* Posts by rjed

30 publicly visible posts • joined 17 Jan 2018

New measurement alert: Liz Truss inspires new Register standard


while on the other side of the earth

We have Xi Jinping who is all set for an infinite Truss.

IETF publishes HTTP/3 RFC to take the web from TCP to UDP


QUIC can do what TCP can't

Usually I hear folks debating the performance (throughput, latency) aspects of things when QUIC is introduced. I don't think QUIC can improve throughput since that is primarily handled by congestion control and flow control algorithms which are mostly the same on both TCP and QUIC. QUIC had some advantages when it comes to latency improvement just because it has deeper integrations with TLS 1.3 and supports features such as session resumption and 0-RTT handshake.

But I would say those would not be my primary reasons to move to QUIC. QUIC can do some things which TCP can never do (and TCP cannot do it because of its ossification in existing systems). Things such as:

1. handling partial reliability: TCP is a fully reliable transport protocol. A lot of times we need partial reliability for scenarios such as gaming, live streaming. For e.g., within a video stream, you might want full/better reliability for I-frames but lower reliability for P/B frames. In fact, P/B frames towards the end of GOP (group of pictures) could have much lower reliability. Today if an app uses a tcp-send, you cannot then drop it. TCP will try to resend it till it manages to get it delivered. This is counterproductive in the scenarios I mentioned. In a live-stream, if you cannot deliver the P/B frame within a second (for instance), then it is best to drop it since the video decoder will anyways extrapolate and manage to get it recovered. Retrying even after a few seconds will result in traffic clogging, impacting subsequent traffic. QUIC can support such modes.

2. improved multipath transports: MPTCP (multipath) suffers from a lot of design constraints because of TCP ossification. QUIC can do much better with multipath. As an example, once a segment is transmitted on a TCP path within a connection, that segment cannot be rescheduled to be transmitted on another path within the same TCP connection since middleboxes expect all the TCP segments to arrive (because of full reliability). QUIC doesn't suffer from such a limitation.

3. notion of streams: TCP does not support notion of streams and thus an application has to initiate multiple TCP connections for each stream. QUIC's design is much closer to app.

4. future extension: QUIC can be extended without having to worry about ossification. QUIC is smartly designed so that intermediate routers/switches cannot read the packet and cannot make a decision based on a specific bit within the packet. This means we will see innovation at the transport layer. Today the innovation with TCP is stalled because TCP has to work within the constraints of middleboxes which have ossified implementations. QUIC has ensured that this ossification won't happen with its design.

Using QUIC in kernel space or user space is a systems issue. Today one can use TCP in userspace as well but most apps prefer to use existing kernel space implementation. The same will be true for QUIC since app devs will want to use existing implementation in favor of deploying their own.

There's no Huawei back now: Biden signs law that forbids US buyers acquiring kit on naughty list


Insecure gear

“will help to ensure that insecure gear from companies like Huawei and ZTE can no longer be inserted into America’s communications networks,”

The notion, fully-secure, doesn't exist in the software/hardware world. In the security world what matters most is:

Transparency: Is the code open for investigation? I will ensure that my deployed binaries are generated from the code that I have seen. Many orgs lack that capability but I don't think that is true in the telecom world. BT (British Telecom) and UK CSEC had ready access to Huawei code and sure they found vulnerabilities, but at least there was transparency. Such transparency is not exhibited by Cisco and Ericsson.

I guess I am trying to make a point which is so obvious and as bright as the Sun. This act is politically motivated. And just the way that no one wants to look into Sun with their direct eyes, the same is true in this case.

Google adds VM support to Anthos, admits not everyone is ready for containerised everything


Re: Containers dead?

I don't think the article in any way indicates that containers are dead!

Just that virtual machine based workloads are here to stay. And I would argue that even bare-metal non-virtualized workloads are here to stay.

Some transaction-based workloads could benefit from using bare-metal/VMs directly where the transaction processing speed could be impacted because of the containerization layer. But there are a lot of workloads where the containerization layer adds much more value. Put k8s-like orchestration in the mix and you get a lot of high-end features (such as service load-balancing, HA, reliability) readily available.

Also using containers/k8s is not really straightforward today. The development and admin community is still catching up with the k8s/containerization nuances. Orchestration engines such as Google Autopilot and AWS Fargate could help alleviate some of these pain points.

Facebook used facial recognition without consent 200,000 times, says South Korea's data watchdog


take a page out of GDPR for enforcing fines

Facebook's revenue for 12 months ending June 2021 was $105bn (up ~40% YoY).

Fines of $5.5m + $22K ... I don't think Zuck's team will even bat an eye. In fact, if anything, this would embolden them to even care less about carrying out such malpractices in your country in the future.

Take a page out of the GDPR framework where the fines are decided based on the proportion of yearly revenues. Doing facial recognition without consent.. shame on you Facebook.

Infosys CEO hauled in to tell minister why India's tax portal is still a glitchy mess


F squared

Infosys is fucking up its already fucked up image.

These tweets, headlines will be paraded for years to come, if at all they survive till then.

At least, the government is not holding back and treating them like any other vendor. Good to see that and better would be to see some actions taken.

India bans Mastercard from signing up new customers

MasterCard babbling with response

Seems MasterCard just didn't care. The mandate given by govt was to comply in 6 months and they were given 3 years. If this is not good enough for MasterCard, I don't know what is. MasterCard needs to get its house in order.

India tells Twitter to obey its laws — or make wielding them easier


Re: Pick and choose

Content removal is very different from identifying who the first originator of that content is.

Content removal is already done today by YouTube, Facebook, Twitter, LinkedIn and there is a process in place. It can be argued whether or not that process is correct.

Identifying who the first originator of the content is leads to other problems. Primarily, the govt or any other agency can go after that originator.

Big Brother


Govt wants Twitter to dance to its Kumbaya. Democracy is vibrant not because of the people who lay rules but also because of the people who question it. Anyone who reads "Intermediary Guidelines and Digital Media Ethics Code" will understand how vague it is and there is no surprise that Twitter couldn't find anyone in India to be the Nodal Officer. Anyone who gets that post will be slaughtered on day one.

Regulators need to be cautious of what tech tweaks they ask for. These tweaks can make or break a democracy.

For me, I have not used Facebook, WhatsApp, Twitter, but I am worried about Reddit, Signal. It would be interesting to see how Govt deals with them.

Microsoft embraces Linux kernel's eBPF super-tool, extends it for Windows


This move reflects the change in the ideological stance of MS. Earlier, anything coming out of Linux used to be frowned upon by MS and there was an inclination to build something in parallel.

By adopting eBPF, MS is proving that it is maturing in terms of thought process. It doesn't simply reject anything coming out of Linux and is keen on working out the model that has worked out on Linux. eBPF has proved immensely successful for observability, monitoring, and lately for security enforcement and performance tuning on Linux. By adopting eBPF, MS will reduce the effort required of security developers, who would otherwise have to rebuild the same security engines again for MS Windows. This certainly helps MS.

However, it remains to be seen as to how much of Linux eBPF hooks, primitives can actually percolate in MS Win. The power of eBPF lies in the hooks, helper functions, and maturity of the kernel verifier. Linux recently coupled eBPF with LSM hooks (called KRSI). How would MS Win handle this?

Anyways, a great start nonetheless, and looking forward.

Payment app MobiKwik denies customer data was stolen from it, has no idea how the info ended up on the dark web: Maybe it was your fault?


And that is why GDPR is needed ...

With GDPR you will have to shell out 4% of your annual revenue as fines and thus an organization would be extra diligent before scrapping such charges.

Some companies are extra careful (which means they devote more resources) towards security and privacy. Other companies that want to compete in the same space and do not ensure the same rigor towards security and privacy might end up saving on these resources, which will add to their bottom line. All this is possible because of the lack of regulations and of course CXOs who care more about the bottom line than their users.

Indian government slams Facebook over WhatsApp 'privacy' update, wants its own Europe-style opt-out switch

Clear win for GDPR and EU in general

It is discriminatory for Facebook to have different rules for Europe vs India/US/Rest. But the world (India/US/Rest) should understand, only they are to blame.

This simply goes on to show how effective legislation can protect citizens' rights.

Kudos to GDPR which is not only protecting Europe but also is indirectly instrumental in protecting other parts of the world.

Oracle and AWS trumpeted how their clouds helped Zoom scale. But it turns out Zoom fears its cloud bills and uses co-located kit


Why am I not surprised?

... PR/Marketing folks in AWS/Oracle/elsewhere making tall claims about their products which may not "entirely" be true. Is there any other way to play this game? The onus as always is on the customers/consumers to interpret/validate.

Elon Musk says he tried to sell Tesla to Apple, which didn’t bite and wouldn't even meet


Re: iCar

Some more marketing ideas for Apple biz folks:

* User needs to pay Apple $99 before the door could be opened.

* Two years later the car will travel at max 20mph and the user has to upgrade to iCar2pro

* Silver plated steering wheel for $5999 only

* iCar can be charged only through special chargers available in Cupertino and in Iceland.

* iCar chargers won't be sold with the car to save our mother Earth.

SolarWinds’ shares drop 22 per cent. But what’s this? $286m in stock sales just before hack announced?


Make IT look easy!

.. is what SolarWinds' tagline is. They sure lived up to it.

...were not aware of this potential cyberattack at SolarWinds

One might think, what a reckless way of running the company? They own 70% of the company, have 6 board seats and they were not aware of the most defining moment of their investment/firm.

Either they are too dumb or they think an average Joe is too dumb.

Regardless, after the SEC investigation, am sure one average Joe will find out how dumb (s)he was when (s)he is remanded to prison and not the firm's top ones.

Travel agent leaked customer data by – this is embarrassing – giving it away in a hackathon


Data can either be anonymous or useful but not both


Check out surprising failures of anonymization/reidentification procedures to protect privacy. Just read the initial two pages and am sure you will be taken aback.

Five Eyes nations plus Japan, India call for Big Tech to bake backdoors into everything


To use raw power is to make yourself infinitely vulnerable to greater powers -Frank Herbert

Government through legislation can at best mandate open social media platforms to share their private keys for all users.

But terrorists do not hang out on WhatsApp, Facebook, WeChat to discuss their world domination plans. If they do, they have already proved their idiocy and they may not be as big a threat.

An avg IT dev (myself) may take less than a week to write a private app which can ensure end-to-end encryption and this is what any terrorist (who has any wits) will do. Sure the keys have to be shared across the two ends but there are n number of ways to do that out of band (without necessarily using the Internet).

So the biggest purpose this legislation solves is to ensure that public dissent is caught early on. People make use of social media platform to connect to fellow citizens to whom they are not directly connected to voice opinions, raise dissents and governments will ensure that such dissent is caught early on and suppressed. Such legislation will become a tool for dictators.

Such legislation will make evil-minds think more about having a cyber-security cell within their outfits. In short, <read the title>.

If you're wondering how Brit cops' live suspect-hunting facial-recog is going, it's cruising at 88% false positives

Now you see me

I don't understand how this is a failed tech!

There were 8600 faces detected and 7 were flagged as probable matches (by matching against 7292 possible faces) and 1 turned out to be a true positive.

Meaning only 7 were sent for manual inspection. Can you imagine the fleet of people required to do this manually?

Also I am assuming 7 were flagged because the system could not afford to have false negatives and thus has been liberal in flagging the matches.

I am no fan of surveillance, but this article seems trumpeting towards the wrong end.

One man is standing up to Donald Trump's ban on US chip tech going to Huawei. That man... is Donald Trump


Heads I win, Tails you lose

Fantastic strategy! Yeah, it's not easy for folks below him.

You've got (Ginni's) mail! Judge orders IBM to cough up CEO, execs' internal memos in age-discrim legal battle


Re: Good luck

Urgh, Good luck finding mails in Lotus Notes!

I could not manage to find yesterday's mails let alone anything older. The person who designed the search interface definitely had a grudge on sapiens.

Apple strips clips of WWDC devs booing that $999 monitor stand from the web using copyright claims. Fear not, you can listen again here...


Upcoming: Apple monitor setting buttons

Done with the stand.

Marketer: Now let's sell monitor settings buttons for $299 only.

Tim: Ohyeah, Bring it ohhn

Juniper slips out update after hardcoded credentials left in switches


Get your act together, Juniper!

Gets me thinking, even with multi-level peer code reviews, automated static/dynamic code analysis, the hardcoded credentials still managed to sneak in to the production. The Junos version mentioned was last updated in Feb 2019. Pretty reprehensible!

You won't get Huawei with this, America! Chinese giant sues US government over 'unconstitutional' ban


Ironically the irony is not even ironic anymore..

Every actor is just playing its own scripted part now ...

Linux kernel's Torvalds: 'I am truly sorry' for my 'unprofessional' rants, I need a break to get help


thank you Linus .. to say the least

Well done with the apology. But please do maintain the ZEAL.

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’


Privacy matters

Such pro-privacy moves should be commended. I will be switching over to Firefox. Sure it will take some time but I'll make a deliberate effort. It's about time tech enthusiasts start showing (through actions) that privacy matters. It is possible that some portals may post a message saying Firefox is not supported and I will know their intentions when the message pops up.

Kudos to Firefox for making such a move.

Australia wants tech companies to let cops 'n' snoops see messages without backdoors


politician talking to skeptic security expert

Politician: We need access to some communications between x and y ... give us the master key

SecExpert: There is no master key ... Let me tell you how it works ..

Politician (thinking in the mind) : Oh! She started again!!

Politician: Let's cut to the chase .. give me a way to access communication between x and y .. whatever it takes..

SecExpert: I do not own the keys for the communication ... the keys are owned by the users and it's a breach of trust if I give them to you.

Politician: Do you know whom you are speaking to? How come you do not trust us?

SecExpert: Maybe I trust you but I do not know how I can trust the institution and its future staff not to misuse these powers ...

Politician: How can you not trust the constitution makers? We'll amend the constitution and we'll see you then.

Meanwhile, in the other part of world:

Terrorist1: Shall we use WhatsApp to send messages?

TerroristSecExpert: What! Are you mad? We'll use this Android app which I developed in the past few days which uses our own generated public/private key pairs.

Terrorist1: I want those poo emojis in that app ... do you have it?

TerroristSecExpert (rolling her eyes)...

Google's 'QUIC' TCP alternative slow to excite anyone outside Google


Quite an achievement, given that QUIC is still not an RFC/standard

QUIC has not been deployed yet because it is still not a standard !! IETF is working on it and has recently pushed back the dates (to end of 2018) and streamlined what could possibly be achieved in the first version to make most of em/us happy.

Because it is still not a standard, open source implementations haven't sprung up and thus the adoption is limited.

Currently only Google has deployed "its own version of QUIC" in their own clients and servers. It has seen the prospects and wants others to adopt (and eventually/naturally Google will also benefit along with others).

Amongst others, 3GPP has already realized the potential and proposed it for 5G core control plane (https://www.ietf.org/mail-archive/web/quic/current/msg01878.html).

Point is, the adoption is slow for a reason. The reason is, it is still not a standard and hence not many stable open sources.