Department of Mathematics

Math @ Duke







Yunliang Yu, IT Senior Manager


Open source is an investment in the future.

FDS Motto: we serve and empower the faculty.

Contact Info:
Office Location:  029D Physics
Office Phone:  (919) 660-2803
Web Page:   http://www.math.duke.edu/~yu

Office Hours:

12:01AM - 12:02AM every other day except today.
Not by appt :-)
Specialties:

Mathematics
Recent Publications

  1. Y. Yu, test 123 (March, 2010). [PNG, PDF]

Famous Sayings:
Your dream will come true, if you eat your soup.
    --- Angela Yu
Don't be a turkey; read a book.
    --- Christina Yu
Security = avoid "unexpected inputs for unintended results".
    --- moi
To learn and practice what is learned from time to time is pleasure, is it not? To have friends from afar is happiness, is it not? To be unperturbed when not appreciated by others is a gentleman, is it not?
    --- Kungfu Zi
Better to light a candle than to curse the darkness.
    --- Chinese Proverb

mathprograms.org, academicjobsonline.org, mathjobs.org, ShortURLs, sharedworkingplace.org, chinesecalligraphyandwoodcarving.

/. headline news :-)

  • Slooh Observatory Is Webcasting Today's Rare 'Ring of Fire' Eclipse
    2017-02-26T12:00:00+00:00
    An anonymous reader quotes Space.com: A solar eclipse and its spectacular "ring of fire" will be visible from the Southern Hemisphere this Sunday morning, but no matter what side of the equator you're on, you can watch the spectacular event unfold online in a live broadcast from Slooh's online observatory...beginning at 7 a.m. EST (1200 GMT)... This type of eclipse is called an annular eclipse, meaning that the sun will remain visible as a bright ring around the moon... Slooh will present the eclipse in live feeds from Chile and other locations. "During the broadcast, Slooh host Gerard Monteux will guide viewers on this journey across multiple continents and thousands of miles," Slooh said in a statement. "He'll be joined by a number of guests who will help viewers explore not only the science of eclipses, but also the fascinating legend, myth, and spiritual and emotional expression associated with these most awe-inspiring celestial events."

    Read more of this story at Slashdot.

  • The Videogame Industry Is Fighting 'Right To Repair' Laws
    2017-02-26T04:34:00+00:00
    An anonymous reader quotes Motherboard: The video game industry is lobbying against legislation that would make it easier for gamers to repair their consoles and for consumers to repair all electronics more generally. The Entertainment Software Association, a trade organization that includes Sony, Microsoft, Nintendo, as well as dozens of video game developers and publishers, is opposing a "right to repair" bill in Nebraska, which would give hardware manufacturers fewer rights to control the end-of-life of electronics that they have sold to their customers... Bills making their way through the Nebraska, New York, Minnesota, Wyoming, Tennessee, Kansas, Massachusetts, and Illinois statehouses will require manufacturers to sell replacement parts and repair tools to independent repair companies and consumers at the same price they are sold to authorized repair centers. The bill also requires that manufacturers make diagnostic manuals public and requires them to offer software tools or firmware to revert an electronic device to its original functioning state in the case that software locks that prevent independent repair are built into a device. The bills are a huge threat to the repair monopolies these companies have enjoyed, and so just about every major manufacturer has brought lobbyists to Nebraska, where the legislation is currently furthest along... This setup has allowed companies like Apple to monopolize iPhone repair, John Deere to monopolize tractor repair, and Sony, Microsoft, and Nintendo to monopolize console repair... Motherboard's reporter was unable to get a comment from Microsoft, Apple, and Sony, and adds that "In two years of covering this issue, no manufacturer has ever spoken to me about it either on or off the record."

  • How Cable Monopolies Hurt ISP Customers
    2017-02-26T04:34:00+00:00
    "New York subscribers have had to overpay month after month for services that Spectrum deliberately didn't provide," reports Backchannel -- noting these practices are significant because together Comcast and Charter (formerly Time Warner Cable) account for half of America's 92 million high-speed internet connections. An anonymous reader quotes Backchannel: Based on the company's own documents and statements, it appears that just about everything it has been saying since 2012 to New York State residents about their internet access and data services is untrue...because of business decisions the company deliberately made in order to keep its capital expenditures as low as possible... Its marketing department kept sending out advertising claims to the public that didn't match the reality of what consumers were experiencing or square with what company engineers were telling Spectrum executives. That gives the AG's office its legal hook: Spectrum's actions in knowingly saying one thing but doing another amount to fraudulent, unfair, and deceptive behavior under New York law... The branding people went nuts, using adjectives like Turbo, Extreme, and Ultimate for the company's highest-speed 200 or 300 Mbps download offerings. But no one, or very few people, could actually experience those speeds...because, according to the complaint, the company deliberately required that internet data connections be shared among a gazillion people in each neighborhood... [T]he lawsuit won't by itself make much of a difference. But maybe the public nature of the attorney-general's assault -- charging Spectrum for illegal misconduct -- will lead to a call for alternatives. Maybe it will generate momentum for better, faster, wholesale fiber networks controlled by cities and localities themselves. If that happened, retail competition would bloom. We'd get honest, straightforward, inexpensive service, rather than the horrendously expensive cable bundles we're stuck with today. 
The article says Spectrum charged 800,000 New Yorkers $10 a month for outdated cable boxes that "weren't even capable of transmitting and receiving wifi at the speeds the company advertised customers would be getting," then promised the FCC in 2013 that they'd replace them, and then didn't. "With no competition, it had no reason to upgrade its services. Indeed, the company's incentives went exactly in the other direction."

  • GitHub Invites Contributions To 'Open Source Guides'
    2017-02-26T02:34:00+00:00
    An anonymous reader quotes InfoQ: GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories... "Open source is complicated, especially for newcomers. Experienced contributors have learned many lessons about the best way to use, contribute to, and produce open source software. Everyone shouldn't have to learn those lessons the hard way." Making a successful first contribution is not the exclusive focus of the guides, though, which also strive to make it easier to find users for a project, start a new project, and build healthy open source communities. Other topics the guides dwell on are best practices, getting financial support, metrics, and legal matters. GitHub's Head of Open Source says the guides create "the equivalent of a water cooler for the community."

  • Ask Slashdot: How Are You Responding To Cloudbleed?
    2017-02-26T00:34:00+00:00
    An anonymous IT geek writes: Cloudflare-hosted web sites have been leaking data as far back as September, according to Gizmodo, which reports that at least Cloudflare "acted fast" when the leak was discovered, closing the hole within 44 minutes, and working with search engines to purge their caches. (Though apparently some of it is still lingering...) Cloudflare CEO Matthew Prince "claims that there was no detectable uptick in requests to Cloudflare-powered websites from September of last year...until today. That means the company is fairly confident hackers didn't discover the vulnerability before Google's researchers did." And the company's CTO also told Reuters that "We've seen absolutely no evidence that this has been exploited. It's very unlikely that someone has got this information... We do not know of anybody who has had a security problem as a result of this." Nevertheless, Fortune warns that "So many sites were vulnerable that it doesn't make sense to review the list and change passwords on a case-by-case basis." Some sites are now even resetting every user's password as a precaution, while site operators "are also being advised to wipe their sites' cookies and security certificates, and perform their own web searches to see if site data leaked." But I'd like to know what security precautions are being taken by Slashdot's readers? Leave your own answers in the comments. How did you respond to Cloudbleed?

  • Machine-Learning AI Now Beats Humans At Super Smash Bros. Melee
    2017-02-25T23:34:00+00:00
    "The AI is definitely godlike," one professional player told Quartz. "I am not sure if anyone could beat it." An anonymous reader quotes their report about an AI's showdown with the best players of Super Smash Bros. Melee: Of 10 professionals that faced the bot, each one was killed more than they could kill the bot... But the bot was once only as good as a mere mortal. At first, Vlad Firoiu, creator and a competitive Smash player himself, couldn't train 'Phillip' to be as strong as the in-game bot, which he says even the worst players can beat fairly easily. Firoiu's solution? He started making the bot play itself over and over again, slowly learning which techniques fail and which succeed, called reinforcement learning. Then, he left it alone. "I just sort of forgot about it for a week," said Firoiu, who coauthored an unreviewed paper with William F. Whitney, the NYU student [who helped him] on the work. "A week later I looked at it and I was just like, 'Oh my gosh.' I tried playing it and I couldn't beat it." Business Insider points out that their AI read the players' positions, velocities, and states directly from the game's memory, so the AI responds six times faster than a human player. To compensate it played as Captain Falcon, the game's slowest character, but there was one crucial glitch. "One particularly clever player found that the simple strategy of crouching at the edge of the stage caused the network to behave very oddly, refusing to attack and eventually KOing itself by falling off the other side of the stage."

  • Linus Torvalds On Git's Use Of SHA-1: 'The Sky Isn't Falling'
    2017-02-25T22:34:00+00:00
    Google's researchers specifically cited Git when they announced a new SHA-1 attack vector, according to ZDNet. "The researchers highlight that Linus Torvalds' code version-control system Git 'strongly relies on SHA-1' for checking the integrity of file objects and commits. It is essentially possible to create two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one,' they note." Saturday morning, Linus responded: First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git. Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation. And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories... The reason for using a cryptographic hash in a project like git is because it pretty much guarantees that there are no accidental clashes, and it's also a really really good error detection thing. Think of it like "parity on steroids": it's not able to correct for errors, but it's really really good at detecting corrupt data... if you use git for source control like in the kernel, the stuff you really care about is source code, which is very much a transparent medium. If somebody inserts random odd generated crud in the middle of your source code, you will absolutely notice... It's not silently switching your data under from you... And finally, the "yes, git will eventually transition away from SHA1". There's a plan, it doesn't look all that nasty, and you don't even have to convert your repository.
There are a lot of details to this, and it will take time, but because of the issues above, it's not like this is a critical "it has to happen now" thing. In addition, ZDNet reports, "Torvalds said on a mailing list yesterday that he's not concerned since 'Git doesn't actually just hash the data, it does prepend a type/length field to it', making it harder to attack than a PDF... Do we want to migrate to another hash? Yes. Is it game over for SHA-1 like people want to say? Probably not."

  • Seven Film Studios Want 41 Web Sites Blocked By Australian ISPs
    2017-02-25T21:34:00+00:00
    angry tapir writes: A group of film studios is undertaking what is set to be the most significant use so far of Australia's anti-piracy laws, which allow rights holders to apply for court orders that can compel ISPs to block their customers from accessing certain piracy-linked sites. A pair of rights holders last year successfully obtained court orders forcing Australia's most popular ISPs to block a handful of sites including The Pirate Bay. Now Village Roadshow wants to have 41 more sites blocked. Village Roadshow joined six other studios in requesting an injunction Friday in federal court, reports Computerworld. And meanwhile, "a separate site-blocking application has been launched by Australian music labels, which are seeking to have Telstra, Optus, TPG and Foxtel's broadband arm block access to Kickass Torrents."

  • Garmin Engineer Shot And Killed By Man Yelling 'Get Out Of My Country!'
    2017-02-25T20:34:00+00:00
    lxw56 writes: Garmin engineer Srinivas Kuchibhotla was shot and killed at a local bar in Olathe, Kansas, the U.S. headquarters of Garmin. Co-worker Alok Madasani was also injured along with bystander Ian Grillot, who attempted to help the men. "The suspect in the shooting, Adam Purinton, was drinking at the bar in Olathe, Kansas, at about 7:15 p.m. that night," reports The Verge. "A witness said he yelled 'get out of my country' to two of the victims, reportedly saying the men, believed to originally be from India, were 'Middle Eastern.'" In 2015, Garmin employed 2,700 workers in Olathe and has plans to double this number, which the article notes has led to "increasing diversity" in the community.

  • FAA Warns More Drones Are Flying Near Airports
    2017-02-25T19:34:00+00:00
    Between February and September of 2016, there were 1,274 reports of drones near airports -- versus just 874 for the same period in 2015, according to newly-released FAA research. "The report detailed more than 1,200 incidents of airplane pilots, law enforcement, air traffic controllers, and U.S. citizens reporting drones flying in places they shouldn't," writes Fortune. An anonymous reader quotes their report: One takeaway of the report was that while the FAA has received several reports from pilots that drones may have hit their aircraft, the administration was unable to verify any such claim. "Every investigation has found the reported collisions were either birds, impact with other items such as wires and posts, or structural failure not related to colliding with an unmanned aircraft," the FAA said in a statement... Although a drone hasn't smashed into an airplane yet, the FAA "wants to send a clear message that operating drones around airplanes and helicopters is dangerous and illegal. Unauthorized operators may be subject to stiff fines and criminal charges, including possible jail time," the FAA said.

  • Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks
    2017-02-25T18:34:00+00:00
    An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly). This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

  • $10K Package Of Super Nintendo Games Finally Found By Post Office
    2017-02-25T17:34:00+00:00
    A project to preserve (and validate) every Super Nintendo game ROM had been derailed when the post office lost a package containing 100 games from the PAL region. But now Byuu, the creator of the Higan SNES emulator, reports that the package has been found. An anonymous reader writes: Thursday Byuu finally posted photos of the unboxing for the package that was shipped to him January 5th. "I'd like to offer my sincerest apologies to the USPS for assuming the worst in that these games were stolen. I should not have been so hasty to assume malicious intent." At the same time, Byuu writes that "My package was sitting in Atlanta, GA for well over a month with my address clearly visible right on the box. Had this case not been escalated to the media, it likely would have gone up for auction in a bin with other electronics sometime in March." Byuu is now refunding donations he'd received to replace the missing games, and says he can now also resume work on the SNES Preservation Project. And going forward, according to Eurogamer, "Byuu has said he will be more cautious with shipping games in the future -- only using smaller shipments, or buying individual games to scan and archive then selling them on to get some money back."

  • Are Your Slack Conversations Really Private and Secure?
    2017-02-25T16:34:00+00:00
    An anonymous reader writes: "Chats that seem to be more ephemeral than email are still being recorded on a server somewhere," reports Fast Company, noting that Slack's Data Request Policy says the company will turn over data from customers when "it is compelled by law to do so or is subject to a valid and binding order of a governmental or regulatory body...or in cases of emergency to avoid death or physical harm to individuals." Slack will notify customers before disclosure "unless Slack is prohibited from doing so," or if the data is associated with "illegal conduct or risk of harm to people or property." The article also warns that like HipChat and Campfire, Slack "is encrypted only at rest and in transit," though a Slack spokesperson says they "may evaluate" end-to-end encryption at some point in the future. Slack has no plans to offer local hosting of Slack data, but if employers pay for a Plus Plan, they're able to access private conversations. Though Slack has 4 million users, the article points out that there are other alternatives like Semaphor and open source choices like Wickr and Mattermost. I'd be curious to hear what Slashdot readers are using at their own workplaces -- and how they feel about the privacy and security of Slack?

  • Java and Python FTP Attacks Can Punch Holes Through Firewalls
    2017-02-25T15:34:00+00:00
    "The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks," reports CSO Online. itwbennett writes: Last weekend security researcher Alexander Klink disclosed an interesting attack where exploiting an XML External Entity vulnerability in a Java application can be used to send emails. At the same time, he showed that this type of vulnerability can be used to trick the Java runtime to initiate FTP connections to remote servers. After seeing Klink's exploit, Timothy Morgan, a researcher with Blindspot Security, decided to disclose a similar attack that works against both Java's and Python's FTP implementations. "But his attack is more serious because it can be used to punch holes through firewalls," writes Lucian Constantin in CSO Online. "The Java and Python developers have been notified of this problem, but until they fix their FTP client implementations, the researcher advises firewall vendors to disable classic mode FTP translation by default..." reports CSO Online. "It turns out that the built-in implementation of the FTP client in Java doesn't filter out special carriage return and line feed characters from URLs and actually interprets them. By inserting such characters in the user or password portions of an FTP URL, the Java FTP client can be tricked to execute rogue commands..."

  • Al Gore Sells $29.5 Million In Apple Stock
    2017-02-25T13:00:00+00:00
    An anonymous reader quotes a report from AppleInsider: A U.S. Securities and Exchange Commission filing on Friday reveals Apple board member Al Gore this week sold 215,437 shares of Apple stock (AAPL) worth about $29.5 million. Gore's stock sale, which was accomplished in multiple trades ranging from $136.4 to $137.12 on Wednesday, nearly matches a $29.6 million purchase of Apple shares made in 2013. When Gore bought the stock batch more than four years ago, he exercised Apple's director stock option to acquire 59,000 shares at a price of about $7.48 per share, costing him approximately $441,000. This was pre-split AAPL, so shares were valued at $502.68 each. Following today's sale, Gore owns 230,137 shares of Apple stock worth $31.5 million at the end of trading on Friday.


dept@math.duke.edu
ph: 919.660.2800
fax: 919.660.2821

Mathematics Department
Duke University, Box 90320
Durham, NC 27708-0320