Planet Russell


365 Tomorrows: Whale Fall

Author: Adele Evershed Revelation 21:1 “and there is no longer any sea” Fifty miles from what used to be shore, Jonah found a whale still inky black and awesome. He said it was an omen. Of course, Jonah meant it was a sign from God, but he was kind like that, knowing I’d lost […]

The post Whale Fall appeared first on 365tomorrows.


Planet Debian: Paul Wise: FLOSS Activities August 2024

Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

Issues

  • Regressions in adequate (1 2 3 4)

Review

  • Debian publicity: reviewed Debian birthday post

Administration

  • Debian servers: contributed to a review of current Debian Partners

Communication

  • Respond to queries from Debian users and contributors on IRC

Sponsors

All work was done on a volunteer basis.

365 Tomorrows: Once More Into The Breach

Author: R. J. Erbacher He was armed to the teeth. A pulse rifle in his right hand, extra power cartridges on his hips. In his left, a bolt gun, a drum magazine of ammunition plugged in, able to fire one-hundred-forty-four rounds of piercing, fifty-caliber bullets, two spare drums, one at each shoulder. An electric blade, […]

The post Once More Into The Breach appeared first on 365tomorrows.


David Brin: Reagan would spit in these "republicans'" eyes!

I'm fatigued with modern Democrats' incompetence at the art of polemics. While the Lincoln Project lands some zingers - and I have modest hopes for the earthy wit of Tim Walz - there appears to be no one on that side who's able to do what Sherman did in an earlier phase of this ongoing U.S. Civil War... which is corner the confederacy, so that saner members might look around, smack their foreheads and snap out of the trance!

I offer such tactics, elsewhere. But here's a doozy!  I found it while sorting through old papers my brother stored for me. One memento of the last century stood out. A political flyer from Ronald Reagan's 1970 campaign to be re-elected governor of California.

This special, midweek posting reprints pages from that 1970 flyer!  And first thing you'll notice is a lot more text - words and information - than modern politicians trust their audiences to actually read, nowadays.  How sad for us.

(Then again, the few of you who come by here are readers, so...)

Oh, I want you all to read these excerpts! Because while Reagan's positions were conservative, in the context of that time - (you liberals will find much to disagree with!*) - you will also be shocked (shocked!) by how mainstream and well... progressive... were so many of RR's other talking points.

What it shows... especially to any conservatives who are scanning here... is that the consensus stances of the right wing of the Republican Party were hugely different back then, than those of today's MAGA-ism. In many cases diametrically opposite!

If you are too lazy to read the detailed lists of Reagan's bragged accomplishments that sound... well... liberal, at least scan the TITLES to each page! Back then it was consensus among even right wing republicans that the state should protect the helpless, improve the environment and reduce pollution, develop new cleaner energy supplies, invest more in education and universities and public transport/rail, reduce drug costs, protect the consumer, and so on!


And that's just Reagan as Governor in 1970. How about the President who later confronted an aggressive Soviet Kremlin? Do you think he would have any truck with today's KGB-loving GOP, its adoration of Kim Jong Un and Vlad Putin's cadre of 5000 "ex" commissars, now spreading a new Evil Empire? 

Or today's MAGA all-out war vs all fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror?  Ronnie would be outraged!


TO BE CLEAR: I still have many grudges toward Reagan, especially his betrayal of America during the Iranian Hostage Crisis. And ignoring the AIDS crisis, making it far worse. Union-busting. And his goddam-insane Drug War! And sending us down the road of never-ever-correct Supply-Side voodoo 'economics.'

Still, show these pages to others! Read passages aloud to your MAGA aunts. (Your uncles are hopeless, of course.) LOOK at what Ronald Reagan bragged about achieving in his first term as California governor!  And remember that California was far more conservative then. And RR was from the party's 'far-right.' 

You may need to copy these jpegs onto your desktop, to read them. But read them!


Liberals today may snort at some 'conservative' positions, like school choice. Fine, there were then - and remain - legit arguments. (And forced school busing was not a wise position, either!)  Again, I never claimed Reagan wasn't Reagan!

Still, on balance the campaign brags from this 1970 campaign flyer show a Reagan who would hate Trumpism! It is today's MAGAs and Kremlin-lovers who are the RINOs!  Republicans in Name Only.



* All right, I admit it. I did not scan-in and include here every page of the campaign flyer. The page Crisis on Campus, for example, was totally law-n-orderly hostile toward the youth rebels who were then raging at universities. (Remember 1970 at all? Nixon? Cambodia? Vietnam? The then-recent, wretched horrors of 1968? OMG it's a wonder we survived.) It shows that campus protests and even occasional mini riots are nothing new - sometimes with righteous cause and sometimes driven by sanctimony-fetishism. RR's reflexive hostility - when campus protest truly was righteous - showed his dark side.

So? Again, I don't claim Reagan wasn't Reagan!  

What I do claim is that he wouldn't have anything to do with the monstrous, undead, vampire were-elephant that has taken over the Party of Lincoln, on behalf of the same Kremlin-led evil empire Reagan despised, masked only by a few altered symbols and Czarist lapel pins. Reagan would recognize Putin's obvious KGB scheme for what it is, and he'd denounce fools who fall for it.

He'd also recognize Trump as a painted carnival barker and traitor-monster.

Hey, I don't like Liz Cheney either!  But I admit... she's an American.

Okay now, this next one is unbelievable! Efficient mass transit and rail service to augment highways! Safe cars and roads! "A well-balanced transportation system." And more...


What's to be made of all this? Just a silly old guy (me), rummaging mementos and yattering about old-timey, wordy political flyers that bear no relevance to our republic's current fight for its life?

Bah and posh and fiffle-faffle! Dig it, Ronald Reagan still has redolence with many of our neighbors!  THIS is what he stood for, before he went senile. And maybe 2/3 of it was moderate-consensus... American

Consensus that today's gone-mad GOP now undermines at all levels and in all ways, attacking all the ways that America actually became -- and continues becoming -- great.

You - yes, you - could use this!

Go and do so.


Cryptogram: YubiKey Side-Channel Attack

There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It’s a complicated attack, requiring the victim’s username and password, and physical access to their YubiKey—as well as some technical expertise and equipment.

Still, nice piece of security analysis.

365 Tomorrows: Gridlocked

Author: Mark Renney Jackson needed to decompress. The Hyperion delegation had lingered over their coffee and his afternoon schedule had been so tight he hadn’t managed to grab as much as five minutes alone. And now Jackson was parked in a side street, a kilometer or so from his office and the city was gridlocked. […]

The post Gridlocked appeared first on 365tomorrows.

Worse Than Failure: Error'd: Home By Another Way

This week, we discover an answer to the question that has eternally plagued us: "is time travel possible?" I won't swear it's the right answer, but it's definitely an answer.

But first, Faroguy and Chris P. both shared the same issue with us (if they are in fact different people and not just each other's sock puppet). Snarked one of them: "A previous Teams "What's New" pop-up was empty. At least this one has content, even if part of it is a broken image and visible header name."


And an anonymous but failed time-traveller regrets "It seems that Google Maps wants me to get on the bus 3 minutes ago. Good thing I remembered myself, but I don't think the notification would have made a difference."


Dipping his toe into the near past, Michael R. mused "The 70s tech and cuisine never ceases to surprise me." He is undoubtedly wondering how this technology survived nearly into the mid-21st century. How many years is "mid" anyway? https://thenudge.com/london-news/lahpet-larder/


But he immediately figured out the answer, exclaiming "I knew it!" Or he will have known it, which is essentially the same thing.


Our recommendation to No One in Particular is that he should post a job notice of his own, and hire someone with experience. The world would be his oyster. But he just ponders without taking action: "So it's 1pm on Monday 24th June in Melbourne\Australia (GMT +10) and I'm looking for a job. I'm wondering if in the last 5 days I time travelled back in time to the 5th of June (to get my application in early), OR back on the 5th of June I travelled forward in time to the last 5 days (to apply for a job which didn't exist on the 5th)?"



xkcd: Water Filtration

Worse Than Failure: CodeSOD: Strings go Asplodey

Anton has the joy of doing PHP work using one of the more popular e-commerce platforms.

Now, say what you will about PHP, its absolute mess of a root namespace has a function or class for just about everything. You want to split a string? We call that explode because that's way more radical than split. Want to join a string back together? We use implode, because that's the opposite of explode.

Or, if you forget how to use implode, you could always write it yourself, which is what Anton found in the codebase:

<?php $flag = false ?>
<?php echo $this->__('Your order number is ') ?>
<?php foreach ($_orderIds as $orderId=>$incrementId): ?>
    <?php if ($flag): ?>
        <?php echo ', ' ?>
    <?php endif; ?>
    <?php $flag = true ?>
    <a href="<?php echo $this->getViewOrderUrl($orderId) ?>"><?php echo $incrementId ?></a>
<?php endforeach; ?>

Now, as far as "we reimplemented a built-in function" goes, this isn't the worst instance of that logic. The basic "for loop, with a flag to help you remember whether you should add a comma or not" isn't absurd.

No, the real ugly I see here is the (ab)use of PHP's interpretation. Every statement is wrapped in its own <?php ?> block, which is not necessary, and certainly makes the code less readable. The whole (dubious) advantage of PHP is that you can mix code with literal HTML output. There's no reason to <?php echo ', '?> when we could just output a , and a space directly in the page. Or conversely, we could put most of the logic inside of a single <?php ?> block and echo as needed to generate output, since we're doing echos for pretty much everything anyway.

All in all, it's just ugly code. Widely used ugly code. (Or at least it was widely used when Anton submitted this, which was some time ago, so we can hope the code has been improved since then.)
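For comparison, here is the same output built around the implode() call the flag loop reimplements. This is an added example, not Anton's code or the e-commerce platform's template: the $this->__() and $this->getViewOrderUrl() helpers from the snippet are replaced by stand-in callables, the sample order map is constructed, and the htmlspecialchars() calls are ordinary template hygiene added here rather than a flaw the post reports.

```php
<?php
// Added example (not from the original post or the platform's code):
// the comma-flag loop, rewritten around PHP's built-in implode().
// $translate and $viewOrderUrl are stand-ins for the template's
// $this->__() and $this->getViewOrderUrl() helpers.

declare(strict_types=1);

/**
 * Render 'Your order number is <a>...</a>, <a>...</a>' from a map of
 * order id => increment id, without hand-rolling the join logic.
 */
function renderOrderLinks(array $orderIds, callable $viewOrderUrl, callable $translate): string
{
    $links = [];
    foreach ($orderIds as $orderId => $incrementId) {
        // Escape both the attribute value and the visible text; template
        // code that mixes data into HTML should do this as a matter of course.
        $href = htmlspecialchars($viewOrderUrl($orderId), ENT_QUOTES, 'UTF-8');
        $text = htmlspecialchars((string) $incrementId, ENT_QUOTES, 'UTF-8');
        $links[] = sprintf('<a href="%s">%s</a>', $href, $text);
    }

    // implode() is the "join" the original loop emulated with $flag:
    // the separator only ever appears between elements, never before the first.
    return $translate('Your order number is ') . implode(', ', $links);
}

// Constructed sample input and stand-in helpers so the file runs on its own.
$sampleOrders = [12 => '100000012', 15 => '100000015', 19 => '100000019'];
$viewOrderUrl = fn(int $orderId): string => '/sales/order/view/order_id/' . $orderId . '/';
$translate    = fn(string $s): string => $s; // identity stand-in for $this->__()

echo renderOrderLinks($sampleOrders, $viewOrderUrl, $translate), PHP_EOL;
```

Collecting the fragments into an array and joining once keeps the "is this the first element?" question out of the loop entirely, which is the point the post makes about implode being the opposite of explode.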


Planet Debian: Sandro Tosi: TL;DR belongs at the top of an article

TL;DR

  • if you are writing an article and plan to add a TL;DR section, then put it at the very top, right after the title.
  • that's it, no excuses, end of discussion.

It has happened to probably everyone to read an article, reach the end of it only to see a TL;DR section right at the bottom, and think: "eeh i wish this would have been at the top so i didnt have to read (DR) this long article (TL) to gather its core ideas".

If the reason for "Too Long; Didn't Read" to exist is to spare the reader from going through the whole article to get its main points, then the natural place to present it is at the very top of said article.

So if you're planning on writing something and adding a TL;DR section (you don't have to, of course, but if you do that work too) then please position it at the very beginning of your work.

365 Tomorrows: Timing

Author: David Barber This was after the calendar was changed, sometime in the binary centuries, when space exploration became popular once more, flitting from star to star in the blink of an eye. The acausal drive itself was fashioned by silicon, though the rest of the craft was more crudely put together with human technology. […]

The post Timing appeared first on 365tomorrows.


Planet Debian: Junichi Uekawa: Google docs has some tab feature.

Google docs has some tab feature. I received a note that my script addTodayDate may need to be modified to handle the feature (the tabs API). But then I don't think I need it yet, so I will just use the default tab.

Cryptogram: Live Video of Promachoteuthis Squid

The first live video of the Promachoteuthis squid, filmed at a newly discovered seamount off the coast of Chile.


Cryptogram: Long Analysis of the M-209

Really interesting analysis of the American M-209 encryption device and its security.

Planet Debian: Reproducible Builds: Reproducible Builds in August 2024

Welcome to the August 2024 report from the Reproducible Builds project!

Our reports attempt to outline what we’ve been up to over the past month, highlighting news items from elsewhere in tech where they are related. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.

Table of contents:

  1. LWN: The history, status, and plans for reproducible builds
  2. Intermediate Autotools build artifacts removed from PostgreSQL distribution tarballs
  3. Distribution news
  4. Mailing list news
  5. diffoscope
  6. Website updates
  7. Upstream patches
  8. Reproducibility testing framework

LWN: The history, status, and plans for reproducible builds

The free software newspaper of record, Linux Weekly News, published an in-depth article based on Holger Levsen’s talk, Reproducible Builds: The First Eleven Years which was presented at the recent DebConf24 conference in Busan, South Korea.

Titled The history, status, and plans for reproducible builds and written by Jake Edge, LWN’s article not only summarises Holger’s talk and clarifies its message but it links to external information as well. Holger’s original talk can also be watched on the DebConf24 webpage (direct .webm link and his HTML slides are available also). There are also a significant number of comments on LWN’s page as well.

Holger Levsen also headed a scheduled discussion session at DebConf24 on Preserving *other* build artifacts addressing a topic where a number of Debian packages are (or would like to) produce results that are neither the .deb files, the build logs nor the logs of CI tests. This is an issue for reproducible builds as this “4th type” of build artifact are typically shipped within the binary .deb packages, and are invariably non-deterministic; thus making the .deb files unreproducible. (A direct .webm link and HTML slides are available).


Intermediate Autotools build artifacts removed from PostgreSQL distribution tarballs

Peter Eisentraut wrote a detailed blog post on the subject of “The new PostgreSQL 17 make dist”. Like many projects, the PostgreSQL database has previously pre-built parts of its GNU Autotools build system: “the reason for this is a mix of convenience and traditional practice”. Peter astutely notes that this arrangement in the build system is “quite tricky” as:

You need to carefully maintain the different states of “clean source code”, “partially built source code”, and “fully built source code”, and the commands to transition between them.

However, Peter goes on to mention that:

… a lot more attention is nowadays paid to the software supply chain. There are security and legal reasons for this. When users install software, they want to know where it came from, and they want to be sure that they got the right thing, not some fake version or some version of dubious legal provenance.

And cites the XZ Utils backdoor as a reason to care about transparent and reproducible ways of distributing and communicating a source tarball and provenance. Because of this, intermediate build artifacts are now henceforth essentially disallowed from PostgreSQL distribution tarballs.

Distribution news

In Debian this month, 30 reviews of Debian packages were added, 17 were updated and 10 were removed, adding to our knowledge about identified issues. One issue type was added by Chris Lamb, too.

In addition, an issue was filed to update the Salsa CI pipeline (used by 1,000s of Debian packages) to no longer test for reproducibility with reprotest’s build_path variation. Holger Levsen provided a rationale for this change in the issue, which has already been made to the tests being performed by tests.reproducible-builds.org.


In Arch Linux this month, Jelle van der Waa published a short blog post on the topic of Investigating creating reproducible images with mkosi, motivated by the desire to make it possible for anyone to “re-recreate the official Arch cloud image bit-by-bit identical on their own machine as per [the] reproducible builds definition.” In addition, Jelle filed a patch for pacman, the Arch Linux package manager, to respect the SOURCE_DATE_EPOCH environment variable when installing a package.


In openSUSE news, Bernhard M. Wiedemann published another report for that distribution.


In Android news, the IzzyOnDroid project added 49 new rebuilder recipes and now features 256 total reproducible applications representing 21% of the total offerings in the repository. IzzyOnDroid is “an F-Droid style repository for Android apps[:] applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly GitHub).”


Mailing list news

From our mailing list this month:

  • Bernhard M. Wiedemann posted a brief message to the list with some helpful information regarding nondeterminism within Rust binaries, positing the use of the codegen-units = 16 default as the cause and resulting in a bug being filed in the Rust issue tracker.

  • Bernhard also wrote to the list, following up to a thread in November 2023, on attempts to make the LibreOffice suite of office applications build reproducibly. In the thread from this month, Bernhard could announce that the four patches previously mentioned have landed in LibreOffice upstream.

  • Fay Stegerman linked the mailing list to a thread she made on the Signal issue tracker regarding whether “device-specific binaries [can] ever be considered meaningfully reproducible”. In particular: “the whole part about ‘allow[ing] multiple third parties to come to a consensus on a “correct” result’ breaks down completely when ‘correct’ is device-specific and not something everyone can agree on.”

  • Developer kpcyrd posted an update for the source code indexing project whatsrc.org, announcing that it is now importing packages from live-bootstrap (“a usable Linux system [that is] created with only human-auditable, and wherever possible, human-written, source code”) into its database of provenance data.

  • Lastly, Mechtilde Stehmann posted an update to an earlier thread about how Java builds are not reproducible on the armhf architecture, enquiring how they might gain temporary access to such a machine in order to perform some deeper testing.


diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb released versions 274, 275, 276 and 277, uploaded these to Debian, and made the following changes as well:

  • New features:

    • Strip ANSI escapes (usually colour codes) from the output of the Procyon Java decompiler.
    • Factor out a method for stripping ANSI escapes.
    • Append output from dumppdf(1) in more cases, avoiding situations where we fall back to a binary diff.
    • Add support for version 2.212 of Perl’s IO::Compress::Zip.
  • Bug fixes:

    • Also catch RuntimeError exceptions when importing the PyPDF library so that it, or, crucially, its transitive dependencies, cannot cause diffoscope to traceback at runtime and build time.
    • Do not call marshal.load(…) on precompiled Python bytecode as it is, alas, inherently unsafe. Replace it for now with a brief summary of the code section of the .pyc file.
    • Don’t include excessive debug output when calling dumppdf(1).
  • Testsuite-related changes:

    • Don’t bother to check the version number in test_python.py: the fixture for this test is fixed.
    • Update test_zip test fixtures and definitions to support new changes to the Perl IO::Compress library.

In addition, Mattia Rizzolo updated the available architectures for a number of test dependencies, Sergei Trofimovich fixed an issue to avoid diffoscope crashing when hashing directory symlinks, and Vagrant Cascadian proposed GNU Guix updates for diffoscope versions 275, 276 and 277.


Website updates

There were a rather substantial number of improvements made to our website this month, including:


Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:


Reproducibility testing framework

The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility. In August, a number of changes were made by Holger Levsen, including:

  • Temporarily install the openssl-provider-legacy package for the Debian unstable environments for running diffoscope due to Debian bug #1078944.
  • Mark Debian armhf architecture nodes as being down due to the proxy being down.
  • Detect proxy failures.
  • Run the index-buildinfo for the builtin-pho script with the -q switch.
  • Disable all Arch Linux reproducible jobs.

In addition, Mattia Rizzolo updated the website configuration to install the ruby-jekyll-sitemap package as it is now used in the website, Roland Clobus updated the script to build Debian ‘live’ images to treat openQA issues as warnings, and Vagrant Cascadian marked the cbxi4b node as down.



If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. Alternatively, you can get in touch with us via:

Planet Debian: Jonathan Dowland: loading (unintended consequences?)

For their 30th anniversary (ish; the Covid pandemic pushed the date out a bit) British electronic music duo Orbital released the compilation 30 something. The track list mostly looks like a best hits list, which — given their prior compilation celebrating 20 years looks much the same — would appear superfluous. However, they’ve rearranged and re-recorded all their songs for 30, to reflect their live arrangements. The reworkings are sufficiently distinct from the original versions (in some cases I prefer them) and elevate the release. The couple of new tracks are also fun, and many of the remixes on the second disc are worth a listen too.

cover art from Orbital - 30 Something

But what I actually sat down to write about was the cover artwork. They often have designs which riff on the notion of a circle (given their name) and the 30-something art (both for the album and single takes from it) adapts a “loading” spinner-like device from computing (I suppose it mostly closely resembles the spinner from macOS).

A possibly unintended effect of the pattern occurs when you view it on a display which is adjusting its brightness, such as if you’re listening to it on a phone, the screen is off, and you pick it up. The brightest part of the spinner is visible first, and the rest fade into visibility in sequence. The first time you see this is unexpected and very cool. (I've tried to recreate it in the picture below, but I don't think it's worked.)

Although I've suffixed the title of this post unintended consequences?, it's quite possible this was deliberate.

screenshot of the artwork displayed on my phone

I’ve got the pattern on a t-shirt and my kids love to call out “Daddy’s loading!” In my convalescence it’s taken on a special sort of resonance because at times I’ve felt I’m in a holding state: waiting for an appointment to be made; waiting a polite interval before chasing an appointment; waiting for treatment to start after attending an appointment. Thankfully I’m at the end of that now, I hope.

365 Tomorrows: Unweaving

Author: Arwen Spicer and Haley Black Entangled voice comm to NLS Convoy Ship 27 By Hasumi, Harmony Outpost, Planet Blue Jungle Walkabout Log 34 – Update on the Untree Colonial Organism I wish you could see them. The plumes of these towering Untrees are pulsing like fire-bright gills under the monsoon. Here, in the jungle’s […]

The post Unweaving appeared first on 365tomorrows.

Worse Than Failure: Lowering the Rent Floor

Things weren't looking good for IniOil. It was the 1980s in the US: greed was good, anti-trust laws had been literally Borked, and financialization and mergers were eating up the energy industry. IniOil was a small fish surrounded by much larger fish, and the larger fish were hungry.

Gordon was their primary IT person. He managed a farm of VAXes and other minicomputers, which geologists used to do complicated models to predict where oil might be found. In terms of utilization, the computer room was arguably the most efficient space in the company: those computers may have been expensive, but they were burning 24/7 to find more oil to extract.

The CEO sent out a memo. "Due to economic conditions," it read, "we are going to have to cut costs and streamline." Cutting costs and streamlining meant "hiring a bunch of Ivy League MBAs" who had a long list of reforms they wanted the company to adopt. One of them was to force all the various business units to use internal billing and charge other business units for their services.

At first, this looked like a good thing for Gordon. Their overhead costs were low: the IT team was small, the VAXes were reliable, and the workloads were well understood. Billing out computer time was going to make all their metrics look amazing.

Unfortunately, facilities also was a billable unit. And they charged by square foot. Suddenly, the IT team was paying through the nose for the computer room.

What really stuck in Gordon's craw, however, was that it seemed like the computer room was getting billed at a more expensive rate than anything else in the building: it was about the same size as the sales floor, but was billed at double the rate.

Gordon raised this with facilities. "That's not true," they said. "We bill by the square foot. You've got twice as much square footage."

Gordon insisted that the computer room did not. He broke out a tape measure, went to the sales floor, took some measurements, then went to the computer room and repeated it. The difference was a matter of a few square feet.

Gordon went back to facilities. "Your measurements are wrong."

"They're square rooms," Gordon said. "How wrong could I be? A factor of two? Do you want to take the measurements?"

Facilities didn't need to take measurements. They had drawings. And the drawings showed a room that was 80'x80'… and was 12,800 sq ft. Gordon pointed out how that didn't make sense, by basic arithmetic, and the facilities manager tapped an annotation on the drawing. "Raised flooring".

Because the computer room had a raised floor, facilities was counting it as twice the floor space. Gordon tried to argue with facilities, pointing out that no matter how many raised floors were added, the actual building square footage did not change. But every business unit was looking to cut costs and boost internal profits, which meant "seeing reason" wasn't high on the facilities priority list.

Gordon raised it up with management, but everyone was too panicked by the threat of mergers and losing jobs to start a major fight over it. If Facilities said the square footage was 12,800, then that's what it was. But Gordon's management chain had a solution.

"Gordon," his boss said. "Remove the raised flooring. Just rip it out."

It was a quick and easy way to turn high billing rates into trip hazards and risks to equipment, but nobody was paying for risk mitigation and if there were any injuries because someone tripped over a cable, that'd come out of some other team's budget anyway.

For a few months, the computer room was a hazard site, but the rent was at least cheap. In the end, though, none of it mattered: all the MBA-driven cost "savings" weren't enough to stop a much bigger oil company from swallowing up IniOil. Most of the employees lost their jobs. The execs who owned most of the shares got a huge payout. And, well, the purchaser was interested in land leases and mineral rights, not computer rooms, so the VAXes were broken down and sold to a few universities.


xkcd: Slingshots

Planet Debian: Dirk Eddelbuettel: RcppCNPy 0.2.13 on CRAN: Micro Bugfix

Another (again somewhat minor) maintenance release of the RcppCNPy package arrived on CRAN earlier today.

RcppCNPy provides R with read and write access to NumPy files thanks to the cnpy library by Carl Rogers along with Rcpp for the glue to R.

A change in the most recent Rcpp appears to cause void functions wrapped via Rcpp Modules to return NULL, as opposed to being silent. That produces a discrepancy between the current output and the saved (reference) output of one test file, leading CRAN to display a NOTE which we were asked to take care of. That is done in this release, and now that we know the cause we will also look into restoring the prior Rcpp behaviour. Other small changes involved standard maintenance for continuous integration and updates to the files README.md and DESCRIPTION. More details are below.

Changes in version 0.2.13 (2024-09-03)

  • A test script was updated to account for the fact that it now returns a few instances of NULL under current Rcpp.

  • Small package maintenance updates have been made to the README and DESCRIPTION files as well as to the continuous integration setup.

CRANberries also provides a diffstat report for the latest release. As always, feedback is welcome and the best place to start a discussion may be the GitHub issue tickets page.

If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet Debian: Samuel Henrique: DebConf24 was fun!: Security, curl, wcurl, Debian's quality

A picture of a badger2040w with Samuel's badge and the curl manpage PCB on the side

tl;dr

DebConf24 was fun!

A playlist of all of my talks, with subtitles (en, pt-br) and chapters is available on YouTube.

Overview

DebConf24 was held in Busan, South Korea, from Sunday July 28th to Sunday August 4th 2024.

As usual for DebConfs, I had a great time meeting my friends, but also met new people and got to learn a bit about the interesting things they're working on.

I ended up getting too excited during the talk submission stage of the conference and as a result I presented 5 different activities (3 talks, 1 BoF and 1 lightning talk).

Since I was too busy with the presentations, I did not have a lot of time to actually hang out with folks, or even to go out in the city. I guess I've learned my lesson for next time.

The main purpose of this post is to write about all of the things I presented at the conference. I did want to list some of the interesting talks I've watched, but I would not be able to be fair, as I'm sure I would miss some.

You can get the schedule and the recordings of any talks from the conference's website: https://debconf24.debconf.org/schedule/

wcurl Lightning Talk

The most fun of my presentations. During the second-to-last day of the conference, I asked Sergio Durigan Junior <sergiodj> for help setting up a URL containing whitespace and redirecting it to wcurl's manpage.

I then did a little demo to showcase why I (and a lot of others) struggle with downloading things with curl, and how wcurl solves that.

https://www.youtube.com/watch?v=eM8M5qa4pPM
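The pain points behind that demo, as an added example that is neither wcurl's source nor curl project code: curl only writes to a file when told to, needs --location to follow a redirect like the one set up for the talk, and rejects a URL containing a literal space. The script below percent-encodes whitespace and builds a curl argv. The option set, the index.html fallback and the refusal of "." or ".." as a filename are my own choices, not wcurl's real behaviour (see wcurl(1) for that), and the URLs in the usage are placeholders.

```python
import re
import shlex
import subprocess
from urllib.parse import urlsplit


def encode_url(url: str) -> str:
    """curl rejects a URL containing a literal space (or other whitespace).
    Percent-encode only those characters, so a URL that is already encoded
    is not encoded a second time."""
    return re.sub(r"\s", lambda m: f"%{ord(m.group(0)):02X}", url)


def output_name(url: str) -> str:
    """Pick the local filename the way curl -O does (last path segment, query
    string ignored, percent-encoding kept), with two differences that are my
    own assumptions: a URL with no path saves as index.html instead of failing,
    and "." or ".." is refused so the file cannot land outside the current
    directory."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        return "index.html"
    return name


def curl_argv(url: str, retries: int = 5) -> list:
    """The curl invocation a plain 'download this URL' command needs.
    This option set is my choice of sane defaults, not wcurl's list."""
    enc = encode_url(url)
    return [
        "curl",
        "--globoff",          # [ ] { } in the URL are literal, not curl globs
        "--location",         # follow redirects (the demo URL was a redirect)
        "--fail",             # an HTTP error page is an error, not a saved file
        "--remote-time",      # keep the server's Last-Modified timestamp
        "--retry", str(retries),
        # --output rather than --remote-header-name: a Content-Disposition
        # filename lets the server pick the local name.
        "--output", output_name(enc),
        enc,
    ]


def download(url: str, dry_run: bool = False) -> int:
    """Run curl, or with dry_run just print the command. Returns the exit code."""
    argv = curl_argv(url)
    if dry_run:
        print(shlex.join(argv))
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    import sys

    dry = "--dry-run" in sys.argv
    for arg in (a for a in sys.argv[1:] if a != "--dry-run"):
        # Placeholder usage, e.g.: python3 dl.py --dry-run 'https://example.com/a b.txt'
        download(arg, dry_run=dry)
```

Run it with --dry-run first to see the argv curl will get; the whitespace in the URL shows up as %20 in both the URL and the output filename, which is what curl -O would have produced had it accepted the URL at all.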

Fixing CVEs on Debian: Everything you probably know already

I've always felt like DebConf was missing security-related talks, so I decided to do something about it and presented a few of the things I've learned when fixing CVEs for Debian.

This is an area where we don't get a lot of new contributors, I'm trying to change that, and this talk can be used to introduce newcomers to it.

https://www.youtube.com/watch?v=XzNVVILVyUM

The secret sauce of Debian

Debian is not very vocal about all of the nice things it has regarding quality-assurance, testing, or CI, even though it's state-of-the-art for a lot of things.

This talk is an initial step towards making people aware of the cool things happening behind the scenes. Ideally we should have it well-documented somewhere.

https://www.youtube.com/watch?v=x_X2IBnpjic

"I use Debian BTW": fzf, tmux, zoxide and friends

One of my earliest good memories of Debian was when it started coming with a colored PS1 by default. I still remember the feeling of relief whenever I jumped into a Debian server and didn't have to deal with a black and white PS1.

There's still a lot of room for Debian to ship better defaults, and I think some of them can actually happen.

This talk is a bit of a silly one where I'm just making people aware of the existence of a few Golang/Rust CLI tools, and also some dotfiles configurations that should probably be the default.

https://www.youtube.com/watch?v=tfto3Seokn4

curl

The curl project does such a great job with their security advisories that it will likely never receive the amount of praise it deserves, but I did my best at mentioning it throughout my CVEs talk.

Maybe I will write more extensively about this someday, but in case I don't:


There's no other project which so consistently mentions the exact range of commits that are affected by a given CVE.

Forget about whether the versions are EOL, curl doesn't have LTS releases, yet they do such a great job at clearly documenting their CVEs that I would take that over having LTS releases anytime (that's for curl at least, I acknowledge some types of projects have a different need for LTS releases).

Not only that, but they are also always careful about explaining alternative mitigations such as configuration changes, build flags that defuse the exploitation, or parameters that you should not use.


Just like we tend to do every time we meet, the other Debian curl maintainers and I spent the first 2 or 3 days of the conference talking about how we wanted to eventually meet up to discuss the package.

It was going to be informal, maybe during the Cheese and Wine party, but then I realized we should make it part of the official schedule, which would also give us the recordings for later.

And so the "curl maintainers BoF" happened, where we spoke about HTTP3, GnuTLS, wcurl and other things.

https://www.youtube.com/watch?v=fL7hSypUTdM

wcurl

Right after that BoF, Daniel Stenberg asked if we were interested in having wcurl adopted into curl, which we definitely were, so wcurl is now part of the curl project.

Daniel was also kind enough to design a logo for the project, which makes me especially happy because I can stop with my own approach at a logo (which I had to redo every few days):

A laptop with a curl and a GoHorse sticker, there's a 'w' handwritten with a marker on the right side of the curl sticker, making it 'wcurl'

And here is the new logo:

'wcurl' written with the same font and colors as the curl logo, with the 'w' being green instead of blue, and a download icon at the end

Much better, I would say :)

curl Swag

DebConf24 was my chance at forwarding some curl swag items to the other curl maintainers, so both Sergio Durigan Junior <sergiodj> and Carlos Henrique Lima Melara <charles> got the curl-up t-shirt and the very cool curl PCB coaster, both gifted by Daniel Stenberg.

Unfortunately I didn't have any of that for DebConf attendees, but I did drop loads of curl stickers at the stickers table; they were gone very quickly.

A table full of different stickers, curl stickers can be seen over the whole table

For the future

I used to think the most humbling experience you could have as someone who presented a talk was to have to watch it yourself: you notice a lot of mistakes and you instantly think about things that should be done differently.

It turns out the most humbling thing to do is actually to write subtitles for your talks; I noticed every single mistake, often multiple times.

So after spending more than 30 hours writing the subtitles for both English and Brazilian Portuguese for my talks, I feel like it's going to be much easier to avoid committing the same mistakes again. After some time you stop feeling shame about those mistakes and you're just left with feelings of annoyance, and at that point it becomes easier to consciously avoid them.

I am collecting a list of things I wish I had done differently on all of those talks, so if I end up presenting any one of them again, it will be an improved version.

A picture from the top of a group of conference attendees, there's about 150 people in the picture

,

Cryptogram Security Researcher Sued for Disproving Government Statements

This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher.

Let’s hope the judge throws the case out, but—still—it will serve as a warning to others.

Cryptogram List of Old NSA Training Videos

The NSA’s “National Cryptographic School Television Catalogue” from 1991 lists about 600 COMSEC and SIGINT training videos.

There are a bunch explaining the operations of various cryptographic equipment, and a few code words I have never heard of before.

Krebs on SecuritySextortion Scams Now Include Photos of Your Home

An old but persistent email scam known as “sextortion” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.

This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as Google Maps.

The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.

Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting [recipient’s street address] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.

A semi-redacted screenshot of a newish sextortion scam that includes a photo of the target’s front yard.

The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.

“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, [recipient’s name]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).

Previous innovations in sextortion customization involved sending emails that included at least one password the recipient had previously used at an online account tied to their email address.
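A mail-gateway style check for the lure described above, as an added example that is not from the KrebsOnSecurity article: it parses the MIME message, scores the textual indicators the article lists (street-address threat, webcam claim, "Pegasus", Bitcoin demand with a deadline, QR code, "don't reply"), and adds structural hits for a PDF attachment and an image attachment. The indicator regexes, the threshold and the helper names are my own, and both sample messages are constructed for the example, not real scam mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators distilled from the article's description of the lure. Each is a
# regex over the plain-text body; attachment structure is checked separately.
INDICATORS = {
    "webcam_claim":  re.compile(r"\b(webcam|camera)\b.{0,80}\b(record|video|footage)", re.I | re.S),
    "porn_claim":    re.compile(r"\bporn\b", re.I),
    "spyware_name":  re.compile(r"\bpegasus\b", re.I),
    "crypto_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline":      re.compile(r"\b\d{1,2}\s*hours?\b", re.I),
    "visit_threat":  re.compile(r"\bvisit(ing)?\b.{0,120}\b(address|location)\b", re.I | re.S),
    "no_reply":      re.compile(r"don.?t (even think about )?reply", re.I),
    "qr_code":       re.compile(r"\bQR\b", re.I),
}


def message_text(msg: EmailMessage) -> str:
    """Concatenate every inline text/plain part (attachments excluded)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            parts.append(part.get_content())
    return "\n".join(parts)


def attachment_types(msg: EmailMessage) -> list:
    """Content types of the parts marked as attachments."""
    return [p.get_content_type() for p in msg.iter_attachments()]


def score_sextortion(raw: bytes, threshold: int = 4) -> dict:
    """Parse a raw RFC 5322 message and return the indicator hits, a score
    (one point per hit) and a verdict. The threshold is an assumption to be
    tuned against real traffic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = message_text(msg)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    types = attachment_types(msg)
    if "application/pdf" in types:       # the article: lure arrives as a PDF
        hits.append("pdf_attachment")
    if any(t.startswith("image/") for t in types):   # the street photo
        hits.append("image_attachment")
    verdict = "sextortion" if len(hits) >= threshold else "clean"
    return {"hits": hits, "score": len(hits), "verdict": verdict}


def constructed_sample(sextortion: bool) -> bytes:
    """Build a constructed test message: either a lure shaped like the one in
    the article, or an ordinary delivery notice as a false-positive control."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "jane.doe@example.invalid"
    if sextortion:
        msg["Subject"] = "Jane Doe"
        msg.set_content(
            "Hello Jane Doe,\n\n"
            "Is visiting 123 Main St a more convenient way to contact if you\n"
            "don't take action. Nice location btw.\n\n"
            "I installed Pegasus spyware on your device months ago. Your webcam\n"
            "recorded a video of you while you were watching porn. You have\n"
            "24 hours to send $1,950 in Bitcoin by scanning the QR code in the\n"
            "attached notice, or the video goes to all of your contacts.\n\n"
            "Don't even think about replying to this, it's pointless.\n"
        )
        # Constructed placeholder bytes, not real PDF or PNG content.
        msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                           maintype="application", subtype="pdf", filename="notice.pdf")
        msg.add_attachment(b"\x89PNG constructed placeholder",
                           maintype="image", subtype="png", filename="street.png")
    else:
        msg["Subject"] = "Your parcel is on its way"
        msg.set_content(
            "Hi Jane,\n\nYour parcel will arrive within 48 hours. Reply to this\n"
            "email if you have questions.\n"
        )
    return bytes(msg)


if __name__ == "__main__":
    for flag in (True, False):
        print(score_sextortion(constructed_sample(flag)))
```

The verdict rests on the combination, not on any single phrase: the delivery notice trips the deadline regex alone and stays clean, while the lure collects eight textual hits plus the two structural ones. The structural checks are the cheap part to keep even if the wording of the next wave changes.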

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Worse Than FailureTesting the Juniors

Stefan S has recently joined the ranks of software developers, having taken on his first job as a junior developer. After a few months of on-boarding with Terry, another new developer, they're now both actually getting assigned real work on tickets that deliver new functionality.

Stefan proudly pushed his first feature, complete with plenty of unit, functional, and end-to-end tests. After a little brushing up during code-review, it was merged along with a few "atta boys", and Stefan was feeling pretty good about himself.

A few days later, he pulled the latest changes, and ran the test suite. And all of the tests he wrote suddenly failed. Stefan's stomach dropped into his shoes, and he struggled to think: "How did I mess up this badly?"

Except Stefan didn't mess up that badly. A quick check on source control history showed that Terry had added some new commits- one of which "optimized" Stefan's code by adding a NullPointerException.

Stefan was relieved, but annoyed. He opted to, in his mind, "be a bro", and not open a ticket that the rest of the team could see, and instead messaged Terry directly. "Your changes have broken functionality. You need to fix it."

At 5:05PM, Terry pushed a fix, and messaged Stefan, "Tests don't fail anymore," then left for the weekend. Terry was correct, the tests stopped failing.

(Names anonymized by Stefan)

public class MyPerfectlyDoneTestClassNotReadyToHaveTheHunsReleasesUponItself {
    @Test
    public void addition_isCorrect() {
        assertEquals(4, 2 + 2);
    }
    
    @Test
    public void test(){
        try {
            // lots of logic and setup 20+ lines
        } catch (Throwable throwable) {
            assertTrue(true);
        }
    }
    @Test
    public void test2(){
        // different logic
        assertTrue(true);
    }
    @Test
    public void test3(){
        try {
             // yet more well thought out logic. Since there was setUp to these tests
             //  he had to move the setUp to the actual methods and since they throw he had to put them in try catch
        } catch (Throwable throwable) {
             assertFalse(false);
        }
    }
    @Test
    public void test40Plus(){
        // I give up
        assertTrue(true);
    }
}

So, yes. Terry just asserted true on any test that threw an exception. Or, asserted false. He also stripped out the set-up methods for the test suite and copy/pasted the setup code into methods. This massive change to the test suite was quite a bit of work- quite a bit more than just fixing the bug with the null pointer.

The lesson here, for Stefan, is that "being a bro" isn't a great idea. Opening a ticket and creating visibility isn't throwing Terry under the bus. Terry's a junior and these kinds of mistakes are still likely to happen, and any healthy organization will be willing to allow growth. When we see mistakes, we can correct them.

The additional visibility also helps the organization spot the deeper WTF: Terry's code should never have ended up in a branch anyone else was touching. CI and code review should have stopped Terry from breaking code in a way that impacted anyone else.


365 TomorrowsEarth 2.0

Author: Bill Cox “They’re spraying again out there.” I look out the window. On the horizon I can see a sickly yellow fog, with small black dots flying languidly overhead. Behind that there is an orange haze, otherworldly, not quite right. “Do you think we’ll have to move out?” Sarah asks. I turn to look […]

The post Earth 2.0 appeared first on 365tomorrows.

,

Planet DebianGunnar Wolf: Free and open source software and other market failures

This post is a review for Computing Reviews for Free and open source software and other market failures, an article published in Communications of the ACM

Understanding the free and open-source software (FOSS) movement has, since its beginning, implied crossing many disciplinary boundaries. This article describes FOSS’s history, explaining its undeniable success throughout the 1990s, and why the movement today feels in a way as if it were on autopilot, lacking the “steam” it once had.

The author presents several examples from different industries where, as happened with FOSS in computing, fundamental innovations came about not because the leading companies of each field were attentive to customers' needs but, to a certain degree, despite those companies not even considering those needs, typically due to the hubris that comes from being a market leader.

Kamp exemplifies his hypothesis by presenting the messy landscape of the commercial, mutually incompatible systems of Unix in the 1980s. Different companies had set out to implement their particular flavor of "open Unix computers," but with clear examples of vendor lock-in techniques. He speculates that, "if we had been able to buy a reasonably priced and solid Unix for our 32-bit PCs … nobody would be running FreeBSD or Linux today, except possibly as an obscure hobby." He states that the FOSS movement was born out of the utter market failure of the different Unix vendors.

The focus of the article shifts then to the FOSS movement itself: 25 years ago, as FOSS systems slowly gained acceptance and then adoption in the “serious market” and at the center of the dot-com boom of the early 2000s, Linux user groups (LUGs) with tens of thousands of members bloomed throughout the world; knowing this history, why have all but a few of them vanished into oblivion?

Kamp suggests that the strength and vitality that LUGs had ultimately reflects the anger that prompted technical users to take the situation into their own hands and fix it; once the software industry was forced to change, the strongly cohesive FOSS movement diluted. "The frustrations and anger of [information technology, IT] in 2024," Kamp writes, "are entirely different from those of 1991." As an example, the author closes by citing the difficulty of maintaining–despite having the resources to do so–an aging legacy codebase that needs to continue working year after year.

Krebs on SecurityOwners of 1-Time Passcode Theft Service Plead Guilty

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.

Launched in November 2019, OTP Agency was a service for intercepting one-time passcodes needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.

The call would prompt the target to enter a one-time passcode that was sent to the user via SMS when the thieves attempted to log in. Any codes shared by the target were then relayed to the scammer’s user panel at the OTP Agency website.

A statement published Aug. 30 by the U.K.’s National Crime Agency (NCA) said three men pleaded guilty to running OTP Agency: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.

KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.

Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:

Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat

Vijayanathan: Are you sure

Picari: So much evidence in there

Vijayanathan: Are you 100% sure

Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find

Vijayanathan: Exactly so if we just shut EVERYTHING down

Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%

Vijayanathan : Everyone with a brain will tell you stop it here and move on

Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f*^k their investigations…There’s nothing fraudulent on the site

Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.

OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.

But that revival would be short-lived. The NCA said the site was taken offline less than a month later when the trio were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 months the service was active.

Picari was the owner, developer and main beneficiary of the service, and his personal information and ownership of OTP Agency was revealed in February 2020 in a “dox” posted to the now-defunct English-language cybercrime forum Raidforums. The NCA said it began investigating the service in June 2020.

The OTP Agency operators who pleaded guilty to running the service; Aza Siddeeque, Callum Picari, and Vijayasidhurshan Vijayanathan.

OTP Agency might be gone, but several other similar OTP interception services are still in operation and accepting new customers, including a long-running service KrebsOnSecurity profiled in September 2021 called SMSRanger. More on SMSRanger in an upcoming post.

Text messages, emails and phone calls warning recipients about potential fraud are some of the most common scam lures. If someone (or something) calls saying they're from your bank, or asks you to provide any personal or financial information, do not respond. Just hang up, full stop.

If the call has you worried about the security and integrity of your account, check the account status online, or call your financial institution — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.

Further reading: When in Doubt, Hang Up, Look Up, and Call Back

Planet DebianJonathan Carter: Debian Day South Africa 2024

Beer, cake and ISO testing amidst rugby and jazz band chaos

On Saturday, the Debian South Africa team got together in Cape Town to celebrate Debian’s 31st birthday and to perform ISO testing for the Debian 11.11 and 12.7 point releases.

We ran out of time to organise a fancy printed cake like we had last year, but our improvisation worked out just fine!

We thought that we had allotted plenty of time for all of our activities for the day, and that there would be plenty of time for everything including training, but the day zipped by really fast. We hired a venue at a brewery, which is usually really nice because they have an isolated area with lots of space and a big TV – nice for presentations, demos, etc. But on this day, there was a big rugby match between South Africa and New Zealand, and as it got closer to the game, the place just got louder and louder (especially as a band started practicing and doing sound tests for their performance for that evening) and it turned out our space was also double-booked later in the afternoon, so we had to relocate.

Even amidst all the chaos, we ended up having a very productive day and we even managed to have some fun!

Four people from our local team performed ISO testing for the very first time, and in total we covered 44 test cases locally. Most of the other testers were the usual crowd in the UK; we also did a brief video call with them, but it was dinner time for them so we had to keep it short. Next time we'll probably have some party line open that any tester can also join.

Logo

We went through some more iterations of our local team logo that Tammy has been working on. They're turning out very nice and have been in progress for more than a year; I guess, like most things Debian, it will be ready when it's ready!

Debian 11.11 and Debian 12.7 released, and looking ahead towards Debian 13

Both point releases tested just fine and were released later in the evening. I'm very glad that we managed to be useful and reduce total testing time and that we managed to cover all the test cases in the end.

A bunch of things we really wanted to fix by the time Debian 12 launched are now finally fixed in 12.7. There’s still a few minor annoyances, but over all, Debian 13 (trixie) is looking even better than Debian 12 was around this time in the release cycle.

Freeze dates for trixie have not yet been announced; I hope that the release team announces those sooner rather than later. Also, KDE Plasma 6 hasn't yet made its way into unstable. I've seen quite a number of people ask about this online, so hopefully that works out.

And by the way… the desktop artwork submissions for trixie end in two weeks! More information about that is available on the Debian wiki if you're interested in making a contribution. There are already 4 great proposals.

Debian Local Groups

Organising local events for Debian is probably easier than you think, and Debian does make funding available for events. So, if you want to grow Debian in your area, feel free to join us at -localgroups on the OFTC IRC network, also plumbed on Matrix at -localgroups:matrix.debian.social – where we’ll try to answer any questions you might have and guide you through the process!

Oh and btw… South Africa won the Rugby!

Worse Than FailureBest of…: Classic WTF: A Systematic Approach

It's a holiday in the US today, where we celebrate labor and laborers. Enjoy a story of working smarter, not harder, to meet unrealistic deadlines and create a lot more work for someone in the future. Original --Remy

It was the early 1990s and Frank was living the dream: unshaven, in pajama bottoms and his favorite hockey jersey, having just woken up at 12:18 PM, he was now working in the dim light of his basement on one of his freelance projects. Just as he was sipping a cup of coffee, the phone rang.

Frank tried fruitlessly to fight an unexpected open-mouthed yawn when he picked up the receiver. "OOOOAAAaaahhhh... hello?"

"Hi, Frank. We have a very exciting opportunity for a qualified individual like you. Interested?" Odd that this caller hadn't even identified what company he was with, Frank thought. After sleepily getting some of the details, yeah, Frank was mildly interested, and he agreed to an interview in 30 minutes... at a bagel shop that was 25 minutes away.

Ten minutes late and having not changed at all aside from putting on non-pajama pants and shoes, he was immediately flagged over by a man in a nice suit. "You have the look like a computer genius, I already know you're perfect for this," he said without a hint of sarcasm. He asked lots of vague questions about computers; stuff like "So you know computers? What about, like, servers?" Frank had all the traits of a young man in IT – beyond his physical appearance, he was brash, overconfident, and narcissistic. Throughout the brief interview, he didn't restrain any of these traits, but still, he was only vaguely interested in the position, so he winged all the questions. Ten minutes later, the man pulled out a marker, wrote something on a napkin, and slid it across the table. "That's what your hourly rate would be." The man arched his eyebrow. "Interested?"

Frank was already pulling in some respectable bank, but this was more than twice what he was currently making. Gears started turning in his brain while he mulled it over. Well, I guess if I was to take this jo-"YES." On his way home from the interview, Frank picked up a razor, stopped for a haircut, and generally got himself kempt.

The Job

The day after the interview, he was sitting opposite the Executive Vice President of Data Processing, who was giving a second interview. "Let's say I asked you to consolidate twelve server facilities into one. How would you do it?" Ahh, a riddle question, like "how would you move a mountain to the other side of a village?"

"Well," Frank started, winging his second interview in as many days, "I'd take a systematic approach. Figure out where everything was, how the different systems were integrated, how they communicate, and gradually migrate servers over."

The Bank Boss was clearly impressed since Frank was given a contract on the spot; no references or background checks. And not just that, Frank was given keycard access to everything – all of the different datacenters and various facilities. He didn't encounter anything his keycard didn't give him access to (though he never tried the bank's vault). He was also given passwords to every sensitive system, including the money transfer system, responsible for transferring money in the range of around one trillion dollars every day.

It quickly became clear that the interview question wasn't a hypothetical, and Frank was dealing with the impossible. And maybe that's why they hired him – he was an idealistic hard worker, a badass who could do anything. What he lacked in experience then he'd make up for in tenacity. At least that's what Frank was having a harder and harder time reminding himself.

And for better or for worse, he'd effectively be on his own. As it turned out, his team and the man that hired him were electricians. Back in those days, the bank (and, more importantly, their union contract) considered moving servers to be "electrical work" and, therefore, only union electrician companies were allowed to do it. Or those that the electricians hired.

The Problem

In short, the bank had a dozen VAX datacenters that they wanted as a single cluster in a new building. Everything communicated over DECnet, which was a network protocol not too dissimilar from TCP/IP. One of the nice things about DECnet was the ability to route datagrams (packets) around the network in different ways to avoid failures, a fact which later proved to be useful.

The problem with the bank's infrastructure was that no one knew everything that was running in each datacenter, how it all worked, or how it would all work together in a single facility. Even worse, the people at the datacenters didn't want to talk to Frank, as the sooner Frank finished his job, the sooner they'd lose theirs.

The visits to the various datacenters always left Frank in a worse mood. All of them were in various states of disrepair – dirty, perhaps a flickering light, disorganized, but one stood above the others. Its floor was almost completely torn up due to a major renovation project following an asbestos contamination. All of the systems in this room were caked with dust, so much so that the labels were completely illegible. Only one system had lights blinking on its network port; so Frank brushed the dust off its label. "VDL-23 – Maintenance Test Box." Why does that sound so familiar?

Earlier that morning, Frank had done some network analysis, and found that all redundant links between the Money Transfer System and the other datacenters (aside from VDL-23) had been down for quite a while. Since DECnet routed around the failures and no one had thought to set-up network monitoring, no one had noticed that all of the other links had gone down. And before Frank discovered it, no one knew (or no one would tell him) where the box was physically. Immediately, Frank got cracking on a plan to bring the redundancy back online while keeping VDL-23 up, thanking the stars that the architecture of DECnet prevented the network from going down with all of the other servers. Still, something told him that the twisted, crushed, mistreated cables strewn across the floor might not remain reliable for transfers of $1T/day for long...

His watch alarm went off before he finished, it was a reminder that he had a mandatory meeting for all staff involved in the migration – about two hundred people in total. Frank rushed back to the main office, taking shortcuts using his everything-access keycard, and arriving just as the meeting was starting.

"Thank you all for coming," the executive vice president said, voice quivering, with a sweaty brow. "We're required to migrate the network to TCP/IP by the communications standard director." Frank winced.

The VP of communications chimed in, equally nervous. "Well... it's DECnet... it uses the non-routable LAT protocol. I... *ahem* we may need to push the deadline out..." The executive VP frowned, and asked for an update from the apps team.

The VP of Applications looked equally nervous, stammering out "we're still gathering information on the applications... and... we're not totally sure if we can actually run this all in one system..."

In a hushed tone, the executive VP took the floor again. "You're telling me we're going to miss our deadline. The board is very firm about our deadline. I'm not happy."

Frank craned his neck and looked around the room; everyone was staring at the floor. This was his moment. Once again feeling like a badass, he rose from his seat dramatically, and in his most heroic voice, he boomed "There is a way."

Success!

Three months later, a beautifully appointed datacenter hummed along, processing transfers and perfectly replicating all of the functionality from the former twelve separate datacenters. Pristine rows of computers and neatly arranged drive controllers worked dutifully, everything in perfect order. The board came through the datacenter to inspect the work, and left with no complaints. It had been completed on schedule and looked great; everyone was happy.

Under the raised floor, the tangle of cables told the real story. What was really in that room was the original twelve datacenters, all of the systems sitting pretty on the raised floor, underneath which were piles of cables connected exactly the same way they'd always been connected, and with back-hauled communication lines running between the systems. As they say, out with the old, in with the old.

And off in one corner, on upgraded hardware, was VDL-23; still responsible for routing all of the money transfer traffic, now safely sitting in a datacenter where it would remain unperturbed.


365 TomorrowsThe Waiting Cold

Author: Julian Miles, Staff Writer Sally peers from under the racking, checks both ways, then hisses at me. “You think they’ve gone?” I shake my head, then put a finger to my lips. Clichéd it may be, but our unwanted visitors are attracted to sound. But how did they get in? That’s what’s been bothering […]

The post The Waiting Cold appeared first on 365tomorrows.

Cryptogram SQL Injection Attack on Airport Security

Interesting vulnerability:

…a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.

The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent’s laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all.

A similar system also exists for cockpit access, called the Cockpit Access Security System (CASS). Most aircraft have at least one jumpseat inside the cockpit sitting behind the flying pilots. When pilots need to commute or travel, it is not always possible for them to occupy a revenue seat, so a jumpseat can be used instead. CASS allows the gate agent of a flight to verify that the jumpseater is an authorized pilot. The gate agent can then inform the crew of the flight that the jumpseater was authenticated by CASS.

[attack details omitted]

At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners.

We ended up finding several more serious issues but began the disclosure process immediately after finding the first issue.
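An added illustration of the bug class described above (not code from the researchers' write-up or from Schneier's post): an employment-status lookup built by string concatenation beside the parameterised form, run against a constructed in-memory roster. The table name, columns and the employee-number format are assumptions; the real KCM/CASS backend is not on the page.

```python
import re
import sqlite3

# Constructed crew roster standing in for an airline's employment-status
# table. The real backend, its schema and vendor are not on the page; the
# table and column names below are assumptions.
SAMPLE_ROWS = [
    ("A1001", "Example Air", "pilot", "active"),
    ("A1002", "Example Air", "flight attendant", "active"),
    ("A1003", "Example Air", "pilot", "terminated"),
]

# Assumed format for employee numbers. Rejecting anything else is defence in
# depth only: parameterisation, not this check, is what closes the injection.
EMPLOYEE_NUMBER_RE = re.compile(r"^[A-Z0-9]{1,12}$")


def open_sample_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (employee_number TEXT, airline TEXT, "
        "role TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def is_active_crew_vulnerable(conn, employee_number, airline):
    """Lookup built by string concatenation.

    Whatever the caller types is pasted into the statement, so a value
    containing a quote changes the query's logic instead of being compared
    as data. This is the pattern the write-up above describes.
    """
    query = (
        "SELECT count(*) FROM crew WHERE employee_number = '" + employee_number
        + "' AND airline = '" + airline + "' AND status = 'active'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def is_active_crew_hardened(conn, employee_number, airline):
    """Same lookup with bound parameters.

    The driver ships the values separately from the SQL text, so they can
    only ever be compared as strings; no quoting trick reaches the parser.
    """
    (count,) = conn.execute(
        "SELECT count(*) FROM crew WHERE employee_number = ? "
        "AND airline = ? AND status = 'active'",
        (employee_number, airline),
    ).fetchone()
    return count > 0


def check_crew(conn, employee_number, airline):
    """Full hardened entry point: format check, then parameterised lookup."""
    if not EMPLOYEE_NUMBER_RE.match(employee_number):
        return False
    return is_active_crew_hardened(conn, employee_number, airline)


if __name__ == "__main__":
    db = open_sample_db()
    # Classic tautology probe, constructed here only to show why the two
    # functions differ; it is not taken from the report.
    probe = "x' OR '1'='1"
    print("vulnerable:", is_active_crew_vulnerable(db, probe, "Example Air"))
    print("hardened:  ", check_crew(db, probe, "Example Air"))
```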


Planet DebianBits from Debian: Bits from the DPL

Dear Debian community,

these are my bits from the DPL for August.

Happy Birthday Debian

On the 16th of August Debian celebrated its 31st birthday. Since I'm unable to write a better text than our great publicity team, I'm simply linking to their article for those who might have missed it:

https://bits.debian.org/2024/08/debian-turns-31.html

Removing more packages from unstable

Helmut Grohne argued for more aggressive package removal and sought consensus on a way forward. He provided six examples of processes where packages that are candidates for removal are consuming valuable person-power. I’d like to add that the Bug of the Day initiative (see below) also frequently encounters long-unmaintained packages with popcon votes sometimes as low as zero, and often fewer than ten.

Helmut's email included a list of packages that would meet the suggested removal criteria. There was some discussion about whether a popcon vote should be included in these criteria, with arguments both for and against it. Although I support including popcon, I acknowledge that Helmut has a valid point in suggesting it be left out.

While I’ve read several emails in agreement, Scott Kitterman made a valid point "I don't think we need more process. We just need someone to do the work of finding the packages and filing the bugs." I agree that this is crucial to ensure an automated process doesn’t lead to unwanted removals. However, I don’t see "someone" stepping up to file RM bugs against other maintainers' packages. As long as we have strict ownership of packages, many people are hesitant to touch a package, even for fixing it. Asking for its removal might be even less well-received. Therefore, if an automated procedure were to create RM bugs based on defined criteria, it could help reduce some of the social pressure.

In this aspect the opinion of Niels Thykier is interesting: "As much as I want automation, I do not mind the prototype starting as a semi-automatic process if that is what it takes to get started."

Charles Plessy put the urgency of the package-removal problem into words: "So as of today, it is much less work to keep a package rotting than removing it." My observation when trying to fix the Bug of the Day exactly fits this statement.

I would love for this discussion to lead to more aggressive removals that we can agree upon, whether they are automated, semi-automated, or managed by a person processing an automatically generated list (supported by an objective procedure). To use an analogy: I’ve found that every image collection improves with aggressive pruning. Similarly, I’m convinced that Debian will improve if we remove packages that no longer serve our users well.

DEP14 / DEP18

There are two DEPs that affect our workflow for maintaining packages—particularly for those who agree on using Git for Debian packages. DEP-14 recommends a standardized layout for Git packaging repositories, which benefits maintainers working across teams and makes it easier for newcomers to learn a consistent repository structure.

DEP-14 stalled for various reasons. Sam Hartman suspected it might be because 'it doesn't bring sufficient value.' However, the assumption that git-buildpackage is incompatible with DEP-14 is incorrect, as confirmed by its author, Guido Günther: git-buildpackage, one of the two key tools for Debian Git repositories (besides dgit), fully supports DEP-14, though the migration from the previous default is somewhat complex.

Some investigation into mass-converting older formats to DEP-14 was conducted by the Perl team, as Gregor Herrmann pointed out.

The discussion about DEP-14 resurfaced with the suggestion of DEP-18. Guido Günther proposed the title 'Encourage Continuous Integration and Merge Request-Based Collaboration for Debian Packages', which more accurately reflects the DEP's technical intent.

Otto Kekäläinen, who initiated DEP-18 (thank you, Otto), provided a good summary of the current status. He also assembled a very helpful overview of Git and GitLab usage in other Linux distros.

More Salsa CI

As a result of the DEP-18 discussion, Otto Kekäläinen suggested implementing Salsa CI for our top popcon packages.

I believe it would be a good idea to enable CI by default across Salsa whenever a new repository is created.

Progress in Salsa migration

In my campaign, I stated that I aim to reduce the number of packages maintained outside Salsa to below 2,000. As of March 28, 2024, the count was 2,368. Today, it stands at 2,187 (UDD query: SELECT DISTINCT count(*) FROM sources WHERE release = 'sid' and vcs_url not like '%salsa%' ;).

After a third of my DPL term (OMG), we've made significant progress, reducing the amount in question (369 packages) by nearly half. I'm pleased with the support from the DDs who moved their packages to Salsa. Some packages were transferred as part of the Bug of the Day initiative (see below).

Bug of the Day

As announced in my 'Bits from the DPL' talk at DebConf, I started an initiative called Bug of the Day. The goal is to train newcomers in bug triaging by enabling them to tackle small, self-contained QA tasks. We have consistently identified target packages and resolved at least one bug per day, often addressing multiple bugs in a single package.

In several cases, we followed the Package Salvaging procedure outlined in the Developers Reference. Most instances were either welcomed by the maintainer or did not elicit a response. Unfortunately, there was one exception where the recipient of the Package Salvage bug expressed significant dissatisfaction. The takeaway is to balance formal procedures with consideration for the recipient’s perspective.

I'm pleased to confirm that the Matrix channel has seen an increase in active contributors. This aligns with my hope that our efforts would attract individuals interested in QA work. I’m particularly pleased that, within just one month, we have had help with both fixing bugs and improving the code that aids in bug selection.

As I aim to introduce newcomers to various teams within Debian, I also take the opportunity to learn about each team's specific policies myself. I rely on team members' assistance to adapt to these policies. I find that gaining this practical insight into team dynamics is an effective way to understand the different teams within Debian as DPL.

Another finding from this initiative, which aligns with my goal as DPL, is that many of the packages we addressed are already on Salsa but have not been uploaded, meaning their VCS fields are not published. This suggests that maintainers are generally open to managing their packages on Salsa. For packages that were not yet on Salsa, the move was generally welcomed.

Publicity team wants you

The publicity team has decided to resume regular meetings to coordinate their efforts. Given my high regard for their work, I plan to attend their meetings as frequently as possible, which I began doing with the first IRC meeting.

During discussions with some team members, I learned that the team could use additional help. If anyone interested in supporting Debian with non-packaging tasks reads this, please consider introducing yourself to debian-publicity@lists.debian.org. Note that this is a publicly archived mailing list, so it's not the best place for sharing private information.

Kind regards Andreas.

David Brin 2There’s A Story About That!

A What-If Scenario Database: using Science Fiction to Save the World

TASAT is here!  Are you a sci fi nerd who remembers lots of old stories, plot twists and such? Ever wish you could apply all that expertise to something useful?

How about a project that leverages your memory bank of old stories, toward a slim but real chance of saving the world?  

We’re spinning out (at last!) a beta version of TASAT or There’s A Story About That, a community where scifi plot-geeks like you — (or maybe (one day) some desperate government agency!) — get to ask: 

“What if this particular strange thing ever happens? (Maybe something like it is happening now!) Has anyone ever thought it through, in a story, across the last century of science fiction tales?”

We’ve designed TASAT with that question in mind. Want to see how it works? Visit TASAT.org… and maybe sign on to be one of the beta members. (We’ve designed it to be a minimal use of time!) And maybe – just maybe – your recollection of that obscure Andre Norton or Frederik Pohl or Nancy Kress plot twist might someday save the world!

== The Goal of TASAT! ==

Envision: You work at an agency, corporation, or NGO… and you’ve come across an unusual problem. Might someone have thought about this very situation in the past? Developed a thought experiment – with possible solutions? Perhaps with an alternative idea that you – or your team – have missed? What if, already in some archive, There’s A Story About That?

Consider the vast library of science fictional scenarios that have been published since Mary Shelley first wrote about the creation of new kinds of life — an endeavor that is now coming true in dozens of ways. Shelley explored how that daring venture might be mishandled — a warning that found new variants in tales such as Planet of the Apes, Jurassic Park, I Robot, and Ex Machina. These famous stories already influence discussions about ethics and public policy. Indeed, some science fiction tales help us avoid mistakes — self-preventing prophecies like Orwell’s Nineteen Eighty-Four, Soylent Green, Dr. Strangelove, or Silent Spring. A few such projections come true. Far more of them say: “a time may come when you’d better think about this!”

Alas, for every SF thought experiment that achieves renown, hundreds molder in back issues of Astounding or Galaxy, or some novel only recalled now by a dozen fan readers out there — tales that have worked through some way for the world to veer in unexpected directions. Shouldn’t those concepts also be available, as a background library of worked-out scenarios, in case the universe chooses to confront us with some sudden choice?

We hope this site will be a reservoir of insights into where we are heading and how we can design our way to a better future.

Please visit https://tasat.org/ to join and contribute your ideas.

David BrinAnnouncing TASAT is a go! ... and curing the Anti-Modernity Cult.

First an announcement:

TASAT is here!  Are you a sci fi nerd who remembers lots of old stories, plot twists and such? Ever wish you could apply all that expertise to something useful?

How about a project that leverages your memory bank of old stories, toward a slim but real chance of saving the world?  

We're spinning out (at last!) a beta of TASAT or There's A Story About That, a community where scifi plot-geeks like you -- (or maybe (one day) some desperate government agency!) -- get to ask: 

"What if this particular strange thing ever happens? (Maybe something like it is happening now!) Has anyone ever thought it through, in a story, across the last century of science fiction tales?"

We've designed TASAT with that question in mind. Want to see how it works? Visit TASAT.org... and maybe sign on to be one of the beta members. (We've designed it to be a minimal use of time!) And maybe - just maybe - your recollection of that obscure Andre Norton or Pohl or Vance twist might someday save the world!


== Can we defeat the defeatist cult against modernity? == 

Okay let's get back to our politically-fraught year, starting first with something fundamental.

Ensure your basic rights! Check your voter registration, especially if you live in a red state, where lots of suppression and cheat-schemes to purge voter rolls are already going on. Check several times!

And yes, in Polemical Judo I have a further recommendation: Because the Grand Cheat of gerrymandering has rendered the General Election moot in many congressional districts, the smart move is to re-register into whichever party rules the district you live in! That lets you vote in the primary, the only election that matters anymore, when it comes to Congress or the Statehouse. 

Even if it means holding your nose and accepting a label that you loathe, you'll reclaim at least a part of what was robbed from you. Moreover it will protect your registration from being purged! Word to the wise?


== Seriously? This flies with... anybody? ==

Former U.S. President Donald Trump blasted the scale of U.S. support for Ukraine and said that if he is reelected in November he would immediately "have that settled."


Sure, big boy. Pretty much everyone by now can see: there are zero differences on overall agenda between today’s Foxite/MAGAs and Vladimir Putin -- who, along with his Kremlin staffed by 5000 “ex” commissars -- grew up reciting Leninist catechisms, five times a day.  Only then they swapped their hammer-sickle pins for czarist symbols -- and suddenly the U.S. right fell in love with them! (Like Don and Kim.)


Dig it. Putin called the fall of the USSR ‘history’s worst tragedy.’ He openly swore revenge  vs. all US fact using professions, from science and teaching, medicine and law and civil service …

…to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror… the heroes who are now raged against by Kremlin stooges in the USA.  Putin’s quisling Fifth Column in America.  Today’s commies.


Again. Today's 'conservatives' rail against... the FBI?  The Intel agencies and military? Now, who would want this situation more than giggling Putin? Tell me how the MAGA enemies list differs, even slightly from that of the slightly relabeled KGB?


Today's GOP is Vlad's dream come true.  And we know who the real commies are.



== Immature speculation? ==


Though one wonders about competence when the recent Trump rally shooter climbed to a roof in plain sight of shouting onlookers. Never mind that. From initial appearances (“he was bullied every day”) the fellow is most likely just another white weasel with a gun and desperation to be somebody. 


Which is one more argument for my longtime suggestion: that dopey, attention seeking monsters should be punished in the best way, by name-erasure. See my "Erastratos Effect" proposal.


Bill Maher also riffed on this, less informatively but with wider circulation. 


(In comments I will cite a scenario for the barely-touching 'graze' wound suffered by Donald Trump. Physically this alternative is vastly more plausible than such a grazing bullet wound would be. But is it more plausible as a real-life theory? No, I think not. Still, a close examination of the wound...?)



== A Sunflower for Ukraine! == 


Oh, but here’s my response to DT’s proposed – Putin-ordered – betrayal of Ukraine. See the sunflower I grew? Close to 6 meters (20 feet) tall. Slava Ukraine! Long live the brave and free Ukrainian people. 

And may peace and freedom and light come to all Russians, as well. 

Which may happen, if WE choose sanity, first.



== What’s fundamental about the treason alliance against the Enlightenment Experiment… and hence America ==


The confederate coalition against everything the Enlightenment West stands for has two components. The oligarchs who own the movement … and the masses of what we now call 'MAGAs' and who Robert Heinlein described as ‘know nothings.’


The first component consists of the elites who control – or who think they control - today’s undead monster that’s taken over the Party of Lincoln. These elites are a mélange of inheritance brats, casino mafiosi, hedge lords, incest CEOs, "ex" commissars and openly avowed commissars (differing only in their lapel pins) and murder sheiks. All of them are united in one goal: restoring 6000 years of dismal feudalism. They’ve had a lot of victories along this path. For example, the chief outcome of “Supply Side” never-ever-once-correct “voodoo economics” has been skyrocketing wealth disparities around the globe. Now surging past French Revolution levels. (Learn the word 'tumbrels,' guys.)


Despite their many victories, these elites know that world citizens could wake up, at any moment. They must complete their conversion of the globe back to inheritance status before all the world’s young people fully acculturate with rambunctious individualism. Moreover, the oligarchs know there is one major obstacle blocking their full takeover. 


Rule of law, enforced equally and governed by facts. Hence, in order to achieve their goal, they must suppress the defenders of fact-based rule-of-law. The nerd castes. 


They must stir all-out war vs ALL fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on Terror. (All the western strengths who Vlad Putin openly blames for the fall of the USSR.)


Which brings up the second component of the anti-modernity cult. This one is vastly larger… the MAGA /confederate ground troops in their millions. They share the same agenda, only in the opposite order. Their top wish (as Robert Heinlein explains) is suppression of nerds, not out of self-interested rivalry, like the oligarch masters, but out of basic, cultural hate. (Not all of it unjustified!  As I describe elsewhere.) 

They want to humiliate the university, fact-wielding smartypants! And in order to get that, they’ll gladly help the oligarchy achieve restored feudal rule by inheritance brats.  

Same goals, in slightly different order.


I just explained for you the devil’s bargain between our would-be lords and their vassals. It is exactly the same as in 1778 when Cornwallis went South to find more tories who supported the King… or in the 1860s when a million poor whites marched off to fight and die for their plantation lord class oppressors. Or when Appalachians - who owe FDR and the Democrats absolutely freaking everything - now spit in the eyes of those who helped them out of Deliverance hell.

As Heinlein describes, it's a cultural thing. And yes, you nerds out there simply cannot grasp why – using facts and logic and appeals to common decency and progress – you can accomplish nothing against this devil’s alliance.



== Notes from Civil War Phase 8 ==


Miscellaneous addendum to the first part of this missive... another of my wager challenges. This one demanding MAGA support their incessant jeremiads against universities.  And wow, on social media that campaign is at full throttle!


Sean T. Smith's novel Tears of Abraham is a terrific and scary novel about a US civil war, far better than the recent movie Civil War, by Alex Garland. I touted it before and will again. 


In the wake of Donald Trump's ear-clipping, if anyone, anyone, tries to accuse Dems of “inflammatory language” – read to them aloud from this volcanically horrific call by Alex Jones for his own leader’s violent demise. Then demand a wager with your MAGA, whether his side only spews violent yowlings ten times as much, as opposed to (actually) 100x, than democrats or even ANTIFA. 

And bet over compared death rates wrought by their cult vs those few (any?) actually caused by US leftists.

Or by vaccines.


== Want even deeper fundamentals? ==


My general political essay in four parts is about, among many things, the insipid/lobotomizing left-right “axis” and how history betrayed competitive creativity...


...and what libertarianism might look like, if it ever grew up.


Political Totemism and the Danger of Metaphors

Part 1 followed by....

Part 2.  and Part 3.  and Part 4.



== A script for a killer advert ==


Hey Lincoln Project!  Want a script for a potentially powerful ad vs. Mafia Don?

 

2014 – He promised proof – “Next week!” - that Obama was born in Kenya. Week after week, for years. Then stopped. Did any of you ever ask… “Well?” 


2016 – He promised “great financials!” and tax returns “as soon as the audit is done!” There was no audit. And it’s been 8 years. 


2017 – He vowed to end terrible Obamacare and replace it with “wonderful, perfect healthcare!” A plan that he promised to reveal “in a couple of weeks.” He repeated that promise every month for years… then went silent when Obamacare proved popular and worked! Have YOU ever seen Trump’s Great New Healthcare Plan? Has anyone? Maybe ask for it now?


2017 - He promised to “Build the Wall!” Republicans controlled Congress, the Supreme Court, the Executive Branch… every lever of power! They could have built the wall. They didn’t. Did you ever ask why?


2018 – He ‘fell in love!’ with murder commie tyrant Kim Jong Un. (We want those love letters; they’re public documents!) All the remaining communist despots on Earth support him, along with all the “ex” commissars and “ex” KGB agents in today’s Kremlin, who grew up reciting Lenin and working for America’s downfall… who then changed a few lapel pins and took over the Republican Party.


2020 – He pooh-poohed Covid 19, predicting it would not come to America… and later that it would ‘pass naturally in a little bit’ … then bragged when scientists and civil servants delivered vaccines! … then swerved to anti-vax and back and forth amid calls for swallowing bleach and lasers… while the economy tanked and a million Americans died.


2021 – “I wuz robbed!!” Oh, the whining about losing by 8 million votes! Especially in six Red States that had Republican governors and officials running the election.  Always promising ‘evidence’ of a ‘steal’ but never ever delivering any. No real evidence at all!  Not to a single judge, jury or grand jury across the nation… while refusing to cooperate with independent investigation panels. 


The biggest single tantrum in the history of our Republic… until 2024, that is.


2016-to-now – A firehose, a tsunami, a supernova of lies! Over 100,000 of them, according to one ongoing list. Naturally, he won’t revisit or explain even one of them.  And his followers are fine with that, fleeing or distracting, when you bring up any of the lies. 


(Let’s pick a dozen from that list and bet $$$ on them! Got guts?)


And now… - almost without exception, Republicans wage all-out war vs all fact using professions, from science and teaching, medicine and law and civil service to the heroes of the FBI/Intel/Military officer corps who won the Cold War and the War on terror. 


Now who (*cough-Vladimir*) would want Americans to do that?


We could go on with more examples, you know we could. 


Only here’s the deal. If any one of these are true, then many of our neighbors are in a mad cult. 


And gently - with malice toward none - we need to wrest power from what Heinlein called the worst, dark streak in American nature.


Planet DebianColin Watson: Free software activity in August 2024

All but about four hours of my Debian contributions this month were sponsored by Freexian. (I ended up going a bit over my 20% billing limit this month.)

You can also support my work directly via Liberapay.

man-db and friends

I released libpipeline 1.5.8 and man-db 2.13.0.

Since autopkgtests are great for making sure we spot regressions caused by changes in dependencies, I added one to man-db that runs the upstream tests against the installed package. This required some preparatory work upstream, but otherwise was surprisingly easy to do.

OpenSSH

I fixed the various 9.8 regressions I mentioned last month: socket activation, libssh2, and Twisted. There were a few other regressions reported too: TCP wrappers support, openssh-server-udeb, and xinetd were all broken by changes related to the listener/per-session binary split, and I fixed all of those.

Once all that had made it through to testing, I finally uploaded the first stage of my plan to split out GSS-API support: there are now openssh-client-gssapi and openssh-server-gssapi packages in unstable, and if you use either GSS-API authentication or key exchange then you should install the corresponding package in order for upgrades to trixie+1 to work correctly. I’ll write a release note once this has reached testing.

Multiple identical results from getaddrinfo

I expect this is really a bug in a chroot creation script somewhere, but I haven’t been able to track down what’s causing it yet. My sbuild chroots, and apparently Lucas Nussbaum’s as well, have an /etc/hosts that looks like this:

$ cat /var/lib/schroot/chroots/sid-amd64/etc/hosts
127.0.0.1       localhost
127.0.1.1       [...]
127.0.0.1       localhost ip6-localhost ip6-loopback

The last line clearly ought to be ::1 rather than 127.0.0.1; but things mostly work anyway, since most code doesn’t really care which protocol it uses to talk to localhost. However, a few things try to set up test listeners by calling getaddrinfo("localhost", ...) and binding a socket for each result. This goes wrong if there are duplicates in the resulting list, and the test output is typically very confusing: it looks just like what you’d see if a test isn’t tearing down its resources correctly, which is a much more common thing for a test suite to get wrong, so it took me a while to spot the problem.

I ran into this in both python-asyncssh (#1052788, upstream PR) and Ruby (ruby3.1/#1069399, ruby3.2/#1064685, ruby3.3/#1077462, upstream PR). The latter took a while since Ruby isn’t one of my languages, but hey, I’ve tackled much harder side quests. I NMUed ruby3.1 for this since it was showing up as a blocker for openssl testing migration, but haven’t done the other active versions (yet, anyway).
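An added example of the failure mode described above (not code from the post or from any of the packages it names): a helper that binds one listening socket per getaddrinfo() result, driven by a constructed result list containing the duplicate 127.0.0.1 entry, beside a deduplication step that avoids the spurious EADDRINUSE. The helper names are assumptions.

```python
import errno
import socket

# Constructed getaddrinfo() output reproducing the /etc/hosts problem above:
# two identical AF_INET entries for "localhost", as the resolver returns when
# 127.0.0.1 is listed twice. Built inline so the example runs on any host.
DUPLICATED_RESULTS = [
    (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("127.0.0.1", 0)),
    (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", ("127.0.0.1", 0)),
]


def unique_addrinfo(results):
    """Drop repeated (family, type, proto, sockaddr) entries, keeping order."""
    seen = set()
    unique = []
    for family, socktype, proto, canon, sockaddr in results:
        key = (family, socktype, proto, sockaddr)
        if key not in seen:
            seen.add(key)
            unique.append((family, socktype, proto, canon, sockaddr))
    return unique


def resolve_localhost(port):
    """Resolve "localhost" via the real resolver and deduplicate the result.

    On a host with the broken /etc/hosts shown above this collapses the two
    127.0.0.1 entries into one; on a sane host it is a no-op.
    """
    raw = socket.getaddrinfo("localhost", port, type=socket.SOCK_STREAM)
    return unique_addrinfo(raw)


def bind_listeners(results, port):
    """Bind one listening socket per addrinfo entry on the given port.

    This mirrors what the affected test suites do. With duplicate entries
    the second bind() fails with EADDRINUSE, which looks exactly like a
    test that forgot to close its previous listener.
    """
    sockets = []
    try:
        for family, socktype, proto, _canon, sockaddr in results:
            sock = socket.socket(family, socktype, proto)
            sock.bind((sockaddr[0], port))
            sock.listen(1)
            sockets.append(sock)
    except OSError:
        for sock in sockets:
            sock.close()
        raise
    return sockets


def free_loopback_port():
    """Pick a currently free TCP port on 127.0.0.1 (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def bind_error_for(results, port):
    """Return the errno name raised while binding, or None if all binds worked."""
    try:
        sockets = bind_listeners(results, port)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    for sock in sockets:
        sock.close()
    return None


if __name__ == "__main__":
    port = free_loopback_port()
    print("duplicated list:", bind_error_for(DUPLICATED_RESULTS, port))
    print("deduplicated list:", bind_error_for(unique_addrinfo(DUPLICATED_RESULTS), port))
```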

OpenSSL vs. cryptography

I tend to care about openssl migrating to testing promptly, since openssh uploads have a habit of getting stuck on it otherwise.

Debian’s OpenSSL packaging recently split out some legacy code (cryptography that’s no longer considered a good idea to use, but that’s sometimes needed for compatibility) to an openssl-legacy-provider package, and added a Recommends on it. Most users install Recommends, but package build processes don’t; and the Python cryptography package requires this code unless you set the CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 environment variable, which caused a bunch of packages that build-depend on it to fail to build.

After playing whack-a-mole setting that environment variable in a few packages’ build process, I decided I didn’t want to be caught in the middle here and filed an upstream issue to see if I could get Debian’s OpenSSL team and cryptography’s upstream talking to each other directly. There was some moderately spirited discussion and the issue remains open, but for the time being the OpenSSL team has effectively reverted the change so it’s no longer a pressing problem.

GCC 14 regressions

Continuing from last month, I fixed build failures in pccts (NMU) and trn4.

Python team

I upgraded alembic, automat, gunicorn, incremental, referencing, pympler (fixing compatibility with Python >= 3.10), python-aiohttp, python-asyncssh (fixing CVE-2023-46445, CVE-2023-46446, and CVE-2023-48795), python-avro, python-multidict (fixing a build failure with GCC 14), python-tokenize-rt, python-zipp, pyupgrade, twisted (fixing CVE-2024-41671 and CVE-2024-41810), zope.exceptions, zope.interface, zope.proxy, zope.security, zope.testrunner. In the process, I added myself to Uploaders for zope.interface; I’m reasonably comfortable with the Zope Toolkit and I seem to be gradually picking up much of its maintenance in Debian.

A few of these required their own bits of yak-shaving:

I improved some Multi-Arch: foreign tagging (python-importlib-metadata, python-typing-extensions, python-zipp).

I fixed build failures in pipenv, python-stdlib-list, psycopg3, and sen, and fixed autopkgtest failures in autoimport (upstream PR), python-semantic-release and rstcheck.

Upstream for zope.file (not in Debian) filed an issue about a test failure with Python 3.12, which I tracked down to a Python 3.12 compatibility PR in zope.security.

I made python-nacl build reproducibly (upstream PR).

I moved aliased files from / to /usr in timekpr-next (#1073722).

Installer team

I applied a patch from Ubuntu to make os-prober support building with the noudeb profile (#983325).

Planet DebianGuido Günther: Free Software Activities August 2024

Another short status update of what happened on my side last month.

Quite a bit of time went into helping organize the FrOSCon FOSS on Mobile dev room (day 1, day 2, summary) but that was all worth it and fun - so was releasing Phosh 0.41.0 (which incidentally happened right before FrOSCon). A three-year-old MR to xdg-spec to add call categories landed (thanks Matthias), allowing us to finally provide proper feedback for e.g. IM calls too. The rest was some OSK improvements (around Indic language support via varnam and layout configuration), some Cell Broadcast advancements (thanks to NGI0 for supporting this) but also some fixes. Here are the details:

Phosh

  • Debug crash when swiping away keyboard on lockscreen (MR).
  • Fix outdated clock when swiping back from lockscreen plugins (MR)
  • Avoid deprecation warning (MR)
  • Better handle mobile network generation bit masks (MR)
  • Improve docs that end up in the libphosh-rs docs (MR)
  • Modernize ModemManager backend in preparation for Cellbroadcast support (MR)
  • Remove hacks from Cell Broadcast support MR (MR). Still draft but not much to do left once the ModemManager side landed
  • Remove deprecated UI props and add a check so they don't creep back in (MR)
  • Allow using ASAN when feedbackd is a subproject (MR)
  • Fix crash when Wi-Fi hot spot quick setting gets disabled (MR)
  • Don't allow changing hotspot state on the lock screen (MR)
  • Prepare and release Phosh 0.41.0~rc1 and Phosh 0.41.0
  • Prepare 0.41.1 (MR)

Phoc

  • Don't reject gesture when we cross another surface (MR)

phosh-mobile-settings

  • Drop redundant enums (MR)
  • Remember last used panel (MR)
  • Fix initial state of move up/down popovers (MR)
  • Allow selecting OSK layouts (MR). This ensures only actually available layouts can be selected. Currently used by phosh-osk-stub but can easily be extended to squeekboard once it provides the information.

libphosh-rs

phosh-osk-stub

  • Allow opening the OSK Settings panel when the screen is not locked (MR)
  • Unswap Enter and Backspace (MR)
  • Bug fix release 0.41.1
  • Use varnam_learn() for better completions in the varnam completer (MR)
  • Export layout information (MR)
  • Reduce flicker when launching settings (MR)

phosh-wallpapers

  • Avoid new event sounds not being picked up due to stale caches (MR)
  • Improve phone-hangup sound (MR)

meta-phosh

  • Add release helpers (MR)

phosh-recipes

Debian

  • Upload Phosh 0.41.0~rc1 and 0.41.0 releases
  • Robustify release script a bit (MR)
  • Enable binding lib in phosh (MR)
  • Move govarnam and varnam schemes packages into the input method team
  • Upload varnam schemes to sid (MR)
  • Make varnam-schemes reproducible, add autopkgtests and run upstream test during build (MR)
  • Build wlroots with xcb-errors support (MR)

Mobian

  • Help mobian-recipes with newer debos: (MR)

ModemManager

  • Rework most bits of Cell Broadcast to move it closer to undraft status (MR). (Remaining bits affect enabling of unsolicited messages and setting channels).

Calls

  • Use official notification category (MR)
  • Use AdwAboutDialog (MR)

gnome-bluetooth

  • Fix some deprecations (MR)
  • Make pairing dialog adaptive (MR)
  • Allow use with Phosh without imposing more API/ABI guarantees (MR)

gnome-settings-daemon

  • Fix crash when hitting an error condition (which could then bring down the whole session): (MR)

feedbackd

  • Install the udev rule via meson (MR) to make it easier for distros to pick up rule changes
  • Sync packaging with Debian (MR)
  • Document used gsettings (MR)

Chatty

  • Update information at matrix.org (MR)
  • Implement more unified push bits (MR)
  • Document things a bit (MR)
  • Chase libcmatrix API changes (MR)

Libcmatrix

Eigenvalue

  • Catch up with libcmatrix API changes (MR)

kunifiedpush

  • Avoid broken URLs when using ntfy (MR)

gir-rustdoc

  • Improve error message when not running in CI (MR)

python-dbusmock

  • Drop outdated comments (MR)

matrix spec

  • propose some hints for Mobile clients (MR)

sound-theme spec

  • propose new sound name for cell broadcasts (MR)

varnam-schemes

  • Make reproducible (MR)
  • Don't ignore errors in build scripts (MR)
  • Allow running tests against installed schemes (MR)
  • Fix build with recent ruby (MR)

FroSCon

Help Development

If you want to support my work see donations. This includes a list of hardware we want to improve support for. Thanks a lot to all current and past donors.

Planet DebianSteinar H. Gunderson: Zyxel GS1900 firmware source dump

I asked Zyxel for a source dump for GPLed firmware on their GS1900-8HP switches, and after months, they finally obliged (they seemingly had no idea that it should just be, well, available). So I'm dumping it here in case anyone else wants it.

I haven't tried actually building it, but notably, it seems to contain the entire CLI, since they base it on Quagga's vtysh (which is GPL).

365 TomorrowsPassing Through the Arc

Author: Dave Ludford “Lin Chi, it is the time of your twentieth solar cycle. You are no doubt aware of the significance of that fact.” Xemon’s words, spoken to all citizens upon reaching this age, sent a shiver through my body even though I’d heard them spoken many times to others at this pre-ceremony. Xemon, […]

The post Passing Through the Arc appeared first on 365tomorrows.

Planet DebianRuss Allbery: Review: Reasons Not to Worry

Review: Reasons Not to Worry, by Brigid Delaney

Publisher: Harper
Copyright: 2022
Printing: October 2023
ISBN: 0-06-331484-3
Format: Kindle
Pages: 295

Reasons Not to Worry is a self-help non-fiction book about stoicism, focusing specifically on quotes from Seneca, Epictetus, and Marcus Aurelius. Brigid Delaney is a long-time Guardian columnist who has written on a huge variety of topics, including (somewhat relevantly to this book) her personal experiences trying weird fads.

Stoicism is having a moment among the sort of men who give people life advice in podcast form. Ryan Holiday, a former marketing executive, has made a career out of being the face of stoicism in everyone's podcast (and, of course, hosting his own). He is far from alone. If you pay attention to anyone in the male self-help space right now (Cal Newport, in my case), you have probably heard something vague about the "wisdom of the stoics."

Given that the core of stoicism is easily interpreted as a strategy for overcoming your emotions with logic, this isn't surprising. Philosophies that lean heavily on college dorm room logic, discount emotion, and argue that society is full of obvious flaws that can be analyzed and debunked by one dude with some blog software and a free afternoon have been very popular in tech circles for the past ten to fifteen years, and have spread to some extent into popular culture. Intriguingly, though, stoicism is a system of virtue ethics, which means it is historically in opposition to consequentialist philosophies like utilitarianism, the ethical philosophy behind effective altruism and other related Silicon Valley fads.

I am pretty exhausted with the whole genre of men talking to each other about how to live a better life — Cal Newport by himself more than satisfies the amount of that I want to absorb — but I was still mildly curious about stoicism. My education didn't provide me with a satisfying grounding in major historical philosophical movements, so I occasionally look around for good introductions. Stoicism also has some reputation as an anxiety-reduction technique, and I could use more of those. When I saw a Discord recommendation for Reasons Not to Worry that specifically mentioned its lack of bro perspective, I figured I'd give it a shot.

Reasons Not to Worry is indeed not a bro book, although I would have preferred fewer appearances of the author's friend Andrew, whose opinions on stoicism I could not possibly care less about. What it is, though, is a shallow and credulous book that falls squarely in the middle of the lightweight self-help genre. Delaney is here to explain why stoicism is awesome and to convince you that a school of Greek and Roman philosophers knew exactly how you should think about your life today. If this sounds quasi-religious, well, I'll get to that.

Delaney does provide a solid introduction to stoicism that I think is a bit more approachable than reading the relevant Wikipedia article. In her presentation, the core of stoicism is the practice of four virtues: wisdom, courage, moderation, and justice. The modern definition of "stoic" as someone who is impassive in the presence of pleasure or pain is somewhat misleading, but Delaney does emphasize a goal of ataraxia, or tranquility of mind. By making that the goal rather than joy or pleasure, stoicism tries to avoid the trap of the hedonic treadmill in favor of a more achievable persistent contentment.

As an aside, some quick Internet research makes me doubt Delaney's summary here. Other material about stoicism I found focuses on apatheia and associates ataraxia with Epicureanism instead. But I won't start quibbling with Delaney's definitions; I'm not qualified and this review is already too long.

The key to ataraxia, in Delaney's summary of stoicism, is to focus only on those parts of life we can control. She summarizes those as our character, how we treat others, and our actions and reactions. Everything else — wealth, the esteem of our colleagues, good health, good fortune — is at least partly outside of our control, and therefore we should enjoy it when we have it but try to be indifferent to whether it will last. Attempting to control things that are outside of our control is doomed to failure and will disturb our tranquility. Essentially all of this book is elaborations and variations on this theme, specialized to some specific area of life like social media, anxiety, or grief and written in the style of a breezy memoir.

If you're familiar with modern psychological treatment frameworks like cognitive behavioral therapy or acceptance and commitment therapy, this summary of stoicism may sound familiar. (Apparently this is not an accident; the predecessor to CBT used stoicism as a philosophical basis.) Stoicism, like those treatment approaches, tries to refocus your attention on the things that you can improve and de-emphasizes the things outside of your control. This is a lot of the appeal, at least to me (and I think to Delaney as well).

Hearing that definition, you may have some questions. Why those virtues specifically? They sound good, but all virtues sound good almost by definition. Is there any measure of your success in following those virtues outside your subjective feeling of ataraxia? Does the focus on only things you can control lead to ignoring problems only mostly outside of your control, where your actions would matter but only to a small degree? Doesn't this whole philosophy sound a little self-centered? What do non-stoic virtue ethics look like, and why do they differ from stoicism? What is the consequentialist critique of stoicism?

This is where the shortcomings of this book become clear: Delaney is not very interested in questions like this. There are sections on some of those topics, particularly the relationship between stoicism and social justice, but her treatment is highly unsatisfying. She raises the question, talks about her doubts about stoicism's applicability, and then says that, after further thought, she decided stoicism is entirely consistent with social justice and the stoics were right after all. There is a little bit more explanation than that, but not much. Stoicism can apparently never be wrong; it can only be incompletely understood.

Self-help books often fall short here, and I suspect this may be what the audience wants. Part of the appeal of the self-help genre is artificial certainty. Becoming a better manager, starting a business, becoming more productive, or working out an entire life philosophy are not problems amenable to a highly approachable and undemanding book. We all know that at some level, but the seductive allure of the self-help genre is the promise of simplifying complex problems down to a few approachable bullet points. Here is a life philosophy in a neatly packaged form, and if you just think deeply about its core principles, you will find they can be applied to any situation and any doubts you were harboring will turn out to be incorrect.

I am all too familiar with this pattern because it's also how fundamentalist Christianity works. The second time Delaney talked about her doubts about the applicability of stoicism and then claimed a few pages later that those doubts disappeared with additional thought and discussion, my radar went off. This book was sounding less like a thoughtful examination of one specific philosophy out of many and more like the soothing adoption of religious certainty by a convert. I was therefore entirely unsurprised when Delaney all but says outright in the epilogue that she's adopted stoicism as her religion and approaches it with the same dedicated practice that she used to bring to Catholicism. I think this is where a lot of self-help books end up, although most of them don't admit it.

There's nothing wrong with this, to be clear. It sounds like she was looking for a non-theistic religion, found one that she liked, and is excited to tell other people about it. But it's a profound mismatch with what I was looking for in an introduction to stoicism. I wanted context, history, and a frank discussion of the problems with adopting philosophy to everyday issues. I also wanted some acknowledgment that it is highly unlikely that a few men who lived 2000 years ago in a wildly different social context, and with drastically limited information about cultures other than their own, figured out a foolproof recipe for how to approach life. The subsequent two millennia of philosophical debates prove that stoicism didn't end the argument, and that a lot of other philosophers thought that stoicism got a few things wrong. You would never know that from this book.

What I wanted is outside the scope of this sort of undemanding self-help book, though, and this is the problem that I keep having with philosophy. The books I happen across are either nigh-incomprehensibly dense and academic, or they're simplified into catechism. This was the latter. That's probably more the fault of my reading selection than it is the fault of the book, but it was still annoying.

What I will say for this book, and what I suspect may be the most useful property of self-help books in general, is that it prompts you to think about basic stoic principles without getting in the way of your thoughts. It's like background music for the brain: nothing Delaney wrote was very thorny or engaging, but she kept quietly and persistently repeating the basic stoic formula and turning my thoughts back to it. Some of those thoughts may have been useful? As a source of prompts for me to ponder, Reasons Not to Worry was therefore somewhat successful. The concept of not trying to control things outside of my control is simple but valid, and it probably didn't hurt me to spend a week thinking about it.

"It kind of works as an undemanding meditation aid" is not a good enough reason for me to recommend this book, but maybe that's what someone else is looking for.

Rating: 5 out of 10


Planet DebianAndrew Cater: Debian release weekend - media team update 202408311900 UTC

We're doing fairly well: the Debian release team have been working really hard on a double point release today. Final release for Bullseye as 11.11 as it moves to LTS.

12.7 Bookworm install media finishing tests - it's been quite a long day so far.

For 11.11 we're part way through media tests.

We've been joined by a lot of enthusiastic folk from Cape Town who've been a great help. Always nice to see old friends and new people join us on IRC - and they've just joined us for a short video call.

This has gone well: two release day media checking and bug-squashing groups on two continents is excellent.

Dear Cape Town - feel free to join us for the next time and we'll hold the video call open for longer. If we don't see any of you here in Cambridge for mini-Debconf, we'll meet up in Brest for Debconf 25.



Planet DebianRussell Coker: Links August 2024

Bruce Schneier and Kim Córdova wrote an insightful article about the changes that corporations make to culture as technical debt [1]. We need anti-trust laws to be enforced before it’s too late!

Bruce Schneier posted the transcript of an insightful lecture he gave on rethinking democracy for the age of AI [2].

Cory Doctorow wrote an insightful blog post about companies that are “too big to care” [3]. We need to break up those monopolies.

Science Alert has an interesting article on plans to get renewable energy by drilling into the magma chamber of an active volcano [4]. What I want to know is whether using the energy could reduce the power of an eruption or even prevent it from happening.

Bruce Schneier wrote an interesting article about Crowdstrike and the market incentives for brittle systems [5]. Also we need to have more formally proven software and more use of systems like seL4.

Dave’s Garage on YouTube has an interesting video about modern Mainframes [6]. Their IO capacity dwarfs the memory bandwidth of most PC servers.

Framework has an interesting YouTube video about the process of developing a RISC-V motherboard for their laptops [7].

The documentary series Who Broke Britain by ABC news gives a good insight into the harm caused by austerity policies [8].

Rolling Stone has an interesting story about the consequences of being a CIA agent in al-Qaeda [9].

Planet DebianVincent Bernat: Fixing layout shifts caused by web fonts

In 2020, Google introduced Core Web Vitals metrics to measure some aspects of real-world user experience on the web. This blog has consistently achieved good scores for two of these metrics: Largest Contentful Paint and Interaction to Next Paint. However, optimizing the third metric, Cumulative Layout Shift, which measures unexpected layout changes, has been more challenging. Let’s face it: optimizing for this metric is not really useful for a site like this one. But getting a better score is always a good distraction. 💯

To prevent the “flash of invisible text” when using web fonts, developers should set the font-display property to swap in @font-face rules. This method allows browsers to initially render text using a fallback font, then replace it with the web font after loading. While this improves the LCP score, it causes content reflow and layout shifts if the fallback and web fonts are not metrically compatible. These shifts negatively affect the CLS score. CSS provides properties to address this issue by overriding font metrics when using fallback fonts: size-adjust, ascent-override, descent-override, and line-gap-override.

Two comprehensive articles explain each property and their computation methods in detail: Creating Perfect Font Fallbacks in CSS and Improved font fallbacks.

Interactive tuning tool

Instead of computing each property from font average metrics, I put together a tool for interactively tuning fallback fonts.1

Instructions

  1. Load your custom font.

  2. Select a fallback font to tune.

  3. Adjust the size-adjust property to match the width of your custom font with the fallback font. With a proportional font, it is not possible to achieve a perfect match.

  4. Fine-tune the ascent-override property. Aim to align the final dot of the last paragraph while monitoring the font’s baseline. For more precise adjustment, disable the corresponding option in the tool.

  5. Modify the descent-override property. The goal is to make the two boxes match. You may need to alternate between this and the previous property for optimal results.

  6. If necessary, adjust the line-gap-override property. This step is typically not required.

The process needs to be repeated for each fallback font. Some platforms may not include certain fonts. Notably, Android lacks most fonts found in other operating systems. It replaces Georgia with Noto Serif, which is not metrically compatible.
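Before tuning interactively, it helps to have a metric-based starting point. The following is an added example, not part of the original post or its tool: it takes the vertical metrics and average glyph width of a web font and of each fallback (as found in a font's OS/2 and hhea tables), derives size-adjust and the three override properties, and emits one @font-face rule per fallback in the same shape as the CSS further down. All metric values below are constructed for illustration and are not those of Merriweather, Noto Serif or Georgia; with real fonts you would read them from the font files instead.

```python
from dataclasses import dataclass


# Font metrics in font units, as found in a font's OS/2 and hhea tables.
# The sample values further down are constructed for illustration only;
# they are NOT the real metrics of any font named in the post.
@dataclass(frozen=True)
class FontMetrics:
    name: str
    units_per_em: int
    ascender: int        # typoAscender / hhea ascent
    descender: int       # magnitude of typoDescender / hhea descent
    line_gap: int        # typoLineGap / hhea lineGap
    avg_char_width: int  # OS/2 xAvgCharWidth


def compute_overrides(web: FontMetrics, fallback: FontMetrics) -> dict[str, float]:
    """Return size-adjust and the three overrides as fractions of 1em.

    size-adjust scales the fallback so its average glyph width matches the
    web font's. The overrides then express the web font's vertical metrics
    in em units of the *scaled* fallback, which is why each of them is
    divided by size-adjust.
    """
    web_width = web.avg_char_width / web.units_per_em
    fallback_width = fallback.avg_char_width / fallback.units_per_em
    size_adjust = web_width / fallback_width
    return {
        "size-adjust": size_adjust,
        "ascent-override": (web.ascender / web.units_per_em) / size_adjust,
        "descent-override": (web.descender / web.units_per_em) / size_adjust,
        "line-gap-override": (web.line_gap / web.units_per_em) / size_adjust,
    }


def pct(value: float) -> str:
    """Format a fraction as a CSS percentage with three decimals."""
    return f"{value * 100:.3f}%"


def fallback_font_face(web: FontMetrics, fallback: FontMetrics, family: str) -> str:
    """Emit one @font-face rule for a single fallback font."""
    o = compute_overrides(web, fallback)
    return "\n".join([
        "@font-face {",
        f'  font-family: "{family}";',
        f'  src: local("{fallback.name}");',
        f"  size-adjust: {pct(o['size-adjust'])};",
        f"  ascent-override: {pct(o['ascent-override'])};",
        f"  descent-override: {pct(o['descent-override'])};",
        f"  line-gap-override: {pct(o['line-gap-override'])};",
        "}",
    ])


def fallback_stylesheet(web: FontMetrics, fallbacks: list[FontMetrics], family: str) -> str:
    """One @font-face rule per fallback; the browser picks the first local() it finds."""
    return "\n".join(fallback_font_face(web, fb, family) for fb in fallbacks)


# Constructed sample metrics (hypothetical, not measured from real fonts).
WEB = FontMetrics("WebSerif", 1000, 984, 273, 0, 576)
FALLBACKS = [
    FontMetrics("Fallback Serif A", 2048, 1878, 568, 0, 1200),
    FontMetrics("Fallback Serif B", 2048, 1878, 434, 0, 1112),
]

if __name__ == "__main__":
    print(fallback_stylesheet(WEB, FALLBACKS, "Fallback for WebSerif"))
```

The computed values are only a starting point: xAvgCharWidth is a weighted average, so two proportional fonts never match on every line, and the interactive tuning described above is what removes the remaining shift.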

Tool

This tool is not available from the Atom feed.

Results

For the body text of this blog, I get the following CSS definition:

@font-face {
  font-family: Merriweather;
  font-style: normal;
  font-weight: 400;
  src: url("../fonts/merriweather.woff2") format("woff2");
  font-display: swap;
}
@font-face {
  font-family: "Fallback for Merriweather";
  src: local("Noto Serif"), local("Droid Serif");
  size-adjust: 98.3%;
  ascent-override: 99%;
  descent-override: 27%;
}
@font-face {
  font-family: "Fallback for Merriweather";
  src: local("Georgia");
  size-adjust: 106%;
  ascent-override: 90.4%;
  descent-override: 27.3%;
}

font-family: Merriweather, "Fallback for Merriweather", serif;

After a month, the CLS metric improved to 0:

Core Web Vitals scores for vincent.bernat.ch showing all 6 metrics as green. Notably the Cumulative Layout Shift is 0.
Recent Core Web Vitals scores for vincent.bernat.ch

About custom fonts

Using safe web fonts or a modern font stack is often simpler. However, I prefer custom web fonts. Merriweather and Iosevka, which are used in this blog, enhance the reading experience. An alternative approach could be to use Georgia as a serif option. Unfortunately, most default monospace fonts are ugly.

Furthermore, paragraphs that combine proportional and monospace fonts can create visual disruption. This occurs due to mismatched vertical metrics or weights. To address this issue, I adjust Iosevka’s metrics and weight to align with Merriweather’s characteristics.


  1. Similar tools already exist, like the Fallback Font Generator, but they were missing a few features, such as the ability to load the fallback font or to have decimals for the CSS properties. And no source code.

Planet DebianAndrew Cater: Debian release weekend - Bullseye and Bookworm 20240831

A double length Debian release
means the Release Team don't get much peace
What with last minute breaks
And the time that it takes
Treat them with respect today, please

The media teams on the hook
As we follow our normal play book
With laptops all primed
The images are timed
Once we're told we'll start taking our look

This is the last time for 11
And for Bookworm, it's just 12.7
Give us time for each test
As we all do our best
With our ThinkPads - I see at least seven :)

Planet DebianRuss Allbery: Review: The Shepherd's Crown

Review: The Shepherd's Crown, by Terry Pratchett

Series: Discworld #41
Publisher: Harper
Copyright: 2015
Printing: 2016
ISBN: 0-06-242998-1
Format: Trade paperback
Pages: 276

The Shepherd's Crown is the 41st and final Discworld novel and the 5th and final Tiffany Aching novel. You should not start here.

There is a pretty major character event in the second chapter of this book. I'm not going to say directly what it is, but you will likely be able to guess from the rest of the review. If you're particularly averse to spoilers, you may want to skip reading this until you've read the book.

Tiffany Aching is extremely busy. Witches are responsible for all the little tasks that fall between the cracks, and there are a lot of cracks. The better she gets at her job, the more of the job there seems to be.

"Well," said Tiffany, "there's too much to be done and not enough people to do it."

The smile that the kelda gave her was a strange one. The little woman said, "Do ye let them try? Ye mustn't be afraid to ask for help. Pride is a good thing, my girl, but it will kill you in time."

And that's before an earth-shattering change in the world of witches, one that leaves Tiffany shuttling between Lancre and the Chalk trying to be too many things to too many people. Plus the kelda is worried some deeper trouble is brewing. And then Tiffany gets an exiled elven queen who has never understood the worth of other people dumped on her, and has to figure out what to do with her.

The starting idea is great. I continue to be impressed with how well Pratchett handles Tiffany's coming-of-age story. Finding one's place in the world isn't one lesson or event; it's layers of them, with each new growth in responsibility uncovering new things to learn that are often quite different from the previous problems. Tiffany has worked through child problems, adolescent problems, and new adulthood problems. Now she's on a course towards burnout, which is exactly the kind of problem Tiffany would have given her personality.

Even better, the writing at the start of The Shepherd's Crown is tight and controlled and sounds like Pratchett, which was a relief after the mess of Raising Steam. The contrast is so sharp that I found myself wondering if parts of this book had been written earlier, or if Pratchett found a new writing or editing method. The characters all sound like themselves, and although some of the turns of phrase are not quite as sharp as in earlier books, they're at least at the level of Snuff.

Unfortunately, it doesn't last. There are some great moments and some good quotes, but the writing starts to slip at about the two-thirds point, the sentences begin to meander, the characters start repeating the name of the person they're talking to, and the narration becomes increasingly strained. It felt like Pratchett knew the emotional tone he wanted to evoke but couldn't find a subtle way to express it, so the story and the characters start to bludgeon the reader with Grand Statements. It's never as bad as Raising Steam, but it doesn't slip smoothly off the page to rewrite your brain the way that Pratchett could at his best.

What makes this worse is that the plot is not very interesting. I wanted to read a book about Tiffany understanding burnout, asking for help, and possibly also about mental load and how difficult delegation is. There is some movement in that direction: she takes on some apprentices, although we don't see as much of her interactions with them as I'd like, and there's an intriguing new male character who wants to be a witch. I wish Pratchett had been able to give Geoffrey his own book. He and his goat were the best part of the story, but it felt rushed and I think he would have had more impact if the reader got to see him develop his skills over time the way that we did with Tiffany.

But, alas, all of that is side story to the main plot, which is about elves.

As you may know from previous reviews, I do not get along with Pratchett's conception of elves. I find them boring and too obviously evil, and have since Lords and Ladies. Villains have never been one of Pratchett's strengths, and I think his elves are my least favorite. One of the goals of this book is to try to make them less one-note by having Tiffany try to teach one of them empathy, but I didn't find any of the queen's story arc convincing. If Pratchett had pulled those threads together with something more subtle, emotional, and subversive, I think it could have worked, but instead we got another battle royale, and Lords and Ladies did that better.

"Granny never said as she was better than others. She just got on with it and showed 'em and people worked it out for themselves."

And so we come to the end. I wish I could say that the quality held up through the whole series, and it nearly did, but alas it fell apart a bit at the end. Raising Steam I would skip entirely. The Shepherd's Crown is not that bad, but it's minor Pratchett that's worth reading mainly because it's the send-off (and there are a lot of reasons within the story to think Pratchett knew that when writing it). There are a few great lines, some catharsis, and a pretty solid ending for Tiffany, but it's probably not a book that I'll re-read.

Content warning: major character death.

Special thanks to Emmet Asher-Perrin, whose Tor.com/Reactor re-read of all of Discworld got me to pick the series up again and finally commit to reading all of it. I'm very glad I did.

Rating: 6 out of 10

365 TomorrowsIt’s More Efficient This Way

Author: Dean Ward Prisons take up so much room, that’s the problem. We’re not denying the need for them, but we would like to see the space used for something… more beneficial. Like a park. Or a school. Or a community centre. Or a library. or, well, you get the idea. Something nice, something that […]

The post It’s More Efficient This Way appeared first on 365tomorrows.


Planet DebianDirk Eddelbuettel: pkgKitten 0.2.4 on CRAN: Updates

kitten

A shiny new release 0.2.4 of pkgKitten arrived on CRAN earlier, and has also been uploaded to Debian. pkgKitten makes it simple to create new R packages via a simple function invocation. A wrapper kitten.r exists in the littler package to make it even easier.

This release contains several improvements to the (optional) setup of the (wonderful) tinytest package, now supports the (now mandatory) ‘Authors@R’ field and polishes a few aspects around the package repository and continuous integration.

The set of changes follows.

Changes in version 0.2.4 (2024-08-30)

  • The .Rbuildignore stanza now includes .github

  • The support of and usage illustrations of tinytest are much enhanced (Paul Hudor in #18 addressing #19 and #20)

  • The .gitignore file now includes C++ related files

  • Improvements and polish to badges and continuous integration

  • The DESCRIPTION file now contains an Authors@R entry

More details about the package are at the pkgKitten webpage, the pkgKitten docs site, and the pkgKitten GitHub repo.

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianSteve McIntyre: Party like it's 2024

It (was) that time of year again - last weekend we hosted a bunch of nice people at our place in Cambridge for the annual Debian UK OMGWTFBBQ!

can you BBQ gin??

Lots of friends, lots of good food and drink. Of course lots of geeky discussions about Debian, networking, random computer languages and... screws? And of course some card games to keep us laughing into each night!

beer anyone?

Many thanks to a number of awesome friendly people for again sponsoring the important refreshments for the weekend. It's hungry/thirsty work celebrating like this!

Planet DebianSahil Dhiman: Debconf24 Busan

DebConf24 was held in Busan, South Korea, from July 28th to August 4th 2024 and was preceded by DebCamp from July 21st to July 27th. This was my second IRL DebConf (DC) and fourth one in total. I started in Debian with a DebConf, so it's always an occasion when one happens.

This year again, I worked in the fundraising team, working to raise funds from international sponsors. We did manage to raise good enough funding, albeit less than budgeted. Though the local Korean team was able to connect with and gather many governmental sponsors, which was quite surprising for me.

I wasn’t seriously considering attending DebConf until I discussed this with Nilesh. More or less, his efforts helped push me through the whole process. Thanks, Nilesh, for this. In March, I got my passport and started preparing documents for the South Korean visa. It did require quite a lot of paperwork, but seeing South Korea’s fresh-passport visa rejection rate, I had doubts about visa acceptance. The visa finally got approved, which could be attributed to great documentation and help from the DebConf visa team. This was also my first trip outside India, and this being to DebConf made many things easy. Most stuff was documented on the DebConf website and wiki. Asking a query got immediate responses from someone in the DebConf channels.

We then booked a direct flight from Delhi, reaching Seoul in the morning. With good directions from Sourab TK, who had reached Seoul a few hours earlier, we quickly got Korean won, a local SIM and a T-money card (transportation card) and headed towards Seoul by AREX, the airport metro. We spent the next two days exploring Seoul, which is huge. It probably has the highest number of skyscrapers I have ever seen. The city has a good mix of modern and ancient culture. We explored various places in Seoul including Gyeongbokgung Palace, the Statue of King Sejong, Bukchon Hanok Village, N Seoul Tower and various food markets, which were amazing.

A Street in Seoul

Next, we headed to Busan for DebConf using KTX (Korean high-speed rail). (Fun fact: the slogan of the City of Busan is “Busan is Good”.) South Korea has a good network of frequently running high-speed trains. We had pre-booked our tickets because, despite the frequency, trains were sold out most of the time. The KTX ride was quite smooth, despite travelling at 300 km/h at times through the Korean countryside and long mountain tunnels.

View from Dorm Room
PKNU Entrance

The venue for DebConf was Pukyong National University (PKNU), Daeyeon Campus. PKNU has two campuses in Busan and some folks ended up in the wrong campus too. With good help and guidance from the front desk, we got our dormitory rooms assigned. Dorms here were quite different, i.e.:

  • Rooms had heated floors. It seems to snow in Busan.
  • Each area had card-based access. There was a separate card for laundry too.
  • Rooms had announcement systems right inside the room, though we couldn’t decipher any announcement as all of them were in Korean.
  • Each room was provided with a dedicated access point and its own SSID inside the room.
View from Dorm Room

Settling in was easy. We started meeting familiar folks after almost a year. The long conversations started again. Everyone was excited for DebConf.

Like every time, the first day was full of action (and chaos). Meet and greet, volunteer check-in, the video team running around and fixing stuff, and things working (or not). There were some interesting talks and sponsor stalls. After day one, things more or less settled down. I again volunteered for video team stuff and helped in camera operations and talk direction, which is always fun. As tradition applies, I saw a few talks live on stream too, sitting in the dorm room during the conf, which is always fun when too tired to get ready and go out.

From Talk Director's chair

DebConf takes care of food needs for vegan/vegetarian folks well, of which I’m one. I got to try different food items, which was quite an experience. I tried using chopsticks again, which didn’t work; I later figured out that handling metal ones is more difficult. We had late night ramens and wooden chopsticks worked perfectly. One of the days, we even went out to an Indian restaurant to have some desi aloo paratha, paneer dishes, samosas and chai (milk tea). I wasn’t particularly craving desi food but wasn’t able to get something according to my taste, so went there.

As usual Bits from DPL talk was packed

For the day trip, I went to Ulsan. San means mountains in Korean. Ulsan is a port city with many industries, including the Hyundai car factory, petrochemical industry, paint industry, ship building etc. We saw a bamboo forest, Ulsan tower (quite a view towards Ulsan port), whale village, Ulsan Onggi Museum and the sea (which was beautiful).

The beautiful sea

View from Ulsan Bridge Observatory

Amongst the sponsors, I was most interested in our network sponsors, which are national research and education networks (NRENs) here. We had two network sponsors, KOREN and KREONET, thanks to efforts by the local team. Initially it was discussed that they’d provide 20G uplink each, so 40G in total, which was already whopping, but by the time the closing talk happened, we got to know we had a 200G uplink to the Internet. This was a massive update on last year, when we had a 1G main and 100M backup link. 200G wasn’t what was required, but it was massive capacity and IIRC from the talk, we peaked at around 500M in usage, but it’s always fun to have an astronomical amount of bandwidth for bragging rights ;)

Various mascots in attendance

Video and Network stats. Screengrab from closing ceremony

Now let’s talk about things I found interesting about South Korea in general:

  • Convenience stores were everywhere; one could see same-brand stores less than a kilometer apart. We even had two of them (GS25s) just a road crossing apart. These places were well stocked with almost everything, even alcohol.
  • There were wide footpaths and pedestrian-friendly policies.
  • Public transport and intra-modal transfer is convenient and easy to figure out. Each metro station connects to multiple nearby buildings through underground walkways, and one never had to go out in the sun (in hot and humid weather). Also, the Seoul and Busan metro networks were massive. The same T Money card worked for buses (almost hop on, tap and hop off at your destination), metros and even cabs.
  • South Korea pays special attention to maintaining its historical and cultural buildings. These venues had informational brochures in Korean, English, Japanese and Chinese.
  • We got a constant stream of “Public safety alerts” on our phones. Some phones even read them aloud for heatwave and rain warnings, all in Korean.
  • Trash was segregated at source everywhere.
  • Public, high-speed Wi-Fi was omnipresent in malls, public transport, airports etc. In the metro, each coach had access points from all three telecom providers (SK Telecom, KT and LG U+), which also had almost similar voice and data plans.
  • Police personnel were quite helpful despite the language issue.
  • Not many folks here are comfortable in English, but one can always make use of various mobile translation apps.
  • Cards are accepted everywhere and there are too many of these cards ;)
  • The food situation was a bit difficult for me as a vegetarian. We always have vegan/veg food at DebConf but outside, this whole concept doesn’t seem to exist here.
  • I couldn’t find any public speedtest servers inside Korea. All my fast.com/speedtest.net servers were located in either Hong Kong, Singapore, Japan or even the United States. On the very last day, I got a speedtest server in Seoul, inside SK Telecom.

Grand Gyeongbokgung Palace, Seoul

Starfield Library, Seoul

If one wants to get the whole DebConf experience, it’s better to attend DebCamp as well because that’s when you can sit and interact with everyone better. As DebConf starts, everyone gets busy in various talks and events and things pick up pace. DebConf days literally fly. This year, attending DebConf in person was a different experience. Attending DebConf without any organizational work/stress was better, and I was able to understand the workings of different Debian teams and workflows better, while also identifying a few where I would like to join and help. A general conclusion was that almost all Debian teams need more folks to help out. So if someone wants to join, they can probably reach out to the team, which would be able to onboard new folks. Though this would require some patience. Kudos to the Korean team who were able to pull off this event under this tight timeline and thanks for all the hospitality.

DebConf24 Group Photo
Credits - Aigars Mahinovs

This whole experience expanded my world view. There’s so much to see and explore and understand. Looking forward to DebConf25 in Brest, France.

PS - Shoutout to abbyck (aka hamCK)!

Worse Than FailureError'd: Coast Star

On a vacation trip this week. The diligent will be able to discover the location with a tiny bit of sleuthing, but I won't be there now.

An anonymous traveler reports "I've been trying to contact them but I don't think they check their email very often."


Naturalist Mike has a bone to pick with the Brevard Zoo, subtly suggesting "I'm not sure this conservation message is on point."


Faithful Michael R. beefs with LinkedIn's date grammar: "Fast forward into the past, LinkedIn."


Hardcore Daniel hammers Manhattan. "I didn’t know it, but apparently I enjoy biking up and down Broadway faster than Lance Armstrong."


Finally, another anonymous player wonders "Does this mean I will learn 8 minutes in 3 minutes or 3 minutes in 8 minutes?" It means Lean Six is really only Two, obviously.



365 TomorrowsThe Lonely Flower Seller

Author: Anndria Smuk The field does not sit within the bounds of time. It is eternal while at the same time deceased. Do not try to search for a deeper meaning in this field. The only other way one could put it is as a meadow but not much more. A meadow with overgrown grass […]

The post The Lonely Flower Seller appeared first on 365tomorrows.

Planet DebianRuss Allbery: Review: Thornhedge

Review: Thornhedge, by T. Kingfisher

Publisher: Tor
Copyright: 2023
ISBN: 1-250-24410-2
Format: Kindle
Pages: 116

Thornhedge is a fantasy novella by T. Kingfisher, the pen name that Ursula Vernon uses for her adult writing. It won the 2024 Hugo Award for best novella. No matter how much my brain wants to misspell the title, it is a story about a hedge, not a Neolithic earthwork.

The fairy was the greenish-tan color of mushroom stems and her skin bruised blue-black, like mushroom flesh. She had a broad, frog-like face and waterweed hair. She was neither beautiful nor made of malice, as many of the Fair Folk are said to be.

There is a princess asleep in a tower, surrounded by a wall of thorns. Toadling's job is to keep anyone from foolishly breaking in. At first, it was a constant struggle and all that she could manage, but with time, the flood of princes slowed to a trickle. A road was built and abandoned. People fled. There was a plague. With any luck, the tower was finally forgotten.

Then a knight shows up. Not a very rich knight, nor a very successful knight. Just a polite and very persistent knight who wants to get into the tower that Toadling does not want him to get into.

As you might have guessed, this is a Sleeping Beauty retelling. As you may have also guessed from the author, or from the cover text that says "not all curses should be broken," this version is a bit different. How and why it departs from the original is a surprise that slowly unfolds over the course of the story, in parallel to a delicate, cautious, and delightfully kind-hearted conversation between the knight and the fairy.

If you have read a T. Kingfisher story before, particularly one of her fractured fairy tales, you know what to expect. Toadling is one of her typical well-meaning, earnest, slightly awkward protagonists who is just trying to do the right thing in a confusing world full of problems and dangers. She's constantly overwhelmed and yet she keeps going, because what else is there to do. Like a lot of Kingfisher's writing, it's a story about quiet courage from someone who doesn't consider herself courageous. One of the twists this time is that the knight is a character from a similar vein: doggedly unwilling to leave any problem alone, but equally determined to try to be kind. The two of them together make for a story with a gentle and rather melancholy tone.

We do, eventually, learn the whole backstory of the tower, the wall of thorns, and Toadling. There is a god, a rather memorable one, who is frustratingly cryptic in the way that gods are. There are monsters who are more loving than most humans. There are humans who turn out to be surprisingly decent when it matters. And, like most of Kingfisher's writing, there is a constant awareness of how complicated the world is, how full it is of people who are just trying to get through each day, and how heavy of burdens people can shoulder when they don't see another way.

This story pulled me right in. It is not horror, although there are a few odd bits like there always are in Kingfisher stories. Your largest risk as a reader is that it might make you cry if stories about earnest people doing their best in overwhelming situations hit you that way. My primary complaint is that there was nowhere near enough ending for me. After everything I learned about the characters, I wanted to spend some time with them outside of the bounds of the story. Kingfisher points the reader in a direction and then leaves the rest to your imagination, and I can see why she chose that story construction, but I wanted more catharsis than I got.

That complaint aside, this is quintessential T. Kingfisher, and I am unsurprised that it won a Hugo. If you've read any of her other fractured fairy tales, or the 2023 Hugo winner for best novel, you know the sort of stories she tells, and you probably know whether you will like this. I am one of the people who like this.

Rating: 8 out of 10

Planet DebianSteve McIntyre: A birthday gift to remember!

Warning: If you're not into meat, you might want to skip the rest of this...

This year, I turned 50. Wow. Lots of friends and family turned up to help me celebrate, with a BBQ (of course!). I was very grateful for a lovely set of gifts from those awesome people, and I have a number of driving experiences to book in the next year or so. I'm going to have so much fun driving silly cars on and off road!

However, the most surprising gift was something totally different - a full-day course of hands-on pork butchery. I was utterly bemused - I've never considered doing anything like this at all, and I'd certainly never talked to friends about anything like it either. I was shocked, but in a good way!

So, two weekends back Jo and I went over to Empire Farm in Somerset. We stayed nearby so we could be ready on-site early on Sunday morning, and then we joined three other people doing the course. Jo was there to observe, i.e. to watch and take (lots of!) pictures.

I can genuinely say that this was the most fun surprise gift I've ever received! David Coldman, the master butcher working with us, has been in the industry for many years. He was an excellent teacher, showing us everything we needed to know and being very patient with us when we needed it. It was great to hear his philosophy too - he only uses the very best locally-sourced meat and focuses on quality over quantity. He showed us all the different cuts of pork that a butcher will make, and we were encouraged to take everything home - no waste here!

half a pig

At the beginning of the day, we each started with half a pig. Over the next several hours, we steadily worked our way through a series of cuts with knife and saw, making the remaining pig smaller and smaller as we went.

saw

knife

We finished the day with three sets of meat. First, a stack of vacuum-packed joints, chops and steaks ready for cooking and eating at home. Second: a box of off-cuts that we minced and made into sausages at the end of the day. Finally: a bag of skin and bones. Our friend's dog got some of the bones, and Jo turned a lot of the skin into crackling that we shared with friends at the OMGWTFBBQ the next weekend.

sausages

This was an amazing day. Massive thanks to my good friend Chris Walker for suggesting this gift. As I told David on the day: this was the most fun surprise gift I've ever received. Good hands-on teaching in a new craft is an incredible thing to experience, and I can't recommend this course highly enough.

Planet DebianReproducible Builds (diffoscope): diffoscope 277 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 277. This version includes the following changes:

[ Sergei Trofimovich ]
* Don't crash when attempting to hash symlinks with targets that point to
  a directory.

You can find out more by visiting the project homepage.


Cryptogram Matthew Green on Telegram’s Encryption

Matthew Green wrote a really good blog post on what Telegram’s encryption is and is not.

EDITED TO ADD (8/28): Another good explainer from Kaspersky.

Cryptogram Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published

The “long lost lecture” by Adm. Grace Hopper has been published by the NSA. (Note that there are two parts.)

It’s a wonderful talk: funny, engaging, wise, prescient. Remember that talk was given in 1982, less than a year before the ARPANET switched to TCP/IP and the internet went operational. She was a remarkable person.

Listening to it, and thinking about the audience of NSA engineers, I wonder how much of what she’s talking about as the future of computing—miniaturization, parallelization—was being done in the present and in secret.

Planet DebianJonathan Carter: Orphaning bcachefs-tools in Debian

Around a decade ago, I was happy to learn about bcache – a Linux block cache system that implements tiered storage (like a pool of hard disks with SSDs for cache) on Linux. At that stage, ZFS on Linux was nowhere close to where it is today, so any progress on gaining more ZFS features in general Linux systems was very welcome. These days we care a bit less about tiered storage, since any cost benefit in using anything other than NVMe tends to quickly evaporate compared to the time you eventually lose on it.

In 2015, it was announced that bcache would grow into its own filesystem. This was particularly exciting and it caused quite a buzz in the Linux community, because it brought along with it more features that compare with ZFS (and also btrfs), including built-in compression, built-in encryption, check-summing and RAID implementations.

Unlike ZFS, it didn’t have a dkms module, so if you wanted to test bcachefs back then, you’d have to pull the entire upstream bcachefs kernel source tree and compile it. Not ideal, but for a promise of a new, shiny, full-featured filesystem, it was worth it.

In 2019, it seemed that the time had come for bcachefs to be merged into Linux, so I thought that it was about time we had the userspace tools (bcachefs-tools) packaged in Debian. Even if the Debian kernel wouldn’t have it yet by the time the bullseye (Debian 11) release happened, it might still have been useful for a future backported kernel or users who roll their own.

By total coincidence, the first git snapshot that I got into Debian (version 0.1+git20190829.aa2a42b) was committed exactly 5 years ago today.

It was quite easy to package it, since it was written in C and shipped with a makefile that just worked, and it made it past NEW into unstable on 19 January 2020, just as I was about to head off to FOSDEM as the pandemic started, but that’s of course a whole other story.

Fast-forwarding towards the end of 2023, version 1.2 shipped with some utilities written in Rust. This caused a little delay, since I wasn’t at all familiar with Rust packaging yet, so I shipped an update that didn’t yet include those utilities, and saw this as an opportunity to learn more about how the Rust ecosystem worked and Rust in Debian.

So, back in April the Rust dependencies for bcachefs-tools in Debian didn’t at all match the build requirements. I got some help from the Rust team, who said that the common practice is to relax the dependencies of Rust software so that it builds in Debian. So errno, which needed the exact version 0.2, was relaxed so that it could build with version 0.4 in Debian, udev 0.7 was relaxed for 0.8 in Debian, memoffset from 0.8.5 to 0.6.5, paste from 1.0.11 to 1.08 and bindgen from 0.69.9 to 0.66.

I found this a bit disturbing, but it seems that some Rust people have lots of confidence that if something builds, it will run fine. And at least it did build, and the resulting binaries did work, although I’m personally still not very comfortable or confident about this approach (perhaps that might change as I learn more about Rust).
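To make concrete what "relaxing" these requirements means, here is an added example (my own code, not from bcachefs-tools, the Debian packaging or the Rust team) that models Cargo's default caret semantics for a version requirement and applies them to the five relaxations listed above. The crate names and version strings are copied from the text; everything else (the `Version` type, `parse_version`, `caret_satisfies`, `incompatible_relaxations`) is mine. One assumption is flagged in the code: paste's Debian version is written as "1.08" in the post, which this parser reads literally as 1.8.0 and therefore as inside ^1.0.11; if 1.0.8 was meant, it would instead fall below the minimum upstream asked for.

```rust
// Added example: a minimal model of Cargo's default ("caret") version
// requirement matching, used to check whether the relaxed dependency
// versions from the post fall inside the range upstream declared.
// This is illustrative code, not bcachefs-tools or Debian tooling.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

/// Parse "MAJOR[.MINOR[.PATCH]]" (optionally prefixed with '^') into a
/// Version plus the number of components the author actually wrote (1..=3).
/// Returns None on malformed input instead of panicking.
pub fn parse_version(s: &str) -> Option<(Version, usize)> {
    let s = s.trim().trim_start_matches('^');
    let mut parts = [0u64; 3];
    let mut count = 0;
    for piece in s.split('.') {
        if count == 3 {
            return None; // more than three components
        }
        parts[count] = piece.parse().ok()?;
        count += 1;
    }
    Some((Version { major: parts[0], minor: parts[1], patch: parts[2] }, count))
}

/// Exclusive upper bound of a caret requirement: bump the leftmost non-zero
/// component among those written; if every written component is zero, bump
/// the last written one. This is what makes "0.2" mean >=0.2.0, <0.3.0 and
/// "1.0.11" mean >=1.0.11, <2.0.0.
fn caret_upper_bound(req: Version, written: usize) -> Version {
    let comps = [req.major, req.minor, req.patch];
    let idx = (0..written).find(|&i| comps[i] != 0).unwrap_or(written - 1);
    let mut upper = [0u64; 3];
    upper[idx] = comps[idx] + 1;
    Version { major: upper[0], minor: upper[1], patch: upper[2] }
}

/// True if `available` satisfies the caret requirement `required`,
/// i.e. required <= available < upper_bound(required).
pub fn caret_satisfies(required: &str, available: &str) -> bool {
    let (req, written) = match parse_version(required) {
        Some(v) => v,
        None => return false,
    };
    let avail = match parse_version(available) {
        Some((v, _)) => v,
        None => return false,
    };
    avail >= req && avail < caret_upper_bound(req, written)
}

/// (crate, upstream requirement, version available in Debian), copied from
/// the post. "1.08" for paste is kept as written there (assumption: taken
/// literally, it parses as 1.8.0).
pub const RELAXATIONS: [(&str, &str, &str); 5] = [
    ("errno", "0.2", "0.4"),
    ("udev", "0.7", "0.8"),
    ("memoffset", "0.8.5", "0.6.5"),
    ("paste", "1.0.11", "1.08"),
    ("bindgen", "0.69.9", "0.66"),
];

/// Names of the relaxed crates whose Debian version does NOT satisfy the
/// upstream requirement under Cargo's default semantics.
pub fn incompatible_relaxations() -> Vec<&'static str> {
    RELAXATIONS
        .iter()
        .filter(|&&(_, req, avail)| !caret_satisfies(req, avail))
        .map(|&(name, _, _)| name)
        .collect()
}

fn main() {
    for &(name, req, avail) in RELAXATIONS.iter() {
        println!(
            "{:<10} upstream wants ^{:<7} Debian has {:<7} semver-compatible: {}",
            name, req, avail, caret_satisfies(req, avail)
        );
    }
}
```

Run as a binary it prints one line per crate; four of the five relaxations (errno, udev, memoffset, bindgen) are outside the declared range, two of them below the minimum upstream asked for. That is the point of the passage: once the range is overridden, a successful build is the only remaining evidence of API compatibility, and semver gives no guarantee about behaviour.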

With that in mind, at this point you may wonder how any distribution could sanely package this. The problem is that they can’t. Fedora and other distributions with stable releases take a similar approach to what we’ve done in Debian, while distributions with much more relaxed policies (like Arch) include all the dependencies as they are vendored upstream.

As it stands now, bcachefs-tools is impossible to maintain in Debian stable. While my primary concerns when packaging are for Debian unstable and the next stable release, I also keep in mind people who have to support these packages long after I stopped caring about them (like Freexian, who does LTS support for Debian, or Canonical, who has long-term Ubuntu support, and probably other organisations that I’ve never even heard of yet). And of course, if bcachefs-tools doesn’t have any usable stable releases, it doesn’t have any LTS releases either, so anyone who needs to support bcachefs-tools long-term has to carry the support burden on their own, and if they bundle its dependencies, then those as well.

I’ll admit that I don’t have any solution for fixing this. I suppose if I were upstream I might look into the possibility of at least supporting a larger range of recent dependencies (usually easy enough if you don’t hop onto the newest features right away) so that distributions with stable releases only need to concern themselves with providing some minimum recent versions, but even if that could work, the upstream author is 100% against any solution other than vendoring all its dependencies with the utility and insisting that it must only be built using these bundled dependencies. I’ve made 6 uploads for this package so far this year, but still I constantly get complaints that it’s out of date and that it’s ancient. If a piece of software is considered so old that it’s useless by the time it’s been published for two or three months, then there’s no way it can survive even a usual stable release cycle, never mind any kind of long-term support.

With this in mind (not even considering some hostile emails that I recently received from the upstream developer or his public rants on lkml and reddit), I decided to remove bcachefs-tools from Debian completely. Although after discussing this with another DD, I was convinced to orphan it instead, which I have now done. I made an upload to experimental so that it’s still available if someone wants to work on it (without having to go through NEW again), it’s been removed from unstable so that it doesn’t migrate to testing, and the ancient (especially by bcachefs-tools standards) versions that are in stable and oldstable will be removed too, since they are very likely to cause damage with any recent kernel versions that support bcachefs.

And so, my adventure with bcachefs-tools comes to an end. I’d advise that if you consider using bcachefs for any kind of production use in the near future, you first consider how supportable it is long-term, and whether there’s really anyone at all that is succeeding in providing stable support for it.

Worse Than FailureRepresentative Line: Null Ability

The addition of nullable or optional types to mainstream languages was a net good. It doesn't completely solve the billion-dollar mistake, but it makes it far easier to write safe code.

For most of us anyway.

Sam found this representative line, which shows how one of his peers understands nullable types to work:

DateTime? current = new DateTime?();

I actually don't think I've ever seen anyone create an instance of the nullable wrapper directly, like this. I've never contemplated doing it. The more traditional usage would be something like:

DateTime? current = someFunctionWhichMayReturnAValueOrNull();

We don't know if we got a null or not, but because it's wrapped in a nullable type, we can still handle it safely without risking a null reference exception.

Instantiating a nullable type directly results in a nullable type that is known to be empty. Which I can imagine some uses for, I suppose, but still seems like a real weird choice. And it's unclear why; if you really wanted that, you'd just do DateTime? current = null; which is a more obvious way to say the same thing.

In the end, I'm not certain this is actually a WTF, but it still perplexes me. And it's a representative line: this pattern appears everywhere in Sam's codebase, with enough frequency that it's more of a surprise when people use nullables the standard way.


365 TomorrowsAlexandria Perditus

Author: Michael Anthony Dioguardi Leonard slid his finger too quickly across the creases of the library’s map, snagging a thread of the papyrus beneath his fingernail. He fiddled with his mistake, trying in vain to reattach the ancient fibers. Leonard was the world’s clumsiest time-traveler. He pinched its ripped sides, tearing at the creases even […]

The post Alexandria Perditus appeared first on 365tomorrows.

Planet DebianMichael Ablassmeier: proxmox backup S3 proxy

A few weeks ago Tiziano Bacocco started a small project to implement a (golang) proxy that allows storing proxmox backups on S3 compatible storage: pmoxs3backuproxy, a feature which the current backup server does not have.

I wanted to have a look at the Proxmox Backup Server implementation for a while, so I jumped on the wagon and helped with adding most of the API endpoints required to seamlessly use it as a drop-in replacement in PVE.

The current version can be configured as storage backend in PVE. You can then schedule your backups to the S3 storage likewise.

It now supports both the Fixed index format required to create virtual machine backups and the Dynamic index format, used by the regular proxmox-backup-client for file and container backups. (full and incremental)

The other endpoints like adding notes, removing or protecting backups, mounting images using the PVE frontend (or proxmox-backup-client) work too. It comes with a garbage collector that does prune the backup storage if snapshots expire and runs integrity checks on the data.

You can also configure it as so-called “remote” storage in the Proxmox Backup server itself and pull back complete buckets using “proxmox-backup-manager pull”, if your local datastore crashes.

I think it will become more interesting if future proxmox versions allow pushing backups to other stores, too.


Krebs on SecurityWhen Get-Out-The-Vote Efforts Look Like Phishing

Multiple media reports this week warned Americans to be on guard against a new phishing scam that arrives in a text message informing recipients they are not yet registered to vote. A bit of digging reveals the missives were sent by a California political consulting firm as part of a well-meaning but potentially counterproductive get-out-the-vote effort that had all the hallmarks of a phishing campaign.

Image: WDIV Detroit on Youtube.

On Aug. 27, the local Channel 4 affiliate WDIV in Detroit warned about a new SMS message wave that they said could prevent registered voters from casting their ballot. The story didn’t explain how or why the scam could block eligible voters from casting ballots, but it did show one of the related text messages, which linked to the site all-vote.com.

“We have you in our records as not registered to vote,” the unbidden SMS advised. “Check your registration status & register in 2 minutes.”

Similar warnings came from an ABC station in Arizona, and from an NBC affiliate in Pennsylvania, where election officials just issued an alert to be on the lookout for scam messages coming from all-vote.com. Some people interviewed who received the messages said they figured it was a scam because they knew for a fact they were registered to vote in their state. WDIV even interviewed a seventh-grader from Canada who said he also got the SMS saying he wasn’t registered to vote.

Someone trying to determine whether all-vote.com was legitimate might visit the main URL first (as opposed to just clicking the link in the SMS) to find out more about the organization. But visiting all-vote.com directly presents one with a login page to an online service called bl.ink. DomainTools.com finds all-vote.com was registered on July 10, 2024. Red flag #1.

The information requested from people who visited votewin.org via the SMS campaign.

Another version of this SMS campaign told recipients to check their voter status at a site called votewin.org, which DomainTools says was registered July 9, 2024. There is little information about who runs votewin.org on its website, and the contact page leads to a generic contact form. Red Flag #2.

What’s more, Votewin.org asks visitors to supply their name, address, email address, date of birth and mobile phone number, while pre-checking options to sign the visitor up for more notifications. Big Red Flag #3.

Votewin.org’s Terms of Service referenced a California-based voter engagement platform called VoteAmerica LLC. The same voter registration query form advertised in the SMS messages is available if one clicks the “check your registration status” link on voteamerica.org.

VoteAmerica founder Debra Cleaver told KrebsOnSecurity the entity responsible for the SMS campaigns telling people they weren’t registered is Movement Labs, a political consulting firm in San Francisco.

Cleaver said her office had received several inquiries about the messages, which violate a key tenet of election outreach: Never tell the recipient what their voter status may be.

“That’s one of the worst practices,” Cleaver said. “You never tell someone what the voter file says because voter files are not reliable, and are often out of date.”

Reached via email, Movement Labs founder Yoni Landau said the SMS campaigns targeted “underrepresented groups in the electorate, young people, folks who are moving, low income households and the like, who are unregistered in our databases, with the intent to help them register to vote.”

Landau said filling out the form on Votewin.org merely checks to see if the visitor is registered to vote in their state, and then attempts to help them register if not.

“We understand that many people are jarred by the messages – we tested hundreds of variations of messages and found that these had the largest impact on someone’s likelihood to register,” he said. “I’m deeply sorry for anyone that may have gotten the message in error, who is registered to vote, and we’re looking into our content now to see if there are any variations that might be less certain but still as effective in generating new legal registrations.”

Cleaver said Movement Labs’ SMS campaign may have been incompetent, but it wasn’t malicious.

“When you work in voter mobilization, it’s not enough to want to do good, you actually need to be good,” she said. “At the end of the day the end result of incompetence and maliciousness is the same: increased chaos, reduced voter turnout, and long-term harm to our democracy.”

To register to vote or to update your voter registration, visit vote.gov and select your state or region.

Planet DebianDebian Brasil: Debian Day 2024 in Belém and Poços de Caldas - Brazil

by Paulo Henrique de Lima Santana (phls)

Below we list the links to the reports and news about Debian Day 2024 held in Belém and Poços de Caldas:

Worse Than FailureCodeSOD: IsEmptyOrNullOrNullOrEmpty

Peter was tracking down some bugs, when he found code which looks like this:

if (IsEmptyOrNull(myInput))
{
    // do things that clearly expect myInput to NOT be null or empty
} else {
    throw new BadInputException("The input must not be null.");
}

Names are made up above, to illustrate the flow of code.

This seemed wildly wrong, and was possibly the source of the bug, so Peter dove in. Unfortunately, this wasn't the bug. You see, IsEmptyOrNull is not a built-in function. But it wraps one.

public bool IsEmptyOrNull(string param1)
{
   return !String.IsNullOrEmpty(param1);
}

Wrapping a small built-in function is already a code smell. Making the name almost identical but not quite is also a code smell. But reversing the meaning because you reversed the name is absolutely bonkers.

Did they think that A or B != B or A? Because that's what this implies. The fact that anyone used this function, when its usage was so clearly contradicting its name, speaks to a deep level of nobody caring.

It was, at least, an easy refactoring. But it speaks to how thoroughly broken their codebase is.


365 TomorrowsGoogle’s Earth

Author: Majoki “I’d like to believe you, but you can see very clearly that you don’t exist.” “I’m not on your fucking map, but I’m right here, right damn now.” “Not as verifiable data.” “You’ve got eyes. You’ve got ears. You can fucking punch me to verify my presence.” “That’s not how this works. We […]

The post Google’s Earth appeared first on 365tomorrows.


Krebs on SecurityNew 0-Day Attacks Linked to China’s ‘Volt Typhoon’

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.


Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa Director 22.1.4 or later.

Versa said the weakness allows attackers to upload a file of their choosing to vulnerable systems. The advisory placed much of the blame on Versa customers who “failed to implement system hardening and firewall guidelines…leaving a management port exposed on the internet that provided the threat actors with initial access.”

Versa’s advisory doesn’t say how it learned of the zero-day flaw, but its vulnerability listing at mitre.org acknowledges “there are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.”

Those third-party reports came in late June 2024 from Michael Horka, senior lead information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones.

In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring at a U.S. ISP on June 12, 2024.

“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would want to view or control network infrastructure at scale, or pivot into additional (or downstream) networks of interest,” Horka wrote in a blog post published today.

Black Lotus Labs said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group — including zero-day attacks targeting IT infrastructure providers, and Java-based backdoors that run in memory only.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus,” which described how the group uses small office/home office (SOHO) network devices to hide its activity.

In early December 2023, Black Lotus Labs published its findings on “KV-botnet,” thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the U.S. Department of Justice disclosed the FBI had executed a court-authorized takedown of the KV-botnet shortly before Black Lotus Labs released its December report.

In February 2024, CISA again joined the FBI and NSA in warning Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations — primarily in communications, energy, transportation systems, and water and wastewater sectors — in the continental and non-continental United States and its territories, including Guam.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT [operational technology] assets to disrupt functions,” that alert warned.

In a speech at Vanderbilt University in April, FBI Director Christopher Wray said China is developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” and that China’s plan is to “land blows against civilian infrastructure to try to induce panic.”

Ryan English, an information security engineer at Lumen, said it’s disappointing his employer didn’t at least garner an honorable mention in Versa’s security advisory. But he said he’s glad there are now a lot fewer Versa systems exposed to this attack.

“Lumen has for the last nine weeks been very intimate with their leadership with the goal in mind of helping them mitigate this,” English said. “We’ve given them everything we could along the way, so it kind of sucks being referenced just as a third party.”

Worse Than FailureCodeSOD: Private Passwords

Lisa was working on a project she quite liked. The tech was cool, the problems being solved were interesting, and the team had a good working process. Company-wide, however, budgets were tight, and other projects were in much worse shape, so the project Lisa was on got put on pause, and her team was moved onto a different project.

Someone wanted to make sure that functions which had large side effects were only called in the right places. Now, most of us might use some mixture of public/private, clear documentation, and maybe some key flags and error checking to ensure this was the case.

This team had a… different approach.

// This is called so that Foo will unload all widgets before exiting.
// It is currently only called from Form1.Closing(). A password is *required*. If not correct, this function immediately returns.
public void UnloadAll(string pwd) {
   if (pwd == "FOO-> UNLOAD ALL") {
      ProcessRequest(RequestType.Unload, Environments.All);
   }
}

The caller must supply a password to this method, otherwise it does nothing. I want to stress, this isn't a password we expect the user to type in (having that hard-coded in the application code is a different WTF), but instead is a token that the calling code must supply if they want the function to execute.

This entire project exists in a single .NET Assembly, and the keyword private is never used once.


365 TomorrowsOne Body Problem

Author: Alastair Millar It’s the same whenever I wake up – floating free for those first few seconds of consciousness, aware of sounds but nothing else before the light coalesces into something meaningful. This morning, it’s the noises floating up from the street and through the open window as the day begins, the quiet whine […]

The post One Body Problem appeared first on 365tomorrows.

Planet DebianRuss Allbery: Review: Dark Horse

Review: Dark Horse, by Michelle Diener

Series: Class 5 #1
Publisher: Eclipse
Copyright: June 2015
ISBN: 0-9924559-3-6
Format: Kindle
Pages: 366

Dark Horse is a science fiction romance novel, the first of a five-book series as of this writing. It is self-published, although it is sufficiently well-edited and packaged that I had to do some searching to confirm that.

Rose was abducted by aliens. The Tecrans picked her up along with a selection of Earth animals, kept her in a cell in their starship, and experimented on her. As the book opens, she has managed to make her escape with the aid of an AI named Sazo who was also imprisoned on the Tecran ship. Sazo dealt with the Tecrans, dropped the ship in the middle of Grih territory, and then got Rose and most of the animals on shuttles to a nearby planet.

Dav Jallan is the commander of the ship the Grih sent to investigate the unexplained appearance of a Class 5 Tecran warship in the middle of their territory. The Grih and the Tecran, along with three other species, are members of the United Council, which means in theory they're all at peace. With the Tecran, that theory is often strained. Dav is not going to turn down one of their highly-advanced Class 5 warships delivered to him on a silver platter. There is only the matter of the unexpected cargo, the first orange dots (indicating unknown life forms) that most of the Grih have ever seen.

There is a romance. That romance did not work for me. I thought it was highly unprofessional on Dav's part and a bit too obviously constructed on the author's part. It also leans on the subgenre convention that aliens can be remarkably physically similar and sexually compatible, which always causes problems for my suspension of disbelief even though I know it's no less plausible than faster-than-light travel.

Despite that, I had so much fun with this book! It was absolutely delightful and weirdly grabby in a way that caught me by surprise. I was skimming some parts of it to write this review and found myself re-reading multiple pages before I dragged myself back on task.

I think the most charming part of this book is that the United Council has a law called the Sentient Beings Agreement that makes what the Tecran were doing extremely illegal, and the Grih and the other non-Tecran aliens take this very seriously and with a refreshing lack of cynicism. Rose has a typical human reaction to ending up in a place where she doesn't know the rules and isn't entirely an expected guest. She almost reflexively smoothes over miscommunications and tensions, trying to adapt to their expectations. And then, repeatedly, the Grih realize how much work she's doing to adapt to them, feel enraged at the Tecran and upset that they didn't understand or properly explain something, and find some way to make Rose feel more comfortable. It's surprisingly soothing and comforting to read.

It occurred to me in several places that Dark Horse could be read as a wish-fulfillment fantasy of what life as a woman could be like if men took their fair share of the mental load. (This concept is usually applied to housework, but I think it generalizes to other social and communication contexts.) I suspect this was not an accident.

There is a lot of wish fulfillment in this book. The Grih are very human-like but hunky, which is convenient for the romance subplot. They struggle to sing, value music exceptionally highly, and consider Rose's speaking voice beautifully musical. Her typical human habit of singing to herself is a source of immediate and almost overwhelming fascination. The supplies Rose takes from the Tecran ship when she flees just happen to be absurdly expensive scented shampoo and equally expensive luxury adaptable clothing. The world she lands on, and the Grih ship, are low-gravity compared to Earth, so Rose is unusually strong for her size. Grih military camouflage has no effect on her human vision. The book is set up to make Rose special.

If that type of wish fulfillment is going to grate, wait on this book until you're more in the mood for it. But I like wish fulfillment books when they're done well. Part of why I like to read is to imagine a better world. And Rose isn't doted on; despite their hospitality, she's constantly underestimated by the Grih. Even with their deep belief in the Sentient Beings Agreement, they find it hard to believe that an unknown sentient, even an advanced sentient, is really their equal. Their concern at the start is somewhat patronizing, so watching Rose constantly surprise them delighted the part of my brain that likes both competence porn and deserved reversals, even though the competence here is often due to accidents of biology. It helps that Diener tells the story in alternating perspectives, so the reader first watches Rose do something practical and straightforward from her perspective and then gets to enjoy the profound surprise and chagrin of the aliens.

There is a plot beneath this first contact story, and beyond the political problem of figuring out what to do with Rose and the Tecran. Sazo, Rose's AI friend, does not want the Grih to know he exists. He has a history that Rose does not know about and may not be entirely safe. As the political situation with the Tecran escalates, Sazo is pursuing goals of his own, and Rose has a firm opinion about where her loyalties should lie. The resolution is nothing ground-breaking as far as SF goes, but I thought it was satisfyingly tense and complex. Dark Horse leaves obvious room for a sequel, but it comes to a satisfying conclusion.

The writing is serviceable, particularly once you get into the story. I would not call it great, and it's not going to win any literary awards, but it didn't interfere with my enjoyment of the story.

This is not the sort of book that will make anyone's award list, but it is easily in the top five of books I had the most fun reading this year. Maybe save it for when you're looking for something light and wholesome and don't mind some rather obvious tropes, but if you're in the mood for imagining people who take laws seriously and sincerely try to help other people, I found this an utterly delightful way to pass the time. I immediately bought the sequel. Recommended.

Followed by Dark Deeds.

Rating: 8 out of 10


Cryptogram The Present and Future of TV Surveillance

Ars Technica has a good article on what’s happening in the world of television surveillance. More than even I realized.

Worse Than FailureCodeSOD: Compile It Yourself

Today's anonymous submitter, who we'll call Sally, works on medical devices. As you can imagine, the development process for such devices is very strict. I mean, it should be, but we know that the industry has problems.

Unfortunately for Sally, one of those problems is the tech lead on a project she is inheriting. Said tech lead is leaving, and Sally is coming on to replace them. The project is in C#, and Sally is the most experienced with the language, making her the obvious choice to step in.

Now, the current tech lead had some concerns about the development cycle. You see, the whole process of writing code, compiling code, deploying that code onto hardware, and then running the code just took too darn long. If you wanted to iterate as fast as possible, you needed to skip some of those steps.

// Namespaces the original fragment relies on (Roslyn comes from the
// Microsoft.CodeAnalysis.CSharp package).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;
using System.Runtime.Loader;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;

internal static Action<InstrumentState> Compile(IEnumerable<Configuration.Rule> rules)
{
    // Build C# source as a string. {0} becomes the body of Execute, {1} the
    // per-rule methods; i.Trigger and i.Actions are spliced in verbatim from
    // the settings database.
    var code = string.Format(@"
    using System;
    using SomeCompany.SomeProject.Instrument;
    using SomeCompany.SomeProject.Instrument.State.Actions;
    using ConsoleState = StateMachine.Types.State;

    namespace SomeCompany.SomeProject.Instrument.State.Reducers {{
      public class Script {{
            private static bool _done;
            private static void Done() {{ _done = true; }}
            public static void Execute(InstrumentState state) {{
                    _done = false;
                    {0}
            }}
            {1}
      }}
    }}
    "
    // One call per rule (o is the rule's index), each skipped once an earlier rule has called Done().
    , string.Join(Environment.NewLine, rules.Select((i, o) => string.Format(@"
              if (!_done) {{ rule{0}(state); }}
            ", o)))
    // One method per rule: the trigger becomes an if-condition, the actions its body.
    , string.Join(Environment.NewLine, rules.Select((i, o) => string.Format(@"
            private static void rule{0}(InstrumentState state) {{
              if ({1}) {{ {2} }}
            }}", o, i.Trigger, string.Join(Environment.NewLine, i.Actions))))
    );

    var types = new[] { typeof(Console), typeof(InstrumentState), typeof(ErrorEventAction), typeof(ComponentId), typeof(global::StateMachine.Types.State) };
    var refs = types.Select(h => MetadataReference.CreateFromFile(h.Assembly.Location) as MetadataReference).ToList();

    // some default references
    refs.Add(MetadataReference.CreateFromFile(Path.Combine(Path.GetDirectoryName(typeof(System.Runtime.GCSettings).GetTypeInfo().Assembly.Location), "System.Runtime.dll")));
    refs.Add(MetadataReference.CreateFromFile(typeof(Object).Assembly.Location));

    var parse = CSharpSyntaxTree.ParseText(code);
    var assyName = Guid.NewGuid().ToString();
    var options = new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary, allowUnsafe: true, optimizationLevel: OptimizationLevel.Release);
    var compilation = CSharpCompilation.Create(assyName, new List<SyntaxTree> { parse }, refs, options);

    var state = Expression.Parameter(typeof(InstrumentState), "state");

    Action<InstrumentState> y = (_) => { };
    using (var stream = new MemoryStream())
    {
        // Emit the assembly into memory only; nothing is written to disk.
        var result = compilation.Emit(stream);

        if (!result.Success)
        {
            var compilationErrors = result.Diagnostics.Where(diagnostic =>
                    diagnostic.IsWarningAsError ||
                    diagnostic.Severity == DiagnosticSeverity.Error)
                .ToList();
            if (compilationErrors.Any())
            {
                var firstError = compilationErrors.First();
                var errorNumber = firstError.Id;
                var errorDescription = firstError.GetMessage();
                var firstErrorMessage = $"{errorNumber}: {errorDescription};";
                var exception = new Exception($"Compilation failed, first error is: {firstErrorMessage}");
                compilationErrors.ForEach(e => { if (!exception.Data.Contains(e.Id)) exception.Data.Add(e.Id, e.GetMessage()); });
                throw exception;
            }
        }
        else
        {
            stream.Seek(0, SeekOrigin.Begin);
            // Load the freshly built assembly into the running process and
            // bind a delegate to its Execute method.
            var assy = AssemblyLoadContext.Default.LoadFromStream(stream);
            var type = assy.GetType("SomeCompany.SomeProject.Instrument.State.Reducers.Script");
            y = Expression.Lambda<Action<InstrumentState>>(Expression.Call(type.GetMethod("Execute"), state), state).Compile();
        }
    }

    return y;
}

You know when the first line creates a variable code and it holds C# code, you're in for a time.

The first block of code here does a lot. It queries the rules object (a reference to the settings database) to generate a series of rule{0} functions, where {0} is the rule's position in the list. The body of each function has a condition on i.Trigger (ensuring this rule only applies sometimes) and then has a body defined by i.Actions, which is just C# code living in the data source.

We then populate an Execute function with calls to every rule{0} function we generated. These themselves are further gated by a _done check, meaning it's possible for some rules to abort the processing of further rules.

The rest of the code here is a set of interactions with the C# compiler. We parse and compile the C# code that we just munged together through string concatenation, emit the compiled assembly into an in-memory stream, and if compilation succeeds, we load that assembly straight from the stream. That is to say, we generate and execute a library without leaving anything on the filesystem for further review. It all exists purely in memory.

We then generate a lambda which calls the Execute function in that newly generated library, and return it, so that other callers can now use it.

There are so many things wrong with this. Setting aside the code generation, the code that gets generated is complicated: a chain of statements where each has its own dedicated trigger condition and may be skipped based on a done flag. Just trying to analyze that for any non-trivial set of rules is hard.

The code generation, however, is the real WTF. First, they were using a set of static analysis tools to try and maximize code safety. None of the code living in the settings database went through that. Second, the settings database was editable by customers. Doctors were expected to edit it. The very idea that you could change the code running on the device by editing the Settings database was a huge "No!" But the bonus of doing this all in memory means that if there were a breach, it'd be trivially easy for an attacker to cover their tracks.
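One way to keep the rule shape the post describes (a trigger and a list of actions per rule, with a Done short-circuit) without ever handing text from the settings database to a compiler is to interpret the rules as data: a fixed grammar for triggers and an allowlist of action names, both checked when the rule set is loaded. The following is an added example written for this post, not code from Sally's project; InstrumentState, Rule, the allowed action names and the trigger grammar are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example, not the project's own code. Type and member names are assumed.
public sealed class InstrumentState
{
    public Dictionary<string, double> Readings { get; } = new Dictionary<string, double>();
    public List<string> Log { get; } = new List<string>();
}

// Same shape as the post's Configuration.Rule: one trigger, a list of actions.
public sealed class Rule
{
    public string Trigger { get; set; } = "";                       // e.g. "temperature > 40"
    public List<string> Actions { get; set; } = new List<string>(); // e.g. "Alarm", "Done"
}

public static class SafeRuleEngine
{
    // The only actions a rule may name. Their bodies are ordinary compiled code that
    // goes through the same review and static analysis as the rest of the build.
    private static readonly Dictionary<string, Action<InstrumentState>> Allowed =
        new Dictionary<string, Action<InstrumentState>>(StringComparer.Ordinal)
        {
            ["Alarm"] = s => s.Log.Add("alarm raised"),
            ["Pause"] = s => s.Log.Add("instrument paused"),
        };

    // Trigger grammar: <reading> <comparison> <number>. Anything else is rejected.
    private static readonly Regex TriggerPattern = new Regex(
        @"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(<=|>=|==|!=|<|>)\s*(-?\d+(?:\.\d+)?)\s*$",
        RegexOptions.CultureInvariant);

    // Validates every rule once and returns an evaluator. Malformed triggers and
    // unknown action names fail here, before the device ever runs the rule set.
    public static Action<InstrumentState> Compile(IEnumerable<Rule> rules)
    {
        var parsed = new List<(string reading, string op, double rhs, List<string> actions)>();
        foreach (var rule in rules)
        {
            var m = TriggerPattern.Match(rule.Trigger);
            if (!m.Success)
                throw new FormatException($"Rejected trigger: '{rule.Trigger}'");
            foreach (var a in rule.Actions)
                if (a != "Done" && !Allowed.ContainsKey(a))
                    throw new ArgumentException($"Rejected action: '{a}'");
            parsed.Add((m.Groups[1].Value, m.Groups[2].Value,
                        double.Parse(m.Groups[3].Value, CultureInfo.InvariantCulture),
                        new List<string>(rule.Actions)));
        }

        return state =>
        {
            var done = false; // plays the role of the generated _done flag
            foreach (var (reading, op, rhs, actions) in parsed)
            {
                if (done) break;
                if (!state.Readings.TryGetValue(reading, out var lhs)) continue;
                if (!Compare(lhs, op, rhs)) continue;
                foreach (var a in actions)
                {
                    if (a == "Done") done = true;
                    else Allowed[a](state);
                }
            }
        };
    }

    private static bool Compare(double lhs, string op, double rhs) => op switch
    {
        "<" => lhs < rhs, "<=" => lhs <= rhs, ">" => lhs > rhs,
        ">=" => lhs >= rhs, "==" => lhs == rhs, _ => lhs != rhs,
    };

    public static void Main()
    {
        // Constructed sample rules, standing in for rows from the settings database.
        var rules = new[]
        {
            new Rule { Trigger = "temperature > 40", Actions = { "Alarm", "Done" } },
            new Rule { Trigger = "pressure >= 2.5", Actions = { "Pause" } },
        };
        var run = Compile(rules);

        var state = new InstrumentState();
        state.Readings["temperature"] = 42;
        state.Readings["pressure"] = 3;
        run(state);
        Console.WriteLine(string.Join("; ", state.Log)); // only "alarm raised": Done stopped rule 2

        // A row that tries to smuggle code in as an action never reaches a compiler.
        try
        {
            Compile(new[] { new Rule { Trigger = "temperature > 40", Actions = { "Environment.Exit(0);" } } });
        }
        catch (ArgumentException e)
        {
            Console.WriteLine(e.Message); // Rejected action: 'Environment.Exit(0);'
        }
    }
}
```

Everything a customer can edit is now validated against a grammar and a lookup table, and the only C# that executes is what shipped with the build and went through the same static analysis as everything else. Rejection happens inside Compile, at load time, so a malformed or hostile rule set never reaches the device's hot path.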

Now, there was no malice on the part of the tech lead. This was all just for personal convenience, to speed up iterating on the code. It wasn't an intentional security flaw; it was just "clever".

Sally raised this to her boss. He sighed, put his head in his hands, and was silent for a long moment. "We just signed off on doing pen-testing last week. They're going to destroy us."


365 TomorrowsUseful

Author: Julian Miles, Staff Writer The panoramic window that occupies the longest wall of the executive office at the top of the Vimentane Tower shows a breathtaking view of the nighttime traffic in LEO over London. Against the curved inner wall, a buffet has been laid out ready for the next delegation. A door in […]

The post Useful appeared first on 365tomorrows.

Cryptogram US Federal Court Rules Against Geofence Warrants

This is a big deal. A US Appeals Court ruled that geofence warrants—these are general warrants demanding information about all people within a geographical boundary—are unconstitutional.

The decision seems obvious to me, but you can’t take anything for granted.


David BrinContemplating life - and love - with AI

We'll get to love-bots soon, I promise. But before that... By invitation, I've been jabbering lately about AI - artificial intelligence - partly from perspectives of science and technology... and of course the deep library of thoughtful SciFi speculations...

... but also by asking "What insights can we draw from history?" 

Especially the recent Enlightenment Experiment, whose methods have proved useful (at long last) at taming some of the worst human predators. Might those same methods also apply to these new, powerful, synthetic entities? 

Alas, it seems that the geniuses who are racing each other to bring on this disruptive era aren't even remotely interested in anything but cheap clichés from simplistic sci fi and fantasy flicks. See a prime example in the next section.

First though, this linked news article covers - not too badly - some of those clichés that I exposed at the recent "Beneficial AI" conference in Panama. 

This artwork actually kinda-sorta captures what I am suggesting: rule-moderated and incentivized competition.

A deeper dive – that I offered as one of the keynotes at the huge, May 2024 RSA Conference in San Francisco – is now available for you to view/listen: “Anticipation, Resilience and Reliability: Three ways that AI will change us… if we do it right.”


Too long? Then try this brief (15 minutes) pod-interview-talk - Can humans (maybe redefined) keep up with AI and the rest? It's one of my better/more efficient ones about the dilemmas we face with AI. And how we might augment natural human capabilities to keep up.


== A few thoughtful essays on AI ==


Eric Schmidt describes three trends that may lead to rapid changes in Artificial Intelligence. One of these is enhanced agency, a word that's also proclaimed loudly as the next step, by OpenAI’s Sam Altman. An agent can be understood as a large language model that can learn something new and then apply that learning outward. This is from Nathan Gardels’s interview of Schmidt in NOEMA: 


“These agents are going to be really powerful, and it’s reasonable to expect that there will be millions of them out there… What happens then poses a lot of issues. Here we get into the questions raised by science fiction… at some point, these systems will get powerful enough that the agents will start to work together.  So, your agent, my agent, her agent and his agent will all combine to solve a new problem.”


So... there'll be "millions of them"... and they’ll “work together.” 

Um... hold that thought.

 

(Side note: Anthropic is releasing a new feature for its AI chatbot Claude that will let anyone create an email assistant-bot to automate tasks, vet purchases or other ‘personalized solutions.’ Though alas, no one discusses how this will – for example – affect advertising, which funds the internet.) 

Back to the Eric Schmidt interview. Nathan Gardels asks: “Don’t you need to regulate at some point along the capability ladder before you get where you don’t want to go?”


Schmidt: “At the moment, governments have mostly been doing the right thing. They’ve set up trust and safety institutes to learn how to measure and continuously monitor and check ongoing developments, especially of frontier models as they move up the capability ladder. So, as long as the companies are well-run Western companies, with shareholders and exposure to lawsuits, all that will be fine."


Oy, hold that thought, as well! And yet, despite this pollyanna reassurance, Schmidt oscillates:


“Look at this problem of misinformation and deepfakes. I think it’s largely unsolvable. … That is why it is so important that these more powerful systems, especially as they get closer to general intelligence, have some limits on proliferation. And that problem is not yet solved."


'Limits on proliferation.' Right. But... but... weren't you just talking about "millions of them"? 


Ah, notice how Eric Schmidt performed the trifecta!  All of the standard assumptions about AI format -- all three of the clichés from both history and the cheapest sci fi --  offered up almost simultaneously! 


Clichéd format #1: Rely on the feudal lords in their castles (Google, OpenAI, Microsoft, Beijing, DOD, Goldman-Sachs) to rule wisely and to prudently control their warriors – on account of maybe... fear of lawsuits?


Clichéd format #2. Count on the king (gov’t regulations) to keep up, with wise regulations, even as those feudal AI warriors gather the powers of gods. With self-mods that iterate in seconds.


Clichéd format #3. Proliferation as these entities inevitably get copied, copy themselves with abandon, and mutate away from control by kings or castle (corporate) lords, spreading through every crack, across every system or barrier. As in Steve McQueen’s wonderful horror flick, The Blob.


… at which point they might either blob the Web into uselessness or else… coalesce into Skynet.


Seriously, is he saying anything other than all three of the standard motifs that I just paraphrased, above? Ignoring the way they contradict each other and create instabilities that cannot last?


Moreover, from both sci fi and 6000 years of wretched human history, we know that none of the three have happy outcomes. None of the three answer our dilemmas of misinformation, or predation, or creating a culture that incentivizes accountability.


Oh, I don't want to just pick on Eric Schmidt!  He is actually way above average in that clade.  In fact, this same recitation of tediously clichéd formats is done by almost all of the brilliant mavens in this field. 


For example, many Chinese court intellectuals have pondered all this and concluded that the only way out is to double and triple down on format #2. (See my posting: Central Control over AI). But this centralization approach is similarly doomed. Even if they succeed at first, it only accelerates inevitable evolution from Politburo-controls-Skynet to Skynet-controls-Politburo.


Alas, no one – certainly not Eric Schmidt in the Noema interview – seems even remotely interested in looking past the three clichés, at systems of accountability that we actually developed, across the last two centuries, that enabled us to finally escape the lobotomizing effects of kings and feudal lords and chaos. 


Methods that have been tested and proved. Methods that we see all about us, in daily life. Methods that created the civilization that raised and nurtured and empowered Eric Schmidt and all the other geniuses out there. Methods that they take for granted and depend upon, every day of their lives.


Methods that could be applied to AI, with almost trivial ease.


…but won't be. Because of the incredible memetic power of clichés.



== Earlier in the same journal, a little wisdom ==


A bit more cogently, Sara Walker’s essay - AI is Life - also in Noema - shows many of the ways that AI will replicate what’s already gone-on here on Earth among living organisms, evolving greater complexity. She cites a lot of facts and parallels... without making much of a useful point beyond “Don’t Panic!” 


Still, it’s beautiful writing about big perspectives. (Perspectives that I made even bigger, in EARTH.;-)


Alas, the history of life has been bumpier than she implies, with mass extinctions and imbalances and countless lost opportunities -- and rivers of blood and death -- as also happened in the rutted, nearly-always-feudal and mistake-prone tale of human societies called “history.”


Now? It seems we are making a new kind of ecosystem, driven by electricity instead of sunlight, mediated by silicon switches instead of chloroplasts. Already we see analogues to pre-biotic ‘soup’ and primitive plankton (algorithms floating across the Web), plus analogues of predatory devourers or parasites... all the way to the new GPT ersatz Voices-Without-Mind that I predicted, half a decade ago, would swarm over us… well… precisely now.

The Walker essay is lovely and calming and I recommend it. But Life’s ‘way’ is often bloody and nescient and we cannot afford to just let the genes fall where they may.



== But… b-but is it conscious or self-aware? ==


Um… does it matter?


No, seriously, there are some earnest efforts to ramp up the study of consciousness and what it means. Though such efforts have been around since well before that smelly old preener, Socrates prattled annoyingly in the Academy. Indeed, in the 1980s I was managing editor for the Journal of the UCSD Laboratory and Center for Human Cognition.


A very brief outline of the overall problem can be found in this Scientific American essay “Why the Mystery of Consciousness Is Deeper Than We Thought.” Though it only touches on the quandaries, lightly.


Diving in far more deeply and thoroughly, Robert Lawrence Kuhn – for decades host of the Closer To Truth interview show – has just completed the magnum opus of consciousness studies! A broad survey of (pretty much) the whole field, summarizing more different theories than you could shake a meme at. If the topic of how you’re interested in things interests you, have a look at A Landscape of Consciousness. (A review was just published by IAI.)


Ray Kurzweil has a followup to The Singularity is Near, with... The Singularity is Nearer: When We Merge with AI, proposing that AI will achieve human level intelligence by 2029.


Okay, where are those Machines of Loving Grace?



== Oh, wait... 'love bots' --


You expected that to be about sex?


Well, no room this time. Maybe in my next posting about our coming AI-enhanced future.


Planet DebianThomas Lange: Custom Live Media, also for Newer Hardware

At this years Debian conference in South Korea I've presented1 the new feature of the FAIme web service. You can now build your own Debian live media/ISO.

The web interface provides various settings, for e.g. adding a user name and its password, selecting the Debian release (stable or testing), the desktop environment and the language. Additionally you can add your own list of packages, that will be installed into the live environment. It's possible to define a custom script that gets executed during the boot process. For remote access to the live system, you can easily sepcify a github, gitlab or salsa account, whose public ssh key will be used for passwordless root access. If your hardware needs special grub settings, you may also add those. I'm thinking about adding an autologin checkbox, so the live media could be used for a kiosk system.

And finally newer hardware is supported with the help of the backports kernel for the Debian stable release (aka bookworm). This combination is not available from the official Debian live images or the netinst media, because the latter has some complicated dependencies which are not that easy to resolve [2]. At DebConf24 I talked to Alper, who has some ideas [3] on how to improve the Debian installer environment, which then may support a backports kernel.

The FAI web service for live ISO is available at

      https://fai-project.org/FAIme/live

365 TomorrowsBad Samaritan

Author: T.A. Gruver The rolling thunder of pulse cannons fell silent as the setting sun hid behind the clouds dancing over Eleos Basin. Not a sound could be heard from the firing lines as a crying Orion trooper grasped his leg with one hand and pulled himself up with the other through the red sands […]

The post Bad Samaritan appeared first on 365tomorrows.


Planet DebianKalyani Kenekar: Join Us: Contribute to Open Source as Marathi speaking person!


GNOME is one of the most widely used free and open-source desktop environments!

Is your native language Marathi and are you using GNOME as your desktop environment? Then I, as the coordinator of the Marathi translation team in GNOME, am excited to invite you to become part of the team that is translating the GNOME Desktop into Marathi!

By contributing to the translation of GNOME into Marathi you become a member of an important project, you help to make it more accessible to Marathi speakers worldwide, and you help to keep our language alive in the open source world.

Why Should You Contribute?

  • Promote Your Language

    By translating GNOME into Marathi, you help to preserve and promote our beautiful language in the digital world.

  • Learn and Grow

    Contributing to open-source projects like GNOME is a great way to improve your language and technical skills, network with like-minded individuals, and gain recognition in the global open-source community.

  • Give Back to the Community

    This is an opportunity to contribute to a project that has a significant impact on users around the world. Your work will enable Marathi speakers to use technology in their native language.

Who Can Contribute?

You don’t need to be a professional translator to join us! If you are fluent in Marathi and have a basic understanding of English, your contributions will be invaluable. Whether you’re a student, a professional, or just someone passionate about your language, your help is needed and really appreciated!

How To Start Translating?

Once you’re familiar with the tools, you can easily begin translating. We have a list of untranslated strings waiting for your contribution!

How To Join The Team?

Follow these steps to join the Marathi translation team for GNOME and start contributing:

  • Step 1: Visit our GNOME Translation Team Page.
  • Step 2: If you’re a new user, click on the “Create Account” option to sign up.
  • Step 3: Once you’ve created your account, log in with your credentials.
  • Step 4: After logging in, click the “Join” button to become a translator for the Marathi team.
  • Step 5: You’ll now see a list of different modules that need translation. Choose one of the files that interests you and download it to your computer.
  • Step 6: Translate the content locally on your computer. Once you’re done, return to the website, click “Browse,” and submit your translated file.

Get Familiar with the Additional Tools

Varnam

If you’re not used to typing in Marathi, you can still contribute using the Varnam website, a free and open-source tool that converts English text into Marathi. Here’s how you can get started:

  • Step 1: Visit the Varnam website.
  • Step 2: Click on the “Try Now” button on the website.
  • Step 3: In the language selection menu, choose “Marathi” as your desired language.
  • Step 4: Now you can start typing in English, and Varnam will automatically convert your text into Marathi. If you need more guidance, there’s a help window available on the site that you can explore for additional support.

Need Help Or You Have Questions?

If you have any doubts or need further assistance with getting started translating GNOME into Marathi, don’t hesitate to reach out. I’m here to help you every step of the way!

You can connect with me directly at kalyaniknkr@gmail.com. Whether you need technical support, guidance on using the tools, or just want to discuss the project, feel free to get in touch.

Let’s work together to make GNOME accessible to Marathi speakers around the world. Your contributions are always invaluable, and I look forward to welcoming you to our team!

Thank you for your interest and support!

Planet DebianJonathan Dowland: Fediverse and feeds

It's clear that Twitter has been circling the drain for years, but things have been especially bad in recent times. I haven't quit (I have some sympathy with the viewpoint don't cede territory to fascists) but I try to read it much less, and I certainly post much less.

Especially at the moment, I really appreciate distractions.

Last time I wrote about Mastodon (by which I meant the Fediverse [1]), I was looking for a new instance to try. I settled on Debian's social instance [2]. I'm now trying to put any energy I might spend engaging on Twitter, into engaging in the Fediverse instead. (You can follow me via the handle @jon@dow.land, I think, which should repoint to my actual handle, @jmtd@pleroma.debian.social.)

There are other potential successors to Twitter: two big ones are Bluesky and Facebook-owned Threads. They are effectively cookie-cutter copies of the Twitter model, and so, we will repeat the same mistakes there. Sadly I see the majority of communities and sub-cultures I follow are migrating to one or the other of these.

The Fediverse (or the Mastodon-ish bits of it) should avoid the fate of Twitter. JWZ puts it better and more succinctly than I can.

The Fedi experience is, sadly, pretty clunky. So I want to try and write a bit from time to time with tips and tricks that might improve people's experiences.

First up, something I discovered only today about Mastodon instances. As JWZ noted, if you are worried about picking the "right" Mastodon instance, don't. Just spin the wheel. You can spend too much time trying to guess a good answer to this. Better to just get started.

At the same time, individual instances are supposed to cater to specific niches. So it could be useful to sample the public posts from an entire instance, for example to find people to follow, or to decide to hop over to that instance yourself. You can't (I think) follow an entire instance from within yours, but they usually have a public page which shows you the latest traffic.

For example, the infosec-themed instance infosec.exchange has one here: https://infosec.exchange/public/local

These pages don't provide RSS or Atom feeds [3], sadly. I hope that's on the software's roadmap, and hasn't been spurned for ideological reasons. For now at least, OpenRSS provide RSS/Atom feeds for many Mastodon instances. For example, an RSS/Atom feed of the above: https://openrss.org/infosec.exchange/public/local

One can add these feeds to your Feed reader and over time get a flavour for the kind of discourse that takes place on given instances.

I think OpenRSS has to manually add Mastodon instances to its service. I tried three instances and only one (infosec.exchange) worked. I'm not sure, but I think trying an instance that doesn't work automatically puts it on OpenRSS's backlog.


  1. the Fediverse-versus-Mastodon nomenclature problem is just the tip of the iceberg, in terms of adoption problems. Mastodon provides a twitter-like service that participates in the Fediverse. But it isn't correct to call the twitter-like service "Mastodon" because other software also participates in/provides that service. And it's not correct to call it "Fediverse" because that describes a bigger thing, with e.g. youtube clones also taking part. I'm not sure what the right term should be for "the twitter-like thing". Also, everything I wrote here is probably subtly wrong.
  2. Debian's instance actually runs Pleroma, an alternative to Mastodon. Why should it matter? I think it's healthy for there to be more than one implementation in an open ecosystem. However the experience can be janky, as the features don't perfectly align, some Mastodon features/APIs are not documented/standardised/etc.
  3. I have to remind myself that the concept of RSS/Atom feeds and Feedreaders might need explaining to a modern audience too. Perhaps in another blog post.

Cryptogram Take a Selfie Using a NY Surveillance Camera

This site will let you take a selfie with a New York City traffic surveillance camera.

EDITED TO ADD: BoingBoing post.

Planet DebianDirk Eddelbuettel: RcppEigen 0.3.4.0.2 on CRAN: Micro Maintenance

A new maintenance release of RcppEigen is now on CRAN, and will go to Debian shortly as usual. Eigen is a C++ template library for linear algebra: matrices, vectors, numerical solvers, and related algorithms. RcppEigen is used by 460 other CRAN packages, and has been downloaded 31.9 million times just off the mirrors of CRAN keeping logs for counting.

The recent change switching to Authors@R (now that CRAN mandates it) contained two typos in the ORCID tags; this release fixes them.

The complete NEWS file entry follows.

Changes in RcppEigen version 0.3.4.0.2 (2024-08-23)

  • Correct two typos in the ORCID tag

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

365 TomorrowsThe Secret is in Perception

Author: Brian C. Mahon “How hopes and dreams vanish when the Maker decides to lower the curtain,” Clarissa Dochenal, Countess of the Third Tier, chided herself. Even the confines of a Zakiche war-corsair failed to guarantee safety when the gods warred. The Maker, the False Sun, the Void Avatar, the Slaver, and the Half-mortal feuded […]

The post The Secret is in Perception appeared first on 365tomorrows.

Planet DebianRussell Coker: Wifi 6E Mesh

I am looking into getting a Wifi mesh network. The aim is to use it for providing access to devices throughout my home, especially for devices on the congested 2.4GHz frequency. Ideally I want 6GHz Wifi 6E for the communication between mesh nodes as well as for talking to the few devices that are new enough to support it (I like buying cheap second hand devices). 2.5Gbit ethernet connections on all mesh nodes would be good too.

Wifi 7 is semi-released; you can buy devices even though the specs aren’t entirely finalised. I expect that next year, when Wifi 7 devices are more common, the second hand prices of Wifi 6E will drop. Currently Wifi 6E devices are somewhat expensive.

One major problem at the moment is “cloud configuration”. Here is a 41 page forum thread of TP-Link customers asking in vain for non-cloud configuration [1]. The problems with cloud configuration are that it doesn’t allow configuration without Internet access (so no fixing things when the Internet breaks and no use for a private network without Internet), it relies on a proprietary phone app (so a problem with your phone breaks everything), and it adds a dependency on an unpaid service that TP-Link might decide to turn off at some future time. The TP-Link Deco X55 AX3000 looks like a good set of devices: a set of three Wifi 6 (not 6E) devices currently costs $328, which is a good deal. A pity that the poor software options let it down.

TP-Link also seems to be scanning web traffic and sending the analysis to an external site [2], behaviour that is most accurately described as malware.

There is the OpenWrt project for open firmware on Wifi APs, which is a great project [3], but it doesn’t seem to support any Wifi 6 mesh systems yet. If most Wifi hardware requires malware for operation, it seems that running a VPN over Wifi is the way to go. A hostile party being able to sniff your home network is much worse than a hostile party sniffing public Internet traffic.

The Google Nest mesh devices have good specs and price, $359 for a three node Wifi 6E mesh that has 2.5Gbit ethernet. But they can only be configured with a Google app for Android or iOS and require a Gmail account. Giving Google the ability to shut down all my stuff by deleting my Gmail account is not acceptable. Also Google is well known for cancelling services [4]. A mitigating factor is that there should be enough of those devices sold to make them a good target for an OpenWrt port.

As an aside, it looks like the Tailscale mesh VPN system could be a solution to the security issues caused by malware on Wifi APs [5]. There is also Headscale, a fully open source implementation of the Tailscale control server [6]. Even when the vendor isn’t overtly hostile they can make mistakes, so encryption is good.

Kogan is selling an own-brand Wifi 6 mesh network package that comes with 1/2/3 devices for $70/$120/$140. It doesn’t do Wifi 6E but supports the better encoding methods of Wifi 6 over Wifi 5 and will be good for bridging a LAN in one part of a house to a Wifi 2.4GHz or Ethernet connected device in another part. They also support up to 7 nodes so you could buy two of the 3 device packages and run one network with 2 and another with 4. The pricing is very competitive and they support web based administration!

I’ve just ordered the $140 Wifi 6 pack from Kogan. If it doesn’t do what I want then I can find someone else who will be happy with whatever functionality it gives and $140 is an amount I can risk without concern. If it works well then I might upgrade to Wifi 6E or Wifi 7 next year and deploy the Wifi 6 one for a relative. It seems that for my needs a cheap and OK Wifi 6 device is better than an expensive Wifi 6E device.

Planet DebianRussell Coker: Is Secure Boot Worth Using?

With news like this one cited by Bruce Schneier [1], people are asking whether it’s worth using Secure Boot.

Regarding the specific news article, this is always a risk with distributed public key signature systems: lose control of one private key and attackers can sign whatever they like. That doesn’t make the scheme bad, it just makes it less valuable. If you want to set up a system for a government agency, bank, or other high value target then it’s quite reasonable to expect an adversary to purchase systems of the same make and model to verify that their attacks will work. If you want to make your home PC a little harder to attack then you can expect that the likely adversaries won’t bother with such things. You don’t need security to be perfect; making a particular attack slightly more difficult than other potential attacks gives a large part of the benefit.

The purpose of Secure Boot is to verify the boot loader against a public key signature and then have the boot loader verify the kernel. Microsoft signs the “shim” that each Linux distribution uses to load GRUB (or another boot loader). So when I configure a Debian system with Secure Boot enabled that doesn’t stop anyone from booting Ubuntu. Judged by the signatures on the boot loader etc., there is no difference between my Debian installation and a rescue image from Debian, Ubuntu, or another distribution booted by a hostile party to do things against my interests. The difference between the legitimate OS image and malware is a matter of who boots it and the reason for booting it.

It is possible to remove the Microsoft keys from UEFI and enrol only your own, so that only what you signed will boot; this document describes what is necessary to do that [2]. The catch is “option ROMs” (which among other things means the ROM on your video card): they are signed by the Microsoft UEFI third-party CA, so once that key is gone the firmware will refuse to run them, and you can only disable the MS keys if you can boot without any of them.

If it’s impossible to disable the MS keys that doesn’t make it impossible to gain a benefit from the Secure Boot process. You can bind a block device’s decryption key to TPM measurements (PCR hashes) of the firmware and the kernel that booted, so that if a system is booted with the wrong kernel and the user doesn’t recognise it, they will find that their password no longer unlocks the device. I think it’s possible on some systems to run the Secure Boot functionality in a non-enforcing mode such that it will use a bootloader without a valid signature but still use the hash for TPM calculations; that appears impossible on my Thinkpad Yoga Gen3, which only has enabled and disabled as options, but should work on Dell laptops, which have an option to run Secure Boot in permissive mode.

I believe that the way of the future is to use something like EFIStub [3] to create unified kernel images with a signed kernel, initrd, and command-line parameters in a single bundle which can be loaded directly by the UEFI firmware. From the perspective of a distribution developer it’s good to have many people using the current standard functionality of shim and GRUB for EFI as a step towards that goal.

Cloudflare has a good blog post about Linux kernel hardening [4]. In that post they cover the benefits of a full secure boot setup (which is difficult at the current time) and the way that secure boot enables the lockdown module for kernel integrity. When a distribution kernel detects Secure Boot it automatically enables lockdown=integrity functionality (see this blog post for an explanation of lockdown [5]); note that this automatic step comes from an out-of-tree patch carried by Debian, Ubuntu, Fedora and others, not from the mainline kernel, so a self-built kernel gets it only if you ask. It is possible to enable this by putting “lockdown=integrity” on the kernel command line, or “lockdown=confidentiality” if you want even more protection, but with a distribution kernel it happens by default with Secure Boot. Secure Boot is something you can set to get a selection of security features enabled and get a known minimum level of integrity even if the signatures aren’t used for anything useful; restricting a system to only boot kernels from MS, Debian, Ubuntu, Red Hat, etc. is not useful.
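Whether the lockdown that Secure Boot is supposed to bring is actually engaged is easy to check from the running system. The following is an added example (written for this page, not code from the post or from Cloudflare) that reads the efivarfs SecureBoot and SetupMode variables, the lockdown LSM state in securityfs and the kernel command line, and reports the mismatches a practitioner cares about, including the self-built-kernel case where Secure Boot is enforced but lockdown is still off. The sysfs paths are the standard Linux ones; the distribution-patch behaviour described in the comments is the assumption the findings rest on.

```python
"""Report whether Secure Boot is on and whether the kernel lockdown LSM
actually followed it. Added example; parsers take raw file contents so the
logic can be exercised on constructed data, main() reads the real files."""
from pathlib import Path
from typing import List, Optional

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SECUREBOOT_VAR = Path(f"/sys/firmware/efi/efivars/SecureBoot-{EFI_GLOBAL_GUID}")
SETUPMODE_VAR = Path(f"/sys/firmware/efi/efivars/SetupMode-{EFI_GLOBAL_GUID}")
LOCKDOWN_FILE = Path("/sys/kernel/security/lockdown")
CMDLINE_FILE = Path("/proc/cmdline")


def efivar_flag(raw: bytes) -> Optional[bool]:
    """efivarfs prepends a 4-byte attribute word to every variable; the
    SecureBoot and SetupMode payloads are a single byte, 1 = set."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def lockdown_mode(text: str) -> str:
    """/sys/kernel/security/lockdown reads like
    'none [integrity] confidentiality'; the bracketed word is the active mode."""
    for word in text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    raise ValueError(f"unexpected lockdown string: {text!r}")


def cmdline_lockdown(cmdline: str) -> Optional[str]:
    """Value of lockdown= on the kernel command line; the last one wins."""
    value = None
    for arg in cmdline.split():
        if arg.startswith("lockdown="):
            value = arg.split("=", 1)[1]
    return value


def assess(secure_boot: Optional[bool], setup_mode: Optional[bool],
           mode: Optional[str], requested: Optional[str]) -> List[str]:
    """Turn the raw state into findings; an empty list means nothing to fix."""
    findings = []
    if secure_boot is None:
        findings.append("no SecureBoot variable: legacy BIOS boot or efivarfs not mounted")
    elif setup_mode:
        findings.append("firmware in Setup Mode: PK/KEK/db are writable without authentication")
    elif not secure_boot:
        findings.append("Secure Boot disabled: unsigned boot loaders and kernels will boot")
    if mode is None:
        findings.append("lockdown LSM not built into this kernel")
    elif mode == "none":
        if secure_boot:
            # Assumption: distro kernels carry the auto-lockdown patch, mainline does not.
            findings.append("Secure Boot on but lockdown=none: kernel lacks the distro "
                            "auto-lockdown patch; add lockdown=integrity to the command line")
        else:
            findings.append("lockdown=none: /dev/mem, unsigned modules and kexec of "
                            "unsigned images are all permitted")
    if requested and mode and requested != mode:
        findings.append(f"command line asks for lockdown={requested} but kernel reports {mode}")
    return findings


def read_or_none(path: Path, binary: bool):
    """Missing file, non-Linux host or insufficient privilege all read as None."""
    try:
        return path.read_bytes() if binary else path.read_text()
    except OSError:
        return None


def audit_host() -> List[str]:
    sb_raw = read_or_none(SECUREBOOT_VAR, True)
    sm_raw = read_or_none(SETUPMODE_VAR, True)
    ld_raw = read_or_none(LOCKDOWN_FILE, False)
    cl_raw = read_or_none(CMDLINE_FILE, False) or ""
    return assess(
        efivar_flag(sb_raw) if sb_raw is not None else None,
        efivar_flag(sm_raw) if sm_raw is not None else None,
        lockdown_mode(ld_raw) if ld_raw else None,
        cmdline_lockdown(cl_raw),
    )


if __name__ == "__main__":
    for line in audit_host() or ["ok: Secure Boot enforced and kernel lockdown engaged"]:
        print(line)
```

Run it as any user on a UEFI Linux host; efivarfs and securityfs are normally world-readable. The Setup Mode check is there because a firmware with no Platform Key enrolled reports Secure Boot as off while letting anyone enrol keys, which is the state a hostile party wants to find.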

For most users I think that Secure Boot is a small increase in security but testing it on a large number of systems allows increasing the overall security of operating systems which benefits the world. Also I think that having features like EFIStub usable for a large portion of the users (possibly the majority of users) is something that can be expected to happen in the lifetime of hardware being purchased now. So ensuring that Secure Boot works with GRUB now will facilitate using EFIStub etc in future years.

The Secure Boot page on the Debian wiki is worth reading, and also worth updating for people who want to contribute [6].


Krebs on SecurityLocal Networks Go Global When Domain Names Collide

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here’s a look at one security researcher’s efforts to map and shrink the size of this insidious problem.

At issue is a well-known security and privacy threat called “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on a private corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

Consider the hypothetical private network internalnetwork.example.com: When an employee on this network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; entering “\\drive1\” alone will suffice, and Windows takes care of the rest.

But problems can arise when an organization has built their Active Directory network on top of a domain they don’t own or control. While that may sound like a bonkers way to design a corporate authentication system, keep in mind that many organizations built their networks long before the introduction of hundreds of new top-level domains (TLDs), like .network, .inc, and .llc.

For example, a company in 2005 builds their Microsoft Active Directory service around the domain company.llc, perhaps reasoning that since .llc wasn’t even a routable TLD, the domain would simply fail to resolve if the organization’s Windows computers were ever used outside of its local network.

Alas, in 2018, the .llc TLD was born and began selling domains. From then on, anyone who registered company.llc would be able to passively intercept that organization’s Microsoft Windows credentials, or actively modify those connections in some way — such as redirecting them somewhere malicious.

Philippe Caturegli, founder of the security consultancy Seralys, is one of several researchers seeking to chart the size of the namespace collision problem. As a professional penetration tester, Caturegli has long exploited these collisions to attack specific targets that were paying to have their cyber defenses probed. But over the past year, Caturegli has been gradually mapping this vulnerability across the Internet by looking for clues that appear in self-signed security certificates (e.g. SSL/TLS certs).

Caturegli has been scanning the open Internet for self-signed certificates referencing domains in a variety of TLDs likely to appeal to businesses, including .ad, .associates, .center, .cloud, .consulting, .dev, .digital, .domains, .email, .global, .gmbh, .group, .holdings, .host, .inc, .institute, .international, .it, .llc, .ltd, .management, .ms, .name, .network, .security, .services, .site, .srl, .support, .systems, .tech, .university, .win and .zone, among others.

Seralys found certificates referencing more than 9,000 distinct domains across those TLDs. Their analysis determined many TLDs had far more exposed domains than others, and that about 20 percent of the domains they found ending .ad, .cloud and .group remain unregistered.

“The scale of the issue seems bigger than I initially anticipated,” Caturegli said in an interview with KrebsOnSecurity. “And while doing my research, I have also identified government entities (foreign and domestic), critical infrastructures, etc. that have such misconfigured assets.”

REAL-TIME CRIME

Some of the above-listed TLDs are not new and correspond to country-code TLDs, like .it for Italy, and .ad, the country-code TLD for the tiny nation of Andorra. Caturegli said many organizations no doubt viewed a domain ending in .ad as a convenient shorthand for an internal Active Directory setup, while being unaware or unworried that someone could actually register such a domain and intercept all of their Windows credentials and any unencrypted traffic.

When Caturegli discovered an encryption certificate being actively used for the domain memrtcc.ad, the domain was still available for registration. He then learned the .ad registry requires prospective customers to show a valid trademark for a domain before it can be registered.

Undeterred, Caturegli found a domain registrar that would sell him the domain for $160, and handle the trademark registration for another $500 (on subsequent .ad registrations, he located a company in Andorra that could process the trademark application for half that amount).

Caturegli said that immediately after setting up a DNS server for memrtcc.ad, he began receiving a flood of communications from hundreds of Microsoft Windows computers trying to authenticate to the domain. Each request contained a username and a hashed Windows password, and upon searching the usernames online Caturegli concluded they all belonged to police officers in Memphis, Tenn.

“It looks like all of the police cars there have a laptop in the cars, and they’re all attached to this memrtcc.ad domain that I now own,” Caturegli said, noting wryly that “memrtcc” stands for “Memphis Real-Time Crime Center.”

Caturegli said setting up an email server record for memrtcc.ad caused him to begin receiving automated messages from the police department’s IT help desk, including trouble tickets regarding the city’s Okta authentication system.

Mike Barlow, information security manager for the City of Memphis, confirmed the Memphis Police’s systems were sharing their Microsoft Windows credentials with the domain, and that the city was working with Caturegli to have the domain transferred to them.

“We are working with the Memphis Police Department to at least somewhat mitigate the issue in the meantime,” Barlow said.

Domain administrators were long encouraged to use .local for internal domain names, because that name is reserved (by RFC 6762, for multicast DNS) and cannot be routed over the open Internet; current Microsoft guidance is instead a subdomain of a registered domain the organization owns, such as ad.example.com, and in 2024 ICANN reserved .internal for exactly this kind of private use. However, Caturegli said many organizations seem to have missed that memo and gotten things backwards — setting up their internal Active Directory structure around the perfectly routable domain local.ad.

Caturegli said he knows this because he “defensively” registered local.ad, which he said is currently used by multiple large organizations for Active Directory setups — including a European mobile phone provider, and the City of Newcastle in the United Kingdom.

ONE WPAD TO RULE THEM ALL

Caturegli said he has now defensively registered a number of domains ending in .ad, such as internal.ad and schema.ad. But perhaps the most dangerous domain in his stable is wpad.ad. WPAD stands for Web Proxy Auto-Discovery Protocol, which is an ancient, on-by-default feature built into every version of Microsoft Windows that was designed to make it simpler for Windows computers to automatically find and download any proxy settings required by the local network.

Trouble is, any organization that chose a .ad domain they don’t own for their Active Directory setup will have a whole bunch of Microsoft systems constantly trying to reach out to wpad.ad if those machines have proxy automated detection enabled.
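To make the devolution mechanism and the WPAD exposure concrete, here is an added example (written for this page, not code from the article or from Seralys) that models how a short name typed on a domain-joined Windows machine is expanded through the DNS suffix list, classifies each candidate name as reserved, publicly delegated or not (yet) delegated, and lists the lookups that would leave the LAN for an attacker-registrable domain. The list of public TLDs is a constructed subset; a real check should load the IANA root zone list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt, and the devolution level is a parameter because the Windows default depends on the forest root domain.

```python
"""Model Windows DNS name devolution and flag lookups that leave the LAN.
Added example; PUBLIC_TLDS is a constructed subset of the IANA root zone."""
from typing import Iterable, List

# Constructed subset of delegated TLDs: the ones the article names plus the classics.
PUBLIC_TLDS = {"com", "net", "org", "ad", "cloud", "group", "llc", "inc",
               "network", "dk", "it", "dev", "zone"}

# Special-use names that never resolve on the public Internet: .local (RFC 6762,
# mDNS), home.arpa (RFC 8375), the RFC 6761 names and ICANN's reserved .internal.
RESERVED_SUFFIXES = ("local", "internal", "home.arpa", "test", "example",
                     "invalid", "localhost")


def devolved_suffixes(primary_suffix: str, devolution_level: int) -> List[str]:
    """DNS name devolution: strip leading labels from the primary DNS suffix
    until fewer than devolution_level labels remain. Classic devolution stopped
    at the second-level domain (level 2); since Windows 7 / Server 2008 R2 the
    default level is the label count of the forest root domain. Assumption in
    this model: no explicit suffix search list is configured."""
    labels = primary_suffix.strip(".").lower().split(".")
    out = []
    while labels and len(labels) >= devolution_level:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_fqdns(short_name: str, suffixes: Iterable[str]) -> List[str]:
    """The fully qualified names a resolver tries, in order, for a short name."""
    return [f"{short_name.lower()}.{s}" for s in suffixes]


def classify(fqdn: str) -> str:
    """'reserved'   : special-use name, never leaves the LAN
       'public'     : TLD is delegated, so anyone may register the parent domain
       'unroutable' : TLD not delegated today (it may be tomorrow, as .llc was)"""
    name = fqdn.strip(".").lower()
    if any(name == r or name.endswith("." + r) for r in RESERVED_SUFFIXES):
        return "reserved"
    return "public" if name.rsplit(".", 1)[-1] in PUBLIC_TLDS else "unroutable"


def exposed_lookups(short_names: Iterable[str], primary_suffix: str,
                    devolution_level: int, owned_domains: Iterable[str] = ()) -> List[str]:
    """Every candidate FQDN that would resolve outside the organisation, i.e.
    whose parent domain somebody else could register. Owned domains are excluded."""
    owned = {d.strip(".").lower() for d in owned_domains}
    suffixes = devolved_suffixes(primary_suffix, devolution_level)
    exposed = []
    for short in short_names:
        for fqdn in candidate_fqdns(short, suffixes):
            if classify(fqdn) != "public":
                continue
            if any(fqdn == d or fqdn.endswith("." + d) for d in owned):
                continue
            exposed.append(fqdn)
    return exposed


if __name__ == "__main__":
    # wpad is queried automatically by proxy auto-detection; drive1 is the
    # share name from the article. Level 2 matches classic devolution.
    for suffix in ("memrtcc.ad", "local.ad", "corp.example.com", "hq.corp.local"):
        hits = exposed_lookups(["wpad", "drive1"], suffix, 2, owned_domains=["example.com"])
        print(f"{suffix:20} {hits or 'nothing leaves the LAN'}")
```

The local.ad case is the "backwards" configuration from the article: .local on the right is reserved, but .ad on the right is Andorra, so wpad.local.ad is a perfectly good name for an attacker to register. On a real Windows host the inputs come from Get-DnsClientGlobalSetting (SuffixSearchList, UseDevolution, DevolutionLevel) and the primary DNS suffix of the machine; feed those in and compare the result against the domains the organization actually has registered.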

Security researchers have been beating up on WPAD for more than two decades now, warning time and again how it can be abused for nefarious ends. At this year’s DEF CON security conference in Las Vegas, for example, a researcher showed what happened after they registered the domain wpad.dk: Immediately after switching on the domain, they received a flood of WPAD requests from Microsoft Windows systems in Denmark that had namespace collisions in their Active Directory environments.

Image: Defcon.org.

For his part, Caturegli set up a server on wpad.ad to resolve and record the Internet address of any Windows systems trying to reach Microsoft Sharepoint servers, and saw that over one week it received more than 140,000 hits from hosts around the world attempting to connect.

The fundamental problem with WPAD is the same with Active Directory: Both are technologies originally designed to be used in closed, static, trusted office environments, and neither was built with today’s mobile devices or workforce in mind.

Probably one big reason organizations with potential namespace collision problems don’t fix them is that rebuilding one’s Active Directory infrastructure around a new domain name can be incredibly disruptive, costly, and risky, while the potential threat is considered comparatively low.

But Caturegli said ransomware gangs and other cybercrime groups could siphon huge volumes of Microsoft Windows credentials from quite a few companies with just a small up-front investment.

“It’s an easy way to gain that initial access without even having to launch an actual attack,” he said. “You just wait for the misconfigured workstation to connect to you and send you their credentials.”

If we ever learn that cybercrime groups are using namespace collisions to launch ransomware attacks, nobody can say they weren’t warned. Mike O’Connor, an early domain name investor who registered a number of choice domains such as bar.com, place.com and television.com, warned loudly and often back in 2013 that then-pending plans to add more than 1,000 new TLDs would massively expand the number of namespace collisions.

Mr. O’Connor’s most famous domain is corp.com, because for several decades he watched in horror as hundreds of thousands of Microsoft PCs continuously blasted his domain with credentials from organizations that had set up their Active Directory environment around the domain corp.com.

It turned out that Microsoft had actually used corp.com as an example of how one might set up Active Directory in some editions of Windows NT. Worse, some of the traffic going to corp.com was coming from Microsoft’s internal networks, indicating some part of Microsoft’s own internal infrastructure was misconfigured. When O’Connor said he was ready to sell corp.com to the highest bidder in 2020, Microsoft agreed to buy the domain for an undisclosed amount.

“I kind of imagine this problem to be something like a town [that] knowingly built a water supply out of lead pipes, or vendors of those projects who knew but didn’t tell their customers,” O’Connor told KrebsOnSecurity. “This is not an inadvertent thing like Y2K where everybody was surprised by what happened. People knew and didn’t care.”

Worse Than FailureError'd: Forsooth

Elte Hupkes "Some weird Android behavior has my phone disconnecting from WiFi until I open it back up in the morning, triggering some backups. Unfortunately, WhatsApp Backup isn't a morning person."


"User Permissions - Small Town Midwest Style" is how Jeremy proposed to title this submission, explaining "This is how one particular school is set up in our district's library management system. I guess this makes it easier when a school secretary puts in a ticket saying: Janet is our new office assistant - please give her the same access that Barb had."


Confused Mark W. exclaimed "QR codes have sure changed!" That's the new combination QR-Captcha.


Quoth Tyler "While filling out some forms for an appointment, I had to select a language. I wonder if they'd actually have a translator available for old or middle English! The best worst part is, the appointment was for my newborn son and neither 'none', 'baby', nor 'gibberish' were alternative options."


Finally, The Beast in Black is back with a love letter from Google's lonelyhearts AI, reporting "Gmail's Smart Reply AI seems to REALLY like LinkedIn recruiters. Either that, or their LLM needs a teeny bit more work."


Sam VargheseThe ABC needs a journalist to head the organisation

The departure of David Anderson as the managing director of the ABC is not surprising, given that he was another management type trying to manage a news organisation and realising at last that weasel words and public relations do not really work when it comes to journalism.

In the past, the ABC has been at the forefront of producing simple but effective journalism, be it for the small screen or radio. That has meant displeasing a lot of people, especially those on the right side of politics, who apparently believe that when government money supports an organisation, its services can be used for their self-aggrandisement.

It is telling that none of the top three managers in the ABC has ever worked as a journalist. Justin Stevens has been a producer, Anderson is a management man, and Kim Williams has no experience in the trade either.

Under Ita Buttrose, the ABC started trying to convert itself to something akin to a streaming service. Given that its content does not stretch very far, this is a somewhat ridiculous exercise. News organisations that try to convert themselves into content providers – remember what happened to Fairfax Media under Fred Hillmer? – tend to go the way of the dodo. As Fairfax did.

The ABC’s latest attempt to make itself relevant tells the whole story of what is wrong with the organisation. Audience numbers are falling and the ABC’s reaction has been to go back to its original news music lead-in and redesign its TV sets. This is the equivalent of putting lipstick on a pig; the quality of its journalism and journalists has sunk to an alarming low and all these superficial changes will not improve that.

Many good journalists have left in despair as they have been asked to cater to the whims of a management team that knows nothing about journalism, but is more than willing to accept the kudos when they come. What the management is unprepared to do is to stand behind its journalists when increasingly nasty politicians seek to exact revenge for having been shown up.

Journalists, if they are true to their profession, will not look to be praised and lauded for what they do. And they will criticise both sides of politics when they err. They will not pander to anyone and avoid layering praise on every person who sucks up to them.

Alas, the ABC has gone in the opposite direction. Its journalists are more narcissists than anything else. News isn’t sacred, the journalists seek to project themselves rather than the subject of a story. In some news clips and programs, the amount of time that one sees the journalist’s face [from various angles] is often more than the time devoted to the subject of the story.

One classic example is a program called Stuff the British stole. It is about items which Britain carried away from colonies during its days of empire. Yet the promotion for this program does not show any of the items Britain took away; nay, it shows the chubby face of the presenter!

In recent times, the ABC has found itself incapable of creating any new programs of any substance. The answer has been to create soft, frothy shows that take little effort: quiz programs and the like. The ABC is also heavy on programs that cater to various groups; one example is a program where autistic people interview celebrities.

The ABC no longer makes any decent news and current affairs programs. Its lone current affairs program, called Insiders, is hosted by one David Speers, a man who tilts heavily to the right and is very good at avoiding any topics that could cause his side of politics to squirm.

Given the progressive deterioration over the years, it is unlikely that the ABC will improve the quality of both its programs and its journalists. Under Williams, it looks likely that things will continue to slide.

365 TomorrowsColder Ways

Author: Majoki The toy soldier guarded the corner of the commander’s makeshift field desk. The faded tin sentry with chipped red jacket, high peaked cap and bent bayonet stood upon the order. Especially in the age of cyberwar, such an order was on paper. Hand written. Delivered by flesh and blood. A reminder of what […]

The post Colder Ways appeared first on 365tomorrows.

Cryptogram Surveillance Watch

This is a fantastic project mapping the global surveillance industry.


Planet DebianThomas Goirand: Packaging Home Assistant

During Debconf, Edward Betts and I started packaging Home Assistant for Debian. It consists of hundreds of Python packages. So far, we have counted at least 675 packages. That’s a lot, though most packages are just libraries to talk to some IoT device or some API. It’s fairly easy to create a new package: it takes me about 15 to 20 minutes, probably half that time for Edward. And it’s a lot of fun. So far, in one month, we have managed to package about one third of the list (probably 200+ Python packages already). Once we’ve done all the dependencies, we may start to have fun with the core of the application! At the current speed, hopefully we’ll be done before the end of the year. Edward and I have sworn to make at least one package a day, which I’ve been doing so far, and Edward has done way more… We also received contributions from Silton0506, Tianyu, piotr, EiPi Fun, sourabhtk37, and Count-Dracula, as per the very bottom of the TODO list in the wiki (see link below).

If you have a bit of free time, we’d love to have more contributors. Here’s where to get the needed information:

We created a team in Salsa: https://salsa.debian.org/homeassistant-team/

Our TODO list: https://wiki.debian.org/Python/HomeAssistant

Our DDPO Q/A page: https://qa.debian.org/developer.php?login=team%2Bhomeassistant%40tracker.debian.org

Feel free to join us on IRC: #debian-homeassistant

Discussing this with a lot of people, I realized that A LOT of DDs are actually using Home Assistant. Wouldn’t you like it better if it was just an “apt install” away? Any DD can simply take a package from the wiki, open an ITP, upload its debianized source to Salsa, and upload to the Debian archive. Most are very easy, simple packages to make.

Planet DebianJonathan McDowell: Thoughts on Advent of Code + Rust

Diego wrote about his dislike for Advent of Code and that reminded me I hadn’t written up my experience from 2023. Mostly because, spoiler, I never actually completed it and always intended to do so and then write it up. I think it’s time to accept I’m not going to do that, and write down some thoughts before I forget all of them. These are somewhat vague, given the time that’s elapsed, but I think still relevant. You might also find Roger’s problem write up interesting.

I’ve tried AoC a couple of times before; I think I had a very brief attempt back in 2021, and I got 4 days in for 2022. For Advent of Code 2023 I tried much harder to actually complete the challenges, and got most of the way there. I didn’t allow myself to move on to the next day until fully completing the previous day, and didn’t end up doing the second half of December 24th, or any of December 25th.

Rust

First I want to talk about Rust, which is the language I chose to use for the problems. I’ve dabbled a little in it, but I’d like more familiarity with the basic language, and some programming problems seemed like a good way to get that. It’s a language I want to like; I’ve spent a lot of my career writing C, do more in Go these days, and generally think Rust promises a low level, run-time light environment like C but with the rough edges taken off.

I set myself the challenge of using just bare Rust; no external crates, no use of cargo. I was accused of playing on hard mode by doing this, but it really wasn’t the intention - I figured that I should be able to do what I needed without recourse to anything outside the core language, and didn’t want what seemed like the extra complexity of dealing with cargo.

That caused problems, however. I’m used to by-default generic error handling in Go through the error type, but Rust seems to have much more tightly typed errors. I was pointed at anyhow as the right way to do this in Rust. I still find this surprising; I ended up using unwrap() a lot when I think with more generic error handling I could have used ?.

The other thing I discovered is that by default rustc is heavy on the debug output. I got significantly better results on some of the solutions with rustc -O -C target-cpu=native source.rs. I probably shouldn’t be surprised by this, but worth noting.

Rust, to me, has a syntax only a C++ programmer could love. I am not a C++ programmer. Coming from C I found Go to be a nice, simple syntax to learn. Rust has not been the same. There’s a lot more punctuation, and it’s not always clear to me what it’s doing. This applies more when reading other people’s code than when writing it myself, obviously, but I see a lot of Rust code that could give Perl a run for its money in terms of looking like line noise.

The borrow checker didn’t bug me too much, but did add overhead to my thinking. The Rust compiler is generally very good at outputting helpful error messages when the programmer is an idiot. I ended up having to use a RefCell for one solution, and using .iter() for loops rather than explicit iterators (why, why is this different?). I also kept forgetting to explicitly mark variables as mutable when declaring them.

Things I liked? There’s a rich set of first class data types. Look, I’m a C programmer, I’m easily pleased. You give me some sort of hash array and I’ll be happy. Rust manages that, tuples, strings, all the standard bits any modern language can provide. The whole impl thing for adding methods to structures I like as a way of providing some abstraction, though I think Go has a nicer syntax for it. The compiler, as mentioned, is great at spitting out useful errors for the most part. Also although I wasn’t using external crates for AoC I do appreciate there’s a decent ecosystem there now (though that brings up another gripe: rust seems to still be a fairly fast moving target, to the extent I can no longer rely on the compiler in Debian stable to be able to compile random projects I find).

Advent of Code

Let’s talk about the advent of code bit now. Hopefully it’s long enough since it came out that this won’t be spoilers for anyone, but if you haven’t attempted the 2023 AoC and might, you might want to stop reading here.

First, a refresher on the format for those who might not be aware of it. Problems are posted daily from December 1st until the 25th. Each is in 2 parts; the second part is not viewable until you have provided the correct answer for the first part. There’s a whole leaderboard thing going on, but the puzzle opens at midnight UTC-5 so generally by the time I wake up and have time to look the problem has been solved many times over; no chance of getting listed.

Credit to AoC creator, Eric Wastl, for writing up the set of problems in an entertaining fashion. I quite enjoyed seeing how the puzzle would be phrased each day, and the whole thing obviously brings a lot of joy to folk I know.

I always start AoC thinking it’ll be a fun set of puzzles to solve. Then something happens and I miss a day or two, and all of a sudden I’ve a bunch of catching up to do and it’s all a bit more of a chore. I hit that at some points this time, but made a concerted effort to try and power through it.

That perseverance was required up front, because I found the second part of Day 1 to be ill specified, and had to iterate a few times to actually calculate the desired solution (IIRC, issues about whether sevenone at the end of a line ended up as 7 or 1 really tripped me up). I don’t recall any other problems that bit me as hard on the specification as this one, but it happening up front was unfortunate.
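Two of the points above, the `?`-based error propagation the Rust section wished for without pulling in a crate, and the Day 1 part 2 ambiguity where overlapping spelled-out digits such as "sevenone" have to count as both 7 and 1, in one added Rust example. This is my code, not the author's solution; it uses only the standard library, and the sample input lines are constructed, not the real puzzle data.

```rust
use std::error::Error;
use std::fmt;

/// Spelled-out digits; index + 1 is the digit's value.
const WORDS: [&str; 9] = [
    "one", "two", "three", "four", "five", "six", "seven", "eight", "nine",
];

/// A typed error for a line that contains no digit at all.
#[derive(Debug, PartialEq)]
pub struct NoDigit(pub String);

impl fmt::Display for NoDigit {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "no digit found in line {:?}", self.0)
    }
}

impl Error for NoDigit {}

/// The digit (numeric or spelled out) that starts at byte offset `i`, if any.
fn digit_at(line: &str, i: usize) -> Option<u32> {
    if !line.is_char_boundary(i) {
        return None; // never slice inside a multi-byte character
    }
    let rest = &line[i..];
    if let Some(d) = rest.chars().next().and_then(|c| c.to_digit(10)) {
        return Some(d);
    }
    WORDS
        .iter()
        .position(|w| rest.starts_with(*w))
        .map(|p| p as u32 + 1)
}

/// Calibration value of one line: first digit * 10 + last digit.
/// Every byte offset is examined, so overlapping words such as "sevenone"
/// yield both 7 and 1 rather than consuming "seven" and losing the "one".
pub fn calibration(line: &str) -> Result<u32, NoDigit> {
    let digits: Vec<u32> = (0..line.len())
        .filter_map(|i| digit_at(line, i))
        .collect();
    match (digits.first(), digits.last()) {
        (Some(first), Some(last)) => Ok(*first * 10 + *last),
        _ => Err(NoDigit(line.to_string())),
    }
}

/// Sum over all non-empty lines. `?` converts the concrete `NoDigit` into
/// `Box<dyn Error>` through the standard library's blanket `From` impl,
/// which is what lets a bare-Rust program avoid `unwrap()` everywhere.
pub fn solve(input: &str) -> Result<u32, Box<dyn Error>> {
    let mut total = 0;
    for line in input.lines().map(str::trim).filter(|l| !l.is_empty()) {
        total += calibration(line)?;
    }
    Ok(total)
}

/// Constructed sample input (not the real puzzle data): 29 + 83 + 71 = 183.
pub const SAMPLE: &str = "two1nine\neightwothree\nsevenone\n";

fn main() -> Result<(), Box<dyn Error>> {
    println!("{}", solve(SAMPLE)?);
    Ok(())
}
```

Compile it the way the post does, `rustc -O day1.rs && ./day1`. The design point is that a small concrete error type implementing `std::error::Error` is all `?` needs; boxing to `Box<dyn Error>` at the outer boundary gives the "generic" error handling the post missed, with the typed error still available to callers of `calibration` that want to match on it.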

The short example input doesn’t always help with this either; either it’s not enough to be able to extrapolate patterns, or it doesn’t show all the variations you need to account for (that aren’t fully specified in the text), or in a few cases it turned out I needed to understand the shape of the actual data to produce a solution that could actually complete in a reasonable time.

Which brings me to another matter, sometimes brute force doesn’t actually work. This is fine, but the second part of the day’s problem can change the approach you’d take. So sometimes I got lucky in the way I handled the first half, and doing the second half was a simple 5 minute tweak, and sometimes I had to entirely change the way I was storing data.

You might claim that if I was a better programmer I’d have always produced a first half solution that was amenable to extension for the second half. First, I dispute that; I think there are always situations where the problem domain can change in enough directions that you can’t handle all of them without a lot of effort. Secondly, I didn’t find AoC an environment that encouraged me to optimise for generic solutions. Maybe some of the puzzles in isolation would allow for that, but a month of daily problems to solve while still engaging in regular life meant I hacked things up, took short cuts based on the knowledge I had of the input data, etc, etc.

Overall I can see the appeal, but the sheer quantity and the fact I write code as part of my day job just made it feel too much like a chore, rather than a fun mental exercise. I did wonder how they’d look as a set of interview puzzles (obviously a subset, rather than all of them), but I’m not sure how you’d actually use them for that - I wouldn’t want anyone to have to solve them in a live interview.

So, in case it’s not obvious, I’m not planning to engage in AoC again this year. But I’m continuing to persevere with Rust (though most of my work stuff is thankfully still Go).

Planet DebianDebian Brasil: Debian Day 2024 in Natal/RN - Brazil

by Allythy

Debian Day is an annual event celebrating the birthday of Debian, one of the most important GNU/Linux distributions in Free Software, created on 16 August 1993 by Ian Murdock.

Last Saturday (17/08/2024), at Sebrae-RN, we celebrated 31 years of Debian in Natal, Rio Grande do Norte. The celebration, organised by PotiLivre (Comunidade Potiguar de Software Livre), highlighted Debian's 31 years of history. The event featured several talks and many discussions about Free Software. We had 70 registrations, and 40 people attended.

Debian Day in Natal was an occasion to celebrate Debian's trajectory and to reinforce the importance of Free Software.

Speakers

We are immensely grateful to Isaque Barbosa Martins, Eduardo de Souza Paixão and Fernando Guisso, who gave talks at this edition! Thank you for sharing so much knowledge with the community. We hope to see you again at future meetings!

Photo of the talk "Getting to know the Debian project"

Link to the Debian Day slides

Participants

A big thank you also to all the participants; we do this for you! We hope you learned something, had fun and made new connections within the community.

Participants of Debian Day Natal-RN

This edition of Debian Day Natal was organised by: Allythy, Clara Nobre, Gabriel Damazio and Marcel Ribeiro.

Planet DebianMatthew Garrett: What the fuck is an SBAT and why does everyone suddenly care

Short version: Secure Boot Advanced Targeting and if that's enough for you you can skip the rest you're welcome.

Long version: When UEFI Secure Boot was specified, everyone involved was, well, a touch naive. The basic security model of Secure Boot is that all the code that ends up running in a kernel-level privileged environment should be validated before execution - the firmware verifies the bootloader, the bootloader verifies the kernel, the kernel verifies any additional runtime loaded kernel code, and now we have a trusted environment to impose any other security policy we want. Obviously people might screw up, but the spec included a way to revoke any signed components that turned out not to be trustworthy: simply add the hash of the untrustworthy code to a variable, and then refuse to load anything with that hash even if it's signed with a trusted key.

Unfortunately, as it turns out, scale. Every Linux distribution that works in the Secure Boot ecosystem generates their own bootloader binaries, and each of them has a different hash. If there's a vulnerability identified in the source code for said bootloader, there's a large number of different binaries that need to be revoked. And, well, the storage available to store the variable containing all these hashes is limited. There's simply not enough space to add a new set of hashes every time it turns out that grub (a bootloader initially written for a simpler time when there was no boot security and which has several separate image parsers and also a font parser and look you know where this is going) has another mechanism for a hostile actor to cause it to execute arbitrary code, so another solution was needed.

And that solution is SBAT. The general concept behind SBAT is pretty straightforward. Every important component in the boot chain declares a security generation that's incorporated into the signed binary. When a vulnerability is identified and fixed, that generation is incremented. An update can then be pushed that defines a minimum generation - boot components will look at the next item in the chain, compare its name and generation number to the ones stored in a firmware variable, and decide whether or not to execute it based on that. Instead of having to revoke a large number of individual hashes, it becomes possible to push one update that simply says "Any version of grub with a security generation below this number is considered untrustworthy".

So why is this suddenly relevant? SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we've seen real world examples of malware wanting to do that (Black Lotus did so using a vulnerability in the Windows bootloader, but a vulnerability in grub would be just as viable for this). Viewed purely from a security perspective, this was a legitimate thing to want to do.

(An aside: the "Something has gone seriously wrong" message that's associated with people having a bad time as a result of this update? That's a message from shim, not any Microsoft code. Shim pays attention to SBAT updates in order to avoid violating the security assumptions made by other bootloaders on the system, so even though it was Microsoft that pushed the SBAT update, it's the Linux bootloader that refuses to run old versions of grub as a result. This is absolutely working as intended.)

The problem we've ended up in is that several Linux distributions had not shipped versions of grub with a newer security generation, and so those versions of grub are assumed to be insecure (it's worth noting that grub is signed by individual distributions, not Microsoft, so there's no externally introduced lag here). Microsoft's stated intention was that Windows Update would only apply the SBAT update to systems that were Windows-only, and any dual-boot setups would instead be left vulnerable to attack until the installed distro updated its grub and shipped an SBAT update itself. Unfortunately, as is now obvious, that didn't work as intended and at least some dual-boot setups applied the update and that distribution's Shim refused to boot that distribution's grub.

What's the summary? Microsoft (understandably) didn't want it to be possible to attack Windows by using a vulnerable version of grub that could be tricked into executing arbitrary code and then introduce a bootkit into the Windows kernel during boot. Microsoft did this by pushing a Windows Update that updated the SBAT variable to indicate that known-vulnerable versions of grub shouldn't be allowed to boot on those systems. The distribution-provided Shim first-stage bootloader read this variable, read the SBAT section from the installed copy of grub, realised these conflicted, and refused to boot grub with the "Something has gone seriously wrong" message. This update was not supposed to apply to dual-boot systems, but did anyway. Basically:

1) Microsoft applied an update to systems where that update shouldn't have been applied
2) Some Linux distros failed to update their grub code and SBAT security generation when exploitable security vulnerabilities were identified in grub
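The generation check described above, both in the "every component declares a security generation" paragraph and in the summary of what shim did with the variable and grub's SBAT section, modelled in Rust as an added example. This is not shim's code: the six-field CSV row layout, the component names, generations, dates and URLs are all constructed samples for the example, and a real policy variable would be read from firmware rather than from a string.

```rust
use std::collections::HashMap;

/// One row of an SBAT CSV section: component name, its security generation,
/// then vendor metadata that the generation check never looks at.
#[derive(Debug, Clone, PartialEq)]
pub struct SbatEntry {
    pub component: String,
    pub generation: u32,
    pub vendor_fields: Vec<String>,
}

/// Parse the CSV text of a binary's .sbat section (the policy variable is
/// modelled with the same shape). Fields contain no commas in this model, so a
/// plain split suffices; a row without a numeric generation is an error, not
/// something to skip, because skipping would silently weaken the check.
pub fn parse_sbat(text: &str) -> Result<Vec<SbatEntry>, String> {
    let mut entries = Vec::new();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let fields: Vec<&str> = line.split(',').map(str::trim).collect();
        if fields.len() < 2 {
            return Err(format!("line {}: expected name,generation", n + 1));
        }
        let generation = fields[1]
            .parse::<u32>()
            .map_err(|e| format!("line {}: bad generation {:?}: {}", n + 1, fields[1], e))?;
        entries.push(SbatEntry {
            component: fields[0].to_string(),
            generation,
            vendor_fields: fields[2..].iter().map(|s| s.to_string()).collect(),
        });
    }
    Ok(entries)
}

/// The revocation policy: minimum acceptable generation per component name.
pub fn parse_policy(text: &str) -> Result<HashMap<String, u32>, String> {
    Ok(parse_sbat(text)?
        .into_iter()
        .map(|e| (e.component, e.generation))
        .collect())
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed,
    /// The component that failed, its generation in the binary, and the policy minimum.
    Revoked { component: String, found: u32, required: u32 },
}

/// The decision the post describes: for every component the binary declares,
/// if the policy names that component, the binary's generation must reach the
/// policy's minimum or the binary is refused. Components the policy does not
/// mention are unconstrained, which is what lets one update revoke every old
/// grub build at once without listing individual hashes.
pub fn check_sbat(binary: &[SbatEntry], policy: &HashMap<String, u32>) -> Verdict {
    for e in binary {
        if let Some(&required) = policy.get(&e.component) {
            if e.generation < required {
                return Verdict::Revoked {
                    component: e.component.clone(),
                    found: e.generation,
                    required,
                };
            }
        }
    }
    Verdict::Allowed
}

/// Constructed samples: a grub built before the generation bump and one after.
pub const OLD_GRUB_SBAT: &str = "\
sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md
grub,3,Free Software Foundation,grub,2.12,https://example.invalid/grub
grub.distro,1,Example Distro,grub2,2.12-1,https://example.invalid/distro-grub
";
pub const NEW_GRUB_SBAT: &str = "\
sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://example.invalid/grub
grub.distro,2,Example Distro,grub2,2.12-2,https://example.invalid/distro-grub
";
/// Constructed policy: "any grub with a security generation below 4 is untrustworthy".
pub const POLICY: &str = "sbat,1,2024010100\ngrub,4\n";

fn main() {
    let policy = parse_policy(POLICY).expect("policy parses");
    for (name, text) in [("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)] {
        let entries = parse_sbat(text).expect("sbat section parses");
        println!("{}: {:?}", name, check_sbat(&entries, &policy));
    }
}
```

Run it with `rustc sbat.rs && ./sbat`: the old build is reported as revoked on `grub` (found 3, required 4) and the new one as allowed. The model also makes the dual-boot failure mode visible: the policy string is the same whoever wrote it, so once the variable holds `grub,4`, a distribution that never rebuilt and re-signed grub with generation 4 will have its own shim refuse its own grub, exactly as the post describes.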

The outcome is that some people can't boot their systems. I think there's plenty of blame here. Microsoft should have done more testing to ensure that dual-boot setups could be identified accurately. But also distributions shipping signed bootloaders should make sure that they're updating those and updating the security generation to match, because otherwise they're shipping a vector that can be used to attack other operating systems and that's kind of a violation of the social contract around all of this.

It's unfortunate that the victims here are largely end users faced with a system that suddenly refuses to boot the OS they want to boot. That should never happen. I don't think asking arbitrary end users whether they want secure boot updates is likely to result in good outcomes, and while I vaguely tend towards UEFI Secure Boot not being something that benefits most end users it's also a thing you really don't want to discover you want after the fact so I have sympathy for it being default on, so I do sympathise with Microsoft's choices here, other than the failed attempt to avoid the update on dual boot systems.

Anyway. I was extremely involved in the implementation of this for Linux back in 2012 and wrote the first prototype of Shim (which is now a massively better bootloader maintained by a wider set of people and that I haven't touched in years), so if you want to blame an individual please do feel free to blame me. This is something that shouldn't have happened, and unless you're either Microsoft or a Linux distribution it's not your fault. I'm sorry.


Worse Than FailureCodeSOD: Maximally Zero

Today's anonymous submitter found some Java code which finds the largest value in a quartet of floats. Now, the code is quite old, so it actually predates varargs in Java. That doesn't excuse any of what you're about to see.

public float CalculateMaximumValue(float a, float b, float c, float d) {
	int i = 0;
	float[] arr = new float[] { 0, 0, 0, 0 };
	float gtval = 0;

	for (i = 0; i < 4; i++) {
		arr[i] = 0;
	}
	arr[0] = a;
	arr[1] = b;
	arr[2] = c;
	arr[3] = d;
	gtval = arr[0];
	for (i = 0; i < 4; i++) {
		if (arr[i] > gtval) {
			gtval = arr[i];
		}

	}

	return gtval;

}

The best thing I can say about this is that they didn't use some tortured expansion of every possible comparison:

if (a > b && a > c && a > d) return a;
if (b > a && b > c && b > d) return b;
…

Honestly, that would be awful, but I'd prefer it. This just makes my eyes sting when I look at it.

But let's trace through it, because each step is dumb.

We start by creating an empty array, where every value is initialized to zero. This isn't necessary, as that's what Java does by default. But then, we loop across the array to set things to zero one more time, just to be sure.

Once we're convinced every value is definitely zero, we replace those zeroes with the real values. Then we can loop across the array and find the largest value with straightforward comparisons.

This code is, in some ways, the worst kind of code. It's bad, but not so bad as it's ever going to cause real, serious problems. No one is going to see any bugs or inefficiencies coming from this method. It's just an ugly mess that's going to sit there in that codebase until the entire thing gets junked, someday. It's just an irritant that never rises to the level of frustration which drives action.


365 TomorrowsThe Most Vicious Cycle

Author: Philip G Hostetler The project began as deep space exploration. All that was found was uninhabitable, far flung planetoids and asteroids, space, and more space. And finally, the edge of space, that was the most salient discovery we made and a puzzling phenomena. We found that space was moving into a metaphysical oblivion, that […]

The post The Most Vicious Cycle appeared first on 365tomorrows.


Planet DebianJonathan Dowland: ouch, part 2

Things developed since my last post. Some lesions opened up on my ankle which was initially good news: the pain substantially reduced. But they didn’t heal fast enough and so medics decided on surgical debridement. That was last night. It seemed to be successful and I’m in recovery from surgery as I write. It’s hard to predict the near-future, a lot depends on how well and fast I heal.

I’ve got a negative-pressure dressing on it, which is incredible: a constantly maintained suction to aid in debridement and healing. Modern medicine feels like a sci fi novel.

Cryptogram Story of an Undercover CIA Agent who Penetrated Al Qaeda

Rolling Stone has a long investigative story (non-paywalled version here) about a CIA agent who spent years posing as an Islamic radical.

Unrelated, but also in the “real life spies” file: a fake Sudanese diving resort run by Mossad.

Worse Than FailureCodeSOD: Do a Flip

Kendall found some recently written code, and had to wonder, "Who wrote this crap?" Much to Kendall's disappointment, source control knew who wrote it: Kendall.

if (x < 0.0)
{
        x += 0.0 - x;
        width -= 0.0 - x;
}

Kendall didn't share the purpose of this code, but based on starting with a less-than-zero check, I suspect the goal was to do something akin to an absolute value. If x is less than zero, make it positive.

That's certainly what was attempted. 0.0 - x, where x < 0 would be the same as x * -1. Unfortunately, Kendall added that to x, making x zero.

As with a disappointingly large quantity of bad code, this got committed without any tests, rolled out to production, and created head-scratching bugs for months. Eventually, the bugs became annoying enough that they bubbled up to the top of the priority list, and Kendall was tasked with fixing them.

The other reason I think the goal was essentially an absolute value operation is Kendall's commentary:

Aside from the major bug, this code is a sure indicator of overthinking things.

It is an overly complex way to flip the sign, yes. But "overthinking?"

The line between overthinking and underthinking is a thin line indeed.


365 TomorrowsI remember the shadow

Author: Bryan Pastor Sitting there in a car waiting for my date to come out, it had caught my eye, standing still like the sail of a ship in a dead calm sea, trying to blend with a hedgerow in the dying light of dusk. My eyes were fixed on it, made out the details, […]

The post I remember the shadow appeared first on 365tomorrows.

Planet DebianRuss Allbery: Review: These Burning Stars

Review: These Burning Stars, by Bethany Jacobs

Series: Kindom Trilogy #1
Publisher: Orbit
Copyright: October 2023
ISBN: 0-316-46342-6
Format: Kindle
Pages: 430

These Burning Stars is a science fiction thriller with cyberpunk vibes. It is Bethany Jacobs's first novel and the first of an expected trilogy, and won the 2024 Philip K. Dick Award for the best SF paperback original published in the US.

Generation starships brought humanity to the three star systems of the Treble, where they've built a new and thriving culture of billions. The Treble is ruled by the Kindom, a tripartite government structure built around the worship of six gods and the aristocratic power of the First Families. The Clerisy handle religion, the Secretaries run the bureaucracy, and the Cloaksaan enforce the decisions of the other branches.

The Nightfoots are one of the First Families. They control sevite, the propellant required to move between the systems of the Treble now that the moon Jeve and the sole source of natural jevite has been destroyed. Esek Nightfoot is a cleric, theoretically following the rules of the Clerisy, but she has made a career of training cloaksaan. She is mercurial, powerful, ruthless, ambitious, politically well-connected, and greatly feared. She is also obsessed with a person named Six: an orphan she first encountered at a training school who was too young to have a gender or a name but who was already one of the best fighters in the school. In the sort of manipulative challenge typical of Esek, she dangled the offer of a place as a student and challenged the child to learn enough to do something impressive. The subsequent twenty years of elusive taunts and mysterious gifts from the impossible-to-locate Six have driven Esek wild.

Cleric Chono was beside Esek for much of that time. One of Six's classmates and another of Esek's rescues, Chono is the rare student who became a cleric rather than a cloaksaan. She is pious, cautious, and careful, the opposite of Esek's mercurial rage, but it's impossible to spend that much time around the woman and not be affected and manipulated by her. As this story opens, Chono is summoned by the First Cleric to join Esek on an assignment: recover a data coin that was stolen from a pirate raid on the Nightfoot compound. He refuses to tell them what data is on it, only saying that he believes it could be used to undermine public trust in the Nightfoot family.

Jun is a hacker with considerably fewer connections to power or government and no desire to meet any of these people. She and her partner Liis make a dubiously legal living from smaller, quieter jobs. Buying a collection of stolen data coins for an archivist consortium is riskier than she prefers, but she's been tracking down rumors of this coin for months. The deal is worth a lot of money, enough to make a huge difference for her family.

This is the second book I've read recently with strong cyberpunk vibes, although These Burning Stars mixes them with political thriller. This is a messy world with complicated political and religious systems, a lot of contentious history, and vast inequality. The story is told in two interleaved time sequences: the present-day fight over the data coin and the information that it contains, and a sequence of flashbacks telling the history of Esek's relationship with Six and Chono. Jun's story is the most cyberpunk and the one I found the most enjoyable to read, but Chono is a good viewpoint character for Esek's vicious energy and abusive charisma.

Six is not a viewpoint character. For most of the book, they're present mostly in shadows, glimpses, and consequences, but they're the strongest character of the book. Both Esek and Six are larger than life, creatures of legend stuffed into mundane politics but too full of strong emotions, both good and bad, to play by any of the rules. Esek has the power base and access to the levers of government, but Six's quiet competence and mercilessly targeted morality may make them the more dangerous of the pair.

I found the twisty political thriller part of this book engrossing and very difficult to put down, but it was also a bit too much drama for me in places. Jacobs has some surprises in store, one of which I did not expect at all, and they're set up beautifully and well-done within the story, but Esek and Six become an emotional star that the other characters orbit around and are in danger of getting pulled into. Chono is an accomplished and powerful character in her own right, but she's also an abuse victim, and while those parts are realistic, I didn't entirely enjoy reading them. There is quiet competence here alongside the drama, but I think I wanted the balance of emotion to tip a bit more towards the competence.

There is one thing that Jacobs does with the end of the book that greatly impressed me. Unfortunately I can't even hint at it for fear of spoilers, but the ending is unsettling in a way that I found surprising and thought-provoking. I think what I can say is that this book respects the intelligence and skill of secondary characters in a way that I think is rare in a story with such overwhelming protagonists. I'm still thinking about that, and it's going to pull me right into the sequel.

This is not going to be to everyone's taste. Esek is a viewpoint character and she can be very nasty. There's a lot of violence and abuse, including one rather graphic fight scene that I thought dragged on much longer than it needed to. But it's a satisfying, complex story with a true variety of characters and some real surprises. I'm glad I read it.

Followed by On Vicious Worlds, not yet published as I write this.

Content warnings: emotional and physical abuse, graphic violence, off-screen rape and sexual abuse of minors.

Rating: 7 out of 10

Planet DebianDirk Eddelbuettel: RcppMagicEnum 0.0.1 on CRAN: New Package!

Happy to announce a new package: RcppMagicEnum. It arrived on CRAN yesterday, once normal service resumed after the CRAN summer break. RcppMagicEnum brings the magic_enum library by Daniil Goncharov to R.

Modern C++ is powerful, but still lacks reflection. This may change with C++26, but until then this library can help. A simple example, also shown in the README, is as follows (it can be called from R via Rcpp::sourceCpp() if the RcppMagicEnum package is installed):

It produces the following output (where the ‘meta-comment’ at the end ensures the included and created-by-sourcing function example() is also called):

The plan is to experiment some more with this and then see if we could possibly make factor variables map to such enums and vice versa. Help and discussion input is always welcome, and can be submitted either on the rcpp-devel list or as an issue at the repo.

The short NEWS entry follows.

Changes in version 0.0.1 (2024-07-31)

  • Initial version and CRAN upload

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

,

Planet DebianDebian Brasil: Debian Day 2024 in Santa Maria - Brazil

by Andrew Gonçalves

Debian Day in Santa Maria - RS 2024 was held after a 5-year hiatus from the previous version of the event. It took place on the morning of August 16, in the Blue Hall of the Franciscan University (UFN) with support from the Debian community and the Computing Practices Laboratory of UFN.

The event was attended by students from all semesters of the Computer Science, Digital Games and Information Systems courses, and during a coffee break we had the opportunity to talk to the participants.

Around 60 students attended an introductory talk on Free and Open Source Software and Linux, and were introduced to the Debian project: the philosophy of the project, how it works in practice, and the opportunities that have opened up for participants by being part of Debian.

After the talk, a packaging demonstration was given by local DD Francisco Vilmar, who demonstrated in practice how software packaging works in Debian.

I would like to thank all the people who helped us:

  • Debian Project
  • Professor Ana Paula Canal (UFN)
  • Professor Sylvio André Garcia (UFN)
  • Laboratory of Computing Practices
  • Francisco Vilmar (local DD)

And thanks to all the participants who attended this event asking intriguing questions and taking an interest in the world of Free Software.

Photos:

DD em Santa Maria 1 DD em Santa Maria 2 DD em Santa Maria 3 DD em Santa Maria 4

Planet DebianDebian Brasil: Debian Day 2024 in Santa Maria/RS - Brazil

by Andrew Gonçalves

Debian Day in Santa Maria - RS 2024 was held after a 5-year hiatus. It took place on the morning of 16 August 2024 in the Blue Hall of the Franciscan University (UFN), with support from the Debian community and the UFN Computing Practices Laboratory.

The event was attended by students from all semesters of the Computer Science, Digital Games and Information Systems courses, and during a coffee break we had the opportunity to talk to the participants.

Around 60 students attended an introductory talk on Free and Open Source Software and Linux, and were introduced to the Debian project: the philosophy of the project, how it works in practice, and the opportunities that have opened up for participants by being part of Debian.

After the talk, a packaging demonstration was given by local DD Francisco Vilmar, who showed in practice how software packaging works in Debian.

I would like to thank all the people who helped us:

  • Debian Project
  • Professor Ana Paula Canal (UFN)
  • Professor Sylvio André Garcia
  • Computing Practices Laboratory
  • Francisco Vilmar (local DD)

And a big thank you to all the participants who joined us at this event, asking intriguing questions and taking an interest in the world of Free Software.

Some photos:

DD em Santa Maria 1 DD em Santa Maria 2 DD em Santa Maria 3 DD em Santa Maria 4

Worse Than FailureCodeSOD: Exceptional Control

Sebastian started a new job recently. Like a lot of "I started a new job" stories, this one starts with a 1,000-line class definition. What's notable about this one, however, is that most of that code is error handling. Now, you might think to yourself, "well, there's nothing inherently wrong with loads of error handling, if the problem calls for it."

This code is getting posted here. Do you think the problem calls for it?

object Method1(MyOtherClass parameter)
{
    try
    {
        // The contract check throws inside the very try block that will catch it.
        if(parameter == null) throw new ArgumentNullException();

        //... 5 lines of code
    }
    #region catching
    catch(FormatException)
    {
        return null;
    }
    catch(InvalidOperationException)
    {
        return null;
    }
    // Root of the hierarchy: every remaining failure, including the
    // ArgumentNullException thrown above, collapses to the same null.
    catch(Exception)
    {
        return null;
    }
    #endregion
}

bool Method2(MyOtherClass parameter)
{
    try
    {
        var result = Method1(parameter);
        // A null from Method1 (i.e. any exception it swallowed) is turned
        // back into an exception, thrown only to be caught a few lines below.
        if(result == null)
            throw new Exception();

        // ... 3 lines of code
    }
    catch(Exception)
    {
        return false;
    }
}

Names have been anonymized by Sebastian.

We open with a mostly reasonable bit of code- if the input parameter violates our contract, we throw an exception. I don't love exceptions for communicating contract violations- it's much better if you can enforce that at compile time- but I won't fault anyone for that. But gee, isn't it a bit odd that we throw that exception inside of a try block?

Oh, that's because we catch the exceptions and return null. The fact that we catch multiple kinds of exceptions and just return null is already bad. It gets worse when we note that the last caught exception is Exception, the root of all exception classes.

Normally, when we talk about the anti-pattern of using exceptions for flow control, we tend to think of them as spicy gotos, which is exactly what's happening here. It's just… we've removed the spice. It's Minnesota Spicy Gotos, where three grains of black pepper are too much zing. We're jumping to the appropriate return statement, when the throw could simply have been replaced with a return. And you can't even say that they're trying to follow the rule of "only have one return".

The calling function makes the whole pattern worse. We invoke Method1, and if it returns null (that is to say, if it throws and catches its own exception), we… throw another exception. Which leads us to a return false.

Sebastian tells us that this 1kloc class is about 70% error handling code, by volume, and as we can see, none of these errors need to happen.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Cryptogram Hacking Wireless Bicycle Shifters

This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually implement this attack.

Research paper. Another news story.

Slashdot thread.

365 TomorrowsHope of Green

Author: E. S. Foster The weeds along the pathway clung to my IMRA uniform. The High Witch glared at me as I stumbled over diamond-patterned sticks. “We have no cause for your people here,” she repeated. Her staff—a branch braided with moss and who knew what else—swung toward my head. I reeled backward, almost tripping […]

The post Hope of Green appeared first on 365tomorrows.

Planet DebianDirk Eddelbuettel: digest 0.6.37 on CRAN: Maintenance

Release 0.6.37 of the digest package arrived at CRAN today and has also been uploaded to Debian.

digest creates hash digests of arbitrary R objects. It can use a number of different hashing algorithms (md5, sha-1, sha-256, sha-512, crc32, xxhash32, xxhash64, murmur32, spookyhash, blake3, crc32c, xxh3_64 and xxh3_128), and enables easy comparison of (potentially large and nested) R language objects as it relies on the native serialization in R. It is a mature and widely-used package (with 70.8 million downloads just on the partial cloud mirrors of CRAN which keep logs), as many tasks involve caching of objects for which it provides convenient general-purpose hash key generation to quickly identify the various objects.

This release updates one of the different hashing source functions which, to remain close to its upstream, used Free() and Calloc() (uppercased to use the R allocator) but not the prefixed, stricter versions R_Free() and R_Calloc(). R will switch to enforcing these in the next release next year. Kevin had noticed (while doing some other testing) that this now fails under R-devel (with a switch set), and prepared a very nice and clean PR to take care of it. As of today, CRAN is now sending ‘please fix, or else …’ notes, so it was a good time to send this to CRAN. We also updated some remaining http URLs in the README.md to https, and switched the Author/Maintainer fields to the now also mandatory Authors@R.

My CRANberries provides a summary of changes to the previous version. For questions or comments use the issue tracker off the GitHub repo. For documentation (including the changelog) see the documentation site.

If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

,

Planet DebianMatthew Garrett: Client-side filtering of private data is a bad idea

(The issues described in this post have been fixed, I have not exhaustively researched whether any other issues exist)

Feeld is a dating app aimed largely at alternative relationship communities (think "classier Fetlife" for the most part), so unsurprisingly it's fairly popular in San Francisco. Their website makes the claim:

Can people see what or who I'm looking for?
No. You're the only person who can see which genders or sexualities you're looking for. Your curiosity and privacy are always protected.


which is based on you being able to restrict searches to people of specific genders, sexualities, or relationship situations. This sort of claim is one of those things that just sits in the back of my head worrying me, so I checked it out.

First step was to grab a copy of the Android APK (there are multiple sites that scrape them from the Play Store) and run it through apk-mitm - Android apps by default don't trust any additional certificates in the device certificate store, and also frequently implement certificate pinning. apk-mitm pulls apart the apk, looks for known http libraries, disables pinning, and sets the appropriate manifest options for the app to trust additional certificates. Then I set up mitmproxy, installed the cert on a test phone, and installed the app. Now I was ready to start.

What became immediately clear was that the app was using graphql to query. What was a little more surprising is that it appears to have been implemented such that there's no server state - when browsing profiles, the client requests a batch of profiles along with a list of profiles that the client has already seen. This has the advantage that the server doesn't need to keep track of a session, but also means that queries just keep getting larger and larger the more you swipe. I'm not a web developer, I have absolutely no idea what the tradeoffs are here, so I point this out as a point of interest rather than anything else.

Anyway. For people unfamiliar with graphql, it's basically a way to query a database and define the set of fields you want returned. Let's take the example of requesting a user's profile. You'd provide the profile ID in question, and request their bio, age, rough distance, status, photos, and other bits of data that the client should show. So far so good. But what happens if we request other data?

graphql supports introspection to request a copy of the database schema, but this feature is optional and was disabled in this case. Could I find this data anywhere else? Pulling apart the apk revealed that it's a React Native app, so effectively a framework for allowing writing of native apps in Javascript. Sometimes you'll be lucky and find the actual Javascript source there, but these days it's more common to find Hermes blobs. Fortunately hermes-dec exists and does a decent job of recovering something that approximates the original input, and from this I was able to find various lists of database fields.

So, remember that original FAQ statement, that your desires would never be shown to anyone else? One of the fields mentioned in the app was "lookingFor", a field that wasn't present in the default profile query. What happens if we perform the incredibly complicated hack of exporting a profile query as a curl statement, add "lookingFor" into the set of requested fields, and run it?

Oops.

So, point 1 is that you can't simply protect data by having your client not ask for it - private data must never be released. But there was a whole separate class of issue that was an even more obvious issue.

Looking more closely at the profile data returned, I noticed that there were fields there that weren't being displayed in the UI. Those included things like "ageRange", the range of ages that the profile owner was interested in, and also whether the profile owner had already "liked" or "disliked" your profile (which means a bunch of the profiles you see may already have turned you down, but the app simply didn't show that). This isn't ideal, but what was more concerning was that profiles that were flagged as hidden were still being sent to the app and then just not displayed to the user. Another example of this is that the app supports associating your profile with profiles belonging to partners - if one of those profiles was then hidden, the app would stop showing the partnership, but was still providing the profile ID in the query response and querying that ID would still show the hidden profile contents.

Reporting this was inconvenient. There was no security contact listed on the website or in the app. I ended up finding Feeld's head of trust and safety on Linkedin, paying for a month of Linkedin Pro, and messaging them that way. I was then directed towards a HackerOne program with a link to terms and conditions that 404ed, and it took a while to convince them I was uninterested in signing up to a program without explicit terms and conditions. Finally I was just asked to email security@, and successfully got in touch. I heard nothing back, but after prompting was told that the issues were fixed - I then looked some more, found another example of the same sort of issue, and eventually that was fixed as well. I've now been informed that work has been done to ensure that this entire class of issue has been dealt with, but I haven't done any significant amount of work to ensure that that's the case.

You can't trust clients. You can't give them information and assume they'll never show it to anyone. You can't put private data in a database with no additional acls and just rely on nobody ever asking for it. You also can't find a single instance of this sort of issue and fix it without verifying that there aren't other examples of the same class. I'm glad that Feeld engaged with me earnestly and fixed these issues, and I really do hope that this has altered their development model such that it's not something that comes up again in future.

(Edit to add: as far as I can tell, pictures tagged as "private" which are only supposed to be visible if there's a match were appropriately protected, and while there is a "location" field that contains latitude and longitude this appears to only return 0 rather than leaking precise location. I also saw no evidence that email addresses, real names, or any billing data was leaked in any way)
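The two failure classes in this post, a sensitive field the server hands over on request merely because the shipped client never asks for it, and hidden profiles or undisplayed fields that are sent to the client and only suppressed in the UI, both come down to authorization living in the wrong place. The following is an added example, not Feeld's code, of a profile resolver that decides per viewer, on the server, which fields may be read and which profiles exist at all. The profile records, the owner/other relationship model and the helper names are constructed for illustration; only the field names (`lookingFor`, `ageRange`, `likedYou`, `hidden`) echo the ones mentioned in the post.

```python
"""Per-viewer field authorization for a profile query, enforced on the server.

Added example (not Feeld's code). Profile records, field names and the
owner/other relationship model are constructed for illustration.
"""

# Constructed sample records. Values are invented.
PROFILES = {
    "p1": {"id": "p1", "bio": "hi there", "age": 31,
           "lookingFor": ["women"], "ageRange": [25, 40],
           "likedYou": True, "hidden": False},
    "p2": {"id": "p2", "bio": "not visible", "age": 28,
           "lookingFor": ["men"], "ageRange": [20, 30],
           "likedYou": False, "hidden": True},
}

# Allowlists. A field absent from both sets is denied to everyone, so a
# newly added column is private by default until someone decides to expose it.
PUBLIC_FIELDS = {"id", "bio", "age"}
OWNER_ONLY_FIELDS = {"lookingFor", "ageRange", "likedYou", "hidden"}


class Forbidden(Exception):
    """Raised for any request the viewer is not entitled to."""


def resolve_profile_unsafe(viewer_id, profile_id, requested):
    """The anti-pattern: the server returns whatever fields the client names.

    Privacy here rests entirely on the shipped client not asking for
    `lookingFor`, which is exactly what editing the exported curl command defeats.
    """
    record = PROFILES[profile_id]
    return {f: record[f] for f in requested}


def denied_fields(viewer_id, profile_id, requested):
    """Fields in `requested` that `viewer_id` may not read on `profile_id`."""
    allowed = set(PUBLIC_FIELDS)
    if viewer_id == profile_id:
        allowed |= OWNER_ONLY_FIELDS
    return set(requested) - allowed


def resolve_profile(viewer_id, profile_id, requested):
    """Hardened resolver: authorization is decided here, not in the client."""
    record = PROFILES.get(profile_id)
    # Hidden profiles are unavailable to everyone but their owner, and the
    # answer is indistinguishable from "no such profile", so holding a stale
    # ID (e.g. from a dissolved partnership) gives an attacker no oracle.
    if record is None or (record["hidden"] and viewer_id != profile_id):
        raise Forbidden("profile not available")
    denied = denied_fields(viewer_id, profile_id, requested)
    if denied:
        # Reject instead of silently dropping: a client that asks for
        # lookingFor on another user's profile is probing, not mistyping.
        raise Forbidden(f"fields not permitted: {sorted(denied)}")
    return {f: record[f] for f in requested}


def browse(viewer_id, seen):
    """Batch of profile cards for swiping.

    Hidden profiles are filtered here, server-side; the client never receives
    a record it is then expected to suppress.
    """
    cards = []
    for pid, record in PROFILES.items():
        if pid == viewer_id or pid in seen or record["hidden"]:
            continue
        cards.append({f: record[f] for f in sorted(PUBLIC_FIELDS)})
    return cards


def is_forbidden(viewer_id, profile_id, requested):
    """True if the hardened resolver refuses this request (for demos/tests)."""
    try:
        resolve_profile(viewer_id, profile_id, requested)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(resolve_profile_unsafe("p9", "p1", ["bio", "lookingFor"]))  # leaks lookingFor
    print(is_forbidden("p9", "p1", ["bio", "lookingFor"]))            # True
    print(browse("p9", seen=set()))                                    # p1 only, p2 is hidden
```

The allowlist is deliberately the only place a field becomes readable: the same schema audit that found `lookingFor` in the Hermes bundle would, against this resolver, find a field name but get a refusal rather than a value, and a hidden profile's ID is worthless because the server answers as if it did not exist.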


Krebs on SecurityNational Public Data Published Its Own Passwords

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and passwords for the site’s administrators.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”

“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly.

The best advice for those concerned about this breach is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

A freeze is a good idea because all of the information that ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.

Screenshots of a Telegram-based ID theft service that was selling background reports using hacked law enforcement accounts at USInfoSearch.

There are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots.

In November 2023, KrebsOnSecurity wrote about one such service, which was being powered by hacked accounts at the U.S. consumer data broker USInfoSearch.com. This is notable because the leaked source code indicates Records Check pulled background reports on people by querying NPD’s database and records at USInfoSearch. KrebsOnSecurity sought comment from USInfoSearch and will update this story if they respond.

The point is, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you’ll need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to view and freeze your credit file. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them. Dispute any inaccuracies you may find.

Worse Than FailureRepresentative Line: Tern on the Error Message

When discussing ternaries, we also have to discuss readability. While short and concise, they're in some ways too compact. But don't worry, Mark's co-worker has a wonderful simplification to ternaries. This representative line is a pattern used throughout the codebase.

pnlErrorMessage.Visible = !string.IsNullOrEmpty(errorMsg) ? true : false;

This is genius, as the ternary becomes documentation for a boolean expression, telling us when we're setting things to true or false without having to think about what the expression we're evaluating means. If there is an error message, we set the error message UI element's visibility to true. Explicit, verbose, and readable.

What we're really looking at here is the ol':

if (expression)
    return true;
else
    return false;

pattern, compressed into a single ternary. Annoying, useless, and a hint that our developer doesn't understand booleans.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

365 TomorrowsShips in the Night

Author: Julian Miles, Staff Writer The room used to be part of a well-appointed apartment. Under the ravages of damp and neglect, it looks like it was abandoned hurriedly. If you peer through the grimy windows and look down, you’ll see waves breaking against ruined shopfronts, and seagulls perched upon tide-tossed vehicles. In one corner […]

The post Ships in the Night appeared first on 365tomorrows.

,

Planet DebianGunnar Wolf: The social media my blog –as well as some other sites I publish in– is pushed to will soon stop receiving updates

For many years, I have been using the dlvr.it service to echo my online activity to where more people can follow it. Namely, I write in the following sources:

Via dlvr.it’s services, all those posts are “echoed” to Gwolfwolf in X (Twitter) and to the Gunnarwolfi page in Facebook. I use neither platform as a human (that is, I never log in there).

Anyway, dlvr.it sent me a mail stating they would soon (as in, the next few weeks) be cutting their free tier. And, although I value their services and am thankful for their value so far, I am not going to pay for my personal stuff to be reposted to social media.

So, this post’s mission is twofold:

  1. If you follow me via any of those media, you will soon not be following me anymore 😉
  2. If you know of any service that would fill the space left by dlvr.it, I will be very grateful. Extra gratefulness points if the option you suggest is able to post to accounts in less-proprietary media (i.e. the Fediverse). Please tell me by mail (gwolf@gwolf.org).

Oh! Forgot to mention: Of course, my blog will continue to appear in Planet Debian, Blografía, and any decent aggregator that consumes my RSS.

Planet DebianDebian Brasil: Debian Day 2024 in Pouso Alegre - Brazil

by Thiago Pezzo and Giovani Ferreira

Local celebrations of Debian Day 2024 also happened in Pouso Alegre, MG, Brazil (https://www.openstreetmap.org/relation/315431). This year we managed to organize two days of lectures!

On August 14th, 2024, a Wednesday morning, we were at the Federal Institute of Education, Science and Technology of the South of Minas Gerais (IFSULDEMINAS, https://portal.ifsuldeminas.edu.br/index.php), Pouso Alegre campus. We gave an introductory presentation on the Debian Project, operating system and community, to the three years of the Technical Course in Informatics (professional high school). The event was closed to IFSULDEMINAS students and reached around 60 people.

On August 17th, 2024, a Saturday morning, we held an event open to the community at the University of the Sapucaí Valley (Univás), with institutional support from the Information Systems course. We spoke about the Debian Project with Giovani Ferreira (Debian Developer); about the Debian pt_BR translation team with Thiago Pezzo; about everyday experiences using free software with Virginia Cardoso; and on how to set up a development environment ready for production using Debian and Docker with Marcos António dos Santos. After the lectures, snacks, coffee and cake were served, while the participants talked, asked questions and shared experiences.

We would like to thank all the people who have helped us:

  • Michelle Nery (IFSULDEMINAS) and André Martins (UNIVÁS) for the help with the local organization
  • Paulo Santana (Debian Brazil) for the general organization
  • Virginia Cardoso, Giovani Ferreira, Marco António and Thiago Pezzo for the lectures
  • And a special thanks to all of you who took part in our celebration!

Some pictures from Pouso Alegre:

Presentation at IFSULDEMINAS Pouso Alegre campus 1 Presentation at IFSULDEMINAS Pouso Alegre campus 2 Presentation at UNIVÁS Fátima campus 1 Presentation at UNIVÁS Fátima campus 2 Presentation at UNIVÁS Fátima campus 3 Presentation at UNIVÁS Fátima campus 4

Planet DebianDebian Brasil: Debian Day 2024 in Pouso Alegre/MG - Brazil

by Thiago Pezzo and Giovani Ferreira

Local celebrations of Debian Day 2024 also happened in Pouso Alegre, MG, Brazil. This year we managed to organize two days of lectures!

On August 14th, 2024, a Wednesday morning, we were at the Pouso Alegre campus of the Federal Institute of Education, Science and Technology of the South of Minas Gerais (IFSULDEMINAS). We gave an introductory presentation on the Debian Project, operating system and community, to the three years of the Technical Course in Informatics (professional high school). The event was closed to IFSULDEMINAS and around 60 students were present.

On August 17th, 2024, a Saturday morning, we held an event open to the community at the University of the Sapucaí Valley (Univás), with institutional support from the Information Systems course. We spoke about the Debian Project with Giovani Ferreira (Debian Developer); about the Debian pt_BR translation team with Thiago Pezzo; about everyday experiences using free software with Virgínia Cardoso; and on how to set up a development environment ready for production using Debian and Docker with Marcos António dos Santos. After the lectures, snacks, coffee and cake were served, while the participants talked, asked questions and shared experiences.

We would like to thank all the people who helped us:

  • Michelle Nery (IFSULDEMINAS) and André Martins (UNIVÁS) for the help with the local organization
  • Paulo Santana (Debian Brasil) for the general organization
  • Virgínia Cardoso, Giovani Ferreira, Marco António and Thiago Pezzo for the lectures
  • And a special thanks to everyone who took part in our celebration!

Some photos:

Presentation at IFSULDEMINAS Pouso Alegre campus 1 Presentation at IFSULDEMINAS Pouso Alegre campus 2 Presentation at UNIVÁS Fátima campus 1 Presentation at UNIVÁS Fátima campus 2 Presentation at UNIVÁS Fátima campus 3 Presentation at UNIVÁS Fátima campus 4

365 TomorrowsDoubting Peter

Author: Don Nigroni I was in my study writing verse when this big fellow with a long grey beard and shaggy grey hair inexplicably appeared in front of me. He handed me a sheet of paper. The paper read: *** This morning, I was sitting in my living room reading Moby Dick when a big […]

The post Doubting Peter appeared first on 365tomorrows.

David BrinWhatever comes next (WCN)... and our global future.

Okay, last posting was a science update. And politics is in hiatus to see what drops in Chicago.... So how about we turn to issues on a global perspective? Starting near term:

Now that India has surpassed China in population, Beijing is issuing dire directives.

'As China's population has begun to decline and fears rise of a looming demographic crisis, China's leaders are putting pressure on women to curtail their career and educational ambitions and return to traditional roles in the home. 

President Xi says: "Doing a good job in women's work is not only related to women's own development, but also related to the harmony of families and society, as well as national development and progress." '

In its early decades, the Chinese Communist Party bolstered its revolutionary credentials by emphasizing women's equality both inside and outside the home. But the CCP's own top ranks have long been male-dominated.  Well, well. I've been saving up a posting about the goals and aspirations... and mistakes... of the Central Kingdom. 

Only now let's focus on a question of the longer term. What if we succeed in winning this wretched phase 8 of the US Civil War... and strengthening the 80 year 'pax' that gave humanity by far its best era of (relative, per capita) peace and progress?

Does this mean that the American Pax will last forever? 

Of course not. But then... what?


==  Whatever Comes Next? ==

I’ve long asked a difficult question about the future. One that can be disturbing to some USA citizens, especially that wing who might be called American Imperialists (e.g. the Bushite neocons, now a nearly extinct species, since the oligarchs betrayed and flushed them all away, to be replaced by MAGA isolationism). 

The question: “So how long do you envision a world with the USA calling all shots?…

Decades? A century? A thousand years? A million?”
 

I’m used to peering across those time ranges via sci fi. And in SF there’s a clear trend for dealing with this extrapolation. Go beyond 100 years or so… even half a dozen decades… and the governing entity coping with Earthly dilemmas, or the solar system, or aliens, or even the galaxy, is always some kind of Earth Gov or Earth Union or… some federated something. 

Except for the movie Aliens, of course, with its 22nd Century warp drive troopship of U.S. Marines! (Ain’t Cameron a hoot? LOVE that flick!;-)  

Indeed, I think this is one reason that some of our neighbors here in USA desperately pray for the gruesome reification of that nasty, sadistic culmination-trip, the Book of Revelation… so they won’t have to envision even one generation ahead, or do anything to build a healthy posterity.

Not you, though? 

You are one of those far-looking sci-fi folks? All right, then. So, what’s your notion of WCN?  Whatever Comes Next?

Let’s be clear, I regularly defend the last 80 years of the “American Pax.” Since 1945, guided by several principles cast by the person of the 20th Century, George Marshall, we've experienced, by any metric, the best era of general peace and progress and increasing justice ever, especially after 6000 years of wretched (and worldwide ubiquitous) macho feudalism. Despite some nasty acts and mistakes and even bloody crimes, no other nation that was ever tempted by great power ever handled it so… um… less-terribly. (Go on, name an exception in comments. I'd love to be shown a past empire or kingdom or 'pax' that you think did much better.)

Yeah, sure it’s been a tense and immature ride – sometimes a hellhole, compared to what oughta-be!  Pax Americana was so very far from perfect and often hideous!  Merely vastly better than any other era … or all other human eras, combined. 

Across the last eight decades, poverty plummeted worldwide. Today, 95% of kids on this planet have never starved and are in school. Sure, the ongoing chain of wretched violent wars is horrifying! (Especially lately.)  But step back a minute and realize a historically amazing fact -- that over 90% of living adults have never witnessed war with their own eyes. Something that’d be deemed a freaking miracle, by any of our ancestors. 

So yeah, our standards are rising. As they must! But pause now and then for perspective. I go into this elsewhere. And before you stalk off in rage, consider your own reaction! 

Your very concept of how things oughta-be would have been deemed utterly dreamy, even psychotically delusional by those ancestors. Especially, your reflex to question authority - your own society and its tribal elders. Find me another example - across all cultures and eras – of an empire that taught Suspicion of Authority as a central moral reflex to generations of its youth. And yes, it was relentless Hollywood memes that taught you those reflexes.

 In pointing that out, I am not dissing you or those memes!  Dig it: I was raised by them, too! They are part of the secret of our success! As I show thoroughly in Vivid Tomorrows: Science Fiction and Hollywood.

Still, one has to ask – returning to the core question of this posting - what’s your notion of a Whatever Comes Next to govern this fractious globe and nearby worlds? 

What’s your recommended replacement for the lumbering, sometimes crazed, if generally good-natured Pax Americana?  

The United Nations? Are you freaking kidding me?


== Is an end-to-nations possible? ==

Which brings us to the reason I raise this topic. In this Noema essay, Nathan Gardels made a strong argument that the European Union (EU) is a much better model for gradually evolving sovereignty. 

Ponder: The UN grew out of those infamous Westphalian notions, establishing that separated national sovereignties must be viewed as the sacred thing. A notion that only got reinforced by the prickly 80 new nations that emerged from colonialism.  

The EU, in contrast, is about layering of negotiated sub-national, national, and supra national responsibilities, all of them (so far imperfectly) accountable to the ultimate authority of citizens. An approach necessitating calm reasonableness and negotiation at levels that – again – those fractious ancestors would have found boggling.

I recommend giving Nathan’s missive about this a look. 

BTW… it’s a general notion I’ve dealt with before. In Earth, for example, I speak of the “EU” several times, allowing readers to assume that it means “European Union”… until the book reveals that in the year 2038 “EU” now stands for Earth Union. A nascent but not-yet world government that still relies on the old pax to keep things together, while it matures.

Care to entertain a standing wager across the next two decades? Assuming we get past the current crises, incited by an attempted worldwide putsch of cabals of powerful but unsapient oligarchs, united in shared desperation to end the Enlightenment Experiment and re-impose 6000 years of utterly imbecilic feudalism… supposing we get past all that… 

… in which case, what is to prevent say the Maldives, or Costa Rica, or Ghana from some fine day sending an envelope to Brussels, containing their accession application to join the EU? 

Are you telling me those Brussels factotums would refuse even to consider it, because of a defined word?

Play it out in your head. Then consider how confident you are that “It’ll never happen!” 

Okay then. Are you so confident that you’ll give me odds?

Comments welcome.



== And some important miscellany ==

A while back I posted outrage over the Trump Administration’s fire sale of the US national helium reserves to cronies at well under market prices, allowing them to jack-up and corner the market for this element that’s rare on Earth and essential for many (including medical) uses. Ah, but Adam Smith comes to the rescue!  Wildcats drilling in Minnesota appear to have found a new trove of this vital resource! Maybe this will help keep helium prices down. Although that will depend on who owns it and how big it is. 

"Important"?  Well, I think so. Because it indicates the right path to neutralize villains: by creatively leaving all their schemes behind us in a soft cloud of our progress that even benefits them, galling them terribly! It is certainly how to best deal with the mad/idiotic 'prepper' lords in their zillion dollar bunkers, salivating over an "Event" that would not go as well as they think.

And more...  ‘With little fanfare, researchers from Apple and Columbia University released an open source multimodal LLM, called Ferret, in October 2023.’  


Well…. In 1989 - in my novel Earth - I showed software geniuses releasing 'ferrets' into the (then largely theoretical) Web.


So is the Great Big AI Crisis of 23-24 starting to fade? Not a bit of it. Even today's primitive versions will likely wreak great harm via political misinformation and manipulation. (More on that soon.) But it’s also swamping its way into science too.


It is not always so easy to spot the use of AI. But one clue is that ChatGPT tends to favor certain words… such as meticulous, intricate or commendable. But all such detection cues are temporary. 


Only one thing will even possibly work - either in politics or science or anywhere else that unaccountable AI is used to cheat. That approach is the same one that allowed us to get some constraints on all kinds of human cheaters... and that approach is to sic AI programs onto each other, competitively, with incentives to tattle on misinformation...


...as I describe here.

And more vividly detailed? My keynote at the May 2024 RSA Conference in San Francisco is now available online: “Anticipation, Resilience and Reliability: Three ways that AI will change us… if we do it right.”  


Planet Debian: Reproducible Builds (diffoscope): diffoscope 276 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 276. This version includes the following changes:

[ Chris Lamb ]
* Also catch RuntimeError when importing PyPDF so that PyPDF or, crucially,
  its transitive dependencies do not cause diffoscope to traceback at runtime
  and build time. (Closes: #1078944, reproducible-builds/diffoscope#389)
* Factor out a method for stripping ANSI escapes.
* Strip ANSI escapes from the output of Procyon. Thanks, Aman Sharma!
* Update copyright years.

You can find out more by visiting the project homepage.
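Two helpers of the kind the first and second changelog items describe, written here as an added example rather than taken from diffoscope's own code: an optional-dependency import that survives both ImportError and RuntimeError (so a broken transitive dependency disables one comparator instead of crashing the whole tool), and an ANSI-escape stripper for colourised decompiler output. The function names and the sample string are my own.

```python
"""Added example, not diffoscope's code: guarded optional import plus ANSI stripping."""
import importlib
import logging
import re

logger = logging.getLogger(__name__)


def optional_import(module_name):
    """Return the module, or None if it is absent or blows up on import.

    RuntimeError is caught as well as ImportError because a dependency can raise
    it from its own top-level code (a version or ABI check, for instance) rather
    than failing cleanly with ImportError.
    """
    try:
        return importlib.import_module(module_name)
    except (ImportError, RuntimeError) as exc:
        logger.debug("optional module %s unavailable: %s", module_name, exc)
        return None


# CSI sequences (ESC [ params intermediates final), OSC strings (ESC ] ... BEL
# or ESC \), and the remaining two-byte ESC+Fe escapes.
ANSI_ESCAPE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\^_]"
)


def strip_ansi(text):
    """Remove terminal colour/cursor codes so two tools' outputs diff on content only."""
    return ANSI_ESCAPE.sub("", text)


# Constructed sample standing in for colourised decompiler output.
SAMPLE = "\x1b[1;32m// Decompiled\x1b[0m class Foo {}\x1b]0;title\x07"

if __name__ == "__main__":
    print(repr(strip_ansi(SAMPLE)))
    print(optional_import("json") is not None, optional_import("no_such_module_xyz"))
```

Use `optional_import` at module import time and skip registering the comparator when it returns None; the debug log line is what tells you later why a file type silently fell back to a byte-level diff.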


365 Tomorrows: Time

Author: Pete Smith I come to with a start. There’s a bell ringing. That’s not good. That’s never good. Raising my head from the bar, I try to focus. Oh yes – it’s the… landlord chap. Land. Lord. I giggle like a child. He’s ringing time. I look at the clock, and indeed, it’s saying […]

The post Time appeared first on 365tomorrows.


Worse Than Failure: Error'd: Epic

"Grocery stores are going too far with their energy foods" charged Tim DG. "I was just looking for some salads to go with my BBQ," he complained. "I'm not sure they sell what I'm looking for." I've seen what your kin put in their Huzarensaladen, Tim, so I'm not entirely surprised about the Duracells.


Long-suffering Gordon S. found a novel Error'd, at least, I don't remember having seen this before. "Left Spotify running and came back 15 minutes in on a 3 minute song. Is this how extended play records worked?" I'm glad he only submitted it once and not a hundred more times for art's sake.


Christopher P. thinks FedEx is on the verge of building robots with Genuine People Personalities. "It appears to be impossible to contact a human at FedEx, and their bot seems very passive-aggressive: when I gave it a negative rating, it tries to cancel my case. Fantastic." I'm sure it's not truly impossible, only very very improbable.


Experienced Drinker Peter G. thinks this is not really an Error but it's a little bit of a WTF. "This is the gatekeeper popup that blocks your way when you visit the Quantum Spirits web site, which for some reason has decided to limit its customer base to a very narrow demographic. No, I'm not 21, and haven't been for quite some time." People should say what they mean and not place the burden of decoding their imprecision on everyone else.


Michael Th. is making me hungry. "Had a lovely dinner in a nice restaurant in Mannheim, Germany - and the service was really SUperb!" Once again, not really an Error'd but a sign that somebody is using bad practices with their POS system.



365 Tomorrows: Sand Sailor

Author: Tobias Hope Young There are moments when the sand looks sturdy. When it isn’t rising and falling, when it’s just completely motionless. It’s in those moments that you might think it’s solid but don’t be fooled. That sand may look firm but if you step on it you will sink like a stone until […]

The post Sand Sailor appeared first on 365tomorrows.

Rondam Ramblings: The Trouble With Big Numbers

This is part of my series on the scientific method, but it's a bit of a tangent, an interlude if you will, so I'm not giving it a number.  As you will see, that will turn out to be metaphorically significant.  I'm writing this because my muse Publius raised the problem of infinity in comments on earlier installments in this series, and so I thought it would be worth discussing why these


Krebs on Security: NationalPublicData.com Hack Exposes a Nation’s Data

A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We’ll also take a closer look at the data broker that got hacked — a background check company founded by an actor and retired sheriff’s deputy from Florida.

On July 21, 2024, denizens of the cybercrime community Breachforums released more than 4 terabytes of data they claimed was stolen from nationalpublicdata.com, a Florida-based company that collects data on consumers and processes background checks.

The breach tracking service HaveIBeenPwned.com and the cybercrime-focused Twitter account vx-underground both concluded the leak is the same information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name “USDoD.”

On April 7, USDoD posted a sales thread on Breachforums for four terabytes of data — 2.9 billion rows of records — they claimed was taken from nationalpublicdata.com. The snippets of stolen data that USDoD offered as teasers showed rows of names, addresses, phone numbers, and Social Security Numbers (SSNs). Their asking price? $3.5 million.

Many media outlets mistakenly reported that the National Public Data breach affects 2.9 billion people (that figure actually refers to the number of rows in the leaked data sets). HaveIBeenPwned.com’s Troy Hunt analyzed the leaked data and found it is a somewhat disparate collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased), and 70 million rows from a database of U.S. criminal records.

Hunt said he found 137 million unique email addresses in the leaked data, but stressed that there were no email addresses in the files containing SSN records.

“If you find yourself in this data breach via HaveIBeenPwned.com, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.”

Nationalpublicdata.com publicly acknowledged a breach in a statement on Aug. 12, saying “there appears to have been a data security incident that may have involved some of your personal information. The incident appears to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”

The company said the information “suspected of being breached” contained name, email address, phone number, social security number, and mailing address(es).

“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the statement continues. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”

Hunt’s analysis didn’t say how many unique SSNs were included in the leaked data. But according to researchers at Atlas Data Privacy Corp., there are 272 million unique SSNs in the entire records set.

Atlas found most records have a name, SSN, and home address, and that approximately 26 percent of those records included a phone number. Atlas said they verified 5,000 addresses and phone numbers, and found the records pertain to people born before Jan. 1, 2002 (with very few exceptions).

If there is a tiny silver lining to the breach it is this: Atlas discovered that many of the records related to people who are now almost certainly deceased. They found the average age of the consumer in these records is 70, and fully two million records are related to people whose date of birth would make them more than 120 years old today.
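A small triage pass of the kind Atlas and Hunt describe above, written here as an added example and not their tooling: it dedupes SSNs, checks each against the SSA's structural issuance rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued), and computes phone coverage, average age and the over-120 count from a constructed five-row sample in the dump's shape. The column names are assumed, not taken from the leak.

```python
"""Added example: first-pass triage of a breach dump in the NPD shape (not Atlas/HIBP code)."""
import csv
import io
import re
from datetime import date

# Constructed sample rows, assumed columns. Includes a duplicate SSN, two
# structurally impossible SSNs and a date of birth from the 1890s.
SAMPLE = """name,ssn,dob,address,phone
Jane Roe,123-45-6789,1951-04-02,1 Main St,555-0100
John Roe,123-45-6789,1951-04-02,1 Main St,
Old Timer,234-56-7890,1890-01-15,2 Elm St,
Bad Record,000-12-3456,1960-07-07,3 Oak St,555-0101
Test Row,666-01-0001,1975-12-31,4 Pine St,
"""

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def is_plausible_ssn(ssn):
    """Structural check only: area not 000/666/900-999, group not 00, serial not 0000.
    A number that passes may still be unissued; one that fails is certainly junk."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def age_on(dob_iso, today):
    born = date.fromisoformat(dob_iso)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def triage(csv_text, today_iso):
    """Counts that tell you how bad a dump is before anyone verifies a record."""
    today = date.fromisoformat(today_iso)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    all_ssns = {r["ssn"] for r in rows}
    plausible = {s for s in all_ssns if is_plausible_ssn(s)}
    ages = [age_on(r["dob"], today) for r in rows if r["dob"]]
    return {
        "rows": len(rows),
        "unique_ssns": len(all_ssns),
        "unique_plausible_ssns": len(plausible),
        "pct_with_phone": round(100 * sum(1 for r in rows if r["phone"]) / len(rows)),
        "avg_age": round(sum(ages) / len(ages)),
        "over_120": sum(1 for a in ages if a > 120),  # almost certainly deceased
    }


if __name__ == "__main__":
    print(triage(SAMPLE, "2024-08-16"))
```

On a real dump, run the same pass per source file rather than over the merged corpus: the row count, the share of rows that carry an SSN at all, and the age profile differ wildly between the consumer, business and criminal-record subsets, which is exactly the distinction Hunt draws above.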

TWISTED HISTORY

Where did National Public Data get its consumer data? The company’s website doesn’t say, but it is operated by an entity in Coral Springs, Fla. called Jerico Pictures Inc. The website for Jerico Pictures is not currently responding. However, cached versions of it at archive.org show it is a film studio with offices in Los Angeles and South Florida.

The Florida Secretary of State says Jerico Pictures is owned by Salvatore (Sal) Verini Jr., a retired deputy with the Broward County Sheriff’s office. The Secretary of State also says Mr. Verini is or was a founder of several other Florida companies, including National Criminal Data LLC, Twisted History LLC, Shadowglade LLC and Trinity Entertainment Inc., among others.

Mr. Verini did not respond to multiple requests for comment. Cached copies of Mr. Verini’s vanity domain salvatoreverini.com recount his experience in acting (e.g. a role in a 1980s detective drama with Burt Reynolds) and more recently producing dramas and documentaries for several streaming channels.

Sal Verini’s profile page at imdb.com.

Pivoting on the email address used to register that vanity domain, DomainTools.com finds several other domains whose history offers a clearer picture of the types of data sources relied upon by National Public Data.

One of those domains is recordscheck.net (formerly recordscheck.info), which advertises “instant background checks, SSN traces, employees screening and more.” Another now-defunct business tied to Mr. Verini’s email — publicrecordsunlimited.com — said it obtained consumer data from a variety of sources, including: birth, marriage and death records; voting records; professional licenses; state and federal criminal records.

The homepage for publicrecordsunlimited.com, per archive.org circa 2017.

It remains unclear how thieves originally obtained these records from National Public Data. KrebsOnSecurity sought comment from USDoD, who is perhaps best known for hacking into Infragard, an FBI program that facilitates information sharing about cyber and physical threats with vetted people in the private sector.

USDoD said they indeed sold the same data set that was leaked on Breachforums this past month, but that the person who leaked the data did not obtain it from them. USDoD said the data stolen from National Public Data had traded hands several times since it was initially stolen in December 2023.

“The database has been floating around for a while,” USDoD said. “I was not the first one to get it.”

USDoD said the person who originally stole the data from NPD was a hacker who goes by the handle SXUL. That user appears to have deleted their Telegram account several days ago, presumably in response to intense media coverage of the breach.

ANALYSIS

Data brokers like National Public Data typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

Americans may believe they have the right to opt out of having these records collected and sold to anyone. But experts say these underlying sources of information — the above-mentioned “public” records — are carved out from every single state consumer privacy law. This includes California’s privacy regime, which is often held up as the national leader in state privacy regulations.

You see, here in America, virtually anyone can become a consumer data broker. And with few exceptions, there aren’t any special requirements for brokers to show that they actually care about protecting the data they collect, store, repackage and sell so freely.

In February 2023, PeopleConnect, the owners of the background search services TruthFinder and Instant Checkmate, acknowledged a breach affecting 20 million customers who paid the data brokers to run background checks. The data exposed included email addresses, hashed passwords, first and last names, and phone numbers.

In 2019, malicious hackers stole data on more than 1.5 billion people from People Data Labs, a San Francisco data broker whose people-search services linked hundreds of millions of email addresses, LinkedIn and Facebook profiles and more than 200 million valid cell phone numbers.

These data brokers are the digital equivalent of massive oil tankers wandering the coast without GPS or an anchor, because when they get hacked, the effect is very much akin to the ecological and economic fallout from a giant oil spill.

It’s an apt analogy because the dissemination of so much personal data all at once has ripple effects for months and years to come, as this information invariably feeds into a vast underground ocean of scammers who are already equipped and staffed to commit identity theft and account takeovers at scale.

It’s also apt because much like with real-life oil spills, the cleanup costs and effort from data spills — even just vast collections of technically “public” documents like the NPD corpus — can be enormous, and most of the costs associated with that fall to consumers, directly or indirectly.

WHAT SHOULD YOU DO?

Should you worry that your SSN and other personal data might be exposed in this breach? That isn’t necessary for people who’ve been following the advice here for years, which is to freeze one’s credit file at each of the major consumer reporting bureaus. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.

The main reason I recommend the freeze is that all of the information ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.

But beyond that, there are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots. Meaning, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.

All Americans are also entitled to obtain a free copy of their credit report weekly from each of the three major credit bureaus. It used to be that consumers were allowed one free report from each of the bureaus annually, but in October 2023 the Federal Trade Commission announced the bureaus had permanently extended a program that lets you check your credit report once a week for free.

If you haven’t done this in a while, now would be an excellent time to order your files. To place a freeze, you need to create an account at each of the three major reporting bureaus, Equifax, Experian and TransUnion. Once you’ve established an account, you should be able to then view and freeze your credit file. Dispute any inaccuracies you may find. If you spot errors, such as random addresses and phone numbers you don’t recognize, do not ignore them: Identity theft and new account fraud are not problems that get easier to solve by letting them fester.

Mr. Verini probably didn’t respond to requests for comment because his company is now the subject of a class-action lawsuit (NB: the lawsuit also erroneously claims 3 billion people were affected). These lawsuits are practically inevitable now after a major breach, but they also have the unfortunate tendency to let regulators and lawmakers off the hook.

Almost every time there’s a major breach of SSN data, Americans are offered credit monitoring services. Most of the time, those services come from one of the three major consumer credit bureaus, the same companies that profit by compiling and selling incredibly detailed dossiers on consumers’ financial lives. The same companies that use dark patterns to trick people into paying for “credit lock” services that achieve a similar result as a freeze but still let the bureaus sell your data to their partners.

But class-actions alone will not drive us toward a national conversation about what needs to change. Americans currently have very few rights to opt out of the personal and financial surveillance, data collection and sale that is pervasive in today’s tech-based economy.

The breach at National Public Data may not be the worst data breach ever. But it does present yet another opportunity for this country’s leaders to acknowledge that the SSN has completely failed as a measure of authentication or authorization. It was never a good idea to use as an authenticator to begin with, and it is certainly no longer suitable for this purpose.

The truth is that these data brokers will continue to proliferate and thrive (and get hacked and relieved of their data) until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century.

Further reporting: National Public Data Published Its Own Passwords

Update, Aug. 16, 8:00 a.m. ET: Corrected the story to note that consumers can now obtain a free credit report from each of the three consumer reporting bureaus weekly, instead of just annually.

Update, Aug. 23, 12:33 p.m. ET: Added link to latest story on NPD breach.

Cryptogram: NIST Releases First Post-Quantum Encryption Algorithms

From the Federal Register:

After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

These algorithms are part of three NIST standards that have been finalized: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).

NIST press release. My recent writings on post-quantum cryptographic standards.

EDITED TO ADD: Good article:

One – ML-KEM [PDF] (based on CRYSTALS-Kyber) – is intended for general encryption, which protects data as it moves across public networks. The other two – ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+) – secure digital signatures, which are used to authenticate online identity.

A fourth algorithm – FN-DSA [PDF] (originally called FALCON) – is slated for finalization later this year and is also designed for digital signatures.

NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future.

One of the sets includes three algorithms designed for general encryption – but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today’s finalized standards.

NIST plans to select one or two of these algorithms by the end of 2024.

IEEE Spectrum article.

Slashdot thread.

Cryptogram: The State of Ransomware

Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary:

Unit 42 monitors ransomware and extortion leak sites closely to keep tabs on threat activity. We reviewed compromise announcements from 53 dedicated leak sites in the first half of 2024 and found 1,762 new posts. This averages to approximately 294 posts a month and almost 68 posts a week. Of the 53 ransomware groups whose leak sites we monitored, six of the groups accounted for more than half of the compromises observed.

In February, we reported a 49% increase year-over-year in alleged victims posted on ransomware leak sites. So far, in 2024, comparing the first half of 2023 to the first half of 2024, we see an even further increase of 4.3%. The higher level of activity observed in 2023 was no fluke.

Activity from groups like Ambitious Scorpius (distributors of BlackCat) and Flighty Scorpius (distributors of LockBit) has largely fallen off due to law enforcement operations. However, other threat groups we track such as Spoiled Scorpius (distributors of RansomHub) and Slippery Scorpius (distributors of DragonForce) have joined the fray to fill the void.

Cryptogram: New Windows IPv6 Zero-Click Vulnerability

The press is reporting a critical Windows vulnerability affecting IPv6.

As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.

Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an “exploitation more likely” label, which means that threat actors could create exploit code to “consistently exploit the flaw in attacks.”

Details are being withheld at the moment. Microsoft strongly recommends patching now.

Worse Than Failure: CodeSOD: Stored Procedures are Better

We all know that building SQL queries via string concatenation, and then sending them to the database, is just begging for fragile code and SQL injection attacks. But, what if the bad part is the "sending them to the database" part? Has anyone ever thought about that?

Kris's predecessor has.

CREATE PROCEDURE [dbo].[usp_LossMit_GetCDCMappingInfo]
        @PropertyNameString NVARCHAR(4000),
        @Environment CHAR(1)
AS
BEGIN
DECLARE @TICK CHAR (1)  SET @TICK = CHAR(39)
DECLARE @SQLSelect              NVARCHAR (4000)
DECLARE @SQLWHERE               NVARCHAR (4000)
DECLARE @SQLSelectII    NVARCHAR (4000)
DECLARE @SQLWHEREII             NVARCHAR (4000)

SET @SQLSelect = '
        SELECT
                CDCID As PropertyValue,
                CDCName AS EntityName,
                ISNULL(RTRIM(PropertyName), '+ @TICK + @TICK + ') AS PropertyName
        FROM dbo.LossMitCDCIDMapping'
SET @SQLWHERE = '
        WHERE   PropertyName IN (' + @PropertyNameString + ')
                        AND Environment = ' + @TICK + @Environment + @TICK +
                        'AND IsActive = 1'

SET @SQLSelectII = '
UNION
        SELECT
                lccm.CDCControlID AS PropertyValue,
                lccm.CDCControlName AS EntityName,
                ISNULL(RTRIM(lccm.PropertyName), '+ @TICK + @TICK + ') AS PropertyName
        FROM dbo.LossMitCDCIDMapping lcm
        INNER JOIN dbo.LossMitCDCControlIDMapping lccm
                ON lcm.CDCID = lccm.CDCID'
SET @SQLWHEREII = '
                AND     lcm.PropertyName IN ( '+ @PropertyNameString + ')
                AND lcm.Environment = ' + @TICK + @Environment + @TICK + '
                AND lccm.Environment = ' + @TICK + @Environment + @TICK + '
                AND lcm.IsActive = 1
                AND lccm.IsActive = 1'


PRINT (@SQLSelect + @SQLWHERE + @SQLSelectII + @SQLWHEREII)
EXEC (@SQLSelect + @SQLWHERE + @SQLSelectII + @SQLWHEREII)
END

/*****usp_LossMit_GetAutoIndex******/

GO

Now, just one little, itsy-bitsy thing about T-SQL: it handles variables in SQL statements just fine. They could have written AND Environment = @Environment without wrapping it up in string concatenation. The only input that needs any work at all is @PropertyNameString, a comma-separated list spliced into IN (...), and that is what STRING_SPLIT or a table-valued parameter is for. This entire procedure could have been written as static SQL without a single string concatenation in it, and the code would be simpler and easier to read, and not be begging for SQL injection attacks.

And @TICK? CHAR(39) is the ASCII apostrophe, so @TICK is a single-quote character, not an empty string: every @TICK + value + @TICK is the author hand-quoting a value inside the dynamic SQL, and @TICK + @TICK is the empty-string literal ''. Which means @Environment goes into the query quoted but never escaped, and @PropertyNameString goes in exactly as the caller supplied it, quotes and all. Why are we spamming it everywhere? Because once you decide to build SQL out of strings, you have to.

And not to be the person that harps on capitalization, but why @SQLSelect and @SQLWHERE? It's next-level inconsistency.

My only hypothesis is that this code was originally in ASP or something similar, and someone said, "Performance is bad, we should turn it into a stored procedure," and so someone did- without changing one iota about how the code was structured or worked.

Kris has this to say:

Just started at a new job--it's going to be interesting…

Interesting is certainly one word for it.
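To make the "begging for SQL injection" concrete, here is the same query shape built both ways against an in-memory SQLite table. This is an added example, not the stored procedure from the post and not T-SQL: the table and column names mirror the sproc, the rows are constructed, and IFNULL stands in for ISNULL. The unsafe function reproduces the sproc's concatenation, including its @TICK quoting; the safe one binds every value as a parameter.

```python
"""Added example (not the post's sproc): the spliced IN (...) list versus bound parameters."""
import sqlite3

# Constructed rows: (CDCID, CDCName, PropertyName, Environment, IsActive)
ROWS = [
    (1, "Alpha", "LoanId",   "P", 1),
    (2, "Beta",  "LoanId",   "T", 1),   # other environment
    (3, "Gamma", "Borrower", "P", 1),
    (4, "Delta", "Secret",   "P", 1),   # never requested by name
    (5, "Old",   "LoanId",   "P", 0),   # inactive
]

TICK = chr(39)  # what the sproc calls @TICK: a single-quote character


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE LossMitCDCIDMapping ("
        "CDCID INTEGER, CDCName TEXT, PropertyName TEXT, "
        "Environment TEXT, IsActive INTEGER)"
    )
    con.executemany("INSERT INTO LossMitCDCIDMapping VALUES (?,?,?,?,?)", ROWS)
    return con


def get_mapping_unsafe(con, property_name_string, environment):
    """Mirrors the sproc: the caller's already-quoted list is pasted into the SQL
    text verbatim, and the environment is wrapped in ticks but never escaped."""
    sql = (
        "SELECT CDCID AS PropertyValue, CDCName AS EntityName, "
        "IFNULL(RTRIM(PropertyName), " + TICK + TICK + ") AS PropertyName "
        "FROM LossMitCDCIDMapping "
        "WHERE PropertyName IN (" + property_name_string + ") "
        "AND Environment = " + TICK + environment + TICK + " "
        "AND IsActive = 1"
    )
    return con.execute(sql).fetchall()


def get_mapping_safe(con, property_names, environment):
    """Values travel as bound parameters. The only generated SQL is the placeholder
    list, and the caller controls nothing about it except its length."""
    placeholders = ",".join("?" * len(property_names))
    sql = (
        "SELECT CDCID AS PropertyValue, CDCName AS EntityName, "
        "IFNULL(RTRIM(PropertyName), '') AS PropertyName "
        "FROM LossMitCDCIDMapping "
        "WHERE PropertyName IN (" + placeholders + ") "
        "AND Environment = ? AND IsActive = 1"
    )
    return con.execute(sql, (*property_names, environment)).fetchall()


# A "list" that closes the IN (...) and comments out the environment and
# IsActive filters that follow it.
PAYLOAD = "'LoanId') OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(get_mapping_unsafe(db, "'LoanId','Borrower'", "P"))  # the two intended rows
    print(get_mapping_unsafe(db, PAYLOAD, "P"))                 # every row, inactive and test rows included
    print(get_mapping_safe(db, [PAYLOAD], "P"))                 # []: the payload is just a string
```

The T-SQL equivalent of the safe version is a static statement that uses @Environment directly and joins the list through STRING_SPLIT(@PropertyNameString, ',') or a table-valued parameter; if dynamic SQL really is unavoidable, sp_executesql with a parameter definition keeps the values out of the statement text in the same way the placeholders do here.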


365 Tomorrows: Meet CoBrain

Author: Nick Jessee The TV is blaring, but I don’t have the energy to turn down the volume. All around, I can tell others are in the same predicament: their TVs blast and rumble muffled shouts, explosions, and laughs through thin apartment walls. My stomach grumbles. Leather creaks as I shift my sore cheeks on […]

The post Meet CoBrain appeared first on 365tomorrows.

Cryptogram Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I’m speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs from September 24 through 26, 2024, and my keynote is on the 24th.

The list is maintained on this page.

Cryptogram Taxonomy of Generative AI Misuse

Interesting paper: “Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data”:

Generative, multimodal artificial intelligence (GenAI) offers transformative potential across industries, but its misuse poses significant risks. Prior research has shed light on the potential of advanced AI systems to be exploited for malicious purposes. However, we still lack a concrete understanding of how GenAI models are specifically exploited or abused in practice, including the tactics employed to inflict harm. In this paper, we present a taxonomy of GenAI misuse tactics, informed by existing academic literature and a qualitative analysis of approximately 200 observed incidents of misuse reported between January 2023 and March 2024. Through this analysis, we illuminate key and novel patterns in misuse during this time period, including potential motivations, strategies, and how attackers leverage and abuse system capabilities across modalities (e.g. image, text, audio, video) in the wild.

Blog post. Note the graphic mapping goals with strategies.


Cryptogram People-Search Site Removal Services Largely Ineffective

Consumer Reports has a new study of people-search site removal services, concluding that they don’t really work:

As a whole, people-search removal services are largely ineffective. Private information about each participant on the people-search sites decreased after using the people-search removal services. And, not surprisingly, the removal services did save time compared with manually opting out. But, without exception, information about each participant still appeared on some of the 13 people-search sites at the one-week, one-month, and four-month intervals. We initially found 332 instances of information about the 28 participants who would later be signed up for removal services (that does not include the four participants who were opted out manually). Of those 332 instances, only 117, or 35%, were removed within four months.

Cryptogram Problems with Georgia’s Voter Registration Portal

It’s possible to cancel other people’s voter registrations:

On Friday, four days after Georgia Democrats began warning that bad actors could abuse the state’s new online portal for canceling voter registrations, the Secretary of State’s Office acknowledged to ProPublica that it had identified multiple such attempts…

…the portal suffered at least two security glitches that briefly exposed voters’ dates of birth, the last four digits of their Social Security numbers and their full driver’s license numbers—the exact information needed to cancel others’ voter registrations.

I get that this is a hard problem to solve. We want the portal to be easy for people to use—even non-tech-savvy people—and hard for fraudsters to abuse, and it turns out to be impossible to do both without an overarching digital identity infrastructure. But Georgia is making it easy to abuse.

EDITED TO ADD (8/14): There was another issue with the portal, making it easy to request cancellation of any Georgian’s registration. The elections director said that cancellations submitted this way wouldn’t have been processed because they didn’t have all the necessary information, which I guess is probably true, but it shows just how sloppy the coding is.

Cryptogram Texas Sues GM for Collecting Driving Data without Consent

Texas is suing General Motors for collecting driver data without consent and then selling it to insurance companies:

From CNN:

In car models from 2015 and later, the Detroit-based car manufacturer allegedly used technology to “collect, record, analyze, and transmit highly detailed driving data about each time a driver used their vehicle,” according to the AG’s statement.

General Motors sold this information to several other companies, including to at least two companies for the purpose of generating “Driving Scores” about GM’s customers, the AG alleged. The suit said those two companies then sold these scores to insurance companies.

Insurance companies can use data to see how many times people exceeded a speed limit or obeyed other traffic laws. Some insurance firms ask customers if they want to voluntarily opt-in to such programs, promising lower rates for safer drivers.

But the attorney general’s office claimed GM “deceived” its Texan customers by encouraging them to enroll in programs such as OnStar Smart Driver. But by agreeing to join these programs, customers also unknowingly agreed to the collection and sale of their data, the attorney general’s office said.

Press release. Court filing. Slashdot thread.

Worse Than FailureCodeSOD: Under the Sheets

Many years ago, Sam was obeying Remy's Law of Requirements Gathering ("No matter what your requirements actually say, what your users want is Excel") and was working on a web-based spreadsheet and form application.

The code is not good, and involves a great deal of reinvented wheels. It is, for example, Java based, but instead of using any of the standard Java web containers for hosting their code, they wrote their own. It's like Java Servlets, but also is utterly unlike them in important and surprising ways. It supports JSP for views, but also has just enough surprises that it breaks new developers.

But let's just look at how it handles form data:

    // form field information
    String[] MM_fields = null, MM_columns = null;

    // ...snip...

    String MM_fieldsStr = "phone|value|organization|value|last_name|value|first_name|value|password|value|email_opt_in|value";
    String MM_columnsStr = "phone|',none,''|organization|',none,''|last_name|',none,''|first_name|',none,''|password|',none,''|email_opt_in|none,1,0";

    // create the MM_fields and MM_columns arrays
    java.util.StringTokenizer tokens =
            new java.util.StringTokenizer( MM_fieldsStr, "|" );
    MM_fields = new String[ tokens.countTokens() ];
    for (int i=0; tokens.hasMoreTokens(); i++)
        MM_fields[i] = tokens.nextToken();

    tokens = new java.util.StringTokenizer( MM_columnsStr, "|" );
    MM_columns = new String[ tokens.countTokens() ];
    for (int i=0; tokens.hasMoreTokens(); i++)
        MM_columns[i] = tokens.nextToken();

Who doesn't love hard-coded lists of strings with characters separating them, which then need to be parsed so that you can convert that into an array?

The MM_fieldsStr seems to imply the input data will be "key|value" pairs, and the MM_columnsStr seems to imply a specific default value, I think, but look at those quotes and commas. This is generating strings which will be injected into JavaScript. And who knows what's happening on that side; I certainly don't want to.

Also, what even is the MM_ prefix on our variables? It looks like Hungarian notation, but conveys no information; maybe it's Rēkohu notation?

As you can imagine, this whole solution was incredibly fragile and didn't work well.


365 TomorrowsRebound

Author: Ethan J. Hatchett “We need to talk.” Katie’s words were firm, but her bright blue eyes betrayed her. “Not this time.” Michael leaned in to kiss Katie. “Michael, stop. It’s…” He couldn’t wait for her to finish. He pressed the button and vanished back to his own time. The present was a mess. Michael […]

The post Rebound appeared first on 365tomorrows.


Krebs on SecuritySix 0-Days Lead Microsoft’s August 2024 Patch Push

Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.

Image: Shutterstock.

This month’s bundle of update joy from Redmond includes patches for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and of course Windows itself. Of the six zero-day weaknesses Microsoft addressed this month, half are local privilege escalation vulnerabilities — meaning they are primarily useful for attackers when combined with other flaws or access.

CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 all allow an attacker to gain SYSTEM level privileges on a vulnerable machine, although the vulnerabilities reside in different parts of the Windows operating system.

Microsoft’s advisories include little information about the last two privilege escalation flaws, other than to note they are being actively exploited. Microsoft says CVE-2024-38106 exists in the Windows Kernel and is being actively exploited, but that it has a high “attack complexity,” meaning it can be tricky for malware or miscreants to exploit reliably.

“Microsoft lists exploit complexity as high due to the attacker needing to win a race condition,” Trend Micro’s Zero Day Initiative (ZDI) noted. “However, some races are easier to run than others. It’s times like this where the CVSS can be misleading. Race conditions do lead to complexity high in the CVSS score, but with attacks in the wild, it’s clear this bug is readily exploitable.”

Another zero-day this month is CVE-2024-38178, a remote code execution flaw that exists when the built-in Windows Edge browser is operating in “Internet Explorer Mode.” IE mode is not on by default in Edge, but it can be enabled to work with older websites or applications that aren’t supported by modern Chromium-based browsers.

“While this is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration,” wrote Kev Breen, senior director of threat research at Immersive Labs.

CVE-2024-38213 is a zero-day flaw that allows malware to bypass the “Mark of the Web,” a security feature in Windows that marks files downloaded from the Internet as untrusted (this Windows Smartscreen feature is responsible for the “Windows protected your PC” popup that appears when opening files downloaded from the Web).

“This vulnerability is not exploitable on its own and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing on compromised websites,” Breen said.

The final zero-day this month is CVE-2024-38189, a remote code execution flaw in Microsoft Project. However, Microsoft and multiple security firms point out that this vulnerability only works on customers who have already disabled notifications about the security risks of running VBA Macros in Microsoft Project (not the best idea, as malware has a long history of hiding within malicious Office Macros).

Separately, Adobe today released 11 security bulletins addressing at least 71 security vulnerabilities across a range of products, including Adobe Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, and Substance 3D Sampler/Substance 3D Designer. Adobe says it is not aware of active exploitation against any of the flaws it fixed this week.

It’s a good idea for Windows users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday each month. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

Worse Than FailureCodeSOD: Disable This

One of the first things anyone learns about object oriented programming is the power of inheritance and overriding functions. Isn't it great that you can extend or modify the implementation of a function in your derived classes? Don't you wish you could just do that for every function? Aash's co-worker certainly does.

@Override
public boolean isEnabled() {
    if (!super.isEnabled()) {
        return false;
    }
    return true;
}

I think this is a beautiful little smear of bad code, because it's useless on multiple levels. First, we are calling a boolean function only to bury it in a conditional which does the exact same thing: return super.isEnabled() would do the job. But if our developer thought to do that, they'd instantly see that there's no point to adding an override; we're just doing what the super class does. The if is just enough to hide that from you if you're careless and not very bright.

And, before you ask, no, there never was any real functionality in this override, at least not that ever got checked into source control. It isn't a vestigial leftover of once useful code. It's just useless from birth.


365 TomorrowsSo The Sherpas Say

Author: Majoki The children played in mud while parents worried. The rains had not stopped. They had never lasted this long in spring, never been this heavy. Twice they had moved their families farther from the river, but the entire valley was in danger due to landslides. Staying and moving were perilous. Yet the flowers […]

The post So The Sherpas Say appeared first on 365tomorrows.


David BrinScience-tech updates- what an era! Let's keep it alive.

Sci Tech update! But first a few non-science items:

* In sci fi news: today and (I'm told) for a week, the newly edited and refreshed edition of GLORY SEASON - with a lovely new cover - is available for $2.99 (e-version) from Barnes & Noble, Amazon, and the rest. One of my favorites.

* Political snippet alert:  I'm told Stephanie Miller's radio show is comparing Donald Trump to Howard Beale of the classic flick NETWORK... as I have been doing for more than a year. No doubt because his followers seem entranced by his ongoing, raving breakdown. But will the comparison go farther?  I still take bets - if offered odds - that certain oligarchs are watching the last ten minutes of that flick over and over again...
... along with the "So you still think you can control them?" scene from CABARET...
... and (most chillingly) Angela Lansbury's amazing soliloquy about 20' before the end of THE MANCHURIAN CANDIDATE... are contemplating the "Howard Beale Option."
Hey fellahs, are you starting to realize that there comes a time when your tool can turn on you? Or that you may get no joy from Trump v.2.0? Look up the Night of the Long Knives and how the Prussian aristos came to regret backing Adolf.


== Onward to great SCIENCE!! ==

How sad that so many of our fellow citizens derive so little joy from this amazing scientific age. Even if you aren't in the adventure directly, we citizens pay for it and boy are we getting our money’s worth! 

Van-sized robots lowered by parachute--> rocket --> crane to roam Mars with tiny helicopter companions. Giant telescopes that unfold like origami, perfectly, to reveal basic patterns of Creation. Using DNA from millions of living humans to reveal the ebb and flow of migrations and populations and even behaviors, from tens of thousands of years ago. Feathered dinosaurs? Trickster octopuses and grateful elephants and boat toppling orcas? Who'd a thunk it?

Moreover, unlike every other priesthood across time, our sages hurry enthusiastically to share it all with us, on PBS or YouTube or social media.  And the theological implications... as we rapidly unroll the blueprints of Creation... are stunning, as I describe in my play The Escape.

The rapid sagacity of the fact professions spurs a reaction. So many of the oligarchs who want a return of feudalism now dig lavish prepper compounds and spread hatred of nerds, hoping for the scenario of A Canticle for Leibowitz. But if an "Event" happens, nerds will save everyone. And every prepper hideaway will become a luscious nut to crack.

Folks know, deep down, who their friends are.

So, let’s dive into our latest updates! Like… 

Natural evaporation is used to drive desalination processes, as fresh water can be harvested from saltwater by condensing the vapor produced by an evaporative surface. Hydrovoltaic nano-devices could theoretically operate anywhere there is water or moisture and could be used to both purify water and create electricity at the same time.

Fascinating that we are learning the cerebellum – at the back of the brain – appears to be about a lot more than control of movement.


Want to live longer with replacement organs? Never underestimate Peter Diamandis, whose XPrize work was world-changing and whose book (Abundance: The Future is Better than You Think) and blog are badly needed tonics against the modern, masturbatory fetish of gloom and sanctimony-pessimism. (Only a people with confidence can take on today’s challenges!)


So, here’s Peter’s latest prediction that we’ll grow complete replacement organs by 2030! (I deem it quite plausible. Especially since this piece of news involves another of my heroes, Dean Kamen!)



== Straight outta SciFi ==


This news item about varied forms of life blending together has some folks writing to me: "It reminded me of Heaven's Reach." Well-well, here’s what the article in Popular Science (popsci.com) says: “For the first time in one billion years, two lifeforms truly merged into one organism!”  Ahem… well… "For the first time" means during the last 100M years. Not great journalism. (That's not an "eyeblink"!)


Still it’s very interesting. And pertinent to my novel! In Heaven's Reach the blending is violent and mooshes together all forms of life – combining them at the edges of black holes!


Even weirder…


First broached in Stanley Weinbaum’s A Martian Odyssey … and later in Star Trek… is the notion that living organisms can be persuaded to make silicon-carbon bonds—something only chemists had done before. Now, scientists at Caltech claim to have "bred" a bacterial protein to have the ability to make the man-made bonds, a finding that has applications in several industries. We now know that nature can adapt to incorporate silicon into carbon-based molecules, the building blocks of life.


Tardigrades!  Resilient and a bit like the Trisolarians in The Three Body Problem, they can survive heat, cold, radiation and desiccation in space. Now scientists have injected human cells with the factor that lets tardigrade cells go gel-like when under stress… and it worked!  On the single cell level, that is. But with implications that are rife for sci fi…


Is the Y Chromosome disappearing? Or is it essential in some of the ways I speculated, in Glory Season?  (As I post this, the e-version is on sale for a week for $2.99!)



== More notions outta sci fi that just might… ==


Laser excitation of Th-229: “Physicists have been hoping for this moment for a long time: For many years, scientists all around the world have been searching for a very specific state of thorium atomic nuclei that promises revolutionary technological applications. It could be used, for example, to build a nuclear clock that could measure time more precisely than the best atomic clocks available today. It could also be used to answer completely new fundamental questions in physics”. 


Now that experimentalists can provoke long lived oscillations in nuclei with lasers, might a NUCLEAR CLOCK be possible, vastly more precise than today’s mere atomic clocks? Miles Palmer asks: “Is the accuracy of a nuclear clock relative to an atomic clock relatable to the ratio of the strong force to the EM force? Would this technology also impact gravitational wave sensing? Measuring changes in fundamental “constants” of nature?”


(The accuracy might be increased much more than the ratio of the force strengths (137).  The frequency of the transition is more than 200K times that of the Cs clock.)



== More science! ==


The tachyon cosmological model is unlikely to pass rigorous experimental tests, given the unlikely nature of tachyons - particles that (in a weird aspect of relativity) might (notionally) move only faster than light. And if they interacted with regular matter could hence (as in Greg Benford's novel Timescape) conceivably violate causality. Now this study suggests that a background flood of tachyons could explain both dark matter and dark energy effects. Well, it has survived a first-order, very preliminary check. One of many more before the idea is taken as more than a quirky side thought.

As for AI and causality and quantum… one of you opined: "Of course, quantum computers may make a mockery of any encryption schemes we have currently. I also have a sneaking suspicion they may make a mockery of causality, if they work as predicted... but I get ahead of myself."


Is biology already applying this? The first half of Penrose/Hameroff's notion of quantum effects in neurons is blatantly correct... it's likely there are bits inside neurons that use quantum, just like chloroplasts do, during photosynthesis. Moreover, shutting off those bits with anesthetic does correlate with loss of consciousness! I am further convinced by one subjective fact, how vividly we dream. Jeepers, that spectacular, cinemascope nightly drama must require prodigious computational power to spare.


The other half of the Penrose/Hameroff theory is a bit woo-woo... that consciousness happens when we connect with some cosmic quantum order that mere machines will never be able to reach? Hm, well. I've played with that in Sci Fi. But yeah, we're getting way ahead of ourselves.


My friend - and 25-year host of the Closer to Truth sci-philos TV series - Robert Lawrence Kuhn - has just published a comprehensive article on theories of consciousness — A Landscape of Consciousness: Toward a Taxonomy of Explanations and Implications — in Progress in Biophysics and Molecular Biology. A most-enlightening and balanced survey of the core philosophical issue of our time, especially at a moment of potentially emerging AI.



== Physics is the weirdest science ==


Schrödinger’s Cat illustrates the problem of superposed quantum states that collapse into a single ‘real’ state when observed. Is the observer (which can be you) some kind of all powerful being with reality-enforcing powers, as in Greg Egan’s great novel Quarantine?  I’ve long suspected that’s kinda mystical and that systems of particles (e.g. that famous cat) do it all by themselves by interacting with each other, collapsing the state all the time. New models on quantum theory suggest it, as said in this article: “For large systems, spontaneous collapse occurs frequently, rendering them classical in appearance. Subatomic objects interacting with these systems become part of them, leading to rapid collapse of their state and the acquisition of definite coordinates, akin to measurement.”

Want some more gosh-wow?  Here’s Sabine with one of her mind-blowing riffs on ‘coincidences in physics.’  



== Earth in balance ==


“Natural iron fertilization of the Southern Ocean by windblown dust has been suggested to enhance biological productivity and modulate the climate.” Now comes strong evidence for this.


In fact it seems that around a third of the fecundity and life productivity of the Southern Ocean comes from iron deposited by dust.  Supporting this separately, a hugely indicative single event was the clouds of soot a couple of years ago, from Australian wild fires, that was followed immediately by huge plankton blooms and surges of fish populations. And then... whales!


Hm. Well I heard a large part of this cycle is whale poop! Saving the whales may have helped to keep the oceans thriving. 


You'll recall in EARTH I had tide powered bottom stirrers sending plumes of silt into fast ocean streams, fertilizing them. What is clear is that the fanatics who have sued and prevented simple experiments in ocean fertilization have been harmful to the good of the world. This needs carefully graduated experimentation now!



== On and on about poor Tesla… ==


A terrific science explainer goes into Nikola Tesla's wonderful induction motor, one of many mighty inventions by a creative genius... though one who is betrayed, daily, by the insipid/raving cult that now surrounds his name. A cult that's desperate to transform a modern, successful, appreciated, collaborative - and psychologically troubled - corporate scientist into some kind of archetype of a persecuted, isolated wizard in his tower, hoarding mighty secrets and powers that were never-since replicated, even today. Nikola Saruman!

What utter, romantic hogwash. What a silly cult. Dig this. Tesla got tons of backing, was moderately rich most of the time, and even his crazier notions - the disproved fantasies - got heaps of $ invested into them. Did he have ups-and-downs? Sure, and it's quite a story with genuine lessons. But some kind of magical seer? Oy, what a load.


Above all, today's tens of millions of bright science minds - yes, standing on the shoulders of such giants - are even more brilliant, possessing instrumentalities roughly a quadrillion times more sensitive than anything Nikola had. 


They... are... not... missing any magical wizard-wonders that he supposedly, cryptically hinted at.

Even the underlying reason for this cult - our western-enlightenment notions of romantically boosting underdogs and authority-questioners - that I talk about in Vivid Tomorrows - is so obsolete when it comes to Tesla, who now is *the* establishment cult figure on everyone's lips, like Edison used to be. 


Geez I could name dozens of other, far more under-appreciated geniuses, ripe n' ready and deserving of the next cult-revival, instead of this silly and ultimately bo-ring herd-lemming mob that's chanting hosannahs around Nikola Tesla...

...who would have been appalled.


Cryptogram On the Voynich Manuscript

Really interesting article on the ancient-manuscript scholars who are applying their techniques to the Voynich Manuscript.

No one has been able to understand the writing yet, but there are some new understandings:

Davis presented her findings at the medieval-studies conference and published them in 2020 in the journal Manuscript Studies. She had hardly solved the Voynich, but she’d opened it to new kinds of investigation. If five scribes had come together to write it, the manuscript was probably the work of a community, rather than of a single deranged mind or con artist. Why the community used its own language, or code, remains a mystery. Whether it was a cloister of alchemists, or mad monks, or a group like the medieval Béguines—a secluded order of Christian women—required more study. But the marks of frequent use signaled that the manuscript served some routine, perhaps daily function.

Davis’s work brought like-minded scholars out of hiding. In just the past few years, a Yale linguist named Claire Bowern had begun performing sophisticated analyses of the text, building on the efforts of earlier scholars and on methods Bowern had used with undocumented Indigenous languages in Australia. At the University of Malta, computer scientists were figuring out how to analyze the Voynich with tools for natural-language processing. Researchers found that the manuscript’s roughly 38,000 words—and 9,000-word vocabulary—had many of the statistical hallmarks of actual language. The Voynich’s most common word, whatever it meant, appeared roughly twice as often as the second-most-common word and three times as often as the third-commonest, and so on—a touchstone of natural language known as Zipf’s law. The mix of word lengths and the ratio of unique words to total words were similarly language-like. Certain words, moreover, seemed to follow one another in predictable order, a possible sign of grammar.

Finally, each of the text’s sections—as defined by the drawings of plants, stars, bathing women, and so on—had different sets of overrepresented words, just as one would expect in a real book whose chapters focused on different subjects.

Spelling was the chief aberration. The Voynich alphabet—if that’s what it was—appeared to have a conventional 20-odd letters. But compared with known languages, too many of those letters repeated in the same order, both within words and across neighboring words, like a children’s rhyme. In some places, the spellings of adjacent words so converged that a single word repeated two or three times in a row. A rough English equivalent might be something akin to “She sells sea shells by the sea shore.” Another possibility, Bowern told me, was something like pig Latin, or the Yiddishism—known as “shm-reduplication”—that begets phrases such as fancy shmancy and rules shmules.

Worse Than FailureREADME

One of the clients for Rudolf's company was getting furious with them. The dev team was in constant firefighting mode. No new features ever shipped, because the code-base was too fragile to add new features to without breaking something else. What few tests existed were broken. Anyone put on the project burned out and fled in months, sometimes weeks, and rarely after only a few days.

Rudolf wasn't too pleased when management parachuted him into the project to save it. But when he pulled the code and started poking around, it looked bad but not unsalvageable. The first thing he noticed is that, when following the instructions in the README, he couldn't build and run the application. Or maybe he wasn't following the instructions in the README, because the README was a confusing and incoherent mess, which included snippets from unresolved merges. Rudolf's first few days on the project were spent just getting it building and running locally, then updating the README. Once that was done, he started in on fixing the broken tests. There was a lot of work to be done, but it was all doable work. Rudolf could lay out a plan of how to get the project back on track and start delivering new features.

It's about then that Steve, the product owner, called Rudolf in to his office. "What the hell do you think you're doing?"

Rudolf blinked. "Um… what I was asked to do?"

"Three days and you just commit a README update? A couple of unit tests?"

"Well, it was out of date and meant I couldn't-"

"Our client is crazy about their business," Steve said. "Not about READMEs. Not about unit tests. None of that actually helps their business."

Rudolf bit back a "well, actually," while Steve ranted.

"Next thing you're going to tell me is that we should waste time on refactoring, like everybody else did. Time is money, time is new features, and new features are money!"

Suddenly, Rudolf realized that the reason the project had such a high burnout rate had nothing to do with the code itself. And while Rudolf could fix the code, he couldn't fix Steve. So, he did what everyone else had done: kept his head down and struggled through for a few months, and kept poking his manager to get him onto another project. In the meantime, he made this code slightly better for the next person, despite Steve's ranting. Rudolf eventually moved on, and Steve told everyone he was the worst developer that had ever touched the project.

The customer continued to be unhappy.


365 TomorrowsWe All Get Tired Sometimes

Author: Julian Miles, Staff Writer The door opens slowly. Lawgiver James comes in, helmet in hand. He’s got a look on his face that tells Maddy everything she doesn’t want to know. “They found him, didn’t they?” James nods. “He’s dead, isn’t he?” Deputy Evans nods as he follows James in. “Yes, ma’am.” She looks […]

The post We All Get Tired Sometimes appeared first on 365tomorrows.