Hacker News: bpchaps's comments

I used to work at Bank of America as a level 2 app analyst back when they first started building Quartz. At the time, it was advertised internally as a system to be used for reporting, and so it had lots of built-in functionality to connect to databases, etc. Pretty neat.

That said.

The method of encoding production database credentials was rot-13. No joke. In the Quartz interface, you could double click on a starred-out set of credentials, and it would run rot-13 on it and display the password. This was for FX, rates, credit card, mortgage, etc etc etc. Having access to this cloud system gave effective access into all of Bank of America and Merrill Lynch.

They probably save a lot of their money by using very, very bad practices.

Still only the second worst security fail I've seen.


I'll bite. And the first?


Don't leave us hanging, what's #1?


Could you share the winner?


You okay?


A few years back I was mugged in Chicago at a busy intersection very close to a train station. Being the FOIA nerd I am, I submitted a FOIA request for the footage of the spot I was mugged at. It came back saying that no footage exists. Probing the investigator, I was told that the camera rotates randomly, and wasn't pointed in my direction. It's very difficult for me to think of Chicago's surveillance with any sort of charity, when they can't even do a single major intersection.

Fun fact: Chicago's city hall has a retention period of zero days on its cameras. Go figure.


> Chicago's city hall has a retention period of zero days on its cameras.

Does it mean that they have people watching the camera, warning the street police if they find anything, but do no recording?


That's my understanding, yes.


Given that it's Chicago, my understanding would be that the officer handling the FOIA request fed you a line, and they probably didn't even look at any recorded video to see if the camera was pointed in the correct direction.

Did you do a follow up request for whatever that camera actually recorded while you were getting mugged?


Google fi user here: when they throttle in areas with weak cell signal, the throttling is aggressive and internet practically doesn't work. It's very frustrating. "Throttling" isn't the right word.. maybe "crippling" is better.


> when they throttle in areas with weak cell signal, the throttling is aggressive and internet practically doesn't work.

I want to add in for those that don't know. There's a difference between throttling and deprioritization. Throttling usually kicks in as some specified speed at the IP network's level (like 256kbps). This isn't going to make a difference whether you're close to a tower or far away. It will make a massive difference on your battery life if your user equipment has to stay transmitting forever to complete transfers (this is a big problem when roaming on t-mobile's throttled international plans, battery life is obliterated).

Deprioritization is very different. The radio layer (called radio access network) of the tower (specifically the sector) that you're connected to controls how much time your device gets using a QoS scheduler. Stuff like voice always takes priority no matter what, since it all goes over the same data network now. I'm going to try to explain this below in easier to comprehend language...

In LTE, resources can be allocated out to a device as resource blocks. Each layer allows up to 100 physical resource blocks at any given time. Depending on the quality of the signal (how far away you are and how many people are using it), the blocks can be broadcast at different MCS levels. This controls the amount of error correction and the amount of data that can be carried per resource block. So when you're stuck at cell fringes and only allowed to get less than 5 resource blocks at an instant, the transfer rates will be slow. When you're close and allowed to use higher orders of modulation with less error correction (256QAM broadcast 4x4 MIMO), the performance loss isn't going to be as noticeable.

Deprioritization can be worked around by connecting to a different sector that isn't as busy. It's also assessed pretty quickly, something like 20ms the radio scheduling happens. Sprint's the only network afaik that posts something even slightly technical to the general public: https://www.sprint.com/en/legal/open-internet-information.ht...
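The comment above describes how PRB grants, MCS level and MIMO layers combine into a transfer rate, and why a throttled or cell-edge device keeps its radio busy far longer for the same payload. The following is an added, simplified model of that arithmetic, not code from the commenter or from any carrier. It assumes a 20 MHz carrier (100 PRBs), 168 resource elements per PRB per 1 ms TTI with control and reference-signal overhead ignored, and representative modulation-order/code-rate pairs that are constructed for illustration rather than taken from a 3GPP CQI table.

```python
"""Simplified LTE downlink throughput model (added illustration).

Throughput per 1 ms TTI = PRBs granted x resource elements per PRB
                          x bits per resource element (modulation order)
                          x effective code rate x MIMO layers.
All constants below are simplifying assumptions, not 3GPP table values.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

RE_PER_PRB_PER_TTI = 12 * 14   # 12 subcarriers x 14 OFDM symbols, normal CP
PRBS_20MHZ = 100               # PRBs available on a 20 MHz carrier
TTI_SECONDS = 1e-3

# Constructed operating points: (bits per resource element, approx. code rate).
MODULATION_POINTS: Dict[str, Tuple[int, float]] = {
    "QPSK_low": (2, 0.12),   # cell edge: heavy error correction
    "QPSK":     (2, 0.33),
    "16QAM":    (4, 0.60),
    "64QAM":    (6, 0.85),
    "256QAM":   (8, 0.93),   # close to the tower, clean channel
}


@dataclass(frozen=True)
class Allocation:
    prbs: int              # PRBs the scheduler grants this device per TTI
    modulation: str        # key into MODULATION_POINTS
    mimo_layers: int = 1   # spatial layers (4 for 4x4 MIMO)


def bits_per_tti(alloc: Allocation) -> float:
    """Raw payload bits carried in one 1 ms TTI for the given grant."""
    if not 0 < alloc.prbs <= PRBS_20MHZ:
        raise ValueError(f"PRB grant must be 1..{PRBS_20MHZ}, got {alloc.prbs}")
    if alloc.mimo_layers < 1:
        raise ValueError("at least one MIMO layer is required")
    bits_per_re, code_rate = MODULATION_POINTS[alloc.modulation]
    return alloc.prbs * RE_PER_PRB_PER_TTI * bits_per_re * code_rate * alloc.mimo_layers


def throughput_mbps(alloc: Allocation) -> float:
    """Sustained rate if the same grant repeats every TTI."""
    return bits_per_tti(alloc) / TTI_SECONDS / 1e6


def transfer_time_s(alloc: Allocation, payload_bytes: int) -> float:
    """Seconds the radio stays busy moving payload_bytes at this grant."""
    return payload_bytes * 8 / (throughput_mbps(alloc) * 1e6)


# Two ends of the spectrum the comment describes: a deprioritised device at
# the cell fringe with fewer than 5 PRBs, versus a nearby device on 256QAM 4x4.
CELL_EDGE = Allocation(prbs=4, modulation="QPSK_low", mimo_layers=1)
NEAR_TOWER = Allocation(prbs=100, modulation="256QAM", mimo_layers=4)


def radio_busy_ratio(slow: Allocation, fast: Allocation, payload_bytes: int = 1_000_000) -> float:
    """How many times longer the slow grant keeps the radio transmitting."""
    return transfer_time_s(slow, payload_bytes) / transfer_time_s(fast, payload_bytes)


if __name__ == "__main__":
    for name, alloc in (("cell edge", CELL_EDGE), ("near tower", NEAR_TOWER)):
        print(f"{name:>10}: {throughput_mbps(alloc):8.3f} Mbps, "
              f"1 MB takes {transfer_time_s(alloc, 1_000_000):8.3f} s")
    print(f"radio busy ratio (edge/near): {radio_busy_ratio(CELL_EDGE, NEAR_TOWER):.0f}x")
```

The point the model makes concrete is the battery remark in the comment: the same 1 MB transfer that completes in milliseconds on a full 256QAM 4x4 grant keeps a cell-edge radio transmitting for tens of seconds, roughly three orders of magnitude longer under these assumed constants.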


Also a Fi user, and the quality of my internet is almost entirely based on whether the carrier is Sprint or not. Sprint, at least around here, almost always has no upstream bandwidth, so you can't even get a request to go out.

If you get the fi info app, it can fill your clipboard with a switch carrier sequence you paste into your dialer and it will switch you to one of the alternate carriers.

It may help your situation.


It's not hard to memorize it's 'FI' + $CODE. I switch regularly when I have poor connection:

##FITMO## (TMobile)
##FISPR## (Sprint)
##FIUSC## (US Cellular) <- Have never used this though
##FINEXT## (Next carrier)
##FIAUTO## (Switch back to auto)

I never got the app, though I really wanted to at first, thinking it did this automatically, but all it does is paste in the dialer codes. Why would I pay for that?


> Also a Fi user, and the quality of my internet is almost entirely based on whether the carrier is Sprint or not. Sprint, at least around here, almost always has no upstream bandwidth, so you can't even get a request to go out.

I had a Pixel 2 XL back in the old "Project Fi" days, and I had to manually switch basically every time my phone selected Sprint as the carrier because it was so slow. After the rebrand and the expansion to allow other phones but only route them to T-Mobile, I switched phones, and I genuinely get better coverage. (This isn't just due to the phone hardware, either; on my old phone, the data speed would be fine after manually switching from Sprint to T-Mobile, so the benefit seems to be that I don't actually ever get routed to Sprint anymore.)


Gravity propagates at the speed of light.

So, imagine you have a massive celestial body floating out in space, with a large gravitational field. Its gravitational field is always propagating. Now, take that celestial body, and make it completely and instantaneously disappear. There's now a gravitational differential between the now-gone body, and its previously propagated gravity field. You should be able to detect that if you're close, say through tidal differences.

Very similar happens with black holes colliding, except the gravity differential comes from the two black holes oscillating near each other, close to the speed of light.

Edit: this obviously isn't exactly how this works, since it makes a lot of assumptions, such as the ability to instantaneously remove something. So, don't think of this as how "things actually work", but as a model to help build your intuition.


Be careful with that example. You probably know this, but stars can't disappear instantaneously, and so if you start with that assumption it's easy to get paradoxical results from relativity.

That doesn't mean there's anything wrong with the model. It's just GIGO.


A black hole traveling at near light speed is pretty darned close to the analogy of a massive object instantaneously disappearing, similar to fictional spaceships engaging their warp engines.

Of course, it's not actually disappearing, just moving, but the original point was about detecting sharp changes in the gravitational waves. A quick Google search tells me that gravitational wave red shifting is a thing, and I imagine that with black holes it's a very important phenomenon and area of study. And I would guess that there can also be interesting second-order effects that such a black hole's movements have on the propagation of gravitational and electromagnetic waves from other objects.


> gravitational wave red shifting is a thing

Yes.

> with blackholes it's a very important phenomenon

Black holes can lense gravitational radiation emitted by background systems.

Most background systems we are likely to detect soon will involve black holes. But these are black holes in some sort of mutual orbit, rather than black holes simply moving across some system of celestial coordinates.

For black holes that are moving linearly at near the speed of light, the black hole's effect on the metric elongates like a pencil, with the field weak outside and growing strong towards the centre of the "lead" or graphite. This is similar to Lorentz-contracting the near region around the black hole, and one can generalize a bit and say that as the boost between an observer and any object increases, the object thins. In the ultra-ultrarelativistic limit, the object and all the strengthening-towards-infinity field values around it become infinitely thin.

As one's speed relative to a black hole gets very close to c, the black hole becomes quite easy to model as an exceptionally high-energy massless particle.

You get this effect when your small space capsule whizzes by our galaxy's central black hole at speeds near that of light too, and your small momentary perturbation basically affects the black hole not at all. Because Lorentz contraction is reciprocal, whizzing a black hole -- even a large one -- at ultrarelativistic speeds past the International Space Station is going to have very little effect on it.

We model this with the https://en.wikipedia.org/wiki/Aichelburg%E2%80%93Sexl_ultrab... metric of General Relativity and usually some gauge fixing and small perturbations.

Tossing a large black hole past the ISS at low speeds compared to light will really mess up the neighbourhood of the solar system, but your space capsule can pretty safely manage a slow-compared-to-light hyperbolic orbit around a large black hole without much problem (ignoring any accretion disc and twin "paradox" issues).


Thank you - this is exactly what I was trying to explain!


An object moving and an object vanishing are the same from the perspective of wave propagation, the only difference is that one event will have a more dramatic (therefore easier to visualize) effect.

If the sun instantaneously vanished, we would see it disappear at the same instant as its gravitational effect stops, 8 minutes after the actual event occurred. For those 8 minutes while the light and gravitational information are in transit, the Earth will continue to revolve around a visible (though now nonexistent) sun.

In the same way as if the sun suddenly jerked ten million miles to the south, we would see it move at the same instant as its gravitational force vector changed, 8 minutes after the actual event occurred, but that's harder to keep in your head.


However: Newton's third law says that every force has an equal opposing force. In relativity this translates to conservation of momentum.

See also: https://physics.stackexchange.com/questions/100893/is-einste...


It is a thought experiment, you have to engage with it charitably.


Eh, it's a gedanken experiment, it's done all the time in physics. The cautionary advice ought to apply without saying.


Edited for pedantry. :)


Exactly. As soon as you magically remove the gravitational body, you are magically removing the waves too according to GR. There is no such thing as curved spacetime without mass. (Except for the cosmological constant, but that's different.)


General Relativity admits general curved vacuum metrics (vacuum meaning: no matter anywhere), and many of them are useful theoretical approximations to real astrophysical systems. Famous ones include the Schwarzschild and Kerr metrics (both of which have T^{\mu\nu} = 0, where T is the stress-energy tensor), de Sitter and anti-de Sitter space, and Minkowski space. Useful ones include vacuum pp-waves, used in studying gravitational radiation from the perspective of an observer at large distance from the source. There's even the Sexl ultraboost, which can approximate ultrarelativistic motion between a black hole and a low-mass observer.

These are usually probed by adding test masses of some sort, letting them evolve along available trajectories. Some such test masses are pointlike, neutral, and nearly massless; others are some sort of classical or quantum field. In most cases, the goal is to keep T^{\mu\nu} negligible.

One can alternatively be led by the stress-energy tensor, and may be tempted to call T^{\mu\nu} the matter tensor in that case. One typically chooses some vacuum background -- Minkowski space, usually, but any background can be used -- and then uses perturbation theory to capture how the chosen matter alters that background curvature. This is very common in cosmology.

> Except for the cosmological constant, but that's different

No, it's not different; one has flexibility to move the cosmological constant into the RHS for calculational convenience without having to change its interpretation as part of the background curvature: https://en.wikipedia.org/wiki/Lambdavacuum_solution


You don't need to make it disappear, just wiggle it or accelerate it in any way, similar to how you induce electrons to produce EM waves.


Why don't orbiting planets or binary stars create gravitational waves?


They do, it's just of very, very tiny amplitude.

Source: Bachelor at GTR


And the moon! But at too small of a frequency: https://www.ast.cam.ac.uk/public/ask/2519


What's wrong with honest feedback against clearly outrageous marketing? Serious question. Not trying to troll.


Nothing is wrong with honest feedback of course, but I think it's a bit harsh to disregard a product based on its infancy and inability to serve your market. Companies grow, markets expand, etc. How would you suggest they market differently?


This field fucking sucks.

I'm tired of being on call 24/7/365.

I'm tired of having to explain why plaintext passwords are bad.

I'm tired of being taken advantage of for being a generalist.

I'm tired of ex-google asshole bosses with massive egos.

I'm tired of carrying a laptop with me "just in case".

I'm tired of the constantly shifting "popular" technologies.

I'm tired of spending weekends indoors studying for work, instead of work giving time to learn.

I'm tired of pretending to find conferences on monitoring systems exciting.

I'm tired of my coworkers and bosses being high at work.

I'm tired of JIRA.

I'm tired of consultants telling us how we're using JIRA wrong.

I'm tired of the politics behind technical decisions.

I'm tired of having to learn another DSL.

It all feels unreal. Can't wait to get out of this field.


> I'm tired of being on call 24/7/365.

You don't have to be on call. You can find a company where this is a choice (gives benefits / additional salary but not mandatory).

> I'm tired of spending weekends indoors studying for work, instead of work giving time to learn.

You shouldn't. Weekends are there for a reason, they are necessary to rest. You should try to change company if this is not the case.

I believe most of your points exist in all fields, in their own way. Good work-life balance is important to handle them.


You forgot the crown jewel of all: tech interviews which consist of questions completely unrelated to the position itself.


And pretending to be just as eager and passionate as a CS grad who knows how to reverse a binary tree on a whiteboard but has no idea how to humanely extract actionable requirements from non-technical stakeholders.


Change jobs; you are not a wage slave. I come to work at 8 AM and leave at 4 PM on the dot every day no matter the situation. I can care less about the company I work for because it isn't my prerogative to care, but instead, I am paid to build what they tell me to build, and we exchange my abilities for currency. In no way am I willing to give up my dignity or health in any way in exchange for currency.


No matter how many times you change jobs, if your income comes from wages and not capital gains then you're still a wage slave.


It sounds like your job sucks more than your field. And I'm not saying that to discredit your point of view. I know. I've been there. My last job was pretty bad and it left me wondering whether I hated the job, or the field. I ended up at a far better job in the same field (not without its drawbacks, of course) and it turned out to definitely be the job all along.


This isn't my experience with just a single job. This is my experience in the perspective of a sysadmin/SRE/devops "track". Maybe it's different for programmers, but the overall spirit of my post happens at most of the places I've worked at.


Sounds like you just need to get out of the valley.


What will you do next? You can be rid of all these problems if you start raising chickens in the woods and selling eggs and poultry.


No need to be patronizing.


Sorry, didn't mean to sound insulting, my wife and I routinely discuss leaving our programmer jobs to move out into the woods and raise chickens.


Ah sorry. That does sound relaxing, even in jest.

I'm trying to get out of for-profit tech and into the non-profit space to do data/FOIA/investigative work. It's still "tech work" at the end of the day, but without the deep dread of making rich dudes richer.


You can join a research lab as a software engineer, or even start a PhD.


Need a degree for both of those.


How much acreage would I need for that? Serious question.


I think a chicken run & coop is like 100 square feet total for a half a dozen chickens. Not sure though, I'm still just a development director. :)


Would like to know where you work.


It might be your job. Almost none of it applies to places I have worked at.


this feels so familiar!

Anyway, none of those things are gonna matter in 20 years, but you probably know that. Do you have friends in tech to vent to?


So get out of it. Were you forced into tech by someone? Then it's a legal issue, nothing to do with the field.


Does this count for backups, too?


Yes, you can get tons of personally identifiable information from things like public records laws and such. That's irrelevant, though. This is a phone number tied to a facebook account, not just their name.

A major difference here is the ability - at scale - to associate people with their facebook accounts. There are people who do not want to be associated with their facebook account, and reasonably so. Not sure why you think that wouldn't be a big deal.


> There are people who do not want to be associated with their facebook account

I figured that ever since Facebook instituted the "real name" policy, this isn't necessarily possible.


> I figured that ever since Facebook instituted the "real name" policy, this isn't necessarily possible.

Is this even enforced? I've had a fake name for years (and I have plenty of friends who've done the same).


Troll post? This would either imply that Facebook has 100% valid identity checks or that 100% of people are honest about their identity.


Or 100% of people are reported?

IDK how it works; I just know Facebook requires my real name.


You're suggesting that Facebook is 100% accurate in determining whether a name is real, or a pseudonym.

Imagine this: someone is on Facebook and wants to hide their identity for some reason. Best examples I can think of right now is teachers who don't want their profiles accessible to their students (because high schoolers can be little shits). Or someone trying to create a new life after domestic abuse. It makes full sense that they wouldn't want to give their full name so that they can't be found. Facebook isn't good enough in real name detection to get it right 100%. How could they?

With this sort of dump, a domestic abuser can much, much more easily find the person they abused, when that person was previously under a pseudonym.

This is just a small example. It gets much more complicated when considering how many millions of phone number:Facebook IDs were released.


There's a major, major hosting company whose server IPMIs all had an internet IP and used a default password for an unreasonably long time. I'm honestly not sure how this company is still around.
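The failure described above has two independent parts: a BMC reachable from outside the out-of-band management network, and a BMC still on its factory credentials. Either is a finding on its own; together they are what the comment describes. The script below is an added illustration of the inventory check a defender would run, not any hosting provider's tooling. It assumes a constructed CSV inventory with `host`, `bmc_ip` and `credential_source` columns, a constructed management network of 10.20.0.0/16, and uses the documentation ranges 203.0.113.0/24 and 192.0.2.0/24 to stand in for routable public addresses.

```python
"""Audit a BMC/IPMI inventory for two conditions (added illustration):
  1. the BMC address is not inside an approved out-of-band management network;
  2. the BMC account is recorded as still using the factory default.
The inventory layout and networks are constructed for this example.
"""
import csv
import io
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: the only networks BMC interfaces are supposed to live on.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample inventory. 203.0.113.x and 192.0.2.x are RFC 5737
# documentation ranges standing in for publicly routable addresses.
SAMPLE_INVENTORY = """\
host,bmc_ip,credential_source
web-01,10.20.0.11,vault
web-02,203.0.113.45,factory-default
db-01,10.20.0.12,factory-default
db-02,192.0.2.7,vault
"""

Finding = Tuple[str, str]   # (host, description)


def off_management_network(addr: str,
                           networks: Iterable[ipaddress.IPv4Network] = MANAGEMENT_NETWORKS) -> bool:
    """True when addr is outside every approved management network.
    Raises ValueError for an address that does not parse."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in networks)


def audit(inventory_csv: str) -> List[Finding]:
    """Return one finding per (host, problem) found in the inventory."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip()
        bmc_ip = row["bmc_ip"].strip()
        try:
            if off_management_network(bmc_ip):
                findings.append((host, f"BMC {bmc_ip} is outside the management network"))
        except ValueError:
            # A malformed address is itself a finding: it cannot be verified.
            findings.append((host, f"unparseable BMC address {bmc_ip!r}"))
        if row["credential_source"].strip().lower() == "factory-default":
            findings.append((host, "BMC credentials are still the factory default"))
    return findings


def hosts_with_both_issues(findings: List[Finding]) -> List[str]:
    """Hosts that are both exposed and on default credentials."""
    counts = {}
    for host, _ in findings:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= 2)


if __name__ == "__main__":
    for host, problem in audit(SAMPLE_INVENTORY):
        print(f"{host}: {problem}")
    print("both issues:", hosts_with_both_issues(audit(SAMPLE_INVENTORY)))
```

The check deliberately uses an explicit allowlist of management networks rather than a generic "is this a private address" test: a BMC on a private range that is not the dedicated out-of-band network is still misplaced, and the allowlist is what the inventory owner actually controls.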


Can you please name and shame, or at least link to a news article about this?

I'm going to be a little blunt, but the pattern of "there's a well-known company that's done something bad, you probably use their products, but I can't tell you what company because [I don't want to be deposed in a libel lawsuit / I want to feel intellectually superior]" is really long in the tooth, and doesn't add value to the discussion other than to pique everyone's paranoia.


Eh, screw it. It was Rackspace. I worked there, and was told this by a senior member of the infrastructure staff in a one on one. It was fixed before I got there. They still have similarly bad security flubs.


Last time I looked OVH allowed IPMI access to their servers from the internet. You click a button and it gives you a JNLP which gets you remote console, keyboard/mouse and media.

https://docs.ovh.com/gb/en/dedicated/use-ipmi-dedicated-serv...


The OVH IPMI access is pretty cool - needs to be initiated from the web console, no longer requires JNLP, just straight browser access and the web console supports three different two factor authentication methods.

My only regret is that it took us so long to discover and switch to OVH - there are a few wrinkles but it’s such fantastic value compared with colo, let alone AWS/GCP/azure


Please name the company, to save the rest of us!


Named in a sibling post.


Holy shit, that's not a name I'd expect to have that sort of problem!


They're very good at creating a public image.

