Even language choices reveal preferences

Finance or not?

The language used in financial markets is fascinating. Everything is about taking or making bets.

If you take bets on how companies will do in the future, that's finance.

If you take bets on sports, that's gambling.

If you take bets on human misery, that's insurance.

CARDS ON THE TABLE

I used to work for a sports betting exchange. Or as the industry prefers to be known, a prediction market.

Cyclops

CycloneDX SBOM indexer

Cyclops is a tool to ingest, index and search through CycloneDX SBOMs. Point it at a directory containing CycloneDX files (and optionally an S3 bucket path); it will index the files and make them searchable through a simple command line interface.

The database engine is SQLite, for two reasons:

  1. No need to set up an external DB for what should be a simple, local-only tool
  2. The driver used exports a database/sql interface, so it should be reasonably low effort to port the tool to a dedicated, separate database instance, should the need arise.

Cyclops is licensed under AGPL.

Download: cyclops.tar.xz (~40kB)

Git: git clone https://bostik.iki.fi/src/cyclops.git

Examples

List ingested SBOM types

cyclops -J

List detected packaging ecosystems, number of packages

cyclops -E

Ingest SBOMs

cyclops -d /path/to/somewhere/with/sboms/

Download SBOMs from S3 in addition to ingesting them (with --s3-get, the -d directory becomes the download path)

cyclops \
    -d /path/to/somewhere/with/sboms/ \
    --s3-get \
    --s3-bucket <BUCKET NAME> \
    --s3-prefix <OBJECT PATH PREFIX> \
    [--s3-max-days <MAX OBJECT AGE>] \
    [--s3-max-dl-batch <PARALLEL DOWNLOAD BATCH SIZE>]

List known packages, their ecosystems, how many found

cyclops -P

List known packages, how many found for a single ecosystem

cyclops -P -p <ECOSYSTEM>

List indexed SBOMs

cyclops -L

List indexed SBOMs for a specific type only

cyclops -L -j <SBOM TYPE>

Search for dependencies by a partial detection path match

cyclops -S <PATH MATCH>

Search for packages whose names include 'foo'

cyclops -m foo

Search for any number of known package names

cyclops -n pkg1 pkg2 pkg3 [...] pkgN

Special case, e.g. for a Sha1-Hulud investigation ("do I have any of these infected packages anywhere in my stack?"):

cut -d ',' -f1 /path/to/downloaded/sha1-hulud.csv \
    | xargs cyclops -n

The various options can usually be combined to list or search through dependencies only for a given SBOM type and/or a specific packaging ecosystem.
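As an added illustration of the lookup behind cyclops -n (example code written for this page, not Cyclops's own source, which additionally persists everything in SQLite), the Go snippet below reads the component list of a CycloneDX JSON document, derives each package's ecosystem from its purl and reports every component whose name is on a watch list. The sampleSBOM document, the cdxBOM type and the function names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// cdxBOM is the subset of a CycloneDX JSON document this example reads.
type cdxBOM struct {
	BOMFormat  string `json:"bomFormat"`
	Components []struct {
		Name    string `json:"name"`
		Version string `json:"version"`
		Purl    string `json:"purl"`
	} `json:"components"`
}

// Ecosystem returns the ecosystem a purl encodes ("pkg:npm/left-pad@1.3.0" -> "npm"), or "".
func Ecosystem(purl string) string {
	rest := strings.TrimPrefix(purl, "pkg:")
	if eco, _, found := strings.Cut(rest, "/"); found && rest != purl {
		return eco
	}
	return ""
}

// FindPackages returns "ecosystem/name@version" for each component whose name is in wanted;
// the ecosystem is kept because the same name can legitimately exist in several registries.
func FindPackages(sbom []byte, wanted []string) ([]string, error) {
	var bom cdxBOM
	if err := json.Unmarshal(sbom, &bom); err != nil {
		return nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("not a CycloneDX document (bomFormat=%q)", bom.BOMFormat)
	}
	var hits []string
	for _, c := range bom.Components {
		for _, w := range wanted {
			if c.Name == w {
				hits = append(hits, Ecosystem(c.Purl)+"/"+c.Name+"@"+c.Version)
			}
		}
	}
	return hits, nil
}

const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
	{"name":"left-pad","version":"1.3.0","purl":"pkg:npm/left-pad@1.3.0"},
	{"name":"requests","version":"2.31.0","purl":"pkg:pypi/requests@2.31.0"}]}` // constructed sample, not a real SBOM
```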

Why?

I have had a persistent problem at $work. We generate and publish SBOMs but the only external use I've seen for them is to feed them to context-free vulnerability "scanner" software.

Cyclops began as a personal tool to make searching for detection paths and dependency bloat easier. The data in SBOMs, especially in aggregate, is far more valuable as supply chain analytics material, and I wanted to see if I could make this use case more accessible.

The tool has been written entirely outside of work, though. I had a problem, some spare time and needed a creative outlet.

Why AGPL?

I wanted to explicitly discourage anyone from picking up a tool I wrote for terminal investigations and turning it into a hosted SaaS.

NOTE: the DB schema file is intentionally licensed under CC0; I wanted it to be clear that any data you have stored in Cyclops's database is always yours. If you want to interact with it, e.g. for analytics purposes, you are free to write tools of your choice to generate reports from the data held in the SQLite file. As long as these tools do not use code from the rest of Cyclops, they remain unaffected by the project's chosen license.

Miscellania

Cyclops was first presented at DC4420.

The name is a homage to the CycloneDX project and a play on the far too common myopic practice of using SBOMs as a fancy input to whatever vulnerability scanner[TM] happens to be available.

Cyclops can generate a Zsh autocompletion script with the command cyclops completion.

Consider

Learning without thinking is useless. Thinking without learning is dangerous. -- C.

Gent

Prometheus/Dogstatsd compatible, minimalistic monitoring agent

Gent is a simple application telemetry collector & exporter. It ingests both regular StatsD messages and their extended variant, DogStatsD, and generates Prometheus-compatible telemetry. It is designed to be reasonably small with no external dependencies: it can be built with nothing beyond the Go standard library.

Gent is intended to be run on the host or inside a container with direct host networking. For maximal usefulness, it is distributed under the MIT license.

Download: gent.tar.xz (~10kB)

Using Gent

Once the agent is running, send *StatsD messages to its listening port. Gent will process the messages and generate an export for Prometheus-compatible scrapers. These exports are regenerated every 15 seconds.
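To make the ingestion step concrete, here is an added Go example (not Gent's own code) that turns one StatsD or DogStatsD message into a Prometheus text-format sample, scaling counters by their sample rate and mapping DogStatsD tags to labels. The function name ToPromLine and its edge-case handling (rejecting malformed messages and out-of-range sample rates) are the example's own assumptions, not Gent's documented behaviour.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ToPromLine converts one "name:value|type[|@rate][|#k:v,...]" StatsD or DogStatsD
// message into a Prometheus text-format sample (plain StatsD has no "#tags" section).
// A counter (type c) sent at sample rate r stands for 1/r events and is scaled up.
func ToPromLine(msg string) (string, error) {
	parts := strings.Split(strings.TrimSpace(msg), "|")
	nv := strings.SplitN(parts[0], ":", 2)
	if len(parts) < 2 || len(nv) != 2 || nv[0] == "" {
		return "", fmt.Errorf("malformed message %q", msg)
	}
	value, err := strconv.ParseFloat(nv[1], 64)
	if err != nil {
		return "", fmt.Errorf("bad value in %q: %w", msg, err)
	}
	var labels []string
	for _, p := range parts[2:] {
		switch {
		case strings.HasPrefix(p, "@"):
			rate, err := strconv.ParseFloat(p[1:], 64)
			if err != nil || rate <= 0 || rate > 1 {
				return "", fmt.Errorf("bad sample rate in %q", msg)
			}
			if parts[1] == "c" { // only counters are rescaled; gauges etc. pass through
				value /= rate
			}
		case strings.HasPrefix(p, "#"): // DogStatsD tags become Prometheus labels
			for _, t := range strings.Split(p[1:], ",") {
				if kv := strings.SplitN(t, ":", 2); len(kv) == 2 {
					labels = append(labels, fmt.Sprintf("%s=%q", kv[0], kv[1]))
				}
			}
		}
	}
	sort.Strings(labels) // stable label order for a reproducible export
	name := strings.ReplaceAll(nv[0], ".", "_") // dots are not valid in Prometheus names
	if len(labels) == 0 {
		return fmt.Sprintf("%s %g", name, value), nil
	}
	return fmt.Sprintf("%s{%s} %g", name, strings.Join(labels, ","), value), nil
}
```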

Basic Architecture

  | HOST |
+-------------------------------------------------------+
|                                                       |
| +---------------+               +---------------+     |
| |  Service A    |-+           +-|+-------------+|     |
| +---------------+ |           | || Container X ||     |
|                   |[msg]      | |+-------------+|     |
| +---------------+ |[msg]      | +---------------+     |
| |  Service B    |-+      [msg]|                       |
| +---------------+ |           |                       |
|                   |[msg] [msg]|                       |
|                   |      [msg]|                       |
|                   |      [msg]|                       |
|                   |[msg]      |            +------+   |
|                   v           v            | Gent |   |
|                                            |      |   |
+-------------------Y-----------Y------------========---+
               localhost      container-network

Performance

Tested on a relatively recent AMD Zen 7 @3.3GHz.

With the included stresser sources, gent can sustain a degenerate rate of 400k packets per second before dropping messages. At rates below 50k packets per second the CPU utilisation is negligible.

Miscellania

The name gent is a pun, for "a gent".

It is inspired by bucky3, a monitoring agent used internally at Smarkets.

The ringbuffer design is inspired by LMAX Disruptor but takes a few shortcuts to make the implementation easier to reason about.

For practical information on DogStatsD message format, see this article.

A bubble about to burst

The AI bubble of 202x is waiting to pop

With both of the big names (OpenAI & Anthropic) announcing their speedy IPO plans, the only sensible conclusion to draw is that the bubble is about to burst. The companies in question know it. Their investors know it. The public at large knows it. The investor class expects it but is looking at trajectory based on history.[1]

The sentiment among the AI companies is being telegraphed loud and clear: "take the money and run". If they get to IPO before the reality catches up, someone else will be holding the bag. The owners and investors have cashed out. Collapsing stock price is no longer their problem. The world can burn.

With any luck, they will also have the money to buy good businesses for pennies during the crash, and own even more of the global production when the cataclysm eventually subsides.

Or as someone else distilled the whole thing: "The price of computer memory has tripled because a bunch of memory that hasn't been yet manufactured has been pre-ordered so it can be used in GPUs that aren't yet installed in data centers that haven't been built yet in order to supply a demand that doesn't exist so the companies can earn profits that won't happen."

  1. Surely there is always a bigger fool to sell to.

Lessons from 30+ years of information security

The zeroeth rule of thumb for infosec professionals

You are not cynical enough.

No, not even you. Not even after adjusting for the above.

Bone-chilling winds of political change

Reading the tea leaves

Listening to the political winds and reading the tea leaves in the UK makes one thing disturbingly clear.

The country is about 6 years away from brownshirts, and 9 years from camps.

Long-term investment is looking at razor wire and heating element manufacturing as a growth sector.

Artificial Misanthropy

Artificial Misanthropy

A misanthrope is someone whose view of the world can be distilled into a simple sentence: "I hate people in general, and everyone in particular."

And it's a common enough condition in expressed writing that even AI has picked it up.

False positives are so last century

New hotness: Unvalidated Assumptions

Vulnerability scanners, in the year 2025 - and the companies flogging them to unsuspecting customers (victims) - are defective by design. The latest trend in flooding the already substandard spewage with even more useless noise is to run CI-time checks against non-CI systems.

A "modern"[tm] scanner, upon finding a build manifest or source code file with listed dependencies, will happily claim that every listed package is installed on the system. It does not bother to verify its claim. That would be too much work.

That is just as accurate as if police officers visiting a home saw a copy of Malleus Maleficarum on the bookshelf and put everyone in jail, treating it as iron-clad proof that the family living there burns people alive.

Four stages of getting griefed

Scribbling at $dayjob, again

Some time ago (cough several months cough) I wrote a piece at work. As part of a bigger set of reader friendly updates, I knew I needed the option to link to a concise piece that explains what takes place in the event of an online breach. And that piece could not be too specific, or tied to any single vendor or system.

Among other things, breaches are reported and news of them read because humans are... well, human. Selfish. Shallow.

Consider this a PR-approved, yet sufficiently cynical take on the anatomy of an online breach: Four stages of getting griefed