MSO and the CPF Annual Limit
31 Dec 2019
The Medisave-cum-Subsidised Outpatient (MSO) scheme is one of the medical benefits schemes in the Singapore public sector, and the scheme that’s part of the current benefits package for many public sector employees.
In 1994, with the launch of Medishield Plus several years after the introduction of Medishield, the civil service introduced the MSO scheme to replace the Comprehensive Co-payment Scheme (CCS). Inpatient medical benefits were removed in favour of an additional 1% Medisave contribution (that you’re expected to spend on the new Medishield/Plus), while outpatient benefits had an annual cap applied.
Troubleshooting corrupt apt downloads through apt-cacher-ng
23 Nov 2019
This was an interesting problem that isn’t too environment-specific, so I thought it might be interesting to write up.
tl;dr – if you are using apt-cacher-ng and getting corrupt Release/Packages files that contain a mix of stale and fresh data, check if the upstream server fully supports HTTP/1.1 range requests, and if it doesn’t, set VfileUseRangeOps:0 on apt-cacher-ng.
Context Within internal network environments, apt-get on hosts can be set to use an apt-cacher-ng instance as a caching proxy, via the Acquire::http::proxy directive.
The Golang.org URL redirector
20 Oct 2019
I always thought it was interesting that the Go project always uses “vanity” URL redirectors to link to things like GitHub issues and GitHub wiki pages and CLs, which I thought would be pretty static things. Can we figure out what these redirectors do, and what they’re meant to do? Is there something more to it than vanity?
Within commit messages, issues and PRs, you’ll see humans and bots make references to GitHub issues through https://golang.
Stashaway's August 2019 Re-optimisation
16 Aug 2019
StashAway has always talked up their proprietary ERAA asset allocation framework/investment strategy which is supposed to respond to macroeconomic indicators and valuation of asset classes, but we’re seeing this first major “re-optimisation” now after over 2 years into their existence, and slightly over 1.5 years since I started dollar cost averaging into an account there.
In the upcoming re-optimisation, ERAA® is deploying asset allocations that maintain portfolios under a “disinflationary growth” regime for US-based assets and shifting to our “All-Weather” strategy for non-US assets.
Mozilla's Server Side TLS 5.0
8 Jul 2019
I got distracted into yak-shaving about TLS cipher suites today when I noticed that Mozilla’s Server Side TLS document had been updated – just 10 days ago, it turns out – so I figured I’d try and write down some of what I learnt.
TLS has this negotiation between the server and client about which set of ciphers should be used for the connection. Picking what ought to be on this list, and in what order, can get a little complicated when there are something like 200-300 cipher suites!
Roadtripping in the U.S.
2 Jun 2019
I recently spent 12 days on a road trip through Utah and Arizona. More details on that in another post, but here’s a brain dump of what I learnt (or was surprised by!) about road tripping in the U.S. It’s just the one trip so it’s not exactly distilled wisdom, and I don’t know if anyone will ever find this useful, but I know I will want to remind myself about some of these things before any future road trips, so I might as well post it.
Default AWS Systems Manager IAM policy may grant unexpected S3 permissions
28 Oct 2018
If you use S3 buckets and the AWS Systems Manager agent with the suggested AWS-managed SSM IAM policy for EC2 instances, you should take a careful look at the effective S3 permissions on your SSM-managed instances. Depending on how you’re managing your S3 bucket/object permissions, your instances may have more access than expected.
I’ve been testing out AWS Systems Manager (SSM), ever since the new Session Manager features got announced a few weeks ago.
New CMS (II)
1 Sep 2018
tl;dr – this is Hugo published on Netlify.
From Anchor Couple years down the road, it’s time for a new CMS! I last wrote about moving from Anchor to Bolt in 2015.
The motivation? I have to go around patching things at work, I really do not want to spend my weekend patching my own services as far as possible, especially when it’s not as simple as bumping the version on a Docker image spec and seeing what breaks.
MikroTik RouterOS on tagged M1 Fibre
8 Jun 2016
If you have a recently-connected M1 fibre connection, you should be using the black Huawei ONT, with optional voice port for digital voice, and an untagged internet port on port 1. This guide is not for you.
If you’re on an older M1 fibre connection on the white Nucleus Connect ONT, with a tagged port, typically issued with a white Huawei Residential Gateway or something like the Asus RT-N56U, and you want to connect a MikroTik RouterOS device to the WAN – this guide is for you.
Live packet captures using MikroTik RouterOS and Wireshark
26 Jul 2015
This is a quick post to let Google pick it up. You know how the MikroTik wiki and forums are, plus how Stack Overflow is.. very confusing.
This was tested on RouterOS v6.27 (mipsbe) and v6.28 (smips), but it should work mostly the same everywhere. I was using Windows 7 (64-bit) and Wireshark 1.12.6, on a Thinkpad X220 using the onboard gigabit ethernet port and Intel 6205 802.11n card.