Planet Russell


Planet Debian: Norbert Preining: USB stick update: TAILS 1.4, GParted 0.22, SysResCD 4.5.2, Debian Jessie

I have posted a few times (here and here) about how to get a multi-boot/multi-purpose USB stick working. Now that TAILS has seen a major upgrade, and Debian 8.0 Jessie has been released, I think it is time to update the procedure to reflect the latest releases. That turned out to be a painful experience, in particular since Debian removed support for any reasonable boot method.


So, going through these explanations, one will end up with a usable USB stick that can boot into TAILS, System Rescue CD and GParted Live CD, but unfortunately no longer into an installation of Debian 8.0 Jessie. The USB stick will still be usable as normal media.

Let us repeat some things from the original post concerning the wishlist and the main players:

I have a long wishlist of items a boot stick should fulfill

  • boots into Tails, SystemRescueCD, and GParted
  • boots on both EFI and legacy systems
  • uses the full size of the USB stick (user data!)
  • allows installation of Debian (not possible anymore)
  • if possible, preserve already present user data on the stick

This time I have added the GNOME/GNU Partition Editor gparted as it came in useful at times.


A USB stick, the ISO images of TAILS 1.4, SystemRescueCD 4.5.2 and GParted Live CD 0.22.0, and some tool to access ISO images, for example ISOmaster (often available from your friendly Linux distribution).

I assume that you already have a USB stick prepared as described previously. If this is not the case, please go there and follow the section on preparing your USB stick.

Two types of boot options

We will employ two different approaches to boot the special systems: one boots directly from an ISO image, the other via extraction of the necessary kernels and images.

At the moment we have the following status with respect to boot methods:

  • Booting directly from ISO image: System Rescue CD and GNOME Parted Live CD
  • Extraction of kernels/images: TAILS (Debian Jessie does not work in any way)

What is a pity is that during the testing phase, booting and installation from testing images worked for Debian, as documented previously. But with the final images (my guess is that it has to do with systemd; it wouldn’t surprise me), no Debian CD is detected, as the installer cannot find the ISO image on the USB stick. Bummer. That means that for a Debian USB stick you need a dedicated one.

Booting from ISO image

Grub gained, quite some time ago, the ability to boot directly from an ISO image. In this case the ISO image is mounted via loopback, and the kernel and initrd are specified relative to the ISO image root.

For both SystemRescueCD and GParted Live CD, just drop the ISO files into /boot/iso/, in my case /boot/iso/systemrescuecd-x86-4.5.2.iso and /boot/iso/gparted-live-0.22.0-1-i586.iso.

After that, entries like the following have to be added to grub.cfg. For the full list see grub.cfg:

submenu "System Rescue CD 4.5.2 (via ISO) ---> " {
  set isofile="/boot/iso/systemrescuecd-x86-4.5.2.iso"
  menuentry "SystemRescueCd (64bit, default boot options)" {
        set gfxpayload=keep
        loopback loop (hd0,1)$isofile
        linux   (loop)/isolinux/rescue64 isoloop=$isofile
        initrd  (loop)/isolinux/initram.igz
  }
}

submenu "GNU/Gnome Parted Live CD 0.22.0 (via ISO) ---> " {
  set isofile="/boot/iso/gparted-live-0.22.0-1-i586.iso"
  menuentry "GParted Live (Default settings)" {
    loopback loop (hd0,1)$isofile
    linux (loop)/live/vmlinuz boot=live username=user config components quiet noswap noeject ip= nosplash findiso=$isofile
    initrd (loop)/live/initrd.img
  }
}

Note the added isoloop=$isofile and findiso=$isofile, which help the booted system find the ISO image it was loaded from.

Booting via extraction of kernels and images

This is a bit more tedious, but still not too bad.

Installation of TAILS files

Assuming you have access to the files on the TAILS CD via the directory ~/tails, execute the following commands:

mkdir -p /usbstick/boot/tails
cp -a ~/tails/live/* /usbstick/boot/tails/

The grub.cfg entries look now similar to the following:

submenu "TAILS Environment 1.4 ---> " {
  menuentry "Tails64 Live System" {
        linux   /boot/tails/vmlinuz2 boot=live live-media-path=/boot/tails config live-media=removable nopersistent noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails libata.force=noncq
        initrd  /boot/tails/initrd2.img
  }
}

The important part here is the live-media-path=/boot/tails, otherwise TAILS will not find the correct files for booting. The rest of the information was extracted from the boot setup of TAILS itself.

Current status of USB stick

Just to make sure, at the current stage the USB stick should contain the following files:

        vmlinuz Tails.module initrd.img ....
            lots of files
            lots of files
            lots of files
        grub.cfg            *this file we create in the next step!!*

The Grub config file grub.cfg

The final step is to provide a grub config file in /usbstick/boot/grub/grub.cfg. I created one by looking at the isoboot.cfg files in the SystemRescueCD, TAILS, GParted and Debian/Jessie ISO images, and converting them to grub syntax. Excerpts have been shown above in the various sections.

I spare you all the details; grab a copy here: grub.cfg


That’s it. Now you can anonymously provide data about your evil government, rescue your friend’s computer, fix a forgotten Windows password, and above all, install a proper free operating system.

If you have any comments, improvements or suggestions, please drop me a comment. I hope this helps a few people getting a decent USB boot stick running.


Postscriptum concerning Debian/Jessie

So I first tried to boot directly into the Debian Jessie firmware ISO image by dropping the ISO into /boot/iso/firmware-8.0.0-amd64-i386-netinst.iso and adding a grub entry like:

submenu "Debian 8.0 Jessie NetInstall ---> " {
    set isofile="/boot/iso/firmware-8.0.0-amd64-i386-netinst.iso"
    menuentry '64 bit Install' {
        set background_color=black
        loopback loop (hd0,1)$isofile
        linux    (loop)/install.amd/vmlinuz iso-scan/ask_second_pass=true iso-scan/filename=$isofile vga=788 -- quiet
        initrd   (loop)/install.amd/initrd.gz
    }
}

That was a no-go. I added the iso-scan/ask_second_pass=true iso-scan/filename=$isofile thingy after some research in forums and on the web, without any change. Of course I also tried the official ISO image debian-8.0.0-amd64-netinst.iso, with the same effect.

Although I was sure it wouldn’t make any difference, I also tried to extract the kernel and initrd and boot directly from them, i.e., copying the files to /usbstick/boot/debian/ as follows:

mkdir -p /usbstick/boot/debian
cp -a ~/tails/install.amd /usbstick/boot/debian/
cp -a ~/tails/install.386 /usbstick/boot/debian/

In addition, copy the ISO image itself into /usbstick/boot/iso (or directly into the root of the USB stick; it didn’t change anything), and add a grub.cfg entry as follows:

submenu "Debian 8.0 Jessie NetInstall ---> " {
  menuentry '64 bit Install' {
    set background_color=black
    linux    /boot/debian/install.amd/vmlinuz vga=788 -- quiet
    initrd   /boot/debian/install.amd/initrd.gz
  }
}

All of these were without success, always ending up in error messages like: Mounting sdb, this is not a Debian Installation CD, etc.

I have also submitted a bug report to the installation reports; unfortunately no answer (not that I expected one). In case someone has a better idea, please let me know!

It is very sad that this kind of support has been removed. The Installation Manual lists some options to install from USB, and the only difference is that there syslinux on a FAT16 filesystem is used. This restricts the USB stick size a lot and does not allow for easy multi-boot via grub.

As reported here, I actually had this running. Unfortunately, I stupidly removed the old ISO image and replaced it with the current Jessie ISO image, assuming there would be no regression. Wrong assumption. Now I cannot even investigate the changes by looking into the initrd. Looking at the date of the original post, I see it is more or less one year ago, so before the systemd introduction. I don’t know whether this has any effect; I doubt it, as the installer is separate. But something happened in the meantime. Bad for us.


Planet Debian: Daniel Pocock: Quick start using Blender for video editing

Although it is mostly known for animation, Blender includes a non-linear video editing system that is available in all the current stable versions of Debian, Ubuntu and Fedora.

Here are some screenshots showing how to start editing a video of a talk from a conference.

In this case, there are two input files:

  • A video file from a DSLR camera, including an audio stream from a microphone on the camera
  • A separate audio file with sound captured by a lapel microphone attached to the speaker's smartphone. This is a much better quality sound and we would like this to replace the sound included in the video file.

Open Blender and choose the video editing mode

Launch Blender and choose the video sequence editor from the pull down menu at the top of the window:

Now you should see all the video sequence editor controls:

Set up the properties for your project

Click the context menu under the strip editor panel and change the panel to a Properties panel:

The video file we are playing with is 720p, so it seems reasonable to use 720p for the output too. Change that here:

The input file is 25fps so we need to use exactly the same frame rate for the output, otherwise you will either observe the video going at the wrong speed or there will be a conversion that is CPU intensive and degrades the quality:

Now specify an output filename and location:

Specify the file format:

and the video codec:

and specify the bitrate (smaller bitrate means smaller file but lower quality):

Specify the AAC audio codec:

Now your basic rendering properties are set. When you want to generate the output file, come back to this panel and use the Animation button at the top.

Editing the video

Use the context menu to change the properties panel back to the strip view panel:

Add the video file:

and then right click the video strip (the lower strip) to highlight it and then add a transform strip:

Audio waveform

Right click the audio strip to highlight it and then go to the properties on the right hand side and click to show the waveform:

Rendering length

By default, Blender assumes you want to render 250 frames of output. Looking in the properties to the right of the audio or video strip you can see the actual number of frames. Put that value in the box at the bottom of the window where it says 250:

Enable AV-sync

Also at the bottom of the window is a control to enable AV-sync. If your audio and video are not in sync when you preview, you need to set this AV-sync option and also make sure you set the frame rate correctly in the properties:

Add the other sound strip

Now add the other sound file that was recorded using the lapel microphone:

Enable the waveform display for that sound strip too; this will allow you to align the sound strips precisely:

You will need to listen to the strips to make an estimate of the time difference. Use this estimate to set the "start frame" in the properties for your audio strip; it will be a negative value if the audio strip starts before the video. You can then zoom the strip panel to show about 3 to 5 seconds of sound and try to align the peaks. An easy way to do this is to look for applause at the end of the audio strips: the applause generates a large peak that is easily visible.

Once you have synced the audio, you can play the track and you should not be able to hear any echo. You can then silence the audio track from the camera by right-clicking it, looking in the properties to the right and changing the volume to 0.

Make any transforms you require

For example, to zoom in on the speaker, right click the transform strip (3rd from the bottom) and then in the panel on the right, click to enable "Uniform Scale" and then set the scale factor as required:

Next steps

There are plenty of more comprehensive tutorials, including some videos on YouTube, explaining how to do more advanced things like fading in and out or zooming and panning dynamically at different points in the video.

If the lighting is not good (faces too dark, for example), you can right click the video strip, go to the properties panel on the right hand side and click Modifiers, Add Strip Modifier and then select "Color Balance". Use the Lift, Gamma and Gain sliders to adjust the shadows, midtones and highlights respectively.

Planet Linux Australia: Binh Nguyen: Las Vegas Style Food Recipes

We interrupt our regular blog posts with a word from our sponsor... LOL

Seriously though, times are tough in Las Vegas, so instead of resorting to standard marketing techniques they've been trying to convince food bloggers (including me) to do their work for them... Just look at the condition of the place! Why would I ever want to go there?

Anyhow, recently someone from (a company that specialises in promoting hotels, restaurants, locations, and other events in Las Vegas) contacted me and asked me to do a take on some of the dishes available in Las Vegas (A copy of the menu is included,

More precisely, dishes from the Aria, Caesars Palace, Bellagio, and The Pallazo. I'm going to take a stab at a take on a few of these dishes in a way that is inexpensive, quick, and hopefully tasty.

The point of these is also to make them more accessible by substituting ingredients (a lot of these ingredients quite simply aren't easily available in other parts of the world, and to be honest it's hard to be impressed by something you know little about).

The following three desserts are designed to be eaten like sundaes.

- ice-cream (vanilla, coffee, or rum-raisin will work best for this)
- crushed peanuts or crushed roasted almonds
- chopped up chocolate bar (Snickers, Picnic, or anything which contains nougat/nuts in its core) (optional)
- strawberries (or another berry) which have been sliced and left in the fridge in a ice/sugar syrup mix
- a drizzle of caramel/chocolate sauce
- cocoa/coffee powder (optional)
Scoop ice cream into bowl or cup. Drizzle other ingredients on top.

- ice-cream (vanilla, coffee, or rum-raisin will work best for this)
- raisins which have been drenched in rum overnight
- crushed peanuts or crushed roasted almonds
- drizzle of caramel/chocolate sauce
- cocoa/coffee powder (optional)
Scoop ice cream into bowl or cup. Drizzle other ingredients on top.

- ice-cream (vanilla will work best for this)
- some form of cake (can be made or purchased. My preference is towards something darker such as chocolate or coffee flavour. If cooking please cook it so that it is slightly overcooked as it will be mixed with the ice cream. This will stop it from going soggy too quickly and add a bit of texture to the dish).
- some form of alcohol/liquor (we're targeting aroma here. Use whatever you have, but I think rum, cognac, or something else suitably sweet would do well)
Scoop ice cream into bowl or cup. Break up the cake and drop it around in chunks around the ice cream. Drizzle alcohol/liquor around and over the top.

The following is a dessert which is meant to be eaten/drunk like an 'affogato'.
- ice-cream (vanilla will work best for this)
- crushed macaroon biscuits (can be made or purchased. My preference is towards chocolate or coffee flavours. Don't bother making the cream if you don't want to)
- a side drink of coffee, cappuccino, latte or Milo (chocolate malt) (I'd probably go for a powdered cappuccino/latte drink which only requires boiling water to be added, to get this done quick and tasty)
- cocoa/coffee powder (optional)
Scoop ice cream into bowl or cup. Drizzle other ingredients on top.

The following is obviously my take on a deluxe steak sandwich.
- sandwich bread slices
- steak
- onions
- lettuce
- tomato
- bacon
- cheese
- egg
- tomato sauce
- balsamic vinegar (optional)
- mayonnaise (optional)
Toast or grill the sandwich slices. Add cheese as the first layer. Fry an egg and add this as the next layer. Fry some bacon and add this as the next layer. Fry off steak slices with some onion, garlic, salt, sugar, pepper, and maybe a tiny drop of balsamic vinegar (I would probably caramelise this slightly in a pan to remove some of the tartness before adding it to the sandwich, or not add it at all) and add this as the next layer. Slice the vegetables and add them as the next layer. Use tomato sauce (mayonnaise is optional depending on your taste) on the top layer, as this will stop it from drenching the sandwich before you have finished preparing it. Season to taste.

The following is more savoury.
- roasted chicken (can be made or purchased)
- pasta in a white sauce (the 'Bacon and Mushroom Carbonara with Pasta' recipe from, would work well here)
- asparagus
- cheese
- potatoes (use the recipes at, or and remove relevant ingredients (bacon, cream, and cheese for me) to suit the dish)
Cook pasta. Fry asparagus with garlic, butter, oil or else blanch it. Put it in a microwave for a few seconds with a slice of cheese on top to give it a bit of extra flavour. Serve with roasted chicken and fried potatoes. Season dish to taste. You may need to serve this dish with a salad as it is very rich or fatty depending on your interpretation.

Krebs on Security: More Evidence of mSpy Apathy Over Breach

Mobile spyware maker mSpy has expended a great deal of energy denying and then later downplaying a breach involving data stolen from tens of thousands of mobile devices running its software. Unfortunately for victims of this breach, mSpy’s lackadaisical response has left millions of screenshots taken from those devices wide open and exposed to the Internet via its own Web site.

The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.

The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.

For example, here’s a fairly benign screen shot reference that was included in the leaked files:

“ref”: “dav/a00/003/628/359/2015/02/24/cGWmz4OjqoyImZQh-25493887.

Adding the base URL to that URL stem produces a screen shot showing an mSpy-enabled device browsing, a Czech news site. Disturbingly, it is trivial to identify the owners of many mSpy-enabled devices merely based on the information available in the bookmarks bar or Web browser windows shown in many of these screen shots.

According to mSpy, however, this is not a big deal. Almost a week after I requested comment from mSpy, a person named Amelie Ross responded with a somewhat nonsensical statement that essentially said the whole incident was dramatically exaggerated and aggravated by the media.

“Data logs do not include the information of the account user, therefore cannot be tracked back to data owner,” Ross said, ignoring the fact that I was able to identify and contact many of the company’s customers. “This case been a hard lesson and will only serve as an incentive for perfecting our service further. We have communicated with our customers whose data could have been stolen, described them a situation and they perceived it with a total understanding.”

Reached today about the exposed screenshots, mSpy reiterated its claim the data cannot be traced back to the data owner, and then acknowledged that it was reworking its system to render the exposed screenshot links unusable.

“Currently we’re working on re-hashing of the exposed data, which will result in the leaked links becoming inoperable,” Ross wrote. “We expect it to be completed within 24 hours.”

A number of journalists following the mSpy breach story have asked if I knew where the company was based, noting that authorities from several countries are now investigating the breach. As I mentioned in my original story on the break-in, the founders of the company variously claimed UK and Russian nationality, but it remains unclear where the company is physically located. However, I’m leaning toward Russia or another Eastern European country. Ross’s response to my initial email includes a forwarded copy of my May 9 message to the main mailbox, which was prefaced by the timestamp: “09.05.2015 17:55, brian krebs пишет:” That last word, пишет, is Russian for “wrote”. According to a review of the email headers, the response was sent from a laptop in Ukraine on the Eastern European summer time zone.

I hope it’s clear that it’s foolhardy to place any trust or confidence in a company whose reason for existence is secretly spying on people. Alas, the only customers who can truly “trust” a company like this are those who are indifferent to the privacy and security of the device owner being spied upon.

Planet Debian: Vincent Bernat: Live patching QEMU for VENOM mitigation

CVE-2015-3456, also known as VENOM, is a security vulnerability in the QEMU virtual floppy controller:

The Floppy Disk Controller (FDC) in QEMU, as used in Xen […] and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the FD_CMD_READ_ID, FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands.

Even when QEMU has been configured with no floppy drive, the floppy controller code is still active. The vulnerability is easy to test[1]:

#include <stddef.h>
#include <sys/io.h>

#define FDC_IOPORT 0x3f5
#define FD_CMD_READ_ID 0x0a

int main() {
    ioperm(FDC_IOPORT, 1, 1);
    for (size_t i = 0;; i++)
        outb(0x42, FDC_IOPORT);
    return 0;
}

Once the fix is installed, all processes still have to be restarted for the upgrade to be effective. It is possible to minimize the downtime by leveraging virsh save.

Another possibility would be to patch the running processes. The Linux kernel attracted a lot of interest in this area, with solutions like Ksplice (mostly killed by Oracle), kGraft (by Red Hat) and kpatch (by Suse) and the inclusion of a common framework in the kernel. The userspace has far less out-of-the-box solutions[2].

I present here a simple and self-contained way to patch a running QEMU to remove the vulnerability without any noticeable downtime. Here is a short demonstration:

Proof of concept

First, let’s find a workaround that would be simple to implement through live patching: while modifying running code text is possible, it is easier to modify a single variable.


Looking at the code of the floppy controller and the patch, we can avoid the vulnerability by not accepting any command on the FIFO port. Each request would be answered by “Invalid command” (0x80) and a user won’t be able to push more bytes to the FIFO until the answer is read and the FIFO queue reset. Of course, the floppy controller would be rendered useless in this state. But who cares?

The list of commands accepted by the controller on the FIFO port is contained in the handlers[] array:

static const struct {
    uint8_t value;
    uint8_t mask;
    const char* name;
    int parameters;
    void (*handler)(FDCtrl *fdctrl, int direction);
    int direction;
} handlers[] = {
    { FD_CMD_READ, 0x1f, "READ", 8, fdctrl_start_transfer, FD_DIR_READ },
    { FD_CMD_WRITE, 0x3f, "WRITE", 8, fdctrl_start_transfer, FD_DIR_WRITE },
    /* [...] */
    { 0, 0, "unknown", 0, fdctrl_unimplemented }, /* default handler */
};

To avoid browsing the array each time a command is received, another array is used to map each command to the appropriate handler:

/* Associate command to an index in the 'handlers' array */
static uint8_t command_to_handler[256];

static void fdctrl_realize_common(FDCtrl *fdctrl, Error **errp)
{
    int i, j;
    static int command_tables_inited = 0;

    /* Fill 'command_to_handler' lookup table */
    if (!command_tables_inited) {
        command_tables_inited = 1;
        /* Walk handlers[] backwards so that earlier (more specific) entries win */
        for (i = ARRAY_SIZE(handlers) - 1; i >= 0; i--) {
            for (j = 0; j < sizeof(command_to_handler); j++) {
                if ((j & handlers[i].mask) == handlers[i].value) {
                    command_to_handler[j] = i;
                }
            }
        }
    }
    /* [...] */
}

Our workaround is to modify the command_to_handler[] array to map all commands to the fdctrl_unimplemented() handler (the last one in the handlers[] array).

Testing with gdb

To check if the workaround works as expected, we test it with gdb. Unless you have compiled QEMU yourself, you need to install a package with debug symbols. Unfortunately, on Debian, they are not available yet[3]. On Ubuntu, you can install the qemu-system-x86-dbgsym package after enabling the appropriate repositories.

The following function for gdb maps every command to the unimplemented handler:

define patch
  set $handler = sizeof(handlers)/sizeof(*handlers)-1
  set $i = 0
  while ($i < 256)
    set variable command_to_handler[$i++] = $handler
  end
  printf "Done!\n"
end

Attach to the vulnerable process (with attach), call the function (with patch) and detach from the process (with detach). You can check that the exploit does not work anymore. This could easily be automated.


Using gdb has two main limitations:

  1. It needs to be installed on each host to be patched.
  2. The debug packages need to be installed as well. Moreover, it can be difficult to fetch previous versions of those packages.

Writing a custom patcher

To overcome those limitations, we can write a custom patcher using the ptrace() system call, without relying on debug symbols being present.

Finding the right memory spot

Before being able to modify the command_to_handler[] array, we need to know its location. The first clue is given by the symbol table. To query it, use readelf -s:

$ readelf -s /usr/lib/debug/.build-id/09/95121eb46e2a4c13747ac2bad982829365c694.debug | \
>   sed -n -e 1,3p -e /command_to_handler/p

Symbol table '.symtab' contains 27066 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
  8485: 00000000009f9d00   256 OBJECT  LOCAL  DEFAULT   26 command_to_handler

This table is usually stripped out of the executable to save space, as shown below:

$ file -b /usr/bin/qemu-system-x86_64 | tr , \\n
ELF 64-bit LSB shared object
 version 1 (SYSV)
 dynamically linked
 interpreter /lib64/
 for GNU/Linux 2.6.32

If your distribution provides a debug package, the debug symbols are installed in /usr/lib/debug. Most modern distributions are now relying on the build ID[4] to map an executable to its debugging symbols, like the example above. Without a debug package, you need to recompile the existing package without stripping debug symbols in a clean environment[5]. On Debian, this can be done by setting the DEB_BUILD_OPTIONS environment variable to nostrip.

We have now two possible cases:

  • the easy one, and
  • the hard one.

The easy case

On x86, here is the standard layout of a regular Linux process in memory[6]:

Memory layout of a regular process on x86

The random gaps (ASLR) are here to prevent an attacker from reliably jumping to a particular exploited function in memory. On x86-64, the layout is quite similar. The important point is that the base address of the executable is fixed.

The memory mapping of a process is also available through /proc/PID/maps. Here is a shortened and annotated example on x86-64:

$ cat /proc/3609/maps
00400000-00401000         r-xp 00000000 fd:04 483  not-qemu [text segment]
00601000-00602000         r--p 00001000 fd:04 483  not-qemu [data segment]
00602000-00603000         rw-p 00002000 fd:04 483  not-qemu [BSS segment]
[random gap]
02419000-0293d000         rw-p 00000000 00:00 0    [heap]
[random gap]
7f0835543000-7f08356e2000 r-xp 00000000 fd:01 9319 /lib/x86_64-linux-gnu/
7f08356e2000-7f08358e2000 ---p 0019f000 fd:01 9319 /lib/x86_64-linux-gnu/
7f08358e2000-7f08358e6000 r--p 0019f000 fd:01 9319 /lib/x86_64-linux-gnu/
7f08358e6000-7f08358e8000 rw-p 001a3000 fd:01 9319 /lib/x86_64-linux-gnu/
7f08358e8000-7f08358ec000 rw-p 00000000 00:00 0
7f08358ec000-7f083590c000 r-xp 00000000 fd:01 5138 /lib/x86_64-linux-gnu/
7f0835aca000-7f0835acd000 rw-p 00000000 00:00 0
7f0835b08000-7f0835b0c000 rw-p 00000000 00:00 0
7f0835b0c000-7f0835b0d000 r--p 00020000 fd:01 5138 /lib/x86_64-linux-gnu/
7f0835b0d000-7f0835b0e000 rw-p 00021000 fd:01 5138 /lib/x86_64-linux-gnu/
7f0835b0e000-7f0835b0f000 rw-p 00000000 00:00 0
[random gap]
7ffdb0f85000-7ffdb0fa6000 rw-p 00000000 00:00 0    [stack]

With a regular executable, the value given in the symbol table is an absolute memory address:

$ readelf -s not-qemu | \
>   sed -n -e 1,3p -e /command_to_handler/p

Symbol table '.dynsym' contains 9 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    47: 0000000000602080   256 OBJECT  LOCAL  DEFAULT   25 command_to_handler

So, the address of command_to_handler[], in the above example, is just 0x602080.

The hard case

To enhance security, it is possible to load some executables at a random base address, just like a library. Such an executable is called a Position Independent Executable (PIE). An attacker won’t be able to rely on a fixed address to find some helpful function. Here is the new memory layout:

Memory layout of a PIE process on x86

With a PIE process, the value in the symbol table is now an offset from the base address.

$ readelf -s not-qemu-pie | sed -n -e 1,3p -e /command_to_handler/p

Symbol table '.dynsym' contains 17 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
    47: 0000000000202080   256 OBJECT  LOCAL  DEFAULT   25 command_to_handler

If we look at /proc/PID/maps, we can figure out where the array is located in memory:

$ cat /proc/12593/maps
7f6c13565000-7f6c13704000 r-xp 00000000 fd:01 9319  /lib/x86_64-linux-gnu/
7f6c13704000-7f6c13904000 ---p 0019f000 fd:01 9319  /lib/x86_64-linux-gnu/
7f6c13904000-7f6c13908000 r--p 0019f000 fd:01 9319  /lib/x86_64-linux-gnu/
7f6c13908000-7f6c1390a000 rw-p 001a3000 fd:01 9319  /lib/x86_64-linux-gnu/
7f6c1390a000-7f6c1390e000 rw-p 00000000 00:00 0
7f6c1390e000-7f6c1392e000 r-xp 00000000 fd:01 5138  /lib/x86_64-linux-gnu/
7f6c13b2e000-7f6c13b2f000 r--p 00020000 fd:01 5138  /lib/x86_64-linux-gnu/
7f6c13b2f000-7f6c13b30000 rw-p 00021000 fd:01 5138  /lib/x86_64-linux-gnu/
7f6c13b30000-7f6c13b31000 rw-p 00000000 00:00 0
7f6c13b31000-7f6c13b33000 r-xp 00000000 fd:04 4594  not-qemu-pie [text segment]
7f6c13cf0000-7f6c13cf3000 rw-p 00000000 00:00 0
7f6c13d2e000-7f6c13d32000 rw-p 00000000 00:00 0
7f6c13d32000-7f6c13d33000 r--p 00001000 fd:04 4594  not-qemu-pie [data segment]
7f6c13d33000-7f6c13d34000 rw-p 00002000 fd:04 4594  not-qemu-pie [BSS segment]
[random gap]
7f6c15c46000-7f6c15c67000 rw-p 00000000 00:00 0     [heap]
[random gap]
7ffe823b0000-7ffe823d1000 rw-p 00000000 00:00 0     [stack]

The base address is 0x7f6c13b31000, the offset is 0x202080 and therefore, the location of the array is 0x7f6c13d33080. We can check with gdb:

$ print &command_to_handler
$1 = (uint8_t (*)[256]) 0x7f6c13d33080 <command_to_handler>

Patching a memory spot

Once we know the location of the command_to_handler[] array in memory, patching it is quite straightforward. First, we start tracing the target process:

#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* Attach to the running process */
static int
patch_attach(pid_t pid)
{
    int status;
    siginfo_t si;

    printf("[.] Attaching to PID %d...\n", pid);
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        fprintf(stderr, "[!] Unable to attach to PID %d: %m\n", pid);
        return -1;
    }

    /* PTRACE_ATTACH sends SIGSTOP; wait until the tracee has actually stopped */
    if (waitpid(pid, &status, 0) == -1) {
        fprintf(stderr, "[!] Error while attaching to PID %d: %m\n", pid);
        return -1;
    }
    assert(WIFSTOPPED(status)); /* Tracee may have died */

    if (ptrace(PTRACE_GETSIGINFO, pid, NULL, &si) == -1) {
        fprintf(stderr, "[!] Unable to read siginfo for PID %d: %m\n", pid);
        return -1;
    }
    assert(si.si_signo == SIGSTOP); /* Other signals may have been received */

    printf("[*] Successfully attached to PID %d\n", pid);
    return 0;
}

Then, we retrieve the command_to_handler[] array, modify it and put it back in memory [7].

#include <stdlib.h>

static int
patch_doit(pid_t pid, unsigned char *target)
{
    int ret = -1;
    unsigned char *command_to_handler = NULL;
    size_t i;

    /* Get the table */
    printf("[.] Retrieving command_to_handler table...\n");
    command_to_handler = ptrace_read(pid, target, QEMU_COMMAND_TO_HANDLER_SIZE);
    if (command_to_handler == NULL) {
        fprintf(stderr, "[!] Unable to read command_to_handler table: %m\n");
        goto out;
    }

    /* Check if the table has already been patched. */
    /* [...] */

    /* Patch it: every command now points to the "not implemented" handler */
    printf("[.] Patching QEMU...\n");
    for (i = 0; i < QEMU_COMMAND_TO_HANDLER_SIZE; i++) {
        command_to_handler[i] = QEMU_NOT_IMPLEMENTED_HANDLER;
    }
    if (ptrace_write(pid, target, command_to_handler,
           QEMU_COMMAND_TO_HANDLER_SIZE) == -1) {
        fprintf(stderr, "[!] Unable to patch command_to_handler table: %m\n");
        goto out;
    }
    printf("[*] QEMU successfully patched!\n");
    ret = 0;

out:
    free(command_to_handler); /* buffer allocated by ptrace_read(); free(NULL) is a no-op */
    return ret;
}

Since ptrace() only allows reading or writing one word at a time, ptrace_read() and ptrace_write() are wrappers that read or write arbitrarily large chunks of memory [8]. Here is the code for ptrace_read():

#include <errno.h>
#include <stdlib.h>

/* uword_t is the word-sized unsigned integer type moved by one PEEK/POKE */

/* Read memory of the given process */
static void *
ptrace_read(pid_t pid, void *address, size_t size)
{
    /* Allocate the buffer, rounded up to a whole number of words */
    uword_t *buffer = malloc((size/sizeof(uword_t) + 1)*sizeof(uword_t));
    if (!buffer) return NULL;

    /* Read word by word */
    size_t readsz = 0;
    do {
        /* PEEKTEXT returns the word itself, so a -1 word is only an error if errno is set */
        errno = 0;
        if ((buffer[readsz/sizeof(uword_t)] =
                ptrace(PTRACE_PEEKTEXT, pid,
                       (unsigned char*)address + readsz,
                       0)) && errno) {
            fprintf(stderr, "[!] Unable to peek one word at address %p: %m\n",
                    (unsigned char *)address + readsz);
            free(buffer);
            return NULL;
        }
        readsz += sizeof(uword_t);
    } while (readsz < size);
    return (unsigned char *)buffer;
}

Putting the pieces together

The patcher is provided with the following information:

  • the PID of the process to be patched,
  • the command_to_handler[] offset from the symbol table, and
  • the build ID of the executable file used to get this offset (as a safety measure).

The main steps are:

  1. Attach to the process with ptrace().
  2. Get the executable name from /proc/PID/exe.
  3. Parse /proc/PID/maps to find the address of the text segment (it’s the first one).
  4. Do some sanity checks:
    • check there is an ELF header at this location (4-byte magic number),
    • check the executable type (ET_EXEC for regular executables, ET_DYN for PIE), and
    • get the build ID and compare with the expected one.
  5. From the base address and the provided offset, compute the location of the command_to_handler[] array.
  6. Patch it.
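
Steps 3 to 5 above, as an added example in C that is not the patcher's own code: it runs over a constructed /proc/PID/maps excerpt built from the post's not-qemu-pie listing and a constructed ELF header rather than a live process, and checks the mapping and the ELF type before adding the symbol offset to the base (the /tmp/not-qemu-pie path and the library name are assumptions).

```c
#include <elf.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed /proc/PID/maps excerpt modelled on the not-qemu-pie listing
 * in the post. The library name and the /tmp location are made up. */
static const char sample_maps[] =
    "7f6c1390e000-7f6c1392e000 r-xp 00000000 fd:01 5138  /lib/x86_64-linux-gnu/libsample.so\n"
    "7f6c13b31000-7f6c13b33000 r-xp 00000000 fd:04 4594  /tmp/not-qemu-pie\n"
    "7f6c13cf0000-7f6c13cf3000 rw-p 00000000 00:00 0\n"
    "7f6c13d32000-7f6c13d33000 r--p 00001000 fd:04 4594  /tmp/not-qemu-pie\n"
    "7f6c13d33000-7f6c13d34000 rw-p 00002000 fd:04 4594  /tmp/not-qemu-pie\n"
    "7f6c15c46000-7f6c15c67000 rw-p 00000000 00:00 0     [heap]\n";

/* Step 3: locate the text segment of exe_path. Instead of trusting "the
 * first line", require an executable mapping of that exact file at file
 * offset 0, which is where the ELF header lives. Returns 0 if none. */
uint64_t find_base_address(const char *maps, const char *exe_path)
{
    const char *line = maps;
    while (*line != '\0') {
        /* Copy one line so sscanf() cannot pick up a path from the next
         * line when an anonymous mapping has none. */
        char buf[512];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned long long start = 0, end = 0, off = 0;
        char perms[5] = "", path[256] = "";
        /* fields: start-end perms offset dev inode [pathname] */
        int n = sscanf(buf, "%llx-%llx %4s %llx %*s %*u %255s",
                       &start, &end, perms, &off, path);
        if (n == 5 && off == 0 && perms[2] == 'x' &&
            strcmp(path, exe_path) == 0)
            return (uint64_t)start;

        if (nl == NULL) break;
        line = nl + 1;
    }
    return 0;
}

/* Step 4: the bytes at the base address must start with the 4-byte ELF
 * magic, and e_type says how to read symbol values: absolute for ET_EXEC,
 * base-relative for ET_DYN (a PIE). Returns the type, or -1 on a mismatch.
 * In the real patcher these 64 bytes would come from ptrace_read(). */
int elf_type_of_header(const unsigned char *hdr, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, hdr, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return -1;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh.e_type != ET_EXEC && eh.e_type != ET_DYN) return -1;
    return eh.e_type;
}

/* Step 5: a symbol-table value is an offset from the base only for a PIE;
 * for a regular executable it already is the address. */
uint64_t resolve_symbol(int e_type, uint64_t base, uint64_t sym_value)
{
    return e_type == ET_DYN ? base + sym_value : sym_value;
}

/* Constructed stand-in for the header read from the tracee: a 64-bit ELF
 * header with the requested e_type, run through the check above. */
int classify_constructed_header(uint16_t e_type)
{
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = e_type;
    return elf_type_of_header((const unsigned char *)&eh, sizeof eh);
}

int main(void)
{
    uint64_t base = find_base_address(sample_maps, "/tmp/not-qemu-pie");
    int type = classify_constructed_header(ET_DYN);
    /* 0x202080 is the command_to_handler value from the post's readelf output */
    uint64_t table = resolve_symbol(type, base, 0x202080);
    printf("base 0x%" PRIx64 ", command_to_handler at 0x%" PRIx64 "\n", base, table);
    return 0;
}
```

With the post's numbers this yields base 0x7f6c13b31000 and the array at 0x7f6c13d33080, matching the gdb output above; for an ET_EXEC binary the symbol value is used unchanged.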

You can find the complete patcher on GitHub.

$ ./patch --build-id 0995121eb46e2a4c13747ac2bad982829365c694 \
>         --offset 9f9d00 \
>         --pid 16833
[.] Attaching to PID 16833...
[*] Successfully attached to PID 16833
[*] Executable name is /usr/bin/qemu-system-x86_64
[*] Base address is 0x7f7eea912000
[*] Both build IDs match
[.] Retrieving command_to_handler table...
[.] Patching QEMU...
[*] QEMU successfully patched!

  1. The complete code for this test is on GitHub

  2. An interesting project seems to be Katana. But there are also some insightful hacking papers on the subject. 

  3. Some packages come with a -dbg package with debug symbols, some others don’t. Fortunately, a proposal to automatically produce debugging symbols for everything is near completion. 

  4. The Fedora Wiki contains the rationale behind the build ID

  5. If the build is incorrectly reproduced, the build ID won’t match. The information provided by the debug symbols may or may not be correct. Debian currently has a reproducible builds effort to ensure that each package can be reproduced. 

  6. Anatomy of a program in memory is a great blog post explaining in more details how a program lives in memory. 

  7. Being an uninitialized static variable, the variable is in the BSS section. This section is mapped to a writable memory segment. If it wasn’t the case, with Linux, the ptrace() system call is still allowed to write. Linux will copy the page and mark it as private. 

  8. With Linux 3.2 or later, process_vm_readv() and process_vm_writev() can be used to transfer data from/to a remote process without using ptrace() at all. However, ptrace() would still be needed to reliably stop the main thread. 

Planet DebianJonathan Carter: Of course I support Jonathan


Spending yesterday mostly away from the computer screen, I was shocked this morning when I read about the Ubuntu Community Council’s request for Jonathan Riddell to step down from the Kubuntu Council. I knew that things have been rough lately and honestly there were some situations that Jonathan could have handled better, but I didn’t expect anything as drastic and sudden as this without seeing any warning signs.

Looking at the mails that Scott Kitterman posted sent by the Kubuntu Council, it seems like it’s been a surprise to KC as well.

I’m disappointed in the way the Ubuntu Community Council has handled this and I think the way they treated Jonathan is appalling, even taking into account that he could’ve communicated his grievances better. I’m also unconvinced that the Ubuntu Community Council is as beneficial to the Ubuntu community in its current form as it could be. The way it is structured and reports to the SABDFL means that it will always favour Canonical when there’s a conflict of interest. I brought this up with two different CC members last year who both provided shruggy answers in the vein of “Sorry, but we have a framework that’s set up on how we can work in here and there’s just so much we can do about it.” – they seem to fear the leadership too much to question it, and it’s a pity, because everyone makes mistakes.

This request to step down is probably going to sour the Ubuntu project’s relationship with Jonathan Riddell even more, which is especially sad because he’s one of the really good community guys left that keeps both the CoC and the original Ubuntu manifesto ethos in high regard while striving for technical excellence. On top of that, it seems like it may result in at least another such person leaving.

I hope that the CC also takes this opportunity to take a step back and re-evaluate its structure and purpose, instead of just shrugging it off with a corporate-sounding statement. I’d also urge them to retract their statement to Jonathan Riddell and attempt to find a more amicable solution.

Sociological ImagesThe Politics of Facial Hair

Recently we ran a graph showing the evolution of facial hair trends starting in 1842. It showed that about 90% of men wore facial hair in the late 1800s, but it was a trend that would slowly die. By 1972, when the research was published, almost as many were clean shaven.

So, why did facial hair fall out of fashion?

Sociologist Rebekah Herrick gives us a hypothesis. With Jeanette Mendez and Ben Pryor, she investigated the stereotypes associated with men’s facial hair and the consequences for U.S. politicians. Facial hair is rare among modern politicians. “Currently,” they noted, “fewer than five percent of the members of the U.S. Congress have beards or mustaches” and no president has sported facial hair since William Howard Taft left office in 1913, before women had the right to vote.

Using an experimental method, Herrick and her colleagues showed people photographs of similarly appearing politicians with and without facial hair, asking them how they felt about the men and their likely positions. They found that potential voters perceived men with facial hair to be more masculine and this was a double-edged sword. Higher ratings of masculinity were correlated with perceptions of competence, but also concerns that the politicians were less friendly to women and their concerns.

In other words, the more facial hair, the more people worry that a politician might be sexist:


In reality, facial hair has no relationship to a male politician’s voting record. They checked. The research suggests, though, that men in politics — maybe even all men — would be smart to pay attention to the stereotypes if they want to influence how others see them.

Thanks to my friend, Dmitriy T.C., for use of his face!

Lisa Wade is a professor of sociology at Occidental College and the co-author of Gender: Ideas, Interactions, Institutions. You can follow her on Twitter and Facebook.


CryptogramTerrorist Risks by City, According to Actual Data

I don't know enough about the methodology to judge it, but it's interesting:

In total, 64 cities are categorised as 'extreme risk' in Verisk Maplecroft's new Global Alerts Dashboard (GAD), an online mapping and data portal that logs and analyses every reported terrorism incident down to levels of 100m² worldwide. Based on the intensity and frequency of attacks in the 12 months following February 2014, combined with the number and severity of incidents in the previous five years, six cities in Iraq top the ranking. Over this period, the country's capital, Baghdad, suffered 380 terrorist attacks resulting in 1141 deaths and 3654 wounded, making it the world's highest risk urban centre, followed by Mosul, Al Ramadi, Ba'qubah, Kirkuk and Al Hillah.

Outside of Iraq, other capital cities rated 'extreme risk' include Kabul, Afghanistan (13th most at risk), Mogadishu, Somalia (14th), Sana'a, Yemen (19th) and Tripoli, Libya (48th). However, with investment limited in conflict and post-conflict locations, it is the risk posed by terrorism in the primary cities of strategic economies, such as Egypt, Israel, Kenya, Nigeria and Pakistan that has the potential to threaten business and supply chain continuity.

A news article:

According to the index, which ranks world cities by the likelihood of a terror attack based on historic trends, 64 cities around the world are at "extreme risk" of a terror attack.

Of these, the majority are in the Middle East (27) or Asia (19).
Some 14 are in Africa, where the rise of Boko Haram and al-Shabaab as well as political instability have increased risk.

Three are in Europe -- Luhansk (46) and Donetsk (56) in Ukraine, and Grozny (54) in Russia -- while Colombia's Cali (59) is the only South American city on the list.

No US city makes the list.

Planet DebianDirk Eddelbuettel: drat 0.0.4: Yet more features and documentation

A new version, now at 0.0.4, of the drat package arrived on CRAN yesterday. Its name stands for drat R Archive Template, and it helps with easy-to-create and easy-to-use repositories for R packages, and is finding increasing use by other projects.

Version 0.0.4 brings both new code and more documentation:

  • support for binary repos on Windows and OS X thanks to Jan Schulz;
  • new (still raw) helper functions initRepo() to create a git-based repository, and pruneRepo() to remove older versions of packages;
  • the insertRepo() function now uses tryCatch() around git commands (with thanks to Carl Boettiger);
  • when adding a file to a drat repo we ensure that the repo path does not contain spaces (with thanks to Stefan Bache);
  • stress that file-based repos need a URL of the form file:/some/path with one colon but not two slashes (also thanks to Stefan Bache);
  • new Using Drat with Travis CI vignette thanks to Colin Gillespie;
  • new Drat FAQ vignette;
  • other fixes and extensions.

Courtesy of CRANberries, there is a comparison to the previous release. More detailed information is on the drat page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Worse Than FailureCodeSOD: Reversing the String, Belaboring the Point


The position had sat open for months now; the department was straining under the load of too many projects and too few developers, but the pool of candidates was rapidly shrinking. So when Cindy found a resume that looked halfway decent, she immediately recommended tossing them a programming test and scheduling an interview.

The phone screen is a bit superfluous given fifteen years' experience, she thought. We'll just use a quick test and get to the good part.

The test was simple enough: reverse a string, in your language of choice. They were hiring iOS developers, so the candidate was wise enough to choose Objective-C, usually a great choice to demonstrate that you won't need much training on the job.

However, generally, you ought to actually be good at the language in question...

	const char *cVersionOfOriginalString = [originalString cStringUsingEncoding:NSUTF8StringEncoding];
	/* length counts UTF-16 code units, not UTF-8 bytes, so this buffer is sized for ASCII only */
	char *cVersionOfReversedString = malloc((originalString.length + 1) * sizeof(char));
	/* The only pointer to the allocation is moved to its last byte; the block is never freed */
	cVersionOfReversedString = &cVersionOfReversedString[originalString.length];
	*cVersionOfReversedString = '\0';
	char *simpleChar = (char *)&cVersionOfOriginalString[0];
	while (*simpleChar != '\0') {
		/* Walk backwards through the buffer, depositing the next original byte */
		*--cVersionOfReversedString = *simpleChar++;
	}
	NSString *reversedString = [NSString stringWithCString:(cVersionOfReversedString + 1) encoding:NSUTF8StringEncoding];

	return reversedString;

Creating a pointer to the last byte of a c-string and walking backwards, depositing characters from the original string as you go, may win some points for creativity, but it's definitely not code you want to see in your iPad app. With a heavy heart, Cindy emailed HR to reject the application. Maybe the guy who barely spoke English deserves another chance...


Planet Linux AustraliaBrendan Scott: brendanscott

Youtube has done wonders for lots of people, but frankly, my reaction to the vast majority of videos is that they are largely or wholly content free.  Those cases where a visual demonstration actually assists are exceedingly slim (some digital illustration videos for example, but even those don’t necessarily show you what you want). Watching videos of ostensibly informative topics is an exercise in entertainment and almost always a waste of my time.  If you have a transcript at least you can jump around to see if it’s got the info you’re looking for. With videos even if you jump around, you’re still pulling down info at the rate they speak (ie slowly). Next time you watch a documentary count the average number of words spoken in a minute. It’s ridiculously low.

It’s something of a farce that for my CLE requirements I can listen to some 5 year out “senior associate” um and arr through some talk at a firm or do some facile online tutorial (are there other kinds?) and get an hour’s credit, but if I read an entire book by an expert in the area or research the cases myself I get exactly 0 points.

Planet DebianMatthew Garrett: This is not the UEFI backdoor you are looking for

This is currently the top story on the Linux subreddit. It links to this Tweet which demonstrates using a System Management Mode backdoor to perform privilege escalation under Linux. This is not a story.

But first, some background. System Management Mode (SMM) is a feature in most x86 processors since the 386SL back in 1990. It allows for certain events to cause the CPU to stop executing the OS, jump to an area of hidden RAM and execute code there instead, and then hand off back to the OS without the OS knowing what just happened. This allows you to do things like hardware emulation (SMM is used to make USB keyboards look like PS/2 keyboards before the OS loads a USB driver), fan control (SMM will run even if the OS has crashed and lets you avoid the cost of an additional chip to turn the fan on and off) or even more complicated power management (some server vendors use SMM to read performance counters in the CPU and adjust the memory and CPU clocks without the OS interfering).

In summary, SMM is a way to run a bunch of non-free code that probably does a worse job than your OS does in most cases, but is occasionally helpful (it's how your laptop prevents random userspace from overwriting your firmware, for instance). And since the RAM that contains the SMM code is hidden from the OS, there's no way to audit what it does. Unsurprisingly, it's an interesting vector to insert malware into - you could configure it so that a process can trigger SMM and then have the resulting SMM code find that process's credentials structure and change it so it's running as root.

And that's what Dmytro has done - he's written code that sits in that hidden area of RAM and can be triggered to modify the state of the running OS. But he's modified his own firmware in order to do that, which isn't something that's possible without finding an existing vulnerability in either the OS or (or more recently, and) the firmware. It's an excellent demonstration that what we knew to be theoretically possible is practically possible, but it's not evidence of such a backdoor being widely deployed.

What would that evidence look like? It's more difficult to analyse binary code than source, but it would still be possible to trace firmware to observe everything that's dropped into the SMM RAM area and pull it apart. Sufficiently subtle backdoors would still be hard to find, but enough effort would probably uncover them. A PC motherboard vendor managed to leave the source code to their firmware on an open FTP server and copies leaked into the wild - if there's a ubiquitous backdoor, we'd expect to see it there.

But still, the fact that system firmware is almost entirely closed remains a problem for engendering trust - the means to inspect large quantities of binary code for vulnerabilities are still beyond the vast majority of skilled developers, let alone the average user. Free firmware such as Coreboot gets part way to solving this but still doesn't solve the case of the pre-flashed firmware being backdoored and then installing the backdoor into any new firmware you flash.

This specific case may be based on a misunderstanding of Dmytro's work, but figuring out ways to make it easier for users to trust that their firmware is tamper free is going to be increasingly important over the next few years. I have some ideas in that area and I hope to have them working in the near future.



LongNowThe Artangel Longplayer Letters: John Burnside writes to Manuel Arriaga

In April, Carne Ross wrote a letter to John Burnside as part of the Artangel Longplayer Letters series. The series is a relay-style correspondence: The first letter was written by Brian Eno to Nassim Taleb. Nassim Taleb then wrote to Stewart Brand, and Stewart wrote to Esther Dyson, who wrote to Carne Ross, who wrote to John Burnside. John’s response is now addressed to Manuel Arriaga, a writer & professor who studies Political Science, who will respond with a letter to a recipient of his choosing.

The discussion thus far has focused on the extent and ways government and technology can foster long-term thinking. You can find the previous correspondences here.

From: John Burnside, Berlin
To: Manuel Arriaga, New York
7 April 2015

Dear Manuel,

When Carne Ross posted his letter in this series to me, I was just re-reading your marvellous, thoughtful, inspiring book, Rebooting Democracy: A Citizen’s Guide to Reinventing Politics. For some time now, Carne and I have been discussing the question of how we might move from so-called ‘representative democracy’ (which, in our time, is highly unrepresentative and far from democratic) towards, not so much a fairer model, but the only possible political model that could be considered just. For my entire adult life, I have used the terms ‘anarchy’ and ‘anarchism’ when referring to that model, and I have considered myself an ‘anarchist’, but for mainly historical reasons, Carne and I (and many others) have debated whether or not this is still a useful appellation when it is used in dialogue with a broad community for whom the word anarchist has been tarred and very thoroughly feathered with a whole series of deliberately misleading associations with everything from bombs to bad hygiene. I will come back to this semantic problem later, but first I’d like to say a little in response to Carne’s letter.

“We are bidden to consider the future,” he says – though how immediate, and what manner of future this might be has varied across the letters in this series. Carne thought it worthwhile to fantasise about an ideal in his letter, a world in which all people would be well fed, well housed, healthy, free to die as they chose, but until that time would live in peace, free of hatred and resentment. Then, given these basics, we would all be able to pursue the expression and enactment of art, love, pleasure – in short, a rich and diverse culture. He continues by saying that he feels sad and a little desperate, at times, when he sees how far our own, ostensibly rich society stands from that ideal, though he finds grounds for hope in the ways that some groups and individuals have tried to build real democracy and economic models that would not only reward and enrich all those involved in production, but also produce better quality goods and services.

If I was asked to propose an ideal world, I suspect I would not depart very much from the vision Carne outlines. What I want to do in this letter, though, is to propose an outline model of governance that might bring us closer to that ideal and, to do so, I have to take issue with my friend’s note: “I have long doubted the idea of living in harmony with heartless, brutal nature”, not because I think ‘nature’ is kindly, or human oriented, (as James P. Carse says, in Finite and Infinite Games, “Nature offers no home”) but because I believe that careful observation of natural actions and patterns is the basis of true anarchism.

It appears that there are – in the broadest terms – three ways in which human societies are governed: one, by force, that is, by sheer weight of money, physical prowess or numbers, ‘traditional’ privileges and superstition; two, by an ideology of some kind (this includes religions, of course, and even where it does not, it is always enforced by a priestly elite of some kind; I would include ‘community’, so called, i.e. in its usual forms in capitalist societies, as an ideology here, as communities all too rapidly become hierarchical in such a society); three, by representative democracy. What anarchism proposes is, first, a critique of all the above and, second, a means by which the ideal model of self-governance can be brought about. In this model, the group, guided by certain principles, (drawn from nature), spontaneously arrives at decisions and acts to promote the greatest possible good, not just for that group, or for humankind, but for the land, the waters, the skies, the other creatures with whom we live and the creatures of all species yet unborn. The word ‘spontaneously’ is important here: anarchism is closely allied to emergence as a natural, organic model of order and, in its most achieved form, an anarchic society (or individual) does not think, then do, it simply is, responding to circumstances spontaneously, and only where necessary. (I’d note in passing, however, that it takes years of practice and discipline to become spontaneous.)

No doubt this really will sound like an ideal, perhaps an impossible one. But does it need to be possible? As it works on the individual level, then so might it work for the group and it is clear that when, as individuals, we pursue the discipline of spontaneity, responsiveness to natural order and avoidance of action for its own sake (Taoists call this wu-wei) certain principles emerge. By principles, I mean something different from the bases of ideology in that an ideology is a set of beliefs, whereas a principle is founded in observation of how things work in the world around us. Observations about the basic ground of being: place, time, matter, the elements, other creatures and – by your leave for now, and not seeking at all to get mystical – whatever we think of as ‘the angels’. There are two kinds of principles: universal and temporal; the universal are based on universal conditions such as the conservation of energy, the understanding that any action causes an equal and opposite (or complementary) action, that is central not just to Newton, but also to the Dialectic and Chinese wuji philosophy, (yin and yang in constant play as the whole tends towards an ever shifting, greater or lesser equilibrium). As I say, I don’t wish to be mystical here – and in fact, Taoist thought eschews mysticism by saying that we cannot know, or even name the ‘way’ that governs things; we can, however, see it in action, constantly, by carefully observing the world around us. For centuries now, human observers – supposedly ‘objective’ ones included – have imposed our own, often fantasised values and patterns on the world – that bee colonies are hierarchical, governed by a ‘queen’ for example – instead of paying attention to things as they are. Tao Te Ching and other Chinese classics show us that, if we can only observe with detachment, we will see that the natural world is spontaneous, emergent and self ordering.
When we apply force to get what we want, that force is eventually cancelled out and we lose what we gained and more. When we cling to passing ideas, possessions or conditions, we lose everything. This is important, politically: when we observe the real world, we begin to see that what we have been persuaded to think of as necessary power structures are neither natural nor necessary at all, and in fact, because they are susceptible to attachment, excess and imbalance, are the most susceptible to corruption.

These principles are shared by an-archism which acknowledges the need for order but refuses to accept an imposed order. Instead, anarchists, like Taoists and true students of the Dialectic, suggest that, if we would only wake up and pay attention, we would see that order is steadily and spontaneously emergent, and we can shape human activities, including self-governance, to that order. Then, by observing nature, we see how emergent order happens and so let go of the temptations that plague us: to force the issue, to push our theses with no regard for their antitheses, to assume power. As I said, the word anarchism has been besmirched, as we know, by the powers that be. Time to abandon it? Paul Feyerabend seemed to think so, calling himself a ‘Dadaist’ instead, and he is only one of many who feel that, by using the term anarchism, we risk being dragged off into pointless side arguments that add nothing to the central debate about self-governance. As it happens, I think Dadaist carries its own baggage but, semantics aside, I fear we may be in danger of throwing the baby out with the bathwater.

I have gone on long enough, but I do want to throw in some random final thoughts for your consideration. Why I do so is this: having admired Rebooting Democracy, and while I feel it has much to offer the debate, I wonder if we can really reach a state of real, just self-governance (which would have to be universal to be truly just; it would also have to hold to the central principle of respect for organic order above all things) by working with the present system? You are right, I think, to trust to the intelligence and goodwill of informed citizens and community groups – but I think we are far from having an informed citizenry, other than in pockets here and there (something Carne also seemed to be pointing to in his letter). Can we tinker with this vile system and so fix it? Or do we need to find principles that will help guide capitalist-consumer society out of its attachments to comfort and relative power?

I hope my saying this will not lead you to see me as one of those you so rightly criticise in Rebooting Democracy for thinking that “the people” are too dumb, or too selfish, to govern themselves. I certainly agree that this is not so, and I also would vehemently support the notion that nobody else should govern us. However, having seen, even in my own lifetime, a history of massive environmental degradation, I feel that many of us will need time to recover from the assumptions, lifestyle and comforts of a Big Capitalist-Big Consumer society. Some of us will need time to overcome our desire for unnecessary goods, services and ‘developments’; others, though, will need time to shift away from an ideology that, having started out to look for alternatives to the Big CCs, have all too often compromised, or even strayed into the enemy’s ranks. Not long ago, for instance, I asked the opinion of a fairly well known nature writer about the proposed erection of wind turbines on an estuary famed for its birdlife; the response was “sacrifices have to be made.” I have had similar responses from people who should know better, when protesting wind turbine developments on Shetland (103 turbines on precious peatland) and in Scotland’s flow country. Fossil fuels bad, any renewable anywhere good, is the slogan, Animal Farm style. But all common sense and fidelity to natural principles cries out that it is a ridiculous and tragic policy to destroy peatland (which sequesters carbon, amongst other things) and raise massive structures within shouting distance of rare bird colonies. If you want them, put them elsewhere – and if you are as green as you claim to be, defend the birds, the land and the future from all inappropriate developments and not just some.

I am reminded, often, of the conclusion to David Owen’s book, The Conundrum. He says:

It’s easy for wealthy people to look busy on energy, climate, and the environment: all we have to do is drive a hybrid, eat local food (while granting ourselves exemptions for anything we like to eat that doesn’t grow where we live), remember to unplug our cell-phone chargers, and divide our trash into two piles. What’s proven impossible, at least so far, is to commit to taking steps that would actually make a large, permanent difference on a global scale. Do we honestly care? That’s the conundrum.

I feel the same could be said about other things, including justice, prosperity and self-governance – if I have these things, do I really care if others have them? The paradox is that if others are not free, then neither am I. What freedom I think I have is short term, and mostly illusory.

By observing natural principles – and by, most importantly, placing deep ecology principles at the heart of all our governance – we may make it to a genuinely self-governing world. First, though, we have to learn how the world really works. We have the key texts, images and narratives to help us do so, from the Tao Te Ching to the work of Félix Guattari, André Gorz, Aldo Leopold and many others – I hope I have not suggested at any time that anything I am saying here is original – what we must do is formulate, abide by and, where necessary, uphold those principles. The central one, for the moment, must be that, where sacrifices must be made, we in Big CC land must be the ones making them. As we do, we will begin to recover from our sickness, and at the same time, exert less pressure on other societies and the natural world. But the principles are key to that shift. I’ll close with some advice from Ruskin, who may have been talking about art, but was also talking about how to live well:

go to nature in all singleness of heart, and walk with her laboriously and trustingly, having no other thoughts but how best to penetrate her meaning, and remembering her instruction; rejecting nothing, selecting nothing, and scorning nothing.

Over to you, my friend,


John Burnside is a novelist, short story writer and poet. His poetry collection, Black Cat Bone, won both the Forward and the T.S. Eliot Prizes in 2011, a year in which he also received the Petrarch Prize for Poetry. He has twice won the Saltire Scottish Book of the Year award (in 2006 and 2013). His memoir A Lie About My Father won the Madeleine Zepter Prize (France) and a CORINE Belletristikpreis des ZEIT Verlags Prize (Germany); his story collection, Something Like Happy, received the 2014 Edge Hill Prize. His work has been translated into French, German, Spanish, Italian, Turkish and Chinese. He writes a monthly nature column for The New Statesman and is a regular contributor to The London Review of Books.

Manuel Arriaga is a visiting research professor at New York University and a fellow at the University of Cambridge. In 2014, he published Rebooting Democracy: A Citizen’s Guide to Reinventing Politics, which, by the end of the same year, had become the #1 best-selling book on democracy on Amazon UK. He is currently working on a film project on democratic innovations. More information about his work can be found at

Krebs on SecurityIRS: Crooks Stole Data on 100K Taxpayers Via ‘Get Transcript’ Feature

In March 2015, KrebsOnSecurity broke the news that identity thieves engaged in filing fraudulent tax refund requests with the Internal Revenue Service (IRS) were using the IRS’s own Web site to obtain taxpayer data needed to complete the phony requests. Today, IRS Commissioner John Koskinen acknowledged that crooks used this feature to pull sensitive data on more than 100,000 taxpayers this year.

That March story — Sign Up at Before Crooks Do It For You — tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Koskinen was quoted today in an Associated Press story saying the IRS was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The story noted that the IRS said they targeted the system from February to mid-May, and that the service has been temporarily shut down. Prior to that shutdown, the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.

“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the IRS said in a statement. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”


The Government Accountability Office (GAO) estimates that thieves stole nearly $6 billion from state and federal coffers last year via tax refund fraud. This year, fraudsters changed their tactics, leading to a huge spike in attempted fraudulent refund requests — particularly at the state level.

Earlier this week, I had an opportunity to interview John Valentine, chair of the Utah State Tax Commission. Valentine said this year his state saw a tenfold increase in suspicious tax refund filings, and that most of that increase was the result of a type of tax fraud the state had never seen before.

“This was unique, where someone clearly had the information from the prior year’s tax return,” Valentine said. “That differs significantly from the way the return comes across if it’s just ID theft. If you have the prior year’s return, you have the names of children, their Social Security numbers and other data you don’t often times get with ID theft.”

“These suspicious returns all had the filing status exactly the same [as the year prior], the number of exemptions exactly the same….you even got spelling errors on addresses and names, so that the same errors that occurred in the 2013 return occurred in the fraudulent 2014 return,” Valentine explained. “That’s what told us we were dealing with a different kind of fraud, especially since the extent of the fraud was ten times the amount of fraud we’d seen in the past.”

Valentine said he believes most of that increase was due to lax authentication and security at third-party tax preparation firms (TurboTax, for example). Based on numerous stories about poor authentication and virtually nonexistent “know-your-customer” procedures at TurboTax, I’ve no doubt the nation’s leading tax preparation firm contributed considerably to the spike. But that same data that Valentine references also could be had by pulling taxpayer data from the IRS’s site, which until very recently offered the full previous year’s W2 information on taxpayers.

Stay tuned over the next week for more in-depth stories and interviews about how the states are grappling with tax return fraud, and the changes they are seeking to the status quo.

CryptogramRace Condition Exploit in Starbucks Gift Cards

A researcher was able to steal money from Starbucks by exploiting a race condition in their gift-card value-transfer protocol. Basically, by initiating two identical web transfers at once, he was able to trick the system into recording them both. Normally, you could take a $5 gift card and move that money to another $5 gift card, leaving you with an empty gift card and a $10 gift card. He was able to duplicate the transfer, giving him an empty gift card and a $15 gift card.

Race-condition attacks are unreliable and it took him a bunch of tries to get it right, but there's no reason to believe that he couldn't have kept doing this forever.
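The bug class described above, as an added example that is neither Starbucks' code nor Homakov's: a constructed in-memory card ledger whose transfer does a read, a check and a write as three separate steps, beside a version that makes the check and the update one atomic operation. The barrier is only there to force the two requests to interleave at the worst point so the outcome is deterministic; in a real service the equivalent fix is a database transaction with a row lock, or a single conditional update such as `UPDATE ... SET balance = balance - ? WHERE balance >= ?`, with an idempotency key per transfer request so a retried or duplicated request cannot be applied twice.

```python
"""Race condition in a gift-card value transfer, and the fix.

Added example: not the Starbucks system or Homakov's code. The ledger, the
amounts and the interleaving are constructed so the bug shows deterministically.
"""
import threading


class CardStore:
    """Toy gift-card ledger: card id -> balance in cents."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer_unsafe(self, src, dst, amount, pause=None):
        """Vulnerable: read, check and write are three separate steps.

        `pause` (a threading.Barrier) is purely a test aid: it holds every
        request after the check so that all of them proceed on the same stale
        source balance, which is exactly the interleaving a race exploits.
        """
        src_balance = self.balances[src]            # 1. read
        if src_balance < amount:                    # 2. check
            return False
        if pause is not None:
            pause.wait()
        self.balances[src] = src_balance - amount   # 3. write a precomputed value
        with self._lock:                            # credit side is an atomic increment
            self.balances[dst] += amount            # (like UPDATE ... balance = balance + ?)
        return True

    def transfer_safe(self, src, dst, amount, pause=None):
        """Fixed: check and both updates happen under one lock, so the second
        identical request sees the already debited balance and is refused.
        A database would use a transaction with SELECT ... FOR UPDATE, or a
        single conditional UPDATE ... WHERE balance >= amount."""
        if pause is not None:
            pause.wait()                            # requests still arrive together ...
        with self._lock:                            # ... but are serialised here
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def run_concurrently(store, method, src, dst, amount, n=2):
    """Fire `n` identical transfer requests at once; return (results, final balances)."""
    barrier = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = method(src, dst, amount, pause=barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, dict(store.balances)


def total_value(balances):
    """Money in the system; a correct ledger keeps this constant across transfers."""
    return sum(balances.values())


if __name__ == "__main__":
    for label, method_name in (("unsafe", "transfer_unsafe"), ("safe", "transfer_safe")):
        store = CardStore({"card-A": 500, "card-B": 500})      # two $5 cards
        results, final = run_concurrently(store, getattr(store, method_name),
                                          "card-A", "card-B", 500)
        print(label, results, final, "total:", total_value(final))
```

With the unsafe method both requests succeed and the ledger ends with $0 and $15, the outcome the article describes; with the safe one the second request is refused and total value stays at $10. The invariant worth monitoring in production is `total_value`: money appearing from nowhere is the detection signal for this whole bug class.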

Unfortunately, there was really no one at Starbucks he could tell this to:

The hardest part -- responsible disclosure. Support guy honestly answered there's absolutely no way to get in touch with technical department and he's sorry I feel this way. Emailing on March 23 was futile (and it only was answered on Apr 29). After trying really hard to find anyone who cares, I managed to get this bug fixed in like 10 days.

The unpleasant part is a guy from Starbucks calling me with nothing like "thanks" but mentioning "fraud" and "malicious actions" instead. Sweet!

A little more from BBC News:

A spokeswoman for Starbucks told BBC News: "After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication."

The company did not answer questions about its response to Mr Homakov.

More info.

Geek FeminismFrom the Mixed-up Files of Mrs Basil E. Linkspam (26 May 2015)

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Planet DebianLisandro Damián Nicanor Pérez Meyer: The last planned Qt 4 release is here: Qt 4.8.7. Is your app running with Qt5?

Qt 4.8.7 has been released today. Quoting from the blog post (emphasis is mine):

Many users have already moved their active projects to Qt 5 and we encourage also others to do so. With a high degree of source compatibility, we have ensured that switching to Qt 5 is smooth and straightforward. It should be noted that Qt 4.8.7 provides only the basic functionality to run Qt based applications on Mac OS X 10.10, full support is in Qt 5.

Qt 4.8.7 is planned to be the last patch release of the Qt 4 series. Standard support is available until December 2015, after which extended support will be available. We recommend all active projects to migrate to Qt 5, as new operating systems and compilers with Qt 4.8 will not be supported. If you have challenges migrating to Qt 5, please contact us or some of our service partners for assistance.

Have you started to port your project?

Sociological ImagesThe Unbearable Daintiness of Women Who Eat with Men

A substantial body of literature suggests that women change what they eat when they eat with men. Specifically, women opt for smaller amounts and lower-calorie foods associated with femininity. So, some scholars argue that women change what they eat to appear more feminine when dining with male companions.

For my senior thesis, I explored whether women change the way they eat  alongside what they eat when dining with a male vs. female companion. To examine this phenomenon, I conducted 42 hours of non-participant observation in two four-star American restaurants in a large west coast city in the United States. I observed the eating behaviors of 76 Euro-American women (37 dining with a male companion and 39 dining with a female companion) aged approximately 18 to 40 to identify differences in their eating behaviors.

I found that women did change the way they ate depending on the gender of their dining companion. Overall, when dining with a male companion, women typically constructed their bites carefully, took small bites, ate slowly, used their napkins precisely and frequently, and maintained good posture and limited body movement throughout their meals. In contrast, women dining with a female companion generally constructed their bites more haphazardly, took larger bites, used their napkins more loosely and sparingly, and moved their bodies more throughout their meals.

On the size of bites, here’s an excerpt from my field notes:

Though her plate is filled, each bite she labors onto her fork barely fills the utensil. Perhaps she’s getting full because each bite seems smaller than the last… and still she’s taking tiny bites. Somehow she has made a single vegetable last for more than five bites.

I also observed many women who were about to take a large bite but stopped themselves. Another excerpt:

She spreads a cracker generously and brings it to her mouth. Then she pauses for a moment as though she’s sizing up the cracker to decide if she can manage it in one bite. After thinking for a minute, she bites off half and gently places the rest of the cracker back down on her individual plate.

Stopping to reconstruct large bites into smaller ones is a feminine eating behavior that implies a conscious monitoring of bite size. It indicates that women may deliberately change their behavior to appear more feminine.

I also observed changes in the ways women used their napkins when dining with a male vs. female companion. When their companion was a man, women used their napkins more precisely and frequently than when their companion was another woman. In some cases, the woman would fold her napkin into fourths before using it so that she could press the straight edge of the napkin to the corners of her mouth. Other times, the woman would wrap the napkin around her finger to create a point, then dab it across her mouth or use the point to press into the corners of her mouth. Women who used their napkins precisely also tended to use them quite frequently:

Using her napkin to dab the edges of her mouth – finger in it to make a tiny point, she is using her napkin constantly… using the point of the napkin to specifically dab each corner of her mouth. She is using the napkin again even though she has not taken a single bite since the last time she used it… using napkin after literally every bite as if she is constantly scared she has food on her mouth. Using and refolding her napkin every two minutes, always dabbing the corners of her mouth lightly.

In contrast, women dining with a female companion generally used their napkins more loosely and sparingly. These women did not carefully designate a specific area of the napkin to use, and instead bunched up a portion of it in one hand and rubbed the napkin across their mouths indiscriminately.

Each of the behaviors observed more frequently among women dining with a male companion versus a female one was stereotypically feminine. Many of the behaviors that emerged as significant among women dining with a female companion, on the other hand, are considered non-feminine, i.e. behaviors that women are instructed to avoid. Behavioral differences between the two groups of women suggest two things. First, women eat in a manner more consistent with normative femininity when in the presence of a male versus a female companion. And, second, gender is something that people perform when cued to do so, not necessarily something people internalize and express all the time.


Planet DebianLunar: Reproducible builds: week 4 in Stretch cycle

What happened about the reproducible builds effort for this week:

Toolchain fixes

Lunar rebased our custom dpkg on the new release, removing a now unneeded patch identified by Guillem Jover. An extra sort in the buildinfo generator prevented a stable order and was quickly fixed once identified.

Mattia Rizzolo also rebased our custom debhelper on the latest release.

Packages fixed

The following 30 packages became reproducible due to changes in their build dependencies: animal-sniffer, asciidoctor, autodock-vina, camping, cookie-monster, downthemall, flashblock, gamera, httpcomponents-core, https-finder, icedove-l10n, istack-commons, jdeb, libmodule-build-perl, libur-perl, livehttpheaders, maven-dependency-plugin, maven-ejb-plugin, mozilla-noscript, nosquint, requestpolicy, ruby-benchmark-ips, ruby-benchmark-suite, ruby-expression-parser, ruby-github-markup, ruby-http-connection, ruby-settingslogic, ruby-uuidtools, webkit2gtk, wot.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which did not make their way to the archive yet:

  • #775531 on console-setup by Reiner Herrmann: update and split patch written in January.
  • #785535 on maradns by Reiner Herrmann: use latest entry in debian/changelog as build date.
  • #785549 on dist by Reiner Herrmann: set hostname and domainname to predefined value.
  • #785583 on s5 by Juan Picca: set timezone to UTC when unzipping files.
  • #785617 on python-carrot by Juan Picca: use latest entry in debian/changelog as documentation build date.
  • #785774 on afterstep by Juan Picca: modify documentation generator to allow a build date to be set instead of the current time, then use latest entry in debian/changelog as reference.
  • #786508 on ttyload by Juan Picca: remove timestamp from documentation.
  • #786568 on linux-minidisc by Lunar: use latest entry in debian/changelog as build date.
  • #786615 on kfreebsd-10 by Steven Chamberlain: make order of file in source tarballs stable.
  • #786633 on webkit2pdf by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
  • #786634 on libxray-scattering-perl by Reiner Herrmann: tell Storable::nstore to produce sorted output.
  • #786637 on nvidia-settings by Lunar: define `DATE`, `WHOAMI`, and `HOSTNAME_CMD` to stable values.
  • #786710 on armada-backlight by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
  • #786711 on leafpad by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
  • #786714 on equivs by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.

Also, the following bugs have been reported:

  • #785536 on maradns by Reiner Herrmann: unreproducible deadwood binary.
  • #785624 on doxygen by Christoph Berg: timestamps in manpages generated makes builds non-reproducible.
  • #785736 on git-annex by Daniel Kahn Gillmor: documentation should be made reproducible.
  • #786593 on wordwarvi by Holger Levsen: please provide a --distrobuild build switch.
  • #786601 on sbcl by Holger Levsen: FTBFS when locales-all is installed instead of locales.
  • #786669 on ruby-celluloid by Holger Levsen: tests sometimes fail, causing ftbfs sometimes.
  • #786743 on obnam by Holger Levsen: FTBFS.

Holger Levsen made several small bug fixes and a few more visible changes:

  • For packages in testing, comparisons will be done using the sid version of debbindiff.
  • The scheduler will now schedule old packages from sid twice as often as the ones in testing, as we care more about the former at the moment.
  • More statistics are now visible and the layout has been improved.
  • Variations between the first and second build are now explained on the statistics page.


Version 0.007-1 of strip-nondeterminism—the tool to post-process various file formats to normalize them—has been uploaded by Holger Levsen. Version 0.006-1 was already in the reproducible repository; the new version mainly improves the detection of Maven's files.
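Two of the fixes in the patch list above, using the newest debian/changelog entry as the build date and making the order of files in tarballs stable, together with the kind of normalisation strip-nondeterminism performs after the fact, as an added example (not the reproducible-builds project's own tooling): a constructed changelog, a function that turns its first trailer line into a UNIX timestamp, and a tar writer that sorts entries and fixes mtime, owner and mode so that two builds of the same content hash identically. In a real Debian package the date would come from dpkg-parsechangelog rather than a regular expression; the package name and changelog text here are made up.

```python
"""Reproducible-build helpers: a fixed timestamp from debian/changelog and a
tarball whose bytes depend only on its content.

Added example, not the reproducible-builds project's tooling. The package
name and changelog text are constructed.
"""
import hashlib
import io
import re
import tarfile
from email.utils import parsedate_to_datetime

SAMPLE_CHANGELOG = """\
example-pkg (1.2-3) unstable; urgency=medium

  * Use the changelog date instead of the current time in the docs.

 -- Jane Maintainer <jane@example.org>  Tue, 26 May 2015 10:15:00 +0200

example-pkg (1.2-2) unstable; urgency=medium

  * Previous upload.

 -- Jane Maintainer <jane@example.org>  Mon, 04 May 2015 09:00:00 +0200
"""

# A changelog entry ends with " -- Name <email>  RFC 2822 date" (two spaces before the date).
_TRAILER = re.compile(r"^ -- .*?  (?P<date>.+)$", re.MULTILINE)


def changelog_epoch(text):
    """UNIX timestamp of the newest entry (the first trailer line in the file)."""
    m = _TRAILER.search(text)
    if m is None:
        raise ValueError("no changelog trailer found")
    return int(parsedate_to_datetime(m.group("date")).timestamp())


def build_reproducible_tar(files, mtime):
    """Tar archive of {name: bytes} that is byte-identical across builds:
    entries in sorted name order, fixed mtime, owner and mode, plain ustar
    headers (no pax extension records carrying build-specific values)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):                  # never readdir or dict order
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def builds_match():
    """Two builds of the same content, handed over in different order, hash the same."""
    epoch = changelog_epoch(SAMPLE_CHANGELOG)
    files_a = {"README": b"hello\n", "bin/tool": b"#!/bin/sh\necho hi\n"}
    files_b = dict(reversed(list(files_a.items())))
    return (sha256_hex(build_reproducible_tar(files_a, epoch))
            == sha256_hex(build_reproducible_tar(files_b, epoch)))


if __name__ == "__main__":
    print("build date:", changelog_epoch(SAMPLE_CHANGELOG))
    print("identical builds:", builds_match())
```

The check that matters is the one in `builds_match`: feed the same inputs in a different order (or on a different day) and compare digests. Any field that still differs between the two archives is a source of non-determinism to be pinned, which is the same diagnosis debbindiff produces on real packages.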

debbindiff development

At the request of Emmanuel Bourg, Reiner Herrmann added a comparator for Java .class files.

Documentation update

Christoph Berg created a new page for the timestamps in manpages created by Doxygen.

Package reviews

93 obsolete reviews have been removed, 76 added and 43 updated this week.

New identified issues: timestamps in manpages generated by Doxygen, modification time differences in files extracted by unzip, tstamp task used in Ant build.xml, timestamps in documentation generated by ASDocGen. The description for build id related issues has been clarified.


Holger Levsen announced a first meeting on Wednesday, June 3rd, 2015, 19:00 UTC. The agenda is amendable on the wiki.


Lunar worked on a proof-of-concept script to import the build environment found in .buildinfo files to UDD. Lucas Nussbaum has positively reviewed the proposed schema.

Holger Levsen cleaned up various experimental toolchain repositories, marking merged branches as such.

Planet Linux AustraliaJames Purser: So Bill is going to bring a Bill

So Bill Shorten has announced that he and the Deputy Leader of the Opposition, Tanya Plibersec will be putting a bill to the house to allow Same Sex Marriage.

Honestly I'm torn.

The cynical part of me thinks the whole thing is an exercise in futility. Unless the Coalition allows a free vote amongst its members the bill is doomed to die in the House of Reps. If I was going to be really cynical I'd think this was an attempt to take the wind out of the sails of the greens who were proposing a similar bill to start in the Senate.

On the other hand, this is probably the first sign I've seen of Shorten actually stepping forward on an issue that hasn't been focus grouped to death. SSM doesn't have universal support within the Labor party (hi Joe deBruyn you reactionary old fart), and by putting his name directly on the bill Shorten is showing some leadership at last.

If you support Same Sex marriage, or as it's known in other parts of the world, Marriage, I'd urge you to let your local MP know how you feel. Do it politely, do it succinctly but make sure you do it. 

If you want to find out if your local MP or Senator supports or opposes SSM this site is a great resource


Worse Than FailureTake A Bold

RTFM coffee mug

“Hello!” A perky voice chirped over Evan’s shoulder. “May I come in?”

It was unbearably early in the morning. Evan had yet to get into any sort of programming groove, and so swiveled away from his computer without difficulty. At the threshold of his cube waited a sunny young morning person he’d never seen before. Beside her rested a re-purposed overhead projector cart. Instead of AV equipment, it bore dozens of shiny new coffee mugs.

“Hi! My name’s Kelly.” Beaming, she stepped forward and offered the mug in her hands. “A little treat from the Marketing team! We’re celebrating the creation of a new recruitment bonus program!”

Bleary-eyed and far less enthusiastic, Evan took the proffered mug. Harsh fluorescent lighting glared off its glossy surface, which read:

Take A <b/>

“Cute, huh?” Kelly asked.

Evan managed a limpid half-smile, and nearly dropped the mug alongside the other glorified dust-magnets in his cubicle, before something made him do a double-take. “That’s the wrong tag.”

Kelly frowned in confusion. “What?”

“There’s a typo,” Evan said. “You wanted ‘Take A Break,’ right? That should be B-R-slash, not B-slash.” He pointed to the mug for emphasis. “Right now, it says ‘Take A Bold.’”

“Are you serious?” The smile vanished from Kelly’s face. Her eyes went wide.

“Yeah,” Evan said.



“Really?” Kelly bit her lip, but her eyes betrayed her mirth. “Oh my goodness. You have no idea how many meetings we had. This slogan got batted around everywhere, up down and sideways, and no one ever said anything about that!”

“How many developers were at those meetings?” Evan asked. The company offered hundreds to choose from.

“None. This was all within Marketing.” Kelly giggled freely. “This is everywhere! We’ve got posters, t-shirts, pens…!”

Evan joined in her laughter. “Of course. Printing promotional materials is our core business!”

“Don’t tell anyone else about this, OK? I’m kinda curious to see how long it goes before someone else brings it up.” Kelly returned to her cart and pushed it away, still red-faced and giggling. “Have a good one!”

Heh, typical. How often did Marketing ever vet anything with IT, or even think to? Evan couldn’t even think of any marketers or computer folk who had regular social contact with one another.

Well, maybe that’s about to change, he thought with another smirking look at his new mug. The two teams could bond over some nice coffee bolds.


CryptogramStink Bombs for Riot Control

They're coming to the US:

It's called Skunk, a type of "malodorant," or in plainer language, a foul-smelling liquid. Technically nontoxic but incredibly disgusting, it has been described as a cross between "dead animal and human excrement." Untreated, the smell lingers for weeks.

The Israeli Defense Forces developed Skunk in 2008 as a crowd-control weapon for use against Palestinians. Now Mistral, a company out of Bethesda, Md., says they are providing it to police departments in the United States.


The Israelis first used it in 2008 to disperse Palestinians protesting in the West Bank. A BBC video shows its first use in action, sprayed by a hose, a system that has come to be known as the "crap cannon."

Mistral reps say Skunk, once deployed, can be "neutralized" with a special soap ­ and only with that soap. In another BBC video, an IDF spokesman describes how any attempt to wash it via regular means only exacerbates its effects. Six weeks after IDF forces used it against Palestinians at a security barrier, it still lingered in the air.

Planet DebianRicardo Mones: Downgrading to stable

This weekend I had to downgrade my home desktop to stable thanks to a strange Xorg bug which I've been unable to identify among the current ones. Both the testing and sid versions seem affected, and all you can see after booting is this:

The system works fine otherwise and can be accessed via ssh, but restarting kdm doesn't fix it, it just changes the pattern. Anyway, as explaining to a toddler that he cannot watch his favourite youtube cartoons because the computer screen has suddenly become an abstract art work is not easy, I quickly decided to downgrade.

Downgrading went fine, using APT pinning to pin everything to stable and apt-get update/upgrade/dist-upgrade after that, but today I noticed libreoffice stopped working with this message:

Warning: failed to launch javaldx - java may not function correctly
/usr/lib/libreoffice/program/soffice.bin: error while loading shared libraries: cannot open shared object file: No such file or directory

All I found related to that is a post on forums, which didn't help much (neither the original poster nor me). But I then found that the library was not missing; it was installed:

# locate

But that directory was not part of any ldconfig conf file, hence the fix was easy:

# echo '/usr/lib/ure/lib' > /etc/
# ldconfig

And presto! libreoffice is working again :-)
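The two steps of the procedure above, as an added example that is not from the post: a POSIX sh helper that writes the APT pin (a Pin-Priority above 1000 is what lets apt downgrade an installed package to the pinned release) and a helper that registers a library directory with the dynamic linker without adding it twice. The pin file name, the conf file name libreoffice.conf and the third argument that skips running ldconfig are my assumptions; /usr/lib/ure/lib is the directory from the post. Try both against a scratch directory first, then with the real /etc paths as root.

```sh
#!/bin/sh
# Added example, not from the post. Paths are parameters so the helpers can be
# exercised against a scratch directory before touching /etc.

# Write an APT preferences stanza that pins every package to stable.
# Priority 1001 (> 1000) permits downgrades, so a following
# "apt-get update && apt-get dist-upgrade" moves testing/sid packages back.
write_stable_pin() {
    prefs_dir="${1:-/etc/apt/preferences.d}"
    pin_file="$prefs_dir/99-downgrade-to-stable"    # assumed name
    cat > "$pin_file" <<'EOF'
Package: *
Pin: release a=stable
Pin-Priority: 1001
EOF
    echo "$pin_file"
}

# Register a library directory with ld.so: append it to a conf file only if it
# is not already listed there, then refresh the cache unless $3 is "no".
add_ld_path() {
    libdir="$1"
    conf="${2:-/etc/ld.so.conf.d/local.conf}"
    refresh="${3:-yes}"
    if [ -f "$conf" ] && grep -qxF "$libdir" "$conf"; then
        return 0                                    # already registered
    fi
    printf '%s\n' "$libdir" >> "$conf"
    [ "$refresh" = no ] || ldconfig
}

# How many times a directory is listed in a conf file (0 if never).
count_ld_path() {
    grep -cxF "$1" "$2" || true
}
```

After the real run, `apt-cache policy` shows the stable candidate versions the pin selects, and `ldconfig -p` lists the cached libraries, which is the quicker check for a "cannot open shared object file" error than searching the filesystem.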

Planet DebianJulien Danjou: OpenStack Summit Liberty from a Ceilometer & Gnocchi point of view

Last week I was in Vancouver, BC for the OpenStack Summit, discussing the new Liberty version that will be released in 6 months.

I've attended the summit mainly to discuss and follow-up new developments on Ceilometer, Gnocchi and Oslo. It has been a pretty good week and we were able to discuss and plan a few interesting things.

Ops feedback

We had half a dozen Ceilometer sessions, and the first one was dedicated to getting feedback from operators using Ceilometer. We had a few operators present, and a few of the Ceilometer team. We had a constructive discussion, and my feeling is that operators struggle with two things so far: scaling Ceilometer storage and keeping Ceilometer from killing the rest of OpenStack.

We discussed the first point as being addressed by Gnocchi, and I presented Gnocchi itself a bit, as well as how and why it will fix the storage scalability issue operators have encountered so far.

Ceilometer taking down the OpenStack installation is a more interesting problem. Ceilometer pollsters request information from Nova, Glance… to gather statistics. Until Kilo, Ceilometer did that regularly and at a fixed interval, causing high load spikes in OpenStack. With the introduction of jitter in Kilo, this should be less of a problem. However, Ceilometer hits various endpoints in OpenStack that are poorly designed, and hitting those endpoints of Nova or other components triggers a lot of load on the platform. Unfortunately, this makes operators blame Ceilometer rather than the components guilty of the poor design. We'd like to push forward improving these components, but it's probably going to take a long time.


When I started the Gnocchi project last year, I pretty soon realized that we would be able to split Ceilometer itself into different smaller components that could work independently, while being able to leverage each other. For example, Gnocchi can run standalone and store your metrics even if you don't use Ceilometer – or even OpenStack itself.

My fellow developer Chris Dent had the same idea about splitting Ceilometer a few months ago and drafted a proposal. The idea is to have Ceilometer split into different parts that people could assemble together or run on their own.

Interestingly enough, we had three 40-minute sessions planned to talk and debate about this division of Ceilometer, though we all agreed within 5 minutes that this was the right thing to do. Five more minutes later, we agreed on which part to split. The rest of the time was allocated to discussing various details of that split, and I committed to starting the work with the Ceilometer alarming subsystem.

I wrote a specification on the plane bringing me to Vancouver, which should be approved pretty soon now. I have already started doing the implementation work. So fingers crossed, Ceilometer should have a new component in Liberty handling alarming on its own.

This would allow users, for example, to deploy only Gnocchi and Ceilometer alarm. They would be able to feed data to Gnocchi using their own system, and build alarms using the Ceilometer alarm subsystem relying on Gnocchi's data.


We didn't have a Gnocchi dedicated slot – mainly because I indicated I didn't feel we needed one. We nevertheless discussed a few points around coffee, and I've been able to draw a few new ideas and changes I'd like to see in Gnocchi. Mainly changing the API contract to be more asynchronous so we can support InfluxDB more correctly, and improving the drivers based on Carbonara (the library we created to manipulate timeseries) to be faster.

All of those – plus a few Oslo tasks I'd like to tackle – should keep me busy for the next cycle!

Krebs on SecurityRecent Breaches a Boon to Extortionists

The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade. And there is some evidence that ne’er-do-wells are actively trading this data and planning to abuse it for financial gain.

Within hours after data on tens (if not hundreds) of thousands of mSpy users leaked onto the Deep Web, miscreants on the “Hell” forum (reachable only via Tor) were busy extracting countless Apple iTunes usernames and passwords from the archive.

“Apple Id accounts you can use Tor to login perfectly safe! Good method so far use ‘Find My phone,'” wrote Ping, a moderator on the forum. “Wipe data and set a message that they been hacked and the only way to get their data back is to pay a ransom.”


“Hell” forum users discuss extorting mSpy users who had iTunes account credentials compromised in the breach.

mSpy works on non-jailbroken iPhones and iPads, but the user loading the program needs to supply the iTunes username and password to load mSpy onto the device. The tough part about a breach at a company like mSpy is that many “users” will not know they need to change their iTunes account passwords because they don’t know they have the application installed in the first place!

Late last week, several publications reported that the database for Adult Friend Finder’s users was being sold online for the Bitcoin equivalent of about USD $17,000. Unfortunately, that same database seems to be circulating quickly around the Deep Web, including on the aforementioned Hell forum.

In an update posted to its site on Friday, AFF owner FriendFinder Networks sought to assure registered users there was no evidence that any financial information or passwords were compromised.

Nevertheless, the AFF breach clearly threatens to inundate breached users with tons more spam, and potentially makes it easy to identify subscribers in real life. Such a connection could expose users to blackmail attempts: I spent roughly 10 minutes popping email addresses from the leaked AFF users list into Facebook, and managed to locate more than a dozen active Facebook accounts apparently tied to married men.


A description posted to the “Hell” forum listing the attributes of the Adult Friend Finder user database.

According to a note posted by the aforementioned Hell moderator Ping (this user is also administrator of the Deep Web forum The Real Deal), the AFF database has been traded online since March 2015, but it only received widespread media attention last week.

Planet DebianNorbert Preining: Debian/TeX Live 2015 preparations

I have uploaded a preliminary version of the texlive-bin based on the 2015 sources (plus the first fixes) to the Debian archive, targeting experimental. As there are four new packages built from the sources (libtexlua52, -dev, libtexluajit2, -dev), the packages have to go through the NEW queue, which at the moment is an impressive 500+ entries long (close to the all-time high). But the ftp-masters are currently very active and I hope they continue for some time.

Debian - TeX Live 2015

Anyway, there are still many things to work out, especially a rework of tex-common for the new fmtutil, in the same way we did some time ago for updmap. That also means that all packages shipping formats will need to be rebuilt with the new tex-common. Fortunately there are not many additional formats shipped, and I think all of them are under my control, so that should be easy.

For those who want to peek at the current packages, here they are compiled for amd64. Also available as apt-sources:

deb exp/
deb-src exp/

WARNING Do not try to actually run these binaries unless you know what you are doing 😉

In case you have some spare time and bit of programming experience, the Debian TeX Team is looking for a bit of support in these days.



Planet DebianElena 'valhalla' Grandi: Free Software on Free Hardware

TEDWords of wisdom from mothers, recorded at StoryCorps


When someone makes a StoryCorps interview, they’ll usually talk about the most important people in their lives, remember the best and worst moments they’ve lived through, and pass on wisdom they’ve gleaned over the years. So it comes as no surprise that memories of parents are often the star of the show. Our facilitators tell us that even people who are 100 years old spend time remembering — and often crying about — their mothers and fathers.

Many StoryCorps conversations start with reflections on what’s often our first and most consequential bond — with Mom. We featured a few of these stories in our 2010 book, A Celebration of Mothers From StoryCorps, and a few weeks ago you heard a conversation with my own mom, the incredible Jane Isay. She’s put up with a lot over the years, and has great life advice to share as a result.

Really, StoryCorps is at its heart a project about the transmission of wisdom across generations. So below, enjoy some stories and powerful quotes from moms who inspired us with their heart, gumption, insight and love. Some of the stories are touching, some of them are raw, and all of them help us remember the importance of mothers.

“You should be able to talk to a person in the Bowery, as well as the President of the United States.”

William Anthony Cobbs interviewed his remarkable, outspoken mother, Mary, who has incurable cancer and unfailing faith. “I’m not afraid of dying, but I did say to the Lord that I didn’t want to leave my children,” she says in this interview, which was part of our Legacy Initiative, recording interviews with people facing life-threatening illnesses.


“The only thing that’s important to me, my dear, is that you remember me.”

Barbara Moore talks to her daughter, Olivia Fite, about her four decades working as a bricklayer in Baltimore. Despite earning the respect of her fellow workers and a large community of people in their city, many of whom still approach Olivia on the street to talk to her about her mom, Barbara says that her love of her daughter is the only thing that’s ever been important.


“I told anybody and everybody who would listen to me that I … was very proud of my gay son.”

“I think straight parents should be involved with their gay children,” says Rita Fischer in a frank and funny conversation with her son, Jay Fischer, as part of our OutLoud initiative honoring LGBT stories across America. Does your mom have gaydar? Rita does. She’s also raised more than $800,000 for New York’s AIDS Walk over the years. That said, this conversation is NSFW thanks to f-bombs.


“What should I regret? I think I’m old enough to do whatever I would like.”

This classic StoryCorps animation features the feisty Kay Wang, her son, Cheng, and granddaughter, Chen. In it, Kay (reluctantly) fills her son and granddaughter in on her life’s adventures — including her many childhood boyfriends. The story of how she met her husband is particularly amazing.


“I know that there’s nothing I can do about the Alzheimer’s … I try to make the most of each day, because I’m not the kind of person who sits and wallows in self-pity.”

Rebecca Posamentier interviewed her mom, Carol Kirsch, as part of our Memory Loss Initiative, which helps those with Alzheimer’s and other forms of memory loss share their stories. In this excerpt from our book, Carol shares her initial fear about having children, and Rebecca talks about her gratefulness in always having her mother’s support.


“We don’t have to lie any more.”

Mary Moran Murphy and Susan Mello Souza are two women who were roommates at a home for unwed mothers in Massachusetts in the 1960s. In this interview, they remember the fictitious names they were given and the veil of secrecy regarding the adoption of their children. Both of them have since reunited with their daughters, and they remain good friends.


“I would dedicate more time [to you]. I was so busy going to school I neglected you a little bit.”

This moving story was one of the first interviews recorded in our Airstream trailer mobile booths. Connie Alvarez worked at the public radio station KCRW, who partnered with us at our stop in Santa Monica. A recording participant cancelled last-minute, so Connie dragooned her mother, Blanca, into the booth. They had never had this conversation before, about her family’s hardships after they immigrated to the United States. Blanca may have regrets about being so busy when her children were young; but Connie tells her that watching her work was an inspiration.


“I instantly knew that all that anger and animosity I had in my heart for 12 years was over. I had forgiven you.”

In this interview, Mary Johnson speaks to Oshea Israel, the young man who killed her son, Laramiun Byrd. The two talk about the power of forgiveness, and give a new definition of family. Mary founded From Death to Life, an organization that supports mothers who have lost children to homicide and encourages forgiveness between families of murderers and victims. I played an excerpt of this story in my TED Talk, but it always bears listening to again.


“The hug was enough.”

Shirley Parrello lost her son Brian in the Iraq War. After his death, she became close with several members of his Marine platoon. One of those Marines, Sergeant Kevin Powell, interviewed Shirley as part of StoryCorps’ Military Voices Initiative, focusing on post-9/11 vets and their families. As Kevin says, “The day that you lost Brian, you gained 20 sons. And we’ll always be your sons.”


“There was no one more astonished that I had survived it than myself.”

Myra Dean lost her son, Rich Stark, when he was a child — he was killed by a reckless driver while riding his bike to see the sunset. In this interview, she talks to her friend Gary Jamison about surviving her son. “The worst part is, when you realize you’re gonna live, because you just want to die. I thought I wouldn’t live 10 minutes, and I was astonished when I’d lived 10 days, and mortified when I lived 10 months and not even grateful when I had lived 10 years,” she says. One of my favorite StoryCorps interviews ever.


Be part of our movement. Download the StoryCorps app and honor your own mom or the mother figure in your life with an interview. It’s one of the least expensive but most meaningful gifts we can give.

Dave Isay, the founder of StoryCorps, is the winner of our 2015 TED Prize. In a talk at TED2015, he shared an audacious wish for his organization: to take it global with a free app. Stay tuned for this column every other week on the TED Blog, as we chart the evolution of his TED Prize wish. As told to Amy S. Choi.

CryptogramStory of the ZooKeeper Poison-Packet Bug

Interesting story of a complex and deeply hidden bug -- with AES as a part of it.

RacialiciousMemorial Day: Remembering Soldiers of Color [The Throwback]

In honor of the U.S. celebrating Memorial Day today, we are reprinting this 2012 piece featuring veterans from many of our communities

We’ll begin with a video that was shown here in San Diego earlier this year, at a celebration of the Congressional Gold Medal awarded two years ago to the 100th Infantry Battalion, the 442nd Regimental Combat Team and the U.S. Military Intelligence Service (MIS). The unit, composed mostly of Japanese-Americans, would see heavy action during World War II in Europe, and would go on to produce 21 Medal of Honor recipients. This unit’s exploits were chronicled in fictional form in the film Only The Brave, the trailer of which can be seen here.


[Note: One video under the cut auto-plays, but is SFW.]

Shifting focus to Vietnam, here’s the trailer for As Long as I Remember: American Veteranos, Laura Varela’s documentary about Latino Vietnam veterans. While it focuses on three South Texas residents in particular, the statistics cited here reflect the sobering cost of duty in the conflict for many servicemen, particularly when it comes to PTSD.


Last year saw the birth of AIVMI – the American Indian Veterans Memorial Initiative, a campaign led by the Seminole Indian Tribe of Florida to add a statue of a Native American soldier along the Vietnam Walkway near the Vietnam Wall on the National Mall in the nation’s capital. Here we have an interview regarding the issue conducted by Kimberlie Acosta at Native Country TV with Tina Osceola from the Seminole Tribe.


Finally, here’s the trailer for Veterans Of Color, a documentary focusing on black veterans from the Vietnam and Korea wars and World War II. The film, which is coming off a screening at the Sarasota Film Festival in Florida, is the result of a collaboration between the Association For the Study Of African American Life And History (ASALH) and the Veterans History Project.


The post Memorial Day: Remembering Soldiers of Color [The Throwback] appeared first on Racialicious - the intersection of race and pop culture.

Worse Than FailureCodeSOD: A Winning Strategy

“Hey,” Roberto said while pairing with an offshore programmer, “this problem would be easier to solve with the Factory pattern.”

“What’s that?”

Roberto explained both the Factory pattern and the idea of design patterns, and congratulated himself on helping a fellow developer improve their skills. Little did he know, he had created a monster.

Things started cropping up in his code base. For example, Roberto found this block:

    var SetInfoAsDateList = SetInfoList.Where(c => c.ValueType.Contains("Date"));
    foreach (var item in SetInfoAsDateList)
    {
        //Use the Strategy pattern to find the correct date object.
        dateProcessor = GetDateProcessor(item.LabelName);
        dateProcessor.ProcessDate(item, SetInfoList, criteria, agentInformation, agentOptions);
    }

Oh, the Strategy pattern? Let’s go take a look at how GetDateProcessor was implemented.

    private static IDateProcessor GetDateProcessor(string value)
    {
        IDateProcessor dateStrategy = null;

        switch (value)
        {
            case "Change Date":
                dateStrategy = new DateFormatProcessor();
                break;
            case "Contract Date":
                dateStrategy = new DateFormatProcessor();
                break;
            case "List Date":
                dateStrategy = new DateFormatProcessor();
                break;
            case "ListingUpdateType":
                dateStrategy = new DateFormatProcessor();
                break;
            //case "Mobile Home Mfr. Date":
            //    dateStrategy = new DateFormatProcessor();
            //    break;
            case "Sold Date":
                dateStrategy = new DateFormatProcessor();
                break;
            case "Withdrawn Date":
                dateStrategy = new DateFormatProcessor();
                break;
            case "Available Date":
                dateStrategy = new DateFormatProcessor();
                break;
        }
        return dateStrategy;
    }


Oh, like that. It’s… extensible, at least, I suppose. At the risk of seeing yet another “I wrote my own date processing engine” WTF, should we take a look at what the DateFormatProcessor.ProcessDate function does?

    public class DateFormatProcessor : IDateProcessor
    {
        public void ProcessDate(result DetailSet, List<result> items, StatsCriteria criteria, login agentInformation, agent_options agentOptions)
        {
            var AvailableDate = items.Where(i => i.LabelName == "Available Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var ChangeDate = items.Where(i => i.LabelName == "Change Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var ContractDate = items.Where(i => i.LabelName == "Contract Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var ListDate = items.Where(i => i.LabelName == "List Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var ListingUpdateType = items.Where(i => i.LabelName == "ListingUpdateType" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var MobileHomeMfrDate = items.Where(i => i.LabelName == "Mobile Home Mfr. Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var SoldDate = items.Where(i => i.LabelName == "Sold Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();
            var WithdrawnDate = items.Where(i => i.LabelName == "Withdrawn Date" && i.MlsNum == DetailSet.MlsNum && i.ColumnHeader != "META").FirstOrDefault();

            if (DetailSet.LabelName == "Withdrawn Date")
                if (!String.IsNullOrEmpty(WithdrawnDate.LabelValue))
                    DetailSet.LabelValue = String.IsNullOrEmpty(DetailSet.LabelValue) ? "" : String.Format("{0:MM/dd/yyyy}", Convert.ToDateTime(DetailSet.LabelValue));

                    DetailSet.LabelValue = String.Format("{0:MM/dd/yyyy}", DetailSet.LabelValue);

                    DetailSet.LabelValue = "";

            if (DetailSet.LabelName == "Sold Date")
                if (!String.IsNullOrEmpty(SoldDate.LabelValue))
                    DetailSet.LabelValue = String.IsNullOrEmpty(DetailSet.LabelValue) ? "" : String.Format("{0:MM/dd/yyyy}", Convert.ToDateTime(DetailSet.LabelValue));

                    DetailSet.LabelValue = String.Format("{0:MM/dd/yyyy}", DetailSet.LabelValue);

                    DetailSet.LabelValue = "";

            if (DetailSet.LabelName == "List Date")
                if (!String.IsNullOrEmpty(ListDate.LabelValue))
                    DetailSet.LabelValue = String.IsNullOrEmpty(DetailSet.LabelValue) ? "" : String.Format("{0:MM/dd/yyyy}", Convert.ToDateTime(DetailSet.LabelValue));

                    DetailSet.LabelValue = String.Format("{0:MM/dd/yyyy}", DetailSet.LabelValue);

                    DetailSet.LabelValue = "";

            if (DetailSet.LabelName == "Contract Date")
                if (!String.IsNullOrEmpty(ContractDate.LabelValue))
                    DetailSet.LabelValue = String.IsNullOrEmpty(DetailSet.LabelValue) ? "" : String.Format("{0:MM/dd/yyyy}", Convert.ToDateTime(DetailSet.LabelValue));

                    DetailSet.LabelValue = String.Format("{0:MM/dd/yyyy}", DetailSet.LabelValue);

                    DetailSet.LabelValue = "";

            if (DetailSet.LabelName == "Change Date")
                if (!String.IsNullOrEmpty(ChangeDate.LabelValue))
                    DetailSet.LabelValue = String.IsNullOrEmpty(DetailSet.LabelValue) ? "" : String.Format("{0:MM/dd/yyyy}", Convert.ToDateTime(DetailSet.LabelValue));

                    DetailSet.LabelValue = String.Format("{0:MM/dd/yyyy}", DetailSet.LabelValue);

                    DetailSet.LabelValue = "";

            if (DetailSet.LabelName == "Available Date")
                if (!String.IsNullOrEmpty(AvailableDate.LabelValue))
                    DetailSet.LabelValue = String.IsNullOrEmpty(DetailSet.LabelValue) ? "" : String.Format("{0:MM/dd/yyyy}", Convert.ToDateTime(DetailSet.LabelValue));

                    DetailSet.LabelValue = String.Format("{0:MM/dd/yyyy}", DetailSet.LabelValue);

                    DetailSet.LabelValue = "";
        }
    }


Maybe he should have used a few more design patterns…
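For contrast, here is what the same Factory/Strategy pair looks like when each label actually gets its own strategy instance and the strategy does not re-dispatch on the label name. This is an added example, not code from the article or from the code base it describes; the Result type, the two-argument ProcessDate signature and the sample rows are simplifications assumed for self-containment. It also handles the two defects a reviewer would flag in the original: FirstOrDefault() can return null (the original dereferences it unconditionally), and Convert.ToDateTime throws on malformed input and depends on the current culture.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// Stand-in for the page's "result" record type (assumed shape, constructed for this example).
public class Result
{
    public string MlsNum { get; set; }
    public string LabelName { get; set; }
    public string LabelValue { get; set; }
    public string ColumnHeader { get; set; }
}

public interface IDateProcessor
{
    void ProcessDate(Result detailSet, List<Result> items);
}

// One strategy instance per label: the label it serves is fixed at construction,
// so the strategy never has to re-examine DetailSet.LabelName.
public class DateFormatProcessor : IDateProcessor
{
    private readonly string _label;

    public DateFormatProcessor(string label)
    {
        _label = label;
    }

    public void ProcessDate(Result detailSet, List<Result> items)
    {
        Result source = items.FirstOrDefault(i => i.LabelName == _label
                                               && i.MlsNum == detailSet.MlsNum
                                               && i.ColumnHeader != "META");

        // FirstOrDefault() yields null when nothing matches; treat that like an empty value.
        if (source == null || string.IsNullOrEmpty(source.LabelValue))
        {
            detailSet.LabelValue = "";
            return;
        }

        // Strict, culture-independent parse; malformed input becomes "" instead of an exception.
        DateTime parsed;
        bool ok = DateTime.TryParse(source.LabelValue, CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out parsed);
        detailSet.LabelValue = ok ? parsed.ToString("MM/dd/yyyy", CultureInfo.InvariantCulture) : "";
    }
}

// The registry replaces the switch: one lookup, no fall-through, unknown labels rejected loudly.
public static class DateProcessorFactory
{
    private static readonly Dictionary<string, IDateProcessor> Registry =
        new[] { "Change Date", "Contract Date", "List Date", "ListingUpdateType",
                "Sold Date", "Withdrawn Date", "Available Date" }
        .ToDictionary(label => label, label => (IDateProcessor)new DateFormatProcessor(label));

    public static IDateProcessor GetDateProcessor(string labelName)
    {
        IDateProcessor processor;
        if (!Registry.TryGetValue(labelName, out processor))
        {
            throw new ArgumentException("no date processor registered for label: " + labelName);
        }
        return processor;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample rows, not data from the page.
        var items = new List<Result>
        {
            new Result { MlsNum = "1001", LabelName = "Sold Date",      LabelValue = "2015-05-22", ColumnHeader = "DATA" },
            new Result { MlsNum = "1001", LabelName = "Withdrawn Date", LabelValue = "",           ColumnHeader = "DATA" },
            new Result { MlsNum = "1002", LabelName = "List Date",      LabelValue = "not a date", ColumnHeader = "DATA" },
            new Result { MlsNum = "1002", LabelName = "List Date",      LabelValue = "05/01/2015", ColumnHeader = "META" },
        };

        // Same driving loop as the article, minus the need for the strategy to guess its own label.
        foreach (var item in items.Where(c => c.LabelName.Contains("Date") && c.ColumnHeader != "META"))
        {
            DateProcessorFactory.GetDateProcessor(item.LabelName).ProcessDate(item, items);
            Console.WriteLine("{0} {1} -> '{2}'", item.MlsNum, item.LabelName, item.LabelValue);
        }
    }
}
```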


Planet Linux AustraliaLev Lafayette: MrBayes HPC Installation

Mr. Bayes is a program for Bayesian inference and model choice across a wide range of phylogenetic and evolutionary models.

Download, extract. Note that the developers have produced a tarbomb which will require a separate directory created before download. This has been raised as a bug.

Note that more recent versions of MrBayes make much better use of autoconfiguration tools.

cd /usr/local/src/MRBAYES
mkdir mrbayes-3.2.5
cd mrbayes-3.2.5



Planet DebianRuss Allbery: Catch-up haul

As always, even though I've not been posting much, I'm still buying books. This is a catch-up post listing a variety of random purchases.

Katherine Addison — The Goblin Emperor (sff)
Milton Davis — From Here to Timbuktu (sff)
Mark Forster — How to Make Your Dreams Come True (non-fiction)
Angela Highland — Valor of the Healer (sff)
Marko Kloos — Terms of Enlistment (sff)
Angela Korra'ti — Faerie Blood (sff)
Cixin Liu — The Three-Body Problem (sff)
Emily St. John Mandel — Station Eleven (sff)
Sydney Padua — The Thrilling Adventures of Lovelace and Babbage (graphic novel)
Melissa Scott & Jo Graham — The Order of the Air Omnibus (sff)
Andy Weir — The Martian (sff)

Huh, for some reason I thought I'd bought more than that.

I picked up the rest of the Hugo nominees that aren't part of a slate, and as it happens have already read all the non-slate nominees at the time of this writing (although I'm horribly behind on reviews). I also picked up the first book of Marko Kloos's series, since he did the right thing and withdrew from the Hugos once it became clear what nonsense was going on this year.

The rest is a pretty random variety of on-line recommendations, books by people who made sense on the Internet, and books by authors I like.

Planet DebianNorbert Preining: TeX Live 2015 DVD preparation starts

As the last step in the preparation of the TeX Live 2015 release we have now completely frozen updates to the repository and built the (hopefully) final image. The following weeks will see more testing and preparation of the gold master for DVD preparation.


The last weeks were full of frantic rebuilds of binaries, in particular due to bugs in several engines that were, as always, found at the last minute. Also, already after the closing time, we found a serious problem with Windows installations in administrator mode, where unprivileged users didn’t have read access to the format dumps. This was due to the File::Temp usage on Windows, which sets too restrictive ACLs.

Unless really serious bugs show up, further changes will have to wait till after the release. Let’s hope for some peaceful two weeks.

So, it is time to prepare for release parties 😉 Enjoy!


Planet DebianWouter Verhelst: Fixing CVE-2015-0847 in Debian

Because of CVE-2015-0847 and CVE-2013-7441, two security issues in nbd-server, I've had to update nbd, which has various supported versions: upstream, unstable, stable, oldstable, oldoldstable, and oldoldstable-backports. I've just finished uploading security fixes for the various supported versions of nbd-server in Debian. There are various relevant archives, and unfortunately it looks like they all have their own way of doing things regarding security:

  • For squeeze-lts (oldoldstable), you check out the secure-testing repository, run a script from that repository that generates a DLA number and email template, commit the result, and send a signed mail (whatever format) to the relevant mailing list. Uploads go to ftp-master with squeeze-lts as target distribution.
  • For backports, you send a mail to the team alias requesting a BSA number, do the upload, and write the mail (based on a template that you need to modify yourself), which you then send (inline signed) to the relevant mailing list. Uploads go to ftp-master with $dist-backports as target distribution, but you need to be in a particular ACL to be allowed to do so. However, due to backports policy, packages should never be in backports before they are in the distribution from which they are derived -- so I refrained from uploading to backports until the regular security update had been done. Not sure whether that's strictly required, but I didn't think it would do harm; even so, that did mean the procedure for backports was even more involved.
  • For the distributions supported by the security team (stable and oldstable, currently), you prepare the upload yourself, ask permission from the security team (by sending a debdiff), do the upload, and then ask the security team to send out the email. Uploads go to security-master, which implies that you may have to use dpkg-buildpackage's -sa parameter in order to make sure that the orig.tar.gz is actually in the security archive.
  • For unstable and upstream, you Just Upload(TM), because it's no different from a regular release.

While I understand how the differences between the various approaches have come to exist, I'm not sure I understand why they are necessary. Clearly, there's some room for improvement here.

As anyone who reads the above may see, doing an upload for squeeze-lts is in fact the easiest of the three "stable" approaches, since no intermediate steps are required. While I'm not about to advocate dropping all procedures everywhere, a streamlining of them might be appropriate.

Planet Linux AustraliaSridhar Dhanapalan: Twitter posts: 2015-05-18 to 2015-05-24

Sociological ImagesWhat Class War Looks Like

Debian Administration Setting up a personal secure apt repository

Packages under development aren't always ready to be in the main Debian archive. But that doesn't mean it should be hard for people to install them. When asking people to test programs, it is most convenient to present it in the

Geek FeminismQuick Hit: New Taylor Swift fanvid “Pipeline” calls out tech industry on diversity hypocrisy

As Julie Pagano put it: “So many ‘diversity in tech’ efforts are about getting young women into the pipeline. Ignore the fact that there’s a meat grinder at the end.” So I’ve made a new fanvid (a type of video art piece): “Pipeline”. It’s a little over 3 minutes long and cuts together about 50 different sources over Taylor Swift’s song “Blank Space”. Specifically, this fanvid uses clips from documentaries, glossy Hollywood depictions of hackers, comics, code school ads, and the Geek Feminism wiki’s Timeline of Incidents to critique this dynamic. It just premiered at the WisCon Vid Party a few hours ago.

My launch blog post on Dreamwidth goes into more detail and includes a comprehensive list of video sources.

Download: on Google Drive (165 MB high-resolution MP4 file, 23 MB low-resolution MP4 file, 98 MB AVI file), or at Critical Commons with login (high- and low-res MP4 and WebM files)
Stream: at Critical Commons (choose View High Quality for best experience)
Lyrics subtitles file: (you can download this and then ask your video playing app to use it as a subtitles track)

It’s under the license Creative Commons BY-SA; please feel free to redistribute, link, remix, and so on, as long as you attribute me as the vidder. Comments are welcome, though moderated.

Planet Linux AustraliaGary Pendergast: How I Would Solve Plugin Dependencies

lol, I wouldn’t [1].

[1] If I absolutely had to, I wouldn’t do it the same as Ryan.

WordPress isn’t (and will never be) Linux

ZYpp, the dependency solver used by OpenSUSE (and ported to PHP in Composer), was born of the need to solve complex dependency trees. The good news is, WordPress doesn’t have the same problem, and we shouldn’t create that problem for ourselves.

One of the most common-yet-complex issues is determining how to handle different version requirements by different packages. If My Amazing Plugin requires WP-API 1.9, but Your Wonderful Plugin requires WP-API 2.0, we have a problem. There are two ways to solve it – Windows solves it by installing multiple versions of the dependency, and loading the correct version for each package. This isn’t a particularly viable option in PHP, because trying to load two different versions of the same code in the same process is not my idea of a fun time.

The second option, which ZYpp solves, is to try and find a mutually compatible version of the dependency that each plugin can use. The biggest problem with this method is that it can’t always find a solution. If there’s no compatible way of installing the libraries, it has to throw back to the user to make the decision. This isn’t a viable option, as 99.999*% worth of users wouldn’t be able to tell the difference between WP-API versions 1.9 and 2.0, and nor should they.

But there’s a third option.

Technical Debt as a Service

Code libraries are, by their nature, developer facing. A user never really needs to know that they exist, in the same way that they don’t need to know about WP_Query. In WordPress Core, we strive for (and often achieve) 100% backwards compatibility between major versions. If we were going to implement plugin dependencies, I would make it a requirement that the code libraries shoulder the same burden: don’t make a user choose between upgrades, just always keep the code backwards compatible. If you need to make architectural changes, include a backwards compatible shim to keep things working nicely.

This intentionally moves the burden of upgrading to the developer, rather than the end user.

What Version?

If we’re going to require library developers to maintain backwards compatibility, we can do away with version requirements (and thus, removing the need for a dependency solver). If a plugin needs a library, it can just specify the library slug.

Better Living Through Auto Updates

If we were to implement plugin dependencies, I think it’d be a great place to introduce auto updates being enabled by default. There’s no existing architecture for us to take into account, so we can have this use the current WordPress best practices. On top of that, it’s a step towards enabling auto updates for all Core releases, and it encourages developers to create backwards compatible libraries, because their library will almost certainly be updated before a plugin using it is.

Let’s Wrap This Up

I’m still not convinced plugin dependencies is a good thing to put in Core – it introduces significant complexities to plugin updates, as well as adding another dependency on to Core. But it’s definitely a conversation worth having.

Planet DebianRuss Allbery: git-pbuilder 1.34

Long time without a blog post. My time got eaten by work and travel and work-related travel. Hopefully more content soon.

This is just a quick note about the release of version 1.34 of the git-pbuilder script (which at some point really should just be rewritten in Python and incorporated entirely into the git-buildpackage package). Guido Günther added support for creating chroots for LTS distributions.

You can get the latest version from my scripts page.


Planet DebianEddy Petrișor: Linksys NSLU2 adventures into the NetBSD land passed through JTAG highlands - part 1

About 2 months ago I set a goal to run some kind of BSD on the spare Linksys NSLU2 I had. This was driven mostly by curiosity, after listening to a few BSDNow episodes and becoming a regular listener, but it was a really interesting experience (it was also somewhat frustrating, mostly due to lacking documentation or proprietary code).

Looking for documentation on how to install any BSD flavour on the Linksys NSLU2, I have found what appears to be some too-incomplete-to-be-useful-for-a-BSD-newbie information about installing FreeBSD, no information about OpenBSD and some very detailed information about NetBSD on the Linksys NSLU2.

I was very impressed by the NetBSD script which can be used to cross-compile the entire NetBSD system - to do that, it also builds the appropriate toolchain - NetBSD kernel and the base system, even when run on a Linux host. Having some experience with cross compilation for GNU/Linux embedded systems I can honestly say this is immensely impressive, well done NetBSD!

Gone were a few failed attempts to properly follow the instructions and lots of hours of (re)building, but then I had the kernel and the sets (the NetBSD system is split into several parts which are grouped by functionality, these are the sets), so I was in the position to have to set things up to be able to net boot - kernel loading via TFTP and rootfs on NFS.

But it wouldn't be challenging if the instructions were followed to the letter, so the first thing I wanted to change was that I didn't want to run dhcpd just to pass the DHCP boot configuration to the NSLU2, that seemed like a waste of resources since I already had dnsmasq running.

After some effort and struggling with missing documentation, I managed to use dnsmasq to pass DHCP boot parameters to the slug, but also use it as TFTP server - after some time I documented this for future reference on my blog and expect to refer to it in the future.

Setting up NFS wasn't a problem, but, when trying to boot, I found that I managed to misread at least 3 or 4 times some of the NSLU2 related information on the NetBSD wiki. To be able to debug what was happening I concluded the slug should have a serial console attached to it, which helped a lot.

Still the result was that I wasn't able to boot the trunk version of the NetBSD code on my NSLU2.

Long story short, with the help of some people from the #netbsd IRC channel on Freenode and from the port-arm NetBSD mailing list I found out that I might have a better chance with specific older versions. In practice what really worked was the code from the netbsd_6_1 branch.

Discussions on the port-arm mailing list, some digging into the (recently found) PRs (problem reports), and a successful execution of the trunk kernel (at the time, version 7.99.4) together with 6.1.5 userspace led me to the conclusion that the NetBSD userspace for armbe was broken in the trunk branch.

And since I concluded this would be a good occasion to learn a few details about NetBSD, I set out to git bisect through the trunk history to identify when this happened. But that meant being able to easily load kernels and run them from TFTP, which was not how the RedBoot bootloader flashed into the slug behaves by default.

By default, the RedBoot bootloader flashed into the NSLU2 waits for 2 seconds for a manual interaction (it waits for a ^C) on the serial console or on the telnet RedBoot prompt, then, if no such event happens, it copies the Linux image it has in flash starting with address 0x50060000 into RAM at address 0x01d00000 (after stripping the Sercomm header) and then executes the copied code from RAM.

Of course, this is not a very handy way to try to boot things from TFTP, so my first idea to overcome this limitation was to use a second stage bootloader which would do the loading via TFTP of the NetBSD kernel, then execute it from RAM. Flashing this second stage bootloader instead of the Linux kernel at 0x50060000 would make sure that no manual intervention except power on would be necessary when a new kernel+userspace pair is ready to be tested.

Another advantage was that I would not risk bricking the NSLU2 since I would not be changing RedBoot, the original bootloader.

I knew Apex was used as the second stage bootloader in Debian, so I started configuring my own version of the APEX bootloader to make it work for the netbsd-nfs.bin image to be loaded via TFTP.

My first disappointment was that Apex did not support receiving the boot parameters via DHCP, but only via RARP (it was clear it was less tested with BOOTP or DHCP), and TFTP was documented in the code as being problematic. That meant that I would have to hard code the boot configuration or configure RARP, but that wasn't too bad.

Later I found out that I wasted time on that avenue because the network driver in Apex was some Intel code (NPE Access Library) which can't be freely distributed, but could have been downloaded from Intel's site back in 2008-2009. The bad news was that current versions did not work at all with the old patch work that was done in Apex to allow for the driver made for Linux to compile in a world of its own so it could be incorporated in Apex.

I was stuck and the only options I had were:
  1. Fight with the available Intel code and make it compile in Apex
  2. Incorporate the NPE driver from NetBSD into a rump kernel which will be included in Apex, since I knew the NetBSD driver only needed a very easily obtainable binary blob, instead of the entire driver as was in Apex before
  3. Hack together an Apex version that simulates the typing of the necessary commands to load the netbsd-nfs.bin image inside RedBoot, or in other words, call from Apex the RedBoot functions necessary to load from TFTP and execute NetBSD.
Option 1 did not look that appealing after looking into the horrible Intel build system and its endless dependencies into a specific Linux kernel version.

Option 2 was more appealing, but since I didn't know NetBSD and had only tried once to build and run a NetBSD rump kernel, it seemed like a doable project only for an experienced NetBSD developer or at least an experienced NetBSD user, which I was not.

So I was left with option 3, which meant I had to do some reverse engineering of the code, because, although RedBoot is GPL, Linksys did not publish the source from which the running RedBoot was built.

(continues here)

Planet DebianEddy Petrișor: Linksys NSLU2 adventures into the NetBSD land passed through JTAG highlands - part 2 - RedBoot reverse engineering and APEX hacking

(continuation of Linksys NSLU2 adventures into the NetBSD land passed through JTAG highlands - part 1; meanwhile, my article was mentioned briefly in BSDNow Episode 89 - Exclusive Disjunction around minute 36:25)

Choosing to call RedBoot from a hacked Apex

As I was saying in my previous post, in order to be able to automate the booting of the NetBSD image via TFTP, I opted for using a 2nd stage bootloader (planning to flash it in the NSLU2 instead of a Linux kernel), and since Debian was already using Apex, I chose Apex, too.

The first problem I found was that the networking support in Apex was relying on an old version of the Intel NPE library which I couldn't find on Intel's site. The new version was incompatible/not building with the old build wrapper in Apex, so I was faced with 3 options:
  1. Fight with the available Intel code and try to force it to compile in Apex
  2. Incorporate the NPE driver from NetBSD into a rump kernel to be included in Apex instead of the original Intel code, since the NetBSD driver only needed an easily compilable binary blob
  3. Hack together an Apex version that simulates the typing of the necessary RedBoot commands to load the netbsd image via TFTP and execute it.
After taking a look at the NPE driver build system, I concluded there were very few options less attractive than option 1, among which was hammering nails through my forehead as an improvement measure against the severe brain damage I would most likely suffer after dealing with the NPE "build system".

Option 2 looked like the best option I could have, given the situation, but my NetBSD foo was too close to 0 to even dream of endeavoring on such a task. In my opinion, this still remains the technically superior solution to the problem since it is a very portable and flexible way to ensure networking works in spite of the proprietary NPE code.

But, in practice, the best option I could implement at the time was option 3. I initially planned to pre-fill from Apex my desired commands into the RedBoot buffer that stored the keyboard strokes typed by the user:

load -r -b 0x200000 -h netbsd-nfs.bin
Since this was the first time ever that I was going to do less than trivial reverse engineering in order to find the addresses and signatures of interesting functions in the RedBoot code, it wasn't bad at all that I had a version of the RedBoot source code.

When stuck with reverse engineering, apply JTAG

The bad thing was that the code Linksys published as the source of the RedBoot running inside the NSLU2 was, in fact, a different code which had some significant changes around the code pieces I was mostly interested in. That in spite of the GPL terms.

But I thought that I could manage. After all, how hard could it be to identify the 2-3 functions I was interested in and 1 buffer? Even if I only had the disassembled code from the slug, it shouldn't be that hard.

I struggled with this for about 2-3 weeks on the few occasions I had during that time, but the excitement of learning something new kept me going. Until I got stuck somewhere between the misalignment between the published RedBoot code and the disassembled code, the state of the system at the time of dumping the contents from RAM (for purposes of disassembly), the assembly code generated by GCC for some specific C code I didn't have at all, and the particularities of ARM assembly.

What was most likely to unblock me was to actually see the code in action, so I decided that attaching a JTAG dongle to the slug and doing a session of in-circuit debugging was in order.

Luckily, the pinout of the JTAG interface was already identified in the NSLU2 Linux project, so I only had to solder some wires to the specified places and a 2x20 header to be able to connect through JTAG to the board.

JTAG connections on Kinder (the NSLU2 targeting NetBSD)

After this was done I immediately tried to see whether, using a JTAG debugger, I could break the execution of the code on the system. The answer was, sadly, no.

The chip was identified, but breaking the execution was not happening. I tried this in OpenOCD and in another proprietary debugger application I had access to, and the result was the same, breaking was not happening.
$ openocd -f interface/ftdi/olimex-arm-usb-ocd.cfg -f board/linksys_nslu2.cfg
Open On-Chip Debugger 0.8.0 (2015-04-14-09:12)
Licensed under GNU GPL v2
For bug reports, read
Info : only one transport option; autoselect 'jtag'
adapter speed: 300 kHz
Info : ixp42x.cpu: hardware has 2 breakpoints and 2 watchpoints
Info : clock speed 300 kHz
Info : JTAG tap: ixp42x.cpu tap/device found: 0x29277013 (mfg: 0x009, part: 0x9277, ver: 0x2)

$ telnet localhost 4444
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target was in unknown state when halt was requested
in procedure 'halt'
> poll
background polling: on
TAP: ixp42x.cpu (enabled)
target state: unknown
Looking into the documentation I found a bit of information on the XScale processors[X] which suggested that XScale processors might need the (otherwise optional) SRST signal on the JTAG interface in order to single step the chip.

This confused me a lot since I was sure other people had already used JTAG on the NSLU2.

The options I saw at the time were:
  1. my NSLU2 did not have a fully working JTAG interface (either due to the missing SRST signal on the interface or maybe due to a JTAG lock on later generation NSLU2s, as was my second slug)
  2. nobody ever single stepped the slug using OpenOCD or other JTAG debugger, they only reflashed, and I was on totally new ground
I even contacted Rod Whitby, the project leader of the NSLU2 project to try to confirm single stepping was done before. Rod told me he never did that and he only reflashed the device.

This confused me even further because, from what I had encountered on other platforms, in order to flash a device, the code responsible for programming the flash is loaded into the RAM of the target microcontroller and executed there after a RAM buffer with the data to be flashed has been preloaded via JTAG; the operation is then repeated for all flash blocks to be reprogrammed.

I was aware it was possible to program a flash chip situated on the board, outside the chip, by only playing with the chip's pads, strictly via JTAG, but I was still hoping single stepping the execution of the code in RedBoot was possible.

Guided by that hope and by the possibility that newer versions of the device were locked, I decided to add a JTAG interface to my older NSLU2, too. But this time I decided I would also add the TRST and SRST signals to the JTAG interface, just in case single stepping would work.

This mod involved even more extensive changes than the ones done on the other NSLU, but I was so frustrated by the fact I was stuck that I didn't mind poking a few holes through the case and the prospect of a connector always sticking out from the other NSLU2, which was doing some small, yet useful work in my home LAN.

It turns out NOBODY single stepped the NSLU2

After biting the bullet and soldering a JTAG interface with the TRST and SRST signals also connected, as the pinout page from the NSLU2 Linux wiki suggested, I was disappointed to observe that I was not able to single step the older NSLU2 either, in spite of the presence of the extra signals.

I even tinkered with the reset configurations of OpenOCD, but had no success. After obtaining the same result on the proprietary debugger, digging through a presentation made by Rod back in the heyday of the project and the conversations on the NSLU2 Linux Yahoo mailing list, I finally concluded:
Actually nobody single stepped the NSLU2, no matter the version of the NSLU2 or connections available on the JTAG interface!
So I was back to square 1, I had to either struggle with disassembly, reevaluate my initial options, find another option or even drop entirely the idea. At that point I was already committed to the project, so dropping entirely the idea didn't seem like the reasonable thing to do.

Since I was feeling I was really close to finishing on the route I had chosen a while ago, I was not significantly more knowledgeable in the NetBSD code, and looking at the NPE code made me feel like washing my hands, the only option which seemed reasonable was to go on.

Digging a lot more through the internet, I was finally able to find another version of the RedBoot source which was modified for Intel ixp42x systems. A few checks here and there revealed this newly found code was actually almost identical to the code I had disassembled from the slug I was aiming to run NetBSD on. This was a huge step forward.

Long story short, a couple of days later I had a hacked Apex that could go through the RedBoot data structures, search for available commands in RedBoot and successfully call any of the built-in RedBoot commands!

Testing by loading this modified Apex by hand into RAM via TFTP, then jumping into it to see if things worked as expected, revealed a few small issues which I corrected right away.

Flashing a modified RedBoot?! But why? Wasn't Apex supposed to avoid exactly that risky operation?

Since the tests when executing from RAM were successful, my custom second stage Apex bootloader for NetBSD net booting was ready to be flashed into the NSLU2.

I added two more targets in the Makefile in the code on the dedicated netbsd branch of my Apex repository to generate the images ready for flashing into the NSLU2 flash (RedBoot needs to find a Sercomm header in flash, otherwise it will crash), and the exact commands to be executed in RedBoot are also printed out after generation. This way, if the command is copy-pasted, there is no risk of the NSLU2 being bricked by mistake.

After some flashing and reflashing of the apex_nslu2.flash image into the NSLU2 flash, some manual testing, tweaking and modifying the default built-in APEX commands, and checking that the sequence of commands 'move', 'go 0x01d00000' would jump into Apex, which, in turn, would call RedBoot to transfer the netbsd-nfs.bin image from a TFTP server to RAM and then execute it successfully, it was high time to check that NetBSD would boot automatically after the NSLU2 was powered on.

It didn't. Contrary to my previous tests, no call made from Apex to the RedBoot code would return back to Apex, not even the execution of a basic command such as the 'version' command.

It turns out the default commands hardcoded into RedBoot were 'boot; exec 0x01d00000', but I had tested 'boot; go 0x01d0000', which is not the same thing.

While 'go' does a plain jump to the specified address, the 'exec' command also does some preparations so it allows a jump into the Linux kernel, and those preparations break some environment the RedBoot commands expect. I don't know which those are and didn't have the mood or motivation to find out.

So the easiest solution was to change RedBoot's built-in command and turn that 'exec' into a 'go'. But that meant this time I was actually risking bricking the NSLU2, unless I was able to reflash the NSLU2 via JTAG.

(to be continued - next, changing RedBoot and bisecting through the NetBSD history)

[X] Linksys NSLU2 has an XScale IXP420 processor which is compatible at ASM level with the ARMv5TEJ instruction set

Sociological ImagesReversing a 100 Year Trend, Men are Staying in the Workforce Longer

In response to company pensions, employer age limits, shifts in the economy, and the initiation of social security, men have increasingly enjoyed a little 20th century social invention called “retirement.” In 1860, more than 80% of men age 70 to 74 worked, but by around 2000, that number had dropped to below 20%.

As of the 2000s, this more-than-100-year-trend of increasing numbers of men enjoying their “golden years” has reversed. This is your image of the week:


Over at Made in America, from where I borrowed this graph, sociologist Claude Fisher explains the reversal of the trend (citations at the link):

The private sources of retirement support, such as company pensions and investments, have weakened; [and] public sources of aid are under strain from a lower birth rate, a stagnating economy, and political retrenchment. And the years that such support must cover are growing. In 1990 a 65-year-old man could expect to live about 15 more years; in 2010, 18 more years. That’s an extra 20 percent of financing needed.

Among other things, the economic health of older Americans is an important sign of the overall health of the economy. It will be interesting to keep an eye on this statistic in the near future.

Lisa Wade is a professor of sociology at Occidental College and the co-author of Gender: Ideas, Interactions, Institutions. You can follow her on Twitter and Facebook.


Planet DebianEddy Petrișor: HOWTO: No SSH logins SFTP only chrooted server configuration with OpenSSH

If you are in a situation where you want to set up a SFTP server in a more secure way, don't want to expose anything from the server via SFTP and do not want to enable SSH login on the account allowed to sftp, you might find the information below useful.

What do we want to achieve:
  • SFTP server
  • only a specified account is allowed to connect to SFTP
  • nothing outside the SFTP directory is exposed
  • no SSH login is allowed
  • any extra security measures are welcome
To obtain all of the above we will create a dedicated account which will be chroot-ed; its home will be stored on a removable/not always mounted drive (accessing SFTP will not work when the drive is not mounted).

Mount the removable drive which will hold the SFTP area (you might need to add some entry in fstab). 

Create the account to be used for SFTP access (on a Debian system this will do the trick):
# adduser --system --home /media/Store/sftp --shell /usr/sbin/nologin sftp

This will create the account sftp which has login disabled, shell is /usr/sbin/nologin and create the home directory for this user.

Unfortunately the default ownership of the home directory of this user is incompatible with chroot-ing in SFTP (which prevents access to other files on the server). A message like the one below will be generated in this kind of case:
$ sftp -v sftp@localhost
sftp@localhost's password:
debug1: Authentication succeeded (password).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
Also /var/log/auth.log will contain something like this:
fatal: bad ownership or modes for chroot directory "/media/Store/sftp"

The default permissions are visible using the 'namei -l' command on the sftp home directory:
# namei -l /media/Store/sftp
f: /media/Store/sftp
drwxr-xr-x root root    /
drwxr-xr-x root root    media
drwxr-xr-x root root    Store
drwxr-xr-x sftp nogroup sftp
We change the ownership of the sftp directory and make sure there is a place for files to be uploaded in the SFTP area:
# chown root:root /media/Store/sftp
# mkdir /media/Store/sftp/upload
# chown sftp /media/Store/sftp/upload

We isolate the sftp users from other users on the system and configure a chroot-ed environment for all users accessing the SFTP server:
# addgroup sftpusers
# adduser sftp sftpusers
Set a password for the sftp user so password authentication works:
# passwd sftp
Putting all pieces together, we restrict access only to the sftp user, allow it access via password authentication only to SFTP, but not SSH (and disallow tunneling and forwarding or empty passwords).

Here are the changes done in /etc/ssh/sshd_config:
PermitEmptyPasswords no
PasswordAuthentication yes
AllowUsers sftp
Subsystem sftp internal-sftp
Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTunnel no
Reload the sshd configuration (I'm using systemd):
# systemctl reload ssh.service
Check sftp user can't login via SSH:
$ ssh sftp@localhost
sftp@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
But SFTP is working and is restricted to the SFTP area:
$ sftp sftp@localhost
sftp@localhost's password:
Connected to localhost.
sftp> ls
sftp> pwd
Remote working directory: /
sftp> put netbsd-nfs.bin
Uploading netbsd-nfs.bin to /netbsd-nfs.bin
remote open("/netbsd-nfs.bin"): Permission denied
sftp> cd upload
sftp> put netbsd-nfs.bin
Uploading netbsd-nfs.bin to /upload/netbsd-nfs.bin
netbsd-nfs.bin                                                              100% 3111KB   3.0MB/s   00:00
Now your system is ready to accept sftp connections, things can be uploaded in the upload directory and whenever the external drive is unmounted, SFTP will NOT work.

Note: Since we added 'AllowUsers sftp', you can test no local user can login via SSH. If you don't want to restrict access only to the sftp user, you can whitelist other users by adding them in the AllowUsers directive, or dropping it entirely so all local users can SSH into the system.
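
The "bad ownership or modes for chroot directory" failure above comes from a rule sshd applies to every directory on the way down to the ChrootDirectory: each one must be owned by root and must not be writable by group or others. The following is an added example (not part of the original post, and not OpenSSH's own code) that encodes that rule so the path can be checked before reloading sshd; the function names and the constructed uid 105 for the sftp account are my own assumptions.

```python
import os
import stat
from pathlib import PurePosixPath


def chroot_problems(components):
    """Apply sshd's ChrootDirectory rules to a list of (path, uid, mode)
    tuples, one per directory from '/' down to the chroot directory itself.

    Every component must be a root-owned directory that is not writable by
    group or others. Returns a list of problems; empty means sshd accepts it.
    """
    problems = []
    for path, uid, mode in components:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
            continue
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be owned by root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others "
                            f"(mode {stat.S_IMODE(mode):04o})")
    return problems


def path_components(chroot_dir):
    """List every ancestor of chroot_dir, starting at '/', ending at itself."""
    p = PurePosixPath(chroot_dir)
    if not p.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    return [str(x) for x in reversed(p.parents)] + [str(p)]


def check_chroot_path(chroot_dir):
    """Stat a real path on this host and run the same checks on it."""
    comps = []
    for path in path_components(chroot_dir):
        st = os.lstat(path)
        comps.append((path, st.st_uid, st.st_mode))
    return chroot_problems(comps)


# Constructed sample mirroring the 'namei -l' output in the post: all
# components root-owned 0755, except the last one, still owned by 'sftp'.
SFTP_UID = 105  # constructed uid for the 'sftp' system account
BEFORE_CHOWN = [
    ("/", 0, stat.S_IFDIR | 0o755),
    ("/media", 0, stat.S_IFDIR | 0o755),
    ("/media/Store", 0, stat.S_IFDIR | 0o755),
    ("/media/Store/sftp", SFTP_UID, stat.S_IFDIR | 0o755),
]
# State after 'chown root:root /media/Store/sftp'.
AFTER_CHOWN = BEFORE_CHOWN[:-1] + [("/media/Store/sftp", 0, stat.S_IFDIR | 0o755)]
# Root-owned but group-writable: sshd rejects this as well.
GROUP_WRITABLE = BEFORE_CHOWN[:-1] + [("/media/Store/sftp", 0, stat.S_IFDIR | 0o775)]

if __name__ == "__main__":
    for label, comps in (("before chown", BEFORE_CHOWN),
                         ("after chown", AFTER_CHOWN),
                         ("group-writable", GROUP_WRITABLE)):
        print(f"{label}: {chroot_problems(comps) or 'OK'}")
```

Run `check_chroot_path("/media/Store/sftp")` on the server to stat the real path. The `upload` subdirectory owned by the sftp user is fine because it sits inside the chroot rather than on the path to it, which is exactly why the post creates it: the chroot root itself cannot be writable by the user.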

Planet DebianDebConf team: Second Call for Proposals and Approved Talks for DebConf15 (Posted by DebConf Content Team)

DebConf15 will be held in Heidelberg, Germany from the 15th to the 22nd of August, 2015. The clock is ticking and our annual conference is approaching. There are less than three months to go, and the Call for Proposals period closes in only a few weeks.

This year, we are encouraging people to submit “half-length” 20-minute events, to allow attendees to have a broader view of the many things that go on in the project in the limited amount of time that we have.

To make sure that your proposal is part of the official DebConf schedule you should submit it before June 15th.

If you have already sent your proposal, please log in to summit and make sure to improve your description and title. This will help us fit the talks into tracks, and devise a cohesive schedule.

For more details on how to submit a proposal see:

Approved Talks

We have processed the proposals submitted up to now, and we are proud to announce the first batch of approved talks. Some of them:

  • This APT has Super Cow Powers (David Kalnischkies)
  • AppStream, Limba, XdgApp: Past, present and future (Matthias Klumpp)
  • Onwards to Stretch (and other items from the Release Team) (Niels Thykier for the Release Team)
  • GnuPG in Debian report (Daniel Kahn Gillmor)
  • Stretching out for trustworthy reproducible builds - creating bit by bit identical binaries (Holger Levsen & Lunar)
  • Debian sysadmin (and infrastructure) from an outsider/newcomer perspective (Donald Norwood)
  • The Debian Long Term Support Team: Past, Present and Future (Raphaël Hertzog & Holger Levsen)

If you have already submitted your event and haven’t heard from us yet, don’t panic! We will contact you shortly.

We would really like to hear about new ideas, teams and projects related to Debian, so do not hesitate to submit yours.

See you in Heidelberg,
DebConf Team

Planet DebianFrancois Marier: Usual Debian Server Setup

I manage a few servers for myself, friends and family as well as for the Libravatar project. Here is how I customize recent releases of Debian on those servers.

Hardware tests

apt-get install memtest86+ smartmontools e2fsprogs

Prior to spending any time configuring a new physical server, I like to ensure that the hardware is fine.

To check memory, I boot into memtest86+ from the grub menu and let it run overnight.

Then I check the hard drives using:

smartctl -t long /dev/sdX
badblocks -swo badblocks.out /dev/sdX


apt-get install etckeeper git sudo vim

To keep track of the configuration changes I make in /etc/, I use etckeeper to keep that directory in a git repository and make the following changes to the default /etc/etckeeper/etckeeper.conf:

  • turn off daily auto-commits
  • turn off auto-commits before package installs

To get more control over the various packages I install, I change the default debconf level to medium:

dpkg-reconfigure debconf

Since I use vim for all of my configuration file editing, I make it the default editor:

update-alternatives --config editor


apt-get install openssh-server mosh fail2ban

Since most of my servers are set to UTC time, I like to use my local timezone when sshing into them. Looking at file timestamps is much less confusing that way.

I also ensure that the locale I use is available on the server by adding it to the list of generated locales:

dpkg-reconfigure locales

Other than that, I harden the ssh configuration and end up with the following settings in /etc/ssh/sshd_config (jessie):

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key


UsePrivilegeSeparation sandbox

AuthenticationMethods publickey
PasswordAuthentication no
PermitRootLogin no

AcceptEnv LANG LC_* TZ
AllowGroups sshuser

or the following for wheezy servers:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256

On those servers where I need duplicity/paramiko to work, I also add the following:

KexAlgorithms ...,diffie-hellman-group-exchange-sha1
MACs ...,hmac-sha1
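
The settings above, together with the SFTP-only chroot configuration from the earlier post, are the kind of thing worth re-checking after every upgrade. The following is an added example (my own code, not the author's or OpenSSH's) that parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, a Match line opens a new block) and flags the choices the hardening above is designed to avoid: root or password logins, no allowlist, SHA-1 key exchange or MACs such as the duplicity/paramiko additions, and a chroot block that does not pin ForceCommand or leave forwarding disabled. The sample configs are assembled from the snippets in the two posts; the wheezy sample also carries the login and allowlist directives so that only the SHA-1 downgrade is reported.

```python
import re

# Keywords whose value is an algorithm list; any name containing "sha1"
# (diffie-hellman-group-exchange-sha1, hmac-sha1, ...) is reported.
ALGORITHM_KEYWORDS = ("KexAlgorithms", "MACs")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with keywords lower-cased.

    Like sshd, the first occurrence of a keyword in a section wins and a
    'Match' line starts a new block that lasts until the next one.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if g.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (password logins possible)")
    if g.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords is 'yes'")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups allowlist")
    for keyword in ALGORITHM_KEYWORDS:
        weak = [a for a in g.get(keyword.lower(), "").split(",") if "sha1" in a]
        if weak:
            findings.append(f"{keyword} allows SHA-1 algorithms: {', '.join(weak)}")
    # A chrooted SFTP block must pin the command and shut off forwarding,
    # otherwise the chroot only changes the directory the user lands in.
    for criteria, s in blocks:
        if "chrootdirectory" not in s:
            continue
        if s.get("forcecommand") != "internal-sftp":
            findings.append(f"Match {criteria}: ChrootDirectory without ForceCommand internal-sftp")
        for key, label in (("allowtcpforwarding", "AllowTcpForwarding"),
                           ("x11forwarding", "X11Forwarding"),
                           ("permittunnel", "PermitTunnel")):
            if s.get(key, "yes").lower() != "no":
                findings.append(f"Match {criteria}: {label} not disabled")
    return findings


# Constructed samples, trimmed to the directives that matter for the audit.
JESSIE = """\
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation sandbox
AuthenticationMethods publickey
PasswordAuthentication no
PermitRootLogin no
AcceptEnv LANG LC_* TZ
AllowGroups sshuser
"""
# Wheezy algorithm lists plus the SHA-1 additions made for duplicity/paramiko.
WHEEZY_LEGACY = """\
KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
PasswordAuthentication no
PermitRootLogin no
AllowGroups sshuser
"""
# The SFTP-only chroot from the earlier post.
SFTP_CHROOT = """\
PermitEmptyPasswords no
PasswordAuthentication yes
AllowUsers sftp
Subsystem sftp internal-sftp
Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTunnel no
"""
# Same block with the ForceCommand line dropped.
SFTP_NO_FORCECOMMAND = SFTP_CHROOT.replace("        ForceCommand internal-sftp\n", "")

if __name__ == "__main__":
    for name, cfg in (("jessie", JESSIE), ("wheezy+sha1", WHEEZY_LEGACY),
                      ("sftp chroot", SFTP_CHROOT),
                      ("sftp, no ForceCommand", SFTP_NO_FORCECOMMAND)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

The SFTP-only config is reported for password authentication and for not setting PermitRootLogin; the first is a deliberate choice in that post, the second is worth adding explicitly since the default has changed between OpenSSH versions. Read a live file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`.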

Then I remove the "Accepted" filter in /etc/logcheck/ignore.d.server/ssh (first line) to get a notification whenever anybody successfully logs into my server.

I also create a new group and add the users that need ssh access to it:

addgroup sshuser
adduser francois sshuser

and add a timeout for root sessions by putting this in /root/.bash_profile:


Security checks

apt-get install logcheck logcheck-database fcheck tiger debsums corekeeper
apt-get remove john john-data rpcbind tripwire

Logcheck is the main tool I use to keep an eye on log files, which is why I add a few additional log files to the default list in /etc/logcheck/logcheck.logfiles:


while ensuring that the apache logfiles are readable by logcheck:

chmod a+rx /var/log/apache2
chmod a+r /var/log/apache2/*

and fixing the log rotation configuration by adding the following to /etc/logrotate.d/apache2:

create 644 root adm

I also modify the main logcheck configuration file (/etc/logcheck/logcheck.conf):


Other than that, I enable daily checks in /etc/default/debsums and customize a few tiger settings in /etc/tiger/tigerrc:

Tiger_Running_Procs='rsyslogd cron atd /usr/sbin/apache2 postgres'

General hardening

apt-get install harden-clients harden-environment harden-servers apparmor apparmor-profiles apparmor-profiles-extra

While the harden packages are configuration-free, AppArmor must be manually enabled:

perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub

Entropy and timekeeping

apt-get install haveged rng-tools ntp

To keep the system clock accurate and increase the amount of entropy available to the server, I install the above packages and add the tpm_rng module to /etc/modules.

Preventing mistakes

apt-get install molly-guard safe-rm sl

The above packages are all about catching mistakes (such as accidental deletions). However, in order to extend the molly-guard protection to mosh sessions, one needs to manually apply a patch.

Package updates

apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest

These tools help me keep packages up to date and remove unnecessary or obsolete packages from servers. On Rackspace servers, a small configuration change is needed to automatically update the monitoring tools.

In addition to this, I use the update-notifier-common package along with the following cronjob in /etc/cron.daily/reboot-required:

cat /var/run/reboot-required 2> /dev/null || true

to send me a notification whenever a kernel update requires a reboot to take effect.

Handy utilities

apt-get install renameutils atool iotop sysstat lsof mtr-tiny

Most of these tools are configure-free, except for sysstat, which requires enabling data collection in /etc/default/sysstat to be useful.

Apache configuration

apt-get install apache2-mpm-event

While configuring apache is often specific to each server and the services that will be running on it, there are a few common changes I make.

I enable these in /etc/apache2/conf.d/security:

<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off

and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default.

I also create a new /etc/apache2/conf.d/servername which contains:

ServerName machine_hostname


apt-get install postfix

Configuring mail properly is tricky but the following has worked for me.

In /etc/hostname, put the bare hostname (no domain), but in /etc/mailname put the fully qualified hostname.

Change the following in /etc/postfix/

inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3

Set the following aliases in /etc/aliases:

  • set francois as the destination of root emails
  • set an external email address for francois
  • set root as the destination for www-data emails

before running newaliases to update the aliases database.

Create a new cronjob (/etc/cron.hourly/checkmail):

ls /var/mail

to ensure that email doesn't accumulate unmonitored on this box.

Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then test the whole setup using mail root.

Network tuning

To reduce the server's contribution to bufferbloat I change the default kernel queueing discipline (jessie or later) by putting the following in /etc/sysctl.conf:



Geek FeminismI am their fury, I am their patience, I am their Linkspam (22 May 2015)

  • I had a culture column at WIRED. And then I didn’t. Here’s what happened. | monica byrne (May 19): “I’ve talked with other writers who’ve had experiences with Wired. My experience is not unique. So as far as I can tell, they don’t cover the future. They produce a white male fantasy of the future. Which isn’t surprising.”
  • The Dehumanizing Myth of the Meritocracy by Coraline Ada Ehmke | Model View Culture (May 19): “We hide behind the motto of “love the art, hate the artist” to justify our preferences despite the faint voice of conscience, persistent in telling us that something is amiss. It seems that ignoring the worst of our heroes is easy, but should the opposite also hold true? Should we ignore the positive, community-oriented contributions of others as quickly as we dismiss some people’s negative attributes? Are the contributions of bad actors really superior to those who bring humane, non-code contributions to our corner of the world?”
  • #girlswithtoys: women remind Twitter they are scientists too | Wired UK (May 18): “Female scientists from all over the world have taken to Twitter to post pictures of themselves with tools and equipment from their workplaces alongside the hashtag #girlswithtoys.”
  • Furiosa (5) | Be Less Amazing (May 18): “I’ve seen a few internet pundits that they “don’t see the feminist content” of this film. Dudes. It’s about the lone powerful woman in a male-dominated society who helps a group of sex slaves escape under the premise that “[they] are not things.” That’s about as feminist as it gets, and that’s just one of the many amazing equality messages going on this movie. “
  • The programming talent myth | (April 28): “When we see someone who does not look like one of those three men, we assume they are not a real programmer, he said. Almost all of the women he knows in the industry have a story about someone assuming they aren’t a programmer. He talked to multiple women attending PyCon 2015 who were asked which guy they are there with—the only reason they would come is because their partner, the man, is the programmer. “If you’re a dude, has anyone ever asked you that?” On the other hand, when he got up on stage, he did look like those guys. “So you probably assumed I was a real programmer.” These sorts of assumptions contribute to the attrition of marginalized people in tech, he said.”
  • We Will No Longer Be Promoting HBO’s Game of Thrones | The Mary Sue (May 18): “After the episode ended, I was gutted. I felt sick to my stomach. And then I was angry. My next thought was, “I’m going to have to spend part of the next six months explaining why this was a bad move over and over.””
  • Reasons Why It’s Hard to Find Senior Women Engineers | Accidentally in Code (May 14): “People ask me about this topic sometimes, especially as I’m no longer close to being a “new grad” but at the point where I look for bigger opportunities. I’m collecting it here for reference – reasons and observations from my own experience, of why it’s so much harder to find senior women engineers.”
  • How Social Media is Failing Creative Women | Ink, Bits, & Pixels (May 17): “Real Name policies endanger women. Until these companies understand WHY that is, it’s not possible for the policy to be crafted in a way that reduces the danger.”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

CryptogramFriday Squid Blogging: Giant Squid Washes Up in New Zealand

The latest one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

TEDHow a TED Talk helped put women’s health research on the political agenda

Paula Johnson's talk at TEDWomen gave attendees a new appreciation of why it's important to include women — and female animals and female cells —in medical research. Because even cells are gendered. Photo: TED


“Women’s health is an equal rights issue as important as equal pay.”

When Paula Johnson uttered this sentence on the TEDWomen 2013 stage, the audience broke into spontaneous applause. “At that moment, it said to me they got it,” she says.

Johnson has been working for decades to raise awareness about how diseases behave differently in women and in men — and calling out how much more we know about men’s diseases than women’s. For example, in men, heart disease typically manifests as a blockage, but in women, plaque tends to be distributed more evenly in arteries. The two diseases, though similar, require different kinds of tests to diagnose — but this was not widely known. Many women with heart disease, as a result, simply didn’t get diagnosed or treated at all.

Compounding the problem, until around 20 years ago, women were rarely the subjects of medical research, leading to a stunning lack of information on how diseases — and different medications and treatments — affect them. Even today, while women are part of clinical trials, it’s not necessarily at representative numbers.

So giving her TED Talk, says Dr. Johnson, was like knocking over the first domino in a long chain toward getting her message heard.

“I would say that in a year, we have seen more progress on this issue than we have literally in the past 20,” says Johnson, chief of the Connors Center for Women’s Health and Gender Biology at Brigham and Women’s Hospital in Boston. “My TED Talk was the breakthrough in allowing me to deliver the message to a broad audience.”

Since her talk went live in early 2014, good things have been happening. Newspapers and magazines have increasingly covered the gender gap in health, often quoting Dr. Johnson and other experts from the Connors Center. The center has started work on a policy brief with the Kaiser Family Foundation, and is working with The Jacobs Institute to study how sex-based science can be translated into clinical care. Johnson herself was elected to the Institute of Medicine.

The talk also kicked off a big moment for the movement: the National Policy Summit on the Future of Women’s Health in March 2014. This summit brought together heavy hitters like Senator Elizabeth Warren, FDA commissioner Margaret Hamburg, and journalist Lesley Stahl for a day-long think on how to push forward the idea of sex-specific medical research. And it had real results.


Johnson and her team had long hoped to hold a summit like this, but her invitation to speak at TEDWomen gave the project a jump-start.

“TED really set the stage,” she says. “As I started to develop the TED Talk, we began to crystalize how to create a powerful story that could be accepted, understood and embraced by the academy, by advocates, by Capitol Hill policymakers and by the general public. You have to think long and hard to get to, ‘What is the best way to articulate my message?’ The goal for me was to create a base of knowledge that was going to move to the next level of change.”

As Johnson wrote her TED Talk, plans for the summit came together, and things accelerated after her talk was posted. “It was really electric,” says Johnson of the March 2014 event. “It was people from academia, pharma, TV news, policymakers all together, getting educated and really thinking about: what is the path forward? People came to the table with visible passion, and I think it was a kind of clarion call for change in the way science is done.” In a breakout session, Stahl interviewed activist Vicki Kennedy and the FDA’s Hamburg, asking tough questions like, “Do you even know which of all the drugs the FDA has approved which men and women metabolize differently?”

One of the most passionate people in the room: Elizabeth Warren. In an interview later, the Senator shared why the topic is so important to her. “Part of this is personal,” Warren said. “My mother was in the hospital for a little surgery. She was going home the next day. She sat up in bed and said to my daddy, ‘Oh there’s that gas pain again,’ and then fell back dead. The autopsy showed that she had advanced coronary disease, which had never been diagnosed and of course never treated. Back then, no one knew that women had heart attacks too.”

Johnson was thrilled to find such an avid supporter of her work. “[Elizabeth Warren] said to me at the end of the summit, ‘We are going to work on this together,’” remembers Johnson. “And she’s done it. She’s followed through.”

Warren, along with nine other House and Senate Democrats, requested a report from the Government Accounting Office (GAO) on the inclusion of women in clinical trials supported by the National Institutes of Health (NIH). The report is expected in August 2015 — and Johnson is hugely excited about it. “Once you get a GAO report, it can form the basis for policy moving forward,” she says.

It is even possible, however, that the NIH may move forward on the issue before the report. Johnson says, “The NIH made an announcement that they, at some point in the near future, will require the inclusion of female animals and female cells in preclinical research, and will also require the inclusion of adequate numbers of women to get meaningful results in clinical trials. They’ve called for input to how to implement such a change, and we’ve provided significant input on that.”

Lesley Stahl interviews Margaret Hamburg of the FDA during the Women's Health Summit in 2014. Notice Paula Johnson in the front row. Photo: Brigham and Women's Hospital


At the summit, the Connors Center released a report of its own, called Sex-Specific Medical Research: Why Women’s Health Can’t Wait. It outlined progress and roadblocks on the way to health equity in cardiovascular disease, lung cancer, depression and Alzheimer’s — plus a detailed, bullet-pointed action plan.

One focus of the report: that peer-reviewed journals should require researchers to disclose the gender breakdown of the subjects in their studies and clinical trials. As Johnson says: “What we called for in the report is almost like a nutrition label, so that authors state up front who’s in their study. And not just for clinical trials, but for any study — whether it be on animals or on cells. Even stem cells are sexed. If you use stem cells to populate a heart — what we call a heart scaffold — if it’s female cells, it looks different than male cells.”

In late 2014, the Endocrine Society introduced a policy for its scholarly journals, requiring that all authors submitting papers disclose the sex of both human and animal research subjects.

The report also lays out what individuals can do to help create systemic change, beginning with pushing their own doctors to consider gender in both diagnosis and treatment of ailments and letting politicians know that greater accountability on the issue of gender-equity in medical research is important. Another approach: Johnson wants to see women who are involved in disease-specific advocacy organizations — organizations dedicated to Alzheimer’s, diabetes, etc — bring up gender. “People need to start asking: do you consider sex in your approach to science or care?” says Johnson. “And if the answer is ‘no,’ then: ‘Why? Where are the opportunities to do that?’”

So far, Johnson has been thrilled with the changes that have come from the summit. “Our report lays out a path forward, and it has been the path forward,” she says. “There has been significant momentum. We’re not there yet — there’s still a lot of work to do — but we have really seen a sea change.”

As all of this has happened, Johnson continues to hear from men and women daily about her talk. “The one thing I constantly get from my TED Talk is, ‘I never knew this. I just assumed [research on women] was done,’” she says.

She’s proud that her talk could surface an issue in healthcare and science that had largely flown under the radar. “When you have something as basic as the inclusion of women — and female animals and female cells — in research and it’s not being done routinely in a meaningful way: this is our health,” she says. “There needed to be a rallying call.”


TEDLooking for a new podcast to try? 45 great picks from the TED staff

Podcast recommendations

There’s something so cool about finding a new podcast to love — each little download opens a door to new ideas, new jokes, new ways of seeing the world. As you might guess, many of us working at TED have strong opinions about this. Beyond the podcasts we all love: This American Life, Radiolab, The Moth, Serial, and of course our own TED Radio Hour — here’s our list of 45 you might not know you needed to listen to right this minute.


For great storytelling

Snap Judgment
“It’s a 56-minute whirlwind that always seems to go by too fast,” says Ellyn Guttman, of our TED Books team, about this hard-to-describe NPR podcast hosted by Glynn Washington. “It’s similar to This American Life but edgier,” adds Kim Nederveen Pieterse of our Partnerships workgroup. “It questions race, identity and ‘the system’ through personal storytelling and music.”

This podcast bills itself as “stories of people who’ve done wrong, been wronged or gotten caught somewhere in the middle.” Photographer Ryan Lash says, “After binging on Serial for the third time, this show satisfies my cravings.”

The Story Collider
Science meets stories in this podcast from former TED staffer Ben Lillie. “Sometimes scientists share funny moments from their lab; other times they explain how they became fixated on niche topics. Sometimes it’s non-scientists telling science-y stories,” says writer Kate Torgovnick May. Recent episodes include “Who Looks Like a Scientist?,” about an offhanded sexist remark overheard by TED Fellow Renée Hlozek, and “Questioning a Hero,” with TED speaker Ed Yong — on what happened when he interviewed Sir David Attenborough.

State of the Re:Union
“I’ve been listening more and more,” says Alex Rudloff of TEDx. The concept of this NPR show: it takes a snapshot of America, community by community. “It’s got a grassroots, local focus. And Al Letson’s a great storyteller who, coincidentally, hosted TEDxJacksonville.”

Love + Radio
This podcast weaves fact and fiction, pulling together interviews and stories that relate to a theme. “Radiolab featured their segment ‘The Living Room,’ in which a woman learns intimate details of her neighbors’ relationship because they never close their curtains,” says TED-Ed animator Lisa LaBracio. “It’s a podcast that introduces you to the strangest of strangers, but also gives a gentle reminder that we’re all a little bit strange.”

Many members of our staff love this NPR podcast, which explores the intangible forces that shape our lives. Cloe Shasha of our Content team says, “It’s just fascinating to consider the mysteries of our perception and assumptions.” Emily Pidgeon of Design Services adds, “I’ve devoured every episode because they get into emotions, thoughts and perceptions in a way that’s captivating. If I could, I would erase my memory and relisten.”

The Truth
This show harkens back to the radio plays of yesteryear. “They do a great job with storytelling and production. It’s a lot of fun to listen to — sometimes sad, sometimes funny, always entertaining,” says Jai Punjabi of our Technology team.

Mystery Show
A soon-to-launch podcast hosted by Starlee Kine, Mystery Show promises to solve a real-life mystery every episode. A trailer has Kine talking to one person about the mustached woman who helped her out of a bind, and to another who has been pondering a mystery for 20 years. “The show doesn’t launch until May 22,” says Thu-Huong Ha of our Editorial team. “But Starlee’s trailer is characteristically quirky, intriguing and giggle-inducing.”

Benjamen Walker’s Theory of Everything
“Each episode feels like a stream of consciousness variety show mixed with music, philosophy and a dose of skepticism,” says LaBracio. “I love the range of topics that he covers and the surprises that he uncovers along the way. One of TED-Ed’s artists, Celeste Lai, works on it now too.”


For a more thoughtful life

On Being
A classic podcast from Krista Tippett. “This weekly conversation grapples with the many facets of human connection and existence,” says TED Prize director Anna Verghese. “It explores value, faith and meaning.” Lisa Bu of our Distribution team recommends this podcast too. She says, “It explores the big questions at the center of life: What does it mean to be human, and how do we want to live?”

My Brother, My Brother and Me
This podcast could go here, or in the “For belly laughs” section. “It’s three brothers — Justin, Travis and Griffin McElroy — who, essentially, seek out the strangest Yahoo! Answers questions and dish out advice on them,” says writer Torgovnick May. “Sometimes their advice is good. Sometimes it’s terrible. But the real joy is the trio’s lightning-quick wit with each other.”

The Dinner Party Download
“It’s a podcast structured like a dinner party, and intended to make you a scintillating host and/or guest,” says Haley Hoffman of our Technology team. “They bring in a celebrity for a short interview, dish out interesting factoids about current events and have a themed cocktail.” Emily Ludolph of our Partnership team loves this podcast too. “Know all my amazing office jokes?” she says with a wink. “I get them from their ‘icebreaker’ opening.”

Alan Watts Podcast
A collection of lectures and seminars from the iconic philosopher, curated by his son. “Alan Watts has a gift to make abstract ideas come to life,” says Bu. “He can bring Eastern philosophies close to the hearts of Western audiences.”

The Longest Shortest Time
This show is intended to be a “bedside companion for parents.” But Hoffman, who is actually not a parent, finds herself fascinated by it. “It’s spectatorship for people who like worry,” she says.

Death, Sex + Money
“Touching, poignant and direct, Anna Sale interviews folks — both famous and not — about the three things we want to talk about anyway,” says TED-Ed’s Caroline Cristal about this WNYC show. “The interviews are always interesting, and it’s great to hear different perspectives on these topics and how people handle them.”


For random knowledge

Stuff You Should Know
“This podcast is super fun,” says engineer Michael Rhing. “Each episode does a great job covering a subject in about 30 minutes. The episode that got me hooked was ‘How Skywriting Works’ — never really something that I thought would have an interesting history. But they proved me wrong.”

The Memory Palace
This podcast surfaces surprising stories of the past. Just one classic: the story of German prisoners of war, captured on a submarine, who attempted to escape a prison camp in Arizona by digging their way out. “It’s one of my all-time favorite podcasts,” says photographer Lash. “The episodes are short, non-traditional, wonderfully intimate notes from history.”

A show about food, through the lens of science and history. “What’s not to like?” asks Helen Walters, our Ideas Editor. “And it’s helmed by the lovely Nicola Twilley, who is absurdly smart.”

Desert Island Discs Archive
You’re stranded on a deserted island; choose eight records, one book, and a luxury to take with you. BBC Radio 4 has been posing this question since 1942, and the entire archive is online, more than 1,500 programs. Editor Emily McManus will someday listen to them all.

Philosophy Bites
Fifteen-minute interviews with philosophers, by philosophers; Rachel Saunders of TEDx is obsessed. “Episodes start with the philosopher summarizing his or her position — and then come follow-up questions and analysis,” she says. “Some episodes are abstract (‘Noël Carroll on Humour and Morality’), while some are more specific and relevant (‘Jeff McMahan on Gun Control’). And many are with TED speakers (‘Alain de Botton on Philosophy Within and Outside the Academy’).”

Word Gang
Best described as “a weekly show about words and the people who use them,” this show goes on the road to parks, prisons, poetry slams and more for lively conversations about words. “It’s from my pal Rives,” says content director Kelly Stoetzel.

Since 2010, Freakonomics co-author Stephen J. Dubner has done a podcast version of the well-known book franchise. “Digging through the archives turns up some real gems,” says Amanda Ellis of TEDx. “One of my favorites was ‘Why Do People Keep Having Children?’ on the history of why women in various parts of the world keep having multiple children. Another good episode made the case that gossiping may be good for you. Very interesting.”

Free Thinking
A BBC Radio 3 stalwart, this show features in-depth conversations with thinkers and cultural critics. Things often veer in the direction of debate. “It’s like listening to your favorite sociology professor and favorite economics professor duke it out,” says writer Torgovnick May. “It’s where to turn when you want an hour-long discussion of violence in culture or how Dante’s Inferno has influenced us.”

Meanwhile in the Future
This new podcast from Gizmodo imagines science fiction-y futures and asks experts to take them to their most logical extremes. It’s produced and hosted by longtime TED-Ed contributor Rose Eveleth. “It’s a podcast about overthinking things,” says Thu-Huong Ha of our Editorial team. “Two episodes are out so far — about artificial wombs and if Earth had a second moon — but I think it’s going to be great.”


For belly laughs

The Indoor Kids
A podcast dedicated to video games, action figures, comic books and more. “It’s hosted by Kumail Nanjiani, from Silicon Valley, and Emily V. Gordon, who — full disclosure — is a friend I’ve been bonding with over random pop culture stuff since college,” says Torgovnick May. “It’s hilarious. A nice moment in the week to indulge in assorted nerdery.”

Comedian Zahra Noorbakhsh and writer Tanzila “Taz” Ahmed join forces to examine pop culture, current events and religious identity in America — via their own experiences as young Muslim-American women in California. “Every episode offers smart, funny insights and a fresh, nuanced perspective on the headlines,” says Laura McClure of TED-Ed.

Pop Rocket
“It’s a weekly conversation about pop culture,” says Sacha Vega of our Design Services team. “The hosts combine comic, journalistic, academic and digital media expertise to give a really fun, varied update of the things they love to love.”

WTF with Marc Maron
A classic podcast from comedian Marc Maron, in which he interviews musicians, writers, directors, actors and, naturally, other comedians. Video editor Isaac Wayton loves the show’s casual vibe. “Because of his self-deprecating humor, Marc creates a comfortable atmosphere for guests to open up and talk about their awkward past, how they became ‘famous,’ or just have a casual conversation about everyday life,” he says.

Call Chelsea Peretti
“It’s a call-in show,” says Jessica Ruby of TED-Ed, who is a big fan. “Chelsea is wry, plays little games with her callers, and doesn’t take any of it too seriously.”

Call Your Girlfriend
“The premise of the podcast is: two long-distance best friends catch up with each other,” says Vega. “The conversation can go anywhere from general life updates to political legislation, Kanye West, tech news, period jokes. I love it because it feels like a genuine conversation between two friends who are hard-working and creative.”

Pop Culture Happy Hour
Guy Raz, the host of TED Radio Hour, loves this NPR podcast. “It’s an incredibly entertaining, smart show where Linda Holmes, Stephen Thompson, Glen Weldon and a rotating cast of characters discuss movies, TV and books,” he says. “It’s accessible — meaning it’s still great even when you haven’t seen the movie or TV show — and you come out of each episode feeling connected to the world and the people around you.”

Analyze Phish
The premise of this now-ended podcast by comedian pals Harris Wittels and Scott Aukerman? Wittels loves the band Phish, while Aukerman hates them, so Wittels does his best to sort through the band’s catalogue and recruit Aukerman to his side. Wittels died last year, but as Ruby says: “it’s one of the most joyful podcasts I’ve ever heard. It’s for comedy and music fans alike — even, or especially, those who can’t stomach Phish.”


For better business

Negotiation Academy
“I really enjoyed this podcast from Slate,” says Diana Enriquez of TED’s Content team. “The hosts went through a negotiation course offered by Columbia Business School and created the show to work through some of the scenarios they learned. It provides real tools that I’ve since used to negotiate contracts and new projects.”

The first season of this podcast featured Alex Blumberg sharing his story as he launched Gimlet Media. In season two, he follows two women launching a tech-based matchmaking company. Punjabi of our Tech team says, “It gives a vulnerable and insightful look into the business decisions and the journey of being a technology entrepreneur.”

Manager Tools
“It’s the only podcast I ever listened to regularly,” says Dan Russell, also of our Tech team. “My favorite episode is called, ‘Do You Need to Apologize?’ It’s from 2006, but still so relevant.”

Planet Money
A classic NPR podcast that makes economics fun. “It’s my all-time favorite,” says Enriquez. “It encourages people to think about economics beyond interest rates and other dry topics from Economics 101.” Nederveen Pieterse of Partnerships adds, “I loved their episodes on the underground sneaker economy, the humans behind the machines and how to steal cattle.”

IDEO Futures
“A great podcast on how design, business and entrepreneurship intersect,” says Jody Mak of our Partnerships team.

FCPX Grill
“This podcast focuses on all things FCPX — Final Cut Pro X — which is the editing software we use at TED,” says editor Wayton. “It offers insights into the evolution of FCPX, as well as how other working professionals are using the software.”

Grammar Girl Quick and Dirty Tips for Better Writing
“As someone who grew up with a Portuguese-speaking mom and never cared much for studying language or grammar, this podcast has been immensely helpful in my life,” says Gwen Schroeder of our Video team. “It’s made the most confusing grammatical rules understandable.”


For thinking about creativity

A Tiny Sense of Accomplishment
“I am obsessed,” says social media editor Nadia Goodman. “Authors Sherman Alexie and Jess Walter riff on writing and life. It’s funny, thought-provoking and all-around wonderful. And they often read works in progress, which is so cool to hear.”

Culture Gabfest
“We often think of cultural critics as being provocative, cranky and snobby,” says Angela Cheng of our Video team. “But Julia Turner, Dana Stevens and Stephen Metcalf each respond to cultural phenomena with thoughtful and unique analysis. ‘Analysis’ isn’t even the right word. They really just have a weekly conversation that keeps me company.”

Here’s the Thing
This WNYC podcast is easily explained. “It’s Alec Baldwin having a series of honest conversations with different personalities,” says Martha Estafanos of our Media team. And photographer Lash loves it as well: “Who would have thought that Alec Baldwin is one of the all-time great interviewers?”

99% Invisible
“This design podcast is one of my absolute favorites,” says Punjabi. “It brings attention to all the things that require design — think locks or money — that you might not take the time to think about. It’s a shorter show, which is nice. I was so excited that the host, Roman Mars, gave a TED Talk this year.”

A podcast from screenwriters John August and Craig Mazin. Says Cheng, “It’s a fun and incredibly informative one-hour discussion about all things that screenwriters and movie-loving non-screenwriters would find interesting.”

How Did This Get Made?
“I’ve always had a soft spot in my heart for terrible movies, because they’re so fun to watch with friends,” says Wayton. “Paul Scheer, June Diane Raphael and Jason Mantzoukas take this a step further by actively seeking suggestions for bad films, watching them and then getting together for raucous conversations about them.” He recommends it for anyone who enjoyed Road House, Congo or the Fast & Furious franchise — and warns that it’s NSFW.

CryptogramUSPS Tracking Queries to Its Package Tracking Website

A man was arrested for drug dealing based on the IP address he used while querying the USPS package tracking website.

TEDAvoiding the hunger season: How a TED Fellow is working to save African cassava from whiteflies

Laura Boykin, right, and fellow researcher Donald Kachigamba, at left, inspect African whiteflies feeding on cassava leaves at a farm near Namulonge, Uganda. While scientists once assumed there was only one species of whitefly worldwide, Boykin’s work has identified at least 34. Photo: Courtesy of Laura Boykin

For decades, the farmers of East Africa have battled the African whitefly, a tiny insect that infests the cassava crop. Cassava, also called manioc, arrowroot or tapioca, is an important food all over the world — more than half a billion people (yes, billion with a b) rely on cassava for their daily meals. For East African farmers, a whitefly infestation can completely destroy the year’s crop, and with it the food security for their families.

Yet surprisingly little is known about the whitefly itself. It’s only in the past few years, in fact, that scientists even knew whether there was more than one species — and now, it turns out, there are at least 34. Who’s counting? Computational biologist Laura Boykin, who studies the Bemisia tabaci whiteflies that plague East Africa, using genomics, supercomputing and evolutionary history. With the data she’s gathering, now publicly available via WhiteFlyBase, she hopes to help researchers breed new strains of cassava that resist the whitefly.

We asked Boykin to tell us more about her work, how she discovered this problem … and how she realized she had the right skills to help solve it.

Tell us about the whitefly and cassava. Why is this problem crucial to solve?

700 million people around the world depend on cassava for their daily calories. Without it, for many families, there’s no food and there’s no income. To understand the importance of cassava in a farmer’s life, read The Last Hunger Season, by Roger Thurow. Depending on the country, farmers typically have a one-acre plot, which might include beans and other crops. In Kenya, for example, they’ll grow maize and sweet potatoes, and cassava is a backup. It’s planted and takes a while to grow, so when all the other crops are gone, the family thinks, “Okay, the cassava will get us through the hunger season.” But if it’s rotten due to whitefly, there’s absolutely no food.

Whiteflies transmit two viruses that kill cassava: cassava mosaic disease and cassava brown streak disease. In tandem, these cause 100 percent loss of the crop. It’s a massive problem, especially in East Africa. I’m one of 15 principal investigators working on a new project whose mission is to give farmers a cassava plant that’s resistant to the viruses and the whiteflies. How do we get there? Whiteflies are a global problem, creating havoc on every continent. So first, it’s identifying what whiteflies and viruses are present in East Africa.

African cassava whiteflies (Bemisia tabaci) feed on the underside of cassava leaves near Namulonge, Uganda. The viruses whiteflies transmit destroy cassava plants and render their roots inedible. Photo: Laura Boykin


Where did the problem originate?

Cassava originates from South America, and was taken to Africa in the 1700s. But these viruses aren’t found in South America. The hypothesis is that they’d been lying dormant in African native vegetation. We think that the whiteflies feed on native shrubs, then go feed on cassava, transmitting the virus from the shrubs to the cassava plants.

Fortunately, the viruses haven’t yet spread to West Africa, the biggest cassava-producing place in the world. Right now, the virus is concentrated in a pocket of East Africa: Tanzania, Uganda, Malawi, Mozambique and Zimbabwe. The hope is that we can control the whiteflies enough so that they don’t spread.

When did whitefly infestation start becoming a noticeable problem?

In the 1990s, researchers were attempting to control cassava mosaic disease that was breaking out in East Africa. They thought they had a control for it via traditional breeding. Then the cassava brown streak virus emerged; it turned out that whiteflies loved the new varieties that the researchers rolled out to control the first virus. In essence, the researchers had been trying to breed for virus resistance without taking into account that there might be different species of whiteflies.

We’ve done modeling based on genetic data indicating that Africa is the origin of the species, so it makes sense there will be the most diversity there. With that information, we are working to ensure that the people who are doing the plant breeding get the resistance right for all the whitefly species that the plant might encounter.

How did scientists not know that there was more than one species of whitefly?

This is the interesting part. The idea that there was only one species of whitefly worldwide was held for so long and became so ingrained that no one seems to care what the data says now. Meanwhile, the funding to do work on whiteflies — especially in sub-Saharan Africa — has been so scarce that no one was able to even look to see what’s there. It’s only been in the last seven years or so that people have started to do sampling of the region. The more we sample, the more we realize there are tons more species of whitefly in Africa than we ever thought.

One of the difficult things about identifying new species is that scientists are under pressure to not change their names, because then all the names within the governmental regulations have to be changed. There’s also pressure from chemical companies, who market their products for specific species. If we say there are 34 species — and not one — they have to test their products on all 34. We are creating more work for people, and there’s enormous resistance. But the science is the science. We need our solutions customized to the right enemy. It’s a non-negotiable point.

By the way, the whitefly is highly regulated around the world. Countries have massive regulations on whitefly moving across borders. It can transmit viruses to tomatoes, sweet potatoes and ornamental plants. They are dreaded worldwide.

Cassava root infested by cassava brown streak virus. Healthy cassava root is a solid, creamy white. Photo: Laura Boykin


Take us through your day. What do you do with whiteflies?

I have whiteflies in the lab, and we extract the DNA or the RNA. It sounds simple, but it’s probably three days’ worth of work. The majority of my time is then spent trying to deal with the data we generate from this material. We have these really cool sequencing machines, amazing HiSeq, MiSeq genomic-generating machines, in which we put the samples to generate their genome. The machine spits out a ton of data, and then we have the task of trying to make sense out of billions of base pairs — billions of As, Ts, Gs and Cs at a time. I work with a supercomputer called Magnus, which is the southern hemisphere’s fastest supercomputer. Who doesn’t love that?

I should note that the majority of the research is based in sub-Saharan Africa. We have partners at the Mikocheni Agricultural Research Institute in Tanzania, at the Department of Agricultural Research & Technical Services in Malawi, and at the National Crops Resources Research Institute in Uganda. Where I work at the University of Western Australia, we’re just contracted to do the things with equipment that’s not available in the region — basically, crunching numbers. A big part of what we do is also strengthening the skills of young African scientists. We have Ph.D.s who come for access to the genomic machines and the supercomputer. We’re in the genomic revolution. We have more genomic data than we know what to do with. So part of my goal is to train students on the skills to analyze all this data.

How did you become drawn to this subject — whitefly, cassava, small farmers, Africa?

I’m trained as a plant taxonomist, which is why I’m so into getting the species named correctly. But I realized at some point that I probably wouldn’t get a job doing that. Realistically, how many plant taxonomists actually have jobs at universities? Not many. So I thought if I learned how to analyze DNA data rather than focusing on the organism, I’d have a skill set I could apply to any problem.

I worked at Los Alamos National Laboratory for about four years. That was my first exposure to a supercomputer. I analyzed influenza and hepatitis C sequence data, to find clues to give the CDC about vaccines — on what strains could potentially be the next outbreak in the population. Those sorts of skills are invaluable for work with insects, because they invade the ecosystem like viruses invade our bodies.

I didn’t start working on invasive insects until a postdoc in Florida at the USDA. There, the whitefly problem lies with ornamental plant and tomato growers. Europe put an embargo on Florida flowers due to whitefly, and that was a big deal. So it wasn’t that I was particularly interested in insects. I just decided to put my skills to this problem, because in my opinion, fighting whiteflies is as important as vaccine selection. Farmers are struggling; let’s use what resources we have to get help.

A happy smallholder farmer in Uganda with healthy cassava. The white root indicates there is no cassava brown streak virus, which renders the root inedible. Photo: Laura Boykin

A farmer in Uganda shows what a healthy cassava looks like. The majority of small farmers in East Africa affected by cassava devastation are women. Photo: Courtesy of Laura Boykin

Why Africa?

I always took a global approach to figuring out how many whitefly species there were. I became interested in sub-Saharan Africa because, scientifically, it sits at the base of that [evolutionary] tree. The fact that they’ve been around for millions of years fascinated me.

In 2012, I attended an Agricultural Research Connections workshop hosted by the Bill and Melinda Gates Foundation in Kenya. During that trip, we visited a smallholder farm and I saw the devastation caused by whiteflies. At that moment, I was sold that this is what I needed to be doing. That was it. The situation was unacceptable, and my skills could be applied to the problem. I hadn’t considered before that I could pass them on to the next generation of scientists. I decided the best use of my time on Earth was to make a difference here.

So, when we were doing this big negotiation for our current funding, and it went through several rounds — if it didn’t come through, I was going to go home and live with my mother on the west side of Phoenix, Arizona. This work hits the absolute core of who I am.

Why does this work resonate so deeply with you?

My mom was a single mom — she had two kids and struggled to make ends meet. I thought to myself, these women — because the majority of these farmers are women — sacrifice everything for their kids. They are just like my mom. She sold hot dogs at Phoenix Suns basketball games to put me through college after her day job teaching school. In Africa, it’s like that, times a million. Women are the backbone of society.

These are the poorest people on the planet — how in the world can we not help? Why would I turn away from this? I wish that people who might not think they could help would consider the problem for just a split second. There are really smart people out there, and if everybody just gave a little bit of brain space, we could figure it out a lot quicker.

The collaborators on our project work around the world. Here we are visiting the cassava fields at the National Crops Resources Research Institute, Namulonge, Uganda. From left to right: Dr Peter Sseruwagi, Dr Donald Kachigamba, Dr Titus Alicai, Dr Chris Omongo, Dr Laura Boykin, Professor John Colvin, Dr Sarina MacFayden. Photo courtesy of Laura Boykin

The collaborators on this project hail from around the world. From left to right: Peter Sseruwagi, Donald Kachigamba, Titus Alicai, Chris Omongo, Laura Boykin, John Colvin, Sarina Macfadyen. Photo: Courtesy of Laura Boykin

Wouldn’t it be wonderful if there were some sort of mechanism to get everybody who complained of being bored or underutilized at their job to drop everything and help with problems like this?

Exactly. I do think people want to work on real-world problems, if given the chance. For example, five computing students at UWA helped us make a database with all of our genetic information. They’re not biologists or agriculturalists, but when we made the opportunity available online, they stepped up, in spite of my colleagues’ skepticism that non-biologists would volunteer. They developed WhiteFlyBase, because they want their computational work to mean something. They had the skills, there was a problem, they contributed — done. The best news is they are now finalists for the Western Australian technology awards for their work.

Another example: recently, in Uganda, we interviewed Ph.D. students for a project. One application stood out to me — a mathematical modeler. I said to the team: “You guys, we need him.” They said, “He didn’t rank. He hasn’t got the agricultural skills.” But he turned out to be amazing, and he’s coming to the University of Western Australia to work with us. Having a diverse team is key to solving problems.

At the end of the day, the most magical part of this project is the people I have met in East Africa. The smallholder farmers, my friends and colleagues in Tanzania, Uganda, Kenya and Malawi make me want to keep doing science. For example, one of my collaborators, Dr. Joseph Ndunguru — who has singlehandedly brought biotechnology to sub-Saharan Africa — is one of my idols in science. He’s so in love with trying to find solutions for smallholder farmers, it’s contagious.

There’s this drive, this work ethic. Nothing is too hard, because the problem is so big. There’s no complaining about trying to get papers into Nature or Science, or “impact factor.” My colleagues have got farmers coming to them who have nothing to eat — so it’s pretty straightforward. That’s what I call “impact”: science applied to people’s lives. All my days are now inspired by these farmers, and I will work as hard as I can.

Joseph Ndunguru, head of the Mikocheni Agricultural Research Institute in Tanzania holds a “gene gun” used to transform cassava. Boykin refers to him as "my idol." Photo: Courtesy of Laura Boykin

Joseph Ndunguru, head of the Mikocheni Agricultural Research Institute in Tanzania, holds a “gene gun” that can be used to inject cassava with resistant genes. Photo: Courtesy of Laura Boykin

Chaotic IdealismShoulds

You should do.

          I won't do.

You should do.

          I am I, not you.

          I want to. Not should.

          You should; but I want.

          I can, or could, or might--or I won't.
          My choice.

You should.

          You should; but I won't.

Your shoulds are I wants.

          I still won't.

          I won't should. I want, could, might--or I won't.
          I choose.

...You could.

          I can.

TEDTED Fellow Tal Danino programs bacteria to detect and treat cancer – and make art


Did you know that bacteria can be programmed as though they were computers? Bioengineer and artist Tal Danino is working out how to instruct bacteria to enter cancerous tumors — where they can detect and treat the disease noninvasively. And when Danino isn’t tinkering with bacteria’s healing potential, he makes artwork with it.

With Danino’s TED talk posted just yesterday, he tells the TED Blog more about bacteria and how the artistic process drives his scientific research.

Tell us about your work in studying and programming bacteria.

There are two really interesting aspects to this. The first is that there’s this entire universe of bacteria inside of you, and in the last five to ten years, there’s been a revolution in figuring out what your microbiome does. It’s a really big part of your identity as well as a part of how you respond to and digest foods, how you develop certain diseases, allergies, and so on. Historically, we’ve thought of bacteria in a negative light and have worked to maintain sterile environments. Now a lot of the recent research suggests we’ve been too sterile — and that disorders such as allergies, diabetes and obesity are connected to our microbiome. We’ve realized that basically the bacteria in our bodies are usually good, and that they’re a very important part of our health.

Do we know exactly why bacteria are so important to our health?

We don’t yet. We know a lot, and every week we find out a new fact. For example, we now know that the way that you were delivered when you were born — whether it was by caesarian section or traditionally — affects frequency of allergies, or that if you take antibiotics often in the early years of your life it can affect health processes down the road, such as development of asthma. If you grew up with a dog, for example, studies have shown you are less likely to develop allergies or asthma, because dogs can spread bacteria around that develop the immune system and help it to mature when you’re younger.

In my work, we are not only recognizing the importance of bacteria, but we are changing them. There’s this whole other revolution in which we are learning how to program life, similar to how we program computers.

Our technology has reached a point where we can write DNA like we would computer code. As a grad student, I started genetically programming bacteria to talk to each other, and to produce synchronized patterns. Then, as a postdoc, as this bacterial revolution was happening, I began to think about how we can program bacteria in our bodies. That’s when I started to develop bacteria to detect and treat cancer.


How does one program bacteria? What does this mean?

What we’re doing is modifying the DNA of bacteria. Without getting into technical detail, we have machines that can print out the letters of DNA, like A-T-G-C, and we’ve studied what sequences produce what function for quite some time. So for instance, there is a specific string of 500 letters or so that produces a purple-colored molecule. I print and cut-and-paste these DNA sequences, and put them into bacteria to instruct them to do certain things. In this case, I instruct the bacteria to make a purple molecule if they come into contact and grow within cancer cells, and the color is visible in urine, creating a noninvasive way to detect the disease.  We’ve also been using this technique to program bacteria to make molecules that treat cancer, causing the tumors to shrink or slow in growth. Researchers like me are thinking, “What can we program bacteria to do if they find a tumor?” We’ve been working on these ideas in mice with liver cancer.

What bacteria do you use to detect and treat cancer? Are there cancer-causing bacteria that you target?

Except for a few really specific cases, there’s not really a bacterium that causes cancer, so whatever bacteria we use simply need to be able to colonize the body’s tumors — we can use E. coli, Salmonella, and so on, bacteria that will thrive in anyone’s body. In fact, we’ve also been using probiotic bacteria, or ‘good’ bacteria — like those in yogurt  — for these tasks.  So imagine in the future eating a programmed probiotic that could detect and treat cancer, or even other diseases. That’s the goal of my research.


Above, watch “Supernova” — a video of bacteria growing in a microfluidic device. Through a genetic program, Danino has created synchronized oscillations that you can see because of fluorescent proteins. Taken from Danino et al., Nature 2010.

How do the programmed bacteria find the tumors?

If you deliver bacteria orally or via the blood, they land in all of the various organs in your body, as well as in tumors. Normally your immune system is really good at clearing out bacteria, but in cancerous tumors, there’s a weird area called the necrotic core where bacteria can hide because the immune system can’t get in there, and so the bacteria will just happily grow in these tumors.

This was something that people observed maybe 150 years ago, a random interesting fact. The story behind it was that a woman who had a tumor in her neck came into the hospital, and when she got a bacterial infection, her tumor stopped growing. It was the very first time it was observed that bacteria and tumors have this cool interaction.

But it wasn’t really considered safe to treat tumors with bacteria, and we didn’t know how to manipulate bacteria at the time. Today, we are able to program bacteria to be safe — so you won’t actually become infected with E. coli — and program them to do things they don’t normally do.

A pattern made of liver cells. From the Colonies series, a collaboration with Vik Muniz. Image: Tal Danino

Why do you use bacteria to make art?

The art I do highlights the science I do in a very different way. I recently did a collaboration with an artist named Anicka Yi. It came out of a conversation where I was telling her about how there are 10 times more bacterial cells in the body than human cells — that’s interesting fact number one. Interesting fact number two is that there are 100 times more bacterial genes. So really, in terms of genetic material, we’re 1% human. The bacteria in your body are a really large and unique part of your identity.

Anicka was interested in doing a piece on how art and bacteria relate to feminism in expressing a woman as a female pathogen or a viral concept. In the project that evolved, she collected bacterial samples from 100 women, and I grew them on petri dishes for a month or two. The exhibit consisted of these petri dishes — bacterial portraits, in a way — as well as a giant petri dish that was 7 feet long, made entirely out of bacteria from all these women, spelling out the name of the show. As bacteria are also responsible for scents, you could smell it as you walked in.

A 7-foot-long petri dish spelling out the name of the exhibition You Can Call Me F, a collaboration between Tal Danino and Anicka Yi. Photo: Tal Danino

To put bacteria in a petri dish and then culture it so that it can be smelled away from its body is a little disturbing.

Yeah, definitely. But it wasn’t as bad as you would expect. And really, that was part of the point: the bacteria in your body are just natural part of who you are. The show was also addressing paranoia around pathogens. It asks, “Are these bacteria that you’re growing from your body dangerous?”

Have you been an artist all your life?

My mom used to do a lot of art when we were kids, so I was always into it. But I really got interested in science art in graduate school, when I was doing a lot of microscopy. I would see such beautiful things in the microscope, and would make videos of them. Later I realized that for presentations, having a really good video or image takes ideas beyond abstract data, and makes the science a lot more convincing. When you see data and images for yourself, how do you argue with that? Art is also a form of expression for me, as a scientist. Generally, the voice of the scientist in media is limited to something along the lines of “Scientists have discovered X.”

In my work, science and art actually influence each other dramatically. I see these beautiful patterns while working in science, and then I think, “How does that pattern happen? I really want to study it.” In an art project I did with Vik Muniz, for example, I developed a whole new technique to program bacteria to form visual patterns.


Above, watch “Turning Living Cells into Art,” a video about the biological art collaboration between Tal Danino and artist Vik Muniz, in which striking images were produced from microscopic photos of bacteria, cells infected with viruses and cancer cells. Proceeds from artwork sales were donated to cancer research.

Aren’t artistic and scientific processes quite different?

To me, they’re very similar, in a way. It’s a pretty open process, you choose a medium, you explore it, and you don’t really know why or what you’re doing all the time. Scientists don’t admit that, but it’s true. There’s an element of just messing around. Eventually you develop a story around the medium and why it’s important, and on the science side, you hammer down what it is that you’re doing.

So the artistic, creative process really affects my work in science. That’s something I don’t think people really understand yet. It’s important. If you look at cancer research, people have been doing the same thing for decades. How do you make something different? For me, a lot of the art has provided the vision for doing something different, doing something more creative that might now lead to a real cancer breakthrough.

Science likes to build on what came before in a linear fashion, so it seems like that would be a pretty hard sell.

That’s true, but at the same time when you look at the big scientific discoveries, they’re often serendipitous. “Where did this come from? We don’t know.” And what does it mean to really be creative, too? It’s not like this idea came out of nowhere — there’s usually a small series of elements that led you to this thing that you did just slightly differently than was done in the past.

I think you can see it either way. My impression is that artists embrace the creative approach and the idea of doing things differently and just going for it, and scientists don’t do this enough. They generally prefer to kind of look into the literature, as there’s been so much done in the past. That’s our process, and I think it’s great, but I really try to bring in a little bit more of the artistic mindset into the science.

“Petri,” a collaboration between Vik Muniz and Tal Danino, is a series of ceramic dishes created with Bernardaud porcelain, inspired by naturally occurring bacterial patterns. Photo: Bernardaud

Google AdsenseShare your feedback on AdSense, AdMob, and other Google publisher solutions

It’s time to share your feedback! To improve our product and services, we send out a survey to a random group of our publishers every 6 months. The next survey will be sent soon and we’re looking forward to hearing from you.

Your feedback and comments are important to us, and we really do read and consider everything you write. Thanks to previous suggestions, we’ve launched a number of new features to improve our services and help you grow your earnings. These include the redesign of the performance reports with a brand new dashboard, Matched content to help you increase engagement with your site visitors, and welcoming Malay and Hindi languages to the AdSense family.

You may receive a survey by email over the coming weeks. To make sure that you can receive the survey email, please take the following steps as soon as possible:

Whether you’ve completed this survey before or you’re providing feedback for the first time, we’d like to thank you for sharing your valuable thoughts. We’re looking forward to feedback!

Posted by Adriana Satmarean
AdSense Publisher Happiness Team

Sociological ImagesThe Fractal Nature of the Gender Binary: Or Blue vs. Turquoise

Flashback Friday.

A reader named Judith B. wrote in confounded by the copy describing the watch pictured above. It began:

Don’t be fooled by the girly blue and white face on this multifunction Pro Spirit® digital sports watch. It’s more than a match for any tough guy’s watch…

“Girly blue and white?” she asked. “Huh?”

I think I’ve got an answer for you, Judith. And it has to do with fractals. Trees are good examples of fractals: branches can split into two branches, and each of those branches can split into two branches, etc.


The gender binary — that is, the rule that everything (animals, jobs, food, kleenex, housework, sound, games, deodorant, love and sex, candy, vitamins, etc.) gets split into male and female — is fractal. That means that, for every male or female version of something (say sports versus dance), there is a further gendered split that can be made. If we take sports, we might divide it into the masculine football and the feminine swimming. If we take swimming, we could probably divide it down further. Take education (which is, arguably, feminized): we can split it into physical sciences (masculine) and social sciences (feminine). And we can split the physical sciences into biology (dominated these days by women) and physics (dominated by men). So the gender binary has a fractal character.

What does that mean for blue? Well, it means that, even though “blue” is socially constructed to be masculine, blue can be broken down into more and less masculine types of blue. Turquoise and light blue, for example, are often seen as more feminine than the primary color blue or royal/dark blue. The text, then, is referring to, literally, “girly blue.” Lots of ads aimed at women employ the feminine blues. These ads sent in by some of my former students are good examples:

Usually the use of a “girly blue” serves to balance masculinity and femininity.  It’s no accident that these ads are sports-related, or use copy such as “strong & beautiful” and “I totally have a soft side. You comfortable with that?”

So, that’s my explanation for “girly blue”: fractal gender binaries.

Originally posted in 2010.

Lisa Wade is a professor of sociology at Occidental College and the co-author of Gender: Ideas, Interactions, Institutions. You can follow her on Twitter and Facebook.


CryptogramWhy the Current Section 215 Reform Debate Doesn't Matter Much

The ACLU's Chris Soghoian explains (time 25:52-30:55) why the current debate over Section 215 of the Patriot Act is just a minor facet of a large and complex bulk collection program by the FBI and the NSA.

There were 180 orders authorized last year by the FISA Court under Section 215 -- 180 orders issued by this court. Only five of those orders relate to the telephony metadata program. There are 175 orders about completely separate things. In six weeks, Congress will either reauthorize this statute or let it expire, and we're having a debate -- to the extent we're even having a debate -- but the debate that's taking place is focused on five of the 180, and there's no debate at all about the other 175 orders.

Now, Senator Wyden has said there are other bulk collection programs targeted at Americans that the public would be shocked to learn about. We don't know, for example, how the government collects records from Internet providers. We don't know how they get bulk metadata from tech companies about Americans. We don't know how the American government gets calling card records.

If we take General Hayden at face value -- and I think you're an honest guy -- if the purpose of the 215 program is to identify people who are calling Yemen and Pakistan and Somalia, where one end is in the United States, your average Somali-American is not calling Somalia from their land line phone or their cell phone for the simple reason that AT&T will charge them $7.00 a minute in long distance fees. The way that people in the diaspora call home -- the way that people in the Somali or Yemeni community call their family and friends back home -- they walk into convenience stores and they buy prepaid calling cards. That is how regular people make international long distance calls.

So the 215 program that has been disclosed publicly, the 215 program that is being debated publicly, is about records to major carriers like AT&T and Verizon. We have not had a debate about surveillance requests, bulk orders to calling card companies, to Skype, to voice over Internet protocol companies. Now, if NSA isn't collecting those records, they're not doing their job. I actually think that that's where the most useful data is. But why are we having this debate about these records that don't contain a lot of calls to Somalia when we should be having a debate about the records that do contain calls to Somalia and do contain records of e-mails and instant messages and searches and people posting inflammatory videos to YouTube?

Certainly the government is collecting that data, but we don't know how they're doing it, we don't know at what scale they're doing it, and we don't know with which authority they're doing it. And I think it is a farce to say that we're having a debate about the surveillance authority when really, we're just debating this very narrow usage of the statute.

Further underscoring this point, yesterday the Department of Justice's Office of the Inspector General released a redacted version of its internal audit of the FBI's use of Section 215: "A Review of the FBI's Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009," following the reports of the statute's use from 2002-2005 and 2006. (Remember that the FBI and the NSA are inextricably connected here. The order to Verizon was from the FBI, requiring it to turn data over to the NSA.)

Details about legal justifications are all in the report (see here for an important point about minimization), but detailed data on exactly what the FBI is collecting -- whether targeted or bulk -- is left out. We read that the FBI demanded "customer information" (p. 36), "medical and educational records" (p. 39), "account information and electronic communications transactional records" (p. 41), and "information regarding other cyber activity" (p. 42). Some of this was undoubtedly targeted against individuals; some of it was undoubtedly bulk.

I believe bulk collection is discussed in detail in Chapter VI. The chapter title is redacted, as well as the introduction (p. 46). Section A is "Bulk Telephony Metadata." Section B (pp. 59-63) is completely redacted, including the section title. There's a summary in the Introduction (p. 3): "In Section VI, we update the information about the uses of Section 215 authority described [redacted word] Classified Appendices to our last report. These appendices described the FBI's use of Section 215 authority on behalf of the NSA to obtain bulk collections of telephony metadata [long redacted clause]." Sounds like a comprehensive discussion of bulk collection under Section 215.

What's in there? As Soghoian says, certainly other communications systems like prepaid calling cards, Skype, text messaging systems, and e-mails. Search history and browser logs? Financial transactions? The "medical and educational records" mentioned above? Probably all of them -- and the data is in the report, redacted (p. 29) -- but there's nothing public.

The problem is that those are the pages Congress should be debating, and not the telephony metadata program exposed by Snowden.

EDITED TO ADD: Marcy Wheeler is going through the document line by line.

Worse Than FailureError'd: Tell QA They Missed One

"You know, I've always wanted some sideways text that says 'not for sale'," writes Julie, "Too bad I'll never know."


James C. wrote, "When invited to sign up for the Microsoft Partner Research Panel, I was presented with a question that I couldn't quite answer."


"I canceled my U-Verse service today and went to check my online account," writes Bill W., "I'm not certain I'll be around on Nov 10, 2111 at 2pm or any other time for that matter."


Pius O. writes, "What do you know...White Night Melbourne exceeded its system power."


"Wow! I can type the exact same speed I do now if I just get some training!" wrote Abner Q.


"While trying to avoid doing work, I thought I would find something to get enraged at on the Internet and comment on it. I put in my more public email address and pressed 'Finish Sign Up' so I could comment on it, but their server has rejected it," Bob H. wrote, "Curses to us foreigners with our exotic email addresses!"


"I just wanted to report a bug on," Simon E. writes, "now, I've gone ahead and made more work for myself."


"I snapped this picture while trying to refill my subway card in St. Eriksplan in Stockholm, Sweden," wrote Andreas, "It was unfortunate timing, but at least I know they're not using Vista."



Planet DebianMichal Čihař: Weblate 2.3

Weblate 2.3 has been released today. It comes with better features for project owners, better file formats support and more configuration options for users.

Full list of changes for 2.3:

  • Dropped support for Django 1.6 and South migrations.
  • Support for adding new translations when using Java Property files.
  • Allow accepting a suggestion without editing.
  • Improved support for Google OAuth2.
  • Added support for Microsoft .resx files.
  • Tuned default robots.txt to disallow bulk crawling of translations.
  • Simplified workflow for accepting suggestions.
  • Added project owners, who always receive important notifications.
  • Allow disabling editing of the monolingual template.
  • More detailed repository status view.
  • Direct link for editing the template when changing a translation.
  • Allow adding more permissions to project owners.
  • Allow showing the secondary language in zen mode.
  • Support for hiding the source string in favor of the secondary language.

You can find more information about Weblate on, and the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password or register your own user.

Weblate is also being used as official translating service for phpMyAdmin, Gammu, Weblate itself and other projects.

If you are a free software project that would like to use Weblate, I'm happy to help you with the setup or even host Weblate for you.

Further development of Weblate would not be possible without people providing donations; thanks to everybody who has helped so far!

PS: The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.

Filed under: English phpMyAdmin SUSE Weblate | 0 comments

Planet Linux AustraliaLev Lafayette: General Atomic and Molecular Electronic Structure System HPC Installation

GAMESS (General Atomic and Molecular Electronic Structure System) is a general ab initio quantum chemistry package. You will need to agree to the license prior to download, which will provide a link to gamess-current.tar.gz

Download and extract, load the environment variables for atlas and gcc.

cd /usr/local/src/
tar xzf gamess-current.tar.gz
cd gamess
module load atlas/3.10.2
module load gcc/4.9.1


Debian Administration Preventing SPAM connections with bird.

Bird is an Internet routing daemon with full support for all the major routing protocols. It allows you to configure hosts to share routing information, via protocols such as BGP, OSPF, or even statically. Here we're going to look at using it to automatically blacklist traffic from SPAM-sources.

Geek FeminismWhat if free and open source software were more like fandom?

This is the second of a two-part post about feminism and the philosophies and vocabularies of “open stuff” (fandom, open source, etc.). Part I is at Crooked Timber, here, and I suggest you read that first.

Recently I was thinking about abstractions we open source software folks might borrow from fandom, particularly the online world of fan fiction and fanvids. I mean, I am already a rather fannish sort of open sourcer — witness when I started a love meme, a.k.a. an appreciation thread, on the MediaWiki developers’ mailing list. But I hadn’t, until recently, taken a systematic look at what models we might be able to translate into the FLOSS world. And sometimes we can more clearly see our own skeletons, and our muscles and weaknesses, by comparison.

Affirmational and transformational

While arguing in December that the adjectives “fan” and “political” don’t contradict each other, I said:

I think calling them fanwork/fanvids is a reasonable way to honor fandom’s both transformative and affirmational heritage

I got that phrasing (“affirmational/transformational”) from RaceFail, which is a word for many interconnected conversations about racism, cultural appropriation, discourse, and fandom that happened in early 2009. (In “Feminist Point of View: A Geek Feminism Retrospective”, Skud discussed how RaceFail influenced the DNA of Geek Feminism (see slide 15).) RaceFail included several discussions that X-rayed fandom and developed new models for understanding it. (And I do mean “discussions” — in many of the Dreamwidth links I’m about to mention, the bulk of thought happens in the comments.)

obsession_inc, in a RaceFail discussion, articulated the difference between “affirmational” and “transformational” fandom. Do you bask in canon, relaxing in the security of a hierarchy, or do you use it, without a clear answer about Who’s In Charge?

When we use these terms we’re talking about different modes: different approaches to source texts, to communities, to the Web, to the mass media industries, and to each other. It’s not just about whether you’re into pages of words or audio/video, and it’s not necessarily generational either:

So when I see the assertion that as a group, print-oriented old time fans don’t know how to deal with extensive cross-linked multi-threaded fast-paced discussion, all I can do is cough and mutter “bullshit”.

We have a long-standing heritage of transformational fandom — sometimes it surprises fans to know just how long we’ve been making fanvids, for instance. (What other heritages do I have that I don’t know enough about?)

And I’m mulling over what bits of FLOSS culture feel affirmational to me (e.g., deference to celebrities like Linus Torvalds) or transformational (e.g., the Open Source Bridge session selection process, where everyone can see each other’s proposals and favstar what they like). I’d love to hear more thoughts in the comments.

Expectations around socializing and bug reports

I reread the post and the hundreds of comments at oliviacirce’s “Admitting Impediments: Post-WisCon Posts, Part I, or, That Post I Never Made About RaceFail ’09”, where people talked about questions of power and discourse and expectations. For instance, one assessment of a particular sector of fandom: “non-critical, isolated, and valuing individual competition over hypertext fluency and social interaction.” This struck me as a truth about a divide within open source communities, and between different open source projects.

Jumping off of that came dysprositos’s question, “what expectations do we … have of each other that are not related to fandom but that are not expectations we would have for humanity at large?” (“Inessential weirdness” might be a useful bit of vocabulary here.) In this conversation, vehemently distinguishes between fans who possess “the willingness to be much more openly confrontational of a fannish object’s social defects” vs. those who tend to be “resigned or ironic in their observations of same. I don’t think that’s a difference in analysis, however, but a difference in audiencing, tactics, and intent among the analyzers.” When I saw this I thought of the longtime whisper network among women in open source, women warning each other of sexual abusers, and of the newer willingness to publicly name names. And I thought of how we learn, through explicit teaching and through the models we see in our environment, how to write, read, and respond to bug reports. Are you writing to help someone else understand what needs fixing so they can fix it, or are you primarily concerned with warning other users so they don’t get hurt? Do you care about the author’s feelings when you write a report that she’ll probably read?

Optimizing versus plurality

In fanfic and fanvids, we want more. There is no one true best fic or vid and we celebrate a diverse subjectivity and an ever-growing body of art for everyone to enjoy. We keep making and sharing stuff, delighting in making intricate gifts for each other. In the tech world I have praised !!Con for a similar ethos:

In the best fannish traditions, we see the Other as someone whose fandom we don’t know yet but may soon join. We would rather encourage vulnerability, enthusiasm and play than disrespect anyone; we take very seriously the sin of harshing someone else’s squee.

Sometimes we make new vocabulary to solve problems (“Dead Dove: Do Not Eat”) but sometimes we say it’s okay if the answer to a problem is to have quite a lot of person-to-person conversations. It’s okay if we solve things without focusing first on optimizing, on scaling. And I think the FLOSS world could learn from that. As I said in “Good And Bad Signs For Community Change, And Some Leadership Styles”, in the face of a problem, some people reflexively reach more for “make a process that scales” and some for “have a conversation with ____”. We need both, of course – scale and empathy.

Many of us are in open stuff (fanfic, FLOSS, and all the other nooks and crannies) because we like to make each other happy. And not just in an abstract altruistic way, but because sometimes we get to see someone accomplish something they couldn’t have before, or we get comments full of happy squee when we make a vid that makes someone feel understood. It feels really good when someone notices that I’ve entered a room, remembers that they value me and what I’ve contributed, and greets me with genuine enthusiasm. We could do a lot better in FLOSS if we recognized the value of social grooming and praise — in our practices and in time-consuming conversations, not just in new technical features like a friction-free Thanks button. A Yuletide Treasure gift exchange for code review, testing, and other contributions to underappreciated software projects would succeed best if it went beyond the mere “here’s a site” level, and grew a joyous community of practice around the festival.

What else?

I’m only familiar with my corners of fandom and FLOSS, and I would love to hear your thoughts on what models, values, practices, and intellectual frameworks we in open source ought to borrow from fandom. I’m particularly interested in places where pragmatism trumps ideology, in bits of etiquette, and in negotiating the balance between desires for privacy and for publicity.

Planet Linux AustraliaCraige McWhirter: How To Resolve a Volume is Busy Error on Cinder With Ceph Block Storage

When deleting a volume in OpenStack you may sometimes get an error message stating that Cinder was unable to delete the volume because the volume was busy:

2015-05-21 23:31:41.160 16911 ERROR cinder.volume.manager [req-6f77ef4d-bbff-4ff4-8a3e-4c6b264ac5ca \
04b7cb61dd3f4f2f8f80bbd9833addbd 5903e3bda1e840d492fe79fb840acacc - - -] Cannot delete volume \
f8867d43-bc82-404e-bcf5-6d345c32269e: volume is busy

There are a number of reasons why a volume may be reported by Ceph as busy, however the most common reason in my experience has been that a Cinder client connection has not yet been closed, possibly because a client crashed.

If you look at the volume in Cinder, its status is usually available and the record looks in order. When you check Ceph, you'll see that the volume still exists there too.

% cinder show f8867d43-bc82-404e-bcf5-6d345c32269e | grep status
|    status    |    available    |

 # rbd -p my.ceph.cinder.pool ls | grep f8867d43-bc82-404e-bcf5-6d345c32269e

Perhaps there's a lock on this volume. Let's check for locks and then remove them if we find one:

# rbd lock list my.ceph.cinder.pool/volume-f8867d43-bc82-404e-bcf5-6d345c32269e

If there are any locks on the volume, you can use lock remove using the id and locker from the previous command to delete the lock:

# rbd lock remove <image-name> <id> <locker>

What if there are no locks on the volume but you're still unable to delete it from either Cinder or Ceph? Let's check for snapshots:

# rbd -p my.ceph.cinder.pool snap ls volume-f8867d43-bc82-404e-bcf5-6d345c32269e
SNAPID NAME                                              SIZE
  2072 snapshot-33c4309a-d5f7-4ae1-946d-66ba4f5cdce3 25600 MB

When you attempt to delete that snapshot you will get the following:

# rbd snap rm my.ceph.cinder.pool/volume-f8867d43-bc82-404e-bcf5-6d345c32269e@snapshot-33c4309a-d5f7-4ae1-946d-66ba4f5cdce3
rbd: snapshot 'snapshot-33c4309a-d5f7-4ae1-946d-66ba4f5cdce3' is protected from removal.
2015-05-22 01:21:52.504966 7f864f71c880 -1 librbd: removing snapshot from header failed: (16) Device or resource busy

This reveals that the protected snapshot was what kept the volume busy all along.

Now we need to unprotect the snapshot:

# rbd snap unprotect my.ceph.cinder.pool/volume-f8867d43-bc82-404e-bcf5-6d345c32269e@snapshot-33c4309a-d5f7-4ae1-946d-66ba4f5cdce3

You should now be able to delete the volume and its snapshot via Cinder.
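The checks above can be collected into a single run. The following script is an added example, not part of the original post and not Cinder or Ceph code: it parses the output of the `rbd lock list` and `rbd snap ls` commands used above and emits the cleanup commands in order. The `rbd snap ls` layout is the one shown in the post; the `rbd lock list` layout (a header line followed by locker, id and address columns, where the id may contain a space) is an assumption about the rbd CLI, and both sample outputs are constructed, so check them against your Ceph release. It also adds one check the post does not mention: a protected snapshot cannot be unprotected while clones still depend on it, so the script lists children before the unprotect step.

```python
"""Diagnose a Cinder volume that Ceph reports as busy and plan the cleanup.

Added example, not from the original post. It wraps the rbd commands the post
walks through (lock list, snap ls, snap unprotect) so the findings land in one
ordered plan that can be reviewed before anything is run.
"""
from __future__ import annotations

import shlex
import subprocess
from dataclasses import dataclass


@dataclass
class Snapshot:
    snapid: int
    name: str


@dataclass
class Lock:
    locker: str
    lock_id: str


def parse_snap_ls(output: str) -> list[Snapshot]:
    """Parse `rbd snap ls` rows of the form shown in the post:
         2072 snapshot-33c4309a-d5f7-4ae1-946d-66ba4f5cdce3 25600 MB
    The header line is skipped because its first field is not numeric."""
    snaps = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            snaps.append(Snapshot(int(parts[0]), parts[1]))
    return snaps


def parse_lock_list(output: str) -> list[Lock]:
    """Parse `rbd lock list` rows. Assumed layout (verify on your release):
        client.4224  auto 139994240241  10.0.0.1:0/1013856
    The locker is the first field and the address the last; the id is
    whatever sits between them, which may be two words."""
    locks = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("client."):
            locks.append(Lock(parts[0], " ".join(parts[1:-1])))
    return locks


def cleanup_plan(pool: str, volume_id: str,
                 lock_output: str, snap_output: str) -> list[list[str]]:
    """Return the rbd commands to run, in order, before retrying the Cinder delete."""
    image = f"{pool}/volume-{volume_id}"
    cmds: list[list[str]] = []
    for lock in parse_lock_list(lock_output):
        # Argument order follows the post: rbd lock remove <image> <id> <locker>.
        # Caveat: if the locker's address still answers, a client has the image
        # open; removing its lock while it runs risks corrupting the volume.
        cmds.append(["rbd", "lock", "remove", image, lock.lock_id, lock.locker])
    for snap in parse_snap_ls(snap_output):
        spec = f"{image}@{snap.name}"
        # A protected snapshot cannot be unprotected while clones depend on it;
        # list them first (they would need `rbd flatten` before the next step).
        cmds.append(["rbd", "children", spec])
        cmds.append(["rbd", "snap", "unprotect", spec])
    return cmds


def rbd(args: list[str]) -> str:
    """Run one rbd command and return its stdout (raises on non-zero exit)."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def plan_for_live_volume(pool: str, volume_id: str) -> list[list[str]]:
    """Gather lock and snapshot state from a real cluster and build the plan."""
    image = f"{pool}/volume-{volume_id}"
    return cleanup_plan(pool, volume_id,
                        rbd(["rbd", "lock", "list", image]),
                        rbd(["rbd", "-p", pool, "snap", "ls", f"volume-{volume_id}"]))


# Constructed sample output, reusing the volume and snapshot ids from the post.
SAMPLE_SNAP_LS = """SNAPID NAME                                              SIZE
  2072 snapshot-33c4309a-d5f7-4ae1-946d-66ba4f5cdce3 25600 MB
"""
SAMPLE_LOCK_LIST = """There is 1 exclusive lock on this image.
Locker       ID                 Address
client.4224  auto 139994240241  10.0.0.1:0/1013856
"""

if __name__ == "__main__":
    for cmd in cleanup_plan("my.ceph.cinder.pool",
                            "f8867d43-bc82-404e-bcf5-6d345c32269e",
                            SAMPLE_LOCK_LIST, SAMPLE_SNAP_LS):
        print(shlex.join(cmd))
```

Print the plan and run it by hand, or call plan_for_live_volume() against a real pool. If `rbd children` reports clones, flatten them before unprotecting; once the snapshot is unprotected, let Cinder remove the snapshot and the volume rather than deleting them with rbd directly, so Cinder's records stay consistent.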

Enjoy :-)


Planet DebianDirk Eddelbuettel: BH release 1.58.0-1

A new release of BH is now on CRAN. BH provides a large part of the Boost C++ libraries as a set of template headers for use by R and Rcpp.

This release both upgrades the version of Boost to the current release, and adds a new library: Boost MultiPrecision .

A brief summary of changes from the NEWS file is below.

Changes in version 1.58.0-1 (2015-05-21)

  • Upgraded to Boost 1.58 installed directly from upstream source

  • Added Boost MultiPrecision as requested in GH ticket #12 based on rcpp-devel request by Jordi Molins Coronado

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

Comments and suggestions are welcome via the mailing list or the issue tracker at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianYves-Alexis Perez: Followup on Debian grsec kernels for Jessie

So, following the previous post, I've indeed updated the way I'm making my grsec kernels.

I wanted to upgrade my server to Jessie, and didn't want to keep the 3.2 kernel indefinitely, so I had to update to at least 3.14, and find something to make my life (and maybe some others) easier.

In the end, like planned, I've switched to the make deb-pkg way, using some scripts here and there to simplify stuff.

The scripts and configs can be found in my debian-grsec-config repository. The repository layout is pretty much self-explaining:

The bin/ folder contains two scripts:

  •, which will pick the latest grsec patch (for each branch) and applies it to the correct Linux branch. This script should be run from a git clone of the linux-stable git repository;
  • is taken from the src:linux Debian package, and can be used to merge multiple KConfig files

The configs/ folder contains the various configuration bits:

  • config-* files are the Debian configuration files, taken from the linux-image binary packages (for amd64 and i386);
  • grsec* are the grsecurity specifics bits (obviously);
  • hardening* contain non-grsec stuff still useful for hardened kernels, for example KASLR (cargo-culting notwithstanding) or strong SSP (available since I'm building the kernels on a sid box, YMMV).

I'm currently building amd64 kernels for Jessie and i386 kernels will follow soon, using config-3.14 + hardening + grsec. I'm hosting them on my apt repository. You're obviously free to use them, but considering how easy it is to rebuild a kernel, you might want to use a personal configuration (instead of mine) and rebuild the kernel yourself, so you don't have to trust my binary packages.

Here's a very quick howto (adapt it to your needs):

mkdir linux-grsec && cd linux-grsec
git clone git://
git clone git://
mkdir build
cd linux-stable
../debian-grsec-config/bin/ stable2 # for 3.14 branch
../debian-grsec-config/bin/ ../build/.config ../debian-grsec-config/configs/config-3.14-2-amd64 ../debian-grsec-config/configs/hardening ../debian-grsec-config/configs/grsec
make KBUILD_OUTPUT=../build -j4 oldconfig
make KBUILD_OUTPUT=../build -j4 deb-pkg

Then you can use the generated Debian binary packages. If you use the Debian config, it'll need a lot of disk space for compilation and generate a huge linux-image debug package, so you might want to unset CONFIG_DEBUG_INFO locally if you're not interested. Right now only the deb files are generated, but I've submitted a patch to have a .changes file which can then be used to manipulate them more easily (for example for uploading them to a local Debian repository).

Note that, obviously, this is not targeted for inclusion to the official Debian archive. This is still not possible for various reasons explained here and there, and I still don't have a solution for that.

I hope this (either the scripts and config or the generated binary packages) can be useful. Don't hesitate to drop me a mail if needed.

CryptogramNew Pew Research Report on Americans' Attitudes on Privacy, Security, and Surveillance

This is interesting:

The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used. Adding to earlier Pew Research reports that have documented low levels of trust in sectors that Americans associate with data collection and monitoring, the new findings show Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.

While some Americans have taken modest steps to stem the tide of data collection, few have adopted advanced privacy-enhancing measures. However, majorities of Americans expect that a wide array of organizations should have limits on the length of time that they can retain records of their activities and communications. At the same time, Americans continue to express the belief that there should be greater limits on government surveillance programs. Additionally, they say it is important to preserve the ability to be anonymous for certain online activities.

Lots of detail in the reports.

Planet DebianJonathan McDowell: I should really learn systemd

As I slowly upgrade all my machines to Debian 8.0 (jessie) they’re all ending up with systemd. That’s fine; my laptop has been running it since it went into testing whenever it was. Mostly I haven’t had to care, but I’m dimly aware that it has a lot of bits I should learn about to make best use of it.

Today I discovered systemctl is-system-running. I’m not sure why I’d use it, but when I ran it it responded with degraded. That’s not right, thought I. How do I figure out what’s wrong? systemctl --state=failed turned out to be the answer.

# systemctl --state=failed
  UNIT                         LOAD   ACTIVE SUB    DESCRIPTION
● systemd-modules-load.service loaded failed failed Load Kernel Modules

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

Ok, so it’s failed to load some kernel modules. What’s it trying to load? systemctl status -l systemd-modules-load.service led me to /lib/systemd/systemd-modules-load which complained about various printer modules not being able to be loaded. Turned out this was because CUPS had dropped them into /etc/modules-load.d/cups-filters.conf on upgrade, and as I don’t have a parallel printer I hadn’t compiled up those modules. One of my other machines had also had an issue with starting up filesystem quotas (I think because there’d been some filesystems that hadn’t mounted properly on boot - my fault rather than systemd). Fixed that up and then systemctl is-system-running started returning a nice clean running.

Now this is probably something that was silently failing back under sysvinit, but of course nothing was tracking that other than some output on boot up. So I feel that I’ve learnt something minor about systemd that actually helped me cleanup my system, and sets me in better stead for when something important fails.

Chaotic IdealismTaking marriage for granted

I can’t help but think how nasty it was of us to deny gay people the formal commitment and legal acknowledgement that straight people have enjoyed for so long.

I’m not surprised that the fight for gay marriage has made straight people think about the value of marriage, too; we took it for granted for so long, until we realized what it was like not to be able to marry at all, whether you wanted to or not. I think gay marriage will probably strengthen the institution of marriage, overall.

Humans, psychologically, pair-bond. We just do. We want to find another person and take on life together. Some of us don't want sex, some of us don't want romance, some of us prefer a person of the same gender; some of us want more than one person at once. A few aren't into the pair-bonding thing, and while that's unusual, there's nothing particularly wrong with it. But the point is--we bond with each other, naturally, and we see it as a good thing.

When all those love hormones are overwhelming your senses and you're "in love", it's easy to stay bonded. You just can't live without each other. Your cognitive abilities are measurably diminished. But that can't, and shouldn't, last forever, and that's where social bonds come in. As a relationship matures, people become friends as well as lovers; they rely on each other, learn to compromise, even learn to argue without hurting each other. Such a relationship takes work to maintain. Commitment.

There are benefits to a formal marriage. You've made your commitment publicly. You've made a legal contract and, if you're religious, you've also made a promise to each other before God. You're agreed that you're in it for the long haul. Legally, things change; you're taxed together, expected to both be responsible for children, and not expected to testify against each other. You can make medical decisions for each other when one is incapacitated. You inherit each others' property and can adopt each others' children.

And all of this is something we've taken for granted for a long time--until gay people reminded us how precious it is to be able to formally, publicly, and legally commit to another person, and how much pain can come from being refused that right.

I grew up with a mom who married some not-so-nice men. I didn't have that much respect for marriage in general. I think I would've been happier with a single mom. And yet all of this is forcing me to think about the value that marriage does have to people who are in love and want to spend their lives together, and how much they lose when they're not allowed to marry. I still don't want to marry, myself; I've never had a romantic relationship. If I did marry, it would be a platonic partner, probably for simple companionship, or to foster children together. I'm not even sure what gender I would prefer; gender is more or less irrelevant to me right now. But all the same, I'm just a tiny bit more open to the possibility of eventually finding that close friend, that love that would mean I would always have both someone to depend on and someone who depended on me. Maybe I'm a loner; maybe I'm not very romantic; but like many people, I've been taking marriage for granted--until I realized how much it matters to people for whom it's not an option.

Planet DebianMichal Čihař: Translating Sphinx documentation

A few days ago I started writing the Odorik module to manipulate the API of one Czech mobile network operator. As usual, the code comes with documentation written in English. Given that the vast majority of users are Czech, it seemed useful to have it in Czech as well.

The documentation itself is written in Sphinx and built using Read the Docs. Using those to translate the documentation is quite easy.

The first step is to add the necessary configuration to the Sphinx project as described in its Internationalization Quick Guide. It's a matter of a few configuration directives and invoking sphinx-intl; the result can look like this commit.

Once the code in the repository is ready, you can start building translated documentation on Read the Docs. There is a nice guide for that as well. All you need to do is create another project, set its language and link it from the master project as a translation.

The last step is to find some translators to actually translate the document. For me the obvious choice was using Weblate, so the translation is now on Hosted Weblate. The mass import of several po files can be done by import_project management command.

And thanks to all these you can now read Czech documentation for python Odorik module.

Filed under: Coding English Odorik Weblate | 0 comments

Sociological ImagesSame-Sex Parents Spend More Time with Their Children

At the end of this month, the Supreme Court will hear arguments as to whether the Constitution requires states to allow same-sex marriages and to recognize same-sex marriages allowed in other states. In the arguments heard in the lower courts and the record-setting number of amici filed for this case, debate has often veered from whether same-sex couples should be able to marry and waded into the question of how they parent children. Social science research has been front and center in this debate, with a variety of studies examining whether families with two parents of a different sex provide better environments for raising children than two parents of the same sex.

No differences? In general, these studies have examined differences in children’s developmental outcomes to make inferences about differences in what is happening in the home, conflating how children do with the ways that people parent in same-sex and different-sex couples. The “no differences” conclusion refers to the fact that few studies have revealed significant differences in these outcomes between children raised by different-sex parents and same-sex parents. This conclusion about parenting based on data on children, however, may be biased in both directions. For example, same-sex couples are more likely to adopt “hard-to-place” children from the foster care system. They are also more likely to have children who have experienced family instability because they transitioned into new family settings after being in families headed by ‘straight’ couples. Both of these factors are known to affect children’s wellbeing, but they are not as strongly tied to parenting.

New study clarifies. In our new study in the June issue of Demography, we directly address the arguments being made about differences in parenting in two-parent families by examining parents’ actual behaviors. Using the nationally representative American Time Use Survey, we examine how much time parents in same-sex and different-sex couples spend in child-focused activities during a 24-hour period, controlling for a wide range of factors that are also associated with parenting, such as income, education, time spent at work, and the number and age of children in the family. By ‘child-focused’ time, we mean time spent engaged with children in activities that support their physical and cognitive development, like reading to them, playing with them, or helping them with their homework.

Supporting a no differences conclusion, our study finds that women and men in same-sex relationships and women in different-sex relationships do not differ in the amount of time they spend in child-focused activities (about 100 minutes a day). We did find one difference, however, as men in different-sex relationships spend only half as much child-focused time as the other three types of parents. Averaging across mothers and fathers, we determined that children with same-sex parents received an hour more of child-focused parent time a day (3.5 hours) than children in different-sex families (2.5 hours).

A key implication of our study is that the focus on whether same-sex parents provide depreciably different family contexts for healthy child development is misplaced. If anything, the results show that same-sex couples are more likely to invest time in the types of parenting behaviors that support child development. In line with a recent study that has continued to highlight that poverty — more so than family structure — is the greatest detriment to parenting practices, it’s hard not to see how delegitimizing same-sex families in ways that create both social and economic costs for them, pose a greater source of disadvantage for children.

Cross-posted at Families as They Really Are.

Kate Prickett is a PhD candidate in the Department of Sociology and the Population Research Center at the University of Texas at Austin; Alexa Martin-Storey is a developmental psychologist and Assistant Professor at the Université de Sherbrooke, in Sherbrooke, Quebec. You can find their new study (with Robert Crosnoe) here.

(View original at

Krebs on SecurityCarefirst Blue Cross Breach Hits 1.1M

CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.

According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.

Nobody is officially pointing fingers at the parties thought to be responsible for this latest health industry breach, but there are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.

As I noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com.

ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.

On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[dot]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[dot]com command and control infrastructure,” ThreatConnect observed in a February 2015 blog post.

Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).

Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.
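The common thread across all of these look-alike domains is single-character substitution against a short list of brand names, which is cheap to check in a registration feed or passive-DNS export. The block below is an added example, not code from Krebs or ThreatConnect: it folds the substitutions the post describes (an l or i written as 1, an m written as nn) into a skeleton string and compares that with a watched-brand list. The confusable table and the sample registrations are constructed for this example, and the registrable label is taken naively as the second-level label of the hostname rather than via a public suffix list.

```python
"""Flag domains that impersonate a watched brand by character substitution.

Added example, not from the Krebs post. Both the brand and the candidate are
reduced to the same "skeleton", so a substitution that maps onto the brand
collapses to an equal string, while the genuine domain is reported as clean.
"""
from __future__ import annotations

# Multi-character confusables, applied after the single-character map. Because
# the brand goes through the same mapping, legitimate names that contain "nn"
# or "rn" still compare equal to themselves.
_SEQUENCES = [("rn", "m"), ("nn", "m"), ("vv", "w")]
# Single-character confusables (assumed list; extend for your own brands).
_CHARS = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})

# Brands we watch, as the second-level label of their real domains.
WATCHED_BRANDS = ["wellpoint", "premera", "carefirst"]


def skeleton(label: str) -> str:
    """Collapse a domain label onto its confusable skeleton."""
    s = label.lower().translate(_CHARS)
    for seq, repl in _SEQUENCES:
        s = s.replace(seq, repl)
    return s


def registrable_label(domain: str) -> str:
    """Second-level label of a hostname (no public-suffix handling; assumption)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_target(domain: str, brands: list[str] = WATCHED_BRANDS) -> str | None:
    """Return the brand a domain impersonates, or None if it is the genuine
    domain or unrelated to every watched brand."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the real thing, not an impersonation
    sk = skeleton(label)
    for brand in brands:
        if sk == skeleton(brand):
            return brand
    return None


def triage(domains: list[str]) -> dict[str, str]:
    """Map each suspicious domain in the feed to the brand it mimics."""
    hits: dict[str, str] = {}
    for d in domains:
        target = lookalike_target(d)
        if target:
            hits[d] = target
    return hits


# Constructed sample feed: the look-alikes named in the post plus benign entries.
SAMPLE_REGISTRATIONS = [
    "myhr.we11point.com",
    "hrsolutions.we11point.com",
    "prennera.com",
    "careflrst.com",
    "caref1rst.com",
    "wellpoint.com",
    "example.org",
]

if __name__ == "__main__":
    for domain, brand in triage(SAMPLE_REGISTRATIONS).items():
        print(f"{domain:30} looks like {brand}")
```

Skeleton matching catches substitutions; it does not catch insertions, transpositions or homoglyphs from other scripts, so pair it with an edit-distance threshold and Unicode confusable handling for a production feed.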

CryptogramThe Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange

Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically:

The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

Here's the academic paper.
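Both halves of the downgrade are visible on the wire: the ServerHello names an export suite, and the ServerKeyExchange carries the 512-bit prime. The following is an added example, not code from the post or the Logjam paper. It parses a TLS handshake record and reports either condition, the kind of check one would run over captured traffic. The records are constructed inline so it runs offline, and the "prime" values are placeholders whose only relevant property is their length.

```python
"""Passive check for a Logjam-style DHE negotiation in a TLS handshake.

Added example, not from the original post or paper. Flags a ServerHello
that selects a DH export suite and a ServerKeyExchange whose DH prime is
shorter than MIN_DH_BITS. Handshake records below are constructed.
"""
import struct

# Suite ids from the IANA TLS Cipher Suite registry (RFC 2246 export suites).
EXPORT_DH_SUITES = {
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_DH_BITS = 2048          # the paper's recommendation; 1024 is the hard floor
HANDSHAKE, SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x16, 2, 12


def handshake_messages(record):
    """Yield (msg_type, body) for each handshake message in one TLS record."""
    ctype, _version, length = struct.unpack_from("!BHH", record, 0)
    if ctype != HANDSHAKE or len(record) != 5 + length:
        raise ValueError("not a complete handshake record")
    off = 5
    while off < len(record):
        mtype = record[off]
        mlen = int.from_bytes(record[off + 1:off + 4], "big")
        yield mtype, record[off + 4:off + 4 + mlen]
        off += 4 + mlen


def server_hello_suite(body):
    """ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2) ..."""
    off = 34 + 1 + body[34]
    return struct.unpack_from("!H", body, off)[0]


def server_dh_params(body):
    """DHE ServerKeyExchange (RFC 5246 7.4.3): dh_p, dh_g, dh_Ys as opaque<1..2^16-1>."""
    values, off = [], 0
    for _ in range(3):
        n = struct.unpack_from("!H", body, off)[0]
        values.append(int.from_bytes(body[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return tuple(values)          # a signature may follow; it is not needed here


def logjam_findings(record):
    """List the Logjam-relevant problems in one server handshake flight."""
    findings = []
    for mtype, body in handshake_messages(record):
        if mtype == SERVER_HELLO:
            suite = server_hello_suite(body)
            if suite in EXPORT_DH_SUITES:
                findings.append("export DH suite negotiated: " + EXPORT_DH_SUITES[suite])
        elif mtype == SERVER_KEY_EXCHANGE:
            p, _g, _ys = server_dh_params(body)
            if p.bit_length() < MIN_DH_BITS:
                findings.append("DH prime only %d bits" % p.bit_length())
    return findings


# --- constructed handshake records for the demo -----------------------------
def _msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _vec(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(b)) + b


def build_record(suite, p_bits):
    p = (1 << (p_bits - 1)) | 1               # placeholder of the right length, not a real prime
    hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    ske = _vec(p) + _vec(2) + _vec(0x1234)     # unsigned params; enough for parsing
    payload = _msg(SERVER_HELLO, hello) + _msg(SERVER_KEY_EXCHANGE, ske)
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload


EXPORT_RECORD = build_record(0x0014, 512)     # what a Logjam MITM forces
SAFE_RECORD = build_record(0x009E, 2048)      # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

if __name__ == "__main__":
    for name, rec in (("export", EXPORT_RECORD), ("safe", SAFE_RECORD)):
        print(name, logjam_findings(rec) or ["ok"])
```

On a real capture the client-side fix is the complement of this check: a browser that rejects any DH prime under 1024 bits makes the second finding fatal to the handshake, which is exactly why the patched browsers broke sites still serving small groups.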

One of the problems with patching the vulnerability is that it breaks things:

On the plus side, the vulnerability has largely been patched thanks to consultation with tech companies like Google, and updates are available now or coming soon for Chrome, Firefox and other browsers. The bad news is that the fix rendered many sites unreachable, including the main website at the University of Michigan, which is home to many of the researchers that found the security hole.

This is a common problem with version downgrade attacks; patching them makes you incompatible with anyone who hasn't patched. And it's the vulnerability the media is focusing on.

Much more interesting is the other vulnerability that the researchers found:

Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve -- the most efficient algorithm for breaking a Diffie-Hellman connection -- is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

The researchers believe the NSA has been using this attack:

We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.
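The structure of that attack (an expensive step that depends only on the prime, then a cheap step per connection) can be seen in miniature. The following is an added example, not from the paper or the post. It uses baby-step/giant-step discrete logarithm as a stand-in for the number field sieve: its baby-step table depends only on (p, g), is built once, and is then reused to recover the session secret of every exchange in that group from public values alone. The prime is a constructed 20-bit toy so the demo runs instantly; the work ratio is the point, not the absolute cost.

```python
"""Toy model of why a shared Diffie-Hellman prime is dangerous.

Added example; not code from the Logjam paper or the post. Baby-step/
giant-step stands in for the number field sieve: the table depends only
on (p, g), so one precomputation serves every connection in that group.
"""
import math
import secrets

P = 1_000_003   # constructed toy prime (~20 bits); real export groups are 512-bit
G = 2


def keypair(p=P, g=G):
    """Fresh ephemeral secret per connection, as TLS DHE does."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def shared_secret(their_pub, my_priv, p=P):
    return pow(their_pub, my_priv, p)


def precompute(p=P, g=G):
    """Prime-dependent work, done once: baby-step table g^j -> j for j < m."""
    m = math.isqrt(p - 1) + 1
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    return m, table


def discrete_log(y, m, table, p=P, g=G):
    """Per-target work: at most m giant steps y * g^(-i*m) until a table hit."""
    step = pow(g, -m, p)              # g^(-m) via modular inverse (Python 3.8+)
    gamma = y % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    raise ValueError("no log found; y is not in the subgroup generated by g")


def eavesdrop(alice_pub, bob_pub, m, table, p=P, g=G):
    """Passive attacker: recover the session secret from the two public values."""
    a = discrete_log(alice_pub, m, table, p, g)
    return pow(bob_pub, a, p)


def demo(connections=50, p=P, g=G):
    """Attack many independent sessions with ONE precomputation; return successes."""
    m, table = precompute(p, g)
    broken = 0
    for _ in range(connections):
        a, alice_pub = keypair(p, g)
        b, bob_pub = keypair(p, g)
        if eavesdrop(alice_pub, bob_pub, m, table, p, g) == shared_secret(alice_pub, b, p):
            broken += 1
    return broken


if __name__ == "__main__":
    n = 50
    print(f"{demo(n)}/{n} sessions broken with a single (p, g) precomputation")
```

Swap in a fresh prime per server and the attacker must redo `precompute` for each one; that, not the ephemerality of the exponents, is what the shared-prime practice gave away.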

Remember James Bamford's 2012 comment about the NSA's cryptanalytic capabilities:

According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: "Everybody's a target; everybody with communication is a target."


The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. "Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it," he says. The reason? "They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption."

And remember Director of National Intelligence James Clapper's introduction to the 2013 "Black Budget":

Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.

It's a reasonable guess that this is what both Bamford's source and Clapper are talking about. It's an attack that requires a lot of precomputation -- just the sort of thing a national intelligence agency would go for.

But that requirement also speaks to its limitations. The NSA isn't going to put this capability at collection points like Room 641A at AT&T's San Francisco office: the precomputation table is too big, and the sensitivity of the capability is too high. More likely, an analyst identifies a target through some other means, and then looks for data by that target in databases like XKEYSCORE. Then he sends whatever ciphertext he finds to the Cryptanalysis and Exploitation Services (CES) group, which decrypts it if it can using this and other techniques.

Ross Anderson wrote about this earlier this month, almost certainly quoting Snowden:

As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a "stolen cert", presumably a private key obtained through hacking). Else the analyst sends the ciphertext to CES and they either decrypt it or say they can't.

The analysts are instructed not to think about how this all works. This quote also applied to NSA employees:

Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: "Do not ask about or speculate on sources or methods underpinning Bullrun."

I remember the same instructions in documents I saw about the NSA's CES.

Again, the NSA has put surveillance ahead of security. It never bothered to tell us that many of the "secure" encryption systems we were using were not secure. And we don't know what other national intelligence agencies independently discovered and used this attack.

The good news is now that we know reusing prime numbers is a bad idea, we can stop doing it.

EDITED TO ADD: The DH precomputation easily lends itself to custom ASIC design, and is something that pipelines easily. Using Bitcoin mining hardware as a rough comparison, this means a couple orders of magnitude speedup.

EDITED TO ADD (5/23): Good analysis of the cryptography.

EDITED TO ADD (5/24): Good explanation by Matthew Green.

Worse Than FailureCodeSOD: Sea of SQL

Andy writes: “Operations reported that a query was taking a long time.  Even the 'developers' of this query didn't know why it was taking a long time.”

I tell ya, folks… some submissions, you just set down and back away slowly… then hunt up a magnifying glass and a bottle of aspirin.



Planet Linux AustraliaLev Lafayette: JAGS (Just Another Gibbs Sampler) Installation

JAGS is Just Another Gibbs Sampler. It is a program for analysis of Bayesian hierarchical models using Markov Chain Monte Carlo (MCMC) simulation not wholly unlike BUGS.

cd /usr/local/src/JAGS
tar xvf JAGS-3.4.0.tar.gz
mv JAGS-3.4.0 jags-3.4.0
cd jags-3.4.0
make check
make install
make installcheck

The config script takes the following form

install=$(basename $(pwd) | sed 's%-%/%')

read more

Planet Linux AustraliaLev Lafayette: MuTect Installation

MuTect is a method developed at the Broad Institute for the reliable and accurate identification of somatic point mutations in next generation sequencing data of cancer genomes.

For complete details, please see the publication in Nature Biotechnology:

Cibulskis, K. et al. Sensitive detection of somatic point mutations in impure and heterogeneous cancer samples. Nat Biotechnology (2013).doi:10.1038/nbt.2514

Download after login.

read more

Planet Linux AustraliaLev Lafayette: PROJ.4 Cartographic Projections library installation

The PROJ.4 Cartographic Projections library was originally written by Gerald Evenden then of the USGS.

Download, extract, install.

cd /usr/local/src/PROJ
tar xvf proj-4.9.1.tar.gz
cd proj-4.9.1
make check
make install

The configure step is a one-liner that derives the install prefix from the source directory name:

./configure --prefix=/usr/local/$(basename $(pwd) | sed 's#-#/#')

read more

Planet Linux AustraliaLev Lafayette: Geospatial Data Abstraction Library Installation

GDAL (Geospatial Data Abstraction Library) is a translator library for raster and vector geospatial data formats.

Download, extract, install.

cd /usr/local/src/GDAL
tar xvf gdal-1.11.2.tar.gz
cd gdal-1.11.2
make install

The configure step is a one-liner that derives the install prefix from the source directory name:

./configure --prefix=/usr/local/$(basename $(pwd) | sed 's#-#/#')

read more

Planet Linux AustraliaLev Lafayette: Rosetta Proteins with SCons (and jam and cream)

Rosetta is a library based object-oriented software suite which provides a robust system for predicting and designing protein structures, protein folding mechanisms, and protein-protein interactions.

You'll need a license

Download, extract, load scons, and compile.

cd /usr/local/src/ROSETTA
tar xvf rosetta_src_2015.19.57819_bundle.tgz
cd rosetta_src_2015.19.57819_bundle/main/src
module load scons

read more

Planet Linux AustraliaLev Lafayette: SCons with Modules

SCons is a software construction tool (build tool, or make tool) implemented in Python, that uses Python scripts as "configuration files" for software builds.

cd /usr/local/src/SCONS
tar xvf scons-2.3.4.tar.gz
cd scons-2.3.4
python setup.py install --prefix=/usr/local/scons/2.3.4

Change to the appropriate modules directory, check for .desc, .version and .base, and create a symlink to .base:

cd /usr/local/Modules/modulefiles/scons
ln -s .base 2.3.4

read more

Planet Linux AustraliaLev Lafayette: Freesurfer cluster installation

Freesurfer is a set of tools for analysis and visualization of structural and functional brain imaging data.

Check system requirements and download. Note that registration and a license key is required for functionality, but not installation.

Create a source directory, change to it, download, extract, discover that everything is bundled, create the application directory and move everything across.

read more

Planet DebianDirk Eddelbuettel: RInside 0.2.13

A new release 0.2.13 of RInside is now on CRAN. RInside provides a set of convenience classes which facilitate embedding of R inside of C++ applications and programs, using the classes and functions provided by Rcpp.

This release works around a bug in R 3.2.0, and addressed in R 3.2.0-patched. The NEWS extract below has more details.

Changes in RInside version 0.2.13 (2015-05-20)

  • Added workaround for a bug in R 3.2.0: by including the file RInterface.h only once we no longer get linker errors due to multiple definitions of R_running_as_main_program (which is now addressed in R-patched as well).

  • Small improvements to the Travis CI script.

CRANberries also provides a short report with changes from the previous release. More information is on the RInside page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Krebs on SecuritymSpy Denies Breach, Even as Customers Confirm It

Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers of mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.

mSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. mSpy also told the BBC that claims the hackers had breached its systems and stolen data were false.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

Let’s parse that statement a bit further. No, the stolen records aren’t on the Web; rather, they’ve been posted to various sites on the Deep Web, which is only accessible using Tor. Also, I don’t doubt that mSpy was the target of extortion attempts; the fact that the company did not pay the extortionist is likely what resulted in its customers’ data being posted online.

How am I confident of this, considering mSpy has still not responded to requests for comment? I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.

Joe Natoli, director of a home care provider in Arizona, confirmed what was clear from looking at the leaked data — that he had paid mSpy hundreds of dollars a month for a subscription to monitor all of the mobile devices distributed to employees by his company. Natoli said all employees agree to the monitoring when they are hired, but that he only used mSpy for approximately four months.

“The value proposition for the cost didn’t work out,” Natoli said.

Katherine Till‘s information also was in the leaked data. Till confirmed that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter, and were still a paying customer as of my call to her.

Till added that she was unaware of a breach, and was disturbed that mSpy might try to cover it up.

“This is disturbing, because who knows what someone could do with all that data from her phone,” Till said, noting that she and her husband had both discussed the monitoring software with their daughter. “As parents, it’s hard to keep up and teach kids all the time what they can and can’t do. I’m sure there are lots more people like us that are in this situation now.”

Another user whose financial and personal data was in the cache asked not to be identified, but sheepishly confirmed that he had paid mSpy to secretly monitor the mobile device of a “friend.”

Update, May 22, 10:24 a.m.: mSpy is finally admitting that it did have a breach that exposed customer information, but they are still downplaying the numbers.


News of the mSpy breach prompted renewed calls from Sen. Al Franken for outlawing products like mSpy, which the Minnesota Democrat refers to as “stalking apps.” In a letter (PDF) sent this week to the U.S. Justice Department and Federal Trade Commission, Franken urged the agencies to investigate mSpy, whose products he called “deeply troubling” and “nothing short of terrifying” when “in the hands of a stalker or abusive intimate partner.”

Last year, Franken reintroduced The Location Privacy Protection Act of 2014, legislation that would outlaw the development, operation, and sale of such products.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”


Rondam RamblingsThe great inner tube caper

I am in the midst of a surreal experience.  Half an hour ago, a delivery truck deposited a 60 pound box on my doorstep.  It turned out to be filled with a dozen recreational inner tubes of the sort one would use to float in a swimming pool. At first I thought the delivery service had made a mistake, but no, the box was indeed addressed to me.  Both my name and address were correct.  But the

CryptogramResearch on Patch Deployment

New research indicates that it's very hard to completely patch systems against vulnerabilities:

It turns out that it may not be that easy to patch vulnerabilities completely. Using WINE, we analyzed the patch deployment process for 1,593 vulnerabilities from 10 Windows client applications, on 8.4 million hosts worldwide [Oakland 2015]. We found that a host may be affected by multiple instances of the same vulnerability, because the vulnerable program is installed in several directories or because the vulnerability is in a shared library distributed with several applications. For example, CVE-2011-0611 affected both the Adobe Flash Player and Adobe Reader (Reader includes a library for playing .swf objects embedded in a PDF). Because updates for the two products were distributed using different channels, the vulnerable host population decreased at different rates, as illustrated in the figure on the left. For Reader patching started 9 days after disclosure (after patch for CVE-2011-0611 was bundled with another patch in a new Reader release), and the update reached 50% of the vulnerable hosts after 152 days.

For Flash patching started earlier, 3 days after disclosure, but the patching rate soon dropped (a second patching wave, suggested by the inflection in the curve after 43 days, eventually subsided as well). Perhaps for this reason, CVE-2011-0611 was frequently targeted by exploits in 2011, using both the .swf and PDF vectors.
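The mechanism the researchers describe has a direct consequence for how patch coverage is measured: a host stays exploitable until every copy of the vulnerable library on it is updated, and those copies arrive through different update channels. The following is an added example, not the paper's code or data. It shows the difference between counting patched installs and counting patched hosts over a constructed inventory snapshot; the fix-version thresholds are illustrative placeholders, not the actual advisory values for CVE-2011-0611.

```python
"""Per-host patch status when one vulnerability ships in several products.

Added example for the patch-deployment study quoted above; not its code.
A host is vulnerable if ANY installed instance of the shared component is
below its product's fixed version. Inventory and thresholds are constructed.
"""
from collections import defaultdict

# Constructed: first fixed version per product bundling the vulnerable SWF library.
# Placeholder values for illustration, not the real advisory numbers.
FIXED_VERSION = {
    "flash": (10, 2, 159, 1),
    "reader": (9, 4, 4),
}


def parse_version(s):
    """Dotted version string to a tuple so Python compares it component-wise."""
    return tuple(int(x) for x in s.split("."))


def instance_vulnerable(product, version):
    return parse_version(version) < FIXED_VERSION[product]


def host_status(inventory):
    """inventory: iterable of (host, product, version). Returns {host: is_vulnerable}."""
    status = defaultdict(bool)
    for host, product, version in inventory:
        status[host] |= instance_vulnerable(product, version)
    return dict(status)


def coverage(inventory):
    """Return (fraction of installs patched, fraction of hosts fully patched)."""
    installs = [(p, v) for _, p, v in inventory]
    inst_patched = sum(not instance_vulnerable(p, v) for p, v in installs) / len(installs)
    status = host_status(inventory)
    host_patched = sum(not vuln for vuln in status.values()) / len(status)
    return inst_patched, host_patched


# Constructed snapshot: Flash already updated everywhere through its own channel,
# Reader (which bundles the same library) still pending on most hosts.
SNAPSHOT = [
    ("h1", "flash", "10.2.159.1"), ("h1", "reader", "9.4.3"),
    ("h2", "flash", "10.2.159.1"), ("h2", "reader", "9.4.3"),
    ("h3", "flash", "10.2.159.1"),
    ("h4", "flash", "10.2.159.1"), ("h4", "reader", "9.4.4"),
]

if __name__ == "__main__":
    inst, hosts = coverage(SNAPSHOT)
    print(f"installs patched: {inst:.0%}   hosts fully patched: {hosts:.0%}")
    for host, vuln in sorted(host_status(SNAPSHOT).items()):
        print(host, "VULNERABLE" if vuln else "ok")
```

Reporting the first number (installs) is what makes a rollout look further along than it is; an attacker only needs the one unpatched copy, so the second number is the one that matters for exposure.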


LongNowNeil Gaiman Seminar Tickets


The Long Now Foundation’s monthly

Seminars About Long-term Thinking

Neil Gaiman presents “How Stories Last”


Tuesday June 9, 02015 at 7:30pm Castro Theater

Long Now Members can reserve 1 seat, and purchase a second ticket for half price ($15) join today! General Tickets $30


About this Seminar:

Neil’s talk will explore the way stories, myths and tales survive over great lengths of time and why creating for the future means making works that will endure within the oral tradition.

Preternaturally eloquent, Neil Gaiman has told stories in every medium—graphic novels (The Sandman), novels (The Ocean at the End of the Lane; American Gods), short stories (Trigger Warning), children’s books (The Graveyard Book), television (Dr Who), the occasional song (“I Google You”, with Amanda Palmer), and the occasional speech that goes viral (“Make Good Art”).

Members can reserve one complimentary ticket, and purchase one additional ticket for $15.00 (50% off of the General Admission ticket price).

Photograph of Neil Gaiman by Kimberly Butler

Sociological ImagesWhether You Call It “Protest” or “Rioting” May Depend on Your Race

On average, white and black Americans have different ideas as to what’s behind the recent unrest in Ferguson and Baltimore. A Wall Street Journal/NBC poll of 508 adults found that nearly two-thirds of African Americans felt that the unrest reflected “long-standing frustrations about police mistreatment of African Americans,” compared to less than one-third of whites.

In contrast, among whites, 58% believed that African Americans were just looking for an “excuse to engage in looting and violence.” A quarter of black respondents thought the same.

Though they may see it differently, almost everyone expects the uprising to reach more cities over the summer.

Lisa Wade is a professor of sociology at Occidental College and the co-author of Gender: Ideas, Interactions, Institutions. You can follow her on Twitter and Facebook.


Planet DebianHideki Yamane: What is the most valuable challenge for Debian in this Stretch cycle?

  • restructure the website in a 21st-century style and drop deprecated info
  • automate test integration into the infrastructure: piuparts & CI
  • more tests for packages: adopt autopkgtest
  • a "go/no-go vote" for migration to the next release candidate (e.g. bodhi in Fedora)
  • more comfortable collaborative development (see GitHub's pull-request style, not mail-centric)
  • other
Your opinion?

CryptogramSpy Dust

Used by the Soviet Union during the Cold War:

A defecting agent revealed that powder containing both luminol and a substance called nitrophenyl pentadien (NPPD) had been applied to doorknobs, the floor mats of cars, and other surfaces that Americans living in Moscow had touched. They would then track or smear the substance over every surface they subsequently touched.

Planet Linux AustraliaJames Purser: Movement at the Angry Beanie station

Good news everybody!

This week I've started pulling everything together to bring both For Science! and Purser Explores The World back to the internet airwaves :)

I won't reveal what the return episode of Purser Explores The World is going to be about, but suffice to say it's going to continue the same explorations and interview style that previous episodes had.

For Science! of course is going to be the return of Mel, Mags and I doing our thing about science news and getting our rant on (well Mags and Mel more than me but anyway). I'm also going to be looking at either expanding the show to include a new segment or create a smaller podcast that will be talking to researchers around the country, not more than say 15 or 20 minutes long in which we find out a bit more about the work the researcher is doing, how they got started in science and so on.

I have some other thoughts about Angry Beanie and its direction, but they are for another blog post I think.


Worse Than FailureLike a Well-Oiled Machine

It was Housekeeping Sunday in Dirk’s small IT shop, which usually meant taking their diminutive lot of servers down for routine maintenance. Dirk thought he’d change it up this week and add some actual cleaning to their housekeeping tasks. He knew just the man for the job too - Andrew, the Big Boss’s nephew.
Andrew couldn’t be trusted with much, but he was assigned to work with Dirk on this Housekeeping Sunday, so he would have to be given a task he couldn’t possibly screw up. Several of the servers hadn’t been physically cleaned in a while and their dust bunnies had evolved into full-blown Killer Rabbits of Caerbannog.

Dirk dispatched Andrew to the IT closet that doubled as the janitor’s storage room. “All the cleaning supplies you could possibly need are in there,” Dirk assured him. “Just use the cans of computer duster though. They should already have those little red straws jammed on to them and the label says ‘Electronics Duster’ in big letters. When you see dust, just point and shoot.”

“YES SIR!” Andrew shot back, with a sarcastic salute. Dirk brushed it off and went back to the remote firewall maintenance he was working on.

About half an hour later, Dirk’s phone buzzed on his desk with a text message from Andrew. “CAN U COME IN HERE?? Comps r broken.” It was immediately followed by a swarm of buzzes from email alerts about key servers not shutting down gracefully. Gravely concerned, Dirk rushed to the IT/Janitor closet in time to see Andrew stumble out of the room coughing and looking dazed.

“I don’t know what happened, man. I sprayed the stuff at the dust like you said, things started smoking, then the servers started crashing.” Andrew recounted.

“You should shut the servers down before you start opening them and spraying computer duster in there!” Dirk said, peering inside the closet. His nostrils were greeted with the scent of burning chemicals that were not native to cans of air. On the work bench he saw empty cans of WD–40 laying there, red straws and all.

“We should get some different cleaning junk, I don’t think that works right!” Andrew blurted out from behind him.

“For once, you’re right about something Andrew…” Dirk replied, as his head began to wrap around the fact that Housekeeping Sunday just became Disaster Control Sunday. But at least all the servers were now well-lubricated.

Ed. note: Someone (most specifically, me) did not get the next episode of TDWTF:Live! edited in time for this week. Our next episode, with John Lange, will appear next week. - Remy

Planet DebianMartin-Éric Racine: xf86-video-geode 2.11.17

This morning, I pushed out version 2.11.17 of the Geode X.Org driver. This is the driver used by the OLPC XO-1 and by a plethora of low-power desktops, micro notebooks and thin clients. This is a minor release. It merges conditional support for the OpenBSD MSR device (Marc Ballmer, Matthieu Herrb), fixes a condition that prevents compiling on some embedded platforms (Brian A. Lloyd) and upgrades the code for X server 1.17 compatibility (Maarten Lankhorst).

Pending issues:

  • toggle COM2 into DDC probing mode during driver initialization
  • reset the DAC chip when exiting X and returning to vcons
  • fix a rendering corner case with Libre Office

Planet DebianEnrico Zini: love-thy-neighbor

Love thy neighbor as thyself

‘Love thy neighbor as thyself’, words which astoundingly occur already in the Old Testament.

One can love one’s neighbor less than one loves oneself; one is then the egoist, the racketeer, the capitalist, the bourgeois, and although one may accumulate money and power one does not of necessity have a joyful heart, and the best and most attractive pleasures of the soul are blocked.

Or one can love one’s neighbor more than oneself—then one is a poor devil, full of inferiority complexes, with a longing to love everything and still full of hate and torment towards oneself, living in a hell of which one lays the fire every day anew.

But the equilibrium of love, the capacity to love without being indebted to anyone, is the love of oneself which is not taken away from any other, this love of one’s neighbor which does no harm to the self.

(From Herman Hesse, "My Belief")

I always have a hard time finding this quote on the Internet. Let's fix that.

Planet DebianRhonda D'Vine: Berge

I wrote well over one year ago about Earthlings. It really did have some impact on my life. Nowadays I try to avoid animal products where possible, especially for my food. And in the context of vegan information that I tracked I stumbled upon a great band from Germany: Berge. They recently started a deal with their record label which says that if they receive one million clicks within the next two weeks on their song 10.000 Tränen their record label is going to donate 10.000,- euros to a German animal rights organization. Reason enough for me to share this band with you! :)
(For those who are puzzled by the original upload date of the video: don't let yourself get confused, the call for it is from this Monday.)

  • 10.000 Tränen: This is the song that needs the views. It's a nice tune with great lyrics to think about. Even though it's in German it has English subtitles. :)
  • Schauen was passiert: In the light of 10.000 Tränen it was hard for me to select other songs, but this one sounds nice. "Let's see what happens". :)
  • Meer aus Farben: I love colors. And I hate the fact that most conference shirts are black only. Or that it seems to be impossible to find colorful clothes and shoes for tall women.

Like always, enjoy!


Planet Linux AustraliaTridge on UAVs: APM:Plane 3.3.0 released

The ardupilot development team is proud to announce the release of version 3.3.0 of APM:Plane. This is a major release with a lot of changes. Please read the release notes carefully!

The last stable release was 3 months ago, and since that time we have applied over 1200 changes to the code. It has been a period of very rapid development for ArduPilot. Explaining all of the changes that have been made would take far too long, so I've chosen some key changes to explain in detail, and listed the most important secondary changes in a short form. Please ask for details if there is a change you see listed that you want some more information on.

Arming Changes

This is the first release of APM:Plane where ARMING_CHECK and ARMING_REQUIRE both default to enabled. That means when you upgrade if you didn't previously have arming enabled you will need to learn about arming your plane.

Please see this page for more information on arming:

I know many users will be tempted to disable the arming checks, but please don't do that without careful thought. The arming checks are an important part of ensuring the aircraft is ready to fly, and a common cause of flight problems is to takeoff before ArduPilot is ready.

Re-do Accelerometer Calibration

Due to a change in the maximum accelerometer range on the Pixhawk all users must re-do their accelerometer calibration for this release. If you don't then your plane will fail to arm with a message saying that you have not calibrated the accelerometers.

Only 3D accel calibration

The old "1D" accelerometer calibration method has now been removed, so you must use the 3D accelerometer calibration method. The old method was removed because a significant number of users had poor flights due to scaling and offset errors on their accelerometers when they used the 1D method. My apologies for people with very large aircraft who find the 3D method difficult.

Note that you can do the accelerometer calibration with the autopilot outside the aircraft which can make things easier for large aircraft.


After an auto-landing the autopilot will now by default disarm after LAND_DISARMDELAY seconds (with a default of 20 seconds). This feature is to prevent the motor from spinning up unexpectedly on the ground after a landing.

HIL_MODE parameter

It is now possible to configure your autopilot for hardware in the loop simulation without loading a special firmware. Just set the parameter HIL_MODE to 1 and this will enable HIL for any autopilot. This is designed to make it easier for users to try HIL without having to find a HIL firmware.

SITL on Windows

The SITL software in the loop simulation system has been completely rewritten for this release. A major change is to make it possible to run SITL on native windows without needing a Linux virtual machine. There should be a release of MissionPlanner for Windows soon which will make it easy to launch a SITL instance.

The SITL changes also include new backends, including the CRRCSim flight simulator. This gives us a much wider range of aircraft we can use for SITL. See for more information.

Throttle control on takeoff

A number of users had problems with pitch control on auto-takeoff, and with the aircraft exceeding its target speed during takeoff. The auto-takeoff code has now been changed to use the normal TECS throttle control which should solve this problem.

Rudder only support

There is a new RUDDER_ONLY parameter for aircraft without ailerons, where roll is controlled by the rudder. Please see the documentation for more information on flying with a rudder only aircraft: ... udder_only

APM1/APM2 Support

We have managed to keep support for the APM1 and APM2 in this release, but in order to fit it in the limited flash space we had to disable some more features when building for those boards. For this release the AP_Mount code for controlling camera mounts is disabled on APM1/APM2.

At some point soon it will become impractical to keep supporting the APM1/APM2 for planes. Please consider moving to a 32 bit autopilot soon if you are still using an APM1 or APM2.

New INS code

There have been a lot of changes to the gyro and accelerometer handling for this release. The accelerometer range on the Pixhawk has been changed to 16g from 8g to prevent clipping on high vibration aircraft, and the sampling rate on the lsm303d has been increased to 1600Hz.

An important bug has also been fixed which caused aliasing in the sampling process from the accelerometers. That bug could cause attitude errors in high vibration environments.

Numerous Landing Changes

Once again there have been a lot of improvements to the automatic landing support. Perhaps most important is the introduction of a smooth transition from landing approach to the flare, which reduces the tendency to pitch up too much on flare.

There is also a new parameter TECS_LAND_PMAX which controls the maximum pitch during landing. This defaults to 10 degrees, but for many aircraft a smaller value may be appropriate. Reduce it to 5 degrees if you find you still get too much pitch up during the flare.

Other secondary changes in this release include:

  • a new SerialManager library which gives much more flexible management of serial port assignment
  • changed the default FS_LONG_TIMEOUT to 5 seconds
  • raised default IMAX for roll/pitch to 3000
  • lowered default L1 navigation period to 20
  • new BRD_SBUS_OUT parameter to enable SBUS output on Pixhawk
  • large improvements to the internals of PX4Firmware/PX4NuttX for better performance
  • auto-formatting of microSD cards if they can't be mounted on boot (PX4/Pixhawk only)
  • a new PWM based driver for the PulsedLight Lidar to avoid issues with the I2C interface
  • fixed throttle forcing to zero when disarmed
  • only reset mission on disarm if not in AUTO mode
  • much better handling of steep landings
  • added smooth transition in landing flare
  • added HIL_MODE parameter for HIL without a special firmware
  • lowered default FS_LONG_TIMEOUT to 5 seconds
  • mark old ELEVON_MIXING mode as deprecated
  • fixed 50Hz MAVLink support
  • support DO_SET_HOME MAVLink command
  • fixed larger values of TKOFF_THR_DELAY
  • allow PulsedLight Lidar to be disabled at a given height
  • fixed bungee launch (long throttle delay)
  • fixed a bug handling entering AUTO mode before we have GPS lock
  • added CLI_ENABLED parameter
  • removed 1D accel calibration
  • added EKF_STATUS_REPORT MAVLink message
  • added INITIAL_MODE parameter
  • added TRIM_RC_AT_START parameter
  • added auto-disarm after landing (LAND_DISARMDELAY)
  • added LOCAL_POSITION_NED MAVLink message
  • avoid triggering a fence breach in final stage of landing
  • rebuild glide slope if we are above it and climbing
  • use TECS to control throttle on takeoff
  • added RUDDER_ONLY parameter to better support planes with no ailerons
  • updated Piksi RTK GPS driver
  • improved support for GPS data injection (for Piksi RTK GPS)
  • added NAV_LOITER_TO_ALT mission item
  • fixed landing approach without an airspeed sensor
  • support RTL_AUTOLAND=2 for landing without coming to home first
  • disabled camera mount support on APM1/APM2
  • added support for SToRM32 and Alexmos camera gimbals
  • added support for Jaimes mavlink enabled gimbal
  • improved EKF default tuning for planes
  • updated support for NavIO and NavIO+ boards
  • updated support for VRBrain boards
  • fixes for realtime threads on Linux
  • added simulated sensor lag for baro and mag in SITL
  • made it possible to build SITL for native Windows
  • switched to faster accel sampling on Pixhawk
  • added coning corrections on Pixhawk
  • set ARMING_CHECK to 1 by default
  • disable NMEA and SiRF GPS on APM1/APM2
  • support MPU9255 IMU on Linux
  • updates to BBBMINI port for Linux
  • added TECS_LAND_PMAX parameter
  • switched to synthetic clock in SITL
  • support CRRCSim FDM backend in SITL
  • new general purpose replay parsing code
  • switched to 16g accel range in Pixhawk
  • added FENCE_AUTOENABLE=2 for disabling just fence floor
  • added POS dataflash log message
  • changed GUIDED behaviour to match copter
  • added support for a 4th MAVLink channel
  • support setting AHRS_TRIM in preflight calibration
  • fixed a PX4 mixer out of range error

Many thanks to everyone who contributed to this release. We have a lot of new developers contributing which is really great to see! Also, apologies for those who have contributed a pull request but not yet had it incorporated (or had feedback on the change). We will be trying to get to as many PRs as we can soon.

Best wishes to all APM:Plane users from the dev team, and happy flying!

Krebs on SecuritySecurity Firm Redefines APT: African Phishing Threat

A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” and it’s a term much used among companies that sell cybersecurity services in response to breaches from state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

The cover art for the root9B report.

“While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said was targeted financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

“It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about its research, its definition of APT can more accurately be described as “African Phishing Threat.”

The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

The problem with that linkage is that although carbon2go[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2go home for its DNS operations, including these clowns.
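The weakness the two paragraphs above describe is a base-rate problem: a pivot such as a shared name server is only evidence of a link if few unrelated domains share it. The following is an added example (not from the article) that scores candidate attributions by how specific each shared attribute is, over a constructed WHOIS-style dataset with placeholder domains, e-mail addresses and actor labels.

```python
from typing import Dict, List, Optional

# Constructed WHOIS-style records with placeholder domains, addresses and
# actor labels; none of these are real indicators from the article.
RECORDS: List[Dict[str, Optional[str]]] = [
    {"domain": "fakebank-a.example", "email": "registrant-x@example.net",
     "ns": "ns1.shared-dns.example", "actor": "phisher"},
    {"domain": "fakebank-b.example", "email": "registrant-x@example.net",
     "ns": "ns1.shared-dns.example", "actor": "phisher"},
    {"domain": "fakebank-c.example", "email": "registrant-y@example.net",
     "ns": "ns1.shared-dns.example", "actor": "phisher"},
    {"domain": "espionage-c2.example", "email": "privacy-proxy@example.org",
     "ns": "ns1.shared-dns.example", "actor": "apt-group"},
    {"domain": "pharma-spam.example", "email": "spammer@example.net",
     "ns": "ns1.shared-dns.example", "actor": "spammer"},
    {"domain": "legit-shop.example", "email": "owner@example.com",
     "ns": "ns1.shared-dns.example", "actor": "benign"},
    {"domain": "legit-blog.example", "email": "blogger@example.com",
     "ns": "ns2.other-dns.example", "actor": "benign"},
    # A newly observed domain with no attribution yet.
    {"domain": "unknown-new.example", "email": "someone@example.org",
     "ns": "ns1.shared-dns.example", "actor": None},
]

# Attributes an analyst might pivot on: registrant e-mail and name server.
PIVOT_FIELDS = ("email", "ns")


def pivot_precision(records, field, value, actor, exclude_domain=None) -> float:
    """Of the *other* domains sharing `value` in `field`, what fraction belong
    to `actor`?  This is the base rate to check before treating a shared
    attribute as evidence of a link to that actor."""
    others = [r for r in records
              if r[field] == value and r["domain"] != exclude_domain]
    if not others:
        return 0.0
    return sum(1 for r in others if r["actor"] == actor) / len(others)


def candidate_actors(records, domain) -> Dict[str, float]:
    """For each known actor, the strongest single pivot from `domain`."""
    target = next(r for r in records if r["domain"] == domain)
    actors = {r["actor"] for r in records
              if r["actor"] and r["domain"] != domain}
    return {actor: max(pivot_precision(records, f, target[f], actor, domain)
                       for f in PIVOT_FIELDS)
            for actor in sorted(actors)}


def attribute_domain(records, domain, min_precision=0.8) -> Optional[str]:
    """Attribute only when the best pivot is specific enough; a name server
    shared by everyone never clears the bar on its own."""
    scores = candidate_actors(records, domain)
    actor, score = max(scores.items(), key=lambda kv: kv[1])
    return actor if score >= min_precision else None


if __name__ == "__main__":
    for d in ("fakebank-a.example", "unknown-new.example"):
        print(d, candidate_actors(RECORDS, d), "->", attribute_domain(RECORDS, d))
```

In the constructed data, the shared registrant e-mail links the fake-bank domains to each other with precision 1.0, while the shared name server links any of them to the espionage domain with precision 1/6, so the name-server pivot alone attributes nothing.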

From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

For example, most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “,”,” and “”.

Each of these emails has long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

The domain rolexad[dot]com was flagged as early as 2008 by, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

Bob Zito, a spokesperson for root9B, said “the team stands by the report as 100 percent accurate and it has been received very favorably by the proper authorities in Washington (and others in the cyber community, including other cyber firms).”

I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

“Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

Blasco’s comments may sound harsh, but it is true that root9B Chairman Joe Grano bought large quantities of the firm’s stock roughly a week before issuing this report. On May 14, 2015, root9B issued its first quarter 2015 financial results.

There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.

Planet DebianNorbert Preining: Shishiodoshi or Us and They – On the perceived exclusivity of Japanese

The other day I received from my Japanese teacher an interesting article by Yamazaki Masakazu 山崎正和 comparing garden styles, and in particular the attitude towards and presentation of water in Japanese and European gardens (page 1, page 2). The author’s list of achievements is long: various professorships, dramatist, literary critic, recognized as a Person of Cultural Merit, just to name a few. I was looking forward to an interesting and high quality article!

The article itself introduces the reader to 鹿おどし Shishiodoshi, one of the standard ingredients of a Japanese garden: It is a device where water drips into a bamboo tube that is also a seesaw. At some point the water in the bamboo tube makes the seesaw switch over and the water pours out, after which the seesaw returns to the original position and a new cycle begins.


The author describes his feelings and thoughts about the shishiodoshi, and in particular connects human life (stress and relief, cycles), the flow of time, and some other concepts with the shishiodoshi. Up to here it is a wonderful article providing interesting insights into the way the author thinks. Unfortunately, the author then tries to underline his ideas by comparing the Japanese shishiodoshi with European style water fountains, describing the former with all favorable properties and full of deep meaning, while the latter is qualified as beautiful and nice, but bare of any deeper meaning.

I won’t go into details about why the whole comparison is a bad one anyway: he is comparing Baroque style fountains, a very limited period, and furthermore ignores the fact that water fountains are not genuinely European (isn’t there one in the Kenrokuen, one of the three most famous gardens in Japan!?), nor does he consider any other “water-installation” that might be available. What really destroys the in principle very nice article is the tone:

The general tone of the article then can be summarized into: “The shishiodoshi is rich on meaning, connects to the life of humans, instigates philosophical reflections, represents nature, the flow of time etc. The water fountain is beautiful and gorgeous, but that is all.”

I don’t think that this separation, or this negative undertone, was created on purpose by the author. A person of his stature is supposedly above this level of primitive comparison. I believe that it is nothing else but a consequence of upbringing and the general attitude that permeates the whole society with this feeling of separateness.

Us and They

The article repeatedly provides sentences like “Japanese people and Western people have different tastes..” (日本人は西洋人と違った独特の好みを持っていたのである). About 10 times in this short article expressions like “Japanese” and “Westerner” appear, leaving the reader with a bitter taste of an author that considers first the Japanese a people (what about Ainu, Ryukyu, etc?), and second that the Japanese are exclusive in the sense that they are set apart from the rest of the world in their way of thinking, living, being.

What puzzles me is that this is not only a singular opinion, but a very general trend in the Japanese media, TV, radio, newspapers, books. Everyone considers “Japan” and “Japanese” as something that is fundamentally and profoundly different from everyone else in the world.

There is “We – the Japanese” (and that doesn’t mean nationality or passport, but blood line!), and there are “They – the Rest” or, as the way of writing and description on many occasions suggests, “They – the Barbarians”.

A short anecdote will underline this: One of the favorite TV talk show / pseudo-documentary formats is about Japanese living abroad. That day a lady married in Paris was interviewed. What followed was a guided tour through Paris showing: Dirt in the gutter, street cleaning cars, waste disposal places. Yes, that was all. Just about the “dirt”. Of course, at length the (unfortunately only apparent) cleanliness of Japanese cities and neighborhoods is mentioned and shown to remind everyone how wonderful Japan is and how dirty the Barbarians. I don’t want to say that I consider Japan more dirty than most other countries – just the visible part is clean, the moment you step a bit aside and around the corner, there is the worst trash just thrown away without consideration. Anyway.

To return to the topic of “Us and They” – I consider us all humans, first and foremost, and nationality, birthplace, and all that are just by chance. I do NOT reject cultural differences, they are here, of course. But cultural differences are one thing, separating oneself and one’s perceived people from the rest of the world is another.


I repeat, I don’t think that the author had any ill intentions, but it would have been nicer if the article didn’t make such a stark distinction. He could have written about Shishiodoshi and water fountains without using the “Us – They” categorization. He could have compared other water installations, could have discussed the long tradition of small ponds in European gardens, just to name a few things. But the author chose to highlight differences instead of commonalities.

It is the “Us against Them” feeling that often makes life in Japan for a foreigner difficult. Japanese are not special, Austrians, too, are not special, nor are Americans, Russians, Tibetans, or any other nationality. No nationality is special, we are all humans. Maybe at some point this will arrive also in the Japanese society and thinking.



Planet DebianGunnar Wolf: Feeling somewhat special

Today I feel more special than I have ever felt.

Or... Well, or something like that.

Thing is, there is no clear adjective for this — But I successfully finished my Specialization degree! Yes, believe it or not, today I can formally say I am Specialist in Informatic Security and Information Technologies (Especialista en Seguridad Informática y Tecnologías de la Información), as awarded by the Higher School of Electric and Mechanic Engineering (Escuela Superior de Ingeniería Mecánica y Eléctrica) of the National Polytechnical Institute (Instituto Politécnico Nacional).

In Mexico and most Latin American countries, degrees are usually incorporated into your name as if they were a nobiliary title. Thus, when graduating from Engineering studies (pre-graduate university level), I became "Ingeniero Gunnar Wolf". People graduating from further postgraduate programs get to introduce themselves as "Maestro Foobar Baz" or "Doctor Quux Noox". And yes, a Specialization is a small postgraduate program (I often say, the smallest possible postgraduate). And as a Specialist... What can I brag about? Can I say I am Specially Gunnar Wolf? Or Special Gunnar Wolf? Nope. The honorific title for a Specialization is a pointer to null, and when cast into a char* it might corrupt your honor-recognizing function. So I'm still Ingeniero Gunnar Wolf, for information security reasons.

So that's the reason I am now enrolled in the Masters program. I hope to write an addendum to this message soonish (where soonish ≥ 18 months) saying I'm finally a Maestro.

As a sidenote, many people asked me: Why did I take on the specialization, which is a degree too small for most kinds of real work recognition? Because it's been around twenty years since I last attended a long-term scholar program as a student. And my dish is quite full with activities and responsibilities. I decided to take a short program, designed for 12 months (I graduated in 16, minus two months that the university was on strike... Quite good, I'd say ;-) ) to see how I fared on it, and only later jump on the full version.

Because, yes, to advance my career at the university, I finally recognized and understood that I do need postgraduate studies.

Oh, and what kind of work did I do for this? Besides the classes I took, I wrote a thesis on a model for evaluating covert channels for establishing secure communications.

Geek FeminismLinkspam, Will Robinson! Linkspam! (19 May 2015)

  • Where Does Your Pipeline Lead? | Life as I Know It: “If you’re thinking about getting into the tech industry or wondering how to stay in the tech industry in the face of pervasive toxic environments, I encourage you to broaden your horizons about what ‘being in tech’ can look like. What is your goal? If you want to use technology to make a better life for yourself, think carefully about the pipeline you enter and where you want it to lead.”
  • Marvel replaces Black Widow with Captain America for its toy line | BoingBoing: “In other words, not only is Black Widow ridiculously underrepresented in Avengers merchandise—she’s also actively erased from her own scenes. Well done Marvel.”
  • Happy Birthday to Inge Lehmann, the Woman Who Discovered Earth’s Inner Core | Smart News | Smithsonian: “Her idea was revolutionary. When Lehmann published her findings in 1936, her solid core model was quickly adopted by the scientific community. Lehmann’s theory was finally proven right in 1970, when new, more sensitive seismographs picked up seismic waves bouncing off the Earth’s solid core.”
  • Interview: ‘Nimona’ Creator Noelle Stevenson | NPR: “Like a lot of young women, I went through an entire period where I hated female characters — I didn’t want to read about them! I thought I was going to be the cool girl who was not like other girls. And that’s so harmful.”
  • ATP Shownote Data | Kieran Healy: “When doing this kind of thing it can be helpful to look back on what your past practice has been. For example, it can be useful to audit one’s own habits of linking and engagement. Often exclusion is less a matter of explicit boundary policing (though God knows there’s enough of that in the tech sector) and more a matter of passive homophily.”
  • Project Update: The Electric Blanket is DONE! | Tech Musings: “Mrs. Parenteau and her merry band of 3rd grade scientists/sewers have finally finished their electric blanket project! The final result is a quilt containing approximately 45 squares that light up. Currently hanging in the Science hallway, it’s fun to watch students interact with it by pressing the different switches to light up the quilt. This was a challenging project for the kids and we are proud of their hard work and perseverance with the e-textile materials – especially the conductive thread.”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

TEDDoes body language help a TED Talk go viral? 5 nonverbal patterns from blockbuster talks

One nonverbal factor that correlates with higher ratings of talks and speakers? Hand movement. Photo: James Duncan Davidson. Collage by Josh Roos/TED.

Hand gestures might make a talk feel more compelling. In a poll that asked volunteers to rate TED Talks, there appeared to be a correlation between the number of hand gestures a speaker made and how well people rated their talks. Photo: James Duncan Davidson. Collage by Josh Roos/TED.

All TED Talks are good. Why do only some go viral?

Over the last year, a human behavior consultancy called Science of People set out to answer this question. To do so, says founder Vanessa Van Edwards, they polled 760 volunteers, asking them to rate hundreds of hours of TED Talks, looking for specific nonverbal and body language patterns. To ensure comparability, they limited talks to videos that had been posted on in 2010 and were between 15 and 20 minutes long.

So why do some TED Talks rack up millions of views, while others on similar topics get less attention? Van Edwards points to five nonverbal patterns that the poll revealed:

  1. “It’s not what you say, it’s how you say it.” Van Edwards found that people rated speakers comparably on charisma, credibility and intelligence whether they watched talks with sound — or on mute.
  2. “Jazz hands rock.” Van Edwards noted a correlation between the number of hand gestures a speaker makes in a talk and the number of views the talk receives.
  3. “Scripts kill your charisma.” Van Edwards found that speakers who offered more vocal variety showed better ratings on charisma and credibility. What’s especially interesting: people rated speakers who clearly ad libbed in their talks higher than those who stayed on script.
  4. “Smiling makes you look smarter.” Van Edwards found that the longer a TED speaker smiled, the higher their perceived intelligence ratings.
  5. “You have seven seconds.” Van Edwards found that first impressions matter a lot, and that people had largely formed their opinion about a speaker based on the first several seconds.

We spoke to Van Edwards to find out more.

What initially piqued your interest in looking at TED Talks?

We’re always looking for something that is counter to logic. I’m a TED junkie, and I was searching on the TED Blog one day, and I saw two talks that had similar titles. They were both on leadership and both given the same year. Both talks are great. But one, Simon Sinek’s talk, had 20-something million views, and the other had far fewer. I thought, “There’s a puzzle here.” You have people who are not quote-unquote famous — they usually don’t have massive Twitter followings, especially not before they did their TED Talk. So it’s not a celebrity factor and, in this society, I think that’s rare. When TED Talks go viral, there’s something else going on.

I had to figure out how we could turn this into an experiment. We like to base our projects on existing academic research, and there are a couple studies out there that look at how nonverbal cues and thin-slicing can affect people’s perceptions of a teacher. TED Talks are teaching, in many ways. So we decided to test the things that were in the existing research about thin-slicing, using TED Talks.

At TEDxVilnius, photographer Jurga Anusauskiene set out to capture speakers’ nonverbal communication in photos. Here, one of those collages. Photo: Jurga Anusauskiene/TEDxVilnius

At TEDxVilnius, photographer Jurga Anusauskiene captured speakers’ nonverbal communication in photos. Here, speaker Daria Kaleniuk gives a talk on corruption, using a variety of hand gestures and body stances. Photo: Jurga Anusauskiene/TEDxVilnius

And what is thin-slicing?

Thin-slicing is what we do when we first see someone: we take a very quick snapshot of who we think they are. We gauge very quickly, in less than a second: do we think that they’re credible? Do we think they’re competent? Do we think that they’re charismatic? And we do that very, very quickly based on very few cues, almost always nonverbal.

Let’s talk through some of the patterns you noticed. I was pretty shocked by the conclusion that people rate speakers comparably whether they listened to the content of the talk or not. How did you find that?

We did a couple different screenings of the talks. We have about 40,000 subscribers on our website, and get about 100,000 to 200,000 visitors a month, so we’re able to get a lot of data quickly. In one of the screenings, we had half the participants watch talks on silent, and half watch talks with sound. We asked both of the groups the exact same questions: How would you rate this talk overall? How charismatic is the speaker? How intelligent is the speaker? How credible is the speaker? And we found that the people who watched the talks on mute rated speakers almost exactly the same as the people who had watched the talks with sound. The one exception was David Blaine’s TED Talk, I think because it included a lot of videos of him from previous endeavors and that confused people. For his talk, the ratings were different.

I’m also curious why you think hand gestures make such a difference in how a talk is rated.

One of the things that past research has suggested is that hand gestures — even nonsensical ones — make you seem more charismatic. That’s a really easy thing to test. So we had four different people in our lab — people who are trained in body language — count the number of hand movements. Any kind of up-and-down, side-to-side move. We tallied all of them and took the average. Then, we looked at the number of hand gestures in each talk and ranked the talks from top to bottom. And we found that the talks that had the most hand gestures correlated with the talks that were overall favorites. Temple Grandin has a lot of hand gestures, Jamie Oliver had a lot of hand gestures — it correlated with people’s favorite talks.

This was a total surprise. I would’ve guessed that the talks with the most hand gestures were going to have a lower rating, because it was distracting, and that the middle hand-gesture talks would be the most charismatic. That was not the case. We don’t know why, but we have a hypothesis: If you’re watching a talk and someone’s moving their hands, it gives your mind something else to do in addition to listening. So you’re doubly engaged. For the talks where someone is not moving their hands a lot, it’s almost like there’s less brain engagement, and the brain is like, “This is not exciting” — even if the content’s really good.

Your third conclusion is, “Scripts kill your charisma.” How so?

We found that the more vocal variety a speaker had, the higher their charisma and credibility ratings were. Something about vocal variety links to charisma and competence. To look at this, we first had to rate vocal variety on our side. We looked at cadence, volume, pitch and emotionality. Speakers that were using lots of different pacing — who yelled at the audience and occasionally got really quiet, who sped up and then slowed down — the higher charisma and credibility ratings they got.

Again, we think this has to do with the fact that we can only pay attention for so long. The longer a talk is — even at 18 minutes — there are points where you kind of think about dinner, think about traffic, think about email. And so we think that the vocal variety engages the brain when it likes to sleep on the content.

TED favorite Larry Lessig spoke at TEDxVilnius, and this image captures his masterful use of body language to punctuate his words. Photo: Jurga Anusauskiene/TEDxVilnius

Hand gestures from a powerful talk by Larry Lessig, photographed at TEDxVilnius. Photo: Jurga Anusauskiene/TEDxVilnius

Talk to me about how smiling affected ratings.

This totally surprised us as well. We thought, and existing research has said, that leaders actually smile less. But what we found is that the longer someone smiles, the higher their intelligence ratings went. We’re not sure exactly what this is, but we think that perhaps it’s a relatability thing. The speakers who smiled from stage, they almost seemed more human to people who were watching. And so the viewers went, “Ah! This is someone I could get to know.”

What about the seven-second rule?

At the very end, we decided we had to test: do people really make their decision about someone within the first few seconds? So we took the same videos, we [edited them down to] the first seven seconds, and had people watch. We gave these viewers the exact same questions as people who had watched the entire talk. And we found that the ratings overall — who people liked overall and who they didn’t like — matched, whether they’d watched the first seven seconds or the full talk. We think that the brain actually decides as soon as that person takes the stage and begins speaking, “You know what? I’m gonna like this talk.”

What do you think that future speakers — and even TED as an organization — can take from this research? Obviously, the content of talks does matter. But how can this information about nonverbal communication help lead to better talks?

I hope that this can help TED speakers strengthen their verbal messages. I like to think about using these nonverbal shortcuts as a way to bold or underline spoken words. Anyone with a big idea should be able to express their passion both verbally and nonverbally. This study gives relatively easy nonverbal tools that TED speakers can use to enhance their stage presence so their idea spreads further.

Another of Jurga Anusauskiene's body language collages from TEDxVilnius. Photo: Jurga Anusauskiene/ TEDxVilnius

While Darlene Damm talked about collaboration at TEDxVilnius, Jurga Anusauskiene captured her hand motions and gestures. Photo: Jurga Anusauskiene/ TEDxVilnius

Planet DebianLars Wirzenius: Software development estimation

Acceptable estimations for software development:

  • Almost certainly doable in less than a day.
  • Probably doable in less than a day, almost certainly not going to take more than three days.
  • Probably doable in less than a week, but who knows?
  • Certainly going to take longer than a week, and nobody can say how long, but if you press me, the estimate is between two weeks and four months.

Reality prevents better accuracy.

RacialiciousQuoted: Race + Waco, Texas’ Real Life FX Drama

One of the most distinct characteristics of white privilege is the privilege to be unique. When white people commit violent acts, they are treated as aberrations, slips described with adjectives that show they are unusual and in no way representative of the broader racial group to which they belong.

In fact, in much of the coverage of the Waco shootings, the race of the gang members isn’t even mentioned, although pictures of the aftermath show groups of white bikers being held by police. By comparison, the day after Freddie Gray died in the custody of police officers in Baltimore, not only did most coverage mention that Gray was black, but also included a quote from the deputy police commissioner noting Gray was arrested in “a high-crime area known to have high narcotic incidents,” implicitly smearing Gray and the entire community.

How did press reports quote the police in Waco? “We’ve been made aware in the past few months of rival biker gangs … being here and causing issues,” Waco police Sgt. W. Patrick Swanton said. Causing issues? Cops were reportedly so worried about the bikers gathering in the Waco strip mall that they had 12 officers as well as officers from the Texas Department of Public Safety stationed outside the restaurant.

Now there’s word that the biker gangs have issued repeated threats against the police in the aftermath of the Waco “melee” as The New York Times headline called it. During the uprisings in Baltimore, I saw a flurry of tweets about black people disrespecting property and throwing rocks at police. Now that these biker gangs have issued actual death threats, why am I not now seeing tons of Twitter posts about white people disrespecting the lives of police?

Waco Coverage Shows Double Standard on Race, by Sally Kohn; via, May 19, 2015



Planet DebianThorsten Alteholz: alpine and UTF-8 and Debian lists

This is a note for my future self: When writing an email with only “charset=US-ASCII”, alpine creates an email with:

Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

and everything is fine.

In case of UTF-8 characters inside the text, alpine creates something like:

Content-Type: MULTIPART/MIXED; BOUNDARY="705298698-1667814148-1432049085=:28313"

and the only available part contains:

Content-Type: TEXT/PLAIN; format=flowed; charset=UTF-8
Content-Transfer-Encoding: 8BIT

Google tells me that the reason for this is:

Alpine uses a single part MULTIPART/MIXED to apply a protection wrapper around QUOTED-PRINTABLE and BASE64 content to prevent it from being corrupted by various mail delivery systems that append little (typically advertising) things at the end of the message.

Ok, this behavior might come from bad experiences and it seems to work most of the time. Unfortunately if one sends a signed email to a Debian list that checks whether the signature is valid (like for example debian-lts-announce), such an email will be rejected with:

Failed to understand the email or find a signature: UDFormatError:
Cannot handle multipart messages not of type multipart/signed


Sociological ImagesThe Relative Importance of Poverty to Catholicism

At the New York Times, Ross Douthat has called out liberals who think, and declare, that churches today are more focused on “culture war” issues like abortion and homosexuality than on poverty.

Ridiculous, says Douthat. Religious organizations spend only “a few hundred million dollars” on pro-life causes and “traditional marriage” but tens of billions on charities, schools, and hospitals. Douthat and his sources, though, lump all spending together rather than separating domestic U.S. budgets from those going to the developing world.  But even in the U.S. and other wealthy countries, abortion and gay marriage are largely legislative and legal matters. Building schools and hospitals and then keeping them running – that takes real money.

Why then do liberals get this impression about the priorities of religious organizations? Douthat blames the media. He doesn’t do a full O’Reilly and accuse the media (liberal, it goes without saying) and others of ganging up in a war on religion, but that’s the subtext.

Anyone who tells you that America’s pastors are obsessed with homosexuality or abortion only hears them through a media filter. You can attend Masses or megachurches for months without having those issues intrude.

Actually, the media do not report on the sermons and homilies of local clergy at all, whether they are urging their flocks to live good lives, become wealthy, help the needy, or oppose gay marriage. Nor is there a database of these Sunday texts, so we don’t know precisely how much American churchgoers are hearing about any of these topics. Only a handful of clergy get media coverage, and that coverage focuses on their pronouncements about controversial issues. As Douthat says, liberals are probably reacting to “religious leaders who make opposition to abortion more of a political priority than publicly-funded antipoverty efforts.”

Of his own Catholic church, Douthat adds, “You can bore yourself to tears reading denominational statements and bishops’ documents (true long before Pope Francis) with a similar result.” Maybe he has done this reading, and maybe he does think that his Church does not let “those issues intrude.” Or as he puts it, “The belief that organized religion is organized around culture war is largely a conceit of the irreligious.”

But here, thanks to the centralized and hierarchical structure of the Church, we can get data that might reveal what the Church is worried about. As Douthat implies, the previous pope (Benedict XVI, the former Joseph Ratzinger), was more concerned about culture-war issues than is the current pope.

How concerned? I went to Lexis-Nexis. I figured that papal pronouncements on these issues would be issued in masses, in official statements, and in addresses.  For each of those three terms, I searched for “Pope Benedict” with four “culture-war” terms (Abortion, Homosexuality, Condom, and Birth control) and Poverty.

Abortion was the big winner.  Poverty was referred to in more articles than were the other individual culture-war terms.  But if those terms are combined into a single bar, its clear that poverty as a papal concern is dwarfed by the attention to these other issues. The graph below shows the data for “mass.”

This is not the best data. It might reflect the concerns of the press more than those of the Church. Also, some of those Lexis-Nexis articles are not direct hits. They might reference an “address” or “statement” by someone else. But there’s no reason to think that these off-target citations are skewed towards Abortion and away from Poverty. So it’s completely understandable that liberals, and perhaps non-liberals as well, have the impression that Big Religion has a big concern with matters of sex and reproduction.

Cross-posted at Montclair SocioBlog.

Jay Livingston is the chair of the Sociology Department at Montclair State University. You can follow him at Montclair SocioBlog or on Twitter.


CryptogramMore on Chris Roberts and Avionics Security

Last month, I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight:

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There's some serious surveillance going on.

We know a lot more of the back story from the FBI's warrant application. He had been interviewed by the FBI multiple times previously, and was able to take control of at least some of the planes' controls during flight.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane's thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

"He stated that he successfully commanded the system he had accessed to issue the 'CLB' or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," said the affidavit, signed by F.B.I. agent Mike Hurley.

Roberts also told the agents he hacked into airplane networks and was able "to monitor traffic from the cockpit system."

According to the search warrant application, Roberts said he hacked into the systems by accessing the in-flight entertainment system using his laptop and an Ethernet cable.

Wired has more.

This makes the FBI's behavior much more reasonable. They weren't scanning the Twitter feed for random keywords; they were watching his account.

We don't know if the FBI's statements are true, though. But if Roberts was hacking an airplane while sitting in the passenger seat, that is a stupid thing to do.

From the Christian Science Monitor:

But Roberts' statements and the FBI's actions raise as many questions as they answer. For Roberts, the question is why the FBI is suddenly focused on years-old research that has long been part of the public record.

"This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, 'This has to be fixed,'" Roberts noted. "Is there a credible threat? Is something happening? If so, they're not going to tell us," he said.

Roberts isn't the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.

"I would like to see a transcript (of the interviews)," said one former federal computer crimes prosecutor, speaking on condition of anonymity. "If he did what he said he did, why is he not in jail? And if he didn't do it, why is the FBI saying he did?"

The real issue is that the avionics and the entertainment system are on the same network. That's an even stupider thing to do. Also last month, I wrote about the risks of hacking airplanes, and said that I wasn't all that worried about it. Now I'm more worried.

Planet DebianSimon Josefsson: Scrypt in IETF

Colin Percival and I have worked on an internet-draft on scrypt for some time. I realize now that the -00 draft was published over two years ago, turning this effort today somewhat into archeology rather than rocket science. Still, having a published RFC that is easy to refer to from other Internet protocols will hopefully help to establish the point that PBKDF2 alone no longer provides state-of-the-art protection for password hashing.

I have written about password hashing before where I give a quick introduction to the basic concepts in the context of the well-known PBKDF2 algorithm. The novelty in scrypt is that it is designed to combat brute force and hardware accelerated attacks on hashed password databases. Briefly, scrypt expands the password and salt (using PBKDF2 as a component) and then uses that to create a large array (typically tens or hundreds of megabytes) using the Salsa20 core hash function and then de-references that large array in a random and sequential pattern. There are three parameters to the scrypt function: a CPU/Memory cost parameter N (varies, typical values are 16384 or 1048576), a blocksize parameter r (typically 8), and a parallelization parameter p (typically a low number like 1 or 16). The process is described in the draft, and there are further discussions in Colin’s original scrypt paper.

The document has been stable for some time, and we are now asking for it to be published. Thus now is good time to provide us with feedback on the document. The live document on gitlab is available if you want to send us a patch.
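
As an added illustration, not code from the draft or from the post, the following Python uses hashlib.scrypt (present when Python is built against OpenSSL 1.1 or later) to show the three parameters in use and how the memory cost follows from N and r. The storage format, the function names and the 1 MiB maxmem slack are this example's own choices; the N=16, r=1, p=1 vector checked in the accompanying test is the first test vector from RFC 7914, the published form of this draft.

```python
import base64
import hashlib
import hmac
import os

# Parameters as named in the draft: N (CPU/memory cost, a power of two),
# r (block size), p (parallelisation).  2**14 / 8 / 1 is the smaller of the
# two typical N values the post mentions; its array is 128 * N * r = 16 MiB.
DEFAULT_N, DEFAULT_R, DEFAULT_P = 2 ** 14, 8, 1
DKLEN = 32  # bytes of derived key to store


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Size of the large array scrypt fills and then reads back: 128 * N * r."""
    return 128 * n * r


def scrypt_raw(password: bytes, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    """hashlib.scrypt with maxmem sized from the parameters.

    OpenSSL refuses to run unless its working set (128*r*(N+2) for the array
    plus 128*r*p for the blocks) fits under maxmem.  The library default of
    32 MiB is too small for N = 2**20, so the cap is computed here (the 1 MiB
    slack is this example's choice).
    """
    maxmem = 128 * r * (n + p + 2) + (1 << 20)
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=dklen)


def hash_password(password: str, *, n=DEFAULT_N, r=DEFAULT_R, p=DEFAULT_P) -> str:
    """Hash a password for storage.

    The parameters travel with the record ("$scrypt$N$r$p$salt$hash", a
    format chosen for this example), so they can be raised later without
    invalidating existing records.
    """
    salt = os.urandom(16)
    dk = scrypt_raw(password.encode("utf-8"), salt, n, r, p, DKLEN)
    return "$scrypt${}${}${}${}${}".format(
        n, r, p,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # malformed record
        return False
    got = scrypt_raw(password.encode("utf-8"), salt, n, r, p, len(expected))
    return hmac.compare_digest(got, expected)


def needs_rehash(stored: str, *, n=DEFAULT_N, r=DEFAULT_R, p=DEFAULT_P) -> bool:
    """True if the record was made with weaker parameters than current policy."""
    try:
        _, scheme, sn, sr, sp, _, _ = stored.split("$")
        return scheme != "scrypt" or (int(sn), int(sr), int(sp)) < (n, r, p)
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password(record, "correct horse battery staple"))
    print("array for N=2**20, r=8:", scrypt_memory_bytes(2 ** 20, 8) // 2 ** 20, "MiB")
```

Storing N, r and p beside the hash is what lets `needs_rehash` drive a transparent upgrade at the next successful login, which is how a deployment keeps up as hardware gets cheaper.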

Planet DebianRitesh Raj Sarraf: Lenovo Yoga 2 13 with Debian

I recently acquired a Lenovo Yoga 2 13. While, at the time, the Yoga 3 was available, I decided to go for Yoga 2 13. The Yoga 3 comes with the newer Core M Broadwell family, which, in my opinion, doesn't really bring any astounding benefits.

The Yoga 2 13 comes in multiple variants worldwide. In fact, these hardware variations have different effects when run under Linux.

My variant of Yoga 2 13 is:

CPU: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz

RAM: 8 GiB - Occupying 2 slots

Memory Controller Information
        Supported Interleave: One-way Interleave
        Current Interleave: One-way Interleave
        Maximum Memory Module Size: 8192 MB
        Maximum Total Memory Size: 16384 MB
Handle 0x0006, DMI type 6, 12 bytes
Handle 0x0007, DMI type 6, 12 bytes

The usual PCI devices:

rrs@learner:~$ lspci
00:00.0 Host bridge: Intel Corporation Haswell-ULT DRAM Controller (rev 0b)
00:02.0 VGA compatible controller: Intel Corporation Haswell-ULT Integrated Graphics Controller (rev 0b)
00:03.0 Audio device: Intel Corporation Haswell-ULT HD Audio Controller (rev 0b)
00:14.0 USB controller: Intel Corporation 8 Series USB xHCI HC (rev 04)
00:16.0 Communication controller: Intel Corporation 8 Series HECI #0 (rev 04)
00:1b.0 Audio device: Intel Corporation 8 Series HD Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 8 Series PCI Express Root Port 4 (rev e4)
00:1d.0 USB controller: Intel Corporation 8 Series USB EHCI #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation 8 Series LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 8 Series SATA Controller 1 [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 8 Series SMBus Controller (rev 04)
01:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter
17:37 ♒♒♒   ☺    

And the storage devices

Device Model:     WDC WD5000M22K-24Z1LT0-SSHD-16GB

Device Model:     KINGSTON SM2280S3120G



The drive runs into serious performance problems when its SSHD's NCQ (mis)feature is under use in Linux <= 4.0.

[28974.232550] ata2.00: configured for UDMA/133
[28974.232565] ahci 0000:00:1f.2: port does not support device sleep
[28983.680955] ata1.00: exception Emask 0x10 SAct 0x7fffffff SErr 0x400100 action 0x6 frozen
[28983.681000] ata1.00: irq_stat 0x08000000, interface fatal error
[28983.681027] ata1: SError: { UnrecovData Handshk }
[28983.681052] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681082] ata1.00: cmd 61/40:00:b8:84:88/05:00:0a:00:00/40 tag 0 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.681152] ata1.00: status: { DRDY }
[28983.681171] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681202] ata1.00: cmd 61/40:08:f8:89:88/05:00:0a:00:00/40 tag 1 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.681271] ata1.00: status: { DRDY }
[28983.681289] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681316] ata1.00: cmd 61/40:10:38:8f:88/05:00:0a:00:00/40 tag 2 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.681387] ata1.00: status: { DRDY }
[28983.681407] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681435] ata1.00: cmd 61/40:18:78:94:88/05:00:0a:00:00/40 tag 3 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697642] ata1.00: status: { DRDY }
[28983.697643] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697646] ata1.00: cmd 61/40:c8:38:65:88/05:00:0a:00:00/40 tag 25 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697647] ata1.00: status: { DRDY }
[28983.697648] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697651] ata1.00: cmd 61/40:d0:78:6a:88/05:00:0a:00:00/40 tag 26 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697651] ata1.00: status: { DRDY }
[28983.697652] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697656] ata1.00: cmd 61/40:d8:b8:6f:88/05:00:0a:00:00/40 tag 27 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697657] ata1.00: status: { DRDY }
[28983.697658] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697661] ata1.00: cmd 61/40:e0:f8:74:88/05:00:0a:00:00/40 tag 28 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697662] ata1.00: status: { DRDY }
[28983.697663] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697666] ata1.00: cmd 61/40:e8:38:7a:88/05:00:0a:00:00/40 tag 29 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697667] ata1.00: status: { DRDY }
[28983.697668] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697672] ata1.00: cmd 61/40:f0:78:7f:88/05:00:0a:00:00/40 tag 30 ncq 688128 out
                        res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697672] ata1.00: status: { DRDY }
[28983.697676] ata1: hard resetting link
[28984.017356] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[28984.022612] ata1.00: configured for UDMA/133
[28984.022740] ata1: EH complete
[28991.611732] Suspending console(s) (use no_console_suspend to debug)
[28992.183822] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
[28992.186569] sd 1:0:0:0: [sdb] Stopping disk
[28992.186604] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[28992.189594] sd 0:0:0:0: [sda] Stopping disk
[28992.967426] PM: suspend of devices complete after 1351.349 msecs
[28992.999461] PM: late suspend of devices complete after 31.990 msecs
[28993.000058] ehci-pci 0000:00:1d.0: System wakeup enabled by ACPI
[28993.000306] xhci_hcd 0000:00:14.0: System wakeup enabled by ACPI
[28993.016463] PM: noirq suspend of devices complete after 16.978 msecs
[28993.017024] ACPI: Preparing to enter system sleep state S3
[28993.017349] PM: Saving platform NVS memory
[28993.017357] Disabling non-boot CPUs ...
[28993.017389] intel_pstate CPU 1 exiting
[28993.018727] kvm: disabling virtualization on CPU1
[28993.019320] smpboot: CPU 1 is now offline
[28993.019646] intel_pstate CPU 2 exiting

In the interim, to overcome this problem, we can force the device to run in degraded mode. I'm not sure if it is really the degraded mode, or the device was falsely advertised as a 6 GiB capable device. Time will tell, but for now, force it to run in 3 GiB mode, and so far, I haven't run into the above-mentioned problems. To force 3 GiB speed, apply the following.

rrs@learner:~$ cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-4.0.4+ root=/dev/mapper/sdb_crypt ro cgroup_enable=memory swapaccount=1 rootflags=data=writeback libata.force=1:3 quiet
16:42 ♒♒♒   ☺    

And then verify it... As you can see below, I've forced it for ata1 because I want my SSD drive to run at full-speed. I've done enough I/O, which earlier resulted in the kernel spitting the SATA errors. With this workaround, the kernel does not spit any error messages.

[    1.273365] libata version 3.00 loaded.
[    1.287290] ahci 0000:00:1f.2: AHCI 0001.0300 32 slots 4 ports 6 Gbps 0x3 impl SATA mode
[    1.288238] ata1: FORCE: PHY spd limit set to 3.0Gbps
[    1.288240] ata1: SATA max UDMA/133 abar m2048@0xb051b000 port 0xb051b100 irq 41
[    1.288242] ata2: SATA max UDMA/133 abar m2048@0xb051b000 port 0xb051b180 irq 41
[    1.288244] ata3: DUMMY
[    1.288245] ata4: DUMMY
[    1.606971] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
[    1.607906] ata1.00: ATA-9: WDC WD5000M22K-24Z1LT0-SSHD-16GB, 02.01A03, max UDMA/133
[    1.607910] ata1.00: 976773168 sectors, multi 0: LBA48 NCQ (depth 31/32), AA
[    1.608856] ata1.00: configured for UDMA/133
[    1.609106] scsi 0:0:0:0: Direct-Access     ATA      WDC WD5000M22K-2 1A03 PQ: 0 ANSI: 5
[    1.927167] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[    1.928980] ata2.00: ATA-8: KINGSTON SM2280S3120G, S8FM06.A, max UDMA/133
[    1.928983] ata2.00: 234441648 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
[    1.929616] ata2.00: configured for UDMA/133

And the throughput you get out of your WD SATA SSHD drive, with capability set to 3.0 GiB is:

rrs@learner:/media/SSHD/tmp$ while true; do dd if=/dev/zero of=foo.img bs=1M count=20000; sync; rm -rf foo.img; sync; done
20000+0 records in
20000+0 records out
20971520000 bytes (21 GB) copied, 202.014 s, 104 MB/s
20000+0 records in
20000+0 records out
20971520000 bytes (21 GB) copied, 206.111 s, 102 MB/s

Hannes Reinecke has submitted patches for NCQ enhancements, for Linux 4.1, which I hope will resolve these problems. Another option is to disable NCQ for the drive, or else blacklist the make/model in drivers/ata/libata-core.c.

By the time I finished this blog entry draft, I had tests to conclude that this did not look like an NCQ problem. Because in degraded mode too, it runs with NCQ enabled (check above).
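
To check whether the libata.force limit actually took and whether the NCQ write errors have stopped, the following POSIX shell and awk script (an added example, not from the post) summarises kernel log lines per ATA port. The sample lines it runs on in `demo_report` are copied from the log excerpts above; `sata_link_report` and `demo_report` are names chosen here.

```sh
#!/bin/sh
# Summarise libata link state from kernel log text: for each ATA port, the
# negotiated link speed, any libata.force PHY speed limit, and how many
# "interface fatal error" / failed NCQ write commands were logged.
# Usage: dmesg | sata_link_report     (or: sata_link_report < kern.log)
sata_link_report() {
    awk '
    # Ports are reported in order of first appearance so output is stable.
    function port_of(line,    p) {
        if (!match(line, /ata[0-9]+/)) return ""
        p = substr(line, RSTART, RLENGTH)
        if (!(p in seen)) { seen[p] = 1; order[++n] = p }
        return p
    }
    /FORCE: PHY spd limit set to [0-9.]+Gbps/ {
        p = port_of($0)
        match($0, /set to [0-9.]+Gbps/)
        forced[p] = substr($0, RSTART + 7, RLENGTH - 7)
    }
    /SATA link up [0-9.]+ Gbps/ {
        p = port_of($0)
        match($0, /link up [0-9.]+ Gbps/)
        s = substr($0, RSTART + 8, RLENGTH - 8); sub(/ /, "", s)
        link[p] = s            # last negotiation wins (links get reset)
    }
    /interface fatal error/              { fatal[port_of($0)]++ }
    /failed command: WRITE FPDMA QUEUED/ { ncqfail[port_of($0)]++ }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "%s link=%s forced=%s fatal=%d ncq_write_failures=%d\n", p,
                (p in link) ? link[p] : "unknown",
                (p in forced) ? forced[p] : "none",
                fatal[p] + 0, ncqfail[p] + 0
        }
    }'
}

# Sample input assembled from the log excerpts in the post: a forced 3.0 Gbps
# limit on ata1, the SSD on ata2 at 6.0 Gbps, and a burst of NCQ write
# failures on ata1 before the link reset.
demo_report() {
    sata_link_report <<'EOF'
[    1.288238] ata1: FORCE: PHY spd limit set to 3.0Gbps
[    1.606971] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
[    1.927167] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[28983.681000] ata1.00: irq_stat 0x08000000, interface fatal error
[28983.681052] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681171] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681289] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697676] ata1: hard resetting link
EOF
}

demo_report
```

A zero `fatal` and `ncq_write_failures` count for the port after a period of heavy I/O is the observation the post relies on; a non-zero count with `forced=3.0Gbps` would mean the speed limit alone is not the fix.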

rrs@learner:~$ sudo fstrim -vv /media/SSHD
/media/SSHD: 268.2 GiB (287930949632 bytes) trimmed
16:58 ♒♒♒   ☺    

rrs@learner:~$ sudo fstrim -vv /
[sudo] password for rrs:
/: 64 GiB (68650749952 bytes) trimmed
16:56 ♒♒♒   ☺    

Another interesting feature of this drive is support for TRIM / DISCARD. This drive's FTL accepts the TRIM command. Of course, you need to ensure that you have discard enabled in all the layers. In my case, SATA + Device Mapper (Crypt and LVM) + File System (ext4).


The overall display of this device is amazing. It is large enough to give you a vibrant look. At 1920x1080 resolution, things look good. The display support was available out-of-the-box.

There were some suspend / resume hangs that occurred with kernels < 4.x. The issue was root caused and fixed for Linux 4.0.

You may still notice the following kernel messages, though not problematic to me so far.

[28977.518114] PM: thaw of devices complete after 3607.979 msecs
[28977.590389] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.590582] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.591095] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.591185] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.591368] acpi device:30: Cannot transition to power state D3cold for parent in (unknown)
[28977.591911] pci_bus 0000:01: Allocating resources
[28977.591933] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.592093] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.592401] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment

You may need to disable the Intel Management Engine Interface (mei.ko), in case you run into suspend/resume problems.

rrs@learner:/media/SSHD/tmp$ cat /etc/modprobe.d/intel-mei-blacklist.conf
blacklist mei
blacklist mei-me
17:01 ♒♒♒   ☺    

You may also run into the following Kernel Oops during suspend/resume. Below, you see 2 iterations of sleep because it first hibernates and then sleeps (s2both).

[  180.470206] Syncing filesystems ... done.
[  180.473337] Freezing user space processes ... (elapsed 0.001 seconds) done.
[  180.475210] PM: Marking nosave pages: [mem 0x00000000-0x00000fff]
[  180.475213] PM: Marking nosave pages: [mem 0x0006f000-0x0006ffff]
[  180.475215] PM: Marking nosave pages: [mem 0x00088000-0x000fffff]
[  180.475220] PM: Marking nosave pages: [mem 0x97360000-0x97b5ffff]
[  180.475274] PM: Marking nosave pages: [mem 0x9c36f000-0x9cffefff]
[  180.475356] PM: Marking nosave pages: [mem 0x9d000000-0xffffffff]
[  180.476877] PM: Basic memory bitmaps created
[  180.477003] PM: Preallocating image memory... done (allocated 380227 pages)
[  180.851800] PM: Allocated 1520908 kbytes in 0.37 seconds (4110.56 MB/s)
[  180.851802] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
[  180.853355] Suspending console(s) (use no_console_suspend to debug)
[  180.853520] wlan0: deauthenticating from c4:6e:1f:d0:67:26 by local choice (Reason: 3=DEAUTH_LEAVING)
[  180.864159] cfg80211: Calling CRDA to update world regulatory domain
[  181.172222] PM: freeze of devices complete after 319.294 msecs
[  181.196080] ------------[ cut here ]------------
[  181.196124] WARNING: CPU: 3 PID: 3707 at drivers/gpu/drm/i915/intel_display.c:7904 hsw_enable_pc8+0x659/0x7c0 [i915]()
[  181.196125] SPLL enabled
[  181.196159] Modules linked in: rfcomm ctr ccm bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bridge stp llc xt_conntrack iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_CHECKSUM xt_tcpudp iptable_mangle ip_tables x_tables nls_utf8 nls_cp437 vfat fat rtsx_usb_ms memstick snd_hda_codec_hdmi joydev mousedev hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_iio_common iTCO_wdt iTCO_vendor_support hid_multitouch x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm btusb hid_sensor_hub bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops
[  181.196203]  videobuf2_core v4l2_common videodev media pcspkr evdev mac_hid arc4 psmouse serio_raw efivars i2c_i801 rtl8723be btcoexist rtl8723_common rtl_pci rtlwifi mac80211 snd_soc_rt5640 cfg80211 snd_soc_rl6231 snd_hda_codec_realtek i915 snd_soc_core snd_hda_codec_generic ideapad_laptop ac snd_compress dw_dmac sparse_keymap drm_kms_helper rfkill battery dw_dmac_core snd_hda_intel snd_pcm_dmaengine snd_soc_sst_acpi snd_hda_controller video 8250_dw regmap_i2c snd_hda_codec drm snd_hwdep snd_pcm spi_pxa2xx_platform i2c_designware_platform soc_button_array snd_timer i2c_designware_core snd i2c_algo_bit soundcore shpchp lpc_ich button processor fuse ipv6 autofs4 ext4 crc16 jbd2 mbcache btrfs xor raid6_pq algif_skcipher af_alg dm_crypt dm_mod sg usbhid sd_mod rtsx_usb_sdmmc rtsx_usb crct10dif_pclmul
[  181.196220]  crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common thermal fan thermal_sys hwmon i2c_hid hid i2c_core sdhci_acpi sdhci mmc_core gpio_lynxpoint
[  181.196224] CPU: 3 PID: 3707 Comm: kworker/u16:7 Tainted: G           O    4.0.4+ #14
[  181.196225] Hardware name: LENOVO 20344/INVALID, BIOS 96CN29WW(V1.15) 10/16/2014
[  181.196230] Workqueue: events_unbound async_run_entry_fn
[  181.196233]  0000000000000000 ffffffffa0706f68 ffffffff81522198 ffff880064debc88
[  181.196235]  ffffffff8106c5b1 ffff880251460000 ffff880250f83b68 ffff880250f83b78
[  181.196237]  ffff880250f83800 0000000000000001 ffffffff8106c62a ffffffffa071407c
[  181.196238] Call Trace:
[  181.196248]  [<ffffffff81522198>] ? dump_stack+0x40/0x50
[  181.196251]  [<ffffffff8106c5b1>] ? warn_slowpath_common+0x81/0xb0
[  181.196254]  [<ffffffff8106c62a>] ? warn_slowpath_fmt+0x4a/0x50
[  181.196278]  [<ffffffffa06ae349>] ? hsw_enable_pc8+0x659/0x7c0 [i915]
[  181.196289]  [<ffffffffa0643ee0>] ? intel_suspend_complete+0xe0/0x6e0 [i915]
[  181.196300]  [<ffffffffa0644501>] ? i915_drm_suspend_late+0x21/0x90 [i915]
[  181.196311]  [<ffffffffa0644690>] ? i915_pm_poweroff_late+0x40/0x40 [i915]
[  181.196318]  [<ffffffff813fa7ba>] ? dpm_run_callback+0x4a/0x100
[  181.196321]  [<ffffffff813fb010>] ? __device_suspend_late+0xa0/0x180
[  181.196324]  [<ffffffff813fb10e>] ? async_suspend_late+0x1e/0xa0
[  181.196326]  [<ffffffff8108b973>] ? async_run_entry_fn+0x43/0x160
[  181.196330]  [<ffffffff81083a5d>] ? process_one_work+0x14d/0x3f0
[  181.196332]  [<ffffffff81084463>] ? worker_thread+0x53/0x480
[  181.196334]  [<ffffffff81084410>] ? rescuer_thread+0x300/0x300
[  181.196338]  [<ffffffff81089191>] ? kthread+0xc1/0xe0
[  181.196341]  [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180
[  181.196346]  [<ffffffff81527898>] ? ret_from_fork+0x58/0x90
[  181.196349]  [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180
[  181.196350] ---[ end trace 8e339004db298838 ]---
[  181.220094] PM: late freeze of devices complete after 47.936 msecs
[  181.220972] PM: noirq freeze of devices complete after 0.875 msecs
[  181.221577] ACPI: Preparing to enter system sleep state S4
[  181.221886] PM: Saving platform NVS memory
[  181.222702] Disabling non-boot CPUs ...
[  181.222731] intel_pstate CPU 1 exiting
[  181.224041] kvm: disabling virtualization on CPU1
[  181.224680] smpboot: CPU 1 is now offline
[  181.225121] intel_pstate CPU 2 exiting
[  181.226407] kvm: disabling virtualization on CPU2
[  181.227025] smpboot: CPU 2 is now offline
[  181.227441] intel_pstate CPU 3 exiting
[  181.227728] Broke affinity for irq 19
[  181.227747] Broke affinity for irq 41
[  181.228771] kvm: disabling virtualization on CPU3
[  181.228793] smpboot: CPU 3 is now offline
[  181.229624] PM: Creating hibernation image:
[  181.563651] PM: Need to copy 379053 pages
[  181.563655] PM: Normal pages needed: 379053 + 1024, available pages: 1697704
[  182.472910] PM: Hibernation image created (379053 pages copied)
[  181.232347] PM: Restoring platform NVS memory
[  181.233171] Enabling non-boot CPUs ...
[  181.233246] x86: Booting SMP configuration:
[  181.233248] smpboot: Booting Node 0 Processor 1 APIC 0x1
[  181.246771] kvm: enabling virtualization on CPU1
[  181.249339] CPU1 is up
[  181.249389] smpboot: Booting Node 0 Processor 2 APIC 0x2
[  181.262313] kvm: enabling virtualization on CPU2
[  181.264853] CPU2 is up
[  181.264903] smpboot: Booting Node 0 Processor 3 APIC 0x3
[  181.277831] kvm: enabling virtualization on CPU3
[  181.280317] CPU3 is up
[  181.288471] ACPI: Waking up from system sleep state S4
[  182.340655] PM: noirq thaw of devices complete after 0.637 msecs
[  182.378087] PM: early thaw of devices complete after 37.428 msecs
[  182.378436] rtlwifi: rtlwifi: wireless switch is on
[  182.451021] rtc_cmos 00:01: System wakeup disabled by ACPI
[  182.697575] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
[  182.697617] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[  182.699248] ata1.00: configured for UDMA/133
[  182.699911] ata2.00: configured for UDMA/133
[  182.699917] ahci 0000:00:1f.2: port does not support device sleep
[  186.059539] PM: thaw of devices complete after 3685.338 msecs
[  186.134292] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  186.134479] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  186.134992] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  186.135080] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  186.135266] acpi device:30: Cannot transition to power state D3cold for parent in (unknown)
[  186.135950] pci_bus 0000:01: Allocating resources
[  186.135974] pcieport 0000:00:1c.0: bridge window [mem 0x00100000-0x000fffff 64bit pref] to [bus 01] add_size 200000
[  186.135980] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  186.136049] pcieport 0000:00:1c.0: res[15]=[mem 0x00100000-0x000fffff 64bit pref] get_res_add_size add_size 200000
[  186.136072] pcieport 0000:00:1c.0: BAR 15: assigned [mem 0x9fb00000-0x9fcfffff 64bit pref]
[  186.136174] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  186.136490] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  199.454497] Suspending console(s) (use no_console_suspend to debug)
[  200.024190] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
[  200.024356] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[  200.025359] sd 1:0:0:0: [sdb] Stopping disk
[  200.028701] sd 0:0:0:0: [sda] Stopping disk
[  201.106085] PM: suspend of devices complete after 1651.336 msecs
[  201.106591] ------------[ cut here ]------------
[  201.106628] WARNING: CPU: 0 PID: 3725 at drivers/gpu/drm/i915/intel_display.c:7904 hsw_enable_pc8+0x659/0x7c0 [i915]()
[  201.106628] SPLL enabled
[  201.106656] Modules linked in: rfcomm ctr ccm bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bridge stp llc xt_conntrack iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_CHECKSUM xt_tcpudp iptable_mangle ip_tables x_tables nls_utf8 nls_cp437 vfat fat rtsx_usb_ms memstick snd_hda_codec_hdmi joydev mousedev hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_iio_common iTCO_wdt iTCO_vendor_support hid_multitouch x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm btusb hid_sensor_hub bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops
[  201.106694]  videobuf2_core v4l2_common videodev media pcspkr evdev mac_hid arc4 psmouse serio_raw efivars i2c_i801 rtl8723be btcoexist rtl8723_common rtl_pci rtlwifi mac80211 snd_soc_rt5640 cfg80211 snd_soc_rl6231 snd_hda_codec_realtek i915 snd_soc_core snd_hda_codec_generic ideapad_laptop ac snd_compress dw_dmac sparse_keymap drm_kms_helper rfkill battery dw_dmac_core snd_hda_intel snd_pcm_dmaengine snd_soc_sst_acpi snd_hda_controller video 8250_dw regmap_i2c snd_hda_codec drm snd_hwdep snd_pcm spi_pxa2xx_platform i2c_designware_platform soc_button_array snd_timer i2c_designware_core snd i2c_algo_bit soundcore shpchp lpc_ich button processor fuse ipv6 autofs4 ext4 crc16 jbd2 mbcache btrfs xor raid6_pq algif_skcipher af_alg dm_crypt dm_mod sg usbhid sd_mod rtsx_usb_sdmmc rtsx_usb crct10dif_pclmul
[  201.106711]  crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common thermal fan thermal_sys hwmon i2c_hid hid i2c_core sdhci_acpi sdhci mmc_core gpio_lynxpoint
[  201.106714] CPU: 0 PID: 3725 Comm: kworker/u16:25 Tainted: G        W  O    4.0.4+ #14
[  201.106715] Hardware name: LENOVO 20344/INVALID, BIOS 96CN29WW(V1.15) 10/16/2014
[  201.106720] Workqueue: events_unbound async_run_entry_fn
[  201.106723]  0000000000000000 ffffffffa0706f68 ffffffff81522198 ffff880064dd7c88
[  201.106725]  ffffffff8106c5b1 ffff880251460000 ffff880250f83b68 ffff880250f83b78
[  201.106727]  ffff880250f83800 0000000000000002 ffffffff8106c62a ffffffffa071407c
[  201.106728] Call Trace:
[  201.106737]  [<ffffffff81522198>] ? dump_stack+0x40/0x50
[  201.106740]  [<ffffffff8106c5b1>] ? warn_slowpath_common+0x81/0xb0
[  201.106742]  [<ffffffff8106c62a>] ? warn_slowpath_fmt+0x4a/0x50
[  201.106765]  [<ffffffffa06ae349>] ? hsw_enable_pc8+0x659/0x7c0 [i915]
[  201.106776]  [<ffffffffa0643ee0>] ? intel_suspend_complete+0xe0/0x6e0 [i915]
[  201.106786]  [<ffffffffa0644501>] ? i915_drm_suspend_late+0x21/0x90 [i915]
[  201.106797]  [<ffffffffa0644690>] ? i915_pm_poweroff_late+0x40/0x40 [i915]
[  201.106802]  [<ffffffff813fa7ba>] ? dpm_run_callback+0x4a/0x100
[  201.106805]  [<ffffffff813fb010>] ? __device_suspend_late+0xa0/0x180
[  201.106809]  [<ffffffff813fb10e>] ? async_suspend_late+0x1e/0xa0
[  201.106811]  [<ffffffff8108b973>] ? async_run_entry_fn+0x43/0x160
[  201.106813]  [<ffffffff81083a5d>] ? process_one_work+0x14d/0x3f0
[  201.106815]  [<ffffffff81084463>] ? worker_thread+0x53/0x480
[  201.106818]  [<ffffffff81084410>] ? rescuer_thread+0x300/0x300
[  201.106821]  [<ffffffff81089191>] ? kthread+0xc1/0xe0
[  201.106824]  [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180
[  201.106827]  [<ffffffff81527898>] ? ret_from_fork+0x58/0x90
[  201.106830]  [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180
[  201.106832] ---[ end trace 8e339004db298839 ]---
[  201.130052] PM: late suspend of devices complete after 23.960 msecs
[  201.130725] ehci-pci 0000:00:1d.0: System wakeup enabled by ACPI
[  201.130885] xhci_hcd 0000:00:14.0: System wakeup enabled by ACPI
[  201.146986] PM: noirq suspend of devices complete after 16.930 msecs
[  201.147591] ACPI: Preparing to enter system sleep state S3
[  201.147942] PM: Saving platform NVS memory
[  201.147948] Disabling non-boot CPUs ...
[  201.147999] intel_pstate CPU 1 exiting
[  201.149324] kvm: disabling virtualization on CPU1
[  201.149337] smpboot: CPU 1 is now offline
[  201.149640] intel_pstate CPU 2 exiting
[  201.151096] kvm: disabling virtualization on CPU2
[  201.151108] smpboot: CPU 2 is now offline
[  201.152017] intel_pstate CPU 3 exiting
[  201.153250] kvm: disabling virtualization on CPU3
[  201.153256] smpboot: CPU 3 is now offline
[  201.156229] ACPI: Low-level resume complete
[  201.156307] PM: Restoring platform NVS memory
[  201.160033] CPU0 microcode updated early to revision 0x1c, date = 2014-07-03
[  201.160190] Enabling non-boot CPUs ...
[  201.160241] x86: Booting SMP configuration:
[  201.160243] smpboot: Booting Node 0 Processor 1 APIC 0x1
[  201.172665] kvm: enabling virtualization on CPU1
[  201.174982] CPU1 is up
[  201.175013] smpboot: Booting Node 0 Processor 2 APIC 0x2
[  201.187569] CPU2 microcode updated early to revision 0x1c, date = 2014-07-03
[  201.188796] kvm: enabling virtualization on CPU2
[  201.191130] CPU2 is up
[  201.191158] smpboot: Booting Node 0 Processor 3 APIC 0x3
[  201.203297] kvm: enabling virtualization on CPU3
[  201.205679] CPU3 is up
[  201.210414] ACPI: Waking up from system sleep state S3
[  201.224617] ehci-pci 0000:00:1d.0: System wakeup disabled by ACPI
[  201.332523] xhci_hcd 0000:00:14.0: System wakeup disabled by ACPI
[  201.332634] PM: noirq resume of devices complete after 121.623 msecs
[  201.372718] PM: early resume of devices complete after 40.058 msecs
[  201.372892] rtlwifi: rtlwifi: wireless switch is on
[  201.373270] sd 0:0:0:0: [sda] Starting disk
[  201.373271] sd 1:0:0:0: [sdb] Starting disk
[  201.445954] rtc_cmos 00:01: System wakeup disabled by ACPI
[  201.692510] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[  201.694719] ata2.00: configured for UDMA/133
[  201.694724] ahci 0000:00:1f.2: port does not support device sleep
[  201.836724] usb 2-4: reset high-speed USB device number 2 using xhci_hcd
[  201.890158] psmouse serio1: synaptics: queried max coordinates: x [..5702], y [..4730]
[  201.930768] psmouse serio1: synaptics: queried min coordinates: x [1242..], y [1124..]
[  202.076784] usb 2-5: reset full-speed USB device number 3 using xhci_hcd
[  202.205100] usb 2-5: ep 0x2 - rounding interval to 64 microframes, ep desc says 80 microframes
[  202.316799] usb 2-7: reset full-speed USB device number 5 using xhci_hcd
[  202.444945] usb 2-7: No LPM exit latency info found, disabling LPM.
[  202.556817] usb 2-8: reset full-speed USB device number 6 using xhci_hcd
[  202.908691] usb 2-6: reset high-speed USB device number 4 using xhci_hcd
[  203.932602] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
[  204.044890] ata1.00: configured for UDMA/133
[  206.228698] PM: resume of devices complete after 4855.892 msecs
[  206.380738] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.383152] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.385775] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.388066] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.390415] acpi device:30: Cannot transition to power state D3cold for parent in (unknown)
[  206.393078] pci_bus 0000:01: Allocating resources
[  206.393098] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.395470] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.397927] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[  206.518516] Restarting kernel threads ... done.
[  206.518812] PM: Basic memory bitmaps freed
[  206.518816] Restarting tasks ... done.

There is one more occasional Kernel Oops (below), which I believe again has to do with Intel.

[ 8770.745396] ------------[ cut here ]------------
[ 8770.745441] WARNING: CPU: 0 PID: 7206 at drivers/gpu/drm/i915/intel_display.c:9756 intel_check_page_flip+0xd2/0xe0 [i915]()
[ 8770.745444] Kicking stuck page flip: queued at 466186, now 466191
[ 8770.745445] Modules linked in: cpuid rfcomm ctr ccm bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bridge stp llc xt_conntrack iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_CHECKSUM xt_tcpudp iptable_mangle ip_tables x_tables nls_utf8 nls_cp437 vfat fat rtsx_usb_ms memstick snd_hda_codec_hdmi joydev mousedev hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_iio_common iTCO_wdt iTCO_vendor_support hid_multitouch x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm btusb hid_sensor_hub bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops
[ 8770.745484]  videobuf2_core v4l2_common videodev media pcspkr evdev mac_hid arc4 psmouse serio_raw efivars i2c_i801 rtl8723be btcoexist rtl8723_common rtl_pci rtlwifi mac80211 snd_soc_rt5640 cfg80211 snd_soc_rl6231 snd_hda_codec_realtek i915 snd_soc_core snd_hda_codec_generic ideapad_laptop ac snd_compress dw_dmac sparse_keymap drm_kms_helper rfkill battery dw_dmac_core snd_hda_intel snd_pcm_dmaengine snd_soc_sst_acpi snd_hda_controller video 8250_dw regmap_i2c snd_hda_codec drm snd_hwdep snd_pcm spi_pxa2xx_platform i2c_designware_platform soc_button_array snd_timer i2c_designware_core snd i2c_algo_bit soundcore shpchp lpc_ich button processor fuse ipv6 autofs4 ext4 crc16 jbd2 mbcache btrfs xor raid6_pq algif_skcipher af_alg dm_crypt dm_mod sg usbhid sd_mod rtsx_usb_sdmmc rtsx_usb crct10dif_pclmul
[ 8770.745536]  crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common thermal fan thermal_sys hwmon i2c_hid hid i2c_core sdhci_acpi sdhci mmc_core gpio_lynxpoint
[ 8770.745561] CPU: 0 PID: 7206 Comm: icedove Tainted: G        W  O    4.0.4+ #14
[ 8770.745563] Hardware name: LENOVO 20344/INVALID, BIOS 96CN29WW(V1.15) 10/16/2014
[ 8770.745565]  0000000000000000 ffffffffa0706f68 ffffffff81522198 ffff88025f203dc8
[ 8770.745569]  ffffffff8106c5b1 ffff880250f83800 ffff880254dcc000 0000000000000000
[ 8770.745572]  0000000000000000 0000000000000000 ffffffff8106c62a ffffffffa0709d50
[ 8770.745575] Call Trace:
[ 8770.745577]  <IRQ>  [<ffffffff81522198>] ? dump_stack+0x40/0x50
[ 8770.745592]  [<ffffffff8106c5b1>] ? warn_slowpath_common+0x81/0xb0
[ 8770.745595]  [<ffffffff8106c62a>] ? warn_slowpath_fmt+0x4a/0x50
[ 8770.745616]  [<ffffffffa06a0bb3>] ? __intel_pageflip_stall_check+0x113/0x120 [i915]
[ 8770.745634]  [<ffffffffa06af042>] ? intel_check_page_flip+0xd2/0xe0 [i915]
[ 8770.745652]  [<ffffffffa067cde1>] ? ironlake_irq_handler+0x2e1/0x1010 [i915]
[ 8770.745657]  [<ffffffff81092d1a>] ? check_preempt_curr+0x5a/0xa0
[ 8770.745663]  [<ffffffff812d66c2>] ? timerqueue_del+0x22/0x70
[ 8770.745668]  [<ffffffff810bb7d5>] ? handle_irq_event_percpu+0x75/0x190
[ 8770.745672]  [<ffffffff8101b945>] ? read_tsc+0x5/0x10
[ 8770.745676]  [<ffffffff810bb928>] ? handle_irq_event+0x38/0x50
[ 8770.745680]  [<ffffffff810be841>] ? handle_edge_irq+0x71/0x120
[ 8770.745685]  [<ffffffff810153bd>] ? handle_irq+0x1d/0x30
[ 8770.745689]  [<ffffffff8152a866>] ? do_IRQ+0x46/0xe0
[ 8770.745694]  [<ffffffff8152866d>] ? common_interrupt+0x6d/0x6d
[ 8770.745695]  <EOI>  [<ffffffff8152794d>] ? system_call_fastpath+0x16/0x1b
[ 8770.745701] ---[ end trace 8e339004db29883a ]---


In my case, the laptop came with the Realtek Wireless device (details above in lspci output). Note: The machine has no wired interface.

While the Intel Wifi devices shipped with this laptop have their own share of problems, this device (rtl8723be) works out of the box. But only for a while. There is no certain pattern on what triggers the bug, but once triggered, the network just freezes. Nothing is logged.

If your Yoga 2 13 came with the RTL chip, the following workaround may help avoid the network issues.

rrs@learner:/media/SSHD/tmp$ cat /etc/modprobe.d/rtl8723be.conf
options rtl8723be fwlps=0


Almost every boot, eventually, the kernel reports MCE errors. Not something I understand well, but so far, it hasn't caused any visible issues. And from what I have googled so far, nobody seems to have fixed it anywhere.

So, with fingers crossed, let's just hope this never translates into a real problem.

What the kernel reports of the CPU's capabilities.

[    0.041496] mce: CPU supports 7 MCE banks
[  299.540930] mce: [Hardware Error]: Machine check events logged

The MCE logs extracted from the buffer.

mcelog: failed to prefill DIMM database from DMI data
Hardware event. This is not a software error.
MISC 38a0000086 ADDR fef81880
TIME 1432455005 Sun May 24 13:40:05 2015
MCG status:
MCi status:
Error overflow
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ee0000000040110a MCGSTATUS 0
CPUID Vendor Intel Family 6 Model 69
Hardware event. This is not a software error.
MISC 78a0000086 ADDR fef81780
TIME 1432455005 Sun May 24 13:40:05 2015
MCG status:
MCi status:
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ae0000000040110a MCGSTATUS 0
CPUID Vendor Intel Family 6 Model 69
Hardware event. This is not a software error.
MISC 38a0000086 ADDR fef81880
TIME 1432455114 Sun May 24 13:41:54 2015
MCG status:
MCi status:
Error overflow
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ee0000000040110a MCGSTATUS 0
CPUID Vendor Intel Family 6 Model 69
Hardware event. This is not a software error.
MISC 78a0000086 ADDR fef81780
TIME 1432455114 Sun May 24 13:41:54 2015
MCG status:
MCi status:
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ae0000000040110a MCGSTATUS 0
CPUID Vendor Intel Family 6 Model 69
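As an added illustration, not part of the original post, the lines mcelog prints above can be recovered directly from the STATUS values by decoding the IA32_MCi_STATUS bit layout documented in the Intel SDM (Vol. 3, Machine-Check Architecture chapter): the flag bits in 63..55, and in the low 16 bits the compound cache-hierarchy error code 0000 0001 RRRR TTLL with the "corrected filtering" F bit at bit 12. The two status values are the ones from the log; the identifiers (STATUS_FLAGS, decode_status and so on) are this example's own, not kernel or mcelog code.

```python
# Added example: decode the IA32_MCi_STATUS values that mcelog printed above.
# Bit positions follow the Intel SDM Vol. 3 Machine-Check Architecture chapter;
# all identifiers here are the example's own, not kernel or mcelog code.

STATUS_FLAGS = {
    63: "VAL (status register valid)",
    62: "OVER (error overflow)",
    61: "UC (uncorrected error)",
    60: "EN (error reporting enabled)",
    59: "MISCV (MCi_MISC register valid)",
    58: "ADDRV (MCi_ADDR register valid)",
    57: "PCC (processor context corrupt)",
    56: "S (signalled via #MC)",
    55: "AR (action required)",
}

# Sub-fields of the compound cache-hierarchy error code: 0000 0001 RRRR TTLL.
LEVEL = {0: "Level-0", 1: "Level-1", 2: "Level-2", 3: "Level-Generic"}
TRANSACTION = {0: "Instruction", 1: "Data", 2: "Generic", 3: "Reserved"}
REQUEST = {0: "Generic", 1: "Read", 2: "Write", 3: "Data-Read", 4: "Data-Write",
           5: "Instruction-Fetch", 6: "Prefetch", 7: "Eviction", 8: "Snoop"}


def decode_flags(status):
    """Names of the set flag bits (63..55) of an MCi_STATUS value, high bit first."""
    return [name for bit, name in sorted(STATUS_FLAGS.items(), reverse=True)
            if (status >> bit) & 1]


def decode_error_code(status):
    """Interpret the MCA error code in bits 15..0.

    Bit 12 is the F (corrected filtering) bit that mcelog reports as
    "corrected filtering (some unreported errors in same region)".  Only the
    cache-hierarchy compound code (bit 8 set, bits 11..9 clear) is expanded;
    anything else is returned raw.
    """
    code = status & 0xFFFF
    filtered = bool(code & 0x1000)
    base = code & 0x0FFF
    if base >> 8 == 0x1:
        level = LEVEL[base & 0x3]
        transaction = TRANSACTION[(base >> 2) & 0x3]
        request = REQUEST.get((base >> 4) & 0xF, "Reserved")
        return {
            "kind": "cache hierarchy",
            "level": level,
            "transaction": transaction,
            "request": request,
            "filtered": filtered,
            # Same wording mcelog uses, e.g. "Generic CACHE Level-2 Generic Error"
            "description": "%s CACHE %s %s Error" % (request, level, transaction),
        }
    return {"kind": "other", "raw": hex(code), "filtered": filtered}


def decode_status(status):
    """Full decode of one IA32_MCi_STATUS register value."""
    return {
        "flags": decode_flags(status),
        "model_specific": (status >> 16) & 0xFFFF,   # bits 31..16
        "other_info": (status >> 32) & 0x3F,         # bits 37..32
        "corrected_count": (status >> 38) & 0x7FFF,  # bits 52..38
        "error": decode_error_code(status),
    }


if __name__ == "__main__":
    # The two STATUS values from the mcelog output above.
    for value in (0xEE0000000040110A, 0xAE0000000040110A):
        d = decode_status(value)
        print("STATUS %016x" % value)
        for flag in d["flags"]:
            print("  " + flag)
        print("  " + d["error"]["description"])
```

Running it reproduces mcelog's reading: both values carry UC, PCC, MISCV and ADDRV with EN clear, the first additionally OVER, and the low bits 0x110a decode to a generic request against the level-2 cache with the filtering bit set. The ADDR values in the log (0xfef81880, 0xfef81780) are what ADDRV says is valid, so they are the next thing to look at when correlating repeated events.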



Planet DebianSteve McIntyre: Easier installation of Jessie on the Applied Micro X-Gene

As shipped, Debian Jessie (8.0) did not include kernel support for the USB controller on APM X-Gene based machines like the Mustang. In fact, at the time of writing this that support has not yet gone upstream into the mainline Linux kernel either but patches have been posted by Mark Langsdorf from Red Hat.

This means that installing Debian is more awkward than it could be on these machines. They don't have optical drives fitted normally, so the neat isohybrid CD images that we have made in Debian so far won't work very well at all. Booting via UEFI from a USB stick will work, but then the installer won't be able to read from the USB stick at all and you're stuck. :-( The best way so far for installing Debian is to do a network installation using tftp etc.

Well, until now... :-)

I've patched the Debian Jessie kernel, then re-built the installer and a netinst image to use them. I've put a copy of that image up at with more instructions on how to use it. I'm just submitting the patch for inclusion into the Jessie stable kernel, hopefully ready to go into the 8.1 point release.

Worse Than FailureCodeSOD: Recruiting Desperation

When hiring programmers, recruiters will often try to be “clever”. Sometimes, this results in a memorable trick, like EA Canada’s job posting billboard.

EA Canada billboard which reads: char msg = {78,111,119,32,72,105,114,105,110,103,0};

Other times, these stunts don’t go nearly as well. Andrea recently got this job posting from a recruiter. Note, they’re hiring for a PHP job.

using System;
using Php;

namespace agency
    class Senior Developer
        static readonly uint THRESHOLD = 5;

        static uint Question(string text)
            Console.WriteLine(text + " [y/N]");
            string answer = Console.ReadLine();
            return answer != null && answer.Equals("y") ? 1U : 0U;

        static void Main()
            string[] questionTexts =
                "Looking for a new challenge?",
                "Want to work in the heart of London?",
                "Do you enjoy solving hard problems efficiently and creatively in PHP?",
                "Would you like to work where you can make a difference?",
                "Want to work on building the latest interfaces with HTML, CSS & JavaScript used by millions of people?",
                "Would you like to know more?"
            uint score = questionTexts.Aggregate<string, uint>(0, (current, text) => current + Question(text));
            Console.WriteLine(score > THRESHOLD
                                  ? @"Contact today"

There’s so much to hate here. Using C# code as a way to hire PHP candidates is bad enough, the fact that they’re hiring PHP developers is arguably worse (I wouldn’t wish PHP on my worst enemy), but this code wouldn’t even compile.

I also have to wonder, do they think they’re being clever? Or maybe they think that they’re somehow weeding out candidates who couldn’t figure out how to apply because they’ve encapsulated the job posting in code, thus making it impenetrable to the normal run of man?


Planet DebianAndrew Cater: CI20 - MIPS dev. board - first impressions.

Annoyingly, I've bought one of these just before the form factor changes and it becomes a nice square board.

Up and running immediately out of the box, which is nice.

The kernel supplied on NAND flash is recent enough that it supports CONFIG_FHANDLE which is needed for the upgrade to Jessie.

The instructions for Jessie upgrade are straightforward and appear to be working correctly: they also suggest apt-get autoremove and apt-get autoclean to clean up which is a very nice touch.

The sources.list in apt was already pointing to my country's Debian mirror which was even nicer.

Quite a good experience immediately from unboxing: it also adds to the number of machine architectures I've run Debian on:
alpha, amd64, arm, armel, armhf, i386, sparc - not bad for a start.

It's a bit slow - but it's a SoC, so what can you expect? The PowerVR graphics demos were spectacular but the drivers are very definitely non-free - you can't have everything.

[I do notice that there is an FSF-friendly Debian variant, though not yet certified as such - presumably not including PowerVR drivers]

(Lots of occurrences of the word "nice" in this post that I've just noticed. It's either understatement or just that I'm British)


Planet DebianJonathan McDowell: Stepping down from SPI

I was first elected to the Software in the Public Interest board back in 2009. I was re-elected in 2012. This July I am up for re-election again. For a variety of reasons I’ve decided not to stand; mostly a combination of the fact that I think 2 terms (6 years) is enough in a single stretch and an inability to devote as much time to the organization as I’d like. I mentioned this at the May board meeting. I’m planning to stay involved where I can.

My main reason for posting this here is to cause people to think about whether they might want to stand for the board. Nominations open on July 1st and run until July 13th. The main thing you need to absolutely commit to is being able to attend the monthly board meeting, which is held on IRC at 20:30 UTC on the second Thursday of the month. They tend to last at most 30 minutes. Of course there’s a variety of tasks that happen in the background, such as answering queries from prospective associated projects or discussing ongoing matters on the membership or board lists depending on circumstances.

It’s my firm belief that SPI do some very important work for the Free software community. Few people realise the wide variety of associated projects. SPI offload the boring admin bits around accepting donations and managing project assets (be those machines, domains, trademarks or whatever), leaving those projects able to concentrate on the actual technical side of things. Most project members don’t realise the involvement of SPI, and that’s largely a good thing as it indicates the system is working. However it also means that there can sometimes be a lack of people wanting to stand at election time, and an absence of diversity amongst the candidates.

I’m happy to answer questions of anyone who might consider standing for the board; #spi on is a good place to ask them - I am there as Noodles.

Krebs on SecuritySt. Louis Federal Reserve Suffers DNS Breach

The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the DNS records for the institution's domains. The attack redirected Web requests for a variety of domains run by the government entity to Web pages set up by the attackers, in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office.

The communique, shared by an anonymous source, was verified as legitimate by a source at another regional Federal Reserve location.

The notice from the St. Louis Fed stated that “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s website, including webpages for FRED, FRASER, GeoFRED and ALFRED.”

Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator.

The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.”

The statement continues:

“These risks apply to individuals who attempted to access the St. Louis Fed’s website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password.

The St. Louis Fed’s website itself was not compromised.

“Out of an abundance of caution, we wanted to alert you to this issue, and also make you aware that the next time you log into your user account, you will be asked to change your password. In addition, in the event that your user name and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique and different password for each of your user accounts on the Internet. Click to change your user account password now.”

According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data.

FRASER stands for the Federal Reserve Archival System for Economic Research, and reportedly contains links to scanned images (PDF format) of historic economic statistical publications, releases, and documents including the annual Economic Report of the President. Coverage starts with the 19th and early 20th century for some economic and banking reports.

According to the Federal Reserve, GeoFred allows authorized users to create, customize, and share geographical maps of data found in FRED.

ALFRED, short for ArchivaL Federal Reserve Economic Data, allows users to retrieve vintage versions of economic data that were available on specific dates in history.

The St. Louis Federal Reserve is one of twelve regional Fed organizations, and serves banks located in all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee. According to the reserve’s Web site, it also serves most of eastern Missouri and southern Illinois.

No information is available at this time about the attackers involved in this intrusion, but given the time lag between this event and today’s disclosure it seems likely that it is related to state-sponsored hacking activity from a foreign adversary. If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal. This is likely to be a fast-moving story. More updates as they become available.
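An added example, my own code rather than anything from the article or from the St. Louis Fed: the manipulation the advisory describes changes what the DNS vendor answers for the Bank's names, so the defender's check is to compare the answers a resolver returns against an out-of-band baseline of the expected delegation, address netblocks and mail exchangers. The domain names, netblocks and "observed" answers below are constructed placeholders; a real run would feed in answers collected from a resolver (for example parsed dig output) from more than one vantage point.

```python
# Added example: compare observed DNS answers against an out-of-band baseline.
# Names, netblocks and "observed" answers are constructed for illustration.
import ipaddress

# What the defender expects, kept somewhere the DNS vendor cannot edit.
# Hypothetical names: the nameserver and mail hosts are placeholders.
BASELINE = {
    "www.example.org": {
        "NS": {"ns1.dnsvendor.example", "ns2.dnsvendor.example"},
        "A": ["192.0.2.0/24"],            # netblocks the name may resolve into
        "MX": {"mail.example.org"},
    },
    "data.example.org": {
        "NS": {"ns1.dnsvendor.example", "ns2.dnsvendor.example"},
        "A": ["192.0.2.0/24"],
        "MX": {"mail.example.org"},
    },
}


def check_name(name, observed, expected):
    """Findings for one name as (record type, name, offending value) tuples."""
    findings = []
    # Delegation: an unexpected NS means the parent zone now points elsewhere.
    for ns in sorted(set(observed.get("NS", ())) - expected["NS"]):
        findings.append(("NS", name, ns))
    # Addresses: every A answer must lie inside an allowed netblock; an answer
    # outside it is how a look-alike page gets served under the genuine name.
    allowed = [ipaddress.ip_network(n) for n in expected["A"]]
    for ip in sorted(observed.get("A", ())):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            findings.append(("A", name, ip))
    # Mail: a changed MX reroutes inbound mail without touching the web site.
    for mx in sorted(set(observed.get("MX", ())) - expected.get("MX", set())):
        findings.append(("MX", name, mx))
    return findings


def check_all(observed_by_name, baseline=BASELINE):
    """Run check_name over every baselined name; a missing name is a finding too."""
    findings = []
    for name, expected in baseline.items():
        if name not in observed_by_name:
            findings.append(("MISSING", name, None))
            continue
        findings.extend(check_name(name, observed_by_name[name], expected))
    return findings


# Constructed answers: the first name is as expected, the second has been
# repointed outside the organisation's netblock and had its MX swapped.
OBSERVED = {
    "www.example.org": {
        "NS": {"ns1.dnsvendor.example", "ns2.dnsvendor.example"},
        "A": {"192.0.2.10"},
        "MX": {"mail.example.org"},
    },
    "data.example.org": {
        "NS": {"ns1.dnsvendor.example", "ns2.dnsvendor.example"},
        "A": {"198.51.100.77"},
        "MX": {"mx.attacker.example"},
    },
}

if __name__ == "__main__":
    for rtype, name, value in check_all(OBSERVED):
        print("ALERT %-7s %-18s %s" % (rtype, name, value))
```

Two design points: the baseline has to live outside the DNS vendor's control, since the vendor account is exactly what was manipulated here, and the check is only as good as the resolvers it queries, so it should be run from several networks and compared with the vendor's own authoritative servers rather than a single cache. Sudden TTL drops on otherwise stable names are worth alerting on as well, since an attacker who wants a short-lived redirect to propagate quickly will lower them.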

Planet DebianDaniel Pocock: Free and open WebRTC for the Fedora Community

In January 2014, we launched the service for the Debian community. An equivalent service has been in testing for the Fedora community at

Some key points about the Fedora service:

  • The web front-end is just HTML, CSS and JavaScript. PHP is only used for account creation, the actual WebRTC experience requires no server-side web framework, just a SIP proxy.
  • The web code is all available in a Github repository so people can extend it.
  • Anybody who can authenticate against the FedOAuth OpenID is able to get a test account immediately.
  • The server is built entirely with packages from CentOS 7 + EPEL 7, except for the SIP proxy itself. The SIP proxy is reSIProcate, which is available as a Fedora package and builds easily on RHEL / CentOS.

Testing it with WebRTC

Create an RTC password and then log in. Other users can call you. It is federated, so people can also call from or from

Testing it with other SIP softphones

You can use the RTC password to connect to the SIP proxy from many softphones, including Jitsi or Lumicall on Android.

Copy it

The process to replicate the server for another domain is entirely described in the Real-Time Communications Quick Start Guide.

Discuss it

The FreeRTC mailing list is a great place to discuss any issues involving this site or free RTC in general.

WebRTC opportunities expanding

Just this week, the first batch of Firefox OS televisions are hitting the market. Every one of these is a potential WebRTC client that can interact with free communications platforms.

Krebs on SecurityStarbucks Hacked? No, But You Might Be

When it comes to reporting on breaches involving customer accounts at major brands, the news media overall deserves an F-minus. Hardly a week goes by when I don’t hear from readers about a breathless story proclaiming that yet another household brand name company has been hacked. Upon closer inspection, the stories usually are based on little more than anecdotal evidence from customers who had their online loyalty or points accounts hijacked and then drained of value.

The latest example of this came last week from a story that was responsibly reported by Bob Sullivan, a former MSNBC journalist who’s since struck out on his own. Sullivan spoke with multiple consumers who’d seen their Starbucks card balances emptied and then topped up again.

Those customers had all chosen to tie their debit accounts to their Starbucks cards and mobile phones. Sullivan allowed in his story one logical explanation for the activity: These consumers had re-used their Starbucks account password at another site that got hacked, and attackers simply tried those account credentials en masse at other popular sites — knowing that a fair number of consumers use the same email address and password across multiple sites.

Following up on Sullivan’s story, the media pounced, suggesting that Starbucks had been compromised. In a written statement, Starbucks denied the unauthorized activity was the result of a hack or intrusion into its servers or mobile applications.

“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account,” the company wrote. “This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

In most cases, a flurry of fraudulent account activity targeting a major brand is preceded by postings on noob-friendly hacker forums about large numbers of compromised accounts for sale, and the publication of teachable “methods” for extracting value from said hacked accounts.


Unsurprisingly, we saw large numbers of compromised Starbucks accounts for sale in the days leading up to the initial story about the Starbucks fraud, as well as the usual “methods” explaining to clueless ne’er-do-wells about how to perpetrate fraud against hacked accounts. Here’s another noob-friendly thread explaining how to cash out compromised Subway accounts; how long until we read media reports shouting that Subway has been hacked?

To be sure, password re-use is a major problem, and it’s a core driver of fraud like this. Also, companies like Starbucks, Hilton Honors, Starwood and others certainly could be doing more — such as offering customers two-step authentication — to protect accounts. Indeed, as these recurring episodes show, affected brands take an image hit when customers have their accounts hijacked through password re-use, because the story inevitably devolves into allegations of a data breach at the brand involved.

But it works both ways: consumers who re-use passwords for sites holding their payment data are asking for trouble, and will get it eventually.
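An added example, not from the article, from Sullivan's report or from Starbucks: the pattern the company describes, credentials reused from other sites being tried against many accounts, shows up in an authentication log as one source cycling through many distinct usernames with a high failure rate, and the few successes from that source are precisely the accounts that need a forced reset. The log format, the addresses and the sample lines below are constructed; a real deployment would parse whatever the login service actually writes.

```python
# Added example: flag credential-stuffing sources in an authentication log and
# list the accounts they got into.  Log format and sample lines are constructed.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

ATTACKER = "203.0.113.9"   # constructed source address
SAMPLE_LOG = [
    "2015-05-13T09:59:40Z login src=198.51.100.5 user=alice result=fail",
    "2015-05-13T09:59:52Z login src=198.51.100.5 user=alice result=ok",
    "2015-05-13T10:03:10Z login src=198.51.100.6 user=bob result=ok",
    "2015-05-13T10:03:11Z audit something unrelated",
] + [
    # One source walking a list of leaked credentials: most fail, two succeed.
    "2015-05-13T10:00:%02dZ login src=%s user=u%02d result=%s"
    % (i, ATTACKER, i, "ok" if i in (3, 7) else "fail")
    for i in range(12)
]


def parse(lines):
    """Yield the fields of every line that matches the login format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_stuffing(lines, min_users=10, min_attempts=10, min_fail_ratio=0.7):
    """Return {src: stats} for sources that look like credential stuffing.

    A source is flagged when it tried at least min_users distinct usernames in
    at least min_attempts attempts and at least min_fail_ratio of them failed.
    The "hits" list holds the accounts that source logged into successfully:
    those are the ones to lock and reset, not just the failed ones.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ev in parse(lines):
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(ev["user"])
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if (len(s["users"]) >= min_users and s["attempts"] >= min_attempts
                and ratio >= min_fail_ratio):
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fails": s["fails"],
                "fail_ratio": round(ratio, 2),
                "hits": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing(SAMPLE_LOG).items():
        print("%s: %d users, %d/%d failed, compromised=%s"
              % (src, stats["distinct_users"], stats["fails"],
                 stats["attempts"], ", ".join(stats["hits"])))
```

Keying on the source address alone misses stuffing spread across a proxy pool, where each address tries only a handful of accounts; the same aggregation keyed on user agent, ASN or a fingerprint of the TLS handshake, plus a site-wide alert on a spike in failures spread over many distinct usernames, covers that case. Either way the successful logins from a flagged source are the evidence that the problem is reused passwords rather than a breach of the service itself.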

For helpful hints on picking strong passwords (or outsourcing that to third-party software and/or services), check out this primer. For further reading about how penny-ante punks exploit password re-use and trick media outlets into falsely reporting breaches, see How to Tell Data Leaks from Publicity Stunts.

Sociological ImagesHigher Black Mortality and the Outcome of Elections

Black people in the U.S. vote overwhelmingly Democratic. They also have, compared to Whites, much higher rates of infant mortality and lower life expectancy. Since dead people have lower rates of voting, that higher mortality rate might affect who gets elected. What would happen if Blacks and Whites had equal rates of staying alive?


The above figure is from the recent paper, “Black lives matter: Differential mortality and the racial composition of the U.S. electorate, 1970-2004,” by Javier Rodriguez, Arline Geronimus, John Bound and Danny Dorling.  A summary by Dean Robinson at The Monkey Cage summarizes the key finding.

between 1970 and 2004, Democrats would have won seven Senate elections and 11 gubernatorial elections were it not for excess mortality among blacks.

At Scatterplot, Dan Hirschman and others have raised some questions about the assumptions in the model. But more important than the methodological difficulties are the political and moral implications of this finding. The Monkey Cage account puts it this way:

given the differences between blacks and whites in their political agendas and policy views, excess black death rates weaken overall support for policies — such as antipoverty programs, public education and job training — that affect the social status (and, therefore, health status) of blacks and many non-blacks, too.

In other words, Black people being longer-lived and less poor would be antithetical to the policy preferences of Republicans. The unspoken suggestion is that Republicans know this and will oppose programs that increase Black health and decrease Black poverty in part for the same reasons that they have favored incarceration and permanent disenfranchisement of people convicted of felonies.

That’s a bit extreme. More stringent requirements for registration and felon disenfranchisement are, like the poll taxes of an earlier era, directly aimed at making it harder for poor and Black people to vote. But Republican opposition to policies that would increase the health and well-being of Black people is probably not motivated by a desire for high rates of Black mortality and thus fewer Black voters. After all, Republicans also generally oppose abortion. But, purely in electoral terms, reducing mortality, like reducing incarceration, would not be good for Republicans.

Cross-posted at Montclair SocioBlog.

Jay Livingston is the chair of the Sociology Department at Montclair State University. You can follow him at Montclair SocioBlog or on Twitter.


Planet Linux AustraliaBinh Nguyen: Learning to Cook

I recently noticed a significant spike in traffic to this blog and it's become pretty obvious why. The food recipes... If you're curious why they've been going up online, I'm a firm believer in the following philosophy.
Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)

Seriously though, I have a tendency to lose things sometimes and thought that posting it here would be my best chance of never losing them. Since it needed to be presented in public it would also mean that it would force me into writing more complete recipes rather than simply scrawling down whatever seemed pertinent at the time. (I never thought that I would be presented with opportunities through this. More on this later.)

In spite of all this, you're probably wondering why the recipes lack a bit of detail still and how I ended up with this particular style of cooking.

As you can guess from my name, I have an Asian (Vietnamese to be more precise) background. Growing up I learnt that our cooking was often extremely tedious, required a lot of preparation, tasted great but often didn't fill me. Ultimately, this meant that my family wanted me to spend less time helping in the kitchen and more time tending to my studies. To a certain extent, this family policy has served us well. Many of the kids are well educated and have done well professionally.

The problem is that if you've ever worked a standard week over any period of time then you ultimately realise that a lot of the time you don't want to spend heaps of time cooking, whether for yourself or for others (this style doesn't work long term).

This is where I radically differ from my family. Many of them see cooking as a necessary chore (who wants to die, right? :-)) and they labour over it or else they love it with such a passion that they lose sight of the fact that there's only 24 hours in a day (there are/have been some professional chefs in the family). Ultimately, they end up wearing themselves out day after day but I've learnt to strip back recipes to their core flavours so that I can cook decent tasting food in reasonable amounts of time.

Like others, I went through multiple phases from a culinary perspective. As a child I loved to eat most things thrown at me (but my family didn't want me in the kitchen). In my teenage years, I used to enjoy and revel in fast and fatty foods but basically grew out of it as I discovered that it wasn't all that filling and could result in poor health. Just like the protagonist of 'Supersize Me' I found out that some of my bodily functions didn't work quite as well on this particular diet.

Eating out was much the same because they often added unhealthy elements to meals (high levels of MSG, sugar, salt, etc... to boost the taste). Not to mention the fact that serving sizes could sometimes be low and prices relatively high. I basically had no choice but to learn to cook for myself. In the beginning, I began trying to reproduce restaurant meals badly. I didn't have the repertoire to be able to reproduce and balance flavours well enough to do a half decent job. Over time, I spent more time exploring cheap restaurants, diners, etc... around where I studied and/or worked. I also watched, read, and in general spent more time in the grocer just trying random sauces, spices, and so on... I developed a sense of flavour and how to achieve them from base ingredients.

This is why none of the recipes contain exact amounts of ingredients (at the moment). It's also because that was the way I learnt to cook (I was taught a bit by some of my aunts), some of the lesser talented members of the family had a tendency to fiddle constantly so listing amounts was basically useless, some people (family or not) aren't willing to share ingredients so you just have to figure it out when and if you have to, and finally I figured out that it was the easiest way for me to learn to cook. When you look at a recipe, you're often doing mental arithmetic in order to make it 'taste right'. By developing a better sense of taste I could mostly forgo this and not have to suffer the consequences of a mathematical screw up (it happened enough times in the family for me to learn to not become so reliant on it).

In general my perspectives with regard to food are the following:
  • kids will eventually learn what fills them and fast food will make them feel horrible. They will grow out of it and eat properly eventually if they are exposed to the right foods
  • rely on machinery when you can. Why waste your time cutting food perfectly if you can get it done in a fraction of the time using the right equipment?
  • why bother with perfection if you can achieve 95% of the taste with 50% of the apparent effort
  • I'd much rather spend time enjoying food than cooking it
  • prior to marinating any piece of meat I create the core sauce/marinade separately first and then add the meat. There's no chance of food poisoning and I get to have an idea what it will taste like
  • balance of flavours is more important than exact amounts over and over again. You may have a different preference from time to time also. Obviously, the converse is also true. Exact amounts give you a basis from which to work
  • don't think that more resources will make you a better chef. It's possible that the exact opposite is true at times. Think about the food of the wealthy versus that of the poor. The poor have to make the most of everything that is thrown at them, extracting every last single ounce of flavour from something small/cheap, while the wealthy can basically mix and match the very best each and every time. From a chef's perspective this means that they don't have the chance to understand flavours at a more elemental/core level
  • shop from specialist butchers, fishmongers, etc... they will often be able to get you unusual cuts/meats, have better knowledge, do extra things like cutting down large bones for soup stocks, and they are also often quite a bit cheaper
  • don't freeze if you can avoid it (or at least avoid freezing some foods). Some people I know use it as a technique to save time. For some dishes this is true but for others it can alter the actual structure (and sometimes taste; think about soups versus meats when they are thawed correctly and incorrectly) of the food involved, leaving it a mess when you finally prepare and eat it
  • fresh means fresh. Leave fish (and some meats) in the fridge for even a day after leaving the better/stable environment at a supermarket or fishmonger and it will begin to smell and taste slightly rank. This effect increases exponentially over time
  • try everything, whether that be sauces, spices, restaurants, cultures, etc... You will find cheap opportunities if you go to the right places and ultimately you will end up healthier (you learn that better tasting food is often healthier as well), happier (variety is the spice of life), and possibly wealthier because of it (you can save a lot by learning to cook well). The wider your vocabulary, the better your cooking will become...
  • balance of flavours is key. Even if you stuff up a recipe you can rescue it if you know enough about this. Added too much sugar? Use sourness to balance it out, etc...
  • don't learn from a single source. If you learn purely through celebrity chefs and books you'll realise that a lot of what they do is quite gimmicky. A lot of the ingredients that they use aren't very accessible, and are expensive, in spite of what they say. Use your head to strip the recipes back to core flavours to save you time and money (in procuring them)
  • learning to cook well will take time. Have patience. It took me a long while before I could build a sufficient 'vocabulary' before I could build dishes that were worth staying at home for. It took me more time to learn how to reverse engineer dishes at restaurants. Use every resource at your disposal (the Internet has heaps of free information, remember?).
On a side note, based on the contents of my blog (and other places) people have semi-regularly requested to write here and for me to write for them. I'm more than happy to do this providing I have the time and the task is interesting enough... on any topic.

Worse Than FailurePizza Hacker

...and at 10PM, see if the investigators can track a killer who hacks an online game and tricks children into delivering illegal weapons on the next episode of...

It was a quiet, lazy evening. Alan C. was in bed with his wife, getting his well deserved rest after a hectic week at work. Just as he picked up the remote to raise the volume, he was startled by a long, low growl.

"Hungry?" his wife muttered without opening her eyes.

"Guess so."

"No way I'm cooking anything today. Let's grab a pizza."

Alan sighed and picked up his laptop, looking for a pizza place nearby.

Mario's Pizza - the best pizza in town! the first Google result screamed at him. Order by phone or online!

Not wanting to disturb his half-asleep wife, he entered the website and clicked the big "ORDER ONLINE" button. After a few minutes of picking ingredients, sides, drinks, and sauces, he was ready to place his $50 order of "true Italian goodness". He scrolled down to the end of the form to submit it.

Then he scrolled up. Then he scrolled left, right, and sideways, but no matter where he looked, he couldn't proceed with his order. The submit button simply wasn't there.

But Alan wasn't a developer for nothing. A simple UI glitch wouldn't stand between him and his thin-crust treat. He fired up the console, opened the site's source, and typed:

<button type="submit">Give me my pizza!</button>

He hit the button, and was instantly taken to the confirmation page. Patting himself on the back for his cleverness, he returned to watching TV.

A few minutes later, his phone rang.

"Hello, it's Mario's Pizza, the best pizza in town," a dull woman's voice announced. "Your order's ready, but we're not able to deliver it to your location. Would you like to pick it up yourself?"

Alan checked the website for the pizzeria's address. Just five minutes from here. Well, if that's what it takes... "Okay. I'll be there soon."

The counter propped up a bored-looking waitress. In the back, a man with a thick moustache, curly hair, and apron tended the ovens. Otherwise, the pizza place was deserted.

Alan approached the counter and pulled out his wallet. "Hello, I'm here to pick up an online order."

"An... online order?" The quiet blonde stared at him with wide-open eyes, like a deer caught in headlights.

By the looks of it, she's never seen a customer before, Alan thought. "That's right."

"I'll... get it right now."

She retreated into the back and whispered something to the aproned man- who frowned and shooed her back out.

"Sir, we apologize, but the order seems to be... delayed," she said upon returning. "If you wouldn't mind having a seat..."

"No, not at all." Alan was getting annoyed with the situation, but decided to bite the bullet. After all, a good pizza is worth the wait.

A minute later, the shop door chimed. Two policemen entered, both sporting slight looks of confusion. One of them- a short, black youngster with thin-framed glasses- stepped behind the counter with the waitress to examine a computer monitor. The other- buzz-cut, muscular, a head taller than Alan- struggled to get through the small door frame.

The man in the back ran out, pointing at a surprised Alan. "There he is! Un criminale!" he yelled with an Italian accent far too over-the-top to be genuine. "Arrest him now!"

"Sir." The taller policeman sat down with Alan. "We've received a report of cyber crime."

"Excuse me?" Alan struggled to make sense of what was happening.

"According to the owner of this establishment-" the policeman pointed at the Italian "-a security breach occurred on his website about an hour ago. Our technician is investigating. In the meantime, we'd appreciate you telling us what you know."

"Um, I... okay, I guess?" Alan's mind kept drawing blanks. Maybe it's some hidden camera show? Like, you help out and you get a million dollars? "I used the website to place an order..."

"A-HA!" the owner screamed loud enough to knock both Alan and the policeman out of their chairs. "You admit! You criminale! You assassino! The webmaster took the website down today! Nobody can order anything!"

"But the website's up!" Alan cried in protest.

"It does seem to be working," the other policeman called from the monitor.

"But you can't order!" The owner rushed to the computer, clicked "ORDER ONLINE" and turned the monitor. "See? See?!"

Something in Alan's mind fell into place. "The form was broken! There was no submit button, so I worked around it."

"A criminal, and a shameless one to boot!" the owner cried.

"What?! I just added a button that wasn't there!" Alan cried. "Anybody could do it!"

"Um, if I may?" the officer at the computer- obviously the more technical of the pair- said.

Angry half-Italian screams drowned him out. "He hacked us! He changed our code!" the owner cried. "Arrest him!"

"Sir, I-"

"Come on, what am I paying taxes for?! Put him in jail! Him, his sons, his son's sons, and-"

"Sir, I advise you to drop the matter!" the technician finally managed.

"Drop it? Pigliainculo, vai e fot..."

"Sir," he continued, "if you don't drop the charges, we'll have to report this incident to the Internet Police."

"Report?" the owner repeated with a quiet and much more New York voice.

Alan was about to protest, but at the last moment decided it was probably wiser not to.

"There are strict standard security protocols for taking down US-based websites. They've gone shamelessly ignored here," the technician said. "That's a serious offense, carrying a maximum fine of up to $500,000."

"Five... hundred...!"

Alan did all he could not to burst out giggling.

"However... if you don't press charges, we don't file paperwork, and this all goes away," the technician said. "So? What'll it be?"

"No, no, of course, no charges, no! Free of charges! Pizza too, free of charge! Just go!" The owner motioned to the waitress to grab some boxes from the kitchen and shove them into Alan's hands.

As the doors closed behind them, Alan handed two of the boxes to the policemen. "Wow, I owe you two big time. Internet police? Really?"

"I've always wanted to say that." The technician smiled. "When you see how stupid people can be with security sometimes..."

"Well, it's a good thing they don't give them guns," the other policeman chuckled.

"We're done here," the technician said. "Be safe, and don't go around hacking pizzerias!"

"Don't worry, never again!" Alan said.

"Hey, what took you so long?" his wife asked from under the covers.

"Oh, nothing really. I just had a little chat with the owner," Alan said. "He said they had some... website problems."

"Let me guess, you fixed it for them. You're so easily sidetracked."

"Guess you can say that." Alan picked up a piece of pizza and grabbed the remote. It was five to ten, and he wasn't going to miss a single second of the show.


Cory DoctorowBruce Sterling’s introduction to the Italian edition of Little Brother

Italy’s Multiplayer Edizioni just launched a beautiful new Italian edition of Little Brother with an introduction by Bruce Sterling. It’s the second essay that Bruce has written for one of my books, and it’s my favorite — I was so pleased with it that I asked his permission to reproduce it here, which he’s graciously granted.

Big Brother and His Grandson

This is the second time I have written an introduction to a Cory Doctorow book. However, this is my first effort to explain Cory Doctorow to Italians.

It’s a complicated matter, but maybe not in ways that Italians would expect. Cory Doctorow is highly intelligent and likes elaborate, complex issues, but this book, “Little Brother,” is probably his simplest book. It was written for an audience of high school students. It’s a “young adult” novel: the hero is seventeen.

Our young hero is an idealist and rather unworldly, but he’s intelligent and he does know some unusual things, mostly about technology. He’s eager to explain what he knows. Our valiant student hero spends most of this book either learning or teaching. “Little Brother” is a didactic work of science fiction: it has almost as many well-informed lectures as a Jules Verne novel.

The book is about an American power struggle over electronics. There are two rival groups who both somehow imagine that digital technologies are theirs by right: hackers and the secret police.

Neither hackers nor the secret police have much interest in law, regulation, democracy or public opinion. They are both obsessed with computers and consider civilization to be something old, obsolete and in the way of their destiny. Unfortunately, though they have a lot in common, they despise each other. So, conflict abounds.

In this novel, there is a sabotage incident in San Francisco (near Silicon Valley, the epicenter of American electronics). The police immediately begin using all the electronic power they have covertly accumulated during the War on Terror. Our teenage hero, a hacker, decides to resist with various ingenious acts of electronic civil disobedience.

Of course, no teenager will defeat and abolish federal police services. His real aim is to break the false consciousness of the American population and make them understand that electronic outrages are being perpetrated in their name. Being a hacker, he naturally thinks that normal people will prefer hackers like himself to his enemies the spies. However, as we see in the book, the public is fickle.

This novel has a sequel novel called “Homeland.” When he fled the United States, the NSA informant Edward Snowden took the novel “Homeland” along with him for some leisure reading in exile. This demonstrates that, although this novel is science fiction, it’s concerned with genuine issues.

If you are Italian, you might assume that this book is about American domestic politics, and that Cory Doctorow is an American political partisan. Actually, Cory Doctorow is not American: he was born Canadian. He’s also British by marriage. He has a remarkably complicated heritage: his ancestors were Belarusian Jews and his father was born in a refugee camp in Azerbaijan. He’s very well-travelled — even his little seven year old daughter has seen Italy, Japan, Honduras and Iceland.

Cory Doctorow is an electronic activist with global awareness. Most of the incidents in this book have already happened in various parts of the world where hackers have struggled with police repression. His young hero is an American nationalist and patriot, but Cory is not. Cory is an activist and journalist, an acknowledged world expert in electronic network politics, digital economics and free expression.

Most people who are interested in electronic issues want to do something with it that favors their own situation. If they’re business people they want to profit. If they are spies they want to electronically spy. If they are religious they want to spread their gospel. If they’re military they’re interested in cyberwar. Cory Doctorow is well-known as a novelist, but he’s also well-known for abandoning the conventional literary publishing business. I’ve never known any man more at ease with the idea of expressing himself, with a computer, to a global audience, by whatever means are necessary. Cory Doctorow has a universal message, of sorts. Like the Internet, he’s heard and seen everywhere, but doesn’t belong anywhere.

This book is one of Cory’s most successful novels for, I think, a simple reason: it was written in a fit of passion. Cory is a very methodical writer and has severe work discipline. He’s a good researcher, and his fictional work tends to be cool and analytical. He knows how to program computers, and he’s rather good at confronting the glowing screen and arranging his texts in neat blocks.

When writing LITTLE BROTHER, however, Cory had been doing a lot of analytical study — his brain was, if anything, overburdened with the thousand details of electronic civil liberties issues. He had a lot to say, and he suddenly came up with the plot concept of a high-tech city stricken by public emergency.

Thanks to this dramatic arrangement, concepts that might seem arcane and tedious become headlong and exciting. It’s almost as crammed with fast drama as one of Jules Verne’s most successful novels, “Around the World in Eighty Days.” There’s a lot of telling, well-observed detail, but it reels by at fast speed because the characters are constantly struggling with emergencies.

Verne’s novel is like an eighty-day catalog of every possible crisis that could happen to a tourist. In the novel Little Brother, it’s as if every electronic problem in the whole world is happening to our hacker hero, all at once, in too tight a space, in too short a time.

“Little Brother” is, of course, an homage to George Orwell’s tyrannical spy “Big Brother” in the Orwell novel “1984.” Orwell’s dystopia has a languid, half-starved pace; there are cruel shortages everywhere, the clothes are ugly, the food is bad, the language is primitive and stupefying. “Little Brother” is very much of our own time: the pace is frantic, people grab fast food, there is too much of everything, the clothes are silly costumes, and everything is over-explained in five or ten different ways.

It’s not that one book is correct about the world, and another is not. Orwell’s book and Doctorow’s book share the clever technique of seeming “prophetic” by describing obscure tragedies that have already happened to real people.

To write “1984” George Orwell had to know a lot about the tyrannies of 1948. To write “Little Brother,” Cory Doctorow had to know a lot about the dark political underside of 2008, and Cory Doctorow knew plenty: enough to compile a bibliography and even to create hardware. The two books may not dress alike or talk alike, but one book really is the grandson of the other.

Planet DebianRaphaël Hertzog: Freexian’s report about Debian Long Term Support, April 2015

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In April, 81.75 work hours have been dispatched among 5 paid contributors (20.75 hours were unused hours of Ben and Holger that were re-dispatched to other contributors). Their reports are available:

Evolution of the situation

May has seen a small increase in terms of sponsored hours (66.25 hours per month) and June is going to do even better with at least a new gold sponsor. We will have no problems sustaining the increased workload it implies since three Debian developers joined the team of contributors paid by Freexian (Antoine Beaupré, Santiago Ruano Rincón, Scott Kitterman).

The Jessie release probably shed some light on the Debian LTS project since we announced that Jessie will benefit from 5 years of support. Let’s hope that the trend will continue in the following months and that we reach our first milestone of funding the equivalent of a half-time position.

In terms of security updates waiting to be handled, the situation is mixed: the dla-needed.txt file lists 28 packages awaiting an update (12 fewer than last month), while the list of open vulnerabilities in Squeeze shows about 60 affected packages in total (4 more than last month). The extra hours helped to make a good stride on the packages awaiting an update, but there are many new vulnerabilities waiting to be triaged.

Thanks to our sponsors

The new sponsors of the month are in bold.


Planet DebianDirk Eddelbuettel: random 0.2.4

A new release of our random package for truly (hardware-based) random numbers as provided by is now on CRAN.

The R 3.2.0 release brought the change to use an internal method="libcurl" which we are using if available; else the curl::curl() method added in release 0.2.3 is used. We are also a little more explicit about closing connections, and added really basic regression tests -- as it is hard to test hardware-based RNG draws.

Courtesy of CRANberries comes a diffstat report for this release. Current and previous releases are available here as well as on CRAN.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Planet DebianLunar: Reproducible builds: week 3 in Stretch cycle

What happened about the reproducible builds effort for this week:

Toolchain fixes

Tomasz Buchert submitted a patch to fix the currently overzealous package-contains-timestamped-gzip warning.

Daniel Kahn Gillmor identified #588746 as a source of unreproducibility for packages using python-support.

Packages fixed

The following 57 packages became reproducible due to changes in their build dependencies: antlr-maven-plugin, aspectj-maven-plugin, build-helper-maven-plugin, clirr-maven-plugin, clojure-maven-plugin, cobertura-maven-plugin, coinor-ipopt, disruptor, doxia-maven-plugin, exec-maven-plugin, gcc-arm-none-eabi, greekocr4gamera, haskell-swish, jarjar-maven-plugin, javacc-maven-plugin, jetty8, latexml, libcgi-application-perl, libnet-ssleay-perl, libtest-yaml-valid-perl, libwiki-toolkit-perl, libwww-csrf-perl, mate-menu, maven-antrun-extended-plugin, maven-antrun-plugin, maven-archiver, maven-bundle-plugin, maven-clean-plugin, maven-compiler-plugin, maven-ear-plugin, maven-install-plugin, maven-invoker-plugin, maven-jar-plugin, maven-javadoc-plugin, maven-processor-plugin, maven-project-info-reports-plugin, maven-replacer-plugin, maven-resources-plugin, maven-shade-plugin, maven-site-plugin, maven-source-plugin, maven-stapler-plugin, modello-maven-plugin1.4, modello-maven-plugin, munge-maven-plugin, ocaml-bitstring, ocr4gamera, plexus-maven-plugin, properties-maven-plugin, ruby-magic, ruby-mocha, sisu-maven-plugin, syncache, vdk2, wvstreams, xml-maven-plugin, xmlbeans-maven-plugin.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Ben Hutchings also improved and merged several changes submitted by Lunar to linux.

Currently untested because in contrib:

  • Dmitry Smirnov uploaded fheroes2-pkg/0+svn20150122r3274-2-2.

“Thanks to the reproducible-build team for running a buildd from hell.” — gregor herrmann

Mattia Rizzolo modified the script added last week to reschedule a package from Alioth; a reason can now be optionally specified.

Holger Levsen split the package sets page so each set now has its own page. He also added new sets for Java packages, Haskell packages, Ruby packages, debian-installer packages, Go packages, and OCaml packages.

Reiner Herrmann added locales-all to the set of packages installed in the build environment, as it is needed to properly identify variations due to the current locale.

Holger Levsen improved the scheduling so new uploads get tested sooner. He also changed the .json output that is used by to list FTBFS issues again, but only for issues unrelated to the toolchain or our test setup. Amongst many other small fixes and additions, the graph colors should now be more friendly to red-colorblind people.

The fix for pbuilder given in #677666 by Tim Landscheidt is now used. This fixed several FTBFS for OCaml packages.

Work on rebuilding with a different CPU has continued; a “kvm-on-kvm” build host has been set up for this purpose.

debbindiff development

Version 19 of debbindiff included a fix for a regression when handling info files.

Version 20 fixes a bug when diffing files with many differences toward a last line with no newlines. It also now uses the proper encoding when writing the text output to a pipe, and detects info files better.

Documentation update

Thanks to Santiago Vila, the unneeded -depth option used with find when fixing mtimes has been removed from the examples.
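Two of the normalisations this report mentions, the timestamped-gzip warning under “Toolchain fixes” and the mtime fix-up with find above, as an added shell example that is not code from the reproducible-builds project: `gzip -n` leaves the original name and modification time out of the gzip header so identical input compresses to identical bytes, and a plain `find ... -exec touch` clamps every mtime below a build tree to one reference time without needing `-depth`, since touch does not alter the tree find is walking. The reference timestamp (1430438400, i.e. 2015-05-01 00:00:00 UTC, standing in for SOURCE_DATE_EPOCH) and the sample files are constructed here; GNU coreutils and GNU gzip are assumed.

```shell
#!/bin/sh
# Added example (not from the Debian reproducible-builds report).
# Assumes GNU coreutils (touch -d "@N", stat -c %Y) and GNU gzip.

# Compress $1 into $2 with no file name and no timestamp in the gzip header,
# so two runs on identical content yield byte-identical archives.
gzip_reproducible() {
    gzip -n -c "$1" > "$2"
}

# Default gzip, kept only for contrast: it records the input's name and mtime,
# which is exactly what the package-contains-timestamped-gzip warning flags.
gzip_default() {
    gzip -c "$1" > "$2"
}

# Clamp the mtime of every file and directory below $1 that is newer than $2
# (seconds since the epoch) to exactly $2; older entries are left untouched.
# No -depth: touch changes timestamps only, never the structure find traverses.
clamp_mtimes() {
    dir=$1
    epoch=$2
    ref=$(mktemp)
    touch -d "@$epoch" -- "$ref"
    find "$dir" -newer "$ref" -exec touch -r "$ref" -- {} +
    rm -f -- "$ref"
}

# Print the newest mtime (epoch seconds) found anywhere below $1, so a clamped
# tree can be checked with a single comparison.
newest_mtime() {
    find "$1" -exec stat -c %Y -- {} + | sort -n | tail -n 1
}

# Demonstration on a constructed tree; everything lives in a temporary directory.
work=$(mktemp -d)
mkdir -p "$work/src/usr/share/doc/pkg"
printf 'Constructed changelog entry\n' > "$work/src/usr/share/doc/pkg/changelog"
gzip_reproducible "$work/src/usr/share/doc/pkg/changelog" "$work/changelog.gz"
clamp_mtimes "$work/src" 1430438400
echo "newest mtime below $work/src after clamping: $(newest_mtime "$work/src")"
rm -rf -- "$work"
```

Running `newest_mtime` on the tree before and after `clamp_mtimes` is a quick way to confirm that nothing in a build output post-dates the reference time; if the two values differ after clamping, some step is writing files after the normalisation ran.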

Package reviews

113 obsolete reviews have been removed this week while 77 has been added.

TEDFirst impressions: A TED salon on what we learn (and reveal) at first glance

Judith Donath looked at the many ways in which we can cheat first impressions. Photo: Ryan Lash/TED

Can we cheat at making a first impression? Judith Donath says yes, and in many ways. Photo: Ryan Lash/TED

First impressions are full of promise — and anxiety. On Tuesday night, five speakers in TED’s New York office shared a salon that explored the hidden opportunities, truths and humor in these split-second assumptions.

First up, NYU associate professor Adam Alter showed how exploiting a simple human trait could actually make us more generous. “We like things that remind of us of ourselves,” he says. There’s no shame in that — it’s why so many humans look like our dogs — and in fact, there’s opportunity. Alter’s research on what drives generosity revealed that people are more likely to donate to a fund for hurricane disaster relief if the first letter of the hurricane’s name matches the first letter of their own name. So a person named Richard is more likely to donate to a relief fund for Hurricane Rita. The fundraising hack he suggests? Instead of naming hurricanes in alphabetical order, as the National Weather Service does, name them according to the most common first-name initials in the United States: J, M, C and R. Alter suggests that this shift could spike philanthropy to the tune of $700 million.

Judith Donath studies our ability to construct perceptions of ourselves. Luxury car rentals, elevator shoes, buying twitter followers (who might be bots), we’ve come up with a thousand ways to fake a first impression. Online, it’s all about seeming, not being. And now that we’ve reached a reasonable level of artificial intelligence, when we’re not sure if the telemarketer on the phone is a robot or someone reading a script (as she reminds us, a Turing test doesn’t ask, “Can a machine be intelligent?,” but, “Can a machine seem intelligent?”) — Donath suggests it’s time to move beyond caring about construction and illusion online, and focus instead on the reality behind it.

Journalist and comedian Chris Colin charmed the audience with tips on how to turn small talk into smart conversation. Our favorite tips:

  1. Prompt for details. Instead of asking, “How was your day?” you might ask, “Tell me three things you did today.”
  2. If you’ve been asked a boring question, act like a politician and instead answer the question you wish had been asked.
  3. When you’re meeting a friend at a bar, get there 10 minutes early, turn off your phone and walk around the block – your brain will click into curious mode.

Next, slam poet Mahogany L. Browne riveted us with her spoken poem “This.” Her voice was rapid-fire and soaring, like a bird’s wings beating then floating on the updrafts: “I can’t hold this want / this now / this here / sprawled inside my chest / this black that I can’t separate from the breaking sunrise / this smile.”

Finally, designer Chip Kidd stood up to talk about his new TED Book, Judge This, a deep dive into the design of first impressions. Kidd himself likes design that is legible and clear. But, as a book jacket designer, Kidd also uses ambiguity and intrigue to entice readers to open a book up and learn more. He walked us through the thinking behind several of his book covers. One example: David Sedaris’ All the Beauty You Will Ever Need. “The title had nothing to do with anything in the book,” Kidd moaned. “It came to the author’s boyfriend in a dream.” Kidd wandered around New York City for days trying to come up with a visual for the title. He found his inspiration in a restaurant in Chinatown. “I was trying to think,” Kidd remembers, “where might I see a bit of mysterious text that seems to mean something but doesn’t?” The answer was right in front of him: a fortune cookie. The jacket design was born.

There are two ways to give a good first impression: with clarity and with mystery. Designer Chip Kidd looked at the assorted uses of both. Photo: Ryan Lash/TED

TED

Police on trial in Afghanistan, an 11-year-old’s jazz album, and literary insights from a Berlin birdhouse

Lots of happenings in the TED community this week. Below, some highlights.

Police on trial in Afghanistan. This week, Kimberley Motley represented the family of Farkhunda, a 27-year-old woman who was brutally murdered, in an Afghan court against 19 policemen who are accused of standing by while she was set on fire, run over and then thrown into the Kabul River. The trial, which is being broadcast live across Afghanistan, includes cell phone footage taken at the scene. “To see this young lady in a sea of men being abused and beaten and no one doing anything,” Motley says, “and to watch her trying to get up and pleading for her life was so gruesome. It is one of the worst things I have ever seen.” The outcome of the trial could have big implications for women in Afghanistan’s justice system. (Watch Kim’s TED Talk, “How I defend the rule of law.”)

A jazz prodigy releases his first album. 11-year-old jazz pianist Joey Alexander, who wowed the audience at TED2015, was profiled in The New York Times thanks to the release of his debut album, My Favorite Things. The article charts Alexander’s rise from being discovered three years ago in Indonesia to his breakout performance at a Jazz at Lincoln Center Gala last year. Joey’s secret to success? “Jazz is a hard music,” he says. “And you have to really work hard and also have fun performing; that’s the most important thing.” (Read about Joey’s TED2015 performance.)

Revelations in a Berlin birdhouse. In this week’s issue of The New Yorker, Kathryn Schulz visits a Berlin birdhouse with novelist Nell Zink. While taking in the Dr. Evil laugh of a kookaburra and noting that a bird with turquoise wings “looks like an Italian bathrobe,” Schulz gets a clearer view of Zink’s love for the unique, something that deeply informs her writing. Schulz also got a glimpse of Zink’s newest novel, Mislaid, about preteens who are navigating the complex nuances of sexuality in rural Virginia. (Watch Kathryn’s TED Talk, “Don’t regret regret.”)

Young designers on the cutting edge. Elaine Ng Yan Ling, a TED Fellow, has been named one of the 2015 Swarovski Designers of the Future. The award recognizes young designers who use bold processes and materials in their work. Winners will team up with Swarovski to produce works for Design Miami/Basel. (Read our interview with Elaine.)

The next generation of journalists. TED Fellow Will Potter has been selected as a Knight-Wallace Fellow at the University of Michigan. This year-long fellowship asks journalists to create their own personalized study plans. As Potter shared in a blog post, he’ll be exploring “how the War on Terror impacts whistleblowers and journalists.”  (Watch Will’s TED Talk, “The shocking move to criminalize nonviolent protests.”)

Have news to share? Write us at and you may see it included in this weekly round-up.

Geek Feminism

Quick Hit: The Word “Girl” in “Supergirl”

CBS has just released a “first look” teaser for the new Supergirl TV show, coming this fall. I’ve always frowned at the name “Supergirl” for an adult woman, finding it infantilizing. The teaser tries to address this:

News announcer on television: “Media Magnate Cat Grant, of National City’s new female hero: Supergirl.” (news channel displays “#Supergirl”)

Kara Danvers: “We can’t name her that.”

Cat Grant: “We … didn’t.”

Danvers: “Shouldn’t she be called Super…. woman?”

Grant: “What do you think is so bad about ‘girl’? I’m a girl. And your boss, and powerful, and rich, and hot, and smart. So if you perceive ‘Supergirl’ as anything less than excellent, isn’t the real problem you?”

Calista Flockhart plays an authoritative Cat Grant, a casting choice which itself implies (to me) a defense of the type of femininity Flockhart performed as Ally McBeal in her best-known role to date.

I don’t find Grant’s argument convincing, since my particular beef with the “girl” suffix is around connotations of immaturity, and particularly because we do not tend to call men of similar ages “boys”. That’s unequal. But I appreciate that at least this teaser attempts a defense. And overall I loved the teaser, and it made me cry. Stories of women discovering and claiming our power, in ourselves and to help others, will always get me.


Planet Debian

Andrew Pollock: [debian] Fixing some issues with

I got an email last year pointing out a cosmetic issue with I think at the time of the email, the only problem was some bitrot in PHP's built-in server variables making some text appear incorrectly.

I duly added something to my TODO list to fix it, and it subsequently sat there for like 13 months. In the ensuing time, Debian changed some stuff, and my code started incorrectly handling a 302 as well, which actually broke it good and proper.

I finally got around to fixing it.

I also fixed a problem where sometimes there can be multiple entries in the Sources file for a package (switching to using would also address this), which sometimes caused an incorrect version of the changelog to be returned.

In the resulting tinkering, I learned about, which is totally awesome. I could stop maintaining and parsing a local copy of sid's Sources file, and just make a call to this instead.

Finally, I added linking to CVEs, because it was a quick thing to do, and adds value.

In light of, I'm very tempted to rewrite the redirector. The code is very old and hard for present-day Andrew to maintain, and I despise PHP. I'd rather write it in Python today, with some proper test coverage. I could also potentially host it on AppEngine instead of locally, just so I get some experience with AppEngine.

It's also been suggested that I fold the changes into the changelog hosting on I'm hesitant to do this, as it would require changing the output from plain text to HTML, which would mess up consumers of the plain text (like the current implementation of

Planet Linux Australia

Sridhar Dhanapalan: Twitter posts: 2015-05-11 to 2015-05-17

Planet Debian

Lunar: Reproducible builds: week 2 in Stretch cycle

What happened about the reproducible builds effort for this week:

Media coverage

Debian's effort on reproducible builds has been covered in the June 2015 issue of Linux Magazin in Germany.

Cover of Linux Magazin June 2015

Article about reproducible builds in Linux Magazin June 2015

Toolchain fixes

  • gregor herrmann uploaded libextutils-depends-perl/0.404-1 which makes its output deterministic.
  • Christian Hofstaedtler uploaded yard/ which no longer writes timestamps in the generated documentation. Original patch by Chris Lamb.
  • Emmanuel Bourg uploaded maven-plugin-tools/3.3-2 which removes the date from the plugin descriptor. Patch by Reiner Herrmann.
  • Emmanuel Bourg uploaded maven-archiver/2.6-1 which now uses the date set in the DEB_CHANGELOG_DATETIME environment variable for the timestamp in the file embedded in the jar files. Original patch by Chris West.
  • Nicolas Boulenguez uploaded dh-ada-library/6.4 which will warn about non-deterministic ALI files for sources newer than the changelog.

josch rebased the experimental version of debhelper on 9.20150507.

Packages fixed

The following 515 packages became reproducible due to changes of their build dependencies: airport-utils, airspy-host, all-in-one-sidebar, ampache, aptfs, arpack, asciio, aspell-kk, asused, balance, batmand, binutils-avr, bioperl, bpm-tools, c2050, cakephp-instaweb, carton, cbp2make, checkbot, checksecurity, chemeq, chronicle, cube2-data, cucumber, darkstat, debci, desktop-file-utils, dh-linktree, django-pagination, dosbox, eekboek, emboss-explorer, encfs, exabgp, fbasics, fife, fonts-lexi-saebom, gdnsd, glances, gnome-clocks, gunicorn, haproxy, haskell-aws, haskell-base-unicode-symbols, haskell-base64-bytestring, haskell-basic-prelude, haskell-binary-shared, haskell-binary, haskell-bitarray, haskell-bool-extras, haskell-boolean, haskell-boomerang, haskell-bytestring-lexing, haskell-bytestring-mmap, haskell-config-value, haskell-mueval, haskell-tasty-kat, itk3, jnr-constants, jshon, kalternatives, kdepim-runtime, kdevplatform, kwalletcli, lemonldap-ng, libalgorithm-combinatorics-perl, libalgorithm-diff-xs-perl, libany-uri-escape-perl, libanyevent-http-scopedclient-perl, libanyevent-perl, libanyevent-processor-perl, libapache-session-wrapper-perl, libapache-sessionx-perl, libapp-options-perl, libarch-perl, libarchive-peek-perl, libaudio-flac-header-perl, libaudio-wav-perl, libaudio-wma-perl, libauth-yubikey-decrypter-perl, libauthen-krb5-simple-perl, libauthen-simple-perl, libautobox-dump-perl, libb-keywords-perl, libbarcode-code128-perl, libbio-das-lite-perl, libbio-mage-perl, libbrowser-open-perl, libbusiness-creditcard-perl, libbusiness-edifact-interchange-perl, libbusiness-isbn-data-perl, libbusiness-tax-vat-validation-perl, libcache-historical-perl, libcache-memcached-perl, libcairo-gobject-perl, libcarp-always-perl, libcarp-fix-1-25-perl, libcatalyst-action-serialize-data-serializer-perl, libcatalyst-controller-formbuilder-perl, libcatalyst-dispatchtype-regex-perl, libcatalyst-plugin-authentication-perl, libcatalyst-plugin-authorization-acl-perl, 
libcatalyst-plugin-session-store-cache-perl, libcatalyst-plugin-session-store-fastmmap-perl, libcatalyst-plugin-static-simple-perl, libcatalyst-view-gd-perl, libcgi-application-dispatch-perl, libcgi-application-plugin-authentication-perl, libcgi-application-plugin-logdispatch-perl, libcgi-application-plugin-session-perl, libcgi-application-server-perl, libcgi-compile-perl, libcgi-xmlform-perl, libclass-accessor-classy-perl, libclass-accessor-lvalue-perl, libclass-accessor-perl, libclass-c3-adopt-next-perl, libclass-dbi-plugin-type-perl, libclass-field-perl, libclass-handle-perl, libclass-load-perl, libclass-ooorno-perl, libclass-prototyped-perl, libclass-returnvalue-perl, libclass-singleton-perl, libclass-std-fast-perl, libclone-perl, libconfig-auto-perl, libconfig-jfdi-perl, libconfig-simple-perl, libconvert-basen-perl, libconvert-ber-perl, libcpan-checksums-perl, libcpanplus-dist-build-perl, libcriticism-perl, libcrypt-cracklib-perl, libcrypt-dh-gmp-perl, libcrypt-mysql-perl, libcrypt-passwdmd5-perl, libcrypt-simple-perl, libcss-packer-perl, libcss-tiny-perl, libcurses-widgets-perl, libdaemon-control-perl, libdancer-plugin-database-perl, libdancer-session-cookie-perl, libdancer2-plugin-database-perl, libdata-format-html-perl, libdata-uuid-libuuid-perl, libdata-validate-domain-perl, libdate-jd-perl, libdate-simple-perl, libdatetime-astro-sunrise-perl, libdatetime-event-cron-perl, libdatetime-format-dbi-perl, libdatetime-format-epoch-perl, libdatetime-format-mail-perl, libdatetime-tiny-perl, libdatrie, libdb-file-lock-perl, libdbd-firebird-perl, libdbix-abstract-perl, libdbix-class-datetime-epoch-perl, libdbix-class-dynamicdefault-perl, libdbix-class-introspectablem2m-perl, libdbix-class-timestamp-perl, libdbix-connector-perl, libdbix-oo-perl, libdbix-searchbuilder-perl, libdbix-xml-rdb-perl, libdevel-stacktrace-ashtml-perl, libdigest-hmac-perl, libdist-zilla-plugin-emailnotify-perl, libemail-date-format-perl, libemail-mime-perl, libemail-received-perl, 
libemail-sender-perl, libemail-simple-perl, libencode-detect-perl, libexporter-tidy-perl, libextutils-cchecker-perl, libextutils-installpaths-perl, libextutils-libbuilder-perl, libextutils-makemaker-cpanfile-perl, libextutils-typemap-perl, libfile-counterfile-perl, libfile-pushd-perl, libfile-read-perl, libfile-touch-perl, libfile-type-perl, libfinance-bank-ie-permanenttsb-perl, libfont-freetype-perl, libfrontier-rpc-perl, libgd-securityimage-perl, libgeo-coordinates-utm-perl, libgit-pureperl-perl, libgnome2-canvas-perl, libgnome2-wnck-perl, libgraph-readwrite-perl, libgraphics-colornames-www-perl, libgssapi-perl, libgtk2-appindicator-perl, libgtk2-gladexml-simple-perl, libgtk2-notify-perl, libhash-asobject-perl, libhash-moreutils-perl, libhtml-calendarmonthsimple-perl, libhtml-display-perl, libhtml-fillinform-perl, libhtml-form-perl, libhtml-formhandler-model-dbic-perl, libhtml-html5-entities-perl, libhtml-linkextractor-perl, libhtml-tableextract-perl, libhtml-widget-perl, libhtml-widgets-selectlayers-perl, libhtml-wikiconverter-mediawiki-perl, libhttp-async-perl, libhttp-body-perl, libhttp-date-perl, libimage-imlib2-perl, libimdb-film-perl, libimport-into-perl, libindirect-perl, libio-bufferedselect-perl, libio-compress-lzma-perl, libio-compress-perl, libio-handle-util-perl, libio-interface-perl, libio-multiplex-perl, libio-socket-inet6-perl, libipc-system-simple-perl, libiptables-chainmgr-perl, libjoda-time-java, libjsr305-java, libkiokudb-perl, liblemonldap-ng-cli-perl, liblexical-var-perl, liblingua-en-fathom-perl, liblinux-dvb-perl, liblocales-perl, liblog-dispatch-configurator-any-perl, liblog-log4perl-perl, liblog-report-lexicon-perl, liblwp-mediatypes-perl, liblwp-protocol-https-perl, liblwpx-paranoidagent-perl, libmail-sendeasy-perl, libmarc-xml-perl, libmason-plugin-routersimple-perl, libmasonx-processdir-perl, libmath-base85-perl, libmath-basecalc-perl, libmath-basecnv-perl, libmath-bigint-perl, libmath-convexhull-perl, libmath-gmp-perl, 
libmath-gradient-perl, libmath-random-isaac-perl, libmath-random-oo-perl, libmath-random-tt800-perl, libmath-tamuanova-perl, libmemoize-expirelru-perl, libmemoize-memcached-perl, libmime-base32-perl, libmime-lite-tt-perl, libmixin-extrafields-param-perl, libmock-quick-perl, libmodule-cpanfile-perl, libmodule-load-conditional-perl, libmodule-starter-pbp-perl, libmodule-util-perl, libmodule-versions-report-perl, libmongodbx-class-perl, libmoo-perl, libmoosex-app-cmd-perl, libmoosex-attributehelpers-perl, libmoosex-blessed-reconstruct-perl, libmoosex-insideout-perl, libmoosex-relatedclassroles-perl, libmoosex-role-timer-perl, libmoosex-role-withoverloading-perl, libmoosex-storage-perl, libmoosex-types-common-perl, libmoosex-types-uri-perl, libmoox-singleton-perl, libmoox-types-mooselike-numeric-perl, libmousex-foreign-perl, libmp3-tag-perl, libmysql-diff-perl, libnamespace-clean-perl, libnet-bonjour-perl, libnet-cli-interact-perl, libnet-daap-dmap-perl, libnet-dbus-glib-perl, libnet-dns-perl, libnet-frame-perl, libnet-google-authsub-perl, libnet-https-any-perl, libnet-https-nb-perl, libnet-idn-encode-perl, libnet-idn-nameprep-perl, libnet-imap-client-perl, libnet-irc-perl, libnet-mac-vendor-perl, libnet-openid-server-perl, libnet-smtp-ssl-perl, libnet-smtp-tls-perl, libnet-smtpauth-perl, libnet-snpp-perl, libnet-sslglue-perl, libnet-telnet-perl, libnhgri-blastall-perl, libnumber-range-perl, libobject-signature-perl, libogg-vorbis-header-pureperl-perl, libopenoffice-oodoc-perl, libparse-cpan-packages-perl, libparse-debian-packages-perl, libparse-fixedlength-perl, libparse-syslog-perl, libparse-win32registry-perl, libpdf-create-perl, libpdf-report-perl, libperl-destruct-level-perl, libperl-metrics-simple-perl, libperl-minimumversion-perl, libperl6-slurp-perl, libpgobject-simple-perl, libplack-middleware-fixmissingbodyinredirect-perl, libplack-test-externalserver-perl, libplucene-perl, libpod-tests-perl, libpoe-component-client-ping-perl, libpoe-component-jabber-perl, 
libpoe-component-resolver-perl, libpoe-component-server-soap-perl, libpoe-component-syndicator-perl, libposix-strftime-compiler-perl, libposix-strptime-perl, libpostscript-simple-perl, libproc-processtable-perl, libprotocol-osc-perl, librcs-perl, libreadonly-xs-perl, libreturn-multilevel-perl, librivescript-perl, librouter-simple-perl, librrd-simple-perl, libsafe-isa-perl, libscope-guard-perl, libsemver-perl, libset-tiny-perl, libsharyanto-file-util-perl, libshell-command-perl, libsnmp-info-perl, libsoap-lite-perl, libstat-lsmode-perl, libstatistics-online-perl, libstring-compare-constanttime-perl, libstring-format-perl, libstring-toidentifier-en-perl, libstring-tt-perl, libsub-recursive-perl, libsvg-tt-graph-perl, libsvn-notify-perl, libswish-api-common-perl, libtap-formatter-junit-perl, libtap-harness-archive-perl, libtemplate-plugin-number-format-perl, libtemplate-plugin-yaml-perl, libtemplate-tiny-perl, libtenjin-perl, libterm-visual-perl, libtest-block-perl, libtest-carp-perl, libtest-classapi-perl, libtest-cmd-perl, libtest-consistentversion-perl, libtest-data-perl, libtest-databaserow-perl, libtest-differences-perl, libtest-file-sharedir-perl, libtest-hasversion-perl, libtest-kwalitee-perl, libtest-lectrotest-perl, libtest-module-used-perl, libtest-object-perl, libtest-perl-critic-perl, libtest-pod-coverage-perl, libtest-script-perl, libtest-script-run-perl, libtest-spelling-perl, libtest-strict-perl, libtest-synopsis-perl, libtest-trap-perl, libtest-unit-perl, libtest-utf8-perl, libtest-without-module-perl, libtest-www-selenium-perl, libtest-xml-simple-perl, libtest-yaml-perl, libtex-encode-perl, libtext-bibtex-perl, libtext-csv-encoded-perl, libtext-csv-perl, libtext-dhcpleases-perl, libtext-diff-perl, libtext-quoted-perl, libtext-trac-perl, libtext-vfile-asdata-perl, libthai, libthread-conveyor-perl, libthread-sigmask-perl, libtie-cphash-perl, libtie-ical-perl, libtime-stopwatch-perl, libtk-dirselect-perl, libtk-pod-perl, libtorrent, libturpial, 
libunicode-japanese-perl, libunicode-maputf8-perl, libunicode-stringprep-perl, libuniversal-isa-perl, libuniversal-moniker-perl, liburi-encode-perl, libvi-quickfix-perl, libvideo-capture-v4l-perl, libvideo-fourcc-info-perl, libwiki-toolkit-plugin-rss-reader-perl, libwww-mechanize-formfiller-perl, libwww-mechanize-gzip-perl, libwww-mechanize-perl, libwww-opensearch-perl, libx11-freedesktop-desktopentry-perl, libxc, libxml-dtdparser-perl, libxml-easy-perl, libxml-handler-trees-perl, libxml-libxml-iterator-perl, libxml-libxslt-perl, libxml-rss-perl, libxml-validator-schema-perl, libxml-xpathengine-perl, libxml-xql-perl, llvm-py, madbomber, makefs, mdpress, media-player-info, meta-kde-telepathy, metamonger, mmm-mode, mupen64plus-audio-sdl, mupen64plus-rsp-hle, mupen64plus-ui-console, mupen64plus-video-z64, mussort, newpid, node-formidable, node-github-url-from-git, node-transformers, nsnake, odin, otcl, parsley, pax, pcsc-perl, pd-purepd, pen, prank, proj, proot, puppet-module-puppetlabs-postgresql, python-async, python-pysnmp4, qrencode, r-bioc-graph, r-bioc-hypergraph, r-bioc-iranges, r-bioc-xvector, r-cran-pscl, rbenv, rlinetd, rs, ruby-ascii85, ruby-cutest, ruby-ejs, ruby-factory-girl, ruby-hdfeos5, ruby-kpeg, ruby-libxml, ruby-password, ruby-zip-zip, sdl-sound1.2, stterm, systemd, taktuk, tcc, tryton-modules-account-invoice, ttf-summersby, tupi, tuxpuck, unknown-horizons, unsafe-mock, vcheck, versiontools, vim-addon-manager, vlfeat, vsearch, xacobeo, xen-tools, yubikey-personalization-gui, yubikey-personalization.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which did not make their way to the archive yet:

  • #784541 on yasm by Lunar: remove build date from version strings.
  • #784694 on smcroute by Micha Lenk: remove build date from version string.
  • #784672 on gnumeric by Daniel Kahn Gillmor: remove timestamps in embedded gzip'ed data in shared library.
  • #774347 on sed by Lunar: fix permissions before creating the package.
  • #784352 on icebreaker by Reiner Herrmann: use UTC timezone when calculating version date.
  • #784325 on kde-workspace by Lunar: make the output of kdm stable.
  • #784602 on monkeysign by Daniel Kahn Gillmor: use time of debian/changelog entry when generating documentation.
  • #784723 on alot by Juan Picca: pass time of debian/changelog entry to Sphinx.
  • #784538 on file-rc by Lunar: use sed instead of grep+mv to keep correct file permissions.
  • #784335 on libapache2-mod-perl2 by Lunar: set PERL_HASH_SEED=0 during configure to make the generated .c and .h files stable.
  • #784267 on mpv by Lunar: pass --disable-build-date to ./configure.
  • #784793 on bugs-everywhere by Daniel Kahn Gillmor: use time of debian/changelog entry as build date.
  • #784318 on gnome-desktop3 by Lunar: use time of debian/changelog entry as build date.
  • #774504 on debianutils by Lunar: fix file permissions.

Alioth now hosts a script that can be used to redo builds and tests for a package. This was previously done manually through requests over the IRC channel. This should reduce the number of interruptions for jenkins' maintainers.

The graph of the oldest build per day has been fixed. Maintenance scripts will no longer error out when there are no files to remove.

Holger Levsen started work on being able to test variations of CPU features and build date (as in build in another month of 1984) by using virtual machines.

debbindiff development

Version 18 has been released. It now uses proper comparators for pk3 and info files. Tar member names are now assumed to be UTF-8 encoded.

The limit for the maximum number of different lines has been removed. Let's see how it goes for pathological cases.

It's now possible to specify both --html and --text output. When neither of them is specified, the default will be to print a text report on the standard output (thanks to Paul Wise for the suggestion).

Documentation update

Nicolas Boulenguez investigated Ada libraries.

Package reviews

451 obsolete reviews have been removed and 156 added this week.

New identified issues: running kernel version getting captured, random filenames in GHC debug symbols, and timestamps in headers generated by qdbusxml2cpp.


Holger Levsen went to re:publica and talked about reproducible builds to developers and users there.

Holger also had a chance to meet FreeBSD developers and discuss the status of FreeBSD. Investigations have started on how it could be made part of our current test system.

Laurent Guerby gave Lunar access to systems in the GCC Compile Farm. Hopefully access to these powerful machines will help to fix packages for GCC, Iceweasel, and similar packages requiring long build times.


Planet Debian

Ian Campbell: A vhosting git setup with gitolite and gitweb

Since gitorious' shutdown I decided it was time to start hosting my own git repositories for my own little projects (although the company which took over gitorious has a Free software offering it seems that their hosted offering is based on the proprietary version, and in any case once bitten, twice shy and all that).

After a bit of investigation I settled on using gitolite and gitweb. I did consider (and even had a vague preference for) cgit but it wasn't available in Wheezy (not even in backports, and the backport looked tricky) and I haven't upgraded my VPS yet. I may reconsider cgit once I switch to Jessie.

The only wrinkle was that my VPS is shared with a friend and I didn't want to completely take over the gitolite and gitweb namespaces in case he ever wanted to setup, so I needed something which was at least somewhat compatible with vhosting. gitolite doesn't appear to support such things out of the box but I found an interesting/useful post from Julius Plenz which included sufficient inspiration that I thought I knew what to do.

After a bit of trial and error here is what I ended up with:

Install gitolite

The gitolite website has plenty of documentation on configuring gitolite. But since gitolite is in Debian it's even more trivial than the quick install makes out.

I decided to use the newer gitolite3 package from wheezy-backports instead of the gitolite (v2) package from Wheezy. I already had backports enabled so this was just:

# apt-get install gitolite3/wheezy-backports

I accepted the defaults and gave it the public half of the ssh key which I had created to be used as the gitolite admin key.

By default this added a user gitolite3 with a home directory of /var/lib/gitolite3. Since the username forms part of the URL used to access the repositories I didn't want it to include the 3, so I edited /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow to say just gitolite but left the home directory as gitolite3. (usermod -l gitolite gitolite3 followed by groupmod -n gitolite gitolite3 makes the same change to all four files without hand-editing them.)

Now I could clone the gitolite-admin repo and begin to configure things.

Add my user

This was as simple as dropping the public half into the gitolite-admin repo as keydir/, then git add, commit and push.

Setup vhosting

Between the gitolite docs and Julius' blog post I had a pretty good idea what I wanted to do here.

I wasn't too worried about making the vhost transparent from the developer's (ssh:// URL) point of view, just from the gitweb and git clone side. So I decided to adapt things to use a simple $VHOST/$REPO.git schema.

I created /var/lib/gitolite3/local/lib/Gitolite/Triggers/ containing:

package Gitolite::Triggers::VHost;

use strict;
use warnings;

use File::Slurp qw(read_file write_file);

# POST_COMPILE trigger: split gitolite's global projects.list into one
# projects.<vhost>.list per virtual host, keyed on the "$VHOST/$REPO" prefix.
sub post_compile {
    my %vhost = ();
    my @projlist = read_file("$ENV{HOME}/projects.list");
    for my $proj (sort @projlist) {
        # only "host.domain/repo" entries belong to a vhost; skip anything
        # else (e.g. the default testing.git at the top level)
        $proj =~ m,^([^/\.]*\.[^/]*)/(.*)$, or next;
        my ($host, $repo) = ($1,$2);
        $vhost{$host} //= [];
        push @{$vhost{$host}} => $repo;
    }
    # projects.<vhost>.list is the filename the gitweb config below reads
    for my $v (keys %vhost) {
        write_file("$ENV{HOME}/projects.$v.list",
                   { atomic => 1 }, join("\n",@{$vhost{$v}}));
    }
}

1;

I then edited /var/lib/gitolite3/.gitolite.rc and ensured it contained:

LOCAL_CODE                =>  "$ENV{HOME}/local",

POST_COMPILE => [ 'VHost::post_compile', ],

(The first I had to uncomment, the second to add).

All this trigger does is take the global projects.list, in which gitolite will list any repo which is configured to be accessible via gitweb, and split it into several vhost specific lists.

Create first repository

Now that the basics were in place I could create my first repository (for hosting qcontrol).

In the gitolite-admin repository I edited conf/gitolite.conf and added:

    RW+     =   ijc

After adding, committing and pushing I now have "/var/lib/gitolite3/projects.list" containing:

(the testing.git repository is configured by default) and /var/lib/gitolite3/ containing just:


For cloning the URL is:


which is rather verbose (${VPSNAME} is quite long in my case too), so to simplify things I added to my .ssh/config:

Host gitolite
Hostname ${VPSNAME}
User gitolite
IdentityFile ~/.ssh/id_rsa_gitolite

so I can instead use:

which is a bit less of a mouthful and almost readable.

Configure gitweb (http:// URL browsing)

Following the documentation's advice I edited /var/lib/gitolite3/.gitolite.rc to set:

UMASK                           =>  0027,

and then:

$ chmod -R g+rX /var/lib/gitolite3/repositories/*

This arranges for members of the gitolite group to be able to read anything under /var/lib/gitolite3/repositories/*.


# adduser www-data gitolite

This adds the user www-data to the gitolite group so it can take advantage of those relaxed permissions. I'm not super happy about this, but since gitweb runs as www-data:www-data this seems to be the recommended way of doing things. Note that it also means anything else running as www-data on the box (any other CGI or web application) gets the same read access to every repository under repositories/, gitolite-admin.git included unless it is excluded from that chmod. I'm consoling myself with the fact that I don't plan on hosting anything sensitive... I also arranged things such that members of the group can only list the contents of directories from the vhost directory down by setting g=x not g=rx on higher level directories. Potentially sensitive files do not have group permissions at all either.
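Once www-data can read the repositories it pays to check what that actually exposes per vhost. The audit below is an added example, not part of Ian's setup: it assumes the layout described here (one vhost directory holding bare <repo>.git directories, a projects.<vhost>.list naming the repos gitweb should index, and gitolite dropping its git-daemon-export-ok stamp for repos with "R = daemon"). It flags the case that the permission change alone does not cover: a group-readable repository under the vhost that is neither in the projects list nor stamped, which gitweb will still serve to anyone who requests its path directly unless $strict_export or $export_ok is set in the gitweb config. The demo tree is constructed in a temporary directory and is not a real gitolite install.

```shell
#!/bin/sh
# Audit what gitweb / git-http-backend would expose under one vhost project
# root once www-data is a member of the gitolite group.
# Added example; assumes <root>/<repo>.git plus one projects.<vhost>.list
# (repo names relative to the root, as the VHost trigger writes them).

# audit_gitweb_exposure PROJECTROOT PROJECTS_LIST
# Prints "<status> <repo>" for every bare repository directly under the root:
#   listed  - named in the projects list: shown in gitweb's index
#   stamped - has git-daemon-export-ok: served by git-http-backend even
#             though gitweb's index does not show it
#   leaked  - group-readable but neither listed nor stamped: gitweb still
#             serves it on a direct URL unless $strict_export/$export_ok is set
#   private - not group-readable, so www-data cannot open it at all
audit_gitweb_exposure() {
    root=$1
    list=$2
    for dir in "$root"/*.git; do
        [ -d "$dir" ] || continue
        repo=${dir##*/}
        if grep -qxF "$repo" "$list"; then
            echo "listed  $repo"
        elif [ -e "$dir/git-daemon-export-ok" ]; then
            echo "stamped $repo"
        else
            # group read bit is the 5th character of "ls -ld", e.g. drwxr-x---
            case $(ls -ld "$dir") in
                ????r*) echo "leaked  $repo" ;;
                *)      echo "private $repo" ;;
            esac
        fi
    done
}

# Constructed demo tree standing in for /var/lib/gitolite3/repositories/<vhost>,
# built in a temporary directory and removed afterwards.
demo_audit() {
    tmp=$(mktemp -d)
    vhost=$tmp/git.example.org
    mkdir -p "$vhost/qcontrol.git" "$vhost/mirror.git" \
             "$vhost/scratch.git" "$vhost/private.git"
    # "R = gitweb daemon" on qcontrol: listed and stamped
    printf '%s\n' qcontrol.git > "$tmp/projects.git.example.org.list"
    : > "$vhost/qcontrol.git/git-daemon-export-ok"
    # "R = daemon" only on mirror: stamped, but absent from the index
    : > "$vhost/mirror.git/git-daemon-export-ok"
    # chmod -R g+rX as in the post: every repo becomes group-readable,
    # including scratch.git, which has no gitweb/daemon permission at all
    chmod -R g+rX "$tmp"
    # one repo deliberately closed to the group, for contrast
    chmod g-rwx "$vhost/private.git"
    audit_gitweb_exposure "$vhost" "$tmp/projects.git.example.org.list"
    rm -rf "$tmp"
}

demo_audit
```

Running it prints one line per repository; scratch.git comes out as "leaked", which is the state to fix either by giving the repo "R = gitweb" on purpose or by setting our $strict_export = 1; in gitolite-gitweb.conf so gitweb refuses anything not in the projects list.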

Next I created /etc/apache2/gitolite-gitweb.conf:

die unless $ENV{GIT_PROJECT_ROOT};
$ENV{GIT_PROJECT_ROOT} =~ m,^.*/([^/]+)$,;
our $gitolite_vhost = $1;
our $projectroot = $ENV{GIT_PROJECT_ROOT};
our $projects_list = "/var/lib/gitolite3/projects.${gitolite_vhost}.list";
our @git_base_url_list = ("http://git.${gitolite_vhost}");

This extracts the vhost name from ${GIT_PROJECT_ROOT} (it must be the last path element) and uses it to select the appropriate vhost-specific projects list. One caveat: a projects list only controls what gitweb shows in its index. Unless $strict_export is set (or $export_ok names the git-daemon-export-ok stamp), gitweb still serves any other group-readable repository under $projectroot whose path is requested directly, so our $strict_export = 1; belongs in this file too.

Then I added a new vhost to my apache2 configuration:

<VirtualHost [2001:41c8:1:628a::89]:80>
        SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories/
        SetEnv GITWEB_CONFIG /etc/apache2/gitolite-gitweb.conf
        Alias /static /usr/share/gitweb/static
        ScriptAlias / /usr/share/gitweb/gitweb.cgi/
</VirtualHost>

This configures (don't forget to update DNS too) and sets the appropriate environment variables to find the custom gitolite-gitweb.conf and the project root.

Next I edited /var/lib/gitolite3/.gitolite.rc again to set:

GIT_CONFIG_KEYS                 => 'gitweb\.(owner|description|category)',

Now I can edit the repo configuration to be:

    owner   =   Ian Campbell
    desc    =   qcontrol
    RW+     =   ijc
    R       =   gitweb

That R permission for the gitweb pseudo-user causes the repo to be listed in the global projects.list and the trigger which we've added causes it to be listed in, which is where our custom gitolite-gitweb.conf will look.

Setting GIT_CONFIG_KEYS allows those options (owner and desc are syntactic sugar for two of them) to be set here and propagated to the actual repo.

Configure git-http-backend (http:// URL cloning)

After all that this was pretty simple. I just added this to my vhost before the ScriptAlias / /usr/share/gitweb/gitweb.cgi/ line:

        ScriptAliasMatch \
                "(?x)^/(.*/(HEAD | \
                                info/refs | \
                                objects/(info/[^/]+ | \
                                         [0-9a-f]{2}/[0-9a-f]{38} | \
                                         pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                                git-(upload|receive)-pack))$" \

This (which I stole straight from the git-http-backend(1) manpage) causes anything which git-http-backend should deal with to be sent there and everything else to be sent to gitweb.

Having done that access is enabled by editing the repo configuration one last time to be:

    owner   =   Ian Campbell
    desc    =   qcontrol
    RW+     =   ijc
    R       =   gitweb daemon

Adding R permissions for daemon causes gitolite to drop a git-daemon-export-ok stamp file in the repository, which tells git-http-backend that it should export it. Although the ScriptAliasMatch also routes git-receive-pack, git-http-backend only serves pushes for requests the web server has authenticated (or when http.receivepack is set in the repository), so this anonymous vhost stays read-only; pushes still go over ssh through gitolite.

Configure git daemon (git:// URL cloning)

I actually didn't bother with this: git-http-backend supports the smart HTTP mode, which should be as efficient as the git protocol. Given that, I couldn't see any reason to run another network-facing daemon on my VPS.

FWIW it looks like vhosting could have been achieved for git daemon by using its --interpolated-path option.


There are quite a few moving parts, but they all seem to fit together quite nicely. In the end, apart from adding www-data to the gitolite group, I'm pretty happy with how things ended up.

Planet DebianHolger Levsen: 20150516-lts-march-and-april

My LTS March and April

In March and April 2015 I sadly didn't get much LTS work done, for a variety of reasons. Most of these reasons make me happy, while at the same time I'm sad I had to reduce my LTS involvement, and actually I even failed to allocate those few hours which were assigned to me. So I'll keep this blog post short too, as time is my most precious resource atm.

In March I only sponsored the axis upload for and wrote DLA-169-1, besides that I spent some hours to implement JSON output for the security-tracker, which was more difficult than anticipated, because a.) different people had different (first) unspoken assumptions what output they wanted and b.) since the security-trackers database schema has grown over years getting the data out in a logically structured fashion ain't as easy as one would imagine...

In April I sponsored the openldap upload and wrote DLA-203-1 and then prepared debian-security-support 2015.04.04~~deb6u1 for squeeze-lts and triaged some of d-s-s's bugs. Adding support for oldoldstable (and thus keeping support for squeeze-lts) to the security-tracker was my joyful contribution for the very joyful Jessie release day.

So in total I only spent 7.5 (paid) hours on LTS in these two months, although I should have spent 10. The only thing I can say in my defense is that I've spent more time on LTS (supporting both users and contributors on the list as well as on IRC) but this time ain't billable. Which I think is right, but it still eats into my "LTS time", and so sometimes I wish I could more easily ignore people and just concentrate on technical fixes...

Planet DebianCraig Small: Debian, WordPress and Multi-site

For quite some time, the Debian version of WordPress has had a configuration tweak that made it possible to run multiple websites on the same server. This came from a while ago when multi-site wasn’t available. While a useful feature, it does make the initial setup of WordPress for simple sites more complicated.

I’m looking at changing the Debian package slightly so that for single-site use it Just Works. I have also looked into the way WordPress handles the content, especially themes and plugins, to see if there is a way of updating them through the website itself. This probably won’t suit everyone but I think it’s a better default.

The idea is to set up the Debian package something like this by default, and if you want fancier stuff it’s all still there, just not set up. That isn’t the case at the moment, and the default is a little confusing, which I hope to change.


The first step was to get my pair of websites into one. So first it was backing up time and then the removal of my config-websitename.php files in /etc/wordpress. I created a single /etc/wordpress/config-default.php file that used a new database.  This initial setup worked ok and I had the primary site going reasonably quickly.

The second site was a little trickier. The problem is that multisite does things like and while I wanted and There is a plugin wordpress-mu-domain-mapping that almost sorta-kinda works.  While it let me make the second site with a different name, it didn’t like aliases, especially if the alias was the first site.

Some evil SQL fixed that nicely: "UPDATE wp_domain_mapping SET blog_id=1 WHERE id=2"

So now I had:

  • as my primary site
  • as a second site
  • as an alias for my primary site

Files and Permissions

We really have three separate sets of files in WordPress. They come from three different sources, are updated in three different ways and have different release cycles.

The first is the wordpress code which is shipped in the Debian package. All of this code lives in /usr/share/wordpress and is only changed if you update the Debian package, or you fiddle around with it. It needs to be readable to the webserver but not writable. The config files in /etc/wordpress are in this lot too.

Secondly, we have the user generated data. This is things like your pictures that you add to the blog. As they are uploaded through the webserver, it needs to be writable to it. These files are located in /var/lib/wordpress/wp-content/uploads

Third are the plugins and themes. These can either be unzipped and placed into a directory or loaded directly through the webserver. I used to do it the first way but am trying the second. These files are located in /var/lib/wordpress/wp-content

Ever tried to update your plugins and get the FTP prompt? This is because the wp-content directory is not writable. I adjusted the permissions and now when a plugin wants to update, I click yes and it magically happens!

You will have to reference the /var/lib/wordpress/wp-content subdirectory in two places:

  • In your /etc/wordpress/config-default.php: the WP_CONTENT_DIR definition
  • In Apache or .htaccess: either a symlink out of /usr/share/wordpress with FollowSymLinks turned on, or an Apache Alias plus a directive permitting access.

What broke

Images did, in a strange way. My media library is empty, but my images are still there. Something in the export and reimport did not work. For me it’s a minor inconvenience, and due to moving from one system to another, but it is still there.



Planet DebianRogério Brito: A Small Python Project (coursera-dl) Activites

Lately, I have been dedicating a lot of my time (well, at least compared to what I used to) to Free Software projects. In particular, I have spent a moderate amount of time with two projects written in Python.

In this post, I want to talk about the first, more popular project is called coursera-dl. To be honest, I think that I may have devoted much more time to it than to any other project in particular.

With it I started to learn (besides the practices that I already used in Debian), how to program in Python, how to use unit tests (I started with Python's built-in unittest framework, then progressed to nose, and I am now using pytest), hooking up the results of the tests with a continuous integration system (in this case, Travis CI).

I must say that I am sold on this idea of testing software (after being a skeptical for way too long) and I can say that I find hacking on other projects without proper testing a bit uncomfortable, since I don't know if I am breaking unrelated parts of the project.

My use of and migration to pytest was the result of a campaign called Adopt Pytest Month, which a kind user of the project let me know about. I got a very skilled volunteer assigned from pytest to our project. Besides learning from their pull requests, one side-effect of this whole story was that I spent a moderate amount of hours trying to understand how to properly package and distribute things on PyPI.

One tip learned along the way: contrary to the official documentation, use twine, not python upload. It is more flexible for uploading your package to PyPI.

You can see the package on PyPI. Anyway, I made the first upload of the package to PyPI on the 1st of May and it already has almost 1500 downloads, which is far more than I expected.

A word of warning: there are other similarly named projects, but they don't seem to have as much of a following as we have. My speculation is that this may be due to me spending a lot of time interacting with users in the bug tracker that GitHub provides.

Anyway, installation of the program is now as simple as:

pip install coursera

And all the dependencies will be neatly pulled in, without having to mess with multi-step procedures. This is a big win for the users.

Also, I even had an offer to package the program to have it available in Debian!

Well, despite all the time that this project demanded, I think that I have only good things to say, especially to the original author, John Lehmann. :)

If you like the project, please let me know and consider yourselves invited to participate by lending a hand, testing/using the program or triaging some bugs.


LongNowBeth Shapiro Seminar Media

This lecture was presented as part of The Long Now Foundation’s monthly Seminars About Long-term Thinking.

How to Clone a Mammoth

Monday May 11, 02015 – San Francisco

Audio is up on the Shapiro Seminar page, or you can subscribe to our podcast.


De-extinction science – a summary by Stewart Brand

When people hear about “ancient DNA” in fossils, Shapiro began, the first question always is “Can we clone a dinosaur?” Dinosaurs died out so many millions of years ago, their fossils are nothing but rock (and by the way, there’s no workaround with mosquitoes in amber because amber totally destroys DNA). With no DNA, there’s no chance of cloning a dinosaur. (Sorry.)

The fossils of woolly mammoths, though, are not rock. They died out only thousands of years ago, and their remains are pretty well preserved in frozen tundra, which means there is recoverable DNA. So, Plan A, can we clone a mammoth? It would be like Dolly-the-sheep, where you take nuclear DNA from somewhere in the preserved mammoth body, inject it into the egg of a closely related species (Asian elephant), plant the mammoth embryo in a surrogate mother, and in two years, a newborn woolly mammoth! But as soon as any animal dies, unless it is cryopreserved with great care, all the DNA is attacked by gut bacteria, by water, by temperature change, and soon you have nothing but tiny fragments. Nobody has found any intact cells or intact DNA in frozen mammoth mummies, and probably they never will. So, you can’t clone a mammoth. (Sorry.)

Okay, Plan B, can you sequence a mammoth—reconstruct the entire genome through digital analysis and then rebuild it chemically and plant that in an elephant egg? Ancient DNA, even from the best specimens, is so badly fragmented and contaminated it’s hard to tell what bits are mammoth and how they go together. Using the elephant genome for comparison, though, you can do a pretty good job of approximating the original. Just last week the successful sequencing and assembly of the full woolly mammoth genome—4 billion base pairs—was announced. But all sequencing is incomplete, including the human genome, and maybe important elements got left out. A genome rebuilt from scratch won’t be functional, and you can’t create a mammoth with it. (Sorry.)

Alright, Plan C, can you engineer a mammoth? Take a living elephant genome and cut and paste important mammoth genes into it so you get all the mammoth traits you want. There is an incredibly powerful new tool for genome editing called CRISPR-Cas9 that can indeed swap synthetic mammoth genes into an elephant genome, and this has been done by George Church and his team at Harvard. They swapped in 14 genes governing mammoth traits for long hair, extra fat, and special cold-adapted blood cells. If you can figure out the right genes to swap, and you get them all working in an elephant genome, and you manage the difficult process of cross-species cloning and cross-species parenthood, then you may get mammoth-like Asian elephants capable of living in the cold.

(During the Q & A, Shapiro pointed out that with birds the process is different than with mammals. Instead of cloning, you take the edited genome and inject it into primordial germ cells of the embryo of a closely related bird. If all goes well, when the embryo grows up, it has the gonads of the extinct bird and will lay some eggs carrying the traits of the extinct animal.)

Why bring back extinct animals? Certainly not to live in zoos. But in the wild they could restore missing ecological interactions. Shapiro described Sergey Zimov’s “Pleistocene Park” in northern Siberia, where he proved that a dense herd of large herbivores can turn tundra into grassland—”the animals create and maintain their own grazing environment.” The woolly mammoth was a very large herbivore. Its return to the Arctic could provide new habitat for endangered species, help temper climate change, increase the population of elephants in the world, and bring excitement and a reframed sense of what is possible to conservation.

Furthermore, Shapiro concluded, the technology of de-extinction can be applied to endangered species. Revive & Restore is working on the black-footed ferret, which has inbreeding problems and extreme vulnerability to a disease called sylvatic plague. Gene variants that are now absent in the population might be recovered from the DNA of specimens in museums, and the living ferrets could get a booster shot from their ancestors.

Subscribe to our Seminar email list for updates and summaries.

CryptogramFriday Squid Blogging: NASA's Squid Rover

NASA is funding a study for a squid rover that could explore Europa's oceans.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Sociological ImagesDividing Legitimate from Illegitimate Violence

Flashback Friday.

Sociologist Max Weber argued that the nation-state can be defined by its monopoly on violence. For most of us, most of the time, violence exercised by the state is assumed to be legitimate (unless shown otherwise). For example, police walk around with guns and can shoot you legally. Soldiers kill as part of their jobs. This is simply “keeping the peace” or “following orders.”

But violence exercised by individuals and other entities is (unless shown otherwise) illegitimate. In fact, when individuals or other entities do violence, it is often called “criminality” or “terrorism.”


Words are powerful. Calling something “terrorism” is a way to make it seem illegitimate.  And, often, what makes violence illegitimate is not something inherent in the violence itself, but your perspective on it.

Thanks to Perry H. for the submission. Originally posted in 2009.

Lisa Wade is a professor of sociology at Occidental College and the co-author of Gender: Ideas, Interactions, Institutions. You can follow her on Twitter and Facebook.


Geek FeminismIn The Hall Of The Mountain Linkspam (15 May 2015)

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

RacialiciousIn His Own Words: B.B. King (1925-2015)

Compiled by Arturo R. García


I would sit on the corners, and people would walk up to me and ask me to play a gospel song, and they’d pat me on the head and say, that’s nice, son – but they didn’t tip at all. But people who ask me to play the blues would always tip me. I’d make $40-50. Even as off in the head as I am, I could see it made better sense to be a blues singer.
The Telegraph, 2009


I used to play a place in Twist, Arkansas — it’s still there, Twist, Arkansas — and they used to have a little nightclub there that we played quite often. It used to get quite cold in Twist. And they used to take something that looked like a big garbage pail and set it in the middle of the floor, half-fill it with kerosene. They would light that fuel and that’s what we used for heat. And generally the people would dance around and they would disturb this container.

But this particular night, two guys started fighting, and one of them knocked the other one over on this container. And when they did, it spilled on the floor. Now, it was already burning, so when it spilled, it looked like a river of fire. And everybody ran for the front door, including yours truly. But when I got on the outside, I realized that I’d left my guitar inside.

I went back for it. The building was a wooden building, and it was burning so fast, when I got my guitar it started to collapse around me. So I almost lost my life trying to save the guitar. The next morning we found that these two guys was fightin’ about a lady. I never did meet the lady, but I learned that her name was Lucille. So I named my guitar Lucille to remind me not to do a thing like that again.

– Interview with Joe Smith, 1986; animation by ‘Blank on Blank,’ 2015.


I studied a little bit. I compose. I’ve been composing for years. I write a little bit. And people didn’t know it, but my early records, most of em I produced them myself. And then somebody said, when we did Blues on the Bayou or somethin, “Oh B.B. produced a record!” And I said, “Really?” Most of the things, I just didn’t get credit for the early ones. People would put names on my songs and I didn’t even know who they were. It would say The King and Ling. Who the hell is Ling? I don’t know, that was just the way they could claim part of the song. And so many of the things I produced, nobody mentioned it. I didn’t know then. I know today, but it doesn’t matter a lot. But it’s the way people make money off of em, which is fine. I feel that in this music business, everybody got to make their little taste. I just don’t want em to take mine.

Guitar Magazine


You’re mighty young to write such heavy lyrics.
– To U2 lead singer Bono, as seen in “Rattle & Hum,” 1988


Back when we was in school in Mississippi, we had Little Black Sambo. That’s what you learned: Anytime something was not good, or anytime something was bad in some kinda way, it had to be called black. Like, you had Black Monday, Black Friday, black sheep. … Of course, everything else, all the good stuff, is white. White Christmas and such. You got to pay attention to the language, hear what it’s really saying.

Esquire, 2006.


You continuously have to learn. If I — I’m off sometime like 2-3 weeks- I have to learn my routines in my head again or I’ll forget some of the songs. I forget. I have to go back and get them in my head again. Because I gotta have at least 14 or 15 songs to remember the lines in my head. It’s sort of like an actor or actress. I have to remember these lines and you kinda dramatize them you don’t just say them you know you got to make it make some sense. So to answer your question I have to practice just like everybody else. I don’t practice enough — never have.
MNBlues, 2000


I carried this song around in my head for seven or eight years. It was a different kind of blues ballad. I’d been arranging it in my head and had even tried a couple of different versions that didn’t work. But when I walked in to record on this night at the Hit Factory in New York, all the ideas came together. I changed the tune around to fit my style, and [producer] Bill Szymczyk set up the sound nice and mellow. We got through around 3 a.m. I was thrilled, but Bill wasn’t, so I just went home. Two hours later, Bill called and woke me up and said, ‘I think “The Thrill Is Gone” is a smash hit, and it would be even more of a hit if I added on strings. What do you think?’ I said, ‘Let’s do it.’

– On the making of “The Thrill Is Gone,” Guitar World, 2013


Top image via B.B. King official Facebook page.

The post In His Own Words: B.B. King (1925-2015) appeared first on Racialicious - the intersection of race and pop culture.

CryptogramMicrobe Biometric


Franzosa and colleagues used publicly available microbiome data produced through the Human Microbiome Project (HMP), which surveyed microbes in the stool, saliva, skin, and other body sites from up to 242 individuals over a months-long period. The authors adapted a classical computer science algorithm to combine stable and distinguishing sequence features from individuals' initial microbiome samples into individual-specific "codes." They then compared the codes to microbiome samples collected from the same individuals at follow-up visits and to samples from independent groups of individuals.

The results showed that the codes were unique among hundreds of individuals, and that a large fraction of individuals' microbial "fingerprints" remained stable over a one-year sampling period. The codes constructed from gut samples were particularly stable, with more than 80% of individuals identifiable up to a year after the sampling period.

Worse Than FailureError'd: BSOD Could Go All the Way This Year

"Yes! I'm a huge fan of BSOD. I'm glad to see SportsCenter giving some well deserved recognition!," Mike writes.


"Found this while on a university's web page," writes Michael P., "So, does this mean that I might be using this page un-officially?"


Ben S. wrote, "Sure, it gets points for portability, but I'm concerned about how usable it is."


"I don't think that Unity understands what the word 'failed' means," writes Roman.


Ishan writes, "Looks like BitDefender is testing in production."


This is a blurb about the Error'd that Scott sent in.


Stefan wrote, "Even if you can't read Swedish, it's pretty easy to spot the WTF."


"I guess this is what I get for giving out my email address," wrote Andreas.



Planet Linux AustraliaDavid Rowe: Lower SNR limit of Digital Voice

I’m currently working on a Digital Voice (DV) mode that will work at negative SNRs. So I started thinking about where the theoretical limits are:

  1. Let's assume we have a really good rate 0.5 FEC code that approaches the Shannon Limit of perfectly correcting random bit errors up to a channel BER of 12%
  2. A real-world code this good requires a FEC frame size of 1000s of bits, which will mean long latency (seconds). Let's assume that's OK.
  3. A large frame size with perfect error correction means we can use a really low bit rate speech codec that can analyse seconds of speech at a time and remove all sorts of redundant information (like silence). This will allow us to code more efficiently and lower the bit rate. Also, we only want speech quality just on the limits of intelligibility. So let's assume a 300 bit/s speech codec.
  4. Using rate 0.5 FEC that's a bit rate over the channel of 600 bit/s.
  5. Let's assume QPSK on an AWGN channel. It's possible to make a fading channel behave like an AWGN channel if we use diversity, e.g. a long code with interleaving (time diversity), or spread spectrum (frequency diversity).
  6. QPSK at around 12% BER requires an Eb/No of -1dB, or an Es/No of Eb/No + 3 = 2dB. If the bit rate is 600 bit/s the QPSK symbol rate is 300 symbols/s.

So we have SNR = Es/No – 10*log10(NoiseBW/SymbolRate) = 2 – 10*log10(3000/300) = -8dB. Untrained operators find SSB very hard to use beneath 6dB, however I imagine many Ham contacts (especially brief exchanges of callsigns and signal reports) are made well beneath that. DV at -8dB would be completely noise free, but of low quality (e.g. a little robotic) and high latency.

For VHF applications C/No is a more suitable measurement: C/No = SNR + 10*log10(3000) = -8 + 34.8 = 26.7dBHz (FM is a very scratchy readability 5 at around 43dBHz). That's roughly a 16dB (40 x) power improvement over FM!
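The chain of calculations above as an added Python example (not code from this post or from the author's codecs): it carries the post's own numbers through (Eb/No = -1 dB, 300 bit/s speech, rate 0.5 FEC, QPSK, 3 kHz noise bandwidth) to Es/No, SNR and C/No, and also computes the uncoded QPSK bit error rate at that Eb/No, which comes out near 10%, close to the 12% the post assumes. The 43 dBHz FM reference is the post's figure.

```python
import math


def qfunc(x):
    """Gaussian tail probability Q(x) = P(N(0,1) > x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def qpsk_ber(eb_no_db):
    """Uncoded QPSK bit error rate on an AWGN channel: Q(sqrt(2 * Eb/No))."""
    eb_no = 10 ** (eb_no_db / 10.0)
    return qfunc(math.sqrt(2.0 * eb_no))


def link_budget(eb_no_db=-1.0, speech_rate=300.0, code_rate=0.5,
                bits_per_symbol=2, noise_bw=3000.0):
    """Steps 3 to 6 of the post and the two closing formulas, in order:
    channel bit rate, symbol rate, Es/No, SNR in noise_bw, then C/No.
    Defaults are the post's numbers (QPSK carries 2 bits/symbol)."""
    channel_rate = speech_rate / code_rate
    symbol_rate = channel_rate / bits_per_symbol
    es_no_db = eb_no_db + 10 * math.log10(bits_per_symbol)
    snr_db = es_no_db - 10 * math.log10(noise_bw / symbol_rate)
    cno_dbhz = snr_db + 10 * math.log10(noise_bw)   # C/No adds the bandwidth term back
    return {
        "channel_rate": channel_rate,
        "symbol_rate": symbol_rate,
        "es_no_db": es_no_db,
        "snr_db": snr_db,
        "cno_dbhz": cno_dbhz,
    }


def power_advantage_db(cno_dbhz, reference_cno_dbhz=43.0):
    """dB by which this mode undercuts a reference C/No (43 dBHz is the post's
    figure for barely readable FM)."""
    return reference_cno_dbhz - cno_dbhz


if __name__ == "__main__":
    b = link_budget()
    for k, v in b.items():
        print(f"{k:13s} {v:8.2f}")
    print(f"QPSK BER at Eb/No=-1dB: {qpsk_ber(-1.0):.3f}")
    print(f"advantage over FM: {power_advantage_db(b['cno_dbhz']):.1f} dB")
```

Changing one input at a time shows where the margin comes from: halving the speech rate to 150 bit/s buys another 3 dB, while moving to a rate 0.33 code costs 1.8 dB of SNR for whatever extra BER tolerance the stronger code gives.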

CryptogramEighth Movie-Plot Threat Contest Semifinalists

On April 1, I announced the Eighth Movie Plot Threat Contest: demonstrate the evils of encryption.

Not a whole lot of good submissions this year. Possibly this contest has run its course, and there's not a whole lot of interest left. On the other hand, it's heartening to know that there aren't a lot of encryption movie-plot threats out there.

Anyway, here are the semifinalists.

  1. Child pornographers.

  2. Bombing the NSA.

  3. Torture.

  4. Terrorists and a vaccine.

  5. Election systems.

Cast your vote by number here; voting closes at the end of the month.


Previous contests.


Krebs on SecurityMobile Spyware Maker mSpy Hacked, Customer Data Leaked

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”

mSpy has not responded to multiple requests for comment left for the company over the past five days. KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor, a technology that helps users hide their true Internet address and allows users to host Web sites that are extremely difficult to get taken down.

The Tor-based Web site hosting content stolen from mobile devices running mSpy.

The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.

The exact number of mSpy users compromised could not be confirmed, but one thing is clear: There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 and $799 for a variety of subscriptions to mSpy’s surveillance software.

mSpy users can track the exact location of Android and iPhone users, snoop on apps like Snapchat and Skype, and keep a record of every word the user types.

It’s unclear exactly where mSpy is based; the company’s Web site suggests it has offices in the United States, Germany and the United Kingdom, although the firm does not appear to list an official physical address. However, according to historic Web site registration records, the company is tied to a now-defunct firm called MTechnology LTD out of the United Kingdom.

Documents obtained from Companies House, an official register of corporations in the U.K., indicate that the two founding members of the company are self-described programmers Aleksey Fedorchuk and Pavel Daletski. Those records (PDF) indicate that Daletski is a British citizen, and that Mr. Fedorchuk is from Russia. Neither of the men could be reached for comment.

Court documents (PDF) obtained from the U.S. District Court in Jacksonville, Fla. regarding a trademark dispute involving mSpy and Daletski state that mSpy has a U.S.-based address of 800 West El Camino Real, in Mountain View, Calif. Those same court documents indicate that Daletski is a director at a firm based in the Seychelles called Bitex Group LTD. Interestingly, that lawsuit was brought by Retina-X Studios, an mSpy competitor based in Jacksonville, Fla. that makes a product called MobileSpy.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested Hammad Akbar, the 31-year-old CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”

Unlike Akbar’s StealthGenie and some other mobile spyware products, mSpy advertises that its product works even on non-jailbroken iPhones, giving users the ability to log the device holder’s contacts, call logs, text messages, browser history, events and notes.

“If you have opted to purchase mSpy Without Jailbreak, and you have the mobile user’s iCloud credentials, you will not need physical access to the device,” the company’s FAQ states. “However, there may be some instances where physical access may be necessary. If you purchase mSpy for a jailbroken iOS phone or tablet, you will need 5-15 minutes of physical access to the device for successful installation.”

A public relations pitch from mSpy to KrebsOnSecurity in March 2015 stated that approximately 40 percent of the company’s users are parents interested in keeping tabs on their kids. Assuming that is a true statement, it’s ironic that so many parents have now unwittingly exposed their kids to predators, bullies and other ne’er-do-wells thanks to this breach.

Dave HallLeaking Information in Drupal URLs

Update: It turns out the DA was trolling. We all now know that DrupalCon North America 2017 will be in New Orleans. I've kept this post up as I believe the information about handling unpublished nodes is relevant. I have also learned that m4032404 is enabled by default in govCMS.

When a user doesn't have access to content in Drupal a 403 Forbidden response is returned. This is the case out of the box for unpublished content. The problem with this is that sensitive information may be contained in the URL itself: a 403 confirms that a path alias exists even though the content behind it is hidden. A great example of this is the DrupalCon site.

The way to avoid this is to use the m4032404 module which changes a 403 response to a 404. This simple module prevents your site leaking information via URLs.
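To make the leak concrete, here is an added Python model (not code from this post, from Drupal or from the m4032404 module) of the two behaviours: an anonymous request for an unpublished node's path alias gets 403 by default, which differs from the 404 a non-existent path gets, so guessing aliases reveals which ones exist; with the rewrite both cases return 404 and the probe learns nothing. The node table and the aliases in it are constructed for the example.

```python
# Constructed content table: path alias -> (published, title). The aliases are
# made up; the point is that the unpublished alias is itself the sensitive datum.
NODES = {
    "/conference-2017-venue": (False, "Unannounced venue"),
    "/conference-2015-venue": (True, "Announced venue"),
}


def respond(path, can_view_unpublished=False, rewrite_403=False):
    """HTTP status for a request. rewrite_403=True models what m4032404 does:
    the 403 an anonymous user would get for an unpublished node becomes 404."""
    node = NODES.get(path)
    if node is None:
        return 404
    published, _title = node
    if published or can_view_unpublished:
        return 200
    return 404 if rewrite_403 else 403


def probe(guesses, rewrite_403=False):
    """What an anonymous attacker learns from a list of guessed aliases: every
    path whose status differs from that of a path that certainly does not exist."""
    baseline = respond("/no-such-alias", rewrite_403=rewrite_403)
    return sorted(p for p in guesses
                  if respond(p, rewrite_403=rewrite_403) != baseline)


# A constructed guess list: one unpublished alias, one published, one absent.
GUESSES = ["/conference-2017-venue", "/conference-2015-venue", "/conference-2019-venue"]


if __name__ == "__main__":
    print("default:", probe(GUESSES))                 # unpublished alias is revealed
    print("403->404:", probe(GUESSES, rewrite_403=True))  # only the public page shows
```

An editor with the view-unpublished permission still gets 200 for the hidden node either way, so the rewrite takes nothing from people entitled to the content; it only removes the existence signal from anonymous responses. Note that it does nothing about other channels that might expose the same alias (sitemaps, search indexes, referrers), which this example does not model.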


CryptogramIn Which I Collide with Admiral Rogers

Universe does not explode.

Photo here.

EDITED TO ADD (5/15): Commentary. There are some funny buddy-movie suggestions.

Rondam RamblingsWhy Lisp?

A number of people have contacted me about a comment I wrote yesterday on Hacker News asking me to elaborate, e.g.: my impression is that lisp is *only* a different notation. Is that correct, or am I missing something? I don't see why it is so important that lisp code matches the data structure (and my assumption is that the match is the answer to 'why lisp') - am I overlooking the importance of

CryptogramAdmiral Rogers Speaking at the Joint Service Academy Cyber Security Summit

Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about.

First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes to everyone. Ability to generate and share insight and knowledge, and to do that in a timely manner.

Second, innovation. It's about much more than just technology. It's about ways to organize, values, training, and so on. We need to think about innovation very broadly.

Third, technology. This is a technologically based problem, and we need to apply technology to defense as well.

Fourth, human capital. If we don't get people working right, all of this is doomed to fail. We need to build security workforces inside and outside of military. We need to keep them current in a world of changing technology.

So, what is the Department of Defense doing? They're investing in cyber, both because it's a critical part of future fighting of wars and because of the mission to defend the nation.

Rogers then explained the five strategic goals listed in the recent DoD cyber strategy:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;

  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;

  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;

  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;

  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Expect to see more detailed policy around these goals in the coming months.

What is the role of the US CyberCommand and the NSA in all of this? The CyberCommand has three missions related to the five strategic goals. They defend DoD networks. They create the cyber workforce. And, if directed, they defend national critical infrastructure.

At one point, Rogers said that he constantly reminds his people: "If it was designed by man, it can be defeated by man." I hope he also tells this to the FBI when they talk about needing third-party access to encrypted communications.

All of this has to be underpinned by a cultural ethos that recognizes the importance of professionalism and compliance. Every person with a keyboard is both a potential asset and a threat. There need to be well-defined processes and procedures within DoD, and a culture of following them.

What's the threat dynamic, and what's the nature of the world? The threat is going to increase; it's going to get worse, not better; cyber is a great equalizer. Cyber doesn't recognize physical geography. Four "prisms" to look at threat: criminals, nation states, hacktivists, groups wanting to do harm to the nation. This fourth group is increasing. Groups like ISIL are going to use the Internet to cause harm. Also embarrassment: releasing documents, shutting down services, and so on.

We spend a lot of time thinking about how to stop attackers from getting in; we need to think more about how to get them out once they've gotten in -- and how to continue to operate even though they are in. (That was especially nice to hear, because that's what I'm doing at my company.) Sony was a "wake-up call": a nation-state using cyber for coercion. It was theft of intellectual property, denial of service, and destruction. And it was important for the US to acknowledge the attack, attribute it, and retaliate.

Last point: "Total force approach to the problem." It's not just about people in uniform. It's about active duty military, reserve military, corporations, government contractors -- everyone. We need to work on this together. "I am not interested in endless discussion.... I am interested in outcomes." "Cyber is the ultimate team sport." There's no single entity, or single technology, or single anything, that will solve all of this. He wants to partner with the corporate world, and to do it in a way that benefits both.

First question was about the domains and missions of the respective services. Rogers talked about the inherent expertise that each service brings to the problem, and how to use cyber to extend that expertise -- and the mission. The goal is to create a single integrated cyber force, but not a single service. Cyber occurs in a broader context, and that context is applicable to all the military services. We need to build on their individual expertises and contexts, and to apply it in an integrated way. Similar to how we do special forces.

Second question was about values, intention, and what's at risk. Rogers replied that any structure for the NSA has to integrate with the nation's values. He talked about the value of privacy. He also talked about "the security of the nation." Both are imperatives, and we need to achieve both at the same time. The problem is that the nation is polarized; the threat is getting worse at the same time trust is decreasing. We need to figure out how to improve trust.

Third question was about DoD protecting commercial cyberspace. Rogers replied that the DHS is the lead organization in this regard, and DoD provides capability through that civilian authority. Any DoD partnership with the private sector will go through DHS.

Fourth question: How will DoD reach out to corporations, both established and start-ups? Many ways. By providing people to the private sectors. Funding companies, through mechanisms like the CIA's In-Q-Tel. And some sort of innovation capability. Those are the three main vectors, but more important is that the DoD mindset has to change. DoD has traditionally been very insular; in this case, more partnerships are required.

Final question was about the NSA sharing security information in some sort of semi-classified way. Rogers said that there are a lot of internal conversations about doing this. It's important.

In all, nothing really new or controversial.

These comments were recorded -- I can't find them online now -- and are on the record. Much of the rest of the summit was held under Chatham House Rules. I participated in a panel on "Crypto Wars 2015" with Matt Blaze and a couple of government employees.

EDITED TO ADD (5/15): News article.

RacialiciousThe Hollow Promise of “Inclusivity”: Saida Grundy and Boston University

By Tope Fadiran

It’s hard out there for white men on college campuses. At least, that’s what American media would have us believe, given its coverage of the current controversy swirling around Dr. Saida Grundy, a Black scholar recently hired (effective July 1, 2015) by Boston University as an assistant professor of Sociology and African American Studies.

In reality, the way in which Dr. Grundy has been unceremoniously shoved into the spotlight proves the exact opposite: Black women on our campuses, even those who have reached the highest levels of educational achievement, are political and cultural targets simply for existing. There is no other explanation for the fact that this all began with a white man whose response to Grundy’s hiring was to go in search of something he could use to undermine her intellectual and professional standing.

Nick Pappas is a conservative student activist at University of Massachusetts Amherst (for those who aren’t familiar with my home state’s geography, that’s basically on the other side of the state from Boston). Pappas apparently saw BU’s hiring of Grundy as enough cause for concern that he decided to dig through her Twitter account. He then published some of her tweets online—taken out of their original context—to “expose the bias and factual problems with modern humanities classes, which are many, and common at colleges across the country.”

A sampling of what Pappas saw as evidence of Grundy’s “bias”:

Why is white America so reluctant to identify white college males as a problem population?

Deal with your white shit, white people. slavery is a *YALL* thing.

Every MLK week I commit myself to not spending a dime in white-owned businesses. And every year I find it nearly impossible.

White masculinity isn’t a problem for america’s colleges, white masculinity is THE problem for america’s colleges.

The rest is predictable: conservative media picked up Pappas’ post and ran with it, lambasting her as “anti-white,” “anti-male,” a “major-league-twit…[and] a certified, dyed-in-the-wool, four-square, in-your-face racist.” BU’s initial response to all this was tepid support—”free speech,” etc. etc. In the last few days though, the school has seemed increasingly spooked by the furor. BU issued two statements in rapid succession—one of them from university president Robert A. Brown—essentially validating right wing smears of Grundy as “racist.”

Long story short, BU threw Dr. Grundy under the bus in a scramble to prove that it is an “inclusive” institution that “does not condone racism or bigotry in any form.” The irony.

As for Grundy, these smears and the ensuing online attacks on her have forced her to make her Twitter account private. She has also released a statement expressing regret for “depriv[ing]” the issues she raised in her tweets “of the nuance and complexity that such subjects always deserve,” and assuring the BU community that she is ”professionally and ethically…unequivocally committed to ensuring that my classroom is a space where all students are welcomed.”

Dr. Saida Grundy. via Boston University

On the plus side: Grundy has gotten a wave of support online. #ISupportSaida and #IStandWithSaida have taken off on Twitter, and there’s a petition urging BU to stand behind her. There have also been several articles published in her defense.

It also looks like this controversy won’t cost Grundy the job she hasn’t even started yet, which, frankly, is a relief. It wouldn’t be the first time a scholar of color was denied a professional opportunity because of their inconvenient politics. Still, you can bet that Grundy will be under intense scrutiny and suspicion at BU, even beyond the already high levels that Black women academics routinely face.

Grundy earned her doctorate only last year; her job at BU would be her first appointment as a professor. Now, some might question the wisdom of posting the comments she did, in public, as a Black woman just starting her academic career. But so long as we recognize that white supremacy, patriarchy, and systemic racism are real forces in the world, the worst we can say of Grundy’s comments is that they were impolitic and arguably ill-advised.

It’s certainly the case that she didn’t use the often abstracted, punch-pulling language of academia. But it’s also the case that there’s a wide and deep body of scholarship that says exactly what Grundy said—white masculinity is a major source of societal dysfunction and violence—only more formally.

It’s also a mystery what is so “offensive” about a Black woman choosing to exclusively support businesses owned by people of color, much less to do so for only one week out of the year. If only people were as scandalized by the fact that systemic racism makes building wealth and owning businesses a herculean task for many POC.

That’s not the world we live in. In this world, intentionally supporting POC businesses is “racist”; a system that entrenches whole communities of color in poverty is not. To add insult to injury, BU’s leaders have now signaled to students, staff, faculty, and the entire country that this perverse redefinition of “racism” is correct.

It’s worth looking a bit more closely at how right wing media especially have characterized Grundy’s comments to better understand what, exactly, BU’s leadership validated through its response.

Fox News’s Andrea Tantaros, for example, claimed Grundy’s tweets show that the “last acceptable [targets] of discrimination in this country” are “Christians…and white men.” Grundy can “get away” with such “discrimination,” she added, because there are no “organizations in defense of white men…Where are the marches? Where are the editorials penned?”

Hmm, organizations writing and marching in defense of white men. Gosh, what does that sound like? I’m drawing a blank…

Andrea Tantaros on Outnumbered, via Fox News

Lest we be confused about the intersection of anti-Blackness and misogyny here, Tantaros also connected Grundy’s tweets to Rolling Stone’s disastrous misreporting on rape at UVA. She suggested “rape culture” is nothing more than a conspiracy to attack white men on college campuses, manufactured by an unspecified “they” who are also “feminizing [white men] even more to get rid of that masculinity.” In the same segment, Jedidiah Bila added that white men on American campuses “feel really unprotected,” and Sandra Smith questioned whether Grundy can “subjectively [sic] grade white males in her class room” when “she’s got that kind of bias.”

Elsewhere Fox quoted notoriously anti-Black, anti-affirmative action, professional campus agitator David Horowitz: “I’m not surprised that Boston University is hiring a racist to teach African American Studies.” Why? Black Studies is apparently “rampant with anti-white racism” and “indoctrination programs in left-wing politics.” The kicker: “If she were a white racist rather than an anti-white racist, she would never be hired.”

So universities never hire racist white professors? I think more than a few schools might have missed that memo.

This is who Boston University’s leaders felt so compelled to appease:  racism and rape culture denialists who see any kind of “ethnic studies” as inherently invalid, who literally want to rewrite the history of this country to cover up our long, sordid history of white supremacist violence and oppression. In other words, misogynist white supremacists. Misogynoirists.

So there’s a bitter irony in BU’s scramble to say how “saddened” it is by Dr. Grundy’s “offensive” comments, and declare its “commit[ment] to maintaining an educational environment that is free from bias, fully inclusive, and open to wide-ranging discussions.” Because, y’know, distancing your institution from a Black woman scholar on account of the rantings of people who insist talking about racism is racist and talking about rape culture is anti-male, is kind of the opposite of maintaining an “inclusive” educational environment.

Boston University, via Facebook

In response to the railroading of Saida Grundy, current and former members of the BU community have been speaking out about exactly what kind of “educational environment” the university fosters for students of color.

Criticizing her alma mater for throwing Grundy under the bus, Michelle Huxtable notes the Boston Globe’s recent reporting on the overwhelming whiteness of higher education institutions in Boston. BU stands out even among its local peers on lack of representation:

  • Only 4% of the current student body is Black. In the Globe piece, BU’s provost justifies low Black enrollment with the argument that “the pool of academically qualified black students is slim.”
  • 2.8% of full-time faculty are Black, a number that has risen by a mere 1% in thirty years.
  • 7.4% of full-time faculty are from “underrepresented” racial or ethnic groups. The Globe adds: “Among local large private colleges, only Boston College had a smaller percentage of minority faculty.”

BU also recently announced that it would be closing its African Presidential Center for “fail[ing] to sustain itself financially,” a decision that “prompt[ed] the center’s director…to charge that the school lacks commitment to issues concerning black people.”

Alumna Huxtable charges the same, specifically calling the school out for profiting off its association with Dr. King (MLK earned his Ph.D. there) but failing to walk its talk on diversity:

Myself along with other Boston University alumni and current students have tried other methods. We’ve gone to the Dean of Students, Kenneth Elmore. In his own words, “I have tried – for a long time – to stay out of the conversations on races.”…We’ve tried running for office in the Student Government. We had a Black Student Body President. Not president of the Black Student Union. The Boston University Student Government. Nothing helped. So here we are. Cyberbullying Boston University into acting like they have some sense…

Boston University representative Colin Riley said, “The University does not condone racism or bigotry in any form and we are deeply saddened when anyone makes such offensive statements”…Didn’t Boston University’s Provost just make some racist, bigoted, offensive statements? Oh. She’s not a Black woman. Cool. As you were.

As does former BU employee Christian Cho:

When I used to work at BU, I was pulled into a superior’s office. At the time, I was writing rather directly about the ongoing civil unrest in Ferguson and New York, trying to articulate opinions not highly present online. I was warned not to write these opinions. When I asked if this was coming from a specific person or not, he told me that I was to be the Assistant Director for all students. In other words, I should be quiet and whitewash my opinions to make white people more comfortable.

Huxtable and Cho are not alone. Among the many people contributing to the #ISupportSaida hashtag are students of color currently enrolled at BU. Read their tweets about how isolated, demeaned, and poorly supported they feel on their own campus, then decide for yourself how strong BU’s commitment is to maintaining an inclusive and bias-free educational environment.

The post The Hollow Promise of “Inclusivity”: Saida Grundy and Boston University appeared first on Racialicious - the intersection of race and pop culture.

CryptogramLicense Plate Scanners Hidden in Fake Cactus

The city of Paradise Valley, AZ, is hiding license plate scanners in fake cactus plants.

Worse Than FailureCodeSOD: Happy Little (Read-Only) Trees

Blossoming tree - painting by László Mednyánszky

"Joey," asked Ross of the new contractor, in a slow, careful voice, as though trying to calm a large predator. "Explain to me why the data tree has this read-only flag?"

"It's more secure that way. Obviously, if it's read-only, arbitrary people can't write to it."

Deep inside our Jar? Are we afraid of our own code? Ross wondered, but he dismissed his doubts. Sure, let him have that one. "Okay, but why is there a flag at every single node of the tree?"

"Well, obviously, if only the root's protected, people can still edit the leaves and branches. We want to protect the whole tree."

"Okay, but that means to edit the setting you have to visit every single node, which is O(n) at best."

"Price of security, man."

"Okay, but even so, why do you flip the flag before every insert, only to set it again after? Doesn't that make building the tree painful?"

"You can never be too careful."

"Okay, even if I buy all that, and even assuming that this is the best possible way to solve this problem- which it's not- Why do you visit every node twice?"

class treeNode {
	boolean readOnly;
	treeNode child, sib;

	// Recurses over both the child and the sibling pointer, so a call on
	// any node already reaches every node after it in the tree.
	void setReadOnly(boolean ro) {
		readOnly = ro;
		if (child != null) child.setReadOnly( ro );
		if (sib != null) sib.setReadOnly( ro );
	}

	// Recurses again over the same pointers while calling the already
	// recursive setReadOnly at every step, so a node is visited once for
	// every node that can reach it, not just twice.
	void updateReadOnly(boolean ro) {
		setReadOnly( ro );
		if (child != null) child.updateReadOnly( ro );
		if (sib != null) sib.updateReadOnly( ro );
	}

	// call on root node
	void insert(treeNode parent, treeNode fng) {
		if (parent.child == null) parent.child = fng;
		else {
			treeNode k;
			for (k = parent.child; k.sib != null; k = k.sib);
			k.sib = fng;
		}
	}
}

Faced with this evidence, even Joey was silenced, though not for long. "It's.... doubly secure?"

"It's taking upwards of twenty minutes to build the tree!"

Joey's face lit up. "Ah! Right! I was just reading last week, it turns out, slower code is more secure, cryptographically speaking."

Faced with stupidity this blinding, all Ross could do was walk away. Hopefully Monica, the real security expert, would fare better setting him straight...

"Hi Ross!" she said, glancing up briefly before turning back to her computer. "Can't talk now. The new guy forgot to secure the data endpoint for our web service. The whole tree's publicly accessible!"

Ross smiled to himself as he headed back to his own desk. At this rate, Joey wasn't likely to last long anyway.
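As an added example, not code from the CodeSOD or its submitter, the treeNode logic above is ported to Python with a visit counter so the cost of one updateReadOnly call can be measured, next to the version Ross was presumably hoping for: one flag for the whole tree, checked at the point of mutation. Ross's "every node twice" is an undercount; on a flat tree where the children sit in one sibling chain the nested recursion is quadratic. The tree shapes are constructed for the demo, and the example does not model the unsecured endpoint Monica is dealing with, which is where the access control belonged in the first place.

```python
# Added example, not the CodeSOD's code: measure what the submitted
# updateReadOnly costs, and show a single-flag alternative.  Trees built
# here are constructed for the demo.

class Node:
    """Child/sibling representation as in the original: one child pointer,
    one sibling pointer, and (for the port) a read-only flag on every node."""
    def __init__(self, name):
        self.name = name
        self.child = None
        self.sib = None
        self.read_only = False


def set_read_only(node, ro, visits):
    """Port of setReadOnly: already reaches every node after `node`."""
    visits[0] += 1
    node.read_only = ro
    if node.child is not None:
        set_read_only(node.child, ro, visits)
    if node.sib is not None:
        set_read_only(node.sib, ro, visits)


def update_read_only(node, ro, visits):
    """Port of updateReadOnly: recurses again on top of set_read_only."""
    set_read_only(node, ro, visits)
    if node.child is not None:
        update_read_only(node.child, ro, visits)
    if node.sib is not None:
        update_read_only(node.sib, ro, visits)


def count_nodes(node):
    if node is None:
        return 0
    return 1 + count_nodes(node.child) + count_nodes(node.sib)


def visits_for_update(root):
    """Node visits made by a single updateReadOnly call on root."""
    visits = [0]
    update_read_only(root, True, visits)
    return visits[0]


def make_chain(n):
    """Root with n children kept as a sibling chain: a flat, wide tree.
    One update on it costs (n+1)(n+2)/2 visits for n+1 nodes."""
    root = Node("root")
    prev = None
    for i in range(n):
        node = Node(f"c{i}")
        if prev is None:
            root.child = node
        else:
            prev.sib = node
        prev = node
    return root


class ReadOnlyTree:
    """One flag for the whole tree, enforced where mutation happens.
    Toggling is O(1) and no node carries its own flag."""
    def __init__(self):
        self.root = Node("root")
        self.read_only = False

    def insert(self, parent, new_node):
        if self.read_only:
            raise PermissionError("tree is read-only")
        if parent.child is None:
            parent.child = new_node
        else:
            k = parent.child
            while k.sib is not None:
                k = k.sib
            k.sib = new_node
        return new_node


if __name__ == "__main__":
    root = make_chain(4)
    print(count_nodes(root), "nodes,", visits_for_update(root), "visits")  # 5 nodes, 15 visits
    t = ReadOnlyTree()
    a = t.insert(t.root, Node("a"))
    t.read_only = True
    try:
        t.insert(a, Node("b"))
    except PermissionError as e:
        print("insert refused:", e)
```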
