You must have already guessed from the title that today's article will be focusing on bugs in software source code. But not only that. If you are not only interested in C++ and in reading about bugs in other developers' code but also dig unusual video games and wonder what «roguelikes» are and how you play them, then welcome to read on!

This is a second article out of a series «Citymobil — a manual for improving availability amid business growth for startups». You can read the first part here. Let’s continue to talk about the way we managed to improve the availability of Citymobil services. In the first article, we learned how to count the lost trips. Ok, we are counting them. What now? Now that we are equipped with an understandable tool to measure the lost trips, we can move to the most interesting part — how do we decrease losses? Without slowing down our current growth! Since it seemed to us that the lion’s share of technical problems causing the trips loss had something to do with the backend, we decided to turn our attention to the backend development process first. Jumping ahead of myself, I’m going to say that we were right — the backend became the main site of the battle for the lost trips.

In this article, we're going to talk about not the classical AFL itself but about utilities designed for it and its modifications, which, in our view, can significantly improve the quality of fuzzing. If you want to know how to boost AFL and how to find more vulnerabilities faster – keep on reading!

OAuth 2 overview

This article assumes that readers are familiar with OAuth 2. However, below a brief description of it is presented below.

1. The application requests authorization to access service resources from the user. The application needs to provide the client ID, client secret, redirect URI and the required scopes.
2. If the user authorizes the request, the application receives an authorization grant
3. The application requests an access token from the authorization server by presenting authentication of its own identity, and the authorization grant
4. If the application identity is authenticated and the authorization grant is valid, the authorization server issues the access and refresh (if required) token to the application. Authorization is complete.
5. The application requests the resource from the resource server and presents the access token for authentication
6. If the access token is valid, the resource server serves the resource to the application

The are some main Pros and Cons in OAuth 2.0

• OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
• Wide spread and continuing growing
• Short lived Tokens
• Encapsulated Tokens

— No signature (relies solely on SSL/TLS ), Bearer Tokens
— No built-in security
— Can be dangerous if used from not experienced people
— Too many compromises. Working group did not make clear decisions
— Mobile integration (web views)
— Oauth 2.0 spec is not a protocol, it is rather a framework — RFC 6749

In this first part of an article series «Citymobil — a manual for improving availability amid business growth for startups» I’m going to break down the way we managed to dramatically scale up the availability of Citymobil services. The article opens with the story about our business, our task, the reason for this task to increase the availability emerged and limitations. Citymobil is a rapid-growing taxi aggregator. In 2018, it increased by more than 15 times in terms of number of successfully completed trips. Some months showed 50% increase compared with the previous month.

The business grew like a weed in every direction (it still does): there was an increase in server load, team size and number of deployments. At the same time the new threats to service availability emerged. The company faced a task of the most importance — how to increase availability without compromising company growth. In this article, I’ll talk about the way we managed to solve this task in a relatively short time.

Java developers have access to a number of useful tools that help to write high-quality code such as the powerful IDE IntelliJ IDEA, free analyzers SpotBugs, PMD, and the like. The developers working on CUBA Platform have already been using all of these, and this review will show how the project can benefit even more from the use of the static code analyzer PVS-Studio.

Looking for an app development company? I’ve searched for information about it and made this list. It might help to find an app development company to hire. The list contains basic information about each company included in it like company size, hourly rate, min. project size, etc. And I recently decided to upgrade the list to 100 app development companies.

In this article, I decided to describe how the functionality of selecting and displaying photos on a specific place on the map was implemented in our photo service gfranq.com. The photo service does not work now.

Since we had a lot of photos in our service and sending requests to database every time the viewport changes was too resource-intensive, it was logical to divide the map into several areas that contain information about the retrieved data. For obvious reasons, these areas have rectangular shape (although hexagonal grid was considered too). As the areas become more spherical at large scales, elements of spherical geometry and tools for it were also considered.

In this article, the following issues were raised:

• Storing and retrieving photos from the database and caching them on the server (SQL, C#, ASP.NET).
• Downloading necessary photos on the client side and saving them to the client cache (JavaScript).
• Recalculation of photos that must be hidden or shown when the viewport changes.
• Elements of spherical geometry.

With the appearance of ECMAScript 2015, an avalanche of features came; some of them make you mad, and others are pleasant surprises, like meeting an old friend after a long time.

Some features are related to metaprogramming. What is that? I'm not very eloquent, so let's turn to our friend, Wikipedia.

ML.NET is an open-source and cross-platform machine learning framework (Windows, Linux, macOS) for .NET developers. Using ML.NET, developers can leverage their existing tools and skillsets to develop and infuse custom AI into their applications by creating custom machine learning models for common scenarios like Sentiment Analysis, Recommendation, Image Classification and more!.

Today we’re announcing the ML.NET 1.0 RC (Release Candidate) (version 1.0.0-preview) which is the last preview release before releasing the final ML.NET 1.0 RTM in 2019 Q2 calendar year.

Soon we will be ending the first main milestone of a great journey in the open that started on May 2018 when releasing ML.NET 0.1 as open source. Since then we’ve been releasing monthly, 12 preview releases so far, as shown in the roadmap below:

In this release (ML.NET 1.0 RC) we have initially concluded our main API changes. For the next sprint we are focusing on improving documentation and samples and addressing major critical issues if needed.

The goal is to avoid any new breaking changes moving forward.

I decided to make an interview with one of my American friends — Rob Vugteveen. He was working as a FORTRAN programmer back in 1980s, so it's quite a unique experience.


Rob Vugteveen, Carson City, Nevada, USA

K: Hi Rob. I've heard you were working as a Fortran programmer many years ago. Is that right? How the industry was looking back then?

R: Good morning, Kirill.

In the 1980s I made my living as a FORTRAN programmer in the mining industry, primarily in the processing of exploration data and presenting it graphically. We were using VAX minicomputers from Digital Equipment Corporation. This was a time when desktop PCs were growing in popularity, and procedural languages like FORTRAN were being challenged by object-oriented languages. Also, graphics display systems were shifting away from character-cell terminals to X-window-based displays.

FORTRAN (“FORmula TRANslation”) was built for computationally intensive programs, and it did not have its own graphic libraries to display information. There were companies that sold large FORTRAN subroutine libraries to provide that capability. These were not yet designed for the growing popularity of X-window technology.

When we were forced to move from expensive VAX computers to cheaper PCs, we had to write hybrid programs using FORTRAN for computations and C++ for display. It was a bit messy at first. I left that job for something completely different (building a mining museum) and haven’t really done any programming since.

FORTRAN is still used today in scientific research for computationally intensive work, but I’m sure it’s been adapted to work with graphical display systems through external subroutines written in object-oriented code.

Today’s taxi market is crowded with ride-sharing apps like Uber, Ola, and Lyft. They are giving serious competition for upcoming ventures. These on-demand apps have initiated the radical shift in the taxi industry enabling the smooth transition from conventional taxi hailing to booking a cab through an app. Customers are opting for hailing taxis through the app because of its reliability to get a taxi and ensuring a much better cab booking experience. Thus, the taxi market is ripe for the taking, and this is the right time for entrepreneurs to make use of the opportunity.

Statistics on the Taxi Industry

The traditional taxi industry is still stuck with inefficient phone call bookings, competitors and they stand to lose at least $20 million on an everyday basis just because customers couldn’t find a cab. Another statistics survey tells us that almost 80% of the commuter prefer Ola and Uber over regular taxis and that Uber has completed nearly 2 billion rides since its inception. The profits soared over $20 Billion in the process. What made Uber and Ola successful ventures is the sound business strategy they employed. So if you are going to establish your venture then understanding the market is imperative.

This is the second post in our series of articles about the results of checking open-source software working with the RDP protocol. Today we are going to take a look at the rdesktop client and xrdp server.

On March 13, a proposal for the RIPE anti-abuse working group was submitted, stating that a BGP hijacking event should be treated as a policy violation. In case of acceptance, if you are an ISP attacked with the hijack, you could submit a special request where you might expose such an autonomous system. If there is enough confirming evidence for an expert group, then such a LIR would be considered an adverse party and further punished. There were some arguments against this proposal.

With this article, we want to show an example of the attack where not only the true attacker was under the question, but the whole list of affected prefixes. Moreover, it again raises concerns about the possible motives for the future attack of this type.

The last decades the world economy regularly falls into this vortex of financial crises that have affected each country. It almost led to the collapse of the existing financial system, due to this fact, experts in mathematical and economic modelling have become to use methods for controlling the losses of the asset and portfolio in the financial world (Lechner, L. A., and Ovaert, T. C. (2010). There is an increasing trend towards mathematical modelling of an economic process to predict the market behaviour and an assessment of its sustainability (ibid). Having without necessary attention to control and assess properly threats, everybody understands that it is able to trigger tremendous cost in the development of the organisation or even go bankrupt.

Value at Risk (VaR) has eventually been a regular approach to catch the risk among institutions in the finance sector and its regulator (Engle, R., and Manganelli S., 2004). The model is originally applied to estimate the loss value in the investment portfolio within a given period of time as well as at a given probability of occurrence. Besides the fact of using VaR in the financial sector, there are a lot of examples of estimation of value at risk in different area such as anticipating the medical staff to develop the healthcare resource management Zinouri, N. (2016). Despite its applied primitiveness in a real experiment, the model consists of drawbacks in evaluation, (ibid).

The goal of the report is a description of the existing VaR model including one of its upgrade versions, namely, Conditional Value at Risk (CVaR). In the next section and section 3, the evaluation algorithm and testing of the model are explained. For a vivid illustration, the expected loss is estimated on the asset of one of the Kazakhstani company trading in the financial stock exchange market in a long time period. The final sections 4 and 5 discuss and demonstrate the findings of the research work.

It is a new selection of tips and tricks about Python and programming from my Telegram-channel @pythonetc.

Previous publications.

0_0

0_0 is a totally valid Python expression.

It was an ordinary Thursday on 4.04.2019. Except that at some point of the midday timeline an AS60280 belonging to Belarus’ NTEC leaked 18600 prefixes originating from approximately 1400 ASes.

Those routes were taken from the transit provider RETN (AS9002) and further announced to NTEC’s provider — RU-telecom’s AS205540, which, in its turn, accepted all of them, spreading the leak.

Wireshark Foundation released the final stable-version of the popular network traffic analyzer — Wireshark 3.0.0. The new release fixes several bugs, it is now possible to analyze the new protocols, apart from that the driver on Npcap WinPcap is replaced. Here is where quoting of the announcement ends and our note about bugs in the project starts off. The projects authors definitely haven't done their best in fixing bugs before the release.

Let's collect hotfixes right now to give a motive in doing a new release :).

Introduction

Wireshark is a well-known tool to capture and analyze network traffic. The program works with the vast majority of known protocols, has intuitive and logical graphical interface, an all-powerful system of filters. Wireshark is cross-platform, works in such OSs, as: Windows, Linux, macOS, Solaris, FreeBSD, NetBSD and many others.

To do the source code analysis, we used PVS-Studio static code analyzer. To analyze the source code, first we needed to compile the project in an OS. The choice was wide not only due to the cross platform nature of the project, but also because of that of the analyzer. I chose macOS for the analysis. You can also run the analyzer under Windows and Linux.

Christmas has always been one of my favourite times of the year. For me, Christmas is a season that brings so much love, laughter, happiness, and other magical things into our lives.

I was born and raised in Spain, more specifically in Tenerife, a sunny subtropical island in the middle of the Atlantic Ocean just off the African coast. I have to say that Christmas in Tenerife is very different to my the last two Christmases I’ve spent in London since joining Badoo.

One amazing plus of living in London is that I have got to see snow for the first time in my life, real snowflakes falling from the sky. Just incredible!

Talking of snowflakes, I have an interesting story to tell you about something that happened to me one day in the office the last Christmas.  It was right before I was heading home to Tenerife to spend a few days with my family.

It just so happened that last December I’d been assigned a very interesting ticket with the following description

Google loves easter eggs. It loves them so much, in fact, that you could find them in virtually every product of theirs. The tradition of Android easter eggs began in the very earliest versions of the OS (I think everyone there knows what happens when you go into the general settings and tap the version number a few times).

But sometimes you can find an easter egg in the most unlikely of places. There’s even an urban legend that one day, a programmer Googled “mutex lock”, but instead of search results landed on foo.bar, solved all tasks and landed a job at Google.


The same thing (except without the happy ending) happened to me. Hidden messages where there definitely couldn’t be any, reversing Java code and its native libraries, a secret VM, a Google interview — all of that is below.