2023-10-11

The largest DDoS attack to date, peaking above 398M rps

  • Google has successfully defended against the largest recorded DDoS attack, which peaked at 398 million requests per second and used a novel technique termed HTTP/2 Rapid Reset.
  • The coordinated response from the industry following the attack has led to the development and implementation of patches and other mitigation techniques. Users of HTTP/2 are encouraged to apply vendor patches for CVE-2023-44487 to reduce vulnerability to such an attack.
  • For protection against DDoS attacks, Google Cloud customers are advised to make use of Cloud Armor's DDoS protection and other features like proactive rate limiting rules and AI-powered Adaptive Protection.

Reactions

  • The conversation covers a broad spectrum of subjects related to DDoS (Distributed Denial of Service) attacks, including the motivations behind such attacks and possible attackers.
  • Strategies to curb these attacks are discussed, underscoring the role of cloud providers and the responsibility of Internet Service Providers (ISPs).
  • Highlighted points include the growing threat of DDoS attacks in the digital world, increasing concerns regarding internet security, difficulties in addressing cyber security, and the impact of certain safety measures.

Log is the "Pro" in iPhone 15 Pro

  • The blog post primarily discusses the inclusion of log video recording in the latest iPhone 15 Pro and Pro Max, a format that provides increased flexibility in color grading and editing.
  • It explores the advantages of using log footage, including the ability to select different visual appeals and naturally grade colors, as well as its compatibility with various color spaces.
  • The post also refers to the release of the Blackmagic Camera app for the iPhone, which offers enhanced manual controls and features, boosting the creative possibilities for video shooting and editing with these devices.

Reactions

  • The discourse involves the comparison of smartphone cameras and traditional cameras in terms of quality and convenience.
  • The conversation touches upon the influence of smartphones on the camera industry and the capability of capturing high dynamic range (HDR) images on smartphones.
  • Discussions also include the application of log format in videography, post-processing, shooting options, and the camera chips featured in Apple and Sony's flagship smartphones.

Building a 42-inch E-Ink frame for generative art

  • The author created a 42-inch E Ink art frame designed to exhibit generative AI art, utilizing a Raspberry Pi for display control and Blue Noise Dithering for image preprocessing.
  • To tackle the 'ghosting' issue common in E Ink displays, they implemented a solution involving alternating between full black and full white images.
  • Future improvement plans include making the frame battery-powered and using AI to generate art prompts. The project had support from Charly, Nico, and Florian.

Reactions

  • The key focus of the discussions is the high cost and constraints of e-ink displays for generative art, attributed to difficulties in manufacturing, low demand, lack of bulk production benefits, and limited usability.
  • Participants also discuss the strengths and weaknesses of e-ink technology, such as its low energy use and good outdoor visibility, along with its limitations in cost and size.
  • Additional topics involve the role patents play, comparisons with OLED (Organic Light Emitting Diodes) displays, and the utilization of e-ink displays in different applications like digital photo frames and Do It Yourself (DIY) projects.

Oil sector is lobbying for inefficient hydrogen cars to delay electrification

  • Michael Liebreich, a recognized analyst, suggests that the oil sector promotes hydrogen fuel-cell cars to delay the electrification of cars, arguing they are inefficient and costly compared to electric solutions.
  • Liebreich has developed the "Hydrogen Ladder," positioning cars and domestic heating at the bottom as uncompetitive use-cases for hydrogen, asserting that companies might be promoting hydrogen to slow down the shift to electrification.
  • He opposes the need for hydrogen cars, stating that electric vehicles already excel in efficiency, performance, and convenience, and disagrees with the application of hydrogen for domestic heating due to inefficiencies and safety concerns.

Reactions

  • The central debate revolves around the use and efficiency of hydrogen as a fuel source versus the practicality of electric vehicles (EVs). Hydrogen's backing by the oil industry is scrutinized, as are its applications beyond transportation, like long-haul flights.
  • Broad topics include the carbon-neutral synthesis of hydrocarbons, challenges of cost and efficiency against batteries, and hydrogen's potential benefits within certain industries. Japan's investment in hydrogen as a petroleum alternative is mentioned, along with the storage abilities of batteries and hydrogen.
  • Detailed discussions cover the energy density of hydrogen for air travel, EVs' weight and concern for road damage, the lifespan of EV batteries, and the scalability and efficiency of hydrogen as an alternative fuel. The limitations and advancements of EVs, as well as the future of transportation, are also explored.

The novel HTTP/2 'Rapid Reset' DDoS attack

  • In August, Google confirmed that an unprecedented DDoS attack, using the HTTP/2 protocol, targeted its services and Cloud customers, with one attack reaching 398 million requests per second.
  • Google's global load balancing infrastructure successfully prevented any service outages by mitigating the attack on the edge of its network.
  • Google has since implemented additional protective measures and worked with industry partners to address this new attack vector throughout the ecosystem. The article further elaborates on the attack methodology and provides mitigation strategies.

Reactions

  • A new Rapid Reset DDoS attack has been discovered, targeting HTTP/2, leading to discussions on potential alternatives such as improvements to HTTP/1.1 and the upcoming HTTP/3.
  • Discussions are centered around preventing DDoS attacks, including replay/amplification attacks using DNS. Suggestions include having DNS use TCP, padding requests, and exploring limitation solutions.
  • HTTP/2's vulnerability to an attack technique that increases requests per connection is highlighted, with comparisons to possible HTTP/3 attacks. Throttling is proposed as a defensive strategy, acknowledging the difficulty posed by numerous compromised IPs during DDoS attacks.

Engineered material can reconnect severed nerves

  • Rice University researchers have devised a magnetoelectric material capable of stimulating neural tissue and repairing separated nerves.
  • The new material carries out the magnetic-electric conversion 120 times faster than its counterparts, paving the way for accurate remote neuron stimulation and minimally invasive neurostimulation methods.
  • Beyond neurostimulation applications, this cutting-edge material's design framework offers potential use in computing and sensing fields.

Reactions

  • A new engineered material has been produced with the ambition of reconnecting severed nerves, potentially paving the way for spinal cord repairs and neuropathy treatments.
  • There are doubts and debates regarding the viability of nerve regeneration, the body's response to such technology, and the potential exaggeration of research claims by universities.
  • The community also identified issues like the reliability of scientific replication and the risks involved with brain implants and neural stimulation.

Valve says Counter-Strike 2 for macOS not happening, there aren't enough players

  • Valve has decided against releasing a macOS version of Counter-Strike 2 due to insufficient player numbers. Counter-Strike: Global Offensive (CS:GO) players on Mac can request a refund if they played between March 22 and September 27, 2023.
  • Future enhancements to Apple products might include OLED displays for the iPad mini and iPad Air by 2026. An important software update for the iPhone 15 Pro models was released to fix overheating issues.
  • Samsung encourages Apple to adopt the RCS messaging standard in a recent advertisement, following damaging drop tests on luxury smartphones by Allstate Protection Plans.

Reactions

Postgres: The next generation

  • The article stresses the necessity for a younger generation of contributors, committers, and maintainers to support the aging PostgreSQL developer community.
  • The importance of open source sustainability is underscored, along with the potential influence of companies like Neon that invest in enhancing Postgres and can relicense their intellectual property.
  • For the continued success of projects like Postgres, the author recommends intentionality, funding, and enlightened self-interest.

Reactions

  • The article sheds light on the commitment and enthusiasm by the Postgres community towards the open source database system, whilst acknowledging the challenges faced.
  • It discusses the high entry barriers for new contributors, primarily due to the shortage of proficient C developers and the complexity involved in learning and using C.
  • Also, it touches upon the organizational issues in the Postgres mailing list, limitations, and absent features in Postgres, indicating areas of improvement.

Passkeys are now enabled by default for Google users

  • Google is setting passkeys as the default sign-in method for personal Google Accounts with a goal to enhance security and streamline the login process.
  • Passkeys, which use biometric data or a PIN, are considered quicker and safer than traditional passwords. Google has shared that feedback on passkeys has been largely positive.
  • Despite the shift towards passkeys, Google would still offer the option for users to use passwords for account access.

Reactions

  • The discussion about using passkeys for online account authentication is mixed, with some users worrying about the potential for loss of access and insufficient support.
  • Some argue that passkeys offer greater security than traditional passwords; however, this method raises concerns about dependency on device security and lack of passkey exportability and recoverability.
  • The debate underscores the need for improvements in passkey systems and the necessity for user education and backup options.

A student asked how I keep us innovative – I don't

  • The author emphasizes the significance of using tried-and-true technology for its robust documentation, familiarity, and established ecosystems.
  • Innovative tech should only be opted for if it dramatically boosts the chance of problem-solving. This idea forms a part of the author's tech selection framework, which includes understanding issues, validating solutions, refining complexity, evaluating designs, and exposing ideas to critics.
  • However, the author advises steering clear of cutting-edge technologies to reserve capacity for innovation where it matters. This framework is primarily for work projects; personal projects are chosen based on personal enjoyment and learning potential.

Reactions

  • The article underscores the need to socialize the design process, engaging diverse viewpoints, and gathering feedback to encourage innovation in software development.
  • It explores the challenges in facilitating effective team communication, advocating for open communication and constructive criticism.
  • The piece debates the risks and rewards of selecting innovative versus established technologies in development projects, arguing against top-down standardization and stressing the value of technical merit in technology decisions.

US sues eBay for allowing sale of emissions defeat devices

  • The Department of Justice (DOJ) is suing eBay due to the alleged sale of more than 343,000 emissions defeat devices and products that infringe the Clean Air Act.
  • eBay could potentially face billions in penalties, with fines reaching up to $5,580 per violation; the company has called the action "entirely unprecedented" and intends to defend itself firmly.
  • The DOJ also accuses eBay of selling other illegal items, like unregistered pesticides and paint removal products containing a cancer-related chemical; federal pursuit against violations continues despite suggestions otherwise.

Reactions

  • The comments cover a myriad of topics including: a lawsuit against eBay for selling emission defeat devices; the ban of Xiaomi cellphones by the Canadian government; debates about emission regulations and controversies around catalytic converters.
  • The environmental impact of private jets over trucks, issues with disabling traction control and using aftermarket parts in vehicles, as well as the efficiency and requirement of emissions equipment in contemporary diesel engines, are also highlighted.
  • The discussion also covers the concern of noise pollution from loud vehicle exhausts and the imposition of noise regulations.

HTTP/2 zero-day vulnerability results in record-breaking DDoS attacks

  • Cloudflare, Google, and Amazon AWS have revealed a zero-day vulnerability known as the "HTTP/2 Rapid Reset" attack, which exploits the HTTP/2 protocol to conduct significant DDoS attacks.
  • Cloudflare has successfully mitigated several attacks, including a massive one exceeding 201 million requests per second, and has created technology to guard against this vulnerability.
  • For protection, Cloudflare recommends understanding your network connectivity, deploying the necessary patches, and considering a secondary cloud-based DDoS mitigation provider as a backup.

Reactions

  • A zero-day vulnerability in the HTTP/2 protocol has resulted in DDoS (Distributed Denial-of-Service) attacks, leading companies like Cloudflare and Amazon Web Services to release patches.
  • HTTP/3, the upcoming version of the protocol, is immune to this vulnerability. This has sparked a debate over whether the vulnerability was foreseen during the protocol's creation.
  • The security flaw lets attackers overload servers with rapid stream resets; the thread also notes that clients dropped HTTP/1.1 pipelining because of its inefficiency.

Scheme in the browser: A Hoot of a tale

  • The Spritely Institute has made significant progress on their Guile Hoot toolchain, which is designed to compile Scheme programs to WebAssembly (WASM).
  • Among its features, Hoot is self-contained, supports garbage collection (GC) reference types, generates compact binaries, and provides a comprehensive development environment within the Guile process.
  • The Institute is set to release Hoot 0.1.0 in the near future, which utilizes recent WASM features like GC and tail calls, as demonstrated by a Wireworld cellular automaton program written in Scheme and JavaScript.

Reactions

  • The article explores the potential benefits of using the Scheme programming language in web browsers, suggesting it could help avoid the complexity of CSS with more manageable styling examples.
  • The influence of Scheme on other languages, such as XSLT, is also highlighted, emphasizing the role the language has played in programming language design.
  • It discusses the application of Scheme in WebAssembly (WASM) and its use within the Goblins distributed programming environment, signifying its versatility and potential for broader application.

Samsung expected to report 80% profit plunge as losses mount at chip business

  • Samsung Electronics is projected to experience a significant drop in earnings, about 80%, in the third quarter due to troubles in its semiconductor sector.
  • The semiconductor business is expected to record a loss of over 3 trillion won ($2.2 billion), chiefly attributed to declining memory chip prices, an outcome of oversupply and lackluster demand for products such as smartphones and laptops.
  • Despite these losses, optimism arises from Samsung's display business and smartphone unit, which could witness potential growth in the upcoming fourth quarter.

Reactions

  • Samsung is predicted to see a notable drop in profits due to struggles in its chip business as the semiconductor industry contends with oversupply and strong competition.
  • The conversation includes the influence of CUDA technology on the AI market and Nvidia's prominence among researchers and developers, alongside the uncertainties about the future profitability of the semiconductor sector.
  • Speculation regarding Samsung's reported losses in its semiconductor business and the exploration of fabless manufacturing in the industry underscore the importance of profitability, revenue, future cash flows, and stock buybacks for companies.

Google Kubernetes Engine incident spanning 9 days

  • Google Cloud is currently facing a service issue causing Google Kubernetes Engine nodepool upgrade failures, which is impacting a small number of customers.
  • Affected users may encounter an "Internal error" message in the Google Cloud Console as a result of this disruption.
  • Google advises affected customers to either retry the upgrade or re-create the nodepool at the new version, while assuring that mitigation efforts are underway. Further updates will be provided as the situation develops.

Reactions

  • Google Kubernetes Engine (GKE) faced a 9-day incident that sparked discussions on Hacker News about the difficulties of upgrading Kubernetes and its complex design.
  • Highlights of the discussion included networking challenges, limited developer options, the employment consequences of lacking Kubernetes knowledge, and suggestions for simpler orchestration methods such as AWS ECS.
  • Participants mentioned ECS Fargate and HashiCorp Nomad as potential substitutes, commending Nomad for its simplicity but noting its lack of certain features.