November 2024 will be known as the time when killing peanut, a pet squirrel, by the New York DEC swung the US presidential elections and shaped history forever.
The hundreds of millions of dollars spent on each side, the tireless campaigning by the candidates, the celebrity endorsements ... all made for an open race for months. Investments evened each other out.
But an OnlyFans producer showing people an overreaching, bureaucracy driven State raiding his home to confiscate a pet squirrel and kill it ... swung enough voters to decide the elections.
That is what we need to understand in times of instant worldwide publication and a mostly attention driven economy: Human fates, elections, economic cycles and wars can be decided by people killing squirrels.
Some interesting takeaways (With the caveat that exit polls are not completely accurate and we won't have the full picture for days.)
President Trump seems to have won the popular vote which no Republican has done I believe since Reagan.
Apparently women didn't particularly care about abortion (CNN said only 14% considered it their primary issue) There is a noticable divide but it is single versus married not women versus men per se.
Hispanics who are here legally voted against Hispanics coming here illegally. Latinx's didn't vote for anything because they don't exist.
The infamous MSG rally joke had no effect on the voting habits of Puerto Ricans.
Republicans have taken the Senate and if trends continue as they are will retain control of the House of Representatives.
President Biden may have actually been a better candidate than Border Czar Harris.
Author: Alastair Millar Prosperina Station’s marketing slogan, “No sun means more fun!”, didn’t do it justice: circling the wandering gas giant PSO J318.5-22, better known as Dis, it was the ultimate in literally non-stop nightlife, seasoned with a flexible approach to Terran laws. Newly graduated robot designer Max Wayne knew she was a decade or […]
There's the potential for endless installments of "programmers not understanding how UUIDs work." Frankly, I think the fact that we represent them as human readable strings is part of the problem; sure, it's readable, but conceals the fact that it's just a large integer.
Which brings us to this snippet, from Capybara James.
if (!StringUtils.hasLength(uuid) || uuid.length() != 36) {
thrownewRequestParameterNotFoundException(ErrorCodeCostants.UUID_MANDATORY_OR_FORMAT);
}
StringUtils.hasLength comes from the Spring library, and it's a simple "is not null or empty" check. So- we're testing to see if a string is null or empty, or isn't exactly 36 characters long. That tells us the input is bad, so we throw a RequestParameterNotFoundException, along with an error code.
So, as already pointed out, a UUID is just a large integer that we render as a 36 character string, and there are better ways to validate a UUID. But this also will accept any 36 character string- as long as you've got 36 characters, we'll call it a UUID. "This is valid, really valid, dumbass" is now a valid UUID.
With that in mind, I also like the bonus of it not distinguishing between whether or not the input was missing or invalid, because that'll make it real easy for users to understand why their input is getting rejected.
[Advertisement]
ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.
Microsoft is warning Azure cloud users that a Chinese controlled botnet is engaging in “highly evasive” password spraying. Not sure about the “highly evasive” part; the techniques seem basically what you get in a distributed password-guessing attack:
“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”
Some of the characteristics that make detection difficult are:
The use of compromised SOHO IP addresses
The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
I’ve been writing about the possibility of AIs automatically discovering code vulnerabilities since at least 2018. This is an ongoing area of research: AIs doing source code scanning, AIs finding zero-days in the wild, and everything in between. The AIs aren’t very good at it yet, but they’re getting better.
Since July 2024, ZeroPath is taking a novel approach combining deep program analysis with adversarial AI agents for validation. Our methodology has uncovered numerous critical vulnerabilities in production systems, including several that traditional Static Application Security Testing (SAST) tools were ill-equipped to find. This post provides a technical deep-dive into our research methodology and a living summary of the bugs found in popular open-source tools.
Expect lots of developments in this area over the next few years.
Let’s stick with software. Imagine that we have an AI that finds software vulnerabilities. Yes, the attackers can use those AIs to break into systems. But the defenders can use the same AIs to find software vulnerabilities and then patch them. This capability, once it exists, will probably be built into the standard suite of software development tools. We can imagine a future where all the easily findable vulnerabilities (not all the vulnerabilities; there are lots of theoretical results about that) are removed in software before shipping.
When that day comes, all legacy code would be vulnerable. But all new code would be secure. And, eventually, those software vulnerabilities will be a thing of the past. In my head, some future programmer shakes their head and says, “Remember the early decades of this century when software was full of vulnerabilities? That’s before the AIs found them all. Wow, that was a crazy time.” We’re not there yet. We’re not even remotely there yet. But it’s a reasonable extrapolation.
EDITED TO ADD: And Google’s LLM just discovered an expolitable zero-day.
A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.
On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.
At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.
Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information and phone and text message records for roughly 110 million people — nearly all of its customers. Wired.comreported in July that AT&T paid a hacker $370,000 to delete stolen phone records.
A report on the extortion attacks from the incident response firm Mandiant notes that Snowflake victim companies were privately approached by the hackers, who demanded a ransom in exchange for a promise not to sell or leak the stolen data. All told, more than 160 Snowflake customers were relieved of data, including TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.
Moucka is alleged to have used the hacker handles Judische and Waifu, among many others. These monikers correspond to a prolific cybercriminal whose exploits were the subject of a recent story published here about the overlap between Western, English-speaking cybercriminals and extremist groups that harass and extort minors into harming themselves or others.
On May 2, 2024, Judische claimed on the fraud-focused Telegram channel Star Chat that they had hacked Santander Bank, one of the first known Snowflake victims. Judische would repeat that claim in Star Chat on May 13 — the day before Santander publicly disclosed a data breach — and would periodically blurt out the names of other Snowflake victims before their data even went up for sale on the cybercrime forums.
404 Media reports that at a court hearing in Ontario this morning, Moucka called in from a prison phone and said he was seeking legal aid to hire an attorney.
KrebsOnSecurity has learned that Moucka is currently named in multiple indictments issued by U.S. prosecutors and federal law enforcement agencies. However, it is unclear which specific charges the indictments contain, as all of those cases remain under seal.
TELECOM DOMINOES
Mandiant has attributed the Snowflake compromises to a group it calls “UNC5537,” with members based in North America and Turkey. Sources close to the investigation tell KrebsOnSecurity the UNC5537 member in Turkey is John Erin Binns, an elusive American man indicted by the U.S. Department of Justice (DOJ) for a 2021 breach at T-Mobile that exposed the personal information of at least 76.6 million customers.
In a statement on Moucka’s arrest, Mandiant said UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024.
“In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations,” wrote Austin Larsen, Mandiant’s senior threat analyst. “The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”
Sources involved in the investigation said UNC5537 has focused on hacking into telecommunications companies around the world. Those sources told KrebsOnSecurity that Binns and Judische are suspected of stealing data from India’s largest state-run telecommunications firmBharat Sanchar Nigam Ltd (BNSL), and that the duo even bragged about being able to intercept or divert phone calls and text messages for a large portion of the population of India.
Judische appears to have outsourced the sale of databases from victim companies who refuse to pay, delegating some of that work to a cybercriminal who uses the nickname Kiberphant0m on multiple forums. In late May 2024, Kiberphant0m began advertising the sale of hundreds of gigabytes of data stolen from BSNL.
“Information is worth several million dollars but I’m selling for pretty cheap,” Kiberphant0m wrote of the BSNL data in a post on the English-language cybercrime community Breach Forums. “Negotiate a deal in Telegram.”
Also in May 2024, Kiberphant0m took to the Russian-language hacking forum XSS to sell more than 250 gigabytes of data stolen from an unnamed mobile telecom provider in Asia, including a database of all active customers and software allowing the sending of text messages to all customers.
On September 3, 2024, Kiberphant0m posted a sales thread on XSS titled “Selling American Telecom Access (100B+ Revenue).” Kiberphant0m’s asking price of $200,000 was apparently too high because they reposted the sales thread on Breach Forums a month later, with a headline that more clearly explained the data was stolen from Verizon‘s “push-to-talk” (PTT) customers — primarily U.S. government agencies and first responders.
404Media reported recently that the breach does not appear to impact the main consumer Verizon network. Rather, the hackers broke into a third party provider and stole data on Verizon’s PTT systems, which are a separate product marketed towards public sector agencies, enterprises, and small businesses to communicate internally.
INTERVIEW WITH JUDISCHE
Investigators say Moucka shared a home in Kitchener with other tenants, but not his family. His mother was born in Chechnya, and he speaks Russian in addition to French and English. Moucka’s father died of a drug overdose at age 26, when the defendant was roughly five years old.
A person claiming to be Judische began communicating with this author more than three months ago on Signal after KrebsOnSecurity started asking around about hacker nicknames previously used by Judische over the years.
Judische admitted to stealing and ransoming data from Snowflake customers, but he said he’s not interested in selling the information, and that others have done this with some of the data sets he stole.
“I’m not really someone that sells data unless it’s crypto [databases] or credit cards because they’re the only thing I can find buyers for that actually have money for the data,” Judische told KrebsOnSecurity. “The rest is just ransom.”
Judische has sent this reporter dozens of unsolicited and often profane messages from several different Signal accounts, all of which claimed to be an anonymous tipster sharing different identifying details for Judische. This appears to have been an elaborate effort by Judische to “detrace” his movements online and muddy the waters about his identity.
Judische frequently claimed he had unparalleled “opsec” or operational security, a term that refers to the ability to compartmentalize and obfuscate one’s tracks online. In an effort to show he was one step ahead of investigators, Judische shared information indicating someone had given him a Mandiant researcher’s assessment of who and where they thought he was. Mandiant says those were discussion points shared with select reporters in advance of the researcher’s recent talk at the LabsCon security conference.
But in a conversation with KrebsOnSecurity on October 26, Judische acknowledged it was likely that the authorities were closing in on him, and said he would seriously answer certain questions about his personal life.
“They’re coming after me for sure,” he said.
In several previous conversations, Judische referenced suffering from an unspecified personality disorder, and when pressed said he has a condition called “schizotypal personality disorder” (STPD).
According to the Cleveland Clinic, schizotypal personality disorder is marked by a consistent pattern of intense discomfort with relationships and social interactions: “People with STPD have unusual thoughts, speech and behaviors, which usually hinder their ability to form and maintain relationships.”
Judische said he was prescribed medication for his psychological issues, but that he doesn’t take his meds. Which might explain why he never leaves his home.
“I never go outside,” Judische allowed. “I’ve never had a friend or true relationship not online nor in person. I see people as vehicles to achieve my ends no matter how friendly I may seem on the surface, which you can see by how fast I discard people who are loyal or [that] I’ve known a long time.”
Judische later admitted he doesn’t have an official STPD diagnosis from a physician, but said he knows that he exhibits all the signs of someone with this condition.
“I can’t actually get diagnosed with that either,” Judische shared. “Most countries put you on lists and restrict you from certain things if you have it.”
Asked whether he has always lived at his current residence, Judische replied that he had to leave his hometown for his own safety.
“I can’t live safely where I’m from without getting robbed or arrested,” he said, without offering more details.
A source familiar with the investigation said Moucka previously lived in Quebec, which he allegedly fled after being charged with harassing others on the social network Discord.
Judische claims to have made at least $4 million in his Snowflake extortions. Judische said he and others frequently targeted business process outsourcing (BPO) companies, staffing firms that handle customer service for a wide range of organizations. They also went after managed service providers (MSPs) that oversee IT support and security for multiple companies, he claimed.
“Snowflake isn’t even the biggest BPO/MSP multi-company dataset on our networks, but what’s been exfiltrated from them is well over 100TB,” Judische bragged. “Only ones that don’t pay get disclosed (unless they disclose it themselves). A lot of them don’t even do their SEC filing and just pay us to fuck off.”
INTEL SECRETS
The other half of UNC5537 — 24-year-old John Erin Binns — was arrested in Turkey in late May 2024, and currently resides in a Turkish prison. However, it is unclear if Binns faces any immediate threat of extradition to the United States, where he is currently wanted on criminal hacking charges tied to the 2021 breach at T-Mobile.
A person familiar with the investigation said Binns’s application for Turkish citizenship was inexplicably approved after his incarceration, leading to speculation that Binns may have bought his way out of a sticky legal situation.
Under the Turkish constitution, a Turkish citizen cannot be extradited to a foreign state. Turkey has been criticized for its “golden passport” program, which provides citizenship and sanctuary for anyone willing to pay several hundred thousand dollars.
This is an image of a passport that Binns shared in one of many unsolicited emails to KrebsOnSecurity since 2021. Binns never explained why he sent this in Feb. 2023.
Binns’s alleged hacker alter egos — “IRDev” and “IntelSecrets” — were at once feared and revered on several cybercrime-focused Telegram communities, because he was known to possess a powerful weapon: A massive botnet. From reviewing the Telegram channels Binns frequented, we can see that others in those communities — including Judische — heavily relied on Binns and his botnet for a variety of cybercriminal purposes.
The IntelSecrets nickname corresponds to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted.
Since 2020, Binns has filed a flood of lawsuits naming various federal law enforcement officers and agencies — including the FBI, the CIA, and the U.S. Special Operations Command (PDF), demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.
Binns claims he was kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his detention and torture by the Turkish authorities.
However, in a 2020 lawsuit he filed against the CIA, Binns himself acknowledged having visited a previously ISIS-controlled area of Syria prior to moving to Turkey in 2017.
A segment of a lawsuit Binns filed in 2020 against the CIA, in which he alleges U.S. put him on a terror watch list after he traveled to Syria in 2017.
Sources familiar with the investigation told KrebsOnSecurity that Binns was so paranoid about possible surveillance on him by American and Turkish intelligence agencies that his erratic behavior and online communications actually brought about the very government snooping that he feared.
In several online chats in late 2023 on Discord, IRDev lamented being lured into a law enforcement sting operation after trying to buy a rocket launcher online. A person close to the investigation confirmed that at the beginning of 2023, IRDev began making earnest inquiries about how to purchase a Stinger, an American-made portable weapon that operates as an infrared surface-to-air missile.
Sources told KrebsOnSecurity Binns’ repeated efforts to purchase the projectile earned him multiple visits from the Turkish authorities, who were justifiably curious why he kept seeking to acquire such a powerful weapon.
WAIFU
A careful study of Judische’s postings on Telegram and Discord since 2019 shows this user is more widely known under the nickname “Waifu,” a moniker that corresponds to one of the more accomplished “SIM swappers” in the English-language cybercrime community over the years.
SIM swapping involves phishing, tricking or bribing mobile phone company employees for credentials needed to redirect a target’s mobile phone number to a device the attackers control — allowing thieves to intercept incoming text messages and phone calls.
Several SIM-swapping channels on Telegram maintain a frequently updated leaderboard of the 100 richest SIM-swappers, as well as the hacker handles associated with specific cybercrime groups (Waifu is ranked #24). That list has long included Waifu on a roster of hackers for a group that called itself “Beige.”
The term “Beige Group” came up in reporting on two stories published here in 2020. The first was in an August 2020 piece called Voice Phishers Targeting Corporate VPNs, which warned that the COVID-19 epidemic had brought a wave of targeted voice phishing attacks that tried to trick work-at-home employees into providing access to their employers’ networks. Frequent targets of the Beige group included employees at numerous top U.S. banks, ISPs, and mobile phone providers.
The second time Beige Group was mentioned by sources was in reporting on a breach at the domain registrar GoDaddy. In November 2020, intruders thought to be associated with the Beige Group tricked a GoDaddy employee into installing malicious software, and with that access they were able to redirect the web and email traffic for multiple cryptocurrency trading platforms. Other frequent targets of the Beige group included employees at numerous top U.S. banks, ISPs, and mobile phone providers.
Judische’s various Telegram identities have long claimed involvement in the 2020 GoDaddy breach, and he didn’t deny his alleged role when asked directly. Judische said he prefers voice phishing or “vishing” attacks that result in the target installing data-stealing malware, as opposed to tricking the user into entering their username, password and one-time code.
“Most of my ops involve malware [because] credential access burns too fast,” Judische explained.
CRACKDOWN ON HARM GROUPS?
The Telegram channels that the Judische/Waifu accounts frequented over the years show this user divided their time between posting in channels dedicated to financial cybercrime, and harassing and stalking others in harm communities like Leak Society and Court.
Both of these Telegram communities are known for victimizing children through coordinated online campaigns of extortion, doxing, swatting and harassment. People affiliated with harm groups like Court and Leak Society will often recruit new members by lurking on gaming platforms, social media sites and mobile applications that are popular with young people, including Discord, Minecraft, Roblox, Steam, Telegram, and Twitch.
“This type of offence usually starts with a direct message through gaming platforms and can move to more private chatrooms on other virtual platforms, typically one with video enabled features, where the conversation quickly becomes sexualized or violent,” warns a recent alert from the Royal Canadian Mounted Police (RCMP) about the rise of sextortion groups on social media channels.
“One of the tactics being used by these actors is sextortion, however, they are not using it to extract money or for sexual gratification,” the RCMP continued. “Instead they use it to further manipulate and control victims to produce more harmful and violent content as part of their ideological objectives and radicalization pathway.”
Some of the largest such known groups include those that go by the names 764, CVLT, Kaskar, 7997, 8884, 2992, 6996, 555, Slit Town, 545, 404, NMK, 303, and H3ll.
On the various cybercrime-oriented channels Judische frequented, he often lied about his or others’ involvement in various breaches. But Judische also at times shared nuggets of truth about his past, particularly when discussing the early history and membership of specific Telegram- and Discord-based cybercrime and harm groups.
Judische claimed in multiple chats, including on Leak Society and Court, that they were an early member of the Atomwaffen Division (AWD), a white supremacy group whose members are suspected of having committed multiple murders in the U.S. since 2017.
In 2019, KrebsOnSecurity exposed how a loose-knit group of neo-Nazis, some of whom were affiliated with AWD, had doxed and/or swatted nearly three dozen journalists at a range of media publications. Swatting involves communicating a false police report of a bomb threat or hostage situation and tricking authorities into sending a heavily armed police response to a targeted address.
Judsiche also told a fellow denizen of Court that years ago he was active in an older harm community called “RapeLash,” a truly vile Discord server known for attracting Atomwaffen members. A 2018 retrospective on RapeLash posted to the now defunct neo-Nazi forum Fascist Forge explains that RapeLash was awash in gory, violent images and child pornography.
A Fascist Forge member named “Huddy” recalled that RapeLash was the third incarnation of an extremist community also known as “FashWave,” short for Fascist Wave.
“I have no real knowledge of what happened with the intermediary phase known as ‘FashWave 2.0,’ but FashWave 3.0 houses multiple known Satanists and other degenerates connected with AWD, one of which got arrested on possession of child pornography charges, last I heard,” Huddy shared.
In June 2024, a Mandiant employee told Bloomberg that UNC5537 members have made death threats against cybersecurity experts investigating the hackers, and that in one case the group used artificial intelligence to create fake nude photos of a researcher to harass them.
Allison Nixon is chief research officer with the New York-based cybersecurity firm Unit 221B. Nixon is among several researchers who have faced harassment and specific threats of physical violence from Judische.
Nixon said Judische is likely to argue in court that his self-described psychological disorder(s) should somehow excuse his long career in cybercrime and in harming others.
“They ran a misinformation campaign in a sloppy attempt to cover up the hacking campaign,” Nixon said of Judische. “Coverups are an acknowledgment of guilt, which will undermine a mental illness defense in court. We expect that violent hackers from the [cybercrime community] will experience increasingly harsh sentences as the crackdown continues.”
5:34 p.m. ET: Updated story to include a clarification from Mandiant.
Author: Majoki Her fingers stinging, Salda felt the chill and vastness of the late spring runoff as she sat upon a large stone in the middle of the river. High above her in the mountains, that same frigid water was a torrent muscling rock and soil relentlessly to carve deep channels. Channels that converged, then […]
Since it's election day in the US, many people are thinking about counting today. We frequently discuss counting here, and how to do it wrong, so let's look at some code from RK.
This code may not be counting votes, but whatever it's counting, we're not going to enjoy it:
Now, this code is from a rather old application, originally released in 2007. So the comment about Excel's row limit really puts us in a moment in time- Excel 2007 raised the row limit to 1,000,000 rows. But older versions of Excel did cap out at 65,536. And it wasn't the case that everyone just up and switched to Excel 2007 when it came out- transitioning to the new Office file formats was a conversion which took years.
But we're not even reading an Excel file, we're reading a CSV.
I enjoy that we construct the name twice, because that's useful. But the real magic of this one is how we count the rows. Because while Excel can handle 65,536 rows at this time, I don't think this program is going to do a great job of it- because we read the entire file into memory with ReadToEnd, then Split on newlines, then count the length that way.
As you can imagine, in practice, this performed terribly on large files, of which there were many.
Unfortunately for RK, there's one rule about old, legacy code: don't touch it. So despite fixing this being a rather easy task, nobody is working on fixing it, because nobody wants to be the one who touched it last. Instead, management is promising to launch a greenfield replacement project any day now…
[Advertisement]
Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.
Just before the consequential US election (I am optimistic we can prevail over Putinism), my previous posting offered a compiled packet of jpegs and quick bullets to use if you still have a marginally approachable, residually sane neighbor or relative who is 'sanity curious.' A truly comprehensive compendium! From the under-appreciated superb economy to proved dangers of pollution. From Ukraine to proof of Trump's religion-fakery. From saving science to ...
... the biggest single sentence of them all... "Almost every single honest adult who served under Trump now denounces him." Now numbering hundreds.
Anyone able to ignore that central fact... that grownups who get to know Trump all despise him... truly is already a Kremlin boy.
== More sober reflections ==
Fareed Zakaria is by far the best pundit of our time - sharp, incisive, with well-balanced big-perspective. And yet, even he is myopic about what's going on.
Booming manufacturing and wages, record-low unemployment, the lowest inflation among industrial nations (now down to 2%), with democratic policies finally transferring money to the middle class, after 40 years of Supply Side ripoffs for the rich.
And yet, many in the working classes now despise the Rooseveltean coalition that gave them everything, and even many black & hispanic males flock to Trump's macho ravings.
Zakaria is spot-on saying it's no longer about economics - not when good times can be taken for granted. Rather, it's social and cultural, propelled by visceral loathing of urban, college educated 'elites' by those who remain blue-collar, rural and macho.
One result - amplified in media-masturbatory echo chambers and online Nuremberg Rallies - has been all-out war vs all fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.
Where Fareed gets it all wrong is in claiming this is something new!
Elsewhere I point out the same cultural divide has erupted across all EIGHT different phases of the American civil/cultural war, since 1778. Moreover, farmers and blue collar workers, etc. have been traumatized for a century, in one crucial way! As their brightest sons and daughters rushed off from high school graduation to city/university lights...
... and then came back (if they ever come back at all) changed.
It's been going on for 140 years. And the GI Bill after WWII accelerated it prodigiously.
I won't apologize for that... but I admit it's gotta hurt.
While sympathy is called-for, we need to recall that the recurring confederate fever is always puppetted by aristocrats - by King George, by slaver plantation lords, by gilded-age moguls, by inheritance brats and today's murder sheiks & Kremlin "ex"-commissars... and whenever the confederacy wins (as in 1830s, 1870s and 1920s in the United States and 1933 Germany) the results are stagnation and horror. And every "Union" victory (as in the 1770s, 1860s, 1940s, 1960s) is followed by both moral and palpable progress.
Trump has learned a lesson from his time in office. Never trust any adults or women and men of accomplishment and stature. He has said clearly he will never have another Kelly, Mattis, Mullen, Milley... or even partisan hacks with some pride, like Barr, Pence, etc... allowed anywhere near the Oval Office.
In fact, he wants many people in his potential administration who have criminal records and cannot get security clearances under present rules. He wants to have a private firm do background checks instead of the government and military security clearance process.
This should give a bunch of corrupt or blackmail-vulnerable criminals access to and control over our most critical and sensitive secrets.
And anyone can doubt any longer that he is a Kremlin agent?
== A final note of wisdom ==
Only one method has ever been found that can often (not always) discover, interrogate and refute lies and liars or hallucinators.**
That method has been accountability via free-speech-empowered adversarial rivalry. Almost all of our enlightenment institutions and accomplishments and freedoms rely upon it... Pericles and Adam Smith spoke of it and the U.S. Founders enshrined it...
...and the method is almost-never even remotely discussed in regards today's tsunamis of lies.
And even if things go super well in the Tuesday election, this basic truth must also shine light into the whole new problem/opportunity of Artificial Intelligence. (And I go into that elsewhere.)
It must... or we're still screwed.
---
** I openly invite adversarial refutation of this assertion.
------------------------------------------
------------------------------------------
Okay okay. You want prediction? I'll offer four scenarios:
1.Harris and dems win big. They must, for the “steal” yammer-lies to fade to nothing, except for maybe a few McVeigh eruptions. (God bless the FBI undercover guys!) In this scenario, everyone but Putin soon realizes things are already pretty good in the US and West and getting better... and the many of our Republican neighbors – waking up from this insane trance – shake off confederatism and get back to loyally standing up for both America and enterprise.
And perhaps the GOP will also shake away the heavily blackmail compromised portion of their upper castes and return to the pre-Hastert mission of negotiating sane conservative needs into a growing consensus.
2.Harris squeaks in. We face 6 months of frantic Trumpian shrieks and Project 2025 ploys and desperate Kremlin plots and a tsunami of McVeighs. (Again: God bless the FBI undercover guys!) In this case, I will have a dozen ideas to present next week, to staunch the vile schemes of the Project 2025ers.
In this case there will be confederate cries of "Secession!" over nothing real, as they had no real cause in 1861. We must answer "Okay fine this time. Off you go! Only we keep all military bases and especially we keep all of your blue cities (linking them with high speed rail), cities who get to secede from YOU! Sell us beef and oil, till we make both obsolete! And you beg to be let back in. Meanwhile, your brighter sons and daughters will still come over - with scholarships. So go in peace and God bless."
3.Trump squeaks in and begins his reign of terror. We brace ourselves for the purge of all fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror. And within 6 months you will hear two words that I am speaking here for the 1st time:
GENERAL STRIKE.
A legal and mammoth job action by those who actually know stuff and how to do stuff. At which point then watch how redders realize how much they daily rely on our competence. And how quickly the oligarchs act to remove Trump, either through accelerating senility, or bribed retirement or... the Howard Beale scenario. At which point then Peter Thiel (briefly) owns America. It's Putin's dream outcome as the USA betrays Ukraine and Europe and the future... and tears itself apart. But no matter how painful, remember, we've recovered before. And we'll remember that you did this, Vlad and Peter. And those who empowered them.
Oh, yes and this. Idiot believers in THE FOURTH TURNING will get their transformative 'crisis' that never had to happen and that they artificially caused (and we'll remember.) Above all, the Gen-Z 'hero generation' will know this. And you cultists will not like them, when they're mad.
4. Trump landslide. Ain’t gonna happen. For one thing because Putin knows he won’t benefit if Trump is so empowered that he's freed from all puppet strings and blackmail threats. At which point Putin will suddenly realize he’s lost control - the way the German Junkers caste lords lost control in 1933, as portrayed at the end of CABARET.
Still confused why Putin wouldn't want this? Watch Angela Lansbury’s chilling soliloquy near the end of THE MANCHURIAN CANDIDATE. This outcome is the one Putin should most fear.
By comparison, Kamala would likely let Vlad live. But a fully empowered Trump will erase Putin,-- along with every other oligarch who ever commanded or extorted or humiliated him - like those depicted below. And the grease stains will smolder.
Swamped with patent disclosures, podcasts and the Great Big AI Panic of 2024. And just learned the H1N5 bird flu may be nastier soon! (😟check your supplies.) Also, I appear to be more optimistic than most... and most of you have voted already.
Still, I gotta do what I can, offering you some final, concise leverage. Not for your hopeless MAGA-Putinist uncle. But maybe his worried wife, your residually-sane aunt.
Two Defense Secretaries. Two chiefs of staff. His Attorney General. His National Security Advisor & Secretary of State. His domestic policy head. Chair of the Joint Chiefs. Two communications directors. His Vice President plus 250 more.
Make your MAGA see this jpeg! ==>
All of them were HIS choices. Whom he called "Great Guys!"... who are now denouncing him as a horror-calamity and lethal stooge of foreign enemies.
At minimum, he's a terrible judge of character! (Who fell 'in love' with Kim Jong Un.)
But don't worry. In Trump II he's promised there will be no adults at all.
Examples: James Mattis, Marine General(ret), Trump’s 1st DefenseSecretary:“Donald Trump is the first president in my life who didn't even pretend to try to unite the American people. He tries to divide us.�
Mark Esper, Trump’s 2nd DefenseSecretary:“I believe he is a threat to democracy.�
John Kelly, Marine General(ret), Trump’s 2nd White House Chief of Staff:“He often said‘Hitler did good things, too.’�
Ask Joint Chiefs Chair Mark Milley +Admiral McRaven +250 other officers!
Ask nearly all scientists.
Ask counter insurgency experts about “ex� commissar Putin’s long puppet strings.
But Don does have friends!
Here they are!==>
Have your MAGA zoom in and explain this.
== But... but isn't Trump the agent of God? ==
Such a Christian! Though if he ever willingly chose church over golf, no one has seen it. Here's one time he had to show up. And this one image says it all.
There's a hilarious and sad video of him mouthing-along while trying to recite the famous and well-known 23rd Psalm with worshippers and giving up after "He leadeth me.." Too lazy even to memorize a couple of passages for show, he still after all these years, refuses to name a favorite passage.
"It's too personal." Riiiiight.
But then... some evangelicals can see all that! So they switch to the "Cyrus" argument. Like the King of the Medes who freed the people of Judah from Babylon, Trump is a 'righteous gentile!' A pagan who serves God by actions & deeds!
(How? By destroying America and democracy and serving Moscow? But we'll get to that.)
Huh. Some servant of God. The most opposite-to-Jesus human any of us ever saw typifies every Deadly Sin!(Have your MAGA recite them aloud and NOT see Trump as the archetype!)
Look, I don't credit the Book of Revelation. (Though all of you should know it! See the comic book version Apocamon; I mean it. You truly need to see what some of your neighbors wish and plan for you!)
Still, there is a recurring character in that nightmare tome who DT resembles. I'm not talking about the Lamb of God. The character's name starts with "auntie" or "the Anti --" and Trump fits every described characteristic. To a T.
== Is it the Economy, Stupid? ==
A problem with good times... folks soon take it for granted. Unemployment was the big issue.
But after clawing our way out of the Covid Recession and Supply Chain inflation (nearly all economists blame Trump for worsening those) the 2021 stimulus bills worked!
Infrastructure - bridges etc. - are being fixed! Unemployment has stayed at the lowest level since the early 60s. We're in the best US economy since WWII.
Inflation? What? Ask your MAGA to step up NOW with wager stakes and bet which two nations have had the LOWEST inflation in the Industrial world for 3 years!
(Hint, it's the US and Japan.)
Then why so grumpy? Because Fox rants at fools to enjoy sanctimonious grumpiness! It's more fun than accepting the truth... that you are mesmerized by an echo chamber and Nuremberg Rally, with one central goal...
... to hate facts and fact professions & the damn, dry statistics.
But let's make it a wager. Assert the following and demand your MAGAs step up (like men) with cash stakes on the table:
EVERY Democratic Administration was more fiscally responsible regarding debt and deficits than EVERY Republican administration.
In fact, most Democratic administrations had by far better economic outcomes across the board, for everyone except oligarchs and inheritance brats, who ALWAYS do vastly better under the GOP. Demand wagers!
But this is the biggie. The USA is undergoing the greatest boom in MANUFACTURING since the Second World War.
That is unambiguous. Democrats did it.
== Climate Change ==
Nothing better illustrates the agenda of the GOP masters than fostering all-out war vs ALL fact using professions, from science, teaching, medicine, law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.
"Hate the FBI!" is the most amazing and dangerous in the near term, but the anti-science campaign is core, over the long run.
Dig it. They're not attacking science in order to make $$ by delaying action on climate disaster. It's the reverse. They use climate denialism as one of many tools to attack all scientists and undermine trust in science.
Why? Oligarchs can't restore 6000 years of insipid feudalism til they castrate all fact professions. But more on that elsewhere.
The crisis over our endangered EARTH is a vast subject! But this posting is about last minute, punchy capsules. So use this: Foxites flee in panic when you mention OCEAN ACIDIFICATION, which is unambiguously killing the seas our children will need and can only be caused by CO2 pollution. How they run from those two words.
Alas, instead of giving credit to the genius meteorologists who now predict hurricane paths within a few miles FIVE DAYS in advance, jibberers yammer: "They cause hurricanes!"
WHO is 'they?' No, never mind that. You said it when earthquakes hit California. Recognize God's wrath when you feel it...
== Ukraine and NATO and Putin ==
Seriously? Who do you think Ronald Reagan would side with? The barely changed Kremlin and relabeled KGB, run by "ex" commissars who all grew up reciting Leninist catechisms? Who are now re-nationalizing all Russian businesses, crushing dissent and rebuilding the USSR?
Um, can anyone with a trace of fairness in their hearts not root for and support the attacked Ukrainian underdogs? And say "Damn Putin and his fellow tyrants!"
Dig it: NATO is now stronger than ever since 1946! Putin is fighting for his own murderous, richest-man-in-the-world life, desperate to get Trump into the Oval Office. It's his one hope.
LOOK at Trump's pals! At the expressions on their faces. Zoom in.
Can any of your neighbors who support Putin call anyone ELSE a 'commie'?
== Memory Lane ==
And wager NOW over the different death rates of the vaccinated vs. the un-vaccinated. Death rates are simple. Even the reddest state suppies stats on that. And there's no ambiguity at all. Fox is trying to kill you.
== Immigration ==
But what about immigration? Well, surprise? I'll sorta half give you that one!
It's a vexing problem and the farthest left has not been helpful. They refuse to see how Putin and other tyrants have herded poor refugees into Europe and America, knowing it will push potitics in those countries to the right. And it has even worked on U.S. Hispanics, who poll overwhelmingly wanting tighter borders.
Look, you may not like facing it, but Putin's strategy here has worked! And if you lefties want the power to do good, YOU are gonna have to prioritize. Compromise.
But this is not a Bill Maher screed aimed at woke-ist betrayals of the only coalition that can save the world. Later.
It is about far-worse MAGA lunacy. And what could be more lunatic than Trump ordering the GOP - last January - to torpedo the Immigration Bill they had just finished negotiating!
That bill would have majorly increased the Border Patrol, plus internal tracking of refugee claimants and would have built more wall by now than the entire Trump presidency!
Now why would he do that? Simple. Going back generations before Trump & Putin took over the Republican Party, the GOP's master oligarchs loved cheap labor!
You just think about that now.
P.S. If a time comes when Republicans reject the madness and corruption that skyrocketed in the GOP since Dennis 'friend to boys" Hastert, and choose instead to return to political negotiation, moderate dems will race to work out incremental steps to mix pragmatic border security with helping refugees return safely to their improved home countries... with living by the American tradition (and biblical injunction) of kindness to legitimate newcomers.
== Again - the most-effective single sentence is... ==
"ALL of the honest adults who served under Trump now denounce him."
Earlier I showed former Trumpists who were admirable to some degree, and now denounce him. Now gaze at some more! Though some of these weren't quite as admirable as the 1st bunch. ==>
Still, these guys at least want the USA to survive! If only because it's where they keep their best stuff. Hypocrites some of them? I prefer the first set! Still, we need all the help...
On the other hand, THIS is a Republican we can all respect! (below):
== So what about fascism? ==
Seriously? This is an issue?
My Dad beat up f--ng Nazis in Chicago in the 1930s, when they marched both for Hitler and for the spectacularly misnamed "America First." I know f--ng Nazis when I see em! And even if Trump isn't one by strict definition*...
... all the current American Nazis think he is! And they love him.
I notoriously demand WAGERS over all the lies! e.g. ANY randomly chosen 5 minute segment of any Trump speech! Put it before a randomly-chosen panel of low-political retired, senior military officers!
I have a long list (dropped into comments*) of wager challenges. And not one MAGA in ten years has ever had the manly guts or confidence to step up with $$$ atty-escrowed stakes. Not one, ever. Weenie no-cojone cowards.
But let's start with Trump's endless promises to prove Obama was born in Kenya, or the mythical promise of a "Great Health Plan to replace Obamacare! I'll unveil it next week!" And then the next week and the next, for year after year after year...
...and MAGAs never ask "Um, well?"
Or releasing "My great financials!" Or "I'll proudly release my tax returns when the IRS is done auditing!" Except the audits were a myth! Or his college transcripts. Or the bone spur xrays. Or the fecal spew of lies during covid.
What we DO have is at least 20 copies of the Honolulu Advertiser from 1962 that folks have found in attics and garages all over Hawaii, with a birth announcement for Barack Obama. But any retraction or shame from ol' Two Scoops? Never.
There's a reason...
<==Declassify the "we fell in love!" notes from Kim!
Then there's the biggest damn lie of them all...
== And heck, let's give you some more! ==
Do I have an ulterior motive, in dumping upon you this tsunami of jpegs? I mean other than hoping that a few of you will use them to help save the nation and world?
Hey I am over 70 and pushing 'clippings' at the young is what we farts do! ;-0
But still... I am angry at MAGA crapheads dumping on Tim Walz, a 25 year veteran who trained hundreds of young troops with patience that made him beloved... as with 20 years of high school civics students... and the teams he coached to state championships... and so much more.(The Putin servants searched for ONE former student they could bribe to denounce Walz; even one.)
A command sergeant major whose shoes you lying bastards aren't fit to...
Like this good man who served and still does ==>
(Calm David. You promised 'malice toward none..." Sure, after we save America in this 8th phase of the recurring civil war.)
In contrast to real men... we have this cringing, face-painted carnival barker... zoom in!
The colors are un-altered.
== Miscellaneous Adds! ==
Okay I'll conclude by dumping in a few more. Use whatever you like! MAKE the redeemable/reachable... if you know any... zoom in and see and then snap out of the trance!
...and a few may even hear the call of Lincoln, Eisenhower and Teddy Roosevelt and even Reagan... realizing they must help rescue the Republican Party from treasonous madness. (LOOK below.)
And remember, Dems ALWAYS do better vs deficits and with almost every economic indicator...
Finally, Here's my biggest effort at supplying political tactics that might have ended this phase of the US Civil War decisively, in 2020, instead of merely getting a Gettysburg - vital(!) but requiring us to keep fighting the same monster. May this year be Appomattox! Followed by "Malice toward none and charity for all..."
...and an America that leads a consensus-wiser world toward freedom, hope, and the stars.
......... And in the words of Tiny Tim... God bless us, one and all...
================
================
Oh, I oughta give originator credit lines for every single one of these jpegs! It's a modern problem. Almost none of the postings I took them from had credits, either! This is one thing I expect AI to solve and soon. May they be Machines of Loving Grace.
In September of this year, I visited Kenya to attend the State of the Map conference. I spent six nights in Nairobi, two nights in Mombasa, and one night on a train. I was very happy with the visa process being smooth and quick. Furthermore, I stayed at the Nairobi Transit Hotel with other attendees, with Ibtehal from Bangladesh as my roommate. One of the memorable moments was the time I spent at a local coffee shop nearby. We used to go there at midnight, despite the grating in the shops suggesting such adventures were unsafe. Fortunately, nothing bad happened, and we were rewarded with a fun time with the locals.
The coffee shop Ibtehal and me used to visit during the midnight
Grating at a chemist shop in Mombasa, Kenya
The country lies on the equator, which might give the impression of extremely hot temperatures. However, Nairobi was on the cooler side (10–25 degrees Celsius), and I found myself needing a hoodie, which I bought the next day. It also served as a nice souvenir, as it had an outline of the African map printed on it.
I bought a Safaricom SIM card for 100 shillings and recharged it with 1000 shillings for 8 GB internet with 5G speeds and 400 minutes talk time.
A visit to Nairobi’s Historic Cricket Ground
On this trip, I got a unique souvenir that can’t be purchased from the market—a cricket jersey worn in an ODI match by a player. The story goes as follows: I was roaming around the market with my friend Benson from Nairobi to buy a Kenyan cricket jersey for myself, but we couldn’t find any. So, Benson had the idea of visiting the Nairobi Gymkhana Club, which used to be Kenya’s main cricket ground. It has hosted some historic matches, including the 2003 World Cup match in which Kenya beat the mighty Sri Lankans and the record for the fastest ODI century by Shahid Afridi in just 37 balls in 1996.
Although entry to the club was exclusively for members, I was warmly welcomed by the staff. Upon reaching the cricket ground, I met some Indian players who played in Kenyan leagues, as well as Lucas Oluoch and Dominic Wesonga, who have represented Kenya in ODIs. When I expressed interest in getting a jersey, Dominic agreed to send me pictures of his jersey. I liked his jersey and collected it from him. I gave him 2000 shillings, an amount suggested by those Indian players.
Me with players at the Nairobi Gymkhana Club
Cricket pitch at the Nairobi Gymkhana Club
A view of the cricket ground inside the Nairobi Gymkhana Club
Scoreboard at the Nairobi Gymkhana cricket ground
Giraffe Center in Nairobi
Kenya is known for its safaris and has no shortage of national parks. In fact, Nairobi is the only capital in the world with a national park. I decided not to visit a national park, as most of them were expensive and offered multi-day tours, and I didn’t want to spend that much time in the wildlife.
Instead, I went to the Giraffe Center in Nairobi with Pragya and Rabina. The ticket cost 1500 Kenyan shillings (1000 Indian rupees). In Kenya, matatus - shared vans, usually decorated with portraits of famous people and play rap songs - are the most popular means of public transport. Reaching the Giraffe Center from our hotel required taking five matatus, which cost a total of 150 shillings, and a 2 km walk. The journey back was 90 shillings, suggesting that we didn’t find the most efficient route to get there. At the Giraffe Center, we fed giraffes and took photos.
A matatu with a Notorious BIG portrait.
Inside the Giraffe Center
Train ride from Nairobi to Mombasa
I took a train from Nairobi to Mombasa. The train is known as the “SGR Train,” where “SGR” refers to “Standard Gauge Railway.” The journey was around 500 km. M-Pesa was the only way to make payment for pre-booking the train ticket, and I didn’t have an M-Pesa account. Pragya’s friend Mary helped facilitate the payment. I booked a second-class ticket, which cost 1500 shillings (1000 Indian rupees).
The train was scheduled to depart from Nairobi at 08:00 hours in the morning and arrive in Mombasa at 14:00 hours. The security check at the station required scanning our bags and having them sniffed by sniffer dogs. I also fell victim to a scam by a security official who offered to help me get my ticket printed, only to later ask me to get him some coffee, which I politely declined.
Before boarding the train, I was treated to some stunning views at the Nairobi Terminus station. It was a seating train, but I wished it were a sleeper train, as I was sleep-deprived. The train was neat and clean, with good toilets. The train reached Mombasa on time at around 14:00 hours.
SGR train at Nairobi Terminus.
Interior of the SGR train
Arrival in Mombasa
Mombasa Terminus station.
Mombasa was a bit hotter than Nairobi, with temperatures reaching around 30 degrees Celsius. However, that’s not too hot for me, as I am used to higher temperatures in India. I had booked a hostel in the Old Town and was searching for a hitchhike from the Mombasa Terminus station. After trying for more than half an hour, I took a matatu that dropped me 3 km from my hostel for 200 shillings (140 Indian rupees). I tried to hitchhike again but couldn’t find a ride.
I think I know why I couldn’t get a ride in both the cases. In the first case, the Mombasa Terminus was in an isolated place, so most of the vehicles were taxis or matatus while any noncommercial cars were there to pick up friends and family. If the station were in the middle of the city, there would be many more car/truck drivers passing by, thus increasing my possibilities of getting a ride. In the second case, my hostel was at the end of the city, and nobody was going towards that side. In fact, many drivers told me they would love to give me a ride, but they were going in some other direction.
Finally, I took a tuktuk for 70 shillings to reach my hostel, Tulia Backpackers. It was 11 USD (1400 shillings) for one night. The balcony gave a nice view of the Indian Ocean. The rooms had fans, but there was no air conditioning. Each bed also had mosquito nets. The place was walking distance of the famous Fort Jesus. Mombasa has had more Islamic influence compared to Nairobi and also has many Hindu temples.
The balcony at Tulia Backpackers Hostel had a nice view of the ocean.
A room inside the hostel with fans and mosquito nets on the beds
Visiting White Sandy Beaches and Getting a Hitchhike
Visiting Nyali beach marked my first time ever at a white sand beach. It was like 10 km from the hostel. The next day, I visited Diani Beach, which was 30 km from the hostel. Going to Diani Beach required crossing a river, for which there’s a free ferry service every few minutes, followed by taking a matatu to Ukunda and then a tuk-tuk to Diani Beach. This gave me an opportunity to see the beautiful countryside during the ride.
Nyali beach is a white sand beach
This is the ferry service for crossing the river.
During my return from Diani Beach to the hostel, I was successful in hitchhiking. However, it was only a 4 km ride and not sufficient to reach Ukunda, so I tried to get another ride. When a truck stopped for me, I asked for a ride to Ukunda. Later, I learned that they were going in the same direction as me, so I got off within walking distance from my hostel. The ride was around 30 km. I also learned the difference between a truck ride and a matatu or car ride. For instance, matatus and cars are much faster and cooler due to air conditioning, while trucks tend to be warmer because they lack it. Further, the truck was stopped at many checkpoints by the police for inspections as it carried goods, which is not the case with matatus. Anyways, it was a nice experience, and I am grateful for the ride. I had a nice conversation with the truck drivers about Indian movies and my experiences in Kenya.
Diani beach is a popular beach in Kenya. It is a white sand beach.
Selfie with truck drivers who gave me the free ride
Back to Nairobi
I took the SGR train from Mombasa back to Nairobi. This time I took the night train, which departs at 22:00 hours, reaching Nairobi at around 04:00 in the morning. I could not sleep comfortably since the train only had seater seats.
I had booked the Zarita Hotel in Nairobi and had already confirmed if they allowed early morning check-in. Usually, hotels have a fixed checkout time, say 11:00 in the morning, and you are not allowed to stay beyond that regardless of the time you checked in. But this hotel checked me in for 24 hours. Here, I paid in US dollars, and the cost was 12 USD.
Almost Got Stuck in Kenya
Two days before my scheduled flight from Nairobi back to India, I heard the news that the airports in Kenya were closed due to the strikes. Rabina and Pragya had their flight back to Nepal canceled that day, which left them stuck in Nairobi for two additional days. I called Sahil in India and found out during the conversation that the strike was called off in the evening. It was a big relief for me, and I was fortunate to be able to fly back to India without any changes to my plans.
Newspapers at a stand in Kenya covering news on the airport closure
Experience with locals
I had no problems communicating with Kenyans, as everyone I met knew English to an extent that could easily surpass that of big cities in India. Additionally, I learned a few words from Kenya’s most popular local language, Swahili, such as “Asante,” meaning “thank you,” “Jambo” for “hello,” and “Karibu” for “welcome.” Knowing a few words in the local language went a long way.
I am not sure what’s up with haggling in Kenya. It wasn’t easy to bring the price of souvenirs down. I bought a fridge magnet for 200 shillings, which was the quoted price. On the other hand, it was much easier to bargain with taxis/tuktuks/motorbikes.
I stayed at three hotels/hostels in Kenya. None of them had air conditioners. Two of the places were in Nairobi, and they didn’t even have fans in the rooms, while the one in Mombasa had only fans. All of them had good Wi-Fi, except Tulia where the internet overall was a bit shaky.
My experience with the hotel staff was great. For instance, we requested that the Nairobi Transit Hotel cancel the included breakfast in order to reduce the room costs, but later realized that it was not a good idea. The hotel allowed us to revert and even offered one of our missing breakfasts during dinner.
The staff at Tulia Backpackers in Mombasa facilitated the ticket payment for my train from Mombasa to Nairobi. One of the staff members also gave me a lift to the place where I could catch a matatu to Nyali Beach. They even added an extra tea bag to my tea when I requested it to be stronger.
Food
At the Nairobi Transit Hotel, a Spanish omelet with tea was served for breakfast. I noticed that Spanish omelette appeared on the menus of many restaurants, suggesting that it is popular in Kenya. This was my first time having this dish. The milk tea in Kenya, referred to by locals as “white tea,” is lighter than Indian tea (they don’t put a lot of tea leaves).
Spanish Omelette served in breakfast at Nairobi Transit Hotel
I also sampled ugali with eggs. In Mombasa, I visited an Indian restaurant called New Chetna and had a buffet thali there twice.
Ugali with eggs.
Tips for Exchanging Money
In Kenya, I exchanged my money at forex shops a couple of times. I received good exchange rates for bills larger than 50 USD. For instance, 1 USD on xe.com was 129 shillings, and I got 128.3 shillings per USD (a total of 12,830 shillings) for two 50 USD notes at an exchange in Nairobi, compared to 127 shillings, which was the highest rate at the banks. On the other hand, for each 1 USD note, I would have received an exchange rate of 125 shillings. A passport was the only document required for the exchange, and they also provided a receipt.
A good piece of advice for travelers is to keep 50 USD or larger bills for exchanging into the local currency while saving the smaller US dollar bills for accommodation, as many hotels and hostels accept payment in US dollars.
Missed Malindi and Lamu
There were more places on my to-visit list in Kenya. But I simply didn’t have time to cover them, as I don’t like rushing through places, especially in a foreign country where there is a chance of me underestimating the amount of time it takes during transit. I would have liked to visit at least one of Kilifi, Watamu or Malindi beaches. Further, Lamu seemed like a unique place to visit as it has no cars or motorized transport; the only options for transport are boats and donkeys.
This results in a permanent diff because the Google CloudDNS API seems to parse the
record content, and stores the ipv6hint expanded (removing the :: notation) and in all
lowercase as 2001:db8:0:0:0:0:0:1. Thus to fix the permanent diff we've to use it like
this:
For years, Victoria had a co-worker who "programmed by Google Search"; they didn't understand how anything worked, they simply plugged their problem into Google search and then copy/pasted and edited until they got code that worked. For this developer, I'm sure ChatGPT has been a godsend, but this code predates its wide use. It's pure "Googlesauce".
StringBufferstringBuffer=newStringBuffer();
stringBuffer.append("SELECT * FROM TABLE1 WHERE COLUMN1 = 1 WITH UR");
StringsqlStr= stringBuffer.toString();
ps = getConnection().prepareStatement(sqlStr);
ps.setInt(1, code);
rs = ps.executeQuery();
while (rs.next())
{
count++;
}
The core of this WTF isn't anything special- instead of running a SELECT COUNT they run a SELECT and then loop over the results to get the count. But it's all the little details in here which make it fun.
They start by using a StringBuffer to construct their query- not a horrible plan when the query is long, but this is just a single, simple, one-line query. The query contains a WITH clause, but it's in the wrong spot. Then they prepareStatement it, which does nothing, since this query doesn't contain any parameters (and also, isn't syntactically valid). Once it's prepared, they set the non-existent parameter 1 to a value- this operation will throw an exception because there are no parameters in the query.
Finally, they loop across the results to count.
The real WTF is that this code ended up in the code base, somehow. The developer said, "Yes, this seems good, I'll check in this non-functional blob that I definitely don't understand," and then there were no protections in place to keep that from happening. Now it falls to more competent developers, like Victoria, to clean up after this co-worker.
[Advertisement]
Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Author: Julian Miles, Staff Writer The screen turns to flickering white lines behind a ‘Connecting…’ prompt. I find myself smiling and look up at the night sky. What do the natives call that constellation? Sarg something. Sarga Nol? Bigger… ‘Sarghalor Noghath’! Yes. Conceptual translation gives us ‘The noghath watches’. Neither the indigens nor us have […]
As long as I'm getting things on the record (while I still can without too much fear of reprisal) I want to endorse a video by Legal Eagle that lays out the case against voting for Donald Trump in 18 minutes of some of the best video commentary I've ever seen. It's well worth watching, and encouraging others to watch, but just in case you don't want to invest the time and would rather read,
Since WFDF changed their ultimate rules web site
to be less-than-ideal (in the name of putting everything into Wordpress…),
I made my own, at urules.org. It was a fun
journey; I've never fiddled with PWAs
before, and I was a bit surprised how low-level it all was. I assumed that
since my page is just a bunch of HTML files and ~100 lines of JS, I could
just bundle that up—but no, that is something they expect a framework to do
for you.
The only primitive you get is seemingly that you can fire up your own
background service worker (JS running in its own, locked-down context)
and that gets to peek at every HTTP request done and possibly intercept it.
So you can use a Web Cache
(seemingly a separate concept from web local storage?), insert stuff into
that, and then query it to intercept requests. It doesn't feel very elegant,
perhaps?
It is a bit neat that I can use this to make my own bundling, though.
All the pages and images (painfully converted to SVG to save space and
re-flow for mobile screens, mostly by simply drawing over bitmaps by hand
in Inkscape) are stuck into a JSON dictionary, compressed using the slowest
compressor I could find and then downloaded as a single 159 kB bundle.
It makes the site actually sort of weird to navigate; since it pretty quickly
downloads the bundle in the background, everything goes offline and the
speed of loading new pages just feels… off somehow. As if it's not a
Serious Web Page if there's no load time.
Of course, this also means that I couldn't cache PNGs, because have you ever
tried to have non-UTF-8 data in a JSON sent through N layers of JavaScript? :-)
Another short status update of what happened on my side last month. Besides a phosh bugfix release improving text input and selection
was a prevalent pattern again resulting in improvements in the compositor, the OSK and some apps.
Consistent focus style on lock screen and settings (MR). Improves the visual appearance
as the dotted focus frame doesn't match our otherwise colored focus frames
Don't focus buttons in settings (MR). Improves the visual appearance as
attention isn't drawn to the button focus.
Close Phosh's settings when activating a Settings panel (MR)
Collect some of the QCom workarounds in a package (MR). This is not meant to go into Debian proper but it's nicer than doing all the mods by hand and forgetting which files were modified.
Don't take focus when sending messages, adding emojis or attachments (MR). Makes typing faster (as the OSK
won't hide) and thus using those buttons easier
xdg-desktop-portal
Use categories that work for both xdg-spec and the portal (MR)
Reviews
This is not code by me but reviews on other peoples code. The list is
fairly incomplete, hope to improve on this in the upcoming months:
If you want to support my work see donations. This includes
a list of hardware we want to improve support for. Thanks a lot to all current and past donors.
Author: Beck Dacus One half of the sky brimmed with stars, the Sun at one light-week’s distance barely outshining the rest. The other half was utterly dark, as if the universe ended at a sheer cliff. As I approached the blackness, detail started to emerge, my headlamp casting shadows on icy gravel the color of […]
A hot-fix release 1.0.13-1, consisting of two small PRs relative to
the last regular CRAN release
1.0.13,
just arrived on CRAN. When we
prepared 1.0.13,
we included a change related to the ‘tightening’ of the C API of R
itself. Sadly, we pinned an expected change to ‘comes with next (minor)
release 4.4.2’ rather than now ‘next (normal aka major) release 4.5.0’.
And now that R 4.4.2 is out (as of two days ago) we accidentally broke
building against the header file with that check. Whoops. Bugs happen,
and we are truly sorry—but this is now addressed in 1.0.13-1.
The normal (bi-annual) release cycle will resume with 1.0.14 slated
for January. As you can see from the NEWS
file of the development branch, we have a number of changes coming.
You can safely access that release candidate version, either off the
default branch at github or via r-universe artifacts.
The list below details all changes, as usual. The only other change
concerns the now-mandatory use of Authors@R.
Changes in
Rcpp release version 1.0.13-1 (2024-11-01)
Changes in Rcpp API:
Use read-only VECTOR_PTR and STRING_PTR
only with with R 4.5.0 or later (Kevin in #1342 fixing #1341)
Changes in Rcpp Deployment:
Authors@R is now used in DESCRIPTION as mandated by CRAN
Two months ago I bought a Thinkpad X1 Yoga Gen3 [1]. I’m still very happy with it, the screen is a great improvement over the FullHD screen on my previous Thinkpad. I have yet to discover what’s the best resolution to have on a laptop if price isn’t an issue, but it’s at least 1440p for a 14″ display, that’s 210DPI. The latest Thinkpad X1 Yoga is the 7th gen and has up to 3840*2400 resolution on the internal display for 323DPI. Apple apparently uses the term “Retina Display” to mean something in the range of 250DPI to 300DPI, so my current laptop is below “Retina” while the most expensive new Thinkpads are above it.
I did some tests on external displays and found that this Thinkpad along with a Dell Latitude of the same form factor and about the same age can only handle one 4K display on a Thunderbolt dock and one on HDMI. On Reddit u/Carlioso1234 pointed out this specs page which says it supports a maximum of 3 displays including the built in TFT [2]. The Thunderbolt/USB-C connection has a maximum resolution of 5120*2880 and the HDMI port has a maximum of 4K. The latest Yoga can support four displays total which means 2*5K over Thunderbolt and one 4K over HDMI. It would be nice if someone made a 8000*2880 ultrawide display that looked like 2*5K displays when connected via Thunderbolt. It would also be nice if someone made a 32″ 5K display, currently they all seem to be 27″ and I’ve found that even for 4K resolution 32″ is better than 27″.
With the typical configuration of Linux and the BIOS the Yoga Gen3 will have it’s touch screen stop working after suspend. I have confirmed this for stylus use but as the finger-touch functionality is broken I couldn’t confirm that. On r/thinkpad u/p9k told me how to fix this problem [3]. I had to set the BIOS to Win 10 Sleep aka Hybrid sleep and then put the following in /etc/systemd/system/thinkpad-wakeup-config.service :
Now it works fine, for stylus at least. I still get kernel error messages like the following which don’t seem to cause problems:
wacom 0003:056A:5146.0005: wacom_idleprox_timeout: tool appears to be hung in-prox. forcing it out.
When it wasn’t working I got the above but also kernel error messages like:
wacom 0003:056A:5146.0005: wacom_wac_queue_insert: kfifo has filled, starting to drop events
This change affected the way suspend etc operate. Now when I connect the laptop to power it will leave suspend mode. I’ve configured KDE to suspend when the lid is closed and there’s no monitor connected.
MrWhosTheBoss made a good YouTube video reviewing recent Huawei products [2]. At 2:50 in that video he shows how you can link a phone and tablet, control one from the other, drag and drop of running apps and files between phone and tablet, mirror the screen between devices, etc. He describes playing a video on one device and having it appear on the other, I hope that it actually launches a new instance of the player app as the Google Chromecast failed in the market due to remote display being laggy. At 7:30 in that video he starts talking about the features that are available when you have multiple Huawei devices, starting with the ability to move a Bluetooth pairing for earphones to a different device.
At 16:25 he shows what Huawei is doing to get apps going including allowing apk files to be downloaded and creating what they call “Quick Apps” which are instances of a web browser configured to just use one web site and make it look like a discrete app, we need something like this for FOSS phone distributions – does anyone know of a browser that’s good for it?
Another thing that we need is to have an easy way of transferring open web pages between systems. Chrome allows sending pages between systems but it’s proprietary, limited to Chrome only, and also takes an unreasonable amount of time. KDEConnect allows sharing clipboard contents which can be used to send URLs that can then be pasted into a browser, but the process of copy URL, send via KDEConnect, and paste into other device is unreasonably slow. The design of Chrome with a “Send to your devices” menu option from the tab bar is OK. But ideally we need a “Send to device” for all tabs of a window as well, we need it to run from free software and support using your own server not someone else’s server (AKA “the cloud”). Some of the KDEConnect functionality but using a server rather than direct connection over the same Wifi network (or LAN if bridged to Wifi) would be good.
Author: J. Scott King “Can he continue?” A familiar voice, distant, urgent. And nearer, “The Seconds are conferring, Captain.” Then, more urgently, “Come no closer, sir! Resseaux, control your man!” A gruff, mumbled reply I can’t make out. “I’ll have him done!” That first fellow again… Captain Eddings. Right. Yes, that’s the one. Never liked […]
I recently had someone describe a Mac Mini as a “workstation”, which I strongly disagree with. The Wikipedia page for Workstation [1] says that it’s a type of computer designed for scientific or technical use, for a single user, and would commonly run a multi-user OS.
The Mac Mini runs a multi-user OS and is designed for a single user. The issue is whether it is for “scientific or technical use”. A Mac Mini is a nice little graphical system which could be used for CAD and other engineering work. But I believe that the low capabilities of the system and lack of expansion options make it less of a workstation.
The latest versions of the Mac Mini (to be officially launched next week) have up to 64G of RAM and up to 8T of storage. That is quite decent compute power for a small device. For comparison the HP ML 110 Gen9 workstation I’m currently using was released in 2021 and has 256G of RAM and has 4 * 3.5″ SAS bays so I could easily put a few 4TB NVMe devices and some hard drives larger than 10TB. The HP Z640 workstation I have was released in 2014 and has 128G of RAM and 4*2.5″ SATA drive bays and 2*3.5″ SATA drive bays. Previously I had a Dell PowerEdge T320 which was released in 2012 and had 96G of RAM and 8*3.5″ SAS bays.
In CPU and GPU power the recent Mac Minis will compare well to my latest workstations. But they compare poorly to workstations from as much as 12 years ago for RAM and storage. Which is more important depends on the task, if you have to do calculations on 80G of data with lots of scans through the entire data set then a system with 64G of RAM will perform very poorly and a system with 96G and a CPU less than half as fast will perform better. A Dell PowerEdge T320 from 2012 fully loaded with 192G of RAM will outperform a modern Mac Mini on many tasks due to this and the T420 supported up to 384G.
Another issue is generic expansion options. I expect a workstation to have a number of PCIe slots free for GPUs and other devices. The T320 I used to use had a PCIe power cable for a power hungry GPU and I think all the T320 and T420 models with high power PSUs supported that.
I think that a usable definition of a “workstation” is a system having a feature set that is typical of servers (ECC RAM, lots of storage for RAID, maybe hot-swap storage devices, maybe redundant PSUs, and lots of expansion options) while also being suitable for running on a desktop or under a desk. The Mac Mini is nice for running on a desk but that’s the only workstation criteria it fits. I think that ECC RAM should be a mandatory criteria and any system without it isn’t a workstation. That excludes most Apple hardware. The Mac Mini is more of a thin-client than a workstation.
My main workstation with ECC RAM could run 3 VMs that each have more RAM than the largest Mac Mini that will be sold next week.
If 32G of non-ECC RAM is considered enough for a “workstation” then you could get an Android phone that counts as a workstation – and it will probably cost less than a Mac Mini.
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We’ll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world’s most visited travel website.
According to the market share website statista.com, booking.com is by far the Internet’s busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message within the Booking mobile app just minutes after making a reservation at a California hotel.
The missive bore the name of the hotel and referenced details from their reservation, claiming that booking.com’s anti-fraud system required additional information about the customer before the reservation could be finalized.
The phishing message our reader’s friend received after making a reservation at booking.com in late October.
In an email to KrebsOnSecurity, booking.com confirmed one of its partners had suffered a security incident that allowed unauthorized access to customer booking information.
“Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which unfortunately is not a new situation and quite common across industries,” booking.com replied. “Importantly, we want to clarify that there has been no compromise of Booking.com’s internal systems.”
The phony booking.com website generated by visiting the link in the text message.
Booking.com said it now requires 2FA, which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.
“2FA is required and enforced, including for partners to access payment details from customers securely,” a booking.com spokesperson wrote. “That’s why the cybercriminals follow-up with messages to try and get customers to make payments outside of our platform.”
“That said, the phishing attacks stem from partners’ machines being compromised with malware, which has enabled them to also gain access to the partners’ accounts and to send the messages that your reader has flagged,” they continued.
It’s unclear, however, if the company’s 2FA requirement is enforced for all or just newer partners. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.
A scan of social media networks showed this is not an uncommon scam.
In November 2023, the security firm SecureWorksdetailed how scammers targeted booking.com hospitality partners with data-stealing malware. SecureWorks said these attacks had been going on since at least March 2023.
“The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy,” SecureWorks said of the booking.com partner it investigated.
In June 2024, booking.com told the BBC that phishing attacks targeting travelers had increased 900 percent, and that thieves taking advantage of new artificial intelligence (AI) tools were the primary driver of this trend.
Booking.com told the BCC the company had started using AI to fight AI-based phishing attacks. Booking.com’s statement said their investments in that arena “blocked 85 million fraudulent reservations over more than 1.5 million phishing attempts in 2023.”
The domain name in the phony booking.com website sent to our reader’s friend — guestssecureverification[.]com — was registered to the email address ilotirabec207@gmail.com. According to DomainTools.com, this email address was used to register more than 700 other phishing domains in the past month alone.
Many of the 700+ domains appear to target hospitality companies, including platforms like booking.com and Airbnb. Others seem crafted to phish users of Shopify, Steam, and a variety of financial platforms. A full, defanged list of domains is available here.
A cursory review of recent posts across dozens of cybercrime forums monitored by the security firm Intel 471 shows there is a great demand for compromised booking.com accounts belonging to hotels and other partners.
One post last month on the Russian-language hacking forum BHF offered up to $5,000 for each hotel account. This seller claims to help people monetize hacked booking.com partners, apparently by using the stolen credentials to set up fraudulent listings.
A service advertised on the English-language crime community BreachForums in October courts phishers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Those include more than two million hotel email addresses, and services designed to help phishers organize large volumes of phished records. Customers can interact with the service via an automated Telegram bot.
Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies catering to fellow scammers, with up to 50 percent discounts on hotel reservations through booking.com. Others are selling ready-to-use “config” files designed to make it simple to conduct automated login attempts against booking.com administrator accounts.
SecureWorks found the phishers targeting booking.com partner hotels used malware to steal credentials. But today’s thieves can just as easily just visit crime bazaars online and purchase stolen credentials to cloud services that do not enforce 2FA for all accounts.
That is exactly what transpired over the past year with many customers of the cloud data storage giant Snowflake. In late 2023, cybercriminals figured out that while tons of companies had stashed enormous amounts of customer data at Snowflake, many of those customer accounts were not protected by 2FA.
Snowflake responded by making 2FA mandatory for all new customers. But that change came only after thieves used stolen credentials to siphon data from 160 companies — including AT&T, Lending Tree and TicketMaster.
Almost all of my Debian contributions this month were
sponsored by Freexian.
You can also support my work directly via
Liberapay.
Ansible
I noticed that Ansible had fallen out of Debian
testing due to autopkgtest failures. This seemed like a problem worth
fixing: in common with many other people, we use Ansible for configuration
management at Freexian, and it probably wouldn’t make our sysadmins too
happy if they upgraded to trixie after its release and found that Ansible
was gone.
The problems here were really just slogging through test failures in both
the ansible-core and ansible packages, but their test suites are large
and take a while to run so this took some time. I was able to contribute a
few small fixes to various upstreams in the process:
Martin-Éric Racine
reported that ssh-audit
didn’t list the ext-info-s feature as being available in Debian’s OpenSSH
9.2 packaging in bookworm, contrary to what OpenSSH upstream said on their
specifications page at the time. I
spent some time looking into this and realized that upstream was mistakenly
saying that implementations of ext-info-c and ext-info-s were added at
the same time, while in fact ext-info-s was added rather later.
ssh-audit now has clearer output, and the OpenSSH maintainers have
corrected their specifications page.
I looked into a report of an ssh
failure in certain cases when using GSS-API key exchange (which is a Debian
patch). Once again, having integration
tests was a huge win here: the affected
scenario is quite a fiddly one, but I was able to set it up in the
test,
and thereby make sure it doesn’t regress in future. It still took me a
couple of hours to get all the details right, but in the past this sort of
thing took me much longer with a much lower degree of confidence that the
fix was correct.
On upstream’s
advice,
I cherry-picked some key exchange fixes needed for big-endian architectures.
Python team
I packaged python-evalidate, needed for a
new upstream version of buildbot.
tzdata
moved
some timezone definitions to tzdata-legacy, which has broken a number of
packages. I added tzdata-legacy build-dependencies to
alembic and
python-icalendar to deal with this in
those packages, though there are still some other instances of this left.
I tracked down an nltk regression that
caused build failures in many other packages.
I fixed Rust crate versioning issues in
pydantic-core,
python-bcrypt, and
python-maturin (mostly fixed by Peter
Michael Green and Jelmer Vernooij, but it needed a little extra work).
"Check out Visual Studio optimizing their rating system to
only include the ratings used," shared
Fiorenzo R.
Imagine the performance gain!
"This sounds about right," says
Colin A.
"Wow! Must snap up some sweet Anker kit with this amazing offer; but less than four days to go!" exclaims
Dave L., who then goes on to explain
"The actual WTF is this though. I sent this image to Anker with this email:
But only 3days left? I hope this offer continues!
Anker replied:
Thank you for your feedback! I understand that you appreciate the savings on the Anker SOLIX PS100 Portable Solar Panel and wish the offer could be extended beyond the current 3-day limit. Your suggestion is valuable and will be considered for future promotions to enhance customer satisfaction. If you have any other requests or need further assistance, please let me know.
I for one welcome our new AI overlords.
"
Graham F.
almost stashed this away for later.
"Looks like Dropbox could use a few lessons in how to do
Maths! Although maybe their definition of 'almost' differs from mine."
Finally
Joshua
found time to report a brand-new date-handling bug.
"Teams is so buggy; this one just takes the cake. I had to check with the unix cal program to make sure I wasn't completely bonkers."
For the readers,
November 8 this year is supposed to be a Friday. I suppose things could change after
the US election.
Have a great weekend. Maybe I'll see you next Friday, or maybe
all the weekdays will be renamed Thursday.
[Advertisement] Plan Your .NET 9 Migration with Confidence Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!
Overdue is a stand-alone novelette in the Library Trilogy universe. Returns is a collection of two
stories, the novelette "Returns" and the short story "About Pain." All of
them together are about the length of a novella, so I'm combining them
into a single review.
These are ancillary stories in the same universe as the novels, but not
necessarily in the same timeline. (Trying to fit "About Pain" into the
novel timeline will give you a headache and I am choosing to read it as
author's fan fiction.) I'm guessing they're part of the new fad for
releasing short fiction on Amazon to tide readers over and maintain
interest between books in a series, a fad about which I have mixed
feelings. Given the total lack of publisher metadata in either the
stories or on Amazon, I'm assuming they were self-published even though
the novels are published by Ace, but I don't know that for certain.
I found all three of these stories irritating and thuddingly trite.
"Returns" is probably the best of the lot in terms of quality of
storytelling, but I intensely dislike the structural implications of the
nature of the book at its center and am therefore hoping that it's
non-canonical.
I would not waste your time with these even if you are enjoying the
novels.
"Overdue": Three owners of the same bookstore at different
points in time have encounters with an albino man named Yute who is on a
quest. One of the owners is trying to write a book, one of them is older,
depressed, and closed off, and one of them has regular conversations with
her sister's ghost. The nature of the relationship between the three is
too much of a spoiler, but it involves similar shenanigans as The
Book That Wouldn't Burn.
Lawrence uses my least favorite resolution of benign ghost stories. The
story tries very hard to sell it as a good thing, but I thought it was
cruel and prefer fantasy that rejects both branches of that dilemma.
Other than that, it was fine, I guess, although the moral was delivered
with all of the subtlety of the last two minutes of a Saturday morning
cartoon. (5)
"Returns": Livira returns a book deep inside the library and
finds that she can decipher it, which leads her to a story about Yute
going on a trip to recover another library book. This had a lot of great
Yute lines, plus I always like seeing Livira in exploration mode. The
book itself is paradoxical in a causality-destroying way, which is
handwaved away as literal magic. I liked this one the best of the three
stories, but I hope the world-building of the main series does not go in
this direction and I'm a little afraid it might. (6)
"About Pain": A man named Holden runs into a woman named Clovis
at the gym while carrying a book titled Catcher that his dog found
and that he's returning to the library. I thoroughly enjoy Clovis and was
happy to read a few more scenes about her. Other than that, this was
fine, I guess, although it is a story designed to deliver a point and that
point is one that appears in every discussion of classics and re-reading
that has ever happened on the Internet. Also, I know I'm being grumpy,
but Lawrence's puns with authors and character names are chapter-epigraph
amusing but not short-story-length funny. Yes, yes, his name is Holden,
we get it. (5)
Author: Aubrey Williams The cheap hotel room was draughty, the shadows ink in the recesses. Each sheet of green William Morris wallpaper was peeling in at least three places. For all the dinginess, though, it was a room, and I needed one. By a feeble light I’d tried to work, but the sound of the […]
I'm too depressed to elaborate much on this, but I just wanted to go on the record with this prediction before the election. Why do I think Trump is going to win? Because DJT stock is up and has been rising steadily since it hit an all-time low in late September. It didn't even go down today after yesterday's disastrous MSG rally. The polls have been static since
The shared web proxy used on Wikimedia Cloud VPS now has technical
support for using arbitrary domains (and not just wmcloud.org
subdomains) in proxy names. I think this is a good example of how
software slowly evolves over time as new requirements emerge, with each
new addition building on top of the previous ones.
According to the edit history on Wikitech, the web proxy service has
its origins in 2012, although the current idea where you create a proxy
and map it to a specific instance and port was only introduced a year
later. (Before that, it just directly mapped the subdomain to the VPS
instance with the same name).
There were some smaller changes in the coming years like the migration
to acme-chief for TLS certificate management, but the overall logic
stayed very similar until 2020 when the wmcloud.org domain was
introduced. That was implemented by adding a config option listing all
possible domains, so future domain additions would be as simple as
adding the new domain to that list in the configuration.
Then the changes start becoming more frequent:
In 2022, for my Terraform support project, a bunch of logic,
including the list of supported backend domains was moved from the
frontend code to the backend. This also made it possible to
dynamically change which projects can use which domains suffixes for
their proxies.
Then, early this year, I added support for zones restricted to a
single project, because we wanted to use the proxy for the
*.svc.toolforge.org Toolforge infrastructure domains instead of
coming up with a new system for that use case. This also added suport
for using different TLS certificates for different domains so that we
would not have to have a single giant certificate with all the names.
Finally, the last step was to add two new features to the proxy
system: support for adding a proxy at the apex of a domain, as well
as support for domains that are not managed in Designate (the Cloud
VPS/OpenStack auth DNS service). In addition, we needed a bit of
config to ensure http-01 challenges get routed to the acme-chief
instance.
Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.
What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others.
[…]
The solution?
Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.
[…]
This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.
The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the other, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest?
Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personal were using them to track their runs, and you could look at the public data and find places where there should be no people running.
Six years later, the problem remains. Le Mondehasreportedthat the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do.
Horror movies, as of late, have gone to great lengths to solve the key obstacle to horror movies- cell phones. When we live in a world where help is a phone call away, it's hard to imagine the characters not doing that. So screenwriters put them in situations where this is impossible: in Midsommar they isolate them in rural Sweden, in Get Out calling the police is only going to put our protagonist in more danger. But what's possibly more common is making the film a period piece- like the X/Pearl/Maxxxine trilogy, Late Night with the Devil, or Netflix's continuing series of R.L. Stine adaptations.
I bring this up, because today's horror starts in 1993. A Norwegian software company launched its software product to mild acclaim. Like every company, it had its ups and downs, its successes and missteps. On the surface, it was a decent enough place to work.
Over the years, the company tried to stay up to date with technology. In 1993, the major languages one might use for launching a major software product, your options are largely C or Pascal. Languages like Python existed, but weren't widely used or even supported on most systems. But the company stayed in business and needed to update their technology as time passed, which meant the program gradually grew and migrated to new languages.
Which meant, by the time Niklas F joined the company, they were on C#. Even though they'd completely changed languages, the codebase still derived from the original C codebase. And that meant that the codebase had many secrets, dark corners, and places a developer should never look.
Like every good horror movie protagonist, Niklas heard the "don't go in there!" and immediately went in there. And lurking in those shadows was the thing every developer fears the most: homebrew date handling code.
///<summary>//////</summary>///<param name="dt"></param>///<returns></returns>publicstatic DateTime LastDayInMonth(DateTime dt)
{
int day = 30;
switch (dt.Month)
{
case1:
day = 31;
break;
case2:
if (IsLeapYear(dt))
day = 29;
else
day = 28;
break;
case3:
day = 31;
break;
case4:
day = 30;
break;
case5:
day = 31;
break;
case6:
day = 30;
break;
case7:
day = 31;
break;
case8:
day = 31;
break;
case9:
day = 30;
break;
case10:
day = 31;
break;
case11:
day = 30;
break;
case12:
day = 31;
break;
}
returnnew DateTime(dt.Year, dt.Month, day, 0, 0, 0);
}
///<summary>//////</summary>///<param name="dt"></param>///<returns></returns>publicstaticboolIsLeapYear(DateTime dt)
{
bool ret = (((dt.Year % 4) == 0) && ((dt.Year % 100) != 0) || ((dt.Year % 400) == 0));
return ret;
}
For a nice change of pace, this code isn't incorrect. Even the leap year calculation is actually correct (though my preference would be to just return the expression instead of using a local variable). But that's what makes this horror all the more insidious: there are built-in functions to handle all of this, but this code works and will likely continue to work, just sitting there, like a demon that we've made a pact with. And suddenly we realize this isn't Midsommar but Ari Aster's other hit film, Hereditary, and we're trapped being in a lineage of monsters, and can't escape our inheritance.
[Advertisement]
Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Author: Rollin T. Gentry Imagine a creature crafted from crushed bones and entropy. It may or may not have fangs, or claws, or even a face. It rides from calamity to calamity, crisis to crisis, along ley lines the scale of galaxies. Wait. There he is, knocking at the door. The door, an ancient relic […]
Consider the case of basic public key cryptography, in which a person’s public and private key are created together in a single operation. These two keys are entangled, not with quantum physics, but with math.
When I create a virtual machine server in the Amazon cloud, I am prompted for an RSA public key that will be used to control access to the machine. Typically, I create the public and private keypair on my laptop and upload the public key to Amazon, which bakes my public key into the server’s administrator account. My laptop and that remove server are thus entangled, in that the only way to log into the server is using the key on my laptop. And because that administrator account can do anything to that server—read the sensitivity data, hack the web server to install malware on people who visit its web pages, or anything else I might care to do—the private key on my laptop represents a security risk for that server.
Here’s why it’s impossible to evaluate a server and know if it is secure: as long that private key exists on my laptop, that server has a vulnerability. But if I delete that private key, the vulnerability goes away. By deleting the data, I have removed a security risk from the server and its security has increased. This is true entanglement! And it is spooky: not a single bit has changed on the server, yet it is more secure.
An 18-foot tall dual pendulum clock that measures the growth of the world's most ancient living trees, exploring new ways of thinking about deep time and resilience.
At the summit of eastern Nevada’s Mount Washington, a grove of bristlecone pine trees bears witness to millennia of change. Perched precariously along ridges of limestone, battered by harsh winds, the gnarled forms that populate Long Now’s Bristlecone Preserve can look more like abstract sculptures than living organisms. But they are alive, have been alive, some since before the first stone of the Great Pyramid of Giza was laid 4,500 years ago. And they are growing. Very. Slowly. A sapling from today would potentially not reach maturity until the year 07000.
But to speak of years like 07000 is to speak in human time. Bristlecone time is not like our time. In 01964, a geographer took core samples of a nearby bristlecone known as Prometheus. The tree had 4,862 growth rings. This did not, as one might assume, mean that the tree was 4,862 years old. Because of the harsh conditions, and the high elevation, some bristlecone pines grow so slowly that they don’t form a tree ring each year. Such was the case with Prometheus, whom researchers later estimated to be closer to 4,900 years old.
The discrepancy between human time — in which a year is exactly 365.2425 days in duration — and bristlecone time — which varies depending on environmental conditions — is the focus of a forthcoming project from the conceptual artist and experimental philosopher Jonathon Keats, The Long Now Foundation, and the Nevada Museum of Art. Centuries of the Bristlecone empowers the longest-lived organisms on Earth to be timekeepers. A living calendar for the next five millennia, the project will measure the growth of select bristlecone pine trees at Long Now’s Bristlecone Preserve. Those measurements — “bristlecone time” — will be transmitted to an 18-foot tall dual pendulum clock housed at the Nevada Museum of Art. The growth of these trees will tell a story. What that story is depends on us.
Long Now’s Bristlecone Preserve, Mount Washington, eastern Nevada. Photo by Ian van Coller
“Through time, each bristlecone will bear witness to human activity in the Anthropocene,” Keats has written. “The meaning of the living calendar will change with the changes we bring to the environment.”
Consider again that sapling. Over time, increased carbon dioxide in the atmosphere stemming from anthropogenic climate change would lead to it growing at a faster rate, much like its siblings at lower elevations. A visitor to the Centuries of the Bristlecone clock a hundred years from now would see two different times displayed, side by side. The dial displaying human, or standard, time would read “02124.” The dial displaying bristlecone, or arboreal, time might read “02377.”
Or it might not. We cannot know how the future will unfold. And we could, of course, choose to act differently. For Keats, that’s precisely the point.
The gnarled forms that populate Long Now’s Bristlecone Preserve can look more like abstract sculptures than living organisms. Photo by Justin Oliphant
“Our actions will affect bristlecone time,” Keats writes. “And while we need to be aware of our hubris, we also need to be aware that we have choices and responsibilities. Arboreal time will provide us with an ecological feedback mechanism. Sentinels from the distant past that will long outlive us, the bristlecones will calibrate our time on this planet.”
Centuries of the Bristlecone has been in the works since 02015, when Keats shared his vision during a Long Now Talk at The Interval. In September 02024, a contingent of staff from Long Now and the Nevada Museum of Art joined Keats atop Mount Washington to help realize that vision, installing the indexes and plaques that will allow future citizen-timekeepers to chart the growth of the trees. In the spring of 02025, the municipal clock at the Nevada Museum of Art will open to the public.
Photo of Jonathon Keats' 02015 Long Now Talk on Centuries of the Bristlecone by Michael McElligott; photos of Centuries of the Bristlecone installation by James Home, Justin Oliphant, Gary Wilson; rendering of the Centuries of the Bristlecone clock by clockmaker Phil Abernethy
Centuries of the Bristlecone is part of Keats’ broader philosophical exploration of time from a more-than-human perspective. “The overarching goal is to reverse the process of human alienation that began by seeing nature as other,” he says. “We can reintegrate ourselves into nature by reintegrating nature into human systems.”
Recently, Keats sat down with William L. Fox, the Director of the Center for Art + Environment at the Nevada Museum of Art, to discuss the many projects he’s undertaken to achieve that goal, as well as the unconventional thought experiments that comprise his larger body of work. Over the years, Keats has attempted to genetically engineer God; copyright his brain in a bid to become immortal; and pass Aristotle’s law of identity as a law of the legal system (violators caught being unidentical to themselves would be fined one-tenth of a cent). He has created pinhole cameras with exposure times of one thousand years, and he has shown pornography to house plants (which is to say, videos of bees pollinating flowers).
Equal parts playful and profound, Keats’ interventions open up spaces for the public to engage in contemplative inquiry across a wide swath of disciplines and domains, from the perennial questions posed by philosophy — What is the relationship between thinking and being? — to the ethical quandaries posed by the Anthropocene — How might non-human species participate in the collective decision-making of the democratic system in which we live?
“A question is never resolved,” he says. “It is only enlarged.”
The following conversation has been edited for length and clarity.
William L. Fox speaking at Long Now on April 5, 02016. Seated in the audience at left is Jonathon Keats. Photo by Gary Wilson
William L. Fox: You and I have been working together for years, but we don’t sit down and actually talk about what childhood was like, what grade school was like. I’d like to remedy that now. So let’s start with how you must’ve driven every teacher you’ve ever had absolutely nuts.
Jonathon Keats: It started with my parents. I drove them crazy long before I had teachers to distract and classes to disturb. But in terms of the first experience in a formal educational situation, it was preschool. As is the case in many Montessori schools, I got told by the teachers how to be creative. What more creative thing can one do than to rebel against that?
It didn't go over well. I actually didn't speak for an entire year. I would speak outside of class, but the moment I walked through the doors of the school, I would stop speaking. Later, when I got my hands on a Diagnostic and Statistical Manual of Mental Disorders, I was able to diagnose myself as having elective mutism. I was quite pleased with myself to be an elective mute because knowing when not to say something seems like it is as important as knowing when to say something. That is one of the essential qualities of my work and one of the essential qualities that I seek in art more generally.
As I went on in that vein, being obstinate whenever I was asked to be creative or imaginative, one of the preschool teachers asked whether I had an imagination. I think that's still open to debate. Nevertheless, it was clear that any sort of formal structure that came from someone else was one to be resisted or to be broken free of, as opposed to my own systems that I very much wanted to create.
Photos from Jonathon Keats’ ninth birthday party in Corte Madera, 01980. Keats is shown in the left photo. One of the partygoers is future Long Now Executive Director Alexander Rose, shown in the right photo, seated at right. Photos courtesy of Jonathon Keats
The first work that could potentially be categorized retrospectively as an artwork — or as a thought experiment — came shortly after moving cross country from New York City, where I'd gone to preschool, to Corte Madera, a very quaint town in California. In my driveway, on a street that few people frequented, I set up a table and put some rocks on it and priced the rocks at one cent apiece. The rocks on the ground were identical, but were not the ones that were for sale, so they had no price on them whatsoever. And so I went into the business of selling rocks to a market that was effectively zero. There was, I think, a neighbor who came up to water the lawn at some point. But, more than a profit-making enterprise, my venture was a way in which to ask fundamental questions about economics, which probably originated with my puzzlement about what my father did for a living as a stockbroker. What does it mean to buy and sell? What is the nature of money?
Even then, the way in which I went about investigating the world was on my own terms, creating some sort of alternative reality that others could enter into with me, where I eliminated as much as possible that seemed extraneous, leaving just the essence to try to make sense of. I think that has been the case ever since.
Fox: The most valid rubric I use to describe you is as an ‘experimental philosopher.’ Clearly, that’s where you’ve been going since Montessori preschool. By the time you get to high school, have you begun, within that cloud of possibilities, to make some choices about what you want to do?
Keats: At the time, I was very interested in law and governance, which are deeply interesting to me still — not only as subjects, but also as constructs at a meta-level: How is the world ordered? What sort of sense do we make of the world through the systems we have, and how do we interrogate those systems? How do we ask how those systems work and what they do in order to speculate on the ways in which they might achieve what we actually want them to do?
All too often, there are legacy systems built on legacy systems, and they’re not functioning as intended. We can see this on a day-to-day basis, but we won’t understand why until we start to look at what is invisible to us. It’s like the operating system on a computer: We might not know how it operates, but it structures our word processing, our web browsing, et cetera. Law was a particularly interesting area for me because it was structured, and because it structured everything else.
During the summer of my junior year, I interned at the City Attorney’s Office in San Francisco. They must not have been very well funded, because they would tell me about cases and then set me free in their law library to write memoranda that I would dictate into a Dictaphone. These were often on rather arcane areas of law, such as trademark infringement, but there were also more conventional problems, such as the liability of the city when a bus driver ran over a pedestrian. So I ended up with an informal education in the law, both in how the law is structured and how it actually functions.
In terms of actual schoolwork, I was very keen to go to the high school that I did — Lick-Wilmerding — for manifestly other reasons: it had a magnificent shop program, with a whole room of World War II-era lathes. That was useful not only from the standpoint of learning how to make things, but in terms of learning the procedures. When you're working in a machine shop, you have to think about what you are trying to create in a way that is extremely orderly, considering the stages underlying the manufacture of a given part and considering how multiple parts will fit together. So while I wasn't thinking in these terms at the time, in making things out of wood, metal, and other materials, I was, in very physical and tangible ways, trying to make sense of how systems come into being, what they do, and where they break down.
Fox: And you move on into college, and the adventures continue.
Keats: They do. They travel with me to the East Coast, to Amherst College in western Massachusetts. It was an ideal setting for exploring whatever interested me. That’s the nature of a liberal arts college when you take the mandate seriously, and most of my professors did. They were perfectly happy to provide guidance, but were seemingly equally happy not to do so, and to allow much of my education to become a form of independent study.
Amherst is where I learned philosophy, and where I learned that I did not want to practice philosophy within academia. Formal logic is not my forte. And then there was the fact that philosophy at Amherst was analytic and highly technical. And while I found Ludwig Wittgenstein fascinating — he once asked, What time is it on the sun? — for the most part the way in which philosophy was done in school was not at all like what I had imagined. What I had envisioned was probably not so far off from selling rocks on the street corner. As far as I was concerned, philosophy was about asking questions and enticing others to try and make sense of that world with me.
The thought experiment was, to me, an incredibly interesting means of making sense that was used in a way that was not at all interesting. It was used as a mode of argumentation — reductio ad absurdum — as a way of rhetorically drawing somebody into a state of contradiction. I was interested in the thought experiment as a mode of open-ended experimentation. And so I got enough training in philosophy — enough language, enough rigor — to be able to smuggle philosophy out of academia. Breaking free was also important for another reason: Whenever I talked to anybody outside of my department, including classmates and my parents, they had no idea what I was talking about. Partly, I think that’s because I was never very good at paraphrasing others’ philosophy, but partly it’s because analytic philosophy was so abstruse.
In 02015, Amherst College held an exhibition on Keats' deep time photography. Keats' cameras, with exposure times of 100 and 1,000 years, document long-term change in cities from San Francisco to Berlin.
As I said earlier, we need to get inside the operating system. We need to be able to understand the basis of our understanding. There's so much scholarship underlying philosophy as it's done right now that “good philosophy” is directed by what was considered worthy in the past. We need to go in other directions, and to do so with others in a way that’s socially engaged, such that we’re all philosophers together.
I declared my independence from philosophy my senior year by opting to write a thesis on aesthetics, which was one of the areas I’d studied. In my proposal to the philosophy department, I argued that it made no sense to write about aesthetics; I should be working within aesthetics. That is, I should be writing a novel. The philosophy department responded by saying, That’s a very good idea, but not here. So I formed my own aesthetics department. I gave it a name and had a philosophy professor on the board. I wrote a novel, or something that passed as a novel, as a senior thesis. That was the moment when I realized that writing was one way in which to pursue what I wanted and needed to do. Writing fiction and poetry was particularly generative because it avoided some of the necessities of argumentation, namely first and foremost that one has something one is arguing for, as opposed to trying to open up a space for reflection.
But I also realized that beyond writing, other arts presented great opportunities. I had studied enough art history in college to see that the Duchampian turn was so dizzying that nobody knew what art was anymore. Every other discipline, from physics to philosophy, had become more disciplined, more rigorous, more rigid, and more narrow as time had gone on. Art had gone the opposite direction, from producing painting or sculpture in an academic tradition to “anything goes”.
Fox: You have just proposed a kind of analog to the working practice of Allan Kaprow and his relationship to William James and the birth of American pragmatism. Which is to say, in counter distinction: when I was at the Clark Art Institute, I had a good friend who was a curator of art from Bordeaux at the Contemporary Art Museum. He was the last student of Deleuze. And he said, “You don't like Deleuze and Guattari very much, do you?” And I said, “No, I loathe them. And in fact, I threw away A Thousand Plateaus.” It's the only book in my life I've ever thrown in a trash basket. And he said, “Why on earth? What's your problem?” And I said, “Because they don't tell the truth. They use language in very clever ways. But you cannot argue about whether or not there's a river that flows from the Rocky Mountains to the Pacific Ocean. And they would pretend to do otherwise.” And so he said, “But Bill, you don't understand: the whole point is the person who argues the best wins.” I found that instructive. And to hear you actually anchor yourself in the world in a philosophical tradition that is not founded on argumentation is refreshing.
Keats: I think that argumentation is at the core of my practice, but not for the sake of winning. I’m drawn to the Hegelian dialectic and even more to the Talmudic tradition in which any point is a basis for a counterpoint. A question is never resolved. It’s only enlarged.
What I do in much of my work now is that I take a position internally — a proposition, a provocation, or a world that I create — not because I think that it is definitive, but because I think that it is a point of departure for navigating a space that I intuit to be meaningful, relevant and interesting. I seldom know my way around the space at the outset, I only know that I can’t navigate it alone. I know that it needs to be large enough for me to get lost.
In Berkeley in 02002, I tried to find my way through the legal system. I attempted to pass a law of logic: the proposition that a equals a, that every entity is identical to itself. I held a petition drive and set up a table piled high with political buttons. It wasn’t so different from my childhood experiment of setting up a stand on the street and selling rocks as a way of understanding what money is; the rocks were meaningless except for the transaction that was happening through their sale. Equivalent to that, in trying to pass a law of logic as legislation, I was trying to figure out whether we actually can make laws, or whether they already all exist and we simply elect certain laws to be those that we follow.
Fox: One of the things you’ve done is copyright your brain.
Keats: My motivation was to explore some of the questions that have persisted for such a long time: what it is to think, what it is to be, and what is the relationship between the two? But also it was about trying to figure out the nature of intellectual property.
Instead of trying to achieve immortality through the merits of my paintings or sculptures, as artists often do, I opted to enlist the Copyright Act of 01978, which afforded copyright protection on any work for 70 years beyond the artist’s death. I submitted paperwork to the Copyright Office registering my brain as a sculpture that was formed through the act of thinking. I hypothesized that this sculpture, by virtue of being copyrighted, and through the magic of cogito ergo sum, could become a way to outsurvive myself by 70 years.
At the same time that I registered my brain with the Copyright Office to protect the neural networks, I orchestrated an IPO offering futures contracts on my individual neurons. The neural networks were really what mattered after I was dead; the ability to use those networks after my death would be essential to fulfilling the cogito and continuing to exist exclusively as myself for those 70 years. But in order to be able to fund suitable technology, as well as suitable legal protections, I needed some sort of a cash windfall at the end of my life. (Being an artist, as we all know, is not a way to get rich.) Investors were offered the opportunity to purchase a million neurons at a $10 premium against a $10,000 strike price. The neurons were, and remain, deliverable upon my death.
Fox: I’d like to talk about trees. You and I have both been involved in the UC Berkeley Sagehen Creek Field Station that is north of Truckee, California. At one point, you wanted to allow trees to have agency about the quality of their environment, giving them the ability to vote in a countywide election. Jeff Brown and Faerthen Felix, the then-director and manager, respectively, of the Sagehen Creek Station, not only let you set up camp there, but brought you in contact with scientists and instruments that could facilitate that process.
Keats: For a while I've been trying to figure out how to move beyond rights of nature. I’ve been trying to take a broader view of ecology, considering how we’re making life worse, not only for ourselves, but for most every species on planet Earth through our actions today and arguably since the Industrial Revolution.
From an ecological perspective, giving trees the right to clean air is certainly a step in the right direction: it allows for beings in jeopardy to be protected in a court of law, and their interests to be protected in very broad terms, much as rights apply to humans. But there is something essential missing from the equation, and it has to do with representation. In other words: how might non-human species be able to participate in the collective decision-making of the democratic system in which we live?
We don’t really know much about what happens on this planet, let alone what is in the best interest of non-human others. If we want to make good policy, we need to be able to access the extraordinary range of sensory systems and ways in which these non-human beings make sense of the world. And, at an ethical level, these others are affected by our actions, and should, therefore, have a say in what actions are taken.
When I first approached Jeff and Faerthen — and when they introduced me to Earth Law Center in Colorado — I was just beginning to develop ideas for enlarging democratic decision-making processes. Starting with plants made sense because of the fact that we humans are less than 1% of Earth’s biomass and plants are by some measures more than 80%. In other words, they’re the majority.
I started to think about plants’ participation in the democratic process initially in terms of an old electoral cliche : Are you better off now than you were four years ago? People supposedly ask themselves that question in presidential elections. How might we pose that question to plants?
I think the question could be reformulated as follows: Are you getting more stressed or less so as a result of the political decisions that are being made on your behalf in our representative democracy? All species can be monitored in terms of stress level. The hormone cortisol, for instance, is correlated with stress in the case of animals. Plants experience stress as well, as indicated by their production of phytohormones such as ethylene. Measuring these hormones might be a substitute for lining up plants at the voting booth and waiting for them to pull a lever.
Keats’ exhibit at MOD, “The Assembly of Trees.” Photo by Topbunk
It’s a thought experiment, but one I am undertaking in public at MOD, an art-and-science museum at the University of South Australia. All this year in Adelaide, 50 trees are being monitored. We aren't monitoring phytohormones, which are difficult to measure directly. Instead, we’re observing an epiphenomenon: foliage density. We're looking at whether there’s more or less foliage this year compared to last year as a proxy measure of stress. And we're inviting visitors to correlate these changes with new legislation.
To legally enfranchise nonhuman species would probably take a constitutional amendment, an idea that we’ve been investigating at Earth Law Center. It’s an ideal but it’s not going to be approved by the electorate anytime soon. On the other hand, it seems eminently feasible to influence people’s political decisions by making them more aware of the ecosystem in which they live such that they can incorporate the interests and worldview of other species at the polls. The MOD installation is intended to encourage people to take nonhuman interests and perspectives into account when they vote.
The overarching goal is to reverse the process of human alienation that began by seeing nature as other. We can reintegrate ourselves into nature by reintegrating nature into human systems.
A bristlecone pine in Long Now's Bristlecone Preserve. Photo by Justin Oliphant
Fox: From my standpoint, Centuries of the Bristlecone is a project that came about because you wanted to find a way to demonstrate in front of humans in real time the difference between human time and bristlecone time. If I remember correctly, you originally wanted to work with sequoias or redwoods or other species, but The Long Now Foundation said, “We own the largest private grove of bristlecones in the world,” and that’s a 5,000-year potential growth pattern for a plant.
You were looking for a place where you could take a signal from a bristlecone pine, let’s say the growth of a tree ring annually, as an indicator of the chemical composition of the atmosphere around the bristlecone. And you could put those two facts together and measure a correlation. But all this would be happening on top of an 11,000 foot mountain. How could you get that data and that ongoing signal to the public?
The answer was, find an organization that was nearby in the Nevada Museum of Art. We’re about as close a museum to the bristlecone pines as you can find in this state. And so we began to talk about a device that would translate and make visible that data for people to come in and apprehend on a regular basis or even on a one-time visit, just to get a sense of what the different kinds of time were. It’s an exquisite instrument that’s been designed. It’s taken us years to get here, and it’s a monumental public clock that has both human and bristlecone time being displayed on the face of that clock.
What’s going through your mind as you are coming up with the idea of Centuries of the Bristlecone?
Keats: I’m concerned about the ways in which societies have kept time since the beginning of the Industrial Revolution, by the mechanization and standardization of time through the use of mechanical, electronic, and atomic clocks. As time became more technical, it became more abstract. Like many technologies, the technology of timekeeping allowed us to disconnect from planetary systems and do what we want to do whenever we want to do it. In modern logistics, there are no temporal feedback loops to indicate the impact of our actions.
💡
WATCH David Rooney’s 02021 Long Now Talk on how time has been imagined, politicized, and weaponized over the centuries — and how it might bring peace.
In the past (pre-classical Greece, say), and still in some indigenous societies today, time reckoning has very much been about observing phenomena in your midst. Time is embedded in planetary systems and in how other creatures are experiencing these systems together with humans, all living in a state of kinship.
I want to reintegrate modern society into those planetary systems. I want to do so through law and governance, but also through the mechanism of timekeeping.
Imagine a sapling. If we were to put markers around a tree in the shape of a spiral, and we were to mark them with future dates based on the current average annual growth for that tree, and we were then to stand back and give the tree authority to let us know what time it is, the arboreal year might deviate from the Gregorian calendar. And it would do so in ways that would be meaningful because this would be the ground truth for the tree, influenced by essential factors ranging from precipitation to the amount of carbon dioxide in the air. It would be the tree’s experience of time, as legitimate and relevant as any other experience of time. The calendar would be a way to vicariously experience time that is being experienced by others, such that time becomes a relationship. Ultimately, this is how we’ve used time amongst humans, but it needs to be enlarged in terms of who is using and construing time together.
I’d initially been inclined to work with redwood trees because of a talk I gave at the College of the Redwoods years ago. In 02015, I was invited to give a talk at The Long Now Foundation. They’d heard about cameras I’d been making with hundred- and thousand-year-long exposure times. I came in saying that I’d like to propose something new rather than just talk about projects I’d done before. At that initial meeting, I re-encountered Alexander Rose, with whom I’d gone to grade school, and who had subsequently become the Executive Director of Long Now.
As I told him my ideas about redwood time reckoning, he mentioned the bristlecones. Immediately I knew that those were the trees. He told me about Mount Washington. Immediately I knew that that was the site. It all became obvious. It made perfect sense to do this on Mount Washington, and as you said, to work with a museum. The Nevada Museum of Art’s Center for Art + Environment was perfect because of the proximity.
For all these reasons I took a road trip to Reno with Alexander and Michael McElligott, who at the time was leading Long Now’s Interval lecture series. We made a presentation, and were met with silence. At first we thought it was befuddlement, but it turned out to be the silence of people giving serious thought to our proposal. Before we left, they said yes.
And that’s when you and I started talking. We talked about how the clock needed to be monumental in order to bring people together. It needed to have the monumental scale of a municipal clock. One of the most important decisions was to engage the master clockmaker Phil Abernethy and the antiquarian horologist Brittany Nicole Cox, who have the skills to make this mechanism a reality.
A rendering of the Centuries of the Bristlecone clock that will be on display at the Nevada Museum of Art. Render by clockmaker Phil Abernethy
Centuries of the Bristlecone will be a communal gathering point for a new time protocol. Each year or two, we’ll make a trip to Mount Washington, and get the measure of time from the trees by taking a microcore. The clock has a mechanism to measure and record the growth rate shown in the most recent tree ring, and to translate it into the rate at which a pendulum swings. This clock rate will also be available online for people to calibrate their smartphone, their watch, their scheduling software.
Using a Rolleicord camera, Keats created a daylong cyanotype capturing the process of installing the calendar in a single exposure. Photo by Justin Oliphant; cyanotype by Jonathon Keats
But trees are only one dimension of the project. I’ve also been working on a system that correlates the flow of time with the flow of a river. From minute to minute, the clock is unpredictable because the flow of rivers is stochastic, encouraging people to be in the moment. Over the long term, the time indicates changes in the climate through the impact of climate change on glacier melt, rainfall, and groundwater. Like the calendar around the sapling, the calendar on this clock provides an environmental feedback loop.
Several years ago, we projected the first instantiation of this clock onto the front of the Anchorage Museum, indicating time based on the flow of five rivers in Alaska. It was the first visible sign of what time might look like if it were not homogenized like Universal Coordinated Time, of what time might look like if we understood time to be pluralistic. I've also been collaborating on performances on rivers in Atlanta, calibrated by the flow of the Chattahoochee and its tributaries. And I'll be installing two erosion calendars in Atlanta in 02025 and 02026.
Alaska River Time engages a network of glacial and spring rivers to regulate a new kind of clock, which speeds up and slows down with the waters. The clock can be used to recalibrate all aspects of life from work schedules to personal relationships.
Time exists as a conversation between myriad beings and living systems. The conversation becomes accessible to us through a vernacular that we know. A system that is familiar to all humans draws us out into the world while simultaneously bringing the world into our lives.
Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.
Image: Tamer Tuncay, Shutterstock.com.
A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.
In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that “approximately 100 million notices have been sent regarding this breach.”
A notification letter from Change Healthcare said the breach involved the theft of:
-Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
-Billing Records: Records including payment cards, financial and banking records;
-Personal Data: Social Security number; driver’s license or state ID number;
-Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
The HIPAA Journalreports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.
Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.
That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.
A breach notification from Change Healthcare.
A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.
“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”
It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI declined to comment.
Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”
But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.
Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.
According to the HIPAA Journal, the biggest penalty imposed to date for a HIPAA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.
A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.
There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.
The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.
Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.
All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.
If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.
Once again, we take a look at the traditional "if (boolean) return true; else return false;" pattern. But today's, from RJ, offers us a bonus twist.
publicoverridebool IsValid
{
get
{
if (!base.IsValid)
returnfalse;
returntrue;
}
}
As promised, this is a useless conditional. return base.IsValid would do the job just as well. Except, that's the twist, isn't it. base is our superclass. We're overriding a method on our superclass to… just do what the base method does.
This entire function could just be deleted. No one would notice. And yet, it hasn't been. Everyone agrees that it should be, yet it hasn't been. No one's doing it. It just sits there, like a pimple, begging to be popped.
[Advertisement]
Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.
Author: Milo Brown William Smith was very proud of his name, not because it was a very good name (although it was) but because it granted him a certain level of anonymity. In William’s opinion, the only better name would be John Doe, since the name John Smith was made famous, and in turn infamous, […]
Another pure maintenance release 0.2.7 of the gcbd package is now on
CRAN. The gcbd proposes a
benchmarking framework for LAPACK and BLAS operations (as the library
can exchanged in a plug-and-play sense on suitable OSs) and records
result in local database. Its original motivation was to also compare to
GPU-based operations. However, as it is both challenging to keep CUDA
working packages on CRAN
providing the basic functionality appear to come and go so testing the
GPU feature can be challenging. The main point of gcbd is now to actually
demonstrate that ‘yes indeed’ we can just swap BLAS/LAPACK libraries
without any change to R, or R packages. The ‘configure / rebuild R for
xyz’ often seen with ‘xyz’ being Goto or MKL is simply plain wrong: you
really can just swap them (on proper operating systems, and R
configs – see the package vignette for more). But nomatter how often we
aim to correct this record, it invariably raises its head another
time.
This release accommodates a CRAN change request as we were
referencing the (now only suggested) package gputools. As
hinted in the previous paragraph, it was once on CRAN but is not right now so we
adjusted our reference.
Jon recently started a new project. When setting up his dev environment, one of his peers told him, "You can disable verbose logging by setting DEBUG_LOG=false in your config file."
Well, when Jon did that, the verbose logging remained on. When he asked his peers, they were all surprised to see that the flag wasn't turning off debug logging. "Hunh, that used to work. Someone must have changed something…" Everyone had enough new development to do that tracking down a low priority bug fell to Jon. It didn't take long.
constDEBUG_LOG = process.env.DEBUG_LOG || true
According to the blame, the code had been like this for a year, the commit crammed with half a dozen features, was made by a developer who was no longer with the company, and the message was simply "Debugging". Presumably, this was intended to be a temporary change that accidentally got committed and no one noticed or cared.
Jon fixed it, and moved on. There was likely going to be plenty more to find.
[Advertisement]
Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Author: Majoki “What a poetic way of expressing it, Sibyl,” Cassie warily admitted. She was walking along the stream that meandered through the glade, the aspens chattering in the stiffening evening breeze. *It’s true, Cassandra. The trees are chatty. They’re discussing the gathering storm.* Cassie tilted her head, as she did every time, Sibyl voiced […]
The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay.
I didn’t plan to go to Oklahoma, but I went to Oklahoma.
My day job is providing phone tech support to people in offices who use my boss’s customer-relationship management software. In theory, I can do that job from anywhere I can sit quietly on a good Internet connection for a few hours a day while I’m on shift. It’s a good job for an organizer, because it means I can go out in the field and still pay my rent, so long as I can park a rental car outside of a Starbucks, camp on their WiFi, and put on a noise-canceling headset. It’s also good organizer training because most of the people who call me are angry and confused and need to have something difficult and technical explained to them.
My comrades started leaving for Oklahoma the day the Water Protector camp got set up. A lot of them—especially my Indigenous friends—were veterans of the Line 3 Pipeline, the Dakota Access Pipeline, and other pipeline fights, and they were plugged right into that network.
The worse things got, the more people I knew in OK. My weekly affinity group meeting normally had twenty people at it. One week there were only ten of us. The next week, three. The next week, we did it on Zoom (ugh) and most of the people on the line were in OK, up on “Facebook Hill,” the one place in the camp with reliable cellular data signals.
Just a "warn your brothers" for people foolish enough to
use GKE and run on the Rapid release channel.
Update from version 1.31.1-gke.1146000 to 1.31.1-gke.1678000 is causing
trouble whenever NetworkPolicy resources and a readinessProbe (or health check)
are configured. As a workaround we started to remove the NetworkPolicy
resources. E.g. when kustomize is involved with a patch like this:
We tried to update to the latest version - right now 1.31.1-gke.2008000 - which
did not change anything.
Behaviour is pretty much erratic, sometimes it still works and sometimes the traffic
is denied. It also seems that there is some relevant fix in 1.31.1-gke.1678000
because that is now the oldest release of 1.31.1 which I can find in the regular and
rapid release channels. The last known good version 1.31.1-gke.1146000 is not
available to try a downgrade.
The number of FAIme jobs has reached 30.000. Yeah!
At the end of this November the FAIme web service for building customized ISOs turns 7 years old.
It had reached 10.000 jobs in March 2021 and 20.000 jobs were reached in
June 2023. A nice increase of the usage.
Here are some statistics for the jobs processed in 2024:
Type of jobs
3%
cloud image
11%
live ISO
86%
install ISO
Distribution
2%
bullseye
8%
trixie
12%
ubuntu 24.04
78%
bookworm
Misc
18% used a custom postinst script
11% provided their ssh pub key for passwordless root login
50% of the jobs didn't included a desktop environment at
all, the others used GNOME, XFCE or KDE or the Ubuntu desktop the most.
The biggest ISO was a FAIme job which created a live ISO with a desktop and some additional packages
This job took 30min to finish and the resulting ISO was 18G in size.
Execution Times
The cloud and live ISOs need more time for their creation because the
FAIme server needs to unpack and install all packages. For the install
ISO the packages are only downloaded. The amount of software
packages also affects the build time.
Every ISO is build in a VM on an old 6-core E5-1650 v2.
Times given are calculated from the jobs of the past two weeks.
Job type
Avg
Max
install no desktop
1 min
2 min
install GNOME
2 min
5 min
The times for Ubuntu without and with desktop are one minute higher than those mentioned above.
Job type
Avg
Max
live no desktop
4 min
6 min
live GNOME
8 min
11 min
The times for cloud images are similar to live images.
A New Feature
For a few weeks now, the system has been showing the number of jobs
ahead of you in the queue when you submit a job that cannot be
processed immediately.
The Next Milestone
At the end of this years the FAI project will be 25 years old.
If you have a success story of your FAI usage to share please post it
to the linux-fai mailing list or send it to me.
Do you know the FAI questionnaire ? A lot of
reports are already available.
Here's an overview what happened in the past 20 years in the FAI
project.
About FAIme
FAIme is the service for building your own customized ISO via a web
interface. You can create an installation or live ISO or a cloud
image. Several Debian releases can be selected and also Ubuntu
server or Ubuntu desktop installation ISOs can be customized.
Multiple options are available like selecting a desktop and the language, adding your own package
list, choosing a partition layout, adding a user, choosing a backports
kernel, adding a postinst script and some more.
Quality control is an important business function for any company. When your company is shipping devices with safety concerns, it's even more important. In some industries, a quality control failure is bound to be national headlines.
When the quality control software tool stopped working, everyone panicked. At which point, GRH stepped in.
Now, we've discussed this software and GRH before, but as a quick recap, it was:
written by someone who is no longer employed with the company, as part of a project managed by someone who is no longer at the company, requested by an executive who is also no longer at the company. There are no documented requirements, very few tests, and a lot of "don't touch this, it works".
And this was a quality control tool. So we're already in bad shape. It also had been unmaintained for years- a few of the QC engineers had tried to take it over, but weren't programmers, and it had essentially languished.
Specifically, it was a quality control tool used to oversee the process by about 50 QC engineers. It automates a series of checks by wrapping around third party software tools, in a complex network of "this device gets tested by generating output in program A, feeding it to program B, then combining the streams and sending them to the device, but this device gets tested using programs D, E, and F."
The automated process using the tool has a shockingly low error rate. Without the tool, doing things manually, the error rate climbs to 1-2%. So unless everyone wanted to see terrifying headlines in the Boston Globe about their devices failing, GRH needed to fix the problem.
GRH was given the code, in this case a a zip file on a shared drive. It did not, at the start, even build. After fighting with the project configuration to resolve that, GRH was free to start digging in deeper.
PublicSub connect2PCdb()
Dim cPath As String = Path.Combine(strConverterPath, "c.pfx")
Dim strCN As String
' JES 12/6/2016: Modify the following line if MySQL server is changed to a different server. A dump file will be needed to re-create teh database in the new server.
strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;database=REDACTED;sslmode=Required;certificatepassword=REDACTED;certificatefile=REDACTED\c.pfx;password=REDACTED'"
strCN = Regex.Replace(strCN, "certificatefile=.*?pfx", "certificatefile=" & cPath)
pcContext = New Entities(strCN)
strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;persistsecurityinfo=True;database=REDACTED;password=REDACTED'"
strCN = Regex.Match(strCN, ".*'(.*)'").Groups(1).Value
Try
strCN = pcContext.Database.Connection.ConnectionString
cnPC.ConnectionString = "server=REDACTED;user id=REDACTED;password=REDACTED;database=REDACTED;"
cnPC.Open()
Catch ex As Exception
End Try
EndSub
This is the code which connects to the backend database. The code is in the category of more of a trainwreck than a WTF. It's got a wonderful mix of nonsense in here, though- a hard-coded connection string which includes plaintext passwords, regex munging to modify the string, then hard-coding a string again, only to use regexes to extract a subset of the string. A subset we don't use.
And then, for a bonus, the whole thing has a misleading comment- "modify the following line" if we move to a different server? We have to modify several lines, because we keep copy/pasting the string around.
Oh, and of course, it uses the pattern of "open a database connection at application startup, and just hold that connection forever," which is a great way to strain your database as your userbase grows.
The good news about the hard-coded password is that it got GRH access to the database. With that, it was easy to see what the problem was: the database was full. The system was overly aggressive with logging, the logs went to database tables, the server was an antique with a rather small hard drive, and the database wasn't configured to even use all of that space anyway.
Cleaning up old logs got the engineers working again. GRH kept working on the code, though, cleaning it up and modernizing it. Updating to latest version of the .NET Core framework modified the data access to be far simpler, and got rid of the need for hard-coded connection strings. Still, GRH left the method looking like this:
PublicSub connect2PCdb()
'Dim cPath As String = Path.Combine(strConverterPath, "c.pfx")'Dim strCN As String' JES 12/6/2016: Modify the following line if MySQL server is changed to a different server. A dump file will be needed to re-create teh database in the new server.'strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;database=REDACTED;sslmode=Required;certificatepassword=REDACTED;certificatefile=REDACTED\c.pfx;password=REDACTED'"'strCN = Regex.Replace(strCN, "certificatefile=.*?pfx", "certificatefile=" & cPath)'pcContext = New Entities(strCN)'strCN = "metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=MySql.Data.MySqlClient;provider connection string='server=REDACTED;user id=REDACTED;persistsecurityinfo=True;database=REDACTED;password=REDACTED'"'strCN = Regex.Match(strCN, ".*'(.*)'").Groups(1).Value'GRH 2021-01-15. Connection information moved to App.Config'GRH 2021-08-13. EF Core no longer supports App.Config method
pcContext = New PcEntities
Try
' GRH 2021-08-21 This variable no longer exists in .NET 5'strCN = pcContext.Database.Connection.ConnectionString' GRH 2021-08-20 Keeping the connection open causes EF Core to not work'cnPC.ConnectionString = "server=REDACTED;user id=REDACTED;password=REDACTED;database=REDACTED;SslMode=none"'cnPC.Open()
Catch ex As Exception
End Try
EndSub
It's now a one-line method, with most of the code commented out, instead of removed. Why on Earth is the method left like that?
GRH explains:
Yes, I could delete the function as it is functionally dead, but I keep it for the same reasons that a hunter mounts a deer's head above her mantle.
[Advertisement] Plan Your .NET 9 Migration with Confidence Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!
Author: Julian Miles, Staff Writer Abby whips her wing-tentacles about, making little ‘cracks’ of delight as a gigantic silver dinosaur walks by, its crystal eyes filled with icy fire. Every footfall causes things to shake and drinks to splash about in their cups – unless they’re being carried on the spindly spider-legged copper tables that […]
Before getting into Science as the ultimate accountability process, let me allow that I am biased in favor of this scientific era! Especially after last weekend when Caltech - my alma mater - honored me - along with three far-more-deserving others - as Distinguished Alumnus. Seems worth noting. Especially since it is one honor I truly never expected!
You readers of Contrary Brin might be surprised that, with the crucial US election looming, I'm gonna step back from cliff-edge politics, to offer some Big Picture Perspective about how science works... and civilization, in general.
But I think maybe perspective is kinda what we need, right now.
== How did we achieve the flawed miracle that we now have... and take too much for granted? ==
All the way back to our earliest records, civilization has faced a paramount problem. How can we maintain and improve a decent society amid our deeply human propensity for lies and delusion?
As recommended by Pericles around 300 BCE… then later by Adam Smith and the founders of our era… humanity has only ever found one difficult but essential trick that actually works at freeing leaders and citizens to craft policy relatively - or partially - free from deception and falsehoods.
That trick is NOT preaching or ‘don’t lie’ commandments. Sure, for 6000 years, top elites finger-wagged and passed laws against such stuff... only to become top liars and self-deceivers! Bringing calamities down upon the nations and peoples that they led.
Laws can help. But the truly ’essential trick’ that we’ve gradually become somewhat good-at is Reciprocal Accountability … freeing rival powers and even average citizens to keep an eye on each other laterally. Speaking up when we see what we perceive as lies or mistakes.
== How we've done this... a method under threat! ==
Yeah, sometimes it’s the critic who is wrong, and conventional wisdom can be right!
Indeed, one of today's mad manias is to assume that experts - who spent their lives studying a topic closely - must be clueless compared to those who are 'informed' by Facebook memes and cable news rants.
Still, Criticism Is the Only Known Antidote to Error (CITOKATE!)...
...and one result of free speech criticism is a system that’s open enough to spot most errors – even those by the mighty – and criticize them (sometimes just in time and sometimes too late) so that many (never all!) of them get corrected.
We aren’t yet great at it! Though better than all prior generations. And at the vanguard in this process is science.
== The horrible, ingrate reflex is NOT 'questioning authority' ==
Sure, scientists are human and subject to the same temptations to self-deceive or even tell lies. We who were trained in a scientific field (or two or three) were taught to recite the sacred catechism of science: “I might be wrong!”
That core tenet – plus piles of statistical and error-checking techniques – made modern science different – and vastly more effective (and less hated) -- than all or any previous priesthoods. Still, we remain human. And delusion in science can have weighty consequences.
Which brings us to this article by Chris Said: "Scientific whistleblowers can be compensated for their service." It begins with a paragraph that’s both true and also way exaggerates!Still, the author poses a problem that needs an answer:
“Science has a fraud problem. Highly cited research is often based on faked data, which causes other researchers to pursue false leads. In medical research, the time wasted by followup studies can delay the discovery of effective treatments for serious diseases, potentially causing millions of lives to be lost.”
As I said: that’s an exaggeration – one that feeds into today’s Mad Right, in its all-out war vs. every fact-using profession. (Not just science, but also teaching, medicine and law and civil service... all the way to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror.)
Still, the essay is worth reading for its proposed solution. Which boils down to do more reciprocal accountability, only do it better!
The proposal would start with the fact that most scientists are competitive creatures! Among the most competitive that this planet ever produced – nothing like the lemming, paradigm-hugger stereotype spread by some on the far-left... and by almost everyone on today’s entire gone-mad right.
Only this author proposes that we then augment that competitiveness with whistle blower rewards**, to incentivize the cross-checking process with cash prizes.
So, sure… the article is worth a look - and more discussion.
Just watch it when yammerers attack science in general with the 'lemming' slander. Demand cash wagers over that one!
== A useful tech rule-of-thumb? ==
Do you know the “hype cycle curve”?That’s an observational/pragmatic correlation tool devised by Gartner in the 90s, for how new technologies often attract heaps of zealous attention, followed by a crash of disillusionment, when even the most promising techs encounter obstacles to implementation, and many just prove wrong.
That trough is followed, in a few cases, by a more grounded rise in solid investment, as productivity takes hold. (It happened repeatedly with railroads and electricity and later with computers and the Internet and seems to be happening with AI.) The inimitable Sabine Hossenfelder offers a podcast about this, using recent battery tech developments as examples.
Your takeaways: yes, it seems that some battery techs may deliver major good news pretty soon. And remember this ‘hype cycle’ thing is correlative, not causative. It has almost no predictive utility in individual cases.
But the final take-away is also important. That progress is being made! Across many fronts and very rapidly. And every single thing you are being told by the remnant denialist cult about the general trend toward sustainable technologies is a damned lie.
Take this jpeg I just copied from the newsletter of Peter Diamandis, re: the rapidly maturing tech of perovskite based solar cells, which have a theoretically possible efficiency of 66%, double that of silicon. (And many of you first saw the word “perovskite” in my novel Earth, wherein I pointed out that most high-temp superconductors take that mineral form… and so does most of the Earth’s mantle. Put those two together!)
Do subscribe to Peter’s Abundance Newsletter, as an antidote to the gloom that’s spread by today’s entire gone-mad-right and by much of today’s dour, farthest-fringe-left.
The latter are counter-productive sanctimony junkies, irritating but statistically unimportant as we make progress without much help from them.
The former are a monstrously insane, science-hating treason-cult that’s potentially lethal to our civilization and world and our children. And for those mouth-foaming neighbors of ours, the only cure will be victory – yet again, and with malice toward none – by the Union side in this latest phase of our recurring confederate fever.
======
** The 1986 Whistle Blower law, enticing tattle-tales with up to 30% cuts of any $$ recovered by the US taxpayers, has just been gutted by a Trump appointed (and ABA 'not-qualified') judge. Gee, I wonder why?
This looks straightforward and is far from it. I expect tool support will
improve in the future. Meanwhile, this blog post serves as a step by step
explanation for what is going on in code that I'm about to push to my team.
Let's take this relatively straightforward python code. It has a function
printing an int, and a decorator that makes it argument optional, taking it
from a global default if missing:
It lacks functools.wraps and typing, though. Let's add them.
Adding functools.wraps
Adding a simple @functools.wraps, mock unexpectedly stops working:
# python3 test1.py
Answer: 12
Answer: 42
Mocked answer: 12
Traceback (most recent call last):
File "/home/enrico/lavori/freexian/tt/test1.py", line 42, in <module>
fiddle.print()
File "<string>", line 2, in print
File "/usr/lib/python3.11/unittest/mock.py", line 186, in checksig
sig.bind(*args, **kwargs)
File "/usr/lib/python3.11/inspect.py", line 3211, in bind
return self._bind(args, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/inspect.py", line 3126, in _bind
raise TypeError(msg) from None
TypeError: missing a required argument: 'value'
This is the new code, with explanations and a fix:
# Introduce functoolsimportfunctoolsfromunittestimportmockdefault=42defwith_default(f):@functools.wraps(f)defwrapped(self,value=None):ifvalueisNone:value=defaultreturnf(self,value)# Fix:# del wrapped.__wrapped__returnwrappedclassFiddle:@with_defaultdefprint(self,value):assertvalueisnotNoneprint("Answer:",value)fiddle=Fiddle()fiddle.print(12)fiddle.print()defmocked(self,value=None):print("Mocked answer:",value)withmock.patch.object(Fiddle,"print",autospec=True,side_effect=mocked):fiddle.print(12)# mock's autospec uses inspect.getsignature, which follows __wrapped__ set# by functools.wraps, which points to a wrong signature: the idea that# value is optional is now lostfiddle.print()
Adding typing
For simplicity, from now on let's change Fiddle.print to match its wrapped signature:
# Give up with making value not optional, to simplify things :(defprint(self,value:int|None=None)->None:assertvalueisnotNoneprint("Answer:",value)
Typing with ParamSpec
# Introduce typing, try with ParamSpecimportfunctoolsfromtypingimportTYPE_CHECKING,ParamSpec,Callablefromunittestimportmockdefault=42P=ParamSpec("P")defwith_default(f:Callable[P,None])->Callable[P,None]:# Using ParamSpec we forward arguments, but we cannot use them!@functools.wraps(f)defwrapped(self,value:int|None=None)->None:ifvalueisNone:value=defaultreturnf(self,value)returnwrappedclassFiddle:@with_defaultdefprint(self,value:int|None=None)->None:assertvalueisnotNoneprint("Answer:",value)
mypy complains inside the wrapper, because while we forward arguments we don't
constrain them, so we can't be sure there is a value in there:
test2.py:17: error: Argument 2 has incompatible type "int"; expected "P.args" [arg-type]
test2.py:19: error: Incompatible return value type (got "_Wrapped[P, None, [Any, int | None], None]", expected "Callable[P, None]") [return-value]
test2.py:19: note: "_Wrapped[P, None, [Any, int | None], None].__call__" has type "Callable[[Arg(Any, 'self'), DefaultArg(int | None, 'value')], None]"
Typing with Callable
We can use explicit Callable argument lists:
# Introduce typing, try with CallableimportfunctoolsfromtypingimportTYPE_CHECKING,Callable,TypeVarfromunittestimportmockdefault=42A=TypeVar("A")# Callable cannot represent the fact that the argument is optional, so now mypy# complains if we try to omit itdefwith_default(f:Callable[[A,int|None],None])->Callable[[A,int|None],None]:@functools.wraps(f)defwrapped(self:A,value:int|None=None)->None:ifvalueisNone:value=defaultreturnf(self,value)returnwrappedclassFiddle:@with_defaultdefprint(self,value:int|None=None)->None:assertvalueisnotNoneprint("Answer:",value)ifTYPE_CHECKING:reveal_type(Fiddle.print)fiddle=Fiddle()fiddle.print(12)# !! Too few arguments for "print" of "Fiddle" [call-arg]fiddle.print()defmocked(self,value=None):print("Mocked answer:",value)withmock.patch.object(Fiddle,"print",autospec=True,side_effect=mocked):fiddle.print(12)fiddle.print()
Now mypy complains when we try to omit the optional argument, because Callable
cannot represent optional arguments:
test3.py:32: note: Revealed type is "def (test3.Fiddle, Union[builtins.int, None])"
test3.py:37: error: Too few arguments for "print" of "Fiddle" [call-arg]
test3.py:46: error: Too few arguments for "print" of "Fiddle" [call-arg]
Callable cannot express complex signatures such as functions that take a
variadic number of arguments, overloaded functions, or functions that have
keyword-only parameters. However, these signatures can be expressed by
defining a Protocol class with a call() method:
Let's do that!
Typing with Protocol, take 1
# Introduce typing, try with ProtocolimportfunctoolsfromtypingimportTYPE_CHECKING,Protocol,TypeVar,Generic,castfromunittestimportmockdefault=42A=TypeVar("A",contravariant=True)classPrinter(Protocol,Generic[A]):def__call__(_,self:A,value:int|None=None)->None:...defwith_default(f:Printer[A])->Printer[A]:@functools.wraps(f)defwrapped(self:A,value:int|None=None)->None:ifvalueisNone:value=defaultreturnf(self,value)returncast(Printer,wrapped)classFiddle:# function has a __get__ method to generated bound versions of itself# the Printer protocol does not define it, so mypy is now unable to type# the bound method correctly@with_defaultdefprint(self,value:int|None=None)->None:assertvalueisnotNoneprint("Answer:",value)ifTYPE_CHECKING:reveal_type(Fiddle.print)fiddle=Fiddle()# !! Argument 1 to "__call__" of "Printer" has incompatible type "int"; expected "Fiddle"fiddle.print(12)fiddle.print()defmocked(self,value=None):print("Mocked answer:",value)withmock.patch.object(Fiddle,"print",autospec=True,side_effect=mocked):fiddle.print(12)fiddle.print()
New mypy complaints:
test4.py:41: error: Argument 1 to "__call__" of "Printer" has incompatible type "int"; expected "Fiddle" [arg-type]
test4.py:42: error: Missing positional argument "self" in call to "__call__" of "Printer" [call-arg]
test4.py:50: error: Argument 1 to "__call__" of "Printer" has incompatible type "int"; expected "Fiddle" [arg-type]
test4.py:51: error: Missing positional argument "self" in call to "__call__" of "Printer" [call-arg]
What happens with class methods, is that the function object has a __get__
method that generates a bound versions of itself. Our Printer protocol does not
define it, so mypy is now unable to type the bound method correctly.
Typing with Protocol, take 2
So... we add the function descriptor methos to our Protocol!
# Introduce typing, try with Protocol, harder!importfunctoolsfromtypingimportTYPE_CHECKING,Protocol,TypeVar,Generic,cast,overload,Unionfromunittestimportmockdefault=42A=TypeVar("A",contravariant=True)# We now produce typing for the whole function descriptor protocol## See https://github.com/python/typing/discussions/1040classBoundPrinter(Protocol):"""Protocol typing for bound printer methods."""def__call__(_,value:int|None=None)->None:"""Bound signature."""classPrinter(Protocol,Generic[A]):"""Protocol typing for printer methods."""# noqa annotations are overrides for flake8 being confused, giving either D418:# Function/ Method decorated with @overload shouldn't contain a docstring# or D105:# Missing docstring in magic method## F841 is for vulture being confused:# unused variable 'objtype' (100% confidence)@overloaddef__get__(# noqa: D105self,obj:A,objtype:type[A]|None=None# noqa: F841)->BoundPrinter:...@overloaddef__get__(# noqa: D105self,obj:None,objtype:type[A]|None=None# noqa: F841)->"Printer[A]":...def__get__(self,obj:A|None,objtype:type[A]|None=None# noqa: F841)->Union[BoundPrinter,"Printer[A]"]:"""Implement function descriptor protocol for class methods."""def__call__(_,self:A,value:int|None=None)->None:"""Unbound signature."""defwith_default(f:Printer[A])->Printer[A]:@functools.wraps(f)defwrapped(self:A,value:int|None=None)->None:ifvalueisNone:value=defaultreturnf(self,value)returncast(Printer,wrapped)classFiddle:# function has a __get__ method to generated bound versions of itself# the Printer protocol does not define it, so mypy is now unable to type# the bound method correctly@with_defaultdefprint(self,value:int|None=None)->None:assertvalueisnotNoneprint("Answer:",value)fiddle=Fiddle()fiddle.print(12)fiddle.print()defmocked(self,value=None):print("Mocked answer:",value)withmock.patch.object(Fiddle,"print",autospec=True,side_effect=mocked):fiddle.print(12)fiddle.print()
Author: Brooks C. Mendell “Where is she?” asked Dr. Nemur, holding her glasses in place while looking under a chair. “Relax, Doc,” said Burt. “It’s only a mouse. We’ll find her.” “Only a mouse?” said Nemur. “Her frontal cortex packs more punch than your bird brain.” “I get it,” said Burt. “I’m not your type.” […]
I didn’t plan to go to Oklahoma, but I went to Oklahoma.
My day job is providing phone tech support to people in offices who use my boss’s customer-relationship management software. In theory, I can do that job from anywhere I can sit quietly on a good Internet connection for a few hours a day while I’m on shift. It’s a good job for an organizer, because it means I can go out in the field and still pay my rent, so long as I can park a rental car outside of a Starbucks, camp on their WiFi, and put on a noise-canceling headset. It’s also good organizer training because most of the people who call me are angry and confused and need to have something difficult and technical explained to them.
My comrades started leaving for Oklahoma the day the Water Protector camp got set up. A lot of them—especially my Indigenous friends—were veterans of the Line 3 Pipeline, the Dakota Access Pipeline, and other pipeline fights, and they were plugged right into that network.
The worse things got, the more people I knew in OK. My weekly affinity group meeting normally had twenty people at it. One week there were only ten of us. The next week, three. The next week, we did it on Zoom (ugh) and most of the people on the line were in OK, up on “Facebook Hill,” the one place in the camp with reliable cellular data signals.
I didn’t plan to go to Oklahoma, but I went to Oklahoma.
My day job is providing phone tech support to people in offices who use my boss’s customer-relationship management software. In theory, I can do that job from anywhere I can sit quietly on a good Internet connection for a few hours a day while I’m on shift. It’s a good job for an organizer, because it means I can go out in the field and still pay my rent, so long as I can park a rental car outside of a Starbucks, camp on their WiFi, and put on a noise-canceling headset. It’s also good organizer training because most of the people who call me are angry and confused and need to have something difficult and technical explained to them.
My comrades started leaving for Oklahoma the day the Water Protector camp got set up. A lot of them—especially my Indigenous friends—were veterans of the Line 3 Pipeline, the Dakota Access Pipeline, and other pipeline fights, and they were plugged right into that network.
The worse things got, the more people I knew in OK. My weekly affinity group meeting normally had twenty people at it. One week there were only ten of us. The next week, three. The next week, we did it on Zoom (ugh) and most of the people on the line were in OK, up on “Facebook Hill,” the one place in the camp with reliable cellular data signals.
Again this year, Arm offered to
host us for
a mini-debconf
in Cambridge. Roughly 60 people turned up on 10-13 October to the Arm
campus, where they made us really welcome. They even had some
Debian-themed treats made to spoil us!
Hacking together
For the first two days, we had a "mini-debcamp" with disparate
group of people working on all sorts of things: Arm support, live
images, browser stuff, package uploads, etc. And (as is traditional)
lots of people doing last-minute work to prepare slides for their
talks.
Sessions and talks
Saturday and Sunday were two days devoted to more traditional
conference sessions. Our talks covered a typical range of Debian
subjects: a DPL "Bits" talk, an update from the Release Team, live
images. We also had some wider topics: handling your own data, what to
look for in the upcoming Post-Quantum Crypto world, and even me
talking about the ups and downs of Secure Boot. Plus a random set of
lightning talks too! :-)
Video team awesomeness
Lots of volunteers from the DebConf video team were on hand too
(both on-site and remotely!), so our talks were both streamed live and
recorded for posterity - see the links from the individual talk pages
in the wiki,
or http://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Cambridge/
for the full set if you'd like to see more.
A great time for all
Again, the mini-conf went well and feedback from attendees was very
positive. Thanks to all our helpers, and of course to our
sponsor: Arm for providing the venue
and infrastructure for the event, and all the food and drink too!
Photo credits: Andy Simpkins, Mark Brown, Jonathan Wiltshire. Thanks!
Late last month there was an announcement of a “severity 9.9 vulnerability” allowing remote code execution that affects “all GNU/Linux systems (plus others)” [1]. For something to affect all Linux systems that would have to be either a kernel issue or a sshd issue. The announcement included complaints about the lack of response of vendors and “And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix”.
He seems to have a different experience to me of reporting bugs, I have had plenty of success getting bugs fixed without hyping them. I just report the bug, wait a while, and it gets fixed. I have reported potential security bugs without even bothering to try and prove that they were exploitable (any situation where you can make a program crash is potentially exploitable), I just report it and it gets fixed. I was very dubious about his ability to determine how serious a bug is and to accurately report it so this wasn’t a situation where I was waiting for it to be disclosed to discover if it affected me. I was quite confident that my systems wouldn’t be at any risk.
Analysis
Not All Linux Systems Run CUPS
When it was published my opinion was proven to be correct, it turned out to be a series of CUPS bugs [2]. To describe that as “all GNU/Linux systems (plus others)” seems like a vast overstatement, maybe a good thing to say if you want to be a TikTok influencer but not if you want to be known for computer security work.
For the Debian distribution the cups-browsed package (which seems to be the main exploitable one) is recommended by cups-daemon, as I have my Debian systems configured to not install recommended packages by default that means that it wasn’t installed on any of my systems. Also the vast majority of my systems don’t do printing and therefore don’t have any part of CUPS installed.
CUPS vs NAT
The next issue is that in Australia most home ISPs don’t have IPv6 enabled and CUPS doesn’t do the things needed to allow receiving connections from the outside world via NAT with IPv4. If inbound port 631 is blocked on both TCP and USP as is the default on Australian home Internet or if there is a correctly configured firewall in place then the network is safe from attack. There is a feature called uPnP port forwarding [3] to allow server programs to ask a router to send inbound connections to them, this is apparently usually turned off by default in router configuration. If it is enabled then there are Debian packages of software to manage this, the miniupnpc package has the client (which can request NAT changes on the router) [4]. That package is not installed on any of my systems and for my home network I don’t use a router that runs uPnP.
The only program I knowingly run that uses uPnP is Warzone2100 and as I don’t play network games that doesn’t happen. Also as an aside in version 4.4.2-1 of warzone2100 in Debian and Ubuntu I made it use Bubblewrap to run the game in a container. So a Remote Code Execution bug in Warzone 2100 won’t be an immediate win for an attacker (exploits via X11 or Wayland are another issue).
To check SE Linux access I first use the “semanage fcontext” command to check the context of the binary, cupsd_exec_t means that the daemon runs as cupsd_t. Then I checked what file access is granted with the sesearch program, mostly just access to temporary files, cupsd config files, the faillog, the Kerberos cache files (not used on the Kerberos client systems I run), Samba run files (might be a possibility of exploiting something there), and the security_t used for interfacing with kernel security infrastructure. I then checked the access to the security class and found that it is permitted to check contexts and access-vectors – not access that can be harmful.
The next test was to use sesearch to discover what capabilities are granted, which unfortunately includes the sys_admin capability, that is a capability that allows many sysadmin tasks that could be harmful (I just checked the Fedora source and Fedora 42 has the same access). Whether the sys_admin capability can be used to do bad things with the limited access cupsd_t has to device nodes etc is not clear. But this access is undesirable.
So the SE Linux policy in Debian and Fedora will stop cupsd_t from writing SETUID programs that can be used by random users for root access and stop it from writing to /etc/shadow etc. But the sys_admin capability might allow it to do hostile things and I have already uploaded a changed policy to Debian/Unstable to remove that. The sys_rawio capability also looked concerning but it’s apparently needed to probe for USB printers and as the domain has no access to block devices it is otherwise harmless. Below are the commands I used to discover what the policy allows and the output from them.
This is an example of how not to handle security issues. Some degree of promotion is acceptable but this is very excessive and will result in people not taking security announcements seriously in future. I wonder if this is even a good career move by the researcher in question, will enough people believe that they actually did something good in this that it outweighs the number of people who think it’s misleading at best?
Author: Mark Renney The island is getting smaller, but those who reside in the Tower are in denial. Hiding behind the steel rafters and columns and the reinforced sheets of glass that comprise the walls of their homes, they won’t accept that a very real danger lurks beyond their windows. The occupants of the Tower, […]
Whilst researching what synth to buy, I learned of the Behringer1
Model-D2: a 2018 clone of the 1970 Moog Minimoog, in a desktop form
factor.
Behringer Model-D
In common with the original Minimoog, it's a monophonic analogue synth,
featuring three audible oscillators3 , Moog's famous 12-ladder filter and
a basic envelope generator. The model-d has lost the keyboard from the
original and added some patch points for the different stages, enabling
some slight re-routing of the audio components.
1970 Moog Minimoog
Since I was focussing on more fundamental, back-to-basics
instruments,
this was very appealing to me. I'm very curious to find out what's so compelling
about the famous Moog sound. The relative lack of features feels like an
advantage: less to master. The additional patch points makes it a little
more flexible and offer a potential gateway into the world of modular synthesis.
The Model-D is also very affordable: about £ 200 GBP. I'll never
own a real Moog.
For this to work, I would need to supplement it with some other equipment.
I'd need a keyboard (or press the Micron into service as a controller); I
would want some way of recording and overdubbing (same as with any synth).
There are no post-mix effects on the Model-D, such as delay, reverb or
chorus, so I may also want something to add those.
What stopped me was partly the realisation that there was little chance that a
perennial beginner, such as I, could eek anything novel out of a synthesiser
design that's 54 years old. Perhaps that shouldn't matter, but it gave me
pause. Whilst the Model-D has patch points, I don't have anything to connect
to them, and I'm firmly wanting to avoid the Modular Synthesis money pit.
The lack of effects, and polyphony could make it hard to live-sculpt a tone.
I started characterizing the Model-D as the "heart" choice, but it seemed
wise to instead go for a "head" choice.
Maybe another day!
There's a whole other blog post of material I could write about
Behringer and their clones of classic synths, some long out of production,
and others, not so much. But, I decided to skip on that for now.↩
taken from the fact that the Minimoog was a productised version
of Moog's fourth internal prototype, the model D.↩
Researchers at Google havedeveloped a watermark for LLM-generated text. The basics are pretty obvious: the LLM chooses between tokens partly based on a cryptographic key, and someone with knowledge of the key can detect those choices. What makes this hard is (1) how much text is required for the watermark to work, and (2) how robust the watermark is to post-generation editing. Google’s version looks pretty good: it’s detectable in text as small as 200 tokens.
No obvious pattern fell out of last week's submissions for Error'd, but I did especially like Caleb Su's example.
Michael R.
, apparently still job hunting, reports
"I have signed up to outlier.ai to make some $$$ on the side. No instructions necessary."
Â
Peter G.
repeats a recurring theme of lost packages, saying
"(Insert obligatory snark about Americans and geography.
No, New Zealand isn't located in Washington DC)." A very
odd coincidence, since neither the lat/long nor the zip code
are particularly interesting.
Â
"The Past Is Mutable," declares
Caleb Su
, explaining
"In the race to compete with Gmail feature scheduling
emails to send in the *future*, Outlook now lets you
send emails in the past! Clearly, someone at Microsoft
deserves a Nobel Prize for defying the basic laws of
unidirectional time." That's thinking different.
Â
Explorer
xOneca
explains this snapshot:
"Was going to watch a Youtube video in DuckDuckGo, and
while diagnosing why it wasn't playing I found this. It
seems that youtube-nocookie.com actually *sets* cookies..?"
Â
Morgan
either found or made a funny. But it is a funny.
"Now when I think about it I do like Option 3 more…"
I rate this question a 👎
Â
[Advertisement]
ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.
Author: David Barber This was back in 1937, in Wheaton, Illinois, where Grote Reber built a radio telescope to track down persistent background noise that was annoying Bell Telephone Labs. The Depression still lingered and Bell wouldn’t employ him, but in his spare time Reber built a 30-foot dish in his mother’s back yard and […]
After reading about Jonathan McDowell feed reader install and the back to blogging initiative, I decided to install a feed reader to follow all those nice blog posts. With a feed reader you can compose your own feed of news based on blog posts, websites, mastodon toots. And then you are independant from ad oriented ranking algorithms of social networks.
Since Jonathan used FreshRSS as a feed reader, I started with the same software. On a quick glance on its github page, it sounded like a good project:
active contributions
different channels for stable and latest version of the software
container images pointing to the stable release
support multiple databases for storage, including PostgreSQL
correct documentation mentioning security caveats
I prefer to do the container image installation using podman since:
upgrades from FreshRSS are easy to do and can be done separately from operating system upgrades
I do not mess my based operating system with php (subjective) and in case of a compromized freshrss, the freshrss/apache install would be still restrained to its own Linux namespaces, separated from the rest of the system.
Podman is image compatible with Docker as they both implement the OCI runtime specification, and have a nearly identical command line interface. This installation will be done on a Debian server, but should work too on any Linux distribution.
Initial setup
start a container image based on the start command provided by the FreshRSS project. The podman command line is nearly identical to the docker command line, excepts that podman expects the fully qualified domain name associated with the container image, and I chose to run the freshrss container on the localhost interface only. I also use a defined version tag, because using the latest tag makes it complicated to track which exact ersion I have installed.
Podman has this very nice feature that it can generate a systemd unit from a running container, and use systemd to start a container on boot. This is in contrary to docker where the docker daemon does the stop/start of containers on boot.
I prefer the systemd approach as it treats containers the same way as other system services.
Once the freshrss container is running we can generate a systemd unit of it with:
# podman generate systemd --new --name freshrss | tee /etc/systemd/system/container-freshrss.service
Let’s stop the container we started previously, and use systemd to manage it:
We can verify that we have a listening socket on the localhost interface, on the source port 8081
# systemctl status container-freshrss.service
...
# ss --listening --numeric --process '( sport = 8081 )'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 4096 127.0.0.1:8081 0.0.0.0:* users:(("conmon",pid=4464,fd=5))
Nota Bene: conmon (8) is the process managing the network namespace in which fresh-rss is running, hence it is displayed as the process owning the listening socket
Exposing FreshRSS to the external world
We have now a running service, but we need to make it reachable from the internet.
The simplest, classical way, is to create a subdomain and a VirtualHost configured as a reverse proxy to access the service at 127.0.0.1:8081. Fortunately the FreshRSS authors have documented this setup in https://github.com/FreshRSS/FreshRSS/tree/edge/Docker#alternative-reverse-proxy-using-apache
and those steps are no different from a standard application behind a web reverse proxy.
Upgrading freshrss container to a newer version
A documentation showing how to install a piece of software is nothing when
it does not show how to upgrade that said software. Installing is easy, upgrading is where the challenge is. Fortunately to the good stateless design of freshrss (everything is in the sqlite database, which is backed by a non-epheremal volume in our setup), switchting versions is a peace of cake.
As a general rule, if you're using an RDBMS and can solve your problem using SQL, you should solve your problem using SQL. It's how we avoid doing joins or sorts in our application code, which is always a good thing.
But this is a general rule. And Jasmine sends us one where solving the problem as a query was a bad idea.
ALTERFUNCTION [dbo].[GetName](@EntityIDint)
RETURNSvarchar(200)
ASBEGINdeclare@Namevarchar(200)
select@Name=case E.EntityType
when'Application'then A.ApplicationName
when'Automation'then'Automated Process'when'Group'then G.GroupName
when'Organization'then O.OrgName
when'Person'then P.FirstName +' '+ P.LastName
when'Resource'then R.ResourceName
when'Batch'then B.BatchComment
endfrom Entities E
leftjoin AP_Applications A on E.EntityID = A.EntityID
leftjoin CN_Groups G on E.EntityID = G.EntityID
leftjoin CN_Organizations O on E.EntityID = O.EntityID
leftjoin CN_People P on E.EntityID = P.EntityID
leftjoin Resources R on E.EntityID = R.EntityID
leftjoin AR_PaymentBatches B on E.EntityID = B.EntityID
where E.EntityID =@EntityIDreturn@NameEND
The purpose of this function is to look up the name of an entity. Depending on the kind of entity we're talking about, we have to pull that name from a different table. This is a very common pattern in database normalization- a database equivalent of inheritance. All the common fields to all entities get stored in an Entities table, while specific classes of entity (like "Applications") get their own table which joins back to the Entities table.
On the surface, this code doesn't even really look like a WTF. By the book, this is really how you'd write this kind of function- if we were going by the book.
But the problem was that these tables were frequently very large, and even with indexes on the EntityID fields, it simply performed horribly. And since "showing the name of the thing you're looking at" was a common query, that performance hit added up.
The fix was easy- write out seven unique functions- one for each entity type- and then re-write this function to use an IF statement to decide which one to execute. The code was simpler to understand and read, and performed much faster.
In the end, perhaps not really a WTF, or perhaps the root WTF is some of the architectural decisions which allow this to exist (why a function for getting the name, and the name alone, which means we execute this query independently and not part of a more meaningful join?). But I think it's an interesting example of how "this is the right way to do it" can lead to some unusual outcomes.
[Advertisement]
Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Author: Stuart Wilson The Art of Learning a Language ̈Japanese must be easy. ̈ I had to shout over the traffic. And the person to whom I was shouting was quite far below now. ̈ ̈There are not so many unusual sounds, ̈ I continued, trying to twist my neck into the sort of angle […]
Happy Maladay1 to those who celebrate it, I guess.
If you care about the how, it started as china ink on tracing paper,
with the help of a template (and a correction sheet for one page where I
used the wrong line on the template).
A rubber stamp was carved with the author’s signature and stamped on
white paper because the ink from the pad wasn’t working well on tracing
paper.
Then everything was scanned (with the correction on top of the wrong
page) asemic_zine_scans.tar.
An advocacy groups is filing a Fourth Amendment challenge against automatic license plate readers.
“The City of Norfolk, Virginia, has installed a network of cameras that make it functionally impossible for people to drive anywhere without having their movements tracked, photographed, and stored in an AI-assisted database that enables the warrantless surveillance of their every move. This civil rights lawsuit seeks to end this dragnet surveillance program,” the lawsuit notes. “In Norfolk, no one can escape the government’s 172 unblinking eyes,” it continues, referring to the 172 Flock cameras currently operational in Norfolk. The Fourth Amendment protects against unreasonable searches and seizures and has been ruled in many cases to protect against warrantless government surveillance, and the lawsuit specifically says Norfolk’s installation violates that.”
I sincerely regret to see Linux kernel patches like this one removing Russian developers from the MAINTAINERS
file. To me, it is a sign or maybe even
a symbol of how far the Linux kernel developer community I remember from ~ 20 years ago has changed, and how
much it has alienated itself from what I remember back in the day.
In my opinion this commit is wrong at so many different levels:
it is intransparent. Initially it gave no explanation whatsoever (other than some compliance
hand-waving). There was some follow-up paraphrasing one paragraph of presumed legal advice that was given
presumably by Linux Foundation to Linus. That's not a thorough legal analysis at all. It doesn't even say
to whom it was given, and who (the individual developers? Linux Foundation? Distributors?) is presumed to be
subject to the unspecified regulations in which specific jurisdiction
it discriminates developers based on their presumed [Russian] nationality based on their name, e-mail
address domain name or employer.
A later post in the thread has clarified
that it's about an U.S. embargo list against certain Russian individuals / companies. It is news to me that
the MAINTAINERS file was usually containing Companies or that the Linux kernel development is Companies
engaging with each other. I was under the naive assumption that it's individual developers who work together,
and their employers do not really matter. Contributions are judged by their merit, and not by the author or
their employer / affiliation. In the super unlikely case that indeed those individual developers removed from
the MAINTAINERS file would be personally listed in the embargo list: Then yes, of course, I agree, they'd have
to be removed. But then the commit log should of course point to [the version] of that list and explicitly
mention that they were personally listed there.
And no, I am of course not a friend of the Russian government at all. They are committing war crimes,
no doubt about it. But since when has the collaboration of individual developers in an open source project
been something related to actions completely unrelated to those individuals? Should I as a German developer
be excluded due to the track record of Germany having started two world wars killing millions? Should
Americans be excluded due to a very extensive track record of violating international law? Should we exclude
Palestinians? Israelis? Syrians? Iranians? [In case it's not obvious: Those are rhetorical questions, my
position is of course no to all of them].
I just think there's nothing more wrong than discriminating against people just because of their passport,
their employer or their place of residence. Maybe it's my German upbringing/socialization, but we've had
multiple times in our history where the concept of **Sippenhaft** (kin liability) existed. In those dark ages of history you
could be prosecuted for crimes committed by other family members.
Now of course removal from the MAINTAINERS file or any other exclusion from the Linux kernel development
process is of course not in any way comparable to prosecution like imprisonment or execution. However, the
principle seems the same: An individual is punished for mere association with some others who happen to be
committing crimes.
Now if there really was a compelling legal argument for this (I doubt it, but let's assume for a second
there is): In that case I'd expect a broad discussion against it; a reluctance to comply with it; a search
for a way to circumvent said legal requirement; a petition or political movement against that requirement.
Even if there was absolutely no way around performing such a "removal of names": At the very least I'd expect
some civil disobedience by at least then introducing a statement into the file that one would have hoped to
still be listing those individuals as co-maintainers but one was forced by [regulation, court order, ...] to
remove them.
But the least I would expect is for senior Kernel developers to simply do apply the patch with a one-sentence
commit log message and thereby disrespect the work of said [presumed] Russian developers. All that does is to
alienate individuals of the developer community. Not just those who are subject to said treatment today, but
any others who see this sad example how Linux developers treat each other and feel discouraged from becoming
or remaining active in a community with such behaviour.
It literally hurts me personally to see this happening. It's like a kick in the gut. I used to be proud
about having had an involvement with the Linux kernel community in a previous life. This doesn't feel like
the community I remember being part of.
I worked in the garden this morning. Put my hands in the dirt, wanting to harvest. But I’m holding off. Ticking down the days or hours until the transmission from Alsafi arrives. When it comes, I’ll celebrate, pick the peas, chard and beets, enjoy them during the autumnal Feast Days next week, a bounty made all the sweeter for the waiting.
So instead I pulled weeds while the overcast sky sank low and dusty, and a rogue wave of San Francisco fog rolled over Oakland. Slow going, but I needed the time to clear my head. When my back was aching and my hands satisfied, I came in with anxious energy still to burn and picked up this housejournal, which I haven’t touched in years. I’ve got that impatient, behind-the-eyes fuzziness, like waiting for a crush to write back.
I expect we’ll hear from them today, tomorrow latest. The weather in our Oort Cloud isn’t as clear as we’d anticipated, but nothing major, nothing that should muddy the signal.
When it comes, this will be the fourth message received from Alsafi in my lifetime. Few have timed their career so fortuitously. The first came when I was a child. The second came just weeks after I joined the Intercivilizational Observatory’s San Francisco office, and I wormed my way onto the analysis team. The third came the year I met Cassio, and I was doubly lovestruck. Still, I was reading responses to questions another generation had asked. But now, a full 39-year round-trip after I began, I’ll finally get answers to my questions. Ones from my youth, maybe, but they’ll be mine. After all this time, I’ll finally be In Conversation.
Feast of Travails
Nothing yet. We’ve crept past the end of the official window. Wouldn’t be the first time they’ve missed us — or us them, for that matter. But it’s been a couple centuries since things have gone off schedule. I’m boggled, but everyone is looking to me for answers. Devin and Atul are the only ones keeping their heads. I might ask them to help me work the problem if we don’t hear something soon.
I was feeling caged by the impending equinox and my too-ancient house, so I walked down Peralta Street to the public farm, where I could get under the trees and not worry about the quiet sky. In the volunteer apple grove I bumped into Cassio. She hates Feast Week, so maybe she was escaping too. It’s been four years since we’ve talked much, outside chilly conversations in conference hallways. She seemed warmer today, not a word about our falling out, just an attentive smile and a sympathetic hand patting mine. I played it cool, but it was obvious that she’d heard about the lost window. Cass — ever the thoughtful astronomer — already had her own theories.
“Could be some dark planet wandered into the path at just the wrong time,” she said. “Our charts always have blind spots, you know. If we didn’t see it, it’s probably closer to their end, which means they’ll notice it quick and get something rough out to you soon.”
“Or they’ve been cooked by a solar flare,” I sulked. “Or they blew themselves up, or died in a plague, or suffered ecosystem collapse, or — ”
“Oh hush! Equipment failure is more likely. Maybe the problem is on our end, failed last transmission. Maybe they’ve been sitting there for decades worrying about us exactly like you’re worrying about them.”
“I like that thought even less,” I said.
“Didn’t you once tell me that people started theorizing about the emptiness of the cosmos after just a couple years of SETI listening?”
“They expected empires and megastructures,” I admitted. “They didn’t see any right away, so they figured no one was out there. That’s where the ‘Great Filter’ idea came from. It took us getting through our own Filter to realize that the universe was vast not just in space but in time.”
“Exactly. We had to listen for a long time to actually connect, and so did they. Which means we had to be sustainable, and so did they.” Cass made me look her in the eyes. “Which means if we’re fine, they’re probably fine too. We know they’re sustainable. Otherwise how could we have held down a Conversation for the last 900 years? A couple days’ tardiness doesn’t have to mean anything. Maybe years will go by, and then just like that you’ll hear from them. You’ll go back to talking like before, like nothing ever happened.”
Then she got on my shoulders and pruned a knotty, fruitless tree the neighborhood was neglecting. As she left, she said to say hi to the house, so here I am, diligently noting it in the housejournal. She said we could talk more sometime, about Alsafi, if I wanted. I think I’ll take her up on that.
16th of Vendémiaire
If things had gone as planned, I’d be releasing a new message to the world right now. Everyone is eager for these curated infusions of alien novelty — something to stir up our slow churning culture. Fashion houses and architects anticipate the fads for new Alsafi aesthetics. Philosophers await progress on the Shared Paradoxes, those questions both our worlds can make sense of but neither can answer.
We’ve been slowly spreading the word that nothing is coming, while preparing a longer study. Devin retasked our out-system equipment to get a better look at the weather in the interstellar medium. I’d like to tell the continuity councils something, but Atul says it might be a long time before we know anything new.
So, time to kill, I walked with Cassio from the Observatory out to Ocean Beach. It was chilly, so we huddled together and draped the beach blanket over our shoulders. We strolled along the surf, watching children play fetch with neighborhood dogs. Cows munching seaweed appeared out of the mist. The fog was so thick, Cass was inspired to lecture me about space.
“Say there’s a lighthouse out there.” She waved towards Marin. “It’s going to blink a message at you. What are all the things that have to go right for you to get that message?”
“You have to have line of sight,” I said. “And be looking in the right direction, at the right time. You have to be watching long enough to see the whole message, and you need a good enough memory to remember the pattern. Then you have to know how to decode it.”
“And,” Cass waved expansively, “it can’t be too foggy.”
“We’re pretty good at predicting the weather out there, you know.”
“I’ve never liked that metaphor. Tracking matter a dozen light-years away is nothing like watching for clouds on the horizon. It’s dark, and your model has to look decades ahead based on the thinnest flickers of shadow. Did you know they keep changing the estimates of how much dark matter there is in the universe?”
I did, but something about being there with her, on that beach, stirred a thought I hadn’t had before.
“In the histories the Alsafi used to wonder a lot why they never heard from anyone besides us,” I said. “They’ve always been more bullish about the chances of life in the universe.”
“You think if they got a transmission from someone else, they’d stop talking to us?” Cassio asked.
“A second contact changes everything about The Conversation. Do they tell us about them, or them about us? Whose permission do they need first? Who do they prioritize? It gets complicated.”
“Kind of like us,” Cass said.
She spoke low, barely louder than the surf. We let it hang there for a moment, the chimes of distant drift-ships rolling in and out of the Golden Gate.
“Kind of like us,” I agreed.
I expected her to bring up Katarina then, but she didn’t. The conversation turned back to work, to Devin’s concept sculpting and Atul’s mantra of patience. When we parted it was like the moment had never come up, like we were old colleagues whittling at a problem. More than I deserve, probably, but I’ll take it.
20th of Brumaire
The chatter stopped.
From time to time, as the weather out there allows, we pick up faint bits of Alsafi’s in-system communications, outside the transmission schedule. Nothing we can parse, usually; all noise, no signal. It fades in and out, and we’ve gotten used to paying it little mind.
Occasionally scholars or cranks will try to decode it, write a paper about some pattern noticed or a new sifting technique. Some dream of continuous contact, while others look to the chatter to confirm this fringe theory or that. But to me it’s always felt a bit like reading someone’s diary or snooping on private messages. It’s the things they say to us intentionally that matter. Otherwise, it’s not a Conversation.
But now that the chatter is all we have, we’ve been listening harder, and it’s just not there. No unscheduled distress call. No sudden wail of anguish. The last flicker arrived a couple years ago, which meant it departed Alsafi shortly after they received a transmission from us.
It really is a locked room. I feel sure the chatter is gone for good. Until we hear from them again, all we have to go on is what’s already been said. And so much has been said — 900 years of conversation! It’s time to start looking at the histories, see if we can’t find a clue, something that might indicate what was about to go wrong.
Cassio and I commuted back to Oakland together, taking the vineway from the Observatory back over the bay, between the skyscrapers, feeling the music of their wooden creaking disappearing into our bones. Today the timing was just right, and we passed over downtown right as the last red light of the west glanced off the windows. Glass flashed kaleidoscope brilliance down into the canals and canyon farms. For three precious minutes, San Francisco exploded with spectacle.
I felt Cass nudge against me then, and she kissed me. A dense kiss, filled with hope and desire, sadness and confusion, anger at all that had happened with Katarina, lust, triumph, forgiveness. Somehow I felt four years worth of heat in her breath.
Did she kiss like that before? I hadn’t realized I’d forgotten.
7th of Pluviôse
I’ve been spending more nights at Cassio’s place. The garden is going to rot. Cass says that if I can’t caretake properly, we should let the house go to someone else. Maybe find some less needy rooms together, closer to the Observatory. I can’t tell if things are moving very fast or very slow.
Why now? What opened up in me, or in her, that made that meeting in the apple grove different than all the other run-ins we had during those four years we were broken up?
In the meantime I feel well-chided about the garden, so this morning I did some late season planting. It felt good to clear away the weeds, get my hands dirty. My mind is jumbled from combing back through old messages, communing with the computationals to parsing the leaps and doubling-backs of raw Alsafi language.
There has to be something we missed. Hints of political instability? A question we misinterpreted? Some sign of ecological decay that might open the door to pandemic? Were they keeping something from us? Posturing as more sustainable than they really were? Could some cascade of fragility have been buried in their civilization, and if so, how could we find it when they didn’t? Then again, who else could? What if they need our help?
Cassio
24th of Prairial
Hello! We gave up the apartment search, but we were still getting the side-eye from the housing councils — cohabiting too much without putting our places back into circulation. So here I am, moving back in, sharing this housejournal once again! Honestly I’m surprised Ferris worked up the nerve to suggest it, but I’m not complaining.
I always loved this old logbook. No clue who started it, however many centuries ago, and looking it up would take away the mystery. But it’s part of the house now, as much as any wall. If you care for a home long enough, its trinkets and furnishings find a kind of elegant permanence. Just the right thing in just the right drawer. If we want something that isn’t here, we should probably ask ourselves if we really need it!
So after bouncing around unstable East Bay dorms for a few years, moving back in was a treat. Weird little antique house on a weird little antique street. All wood beams and pastel paint, devilishly complicated plumbing — 1,200 years old! Older than The Conversation. Every part has been replaced ten or twenty times, but still it remains itself. Like a civilization, I suppose, or a relationship. The good ones have a narrative, some line of continuity that stays true even as the people in them change. Growth, decay, collapse, renewal — the oldest story. Which reminds me: Ferris’s garden needs some help.
Ferris
Feast of Virtue
It’s Feast Week again, and at last I think I found something. An inconsistency in the codebase. It showed up six centuries ago, but I can’t find a record of the affirmed sign-off. It’s a tiny change, a slight tweak in how the algorithms flag and repair errors. Routine — or at least it should have been. Could such a little thing have bloomed into some deep misunderstanding without us noticing?
It’s shocking to find an error — even Atul agrees. The codebase is the greatest intellectual achievement in human or Alsafi history. It took a century and a half of confused cross-talk to co-create it. Not only did we need to learn each other’s languages — an enormous feat, given the utter alienness of our cultures — we had to build in layers of redundancy. Otherwise a stray cosmic ray or a mite of dust could scramble some crucial line of message. We learned from DNA how to write code that was both dense with information and self-repairing, while they taught us how to compress our data by hosting ideas within a web of interlaced probabilities.
Then we had to compare observations of the cosmos to find the years and trajectories where a clear signal could cross the gulf of space intact. Space is just so big, as Cass keeps reminding me. We are not stars; our strongest transmission is but a tiny ripple in the dirty darkness. We and the Alsafi stood on opposite sides of a lake, sending messages by skipping-stone. It took so much patience to begin that Conversation. And 600 years ago, we misspoke.
Cassio
Feast of Recompenses
Happy New Year! I’m toasting it alone. Ferris is down in Palo Alto, chasing his new lead, haranguing some Observatory computer boffin, poor Devin probably playing peacekeeper. I had wanted to get out of town, take an airship up to the Lost Coast, see some stars. I’m still trying to decide if I’m annoyed that he bailed or glad to be able to mope through on my own.
Feast Week is unlucky for me, unscientific as that is. My mom leaving, my first miscarriage, the falling out with Ferris over Katarina, Dad dying a year later. The normal travails of life, but they seem to accumulate in these last complementary days. Now every year I tense up, this weird pre-fight-or-flight paralysis.
But today, instead of waiting for disaster, I stole Ferris’s sunhat and did what I could for the garden. We’re in salvage mode now, I’m afraid! No wonder the neighbors looked relieved when I told them I’d moved back in! Only the potatoes made it; the squash and melons were strangled by grass Ferris should have been weeding.
I know the Alsafi thing is a distraction. “The Quiet” they call it now. What, like we’re getting the silent treatment? But the Alsafi don’t live here, and I do, which means I’m the only one getting punished if he lets the garden go fallow.
Ferris
1st of Germinal
First day of spring, and equinox upkeep won’t wait for my domestic slump to lift. I skipped it last year, distracted by the Quiet and having Cass back. So this year we dusted every corner, inspected every picture frame, took care of new nicks in the furniture. We tossed the plates and utensils that needed composting, pulled the linens and clothes that needed mending and set them out for return to the public laundry. We mucked out the lamps, scrubbed the toilet, went top to bottom wiping away the winter oils, even grouted the foundation, though that wasn’t due for a few years. I admit: together Cass and I were far more rigorous than I’d have been alone! Bachelors and civilizations — both half-feral without a partner.
Just like spring upkeep, the codebase is a form of unending maintenance, but out of sight, so we often forget that it's happening. I’d always assumed our messages would be translated faithfully, but now I see just how much the codebase shapes the message once it leaves the Observatory’s servers.
The codebase determines which sections to prioritize with which levels of redundancy. The idea that an algorithm would rank some parts of our message above others would surely shock some members of my team. Worse, the codebase automatically swaps certain sets of synonyms for one clear term that can be coded more easily. It’s a good corrective to verbose humans forgetting the limits of the Alsafi’s knowledge of our language. But still, I can’t count the number of times we argued over which overly-deft word to use in our message. How many of those nuances were lost?
Of course, we took everything we heard from Alsafi with a grain of salt, and hopefully vice versa. You don’t build a 900-year relationship by rushing to judgment, or by being too proud to articulate confusion. But if our best efforts still leave such ambiguity, how can we be sure we ever really understood each other in the first place?
I’m more convinced than ever that something went wrong long ago. It goes beyond the glitch — we have to totally rethink how our messages might have translated through all those layers of glass we’ve set up between us. The codebase is the mystery now, the enemy even. Atul will see that, even if Devin doesn’t. Even if Cass won’t.
Cassio
12th of Messidor
Ferris is gone to Portland this week. Fighting to keep computing power on his project. He’s right that it’s too soon by decades to give up, but more people are involved now that The Quiet is public. He can’t unilaterally order a shakedown of solar system infrastructure, no matter how much he feels like he owns the mystery.
So I walked up to Berkeley today to talk to Atul. We had lunch at this new cafe, tucked into the side of Atul’s squat dormitory. The meal was red lentils and fresh Bay arame. As we ate, Atul told me about Ferris’s latest angle. I hardly had to ask, Atul was so eager to vent to someone.
“He’s very dedicated to this ‘locked room’ approach of his,” Atul said. “It was an intriguing problem at first — ‘let us apply the greatest scrutiny to ourselves’ and all that.”
“Well, shouldn’t we?” I was surprised to find myself defending Ferris.
“He’s not wrong, but he’s upsetting people. He’s gone barging in on teams he doesn’t know, playing inquisitor. Very undiplomatic, and it reflects on the Observatory. I don’t know what to do with him.”
“What about the glitch he found? Are folks not taking it seriously?”
Atul looked surprised. “He didn’t tell you? There was no glitch, not really. The signoff was just misfiled in the records. Part of the switch from the Gregorian to the Republican calendar, long ago. It ended up buried in a heap of technical addendums to a very invigorating exchange about the mechanics of color. We found it a month ago, and good job to Ferris! But he’s still carrying on like this error in procedure amounts to an error in the code, and I’m afraid there’s not much support for that position.”
I had to think back on what Ferris had said about the glitch. I decided he hadn’t lied to me. Not exactly.
“What about you?” I said. “Any theories?”
“It hasn’t even been two years. There’s no point in getting upset until it’s been at least a decade. The lack of chatter is strange, but if you ask me that points to a physical blockage. That’s the simplest explanation, and it will be at least five more years before we can get a good enough scan to even begin to rule that out. Look — ”
Atul took my hand here, gently.
“It’s not about the Quiet. It’s about Ferris. The more I work with him, the more I think that he’s taking this all rather...personally. That’s why Devin basically quit, and I don’t blame her.”
“Conversation was his life’s ambition. To have that disappear right when...” I stopped. Atul’s tone made me realize he meant something else.
“I think he feels...spurned by Alsafi,” Atul said. “Deep down he doesn’t think The Quiet is technical, or astronomical, or anything like that. He thinks they decided to stop talking to us. To him. And he doesn’t know why, so he feels both responsible and victimized at the same time. Does that make any sense?”
It did, of course.
Maybe writing here, where Ferris will see, is passive aggressive. I don’t care.
Ferris, I’m sorry I left. And in a way, I’m sorry I came back the way I did. We’re all in a whirlpool. Even when we feel like we’re swimming, we’re not. We’re swept along. It’s all so much bigger than anyone. Even us.
Ferris
20th of Thermidor
They kicked me out of the Observatory. They were very polite about it — in fact they promoted me, asked me to take over a whole curriculum, teach the next generation about Alsafi ways of life and thought. As though any of that matters in The Quiet.
It was surreal leaving, taking the stairs for no reason at all, hoofing it out of the park, leaving my favorite bike. I hung limp on a trolley strap. In downtown, I sleepwalked into the water gardens, uncouthly swimming in all my clothes. I got concerned looks. I lay on my back, thinking about Alsafi canal computers, wishing I could wash out into the bay.
All this time chasing after a glitch, I’ve ignored that scary, simple question that came to me on the beach, in that unfocused first month of the Quiet: who else might the Alsafi have met? Those ancient fantasies about interstellar travel — how do we know it couldn’t be done? We gave up after, what, three tries? Content to stay by our own little star forever. Could other beings, with different biology, a different path of technology, have succeeded where we failed? Perhaps another post-Filter sustainable, like us, but more ambitious in their exploration. Or some kind of pre-Filter expansionary. Or something else — gods or monsters?
We could propel a probe — Cass told me the theory. A tiny wafer, lasers burning it through the murk of space all the way to Alsafi. The signal back would not be strong, but it would be our own observations, in our own language.
Yes, it would take decades, but how can we wait? Either someone convinced Alsafi to stop talking to us, or something made them stop talking to us. We have to find out which — not just for them, but for our own survival.
And if the Alsafi are still there, just stubbornly silent, we could ask them why, ask them what we said. Would they refuse to answer us then, to our face?
Cassio
26th of Fructidor
Ferris and I had a fight. A real one, with screaming and sobbing and hands trembling, me almost throwing a vase that must be 200 years old. Not since Katarina have I been so mad at him.
He'd asked me again to pitch his probe to my colleagues. And it’s not crazy, but the way he demands it, I feel hounded. I know that after this thing will be the next thing, and the next. When will he say, “I’ve done enough. Now I can settle down and wait”?
So finally we fought about it, and about everything, all the way back through 15 years, to when we first saw each other on that Observatory retreat — me the rookie stargazer, him the dashing intellectual, speaker of alien tongues, shouter across the void. We were in the shadow of the Bay Bridge, and he grinned at me and dived, leaving me sitting in my stupid kayak, waiting for his eyes to break water.
We fought about the house, his neglect, and about his year with Katarina, how it hurt me in ways I’m still ashamed of. And then he asked me what the point was, in me coming back. And I just couldn’t find a good answer for him.
The Conversation is an ache for Ferris, history tugging him one way, the boundless future another. But I love him because he pulls back so hard, seems to own all that time. And there are moments when he feels so there for me, when he’ll melt the scale away, just be present.
I wanted that again. But how could that be enough?
He asked me why I was at the public farm that night. Well, Ferris, the truth is I tracked you down. I’d heard about The Quiet, and I wanted to see what you were like without Alsafi. Maybe on some level I did want to see you denied your Conversation. I can hate you, when I want. But mostly I missed you.
So I went to the house in time to see you leave. I followed you, caught up with you in the apple grove. I talked you down from your panic, came back into your life, cleaned up after you when you let your home fall to ruin. I thought that maybe, without them, you’d finally need me.
But I’m just one more woman, coming and going from your life, playing at domesticity. Always hovering second in your thoughts, or third. You’ll never think about my feelings the way you scrutinize the motivations of unknowable aliens. I’ll never be that interesting to you. Maybe because I didn’t play hard enough to get.
After, I waited for you to leave, then crept downstairs, feeling the vibrations of our shouting match still thrumming in the walls. I wonder if the next people here might feel it. Our love and our anger, another blot in this palimpsest.
Ferris
Feast of the Filter
Cassio left last night. Again. Today the house feels misshapen. I keep bumping into furniture that hasn’t been moved in centuries. I go out to the garden, but I don’t want to touch the patch she planted.
She’s off to Baja in the morning, where most of the asteroid deflection planning happens. There’s a comet passing through in 170 years. Cass says she wants to set it into long-term parking around Saturn, save it for a rainy day.
She didn’t ask me to come with her.
Today is the last day of the year, that rare leap year festival. Cass hates feast days, except this one. Why is the saddest feast the one she’s drawn to? I wonder how she’s celebrating.
New Years Day, 1st of Vendémiaire
Eventually I got out of the house, felt like it let me go. I wandered down the neighborhood toward Lake Merritt, looking for Cass but dreading seeing her. Soon the revelers arrived, in masks and fresh-woven harvest cloth, and my search got worse, more panicked, until I abandoned it, numb and aching for her presence.
I got swept up in the celebrations, though for me they were a dirge. I danced and shook, waved candles and shouted songs with the crowd. When I got to Lake Merritt, I put my hand on the memorial wall, my fingertips captured by the carvings of species lost in the Filter. There were so many: leaf presses and insects drawn as in amber, mammals and birds playing little scenes. Should we add Alsafi to our wall of dead things? They talked to us for almost a thousand years. If we had really understood them, might things have turned out different?
The sun is coming up now. A new year. The third year of The Quiet, they’ll call it. The revelers have gone to bed. The air is still, the weather will be clear. It’s perfectly silent, but for the ringing in my ears.
I don’t remember how I got home, or when. Outside I see the garden. Some weeding might help my aching head. Instead I open the window and sit down to write.
Strange that I need to say it, but I do: it wasn’t my fault the Alsafi transmissions stopped. How arrogant of me to think it was! I can’t do anything about aliens 19 light-years away, any more than I can bring back those extinct creatures on the Lake Merritt wall.
Cassio leaving, though — that was my fault. This time and the last. There is no mystery to it. I neglected her love, chased either another woman or another species. I should have listened, when she told me that to my face.
I don’t deserve to get her back, but she deserves to have me try. I’ll get some sleep and pack a bag. Baja is closer than Alsafi. Maybe there’s nothing I can do, but Cass deserves a real conversation.
💡
READ Andrew Dana Hudson's 02018 story, "The Mammoth Steps," in which translation technology and norms of interspecies communication make possible a deep friendship between a boy and a de-extincted mammoth.
READ Andrew Dana Hudson's companion piece to this essay, "The Weather Out There," a work of speculative fiction about communication between humans and across the stars — and what happens when that communication breaks down.
When I was a young kid in the 90s, my dad and I made a bet. Actually, more of a long bet. I wagered that humankind would put a person on Mars by 02020. I lost.
As I was growing up — devouring sci-fi books, watching Star Trek, pouring over Popular Mechanics, and even attending Space Camp — it just made sense that humanity’s next steps into the universe were both inevitable and imminent. Technology was improving, after all, and there seemed to be ever more sophisticated proposals for how we’d travel to Mars and what we’d do when we got there. I remember the illustrations: chunky spacecraft spinning through the void, sleek domes sprouting like mushrooms out of rusty dirt.
And I wasn’t the only one. Kim Stanley Robinson’s Red Mars — still considered one of the most rigorous hard science fiction novels of all time — was published in 01992. Robinson put the start of colonization at 02026, with the first man on Mars some years before.
Yes, there’d been a lull after the high-flying moonshot 60s, but the space shuttle and the international space station were still impressive feats: a foothold in orbit. In 02004 Bush laid out a plan to go back to the moon by 02020, and send crewed missions to Mars as soon as 02030. There was talk of commercializing space, space tourism, space mining, all of which seemed just around the corner. Throughout the aughts I figured I might lose my childhood bet, but it still felt like something was happening.
Now all this feels naive, given what we know about the 21st century’s politics, predilections, and challenges. In retrospect, Bush’s ambitions seem more like muscular nationalist posturing, shoring up our image at a moment of declining American popularity abroad. When Trump made the same promises and founded the much mocked Space Force, it felt like a naked appeal to the nostalgia of his aging Baby Boomer base. Nowadays anyone eager to put boots on Mars puts their faith in the increasingly noxious and incoherent Elon Musk. While SpaceX has become a real player in the rocketry sector, at this point I trust Elon’s grand plans and promises even less than Trump’s.
The truth is that for over half a century since the moon landing, we’ve made little progress on the interplanetary manifest destiny I grew up believing in. Today manned spaceflight has little cultural or political momentum. China and America talk about being in a new “space race” to return to the moon, but, as impressive as that feat would be, it would just be a rerun of the 60s, playing for a much less engaged audience. To date less than 700 people have ever been to space. Orbit is filling up with junk.
None of this is to discount the real and meaningful work that NASA and others have done over these past few decades. The unmanned craft they have sent all across the solar system have been great scientific and technological achievements. I have friends who work on such probes, and they are marvels of ingenuity.
However, a big part of futures thinking is projecting current trends and trajectories into the future, and right now — despite 75 years of rocket ships, space stations, moon bases, and Mars domes being the dominant signifier of futurity — our present trends and trajectories point only down, back to our ever-warming Earth.
1 Humanity will never colonize Mars, never build moon bases, never rearrange the asteroids, never build a sphere around the sun.
2 There will never be faster-than-light travel. We will not roam across the galaxy. We will not escape our star.
3 Life is probably an entirely unexceptional phenomenon; the universe probably teems with it. We will never make contact. We will never fuck green-skinned alien babes.
4 The human race will live and die on this rock, and after we are gone something else will take our place. Maybe it already has, without our even noticing.
5 All this is good. This is a good thing.
(It’s very much worth reading this 02015 essay in full. It’s a potent corrective to the default attitude of heroic wonder with which we are usually encouraged to regard outer space.)
And yet, space stories keep coming. Walk down to your local bookstore and you’ll find plenty of new sci-fi releases about brave astronauts, rugged interstellar colonists, dashing star pirates, vast galactic empires, and so on. I recently poured over an issue of Analog Science Fiction & Fact, and I found that only five out of 20 pieces of fiction didn’t feature space in some way. I don’t have hard numbers on this, but I’d bet money that a strong majority of all the words of science fiction ever written have been about space or aliens, set in space(ships), or set on other planets.
Increasingly these stories take the form of deliberate retrofuturist period pieces. A good example is “Beyond the Sea,” in series six of Black Mirror. Some are explicitly alternate histories full of yearning for lost momentum, such as the show For All Mankind (in which a Soviet moon landing means the space race never stops). Or Mary Robinette Kowal’sThe Calculating Starsand sequels (in which a 01952 asteroid impact forces humanity to figure out how to get off planet before the Earth becomes unlivable).
Still others use space less as a future and more as a flavor of the fantastical, like Star Wars. Ann Leckie’s Ancillary Justice novels might as well be set a long time ago in a galaxy far, far away. Same with Becky Chambers’ Monk and Robot novellas, which take place on a distant moon called Panga. I find this somewhat frustrating, as Chambers’ story of postcapitalist solarpunks living in harmony with their environment and each other is a vision I’d like us to try building here in the real world. Is the takeaway that Earth is too far gone, too complicated and fractious, too sedimented with historical injustice, to achieve that kind of utopia?
And there are plenty more who continue to draw a direct line from present day Earth to the planets and stars, from The Expanse novels and TV series to the video game Starfield. Most of these, like Star Trek, depend on the invention of a physics-breaking faster than light (FTL) drive sometime in the next century or two. Perhaps we are starting to feel that, without such a breakthrough to make things quick and easy, the whole space affair is not worth the trouble. Kim Stanley Robinson’s Aurora makes the excellent case that venturing beyond our solar system is too slow and fraught to do with the technology that currently seems within our grasp.
💡
WATCH OR LISTEN to recent Long Now Talks on speculative and science fiction:
Let me just stress that all the works I’ve just mentioned are excellent. Science fiction writers should write what they want, gloomy forecasts be damned. In fact, maybe it’s good that the genre holds a torch for space even after the wind has gone out of our collective solar sails.
But I think it’s worth asking: Why? Why do so many of us feel compelled to write about a future that isn’t actually happening? And what does it mean for science fiction that its grandest, most prominent prediction doesn’t seem to be coming to pass?
The above chart shows an “envelope curve,” in which successive technological breakthroughs are chained together to produce, often, a view of skyrocketing, logarithmic progress. Consider this quote from a 01977 report by the Advisory Group for Aerospace Research (AGARD) on “Methods of Technological Forecasting”:
The extrapolation of envelope curves is considered by most authors as one of the tools particularly suitable for technological forecasting. Some consider it even as having potential for discerning technological breakthroughs. In the available literature, however, the same examples have been mentioned for a decade, so that there can be some doubt as to the progress made in this direction.
When you can make a series of technological breakthroughs fit neatly onto a chart, it’s easy to feel like you’re seeing a deep and inevitable pattern that must continue. Every barrier broken gives confidence that the next barrier can also be broken, even when the next barriers are, by definition of your chart, logarithmically more difficult.
Imagine you are standing on this curve at circa 01965. Behind you is a steep drop off in human velocity, ahead of you the potential for an ascent that reaches for the speed of light itself. It must have been heady days, going in one lifetime from puttering cars to the first airplanes to rockets capable of escaping Earth’s gravity well. Nothing like it had ever happened before. In many ways it was a fundamental change in what it meant to be human — to cross oceans and continents on a lark, to pierce the firmament. How could one see that hockey-sticking slope and not let one’s gaze be drawn to the stars?
We needed stories to make sense of that massive, accelerating shift. We needed a new mythology that helped us understand our place in a bigger universe, our destiny, our purpose. Science fiction is modern mythmaking that helps us manage future shock as we ride the waves of technological upheaval and social change. Waves that have rocked the world since Mary Shelley conceived of The Modern Prometheus during a dreary climate event in Geneva.
When we tell stories about space now, we aren’t predicting the future, we’re adding to and riffing on that mythological tradition, the way folklore always works.
Of course, by 01977 doubts were already starting to sneak in, as “the same examples have been mentioned for a decade.” Here’s another chart that puts the 01965 view in perspective:
NASA's budget as a percentage of the federal budget, 01958–02017.
What happened in reality was the hockey-sticking acceleration stopped and progress plateaued. Human velocity peaked in 01969 with the crew of Apollo 10. After that NASA’s budget dropped precipitously. Meanwhile supersonic flight proved too costly, loud, and uncomfortable for most travelers, and anyway how often does one really need to get from New York to London in three hours instead of eight? The height of high velocity transportation for the vast majority of humans is now the Boeing 747 and its kin. Few trends point to this changing anytime soon — except perhaps to slow down, as the demands of decarbonization push us to fly less and take the train (or the Zoom call) more.
Going to space is several orders of magnitude more costly, loud, and uncomfortable than a Concorde jet. So, probably, we just aren’t going to do it. No nation-state is likely to devote 5% of its spending to a Mars mission, not when global economic competition is increasingly tight, aging populations are straining pensions, a pandemic demolished many healthcare systems, and climate change is battering crops, housing, and infrastructure.
And despite slide-deck dreams of quadrillion dollar asteroid mining jackpots and Martian debt slavery company towns, there isn’t much money to be made in space. So the capitalists aren’t going to do it either. They have budgets to balance and quarterly earnings targets to hit and executive bonuses to pay out and stocks to buy back, and no amount of cosmist mythmaking is going to make space profitable. Elon launches rockets and Starlink satellites to hype up Tesla stock and get governments under his thumb.
Everyone frets about the billionaires running off to other planets and leaving us to suffer on a broken Earth, but that’s just another parable. Our climate is getting bad, but it’s not anywhere close to being Mars-bad or Vensus-bad. That’s where you need domes. Doing anything in space is so, so much harder and more expensive than fixing up the ecosystems around us. Repairing our own atmosphere is going to be a big project, but way easier than terraforming another planet. The appeal of “Planet B” narratives is that you could start over without the headache of dealing with people, which is so much more pessimistic and misanthropic than just acknowledging that we’re stuck here on Earth, with each other.
We’ll send astronauts to orbit, maybe back to the moon — a little space race redux for the U.S.-China rivalry. We’ll send unmanned probes to every celestial body within reach, and learn a great deal from those. We won’t put a man on Mars or build a moon base — at least not in my lifetime.
I say all this as someone who sincerely loves space. If there really was a chance to board a colony ship to Mars, I’d be sorely tempted. I desperately hope the world proves my low expectations wrong. To do so, however, would take a very different political and economic order than the one we have now.
The moon landing happened because capitalism and American empire actually had a rival. These forces had to prove they could outrace, outplan, and outspend communism and Soviet empire. It was probably the biggest PR campaign of all time, if you don’t count our bloated military. But such grand flexes are not necessary in our current capitalist realist status quo. When there’s no alternative, who are you trying to impress?
I do think we can go to Mars, and beyond, if we want to. But we’d have to decide to do so, collectively and democratically, probably not even as a nation-state but as a species. We’d have to put aside capitalist and nationalist competition. We’d have to take up more pressing moonshots first — decarbonization and climate repair — and then keep that momentum of big public spending flowing.
So if you want to write a story about space, that’s where I think it should start. How do we get through the bottleneck of climate collapse and polycrisis, through to a better system that offers more expansive possibilities?
💡
READ Andrew Dana Hudson's 02022 interview with Long Now about his novel, Our Shared Storm: A Novel of Five Climate Futures.
It’s an extremely tough question, so I don’t blame my fellow science fiction writers for skipping to the good stuff or offering alternate histories instead. I find the latter approach compelling myself. But the world is once again hockey sticking, and we need new myths to get us through.
A coda: if we ever do get a message from another star, our communication will probably be bound by the speed of light. No ansible, no Contact blueprints. We’ll have to send letters plodding back and forth across the endless void, waiting years or decades or centuries for a reply.
So maybe our best bet of finding out what’s Out There in the universe is to extend our reach not into the vastness of space but into the equally vast expanse of time: to make our civilization peaceful, stable, and sustainable, so we can keep listening. If we listen long enough, we might just catch a signal from someone else out there that’s achieved the same thing.
—
This essay was first published in slightly different form on Andrew Dana Hudson's newsletter, solarshades.club.
Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.
Image: Shutterstock, Arthimides.
Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online. Backed by millions of dollars in litigation financing, Atlas so far this year has sued 151 consumer data brokers on behalf of a class that includes more than 20,000 New Jersey law enforcement officers who are signed up for Atlas services.
Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers. Daniel’s Law was passed in 2020 after the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge — his mother.
Last week, Atlas invoked Daniel’s Law in a lawsuit (PDF) against Babel Street, a little-known technology company incorporated in Reston, Va. Babel Street’s core product allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area.
Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices.
Babel Street can offer this tracking capability by consuming location data and other identifying information that is collected by many websites and broadcast to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user.
This image, taken from a video recording Atlas made of its private investigator using Babel Street to show all of the unique mobile IDs seen over time at a mosque in Dearborn, Michigan. Each red dot represents one mobile device.
In an interview, Atlas said a private investigator they hired was offered a free trial of Babel Street, which the investigator was able to use to determine the home address and daily movements of mobile devices belonging to multiple New Jersey police officers whose families have already faced significant harassment and death threats.
Atlas said the investigator encountered Babel Street while testing hundreds of data broker tools and services to see if personal information on its users was being sold. They soon discovered Babel Street also bundles people-search services with its platform, to make it easier for customers to zero in on a specific device.
The investigator contacted Babel Street about possibly buying home addresses in certain areas of New Jersey. After listening to a sales pitch for Babel Street and expressing interest, the investigator was told Babel Street only offers their service to the government or to “contractors of the government.”
“The investigator (truthfully) mentioned that he was contemplating some government contract work in the future and was told by the Babel Street salesperson that ‘that’s good enough’ and that ‘they don’t actually check,’” Atlas shared in an email with reporters.
KrebsOnSecurity was one of five media outlets invited to review screen recordings that Atlas made while its investigator used a two-week trial version of Babel Street’s LocateX service. References and links to reporting by other publications, including 404 Media, Haaretz, NOTUS, and The New York Times, will appear throughout this story.
Collectively, these stories expose how the broad availability of mobile advertising data has created a market in which virtually anyone can build a sophisticated spying apparatus capable of tracking the daily movements of hundreds of millions of people globally.
The findings outlined in Atlas’s lawsuit against Babel Street also illustrate how mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.
WARRANTLESS SURVEILLANCE
Atlas says the Babel Street trial period allowed its investigator to find information about visitors to high-risk targets such as mosques, synagogues, courtrooms and abortion clinics. In one video, an Atlas investigator showed how they isolated mobile devices seen in a New Jersey courtroom parking lot that was reserved for jurors, and then tracked one likely juror’s phone to their home address over several days.
While the Atlas investigator had access to its trial account at Babel Street, they were able to successfully track devices belonging to several plaintiffs named or referenced in the lawsuit. They did so by drawing a digital polygon around the home address or workplace of each person in Babel Street’s platform, which focused exclusively on the devices that passed through those addresses each day.
Each red dot in this Babel Street map represents a unique mobile device that has been seen since April 2022 at a Jewish synagogue in Los Angeles, Calif. Image: Atlas Data Privacy Corp.
One unique feature of Babel Street is the ability to toggle a “night” mode, which makes it relatively easy to determine within a few meters where a target typically lays their head each night (because their phone is usually not far away).
Atlas plaintiffs Scott and Justyna Maloney are both veteran officers with the Rahway, NJ police department who live together with their two young children. In April 2023, Scott and Justyna became the target of intense harassment and death threats after Officer Justyna responded to a routine call about a man filming people outside of the Motor Vehicle Commission in Rahway.
The man filming the Motor Vehicle Commission that day is a social media personality who often solicits police contact and then records himself arguing about constitutional rights with the responding officers.
Officer Justyna’s interaction with the man was entirely peaceful, and the episode appeared to end without incident. But after a selectively edited video of that encounter went viral, their home address and unpublished phone numbers were posted online. When their tormentors figured out that Scott was also a cop (a sergeant), the couple began receiving dozens of threatening text messages, including specific death threats.
According to the Atlas lawsuit, one of the messages to Mr. Maloney demanded money, and warned that his family would “pay in blood” if he didn’t comply. Sgt. Maloney said he then received a video in which a masked individual pointed a rifle at the camera and told him that his family was “going to get [their] heads cut off.”
Maloney said a few weeks later, one of their neighbors saw two suspicious individuals in ski masks parked one block away from the home and alerted police. Atlas’s complaint says video surveillance from neighboring homes shows the masked individuals circling the Maloney’s home. The responding officers arrested two men, who were armed, for unlawful possession of a firearm.
According to Google Maps, Babel Street shares a corporate address with Google and the consumer credit reporting bureau TransUnion.
Atlas said their investigator was not able to conclusively find Scott Maloney’s iPhone in the Babel Street platform, but they did find Justyna’s. Babel Street had nearly 100,000 hits for her phone over several months, allowing Atlas to piece together an intimate picture of Justyna’s daily movements and meetings with others.
An Atlas investigator visited the Maloneys and inspected Justyna’s iPhone, and determined the only app that used her device’s location data was from the department store Macy’s.
In a written response to questions, Macy’s said its app includes an opt-in feature for geo-location, “which allows customers to receive an enhanced shopping experience based on their location.”
“We do not store any customer location information,” Macy’s wrote. “We share geo-location data with a limited number of partners who help us deliver this enhanced app experience. Furthermore, we have no connection with Babel Street” [link added for context].
Justyna’s experience highlights a stark reality about the broad availability of mobile location data: Even if the person you’re looking for isn’t directly identifiable in platforms like Babel Street, it is likely that at least some of that person’s family members are. In other words, it’s often trivial to infer the location of one device by successfully locating another.
The terms of service for Babel Street’s Locate X service state that the product “may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action.” But Scott Maloney said he’s convinced by their experience that not even law enforcement agencies should have access to this capability without a warrant.
“As a law enforcement officer, in order for me to track someone I need a judge to sign a warrant – and that’s for a criminal investigation after we’ve developed probable cause,” Mr. Maloney said in an interview. “Data brokers tracking me and my family just to sell that information for profit, without our consent, and even after we’ve explicitly asked them not to is deeply disturbing.”
Mr. Maloney’s law enforcement colleagues in other states may see things differently. In August, The Texas Observerreported that state police plan to spend more than $5 million on a contract for a controversial surveillance tool called Tangles from the tech firm PenLink. Tangles is an AI-based web platform that scrapes information from the open, deep and dark web, and it has a premier feature called WebLoc that can be used to geofence mobile devices.
The Associated Pressreported last month that law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cell phone tracking tool called Fog Reveal — at times without warrants — that gives them the ability to follow people’s movements going back many months.
It remains unclear precisely how Babel Street is obtaining the abundance of mobile location data made available to users of its platform. The company did not respond to multiple requests for comment.
But according to a document (PDF) obtained under a Freedom of Information Act request with the Department of Homeland Security’s Science and Technology directorate, Babel Street re-hosts data from the commercial phone tracking firm Venntel.
On Monday, the Substack newsletter All-Source Intelligenceunearthed documents indicating that the U.S. Federal Trade Commission has opened an inquiry into Venntel and its parent company Gravy Analytics.
“Venntel has also been a data partner of the police surveillance contractor Fog Data Science, whose product has been described as ‘mass surveillance on a budget,'” All-Source’s Jack Poulsonwrote. “Venntel was also reported to have been a primary data source of the controversial ‘Locate X’ phone tracking product of the American data fusion company Babel Street.”
MAID IN HELL
The Mobile Advertising ID or MAID — the unique alphanumeric identifier assigned to each mobile device — was originally envisioned as a way to distinguish individual mobile customers without relying on personally identifiable information such as phone numbers or email addresses.
However, there is now a robust industry of marketing and advertising companies that specialize in assembling enormous lists of MAIDs that are “enriched” with historical and personal information about the individual behind each MAID.
One of many vendors that “enrich” MAID data with other identifying information, including name, address, email address and phone number.
Atlas said its investigator wanted to know whether they could find enriched MAID records on their New Jersey law enforcement customers, and soon found plenty of ad data brokers willing to sell it.
Some vendors offered only a handful of data fields, such as first and last name, MAID and email address. Other brokers sold far more detailed histories along with their MAID, including each subject’s social media profiles, precise GPS coordinates, and even likely consumer category.
How are advertisers and data brokers gaining access to so much information? Some sources of MAID data can be apps on your phone such as AccuWeather, GasBuddy, Grindr, and MyFitnessPal that collect your MAID and location and sell that to brokers.
A user’s MAID profile and location data also is commonly shared as a consequence of simply using a smartphone to visit a web page that features ads. In the few milliseconds before those ads load, the website will send a “bid request” to various ad exchanges, where advertisers can bid on the chance to place their ad in front of users who match the consumer profiles they’re seeking. A great deal of data can be included in a bid request, including the user’s precise location (the current open standard for bid requests is detailed here).
The trouble is that virtually anyone can access the “bidstream” data flowing through these so-called “realtime bidding” networks, because the information is simultaneously broadcast in the clear to hundreds of entities around the world.
The result is that there are a number of marketing companies that now enrich and broker access to this mobile location information. Earlier this year, the German news outlet netzpolitik.org purchased a bidstream data set containing more than 3.6 billion data points, and shared the information with the German daily BR24. They concluded that the data they obtained (through a free trial, no less) made it possible to establish movement profiles — some of them quite precise — of several million people across Germany.
A screenshot from the BR24/Netzpolitik story about their ability to track millions of Germans, including many employees of the German Federal Police and Interior Ministry.
Politico recently covered startling research from universities in New Hampshire, Kentucky and St. Louis that showed how the mobile advertising data they acquired allowed them to link visits from investigators with the U.S. Securities and Exchange Commission (SEC) to insiders selling stock before the investigations became public knowledge.
The researchers in that study said they didn’t attempt to use the same methods to track regulators from other agencies, but that virtually anyone could do it.
Justin Sherman, a distinguished fellow at Georgetown Law’s Center for Privacy and Technology, called the research a “shocking demonstration of what happens when companies can freely harvest Americans’ geolocation data and sell it for their chosen price.”
“Politicians should understand how they, their staff, and public servants are threatened by the sale of personal data—and constituent groups should realize that talk of data broker ‘controls’ or ‘best practices” is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions,” Sherman wrote for Lawfare this week.
A BIDSTREAM DRAGNET?
The Orwellian nature of modern mobile advertising networks may soon have far-reaching implications for women’s reproductive rights, as more states move to outlaw abortion within their borders. The 2022 Dobbs decision by the U.S. Supreme Court discarded the federal right to abortion, and 14 states have since enacted strict abortion bans.
Anti-abortion groups are already using mobile advertising data to advance their cause. In May 2023, The Wall Street Journalreported that an anti-abortion group in Wisconsin used precise geolocation data to direct ads to women it suspected of seeking abortions.
As it stands, there is little to stop anti-abortion groups from purchasing bidstream data (or renting access to a platform like Babel Street) and using it to geofence abortion clinics, potentially revealing all mobile devices transiting through these locations.
Atlas said its investigator geofenced an abortion clinic and was able to identify a likely employee at that clinic, following their daily route to and from that individual’s home address.
A still shot from a video Atlas shared of its use of Babel Street to identify and track an employee traveling each day between their home and the clinic.
Last year, Idaho became the first state to outlaw “abortion trafficking,” which the Idaho Capital Sunreports is defined as “recruiting, harboring or transporting a pregnant minor to get an abortion or abortion medication without parental permission.” Tennessee now has a similar law, and GOP lawmakers in five other states introduced abortion trafficking bills that failed to advance this year, the Sun reports.
Atlas said its investigator used Babel Street to identify and track a person traveling from their home in Alabama — where abortion is now illegal — to an abortion clinic just over the border in Tallahassee, Fla. — and back home again within a few hours. Abortion rights advocates and providers are currently suing Alabama Attorney General Steve Marshall, seeking to block him from prosecuting people who help patients travel out-of-state to end pregnancies.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said she’s extremely concerned about dragnet surveillance of people crossing state lines in order to get abortions.
“Specifically, Republican officials from states that have outlawed abortion have made it clear that they are interested in targeting people who have gone to neighboring states in order to get abortions, and to make it more difficult for people who are seeking abortions to go to neighboring states,” Galperin said. “It’s not a great leap to imagine that states will do this.”
APPLES AND GOOGLES
Atlas found that for the right price (typically $10-50k a year), brokers can provide access to tens of billions of data points covering large swaths of the US population and the rest of the world.
Based on the data sets Atlas acquired — many of which included older MAID records — they estimate they could locate roughly 80 percent of Android-based devices, and about 25 percent of Apple phones. Google refers to its MAID as the “Android Advertising ID,” (AAID) while Apple calls it the “Identifier for Advertisers” (IDFA).
What accounts for the disparity between the number of Android and Apple devices that can be found in mobile advertising data? In April 2021, Apple shipped version 14.5 of its iOS operating system, which introduced a technology called App Tracking Transparency (ATT) that requires apps to get affirmative consent before they can track users by their IDFA or any other identifier.
Apple’s introduction of ATT had a swift and profound impact on the advertising market: Less than a year later Facebook disclosed that the iPhone privacy feature would decrease the company’s 2022 revenues by about $10 billion.
Source: cnbc.com.
Google runs by far the world’s largest ad exchange, known as AdX. The U.S. Department of Justice, which has accused Google of building a monopoly over the technology that places ads on websites, estimates that Google’s ad exchange controls 47 percent of the U.S. market and 56 percent globally.
Google’s Android is also the dominant mobile operating system worldwide, with more than 72 percent of the market. In the U.S., however, iPhone users claim approximately 55 percent of the market, according to TechRepublic.
In response to requests for comment, Google said it does not send real time bidding requests to Babel Street, nor does it share precise location data in bid requests. The company added that its policies explicitly prohibit the sale of data from real-time bidding, or its use for any purpose other than advertising.
Google said its MAIDs are randomly generated and do not contain IP addresses, GPS coordinates, or any other location data, and that its ad systems do not share anyone’s precise location data.
“Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID,” Google’s written statement reads. “If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.”
In a written statement shared with reporters, Apple said Location Services is not on by default in its devices. Rather, users must enable Location Services and must give permission to each app or website to use location data. Users can turn Location Services off at any time, and can change whether apps have access to location at any time. The user’s choices include precise vs. approximate location, as well as a one-time grant of location access by the app.
“We believe that privacy is a fundamental human right, and build privacy protections into each of our products and services to put the user in control of their data,” an Apple spokesperson said. “We minimize personal data collection, and where possible, process data only on users’ devices.”
Zach Edwards is a senior threat analyst at the cybersecurity firm SilentPush who has studied the location data industry closely. Edwards said Google and Apple can’t keep pretending like the MAIDs being broadcast into the bidstream from hundreds of millions of American devices aren’t making most people trivially trackable.
“The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem,” he said.
STATES ACT, WHILE CONGRESS DITHERS
According to Bloomberg Law, between 2019 and 2023, threats against federal judges have more than doubled. Amid increasingly hostile political rhetoric and conspiracy theories against government officials, a growing number of states are seeking to pass their own versions of Daniel’s Law.
Last month, a retired West Virginia police officer filed a class action lawsuit against the people-search service Whitepages for listing their personal information in violation of a statute the state passed in 2021 that largely mirrors Daniel’s Law.
In May 2024, Maryland passed the Judge Andrew F. Wilkinson Judicial Security Act — named after a county circuit court judge who was murdered by an individual involved in a divorce proceeding over which he was presiding. The law allows current and former members of the Maryland judiciary to request their personal information not be made available to the public.
Under the Maryland law, personal information can include a home address; telephone number, email address; Social Security number or federal tax ID number; bank account or payment card number; a license plate or other unique vehicle identifier; a birth or marital record; a child’s name, school, or daycare; place of worship; place of employment for a spouse, child, or dependent.
The law firm Troutman Pepperwrites that “so far in 2024, 37 states have begun considering or have adopted similar privacy-based legislation designed to protect members of the judiciary and, in some states, other government officials involved in law enforcement.”
Atlas alleges that in response to requests to have data on its New Jersey law enforcement clients scrubbed from consumer records sold by LexisNexis, the data broker retaliated by freezing the credit of approximately 18,500 people, and falsely reporting them as identity theft victims.
In addition, Atlas said LexisNexis started returning failure codes indicating they had no record of these individuals, resulting in denials when officers attempted to refinance loans or open new bank accounts.
The data broker industry has responded by having at least 70 of the Atlas lawsuits moved to federal court, and challenging the constitutionality of the New Jersey statute as overly broad and a violation of the First Amendment.
Attorneys for the data broker industry argued in their motion to dismiss that there is “no First Amendment doctrine that exempts a content-based restriction from strict scrutiny just because it has some nexus with a privacy interest.”
Atlas’s lawyers responded that data covered under Daniel’s Law — personal information of New Jersey law enforcement officers — is not free speech. Atlas notes that while defending against comparable lawsuits, the data broker industry has argued that home address and phone number data are not “communications.”
“Data brokers should not be allowed to argue that information like addresses are not ‘communications’ in one context, only to turn around and claim that addresses are protectable communications,” Atlas argued (PDF). “Nor can their change of course alter the reality that the data at issue is not speech.”
The judge overseeing the challenge is expected to rule on the motion to dismiss within the next few weeks. Regardless of the outcome, the decision is likely to be appealed all the way to the U.S. Supreme Court.
Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states could limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.
Sen. Ron Wyden (D-Ore.) said Congress’ failure to regulate data brokers, and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created this current privacy crisis.
“Whether location data is being used to identify and expose closeted gay Americans, or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans’ deepest secrets and exposing them to serious harm, all for a few bucks,” Wyden said in a statement shared with KrebsOnSecurity, 404 Media, Haaretz, NOTUS, and The New York Times.
Sen. Wyden said Google also deserves blame for refusing to follow Apple’s lead by removing companies’ ability to track phones.
“Google’s insistence on uniquely tracking Android users – and allowing ad companies to do so as well – has created the technical foundations for the surveillance economy and the abuses stemming from it,” Wyden said.
Georgetown Law’s Justin Sherman said the data broker and mobile ad industries claim there are protections in place to anonymize mobile location data and restrict access to it, and that there are limits to the kinds of invasive inferences one can make from location data. The data broker industry also likes to tout the usefulness of mobile location data in fighting retail fraud, he said.
“All kinds of things can be inferred from this data, including people being targeted by abusers, or people with a particular health condition or religious belief,” Sherman said. “You can track jurors, law enforcement officers visiting the homes of suspects, or military intelligence people meeting with their contacts. The notion that the sale of all this data is preventing harm and fraud is hilarious in light of all the harm it causes enabling people to better target their cyber operations, or learning about people’s extramarital affairs and extorting public officials.”
WHAT CAN YOU DO?
Privacy experts say disabling or deleting your device’s MAID will have no effect on how your phone operates, except that you may begin to see far less targeted ads on that device.
Any Android apps with permission to use your location should appear when you navigate to the Settings app, Location, and then App Permissions. “Allowed all the time” is the most permissive setting, followed by “Allowed only while in use,” “Ask every time,” and “Not allowed.”
Android users can delete their ad ID permanently, by opening the Settings app and navigating to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. According to the EFF, this will prevent any app on your phone from accessing the ad ID in the future. Google’s documentation on this is here.
Image: eff.org
By default, Apple’s iOS requires apps to ask permission before they can access your device’s IDFA. When you install a new app, it may ask for permission to track you. When prompted to do so by an app, select the “Ask App Not to Track” option. Apple users also can set the “Allow apps to request to track” switch to the “off” position, which will block apps from asking to track you.
Apple’s Privacy and Ad Tracking Settings.
Apple also has its own targeted advertising system which is separate from third-party tracking enabled by the IDFA. To disable it, go to Settings, Privacy, and Apple Advertising, and ensure that the “Personalized Ads” setting is set to “off.”
Finally, if you’re the type of reader who’s the default IT support person for a small group of family or friends (bless your heart), it would be a good idea to set their devices not to track them, and to disable any apps that may have location data sharing turned on 24/7.
There is a dual benefit to this altruism, which is clearly in the device owner’s best interests. Because while your device may not be directly trackable via advertising data, making sure they’re opted out of said tracking also can reduce the likelihood that you are trackable simply by being physically close to those who are.
What benefits do these things offer when a general purpose computer can do so
many things nowadays? Is there a USB keyboard that you can connect to a
laptop or phone to do these things? I presume that all recent phones have the
compute power to do all the synthesis you need if you have the right
software. Is it just a lack of software and infrastructure for doing it on
laptops/phones that makes synthesisers still viable?
I've decided to turn my response into a post of its own.
The issue is definitely not compute power. You can indeed attach a USB keyboard
to a computer and use a plethora of software synthesisers, including very
faithful emulations of all the popular classics. The raw compute power of
modern hardware synths is comparatively small: I’ve been told the modern Korg
digital synths are on a par with a raspberry pi. I’ve seen some DSPs which are
32 bit ARMs, and other tools which are roughly equivalent to arduinos.
I can think of four reasons hardware synths remain popular with some despite
the above:
As I touched on in my original synth post, computing dominates my
life outside of music already. I really wanted something separate from
that to keep mental distance from work.
Synths have hard real-time requirements. They don't have raw power in
compute terms, but they absolutely have to do their job within microseconds
of being instructed to, with no exceptions. Linux still has a long way to go
for hard real-time.
The Linux audio ecosystem is… complex. Dealing with pipewire, pulseaudio,
jack, alsa, oss, and anything else I've forgotten, as well as their failure
modes, is too time consuming.
The last point is to do with creativity and inspiration. A good synth is
more than the sum of its parts: it's an instrument, carefully designed and
its components integrated by musically-minded people who have set out to
create something to inspire. There are plenty of synths which aren't good
instruments, but have loads of features: they’re boxes of "stuff". Good
synths can't do it all: they often have limitations which you have to
respond to, work around or with, creatively. This was expressed better than
I could by Trent Reznor in the video archetype of a synthesiser:
I nearly did, but ultimately I didn't buy an Arturia Microfreak.
The Microfreak is a small form factor hybrid synth with a distinctive style.
It's priced at the low end of the market and it is overflowing with features.
It has a weird 2-octave keyboard which is a stylophone-style capacitive strip
rather than weighted keys. It seems to have plenty of controls, but given the
amount of features it has, much of that functionality is inevitably buried in
menus. The important stuff is front and centre, though. The digital
oscillators are routed through an analog filter. The Microfreak gained sampler
functionality in a firmware update that surprised and delighted its owners.
I watched a load of videos about the Microfreak, but the above review from
musician Stimming stuck
in my mind because it made a comparison between the Microfreak and Teenage
Engineering's OP-1.
The Teenage Engineering OP-1.
I'd been lusting after the OP-1 since it appeared in 2011: a
pocket-sized1 music making machine with eleven synthesis engines, a
sampler, and less conventional features such as an FM radio, a large colour
OLED display, and a four track recorder. That last feature in particular was
really appealing to me: I loved the idea of having an all-in-one machine to try
and compose music. Even then, I was not keen on involving conventional
computers in music making.
Of course in many ways it is a very compromised machine. I never did buy a
OP-1, and by now they've replaced it with a new model (the OP-1 field)
that costs 50% more (but doesn't seem to do 50% more) I'm still not buying one.
Framing the Microfreak in terms of the OP-1 made the penny drop for me.
The Microfreak doesn't have the four-track functionality, but almost no synth
has: I'm going to have to look at something external to provide that. But it
might capture a similar sense of fun; it's something I could use on the sofa,
in the spare room, on the train, during lunchbreaks at work, etc.
So I didn't buy the Microfreak. Maybe one day in the future once I'm further
down the road. Instead, I started to concentrate my search on more fundamental,
back-to-basics instruments…
When processing HTTP requests, you frequently need to check the parameters which were sent along with that request. Those parameters are generally passed as stringly-typed key/value pairs. None of this is news to anyone.
What is news, however, is how Brodey's co-worker indexed the key/value pairs.
The goal of this code is to take a certain set of keys and construct a URLParams string which represents those key/values as an HTTP query string. The first thing to get out of the way: .NET has a QueryString type that handles the construction of the query string for you (including escaping), so that you don't need to do any string concatenation.
But the real WTF is everything surrounding that. We opt to iterate across every key- not just the ones we care about- and use the GetKey(i) function to check each individual key in an extensive chain of OrElse statements.
The obvious and simpler approach would have been to iterate across an array of the keys I care about- ID, new, FID, enabled, my, msgType, Type, EID, Title, ERROR- and simply check if they were in the Request.
I suppose the only silver lining here is that they thought to use the OrElse operator- which is a short-circuiting "or" operation, like you'd expect in just about any other language, instead of Or, which doesn't short circuit (pulling double duty as both a bitwise Or and a logical Or, because Visual Basic wants to contribute some WTFs).
[Advertisement] Plan Your .NET 9 Migration with Confidence Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!
Author: Majoki Silence Wildgoose was lost. Not an uncommon occurrence in the weighty mists that formed on the fells. Getting turned around on the moor was not something that ever put her on edge, but she sensed something else had descended to earth with the mists as well, and Silence was not pleased. She’d made […]
In the last weeks qmpbackup has seen a
bit more improvements.
Adds support for CEPH/RBD backed devices.
Allows to use unique bitmaps for having multiple, separate backup chains.
Adds support for jsonified filename configurations like often used on
proxmox systems.
Adds support for saving attached pflash/nvram devices (storing UEFI related
settings)
qmprestore can now merge the backup chain into a new image file and the
new snapshotrebase command can rebase the images and after committing,
creates an internal qcow snapshot, so one can easily switch between
different vm states in the backup.
Ive been running it lately to backup Virtual machines on proxmox systems, where
the proxmox backup server is not an option.
As some of you know, I've been spending a lot of time in recent years researching (and practically exploring +
re-implementing) historical telecommunications with my retronetworking project.
Retrocomputing itself is not my main focus. I usually feel there's more than enough people operating,
repairing, documenting at least many older computers, as well as keeping archives of related software and
continuing to spread knowledge on how they operated. Nevertheless, it is a very interesting topic - I just
decided that with my limited spare time I want to focus on retro-communications which is under-explored and
under-represented.
What's equally important than keeping the old technology alive, is keeping the knowledge around its creation
alive. How did it happen that certain technologies were created and became successful or not? How where they
key people behind it? etc.
Given my personal history with Taiwan during the last 18 years, it's actually surprising I haven't yet given
thought on how or where the history of the Taiwanese IT industry is documented or kept alive. So far I didn't
know of any computer museums that would focus especially on the Taiwanese developments. It didn't even occur
to me to even check if there are any.
During my work in Taiwan I've had the chance to briefly meet a few senior people at FIC (large mainboard maker
that made many PC mainboards I personally used) and both at VIA (chipset + CPU maker). But I didn't ever have
a chance to talk about the history.
In any case, I now found those transcripts of interviews. And what a trove of interesting first-hand
information they are! If you have an interest in computer history, and want to understand how it came about
that Taiwan became such a major player in either the PC industry or in the semiconductor design +
manufacturing, then I believe those transcripts are a "must read".
Now they've made me interested to learn more. I have little hope of many books being published on that
subject, particularly in a Language I can read (i.e. English, not mandarin Chinese). But I shall research
that subject. I'd also be interested to hear about any other information, like collections of historical
artifacts, archives, libraries, etc. So in the unlikely case anybody reading this has some pointers on
information about the history of the Taiwanese Chip and Computer history, please by all means do reach out and
share!.
Once I have sufficiently prepared myself in reading whatever I can find in terms of written materials, I might
be tempted to try to reach out and see if I can find some first-hand witnesses who'd want to share their
stories on a future trip to Taiwan...
Some of the readers of this blog know that I have a very special relationship with Taiwan. As a teenager, it
was the magical far-away country that built most of the PC components in all my PCs since my first 286-16 I
got in 1989. Around 2006-2008 I had the very unexpected opportunity to work in Taiwan for some time (mainly
for Openmoko, later some consulting for VIA). During that time I have always felt most welcome in and fascinated
by the small island nation who managed to turn themselves into a high-tech development and manufacturing site
for ever more complex electronics. And who managed to evolve from decades of military dictatorship and turn
into a true democracy - all the while being discriminated by pretty much all of the countries around the
world, as everybody wanted to benefit from cheap manufacturing in mainland China and hence expel democratic
Taiwan from the united nations in favour of communist mainland Chine.
I have the deepest admiration for Taiwan to manage all of their economic success and progress in terms of
democracy and freedom despite the political situation across the Taiwan strait, and despite everything that
comes along with it. May they continue to have the chance of continuing their path.
Setting economy, society and politics behind: On a more personal level I've enjoyed their culinary marvels
from excellent dumplings around every street corner to niu rou mien (beef noodle soup) to ma la huo guo
(spicy hot pot). Plus then the natural beauty, particularly of the rural mountainous regions once you leave
the densely populated areas around the coast line and the plains of the north west.
While working in Taiwan in 2006/2007 I decided to buy a motorbike. Using that bike I've first made humble
day trips and later (once I was no longer busy with stressful work at Openmoko) multiple week-long road trips
around the island, riding on virtually any passable road you can find. My typical routing algorithm is "take
the smallest possible road from A to B".
So even after concluding my work in Taiwan, I returned again and again for holidays, each one with more road
trips. For some time, Taiwan had literally become my second home. I had my favorite restaurants, shops, as
well as some places around the rural parts of the Island I cam back to several times. I even managed to take
up some mandarin classes, something I never had the time for while doing [more than] full time work. To my
big regret, it's still very humble beginner level; I guess had I not co-started a company (sysmocom) in Berlin
in 2011, I'd have spent more time for a more serious story.
In any case, I have nothing but the fondest memory of Taiwan. My frequent visits cam to a forcible halt with
the COVID-19 pandemic, Taiwan was in full isolation in 2020/21, and even irrespective of government
regulations, I've been very cautious about travel and contact. Plus of course, there's always the bad
conscience of frequent intercontinental air travel.
Originally I was planning to finally go on an extended Taiwan holiday in Summer 2024, but then the island was
hit by a relatively serious earthquake in April, affecting particularly many of the remote mountain regions
that are of main interest to me. There are some roads that I'd have wanted to ride ever since 2008, but which
had been closed every successive year when I went there, due to years of reconstructions after [mostly
landslides following] earthquakes and typhoons. So I decided to postpone it for another year to 2025.
However, in an unexpected change of faith, the opportunity arose to give the opening Keyonte at the 2024
Open Compliance Summit in Japan, and along with that the opportunity to do a stop-over in Taiwan. It will
just be a few days of Taipei this time (no motorbike trips), but I'm very much looking forward to being
back in the city I probably know second or third-best on the planet (after Berlin, my home for 23 years, as
well as Nuernberg, my place of birth). Let's see what is still the same and what has changed during the past
5 years!
Our stories come from you, our readers- which, it's worth reminding everyone, keep those submissions coming in. There's nothing on this site without your submissions.
Now, we do get some submissions which don't make the page. Frequently, it's simply because we simply don't have enough context from the submission to understand it or comment on it effectively. Often, it's just not that remarkable. And sometimes, it's because the code isn't a WTF at all.
So I want to discuss some of these, because I think it's still interesting. And it's unfair to expect everyone to know everything, so for the submitters who discover they didn't understand why this code isn't bad, you're one of today's lucky 10,000.
The Asterisk open source telephony engine has some features that need to know from which direction they've been invoked in a two-way call. This is called "sense" in the Asterisk lingo, and there are two macros defined in the source which allow you to textually know if you're talking about this direction or the other. This of course stands for 1 and 0 respectively, but they couldn't have just simply go on and say that - it has to be "interesting". Do also note, as this is a macro, it means that whenever someone sets or tests the "sense", another redundant bit shift operation is done.
First, minor detail- this stands for 1 and 2 respectively. And what's important here is that these fields are clearly meant to be a bitmask. And when we're talking about a bitmask, using bitshift operators makes the code more clear. And we can generally rely on a shift by zero bits to be a no-op, and any compiler should be smart enough to spot that and optimize the operation out. Hell, a quick check with GCC shows that even the (1 << 1) gets optimized to just the constant 0x2.
Not a WTF, but it does highlight something we've commented on in the past- bitmasks can be confusing for people. This is a good example of that. But not only is this not a WTF, but it's not even bad code.
(Now, it may be the case that these are never really used as a bitmask, in which case, that's a mild WTF, but that's not what Guss was drawing our attention to)
In other cases, the code is bad, but it may be reacting to the badness it's surrounded by. Greg inherited this blob from some offshore contractors:
Now, seeing a string variable called BoolLog is a big red flag about bad code inbound. And we see handling some stringly typed boolean data to try and get a truth value. Which all whiffs of bad code.
But let's talk about the Windows Registry. It's typed, but the types are strings, lists of strings, and various numeric types. There's no strictly boolean type. And sure, while explicitly storing a 1 in a numeric field is probably a better choice for the registry than string booleans, there are reasons why you might do that (especially if you frequently need to modify Registry keys by hand, like when you're debugging).
The real WTF, in this case, isn't this code, but is instead the Windows Registry. Having a single tree store be the repository for all your system configuration sounds like a good idea on paper, but as anyone who's worked with it has discovered- it's a nightmare. The code here isn't terrible. It's not good, but it's a natural reaction to the terrible world in which it lives.
Sometimes, the code is actually downright awful, but it's just hard to care about too much. Rudolf was shopping for bulk LEDs, which inevitably leads one to all sorts of websites based in China offering incredibly cheap prices and questionable quality control.
The site Rudolf was looking at had all sorts of rendering glitches, and so out of curiosity, he viewed the source.
{\rtf1\ansi\ansicpg1252\deff0\deflang2055{\fonttbl{\f0\froman\fcharset0 Times New Roman;}{\f1\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\f0\fs24 <html>\par
\par
<head><metahttp-equiv="refresh"content="1; url=http://totally-fine-leds-really-its-fine.ch"> \par
Here we see someone wrote their HTML in WordPad, and saved the file as an RTF, instead of a plain text file. Which sure, is bad. But again, we need to put this in context: this almost certainly isn't the page for handling any transactions or sales (that almost certainly uses a prebaked ecommerce plugin). This is their approach to letting "regular" users upload content to the site- frequently documentation pages. This isn't a case where some developer should have known better messed up- this is almost certainly some sales person who has an HTML template to fill in and upload. It probably stretches their technical skills to the limit to "Save As…" in WordPad.
So the code isn't bad. Again, the environment in which it sits is bad. But this is a case where the environment doesn't matter- these kinds of sites are really hoping to score some B2B sales in bulk quantities, and "customer service" and "useful website" isn't going to drive sales better than "bargain basement prices" will. They're not trying to sell to consumers, they're trying to sell to a company which will put these into consumer products. Honestly, we should be grateful that they at least tried to make an HTML file, and didn't just upload PDFs, which is usually what you find on these sites.
Sometimes, we don't have a WTF. Sometimes, we have a broken world that we can just do our best to navigate. We must simply do our best.
Author: Justin Anderson [Begin transcript] I wear different shoes and take a different route every time I come down here. The last thing I need is to be tracked by the cameras and the drones hiding all over this sector. On the way here, I kept my mind empty. Didn’t betray where I was going. […]
We just returned from Pasadena, where Caltech - my alma mater - installed me as Distinguished Alumnus. An honor that I sincerely never expected, given the many brilliant minds I knew when I was there. Reflecting on that is humbling - even 'imposter syndroming' - though people kindly urged me to think otherwise.
In today's delayed posting, I'll be mostly taking a pause from politics... though the topic of my previous blog - about the likelihood of blackmail poisoning top levels of the U.S. republic - remains horrifically plausible...
I've already posted elsewhere about the incredible "chopstix" landing-grab of a returning heavy-lift SpaceX booster stage. The concept is now proved, even though a whole lot more incremental steps are needed.
Don't let any polemical jibber-distractions take away from the wonder that was achieved by Gwynne Shotwell and her SpaceX team.
Anyway, as for that distracting blather... well... I recall when there was a similar problem with Frank Zappa -- vast accomplishments that he seemed bent on contiuously spoiling with audience-insulting rants -- until (at last) Zappa listened to the fans shouting he should "Shut up and play your Guitar!"
The ratio of ravings to accomplishments seems similar, this time. And what will be remembered (whether or not that wise example is followed) is the 'guitar.'**
== The next steps in space exploration? ==
On this Future in Review (FiRe) podcast, I'm interviewed by the brilliant Berit Anderson - focusing on the near and mid-future of human spaceflight, especially Artemis and other planned missions to the Moon. (Incidentally, the annualFiRe Conference - one of the most visionary gatherings on the planet - has been postponed due to landslides.)
Also.... Just released: a newly-updated version of Project Solar Sail: 21st Century Edition: A collection of stories and essays exploring the future of lightships and solar sails in propelling interplanetary... and then interstellar... exploration!
This volume (which I edited with Stephen W. Potts) offers classic contributions by Arthur C. Clarke, Isaac Asimov, Larry Niven, Poul Anderson, Jack Vance, and others... plus new material, including by JPL scientists exploring the latest technologies and vast potential for sails in the future of space exploration.
NASA's Innovative & Advanced Concepts program - (NIAC) - is pleased to announce the 2024 NIAC Phase III award to the mighty pioneer of applications of spaceflight to future biology, and vice versa, Lynn Rothschild: “Mycotecture Off Planet: En Route to the Moon and Mars.”
In other words, growing space habitats with the help of fungi and mushrooms! A house that protects you from vacuum and radiation... and that you can eat!For a list of all early stage NIAC research, please visit the Funded Studies page.
The Curiosity Mars rover rolled over a rock, accidentally crushing it open to reveal yellow crystals of elemental sulfur! - the first time sulfur has been found in its elemental form on Mars.
A fine article about my friend & colleague (and half of a mighty fencing team) Geoff Landis, epic scifi author and incidentally superstar NASA scientist, proposing ways to explore Venus. See also Land-Sailing: Venus Rover, where Landis introduces younger readers to methods of exploring - and traveling across - the surface of Venus.
Many of you are familiar with Lagrange points – L1 through L5 – where gravity balance between two objects (the smaller orbiting the larger) creates ‘tidepools’ where even-smaller things can gather. Temporarily or (in the case of Jupiter’s Trojan asteroid clusters) permanently. Here Anton Petrov talks about a (slim) possibility that there might be such a point between our sun and the galactic center.It would not be able to collect much, with other stars whipping by over millions of years. But still… I do talk about galactic tidepools in Infinity’s Shore!
Mysterious brightening of a distant galaxy: Did this galaxy suddenly brighten, doubling in infrared frequencies, a 10 fold increase in X-rays)… because its central black hole ate a star?
Two huge galactic clusters were colliding at 1% of light speed, billions of years away/ago, heating their gas clouds prodigiously as drag slowed them down… "These cluster collisions are the most energetic phenomena since the Big Bang…" But while drag slowed the gas and stars, the galaxies’ dark matter apparently kept rolling on ahead at the original velocities, separating dark from regular matter clumps. This is pretty good reporting on how much detailed sleuthing is involved in figuring all this out.
== Truly mind-stretching! ==
Incredible. About 20 seconds into this video by Anton Petrov (one of the best ‘casts about new discoveries in space) you’ll see an amazing image from the Webb Space Telescope. A very deep field photo that dives into the faint past, beyond redshift-3, this one image captures eighty(!) supernovae taking place ‘simultaneously’ (as seen from Earth today) in a single, narrow frame. Each in a different galaxy.
There are so many things this tells us.
1. Since any one supernova only remains stand-out visible for a few weeks (maybe a bit longer in infrared, the Webb specialty), this means there ‘are’ absolute gobs of them happening out there…
2. …or there used to be gobs of them, since we are in this case peering way back in time, making it a wee bit less surprising, since early star formation must have led to a great many giant, 1st generation stars, of the kind the burn bright and then blow themselves up with core-collapse supernovas… seeding later generations with heavier elements. Certainly, nothing like this rate is occurring “today”… (our redshift <1 era.) Though Betelgeuse is simmering...
3. Since each of the circled supernovae happened in a different galaxy… and it had to be happening a lot, in order for these brief bursts to be so common in one patch of deep sky... it gives you a truly boggling idea how many galaxies there are. A mind stretch that I can only perform for a few seconds at a time. Read more: NASA's Webb opens new window on supernova science..
That we are a civilization capable of building such a wonder as the Webb… and perceiving and marveling at such wonders… fills me with joy! And also fear that we might throw it all away, in a fit of anti-modernity angst, Pushed by powerful fools bent on restoring us to feudalism’s darkness.
More impact news...
Recent chemical and isotopic analyses from samples obtained by coring into the Chicxulub, Mexico's crater site in the Yucatan peninsula, indicate that the 66-million year old mass-extinction event was likely caused by the impact of a carbonaceous asteroid, originating from the outer solar system, rather than a comet.
And yeah. Again. ALL of this is under threat by ingrates with a lunatic grudge against not only scientists, but every fact-using profession. A too-seldom-mentioned aspect of this dire fight for the only civilization that ever brought us all these wonders... and that now stands poised to venture the stars.
If we decide not to blow it.
====
====
** Patrick Farley's Electric Sheep Comixappears to no longer support the beautiful series DON'T LOOK BACK, which featured Guitar spaceships! You could nag him to repost it?
Or else enjoy... and be terrified by... APOCAMON, revealing what fate some of our neighbors believe and fervently salivate for, from from the Book of Revelation. OMG read that one and know what they want and plan for us! People who want this are not nice and they are openly telling you what they want for you.
A new minor release of the drat package
arrived on CRAN today, which is
just over a year since the previous release. drat stands for
drat R Archive Template, and helps with easy-to-create and
easy-to-use repositories for R packages. Since its inception in
early 2015 it has found reasonably widespread adoption among R users
because repositories with marked releases is the better way to
distribute code.
Because for once it really is as your mother told you: Friends
don’t let friends install random git commit snapshots. Properly
rolled-up releases it is. Just how CRAN shows us: a model that has
demonstrated for over two-and-a-half decades how to do this.
And you can too: drat is easy to use, documented by six
vignettes and just works. Detailed information about
drat is at its documentation site. That
said, and ‘these days’, if you mainly care about github code then r-universe is there too, also
offering binaries its makes and all that jazz. But sometimes you just
want to, or need to, roll a local repository and drat can help
you there.
This release contains a small PR (made by Arne Holmin just after the
previous release) adding support for an ‘OSflacour’ variable (helpful
for macOS). We also corrected an issue with one test file being
insufficiently careful of using git2r only when installed,
and as usual did a round of maintenance for the package concerning both
continuous integration and documentation.
The NEWS file summarises the release as follows:
Changes in drat
version 0.2.5 (2024-10-21)
Function insertPackage has a new optional argument
OSflavour (Arne Holmin in #142)
A test file conditions correctly about git2r being present (Dirk)
Several smaller packaging updates and enhancements to continuous
integration and documentation have been added (Dirk)
List of public mirrors in India. Location discovered basis personal knowledge, traces or GeoIP. Mirrors which aren’t accessible outside their own ASN are excluded.
This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion.
I'm in the unlucky position to have to deal with GitHub. Thus
I've a terraform module in a project which deals with
populating organization secrets in our GitHub organization, and
assigning repositories access to those secrets.
Since the GitHub terraform provider internally works mostly
with repository IDs, not slugs (this human readable
organization/repo format), we've to do some mapping in between.
In my case it looks like this:
#tfvars Input for Module
org_secrets = {
"SECRET_A" = {
repos = [
"infra-foo",
"infra-baz",
"deployment-foobar",
]
"SECRET_B" = {
repos = [
"job-abc",
"job-xyz",
]
}
}
# Module Code
/*
Limitation: The GH search API which is queried returns at most 1000
results. Thus whenever we reach that limit this approach will no longer work.
The query is also intentionally limited to internal repositories right now.
*/
data "github_repositories" "repos" {
query = "org:myorg archived:false -is:public -is:private"
include_repo_id = true
}
/*
The properties of the github_repositories.repos data source queried
above contains only lists. Thus we've to manually establish a mapping
between the repository names we need as a lookup key later on, and the
repository id we got in another list from the search query above.
*/
locals {
# Assemble the set of repository names we need repo_ids for
repos = toset(flatten([for v in var.org_secrets : v.repos]))
# Walk through all names in the query result list and check
# if they're also in our repo set. If yes add the repo name -> id
# mapping to our resulting map
repos_and_ids = {
for i, v in data.github_repositories.repos.names : v => data.github_repositories.repos.repo_ids[i]
if contains(local.repos, v)
}
}
resource "github_actions_organization_secret" "org_secrets" {
for_each = var.org_secrets
secret_name = each.key
visibility = "selected"
# the logic how the secret value is sourced is omitted here
plaintext_value = data.xxx
selected_repository_ids = [
for r in each.value.repos : local.repos_and_ids[r]
if can(local.repos_and_ids[r])
]
}
Now if we do something bad, delete a repository and forget to remove it
from the configuration for the module, we receive some error message that a (numeric)
repository ID could not be found. Pretty much useless for the average user because
you've to figure out which repository is still in the configuration list, but got deleted
recently.
Luckily terraform supports since version
1.2 precondition checks, which we can use in an output-block
to provide the information which repository is missing. What we
need is the set of missing repositories and the validation condition:
locals {
# Debug facility in combination with an output and precondition check
# There we can report which repository we still have in our configuration
# but no longer get as a result from the data provider query
missing_repos = setsubtract(local.repos, data.github_repositories.repos.names)
}
# Debug facility - If we can not find every repository in our
# search query result, report those repos as an error
output "missing_repos" {
value = local.missing_repos
precondition {
condition = length(local.missing_repos) == 0
error_message = format("Repos in config missing from resultset: %v", local.missing_repos)
}
}
Now you only have to be aware that GitHub is GitHub and the TF provider has open bugs,
but is not supported by GitHub and you will encounter
inconsistent results. But
it works, even if your terraform apply failed that way.
This is an example of what all of their tests look like. There are almost no tests of functionality, and instead just long piles of these kinds of type assertions. Which, having type assertions isn't a bad idea, most of these would be caught by the compiler:
DerviesFrom<object> is a tautology (perhaps this test framework is ensuring it doesn't derive from other classes? but object is the parent of all classes)
IsConcreteClass would be caught at compile time anywhere someone created an instance
HasDefaultConstructor would again, be caught if it were used
Implement<IEntity> would also be caught anywhere you actually tried to use polymorphism.
IsSealed and IsNotDecorated will actually do something, I suppose, though I wonder how much I actually care about that something. It's not wrong to check, but in the absence of actual real unit tests, why do I care?
Because every class had a test like this, and because of the way the test framework worked, when they ran code coverage metrics, they got a 100% score. It wasn't testing any of the code, mind you, but hey, the tests touched all of it.
[Advertisement]
Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Author: Julian Miles, Staff Writer “Did you see that?” I look at Lopaka. “What?” He indicates with the muzzle of his laser. “Over there. To the left of the big blue rock that’s right of the black cube.” “Between the dark monolith and the blue boulder?” He gives me the side-eye. “That’s what I said, […]
As usual with these every-two-year posts, probably of direct interest only
to California residents. Maybe the more obscure things we're voting on
will be a minor curiosity to people elsewhere. I'm a bit late this year,
although not as late as last year, so a lot of people may have already
voted, but I've been doing this for a while and wanted to keep it up.
This post will only be about the ballot propositions. I don't have
anything useful to say about the candidates that isn't hyper-local. I
doubt anyone who has read my posts will be surprised by which candidates
I'm voting for.
As always with Calfornia ballot propositions, it's worth paying close
attention to which propositions were put on the ballot by the legislature,
usually because there's some state law requirement (often that I disagree
with) that they be voted on by the public, and propositions that were put
on the ballot by voter petition. The latter are often poorly written and
have hidden problems. As a general rule of thumb, I tend to default to
voting against propositions added by petition. This year, one can
conveniently distinguish by number: the single-digit propositions were
added by the legislature, and the two-digit ones were added by petition.
Proposition 2: YES. Issue $10 billion in bonds for public school
infrastructure improvements. I generally vote in favor of spending
measures like this unless they have some obvious problem. The opposition
argument is a deranged rant against immigrants and government debt and
fails to point out actual problems. The opposition argument also claims
this will result in higher property taxes and, seriously, if only that
were true. That would make me even more strongly in favor of it.
Proposition 3: YES. Enshrines the right to marriage without
regard to sex or race into the California state constitution. This is
already the law given US Supreme Court decisions, but fixing California
state law is a long-overdue and obvious cleanup step. One of the quixotic
things I would do if I were ever in government, which I will never be,
would be to try to clean up the laws to make them match reality, repealing
all of the dead clauses that were overturned by court decisions or are
never enforced. I am in favor of all measures in this direction even when
I don't agree with the direction of the change; here, as a bonus, I also
strongly agree with the change.
Proposition 4: YES. Issue $10 billion in bonds for
infrastructure improvements to mitigate climate risk. This is basically
the same argument as Proposition 2. The one drawback of this measure is
that it's kind of a mixed grab bag of stuff and probably some of it should
be supported out of the general budget rather than bonds, but I consider
this a minor problem. We definitely need to ramp up climate risk
mitigation efforts.
Proposition 5: YES. Reduces the required super-majority to pass
local bond measures for affordable housing from 67% to 55%. The fact that
this requires a supermajority at all is absurd, California desperately
needs to build more housing of any kind however we can, and publicly
funded housing is an excellent idea.
Proposition 6: YES. Eliminates "involuntary servitude" (in other
words, "temporary" slavery) as a legally permissible punishment for crimes
in the state of California. I'm one of the people who think the 13th
Amendment to the US Constitution shouldn't have an exception for
punishment for crimes, so obviously I'm in favor of this. This is one
very, very tiny step towards improving the absolutely atrocious prison
conditions in the state.
Proposition 32: YES. Raises the minimum wage to $18 per hour
from the current $16 per hour, over two years, and ties it to inflation.
This is one of the rare petition-based propositions that I will vote in
favor of because it's very straightforward, we clearly should be raising
the minimum wage, and living in California is absurdly expensive because
we refuse to build more housing (see Propositions 5 and 33). The
opposition argument is the standard lie that a higher minimum wage will
increase unemployment, which we know from numerous other natural
experiments is simply not true.
Proposition 33: NO. Repeals Costa-Hawkins, which prohibits local
municipalities from enacting rent control on properties built after 1995.
This one is going to split the progressive vote rather badly, I suspect.
California has a housing crisis caused by not enough housing supply. It
is not due to vacant housing, as much as some people would like you to
believe that; the numbers just don't add up. There are way more people
living here and wanting to live here than there is housing, so we need to
build more housing.
Rent control serves a valuable social function of providing stability to
people who already have housing, but it doesn't help, and can hurt, the
project of meeting actual housing demand. Rent control alone
creates a two-tier system where people who have housing are protected but
people who don't have housing have an even harder time getting housing
than they do today. It's therefore quite consistent with the general
NIMBY playbook of trying to protect the people who already have housing by
making life harder for the people who do not, while keeping the housing
supply essentially static.
I am in favor of rent control in conjunction with real measures to
increase the housing supply. I am therefore opposed to this proposition,
which allows rent control without any effort to increase housing supply.
I am quite certain that, if this passes, some municipalities will use it
to make constructing new high-density housing incredibly difficult by
requiring it all be rent-controlled low-income housing, thus cutting off
the supply of multi-tenant market-rate housing entirely. This is already
a common political goal in the part of California where I live. Local
neighborhood groups advocate for exactly this routinely in local political
fights.
Give me a mandate for new construction that breaks local zoning
obstructionism, including new market-rate housing to maintain a healthy
lifecycle of housing aging into affordable housing as wealthy people move
into new market-rate housing, and I will gladly support rent control
measures as part of that package. But rent control on its own just
allocates winners and losers without addressing the underlying problem.
Proposition 34: NO. This is an excellent example of why I vote
against petition propositions by default. This is a law designed to
affect exactly one organization in the state of California: the AIDS
Healthcare Foundation. The reason for this targeting is disputed; one
side claims it's because of the AHF support for Proposition 33, and
another side claims it's because AHF is a slumlord abusing California
state funding. I have no idea which side of this is true. I also don't
care, because I am fundamentally opposed to writing laws this way. Laws
should establish general, fair principles that are broadly applicable, not
be written with bizarrely specific conditions (health care providers that
operate multifamily housing) that will only be met by a single
organization. This kind of nonsense creates bad legal codes and the legal
equivalent of technical debt. Just don't do this.
Proposition 35: YES. I am, reluctantly, voting in favor of this
even though it is a petition proposition because it looks like a useful
simplification and cleanup of state health care funding, makes an expiring
tax permanent, and is supported by a very wide range of organizations that
I generally trust to know what they're talking about. No opposition
argument was filed, which I think is telling.
Proposition 36: NO. I am resigned to voting down attempts to
start new "war on drugs" nonsense for the rest of my life because the
people who believe in this crap will never, ever, ever stop. This one has
bonus shoplifting fear-mongering attached, something that touches on nasty
local politics that have included large retail chains manipulating crime
report statistics to give the impression that shoplifting is up
dramatically. It's yet another round of the truly horrific California
"three strikes" criminal penalty obsession, which completely
misunderstands both the causes of crime and the (almost nonexistent)
effectiveness of harsh punishment as deterrence.
Ada Lovelace Day was
celebrated on October 8 in 2024, and on this occasion, to celebrate and
raise awareness of the contributions of women to the STEM fields we
interviewed some of the women in Debian.
Here we share their thoughts, comments, and concerns with the hope of inspiring
more women to become part of the Sciences, and of course, to work inside of
Debian.
This article was simulcasted to the debian-women mail list.
Beatrice Torracca
1. Who are you?
I am Beatrice, I am Italian. Internet technology and everything computer-related
is just a hobby for me, not my line of work or the subject of my academic
studies. I have too many interests and too little time. I would like to do lots
of things and at the same time I am too Oblomovian to do any.
2. How did you get introduced to Debian?
As a user I started using newsgroups when I had my first dialup connection and
there was always talk about this strange thing called
Linux. Since moving from DR DOS to Windows was a shock
for me, feeling like I lost the control of my machine, I tried Linux with
Debian Potato and I never strayed
away from Debian since then for my personal equipment.
3. How long have you been into Debian?
Define "into". As a user... since Potato, too many years to count. As a
contributor, a similar amount of time, since early 2000 I think. My first
archived email about contributing to the translation of the description of
Debian packages dates 2001.
4. Are you using Debian in your daily life? If yes, how?
Yes!! I use testing. I have it on my desktop PC at home and I have it on my
laptop. The desktop is where I have a local IMAP server that fetches all the
mails of my email accounts, and where I sync and back up all my data. On both I
do day-to-day stuff (from email to online banking, from shopping to taxes), all
forms of entertainment, a bit of work if I have to work from home
(GNU R for statistics,
LibreOffice... the usual suspects). At work I am
required to have another OS, sadly, but I am working on setting up a
Debian Live system to use there too.
Plus if at work we start doing bioinformatics there might be a Linux machine in
our future... I will of course suggest and hope for a Debian system.
5. Do you have any suggestions to improve women's participation in Debian?
This is a tough one. I am not sure. Maybe, more visibility for the women already
in the Debian Project, and make the newcomers feel seen, valued and welcomed. A
respectful and safe environment is key too, of course, but I think Debian made
huge progress in that aspect with the
Code of Conduct. I am a big fan of
promoting diversity and inclusion; there is always room for improvement.
Ileana Dumitrescu (ildumi)
1. Who are you?
I am just a girl in the world who likes cats and packaging
Free Software.
2. How did you get introduced to Debian?
I was tinkering with a computer running Debian a few years ago, and I decided to
learn more about Free Software. After a search or two, I found
Debian Women.
3. How long have you been into Debian?
I started looking into contributing to Debian in 2021. After contacting Debian
Women, I received a lot of information and helpful advice on different ways I
could contribute, and I decided package maintenance was the best fit for me. I
eventually became a Debian Maintainer in 2023, and I continue to maintain a few
packages in my spare time.
4. Are you using Debian in your daily life? If yes, how?
Yes, it is my favourite GNU/Linux operating system! I use it for email,
chatting, browsing, packaging, etc.
5. Do you have any suggestions to improve women's participation in Debian?
The mailing list for Debian Women may
attract more participation if it is utilized more. It is where I started, and I
imagine participation would increase if it is more engaging.
Kathara Sasikumar (kathara)
1. Who are you?
I'm Kathara Sasikumar, 22 years old and a recent Debian user turned Maintainer
from India. I try to become a creative person through sketching or playing
guitar chords, but it doesn't work! xD
2. How did you get introduced to Debian?
When I first started college, I was that overly enthusiastic student who signed
up for every club and volunteered for anything that crossed my path just like
every other fresher.
But then, the pandemic hit, and like many, I hit a low point. COVID depression
was real, and I was feeling pretty down. Around this time, the
FOSS Club at my college suddenly became more active.
My friends, knowing I had a love for free software, pushed me to join the club.
They thought it might help me lift my spirits and get out of the slump I was in.
At first, I joined only out of peer pressure, but once I got involved, the club
really took off. FOSS Club became more and more active during the pandemic, and
I found myself spending more and more time with it.
A year later, we had the opportunity to host a
MiniDebConf at our college. Where I got to
meet a lot of Debian developers and maintainers, attending their talks
and talking with them gave me a wider perspective on Debian, and I loved the
Debian philosophy.
At that time, I had been distro hopping but never quite settled down. I
occasionally used Debian but never stuck around. However, after the MiniDebConf,
I found myself using Debian more consistently, and it truly connected with me.
The community was incredibly warm and welcoming, which made all the difference.
3. How long have you been into Debian?
Now, I've been using Debian as my daily driver for about a year.
4. Are you using Debian in your daily life? If yes, how?
It has become my primary distro, and I use it every day for continuous learning
and working on various software projects with free and open-source tools. Plus,
I've recently become a Debian Maintainer (DM) and have taken on the
responsibility of maintaining a few packages. I'm looking forward to
contributing more to the Debian community 🙂
Rhonda D'Vine (rhonda)
1. Who are you?
My name is Rhonda, my pronouns are she/her, or per/pers. I'm 51 years old,
working in IT.
2. How did you get introduced to Debian?
I was already looking into Linux because of university, first it was
SuSE. And people played around with gtk. But when they
packaged GNOME and it just didn't even install I
looked for alternatives. A working colleague from back then gave me a CD of
Debian. Though I couldn't install from it because
Slink didn't recognize the pcmcia
drive. I had to install it via floppy disks, but apart from that it was
quite well done. And the early GNOME was working, so I never looked back. 🙂
3. How long have you been into Debian?
Even before I was more involved, a colleague asked me whether I could help with
translating the release documentation. That was my first contribution to Debian,
for the slink release in early 1999. And I was using some other software before
on my SuSE systems, and I wanted to continue to use them on Debian obviously. So
that's how I got involved with packaging in Debian. But I continued to help with
translation work, for a long period of time I was almost the only person active
for the German part of the website.
4. Are you using Debian in your daily life? If yes, how?
Being involved with Debian was a big part of the reason I got into my jobs since
a long time now. I always worked with maintaining Debian (or
Ubuntu) systems.
Privately I run Debian on my laptop, with occasionally switching to Windows in
dual boot when (rarely) needed.
5. Do you have any suggestions to improve women's participation in Debian?
There are factors that we can't influence, like that a lot of women are pushed
into care work because patriarchal structures work that way, and don't have the
time nor energy to invest a lot into other things. But we could learn to
appreciate smaller contributions better, and not focus so much on the quantity
of contributions. When we look at longer discussions on mailing lists, those
that write more mails actually don't contribute more to the discussion, they
often repeat themselves without adding more substance. Through working on our
own discussion patterns this could create a more welcoming environment for a lot
of people.
Sophie Brun (sophieb)
1. Who are you?
I'm a 44 years old French woman. I'm married and I have 2 sons.
2. How did you get introduced to Debian?
In 2004 my boyfriend (now my husband) installed Debian on my personal computer
to introduce me to Debian. I knew almost nothing about Open Source. During my
engineering studies, a professor mentioned the existence of Linux,
Red Hat in particular, but without giving any details.
I've been a user since 2004. But I only started contributing to Debian in 2015:
I had quit my job and I wanted to work on something more meaningful. That's why
I joined my husband in Freexian, his company.
Unlike most people I think, I started contributing to Debian for my work. I only
became a DD in 2021 under gentle social pressure and when I felt confident
enough.
4. Are you using Debian in your daily life? If yes, how?
Of course I use Debian in my professional life for almost all the tasks: from
administrative tasks to Debian packaging.
I also use Debian in my personal life. I have very basic needs:
Firefox,
LibreOffice, GnuCash
and Rhythmbox are the main
applications I need.
Sruthi Chandran (srud)
1. Who are you?
A feminist, a librarian turned Free Software advocate and a Debian Developer.
Part of Debian Outreach team and
DebConf Committee.
2. How did you get introduced to Debian?
I got introduced to the free software world and Debian through my husband. I
attended many Debian events with him. During one such event, out of curiosity, I
participated in a Debian packaging workshop. Just after that I visited a Tibetan
community in India and they mentioned that there was no proper Tibetan font in
GNU/Linux. Tibetan font was my first package in Debian.
3. How long have you been into Debian?
I have been contributing to Debian since 2016 and Debian Developer since 2019.
4. Are you using Debian in your daily life? If yes, how?
I haven't used any other distro on my laptop since I got introduced to Debian.
5. Do you have any suggestions to improve women's participation in Debian?
I was involved with actively mentoring newcomers to Debian since I started
contributing myself. I specially work towards reducing the gender gap inside the
Debian and Free Software community in general. In my experience, I believe that
visibility of already existing women in the community will encourage more women
to participate. Also I think we should reintroduce mentoring through
debian-women.
Tássia Camões Araújo (tassia)
1. Who are you?
Tássia Camões Araújo, a Brazilian living in Canada. I'm a passionate learner who
tries to push myself out of my comfort zone and always find something new to
learn. I also love to mentor people on their learning journey. But I don't
consider myself a typical geek. My challenge has always been to not get
distracted by the next project before I finish the one I have in my hands. That
said, I love being part of a community of geeks and feel empowered by it. I love
Debian for its technical excellence, and it's always reassuring to know that
someone is taking care of the things I don't like or can't do. When I'm not
around computers, one of my favorite things is to feel the wind on my cheeks,
usually while skating or riding a bike; I also love music, and I'm always
singing a melody in my head.
2. How did you get introduced to Debian?
As a student, I was privileged to be introduced to FLOSS at the same time I was
introduced to computer programming. My university could not afford to have labs
in the usual proprietary software model, and what seemed like a limitation at
the time turned out to be a great learning opportunity for me and my colleagues.
I joined this student-led initiative to "liberate" our servers and build
LTSP-based labs - where a single powerful computer could power a few dozen
diskless thin clients. How revolutionary it was at the time! And what an
achievement! From students to students, all using Debian. Most of that group
became close friends; I've married one of them, and a few of them also found
their way to Debian.
3. How long have you been into Debian?
I first used Debian in 2001, but my first real connection with the community was
attending DebConf 2004. Since then, going to DebConfs has become a habit. It is
that moment in the year when I reconnect with the global community and my
motivation to contribute is boosted. And you know, in 20 years I've seen people
become parents, grandparents, children grow up; we've had our own child and had
the pleasure of introducing him to the community; we've mourned the loss of
friends and healed together. I'd say Debian is like family, but not the kind you
get at random once you're born, Debian is my family by choice.
4. Are you using Debian in your daily life? If yes, how?
5. Do you have any suggestions to improve women's participation in Debian?
I think the most effective way to inspire other women is to give visibility to
active women in our community. Speaking at conferences, publishing content,
being vocal about what we do so that other women can see us and see themselves
in those positions in the future. It's not easy, and I don't like being in the
spotlight. It took me a long time to get comfortable with public speaking, so I
can understand the struggle of those who don't want to expose themselves. But I
believe that this space of vulnerability can open the way to new connections. It
can inspire trust and ultimately motivate our next generation. It's with this in
mind that I publish these lines.
Another point we can't neglect is that in Debian we work on a volunteer basis,
and this in itself puts us at a great disadvantage. In our societies, women
usually take a heavier load than their partners in terms of caretaking and other
invisible tasks, so it is hard to afford the free time needed to volunteer. This
is one of the reasons why I bring my son to the conferences I attend, and so far
I have received all the support I need to attend DebConfs with him. It is a way
to share the caregiving burden with our community - it takes a village to raise
a child. Besides allowing us to participate, it also serves to show other women
(and men) that you can have a family life and still contribute to Debian.
My feeling is that we are not doing super well in terms of diversity in Debian
at the moment, but that should not discourage us at all. That's the way it is
now, but that doesn't mean it will always be that way. I feel like we go through
cycles. I remember times when we had many more active female contributors, and
I'm confident that we can improve our ratio again in the future. In the
meantime, I just try to keep going, do my part, attract those I can, reassure
those who are too scared to come closer. Debian is a wonderful community, it is
a family, and of course a family cannot do without us, the women.
These interviews were conducted via email exchanges in October, 2024. Thanks to
all the wonderful women who participated in this interview. We really appreciate
your contributions in Debian and to Free/Libre software.
In the past I haven’t had a high opinion of MG cars, decades ago they were small and expensive and didn’t seem to offer anything I wanted. As there’s a conveniently located MG dealer I decided to try out an MG electric car and see if they are any good. I brought two friends along who are also interested in new technology.
I went to the MG dealer without any preconceptions or much prior knowledge of the MG electric cars apart from having vaguely noticed that they were significantly cheaper than Teslas. I told the salesperson that I didn’t have a model in mind and I just wanted to see what MG offers, so they offered me a test driver of a “MG4 64 EXCITE”. The MG web site isn’t very good and doesn’t give an indication of what this model costs, my recollection is that it’s something like $40,000, the base model is advertised at $30,990. I’m not particularly interested in paying for extras above the base model and the only really desirable feature that the “Excite 64” offers over the “Excite 51” is the extra range (the numbers 51 and 64 represent the battery capacity in KWh). The base model has a claimed range of 350KM which is more than I drive in a typical week, generally there are only about 4 days a year when I need to drive more than 300KM in a day and on those rare days I can spend a bit of time at a charging station without much inconvenience.
The experience of driving an MG4 is not much different from other EVs I’ve driven, the difference between that and the Genesis GV60 (which was advertised at $117,000) [1] isn’t significant. The Genesis has some nice camera features giving views from all directions and showing a view of the side on the dash when you put your turn indicator on. Also some models of Genesis (not the one I test drove) have cameras instead of side mirrors. The MG4 lacks most of those cameras but has a very effective reversing camera which estimates the distance to an “obstacle” behind you in cm. Some of the MG electric cars have a sunroof or moonroof (sunroof that just opens to transparent glass not open to the air), the one I tested didn’t have them and I didn’t feel I was missing much. While a moonroof is a nice feature I probably won’t want to pay as much extra as they will demand for it.
The dash of the MG4 doesn’t have any simulation of the old fashioned dash unlike the Genesis GV60 which had a display in the same location as is traditionally used which displays analogue instruments (except when the turn indicators are on). The MG4 has two tablets, a big one in the middle of the front for controlling heating/cooling and probably other things like the radio and a small one visible through the steering wheel which has the instruments. I didn’t have to think about the instruments, they just did the job which is great.
For second hand cars I looked at AutoTrader which seems to be the only Australian site for second hand cars that allows specifying electric as a search criteria [2]. For the EVs advertised on that site the cheapest are around $13,000 for cars about 10 years old and $21,000 for a 5yo LEAF. If you could only afford to spend $21,000 on a car then a 5yo LEAF would definitely be better than nothing, but when comparing a 5yo car for $21,000 and a new car for $31,000 the new car is the obvious choice if you can afford it. There was an Australian company importing used LEAFs and other EVs and selling them over the web for low prices, if they were still around and still selling LEAFs for $15,000 then that would make LEAF vs MG3 a difficult decision for me. But with the current prices for second hand LEAFs the decision is easy.
When I enrolled for the test drive the dealer took my email address and sent me an automated message with details about the test drive and an email address to ask for more information. The email address they used bounced all mail, even from my gmail account. They had a contact form on their web site but that also doesn’t get a response. MG really should periodically test their dealer’s email addresses, they are probably losing sales because of this.
On the same day I visited a Hyundai dealer to see what they had to offer. A salesman there said that the cheapest Hyundai was $60,000 and suggested that I go elsewhere if I am prepared to buy a lesser car to save money. I don’t need to get negged by a car dealer and I really don’t think there’s much scope for a car to be significantly better than the MG3 while also not competing with the Genesis cars. Genesis is a Hyundai brand and their cars are very nice, but the prices are well outside the range I’m prepared to pay.
Next I have to try the BYD. From what I’ve heard they are mostly selling somewhat expensive cars in Australia (a colleague recently got one which was about $60,000 which he is extremely happy with) but hopefully they have some of the cheaper ones available too. I don’t want to flex on my neighbors, I just want a reliable and moderately comfortable car that doesn’t cost too much.
Author: Jade T. Woodridge Cogito ergo sum… The crater Hathor is 107.5 miles in diameter. I stand in its center and am lost to the constant firings of my mental cortex. Flashes of pictures, texts, and movies blur my vision. I am blinded and deafened by recordings of mankind and, somewhere beneath the surface, auditory […]
Tax farming is the practice of licensing tax collection to private contractors. Used heavily in ancient Rome, it’s largely fallen out of practice because of the obvious conflict of interest between the state and the contractor. Because tax farmers are primarily interested in short-term revenue, they have no problem abusing taxpayers and making things worse for them in the long term. Today, the U.S. Securities and Exchange Commission (SEC) is engaged in a modern-day version of tax farming. And the potential for abuse will grow when the farmers start using artificial intelligence.
In 2009, after Bernie Madoff’s $65 billion Ponzi scheme was exposed, Congress authorized the SEC to award bounties from civil penalties recovered from securities law violators. It worked in a big way. In 2012, when the program started, the agency received more than 3,000 tips. By 2020, it had more than doubled, and it more than doubled again by 2023. The SEC now receives more than 50 tips per day, and the program has paid out a staggering $2 billion in bounty awards. According to the agency’s 2023 financial report, the SEC paid out nearly $600 million to whistleblowers last year.
The appeal of the whistleblower program is that it alerts the SEC to violations it may not otherwise uncover, without any additional staff. And since payouts are a percentage of fines collected, it costs the government little to implement.
Unfortunately, the program has resulted in a new industry of private de facto regulatory enforcers. Legal scholar Alexander Platt has shown how the SEC’s whistleblower program has effectively privatized a huge portion of financial regulatory enforcement. There is a role for publicly sourced information in securities regulatory enforcement, just as there has been in litigation for antitrust and other areas of the law. But the SEC program, and a similar one at the U.S. Commodity Futures Trading Commission, has created a market distortion replete with perverse incentives. Like the tax farmers of history, the interests of the whistleblowers don’t match those of the government.
First, while the blockbuster awards paid out to whistleblowers draw attention to the SEC’s successes, they obscure the fact that its staffing level has slightly declined during a period of tremendous market growth. In one case, the SEC’s largest ever, it paid $279 million to an individual whistleblower. That single award was nearly one-third of the funding of the SEC’s entire enforcement division last year. Congress gets to pat itself on the back for spinning up a program that pays for itself (by law, the SEC awards 10 to 30 percent of their penalty collections over $1 million to qualifying whistleblowers), when it should be talking about whether or not it’s given the agency enough resources to fulfill its mission to “maintain fair, orderly, and efficient markets.”
Second, while the stated purpose of the whistleblower program is to incentivize individuals to come forward with information about potential violations of securities law, this hasn’t actually led to increases in enforcement actions. Instead of legitimate whistleblowers bringing the most credible information to the SEC, the agency now seems to be deluged by tips that are not highly actionable.
But the biggest problem is that uncovering corporate malfeasance is now a legitimate business model, resulting in powerful firms and misaligned incentives. A single law practice led by former SEC assistant director Jordan Thomas captured about 20 percent of all the SEC’s whistleblower awards through 2022, at which point Thomas left to open up a new firm focused exclusively on whistleblowers. We can admire Thomas and his team’s impact on making those guilty of white-collar crimes pay, and also question whether hundreds of millions of dollars of penalties should be funneled through the hands of an SEC insider turned for-profit business mogul.
Whistleblower tips can be used as weapons of corporate warfare. SEC whistleblower complaints are not required to come from inside a company, or even to rely on insider information. They can be filed on the basis of public data, as long as the whistleblower brings original analysis. Companies might dig up dirt on their competitors and submit tips to the SEC. Ransomware groups have used the threat of SEC whistleblower tips as a tactic to pressure the companies they’ve infiltrated into paying ransoms.
The rise of whistleblower firms could lead to them taking particular “assignments” for a fee. Can a company hire one of these firms to investigate its competitors? Can an industry lobbying group under scrutiny (perhaps in cryptocurrencies) pay firms to look at other industries instead and tie up SEC resources? When a firm finds a potential regulatory violation, do they approach the company at fault and offer to cease their research for a “kill fee”? The lack of transparency and accountability of the program means that the whistleblowing firms can get away with practices like these, which would be wholly unacceptable if perpetrated by the SEC itself.
Whistleblowing firms can also use the information they uncover to guide market investments by activist short sellers. Since 2006, the investigative reporting site Sharesleuthclaims to have tanked dozens of stocks and instigated at least eight SEC cases against companies in pharma, energy, logistics, and other industries, all after its investors shorted the stocks in question. More recently, a new investigative reporting site called Hunterbrook Media and partner hedge fund Hunterbrook Capital, have churned out 18 investigative reports in their first five months of operation and disclosed short sales and other actions alongside each. In at least one report, Hunterbrook says they filed an SEC whistleblower tip.
Short sellers carry an important disciplining function in markets. But combined with whistleblower awards, the same profit-hungry incentives can emerge. Properly staffed regulatory agencies don’t have the same potential pitfalls.
AI will affect every aspect of this dynamic. AI’s ability to extract information from large document troves will help whistleblowers provide more information to the SEC faster, lowering the bar for reporting potential violations and opening a floodgate of new tips. Right now, there is no cost to the whistleblower to report minor or frivolous claims; there is only cost to the SEC. While AI automation will also help SEC staff process tips more efficiently, it could exponentially increase the number of tips the agency has to deal with, further decreasing the efficiency of the program.
AI could be a triple windfall for those law firms engaged in this business: lowering their costs, increasing their scale, and increasing the SEC’s reliance on a few seasoned, trusted firms. The SEC already, as Platt documented, relies on a few firms to prioritize their investigative agenda. Experienced firms like Thomas’s might wield AI automation to the greatest advantage. SEC staff struggling to keep pace with tips might have less capacity to look beyond the ones seemingly pre-vetted by familiar sources.
But the real effects will be on the conflicts of interest between whistleblowing firms and the SEC. The ability to automate whistleblower reporting will open new competitive strategies that could disrupt business practices and market dynamics.
An AI-assisted data analyst could dig up potential violations faster, for a greater scale of competitor firms, and consider a greater scope of potential violations than any unassisted human could. The AI doesn’t have to be that smart to be effective here. Complaints are not required to be accurate; claims based on insufficient evidence could be filed against competitors, at scale.
Even more cynically, firms might use AI to help cover up their own violations. If a company can deluge the SEC with legitimate, if minor, tips about potential wrongdoing throughout the industry, it might lower the chances that the agency will get around to investigating the company’s own liabilities. Some companies might even use the strategy of submitting minor claims about their own conduct to obscure more significant claims the SEC might otherwise focus on.
Many of these ideas are not so new. There are decades of precedent for using algorithms to detect fraudulent financial activity, with lots of current-day application of the latest large language models and other AI tools. In 2019, legal scholar Dimitrios Kafteranis, research coordinator for the European Whistleblowing Institute, proposed using AI to automate corporate whistleblowing.
And not all the impacts specific to AI are bad. The most optimistic possible outcome is that AI will allow a broader base of potential tipsters to file, providing assistive support that levels the playing field for the little guy.
But more realistically, AI will supercharge the for-profit whistleblowing industry. The risks remain as long as submitting whistleblower complaints to the SEC is a viable business model. Like tax farming, the interests of the institutional whistleblower diverge from the interests of the state, and no amount of tweaking around the edges will make it otherwise.
Ultimately, AI is not the cause of or solution to the problems created by the runaway growth of the SEC whistleblower program. But it should give policymakers pause to consider the incentive structure that such programs create, and to reconsider the balance of public and private ownership of regulatory enforcement.
This essay was written with Nathan Sanders, and originally appeared in The American Prospect.
Author: Rick Tobin Boswan Raz screamed with limited breath as he raced into the Earth Alliance council chambers. “They are here, Eric!” He paused, stopping finally, panting in excitement. “All of them. They’re landing their ships around the capital.” Eric Hamilton tried to rise from his rotating chair–gaunt, weary, and worn. Months of intense confrontations […]
The Wall Street Journal is reporting that the CEO of a still unnamed company has been indicted for creating a fake auditing company to falsify security certifications in order to win government business.
Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.
USDoD’s InfraGard sales thread on Breached.
The Brazilian news outlet TV Globofirst reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.
USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” and according to the cyber intelligence platform Intel 471 NetSec posted a thread on the now-defunct cybercrime communityRaidForums on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.
TV Globo didn’t name the man arrested, but the Portuguese tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Techmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike.
CrowdStrike did not respond to a request for comment. But a week after Techmundo’s piece, the tech news publication hackread.compublished a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:
A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com.
In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.
Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.
In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.
USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.
The FBI declined to comment on reports about USDoD’s arrest.
In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.
Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.
“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”
When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.
Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.
The most common type of submission Error'd receives
are simple, stupid, data problems on Amazon. The text
doesn't match the image, the pricing is goofy, or some
other mixup that are just bound to happen with a database
of zillions of products uploaded by a plethora of
barely-literate mountain village drop-shippers.
So I don't usually feature them, preferring to find something
with at least a chance of being a creative new bug.
But I uncovered a story by Mark Johansen about his favorite
author, and decided that since so many of you obviously DO think
online retail flubs are noteworthy, what the heck.
Here is Mark's plain-text story, and a handful of bungled
products. They're not exactly bugs, but at least some of
them are about bugs.
"I guess I missed your item about failings of AI, but here's one of my favorites:
Amazon regularly sends me emails of books that their AI
thinks I might want to read, presumably based on books
that I've bought from them in the past. So recently I
got an email saying, "The newest book by an author you've
read before!" And this new book was by ... Ernest Hemingway.
Considering that he died almost 60 years ago, it seemed
unlikely that he was still writing. Or where he was
sending manuscripts from.
Lest you wonder, it turned out it was a collection of
letters he wrote when he was, like, actually alive. The
book was listed as authored by Ernest Hemingway
rather than under the name of whomever compiled the letters."
What do we all think? Truly an Error'd, or just some publisher
taking marketing advice from real estate agents? Let me know.
A while back,
Christian E.
"Wanted to order some groceries from nemlig.com. So I saw the free (labelled GRATIS) product and pressed the info button and this popped up. Says that I can get the product delivered from the 1st of January (today is the 2nd of march). Have to wait for a while then..." Not too much longer, Christian.
Reliable
Michael R.
muttered
"msofas either have their special math where 5% always is GBP10 or they know already what I want to buy."
"Do not feed to vegetarians." warns
Jeffrey B.
"Not sure how this blue liquid works for others, but there has been no sucking here yet," reports
Matthias.
"Nice feature but I am not sure if it can fit in my notebook," writes
Tiger Fok.
Lady-killer
Bart-Jan
is preparing for Friday night on the town, apparently. Knock 'em dead, Bart!
"It says 'Fragrance for Men'. Which is fine, as long as
it also does a good job deterring the female mosquitoes."
[Advertisement]
BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!
Author: Haley DiRenzo The seven bodies that you could come back as stare back at you after your death. Four men and three woman whose vessels are still capable of withstanding the Earth’s elements. You’ve been selected to inhabit one of them, not knowing how your soul and their skin will merge. You only have […]
The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.
Image: FBI
Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.
The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — Ahmed Salah YousifOmer, 22, and Alaa Salah Yusuuf Omer, 27.
AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit PayPal the following month, followed by Twitter/X (Aug. 2023), and OpenAI (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the FBI and the Department of State.
Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.
The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the U.S. Department of Justice says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.
AnonSudan accepted orders over the instant messaging service Telegram, and marketed its DDoS service by several names, including “Skynet,” “InfraShutdown,” and the “Godzilla botnet.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.
Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.
Amazon was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.
“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”
The security firm CrowdStrikesaid the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.
The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.
A passport for Ahmed Salah Yousif Omer. Image: FBI.
If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.
As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.
In February 2024, AnonSudan launched a digital assault on the Cedars-Sinai Hospital in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.
The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.
Damiano's company had more work than staff, and opted to hire a subcontractor. When hiring on a subcontractor, you could look for all sorts of things. Does their portfolio contain work similar to what you're asking them to do? What's the average experience of their team? What are the agreed upon code quality standards for the contract?
You could do that, or you could hire the cheapest company.
Guess which one Damiano's company did? If you're not sure, look at this code:
This was in a Drupal project. The developer appointed by the contractor didn't know Drupal at all, and opted to build all the new functionality by dropping big blobs of JavaScript code on top of it.
There's so much to hate about this. We can start with the parent().parent() chains. Who doesn't love to make sure that your JavaScript code is extremely fragile against changes in the DOM, while at the same time making it hard to read or understand.
I like that we create the EPid variable to avoid having a magic string inside our DOM query, only to still need to append a magic string to it. It hints at some programming by copy/paste.
Then there's the pile of HTML-by-string-concatenation, which is always fun.
But this couldn't be complete without this moment: <?php if(isset($node) && $node->type == "events"){ echo 'download the flyer'; }else {echo 'download the article';} ?>
Oh yeah, buried in this unreadable blob of JavaScript there's a little bonus PHP, just to make it a little spicier.
The entire project came back from the contractor in an unusable state. The amount of re-work just to get it vaguely functional quickly outweighed any potential cost savings. And even after that work went it, it remained a buggy, unmaintainable mess.
Did management learn their lesson? Absolutely not- they bragged about how cheaply they got the work done at every opportunity, and entered into a partnership agreement with the subcontractor.
[Advertisement] Plan Your .NET 9 Migration with Confidence Your journey to .NET 9 is more than just one decision.Avoid migration migraines with the advice in this free guide. Download Free Guide Now!
Author: John Szamosi It was the old Irishman’s stories that would bring scores of people to his table every time he sat down for lunch. Sometimes humorous, sometimes sad, sometimes scary, other times just plain provocative, they had one thing in common: they were all made up. In other words, they were yarns, pure fabrications, […]
Yesterday we were treated to the sight of a major party nominee at what was supposed to be a town hall meeting suddenly stop taking questions and just dancing (badly) for the better part of an hour. A mere 20 years ago, well within living memory, less than five seconds of screaming were enough to end Howard Dean's political career. My, how times change.But the truly astonishing thing
Dennis found this little nugget in an application he inherited.
functionmyTime(){
$utc_str = gmdate("M d Y H:i:s", time());
$utc = strtotime($utc_str);
return$utc;
}
time() returns the current time as a Unix timestamp. gmdate then formats that, with the assumption that the time is in GMT. strtotime then parses that string back into a timestamp, and returns that timestamp.
Notably, PHP pins the Unix timestamp to UTC+00:00, aka GMT. So this function takes a time, formats it, parses the format to get what should be the same time back.
And we call the function myTime because of course we do. When reinventing a wheel, but square, please do let everyone know that it's yours.
[Advertisement]
Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.
Author: Alastair Millar The Company had refused Karl’s request to have his wife join him on Mars again, he explained; this time because “the dependents’ travel budget was cut, and it’s run out for this budget cycle.” As usual, Accounts had the final say, and being just a manager, even one with the right to […]
25 the number says well into adulthood. Aviral pointed that I have already passed 33% mark in my life, which does hits different.
I had to keep reminding myself about my upcoming birthday. It didn’t felt like birthday month, week or the day itself.
My writings took a long hiatus starting this past year. The first post came out in May and quite a few people asked about the break. Hiatus had its own reasons, but restarting became harder each passing day afterward. Preparations for DebConf24 helped push DebConf23 (first post this year) out of the door, after which things were more or less back on track on the writing front.
Recently, I have picked the habit of reading monthly magazines. When I was a child, I used to fancy seeing all the magazines on stationary and bookshops and thought of getting many when I’m older. Seems like that was the connection, and now I’m heavily into monthly magazines and order many each month (including Hindi ones). They’re fun short reads and cover a wide spectrum of topics.
Travelling has become the new found love. I got the opportunity to visit a few new cities like Jaipur, Meerut, Seoul and Busan. My first international travel showed me how a society which cares about the people’s overall wellbeing turns out to be. Going in foreign land, expanded the concept of everything for me. It showed the beauty of silence in public places. Also, re-visited Bengaluru, which felt good with its good weather and food.
It has become almost become tradition to attend a few events. Jashn-e-Rekhta, DebConf, New Delhi World Book Fair, IndiaFOSS and FoECon. It’s always great talking to new and old folks, sharing and learning about ideas. It’s hard for an individual to learn, grow and understand the world in a silo. Like I keep on saying about Free Software projects, it’s all about the people, it’s always about the people. Good and interesting people keep the project going and growing. (Side Note - it’s fine if a project goes. Things are not meant to last a perpetuity. Closing and moving on is fine). Similarly, I have been trying to attend Jaipur Literature Festival since a while but failing. Hopefully, I would this time around.
Expanding my Free Software Mirror to India was a big highlight this year. The mirror project now has 3 nodes in India and 1 in Germany, serving almost 3-4 TB of mirror traffic daily. Increasing the number of Software mirrors in India was and still is one of my goals. Hit me up if you want to help or setup one yourself. It’s not that hard now actually, projects that require more mirrors and hosting setup has already been figured out.
One realization I would like to mention was to amplify/support people who’re already doing (a better job) at it, rather than reinventing the wheel. A single person might not be able to change the world, but a bunch of people experimenting and trying to make a difference certainly would.
Writing 25 was felt harder than all previous years. It was a traditional year with much internal growth due to experiencing different perspectives and travelling.
I haven't blogged until now: I should have done from Thursday onwards.
It's
a joy to be here in Cambridge at ARM HQ. Lots of people I recognise
from last year here: lots *not* here because this mini-conference is a
month before the next one in Toulouse and many people can't attend both.
Two
days worth of chatting, working on bits and pieces, chatting and
informal meetings was a very good and useful way to build relationships
and let teams find some space for themselves.
Lots of quiet hacking going on - a few loud conversations. A new ARM machine in mini-ITX format - see Steve McIntyre's blog on planet.debian.org about Rock 5 ITX.
Two
days worth of talks for Saturday and Sunday. For some people, this is a
first time. Lightning talks are particularly good to break down
barriers - three slides and five minutes (and the chance for a bit of
gamesmanship to break the rules creatively).
Longer talks: a
couple from Steve Capper of ARM were particularly helpful to those
interested in upcoming development. A couple of the talks in the
schedule are traditional: if the release team are here, they tell us
what they are doing, for example.
ARM are main sponsors and have
been very generous in giving us conference and facilities space. Fast
network, coffee and interested people - what's not to like :)
[EDIT/UPDATE - And my talk is finished and went fairly well: slides have now been uploaded and the talk is linked from the Mini-DebConf pages]
The thirteenth release of the qlcal package
arrivied at CRAN today.
qlcal
delivers the calendaring parts of QuantLib. It is provided (for the R
package) as a set of included files, so the package is self-contained
and does not depend on an external QuantLib library (which can be
demanding to build). qlcal covers
over sixty country / market calendars and can compute holiday lists, its
complement (i.e. business day lists) and much more. Examples
are in the README at the repository, the package page,
and course at the CRAN package
page.
This releases synchronizes qlcal with
the QuantLib release 1.36 (made
this week) and contains some minor updates to two calendars.
Changes in version 0.0.13
(2024-10-15)
Synchronized with QuantLib 1.36 released yesterday
Calendar updates for South Korea and Poland
Courtesy of my CRANberries, there
is a diffstat report for this
release. See the project page
and package documentation for more details, and more examples. If you
like this or other open-source work I do, you can sponsor me at
GitHub.
I want to write to pour praise on some software I recently discovered.
I'm not up to speed on Pipewire—the latest piece of Linux plumbing related
to audio—nor how it relates to the other bits (Pulseaudio, ALSA, JACK, what
else?). I recently tried to plug something into the line-in port on my external
audio interface, and wished to hear it on the machine. A simple task, you'd
think.
I'll refrain from writing about the stuff that didn't work well and
focus on the thing that did: A little tool called Whisper, which
is designed to let you listen to a microphone through your speakers.
Whisper's UI. Screenshot from upstream.
Whisper does a great job of hiding the complexity of what lies beneath and
asking two questions: which microphone, and which speakers? In my case this
alone was not quite enough, as I was presented with two identically-named "SB
Live Extigy" "microphone" devices, but that's easily resolved with trial and
error.
Networking is a complex topic, and there is lots of confusion around the definition of an “online” system. Sometimes the boot process gets delayed up to two minutes, because the system still waits for one or more network interfaces to be ready. Systemd provides the network-online.target that other service units can rely on, if they are deemed to require network connectivity. But what does “online” actually mean in this context, is a link-local IP address enough, do we need a routable gateway and how about DNS name resolution?
The requirements for an “online” network interface depend very much on the services using an interface. For some services it might be good enough to reach their local network segment (e.g. to announce Zeroconf services), while others need to reach domain names (e.g. to mount a NFS share) or reach the global internet to run a web server. On the other hand, the implementation of network-online.target varies, depending on which networking daemon is in use, e.g. systemd-networkd-wait-online.service or NetworkManager-wait-online.service. For Ubuntu, we created a specification that describes what we as a distro expect an “online” system to be. Having a definition in place, we are able to tackle the network-online-ordering issues that got reported over the years and can work out solutions to avoid delayed boot times on Ubuntu systems.
In essence, we want systems to reach the following networking state to be considered online:
Do not wait for “optional” interfaces to receive network configuration
Have IPv6 and/or IPv4 “link-local” addresses on every network interface
Have at least one interface with a globally routable connection
Have functional domain name resolution on any routable interface
A common implementation
NetworkManager and systemd-networkd are two very common networking daemons used on modern Linux systems. But they originate from different contexts and therefore show different behaviours in certain scenarios, such as wait-online. Luckily, on Ubuntu we already have Netplan as a unification layer on top of those networking daemons, that allows for common network configuration, and can also be used to tweak the wait-online logic.
With the recent release of Netplan v1.1 we introduced initial functionality to tweak the behaviour of the systemd-networkd-wait-online.service, as used on Ubuntu Server systems. When Netplan is used to drive the systemd-networkd backend, it will emit an override configuration file in /run/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf, listing the specific non-optional interfaces that should receive link-local IP configuration. In parallel to that, it defines a list of network interfaces that Netplan detected to be potential global connections, and waits for any of those interfaces to reach a globally routable state.
In addition to the new features implemented in Netplan, we reached out to upstream systemd, proposing an enhancement to the systemd-networkd-wait-online service, integrating it with systemd-resolved to check for the availability of DNS name resolution. Once this is implemented upstream, we’re able to fully control the systemd-networkd backend on Ubuntu Server systems, to behave consistently and according to the definition of an “online” system that was lined out above.
Future work
The story doesn’t end there, because Ubuntu Desktop systems are using NetworkManager as their networking backend. This daemon provides its very own nm-online utility, utilized by the NetworkManager-wait-online systemd service. It implements a much higher-level approach, looking at the networking daemon in general instead of the individual network interfaces. By default, it considers a system to be online once every “autoconnect” profile got activated (or failed to activate), meaning that either a IPv4 or IPv6 address got assigned.
There are considerable enhancements to be implemented to this tool, for it to be controllable in a fine-granular way similar to systemd-networkd-wait-online, so that it can be instructed to wait for specific networking states on selected interfaces.
A note of caution
Making a service depend on network-online.target is considered an antipattern in most cases. This is because networking on Linux systems is very dynamic and the systemd target can only ever reflect the networking state at a single point in time. It cannot guarantee this state to be remained over the uptime of your system and has the potentially to delay the boot process considerably. Cables can be unplugged, wireless connectivity can drop, or remote routers can go down at any time, affecting the connectivity state of your local system. Therefore, “instead of wondering what to do about network.target, please just fix your program to be friendly to dynamically changing network configuration.” [source].
"Oh, I see what you mean, I'll just write an overloaded function which takes the different set of parameters," said the senior dev.
That got SB's attention. You see, they were writing JavaScript, which doesn't have function overloading. "Um," SB said, "you're going to do what?"
"Function overloading," the senior dev said. "It's when you write multiple versions of the same method with different signatures-"
"I know what it is," SB said. "I'm just wondering how you're going to do that in JavaScript."
"Ah," the senior dev said with all the senior dev wisdom in the world. "It's a popular misconception that function overloading isn't allowed in JavaScript. See this?"
This, in fact, did not overload the function. This first created a version of addMarker which called itself with the wrong number of parameters. It then replaced that definition with a new one that actually did the work. That it worked at all was a delightful coincidence- when you call a JavaScript function with too few parameters, it just defaults the remainders to null, and null is falsy.
In July, I wrote about my new book project on AI and democracy, to be published by MIT Press in fall 2025. My co-author and collaborator Nathan Sanders and I are hard at work writing.
At this point, we would like feedback on titles. Here are four possibilities:
Rewiring the Republic: How AI Will Transform our Politics, Government, and Citizenship
The Thinking State: How AI Can Improve Democracy
Better Run: How AI Can Make our Politics, Government, Citizenship More Efficient, Effective and Fair
AI and the New Future of Democracy: Changes in Politics, Government, and Citizenship
What we want out of the title is that it convey (1) that it is a book about AI, (2) that it is a book about democracy writ large (and not just deepfakes), and (3) that it is largely optimistic.
What do you like? Feel free to do some mixing and matching: swapping “Will Transform” for “Will Improve” for “Can Transform” for “Can Improve,” for example. Or “Democracy” for “the Republic.” Remember, the goal here is for a title that will make a potential reader pick the book up off a shelf, or read the blurb text on a webpage. It needs to be something that will catch the reader’s attention. (Other title ideas are here).
Also, FYI, this is the current table of contents:
Introduction
1. Introduction: How AI will Change Democracy
2. Core AI Capabilities
3. Democracy as an Information System
Part I: AI-Assisted Politics
4. Background: Making Mistakes
5. Talking to Voters
6. Conducting Polls
7. Organizing a Political Campaign
8. Fundraising for Politics
9. Being a Politician
Part II: AI-Assisted Legislators
10. Background: Explaining Itself
11. Background: Who’s to Blame?
12. Listening to Constituents
13. Writing Laws
14. Writing More Complex Laws
15. Writing Laws that Empower Machines
16. Negotiating Legislation
Part III: The AI-Assisted Administration
17. Background: Exhibiting Values and Bias
18. Background: Augmenting Versus Replacing People
19. Serving People
20. Operating Government
21. Enforcing Regulations
Part IV: The AI-Assisted Court
22. Background: Being Fair
23. Background: Getting Hacked
24. Acting as a Lawyer
25. Arbitrating Disputes
26. Enforcing the Law
27. Reshaping Legislative Intent
28. Being a Judge
Part V: AI-Assisted Citizens
29. Background: AI and Power
30. Background: AI and Trust
31. Explaining the News
32. Watching the Government
33. Moderating, Facilitating, and Building Consensus
34. Acting as Your Personal Advocate
35. Acting as Your Personal Political Proxy
Part VI: Ensuring That AI Benefits Democracy
36. Why AI is Not Yet Good for Democracy
37. How to Ensure AI is Good for Democracy
38. What We Need to Do Now
39. Conclusion
Everything is subject to change, of course. The manuscript isn’t due to the publisher until the end of March, and who knows what AI developments will happen between now and then.
EDITED: The title under consideration is “Rewiring the Republic,” and not “Rewiring Democracy.” Although, I suppose, both are really under consideration.
Author: Majoki They stared right through me. It used to bother me. Now, it’s essential. I uncoupled the mag-links while Symplex’s security personnel looked past me. I didn’t fit their profiles, didn’t merit a glance. That’s what it is to be me. I live by a pair of simple rules. The fact that they come […]
Way back (more than 10 years ago) when I was doing DVD-based backups,
I knew that normal DVDs/Blu-Rays are no long-term archival solutions,
and that if I was real about doing optical media backups, I need to
switch to M-Disc. I actually
bought a (small stack) of M-Disc Blu-Rays, but never used them.
I then switched to other backups solutions, and forgot about the whole
topic. Until, this week, while sorting stuff, I happened upon a set of
DVD backups from a range of years, and was very curious whether they
are still readable after many years.
And, to my surprise, there were no surprises! Went backward in time, and:
I also found stack of dual-layer DVD+R from 2012-2014, some for sure
Verbatim, and some unmarked (they were intended to be printed on), but
likely Verbatim as well. All worked just fine. Just that, even at
~8GiB per disk, backing up raw photo files took way too many disks,
even in 2014 😅.
At this point I was happy that all 12+ DVDs I found, ranging from 10
to 14 years, are all good. Then I found a batch of 3 CDs! Here the
results were mixed:
2003: two TDK “CD-R80�, “Mettalic�, 700MB: fully readable, after
21 years!
unknown year, likely around 1999-2003, but no later, “Creation�
CD-R, 700MB: read errors to the extent I can’t even read the disk
signature (isoinfo -d).
I think the takeaway is that for all explicitly selected media - TDK,
JVC and Verbatim - they hold for 10-20 years. Valid reads from summer
2003 is mind boggling for me, for (IIRC) organic media - not sure
about the “TDK metallic� substrate. And when you just pick whatever
(“Creation�), well, the results are mixed.
Note that in all this, it was about CDs and DVDs. I have no idea how
Blu-Rays behave, since I don’t think I ever wrote a Blu-Ray. In any
case, surprising to me, and makes me rethink a bit my backup
options. Sizes from 25 to 100GB Blu-Rays are reasonable for most
critical data. And they’re WORM, as opposed to most LTO media, which
is re-writable (and to some small extent, prone to accidental wiping).
Now, I should check those M-Disks to see if they can still be written
to, after 10 years 😀
RcppDate wraps
the featureful date
library written by Howard
Hinnant for use with R. This header-only modern C++ library has been
in pretty wide-spread use for a while now, and adds to C++11/C++14/C++17
what will be (with minor modifications) the ‘date’ library in C++20.
This release, the first in 3 1/2 years, syncs the code with the
recent date 3.0.2
release from a few days ago. It also updates a few packaging details
such as URLs, badges or continuous integration.
Changes in version 0.0.4
(2024-10-14)
Updated to upstream version 3.0.2 (and adjusting one
pragma)
Several small updates to overall packaging and testing
Sorry my blog updates have been MIA. Let me tell you a story…
As some of you know, 3 months ago I was in a no fault car accident. Thankfully, the only injury was I ended up with a broken arm. ER sends me home in a sling and tells me it was a clean break and it will mend itself in no time. After a week of excruciating pain I went to my follow up doctor appointment, and with my x-rays in hand, the doc tells me it was far from a clean break and needs surgery. So after a week of my shattered bone scraping my nerves and causing pain I have never felt before, I finally go in for surgery! They put in a metal plate with screws to hold the bone in place so it can properly heal. The nerve pain was gone, so I thought I was on the mend. Some time goes by and the swelling still has not subsided, the doctors are not as concerned about this as I am, so I carry on until it becomes really inflamed and developed fever blisters. After no success in reaching the doctors office my husband borrows the neighbors car and rushes me to the ER. Good thing too, I had an infection. So after a 5 day stay in the hospital, they sent us home loaded with antibiotics and trained my husband in wound packing. We did everything right, kept the place immaculate, followed orders with the wound care, took my antibiotics, yet when they ran out there was still no sign of relief, or healing. Went to doctors and they gave me another month supply of antibiotics. Two days after my final dose my arm becomes inflamed again and with extra spectacular levels of pain to go with it. I call the doctor office… They said to come in on my appointment day ( 4 days away ). I asked, “You aren’t concerned with this inflammation?�, to which they replied, “No.�. Ok, maybe I am over reacting and it’s all in my head, I can power through 4 more days. The following morning my husband observed fever blisters and the wound site was clearly not right, so once again off we go to the ER. Well… thankfully we did. I was in Sepsis and could have died… After deliberating with the doctor on the course of action for treatment, the doctor accepted our plea to remove the plate, rather than tighten screws and have me drive 100 miles to hospital everyday for iv antibiotics (Umm I don’t have a car!?) So after another 4 day stay I am released into the world, alive and well. I am happy to report, the swelling is almost gone, the pain is minimal, and I am finally healing nicely. I am still in a sling and I have to be super careful and my arm was not fully knitted. So with that I am bummed to say, no traveling for me, no Ubuntu Summit
I still need help with that car, if it weren’t for our neighbor, this story would have ended much differently.
Two students have created a demo of a smart-glasses app that performs automatic facial recognition and then information lookups. Kind of obvious—something similar was done in 2011—but the sort of creepy demo that gets attention.
Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.)
This is a current list of where and when I am scheduled to speak:
I’m speaking at SOSS Fusion 2024 in Atlanta, Georgia, USA. The event will be held on October 22 and 23, 2024, and my talk is at 9:15 AM ET on October 22, 2024.
The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here).
The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to reveal, was a former Middle East sales representative for the Taiwanese firm who had established her own company and acquired a license to sell a line of pagers that bore the Apollo brand. Sometime in 2023, she offered Hezbollah a deal on one of the products her firm sold: the rugged and reliable AR924.
“She was the one in touch with Hezbollah, and explained to them why the bigger pager with the larger battery was better than the original model,” said an Israeli official briefed on details of the operation. One of the main selling points about the AR924 was that it was “possible to charge with a cable. And the batteries were longer lasting,” the official said.
As it turned out, the actual production of the devices was outsourced and the marketing official had no knowledge of the operation and was unaware that the pagers were physically assembled in Israel under Mossad oversight, officials said. Mossad’s pagers, each weighing less than three ounces, included a unique feature: a battery pack that concealed a tiny amount of a powerful explosive, according to the officials familiar with the plot.
In a feat of engineering, the bomb component was so carefully hidden as to be virtually undetectable, even if the device was taken apart, the officials said. Israeli officials believe that Hezbollah did disassemble some of the pagers and may have even X-rayed them.
Also invisible was Mossad’s remote access to the devices. An electronic signal from the intelligence service could trigger the explosion of thousands of the devices at once. But, to ensure maximum damage, the blast could also be triggered by a special two-step procedure required for viewing secure messages that had been encrypted.
“You had to push two buttons to read the message,” an official said. In practice, that meant using both hands.
Also read Bunnie Huang’s essay on what it means to live in a world where people can turn IoT devices into bombs. His conclusion:
Not all things that could exist should exist, and some ideas are better left unimplemented. Technology alone has no ethics: the difference between a patch and an exploit is the method in which a technology is disclosed. Exploding batteries have probably been conceived of and tested by spy agencies around the world, but never deployed en masse because while it may achieve a tactical win, it is too easy for weaker adversaries to copy the idea and justify its re-deployment in an asymmetric and devastating retaliation.
However, now that I’ve seen it executed, I am left with the terrifying realization that not only is it feasible, it’s relatively easy for any modestly-funded entity to implement. Not just our allies can do this—a wide cast of adversaries have this capability in their reach, from nation-states to cartels and gangs, to shady copycat battery factories just looking for a big payday (if chemical suppliers can moonlight in illicit drugs, what stops battery factories from dealing in bespoke munitions?). Bottom line is: we should approach the public policy debate around this assuming that someday, we could be victims of exploding batteries, too. Turning everyday objects into fragmentation grenades should be a crime, as it blurs the line between civilian and military technologies.
I fear that if we do not universally and swiftly condemn the practice of turning everyday gadgets into bombs, we risk legitimizing a military technology that can literally bring the front line of every conflict into your pocket, purse or home.
When setting up your YubiKey you have the option to require the user to touch the device to authorize an operation (be it signing, decrypting, or authenticating). While web browsers often provide clear prompts for this, other applications like SSH or GPG will not. Instead the operation will just hang without any visual indication that user input is required. The YubiKey itself will blink, but depending on where it is plugged in that is not very visible.
yubikey-touch-detector (fresh in unstable) solves this issue by providing a way for your desktop environment to signal the user that the device is waiting for a touch. It provides an event feed on a socket that other components can consume. It comes with libnotify support and there are some custom integrations for other environments.
For GNOME and KDE libnotify support should be sufficient, however you still need to turn it on:
I would still have preferred a more visible, more modal prompt. I guess that would be an exercise for another time, listening to the socket and presenting a window. But for now, desktop notifications will do for me.
PS: I have not managed to get SSH's no-touch-required to work with YubiKey 4, while it works just fine with a YubiKey 5.
Jason was investigating a bug in a bitmask. It should have been set to 0b11, but someone had set it to just plain decimal 11. The line responsible looked like this:
byte number = (byte) 11;
This code takes the decimal number 11, casts it to a byte, and stores it in a byte, leaving us with the decimal number 11.
Curious, Jason checked the blame and saw that one of their senior-most devs was responsible. Figuring this was a good opportunity to poke a little fun at the dev for a silly mistake like this, Jason sent them a message about the difficulties of telling apart decimal values and binary values when the decimal value only contained ones and zeroes.
"What are you talking about?" the dev replied back. "The (byte) operator tells the compiler that the number is in binary."
Concerned by that reply, Jason started checking the rest of the code. And sure enough, many places in the code, the senior dev had followed this convention. Many of them were wrong, and just hadn't turned into a bug yet. One of two were coincidentally setting the important bits anyway.
Now, in a vague "defense" of what the senior dev was trying to do, C doesn't have a standard way of specifying binary literals. GCC and Clang both have a non-standard extension which lets you do 0b11, but that's not standard. So I understand the instinct- "there should be an easy way to do this," even if anyone with more than a week's experience *should have known better*.
But the real moral of the story is: don't use bitmasks without also using constants. It never should have been written with literals, it should have been written as byte number = FLAG_A | FLAG_B. The #define for the flags could be integer constants, or if you're feeling spicy about it, bitshift operations: #define FLAG_A = (1 << 1). Then you don't need binary literals, and also your code is actually readable for humans.
It was difficult to track down all the places where this misguided convention for binary literals was followed, as it was hard to tell the difference between that and a legitimate cast to byte. Fortunately, there weren't that many places where bitmasks were getting set.
[Advertisement]
Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!
Author: Julian Miles, Staff Writer The squad’s sitting there having breakfast when Tommo’s head explodes. Just like that, we’re all on the deck. Except Bert. He’s still sat there noshing his way through a bacon butty. “Bert! What the frack?” He swallows before replying. “When was the last time they missed? We’re the ones who […]
Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit reliably.
In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details:
While the exploitation attempts we have observed were indiscriminate in targeting, we haven’t seen a large volume of exploitation attempts
Based on what we have researched and observed, exploitation of this vulnerability is very easy, but we do not have any information about how reliable the exploitation is
Exploitation has remained about the same since we first spotted it on Sept. 28th
There is a PoC available, and the exploit attempts appear opportunistic
Exploitation is geographically diverse and appears indiscriminate
The fact that the attacker is using the same server to send the exploit emails and host second-stage payloads indicates the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and payload servers to be different entities in a more mature operation.
Defenders protecting Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses.
A long time ago a computer was a woman (I think almost exclusively a women, not a man) who was employed to do a lot of repetitive mathematics – typically for accounting and stock / order processing.
Then along came Lyons, who deployed an artificial computer to perform
the same task, only with fewer errors in less time. Modern day
computing was born – we had entered the age of the Digital Computer.
These computers were large, consumed huge amounts of power but were precise, and gave repeatable, verifiable results.
Over time the huge mainframe digital computers have shrunk in size,
increased in performance, and consume far less power – so much so that
they often didn’t need the specialist CFC based, refrigerated liquid
cooling systems of their bigger mainframe counterparts, only requiring
forced air flow, and occasionally just convection cooling. They shrank
so far and became cheep enough that the Personal Computer became to be,
replacing the mainframe with its time shared resources with a machine
per user. Desktop or even portable “laptop” computers were everywhere.
We networked them together, so now we can share information around
the office, a few computers were given specialist tasks of being
available all the time so we could share documents, or host databases
these servers were basically PCs designed to operate 24×7, usually more
powerful than their desktop counterparts (or at least with faster
storage and networking).
Next we joined these networks together and the internet was born. The dream of a paperless office might actually become realised – we can now send email (and documents) from one organisation (or individual) to another via email. We can make our specialist computers applications available outside just the office and web servers / web apps come of age.
Fast forward a few years and all of a sudden we need huge data-halls
filled with “Rack scale” machines augmented with exotic GPUs and NPUs
again with refrigerated liquid cooling, all to do the same task that we
were doing previously without the magical buzzword that has been named
AI; because we all need another dot com bubble or block chain band
waggon to jump aboard. Our AI enabled searches take slightly longer,
consume magnitudes more power, and best of all the results we are given
may or may not be correct….
Progress, less precise answers, taking longer, consuming more power,
without any verification and often giving a different result if you
repeat your question AND we still need a personal computing device to
access this wondrous thing.
Remind me again why we are here?
(time lines and huge swaves of history simply ignored to make an
attempted comic point – this is intended to make a point and not be
scholarly work)
Author: David Tam McDonald Colin gave a polite cough to start the meeting. As team leader he sat at the head of the table. Brian, the secretary, sat to his left, perusing the agenda, which was blank and absolutely not taking any minutes. Tony, Richard and Lyndsey sat facing them, all eager to begin. “I […]
Wikimedia Commons, the Wikimedia project for freely licensed media
files, also contains a bunch of photos by me and photos of me at
various events. While I don't think Commons is going away anytime soon,
I would still like to have a local copy of those images available on my
own storage hardware.
Obviously this requires some way to query for photos you want to
download. I'm using Commons categories for this, since that's easy to
implement and works for both use cases. The Commons community tends to
come up with very specific categories that you can use, and if not, you
can usually categorize the files yourself.
thankfully Commons has no such thing as a Conflict of interest (COI) policy
There is almost an existing tool for this: Sam Wilson's mwcli project
has support for exporting images one has uploaded to Commons. However
I couldn't use that to upload photos of me others have uploaded, plus
it's written in PHP and I don't exactly want to deal with the problem
of figuring out how to package it in a way I could neatly install it on
my NAS.
So I wrote my own tool for it, called comload. It's written in Python
because Python is easy to deploy (I can just throw it in a .deb and
upload it to my internal repository), and because I did not find a Go
library to handle Action API pagination for me. The basic usage is
like this:
$ comload --subcats "Taavi Väänänen"
This will download any files in Category:Taavi Väänänen and its
sub-categories to the current directory. Former image versions, as well
as the image description and SDC data, if any, is also included. And
it's smart enough to not download any files that are already there on
future runs, so you can just throw it in a systemd timer to get any
future files. I'd still like it to handle moved files without creating
a duplicate copy, but otherwise I'm really happy with the current
state.
comload is available from PyPI and from my Git server directly,
and is licensed under the GPLv3.
I've been exploring typesetting and formatting code within
text documents such as papers, or my thesis. Up until now,
I've been using the listings package without thinking
much about it. By default, some sample Haskell code
processed by listings looks like this (click any of the
images to see larger, non-blurry versions):
It's formatted with a monospaced font, with some keywords highlighted,
but not syntactic symbols.
There are several other options for typesetting and formatting code in LaTeX
documents. For Haskell in particular, there is the preprocessor lhs2tex,
The default output of which looks like this:
A proportional font, but it's taken pains to preserve vertical alignment, which
is syntactically significant for Haskell. It looks a little cluttered to me,
and I'm not a fan of nearly everything being italic. Again, symbols aren't
differentiated, but it has substituted them for more typographically
pleasing alternatives: -> has become →, and \ is now λ.
Another option is perhaps the newest, the LaTeX package minted, which
leverages the Python Pygments program. Here's the same code again. It
defaults to monospace (the choice of font seems a lot clearer to me than the
default for listings), no symbolic substitution, and liberal use of colour:
An informal survey of the samples so far showed that the minted output was
the most popular.
All of these packages can be configured to varying degrees. Here are some
examples of what I've achieved with a bit of tweaking
listings adjusted with colour and some symbols substituted (but sadly not the two together)
lhs2tex adjusted to be less italic, sans-serif and use some colour
All of this has got me wondering whether there are straightforward empirical
answers to some of these questions of style.
Firstly, I'm pretty convinced that symbolic substitution is valuable. When
writing Haskell, we write ->, \, /= etc. not because it's most legible,
but because it's most practical to type those symbols on the most widely
available keyboards and popular keyboard layouts.1 Of the three
options listed here, symbolic substitution is possible with listings and
lhs2tex, but I haven't figured out if minted can do it (which is really
the question: can pygments do it?)
I'm unsure about proportional versus monospaced fonts. We typically use
monospaced fonts for editing computer code, but that's at least partly for
historical reasons. Vertical alignment is often very important in source code,
and it can be easily achieved with monospaced text; it's also sometimes
important to have individual characters (., etc.) not be de-emphasised by being
smaller than any other character.
lhs2tex, at least, addresses vertical alignment whilst using proportional
fonts. I guess the importance of identifying individual significant characters
is just as true in a code sample within a larger document as it is within
plain source code.
From a (brief) scan of research on this topic, it seems that proportional
fonts result in marginally quicker reading times for regular prose. It's
not clear whether those results carry over into reading computer code in
particular, and the margin is slim in any case. The drawbacks of monospaced
text mostly apply when the volume of text is large, which is not the case
for the short code snippets I am working with.
I still have a few open questions:
Is colour useful for formatting code in a PDF document?
does this open up a can of accessibility worms?
What should be emphasised (or de-emphasised)
Why is the minted output most popular: Could the choice of font
be key? Aspects of the font other than proportionality (serifs? Size
of serifs? etc)
The Haskell package Data.List.Unicode lets the programmer
use a range of unicode symbols in place of ASCII approximations, such
as ∈ instead of elem, ≠ instead of /=. Sadly, it's not possible
to replace the denotation for an anonymous function, \, with λ this
way.↩
There's not a lot of time left, so let’s go for the carotid on a couple of major political points that could benefit from a little ‘judo.’
== Republicans denouncing the subornation ==
Remember Madison Cawthorn, the rising young Republican star Congressmember, who was suddenly dumped by the GOP, for revealing ‘orgies’ amid upper ranks of the party? That huge over-reaction - destroying him for offhand (and likely stoned) remarks on shock radio - reflected almost-certain desperation to silence truth; otherwise he'd a got a slap on the wrist.
But was it true? I've long posited that the behavior of so many top GOPpers – e.g. Lindsey Graham and Ted Cruz – can only be explained by blackmail. Mere corruption is insufficient, because any merely-corrupt official can say ‘that’s enough bribery for this year; if I keep saying more shit, I’ll look suspicious or insane.’
Blackmail, on the other hand, is insatiable. You simply keep doing whatever the blackmailer demands, even if it makes you look like an idiot, or hypocrite, or both, as in the multiple times when Graham tried to say "I'm done with Trump!" hoping that it would end his ongoing humiliation... followed the next day by utter groveling.
I mean, do you have an even remotely plausible alternate theory?
This isn't new. Russian secret services have been expert at ‘honeypot traps’ ever since the czars. Look up the Moscow US embassy Marine guards (1980s) as just one example.
"Republicans aren’t backing important efforts, such as Rep. Marsha Blackburn’s crusade for Jeffrey Epstein’s flight logs, under orders by big backers and Russians."
Seriously read this. It’s not getting the attention it deserves and this fellow is at least partially a hero. Or watch this.
== It’s the Republican defectors who will make the biggest difference, stupid ==
Above, I showed how an honest and decent conservative Congressmember has stepped up to denounce the blackmail subornation of his party. Others recently used insane rhetoric and mad conspiracy theories about hurricanesas their own excuse to step up and partially reject the madness.
Not as much courage as we need from them. But we'll take what we can get.
Then of course there's the long list of former Trump officials – his ‘adults in the room’ during Trump v1.0 – who have nearly all denounced him. From Tillerson & McMaster to Kames Mattis and John Kelly, to even far-right schmucks like John Bolton and Bill Barr. As many as a hundred have said "even I can't stomach the insanity and treason."
To which Tump's answer is that in Trump2.0 there will be NO adults in the room. Total brownshirt time.
Which is why I urge the zillionaire oligarchs, murder sheiks and "ex" commissars who have pulled Trump's puppet strings for decades to watch the movie Cabaret, especially the last 5 minutes. Because if he does get back into office on a MAGA sig-heil-wave, none of those masters will ever again ‘control him.’ Not with blackmail or anything else.
In fact, you oligarchs and Kremlin guys need yet another film... watch Angela Lansbury’s chilling soliloquy near the end of The Manchurian Candidate to see what Don will likely do to his former masters, once the strings are cut.
Dig a little, and you'll see that the Mooch is describing the "Howard Beale Scenario." (Watch the last 10' of Network and get truly scared!)
Still, the part of his interview that I resent - because if it does happen, Mooch will get all the prediction points - is when he gives 40% that odds ol' Two Scoops won't even make it to the election or inauguration.
While I was there lots earlier - with lower odds - I hedged it with the election that actually matters - the Electoral College. Which is where the fix may be in.
== It’s the Electoral College, dummy ==
Okay, three big points about the Electoral College, America’s weird (insane) but unchangeable Constitutionally gerrymandered gimmick favoring Red America.
Make that four points. The first? Um why are there two Dakotas? And shouldn’t just one state – Ida-Wyo-Mont – span the northern Rockies?
But no, let’s get practical. The core aim of the Trumpists has been openly declared… for GOP governors and others in some Harris-won states to refuse to certify enough electors, so that the count for president will be invalid, so that the choice will be ‘thrown to the House.’ Hence, even if Dems win a sweeping, crushing victory in November, you might still see Trump get in!
Because at that stage - in another insanely dumb Constitutional provision - the House votes by delegations – one vote per – and Republicans have 26 delegations vs 24 for dems.
Now, that nightmare assumes there won’t be brave and patriotic Republican Congresswomen or men in some of those reddish delegations, who decide to put country first, the way Alexander Hamilton (bravely) swung the 1800 election to Jefferson, instead of Aaron Burr. That might happen.
Or else some of YOU will be heroes who help swing just one or two of those delegations blue. In some cases it could come down to just one Congressional race. Look around. There may be some tight races you can help with. And that's where $100 could make a lot more difference than donating to Kamala.
== More Electoral College partial fixes within reach! ==
Okay, two more. I have elsewhere ruminated on the Wyoming Rule. If the dems get real power in Congress, they should pass it, so that all Americans get at least roughly equal representation in the lower house, as was intended. And if that happens, not only will blue states get more representation in the larger (~560 members) House, but the coloration of the Electoral College will change forever.
Only let’s swing to another of my proposals, One which no one else has broached, but that could (well, maybe) make a real difference this year.
In Polemical Judo I mentioned a possible action by one hyper rich person (say a Mark Cuban?) A bold yet totally legal move that could (possibly) get us past whatever tricks the Project 2025 schemers have in mind, to screw up certifications and throw it to the House.
Briefly: rent a whole mountaintop luxury hotel with minimal - highly vetted - staff. Then announce that for two weeks ...
"Only certified Electors may come as guests. Upon arrival from their home states, they can just stroll and enjoy the views and meals and discuss with each other anything they like. Or else they could - at their own volition - convene the first actual Electoral College in U.S. history. As would be their prerogative! And this year, such a gathering just might be one more bulwark against shenanigens."
Again, no coercion or persuasion. Just show up by individual choice, eat, stroll and chat with others who just happen to be there at the same time, without any of those others being anyone but fellow electors (and minimal staff of trusted cooks). And if you just happen to decide to convene a meeting - formal or informal - well…
Suppose this happened. Watch how quickly the stalling states would rush to certify!
Though note. No matter how carefully Trumpists have ensured the GOP elector slates are party hacks – and most dem electors would likely be loyalists as well – some would likely talk it over, suddenly moved by the genuine (not ceremonial) power in their hands.
Moreover, as one of the candidates (you-know-who) fulminates volcanically against this "trickery!!" just enough of them might listen to their conscience and reason…
Author: Martin Clyde-Wilkie There’s an angel outside town, if you know where to look. Push through the gorse and scramble along the river bed, keeping your gaze away from the branch of lightning frozen over the gully, until you reach the edge and can peer down at it. It doesn’t look much like you’d expect. […]
It's been a while since I've posted about arm64 hardware. The last
machine I spent my own money on was
a SolidRun
Macchiatobin, about 7 years ago. It's a small (mini-ITX) board
with a 4-core arm64 SoC (4 * Cortex-A72) on it, along with things like
a DIMM socket for memory, lots of networking, 3 SATA disk interfaces.
The Macchiatobin was a nice machine compared to many earlier
systems, but it took quite a bit of effort to get it working to my
liking. I replaced the on-board U-Boot firmware binary with an EDK2
build, and that helped. After a few iterations we got a new build
including graphical output on a PCIe graphics card. Now it worked much
more like a "normal" x86 computer.
I still have that machine running at home, and it's been a
reasonably reliable little build machine for arm development and
testing. It's starting to show its age, though - the onboard USB ports
no longer work, and so it's no longer useful for doing things like
installation testing. :-/
So...
I was involved in a conversation in the #debian-arm IRC channel a
few weeks ago, and diederik suggested
the Radxa Rock 5
ITX. It's another mini-ITX board, this time using a Rockchip
RK3588 CPU. Things have moved on - the CPU is now an 8-core big.LITTLE
config: 4*Cortex A76 and 4*Cortex A55. The board has NVMe on-board,
4*SATA, built-in Mali graphics from the CPU, soldered-on memory. Just
about everything you need on an SBC for a small low-power desktop, a
NAS or whatever. And for about half the price I paid for the
Macchiatobin. I hit "buy" on one of the listed websites. :-)
A few days ago, the new board landed. I picked the version with
24GB of RAM and bought the matching heatsink and fan. I set it up in
an existing case borrowed from another old machine and tried the Radxa
"Debian" build. All looked OK, but I clearly wasn't going to stay with
that. Onwards to running a native Debian setup!
I installed an EDK2 build
from https://github.com/edk2-porting/edk2-rk3588
onto the onboard SPI flash, then rebooted with a Debian 12.7
(Bookworm) arm64 installer image on a USB stick. How much trouble
could this be?
I was shocked! It Just Worked (TM)
I'm running a standard Debian arm64 system. The graphical installer
ran just fine. I installed onto the NVMe, adding an Xfce desktop for
some simple tests. Everything Just Worked. After many
years of fighting with a range of different arm machines (from simple
SBCs to desktops and servers), this was without doubt the most
straightforward setup I've ever done. Wow!
It's possible to go and spend a lot of money on
an Ampere machine, and
I've seen them work well too. But for a hobbyist user (or even a
smaller business), the Rock 5 ITX is a lovely option. Total cost to me
for the board with shipping fees, import duty, etc. was just over
£240. That's great value, and I can wholeheartedly recommend this
board!
The two things that are missing compared to the Macchiatobin? This
is soldered-on memory (but hey, 24G is plenty for me!) It also doesn't
have a PCIe slot, but it has sufficient onboard network, video and
storage interfaces that I think it will cover most people's needs.
Where's the catch? It seems these are very popular
right now, so it can be difficult to find these machines in stock
online.
FTAOD, I should also point out: I bought this machine entirely with
my own money, for my own use for development and testing. I've had no
contact with the Radxa or Rockchip folks at all here, I'm
just so happy with this machine that I've felt the
need to shout about it! :-)
[Advertisement]
ProGet’s got you covered with security and access controls on your NuGet feeds. 
<
[Advertisement]
Doing more swimming in everyday life for the past few months. Seems like I am keeping that up.
](https://jmtd.net/log/synths/microfreak.jpg)
Happy 28th Birthday KDE!
When setting up your YubiKey you have the option to require the user to touch the device to authorize an operation (be it signing, decrypting, or authenticating). While web browsers often provide clear prompts for this, other applications like SSH or GPG will not. Instead the operation will just hang without any visual indication that user input is required. The YubiKey itself will blink, but depending on where it is plugged in that is not very visible.
