a microservice which stores the session information? Yep, that too is a separate microservice, it might be using .
And remember: that one microservice is the only service talking to that data-store.
Funny you should mention: project-manager.
You know, it turns out, smart people don't need any management. They can manage themselves. Management really doesn't add much value. The more complex the problems get, the better it is to let the people working on the problem decide how to work on the problem.
Here is an example of a bank, yes a bank, which got rid of all the project managers:
https://www.youtube.com/watch?...
Some people might call all these things: devops, agile, cloud, software-defined-whatever and whatever else, but I think you might get the idea of what is going on.
Ahh, cool, didn't know nmap included that.
I know, that is why I mentioned:
"Let's look at HTTP, because this is a HTTP/2 article."
Anyway, for those that don't know:
echo -en "MAIL FROM:\r\nRCPT TO:\r\nDATA\r\nSubject: test message\r\n\r\ntest message body\r\n\r\n.\r\nquit\r\n" | openssl s_client -host gmail-smtp-in.l.google.com. -port 25 -starttls smtp -ign_eof
Voting is completely useless without fixing the gerrymandering.
Most of the elections per state for the coming couple of elections are already known.
Just ask Kimball Brace.
I'm really going to miss being able to telnet to a server and troubleshoot using plain text. Feels like a lot of simple has disappeared from the internet
Yes, HTTP/2 is a multiplexing binary framing layer, but it has all the same semantics as HTTP/1.x on top.
HTTP/2 is 'just' an optimization. So if your webserver supports HTTP/1.x and HTTP/2 then you can still use telnet to check whatever you want and it should give the same result as HTTP/2.
But you also have to remember:
The IETF, which is the group of people who design the Internet protocols, made this statement:
https://www.iab.org/2014/11/14...
"Newly designed protocols should prefer encryption to cleartext operation."
The W3C made a similar statement; there are also drafts with the intention of moving to HTTPS by default.
So it is all moving to TLS protocols like HTTPS or STARTTLS for SMTP anyway. Those are clearly not text protocols either.
So even if you want to interact with the text protocol used inside that TLS-encrypted connection, you'll need to use a tool because netcat or telnet won't cut it.
Let's look at HTTP, because this is a HTTP/2 article.
That tool could be the openssl s_client, but as you can see that is kind of cumbersome:
echo -en "HEAD / HTTP/1.1\r\nHost: slashdot.org\r\nConnection: close\r\n\r\n" | openssl s_client -ign_eof -host slashdot.org -port 443 -servername slashdot.org
But I suggest you just use:
curl -I https://slashdot.org/
The main developer for cURL works for Mozilla these days and is one of the people working on the HTTP/2 implementation in Firefox and is writing a document explaining HTTP/2: http://daniel.haxx.se/http2/
So as you would expect Curl supports HTTP/2:
https://github.com/http2/http2...
Basically every browser includes 'developer tools' which will also let you see the headers and everything else you are used to from HTTP/1.x.
I would rather see we all move to using encrypted protocols than that we can still use telnet.
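As an added illustration of the "binary framing layer" point above (this is not code from the post, from curl or from Firefox): a small Python decoder for the first bytes an HTTP/2 client sends. The frame layout, type codes and SETTINGS identifiers follow RFC 7540; the sample bytes are constructed here, not captured from a real server.

```python
import struct

# Constants from RFC 7540; the sample bytes at the bottom are constructed.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"      # client connection preface
MAX_FRAME_SIZE = 1 << 14                           # default SETTINGS_MAX_FRAME_SIZE
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
SETTINGS_NAMES = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH",
                  3: "MAX_CONCURRENT_STREAMS", 4: "INITIAL_WINDOW_SIZE",
                  5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Frame header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    length = len(payload).to_bytes(3, "big")
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def build_settings(pairs: dict) -> bytes:
    """SETTINGS payload: 16-bit identifier / 32-bit value pairs, always on stream 0."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in pairs.items())
    return build_frame(0x4, 0, 0, payload)


def parse_frames(data: bytes) -> list:
    """Split a client's first bytes into (type, flags, stream_id, payload) tuples."""
    if not data.startswith(PREFACE):
        raise ValueError("missing client connection preface")   # e.g. a telnet-style text request
    frames, pos = [], len(PREFACE)
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        if length > MAX_FRAME_SIZE:
            raise ValueError("FRAME_SIZE_ERROR")                # peer exceeded the frame size limit
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, "UNKNOWN"), flags, stream_id, payload))
        pos += 9 + length
    return frames


def decode_settings(frame: tuple) -> dict:
    """Turn a SETTINGS frame into a name -> value dict, enforcing the RFC's checks."""
    ftype, _flags, stream_id, payload = frame
    if ftype != "SETTINGS" or stream_id != 0:
        raise ValueError("PROTOCOL_ERROR: SETTINGS must be on stream 0")
    if len(payload) % 6:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS payload not a multiple of 6")
    return {SETTINGS_NAMES.get(k, k): v for k, v in struct.iter_unpack(">HI", payload)}


# Constructed sample of what a client sends first: preface, SETTINGS, WINDOW_UPDATE.
SAMPLE_CLIENT_BYTES = (PREFACE
                       + build_settings({3: 100, 4: 65535})
                       + build_frame(0x8, 0, 0, struct.pack(">I", 1_000_000)))

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_CLIENT_BYTES):
        print(frame[0], "stream", frame[2], "payload", frame[3].hex())
```

Only the framing is shown here; the request and response semantics (methods, status codes, headers) ride on top of these frames, which is why curl and the browser developer tools can still display them as you are used to.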
My guess would be:
Microsoft is 'helping' Cyanogen to add some kind of cloud service.
Basically, putting your data in the Microsoft cloud.
I assume Cyanogen doesn't mind, because it's optional.
Well, that is my guess.
Yes, it's really hard.
Lots of people have tried, for years now, they've all failed:
http://media.ccc.de/browse/con...
Things that might look good in theory still turn out to be a big fail in practice. Even just getting the implementations right is really, really hard.
Using a blockchain will probably fail too.
Remember, if we knew how to make Bitcoin or Darkcoin/Darkwallet/Darksend/Coinjoin/etc. really, really anonymous, we would have already done it.
I think this is a good sign for a different reason.
We all know OpenSSL could be a lot better. Supposedly they got more funding.
If they are busy finding and fixing bugs, that could be a good thing.
Let's see how many new and existing APIs use JSON in comparison to XML:
http://www.programmableweb.com...
http://www.programmableweb.com...
Seems like a pretty clear trend to me: XML is on the way out.
SOAP or WSDL, you say?
Well, usually you use JSON with REST.
At the last technology conference, where they all implement 'micro services', I asked several people whether REST/JSON needs a WSDL-like solution:
They all answered: no.
If you want to describe your REST/JSON API, there are solutions though:
https://helloreverb.com/develo...
http://raml.org/
Sorry, my mistake. You are closer to the prerequisites than I was.
You need a signed assertion:
https://www.youtube.com/watch?...
But getting a signed assertion is pretty easy, if it's a cloud service.
Just sign up.
Anyway, most implementations have been fixed. I hope. ;-)
Unless they upgrade or downgrade the XML-parser and break it by accident.
There are so many definitions of cloud.
The above mentioned solution could be based on open source software (the research project is open source).
In a similar fashion to how WordPress is currently hosted, you get updates from the vendor (WordPress), not from the hoster, but in the case above with encrypted data.
Yes, SaaS providers will pretty much never go for it, because dealing with encryption means extra work for them.
I was just pointing out it isn't completely impossible. Because that is what most people assume.
You might not be aware of what the attack is.
The attack is about sending specially crafted XML requests/responses to circumvent the checks of the authentication system, which allows you to log in as a user of your choice.
This has nothing to do with breaking TLS; what you do need is the username and to know which application (URL) they are allowed to log into.
Let's not kid ourselves.
We all make mistakes.
Especially when we start to generate HTML based on different sources.
One mistake meant: the visitor on the webpage got to see an error instead of most of the page when you are not using XHTML.
XHTML was just too complicated, not flexible enough and strict.
Could it be that this is also the reason JSON is now much more popular than XML?
The Tao of IETF still mentions:
"We reject kings, presidents and voting. We believe in rough consensus and running code"
http://www.ietf.org/tao.html
Maybe it's just me, but might it apply here?
Before the httpbis working group started looking at proposals for HTTP/2.0, SPDY was already implemented and deployed in the field by multiple browser vendors, library builders for servers and several large websites. A bunch of research documents were written. And a protocol specification document draft existed. SPDY wasn't created in the open per se, but it was iterated with the help of the community.
So the IETF WG let people suggest proposals:
http://trac.tools.ietf.org/wg/...
And then they voted.
SPDY got selected.
Also the SPDY draft was used as a basis for writing the new HTTP/2.0 draft.
Is anyone surprised?
There might be fundamental parts of the protocol which might have turned out differently if they had gone through an open collaborative process.
But at first glance it doesn't look that bad.
I can see the appeal of rubberstamping what already exists.
SAML? Don't make me laugh:
"In this paper we describe an in-depth analysis of 14 major SAML frameworks and show that 11 of them ... have critical XML Signature wrapping (XSW) vulnerabilities"
"In order to protect integrity and authenticity of the exchanged SAML assertions, the XML Signature standard is applied. However, the signature verification algorithm is much more complex than in traditional signature formats like PKCS#7. The integrity protection can thus be successfully circumvented by application of different XML Signature specific attacks, under a weak adversarial model."
https://www.usenix.org/confere...
Also, as a foreigner I'm now 100% sure I can't put my data in a US cloud:
http://media.ccc.de/browse/con...
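To make the wrapping attack the quoted paper describes (and the earlier "specially crafted XML" comment) concrete, here is an added Python model that is not code from the paper or from any SAML framework: a verifier that dereferences the signature reference by ID anywhere in the document, next to one that binds the verified element to the element the application actually processes. An HMAC stands in for XMLDSig and the element names are cut down so the block runs offline.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the IdP signing key; real SAML uses XMLDSig with a
# private key, the MAC only models "this subtree was signed by the IdP".
IDP_KEY = b"constructed-idp-key"


def sign(assertion: ET.Element) -> str:
    """Toy signature: MAC over the serialized assertion subtree."""
    return hmac.new(IDP_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()


def verify_reference(root: ET.Element) -> ET.Element:
    """Dereference Signature/@Reference by ID anywhere in the document and check
    the MAC. The check is sound for the element it returns; the XSW problem is
    that callers then process a different element."""
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("no signature")
    for elem in root.iter("Assertion"):
        if elem.get("ID") == sig.get("Reference") and hmac.compare_digest(sign(elem), sig.text or ""):
            return elem
    raise ValueError("signature invalid")


def naive_login(xml_doc: str) -> str:
    """Vulnerable pattern: verify, then read the subject from the first Assertion
    found, which need not be the element that was verified."""
    root = ET.fromstring(xml_doc)
    verify_reference(root)
    return root.find(".//Assertion/Subject").text


def hardened_login(xml_doc: str) -> str:
    """Fixed pattern: exactly one Assertion, at the expected position, and the
    subject is read from the very element the verifier returned."""
    root = ET.fromstring(xml_doc)
    assertions = list(root.iter("Assertion"))
    if len(assertions) != 1 or assertions[0] is not root.find("Assertion"):
        raise ValueError("unexpected assertion placement")
    verified = verify_reference(root)
    if verified is not assertions[0]:
        raise ValueError("verified element differs from processed element")
    return verified.find("Subject").text


def build_response(subject: str) -> str:
    """Constructed sample of a legitimate IdP response for one subject."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="_a1")
    ET.SubElement(assertion, "Subject").text = subject
    ET.SubElement(root, "Signature", Reference="_a1").text = sign(assertion)
    return ET.tostring(root, encoding="unicode")


def wrapped_response(legit_xml: str, subject: str) -> str:
    """Constructed test input in the shape the paper describes: the signed
    assertion is kept intact but moved under another element, and an unsigned
    one is placed where the application looks. Used only to exercise the verifiers."""
    root = ET.fromstring(legit_xml)
    signed = root.find("Assertion")
    root.remove(signed)
    ET.SubElement(root, "Extensions").append(signed)
    forged = ET.Element("Assertion", ID="_a2")
    ET.SubElement(forged, "Subject").text = subject
    root.insert(0, forged)
    return ET.tostring(root, encoding="unicode")
```

The point of the hardened version is that "the signature verified" and "this is the element I am about to trust" must refer to the same object; a real fix also has to survive namespaces, canonicalization and schema validation, which this toy leaves out.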
You can do some computational things on encrypted data, like create a database, which obviously adds some overhead. For example cryptdb:
http://css.csail.mit.edu/crypt...
And built an application which then decrypts the data on the client when the user needs access to it, for example there is Mylar from the same research group as the database above:
https://css.csail.mit.edu/myla...
There was a law (amendment) proposed, it got shot down:
https://en.wikipedia.org/wiki/...
Also notice the last line on Wikipedia says:
"As of May 2014, Aaron's Law was stalled in committee, reportedly due to tech company Oracle's financial interests.[42]"
If anything is missing, it's probably only missing on Windows.
Support on Linux and Mac is just fine, I think.
Windows:
- client support is kind of OK
- virtual filesystem support is kind of OK
The biggest missing solution:
- Windows server support. There are some expensive solutions, not sure how well they work.
My suspicion is it would be a virtual community.
Like a large minecraft.
How do you bomb that?
Especially if we create a distributed version of that with no dependence on a single or small number of computers.
There used to be a boat which did abortions in countries where the law wasn't favorable to abortion:
http://www.womenonwaves.org/en...
The laws of the sea were the only ones that applied.
Why would you create many centralized points if you can create a decentralized system?
They worked more than 9 years on Tribler; might as well start using it, right?
http://www.tribler.org/
https://github.com/Tribler/tri...
Something I've been missing in this discussion is a notion of scale.
This is a statistic from 10 years ago from the US:
- the average citizen uses 10 times more energy when going to and from work each day (the use of their car) than all their energy use of the rest of the day combined.
If I'm not mistaken, this includes natural gas.
Now this number has shifted in the past 10 years.
But let's say a battery pack for the average home is about a quarter the size of what goes into a car.
Also what would happen at homes when electric cars are driving down the price of batteries?
What if you live in a country where power from the grid has a different price at night than during the day?
Well, that system isn't going to last, is it?
Will it smooth out demand on the grid during the day?
Lots of changes coming in the future, they could be bad, they could be good. They will be bad for some people, good for others.
I do know one thing: Elon Musk will probably make some more money if he can deliver on some of his goals.
Rooftop solar and battery storage cannot even begin to compete with efficient central generation and distribution.
I would think utilities think 10, 20 maybe 30 years ahead. Because they have to invest in building things. Large things.
In Germany they had a public opinion that renewable energy would be a good thing, so politics created a fund which put money behind it, lots of money.
The result:
http://www.greentechmedia.com/...
Investments by electrical companies have become really hard to do, because they are making less and less money on their investments:
"Wholesale electricity prices in Germany have dropped 60 percent since 2008 as renewable energy, which is heavily subsidized and has priority access to the grid, gets dispatched first due to its much lower short-term marginal production costs than traditional plants, displacing natural gas, coal and nuclear power."
http://instituteforenergyresea...
Their next goal? Funding energy storage technologies:
http://www.energystorageforum....
So what did the largest utility company do?
http://www.theguardian.com/env...
Here is the brass tacks... The EU sees a big rich American company doing business in the EU and they're not paying EU taxes. So they're going to fuck around with it until they figure out how to get money from it.
Actually, seems to me Google was paying taxes in EU:
http://www.latimes.com/busines...
http://www.businessweek.com/ma...
I don't know where their taxes will be going next.
Or do you think Ireland is not an EU country?
http://en.wikipedia.org/wiki/M...