Planet Russell

Planet Debian - Daniel Lange: Weird times ... or how the New York DEC decided the US presidential elections

November 2024 will be known as the time when killing peanut, a pet squirrel, by the New York DEC swung the US presidential elections and shaped history forever.

The hundreds of millions of dollars spent on each side, the tireless campaigning by the candidates, the celebrity endorsements ... all made for an open race for months. Investments evened each other out.

But an OnlyFans producer showing people an overreaching, bureaucracy driven State raiding his home to confiscate a pet squirrel and kill it ... swung enough voters to decide the elections.

That is what we need to understand in times of instant worldwide publication and a mostly attention driven economy: Human fates, elections, economic cycles and wars can be decided by people killing squirrels.

RIP, peanut.

P.S.: Trump Media & Technology Group Corp. (DJT) stock is up 30% pre-market.

Planet Debian - Jaldhar Vyas: Making America Great Again

Justice For Peanut

Some interesting takeaways (With the caveat that exit polls are not completely accurate and we won't have the full picture for days.)

  • President Trump seems to have won the popular vote which no Republican has done I believe since Reagan.

  • Apparently women didn't particularly care about abortion (CNN said only 14% considered it their primary issue). There is a noticeable divide, but it is single versus married, not women versus men per se.

  • Hispanics who are here legally voted against Hispanics coming here illegally. Latinxs didn't vote for anything because they don't exist.

  • The infamous MSG rally joke had no effect on the voting habits of Puerto Ricans.

  • Republicans have taken the Senate and if trends continue as they are will retain control of the House of Representatives.

  • President Biden may have actually been a better candidate than Border Czar Harris.

365 Tomorrows - The Fall of Man

Author: Alastair Millar

Prosperina Station’s marketing slogan, “No sun means more fun!”, didn’t do it justice: circling the wandering gas giant PSO J318.5-22, better known as Dis, it was the ultimate in literally non-stop nightlife, seasoned with a flexible approach to Terran laws. Newly graduated robot designer Max Wayne knew she was a decade or […]

The post The Fall of Man appeared first on 365tomorrows.

Worse Than Failure - CodeSOD: Uniquely Validated

There's the potential for endless installments of "programmers not understanding how UUIDs work." Frankly, I think the fact that we represent them as human-readable strings is part of the problem; sure, it's readable, but it conceals the fact that it's just a large integer.

Which brings us to this snippet, from Capybara James.

    if (!StringUtils.hasLength(uuid) || uuid.length() != 36) {
        throw new RequestParameterNotFoundException(ErrorCodeCostants.UUID_MANDATORY_OR_FORMAT);
    }

StringUtils.hasLength comes from the Spring library, and it's a simple "is not null or empty" check. So- we're testing to see if a string is null or empty, or isn't exactly 36 characters long. That tells us the input is bad, so we throw a RequestParameterNotFoundException, along with an error code.

So, as already pointed out, a UUID is just a large integer that we render as a 36 character string, and there are better ways to validate a UUID. But this also will accept any 36 character string- as long as you've got 36 characters, we'll call it a UUID. "This is valid, really valid, dumbass" is now a valid UUID.

With that in mind, I also like the bonus of it not distinguishing between whether or not the input was missing or invalid, because that'll make it real easy for users to understand why their input is getting rejected.
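A hardened version of that check, as an added example in Python rather than the post's Java (it is not code from the post or its submitter): the canonical 8-4-4-4-12 form is enforced with a regular expression before the value is handed to the UUID constructor, and a missing parameter raises a different exception from a malformed one (both exception classes are hypothetical names). The regex is there because the constructors are lenient in the other direction: Python's uuid.UUID() accepts 32 bare hex digits, braces or a urn:uuid: prefix, and Java's UUID.fromString() likewise accepts non-canonical short forms such as 1-1-1-1-1, so "parse it and see" is not the same as "exactly 36 canonical characters".

```python
import re
import uuid

# Canonical RFC 4122 text form: 8-4-4-4-12 hex digits, 36 characters in total.
CANONICAL_UUID = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


class MissingParameter(ValueError):
    """The parameter was absent or empty (hypothetical exception type)."""


class MalformedParameter(ValueError):
    """The parameter was present but is not a canonical UUID (hypothetical type)."""


def length_only_check(value):
    """The check from the post, transliterated: any 36-character string passes."""
    return bool(value) and len(value) == 36


def parse_uuid_param(value):
    """Hardened check: distinguish missing from malformed, demand canonical form.

    The regex runs first; uuid.UUID() only converts already-validated text into
    the 128-bit value, so its own leniency (bare hex, braces, urn: prefix)
    never widens what the endpoint accepts.
    """
    if value is None or value == "":
        raise MissingParameter("uuid parameter is required")
    if not CANONICAL_UUID.match(value):
        raise MalformedParameter(f"uuid parameter is not a canonical UUID: {value!r}")
    return uuid.UUID(value)


def classify(value):
    """Return 'missing', 'malformed' or 'ok' for a candidate parameter value."""
    try:
        parse_uuid_param(value)
    except MissingParameter:
        return "missing"
    except MalformedParameter:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    samples = [
        None,
        "",
        "This is valid, really valid, dumbass",    # 36 characters, from the post
        "123e4567-e89b-12d3-a456-426614174000",    # canonical
        "123e4567e89b12d3a456426614174000",        # bare hex: uuid.UUID() alone would take it
    ]
    for s in samples:
        print(f"{s!r:45} length_only={length_only_check(s)!s:5} hardened={classify(s)}")
```

The returned uuid.UUID object is what the rest of the request handler should carry around, not the string: it normalises case, and the error code the caller sees now says whether the parameter was absent or merely wrong.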

Cryptogram - IoT Devices in Password-Spraying Botnet

Microsoft is warning Azure cloud users that a Chinese-controlled botnet is engaging in “highly evasive” password spraying. Not sure about the “highly evasive” part; the techniques seem basically what you get in a distributed password-guessing attack:

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
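One way to see why the last point holds, as an added example that is not from Microsoft's or Schneier's material: the Python below runs two conventional detectors and a tenant-wide one over a constructed sign-in log (the addresses, accounts and timestamps are made up for the example). The spray is forty accounts, each failing once from a different address inside one hour, with a user who mistypes her password twice mixed in as noise. The per-source and per-account thresholds never fire; the tenant-wide rule looks at the shape of failures in an hourly bucket instead: many distinct accounts, almost all failing exactly once, and no single source responsible for more than a few of them.

```python
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log(include_spray=True):
    """Constructed sign-in log for the example, not real telemetry.
    Line format: "timestamp,account,src_ip,result"."""
    lines = []
    if include_spray:
        # Forty accounts, each failing exactly once, each from a different
        # SOHO-looking address, spread across one hour: the low-volume spray.
        for i in range(40):
            lines.append(
                f"2024-11-01T10:{i:02d}:00Z,user{i:02d}@example.com,198.51.100.{i + 1},FAIL"
            )
    # Benign noise: one user mistypes her password twice, then gets in.
    lines += [
        "2024-11-01T10:05:00Z,alice@example.com,203.0.113.10,FAIL",
        "2024-11-01T10:06:00Z,alice@example.com,203.0.113.10,FAIL",
        "2024-11-01T10:07:00Z,alice@example.com,203.0.113.10,SUCCESS",
    ]
    return "\n".join(lines)


def parse(log_text):
    """Return (timestamp, account, src_ip, result) tuples from the sample format."""
    events = []
    for line in log_text.splitlines():
        ts, account, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    return events


def per_source_alerts(events, threshold=5):
    """Conventional rule: N failed sign-ins from one source address."""
    fails = Counter(ip for _, _, ip, r in events if r == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def per_account_alerts(events, threshold=5):
    """Conventional rule: N failed sign-ins against one account."""
    fails = Counter(acct for _, acct, _, r in events if r == "FAIL")
    return sorted(acct for acct, n in fails.items() if n >= threshold)


def spray_alerts(events, min_accounts=20, max_per_source=3, single_failure_ratio=0.8):
    """Tenant-wide rule: within an hourly bucket, many distinct accounts fail,
    almost all of them exactly once, and no source address is responsible for
    more than a few failures. That is the spray's shape, and by construction
    it is invisible to the two per-entity counters above."""
    buckets = defaultdict(list)
    for ts, acct, ip, r in events:
        if r == "FAIL":
            buckets[ts.replace(minute=0, second=0, microsecond=0)].append((acct, ip))
    alerts = []
    for start, fails in sorted(buckets.items()):
        accounts = Counter(acct for acct, _ in fails)
        sources = Counter(ip for _, ip in fails)
        single = sum(1 for n in accounts.values() if n == 1)
        if (len(accounts) >= min_accounts
                and max(sources.values()) <= max_per_source
                and single / len(accounts) >= single_failure_ratio):
            alerts.append({
                "window_start": start.isoformat(),
                "failed_accounts": len(accounts),
                "distinct_sources": len(sources),
                "max_failures_per_source": max(sources.values()),
            })
    return alerts


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("per-source alerts:", per_source_alerts(events))
    print("per-account alerts:", per_account_alerts(events))
    for alert in spray_alerts(events):
        print("spray alert:", alert)
```

In production the bucket would be keyed per tenant, the thresholds tuned against the tenant's baseline failure rate, and a sliding window used instead of a fixed hour; the feature worth keeping is the ratio of single-failure accounts to all failing accounts, which is precisely what counters keyed on one address or one account cannot see.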

Cryptogram - AIs Discovering Vulnerabilities

I’ve been writing about the possibility of AIs automatically discovering code vulnerabilities since at least 2018. This is an ongoing area of research: AIs doing source code scanning, AIs finding zero-days in the wild, and everything in between. The AIs aren’t very good at it yet, but they’re getting better.

Here’s some anecdotal data from this summer:

Since July 2024, ZeroPath is taking a novel approach combining deep program analysis with adversarial AI agents for validation. Our methodology has uncovered numerous critical vulnerabilities in production systems, including several that traditional Static Application Security Testing (SAST) tools were ill-equipped to find. This post provides a technical deep-dive into our research methodology and a living summary of the bugs found in popular open-source tools.

Expect lots of developments in this area over the next few years.

This is what I said in a recent interview:

Let’s stick with software. Imagine that we have an AI that finds software vulnerabilities. Yes, the attackers can use those AIs to break into systems. But the defenders can use the same AIs to find software vulnerabilities and then patch them. This capability, once it exists, will probably be built into the standard suite of software development tools. We can imagine a future where all the easily findable vulnerabilities (not all the vulnerabilities; there are lots of theoretical results about that) are removed in software before shipping.

When that day comes, all legacy code would be vulnerable. But all new code would be secure. And, eventually, those software vulnerabilities will be a thing of the past. In my head, some future programmer shakes their head and says, “Remember the early decades of this century when software was full of vulnerabilities? That’s before the AIs found them all. Wow, that was a crazy time.” We’re not there yet. We’re not even remotely there yet. But it’s a reasonable extrapolation.

EDITED TO ADD: And Google’s LLM just discovered an exploitable zero-day.

Krebs on Security - Canadian Man Arrested in Snowflake Data Extortions

A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.

Image: https://www.pomerium.com/blog/the-real-lessons-from-the-snowflake-breach

On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.

At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.

Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information and phone and text message records for roughly 110 million people — nearly all of its customers. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen phone records.

A report on the extortion attacks from the incident response firm Mandiant notes that Snowflake victim companies were privately approached by the hackers, who demanded a ransom in exchange for a promise not to sell or leak the stolen data. All told, more than 160 Snowflake customers were relieved of data, including TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.

Moucka is alleged to have used the hacker handles Judische and Waifu, among many others. These monikers correspond to a prolific cybercriminal whose exploits were the subject of a recent story published here about the overlap between Western, English-speaking cybercriminals and extremist groups that harass and extort minors into harming themselves or others.

On May 2, 2024, Judische claimed on the fraud-focused Telegram channel Star Chat that they had hacked Santander Bank, one of the first known Snowflake victims. Judische would repeat that claim in Star Chat on May 13 — the day before Santander publicly disclosed a data breach — and would periodically blurt out the names of other Snowflake victims before their data even went up for sale on the cybercrime forums.

404 Media reports that at a court hearing in Ontario this morning, Moucka called in from a prison phone and said he was seeking legal aid to hire an attorney.

KrebsOnSecurity has learned that Moucka is currently named in multiple indictments issued by U.S. prosecutors and federal law enforcement agencies. However, it is unclear which specific charges the indictments contain, as all of those cases remain under seal.

TELECOM DOMINOES

Mandiant has attributed the Snowflake compromises to a group it calls “UNC5537,” with members based in North America and Turkey. Sources close to the investigation tell KrebsOnSecurity the UNC5537 member in Turkey is John Erin Binns, an elusive American man indicted by the U.S. Department of Justice (DOJ) for a 2021 breach at T-Mobile that exposed the personal information of at least 76.6 million customers.

In a statement on Moucka’s arrest, Mandiant said UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024.

“In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations,” wrote Austin Larsen, Mandiant’s senior threat analyst. “The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”

Sources involved in the investigation said UNC5537 has focused on hacking into telecommunications companies around the world. Those sources told KrebsOnSecurity that Binns and Judische are suspected of stealing data from India’s largest state-run telecommunications firm Bharat Sanchar Nigam Ltd (BSNL), and that the duo even bragged about being able to intercept or divert phone calls and text messages for a large portion of the population of India.

Judische appears to have outsourced the sale of databases from victim companies who refuse to pay, delegating some of that work to a cybercriminal who uses the nickname Kiberphant0m on multiple forums. In late May 2024, Kiberphant0m began advertising the sale of hundreds of gigabytes of data stolen from BSNL.

“Information is worth several million dollars but I’m selling for pretty cheap,” Kiberphant0m wrote of the BSNL data in a post on the English-language cybercrime community Breach Forums. “Negotiate a deal in Telegram.”

Also in May 2024, Kiberphant0m took to the Russian-language hacking forum XSS to sell more than 250 gigabytes of data stolen from an unnamed mobile telecom provider in Asia, including a database of all active customers and software allowing the sending of text messages to all customers.

On September 3, 2024, Kiberphant0m posted a sales thread on XSS titled “Selling American Telecom Access (100B+ Revenue).” Kiberphant0m’s asking price of $200,000 was apparently too high because they reposted the sales thread on Breach Forums a month later, with a headline that more clearly explained the data was stolen from Verizon‘s “push-to-talk” (PTT) customers — primarily U.S. government agencies and first responders.

404Media reported recently that the breach does not appear to impact the main consumer Verizon network. Rather, the hackers broke into a third party provider and stole data on Verizon’s PTT systems, which are a separate product marketed towards public sector agencies, enterprises, and small businesses to communicate internally.

INTERVIEW WITH JUDISCHE

Investigators say Moucka shared a home in Kitchener with other tenants, but not his family. His mother was born in Chechnya, and he speaks Russian in addition to French and English. Moucka’s father died of a drug overdose at age 26, when the defendant was roughly five years old.

A person claiming to be Judische began communicating with this author more than three months ago on Signal after KrebsOnSecurity started asking around about hacker nicknames previously used by Judische over the years.

Judische admitted to stealing and ransoming data from Snowflake customers, but he said he’s not interested in selling the information, and that others have done this with some of the data sets he stole.

“I’m not really someone that sells data unless it’s crypto [databases] or credit cards because they’re the only thing I can find buyers for that actually have money for the data,” Judische told KrebsOnSecurity. “The rest is just ransom.”

Judische has sent this reporter dozens of unsolicited and often profane messages from several different Signal accounts, all of which claimed to be an anonymous tipster sharing different identifying details for Judische. This appears to have been an elaborate effort by Judische to “detrace” his movements online and muddy the waters about his identity.

Judische frequently claimed he had unparalleled “opsec” or operational security, a term that refers to the ability to compartmentalize and obfuscate one’s tracks online. In an effort to show he was one step ahead of investigators, Judische shared information indicating someone had given him a Mandiant researcher’s assessment of who and where they thought he was. Mandiant says those were discussion points shared with select reporters in advance of the researcher’s recent talk at the LabsCon security conference.

But in a conversation with KrebsOnSecurity on October 26, Judische acknowledged it was likely that the authorities were closing in on him, and said he would seriously answer certain questions about his personal life.

“They’re coming after me for sure,” he said.

In several previous conversations, Judische referenced suffering from an unspecified personality disorder, and when pressed said he has a condition called “schizotypal personality disorder” (STPD).

According to the Cleveland Clinic, schizotypal personality disorder is marked by a consistent pattern of intense discomfort with relationships and social interactions: “People with STPD have unusual thoughts, speech and behaviors, which usually hinder their ability to form and maintain relationships.”

Judische said he was prescribed medication for his psychological issues, but that he doesn’t take his meds. Which might explain why he never leaves his home.

“I never go outside,” Judische allowed. “I’ve never had a friend or true relationship not online nor in person. I see people as vehicles to achieve my ends no matter how friendly I may seem on the surface, which you can see by how fast I discard people who are loyal or [that] I’ve known a long time.”

Judische later admitted he doesn’t have an official STPD diagnosis from a physician, but said he knows that he exhibits all the signs of someone with this condition.

“I can’t actually get diagnosed with that either,” Judische shared. “Most countries put you on lists and restrict you from certain things if you have it.”

Asked whether he has always lived at his current residence, Judische replied that he had to leave his hometown for his own safety.

“I can’t live safely where I’m from without getting robbed or arrested,” he said, without offering more details.

A source familiar with the investigation said Moucka previously lived in Quebec, which he allegedly fled after being charged with harassing others on the social network Discord.

Judische claims to have made at least $4 million in his Snowflake extortions. Judische said he and others frequently targeted business process outsourcing (BPO) companies, staffing firms that handle customer service for a wide range of organizations. They also went after managed service providers (MSPs) that oversee IT support and security for multiple companies, he claimed.

“Snowflake isn’t even the biggest BPO/MSP multi-company dataset on our networks, but what’s been exfiltrated from them is well over 100TB,” Judische bragged. “Only ones that don’t pay get disclosed (unless they disclose it themselves). A lot of them don’t even do their SEC filing and just pay us to fuck off.”

INTEL SECRETS

The other half of UNC5537 — 24-year-old John Erin Binns — was arrested in Turkey in late May 2024, and currently resides in a Turkish prison. However, it is unclear if Binns faces any immediate threat of extradition to the United States, where he is currently wanted on criminal hacking charges tied to the 2021 breach at T-Mobile.

A person familiar with the investigation said Binns’s application for Turkish citizenship was inexplicably approved after his incarceration, leading to speculation that Binns may have bought his way out of a sticky legal situation.

Under the Turkish constitution, a Turkish citizen cannot be extradited to a foreign state. Turkey has been criticized for its “golden passport” program, which provides citizenship and sanctuary for anyone willing to pay several hundred thousand dollars.

This is an image of a passport that Binns shared in one of many unsolicited emails to KrebsOnSecurity since 2021. Binns never explained why he sent this in Feb. 2023.

Binns’s alleged hacker alter egos — “IRDev” and “IntelSecrets” — were at once feared and revered on several cybercrime-focused Telegram communities, because he was known to possess a powerful weapon: A massive botnet. From reviewing the Telegram channels Binns frequented, we can see that others in those communities — including Judische — heavily relied on Binns and his botnet for a variety of cybercriminal purposes.

The IntelSecrets nickname corresponds to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted.

Since 2020, Binns has filed a flood of lawsuits naming various federal law enforcement officers and agencies — including the FBI, the CIA, and the U.S. Special Operations Command (PDF), demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Binns claims he was kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his detention and torture by the Turkish authorities.

However, in a 2020 lawsuit he filed against the CIA, Binns himself acknowledged having visited a previously ISIS-controlled area of Syria prior to moving to Turkey in 2017.

A segment of a lawsuit Binns filed in 2020 against the CIA, in which he alleges U.S. put him on a terror watch list after he traveled to Syria in 2017.

Sources familiar with the investigation told KrebsOnSecurity that Binns was so paranoid about possible surveillance on him by American and Turkish intelligence agencies that his erratic behavior and online communications actually brought about the very government snooping that he feared.

In several online chats in late 2023 on Discord, IRDev lamented being lured into a law enforcement sting operation after trying to buy a rocket launcher online. A person close to the investigation confirmed that at the beginning of 2023, IRDev began making earnest inquiries about how to purchase a Stinger, an American-made portable weapon that operates as an infrared surface-to-air missile.

Sources told KrebsOnSecurity Binns’ repeated efforts to purchase the projectile earned him multiple visits from the Turkish authorities, who were justifiably curious why he kept seeking to acquire such a powerful weapon.

WAIFU

A careful study of Judische’s postings on Telegram and Discord since 2019 shows this user is more widely known under the nickname “Waifu,” a moniker that corresponds to one of the more accomplished “SIM swappers” in the English-language cybercrime community over the years.

SIM swapping involves phishing, tricking or bribing mobile phone company employees for credentials needed to redirect a target’s mobile phone number to a device the attackers control — allowing thieves to intercept incoming text messages and phone calls.

Several SIM-swapping channels on Telegram maintain a frequently updated leaderboard of the 100 richest SIM-swappers, as well as the hacker handles associated with specific cybercrime groups (Waifu is ranked #24). That list has long included Waifu on a roster of hackers for a group that called itself “Beige.”

The term “Beige Group” came up in reporting on two stories published here in 2020. The first was in an August 2020 piece called Voice Phishers Targeting Corporate VPNs, which warned that the COVID-19 epidemic had brought a wave of targeted voice phishing attacks that tried to trick work-at-home employees into providing access to their employers’ networks.

The second time Beige Group was mentioned by sources was in reporting on a breach at the domain registrar GoDaddy. In November 2020, intruders thought to be associated with the Beige Group tricked a GoDaddy employee into installing malicious software, and with that access they were able to redirect the web and email traffic for multiple cryptocurrency trading platforms. Other frequent targets of the Beige group included employees at numerous top U.S. banks, ISPs, and mobile phone providers.

Judische’s various Telegram identities have long claimed involvement in the 2020 GoDaddy breach, and he didn’t deny his alleged role when asked directly. Judische said he prefers voice phishing or “vishing” attacks that result in the target installing data-stealing malware, as opposed to tricking the user into entering their username, password and one-time code.

“Most of my ops involve malware [because] credential access burns too fast,” Judische explained.

CRACKDOWN ON HARM GROUPS?

The Telegram channels that the Judische/Waifu accounts frequented over the years show this user divided their time between posting in channels dedicated to financial cybercrime, and harassing and stalking others in harm communities like Leak Society and Court.

Both of these Telegram communities are known for victimizing children through coordinated online campaigns of extortion, doxing, swatting and harassment. People affiliated with harm groups like Court and Leak Society will often recruit new members by lurking on gaming platforms, social media sites and mobile applications that are popular with young people, including Discord, Minecraft, Roblox, Steam, Telegram, and Twitch.

“This type of offence usually starts with a direct message through gaming platforms and can move to more private chatrooms on other virtual platforms, typically one with video enabled features, where the conversation quickly becomes sexualized or violent,” warns a recent alert from the Royal Canadian Mounted Police (RCMP) about the rise of sextortion groups on social media channels.

“One of the tactics being used by these actors is sextortion, however, they are not using it to extract money or for sexual gratification,” the RCMP continued. “Instead they use it to further manipulate and control victims to produce more harmful and violent content as part of their ideological objectives and radicalization pathway.”

Some of the largest such known groups include those that go by the names 764, CVLT, Kaskar, 7997, 8884, 2992, 6996, 555, Slit Town, 545, 404, NMK, 303, and H3ll.

On the various cybercrime-oriented channels Judische frequented, he often lied about his or others’ involvement in various breaches. But Judische also at times shared nuggets of truth about his past, particularly when discussing the early history and membership of specific Telegram- and Discord-based cybercrime and harm groups.

Judische claimed in multiple chats, including on Leak Society and Court, that they were an early member of the Atomwaffen Division (AWD), a white supremacy group whose members are suspected of having committed multiple murders in the U.S. since 2017.

In 2019, KrebsOnSecurity exposed how a loose-knit group of neo-Nazis, some of whom were affiliated with AWD, had doxed and/or swatted nearly three dozen journalists at a range of media publications. Swatting involves communicating a false police report of a bomb threat or hostage situation and tricking authorities into sending a heavily armed police response to a targeted address.

Judische also told a fellow denizen of Court that years ago he was active in an older harm community called “RapeLash,” a truly vile Discord server known for attracting Atomwaffen members. A 2018 retrospective on RapeLash posted to the now defunct neo-Nazi forum Fascist Forge explains that RapeLash was awash in gory, violent images and child pornography.

A Fascist Forge member named “Huddy” recalled that RapeLash was the third incarnation of an extremist community also known as “FashWave,” short for Fascist Wave.

“I have no real knowledge of what happened with the intermediary phase known as ‘FashWave 2.0,’ but FashWave 3.0 houses multiple known Satanists and other degenerates connected with AWD, one of which got arrested on possession of child pornography charges, last I heard,” Huddy shared.

In June 2024, a Mandiant employee told Bloomberg that UNC5537 members have made death threats against cybersecurity experts investigating the hackers, and that in one case the group used artificial intelligence to create fake nude photos of a researcher to harass them.

Allison Nixon is chief research officer with the New York-based cybersecurity firm Unit 221B. Nixon is among several researchers who have faced harassment and specific threats of physical violence from Judische.

Nixon said Judische is likely to argue in court that his self-described psychological disorder(s) should somehow excuse his long career in cybercrime and in harming others.

“They ran a misinformation campaign in a sloppy attempt to cover up the hacking campaign,” Nixon said of Judische. “Coverups are an acknowledgment of guilt, which will undermine a mental illness defense in court. We expect that violent hackers from the [cybercrime community] will experience increasingly harsh sentences as the crackdown continues.”

5:34 p.m. ET: Updated story to include a clarification from Mandiant.

365 Tomorrows - Bifurcation

Author: Majoki

Her fingers stinging, Salda felt the chill and vastness of the late spring runoff as she sat upon a large stone in the middle of the river. High above her in the mountains, that same frigid water was a torrent muscling rock and soil relentlessly to carve deep channels. Channels that converged, then […]

The post Bifurcation appeared first on 365tomorrows.

Worse Than Failure - CodeSOD: Counting it All

Since it's election day in the US, many people are thinking about counting today. We frequently discuss counting here, and how to do it wrong, so let's look at some code from RK.

This code may not be counting votes, but whatever it's counting, we're not going to enjoy it:

case LogMode.Row_limit: // row limit excel = 65536 rows
    if (File.Exists(personalFolder + @"\" + fileName + ".CSV"))
    {
        using (StreamReader reader = new StreamReader(personalFolder + @"\" + fileName + ".CSV"))
        {
            countRows = reader.ReadToEnd().Split(new char[] { '\n' }).Length;
        }
    }

Now, this code is from a rather old application, originally released in 2007. So the comment about Excel's row limit really puts us in a moment in time: Excel 2007 raised the row limit to 1,048,576 rows, but older versions of Excel did cap out at 65,536. And it wasn't the case that everyone just up and switched to Excel 2007 when it came out; transitioning to the new Office file formats was a conversion which took years.

But we're not even reading an Excel file, we're reading a CSV.

I enjoy that we construct the name twice, because that's useful. But the real magic of this one is how we count the rows. Because while Excel can handle 65,536 rows at this time, I don't think this program is going to do a great job of it- because we read the entire file into memory with ReadToEnd, then Split on newlines, then count the length that way.

As you can imagine, in practice, this performed terribly on large files, of which there were many.

Unfortunately for RK, there's one rule about old, legacy code: don't touch it. So despite fixing this being a rather easy task, nobody is working on fixing it, because nobody wants to be the one who touched it last. Instead, management is promising to launch a greenfield replacement project any day now…
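The streaming alternative, as an added Python example (not the application's C#, which stays as shown above), with two checks the post does not make: the split-on-newline count includes the empty piece after the final newline, so it is one too high on any newline-terminated file, and a CSV record is not a line at all when a quoted field contains a line break, which is exactly what free-text columns exported from Excel produce. The sample file is constructed inline for the example; the function and file names are assumptions.

```python
import csv
import os
import tempfile

# Constructed sample (not a real export): the second record has a quoted
# field containing a line break, so it occupies two physical lines.
SAMPLE_CSV = 'id,note\n1,"first line\nsecond line"\n2,plain\n'


def naive_row_count(path):
    """The post's approach, transliterated: slurp the file, split on '\\n',
    count the pieces. On a newline-terminated file the last piece is the
    empty string after the final newline, so the result is one too high."""
    with open(path, encoding="utf-8", newline="") as f:
        return len(f.read().split("\n"))


def streaming_line_count(path):
    """Physical lines in constant memory: count newline bytes chunk by chunk,
    adding one for an unterminated last line."""
    count = 0
    last = b"\n"
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            count += chunk.count(b"\n")
            last = chunk[-1:]
    return count + (0 if last == b"\n" else 1)


def csv_record_count(path):
    """Logical CSV records, header included, which is what a spreadsheet row
    limit actually applies to; quoted fields may span physical lines."""
    with open(path, encoding="utf-8", newline="") as f:
        return sum(1 for _ in csv.reader(f))


def count_sample():
    """Write the constructed sample to a temporary file and count it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.csv")
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write(SAMPLE_CSV)
        return {
            "naive_split": naive_row_count(path),
            "streaming_lines": streaming_line_count(path),
            "csv_records": csv_record_count(path),
        }


if __name__ == "__main__":
    print(count_sample())
```

Three different answers for one small file: five pieces from the split, four physical lines, three records. Whichever number the application compares against 65,536, it should be decided on purpose rather than inherited from whatever `Split` happens to return.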

David Brin - Balanced perspectives for our time - JUST in time?

Just before the consequential US election (I am optimistic we can prevail over Putinism), my previous posting offered a compiled packet of jpegs and quick bullets to use if you still have a marginally approachable, residually sane neighbor or relative who is 'sanity curious.' A truly comprehensive compendium! From the under-appreciated superb economy to proved dangers of pollution. From Ukraine to proof of Trump's religion-fakery. From saving science to ...

... the biggest single sentence of them all... "Almost every single honest adult who served under Trump now denounces him." Now numbering hundreds. 

And Harrison Ford emphasizing that point with eloquence.

Anyone able to ignore that central fact... that grownups who get to know Trump all despise him... truly is already a Kremlin boy.


== More sober reflections == 

Fareed Zakaria is by far the best pundit of our time - sharp, incisive, with well-balanced big-perspective. And yet, even he is myopic about what's going on.

On this occasion, he starts with The Economist's cover story that the U.S. economy is the "Envy of the World." 

Booming manufacturing and wages, record-low unemployment, the lowest inflation among industrial nations (now down to 2%), with democratic policies finally transferring money to the middle class, after 40 years of Supply Side ripoffs for the rich. 

The Wall Street Journal - of all capitalist and traditionally Republican outfits - calls the present economy 'superb at all levels' and 'remarkable,' with real growth in middle class wages and prosperity.

 And yet, many in the working classes now despise the Rooseveltean coalition that gave them everything, and even many black & hispanic males flock to Trump's macho ravings.

Zakaria is spot-on saying it's no longer about economics - not when good times can be taken for granted. Rather, it's social and cultural, propelled by visceral loathing of urban, college educated 'elites' by those who remain blue-collar, rural and macho. 

One result - amplified in media-masturbatory echo chambers and online Nuremberg Rallies - has been all-out war vs all fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.

Where Fareed gets it all wrong is in claiming this is something new!  

Elsewhere I point out the same cultural divide has erupted across all EIGHT different phases of the American civil/cultural war, since 1778. Moreover, farmers and blue collar workers, etc. have been traumatized for a century, in one crucial way! As their brightest sons and daughters rushed off from high school graduation to city/university lights...

... and then came back (if they ever come back at all) changed. 
It's been going on for 140 years. And the GI Bill after WWII accelerated it prodigiously.

I won't apologize for that... but I admit it's gotta hurt.

While sympathy is called-for, we need to recall that the recurring confederate fever is always puppetted by aristocrats - by King George, by slaver plantation lords, by gilded-age moguls, by inheritance brats and today's murder sheiks & Kremlin "ex"-commissars... and whenever the confederacy wins (as in 1830s, 1870s and 1920s in the United States and 1933 Germany) the results are stagnation and horror. And every "Union" victory (as in the 1770s, 1860s, 1940s, 1960s) is followed by both moral and palpable progress.

See also Fareed Zakaria's perspectives in his recently released book, Age of Revolutions: Progress and Backlash from 1600 to the Present.


== For this last week ==

Trump has learned a lesson from his time in office. Never trust any adults or women and men of accomplishment and stature. He has said clearly he will never have another Kelly, Mattis, Mullen, Milley... or even partisan hacks with some pride, like Barr, Pence, etc... allowed anywhere near the Oval Office. 

In fact, he wants many people in his potential administration who have criminal records and cannot get security clearances under present rules. He wants to have a private firm do background checks instead of the government and military security clearance process. 

This should give a bunch of corrupt or blackmail-vulnerable criminals access to and control over our most critical and sensitive secrets.

And can anyone doubt any longer that he is a Kremlin agent?


== A final note of wisdom ==

Only one method has ever been found that can often (not always) discover, interrogate and refute lies and liars or hallucinators.**

That method has been accountability via free-speech-empowered adversarial rivalry.  Almost all of our enlightenment institutions and accomplishments and freedoms rely upon it... Pericles and Adam Smith spoke of it and the U.S. Founders enshrined it...

...and the method is almost never even remotely discussed in regard to today's tsunamis of lies.

And even if things go super well in the Tuesday election, this basic truth must also shine light into the whole new problem/opportunity of Artificial Intelligence. (And I go into that elsewhere.) 

 It must... or we're still screwed.

---
** I openly invite adversarial refutation of this assertion.

------------------------------------------
------------------------------------------

Okay okay. You want prediction? I'll offer four scenarios:

1.     Harris and dems win big. They must, for the “steal” yammer-lies to fade to nothing, except for maybe a few McVeigh eruptions. (God bless the FBI undercover guys!) In this scenario, everyone but Putin soon realizes things are already pretty good in the US and West and getting better... and many of our Republican neighbors – waking up from this insane trance – shake off confederatism and get back to loyally standing up for both America and enterprise. 


And perhaps the GOP will also shake away the heavily blackmail compromised portion of their upper castes and return to the pre-Hastert mission of negotiating sane conservative needs into a growing consensus.


2.     Harris squeaks in. We face 6 months of frantic Trumpian shrieks and Project 2025 ploys and desperate Kremlin plots and a tsunami of McVeighs.  (Again: God bless the FBI undercover guys!)  In this case, I will have a dozen ideas to present next week, to staunch the vile schemes of the Project 2025ers.


    In this case there will be confederate cries of "Secession!" over nothing real, as they had no real cause in 1861. We must answer "Okay fine this time. Off you go! Only we keep all military bases and especially we keep all of your blue cities (linking them with high speed rail), cities who get to secede from YOU!  Sell us beef and oil, till we make both obsolete! And you beg to be let back in.  Meanwhile, your brighter sons and daughters will still come over - with scholarships. So go in peace and God bless."


3.    Trump squeaks in and begins his reign of terror. We brace ourselves for the purge of all fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.  And within 6 months you will hear two words that I am speaking here for the 1st time: 


                    GENERAL STRIKE. 


    A legal and mammoth job action by those who actually know stuff and how to do stuff.  At which point then watch how redders realize how much they daily rely on our competence. And how quickly the oligarchs act to remove Trump, either through accelerating senility, or bribed retirement or... the Howard Beale scenario. At which point then Peter Thiel (briefly) owns America. It's Putin's dream outcome as the USA betrays Ukraine and Europe and the future... and tears itself apart. But no matter how painful, remember, we've recovered before. And we'll remember that you did this, Vlad and Peter. And those who empowered them.


    Oh, yes and this. Idiot believers in THE FOURTH TURNING will get their transformative 'crisis' that never had to happen and that they artificially caused (and we'll remember.) Above all, the Gen-Z 'hero generation' will know this. And you cultists will not like them, when they're mad.


    4. Trump landslide. Ain’t gonna happen. For one thing because Putin knows he won’t benefit if Trump is so empowered that he's freed from all puppet strings and blackmail threats. At which point Putin will suddenly realize he’s lost control - the way the German Junkers caste lords lost control in 1933, as portrayed at the end of CABARET. 

Still confused why Putin wouldn't want this? Watch Angela Lansbury’s chilling soliloquy near the end of THE MANCHURIAN CANDIDATE. This outcome is the one Putin should most fear. 

By comparison, Kamala would likely let Vlad live. But a fully empowered Trump will erase Putin, along with every other oligarch who ever commanded or extorted or humiliated him - like those depicted below. And the grease stains will smolder.


Again... here's your compiled compendium of final ammo. To help us veer this back to victory for America, the planet, and the Union side in our recurring civil war... 

...followed by malice toward none and charity for all and a return to fraternal joy in being a light unto the world. 





David Brin: Meme-images for your semi-sane and residually honorable MAGA

Swamped with patent disclosures, podcasts and the Great Big AI Panic of 2024. And just learned the H1N5 bird flu may be nastier soon! (😟check your supplies.) Also, I appear to be more optimistic than most... and most of you have voted already. 

Still, I gotta do what I can, offering you some final, concise leverage. Not for your hopeless MAGA-Putinist uncle. But maybe his worried wife, your residually-sane aunt.  

What leverage?  Why... punchy jpegs, of course! 


   == Ammo Images that might sway... ==


How can anyone still sway to the hypnotism...

...of a face drenched in makeup and dripping hair dye?   

But OK. Let's start with a simple question.  

             Who are his enemies and who are his friends? 

ONE sentence ought to settle everything:

                                                     

Two Defense Secretaries. Two chiefs of staff. His Attorney General. His National Security Advisor & Secretary of State. His domestic policy head. Chair of the Joint Chiefs. Two communications directors. His Vice President plus 250 more.

Make your MAGA see this jpeg! ==>


All of them were HIS choices. Whom he called "Great Guys!"... who are now denouncing him as a horror-calamity and lethal stooge of foreign enemies.

 

At minimum, he's a terrible judge of character! (Who fell 'in love' with Kim Jong Un.) 


But don't worry. In Trump II he's promised there will be no adults at all.


Examples: James Mattis, Marine General (ret), Trump’s 1st Defense Secretary: “Donald Trump is the first president in my life who didn't even pretend to try to unite the American people. He tries to divide us.”

Mark Esper, Trump’s 2nd Defense Secretary: “I believe he is a threat to democracy.”

John Kelly, Marine General (ret), Trump’s 2nd White House Chief of Staff: “He often said ‘Hitler did good things, too.’”

Ask Joint Chiefs Chair Mark Milley +Admiral McRaven +250 other officers!  

 Ask nearly all scientists.

Ask counter-insurgency experts about “ex” commissar Putin’s long puppet strings.


But Don does have friends!

Here they are!==>

Have your MAGA zoom in and explain this.



== But... but isn't Trump the agent of God? ==

Such a Christian! Though if he ever willingly chose church over golf, no one has seen it. Here's one time he had to show up. And this one image says it all.


There's a hilarious and sad video of him mouthing along while trying to recite the famous and well-known 23rd Psalm with worshippers and giving up after "He leadeth me..." Too lazy even to memorize a couple of passages for show, he still, after all these years, refuses to name a favorite passage. 
"It's too personal."  Riiiiight.

But then... some evangelicals can see all that! So they switch to the "Cyrus" argument. Like the King of the Medes who freed the people of Judah from Babylon, Trump is a 'righteous gentile!' A pagan who serves God by actions & deeds! 

(How? By destroying America and democracy and serving Moscow? But we'll get to that.)

Huh. Some servant of God. The most opposite-to-Jesus human any of us ever saw typifies every Deadly Sin! (Have your MAGA recite them aloud and NOT see Trump as the archetype!) 

Look, I don't credit the Book of Revelation. (Though all of you should know it! See the comic book version Apocamon; I mean it. You truly need to see what some of your neighbors wish and plan for you!) 

Still, there is a recurring character in that nightmare tome who DT resembles. I'm not talking about the Lamb of God. The character's name starts with "auntie" or "the Anti --" and Trump fits every described characteristic.  To a T.


== Is it the Economy, Stupid? ==

A problem with good times... folks soon take it for granted. Unemployment was the big issue. 
But after clawing our way out of the Covid Recession and Supply Chain inflation (nearly all economists blame Trump for worsening those) the 2021 stimulus bills worked!

Infrastructure - bridges etc. - are being fixed! Unemployment has stayed at the lowest level since the early 60s. We're in the best US economy since WWII.

Inflation? What? Ask your MAGA to step up NOW with wager stakes and bet which two nations have had the LOWEST inflation in the Industrial world for 3 years! 

(Hint, it's the US and Japan.)


 


Then why so grumpy?   Because Fox rants at fools to enjoy sanctimonious grumpiness! It's more fun than accepting the truth... that you are mesmerized by an echo chamber and Nuremberg Rally, with one central goal...

... to hate facts and fact professions & the damn, dry statistics.

But let's make it a wager. Assert the following and demand your MAGAs step up (like men) with cash stakes on the table:


EVERY Democratic Administration was more fiscally responsible regarding debt and deficits than EVERY Republican administration. 

In fact, most Democratic administrations had by far better economic outcomes across the board, for everyone except oligarchs and inheritance brats, who ALWAYS do vastly better under the GOP. Demand wagers!

But this is the biggie. The USA is undergoing the greatest boom in MANUFACTURING since the Second World War.  

That is unambiguous. Democrats did it.


== Climate Change ==

Nothing better illustrates the agenda of the GOP masters than fostering all-out war vs ALL fact using professions, from science, teaching, medicine, law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.  
"Hate the FBI!" is the most amazing and dangerous in the near term, but the anti-science campaign is core, over the long run.

Dig it. They're not attacking science in order to make $$ by delaying action on climate disaster. It's the reverse. They use climate denialism as one of many tools to attack all scientists and undermine trust in science

Why? Oligarchs can't restore 6000 years of insipid feudalism til they castrate all fact professions. But more on that elsewhere.

The crisis over our endangered EARTH is a vast subject! But this posting is about last minute, punchy capsules. So use this: Foxites flee in panic when you mention OCEAN ACIDIFICATION, which is unambiguously killing the seas our children will need and can only be caused by CO2 pollution. How they run from those two words.

Alas, instead of giving credit to the genius meteorologists who now predict hurricane paths within a few miles FIVE DAYS in advance, jibberers yammer: "They cause hurricanes!"

WHO is 'they?'  No, never mind that. You said it when earthquakes hit California. Recognize God's wrath when you feel it...


== Ukraine and NATO and Putin ==

Seriously? Who do you think Ronald Reagan would side with? The barely changed Kremlin and relabeled KGB, run by "ex" commissars who all grew up reciting Leninist catechisms? Who are now re-nationalizing all Russian businesses, crushing dissent and rebuilding the USSR?


Um, can anyone with a trace of fairness in their hearts not root for and support the attacked Ukrainian underdogs? And say "Damn Putin and his fellow tyrants!"

Dig it: NATO is now stronger than ever since 1946! Putin is fighting for his own murderous, richest-man-in-the-world life, desperate to get Trump into the Oval Office. It's his one hope.

LOOK at Trump's pals! At the expressions on their faces. Zoom in.


Can any of your neighbors who support Putin call anyone ELSE a 'commie'?


== Memory Lane ==


And wager NOW over the different death rates of the vaccinated vs. the un-vaccinated.  Death rates are simple. Even the reddest state supplies stats on that. And there's no ambiguity at all. Fox is trying to kill you.


== Immigration ==

But what about immigration? Well, surprise? I'll sorta half give you that one!

It's a vexing problem and the farthest left has not been helpful. They refuse to see how Putin and other tyrants have herded poor refugees into Europe and America, knowing it will push politics in those countries to the right.  And it has even worked on U.S. Hispanics, who poll overwhelmingly wanting tighter borders.

Look, you may not like facing it, but Putin's strategy here has worked! And if you lefties want the power to do good, YOU are gonna have to prioritize. Compromise.

But this is not a Bill Maher screed aimed at woke-ist betrayals of the only coalition that can save the world. Later.

It is about far-worse MAGA lunacy. And what could be more lunatic than Trump ordering the GOP - last January - to torpedo the Immigration Bill they had just finished negotiating! 

That bill would have majorly increased the Border Patrol, plus internal tracking of refugee claimants and would have built more wall by now than the entire Trump presidency!

Now why would he do that? Simple. Going back generations before Trump & Putin took over the Republican Party, the GOP's master oligarchs loved cheap labor!

You just think about that now.

P.S. If a time comes when Republicans reject the madness and corruption that skyrocketed in the GOP since Dennis "friend to boys" Hastert, and choose instead to return to political negotiation, moderate dems will race to work out incremental steps to mix pragmatic border security with helping refugees return safely to their improved home countries... with living by the American tradition (and biblical injunction) of kindness to legitimate newcomers.


== Again  - the most-effective single sentence is... ==


"ALL of the honest adults who served under Trump now denounce him."             

Earlier I showed former Trumpists who were admirable to some degree, and now denounce him. Now gaze at some more! Though some of these weren't quite as admirable as the 1st bunch. ==>

Still, these guys at least want the USA to survive! If only because it's where they keep their best stuff. Hypocrites some of them? I prefer the first set! Still, we need all the help...

On the other hand, THIS is a Republican we can all respect! (below):



== So what about fascism? ==

Seriously? This is an issue?

My Dad beat up f--ng Nazis in Chicago in the 1930s, when they marched both for Hitler and for the spectacularly misnamed "America First."  I know f--ng Nazis when I see em! And even if Trump isn't one by strict definition*...
   ... all the current American Nazis think he is! And they love him.


* But of course... he is.


== The endless lies ==

I notoriously demand WAGERS over all the lies! e.g. ANY randomly chosen 5 minute segment of any Trump speech! Put it before a randomly-chosen panel of low-political retired, senior military officers! 

I have a long list (dropped into comments*) of wager challenges. And not one MAGA in ten years has ever had the manly guts or confidence to step up with $$$ atty-escrowed stakes. Not one, ever. Weenie no-cojone cowards.

But let's start with Trump's endless promises to prove Obama was born in Kenya, or the mythical promise of a "Great Health Plan to replace Obamacare! I'll unveil it next week!" And then the next week and the next, for year after year after year... 

...and MAGAs never ask "Um, well?"


Or releasing "My great financials!" Or "I'll proudly release my tax returns when the IRS is done auditing!" Except the audits were a myth!  Or his college transcripts. Or the bone spur xrays. Or the fecal spew of lies during covid.

What we DO have is at least 20 copies of the Honolulu Advertiser from 1962 that folks have found in attics and garages all over Hawaii, with a birth announcement for Barack Obama. But any retraction or shame from ol' Two Scoops? Never.

There's a reason...

<==Declassify the "we fell in love!" notes from Kim! 

Then there's the biggest damn lie of them all...





== And heck, let's give you some more! ==

Do I have an ulterior motive, in dumping upon you this tsunami of jpegs? I mean other than hoping that a few of you will use them to help save the nation and world?

Hey I am over 70 and pushing 'clippings' at the young is what we farts do! ;-0

 But still... I am angry at MAGA crapheads dumping on Tim Walz, a 25 year veteran who trained hundreds of young troops with patience that made him beloved... as with 20 years of high school civics students... and the teams he coached to state championships... and so much more. (The Putin servants searched for ONE former student they could bribe to denounce Walz; even one.) 

A command sergeant major whose shoes you lying bastards aren't fit to...

   Like this good man who served and still does ==>    

(Calm David. You promised 'malice toward none..." Sure, after we save America in this 8th phase of the recurring civil war.)

In contrast to real men... we have this cringing, face-painted carnival barker... zoom in!

The colors are un-altered.






== Miscellaneous Adds! ==

Okay I'll conclude by dumping in a few more. Use whatever you like! MAKE the redeemable/reachable... if you know any... zoom in and see and then snap out of the trance! 





...and a few may even hear the call of Lincoln, Eisenhower and Teddy Roosevelt and even Reagan... realizing they must help rescue the Republican Party from treasonous madness. (LOOK below.)


And remember, Dems ALWAYS do better vs deficits and with almost every economic indicator...









Finally, Here's my biggest effort at supplying political tactics that might have ended this phase of the US Civil War decisively, in 2020, instead of merely getting a Gettysburg - vital(!) but requiring us to keep fighting the same monster.  May this year be Appomattox! Followed by "Malice toward none and charity for all..."

...and an America that leads a consensus-wiser world toward freedom, hope, and the stars.

Polemical Judo


.........  And in the words of Tiny Tim... God bless us, one and all...


================

================


Oh, I oughta give originator credit lines for every single one of these jpegs!  It's a modern problem. Almost none of the postings I took them from had credits, either!  This is one thing I expect AI to solve and soon.  May they be Machines of Loving Grace.


Planet Debian, Ravi Dwivedi: Asante Kenya for a Good Time

In September of this year, I visited Kenya to attend the State of the Map conference. I spent six nights in Nairobi, two nights in Mombasa, and one night on a train. I was very happy with the visa process being smooth and quick. Furthermore, I stayed at the Nairobi Transit Hotel with other attendees, with Ibtehal from Bangladesh as my roommate. One of the memorable moments was the time I spent at a local coffee shop nearby. We used to go there at midnight, despite the grating in the shops suggesting such adventures were unsafe. Fortunately, nothing bad happened, and we were rewarded with a fun time with the locals.

The coffee shop Ibtehal and I used to visit at midnight

Grating at a chemist shop in Mombasa, Kenya

The country lies on the equator, which might give the impression of extremely hot temperatures. However, Nairobi was on the cooler side (10–25 degrees Celsius), and I found myself needing a hoodie, which I bought the next day. It also served as a nice souvenir, as it had an outline of the African map printed on it.

I bought a Safaricom SIM card for 100 shillings and recharged it with 1000 shillings for 8 GB internet with 5G speeds and 400 minutes talk time.

A visit to Nairobi’s Historic Cricket Ground

On this trip, I got a unique souvenir that can’t be purchased from the market—a cricket jersey worn in an ODI match by a player. The story goes as follows: I was roaming around the market with my friend Benson from Nairobi to buy a Kenyan cricket jersey for myself, but we couldn’t find any. So, Benson had the idea of visiting the Nairobi Gymkhana Club, which used to be Kenya’s main cricket ground. It has hosted some historic matches, including the 2003 World Cup match in which Kenya beat the mighty Sri Lankans and the record for the fastest ODI century by Shahid Afridi in just 37 balls in 1996.

Although entry to the club was exclusively for members, I was warmly welcomed by the staff. Upon reaching the cricket ground, I met some Indian players who played in Kenyan leagues, as well as Lucas Oluoch and Dominic Wesonga, who have represented Kenya in ODIs. When I expressed interest in getting a jersey, Dominic agreed to send me pictures of his jersey. I liked his jersey and collected it from him. I gave him 2000 shillings, an amount suggested by those Indian players.

Me with players at the Nairobi Gymkhana Club

Cricket pitch at the Nairobi Gymkhana Club

A view of the cricket ground inside the Nairobi Gymkhana Club

Scoreboard at the Nairobi Gymkhana cricket ground

Giraffe Center in Nairobi

Kenya is known for its safaris and has no shortage of national parks. In fact, Nairobi is the only capital in the world with a national park. I decided not to visit a national park, as most of them were expensive and offered multi-day tours, and I didn’t want to spend that much time in the wildlife.

Instead, I went to the Giraffe Center in Nairobi with Pragya and Rabina. The ticket cost 1500 Kenyan shillings (1000 Indian rupees). In Kenya, matatus - shared vans, usually decorated with portraits of famous people and playing rap songs - are the most popular means of public transport. Reaching the Giraffe Center from our hotel required taking five matatus, which cost a total of 150 shillings, and a 2 km walk. The journey back was 90 shillings, suggesting that we didn’t find the most efficient route to get there. At the Giraffe Center, we fed giraffes and took photos.

A matatu with a Notorious BIG portrait.

Inside the Giraffe Center

Train ride from Nairobi to Mombasa

I took a train from Nairobi to Mombasa. The train is known as the “SGR Train,” where “SGR” refers to “Standard Gauge Railway.” The journey was around 500 km. M-Pesa was the only way to make payment for pre-booking the train ticket, and I didn’t have an M-Pesa account. Pragya’s friend Mary helped facilitate the payment. I booked a second-class ticket, which cost 1500 shillings (1000 Indian rupees).

The train was scheduled to depart from Nairobi at 08:00 hours in the morning and arrive in Mombasa at 14:00 hours. The security check at the station required scanning our bags and having them sniffed by sniffer dogs. I also fell victim to a scam by a security official who offered to help me get my ticket printed, only to later ask me to get him some coffee, which I politely declined.

Before boarding the train, I was treated to some stunning views at the Nairobi Terminus station. It was a seating train, but I wished it were a sleeper train, as I was sleep-deprived. The train was neat and clean, with good toilets. The train reached Mombasa on time at around 14:00 hours.

SGR train at Nairobi Terminus.

Interior of the SGR train

Arrival in Mombasa

Mombasa Terminus station.

Mombasa was a bit hotter than Nairobi, with temperatures reaching around 30 degrees Celsius. However, that’s not too hot for me, as I am used to higher temperatures in India. I had booked a hostel in the Old Town and was searching for a hitchhike from the Mombasa Terminus station. After trying for more than half an hour, I took a matatu that dropped me 3 km from my hostel for 200 shillings (140 Indian rupees). I tried to hitchhike again but couldn’t find a ride.

I think I know why I couldn’t get a ride in both the cases. In the first case, the Mombasa Terminus was in an isolated place, so most of the vehicles were taxis or matatus while any noncommercial cars were there to pick up friends and family. If the station were in the middle of the city, there would be many more car/truck drivers passing by, thus increasing my possibilities of getting a ride. In the second case, my hostel was at the end of the city, and nobody was going towards that side. In fact, many drivers told me they would love to give me a ride, but they were going in some other direction.

Finally, I took a tuktuk for 70 shillings to reach my hostel, Tulia Backpackers. It was 11 USD (1400 shillings) for one night. The balcony gave a nice view of the Indian Ocean. The rooms had fans, but there was no air conditioning. Each bed also had mosquito nets. The place was walking distance of the famous Fort Jesus. Mombasa has had more Islamic influence compared to Nairobi and also has many Hindu temples.

The balcony at Tulia Backpackers Hostel had a nice view of the ocean.

A room inside the hostel with fans and mosquito nets on the beds

Visiting White Sandy Beaches and Getting a Hitchhike

Visiting Nyali beach marked my first time ever at a white sand beach. It was like 10 km from the hostel. The next day, I visited Diani Beach, which was 30 km from the hostel. Going to Diani Beach required crossing a river, for which there’s a free ferry service every few minutes, followed by taking a matatu to Ukunda and then a tuk-tuk to Diani Beach. This gave me an opportunity to see the beautiful countryside during the ride.

Nyali beach is a white sand beach

This is the ferry service for crossing the river.

During my return from Diani Beach to the hostel, I was successful in hitchhiking. However, it was only a 4 km ride and not sufficient to reach Ukunda, so I tried to get another ride. When a truck stopped for me, I asked for a ride to Ukunda. Later, I learned that they were going in the same direction as me, so I got off within walking distance of my hostel. The ride was around 30 km. I also learned the difference between a truck ride and a matatu or car ride. For instance, matatus and cars are much faster and cooler due to air conditioning, while trucks tend to be warmer because they lack it. Further, the truck was stopped at many checkpoints by the police for inspections as it carried goods, which is not the case with matatus. Anyway, it was a nice experience, and I am grateful for the ride. I had a nice conversation with the truck drivers about Indian movies and my experiences in Kenya.

Diani beach is a popular beach in Kenya. It is a white sand beach.

Selfie with truck drivers who gave me the free ride

Back to Nairobi

I took the SGR train from Mombasa back to Nairobi. This time I took the night train, which departs at 22:00 hours, reaching Nairobi at around 04:00 in the morning. I could not sleep comfortably since the train only had seats, not berths.

I had booked the Zarita Hotel in Nairobi and had already confirmed that they allowed early morning check-in. Usually, hotels have a fixed checkout time, say 11:00 in the morning, and you are not allowed to stay beyond that regardless of the time you checked in. But this hotel checked me in for 24 hours. Here, I paid in US dollars, and the cost was 12 USD.

Almost Got Stuck in Kenya

Two days before my scheduled flight from Nairobi back to India, I heard the news that the airports in Kenya were closed due to the strikes. Rabina and Pragya had their flight back to Nepal canceled that day, which left them stuck in Nairobi for two additional days. I called Sahil in India and found out during the conversation that the strike was called off in the evening. It was a big relief for me, and I was fortunate to be able to fly back to India without any changes to my plans.

Newspapers at a stand in Kenya covering news on the airport closure

Experience with locals

I had no problems communicating with Kenyans, as everyone I met knew English to an extent that could easily surpass that of big cities in India. Additionally, I learned a few words from Kenya’s most popular local language, Swahili, such as “Asante,” meaning “thank you,” “Jambo” for “hello,” and “Karibu” for “welcome.” Knowing a few words in the local language went a long way.

I am not sure what’s up with haggling in Kenya. It wasn’t easy to bring the price of souvenirs down. I bought a fridge magnet for 200 shillings, which was the quoted price. On the other hand, it was much easier to bargain with taxis/tuktuks/motorbikes.

I stayed at three hotels/hostels in Kenya. None of them had air conditioners. Two of the places were in Nairobi, and they didn’t even have fans in the rooms, while the one in Mombasa had only fans. All of them had good Wi-Fi, except Tulia where the internet overall was a bit shaky.

My experience with the hotel staff was great. For instance, we requested that the Nairobi Transit Hotel cancel the included breakfast in order to reduce the room costs, but later realized that it was not a good idea. The hotel allowed us to revert and even offered one of our missing breakfasts during dinner.

The staff at Tulia Backpackers in Mombasa facilitated the ticket payment for my train from Mombasa to Nairobi. One of the staff members also gave me a lift to the place where I could catch a matatu to Nyali Beach. They even added an extra tea bag to my tea when I requested it to be stronger.

Food

At the Nairobi Transit Hotel, a Spanish omelette with tea was served for breakfast. I noticed that Spanish omelette appeared on the menus of many restaurants, suggesting that it is popular in Kenya. This was my first time having this dish. The milk tea in Kenya, referred to by locals as “white tea,” is lighter than Indian tea (they don’t put in a lot of tea leaves).

Spanish omelette served at breakfast at Nairobi Transit Hotel

I also sampled ugali with eggs. In Mombasa, I visited an Indian restaurant called New Chetna and had a buffet thali there twice.

Ugali with eggs.

Tips for Exchanging Money

In Kenya, I exchanged my money at forex shops a couple of times. I received good exchange rates for bills larger than 50 USD. For instance, 1 USD on xe.com was 129 shillings, and I got 128.3 shillings per USD (a total of 12,830 shillings) for two 50 USD notes at an exchange in Nairobi, compared to 127 shillings, which was the highest rate at the banks. On the other hand, for each 1 USD note, I would have received an exchange rate of 125 shillings. A passport was the only document required for the exchange, and they also provided a receipt.

A good piece of advice for travelers is to keep 50 USD or larger bills for exchanging into the local currency while saving the smaller US dollar bills for accommodation, as many hotels and hostels accept payment in US dollars.

Missed Malindi and Lamu

There were more places on my to-visit list in Kenya. But I simply didn’t have time to cover them, as I don’t like rushing through places, especially in a foreign country where there is a chance of me underestimating the amount of time it takes during transit. I would have liked to visit at least one of Kilifi, Watamu or Malindi beaches. Further, Lamu seemed like a unique place to visit as it has no cars or motorized transport; the only options for transport are boats and donkeys.

Planet DebianSven Hoexter: Google CloudDNS HTTPS Records with ipv6hint

I naively provisioned an HTTPS record at Google CloudDNS like this via terraform:

resource "google_dns_record_set" "testv6" {
    name         = "testv6.some-domain.example."
    managed_zone = "some-domain-example"
    type         = "HTTPS"
    ttl          = 3600
    rrdatas      = ["1 . alpn=\"h2\" ipv4hint=\"198.51.100.1\" ipv6hint=\"2001:DB8::1\""]
}

This results in a permanent diff because the Google CloudDNS API seems to parse the record content and stores the ipv6hint expanded (removing the :: notation) and in all lowercase as 2001:db8:0:0:0:0:0:1. Thus, to fix the permanent diff, we have to use it like this:

resource "google_dns_record_set" "testv6" {
    name         = "testv6.some-domain.example."
    managed_zone = "some-domain-example"
    type         = "HTTPS"
    ttl          = 3600
    rrdatas      = ["1 . alpn=\"h2\" ipv4hint=\"198.51.100.1\" ipv6hint=\"2001:db8:0:0:0:0:0:1\""]
}

Guess I should be glad that they already support HTTPS records natively, and not bicker too much about the implementation details.
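As an added example (not from the post), a small Python helper that rewrites the ipv6hint of an HTTPS rrdata string into the form the post says CloudDNS hands back (all eight groups, no ::, lowercase hex, leading zeros dropped), so the value can be written that way in terraform up front and checked for drift before a plan is run. It uses only the standard library; the SvcParam matching is a minimal assumption of mine, not Google's parser.

```python
"""Canonicalise ipv6hint values in an HTTPS/SVCB rdata string.

Added example: the post observes that Google Cloud DNS stores ipv6hint
addresses fully expanded (no '::'), lowercase and without leading zeros,
e.g. 2001:DB8::1 -> 2001:db8:0:0:0:0:0:1. Writing the terraform value in
that form avoids the permanent plan diff.
"""
import ipaddress
import re

# Matches one ipv6hint SvcParam. The value may be quoted and may carry a
# comma-separated list of addresses (SVCB presentation format). This
# regex is an assumption for the example, not Cloud DNS's own parser.
_IPV6HINT = re.compile(r'ipv6hint=("?)([0-9A-Fa-f:.,]+)\1')


def cloud_dns_ipv6(addr: str) -> str:
    """Render one IPv6 address the way the post says Cloud DNS stores it:
    eight colon-separated groups, lowercase hex, no leading zeros, no '::'.
    Raises ValueError for anything that is not a valid IPv6 address."""
    # .exploded gives eight groups of four hex digits; strip the padding.
    exploded = ipaddress.IPv6Address(addr).exploded
    return ":".join(format(int(group, 16), "x") for group in exploded.split(":"))


def normalize_https_rdata(rdata: str) -> str:
    """Rewrite every ipv6hint value in an HTTPS record rdata string.
    Other SvcParams (alpn, ipv4hint, ...) are passed through untouched."""
    def fix(match):
        quote = match.group(1)
        addrs = [cloud_dns_ipv6(a) for a in match.group(2).split(",")]
        return f'ipv6hint={quote}{",".join(addrs)}{quote}'
    return _IPV6HINT.sub(fix, rdata)


def would_drift(configured: str) -> bool:
    """True when terraform would see a permanent diff: the literal as
    written differs from the canonical form the API returns."""
    return normalize_https_rdata(configured) != configured


if __name__ == "__main__":
    # The post's original (drifting) rrdata value.
    naive = '1 . alpn="h2" ipv4hint="198.51.100.1" ipv6hint="2001:DB8::1"'
    print("drifts:", would_drift(naive))
    print(normalize_https_rdata(naive))
```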

Worse Than FailureCodeSOD: A Matter of Understanding

For years, Victoria had a co-worker who "programmed by Google Search"; they didn't understand how anything worked, they simply plugged their problem into Google search and then copy/pasted and edited until they got code that worked. For this developer, I'm sure ChatGPT has been a godsend, but this code predates its wide use. It's pure "Googlesauce".

    StringBuffer stringBuffer = new StringBuffer();
    stringBuffer.append("SELECT * FROM TABLE1 WHERE COLUMN1 = 1 WITH UR");

    String sqlStr = stringBuffer.toString();
    ps = getConnection().prepareStatement(sqlStr);

    ps.setInt(1, code);

    rs = ps.executeQuery();

    while (rs.next())
    {
      count++;
    }

The core of this WTF isn't anything special: instead of running a SELECT COUNT they run a SELECT and then loop over the results to get the count. But it's all the little details in here which make it fun.

They start by using a StringBuffer to construct their query, not a horrible plan when the query is long, but this is just a single, simple, one-line query. The query contains a WITH clause, but it's in the wrong spot. Then they prepareStatement it, which does nothing, since this query doesn't contain any parameters (and also, isn't syntactically valid). Once it's prepared, they set the non-existent parameter 1 to a value; this operation will throw an exception because there are no parameters in the query.

Finally, they loop across the results to count.

The real WTF is that this code ended up in the code base, somehow. The developer said, "Yes, this seems good, I'll check in this non-functional blob that I definitely don't understand," and then there were no protections in place to keep that from happening. Now it falls to more competent developers, like Victoria, to clean up after this co-worker.
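The same pattern reworked with Python's sqlite3, as an added example rather than the original Java: the naive version reproduces the binding error the article describes, and the hardened version uses a real placeholder and lets the database do the count. TABLE1 and its rows are constructed here, and WITH UR (a DB2 isolation clause) is left out because SQLite has no equivalent.

```python
"""The CodeSOD pattern above redone with sqlite3 (added example, not the
original Java): a value bound to a query with no placeholder fails in the
driver, and the corrected query is parameterised and counts server-side."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TABLE1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TABLE1 (COLUMN1 INTEGER, NAME TEXT)")
    conn.executemany("INSERT INTO TABLE1 VALUES (?, ?)",
                     [(1, "a"), (1, "b"), (2, "c"), (3, "d")])
    return conn


def count_the_wtf_way(conn: sqlite3.Connection, code: int) -> int:
    """Literal 1 baked into WHERE, then a value bound to a placeholder
    that does not exist. The driver rejects the binding, just as
    ps.setInt(1, code) throws in JDBC, so the counting loop is never
    reached."""
    sql = "SELECT * FROM TABLE1 WHERE COLUMN1 = 1"
    rows = conn.execute(sql, (code,))   # raises sqlite3.ProgrammingError
    return sum(1 for _ in rows)         # client-side count, never runs


def count_rows(conn: sqlite3.Connection, code: int) -> int:
    """Hardened form: one placeholder for the value (no string building,
    no injection surface) and COUNT(*) computed by the database instead
    of pulling every matching row to count it client-side."""
    sql = "SELECT COUNT(*) FROM TABLE1 WHERE COLUMN1 = ?"
    (count,) = conn.execute(sql, (code,)).fetchone()
    return count


def binding_error_message(code: int = 2) -> str:
    """Run the naive version and return the driver's error text
    (empty string if, unexpectedly, it did not fail)."""
    conn = make_db()
    try:
        count_the_wtf_way(conn, code)
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    db = make_db()
    print("naive version:", binding_error_message())
    print("rows with COLUMN1 = 1:", count_rows(db, 1))
```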


365 TomorrowsThe Noghath Watches

Author: Julian Miles, Staff Writer The screen turns to flickering white lines behind a ‘Connecting…’ prompt. I find myself smiling and look up at the night sky. What do the natives call that constellation? Sarg something. Sarga Nol? Bigger… ‘Sarghalor Noghath’! Yes. Conceptual translation gives us ‘The noghath watches’. Neither the indigens nor us have […]

The post The Noghath Watches appeared first on 365tomorrows.

Cryptogram Sophos Versus the Chinese Hackers

Really interesting story of Sophos’s five-year war against Chinese hackers.


Rondam RamblingsWhat scares me about a second Trump administration

As long as I'm getting things on the record (while I still can without too much fear of reprisal) I want to endorse a video by Legal Eagle that lays out the case against voting for Donald Trump in 18 minutes of some of the best video commentary I've ever seen.  It's well worth watching, and encouraging others to watch, but just in case you don't want to invest the time and would rather read,

Planet DebianSteinar H. Gunderson: Ultimate rules as a service

Since WFDF changed their ultimate rules web site to be less-than-ideal (in the name of putting everything into Wordpress…), I made my own, at urules.org. It was a fun journey; I've never fiddled with PWAs before, and I was a bit surprised how low-level it all was. I assumed that since my page is just a bunch of HTML files and ~100 lines of JS, I could just bundle that up—but no, that is something they expect a framework to do for you.

The only primitive you get is seemingly that you can fire up your own background service worker (JS running in its own, locked-down context) and that gets to peek at every HTTP request done and possibly intercept it. So you can use a Web Cache (seemingly a separate concept from web local storage?), insert stuff into that, and then query it to intercept requests. It doesn't feel very elegant, perhaps?

It is a bit neat that I can use this to make my own bundling, though. All the pages and images (painfully converted to SVG to save space and re-flow for mobile screens, mostly by simply drawing over bitmaps by hand in Inkscape) are stuck into a JSON dictionary, compressed using the slowest compressor I could find and then downloaded as a single 159 kB bundle. It makes the site actually sort of weird to navigate; since it pretty quickly downloads the bundle in the background, everything goes offline and the speed of loading new pages just feels… off somehow. As if it's not a Serious Web Page if there's no load time.

Of course, this also means that I couldn't cache PNGs, because have you ever tried to have non-UTF-8 data in a JSON sent through N layers of JavaScript? :-)

Planet DebianGuido Günther: Free Software Activities October 2024

Another short status update of what happened on my side last month. Besides a phosh bugfix release, improving text input and selection was again a prevalent pattern, resulting in improvements in the compositor, the OSK and some apps.

phosh

  • Install gir (MR). Needed for e.g. Debian to properly package the Rust bindings.
  • Try harder to find an app icon when showing notifications (MR)
  • Add a simple Pomodoro timer plugin (MR)
  • Small screenshot manager fixes (MR)
  • Tweak portals configuration (MR)
  • Consistent focus style on lock screen and settings (MR). Improves the visual appearance as the dotted focus frame doesn't match our otherwise colored focus frames
  • Don't focus buttons in settings (MR). Improves the visual appearance as attention isn't drawn to the button focus.
  • Close Phosh's settings when activating a Settings panel (MR)

phoc

  • Improve cursor and cursor theme handling, hide mouse pointer by default (MR)
  • Don't submit empty preedit (MR)
  • Fix flickering selection bubbles in GTK4's text input fields (MR)
  • Backport two more fixes and release 0.41.1 (MR)

phosh-mobile-settings

  • Allow to select default text completer (MR, MR)
  • Don't crash when we fail to load a pref plugin (MR)

libphosh-rs

  • Update with current gir and allow to use status pages (MR)
  • Expose screenshot manager and build without warnings (MR). (Improved further by a follow up MR from Sam)
  • Fix clippy warnings and add clippy to CI (MR)

phosh-osk-stub

  • presage: Always set predictors (MR). Avoids surprises with unwanted predictors.
  • Install completer information (MR)
  • Handle overlapping touch events (MR). This should improve fast typing.
  • Allow plain ctrl and alt in the shortcuts bar (MR)
  • Use Adwaita background color to make the OSK look more integrated (MR)
  • Use StyleManager to support accent colors (MR)
  • Fix emoji section selection in RTL locales (MR)
  • Don't submit empty preedit (MR). Helps to better preserve text selections.

phosh-osk-data

  • Add scripts to build word corpus from Wikipedia data (MR) See here for the data.

xdg-desktop-portal-phosh

  • Release 0.42~rc1 (MR)
  • Fix HighContrast (MR)

Debian

  • Collect some of the QCom workarounds in a package (MR). This is not meant to go into Debian proper but it's nicer than doing all the mods by hand and forgetting which files were modified.
  • q6voiced: Fix service configuration (MR)
  • chatty: Enable clock test again (MR), and then unbreak translations (MR)
  • phosh: Ship gir for libphosh-rs (MR)
  • phoc: Backport input method related fix (MR)
  • Upload initial package of phosh-osk-data: Status in NEW
  • Upload initial package of xdg-desktop-portal-phosh: Status in NEW
  • Backport phosh-osk-stub abbrev fix (MR)
  • phoc: Update to 0.42.1 (MR)
  • mobile-tweaks: Enable zram on Librem 5 and PP (MR)

ModemManager

  • Some further work on the Cell Broadcast to address comments (MR)

Calls

  • Further improve daemon mode (MR) (mentioned last month already but got even simpler)

GTK

  • Handle Gtk{H,V}Separator when migrating UI files to GTK4 (MR)

feedbackd

  • Modernize README a bit (MR)

Chatty

  • Use special event for SMS (MR)
  • Another QoL fix when using OSK (MR)
  • Fix printing time diffs on 32bit architectures (MR)

libcmatrix

  • Use endpoints for authenticated media (MR). Needed to support v1.11 servers.

phosh-ev

  • Switch to GNOME 47 runtime (MR)

git-buildpackage

  • Don't use deprecated pkg-resources (MR)

Unified push specification

  • Expand on DBus activation a bit (MR)

swipeGuess

  • Small build improvement and mention phosh-osk-stub (Commit)

wlr-clients

  • Fix -o option and add help output (MR)

iotas (Note taking app)

  • Don't take focus with header bar buttons (MR). Makes typing faster (as the OSK won't hide) and thus using the header bar easier

Flare (Signal app)

  • Don't take focus when sending messages, adding emojis or attachments (MR). Makes typing faster (as the OSK won't hide) and thus using those buttons easier

xdg-desktop-portal

  • Use categories that work for both xdg-spec and the portal (MR)

Reviews

This is not code by me but reviews of other people's code. The list is fairly incomplete; I hope to improve on this in the upcoming months:

  • phosh-tour: add first login mode (MR)
  • phosh: Animate swipe closing notifications (MR)
  • iio-sensor-proxy: Report correct value on claim (MR)
  • iio-sensor-proxy: face-{up,down} (MR)
  • phosh-mobile-settings: Squeekboard scaling (MR)
  • libcmatrix: Misc cleanups/fixes (MR)
  • phosh: Notification separator improvements (MR)
  • phosh: Accent colors (MR)

Help Development

If you want to support my work see donations. This includes a list of hardware we want to improve support for. Thanks a lot to all current and past donors.

Planet DebianJunichi Uekawa: Doing more swimming in everyday life for the past few months.

Doing more swimming in everyday life for the past few months. Seems like I am keeping that up.

365 TomorrowsHere Be Dragons

Author: Beck Dacus One half of the sky brimmed with stars, the Sun at one light-week’s distance barely outshining the rest. The other half was utterly dark, as if the universe ended at a sheer cliff. As I approached the blackness, detail started to emerge, my headlamp casting shadows on icy gravel the color of […]

The post Here Be Dragons appeared first on 365tomorrows.


Planet DebianDirk Eddelbuettel: Rcpp 1.0.13-1 on CRAN: Hot Fix

rcpp logo

A hot-fix release 1.0.13-1, consisting of two small PRs relative to the last regular CRAN release 1.0.13, just arrived on CRAN. When we prepared 1.0.13, we included a change related to the ‘tightening’ of the C API of R itself. Sadly, we pinned an expected change to ‘comes with next (minor) release 4.4.2’ rather than now ‘next (normal aka major) release 4.5.0’. And now that R 4.4.2 is out (as of two days ago) we accidentally broke building against the header file with that check. Whoops. Bugs happen, and we are truly sorry—but this is now addressed in 1.0.13-1.

The normal (bi-annual) release cycle will resume with 1.0.14 slated for January. As you can see from the NEWS file of the development branch, we have a number of changes coming. You can safely access that release candidate version, either off the default branch at github or via r-universe artifacts.

The list below details all changes, as usual. The only other change concerns the now-mandatory use of Authors@R.

Changes in Rcpp release version 1.0.13-1 (2024-11-01)

  • Changes in Rcpp API:

    • Use read-only VECTOR_PTR and STRING_PTR only with R 4.5.0 or later (Kevin in #1342 fixing #1341)
  • Changes in Rcpp Deployment:

    • Authors@R is now used in DESCRIPTION as mandated by CRAN

Thanks to my CRANberries, you can also look at a diff to the previous release. Questions, comments etc. should go to the rcpp-devel mailing list off the R-Forge page. Bug reports are welcome at the GitHub issue tracker as well (where one can also search among open or closed issues).

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianRussell Coker: More About the Yoga Gen3

Two months ago I bought a Thinkpad X1 Yoga Gen3 [1]. I’m still very happy with it, the screen is a great improvement over the FullHD screen on my previous Thinkpad. I have yet to discover what’s the best resolution to have on a laptop if price isn’t an issue, but it’s at least 1440p for a 14″ display, that’s 210DPI. The latest Thinkpad X1 Yoga is the 7th gen and has up to 3840*2400 resolution on the internal display for 323DPI. Apple apparently uses the term “Retina Display” to mean something in the range of 250DPI to 300DPI, so my current laptop is below “Retina” while the most expensive new Thinkpads are above it.

I did some tests on external displays and found that this Thinkpad along with a Dell Latitude of the same form factor and about the same age can only handle one 4K display on a Thunderbolt dock and one on HDMI. On Reddit u/Carlioso1234 pointed out this specs page which says it supports a maximum of 3 displays including the built in TFT [2]. The Thunderbolt/USB-C connection has a maximum resolution of 5120*2880 and the HDMI port has a maximum of 4K. The latest Yoga can support four displays total which means 2*5K over Thunderbolt and one 4K over HDMI. It would be nice if someone made a 8000*2880 ultrawide display that looked like 2*5K displays when connected via Thunderbolt. It would also be nice if someone made a 32″ 5K display, currently they all seem to be 27″ and I’ve found that even for 4K resolution 32″ is better than 27″.

With the typical configuration of Linux and the BIOS the Yoga Gen3 will have its touch screen stop working after suspend. I have confirmed this for stylus use, but as the finger-touch functionality is broken I couldn’t confirm that. On r/thinkpad u/p9k told me how to fix this problem [3]. I had to set the BIOS to Win 10 Sleep aka Hybrid sleep and then put the following in /etc/systemd/system/thinkpad-wakeup-config.service :

# https://www.reddit.com/r/thinkpad/comments/1blpy20/comment/kw7se2l/?context=3

[Unit]
Description=Workarounds for sleep wakeup source for Thinkpad X1 Yoga 3
After=sysinit.target
After=systemd-modules-load.service

[Service]
Type=oneshot
ExecStart=/bin/sh -c "echo 'enabled' > /sys/devices/platform/i8042/serio0/power/wakeup"
ExecStart=/bin/sh -c "echo 'enabled' > /sys/devices/platform/i8042/serio1/power/wakeup"
ExecStart=/bin/sh -c "echo 'LID' > /proc/acpi/wakeup"

[Install]
WantedBy=multi-user.target

Now it works fine, for stylus at least. I still get kernel error messages like the following which don’t seem to cause problems:

wacom 0003:056A:5146.0005: wacom_idleprox_timeout: tool appears to be hung in-prox. forcing it out.

When it wasn’t working I got the above but also kernel error messages like:

wacom 0003:056A:5146.0005: wacom_wac_queue_insert: kfifo has filled, starting to drop events

This change affected the way suspend etc operate. Now when I connect the laptop to power it will leave suspend mode. I’ve configured KDE to suspend when the lid is closed and there’s no monitor connected.

Planet DebianRussell Coker: Moving Between Devices

I previously wrote about the possibility of transferring work between devices as an alternative to “convergence” (using a phone or tablet as a desktop) [1]. This idea has been implemented in some commercial products already.

MrWhosTheBoss made a good YouTube video reviewing recent Huawei products [2]. At 2:50 in that video he shows how you can link a phone and tablet, control one from the other, drag and drop of running apps and files between phone and tablet, mirror the screen between devices, etc. He describes playing a video on one device and having it appear on the other, I hope that it actually launches a new instance of the player app as the Google Chromecast failed in the market due to remote display being laggy. At 7:30 in that video he starts talking about the features that are available when you have multiple Huawei devices, starting with the ability to move a Bluetooth pairing for earphones to a different device.

At 16:25 he shows what Huawei is doing to get apps going, including allowing apk files to be downloaded and creating what they call “Quick Apps”, which are instances of a web browser configured to use just one web site and made to look like a discrete app. We need something like this for FOSS phone distributions – does anyone know of a browser that’s good for it?

Another thing that we need is to have an easy way of transferring open web pages between systems. Chrome allows sending pages between systems but it’s proprietary, limited to Chrome only, and also takes an unreasonable amount of time. KDEConnect allows sharing clipboard contents which can be used to send URLs that can then be pasted into a browser, but the process of copy URL, send via KDEConnect, and paste into other device is unreasonably slow. The design of Chrome with a “Send to your devices” menu option from the tab bar is OK. But ideally we need a “Send to device” for all tabs of a window as well, we need it to run from free software and support using your own server not someone else’s server (AKA “the cloud”). Some of the KDEConnect functionality but using a server rather than direct connection over the same Wifi network (or LAN if bridged to Wifi) would be good.

What else do we need?

365 TomorrowsBetter Left Undead

Author: J. Scott King “Can he continue?” A familiar voice, distant, urgent. And nearer, “The Seconds are conferring, Captain.” Then, more urgently, “Come no closer, sir! Resseaux, control your man!” A gruff, mumbled reply I can’t make out. “I’ll have him done!” That first fellow again… Captain Eddings. Right. Yes, that’s the one. Never liked […]

The post Better Left Undead appeared first on 365tomorrows.

Planet DebianRussell Coker: What is a Workstation?

I recently had someone describe a Mac Mini as a “workstation”, which I strongly disagree with. The Wikipedia page for Workstation [1] says that it’s a type of computer designed for scientific or technical use, for a single user, and would commonly run a multi-user OS.

The Mac Mini runs a multi-user OS and is designed for a single user. The issue is whether it is for “scientific or technical use”. A Mac Mini is a nice little graphical system which could be used for CAD and other engineering work. But I believe that the low capabilities of the system and lack of expansion options make it less of a workstation.

The latest versions of the Mac Mini (to be officially launched next week) have up to 64G of RAM and up to 8T of storage. That is quite decent compute power for a small device. For comparison the HP ML 110 Gen9 workstation I’m currently using was released in 2021 and has 256G of RAM and has 4 * 3.5″ SAS bays so I could easily put a few 4TB NVMe devices and some hard drives larger than 10TB. The HP Z640 workstation I have was released in 2014 and has 128G of RAM and 4*2.5″ SATA drive bays and 2*3.5″ SATA drive bays. Previously I had a Dell PowerEdge T320 which was released in 2012 and had 96G of RAM and 8*3.5″ SAS bays.

In CPU and GPU power the recent Mac Minis will compare well to my latest workstations. But they compare poorly to workstations from as much as 12 years ago for RAM and storage. Which is more important depends on the task: if you have to do calculations on 80G of data with lots of scans through the entire data set, then a system with 64G of RAM will perform very poorly and a system with 96G and a CPU less than half as fast will perform better. A Dell PowerEdge T320 from 2012 fully loaded with 192G of RAM will outperform a modern Mac Mini on many tasks due to this, and the T420 supported up to 384G.

Another issue is generic expansion options. I expect a workstation to have a number of PCIe slots free for GPUs and other devices. The T320 I used to use had a PCIe power cable for a power hungry GPU and I think all the T320 and T420 models with high power PSUs supported that.

I think that a usable definition of a “workstation” is a system having a feature set that is typical of servers (ECC RAM, lots of storage for RAID, maybe hot-swap storage devices, maybe redundant PSUs, and lots of expansion options) while also being suitable for running on a desktop or under a desk. The Mac Mini is nice for running on a desk but that’s the only workstation criterion it fits. I think that ECC RAM should be a mandatory criterion and any system without it isn’t a workstation. That excludes most Apple hardware. The Mac Mini is more of a thin-client than a workstation.

My main workstation with ECC RAM could run 3 VMs that each have more RAM than the largest Mac Mini that will be sold next week.

If 32G of non-ECC RAM is considered enough for a “workstation” then you could get an Android phone that counts as a workstation – and it will probably cost less than a Mac Mini.


Krebs on SecurityBooking.com Phishers May Leave You With Reservations

A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We’ll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world’s most visited travel website.

According to the market share website statista.com, booking.com is by far the Internet’s busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California hotel.

The missive bore the name of the hotel and referenced details from their reservation, claiming that booking.com’s anti-fraud system required additional information about the customer before the reservation could be finalized.

The phishing message our reader’s friend received after making a reservation at booking.com in late October.

In an email to KrebsOnSecurity, booking.com confirmed one of its partners had suffered a security incident that allowed unauthorized access to customer booking information.

“Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which unfortunately is not a new situation and quite common across industries,” booking.com replied. “Importantly, we want to clarify that there has been no compromise of Booking.com’s internal systems.”

The phony booking.com website generated by visiting the link in the text message.

Booking.com said it now requires 2FA, which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.

“2FA is required and enforced, including for partners to access payment details from customers securely,” a booking.com spokesperson wrote. “That’s why the cybercriminals follow-up with messages to try and get customers to make payments outside of our platform.”

“That said, the phishing attacks stem from partners’ machines being compromised with malware, which has enabled them to also gain access to the partners’ accounts and to send the messages that your reader has flagged,” they continued.

It’s unclear, however, if the company’s 2FA requirement is enforced for all or just newer partners. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.

A scan of social media networks showed this is not an uncommon scam.

In November 2023, the security firm SecureWorks detailed how scammers targeted booking.com hospitality partners with data-stealing malware. SecureWorks said these attacks had been going on since at least March 2023.

“The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy,” SecureWorks said of the booking.com partner it investigated.

In June 2024, booking.com told the BBC that phishing attacks targeting travelers had increased 900 percent, and that thieves taking advantage of new artificial intelligence (AI) tools were the primary driver of this trend.

Booking.com told the BBC the company had started using AI to fight AI-based phishing attacks. Booking.com’s statement said their investments in that arena “blocked 85 million fraudulent reservations over more than 1.5 million phishing attempts in 2023.”

The domain name in the phony booking.com website sent to our reader’s friend — guestssecureverification[.]com — was registered to the email address ilotirabec207@gmail.com. According to DomainTools.com, this email address was used to register more than 700 other phishing domains in the past month alone.

Many of the 700+ domains appear to target hospitality companies, including platforms like booking.com and Airbnb. Others seem crafted to phish users of Shopify, Steam, and a variety of financial platforms. A full, defanged list of domains is available here.

A cursory review of recent posts across dozens of cybercrime forums monitored by the security firm Intel 471 shows there is a great demand for compromised booking.com accounts belonging to hotels and other partners.

One post last month on the Russian-language hacking forum BHF offered up to $5,000 for each hotel account. This seller claims to help people monetize hacked booking.com partners, apparently by using the stolen credentials to set up fraudulent listings.

A service advertised on the English-language crime community BreachForums in October courts phishers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Those include more than two million hotel email addresses, and services designed to help phishers organize large volumes of phished records. Customers can interact with the service via an automated Telegram bot.

Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies catering to fellow scammers, with up to 50 percent discounts on hotel reservations through booking.com. Others are selling ready-to-use “config” files designed to make it simple to conduct automated login attempts against booking.com administrator accounts.

SecureWorks found the phishers targeting booking.com partner hotels used malware to steal credentials. But today’s thieves can just as easily just visit crime bazaars online and purchase stolen credentials to cloud services that do not enforce 2FA for all accounts.

That is exactly what transpired over the past year with many customers of the cloud data storage giant Snowflake. In late 2023, cybercriminals figured out that while tons of companies had stashed enormous amounts of customer data at Snowflake, many of those customer accounts were not protected by 2FA.

Snowflake responded by making 2FA mandatory for all new customers. But that change came only after thieves used stolen credentials to siphon data from 160 companies — including AT&T, Lending Tree and TicketMaster.

Planet DebianColin Watson: Free software activity in October 2024

Almost all of my Debian contributions this month were sponsored by Freexian.

You can also support my work directly via Liberapay.

Ansible

I noticed that Ansible had fallen out of Debian testing due to autopkgtest failures. This seemed like a problem worth fixing: in common with many other people, we use Ansible for configuration management at Freexian, and it probably wouldn’t make our sysadmins too happy if they upgraded to trixie after its release and found that Ansible was gone.

The problems here were really just slogging through test failures in both the ansible-core and ansible packages, but their test suites are large and take a while to run so this took some time. I was able to contribute a few small fixes to various upstreams in the process:

This should now get back into testing tomorrow.

OpenSSH

Martin-Éric Racine reported that ssh-audit didn’t list the ext-info-s feature as being available in Debian’s OpenSSH 9.2 packaging in bookworm, contrary to what OpenSSH upstream said on their specifications page at the time. I spent some time looking into this and realized that upstream was mistakenly saying that implementations of ext-info-c and ext-info-s were added at the same time, while in fact ext-info-s was added rather later. ssh-audit now has clearer output, and the OpenSSH maintainers have corrected their specifications page.

I looked into a report of an ssh failure in certain cases when using GSS-API key exchange (which is a Debian patch). Once again, having integration tests was a huge win here: the affected scenario is quite a fiddly one, but I was able to set it up in the test, and thereby make sure it doesn’t regress in future. It still took me a couple of hours to get all the details right, but in the past this sort of thing took me much longer with a much lower degree of confidence that the fix was correct.

On upstream’s advice, I cherry-picked some key exchange fixes needed for big-endian architectures.

Python team

I packaged python-evalidate, needed for a new upstream version of buildbot.

The Python 3.13 transition rolls on. I fixed problems related to it in htmlmin, humanfriendly, postgresfixture (contributed upstream), pylint, python-asyncssh (contributed upstream), python-oauthlib, python3-simpletal, quodlibet, zope.exceptions, and zope.interface.

A trickier Python 3.13 issue involved the cgi module. Years ago I ported zope.publisher to the multipart module because cgi.FieldStorage was broken in some situations, and as a result I got a recommendation into Python’s “dead batteries” PEP 594. Unfortunately there turns out to be a name conflict between multipart and python-multipart on PyPI; python-multipart upstream has been working to disentangle this, though we still need to work out what to do in Debian. All the same, I needed to fix python-wadllib and multipart seemed like the best fit; I contributed a port upstream and temporarily copied multipart into Debian’s python-wadllib source package to allow its tests to pass. I’ll come back and fix this properly once we sort out the multipart vs. python-multipart packaging.

tzdata moved some timezone definitions to tzdata-legacy, which has broken a number of packages. I added tzdata-legacy build-dependencies to alembic and python-icalendar to deal with this in those packages, though there are still some other instances of this left.

I tracked down an nltk regression that caused build failures in many other packages.

I fixed Rust crate versioning issues in pydantic-core, python-bcrypt, and python-maturin (mostly fixed by Peter Michael Green and Jelmer Vernooij, but it needed a little extra work).

I fixed other build failures in entrypoints, mayavi2, python-pyvmomi (mostly fixed by Alexandre Detiste, but it needed a little extra work), and python-testing.postgresql (ditto).

I fixed python3-simpletal to tolerate future versions of dh-python that will drop their dependency on python3-setuptools.

I fixed broken symlinks in python-treq.

I removed (build-)depends on python3-pkg-resources from alembic, autopep8, buildbot, celery, flufl.enum, flufl.lock, python-public, python-wadllib (contributed upstream), pyvisa, routes, vulture, and zodbpickle (contributed upstream).

I upgraded astroid, asyncpg (fixing a Python 3.13 failure and a build failure), buildbot (noticing an upstream test bug in the process), dnsdiag, frozenlist, netmiko (fixing a Python 3.13 failure), psycopg3, pydantic-settings, pylint, python-asyncssh, python-bleach, python-btrees, python-cytoolz, python-django-pgtrigger, python-django-test-migrations, python-gssapi, python-icalendar, python-json-log-formatter, python-pgbouncer, python-pkginfo, python-plumbum, python-stdlib-list, python-tokenize-rt, python-treq (fixing a Python 3.13 failure), python-typeguard, python-webargs (fixing a build failure), pyupgrade, pyvisa, pyvisa-py (fixing a Python 3.13 failure), toolz, twisted, vulture, waitress (fixing CVE-2024-49768 and CVE-2024-49769), wtf-peewee, wtforms, zodbpickle, zope.exceptions, zope.interface, zope.proxy, zope.security, and zope.testrunner to new upstream versions.

I tried to fix a regression in python-scruffy, but I need testing feedback.

I requested removal of python-testing.mysqld.

Worse Than FailureError'd: Alternative Maths

"Check out Visual Studio optimizing their rating system to only include the ratings used," shared Fiorenzo R. Imagine the performance gain!


"This sounds about right," says Colin A.


"Wow! Must snap up some sweet Anker kit with this amazing offer; but less than four days to go!" exclaims Dave L., who then goes on to explain
"The actual WTF is this though. I sent this image to Anker with this email: But only 3days left? I hope this offer continues!
Anker replied: Thank you for your feedback! I understand that you appreciate the savings on the Anker SOLIX PS100 Portable Solar Panel and wish the offer could be extended beyond the current 3-day limit. Your suggestion is valuable and will be considered for future promotions to enhance customer satisfaction. If you have any other requests or need further assistance, please let me know.
I for one welcome our new AI overlords. "


Graham F. almost stashed this away for later. "Looks like Dropbox could use a few lessons in how to do Maths! Although maybe their definition of 'almost' differs from mine."


Finally Joshua found time to report a brand-new date-handling bug. "Teams is so buggy; this one just takes the cake. I had to check with the unix cal program to make sure I wasn't completely bonkers." For the readers, November 8 this year is supposed to be a Friday. I suppose things could change after the US election.



Have a great weekend. Maybe I'll see you next Friday, or maybe all the weekdays will be renamed Thursday.

Planet DebianRuss Allbery: Review: Overdue and Returns

Review: Overdue and Returns, by Mark Lawrence

Publisher: Mark Lawrence
Copyright: June 2023
Copyright: February 2024
ASIN: B0C9N51M6Y
ASIN: B0CTYNQGBX
Format: Kindle
Pages: 99

Overdue is a stand-alone novelette in the Library Trilogy universe. Returns is a collection of two stories, the novelette "Returns" and the short story "About Pain." All of them together are about the length of a novella, so I'm combining them into a single review.

These are ancillary stories in the same universe as the novels, but not necessarily in the same timeline. (Trying to fit "About Pain" into the novel timeline will give you a headache and I am choosing to read it as author's fan fiction.) I'm guessing they're part of the new fad for releasing short fiction on Amazon to tide readers over and maintain interest between books in a series, a fad about which I have mixed feelings. Given the total lack of publisher metadata in either the stories or on Amazon, I'm assuming they were self-published even though the novels are published by Ace, but I don't know that for certain.

There are spoilers for The Book That Wouldn't Burn, so don't read these before that novel. There are no spoilers for The Book That Broke the World, and I don't think the reading order would matter.

I found all three of these stories irritating and thuddingly trite. "Returns" is probably the best of the lot in terms of quality of storytelling, but I intensely dislike the structural implications of the nature of the book at its center and am therefore hoping that it's non-canonical.

I would not waste your time with these even if you are enjoying the novels.

"Overdue": Three owners of the same bookstore at different points in time have encounters with an albino man named Yute who is on a quest. One of the owners is trying to write a book, one of them is older, depressed, and closed off, and one of them has regular conversations with her sister's ghost. The nature of the relationship between the three is too much of a spoiler, but it involves similar shenanigans as The Book That Wouldn't Burn.

Lawrence uses my least favorite resolution of benign ghost stories. The story tries very hard to sell it as a good thing, but I thought it was cruel and prefer fantasy that rejects both branches of that dilemma. Other than that, it was fine, I guess, although the moral was delivered with all of the subtlety of the last two minutes of a Saturday morning cartoon. (5)

"Returns": Livira returns a book deep inside the library and finds that she can decipher it, which leads her to a story about Yute going on a trip to recover another library book. This had a lot of great Yute lines, plus I always like seeing Livira in exploration mode. The book itself is paradoxical in a causality-destroying way, which is handwaved away as literal magic. I liked this one the best of the three stories, but I hope the world-building of the main series does not go in this direction and I'm a little afraid it might. (6)

"About Pain": A man named Holden runs into a woman named Clovis at the gym while carrying a book titled Catcher that his dog found and that he's returning to the library. I thoroughly enjoy Clovis and was happy to read a few more scenes about her. Other than that, this was fine, I guess, although it is a story designed to deliver a point and that point is one that appears in every discussion of classics and re-reading that has ever happened on the Internet. Also, I know I'm being grumpy, but Lawrence's puns with authors and character names are chapter-epigraph amusing but not short-story-length funny. Yes, yes, his name is Holden, we get it. (5)

Rating: 5 out of 10

365 TomorrowsA Chest In A Room

Author: Aubrey Williams The cheap hotel room was draughty, the shadows ink in the recesses. Each sheet of green William Morris wallpaper was peeling in at least three places. For all the dinginess, though, it was a room, and I needed one. By a feeble light I’d tried to work, but the sound of the […]

The post A Chest In A Room appeared first on 365tomorrows.

Rondam RamblingsRon Prognosticates: Trump is Going to Win

 I'm too depressed to elaborate much on this, but I just wanted to go on the record with this prediction before the election.  Why do I think Trump is going to win?  Because DJT stock is up and has been rising steadily since it hit an all-time low in late September.  It didn't even go down today after yesterday's disastrous MSG rally.  The polls have been static since

Planet DebianPaul Wise: FLOSS Activities October 2024

Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

Issues

Sponsors

All work was done on a volunteer basis.

Planet DebianTaavi Väänänen: Custom domains on the Wikimedia Cloud VPS web proxy

The shared web proxy used on Wikimedia Cloud VPS now has technical support for using arbitrary domains (and not just wmcloud.org subdomains) in proxy names. I think this is a good example of how software slowly evolves over time as new requirements emerge, with each new addition building on top of the previous ones.

According to the edit history on Wikitech, the web proxy service has its origins in 2012, although the current idea where you create a proxy and map it to a specific instance and port was only introduced a year later. (Before that, it just directly mapped the subdomain to the VPS instance with the same name).

There were some smaller changes in the coming years like the migration to acme-chief for TLS certificate management, but the overall logic stayed very similar until 2020 when the wmcloud.org domain was introduced. That was implemented by adding a config option listing all possible domains, so future domain additions would be as simple as adding the new domain to that list in the configuration.

Then the changes start becoming more frequent:

  • In 2022, for my Terraform support project, a bunch of logic, including the list of supported backend domains, was moved from the frontend code to the backend. This also made it possible to dynamically change which projects can use which domain suffixes for their proxies.
  • Then, early this year, I added support for zones restricted to a single project, because we wanted to use the proxy for the *.svc.toolforge.org Toolforge infrastructure domains instead of coming up with a new system for that use case. This also added support for using different TLS certificates for different domains so that we would not have to have a single giant certificate with all the names.
  • Finally, the last step was to add two new features to the proxy system: support for adding a proxy at the apex of a domain, as well as support for domains that are not managed in Designate (the Cloud VPS/OpenStack authoritative DNS service). In addition, we needed a bit of config to ensure http-01 challenges get routed to the acme-chief instance.


Planet DebianGunnar Wolf: Do you have a minute..?

Do you have a minute...?

…to talk about the so-called “Intellectual Property”?

Cryptogram Roger Grimes on Prioritizing Cybersecurity Advice

This is a good point:

Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.

What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others.

[…]

The solution?

Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.

[…]

This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.

The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the other, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest?

Cryptogram Tracking World Leaders Using Strava

Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personnel were using it to track their runs, and you could look at the public data and find places where there should be no people running.

Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do.

Worse Than FailureCodeSOD: All the Rest Have 31

Horror movies, as of late, have gone to great lengths to solve the key obstacle to horror movies- cell phones. When we live in a world where help is a phone call away, it's hard to imagine the characters not doing that. So screenwriters put them in situations where this is impossible: in Midsommar they isolate them in rural Sweden, in Get Out calling the police is only going to put our protagonist in more danger. But what's possibly more common is making the film a period piece- like the X/Pearl/Maxxxine trilogy, Late Night with the Devil, or Netflix's continuing series of R.L. Stine adaptations.

I bring this up, because today's horror starts in 1993. A Norwegian software company launched its software product to mild acclaim. Like every company, it had its ups and downs, its successes and missteps. On the surface, it was a decent enough place to work.

Over the years, the company tried to stay up to date with technology. In 1993, if you were launching a major software product, your language options were largely C or Pascal. Languages like Python existed, but weren't widely used or even supported on most systems. But the company stayed in business and needed to update its technology as time passed, which meant the program gradually grew and migrated to new languages.

Which meant, by the time Niklas F joined the company, they were on C#. Even though they'd completely changed languages, the codebase still derived from the original C codebase. And that meant that the codebase had many secrets, dark corners, and places a developer should never look.

Like every good horror movie protagonist, Niklas heard the "don't go in there!" and immediately went in there. And lurking in those shadows was the thing every developer fears the most: homebrew date handling code.

/// <summary>
/// 
/// </summary>
/// <param name="dt"></param>
/// <returns></returns>
public static DateTime LastDayInMonth(DateTime dt)
{
	int day = 30;
	switch (dt.Month)
	{
		case 1:
			day = 31;
			break;
		case 2:
			if (IsLeapYear(dt))
				day = 29;
			else
				day = 28;
			break;
		case 3:
			day = 31;
			break;
		case 4:
			day = 30;
			break;
		case 5:
			day = 31;
			break;
		case 6:
			day = 30;
			break;
		case 7:
			day = 31;
			break;
		case 8:
			day = 31;
			break;
		case 9:
			day = 30;
			break;
		case 10:
			day = 31;
			break;
		case 11:
			day = 30;
			break;
		case 12:
			day = 31;
			break;
	}
	return new DateTime(dt.Year, dt.Month, day, 0, 0, 0);
}

/// <summary>
/// 
/// </summary>
/// <param name="dt"></param>
/// <returns></returns>
public static bool IsLeapYear(DateTime dt)
{
	bool ret = (((dt.Year % 4) == 0) && ((dt.Year % 100) != 0) || ((dt.Year % 400) == 0));
	return ret;
}

For a nice change of pace, this code isn't incorrect. Even the leap year calculation is actually correct (though my preference would be to just return the expression instead of using a local variable). But that's what makes this horror all the more insidious: there are built-in functions to handle all of this, but this code works and will likely continue to work, just sitting there, like a demon that we've made a pact with. And suddenly we realize this isn't Midsommar but Ari Aster's other hit film, Hereditary, and we're trapped in a lineage of monsters, and can't escape our inheritance.
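As an added example (not part of the original submission), here are the same two functions written against the framework's own DateTime.DaysInMonth and DateTime.IsLeapYear, together with a brute-force check that they agree with the homebrew table for every month from 1900 to 2100; the MonthEnd class and the CountDisagreements routine are my own names.

```csharp
using System;

// Added example (not the original CodeSOD code): the homebrew month-length
// switch and leap-year test rewritten on top of the framework's own calendar
// arithmetic, plus an exhaustive comparison against the original logic.
public static class MonthEnd
{
    // Framework version: DaysInMonth already applies the 4/100/400 rule.
    public static DateTime LastDayInMonth(DateTime dt)
    {
        int day = DateTime.DaysInMonth(dt.Year, dt.Month);
        // Pass dt.Kind through. The six-argument constructor used in the
        // original yields DateTimeKind.Unspecified, which silently drops
        // whether the input was UTC or local time.
        return new DateTime(dt.Year, dt.Month, day, 0, 0, 0, dt.Kind);
    }

    public static bool IsLeapYear(DateTime dt) => DateTime.IsLeapYear(dt.Year);

    // Reference: the original twelve-case switch collapsed to its three
    // outcomes, kept only so the two implementations can be compared.
    private static bool HomebrewIsLeap(int year) =>
        (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;

    private static int HomebrewDaysInMonth(int year, int month)
    {
        switch (month)
        {
            case 2: return HomebrewIsLeap(year) ? 29 : 28;
            case 4: case 6: case 9: case 11: return 30;
            default: return 31;
        }
    }

    // Counts (year, month) pairs where framework and homebrew disagree, or
    // where the DateTimeKind was lost. 1900 (not a leap year) and 2000 (a leap
    // year) exercise the century exceptions; the expected count is zero.
    public static int CountDisagreements(int fromYear, int toYear)
    {
        int mismatches = 0;
        for (int year = fromYear; year <= toYear; year++)
        {
            for (int month = 1; month <= 12; month++)
            {
                // Constructed probe date in the middle of the month, tagged UTC.
                var probe = new DateTime(year, month, 15, 13, 45, 0, DateTimeKind.Utc);
                DateTime last = LastDayInMonth(probe);
                bool sameDay = last.Day == HomebrewDaysInMonth(year, month);
                bool sameLeap = IsLeapYear(probe) == HomebrewIsLeap(year);
                bool kindKept = last.Kind == DateTimeKind.Utc;
                if (!(sameDay && sameLeap && kindKept))
                    mismatches++;
            }
        }
        return mismatches;
    }

    public static void Main()
    {
        Console.WriteLine($"disagreements 1900-2100: {CountDisagreements(1900, 2100)}");
        Console.WriteLine(LastDayInMonth(new DateTime(2024, 2, 10)).ToString("yyyy-MM-dd"));
    }
}
```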


365 TomorrowsImagine a Creature

Author: Rollin T. Gentry Imagine a creature crafted from crushed bones and entropy. It may or may not have fangs, or claws, or even a face. It rides from calamity to calamity, crisis to crisis, along ley lines the scale of galaxies. Wait. There he is, knocking at the door. The door, an ancient relic […]

The post Imagine a Creature appeared first on 365tomorrows.

Cryptogram Simson Garfinkel on Spooky Cryptographic Action at a Distance

Excellent read. One example:

Consider the case of basic public key cryptography, in which a person’s public and private key are created together in a single operation. These two keys are entangled, not with quantum physics, but with math.

When I create a virtual machine server in the Amazon cloud, I am prompted for an RSA public key that will be used to control access to the machine. Typically, I create the public and private keypair on my laptop and upload the public key to Amazon, which bakes my public key into the server’s administrator account. My laptop and that remote server are thus entangled, in that the only way to log into the server is using the key on my laptop. And because that administrator account can do anything to that server—read the sensitive data, hack the web server to install malware on people who visit its web pages, or anything else I might care to do—the private key on my laptop represents a security risk for that server.

Here’s why it’s impossible to evaluate a server and know if it is secure: as long as that private key exists on my laptop, that server has a vulnerability. But if I delete that private key, the vulnerability goes away. By deleting the data, I have removed a security risk from the server and its security has increased. This is true entanglement! And it is spooky: not a single bit has changed on the server, yet it is more secure.

Read it all.


LongNowEnlarging the Question

FIRST LOOK: CENTURIES OF THE BRISTLECONE
Coming Spring 02025

An exhibition by artist and experimental philosopher Jonathon Keats co-commissioned by The Long Now Foundation and the Center for Art + Environment at the Nevada Museum of Art

An 18-foot tall dual pendulum clock that measures the growth of the world's most ancient living trees, exploring new ways of thinking about deep time and resilience. 


At the summit of eastern Nevada’s Mount Washington, a grove of bristlecone pine trees bears witness to millennia of change. Perched precariously along ridges of limestone, battered by harsh winds, the gnarled forms that populate Long Now’s Bristlecone Preserve can look more like abstract sculptures than living organisms. But they are alive, have been alive, some since before the first stone of the Great Pyramid of Giza was laid 4,500 years ago. And they are growing. Very. Slowly. A sapling from today would potentially not reach maturity until the year 07000. 

But to speak of years like 07000 is to speak in human time. Bristlecone time is not like our time. In 01964, a geographer took core samples of a nearby bristlecone known as Prometheus. The tree had 4,862 growth rings. This did not, as one might assume, mean that the tree was 4,862 years old. Because of the harsh conditions, and the high elevation, some bristlecone pines grow so slowly that they don’t form a tree ring each year. Such was the case with Prometheus, whom researchers later estimated to be closer to 4,900 years old. 

The discrepancy between human time — in which a year is exactly 365.2425 days in duration — and bristlecone time — which varies depending on environmental conditions — is the focus of a forthcoming project from the conceptual artist and experimental philosopher Jonathon Keats, The Long Now Foundation, and the Nevada Museum of Art. Centuries of the Bristlecone empowers the longest-lived organisms on Earth to be timekeepers. A living calendar for the next five millennia, the project will measure the growth of select bristlecone pine trees at Long Now’s Bristlecone Preserve. Those measurements — “bristlecone time” — will be transmitted to an 18-foot tall dual pendulum clock housed at the Nevada Museum of Art. The growth of these trees will tell a story. What that story is depends on us.

Long Now’s Bristlecone Preserve, Mount Washington, eastern Nevada. Photo by Ian van Coller

“Through time, each bristlecone will bear witness to human activity in the Anthropocene,” Keats has written. “The meaning of the living calendar will change with the changes we bring to the environment.”

Consider again that sapling. Over time, increased carbon dioxide in the atmosphere stemming from anthropogenic climate change would lead to it growing at a faster rate, much like its siblings at lower elevations. A visitor to the Centuries of the Bristlecone clock a hundred years from now would see two different times displayed, side by side. The dial displaying human, or standard, time would read “02124.” The dial displaying bristlecone, or arboreal, time might read “02377.” 

Or it might not. We cannot know how the future will unfold. And we could, of course, choose to act differently. For Keats, that’s precisely the point. 

The gnarled forms that populate Long Now’s Bristlecone Preserve can look more like abstract sculptures than living organisms. Photo by Justin Oliphant

“Our actions will affect bristlecone time,” Keats writes. “And while we need to be aware of our hubris, we also need to be aware that we have choices and responsibilities. Arboreal time will provide us with an ecological feedback mechanism. Sentinels from the distant past that will long outlive us, the bristlecones will calibrate our time on this planet.”

Centuries of the Bristlecone has been in the works since 02015, when Keats shared his vision during a Long Now Talk at The Interval. In September 02024, a contingent of staff from Long Now and the Nevada Museum of Art joined Keats atop Mount Washington to help realize that vision, installing the indexes and plaques that will allow future citizen-timekeepers to chart the growth of the trees. In the spring of 02025, the municipal clock at the Nevada Museum of Art will open to the public. 

Centuries of the Bristlecone is part of Keats’ broader philosophical exploration of time from a more-than-human perspective. “The overarching goal is to reverse the process of human alienation that began by seeing nature as other,” he says. “We can reintegrate ourselves into nature by reintegrating nature into human systems.”

Recently, Keats sat down with William L. Fox, the Director of the Center for Art + Environment at the Nevada Museum of Art, to discuss the many projects he’s undertaken to achieve that goal, as well as the unconventional thought experiments that comprise his larger body of work. Over the years, Keats has attempted to genetically engineer God; copyright his brain in a bid to become immortal; and pass Aristotle’s law of identity as a law of the legal system (violators caught being unidentical to themselves would be fined one-tenth of a cent). He has created pinhole cameras with exposure times of one thousand years, and he has shown pornography to house plants (which is to say, videos of bees pollinating flowers). 

Equal parts playful and profound, Keats’ interventions open up spaces for the public to engage in contemplative inquiry across a wide swath of disciplines and domains, from the perennial questions posed by philosophy — What is the relationship between thinking and being? — to the ethical quandaries posed by the Anthropocene — How might non-human species participate in the collective decision-making of the democratic system in which we live?  

“A question is never resolved,” he says. “It is only enlarged.”

The following conversation has been edited for length and clarity.

William L. Fox speaking at Long Now on April 5, 02016. Seated in the audience at left is Jonathon Keats. Photo by Gary Wilson

William L. Fox: You and I have been working together for years, but we don’t sit down and actually talk about what childhood was like, what grade school was like. I’d like to remedy that now. So let’s start with how you must’ve driven every teacher you’ve ever had absolutely nuts.

Jonathon Keats: It started with my parents. I drove them crazy long before I had teachers to distract and classes to disturb. But in terms of the first experience in a formal educational situation, it was preschool. As is the case in many Montessori schools, I got told by the teachers how to be creative. What more creative thing can one do than to rebel against that?

It didn't go over well. I actually didn't speak for an entire year. I would speak outside of class, but the moment I walked through the doors of the school, I would stop speaking. Later, when I got my hands on a Diagnostic and Statistical Manual of Mental Disorders, I was able to diagnose myself as having elective mutism. I was quite pleased with myself to be an elective mute because knowing when not to say something seems like it is as important as knowing when to say something. That is one of the essential qualities of my work and one of the essential qualities that I seek in art more generally.

As I went on in that vein, being obstinate whenever I was asked to be creative or imaginative, one of the preschool teachers asked whether I had an imagination. I think that's still open to debate. Nevertheless, it was clear that any sort of formal structure that came from someone else was one to be resisted or to be broken free of, as opposed to my own systems that I very much wanted to create.

The first work that could potentially be categorized retrospectively as an artwork — or as a thought experiment — came shortly after moving cross country from New York City, where I'd gone to preschool, to Corte Madera, a very quaint town in California. In my driveway, on a street that few people frequented, I set up a table and put some rocks on it and priced the rocks at one cent apiece. The rocks on the ground were identical, but were not the ones that were for sale, so they had no price on them whatsoever. And so I went into the business of selling rocks to a market that was effectively zero. There was, I think, a neighbor who came up to water the lawn at some point. But, more than a profit-making enterprise, my venture was a way in which to ask fundamental questions about economics, which probably originated with my puzzlement about what my father did for a living as a stockbroker. What does it mean to buy and sell? What is the nature of money?

Even then, the way in which I went about investigating the world was on my own terms, creating some sort of alternative reality that others could enter into with me, where I eliminated as much as possible that seemed extraneous, leaving just the essence to try to make sense of. I think that has been the case ever since.

Fox: The most valid rubric I use to describe you is as an ‘experimental philosopher.’ Clearly, that’s where you’ve been going since Montessori preschool. By the time you get to high school, have you begun, within that cloud of possibilities, to make some choices about what you want to do?

Keats: At the time, I was very interested in law and governance, which are deeply interesting to me still — not only as subjects, but also as constructs at a meta-level: How is the world ordered? What sort of sense do we make of the world through the systems we have, and how do we interrogate those systems? How do we ask how those systems work and what they do in order to speculate on the ways in which they might achieve what we actually want them to do?

All too often, there are legacy systems built on legacy systems, and they’re not functioning as intended. We can see this on a day-to-day basis, but we won’t understand why until we start to look at what is invisible to us. It’s like the operating system on a computer: We might not know how it operates, but it structures our word processing, our web browsing, et cetera. Law was a particularly interesting area for me because it was structured, and because it structured everything else.

During the summer of my junior year, I interned at the City Attorney’s Office in San Francisco.  They must not have been very well funded, because they would tell me about cases and then set me free in their law library to write memoranda that I would dictate into a Dictaphone. These were often on rather arcane areas of law, such as trademark infringement, but there were also more conventional problems, such as the liability of the city when a bus driver ran over a pedestrian. So I ended up with an informal education in the law, both in how the law is structured and how it actually functions.

In terms of actual schoolwork, I was very keen to go to the high school that I did — Lick-Wilmerding — for manifestly other reasons: it had a magnificent shop program, with a whole room of World War II-era lathes. That was useful not only from the standpoint of learning how to make things, but in terms of learning the procedures. When you're working in a machine shop, you have to think about what you are trying to create in a way that is extremely orderly, considering the stages underlying the manufacture of a given part and considering how multiple parts will fit together. So while I wasn't thinking in these terms at the time, in making things out of wood, metal, and other materials, I was, in very physical and tangible ways, trying to make sense of how systems come into being, what they do, and where they break down.

Fox: And you move on into college, and the adventures continue.

Keats: They do. They travel with me to the East Coast, to Amherst College in western Massachusetts. It was an ideal setting for exploring whatever interested me. That’s the nature of a liberal arts college when you take the mandate seriously, and most of my professors did. They were perfectly happy to provide guidance, but were seemingly equally happy not to do so, and to allow much of my education to become a form of independent study.

Amherst is where I learned philosophy, and where I learned that I did not want to practice philosophy within academia. Formal logic is not my forte. And then there was the fact that philosophy at Amherst was analytic and highly technical. And while I found Ludwig Wittgenstein fascinating — he once asked, What time is it on the sun? — for the most part the way in which philosophy was done in school was not at all like what I had imagined. What I had envisioned was probably not so far off from selling rocks on the street corner. As far as I was concerned, philosophy was about asking questions and enticing others to try and make sense of that world with me.

The thought experiment was, to me, an incredibly interesting means of making sense that was used in a way that was not at all interesting. It was used as a mode of argumentation — reductio ad absurdum — as a way of rhetorically drawing somebody into a state of contradiction. I was interested in the thought experiment as a mode of open-ended experimentation. And so I got enough training in philosophy — enough language, enough rigor — to be able to smuggle philosophy out of academia. Breaking free was also important for another reason: Whenever I talked to anybody outside of my department, including classmates and my parents, they had no idea what I was talking about. Partly, I think that’s because I was never very good at paraphrasing others’ philosophy, but partly it’s because analytic philosophy was so abstruse. 

As I said earlier, we need to get inside the operating system. We need to be able to understand the basis of our understanding. There's so much scholarship underlying philosophy as it's done right now that “good philosophy” is directed by what was considered worthy in the past.  We need to go in other directions, and to do so with others in a way that’s socially engaged, such that we’re all philosophers together.

I declared my independence from philosophy my senior year by opting to write a thesis on aesthetics, which was one of the areas I’d studied. In my proposal to the philosophy department, I argued that it made no sense to write about aesthetics; I should be working within aesthetics. That is, I should be writing a novel. The philosophy department responded by saying, That’s a very good idea, but not here. So I formed my own aesthetics department. I gave it a name and had a philosophy professor on the board. I wrote a novel, or something that passed as a novel, as a senior thesis. That was the moment when I realized that writing was one way in which to pursue what I wanted and needed to do. Writing fiction and poetry was particularly generative because it avoided some of the necessities of argumentation, namely first and foremost that one has something one is arguing for, as opposed to trying to open up a space for reflection.

But I also realized that beyond writing, other arts presented great opportunities. I had studied enough art history in college to see that the Duchampian turn was so dizzying that nobody knew what art was anymore. Every other discipline, from physics to philosophy, had become more disciplined, more rigorous, more rigid, and more narrow as time had gone on. Art had gone the opposite direction, from producing painting or sculpture in an academic tradition to “anything goes”.

Fox: You have just proposed a kind of analog to the working practice of Allan Kaprow and his relationship to William James and the birth of American pragmatism. Which is to say, in counter distinction: when I was at the Clark Art Institute, I had a good friend who was a curator of art from Bordeaux at the Contemporary Art Museum. He was the last student of Deleuze. And he said, “You don't like Deleuze and Guattari very much, do you?” And I said, “No, I loathe them. And in fact, I threw away A Thousand Plateaus.” It's the only book in my life I've ever thrown in a trash basket. And he said, “Why on earth? What's your problem?” And I said, “Because they don't tell the truth. They use language in very clever ways. But you cannot argue about whether or not there's a river that flows from the Rocky Mountains to the Pacific Ocean. And they would pretend to do otherwise.” And so he said, “But Bill, you don't understand: the whole point is the person who argues the best wins.” I found that instructive. And to hear you actually anchor yourself in the world in a philosophical tradition that is not founded on argumentation is refreshing.

Keats: I think that argumentation is at the core of my practice, but not for the sake of winning. I’m drawn to the Hegelian dialectic and even more to the Talmudic tradition in which any point is a basis for a counterpoint. A question is never resolved. It’s only enlarged.

What I do in much of my work now is that I take a position internally —  a proposition, a provocation, or a world that I create — not because I think that it is definitive, but because I think that it is a point of departure for navigating a space that I intuit to be meaningful, relevant and interesting. I seldom know my way around the space at the outset, I only know that I can’t navigate it alone. I know that it needs to be large enough for me to get lost.

Enlarging the Question

In Berkeley in 02002, I tried to find my way through the legal system. I attempted to pass a law of logic: the proposition that a equals a, that every entity is identical to itself. I held a petition drive and set up a table piled high with political buttons. It wasn’t so different from my childhood experiment of setting up a stand on the street and selling rocks as a way of understanding what money is; the rocks were meaningless except for the transaction that was happening through their sale. Equivalent to that, in trying to pass a law of logic as legislation, I was trying to figure out whether we actually can make laws, or whether they already all exist and we simply elect certain laws to be those that we follow.

Fox: One of the things you’ve done is copyright your brain.

Keats: My motivation was to explore some of the questions that have persisted for such a long time: what it is to think, what it is to be, and what is the relationship between the two? But also it was about trying to figure out the nature of intellectual property.

Instead of trying to achieve immortality through the merits of my paintings or sculptures, as artists often do, I opted to enlist the Copyright Act of 01978, which afforded copyright protection on any work for 70 years beyond the artist’s death. I submitted paperwork to the Copyright Office registering my brain as a sculpture that was formed through the act of thinking. I hypothesized that this sculpture, by virtue of being copyrighted, and through the magic of cogito ergo sum, could become a way to outsurvive myself by 70 years.

At the same time that I registered my brain with the Copyright Office to protect the neural networks, I orchestrated an IPO offering futures contracts on my individual neurons. The neural networks were really what mattered after I was dead; the ability to use those networks after my death would be essential to fulfilling the cogito and continuing to exist exclusively as myself for those 70 years. But in order to be able to fund suitable technology, as well as suitable legal protections, I needed some sort of a cash windfall at the end of my life. (Being an artist, as we all know, is not a way to get rich.) Investors were offered the opportunity to purchase a million neurons at a $10 premium against a $10,000 strike price. The neurons were, and remain, deliverable upon my death.

Fox: I’d like to talk about trees. You and I have both been involved in the UC Berkeley Sagehen Creek Field Station that is north of Truckee, California. At one point, you wanted to allow trees to have agency about the quality of their environment, giving them the ability to vote in a countywide election. Jeff Brown and Faerthen Felix, the then-director and manager, respectively, of the Sagehen Creek Station, not only let you set up camp there, but brought you in contact with scientists and instruments that could facilitate that process.          

Keats: For a while I've been trying to figure out how to move beyond rights of nature. I’ve been trying to take a broader view of ecology, considering how we’re making life worse, not only for ourselves, but for most every species on planet Earth through our actions today and arguably since the Industrial Revolution.

From an ecological perspective, giving trees the right to clean air is certainly a step in the right direction: it allows for beings in jeopardy to be protected in a court of law, and their interests to be protected in very broad terms, much as rights apply to humans. But there is something essential missing from the equation, and it has to do with representation. In other words: how might non-human species be able to participate in the collective decision-making of the democratic system in which we live?

Promotional still for Keats’ latest exhibition, “The Future Democracies Laboratory,” hosted at Modernism Gallery on October 30, 02024 and on view at the Institute of Contemporary Art San José through February 23, 02025.

We don’t really know much about what happens on this planet, let alone what is in the best interest of non-human others. If we want to make good policy, we need to be able to access the extraordinary range of sensory systems and ways in which these non-human beings make sense of the world. And, at an ethical level, these others are affected by our actions, and should, therefore, have a say in what actions are taken.

When I first approached Jeff and Faerthen — and when they introduced me to Earth Law Center in Colorado — I was just beginning to develop ideas for enlarging democratic decision-making processes. Starting with plants made sense because of the fact that we humans are less than 1% of Earth’s biomass and plants are by some measures more than 80%. In other words, they’re the majority.

I started to think about plants’ participation in the democratic process initially in terms of an old electoral cliché: Are you better off now than you were four years ago? People supposedly ask themselves that question in presidential elections. How might we pose that question to plants?

I think the question could be reformulated as follows: Are you getting more stressed or less so as a result of the political decisions that are being made on your behalf in our representative democracy? All species can be monitored in terms of stress level. The hormone cortisol, for instance, is correlated with stress in the case of animals. Plants experience stress as well, as indicated by their production of phytohormones such as ethylene. Measuring these hormones might be a substitute for lining up plants at the voting booth and waiting for them to pull a lever.

Keats’ exhibit at MOD, “The Assembly of Trees.” Photo by Topbunk

It’s a thought experiment, but one I am undertaking in public at MOD, an art-and-science museum at the University of South Australia. All this year in Adelaide, 50 trees are being monitored. We aren't monitoring phytohormones, which are difficult to measure directly. Instead, we’re observing an epiphenomenon: foliage density. We're looking at whether there’s more or less foliage this year compared to last year as a proxy measure of stress. And we're inviting visitors to correlate these changes with new legislation.  

To legally enfranchise nonhuman species would probably take a constitutional amendment, an idea that we’ve been investigating at Earth Law Center. It’s an ideal but it’s not going to be approved by the electorate anytime soon. On the other hand, it seems eminently feasible to influence people’s political decisions by making them more aware of the ecosystem in which they live such that they can incorporate the interests and worldview of other species at the polls. The MOD installation is intended to encourage people to take nonhuman interests and perspectives into account when they vote.

The overarching goal is to reverse the process of human alienation that began by seeing nature as other. We can reintegrate ourselves into nature by reintegrating nature into human systems.

A bristlecone pine in Long Now's Bristlecone Preserve. Photo by Justin Oliphant

Fox: From my standpoint, Centuries of the Bristlecone is a project that came about because you wanted to find a way to demonstrate in front of humans in real time the difference between human time and bristlecone time. If I remember correctly, you originally wanted to work with sequoias or redwoods or other species, but The Long Now Foundation said, “We own the largest private grove of bristlecones in the world,” and that’s a 5,000-year potential growth pattern for a plant. 

You were looking for a place where you could take a signal from a bristlecone pine, let’s say the growth of a tree ring annually, as an indicator of the chemical composition of the atmosphere around the bristlecone. And you could put those two facts together and measure a correlation. But all this would be happening on top of an 11,000 foot mountain. How could you get that data and that ongoing signal to the public?

The answer was, find an organization that was nearby in the Nevada Museum of Art. We’re about as close a museum to the bristlecone pines as you can find in this state. And so we began to talk about a device that would translate and make visible that data for people to come in and apprehend on a regular basis or even on a one-time visit, just to get a sense of what the different kinds of time were. It’s an exquisite instrument that’s been designed. It’s taken us years to get here, and it’s a monumental public clock that has both human and bristlecone time being displayed on the face of that clock.

What’s going through your mind as you are coming up with the idea of Centuries of the Bristlecone?

Keats: I’m concerned about the ways in which societies have kept time since the beginning of the Industrial Revolution, by the mechanization and standardization of time through the use of mechanical, electronic, and atomic clocks. As time became more technical, it became more abstract. Like many technologies, the technology of timekeeping allowed us to disconnect from planetary systems and do what we want to do whenever we want to do it. In modern logistics, there are no temporal feedback loops to indicate the impact of our actions.

WATCH David Rooney’s 02021 Long Now Talk on how time has been imagined, politicized, and weaponized over the centuries — and how it might bring peace.

In the past (pre-classical Greece, say), and still in some indigenous societies today, time reckoning has very much been about observing phenomena in your midst. Time is embedded in planetary systems and in how other creatures are experiencing these systems together with humans, all living in a state of kinship. 

I want to reintegrate modern society into those planetary systems. I want to do so through law and governance, but also through the mechanism of timekeeping.

Imagine a sapling. If we were to put markers around a tree in the shape of a spiral, and we were to mark them with future dates based on the current average annual growth for that tree, and we were then to stand back and give the tree authority to let us know what time it is, the arboreal year might deviate from the Gregorian calendar. And it would do so in ways that would be meaningful because this would be the ground truth for the tree, influenced by essential factors ranging from precipitation to the amount of carbon dioxide in the air. It would be the tree’s experience of time, as legitimate and relevant as any other experience of time. The calendar would be a way to vicariously experience time that is being experienced by others, such that time becomes a relationship. Ultimately, this is how we’ve used time amongst humans, but it needs to be enlarged in terms of who is using and construing time together.

I’d initially been inclined to work with redwood trees because of a talk I gave at the College of the Redwoods years ago. In 02015, I was invited to give a talk at The Long Now Foundation. They’d heard about cameras I’d been making with hundred- and thousand-year-long exposure times. I came in saying that I’d like to propose something new rather than just talk about projects I’d done before. At that initial meeting, I re-encountered Alexander Rose, with whom I’d gone to grade school, and who had subsequently become the Executive Director of Long Now.

As I told him my ideas about redwood time reckoning, he mentioned the bristlecones. Immediately I knew that those were the trees. He told me about Mount Washington. Immediately I knew that that was the site. It all became obvious. It made perfect sense to do this on Mount Washington, and as you said, to work with a museum. The Nevada Museum of Art’s Center for Art + Environment was perfect because of the proximity.

For all these reasons I took a road trip to Reno with Alexander and Michael McElligott, who at the time was leading Long Now’s Interval lecture series. We made a presentation, and were met with silence. At first we thought it was befuddlement, but it turned out to be the silence of people giving serious thought to our proposal. Before we left, they said yes.

And that’s when you and I started talking. We talked about how the clock needed to be monumental in order to bring people together. It needed to have the monumental scale of a municipal clock. One of the most important decisions was to engage the master clockmaker Phil Abernethy and the antiquarian horologist Brittany Nicole Cox, who have the skills to make this mechanism a reality.

A rendering of the Centuries of the Bristlecone clock that will be on display at the Nevada Museum of Art. Render by clockmaker Phil Abernethy 

Centuries of the Bristlecone will be a communal gathering point for a new time protocol. Each year or two, we’ll make a trip to Mount Washington, and get the measure of time from the trees by taking a microcore. The clock has a mechanism to measure and record the growth rate shown in the most recent tree ring, and to translate it into the rate at which a pendulum swings. This clock rate will also be available online for people to calibrate their smartphone, their watch, their scheduling software.

But trees are only one dimension of the project. I’ve also been working on a system that correlates the flow of time with the flow of a river. From minute to minute, the clock is unpredictable because the flow of rivers is stochastic, encouraging people to be in the moment. Over the long term, the time indicates changes in the climate through the impact of climate change on glacier melt, rainfall, and groundwater. Like the calendar around the sapling, the calendar on this clock provides an environmental feedback loop.

Several years ago, we projected the first instantiation of this clock onto the front of the Anchorage Museum, indicating time based on the flow of five rivers in Alaska. It was the first visible sign of what time might look like if it were not homogenized like Universal Coordinated Time, of what time might look like if we understood time to be pluralistic. I've also been collaborating on performances on rivers in Atlanta, calibrated by the flow of the Chattahoochee and its tributaries. And I'll be installing two erosion calendars in Atlanta in 02025 and 02026.

Time exists as a conversation between myriad beings and living systems. The conversation becomes accessible to us through a vernacular that we know. A system that is familiar to all humans draws us out into the world while simultaneously bringing the world into our lives.

Krebs on SecurityChange Healthcare Breach Hits 100M Americans

Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.

Image: Tamer Tuncay, Shutterstock.com.

A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that “approximately 100 million notices have been sent regarding this breach.”

A notification letter from Change Healthcare said the breach involved the theft of:

- Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
- Billing Records: Records including payment cards, financial and banking records;
- Personal Data: Social Security number; driver’s license or state ID number;
- Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.

That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.

A breach notification from Change Healthcare.

A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”

It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI declined to comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.

According to the HIPAA Journal, the biggest penalty imposed to date for a HIPAA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.

A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.

The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.

Planet DebianRussell Coker: Links October 2024

David Brin wrote an interesting article about AI ecosystems and how humans might work with machines on creative projects [1]. Also he’s right about “influencers” being like fungi.

Cory Doctorow wrote an interesting post about DRM, coalitions, and cheating [2]. It seems that people like me who want “trusted computing” to secure their own computers don’t fit well in any of the coalitions.

The CHERI capability system for using extra hardware to validate jump addresses is an interesting advance in computer science [3]. The lecture is from the seL4 Summit; this sort of advance in security goes well with a formally proven microkernel. I hope that this becomes a checkbox when ordering a custom RISC-V design.

Bunnie wrote an insightful blog post about how the Mossad might have gone about implementing the exploding pager attack [4]. I guess we will see a lot more of this in the future; it seems easy to do.

Interesting blog post about Control Flow Integrity in the V8 engine of Chrome [5].

Interesting blog post about the new mseal() syscall which can be used by CFI among other things [6].

This is the Linux kernel documentation about the Control-flow Enforcement Technology (CET) Shadow Stack [7]. Unfortunately not enabled in Debian/Unstable yet.

ARM added support for Branch Target Identification in version 8.5 of the architecture [8].

The CEO of Automattic has taken his dispute with WPEngine to an epic level; this video catalogues it. I wonder what is wrong with him [9].

NuShell is an interesting development in shell technology which runs on Linux and Windows [10].

Interesting article about making a computer game without coding using ML [11]. I doubt that it would be a good game, but maybe educational for kids.

Krebs has an insightful article about location tracking by phones which is surprisingly accurate [12]. He has provided information on how to opt out of some of it on Android, but we need legislative action!

Interesting YouTube video about how to make a 20kW microwave oven and what it can do [13]. Don’t do this at home, or anywhere else!

The Void editor is an interesting project, a fork of VSCode that supports DIRECT connections to LLM systems where you don’t have their server acting as a middle-man and potentially snooping [14].

Worse Than FailureCodeSOD: A Base Nature

Once again, we take a look at the traditional "if (boolean) return true; else return false;" pattern. But today's, from RJ, offers us a bonus twist.

public override bool IsValid
{
   get
   {
      if (!base.IsValid)
         return false;

      return true;
   }
}

As promised, this is a useless conditional. return base.IsValid would do the job just as well. Except, that's the twist, isn't it? base is our superclass. We're overriding a property on our superclass to… just do what the base property does.

This entire function could just be deleted. No one would notice. And yet, it hasn't been. Everyone agrees that it should be, yet it hasn't been. No one's doing it. It just sits there, like a pimple, begging to be popped.


365 TomorrowsThe Time Capsule

Author: Milo Brown William Smith was very proud of his name, not because it was a very good name (although it was) but because it granted him a certain level of anonymity. In William’s opinion, the only better name would be John Doe, since the name John Smith was made famous, and in turn infamous, […]

The post The Time Capsule appeared first on 365tomorrows.

Planet DebianDirk Eddelbuettel: gcbd 0.2.7 on CRAN: More Mere Maintenance

Another pure maintenance release 0.2.7 of the gcbd package is now on CRAN. The gcbd package proposes a benchmarking framework for LAPACK and BLAS operations (as the library can be exchanged in a plug-and-play sense on suitable OSs) and records results in a local database. Its original motivation was to also compare to GPU-based operations. However, it is challenging to keep CUDA working, and packages on CRAN providing the basic functionality appear to come and go, so testing the GPU feature can be challenging. The main point of gcbd is now to actually demonstrate that ‘yes indeed’ we can just swap BLAS/LAPACK libraries without any change to R, or R packages. The ‘configure / rebuild R for xyz’ often seen with ‘xyz’ being Goto or MKL is simply plain wrong: you really can just swap them (on proper operating systems, and R configs – see the package vignette for more). But no matter how often we aim to correct this record, it invariably raises its head another time.

This release accommodates a CRAN change request as we were referencing the (now only suggested) package gputools. As hinted in the previous paragraph, it was once on CRAN but is not right now so we adjusted our reference.

CRANberries also provides a diffstat report for the latest release.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Worse Than FailureRepresentative Line: On the Log, Forever

Jon recently started a new project. When setting up his dev environment, one of his peers told him, "You can disable verbose logging by setting DEBUG_LOG=false in your config file."

Well, when Jon did that, the verbose logging remained on. When he asked his peers, they were all surprised to see that the flag wasn't turning off debug logging. "Hunh, that used to work. Someone must have changed something…" Everyone had enough new development to do that tracking down a low priority bug fell to Jon. It didn't take long.

const DEBUG_LOG = process.env.DEBUG_LOG || true

According to the blame, the code had been like this for a year, the commit crammed with half a dozen features, was made by a developer who was no longer with the company, and the message was simply "Debugging". Presumably, this was intended to be a temporary change that accidentally got committed and no one noticed or cared.

Jon fixed it, and moved on. There was likely going to be plenty more to find.
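
The `|| true` trap carries over unchanged to Python's `or`, because environment values are always strings and any non-empty string is truthy. As an added example (not code from the article), here is the broken pattern next to a parser that only turns debug logging on for an explicit true-like value, assuming the same DEBUG_LOG variable name:

```python
# Added example, not from the article: the `process.env.DEBUG_LOG || true`
# mistake reproduced in Python, next to a parser that cannot be fooled by the
# string "false". A flag that silently stays on is how verbose logging ends up
# running in production.
import os

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def debug_flag_broken(env):
    """The article's pattern: "false" is a non-empty string, so it stays truthy,
    and an unset variable falls back to True. This can never evaluate to False."""
    return env.get("DEBUG_LOG") or True


def parse_bool_env(name, env, default=False):
    """Return the flag as a real bool. Unknown values fail loudly rather than
    silently leaving verbose logging on."""
    raw = env.get(name)
    if raw is None or raw.strip() == "":
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name}: expected a boolean-like value, got {raw!r}")


def debug_flag_fixed(env=None):
    """Debug logging is off unless DEBUG_LOG is explicitly set to a true value."""
    return parse_bool_env("DEBUG_LOG", os.environ if env is None else env)


if __name__ == "__main__":
    # Constructed sample environment mirroring the config Jon was told to use.
    sample = {"DEBUG_LOG": "false"}
    print("broken:", bool(debug_flag_broken(sample)))  # True: flag is ignored
    print("fixed: ", debug_flag_fixed(sample))          # False
```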


365 TomorrowsThe Trees Are Chatty

Author: Majoki “What a poetic way of expressing it, Sibyl,” Cassie warily admitted. She was walking along the stream that meandered through the glade, the aspens chattering in the stiffening evening breeze. *It’s true, Cassandra. The trees are chatty. They’re discussing the gathering storm.* Cassie tilted her head, as she did every time, Sibyl voiced […]

The post The Trees Are Chatty appeared first on 365tomorrows.

Cryptogram Law Enforcement Deanonymizes Tor Users

The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay.

Tor has written about this.

Hacker News thread.

Cory DoctorowSpill, part four (a Little Brother story)

Will Staehle's cover for 'Spill': a white star on an aqua background; a black stylized fist rises out of the star with a red X over its center.

This week on my podcast, I read part four of “Spill“, a new Little Brother story commissioned by Clay F Carlson and published on Reactor, the online publication of Tor Books. Also available in DRM-free ebook form as a Tor Original.

I didn’t plan to go to Oklahoma, but I went to Oklahoma.

My day job is providing phone tech support to people in offices who use my boss’s customer-relationship management software. In theory, I can do that job from anywhere I can sit quietly on a good Internet connection for a few hours a day while I’m on shift. It’s a good job for an organizer, because it means I can go out in the field and still pay my rent, so long as I can park a rental car outside of a Starbucks, camp on their WiFi, and put on a noise-canceling headset. It’s also good organizer training because most of the people who call me are angry and confused and need to have something difficult and technical explained to them.

My comrades started leaving for Oklahoma the day the Water Protector camp got set up. A lot of them—especially my Indigenous friends—were veterans of the Line 3 Pipeline, the Dakota Access Pipeline, and other pipeline fights, and they were plugged right into that network.

The worse things got, the more people I knew in OK. My weekly affinity group meeting normally had twenty people at it. One week there were only ten of us. The next week, three. The next week, we did it on Zoom (ugh) and most of the people on the line were in OK, up on “Facebook Hill,” the one place in the camp with reliable cellular data signals.


MP3


Planet DebianSven Hoexter: GKE version 1.31.1-gke.1678000+ is a baddy

Just a "warn your brothers" for people foolish enough to use GKE and run on the Rapid release channel.

Update from version 1.31.1-gke.1146000 to 1.31.1-gke.1678000 is causing trouble whenever NetworkPolicy resources and a readinessProbe (or health check) are configured. As a workaround we started to remove the NetworkPolicy resources. E.g. when kustomize is involved with a patch like this:

- patch: |-
    $patch: delete
    apiVersion: "networking.k8s.io/v1"
    kind: NetworkPolicy
    metadata:
        name: dummy
  target:
    kind: NetworkPolicy

We tried to update to the latest version - right now 1.31.1-gke.2008000 - which did not change anything. Behaviour is pretty much erratic, sometimes it still works and sometimes the traffic is denied. It also seems that there is some relevant fix in 1.31.1-gke.1678000 because that is now the oldest release of 1.31.1 which I can find in the regular and rapid release channels. The last known good version 1.31.1-gke.1146000 is not available to try a downgrade.

Cryptogram Criminals Are Blowing up ATMs in Germany

It’s low tech, but effective.

Why Germany? It has more ATMs than other European countries, and—if I read the article right—they have more money in them.

Planet DebianThomas Lange: 30.000 FAIme jobs created in 7 years

The number of FAIme jobs has reached 30.000. Yeah!
At the end of this November the FAIme web service for building customized ISOs turns 7 years old. It reached 10.000 jobs in March 2021 and 20.000 jobs in June 2023, a nice increase in usage.

Here are some statistics for the jobs processed in 2024:

Type of jobs

3%     cloud image
11%     live ISO
86%     install ISO

Distribution

2%     bullseye
8%     trixie
12%     ubuntu 24.04
78%     bookworm

Misc

  • 18%   used a custom postinst script
  • 11%   provided their ssh pub key for passwordless root login
  • 50%   of the jobs didn't include a desktop environment at all; the others mostly used GNOME, XFCE, KDE or the Ubuntu desktop.
  • The biggest ISO was a FAIme job which created a live ISO with a desktop and some additional packages. This job took 30min to finish and the resulting ISO was 18G in size.

Execution Times

The cloud and live ISOs need more time for their creation because the FAIme server needs to unpack and install all packages. For the install ISO the packages are only downloaded. The number of software packages also affects the build time. Every ISO is built in a VM on an old 6-core E5-1650 v2. Times given are calculated from the jobs of the past two weeks.

Job type     Avg     Max
install no desktop     1 min     2 min
install GNOME     2 min     5 min

The times for Ubuntu without and with desktop are one minute higher than those mentioned above.

Job type     Avg     Max
live no desktop     4 min     6 min
live GNOME     8 min     11 min

The times for cloud images are similar to live images.

A New Feature

For a few weeks now, the system has been showing the number of jobs ahead of you in the queue when you submit a job that cannot be processed immediately.

The Next Milestone

At the end of this year the FAI project will be 25 years old. If you have a success story of your FAI usage to share, please post it to the linux-fai mailing list or send it to me. Do you know the FAI questionnaire? A lot of reports are already available.

Here's an overview of what happened in the past 20 years in the FAI project.

About FAIme

FAIme is the service for building your own customized ISO via a web interface. You can create an installation or live ISO or a cloud image. Several Debian releases can be selected and also Ubuntu server or Ubuntu desktop installation ISOs can be customized. Multiple options are available like selecting a desktop and the language, adding your own package list, choosing a partition layout, adding a user, choosing a backports kernel, adding a postinst script and some more.

Worse Than FailureCodeSOD: Trophy Bug Hunting

Quality control is an important business function for any company. When your company is shipping devices with safety concerns, it's even more important. In some industries, a quality control failure is bound to be national headlines.

When the quality control software tool stopped working, everyone panicked. At which point, GRH stepped in.

Now, we've discussed this software and GRH before, but as a quick recap, it was:

written by someone who is no longer employed with the company, as part of a project managed by someone who is no longer at the company, requested by an executive who is also no longer at the company. There are no documented requirements, very few tests, and a lot of "don't touch this, it works".

And this was a quality control tool. So we're already in bad shape. It also had been unmaintained for years- a few of the QC engineers had tried to take it over, but weren't programmers, and it had essentially languished.

Specifically, it was a quality control tool used to oversee the process by about 50 QC engineers. It automates a series of checks by wrapping around third party software tools, in a complex network of "this device gets tested by generating output in program A, feeding it to program B, then combining the streams and sending them to the device, but this device gets tested using programs D, E, and F."

The automated process using the tool has a shockingly low error rate. Without the tool, doing things manually, the error rate climbs to 1-2%. So unless everyone wanted to see terrifying headlines in the Boston Globe about their devices failing, GRH needed to fix the problem.

GRH was given the code, in this case a zip file on a shared drive. It did not, at the start, even build. After fighting with the project configuration to resolve that, GRH was free to start digging in deeper.

Public Sub connect2PCdb()
        Dim cPath As String = Path.Combine(strConverterPath, "c.pfx")
        Dim strCN As String

        ' JES 12/6/2016: Modify the following line if MySQL server is changed to a different server.  A dump file will be needed to re-create teh database in the new server.
        strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;database=REDACTED;sslmode=Required;certificatepassword=REDACTED;certificatefile=REDACTED\c.pfx;password=REDACTED'"
        strCN = Regex.Replace(strCN, "certificatefile=.*?pfx", "certificatefile=" & cPath)
        pcContext = New Entities(strCN)
        strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;persistsecurityinfo=True;database=REDACTED;password=REDACTED'"
        strCN = Regex.Match(strCN, ".*'(.*)'").Groups(1).Value

        Try
            strCN = pcContext.Database.Connection.ConnectionString
            cnPC.ConnectionString = "server=REDACTED;user id=REDACTED;password=REDACTED;database=REDACTED;"
            cnPC.Open()
        Catch ex As Exception

        End Try
    End Sub

This is the code which connects to the backend database. The code is in the category of more of a trainwreck than a WTF. It's got a wonderful mix of nonsense in here, though- a hard-coded connection string which includes plaintext passwords, regex munging to modify the string, then hard-coding a string again, only to use regexes to extract a subset of the string. A subset we don't use.

And then, for a bonus, the whole thing has a misleading comment- "modify the following line" if we move to a different server? We have to modify several lines, because we keep copy/pasting the string around.

Oh, and of course, it uses the pattern of "open a database connection at application startup, and just hold that connection forever," which is a great way to strain your database as your userbase grows.

The good news about the hard-coded password is that it got GRH access to the database. With that, it was easy to see what the problem was: the database was full. The system was overly aggressive with logging, the logs went to database tables, the server was an antique with a rather small hard drive, and the database wasn't configured to even use all of that space anyway.

Cleaning up old logs got the engineers working again. GRH kept working on the code, though, cleaning it up and modernizing it. Updating to the latest version of the .NET Core framework made the data access far simpler, and got rid of the need for hard-coded connection strings. Still, GRH left the method looking like this:

    Public Sub connect2PCdb()
        'Dim cPath As String = Path.Combine(strConverterPath, "c.pfx")
        'Dim strCN As String

        ' JES 12/6/2016: Modify the following line if MySQL server is changed to a different server.  A dump file will be needed to re-create teh database in the new server.
        'strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;database=REDACTED;sslmode=Required;certificatepassword=REDACTED;certificatefile=REDACTED\c.pfx;password=REDACTED'"
        'strCN = Regex.Replace(strCN, "certificatefile=.*?pfx", "certificatefile=" & cPath)
        'pcContext = New Entities(strCN)
        'strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;persistsecurityinfo=True;database=REDACTED;password=REDACTED'"
        'strCN = Regex.Match(strCN, ".*'(.*)'").Groups(1).Value

        'GRH 2021-01-15.  Connection information moved to App.Config
        'GRH 2021-08-13.  EF Core no longer supports App.Config method
        pcContext = New PcEntities

        Try
            ' GRH 2021-08-21  This variable no longer exists in .NET 5
            'strCN = pcContext.Database.Connection.ConnectionString
            ' GRH 2021-08-20  Keeping the connection open causes EF Core to not work
            'cnPC.ConnectionString = "server=REDACTED;user id=REDACTED;password=REDACTED;database=REDACTED;SslMode=none"
            'cnPC.Open()
        Catch ex As Exception

        End Try
    End Sub

It's now a one-line method, with most of the code commented out, instead of removed. Why on Earth is the method left like that?

GRH explains:

Yes, I could delete the function as it is functionally dead, but I keep it for the same reasons that a hunter mounts a deer's head above her mantle.


365 TomorrowsThe Last Resort

Author: Julian Miles, Staff Writer Abby whips her wing-tentacles about, making little ‘cracks’ of delight as a gigantic silver dinosaur walks by, its crystal eyes filled with icy fire. Every footfall causes things to shake and drinks to splash about in their cups – unless they’re being carried on the spindly spider-legged copper tables that […]

The post The Last Resort appeared first on 365tomorrows.


David BrinScience as the ultimate accountability process

Before getting into Science as the ultimate accountability process, let me allow that I am biased in favor of this scientific era!  Especially after last weekend when Caltech - my alma mater - honored me - along with three far-more-deserving others - as Distinguished Alumnus.  Seems worth noting. Especially since it is one honor I truly never expected!


You  readers of Contrary Brin might be surprised that, with the crucial US election looming, I'm gonna step back from cliff-edge politics, to offer some Big Picture Perspective about how science works... and civilization, in general. 


But I think maybe perspective is kinda what we need, right now.



== How did we achieve the flawed miracle that we now have... and take too much for granted? ==


All the way back to our earliest records, civilization has faced a paramount problem. How can we maintain and improve a decent society amid our deeply human propensity for lies and delusion? 


As recommended by Pericles around 300 BCE… then later by Adam Smith and the founders of our era… humanity has only ever found one difficult but essential trick that actually works at freeing leaders and citizens to craft policy relatively - or partially - free from deception and falsehoods. 


That trick is NOT preaching or ‘don’t lie’ commandments. Sure, for 6000 years, top elites finger-wagged and passed laws against such stuff... only to become top liars and self-deceivers! Bringing calamities down upon the nations and peoples that they led.


Laws can help. But the truly ’essential trick’ that we’ve gradually become somewhat good-at is Reciprocal Accountability … freeing rival powers and even average citizens to keep an eye on each other laterally. Speaking up when we see what we perceive as lies or mistakes.


== How we've done this... a method under threat! ==

Yeah, sometimes it’s the critic who is wrong, and conventional wisdom can be right!  

Indeed, one of today's mad manias is to assume that experts - who spent their lives studying a topic closely - must be clueless compared to those who are 'informed' by Facebook memes and cable news rants.

Still, Criticism Is the Only Known Antidote to Error (CITOKATE!)...

...and one result of free speech criticism is a system that’s open enough to spot most errors – even those by the mighty – and criticize them (sometimes just in time and sometimes too late) so that many (never all!) of them get corrected. 

We aren’t yet great at it! Though better than all prior generations. And at the vanguard in this process is science.


== The horrible, ingrate reflex is NOT 'questioning authority' ==

Sure, scientists are human and subject to the same temptations to self-deceive or even tell lies. We who were trained in a scientific field (or two or three) were taught to recite the sacred catechism of science: “I might be wrong!” 


That core tenet – plus piles of statistical and error-checking techniques – made modern science different – and vastly more effective (and less hated) -- than all or any previous priesthoods. Still, we remain human. And delusion in science can have weighty consequences.


Which brings us to this article by Chris Said: "Scientific whistleblowers can be compensated for their service."  It begins with a paragraph that’s both true and also way exaggerates!  Still, the author poses a problem that needs an answer:


“Science has a fraud problem. Highly cited research is often based on faked data, which causes other researchers to pursue false leads. In medical research, the time wasted by followup studies can delay the discovery of effective treatments for serious diseases, potentially causing millions of lives to be lost.”


As I said: that’s an exaggeration – one that feeds into today’s Mad Right, in its all-out war vs. every fact-using profession. (Not just science, but also teaching, medicine and law and civil service... all the way to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.) 


Still, the essay is worth reading for its proposed solution. Which boils down to do more reciprocal accountability, only do it better!

The proposal would start with the fact that most scientists are competitive creatures! Among the most competitive that this planet ever produced – nothing like the lemming, paradigm-hugger stereotype spread by some on the far-left... and by almost everyone on today’s entire gone-mad right. 


Only this author proposes that we then augment that competitiveness with whistle blower rewards**, to incentivize the cross-checking process with cash prizes.

Hey, I'm all in favor! I’ve long pushed for stuff like this since my 1998 book The Transparent Society: Will Technology Make Us Choose Between Privacy and Freedom? 


...and more recently my proposal for a FACT Act...


...and especially lately, suggesting incentives so that Artificial Intelligences will hold each other accountable (our only conceivable path to a ’soft AI landing.’) 


So, sure… the article is worth a look - and more discussion. 


Just watch it when yammerers attack science in general with the 'lemming' slander. Demand cash wagers over that one!



== A useful tech rule-of-thumb? ==


Do you know the “hype cycle curve”? That’s an observational/pragmatic correlation tool devised by Gartner in the 90s, for how new technologies often attract heaps of zealous attention, followed by a crash of disillusionment, when even the most promising techs encounter obstacles to implementation, and many just prove wrong. 


That trough is followed, in a few cases, by a more grounded rise in solid investment, as productivity takes hold. (It happened repeatedly with railroads and electricity and later with computers and the Internet and seems to be happening with AI.) The inimitable Sabine Hossenfelder offers a podcast about this, using recent battery tech developments as examples. 


Your takeaways: yes, it seems that some battery techs may deliver major good news pretty soon. And remember this ‘hype cycle’ thing is correlative, not causative. It has almost no predictive utility in individual cases.


But the final take-away is also important. That progress is being made! Across many fronts and very rapidly. And every single thing you are being told by the remnant denialist cult about the general trend toward sustainable technologies is a damned lie.


Take this jpeg I just copied from the newsletter of Peter Diamandis, re: the rapidly maturing tech of perovskite based solar cells, which have a theoretically possible efficiency of 66%, double that of silicon. (And many of you first saw the word “perovskite” in my novel Earth, wherein I pointed out that most high-temp superconductors take that mineral form… and so does most of the Earth’s mantle. Put those two together!)


Do subscribe to Peter’s Abundance Newsletter, as an antidote to the gloom that’s spread by today’s entire gone-mad-right and by much of today’s dour, farthest-fringe-left. 


The latter are counter-productive sanctimony junkies, irritating but statistically unimportant as we make progress without much help from them.


The former are a monstrously insane, science-hating treason-cult that’s potentially lethal to our civilization and world and our children. And for those mouth-foaming neighbors of ours, the only cure will be victory – yet again, and with malice toward none – by the Union side in this latest phase of our recurring confederate fever. 


======


** The 1986 Whistle Blower law, enticing tattle-tales with up to 30% cuts of any $$ recovered by the US taxpayers, has just been gutted by a Trump appointed (and ABA 'not-qualified') judge. Gee, I wonder why?



Planet DebianEnrico Zini: Typing decorators for class members with optional arguments

This looks straightforward and is far from it. I expect tool support will improve in the future. Meanwhile, this blog post serves as a step by step explanation for what is going on in code that I'm about to push to my team.

Let's take this relatively straightforward Python code. It has a method printing an int, and a decorator that makes its argument optional, taking it from a global default if missing:

from unittest import mock

default = 42


def with_default(f):
    def wrapped(self, value=None):
        if value is None:
            value = default
        return f(self, value)

    return wrapped


class Fiddle:
    @with_default
    def print(self, value):
        print("Answer:", value)


fiddle = Fiddle()
fiddle.print(12)
fiddle.print()


def mocked(self, value=None):
    print("Mocked answer:", value)


with mock.patch.object(Fiddle, "print", autospec=True, side_effect=mocked):
    fiddle.print(12)
    fiddle.print()

It works nicely as expected:

$ python3 test0.py
Answer: 12
Answer: 42
Mocked answer: 12
Mocked answer: None

It lacks functools.wraps and typing, though. Let's add them.

Adding functools.wraps

Adding a simple @functools.wraps, mock unexpectedly stops working:

# python3 test1.py
Answer: 12
Answer: 42
Mocked answer: 12
Traceback (most recent call last):
  File "/home/enrico/lavori/freexian/tt/test1.py", line 42, in <module>
    fiddle.print()
  File "<string>", line 2, in print
  File "/usr/lib/python3.11/unittest/mock.py", line 186, in checksig
    sig.bind(*args, **kwargs)
  File "/usr/lib/python3.11/inspect.py", line 3211, in bind
    return self._bind(args, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/inspect.py", line 3126, in _bind
    raise TypeError(msg) from None
TypeError: missing a required argument: 'value'

This is the new code, with explanations and a fix:

# Introduce functools
import functools
from unittest import mock

default = 42


def with_default(f):
    @functools.wraps(f)
    def wrapped(self, value=None):
        if value is None:
            value = default
        return f(self, value)

    # Fix:
    # del wrapped.__wrapped__

    return wrapped


class Fiddle:
    @with_default
    def print(self, value):
        assert value is not None
        print("Answer:", value)


fiddle = Fiddle()
fiddle.print(12)
fiddle.print()


def mocked(self, value=None):
    print("Mocked answer:", value)


with mock.patch.object(Fiddle, "print", autospec=True, side_effect=mocked):
    fiddle.print(12)
    # mock's autospec uses inspect.getsignature, which follows __wrapped__ set
    # by functools.wraps, which points to a wrong signature: the idea that
    # value is optional is now lost
    fiddle.print()
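
As an added example (not code from Enrico's post), here is the same decorator with functools.wraps kept, where the wrapper publishes its own signature through __signature__; inspect.signature honours that attribute before following __wrapped__, so autospec binds the optional argument correctly without deleting __wrapped__:

```python
# Added example, not from the post: keep functools.wraps, but give the wrapper
# an explicit __signature__ so mock's autospec (which calls inspect.signature)
# sees "(self, value=None)" instead of the wrapped function's "(self, value)".
# Names mirror the post; the recorded-calls list is constructed here.
import functools
import inspect
from unittest import mock

default = 42


def with_default(f):
    @functools.wraps(f)
    def wrapped(self, value=None):
        if value is None:
            value = default
        return f(self, value)

    # inspect.signature() stops unwrapping at the first object that carries a
    # __signature__. follow_wrapped=False is needed here because wraps() has
    # already set __wrapped__ on this function. __wrapped__ stays intact for
    # other introspection.
    wrapped.__signature__ = inspect.signature(wrapped, follow_wrapped=False)
    return wrapped


class Fiddle:
    @with_default
    def print(self, value):
        assert value is not None
        print("Answer:", value)
        return value


def signature_of(func):
    """Parameters, as strings, that autospec will bind call arguments against."""
    return [str(p) for p in inspect.signature(func).parameters.values()]


def run_mocked():
    """Patch Fiddle.print with autospec and call it with and without a value."""
    calls = []

    def mocked(self, value=None):
        calls.append(value)

    fiddle = Fiddle()
    with mock.patch.object(Fiddle, "print", autospec=True, side_effect=mocked):
        fiddle.print(12)
        fiddle.print()  # raised TypeError in the post's test1.py
    return calls


if __name__ == "__main__":
    print("autospec sees:", signature_of(Fiddle.print))          # ['self', 'value=None']
    print("original was: ", signature_of(Fiddle.print.__wrapped__))  # ['self', 'value']
    Fiddle().print(12)
    Fiddle().print()
    print("mocked calls:", run_mocked())                          # [12, None]
```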

Adding typing

For simplicity, from now on let's change Fiddle.print to match its wrapped signature:

      # Give up with making value not optional, to simplify things :(
      def print(self, value: int | None = None) -> None:
          assert value is not None
          print("Answer:", value)

Typing with ParamSpec

# Introduce typing, try with ParamSpec
import functools
from typing import TYPE_CHECKING, ParamSpec, Callable
from unittest import mock

default = 42

P = ParamSpec("P")


def with_default(f: Callable[P, None]) -> Callable[P, None]:
    # Using ParamSpec we forward arguments, but we cannot use them!
    @functools.wraps(f)
    def wrapped(self, value: int | None = None) -> None:
        if value is None:
            value = default
        return f(self, value)

    return wrapped


class Fiddle:
    @with_default
    def print(self, value: int | None = None) -> None:
        assert value is not None
        print("Answer:", value)

mypy complains inside the wrapper, because while we forward arguments we don't constrain them, so we can't be sure there is a value in there:

test2.py:17: error: Argument 2 has incompatible type "int"; expected "P.args"  [arg-type]
test2.py:19: error: Incompatible return value type (got "_Wrapped[P, None, [Any, int | None], None]", expected "Callable[P, None]")  [return-value]
test2.py:19: note: "_Wrapped[P, None, [Any, int | None], None].__call__" has type "Callable[[Arg(Any, 'self'), DefaultArg(int | None, 'value')], None]"

Typing with Callable

We can use explicit Callable argument lists:

# Introduce typing, try with Callable
import functools
from typing import TYPE_CHECKING, Callable, TypeVar
from unittest import mock

default = 42

A = TypeVar("A")


# Callable cannot represent the fact that the argument is optional, so now mypy
# complains if we try to omit it
def with_default(f: Callable[[A, int | None], None]) -> Callable[[A, int | None], None]:
    @functools.wraps(f)
    def wrapped(self: A, value: int | None = None) -> None:
        if value is None:
            value = default
        return f(self, value)

    return wrapped


class Fiddle:
    @with_default
    def print(self, value: int | None = None) -> None:
        assert value is not None
        print("Answer:", value)


if TYPE_CHECKING:
    reveal_type(Fiddle.print)

fiddle = Fiddle()
fiddle.print(12)
# !! Too few arguments for "print" of "Fiddle"  [call-arg]
fiddle.print()


def mocked(self, value=None):
    print("Mocked answer:", value)


with mock.patch.object(Fiddle, "print", autospec=True, side_effect=mocked):
    fiddle.print(12)
    fiddle.print()

Now mypy complains when we try to omit the optional argument, because Callable cannot represent optional arguments:

test3.py:32: note: Revealed type is "def (test3.Fiddle, Union[builtins.int, None])"
test3.py:37: error: Too few arguments for "print" of "Fiddle"  [call-arg]
test3.py:46: error: Too few arguments for "print" of "Fiddle"  [call-arg]

typing's documentation says:

Callable cannot express complex signatures such as functions that take a variadic number of arguments, overloaded functions, or functions that have keyword-only parameters. However, these signatures can be expressed by defining a Protocol class with a __call__() method:

Let's do that!

Typing with Protocol, take 1

# Introduce typing, try with Protocol
import functools
from typing import TYPE_CHECKING, Protocol, TypeVar, Generic, cast
from unittest import mock

default = 42

A = TypeVar("A", contravariant=True)


class Printer(Protocol, Generic[A]):
    def __call__(_, self: A, value: int | None = None) -> None:
        ...


def with_default(f: Printer[A]) -> Printer[A]:
    @functools.wraps(f)
    def wrapped(self: A, value: int | None = None) -> None:
        if value is None:
            value = default
        return f(self, value)

    return cast(Printer, wrapped)


class Fiddle:
    # function has a __get__ method to generate bound versions of itself;
    # the Printer protocol does not define it, so mypy is now unable to type
    # the bound method correctly
    @with_default
    def print(self, value: int | None = None) -> None:
        assert value is not None
        print("Answer:", value)


if TYPE_CHECKING:
    reveal_type(Fiddle.print)

fiddle = Fiddle()
# !! Argument 1 to "__call__" of "Printer" has incompatible type "int"; expected "Fiddle"
fiddle.print(12)
fiddle.print()


def mocked(self, value=None):
    print("Mocked answer:", value)


with mock.patch.object(Fiddle, "print", autospec=True, side_effect=mocked):
    fiddle.print(12)
    fiddle.print()

New mypy complaints:

test4.py:41: error: Argument 1 to "__call__" of "Printer" has incompatible type "int"; expected "Fiddle"  [arg-type]
test4.py:42: error: Missing positional argument "self" in call to "__call__" of "Printer"  [call-arg]
test4.py:50: error: Argument 1 to "__call__" of "Printer" has incompatible type "int"; expected "Fiddle"  [arg-type]
test4.py:51: error: Missing positional argument "self" in call to "__call__" of "Printer"  [call-arg]

What happens with class methods is that the function object has a __get__ method that generates a bound version of itself. Our Printer protocol does not define it, so mypy is now unable to type the bound method correctly.

Typing with Protocol, take 2

So... we add the function descriptor methods to our Protocol!

A lot of this is taken from this discussion.

# Introduce typing, try with Protocol, harder!
import functools
from typing import TYPE_CHECKING, Protocol, TypeVar, Generic, cast, overload, Union
from unittest import mock

default = 42

A = TypeVar("A", contravariant=True)

# We now produce typing for the whole function descriptor protocol
#
# See https://github.com/python/typing/discussions/1040


class BoundPrinter(Protocol):
    """Protocol typing for bound printer methods."""

    def __call__(_, value: int | None = None) -> None:
        """Bound signature."""


class Printer(Protocol, Generic[A]):
    """Protocol typing for printer methods."""

    # noqa annotations are overrides for flake8 being confused, giving either D418:
    # Function/ Method decorated with @overload shouldn't contain a docstring
    # or D105:
    # Missing docstring in magic method
    #
    # F841 is for vulture being confused:
    #   unused variable 'objtype' (100% confidence)

    @overload
    def __get__(  # noqa: D105
        self, obj: A, objtype: type[A] | None = None  # noqa: F841
    ) -> BoundPrinter:
        ...

    @overload
    def __get__(  # noqa: D105
        self, obj: None, objtype: type[A] | None = None  # noqa: F841
    ) -> "Printer[A]":
        ...

    def __get__(
        self, obj: A | None, objtype: type[A] | None = None  # noqa: F841
    ) -> Union[BoundPrinter, "Printer[A]"]:
        """Implement function descriptor protocol for class methods."""

    def __call__(_, self: A, value: int | None = None) -> None:
        """Unbound signature."""


def with_default(f: Printer[A]) -> Printer[A]:
    @functools.wraps(f)
    def wrapped(self: A, value: int | None = None) -> None:
        if value is None:
            value = default
        return f(self, value)

    return cast(Printer, wrapped)


class Fiddle:
    # function has a __get__ method to generated bound versions of itself
    # the Printer protocol does not define it, so mypy is now unable to type
    # the bound method correctly
    @with_default
    def print(self, value: int | None = None) -> None:
        assert value is not None
        print("Answer:", value)


fiddle = Fiddle()
fiddle.print(12)
fiddle.print()


def mocked(self, value=None):
    print("Mocked answer:", value)


with mock.patch.object(Fiddle, "print", autospec=True, side_effect=mocked):
    fiddle.print(12)
    fiddle.print()

It works! It's typed! And mypy is happy!

365 TomorrowsBook Mouse

Author: Brooks C. Mendell “Where is she?” asked Dr. Nemur, holding her glasses in place while looking under a chair. “Relax, Doc,” said Burt. “It’s only a mouse. We’ll find her.” “Only a mouse?” said Nemur. “Her frontal cortex packs more punch than your bird brain.” “I get it,” said Burt. “I’m not your type.” […]

The post Book Mouse appeared first on 365tomorrows.

Cory DoctorowSpill, part three (a Little Brother story)

Will Staehle's cover for 'Spill': a white star on an aqua background; a black stylized fist rises out of the star with a red X over its center.

This week on my podcast, I read part three of “Spill“, a new Little Brother story commissioned by Clay F Carlson and published on Reactor, the online publication of Tor Books. Also available in DRM-free ebook form as a Tor Original.

I didn’t plan to go to Oklahoma, but I went to Oklahoma.

My day job is providing phone tech support to people in offices who use my boss’s customer-relationship management software. In theory, I can do that job from anywhere I can sit quietly on a good Internet connection for a few hours a day while I’m on shift. It’s a good job for an organizer, because it means I can go out in the field and still pay my rent, so long as I can park a rental car outside of a Starbucks, camp on their WiFi, and put on a noise-canceling headset. It’s also good organizer training because most of the people who call me are angry and confused and need to have something difficult and technical explained to them.

My comrades started leaving for Oklahoma the day the Water Protector camp got set up. A lot of them—especially my Indigenous friends—were veterans of the Line 3 Pipeline, the Dakota Access Pipeline, and other pipeline fights, and they were plugged right into that network.

The worse things got, the more people I knew in OK. My weekly affinity group meeting normally had twenty people at it. One week there were only ten of us. The next week, three. The next week, we did it on Zoom (ugh) and most of the people on the line were in OK, up on “Facebook Hill,” the one place in the camp with reliable cellular data signals.


MP3

Cory DoctorowSpill, part two (a Little Brother story)

This week on my podcast, I read part two of “Spill“, a new Little Brother story commissioned by Clay F Carlson and published on Reactor, the online publication of Tor Books. Also available in DRM-free ebook form as a Tor Original.


MP3


Planet DebianSteve McIntyre: Mini-Debconf in Cambridge, October 10-13 2024

Group photo

Again this year, Arm offered to host us for a mini-debconf in Cambridge. Roughly 60 people turned up on 10-13 October to the Arm campus, where they made us really welcome. They even had some Debian-themed treats made to spoil us!

Cakes

Hacking together

minicamp

For the first two days, we had a "mini-debcamp" with a disparate group of people working on all sorts of things: Arm support, live images, browser stuff, package uploads, etc. And (as is traditional) lots of people doing last-minute work to prepare slides for their talks.

Sessions and talks

Secure Boot talk

Saturday and Sunday were two days devoted to more traditional conference sessions. Our talks covered a typical range of Debian subjects: a DPL "Bits" talk, an update from the Release Team, live images. We also had some wider topics: handling your own data, what to look for in the upcoming Post-Quantum Crypto world, and even me talking about the ups and downs of Secure Boot. Plus a random set of lightning talks too! :-)

Video team awesomeness

Video team in action

Lots of volunteers from the DebConf video team were on hand too (both on-site and remotely!), so our talks were both streamed live and recorded for posterity - see the links from the individual talk pages in the wiki, or http://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Cambridge/ for the full set if you'd like to see more.

A great time for all

Again, the mini-conf went well and feedback from attendees was very positive. Thanks to all our helpers, and of course to our sponsor: Arm for providing the venue and infrastructure for the event, and all the food and drink too!

Photo credits: Andy Simpkins, Mark Brown, Jonathan Wiltshire. Thanks!

Planet DebianRussell Coker: The CUPS Vulnerability

The Announcement

Late last month there was an announcement of a “severity 9.9 vulnerability” allowing remote code execution that affects “all GNU/Linux systems (plus others)” [1]. For something to affect all Linux systems that would have to be either a kernel issue or a sshd issue. The announcement included complaints about the lack of response of vendors and “And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix”.

He seems to have a different experience of reporting bugs to me. I have had plenty of success getting bugs fixed without hyping them: I just report the bug, wait a while, and it gets fixed. I have reported potential security bugs without even bothering to try and prove that they were exploitable (any situation where you can make a program crash is potentially exploitable); I just report it and it gets fixed. I was very dubious about his ability to determine how serious a bug is and to accurately report it, so this wasn’t a situation where I was waiting for it to be disclosed to discover if it affected me. I was quite confident that my systems wouldn’t be at any risk.

Analysis

Not All Linux Systems Run CUPS

When it was published, my opinion was proven to be correct: it turned out to be a series of CUPS bugs [2]. To describe that as “all GNU/Linux systems (plus others)” seems like a vast overstatement, maybe a good thing to say if you want to be a TikTok influencer but not if you want to be known for computer security work.

For the Debian distribution the cups-browsed package (which seems to be the main exploitable one) is recommended by cups-daemon. As I have my Debian systems configured not to install recommended packages by default, it wasn’t installed on any of my systems. Also, the vast majority of my systems don’t do printing and therefore don’t have any part of CUPS installed.

CUPS vs NAT

The next issue is that in Australia most home ISPs don’t have IPv6 enabled, and CUPS doesn’t do the things needed to receive connections from the outside world via NAT with IPv4. If inbound port 631 is blocked on both TCP and UDP, as is the default on Australian home Internet, or if there is a correctly configured firewall in place, then the network is safe from attack. There is a feature called UPnP port forwarding [3] that allows server programs to ask a router to send inbound connections to them; this is apparently usually turned off by default in router configuration. If it is enabled then there are Debian packages of software to manage this: the miniupnpc package has the client (which can request NAT changes on the router) [4]. That package is not installed on any of my systems, and for my home network I don’t use a router that runs UPnP.

The only program I knowingly run that uses UPnP is Warzone2100, and as I don’t play network games that doesn’t happen. Also, as an aside, in version 4.4.2-1 of warzone2100 in Debian and Ubuntu I made it use Bubblewrap to run the game in a container, so a Remote Code Execution bug in Warzone 2100 won’t be an immediate win for an attacker (exploits via X11 or Wayland are another issue).

MAC Systems

Debian has had AppArmor enabled by default since Buster was released in 2019 [5]. There are claims that AppArmor will stop this exploit from doing anything bad.

To check SE Linux access I first use the “semanage fcontext” command to check the context of the binary; cupsd_exec_t means that the daemon runs as cupsd_t. Then I checked what file access is granted with the sesearch program: mostly just access to temporary files, cupsd config files, the faillog, the Kerberos cache files (not used on the Kerberos client systems I run), Samba run files (a possible avenue for exploiting something there), and the security_t type used for interfacing with kernel security infrastructure. I then checked the access to the security class and found that it is permitted to check contexts and access vectors, which is not access that can be harmful.

The next test was to use sesearch to discover what capabilities are granted, which unfortunately includes the sys_admin capability, a capability that allows many sysadmin tasks that could be harmful (I just checked the Fedora source and Fedora 42 has the same access). Whether the sys_admin capability can be used to do bad things with the limited access cupsd_t has to device nodes etc. is not clear, but this access is undesirable.

So the SE Linux policy in Debian and Fedora will stop cupsd_t from writing SETUID programs that could be used by random users for root access, and stop it from writing to /etc/shadow etc. But the sys_admin capability might allow it to do hostile things, and I have already uploaded a changed policy to Debian/Unstable to remove that. The sys_rawio capability also looked concerning, but it’s apparently needed to probe for USB printers, and as the domain has no access to block devices it is otherwise harmless. Below are the commands I used to discover what the policy allows and their output.

# semanage fcontext -l|grep bin/cups-browsed
/usr/bin/cups-browsed                              regular file       system_u:object_r:cupsd_exec_t:s0 
# sesearch -A -s cupsd_t -c file -p write
allow cupsd_t cupsd_interface_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };
allow cupsd_t cupsd_lock_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t cupsd_log_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t cupsd_runtime_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t cupsd_rw_etc_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t cupsd_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t cupsd_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t faillog_t:file { append getattr ioctl lock open read write };
allow cupsd_t init_tmpfs_t:file { append getattr ioctl lock read write };
allow cupsd_t krb5_host_rcache_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ allow_kerberos ]:True
allow cupsd_t print_spool_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow cupsd_t samba_var_t:file { append getattr ioctl lock open read write };
allow cupsd_t security_t:file { append getattr ioctl lock open read write };
allow cupsd_t security_t:file { append getattr ioctl lock open read write }; [ allow_kerberos ]:True
allow cupsd_t usbfs_t:file { append getattr ioctl lock open read write };
# sesearch -A -s cupsd_t -c security
allow cupsd_t security_t:security check_context; [ allow_kerberos ]:True
allow cupsd_t security_t:security { check_context compute_av };
# sesearch -A -s cupsd_t -c capability
allow cupsd_t cupsd_t:capability net_bind_service; [ allow_ypbind ]:True
allow cupsd_t cupsd_t:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill net_bind_service setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
# sesearch -A -s cupsd_t -c capability2
allow cupsd_t cupsd_t:capability2 { block_suspend wake_alarm };
# sesearch -A -s cupsd_t -c blk_file

Conclusion

This is an example of how not to handle security issues. Some degree of promotion is acceptable but this is very excessive and will result in people not taking security announcements seriously in future. I wonder if this is even a good career move by the researcher in question, will enough people believe that they actually did something good in this that it outweighs the number of people who think it’s misleading at best?

365 TomorrowsThe Tower

Author: Mark Renney The island is getting smaller, but those who reside in the Tower are in denial. Hiding behind the steel rafters and columns and the reinforced sheets of glass that comprise the walls of their homes, they won’t accept that a very real danger lurks beyond their windows. The occupants of the Tower, […]

The post The Tower appeared first on 365tomorrows.


Planet DebianJonathan Dowland: Behringer Model-D (synths I didn't buy)

Whilst researching what synth to buy, I learned of the Behringer[1] Model-D[2]: a 2018 clone of the 1970 Moog Minimoog, in a desktop form factor.

Behringer Model-D

Behringer Model-D

In common with the original Minimoog, it's a monophonic analogue synth, featuring three audible oscillators[3], Moog's famous 12-ladder filter and a basic envelope generator. The Model-D has lost the keyboard from the original and added some patch points for the different stages, enabling some slight re-routing of the audio components.

1970 Moog Minimoog

1970 Moog Minimoog

Since I was focussing on more fundamental, back-to-basics instruments, this was very appealing to me. I'm very curious to find out what's so compelling about the famous Moog sound. The relative lack of features feels like an advantage: less to master. The additional patch points make it a little more flexible and offer a potential gateway into the world of modular synthesis. The Model-D is also very affordable: about £200 GBP. I'll never own a real Moog.

For this to work, I would need to supplement it with some other equipment. I'd need a keyboard (or press the Micron into service as a controller); I would want some way of recording and overdubbing (same as with any synth). There are no post-mix effects on the Model-D, such as delay, reverb or chorus, so I may also want something to add those.

What stopped me was partly the realisation that there was little chance that a perennial beginner, such as I, could eke anything novel out of a synthesiser design that's 54 years old. Perhaps that shouldn't matter, but it gave me pause. Whilst the Model-D has patch points, I don't have anything to connect to them, and I'm firmly wanting to avoid the Modular Synthesis money pit. The lack of effects and polyphony could make it hard to live-sculpt a tone.

I started characterizing the Model-D as the "heart" choice, but it seemed wise to instead go for a "head" choice.

Maybe another day!


  1. There's a whole other blog post of material I could write about Behringer and their clones of classic synths, some long out of production, and others, not so much. But, I decided to skip on that for now.
  2. taken from the fact that the Minimoog was a productised version of Moog's fourth internal prototype, the model D.
  3. Two oscillators are more common in modern synths.

Cryptogram Watermark for LLM-Generated Text

Researchers at Google have developed a watermark for LLM-generated text. The basics are pretty obvious: the LLM chooses between tokens partly based on a cryptographic key, and someone with knowledge of the key can detect those choices. What makes this hard is (1) how much text is required for the watermark to work, and (2) how robust the watermark is to post-generation editing. Google’s version looks pretty good: it’s detectable in text as small as 200 tokens.

Worse Than FailureError'd: What Goes Around

No obvious pattern fell out of last week's submissions for Error'd, but I did especially like Caleb Su's example.

Michael R., apparently still job hunting, reports "I have signed up to outlier.ai to make some $$$ on the side. No instructions necessary."


Peter G. repeats a recurring theme of lost packages, saying "(Insert obligatory snark about Americans and geography. No, New Zealand isn't located in Washington DC)." A very odd coincidence, since neither the lat/long nor the zip code are particularly interesting.


"The Past Is Mutable," declares Caleb Su, explaining "In the race to compete with Gmail feature scheduling emails to send in the *future*, Outlook now lets you send emails in the past! Clearly, someone at Microsoft deserves a Nobel Prize for defying the basic laws of unidirectional time." That's thinking different.


Explorer xOneca explains this snapshot: "Was going to watch a Youtube video in DuckDuckGo, and while diagnosing why it wasn't playing I found this. It seems that youtube-nocookie.com actually *sets* cookies..?"


Morgan either found or made a funny. But it is a funny. "Now when I think about it I do like Option 3 more…" I rate this question a 👎



365 TomorrowsThe Other SETI

Author: David Barber This was back in 1937, in Wheaton, Illinois, where Grote Reber built a radio telescope to track down persistent background noise that was annoying Bell Telephone Labs. The Depression still lingered and Bell wouldn’t employ him, but in his spare time Reber built a 30-foot dish in his mother’s back yard and […]

The post The Other SETI appeared first on 365tomorrows.

Planet DebianReproducible Builds (diffoscope): diffoscope 282 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 282. This version includes the following changes:

[ Chris Lamb ]
* Ignore errors when listing .ar archives. (Closes: #1085257)
* Update copyright years.

You can find out more by visiting the project homepage.


Planet DebianEmmanuel Kasper: back to blogging and running a feed reader as a containerized systemd service

After reading about Jonathan McDowell's feed reader install and the back to blogging initiative, I decided to install a feed reader to follow all those nice blog posts. With a feed reader you can compose your own feed of news based on blog posts, websites and Mastodon toots, and then you are independent from the ad-oriented ranking algorithms of social networks.

Since Jonathan used FreshRSS as a feed reader, I started with the same software. At a quick glance at its GitHub page, it looked like a good project:

  • active contributions
  • different channels for stable and latest version of the software
  • container images pointing to the stable release
  • support multiple databases for storage, including PostgreSQL
  • correct documentation mentioning security caveats

I prefer to do the container image installation using podman since:

  • upgrades from FreshRSS are easy to do and can be done separately from operating system upgrades
  • I do not mess up my base operating system with PHP (subjective), and in case of a compromised FreshRSS, the freshrss/apache install would still be restrained to its own Linux namespaces, separated from the rest of the system.

Podman is image-compatible with Docker, as they both implement the OCI runtime specification, and has a nearly identical command line interface. This installation is done on a Debian server, but should work on any Linux distribution too.

Initial setup

  • start a container image based on the start command provided by the FreshRSS project. The podman command line is nearly identical to the docker command line, except that podman expects the fully qualified domain name associated with the container image; I also chose to run the freshrss container on the localhost interface only. I use a defined version tag, because using the latest tag makes it complicated to track which exact version I have installed.
# podman pull docker.io/freshrss/freshrss:1.20.1
# podman run --detach --restart unless-stopped --log-opt max-size=10m \
  --publish 127.0.0.1:8081:80 \
  --env TZ=Europe/Paris \
  --env 'CRON_MIN=1,31' \
  --volume freshrss_data:/var/www/FreshRSS/data \
  --volume freshrss_extensions:/var/www/FreshRSS/extensions \
  --name freshrss \
  docker.io/freshrss/freshrss:1.20.1
  • verify where the podman volumes have been created. This is where the user data of freshrss will be stored.
# podman volume ls
# podman volume inspect freshrss_data
  • now that freshrss is installed, you can start its configuration wizard at localhost:8081. You should keep the default sqlite choice.
  • finally after running the wizard, you can login again and add some feeds
  • verify that your config has been stored outside the container, inside the volume (so that it will not be erased in case of upgrades)
# ls -l /var/lib/containers/storage/volumes/freshrss_data/_data/users/
  • verify the state of the sqlite database
echo '.tables'| sqlite3  /var/lib/containers/storage/volumes/freshrss_data/_data/users/<your freshrss user>/db.sqlite 
category  entry     entrytag  entrytmp  feed      tag

Going with FreshRSS in Production

Podman has a very nice feature: it can generate a systemd unit from a running container, and use systemd to start the container on boot. This is in contrast to docker, where the docker daemon does the stop/start of containers on boot. I prefer the systemd approach as it treats containers the same way as other system services.

Once the freshrss container is running we can generate a systemd unit of it with:

# podman generate systemd --new --name freshrss | tee /etc/systemd/system/container-freshrss.service

Let’s stop the container we started previously, and use systemd to manage it:

# podman stop freshrss
# systemctl enable --now container-freshrss.service

We can verify that we have a listening socket on the localhost interface, on source port 8081:

# systemctl status container-freshrss.service
  ...
# ss --listening --numeric --process '( sport = 8081 )'
Netid         State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port         Process         
tcp           LISTEN          0               4096                         127.0.0.1:8081                        0.0.0.0:*             users:(("conmon",pid=4464,fd=5))

Nota Bene: conmon(8) is the process managing the network namespace in which FreshRSS is running, hence it is displayed as the process owning the listening socket.

Exposing FreshRSS to the external world

We now have a running service, but we need to make it reachable from the internet. The simplest, classical way is to create a subdomain and a VirtualHost configured as a reverse proxy to the service at 127.0.0.1:8081. Fortunately the FreshRSS authors have documented this setup in https://github.com/FreshRSS/FreshRSS/tree/edge/Docker#alternative-reverse-proxy-using-apache, and those steps are no different from a standard application behind a web reverse proxy.

Upgrading freshrss container to a newer version

Documentation showing how to install a piece of software is worth little when it does not show how to upgrade that software. Installing is easy; upgrading is where the challenge is. Thanks to the good stateless design of FreshRSS (everything is in the sqlite database, which is backed by a non-ephemeral volume in our setup), switching versions is a piece of cake.

# podman pull docker.io/freshrss/freshrss:1.20.2
# systemctl stop container-freshrss.service
# sed -i 's,docker.io/freshrss/freshrss:1.20.1,docker.io/freshrss/freshrss:1.20.2,' /etc/systemd/system/container-freshrss.service
# systemctl daemon-reload
# systemctl start container-freshrss.service

If you need to rollback, you just need to revert version numbers in the instruction above.

Enjoy your own feed reader!

I will add the following feeds of blogs I like; let us see if I follow them better with a feed reader!

Worse Than FailureCodeSOD: Join Our Naming

As a general rule, if you're using an RDBMS and can solve your problem using SQL, you should solve your problem using SQL. It's how we avoid doing joins or sorts in our application code, which is always a good thing.

But this is a general rule. And Jasmine sends us one where solving the problem as a query was a bad idea.

ALTER FUNCTION [dbo].[GetName](@EntityID int)
RETURNS varchar(200)
AS
BEGIN

declare @Name varchar(200)

select @Name =
  case E.EntityType
    when 'Application'  then A.ApplicationName
    when 'Automation'   then 'Automated Process'
    when 'Group'        then G.GroupName
    when 'Organization' then O.OrgName
    when 'Person'       then P.FirstName + ' ' + P.LastName
    when 'Resource'     then R.ResourceName
    when 'Batch'        then B.BatchComment
  end
from Entities E
left join AP_Applications A   on E.EntityID = A.EntityID
left join CN_Groups G         on E.EntityID = G.EntityID
left join CN_Organizations O  on E.EntityID = O.EntityID
left join CN_People P         on E.EntityID = P.EntityID
left join Resources R         on E.EntityID = R.EntityID
left join AR_PaymentBatches B on E.EntityID = B.EntityID
where E.EntityID = @EntityID

return @Name

END

The purpose of this function is to look up the name of an entity. Depending on the kind of entity we're talking about, we have to pull that name from a different table. This is a very common pattern in database normalization: a database equivalent of inheritance. All the fields common to all entities get stored in an Entities table, while specific classes of entity (like "Applications") get their own table which joins back to the Entities table.

On the surface, this code doesn't even really look like a WTF. By the book, this is really how you'd write this kind of function, if we were going by the book.

But the problem was that these tables were frequently very large, and even with indexes on the EntityID fields, it simply performed horribly. And since "showing the name of the thing you're looking at" was a common query, that performance hit added up.

The fix was easy: write out seven unique functions, one for each entity type, and then re-write this function to use an IF statement to decide which one to execute. The code was simpler to understand and read, and performed much faster.

In the end, perhaps not really a WTF, or perhaps the root WTF is some of the architectural decisions which allow this to exist (why a function for getting the name, and the name alone, which means we execute this query independently and not as part of a more meaningful join?). But I think it's an interesting example of how "this is the right way to do it" can lead to some unusual outcomes.


365 TomorrowsThe Art of Learning a Language

Author: Stuart Wilson The Art of Learning a Language “Japanese must be easy.” I had to shout over the traffic. And the person to whom I was shouting was quite far below now. “There are not so many unusual sounds,” I continued, trying to twist my neck into the sort of angle […]

The post The Art of Learning a Language appeared first on 365tomorrows.

Planet DebianValhalla's Things: Asemic Writing, a Zine

Posted on October 24, 2024
Tags: madeof:atoms, madeof:bits, craft:zine

An open booklet with lines that look like some kind of cursive non-alphabetic script, framed by a border in the same script and four symbols in the corners.

I have no idea either.

The front of that booklet, with three lines of fake text in different sizes and a circle of the same.

Happy Maladay[1] to those who celebrate it, I guess.


A template on white paper with pencil lines where text is supposed to go.

Multiple A4 sheet of tracing paper with fake text, plus an A6 sheet and a white A6 sheet with a stamp impression.

If you care about the how, it started as china ink on tracing paper, with the help of a template (and a correction sheet for one page where I used the wrong line on the template).


A rubber stamp was carved with the author’s signature and stamped on white paper because the ink from the pad wasn’t working well on tracing paper.

Then everything was scanned (with the correction on top of the wrong page) asemic_zine_scans.tar.

Imported in Inkscape and traced asemic_zine_svg.tar.

Printed, cut in half, folded and stapled. The magenta lines weren’t by design, but are there because my printer is currently[2] cursed.

And finally, asemic_zine.pdf was created, joining the pages together with pdfjam, for convenience in case somebody wants to download the full thing.

All the .tar and .pdf downloads from this page are released under the WTFPL, or All Rites Reversed.


  1. it’s still technically Maladay when I write this, even if by the time you’ll get this it’s probably the 6th of The Aftermath.

  2. I mean, all printers are always cursed, but at different times they can be cursed in different and novel ways.


Cryptogram Are Automatic License Plate Scanners Constitutional?

An advocacy group is filing a Fourth Amendment challenge against automatic license plate readers.

“The City of Norfolk, Virginia, has installed a network of cameras that make it functionally impossible for people to drive anywhere without having their movements tracked, photographed, and stored in an AI-assisted database that enables the warrantless surveillance of their every move. This civil rights lawsuit seeks to end this dragnet surveillance program,” the lawsuit notes. “In Norfolk, no one can escape the government’s 172 unblinking eyes,” it continues, referring to the 172 Flock cameras currently operational in Norfolk. The Fourth Amendment protects against unreasonable searches and seizures and has been ruled in many cases to protect against warrantless government surveillance, and the lawsuit specifically says Norfolk’s installation violates that.

Harald Welte On Linux MAINTAINERS file removal of Russian developers

I sincerely regret to see Linux kernel patches like this one removing Russian developers from the MAINTAINERS file. To me, it is a sign or maybe even a symbol of how far the Linux kernel developer community I remember from ~ 20 years ago has changed, and how much it has alienated itself from what I remember back in the day.

In my opinion this commit is wrong at so many different levels:

  • it is not transparent. Initially it gave no explanation whatsoever (other than some compliance hand-waving). There was some follow-up paraphrasing one paragraph of presumed legal advice that was presumably given by the Linux Foundation to Linus. That's not a thorough legal analysis at all. It doesn't even say to whom it was given, or who (the individual developers? the Linux Foundation? distributors?) is presumed to be subject to the unspecified regulations, in which specific jurisdiction.

  • it discriminates against developers based on their presumed [Russian] nationality, inferred from their name, e-mail address domain name or employer.

A later post in the thread has clarified that it's about a U.S. embargo list against certain Russian individuals / companies. It is news to me that the MAINTAINERS file usually contained companies, or that Linux kernel development is companies engaging with each other. I was under the naive assumption that it's individual developers who work together, and their employers do not really matter. Contributions are judged by their merit, and not by the author or their employer / affiliation. In the super unlikely case that indeed those individual developers removed from the MAINTAINERS file were personally listed in the embargo list: Then yes, of course, I agree, they'd have to be removed. But then the commit log should of course point to [the version] of that list and explicitly mention that they were personally listed there.

And no, I am of course not a friend of the Russian government at all. They are committing war crimes, no doubt about it. But since when has the collaboration of individual developers in an open source project been something related to actions completely unrelated to those individuals? Should I as a German developer be excluded due to the track record of Germany having started two world wars killing millions? Should Americans be excluded due to a very extensive track record of violating international law? Should we exclude Palestinians? Israelis? Syrians? Iranians? [In case it's not obvious: Those are rhetorical questions, my position is of course no to all of them].

I just think there's nothing more wrong than discriminating against people just because of their passport, their employer or their place of residence. Maybe it's my German upbringing/socialization, but we've had multiple times in our history where the concept of **Sippenhaft** (kin liability) existed. In those dark ages of history you could be prosecuted for crimes committed by other family members.

Now of course removal from the MAINTAINERS file or any other exclusion from the Linux kernel development process is not in any way comparable to prosecution like imprisonment or execution. However, the principle seems the same: An individual is punished for mere association with some others who happen to be committing crimes.

Now if there really was a compelling legal argument for this (I doubt it, but let's assume for a second there is): In that case I'd expect a broad discussion against it; a reluctance to comply with it; a search for a way to circumvent said legal requirement; a petition or political movement against that requirement.

Even if there was absolutely no way around performing such a "removal of names": At the very least I'd expect some civil disobedience by at least then introducing a statement into the file that one would have hoped to still be listing those individuals as co-maintainers but one was forced by [regulation, court order, ...] to remove them.

But the least I would expect is for senior Kernel developers to simply apply the patch with a one-sentence commit log message and thereby disrespect the work of said [presumed] Russian developers. All that does is to alienate individuals of the developer community. Not just those who are subject to said treatment today, but any others who see this sad example of how Linux developers treat each other and feel discouraged from becoming or remaining active in a community with such behaviour.

It literally hurts me personally to see this happening. It's like a kick in the gut. I used to be proud about having had an involvement with the Linux kernel community in a previous life. This doesn't feel like the community I remember being part of.

LongNow The Weather Out There

READ Andrew Dana Hudson's companion essay to this work of speculative fiction, "Space Is Dead. So Why Do We Keep Writing About It?"

Ferris

27th of Fructidor 

The Weather Out There

I worked in the garden this morning. Put my hands in the dirt, wanting to harvest. But I’m holding off. Ticking down the days or hours until the transmission from Alsafi arrives. When it comes, I’ll celebrate, pick the peas, chard and beets, enjoy them during the autumnal Feast Days next week, a bounty made all the sweeter for the waiting.

So instead I pulled weeds while the overcast sky sank low and dusty, and a rogue wave of San Francisco fog rolled over Oakland. Slow going, but I needed the time to clear my head. When my back was aching and my hands satisfied, I came in with anxious energy still to burn and picked up this housejournal, which I haven’t touched in years. I’ve got that impatient, behind-the-eyes fuzziness, like waiting for a crush to write back.

I expect we’ll hear from them today, tomorrow latest. The weather in our Oort Cloud isn’t as clear as we’d anticipated, but nothing major, nothing that should muddy the signal.

When it comes, this will be the fourth message received from Alsafi in my lifetime. Few have timed their career so fortuitously. The first came when I was a child. The second came just weeks after I joined the Intercivilizational Observatory’s San Francisco office, and I wormed my way onto the analysis team. The third came the year I met Cassio, and I was doubly lovestruck. Still, I was reading responses to questions another generation had asked. But now, a full 39-year round-trip after I began, I’ll finally get answers to my questions. Ones from my youth, maybe, but they’ll be mine. After all this time, I’ll finally be In Conversation.

Feast of Travails

Nothing yet. We’ve crept past the end of the official window. Wouldn’t be the first time they’ve missed us — or us them, for that matter. But it’s been a couple centuries since things have gone off schedule. I’m boggled, but everyone is looking to me for answers. Devin and Atul are the only ones keeping their heads. I might ask them to help me work the problem if we don’t hear something soon.

I was feeling caged by the impending equinox and my too-ancient house, so I walked down Peralta Street to the public farm, where I could get under the trees and not worry about the quiet sky. In the volunteer apple grove I bumped into Cassio. She hates Feast Week, so maybe she was escaping too. It’s been four years since we’ve talked much, outside chilly conversations in conference hallways. She seemed warmer today, not a word about our falling out, just an attentive smile and a sympathetic hand patting mine. I played it cool, but it was obvious that she’d heard about the lost window. Cass — ever the thoughtful astronomer — already had her own theories.

“Could be some dark planet wandered into the path at just the wrong time,” she said. “Our charts always have blind spots, you know. If we didn’t see it, it’s probably closer to their end, which means they’ll notice it quick and get something rough out to you soon.”

“Or they’ve been cooked by a solar flare,” I sulked. “Or they blew themselves up, or died in a plague, or suffered ecosystem collapse, or — ”

“Oh hush! Equipment failure is more likely. Maybe the problem is on our end, failed last transmission. Maybe they’ve been sitting there for decades worrying about us exactly like you’re worrying about them.”

“I like that thought even less,” I said.

“Didn’t you once tell me that people started theorizing about the emptiness of the cosmos after just a couple years of SETI listening?”

“They expected empires and megastructures,” I admitted. “They didn’t see any right away, so they figured no one was out there. That’s where the ‘Great Filter’ idea came from. It took us getting through our own Filter to realize that the universe was vast not just in space but in time.”

“Exactly. We had to listen for a long time to actually connect, and so did they. Which means we had to be sustainable, and so did they.” Cass made me look her in the eyes. “Which means if we’re fine, they’re probably fine too. We know they’re sustainable. Otherwise how could we have held down a Conversation for the last 900 years? A couple days’ tardiness doesn’t have to mean anything. Maybe years will go by, and then just like that you’ll hear from them. You’ll go back to talking like before, like nothing ever happened.”

Then she got on my shoulders and pruned a knotty, fruitless tree the neighborhood was neglecting. As she left, she said to say hi to the house, so here I am, diligently noting it in the housejournal. She said we could talk more sometime, about Alsafi, if I wanted. I think I’ll take her up on that.

16th of Vendémiaire

If things had gone as planned, I’d be releasing a new message to the world right now. Everyone is eager for these curated infusions of alien novelty — something to stir up our slow churning culture. Fashion houses and architects anticipate the fads for new Alsafi aesthetics. Philosophers await progress on the Shared Paradoxes, those questions both our worlds can make sense of but neither can answer. 

We’ve been slowly spreading the word that nothing is coming, while preparing a longer study. Devin retasked our out-system equipment to get a better look at the weather in the interstellar medium. I’d like to tell the continuity councils something, but Atul says it might be a long time before we know anything new.

So, time to kill, I walked with Cassio from the Observatory out to Ocean Beach. It was chilly, so we huddled together and draped the beach blanket over our shoulders. We strolled along the surf, watching children play fetch with neighborhood dogs. Cows munching seaweed appeared out of the mist. The fog was so thick, Cass was inspired to lecture me about space.

“Say there’s a lighthouse out there.” She waved towards Marin. “It’s going to blink a message at you. What are all the things that have to go right for you to get that message?”

“You have to have line of sight,” I said. “And be looking in the right direction, at the right time. You have to be watching long enough to see the whole message, and you need a good enough memory to remember the pattern. Then you have to know how to decode it.”

“And,” Cass waved expansively, “it can’t be too foggy.”

“We’re pretty good at predicting the weather out there, you know.”

“I’ve never liked that metaphor. Tracking matter a dozen light-years away is nothing like watching for clouds on the horizon. It’s dark, and your model has to look decades ahead based on the thinnest flickers of shadow. Did you know they keep changing the estimates of how much dark matter there is in the universe?”

I did, but something about being there with her, on that beach, stirred a thought I hadn’t had before.

“In the histories the Alsafi used to wonder a lot why they never heard from anyone besides us,” I said. “They’ve always been more bullish about the chances of life in the universe.”

“You think if they got a transmission from someone else, they’d stop talking to us?” Cassio asked.

“A second contact changes everything about The Conversation. Do they tell us about them, or them about us? Whose permission do they need first? Who do they prioritize? It gets complicated.”

“Kind of like us,” Cass said.

She spoke low, barely louder than the surf. We let it hang there for a moment, the chimes of distant drift-ships rolling in and out of the Golden Gate. 

“Kind of like us,” I agreed.

I expected her to bring up Katarina then, but she didn’t. The conversation turned back to work, to Devin’s concept sculpting and Atul’s mantra of patience. When we parted it was like the moment had never come up, like we were old colleagues whittling at a problem. More than I deserve, probably, but I’ll take it.

20th of Brumaire

The chatter stopped.

From time to time, as the weather out there allows, we pick up faint bits of Alsafi’s in-system communications, outside the transmission schedule. Nothing we can parse, usually; all noise, no signal. It fades in and out, and we’ve gotten used to paying it little mind.

Occasionally scholars or cranks will try to decode it, write a paper about some pattern noticed or a new sifting technique. Some dream of continuous contact, while others look to the chatter to confirm this fringe theory or that. But to me it’s always felt a bit like reading someone’s diary or snooping on private messages. It’s the things they say to us intentionally that matter. Otherwise, it’s not a Conversation.

But now that the chatter is all we have, we’ve been listening harder, and it’s just not there. No unscheduled distress call. No sudden wail of anguish. The last flicker arrived a couple years ago, which meant it departed Alsafi shortly after they received a transmission from us.  

It really is a locked room. I feel sure the chatter is gone for good. Until we hear from them again, all we have to go on is what’s already been said. And so much has been said — 900 years of conversation! It’s time to start looking at the histories, see if we can’t find a clue, something that might indicate what was about to go wrong.

Cassio and I commuted back to Oakland together, taking the vineway from the Observatory back over the bay, between the skyscrapers, feeling the music of their wooden creaking disappearing into our bones. Today the timing was just right, and we passed over downtown right as the last red light of the west glanced off the windows. Glass flashed kaleidoscope brilliance down into the canals and canyon farms. For three precious minutes, San Francisco exploded with spectacle.

I felt Cass nudge against me then, and she kissed me. A dense kiss, filled with hope and desire, sadness and confusion, anger at all that had happened with Katarina, lust, triumph, forgiveness. Somehow I felt four years worth of heat in her breath.

Did she kiss like that before? I hadn’t realized I’d forgotten.

7th of Pluviôse

I’ve been spending more nights at Cassio’s place. The garden is going to rot. Cass says that if I can’t caretake properly, we should let the house go to someone else. Maybe find some less needy rooms together, closer to the Observatory. I can’t tell if things are moving very fast or very slow.

Why now? What opened up in me, or in her, that made that meeting in the apple grove different than all the other run-ins we had during those four years we were broken up?

In the meantime I feel well-chided about the garden, so this morning I did some late season planting. It felt good to clear away the weeds, get my hands dirty. My mind is jumbled from combing back through old messages, communing with the computationals to parsing the leaps and doubling-backs of raw Alsafi language.

There has to be something we missed. Hints of political instability? A question we misinterpreted? Some sign of ecological decay that might open the door to pandemic? Were they keeping something from us? Posturing as more sustainable than they really were? Could some cascade of fragility have been buried in their civilization, and if so, how could we find it when they didn’t? Then again, who else could? What if they need our help?

The Weather Out There

Cassio

24th of Prairial

Hello! We gave up the apartment search, but we were still getting the side-eye from the housing councils — cohabiting too much without putting our places back into circulation. So here I am, moving back in, sharing this housejournal once again! Honestly I’m surprised Ferris worked up the nerve to suggest it, but I’m not complaining.

I always loved this old logbook. No clue who started it, however many centuries ago, and looking it up would take away the mystery. But it’s part of the house now, as much as any wall. If you care for a home long enough, its trinkets and furnishings find a kind of elegant permanence. Just the right thing in just the right drawer. If we want something that isn’t here, we should probably ask ourselves if we really need it! 

So after bouncing around unstable East Bay dorms for a few years, moving back in was a treat. Weird little antique house on a weird little antique street. All wood beams and pastel paint, devilishly complicated plumbing —  1,200 years old! Older than The Conversation. Every part has been replaced ten or twenty times, but still it remains itself. Like a civilization, I suppose, or a relationship. The good ones have a narrative, some line of continuity that stays true even as the people in them change. Growth, decay, collapse, renewal — the oldest story. Which reminds me: Ferris’s garden needs some help.

The Weather Out There

Ferris

Feast of Virtue

It’s Feast Week again, and at last I think I found something. An inconsistency in the codebase. It showed up six centuries ago, but I can’t find a record of the affirmed sign-off. It’s a tiny change, a slight tweak in how the algorithms flag and repair errors. Routine — or at least it should have been. Could such a little thing have bloomed into some deep misunderstanding without us noticing?

It’s shocking to find an error — even Atul agrees. The codebase is the greatest intellectual achievement in human or Alsafi history. It took a century and a half of confused cross-talk to co-create it. Not only did we need to learn each other’s languages — an enormous feat, given the utter alienness of our cultures — we had to build in layers of redundancy. Otherwise a stray cosmic ray or a mite of dust could scramble some crucial line of message. We learned from DNA how to write code that was both dense with information and self-repairing, while they taught us how to compress our data by hosting ideas within a web of interlaced probabilities.

Then we had to compare observations of the cosmos to find the years and trajectories where a clear signal could cross the gulf of space intact. Space is just so big, as Cass keeps reminding me. We are not stars; our strongest transmission is but a tiny ripple in the dirty darkness. We and the Alsafi stood on opposite sides of a lake, sending messages by skipping-stone. It took so much patience to begin that Conversation. And 600 years ago, we misspoke.

The Weather Out There

Cassio

Feast of Recompenses

Happy New Year! I’m toasting it alone. Ferris is down in Palo Alto, chasing his new lead, haranguing some Observatory computer boffin, poor Devin probably playing peacekeeper. I had wanted to get out of town, take an airship up to the Lost Coast, see some stars. I’m still trying to decide if I’m annoyed that he bailed or glad to be able to mope through on my own.

Feast Week is unlucky for me, unscientific as that is. My mom leaving, my first miscarriage, the falling out with Ferris over Katarina, Dad dying a year later. The normal travails of life, but they seem to accumulate in these last complementary days. Now every year I tense up, this weird pre-fight-or-flight paralysis.

But today, instead of waiting for disaster, I stole Ferris’s sunhat and did what I could for the garden. We’re in salvage mode now, I’m afraid! No wonder the neighbors looked relieved when I told them I’d moved back in! Only the potatoes made it; the squash and melons were strangled by grass Ferris should have been weeding. 

I know the Alsafi thing is a distraction. “The Quiet” they call it now. What, like we’re getting the silent treatment? But the Alsafi don’t live here, and I do, which means I’m the only one getting punished if he lets the garden go fallow.

The Weather Out There

Ferris

1st of Germinal

First day of spring, and equinox upkeep won’t wait for my domestic slump to lift. I skipped it last year, distracted by the Quiet and having Cass back. So this year we dusted every corner, inspected every picture frame, took care of new nicks in the furniture. We tossed the plates and utensils that needed composting, pulled the linens and clothes that needed mending and set them out for return to the public laundry. We mucked out the lamps, scrubbed the toilet, went top to bottom wiping away the winter oils, even grouted the foundation, though that wasn’t due for a few years. I admit: together Cass and I were far more rigorous than I’d have been alone! Bachelors and civilizations — both half-feral without a partner.

Just like spring upkeep, the codebase is a form of unending maintenance, but out of sight, so we often forget that it's happening. I’d always assumed our messages would be translated faithfully, but now I see just how much the codebase shapes the message once it leaves the Observatory’s servers.

The codebase determines which sections to prioritize with which levels of redundancy. The idea that an algorithm would rank some parts of our message above others would surely shock some members of my team. Worse, the codebase automatically swaps certain sets of synonyms for one clear term that can be coded more easily. It’s a good corrective to verbose humans forgetting the limits of the Alsafi’s knowledge of our language. But still, I can’t count the number of times we argued over which overly-deft word to use in our message. How many of those nuances were lost?

Of course, we took everything we heard from Alsafi with a grain of salt, and hopefully vice versa. You don’t build a 900-year relationship by rushing to judgment, or by being too proud to articulate confusion. But if our best efforts still leave such ambiguity, how can we be sure we ever really understood each other in the first place?

I’m more convinced than ever that something went wrong long ago. It goes beyond the glitch — we have to totally rethink how our messages might have translated through all those layers of glass we’ve set up between us. The codebase is the mystery now, the enemy even. Atul will see that, even if Devin doesn’t. Even if Cass won’t.

The Weather Out There

Cassio

12th of Messidor

Ferris is gone to Portland this week. Fighting to keep computing power on his project. He’s right that it’s too soon by decades to give up, but more people are involved now that The Quiet is public. He can’t unilaterally order a shakedown of solar system infrastructure, no matter how much he feels like he owns the mystery.

So I walked up to Berkeley today to talk to Atul. We had lunch at this new cafe, tucked into the side of Atul’s squat dormitory. The meal was red lentils and fresh Bay arame. As we ate, Atul told me about Ferris’s latest angle. I hardly had to ask, Atul was so eager to vent to someone.

“He’s very dedicated to this ‘locked room’ approach of his,” Atul said. “It was an intriguing problem at first — ‘let us apply the greatest scrutiny to ourselves’ and all that.”

“Well, shouldn’t we?” I was surprised to find myself defending Ferris.

“He’s not wrong, but he’s upsetting people. He’s gone barging in on teams he doesn’t know, playing inquisitor. Very undiplomatic, and it reflects on the Observatory. I don’t know what to do with him.”

“What about the glitch he found? Are folks not taking it seriously?”

Atul looked surprised. “He didn’t tell you? There was no glitch, not really. The signoff was just misfiled in the records. Part of the switch from the Gregorian to the Republican calendar, long ago. It ended up buried in a heap of technical addendums to a very invigorating exchange about the mechanics of color. We found it a month ago, and good job to Ferris! But he’s still carrying on like this error in procedure amounts to an error in the code, and I’m afraid there’s not much support for that position.”

I had to think back on what Ferris had said about the glitch. I decided he hadn’t lied to me. Not exactly.

“What about you?” I said. “Any theories?” 

“It hasn’t even been two years. There’s no point in getting upset until it’s been at least a decade. The lack of chatter is strange, but if you ask me that points to a physical blockage. That’s the simplest explanation, and it will be at least five more years before we can get a good enough scan to even begin to rule that out. Look — ”

Atul took my hand here, gently.

“It’s not about the Quiet. It’s about Ferris. The more I work with him, the more I think that he’s taking this all rather...personally. That’s why Devin basically quit, and I don’t blame her.”

“Conversation was his life’s ambition. To have that disappear right when...” I stopped. Atul’s tone made me realize he meant something else.

“I think he feels...spurned by Alsafi,” Atul said. “Deep down he doesn’t think The Quiet is technical, or astronomical, or anything like that. He thinks they decided to stop talking to us. To him. And he doesn’t know why, so he feels both responsible and victimized at the same time. Does that make any sense?”

It did, of course.

Maybe writing here, where Ferris will see, is passive aggressive. I don’t care.

Ferris, I’m sorry I left. And in a way, I’m sorry I came back the way I did. We’re all in a whirlpool. Even when we feel like we’re swimming, we’re not. We’re swept along. It’s all so much bigger than anyone. Even us.

The Weather Out There

Ferris

20th of Thermidor

They kicked me out of the Observatory. They were very polite about it — in fact they promoted me, asked me to take over a whole curriculum, teach the next generation about Alsafi ways of life and thought. As though any of that matters in The Quiet.

It was surreal leaving, taking the stairs for no reason at all, hoofing it out of the park, leaving my favorite bike. I hung limp on a trolley strap. In downtown, I sleepwalked into the water gardens, uncouthly swimming in all my clothes. I got concerned looks. I lay on my back, thinking about Alsafi canal computers, wishing I could wash out into the bay.

All this time chasing after a glitch, I’ve ignored that scary, simple question that came to me on the beach, in that unfocused first month of the Quiet: who else might the Alsafi have met? Those ancient fantasies about interstellar travel — how do we know it couldn’t be done? We gave up after, what, three tries? Content to stay by our own little star forever. Could other beings, with different biology, a different path of technology, have succeeded where we failed? Perhaps another post-Filter sustainable, like us, but more ambitious in their exploration. Or some kind of pre-Filter expansionary. Or something else — gods or monsters?

We could propel a probe — Cass told me the theory. A tiny wafer, lasers burning it through the murk of space all the way to Alsafi. The signal back would not be strong, but it would be our own observations, in our own language.

Yes, it would take decades, but how can we wait? Either someone convinced Alsafi to stop talking to us, or something made them stop talking to us. We have to find out which — not just for them, but for our own survival.

And if the Alsafi are still there, just stubbornly silent, we could ask them why, ask them what we said. Would they refuse to answer us then, to our face? 

The Weather Out There

Cassio

26th of Fructidor

Ferris and I had a fight. A real one, with screaming and sobbing and hands trembling, me almost throwing a vase that must be 200 years old. Not since Katarina have I been so mad at him.

He'd asked me again to pitch his probe to my colleagues. And it’s not crazy, but the way he demands it, I feel hounded. I know that after this thing will be the next thing, and the next. When will he say, “I’ve done enough. Now I can settle down and wait”?

So finally we fought about it, and about everything, all the way back through 15 years, to when we first saw each other on that Observatory retreat — me the rookie stargazer, him the dashing intellectual, speaker of alien tongues, shouter across the void. We were in the shadow of the Bay Bridge, and he grinned at me and dived, leaving me sitting in my stupid kayak, waiting for his eyes to break water.

We fought about the house, his neglect, and about his year with Katarina, how it hurt me in ways I’m still ashamed of. And then he asked me what the point was, in me coming back. And I just couldn’t find a good answer for him.

The Conversation is an ache for Ferris, history tugging him one way, the boundless future another. But I love him because he pulls back so hard, seems to own all that time. And there are moments when he feels so there for me, when he’ll melt the scale away, just be present.

I wanted that again. But how could that be enough?

He asked me why I was at the public farm that night. Well, Ferris, the truth is I tracked you down. I’d heard about The Quiet, and I wanted to see what you were like without Alsafi. Maybe on some level I did want to see you denied your Conversation. I can hate you, when I want. But mostly I missed you.

So I went to the house in time to see you leave. I followed you, caught up with you in the apple grove. I talked you down from your panic, came back into your life, cleaned up after you when you let your home fall to ruin. I thought that maybe, without them, you’d finally need me.

But I’m just one more woman, coming and going from your life, playing at domesticity. Always hovering second in your thoughts, or third. You’ll never think about my feelings the way you scrutinize the motivations of unknowable aliens. I’ll never be that interesting to you. Maybe because I didn’t play hard enough to get.

After, I waited for you to leave, then crept downstairs, feeling the vibrations of our shouting match still thrumming in the walls. I wonder if the next people here might feel it. Our love and our anger, another blot in this palimpsest.

The Weather Out There

Ferris

Feast of the Filter

Cassio left last night. Again. Today the house feels misshapen. I keep bumping into furniture that hasn’t been moved in centuries. I go out to the garden, but I don’t want to touch the patch she planted.

She’s off to Baja in the morning, where most of the asteroid deflection planning happens. There’s a comet passing through in 170 years. Cass says she wants to set it into long-term parking around Saturn, save it for a rainy day.

She didn’t ask me to come with her. 

Today is the last day of the year, that rare leap year festival. Cass hates feast days, except this one. Why is the saddest feast the one she’s drawn to? I wonder how she’s celebrating.

New Years Day, 1st of Vendémiaire

Eventually I got out of the house, felt like it let me go. I wandered down the neighborhood toward Lake Merritt, looking for Cass but dreading seeing her. Soon the revelers arrived, in masks and fresh-woven harvest cloth, and my search got worse, more panicked, until I abandoned it, numb and aching for her presence.

I got swept up in the celebrations, though for me they were a dirge. I danced and shook, waved candles and shouted songs with the crowd. When I got to Lake Merritt, I put my hand on the memorial wall, my fingertips captured by the carvings of species lost in the Filter. There were so many: leaf presses and insects drawn as in amber, mammals and birds playing little scenes. Should we add Alsafi to our wall of dead things? They talked to us for almost a thousand years. If we had really understood them, might things have turned out different?

The sun is coming up now. A new year. The third year of The Quiet, they’ll call it. The revelers have gone to bed. The air is still, the weather will be clear. It’s perfectly silent, but for the ringing in my ears.

I don’t remember how I got home, or when. Outside I see the garden. Some weeding might help my aching head. Instead I open the window and sit down to write.

Strange that I need to say it, but I do: it wasn’t my fault the Alsafi transmissions stopped. How arrogant of me to think it was! I can’t do anything about aliens 19 light-years away, any more than I can bring back those extinct creatures on the Lake Merritt wall.

Cassio leaving, though — that was my fault. This time and the last. There is no mystery to it. I neglected her love, chased either another woman or another species. I should have listened, when she told me that to my face. 

I don’t deserve to get her back, but she deserves to have me try. I’ll get some sleep and pack a bag. Baja is closer than Alsafi. Maybe there’s nothing I can do, but Cass deserves a real conversation.

💡
READ Andrew Dana Hudson's 02018 story, "The Mammoth Steps," in which translation technology and norms of interspecies communication make possible a deep friendship between a boy and a de-extincted mammoth.

LongNow: Space is Dead. Why Do We Keep Writing About It?

💡
READ Andrew Dana Hudson's companion piece to this essay, "The Weather Out There," a work of speculative fiction about communication between humans and across the stars — and what happens when that communication breaks down.
Space is Dead. Why Do We Keep Writing About It?

When I was a young kid in the 90s, my dad and I made a bet. Actually, more of a long bet. I wagered that humankind would put a person on Mars by 02020. I lost.

As I was growing up — devouring sci-fi books, watching Star Trek, poring over Popular Mechanics, and even attending Space Camp — it just made sense that humanity’s next steps into the universe were both inevitable and imminent. Technology was improving, after all, and there seemed to be ever more sophisticated proposals for how we’d travel to Mars and what we’d do when we got there. I remember the illustrations: chunky spacecraft spinning through the void, sleek domes sprouting like mushrooms out of rusty dirt.

And I wasn’t the only one. Kim Stanley Robinson’s Red Mars — still considered one of the most rigorous hard science fiction novels of all time — was published in 01992. Robinson put the start of colonization at 02026, with the first man on Mars some years before.

Yes, there’d been a lull after the high-flying moonshot 60s, but the space shuttle and the International Space Station were still impressive feats: a foothold in orbit. In 02004 Bush laid out a plan to go back to the moon by 02020, and send crewed missions to Mars as soon as 02030. There was talk of commercializing space, space tourism, space mining, all of which seemed just around the corner. Throughout the aughts I figured I might lose my childhood bet, but it still felt like something was happening.

Now all this feels naive, given what we know about the 21st century’s politics, predilections, and challenges. In retrospect, Bush’s ambitions seem more like muscular nationalist posturing, shoring up our image at a moment of declining American popularity abroad. When Trump made the same promises and founded the much mocked Space Force, it felt like a naked appeal to the nostalgia of his aging Baby Boomer base. Nowadays anyone eager to put boots on Mars puts their faith in the increasingly noxious and incoherent Elon Musk. While SpaceX has become a real player in the rocketry sector, at this point I trust Elon’s grand plans and promises even less than Trump’s.

The truth is that for over half a century since the moon landing, we’ve made little progress on the interplanetary manifest destiny I grew up believing in. Today manned spaceflight has little cultural or political momentum. China and America talk about being in a new “space race” to return to the moon, but, as impressive as that feat would be, it would just be a rerun of the 60s, playing for a much less engaged audience. To date fewer than 700 people have ever been to space. Orbit is filling up with junk.

None of this is to discount the real and meaningful work that NASA and others have done over these past few decades. The unmanned craft they have sent all across the solar system have been great scientific and technological achievements. I have friends who work on such probes, and they are marvels of ingenuity.

However, a big part of futures thinking is projecting current trends and trajectories into the future, and right now — despite 75 years of rocket ships, space stations, moon bases, and Mars domes being the dominant signifier of futurity — our present trends and trajectories point only down, back to our ever-warming Earth.

We should consider the possibility that, to quote Sam Kriss’s “Manifesto of the Committee to Abolish Outer Space”:

1. Humanity will never colonize Mars, never build moon bases, never rearrange the asteroids, never build a sphere around the sun.

2. There will never be faster-than-light travel. We will not roam across the galaxy. We will not escape our star.

3. Life is probably an entirely unexceptional phenomenon; the universe probably teems with it. We will never make contact. We will never fuck green-skinned alien babes.

4. The human race will live and die on this rock, and after we are gone something else will take our place. Maybe it already has, without our even noticing.

5. All this is good. This is a good thing.

(It’s very much worth reading this 02015 essay in full. It’s a potent corrective to the default attitude of heroic wonder with which we are usually encouraged to regard outer space.)

And yet, space stories keep coming. Walk down to your local bookstore and you’ll find plenty of new sci-fi releases about brave astronauts, rugged interstellar colonists, dashing star pirates, vast galactic empires, and so on. I recently pored over an issue of Analog Science Fiction & Fact, and I found that only five out of 20 pieces of fiction didn’t feature space in some way. I don’t have hard numbers on this, but I’d bet money that a strong majority of all the words of science fiction ever written have been about space or aliens, set in space(ships), or set on other planets.

Increasingly these stories take the form of deliberate retrofuturist period pieces. A good example is “Beyond the Sea,” in series six of Black Mirror. Some are explicitly alternate histories full of yearning for lost momentum, such as the show For All Mankind (in which a Soviet moon landing means the space race never stops). Or Mary Robinette Kowal’s The Calculating Stars and sequels (in which a 01952 asteroid impact forces humanity to figure out how to get off planet before the Earth becomes unlivable).

Others are keen on imagining space full of people and nations other than white, American men. My friend Deji Bryce Olukotun’s Nigerians in Space is a great example, as is the OSS Hope exhibit at the Museum of the Future.

Still others use space less as a future and more as a flavor of the fantastical, like Star Wars. Ann Leckie’s Ancillary Justice novels might as well be set a long time ago in a galaxy far, far away. Same with Becky Chambers’ Monk and Robot novellas, which take place on a distant moon called Panga. I find this somewhat frustrating, as Chambers’ story of postcapitalist solarpunks living in harmony with their environment and each other is a vision I’d like us to try building here in the real world. Is the takeaway that Earth is too far gone, too complicated and fractious, too sedimented with historical injustice, to achieve that kind of utopia?

And there are plenty more who continue to draw a direct line from present day Earth to the planets and stars, from The Expanse novels and TV series to the video game Starfield. Most of these, like Star Trek, depend on the invention of a physics-breaking faster-than-light (FTL) drive sometime in the next century or two. Perhaps we are starting to feel that, without such a breakthrough to make things quick and easy, the whole space affair is not worth the trouble. Kim Stanley Robinson’s Aurora makes the excellent case that venturing beyond our solar system is too slow and fraught to do with the technology that currently seems within our grasp.

💡
WATCH OR LISTEN to recent Long Now Talks on speculative and science fiction:

• Becky Chambers and Annalee Newitz's 02023 Long Now Talk, "Resisting Dystopia."
• Kim Stanley Robinson's 02022 Long Now Talk, "Climate Futures: Beyond 02022."
• Neal Stephenson's 02021 Long Now Talk, "Termination Shock."

Let me just stress that all the works I’ve just mentioned are excellent. Science fiction writers should write what they want, gloomy forecasts be damned. In fact, maybe it’s good that the genre holds a torch for space even after the wind has gone out of our collective solar sails.

But I think it’s worth asking: Why? Why do so many of us feel compelled to write about a future that isn’t actually happening? And what does it mean for science fiction that its grandest, most prominent prediction doesn’t seem to be coming to pass?

[Figure] Chart from Methods of Technological Forecasting (01977) by NATO's Advisory Group for Aerospace Research & Development. Originally seen via Maciej Ceglowski’s excellent presentation, “Web Design: The First 100 Years.”

The above chart shows an “envelope curve,” in which successive technological breakthroughs are chained together to produce, often, a view of skyrocketing, logarithmic progress. Consider this quote from a 01977 report by the Advisory Group for Aerospace Research (AGARD) on “Methods of Technological Forecasting”:

The extrapolation of envelope curves is considered by most authors as one of the tools particularly suitable for technological forecasting. Some consider it even as having potential for discerning technological breakthroughs. In the available literature, however, the same examples have been mentioned for a decade, so that there can be some doubt as to the progress made in this direction.

When you can make a series of technological breakthroughs fit neatly onto a chart, it’s easy to feel like you’re seeing a deep and inevitable pattern that must continue. Every barrier broken gives confidence that the next barrier can also be broken, even when the next barriers are, by definition of your chart, logarithmically more difficult.

Imagine you are standing on this curve at circa 01965. Behind you is a steep drop off in human velocity, ahead of you the potential for an ascent that reaches for the speed of light itself. It must have been heady days, going in one lifetime from puttering cars to the first airplanes to rockets capable of escaping Earth’s gravity well. Nothing like it had ever happened before. In many ways it was a fundamental change in what it meant to be human — to cross oceans and continents on a lark, to pierce the firmament. How could one see that hockey-sticking slope and not let one’s gaze be drawn to the stars?

We needed stories to make sense of that massive, accelerating shift. We needed a new mythology that helped us understand our place in a bigger universe, our destiny, our purpose. Science fiction is modern mythmaking that helps us manage future shock as we ride the waves of technological upheaval and social change. Waves that have rocked the world since Mary Shelley conceived of The Modern Prometheus during a dreary climate event in Geneva.

When we tell stories about space now, we aren’t predicting the future, we’re adding to and riffing on that mythological tradition, the way folklore always works.

Of course, by 01977 doubts were already starting to sneak in, as “the same examples have been mentioned for a decade.” Here’s another chart that puts the 01965 view in perspective:

[Figure] NASA's budget as a percentage of the federal budget, 01958–02017.

What happened in reality was the hockey-sticking acceleration stopped and progress plateaued. Human velocity peaked in 01969 with the crew of Apollo 10. After that NASA’s budget dropped precipitously. Meanwhile supersonic flight proved too costly, loud, and uncomfortable for most travelers, and anyway how often does one really need to get from New York to London in three hours instead of eight? The height of high velocity transportation for the vast majority of humans is now the Boeing 747 and its kin. Few trends point to this changing anytime soon — except perhaps to slow down, as the demands of decarbonization push us to fly less and take the train (or the Zoom call) more.

Going to space is several orders of magnitude more costly, loud, and uncomfortable than a Concorde jet. So, probably, we just aren’t going to do it. No nation-state is likely to devote 5% of its spending to a Mars mission, not when global economic competition is increasingly tight, aging populations are straining pensions, a pandemic demolished many healthcare systems, and climate change is battering crops, housing, and infrastructure.

And despite slide-deck dreams of quadrillion-dollar asteroid mining jackpots and Martian debt-slavery company towns, there isn’t much money to be made in space. So the capitalists aren’t going to do it either. They have budgets to balance and quarterly earnings targets to hit and executive bonuses to pay out and stocks to buy back, and no amount of cosmist mythmaking is going to make space profitable. Elon launches rockets and Starlink satellites to hype up Tesla stock and get governments under his thumb.

Everyone frets about the billionaires running off to other planets and leaving us to suffer on a broken Earth, but that’s just another parable. Our climate is getting bad, but it’s not anywhere close to being Mars-bad or Venus-bad. That’s where you need domes. Doing anything in space is so, so much harder and more expensive than fixing up the ecosystems around us. Repairing our own atmosphere is going to be a big project, but way easier than terraforming another planet. The appeal of “Planet B” narratives is that you could start over without the headache of dealing with people, which is so much more pessimistic and misanthropic than just acknowledging that we’re stuck here on Earth, with each other.

We’ll send astronauts to orbit, maybe back to the moon — a little space race redux for the U.S.-China rivalry. We’ll send unmanned probes to every celestial body within reach, and learn a great deal from those. We won’t put a man on Mars or build a moon base — at least not in my lifetime.

I say all this as someone who sincerely loves space. If there really was a chance to board a colony ship to Mars, I’d be sorely tempted. I desperately hope the world proves my low expectations wrong. To do so, however, would take a very different political and economic order than the one we have now.

The moon landing happened because capitalism and American empire actually had a rival. These forces had to prove they could outrace, outplan, and outspend communism and Soviet empire. It was probably the biggest PR campaign of all time, if you don’t count our bloated military. But such grand flexes are not necessary in our current capitalist realist status quo. When there’s no alternative, who are you trying to impress?

I do think we can go to Mars, and beyond, if we want to. But we’d have to decide to do so, collectively and democratically, probably not even as a nation-state but as a species. We’d have to put aside capitalist and nationalist competition. We’d have to take up more pressing moonshots first — decarbonization and climate repair — and then keep that momentum of big public spending flowing.

So if you want to write a story about space, that’s where I think it should start. How do we get through the bottleneck of climate collapse and polycrisis, through to a better system that offers more expansive possibilities?

💡
READ Andrew Dana Hudson's 02022 interview with Long Now about his novel, Our Shared Storm: A Novel of Five Climate Futures.

It’s an extremely tough question, so I don’t blame my fellow science fiction writers for skipping to the good stuff or offering alternate histories instead. I find the latter approach compelling myself. But the world is once again hockey-sticking, and we need new myths to get us through.

A coda: if we ever do get a message from another star, our communication will probably be bound by the speed of light. No ansible, no Contact blueprints. We’ll have to send letters plodding back and forth across the endless void, waiting years or decades or centuries for a reply.

So maybe our best bet of finding out what’s Out There in the universe is to extend our reach not into the vastness of space but into the equally vast expanse of time: to make our civilization peaceful, stable, and sustainable, so we can keep listening. If we listen long enough, we might just catch a signal from someone else out there that’s achieved the same thing.

This essay was first published in slightly different form on Andrew Dana Hudson's newsletter, solarshades.club.

Krebs on Security: The Global Surveillance Free-for-All in Mobile Ad Data

Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.

Image: Shutterstock, Arthimides.

Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online. Backed by millions of dollars in litigation financing, Atlas so far this year has sued 151 consumer data brokers on behalf of a class that includes more than 20,000 New Jersey law enforcement officers who are signed up for Atlas services.

Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers. Daniel’s Law was passed in 2020 after the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge — his mother.

Last week, Atlas invoked Daniel’s Law in a lawsuit (PDF) against Babel Street, a little-known technology company incorporated in Reston, Va. Babel Street’s core product allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area.

Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices.

Babel Street can offer this tracking capability by consuming location data and other identifying information that is collected by many websites and broadcast to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user.

This image, taken from a video recording Atlas made of its private investigator using Babel Street, shows all of the unique mobile IDs seen over time at a mosque in Dearborn, Michigan. Each red dot represents one mobile device.

In an interview, Atlas said a private investigator they hired was offered a free trial of Babel Street, which the investigator was able to use to determine the home address and daily movements of mobile devices belonging to multiple New Jersey police officers whose families have already faced significant harassment and death threats.

Atlas said the investigator encountered Babel Street while testing hundreds of data broker tools and services to see if personal information on its users was being sold. They soon discovered Babel Street also bundles people-search services with its platform, to make it easier for customers to zero in on a specific device.

The investigator contacted Babel Street about possibly buying home addresses in certain areas of New Jersey. After listening to a sales pitch for Babel Street and expressing interest, the investigator was told Babel Street only offers their service to the government or to “contractors of the government.”

“The investigator (truthfully) mentioned that he was contemplating some government contract work in the future and was told by the Babel Street salesperson that ‘that’s good enough’ and that ‘they don’t actually check,’” Atlas shared in an email with reporters.

KrebsOnSecurity was one of five media outlets invited to review screen recordings that Atlas made while its investigator used a two-week trial version of Babel Street’s LocateX service. References and links to reporting by other publications, including 404 Media, Haaretz, NOTUS, and The New York Times, will appear throughout this story.

Collectively, these stories expose how the broad availability of mobile advertising data has created a market in which virtually anyone can build a sophisticated spying apparatus capable of tracking the daily movements of hundreds of millions of people globally.

The findings outlined in Atlas’s lawsuit against Babel Street also illustrate how mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.

WARRANTLESS SURVEILLANCE

Atlas says the Babel Street trial period allowed its investigator to find information about visitors to high-risk targets such as mosques, synagogues, courtrooms and abortion clinics. In one video, an Atlas investigator showed how they isolated mobile devices seen in a New Jersey courtroom parking lot that was reserved for jurors, and then tracked one likely juror’s phone to their home address over several days.

While the Atlas investigator had access to its trial account at Babel Street, they were able to successfully track devices belonging to several plaintiffs named or referenced in the lawsuit. They did so by drawing a digital polygon around the home address or workplace of each person in Babel Street’s platform, which focused exclusively on the devices that passed through those addresses each day.

Each red dot in this Babel Street map represents a unique mobile device that has been seen since April 2022 at a Jewish synagogue in Los Angeles, Calif. Image: Atlas Data Privacy Corp.

One unique feature of Babel Street is the ability to toggle a “night” mode, which makes it relatively easy to determine within a few meters where a target typically lays their head each night (because their phone is usually not far away).

Atlas plaintiffs Scott and Justyna Maloney are both veteran officers with the Rahway, NJ police department who live together with their two young children. In April 2023, Scott and Justyna became the target of intense harassment and death threats after Officer Justyna responded to a routine call about a man filming people outside of the Motor Vehicle Commission in Rahway.

The man filming the Motor Vehicle Commission that day is a social media personality who often solicits police contact and then records himself arguing about constitutional rights with the responding officers.

Officer Justyna’s interaction with the man was entirely peaceful, and the episode appeared to end without incident. But after a selectively edited video of that encounter went viral, their home address and unpublished phone numbers were posted online. When their tormentors figured out that Scott was also a cop (a sergeant), the couple began receiving dozens of threatening text messages, including specific death threats.

According to the Atlas lawsuit, one of the messages to Mr. Maloney demanded money, and warned that his family would “pay in blood” if he didn’t comply. Sgt. Maloney said he then received a video in which a masked individual pointed a rifle at the camera and told him that his family was “going to get [their] heads cut off.”

Maloney said a few weeks later, one of their neighbors saw two suspicious individuals in ski masks parked one block away from the home and alerted police. Atlas’s complaint says video surveillance from neighboring homes shows the masked individuals circling the Maloneys’ home. The responding officers arrested two men, who were armed, for unlawful possession of a firearm.

According to Google Maps, Babel Street shares a corporate address with Google and the consumer credit reporting bureau TransUnion.

Atlas said their investigator was not able to conclusively find Scott Maloney’s iPhone in the Babel Street platform, but they did find Justyna’s. Babel Street had nearly 100,000 hits for her phone over several months, allowing Atlas to piece together an intimate picture of Justyna’s daily movements and meetings with others.

An Atlas investigator visited the Maloneys and inspected Justyna’s iPhone, and determined the only app that used her device’s location data was from the department store Macy’s.

In a written response to questions, Macy’s said its app includes an opt-in feature for geo-location, “which allows customers to receive an enhanced shopping experience based on their location.”

“We do not store any customer location information,” Macy’s wrote. “We share geo-location data with a limited number of partners who help us deliver this enhanced app experience. Furthermore, we have no connection with Babel Street” [link added for context].

Justyna’s experience highlights a stark reality about the broad availability of mobile location data: Even if the person you’re looking for isn’t directly identifiable in platforms like Babel Street, it is likely that at least some of that person’s family members are. In other words, it’s often trivial to infer the location of one device by successfully locating another.

The terms of service for Babel Street’s Locate X service state that the product “may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action.” But Scott Maloney said he’s convinced by their experience that not even law enforcement agencies should have access to this capability without a warrant.

“As a law enforcement officer, in order for me to track someone I need a judge to sign a warrant – and that’s for a criminal investigation after we’ve developed probable cause,” Mr. Maloney said in an interview. “Data brokers tracking me and my family just to sell that information for profit, without our consent, and even after we’ve explicitly asked them not to is deeply disturbing.”

Mr. Maloney’s law enforcement colleagues in other states may see things differently. In August, The Texas Observer reported that state police plan to spend more than $5 million on a contract for a controversial surveillance tool called Tangles from the tech firm PenLink. Tangles is an AI-based web platform that scrapes information from the open, deep and dark web, and it has a premier feature called WebLoc that can be used to geofence mobile devices.

The Associated Press reported last month that law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cell phone tracking tool called Fog Reveal — at times without warrants — that gives them the ability to follow people’s movements going back many months.

It remains unclear precisely how Babel Street is obtaining the abundance of mobile location data made available to users of its platform. The company did not respond to multiple requests for comment.

But according to a document (PDF) obtained under a Freedom of Information Act request with the Department of Homeland Security’s Science and Technology directorate, Babel Street re-hosts data from the commercial phone tracking firm Venntel.

On Monday, the Substack newsletter All-Source Intelligence unearthed documents indicating that the U.S. Federal Trade Commission has opened an inquiry into Venntel and its parent company Gravy Analytics.

“Venntel has also been a data partner of the police surveillance contractor Fog Data Science, whose product has been described as ‘mass surveillance on a budget,'” All-Source’s Jack Poulson wrote. “Venntel was also reported to have been a primary data source of the controversial ‘Locate X’ phone tracking product of the American data fusion company Babel Street.”

MAID IN HELL

The Mobile Advertising ID or MAID — the unique alphanumeric identifier assigned to each mobile device — was originally envisioned as a way to distinguish individual mobile customers without relying on personally identifiable information such as phone numbers or email addresses.

However, there is now a robust industry of marketing and advertising companies that specialize in assembling enormous lists of MAIDs that are “enriched” with historical and personal information about the individual behind each MAID.

One of many vendors that “enrich” MAID data with other identifying information, including name, address, email address and phone number.

Atlas said its investigator wanted to know whether they could find enriched MAID records on their New Jersey law enforcement customers, and soon found plenty of ad data brokers willing to sell it.

Some vendors offered only a handful of data fields, such as first and last name, MAID and email address. Other brokers sold far more detailed histories along with their MAID, including each subject’s social media profiles, precise GPS coordinates, and even likely consumer category.

How are advertisers and data brokers gaining access to so much information? Some MAID data comes from apps on your phone, such as AccuWeather, GasBuddy, Grindr, and MyFitnessPal, that collect your MAID and location and sell that to brokers.

A user’s MAID profile and location data are also commonly shared as a consequence of simply using a smartphone to visit a web page that features ads. In the few milliseconds before those ads load, the website will send a “bid request” to various ad exchanges, where advertisers can bid on the chance to place their ad in front of users who match the consumer profiles they’re seeking. A great deal of data can be included in a bid request, including the user’s precise location (the current open standard for bid requests is detailed here).

The trouble is that virtually anyone can access the “bidstream” data flowing through these so-called “realtime bidding” networks, because the information is simultaneously broadcast in the clear to hundreds of entities around the world.
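To make the bid request mechanism concrete, here is an added example (not from the article, and not code from any vendor it names) that audits which identifying fields a bid request carries and shows how a publisher or app SDK could strip or coarsen them before the request is broadcast. The field names follow the IAB OpenRTB 2.x BidRequest object; the sample request, its identifiers and coordinates are all constructed for illustration.

```python
"""Audit and minimise the identifying fields in an OpenRTB-style bid request.

Added example; not from the article or from any vendor it names. Field names
follow the IAB OpenRTB 2.x BidRequest object (device.ifa, device.ip,
device.geo.lat/lon, device.lmt, user.id, user.buyeruid). The request below is
constructed for illustration and every value in it is invented.
"""
import copy
import json

# Constructed sample of what a mobile app SDK might send to an ad exchange,
# which then forwards it to every bidder listening on that exchange.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"bundle": "com.example.retailapp"},
    "device": {
        "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
        "ip": "203.0.113.42",
        "ifa": "6D92078A-8246-4BA4-AE5B-76104861E7DC",  # the MAID
        "lmt": 1,  # user chose "limit ad tracking", yet the ifa is still sent
        "geo": {"lat": 40.758912, "lon": -73.985130, "type": 1, "accuracy": 5},
    },
    "user": {"id": "u-77fd2", "buyeruid": "exch-19a3"},
}

# What a tracking-limited device sends instead of a real advertising ID.
ZERO_IFA = "00000000-0000-0000-0000-000000000000"

# Dotted paths of fields that let any recipient of the broadcast identify or
# locate the device and join it to the same device seen in other apps.
IDENTIFYING_FIELDS = (
    "device.ifa", "device.ip", "device.geo.lat", "device.geo.lon",
    "user.id", "user.buyeruid",
)


def _get(obj, path):
    """Look up a dotted path in nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _present(req, path):
    """True if the field carries a usable identifier (a zeroed IFA does not)."""
    value = _get(req, path)
    if path == "device.ifa" and value == ZERO_IFA:
        return False
    return value is not None


def audit_bid_request(req):
    """List the identifying fields a request exposes, and flag the case where
    the device's "limit ad tracking" flag (lmt=1) is contradicted by a real
    ifa, which should be absent or zeroed when that flag is set."""
    exposed = [p for p in IDENTIFYING_FIELDS if _present(req, p)]
    lmt_violated = _get(req, "device.lmt") == 1 and "device.ifa" in exposed
    return {"exposed": exposed, "lmt_violated": lmt_violated}


def _truncate_ipv4(ip):
    """Zero the host octet so the address names a network, not one device."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else None


def minimize_bid_request(req, geo_decimals=2):
    """Return a copy with cross-context identifiers removed and the location
    coarsened to `geo_decimals` places (two places is roughly a 1 km grid).
    This is the publisher-side shape of the request before it is broadcast."""
    out = copy.deepcopy(req)
    device = out.setdefault("device", {})
    device.pop("ifa", None)
    if "ip" in device:
        truncated = _truncate_ipv4(device["ip"])
        if truncated is None:
            device.pop("ip")  # not IPv4 we can coarsen; drop it entirely
        else:
            device["ip"] = truncated
    geo = device.get("geo")
    if isinstance(geo, dict):
        for axis in ("lat", "lon"):
            if isinstance(geo.get(axis), (int, float)):
                geo[axis] = round(geo[axis], geo_decimals)
        geo.pop("accuracy", None)  # a "5 m accuracy" claim would undo the rounding
    out.pop("user", None)
    return out


if __name__ == "__main__":
    print("before:", audit_bid_request(SAMPLE_BID_REQUEST))
    safe = minimize_bid_request(SAMPLE_BID_REQUEST)
    print("after: ", audit_bid_request(safe))
    print(json.dumps(safe, indent=2))
```

The audit on the constructed request reports all six identifying fields and the lmt contradiction; after minimisation only a /24 network and a two-decimal coordinate remain, which is the difference between "a device in midtown" and "this device at this doorstep".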

The result is that there are a number of marketing companies that now enrich and broker access to this mobile location information. Earlier this year, the German news outlet netzpolitik.org purchased a bidstream data set containing more than 3.6 billion data points, and shared the information with the German daily BR24. They concluded that the data they obtained (through a free trial, no less) made it possible to establish movement profiles — some of them quite precise — of several million people across Germany.

A screenshot from the BR24/Netzpolitik story about their ability to track millions of Germans, including many employees of the German Federal Police and Interior Ministry.

Politico recently covered startling research from universities in New Hampshire, Kentucky and St. Louis that showed how the mobile advertising data they acquired allowed them to link visits from investigators with the U.S. Securities and Exchange Commission (SEC) to insiders selling stock before the investigations became public knowledge.

The researchers in that study said they didn’t attempt to use the same methods to track regulators from other agencies, but that virtually anyone could do it.

Justin Sherman, a distinguished fellow at Georgetown Law’s Center for Privacy and Technology, called the research a “shocking demonstration of what happens when companies can freely harvest Americans’ geolocation data and sell it for their chosen price.”

“Politicians should understand how they, their staff, and public servants are threatened by the sale of personal data—and constituent groups should realize that talk of data broker ‘controls’ or ‘best practices’ is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions,” Sherman wrote for Lawfare this week.

A BIDSTREAM DRAGNET?

The Orwellian nature of modern mobile advertising networks may soon have far-reaching implications for women’s reproductive rights, as more states move to outlaw abortion within their borders. The 2022 Dobbs decision by the U.S. Supreme Court discarded the federal right to abortion, and 14 states have since enacted strict abortion bans.

Anti-abortion groups are already using mobile advertising data to advance their cause. In May 2023, The Wall Street Journal reported that an anti-abortion group in Wisconsin used precise geolocation data to direct ads to women it suspected of seeking abortions.

As it stands, there is little to stop anti-abortion groups from purchasing bidstream data (or renting access to a platform like Babel Street) and using it to geofence abortion clinics, potentially revealing all mobile devices transiting through these locations.

Atlas said its investigator geofenced an abortion clinic and was able to identify a likely employee at that clinic, following their daily route to and from that individual’s home address.

A still shot from a video Atlas shared of its use of Babel Street to identify and track an employee traveling each day between their home and the clinic.
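To make the two steps above concrete (the bidstream-to-movement-profile analysis in the Netzpolitik/BR24 case, and the clinic geofence Atlas ran in Babel Street), here is an added Python example. It is not the article's, Atlas's or Babel Street's code. The bid requests are constructed JSON lines whose field names follow the OpenRTB 2.x Device object (device.ifa for the MAID, device.geo.lat/lon for the position, device.geo.type == 1 for a GPS fix); identifiers, timestamps and coordinates are invented, timestamps are treated as local time, and "home" is approximated as the cell a device most often reports from at night. All of those are assumptions of the example, not facts from the article.

```python
import json
import math
from collections import Counter
from datetime import datetime

# Constructed sample bidstream (JSON lines). Field layout follows the OpenRTB 2.x
# Device object: device.ifa carries the MAID in the clear, device.geo.lat/lon the
# position, and device.geo.type == 1 marks a GPS/location-services fix (2 = IP
# derived). Identifiers, timestamps and coordinates are invented for this example.
SAMPLE_BIDSTREAM = """
{"id":"r1","ts":"2024-10-01T01:10:00Z","device":{"os":"Android","ifa":"6f1b2c3d-0000-4000-8000-000000000001","geo":{"lat":32.3617,"lon":-86.2792,"type":1}}}
{"id":"r2","ts":"2024-10-01T04:30:00Z","device":{"os":"Android","ifa":"6f1b2c3d-0000-4000-8000-000000000001","geo":{"lat":32.3618,"lon":-86.2790,"type":1}}}
{"id":"r3","ts":"2024-10-01T14:05:00Z","device":{"os":"Android","ifa":"6f1b2c3d-0000-4000-8000-000000000001","geo":{"lat":30.4383,"lon":-84.2807,"type":1}}}
{"id":"r4","ts":"2024-10-01T23:40:00Z","device":{"os":"Android","ifa":"6f1b2c3d-0000-4000-8000-000000000001","geo":{"lat":32.3616,"lon":-86.2793,"type":1}}}
{"id":"r5","ts":"2024-10-01T02:00:00Z","device":{"os":"Android","ifa":"6f1b2c3d-0000-4000-8000-000000000002","geo":{"lat":29.7605,"lon":-95.3699,"type":1}}}
{"id":"r6","ts":"2024-10-01T13:00:00Z","device":{"os":"Android","ifa":"6f1b2c3d-0000-4000-8000-000000000002","geo":{"lat":29.7604,"lon":-95.3698,"type":1}}}
{"id":"r7","ts":"2024-10-01T13:30:00Z","device":{"os":"iOS","geo":{"lat":30.4390,"lon":-84.2810,"type":2}}}
"""

NIGHT_HOURS = frozenset({22, 23, 0, 1, 2, 3, 4, 5})
CLINIC = (30.4383, -84.2807)   # invented fence centre for the example


def parse_bidstream(text):
    """One (ifa, timestamp, lat, lon) tuple per usable bid request.

    A request with no MAID or no coordinates cannot be joined to anything else
    and is dropped; that is what an iOS device with tracking denied looks like.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)
        device = req.get("device", {})
        geo = device.get("geo") or {}
        ifa = device.get("ifa")
        if not ifa or "lat" not in geo or "lon" not in geo:
            continue
        ts = datetime.fromisoformat(req["ts"].replace("Z", "+00:00"))
        records.append((ifa, ts, float(geo["lat"]), float(geo["lon"])))
    return records


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def geofence_hits(records, lat, lon, radius_m):
    """MAIDs of every device that produced a bid request inside the fence."""
    return {ifa for ifa, _ts, la, lo in records
            if haversine_m(la, lo, lat, lon) <= radius_m}


def movement_profile(records, ifa):
    """Time-ordered fixes for one MAID: the raw material for a daily route."""
    return sorted((ts, la, lo) for rec_ifa, ts, la, lo in records if rec_ifa == ifa)


def infer_home(records, ifa, night_hours=NIGHT_HOURS):
    """Most frequent ~100 m cell (3 decimal places) the device reports at night.

    Timestamps are treated as local time here (an assumption of the example);
    a real analysis would convert each fix to the time zone it was taken in.
    """
    cells = Counter((round(la, 3), round(lo, 3))
                    for ts, la, lo in movement_profile(records, ifa)
                    if ts.hour in night_hours)
    return cells.most_common(1)[0][0] if cells else None


def track_from_fence(text, lat, lon, radius_m=150):
    """Geofence a location, then resolve every device seen there to a likely home."""
    records = parse_bidstream(text)
    return {ifa: {"home": infer_home(records, ifa),
                  "fixes": len(movement_profile(records, ifa))}
            for ifa in geofence_hits(records, lat, lon, radius_m)}


if __name__ == "__main__":
    for ifa, info in track_from_fence(SAMPLE_BIDSTREAM, *CLINIC).items():
        print(ifa, info)
```

Note what happens to the iOS record without a device.ifa: it is dropped, because without a stable identifier it cannot be joined to anything, which is the ATT effect discussed below. Note also that the home inference needs nothing but repeated night-time fixes, so a device's own opt-out does not protect a person whose household's other devices keep reporting from the same cell.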

Last year, Idaho became the first state to outlaw “abortion trafficking,” which the Idaho Capital Sun reports is defined as “recruiting, harboring or transporting a pregnant minor to get an abortion or abortion medication without parental permission.” Tennessee now has a similar law, and GOP lawmakers in five other states introduced abortion trafficking bills that failed to advance this year, the Sun reports.

Atlas said its investigator used Babel Street to identify and track a person traveling from their home in Alabama — where abortion is now illegal — to an abortion clinic just over the border in Tallahassee, Fla. — and back home again within a few hours. Abortion rights advocates and providers are currently suing Alabama Attorney General Steve Marshall, seeking to block him from prosecuting people who help patients travel out-of-state to end pregnancies.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said she’s extremely concerned about dragnet surveillance of people crossing state lines in order to get abortions.

“Specifically, Republican officials from states that have outlawed abortion have made it clear that they are interested in targeting people who have gone to neighboring states in order to get abortions, and to make it more difficult for people who are seeking abortions to go to neighboring states,” Galperin said. “It’s not a great leap to imagine that states will do this.”

APPLES AND GOOGLES

Atlas found that for the right price (typically $10-50k a year), brokers can provide access to tens of billions of data points covering large swaths of the US population and the rest of the world.

Based on the data sets Atlas acquired — many of which included older MAID records — they estimate they could locate roughly 80 percent of Android-based devices, and about 25 percent of Apple phones. Google refers to its MAID as the “Android Advertising ID” (AAID), while Apple calls it the “Identifier for Advertisers” (IDFA).

What accounts for the disparity between the number of Android and Apple devices that can be found in mobile advertising data? In April 2021, Apple shipped version 14.5 of its iOS operating system, which introduced a technology called App Tracking Transparency (ATT) that requires apps to get affirmative consent before they can track users by their IDFA or any other identifier.

Apple’s introduction of ATT had a swift and profound impact on the advertising market: Less than a year later Facebook disclosed that the iPhone privacy feature would decrease the company’s 2022 revenues by about $10 billion.

Source: cnbc.com.

Google runs by far the world’s largest ad exchange, known as AdX. The U.S. Department of Justice, which has accused Google of building a monopoly over the technology that places ads on websites, estimates that Google’s ad exchange controls 47 percent of the U.S. market and 56 percent globally.

Google’s Android is also the dominant mobile operating system worldwide, with more than 72 percent of the market. In the U.S., however, iPhone users claim approximately 55 percent of the market, according to TechRepublic.

In response to requests for comment, Google said it does not send real time bidding requests to Babel Street, nor does it share precise location data in bid requests. The company added that its policies explicitly prohibit the sale of data from real-time bidding, or its use for any purpose other than advertising.

Google said its MAIDs are randomly generated and do not contain IP addresses, GPS coordinates, or any other location data, and that its ad systems do not share anyone’s precise location data.

“Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID,” Google’s written statement reads. “If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.”

In a written statement shared with reporters, Apple said Location Services is not on by default in its devices. Rather, users must enable Location Services and must give permission to each app or website to use location data. Users can turn Location Services off at any time, and can change whether apps have access to location at any time. The user’s choices include precise vs. approximate location, as well as a one-time grant of location access by the app.

“We believe that privacy is a fundamental human right, and build privacy protections into each of our products and services to put the user in control of their data,” an Apple spokesperson said. “We minimize personal data collection, and where possible, process data only on users’ devices.”

Zach Edwards is a senior threat analyst at the cybersecurity firm SilentPush who has studied the location data industry closely. Edwards said Google and Apple can’t keep pretending like the MAIDs being broadcast into the bidstream from hundreds of millions of American devices aren’t making most people trivially trackable.

“The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem,” he said.

STATES ACT, WHILE CONGRESS DITHERS

According to Bloomberg Law, between 2019 and 2023, threats against federal judges have more than doubled. Amid increasingly hostile political rhetoric and conspiracy theories against government officials, a growing number of states are seeking to pass their own versions of Daniel’s Law.

Last month, a retired West Virginia police officer filed a class action lawsuit against the people-search service Whitepages for listing their personal information in violation of a statute the state passed in 2021 that largely mirrors Daniel’s Law.

In May 2024, Maryland passed the Judge Andrew F. Wilkinson Judicial Security Act — named after a county circuit court judge who was murdered by an individual involved in a divorce proceeding over which he was presiding. The law allows current and former members of the Maryland judiciary to request their personal information not be made available to the public.

Under the Maryland law, personal information can include a home address; telephone number, email address; Social Security number or federal tax ID number; bank account or payment card number; a license plate or other unique vehicle identifier; a birth or marital record; a child’s name, school, or daycare; place of worship; place of employment for a spouse, child, or dependent.

The law firm Troutman Pepper writes that “so far in 2024, 37 states have begun considering or have adopted similar privacy-based legislation designed to protect members of the judiciary and, in some states, other government officials involved in law enforcement.”

Atlas alleges that in response to requests to have data on its New Jersey law enforcement clients scrubbed from consumer records sold by LexisNexis, the data broker retaliated by freezing the credit of approximately 18,500 people, and falsely reporting them as identity theft victims.

In addition, Atlas said LexisNexis started returning failure codes indicating they had no record of these individuals, resulting in denials when officers attempted to refinance loans or open new bank accounts.

The data broker industry has responded by having at least 70 of the Atlas lawsuits moved to federal court, and challenging the constitutionality of the New Jersey statute as overly broad and a violation of the First Amendment.

Attorneys for the data broker industry argued in their motion to dismiss that there is “no First Amendment doctrine that exempts a content-based restriction from strict scrutiny just because it has some nexus with a privacy interest.”

Atlas’s lawyers responded that data covered under Daniel’s Law — personal information of New Jersey law enforcement officers — is not free speech. Atlas notes that while defending against comparable lawsuits, the data broker industry has argued that home address and phone number data are not “communications.”

“Data brokers should not be allowed to argue that information like addresses are not ‘communications’ in one context, only to turn around and claim that addresses are protectable communications,” Atlas argued (PDF). “Nor can their change of course alter the reality that the data at issue is not speech.”

The judge overseeing the challenge is expected to rule on the motion to dismiss within the next few weeks. Regardless of the outcome, the decision is likely to be appealed all the way to the U.S. Supreme Court.

Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states could limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.

Sen. Ron Wyden (D-Ore.) said Congress’ failure to regulate data brokers, and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created this current privacy crisis.

“Whether location data is being used to identify and expose closeted gay Americans, or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans’ deepest secrets and exposing them to serious harm, all for a few bucks,” Wyden said in a statement shared with KrebsOnSecurity, 404 Media, Haaretz, NOTUS, and The New York Times.

Sen. Wyden said Google also deserves blame for refusing to follow Apple’s lead by removing companies’ ability to track phones.

“Google’s insistence on uniquely tracking Android users – and allowing ad companies to do so as well – has created the technical foundations for the surveillance economy and the abuses stemming from it,” Wyden said.

Georgetown Law’s Justin Sherman said the data broker and mobile ad industries claim there are protections in place to anonymize mobile location data and restrict access to it, and that there are limits to the kinds of invasive inferences one can make from location data. The data broker industry also likes to tout the usefulness of mobile location data in fighting retail fraud, he said.

“All kinds of things can be inferred from this data, including people being targeted by abusers, or people with a particular health condition or religious belief,” Sherman said. “You can track jurors, law enforcement officers visiting the homes of suspects, or military intelligence people meeting with their contacts. The notion that the sale of all this data is preventing harm and fraud is hilarious in light of all the harm it causes enabling people to better target their cyber operations, or learning about people’s extramarital affairs and extorting public officials.”

WHAT CAN YOU DO?

Privacy experts say disabling or deleting your device’s MAID will have no effect on how your phone operates, except that you may begin to see far less targeted ads on that device.

Any Android apps with permission to use your location should appear when you navigate to the Settings app, Location, and then App Permissions. “Allowed all the time” is the most permissive setting, followed by “Allowed only while in use,” “Ask every time,” and “Not allowed.”

Android users can delete their ad ID permanently, by opening the Settings app and navigating to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. According to the EFF, this will prevent any app on your phone from accessing the ad ID in the future. Google’s documentation on this is here.

Image: eff.org

By default, Apple’s iOS requires apps to ask permission before they can access your device’s IDFA. When you install a new app, it may ask for permission to track you. When prompted to do so by an app, select the “Ask App Not to Track” option. Apple users also can set the “Allow apps to request to track” switch to the “off” position, which will block apps from asking to track you.

Apple’s Privacy and Ad Tracking Settings.

Apple also has its own targeted advertising system which is separate from third-party tracking enabled by the IDFA. To disable it, go to Settings, Privacy, and Apple Advertising, and ensure that the “Personalized Ads” setting is set to “off.”

Finally, if you’re the type of reader who’s the default IT support person for a small group of family or friends (bless your heart), it would be a good idea to set their devices not to track them, and to disable any apps that may have location data sharing turned on 24/7.

There is a dual benefit to this altruism, beyond the device owner’s own interests. Even if your own device is not directly trackable via advertising data, making sure the people around you are opted out also reduces the likelihood that you can be tracked simply by being physically close to those who are.

Planet DebianJonathan Dowland: Why hardware synths?

Russell wrote a great comment on my last post (thanks!):

What benefits do these things offer when a general purpose computer can do so many things nowadays? Is there a USB keyboard that you can connect to a laptop or phone to do these things? I presume that all recent phones have the compute power to do all the synthesis you need if you have the right software. Is it just a lack of software and infrastructure for doing it on laptops/phones that makes synthesisers still viable?

I've decided to turn my response into a post of its own.

The issue is definitely not compute power. You can indeed attach a USB keyboard to a computer and use a plethora of software synthesisers, including very faithful emulations of all the popular classics. The raw compute power of modern hardware synths is comparatively small: I’ve been told the modern Korg digital synths are on a par with a raspberry pi. I’ve seen some DSPs which are 32 bit ARMs, and other tools which are roughly equivalent to arduinos.

I can think of four reasons hardware synths remain popular with some despite the above:

  1. As I touched on in my original synth post, computing dominates my life outside of music already. I really wanted something separate from that to keep mental distance from work.

  2. Synths have hard real-time requirements. They don't have raw power in compute terms, but they absolutely have to do their job within microseconds of being instructed to, with no exceptions. Linux still has a long way to go for hard real-time.

  3. The Linux audio ecosystem is… complex. Dealing with pipewire, pulseaudio, jack, alsa, oss, and anything else I've forgotten, as well as their failure modes, is too time consuming.

  4. The last point is to do with creativity and inspiration. A good synth is more than the sum of its parts: it's an instrument, carefully designed and its components integrated by musically-minded people who have set out to create something to inspire. There are plenty of synths which aren't good instruments, but have loads of features: they’re boxes of "stuff". Good synths can't do it all: they often have limitations which you have to respond to, work around or with, creatively. This was expressed better than I could by Trent Reznor in the video archetype of a synthesiser:

Planet DebianJonathan Dowland: Arturia Microfreak

Arturia Microfreak. [© CC-BY-SA 4](https://commons.wikimedia.org/wiki/File:MicroFreak.jpg)

I nearly did, but ultimately I didn't buy an Arturia Microfreak.

The Microfreak is a small form factor hybrid synth with a distinctive style. It's priced at the low end of the market and it is overflowing with features. It has a weird 2-octave keyboard which is a stylophone-style capacitive strip rather than weighted keys. It seems to have plenty of controls, but given the amount of features it has, much of that functionality is inevitably buried in menus. The important stuff is front and centre, though. The digital oscillators are routed through an analog filter. The Microfreak gained sampler functionality in a firmware update that surprised and delighted its owners.

I watched a load of videos about the Microfreak, but the above review from musician Stimming stuck in my mind because it made a comparison between the Microfreak and Teenage Engineering's OP-1.

The Teenage Engineering OP-1.

I'd been lusting after the OP-1 since it appeared in 2011: a pocket-sized1 music making machine with eleven synthesis engines, a sampler, and less conventional features such as an FM radio, a large colour OLED display, and a four track recorder. That last feature in particular was really appealing to me: I loved the idea of having an all-in-one machine to try and compose music. Even then, I was not keen on involving conventional computers in music making.

Of course in many ways it is a very compromised machine. I never did buy an OP-1, and by now they've replaced it with a new model (the OP-1 field) that costs 50% more (but doesn't seem to do 50% more). I'm still not buying one.

Framing the Microfreak in terms of the OP-1 made the penny drop for me. The Microfreak doesn't have the four-track functionality, but almost no synth has: I'm going to have to look at something external to provide that. But it might capture a similar sense of fun; it's something I could use on the sofa, in the spare room, on the train, during lunchbreaks at work, etc.

On the other hand, I don't want to make the same mistake as with the Micron: too much functionality requiring some experience to understand what you want so you can go and find it in the menus. I also didn't get a chance to audition the unusual keyboard: there's only one music store carrying synths left in Newcastle and they didn't have one.

So I didn't buy the Microfreak. Maybe one day in the future once I'm further down the road. Instead, I started to concentrate my search on more fundamental, back-to-basics instruments…


  1. Big pockets, mind

Worse Than FailureCodeSOD: Querieous Strings

When processing HTTP requests, you frequently need to check the parameters which were sent along with that request. Those parameters are generally passed as stringly-typed key/value pairs. None of this is news to anyone.

What is news, however, is how Brodey's co-worker indexed the key/value pairs.

For i As Integer = 0 To (Request.Params().Count - 1)
    If (parameters.GetKey(i).ToString() <> "Lang") Then
        If (parameters.GetKey(i).Equals("ID")) OrElse (parameters.GetKey(i).Equals("new")) OrElse _
             (parameters.GetKey(i).Equals("open")) OrElse (parameters.GetKey(i).Equals("FID")) _
         OrElse (parameters.GetKey(i).Equals("enabled")) OrElse (parameters.GetKey(i).Equals("my")) OrElse _
         (parameters.GetKey(i).Equals("msgType")) OrElse (parameters.GetKey(i).Equals("Type")) _
         OrElse (parameters.GetKey(i).Equals("EID")) OrElse (parameters.GetKey(i).Equals("Title")) OrElse _
         (parameters.GetKey(i).Equals("ERROR")) Then
            URLParams &= "&" & parameters.GetKey(i).ToString()
            URLParams &= "=" & parameters(i).ToString()
        End If
    End If
Next

The goal of this code is to take a certain set of keys and construct a URLParams string which represents those key/values as an HTTP query string. The first thing to get out of the way: .NET has query-string helpers (including a QueryString type) that handle the construction of the query string for you, including escaping, so you don't need to do any string concatenation. That matters here because the values are appended raw: a value containing & or = is not escaped, so it splits into extra key/value pairs wherever URLParams is reused, and a value the allowlist was meant to exclude can ride in on one it admits.

But the real WTF is everything surrounding that. We opt to iterate across every key- not just the ones we care about- and use the GetKey(i) function to check each individual key in an extensive chain of OrElse statements.

The obvious and simpler approach would have been to iterate across an array of the keys I care about- ID, new, open, FID, enabled, my, msgType, Type, EID, Title, ERROR- and simply check if they were in the Request.
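To show why the missing escaping matters, here is an added Python example (not the page's VB.NET code and not a .NET API). build_query_naive mirrors the original logic of concatenating allowlisted keys and raw values; build_query_safe keeps the same allowlist but hands the encoding to urllib.parse.urlencode. The request dictionary is constructed, and the value of new deliberately carries an extra &ERROR=... so that the difference is visible when a downstream parser reads the result.

```python
from urllib.parse import parse_qs, urlencode

# The keys the page's VB code forwards; anything else ("Lang" included) is dropped.
FORWARDED_KEYS = ("ID", "new", "open", "FID", "enabled", "my",
                  "msgType", "Type", "EID", "Title", "ERROR")

# Constructed request parameters. The value of "new" deliberately carries an
# extra "&ERROR=..." to show what unescaped concatenation does with it.
SAMPLE_REQUEST = {
    "Lang": "en",
    "ID": "42",
    "Title": "Q3 report & review",
    "new": "1&ERROR=injected",
}


def build_query_naive(params, allowed=FORWARDED_KEYS):
    """Mirror of the original logic: allowlisted keys, raw values, no escaping."""
    out = ""
    for key in allowed:
        if key in params:
            out += "&" + key + "=" + params[key]
    return out


def build_query_safe(params, allowed=FORWARDED_KEYS):
    """Same allowlist, but urlencode escapes '&', '=' and spaces inside values."""
    kept = [(key, params[key]) for key in allowed if key in params]
    return "&" + urlencode(kept) if kept else ""


def parse_query(query):
    """What a downstream handler sees after parsing the string (leading '&' stripped)."""
    return parse_qs(query.lstrip("&"))


def smuggled_keys(params):
    """Keys a downstream parser sees in the naive output that the allowlist never forwarded."""
    seen = set(parse_query(build_query_naive(params)))
    forwarded = {key for key in FORWARDED_KEYS if key in params}
    return sorted(seen - forwarded)


if __name__ == "__main__":
    print("naive:   ", build_query_naive(SAMPLE_REQUEST))
    print("safe:    ", build_query_safe(SAMPLE_REQUEST))
    print("smuggled:", smuggled_keys(SAMPLE_REQUEST))
```

With the sample request, the naive string yields an ERROR parameter the code never intended to forward and truncates the Title at the ampersand; the encoded string round-trips both values intact. The allowlist alone is not the defence; the encoding is.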

I suppose the only silver lining here is that they thought to use the OrElse operator- which is a short-circuiting "or" operation, like you'd expect in just about any other language, instead of Or, which doesn't short circuit (pulling double duty as both a bitwise Or and a logical Or, because Visual Basic wants to contribute some WTFs).


365 TomorrowsThe Fells

Author: Majoki

Silence Wildgoose was lost. Not an uncommon occurrence in the weighty mists that formed on the fells. Getting turned around on the moor was not something that ever put her on edge, but she sensed something else had descended to earth with the mists as well, and Silence was not pleased. She’d made […]

The post The Fells appeared first on 365tomorrows.

Planet DebianMichael Ablassmeier: qmpbackup 0.33

In the last weeks qmpbackup has seen a bit more improvements.

  • Adds support for CEPH/RBD backed devices.
  • Allows using unique bitmaps, so multiple, separate backup chains can be kept.
  • Adds support for JSON-ified filename configurations, as often used on Proxmox systems.
  • Adds support for saving attached pflash/nvram devices (which store UEFI-related settings).
  • qmprestore can now merge the backup chain into a new image file, and the new snapshotrebase command can rebase the images and, after committing, creates an internal qcow snapshot, so one can easily switch between different VM states in the backup.

I've been running it lately to back up virtual machines on Proxmox systems where the Proxmox Backup Server is not an option.


Harald WelteOral history transcripts: Pioneers of Taiwans Chip + PC industry

During the preparation of my current brief visit to Taiwan, I've more or less by coincidence stumbled on several transcripts of oral history interviews with pioneers of the Taiwanese Chip and PC industry (click on the individual transcripts in the Related Records section at the bottom). They have been recorded, transcribed and translated in 2011 by the Computer History Museum under funding from the National Science Council, Taiwan, R.O.C..

As some of you know, I've been spending a lot of time in recent years researching (and practically exploring + re-implementing) historical telecommunications with my retronetworking project.

Retrocomputing itself is not my main focus. I usually feel there's more than enough people operating, repairing, documenting at least many older computers, as well as keeping archives of related software and continuing to spread knowledge on how they operated. Nevertheless, it is a very interesting topic - I just decided that with my limited spare time I want to focus on retro-communications which is under-explored and under-represented.

What's equally important as keeping the old technology alive is keeping the knowledge around its creation alive. How did it happen that certain technologies were created and became successful or not? Who were the key people behind it? etc.

Given my personal history with Taiwan during the last 18 years, it's actually surprising I haven't yet given thought on how or where the history of the Taiwanese IT industry is documented or kept alive. So far I didn't know of any computer museums that would focus especially on the Taiwanese developments. It didn't even occur to me to even check if there are any.

During my work in Taiwan I've had the chance to briefly meet a few senior people at FIC (large mainboard maker that made many PC mainboards I personally used) and both at VIA (chipset + CPU maker). But I didn't ever have a chance to talk about the history.

In any case, I now found those transcripts of interviews. And what a trove of interesting first-hand information they are! If you have an interest in computer history, and want to understand how it came about that Taiwan became such a major player in either the PC industry or in the semiconductor design + manufacturing, then I believe those transcripts are a "must read".

Now they've made me interested to learn more. I have little hope of many books being published on that subject, particularly in a language I can read (i.e. English, not Mandarin Chinese). But I shall research that subject. I'd also be interested to hear about any other information, like collections of historical artifacts, archives, libraries, etc. So in the unlikely case anybody reading this has some pointers on information about the history of the Taiwanese chip and computer industry, please by all means do reach out and share!

Once I have sufficiently prepared myself in reading whatever I can find in terms of written materials, I might be tempted to try to reach out and see if I can find some first-hand witnesses who'd want to share their stories on a future trip to Taiwan...

Harald WelteBack to Taiwan the first time after 5 years

Some of the readers of this blog know that I have a very special relationship with Taiwan. As a teenager, it was the magical far-away country that built most of the PC components in all my PCs since my first 286-16 I got in 1989. Around 2006-2008 I had the very unexpected opportunity to work in Taiwan for some time (mainly for Openmoko, later some consulting for VIA). During that time I have always felt most welcome in and fascinated by the small island nation who managed to turn themselves into a high-tech development and manufacturing site for ever more complex electronics. And who managed to evolve from decades of military dictatorship and turn into a true democracy - all the while being discriminated against by pretty much all of the countries around the world, as everybody wanted to benefit from cheap manufacturing in mainland China and hence expel democratic Taiwan from the United Nations in favour of communist mainland China.

I have the deepest admiration for Taiwan to manage all of their economic success and progress in terms of democracy and freedom despite the political situation across the Taiwan strait, and despite everything that comes along with it. May they continue to have the chance of continuing their path.

Setting economy, society and politics behind: On a more personal level I've enjoyed their culinary marvels from excellent dumplings around every street corner to niu rou mien (beef noodle soup) to ma la huo guo (spicy hot pot). Plus then the natural beauty, particularly of the rural mountainous regions once you leave the densely populated areas around the coast line and the plains of the north west.

While working in Taiwan in 2006/2007 I decided to buy a motorbike. Using that bike I've first made humble day trips and later (once I was no longer busy with stressful work at Openmoko) multiple week-long road trips around the island, riding on virtually any passable road you can find. My typical routing algorithm is "take the smallest possible road from A to B".

So even after concluding my work in Taiwan, I returned again and again for holidays, each one with more road trips. For some time, Taiwan had literally become my second home. I had my favorite restaurants, shops, as well as some places around the rural parts of the island I came back to several times. I even managed to take up some mandarin classes, something I never had the time for while doing [more than] full time work. To my big regret, it's still very humble beginner level; I guess had I not co-started a company (sysmocom) in Berlin in 2011, I'd have spent more time on more serious study.

In any case, I have nothing but the fondest memory of Taiwan. My frequent visits came to a forcible halt with the COVID-19 pandemic: Taiwan was in full isolation in 2020/21, and even irrespective of government regulations, I've been very cautious about travel and contact. Plus of course, there's always the bad conscience of frequent intercontinental air travel.

Originally I was planning to finally go on an extended Taiwan holiday in Summer 2024, but then the island was hit by a relatively serious earthquake in April, affecting particularly many of the remote mountain regions that are of main interest to me. There are some roads that I'd have wanted to ride ever since 2008, but which had been closed every successive year when I went there, due to years of reconstructions after [mostly landslides following] earthquakes and typhoons. So I decided to postpone it for another year to 2025.

However, in an unexpected change of fate, the opportunity arose to give the opening keynote at the 2024 Open Compliance Summit in Japan, and along with that the opportunity to do a stop-over in Taiwan. It will just be a few days of Taipei this time (no motorbike trips), but I'm very much looking forward to being back in the city I probably know second or third-best on the planet (after Berlin, my home for 23 years, as well as Nuernberg, my place of birth). Let's see what is still the same and what has changed during the past 5 years!

Worse Than FailureCoded Smorgasbord: What the Hmm?

Our stories come from you, our readers- which, it's worth reminding everyone, keep those submissions coming in. There's nothing on this site without your submissions.

Now, we do get some submissions which don't make the page. Frequently, it's because we simply don't have enough context from the submission to understand it or comment on it effectively. Often, it's just not that remarkable. And sometimes, it's because the code isn't a WTF at all.

So I want to discuss some of these, because I think it's still interesting. And it's unfair to expect everyone to know everything, so for the submitters who discover they didn't understand why this code isn't bad, you're one of today's lucky 10,000.

We start with this snippet, from Guss:

#define FEATURE_SENSE_CHAN      (1 << 0)
#define FEATURE_SENSE_PEER      (1 << 1)

Guss writes:

The Asterisk open source telephony engine has some features that need to know from which direction they've been invoked in a two-way call. This is called "sense" in the Asterisk lingo, and there are two macros defined in the source which allow you to textually know if you're talking about this direction or the other. This of course stands for 1 and 0 respectively, but they couldn't have just simply go on and say that - it has to be "interesting". Do also note, as this is a macro, it means that whenever someone sets or tests the "sense", another redundant bit shift operation is done.

First, minor detail- this stands for 1 and 2 respectively. And what's important here is that these fields are clearly meant to be a bitmask. And when we're talking about a bitmask, using bitshift operators makes the code more clear. And we can generally rely on a shift by zero bits to be a no-op, and any compiler should be smart enough to spot that and optimize the operation out. Hell, a quick check with GCC shows that even the (1 << 1) gets optimized to just the constant 0x2.

Not a WTF, but it does highlight something we've commented on in the past- bitmasks can be confusing for people. This is a good example of that. But not only is this not a WTF, but it's not even bad code.

(Now, it may be the case that these are never really used as a bitmask, in which case, that's a mild WTF, but that's not what Guss was drawing our attention to)
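To make the bitmask point concrete, here is an added example (not Asterisk code, and not from the submission) that takes the two macros exactly as quoted and walks a flag word through the usual set, clear and test idioms. The helpers sense_set, sense_clear, sense_test, sense_demo and sense_name are hypothetical names introduced for this illustration; the _Static_assert lines pin down the "1 and 2" correction from the text at compile time.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* The two Asterisk macros quoted above, written as a bitmask: each flag
 * owns one bit, so both can be set in a single value. */
#define FEATURE_SENSE_CHAN      (1 << 0)   /* == 0x1 */
#define FEATURE_SENSE_PEER      (1 << 1)   /* == 0x2 */

/* Compile-time confirmation of the values (the shift expressions are
 * constant-folded; no shift is performed at run time). */
_Static_assert(FEATURE_SENSE_CHAN == 1, "1 << 0 must be 1");
_Static_assert(FEATURE_SENSE_PEER == 2, "1 << 1 must be 2");

/* Hypothetical helpers (added for this example) for the standard
 * set / clear / test operations on a flag word built from such macros. */
static inline unsigned sense_set(unsigned flags, unsigned bit)   { return flags | bit; }
static inline unsigned sense_clear(unsigned flags, unsigned bit) { return flags & ~bit; }
static inline int      sense_test(unsigned flags, unsigned bit)  { return (flags & bit) != 0; }

/* Walk a flag word through a typical lifecycle and return the final state:
 * set both directions, then clear CHAN, leaving only PEER (0x2). */
unsigned sense_demo(void)
{
    unsigned flags = 0;
    flags = sense_set(flags, FEATURE_SENSE_CHAN);    /* 0x1 */
    flags = sense_set(flags, FEATURE_SENSE_PEER);    /* 0x3: both directions */
    flags = sense_clear(flags, FEATURE_SENSE_CHAN);  /* 0x2: only PEER remains */
    return flags;
}

/* Decode a flag word into a label. The "both" and "none" states are
 * exactly what a plain 0/1 encoding of "sense" could not represent. */
const char *sense_name(unsigned flags)
{
    int chan = sense_test(flags, FEATURE_SENSE_CHAN);
    int peer = sense_test(flags, FEATURE_SENSE_PEER);
    if (chan && peer) return "chan+peer";
    if (chan)         return "chan";
    if (peer)         return "peer";
    return "none";
}

int main(void)
{
    unsigned final = sense_demo();
    printf("final flags: 0x%x (%s)\n", final, sense_name(final));
    printf("both set:    %s\n", sense_name(FEATURE_SENSE_CHAN | FEATURE_SENSE_PEER));
    return 0;
}
```

The reason to keep the `(1 << n)` spelling rather than writing `1` and `2` directly is that the bit position is what matters when flags are combined: adding a third flag is `(1 << 2)`, and a reader can see at a glance that it does not collide with the first two.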

In other cases, the code is bad, but it may be reacting to the badness it's surrounded by. Greg inherited this blob from some offshore contractors:

RegistryKey RK = Registry.LocalMachine.OpenSubKey("SOFTWARE\\XXXXX\\YYYYY");
string BoolLog = "";
if (RK != null)
	BoolLog = ((string)RK.GetValue("LogSocket", "")).ToLower();
if (BoolLog == "true" || BoolLog == "yes" || BoolLog == "1")
{
	...
}

Now, seeing a string variable called BoolLog is a big red flag that bad code is inbound. And we see it handling some stringly typed boolean data to try and extract a truth value. Which all whiffs of bad code.

But let's talk about the Windows Registry. It's typed, but the types are strings, lists of strings, and various numeric types. There's no strictly boolean type. And sure, while explicitly storing a 1 in a numeric field is probably a better choice for the registry than string booleans, there are reasons why you might do that (especially if you frequently need to modify Registry keys by hand, like when you're debugging).

The real WTF, in this case, isn't this code, but is instead the Windows Registry. Having a single tree store be the repository for all your system configuration sounds like a good idea on paper, but as anyone who's worked with it has discovered- it's a nightmare. The code here isn't terrible. It's not good, but it's a natural reaction to the terrible world in which it lives.

Sometimes, the code is actually downright awful, but it's just hard to care about too much. Rudolf was shopping for bulk LEDs, which inevitably leads one to all sorts of websites based in China offering incredibly cheap prices and questionable quality control.

The site Rudolf was looking at had all sorts of rendering glitches, and so out of curiosity, he viewed the source.

{\rtf1\ansi\ansicpg1252\deff0\deflang2055{\fonttbl{\f0\froman\fcharset0 Times New Roman;}{\f1\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\f0\fs24 <html>\par
\par
<head> <meta http-equiv="refresh" content="1; url=http://totally-fine-leds-really-its-fine.ch"> \par

Here we see someone wrote their HTML in WordPad, and saved the file as an RTF, instead of a plain text file. Which sure, is bad. But again, we need to put this in context: this almost certainly isn't the page for handling any transactions or sales (that almost certainly uses a prebaked ecommerce plugin). This is their approach to letting "regular" users upload content to the site- frequently documentation pages. This isn't a case where some developer who should have known better messed up- this is almost certainly some sales person who has an HTML template to fill in and upload. It probably stretches their technical skills to the limit to "Save As…" in WordPad.

So the code isn't bad. Again, the environment in which it sits is bad. But this is a case where the environment doesn't matter- these kinds of sites are really hoping to score some B2B sales in bulk quantities, and "customer service" and "useful website" isn't going to drive sales better than "bargain basement prices" will. They're not trying to sell to consumers, they're trying to sell to a company which will put these into consumer products. Honestly, we should be grateful that they at least tried to make an HTML file, and didn't just upload PDFs, which is usually what you find on these sites.

Sometimes, we don't have a WTF. Sometimes, we have a broken world that we can just do our best to navigate. We must simply do our best.


365 TomorrowsTabula Rasa

Author: Justin Anderson [Begin transcript] I wear different shoes and take a different route every time I come down here. The last thing I need is to be tracked by the cameras and the drones hiding all over this sector. On the way here, I kept my mind empty. Didn’t betray where I was going. […]

The post Tabula Rasa appeared first on 365tomorrows.

David BrinSupernovas, Mars, and solar sails!

We just returned from Pasadena, where Caltech - my alma mater - installed me as Distinguished Alumnus. An honor that I sincerely never expected, given the many brilliant minds I knew when I was there. Reflecting on that is humbling - even 'imposter syndroming' - though people kindly urged me to think otherwise.

In today's delayed posting, I'll be mostly taking a pause from politics... though the topic of my previous blog - about the likelihood of blackmail poisoning top levels of the U.S. republic - remains horrifically plausible... 

...especially now that prominent members of one party are openly admitting that their party is suborned in this way, by foreign powers.

Only now, let's move on to news from out there!


== Space News! ==

I've already posted elsewhere about the incredible "chopstix" landing-grab of a returning heavy-lift SpaceX booster stage. The concept is now proved, even though a whole lot more incremental steps are needed. 

Don't let any polemical jibber-distractions take away from the wonder that was achieved by Gwynne Shotwell and her SpaceX team.

Anyway, as for that distracting blather... well... I recall when there was a similar problem with Frank Zappa -- vast accomplishments that he seemed bent on continuously spoiling with audience-insulting rants -- until (at last) Zappa listened to the fans shouting he should "Shut up and play your Guitar!" 

The ratio of ravings to accomplishments seems similar, this time. And what will be remembered (whether or not that wise example is followed) is the 'guitar.'**


 == The next steps in space exploration? ==

On this Future in Review (FiRe) podcast, I'm interviewed by the brilliant Berit Anderson - focusing on the near and mid-future of human spaceflight, especially Artemis and other planned missions to the Moon. (Incidentally, the annual FiRe Conference - one of the most visionary gatherings on the planet - has been postponed due to landslides.)

Also.... Just released: a newly-updated version of  Project Solar Sail: 21st Century Edition: A collection of stories and essays exploring the future of lightships and solar sails in propelling interplanetary... and then interstellar... exploration!

This volume (which I edited with Stephen W. Potts) offers classic contributions by Arthur C. Clarke, Isaac Asimov, Larry Niven, Poul Anderson, Jack Vance, and others... plus new material, including by JPL scientists exploring the latest technologies and vast potential for sails in the future of space exploration. 

== A Red/WET Planet? ==

Geophysical/seismic data from the old Mars InSight lander indicates a lot of water – frozen or even liquid – sloshing deep, deep under the surface of Mars. If the water-rich layer now detected deeper below the surface were consistent around the entire globe of Mars, there would be enough water to fill ancient oceans, and then some. 


And while we’re there…


NASA's Innovative & Advanced Concepts program - (NIAC) - is pleased to announce the 2024 NIAC Phase III award to the mighty pioneer of applications of spaceflight to future biology, and vice versa, Lynn Rothschild: “Mycotecture Off Planet: En Route to the Moon and Mars.”  

In other words, growing space habitats with the help of fungi and mushrooms! A house that protects you from vacuum and radiation... and that you can eat!  For a list of all early stage NIAC research, please visit the Funded Studies page


The Curiosity Mars rover rolled over a rock, accidentally crushing it open to reveal yellow crystals of elemental sulfur! - the first time sulfur has been found in its elemental form on Mars.


A fine article about my friend & colleague (and half of a mighty fencing team) Geoff Landis, epic scifi author and incidentally superstar NASA scientist, proposing ways to explore Venus. See also Land-Sailing: Venus Rover, where Landis introduces younger readers to methods of exploring - and traveling across - the surface of Venus.


Speaking of Venus…. re-analysis of data from the 1990s Magellan probe appears to show that volcanoes there are still active!



== Gettin’ a little galactic wit it ==


Many of you are familiar with Lagrange points – L1 through L5 – where gravity balance between two objects (the smaller orbiting the larger) creates ‘tidepools’ where even-smaller things can gather. Temporarily or (in the case of Jupiter’s Trojan asteroid clusters) permanently. Here Anton Petrov talks about a (slim) possibility that there might be such a point between our sun and the galactic center.  It would not be able to collect much, with other stars whipping by over millions of years. But still… I do talk about galactic tidepools in Infinity’s Shore!


Mysterious brightening of a distant galaxy: Did this galaxy suddenly brighten (doubling in infrared frequencies, a 10-fold increase in X-rays)… because its central black hole ate a star?


Getting cosmic. Has the James Webb Space Telescope allowed researchers to resolve the “Hubble Tension” or discrepancy in the rate of expansion of the universe?  It may have just been exaggerated… or possibly we simply needed a better tool. 


Two huge galactic clusters were colliding at 1% of light speed, billions of years away/ago, heating their gas clouds prodigiously as drag slowed them down… "These cluster collisions are the most energetic phenomena since the Big Bang…"  But while drag slowed the gas and stars, the galaxies’ dark matter apparently kept rolling on ahead at the original velocities, separating dark from regular matter clumps. This is pretty good reporting on how much detailed sleuthing is involved in figuring all this out.

== Truly mind-stretching! ==


Incredible. About 20 seconds into this video by Anton Petrov (one of the best ‘casts about new discoveries in space) you’ll see an amazing image from the Webb Space Telescope. A very deep field photo that dives into the faint past, beyond redshift-3, this one image captures eighty(!) supernovae taking place ‘simultaneously’ (as seen from Earth today) in a single, narrow frame. Each in a different galaxy. 


There are so many things this tells us.


1. Since any one supernova only remains stand-out visible for a few weeks (maybe a bit longer in infrared, the Webb specialty), this means there ‘are’ absolute gobs of them happening out there…

2. …or there used to be gobs of them, since we are in this case peering way back in time, making it a wee bit less surprising, since early star formation must have led to a great many giant, 1st generation stars, of the kind that burn bright and then blow themselves up with core-collapse supernovas… seeding later generations with heavier elements. Certainly, nothing like this rate is occurring “today”… (our redshift <1 era.) Though Betelgeuse is simmering...

3. Since each of the circled supernovae happened in a different galaxy… and it had to be happening a lot, in order for these brief bursts to be so common in one patch of deep sky... it gives you a truly boggling idea how many galaxies there are. A mind stretch that I can only perform for a few seconds at a time. Read more: NASA's Webb opens new window on supernova science.

That we are a civilization capable of building such a wonder as the Webb… and perceiving and marveling at such wonders… fills me with joy! And also fear that we might throw it all away, in a fit of anti-modernity angst, pushed by powerful fools bent on restoring us to feudalism’s darkness.


More impact news...


Recent chemical and isotopic analyses from samples obtained by coring into the Chicxulub crater site on Mexico's Yucatan peninsula indicate that the 66-million year old mass-extinction event was likely caused by the impact of a carbonaceous asteroid originating from the outer solar system, rather than a comet.


As for the moon... Bombardment and impact vaporization of meteorites hitting the lunar surface appear to replenish and maintain the moon's extremely thin atmosphere.


Watch this simulation of a black hole tearing apart a star


And...You can help find black holes: a new app, Black Hole Finder - enables citizen scientists to help identify singularities in astronomical images collected by BlackGEM telescopes in Chile. 


And yeah. Again. ALL of this is under threat by ingrates with a lunatic grudge against not only scientists, but every fact-using profession. A too-seldom-mentioned aspect of this dire fight for the only civilization that ever brought us all these wonders... and that now stands poised to venture the stars.


If we decide not to blow it.


====


====



** Patrick Farley's Electric Sheep Comix appears to no longer support the beautiful series DON'T LOOK BACK, which featured Guitar spaceships!  You could nag him to repost it?  


Or else enjoy... and be terrified by... APOCAMON, revealing what fate some of our neighbors believe and fervently salivate for, from the Book of Revelation. OMG read that one and know what they want and plan for us! People who want this are not nice and they are openly telling you what they want for you.


Planet DebianDirk Eddelbuettel: drat 0.2.5 on CRAN: Small Updates

drat user

A new minor release of the drat package arrived on CRAN today, which is just over a year since the previous release. drat stands for drat R Archive Template, and helps with easy-to-create and easy-to-use repositories for R packages. Since its inception in early 2015 it has found reasonably widespread adoption among R users because repositories with marked releases are the better way to distribute code.

Because for once it really is as your mother told you: Friends don’t let friends install random git commit snapshots. Properly rolled-up releases it is. Just how CRAN shows us: a model that has demonstrated for over two-and-a-half decades how to do this. And you can too: drat is easy to use, documented by six vignettes and just works. Detailed information about drat is at its documentation site. That said, and ‘these days’, if you mainly care about github code then r-universe is there too, also offering binaries it makes and all that jazz. But sometimes you just want to, or need to, roll a local repository and drat can help you there.

This release contains a small PR (made by Arne Holmin just after the previous release) adding support for an ‘OSflavour’ variable (helpful for macOS). We also corrected an issue with one test file being insufficiently careful about using git2r only when installed, and as usual did a round of maintenance for the package concerning both continuous integration and documentation.

The NEWS file summarises the release as follows:

Changes in drat version 0.2.5 (2024-10-21)

  • Function insertPackage has a new optional argument OSflavour (Arne Holmin in #142)

  • A test file conditions correctly about git2r being present (Dirk)

  • Several smaller packaging updates and enhancements to continuous integration and documentation have been added (Dirk)

Courtesy of my CRANberries, there is a comparison to the previous release. More detailed information is on the drat page as well as at the documentation site.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Planet DebianSahil Dhiman: Free Software Mirrors in India

Last Updated on 02/11/2024.

List of public mirrors in India. Location determined on the basis of personal knowledge, traces or GeoIP. Mirrors which aren’t accessible outside their own ASN are excluded.

North India

East India

South India

West India

CDN (or behind one)

Many thanks to Shrirang and Saswata for tips and corrections. Let me know if I’m missing someone or something is amiss.

Cryptogram No, The Chinese Have Not Broken Modern Encryption Systems with a Quantum Computer

The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.”

No, it’s not true.

This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion.

Cryptography is safe, and will be for a long time.

Planet DebianSven Hoexter: Terraform: Making Use of Precondition Checks

I'm in the unlucky position to have to deal with GitHub. Thus I have a terraform module in a project which deals with populating organization secrets in our GitHub organization, and assigning repositories access to those secrets.

Since the GitHub terraform provider internally works mostly with repository IDs, not slugs (the human readable organization/repo format), we have to do some mapping in between. In my case it looks like this:

# tfvars Input for Module
org_secrets = {
    "SECRET_A" = {
        repos = [
            "infra-foo",
            "infra-baz",
            "deployment-foobar",
        ]
    }
    "SECRET_B" = {
        repos = [
            "job-abc",
            "job-xyz",
        ]
    }
}

# Module Code
/*
Limitation: The GH search API which is queried returns at most 1000
results. Thus whenever we reach that limit this approach will no longer work.
The query is also intentionally limited to internal repositories right now.
*/
data "github_repositories" "repos" {
    query           = "org:myorg archived:false -is:public -is:private"
    include_repo_id = true
}

/*
The properties of the github_repositories.repos data source queried
above contains only lists. Thus we've to manually establish a mapping
between the repository names we need as a lookup key later on, and the
repository id we got in another list from the search query above.
*/
locals {
    # Assemble the set of repository names we need repo_ids for
    repos = toset(flatten([for v in var.org_secrets : v.repos]))

    # Walk through all names in the query result list and check
    # if they're also in our repo set. If yes add the repo name -> id
    # mapping to our resulting map
    repos_and_ids = {
        for i, v in data.github_repositories.repos.names : v => data.github_repositories.repos.repo_ids[i]
        if contains(local.repos, v)
    }
}

resource "github_actions_organization_secret" "org_secrets" {
    for_each        = var.org_secrets
    secret_name     = each.key
    visibility      = "selected"
    # the logic how the secret value is sourced is omitted here
    plaintext_value = data.xxx
    selected_repository_ids = [
        for r in each.value.repos : local.repos_and_ids[r]
        if can(local.repos_and_ids[r])
    ]
}

Now if we do something bad, delete a repository and forget to remove it from the configuration for the module, we receive some error message that a (numeric) repository ID could not be found. Pretty much useless for the average user, because you have to figure out which repository is still in the configuration list but got deleted recently.

Luckily, since version 1.2 terraform supports precondition checks, which we can use in an output block to provide the information which repository is missing. What we need is the set of missing repositories and the validation condition:

locals {
    # Debug facility in combination with an output and precondition check
    # There we can report which repository we still have in our configuration
    # but no longer get as a result from the data provider query
    missing_repos = setsubtract(local.repos, data.github_repositories.repos.names)
}

# Debug facility - If we can not find every repository in our
# search query result, report those repos as an error
output "missing_repos" {
    value = local.missing_repos
    precondition {
        condition     = length(local.missing_repos) == 0
        error_message = format("Repos in config missing from resultset: %v", local.missing_repos)
    }
}

Now you only have to be aware that GitHub is GitHub and the TF provider has open bugs, but is not supported by GitHub and you will encounter inconsistent results. But it works, even if your terraform apply failed that way.

Worse Than FailureCodeSOD: Perfect Test Coverage

When SC got hired, the manager said "unit testing is very important to us, and we have 100% test coverage."

Well, that didn't sound terrible, and SC was excited to see what kind of practices they used to keep them at that high coverage.

[Test]
public void a_definition() {
    Assert.True(new TypeExpectations<IndexViewModel>()
        .DerivesFrom<object>()
        .IsConcreteClass()
        .IsSealed()
        .HasDefaultConstructor()
        .IsNotDecorated()
        .Implements<IEntity>()
        .Result);
}

This is an example of what all of their tests look like. There are almost no tests of functionality, and instead just long piles of these kinds of type assertions. Which, while having type assertions isn't a bad idea in itself, most of these would be caught by the compiler anyway:

  • DerivesFrom<object> is a tautology (perhaps this test framework is ensuring it doesn't derive from other classes? but object is the parent of all classes)
  • IsConcreteClass would be caught at compile time anywhere someone created an instance
  • HasDefaultConstructor would again, be caught if it were used
  • Implements<IEntity> would also be caught anywhere you actually tried to use polymorphism.

IsSealed and IsNotDecorated will actually do something, I suppose, though I wonder how much I actually care about that something. It's not wrong to check, but in the absence of actual real unit tests, why do I care?

Because every class had a test like this, and because of the way the test framework worked, when they ran code coverage metrics, they got a 100% score. It wasn't testing any of the code, mind you, but hey, the tests touched all of it.


365 TomorrowsWaiting for the Scan

Author: Julian Miles, Staff Writer “Did you see that?” I look at Lopaka. “What?” He indicates with the muzzle of his laser. “Over there. To the left of the big blue rock that’s right of the black cube.” “Between the dark monolith and the blue boulder?” He gives me the side-eye. “That’s what I said, […]

The post Waiting for the Scan appeared first on 365tomorrows.

Planet DebianRuss Allbery: California general election

As usual with these every-two-year posts, probably of direct interest only to California residents. Maybe the more obscure things we're voting on will be a minor curiosity to people elsewhere. I'm a bit late this year, although not as late as last year, so a lot of people may have already voted, but I've been doing this for a while and wanted to keep it up.

This post will only be about the ballot propositions. I don't have anything useful to say about the candidates that isn't hyper-local. I doubt anyone who has read my posts will be surprised by which candidates I'm voting for.

As always with California ballot propositions, it's worth paying close attention to which propositions were put on the ballot by the legislature, usually because there's some state law requirement (often that I disagree with) that they be voted on by the public, and propositions that were put on the ballot by voter petition. The latter are often poorly written and have hidden problems. As a general rule of thumb, I tend to default to voting against propositions added by petition. This year, one can conveniently distinguish by number: the single-digit propositions were added by the legislature, and the two-digit ones were added by petition.

Proposition 2: YES. Issue $10 billion in bonds for public school infrastructure improvements. I generally vote in favor of spending measures like this unless they have some obvious problem. The opposition argument is a deranged rant against immigrants and government debt and fails to point out actual problems. The opposition argument also claims this will result in higher property taxes and, seriously, if only that were true. That would make me even more strongly in favor of it.

Proposition 3: YES. Enshrines the right to marriage without regard to sex or race into the California state constitution. This is already the law given US Supreme Court decisions, but fixing California state law is a long-overdue and obvious cleanup step. One of the quixotic things I would do if I were ever in government, which I will never be, would be to try to clean up the laws to make them match reality, repealing all of the dead clauses that were overturned by court decisions or are never enforced. I am in favor of all measures in this direction even when I don't agree with the direction of the change; here, as a bonus, I also strongly agree with the change.

Proposition 4: YES. Issue $10 billion in bonds for infrastructure improvements to mitigate climate risk. This is basically the same argument as Proposition 2. The one drawback of this measure is that it's kind of a mixed grab bag of stuff and probably some of it should be supported out of the general budget rather than bonds, but I consider this a minor problem. We definitely need to ramp up climate risk mitigation efforts.

Proposition 5: YES. Reduces the required super-majority to pass local bond measures for affordable housing from 67% to 55%. The fact that this requires a supermajority at all is absurd, California desperately needs to build more housing of any kind however we can, and publicly funded housing is an excellent idea.

Proposition 6: YES. Eliminates "involuntary servitude" (in other words, "temporary" slavery) as a legally permissible punishment for crimes in the state of California. I'm one of the people who think the 13th Amendment to the US Constitution shouldn't have an exception for punishment for crimes, so obviously I'm in favor of this. This is one very, very tiny step towards improving the absolutely atrocious prison conditions in the state.

Proposition 32: YES. Raises the minimum wage to $18 per hour from the current $16 per hour, over two years, and ties it to inflation. This is one of the rare petition-based propositions that I will vote in favor of because it's very straightforward, we clearly should be raising the minimum wage, and living in California is absurdly expensive because we refuse to build more housing (see Propositions 5 and 33). The opposition argument is the standard lie that a higher minimum wage will increase unemployment, which we know from numerous other natural experiments is simply not true.

Proposition 33: NO. Repeals Costa-Hawkins, which prohibits local municipalities from enacting rent control on properties built after 1995. This one is going to split the progressive vote rather badly, I suspect.

California has a housing crisis caused by not enough housing supply. It is not due to vacant housing, as much as some people would like you to believe that; the numbers just don't add up. There are way more people living here and wanting to live here than there is housing, so we need to build more housing.

Rent control serves a valuable social function of providing stability to people who already have housing, but it doesn't help, and can hurt, the project of meeting actual housing demand. Rent control alone creates a two-tier system where people who have housing are protected but people who don't have housing have an even harder time getting housing than they do today. It's therefore quite consistent with the general NIMBY playbook of trying to protect the people who already have housing by making life harder for the people who do not, while keeping the housing supply essentially static.

I am in favor of rent control in conjunction with real measures to increase the housing supply. I am therefore opposed to this proposition, which allows rent control without any effort to increase housing supply. I am quite certain that, if this passes, some municipalities will use it to make constructing new high-density housing incredibly difficult by requiring it all be rent-controlled low-income housing, thus cutting off the supply of multi-tenant market-rate housing entirely. This is already a common political goal in the part of California where I live. Local neighborhood groups advocate for exactly this routinely in local political fights.

Give me a mandate for new construction that breaks local zoning obstructionism, including new market-rate housing to maintain a healthy lifecycle of housing aging into affordable housing as wealthy people move into new market-rate housing, and I will gladly support rent control measures as part of that package. But rent control on its own just allocates winners and losers without addressing the underlying problem.

Proposition 34: NO. This is an excellent example of why I vote against petition propositions by default. This is a law designed to affect exactly one organization in the state of California: the AIDS Healthcare Foundation. The reason for this targeting is disputed; one side claims it's because of the AHF support for Proposition 33, and another side claims it's because AHF is a slumlord abusing California state funding. I have no idea which side of this is true. I also don't care, because I am fundamentally opposed to writing laws this way. Laws should establish general, fair principles that are broadly applicable, not be written with bizarrely specific conditions (health care providers that operate multifamily housing) that will only be met by a single organization. This kind of nonsense creates bad legal codes and the legal equivalent of technical debt. Just don't do this.

Proposition 35: YES. I am, reluctantly, voting in favor of this even though it is a petition proposition because it looks like a useful simplification and cleanup of state health care funding, makes an expiring tax permanent, and is supported by a very wide range of organizations that I generally trust to know what they're talking about. No opposition argument was filed, which I think is telling.

Proposition 36: NO. I am resigned to voting down attempts to start new "war on drugs" nonsense for the rest of my life because the people who believe in this crap will never, ever, ever stop. This one has bonus shoplifting fear-mongering attached, something that touches on nasty local politics that have included large retail chains manipulating crime report statistics to give the impression that shoplifting is up dramatically. It's yet another round of the truly horrific California "three strikes" criminal penalty obsession, which completely misunderstands both the causes of crime and the (almost nonexistent) effectiveness of harsh punishment as deterrence.


Planet Debian: Bits from Debian: Ada Lovelace Day 2024 - Interview with some Women in Debian

[Image: Ada Lovelace portrait]

Ada Lovelace Day was celebrated on October 8 in 2024, and on this occasion, to celebrate and raise awareness of the contributions of women to the STEM fields we interviewed some of the women in Debian.

Here we share their thoughts, comments, and concerns with the hope of inspiring more women to become part of the Sciences, and of course, to work inside of Debian.

This article was simulcasted to the debian-women mail list.

Beatrice Torracca

1. Who are you?

I am Beatrice, I am Italian. Internet technology and everything computer-related is just a hobby for me, not my line of work or the subject of my academic studies. I have too many interests and too little time. I would like to do lots of things and at the same time I am too Oblomovian to do any.

2. How did you get introduced to Debian?

As a user I started using newsgroups when I had my first dialup connection and there was always talk about this strange thing called Linux. Since moving from DR DOS to Windows was a shock for me, feeling like I lost the control of my machine, I tried Linux with Debian Potato and I never strayed away from Debian since then for my personal equipment.

3. How long have you been into Debian?

Define "into". As a user... since Potato, too many years to count. As a contributor, a similar amount of time, since early 2000 I think. My first archived email about contributing to the translation of the description of Debian packages dates from 2001.

4. Are you using Debian in your daily life? If yes, how?

Yes!! I use testing. I have it on my desktop PC at home and I have it on my laptop. The desktop is where I have a local IMAP server that fetches all the mails of my email accounts, and where I sync and back up all my data. On both I do day-to-day stuff (from email to online banking, from shopping to taxes), all forms of entertainment, a bit of work if I have to work from home (GNU R for statistics, LibreOffice... the usual suspects). At work I am required to have another OS, sadly, but I am working on setting up a Debian Live system to use there too. Plus if at work we start doing bioinformatics there might be a Linux machine in our future... I will of course suggest and hope for a Debian system.

5. Do you have any suggestions to improve women's participation in Debian?

This is a tough one. I am not sure. Maybe, more visibility for the women already in the Debian Project, and make the newcomers feel seen, valued and welcomed. A respectful and safe environment is key too, of course, but I think Debian made huge progress in that aspect with the Code of Conduct. I am a big fan of promoting diversity and inclusion; there is always room for improvement.

Ileana Dumitrescu (ildumi)

1. Who are you?

I am just a girl in the world who likes cats and packaging Free Software.

2. How did you get introduced to Debian?

I was tinkering with a computer running Debian a few years ago, and I decided to learn more about Free Software. After a search or two, I found Debian Women.

3. How long have you been into Debian?

I started looking into contributing to Debian in 2021. After contacting Debian Women, I received a lot of information and helpful advice on different ways I could contribute, and I decided package maintenance was the best fit for me. I eventually became a Debian Maintainer in 2023, and I continue to maintain a few packages in my spare time.

4. Are you using Debian in your daily life? If yes, how?

Yes, it is my favourite GNU/Linux operating system! I use it for email, chatting, browsing, packaging, etc.

5. Do you have any suggestions to improve women's participation in Debian?

The mailing list for Debian Women may attract more participation if it is utilized more. It is where I started, and I imagine participation would increase if it is more engaging.

Kathara Sasikumar (kathara)

1. Who are you?

I'm Kathara Sasikumar, 22 years old and a recent Debian user turned Maintainer from India. I try to become a creative person through sketching or playing guitar chords, but it doesn't work! xD

2. How did you get introduced to Debian?

When I first started college, I was that overly enthusiastic student who signed up for every club and volunteered for anything that crossed my path just like every other fresher.

But then, the pandemic hit, and like many, I hit a low point. COVID depression was real, and I was feeling pretty down. Around this time, the FOSS Club at my college suddenly became more active. My friends, knowing I had a love for free software, pushed me to join the club. They thought it might help me lift my spirits and get out of the slump I was in.

At first, I joined only out of peer pressure, but once I got involved, the club really took off. FOSS Club became more and more active during the pandemic, and I found myself spending more and more time with it.

A year later, we had the opportunity to host a MiniDebConf at our college, where I got to meet a lot of Debian developers and maintainers. Attending their talks and talking with them gave me a wider perspective on Debian, and I loved the Debian philosophy.

At that time, I had been distro hopping but never quite settled down. I occasionally used Debian but never stuck around. However, after the MiniDebConf, I found myself using Debian more consistently, and it truly connected with me. The community was incredibly warm and welcoming, which made all the difference.

3. How long have you been into Debian?

Now, I've been using Debian as my daily driver for about a year.

4. Are you using Debian in your daily life? If yes, how?

It has become my primary distro, and I use it every day for continuous learning and working on various software projects with free and open-source tools. Plus, I've recently become a Debian Maintainer (DM) and have taken on the responsibility of maintaining a few packages. I'm looking forward to contributing more to the Debian community 🙂

Rhonda D'Vine (rhonda)

1. Who are you?

My name is Rhonda, my pronouns are she/her, or per/pers. I'm 51 years old, working in IT.

2. How did you get introduced to Debian?

I was already looking into Linux because of university; first it was SuSE. And people played around with gtk. But when they packaged GNOME and it just didn't even install I looked for alternatives. A work colleague from back then gave me a CD of Debian. Though I couldn't install from it because Slink didn't recognize the PCMCIA drive. I had to install it via floppy disks, but apart from that it was quite well done. And the early GNOME was working, so I never looked back. 🙂

3. How long have you been into Debian?

Even before I was more involved, a colleague asked me whether I could help with translating the release documentation. That was my first contribution to Debian, for the slink release in early 1999. And I was using some other software before on my SuSE systems, and I wanted to continue to use them on Debian obviously. So that's how I got involved with packaging in Debian. But I continued to help with translation work, for a long period of time I was almost the only person active for the German part of the website.

4. Are you using Debian in your daily life? If yes, how?

Being involved with Debian has been a big part of the reason I got into my jobs for a long time now. I have always worked with maintaining Debian (or Ubuntu) systems. Privately I run Debian on my laptop, occasionally switching to Windows in dual boot when (rarely) needed.

5. Do you have any suggestions to improve women's participation in Debian?

There are factors that we can't influence, like that a lot of women are pushed into care work because patriarchal structures work that way, and don't have the time nor energy to invest a lot into other things. But we could learn to appreciate smaller contributions better, and not focus so much on the quantity of contributions. When we look at longer discussions on mailing lists, those that write more mails actually don't contribute more to the discussion, they often repeat themselves without adding more substance. Through working on our own discussion patterns this could create a more welcoming environment for a lot of people.

Sophie Brun (sophieb)

1. Who are you?

I'm a 44-year-old French woman. I'm married and I have 2 sons.

2. How did you get introduced to Debian?

In 2004 my boyfriend (now my husband) installed Debian on my personal computer to introduce me to Debian. I knew almost nothing about Open Source. During my engineering studies, a professor mentioned the existence of Linux, Red Hat in particular, but without giving any details.

I learnt Debian by using and reading (in advance) The Debian Administrator's Handbook.

3. How long have you been into Debian?

I've been a user since 2004. But I only started contributing to Debian in 2015: I had quit my job and I wanted to work on something more meaningful. That's why I joined my husband in Freexian, his company. Unlike most people I think, I started contributing to Debian for my work. I only became a DD in 2021 under gentle social pressure and when I felt confident enough.

4. Are you using Debian in your daily life? If yes, how?

Of course I use Debian in my professional life for almost all the tasks: from administrative tasks to Debian packaging.

I also use Debian in my personal life. I have very basic needs: Firefox, LibreOffice, GnuCash and Rhythmbox are the main applications I need.

Sruthi Chandran (srud)

1. Who are you?

A feminist, a librarian turned Free Software advocate and a Debian Developer. Part of Debian Outreach team and DebConf Committee.

2. How did you get introduced to Debian?

I got introduced to the free software world and Debian through my husband. I attended many Debian events with him. During one such event, out of curiosity, I participated in a Debian packaging workshop. Just after that I visited a Tibetan community in India and they mentioned that there was no proper Tibetan font in GNU/Linux. Tibetan font was my first package in Debian.

3. How long have you been into Debian?

I have been contributing to Debian since 2016 and Debian Developer since 2019.

4. Are you using Debian in your daily life? If yes, how?

I haven't used any other distro on my laptop since I got introduced to Debian.

5. Do you have any suggestions to improve women's participation in Debian?

I have been involved in actively mentoring newcomers to Debian since I started contributing myself. I especially work towards reducing the gender gap inside Debian and the Free Software community in general. In my experience, I believe that visibility of already existing women in the community will encourage more women to participate. Also I think we should reintroduce mentoring through debian-women.

Tássia Camões Araújo (tassia)

1. Who are you?

Tássia Camões Araújo, a Brazilian living in Canada. I'm a passionate learner who tries to push myself out of my comfort zone and always find something new to learn. I also love to mentor people on their learning journey. But I don't consider myself a typical geek. My challenge has always been to not get distracted by the next project before I finish the one I have in my hands. That said, I love being part of a community of geeks and feel empowered by it. I love Debian for its technical excellence, and it's always reassuring to know that someone is taking care of the things I don't like or can't do. When I'm not around computers, one of my favorite things is to feel the wind on my cheeks, usually while skating or riding a bike; I also love music, and I'm always singing a melody in my head.

2. How did you get introduced to Debian?

As a student, I was privileged to be introduced to FLOSS at the same time I was introduced to computer programming. My university could not afford to have labs in the usual proprietary software model, and what seemed like a limitation at the time turned out to be a great learning opportunity for me and my colleagues. I joined this student-led initiative to "liberate" our servers and build LTSP-based labs - where a single powerful computer could power a few dozen diskless thin clients. How revolutionary it was at the time! And what an achievement! From students to students, all using Debian. Most of that group became close friends; I've married one of them, and a few of them also found their way to Debian.

3. How long have you been into Debian?

I first used Debian in 2001, but my first real connection with the community was attending DebConf 2004. Since then, going to DebConfs has become a habit. It is that moment in the year when I reconnect with the global community and my motivation to contribute is boosted. And you know, in 20 years I've seen people become parents, grandparents, children grow up; we've had our own child and had the pleasure of introducing him to the community; we've mourned the loss of friends and healed together. I'd say Debian is like family, but not the kind you get at random once you're born, Debian is my family by choice.

4. Are you using Debian in your daily life? If yes, how?

These days I teach at Vanier College in Montréal. My favorite course to teach is UNIX, which I have the pleasure of teaching mostly using Debian. I try to inspire my students to discover Debian and other FLOSS projects, and we are happy to run a FLOSS club with participation from students, staff and alumni. I love to see these curious young minds put to the service of FLOSS. It is like recruiting soldiers for a good battle, and one that can change their lives, as it certainly did mine.

5. Do you have any suggestions to improve women's participation in Debian?

I think the most effective way to inspire other women is to give visibility to active women in our community. Speaking at conferences, publishing content, being vocal about what we do so that other women can see us and see themselves in those positions in the future. It's not easy, and I don't like being in the spotlight. It took me a long time to get comfortable with public speaking, so I can understand the struggle of those who don't want to expose themselves. But I believe that this space of vulnerability can open the way to new connections. It can inspire trust and ultimately motivate our next generation. It's with this in mind that I publish these lines.

Another point we can't neglect is that in Debian we work on a volunteer basis, and this in itself puts us at a great disadvantage. In our societies, women usually take a heavier load than their partners in terms of caretaking and other invisible tasks, so it is hard to afford the free time needed to volunteer. This is one of the reasons why I bring my son to the conferences I attend, and so far I have received all the support I need to attend DebConfs with him. It is a way to share the caregiving burden with our community - it takes a village to raise a child. Besides allowing us to participate, it also serves to show other women (and men) that you can have a family life and still contribute to Debian.

My feeling is that we are not doing super well in terms of diversity in Debian at the moment, but that should not discourage us at all. That's the way it is now, but that doesn't mean it will always be that way. I feel like we go through cycles. I remember times when we had many more active female contributors, and I'm confident that we can improve our ratio again in the future. In the meantime, I just try to keep going, do my part, attract those I can, reassure those who are too scared to come closer. Debian is a wonderful community, it is a family, and of course a family cannot do without us, the women.

These interviews were conducted via email exchanges in October, 2024. Thanks to all the wonderful women who participated in this interview. We really appreciate your contributions in Debian and to Free/Libre software.

ME: MG4 Review

In the past I haven’t had a high opinion of MG cars, decades ago they were small and expensive and didn’t seem to offer anything I wanted. As there’s a conveniently located MG dealer I decided to try out an MG electric car and see if they are any good. I brought two friends along who are also interested in new technology.

I went to the MG dealer without any preconceptions or much prior knowledge of the MG electric cars apart from having vaguely noticed that they were significantly cheaper than Teslas. I told the salesperson that I didn’t have a model in mind and I just wanted to see what MG offers, so they offered me a test drive of an “MG4 64 EXCITE”. The MG web site isn’t very good and doesn’t give an indication of what this model costs; my recollection is that it’s something like $40,000, while the base model is advertised at $30,990. I’m not particularly interested in paying for extras above the base model, and the only really desirable feature that the “Excite 64” offers over the “Excite 51” is the extra range (the numbers 51 and 64 represent the battery capacity in kWh). The base model has a claimed range of 350 km, which is more than I drive in a typical week; generally there are only about 4 days a year when I need to drive more than 300 km in a day, and on those rare days I can spend a bit of time at a charging station without much inconvenience.

The experience of driving an MG4 is not much different from other EVs I’ve driven, the difference between that and the Genesis GV60 (which was advertised at $117,000) [1] isn’t significant. The Genesis has some nice camera features giving views from all directions and showing a view of the side on the dash when you put your turn indicator on. Also some models of Genesis (not the one I test drove) have cameras instead of side mirrors. The MG4 lacks most of those cameras but has a very effective reversing camera which estimates the distance to an “obstacle” behind you in cm. Some of the MG electric cars have a sunroof or moonroof (sunroof that just opens to transparent glass not open to the air), the one I tested didn’t have them and I didn’t feel I was missing much. While a moonroof is a nice feature I probably won’t want to pay as much extra as they will demand for it.

The dash of the MG4 doesn’t have any simulation of the old fashioned dash unlike the Genesis GV60 which had a display in the same location as is traditionally used which displays analogue instruments (except when the turn indicators are on). The MG4 has two tablets, a big one in the middle of the front for controlling heating/cooling and probably other things like the radio and a small one visible through the steering wheel which has the instruments. I didn’t have to think about the instruments, they just did the job which is great.

For second hand cars I looked at AutoTrader, which seems to be the only Australian site for second hand cars that allows specifying electric as a search criterion [2]. For the EVs advertised on that site the cheapest are around $13,000 for cars about 10 years old and $21,000 for a 5yo LEAF. If you could only afford to spend $21,000 on a car then a 5yo LEAF would definitely be better than nothing, but when comparing a 5yo car for $21,000 and a new car for $31,000 the new car is the obvious choice if you can afford it. There was an Australian company importing used LEAFs and other EVs and selling them over the web for low prices; if they were still around and still selling LEAFs for $15,000 then that would make LEAF vs MG3 a difficult decision for me. But with the current prices for second hand LEAFs the decision is easy.

When I enrolled for the test drive the dealer took my email address and sent me an automated message with details about the test drive and an email address to ask for more information. The email address they used bounced all mail, even from my gmail account. They had a contact form on their web site but that also doesn’t get a response. MG really should periodically test their dealer’s email addresses, they are probably losing sales because of this.

On the same day I visited a Hyundai dealer to see what they had to offer. A salesman there said that the cheapest Hyundai was $60,000 and suggested that I go elsewhere if I am prepared to buy a lesser car to save money. I don’t need to get negged by a car dealer and I really don’t think there’s much scope for a car to be significantly better than the MG3 while also not competing with the Genesis cars. Genesis is a Hyundai brand and their cars are very nice, but the prices are well outside the range I’m prepared to pay.

Next I have to try the BYD. From what I’ve heard they are mostly selling somewhat expensive cars in Australia (a colleague recently got one which was about $60,000 which he is extremely happy with) but hopefully they have some of the cheaper ones available too. I don’t want to flex on my neighbors, I just want a reliable and moderately comfortable car that doesn’t cost too much.

365 Tomorrows: The Arecibo Voyager

Author: Jade T. Woodridge Cogito ergo sum… The crater Hathor is 107.5 miles in diameter. I stand in its center and am lost to the constant firings of my mental cortex. Flashes of pictures, texts, and movies blur my vision. I am blinded and deafened by recordings of mankind and, somewhere beneath the surface, auditory […]

The post The Arecibo Voyager appeared first on 365tomorrows.


Cryptogram: AI and the SEC Whistleblower Program

Tax farming is the practice of licensing tax collection to private contractors. Used heavily in ancient Rome, it’s largely fallen out of practice because of the obvious conflict of interest between the state and the contractor. Because tax farmers are primarily interested in short-term revenue, they have no problem abusing taxpayers and making things worse for them in the long term. Today, the U.S. Securities and Exchange Commission (SEC) is engaged in a modern-day version of tax farming. And the potential for abuse will grow when the farmers start using artificial intelligence.

In 2009, after Bernie Madoff’s $65 billion Ponzi scheme was exposed, Congress authorized the SEC to award bounties from civil penalties recovered from securities law violators. It worked in a big way. In 2012, when the program started, the agency received more than 3,000 tips. By 2020, it had more than doubled, and it more than doubled again by 2023. The SEC now receives more than 50 tips per day, and the program has paid out a staggering $2 billion in bounty awards. According to the agency’s 2023 financial report, the SEC paid out nearly $600 million to whistleblowers last year.

The appeal of the whistleblower program is that it alerts the SEC to violations it may not otherwise uncover, without any additional staff. And since payouts are a percentage of fines collected, it costs the government little to implement.

Unfortunately, the program has resulted in a new industry of private de facto regulatory enforcers. Legal scholar Alexander Platt has shown how the SEC’s whistleblower program has effectively privatized a huge portion of financial regulatory enforcement. There is a role for publicly sourced information in securities regulatory enforcement, just as there has been in litigation for antitrust and other areas of the law. But the SEC program, and a similar one at the U.S. Commodity Futures Trading Commission, has created a market distortion replete with perverse incentives. Like the tax farmers of history, the interests of the whistleblowers don’t match those of the government.

First, while the blockbuster awards paid out to whistleblowers draw attention to the SEC’s successes, they obscure the fact that its staffing level has slightly declined during a period of tremendous market growth. In one case, the SEC’s largest ever, it paid $279 million to an individual whistleblower. That single award was nearly one-third of the funding of the SEC’s entire enforcement division last year. Congress gets to pat itself on the back for spinning up a program that pays for itself (by law, the SEC awards 10 to 30 percent of their penalty collections over $1 million to qualifying whistleblowers), when it should be talking about whether or not it’s given the agency enough resources to fulfill its mission to “maintain fair, orderly, and efficient markets.”

Second, while the stated purpose of the whistleblower program is to incentivize individuals to come forward with information about potential violations of securities law, this hasn’t actually led to increases in enforcement actions. Instead of legitimate whistleblowers bringing the most credible information to the SEC, the agency now seems to be deluged by tips that are not highly actionable.

But the biggest problem is that uncovering corporate malfeasance is now a legitimate business model, resulting in powerful firms and misaligned incentives. A single law practice led by former SEC assistant director Jordan Thomas captured about 20 percent of all the SEC’s whistleblower awards through 2022, at which point Thomas left to open up a new firm focused exclusively on whistleblowers. We can admire Thomas and his team’s impact on making those guilty of white-collar crimes pay, and also question whether hundreds of millions of dollars of penalties should be funneled through the hands of an SEC insider turned for-profit business mogul.

Whistleblower tips can be used as weapons of corporate warfare. SEC whistleblower complaints are not required to come from inside a company, or even to rely on insider information. They can be filed on the basis of public data, as long as the whistleblower brings original analysis. Companies might dig up dirt on their competitors and submit tips to the SEC. Ransomware groups have used the threat of SEC whistleblower tips as a tactic to pressure the companies they’ve infiltrated into paying ransoms.

The rise of whistleblower firms could lead to them taking particular “assignments” for a fee. Can a company hire one of these firms to investigate its competitors? Can an industry lobbying group under scrutiny (perhaps in cryptocurrencies) pay firms to look at other industries instead and tie up SEC resources? When a firm finds a potential regulatory violation, do they approach the company at fault and offer to cease their research for a “kill fee”? The lack of transparency and accountability of the program means that the whistleblowing firms can get away with practices like these, which would be wholly unacceptable if perpetrated by the SEC itself.

Whistleblowing firms can also use the information they uncover to guide market investments by activist short sellers. Since 2006, the investigative reporting site Sharesleuth claims to have tanked dozens of stocks and instigated at least eight SEC cases against companies in pharma, energy, logistics, and other industries, all after its investors shorted the stocks in question. More recently, a new investigative reporting site called Hunterbrook Media and its partner hedge fund Hunterbrook Capital have churned out 18 investigative reports in their first five months of operation and disclosed short sales and other actions alongside each. In at least one report, Hunterbrook says it filed an SEC whistleblower tip.

Short sellers carry an important disciplining function in markets. But combined with whistleblower awards, the same profit-hungry incentives can emerge. Properly staffed regulatory agencies don’t have the same potential pitfalls.

AI will affect every aspect of this dynamic. AI’s ability to extract information from large document troves will help whistleblowers provide more information to the SEC faster, lowering the bar for reporting potential violations and opening a floodgate of new tips. Right now, there is no cost to the whistleblower to report minor or frivolous claims; there is only cost to the SEC. While AI automation will also help SEC staff process tips more efficiently, it could exponentially increase the number of tips the agency has to deal with, further decreasing the efficiency of the program.

AI could be a triple windfall for those law firms engaged in this business: lowering their costs, increasing their scale, and increasing the SEC’s reliance on a few seasoned, trusted firms. The SEC already, as Platt documented, relies on a few firms to prioritize their investigative agenda. Experienced firms like Thomas’s might wield AI automation to the greatest advantage. SEC staff struggling to keep pace with tips might have less capacity to look beyond the ones seemingly pre-vetted by familiar sources.

But the real effects will be on the conflicts of interest between whistleblowing firms and the SEC. The ability to automate whistleblower reporting will open new competitive strategies that could disrupt business practices and market dynamics.

An AI-assisted data analyst could dig up potential violations faster, for a greater scale of competitor firms, and consider a greater scope of potential violations than any unassisted human could. The AI doesn’t have to be that smart to be effective here. Complaints are not required to be accurate; claims based on insufficient evidence could be filed against competitors, at scale.

Even more cynically, firms might use AI to help cover up their own violations. If a company can deluge the SEC with legitimate, if minor, tips about potential wrongdoing throughout the industry, it might lower the chances that the agency will get around to investigating the company’s own liabilities. Some companies might even use the strategy of submitting minor claims about their own conduct to obscure more significant claims the SEC might otherwise focus on.

Many of these ideas are not so new. There are decades of precedent for using algorithms to detect fraudulent financial activity, with lots of current-day application of the latest large language models and other AI tools. In 2019, legal scholar Dimitrios Kafteranis, research coordinator for the European Whistleblowing Institute, proposed using AI to automate corporate whistleblowing.

And not all the impacts specific to AI are bad. The most optimistic possible outcome is that AI will allow a broader base of potential tipsters to file, providing assistive support that levels the playing field for the little guy.

But more realistically, AI will supercharge the for-profit whistleblowing industry. The risks remain as long as submitting whistleblower complaints to the SEC is a viable business model. Like tax farming, the interests of the institutional whistleblower diverge from the interests of the state, and no amount of tweaking around the edges will make it otherwise.

Ultimately, AI is not the cause of or solution to the problems created by the runaway growth of the SEC whistleblower program. But it should give policymakers pause to consider the incentive structure that such programs create, and to reconsider the balance of public and private ownership of regulatory enforcement.

This essay was written with Nathan Sanders, and originally appeared in The American Prospect.

365 Tomorrows: A Minor Negotiation

Author: Rick Tobin Boswan Raz screamed with limited breath as he raced into the Earth Alliance council chambers. “They are here, Eric!” He paused, stopping finally, panting in excitement. “All of them. They’re landing their ships around the capital.” Eric Hamilton tried to rise from his rotating chair–gaunt, weary, and worn. Months of intense confrontations […]

The post A Minor Negotiation appeared first on 365tomorrows.


Cryptogram Justice Department Indicts Tech CEO for Falsifying Security Certifications

The Wall Street Journal is reporting that the CEO of a still unnamed company has been indicted for creating a fake auditing company to falsify security certifications in order to win government business.

Krebs on SecurityBrazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

USDoD’s InfraGard sales thread on Breached.

The Brazilian news outlet TV Globo first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.

USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” and according to the cyber intelligence platform Intel 471 NetSec posted a thread on the now-defunct cybercrime community RaidForums on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Tecmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike.

CrowdStrike did not respond to a request for comment. But a week after Tecmundo’s piece, the tech news publication hackread.com published a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com.

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.

Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.

“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.

Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.

Worse Than FailureError'd: Friday On My Mind

The most common type of submission Error'd receives is simple, stupid data problems on Amazon. The text doesn't match the image, the pricing is goofy, or some other mixup that is just bound to happen with a database of zillions of products uploaded by a plethora of barely-literate mountain village drop-shippers.

So I don't usually feature them, preferring to find something with at least a chance of being a creative new bug.

But I uncovered a story by Mark Johansen about his favorite author, and decided that since so many of you obviously DO think online retail flubs are noteworthy, what the heck. Here is Mark's plain-text story, and a handful of bungled products. They're not exactly bugs, but at least some of them are about bugs.

"I guess I missed your item about failings of AI, but here's one of my favorites: Amazon regularly sends me emails of books that their AI thinks I might want to read, presumably based on books that I've bought from them in the past. So recently I got an email saying, "The newest book by an author you've read before!" And this new book was by ... Ernest Hemingway. Considering that he died almost 60 years ago, it seemed unlikely that he was still writing. Or where he was sending manuscripts from. Lest you wonder, it turned out it was a collection of letters he wrote when he was, like, actually alive. The book was listed as authored by Ernest Hemingway rather than under the name of whomever compiled the letters."

What do we all think? Truly an Error'd, or just some publisher taking marketing advice from real estate agents? Let me know.

A while back, Christian E. "Wanted to order some groceries from nemlig.com. So I saw the free (labelled GRATIS) product and pressed the info button and this popped up. Says that I can get the product delivered from the 1st of January (today is the 2nd of march). Have to wait for a while then..." Not too much longer, Christian.

Reliable Michael R. muttered "msofas either have their special math where 5% always is GBP10 or they know already what I want to buy."

"Do not feed to vegetarians." warns Jeffrey B.

"Not sure how this blue liquid works for others, but there has been no sucking here yet," reports Matthias.

"Nice feature but I am not sure if it can fit in my notebook," writes Tiger Fok.

Lady-killer Bart-Jan is preparing for Friday night on the town, apparently. Knock 'em dead, Bart! "It says 'Fragrance for Men'. Which is fine, as long as it also does a good job deterring the female mosquitoes."


365 TomorrowsReincarnation

Author: Haley DiRenzo The seven bodies that you could come back as stare back at you after your death. Four men and three woman whose vessels are still capable of withstanding the Earth’s elements. You’ve been selected to inhabit one of them, not knowing how your soul and their skin will merge. You only have […]

The post Reincarnation appeared first on 365tomorrows.

Planet DebianReproducible Builds (diffoscope): diffoscope 281 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 281. This version includes the following changes:

[ Chris Lamb ]
* Don't try and test with systemd-ukify within Debian stable.

[ Jelle van der Waa ]
* Add support for UKI files.

You find out more by visiting the project homepage.


Krebs on SecuritySudanese Brothers Arrested in ‘AnonSudan’ Takedown

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit PayPal the following month, followed by Twitter/X (Aug. 2023), and OpenAI (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the FBI and the Department of State.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the U.S. Department of Justice says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service Telegram, and marketed its DDoS service by several names, including “Skynet,” “InfraShutdown,” and the “Godzilla botnet.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forward C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

Amazon was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm CrowdStrike said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the Cedars-Sinai Hospital in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

Worse Than FailureCodeSOD: Ancestry Dot Dumb

Damiano's company had more work than staff, and opted to hire a subcontractor. When hiring on a subcontractor, you could look for all sorts of things. Does their portfolio contain work similar to what you're asking them to do? What's the average experience of their team? What are the agreed upon code quality standards for the contract?

You could do that, or you could hire the cheapest company.

Guess which one Damiano's company did? If you're not sure, look at this code:

if(jQuery('table').hasClass('views-view-grid')){
  var EPid= ".views-view-grid";
  jQuery(EPid +' td').each(function(){

   if(!jQuery(this).parent().parent().parent().parent().parent().hasClass('view-article-in-right-sidebar') && !jQuery(this).parent().parent().parent().parent().parent().hasClass('view-offers-in-right-sidebar')){
    var title = jQuery(this).find("h2 a").html();

    var body = jQuery(this).find(".field-name-body").html();
    var datetime = jQuery(this).find(".field-name-field-event-date-time").html();
    var flyer = jQuery(this).find(".field-name-field-flyer a").attr("href");
    var imageThumb = jQuery(this).find(".field-name-field-image-thumb").html();
    var readMore = '<a href="'+jQuery(this).find("h2 a").attr("href")+'" class="read-more">READ MORE</a>';

    var str = '<div class="thumb-listing listpage">';

    if(title != null && title != ""){
      if(imageThumb && imageThumb != "" && imageThumb != null)
        str = str + imageThumb;
      if(datetime && datetime != "" && datetime != null)
        str = str + '<div class="lp-date ">'+datetime+'</div>';
      str = str + '<div class="lp-inner clear"><div class="lp-title">'+title+'</div>';
      str = str + body + '</div><div class="sep2"></div>';
      str = str + readMore;
    }
    if(flyer)
      str = str + '<a class="download-flyer" href="'+flyer+'"><?php if(isset($node) && $node->type == "events"){ echo 'download the flyer'; }else {echo 'download the article';} ?></a>';

    str = str + '</div>';
    jQuery(this).children('.node').remove();

    jQuery(this).append(str);
  }
});
}

This was in a Drupal project. The developer appointed by the contractor didn't know Drupal at all, and opted to build all the new functionality by dropping big blobs of JavaScript code on top of it.

There's so much to hate about this. We can start with the parent().parent() chains. Who doesn't love to make sure that your JavaScript code is extremely fragile against changes in the DOM, while at the same time making it hard to read or understand?

I like that we create the EPid variable to avoid having a magic string inside our DOM query, only to still need to append a magic string to it. It hints at some programming by copy/paste.

Then there's the pile of HTML-by-string-concatenation, which is always fun.

But this couldn't be complete without this moment: <?php if(isset($node) && $node->type == "events"){ echo 'download the flyer'; }else {echo 'download the article';} ?>

Oh yeah, buried in this unreadable blob of JavaScript there's a little bonus PHP, just to make it a little spicier.

The entire project came back from the contractor in an unusable state. The amount of re-work just to get it vaguely functional quickly outweighed any potential cost savings. And even after that work went in, it remained a buggy, unmaintainable mess.

Did management learn their lesson? Absolutely not- they bragged about how cheaply they got the work done at every opportunity, and entered into a partnership agreement with the subcontractor.


365 TomorrowsThe Raconteur from County Galway

Author: John Szamosi It was the old Irishman’s stories that would bring scores of people to his table every time he sat down for lunch. Sometimes humorous, sometimes sad, sometimes scary, other times just plain provocative, they had one thing in common: they were all made up. In other words, they were yarns, pure fabrications, […]

The post The Raconteur from County Galway appeared first on 365tomorrows.


Rondam RamblingsHave Republicans Ever Actually Listened to the Lyrics of YMCA?

Yesterday we were treated to the sight of a major party nominee at what was supposed to be a town hall meeting suddenly stop taking questions and just dancing (badly) for the better part of an hour. A mere 20 years ago, well within living memory, less than five seconds of screaming were enough to end Howard Dean's political career. My, how times change. But the truly astonishing thing

Worse Than FailureCodeSOD: Time to Change

Dennis found this little nugget in an application he inherited.

function myTime(){
    $utc_str = gmdate("M d Y H:i:s", time());
    $utc = strtotime($utc_str);
    return $utc;
}

time() returns the current time as a Unix timestamp. gmdate then formats that, with the assumption that the time is in GMT. strtotime then parses that string back into a timestamp, and returns that timestamp.

Notably, PHP pins the Unix timestamp to UTC+00:00, aka GMT. So this function takes a time, formats it, parses the format to get what should be the same time back.

And we call the function myTime because of course we do. When reinventing a wheel, but square, please do let everyone know that it's yours.


365 TomorrowsOnly the Lonely

Author: Alastair Millar The Company had refused Karl’s request to have his wife join him on Mars again, he explained; this time because “the dependents’ travel budget was cut, and it’s run out for this budget cycle.” As usual, Accounts had the final say, and being just a manager, even one with the right to […]

The post Only the Lonely appeared first on 365tomorrows.

Cryptogram Cheating at Conkers

The men’s world conkers champion is accused of cheating with a steel chestnut.

Planet DebianSahil Dhiman: 25, A Quarter of a Century Later

25, the number, says well into adulthood. Aviral pointed out that I have already passed the 33% mark in my life, which does hit different.

I had to keep reminding myself about my upcoming birthday. It didn’t feel like birthday month, week or the day itself.

My writings took a long hiatus starting this past year. The first post came out in May and quite a few people asked about the break. The hiatus had its own reasons, but restarting became harder with each passing day afterward. Preparations for DebConf24 helped push DebConf23 (the first post this year) out of the door, after which things were more or less back on track on the writing front.

Recently, I have picked up the habit of reading monthly magazines. When I was a child, I used to fancy seeing all the magazines at stationery and book shops and thought of getting many when I was older. Seems like that was the connection, and now I’m heavily into monthly magazines and order many each month (including Hindi ones). They’re fun short reads and cover a wide spectrum of topics.

Travelling has become the new-found love. I got the opportunity to visit a few new cities like Jaipur, Meerut, Seoul and Busan. My first international travel showed me how a society which cares about people’s overall wellbeing turns out to be. Going to a foreign land expanded the concept of everything for me. It showed the beauty of silence in public places. Also, I re-visited Bengaluru, which felt good with its good weather and food.

It has almost become a tradition to attend a few events: Jashn-e-Rekhta, DebConf, New Delhi World Book Fair, IndiaFOSS and FoECon. It’s always great talking to new and old folks, sharing and learning about ideas. It’s hard for an individual to learn, grow and understand the world in a silo. Like I keep on saying about Free Software projects, it’s all about the people, it’s always about the people. Good and interesting people keep the project going and growing. (Side note: it’s fine if a project goes. Things are not meant to last in perpetuity. Closing and moving on is fine.) Similarly, I have been trying to attend the Jaipur Literature Festival for a while but failing. Hopefully, I will this time around.

Expanding my Free Software Mirror to India was a big highlight this year. The mirror project now has 3 nodes in India and 1 in Germany, serving almost 3-4 TB of mirror traffic daily. Increasing the number of software mirrors in India was and still is one of my goals. Hit me up if you want to help or set up one yourself. It’s not that hard now actually; the projects that require more mirrors and the hosting setup have already been figured out.

One realization I would like to mention was to amplify/support people who are already doing it (and doing a better job at it), rather than reinventing the wheel. A single person might not be able to change the world, but a bunch of people experimenting and trying to make a difference certainly would.

Writing 25 felt harder than all previous years. It was a traditional year with much internal growth due to experiencing different perspectives and travelling.

To infinity and beyond!


Planet DebianAndrew Cater: Mini-DebConf Cambridge 20241013 1300

LATE NEWS

I haven't blogged until now: I should have done from Thursday onwards.

It's a joy to be here in Cambridge at ARM HQ. Lots of people I recognise from last year are here; lots *not* here because this mini-conference is a month before the next one in Toulouse and many people can't attend both.

Two days worth of chatting, working on bits and pieces, chatting and informal meetings was a very good and useful way to build relationships and let teams find some space for themselves.

Lots of quiet hacking going on - a few loud conversations. A new ARM machine in mini-ITX format - see Steve McIntyre's blog on planet.debian.org about Rock 5 ITX.

Two days worth of talks for Saturday and Sunday. For some people, this is a first time. Lightning talks are particularly good to break down barriers - three slides and five minutes (and the chance for a bit of gamesmanship to break the rules creatively).

Longer talks: a couple from Steve Capper of ARM were particularly helpful to those interested in upcoming development. A couple of the talks in the schedule are traditional: if the release team are here, they tell us what they are doing, for example.

ARM are main sponsors and have been very generous in giving us conference and facilities space. Fast network, coffee and interested people - what's not to like :)

[EDIT/UPDATE - And my talk is finished and went fairly well: slides have now been uploaded and the talk is linked from the Mini-DebConf pages]

Planet DebianDirk Eddelbuettel: qlcal 0.0.13 on CRAN: Small Calendar Update

The thirteenth release of the qlcal package arrived at CRAN today.

qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over sixty country / market calendars and can compute holiday lists, their complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and of course at the CRAN package page.

This release synchronizes qlcal with the QuantLib release 1.36 (made this week) and contains some minor updates to two calendars.

Changes in version 0.0.13 (2024-10-15)

  • Synchronized with QuantLib 1.36 released yesterday

  • Calendar updates for South Korea and Poland

Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples. If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianJonathan Dowland: Whisper (pipewire tool)

It's time to mint a new blog tag…

I want to write to pour praise on some software I recently discovered.

I'm not up to speed on Pipewire—the latest piece of Linux plumbing related to audio—nor how it relates to the other bits (Pulseaudio, ALSA, JACK, what else?). I recently tried to plug something into the line-in port on my external audio interface, and wished to hear it on the machine. A simple task, you'd think.

I'll refrain from writing about the stuff that didn't work well and focus on the thing that did: A little tool called Whisper, which is designed to let you listen to a microphone through your speakers.

Whisper's UI. Screenshot from upstream.

Whisper does a great job of hiding the complexity of what lies beneath and asking two questions: which microphone, and which speakers? In my case this alone was not quite enough, as I was presented with two identically-named "SB Live Extigy" "microphone" devices, but that's easily resolved with trial and error.

More stuff like this please!

Planet DebianLukas Märdian: Waiting for a Linux system to be online

What is an “online” system?

Networking is a complex topic, and there is lots of confusion around the definition of an “online” system. Sometimes the boot process gets delayed up to two minutes, because the system still waits for one or more network interfaces to be ready. Systemd provides the network-online.target that other service units can rely on, if they are deemed to require network connectivity. But what does “online” actually mean in this context, is a link-local IP address enough, do we need a routable gateway and how about DNS name resolution?

The requirements for an “online” network interface depend very much on the services using an interface. For some services it might be good enough to reach their local network segment (e.g. to announce Zeroconf services), while others need to reach domain names (e.g. to mount an NFS share) or reach the global internet to run a web server. On the other hand, the implementation of network-online.target varies, depending on which networking daemon is in use, e.g. systemd-networkd-wait-online.service or NetworkManager-wait-online.service. For Ubuntu, we created a specification that describes what we as a distro expect an “online” system to be. Having a definition in place, we are able to tackle the network-online ordering issues that got reported over the years and can work out solutions to avoid delayed boot times on Ubuntu systems.

In essence, we want systems to reach the following networking state to be considered online:

  1. Do not wait for “optional” interfaces to receive network configuration
  2. Have IPv6 and/or IPv4 “link-local” addresses on every network interface
  3. Have at least one interface with a globally routable connection
  4. Have functional domain name resolution on any routable interface

A common implementation

NetworkManager and systemd-networkd are two very common networking daemons used on modern Linux systems. But they originate from different contexts and therefore show different behaviours in certain scenarios, such as wait-online. Luckily, on Ubuntu we already have Netplan as a unification layer on top of those networking daemons, that allows for common network configuration, and can also be used to tweak the wait-online logic.

With the recent release of Netplan v1.1 we introduced initial functionality to tweak the behaviour of the systemd-networkd-wait-online.service, as used on Ubuntu Server systems. When Netplan is used to drive the systemd-networkd backend, it will emit an override configuration file in /run/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf, listing the specific non-optional interfaces that should receive link-local IP configuration. In parallel to that, it defines a list of network interfaces that Netplan detected to be potential global connections, and waits for any of those interfaces to reach a globally routable state.

Such an override config file might look like this:

[Unit]
ConditionPathIsSymbolicLink=/run/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service

[Service]
ExecStart=
ExecStart=/lib/systemd/systemd-networkd-wait-online -i eth99.43:carrier -i lo:carrier -i eth99.42:carrier -i eth99.44:degraded -i bond0:degraded
ExecStart=/lib/systemd/systemd-networkd-wait-online --any -o routable -i eth99.43 -i eth99.45 -i bond0

In addition to the new features implemented in Netplan, we reached out to upstream systemd, proposing an enhancement to the systemd-networkd-wait-online service, integrating it with systemd-resolved to check for the availability of DNS name resolution. Once this is implemented upstream, we’re able to fully control the systemd-networkd backend on Ubuntu Server systems, to behave consistently and according to the definition of an “online” system that was outlined above.

Future work

The story doesn’t end there, because Ubuntu Desktop systems are using NetworkManager as their networking backend. This daemon provides its very own nm-online utility, utilized by the NetworkManager-wait-online systemd service. It implements a much higher-level approach, looking at the networking daemon in general instead of the individual network interfaces. By default, it considers a system to be online once every “autoconnect” profile got activated (or failed to activate), meaning that either an IPv4 or an IPv6 address got assigned.

There are considerable enhancements to be implemented in this tool for it to be controllable in a fine-grained way similar to systemd-networkd-wait-online, so that it can be instructed to wait for specific networking states on selected interfaces.

A note of caution

Making a service depend on network-online.target is considered an antipattern in most cases. This is because networking on Linux systems is very dynamic and the systemd target can only ever reflect the networking state at a single point in time. It cannot guarantee that this state remains for the uptime of your system, and it has the potential to delay the boot process considerably. Cables can be unplugged, wireless connectivity can drop, or remote routers can go down at any time, affecting the connectivity state of your local system. Therefore, “instead of wondering what to do about network.target, please just fix your program to be friendly to dynamically changing network configuration.” [source].

Worse Than FailureCodeSOD: An Overloaded Developer

"Oh, I see what you mean, I'll just write an overloaded function which takes the different set of parameters," said the senior dev.

That got SB's attention. You see, they were writing JavaScript, which doesn't have function overloading. "Um," SB said, "you're going to do what?"

"Function overloading," the senior dev said. "It's when you write multiple versions of the same method with different signatures-"

"I know what it is," SB said. "I'm just wondering how you're going to do that in JavaScript."

"Ah," the senior dev said with all the senior dev wisdom in the world. "It's a popular misconception that function overloading isn't allowed in JavaScript. See this?"

function addMarker(lat,lng,title,desc,pic,link,linktext,cat,icontype) {
    addMarker(lat,lng,title,desc,pic,link,linktext,cat,icontype,false);
}

function addMarker(lat,lng,title,desc,pic,link,linktext,cat,icontype,external) {
    /* preparation code */
    if (external){
        /* glue code */
    } else {
        /* other glue code */
    }
}

This, in fact, did not overload the function. Function declarations are hoisted, so the second declaration replaced the first before any code ran; the first version, which called addMarker with one argument too few, never existed at run time. That it worked at all was a delightful coincidence: when you call a JavaScript function with too few arguments, the missing parameters are undefined, and undefined is falsy, so every nine-argument call landed in the else branch exactly as if false had been passed.


Cryptogram More on My AI and Democracy Book

In July, I wrote about my new book project on AI and democracy, to be published by MIT Press in fall 2025. My co-author and collaborator Nathan Sanders and I are hard at work writing.

At this point, we would like feedback on titles. Here are four possibilities:

  1. Rewiring the Republic: How AI Will Transform our Politics, Government, and Citizenship
  2. The Thinking State: How AI Can Improve Democracy
  3. Better Run: How AI Can Make our Politics, Government, Citizenship More Efficient, Effective and Fair
  4. AI and the New Future of Democracy: Changes in Politics, Government, and Citizenship

What we want out of the title is that it convey (1) that it is a book about AI, (2) that it is a book about democracy writ large (and not just deepfakes), and (3) that it is largely optimistic.

What do you like? Feel free to do some mixing and matching: swapping “Will Transform” for “Will Improve” for “Can Transform” for “Can Improve,” for example. Or “Democracy” for “the Republic.” Remember, the goal here is for a title that will make a potential reader pick the book up off a shelf, or read the blurb text on a webpage. It needs to be something that will catch the reader’s attention. (Other title ideas are here).

Also, FYI, this is the current table of contents:

Introduction
1. Introduction: How AI will Change Democracy
2. Core AI Capabilities
3. Democracy as an Information System

Part I: AI-Assisted Politics
4. Background: Making Mistakes
5. Talking to Voters
6. Conducting Polls
7. Organizing a Political Campaign
8. Fundraising for Politics
9. Being a Politician

Part II: AI-Assisted Legislators
10. Background: Explaining Itself
11. Background: Who’s to Blame?
12. Listening to Constituents
13. Writing Laws
14. Writing More Complex Laws
15. Writing Laws that Empower Machines
16. Negotiating Legislation

Part III: The AI-Assisted Administration
17. Background: Exhibiting Values and Bias
18. Background: Augmenting Versus Replacing People
19. Serving People
20. Operating Government
21. Enforcing Regulations

Part IV: The AI-Assisted Court
22. Background: Being Fair
23. Background: Getting Hacked
24. Acting as a Lawyer
25. Arbitrating Disputes
26. Enforcing the Law
27. Reshaping Legislative Intent
28. Being a Judge

Part V: AI-Assisted Citizens
29. Background: AI and Power
30. Background: AI and Trust
31. Explaining the News
32. Watching the Government
33. Moderating, Facilitating, and Building Consensus
34. Acting as Your Personal Advocate
35. Acting as Your Personal Political Proxy

Part VI: Ensuring That AI Benefits Democracy
36. Why AI is Not Yet Good for Democracy
37. How to Ensure AI is Good for Democracy
38. What We Need to Do Now
39. Conclusion

Everything is subject to change, of course. The manuscript isn’t due to the publisher until the end of March, and who knows what AI developments will happen between now and then.

EDITED: The title under consideration is “Rewiring the Republic,” and not “Rewiring Democracy.” Although, I suppose, both are really under consideration.

365 TomorrowsUnseen Unnoticed

Author: Majoki They stared right through me. It used to bother me. Now, it’s essential. I uncoupled the mag-links while Symplex’s security personnel looked past me. I didn’t fit their profiles, didn’t merit a glance. That’s what it is to be me. I live by a pair of simple rules. The fact that they come […]

The post Unseen Unnoticed appeared first on 365tomorrows.

Planet DebianIustin Pop: Optical media lifetime - one data point

Way back (more than 10 years ago), when I was doing DVD-based backups, I knew that normal DVDs/Blu-Rays are no long-term archival solution, and that if I was serious about optical media backups, I needed to switch to M-Disc. I actually bought a (small) stack of M-Disc Blu-Rays, but never used them.

I then switched to other backups solutions, and forgot about the whole topic. Until, this week, while sorting stuff, I happened upon a set of DVD backups from a range of years, and was very curious whether they are still readable after many years.

And, to my surprise, there were no surprises! Went backward in time, and:

  • 2014, TDK DVD+R, fully readable
  • 2012, JVC DVD+R and TDK DVD+R, fully readable
  • 2010, Verbatim DVD+R, fully readable
  • 2009/2008/2007, Verbatim DVD+R, 4 DVDs, fully readable

I also found a stack of dual-layer DVD+R from 2012-2014, some for sure Verbatim, and some unmarked (they were intended to be printed on), but likely Verbatim as well. All worked just fine. Just that, even at ~8GiB per disk, backing up raw photo files took way too many disks, even in 2014 😅.

At this point I was happy that all 12+ DVDs I found, ranging from 10 to 14 years, are all good. Then I found a batch of 3 CDs! Here the results were mixed:

  • 2003: two TDK “CD-R80”, “Metallic”, 700MB: fully readable, after 21 years!
  • unknown year, likely around 1999-2003, but no later, “Creation” CD-R, 700MB: read errors to the extent I can’t even read the disk signature (isoinfo -d).

I think the takeaway is that all explicitly selected media - TDK, JVC and Verbatim - hold for 10-20 years. Valid reads from summer 2003 are mind-boggling to me, for (IIRC) organic media - not sure about the “TDK Metallic” substrate. And when you just pick whatever (“Creation”), well, the results are mixed.
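A check that goes with that takeaway, as an added example (not the post's own tooling): read a disc sector by sector, count the sectors the drive cannot return, and hash what is readable so it can be compared against a checksum recorded when the disc was burned. It assumes 2048-byte data sectors and a disc visible as a block device or image file (e.g. /dev/sr0 or backup-2009.iso); the retry count and sector size are the example's own choices.

```python
#!/usr/bin/env python3
"""Sector-by-sector readability check for optical media (added example, not the
post's own tooling). Assumes a CD/DVD data sector of 2048 bytes and a disc that
is visible as a block device or image file, e.g. /dev/sr0 or backup-2009.iso."""
import hashlib
import os
import sys
from dataclasses import dataclass
from typing import Optional

SECTOR = 2048  # CD/DVD data sector size (assumed for every disc checked)


@dataclass
class ReadReport:
    sectors_total: int
    sectors_bad: int
    first_bad: Optional[int]
    sha256: str  # equals the image's sha256 only when sectors_bad == 0


def read_verify(path: str, sector: int = SECTOR, retries: int = 2) -> ReadReport:
    """Read every sector of `path`, retrying failures, and hash what was readable.

    Unreadable sectors (OSError from pread, typically EIO on degraded media) are
    counted and replaced by zeros so the hash stays offset-aligned; compare the
    hash with a checksum recorded at burn time only when sectors_bad is 0.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for block devices, unlike stat()
        total = (size + sector - 1) // sector
        digest = hashlib.sha256()
        bad = 0
        first_bad: Optional[int] = None
        for idx in range(total):
            chunk = None
            for _attempt in range(retries + 1):
                try:
                    chunk = os.pread(fd, sector, idx * sector)
                    break
                except OSError:
                    chunk = None
            if chunk is None:
                bad += 1
                if first_bad is None:
                    first_bad = idx
                chunk = b"\0" * min(sector, size - idx * sector)
            digest.update(chunk)
        return ReadReport(total, bad, first_bad, digest.hexdigest())
    finally:
        os.close(fd)


def summarize(report: ReadReport) -> str:
    """One-line verdict. A bad sector or two right at the end is often the drive
    reporting a slightly larger size than the readable data area, not rot."""
    if report.sectors_bad == 0:
        return f"OK {report.sectors_total} sectors sha256={report.sha256}"
    return (f"DEGRADED {report.sectors_bad}/{report.sectors_total} sectors unreadable, "
            f"first bad sector {report.first_bad}")


if __name__ == "__main__":
    for device in sys.argv[1:] or ["/dev/sr0"]:
        print(device, summarize(read_verify(device)))
```

Run it against the drive (membership in the cdrom group, or root, is needed to read /dev/sr0 on most distributions) and keep the sha256 next to the catalogue of the disc; on the next pass a changed hash with zero bad sectors points at a different disc or a different drive offset rather than at rot.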

Note that in all this, it was about CDs and DVDs. I have no idea how Blu-Rays behave, since I don’t think I ever wrote a Blu-Ray. In any case, surprising to me, and makes me rethink a bit my backup options. Sizes from 25 to 100GB Blu-Rays are reasonable for most critical data. And they’re WORM, as opposed to most LTO media, which is re-writable (and to some small extent, prone to accidental wiping).

Now, I should check those M-Discs to see if they can still be written to, after 10 years 😀

,

Planet DebianDirk Eddelbuettel: RcppDate 0.0.4: New Upstream Minor

RcppDate wraps the featureful date library written by Howard Hinnant for use with R. This header-only modern C++ library has been in pretty wide-spread use for a while now, and adds to C++11/C++14/C++17 what will be (with minor modifications) the ‘date’ library in C++20.

This release, the first in 3 1/2 years, syncs the code with the recent date 3.0.2 release from a few days ago. It also updates a few packaging details such as URLs, badges or continuous integration.

Changes in version 0.0.4 (2024-10-14)

  • Updated to upstream version 3.0.2 (and adjusting one pragma)

  • Several small updates to overall packaging and testing

Courtesy of my CRANberries, there is also a diffstat report for the most recent release. More information is available at the repository or the package page.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianScarlett Gately Moore: Kubuntu 24.10 Released, KDE Snaps at 24.08.2, and I lived to tell you about it!

Happy 28th Birthday KDE!

Sorry my blog updates have been MIA. Let me tell you a story…

As some of you know, 3 months ago I was in a no-fault car accident. Thankfully, the only injury was I ended up with a broken arm. ER sends me home in a sling and tells me it was a clean break and it will mend itself in no time. After a week of excruciating pain I went to my follow-up doctor appointment, and with my x-rays in hand, the doc tells me it was far from a clean break and needs surgery. So after a week of my shattered bone scraping my nerves and causing pain I have never felt before, I finally go in for surgery! They put in a metal plate with screws to hold the bone in place so it can properly heal. The nerve pain was gone, so I thought I was on the mend. Some time goes by and the swelling still has not subsided, the doctors are not as concerned about this as I am, so I carry on until it becomes really inflamed and developed fever blisters. After no success in reaching the doctor’s office my husband borrows the neighbor’s car and rushes me to the ER. Good thing too, I had an infection. So after a 5 day stay in the hospital, they sent us home loaded with antibiotics and trained my husband in wound packing. We did everything right, kept the place immaculate, followed orders with the wound care, took my antibiotics, yet when they ran out there was still no sign of relief, or healing. Went to doctors and they gave me another month supply of antibiotics. Two days after my final dose my arm becomes inflamed again and with extra spectacular levels of pain to go with it. I call the doctor’s office… They said to come in on my appointment day (4 days away). I asked, “You aren’t concerned with this inflammation?”, to which they replied, “No.”. Ok, maybe I am over reacting and it’s all in my head, I can power through 4 more days. The following morning my husband observed fever blisters and the wound site was clearly not right, so once again off we go to the ER. Well… thankfully we did.
I was in sepsis and could have died… After deliberating with the doctor on the course of action for treatment, the doctor accepted our plea to remove the plate, rather than tighten screws and have me drive 100 miles to hospital every day for IV antibiotics (Umm, I don’t have a car!?) So after another 4 day stay I am released into the world, alive and well. I am happy to report, the swelling is almost gone, the pain is minimal, and I am finally healing nicely. I am still in a sling and I have to be super careful as my arm is not fully knitted. So with that I am bummed to say, no traveling for me, no Ubuntu Summit.

I still need help with that car, if it weren’t for our neighbor, this story would have ended much differently.

https://gofund.me/00942f47

Despite my tragic few months for my right arm, my left arm has been quite busy. Thankfully I am a lefty! On to my work progress report.

Kubuntu:

With Plasma 6! A big thank you to the Debian KDE/QT team and Rik Mills, could not have done it without you!

KDE Snaps:

All release service snaps are done! Save a few problematic ones still WIP. I have released 24.08.2 which you can find here:

https://snapcraft.io/publisher/kde

I completed the qt6 and KDE frameworks 6 content packs for core24

Snapcraft:

I have a PR in for kde-neon-6 extension core24 support.

That’s all for now. Thanks for stopping by!

Cryptogram Auto-Identification Smart Glasses

Two students have created a demo of a smart-glasses app that performs automatic facial recognition and then information lookups. Kind of obvious—something similar was done in 2011—but the sort of creepy demo that gets attention.

News article.

Cryptogram Largest Recorded DDoS Attack is 3.8 Tbps

Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.)

News article.

Cryptogram Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I’m speaking at SOSS Fusion 2024 in Atlanta, Georgia, USA. The event will be held on October 22 and 23, 2024, and my talk is  at 9:15 AM ET on October 22, 2024.

The list is maintained on this page.

Cryptogram More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies

The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here).

The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to reveal, was a former Middle East sales representative for the Taiwanese firm who had established her own company and acquired a license to sell a line of pagers that bore the Apollo brand. Sometime in 2023, she offered Hezbollah a deal on one of the products her firm sold: the rugged and reliable AR924.

“She was the one in touch with Hezbollah, and explained to them why the bigger pager with the larger battery was better than the original model,” said an Israeli official briefed on details of the operation. One of the main selling points about the AR924 was that it was “possible to charge with a cable. And the batteries were longer lasting,” the official said.

As it turned out, the actual production of the devices was outsourced and the marketing official had no knowledge of the operation and was unaware that the pagers were physically assembled in Israel under Mossad oversight, officials said. Mossad’s pagers, each weighing less than three ounces, included a unique feature: a battery pack that concealed a tiny amount of a powerful explosive, according to the officials familiar with the plot.

In a feat of engineering, the bomb component was so carefully hidden as to be virtually undetectable, even if the device was taken apart, the officials said. Israeli officials believe that Hezbollah did disassemble some of the pagers and may have even X-rayed them.

Also invisible was Mossad’s remote access to the devices. An electronic signal from the intelligence service could trigger the explosion of thousands of the devices at once. But, to ensure maximum damage, the blast could also be triggered by a special two-step procedure required for viewing secure messages that had been encrypted.

“You had to push two buttons to read the message,” an official said. In practice, that meant using both hands.

Also read Bunnie Huang’s essay on what it means to live in a world where people can turn IoT devices into bombs. His conclusion:

Not all things that could exist should exist, and some ideas are better left unimplemented. Technology alone has no ethics: the difference between a patch and an exploit is the method in which a technology is disclosed. Exploding batteries have probably been conceived of and tested by spy agencies around the world, but never deployed en masse because while it may achieve a tactical win, it is too easy for weaker adversaries to copy the idea and justify its re-deployment in an asymmetric and devastating retaliation.

However, now that I’ve seen it executed, I am left with the terrifying realization that not only is it feasible, it’s relatively easy for any modestly-funded entity to implement. Not just our allies can do this—a wide cast of adversaries have this capability in their reach, from nation-states to cartels and gangs, to shady copycat battery factories just looking for a big payday (if chemical suppliers can moonlight in illicit drugs, what stops battery factories from dealing in bespoke munitions?). Bottom line is: we should approach the public policy debate around this assuming that someday, we could be victims of exploding batteries, too. Turning everyday objects into fragmentation grenades should be a crime, as it blurs the line between civilian and military technologies.

I fear that if we do not universally and swiftly condemn the practice of turning everyday gadgets into bombs, we risk legitimizing a military technology that can literally bring the front line of every conflict into your pocket, purse or home.

Planet DebianPhilipp Kern: Touch Notifications for YubiKeys

When setting up your YubiKey you have the option to require the user to touch the device to authorize an operation (be it signing, decrypting, or authenticating). While web browsers often provide clear prompts for this, other applications like SSH or GPG will not. Instead the operation will just hang without any visual indication that user input is required. The YubiKey itself will blink, but depending on where it is plugged in that is not very visible.

yubikey-touch-detector (fresh in unstable) solves this issue by providing a way for your desktop environment to signal the user that the device is waiting for a touch. It provides an event feed on a socket that other components can consume. It comes with libnotify support and there are some custom integrations for other environments.

For GNOME and KDE, libnotify support should be sufficient; however, you still need to turn it on:

$ mkdir -p ~/.config/yubikey-touch-detector
$ sed -e 's/^YUBIKEY_TOUCH_DETECTOR_LIBNOTIFY=.*/YUBIKEY_TOUCH_DETECTOR_LIBNOTIFY=true/' \
  < /usr/share/doc/yubikey-touch-detector/examples/service.conf.example \
  > ~/.config/yubikey-touch-detector/service.conf
$ systemctl --user restart yubikey-touch-detector

I would still have preferred a more visible, more modal prompt. I guess that would be an exercise for another time, listening to the socket and presenting a window. But for now, desktop notifications will do for me.
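As an added example (not part of the post or of yubikey-touch-detector itself), here is the socket consumer that paragraph describes, in Python: it tracks which kinds of operation are waiting for a touch and raises a critical-urgency notification for as long as one is. The socket path and the message shapes (KIND_1 when a touch becomes wanted, KIND_0 when it no longer is, KIND one of GPG, U2F, HMAC or MOCK, sent back to back without delimiters) are taken from the project's README and should be checked against the installed version; notify-send(1) is assumed for the visible prompt.

```python
#!/usr/bin/env python3
"""Minimal consumer for the yubikey-touch-detector event socket (added example;
not part of the post or of yubikey-touch-detector).

Assumptions from the project's README, to be verified against the installed
version: the socket lives at $XDG_RUNTIME_DIR/yubikey-touch-detector.socket and
carries an undelimited stream of short messages KIND_1 / KIND_0, with KIND one
of GPG, U2F, HMAC, MOCK. notify-send(1) is assumed for the prompt."""
import os
import re
import socket
import subprocess
from typing import Callable, List, Optional, Tuple

EVENT_RE = re.compile(rb"(GPG|U2F|HMAC|MOCK)_([01])")
MAX_EVENT_LEN = 6  # longest message under the assumed format ("HMAC_1")


def parse_events(buf: bytes) -> Tuple[List[Tuple[str, bool]], bytes]:
    """Split a byte buffer into (kind, touch_wanted) events.

    Returns the events found and the unparsed tail, because a message may be
    split across two recv() calls. Raises ValueError if the tail cannot be the
    prefix of any valid message, so protocol drift is noticed rather than hung on.
    """
    events = []
    pos = 0
    while True:
        m = EVENT_RE.match(buf, pos)
        if not m:
            break
        events.append((m.group(1).decode("ascii"), m.group(2) == b"1"))
        pos = m.end()
    tail = buf[pos:]
    if len(tail) >= MAX_EVENT_LEN:
        raise ValueError(f"unrecognised data on touch-detector socket: {tail[:16]!r}")
    return events, tail


class TouchState:
    """Tracks which operation kinds are currently waiting for a touch."""

    def __init__(self) -> None:
        self.pending = set()

    def apply(self, kind: str, wanted: bool) -> frozenset:
        if wanted:
            self.pending.add(kind)
        else:
            self.pending.discard(kind)
        return frozenset(self.pending)


def message_for(pending: frozenset) -> Optional[str]:
    """Text to show while something waits; None once nothing does."""
    if not pending:
        return None
    return "YubiKey is waiting for a touch (" + ", ".join(sorted(pending)) + ")"


def notify_send(text: str) -> None:
    """Default notifier: a critical-urgency desktop notification via notify-send."""
    subprocess.run(["notify-send", "-u", "critical", "-t", "10000", "YubiKey", text],
                   check=False)


def handle(buf: bytes, state: TouchState,
           notifier: Callable[[str], None]) -> Tuple[List[Optional[str]], bytes]:
    """Parse one chunk, update the state and fire the notifier. Returns the
    messages produced (None marks 'nothing waiting any more') and leftover bytes."""
    events, tail = parse_events(buf)
    produced = []
    for kind, wanted in events:
        text = message_for(state.apply(kind, wanted))
        produced.append(text)
        if text:
            notifier(text)
    return produced, tail


def main() -> None:
    run_dir = os.environ.get("XDG_RUNTIME_DIR", f"/run/user/{os.getuid()}")
    path = os.path.join(run_dir, "yubikey-touch-detector.socket")
    state = TouchState()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        buf = b""
        while True:
            data = sock.recv(64)
            if not data:
                break
            _, buf = handle(buf + data, state, notify_send)


if __name__ == "__main__":
    main()
```

The notifier is injected so the parsing and state logic can be exercised without a desktop; swapping notify_send for a function that opens a modal window is the "more visible prompt" the post wishes for.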

PS: I have not managed to get SSH's no-touch-required to work with YubiKey 4, while it works just fine with a YubiKey 5.

Worse Than FailureRepresentative Line: Ripping Away the Mask

Jason was investigating a bug in a bitmask. It should have been set to 0b11, but someone had set it to just plain decimal 11. The line responsible looked like this:

byte number = (byte) 11;

This code takes the decimal number 11, casts it to a byte, and stores it in a byte, leaving us with the decimal number 11.

Curious, Jason checked the blame and saw that one of their senior-most devs was responsible. Figuring this was a good opportunity to poke a little fun at the dev for a silly mistake like this, Jason sent them a message about the difficulties of telling apart decimal values and binary values when the decimal value only contained ones and zeroes.

"What are you talking about?" the dev replied back. "The (byte) operator tells the compiler that the number is in binary."

Concerned by that reply, Jason started checking the rest of the code. And sure enough, in many places in the code, the senior dev had followed this convention. Many of them were wrong, and just hadn't turned into a bug yet. One or two were coincidentally setting the important bits anyway.

Now, in a vague "defense" of what the senior dev was trying to do, C had no standard way of specifying binary literals until C23 (which adds 0b prefixes but is not what most code is compiled as). GCC and Clang have long accepted 0b11 as a non-standard extension. So I understand the instinct- "there should be an easy way to do this," even if anyone with more than a week's experience *should have known better*.

But the real moral of the story is: don't use bitmasks without also using constants. It never should have been written with literals, it should have been written as byte number = FLAG_A | FLAG_B. The #define for the flags could be integer constants, or if you're feeling spicy about it, bitshift operations: #define FLAG_A (1 << 0) and #define FLAG_B (1 << 1). Then you don't need binary literals, and your code is actually readable for humans.
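The article's code is C (with the GCC 0b extension); the following added example, which is not from the article, uses Python to show the same failure and the check that catches it: a flag set defined with shifts, a decoder that names the bits in a mask, and a validator that rejects masks carrying bits no flag defines, which is exactly what 11 (0b1011) instead of 0b11 produces. MarkerFlags and its members are made up for the illustration.

```python
from enum import IntFlag


class MarkerFlags(IntFlag):
    """Each flag spelled as a shift, so the bit it occupies is visible at a glance."""
    FLAG_A = 1 << 0  # 0b0001
    FLAG_B = 1 << 1  # 0b0010
    FLAG_C = 1 << 2  # 0b0100


# Plain int of every defined bit; kept as int so ~ALL_KNOWN is an ordinary mask.
ALL_KNOWN = sum(int(flag) for flag in MarkerFlags)


def decode(mask: int):
    """Return (names of defined flags set in `mask`, bits no flag defines)."""
    value = int(mask)
    names = [flag.name for flag in MarkerFlags if value & int(flag)]
    unknown = value & ~ALL_KNOWN
    return names, unknown


def check_mask(mask: int) -> int:
    """Accept a mask only if every set bit belongs to a defined flag.

    `11` written where `0b11` was meant sets bit 3 as well as bits 0 and 1;
    the undefined bit is what this catches.
    """
    _names, unknown = decode(mask)
    if unknown:
        raise ValueError(f"mask {int(mask):#06b} sets undefined bits {unknown:#06b}")
    return mask


def compose(*names: str) -> int:
    """Build a mask from flag names, the readable equivalent of FLAG_A | FLAG_B."""
    value = 0
    for name in names:
        value |= int(MarkerFlags[name])  # KeyError for an unknown name, on purpose
    return value


if __name__ == "__main__":
    intended = compose("FLAG_A", "FLAG_B")          # 0b11 == 3
    print("intended:", decode(intended))            # (['FLAG_A', 'FLAG_B'], 0)
    print("what 11 gives:", decode(11))             # (['FLAG_A', 'FLAG_B'], 8)
    check_mask(intended)
    try:
        check_mask(11)
    except ValueError as err:
        print("rejected:", err)
```

Running every mask loaded from configuration or wire data through check_mask is the cheap way to turn "hasn't turned into a bug yet" into an immediate, loud failure.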

It was difficult to track down all the places where this misguided convention for binary literals was followed, as it was hard to tell the difference between that and a legitimate cast to byte. Fortunately, there weren't that many places where bitmasks were getting set.


365 TomorrowsDisposable

Author: Julian Miles, Staff Writer The squad’s sitting there having breakfast when Tommo’s head explodes. Just like that, we’re all on the deck. Except Bert. He’s still sat there noshing his way through a bacon butty. “Bert! What the frack?” He swallows before replying. “When was the last time they missed? We’re the ones who […]

The post Disposable appeared first on 365tomorrows.

,

Cryptogram Weird Zimbra Vulnerability

Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit reliably.

In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details:

  • While the exploitation attempts we have observed were indiscriminate in targeting, we haven’t seen a large volume of exploitation attempts
  • Based on what we have researched and observed, exploitation of this vulnerability is very easy, but we do not have any information about how reliable the exploitation is
  • Exploitation has remained about the same since we first spotted it on Sept. 28th
  • There is a PoC available, and the exploit attempts appear opportunistic
  • Exploitation is geographically diverse and appears indiscriminate
  • The fact that the attacker is using the same server to send the exploit emails and host second-stage payloads indicates the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and payload servers to be different entities in a more mature operation.
  • Defenders protecting Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses.
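A concrete version of that last point, added here and not part of the article or the Proofpoint note: a small Python scanner for To/Cc/Bcc headers that flags values carrying shell-style constructs or addresses that do not parse as a plain addr-spec. The token list is an assumed heuristic for "suspicious strings", not a signature for any particular bug, and the two sample messages are constructed.

```python
#!/usr/bin/env python3
"""Recipient-header heuristic for mail servers fed crafted addresses (added
example, not from the article or from Proofpoint). Flags To/Cc/Bcc values that
carry constructs a mailbox address never needs, or that fail a loose addr-spec
shape check. Token list is an assumption; sample messages are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import List, Tuple

# Constructs no legitimate recipient header needs but that command substitution
# or pipeline injection attempts rely on (assumed heuristic, tune to taste).
SUSPICIOUS_TOKENS = re.compile(r"\$\(|\$\{|`|\||;|&&|\\x[0-9a-fA-F]{2}")
# Loose addr-spec shape once the header is parsed: local@domain, no whitespace
# or quotes. Quoted local parts are legal but rare enough to deserve a look.
ADDR_SPEC = re.compile(r"^[^\s\"@]+@[^\s\"@]+$")


def scan_recipients(raw_message: str) -> List[Tuple[str, str, str]]:
    """Return (header, offending value, reason) for every suspicious recipient."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            value = " ".join(str(value).split())  # unfold and collapse whitespace
            hit = SUSPICIOUS_TOKENS.search(value)
            if hit:
                findings.append((header, value, f"contains {hit.group(0)!r}"))
                continue
            for _display, addr in getaddresses([value]):
                if addr and not ADDR_SPEC.match(addr):
                    findings.append((header, addr, "unusual addr-spec"))
    return findings


# Constructed samples: one ordinary message, one with a recipient that smuggles
# a command-substitution token inside a quoted local part.
SAMPLE_CLEAN = (
    "From: alice@example.com\n"
    "To: Bob Example <bob@example.com>\n"
    "Cc: carol@example.com, Dan <dan@example.org>\n"
    "Subject: hello\n\n"
    "body\n"
)
SAMPLE_BAD = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    'Cc: "report$(id)"@example.com\n'
    "Subject: hello\n\n"
    "body\n"
)


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    for header, value, reason in scan_recipients(raw):
        print(f"{header}: {value}  <- {reason}")
```

Pipe a raw message (or a Zimbra-side copy of the envelope headers) into it; anything it prints is worth correlating with the outbound connections the quoted advice also mentions.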

Planet DebianAndy Simpkins: The state of the art

A long time ago….

A long time ago a computer was a woman (I think almost exclusively women, not men) who was employed to do a lot of repetitive mathematics – typically for accounting and stock / order processing.

Then along came Lyons, who deployed an artificial computer to perform the same task, only with fewer errors in less time. Modern day computing was born – we had entered the age of the Digital Computer.

These computers were large, consumed huge amounts of power but were precise, and gave repeatable, verifiable results.

Over time the huge mainframe digital computers have shrunk in size, increased in performance, and consume far less power – so much so that they often didn’t need the specialist CFC-based, refrigerated liquid cooling systems of their bigger mainframe counterparts, only requiring forced air flow, and occasionally just convection cooling. They shrank so far and became cheap enough that the Personal Computer came to be, replacing the mainframe and its time-shared resources with a machine per user. Desktop or even portable “laptop” computers were everywhere.

We networked them together, so now we could share information around the office; a few computers were given the specialist task of being available all the time so we could share documents or host databases. These servers were basically PCs designed to operate 24×7, usually more powerful than their desktop counterparts (or at least with faster storage and networking).

Next we joined these networks together and the internet was born. The dream of a paperless office might actually become realised – we can now send email (and documents) from one organisation (or individual) to another via email. We can make our specialist computers applications available outside just the office and web servers / web apps come of age.

Fast forward a few years and all of a sudden we need huge data-halls filled with “rack scale” machines augmented with exotic GPUs and NPUs, again with refrigerated liquid cooling, all to do the same task that we were doing previously without the magical buzzword that has been named AI; because we all need another dot-com bubble or blockchain bandwagon to jump aboard. Our AI-enabled searches take slightly longer, consume magnitudes more power, and best of all the results we are given may or may not be correct….

Progress, less precise answers, taking longer, consuming more power, without any verification and often giving a different result if you repeat your question AND we still need a personal computing device to access this wondrous thing.

Remind me again why we are here?

(timelines and huge swathes of history simply ignored to make an attempted comic point – this is intended to make a point and not be scholarly work)

365 TomorrowsCigar Over Macclesfield

Author: David Tam McDonald Colin gave a polite cough to start the meeting. As team leader he sat at the head of the table. Brian, the secretary, sat to his left, perusing the agenda, which was blank and absolutely not taking any minutes. Tony, Richard and Lyndsey sat facing them, all eager to begin. “I […]

The post Cigar Over Macclesfield appeared first on 365tomorrows.

Planet DebianTaavi Väänänen: Bulk downloading Wikimedia Commons categories

Wikimedia Commons, the Wikimedia project for freely licensed media files, also contains a bunch of photos by me and photos of me at various events. While I don't think Commons is going away anytime soon, I would still like to have a local copy of those images available on my own storage hardware.

Obviously this requires some way to query for photos you want to download. I'm using Commons categories for this, since that's easy to implement and works for both use cases. The Commons community tends to come up with very specific categories that you can use, and if not, you can usually categorize the files yourself.

Me replying 'shh' to a Discord message showing myself categorizing photos about me and accusing me of COI editing

thankfully Commons has no such thing as a Conflict of interest (COI) policy

There is almost an existing tool for this: Sam Wilson's mwcli project has support for exporting images one has uploaded to Commons. However I couldn't use that to download photos of me that others have uploaded, plus it's written in PHP and I don't exactly want to deal with the problem of figuring out how to package it in a way I could neatly install it on my NAS.

So I wrote my own tool for it, called comload. It's written in Python because Python is easy to deploy (I can just throw it in a .deb and upload it to my internal repository), and because I did not find a Go library to handle Action API pagination for me. The basic usage is like this:

$ comload --subcats "Taavi Väänänen"

This will download any files in Category:Taavi Väänänen and its sub-categories to the current directory. Former image versions, as well as the image description and SDC data, if any, are also included. And it's smart enough not to download any files that are already there on future runs, so you can just throw it in a systemd timer to get any future files. I'd still like it to handle moved files without creating a duplicate copy, but otherwise I'm really happy with the current state.
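The pagination the post alludes to, as an added example in Python (not comload's own code): a generator that follows the Action API's continue block, and a category walker built on it that recurses into subcategories while guarding against the cycles Commons categories contain. http_fetch talks to the real api.php endpoint; FAKE_SITE, fake_fetch and the category names in them are constructed so the walk can be exercised offline.

```python
#!/usr/bin/env python3
"""Walking a Commons category tree through the MediaWiki Action API `continue`
mechanism (added example, not comload's own code). `http_fetch` talks to the
real API; `FAKE_SITE`/`fake_fetch` are constructed so the logic runs offline."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Set

Fetch = Callable[[Dict[str, str]], dict]

NS_FILE, NS_CATEGORY = 6, 14  # MediaWiki namespace numbers


def http_fetch(params: Dict[str, str],
               endpoint: str = "https://commons.wikimedia.org/w/api.php") -> dict:
    """One GET against the Action API; Wikimedia expects an identifying User-Agent."""
    url = endpoint + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"User-Agent": "comload-example/0.1 (added example)"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_query(fetch: Fetch, params: Dict[str, str]) -> Iterator[dict]:
    """Yield every page of an action=query request, merging the server's
    `continue` block into the next request until it stops sending one."""
    base = dict(params, action="query", format="json")
    cont: Dict[str, str] = {}
    while True:
        page = fetch({**base, **cont})
        yield page
        cont = page.get("continue") or {}
        if not cont:
            return


def category_files(fetch: Fetch, category: str, subcats: bool = True,
                   _seen: Optional[Set[str]] = None) -> List[str]:
    """Titles of files in `category`, recursing into subcategories when asked.
    Commons categories form a graph with cycles, so visited ones are tracked."""
    seen = _seen if _seen is not None else set()
    if category in seen:
        return []
    seen.add(category)
    files: List[str] = []
    query = {"list": "categorymembers", "cmtitle": category,
             "cmtype": "file|subcat" if subcats else "file", "cmlimit": "max"}
    for page in iter_query(fetch, query):
        for member in page["query"]["categorymembers"]:
            if member["ns"] == NS_FILE:
                if member["title"] not in files:
                    files.append(member["title"])
            elif member["ns"] == NS_CATEGORY and subcats:
                for title in category_files(fetch, member["title"], True, seen):
                    if title not in files:
                        files.append(title)
    return files


# --- constructed stand-in for the API: two pages for the top category, a
# subcategory that links back up (a cycle), and a file listed in both ---
FAKE_SITE = {
    "Category:Example person": [
        [{"ns": NS_FILE, "title": "File:A.jpg"},
         {"ns": NS_CATEGORY, "title": "Category:Example sub"}],
        [{"ns": NS_FILE, "title": "File:B.jpg"}],
    ],
    "Category:Example sub": [
        [{"ns": NS_FILE, "title": "File:C.jpg"},
         {"ns": NS_FILE, "title": "File:A.jpg"},
         {"ns": NS_CATEGORY, "title": "Category:Example person"}],
    ],
}


def fake_fetch(params: Dict[str, str]) -> dict:
    """Serve FAKE_SITE one page at a time, using cmcontinue as the page index."""
    pages = FAKE_SITE[params["cmtitle"]]
    idx = int(params.get("cmcontinue", "0"))
    resp = {"query": {"categorymembers": pages[idx]}}
    if idx + 1 < len(pages):
        resp["continue"] = {"cmcontinue": str(idx + 1), "continue": "-||"}
    return resp


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        fetch, category = http_fetch, sys.argv[1]   # e.g. "Category:Some category"
    else:
        fetch, category = fake_fetch, "Category:Example person"
    for title in category_files(fetch, category):
        print(title)
```

Downloading then becomes a second query (prop=imageinfo with iiprop=url, paged the same way) per title; keeping the continue handling in one generator is what makes that reuse trivial.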

comload is available from PyPI and from my Git server directly, and is licensed under the GPLv3.

,

Planet DebianJonathan Dowland: Code formatting in documents

I've been exploring typesetting and formatting code within text documents such as papers, or my thesis. Up until now, I've been using the listings package without thinking much about it. By default, some sample Haskell code processed by listings looks like this (click any of the images to see larger, non-blurry versions):

default output of listings on a Haskell code sample

It's formatted with a monospaced font, with some keywords highlighted, but not syntactic symbols.

There are several other options for typesetting and formatting code in LaTeX documents. For Haskell in particular, there is the preprocessor lhs2tex, the default output of which looks like this:

default output of lhs2tex on a Haskell code sample

A proportional font, but it's taken pains to preserve vertical alignment, which is syntactically significant for Haskell. It looks a little cluttered to me, and I'm not a fan of nearly everything being italic. Again, symbols aren't differentiated, but it has substituted them for more typographically pleasing alternatives: -> has become →, and \ is now λ.

Another option is perhaps the newest, the LaTeX package minted, which leverages the Python Pygments program. Here's the same code again. It defaults to monospace (the choice of font seems a lot clearer to me than the default for listings), no symbolic substitution, and liberal use of colour:

default output of minted on a Haskell code sample

An informal survey of the samples so far showed that the minted output was the most popular.

All of these packages can be configured to varying degrees. Here are some examples of what I've achieved with a bit of tweaking


listings adjusted with colour and some symbols substituted (but sadly not the two together)


lhs2tex adjusted to be less italic, sans-serif and use some colour

All of this has got me wondering whether there are straightforward empirical answers to some of these questions of style.

Firstly, I'm pretty convinced that symbolic substitution is valuable. When writing Haskell, we write ->, \, /= etc. not because it's most legible, but because it's most practical to type those symbols on the most widely available keyboards and popular keyboard layouts.1 Of the three options listed here, symbolic substitution is possible with listings and lhs2tex, but I haven't figured out if minted can do it (which is really the question: can pygments do it?)

I'm unsure about proportional versus monospaced fonts. We typically use monospaced fonts for editing computer code, but that's at least partly for historical reasons. Vertical alignment is often very important in source code, and it can be easily achieved with monospaced text; it's also sometimes important to have individual characters (., etc.) not be de-emphasised by being smaller than any other character.

lhs2tex, at least, addresses vertical alignment whilst using proportional fonts. I guess the importance of identifying individual significant characters is just as true in a code sample within a larger document as it is within plain source code.

From a (brief) scan of research on this topic, it seems that proportional fonts result in marginally quicker reading times for regular prose. It's not clear whether those results carry over into reading computer code in particular, and the margin is slim in any case. The drawbacks of monospaced text mostly apply when the volume of text is large, which is not the case for the short code snippets I am working with.

I still have a few open questions:

  • Is colour useful for formatting code in a PDF document?
    • does this open up a can of accessibility worms?
  • What should be emphasised (or de-emphasised)
  • Why is the minted output the most popular? Could the choice of font be key, or some aspect of the font other than proportionality (serifs, the size of serifs, etc.)?

  [1] The Haskell package Data.List.Unicode lets the programmer use a range of unicode symbols in place of ASCII approximations, such as instead of elem, instead of /=. Sadly, it's not possible to replace the denotation for an anonymous function, \, with λ this way.

David BrinRepublicans admit “We’re blackmailed!” – Plus quick/partial fixes for the Electoral College

There's not a lot of time left, so let’s go for the carotid on a couple of major political points that could benefit from a little ‘judo.’


== Republicans denouncing the subornation ==


Remember Madison Cawthorn, the rising young Republican star Congressmember, who was suddenly dumped by the GOP for revealing ‘orgies’ amid upper ranks of the party? That huge over-reaction - destroying him for offhand (and likely stoned) remarks on shock radio - reflected almost-certain desperation to silence truth; otherwise he'd have got a slap on the wrist.


But was it true? I've long posited that the behavior of so many top GOPpers – e.g. Lindsey Graham and Ted Cruz – can only be explained by blackmail. Mere corruption is insufficient, because any merely-corrupt official can say ‘that’s enough bribery for this year; if I keep saying more shit, I’ll look suspicious or insane.’ 


Blackmail, on the other hand, is insatiable. You simply keep doing whatever the blackmailer demands, even if it makes you look like an idiot, or hypocrite, or both, as in the multiple times when Graham tried to say "I'm done with Trump!" hoping that it would end his ongoing humiliation... followed the next day by utter groveling. 


I mean, do you have an even remotely plausible alternate theory?


This isn't new. Russian secret services have been expert at ‘honeypot traps’ ever since the czars.  Look up the Moscow US embassy Marine guards (1980s) as just one example.

Now, yet another Republican Rep has spoken out, even more explicitly than Cawthorn. Tennessee Congressman Tim Burchett warns that fellow Republicans in the House of Representatives have been lured into honeytraps with sex workers and drugs. 

"Republicans aren’t backing important efforts, such as Rep. Marsha Blackburn’s crusade for Jeffrey Epstein’s flight logs, under orders by big backers and Russians."

Seriously, read this. It’s not getting the attention it deserves and this fellow is at least partially a hero. Or watch this.



== It’s the Republican defectors who will make the biggest difference, stupid ==


Above, I showed how an honest and decent conservative Congressmember has stepped up to denounce the blackmail subornation of his party. Others recently used insane rhetoric and mad conspiracy theories about hurricanes as their own excuse to step up and partially reject the madness.  


Not as much courage as we need from them. But we'll take what we can get.


Then of course there's the long list of former Trump officials – his ‘adults in the room’ during Trump v1.0 – who have nearly all denounced him. From Tillerson & McMaster to James Mattis and John Kelly, to even far-right schmucks like John Bolton and Bill Barr. As many as a hundred have said "even I can't stomach the insanity and treason."


To which Trump's answer is that in Trump 2.0 there will be NO adults in the room. Total brownshirt time.


Which is why I urge the zillionaire oligarchs, murder sheiks and "ex" commissars who have pulled Trump's puppet strings for decades to watch the movie Cabaret, especially the last 5 minutes. Because if he does get back into office on a MAGA sieg-heil-wave, none of those masters will ever again ‘control him.’ Not with blackmail or anything else.


In fact, you oligarchs and Kremlin guys need yet another film... watch Angela Lansbury’s chilling soliloquy near the end of The Manchurian Candidate to see what Don will likely do to his former masters, once the strings are cut.


But let’s add yet more pertinent movie overlaps! This interview with former Trump Communications Director Scaramucci is interesting. Scaramucci on Trump: "He's going to lose because he's getting boring."


Dig a little, and you'll see that the Mooch is describing the "Howard Beale Scenario." (Watch the last 10' of Network and get truly scared!) 


Still, the part of his interview that I resent - because if it does happen, Mooch will get all the prediction points - is when he gives 40% odds that ol' Two Scoops won't even make it to the election or inauguration.


While I was there lots earlier - with lower odds - I hedged it with the election that actually matters - the Electoral College. Which is where the fix may be in.



== It’s the Electoral College, dummy ==


Okay, three big points about the Electoral College, America’s weird (insane) but unchangeable Constitutionally gerrymandered gimmick favoring Red America.

Make that four points. The first? Um why are there two Dakotas? And shouldn’t just one state – Ida-Wyo-Mont – span the northern Rockies?


But no, let’s get practical. The core aim of the Trumpists has been openly declared… for GOP governors and others in some Harris-won states to refuse to certify enough electors, so that the count for president will be invalid, so that the choice will be ‘thrown to the House.’ Hence, even if Dems win a sweeping, crushing victory in November, you might still see Trump get in! 


Because at that stage - in another insanely dumb Constitutional provision - the House votes by delegations – one vote per – and Republicans have 26 delegations vs 24 for dems.


Now, that nightmare assumes there won’t be brave and patriotic Republican Congresswomen or men in some of those reddish delegations, who decide to put country first, the way Alexander Hamilton (bravely) swung the 1800 election to Jefferson, instead of Aaron Burr. That might happen. 


Or else some of YOU will be heroes who help swing just one or two of those delegations blue. In some cases it could come down to just one Congressional race. Look around. There may be some tight races you can help with. And that's where $100 could make a lot more difference than donating to Kamala.



== More Electoral College partial fixes within reach! ==


Okay, two more. I have elsewhere ruminated on the Wyoming Rule. If the dems get real power in Congress, they should pass it, so that all Americans get at least roughly equal representation in the lower house, as was intended. And if that happens, not only will blue states get more representation in the larger (~560 members) House, but the coloration of the Electoral College will change forever.


Only let’s swing to another of my proposals, one which no one else has broached, but that could (well, maybe) make a real difference this year.

In Polemical Judo I mentioned a possible action by one hyper rich person (say a Mark Cuban?) A bold yet totally legal move that could (possibly) get us past whatever tricks the Project 2025 schemers have in mind, to screw up certifications and throw it to the House. 


Briefly: rent a whole mountaintop luxury hotel with minimal - highly vetted - staff. Then announce that for two weeks ...

"Only certified Electors may come as guests. Upon arrival from their home states, they can just stroll and enjoy the views and meals and discuss with each other anything they like. Or else they could - at their own volition - convene the first actual Electoral College in U.S. history. As would be their prerogative! And this year, such a gathering just might be one more bulwark against shenanigans."


Again, no coercion or persuasion. Just show up by individual choice, eat, stroll and chat with others who just happen to be there at the same time, without any of those others being anyone but fellow electors (and minimal staff of trusted cooks). And if you just happen to decide to convene a meeting - formal or informal - well…


Suppose this happened. Watch how quickly the stalling states would rush to certify! 


Though note. No matter how carefully Trumpists have ensured the GOP elector slates are party hacks – and most dem electors would likely be loyalists as well – some would likely talk it over, suddenly moved by the genuine (not ceremonial) power in their hands. 


Moreover, as one of the candidates (you-know-who) fulminates volcanically against this "trickery!!" just enough of them might listen to their conscience and reason…

… and act to save the Republic.


365 TomorrowsStorm

Author: Martin Clyde-Wilkie There’s an angel outside town, if you know where to look. Push through the gorse and scramble along the river bed, keeping your gaze away from the branch of lightning frozen over the gully, until you reach the edge and can peer down at it. It doesn’t look much like you’d expect. […]

The post Storm appeared first on 365tomorrows.

,

Planet DebianSteve McIntyre: Rock 5 ITX

It's been a while since I've posted about arm64 hardware. The last machine I spent my own money on was a SolidRun Macchiatobin, about 7 years ago. It's a small (mini-ITX) board with a 4-core arm64 SoC (4 * Cortex-A72) on it, along with things like a DIMM socket for memory, lots of networking, 3 SATA disk interfaces.

The Macchiatobin was a nice machine compared to many earlier systems, but it took quite a bit of effort to get it working to my liking. I replaced the on-board U-Boot firmware binary with an EDK2 build, and that helped. After a few iterations we got a new build including graphical output on a PCIe graphics card. Now it worked much more like a "normal" x86 computer.

I still have that machine running at home, and it's been a reasonably reliable little build machine for arm development and testing. It's starting to show its age, though - the onboard USB ports no longer work, and so it's no longer useful for doing things like installation testing. :-/

So...

I was involved in a conversation in the #debian-arm IRC channel a few weeks ago, and diederik suggested the Radxa Rock 5 ITX. It's another mini-ITX board, this time using a Rockchip RK3588 CPU. Things have moved on - the CPU is now an 8-core big.LITTLE config: 4*Cortex A76 and 4*Cortex A55. The board has NVMe on-board, 4*SATA, built-in Mali graphics from the CPU, soldered-on memory. Just about everything you need on an SBC for a small low-power desktop, a NAS or whatever. And for about half the price I paid for the Macchiatobin. I hit "buy" on one of the listed websites. :-)

A few days ago, the new board landed. I picked the version with 24GB of RAM and bought the matching heatsink and fan. I set it up in an existing case borrowed from another old machine and tried the Radxa "Debian" build. All looked OK, but I clearly wasn't going to stay with that. Onwards to running a native Debian setup!

I installed an EDK2 build from https://github.com/edk2-porting/edk2-rk3588 onto the onboard SPI flash, then rebooted with a Debian 12.7 (Bookworm) arm64 installer image on a USB stick. How much trouble could this be?

I was shocked! It Just Worked (TM)

I'm running a standard Debian arm64 system. The graphical installer ran just fine. I installed onto the NVMe, adding an Xfce desktop for some simple tests. Everything Just Worked. After many years of fighting with a range of different arm machines (from simple SBCs to desktops and servers), this was without doubt the most straightforward setup I've ever done. Wow!

It's possible to go and spend a lot of money on an Ampere machine, and I've seen them work well too. But for a hobbyist user (or even a smaller business), the Rock 5 ITX is a lovely option. Total cost to me for the board with shipping fees, import duty, etc. was just over £240. That's great value, and I can wholeheartedly recommend this board!

The two things that are missing compared to the Macchiatobin? This is soldered-on memory (but hey, 24G is plenty for me!) It also doesn't have a PCIe slot, but it has sufficient onboard network, video and storage interfaces that I think it will cover most people's needs.

Where's the catch? It seems these are very popular right now, so it can be difficult to find these machines in stock online.

FTAOD, I should also point out: I bought this machine entirely with my own money, for my own use for development and testing. I've had no contact with the Radxa or Rockchip folks at all here, I'm just so happy with this machine that I've felt the need to shout about it! :-)

Here are some pictures...

Rock 5 ITX top view

Rock 5 ITX back panel view

Rock 5 EDK2 startup

Rock 5 xfce login

Rock 5 ITX running Firefox