Saturday, November 14

Geek

Daily News Stuff 13 November 2020

The Year Of The Eternal Two Weeks Edition

Tech News

  • I tried out the Aria storage engine to see if it worked better than InnoDB for large working sets relative to memory, and it turned out the answer is no. 

    Which is good because I didn't want to use it anyway.  While Aria (unlike MyISAM) is at least crash safe, it doesn't improve on MyISAM's write lock behaviour, which is frankly terrible.

    It's not a problem for the search index, because by design that uses a single asynchronous writer.


  • I'll run a scaling test on a 32GB dedicated server today.  It's really nice that I can spin one up for 18ยข an hour and then just shut it down when the test is done.


  • Now that the US election is all over bar the screaming, Facebook is permitting political ads again LOL J/K.  (The Guardian)

    Facebook is extending its ban on political advertising for another month, because it was never about protecting the integrity of the election.


  • Nvida is also planning to release a feature like AMD's SAM.  (Tom's Hardware)

    This lets you map all of video card's VRAM into the CPU's address space rather than using a 256M window, and boosts performance by a few percent.  Why this wasn't done before I'm not sure; it seems a no-brainer on 64-bit systems.


  • Third-gen Epyc is on its way, at clock speeds up to 3.5GHz.  (Tom's Hardware)

    That's nearly as fast as my existing desktop, and has around 40% better IPC.  And eight times as many cores.


  • AMD just announced a new Ryzen Embedded lineup so where are the systems based on them oh there they are.  (Tom's Hardware)

    Pretty nice systems too.  Six or eight cores, up to 64GB RAM with ECC support, room for one each M.2 and 2.5" drives, DisplayPort and HDMI, 1GbE and 2.5GbE network ports, two USB 3.2 Gen 2 Type A (that is, 10Gb), two USB 3.2 Gen 2 Type C with DisplayPort - though these are on the front so not ideal for connecting monitors, four USB 2.0, and optional WiFi.  And a serial port, because these are for embedded applications.

    And it's passively cooled.

    They also offer the motherboards, which are NUC-sized 4"x4", if you want to build your own.

    No retail pricing because again these are for embedded applications.


  • MacOS Big Sur is out.  (Apple)

    How long before they manage to fuck everything up?


  • Less than a day, as it turns out.  (Tech Crunch)

    Apple's Gatekeeper back-end broke down, which meant that Macs running recent versions of MacOS (I've frozen updates on mine for over a year now) could not start third-party applications.  Any third-party applications.

    Response of the world's richest company:

    If you rebooted your Mac during this outage the problem would go away because the operating system would never finish rebooting.

    Apple's ongoing infantilisation of their operating system is why I'm never going to buy another Mac.


  • So, if you can't run third-party Apps because an Apple online service broke, that means that Apple is tracking every third-party app you run, right?

    And that's not the half of it.  (Sneak.Berlin)

    They transmit all this information through a third-party CDN - Akamai - UNENCRYPTED.

    Previously, you could monitor and even block this nonsense with apps like Little Snitch.  Big Sur no longer allows Little Snitch to run.  And while it still supports VPN software, Apple apps and operating system functions will simply bypass the VPN.

    Oh, and those new Arm-based Macs?  You have no option to run anything but Big Sur.  Because fuck you, that's why.


  • We now live in a timeline so thoroughly messed up that Microsoft are the good guys.



Totally Not Tech News

  • Washington Post: There is no Deep State.

    Also Washington Post: LOL the Deep State lied to elected officials.




  • The fascists at CNN of course think this is a wonderful jape.



    War, what is it good for?
    Ratings.


  • Twitter rando whose account has since gone private so that no-one can see it tweeted at Target that a book made them feel unsafe.

    Target's response:



Pizza on Pineapple Video of the Day



Hololive Alignment Chart of the day



Disclaimer: Nobody asked you, Patrice.

Posted by: Pixy Misa at 12:09 AM | Comments (12) | Add Comment | Trackbacks (Suck)
Post contains 727 words, total size 7 kb.

1 Apple:  Sounds like it's (past) time for people to start running pfSense routers and blocking that shit.

Posted by: Rick C at Saturday, November 14 2020 12:54 AM (eqaFC)

2 Apple vs MS:  MS has been doing this and more for quite a while now.  It's just that MS doesn't actually lock you out of 3rd party apps when their servers hiccough.  Apple just figured no-one in the tame mac press would write about it.
And if you remember the old realplayer garbage, if you tried to firewall its normal communication ports it would just shift over to using 80.

Posted by: normal at Saturday, November 14 2020 01:41 AM (LADmw)

3 Windows does have install-time checks and real-time monitoring.  But those are configurable (though it complains incessantly if you turn them off) and they don't lock you out of your own computer.

Posted by: Pixy Misa at Saturday, November 14 2020 02:00 AM (PiXy!)

4 Apple's next step if they get annoyed by people blocking ocsp.apple.com is to simply override your DNS servers for "necessary" hosts in apple.com domains. Y'know, for security, to prevent spoofing.

We did it at Ooma because certain ISPs like to redirect your traffic by returning phony DNS results, and our devices couldn't come online if they weren't talking to a server with the correct SSL certs.

-j

Posted by: J Greely at Saturday, November 14 2020 06:38 AM (ZlYZd)

5 "pple's next step if they get annoyed by people blocking ocsp.apple.com is to simply override your DNS servers for "necessary" hosts in apple.com domains. "
How's that going to work if the router drops all packets from that host?  (I know, locking you out of the OS or something.)

Posted by: Rick C at Saturday, November 14 2020 07:42 AM (eqaFC)

6 Don't you mean "how's that going to work if you block the entire IP ranges owned by Akamai and any other third-party CDN Apple decides to use?" At least as long as they're not forcing the query to go to their DNS servers, you've got a chance. And when they add the override, it's sure to be part of a critical security update that you're utterly boned without.

-j

Posted by: J Greely at Saturday, November 14 2020 10:24 AM (ZlYZd)

7 You can always run a real firewall, and drop everything from certain ip addresses regardless of DNS.  Well, and you can always just not use apple's garbage.  And if you run any services on the web, you can use TCI/IP fingerprinting to redirect apple products to a "don't use apple products" landing page.

Posted by: normal at Saturday, November 14 2020 10:31 AM (obo9H)

8 J:  well, yeah, although I'm going to handwave that away as a detail.  If you block packets to those domains at the router, it doesn't really matter what the OS does, it's shouting into the void.  Any override presumably has to deal with the concept that you're not online, either--I don't think Apple users are going to like it if Apple refuses to let apps run if the device can't connect to the snoop server.

Posted by: Rick C at Saturday, November 14 2020 12:10 PM (eqaFC)

9 Normal:  yes, but it can't be on the Mac itself, because the OS will bypass the firewall when it's phoning home.  That's why I said block it at the router.
Depending on how the phone home works you might find someone writing a server process that can run on routers that simply always returns the equivalent of "yep, go ahead & run this."

Posted by: Rick C at Saturday, November 14 2020 12:26 PM (eqaFC)

10 I can block the current IP addresses at the firewall, but then I need an automated process that looks them up every week/day/hour to follow CDN changes (been there, done that, gaps in coverage). I can override the hostnames in DNS ("you are here"), which works until Apple bypasses that to use their own DNS servers. I can block all outgoing DNS requests, which works until Apple switches their DNS lookup to a non-standard port. I can add a full-on filtering proxy for all web traffic, which risks breaking a lot of things and only works until Apple moves their traffic to a non-standard port ("ask me why Ooma client syslog traffic goes out on TCP port 110"). I can even nail my network down like a room full of customer-service temps who'd rather surf porn than take calls, but then I wouldn't have real Internet access any more. And none of that helps me if I ever have a reason to leave the house with my laptop again someday.

Basically, it's whack-a-moles all the way down, and while Apple won't spend a dime on QA or building reliable Internet services, they're eager to invest in converting their products into walled gardens that grow only RPU.

(why, yes, I've bought my last Mac, and it will never be upgraded to Big Sur; if that someday breaks interoperability with my phone and watch, I'll replace those, too. If I weren't living under the threat of Harris becoming President in January, I'd be ready to drop a few grand on a high-end Windows laptop; WSL2 is good and getting better)

-j

Posted by: J Greely at Sunday, November 15 2020 06:17 AM (ZlYZd)

11 "I can block the current IP addresses at the firewall, but then I need an automated process that looks them up every week/day/hour to follow CDN changes (been there, done that, gaps in coverage)."
True.  Since I haven't really looked into pfSense yet, but am getting closer to doing so, I have to wonder how hard it would be to just have something like a cron job that runs every hour or so and does a GetHostByName(), gets the h_addr_list out of the returned hostent, and blocks all of those IPs (or some more modern equivalent for any piece of that) again, on a router.  One of those cute, cheap U-series-powered computers with multiple NICs you can get on Aliexpress ought to make a nice filter.
I certainly agree there's a level of whack-a-mole that you could theoretically end up in.  Depends on how many people blocking them it would take for Apple to escalate each time.

Posted by: Rick C at Sunday, November 15 2020 08:30 AM (eqaFC)

12 FYI, the TTL for the host that ocsp.apple.com redirects to at Akamai is 15 seconds. They can bounce that sucker around their network as much as they want.

-j

Posted by: J Greely at Sunday, November 15 2020 12:40 PM (ZlYZd)

Hide Comments | Add Comment




Apple pies are delicious. But never mind apple pies. What colour is a green orange?




61kb generated in CPU 0.1, elapsed 0.4833 seconds.
58 queries taking 0.4187 seconds, 314 records returned.
Powered by Minx 1.1.6c-pink.