Planet Russell


Planet Debian - Mike Gabriel: @DebConf17: Work for Debian and FLOSS I got done during DebCamp and DebConf... and Beyond...

People I Met and will Remember

  • Angela, my wife, I met daily on Jabber. Thanks for letting me go to this great DebConf17 conference and keeping our family up and running
  • Andreas asking people to either impersonate his wife or adoptive daughter for a photo shooting. You gave such a touching talk on Friday, together with Minh from Vietnam.
  • Holger for nagging us about stone age bugs in the Debian Blends package and the outdated software list in Debian Edu (Kernel 2.6.32 package are finally not mentioned anymore)
  • Vagrant, Foetini and Alkis for their efforts on LTSP and their success in Greece with bringing Debian into Greek schools
  • Tiago, Jerome and all the others from the local team, providing us with such great food and support. THANKS folks!!!
  • Enrico who showed me his 20 liner version of nodm aka lightdm-autologin-greeter (and also made me curious on staticsite)
  • Jonas Smedegaard for teaching me the solarized theme and loads of other things
  • Siri for being around and really having a stand for making Debian look more like a product
  • Dimitri John Ledkov for chiming in on Ayatana Indicators as next Indicators upstream for Ubuntu 18.04 LTS
  • Chrys for chiming in on .desktop file proxying, meet you back in #arctica on Freenode
  • Sean for asking me daily, if my luggage had arrived (see below), as he shared the same fate during DebCamp
  • the owner of that nice shop where I bought loads of clothes while waiting for my luggage still stuck in Hamburg
  • Steven for looking into gcc compiler macros with me for nx-libs autotools conversion, also probably - luggage wise - the lightest traveller among us
  • Fabian for sharing his sadness and pain about the FLOSS non-situation in schools all over Quebec
  • Mario from New Zealand and Jos from the Netherlands chiming in on FLOSS and education on IRC after having watched my talk about Debian Edu / Skolelinux. Mario, we will soon ask you for opensourcing your teacher screen over WiFi solution...
  • Lior who thinks about bringing Debian Edu / Skolelinux to Israel. (That would be awesome!)
  • Rhonda for having time for my Debian Backports woes and probably having been quite forgiving ;-)
  • Bobby who is a font engineer during the week and (used to be) a cave explorer and mapper in his spare time
  • Ximin for providing deep insight in the key signing workflow and the caff approach to it
  • Daniel for sharing work experiences and nudging me to go with Remote Desktop stuff (out of pure personal interest *g*, of course, but still)
  • Tzfarir and Gunnar for a nice chat on the last night of DebConf

Topics I have worked on

  • Finding my luggage

    • After I had arrived at Montreal Airport, I found out that my luggage stayed in Hamburg
    • So the first 4.5 days, I was continuously busy with calling Lufthansa for package item tracking...
    • Go shopping twice, to update my plastic bag of fresh clothes...
  • MATE 1.18 in Debian

    • Finalize package builds of MATE 1.18 in Debian unstable (because of some GLib2.0 regression, thanks to Iain Lane for the prompt fix and upload)
  • Debian Edu

    • clear up src:package debian-edu regarding the task files related to Debian Pure Blends
    • this work is still in progress...
  • Debian Blends (esp. the blends-dev part of the blends src:package)

    • You can now have empty Depends: / Recommends: / Suggests: fields with the list of packages then starting in the next line.
    • It is now possible to have real Depends: fields in task files that become Depends: fields in debian/control. Packages targeting Depends: that are not in unstable get de-promoted to the Suggests: field in debian/control.
    • Tested with most available Debian Pure Blends meta-packages
    • I also pointed Daniel Pocock with his new GnuPG clean-room project towards Debian Pure Blends
  • Ring: A 'new' distributed video chat tool without mediating servers. Good concept, however, we could not get it to work on the DebConf campus.

  • Debian Design Team (which I am now a member of, I guess)

    • Dive into and out of the vision of a Debian Uniform set of packages, turning the collection of software in Debian into one thing.
    • Run my terminal applications now with the Base16 profile 'solarized-universal'. However, Debian Design will be much more than 16 colors in a console terminal.
    • Let's turn Debian into something like a potential product!
  • Debian Policy:

    • I even helped with a Debian Policy bug...
  • Skolab Groupware: Forking Kolab (v2) as a new project, named the Skolab Groupware. Instead of migrating my own mail server away from Kolab (v2), I chose to continue maintaining it, at least for the core components:

  • nx-libs: Work on several PRs:

  • Weblate:

    • Become hosted by Hosted Weblate for...
    • Ayatana Indicators
    • Arctica Project
    • Skolab Groupware

    Thanks to Michal Čihař for providing this fine translation service

Talks and BoFs

Packages Uploaded to Debian unstable

  • mate-settings-daemon
  • mate-dock-applet
  • brisk-menu
  • mate-optimus
  • caja-actions
  • mate-common
  • mate-tweak
  • plank
  • freerdp (2x)
  • freerdp2
  • gosa-plugin-mailaddress

Packages Uploaded to Debian NEW

  • python-wither
  • lightdm-autologin-greeter
  • caja-rename

I also looked into lightdm-webkit2-greeter, but upstream is in the middle of a transition from Gtk3 to Qt5, so this has been suspended for now.

Packages Uploaded to oldstable-/stable-proposed-updates or -security

  • freerdp (1.1) (actually twice, one of them a security upload)
  • gosa-plugin-mailaddress
  • mate-themes

Other Package related Stuff

  • Prepare upload of caja-admin by asking for release tags upstream
  • Talked Clint Byrum into a fresh upload of the long-untouched undistract-me package
  • Brood on different desktop layouts for Debian MATE (like in Ubuntu MATE)
  • Do quite a bit of GnuPG key signing
  • Update my consent with NM to pick up my work on collab-maint request processing again

Thanks to Everyone Making This Event Possible

A big thanks to everyone who made it possible for me to attend this event!!!


Planet Debian - Bits from Debian: DebConf17 closes in Montreal and DebConf18 dates announced

DebConf17 group photo

Today, Saturday 12 August 2017, the annual Debian Developers and Contributors Conference came to a close. With over 405 people attending from all over the world, and 169 events including 89 talks, 61 discussion sessions or BoFs, 6 workshops and 13 other activities, DebConf17 has been hailed as a success.

Highlights included DebCamp with 117 participants, the Open Day,
where events of interest to a broader audience were offered, talks from invited speakers (Deb Nicholson, Matthew Garrett and Katheryn Sutter), the traditional Bits from the DPL, lightning talks and live demos and the announcement of next year's DebConf (DebConf18 in Hsinchu, Taiwan).

The schedule has been updated every day, including 32 ad-hoc new activities, planned
by attendees during the whole conference.

For those not able to attend, talks and sessions were recorded and live streamed, and videos are being made available at the Debian meetings archive website. Many sessions also facilitated remote participation via IRC or a collaborative pad.

The DebConf17 website will remain active for archive purposes, and will continue to offer links to the presentations and videos of talks and events.

Next year, DebConf18 will be held in Hsinchu, Taiwan, from 29 July 2018 until 5 August 2018. It will be the first DebConf held in Asia. For the days before DebConf the local organisers will again set up DebCamp (21 July - 27 July), a session for some intense work on improving the distribution, and organise the Open Day on 28 July 2018, aimed at the general public.

DebConf is committed to a safe and welcome environment for all participants. See the DebConf Code of Conduct and the Debian Code of Conduct for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf17, particularly our Platinum Sponsors Savoir-Faire Linux, Hewlett Packard Enterprise, and Google.

About Savoir-faire Linux

Savoir-faire Linux is a Montreal-based Free/Open-Source Software company with offices in Quebec City, Toronto, Paris and Lyon. It offers Linux and Free Software integration solutions in order to provide performance, flexibility and independence for its clients. The company actively contributes to many free software projects, and provides mirrors of Debian, Ubuntu, Linux and others.

About Hewlett Packard Enterprise

Hewlett Packard Enterprise (HPE) is one of the largest computer companies in the world, providing a wide range of products and services, such as servers, storage, networking, consulting and support, software, and financial services.

HPE is also a development partner of Debian, and provides hardware for port development, Debian mirrors, and other Debian services.

About Google

Google is one of the largest technology companies in the world, providing a wide range of Internet-related services and products as online advertising technologies, search, cloud computing, software, and hardware.

Google has been supporting Debian by sponsoring DebConf for more than ten years, at gold level since DebConf12, and at platinum level for this DebConf17.

Planet Debian - Steve Kemp: A day in the life of Steve

I used to think I was a programmer who did "sysadmin-stuff". Nowadays I interact with too many real programmers to believe that.

Or rather I can code/program/develop, but I'm not often as good as I could be. These days I'm getting more consistent with writing tests, and I like it when things are thoroughly planned and developed. But too often if I'm busy, or distracted, I think to myself "Hrm .. compiles? Probably done. Oops. Bug, you say?"

I was going to write about working with golang today. The go language is minimal and quite neat. I like the toolset:

  • go fmt
    • Making everything consistent.
  • go test

Instead I think today I'm going to write about something else. Since having a child a lot of my life is different. Routine becomes something that is essential, as is planning and scheduling.

So an average week-day goes something like this:

  • 6:00AM
    • Wake up (naturally).
  • 7:00AM
    • Wake up Oiva and play with him for 45 minutes.
  • 7:45AM
    • Prepare breakfast for my wife, and wake her up, then play with Oiva for another 15 minutes while she eats.
  • 8:00AM
    • Take tram to office.
  • 8:30AM
    • Make coffee, make a rough plan for the day.
  • 9:00AM
    • Work, until lunchtime which might be 1pm, 2pm, or even 3pm.
  • 5:00PM
    • Leave work, and take bus home.
    • Yes I go to work via tram, but come back via bus. There are reasons.
  • 5:40PM
    • Arrive home, and relax in peace for 20 minutes.
  • 6:00PM-7:00PM
    • Take Oiva for a walk, stop en route to relax in a hammock for 30 minutes reading a book.
  • 7:00-7:20PM
    • Feed Oiva his evening meal.
  • 7:30PM
    • Give Oiva his bath, then pass him over to my wife to put him to bed.
  • 7:30PM - 8:00pm
    • Relax
  • 8:00PM - 10:00PM
    • Deal with Oiva waking up, making noises, or being unsettled.
    • Try to spend quality time with my wife, watch TV, read a book, do some coding, etc.
  • 10:00PM ~ 11:30PM
    • Go to bed.

In short I'm responsible for Oiva from 6ish-8ish in the morning, then from 6PM-10PM (with a little break while he's put to bed.) There are some exceptions to this routine - for example I work from home on Monday/Friday afternoons, and Monday evenings he goes to his swimming classes. But most working-days are the same.

Weekends are a bit different. There I tend to take him 6AM-8AM, then 1PM-10PM with a few breaks for tea, and bed. At the moment we're starting to reach the peak-party time of year, which means weekends often involve negotiation(s) about which parent is having a party, and which parent is either leaving early, or not going out at all.

Today I have him all day, and it's awesome. He's just learned to say "Daddy" which makes any stress, angst or unpleasantness utterly worthwhile.

Planet Debian - Bastian Blank: Network caps in cloud environments

Providing a working network is not easy. All the cloud providers seem to know how to do that most of the time. Providing enough throughput is not easy either. Here it gets interesting, as the cloud providers tackle that problem with completely different results.

There are essentially three large cloud providers. The oldest and best known cloud provider is Amazon Web Services (AWS). Behind that follow Microsoft with Azure and the Google Cloud Platform (GCP). Some public instances of OpenStack exist, but they simply don't count anyway. So we remain with three, and they tackle this problem with widely different results.

Now, what network throughput is necessary for real world systems anyway? An old friend gives the advice: 1 Gbps per core of uncongested throughput within the complete infrastructure is the minimum. A generalization of this rule estimates around 1 bps per clock cycle and core, so a 2 GHz core would need 2 Gbps. Do you even get a high enough network cap at your selected cloud provider to fill any of these estimates?

Our first provider, AWS, publishes a nice list of network caps for some of their instance types. The common theme in this list is: for two cores (all the *.large types) you get 500 Mbps, for four cores (*.xlarge) you get 750 Mbps and for eight cores (*.2xlarge) you get 1000 Mbps. This is way below our estimate shown above and does not even rise linearly with the number of cores. But all of this does not really matter anyway, as the performance of AWS is the worst of the three providers.

Our second provider, Azure, seems to not publish any real information about network caps at all. From my own knowledge it is 50 MBps (500 Mbps) per core for at least the smaller instances. At least it scales linearly with instance size, but it is still way below our estimates.

Our third provider, GCP, documents a simple rule for network caps: 2 Gbps per core. This matches what we estimated.

Now the most important question: does this estimate really work, and can we actually fill it? The answer is not easy. A slightly synthetic test of an HTTP server with cached static content showed that it can easily reach 7 Gbps on a 2 GHz Intel Skylake core. So yes, it gives a good estimate of what network throughput is needed for real world applications. However, we could still easily fill a pipe that is larger by a factor of three.

Rondam Ramblings - You can't say that! It might be true!

By now you have probably heard about James Damore, the Google engineer who was fired for writing a memo about... well, that's where the trouble begins, because the memo was about two things.  But the media kerfuffle focuses on only one of them. One of the two things the memo was about was the hypothesis that women might be less suited to careers in technology at least in part for biological

Planet Debian - Sam Hartman: Debian: a Commons of Innovation

I recently returned from Debconf. This year at Debconf, Matthew Garrett gave a talk about the next twenty years in free software. In his talk he raised concerns that Debian might not be relevant in that ecosystem and talked about some of the trends that contribute to his concerns.
I was talking to Marga after the talk and she said that Debian used to be a lot more innovative than it is today.
My initial reaction was doubt; what she said didn't feel right to me. At the time I didn't have a good answer. Since then I've been pondering the issue, and I think I have a partial answer to both Marga and Matthew and so I'll share it here.
In the beginning Debian focused on a lot of technical innovations related to bringing an operating system together. We didn't understand how to approach builds and build dependencies in a uniform manner. Producing packages in a clean environment was hard. We didn't understand what we wanted out of packages in terms of a uniform approach to configuration handling and upgrades. To a large extent we've solved those problems.
However, as the community has grown, our interests are more diverse. Our users and free software (and the operating system we build together) are what bring us together: we still have a central focus. However, no one technical project captures us all. There's still significant technical innovation in the Debian ecosystem. That innovation happens in Debian teams, companies and organizations that interact with the Debian community. We saw several talks about such innovation this year. I found the talk about ostree and flatpak interesting, especially because it focused on people in the broader Debian ecosystem valuing Debian along with some of the same technologies that Matthew is worried will undermine our relevance.
Matthew talked about how Debian ends up being a man-in-the-middle. We're between users and developers. We're between distributions and upstreams. Users are frustrated because we hold back the latest version of software they want from getting to them. Developers are frustrated because we present our users with old versions of their software configured not as they would like, combined with different dependencies than they expect.
All these weaknesses are real.
However, I think Debian-in-the-middle is our greatest strength both on the technical and social front.
I value Debian because I get a relatively uniform interface to the software I use. I can take one approach to reporting bugs whether they are upstream or Debian specific. I expect the software to behave in uniform ways with regard to things covered by policy. I know that I'm not going to have to configure multiple different versions of core dependencies; for the most part system services are shared. When Debian has value it's because our users want those things we provide. Debian has also reviewed every source file in the software we ship to understand the license and license compatibility. As a free software supporter and as someone who consumes software in commercial context, that value alone is enormous.
The world has evolved and we're facing technologies that provide different models. They've been coming for years: Python, Ruby, Java, Perl and others have been putting together their own commons of software. They have all been working to provide virtualization to isolate one program (and its dependencies) from another. Containerization takes that to the next level. Sometimes that's what our users want.
We haven't figured out what the balances are, how we fit into this new world. However, I disagree with the claim that we aren't even discussing the problem. I think we're trying a lot of things off in our own little technical groups. We're just getting to the level of critical mass of understanding where we can take advantage of Debian's modern form of innovation.
Because here's the thing. Debian's innovation now is social, not technical. Just as we're in the middle technically, we're in the middle socially. Upstreams, developers, users, derivatives, and all the other members of our community work together. We're a place where we can share technology, explore solutions, and pull apart common elements. This is the first Debconf where it felt like we'd explored some of these trends enough to start understanding how they might fit together in a whole. Seven years ago, it felt like we were busy being convinced the Java folks were wrong-headed. A couple of years later, it felt like we were starting to understand our users' desires that led to models different than packaging, but we didn't have any thoughts. At least in my part of the hallway it sounded like people were starting to think about how they might fit parts together and what the tradeoffs would be.
Yes, Matthew's talk doubtless sparked some of that. I think he gave us a well deserved and important wake-up call. However, I was excited by the discussion prior to Thursday.
What I'm taking away is that Debian is valuable when there's a role in the middle. Both socially and technically we should capitalize on situations where something in between makes things better and get out of the way where it does not.

TED - The big idea: Meetings, the ultimate time-suck, and how to fix them

When great minds meet, everybody benefits. So, when meetings are good, they’re great. But if they’re bad (as most office meetings are, be honest with yourself), they’re anything but beneficial. You may say to yourself, or quietly argue to this article during your sad desk lunch: “But I am doing work. I’m sitting and talking and brainstorming about work, thus I am working.” Yeah, not really.

As Jason Fried (TED Talk: Why work doesn’t happen at work) points out, “Meetings aren’t work. Meetings are places to go to talk about things you’re supposed to be doing later.”

Or, if you’re not in-person, there’s the hands-free and nightmarish conference call.

Since we can’t escape meetings entirely, how do we stop them from sucking up everyone’s time and space like the work equivalent of a black hole?

Step 1: Ask yourself a simple question. “Does this [thing] really need a meeting?”

If you’re having a hard time answering that question, here’s a handy infographic that should help you get to the bottom of one of work-life’s most sustaining and existential questions.

Other questions to think about:

Step 2: If a meeting is unavoidable — how do you minimize the inevitable dread for all involved?

“[There’s] this fundamental belief that we are powerless to do anything other than go to meetings and suffer through these poorly run meetings and live to meet another day,” says David Grady.

Which, generally, sounds like a special circle of hell that it needn’t be.

In his talk, Grady outlines a few ways to lessen the blunt force trauma to the head that a poorly run, unproductive meeting can feel like. Behold, a 3-point checklist.

  • Do you really need to be there? The answer is maybe, maybe not. Imagine this scenario: A meeting invitation pops up in your calendar. And it’s from this woman who you kind of know from down the hall, and the subject line references some project that you heard a little bit about. But there’s no agenda. There’s no information about why you were invited to the meeting. And yet you accept the meeting invitation, and you go. And when this highly unproductive session is over, you go back to your desk, and you stand at your desk and you say, “Boy, I wish I had those two hours back.”
  • Will an email suffice? Yes yes, the one thing people may despise more than meetings are emails. TED Curator Chris Anderson even has an entire website dedicated to saving our inboxes from the ever-rising flood of emails that haunt most professionals’ waking hours. However, there are few sweeter victories than avoiding half-hour meetings with a few focused clacks of the keyboard, or even a 5-minute desk / kitchen / watercooler chat (if it’s painless for all parties involved, that is; don’t stalk your co-workers, please).
  • Does the meeting have an agenda? It’s important to have an outline that keeps everyone on task and ensures that all points that need discussing are covered. If you’re not the meeting creator and you don’t see an agenda, reach out to the person heading it and request bulletpoints on what will be reviewed.

    “Tell them you’re very excited to support their work, ask them what the goal of the meeting is, and tell them you’re interested in learning how you can help them achieve their goal,” Grady advises.

    Agendas are great touchpoints to have if this is a new topic, a project that’s being dusted off, or if it’s the seven-millionth meeting about this one thing and you need some guiding words to navigate this nebulous and redundant path to success. Who knows — in asking for this information often and respectfully, people may be a little more thoughtful and actually include agendas by default in the future.

    (Best-case scenario, the person realizes after writing up the agenda that there’s no point in meeting and cancels the meeting. Hooray!)

Step 3: Third meeting in a row? Consider moving outside the conference room. (If the meeting is small, that is.)

Cabin fever sets in probably around Meeting Three (that’s just a guesstimate). And if the meetings don’t kill you, the sitting most likely will, says this TED-Ed lesson:

So, if the option is available to you, take your meeting outside. Suggest a walking meeting prior to your small one-on-one or even get some headphones (preferably with a microphone) and take the call on an outdoor excursion around the block.

A little exercise and fresh air does wonders for your mind, health and productivity — and may even improve creativity, a Stanford study finds. You’d also be among some famous company.

All snark aside, meetings are useful when done well. But with great power over other peoples’ time and productivity, comes great responsibility.



Planet Debian - Thorsten Glaser: [PSA] Fixing CVE-2017-12836 (Debian #871810) in GNU cvs

Considering I’ve become the de-facto upstream of cvs(GNU) even if not yet formally the de-iure upstream maintainer, fixing this bug obviously falls to me — not quite the way I had planned passing this evening after coming home from work and a decent and, worse, very filling meal at the local Croatian restaurant. But, so’s life.

The problem here is basically that CVS invokes ssh(1) (well, rsh originally…) but doesn’t add the argument separator “--” before the (user-provided) hostname, which when starting with a hyphen-minus will be interpreted by ssh as an argument. (Apparently the other VCSes also had additional vulnerabilities such as not properly escaping semicoloi or pipes from the shell or unescaping percent-escaped fun characters, but that doesn’t affect us.)

The obvious fix and the one I implemented first is to simply add the dashes. This will also be backported to Debian {,{,old}old}stable-security.

Then I looked at other VCSes out of which only one did this, but they all added extra paranoia hostname checks (some of them passing invalid hostnames, such as those with underscores in them). OK, I thought, then also let’s add extra checks to CVS’ repository reference handling. This will end up in Debian sid and MirBSD, pending passing the regression tests of course… hah, while writing this article I had to fixup because a test failed. Anyway, it’s not strictly necessary AFAICT to fix the issue.
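The two layers of the fix described above, as an added illustration that is not cvs(GNU) source: a wrapper that builds the argv a VCS would hand to ssh(1) from a `:ext:` CVSROOT, once in the pre-fix shape (hostname straight after the options) and once with the `--` separator plus a conservative hostname check. The function names and the hostname rule are this example's own assumptions; nothing here executes ssh.

```python
"""Argument-separator bug of the CVE-2017-12836 kind, shown on a toy wrapper.

Added example, not code from GNU cvs. The ':ext:[user@]host:/path' CVSROOT
syntax is real; the helper names below are hypothetical. The wrapper only
builds argv lists (what execvp()/subprocess would receive) and never runs ssh.
"""
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
# Underscores are rejected too, matching the stricter checks other VCSes added.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_ext_cvsroot(cvsroot):
    """Split ':ext:[user@]host:/path' into (user, host, path).

    Assumption: no ':port' component; anything else raises ValueError.
    """
    if not cvsroot.startswith(":ext:"):
        raise ValueError("only :ext: roots are handled here")
    rest = cvsroot[len(":ext:"):]
    userhost, sep, path = rest.partition(":")
    if not sep or not path.startswith("/"):
        raise ValueError("missing ':/path' after host")
    user, at, host = userhost.rpartition("@")
    if not at:
        user, host = None, userhost
    return user, host, path


def hostname_is_sane(host):
    """Conservative check: dot-separated DNS labels (dotted-quad IPv4 passes
    as a special case of that). A leading '-' can never pass, so even a
    caller that forgets '--' cannot hand ssh something option-shaped.
    Caveat: bracketed IPv6 literals are rejected by this rule."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def ssh_argv_unsafe(cvsroot, remote_cmd="cvs server"):
    """Pre-fix shape: the user-controlled host follows the options directly,
    so a host beginning with '-' is parsed by ssh as an option."""
    user, host, _path = parse_ext_cvsroot(cvsroot)
    argv = ["ssh"]
    if user:
        argv += ["-l", user]
    return argv + [host, remote_cmd]


def ssh_argv_safe(cvsroot, remote_cmd="cvs server"):
    """Fixed shape: validate the host, then end option parsing with '--'
    so everything after it is positional no matter how it is spelled."""
    user, host, _path = parse_ext_cvsroot(cvsroot)
    if not hostname_is_sane(host):
        raise ValueError("refusing suspicious hostname in CVSROOT: %r" % host)
    argv = ["ssh"]
    if user:
        argv += ["-l", user]
    return argv + ["--", host, remote_cmd]


def cvsroot_accepted(cvsroot):
    """True if the hardened builder accepts the root (handy for tests/logs)."""
    try:
        ssh_argv_safe(cvsroot)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample roots: one ordinary, one with a hyphen-leading host.
    for root in (":ext:anon@cvs.example.org:/cvs", ":ext:-badhost:/cvs"):
        print(root, "unsafe argv:", ssh_argv_unsafe(root))
        print(root, "accepted by hardened builder:", cvsroot_accepted(root))
```

The unsafe builder happily emits `-badhost` where ssh expects either an option or the host; the hardened one both refuses that root and, for good roots, places `--` before the host so the separator alone already closes the hole.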

Update, about 2⅕ hours past midnight (the testsuite runs for several hours): of course, the “sanity” testsuite (which itself is rather insane…) also needs adjustments, plus a bonus fix (for something that got broken when the recent allow-root-regex patch was merged and got fixed in the same go to…night).

tl;dr: a fix will end up in Debian *stable-security and can be taken out of my mail to the bugreport; another few changes for robustness are being tested and then added to both MirBSD and Debian sid. The impact is likely small, as it’s hard to get a user (if you find one, in the first place) to use a crafted CVSROOT string, which is easy to spot as well.

Cryptogram - Friday Squid Blogging: Squid Eyeballs

Details on how a squid's eye corrects for underwater distortion:

Spherical lenses, like the squids', usually can't focus the incoming light to one point as it passes through the curved surface, which causes an unclear image. The only way to correct this is by bending each ray of light differently as it falls on each location of the lens's surface. S-crystallin, the main protein in squid lenses, evolved the ability to do this by behaving as patchy colloids -- small molecules that have spots of molecular glue that they use to stick together in clusters.

Research paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

TED - What if? … and other questions that lead to big ideas: The talks of TED@UPS

Hosts Bryn Freedman and Kelly Stoetzel welcome us to the show at TED@UPS, July 20, 2017, at SCADshow in Atlanta, Georgia. (Photo: Mary Anne Morgan / TED)

What if one person could change the world? What if we could harness our collective talent, insight and wisdom? And what if, together, we could spark a movement with positive impact far into the future?

For a third year, UPS has partnered with TED to bring experts in business, logistics, design and technology to the stage to share ideas from the forefront of innovation. At this year’s TED@UPS — held on July 20, 2017, at SCADShow in Atlanta, Georgia — 18 speakers and performers showed how daring human imagination can solve our most difficult problems. 

After opening remarks from Juan Perez, UPS’s chief information and engineering officer, the talks in Session 1

Why protectionism isn’t a good deal. We’ve heard a lot of rhetoric lately suggesting that importers, like the US, are losing valuable manufacturing jobs to exporters like China, Mexico and Vietnam. In reality, those manufacturing jobs haven’t disappeared for the reasons you may think, says border and logistics specialist Augie Picado. Automation, not offshoring, is really to blame, he says; in fact, of the 5.7 million manufacturing jobs lost in the US between 2000 and 2010, 87 percent of them were lost to automation. If that trend continues, it means that future protectionist policies would save 1 in 10 manufacturing jobs, at best — but, more likely, they’d lead to tariffs and trade wars. And with the nature of modern manufacturing inexorably trending toward shared production, in which individual products are manufactured using materials produced in many different countries, protectionist policies make even less sense. Shared production allows us to manufacture higher-quality products at prices we can afford, but it’s impossible without efficient cross-border movement of materials and products. As Picado asks: “Does it make more sense to drive up prices to the point where we can’t afford basic goods, for the sake of protecting a job that might be eliminated by automation in a few years anyway?” 

Christine Thach shares her experience growing up in a refugee community — and the lessons it taught her about life and business — at TED@UPS. (Photo: Mary Anne Morgan / TED)

Capitalism for the collective. Christine Thach was raised within a tight-knit community of Cambodian refugees in the United States. Time after time, she witnessed the triumphs of community-first thinking through her own family’s hardships, steadfast relationships and continuous investment in refugee-owned businesses. “This collective-success mindset we’ve seen in refugees can actually improve the way we do business,” she says. “The self-interested foundations of capitalism, and the refugee collectivist mindset, are not in direct conflict with each other. They’re actually complementary.” Thach thinks an all-for-one, one-for-all mentality may just be able to shake up capitalism in a way that benefits everyone — if companies shift away from the individual and rally for group prosperity.

In defense of perfectionism. Some people think perfectionism is a bad thing, that it only leaves us disappointed. Jon Bowers disagrees; he sees perfectionism as “a willingness to do what is difficult to achieve what is right.” Bowers manages a facility where he trains professional delivery drivers. The stakes are high — 100 people in the US die every day in car accidents. So he’s a fan of striving to get as close to perfect as possible. We shouldn’t lower our standards because we’re afraid to fail, Bowers says. “We need to fail … failure is a natural stepping stone toward perfection.”

Uma Adwani shares the joys of teaching math at TED@UPS. (Photo: Mary Anne Morgan / TED)

Math’s hidden messages. “I hated math until it saved my life,” says Uma Adwani. As a young woman, Adwani left her small hometown of Akola, India, to start a career and life for herself in an unfamiliar city on her own. For months, she scraped by on three dollars a day — until a primary school hired her to teach the subject she loathed the most: math. But as Uma worked to prepare her lessons (and keep her job!), she started to discover “the magic of even and odd numbers, the poetry, the symmetry.” She shares the secret wisdom she found in the multiplication tables, like this one: if I am even to myself, no matter what I am multiplied with or what I go through in life, the result will always be even!

Truck driver turned activist John McKown tells sobering stories of human trafficking at TED@UPS. (Photo: Mary Anne Morgan / TED)

Activism on the road. As a small-town police officer, John McKown dealt with his share of prostitution cases. But after he left the force and became a truck driver, he faced prostitution in a new light — at truck stops. After first brushing them off as an annoyance, McKown came to realize that the many prostitutes who go from truck to truck offering “dates” at truck stops weren’t just stuck, they were enslaved. According to the FBI, 293,000 American children are at risk of enslavement, McKown says, and now he sees it as a moral imperative to help. When he pulls into a truck stop, he’s not just looking for a parking spot; he’s looking for a way to help — and he encourages others not to turn a blind eye to this problem.

A life of awe. For artist Jennifer Allison, getting dressed can feel like rubbing against a cactus, the lights at the grocery store seem more like strobes at a disco, and the number four is always royal blue. It wasn’t until Allison was an adult that she was given a name for the strange, and often painful, way her brain processes information — Sensory Processing Disorder (SPD). Allison shares the many ways she tried to cope with her condition — from stealing cars (and returning them) to self-medication and eventually an overdose — before returning to her childhood love: art. In an intimate talk, Allison shares how art saved her life, transforming her world “from pain and chaos to mesmerizing awe and wonder.” She urges us to find what transforms our own worlds, “whether it’s through art or science, nature or religion.” Because, she explains, it’s this sense of awe that connects us to the bigger picture and each other, grounding us and making life worth living.

Johnny Staats grew up singing gospel in church and his family band. Now a UPS driver and bluegrass virtuoso, he plays music with people along his route and at Carnegie Hall. Joined by multi-instrumentalist Davey Vaughn, Staats closes out Session 1 of TED@UPS with a performance of his original song, “His Love Has Got a Hold on Me.”

Singer Stella Stevenson and pianist Danny Bauer open Session 2 by transforming the TED@UPS stage into a jazz lounge with a bold, smoky cover of “Our Day Will Come.”

What’s the point of living in the city? Leading organizations predict that by 2050, 66 percent of the population will live in cities with worsening crime, congestion and inequality. Julio Gil believes the opposite. Trends come and go, he says, and city living will eventually go, as people realize we can now get the same benefits of the city while living in the countryside. With the delivery innovations and ubiquitous technology of modern life, there’s no reason not to settle outside the city for a bigger piece of land. Soon enough, he says, “city life” will be able to be lived anywhere with the help of drones, social media and augmented reality. Gil challenges the TED@UPS audience to think outside big-city walls and consider the advantages of greener pastures.

Sebastian Guo heralds the arrival of the Chinese millennials — the biggest emerging consumer demographic in the world — at TED@UPS. (Photo: Mary Anne Morgan / TED)

Pay attention to Chinese millennials. The business world is obsessed with American millennials, but Sebastian Guo suggests that a different group is about to take over the world: Chinese millennials. If they were their own country, Chinese millennials would be the world’s third largest. They’re well-educated and super motivated — 57 percent have a bachelor’s degree and 23 percent have a master’s, and they’re choosing majors that give them a competitive edge, specifically STEM and business management. As the biggest emerging consumer demographic on the planet, Chinese millennials spend four times more on mobile purchases than their American counterparts. And then there are the intangibles. The Chinese are big-picture people whose thinking starts from the overview and makes its way to the specific, Guo says, which means they focus on growth and the future in the workplace. And 10 years of smartphones hasn’t erased thousands of years of Confucian ideals, which emphasize a sense of hierarchy in social relations and suggest that a Chinese millennial might be more deferential to their managers at work. The world is tilted towards China now, Guo says, and Chinese millennials are ready to be explorers in this new adventure.

Robot-proof our jobs. “Driver” is the most common job in 29 of the 50 states — and with self-driving cars on the horizon, this could quickly turn into a big problem. To keep robots from taking our jobs, innovation architect David Lee says that we should stop asking people to work like robots and let work feel like … the weekend! “Human beings are amazing on weekends,” Lee says. They’re artists, carpenters, chefs and athletes. The key is to start asking people what problems they are inspired to solve and what talents they want to bring to work. Let them lead the way. “When you invite people to be more, they can amaze us with how much more they can be,” Lee says.

Back with a welcome musical interlude, Johnny Staats and Davey Vaughn return to the TED@UPS stage to perform an original song, “The West Virginia Coal Miner.”

How drones are revolutionizing healthcare. Partnering across disciplines, UPS joined with Zipline, Gavi and the Rwandan government to create the world’s first drone-based medical delivery system. The scalable system transports emergency medical supplies to remote villages in Rwanda. On track to its goal of saving thousands of lives a year, it could help transform how we deliver medical resources in the future as populations outgrow aging infrastructure. Learn more about this unique partnership in the mini-doc “Collaboration Lifeline,” shown for the first time at TED@UPS.

Planning happiness. City planners are already busy designing futures full of bike paths and LEED-certified buildings. But are they designing for our happiness? It’s hard to define, and even harder to plan for, but urban planner Thomas Madrecki has a simple solution: Ask the public. “Our quality of life improves most when we feel engaged and empowered,” he explains, and one of the best ways planners can do this is by making public participation a priority. He calls for an “overhaul of the planning process” through public engagement, clear communication, and meetings the public actually wants to attend. It’s not enough for urban planners to be trained in zoning regulations, data methods and planning history; they need to be trained in people, says Madrecki. After all, happiness and health are not engineering problems; they’re people problems.

Innovators don’t see different things; they see things differently. As a Colonel in the Air Force Reserve and an MD-11 Captain at UPS, Jeff Kozak thinks a lot about fuel, and for good reason. For his airline, fuel is by far the largest expense, at over $1.3 billion a year. Kozak tells the story of a counterintuitive idea he had to optimize fuel efficiency and cut carbon emissions by focusing on finding the exact amount of fuel needed for each plane to get to each leg of its journey. Initially met with resistance by an industry that believed more fuel was always better, the plan worked — after just ten days the airline saved $500,000 and eliminated 1,300 tons of CO2 emissions. “Let’s all continue to strive to see things differently and stay open to ideas that go against conventional thinking,” Kozak says. “Despite the resistance this type of thinking can often bring, embracing the counterintuitive can make all the difference.”

Former professional wrestler Mike Kinney encourages us all to turn ourselves up at TED@UPS. (Photo: Mary Anne Morgan / TED)

That’s me … in the chaps. How do you go from a typical high school senior to a sweaty wild man in chaps and a cowboy hat? “You turn yourself up!” says retired professional wrestler and UPS sales supervisor Mike Kinney. For years Kinney was a professional wrestler with the stage name Cowboy Gator Magraw, a persona he invented for the ring by amplifying the best parts of himself, the things about him that made him unique. In a talk equal parts funny and smart, Kinney taps into some locker-room wisdom to show us how we can all turn up to reach our full potential.

To close out the show, violinist Jessica Cambron and flutist Paige James play a moving rendition of the goodnight waltz (and Ken Burns fan favorite) “Ashokan Farewell,” accompanied by Johnny Staats and Davey Vaughn.


CryptogramI Seem to Have a LinkedIn Account

I seem to have a LinkedIn account.

This comes as a surprise, since I don't have a LinkedIn account, and have never logged in to LinkedIn.

Does anyone have any contacts into the company? I would like to report this fraudulent account, and possibly get control of it. I'm not on LinkedIn, but the best defense against this is probably to create a real account.

Planet DebianMichal Čihař: Weblate 2.16

Weblate 2.16 has been released today while I'm at DebConf17. There are quite a few performance improvements (with more scheduled for 2.17), support for new file formats and various other improvements.

Full list of changes:

  • Various performance improvements.
  • Added support for nested JSON format.
  • Added support for WebExtension JSON format.
  • Fixed git exporter authentication.
  • Improved CSV import in certain situations.
  • Improved look of Other translations widget.
  • The max-length check now enforces the text length in the form.
  • Make the commit_pending age configurable per component.
  • Various user interface cleanups.
  • Fixed component/project/sitewide search for translations.

If you are upgrading from an older version, please follow our upgrading instructions.

You can find more information about Weblate on https://weblate.org, the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password or register your own user. Weblate is also being used on https://hosted.weblate.org/ as the official translating service for phpMyAdmin, OsmAnd, Turris, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who has helped so far! The roadmap for the next release is just being prepared; you can influence it by expressing support for individual issues, either by comments or by providing a bounty for them.

Filed under: Debian English SUSE Weblate

Planet DebianMike Gabriel: @DebConf 2017: Ayatana Indicators

Last Tuesday, I gave a 20 min talk about Ayatana Indicators at DebConf 17 in Montreal.

Ayatana Indicators Talk

The talk had video coverage, so big thanks to the DebConf video team for making it possible to send the video link below around to people around the world:

http://meetings-archive.debian.net/pub/debian-meetings/2017/debconf17/ay...

The document of notes shown in the video is available on Debian's Infinote (Gobby) server. Installing the package needs root, but the Gobby client itself is a normal desktop application and should be run as your own user, not via sudo:

$ sudo apt-get install gobby
$ gobby infinote://gobby.debian.org/debconf17/talk/ayatana-indicators

The major outcome of this talk was getting to know Dimitri John Ledkov from the Foundation Team at Canonical Ltd. We agreed on investigating the following actions, targeting the Ubuntu 18.04 LTS release and later on Debian 10 (aka buster):

Upstream Todos

  • We need to find out which indicator applets are still needed (already there: application, session, power; work in progress: messages; not yet touched: sound, datetime, transfer). If you maintain a desktop environment and need indicator support, please contact us.
  • Rip out liburl-dispatcher and Mir related code from all ayatana-indicator-* code projects (upstream)
  • Disable phone and tablet related code at build time (upstream). If you are from the UBPorts project and have concerns about this, please contact us.
  • Fully deprecate all Ubuntu Indicators upstream projects on Launchpad and point to Ayatana Indicators as the upstream source for indicators in the Ubuntu ecosystem

Debian/Ubuntu Todos

  • Update https://wiki.debian.org/Ayatana, most important change for packagers: The team will use Git from now on, not Bazaar.
  • Get in touch with people maintaining indicator related packages (packages that have libappindicator-dev as build-dependency) to prepare for the transition from Ubuntu Indicators (unmaintained upstream, unmaintained in Debian) to Ayatana Indicators (package list, see DDPO Ayatana Developers Overview)
  • File bug reports against all packages in Debian still depending on Ubuntu Indicators and ideally provide patches to make those packages build against Ayatana Indicators
  • Do the Ayatana Indicator transition in Debian

Please get in Touch...

As this is going to be quite an effort, especially if we want to get this done in time for 18.04 LTS, let me say that this blog post is a call for help. If you are attached to Ubuntu and have used desktops with indicator support until now, please get in touch with the Ayatana Indicators team upstream as well as downstream (Debian/Ubuntu).

Contact:

  • Ayatana Indicators upstream:
    • #arctica on Freenode IRC
  • Ayatana Indicators in Debian:
  • Ubuntu Desktop Developers:
    • #ubuntu-desktop on Freenode IRC

Looking forward to meeting you online or in person and possibly working together with you on this transition project.

Planet DebianMike Gabriel: @DebConf17: Story Telling about Debian Edu in Northern Germany

Last Monday, I gave a 20 min talk about our little FLOSS school project "IT-Zukunft Schule" at the Debian Conference 17 in Montreal.

The talk had video coverage, so you may want to peek in if you couldn't manage to watch the live stream:

http://meetings-archive.debian.net/pub/debian-meetings/2017/debconf17/su...

I'd like to share some major outcomes (so far) of this talk.

  1. I realized how attached I am to "IT-Zukunft Schule" and how much it means to me that our kids grow up in a world of freedom and choice, especially when it comes to choosing your daily communication tools and computer working environment
  2. I met Foteini Tsiami and Alkis Georgopoulos from Greece. They work on LTSP and have deployed LTSP + Debian GNU/Linux + MATE Desktop Environment at 1000+ schools in Greece
  3. I met Vagrant Cascadian, who is the maintainer of LTSP in Debian and also a major LTSP upstream contributor
  4. I received a lot of fine feedback that was very encouraging for going on with our local work in Schleswig-Holstein

If you have some more time for watching DebConf talks on video, I highly recommend the talk given by Alkis and Foteini on their Greek FLOSS success story. If you don't have that much time, please skip through the video until you are at 26:15 and enjoy the map that shows how far Debian + LTSP has spread over all of Greece.

http://meetings-archive.debian.net/pub/debian-meetings/2017/debconf17/lt...

The schools in Greece are, however, much smaller than schools in Germany. Most schools there have between 50 and 300 students. So at the Greek schools, it is possible to have a teacher machine being the server for one computer lab. This teacher / server machine provides the infrastructure for a room full of LTSP fat clients (no hard drive inside) and that's it.

For German schools, unfortunately, we need a larger scale setup. German schools often have 800+ students and network services need to be spread over more than one server machine. So, the current approach with one server running LDAP, Kerberos etc. is quite appropriate, but also extensible, possibly on municipality level or on county level.

We (from IT-Zukunft Schule) are quite positive that there will be opportunities for introducing FLOSS approaches more on the county level in Schleswig-Holstein in the near future. So stay tuned...

Planet DebianLucas Nussbaum: systemd services, and queue management?

I’ve been increasingly using systemd timers as a replacement for cron jobs. The fact that you get free logging is great, and also the fact that you don’t have to care about multiple instances running simultaneously.

However, sometimes I would be interested in more complex scenarios, such as:

  • I’d like to trigger a full run of the service unit: if the service is not running, it should be started immediately. If it’s currently running, it should be started again when it terminates.
  • Same as the above, but with queue coalescing: If I do the above multiple times in a row, I only want the guarantee that there’s one full run of the service after the last time I triggered it (typical scenario: each run processes all pending events, so there’s no point in running multiple times).

Is this doable with systemd? If not, how do people do that outside of systemd?
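One way to get both behaviours described above (run now or right after the current run, and collapse a burst of triggers into a single extra run) with plain POSIX shell plus flock(1). This is an added example, not code from the original post: the state directory, the pending-flag file and the do_work stand-in are assumptions for illustration, and the wrapper is what a service unit's ExecStart (or a cron job) would invoke. The flag is only tested and consumed while the lock is held, which is what makes a trigger arriving during do_work lead to exactly one more run and N triggers arriving together lead to one run.

```shell
#!/bin/sh
# Coalescing "run again after this run" wrapper (added example, not from the post).
# Assumed layout: STATE_DIR holds a lock file, a "pending" flag and a run log.
set -eu

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
LOCK="$STATE_DIR/lock"
PENDING="$STATE_DIR/pending"
RUNLOG="$STATE_DIR/runs"

# Stand-in for the real job (assumption): append one line per run so the
# number of completed runs can be checked.
do_work() {
    echo "run" >> "$RUNLOG"
}

# Number of completed runs so far.
run_count() {
    [ -e "$RUNLOG" ] && wc -l < "$RUNLOG" | tr -d ' ' || echo 0
}

# request_run: ask for one full run after this moment. touch is idempotent,
# so any number of requests that arrive while a run is in progress collapse
# into a single extra run.
request_run() {
    touch "$PENDING"
}

# serve_pending: become the single worker. The blocking flock serialises
# workers; the flag is tested and removed only under the lock, so:
#  - a request landing during do_work is seen by the while-test after that
#    run ends and causes exactly one more run;
#  - a request landing after our last test is seen by whichever caller
#    takes the lock next, so no request is ever lost.
serve_pending() {
    (
        flock 9
        while [ -e "$PENDING" ]; do
            rm -f "$PENDING"   # consume before working, not after
            do_work
        done
    ) 9>"$LOCK"
}

# trigger: what a caller (or the service unit's ExecStart) invokes. Returns
# once a full run that started after the request has completed.
trigger() {
    request_run
    serve_pending
}
```

If the job should be started asynchronously, background serve_pending after touching the flag; the correctness argument is unchanged because every trigger still ends up holding the lock once and testing the flag there.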

CryptogramConfusing Self-Driving Cars by Altering Road Signs

Researchers found that they could confuse the road sign detection algorithms of self-driving cars by adding stickers to the signs on the road. They could, for example, cause a car to think that a stop sign is a 45 mph speed limit sign. The changes are subtle, though -- look at the photo from the article.

Research paper:

"Robust Physical-World Attacks on Machine Learning Models," by Ivan Evtimov, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, and Dawn Song:

Abstract: Deep neural network-based classifiers are known to be vulnerable to adversarial examples that can fool them into misclassifying their input through the addition of small-magnitude perturbations. However, recent studies have demonstrated that such adversarial examples are not very effective in the physical world--they either completely fail to cause misclassification or only work in restricted cases where a relatively complex image is perturbed and printed on paper. In this paper we propose a new attack algorithm--Robust Physical Perturbations (RP2)-- that generates perturbations by taking images under different conditions into account. Our algorithm can create spatially-constrained perturbations that mimic vandalism or art to reduce the likelihood of detection by a casual observer. We show that adversarial examples generated by RP2 achieve high success rates under various conditions for real road sign recognition by using an evaluation methodology that captures physical world conditions. We physically realized and evaluated two attacks, one that causes a Stop sign to be misclassified as a Speed Limit sign in 100% of the testing conditions, and one that causes a Right Turn sign to be misclassified as either a Stop or Added Lane sign in 100% of the testing conditions.

Worse Than FailureError'd: D.O.A.

John A. writes, "Um, you know, I don't think this was a brilliant idea."


"Well, actually, let me describe how I can help you," writes Bruce W.


"I'm fairly certain it's supposed to compress my data, and not the free space," Carter K. wrote. (and yes, that is DriveSpace 3. On Windows 98. On a non-standard format 720K 5.25" floppy disk.)


"The problem with JIRA is that I have to use it. Yup. That's about right," wrote Chris I.


"Skd Chg is a happening place, man!" writes Bruce J.


"In response to where my spouse and I met, I typed a city name, but found that it would not accept any answer unless I included at least one number," William B. wrote.

Planet DebianDirk Eddelbuettel: #8: Customizing Spell Checks for R CMD check

Welcome to the eighth post in the ramblingly random R rants series, or R4 for short. We took a short break over the last few weeks due to some conferencing followed by some vacationing and general chill.

But we're back now, and this post gets us back to the initial spirit of (hopefully) quick and useful posts. Perusing yesterday's batch of CRANberries posts, I noticed a peculiar new directory shown in the diffstat output we use to compare two subsequent source tarballs. It was entitled .aspell/, in the top-level directory, and appeared in two new packages by R Core member Kurt Hornik himself.

The context is, of course, the not infrequently-expressed desire to customize the spell checking done on CRAN incoming packages, see e.g. this r-package-devel thread.

And now we can, as I verified with (the upcoming next release of) RcppArmadillo, along with a recent-enough (i.e. last few days) version of r-devel. Just copying what Kurt did, i.e. adding a file .aspell/defaults.R, and in it pointing to an rds file (named after the package) containing a character vector with the words added to the spell checker's universe, is all it takes. For my package, see here for the particulars.

Or see here:

edd@bud:~/git/rcpparmadillo/.aspell(master)$ cat defaults.R
Rd_files <- vignettes <- R_files <- description <-
    list(encoding = "UTF-8",
         language = "en",
         dictionaries = c("en_stats", "RcppArmadillo"))
edd@bud:~/git/rcpparmadillo/.aspell(master)$ r -p -e 'readRDS("RcppArmadillo.rds")'
[1] "MPL"            "Sanderson"      "Templated"
[4] "decompositions" "onwards"        "templated"
edd@bud:~/git/rcpparmadillo/.aspell(master)$

And now R(-devel) CMD check --as-cran ... is silent about spelling. Yay!

But take this with a grain of salt, as this does not yet seem to be "announced": e.g. yesterday's change in the CRAN Policy did not mention it. So things may well change, but hey, it worked for me.

And this all is about aspell, here is something topical about a spell to close the post:

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

,

TEDA sobering new video from Beverly and Dereck Joubert on World Lion Day

Documentary filmmakers Beverly and Dereck Joubert have worked to conserve wildlife in Africa for more than 30 years. Last year, I visited the Jouberts in one of the Great Plains safari camps and preserves they founded: Great Plains Conservation, launched a few years ago in Botswana and Kenya. You can read about my 2016 visit and their work in honor of World Lion Day.

Another year has passed and I wish I could say that the situation has improved, but lions and other big cats are still a very threatened species. Beverly and Dereck continue to work relentlessly to save big cats in Africa, but their numbers continue to diminish. National Geographic’s Big Cat Initiative, the sponsor of World Cat Day, is “partnering with some of the world’s leading big cat experts, the initiative funds on-the-ground research and innovative conservation projects to protect our planet’s top felines and leads a global public awareness campaign to shine light on the issue.” You can stay in touch with National Geographic Explorers-in-Residence Dereck and Beverly Joubert and receive updates by subscribing to their newsletter.

Today, they posted a video to their Facebook page detailing the decimation of the lion population over the past 40 years.

Visit Big Cat Conservation to learn more about their efforts and to find out what you can do to help. For a list of other organizations to support, visit the World Lion Day website.


Planet DebianKartik Mistry: DebConf17

So, I’m here. It will take sometime to write about this, but this is to just reminder to myself that I exists on this blog too! 🙂


CryptogramTurning an Amazon Echo into an Eavesdropping Device

For once, the real story isn't as bad as it seems. A researcher has figured out how to install malware onto an Echo that causes it to stream audio back to a remote controller, but:

The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.

The way to implement this attack is by intercepting the Echo before it arrives at the target location. But if you can do that, there are a lot of other things you can do. So while this is a vulnerability that needs to be fixed -- and seems to have inadvertently been fixed -- it's not a cause for alarm.

Planet DebianDon Armstrong: Debbugs: 22 Years of Bugs (Debconf 2017)

This is a talk which I presented on August 10th, 2017 at Debconf 17 in Montreal, Canada.

Rondam RamblingsI'm running out of new ways to say "Staggering hypocrisy"

Bill Maher completely destroys the last pretense Republicans may have had of hewing to any actual principles by putting Donald Trump's words in Barack Obama's mouth. (That segment is worth watching all the way through just to see Reggie Brown's absolutely brilliant impersonation of Obama!) To top it off (as if that weren't enough) the Washington Post reports today that a majority of

TED5 stellar mini-docs that will make you rethink time

Five mini-documentary films captivated the TEDWomen 2016 audience — directed, written and produced by female filmmakers whose work embodies today’s best and most innovative storytelling. In a partnership between Lifetime and Chicken & Egg Pictures, these short films are artful in the ways their storytelling catalyzes social change and the TEDWomen 2016 theme, “It’s About Time.”

Watch the selected films below and learn more about the award-winning filmmakers behind them.

Lyari Girl Boxing

About this film: In Lyari, Pakistan—called “the Colombia of Karachi” because of the tightening grip of rival gangs and widespread drug culture—a group of female boxers are taking ownership of their fate.

About the filmmaker: Sharmeen Obaid Chinoy is a two-time Academy Award and Emmy-winning documentary filmmaker. In the past 15 years, she has made more than a dozen multi-award-winning films in over 10 countries around the world. Her films include A Girl in the River, Song of Lahore, Peacekeepers: A Journey of a Thousand Miles and Saving Face. In 2012, Time Magazine included Sharmeen in its annual list of the 100 most influential people in the world. In 2013, the Canadian government awarded her a Queen Elizabeth II Diamond Jubilee Medal for her work in the field of documentary films, and the World Economic Forum honored her with a Crystal Award at their annual summit in Davos. She is a TED Senior Fellow.

How Much Is Enough?

About this film: Several American mothers reflect on two key questions: How much extra time would you like in a day? What would you do with that extra time?

About the filmmaker: Grace Lee directed the Peabody-winning documentary American Revolutionary: The Evolution of Grace Lee Boggs, which Hollywood Reporter called “an entertainingly revealing portrait of the power of a single individual to effect change.” The film premiered at the 2013 Los Angeles Film Festival and was broadcast on the PBS series “POV.” Her previous documentary The Grace Lee Project was broadcast on Sundance Channel and was called “ridiculously entertaining” by New York magazine. She recently produced two documentaries for PBS: the Emmy-nominated Makers: Women in Politics and Off the Menu: Asian America. As a Women at Sundance Fellow, she is developing a social issue comedy series.

A Mother’s Dream

About this film: An intimate portrait of a day in the life of Collette Flanagan, a mother who lost a child to police violence and now empowers others to demand constructive and concrete systemic change in their communities.

About the filmmaker: Filmmaker, artist and author Michèle Stephenson pulls from her Panamanian and Haitian roots and experience as a human rights attorney to tell compelling, personal stories that resonate beyond the margins. Her most recent film, American Promise, was nominated for three Emmys, won the Jury Prize at Sundance, and was selected for the New York Film Festival’s Main Slate Program. She was recently awarded the Chicken & Egg Pictures Filmmaker Breakthrough Award and is a 2016 Guggenheim Fellow and a Sundance Skoll Storytellers for Change Fellow. Her recent book, Promises Kept, written along with co-authors Joe Brewster and Hilary Beard, won an NAACP Image Award for Outstanding Literary Work.

 

BeeLove

About this film: This film captures the unlikely story of Sweet Beginnings, a company that employs ex-offenders by teaching them how to be beekeepers and harvest honey.

About the filmmaker: Kristi Jacobson is an award-winning filmmaker and founder of Catalyst Films. Her latest film, Solitary, an immersive look at life inside a supermax prison, premiered at the 2016 Tribeca Film Festival and will be released on HBO in 2017. She has created films for HBO, PBS, ESPN, ABC, the Sundance Channel, A&E, Lifetime and Channel 4/UK. Her films, including American Standoff, Toots and A Place at the Table, reveal her passion for capturing nuanced, intimate and provocative portrayals of individuals and communities. She’s a 2016 recipient of Chicken & Egg Pictures’ Breakthrough Filmmaker Award, awarded to 5 nonfiction filmmakers whose artful and innovative storytelling catalyzes social change.

 

The Experience of Time

About this film: This short film explores the history of humans’ complicated relationship with time, deconstructs our obsession with controlling it, and contemplates how to be more mindful of this valuable resource.

About the filmmaker: Elaine McMillion Sheldon is a Peabody-winning documentary filmmaker and media artist. She’s the creative director of the Emmy-nominated interactive documentary Hollow and runs “She Does,” a weekly podcast that documents creative women’s journeys. In 2016, she was awarded the Breakthrough Filmmaker award from Chicken & Egg Pictures. Sheldon has been named one of 50 People Changing The South by Southern Living Magazine, a 2013 Future of Storytelling Fellow, and one of the 25 New Faces of Independent Film by Filmmaker magazine. She’s a founding member of All Y’all Southern Documentary Collective.


Planet Linux AustraliaDonna Benjamin: Tools for talking

I gave a talk a couple of years ago called Tools for Talking.

I'm preparing a new talk, which, in some ways, is a sequel to this one. As part of that prep, I thought it might be useful to write some short summaries of each of the tools outlined here, with links to resources on them.

  • Powerful Non Defensive Communication
  • Non Violent Communication
  • Active Listening
  • Appreciative Inquiry
  • Transactional Analysis
  • The Drama Triangle vs
  • The Empowerment Dynamic
  • The 7 Cs

So I might try to make a start on that over the next week or so.

 

In the meantime, here are the slides:

And here's the video of the presentation at DrupalCon Barcelona

Cory DoctorowBurbank! I’ll see you tonight at 7PM at the Buena Vista library

My Walkaway book-tour is basically over, but I’m taking a little victory lap tonight at my local library, the Buena Vista Branch of the Burbank Public Library. Hope to see you there!

Krebs on SecurityBeware of Security by Press Release

On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it “security by press release.” It goes a bit like this: A security firm releases a report claiming to have unearthed a major flaw in a competitor’s product; members of the trade press uncritically republish the claims without adding much clarity or waiting for responses from the affected vendor; the blindsided vendor responds in a blog post showing how the issue is considerably less dire than originally claimed.

At issue are claims made by Denver-based security company DirectDefense, which published a report this week warning that Cb Response — a suite of security tools sold by competitor Carbon Black (formerly Bit9) — was leaking potentially sensitive and proprietary data from customers who use its product.


DirectDefense warned about a problem with Cb Response’s use of “a cloud-based multiscanner” to scan suspicious files for malware. DirectDefense didn’t name the scanner in question, but it’s Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There’s also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. This is the full extent of the “vulnerability” that DirectDefense labeled “the world’s largest pay-for-play data exfiltration botnet.”

Carbon Black responded with its own blog post noting that the feature DirectDefense warned about was not turned on by default, and that Carbon Black informs customers of the privacy risks that may be associated with sharing files with VirusTotal.

ANALYSIS

Adrian Sanabria, a security expert and co-founder of Savage Security, published a blog post that called “bullshit” on DirectDefense’s findings, noting that the company inexplicably singles out a competitor when many other security firms similarly allow customers to submit files to VirusTotal.

“Dozens of other security vendors either have an option to automatically submit binaries (yes, whole binaries, not just the hash) to VirusTotal or do it without the customers’ knowledge altogether,” Sanabria wrote. “In singling out Carbon Black, DirectDefense opens itself up to criticism and closer scrutiny.”

That criticism could include the charge that DirectDefense is shilling for a partner firm (Cylance) that stands to gain from taking Carbon Black down a few notches in the public eye, Sanabria observed [link added].

“I personally don’t believe DirectDefense is a shill for Cylance, but in singling out one of many vendors that do the same thing, they’ve stepped into a classic PR gaffe that makes them look like one,” he wrote.

My take is that most people in corporate cybersecurity roles understand what VirusTotal is and the potential privacy risks involved in uploading files to the service — either on a one-off basis or automatically submitted through a security suite like Cb Response (if not, those security folks probably need to investigate another career).

That’s not to say that organizations don’t inadvertently overshare. I’ve seen instances where entire email threads and apparently sensitive documents have been submitted to VirusTotal along with embedded malware.

Lesley Carhart, a security incident response team leader and a prolific security commentator on Twitter, said an immense amount of trust is placed in VirusTotal. Carhart said if a malicious actor were able to identify individual files uploaded from a target organization to VirusTotal — even just as file hashes — they could gain lots of information about the organization, including what software suites they use, what operating systems, and which document types.

“They provide an amazing free resource for the infosec community, as well as some great paid services,” Carhart said of VirusTotal. “However, we have unintentionally given them one of the largest repositories of files in the world.”

If DirectDefense’s report helped some security people better grasp the risks of oversharing with multiscanners like VirusTotal, that’s a plus. But from where I sit, these types of overblown research reports tend to live or die by uncritical and/or unbalanced coverage in the news media — also known as “churnalism.”

My advice to tech reporters: Quit taking claims like these at face value and start asking some basic questions before publishing anything. For example, the early coverage of DirectDefense’s report in the media suggests that few reporters even asked about the identity of the multiscanner referenced throughout the report. Also, it’s clear that few (if any) reporters asked DirectDefense whether it had alerted Carbon Black before going public with their findings (it hadn’t).

Pro tip: If a researcher or company with a vulnerability “scoop” doesn’t mention interaction with the affected vendor before going public with their research, this should be a giant red flag indicating that this individual or entity is merely trying to use the media to generate short-term PR buzz, and that the “vulnerability” in question is little more than smoke and mirrors.

Planet Linux AustraliaBen Martin: Larger format CNC

Having access to a wood cutting CNC machine that can do a full sheet of plywood at once has led me to an initial project for a large sconce stand. The sconce is 210mm square at the base and the DAR ash I used was 140mm across. This led to the four edge-grain glue-ups in the middle of the stand.


The design was created in Fusion 360 by just seeing what might look good. Unfortunately the sketch export as DXF presented some issues on the import side. This was part of why a smaller project like this was a good first choice rather than a more complex whole sheet of ply.

To get around the DXF issue the tip was to select a face of a body and create a sketch from that face. Then export the created sketch as DXF, which seemed to work much better. I don't know what I had in the original sketch that I created the body from that the DXF export/import didn't like. Maybe the dimensions, maybe the guide lines, hard to know without a bisect. The CNC was using the EnRoute software, so I had to work out how to bounce things from Fusion over to EnRoute and then get some help to reCAM things on that side and set up tabs et al.

One tip for others would be to use the DAR timber to form a glue-up before arriving at a facility with a larger cut surface. Fewer pieces means fewer tabs/bridges and easier reCAM. A preformed glued panel would also have let me use more advanced designs such as n and u slots to connect two pieces instead of edge grains to connect four.

Overall it was a fun build and the owner of the sconce will love having it slightly off the table top so it can more easily be seen.

Worse Than FailureCodeSOD: Protect Your Property

Given the common need to have getter/setter methods on properties, many languages have adopted conventions which try to make it easier to implement/invoke them. For example, if you name a method foo= in Ruby, you can invoke it by doing: obj.foo = 5.

In the .NET family of languages, there’s a concept of a property, which bundles the getter and setter methods together through some syntactic sugar. So, something like this, in VB.Net:

    Private _foo As Boolean   ' backing field the property reads and writes

    Public Property Foo() As Boolean
        Get
            Return _foo
        End Get
        Set(val As Boolean)
            _foo = val
        End Set
    End Property

Now, you can do obj.Foo = FILE_NOT_FOUND, which actually invokes the Set method.

You can have more fun: the Property declaration can be marked as ReadOnly, and then you can skip the Set portion, or you can mark it as WriteOnly and skip the Get portion.

Dave S was given some time to pay down existing technical debt, and went hunting for bad code. He found this unusual way of making a property read-only:

    hfRequiredDocsPresent = CBool(hfAllDocumentsUploaded.Value)
    Public Property hfRequiredDocsPresent() As Boolean
        Get
            Return CBool(hfAllDocumentsUploaded.Value)
        End Get
        Set(ByVal value As Boolean)
            value = CBool(hfAllDocumentsUploaded.Value)
        End Set
    End Property

Planet DebianFrançois Marier: pristine-tar and git-buildpackage Work-arounds

I recently ran into problems trying to package the latest version of my planetfilter tool.

This is how I was able to temporarily work-around bugs in my tools and still produce a package that can be built reproducibly from source and that contains a verifiable upstream signature.

pristine-tar is unable to reproduce a tarball

After importing the latest upstream tarball using gbp import-orig, I tried to build the package but ran into this pristine-tar error:

$ gbp buildpackage
gbp:error: Pristine-tar couldn't checkout "planetfilter_0.7.4.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3 decode failed! at /usr/share/perl5/Pristine/Tar/DeltaTools.pm line 56.
pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
pristine-tar: failed to generate tarball

So I decided to throw away what I had, re-import the tarball and try again. This time, I got a different pristine-tar error:

$ gbp buildpackage
gbp:error: Pristine-tar couldn't checkout "planetfilter_0.7.4.orig.tar.gz": xdelta3: target window checksum mismatch: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
xdelta3 decode failed! at /usr/share/perl5/Pristine/Tar/DeltaTools.pm line 56.
pristine-tar: command failed: pristine-gz --no-verbose --no-debug --no-keep gengz /tmp/user/1000/pristine-tar.mgnaMjnwlk/wrapper /tmp/user/1000/pristine-tar.EV5aXIPWfn/planetfilter_0.7.4.orig.tar.gz.tmp
pristine-tar: failed to generate tarball

I filed bug 871938 for this.

As a work-around, I simply symlinked the upstream tarball I already had and then built the package using the tarball directly instead of the upstream git branch:

ln -s ~/deve/remote/planetfilter/dist/planetfilter-0.7.4.tar.gz ../planetfilter_0.7.4.orig.tar.gz
gbp buildpackage --git-tarball-dir=..

Given that only the upstream and master branches are signed, the .delta file on the pristine-tar branch could be fixed at any time in the future by committing a new .delta file once pristine-tar gets fixed. This therefore seems like a reasonable work-around.

git-buildpackage doesn't import the upstream tarball signature

The second problem I ran into was a missing upstream signature after building the package with git-buildpackage:

$ lintian -i planetfilter_0.7.4-1_amd64.changes
E: planetfilter changes: orig-tarball-missing-upstream-signature planetfilter_0.7.4.orig.tar.gz
N: 
N:    The packaging includes an upstream signing key but the corresponding
N:    .asc signature for one or more source tarballs are not included in your
N:    .changes file.
N:    
N:    Severity: important, Certainty: certain
N:    
N:    Check: changes-file, Type: changes
N: 

This problem (and, I suspect, the lintian check) is fairly new and hasn't been solved yet.

So until gbp import-orig gets proper support for upstream signatures, my work-around was to copy the upstream signature in the export-dir output directory (which I set in ~/.gbp.conf) so that it can be picked up by the final stages of gbp buildpackage:

ln -s ~/deve/remote/planetfilter/dist/planetfilter-0.7.4.tar.gz.asc ../build-area/planetfilter_0.7.4.orig.tar.gz.asc
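The two work-arounds above, staging the upstream tarball and its detached signature under Debian's orig-tarball names, combined into one shell function. This is an added example, not code from the original post: the stage_orig_tarball name, the argument layout and the SIGNING_KEY override are assumptions, and the key is read from Debian's standard debian/upstream/signing-key.asc in a throwaway keyring so the signature is checked before anything is built.

```shell
#!/bin/sh
# Added example (not from the original post). Stages <pkg>-<ver>.tar.gz and its
# .asc from an upstream dist directory where gbp buildpackage will find them:
#   TARBALL_DIR  is what you pass to --git-tarball-dir
#   EXPORT_DIR   is the export-dir from ~/.gbp.conf (where the .changes is built)
# Usage: stage_orig_tarball <pkg> <ver> <DIST_DIR> <TARBALL_DIR> <EXPORT_DIR>
stage_orig_tarball() {
    pkg=$1 ver=$2 dist_dir=$3 tarball_dir=$4 export_dir=$5

    # Absolute source paths, so the symlinks work wherever they are created.
    dist_abs=$(cd "$dist_dir" 2>/dev/null && pwd) ||
        { echo "no such dist directory: $dist_dir" >&2; return 1; }
    src="$dist_abs/$pkg-$ver.tar.gz"
    sig="$src.asc"
    orig="$tarball_dir/${pkg}_${ver}.orig.tar.gz"
    orig_sig="$export_dir/${pkg}_${ver}.orig.tar.gz.asc"

    [ -f "$src" ] || { echo "missing upstream tarball: $src" >&2; return 1; }
    [ -f "$sig" ] || { echo "missing detached signature: $sig" >&2; return 1; }

    # Verify before staging anything. The key path is Debian's standard
    # location relative to the source tree (run this from there); a throwaway
    # --homedir keeps the user's own keyring and trust database untouched.
    key=${SIGNING_KEY:-debian/upstream/signing-key.asc}
    if command -v gpg >/dev/null 2>&1 && [ -f "$key" ]; then
        tmp=$(mktemp -d) || return 1
        if gpg --batch --quiet --homedir "$tmp" --import "$key" 2>/dev/null &&
           gpg --batch --quiet --homedir "$tmp" --verify "$sig" "$src" 2>/dev/null
        then
            rm -rf "$tmp"
        else
            rm -rf "$tmp"
            echo "upstream signature does not verify: $sig" >&2
            return 1
        fi
    else
        echo "note: signature not verified (gpg or $key not available)" >&2
    fi

    mkdir -p "$tarball_dir" "$export_dir"
    # Debian expects <pkg>_<ver>.orig.tar.gz; symlinks keep the bytes identical
    # to the upstream release, so the build stays reproducible from it.
    ln -sf "$src" "$orig"
    ln -sf "$sig" "$orig_sig"
    echo "staged $orig and $orig_sig"
}

# Then build from the staged tarball instead of the broken pristine-tar branch:
#   stage_orig_tarball planetfilter 0.7.4 ~/deve/remote/planetfilter/dist .. ../build-area
#   gbp buildpackage --git-tarball-dir=..
```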

If there's a better way to do this, please feel free to leave a comment (authentication not required)!

Planet DebianJohn Goerzen: A new baby and deep smiles


A month ago, we were waiting for our new baby; time seemed to stand still. Now she is here! Martha Goerzen was born recently, and she is doing well and growing! Laura and I have enjoyed moments of cuddling her, watching her stare at our faces, hearing her (hopefully) soft sounds as she falls asleep in our arms. It is also heart-warming to see Martha’s older brothers take such an interest in her. Here is the first time Jacob got to hold her:


Oliver, who is a boy very much into sports, play involving police and firefighters, and such, has started adding “aww” and “she’s so cute!” to his common vocabulary. He can be very insistent about interrupting me to hold her, too.

Planet DebianThorsten Glaser: New mksh and jupp releases, mksh FAQ, jupprc for JOE 4.4; MuseScore

mksh R56 was released with experimental fixes for the “history no longer persisted when HISTFILE near-full” and “interactive shell cannot wait on coprocess by PID” issues (I hope they do not introduce any regressions) and otherwise as a bugfix release. You might wish to know the $EDITOR selection mechanism in dot.mkshrc changed. Some more alias characters are allowed again, and POSIX character classes (for ASCII, and EBCDIC, only) appeared by popular vote.

mksh now has a FAQ; enjoy. Do feel free to contribute (answers, too, of course).

The jupp text editor has also received a new release; aside from being much smaller, and updated (mksh too, btw) to Unicode 10, and some segfault fixes, it features falling back to using /dev/tty if stdin or stdout is not a terminal (for use on GNU with find | xargs jupp, since they don’t have our xargs(1) -o option yet), a new command to exit nonzero (sometimes, utilities invoking the generic visual editor need this), and “presentation mode”.

Presentation mode, crediting Natureshadow, is basically putting your slides as (UTF-8, with fancy stuff inside) plaintext files into one directory, with sorting names (so e.g. zero-padded slide numbers as filenames), presenting them with jupp * in a fullscreen xterm. You’d hit F6 to switch to one-file view first, then present by using F8 to go forward (F7 to go backward), and, for demonstrations, F9 to pipe the entire slide through an external command (could be just “sh”) offering the previous one as default. Simple yet powerful; I imagine Sven Guckes would love it, were he not such a vim user.

The new release is offered as source tarball (as usual) and in distribution packages, but also, again, a Win32 version as PKZIP archive (right-click on setup.inf and hit I̲nstall to install it). Note that this comes with its own (thankfully local) version of the Cygwin32 library (compatible down to Windows 95, apparently), so if you have Cygwin installed yourself you’re better off compiling it there and using your own version instead.

I’ve also released a new DOS version of 2.8 with no code patches but an updated jupprc; the binary (self-extracting LHarc archive) this time comes with all resource files, not just jupp’s.

Today, the jupprc drop-in file for JOE 3.7 got a matching update (and some fixes for bugs discovered during that) and I added a new one for JOE 4.4 (the former being in Debian wheezy, the latter in jessie, stretch and buster/sid). It’s a bit rudimentary (the new shell window functionality is absent) but, mostly, gives the desired jupp feeling, more so than just using stock jstar would.

CVS’ ability to commit to multiple branches of a file at the same time, therefore grouping the commit (by commitid at least, unsure if cvsps et al. can be persuaded to recognise it). If you don’t know what cvs(GNU) is: it is a proper (although not distributed) version control system and the best for centralised tasks. (For decentral tasks, abusing git as pseudo-VCS has won by popularity vote; take this as a comparison.)

If desired, I can make these new versions available in my “WTF” APT repository on request. (Debian buster/sid users: please change “https” to “http” there, the site is only available with TLSv1.0 as it doesn’t require bank-level security.)

I’d welcome it very much if people using an OS which does not yet carry either to package it there. Message me when one more is added, too ☺

In unrelated news I uploaded MuseScore 2.1 to Debian unstable, mostly because the maintainers are busy (though I could comaintain it if needed, I’d just need help with the C++ and CMake details). Bonus side effect is that I can now build 2.2~ test versions with patches of mine added I plan to produce to fix some issues (and submit upstream) ☻



Planet DebianPetter Reinholdtsen: Simpler recipe on how to make a simple $7 IMSI Catcher using Debian

On Friday, I came across an interesting article in the Norwegian web based ICT news magazine digi.no on how to collect the IMSI numbers of nearby cell phones using the cheap DVB-T software defined radios. The article referred to instructions and a recipe by Keld Norman on Youtube on how to make a simple $7 IMSI Catcher, and I decided to test them out.

The instructions said to use Ubuntu, install pip using apt (to bypass apt), use pip to install pybombs (to bypass both apt and pip), and then ask pybombs to fetch and build everything you need from scratch. I wanted to see if I could do the same on the most recent Debian packages, but this did not work because pybombs tried to build stuff that no longer builds with the most recent openssl library, or some other version skew problem. While trying to get this recipe working, I learned that the apt->pip->pybombs route was a long detour, and the only software dependency missing in Debian was the gr-gsm package. I also found out that the lead upstream developer of the gr-gsm (the name stands for GNU Radio GSM) project already provided a set of Debian packages in an Ubuntu PPA repository. All I needed to do was to dget the Debian source package and build it.

The IMSI collector is a python script listening for packets on the loopback network device and printing to the terminal some specific GSM packets with IMSI numbers in them. The code is fairly short and easy to understand. This works because gr-gsm includes a tool to read GSM data from a software defined radio like a DVB-T USB stick (and other software defined radios), decode it and inject it into a network device on your Linux machine (using the loopback device by default). This proved to work just fine, and I've been testing the collector for a few days now.

The updated and simpler recipe is thus to

  1. start with a Debian machine running Stretch or newer,
  2. build and install the gr-gsm package available from http://ppa.launchpad.net/ptrkrysik/gr-gsm/ubuntu/pool/main/g/gr-gsm/,
  3. clone the git repository from https://github.com/Oros42/IMSI-catcher,
  4. run grgsm_livemon and adjust the frequency until the terminal where it was started is filled with a stream of text (meaning you found a GSM station).
  5. go into the IMSI-catcher directory and run 'sudo python simple_IMSI-catcher.py' to extract the IMSI numbers.

To make it even easier in the future to get this sniffer up and running, I decided to package the gr-gsm project for Debian (WNPP #871055), and the package was uploaded into the NEW queue today. Luckily the gnuradio maintainer has promised to help me, as I do not know much about gnuradio stuff yet.

I doubt this "IMSI catcher" is anywhere near as powerful as commercial tools like The Spy Phone Portable IMSI / IMEI Catcher or the Harris Stingray, but I hope the existence of cheap alternatives can make more people realise how easily their whereabouts are tracked when carrying a cell phone. Seeing the data flow on the screen, realizing that I live close to a police station and knowing that police officers also carry cell phones, I wonder how hard it would be for criminals to track the position of the police officers to discover when there are police nearby, or for foreign military forces to track the location of the Norwegian military forces, or for anyone to track the location of government officials...

It is worth noting that the data reported by the IMSI-catcher script mentioned above is only a fraction of the data broadcast on the GSM network. It will only collect one frequency at a time, while a typical phone will be using several frequencies, and not all phones will be using the frequency tracked by the grgsm_livemon program. Also, there is a lot of radio chatter being ignored by the simple_IMSI-catcher script, which would be collected by extending the parser code. I wonder if gr-gsm can be set up to listen to more than one frequency?

Planet DebianSimon McVittie: DebConf 17: Flatpak and Debian

[Photo: the indoor garden at Collège de Maisonneuve, the DebConf 17 venue]

I'm currently at DebConf 17 in Montreal, back at DebConf for the first time in 10 years (last time was DebConf 7 in Edinburgh). It's great to put names to faces and meet more of my co-developers in person!

On Monday I gave a talk entitled “A Debian maintainer's guide to Flatpak”, aiming to introduce Debian developers to Flatpak, and show how Flatpak and Debian (and Debian derivatives like SteamOS) can help each other. It seems to have been quite well received, with people generally positive about the idea of using Flatpak to deliver backports and faster-moving leaf packages (games!) onto the stable base platform that Debian is so good at providing.

I've now put up my slides in the DebConf git-annex repository, with some small edits to link to more source code: A Debian maintainer's guide to Flatpak. Source code for the slides is also available from Collabora's git server.

The next step is to take my proof-of-concept for building Flatpak runtimes and apps from Debian and SteamOS packages, flatdeb, get it a bit more production-ready, and perhaps start publishing some sample runtimes from a cron job on a Debian or Collabora server. (By the way, if you downloaded that source right after my talk, please update - I've now pushed some late changes that were necessary to fix the 3D drivers for my OpenArena demo.)

I don't think Debian will be going quite as far as Endless any time soon: as Cosimo outlined in the talk right before mine, they deploy their Debian derivative as an immutable base OS with libOSTree, with all the user-installable modules above that coming from Flatpak. That model is certainly an interesting thing to think about for Debian derivatives, though: at Collabora we work on a lot of appliance-like embedded Debian derivatives, with a lot of flexibility during development but very limited state on deployed systems, and Endless' approach seems a perfect fit for those situations.

TEDMark Ronson makes a cameo, Roxane Gay and Adam Grant discuss the pros and cons of social media, and much more

Please enjoy your roundup of TED-related news:

This one’s for the boys. Mark Ronson takes a break from making music to have some fun in Charli XCX’s video for “Boys.” You’ll find him (suavely) combing his hair, amid scenes of other male celebs, such as Wiz Khalifa, Riz Ahmed and Joe Jonas having a pillow fight or cuddling with puppies, in a video intended to “flip the male gaze on its head.” (Watch Ronson’s TED Talk)

To tweet, or not to tweet? Twitter and Facebook allow writers to promote their work and engage readers—but is it a force for good or for evil? In a conversation with LitHub, TED speakers Roxane Gay and Adam Grant, along with Alexander Chee and Celeste Ng, discuss how they harness social media without letting it get the best of them. Grant was dragged into the online conversation “kicking and screaming,” but now believes that “it can be a source of energy and a real boon for your career.” Gay loves how Twitter keeps her up to date with new books; she sees more benefits than drawbacks for writers and publishers, and thinks “social media only sucks the life out of you if you allow it.” (Watch Grant’s TED Talk and Gay’s TED Talk)

The race for our attention. When our attention is currency, tech companies work hard to get us to watch that next video, keep the Snap streak going or click on that personalized ad. Tristan Harris warns that while engineers are getting better and better at this, we’re just getting more and more sucked in without even meaning to. Fortunately, Harris shares some advice on how to protect our minds as well as his vision for a more constructive tech future in a Q&A with Wired that builds on his new TED Talk. (Watch Harris’ TED Talk)

Medicine that bridges inequality. TED Prize winner Raj Panjabi discusses his plans with the New York Times to increase access to medical care for those living in rural, disconnected parts of Liberia. Motivated by the idea that “medicine could be a way to bridge inequality,” Panjabi’s nonprofit, Last Mile Health, trains locals as community health workers and provides them with medical supplies such as thermometers, smartphones and even malaria test kits. While his charity is focused on his birth country, Liberia, Panjabi believes that this approach to medical care could have a larger scope, even one that extends to rural America. “Why should anyone die from diseases that others don’t?” (Watch Panjabi’s TED Talk)

Art all around us. The subdued whirr of a computer fan, a plastic bag caught in the wind … can these things come alive as art? Shih Chieh Huang believes so, and his new exhibition at the Worcester Art Museum, “Reusable Universes,” shows his belief at work. Using fans to inflate bags with air, he creates cephalopod-looking objects—lit up and moving, suspended in midair—and controls their movements with an app designed for stage lighting. Sometimes he sees the exhibit as a bunch of everyday items. “But sometimes,” he told artnet, “I think that’s a cell, heart, a lung, a sea creature.” (Watch Huang’s TED Talk)

How can we grapple with historic injustices? Bryan Stevenson adds his voice to an anthology of eleven essays that analyze the history of racism in the criminal justice system, and its contemporary effects on the lives of African American men and boys. Each essayist touches on various stages and symptoms of the system, while making policy suggestions for the future. Stevenson’s piece takes the reader to South Africa and Germany, emphasizing the importance of recognizing and confronting historical injustices in order to move forward. Policing the Black Man: Arrest, Prosecution and Imprisonment is edited by Angela J. Davis. (Watch Stevenson’s TED Talk)

Have a news item to share? Write us at contact@ted.com and you may see it included in this biweekly round-up.


Planet DebianJoey Hess: unifying OS installation and configuration management

Three years ago, I realized that propellor (my configuration management system that is configured using Haskell) could be used as an installer for Debian (or other versions of Linux). In propellor is d-i 2.0, I guessed it would take "a month and adding a few thousand lines of code".

I've now taken that month, and written that code, and I presented the result at DebConf yesterday. I demoed propellor building a live Debian installation image, and then handed it off to a volunteer from the audience to play with its visual user interface and perform the installation. The whole demo took around 20 minutes, and ended with a standard Debian desktop installation. (Video)

The core idea is to reuse the same configuration management system for several different purposes.

  1. Building a bootable disk image that can be used as both a live system and as an OS installer.
  2. Running on that live system, to install the target system. Which can just involve copying the live system to the target disk and then letting the configuration management system make the necessary changes to get from the live system configuration to the target system configuration.
  3. To support such things as headless arm boards, building customized images tuned for the target board and use case, that can then simply be copied to the board to install.
  4. Optionally, running on the installed system later, to further customize it. Starting from the same configuration that produced the installed system in the first place.

There can be enormous code reuse here, and improvements made for one of those will often benefit all the rest as well.

Once everything is handled by configuration management, all user interface requirements become just a matter of editing the configuration. Including:

  • A user interface that runs on the live system and gets whatever input is needed to install to the target system. This is really just a config editor underneath. I built a prototype gamified interface that's as minimal as such an interface could get.
  • With a regular text editor, of course. This is the equivalent of preseeding in d-i, giving advanced users full control over the system that gets built. Unlike with preseeding, users have the full power of a configuration management system, so can specify precisely the system they want installed.
  • A separate user interface for customizing disk images, for arm boards and similar use cases. This would run on a server, or on the user's own laptop.

That's the gist of it. Configuration management reused for installation and image building, and multiple editor interfaces to make it widely usable.

I was glad, sitting in to a BoF session before my talk, that several people in Debian are already thinking along similar lines. And if Debian wanted to take this work and run with it, I'd be glad to assist as propellor's maintainer. But the idea is more important than the code and I hope my elaboration of it helps point a way if not the way.

While what I've built installs Debian, little of it is Debian-specific. It would probably be easy to port it to Arch Linux, which propellor already supports. There are Linux-specific parts, so porting to FreeBSD would be harder, but propellor knows, at the type level, which OSs each property supports, which will ease porting.

GuixSD and NixOS already use configuration management for installation, and were part of my inspiration. I've extended what they do in some ways (in other ways they remain far ahead).


The code is here. And here are some links to more details about what I built, and ideas encountered along the way:

Krebs on SecurityAlleged vDOS Operators Arrested, Charged

Two young Israeli men alleged by this author to have co-founded vDOS — until recently the largest and most profitable cyber attack-for-hire service online — were arrested and formally indicted this week in Israel on conspiracy and hacking charges.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated more than two million distributed denial-of-service (DDoS) attacks over the four year period it was in business.

That story named two then 18-year-old Israelis — Yarden “applej4ck” Bidani and Itay “p1st” Huri — as the likely owners and operators of vDOS. Within hours of that story’s publication the two were detained by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

vDOS as it existed on Sept. 8, 2016.


On Tuesday, Israeli prosecutors announced they had formally arrested and charged two 19-year-olds with conspiring to commit a felony, prohibited activities, tampering with or disrupting a computer, and storing or disseminating false information. A statement from a spokesman for the Israeli state attorney’s office said prosecutors couldn’t name the accused because their alleged crimes were committed while they were minors.

But a number of details match perfectly with previous reporting on Bidani and Huri. As noted in the original Sept. 2016 exposé on vDOS’s alleged founders, Israeli prosecutors say the two men made more than $600,000 in two of the four years the service was in operation. vDOS was shuttered for good not long after Bidani and Huri’s initial detention in Sept. 2016.

“The defendants were constantly improving the attack code and finding different network security weaknesses that would enable them to offer increased attack services that could overcome existing defenses and create real damage to servers and services worldwide,” Israeli prosecutors alleged of the accused and their enterprise.

“Subscribers were able to select an ‘attack’ package from the various packages offered, with the packages classified by the duration of each attack in seconds, the number of simultaneous attacks and the magnitude of the attack in Gigabits per second, and their prices ranged from $19.99 to $499.99,” the allegation continues.

19-year-old Yarden Bidani.

Lawyers for Bidani and Huri could not be immediately reached for comment. But both have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks.

The owners of these stresser services have sought to hide behind wordy “terms of service” agreements to which all customers must agree, arguing that these agreements absolve them of any sort of liability for how their customers use the service.

Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

In December 2016, federal investigators in the U.S. and Europe arrested nearly three dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.

KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.

That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.

At the height of vDOS’s profitability in mid-2015, the DDoS-for-hire service was earning its then-17-year-old proprietors more than $42,000 a month in PayPal and Bitcoin payments from thousands of subscribers. That’s according to an analysis of the leaked vDOS database performed by researchers at New York University.

The vDOS home page.

Rondam RamblingsWhat an incredibly stupid thing to say

Yesterday Donald Trump threatened in no uncertain terms to use military force against North Korea: “North Korea best not make any more threats to the United States,” Trump said at an event at his Bedminster, N.J., golf club. “They will be met with fire and fury like the world has never seen.”  The president then repeated that North Korea “will be met with the fire and fury and, frankly, power,

CryptogramMore on the Vulnerabilities Equities Process

Richard Ledgett -- a former Deputy Director of the NSA -- argues against the US government disclosing all vulnerabilities:

Proponents argue that this would allow patches to be developed, which in turn would help ensure that networks are secure. On its face, this argument might seem to make sense -- but it is a gross oversimplification of the problem, one that not only would not have the desired effect but that also would be dangerous.

Actually, he doesn't make that argument at all. He basically says that security is a lot more complicated than finding and disclosing vulnerabilities -- something I don't think anyone disagrees with. His conclusion:

Malicious software like WannaCry and Petya is a scourge in our digital lives, and we need to take concerted action to protect ourselves. That action must be grounded in an accurate understanding of how the vulnerability ecosystem works. Software vendors need to continue working to build better software and to provide patching support for software deployed in critical infrastructure. Customers need to budget and plan for upgrades as part of the going-in cost of IT, or for compensatory measures when upgrades are impossible. Those who discover vulnerabilities need to responsibly disclose them or, if they are retained for national security purposes, adequately safeguard them. And the partnership of intelligence, law enforcement and industry needs to work together to identify and disrupt actors who use these vulnerabilities for their criminal and destructive ends. No single set of actions will solve the problem; we must work together to protect ourselves. As for blame, we should place it where it really lies: on the criminals who intentionally and maliciously assembled this destructive ransomware and released it on the world.

I don't think anyone would argue with any of that, either. The question is whether the US government should prioritize attack over defense, and security over surveillance. Disclosing, especially in a world where the secrecy of zero-day vulnerabilities is so fragile, greatly improves the security of our critical systems.

Worse Than FailureDisk Administrations

It was a mandatory change control meeting. Steven S.’s department, a research branch of the Ministry of Social Affairs and Health in Belgium, assembled in a cramped meeting room without enough chairs for everyone. Camille, head of IT, was nonplussed.

“These orders come directly from Security,” she began. “Just last month, we monitored over a hundred attempts to break into the HCP.” The Home Care Platform was a database of citizens’ requests for doctors’ visits, prescription coverage, etc. Steven’s team had developed a mobile app that gave citizens access to HCP’s records.

“An automated script,” she continued, “purged our server logs before Security could investigate. Now we have little information on what these attackers were trying to access, nor if they were able to find a breach.”

Steven could guess what was coming next.

“Under no circumstances is any member of this department to delete logs from the servers without the consent of IT. That is all.”

The First Drops

The first support calls came a few days later. Some app users complained that they weren’t able to access their records. When they entered their credentials into the app, the login screen would display a spinner indefinitely.

At first, Steven didn’t think much of it, as some users would refresh their app so much that the firewall would block the IP for a bit. He entered the details into a new ticket, assigned it to IT, and marked it low priority. He always had something better to do.

But the calls kept coming. He escalated the ticket to medium, then high, then critical. Meanwhile, no one from IT had touched it.

Steven groaned. He opened the department’s internal API tool in a browser window and tried out a few requests. They all timed out.

Then, all of a sudden, the requests started going through again.

The HCP backend was remarkably robust, with request caching and multiple middleware servers. If the entire API had failed, it had to be more serious than a network configuration change or a temporary server outage. He marked the ticket as “In Progress” and kept it assigned to himself.

The Flood

The next day, the API went down again, and this time it wasn’t recovering.

Steven stormed to the IT office. Camille would know what took the servers down yesterday, and she would know what was happening now. He found her hovering over a monitor, furtively typing into a terminal window.

He read her command prompt: srm /var/log/*.

“Are you purging the logs?” Steven asked.

Camille closed the terminal window. “Of course not.”

Steven pressed the issue. “The API servers are down, and I can’t keep up with all the support calls.”

Camille sighed. “After we disabled the script that was purging the logs, the hard disk kept running out of space. I was stuck on the metro and couldn’t get here in time to purge it manually. We miscalculated how many requests these servers were processing.”

“So … why don’t you just turn the script back on?”

“Security has expressly forbidden automatic server log deletion. We have to do it ourselves.” With that, Camille re-opened the terminal and re-entered the command.

Plugging the Holes

This went on for another few months. Every few days the API would fail, typically early in the morning, until someone from IT could go in and purge the logs. Steven even wrote a phone script to use for the inevitable, predictable support calls.

Finally, he had had enough. He emailed a representative from Security, the department that started this ball rolling, about the issue. He asked if the automated script could be re-enabled.

The representative emailed back a few minutes later. They said that IT had been given the authorization to re-enable the script only a week after.

The API had been going down almost every day for months because Camille never read the request to turn the script back on.

It was the end of his shift. After forwarding the email to Camille, he left the office to look for a nearby pub. He needed a good lambic to soothe his soul. Months of support calls could have been avoided if anyone in IT checked their email.

Planet DebianJunichi Uekawa: reading up on rapidjson.

Reading up on rapidjson. I was reading the docs on rapidjson performance and I like that the source buffer is destroyed for performance. I was writing a JSON parser myself and the performance bottleneck seems to be copying and constructing objects.

Harald WelteIPv6 User Plane support in Osmocom

Preface

Cellular systems ever since GPRS have used a tunnel-based architecture to provide IP connectivity to cellular terminals such as phones, modems, M2M/IoT devices and the like. The MS/UE establishes a PDP context between itself and the GGSN at the other end of the cellular network. The GGSN is then the first IP-level router, and the entire cellular network is abstracted away from the user-IP point of view.

This architecture didn't change with EGPRS, nor with UMTS or HSxPA, and it even survived conceptually in LTE/4G.

While the concept of a PDP context / tunnel exists to de-couple the transport layer from the structure and type of data inside the tunneled data, the primary user plane so far has been IPv4.

In Osmocom, we made sure that there are no impairments / assumptions about the contents of the tunnel, so OsmoPCU and OsmoSGSN do not care at all what bits and bytes are transmitted in the tunnel.

The only Osmocom component dealing with the type of tunnel and its payload structure is OpenGGSN. The GGSN must allocate the address/prefix assigned to each individual MS/UE, perform routing between the external IP network and the cellular network and hence is at the heart of this. Sadly, OpenGGSN was an abandoned project for many years until Osmocom adopted it, and it only implemented IPv4.

This is actually a big surprise to me. Many of the users of the Osmocom stack are from the IT security area. They use the Osmocom stack to test mobile phones for vulnerabilities, analyze mobile malware and the like. As any penetration tester should be interested in analyzing all of the attack surface exposed by a given device-under-test, I would have assumed that testing just on IPv4 would be insufficient and that over the past 9 years somebody would have come around and implemented the missing bits for IPv6, so they can test on IPv6, too.

In reality, nobody appears to have shared this line of thinking and invested a bit of time in growing the tools used. Or if they did, they didn't share the related code.

In June 2017, Gerrie Roos submitted a patch for OpenGGSN IPv6 support that raised hopes about soon being able to close that gap. However, at closer sight it turns out that the code was written against a version of OpenGGSN more than 7 years old, and it seems to primarily focus on IPv6 on the outer (transport) layer, rather than on the inner (user) layer.

OpenGGSN IPv6 PDP Context Support

So in July 2017, I started to work on IPv6 PDP support in OpenGGSN.

Initially I thought: How hard can it be? It's not like IPv6 is new to me (I joined 6bone under 3ffe prefixes back in the 1990s and worked on IPv6 support in ip6tables ages ago). And aside from allocating/matching longer addresses, what kind of complexity does one expect?

After my initial attempt at an implementation, partially misled by the patch that was contributed against that 2010-or-older version of OpenGGSN, I'm surprised how wrong I was.

In IPv4 PDP contexts, the process of establishing a PDP context is simple:

  • Request establishment of a PDP context, set the type to IETF IPv4
  • Receive an allocated IPv4 End User Address
  • Optionally use IPCP (part of PPP) to request and receive DNS Server IP addresses

So I implemented the identical approach for IPv6. Maintain a pool of IPv6 addresses, allocate one, and use IPCP for DNS. And nothing worked.

  • IPv6 PDP contexts assign a /64 prefix, not a single address or a smaller prefix
  • The End User Address that's part of the Signalling plane of Layer 3 Session Management and GTP is not the actual address, but just serves to generate the interface identifier portion of a link-local IPv6 address
  • IPv6 stateless autoconfiguration is used with this link-local IPv6 address inside the User Plane, after the control plane signaling to establish the PDP context has completed. This means the GGSN needs to parse ICMPv6 router solicitations and generate ICMPv6 router advertisements.

To make things worse, the stateless autoconfiguration is modified in some subtle ways to make it different from the normal SLAAC used on Ethernet and other media:

  • the timers / lifetimes are different
  • only one prefix is permitted
  • only a prefix length of 64 is permitted

A few days later I implemented all of that, but it still didn't work. The problem was with DNS server addresses. In IPv4, the 3GPP protocols simply tunnel IPCP frames for this. This makes a lot of sense, as IPCP is designed for point-to-point interfaces, and this is exactly what a PDP context is.

In IPv6, the corresponding IP6CP protocol does not have the capability to provision DNS server addresses to a PPP client. WTF? The IETF seriously requires implementations to do DHCPv6 over PPP, after establishing a point-to-point connection, only to get DNS server information?!? Some people suggested an IETF draft to change this, but the draft expired in 2011 and we're still stuck.

While 3GPP permits the use of DHCPv6 in some scenarios, support for it in phones/modems is not mandatory. Rather, 3GPP has come up with its own mechanism for communicating DNS server IPv6 addresses during PDP context activation: the use of containers as part of the PCO Information Element used in L3-SM and GTP (see Section 10.5.6.3 of 3GPP TS 24.008). By the way, they also specified the same mechanism for IPv4, so there are now two competing methods for provisioning IPv4 DNS server information: IPCP and the new method.

In any case, after some more hacking, OpenGGSN can now also provide DNS server information to the MS/UE. And once that was implemented, I had actual live user IPv6 data over a full Osmocom cellular stack!
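As an added example (not code from OpenGGSN or from this post), here is the GGSN-side user-plane handling the post describes: derive the MS's link-local address from the End User Address, validate the Router Solicitation the MS sends, and answer with a Router Advertisement that carries exactly one /64 prefix. The ICMPv6 framing follows RFC 4443/4861; the lifetimes, the sample addresses and the prefix are assumptions, since the post gives no values for the 3GPP-specific timers.

```python
import struct
import ipaddress

# ICMPv6 / Neighbour Discovery constants (RFC 4443, RFC 4861)
ICMPV6_ROUTER_SOLICITATION = 133
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER_ADDR = 1
OPT_PREFIX_INFORMATION = 3
ALL_ROUTERS_MULTICAST = "ff02::2"

def link_local_from_eua(eua: bytes) -> str:
    """Link-local address of the MS from the 16-byte IPv6 End User Address.
    Only its low 64 bits (the interface identifier) are used, under fe80::/64;
    the EUA carried in L3-SM / GTP signalling is not the MS's global address."""
    if len(eua) != 16:
        raise ValueError("IPv6 End User Address must be 16 bytes")
    return str(ipaddress.IPv6Address(bytes([0xFE, 0x80] + [0] * 6) + eua[8:]))

def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header and the ICMPv6 message.
    Over a message whose checksum field is zero it yields the value to insert;
    over a sealed, intact message it yields 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00\x3a")  # next header 58
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def seal(src: str, dst: str, msg: bytes) -> bytes:
    """Insert the checksum into bytes 2-3 of a message built with that field zero."""
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]

def parse_nd_options(data: bytes) -> list:
    """Split the trailing TLV options of an ND message into (type, body) pairs."""
    options, off = [], 0
    while off < len(data):
        # RFC 4861 section 4.6: a zero option length is invalid and must be rejected
        if len(data) - off < 2 or data[off + 1] == 0:
            raise ValueError("malformed ND option")
        size = data[off + 1] * 8
        if off + size > len(data):
            raise ValueError("ND option overruns message")
        options.append((data[off], data[off + 2:off + size]))
        off += size
    return options

def parse_router_solicitation(src: str, dst: str, msg: bytes) -> dict:
    """GGSN side: validate the RS the MS sends once the PDP context is up. Options
    that make no sense on a point-to-point PDP link are reported as warnings."""
    if len(msg) < 8 or msg[0] != ICMPV6_ROUTER_SOLICITATION or msg[1] != 0:
        raise ValueError("not a router solicitation")
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    options = parse_nd_options(msg[8:])
    warnings = ["source link-layer address option on a point-to-point link"
                for opt_type, _ in options if opt_type == OPT_SOURCE_LINK_LAYER_ADDR]
    return {"options": options, "warnings": warnings}

def build_router_advertisement(src: str, dst: str, prefix: str, router_lifetime: int = 9000,
                               valid_lifetime: int = 0xFFFFFFFF,
                               preferred_lifetime: int = 0xFFFFFFFF) -> bytes:
    """GGSN side: RA carrying exactly one Prefix Information option for a /64.
    The lifetimes are sample values (an assumption of this example); the post
    only says the 3GPP timers differ from ordinary SLAAC defaults."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("PDP context prefix must be /64, got /%d" % net.prefixlen)
    # type, code, checksum, cur hop limit, M/O flags (clear: SLAAC, no DHCPv6),
    # router lifetime, reachable time, retrans timer
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                         router_lifetime, 0, 0)
    # Prefix Information option: type 3, length 4 (32 bytes), prefix length 64,
    # A flag (0x40) set so the MS autoconfigures from it; L flag left clear here.
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, 64, 0x40,
                      valid_lifetime, preferred_lifetime, 0) + net.network_address.packed
    return seal(src, dst, header + pio)

def advertised_prefixes(src: str, dst: str, msg: bytes) -> list:
    """MS side: verify an RA and return its prefixes, enforcing the 3GPP limits
    the post lists (exactly one prefix, and it must be a /64)."""
    if len(msg) < 16 or msg[0] != ICMPV6_ROUTER_ADVERTISEMENT or msg[1] != 0:
        raise ValueError("not a router advertisement")
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    prefixes = []
    for opt_type, body in parse_nd_options(msg[16:]):
        if opt_type == OPT_PREFIX_INFORMATION and len(body) == 30:
            # body: prefix length, flags, valid, preferred, reserved, 16-byte prefix
            addr = ipaddress.IPv6Address(body[14:30])
            prefixes.append(str(ipaddress.IPv6Network("%s/%d" % (addr, body[0]), strict=False)))
    if len(prefixes) != 1 or not prefixes[0].endswith("/64"):
        raise ValueError("3GPP PDP contexts allow exactly one /64 prefix")
    return prefixes
```

A router solicitation carrying a source link-layer address option is accepted but flagged, matching the post's observation about some phones; an RA for anything other than a single /64 is refused on both sides.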

Summary

We now have working IPv6 User IP in OpenGGSN. Together with the rest of the Osmocom stack you can operate a private GPRS, EGPRS, UMTS or HSPA network that provide end-to-end transparent, routed IPv6 connectivity to mobile devices.

All in all, it took much longer than needed, and the following questions remain in my mind:

  • why did the IETF not specify IP6CP capabilities to configure DNS servers?
  • why the complex two-stage address configuration with PDP EUA allocation for the link-local address first and then stateless autoconfiguration?
  • why don't we simply allocate the entire prefix via the End User Address information element on the signaling plane? Next to the 16-byte address we could surely have put one byte for the prefix length.
  • why do I see duplicate-address-detection style neighbour solicitations from Qualcomm based phones on what is a point-to-point link with exactly two devices: the UE and the GGSN?
  • why do I see link-layer source address options inside the ICMPv6 neighbor and router solicitation from mobile phones, when that option is specifically not to be used on point-to-point links?
  • why is the smallest prefix that can be allocated a /64? That's such a waste for a point-to-point link with a single device on the other end, and in times of billions of connected IoT devices it will just encourage the use of non-public IPv6 space (i.e. SNAT/MASQUERADING) while wasting large parts of the address space

Some of those choices would have made sense if one had made it fully compatible with normal IPv6, like e.g. on Ethernet. But implementing ICMPv6 router and neighbor solicitation without getting any benefit such as the ability to have multiple prefixes or prefixes of different lengths, I just don't understand why anyone ever thought

You can find the code at http://git.osmocom.org/openggsn/log/?h=laforge/ipv6 and the related ticket at https://osmocom.org/issues/2418

Google AdsenseHelping publishers bust annoying ads

Cross posted from The Keyword

At some point, we’ve all been caught off guard by an annoying ad online—like a video automatically playing at full volume, or a pop-up standing in the way to the one thing we’re trying to find. Thanks to research conducted by the Coalition for Better Ads, we now know which ad experiences rank lowest among consumers and are most likely to drive people to install ad blockers.

Ads, good and bad, help fund the open web. But 69% of people who installed ad blockers said they were motivated by annoying or intrusive ads. When ads are blocked, publishers don’t make money.

In June we launched the Ad Experience Report to help publishers understand if their site has ads that violate the Coalition’s Better Ads Standards. In just two months, 140,000 publishers worldwide have viewed the report.

"This report is great for helping publishers adapt to the Better Ads Standards. The level of transparency and data is incredibly actionable. It literally says here's the issue, here's how to fix it. I think it will be helpful for all publishers." Katya Moukhina, Director of Programmatic Operations, Politico

We're already starting to see data trends that can give publishers insights into the most common offending ads. Here's a look at what we know so far.

It's official: Popups are the most annoying ads on the web

Pop-up ads are the most common annoying ads found on publisher sites. On desktop they account for 97% of the violations! These experiences can be bad for business: 50% of users surveyed say they would not revisit or recommend a page that had a pop-up ad.

Instead of pop-ups, publishers can use less disruptive alternatives like full-screen inline ads. They offer the same amount of screen real estate as pop-ups—without covering up any content. Publishers can find more tips and alternatives in our best practices guide.

Mobile and desktop have different issues

On mobile the issues are more varied. Pop-ups account for 54% of issues found, while 21% of issues are due to high ad density: A mobile page flooded with ads takes longer to load, and this makes it harder for people to find what they're looking for.

Most issues come from smaller sites with fewer resources

Our early reporting shows that most issues are not coming from mainstream publishers, like daily newspapers or business publications. They come from smaller sites, who often don’t have the same access to quality control resources as larger publishers.

To help these publishers improve their ads experiences, we review sites daily and record videos of the ad experiences that have been found non-compliant with the Better Ads Standards. If a site is in a “failing” or “warning” state, their Ad Experience Report will include these visuals, along with information about the Better Ad Standards and how the issues may impact their site.

We encourage all publishers to take a look at their report. Here’s how.
  1. Gaining access to the report
    The Ad Experience Report is part of Google Search Console, which means you need to be a verified site owner to access it. You can either ask your webmaster to add you as an owner or user, or verify ownership yourself. Learn more.
  2. Understanding the report
    If your site has been reviewed and the status is “Warning" or "Failing," the report will show videos of the ad experiences that are likely to annoy or mislead your visitors. Click on desktop or mobile reports to see the specific experiences identified.
  3. Fixing the issues and requesting a review
    Once you’ve identified the violating experiences, work with your ad ops and site design teams to remove the annoying experiences. After that, describe how you addressed each of the issues in the ‘Request review’ area and click ‘I fixed this’. You’ll receive a confirmation email saying your review is in progress. Learn more.

Looking ahead

Over the next few weeks we’ll begin notifying sites with issues. For even more insights on the types of sites and violations found, publishers can visit The Ad Experience Report API.

The good news is that people don’t hate all ads—just annoying ones. Replacing annoying ads with more acceptable ones will help ensure all content creators, big and small, can continue to sustain their work with online advertising. This is why we support the Coalition’s efforts to develop marketplace guidelines for supporting the Better Ads Standards and will continue working with them on the standards as they evolve.

Planet DebianJonathan Dowland: libraries

Cover for The Rise Of The Meritocracy

At some point during my Undergraduate years I lost the habit of using Libraries. On reflection this is probably Amazon's fault. In recent years I've tried to get back into the habit of using them.

Using libraries is a great idea if you are trying to lead a more minimalist life. I am registered to use Libraries in two counties: North Tyneside, where I live, and Newcastle, where I work. The union of the two counties' catalogues is pretty extensive. Perhaps surprisingly I have found North Tyneside to offer both better customer service and a more interesting selection of books.

Sometimes there are still things that are hard to get ahold of. After listening to BBC Radio 4's documentary The Rise and Fall of Meritocracy, presented by Toby Young, I became interested in reading The Rise of the Meritocracy: an alarmist, speculative essay that coined the term meritocracy, written by Toby's father, Michael Young.

The book was not on either catalogue. It is out of print, with the price of second hand copies fluctuating but generally higher than I am prepared to pay. I finally managed to find a copy in Newcastle University's Library. As an associate of the School of Computing I have access to the Library services.

It's an interesting read, and I think if it were framed more as a novel than as an essay it might be remembered in the same bracket as Brave New World or 1984.

Krebs on SecurityCritical Security Fixes from Adobe, Microsoft

Adobe has released updates to fix dozens of vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, it’s time once again to get your patches on.

More than two dozen of the vulnerabilities fixed in today’s Windows patch bundle address “critical” flaws that can be exploited by malware or miscreants to assume complete, remote control over a vulnerable PC with little or no help from the user.

Security firm Qualys recommends that top priority for patching should go to a vulnerability in the Windows Search service, noting that this is the third recent Patch Tuesday to feature a vulnerability in this service.

Qualys’ Jimmy Graham observes that many of the vulnerabilities in this month’s release involve the Windows Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems.

According to Microsoft, none of the flaws in August’s Patch Tuesday are being actively exploited in the wild, although Bleeping Computer notes that three of the bugs were publicly detailed before today’s patch release.

Case in point: This month’s patch batch from Microsoft does not address the recently-detailed SMBLoris flaw, a vulnerability in all versions of Windows that can be used to remotely freeze up vulnerable systems or cause them to crash.

For those of you who still have Adobe Flash Player installed in a browser, it’s time to update and/or restart your browser. The latest version of Flash Player is v. 26.0.0.151 for Windows, Mac and Linux systems.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if there is an update available, Chrome should install it then. Chrome will replace that three-dot icon with an up-arrow inside of a circle when updates are ready to install.

Better yet, consider removing or at least hobbling Flash Player, which is a perennial target of malware attacks. For more on how to do that and other ways to reduce your exposure to Flash-based attacks, see this post.

By the way, the bulk of the vulnerabilities that Adobe patched today were in versions of its Acrobat and Adobe PDF Reader software. If you use either of these products, please take a moment to update them today.

As always, if anyone experiences weirdness or troubles after installing today’s updates, please leave us a note about it in the comments.

CryptogramUber Drivers Hacking the System to Cause Surge Pricing

Interesting story about Uber drivers who have figured out how to game the company's algorithms to cause surge pricing:

According to the study, drivers manipulate Uber's algorithm by logging out of the app at the same time, making it think that there is a shortage of cars.

[...]

The study said drivers have been coordinating forced surge pricing, after interviews with drivers in London and New York, and research on online forums such as Uberpeople.net. In a post on the website for drivers, seen by the researchers, one person said: "Guys, stay logged off until surge. Less supply high demand = surge."

Passengers, of course, have long had tricks to avoid surge pricing.

I expect to see more of this sort of thing as algorithms become more prominent in our lives.

Planet DebianWouter Verhelst: DebConf17 first videos published

Due to some technical issues, it took a slight bit longer than I'd originally expected; but the first four videos of the currently running DebConf 17 conference are available. Filenames are based on the talk title, so that should be reasonably easy to understand. I will probably add an RSS feed (like we've done for DebConf 16) to that place some time soon as well, but code for that still needs to be written.

Meanwhile, we're a bit behind on the reviewing front, with (currently) 34 talks still needing review. If you're interested in helping out, please join the #debconf-video channel on OFTC and ask what you can do. This is something which you can do from home if you're interested, so don't be shy! We'd be happy for your help.

Worse Than FailureCodeSOD: Drop it Like it's a Deployment

Zenith’s company went ahead and outsourced 95% of their development to the lowest bidder. Said bidder promised a lot of XML and MVC and whatever TLAs sounded buzzwordy that day, and off they went. It’s okay, though, the customer isn’t just taking that code and deploying it- “Zenith” gets to do code reviews to ensure code quality. The general flow of the post-code-review conversation goes something like:

Zenith: This code shouldn’t go into production, hell, it’s so bad that a proud parent wouldn’t even hang it on their fridge.
Management: I’ll raise your concerns.
Outsourced Team: We did the needful, please review again.
Zenith: They didn’t change anything. It doesn’t even compile.
Offshore Team: There are too many barriers, we cannot hit deadlines, your team is too strict
Management: Yeah… I guess you’re gonna have to lay off the contractors. Don’t be so strict in your code reviews. We have to deliver software!

The worst code ended up, not in the software, but in the deployment scripts. The team didn’t have and didn’t want a build environment (because they didn’t want to be expected to test their deployment scripts), so they essentially just guessed what the deployment scripts should be like and hoped for the best. They didn’t check them, they certainly didn’t run them.

For deploying changes to stored procedures, they got especially interested in using DROP commands, like so:

    DROP PROCEDURE [schema].[foo];
    CREATE PROCEDURE [schema].[foo] AS…

DROP statements destroy the object and any grants associated with it- meaning the permissions got wiped out with every deployment. After a long weekend cleaning up a botched deployment, “Zenith” gave them a template to follow. All they needed to do was plug their code into a script that would never drop, but instead create/alter as needed.

They… “adapted” his script to their own processes.

    IF EXISTS(select * from sys.all_objects where name = 'USPCandidateSearchElectionInfo')
            DROP PROCEDURE CF.USPCandidateSearchElectionInfo
    GO
    IF OBJECT_ID('[CFO].[USPCandidateSearchElectionInfo]') IS NULL
    BEGIN
    EXECUTE('CREATE PROCEDURE [CFO].[USPCandidateSearchElectionInfo] AS BEGIN SELECT NULL; END');
    END
    GO
    ALTER PROCEDURE [CF].[USPCandidateSearchElectionInfo]
     @Request XML
    AS
    BEGIN
    --pages and pages of horrific code follow, the details of which are inconsequential
    RETURN @@ROWCOUNT
    END

Not only did they keep the DROP, thus defeating the entire reason why he had given them a script in the first place, they also couldn’t even manage to use the same name for the procedure all the way through.

“Zenith” raised this with management, and was once again scolded: “Code reviews are supposed to facilitate development, not provide a barrier to deployments.”

Don MartiMoral values in society

Moral values in society are collapsing? Really? Elizabeth Stoker Bruenig writes, The baseline moral values of poor people do not, in fact, differ that much from those of the rich. (read the whole thing).

Unfortunately, if you read the fine print, it's more complicated than that. Any market economy depends on establishing trust between people who trade with each other. Tim Harford writes,

Being able to trust people might seem like a pleasant luxury, but economists are starting to believe that it’s rather more important than that. Trust is about more than whether you can leave your house unlocked; it is responsible for the difference between the richest countries and the poorest.

Somehow, over thousands of years, business people have built up a set of norms about high-status and low-status business activities. Craftsmanship, consistent supply of high-quality staple goods, and construction of noteworthy projects are high-status activities. Usury and deception are examples of low-status activities. (You make your money in quarters, gambling with retired people? You lend people $100 until Friday at a 300% interest rate? No club invitation for you.)

Somehow, though, that is now changing in the USA. Those who earn money through deception now have seats at the same table as legitimate business. Maybe it started with the shift into "consumer credit" by respectable banks. But why were high-status bankers willing to play loan shark to begin with? Something had to have been building, culturally. (It started too early to blame the Baby Boomers.)

We tend to blame information technology companies for complex, one-sided Terms of Service and EULAs, but it's not so much a tech trend as it is a general business culture trend. It shows up in tech fast, because rapid technology change provides cover and concealment for simultaneous changes in business terms. US business was rapidly losing its connection to basic norms when it was still moving at the speed of FedEx and fax. (You can't say, all of a sudden, "car crashes in existing fast-food drive-thrus are subject to arbitration in Unfreedonia" but you can stick that kind of term into a new service's ToS.) There's some kind of relativistic effect going on. Tech bros just seem like bigger douchebags because they're moving faster.

Regulation isn't the answer. We have a system in which business people can hire lobbyists to buy the laws and regulations we want. The question is whether we're going to use our regulatory capture powers in a shortsighted, society-eroding hustler way, or in a conservative way. Economic conservatism means not just limiting centralized state control of capital, but preserving the balance among all the long-standing stewards of capital, including households, municipalities, and religious and educational institutions. Economic conservatism and radical free-marketism are fundamentally different.

People blame trashy media for the erosion of norms among the poor, so let's borrow that explanation for the erosion of norms among the rich as well. Maybe our problem with business norms results from the globalization and sensationalism of business media. Joe CEO isn't just the most important corporate leader of Mt. Rose, MN, any more—on a global scale he's just another broke-ass hustler.


Planet DebianBen Hutchings: Debian LTS work, July 2017

I was assigned 15 hours of work by Freexian's Debian LTS initiative and worked 14 hours. I will carry over 1 hour to the next month.

I prepared and released an update on the Linux 3.2 longterm stable branch (3.2.91), and started work on the next update. However, I didn't make any uploads to Debian this month.

Planet DebianRaphaël Hertzog: My Free Software Activities in July 2017

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donors (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I was allocated 12 hours but I only managed to work for 7 hours (due to vacation and unanticipated customer work). I gave back the remaining hours to the pool as I didn’t want to carry them over to August, which will also be short due to vacation (BTW I’m not attending DebConf). I spent my 7 hours doing CVE triaging during the week when I was in charge of the LTS frontdesk (I committed 22 updates to the security tracker). I did publish DLA-1010-1 on vorbis-tools, but the package update had been prepared by Petter Reinholdtsen.

Misc Debian work

zim. I published an updated package in experimental (0.67~rc2-2) with the upstream bug fixes on the current release candidate. The final version has been released during my vacation and I will soon upload it to unstable.

Debian Handbook. I worked with Petter Reinholdtsen to finalize the paperback version of the Norwegian translation of the Debian Administrator’s Handbook (still covering Debian 8 Jessie). It’s now available.

Bug reports. I filed a few bugs related to my Kali work. #868678: autopkgtest’s setup-testbed script is not friendly to derivatives. #868749: aideinit fails with syntax errors when /etc/debian_version contains spaces.

debian-installer. I submitted a few d-i patches that I prepared for a customer who had some specific needs (using the hd-media image to boot the installer from an ISO stored in an LVM logical volume). I made changes to debian-installer-utils (#868848), debian-installer (#868852), and iso-scan (#868859, #868900).

Thanks

See you next month for a new summary of my activities.


Sociological ImagesWhat does the slur “cosmopolitan” mean?

Originally posted at Montclair Socioblog.

Why did White House advisor Stephen Miller call CNN reporter Jake Acosta “cosmopolitan”?

At the end of last week’s press briefing, Acosta asked about the Trump administration’s new proposals on immigration – reducing the total number of green cards by half and giving preference to people who are more skilled and people who speak English well.

ACOSTA: The Statue of Liberty has always been a beacon of hope to the world for people to send their people to this country. They’re not always going to speak English. . . . Are we just going to bring in people from Great Britain and Australia?

MILLER: I have to say, I am shocked at your statement that you think that only people from Great Britain and Australia would know English. It reveals your cosmopolitan bias to a shocking degree.

Cosmopolitan? Acosta’s question suggests the exact opposite – provincialism. A worldly and sophisticated person would know that countries in Asia and Africa have English as their national or dominant language and that people all over the world learn English as a second language. Only a rube would think that English proficiency was limited to Great Britain and Australia.

What did Miller mean by cosmopolitan? The question sent me back to the article that put “cosmopolitan” into the sociological lexicon – Alvin Gouldner’s 1957 “Cosmopolitans and Locals.”

Cosmopolitans:

  • low on loyalty to the employing organization
  • high on commitment to specialized role skills
  • likely to use an outer reference group orientation

Locals:

  • high on loyalty to the employing organization
  • low on commitment to specialized role skills
  • likely to use an inner reference group orientation

Gouldner was writing about people in organizations. Miller is concerned with politics. The common element here is loyalty. Miller, along with Steve Bannon, engineered Trump’s “America first” doctrine, and by “cosmopolitans” he seems to mean people who are not putting America first. On immigration, people like Acosta are thinking about what might be good for an uneducated but hard-working Guatemalan, when instead they should be thinking only about what’s good for the US.

Jeff Greenfield put it this way at Politico: “It’s a way of branding people or movements that are unmoored to the traditions and beliefs of a nation, and identify more with like-minded people regardless of their nationality.”

The alt-Right has been using cosmopolitan for a while now, and perhaps it was Miller’s familiarity with White nationalist discourse that made the word so available as a put-down of Acosta even though Acosta’s question seemed based on the kind of ignorance about the world that is much respected over on the right.

Like “America first,” “cosmopolitan” has a history of holding hands with anti-Semitism. In Stalin’s Russia, the phrase “rootless cosmopolitan” was a synonym for Jew, and he murdered quite a few of them. In the US today, the antipathy to “cosmopolitan” embodies this same fear of rootlessness and the same dislike of Jews. Here is one website’s take on yesterday’s press briefing:

The twist here is that Acosta, the alleged cosmopolitan, is not Jewish, but Miller is. (The alt-Right uses the triple parentheses around a name to designate a Jew.) I don’t know how Miller resolves the dissonance other than to claim that he has never had anything to do with White nationalists (a claim that is probably false).  For the anti-Semites, the website has this:

While not a Jew himself, Acosta is the end result of the education and programming pushed by the Rootless Cosmopolitans wherever they dwell – even Stalin grew wise to them near the end of his life.

So Acosta’s cosmopolitanism came from being educated by Jews.

Miller and other Jews must surely understand the overtones of the term. And finally, let’s throw in a good word for Stalin: an anti-Semitic Russian autocrat – what’s not to like?

The rootless cosmopolitan on the right is from a 1949 Soviet humor magazine.

Jay Livingston is the chair of the Sociology Department at Montclair State University. You can follow him at Montclair SocioBlog or on Twitter.

(View original at https://thesocietypages.org/socimages)

Planet Linux AustraliaTim Serong: NBN Fixed Wireless – Four Years On

It’s getting close to the fourth anniversary of our NBN fixed wireless connection. Over that time, speaking as someone who works from home, it’s been generally quite good. 22-24 Mbps down and 4-4.5 Mbps up is very nice. That said, there have been a few problems along the way, and more recently evenings have become significantly irritating.

There were some initial teething problems, and at least three or four occasions where someone was performing “upgrades” during business hours over the course of several consecutive days. These upgrade periods wouldn’t have affected people who are away at work or school or whatever during the day, as by the time they got home, the connection would have been back up. But for me, I had to either tether my mobile phone to my laptop, or go down to a cafe or friend’s place to get connectivity.

There’s also the icing problem, which occurs a couple of times a year when snow falls below 200-300 metres for a few days. No internet, and also no mobile phone.

These are all relatively isolated incidents though. What’s been happening more recently is our connection speed in the evenings has gone to hell. I don’t tend to do streaming video, and my syncing several GB of software mirrors happens automatically in the wee hours while I’m asleep, so my subjective impression for some time has just been that “things were kinda slower during the evenings” (web browsing, pushing/pulling from already cloned git repos, etc.). I vented about this on Twitter in mid-June but didn’t take any further action at the time.

Several weeks later, on the evening of July 28, I needed to update and rebuild a Ceph package for openSUSE and SLES. The specifics aren’t terribly relevant to this post, but the process (which is reasonably automated) involves running something like `git clone git@github.com:SUSE/ceph.git && cd ceph && git submodule update --init --recursive`, which in turn downloads a few GB of data. I’ve done this several times in the past, and it usually takes an hour, or maybe a bit more. So you start it up, then go make a meal, come back and you’re done.

Not so on that Friday evening. It took six hours.

I ran a couple of speed tests:

I looked at my smokeping graphs:

smokeping-2017-07-28

That’s awfully close to 20% packet loss in the evenings. It happens every night:

smokeping-last-10-days

And it’s been happening for a long time:

smokeping-last-400-days

Right now, as I’m writing this, the last three hours show an average of 15.57% packet loss:

smokeping-last-three-hours

So I’ve finally opened a support ticket with iiNet. We’ll see what they say. It seems unlikely that this is a problem with my equipment, as my neighbour on the same wireless tower has also had noticeable speed problems for at least the last couple of months. I’m guessing it’s either not enough backhaul, or the local NBN wireless tower is underprovisioned (or oversubscribed). I’m leaning towards the latter, as in recent times the signal strength indicators on the NTD flick between two amber and three green lights in the evenings, whereas during the day it’s three green lights all the time.

Planet DebianGunnar Wolf: #DebConf17, Montreal • An evening out

I have been in Montreal only for a day. Yesterday night, I left DebConf just after I finished presenting the Continuous Key-Signing Party introduction to go out with a long-time friend from Mexico and his family. We went to the Mont Royal park, from where you can have a beautiful city view:

What amazed me most, as a Mexico City dweller, was the sky, the air... Not just in this picture, but as we arrived, or later when a full moon rose. This city has beautiful air, and a very beautiful view. We later went for dinner to a place I heartily recommend to other non-vegetarian attendees:

Portuguese-style grill. Delicious. Of course, were I to go past it, I'd just drive on (as it had a very long queue waiting to enter). The secret: order by phone. Queue briefly to pick it up. Have somebody in the group wait for a table, or eat at the nearby Parc Lafontaine. And... thoroughly enjoy :-)

Anyway, I'm leaving for the venue, about to use the Bixi service for the first time. See you guys soon! (if you are at DebConf17, of course. And you should all be here!)


CryptogramHacking Slot Machines by Reverse-Engineering the Random Number Generators

Interesting story:

The venture is built on Alex's talent for reverse engineering the algorithms -- known as pseudorandom number generators, or PRNGs -- that govern how slot machine games behave. Armed with this knowledge, he can predict when certain games are likeliest to spit out money -- insight that he shares with a legion of field agents who do the organization's grunt work.

These agents roam casinos from Poland to Macau to Peru in search of slots whose PRNGs have been deciphered by Alex. They use phones to record video of a vulnerable machine in action, then transmit the footage to an office in St. Petersburg. There, Alex and his assistants analyze the video to determine when the games' odds will briefly tilt against the house. They then send timing data to a custom app on an agent's phone; this data causes the phones to vibrate a split second before the agent should press the "Spin" button. By using these cues to beat slots in multiple casinos, a four-person team can earn more than $250,000 a week.

It's an interesting article; I have no idea how much of it is true.

The sad part is that the slot-machine vulnerability is so easy to fix. Although the article says that "writing such algorithms requires tremendous mathematical skill," it's really only true that designing the algorithms requires that skill. Using any secure encryption algorithm or hash function as a PRNG is trivially easy. And there's no reason why the system can't be designed with a real RNG. There is some randomness in the system somewhere, and it can be added into the mix as well. The programmers can use a well-designed algorithm, like my own Fortuna, but even something less well-thought-out is likely to foil this attack.
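As an added example (not from Schneier's post or from any slot-machine vendor), here is the kind of fix the paragraph describes in working code: a generator whose core is a cryptographic hash (HMAC-SHA256 in counter mode), keyed from OS entropy and reseeded with fresh entropy. It is a teaching construction, not Fortuna; production code should use a vetted library.

```python
import hashlib
import hmac
import os
from typing import Optional


class HashDRBG:
    """Deterministic random bit generator with HMAC-SHA256 as the core.

    Each output block is HMAC(key, counter). Without the key, observing any
    number of past outputs gives no way to compute the next one, which is the
    property a naive PRNG lacks. The key comes from OS entropy (os.urandom)
    and is refreshed by reseed(), so the stream does not stay fixed either.
    """

    RESEED_INTERVAL = 1 << 16  # constructed policy: reseed after this many blocks

    def __init__(self, seed: Optional[bytes] = None) -> None:
        # Tests pass an explicit seed; production use leaves it None.
        self._key = hashlib.sha256(seed if seed is not None else os.urandom(32)).digest()
        self._counter = 0
        self._blocks_since_reseed = 0

    def reseed(self, extra_entropy: bytes) -> None:
        """Fold fresh entropy into the key; the old key is not recoverable from the new one."""
        self._key = hmac.new(self._key, b"reseed:" + extra_entropy, hashlib.sha256).digest()
        self._counter = 0
        self._blocks_since_reseed = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if self._blocks_since_reseed >= self.RESEED_INTERVAL:
                self.reseed(os.urandom(32))
            block = hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self._counter += 1
            self._blocks_since_reseed += 1
            out.extend(block)
        return bytes(out[:n])

    def randbelow(self, upper: int) -> int:
        """Uniform integer in [0, upper) via rejection sampling, avoiding modulo bias."""
        if upper <= 0:
            raise ValueError("upper must be positive")
        nbytes = (upper.bit_length() + 7) // 8
        span = 1 << (8 * nbytes)
        limit = span - span % upper  # largest multiple of upper that fits in nbytes
        while True:
            candidate = int.from_bytes(self.random_bytes(nbytes), "big")
            if candidate < limit:
                return candidate % upper


def spin(drbg: HashDRBG, reels: int = 3, symbols: int = 10) -> tuple:
    """One slot-machine-style draw: an independent uniform symbol index per reel."""
    return tuple(drbg.randbelow(symbols) for _ in range(reels))


if __name__ == "__main__":
    machine = HashDRBG()  # seeded from the OS entropy source
    print([spin(machine) for _ in range(5)])
```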

Worse Than FailureCredential Helper

[Image: El Born Centre Cultural, sala Casanova, keys to the Ciutadella dungeons]

John S. worked with a customer who still owned several Windows 2008/R2 servers. Occasionally during automated management and deployments, these machines threw exceptions because they weren't configured for remote management. One day, John caught an exception on a SQL box and remoted in to address the problem.

The RDP login process always felt like accessing a portal into the distant past. This time, just after the ancient Windows interface appeared, a Notepad document popped open. John skimmed the so-called Readme.txt file—then read through it again (grammatical errors preserved):

After reboot, please check the sql service is started.
If need the password for sql service account:
$svc.username [theActualEffingPassword]

If need the password for sql agent account:
$svc.agtusername [theActualEffingPassword]

If need the password for dba account:
dbaAcct [theActualEffingPassword]

Someone had set up this helpful logon task to open the file to anyone, absolutely anyone, who logged into the server.

Agape, John quickly regained his composure, finished his work on the remote machine, then killed the logon task. Afterward, he went home to see, in his words, "if [his] toaster wanted to take a bath."


Planet DebianMario Lang: If your software should be cross platform and accessible, forget about Qt

A few years ago, I started to write software whose primary audience is going to be blind musicians. I did a small presentation of the UI at DebConf15.

Most of the functionality is in a compiler-alike backend. But eventually, I wanted to create a user interface to improve the interactive experience.

So, the problem again: which toolkit to choose that would be accessible on most platforms? Last time I needed to solve a similar problem, I used Java/Swing. This has its problems, but it actually works on Windows, Linux and (supposedly) Mac. This time around, my implementation language is C++, so Swing didn't look that interesting. It appears there is not much that fulfils these requirements. Qt looked like it could. But since I had already had bad experiences with Qt claiming accessibility it really never implemented, I was at least a bit cautious. Around 10 years ago, when Qt 4 was released, I found that the documentation claimed that Qt4 was accessible on Linux, but it really never was until a very late 4.x release. This information was a blatant lie, trying to lure uninformed programmers into using Qt, much to the disservice of their disabled users. If you ask a random blind Windows user who knows a bit about toolkits, they will readily tell you that they hate every app written in Qt.

With this knowledge, and the spirit of "We can change the world", I wrote a private mail to the person responsible for maintaining Qt accessibility. I explained to them that I was about to choose Qt as the UI platform for my program, and that my primary audience is users who rely on Accessibility. I also explained that cross-platform support (esp. good support on Windows) is a necessary requirement for my project. I basically got a nice marketing speak answer back, but when I read it back then, I didn't fully realize that just yet. The tone, basically: "No problem. Qt works on Linux, Mac and Windows, and if you find any problems, just report them to us and we are going to fix them." Well, I was aware that I am not a paying customer of Qt Company, so the promise above is probably a bit vague (I thought), but still, it sounded quite encouraging.

So off I went, and started to learn enough Qt to implement the simple user interface I wanted. First tests on Linux seemed to work, that is nice. After a while, I started to test on Windows. And BANG, of course, there is a "hidden" problem. The most wide-spread (commercial) screen reader used by most blind people somehow does not see the content of text entry widgets. This was and still is a major problem for my project. I have a number of text entry fields in my UI. Actually, the main part of the UI is a simple editor, so you might see the problem already.

So some more testing was done, just to realize that yes, text entry fields indeed do not work with the most widely used screen reader on Windows. While other screen readers seemed to work (NVDA), it is simply not feasible to ask my future users to switch to a different screen reader just for a single program. So I either needed to get JAWS fixed, or drop Qt.

Well, after a lot of testing, I ended up submitting a bug to the Qt tracker. That was a little over a year ago. The turnaround time of private mail was definitely faster.

And now I get a reply to my bug explaining that JAWS was never a priority, still is not, and that my problem will probably go away after a rewrite which has no deadline yet.

Why did I expect this already?

At least now I know why no blind user wants to have any Qt on their machine.

If you want to write cross-platform accessible software: You definitely should not use Qt. And no other Free Software toolkit for that matter, because they basically all don't give a shit about accessibility on non-Linux platforms. Yes, GTK has a Windows port, but that isn't accessible at all. Yes, wxWindows has a Windows port, but that has problems with, guess what, text entry fields (at least last time I checked).

Free Software is NOT about Accessibility or equality. I have seen evidence for that claim for more than 15 years now. It is about coolness, self-staging, scratch-your-own-itchness and things like that. When Debian released Jessie, I was told that something like Accessibility is not important enough to delay the release. If GNOME just broke the whole help system by switching to not-yet-accessible webkit, that is just bad luck, I was told. But it is outside of the abilities of package maintainers to ensure that what we ship is accessible.

I hereby officially give up. And I admit my own stupidity. Sorry for claiming Free Software would be a good thing for the world. It is definitely not for my kin. If Free Software ever takes over, the blind will be unable to use their computers.

Don't get me wrong. I love my command-line. But as the well-known saying goes: "Free Software will be ready for the desktop user, perhaps, next year?"

The scratch-your-own-itch philosophy simply doesn't work together with a broad list of user requirements. If you want to support users with disabilities, you probably should not rely on hippie coders right now.

I repeat: If you want to write compliant software that would also be usable by people with disabilities, you cannot use Qt. For now, you will need to write a native UI for every platform you want to support. Oh, and do not believe Qt Company marketing texts; your users will suffer if you do.


Planet Linux AustraliaOpenSTEM: This Week in HASS – term 3, week 5

This week students in all year levels are working on their research project for the term. Our youngest students are looking at items and pictures from the past, while our older students are collecting source material for their project on Australian history.

Foundation/Prep/Kindy to Year 3

The focus of this term is an investigation into the past and how we can find out about past events. For students in Foundation/Prep/Kindy (Units F.1 and F-1.3), Years 1 (Unit 1.3), 2 (Unit 2.3) and 3 (Unit 3.3) it is recommended that the teacher bring in sources of information about the past for the students to examine. Teachers can tailor these to suit a particular direction for their class. Examples of possible sources include old toys, old books, historic photographs, texts and items about local history (including the school itself), images of old paintings, old newspaper articles which can be accessed online etc. OpenSTEM provides resources which can be used for these investigations: e.g. Historic Photographs of Families, Modes of Transport 100 Years Ago, Brisbane Through the Years, Perth Through the Years, resources on floods in Brisbane and Gundagai, bush fires in Victoria, on the different colonies in Australia etc. Teachers can also use the national and state resources such as the State Library of Queensland, particularly their Picture Archive; the State Library of NSW; the State Library of South Australia, particularly their images collection; the National Archives of Australia; Trove, which archives old newspapers in Australia; Museums Victoria, and many similar sites. Students should also be encouraged to bring material from home, which can be built up into a Class Museum.

Years 3 to 6

As students in Years 3 (Unit 3.7), 4 (Unit 4.3), 5 (Unit 5.3) and 6 (Unit 6.3) move into the period of gathering information from sources to address their research question, teachers should guide them to consider the nature of each source and how to record it. Resources such as Primary and Secondary Sources and Historical Sources aid in understanding the context of different kinds of sources and teachers should assist students to record the details of each source for their Method section of their Scientific Report. Recording these sources in detail is also essential for being able to compile a Bibliography, which is required to accompany the report. OpenSTEM resources are listed for each research topic for these units, but students (and teachers) should feel free to complement these with any additional material such as online collections of images and newspaper articles (such as those listed in the paragraph above). These will help students to achieve a more unique presentation for their report and demonstrate the ability to collate a variety of information, thus earning a higher grade. Using a wide range of sources will also give students a wider appreciation for their chosen topic in Australian history.

CryptogramNSA Collects MS Windows Error Information

Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports:

One example of the sheer creativity with which the TAO spies approach their work can be seen in a hacking method they use that exploits the error-proneness of Microsoft's Windows. Every user of the operating system is familiar with the annoying window that occasionally pops up on screen when an internal problem is detected, an automatic message that prompts the user to report the bug to the manufacturer and to restart the program. These crash reports offer TAO specialists a welcome opportunity to spy on computers.

When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA's powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.

The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer.

Although the method appears to have little importance in practical terms, the NSA's agents still seem to enjoy it because it allows them to have a bit of a laugh at the expense of the Seattle-based software giant. In one internal graphic, they replaced the text of Microsoft's original error message with one of their own reading, "This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine." ("Sigint" stands for "signals intelligence.")

The article talks about the (limited) value of this information with regard to specific target computers, but I have another question: how valuable would this database be for finding new zero-day Windows vulnerabilities to exploit? Microsoft won't have the incentive to examine and fix problems until they happen broadly among its user base. The NSA has a completely different incentive structure.

I don't remember this being discussed back in 2013.

EDITED TO ADD (8/6): Slashdot thread.

Planet DebianFrançois Marier: Time Synchronization with NTP and systemd

I recently ran into problems with generating TOTP 2-factor codes on my laptop. The fact that some of the codes would work and some wouldn't suggested a problem with time keeping on my laptop.

This was surprising since I've been running NTP for many years and have therefore never had to think about time synchronization. After realizing that ntpd had stopped working on my machine for some reason, I found that systemd provides an easier way to keep time synchronized.
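To show why a skewed clock makes TOTP codes fail only some of the time, here is an added example (not part of the original post) that implements RFC 6238 TOTP with the public RFC 4226 test-vector secret and measures how often a client whose clock runs a given number of seconds off the server gets its code accepted.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector secret: public, fine for a demo, never for a real account.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, tolerance: int = 0) -> bool:
    """Accept a code for the server's current step and up to `tolerance` steps either side."""
    current = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + k), code)
        for k in range(-tolerance, tolerance + 1)
    )


def acceptance_rate(offset_seconds: int, tolerance: int = 0, start: int = 1_500_000_000) -> float:
    """Fraction of the seconds within one step at which a client whose clock runs
    `offset_seconds` ahead of the server (negative = behind) gets its code accepted.
    `start` is a constructed server timestamp that sits exactly on a step boundary."""
    accepted = 0
    for t in range(start, start + STEP):
        client_code = totp(SECRET, t + offset_seconds)  # what the laptop would display
        accepted += verify(SECRET, client_code, t, tolerance)  # what the server decides
    return accepted / STEP


if __name__ == "__main__":
    for offset, tol in ((0, 0), (20, 0), (45, 0), (45, 1), (-45, 1)):
        rate = acceptance_rate(offset, tol)
        print(f"clock {offset:+4d}s, server tolerance +/-{tol} step: accepted {rate:.0%} of the time")
```

A 20 s skew against a strict server is accepted for only the first 10 s of every 30 s step, which is exactly the "some codes work, some don't" symptom; a server that tolerates one adjacent step pushes the failure point out to a 45 s skew.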

The new systemd time synchronization daemon

On a machine running systemd, there is no need to run the full-fledged ntpd daemon anymore. The built-in systemd-timesyncd can do the basic time synchronization job just fine.

However, I noticed that the daemon wasn't actually running:

$ systemctl status systemd-timesyncd.service 
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
           └─disable-with-time-daemon.conf
   Active: inactive (dead)
Condition: start condition failed at Thu 2017-08-03 21:48:13 PDT; 1 day 20h ago
     Docs: man:systemd-timesyncd.service(8)

referring instead to a mysterious "failed condition". Attempting to restart the service did provide more details though:

$ systemctl restart systemd-timesyncd.service 
$ systemctl status systemd-timesyncd.service 
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/systemd-timesyncd.service.d
           └─disable-with-time-daemon.conf
   Active: inactive (dead)
Condition: start condition failed at Sat 2017-08-05 18:19:12 PDT; 1s ago
           └─ ConditionFileIsExecutable=!/usr/sbin/ntpd was not met
     Docs: man:systemd-timesyncd.service(8)

The above check for the presence of /usr/sbin/ntpd points to a conflict between ntpd and systemd-timesyncd. The solution of course is to remove the former before enabling the latter:

apt purge ntp

Enabling time synchronization with NTP

Once the ntp package has been removed, it is time to enable NTP support in timesyncd.

Start by choosing the NTP server pool nearest you and put it in /etc/systemd/timesyncd.conf. For example, mine reads like this:

[Time]
NTP=ca.pool.ntp.org

before restarting the daemon:

systemctl restart systemd-timesyncd.service 

That may not be enough on your machine though. To check whether or not the time has been synchronized with NTP servers, run the following:

$ timedatectl status
...
 Network time on: yes
NTP synchronized: no
 RTC in local TZ: no

If NTP is not enabled, then you can enable it by running this command:

timedatectl set-ntp true

Once that's done, everything should be in place and time should be kept correctly:

$ timedatectl status
...
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no

Planet DebianDaniel Silverstone: STM32 and RTFM

I have been working with STM32 chips on-and-off for at least eight, possibly closer to nine years. About as long as ST have been touting them around. I love the STM32, and have done much with them in C. But, as my previous two posts may have hinted, I would like to start working with Rust instead of C. To that end, I have been looking with great joy at the work which Jorge Aparicio has been doing around Cortex-M3 and Rust. I've had many comments in person at Debconf, and also several people mention on Twitter, that they're glad more people are looking at this. But before I can get too much deeper into trying to write my USB stack, I need to sort a few things from what Jorge has done as demonstration work.

Okay, this is fast, but we need Ludicrous speed

All of Jorge's examples seem to leave the system clocks in a fairly default state, excepting turning on the clocks to the peripherals needed during the initialisation phase. Sadly, if we're going to be running the USB at all, we need the clocks to run a tad faster. Since my goal is to run something moderately CPU intensive on the end of the USB too, it makes sense to try and get our STM32 running at maximum clock speed. For the one I have, that's 72MHz rather than the 8MHz it starts out with. Nine times more cycles to do computing in makes a lot of sense.

As I said above, I've been doing STM32 in C a lot for many years; and fortunately I have built systems with the exact chip that's on the blue-pill before. As such, if I rummage, I can find some old C code which does what we need...

    /* Enable HSE */
    RCC_HSEConfig(RCC_HSE_ON);

    /* Wait till HSE is ready */
    HSEStartUpStatus = RCC_WaitForHSEStartUp();

    if (HSEStartUpStatus == SUCCESS)
    {
      /* Enable Prefetch Buffer */
      FLASH_PrefetchBufferCmd(FLASH_PrefetchBuffer_Enable);
      /* Flash 2 wait state */
      FLASH_SetLatency(FLASH_Latency_2);

      /* HCLK = SYSCLK */
      RCC_HCLKConfig(RCC_SYSCLK_Div1);
      /* PCLK2 = HCLK */
      RCC_PCLK2Config(RCC_HCLK_Div1);
      /* PCLK1 = HCLK/2 */
      RCC_PCLK1Config(RCC_HCLK_Div2);
      /* ADCCLK = PCLK2/6 */
      RCC_ADCCLKConfig(RCC_PCLK2_Div6);
      /* PLLCLK = 8MHz * 9 = 72 MHz */
      RCC_PLLConfig(RCC_PLLSource_HSE_Div1, RCC_PLLMul_9);

      /* Enable PLL */
      RCC_PLLCmd(ENABLE);
      /* Wait till PLL is ready */
      while (RCC_GetFlagStatus(RCC_FLAG_PLLRDY) == RESET)
      {}

      /* Select PLL as system clock source */
      RCC_SYSCLKConfig(RCC_SYSCLKSource_PLLCLK);
      /* Wait till PLL is used as system clock source */
      while (RCC_GetSYSCLKSource() != 0x08)
      {}
    }

This code, rather conveniently, uses an 8MHz external crystal so we can almost direct-port it to the blue-pill Rust code and see how we go. If you're used to the CMSIS libraries for STM32, then you won't completely recognise the above since it uses the pre-CMSIS core libraries to do its thing. Library code from 2008 and it's still good on today's STM32s providing they're in the right family :-)

A direct conversion to Rust, using Jorge's beautifully easy to work with crates made from svd2rust results in:

    fn make_go_faster(rcc: &RCC, flash: &FLASH) {
        rcc.cr.modify(|_, w| w.hseon().enabled());
        while !rcc.cr.read().hserdy().is_ready() {}
        flash.acr.modify(|_, w| w.prftbe().enabled());
        flash.acr.modify(|_, w| w.latency().two());
        rcc.cfgr.modify(|_, w| w
                        .hpre().div1()
                        .ppre2().div1()
                        .ppre1().div2()
                        // .adcpre().bits(8)
                        .pllsrc().external()
                        .pllxtpre().div1()
                        .pllmul().mul9()
        );
        rcc.cr.modify(|_, w| w.pllon().enabled());
        while rcc.cr.read().pllrdy().is_unlocked() {}
        rcc.cfgr.modify(|_,w| w.sw().pll());
        while !rcc.cfgr.read().sws().is_pll() {}
    }

Now, I've not put in the comments which were in the C code, because I'm being very lazy right now, but if you follow the two together you should be able to work it through. I don't have timeouts for the waits, and you'll notice a single comment there (I cannot set up the ADC prescaler because for some reason the SVD is missing any useful information and so the generated crate only carries an unsafe function (bits()) and I'm trying to steer clear of unsafe for now). Still, I don't need the ADC immediately, so I'm okay with this.

By using this function in the beginning of the init() function of the blinky example, I can easily demonstrate the clock is going faster since the LED blinks more quickly.

This function demonstrates just how simple it is to take bit-manipulation from the C code and turn it into (admittedly bad looking) Rust with relative ease and without any of the actual bit-twiddling. I love it.

Mess with time, and you get unexpected consequences

Sadly, when you mess with the clock tree on a microcontroller, you throw a lot of things out of whack. Not least, by adjusting the clock frequency up we end up adjusting the AHB, APB1, and APB2 clock frequencies. This has direct consequences for peripherals floating around on those busses. Fortunately Jorge thought of this and while the blue-pill crate hard-wires those frequencies to 8MHz, they are, at least, configurable in code in some sense.

If we apply the make_go_faster() function to the serial loopback example, it simply fails to work because now the bus which the USART1 peripheral is connected to (APB2) is going at a different speed from the expected power-on default of 8MHz. If you remember from the function, we did .hpre().div1() which set HCLK to 72MHz, then .ppre1().div2() which sets the APB1 bus clock to be HCLK divided by 2, and .ppre2().div1() which sets the APB2 bus clock to be HCLK. This means that we'd need to alter src/lib.rs to reflect these changes in the clock frequencies, and in theory loopback would start working once more.
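As an added example (my own code, not the post's make_go_faster() and not part of Jorge's crates), here is a plain-Rust model of the STM32F103 clock tree that the function above configures. It takes the PLL multiplier and prescalers as plain numbers rather than CFGR bit patterns, checks the limits from the STM32F10x reference manual (72 MHz SYSCLK, 36 MHz APB1, the flash wait states, and the PLL/1.5 USB prescaler that gives the USB block its 48 MHz, which the post has not got to yet), and shows concretely why the serial loopback breaks: a USART1 BRR divisor worked out for the 8 MHz default sends at roughly 1 Mbaud once APB2 is at 72 MHz. All type and function names are mine.

```rust
// Added example, not code from the post or from Jorge Aparicio's crates:
// a host-side model of the STM32F103 clock tree set up by make_go_faster().
// Limits are from the STM32F10x reference manual; names are mine.

/// External crystal on the blue-pill board.
pub const HSE_HZ: u32 = 8_000_000;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Clocks {
    pub sysclk: u32, // PLL output, selected as the system clock
    pub hclk: u32,   // AHB clock (HPRE)
    pub pclk1: u32,  // APB1 clock (PPRE1), limited to 36 MHz
    pub pclk2: u32,  // APB2 clock (PPRE2), where USART1 lives
    pub usbclk: u32, // PLL clock, divided by 1.5 when USBPRE is clear
}

/// Compute the bus clocks from the PLL multiplier and the three prescalers.
/// Divisors are plain numbers (div1 -> 1, div2 -> 2, ...), not register encodings.
pub fn clock_tree(
    hse_hz: u32, pllmul: u32, hpre: u32, ppre1: u32, ppre2: u32, usb_div_1_5: bool,
) -> Result<Clocks, &'static str> {
    if !(2..=16).contains(&pllmul) {
        return Err("PLLMUL must be in 2..=16");
    }
    if hpre == 0 || ppre1 == 0 || ppre2 == 0 {
        return Err("prescaler divisors must be non-zero");
    }
    let sysclk = hse_hz * pllmul;
    if sysclk > 72_000_000 {
        return Err("SYSCLK above 72 MHz is out of spec for the STM32F103");
    }
    let hclk = sysclk / hpre;
    let pclk1 = hclk / ppre1;
    let pclk2 = hclk / ppre2;
    if pclk1 > 36_000_000 {
        return Err("APB1 (PCLK1) must not exceed 36 MHz: use .ppre1().div2()");
    }
    // USBPRE = 0 divides the PLL clock by 1.5: 72 MHz -> 48 MHz, which the USB block needs.
    let usbclk = if usb_div_1_5 { sysclk / 3 * 2 } else { sysclk };
    Ok(Clocks { sysclk, hclk, pclk1, pclk2, usbclk })
}

/// FLASH_ACR wait states needed for a SYSCLK: 0 up to 24 MHz, 1 up to 48 MHz, 2 up to 72 MHz.
pub fn flash_latency(sysclk: u32) -> u8 {
    match sysclk {
        0..=24_000_000 => 0,
        24_000_001..=48_000_000 => 1,
        _ => 2,
    }
}

/// USART BRR for 16x oversampling: the 12.4 fixed-point USARTDIV, written as one
/// integer, is simply round(fck / baud).
pub fn usart_brr(pclk: u32, baud: u32) -> u16 {
    ((pclk + baud / 2) / baud) as u16
}

/// The baud rate a USART really produces for a given BRR on a given bus clock.
pub fn actual_baud(pclk: u32, brr: u16) -> u32 {
    pclk / (brr as u32).max(1)
}

fn main() {
    let c = clock_tree(HSE_HZ, 9, 1, 2, 1, true).expect("valid configuration");
    println!("{:?}, flash latency {} ws", c, flash_latency(c.sysclk));
    // What a src/lib.rs that still believes APB2 runs at 8 MHz would program into BRR.
    let stale = usart_brr(HSE_HZ, 115_200);
    println!(
        "BRR {} on APB2 at {} Hz gives {} baud, not 115200",
        stale, c.pclk2, actual_baud(c.pclk2, stale)
    );
    println!("BRR needed for 115200 baud at 72 MHz: {:#x}", usart_brr(c.pclk2, 115_200));
}
```

The check on PCLK1 is the one that bites in practice: .ppre1().div1() compiles and runs, but APB1 peripherals (including the USB block's register interface) are then clocked out of spec.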

It'd be awkward to try and demonstrate all that to you since I only have a phone camera to hand, but if you own a blue-pill then you can clone Jorge's repo and have a go yourself and see that I'm not bluffing you.

With all this done, it'll be time to see if we can bring the USB peripheral in the STM32 online, and that will be the topic of my next post in this discovery series.

Planet DebianJoachim Breitner: Communication Failure

I am still far from being a professor, but I recently got a glimpse of what awaits you in that role…

From: Sebastian R. <…@gmail.com>
To: joachim@cis.upenn.edu
Subject: re: Errors

I've spotted a basic error in your course on Haskell (https://www.seas.upenn.edu/~cis194/fall16/). Before I proceed, it's cool if you're not receptive to errors being indicated; I've come across a number of professors who would rather take offense than admit we're all human and thus capable of making mistakes... My goal is to find a resource that might be useful well into the future, and a good indicator of that is how responsive the author is to change.

In your introduction note you have written:

In contrast to a classical intro into Haskell, we do not start with numbers, booleans, tuples, lists and strings, but we start with pictures. These are of course library-defined (hence the input CodeWorld) and not part of “the language”. But that does not make them less interesting, and in fact, even the basic boolean type is library defined – it just happens to be the standard library.

However, there is no input CodeWorld in the code above. Have you been made aware of this error earlier?

Regards, ...

Nice. I like it when people learn from my lectures. The introduction is a bit weird, but ok, maybe this guy had some bad experiences.

Strangely, I don’t see a mistake in the material, so I respond:

From: Joachim Breitner <joachim at cis dot upenn dot edu>
To: Sebastian R. <…@gmail.com>
Subject: Re: Errors

Dear Sebastian,

thanks for pointing out errors. But the first piece of code under “Basic Haskell” starts with

{-# LANGUAGE OverloadedStrings #-}
import CodeWorld

so I am not sure what you are referring to.

Note that these are lecture notes, so you have to imagine a lecturer editing code live on stage along with it. If you only have the notes, you might have to infer a few things.

Regards, Joachim

A while later, I receive this response:

From: Sebastian R. <…@gmail.com>
To: Joachim Breitner <joachim at cis dot upenn dot edu>
Subject: Re: Errors

Greetings, Joachim.

Kindly open the lecture slides and search for "input CodeWorld" to find the error; it is not in the code, but in the paragraph that implicitly refers back to the code.

You might note that I quoted this precisely from the lectures... and so I repeat myself... this came from your lectures; they're not my words!

In contrast to a classical intro into Haskell, we do not start with numbers, booleans, tuples, lists and strings, but we start with pictures. These are of course library-defined (hence the input CodeWorld) and not part of “the language”. But that does not make them less interesting, and in fact, even the basic boolean type is library defined – it just happens to be the standard library.

This time around, I've highlighted the issue. I hope that made it easier for you to spot...

Nonetheless, I got my answer. Don't reply if you're going to fight tooth and nail about such a basic fix; it's simply a waste of both of our time. I'd rather learn from somewhere else...

On Tue, Aug 1, 2017 at 11:19 PM, Joachim Breitner <joachim at cis dot upenn dot edu> wrote:

I am a bit reminded of Sean Spicer … “they’re not my words!” … but clearly I am missing something. And indeed I am: In the code snippet, I wrote – correctly – import CodeWorld, but in the text I had input CodeWorld. I probably did write LaTeX before writing the lecture notes. Well, glad to have that sorted out. I fixed the mistake and wrote back:

From: Joachim Breitner <joachim at cis dot upenn dot edu>
To: Sebastian R. <…@gmail.com>
Subject: Re: Errors

Dear Sebastian,

nobody is fighting, and I see the mistake now: The problem is not that the line is not in the code, the problem is that there is a typo in the line and I wrote “input” instead of “import”.

Thanks for the report, although you did turn it into quite a riddle… a simple “you wrote import when it should have been import” would have been a better use of both our time.

Regards, Joachim

On Thursday, 03.08.2017, 13:32 +1000, Sebastian R. wrote:

(And it seems I now made the inverse typo, writing “import” instead of “input”.) Anyway, I did not think of this any more until a few days later, when I found this nice message in my mailbox:

From: Sebastian R. <…@gmail.com>
To: Joachim Breitner <joachim at cis dot upenn dot edu>
Subject: Re: Errors

a simple “you wrote import when it should have been import” would have been a better use of both our time.

We're both programmers. How about I cut ALL of the unnecessary garbage and just tell you to s/import/input/ on that last quotation (the thing immediately before this paragraph, in case you didn't know).

I blatantly quoted the error, like this:

In your introduction note you have written:

In contrast to a classical intro into Haskell, we do not start with numbers, booleans, tuples, lists and strings, but we start with pictures. These are of course library-defined (hence the input CodeWorld) and not part of “the language”. But that does not make them less interesting, and in fact, even the basic boolean type is library defined – it just happens to be the standard library.

However, there is no input CodeWorld in the code above.

Since that apparently wasn't clear enough, in my second email to you I had to highlight it like so:

You might note that I quoted this precisely from the lectures... and so I repeat myself... this came from your lectures; they're not my words!

In contrast to a classical intro into Haskell, we do not start with numbers, booleans, tuples, lists and strings, but we start with pictures. These are of course library-defined (hence the input CodeWorld) and not part of “the language”. But that does not make them less interesting, and in fact, even the basic boolean type is library defined – it just happens to be the standard library.

This time around, I've highlighted the issue. I hope that made it easier for you to spot...

I'm not sure if you're memeing at me or not now, but it seems either your reading comprehension, or your logical deduction skills might be substandard. Unfortunately, there isn't much either of us can do about that, so I'm happy to accept that some people will be so stupid; after all, it's to be expected and if we don't accept that which is to be expected then we live our lives in denial.

Happy to wrap up this discussion here, Seb...

On Fri, Aug 4, 2017 at 12:22 AM, Joachim Breitner <joachim at cis dot upenn dot edu> wrote:

Well, I chose to be amused by this, and I am sharing my amusement with you.

Planet DebianFoteini Tsiami: Internationalization, part four: localization

Now, I am working on the fourth part of my Outreachy project, which is the localization of the just-internationalized LTSP Manager software. Specifically, I am translating every message of the application’s GUI from English to Greek (the reverse task from part 1), using the “Translations” environment of Launchpad, which my mentors pointed out to me.

I am writing this post from Montreal, where I have traveled in order to attend the 18th DebConf and present my Outreachy project to the Debian community. My mentor and I are giving a joint presentation titled: LTSP Manager: how 1000+ Greek schools switched to Debian-based distributions.

Last but not least, I would like to mention that today, to my great surprise, when I logged in to the Launchpad translation environment, I saw that a Czech translation of the LTSP Manager software had started! The internationalization of the LTSP Manager software progresses well: it is already available in English and very soon in Greek and Czech!


Planet DebianBits from Debian: DebConf17 starts today in Montreal


DebConf17, the 18th annual Debian Conference, is taking place in Montreal, Canada from August 6 to August 12, 2017.

Debian contributors from all over the world have come together at Collège Maisonneuve during the preceding week for DebCamp (focused on individual work and team sprints for in-person collaboration developing Debian), and the Open Day on August 5th (with presentations and workshops of interest to a wide audience).

Today the main conference starts with nearly 400 attendees and over 120 activities scheduled, including 45- and 20-minute talks and team meetings, workshops, a job fair, talks from invited speakers, as well as a variety of other events.

The full schedule at https://debconf17.debconf.org/schedule/ is updated every day, including activities planned ad-hoc by attendees during the whole conference.

If you want to engage remotely, you can follow the video streaming of the events happening in the three talk rooms: Buzz (the main auditorium), Rex, and Bo, or join the conversation about what is happening in the talk rooms: #debconf17-buzz, #debconf17-rex and #debconf17-bo, and the BoF (discussions) rooms: #debconf17-potato and #debconf17-woody (all those channels in the OFTC IRC network).

DebConf is committed to a safe and welcoming environment for all participants. See the DebConf Code of Conduct and the Debian Code of Conduct for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf17, particularly our Platinum Sponsors Savoir-Faire Linux, Hewlett Packard Enterprise, and Google.

Sam VargheseLions’ coach Ackermann asleep at the wheel again

Last year, Johan Ackermann, the coach of South Africa’s Lions super rugby team was literally asleep during the final against the Hurricanes. His team lost to the Hurricanes 3-20.

This year, he appeared to be dozing again as his team lost, only to a different New Zealand team, the Crusaders.

The Lions lost a player to a red card about a minute before half-time but given the inherent advantages they had — they were playing at home, at altitude which made the visitors prone to running out of gas, and in dry weather which has always suited them — they could still have won.

The Lions were trailing 3-15 at half-time and this being a game where the winner would end up taking all, they should have used the kickable penalties they were awarded in the second half to move closer on the scoreboard. But for some mysterious reason, they kept going for touch and aiming for a try instead. At least two kickable penalties were wasted in this manner; a score of 9-15 would have given the home team that much more fire in their bellies in the final run home.

The Lions lost loose forward Kwagga Smith a minute before half-time when he collided with Crusaders’ full-back David Havili who had gone up to take a high kick. Smith had no chance of taking the ball and did not go up in the air to contest it either, but just stood there like a water buffalo; it resulted in Havili’s tripping over him and taking a very dangerous toss. Referee Jaco Peyper had no option but to send Smith off.

(As an aside, it is interesting to note the difference in the way that referees react to the likelihood of head and neck injuries these days. I remember a Test match in 2003, when Australia’s Wendell Sailor tackled All Black Mils Muliaina while the latter was in the air. It was much more dangerous than what Smith did but Sailor only got a yellow card.)

The Lions failed to learn from their previous win, against the Waikato Chiefs in the semi-finals. In that game, the Chiefs were terribly tired towards the latter half of the game and, after leading by a big margin at half-time, were beaten 44-29. The trip from New Zealand to Johannesburg and playing at altitude really took its toll.

Thus Ackermann should have told his men to keep the gap between the two teams on the scoreboard as small as possible and go for broke in the last 10 minutes when the Crusaders would be feeling the effects of altitude and the long flight. But by the 62nd minute, when the Lions got their first try, the score had blown out to 3-25. It could well have been 9-25.

(It must be noted that the Crusaders’ coach Scott Robertson displayed a great deal of intelligence in his substitutions, bringing on players off the bench to ensure that those who took the field at the start were not exhausted before they were replaced.)

Given that the Lions also scored with about seven minutes left, taking those two kickable penalties would have put them within two points. And that would have no doubt given them additional energy to fight it out, especially in front of a vociferous home crowd that filled the stadium to its maximum.

Alas, poor instructions from Ackermann again played the Lions false. This is his last game as coach; maybe the man who replaces him will realise that a coach can do a great deal to help a team win.

Don MartiPragmatists for copyleft, or, corporate hive minds don't accept software licenses

One of the common oversimplifications in discussing open-source software licenses is that copyleft licenses are "idealistic" while non-copyleft licenses are "pragmatic." But that's not all there is to it.

The problem is that most people redistributing licensed code are doing so in an organizational context. And no human organization is a hive mind where those who participate within it subordinate their goals to that of the collective. Human organizations are full of people with their own motivations.

Instead of treating the downstream developer's employer as a hive mind, it can be more productive to assume good faith on the part of the individual who intends to contribute to the software, and think about the license from the point of view of a real person.

Releasing source for a derivative work costs time and money. The well-intentioned "downstream" contributor wants his or her organization to make those investments, but he or she has to make a case for them. The presence of copyleft helps steer the decision in the right direction. Jane Hacker at an organization planning to release a derivative work can say, matter-of-factly, "we need to comply with the upstream license" if copyleft is involved. The organization is then more likely to do the right thing. There are always violations, but the license is a nudge in the right direction.

(The extreme case is university licensing offices. University-owned software patents can exclude a graduate student from his or her own project when the student leaves the university, unless he or she had the foresight to build it as a derivative work of something under copyleft.)

Copyleft isn't a magic commons-building tool, and it isn't right for every situation. But it can be enough to push an organization over the line. (One place where I worked had to do a source release for one dependency licensed under GPLv2, and it turned out to be easiest to just build one big source code release with all the dependencies in it, and offer that.)

Don MartiMore random links

Not the Google story everyone is talking about, but related: Google Is Matching Your Offline Buying With Its Online Ads, But It Isn’t Sharing How. (If a company becomes known for doing creepy shit, it will get job applications from creepy people, and at a large enough company some of them will get hired. Related: The Al Capone theory of sexual harassment)

Least surprising news story ever: The Campaign Against Facebook And Google's Ad "Duopoly" Is Going Nowhere. Independent online publishers can't beat the big surveillance marketing companies at surveillance marketing? How about they try to beat Amazon and Microsoft at cloud services, or Apple and Lenovo at laptop computers? There are possible winning strategies for web publishers, but doing the same as the incumbents with less money and less data is not one of them.

Meanwhile, from an investor point of view: It’s the Biggest Scandal in Tech (and no one’s talking about it) Missing the best investment advice: get out of any B-list adtech company that is at risk of getting forced into a low-value acquisition by a sustained fraud story. Or short it and research the fraud story yourself.

Did somebody at The Atlantic get a loud phone notification during a classical music concert or something? Your Smartphone Reduces Your Brainpower, Even If It's Just Sitting There and Have Smartphones Destroyed A Generation?, by Jean M. Twenge, The Atlantic

Good news: Math journal editors resign to start rival open-access journal

Apple’s Upcoming Safari Changes Will Shake Up Ad Tech: Not surprisingly, Facebook and Amazon are the big winners in this change. Most of their users come every day or at least every week. And even the mobile users click on links often, which, on Facebook, takes them to a browser. These companies will also be able to buy ad inventory on Safari at lower prices because many of the high-dollar bidders will go away. A good start by Apple, but other browsers can do better. (Every click on a Facebook ad from a local business is $0.65 of marketing money that's not going to local news, Little League sponsorships, and other legit places.)

Still on the upward slope of the Peak Advertising curve: Facebook 'dark ads' can swing political opinions, research shows

You’re more likely to hear from tech employers if you have one of these 10 things on your resume (and only 2 of them are proprietary. These kids today don't know how good they have it.)

The Pac-Man Rule at Conferences

How “Demo-or-Die” Helped My Career


Planet DebianBits from Debian: Google Platinum Sponsor of DebConf17


We are very pleased to announce that Google has committed support to DebConf17 as a Platinum sponsor.

Google is one of the largest technology companies in the world, providing a wide range of Internet-related services and products such as online advertising technologies, search, cloud computing, software, and hardware.

Google has been supporting Debian by sponsoring DebConf for more than ten years, and at gold level since DebConf12.

With this additional commitment as Platinum Sponsor for DebConf17, Google helps make our annual conference possible, and directly supports the progress of Debian and Free Software, helping to strengthen the community that continues to collaborate on Debian projects throughout the rest of the year.

Thank you very much Google, for your support of DebConf17!

DebConf17 is starting!

Many Debian contributors are already taking advantage of DebCamp and the Open Day to work individually or in groups developing and improving Debian. DebConf17 will officially start on August 6, 2017. Visit the DebConf17 website at https://debconf17.debconf.org for the schedule, live streaming and other details.

Planet DebianLars Wirzenius: Enabling TRIM/DISCARD on Debian, ext4, luks, and lvm

I realised recently that my laptop isn't set up to send TRIM or DISCARD commands to its SSD. That means the SSD firmware has a harder time doing garbage collection (see the linked Wikipedia page for more details.)

After some searching, I found two articles by Christopher Smart: one, update. Those, plus some additional reading of documentation, and a little experimentation, allowed me to do this. Since the information is a bit scattered, here are the details, for Debian stretch, as much for my own memory as to make sure this is collected into one place.

  • Append ,discard to the fourth column on relevant lines in /etc/crypttab. For me, this means the fourth column should be luks,discard.
  • Change the line in /etc/lvm/lvm.conf that says issue_discards = 0 to issue_discards = 1.
  • Append rd.luks.options=discard to the GRUB_CMDLINE_LINUX_DEFAULT value in /etc/default/grub
  • Run sudo update-grub
  • Run sudo update-initramfs -u
  • Reboot.
  • Run sudo fstrim -av - if this works, you're good! If it gives you errors, then you get to debug. I have no idea what I'm talking about.
  • Copy /usr/share/doc/util-linux/examples/fstrim.* to /etc/systemd/system and run sudo systemctl enable fstrim.timer. This will tell systemd to run fstrim every week. (If you don't use systemd you'll have to adapt the systemd bits mentioned here. I've no idea how.)

Note that it seems to be a possible information leak to TRIM encrypted devices. I don't know the details, but if that bothers you, don't do it.

I don't know of any harmful effects for enabling TRIM for everything, except the crypto bit above, so I wonder if it wouldn't make sense for the Debian installer to do this by default.

Planet DebianDaniel Silverstone: USB Device Stacks, on RTFM, part 2

Previously we talked about all the different kinds of descriptors which USB devices use to communicate their capability. This is important stuff because to write any useful USB device firmware we need to be able to determine how to populate our descriptors. However, having that data on the device is entirely worthless without an understanding of how it gets from the device to the host so that it can be acted upon. To understand that, let's look at the USB wire protocol.

Note, I'll again be talking mostly about USB2.0 low- and full-speed. I believe that high speed is approximately the same but with faster wires, except not quite that simple.

Down to the wire

I don't intend to talk about the actual electrical signalling, though it's not unreasonable for you to know that USB is a pair of wires forming a differentially signalled bidirectional serial communications link. The host is responsible for managing all the framing and timing on the link, and for formatting the communications into packets.

There are a number of packet types which can appear on the USB link:

  • Token packet (SETUP, IN or OUT): When the host wishes to send a message to the Control endpoint to configure the device, read data IN, or write data OUT, it uses this to start the transaction.
  • Data0/Data1 packet: Following a Setup, In, or Out token, a Data packet is a transfer of data (in either direction). The 0 and 1 alternate to provide a measure of confidence against lost packets.
  • Handshake packet: Following a data packet of some kind, the other end may ACK the packet (all was well), NAK it (the device cannot, temporarily, send or receive data, or an interrupt endpoint has nothing to report), or STALL (the endpoint is halted or the request is not supported), in which case the host needs to intervene.
  • Start of Frame packet: Every 1ms (full-speed) the host will send a SOF packet which carries a frame number. This can be used to help keep time on very simple devices. It also divides the bus into frames within which bandwidth is allocated.

As an example, when the host wishes to perform a control transfer, the following packets are transacted in turn:

  1. Setup Token - The host addresses the device and endpoint (OUT0)
  2. Data0 Packet - The host transmits a GET_DESCRIPTOR for the device descriptor
  3. Ack Packet - The device acknowledges receipt of the request

This marks the end of the first transaction. The device decodes the GET_DESCRIPTOR request and prepares the device descriptor (18 bytes long) for transmission. The transmission occurs as the next transaction on the bus. In this example, we're assuming an 8 byte maximum packet size, for illustrative purposes.

  1. In Token - The host addresses the device and endpoint (IN0)
  2. Data1 Packet - The device transmits the first 8 bytes of the descriptor
  3. Ack Packet - The host acknowledges the data packet
  4. In Token - The host addresses the device and endpoint (IN0)
  5. Data0 Packet - The device transmits the next 8 bytes of the descriptor
  6. Ack Packet - The host acknowledges the data packet
  7. In Token - The host addresses the device and endpoint (IN0)
  8. Data1 Packet - The device transmits the remaining 2 bytes; a packet shorter than the maximum packet size is how the host learns that the transfer is complete
  9. Ack Packet - The host acknowledges the data packet

The second transaction is now complete, and the host has all the data it needs to proceed. Finally a status transaction occurs in which:

  1. Out Token - The host addresses the device and endpoint (OUT0)
  2. Data1 Packet - The host transmits a 0 byte data packet to indicate successful completion
  3. Ack Packet - The device acknowledges the completion, indicating its own satisfaction

And thus ends the full control transaction in which the host retrieves the device descriptor.

From a high level, we need only consider the activity which occurs at the point of the acknowledgement packets. In the above example:

  1. On the first ACK the device prepares IN0 to transmit the descriptor, readying whatever low level device stack there is with a pointer to the descriptor and its length in bytes.
  2. On the second and third ACKs the low levels are still thinking, feeding the next 8 bytes to IN0.
  3. On the fourth ACK the transmission from IN0 is complete and the endpoint no longer expects to transfer data.
  4. On the fifth ACK the control transaction is entirely complete.

Thinking at the low levels of the control interface

Before we can build a high level USB stack, we need to consider the activity which might occur at the lower levels. At the low levels, particularly of the device control interface, work has to be done at each and every packet. The hardware likely deals with the token packet for us, leaving the data packets for us to process, and the resultant handshake packets will be likely handled by the hardware in response to our processing the data packets.

Since every control transaction is initiated by a setup token, let's look at the setup requests which can come our way...

Setup Packet (Data) Format (offsets and lengths in bytes; the 16 bit fields are little-endian):

  • bmRequestType (byte 0, 1 byte, bitmap): Describes the kind of request, and the target of it. See below.
  • bRequest (byte 1, 1 byte, code): The request code itself; the meanings of the rest of the fields vary by bRequest.
  • wValue (bytes 2-3, 2 bytes, number): A 16 bit value whose meaning varies by request type.
  • wIndex (bytes 4-5, 2 bytes, number): A 16 bit value whose meaning varies by request type but typically encodes an interface number or endpoint.
  • wLength (bytes 6-7, 2 bytes, number): A 16 bit value indicating the length of the transfer to come.

Since bRequest is essentially a switch against which multiple kinds of setup packet are selected between, here's the meanings of a few...

GET_DESCRIPTOR (Device) setup packet:

  • bmRequestType = 0x80: Data direction is IN (from device to host, bit 7 set), standard request, recipient is the device
  • bRequest = 0x06: GET_DESCRIPTOR (in this instance, the device descriptor is requested)
  • wValue = 0x0100: The descriptor type in the high byte (0x01 = device) and the descriptor index in the low byte
  • wIndex = 0x0000: Irrelevant, there's only 1 device descriptor anyway
  • wLength = 18 (0x12): This is the length of a device descriptor (18 bytes); hosts sometimes ask for a different wLength, and the device must never send more than was requested

SET_ADDRESS to set a device's USB address:

  • bmRequestType = 0x00: Data direction is OUT (from host to device), standard request, recipient is the device
  • bRequest = 0x05: SET_ADDRESS (Set the device's USB address)
  • wValue = 0x00nn: The address for the device to adopt (max 127)
  • wIndex = 0x0000: Irrelevant for address setting
  • wLength = 0: There's no data transfer expected for this setup operation

Most hardware blocks will implement an interrupt at the point that the Data packet following the Setup packet has been received. This is typically called receiving a 'Setup' packet and then it's up to the device stack low levels to determine what to do and dispatch a handler. Otherwise an interrupt will fire for the IN or OUT tokens and if the endpoint is zero, the low level stack will handle it once more.

One final thing worth noting about SET_ADDRESS is that it doesn't take effect until the completion of the zero-length "status" transaction following the setup transaction. As such, the status request from the host will still be sent to address zero (the default for new devices).

A very basic early "packet trace"

This is an example, and is not guaranteed to be the packet sequence in all cases. It's a good indication of the relative complexity involved in getting a fresh USB device onto the bus though...

When a device first attaches to the bus, the bus is in RESET state and so the first event a device sees is a RESET which causes it to set its address to zero, clear any endpoints, clear the configuration, and become ready for control transfers. Shortly after this, the device will become suspended.

Next, the host kicks in and sends a port reset of around 30ms. After this, the host is ready to interrogate the device.

The host sends a GET_DESCRIPTOR to the device, whose address at this point is zero. Using the information it receives from this, it can set up the host-side memory buffers since the device descriptor contains the maximum transfer size which the device supports.

The host is now ready to actually 'address' the device, and so it sends another reset to the device, again around 30ms in length.

The host sends a SET_ADDRESS control request to the device, telling it that its new address is nn. Once the acknowledgement has been sent from the host for the zero-data status update from the device, the device sets its internal address to the value supplied in the request. From now on, the device shall respond only to requests to nn rather than to zero.

At this point, the host will begin interrogating further descriptors, looking at the configuration descriptors and the strings, to build its host-side representation of the device. These will be GET_DESCRIPTOR and GET_STRING_DESCRIPTOR requests and may continue for some time.

Once the host has satisfied itself that it knows everything it needs to about the device, it will issue a SET_CONFIGURATION request which basically starts everything up in the device. Once the configuration is set, interrupt endpoints will be polled, bulk traffic will be transferred, Isochronous streams begin to run, etc.
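The setup-packet decoding and the SET_ADDRESS latch from the trace above, as an added example in Rust (not code from the original post or from RTFM): it parses the 8 data bytes of a SETUP transaction, classifies GET_DESCRIPTOR (device) and SET_ADDRESS, and only adopts the new address once the status stage completes. It uses the USB 2.0 spec's encoding, with bit 7 of bmRequestType as the IN direction bit, the descriptor type in the high byte of wValue, and the 18-byte device descriptor length from the descriptor table in the earlier part of this series; the packets and the address 42 in main are constructed sample data.

```rust
// Added example (not from the original post): decode the 8-byte setup packet
// described above and model the SET_ADDRESS latch, which only takes effect
// once the zero-length status stage of that control transfer completes.

/// bmRequestType bit 7: 1 = IN (device to host), 0 = OUT (host to device).
const DIR_IN: u8 = 0x80;
/// Standard request codes (USB 2.0 chapter 9).
const REQ_SET_ADDRESS: u8 = 0x05;
const REQ_GET_DESCRIPTOR: u8 = 0x06;
/// Descriptor type carried in the high byte of wValue for GET_DESCRIPTOR.
const DESC_DEVICE: u8 = 0x01;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SetupPacket {
    pub bm_request_type: u8,
    pub b_request: u8,
    pub w_value: u16,
    pub w_index: u16,
    pub w_length: u16,
}

impl SetupPacket {
    /// Parse the 8 data bytes of a SETUP transaction; multi-byte fields are little-endian.
    pub fn parse(raw: &[u8]) -> Option<SetupPacket> {
        if raw.len() != 8 {
            return None;
        }
        Some(SetupPacket {
            bm_request_type: raw[0],
            b_request: raw[1],
            w_value: u16::from_le_bytes([raw[2], raw[3]]),
            w_index: u16::from_le_bytes([raw[4], raw[5]]),
            w_length: u16::from_le_bytes([raw[6], raw[7]]),
        })
    }
    pub fn is_in(&self) -> bool {
        self.bm_request_type & DIR_IN != 0
    }
    /// Recipient is bits 4..0 of bmRequestType; 0 means the device itself.
    pub fn recipient(&self) -> u8 {
        self.bm_request_type & 0x1f
    }
}

/// What the control-endpoint code should do with a setup packet.
#[derive(Debug, PartialEq, Eq)]
pub enum Request {
    /// Host wants the device descriptor; send at most `max_len` bytes.
    GetDeviceDescriptor { max_len: u16 },
    SetAddress(u8),
    Unsupported,
}

pub fn classify(p: &SetupPacket) -> Request {
    match (p.b_request, p.is_in(), p.recipient()) {
        (REQ_GET_DESCRIPTOR, true, 0) if (p.w_value >> 8) as u8 == DESC_DEVICE => {
            Request::GetDeviceDescriptor { max_len: p.w_length }
        }
        // SET_ADDRESS is OUT to the device, carries no data, and the address is at most 127.
        (REQ_SET_ADDRESS, false, 0) if p.w_length == 0 && p.w_value <= 127 => {
            Request::SetAddress(p.w_value as u8)
        }
        _ => Request::Unsupported,
    }
}

/// Device-side address state. The new address is pending until the status
/// stage completes, so the host's status request still reaches address zero.
#[derive(Debug, Default)]
pub struct AddressState {
    pub current: u8,
    pending: Option<u8>,
}

impl AddressState {
    pub fn on_setup(&mut self, req: &Request) {
        if let Request::SetAddress(a) = req {
            self.pending = Some(*a);
        }
    }
    /// Call when the zero-length status transaction has been acknowledged.
    pub fn on_status_complete(&mut self) {
        if let Some(a) = self.pending.take() {
            self.current = a;
        }
    }
    /// Whether a token addressed to `addr` is for this device.
    pub fn accepts(&self, addr: u8) -> bool {
        addr == self.current
    }
}

fn main() {
    // Constructed sample: SET_ADDRESS 42 as the host would send it.
    let pkt = SetupPacket::parse(&[0x00, 0x05, 42, 0, 0, 0, 0, 0]).unwrap();
    let mut st = AddressState::default();
    st.on_setup(&classify(&pkt));
    st.on_status_complete();
    println!("{:?} -> now at address {}", pkt, st.current);
}
```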

Okay, but how do we make this concrete?

So far, everything we've spoken about has been fairly abstract, or at least "soft". But to transfer data over USB does require some hardware. (Okay, okay, we could do it all virtualised, but there's no fun in that). The hardware I'm going to be using for the duration of this series is the STM32 on the blue-pill development board. This is a very simple development board which does (in theory at least) support USB device mode.

If we view the schematic for the blue-pill, we can see a very "lightweight" USB interface which has a pullup resistor for D+. This is the way that a device signals to the host that it is present, and that it wants to speak at full-speed. If the pullup were on D- then it would be a low-speed device. High speed devices need a little more complexity which I'm not going to go into for today.

The USB lines connect to pins PA11 and PA12 which are the USB pins on the STM32 on the board. Since USB is quite finicky, the STM32 doesn't let you remap that function elsewhere, so this is all looking quite good for us so far.

The specific STM32 on the blue-pill is the STM32F103C8T6. By viewing its product page on ST's website we can find the reference manual for the part. Jumping to section 23 we learn that this STM32 supports full-speed USB2.0 which is convenient given the past article and a half. We also learn it supports up to eight endpoints active at any one time, and offers double-buffering for our bulk and isochronous transfers. It has some internal memory for packet buffering, so it won't use our RAM bandwidth while performing transfers, which is lovely.

I'm not going to distill the rest of that section here, because there's a large amount of data which explains how the USB macrocell operates. However, useful things to note are:

  • How IN, OUT and SETUP transfers work.
  • How the endpoint buffer memory is configured.
  • That all bus-powered devices MUST respond to suspend/resume properly
  • That the hardware will prioritise endpoint interrupts for us so that we only need to deal with the most pressing item at any given time.
  • There is an 'Enable Function' bit in the address register which must be set or we won't see any transactions at all.
  • How the endpoint registers signal events to the device firmware.

Next time, we're going to begin the process of writing a very hacky setup routine to try and initialise the USB device macrocell so that we can see incoming transactions through the ITM. It should be quite exciting, but given how complex this will be for me to learn, it might be a little while before it comes through.

Cory Doctorow: Walkaway is a finalist for the Dragon Awards and is #1 on Locus’s hardcover bestseller list

Dragon Con’s Dragon Award ballot was just published and I’m delighted to learn that my novel Walkaway is a finalist in the “Best Apocalyptic Novel” category, along with Daniel Humphreys’ A Place Outside the Wild, Omar El Akkad’s American War, Declan Finn and Allan Yoskowitz’s Codename: Unsub, N.K. Jemisin’s The Obelisk Gate, Rick Heinz’s The Seventh Age: Dawn, and J.F. Holmes’s ZK: Falling.


I’m also delighted to note that Walkaway is currently Locus Magazine’s #1 top-selling hardcover at science fiction and fantasy bookstores in the USA and Canada.

Many thanks to all those who nominated Walkaway for the Dragon Award, and everyone who shopped for a copy at their friendly neighborhood sf store!

Planet Debian / Bits from Debian: DebConf17 Open Day

Today, the day preceding the official start of the annual Debian Conference, is the Open Day at DebConf17, at Collège Maisonneuve in Montreal (Canada).

This day is open to the public with events of interest to a wide audience.

The schedule of today's events includes, among others:

  • A Newbie's Newbie Guide to Debian
  • Ask Anything About Debian
  • Debian Packaging 101
  • Debian InstallFest
  • Presentations or workshops related to free software projects and local organizations.

Everyone is welcome to attend! It is a great opportunity for interested users to meet our community and for Debian to widen our community.

See the full schedule for today's events at https://debconf17.debconf.org/schedule/open-day/.

If you want to engage remotely, you can watch the video streaming of the Open Day events happening in the "Rex" room, or join the conversation in the channels #debconf17-rex, #debconf17-potato and #debconf17-woody in the OFTC IRC network.

DebConf is committed to a safe and welcoming environment for all participants. See the DebConf Code of Conduct and the Debian Code of Conduct for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf17, particularly our Platinum Sponsors Savoir-Faire Linux, Hewlett Packard Enterprise, and Google.


Planet Debian / Steinar H. Gunderson: Dear conference organizers

Dear conference organizers,

In this day and age, people stream conferences and other events over the Internet. Most of the Internet happens to be in a different timezone from yours (it's crazy, I know!). This means that if you publish a schedule, please say which timezone it's in. We've even got this thing called JavaScript now, which allows you to also convert times to the user's local timezone (the future is now!), so you might want to consider using it. :-)

(Yes, this goes for you, DebConf, and also for you, Assembly.)

Don Marti: Hey kids, favicon!

Finally fixed those 404s from browsers looking for favicon.ico on this blog.

  1. Google image search for images where "reuse with modification" is allowed.

  2. Found this high-quality lab mouse SVG image.

  3. Opened it in GNU Image Manipulation Program, posterized, cropped to a square. Kept the transparent background.

  4. Just went to realfavicongenerator.net and did what it says, and added the resulting images and markup to the site.

That's about it. Now there's a little mouse in the browser tab (and it should do the right thing with the icons if someone pins it to their home screen on mobile.)

Planet Debian / Gunnar Wolf: DebConf17 Key Signing Party: You are here↓

I ran my little analysis program written last year to provide a nice map on the DebConf17 key signing party, based on the . What will you find if you go there?

  • A list of all the people that will take part of the KSP
  • Your key's situation relative to the KSP keyring

As an example, here is my location on the map (click on the graph to enlarge):

Its main use? It will help you find which clusters you are better linked with, and who you have not cross-signed with. Some people have signed you but you didn't sign them? Or the other way around? Whom should you approach to make the keyring better connected? Can you spot some attendees who are islands and can get some help getting better connected to our keyring? Please go ahead and do it!

PS— There are four keys that are mentioned in the DebConf17 Keysigning Party Names file I used to build this from: 0xE8446B4AC8C77261, 0x485E1BD3AE76CB72, 0x4618E4C700000173, E267B052364F028D. The public keyserver network does not know about them. If you control one of those keys and you want me to run my script again to include it, please send it to the keyservers and mail me. If your key is not in the keyservers, nobody will be able to sign it!


Cryptogram: Friday Squid Blogging: Squid Fake News

I never imagined that there would be fake news about squid. (That website lets you write your own stories.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet Debian / Daniel Silverstone: USB Device Stacks, on RTFM

I have been spending time with Jorge Aparicio's RTFM for Cortex M3 framework for writing Rust to target Cortex-M3 devices from Arm (and particularly the STM32F103 from ST Microelectronics). Jorge's work in this area has been of interest to me ever since I discovered him working on this stuff a while ago. I am very tempted by the idea of being able to implement code for the STM32 with the guarantees of Rust and the language features which I have come to love such as the trait system.

I have been thinking to myself that, while I admire and appreciate the work done on the GNUK, I would like to, personally, have a go at implementing some kind of security token on an STM32 as a USB device. And with the advent of the RTFM for M3 work, and Jorge's magical tooling to make it easier to access and control the registers on an M3 microcontroller, I figured it'd be super-nice to do this in Rust, with all the advantages that entails in terms of isolating unsafe behaviour and generally having the potential to be more easily verified as not misbehaving.

To do this though, means that I need a USB device stack which will work in the RTFM framework. Sadly it seems that, thus far, only Jorge has been working on drivers for any of the M3 devices his framework supports. And one person can only do so much. So, in my infinite madness, I decided I should investigate the complexity of writing a USB device stack in Rust for the RTFM/M3 framework. (Why I thought this was a good idea is lost to the mists of late night Googling, but hey, it might make a good talk at the next conference I go to). As such, this blog post, and further ones along these lines, will serve as a partial tour of what I'm up to, and a partial aide-mémoire for me about learning USB. If I get something horribly wrong, please DO contact me to correct me, otherwise I'll just continue to be wrong. If I've simplified something but it's still strictly correct, just let me know if it's an oversimplification since in a lot of cases there's no point in me putting the full details into a blog posting. I will mostly be considering USB2.0 protocol details, but only really for low and full speed devices. (The hardware I'm targeting does low-speed and full-speed, but not high-speed. Though some similar HW does high-speed too, I don't have any to hand right now.)

A brief introduction to USB

In order to go much further, I needed a grounding in USB. It's a multi-layer protocol as you might expect, though we can probably ignore the actual electrical layer since any device we might hope to support will have to have a hardware block to deal with that. We will however need to consider the packet layer (since that will inform how the hardware block is implemented and thus its interface) and then the higher level protocols on top.

USB is a deliberately asymmetric protocol. Devices are meant to be significantly easier to implement, both in terms of hardware and software, as compared with hosts. As such, despite some STM32s having OTG ports, I have no intention of supporting host mode at this time.

USB is arranged into a set of busses which are, at least in the USB1.1 case, broadcast domains. As such, each device has an address assigned to it by the host during an early phase called 'configuration'. Once the address is assigned, the device is expected to only ever respond to messages addressed to it. Note that since everything is asymmetric in USB, the device can't send messages on its own, but has to be asked for them by the host, and as such the addressing is always from host toward device.

USB devices then expose a number of endpoints through which communication can flow IN to the host or OUT to the device. Endpoints are not bidirectional, but the in and out endpoints do overlap in numbering. There is a special pair of endpoints, IN0 and OUT0 which, between them, form what I will call the device control endpoints. The device control endpoints are important since every USB device MUST implement them, and there are a number of well defined messages which pass over them to control the USB device. In theory a bare minimum USB device would implement only the device control endpoints.

Configurations, and Classes, and Interfaces, Oh My!

In order for the host to understand what the USB device is, and what it is capable of, part of the device control endpoints' responsibility is to provide a set of descriptors which describe the device. These descriptors form a hierarchy and are then glommed together into a big lump of data which the host can download from the device in order to decide what it is and how to use it. Because of various historical reasons, where a multi-byte value is used, they are defined to be little-endian, though there are some BCD fields. Descriptors always start with a length byte and a type byte because that way the host can parse/skip as necessary, with ease.

The first descriptor, the device descriptor, is a big one and looks like this:

Device Descriptor

Field Name          Byte start  Byte length  Encoding  Meaning
bLength             0           1            Number    Size of the descriptor in bytes (18)
bDescriptorType     1           1            Constant  Device Descriptor (0x01)
bcdUSB              2           2            BCD       USB spec version compiled with
bDeviceClass        4           1            Class     Code, assigned by USB org (0 means "Look at interface descriptors", common value is 2 for CDC)
bDeviceSubClass     5           1            SubClass  Code, assigned by USB org (usually 0)
bDeviceProtocol     6           1            Protocol  Code, assigned by USB org (usually 0)
bMaxPacketSize      7           1            Number    Max packet size for IN0/OUT0 (Valid are 8, 16, 32, 64)
idVendor            8           2            ID        16bit Vendor ID (Assigned by USB org)
idProduct           10          2            ID        16bit Product ID (Assigned by manufacturer)
bcdDevice           12          2            BCD       Device version number (same encoding as bcdUSB)
iManufacturer       14          1            Index     String index of manufacturer name (0 if unavailable)
iProduct            15          1            Index     String index of product name (0 if unavailable)
iSerialNumber       16          1            Index     String index of device serial number (0 if unavailable)
bNumConfigurations  17          1            Number    Count of configurations the device has.

This looks quite complex, but breaks down into two relatively simple halves. The first eight bytes carry everything necessary for the host to be able to configure itself and the device control endpoints properly in order to communicate effectively. Since eight bytes is the bare minimum a device must be able to transmit in one go, the host can guarantee to get those, and they tell it what kind of device it is, what USB protocol it supports, and what the maximum transfer size is for its device control endpoints.

The encoding of the bcdUSB and bcdDevice fields is interesting too. It is of the form 0xMMmm where MM is the major number, mm the minor. So USB2.0 is encoded as 0x0200, USB1.1 as 0x0110 etc. If the device version is 17.36 then that'd be 0x1736.

Other fields of note are bDeviceClass which can be 0 meaning that interfaces will specify their classes, and idVendor/idProduct which between them form the primary way for the specific USB device to be identified. The Index fields are indices into a string table which we'll look at later. For now it's enough to know that wherever a string index is needed, 0 can be provided to mean "no string here".

The last field is bNumConfigurations and this indicates the number of ways in which this device might function. A USB device can provide any number of these configurations, though typically only one is provided. If the host wishes to switch between configurations then it will have to effectively entirely quiesce and reset the device.

The next kind of descriptor is the configuration descriptor. This one is much shorter, but starts with the same two fields:

Configuration Descriptor

Field Name           Byte start  Byte length  Encoding  Meaning
bLength              0           1            Number    Size of the descriptor in bytes (9)
bDescriptorType      1           1            Constant  Configuration Descriptor (0x02)
wTotalLength         2           2            Number    Size of the configuration in bytes, in total
bNumInterfaces       4           1            Number    The number of interfaces in this configuration
bConfigurationValue  5           1            Number    The value to use to select this configuration
iConfiguration       6           1            Index     The name of this configuration (0 for unavailable)
bmAttributes         7           1            Bitmap    Attributes field (see below)
bMaxPower            8           1            Number    Maximum bus power this configuration will draw (in 2mA increments)

An important field to consider here is the bmAttributes field which tells the host some useful information. Bit 7 must be set, bit 6 is set if the device would be self-powered in this configuration, bit 5 indicates that the device would like to be able to wake the host from sleep mode, and bits 4 to 0 must be unset.

The bMaxPower field is interesting because it encodes the power draw of the device (when set to this configuration). USB allows for up to 100mA of draw per device when it isn't yet configured, and up to 500mA when configured. The value may be used to decide if it's sensible to configure a device if the host is in a low power situation. Typically this field will be set to 50 to indicate the nominal 100mA is fine, or 250 to request the full 500mA.

Finally, the wTotalLength field is interesting because it tells the host the total length of this configuration, including all the interface and endpoint descriptors which make it up. With this field, the host can allocate enough RAM to fetch the entire configuration descriptor block at once, simplifying matters dramatically for it.

Each configuration has one or more interfaces. The interfaces group some endpoints together into a logical function. For example a configuration for a multifunction scanner/fax/printer might have an interface for the scanner function, one for the fax, and one for the printer. Endpoints are not shared among interfaces, so when building this table, be careful.

Next, logically, come the interface descriptors:

Interface Descriptor

Field Name          Byte start  Byte length  Encoding  Meaning
bLength             0           1            Number    Size of the descriptor in bytes (9)
bDescriptorType     1           1            Constant  Interface Descriptor (0x04)
bInterfaceNumber    2           1            Number    The number of the interface
bAlternateSetting   3           1            Number    The interface alternate index
bNumEndpoints       4           1            Number    The number of endpoints in this interface
bInterfaceClass     5           1            Class     The interface class (USB Org defined)
bInterfaceSubClass  6           1            SubClass  The interface subclass (USB Org defined)
bInterfaceProtocol  7           1            Protocol  The interface protocol (USB Org defined)
iInterface          8           1            Index     The name of the interface (or 0 if not provided)

The important values here are the class/subclass/protocol fields which provide a lot of information to the host about what the interface is. If the class is a USB Org defined one (e.g. 0x02 for Communications Device Class) then the host may already have drivers designed to work with the interface meaning that the device manufacturer doesn't have to provide host drivers.

The bInterfaceNumber is used by the host to indicate this interface when sending messages, and the bAlternateSetting is a way to vary interfaces. Two interfaces with the same bInterfaceNumber but different bAlternateSettings can be switched between, like configurations, but without resetting the device.

Hopefully the rest of this descriptor is self-evident by now.

The next descriptor kind is endpoint descriptors:

Endpoint Descriptor

Field Name        Byte start  Byte length  Encoding  Meaning
bLength           0           1            Number    Size of the descriptor in bytes (7)
bDescriptorType   1           1            Constant  Endpoint Descriptor (0x05)
bEndpointAddress  2           1            Endpoint  Endpoint address (see below)
bmAttributes      3           1            Bitmap    Endpoint attributes (see below)
wMaxPacketSize    4           2            Number    Maximum packet size this endpoint can send/receive
bInterval         6           1            Number    Interval for polling endpoint (in frames)

The bEndpointAddress is a 4 bit endpoint number (so there are 16 endpoint indices) and a bit to indicate IN vs. OUT. Bit 7 is the direction marker and bits 3 to 0 are the endpoint number. This means there are 32 endpoints in total, 16 in each direction, 2 of which are reserved (IN0 and OUT0) giving 30 endpoints available for interfaces to use in any given configuration. The bmAttributes bitmap covers the transfer type of the endpoint (more below), and the bInterval is an interval measured in frames (1ms for low or full speed, 125µs in high speed). bInterval is only valid for some endpoint types.

The final descriptor kind is for the strings which we've seen indices for throughout the above. String descriptors have two forms:

String Descriptor (index zero)

Field Name       Byte start  Byte length  Encoding  Meaning
bLength          0           1            Number    Size of the descriptor in bytes (variable)
bDescriptorType  1           1            Constant  String Descriptor (0x03)
wLangID[0]       2           2            Number    Language code zero (e.g. 0x0409 for en_US)
wLangID[n]       4..         2            Number    Language code n ...

This form (for descriptor 0) is that of a series of language IDs supported by the device. The device may support any number of languages. When the host requests a string descriptor, it will supply both the index of the string and also the language id it desires (from the list available in string descriptor zero). The host can tell how many language IDs are available simply by dividing bLength by 2 and subtracting 1 for the two header bytes.

And for string descriptors of an index greater than zero:

String Descriptor (index greater than zero)

Field Name       Byte start  Byte length  Encoding  Meaning
bLength          0           1            Number    Size of the descriptor in bytes (variable)
bDescriptorType  1           1            Constant  String Descriptor (0x03)
bString          2..         ..           Unicode   The string, in "unicode" format

This second form of the string descriptor is simply the string itself, in what the USB spec calls 'Unicode' format which is, as of 2005, defined to be UTF16-LE without a BOM or terminator.

Since string descriptors are of a variable length, the host must request strings in two transactions. First a request for 2 bytes is sent, retrieving the bLength and bDescriptorType fields which can be checked and memory allocated. Then a request for bLength bytes can be sent to retrieve the entire string descriptor.
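The descriptor hierarchy above, as an added example in Rust (not code from the original post or from RTFM): it builds device, configuration, interface, endpoint and string descriptors with the little-endian and bLength/bDescriptorType conventions described, computes wTotalLength and the 2 mA bMaxPower units, and walks a blob back using only the length and type bytes, stopping on a truncated descriptor rather than reading past the end. The vendor/product IDs, endpoint layout and strings used in main and the tests are constructed placeholders.

```rust
// Added example (not from the original post): build the descriptor blob the
// post describes and walk it back using only bLength/bDescriptorType.

const DT_DEVICE: u8 = 0x01;
const DT_CONFIGURATION: u8 = 0x02;
const DT_STRING: u8 = 0x03;
const DT_INTERFACE: u8 = 0x04;
const DT_ENDPOINT: u8 = 0x05;

/// Multi-byte fields are little-endian throughout.
fn le16(v: &mut Vec<u8>, x: u16) {
    v.extend_from_slice(&x.to_le_bytes());
}

/// 18-byte device descriptor. vid/pid are whatever the caller passes (placeholders here).
pub fn device_descriptor(vid: u16, pid: u16, ep0_size: u8, num_configs: u8) -> Vec<u8> {
    let mut d = vec![18, DT_DEVICE];
    le16(&mut d, 0x0200);            // bcdUSB: USB 2.0, encoded 0xMMmm
    d.extend_from_slice(&[0, 0, 0]); // class/subclass/protocol: look at the interfaces
    d.push(ep0_size);                // bMaxPacketSize for IN0/OUT0
    le16(&mut d, vid);               // idVendor
    le16(&mut d, pid);               // idProduct
    le16(&mut d, 0x0100);            // bcdDevice 1.00
    d.extend_from_slice(&[1, 2, 3]); // iManufacturer, iProduct, iSerialNumber
    d.push(num_configs);             // bNumConfigurations
    d
}

/// Interface descriptor followed by its endpoint descriptors.
/// Endpoints are (bEndpointAddress, bmAttributes, wMaxPacketSize, bInterval).
pub fn interface(num: u8, class: u8, endpoints: &[(u8, u8, u16, u8)]) -> Vec<u8> {
    let mut d = vec![9, DT_INTERFACE, num, 0, endpoints.len() as u8, class, 0, 0, 0];
    for &(addr, attrs, max_pkt, interval) in endpoints {
        d.extend_from_slice(&[7, DT_ENDPOINT, addr, attrs]);
        le16(&mut d, max_pkt);
        d.push(interval);
    }
    d
}

/// Walk a descriptor blob by bLength, yielding (bDescriptorType, descriptor).
/// Stops at a zero or oversized bLength instead of reading past the end.
pub fn walk(blob: &[u8]) -> Vec<(u8, &[u8])> {
    let mut out = Vec::new();
    let mut i = 0;
    while i + 2 <= blob.len() {
        let len = blob[i] as usize;
        if len < 2 || i + len > blob.len() { break; }
        out.push((blob[i + 1], &blob[i..i + len]));
        i += len;
    }
    out
}

/// Configuration descriptor; wTotalLength covers everything appended after it.
/// max_ma is the draw in mA and is stored in bMaxPower as 2 mA units.
pub fn configuration(interfaces: &[Vec<u8>], self_powered: bool, max_ma: u16) -> Vec<u8> {
    let body = interfaces.concat();
    let n_if = walk(&body).into_iter().filter(|(t, _)| *t == DT_INTERFACE).count() as u8;
    let attrs: u8 = 0x80 | if self_powered { 0x40 } else { 0 }; // bit 7 always set
    let mut c = vec![9, DT_CONFIGURATION];
    le16(&mut c, (9 + body.len()) as u16);
    c.extend_from_slice(&[n_if, 1, 0, attrs, (max_ma / 2) as u8]);
    c.extend_from_slice(&body);
    c
}

/// String descriptor 0: the list of supported language IDs.
pub fn lang_descriptor(langs: &[u16]) -> Vec<u8> {
    let mut d = vec![(2 + 2 * langs.len()) as u8, DT_STRING];
    for &l in langs { le16(&mut d, l); }
    d
}

/// Number of language IDs in descriptor 0: bLength / 2, minus one for the 2 header bytes.
pub fn lang_count(desc: &[u8]) -> usize {
    (desc[0] as usize) / 2 - 1
}

/// String descriptor n > 0: UTF-16LE, no BOM, no terminator.
pub fn string_descriptor(s: &str) -> Vec<u8> {
    let mut d = vec![0, DT_STRING];
    for unit in s.encode_utf16() { le16(&mut d, unit); }
    assert!(d.len() <= 255, "bLength is one byte: at most 126 UTF-16 units");
    d[0] = d.len() as u8;
    d
}

fn main() {
    // Constructed sample: one CDC-style interface with an interrupt IN and a bulk OUT endpoint.
    let iface = interface(0, 0x02, &[(0x81, 0x03, 8, 10), (0x02, 0x02, 64, 0)]);
    let cfg = configuration(&[iface], false, 100);
    for (t, d) in walk(&cfg) {
        println!("type {:#04x}, {} bytes: {:02x?}", t, d.len(), d);
    }
}
```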

Putting that all together

Phew, this is getting to be quite a long posting, so I'm going to leave this here and in my next post I'll talk about how the host and device pass packets to get all that information to the host, and how it gets used.

Cryptogram: Friday Squid Blogging: Giant Squids Have Small Brains

New research:

In this study, the optic lobe of a giant squid (Architeuthis dux, male, mantle length 89 cm), which was caught by local fishermen off the northeastern coast of Taiwan, was scanned using high-resolution magnetic resonance imaging in order to examine its internal structure. It was evident that the volume ratio of the optic lobe to the eye in the giant squid is much smaller than that in the oval squid (Sepioteuthis lessoniana) and the cuttlefish (Sepia pharaonis). Furthermore, the cell density in the cortex of the optic lobe is significantly higher in the giant squid than in oval squids and cuttlefish, with the relative thickness of the cortex being much larger in Architeuthis optic lobe than in cuttlefish. This indicates that the relative size of the medulla of the optic lobe in the giant squid is disproportionally smaller compared with these two cephalopod species.

From the New York Times:

A recent, lucky opportunity to study part of a giant squid brain up close in Taiwan suggests that, compared with cephalopods that live in shallow waters, giant squids have a small optic lobe relative to their eye size.

Furthermore, the region in their optic lobes that integrates visual information with motor tasks is reduced, implying that giant squids don't rely on visually guided behavior like camouflage and body patterning to communicate with one another, as other cephalopods do.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Cryptogram: Penetrating a Casino's Network through an Internet-Connected Fish Tank

Attackers used a vulnerability in an Internet-connected fish tank to successfully penetrate a casino's network.

BoingBoing post.

Planet Debian / Michal Čihař: Changes to Docker container for Weblate

I've made several changes to the Weblate Docker container which are worth mentioning today.

First of all, if you are still using nijel/weblate, you should switch to weblate/weblate. They both currently share the same configuration, but it might happen that some future updates will go to the weblate-owned container only.

Now back to the container changes. Since the beginning we were using Django's built-in server. That's fine for development purposes, but it really doesn't work that well in production as it can handle only one request at a time. Therefore we've switched to a more robust approach using nginx + uwsgi + supervisor.

Thanks to this, the docker-compose setup no longer needs a separate nginx server, as everything is now sanely handled within the weblate container itself.


Worse Than Failure: Error'd: A Test-imonial

"You know, usually these statements are just marketing B.S., but I think this guy's got the right idea," wrote Philip K.

"Windows 10 forgot it is 2017 when it decided my USB stick was in fact, a floppy drive," writes Joshua R.

"Sydney Ferry Service's really uses Vista's 'overlapping WTF' technology effectively," Matthias writes.

Hans wrote, "So, let me see if I understand this - my password strength is weak though it's 64 fully random chars and clearly I should've used fewer chars to make it more secure?"

"Isn't there a saying that goes 'null news is good news'?" writes Bob S.

Walton H. wrote, "I've never heard of 'Lua Error' before but they did an amazing job!"

Planet Debian / Dirk Eddelbuettel: R for System Administration

Just getting back from the most fun meetup I have been to in quite some time: episode 23 (by their count) of Open Source Open Mic hosted by Matt Godbolt and Joe Walnes here in Chicago. Nothing but a sequence of lightning talks. Plus beer and pizza. Sounds awesome? It was!

We had fantastic talks across at least half a dozen languages, covering both new-ish (Pony) and interesting ones such as (Rust, Go, ...) plus of course some Javascript and some Python, no Java (yay!) and a few batshit crazy things like a self-hosting database in its own (shell) code, a terminal gif viewer (!!), and more. And it gave me an opportunity to quickly (one evening and morning commute) jam out a presentation about what is in the title: R for system administration.

And I am only half-joking. I had used R a couple of years ago when I needed to select, subset, modify, ... a large number of image files given some timestamp and filename patterns. And given how well R works in a vectorised manner with both regular expressions and timestamps, as well as on top of essentially all standard POSIX-style operating system / file-system functions, I picked up that thread again on the problem of ... cleaning up the file storage underlying CRANberries which by now has well over fifty-seven thousand (!!) tarballs of CRAN packages based on now ten years of CRANberries. So I showed how to prune this in essentially half a dozen lines of R (and data.table code), plus some motivation---all just right for a lightning talk. Seemingly the talk went well enough as quite a few folks gave a thumbs up and compliments over beers afterwards.

But see for yourself as the slides are now uploaded to my standard talks page.

My thanks to Matt and Joe for organizing the meetup. I think I will be back.


Planet Debian / Joey Hess: home power monitoring

For years I've recorded solar panel data by hand. Filled two notebooks with columns of figures. My new charge controller, an EPsolar Tracer-BN, finally let me automate it.

morning activity; by 8 am the sun is still behind the hill but, 16 watts are being produced, and by 11:30 am, the battery bank is full

You can explore my home power data here: http://homepower.joeyh.name/
(click and drag to zoom)

The web interface loads the RRD files into a web browser using javascriptRRD. I wrote a haskell program that drives the epsolar-tracer python library to poll for data, and stores it in RRD files. Could have used collectd or something, but the interface to the charge controller is currently a bit flaky and I have to be careful about retries and polling frequencies. Also I wanted full control over how much data is stored in the RRD files.

Full source code

Planet Debian / Daniel Silverstone: Gitano 1.1

Today marks the release of Gitano 1.1. Richard(s) and I have spent quite a lot of time and effort on this release, and there's plenty of good stuff in it. We also released new versions of Lace, Supple, Luxio, and Gall to go alongside it, with bugfixes and improvements.

At this point, I intend to take a short break from Gitano to investigate some Rust-on-STM32 stuff, and then perhaps do some NetSurf work too.

Planet Debian / Jeremy Bicha: Link: Ubuntu @ GUADEC 2017 and plans for GNOME Shell migration

Since Didier Roche’s blog is not on Planet GNOME or Planet Debian and I think his post is of widespread interest, I’m linking to it here. Enjoy!

Ubuntu @ GUADEC 2017 and plans for GNOME Shell migration

TED: TEDGlobal 2017: Announcing the speaker lineup for our Arusha conference

TEDGlobal 2017 kicks off August 27–30, 2017, in Arusha, Tanzania. Ten years after the last TEDGlobal in Arusha, we’ll again gather a community from across the continent and around the world to explore ideas that may propel Africa’s next leap — in business, politics and justice, creativity and entrepreneurship, science and tech.

Today, we’re thrilled to announce our speaker lineup for TEDGlobal 2017! It’s a powerful list you can skim here — to dive into speaker bios and learn about the 8 themed sessions of TEDGlobal 2017, visit our full Program Guide.

OluTimehin Adegbeye, Writer and activist: Writing on gender justice, sexual and reproductive rights, urban poverty and media OluTimehin Adegbeye shares her (often very strong) opinions on Twitter and in long-form work. @OhTimehin

Oshiorenoya Agabi, Neurotechnology entrepreneur: Oshiorenoya Agabi is engineering neurons to express synthetic receptors which give them an unprecedented ability to become aware of surroundings. koniku.io

Nabila Alibhai, Place-maker: Nabila Alibhai leads inCOMMONS, a new organization focused on civic engagement, public spaces, and building collective responsibility for our shared places. @NabilaAlibhai

Bibi Bakare-Yusuf, Publisher: Bibi Bakare-Yusuf is co-founder and publishing director of one of Africa’s leading publishing houses, Cassava Republic Press. cassavarepublic.biz

Christian Benimana, Architect: Christian Benimana is co-founder of the African Design Center, a training program for young architects. massdesigngroup.org

Gus Casely-Hayford, Cultural historian: Gus Casely-Hayford writes, lectures, curates and broadcasts widely about African culture.

In Session 5, Repatterning, speakers will talk about the worlds we create — in fiction, fashion, design, music.

Natsai Audrey Chieza, Designer: Natsai Audrey Chieza is a design researcher whose fascinating work crosses boundaries between technology, biology, design and cultural studies. @natsaiaudrey

Tania Douglas, Biomedical engineer: Tania Douglas imagines how biomedical engineering can help address some of Africa’s health challenges. @tania_douglas

Touria El Glaoui, Art fair curator: To showcase vital new art from African nations and the diaspora, Touria El Glaoui founded the powerhouse 1:54 Contemporary African Art Fair. @154artfair

Meron Estefanos, Refugee activist: Meron Estefanos is the executive director of the Eritrean Initiative on Refugee Rights, advocating for refugees and victims of trafficking and torture. @meronina

Chika Ezeanya-Esiobu, Indigenous knowledge expert: Working across disciplines, Chika Ezeanya-Esiobu explores indigenous knowledge, homegrown and grassroots approaches to the sustainable advancement of Sub-Saharan Africa. chikaforafrica.com

Kamau Gachigi, Technologist: At Gearbox, Kamau Gachigi empowers Kenya’s next generation of creators to prototype and fabricate their visions. @kamaufablab

Ameenah Gurib-Fakim, President of Mauritius: Ameenah Gurib-Fakim is the 6th president of the island of Mauritius. As a biodiversity scientist as well, she explores the medical and nutrition secrets of her home. @aguribfakim

Leo Igwe, Human rights activist: Leo Igwe works to end a variety of human rights violations that are rooted in superstition, including witchcraft accusations, anti-gay hate, caste discrimination and ritual killing. @leoigwe

Joel Jackson, Transport entrepreneur: Joel Jackson is the founder and CEO of Mobius Motors, set to launch a durable, low-cost SUV made in Africa. mobiusmotors.com

Tunde Jegede, Composer, cellist, kora virtuoso: TED Fellow Tunde Jegede combines musical traditions to preserve classical forms and create new ones. tundejegede.com

Paul Kagame, President of the Republic of Rwanda: As president of Rwanda, Paul Kagame has received recognition for his leadership in peace-building, development, good governance, promotion of human rights and women’s empowerment, and advancement of education and ICT. @PaulKagame

Zachariah Mampilly, Political scientist: Zachariah Mampilly is an expert on the politics of both violent and non-violent resistance. He is the author of “Rebel Rulers: Insurgent Governance and Civilian Life during War” and “Africa Uprising: Popular Protest and Political Change.” @Ras_Karya

Vivek Maru, Legal empowerment advocate: Vivek Maru is the founder of Namati, a movement for legal empowerment around the world powered by cadres of grassroots legal advocates. Global Legal Empowerment Network

In Session 6: A Hard Look, these speakers will confront myths and hard facts about the continent, from the lens of politics and human rights as well as the reality of life as a small farmer.

Kola Masha, Agricultural leader: Kola Masha is the managing director of Babban Gona, an award-winning, high-impact, financially sustainable and highly scalable social enterprise, part-owned by the farmers they serve. @BabbanGona

Clapperton Chakanetsa Mavhunga, MIT professor, grassroots thinker-doer, author: Clapperton Chakanetsa Mavhunga studies the history, theory, and practice of science, technology, innovation, and entrepreneurship in the international context, with a focus on Africa. sts-program.mit.edu/people/sts-faculty/c-clapperton-mavhunga/

Thandiswa Mazwai, Singer: Thandiswa is one of the most influential South African musicians of this generation. @thandiswamazwai

Yvonne Chioma Mbanefo, Digital learning advocate: After searching for an Igbo language learning tool for her kids, digital strategist Yvonne Mbanefo helped create the first illustrated Igbo dictionary for children. Now she’s working on Yoruba, Hausa, Gikuyu and more. @yvonnembanefo

Sara Menker, Technology entrepreneur: Sara Menker is founder and CEO of Gro Intelligence, a tech company that marries the application of machine learning with domain expertise and enables users to understand and predict global food and agriculture markets. @SaraMenker

Eric Mibuari, Computer scientist: Eric Mibuari studies the blockchain at IBM Research, and is the founder of the Laare Community Technology Centre in Meru, Kenya. laare.csail.mit.edu

Kingsley Moghalu, Political economist: Kingsley Moghalu is a global leader who has made contributions to the stability, progress and wealth of nations, societies and individuals across such domains as academia, economic policy, banking and finance, entrepreneurship, law and diplomacy. kingsleycmoghalu.com

Sethembile Msezane, Artist: Sethembile Msezane explores the act of public commemoration — how it creates myths, constructs histories, includes some and excludes others. @sthemse

Kisilu Musya, Farmer and filmmaker: For six years, Kisilu Musya has filmed his life on a small farm in South East Kenya, to make the documentary “Thank You for the Rain.” thankyoufortherain.com

Robert Neuwirth, Author: To research his book “Stealth of Nations,” Robert Neuwirth spent four years among street vendors, smugglers and “informal” import/export firms. @RobertNeuwirth

Kevin Njabo, Biodiversity scientist: Kevin Njabo is coordinating the development of UCLA’s newly established Congo Basin Institute (CBI) in Yaoundé, Cameroon.

Alsarah and the Nubatones, East African retro-popsters: Inspired by both the golden age of Sudanese pop music of the ’70s and the New York effervescence, Alsarah & the Nubatones have built a repertoire where an exhilarating oud plays electric melodies on beautiful jazz-soul bass lines, and where sharp and modern percussions breathe new life to age-old rhythms. alsarah.com

Ndidi Nwuneli, Social innovation expert: Through her work in food and agriculture, and as a leadership development mentor, Ndidi Okonkwo Nwuneli commits to building economies in West Africa. @ndidiNwuneli

Dayo Ogunyemi, Cultural media builder: Dayo Ogunyemi is the founder of 234 Media, which makes principal investments in the media, entertainment and technology sectors. @AfricaMET

Nnedi Okorafor, Science fiction writer: Nnedi Okorafor weaves African cultures into the evocative settings and memorable characters of her science fiction work for kids and adults. @Nnedi

Fredros Okumu, Mosquito scientist: Fredros Okumu studies human-mosquito interactions, hoping to understand how to keep people from getting malaria. ihi.or.tz

Qudus Onikeku, Dancer, choreographer: With a background as an acrobat and dancer, Qudus Onikeku is one of the preeminent Nigerian choreographers working today. @qudusonikeku

DK Osseo-Asare, Designer: DK Osseo-Asare is a designer who makes buildings, landscapes, cities, objects and digital tools. @dkoa

Keller Rinaudo, Robotics entrepreneur: Keller Rinaudo is CEO and co-founder of Zipline, building drone delivery for global public health customers. @kellerrinaudo

Reeta Roy, President and CEO, The Mastercard Foundation: A thoughtful leader and an advocate for the world’s most vulnerable, Reeta Roy has worked tirelessly to build a foundation that is collaborative and known for its lasting impact. mastercardfdn.org

Chris Sheldrick, Co-founder & CEO, what3words: With what3words, Chris Sheldrick is providing a precise and simple way to talk about location, by dividing the world into a grid of 3m x 3m squares and assigning each one a unique 3 word address. what3words.com

George Steinmetz, Aerial photographer: Best known for his exploration photography, George Steinmetz has a restless curiosity for the unknown: remote deserts, obscure cultures, the mysteries of science and technology. georgesteinmetz.com

Olúfẹ́mi Táíwò, Historian and philosopher: Drawing on a rich cultural and personal history, Olúfẹ́mi Táíwò studies philosophy of law, social and political philosophy, Marxism, and African and Africana philosophy. africana.cornell.edu/

Pierre Thiam, Chef: Pierre Thiam shares the cuisine of his home in Senegal through global restaurants and highly praised cookbooks. pierrethiam.com

Iké Udé, Artist: The work of Nigerian-born Iké Udé explores a world of dualities: photographer/performance artist, artist/spectator, African/postnationalist, mainstream/marginal, individual/everyman and fashion/art. ikeude.com

Washington Wachira, Wildlife ecologist and nature photographer: Birder and ecologist Washington Wachira started the Youth Conservation Awareness Programme (YCAP) to nurture young environmental enthusiasts in Kenya. washingtonwachira.com

Ghada Wali, Designer: A pioneering graphic designer in Egypt, Ghada Wali has designed fonts, brands and design-driven art projects. ghadawali.com


CryptogramSplitting the NSA and US Cyber Command

Rumor is that the Trump administration will separate the NSA and US Cyber Command. I have long thought this was a good idea. Here's a good discussion of what it does and doesn't mean.

Worse Than FailureNature In Its Volatility

About two years ago, we took a little trip to the Galapagos- a tiny, isolated island where processes and coding practices evolved… a bit differently. Calvin, as an invasive species, brought in new ways of doing things- like source control, automated builds, and continuous integration- and changed the landscape of the island forever.

Geospiza parvula

Or so it seemed, until the first hiccup. Shortly after putting all of the code into source control and automating the builds, the application started failing in production. Specifically, the web service calls out to a third party web service for a few operations, and those calls universally failed in production.

“Now,” Hank, the previous developer and now Calvin’s supervisor, said, “I thought you said this should make our deployments more reliable. Now, we got all these extra servers, and it just plumb don’t work.”

“We’re changing processes,” Calvin said, “so a glitch could happen easily. I’ll look into it.”

“Looking into it” was a bit more of a challenge than it should have been. The code was a pasta-golem: a gigantic monolith of spaghetti. It had no automated tests, and wasn’t structured in a way that made it easy to test. Logging was nonexistent.

Still, Calvin’s changes to the organization helped. For starters, there was a brand new test server he could use to replicate the issue. He fired up his testing scripts, ran them against the test server, and… everything worked just fine.

Calvin checked the build logs, to confirm that both test and production had the same version, and they did. So next, he pulled a copy of the code down to his machine, and ran it. Everything worked again. Twiddling the config files didn’t accomplish anything. He built a version of the service configured for remote debugging, and chucked it up to the production server… and the error went away. Everything suddenly started working fine.

Quickly, he reverted production. On his local machine, he did something he’d never really had call to do- he flipped the build flag from “Debug” to “Release” and recompiled. The service hung. When built in “Release” mode, the resulting DLL had a bug that caused a hang, but it was something that never appeared when built in “Debug” mode.

“I reckon you’re still workin’ on this,” Hank asked, as he ambled by Calvin’s office, thumbs hooked in his belt loops. “I’m sure you’ve got a smart solution, and I ain’t one to gloat, but this ain’t never happened the old way.”

“Well, I can get a temporary fix up into production,” Calvin said. He quickly threw a debug build up onto production, which wouldn’t have the bug. “But I have to hunt for the underlying cause.”

“I guess I just don’t see why we can’t build right on the shared folder, is all.”

“This problem would have cropped up there,” Calvin said. “Once we build for Release, the problem crops up. It’s probably a preprocessor directive.”

“A what now?”

Hank’s ignorance about preprocessor directives was quickly confirmed by a search through the code- there were absolutely no #if statements in there. Calvin spent the next few hours staring at this block of code, which is where the application seemed to hang:

public class ServiceWrapper
{
    // Not volatile: the completion callback runs on another thread, so a
    // Release build is free to read this field once and never re-check it.
    bool thingIsDone = false;
    //a bunch of other state variables

    public string InvokeSoap(methodArgs args)
    {
        //blah blah blah
        soapClient client = new soapClient();
        client.doThingCompleted += new doThingEventHandler(MyCompletionMethod);
        client.doThingAsync(args);

        // Busy-wait until the callback flips the flag.
        do
        {
            string busyWork = "";
        }
        while (thingIsDone == false);

        return "SUCCESS!"; //seriously, this is what it returns
    }

    private void MyCompletionMethod(object sender, completedEventArgs e)
    {
        //do some other stuff
        thingIsDone = true;
    }
}

Specifically, it was in the busyWork loop where the thing hung. He stared and stared at this code, trying to figure out why thingIsDone never seemed to become true, but only when built in Release. Obviously, it had to be a compiler optimization- and that’s when the lightbulb went off.

The C# compiler, when building for release, will look for variables whose values don’t appear to change, and replace them with in-lined constants. In serial code, this can be handled with some pretty straightforward static analysis, but in multi-threaded code, the compiler can make “mistakes”. There’s no way for the compiler to see that thingIsDone ever changes, since the change happens in an external thread. The fix is simple: chuck volatile on the variable declaration to disable that optimization.

volatile bool thingIsDone = false solved the problem. Well, it solved the immediate problem. Having seen the awfulness of that code, Calvin couldn’t sleep that night. Nightmares about the busyWork loop and the return "SUCCESS!" kept him up. The next day, the very first thing he did was refactor the code to actually properly handle multiple threads.

[Advertisement] Atalasoft’s imaging SDKs come with APIs & pre-built controls for web viewing, browser scanning, annotating, & OCR/barcode capture. Try it for 30 days with included support.

Planet DebianElena 'valhalla' Grandi: Debian Day in Varese

Debian Day in Varese

I'm stuck home instead of being able to go to DebConf, but that doesn't mean that Debian Day will be left uncelebrated!

Since many of the locals are away for the holidays, we of @Gruppo Linux Como and @LIFO aren't going to organize a full day of celebrations, but at the very least we are meeting for a dinner in Varese, at some restaurant that will be open on that date.

Everybody is welcome: to join us please add your name (nickname or identifier of any kind, as long as it fits in the box) on dudle.inf.tu-dresden.de/debday before Thursday, August 10th, so that we can get a reservation at the restaurant.

Planet DebianMichal Čihař: Going to DebConf17

After four years, I will again make it to DebConf. I'm looking forward to meeting many great people, so if you want to meet and happen to be in Montreal next week, come and say hello to me :-).

It seems I've settled down on a four-year schedule - I've attended DebConf09 and DebConf13 so far. Let's see if the next one will come in 2021 or earlier.

Filed under: Debian English Gammu phpMyAdmin Weblate


Planet DebianMarkus Koschany: My Free Software Activities in July 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I backported freeciv, freeorion and minetest to stretch-backports.
  • The bug fix (#866378) for 3dchess also landed in Stretch and Jessie.
  • I sponsored Lugaru for Vincent Prat and Martin Erik Werner, a really cool 3D fighting game featuring a rabbit. The game is dfsg-free now and will replace openlugaru.
  • I uploaded fifechan to unstable and packaged new upstream versions of fife, unknown-horizons, adonthell-data and hyperrogue.
  • I fixed bugs in bloboats (#864534), lordsawar (RC #866988), kraptor (#826423), pathogen (#845991), fretsonfire (#866426), blockout2 (#826416), boswars (#827112), kanatest (RC #868315, fix also backported to Stretch), overgod (#827114), morris (#829948, #721834, #862224), mousetrap (#726842), alsoft-conf (#784052, #562898) and nikwi (#835625)
  • I uploaded a new revision of clanlib and teg fixing Perl transition bugs. The patches were provided by gregor herrmann. I added myself to Uploaders in case of teg because the package was missing a human maintainer.
  • I adopted trackballs after I discovered #868983 where Henrique de Moraes Holschuh called attention to a new fork of Trackballs. The current version was broken and unplayable and it was only a matter of time before the game was removed from Debian. I could fix a couple of bugs, forwarded some issues upstream and I believe a nice game was saved.
  • I uploaded Bullet 2.86.1 to unstable and completed another Bullet transition.

Debian Java

Debian LTS

This was my seventeenth month as a paid contributor and I have been paid to work 23,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 24. July until 31. July I was in charge of our LTS frontdesk. I triaged bugs in tinyproxy, varnish, freerdp, ghostscript, gcc-4.6, gcc-4.7, fontforge, teamspeak-server, teamspeak-client, qpdf, nvidia-graphics-drivers and sipcrack. I also pinged Diego Biurrun for more information about the next libav update and replied to questions on the debian-lts mailing list and LTS IRC channel.
  • DLA 1034-1. Issued a security update for php5 fixing 5 CVE. I discussed CVE-2017-11362 with the security team. We came to the conclusion that it was no security issue but just a normal bug.
  • DLA 1036-1. Issued a security update for gsoap fixing 1 CVE.
  • DLA 1037-1. Issued a security update for catdoc fixing 1 CVE.
  • DLA 613-2. Issued a regression update for roundcube.
  • DLA 1045-1. Issued a security update for graphicsmagick fixing 10 CVE.
  • DLA 1047-1. Issued a security update for supervisor fixing 1 CVE.
  • DLA 1048-1. Issued a security update for ghostscript fixing 8 CVE.

Non-maintainer upload

  • I uploaded the security fix for spice to unstable which was already fixed in Stretch and earlier versions.

Thanks for reading and see you next time.

Planet DebianSteve Kemp: So I did a thing, then another thing.

So I did start a project to write a puppet-dashboard. It is functionally complete, but the next step is to allow me to raise alerts based on failing runs of puppet - in real-time.

(i.e. Now that I have a dashboard I wish to not use it. I want to be alerted to failures, without having to remember to go look for them. Something puppet-dashboard can't do ..)

In other news a while back I slipped in a casual note about having a brain scan done, here in sunny Helsinki.

One of the cool things about that experience, in addition to being told I wasn't going to drop dead that particular day, was that the radiologist told me that I could pay €25 to get a copy of my brain data in DICOM format.

I've not yet played with this very much, but I couldn't resist a brief animation:

  • See my brain.
    • Not the best quality, or the best detail, but damn. It is my brain.
    • I shall do better with more experimentation I think.
    • After I posted it my wife, a doctor, corrected me: That wasn't a gif of my brain, instead it was a gif of my skull. D'oh!

CryptogramVoting Machine Security

Last week, DefCon hosted a "Voter Hacker Village" event. Every single voting machine there was easily hackable.

Here are the details. There should be a summary report soon; I'll add it to this post when it's published.

Planet DebianMarkus Koschany: PDFsam: How to upgrade a Maven application for Debian

In the coming weeks and months I intend to write a mini series about packaging Java software for Debian. The following article basically starts in the middle of this journey because the PDFsam upgrade is still fresh in my mind. It requires some preexisting knowledge about build tools like Maven and some Java terminology. But do not fear. Hopefully it will make sense in the end when all pieces fall into place.

A month ago I decided to upgrade PDFsam, a Java application to split, merge, extract, mix and rotate PDF documents. The current version 1.1.4 is already seven years old and uses Ant as its build system. Unfortunately up to now nobody was interested enough to invest the time to upgrade it to the latest version. A quick internet search reveals that the current sources can be found on github.com. Another brief look reveals we are dealing with a Maven project here because we can find a pom.xml file in the root directory and there is no sign of Ant’s typical build.xml file anymore. Here are some general tips on how to proceed from this point, using the PDFsam upgrade as an example.

Find out how many new dependencies you really need

The pom.xml file declares its dependencies in the <dependencies> section. It is good practice to inspect the pom.xml file and determine how much work will be required to upgrade the package. A seasoned Java packager will quickly find common dependencies like Hibernate or the Apache Commons libraries. Fortunately for you they are already packaged in Debian because a lot of projects depend on them. If you are unsure what is and what is not packaged for Debian, tracker.debian.org and codesearch.debian.net are useful tools to search for those packages. If in doubt just ask on debian-java@lists.debian.org. There is no automagical tool (yet) to find out which dependencies are really new (we will talk about mh_make soon), but if you use the aforementioned tools and websites you will notice that in June 2017 one could not find the following artifacts: fontawesomefx, eventstudio, sejda-* and jackson-jr-objects. There are also jdepend and testFx but notice they are marked as <scope>test</scope>, meaning they are only required if you would like to run upstream’s test suite as well. For the sake of simplicity, it is best to ignore them for now and to focus on packaging only dependencies which are really needed to compile the application. Test dependencies can always be added later.

This pom.xml investigation leads us to the following conclusion: PDFsam depends on Sejda, a PDF library. Basically Sejda is the product of a major refactoring that happened years ago and allows upstream to develop PDFsam faster and in multiple directions. For Debian packagers it is quite clear now that the “upgrade” of PDFsam is in reality more like packaging a completely new application. The inspection of Sejda’s pom.xml file (another Maven project) reveals we also have to package imgscalr, Twelvemonkeys and SAMBox. We continue with these pom.xml analyses and end up with these new source packages: jackson-jr, libimgscalr-java, libsambox-java, libsejda-java, libsejda-injector-java, libsejda-io-java, libsejda-eventstudio-java, libtwelvemonkeys-java, fontawesomefx and libpdfbox2-java. Later I discovered that gettext-maven-plugin was also required.

This was not obvious at first glance if you only check the pom.xml in the root directory, but PDFsam and Sejda are multi-module projects! In this case every subdirectory (module) contains another pom.xml with additional information, so ideally you should check those too before you decide to start with your packaging. But don’t worry: it is often possible to ignore modules with a simple --ignore rule inside your debian/*.poms file. The package will have less functionality but it can still be useful if you only need a subset of the modules. Of course in this case ignoring the gettext-maven-plugin artifact would result in a runtime error. C’est la vie.

A brief remark about Java package names: Java library packages must be named like libXXX-java. This is important for binary packages to avoid naming collisions. We are more tolerant when it comes to source package names but in general we recommend to use the exact same name as for the binary package. There are exceptions like prefixing source packages with their well known project name like jackson-XXX or jboss-XXX but this should only be used when there are already existing packages that use such a naming scheme. If in doubt, talk to us.

mh_make or how to quickly generate an initial debian directory

Packaging a Maven library is usually not very difficult even if it consists of multiple modules. The tricky part is to get the maven.rules, maven.IgnoreRules and your *.poms file right but debian/rules often only consists of a single dh line and the rest is finding the build-dependencies and adding them to debian/control.

A small tool called mh_make, which is included in maven-debian-helper, can lend you a helping hand. The tool is not perfect yet. It requires that most build-dependencies are already installed on your local system, otherwise it won’t create the initial debian directory and will only produce some unfinished (but in some cases still useful) files.

A rule of thumb is to start with a package that does not depend on any other new dependency and requires the fewest build-dependencies. I have chosen libtwelvemonkeys-java because it was the simplest package and met the aforementioned criteria.

Here is what mh_make looks like in action. (The animated GIF was created with Byzanz.) First of all download the release tarball, unpack it and run mh_make inside the root directory.

OK, what is happening here? First you can choose a source and binary package name. Then disable the tests and don’t run javadoc to create the documentation. This will simplify things a little. Tests and javadoc settings can be added later. Choose the version you want to package and then you can basically follow the default recommendations and confirm them by hitting the Enter key. Throughout the project we choose to transform the upstream version into the symbolic “debian” version. Remember that Java/Maven is version-centric. This will ensure that our Maven dependencies are always satisfied later and we can simply upgrade our Maven libraries and don’t have to change the versions by hand in various pom.xml files; maven-debian-helper will automatically transform them for us to “debian”. Enable all modules. If you choose not to, you can select each module individually. Note that later on some of the required build-dependencies cannot be found because they are either not installed (libjmagick6-java) or they cannot be found in Debian’s Maven repository under /usr/share/maven-repo. You can fix this by entering a substitution rule or, as I did in this case, you can just ignore these artifacts for now. They will be added to maven.IgnoreRules. In order to successfully compile your program you have to remove them from this file again later, create the correct substitution rule in maven.rules and add the missing build-dependencies to debian/control. For now we just want to quickly create our initial debian directory.

If everything went as planned a complete debian directory should be visible in your root directory. The only thing left is to fix the substitution rule for the Servlet API 3.1. Add libservlet3.1-java to Build-Depends and the following rule to maven.rules:

javax.servlet s/servlet-api/javax.servlet-api/ * s/.*/3.1/ * *
s/javax.servlet/javax.servlet.jsp/ s/jsp-api/javax.servlet.jsp-api/ * s/.*/2.3/ * *

The maven.rules file consists of multiple rows, each made up of six columns. The values represent groupId, artifactId, type, version number and two fields which I never use. 🙂 You can just use an asterisk to match any value. Every value can be substituted. This is necessary when the value in upstream’s pom.xml file differs from Debian’s system packages. This happens frequently for API packages which are uploaded to Maven Central multiple times under a different groupId/artifactId but provide the same features. In this case the Twelvemonkeys’ pom requires an older API version but Debian is already at version 3.1. Note that we require a strict version number in this case because libservlet3.1-java does not use a symbolic debian version: we provide more than one Servlet API in the archive and this measure prevents conflicts.
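To make the column semantics concrete, here is an added Python re-implementation of maven.rules matching run over the two rules above. It is my own illustration, not the code of maven-repo-helper or maven-debian-helper, and it assumes that a regex column must match the whole value, that the first matching rule wins, and that replacements use Python backreference syntax; the catch-all “debian” rule and the sample coordinates are constructed.

```python
"""Apply maven.rules substitutions to Maven coordinates.

Added example written from scratch to show the column semantics described above;
it is not the code of maven-repo-helper or maven-debian-helper. Assumptions: a
regex column must match the whole value, the first matching rule wins, and
replacements use Python backreference syntax.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Column order of one maven.rules line, as described in the article.
FIELDS = ("groupId", "artifactId", "type", "version", "classifier", "scope")

# The two rules quoted in the article for the Servlet/JSP API substitution.
RULES_TEXT = """\
javax.servlet s/servlet-api/javax.servlet-api/ * s/.*/3.1/ * *
s/javax.servlet/javax.servlet.jsp/ s/jsp-api/javax.servlet.jsp-api/ * s/.*/2.3/ * *
"""

# Constructed catch-all rule (not from the article): every remaining version
# becomes the symbolic "debian" version the article mentions.
DEBIAN_VERSION_RULE = "* * * s/.*/debian/ * *\n"

# A column is '*', a literal, or s/<regex>/<replacement>/ (slashes may be escaped).
_SUBST = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/$")


@dataclass
class Column:
    raw: str
    regex: Optional["re.Pattern"] = None
    replacement: Optional[str] = None

    @classmethod
    def parse(cls, token: str) -> "Column":
        m = _SUBST.match(token)
        return cls(token, re.compile(m.group(1)), m.group(2)) if m else cls(token)

    def matches(self, value: str) -> bool:
        if self.raw == "*":
            return True
        if self.regex is not None:
            return self.regex.fullmatch(value) is not None
        return value == self.raw  # literal column: exact match

    def apply(self, value: str) -> str:
        if self.regex is None:
            return value  # '*' and literal columns keep the value
        m = self.regex.fullmatch(value)
        return m.expand(self.replacement) if m else value


@dataclass
class Rule:
    columns: Tuple[Column, ...]

    @classmethod
    def parse(cls, line: str) -> "Rule":
        tokens = line.split()  # whitespace separated, so a regex must not contain spaces
        if len(tokens) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(tokens)}: {line!r}")
        return cls(tuple(Column.parse(t) for t in tokens))

    def matches(self, dep: Dict[str, str]) -> bool:
        return all(c.matches(dep[f]) for c, f in zip(self.columns, FIELDS))

    def apply(self, dep: Dict[str, str]) -> Dict[str, str]:
        return {f: c.apply(dep[f]) for c, f in zip(self.columns, FIELDS)}


def parse_rules(text: str) -> List[Rule]:
    """Parse a maven.rules body; blank lines and '#' comments are skipped."""
    return [Rule.parse(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_coordinate(coord: str) -> Dict[str, str]:
    """Parse 'groupId:artifactId:type:version[:classifier[:scope]]' into six fields."""
    parts = coord.split(":")
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"bad coordinate: {coord!r}")
    return dict(zip(FIELDS, parts + [""] * (6 - len(parts))))


def format_coordinate(dep: Dict[str, str]) -> str:
    return ":".join(dep[f] for f in FIELDS[:4])


def apply_rules(rules: List[Rule], dep: Dict[str, str]) -> Dict[str, str]:
    """Rewrite one dependency with the first rule whose six columns all match."""
    for rule in rules:
        if rule.matches(dep):
            return rule.apply(dep)
    return dict(dep)  # no rule matched: unchanged


def rewrite(rules_text: str, coord: str) -> str:
    """Rules text plus one coordinate string in, rewritten coordinate string out."""
    return format_coordinate(apply_rules(parse_rules(rules_text), parse_coordinate(coord)))
```

Appending DEBIAN_VERSION_RULE after the two strict rules shows why order matters: the Servlet API keeps its strict 3.1 while everything else is mapped to “debian”.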

Thanks for reading this far. More articles about Java packaging will follow in the near future and hopefully they will clarify some terms and topics which could only be briefly mentioned in this post.


Krebs on SecurityFlash Player is Dead, Long Live Flash Player!

Adobe last week detailed plans to retire its Flash Player software, a cross-platform browser plugin so powerful and so packed with security holes that it has become the favorite target of malware developers. To help eradicate this ubiquitous liability, Adobe is enlisting the help of Apple, Facebook, Google, Microsoft and Mozilla. But don’t break out the bubbly just yet: Adobe says Flash won’t be put down officially until 2020.

In a blog post about the move, Adobe said more sites are turning away from proprietary code like Flash toward open standards like HTML5, WebGL and WebAssembly, and that these components now provide many of the capabilities and functionalities that plugins pioneered.

“Over time, we’ve seen helper apps evolve to become plugins, and more recently, have seen many of these plugin capabilities get incorporated into open web standards,” Adobe said. “Today, most browser vendors are integrating capabilities once provided by plugins directly into browsers and deprecating plugins.”

It’s remarkable how quickly Flash has seen a decline in both use and favor, particularly among the top browser makers. Just three years ago, at least 80 percent of desktop Chrome users visited a site with Flash each day, according to Google. Today, usage of Flash among Chrome users stands at just 17 percent and continues to decline (see Google graphic below).

For Mac users, the turning away from Flash began in 2010, when Apple co-founder Steve Jobs famously penned his “Thoughts on Flash” memo that outlined the reasons why the technology would not be allowed on the company’s iOS products. Apple stopped pre-installing the plugin that same year.

The percentage of Chrome users over time that have used Flash on a Web site. Image: Google.

“Today, if users install Flash, it remains off by default,” a post by Apple’s WebKit Team explains. “Safari requires explicit approval on each website before running the Flash plugin.”

Mozilla said that starting this month Firefox users will choose which websites are able to run the Flash plugin.

“Flash will be disabled by default for most users in 2019, and only users running the Firefox Extended Support Release will be able to continue using Flash through the final end-of-life at the end of 2020,” writes Benjamin Smedberg for Mozilla. “In order to preserve user security, once Flash is no longer supported by Adobe security patches, no version of Firefox will load the plugin.”

Facebook has long hosted plenty of games that invoke Flash, but over time more Facebook apps and games turned to HTML5, the company said.

“Today, more than 200 HTML5 games are live on our platform, most of which launched within the last year,” wrote Facebook’s Jakub Pudelek. “Many of the largest developers on the platform…migrated at least one Flash game to HTML5 on the Facebook platform with minimal impact to their existing customers.”

Finally, Microsoft said it has begun phasing out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. For now, Microsoft Edge, the default browser on newer versions of Windows, will continue to ask users for permission to run Flash on most sites the first time the site is visited, remembering the user’s preference on any subsequent visits.

By mid- to late 2018, Microsoft says, Edge will require permission for Flash to be run each browser session. But by mid 2018, Microsoft will disable Flash by default in both Edge and Internet Explorer. Read more about Microsoft’s timeline for Flash elimination here.

For years, unpatched vulnerabilities in Flash plugins have been the top moneymaker for users of various commercial “exploit kits,” crimeware designed to be stitched into the fabric of hacked or malicious sites and exploit browser plugin flaws.

An analysis of exploit kit activity by Arlington, Va.-based security firm Recorded Future showed that Flash Player vulnerabilities provided six of the top 10 vulnerabilities used by exploit kits in 2016 [full disclosure: Recorded Future is an advertiser on this blog].

Image: Recorded Future

I look forward to a time when Flash Player is in the rearview mirror entirely. Until then, KrebsOnSecurity will continue to call attention to new security updates for Flash Player and other widely used Adobe products.

Even so, I’ll also continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.

Cryptogram - Detecting Stingrays

Researchers are developing technologies that can detect IMSI-catchers: those fake cell phone towers that can be used to surveil people in the area.

This is good work, but it's unclear to me whether these devices can detect all the newer IMSI-catchers that are being sold to governments worldwide.

News article.

Worse Than Failure - CodeSOD: Synchronized Threads

Tim was debugging one of those multithreading bugs, where there appeared to be a race condition of some kind. The developer who had initially written the code denied that such a thing could exist: “It’s impossible, I used locks to synchronize the threads!”

Well, he did use locks at the very least.

/// <summary>
/// Performs the synchronisation
/// </summary>
/// <param name="state">Current state</param>
private void Synchronize(object state)
{
    // Take care that this can only run in one thread at a time
    var lockThis = new Object();
    lock (lockThis)
    {
        //…code…
    }
}

There is of course, one problem. The object you use for the lock needs to be shared across threads. This is less a “lock” in the sense of an “air lock” and more a lock in the sense of a “complete hull breach”.
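The broken pattern beside the corrected one, as an added example that is not part of the original post: the fix is to lock on one object that every thread shares (a readonly field), and the harness counts how many threads are inside the "protected" region at once to make the difference visible. The Worker class, the counter and the thread counts are assumptions, not the submitter's code.

```csharp
using System;
using System.Threading;

// Added example (not from the original post). Each call to BrokenSynchronize
// allocates its own lock object, so no two callers ever contend for the same
// monitor and the "critical section" runs fully in parallel. Synchronize uses
// a single shared object and therefore actually serialises the callers.
public sealed class Worker
{
    // One lock object, created once and shared by every thread that calls
    // Synchronize. Readonly so nothing can swap it out later, which would
    // silently reintroduce the same bug.
    private readonly object _syncRoot = new object();

    private int _inside;          // threads currently in the critical section
    public int MaxObservedInside; // worst overlap seen; 1 means properly serialised
    public int Counter;           // unprotected shared state touched in the section

    // The original code's pattern: a fresh object per call, so lock() never blocks.
    public void BrokenSynchronize(object state)
    {
        var lockThis = new Object();
        lock (lockThis)
        {
            CriticalSection();
        }
    }

    // Fixed: lock on the shared field.
    public void Synchronize(object state)
    {
        lock (_syncRoot)
        {
            CriticalSection();
        }
    }

    private void CriticalSection()
    {
        // Count how many threads are in here at once; with a working lock the
        // answer is always exactly one.
        int now = Interlocked.Increment(ref _inside);
        if (now > MaxObservedInside) MaxObservedInside = now;
        Thread.Sleep(1);          // widen the window so overlap is easy to observe
        Counter++;                // racy read-modify-write unless the lock really holds
        Interlocked.Decrement(ref _inside);
    }

    public static void Main()
    {
        foreach (var useFix in new[] { false, true })
        {
            var w = new Worker();
            var threads = new Thread[8];
            for (int i = 0; i < threads.Length; i++)
            {
                threads[i] = new Thread(() =>
                {
                    for (int j = 0; j < 50; j++)
                    {
                        if (useFix) w.Synchronize(null);
                        else        w.BrokenSynchronize(null);
                    }
                });
                threads[i].Start();
            }
            foreach (var t in threads) t.Join();

            // With the per-call lock, MaxObservedInside climbs well above 1 and
            // Counter usually falls short of 400; with the shared lock both hold.
            Console.WriteLine($"{(useFix ? "shared lock" : "per-call lock")}: " +
                              $"max threads inside = {w.MaxObservedInside}, " +
                              $"counter = {w.Counter} (expected 400)");
        }
    }
}
```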

Planet Debian - Jonathan Dowland: Debian on the Raspberry Pi3

Back in November, Michael Stapelberg blogged about running (pure) Debian on the Raspberry Pi 3. This is pretty exciting because Raspbian still provides only 32-bit packages, so this means you can run a true ARM64 OS on the Pi. Unfortunately, one of the major missing pieces with Debian on the Pi3 at this time is broken video support.

A helpful person known as "SandPox" wrote to me in June to explain that they had working video for a custom kernel build on top of pure Debian on the Pi, and they achieved this simply by enabling CONFIG_FB_SIMPLE in the kernel configuration. On request, this has since been enabled for official Debian kernel builds.

Michael and I explored this and eventually figured out that this does work when building the kernel using the upstream build instructions, but it doesn't work when building using the Debian kernel package's build instructions.

I've since run out of time to look at this more, so I wrote to request help from the debian-kernel mailing list; alas, nobody has replied yet.

I've put up the dmesg.txt for a boot with the failing kernel, which might offer some clues. Can anyone help figure out what's wrong?

Thanks to Michael for driving efforts for Debian on the Pi, and to SandPox for getting in touch to make their first contribution to Debian. Thanks also to Daniel Silverstone who loaned me an ARM64 VM (from Scaleway) upon which I performed some of my kernel builds.

Krebs on Security - New Bill Seeks Basic IoT Security Standards

Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.

The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government to make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.

The bill, introduced by Sens. Steve Daines (R-Mont.), Cory Gardner (R-Colo.), Mark Warner (D-Va.) and Ron Wyden (D-Ore.), directs the White House Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality. In addition, it requires each executive agency to inventory all Internet-connected devices in use by the agency.

The bill’s provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as “a physical object that is capable of connecting to and is in regular connection with the Internet;” and one that “has computer processing capabilities that can collect, send or receive data.”

According to the bill’s core sponsors, the measure already has the support of several key legislative technology groups, including the Center for Democracy & Technology (CDT), Mozilla, and the Berklett Cybersecurity Project at Harvard University’s Berkman Klein Center for Internet & Society.

Those advocates were no doubt involved in shaping other aspects of this legislation, including one that exempts cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act (CFAA), a dated anti-cybercrime law that many critics say has been abused by government prosecutors and companies to intimidate and silence security researchers.

Perhaps the most infamous example of prosecutorial overreach under the CFAA is the case of Aaron Swartz, a Harvard research fellow who committed suicide after being hounded by multiple CFAA fraud charges by state and federal prosecutors for downloading a large number of academic journals.

Specifically, the bill would “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines,” according to a statement released by Sen. Warner (link added).

The measure also directs the Department of Homeland Security to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government.

Last fall, Sens. Warner and others pinged federal regulators at the U.S. Federal Trade Commission (FTC) and the U.S. Federal Communications Commission (FCC) to see if something more could be done about the proliferating threat from poorly-secured IoT devices.

At the time, the world had just witnessed two of the largest cyberattacks the Internet had ever seen (including one against this Web site). Those attacks were launched with the help of IoT devices — mostly cheap security cameras and Internet routers — that were hacked thanks largely to user accounts which could not be removed and which were configured to be remotely accessible over the Internet.

A full text of the Senate proposal is available here.

Update, 3:49 p.m. ET: Corrected abbreviation for Sen. Wyden’s home state.

Cryptogram - Vulnerabilities in Car Washes

Articles about serious vulnerabilities in IoT devices and embedded systems are now dime-a-dozen. This one concerns Internet-connected car washes:

A group of security researchers have found vulnerabilities in internet-connected drive-through car washes that would let hackers remotely hijack the systems to physically attack vehicles and their occupants. The vulnerabilities would let an attacker open and close the bay doors on a car wash to trap vehicles inside the chamber, or strike them with the doors, damaging them and possibly injuring occupants.

Worse Than Failure - Tales from the Interview: The 5% Candidate

There are many kinds of jackasses in this world, from the pretentious prick to the smug cynic. Each has their own flavor of awfulness, their own way of making you hate not only them but the entire world that gave birth to them. This story is about one kind of jackass in particular, perhaps the most classic flavor: the man so sure of his own greatness that he becomes enraged at the world whenever it fails to bow before his massive intellect.

You see these people a lot on Twitter these days. With self-righteous fury, they demand that you get with the program and acknowledge their clear superiority. But as obnoxious as they are online, they're worse in person ... especially if they turn up at your job interview.

Today's candidate applied for a job at a government IT department. Unlike stories you've seen on this site before, this government shop was actually fairly efficient and pleasant to work for. They were hiring Java developers, preferably ones that also had UI and database skills. As such, they had over 100 CVs to skim through for their first 2 positions. After removing those written in crayon, with massive coffee rings obscuring the text, or which had return addresses in prison, they were able to narrow the field to a mere 30, but it was still far more candidates than they wanted to interview in a few short days.

But interview they did. At 10 candidates a day, they barely had time to weed through people; however, it didn't take long to eliminate most of the candidates. Some lacked a basic understanding of computers, such as how to launch applications when they're not strewn across the desktop. Others lacked a basic understanding of programming, being entirely unable to tell Java apart from Microsoft Word. Still others—disturbingly many others—lacked a basic understanding of hygiene.

For Round 2, they decided only to work with agencies they'd had firsthand experience with, either from that office or from previous companies. They also put together a quick "sniff test" to filter the wheat from the chaff. This 30-minute test checked for basic logic skills, including some open-ended CS questions and Java code to debug. They were looking more for the explanations behind the answers than the answers themselves, hoping to get some idea of how these people reasoned.

It worked like a charm. Those who scored under 50% were always appalling in the interview, and those who scored highly were always at worst acceptable. They quickly found their candidates. When it came time to fill the next junior opening, the decision was unanimous: they would use the sniff test as a screen, refusing to interview anyone who failed.

Enter The Architect, our aforementioned jackass. This guy seemed pretty good on paper: "10 years experience in infrastructure architecture, design patterns, certifications, and software development practices" according to his cover letter. Applying for a junior role was a bit odd for this veteran, to be sure, but they gave him the test anyway.

And boy, did he fail. His final score was a mere 5%. Every answer included a tirade about how the question was wrong. Every. Single. One.

Some of you may not believe this man exists. But some of you have met him, or one of his many counterparts the world over. This is the man who, when faced with a question like:

Linked List, Binary Tree, Stack and Queue - describe a simple program to read in a million names and output them in reverse order using one of the above structures.

Writes an answer like:

Seriously??? I wouldn't use any data structures. I'd use a database. Thats what there there for. Man you need a rethink!!!

Or when faced with this simple logic test:

What's the missing sequence:
2, 4, 8, __, 32
1, 3, 9, 27, __

Replies:

2, 4, 8, 10, 32 You've missed out 6, 12, 14, 16, 18 etc. This is unacceptable for a test at this level. Are you sure you want people of my caliber here? Sort it out please!!!

Those who've had the misfortune of meeting someone like this know what comes next, but I'll relate it anyway.

The exam was graded and laughed at. The interviewer went into the room to tell the man he just "wasn't the right fit."

The man exploded with rage: screaming obscenities, wishing death and destruction upon the interviewer, the business, the whole city. He refused to leave until they offered him the job. It took 3 people plus the security team to escort him out of the building, and even then he wouldn't go until they threatened to call the police.

Somewhere out there, there is a blog in which this agency is lambasted up and down for its poor hiring practices. It probably goes on a scathing rant, estimating (too highly) how much of "MY TAXES!!!!" this man pays to support these "incompetent" developers who "wasted MY time!" with their "bullsh!t interview". Maybe it even theorizes that taxes themselves are illegal, as the man proudly declares himself a "sovereign citizen".

Thankfully, you are reading The Daily WTF and not this man's blog. In fact, I'd dare say nobody is visiting this man's blog. That's probably why he's so very angry in the first place.

Don Marti - Why surveillance marketers don't worry about GDPR (but privacy nerds should)

A lot of privacy people these days sound like a little kid arguing with a sibling. You're going to be in big trouble when Dad gets home!

Dad, here, is the European Union, who's going to put the General Data Protection Regulation foot down, and then, oh, boy, those naughty surveillance marketers are going to catch it, and wish that they had been listening to us about privacy all along.

Right?

But Internet politics never works like that. Sure, European politicians don't want to hand over power to the right-wing factions who are better at surveillance marketing than they are. And foreign agents use Facebook (and other US-based companies) to attack legit political systems. But that stuff is not going to be enough to save GDPR.

The problem is that perfectly normal businesses are using GDPR-violating sneaky tracking pixels and other surveillance marketing as part of their daily marketing routine.

As the GDPR deadline approaches, surveillance marketers in Europe are going to sigh and painstakingly explain to European politicians that of course this GDPR thing isn't going to work. "You see, politicians, it's an example of political overreach that completely conflicts with technical reality." European surveillance marketers will use the same kind of language about GDPR that the freedom-loving side used when we talked about the proposed CBDTPA. It's just going to Break the Internet! People will lose their jobs!

The result is predictable. GDPR will be delayed, festooned with exceptions, or both, and the hoped-for top-down solution to privacy problems will not come. There's no shortcut. We'll only get a replacement for surveillance marketing when we build the tools, the networks, the business processes, the customer/voter norms, and then the political power.

Planet Linux Australia - Gabriel Noronha: NBN FTTN

Unfortunately for us, our home only got an FTTN NBN connection. But like others, I thought I would share the speed improvement results from cleaning up the wiring inside your own home. We have 2 phone sockets, 1 in the bedroom and one in the kitchen. By removing the cable from the kitchen to the bedroom, we managed to increase our maximum line rate from 14.2Mbps upload and 35.21Mbps download to 20Mbps upload and 47 Mbps download.

Bedroom Phone Line connected.
Line Statistics Post Wiring clean up

We’ve also put in a speed change request from the 12/5 plan to the 50/20 plan, so next month we should be enjoying a bit more of the NBN.

To think that with FTTH you could have had up to 4 100/40 connections, and you wouldn’t have had to pay someone to rewire your phone sockets.

Update:

Speed change has gone through.

Modem statistics on 50/20 speed

Sociological Images - I argued that men avoid ball-kicking to protect the myth of masculinity; in secret, they agreed

In 2015 I wrote an essay in which I speculated about why we don’t see men kicking each other in the balls more often. We leave no stones unturned here at SocImages, folks.

I argued that men don’t kick each other in the balls because it would reveal to everyone an inherent and undeniable biological weakness in every man, not just the man getting kicked. In other words, it’s a secret pact to protect the myth of masculine superiority.

I expected a reaction, but I was genuinely surprised at what transpired. In public — in the comments — men debated strategy, arguing that men don’t kick each other in the balls because it’s actually a difficult blow to land or would escalate the fight. But in private — in my email inbox — men sent me hushed messages of you-are-so-right-though.

This is interesting because people rarely bother to go to the trouble of googling me, finding my email address, and writing me a note. The comments thread is right there and there’s a link to my twitter account at the end of the post. Most people criticize or compliment me publicly. Moreover, the emails have never stopped coming. I get one now every couple months — almost two years later — which I think means that ball kicking is something men (and it’s always men) are quietly seeking information about.

So, what do they say in private to me?

The one I received today was characteristic and the guy who wrote it gave me permission to share some of it. I’ll call him “Guy.”

First, Guy agreed that the vulnerability of having testicles is distressing to him specifically because he has been taught that boys and men are supposed to be stronger than girls and women.

Boys usually think of themselves as being tough and we want to be tough and tougher than girls especially. The idea that a girl could hurt a big strong boy like me is ridiculous right. But then I got older and learned about testicles and that girls didnt have them and i was embarrassed that I had a weak spot and they didn’t.

Second, he acknowledged that knowing that other people know about this vulnerability adds to the stress of having it.

I always hate in movies when a guy gets hit in the balls and drops especially if a woman did the kicking and if I am watching it with women. I don’t want anyone to know I have a weak spot or to acknowledge it. I still try to workout and be big and strong but I always feel vulnerable down there. My older sister and i used to play fight and i started getting bigger than her and winning. Then one time she faked a kick to my groin and i jumped back and covered myself. She had this self satisfied smurk on her face like ya dont mess with me and i never did again.

This vulnerability, Guy emphasizes, isn’t just a trivial thing; it’s everything. It affects how he feels about his whole body (“your only as strong as your weakest link”) and it’s psychologically consuming (“I hate knowing this”).

Your only as strong as your weakest link and guys have the weakest link on the body. I hate knowing this and I’m afraid women realize this and I think alot of guys feel the same even if they dont admit it.

“They dont admit it,” Guy writes, which means it’s a secret shame. And, like many of the men who’ve emailed me, he thanks me for putting it out there in public and says that it’s a relief to actually talk about it.

Anyway I think you really hit a nerve with this article and I think its kinda therapeutic to talk about it cause I usually keep it to myself. Keep up the good work and Take Care!

I think this is amazing.

I’m touched, first of all, by the emotional vulnerability that Guy and the other (mostly young) men who’ve emailed me have shown. Behind all of the pretending like they’re a “big strong boy,” these guys are nervous, worried that their front is going to be exposed and everyone is going to see them as a fraud and a failure. Not a Real Man at all.

In fact, they worry that everyone already sees them that way. The sister’s smirk tells Guy, in no uncertain terms, that his front is transparent. “I won’t expose you,” it says. “Not today. But I can and we both know it.” No matter how hard he tries — no matter how big his biceps or bank account, no matter how corner his office is or how hot his wife — he’s got those goddamn testicles and they’re right there.

Guy explains that it makes him want to compensate. He works out to be “big and strong.” But it’ll never be enough. He says, “I always feel vulnerable down there.” He feels vulnerable anyway. There’s really nothing he can do.

This is telling us something profound about what it feels like to be a man in America today. Told to live up to an impossible standard of invulnerability, they inevitably feel like failures. Told specifically to be more invulnerable than (and not vulnerable to) women, by biological accident, they’re not. What a cruel twist of the testicles. It hurts.

And I wonder how much of what men do in their lives is a response to this psychic injury. How many of Donald Trump’s shenanigans, for example, have to do with the fact that he knows, and he knows that everyone knows, that someone could just drop him with a kick to the balls at any time? It sounds absurd to blame the risk of nuclear war on Trump’s testicles, but these young men are telling me that, right around puberty — as they are graduating from boys to men, doubling down on their difference from girls and women, and being told that to earn others’ esteem they have to be bigger and stronger — they have a disturbing revelation that compels them to embark on a lifetime of proving they’re not weak.

Until we all agree to let men be human, they’re going to keep living lives of quiet desperation. And the rest of us have to keep fearing what they will do to avoid being exposed.

Lisa Wade, PhD is a professor at Occidental College. She is the author of American Hookup, a book about college sexual culture, and a textbook about gender. You can follow her on Twitter, Facebook, and Instagram.

(View original at https://thesocietypages.org/socimages)

Cryptogram - Robot Safecracking

Robots can crack safes faster than humans -- and differently:

So Seidle started looking for shortcuts. First he found that, like many safes, his SentrySafe had some tolerance for error. If the combination includes a 12, for instance, 11 or 13 would work, too. That simple convenience measure meant his bot could try every third number instead of every single number, immediately paring down the total test time to just over four days. Seidle also realized that the bot didn't actually need to return the dial to its original position before trying every combination. By making attempts in a certain careful order, it could keep two of the three rotors in place, while trying new numbers on just the last, vastly cutting the time to try new combinations to a maximum of four seconds per try. That reduced the maximum bruteforcing time to about one day and 16 hours, or under a day on average.

But Seidle found one more clever trick, this time taking advantage of a design quirk in the safe intended to prevent traditional safecracking. Because the safe has a rod that slips into slots in the three rotors when they're aligned to the combination's numbers, a human safecracker can apply light pressure to the safe's handle, turn its dial, and listen or feel for the moment when that rod slips into those slots. To block that technique, the third rotor of Seidle's SentrySafe is indented with twelve notches that catch the rod if someone turns the dial while pulling the handle.

Seidle took apart the safe he and his wife had owned for years, and measured those twelve notches. To his surprise, he discovered the one that contained the slot for the correct combination was about a hundredth of an inch narrower than the other eleven. That's not a difference any human can feel or listen for, but his robot can easily detect it with a few automated measurements that take seconds. That discovery defeated an entire rotor's worth of combinations, dividing the possible solutions by a factor of 33, and reducing the total cracking time to the robot's current hour-and-13 minute max.

We're going to have to start thinking about robot adversaries as we design our security systems.
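The arithmetic behind the excerpt's timings, reconstructed as an added worked example (not from the original post). It assumes a three-rotor dial with 100 positions; the stated times only come out right with 33 tested values per rotor, which is what the ±1 tolerance gives on such a dial.

Brute force with no shortcuts, one rotor position at a time:
$$N_0 = 100^3 = 1{,}000{,}000 \text{ combinations}$$

Tolerance of ±1 means every third position also covers its two neighbours, so each rotor needs only about $100/3 \approx 33$ trials, and keeping two rotors in place brings a trial down to at most 4 s:
$$N_1 = 33^3 = 35{,}937, \qquad T_1 = 35{,}937 \times 4\,\text{s} \approx 143{,}700\,\text{s} \approx 39.9\,\text{h} \approx 1\text{ day }16\text{ h (maximum)}$$
On average the correct combination is found about halfway through, so $T_1/2 \approx 20\,\text{h}$, "under a day".

Measuring the narrower notch fixes the third rotor outright, removing that rotor's 33 possibilities:
$$N_2 = \frac{35{,}937}{33} = 1{,}089, \qquad T_2 = 1{,}089 \times 4\,\text{s} = 4{,}356\,\text{s} \approx 72.6\,\text{min} \approx 1\text{ h }13\text{ min (maximum)}$$

The general pattern is multiplicative: the cost of the attack is (positions per rotor after tolerance)$^{\text{rotors not leaked by a side channel}}$ times the time per trial, so a small mechanical tolerance and a single measurable rotor together cut a million-combination space by three orders of magnitude.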

Planet Linux Australia - Russell Coker: Running a Tor Relay

I previously wrote about running my SE Linux Play Machine over Tor [1] which involved configuring ssh to use Tor.

Since then I have installed a Tor hidden service for ssh on many systems I run for clients. The reason is that it is fairly common for them to allow a server to get a new IP address by DHCP or accidentally set their firewall to deny inbound connections. Without some sort of VPN this results in difficult phone calls talking non-technical people through the process of setting up a tunnel or discovering an IP address. While I can run my own VPN for them I don’t want their infrastructure tied to mine and they don’t want to pay for a 3rd party VPN service. Tor provides a free VPN service and works really well for this purpose.

As I believe in giving back to the community I decided to run my own Tor relay. I have no plans to ever run a Tor Exit Node because that involves more legal problems than I am willing or able to deal with. A good overview of how Tor works is the EFF page about it [2]. The main point of a “Middle Relay” (or just “Relay”) is that it only sends and receives encrypted data from other systems. As the Relay software (and the sysadmin if they choose to examine traffic) only sees encrypted data without any knowledge of the source or final destination the legal risk is negligible.

Running a Tor relay is quite easy to do. The Tor project has a document on running relays [3], which basically involves changing 4 lines in the torrc file and restarting Tor.

If you are running on Debian you should install the package tor-geoipdb to allow Tor to determine where connections come from (and to not whinge in the log files).

ORPort [IPV6ADDR]:9001

If you want to use IPv6 then you need a line like the above with IPV6ADDR replaced by the address you want to use. Currently Tor only supports IPv6 for connections between Tor servers and only for the data transfer not the directory services.
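A minimal torrc for a middle (non-exit) relay of the kind described above, as an added example rather than the author's own configuration; the nickname, contact address and IPv6 address are placeholders.

```text
## Added example torrc for a middle (non-exit) relay; not the author's file.
## Nickname, ContactInfo and IPV6ADDR are placeholders to replace.
Nickname      ExampleRelay
ContactInfo   relay-admin <at> example <dot> org
ORPort        9001
ORPort        [IPV6ADDR]:9001
## Middle relay only: refuse to carry any traffic out to the public Internet.
ExitRelay     0
ExitPolicy    reject *:*
```

Running `tor --verify-config -f /etc/tor/torrc` checks the file for syntax errors before you restart the service, and the ExitPolicy line is the one to confirm whenever the file is edited later.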

Data Transfer

I currently have 2 systems running as Tor relays, both of them are well connected in a European DC and they are each transferring about 10GB of data per day which isn’t a lot by server standards. I don’t know if there is a sufficient number of relays around the world that the share of the load is small or if there is some geographic dispersion algorithm which determined that there are too many relays in operation in that region.

Cryptogram - Measuring Vulnerability Rediscovery

New paper: "Taking Stock: Estimating Vulnerability Rediscovery," by Trey Herr, Bruce Schneier, and Christopher Morris:

Abstract: How often do multiple, independent, parties discover the same vulnerability? There are ample models of vulnerability discovery, but little academic work on this issue of rediscovery. The immature state of this research and subsequent debate is a problem for the policy community, where the government's decision to disclose a given vulnerability hinges in part on that vulnerability's likelihood of being discovered and used maliciously by another party. Research into the behavior of malicious software markets and the efficacy of bug bounty programs would similarly benefit from an accurate baseline estimate for how often vulnerabilities are discovered by multiple independent parties.

This paper presents a new dataset of more than 4,300 vulnerabilities, and estimates vulnerability rediscovery across different vendors and software types. It concludes that rediscovery happens more than twice as often as the 1-9% range previously reported. For our dataset, 15% to 20% of vulnerabilities are discovered independently at least twice within a year. For just Android, 13.9% of vulnerabilities are rediscovered within 60 days, rising to 20% within 90 days, and above 21% within 120 days. For the Chrome browser we found 12.57% rediscovery within 60 days; and the aggregate rate for our entire dataset generally rises over the eight-year span, topping out at 19.6% in 2016. We believe that the actual rate is even higher for certain types of software.

When combined with an estimate of the total count of vulnerabilities in use by the NSA, these rates suggest that rediscovery of vulnerabilities kept secret by the U.S. government may be the source of up to one-third of all zero-day vulnerabilities detected in use each year. These results indicate that the information security community needs to map the impact of rediscovery on the efficacy of bug bounty programs and policymakers should more rigorously evaluate the costs of non-disclosure of software vulnerabilities.

We wrote a blog post on the paper, and another when we issued a revised version.

Comments on the original paper by Dave Aitel. News articles.

Worse Than Failure - Representative Line: Groovy Typing, Man

Groovy was one of those programming languages that spent about six months as the trendy language du jour, and I haven’t heard much about it since. If I were to learn it, I’d want to learn by example, going through real-world Groovy code and seeing how it works.

An anonymous submitter has provided one sample for me to learn from:

List<String> items = new ArrayList<String>(Arrays.asList(data.split(",")))
String itemOne = items[2].toString()

It reminds me of those Family Circus comics where little Billy would wander the entire city to get from the front yard to the back yard.

It does indeed. And certainly, the type conversions are definitely the long way around: String -> String[] -> List<String> -> String -> String. But more than anything else, it’s the second statement that really gets me.

String itemOne = items[2].toString()


,

Planet Linux AustraliaOpenSTEM: This Week in HASS – term 3, week 4

This week younger students start investigating how we can find out about the past. This investigation will be conducted over the next 3 weeks and will culminate in a Scientific Report. Older students are considering different sources of historical information and how they will use these sources in their research.

Foundation/Prep/Kindy to Year 3

Students in stand-alone Foundation/Prep/Kindy classes (Unit F.3), as well as those in integrated classes (Unit F-1.3) and Years 1 (Unit 1.3), 2 (Unit 2.3) and 3 (Unit 3.3) are all starting to think about how we can find out about the past. This is a great opportunity for teachers to encourage students to think about how we know about the past and brainstorm ideas, as well as coming up with their own avenues of inquiry. Teachers may wish to hold a Question and Answer session in class to help guide students to examine many different aspects of this topic. The resource Finding Out About The Past contains core information to help the teacher guide the discussion to cover different ways of examining the past. This discussion can be tailored to the level and individual circumstances of each class. Foundation/Prep/Kindy students are just starting to think about the past as a time before the present and how this affects what we know about past events. The discussion can be developed in higher years, and the teacher can start to introduce the notion of sources of information, including texts and material culture. This investigation forms the basis for the Method section of the Scientific Report, which is included in the Student Workbook.

Years 3 to 6

Students in Years 3 (Unit 3.7), 4 (Unit 4.3), 5 (Unit 5.3) and 6 (Unit 6.3) are following a similar line of investigation this week, but examining Historical Sources specifically. As well as Primary and Secondary Sources, students are encouraged to think about Oral Sources, Textual Sources and Material Culture (artefacts such as stone tools or historical items). This discussion forms the basis for students completing the Method section of their Scientific Report, where they will list the sources of information and how these contributed to their research. Older students might be able to self-direct this process, although teachers may wish to guide the process through an initial class discussion. Teachers may wish to take the class through a discussion of the sources they are using for their research and discuss how students will use and report on these sources in their report for their topic.

,

Cory DoctorowA Hopeful Look At The Apocalypse: interview with Innovation Hub

I’m on the latest episode of Innovation Hub (MP3):

Science-fiction is a genre that imagines the future. It doesn’t necessarily predict the future (after all, where are flying cars?), but it grapples with the technological and societal changes happening today to better understand our world and where it’s heading.

So, what does it mean when so much of our most popular science-fiction – The Handmaid’s Tale, The Walking Dead, and The Hunger Games – present bleak, depressing futures? Cory Doctorow might just have an answer. He’s a blogger, writer, activist, and author of the new book Walkaway, an optimistic disaster novel.

Three Takeaways

* Doctorow thinks that science-fiction can give people “ideas for what to do if the future turns out in different ways.” Like how William Gibson’s Neuromancer didn’t just predict the internet, it predicted the intermingling of corporations and the state.

* When you have story after story about how people turn on each other after disaster, Doctorow believes it gives us the largely false impression that people act like jerks in crises. When in fact, people usually rise to the occasion.

* With Walkaway, his “optimistic” disaster novel, Doctorow wanted to present a new narrative about resolving differences between people who are mostly on the same side.

CryptogramRoombas will Spy on You

The company that sells the Roomba autonomous vacuum wants to sell the data about your home that it collects.

Some questions:

What happens if a Roomba user consents to the data collection and later sells his or her home -- especially furnished -- and now the buyers of the data have a map of a home that belongs to someone who didn't consent, Mr. Gidari asked. How long is the data kept? If the house burns down, can the insurance company obtain the data and use it to identify possible causes? Can the police use it after a robbery?

EDITED TO ADD (6/29): Roomba is backtracking -- for now.

Planet Linux AustraliaRussell Coker: Apache Mesos on Debian

I decided to try packaging Mesos for Debian/Stretch. I had a spare system with an i7-930 CPU, 48G of RAM, and SSDs to use for building. The i7-930 isn’t really fast by today’s standards, but 48G of RAM and SSD storage mean that overall it’s a decent build system – faster than most systems I run (for myself and for clients) and probably faster than most systems used by Debian Developers for build purposes.

There’s a github issue about the lack of an upstream package for Debian/Stretch [1]. That upstream issue could probably be worked around by adding Jessie sources to the APT sources.list file, but a package for Stretch is what is needed anyway.

Here is the documentation on building for Debian [2]. The list of packages it gives as build dependencies is incomplete; it also needs zlib1g-dev libapr1-dev libcurl4-nss-dev openjdk-8-jdk maven libsasl2-dev libsvn-dev. So BUILDING this software requires Java + Maven, Ruby, and Python along with autoconf, libtool, and all the usual Unix build tools. It also requires the FPM (Fucking Package Management) tool; I take the choice of name as an indication of the professionalism of the author.

Building the software on my i7 system took 79 minutes which includes 76 minutes of CPU time (I didn’t use the -j option to make). At the end of the build it turned out that I had mistakenly failed to install the Fucking Package Management “gem” and it aborted. At this stage I gave up on Mesos, the pain involved exceeds my interest in trying it out.

How to do it Better

One of the aims of Free Software is that bugs are more likely to get solved if many people look at them. There aren’t many people who will devote 76 minutes of CPU time on a moderately fast system to investigate a single bug. To deal with this, software should be prepared as components. An example of this is the SE Linux project which has 13 source modules in the latest release [3]. Of those 13 only 5 are really required. So anyone who wants to start on SE Linux from source (without considering a distribution like Debian or Fedora that has it packaged) can build the 5 most important ones. Also anyone who has an issue with SE Linux on their system can find the one source package that is relevant and study it with a short compile time. As an aside I’ve been working on SE Linux since long before it was split into so many separate source packages and know the code well, but I still find the separation convenient – I rarely need to work on more than a small subset of the code at one time.

The requirement of Java, Ruby, and Python to build Mesos could be partly due to language interfaces to call Mesos interfaces from Ruby and Python. One solution to that is to have the C libraries and header files to call Mesos and have separate packages that depend on those libraries and headers to provide the bindings for other languages. Another solution is to have autoconf detect that some languages aren’t installed and just not try to compile bindings for them (this is one of the purposes of autoconf).

The use of a tool like Fucking Package Management means that you don’t get help from experts in the various distributions in making better packages. When there is a FOSS project with a debian subdirectory that makes barely functional packages then you will be likely to have an experienced Debian Developer offer a patch to improve it (I’ve offered patches for such things on many occasions). When there is a FOSS project that uses a tool that is never used by Debian developers (or developers of Fedora and other distributions) then the only patches you will get will be from inexperienced people.

A software build process should not download anything from the Internet. The source archive should contain everything that is needed and there should be dependencies for external software. Any downloads from the Internet need to be protected from MITM attacks which means that a responsible software developer has to read through the build system and make sure that appropriate PGP signature checks etc are performed. It could be that the files that the Mesos build downloaded from the Apache site had appropriate PGP checks performed – but it would take me extra time and effort to verify this and I can’t distribute software without being sure of this. Also reproducible builds are one of the latest things we aim for in the Debian project, this means we can’t just download files from web sites because the next build might get a different version.

Finally the fpm (Fucking Package Management) tool is a Ruby Gem that has to be installed with the “gem install” command. Any time you specify a gem install command you should include the -v option to ensure that everyone is using the same version of that gem, otherwise there is no guarantee that people who follow your documentation will get the same results. Also a quick Google search didn’t indicate whether gem install checks PGP keys or verifies data integrity in other ways. If I’m going to compile software for other people to use I’m concerned about getting unexpected results with such things. A Google search indicates that Ruby people were worried about such things in 2013 but doesn’t indicate whether they solved the problem properly.
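As an added example (not part of Russell's post, and not code from the Mesos build system), here is a small shell helper that applies the two checks the last two paragraphs ask for: a build input is only used after its SHA-256 matches a digest pinned in the source tree, a detached PGP signature is checked against a keyring shipped with the source rather than a keyserver, and a gem is fetched at a pinned version and installed from the verified local file instead of straight from the network. The function names, the keyring path and the pinned digests are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the post or from Mesos: verify build inputs before
# using them, instead of trusting whatever the network happened to return.
set -u

# Print the SHA-256 of a file (GNU coreutils, with the BSD/macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when the file's digest equals the pinned digest. The pinned
# value lives in the source tree, so the check is reproducible and offline:
# a different upstream file (or a MITM'd download) fails the build instead of
# silently changing what gets compiled.
verify_artifact() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# verify_signature FILE SIGNATURE KEYRING
# Detached PGP signature check against a keyring committed with the source
# (e.g. debian/upstream/signing-key.asc), never against a key fetched at
# build time. gpgv exits non-zero on a bad or unknown signature.
verify_signature() {
    gpgv --keyring "$3" "$2" "$1"
}

# install_pinned_gem NAME VERSION EXPECTED_SHA256
# 'gem install NAME' pulls whatever the newest release is today. Fetching a
# pinned version, checking its digest and installing from the local .gem file
# fixes both the version drift and the unverified download the post describes.
install_pinned_gem() {
    name="$1"
    version="$2"
    expected="$3"
    gem fetch "$name" --version "$version" || return 1
    verify_artifact "$name-$version.gem" "$expected" || return 1
    gem install --local "$name-$version.gem"
}

# Offline self-check on a constructed file (no network access needed).
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_artifact "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "pinned digest matched"
rm -f "$demo"
```

The pinned digest would normally come from a SHA256SUMS file committed next to the build script, in which case `sha256sum -c SHA256SUMS` performs the same comparison over the whole list of files; the point is that the expected value is part of the source being built, not something fetched alongside the artifact it is supposed to protect.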

Don MartiExtracting just the audio from big video files

Got a big video, and want a copy of just the audio for listening on a device with limited storage? Use Soundconverter.

soundconverter -b -m mp3 -s .mp3 long-video.webm

(MP3 patents are expired now, hooray! I'm just using MP3 here because if I get a rental car that lets me plug in a USB stick for listening, the MP3 format is most likely to be supported.)

Soundconverter has a GUI but you can use -b for batch mode from the shell. soundconverter --help for help. You do need to set both the MIME type, with -m, and the file suffix, with -s.

,

Krebs on SecuritySuspended Sentence for Mirai Botmaster Daniel Kaye

Last month, KrebsOnSecurity identified U.K. citizen Daniel Kaye as the likely real-life identity behind a hacker responsible for clumsily wielding a powerful botnet built on Mirai, a malware strain that enslaves poorly secured Internet of Things (IoT) devices for use in large-scale online attacks. Today, a German court issued a suspended sentence for Kaye, who now faces cybercrime charges in the United Kingdom.

Daniel Kaye's Facebook profile page.

In February 2017, authorities in the United Kingdom arrested a 29-year-old U.K. man on suspicion of knocking more than 900,000 Germans offline in a Mirai attack in November 2016. Shortly after that 2016 attack, a hacker using the nickname “Bestbuy” told reporters he was responsible for the outage, apologizing for the incident.

Prosecutors in Europe had withheld Kaye’s name from the media throughout the trial. But a court in Germany today confirmed Kaye’s identity as it handed down a suspended sentence on charges stemming from several failed attacks from his Mirai botnet — which nevertheless caused extensive internet outages for ISPs in the U.K., Germany and Liberia last year.

On July 5, KrebsOnSecurity published Who is the GovRAT Author and Mirai Botmaster BestBuy. The story followed clues from reports produced by a half-dozen security firms that traced common clues between this BestBuy nickname and an alter-ego, “Spiderman.”

Both identities were connected to the sale of an espionage tool called GovRAT, which is documented to have been used in numerous cyber espionage campaigns against governments, financial institutions, defense contractors and more than 100 corporations.

That July 5 story traced a trail of digital clues left over 10 years back to Daniel Kaye, a 29-year-old man who had dual U.K. and Israeli citizenship and who was engaged to be married to a U.K. woman.

A “mind map” tracing some of the research mentioned in this post.

Last week, a 29-year-old identified by media only as “Daniel K” pleaded guilty in a German court for launching the attacks that knocked 900,000 Deutsche Telekom customers offline. Prosecutors said Daniel K sold access to his Mirai botnet as an attack-for-hire service.

The defendant reportedly told the court that the incident was the biggest mistake of his life, and that he took money in exchange for launching attacks in order to help start a new life with his fiancee.

Today, the regional court in the western city of Cologne said it would suspend the sentence of one year and eight months against Kaye, according to a report from Agence France Presse.

While it may seem that Kaye was given a pass by the German court, he is still facing criminal charges in Britain, where authorities have already requested his extradition.

As loyal readers here no doubt know, KrebsOnSecurity last year was massively attacked by the first-ever Mirai botnet — an attack which knocked this site offline for almost four days before it came back online under the protection of Google’s Project Shield service.

In January 2017, this blog published the results of a four-month investigation into who was likely responsible not only for writing Mirai, but for leaking the source code for the malware — spawning dozens of competing Mirai botnets like the one that Kaye built. To my knowledge, no charges have yet been filed against any of the individuals named in that story.

CryptogramMe on Restaurant Surveillance Technology

I attended the National Restaurant Association exposition in Chicago earlier this year, and looked at all the ways modern restaurant IT is spying on people.

But there's also a fundamentally creepy aspect to much of this. One of the prime ways to increase value for your brand is to use the Internet to practice surveillance of both your customers and employees. The customer side feels less invasive: Loyalty apps are pretty nice, if in fact you generally go to the same place, as is the ability to place orders electronically or make reservations with a click. The question, Schneier asks, is "who owns the data?" There's value to collecting data on spending habits, as we've seen across e-commerce. Are restaurants fully aware of what they are giving away? Schneier, a critic of data mining, points out that it becomes especially invasive through "secondary uses," when the "data is correlated with other data and sold to third parties." For example, perhaps you've entered your name, gender, and age into a taco loyalty app (12th taco free!). Later, the vendors of that app sell your data to other merchants who know where and when you eat, whether you are a vegetarian, and lots of other data that you have accidentally shed. Is that what customers really want?

CryptogramZero-Day Vulnerabilities against Windows in the NSA Tools Released by the Shadow Brokers

In April, the Shadow Brokers -- presumably Russia -- released a batch of Windows exploits from what is presumably the NSA. Included in that release were eight different Windows vulnerabilities. Given a presumed theft date of the data as sometime between 2012 and 2013 -- based on timestamps of the documents and the limited Windows 8 support of the tools:

  • Three were already patched by Microsoft. That is, they were not zero days, and could only be used against unpatched targets. They are EMERALDTHREAD, EDUCATEDSCHOLAR, and ECLIPSEDWING.

  • One was discovered to have been used in the wild and patched in 2014: ESKIMOROLL.

  • Four were only patched when the NSA informed Microsoft about them in early 2017: ETERNALBLUE, ETERNALSYNERGY, ETERNALROMANCE, and ETERNALCHAMPION.

So of the five serious zero-day vulnerabilities against Windows in the NSA's pocket, four were never independently discovered. This isn't new news, but I haven't seen this summary before.

Worse Than FailureError'd: The Things That Should Not Be

"I tried to export my game to HTML5, but I guess it just wasn't meant to be," Edward W. writes.

Tom H. wrote, "I guess the build server never saw that memo."

"I love going out to dinner with my friend null null," writes Adam R., "She never steals any of my food!"

Mike C. wrote, "Sorry JIRA, all the keys on my keyboard are defined."

"You guys! I caught an error! 🎣 🎣" writes Nick.

Hamakei asks, "Never mind who's watching the Watchmen...who helps the helpers?"

Don MartiOnline ads don't matter to P&G

In the news: P&G Cuts More Than $100 Million in ‘Largely Ineffective’ Digital Ads

Not surprising.

Procter & Gamble makes products that help you comply with widely held cleanliness norms.

Digital ads are micro-targeted to you as an individual.

That's the worst possible brand/medium fit. If you don't know that the people who expect you to keep your house or body clean are going to be aware of the same product, how do you know whether to buy it?

Bonus link from Bob Hoffman last year: Will The P&G Story Bring Down Ad Tech? Please?

Planet Linux AustraliaPia Waugh: RegTech – a primer for the uninitiated

Whilst working at AUSTRAC I wrote a brief about RegTech which was quite helpful. I was given permission to blog the generically useful parts of it for general consumption :) Thanks Leanne!

Overview – This brief is the most important thing you will read in planning transformation! Government can’t regulate in the way we have traditionally done. Traditional approaches are too small, too slow and too ineffective. We need to explore new ways to regulate and achieve the goal of a stronger financial sector resistance to abuse that leverages data, automation, machine learning, technology and collaboration. We are here to help!

The key here is to put technology at the heart of the business strategy, rather than as simply an implementation mechanism. By embracing technology thinking, which means getting geeks into the strategy and policy rooms, we can build the foundation of a modern, responsive, agile, proactive and interactive regulator that can properly scale.

The automation of compliance with RegTech has the potential to overcome individual foibles and human error in a way that provides the quantum leap in culture and compliance that our regulators, customers, policy makers and the community are increasingly demanding… The Holy Grail is when we start to actually write regulation and legislation in code. Imagine the productivity gains and compliance savings of instantaneous certified compliance… We are now in one of the most exciting phases in the development of FinTech since the inception of e-banking. (Treasurer Morrison, FinTech Australia Summit, Nov 2016)

On the back of the FinTech boom, there is a growth in companies focused on “RegTech” solutions and services to merge technology and regulation/compliance needs for a more 21st century approach to the problem space. It is seen as a logical next step to the FinTech boom, given the high costs and complexity of regulation in the financial sector, but the implications for the broader regulatory sector are significant. The term only started being widely used in 2015. Other governments have started exploring this space, with the UK Government investing significantly.

Core themes of RegTech can be summarised as: data; automation; security; disruption; and enabling collaboration. There is also an overall drive towards everything being closer to real-time, with new data or information informing models, responses and risk in an ongoing self-adjusting fashion.

  • Data driven regulation – better monitoring, better use of available big and small data holdings to inform modelling and analysis (rather than always asking a human to give new information), assessment on the fly, shared data and modelling, trends and forecasting, data analytics for forward looking projections rather than just retrospective analysis, data driven risk and adaptive modelling, programmatic delivery of regulations (regulation as a platform).
  • Automation – reporting, compliance, risk modelling of transactions to determine what should be reported as “suspicious”, system to system registration and escalation, use of machine learning and AI, a more blended approach to work combining humans and machines.
  • Security – biometrics, customer checks, new approaches to KYC, digital identification and assurance, sharing of identity information for greater validation and integrity checking.
  • Disruptive technologies – blockchain, cloud, machine learning, APIs, cryptography, augmented reality and crypto-currencies just to start!
  • Enabling collaboration – for-profit regulation activities, regulation/compliance services and products built on the back of government rules/systems/data, access to distributed ledgers, distributed risk models and shared data/systems, broader private sector innovation on the back of regulator open data and systems.

Some useful references for the more curious:

,

Cory DoctorowHey, Little Rock, AR: there’s a special stage performance of Little Brother coming your way for Banned Books Week!

Adapted by Josh Costello from the novel by Cory Doctorow
September 15, 16, 22, 23, 24, 28, 29, 30, 2017
Directed by Ryan Whitfield and Jason Green

SYNOPSIS
While skipping school and playing an alternate reality game, San Francisco teenager Marcus Yallow ends up in the middle of a terrorist attack and on the wrong side of the Department of Homeland Security. This play asks “What is the right thing to do when authorities become oppressors?”

CAST
LITTLE BROTHER CAST LIST
Marcus – Jeffrey Oakley
Ange – Kayley Shettles
Jolu – Yusuf Richardson
Daryl – Jack Clay

ENSEMBLE
Severe Haircut – Madison McMichael
Benson/Sutherland – Robert Gatlin
Guard – Essence Robinson
Mom – Isabelle Marchese
Dad – Max Green
Turk/CHP Officer – Braden Hammock
Ms. Galvez – Anais Moore
Charles – Elijah White
Police Officer 1 – Kyndall Jackson
Police Officer 2 – Mia Simone Parker
Trudy Doo – Emily Shull
NPR Announcer – Allison Boggs
Concertgoer – Rachel Worthington
Reporter – Hannah Livingston
Fox Commentator – Katie Rasure
BBC Reporter – Olivia Ward
Pirate Queen – Abigail Harris
On stage light/sound/projection tech – Trenton Gorman, Claire Green

TICKETS & TIMES
$16— Adults
$12— Students & Seniors
Thursday, Friday and Saturday night curtain time is 7:30 pm.
Sunday afternoon curtain time is 2:30 pm.

The Box Office and the theater open one (1) hour prior to curtain.
The House opens 30 minutes prior to curtain.
Please arrive promptly. There will be no late admission.

TEDAnonymous ideas worth spreading — and the surprising discoveries behind their curation

The intimacy of listening: Producer Cloe Shasha shares what she and her team learned while producing TED and Audible’s original audio series “Sincerely, X.”

In the spring of 2016, we put out a call for submissions for anonymous talks from around the world for the first season of our new podcast, Sincerely, X. We received hundreds of ideas — stories touching on a broad range of topics. As we read through them, we found ourselves flooded by tragedy, comedy, intrigue and surprise. Stories of victims of abuse, struggles with mental health, lessons from prison, insider secrets within companies and governmental organizations, and so much more.

>> Sincerely, X was co-produced with Audible. Episode 1, “Dr. Burnout,” is available now on Apple Podcasts and the TED Android app. <<

The premise of the podcast Sincerely, X felt simple at first: sharing important ideas, anonymously. The episodes would include speakers who need to separate their professional ideas from their personal lives; those who want to share an idea, but fear it would hurt someone in their family if they did so publicly; and quiet idealists whose solutions could transform lives. Why anonymous? Our theory was that inviting people to share ideas without having to reveal their identity might allow for an entirely new category of talks.

We dove into this pool of submissions to figure out who would make a great speaker for the show, and started interviewing people by phone. We were looking for compelling stories that had a strong need for anonymity while also considering them through the lens that we use for TED Talk submissions. In other words, did each story have an idea worth spreading?

Throughout the process of creating Sincerely, X season 1, we realized that we had to think about these talks quite differently from TED Talks on a stage, and we adapted along the way.

Signposting in an audio talk

When you’re watching a speaker on a stage, context and sentiment are communicated through the speaker’s body language, facial expressions and images (if they have slides). In audio, with only one of our senses engaged, a lot more information has to be transmitted through a speaker’s voice alone.

This came up when we worked with the speaker in episode 2, “Pepper Spray.” It’s the story of a woman who lived a normal-seeming life — until one day she lashed out in a department store and began pepper-spraying strangers. There are a lot of details that she shares about her life in that episode — both before and after the pepper spray incident. If she were telling this story on a stage, the audience would experience visual cues that would indicate whether she were reflecting on the far past versus the recent past, or whether she felt shameful or justified in her actions. (Watch a TED Talk with the sound off sometime, and you’ll be surprised at how much context you can pick up!) But when we shared the audio with colleagues for their feedback, they were at times confused by the sequence of events in the story. So we worked with the speaker to help her find places to include signposting sentences such as, “But I want to come back to the hero of the story.” In other words, phrases that could ground the listener in what’s about to come.  

The intimacy of listening

In the same way that hearing a ghost story around a campfire conjures up scary visualizations, hearing a difficult story on a podcast can build intense images in your mind. Drawing the line between deeply moving content and manipulative content can be tricky and nuanced.

In the case of some Sincerely, X episodes, a few of the early drafts of talks contained details that felt disturbingly intimate — details that might have packed an emotional punch from the distance of a stage, but that felt too intimate coming out of earbuds. We had to learn how to mitigate that intensity by listening to the content and getting feedback from early screeners who shared honest reactions.

This was a relevant dynamic for several of our speakers, including our speaker in episode 6, “Rescued by Ritual.” This speaker talks about a private ritual she invented in order to cope with the horror of her abusive marriage before she left her ex-husband. In the earliest draft, in order to provide context for the purpose of her ritual, the leadup to the reenactment of the ritual involved details that were difficult to hear for some early listeners. So we worked with the speaker to figure out which details she felt were most needed in order to paint an accurate picture of that time in her life.

To read or to memorize?

When it comes to our TED speakers on the stage, we typically encourage two ways of preparing for a talk: either memorizing their content so thoroughly that they can recite it seamlessly while standing on one foot with the television blaring, or memorizing an outline and riffing off that rehearsed structure once onstage. As Chris Anderson says, partially memorizing a talk produces an “uncanny valley” effect — a seemingly robotic or artificial performance. It’s hard to appear authentic while devoting a fair amount of energy to the process of recall. So if someone is not a great memorizer, we encourage improvising the sentences based on a solid outline of the concepts. Both of these forms of preparation are aimed at fostering an authentic delivery from the speaker, which cultivates a powerful connection between the speaker and the audience.

In the context of Sincerely, X, we thought about how to foster that authentic delivery, and considered that preparing speakers to read their talks might be a lower-stress way to record speakers in the studio. But it soon became clear that unless a speaker had acting experience, reading a talk sounded like… reading. So we experimented with having speakers memorize their talks extremely thoroughly before coming into the studio. And this worked for some speakers; when we recorded the speaker in episode 1, “Dr. Burnout,” she delivered her talk beautifully once she had fully committed it to memory.

Sincerely, X was co-produced by TED and Audible. The team was led by executive producers Collin Campbell, Deron Triff and June Cohen (who is also the host). Episode 1, “Dr. Burnout,” is available now on Apple Podcasts and the TED Android app. We’ll be releasing new episodes every Thursday for the next ten weeks.

Planet Linux AustraliaLinux Users of Victoria (LUV) Announce: LUV Beginners August Meeting: TBD

Aug 26 2017, 12:30 to 16:30
Location: 
Infoxchange, 33 Elizabeth St. Richmond

Workshop to be announced.

There will also be the usual casual hands-on workshop, Linux installation, configuration and assistance and advice. Bring your laptop if you need help with a particular issue. This will now occur BEFORE the talks from 12:30 to 14:00. The talks will commence at 14:00 (2pm) so there is time for people to have lunch nearby.

The meeting will be held at Infoxchange, 33 Elizabeth St. Richmond 3121 (enter via the garage on Jonas St.) Late arrivals, please call (0421) 775 358 for access to the venue.

LUV would like to acknowledge Infoxchange for the venue.

Linux Users of Victoria Inc., is an incorporated association, registration number A0040056C.

Planet Linux AustraliaLinux Users of Victoria (LUV) Announce: LUV Main August 2017 Meeting

Aug 1 2017, 18:30 to 20:30
Location: 
The Dan O'Connell Hotel, 225 Canning Street, Carlton VIC 3053

Tuesday, August 1, 2017, 6:30 PM to 8:30 PM

Speakers:

  • Tony Cree, CEO Aboriginal Literacy Foundation (to be confirmed)
  • Russell Coker, QEMU and ARM on AMD64

Russell Coker will demonstrate how to use QEMU to run software for ARM CPUs on an x86 family CPU.

Food and drinks will be available on premises.

Before and/or after each meeting those who are interested are welcome to join other members for dinner.

Linux Users of Victoria Inc., is an incorporated association, registration number A0040056C.


CryptogramFiring a Locked Smart Gun

The Armatix IP1 "smart gun" can only be fired by someone who is wearing a special watch. Unfortunately, this security measure is easily hackable.

Krebs on SecurityGas Pump Skimmer Sends Card Data Via Text

Skimming devices that crooks install inside fuel station gas pumps frequently rely on an embedded Bluetooth component allowing thieves to collect stolen credit card data from the pumps wirelessly with any mobile device. The downside of this approach is that Bluetooth-based skimmers can be detected by anyone else with a mobile device. Now, investigators in New York say they are starting to see pump skimmers that use cannibalized cell phone components to send stolen card data via text message.

Skimmers that transmit stolen card data wirelessly via GSM text messages and other mobile-based communications methods are not new; they have been present — if not prevalent — in ATM skimming devices for ages.

But this is the first instance KrebsOnSecurity is aware of in which such SMS skimmers have been found inside gas pumps, and that matches the experience of several states hardest hit by pump skimming activity.

The beauty of the GSM-based skimmer is that it can transmit stolen card data wirelessly via text message, meaning thieves can receive real-time transmissions of the card data anywhere in the world — never needing to return to the scene of the crime. That data can then be turned into counterfeit physical copies of the cards.

Here’s a look at a new skimmer pulled from compromised gas pumps at three different filling stations in New York this month. Like other pump skimmers, this device was hooked up to the pump’s internal power, allowing it to operate indefinitely without relying on batteries.

A GSM-based card skimmer found embedded in a gas pump in the northeastern United States.

It may be difficult to see from the picture above, but the skimmer includes a GSM-based device with a SIM card produced by cellular operator T-Mobile. The image below shows the other side of the pump skimmer, with the SIM card visible in the upper right corner of the circuitboard:

The reverse side of this GSM-based pump skimmer shows a SIM card from T-Mobile.

It’s not clear what type of mobile device was used in this skimmer, and the police officer who shared these images with KrebsOnSecurity said the forensic analysis of the device was ongoing.

Here’s a close-up of the area around the SIM card:

The officer, who shared these photos on condition of anonymity, said this was thought to be the first time fraud investigators in New York had ever encountered a GSM-based pump skimmer.

Skimmers used at all three New York filling stations impacted by the scheme included T-Mobile SIM cards, but the investigator said analysis so far showed the cards held no data other than the SIM card's unique serial number (ICCID).

KrebsOnSecurity reached out to weights and measures officials in several states most heavily hit by pump skimming activity, including Arizona, California and Florida.

Officials in all three states said they’ve yet to find a GSM-based skimmer attached to any of their pumps.

Skimmers at the pump are most often the work of organized crime rings that traffic in everything from stolen credit and debit cards to the wholesale theft and commercial resale of fuel — in some cases from (and back to) the very fuel stations that have been compromised with the gang’s skimming devices.

Investigators say skimming gangs typically gain access to station pumps by using a handful of master keys that still open a great many pumps in use today. In a common scenario, one person will distract the station attendant as fuel thieves pull up alongside the pump in a van with doors that obscure the machine on both sides. For an in-depth look at the work on one fuel-theft gang working out of San Diego, check out this piece.

There are generally no outward signs when a pump has been compromised by a skimmer, but a study KrebsOnSecurity published last year about a surge in pump skimming activity in Arizona suggests that skimmer gangs can spot the signs of a good mark.

Fraud patterns show fuel theft gangs tend to target stations that are close to major highway arteries; those with older pumps; and those without security cameras, and/or a regular schedule for inspecting security tape placed on the pumps.

Many filling stations are upgrading their pumps to include more physical security — such as custom locks and security cameras. In addition, newer pumps can accommodate more secure chip-based payment cards that are already in use by all other G20 nations.

But these upgrades are disruptive and expensive, and some stations are taking advantage of recent moves by Visa to delay adding much-needed security improvements, such as chip-capable readers.

Until late 2016, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Under previous Visa rules, station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks and consumers eat most of the fraud costs from fuel skimming).

But in December 2016, Visa delayed the requirements, saying fuel station owners would now have until October 1, 2020 to meet the liability shift deadline.

The best advice one can give to avoid pump skimmers is to frequent stations that appear to place an emphasis on physical security. More importantly, some pump skimming devices are capable of stealing debit card PINs as well, so it's a good idea to avoid paying with a debit card at the pump.

Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Worse Than FailureTable 12

We've all encountered database tables that look like this:

  ID    Data
  ----- --------------------------------------------
  00001 TRUE, FALSE, FILE_NOT_FOUND
  00002 MALE|FEMALE|TRANS|EUNUCH|OTHER|M|Q|female|Female|male|Male|$
  00003 <?xml version="1.0" encoding="UTF-8"?><item id="1234"><name "Widget"/>...</item>
  00004 1234|Fred,Lena,Dana||||||||||||1.3DEp42|

Oh the joy of figuring out what each field of each row represents. The fun of deciphering the code that writes and reads/parses each row of data. In a moment, you will fondly look back on that experience as the Good-Old-Days.

The task of administering elections in the Great White North is handled by the appropriately-named agency Elections Canada. As part of their mandate, they provide the results of past elections in granular detail, both as nicely formatted web pages and as downloadable raw files. The latter are meant to be used by researchers for studying how turnout varies across provinces, ages, races, etc., as well as arguing about the merits of proportional representation versus single transferable votes; and so forth.

One of the more comprehensive data files is descriptively known as Table-Twelve, and it contains a record for every candidate who ran in the election. Each record contains how many votes they got, the riding (electoral district) in which they competed, their affiliated party, home town, occupation, and hundreds of other details about the candidate. This file has been published for every election since the 38th general in 2004. Vicki was charged with creating a new parser for this data.

Table-Twelve is a CSV file in the same way that managers describe their new agile process as <details of waterfall here>. While parsing a CSV file in general is no big deal, writing a function to parse this data was far harder than she expected. For one thing, the column titles change from year to year. One might think Who cares, as long as the data is in the same sequence. One would be wrong. As an example, depending upon the year, the identifier for the electoral district might be in a column named "Electoral District Name", "Electoral District" or "District", and might contain a string representing the district name, or a numeric district identifier, either of which may or may not be enclosed in single or double quotes. Just to make it interesting, some of the quoted strings have commas, and some of the numbers are commafied as well.

Further inspection revealed that the columns are not only inconsistently named, but named so as to be completely misleading. There's a column labeled "Majority". If you're thinking that it contains a boolean to indicate whether the candidate got a majority, or 50%+1 of the number of cast votes (i.e.: "How many votes do you need for a majority?"), you'd be mistaken. Nor is it even a slight misuse (where it should have been "Plurality"). Instead, it's the delta between the winning candidate and the second-place candidate in that riding. They also helpfully give you the quotient of this delta to the total cast votes as the "Majority Percentage".

Canada has a parliamentary system; it's also important to know how many candidates of each party won, so the party designation is obviously going to be easy to access, right? Or maybe you'd like to sort by surname? Well, it turns out that the party is appended to the field containing the candidate's name, delimited with a single space (and possibly an asterisk if they were incumbent). But the candidate's name and the party are already each a variable number of words (some have middle names or two surnames) delimited by single spaces. The party name, however, must be given in both English and French, separated by a forward slash. Of course, some parties already have a slash in their name! Oh, and if the candidate didn't run as a member of a party, they might be listed as "Independent" or as "No affiliation"; both are used in any given file.

Above and beyond the call of making something difficult to parse, the files are full of French accented text, so the encoding changes from file to file, here ISO-8859, there UTF-8, over there a BOM or two.
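The parsing problems listed above (header names that drift between years, a district column that is sometimes a quoted name and sometimes a commafied number, candidate and party crammed into one space-delimited field, and per-file encodings with or without a BOM) are all handled in the parser below. It is an added example written for this page, not Vicki's code and not anything published by Elections Canada; the two inline files are constructed samples, the column aliases and the party strings are assumptions chosen to exercise the edge cases, and the asterisk is assumed to sit between the name and the party.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample files (not real Elections Canada data). One is ISO-8859-1
# with comma delimiters and a quoted district name; the other is UTF-8 with a
# BOM, semicolon delimiters and a numeric district identifier.
FILE_2004 = (
    "Electoral District Name,Candidate,Majority,Majority Percentage,Votes Obtained\n"
    "\"Ottawa Centre\",John Smith Liberal/Libéral,1234,5.4,\"23,456\"\n"
    "\"Ottawa Centre\",Jane Doe * Conservative/Conservateur,1234,5.4,22222\n"
).encode("iso-8859-1")
FILE_2015 = (
    "\ufeffDistrict;Candidate;Majority;Majority Percentage;Votes Obtained\n"
    "35076;Marie-Claire St-Pierre Bloc Québécois/Bloc Québécois;\"2,001\";12.1;\"9,876\"\n"
    "35076;Alex Kim Independent;\"2,001\";12.1;\"7,875\"\n"
).encode("utf-8")

# Header aliases seen across years (assumed list; normalised to lowercase).
DISTRICT_COLUMNS = {"electoral district name", "electoral district", "district"}
CANDIDATE_COLUMNS = {"candidate"}

# Bilingual party strings exactly as they appear in the candidate field. Matching
# the party as a known suffix is what copes with multi-word party names and with
# party names that themselves contain a slash. Illustrative list, not exhaustive.
KNOWN_PARTIES = [
    "Liberal/Libéral",
    "Conservative/Conservateur",
    "Bloc Québécois/Bloc Québécois",
    "Marxist-Leninist/Marxiste-Léniniste",
]
NO_PARTY = {"Independent", "No affiliation"}


@dataclass
class Candidate:
    district: Union[int, str]
    name: str
    party: Optional[str]   # None for Independent / No affiliation
    incumbent: bool
    majority: int          # vote delta between first and second place (the file's "Majority")
    majority_pct: float


def decode_bytes(raw: bytes) -> str:
    """Strip a UTF-8 BOM if present; fall back to ISO-8859-1 for older files."""
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1")


def parse_number(text: str) -> Union[int, float]:
    """'\"23,456\"' -> 23456 and '5.4' -> 5.4: quotes and thousands separators removed."""
    cleaned = text.strip().strip("\"'").replace(",", "")
    return float(cleaned) if "." in cleaned else int(cleaned)


def split_candidate(field: str):
    """Return (name, party_or_None, incumbent) from 'First Last [*] Party/Parti'."""
    tokens = field.split()
    incumbent = "*" in tokens
    text = " ".join(t for t in tokens if t != "*")
    for party in sorted(KNOWN_PARTIES, key=len, reverse=True):  # longest match first
        if text.endswith(" " + party):
            return text[: -len(party) - 1], party, incumbent
    for label in NO_PARTY:
        if text.endswith(" " + label):
            return text[: -len(label) - 1], None, incumbent
    # Last resort for an unlisted party: the final token containing a slash.
    m = re.match(r"^(?P<name>.+?)\s+(?P<party>\S+/\S+)$", text)
    if m:
        return m.group("name"), m.group("party"), incumbent
    raise ValueError(f"cannot split candidate/party: {field!r}")


def parse_table12(raw: bytes) -> List[Candidate]:
    text = decode_bytes(raw)
    header = text.splitlines()[0]
    delimiter = ";" if header.count(";") > header.count(",") else ","
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    # normalised header name -> header name as the reader knows it
    columns = {name.strip().strip('"').lower(): name for name in reader.fieldnames}
    district_col = next(columns[c] for c in columns if c in DISTRICT_COLUMNS)
    candidate_col = next(columns[c] for c in columns if c in CANDIDATE_COLUMNS)
    rows = []
    for row in reader:
        district_raw = row[district_col].strip().strip("\"'")
        # numeric identifier (possibly commafied) or a district name
        district = parse_number(district_raw) if re.fullmatch(r"[\d,]+", district_raw) else district_raw
        name, party, incumbent = split_candidate(row[candidate_col].strip().strip("\"'"))
        rows.append(Candidate(
            district=district, name=name, party=party, incumbent=incumbent,
            majority=int(parse_number(row[columns["majority"]])),
            majority_pct=float(parse_number(row[columns["majority percentage"]])),
        ))
    return rows


if __name__ == "__main__":
    for sample in (FILE_2004, FILE_2015):
        for c in parse_table12(sample):
            print(c)
```

The csv module already handles commas inside quoted fields, so the work is in the layers around it: deciding the encoding and delimiter per file, resolving header aliases once per file instead of per row, and peeling the party off the candidate field by suffix rather than by splitting on spaces or on the first slash. Anything that does not match a known party falls through to a narrow regex and, failing that, raises rather than silently mis-assigning a party.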

Don't get me wrong, I've written parsers for this sort of garbage by creating a bunch of routines to do trivial parsing and using them for larger logical parsers, and so on until you can parse all of the fields in an entire row, and all the special cases that spew forth. But the files they were supposed to parse were consistent from one day to the next.

Vicki is considering pulling out all of her hair, braiding it together and using it to hang the person who designed Table-Twelve.


Rondam RamblingsThe definition of dishonorable

Donald Trump during the campaign: Donald Trump in office: I wonder if he even knows what the T in LGBT stands for. The bigotry and ignorance behind this decision are truly staggering.  The implication that a transgender person imposes "tremendous medical costs and disruption" which impedes "decisive and overwhelming victory" when they serve "in any capacity" (emphasis mine) is

LongNowWhy Do Some Forms of Knowledge Go Extinct?

The History of Art and Architecture slide library at Trinity College, Dublin. Via the Department of Ultimology.


Fiona Hallinan is an artist and researcher based at Trinity College, Dublin. She’s co-founder of a project along with curator Kate Strain called the Department of Ultimology. Ultimology is the study of that which is dead or dying in a series or process. When applied to academic disciplines, it becomes the study of extinct or endangered subjects, theories, and tools of learning. Long Now recently spoke with Hallinan when she visited The Interval. What follows is a transcript of our conversation, edited for length and clarity.

LONG NOW: What was the inspiration for a department studying extinct or endangered subjects and theories?

Fiona Hallinan: It began back when Kate and I were both alumni of the History of Art and Architecture Department at Trinity University College, Dublin. We learned everything we studied from a rather limited slide library. And we were speculating how in the last ten years those slides probably had been digitized, and students now probably had access to an infinite number of images compared to our limited selection. We wondered how that had impacted how people learned the discipline, and therefore how that had actually evolved the discipline of art history itself. So we came up with an idea for a department within the university that would examine all the other disciplines and departments from that perspective.

Via the Department of Ultimology.


We had encountered the term “ultimology” in the context of the study of endangered languages and thought that that could be expanded to become a general discipline across the university that looked at that which was dead or dying. In 02014 we applied for and won the Trinity Creative Challenge, which was a provost’s award for artistic projects that would explore the university and present the knowledge being produced there to the general public. We spent the next year conducting interviews with different heads of departments and disciplines about what was ultimological in their disciplines. Based off of our findings, we organized the First International Conference of Ultimology, a public event that presented a mix of artistic commissions, presentations and real academic papers. Through that we were invited to be hosted as the Department of Ultimology in residence at CONNECT, which is the center for future networks at Trinity.

LN: What is your methodology when approaching a given academic discipline? Are you reaching out to specific fields and subjects that you suspect as having ultimological potential?

FH: At the beginning we just wanted to get as wide a scope as possible; we had a particular narrative that we expected to encounter, namely, that there was an increasing commercialization of the university because certain disciplines could receive funding that perhaps other modes of knowledge production could not on account of phasing out of interest and activity. We thought that a subject like, say, medieval architecture might be virtually impossible to get funding for nowadays versus something like computational linguistics. And as a result, this was causing a shift or change in the structure of the university.

“The Illusion of Infinite Resources,” by the Department of Ultimology.


While we did find that that was true to an extent, we also found that as a term, “ultimology” was really exciting for lots of the academics that we spoke to, and there was a sense of relief that finally there was somewhere they could put all of this endangered or extinct knowledge. Often, we would go into a meeting and people would be prepared with heaps of examples, whereas other times people would be interested but say that ultimology wasn’t really that relevant to their discipline, only to realize through inquiry that it was.

One example of that was in Trinity’s Department of Psychology, where the department head, Dr. Jean Quigley, said that psychology didn’t really have anything ultimological because ideas and tools were added all the time instead of being taken away. We asked her for an example of something that had been recently added, and she described the concept of personality. From that, we asked what the set of qualities we call “personality” would have been described as before. And she said that people would have spoken about the soul. So from that conversation we started to think about different methodologies, and we described that methodology as negative space—the space that the concept would have occupied before.

A second methodology we developed was the idea of ultimology as a service. We hold clinics where academics come to us and speak to us, and the ultimological becomes a service akin to therapy where people can get things off their chest or they can talk about their research papers that didn’t go anywhere. It becomes a repository for the burden of the recent past.

Another methodology we began to utilize was the idea of embodiment, where we embody the Department of Ultimology through commissioning artists to make us the accessories or trappings of a real department, like bureaucratic forms.

Lanyards designed by Dennis McNulty for the First International Conference of Ultimology. Via the Department of Ultimology.


For our conference, we found a company in Dublin that had a hundred remaining lanyards with mobile phone loops on them, which would have been used in the pre-smartphone age. We commissioned an artist, Dennis McNulty, to riff on these lanyards with a poetic piece of text on them about the designer of the iPhone. The lanyard itself looked like an iPhone. And so there was this potential in an object like a lanyard that connoted a certain context and space of knowledge production, and I think there’s scope there to work with artists to consider those objects and what they mean and what their associations are for us. The bureaucratic questionnaire fulfills a similar function: it asks what research is, and talks about the idea of a person’s practice. While it looks very bureaucratic, its purpose is to get people to go deeply into reflecting on what they actually do.

The performativity of being a “department” is essential. By doing it, it becomes real. While the Department of Ultimology is technically an art project, it’s not about just a specific outcome or a specific object coming out of it; it’s more about using an artistic process to re-evaluate everything critically.

LN: What role does nostalgia play in the Department of Ultimology? Do the academics you interview bemoan a lost discipline or practice?  

FH: We try to be careful to avoid nostalgia, to avoid people being sad for something just because of a kind of fondness for it. While I’m not against nostalgia personally, I think it’s less interesting to fetishize the past, and more interesting to look at how these things actually affect the future.

Glassware blown by Trinity’s resident glassblower John Kelly.


For example, we met with Dr. Sylvia Draper, Head of the School of Chemistry at Trinity, and asked her what had changed in the discipline of Chemistry. She spoke about how glassware used to be an essential part of research. If you were a student of chemistry, you might actually design a piece of glassware that goes with your research. Draper told us that Trinity College had a glassblowing workshop on site with a glassblower named John Kelly, but that he was going to retire in two years and would not be replaced. It ties back to the commercialization of the university: the reason he’s not being replaced is because he’s salaried and a salaried employee is a high cost for the university. And so he and his work become expendable because in theory the department can just bring in cheaper, standard glassware from abroad.

However, if you’re a student and you’re planning your experiment and it requires an intricate, strange, unique piece of glass, it might now be much more expensive for you to get it, which might impact how you look at your research. You might be less willing or able to do something weirder, essentially. I picture it like these tiny little cracks that maybe can’t be explored in a discipline as people are funnelled down into a more particular standard route.

John Kelly at work in his lab at Trinity College, Dublin. Via the Department of Ultimology.


So while there’s a sense of nostalgia thinking about John Kelly in his lab and his beautiful glassware, it’s less about trying to preserve what he’s doing for the sake of it; there’s an actual reason behind it that’s important to know about. It’s also very short-term thinking. Say his salary is 50,000 Euro a year, and a piece of special glassware costs 1,000 Euro to ship in. It’s really quickly not going to add up, and is a short-sighted view of saving money now without much thought to the future.

LN: Looking to the future, what’s next for the Department of Ultimology?

Kate Strain and Fiona Hallinan, founders of the Department of Ultimology.


FH: We’re hoping to publish a journal in December. We’re treating the journey of making it all as part of the project as well. So it won’t be a roll-out of a finished product, and I think that we might think of the field of peer review as potential for a public event.

Ultimately, we would like to start a Department of Ultimology in every time zone. We say “time zones” because  it’s a way of dividing the world that is perhaps more timeless than countries or nation-states. There’s an instability to those, particularly at the moment, whereas time zones have a celestial, larger-than-us quality.

Keep up with the Department of Ultimology by heading to its website or following it on Twitter.

Worse Than FailureCodeSOD: The Nuclear Option

About a decade ago, Gerald worked at a European nuclear plant. There was a “minor” issue where a controller connected to a high-voltage power supply would start missing out on status messages. “Minor”, because it didn’t really pose a risk to life and limb- but still, any malfunction with a controller attached to a high-voltage power supply in a nuclear power plant needs to be addressed.

So Gerald went off and got the code. It was on a file share, in a file called final.zip. Or, wait, was it in the file called real-final.zip? Or installed.zip? Or, finalnew.zip?

It took a few tries, but eventually he picked out the correct one. To his surprise, in addition to the .c and .h files he expected to see, there was also a mysterious .xls. And that’s where things went bad.

Pause for a moment to consider a problem: you receive a byte containing a set of flags to represent an error code. So, you need to check each individual bit to understand what the exact error is. At this point, you’re probably reaching for a bitshift operator, because that’s the easiest way to do it.

I want you to imagine, for a moment, however, that you don’t really know C, or bitwise operations, or even what a bit is. Instead, you know two things: that there are 255 possible error codes, and how to use Excel. With those gaps in knowledge, you might, perhaps, just manually write an Excel spreadsheet with every possible option, using Excel's range-drag operation to fill in the columns with easily predictable values. You might do this for 254 rows of data. As a note, a byte has 256 possible values (0 through 255), so guess what was causing the error?
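The two approaches side by side, as an added example that is not part of the original story or the plant's code: a decoder that reads the eight flags with shifts and masks and rejects anything outside a byte, and a reconstruction of the spreadsheet-generated table that stops short of the full range, with a check that reports which status bytes fall through every `if` without setting anything. The flag names a..h mirror the snippet below; their meaning and the 254-row cut-off are taken from the story, everything else is assumed.

```python
# Flag name for bit 0 .. bit 7, in the order the generated if-chain assigns a..h.
FLAG_NAMES = ("a", "b", "c", "d", "e", "f", "g", "h")


def decode_flags(value: int) -> dict:
    """Decode an 8-bit status byte into {flag_name: 0|1} using shift-and-mask.

    Out-of-range input raises instead of silently matching nothing, which is
    the failure mode of the hand-written lookup: a status the table never
    listed leaves every flag untouched and the caller none the wiser.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError(f"status byte out of range: {value}")
    return {name: (value >> bit) & 1 for bit, name in enumerate(FLAG_NAMES)}


def encode_flags(flags: dict) -> int:
    """Inverse of decode_flags, used below to confirm the decoder is lossless."""
    return sum(1 << bit for bit, name in enumerate(FLAG_NAMES) if flags.get(name))


def spreadsheet_table(rows: int) -> dict:
    """Rebuild the Excel-style table: one explicit entry per value, 0 .. rows-1.

    This stands in for the 'if (variable == N) { a=..; ...; h=..; }' chain; a
    table built by dragging a range down 254 rows covers 0..253 only.
    """
    return {v: decode_flags(v) for v in range(rows)}


def table_lookup(table: dict, value: int):
    """What the if-chain does at runtime: None when no branch matched."""
    return table.get(value)


def uncovered_values(table: dict) -> list:
    """Status bytes a byte can carry that the table has no entry for."""
    return [v for v in range(256) if v not in table]


if __name__ == "__main__":
    table = spreadsheet_table(254)                # the story's 254 hand-typed rows
    print("unhandled status bytes:", uncovered_values(table))   # [254, 255]
    print("decode 65:", decode_flags(65))         # a=1, g=1, rest 0
    assert all(encode_flags(decode_flags(v)) == v for v in range(256))
```

In C the decoder is the one-liner `(value >> bit) & 1` per flag, or `value & (1u << bit)`; the point of the `uncovered_values` check is that an exhaustive table has to be verified against the full domain of the input type, which is exactly the step the spreadsheet author skipped.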

if (variable==   0       ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   1       ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   2       ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   3       ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   4       ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   5       ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   6       ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   7       ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   8       ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   9       ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   10      ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   11      ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   12      ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   13      ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   14      ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   15      ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   16      ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   17      ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   18      ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   19      ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   20      ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   21      ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   22      ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   23      ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   24      ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   25      ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   26      ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   27      ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   28      ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   29      ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   30      ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   31      ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     0       ;}
if (variable==   32      ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   33      ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   34      ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   35      ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   36      ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   37      ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   38      ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   39      ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   40      ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   41      ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   42      ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   43      ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   44      ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   45      ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   46      ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   47      ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   48      ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   49      ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   50      ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   51      ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   52      ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   53      ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   54      ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   55      ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   56      ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   57      ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   58      ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   59      ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   60      ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   61      ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   62      ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   63      ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     0       ;}
if (variable==   64      ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   65      ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   66      ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   67      ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   68      ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   69      ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   70      ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   71      ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   72      ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   73      ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   74      ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   75      ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   76      ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   77      ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   78      ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   79      ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   80      ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   81      ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   82      ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   83      ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   84      ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   85      ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   86      ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   87      ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   88      ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   89      ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   90      ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   91      ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   92      ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   93      ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   94      ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   95      ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     0       ;}
if (variable==   96      ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   97      ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   98      ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   99      ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   100     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   101     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   102     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   103     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   104     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   105     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   106     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   107     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   108     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   109     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   110     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   111     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   112     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   113     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   114     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   115     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   116     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   117     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   118     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   119     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   120     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   121     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   122     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   123     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   124     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   125     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   126     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   127     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     0       ;}
if (variable==   128     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   129     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   130     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   131     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   132     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   133     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   134     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   135     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   136     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   137     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   138     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   139     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   140     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   141     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   142     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   143     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   144     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   145     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   146     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   147     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   148     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   149     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   150     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   151     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   152     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   153     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   154     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   155     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   156     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   157     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   158     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   159     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     0       ;h=     1       ;}
if (variable==   160     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   161     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   162     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   163     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   164     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   165     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   166     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   167     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   168     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   169     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   170     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   171     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   172     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   173     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   174     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   175     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   176     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   177     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   178     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   179     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   180     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   181     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   182     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   183     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   184     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   185     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   186     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   187     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   188     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   189     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   190     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   191     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     0       ;h=     1       ;}
if (variable==   192     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   193     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   194     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   195     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   196     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   197     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   198     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   199     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   200     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   201     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   202     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   203     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   204     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   205     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   206     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   207     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   208     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   209     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   210     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   211     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   212     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   213     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   214     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   215     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   216     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   217     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   218     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   219     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   220     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   221     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   222     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   223     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     0       ;g=     1       ;h=     1       ;}
if (variable==   224     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   225     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   226     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   227     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   228     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   229     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   230     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   231     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   232     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   233     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   234     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   235     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   236     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   237     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   238     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   239     ) {     a=      1       ; b=    1       ; c=    1       ; d=    1       ;e=      0       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   240     ) {     a=      0       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   241     ) {     a=      1       ; b=    0       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   242     ) {     a=      0       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   243     ) {     a=      1       ; b=    1       ; c=    0       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   244     ) {     a=      0       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   245     ) {     a=      1       ; b=    0       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   246     ) {     a=      0       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   247     ) {     a=      1       ; b=    1       ; c=    1       ; d=    0       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   248     ) {     a=      0       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   249     ) {     a=      1       ; b=    0       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   250     ) {     a=      0       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   251     ) {     a=      1       ; b=    1       ; c=    0       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   252     ) {     a=      0       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   253     ) {     a=      1       ; b=    0       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}
if (variable==   254     ) {     a=      0       ; b=    1       ; c=    1       ; d=    1       ;e=      1       ;f=     1       ;g=     1       ;h=     1       ;}

Don Marti: Incentivizing production of information goods

Just thinking about approaches to incentivizing production of information goods, and where futures markets might fit in.

Artificial property

Article 1, Section 8, of the US Constitution still covers this one best.

To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;

We know about the problems with this one. It encourages all kinds of rent-seeking and freedom-menacing behavior by the holders of property interests in information. And the transaction costs are too high to incentivize the production of some useful kinds of information.

Commoditize the complement

Joel Spolsky explained it best, in Strategy Letter V. Smart companies try to commoditize their products’ complements. (See also: the list of business models in the Some Easily Rebutted Objections to GNU's Goals section of the GNU Manifesto)

This one has been shown to work for some categories of information goods but not others. (We have Free world-class browsers and OS kernels because search engines and hardware are complements. We don't have free world-class software in categories such as CAD.)

Signaling

Release a free information good as a way to signal competence in performing a service, or at least a large investment by the author in persuading others that the author is competent. Works at the level of the individual labor market and in consulting. Don't know if this works in other areas.

Game and market mechanisms

With "gamified crowdsourcing", contributors take on very small tasks and earn play rewards, at very low transaction costs.

Common Voice

Higher transaction costs are associated with "crowdfunding" which sounds similar but requires more collaboration and administration.

In the middle, between crowdsourcing and crowdfunding, is a niche for a mechanism with lower transaction costs than crowdfunding but more rewards than crowdsourcing.

By using the existing bug tracker to resolve contracts, a bug futures market keeps transaction costs low. By connecting to an existing cryptocurrency, a bug futures market enables a kind of reward that is more liquid and transferable among projects.

We don't know how wide the bug futures niche is. Is it a tiny space between increasingly complex tasks that can be resolved by crowdsourcing and increasingly finer-grained crowdfunding campaigns?

Or are bug futures capable of achieving low enough transaction costs to be an attractive incentivization mechanism for a lot of tasks that go into a variety of information goods?

Don Marti: Got a reply from Twitter

I thought it would be fun to try Twitter ads, and, not surprisingly, I started getting fake followers pretty quickly after I started a Twitter follower campaign.

Since I'm paying nine cents a head for these followers, I don't want to get ripped off. So naturally I put in a support ticket to Twitter, and just heard back.

Thanks for writing in about the quality of followers and engagements. One of the advantages of the Twitter Ads platform is that any RTs of your promoted ads are sent to the retweeting account's followers as an organic tweet. Any engagements that result are not charged, however followers gained may not align with the original campaign's targeting criteria. These earned followers or engagements do show in the campaign dashboard and are used to calculate cost per engagement, however you are not charged for them directly.

Twitter also passes all promoted engagements through a filtering mechanism to avoid charging advertisers for any low-quality or invalid engagements. These filters run on a set schedule so the engagements may show in the campaign dashboard, but will be deducted from the amount outstanding and will not be charged to your credit card.

If you have any further questions, please don't hesitate to reply.

That's pretty dense San Francisco speak, so let me see if I can translate to the equivalent for a normal product.

Hey, what are these rat turds doing in my raisin bran?

Thanks for writing in about the quality of your raisin bran eating experience. One of the advantages of the raisin bran platform is that during the production process, your raisin bran is made available to our rodent partners as an organic asset.

I paid for raisin bran, so why are you selling me raisin-plus-rat-turds bran?

Any ingredients that result from rodent engagement are not charged, however ingredients gained may not align with your original raisin-eating criteria.

Can I have my money back?

We pass all raisin bran sales through a filtering mechanism to avoid charging you for invalid ingredients. The total weight of the product, as printed on the box, includes these ingredients, but the weight of invalid ingredients will be deducted from the amount charged to your credit card.

So how can I tell which rat turds are "organic" so I'm not paying for them, and which are the ones that you just didn't catch and are charging me for?

(?)

Buying Twitter followers: Fiverr or Twitter?

On Fiverr, Twitter followers are about half a cent each ($5/1000). On Twitter, I'm getting followers for about 9 cents each. The Twitter price is about 18x the Fiverr price.

But every follower that someone else buys on Fiverr has to be "aged" and disguised in order to look realistic enough not to get banned. The bot-herders have to follow legit follower campaigns such as mine and not just their paying customers.

If Twitter is selling those "follow" actions to me for nine cents each, and the bot-herder is only making half a cent, how is Twitter not making more from bogus Twitter followers than the bot-herders are?

If you're verified on Twitter, you may not be seeing how much of a shitshow their ad business is. Maybe they're going to have to sell Twitter to me sooner than I thought.


Krebs on Security: How a Citadel Trojan Developer Got Busted

A U.S. District Court judge in Atlanta last week handed a five-year prison sentence to Mark Vartanyan, a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan. This fact has been reported by countless media outlets, but far less well known is the fascinating backstory about how Vartanyan got caught.

For several years, Citadel ruled the malware scene for criminals engaged in stealing online banking passwords and emptying bank accounts. U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.

Like most complex banking trojans, Citadel was marketed and sold in secluded, underground cybercrime markets. Often the most time-consuming and costly aspect of malware sales and development is helping customers with any tech support problems they may have in using the crimeware.

In light of that, one innovation that Citadel brought to the table was to crowdsource some of this support work, easing the burden on the malware’s developers and freeing them up to spend more time improving their creations and adding new features.

Citadel users discuss the merits of including a module to remove other parasites from host PCs.

Citadel boasted an online tech support system for customers designed to let them file bug reports, suggest and vote on new features in upcoming malware versions, and track trouble tickets that could be worked on by the malware developers and fellow Citadel users alike. Citadel customers also could use the system to chat and compare notes with fellow users of the malware.

It was this very interactive nature of Citadel’s support infrastructure that FBI agents would ultimately use to locate and identify Vartanyan, who went by the nickname “Kolypto.” The nickname of the core seller of Citadel was “Aquabox,” and the FBI was keen to identify Aquabox and any programmers he’d hired to help develop Citadel.

In June 2012, FBI agents bought several licenses of Citadel from Aquabox, and soon the agents were suggesting tweaks to the malware that they could use to their advantage. Posing as an active user of the malware, FBI agents informed the Citadel developers that they’d discovered a security vulnerability in the Web-based interface that Citadel customers used to keep track of and collect passwords from infected systems (see screenshot below).

A screenshot of the Web-based Citadel botnet control panel.

Aquabox took the bait, and asked the FBI agents to upload a screenshot of the bug they’d found. As noted in this September 2015 story, the FBI agents uploaded the image to file-sharing giant Sendspace.com and then subpoenaed the logs from Sendspace to learn the Internet address of the user that later viewed and downloaded the file.

The IP address came back as the same one they had previously tied to Aquabox. The other address that accessed the file was in Ukraine and tied to Vartanyan. Prosecutors said Vartanyan’s address soon after was seen uploading to Sendspace a patched version of Citadel that supposedly fixed the vulnerability identified by the agents posing as Citadel users.

Mark Vartanyan. Source: Twitter.

“In the period August 2012 to January 2013, there were in total 48 files uploaded from Mark's IP to Sendspace,” reads a story in the Norwegian daily VG that KrebsOnSecurity had translated into English here (PDF). “Those files were downloaded by ‘Aquabox’ with 2 IPs (193.105.134.50 and 149.154.155.81).”

Investigators would learn that Vartanyan was a Russian citizen who’d grown up in Ukraine. At the time of his arrest, Mark was living in Norway, which later extradited him to the United States for prosecution. In March 2017, Vartanyan pleaded guilty to one count of computer fraud, and was sentenced on July 19 to five years in federal prison.

Another Citadel developer, Dimitry Belorossov (a.k.a. “Rainerfox”), was arrested and sentenced in 2015 to four years and six months in prison after pleading guilty to distributing Citadel.

Early in its heyday, some text strings were added to the Citadel Trojan which named Yours Truly as the real author of Citadel (see screenshot below). While I obviously had no involvement in writing the trojan, I have written a great deal about its core victims — mainly dozens of small businesses here in the United States who saw their bank accounts drained of hundreds of thousands or millions of dollars after a Citadel infection.

A text string inside of the Citadel trojan. Source: AhnLab

Planet Linux Australia: Russell Coker: Forking Mon and DKIM with Mailing Lists

I have forked the “Mon” network/server monitoring system. Here is a link to the new project page [1]. There hasn’t been an upstream release since 2010 and I think we need more frequent releases than that. I plan to merge as many useful monitoring scripts as possible and support them well. All Perl scripts will use strict and use other best practices.

The first release of etbe-mon is essentially the same as the last release of the mon package in Debian. This is because I started work on the Debian package (almost all the systems I want to monitor run Debian) and as I had been accepted as a co-maintainer of the Debian package I put all my patches into Debian.

It’s probably not a common practice for someone to fork upstream of a package soon after becoming a co-maintainer of the Debian package. But I believe that this is in the best interests of the users. I presume that there are other collections of patches out there and I hope to merge them so that everyone can get the benefits of features and bug fixes that have been separate due to a lack of upstream releases.

Last time I checked mon wasn’t in Fedora. I believe that mon has some unique features for simple monitoring that would be of benefit to Fedora users and would like to work with anyone who wants to maintain the package for Fedora. I am also interested in working with any other distributions of Linux and with non-Linux systems.

While setting up the mailing list for etbemon I wrote an article about DKIM and mailing lists (primarily Mailman) [2]. This explains how to set up Mailman for correct operation with DKIM and also why that seems to be the only viable option.

Cryptogram: Alternatives to Government-Mandated Encryption Backdoors

Policy essay: "Encryption Substitutes," by Andrew Keane Woods:

In this short essay, I make a few simple assumptions that bear mentioning at the outset. First, I assume that governments have good and legitimate reasons for getting access to personal data. These include things like controlling crime, fighting terrorism, and regulating territorial borders. Second, I assume that people have a right to expect privacy in their personal data. Therefore, policymakers should seek to satisfy both law enforcement and privacy concerns without unduly burdening one or the other. Of course, much of the debate over government access to data is about how to respect both of these assumptions. Different actors will make different trade-offs. My aim in this short essay is merely to show that regardless of where one draws this line -- whether one is more concerned with ensuring privacy of personal information or ensuring that the government has access to crucial evidence -- it would be shortsighted and counterproductive to draw that line with regard to one particular privacy technique and without regard to possible substitutes. The first part of the paper briefly characterizes the encryption debate two ways: first, as it is typically discussed, in stark, uncompromising terms; and second, as a subset of a broader problem. The second part summarizes several avenues available to law enforcement and intelligence agencies seeking access to data. The third part outlines the alternative avenues available to privacy-seekers. The availability of substitutes is relevant to the regulators but also to the regulated. If the encryption debate is one tool in a game of cat and mouse, the cat has other tools at his disposal to catch the mouse -- and the mouse has other tools to evade the cat. The fourth part offers some initial thoughts on implications for the privacy debate.

Blog post.

Worse Than Failure: The Logs Don't Lie

She'd resisted the call for years. As a senior developer, Makoto knew how the story ended: one day, she'd be drafted into the ranks of the managers, forswearing her true love, webdev. When her boss was sacked unexpectedly, mere weeks after the most senior dev quit, she looked around and realized she was holding the short straw. She was the most senior. This is her story.

As she settled into her new responsibilities, Makoto started coming in earlier and earlier in the hopes of getting some development work done. As such, she started to get accustomed to the rhythm of the morning shift, before most devs had rolled out of bed, but after the night shift ops guys had gone home.

Bad sign number 1: the CEO wandering past, looking a bit lost and vaguely concerned.

"Can I help you?" Makoto asked, putting down her breakfast pastry.

Bad sign number 2 was his reply: "Does the Internet look down to you?"

Makoto quickly pulled up her favorite Internet test site, /r/aww, to verify that she still had connectivity. "Seems all right to me."

"Well, I can't get online."

Webdev-Makoto would've shrugged and thought, Not my circus. Manager-Makoto forced a grin onto her face and said, "I'll get my guys on that."

"Thanks, you're a real champ." Satisfied, the CEO wandered back to whatever it was he did all day, leaving Makoto to explain a problem she wasn't experiencing to guys way more qualified to work on this than she was.

Hoping to explain the discrepancy, she unplugged her laptop. This time, the adorable kittens failed to load.

"Success!" she told the empty office. "This is officially some weird wi-fi problem."

She drafted up a notice to that effect, sent it to the office mailing list, and assigned her teammate Sven to find and fix the problem. By 9:00 AM, all was well, and her team had sent out an update to that effect.

Now well into her daily routine, Makoto put the incident behind her. After all, it was resolved, wasn't it?

4:00 PM rolled around, and Makoto was somehow the recipient for an angry email from Greg in Sales. Is the internet still out? I need to close out my sales!!! Why hasn't your team fixed this yet! We could lose $300,000 if I can't close out my sales by 5PM!!!!!

Makoto rolled her eyes at the unnecessary number of exclamation points and checked the sales pipeline. Sure enough, there was nothing preventing her from accessing Greg's queue and verifying that all $100 worth of sales were present and accounted for.

Makoto cracked her knuckles and crafted the most polite response she could muster: As per my update at 9am, the Internet is back online and you should be able to perform any and all job duties at this time.

The reply came 2 minutes later: I cannot close my opportunities!!!

Makoto forwarded the email chain to Sven before rolling over to his desk. "Greg's being a drama llama again. Can you pull the firewall logs and prove he's got Internet?"

"'Course."

10 minutes and 4 raised eyebrows later, Sven replied to the ticket, copying Greg's boss and attaching a screenshot of the logs. As Makoto stated, we are online at this time. Is it possible your computer received a virus from browsing PornHub since 9:30 this morning?

Greg spent the next day in meetings with HR, and the next week on unpaid leave to think about what he'd done. To this day, he cannot look Sven or Makoto in the eye as they pass each other in the hallway. Makoto suspects he won't suffer long—only as long as it takes him to find another job. Maybe one with IT people who don't know what search keywords he uses.



TED: Our podcast “Sincerely, X” co-produced with Audible now available free worldwide

Last year, TED and Audible co-produced a new audio series that invited speakers to share ideas—anonymously. Our goal was to make room for an entirely new trove of ideas: those that could only be broadcast publicly if the speaker’s identity remained private.

The series debuted with a number of powerful stories, and we learned a lot in the process (read about producer Cloe Shasha’s personal experience here).

Now, we’re bringing that first season for free to Apple Podcasts, the TED Android app, or wherever you get your podcasts.

We begin with our first episode, “Dr. Burnout,” featuring a doctor who says she committed a fatal mistake with a patient, leading her to a disturbing diagnosis: the medical field pushes for professional burnout. She unveils a powerful perspective on how doctors must deepen their self-awareness.

We’ll be releasing new episodes every Thursday for the next 10 weeks.

Fans can also access all the episodes today at audible.com/sincerelyx

Cryptogram: US Army Researching Bot Swarms

The US Army Research Agency is funding research into autonomous bot swarms. From the announcement:

The objective of this CRA is to perform enabling basic and applied research to extend the reach, situational awareness, and operational effectiveness of large heterogeneous teams of intelligent systems and Soldiers against dynamic threats in complex and contested environments and provide technical and operational superiority through fast, intelligent, resilient and collaborative behaviors. To achieve this, ARL is requesting proposals that address three key Research Areas (RAs):

RA1: Distributed Intelligence: Establish the theoretical foundations of multi-faceted distributed networked intelligent systems combining autonomous agents, sensors, tactical super-computing, knowledge bases in the tactical cloud, and human experts to acquire and apply knowledge to affect and inform decisions of the collective team.

RA2: Heterogeneous Group Control: Develop theory and algorithms for control of large autonomous teams with varying levels of heterogeneity and modularity across sensing, computing, platforms, and degree of autonomy.

RA3: Adaptive and Resilient Behaviors: Develop theory and experimental methods for heterogeneous teams to carry out tasks under the dynamic and varying conditions in the physical world.

Slashdot thread.

And while we're on the subject, this is an excellent report on AI and national security.

Worse Than Failure: CodeSOD: This or That

Processing financial transactions is not the kind of software you want to make mistakes in. If something is supposed to happen, it is definitely supposed to happen. Not partially happen. Not maybe happen.

Thus, a company like Charles R’s uses a vendor-supplied accounting package. That vendor has a professional services team, so when the behavior needs to be customized, Charles’s company outsources that development to the vendor.

Of course, years later, that code needs to get audited, and it’s about then that you find out that the vendor outsourced their “professional services” to the lowest bidder, creating a less-than-professional service result.

If you want to make sure that when the country code is equal to "HND", you want to be really sure.

if(transaction.country == config.country_code.HND || transaction.country == config.country_code.HND)
    parts[0] = parts[0].replace(/\B(?=(\d{3})+(?!\d))/g, ",");
else
    parts[0] = parts[0].replace(/\B(?=(\d{3})+(?!\d))/g, ".");
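As an added example (not the vendor's or the page's own code), here is what the grouping regex in that snippet actually does, with the duplicated HND comparison reduced to a single test; `config`, `transaction` and the country value "USA" are stand-ins for the originals.

```javascript
// Added example, not the vendor's code: the grouping regex from the page, with the
// duplicated HND comparison collapsed to one test.
const GROUPING_RE = /\B(?=(\d{3})+(?!\d))/g;

// Hypothetical stand-in for the page's `config.country_code` lookup.
const config = { country_code: { HND: "HND" } };

// Insert `separator` before every group of three digits, counting from the right:
// the lookahead only matches at positions followed by a whole number of 3-digit groups.
function groupThousands(integerDigits, separator) {
  return integerDigits.replace(GROUPING_RE, separator);
}

// Same choice the two original branches make: "," for HND, "." for everything else.
// One comparison is enough; `x == y || x == y` is always the same as `x == y`.
function thousandsSeparator(transaction) {
  return transaction.country === config.country_code.HND ? "," : ".";
}

// Mirror of the original flow: split the amount on the decimal point first so that
// only parts[0], the integer part, gets grouped. Returns the grouped integer part.
function formatIntegerPart(amountString, transaction) {
  const parts = amountString.split(".");
  parts[0] = groupThousands(parts[0], thousandsSeparator(transaction));
  return parts[0];
}

// Why the split matters: applied to the whole string, the regex also groups the
// fractional digits, because the lookahead has no idea where the decimal point is.
function groupWithoutSplitting(amountString, separator) {
  return amountString.replace(GROUPING_RE, separator);
}
```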


Planet Linux Australia: OpenSTEM: This Week in HASS – term 3, week 3

This week our youngest students are playing games from different places around the world, in the past. Slightly older students are completing the Timeline Activity. Students in Years 4, 5 and 6 are starting to sink their teeth into their research project for the term, using the Scientific Process.

Foundation/Prep/Kindy to Year 3

Playing hoops

This week students in stand-alone Foundation/Prep/Kindy classes (Unit F.3) and those integrated with Year 1 (Unit F-1.3) are examining games from the past. The teacher can choose to match these to the stories from Week 1 of the unit, as games are listed matching each of the places and time periods included in those stories. However, some games are more practical to play than others, and some require running around, so the teacher may wish to choose games which suit the circumstances of each class. Teachers can discuss how different places have different types of games and why these games might be chosen in those places (e.g. dragons in China and lions in Africa).

Students in Years 1 (Unit 1.3), 2 (Unit 2.3) and 3 (Unit 3.3) have this week to finish off the Timeline Activity. The Timeline Activity requires some investment of time, which can be done as 2 half-hour sessions or one longer session. Some flexible timing is built into the unit for teachers who want to match this activity to the number line in Maths, or who want to revise or cover the number line in more depth as a complement to this activity.

Years 3 to 6

Arthur Phillip

Last week students in Years 3 to 6 chose a research topic, related to a theme in Australian History. Different themes are studied by different year levels. Students in Year 3 (Unit 3.7) study a topic in the history of their capital city or local community. Students in Year 4 (Unit 4.3) study a topic from Australian history in the precolonial or early colonial periods. Students in Year 5 (Unit 5.3) study a topic from Australian colonial history and students in Year 6 (Unit 6.3) study a topic related to Federation or 20th century Australian history. These research topics are undertaken as a Scientific Investigation. This week the focus is on defining a Research Question and undertaking Background Research. Student workbooks will guide students through the process of choosing a research question within their chosen topic, and then how to start the Background Research. These sections will be included in the Scientific Report each student produces at the end of this unit. OpenSTEM resources available with each unit provide a starting point for this Background Research.


Rondam Ramblings: Donald Trump shows that democracy is working. Alas.

I must confess to indulging in a certain amount of schadenfreude watching Donald Trump squirm.  I have been an unwavering never-Trumper since before he announced he was running for president.  And yet I am mindful of the fact that nearly all of the predictions I have made about Trump's political fortunes have been wrong.  In fact, while researching links for this post I realized that I wrote

Planet Linux Australia: Gabriel Noronha: test post

test posting from wordpress.com

01 – [Jul-24 13:35 API] Volley error on https://public-api.wordpress.com/rest/v1.1/sites/4046490/posts/366/?context=edit&locale=en_AU – exception: null
02 – [Jul-24 13:35 API] StackTrace: com.android.volley.ServerError
at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:179)
at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:114)

03 – [Jul-24 13:35 API] Dispatching action: PostAction-PUSHED_POST
04 – [Jul-24 13:35 POSTS] Post upload failed. GENERIC_ERROR: The Jetpack site is inaccessible or returned an error: transport error – HTTP status code was not 200 (403) [-32300]
05 – [Jul-24 13:35 POSTS] updateNotificationError: Error while uploading the post: The Jetpack site is inaccessible or returned an error: transport error – HTTP status code was not 200 (403) [-32300]
06 – [Jul-24 13:35 EDITOR] Focus out callback received

Don Marti: My bot parsed 12,387 RSS feeds and all I got were these links.

Bryan Alexander has a good description of an "open web" reading pipeline in I defy the world and go back to RSS. I'm all for the open web, but 40 separate folders for 400 feeds? That would drive me nuts. I'm a lumper, not a splitter. I have one folder for 12,387 feeds.

My chosen way to use RSS (and one of the great things about RSS is you can choose UX independently of information sources) is a "scored river". Something like Dave Winer's River of News concept, that you can navigate by just scrolling, but not exactly a river of news.

  • with full text if available, but without images. I can click through if I want the images.

  • items grouped by score, not feed. (Scores are assigned by a dirt-simple algorithm in which a feed "invests" a percentage of its points in every link it carries, and the investment pays out as a higher score for that feed if the user likes the link.)

I also put the byline at the bottom of each item. Anyway, one thing I have found out about manipulating my own filter bubble is that linklog feeds and blogrolls are great inputs. So here's a linklog feed. (It's mirrored from the live site, which annoys everyone except me.)
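An added example, not the code behind the reader described above: a toy scored river with the invest-and-pay-out rule, where the invested fraction (INVEST_RATE), the payout on a like (LIKE_PAYOUT), the starting balance, and the feed names and URLs are all assumptions.

```javascript
// Added example, not Don Marti's reader. Each feed stakes a fixed fraction of its
// points on every link it carries; a liked link pays the staking feeds back with a
// gain, so their later items score higher, while unliked links just cost the stake.
// INVEST_RATE, LIKE_PAYOUT and START_POINTS are assumptions, not values from the post.
const INVEST_RATE = 0.1;
const LIKE_PAYOUT = 3;
const START_POINTS = 100;

class ScoredRiver {
  constructor(feedNames) {
    this.points = new Map(feedNames.map((name) => [name, START_POINTS]));
    this.links = new Map(); // url -> { title, stakes: Map(feed -> points staked) }
  }

  // A feed carrying a link stakes INVEST_RATE of its current points on it.
  addItem(feed, url, title) {
    const balance = this.points.get(feed);
    const stake = balance * INVEST_RATE;
    this.points.set(feed, balance - stake);
    if (!this.links.has(url)) this.links.set(url, { title, stakes: new Map() });
    const stakes = this.links.get(url).stakes;
    stakes.set(feed, (stakes.get(feed) || 0) + stake);
  }

  // A link's score is everything staked on it by every feed that carried it.
  score(url) {
    let total = 0;
    for (const stake of this.links.get(url).stakes.values()) total += stake;
    return total;
  }

  // The user liked a link: each staking feed gets its stake back times LIKE_PAYOUT.
  like(url) {
    for (const [feed, stake] of this.links.get(url).stakes) {
      this.points.set(feed, this.points.get(feed) + stake * LIKE_PAYOUT);
    }
  }

  // The river itself: items ordered by score, not grouped by feed.
  ranked() {
    return [...this.links.entries()]
      .map(([url, link]) => ({ url, title: link.title, score: this.score(url) }))
      .sort((a, b) => b.score - a.score);
  }
}

// Constructed sample run: two feeds, one link both carry, one like, then a new item
// from each feed. The feed that was liked more often ends up staking more.
function sampleRun() {
  const river = new ScoredRiver(["alice", "bob"]);
  river.addItem("alice", "https://example.invalid/1", "Carried by both feeds");
  river.addItem("bob", "https://example.invalid/1", "Carried by both feeds");
  river.addItem("alice", "https://example.invalid/2", "Only alice carried this");
  river.like("https://example.invalid/1");
  river.addItem("alice", "https://example.invalid/3", "Alice, after the like");
  river.addItem("bob", "https://example.invalid/4", "Bob, after the like");
  return river;
}
```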

Here are some actual links.

This might look funny: How I ran my kids like an Atlassian team for a month. But think about it for a minute. Someone at every app or site your kids use is doing the same thing, and their goals don't include "Dignity and Respect" or "Hard Work Smart Work".

Global network of 'hunters' aim to take down terrorists on the internet It took me a few days to figure things out and after a few weeks I was dropping accounts like flies…

Google's been running a secret test to detect bogus ads — and its findings should make the industry nervous. (This is a hella good idea. Legit publishers could borrow it: just go ad-free for a few minutes at random, unannounced, a couple of times a week, then send the times straight to CMOs. Did you buy ads that someone claimed ran on our site at these times? Well, you got played.)

For an Inclusive Culture, Try Working Less As I said, to this day, my team at J.D. Edwards was the most diverse I’ve ever worked on....Still, I just couldn’t get over that damned tie.

The Al Capone theory of sexual harassment Initially, the connection eluded us: why would the same person who made unwanted sexual advances also fake expense reports, plagiarize, or take credit for other people’s work?

Jon Tennant - The Cost of Knowledge But there’s something much more sinister to consider; recently a group of researchers saw fit to publish Ebola research in a ‘glamour magazine’ behind a paywall; they cared more about brand association than the content. This could be life-saving research, why did they not at least educate themselves on the preprint procedure....

Twitter Is Still Dismissing Harassment Reports And Frustrating Victims

This Is How Your Fear and Outrage Are Being Sold for Profit (Profit? What about TEH LULZ??!?!1?)

Fine, have some cute animal photos, I was done with the other stuff anyway: Photographer Spends Years Taking Adorable Photos of Rats to Break the Stigma of Rodents


Cory Doctorow: Come see me at San Diego Comic-Con!


There are three more stops on my tour for Walkaway: tomorrow at San Diego Comic-Con, next weekend at Defcon 25 in Las Vegas, and August 10th at the Burbank Public Library.


My Comic-Con day is tomorrow/Sunday, July 23: first, a 10AM signing at the Tor Books booth (#2701); then a panel, The Future is Bleak, with Annalee Newitz, Scott Westerfeld, Scott Reintgen and Alex R. Kahler; and finally a 1:15PM signing at autographic area AA06.


(Image: Gage Skidmore, CC-BY-SA)

Don Marti: the other dude

Making the rounds, this is a fun one: A computer was asked to predict which start-ups would be successful. The results were astonishing.

  • 2014: When there's no other dude in the car, the cost of taking an Uber anywhere becomes cheaper than owning a vehicle. So the magic there is, you basically bring the cost below the cost of ownership for everybody, and then car ownership goes away.

  • 2018 (?): When there's no other dude in the fund, the cost of financing innovation anywhere becomes cheaper than owning a portfolio of public company stock. So the magic there is, you basically bring the transaction costs of venture capital below the cost of public company ownership for everybody, and then public companies go away.

Could be a thing for software/service companies faster than we might think. Futures contracts on bugs→equity crowdfunding and pre-sales of tokens→bot-managed follow-on fund for large investors.


TED: Prosthetics that feel more natural, how mushrooms may help save bees, and more

Please enjoy your roundup of TED-related news:

Prosthetics that feel more natural. A study in Science Robotics lays out a surgical technique developed by Shriya Srinivasan, Hugh Herr and others that may help prosthetics feel more like natural limbs. During an amputation, the muscle pairs that allow our brains to sense how much force is applied to a limb and where it is in space are severed, halting sensory feedback to and from the brain and affecting one’s ability to balance, handle objects and move. But nerves that send signals to the amputated limb remain intact in many amputees. Using rats, the scientists connected these nerves with muscles grafted from other parts of the body — a technique that successfully restored the muscle pair relationship and sensory feedback being sent to the brain. Combined with other research on translating nerve signals into instructions for moving the prosthetic limb, the technique could help amputees regain the ability to sense where the prosthetic is in space and the forces applied to it. They plan to begin implementing this technique in human amputees. (Watch Herr’s TED Talk)

From mathematician to politician. Emmanuel Macron wants France to be at the forefront of science, and science to be incorporated in global politics, but this is easier said than done. The election of Cédric Villani to the French National Assembly—a mathematician, Fields medalist, and TED speaker—provides a reason for optimism. “Currently, scientific knowledge within French political circles is close to zero,” Villani said in an interview with Science. “It’s important that some scientific expertise is present in the National Assembly.” Villani’s election is a step in that direction. (Watch Villani’s TED Talk)

A digital upgrade for the US government. The United States Digital Service, of which Matt Cutts is acting administrator, released its July Report to Congress. Since 2014, the USDS has worked with Silicon Valley engineers and experienced government employees to streamline federal websites and online services. Currently, the USDS is working with seven federal agencies, including the Department of Defense, the Department of Health and Human Services and the Department of Education. Ultimately, the USDS' digital intervention is not just about reducing cost and increasing efficiency; it's about restoring people's trust in government. (Watch Cutts' TED Talk)

Can mushrooms help save bees? Bee populations have been in decline for the past decade, and the consequences could be dire. But in a video for Biographic, produced by Louie Schwartzberg and including mycologist Paul Stamets, scientists discuss an unexpected solution: mushrooms. The spores and extract from Metarhizium anisopliae, a common species of mushroom, are toxic to varroa mites, the vampiric parasite which sucks blood from bees and causes colony collapse disorder. However, bees can tolerate low doses free of harm. Metarhizium anisopliae has even been shown to promote beehive longevity. This could be a step forward in curbing the mortality rate of nature’s most prolific pollinator. (Watch Schwartzberg’s TED Talk and Stamets’ TED Talk)

Support for women entrepreneurs. The World Bank Group announced its creation of The Women Entrepreneurs Finance Initiative (We-Fi), a facility that will create a $1 billion fund to support and encourage female entrepreneurship. Initiated by the U.S. and Germany, it quickly received support from other nations including Canada, Japan, Saudi Arabia and South Korea. Nearly 70% of small and medium-sized enterprises owned by women in developing countries are denied or unable to receive adequate financial services. We-Fi aims to overcome these and many other obstacles by providing early support, networking opportunities and access to markets. “Women’s economic empowerment is critical to achieve the inclusive economic growth required to end extreme poverty, which is why it has been such a longstanding priority for us,” World Bank Group President Jim Yong Kim said. “This new facility offers an unprecedented opportunity to harness both the public and private sectors to open new doors of opportunity for women entrepreneurs and women-owned firms in developing countries around the globe.” (Watch Kim’s TED Talk)

Daring to drive. Getting behind the wheel of a car is something many of us take for granted. However, as Manal al-Sharif details in her new memoir, Daring to Drive: A Saudi Woman’s Awakening, it’s not that way for everybody. The daughter of a taxi driver, al-Sharif got an education and landed a good job. The real challenge was simply getting to work—as a rule, Saudi women are not allowed to drive. Daring to Drive tells the story of her activism in the face of adversity. (Watch al-Sharif’s TED Talk)

Have a news item to share? Write us at contact@ted.com and you may see it included in this biweekly round-up.


Cryptogram: Friday Squid Blogging: Giant Squid Caught Off the Coast of Ireland

It's the second in two months. Video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Cryptogram: Hacking a Segway

The Segway has a mobile app. It is hackable:

While analyzing the communication between the app and the Segway scooter itself, Kilbride noticed that a user PIN number meant to protect the Bluetooth communication from unauthorized access wasn't being used for authentication at every level of the system. As a result, Kilbride could send arbitrary commands to the scooter without needing the user-chosen PIN.

He also discovered that the hoverboard's software update platform didn't have a mechanism in place to confirm that firmware updates sent to the device were really from Segway (often called an "integrity check"). This meant that in addition to sending the scooter commands, an attacker could easily trick the device into installing a malicious firmware update that could override its fundamental programming. In this way an attacker would be able to nullify built-in safety mechanisms that prevented the app from remote-controlling or shutting off the vehicle while someone was on it.

"The app allows you to do things like change LED colors, it allows you to remote-control the hoverboard and also apply firmware updates, which is the interesting part," Kilbride says. "Under the right circumstances, if somebody applies a malicious firmware update, any attacker who knows the right assembly language could then leverage this to basically do as they wish with the hoverboard."
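Two separate defects are described above: the PIN is checked at pairing but not enforced on every later command, and firmware images are accepted without any proof that the vendor built them. Note that what the article calls an "integrity check" is really an origin (authenticity) check: a CRC or hash proves an image arrived intact, but anyone can compute one, so only a signature under a key the attacker does not hold keeps malicious firmware out. The following is an added example, not Segway's or Ninebot's code; the image layout, the Ed25519 signing scheme, the `device` model and the PIN gate are all assumptions made for illustration. It shows the reported behaviour (`vulnerableUpdate`: well-formed and intact is enough, PIN state ignored) next to a hardened handler that re-checks the session on this command, verifies the vendor signature over the image, and also refuses version downgrades, which the article does not mention but a firmware update path should have.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"hash/crc32"
)

// Assumed image layout (illustration only, not the real Segway/Ninebot format):
//   [4 B version][4 B payload length][payload][4 B CRC32][64 B Ed25519 signature]
// CRC and signature both cover version||length||payload. Anyone can compute the
// CRC, so it only proves the image is intact; the signature proves who built it.
const hdrLen, sigLen = 8, ed25519.SignatureSize

var (
	errMalformed = errors.New("malformed or corrupt image")
	errSignature = errors.New("signature does not verify against vendor key")
	errRollback  = errors.New("version rollback refused")
	errUnauth    = errors.New("session not authenticated with PIN")
)

// parseImage checks framing and CRC before any field is trusted. Passing here
// means the image is intact, not that it is genuine.
func parseImage(b []byte) (signed, sig []byte, version uint32, err error) {
	if len(b) < hdrLen+4+sigLen {
		return nil, nil, 0, errMalformed
	}
	plen := binary.LittleEndian.Uint32(b[4:8])
	if uint64(plen) != uint64(len(b)-hdrLen-4-sigLen) { // uint64: no int overflow on 32-bit
		return nil, nil, 0, errMalformed
	}
	end := hdrLen + int(plen)
	if crc32.ChecksumIEEE(b[:end]) != binary.LittleEndian.Uint32(b[end:end+4]) {
		return nil, nil, 0, errMalformed
	}
	return b[:end], b[end+4:], binary.LittleEndian.Uint32(b[0:4]), nil
}

// buildImage serialises an image. With priv == nil the signature is left
// zeroed, which is all an attacker without the vendor key can produce.
func buildImage(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	b := make([]byte, hdrLen, hdrLen+len(payload)+4+sigLen)
	binary.LittleEndian.PutUint32(b[0:4], version)
	binary.LittleEndian.PutUint32(b[4:8], uint32(len(payload)))
	b = append(b, payload...)
	c := crc32.ChecksumIEEE(b)
	b = append(b, byte(c), byte(c>>8), byte(c>>16), byte(c>>24))
	if priv == nil {
		return append(b, make([]byte, sigLen)...)
	}
	return append(b, ed25519.Sign(priv, b[:hdrLen+len(payload)])...)
}

// device is a toy model of the scooter's BLE command and update surface (assumed).
type device struct {
	pin       string
	authed    bool
	vendorPub ed25519.PublicKey
	fwVersion uint32
}

// authenticate is the only place the PIN is checked. The reported flaw is a
// device that does this at pairing and never consults the result again.
func (d *device) authenticate(pin string) bool {
	d.authed = subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) == 1
	return d.authed
}

// vulnerableUpdate mirrors the reported behaviour: intact is enough, PIN state is ignored.
func (d *device) vulnerableUpdate(b []byte) error {
	_, _, version, err := parseImage(b)
	if err == nil {
		d.fwVersion = version
	}
	return err
}

// hardenedUpdate re-checks the session, verifies the vendor signature, refuses downgrades.
func (d *device) hardenedUpdate(b []byte) error {
	if !d.authed {
		return errUnauth
	}
	signed, sig, version, err := parseImage(b)
	if err != nil {
		return err
	}
	if len(d.vendorPub) != ed25519.PublicKeySize || !ed25519.Verify(d.vendorPub, signed, sig) {
		return errSignature
	}
	if version < d.fwVersion {
		return errRollback
	}
	d.fwVersion = version
	return nil
}
```

The design point is where the checks sit: `authenticate` may run once, but `hardenedUpdate` consults the session state itself rather than trusting that an earlier layer did, and the signature is verified over exactly the bytes that will be flashed (version and length included), so an attacker cannot splice a signed payload under a different header. On a real device the vendor public key would be burned into read-only storage or the bootloader, and the rollback floor would persist across reboots.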

Worse Than Failure: Error'd: No Thanks Necessary

"I guess we're not allowed to thank the postal carriers?!" Brian writes.

 

"So, does the CPU time mean that Microsoft has been listening to every noise I have made since before I was born?" writes Shaun F.

 

"No problem. I will not attempt to re-use your error message without permission," wrote Alex K.

 

Mark B. writes, "Ah, if only we could have this in real life."

 

"Good work Google! Another perfect translation into German," Kolja wrote.

 

"I was searching for an Atmel MCU, so I naturally opened Atmel's Product Finder. I kind of wish that I didn't," writes Michael B.

 
