Here’s a useful presentation on Linux debugging tools — tools that don’t require source code, additional prints or logging.
strace has a new flag that I didn’t know about: -y, which prints the paths that are associated with file descriptors.
opensnoop lets you see the details of open() calls across the entire system, or for an individual process, or for paths containing certain characters, or it can print the file paths that couldn’t be opened.
pgrep shows the stack trace of a running process, which can be useful to get an idea of what a program spends most of its time doing.
dstat shows system resource stats. It is a replacement for vmstat, iostat and ifstat.
htop — a more beautiful ‘top’, and easier to use. I still mostly use ‘top’ because it is installed by default. Other great tools I use include ‘powertop’ and ‘iotop’.
ngrep — an alternative to tcpdump, but allows the use of regexes to match plain-text data in packets.
tcpdump — useful when troubleshooting network connections between servers.
- wireshark — a more UI-friendly tool than tcpdump, with dissectors for most protocols
Article: The One Python Library Everyone Needs: attrs
Some people are excited about eventually being able to program in Python 3 everywhere. What I’m looking forward to is being able to program in Python-with-attrs everywhere. It exerts a subtle, but positive, design influence in all the codebases I’ve see it used in.
Or, for those who want more power (an complexity) than the attrs module, there’s macropy and it’s case-classes.
Stackoverflow has introduced a new tech documentation tool that focuses on providing examples, rather then merely sparsely documenting an API. The one on Python string formatting is quite useful.
I needed to help a friend on a remote computer recently. A coworker told me about Chrome Remote Desktop, which works on any computer that has a Chrome browser, including Linux, Mac, Windows, iPhone and Android.
Chrome Remote Desktop is an easy-to-install plugin for Chrome, and is gratis (no cost). It worked quite well, and I’m happy to recommend it.
Alternatives include copilot.com, which is free on weekends. Lifehacker has a list of solutions as well.
Facebook recently made their computer vision library available to the public under an open source license. It allows a computer to recognize different objects in a picture. The software is explained in their “Learning to Segment” blog post, and it sounds impressive.
Their “DeepMask and SharpMask object proposal algorithms” are available on github.
No matter what you think of a computer language, you ought to respect its idioms for the same reason one has to know idioms in a human language—they facilitate communication, which is the true purpose of all languages, programming or otherwise.
— George V. Neville-Neil
George also explains that “a single cache miss is more expensive than many instructions, so optimizing away a few instructions is not really going to win your software any speed tests”.
LWN covers the new W3C spec for HTML subresource integrity (SRI):
SRI is designed to combat injection attacks that come through third-party content. The originating site can include cryptographic hashes of third-party script and image files, enabling the user’s browser to hash the corresponding files it receives from the third-party servers and verify that the hashes match.
Most browsers already support SRI, including Firefox, Chrome and Opera.
If you’re designing a service that requires passwords for authentication, store them using the Argon2 or bcrypt password hashing functions. Don’t use MD5, SHA-1, SHA-2 or SHA-3 — they’re not designed to keep passwords secure against attackers that gain access to your password database.
Reference article: How LinkedIn’s password sloppiness hurts us all by Jeremi M. Gosney
If [online services] aren’t using something like bcrypt or Argon2 for password storage, then they’re doing things very, very wrong. But slow hashing is no longer as effective of a solution as it could have once been had it only been adopted sooner.
When you suspect a password database has been compromised, even just in part, you cash in on that insurance policy [of using forced password resets] immediately by activating your incident response team and your public relations team.
What is Argon2? It’s the winning algorithm from the Password Hashing Competition. Argon2 has been added to recent versions of libsodium.
I’ve been following the Ars coverage of the Oracle v Google trial regarding whether Google’s use of Java APIs is “fair use”. I didn’t think Google would win, but was pleasantly surprised when the jury decided in their favor. Hurrah!
However, just because Google won, doesn’t mean that companies can indiscriminately copy APIs and have it fall within “fair use”. It seems safest to me to make use of APIs that fall under an open source license. That way, the code individuals and companies write can more easily be run against competitive API implementations without being held hostage by the owners of the original API.
Ars has an interesting article showing how the internet works with regard to the underseas cables that tie the continents together. I had no idea there were repeaters to help the signal propagation, or how broken cables were repaired.
It’s useful to shorten long URLs, especially when sending them in tweets and in text messages. An LWN.net article helped me learn that they can be a security risk:
URL shorteners such as bit.ly and goo.gl perform a straightforward task: they turn long URLs into short ones, consisting of a domain name followed by a 5-, 6-, or 7-character token. This simple convenience feature turns out to have an unintended consequence. The tokens are so short that the entire set of URLs can be scanned by brute force. The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.
Around 7% of the OneDrive folders discovered in this fashion allow writing. This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content
— VITALY SHMATIKOV