Planet Russell


Charles StrossThe ends of education

So we're into the Conservative Party leadership run-off campaign, and the two candidates are throwing policies at the base that, to outsider ears, sound increasingly bizarre. But there's a lot we can learn from them about how the Conservative elite perceive the state of the UK today, and some of it (who am I kidding? Most of it!) is disturbing.

In the latest move, potential Prime Minister Rishi Sunak (the richest MP in parliament, a former Goldman Sachs employee and hedge-fund manager who married a billionaire) has vowed to phase out university degrees that do not improve students' "earning potential":

... Yeah, I know what you're thinking: "train the serfs for work, actual education is for the wealthy elite". But there's a lot more to it than that.

The Guardian: Rishi Sunak vows to end low-earning degrees in post-16 education shake-up

For starters, "earning potential" is only testable in hindsight. Work is changing, many jobs are being automated, and the earnings of graduates with a given degree over the previous decade is not a good predictor for the success of new graduates with that degree.

I have two STEM degrees from the 1980s which are totally obsolete now and of almost no relevance to my current occupation.

You can't predict educational outcomes for future employment on the basis of priors because, like the old "job for life" culture, the degree-for-life has died. Personal anecdote: after a regrettable initial career choice—nobody needs a pharmacist with ASD/ADHD, it's a really bad combination of personality traits for that career—I returned to university (something I wouldn't be able to do today) and graduated for the second time, with a CS degree, in '90, right in the middle of a recession. The only work I could find was as a technical author (I had the writing chops and bluffed my way in). I have worked as a programmer since then, but only for 5 years out of the past 33. For 18 out of those 33 years, my occupation has had almost nothing to do with either degree. And today, a 1990 CS degree is about as useful in the CS workplace as a 1923 aerospace engineering degree (if such a thing existed).

Priors are not predictors, especially in an unstable working environment.

Here's an illustrative thought experiment: imagine you have a time machine. Now pick a worker at random from some time and place in the past 5 centuries, and carry them forward by 30 years. will they be able to earn a living?

Until 1900 the answer was probably "yes", because most work was unskilled agricultural or factory labour. (Even basic literacy was optional.)

Then it got harder. A 1945 factory worker might be able to adapt to work in a 1975 factory. But a 1975 factory worker would be utterly adrift in a 2005 factory that had gone from drill presses to CNC tools, from painting stuff by hand to using robots.

And it'd be the same with office workers, medics, miners. A 1800 doctor would have relatively little to learn to practice in 1830. Even a 1910 doctor wouldn't find the innovations of 1940 too complex to grapple with. But the shift from medicine in 1960 to 1990 is dizzying: that was the era of the pharmaceutical revolution, when all sorts of new treatments became available, things that hadn't even been recognized as disease states became medical specialities, and a whole new set of diagnostic tools became available. A 1960 doctor in 1990 who hadn't kept up with their training might as well start from scratch all over again.

So: I'm going to hammer this point again (it's vital context for understanding what higher education is for) a degree does not equip you for a job, even for a specific job for a couple of years in the very near future.

So what's Sunak really talking about?

Until the 1990s universities in the UK were private entities that ran almost entirely on government funding for higher education. (The Polytechnics were vocational training institutions, and state-owned, until they were renamed Universities and privatised in the 90s.) With privatization the government gradually withdrew the education funding: first loans were brought in for subsistence, replacing the previous student grant, then tuition fees were added on top. All to a background of trying to push as many people as possible through the institutions of higher education in order to certify that the individuals were sufficiently tractable to obey orders, perform rote tasks, and conform to expectations—necessary prerequisites for employment.

(Because in an unstable working environment HR departments can't rely on references from previous employers.)

What evolved was essentially a Ponzi scheme. Workers needed a certificate of obedience to show they were suitable employees. The universities that issued such certificates were private institutions: the more certificates they could issue, the more money they could make. At the same time, the finance sector boomed—not so much through student loans at first (the Student Loan Company was thoroughly regulated initially) but through side-projects like the highly profitable student housing construction boom. Also, once a worker-unit was certified and in employment, paying off their student debt, they could be trained to accept other debts. Credit card debt, mortgage debt, anything at all that could be monetized. And the universities that could recruit and certify the most students made the most money.

All good things come to an end, though. The slow-motion economic disaster that is Brexit (hint: 13% inflation predicted later this year, close to full employment but nearly half the in-work population qualify for Universal Credit—government income support—because they're so badly paid, economy in recession for the next couple of years and expected to shrink by about 6%), combined with a global energy crisis and a pandemic, is choking off the supply of willing debtors needed to sustain the Ponzi scheme.

The sheepskin is no longer enough to get you a job that pays well enough to cover the interest on the loans you took out to buy the sheepskin. So why buy the sheepskin?

Sunak is coming at this with the mind-set of a financier—and specifically, a disaster capitalist. His objective is typically short-sighted: he wants to deflate the higher education bubble in the UK just enough to stave off a catastrophic crash (damaging to the interest of the investor class), and he's going to do so by shedding the least-remunerative debtors, the ones who earn below the loan repayment threshold.

(Now would be a good time to sell your shares in student housing companies if you have any, by the way.)

The stupidest aspect of this is that for cultural reasons specific to the Conservative party membership he's going to trash arts education funding.

The UK arts sector includes film, media, computer games, and music: it's one of the UK's most profitable export industries. For every £1 of government money going into it, roughly £5 in foreign earnings comes back.

But it's ideologically suspect to gammons' eyes. Gammons—the Tory party membership, whose support Sunak is canvassing—are predominantly white males aged over 60 living in the South East of England, authoritarian by inclination and well-off but poorly educated.

Authoritarian followers are very conformist: submissive towards those they perceive as powerful, need rigid guidelines for conduct, and distrust and despise nuance and complexity.

Art, by its very nature, can't be conformist. So they hate it and have no use for it, and it's easy to rally them against "liberal arts" long-hairs.

So, in order to prevent a chunk of the financial sector imploding due to the higher education certification Ponzi scheme crashing, Sunak is going to wreck the UK's biggest export-earning industry.

Nicely played!

PS: this is how you get V for Vendetta.

Cory DoctorowSo You’ve Decided to Unfollow Me

A double exit-door, open to reveal a Matrix-style code waterfall. Over the door is a green exit sign with a green halo.

This week on my podcast, I read “So You’ve Decided to Unfollow Me,” a recent column for Medium describing the joys of writing to attract the audience of people who want to read what you want to write.

(Image: Sascha Kohlmann, CC BY-SA 2.0, modified)


Charles StrossBooks I will not write: BIGGLES!!

It's been a long time—a couple of years—since I last posted a blog entry describing a book I will not write, because mostly I either wrote them or I just stopped having so many wasteful ideas.

But I had a mild case of COVID19 in late May ("mild" belongs in scare quotes; it kicked my ass worse than influenza, and the lingering gastric effects are horrible, but I didn't need antivirals or hospital treatment, so yay vaccines?), and I downed tools and haven't gotten back to work yet, which is annoying to me but continuing an existing project while cognitively impaired is a really bad idea. (You generally end up spending twice as long untangling the mess you created as you spent making it in the first place.) I expect to get back to work later this week: but in the mean time, my Muse made an unexpected and unwanted house call, screamed at me for a while, and left me with an incoherent pile of notes.

The proximate trigger for this car-crash of a story idea was the blog of another author, Rachel Manija Brown, who is currently discovering the joy of Biggles for the first time, and blogging about the books. Biggles is James "Biggles" Bigglesworth, ace pilot and adventurer, the most famous fictional creation of W. E. Johns, writing as Capt. W. E. Johns (although he only made it to Flying Officer in the RAF). They say "write what you know," and Johns clearly knew more than was strictly healthy about dogfighting during the first world war, having been there. So over 45 years or so, he wrote boys' adventure novels—lots of them.

(Breaking the fourth wall: I'm taking a moment to appreciate just how hard it is to write a blog entry right now, and drawing conclusions about the wisdom of going back to tackle the climax of A Conventional Boy in my current state. Ahem: back to the blog ...)

Rachel Manija Brown noted with some glee the somewhat slashy, homoerotic overtones of the relationship between Biggles and his arch-nemesis/rival, Erich Von Stalheim, and this got me thinking Bad Thoughts. As these books run from the first world war through the inter-war years and then via a brisk WW2 update into the 1950s—Biggles is nothing if not long-lived—Von Stalheim is painted as an aristocratic German fighter ace in the Von Richthofen mode, with a detour into spying and various other nefarious activities. (The horrors of Nazism were not really in the boys' adventure wheelhouse back then, although Johns is as staunchly anti-Bolshevik as you'd expect from a guy who probably grew up reading William Le Queux.) Anyway, Biggles/Von Stalheim slashfic is an obvious no-brainer shoe-in for Archive of Our Own and it turns out that there's more Biggles/Von Stalheim slashfic on AO3 than all Laundry Files fanfic combined! What a surprise. More importantly, what happens if we take it to the max?

Anyway, my Muse has been AWOL since late 2020, presumably drinking his way around every dive bar in the South Pacific while I played catch-up with a bunch of existing books that were already scheduled and didn't need divine inspiration. But for some reason he decided to come back and pull his normal drill sergeant stunt of kicking my ass and demanding Ideas.

So here's an idea for a Biggles reboot. Or rather, my delirious post-COVID notes for how I ought to reboot Biggles if only copyright wasn't an issue (Johns' literary estate is in copyright until 2038: thanks, Disney!), by way of a twitter poll or two about how to maximize my chances of getting Biggles Banned in Texas.

Obviously as I'm an SF author I'm not going to do a historical Biggles reboot, I'm going to do an SFnal version. (Let's ignore the issue of W. E. Johns' own Biggles-by-any-other-name ten book SF series from the 1950s/1960s, which weren't very good.) To start with, how do we get Biggles into the 24th century (in time for some Space Opera) and queer him up enough for modern tastes (my twitter poll concluded that the most popular reboot would be trans lesbian Biggles: furry Biggles came a close second, with boringly pedestrian gay Biggles a distant third) without wildly contradicting the Biggles canon?

The set-up

Biggles is cryonically frozen by the RAF after he's horrifically injured when an experimental jet he's test piloting crashes in 1947. (The UK drew the short straw with the alien tech divvy-up in Operation Paperclip: the UK got the cold sleep chambers from the flying saucer that crashed in the Third Reich, while the USA got the anti-grav.) He is added to the National Stockpile of Fighter Aces against future need, part of Operation ARTHUR. But the utility of a truncated piston-era pilot is limited, and he's still in deep storage when the stockpile is privatized and sold off in the 21st century. Biggles is maintained by a pension corp for a few decades (his war pension pays the freezer bills). But finally, after one government bankruptcy too many, he's thawed, fixed (23rd century medical nanotech is amazing) and dumped on the street, like the Revivals in Transmetropolitan. (Indeed, the 23rd century Biggles experiences is straight out of the classic Warren Ellis comic.)

Biggles is homeless, future-shocked, and worse: they messed up his regeneration. When he crashed, the 1947 medics were forced to amputate everything below his pelvis before they froze him. ("Bend over and hold onto your arse—no, wait, that's your arse over there".) It turns out Biggles has X0/XY mosaicism. The bored clinic tech who set up the regeneration run in his tank missed this and the nanotech tried to repair him: so he went in the freezer apparently male (at least, before his wedding tackle was burned off), and woke up 160 years later, healthy and female.

(Note per canon Biggles' sexuality is ambiguous. He has a girlfriend at one point, but she turned out to be a German spy so it didn't work out: he never marries but holds a suspiciously convenient torch for her for the rest of his life. This being a series that starts in the 1920s, homosexuality was unmentionable and gender dysphoria unheard of. All we can say for sure is that Biggles conformed to male gender roles but was very uptight and didn't talk about Feelings. Stiff upper lip, chaps!)

Back to the space opera:

They say to steal from the best, so I'm stealing 90% of this aspect of the story from the Traveller role playing game. And the rest is a colaboration with the ghost of Poul Anderson (in his Polesotechnic League period) with a dash of Spider Jerusalem thrown in just to fuck shit up.

Cheap jump drive technology has been invented. But they need human pilots because (due to some magic quantum consciousness woo handwavium) computers don't work in hyperspace. Ships also need a lot of human inputs for stuff like life support and navigation and maintenance because, again, robots and AIs don't work in hyperspace. (So they tend to combine the worst control and maintenance aspects of submarines or WW2 aircraft in one happy fun package.) It turns out that there are lots of human-life-hospitable planets within jump drive range, some of which have suspiciouslty terrestrial biospheres. Looks like somebody's already been visiting them—maybe whoever crashed that flying saucer in Bavaria in the 1930s?

The jump drive has a couple of useful spin-offs and a couple of annoying quirks. The "computers don't work in hyperspace" is the worst of the quirks. (Makes life tough for cyborgs, as well.) One convenient spin-off is cheap, easy, aneutronic fusion reactors (proton-boron cycle) that do direct high-energy photon to electricity conversion. (Hyperspace pinch instead of electromagnetic confinement.) Another is gravity polarizers: ships can effectively cancel out their gravitational potential energy, make orbit easily, then jump out. So mass isn't a major constraint, they're built like ships out of welded steel construction with sloppy tolerance. But life support and onboard systems are purposely crude, to survive hyperspace travel. (This is how you get your Millennium Falcon kit-bashed look. Or more OG Traveler TTRPG stuff.)

Murder hornets are not the only interstellar pests: Fascists are everywhere, using cloning to address their Great Replacement neurosis. They're trying to colonize the galaxy. Biggles is in a bit of a cleft stick because she might be white and somewhat conservative, but she has a gut reflex to punch Nazis on sight—it's a tic she acquired during the Battle of Britain. This gets her into trouble in pretty much every spaceport after she's re-trained as a scout ship pilot, so she has to flee to the fringe worlds. But Biggles is not alone! She has her trusty co-pilot Algy, another 20th century RAF veteran, and their former stowaway turned apprentice, Ginger—thusly nicknamed because she's an anthropomorphic vixen (again: 23rd century medical nanotech is wild).


Azhdarchids are terrifying and it looks like someone a very long time ago stole a bunch of Azhdarchid eggs from Earth and left them on, er, the Planet of the Azhdarchids, an earthlike world with a somewhat denser atmosphere. The result is bigger/heavier flying dinosaurs: "dragons? Who needs dragons?" Which has been colonized by a bunch of lizard-worshipping nut-jobs known to the rest of the galaxy as the Azhdarchid Empire.

Biggles and co crash land here when they takes a contract to ferry (unspecified low mass/high value cargo) to the Azhdarchid Empire's high priesthood in the capital city. The planet in question is off the main shipping routes, so no container ships go there, just the occasional rust-bucket scout ship hired for a special courier flight.

Her ship makes a hard landing in the back of nowhere due to a series of unfortunate events. First, the planetary navsat array has been taken offline by a solar flare. Then, after re-entering off course, a quetzalcoatl strike takes out the main landing gear while is flying manually and trying to work out where the hell they are. So she and her crew have to make a forced landing, cross a couple thousand kilometres of wilderness in the emergency light-fliers (microlights with a magical unobtanium electric battery as a powe source), avoid being eaten by flying lizards the size of Cessnas, buy spare parts to repair the ship, deliver the cargo, and discover in the process that the Azhdarchid Empire is kind of skeevy, It's an aggressive, racist patriarchy run by cis white men (descended from Space Nazis). Biggles rescues the high priest's daughter, who has fallen into disfavour for refusing to marry her dad's Igor and is scheduled for sacrifice to a dragon, and ends up having to flee in a hurry. There is a thrilling chase scene, riding half-tamed Azhdarchids! Also, microlight/dragon dogfighting!

There's a second book idea that I am frantically trying not to write notes on, involving Ericha Von Stalheim, also genderflipped and transported to the 24th century and working as a spy (visuals: think in terms of a very teutonic Servalan), a diplomatic mission, castles, dungeons, and a very slashy BDSM scene. Smut, total smut, and so indecent W. E. Johns would stroke out if he read it. So I'm not writing it down.

Anyway my Muse insisted I write this all down so it's no longer irritating my brainworms, because misery loves company, and this is my misery. Make of it what you will, I'm not going to turn this into a book! I'm simply blogging it as an example of why writing with COVID19 is a bad idea.

So there.

Charles StrossCrimes against Transhumanity

(Disclaimer: I am a transhumanist skeptic these days, not to mention a singularity curmudgeon and a critic of Mars colonization, but I still find these ideas nice to chew on sometimes.)

Humans are social animals, and it seems reasonable to assume that any transhuman condition we can wrap our minds around will also be a social one for most of its participants.

Society implies a social contract, that is: we grant one another rights and in return make the concession of respecting each others' rights, in order that our own rights be observed and respected.

And violations of rights tend to be at the root of our concept of crime and injustice—at least, any modern concept of crime once we discard religious justifications and start trying to figure things out from first principles.

Which leads me to ask: in a transhumanist society—go read Accelerando, or Glasshouse, or The Rapture of the Nerds—what currently recognized crimes need to be re-evaluated because their social impact has changed? And what strange new crimes might universally be recognized by a society with, for example, mind uploading, strong AI, or near-immortality?

SF authors are paid to think our way around the outside of ideas, so it's always worth raiding the used fiction bin for side-effects and consequences. Here's qntm's take on the early years of mind uploading--the process of digitizing the connectome of a human brain in order to treat it as software: I strongly suggest you read Lena (if you haven't previously done so) before continuing. It's a short story, structured as a Wikipedia monograph, and absolutely horrifying by implication, for various reasons.

Let me give you that link again: Lena. (Go read: it's short, good fiction, and the rest of this essay will still be here when you get back.)

Mind uploading makes certain assumptions. (Notably: mind/body dualism is a bust, there is no supernatural element to consciousness, also that we can resolve the structures involved in neurological information processing with sufficient resolution to be useful, and that the connectivity and training of the weighted neural network in the wetware is what consciousness emerges from.)

Uploading also implies that consciousness is replicable and fungible, which in turn implies our legal systems can't cope without extensive modification because we rely on an implicit definition of humanity which at that point will be obsolete, as the treatment of MMAcevedo (Mnemonic Map/Acevedo), aka "Miguel" in the story, demonstrates: MMAcevedo is considered by some to be the "first immortal", and by others to be a profound warning of the horrors of immortality.

Historically, our identity has been linear: there is a start, there is a terminus, along the way we are indivisible, although we undergo change over time (and may lose or gain significant portions of our selves—for example, most people retain few or no memories of their life before a point some time between the ages of 3 and 5 years old).

The premature termination of a human life is an irrevocable act, and to deliberately inflict it on someone is seen as a crime (various degrees of murder).

Because our identity is indivisible and of limited duration, time is a rivalrous resource to us: we have to choose what to do with it, or be subject to someone else's choices. (One of the reasons why imprisonment is seen as a punishment—to which we are averse—is the total loss of opportunities to choose what to do with the time we lose. (Yes, there are other reasons: let's ignore them and focus on what this might signify for the posthuman condition.)

There's a fascinating sequence early in Linda Nagata's space opera novel Vast that throws the implications of alienated labour for uploaded minds into stark relief: if you're confronted with a mind-numbingly tedious task that needs human-level cognitive supervision for a period of years or decades, why not divide your time up in chunks and discard the boring ones? You could set up a watchdog timer to reset your uploaded mind to a baseline state every 3 minutes, unless an exception occurs—an emergency that makes you hit the dead man's handle in your environment, at which point the subjective passage of time resumes. In Vast, a human mind is needed to supervise a slower-than-light starship on a voyage that takes centuries during which nothing much happens. The crew use this three minute reset cycle to avoid experiencing tedium: subjectively, they condense the entire voyage into 180 seconds. (If you've driven long distance you'll probably have wished for the ability to push a button and find yourself at your destination. Right?)

Other authors found other angles on this question: the first book in Hannu Rajaniemi's Jean Le Flambeur trilogy (The Quantum Thief starts with the exact opposite—a thief sentenced to spend a subjective eternity in an escape-proof prison, as a punishment of sorts. Spoiler: he escapes. How he does it and why he was there is the start of yet more musing on what might constitute crimes in a realm populated entirely by uploaded minds. In particular Rajaniemi dives headlong into two really disturbing questions: firstly, the potential for eternal enslavement such a setting offers (never mind perpetual torment), and secondly, what it does to the post-Enlightenment social concept of human equality.

We are all living in the afterglow of a sociological big bang that took place in 1649—the execution of Charles I, who was variously King of England and Wales, Scotland, and Ireland at the time of the Wars of the Three Kingdoms: his trial and execution by a court--appointed by a parliament of the people—shattered the then-prevalent understanding among European/Christian communities that Kings were appointed by God to rule on Earth. A corollary of the Divine Right of Kings is that some people really aren't equal--monarchs, and by extension, aristocrats, have more rights (by religious decree) than other people, and some categories (chattel slavery springs to mind: also the status of women and children) have less. But if the People could try the King for crimes against the state, then what next?

"What next" turned out to be a troublesome precedent. Charles I's younger son James II tried to walk back the uneasy settlement with parliament and got yeeted into exile in 1688-90 as a result, with the resounding and lasting outcome that the powers of the Crown in English and Scottish law was now vested in Parliament, and the head beneath the fancy hat was merely a figurehead who could be sacked if he (or she) acted up. If the monarch wasn't divinely appointed, what set him apart? Numerous philosophical maunderings later it was the French king's turn, and also time for the US Bill of Rights--which, while based on the 1698 English Bill of Rights, implicitly adopted the pernicious logic that there could be no king, no nobility, only free citizens. (Pay no attention to the slaves—for now.)

Here's the thing: our current prevailing political philosophy of human rights and constitutional democracy is invalidated if we have mind uploading/replication or super-human intelligence. (The latter need not be AI; it could be uploaded human minds able to monopolize sufficient computing substrate to get more thinking done per unit baseline time than actual humans can achieve.) Some people are, once again, clearly superior in capability to born-humans. And other persons can be ruthlessly exploited for their labour output without reward, and without even being allowed to know that they're being exploited. Again, see also the subtext of Ken MacLeod's The Corporation Wars trilogy: in which the war between the neoreactionaries and the post-Enlightenment democrats has been won ... by the wrong side.

The second book in The Quantum Thief trilogy, The Fractal Prince, gives us a ghastly look at a world where genocide and enslavement are carried out by forcibly abducting and uploading the last born-human survivors—is it actually genocide if the body is dead but the mind is still there? (It's a new version of Caedite eos. Novit enim Dominus qui sunt eius, of course.) It may not be genocide in the currently accepted legal sense of the term—the forcible extermination of a cultural group or of the people who are members of such a group—but it's certainly a comparable abomination.

Our intuitions about crimes against people (and humanity) are based on a set of assumptions about the parameters of personhood that are going to be completely destroyed if mind uploading turns out to be possible. And the only people I see doing much thinking about this (in public) are either SF authors or people pushing a crankish ideology based on 19th century Russian orthodox theology.

Surely we can do better?

Planet DebianAdnan Hodzic: Amsterdam Toilet & Urinal Finder

Amsterdam is a great city to enjoy a beer, or two. However, after you had your beers and you’re strolling down the streets, you might...

The post Amsterdam Toilet & Urinal Finder appeared first on FoolControl: Phear the penguin.

Worse Than FailureCodeSOD: Around 20 Meg

Michael was assigned a short, investigatory ticket. You see, their PHP application allowed file uploads. They had a rule: the files should never be larger than 20MB. But someone had uploaded files which were larger. Not much larger, but larger. Michael was tasked with figuring out what was wrong.

Given that the error was less than half a megabyte, Michael had a pretty good guess about why this was.

if (round($uploadedFile->getSize() / 1024 / 1024) > 20) { [ ... throw some error message ] }

The developer's instincts weren't entirely bad. Take the number of bytes, divide by 1024 twice to get it down to megabytes, and then compare against twenty. It's probably not how I'd write it, but it's not wrong- at least not until you start rounding the number off.

Why was the developer rounding in the first place?

"Because 20 is an integer, and I wanted to compare integers. So I rounded. PHP doesn't have a built in trunc method."

Pedantically true, as there's nothing called trunc or truncate in PHP, but it does have a floor and an intval method, both of which discard decimal digits (but behave slightly differently). In this case, either one would have worked.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

Planet DebianIan Jackson: dkim-rotate - rotation and revocation of DKIM signing keys


Internet email is becoming more reliant on DKIM, a scheme for having mail servers cryptographically sign emails. The Big Email providers have started silently spambinning messages that lack either DKIM signatures, or SPF. DKIM is arguably less broken than SPF, so I wanted to deploy it.

But it has a problem: if done in a naive way, it makes all your emails non-repudiable, forever. This is not really a desirable property - at least, not desirable for you, although it can be nice for someone who (for example) gets hold of leaked messages obtained by hacking mailboxes.

This problem was described at some length in Matthew Green’s article Ok Google: please publish your DKIM secret keys. Following links from that article does get you to a short script to achieve key rotation but it had a number of problems, and wasn’t useable in my context.


So I have written my own software for rotating and revoking DKIM keys: dkim-rotate.

I think it is a good solution to this problem, and it ought to be deployable in many contexts (and readily adaptable to those it doesn’t already support).

Here’s the feature list taken from the README:

  • Leaked emails become unattestable (plausibily deniable) within a few days — soon after the configured maximum email propagation time.

  • Mail domain DNS configuration can be static, and separated from operational DKIM key rotation. Domain owner delegates DKIM configuration to mailserver administrator, so that dkim-rotate does not need to edit your mail domain’s zone.

  • When a single mail server handles multiple mail domains, only a single dkim-rotate instance is needed.

  • Supports situations where multiple mail servers may originate mails for a single mail domain.

  • DNS zonefile remains small; old keys are published via a webserver, rather than DNS.

  • Supports runtime (post-deployment) changes to tuning parameters and configuration settings. Careful handling of errors and out-of-course situations.

  • Convenient outputs: a standard DNS zonefile; easily parseable settings for the MTA; and, a directory of old keys directly publishable by a webserver.


It seems like it should be a simple problem. Keep N keys, and every day (or whatever), generate and start using a new key, and deliberately leak the oldest private key.

But, things are more complicated than that. Considerably more complicated, as it turns out.

I didn’t want the DKIM key rotation software to have to edit the actual DNS zones for each relevant mail domain. That would tightly entangle the mail server administration with the DNS administration, and there are many contexts (including many of mine) where these roles are separated.

The solution is to use DNS aliases (CNAME). But, now we need a fixed, relatively small, set of CNAME records for each mail domain. That means a fixed, relatively small set of key identifiers (“selectors” in DKIM terminology), which must be used in rotation.

We don’t want the private keys to be published via the DNS because that makes an ever-growing DNS zone, which isn’t great for performance; and, because we want to place barriers in the way of processes which might enumerate the set of keys we use (and the set of keys we have leaked) and keep records of what status each key had when. So we need a separate publication channel - for which a webserver was the obvious answer.

We want the private keys to be readily noticeable and findable by someone who is verifying an alleged leaked email dump, but to be hard to enumerate. (One part of the strategy for this is to leave a note about it, with the prospective private key url, in the email headers.)

The key rotation operations are more complicated than first appears, too. The short summary, above, neglects to consider the fact that DNS updates have a nonzero propagation time: if you change the DNS, not everyone on the Internet will experience the change immediately. So as well as a timeout for how long it might take an email to be delivered (ie, how long the DKIM signature remains valid), there is also a timeout for how long to wait after updating the DNS, before relying on everyone having got the memo. (This same timeout applies both before starting to sign emails with a new key, and before deliberately compromising a key which has been withdrawn and deadvertised.)

Updating the DNS, and the MTA configuration, are fallible operations. So we need to cope with out-of-course situations, where a previous DNS or MTA update failed. In that case, we need to retry the failed update, and not proceed with key rotation. We mustn’t start the timer for the key rotation until the update has been implemented.

The rotation script will usually be run by cron, but it might be run by hand, and when it is run by hand it ought not to “jump the gun” and do anything “too early” (ie, before the relevant timeout has expired). cron jobs don’t always run, and don’t always run at precisely the right time. (And there’s daylight saving time, to consider, too.)

So overall, it’s not sufficient to drive the system via cron and have it proceed by one unit of rotation on each run.

And, hardest of all, I wanted to support post-deployment configuration changes, while continuing to keep the whole the system operational. Otherwise, you have to bake in all the timing parameters right at the beginning and can’t change anything ever. So for example, I wanted to be able to change the email and DNS propagation delays, and even the number of selectors to use, without adversely affecting the delivery of already-sent emails, and without having to shut anything down.

I think I have solved these problems.

The resulting system is one which keeps track of the timing constraints, and the next event which might occur, on a per-key basis. It calculates on each run, which key(s) can be advanced to the next stage of their lifecycle, and performs the appropriate operations. The regular key update schedule is then an emergent property of the config parameters and cron job schedule. (I provide some example config.)


Integrating dkim-rotate itself with Exim was fairly easy. The lsearch lookup function can be used to fish information out of a suitable data file maintained by dkim-rotate.

But a final awkwardness was getting Exim to make the right DKIM signatures, at the right time.

When making a DKIM signature, one must choose a signing authority domain name: who should we claim to be? (This is the “SDID” in DKIM terms.) A mailserver that handles many different mail domains will be able to make good signatures on behalf of many of them. It seems to me that domain to be the mail domain in the From: header of the email. (The RFC doesn’t seem to be clear on what is expected.) Exim doesn’t seem to have anything builtin to do that.

And, you only want to DKIM-sign emails that are originated locally or from trustworthy sources. You don’t want to DKIM-sign messages that you received from the global Internet, and are sending out again (eg because of an email alias or mailing list). In theory if you verify DKIM on all incoming emails, you could avoid being fooled into signing bad emails, but rejecting all non-DKIM-verified email would be a very strong policy decision. Again, Exim doesn’t seem to have cooked machinery.

The resulting Exim configuration parameters run to 22 lines, and because they’re parameters to an existing config item (the smtp transport) they can’t even easily be deployed as a drop-in file via Debian’s “split config” Exim configuration scheme.

(I don’t know if the file written for Exim’s use by dkim-rotate would be suitable for other MTAs, but this part of dkim-rotate could easily be extended.)


I have today released dkim-rotate 0.4, which is the first public release for general use.

I have it deployed and working, but it’s new so there may well be bugs to work out.

If you would like to try it out, you can get it via git from Debian Salsa. (Debian folks can also find it freshly in Debian unstable.)

comment count unavailable comments


Planet DebianAurelien Jarno: GNU libc 2.34 in unstable

The GNU libc version 2.34 has just been accepted into unstable. Getting it ready has been more challenging than other versions, as this version integrates a few libraries (libpthread, libdl, libutil, libanl) into libc. While this is handled transparently at runtime, there are a few corner cases at build time:

  • For backwards compatibility, empty static archives (e.g. libpthread.a) are provided, so that the linker options keep working. However a few cmake files shipped in some packages still reference the path to the shared library symlink (e.g. which is now removed.

  • A few symbols have also been moved from libresolv to libc and their __ prefix removed. While compatibily symbols are provided in the shared library for runtime compatiblity, this does not work at link time for static libraries referencing this symbol.

The next challenge is to get it migrating into testing!

For the adventurous persons, GNU libc 2.35 is now available in experimental. And as people keep asking, the goal is to get the just released GNU libc 2.36 into Bookworm.

Planet DebianDirk Eddelbuettel: RApiSerialize 0.1.1 on CRAN: Updates

A new release 0.1.1 of RApiSerialize is now on CRAN. While this is the first release in seven years (!!), it brings mostly minor internal updates along with the option of using serialization format 3.

The package is used by both my RcppRedis as well as by Travers excellent qs package. Neither one of us has a need to switch to format 3 yet so format 2 remains the default. But along with other standard updates to package internals, it was straightforward to offer the newer format so that is what we did.

Changes in version 0.1.1 (2022-08-07)

  • Updated CI use to r-ci

  • Expanded and updated both DESCRIPTION and

  • Updated package internals to register compiled functions

  • Add support for serialization format 3, default remains 2

  • Minor synchronization with upstream

Courtesy of my CRANberries, there is also a diffstat to the previous version. More details are at the RApiSerialize page; code, issue tickets etc at the GitHub repository.

If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Cryptogram NIST’s Post-Quantum Cryptography Standards

Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional computers.

Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible. Even so, we already know that that such a computer could potentially factor large numbers and compute discrete logs, and break the RSA and Diffie-Hellman public-key algorithms in all of the useful key sizes.

Cryptographers hate being rushed into things, which is why NIST began a competition to create a post-quantum cryptographic standard in 2016. The idea is to standardize on both a public-key encryption and digital signature algorithm that is resistant to quantum computing, well before anyone builds a useful quantum computer.

NIST is an old hand at this competitive process, having previously done this with symmetric algorithms (AES in 2001) and hash functions (SHA-3 in 2015). I participated in both of those competitions, and have likened them to demolition derbies. The idea is that participants put their algorithms into the ring, and then we all spend a few years beating on each other’s submissions. Then, with input from the cryptographic community, NIST crowns a winner. It’s a good process, mostly because NIST is both trusted and trustworthy.

In 2017, NIST received eighty-two post-quantum algorithm submissions from all over the world. Sixty-nine were considered complete enough to be Round 1 candidates. Twenty-six advanced to Round 2 in 2019, and seven (plus another eight alternates) were announced as Round 3 finalists in 2020. NIST was poised to make final algorithm selections in 2022, with a plan to have a draft standard available for public comment in 2023.

Cryptanalysis over the competition was brutal. Twenty-five of the Round 1 algorithms were attacked badly enough to remove them from the competition. Another eight were similarly attacked in Round 2. But here’s the real surprise: there were newly published cryptanalysis results against at least four of the Round 3 finalists just months ago—moments before NIST was to make its final decision.

One of the most popular algorithms, Rainbow, was found to be completely broken. Not that it could theoretically be broken with a quantum computer, but that it can be broken today—with an off-the-shelf laptop in just over two days. Three other finalists, Kyber, Saber, and Dilithium, were weakened with new techniques that will probably work against some of the other algorithms as well. (Fun fact: Those three algorithms were broken by the Center of Encryption and Information Security, part of the Israeli Defense Force. This represents the first time a national intelligence organization has published a cryptanalysis result in the open literature. And they had a lot of trouble publishing, as the authors wanted to remain anonymous.)

That was a close call, but it demonstrated that the process is working properly. Remember, this is a demolition derby. The goal is to surface these cryptanalytic results before standardization, which is exactly what happened. At this writing, NIST has chosen a single algorithm for general encryption and three digital-signature algorithms. It has not chosen a public-key encryption algorithm, and there are still four finalists. Check NIST’s webpage on the project for the latest information.

Ian Cassels, British mathematician and World War II cryptanalyst, once said that “cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” This mixture is particularly difficult to achieve with public-key algorithms, which rely on the mathematics for their security in a way that symmetric algorithms do not. We got lucky with RSA and related algorithms: their mathematics hinge on the problem of factoring, which turned out to be robustly difficult. Post-quantum algorithms rely on other mathematical disciplines and problems—code-based cryptography, hash-based cryptography, lattice-based cryptography, multivariate cryptography, and so on—whose mathematics are both more complicated and less well-understood. We’re seeing these breaks because those core mathematical problems aren’t nearly as well-studied as factoring is.

The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required. We’ve learned the hard way how algorithms can get so entrenched in systems that it can take many years to update them: in the transition from DES to AES, and the transition from MD4 and MD5 to SHA, SHA-1, and then SHA-3.

We need to do better. In the coming years we’ll be facing a double uncertainty. The first is quantum computing. When and if quantum computing becomes a practical reality, we will learn a lot about its strengths and limitations. It took a couple of decades to fully understand von Neumann computer architecture; expect the same learning curve with quantum computing. Our current understanding of quantum computing architecture will change, and that could easily result in new cryptanalytic techniques.

The second uncertainly is in the algorithms themselves. As the new cryptanalytic results demonstrate, we’re still learning a lot about how to turn hard mathematical problems into public-key cryptosystems. We have too much math and an inability to add more muddle, and that results in algorithms that are vulnerable to advances in mathematics. More cryptanalytic results are coming, and more algorithms are going to be broken.

We can’t stop the development of quantum computing. Maybe the engineering challenges will turn out to be impossible, but it’s not the way to bet. In the face of all that uncertainty, agility is the only way to maintain security.

This essay originally appeared in IEEE Security & Privacy.

EDITED TO ADD: One of the four public-key encryption algorithms selected for further research, SIKE, was just broken.


Planet DebianDirk Eddelbuettel: RcppCCTZ 0.2.11 on CRAN: Updates

A new release 0.2.11 of RcppCCTZ is now on CRAN.

RcppCCTZ uses Rcpp to bring CCTZ to R. CCTZ is a C++ library for translating between absolute and civil times using the rules of a time zone. In fact, it is two libraries. One for dealing with civil time: human-readable dates and times, and one for converting between between absolute and civil times via time zones. And while CCTZ is made by Google(rs), it is not an official Google product. The RcppCCTZ page has a few usage examples and details. This package was the first CRAN package to use CCTZ; by now four others packages include its sources too. Not ideal, but beyond our control.

This version updates the include headers used in the interface API header thanks to a PR by Jing Lu, updates to upstream changes, and switched r-ci CI to r2u.

Changes in version 0.2.11 (2022-08-06)

  • More specific includes in RcppCCTZ_API.h (Jing Lu in #42 closing #41).

  • Synchronized with upstream CCTZ (Dirk in #43).

  • Switched r-ci to r2u use.

Courtesy of my CRANberries, there is also a diffstat to the previous version. More details are at the RcppCCTZ page; code, issue tickets etc at the GitHub repository.

If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

David BrinAlas, the passing of greats...

An unfortunate roundup of passings.... 

I note the passing of a science fiction legend. My friend and colleague Eric Flint left us, after a long illness. Best known for his his innovative and way-fun slipstream SF novel 1632, Eric then used the enthusiasm of that readership to spawn the most successful and extensive exploration of a shared universe, ever, using it to mentor many rising talents, along the way, particularly through his publishing house, the Ring of Fire Press.

In fact, when it came to raw storytelling – utter devotion to character, consistency and gripping narrative - he was among the best since Poul Anderson. (I had the honor to supply a canonical novella for this vast and wonderful 1632 gedanken cosmos.)

Eric will be deeply missed.

- Alas, trailblazing actress Nichelle Nichols, who was unforgettable in portraying communications officer Lieutenant Uhura in the original Star Trek series and its sequels, has died at age 89. In later years she was active in recruiting women and minorities to NASA. She will be remembered...

-  In addition, scientist and environmentalist James Lovelock, who proposed the Gaia hypothesis that all living organisms on the planet are inter-connected, died recently at 103 years old. I drew upon the Gaia concept in creating my novel, Earth. Lovelock remained active, publishing his latest book: Novacene: The Coming Age of Hyper-Intelligence a couple of years ago. 

- RIP also Vangelis, best known for his film scores, e.g. the haunting score of Bladerunner. But also brilliant music that I’ve oft cited. For example, I touted this early work by him that recites visible traits of our planet.... including the last one that we are changing fast. He warned us.... so beautifully.

My favorite of his works... it gives me chills... is “The State of Independence.” The classic version by Vangelis himself offers incredible instrumentals including a spine tingling saxophone. 

But then there’s the wonderful version covered by Donna Summer with elements of both disco and gospel. A dose of optimism you may be needing, right about now. In this video.


Oh, here’s one with slightly better sound plus a glimpse of the recording session when the backup group – including a very young (and still black) Michael Jackson shows some early sign of his moves.  

And one more...

Amid all the kvelling on James Caan as Sonny in The Godfather. Meh, it was a solid role done very well. But many of us will always remember the beautiful, understated and poignant portrayal he gave – of a confused but soulful hero-athlete – in Rollerball, one of the most under-appreciated of all SF films and with a plausible warning!

Though he was great in the film Misery, with Kathy Bates. And let us not forget Alien Nation, which became a really rich social science fiction franchise, the first expressing real faith in our unusual civilization bent on flawed but improving tolerance.

On a more positive note…

To help motivate us...I happen (personal quirk) to be an absolute sucker for feminist anthems. Other than political/social motives, I confess I am simply jazzed by the pure sass and gumption of songs like “R-E-S-P-E-C-T” and “I am woman, hear me roar,” all the way across the spectrum to “Girls Just Wanna Have Fun!” ….  But my favorite is “Sisters are doing it for themselves!” - this version in which the great Aretha Franklin joins the Eurythmics simply kicks ass!  How can you watch this and not tap your feet… and sing along and (if you’re male) say “yes ma’am! Tell me what you need done and I’ll help you get it done.” 

And yes Helen Reddy:

Reba McIntyre:

Loretta Lynn:

And more… and more… and more…

Finally... A fascinating riff on how not just sci fi but children’s literature in Soviet times satirized how a people can kowtow to power.

Krebs on SecurityClass Action Targets Experian Over Account Security

A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.

The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of accounts without first verifying that the existing account authorized the changes is a violation of the Fair Credit Reporting Act.

In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So had their passwords and account PIN and secret questions. Both had used password managers to pick and store complex, unique passwords for their accounts.

Both were able to recover access to their Experian account simply by recreating it — sharing their name, address, phone number, social security number, date of birth, and successfully gleaning or guessing the answers to four multiple choice questions that are almost entirely based on public records (or else information that is not terribly difficult to find).

Here’s the bit from that story that got excerpted in the class action lawsuit:

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.

In response to my story, Experian suggested the reports from readers were isolated incidents, and that the company does all kinds of things it can’t talk about publicly to prevent bad people from abusing its systems.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

That sounds great, but since that story ran I’ve heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account.

I’d like to believe this class action lawsuit will change things, but I do not. Likely, the only thing that will come from this lawsuit — if it is not dismissed outright — is a fat payout for the plaintiffs’ attorneys and “free” credit monitoring for a few years compliments of Experian.

Credit bureaus do not view consumers as customers, who are instead the product that is being sold to third party companies. Often that data is sold based on the interests of the entity purchasing the data, wherein consumer records can be packaged into categories like “dog owner,” “expectant parent,” or “diabetes patient.”

A chat conversation between the plaintiff and Experian’s support staff shows he experienced the same account hijack as described by our readers, despite his use of a computer-generated, unique password for his Experian account.

Most lenders rely on the big-three consumer credit reporting bureaus, including Equifax, Experian and Trans Union — to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.

On Tuesday, The Wall Street Journal broke a story saying Equifax sent lenders incorrect credit scores for millions of consumers this spring.

Meanwhile, the credit bureaus keep enjoying record earnings. For its part, Equifax reported a record fourth quarter 2021 revenue of 1.3 billion. Much of that revenue came from its Workforce Solutions business, which sells information about consumer salary histories to a variety of customers.

The Biden administration reportedly wants to create a public entity within the Consumer Financial Protection Bureau (CFPB) that would incorporate factors like rent and utility payments into lending decisions. Such a move would require congressional approval but CFPB officials are already discussing how it might be set up, Reuters reported.

“Credit reporting firms oppose the move, saying they are already working to provide fair and affordable credit to all consumers,” Reuters wrote. “A public credit bureau would be bad for consumers because it would expand the government’s power in an inappropriate way and its goals would shift with political winds, the Consumer Data Industry Association (CDIA), which represents private rating firms, said in a statement.”

A public credit bureau is likely to meet fierce resistance from the Congress’s most generous constituents — the banking industry — which detests rapid change and is heavily reliant on the credit bureaus.

And there is a preview of that fight going on right now over the bipartisan American Data Privacy and Protection Act, which The Hill described as one of the most lobbied bills in Congress. The idea behind the bill is that companies can’t collect any more information from you than they need to provide you with the service you’re seeking.

“The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would restrict the kind of data companies can collect from online users and the ways they can use that data,” The Hill reported Aug. 3. “Its provisions would impact companies in every consumer-centric industry — including retailers, e-commerce giants, telecoms, credit card companies and tech firms — that compile massive amounts of user data and rely on targeted ads to attract customers.”

According to the Electronic Frontier Foundation, a nonprofit digital rights group, the bill as drafted falls short in protecting consumers in several areas. For starters, it would override or preempt many kinds of state privacy laws. The EFF argues the bill also would block the Federal Communications Commission (FCC) from enforcing federal privacy laws that now apply to cable and satellite TV, and that consumers should still be allowed to sue companies that violate their privacy.

A copy of the class action complaint against Experian is available here (PDF).


Planet DebianThorsten Alteholz: My Debian Activities in July 2022

FTP master

This month I accepted 420 and rejected 44 packages. The overall number of packages that got accepted was 422.

I am sad to write the following lines, but unfortunately there are people who rather take advantage of others instead of doing a proper maintenance of their packages.

So, in order to find time slots for as much packages in NEW as possible, I no longer write a debian/copyright for others. I know it is a boring task to collect the copyright information, but our policy still requires this. Of course nobody is perfect and certainly one or the other license or copyright holder can be overlooked. Luckily most of the contributors maintain their debian/copyright very thouroughly with a terrific result.

On the other hand some contributors upload only some crap and demand that I exactly list what is missing. I am no longer willing to do this. I am going to stop processing after I found a few missing things and reject the package. When I see repeatedly uploads containing only improvements with things I pointed out, I will process this package only after all others from NEW are done.

Debian LTS

This was my ninety-seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 35.75h. Unfortunately Stretch LTS has moved to Stretch ELTS and Buster LTS was not yet opened in July. So I think this is the first month I did not work all assigned hours.

Besides things on security-master, I only worked 20h on moving the LTS documentation to their new destination. At the moment the documentation is spread over several locations. As searching over all those locations is not possible, it shall be collected at one place.

Debian ELTS

This month was the forty-eighth ELTS month.

During my allocated time I uploaded:

  • [ELA-643-1] for ncurses (5.9+20140913-1+deb8u4, 6.0+20161126-1+deb9u3)
  • [ELA-655-1] for libhttp-daemon-perl (6.01-1+deb8u1, 6.01-1+deb9u1)
  • [6.14-1.1] upload to unstable
  • [#1016391] bullseye-pu: libhttp-daemon-perl/6.12-1+deb11u1

I also started to work on mod-wsgi and my patch was already approved by the maintainer. Now I am waiting for the security team to decide whether it will be uploaded as DSA or via PU.

Last but not least I did some days of frontdesk duties.

Other stuff

This month I uploaded new upstream versions or improved packaging of:

Planet DebianDirk Eddelbuettel: RcppXts 0.0.5 on CRAN: Routine Refreshment

A full eight and half years (!!) since its 0.0.4 release, version 0.0.5 of RcppXts is now on CRAN. The RcppXts package demonstrates how to access the export C API of xts which we contributed a looong time ago.

This release contains an accumulated small set of updates made as the CRAN Policies evolved. We now register and use the shared library routines (updates in both src/init.c and NAMESPACE), turned on continuous integration, switched it from the now disgraces service to another, adopted our portable r-ci along with r2, added badges to the, updated to https URLs, and made sure the methods package (from base R) was actually imported (something Rcpp has a need for at startup). That latter part now triggered a recent email from the CRAN maintainers which prompted this release.

The NEWS entries follow.

Changes in version 0.0.5 (2022-08-05)

  • Depends on xts 0.9-6 now on CRAN

  • Exports (and documents) a number of additional functions

  • Switch CI use to r-ci and r2u

  •, DESCRIPTION and NEWS.Rd were updated and expanded

  • NAMESPACE import of the shared library uses registration

Courtesy of my CRANberries, there is also a diffstat report for this release. A bit more information about the package is available here as well as at the GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Worse Than FailureError'd: Movement Activated

England and the United States, according to the old witticism, are two countries separated by a common language. The first sample deposited in our inbox by Philip B. this week probably demonstrates the aphorism. "I'm all in favor of high-tech solutions but what happens if I only want (ahem) a Number One?" he asked. I read, and read again, and couldn't find the slightest thing funny about it. Then I realized that it must be a Brit thing.

We call it a Bowel MOVEMENT in North American English


An anonymous reader shared this with us, asking "Shouldn't it be a 4xx error code?" Poe's law makes me reluctant to explain that not all software is a web site, for fear there's an anonymous tongue planted deep within a giant cheek.



Contrarian Amy K. querulously questioned "To Google, does False mean true?"



Brave Bartek Horn confirmed "Testing is important. I'm not sure if they are brilliant or hypocrites." Both is always possible.



Finally, another anonymous poster from the land of the frei thinks this discount might be too gut to be wirklich. "That doesn't seem right," they understated.



[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.


Planet DebianJamie McClelland: Fine tuning Thunderbird's end-to-end encryption

I love that Thunderbird really tackled OpenPGP head on and incorporated it directly into the client. I know it’s been a bit rough for some users, but I think it’s a good long term investment.

And to demonstrate I’ll now complain about a minor issue :).

I replied to an encrypted message but couldn’t send the response using encryption. I got an error message indicating that “End-to-end encryption requires resolving certificate issues for” … and it listed the recipient email address.

“Screen shot of error message saying: End-to-end encryption requires resolving certificate issues for [blacked out email address]”

I spent an enormous amount of time examining the recipient’s OpenPGP key. I made sure it was not expired. I made sure it was actually in my Thunderbird key store not just in my OpenPGP keychain. I made sure I had indicated that I trust it enough to use. I re-downloaded it.

I eventually gave up and didn’t send the email. Then I responded to another encrypted email and it worked. What!?!?

I spent more time comparing the recipients before I realized the problem was the sending address, not the recipient address.

I have an OpenPGP key that lists several identities. I have a Thunderbird Account that uses the Identities feature to add several from addresses. And, it turns out that in Thunderbird, you need to indicate which OpenPGP key to use for your main account… but also for each identity. When you drill down to Manage Identities for your account, you are able to indicate which OpenPGP key you want to use for each identity. Once I indicated that each identity should use my OpenPGP key, the issue was resolved.

And here’s my Thunderbird bug asking for an error message pointing to the sender address, not the recipient address.

Krebs on SecurityScammers Sent Uber to Take Elderly Lady to the Bank

Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters.  In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off.

Travis Hardaway is a former music teacher turned app developer from Towson, Md. Hardaway said his mother last month replied to an email she received regarding an appliance installation from BestBuy/GeekSquad. Hardaway said the timing of the scam email couldn’t have been worse: His mom’s dishwasher had just died, and she’d paid to have a new one delivered and installed.

“I think that’s where she got confused, because she thought the email was about her dishwasher installation,” Hardaway told KrebsOnSecurity.

Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email, and that the scammers told her she owed $160 for the installation, which seemed right at the time. Then the scammers asked her to install remote administration software on her computer so that they could control the machine from afar and assist her in making the payment.

After she logged into her bank and savings accounts with scammers watching her screen, the fraudster on the phone claimed that instead of pulling $160 out of her account, they accidentally transferred $160,000 to her account. They said they they needed her help to make sure the money was “returned.”

“They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, “No problem, we’re sending an Uber to come help you to the bank.'”

Hardaway said he was out of town when all this happened, and that thankfully his mom eventually grew exasperated and gave up trying to help the scammers.

“They told her they were sending an Uber to pick her up and that it was on its way,” Hardaway said. “I don’t know if the Uber ever got there. But my mom went over to the neighbor’s house and they saw it for what it was — a scam.”

Hardaway said he has since wiped her computer, reinstalled the operating system and changed her passwords. But he says the incident has left his mom rattled.

“She’s really second-guessing herself now,” Hardaway said. “She’s not computer-savvy, and just moved down here from Boston during COVID to be near us, but she’s living by herself and feeling isolated and vulnerable, and stuff like this doesn’t help.”

According to the Federal Bureau of Investigation (FBI), seniors are often targeted because they tend to be trusting and polite. More importantly, they also usually have financial savings, own a home, and have good credit—all of which make them attractive to scammers.

“Additionally, seniors may be less inclined to report fraud because they don’t know how, or they may be too ashamed of having been scammed,” the FBI warned in May. “They might also be concerned that their relatives will lose confidence in their abilities to manage their own financial affairs. And when an elderly victim does report a crime, they may be unable to supply detailed information to investigators.”

In 2021, more than 92,000 victims over the age of 60 reported losses of $1.7 billion to the FBI’s Internet Crime Complaint Center (IC3). The FBI says that represents a 74 percent increase in losses over losses reported in 2020.

The abuse of ride-sharing services to scam the elderly is not exactly new. Authorities in Tampa, Fla. say they’re investigating an incident from December 2021 where fraudsters who’d stolen $700,000 from elderly grandparents used Uber rides to pick up bundles of cash from their victims.

Planet DebianReproducible Builds: Reproducible Builds in July 2022

Welcome to the July 2022 report from the Reproducible Builds project!

In our reports we attempt to outline the most relevant things that have been going on in the past month. As a brief introduction, the reproducible builds effort is concerned with ensuring no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.

Reproducible Builds summit 2022

Despite several delays, we are pleased to announce that registration is open for our in-person summit this year:

November 1st → November 3rd

The event will happen in Venice (Italy). We intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees.

Please see the announcement email for information about how to register.

Is reproducibility practical?

Ludovic Courtès published an informative blog post this month asking the important question: Is reproducibility practical?:

Our attention was recently caught by a nice slide deck on the methods and tools for reproducible research in the R programming language. Among those, the talk mentions Guix, stating that it is “for professional, sensitive applications that require ultimate reproducibility”, which is “probably a bit overkill for Reproducible Research”. While we were flattered to see Guix suggested as good tool for reproducibility, the very notion that there’s a kind of “reproducibility” that is “ultimate” and, essentially, impractical, is something that left us wondering: What kind of reproducibility do scientists need, if not the “ultimate” kind? Is “reproducibility” practical at all, or is it more of a horizon?

The post goes on to outlines the concept of reproducibility, situating examples within the context of the GNU Guix operating system.


diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 218, 219 and 220 to Debian, as well as made the following changes:

  • New features:

  • Bug fixes:

    • Fix a regression introduced in version 207 where diffoscope would crash if one directory contained a directory that wasn’t in the other. Thanks to Alderico Gallo for the testcase. []
    • Don’t traceback if we encounter an invalid Unicode character in Haskell versioning headers. []
  • Output improvements:

  • Codebase improvements:

    • Space out a file a little. []
    • Update various copyright years. []

Mailing list

On our mailing list this month:

  • Roland Clobus posted his Eleventh status update about reproducible [Debian] live-build ISO images, noting — amongst many other things! — that “all major desktops build reproducibly with bullseye, bookworm and sid.”

  • Santiago Torres-Arias announced a Call for Papers (CfP) for a new SCORED conference, an “academic workshop around software supply chain security”. As Santiago highlights, this new conference “invites reviewers from industry, open source, governement and academia to review the papers [and] I think that this is super important to tackle the supply chain security task”.

Upstream patches

The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, however, we submitted the following patches:


reprotest is the Reproducible Builds project’s end-user tool to build the same source code twice in widely and deliberate different environments, and checking whether the binaries produced by the builds have any differences. This month, the following changes were made:

  • Holger Levsen:

    • Uploaded version 0.7.21 to Debian unstable as well as mark 0.7.22 development in the repository [].
    • Make diffoscope dependency unversioned as the required version is met even in Debian buster. []
    • Revert an accidentally committed hunk. []
  • Mattia Rizzolo:

    • Apply a patch from Nick Rosbrook to not force the tests to run only against Python 3.9. []
    • Run the tests through pybuild in order to run them against all supported Python 3.x versions. []
    • Fix a deprecation warning in the setup.cfg file. []
    • Close a new Debian bug. []

Reproducible builds website

A number of changes were made to the Reproducible Builds website and documentation this month, including:

  • Arnout Engelen:

  • Chris Lamb:

    • Correct some grammar. []
  • Holger Levsen:

    • Add talk from FOSDEM 2015 presented by Holger and Lunar. []
    • Show date of presentations if we have them. [][]
    • Add my presentation from DebConf22 [] and from Debian Reunion Hamburg 2022 [].
    • Add dhole to the speakers of the DebConf15 talk. []
    • Add raboof’s talk “Reproducible Builds for Trustworthy Binaries” from May Contain Hackers. []
    • Drop some Debian-related suggested ideas which are not really relevant anymore. []
    • Add a link to list of packages with patches ready to be NMUed. []
  • Mattia Rizzolo:

    • Add information about our upcoming event in Venice. [][][][]

Testing framework

The Reproducible Builds project runs a significant testing framework at, to check packages and other artifacts for reproducibility. This month, Holger Levsen made the following changes:

  • Debian-related changes:

    • Create graphs displaying existing .buildinfo files per each Debian suite/arch. [][]
    • Fix a typo in the Debian dashboard. [][]
    • Fix some issues in the pkg-r package set definition. [][][]
    • Improve the “builtin-pho” HTML output. [][][][]
    • Temporarily disable all live builds as our snapshot mirror is offline. []
  • Automated node health checks:

    • Detect dpkg failures. []
    • Detect files with bad UNIX permissions. []
    • Relax a regular expression in order to detect Debian Live image build failures. []
  • Misc changes:

    • Test that FreeBSD virtual machine has been updated to version 13.1. []
    • Add a reminder about powercycling the armhf-architecture mst0X node. []
    • Fix a number of typos. [][]
    • Update documentation. [][]
    • Fix Munin monitoring configuration for some nodes. []
    • Fix the static IP address for a node. []

In addition, Vagrant Cascadian updated host keys for the cbxi4pro0 and wbq0 nodes [] and, finally, node maintenance was also performed by Mattia Rizzolo [] and Holger Levsen [][][].


As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

Planet DebianAbhijith PA: Trip to misty mountains in Munnar

Munnar is a hill station in Idukki district of Kerala, India. Home to 2nd largest tea plantation in the country. Lot of people visit here on summer and in winter as well. I live in the neighboring district of Munnar though I never made a visit. In my mind I pictured Munnar as a Tourist trap with lots of garbage lying around.

I recently made a visit and it changed my perception of this place.


Little background

I never liked tea much. I am also not a coffee person either. But if I have to choose over two that will be coffee because of the strong aroma. Going to relatives house, they always offered hot tea defacto. I always find difficult say ‘no’ to their friendly gesture. But I hate tea.

A generation before me drinks lot of tea here at my place. You can see tea stalls in every corner and people sipping tea. I always wondered why people drink lot of tea on a hot country like India.

The book I am currently trying to read has a chapter about Munnar and how it became a Tea plantation under the British rule. Well, around the same time. I watched a documentary program about the tea and Munnar.


Munnar on early evening

Too much word here and there I decided to do a visit. I took a motorbike and started a journey to Munnar. Due to covid restrictions there weren’t much tourists, so this was to my advantage. There are many water falls on the way to Munnar. Some are very close to road and some are far away but can be spotted. Munnar travel is just not about the destination because its never been a single spot. Enjoying the journey that the ride has to offer.

I stayed at a hotel, little far away from town, though I never recommend hotels in Munnar. Try to find home stays and small establishments away from the town. There are British Era bungalows inside the plantations still maintained in good condition which can be booked per room or entire property.

The lush greenery on the Mountains of tea plantation is very refreshing and feast to our eyes. The mornings and evenings of Munnar is something to watch, mountains wrapped in mist slowly uncovering with sunlight and again slipping to mist by dark evening. I planned only to visit places which are less explored by tourists.

People here live a simple life. Most of them are plantation workers. The native people of Munnar are actually tribal folks but since the plantation boom many people from Tamil Nadu(neighboring state) and other parts of Kerala settled here. The houses of this plantation workers resembled Hobbit homes in Shire from Lord of the Rings as they are in the hill slides. The Kannan Devan hills, the biggest hill in area covers more than half of Munnar.

Hobbit homes

Two famous Tea companies from Munnar are Tata Tea and KDHP(Kanan Devan Hills Plantations Company (P) Limited) tea. KDHP is actually an employee owned Tea company ie a good share of this company is owned by the employees working there. This was interesting to me, so I bought a bag of speciality tea from KDHP store on my return. I don’t drink tea on a daily basis but I will try it on special occasions.

Worse Than FailureCodeSOD: Image Uploading

The startup life is difficult, at the best of times. It's extra hard when the startup's entire bundle of C-level executives are seniors in college. For the company Aniket Bhattacharyea worked for, they had a product, they had a plan, and they had funding from a Venture Capitalist. More than funding, the VC had their own irons in the fire, and they'd toss subcontracting work to Aniket's startup. It kept the lights on, but it also ate up their capacity to progress the startup's product.

One day, the VC had a new product to launch: a children's clothing store. The minimum viable product, in this case, was just a Magento demo with a Vue Storefront front-end. Strict tutorial-mode stuff, which the VC planned to present to stakeholders as an example of what their product could be.

Everything was going fine until five minutes before the demo. The VC discovered a show-stopping problem: "The storefront is showing obscene images!"

The "obscene" pictures were just photographs of female models, typical for a clothing storefront. But since this was a children's store, the VC was in a panic. "I can't demo this to other investors!"

Setting aside the problems of why the VC hadn't noticed this more than five minutes before, Aniket was given his mission: take a pile of replacement images and upload them to the server.

Well, with the configuration the server had, there was no way to upload images through the UI. Aniket could SSH in, but that presented a new problem: he didn't have write access to the directory where the files lived.

While Aniket tried to make a plan of how to fix this, his phone blew up with texts from both the VC and from the CEO of Aniket's startup. "What's the status?" "What's the ETA?" "You need to go faster."

Aniket couldn't overwrite the images, but he did have access to some commands via sudo, specifically managing Nginx. And that gave Aniket an idea.

All the images served by the storefront lived under the url /images. Aniket wrote an Nginx rule to redirect /images to port 8000, dropped the new images in a directory that he did have write access to, and then ran python -m http.server 8000 to launch a webserver hosting the files in that directory on port 8000.

The VC got to start their demo on time. Aniket closed his laptop and texted his CEO. "I've done the job, but my laptop is now broken. I'm going to take it in for repair." Aniket then went out for a much needed walk and took the rest of the afternoon off.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


Cryptogram SIKE Broken

SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition.

It was just broken, really badly.

We present an efficient key recovery attack on the Supersingular Isogeny Diffie­-Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core.

News article.

Cryptogram Drone Deliveries into Prisons

Seems it’s now common to sneak contraband into prisons with a drone.

Worse Than FailureCodeSOD: Junior Reordering

"When inventory drops below the re-order level, we automatically order more," was how the product owner described the requirement to the junior developer. The junior toddled off to work, made their changes. They were not, however, given sufficient supervision, any additional guidance, or any code-reviews.

Dan found this in production:

let item = backend.fetchItem(itemId); if (item.quantityOnHand <= item.reorderLevel) { //automatic re-order item.quantityOnHand++; } else { item.quantityOnHand--; } backend.updateItem(item);

As you might imagine, "ordering refills" is slightly more complicated than "just alter the inventory quantity". This code didn't work. It should never have gotten released. And it's definitely not the junior developer's fault.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


David BrinSome great science podcasts - tune in!

Couple of years back we offered a list of excellent – if sometimes specialized – podcasts and YouTube channels about science and related things. Time for an update?

== Great Science (and other) Podcasts! ==

Let’s start with Into the Impossible - hosted by my friend Dr. Brian Keating, co-director of UCSD's Arthur C. Clarke Center for Human Imagination. Generally a deep dive into aspects of physics, but also space biology, tech and the latest insights into the nature of imagination. Example video: What is Dark Matter?

A colleague of Brian's whom I also admire: Dr. Sabine Hossenfelder -- Science and technology updates - "without the gobbledygook". Example video: Are Singularities Real?

As I said then… Scott Manley is one of my favorite YouTube explainer guys, especially when it comes to spacecraft. If there's some kind of milestone in rocketry, for example, he'll clarify it for you, within a couple of days. (Manley was also designer of the "cycler" spacecraft in the 2021 movie "Stowaway".) But this particular posting goes a bit farther in space and especially time, as Manley  talks about how to Move the Earth, citing especially my own postings on the subject.

Other favorite explainers include Anton Petrov for well-delivered and timely updates on the latest science and space discoveries, starting each with "Hello Wonderful Person!" Example video: James Webb Just found the most distant galaxy

Dianna Cowern, Physics Girl, presents  physical science demonstrations, experiments and explanations of new discoveries. Example video: We were wrong about the Big Bang.

Science & Futurism with Isaac Arthur provides in-depth explorations of galactic stuff like the Fermi Paradox. If it involves space and destiny, you can bet he's got an engaging what-if riff. Example video: Black holes & Dark Matter.

A pal of Isaac (and me) is John Michael Godier's Event Horizon, whose podcasts are a little closer to Earth than Arthur's, but still vividly entertaining futurism, featuring great interviews. How do I know this? Example video: What's eating the Universe?

== A golden age of Chatauqua explainers? ==

Fools and feudalists who try to diss the high repute of science, calling it just another orthodoxy, know nothing about the impudent competitiveness taught to most bright graduate students, along with the central catechism of science: "I might be wrong!" No other 'priesthood' ever even remotely did that. Nor spawned the phenomenon displayed here... of so many top researchers and experts rushing onto PBS or podcasts to eagerly share everything they've learned... and address every unanswered question!

Here are more! Including some favorites offered by other folks.

Dr. Becky Smethurst (Dr. Becky) -- A day in the life of an Astrophysicist at Oxford, with a focus on astronomy and cosmology research. Example video: An Astrophysicist's Top 10 Unsolved Mysteries.

Mark Rober, former NASA engineer, produces videos on popular science and gadgets, as well as science-related pranks, with over 22 million subscribers. Example video: World's Tallest Elephant Toothpaste Volcano. (Note Rober is hugely popular with young folks.)

Jade Tan-Holmes (Up and Atom) -- Kids level explanations of high-end physics concepts. Example video: What is The Schrodinger Equation, Exactly?

Steve Mould -- Mix of science/engineering topics. Example video: Pythagorean Siphon - Inside Your Washing Machine

Amy Shira Teitel, The Vintage Space -- History of the space program, branching into "How it works" on related subjects. Example video: Vladimir Komarov was Doomed to Die on Soyuz 1.

Prof. David Kipping (Cool Worlds) -- Great selection of topics. Okay the presentation can ponderous. Why You're Probably Not a Simulation.

Kurzgesagt -- Distinctively animated videos on science/space topics.  Example video: The Day the Dinosaurs Died - Minute by Minute.

Brew -- Animated videos on a variety of subjects, with an extra serving of body horror. Example video: The Country Made from 14 Stranded Ships.

Dr. Rohin Francis (Medlife Crisis) -- Cardiologist with an acidic sense of humour.
Example video: Can You Legally Buy a Real Human Skeleton.

Johnny Harris -- Deeper dives into specific odd subjects. Non-political example: The Real Reason McDonalds Ice Cream Machines Are Always Broken (Except everything is political.)

Joe Scott (Answers With Joe) -- Wide variety of topics, often science/space/tech focused: The Immortal Woman Who Saved Millions Of Lives"

Tom Scott -- Variety of subjects, from "this is an interesting place that exists", to linguistics, to infotech, to very random projects that catch his interest. 
Interesting place: The Artificial Gravity Lab.
Infotech: This Video Has 32,251,959 Views (title subject to change.)
Language: The Language Sounds That Could Exist But Don't.

Derek Muller (Veritasium). Science and engineering videos. Example video: Fritz Haber: the scientist who killed millions but saved billions.
Tim Dodd (Everyday Astronaut). Bringing space down to earth for everyday people, with updates on rockets and space launches. Example video: Raptor 1 vs Raptor 2: What's the difference?

Destin Sandlin (Smarter Every Day) explores the everyday world using science. Example: How do nuclear submarines make oxygen?
PBS Spacetime: Our Universe Explained, with Dr. Matt O'Dowd - is the best in my opinion. Example video: The Edge of an Infinite Universe.

== Terrific Miscellaneous ones... and sci fi! ==

Savor Podcast delves into the science, history and cultural connections of food and drink: why exactly we like what we like. Example podcast: Fictional Foods: Doctor Who.

This science fiction insight podcast had a short run, but is fabulous. 

A couple of political-historical channels that I think have been mentioned here:

The History Guy: History that deserves to be remembered. Forgotten moments of history presented in an entertaining manner.

Beau of the Fifth Column -- Lefty perspective made in the style of a right-winger.

Cody Johnston (Some More News) -- Lefty perspective made in the style of... errr, a crazy basement dweller trying to drag you down with him?

And to balance that... Bill Maher. yes, I said it. If no one will listen to my advice how the Union side of our civil war can win with innovative tactics, then at least pay attention when Maher chides you to stop deliberately losing with abysmally stoopid ones. 

Quirky (and stylistically immature, but a bit fun) perspectives on military matters, including the Ukraine War: Task & Purpose.

And I'll throw in English GP Dr. John Campbell, who is doing quiet daily Covid-19 updates.

Don't forget!! You can support these podcasters and content creators by subscribing - as well as donating on Patreon and via YouTube's new SuperThanks feature.

And for more, check comments, below! There will be many suggestions by members of this community!

What an amazing era we live in.

Planet DebianSteinar H. Gunderson: AV1 live streaming: The bitrate difference

As part of looking into AV1, I wanted to get a feel for what kind of bitrate to aim for. Of course, Intel and others have made exquisite graphs containing results for many different encoders (although they might have wanted to spend a little more pixels on that latest one…), but you always feel suspicious that the results might be a bit cherry-picked. In particular, SVT-AV1 always seems to run on pretty wide machines (in this case, 48 cores/96 threads), and I wondered whether this was the primary reason for it doing so ell.

So I made my own test, with the kind of footage I care about (a sports clip) at the speeds that I care about (realtime). I intentionally restricted the encoders to 16 cores (no HT, since that was the easiest), and tried various bitrates until I hit VMAF 85, which felt like a reasonable target. Of course, you don't always hit exactly 85.000 at any bit rate, VMAF is not a perfect measure, encoders encode for other metrics than VMAF, etc.…, but it's in the right ballpark. (Do note, though, that since I don't enable CBR but let both encoders work pretty freely within their 1-pass VBR, SVT-AV1's rate control issues won't really show up here. I consider that a feature of this graph, really, not a bug. But keep it in mind.)

Without further ado, the results:

x264 vs. SVT-AV1

There are two things that stick out immediately.

First, SVT-AV1 is just crushing x264. This is really impressive, given where it was a couple of years ago. Preset 11 is faster than x264 “faster”, and nearly half the bitrate (~55%) of x264 “slower”! (ultrafast and superfast are still somehow relevant, but only barely.) It seems we finally, nearly 20 years after the publication of H.264, have a codec that delivers the mythical bitrate halving. (At the “high” end, SVT-AV1 preset 8 uses 38% the bitrate of x264 “slower”, while being 23% faster. That's 2.58x the density at same VMAF.) Note that these cores are pretty slow; if you have 16 fast cores, you can go way past the 1.0 mark. For instance, my 5950X just barely reaches realtime speeds on preset 7.

Second, the difference between 8-bit and 10-bit is surprisingly high performance-wise (given Intel's claims that it shouldn't be too bad), and surprisingly low quality-wise. I've mulled a fair bit over this, given that earlier x264 SSIM-based tests showed a huge (20–30%) difference, and my conclusion is that it's probably a combination of VMAF not being too sensitive to the relevant artifacts (e.g. it's not very sensitive to banding), and the clip itself not really requiring it. I see a somewhat larger difference with libaom, and a somewhat larger difference at higher VMAFs, but in general, it seems you can forego 10-bit if you are e.g. worried about decoder performance. It's probably the safe option, though.

Again: This is just a spot check. But it seems to validate Intel's general gist; SVT-AV1 does really well for realtime compared to the old king x264. Even on lower-end servers/high-end desktops.

Krebs on SecurityNo SOCKS, No Shoes, No Malware Proxy Services!

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.


SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

More on SocksEscort in an upcoming story.

Further reading:

July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach

July 28, 2022: Breach Exposes Users of Microleaves Proxy Service

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’

June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet

June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet

Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark

Cryptogram Surveillance of Your Car

TheMarkup has an extensive analysis of connected vehicle data and the companies that are collecting it.

The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its sale or use.

While many of these companies stress they are using aggregated or anonymized data, the unique nature of location and movement data increases the potential for violations of user privacy.

Worse Than FailureThe Contract Access Upgrade

Microsoft Access represents an "attractive nuisance". It's a powerful database and application development platform designed to enable end users to manage their own data. Empowering users is, in principle, good. But the negative side effect is that you get people who aren't application developers developing applications, which inevitably become business critical.

A small company developed an Access Database thirty years ago. It grew, it mutated, it got ported from each Access version to the next. Its tendrils extended outwards, taking over more and more of the business's processes. The ability to maintain and modify the database decayed, updates and bugfixes got slower to make, the whole system got slower. But it limped along roughly at the speed the business required… and then Larry, the user who developed, retired.

And that's where Henrietta comes in. She was hired on contract to take this ancient, crufty, Access database and reimplement it in C#, with a WPF front end (because "web application" sounded too scary a shift), with a SQL Server backend. The project was already in-flight, under the sober guidance of internal developers who had analyzed the Access database in detail.

There was already a source control server set up- an SVN server. Henrietta found that odd, but odder still was the change history: 100,000 commits from fewer than 20 developers, in only six years. Now, that's not ridiculous- but it's a steady cadence of two commits per developer per day, including weekends and holidays.

There was, fortunately, a lot of documentation. None of it was about the code, but instead about the organization. Who works for who, when a given management position was created, how long someone had been in that position. Nothing about the software internals. Definitely nothing about the custom UI framework someone had bolted on top of WPF.

When Henrietta noticed she couldn't find documentation about coding standards, or code review processes, she went to one of the other developers and asked: "What's our coding standard? And how do we handle code reviews?"

"Our whats? I don't know what those are."

Well, Henrietta finished up her first ticket, had her commit, and then did what all the other developers did: committed it right into the trunk of the repository.

Now, that was her first commit, and it was a training commit: she just needed to add some validation to the UI to make sure it didn't allow empty form fields. With that under her belt, her boss assigned her a new, more complex task. It needed her to make changes in the database, add new workflows to the application, a few screens, and so on.

"So," she asked, "is there a spec for this somewhere?"

"Oh," her boss said, "we don't write specs before we develop. Develop the feature and then write specs to describe its behavior."

Well, Henrietta didn't like to work that way, so she started by drawing mockups in a diagramming tool. This, as it turned out, was completely new to the organization. No one had ever done a screen mock up before. The handful of diagrams that did exist all were drawn with the same tool: Microsoft Paint.

Once Henrietta had decided what her feature was going to look like, she made a feature branch to start her work- and discovered that the way the application was architected, you couldn't conveniently develop in a local branch. In fact, you couldn't even get it to easily point at a development database. Everything had to go through trunk and get pushed to a dev server for testing- one dev server which all the developers had to share.

When Henrietta's code didn't work, she found out why: there was a "convenience library" developed by her boss that contained critical functionality for the application. If you didn't call certain methods in that library, the application wouldn't work. These methods were undocumented, and also, no one knew where the code lived. They only used the binary, compiled version of the library.

Once Henrietta had reshaped her code around the arcane bondage that the library demanded of her, she had reached the point where she didn't understand her own code anymore. Before she can get into the work of testing the code, a new issue rises to the top of the priority list and she's told to stop what she's doing and tackle that.

This was meant to integrate into a 3rd party SOAP-based web service. It transports sensitive data… over HTTP. There's no encryption at all. The WSDL file contains overlapping definitions of two different versions of the API, and the contradictions mean it's possible and easy to send malformed requests with unpredictable behavior. And when it does catch an error, it simply responds with "Error".

At this point, months had passed. So it was time for the organization to change their tooling. Everyone was commanded to update to the newest version of .NET Core, a new version of the IDE, and now a new code review tool. Crucible was rolled out with no instructions or guidance, and developers were expected to just start using it.

This delayed Henrietta's work on the 3rd party interface, so she went back to the complex feature with database changes. She discovered there are no foreign keys. Also, because there weren't any foreign keys, the data can't have foreign keys added, because the columns that should enforce referential integrity don't match up correctly.

Meanwhile, the Project Owner, frustrated by the slow development progress, started writing code themselves. They used the wrong set of project files, pushed it directly to a customer, and caused multiple crashes and downtime for that customer.

Back to the database, Henrietta discovered that there's really no abstraction around it, implementation details of the database have to be reimplemented into the UI. She built a UI control that encapsulated at least some of that functionality, and added it to the global UI library. Her boss noticed that change, and told her, "no, that's specific to your module, put it in a local library." Her boss's boss noticed that change, and said, "that UI control is very useful, put it in the global library."

Neither boss could agree on the correct location for it, so as a compromise, they created a new "global" library for "accessory controls".

Frustrated by all of this, Henrietta decided that she should try and get a local development environment set up. She ended up spending a few days on this, only to discover that certain stored procedures call out to other databases via hard-coded connection strings, and if she tried to run a local copy she'd simply start mangling data in other, production databases. Her boss noticed her spending time on this, and complained that she was wasting her time.

When Henrietta finally finished her big feature, she deployed it to the test environment. It blew up, but for reasons she could easily understand, and it only took a few days to fix it. The customer tested the feature, and it wasn't what they thought it was going to be. Once they understood the requirements, which weren't their original requirements, they were happy with the feature, but wished they'd gotten the feature they asked for. With this sign off, the Henrietta pushed the change to production, manually (because why would you automate deployments?). The customer's application immediately crashed because their database was incompatible with the current version of the code. There was, of course, no rollback procedure, so Henrietta was expected to spend a weekend combing through the customer's database to figure out which field contained a value that crashed the application.

After that, frustrated, Henrietta went to her boss. "Why are we doing things this way? We're spinning our wheels and making no progress because we have no process, no organization, and everything we do is fragile and we're not doing anything to fix the fundamental problems."

"That's the way we do it," her boss said. "Stop asking questions about everything, don't question anything, we're not going to change that. Just do your work or find a new job."

Henrietta took that advice to heart, and found a new job. All in all, she spent 8 months fighting her way upstream against a river of crap. It wasn't worth it.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!


Planet DebianBastian Venthur: Keychron keyboards fixed on Linux

Last year, I wrote about on how to get my buggy Keychron C1 keyboard working properly on Linux by setting a kernel module parameter. Afterwards, I contacted Hans de Goede since he was the last one that contributed a major patch to the relevant kernel module. After some debugging, it turned out that the Keychron keyboards are indeed misbehaving when set to Windows mode. Almost a year later, Bryan Cain provided a patch fixing the behavior, which has now been merged to the Linux kernel in 5.19.

Thank you, Hans and Bryan!

Cryptogram Friday Squid Blogging: New Squid Species

Seems like they are being discovered all the time:

In the past, the DEEPEND crew has discovered three new species of Bathyteuthids, a type of squid that lives in depths between 700 and 2,000 meters. The findings were validated and published in 2020. Another new squid species description is currently in review at the Bulletin of Marine Science.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Planet DebianSergio Talens-Oliag: Using Git Server Hooks on GitLab CE to Validate Tags

Since a long time ago I’ve been a gitlab-ce user, in fact I’ve set it up on three of the last four companies I’ve worked for (initially I installed it using the omnibus packages on a debian server but on the last two places I moved to the docker based installation, as it is easy to maintain and we don’t need a big installation as the teams using it are small).

On the company I work for now (kyso) we are using it to host all our internal repositories and to do all the CI/CD work (the automatic deployments are triggered by web hooks in some cases, but the rest is all done using gitlab-ci).

The majority of projects are using nodejs as programming language and we have automated the publication of npm packages on our gitlab instance npm registry and even the publication into the npmjs registry.

To publish the packages we have added rules to the gitlab-ci configuration of the relevant repositories and we publish them when a tag is created.

As the we are lazy by definition, I configured the system to use the tag as the package version; I tested if the contents of the package.json where in sync with the expected version and if it was not I updated it and did a force push of the tag with the updated file using the following code on the script that publishes the package:

# Update package version & add it to the .build-args
INITIAL_PACKAGE_VERSION="$(npm pkg get version|tr -d '"')"
npm version --allow-same --no-commit-hooks --no-git-tag-version \
UPDATED_PACKAGE_VERSION="$(npm pkg get version|tr -d '"')"
# Update tag if the version was updated or abort
  if [ -n "$CI_GIT_USER" ] && [ -n "$CI_GIT_TOKEN" ]; then
    git commit -m "Updated version from tag $CI_COMMIT_TAG" package.json
    git tag -f "$CI_COMMIT_TAG" -m "Updated version from tag"
    git push -f -o ci.skip origin "$CI_COMMIT_TAG"
    echo "!!! ERROR !!!"
    echo "The updated tag could not be uploaded."
    echo "Set CI_GIT_USER and CI_GIT_TOKEN or fix the 'package.json' file"
    echo "!!! ERROR !!!"
    exit 1

This feels a little dirty (we are leaving commits on the tag but not updating the original branch); I thought about trying to find the branch using the tag and update it, but I drop the idea pretty soon as there were multiple issues to consider (i.e. we can have tags pointing to commits present in multiple branches and even if it only points to one the tag does not have to be the HEAD of the branch making the inclusion difficult).

In any case this system was working, so we left it until we started to publish to the NPM Registry; as we are using a token to push the packages that we don’t want all developers to have access to (right now it would not matter, but when the team grows it will) I started to use gitlab protected branches on the projects that need it and adjusting the .npmrc file using protected variables.

The problem then was that we can no longer do a standard force push for a branch (that is the main point of the protected branches feature) unless we use the gitlab api, so the tags with the wrong version started to fail.

As the way things were being done seemed dirty anyway I thought that the best way of fixing things was to forbid users to push a tag that includes a version that does not match the package.json version.

After thinking about it we decided to use githooks on the gitlab server for the repositories that need it, as we are only interested in tags we are going to use the update hook; it is executed once for each ref to be updated, and takes three parameters:

  • the name of the ref being updated,
  • the old object name stored in the ref,
  • and the new object name to be stored in the ref.

To install our hook we have found the gitaly relative path of each repo and located it on the server filesystem (as I said we are using docker and the gitlab’s data directory is on /srv/gitlab/data, so the path to the repo has the form /srv/gitlab/data/git-data/repositories/@hashed/xx/yy/hash.git).

Once we have the directory we need to:

  • create a custom_hooks sub directory inside it,
  • add the update script (as we only need one script we used that instead of creating an update.d directory, the good thing is that this will also work with a standard git server renaming the base directory to hooks instead of custom_hooks),
  • make it executable, and
  • change the directory and file ownership to make sure it can be read and executed from the gitlab container

On a console session:

$ cd /srv/gitlab/data/git-data/repositories/@hashed/xx/yy/hash.git
$ mkdir custom_hooks
$ edit_or_copy custom_hooks/update
$ chmod 0755 custom_hooks/update
$ chown --reference=. -R custom_hooks

The update script we are using is as follows:


set -e

# kyso update hook
# Right now it checks version.txt or package.json versions against the tag name
# (it supports a 'v' prefix on the tag)

# Arguments

# Initial test
if [ -z "$ref_name" ] ||  [ -z "$old_rev" ] || [ -z "$new_rev" ]; then
  echo "usage: $0 <ref> <oldrev> <newrev>" >&2
  exit 1

# Get the tag short name

# Exit if the update is not for a tag
if [ "$tag_name" = "$ref_name" ]; then
  exit 0

# Get the null rev value (string of zeros)
zero=$(git hash-object --stdin </dev/null | tr '0-9a-f' '0')

# Get if the tag is new or not
if [ "$old_rev" = "$zero" ]; then

# Get the type of revision:
# - delete: if the new_rev is zero
# - commit: annotated tag
# - tag: un-annotated tag
if [ "$new_rev" = "$zero" ]; then
  new_rev_type="$(git cat-file -t "$new_rev")"

# Exit if we are deleting a tag (nothing to check here)
if [ "$new_rev_type" = "delete" ]; then
  exit 0

# Check the version against the tag (supports version.txt & package.json)
if git cat-file -e "$new_rev:version.txt" >/dev/null 2>&1; then
  version="$(git cat-file -p "$new_rev:version.txt")"
  if [ "$version" = "$tag_name" ] || [ "$version" = "${tag_name#v}" ]; then
    exit 0
    EMSG="tag '$tag_name' and 'version.txt' contents '$version' don't match"
    echo "GL-HOOK-ERR: $EMSG"
    exit 1
elif git cat-file -e "$new_rev:package.json" >/dev/null 2>&1; then
    git cat-file -p "$new_rev:package.json" | jsonpath version | tr -d '\[\]"'
  if [ "$version" = "$tag_name" ] || [ "$version" = "${tag_name#v}" ]; then
    exit 0
    EMSG="tag '$tag_name' and 'package.json' version '$version' don't match"
    echo "GL-HOOK-ERR: $EMSG"
    exit 1
  # No version.txt or package.json file found
  exit 0

Some comments about it:

  • we are only looking for tags, if the ref_name does not have the prefix refs/tags/ the script does an exit 0,
  • although we are checking if the tag is new or not we are not using the value (in gitlab that is handled by the protected tag feature),
  • if we are deleting a tag the script does an exit 0, we don’t need to check anything in that case,
  • we are ignoring if the tag is annotated or not (we set the new_rev_type to tag or commit, but we don’t use the value),
  • we test first the version.txt file and if it does not exist we check the package.json file, if it does not exist either we do an exit 0, as there is no version to check against and we allow that on a tag,
  • we add the GL-HOOK-ERR: prefix to the messages to show them on the gitlab web interface (can be tested creating a tag from it),
  • to get the version on the package.json file we use the jsonpath binary (it is installed by the jsonpath ruby gem) because it is available on the gitlab container (initially I used sed to get the value, but a real JSON parser is always a better option).

Once the hook is installed when a user tries to push a tag to a repository that has a version.txt file or package.json file and the tag does not match the version (if version.txt is present it takes precedence) the push fails.

If the tag matches or the files are not present the tag is added if the user has permission to add it in gitlab (our hook is only executed if the user is allowed to create or update the tag).

Cryptogram Ring Gives Videos to Police without a Warrant or User Consent

Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent.

Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have been 11 cases in 2022 where Ring complied with police “emergency” requests. In each case, Ring handed over private recordings, including video and audio, without letting users know that police had access to—and potentially downloaded—their data. This raises many concerns about increased police reliance on private surveillance, a practice that has long gone unregulated.

EFF writes:

Police are not the customers for Ring; the people who buy the devices are the customers. But Amazon’s long-standing relationships with police blur that line. For example, in the past Amazon has given coaching to police to tell residents to install the Ring app and purchase cameras for their homes—­an arrangement that made salespeople out of the police force. The LAPD launched an investigation into how Ring provided free devices to officers when people used their discount codes to purchase cameras.

Ring, like other surveillance companies that sell directly to the general public, continues to provide free services to the police, even though they don’t have to. Ring could build a device, sold straight to residents, that ensures police come to the user’s door if they are interested in footage—­but Ring instead has decided it would rather continue making money from residents while providing services to police.

CNet has a good explainer.

Slashdot thread.

Worse Than FailureCodeSOD: A Sniff

In November of 2020, the last IE release happened, and on June 15th of this year, the desktop app officially lost support on Windows 10. But IE never truly dies.

Eleanor inherited a web application for a news service. And, you won't be shocked that it's still doing user-agent sniffing to identify the browser. That's just plain bad, but by the standards of user-agent sniffing, it's not terrible code.

function isIE() { var myNav = navigator.userAgent.toLowerCase(); return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false; }

If it contains msie, split on that and assume the bit which follows is only the version number. Return the version number, or return false if it's not Internet Explorer.

Now, this method contains an annoying abuse of JavaScript that's common: sometimes this method returns a number, sometimes it returns false. Because of that, it needs to be called like this:

if (isIE() && isIE() <= 10) { alert("The browser you are using is too old and not supported anymore. Please get a newer one."); }

At first glance, you might think, couldn't I just do isIE() <= 10? Why use the initial && at all? And it's because of JavaScript's type coercion: false <= 10 is true.

Now, in fairness, false being roughly equivalent to zero is not an uncommon feature in languages, but the result here is just an annoying call that has to do the same string mangling twice because nobody thought through what the purpose of the function actually was. Then again, the whole function shouldn't be there, because it's 2022 and there's simply no excuse for this user-agent sniffing game.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

Planet DebianJunichi Uekawa: August.

August. I think I finally understood what's going on in io_uring.


Cory DoctorowView a SKU: Let’s Make Amazon Into a Dumb Pipe

A modified Amazon product listing page; the buy with Amazon button and Prime logo have been replaced with a

This week on my podcast, I read “View a SKU: Let’s Make Amazon Into a Dumb Pipe,” a recent column for Medium discussing how interoperability could flip Amazon’s monopoly power on its head and enable us all to coveniently shop locally.


Planet DebianPaul Wise: FLOSS Activities July 2022


This month I didn't have any particular focus. I just worked on issues in my info bubble.





  • Debian BTS: unarchive/reopen/triage bugs for reintroduced packages
  • Debian servers: check full disks, ping users of excessive disk usage, restart a hung service
  • Debian wiki: approve accounts


  • Respond to queries from Debian users and contributors on the mailing lists and IRC


The SPTAG, SIMDEverywhere, cwidget, aptitude, tldextract work was sponsored. All other work was done on a volunteer basis.

Cryptogram Apple’s Lockdown Mode

I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

At launch, Lockdown Mode includes the following protections:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

What Apple has done here is really interesting. It’s common to trade security off for usability, and the results of that are all over Apple’s operating systems—and everywhere else on the Internet. What they’re doing with Lockdown Mode is the reverse: they’re trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren’t just removing random features; they’re removing features that are common attack vectors.

There aren’t a lot of people who need Lockdown Mode, but it’s an excellent option for those who do.

News article.

EDITED TO ADD (7/31): An analysis of the effect of Lockdown Mode on Safari.

Planet DebianRussell Coker: Links July 2022

Darren Hayes wrote an interesting article about his battle with depression and his journey to accepting being gay [1]. Savage Garden had some great songs, Affirmation is relevant to this topic.

Rorodi wrote an interesting article about the biggest crypto lending company being a Ponzi scheme [2]. One thing I find particularly noteworthy is how obviously scammy it is, even to the extent of having an ex porn star as an executive! Celsuis is now in the process of going bankrupt, 7 months after that article was published.

Quora has an interesting discussion about different type casts in C++ [3]. C style casts shouldn’t be used!

MamaMia has an interesting article about “Action Faking” which means procrastination by doing tasks marginally related to the end goal [3]. This can mean include excessive study about the topic, excessive planning for the work, and work on things that aren’t on the critical path first (EG thinking of a name for a project).

Apple has a new “Lockdown Mode” to run an iPhone in a more secure configuration [4]. It would be good if more operating systems had a feature like this.

Informative article about energy use of different organs [5]. The highest metabolic rates (in KCal/Kg/day) are for the heart and kidneys. The brain is 3rd on the list and as it’s significantly more massive than the heart and kidneys it uses more energy, however this research was done on people who were at rest.

Scientific American has an interesting article about brain energy use and exhaustion from mental effort [6]. Apparently it’s doing things that aren’t fun that cause exhaustion, mental effort that’s fun can be refreshing.

Planet DebianJoachim Breitner: The Via Alpina red trail through Slovenia

This July my girlfriend and I hiked the Slovenian part of the Red Trail of the Via Alpina, from the edge of the Julian Alps to Trieste, and I’d like to share some observations and tips that we might have found useful before our trip.

Our most favorite camp spot Our most favorite camp spot

Getting there

As we traveled with complete camping gear and wanted to stay in our tent, we avoided the high alpine parts of the trail and started just where the trail came down from the Alps and entered the Karst. A great way to get there is to take the night train from Zurich or Munich towards Ljubljana, get off at Jesenice, have breakfast, take the local train to Podbrdo and you can start your tour at 9:15am. From there you can reach the trail at Pedrovo Brdo within 1½h.

Finding the way

We did not use any paper maps, and instead relied on the OpenStreetMap data, which is very good, as well as the official(?) GPX tracks on Komoot, which are linked from the official route descriptions. We used OsmAnd.

In general, trails are generally very well marked (red circle with white center, and frequent signs), but the signs rarely tell you which way the Via Alpina goes, so the GPS was needed.

Sometimes the OpenStreetMap trail and the Komoot trail disagreed on short segments. We sometimes followed one and other times the other.


We diverged from the trail in a few places:

  • We did not care too much about the horses in Lipica and at least on the map it looked like a longish boringish and sun-exposed detour, so we cut the loop and hiked from Prelože pri Lokvi up onto the peak of the Veliko Gradišče (which unfortunately is too overgrown to provide a good view).

  • When we finally reached the top of Mali Kras and had a view across the bay of Trieste, it seemed silly to walk to down to Dolina, and instead we followed the ridge through Socerb, essentially the Alpe Adria Trail.

  • Not really a variant, but after arriving in Muggia, if one has to go to Trieste, the ferry is a probably nicer way to finish a trek than the bus.

Pitching a tent

We used our tent almost every night, only in Idrija we got a room (and a shower…). It was not trivial to find good camp spots, because most of the trail is on hills with slopes, and the flat spots tend to have housed built on them, but certainly possible. Sometimes we hid in the forest, other times we found nice small and freshly mowed meadows within the forest.


Since this is Karst land, there is very little in terms of streams or lakes along the way, which is a pity.

The Idrijca river right south of Idrija was very tempting to take a plunge. Unfortunately we passed there early in the day and we wanted to cover some ground first, so we refrained.

As for drinking water, we used the taps at the bathrooms of the various touristic sites, a few (but rare) public fountains, and finally resorted to just ringing random doorbells and asking for water, which always worked.


A few stages lead you through very pleasant narrow forest paths with a sight, but not all. On some days you find yourself plodding along wide graveled or even paved forest roads, though.

Landscape and sights

The view from Nanos is amazing and, with this high peak jutting out over a wide plain, rather unique. It may seem odd that the trail goes up and down that mountain on the same day when it could go around, but it is certainly worth it.

The Karst is mostly a cultivated landscape, with lots of forestry. It is very hilly and green, which is pretty, but some might miss some craggedness. It’s not the high alps, after all, but at least they are in sight half the time.

But the upside is that there are few sights along the way that are worth visiting, in particular the the Franja Partisan Hospital hidden in a very narrow gorge, the Predjama Castle and the Škocjan Caves

Planet DebianRussell Coker: Workstations With ECC RAM

The last new PC I bought was a Dell PowerEdge T110II in 2013. That model had been out for a while and I got it for under $2000. Since then the CPI has gone up by about 20% so it’s probably about $2000 in today’s money. Currently Dell has a special on the T150 tower server (the latest replacement for the T110II) which has a G6405T CPU that isn’t even twice as fast as the i3-3220 (3746 vs 2219) in the T110II according to (AKA The special price is $2600. I can’t remember the details of my choices when purchasing the T110II but I recall that CPU speed wasn’t a priority and I wanted a cheap reliable server for storage and for light desktop use. So it seems that the current entry model in the Dell T1xx server line is less than twice as fast as fast as it was in 2013 while costing about 25% more! An option is to spend an extra $989 to get a Xeon E-2378 which delivers a reasonable 18,248 in that benchmark. The upside of a T150 is that is uses buffered DDR4 ECC RAM which is pretty cheap nowadays, you can get 32G for about $120.

For systems sold as workstations (as opposed to T1xx servers that make great workstations but aren’t described as such) Dell has the Precision line. The Precision 3260 “Compact Workstation” currently starts at $1740, it has a fast CPU but takes SO-DIMMs and doesn’t come with ECC RAM. So to use it as a proper workstation you need to discard the RAM and buy DDR5 unbuffered/unregistered ECC SO-DIMMS – which don’t seem to be on sale yet. The Precision 3460 is slightly larger, slightly more expensive, and also takes SO-DIMMs. The Precision 3660 starts at $2550 and takes unbuffered DDR5 ECC RAM which is available and costs half as much as the SO-DIMM equivalent would cost (if you could even buy it), but the general trend in RAM prices is that unbuffered ECC RAM is more expensive than buffered ECC RAM. The upside to Precision workstations is that the range of CPUs available is significantly faster than for the T150.

The HP web site doesn’t offer prices on their Z workstations and is generally worse than the Dell web site in most ways.

Overall I’m disappointed in the range of workstations available now. As an aside if anyone knows of any other company selling workstations in Australia that support ECC RAM then please let me know.


Planet DebianMike Hommey: Announcing git-cinnabar 0.5.10

Git-cinnabar is a git remote helper to interact with mercurial repositories. It allows to clone, pull and push from/to mercurial remote repositories, using git.

Get it on github.

These release notes are also available on the git-cinnabar wiki.

What’s new since 0.5.9?

  • Fixed exceptions during config initialization.
  • Fixed swapped error messages.
  • Fixed correctness issues with bundle chunks with no delta node.
  • This is probably the last 0.5.x release before 0.6.0.

Planet DebianIan Jackson: chiark’s skip-skip-cross-up-grade

Two weeks ago I upgraded chiark from Debian jessie i386 to bullseye amd64, after nearly 30 years running Debian i386. This went really quite well, in fact!


chiark is my “colo” - a server I run, which lives in a data centre in London. It hosts ~200 users with shell accounts, various websites and mailing lists, moderators for a number of USENET newsgroups, and countless other services. chiark’s internal setup is designed to enable my users to do a maximum number of exciting things with a minimum of intervention from me.

chiark’s OS install dates to 1993, when I installed Debian 0.93R5, the first version of Debian to advertise the ability to be upgraded without reinstalling. I think that makes it one of the oldest Debian installations in existence.

Obviously it’s had several new hardware platforms too. (There was a prior install of Linux on the initial hardware, remnants of which can maybe still be seen in some obscure corners of chiark’s /usr/local.)

chiark’s install is also at the very high end of the installation complexity, and customisation, scale: reinstalling it completely would be an enormous amount of work. And it’s unique.

chiark’s upgrade history

chiark’s last major OS upgrade was to jessie (Debian 8, released in April 2015). That was in 2016. Since then we have been relying on Debian’s excellent security support posture, and the Debian LTS and more recently Freexian’s Debian ELTS projects and some local updates, The use of ELTS - which supports only a subset of packages - was particularly uncomfortable.

Additionally, chiark was installed with 32-bit x86 Linux (Debian i386), since that was what was supported and available at the time. But 32-bit is looking very long in the tooth.

Why do a skip upgrade

So, I wanted to move to the fairly recent stable release - Debian 11 (bullseye), which is just short of a year old. And I wanted to “crossgrade” (as its called) to 64-bit.

In the past, I have found I have had greater success by doing “direct” upgrades, skipping intermediate releases, rather than by following the officially-supported path of going via every intermediate release.

Doing a skip upgrade avoids exposure to any packaging bugs which were present only in intermediate release(s). Debian does usually fix bugs, but Debian has many cautious users, so it is not uncommon for bugs to be found after release, and then not be fixed until the next one.

A skip upgrade avoids the need to try to upgrade to already-obsolete releases (which can involve messing about with multiple snapshots from It is also significantly faster and simpler, which is important not only because it reduces downtime, but also because it removes opportunities (and reduces the time available) for things to go badly.

One downside is that sometimes maintainers aggressively remove compatibility measures for older releases. (And compatibililty packages are generally removed quite quickly by even cautious maintainers.) That means that the sysadmin who wants to skip-upgrade needs to do more manual fixing of things that haven’t been dealt with automatically. And occasionally one finds compatibility problems that show up only when mixing very old and very new software, that no-one else has seen.


Crossgrading is fairly complex and hazardous. It is well supported by the low level tools (eg, dpkg) but the higher-level packaging tools (eg, apt) get very badly confused.

Nowadays the system is so complex that downloading things by hand and manually feeding them to dpkg is impractical, other than as a very occasional last resort.

The approach, generally, has been to set the system up to “want to” be the new architecture, run apt in a download-only mode, and do the package installation manually, with some fixing up and retrying, until the system is coherent enough for apt to work.

This is the approach I took. (In current releases, there are tools that will help but they are only in recent releases and I wanted to go direct. I also doubted that they would work properly on chiark, since it’s so unusual.)

Peril and planning

Overall, this was a risky strategy to choose. The package dependencies wouldn’t necessarily express all of the sequencing needed. But it still seemed that if I could come up with a working recipe, I could do it.

I restored most of one of chiark’s backups onto a scratch volume on my laptop. With the LVM snapshot tools and chroots. I was able to develop and test a set of scripts that would perform the upgrade. This was a very effective approach: my super-fast laptop, with local caches of the package repositories, was able to do many “edit, test, debug” cycles.

My recipe made heavy use of, to make sure that it wouldn’t rot between testing and implementation.

When I had a working scheme, I told my users about the planned downtime. I warned everyone it might take even 2 or 3 days. I made sure that my access arrangemnts to the data centre were in place, in case I needed to visit in person. (I have remote serial console and power cycler access.)

Reality - the terrible rescue install

My first task on taking the service down was the check that the emergency rescue installation worked: chiark has an ancient USB stick in the back, which I can boot to from the BIOS. The idea being that many things that go wrong could be repaired from there.

I found that that install was too old to understand chiark’s storage arrangements. mdadm tools gave very strange output. So I needed to upgrade it. After some experiments, I rebooted back into the main install, bringing chiark’s service back online.

I then used the main install of chiark as a kind of meta-rescue-image for the rescue-image. The process of getting the rescue image upgraded (not even to amd64, but just to something not totally ancient) was fraught. Several times I had to rescue it by copying files in from the main install outside. And, the rescue install was on a truly ancient 2G USB stick which was terribly terribly slow, and also very small.

I hadn’t done any significant planning for this subtask, because it was low-risk: there was little way to break the main install. Due to all these adverse factors, sorting out the rescue image took five hours.

If I had known how long it would take, at the beginning, I would have skipped it. 5 hours is more than it would have taken to go to London and fix something in person.

Reality - the actual core upgrade

I was able to start the actual upgrade in the mid-afternoon. I meticulously checked and executed the steps from my plan.

The terrifying scripts which sequenced the critical package updates ran flawlessly. Within an hour or so I had a system which was running bullseye amd64, albeit with many important packages still missing or unconfigured.

So I didn’t need the rescue image after all, nor to go to the datacentre.

Fixing all the things

Then I had to deal with all the inevitable fallout from an upgrade.

Notable incidents:

exim4 has a new tainting system

This is to try to help the sysadmin avoid writing unsafe string interpolations. (“Little Bobby Tables.”) This was done by Exim upstream in a great hurry as part of a security response process.

The new checks meant that the mail configuration did not work at all. I had to turn off the taint check completely. I’m fairly confident that this is correct, because I am hyper-aware of quoting issues and all of my configuration is written to avoid the problems that tainting is supposed to avoid.

One particular annoyance is that the approach taken for sqlite lookups makes it totally impossible to use more than one sqlite database. I think the sqlite quoting operator which one uses to interpolate values produces tainted output? I need to investigate this properly.

LVM now ignores PVs which are directly contained within LVs by default

chiark has LVM-on-RAID-on-LVM. This generally works really well.

However, there was one edge case where I ended up without the intermediate RAID layer. The result is LVM-on-LVM.

But recent versions of the LVM tools do not look at PVs inside LVs, by default. This is to help you avoid corrupting the state of any VMs you have on your system. I didn’t know that at the time, though. All I knew was that LVM was claiming my PV was “unusable”, and wouldn’t explain why.

I was about to start on a thorough reading of the 15,000-word essay that is the commentary in the default /etc/lvm/lvm.conf to try to see if anything was relevant, when I received a helpful tipoff on IRC pointing me to the scan_lvs option.

I need to file a bug asking for the LVM tools to explain why they have declared a PV unuseable.

apache2’s default config no longer read one of my config files

I had to do a merge (of my changes vs the maintainers’ changes) for /etc/apache2/apache2.conf. When doing this merge I failed to notice that the file /etc/apache2/conf.d/httpd.conf was no longer included by default. My merge dropped that line. There were some important things in there, and until I found this the webserver was broken.

dpkg --skip-same-version DTWT during a crossgrade

(This is not a “fix all the things” - I found it when developing my upgrade process.)

When doing a crossgrade, one often wants to say to dpkg “install all these things, but don’t reinstall things that have already been done”. That’s what --skip-same-version is for.

However, the logic had not been updated as part of the work to support multiarch, so it was wrong. I prepared a patched version of dpkg, and inserted it in the appropriate point in my prepared crossgrade plan.

The patch is now filed as bug #1014476 against dpkg upstream


Mailman is no longer in bullseye. It’s only available in the previous release, buster.

bullseye has Mailman 3 which is a totally different system - requiring basically, a completely new install and configuration. To even preserve existing archive links (a very important requirement) is decidedly nontrivial.

I decided to punt on this whole situation. Currently chiark is running buster’s version of Mailman. I will have to deal with this at some point and I’m not looking forward to it.


Of course that Mailman is Python 2. The Python project’s extremely badly handled transition includes a recommendation to change the meaning of #!/usr/bin/python from Python 2, to Python 3.

But Python 3 is a new language, barely compatible with Python 2 even in the most recent iterations of both, and it is usual to need to coinstall them.

Happily Debian have provided the python-is-python2 package to make things work sensibly, albeit with unpleasant imprecations in the package summary description.


Oh my god. INN uses many non-portable data formats, which just depend on your C types. And there are complicated daemons, statically linked libraries which cache on-disk data, and much to go wrong.

I had numerous problems with this, and several outages and malfunctions. I may write about that on a future occasion.

(edited 2022-07-20 11:36 +01:00 and 2022-07-30 12:28+01:00 to fix typos)

comment count unavailable comments

Cryptogram Microsoft Zero-Days Sold and then Used

Yet another article about cyber-weapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF.

There’s an entire industry devoted to undermining all of our security. It needs to be stopped.


Krebs on Security911 Proxy Service Implodes After Disclosing Breach

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re is was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, which shows it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

At this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported they were unable to use the service. Others affected by the outage said it seemed 911 was trying to implement some sort of “know your customer” rules — that maybe 911 was just trying to weed out those customers using the service for high volumes of cybercriminal activity.

Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently shut down 911 and all its services on July 28th.”

According to 911, the service was hacked in early July, and it was discovered that someone manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.

“Not sure how did the hacker get in,” the 911 message reads. “Therefore, we urgently shut down the recharge system, new user registration, and an investigation started.”

The parting message from 911 to its users, posted to the homepage July 28, 2022.

However the intruders got in, 911 said, they managed to also overwrite critical 911[.]re servers, data and backups of that data.

“On July 28th, a large number of users reported that they could not log in the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911’s longtime competitors — malware-based proxy services VIP72 and LuxSocksclosed their doors in the past year.

Now, many on the crime forums who relied on 911 for their operations are wondering aloud whether there are any alternatives that match the scale and utility that 911 offered. The consensus seems to be a resounding “no.”

I’m guessing we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will spring up to meet what appears to be a burgeoning demand for such services at the moment, with comparatively little supply.

In the meantime, 911’s absence may coincide with a measurable (if only short-lived) reprieve in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service scramble to make alternative arrangements.

Riley Kilmer, co-founder of the proxy-tracking service, said 911’s network will be difficult to replicate in the short run.

“My speculation is [911’s remaining competitors] are going to get a major boost in the short term, but a new player will eventually come along,” Kilmer said. “None of those are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, the attempts will continue but through these replacement services which should be easier to monitor and stop. 911 had some very clean IP addresses.”

911 wasn’t the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers’ IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.

Planet DebianBits from Debian: New Debian Developers and Maintainers (May and June 2022)

The following contributors got their Debian Developer accounts in the last two months:

  • Geoffroy Berret (kaliko)
  • Arnaud Ferraris (aferraris)

The following contributors were added as Debian Maintainers in the last two months:

  • Alec Leanas
  • Christopher Michael Obbard
  • Lance Lin
  • Stefan Kropp
  • Matteo Bini
  • Tino Didriksen


Worse Than FailureError'd: Poetry in Motion

So much cringe here today. Obviously, the first submission below just reeks of professional sycophantry on so many levels. I can't decide which is more offensive, the barefoot butcher or the grotesque attempt to humanize a vogon. To take the edge off, I'll start you out with a very old shaggy dog punchline. The actual setup for this groaner is pretty horrible, though someone on the internet has dutifully compiled the definitive collection of all known variants. Sparing you that misery, I'll cut straight to the chase: Rudolf the Red knows rain, dear. Now you can decide which gag is more worthy: that, or this.

My English vocabulary cannot convey the complexity of my feelings about Beatrix W. who shared a monstrosity, reporting innocently "I was just looking for a book about AppleScript by a Japanese author." Is there a Japanese word for "thank you for this gift but never do it again?"



Or maybe there's a German word for it. What say you, Friend Foo? This week Foo A. has a fun one for us. "Halt entfällt means stop omitted, so they're suggesting I should change to a train that doesn't even stop there!" Clearly, they're expecting you to jump nimbly aboard as it rolls through. I hope it at least slows down.



Newlyread Rudi sent in a screenshot titled &lt;insert subject/title here&gt; saying "I guess the game is to figure out what the location is? (The reason I used HTML entities in the title is because in a previous attempt to submit this WTF I used the actual characters, but resulted in a 500 error, so now I'm checking if that might have been the reason why. Which I guess would be a meta-WTF. :) )" So it might, and it wouldn't be our first. As the other joke goes, "what happens if you try it again?"



Easy-listening Dan snapped a shot of his infotainment system, remarking "I think it's a Reverse HTML Injection. At first, I thought they'd fix it quickly, but it's been like this for weeks." I've seen submissions like this before, but I'm not sure if I've run one.



With the last word for this week, Micha Thomas has us going and coming. "Coming from the same company that gave us the infamous Click 'Start' to shutdown Windows, this is what my Outlook greeted me with this morning"



[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

Planet DebianReproducible Builds (diffoscope): diffoscope 220 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 220. This version includes the following changes:

* Support Haskell 9.x series files and update the test files to match. Thanks
  to Scott Talbert for the relevant info about the new format.
  (Closes: reproducible-builds/diffoscope#309)
* Fix a regression introduced in diffoscope version 207 where diffoscope
  would crash if one directory contained a directory that wasn't in the
  other. Thanks to Alderico Gallo for the report and the testcase.
  (Closes: reproducible-builds/diffoscope#310)

You find out more by visiting the project homepage.


Planet DebianMatthew Garrett: UEFI rootkits and UEFI secure boot

Kaspersky describes a UEFI-implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that it's propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. This probably requires physical access to the board, so it's not especially terrifying - if you're in a situation where someone's sufficiently enthusiastic about targeting you that they're reflashing your computer by hand, it's likely that you're going to have a bad time regardless.

But let's think about why this is in the firmware at all. Sophos previously discussed an implant that's sufficiently similar in some technical details that Kaspersky suggest they may be related to some degree. One notable difference is that the MyKings implant described by Sophos installs itself into the boot block of legacy MBR partitioned disks. This code will only be executed on old-style BIOS systems (or UEFI systems booting in BIOS compatibility mode), and they have no support for code signatures, so there's no need to be especially clever. Run malicious code in the boot block, patch the next stage loader, follow that chain all the way up to the kernel. Simple.

One notable distinction here is that the MBR boot block approach won't be persistent - if you reinstall the OS, the MBR will be rewritten[1] and the infection is gone. UEFI doesn't really change much here - if you reinstall Windows a new copy of the bootloader will be written out and the UEFI boot variables (that tell the firmware which bootloader to execute) will be updated to point at that. The implant may still be on disk somewhere, but it won't be run.

But there's a way to avoid this. UEFI supports loading firmware-level drivers from disk. If, rather than providing a backdoored bootloader, the implant takes the form of a UEFI driver, the attacker can set a different set of variables that tell the firmware to load that driver at boot time, before running the bootloader. OS reinstalls won't modify these variables, which means the implant will survive and can reinfect the new OS install. The only way to get rid of the implant is to either reformat the drive entirely (which most OS installers won't do by default) or replace the drive before installation.

This is much easier than patching the system firmware, and achieves similar outcomes - the number of infected users who are going to wipe their drives to reinstall is fairly low, and the kernel could be patched to hide the presence of the implant on the filesystem[2]. It's possible that the goal was to make identification as hard as possible, but there's a simpler argument here - if the firmware has UEFI Secure Boot enabled, the firmware will refuse to load such a driver, and the implant won't work. You could certainly just patch the firmware to disable secure boot and lie about it, but if you're at the point of patching the firmware anyway you may as well just do the extra work of installing your implant there.

I think there's a reasonable argument that the existence of firmware-level rootkits suggests that UEFI Secure Boot is doing its job and is pushing attackers into lower levels of the stack in order to obtain the same outcomes. Technologies like Intel's Boot Guard may (in their current form) tend to block user choice, but in theory should be effective in blocking attacks of this form and making things even harder for attackers. It should already be impossible to perform attacks like the one Kaspersky describes on more modern hardware (the system should identify that the firmware has been tampered with and fail to boot), which pushes things even further - attackers will have to take advantage of vulnerabilities in the specific firmware they're targeting. This obviously means there's an incentive to find more firmware vulnerabilities, which means the ability to apply security updates for system firmware as easily as security updates for OS components is vital (hint hint if your system firmware updates aren't available via LVFS you're probably doing it wrong).

We've known that UEFI rootkits have existed for a while (Hacking Team had one in 2015), but it's interesting to see a fairly widespread one out in the wild. Protecting against this kind of attack involves securing the entire boot chain, including the firmware itself. The industry has clearly been making progress in this respect, and it'll be interesting to see whether such attacks become more common (because Secure Boot works but firmware security is bad) or not.

[1] As we all remember from Windows installs overwriting Linux bootloaders
[2] Although this does run the risk of an infected user booting another OS instead, and being able to see the implant

comment count unavailable comments

Krebs on SecurityBreach Exposes Users of Microleaves Proxy Service

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.

The Microleaves proxy service, which is in the process of being rebranded to Shifter[.[io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.

The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”

Abhishek Gupta is the PR and marketing manager for Microleaves, which he said in the process of being rebranded to “” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.

Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.

Proxy traffic related to top Microleaves users, as exposed by the website’s API.

The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.

One of BlackHatWorld’s moderators asked the administrator of the forum to review the Microleaves post.

“User states has 150k proxies,” the forum skeptic wrote. “No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That’s the only way you will get 150k.”

Microleaves has long been classified by antivirus companies as adware or as a “potentially unwanted program” (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some “free” download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user’s Internet connection as a proxy without notifying the user.

“While working, these Trojans pose as Microsoft Windows Update,” Kaspersky wrote.

In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service — reverseproxies[.]com — was now offering an “Auto CAPTCHA Solving Service,” which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.

“We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,” Microleaves wrote. “As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!”


The exposed Microleaves user database shows that the first user created on the service — username “admin” — used the email address A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service under the name Alexandru Florea, and the username “Acidut.” [Full disclosure: Constella is currently an advertiser on this website].

According to the cyber intelligence company Intel 471, a user named Acidut with the email address had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.

The user Microleaves (later “”) advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to

In a 2011 post on Hackforums, Acidut said they were building a botnet using an “exploit kit,” a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit.

By November 2013, Acidut was advertising the sale of “26 million SOCKS residential proxies.” In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or “PPI” schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites.

Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside of other programs.

“For those of you who are doing PPI I have a global offer that you can bundle to your installer,” Acidut wrote. “I am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China.”

Asked about the source of their proxies in 2014, the Microleaves user responded that it was “something related to a PPI network. I can’t say more and I won’t get into details.”

Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username “nevo.julian.” That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago when KrebsOnSecurity first reached out to the company.


There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites,, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.

Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the company’s services were brazenly pitched to investors as “a cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs.”

A teaser from Irish Tech News.

“Online[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers,” reads the rest of that help wanted ad.

Microleaves CEO Alexandru Florea gave an “interview” to the website in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback by the interviewer.

“Online[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD,” Alexandru enthused. “By staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online.”

“At the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web,” he continued. “The time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat.”

Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer — or as an exploit kit on your website — we’ll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.

It’s unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]io’s annoying ads and search hijackers — and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name of “online-guardian.exe.”

Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have gone…offline, for good.


Until this week,’s website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although it’s unclear how far back in time those payment records go, or how complete they are.

The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.

Shifter’s Gupta said he’d been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.

“The company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company started a reorganization process that is still on-going,” Gupta said. “We are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year.”

Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifter’s customer information.

Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner — Super Tech Ventures, a private equity company based in Taiwan.

“Our CEO is Wang Wei, he has been with the company since 3 years ago,” Gupta said. “Mr. Florea left the company two years ago after ending this transition period.”

Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifter’s own PR person claimed that he, too, was in the dark on this subject.

“I would love to help, but I really don’t know much about the mother company,” Gupta said, essentially walking back his “fully transparent” statement. “I know they are a branch of the bigger group of asian investment firms focused on private equity in multiple industries.”

Adware and proxy software are often bundled together with “free” software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes.

But just as often, these intrusive programs will include some type of notice — even if installed as part of a software bundle — that many users simply do not read and click “Next” to get on with installing whatever software they’re seeking to use. In these cases, selecting the “basic” or “default” settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. It’s always best to opt for the “custom” installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.

Either way, it’s best to start with the assumption that if a software or service online is “free,” that there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last week’s story on a China-based proxy service called 911, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others.

Further reading on proxy services:

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of “Bulletproof” Residential Networks

Cryptogram NSO Group’s Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders

Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details:

Key Findings

  • We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.
  • We forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus spyware.
  • The observed infections took place between October 2020 and November 2021.
  • The ongoing investigation was triggered by notifications sent by Apple to Thai civil society members in November 2021. Following the notification, multiple recipients made contact with civil society groups, including the Citizen Lab.
  • The report describes the results of an ensuing collaborative investigation by the Citizen Lab, and Thai NGOs iLaw, and DigitalReach.
  • A sample of the victims was independently analyzed by Amnesty International’s Security Lab which confirms the methodology used to determine Pegasus infections.


NSO Group has denied any wrongdoing and maintains that its products are to be used “in a legal manner and according to court orders and the local law of each country.” This justification is problematic, given the presence of local laws that infringe on international human rights standards and the lack of judicial oversight, transparency, and accountability in governmental surveillance, which could result in abuses of power. In Thailand, for example, Section 112 of the Criminal Code (also known as the lèse-majesté law), which criminalizes defamation, insults, and threats to the Thai royal family, has been criticized for being “fundamentally incompatible with the right to freedom of expression,” while the amended Computer Crime Act opens the door to potential rights violations, as it “gives overly broad powers to the government to restrict free speech [and] enforce surveillance and censorship.” Both laws have been used in concert to prosecute lawyers and activists, some of whom were targeted with Pegasus.

More details. News articles.

A few months ago, Ronan Farrow wrote a really good article on NSO Group and its problems. The company was itself hacked in 2021.

L3Harris Corporation was looking to buy NSO Group, but dropped its bid after the Biden administration expressed concerns. The US government blacklisted NSO Group last year, and the company is even more toxic than it was as a result—and a mess internally.

In another story, the nephew of jailed Hotel Rwanda dissident was also hacked by Pegasus.

EDITED TO ADD (7/28): The House Intelligence Committee held hearings on what to do about this rogue industry. It’s important to remember that while NSO Group gets all the heat, there are many other companies that do the same thing.

John-Scott Railton at the hearing:

If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap. As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.

Planet DebianDominique Dumont: How I investigated connection hogs on Kubernetes


My name is Dominhique Dumont, DevOps freelance in Grenoble, France.

My goal is to share my experience regarding a production issue that occurred last week where my client complained that the applications was very slow and sometime showed 5xx errors. The production service is hosted on a Kubernetes cluster on Azure and use a MongoDB on ScaleGrid.

I reproduced the issue on my side and found that the API calls were randomly failing due to timeouts on server side.

The server logs were showing some MongoDB disconnections and reconnections and some time-out on MongoDB connections, but did not give any clue on why some connections to MongoDB server were failing.

Since there was not clue in the cluster logs, I looked at ScaleGrid monitoring. There was about 2500 connections on MongoDB: 2022-07-19-scalegrid-connection-leak.png That seemed quite a lot given the low traffic at that time, but not necessarily a problem.

Then, I went to the Azure console, and I got the first hint about the origin of the problem: the SNATs were exhausted on some nodes of the clusters. 2022-07-28_no-more-free-snat.png

SNATs are involved in connections from the cluster to the outside world, i.e. to our MongoDB server and are quite limited: only 1024 SNAT ports are available per node. This was consistent with the number of used connections on MongoDB.

OK, then the number of used connections on MongoDB was a real problem.

The next question was: which pods and how many connections ?

First I had to filter out the pods that did not use MongoDB. Fortunately, all our pods have labels so I could list all pods using MongoDB:

$ kubectl -n prod get pods -l db=mongo | wc -l

Hmm, still quite a lot.

Next problem is to check which pod used too many MongoDB connections. Unfortunately, the logs mentioned that a connection to MongoDB was opened, but that did not give a clue on how many were used.

Netstat is not installed on the pods, and cannot be installed since the pods are running as root (which is a good idea for security reasons)

Then, my Debian Developer experience kicked in and I remembered that /proc file system on Linux gives a lot of information on consumed kernel resources, including resources consumed by each process.

The trick is to know the PID of the process using the connections.

In our case, Docker files are written in a way so the main process of a pod using NodeJS is 1, so, the command to list the connections of pod is:

$ kubectl -n prod exec redacted-pod-name-69875496f8-8bj4f -- cat /proc/1/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                                                     
   0: AC00F00A:C9FA C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376439162 2 0000000000000000 21 4 0 10 -1                 
   1: AC00F00A:CA00 C2906714:6989 01 00000000:00000000 02:00000E76 00000000  1001        0 376439811 2 0000000000000000 21 4 0 10 -1                 
   2: AC00F00A:8ED0 C2906714:6989 01 00000000:00000000 02:000004DA 00000000  1001        0 445806350 2 0000000000000000 21 4 30 10 -1                
   3: AC00F00A:CA02 C2906714:6989 01 00000000:00000000 02:000000DD 00000000  1001        0 376439812 2 0000000000000000 21 4 0 10 -1                 
   4: AC00F00A:C9FE C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376439810 2 0000000000000000 21 4 0 10 -1                 
   5: AC00F00A:8760 C2906714:6989 01 00000000:00000000 02:00000810 00000000  1001        0 375803096 2 0000000000000000 21 4 0 10 -1                 
   6: AC00F00A:C9FC C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376439809 2 0000000000000000 21 4 0 10 -1                 
   7: AC00F00A:C56C C2906714:6989 01 00000000:00000000 02:00000DA9 00000000  1001        0 376167298 2 0000000000000000 21 4 0 10 -1                 
   8: AC00F00A:883C C2906714:6989 01 00000000:00000000 02:00000734 00000000  1001        0 375823415 2 0000000000000000 21 4 30 10 -1 

OK, that’s less appealing that netstat output. The trick is that rem_address and port are expressed in hexa. A quick calculation confirms the port 0x6989 is indeed port 27017, which is the listening port of MongoDB server.

So the number of opened MongoDB connections is given by:

$ kubectl -n prod exec redacted-pod-name-69875496f8-8bj4f -- cat /proc/1/net/tcp | grep :6989 | wc -l

What’s next ?

The ideal solution would be to fix the NodeJS code to handle correctly the termination of the connections, but that would have taken too long to develop.

So I’ve written a small Perl script to:

  • list the pods using MongoDB using kubectl -n prod get pods -l db=mongo
  • find the pods using more that 10 connections using the kubectl exec command shown above
  • compute the deployment name of these pods (which was possible given the naming convention used with our pods and deployments)
  • restart the deployment of these pods with a kubectl rollout restart deployment command

Why restart a deployment instead of simply deleting the gluttonous pods? I wanted to avoid downtime if all pods of a deployment were to be killed. There’s no downtime when applying rollout restart command on deployments.

This script is now run regularly until the connections issue is fixed for good in NodeJS code. Thanks to this script, there’s no need to rush a code modification.

All in all, working around this connections issues was made somewhat easier thanks to:

  • the monitoring tools provided by the hosting services.
  • a good knowledge of Linux internals
  • consistent labels on our pods
  • the naming conventions used for our kubernetes artifacts

Worse Than FailureCodeSOD: Classical Solutions

CSS classes give us the ability to reuse styles in a meaningful way, by defining, well, classes of styling. A common anti-pattern is to misuse classes and define things like "redTextUnderlined" as a CSS class. Best practice is that a CSS class should define the role, not the appearance. So that class might be better named "validationError", for example. A class will frequently bundle together a bunch of stylesheet properties into a single, meaningful name. That's the ideal approach, anyway.

Now, Olivia's predecessor had an… interesting philosophy of how to use CSS classes.

.sup, .headerLinkMain, .headerLinkName, .headerLinkAdmin, .systemMsgMain, .studentsLegendText, .studentPagingSelected, .studentPagingLink, .studentErrorLegend, .studentsBatchEditShellHeader, .warningError, .warningErrorTitle, .staffLegendText, .staffEditLabelRequire, .staffEditLabel, .staffEditLink, .completeNote, .staffNumberLinks, .staffNotOK, .staffViewPrevNextLink, .staffViewPrevNext, .staffViewPrevNextError, .staffViewPrevNextErrorLink, .staffNoteShowRecords, .staffListFont01, .courseListFont, .staffTotalText, .warningErrorStaff, .warningErrorStaffTitle, .warningLoginStaff, .warningLoginLabel, .textAdminSection, .textAdminSectionError, .textAdminSection102, .studentEditLabelRequire, .studentEditLabel, .studentDOB, .studentEditLabelError, .studentEditLabelRequireError, .textDemographicPopup, .titleStudentDemogs, .textStudentDemogs, .textSection, .textSectionBold, .classesText, .classesList, .classUsrMultiple, .classNote01, .classNote02, .subTitleAdminSection, .warningErrorClass, .warningErrorClassTitle {font-size: 11px;} .priFriHeaderText, .headerMain, .headerLinkMain, .headerLinkName, .headerAdmin, .headerLinkAdmin, .studentsBatchEditShellHeader, .headerLinkSu, .tabLink, .titleTableRed, .titleTableBlue, .textBlueBold, .textRedBold, .error, .schoolLinkBold, .blueLight, .tableTitleGreen, .textGreenBold, .titleGreenBig, .headerSu, .loginBlue, .helpApps .moreLinkRed, .goLinkRed, .moreLinkBlue, .goLinkBlue, .faqLink, .listBlueBold, .titleSettings, .enrollmentStatusBoxHeaderText, .studentsBatchEditSelectsText, .studentsSelectsLabel, .studentPagingSelected, .studentListLabel, .studentListLabelLink, .studentListBold, .studentErrorLegend, .studentErrorLabel, .studentListError, .warningErrorTitle, .staffNoteSave, .staffLegendText, .staffEditLabelRequire, .noteUnsavedStaffRecord, .staffSearchLabel, .staffNumberLinks, .staffViewPrevNextLink, .staffViewPrevNext, .staffViewLabelSort, .staffViewLabel, .courseViewLabel, .staffViewPrevNextErrorLink, .staffViewPrevNextError, .staffEditLinkBold, .backLink, .warningErrorStaffTitle, .warningLoginStaff, .subTitleAdminSection, .studentEditLabelRequire, .studentEditLabelRequireError, .titleDemographicPopup, .titleStudentDemogs, .subTitleDownload, .textDownload03, .labelDownload, .subTitleSections, .textSectionBold, .classesViewEditLink, .classesLable, .classAddLabel, .tdBold, .backLinkUser, .classAdmLabel, .subTitleClasses, .warningErrorClassTitle, .dibelsTransitionMessage {font-weight: bold;} .titleSections, .staffLegendText, .staffNoteCancel, .staffNotOK, .staffTotalText, .staffSearchLabel, .textAdminSection, .textAdminSection102, .studentEditLabelRequire, .studentEditLabel, .studentDOB, .textDownload02, .subTitleSections, .textSection, .textSectionBold, .subTitleSectionsClasses, .classAddLabel {color: #4B4B47;}

Now, you have a "good" mix of functional class names (.textStudentDemogs) and plenty that clearly involve actual styling (.loginBlue). But of course, that's not the WTF, the WTF is this developer's approach to organizing stylesheet rules: each style property is its own rule. Yes, they constantly repeated this pattern, all through the CSS file. It's "convenient", if you want to know all the classes of elements that explicitly have an 11 point font, but it's basically useless for anything else.

I find myself staring at it, trying to understand the logic that drove this design pattern. Did they write a script to generate this? Did they just do all their styling this way? How? Why? I feel like an archaeologist who just found an inscrutable relic and is stuck saying, "it must have served some ritual purpose". It's not an answer, it's just a shrug. I can't understand this, and frankly, I don't know that I want to.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.


Planet DebianVincent Bernat: ClickHouse SF Bay Area Meetup: Akvorado

Here are the slides I presented for a ClickHouse SF Bay Area Meetup in July 2022, hosted by Altinity. They are about Akvorado, a network flow collector and visualizer, and notably on how it relies on ClickHouse, a column-oriented database.

The meetup was recorded and available on YouTube. Here is the part relevant to my presentation, with subtitles:1

I got a few questions about how to get information from the higher layers, like HTTP. As my use case for Akvorado was at the network edge, my answers were mostly negative. However, as sFlow is extensible, when collecting flows from Linux servers instead, you could embed additional data and they could be exported as well.

I also got a question about doing aggregation in a single table. ClickHouse can aggregate automatically data using TTL. My answer for not doing that is partial. There is another reason: the retention periods of the various tables may overlap. For example, the main table keeps data for 15 days, but even in these 15 days, if I do a query on a 12-hour window, it is faster to use the flows_1m0s aggregated table, unless I request something about ports and IP addresses.

  1. To generate the subtitles, I have used Amazon Transcribe, the speech-to-text solution from Amazon AWS. Unfortunately, there is no en-FR language available, which would have been useful for my terrible accent. While the subtitles were 100% accurate when the host, Robert Hodge from Altinity, was speaking, the success rate on my talk was quite lower. I had to rewrite almost all sentences. However, using speech-to-text is still useful to get the timings, as it is also something requiring a lot of work to do manually. ↩︎

Cryptogram New UFEI Rootkit

Kaspersky is reporting on a new UFEI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article:

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Both links have lots of technical details; the second contains a list of previously discovered UFEI rootkits. Also relevant are the NSA’s capabilities—now a decade old—in this area.

Worse Than FailureCodeSOD: Repetition is an Echo

Annie works in a bioinformatics department. There's a lot of internally developed code, and the quality is… special. But it's also got features that are on their critical path of doing their jobs.

One example is that, based on one input form, the next input form needs to display a drop down. The drop down elements don't change, but the individual item that's selected does. So, if the rank HTTP POST variable is set, we want to make sure the matching entry is selected.

if(isset($_POST['rank'])){ if($_POST['rank']=='superkingdom'){ echo "<option selected='selected'>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; }elseif($_POST['rank']=='phylum'){ echo "<option>superkingdom</option>"; echo "<option selected='selected'>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='class'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option selected='selected'>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='order'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option selected='selected'>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='family'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option selected='selected'>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='genus'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option selected='selected'>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='species'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option selected='selected'>species</option>"; } }

Talk about duplicated code. And, of course, there's no else clause.

And, of course, there's a bonus SQL injection attack that Annie found:

$sql = "SELECT locus,accession,length,date,definition,organisim,host". " FROM `gb` WHERE organisim LIKE '%".$_POST['orgname']."%'";
[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

Krebs on SecurityA Retrospective on the 2015 Ashley Madison Breach

It’s been seven years since the online cheating site was hacked and highly sensitive data about its users posted online. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of Ashley Madison mentions across Russian cybercrime forums and far-right websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.

As first reported by KrebsOnSecurity on July 19, 2015, a group calling itself the “Impact Team” released data sampled from millions of users, as well as maps of internal company servers, employee network account information, company bank details and salary information.

The Impact Team said it decided to publish the information because ALM “profits on the pain of others,” and in response to a paid “full delete” service Ashley Madison parent firm Avid Life Media offered that allowed members to completely erase their profile information for a $19 fee.

According to the hackers, although the delete feature promised “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — weren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

A snippet of the message left behind by the Impact Team.

The Impact Team said ALM had one month to take Ashley Madison offline, along with a sister property called Established Men. The hackers promised that if a month passed and the company did not capitulate, it would release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”

Exactly 30 days later, on Aug. 18, 2015, the Impact Team posted a “Time’s up!” message online, along with links to 60 gigabytes of Ashley Madison user data.


One aspect of the Ashley Madison breach that’s always bothered me is how the perpetrators largely cast themselves as fighting a crooked company that broke their privacy promises, and how this narrative was sustained at least until the Impact Team decided to leak all of the stolen user account data in August 2015.

Granted, ALM had a lot to answer for. For starters, after the breach it became clear that a great many of the female Ashley Madison profiles were either bots or created once and never used again. Experts combing through the leaked user data determined that fewer than one percent of the female profiles on Ashley Madison had been used on a regular basis, and the rest were used just once — on the day they were created. On top of that, researchers found 84 percent of the profiles were male.

But the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines.

Hence, it appears the Impact Team’s goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then letting that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

Robert Graham, CEO of Errata Security, penned a blog post in 2015 concluding that the moral outrage professed by the Impact Team was pure posturing.

“They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it’s fun and #2 because they can,” Graham wrote.

Per Thorsheim, a security researcher in Norway, told Wired at the time that he believed the Impact Team was motivated by an urge to destroy ALM with as much aggression as they could muster.

“It’s not just for the fun and ‘because we can,’ nor is it just what I would call ‘moralistic fundamentalism,'” Thorsheim told Wired. “Given that the company had been moving toward an IPO right before the hack went public, the timing of the data leaks was likely no coincidence.”


As the seventh anniversary of the Ashley Madison hack rolled around, KrebsOnSecurity went back and looked for any mentions of Ashley Madison or ALM on cybercrime forums in the months leading up to the Impact Team’s initial announcement of the breach on July 19, 2015. There wasn’t much, except a Russian guy offering to sell payment and contact information on 32 million AshleyMadison users, and a bunch of Nazis upset about a successful Jewish CEO promoting adultery.

Cyber intelligence firm Intel 471 recorded a series of posts by a user with the handle “Brutium” on the Russian-language cybercrime forum Antichat between 2014 and 2016. Brutium routinely advertised the sale of large, hacked databases, and on Jan. 24, 2015, this user posted a thread offering to sell data on 32 million Ashley Madison users:

“Data from July 2015
Total ~32 Million contacts:
full name; email; phone numbers; payment, etc.”

It’s unclear whether the postdated “July 2015” statement was a typo, or if Brutium updated that sales thread at some point. There is also no indication whether anyone purchased the information. Brutium’s profile has since been removed from the Antichat forum.

Flashpoint is a threat intelligence company in New York City that keeps tabs on hundreds of cybercrime forums, as well as extremist and hate websites. A search in Flashpoint for mentions of Ashley Madison or ALM prior to July 19, 2015 shows that in the six months leading up to the hack, Ashley Madison and its then-CEO Noel Biderman became a frequent subject of derision across multiple neo-Nazi websites.

On Jan. 14, 2015, a member of the neo-Nazi forum Stormfront posted a lively thread about Ashley Madison in the general discussion area titled, “Jewish owned dating website promoting adultery.”

On July 3, 2015, Andrew Anglin, the editor of the alt-right publication Daily Stormer, posted excerpts about Biderman from a story titled, “Jewish Hyper-Sexualization of Western Culture,” which referred to Biderman as the “Jewish King of Infidelity.”

On July 10, a mocking montage of Biderman photos with racist captions was posted to the extremist website Vanguard News Network, as part of a thread called “Jews normalize sexual perversion.”

“Biderman himself says he’s a happily married father of two and does not cheat,” reads the story posted by Anglin on the Daily Stormer. “In an interview with the ‘Current Affair’ program in Australia, he admitted that if he found out his own wife was accessing his cheater’s site, ‘I would be devastated.'”

The leaked AshleyMadison data included more than three years’ worth of emails stolen from Biderman. The hackers told Motherboard in 2015 they had 300 GB worth of employee emails, but that they saw no need to dump the inboxes of other company employees.

Several media outlets pounced on salacious exchanges in Biderman’s emails as proof he had carried on multiple affairs. Biderman resigned as CEO on Aug. 28, 2015. The last message in the archive of Biderman’s stolen emails was dated July 7, 2015 — almost two weeks before the Impact Team would announce their hack.

Biderman told KrebsOnSecurity on July 19, 2015 that the company believed the hacker was some type of insider.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Certain language in the Impact Team’s manifesto seemed to support this theory, such as the line: “For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.”

But despite ALM offering a belated $500,000 reward for information leading to the arrest and conviction of those responsible, to this day no one has been charged in connection with the hack.


Cryptogram Securing Open-Source Software

Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.

This is not a novel idea. Open-source code has been called the “roads and bridges” of the current digital infrastructure that warrants the same “focus and funding.” Eric Brewer of Google explicitly called open-source software “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects “just as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to “explore opportunities for dedicated support services for open source solutions [it] considers critical.”

Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny—projects that are critical to society. CISA defines critical infrastructure as industry sectors “so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Efforts should target the open-source projects that share those features.

Planet DebianRaphaël Hertzog: Freexian’s report about Debian Long Term Support, June 2022

A Debian LTS logo

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian project funding

No any major updates on running projects.
Two 1, 2 projects are in the pipeline now.
Tryton project is in a review phase. Gradle projects is still fighting in work.

In June, we put aside 2254 EUR to fund Debian projects.

We’re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.

Debian LTS contributors

In June, 15 contributors have been paid to work on Debian LTS, their reports are available:

  • Abhijith PA did 14.00h (out of 14.00h assigned).
  • Andreas Rönnquist did 14.50h (out of 14.50h assigned and 10.50h from previous period, thus carrying over 10.50h to the next month).
  • Anton Gladky did 16.00h (out of 16.00h assigned).
  • Ben Hutchings did 16.00h (out of 0.00h assigned and 16.00h from previous period).
  • Chris Lamb did 18.00h (out of 18.00h assigned).
  • Dominik George did 1.83h (out of 6.00h assigned and 18.00h from previous period, thus carrying over 22.17h to the next month).
  • Emilio Pozuelo Monfort did 30.25h (out of 9.25h assigned and 21.00h from previous period).
  • Enrico Zini did 8.00h (out of 9.50h assigned and 6.50h from previous period, thus carrying over 8.00h to the next month).
  • Markus Koschany did 30.25h (out of 30.25h assigned).
  • Ola Lundqvist did nothing (out of 12.00 available hours, thus carrying them over to the next month).
  • Roberto C. Sánchez did 27.50h (out of 11.75h assigned and 18.50h from previous period, thus carrying over 2.75h to the next month).
  • Stefano Rivera did 8.00h (out of 30.25h assigned, thus carrying over 20.75h to the next month).
  • Sylvain Beucler did 30.25h (out of 13.75h assigned and 16.50h from previous period).
  • Thorsten Alteholz did 30.25h (out of 30.25h assigned).
  • Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 30.25 available hours, thus carrying them over to the next month).

Evolution of the situation

In June we released 27 DLAs.

This is a special month, where we have two releases (stretch and jessie) as ELTS and NO release as LTS. Buster is still handled by the security team and will probably be given in LTS hands at the beginning of the August. During this month we are updating the infrastructure, documentation and improve our internal processes to switch to a new release.
Many developers have just returned back from Debconf22, hold in Prizren, Kosovo! Many (E)LTS members could meet face-to-face and discuss some technical and social topics! Also LTS BoF took place, where the project was introduced (link to video).

Thanks to our sponsors

Sponsors that joined recently are in bold. We are pleased to welcome Alter Way where their support of Debian is publicly acknowledged at the higher level, see this French quote of Alterway’s CEO.

Worse Than FailureCodeSOD: The Device Search

I started writing a paragraph about why this code Gilda found was bad, and then I had to delete it all, because I wasn't putting the entire block in context. At a glance, this looks almost fine, but I thought I spotted a WTF. But only when I thought about the fact that this C code runs inside of a loop that I realized the real problem.

rsts = get_device_by_id ( movq_p->nxt_device_id, &devc ); if ( ( rsts == CC_VL_SUCCESS ) && ( strcmp ( devc.device_type, SPECIFIC_DEVICE ) == 0 ) ) { specific_device_flag = CC_VL_TRUE; } /* * Process device... */ if ( specific_device_flag ) { ... }

So, inside of a loop, this iterates across a series of devices, represented by their nxt_device_id. They load that into a device struct, devc, and do some validation on the type of device in question. If the type of device is SPECIFIC_DEVICE, then we set a flag to represent that. Later in the code, we have special processing if it's that SPECIFIC_DEVICE.

The problem here is that this code runs inside a loop and specific_device_flag is never set to false. So as we iterate across the devices, if one of them is a SPECIFIC_DEVICE, every future device will also be treated as if it's a SPECIFIC_DEVICE.

Gilda writes: "Apparently this has been in the baseline code since before the project it is in was branched off so I don't know if anything was deleted between setting the specific_device_flag and testing for it."

The beauty of this bug is that depending on the order of the device enumeration, or the number of connected devices, it might never be seen. In fact, that's been mostly the case for Gilda's company. There have been a number of tickets resolved by "try unplugging all the devices and plugging them back in to different ports" or just "reboot the system". No one knew why.

My kingdom for an else clause. Or just a boolean assignment expression. Or, if you really want to use CC_VL_TRUE and not just "non-zero is true", a ternary might actually be more readable.

I've read C programming styleguides that require every if to have an else, and if the else is empty, a comment justifying its emptiness. I usually think that's overkill, but this code sample is a strong argument in favor of such a guideline.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

Planet DebianMichael Ablassmeier: Added remote capability to virtnbdbackup

Latest virtnbdbackup version now supports backing up remote libvirt hosts, too. No installation on the hypervisor required anymore:

virtnbdbackup -U qemu+ssh://usr@hypervisor/system -d vm1 -o /backup/vm1

Same applies for restore operations, other enhancements are:

  • New backup mode auto which allows easy backup rotation.
  • Option to freeze only specific filesystems within backed up domain.
  • Remote backup via dedicated network: use --nbd-ip to bind the remote NDB service to an specific interface.
  • If virtual machine requires additional files like specific UEFI/Kernel image, these are saved via SFTP from the remote host, too.
  • Restore operation can now adjust domain config accordingly (and redefine it if desired).

Next up: add TLS support for remote NBD connections.


Planet DebianBits from Debian: DebConf22 closes in Prizren and DebConf23 dates announced

DebConf22 group photo - click to enlarge

On Sunday 24 July 2022, the annual Debian Developers and Contributors Conference came to a close. Hosting 260 attendees from 38 different countries over a combined 91 event talks, discussion sessions, Birds of a Feather (BoF) gatherings, workshops, and activities, DebConf22 was a large success.

The conference was preceded by the annual DebCamp held 10 July to 16 July which focused on individual work and team sprints for in-person collaboration towards developing Debian. In particular, this year there have been sprints to advance development of Mobian/Debian on mobile, reproducible builds and Python in Debian, and a BootCamp for newcomers, to get introduced to Debian and have some hands-on experience with using it and contributing to the community.

The actual Debian Developers Conference started on Sunday 17 July 2022. Together with activities such as the traditional 'Bits from the DPL' talk, the continuous key-signing party, lightning talks and the announcement of next year's DebConf (DebConf23 in Kochi, India), there were several sessions related to programming language teams such as Python, Perl and Ruby, as well as news updates on several projects and internal Debian teams, discussion sessions (BoFs) from many technical teams (Long Term Support, Android tools, Debian Derivatives, Debian Installer and Images team, Debian Science...) and local communities (Debian Brasil, Debian India, the Debian Local Teams), along with many other events of interest regarding Debian and free software.

The schedule was updated each day with planned and ad-hoc activities introduced by attendees over the course of the entire conference. Several activities that couldn\'t be organized in past years due to the COVID pandemic returned to the conference\'s schedule: a job fair, open-mic and poetry night, the traditional Cheese and Wine party, the group photos and the Day Trip.

For those who were not able to attend, most of the talks and sessions were recorded for live streams with videos made, available through the Debian meetings archive website. Almost all of the sessions facilitated remote participation via IRC messaging apps or online collaborative text documents.

The DebConf22 website will remain active for archival purposes and will continue to offer links to the presentations and videos of talks and events.

Next year, DebConf23 will be held in Kochi, India, from September 10 to September 16, 2023. As tradition follows before the next DebConf the local organizers in India will start the conference activites with DebCamp (September 03 to September 09, 2023), with particular focus on individual and team work towards improving the distribution.

DebConf is committed to a safe and welcome environment for all participants. See the web page about the Code of Conduct in DebConf22 website for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf22, particularly our Platinum Sponsors: Lenovo, Infomaniak, ITP Prizren and Google.

About Debian

The Debian Project was founded in 1993 by Ian Murdock to be a truly free community project. Since then the project has grown to be one of the largest and most influential open source projects. Thousands of volunteers from all over the world work together to create and maintain Debian software. Available in 70 languages, and supporting a huge range of computer types, Debian calls itself the universal operating system.

About DebConf

DebConf is the Debian Project's developer conference. In addition to a full schedule of technical, social and policy talks, DebConf provides an opportunity for developers, contributors and other interested people to meet in person and work together more closely. It has taken place annually since 2000 in locations as varied as Scotland, Argentina, and Bosnia and Herzegovina. More information about DebConf is available from

About Lenovo

As a global technology leader manufacturing a wide portfolio of connected products, including smartphones, tablets, PCs and workstations as well as AR/VR devices, smart home/office and data center solutions, Lenovo understands how critical open systems and platforms are to a connected world.

About Infomaniak

Infomaniak is Switzerland\'s largest web-hosting company, also offering backup and storage services, solutions for event organizers, live-streaming and video on demand services. It wholly owns its datacenters and all elements critical to the functioning of the services and products provided by the company (both software and hardware).

About ITP Prizren

Innovation and Training Park Prizren intends to be a changing and boosting element in the area of ICT, agro-food and creatives industries, through the creation and management of a favourable environment and efficient services for SMEs, exploiting different kinds of innovations that can contribute to Kosovo to improve its level of development in industry and research, bringing benefits to the economy and society of the country as a whole.

About Google

Google is one of the largest technology companies in the world, providing a wide range of Internet-related services and products such as online advertising technologies, search, cloud computing, software, and hardware.

Google has been supporting Debian by sponsoring DebConf for more than ten years, and is also a Debian partner sponsoring parts of Salsa's continuous integration infrastructure within Google Cloud Platform.

Contact Information

For further information, please visit the DebConf22 web page at or send mail to

Worse Than FailureCodeSOD: Tying Two Strings

Lets say you have a simple problem. You have a string variable, and you'd like to store that string in another variable. You have a vague understanding of string immutability and something about the way references work in C#, but you don't really understand any of that. So, what do you do?

Well, if you're Tina's co-worker, you do this:

expiresIn = $"{accessToken.ExpiresIn}"

Now, the "advantage" of this is that it creates a new string object. So expiresIn holds a reference to a different piece of memory than accessToken.ExpiresIn. Is that valuable? Not in this case. expiresIn is a local variable that goes out of scope well before accessToken does.

The worst part? This co-worker tends to do this by default when assigning strings to variables, even inside of loops, which means there are a lot of unnecessary string copies going on, and thus a lot of extra garbage collection. And in the end, for no real benefit.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!


Cory DoctorowWhy none of my books are available on Audible

An anti-pickpocketing graphic featuring a stick figure reaching into an adjacent stick-figure's shoulder-bag. The robber's chest is emblazoned with an Amazon 'a' logo. The victim's chest is emblazoned with an icon of a fountain-pen. The robber's face has an Amazon 'smile' logo. The victim's face has an inverted Amazon 'smile' logo (and is thus frowning). Beneath these two figures is a wordmark reading 'Audible: Am Amazon Company.'

This week on my podcast, I read “Why none of my books are available on Audible,”
a short audiobook I produced to be distributed through Amazon’s ACX platform, explaining how that platform’s sloppy rights verification and mandatory DRM screws over writers.


(Image: Paris 16, CC BY-SA 4.0; Dmitry Baranovskiy, CC BY 4.0; modified)

David BrinSpace news: from supermassive black holes to asteroids

Okay, let's gat back to spaaaace!  So many reasons to be enthusiastic and to see our shared accomplishments out there as signs of real civilization, down here on Earth... a civilization worth saving.  Plus a few causes for cynicism, alas.

The biggest news: we've received the first vivid images from the James Webb Space Telescope. (The Carina Nebula in spectacular detail shown to the right.) The Webb has produced phenomenal high-resolution images of deep space: galaxies, star clusters, and nebulae - with a promise of more spectacular images  to come!

== Dealing (or not) With Dangers! ==

Breakthrough methods pioneered by the B612 Foundation are finding hundreds of asteroids - some of them dangerous - by mining past data sets. A great way for a small foundation to amplify the more expensive projects funded by governments. Small enough and effective enough to perhaps merit your support. (I am on the B612 advisory board.) 

A Very Long Baseline radio telescope array (I worked for one of the first VLBI systems one summer, in 1969) spanning the entire Earth - the Event Horizon Telescope - has imaged the supermassive black hole - Sagittarius A* - at the center of the Milky Way galaxy. 

Taking the Sagittarius A* image (shown to the left) was like capturing a photo of a grain of salt in New York City using a camera in Los Angeles, according to California Institute of Technology researchers. 

Somewhat smaller… Astronomers believe that 100 million free-floating black holes – largely left over from supernovas - roam our galaxy. Now, after dedicating six years to observations, astronomers apparently found one about  5,000 light years away, located in another spiral arm of the Milky Way.  And with gravitational lensing, they made a precise mass measurement of the extreme cosmic object, which might possibly be ‘only’ a neutron star. 

Meanwhile, Europe’s legendary GAIA space telescope has been an absolute treasure for science, concentrating first on measuring parallax and proper motions of millions of stars near us, then gathering color/spectral data on billions more - – about 1% of the total number in the galaxy – and are allowing astronomers to reconstruct our home galaxy’s structure and find out how it has evolved over billions of years.

You are a member of a civilization that does this kind of thing.

== Back in your SSR backyard – Your Solar System Region! ==

Meanwhile, we keep being inspired by the great Perseverance/Ingenuity mission. The little 'copter snapped these closeups of the now-standard and reliable sky-crane landing system, whose components seem to have crashed more durably than expected.

It makes one wonder: Would it really be that hard to enable these other bits to land softly enough to serve some purpose? Say as a weather station? The rocket+crane bit, especially. It must fly away from the main cargo/rover, sure. But how hard would it be to throttle the remaining fuel-seconds to set down with a simple weather sensors + transmitter? Use up the safety margin!

Anyway, Perseverance and Ingenuity keep surprising us! Like this ballyhooed “doorway” in the face of a cliffOh, I totally believe it is a natural fissure... but still, they really need to drive up and get a closer look. One Earth, clean vertical cleavages, like railroad cuts - were key to the sudden emergence of both geology and paleontology.

Phobos could possibly be among the most valuable pieces of real estate in the solar system, if there are volatiles under the surface that can be turned into water and fuel.  See the gorgeous images of Phobos eclipsing the sun, taken by the Perseverance rover!

We know that the magnetic poles of our planet sometimes drift (as today the North Magnetic Pole  is rapidly moving to Siberia) and occasionally quell or even flip.  Now comes speculation that such flips can happen on a massive scale, even to the monster black hole at the center of a galaxy 250 million light years away.

Farther out: The Decadal Survey of NASA advisors has recommended priority be given to… Uranus!

And emerging from some of our old grants at NIAC… the Da Vinci+ probe will try to repeat what Cassini-Huygens did for Titan, only for Venus! I wish the descender-probe had a slow-down balloon, but this will still be… well, not cool. Hot!  At the end of the decade.

And Truly far-out… if within reach… You’ve seen me tout NASA's Innovative & Advanced Concepts program - (NIAC) – on whose advisory council I serve. Look at their tiny seed grants to research concepts JUST this side of science fiction. These are fun, engaging, STEM books for grades 4-8 about the science and researchers behind the NIAC program. It includes information about their lives as young children and their inspiration. Produced in partnership with World Book, Inc., they recently won an award from the American Library Association (ALA). A third series is in early development. The two series help to support a big part of what we do as an early stage technology program- to inspire the next generation of scientists and innovators, children who may eventually be running NASA missions 20 years from now. You are welcome to view the sixteen Out of This World books online here:

Series 1 Out of This World includes titles such as Asteroid: Harpooning Hitcher, Land-Sailing Venus Rover and Laser-Sailing Starships. All available online!

and Series 2 Out of this World includes Fusion-Powered Spacecraft, Martian Cave Colonies, Solar-Surfing Space Probes and many more, also available online.

Read some of these then look around... and have some confidence.

Planet DebianSteinar H. Gunderson: AV1 live streaming: Exploring SVT-AV1 rate control

I'm looking into AV1 live streaming these days; it's still very early, but it looks like enough of the required parts may finally align, and it seems it's the way I'll have to go to get to that next quality level. (Specifically, I'd like to go from 720p60 to 1080p60 for sports, and it seems this is hard to do under H.264 as-is without making pretty big concessions in terms of artifacts/smudges, or else jack up the bitrate so much that clients will start having viewing problems.)

After some brief testing, it seems SVT-AV1 is the obvious choice; if you've got the cores, it produces pretty good-looking 10-bit AV1 using less CPU time than x264 veryfast (!), possibly mostly due to better parallelization. But information about using it for live streaming was hard to find, and asking online turned up zero useful information. So I did some practical tests for live-specific issues, starting with rate control.

First of all, we need to identify which problem we want to solve. For a live stream, there are two good reasons to have good rate control:

  • Bandwidth costs money, both for ourselves and for the client.
  • The client should be able to watch the stream without buffering.

The former is about long-term averages, the latter is about short-term averages. Usually, we ignore the former and focus mostly on the latter (especially since solving the latter will keep the former mostly or completely in check).

My testing is empirical and mostly a spot-check; I don't have a large library of interesting high-quality video, nor do I have the patience to run through it. As sample clip, I chose the first 60 seconds (without audio) of cathodoluminescence by mfx and holon; it is a very challenging clip both encoding- and rate control-wise (it goes from all black to spinning and swooshing things with lots of noise on top, with huge complexity swings on the order of seconds), and I happened to have a high-quality 1080p60 recording that I could use as a master. We'll encode this to match a hypothetical 3 Mbit/sec viewer, to really give the encoder a run for its money. Most clips will be much easier than this, but there's always more to see in the hard cases than the easy ones.

First, let's check what happens without rate control; I encoded the clip using SVT-AV1 at preset 10, which is comfortably realtime on my 28-core Broadwell. (I would assume it's also good at my 16-core Zen 3, since it is much higher clocked, but I haven't checked.) I used constant quantizer, ie., there is no rate control at all; every frame, easy or hard, is encoded at the same quality. (I encoded the clip several times with different quantizers to find one that got me close to 3000 kbit/sec. Obviously, in a real-time scenario, we would have no such luxury.) With the addition of FFmpeg as the driver and some Perl to analyze it afterwards, this is what I got:

Flags: -c:v libsvtav1 -pix_fmt yuv420p10le -preset 10 -qp 54

Histogram of rates over 1-second blocks:

  250  ********
  750  *****************
 1250  ***********
 1750  ******
 2250  ***
 2750  ***
 3250  *
 3750  *
 4250  *****
----- ----- ----- ----- -----
 9250  *
13250  *
17750  **
35250  *

Min:    11 kbit/sec
Max: 35020 kbit/sec
Avg:  2914 kbit/sec

Primitive VBV with 3000 kbit max buffer (starting at 100% full), 3000 kbit/sec network:

Buffer minimum fill:        0 kbit
Time stalled:           25448 ms
Time with full buffer:  27157 ms

VMAF:                   57.39

Some explanations are in order here. What I've done is pretty simplistic; chop the resulting video into one-second blocks, and then measure how many bytes those are. You can see that even though the average bit rate is near our 3000 kbit/sec target, the majority of the time is actually spent around 500–1500 kbit/sec. But some seconds are huge outliers; up to 29 Mbit/sec.

The next section is my toy VBV (video buffer verifier), which simulates a client downloading at a constant 3000 kbit/sec rate (as long as the buffer, set to one second, has room for it) and playing frames according to their timestamps. We can see that even though we're below the target bitrate, we spend a whopping 25 seconds buffering—for a 60 second clip! This is because most of the time, our buffer sits there comfortably full, which is blocking mor downloads until we get to those problematic sections where the bitrate goes sky-high, and we fall behind really quickly. (Why not allow our buffer to go more-than-full, which would fix the problem? Well, first of all, this assumes the encoder has a huge delay so that it could actually feed data for those frames way ahead of play time, or they would simply not exist yet. Second, what about clients that joined in the middle of the stream?)

Note that my VBV script is not a standards-compliant verifier (e.g. it doesn't really take B-frames into account), so you'll need to take it with a grain of salt; still, it's a pretty good proxy for what's going on.

OK, so let's now test what happens with a known-good case; we encode with x264 and CBR settings matching our VBV:

Flags: -c:v libx264 -pix_fmt yuv420p10le -preset veryfast -x264-params "nal-hrd=cbr"
       -b:v 3M -minrate 3M -maxrate 3M -bufsize 3M

Histogram of rates over 1-second blocks:

 2250  *****
 2750  *******************
 3250  *******************************
 3750  *****

Min:  2032 kbit/sec
Max:  3968 kbit/sec
Avg:  2999 kbit/sec

Primitive VBV with 3000 kbit max buffer (starting at 100% full), 3000 kbit/sec network:

Buffer minimum fill:     1447 kbit
Time stalled:               0 ms
Time with full buffer:    128 ms

VMAF:                   50.29

This is spot-on. The global average is within 1 kbit/sec of what we asked for, each second is nicely clustered around our range, and we never stall. In fact, our buffer hardly goes past half-full. (Don't read too much into the VMAF numbers, as I didn't ask either codec to optimize for visual quality. Still, it's not unexpected that we get higher values for AV1, and that neither codec really manages to good quality at these rates.)

Going back to AV1, we now move from constant quantizer to asking for a given bitrate. SVT-AV1 defaults to one-pass VBR, so we'll see what happens if we just give it a bitrate:

Flags: -c:v libsvtav1 -pix_fmt yuv420p10le -preset 10 -b:v 3M

Histogram of rates over 1-second blocks:

  250  **
  750  *******
 1250  **********
 1750  *****
 2250  **********
 2750  ************
 3250  ****
 4250  *****
 4750  *
 5250  *
 5750  **
----- ----- ----- ----- -----
 7250  *

Min:    10 kbit/sec
Max:  7212 kbit/sec
Avg:  2434 kbit/sec

Primitive VBV with 3000 kbit max buffer (starting at 100% full), 3000 kbit/sec network:

Buffer minimum fill:        0 kbit
Time stalled:            3207 ms
Time with full buffer:  14639 ms

VMAF:                   61.81

It's not fantastic for streaming purposes (it's not designed for it either!), but it's much better than constant QP; the global average undershot a fair amount, and we still have some outliers causing stalls, but much less. Perhaps surprisingly, VMAF is significantly higher compared to constant QP (now roughly in “fair quality” territory), even though the overall rate is lower; the average frame just is much more important for quality. (Note that SVT-AV1 is not deterministic if you are using multithreading and rate control together, so if you run a second time, you could get different results.)

There is a “max bit rate” flag, too, but it seems not to do much for this clip (I don't even know if it's relevant for anything except capped CRF?), so I won't bore you with an identical set of data. Instead, let's try the CBR mode added in 1.0.0 (rc=2):

Svt[warn]: CBR Rate control is currently not supported for PRED_RANDOM_ACCESS, switching to VBR

Uh, OK. Switching to PRED_LOW_DELAY_B, then (pred-struct=1, helpfully undocumented):

Svt[warn]: Forced Low delay mode to use HierarchicalLevels = 3
Svt[warn]: Instance 1: The low delay encoding mode is a work-in-progress
project, and is only available for demos, experimentation, and further
development uses and should not be used for benchmarking until fully
Svt[warn]: TPL is disabled in low delay applications.
Svt[info]: Number of logical cores available: 3

Ugh. So we're into experimental land, no TPL (SVT-AV1's variant of x264's mb-tree), and a maximum of three cores used. This means CBR is much slower; less than half the speed or so in these tests, and below the realtime threshold on this machine unless I reduce the preset. Still, let's see what it produces:

Flags: -c:v libsvtav1 -pix_fmt yuv420p10le -preset 10 -b:v 3M
       -svtav1-params pred-struct=1:rc=2

Histogram of rates over 1-second blocks:

  250  **
  750  *
 1250  *
 1750  ***
 2250  *********
 2750  ********************
 3250  ****************
 3750  *
 4250  ***
----- ----- ----- ----- -----
 6250  *
 6750  *
 7250  *
 7750  *

Min:    42 kbit/sec
Max:  7863 kbit/sec
Avg:  2998 kbit/sec

Primitive VBV with 3000 kbit max buffer (starting at 100% full), 3000 kbit/sec network:

Buffer minimum fill:        0 kbit
Time stalled:            4970 ms
Time with full buffer:   5522 ms

VMAF:                   61.53

This is not quite what we expected. The global average is now spot-on, but we are still bothered with outliers—and we're having more stalls than with the VBR mode (possibly because the lower bitrate overall helped a bit). Also note that the VMAF is no better, despite using more bitrate!

I believe these stalls point to a bug or shortcoming in SVT-AV1's CBR mode, so I've reported it, and we'll see what happens. But still, the limitations the low-delay prediction structure imposes on us (with associated quality loss) makes this a not terribly attractive option; it seems that this mode is a bit too new for serious use (perhaps not surprising, given the warnings it spits out).

So what is the best bet? I'd say that currently (as of git master, soon-to-be 1.2.0), it is using the default one-pass VBR mode (two-pass VBR obviously is a no-go for live streaming). Yes, it will fail VBV sometimes, but in practice, clients will usually have some headroom; again, we tune our bit rates lower than we'd need if buffering were our only constraint (to reduce people's bandwidth bills). It would be interesting to see how this pans out across a larger set of clips at some point; after all, most content isn't nearly as tricky as this.

There is still lots of exploration left to do; in particular, muxing the stream and getting it to actually play in browsers will be… fun? More to come, although I can't say exactly when.


Planet DebianWouter Verhelst: Planet Grep now running PtLink

Almost 2 decades ago, Planet Debian was created using the "planetplanet" RSS aggregator. A short while later, I created Planet Grep using the same software.

Over the years, the blog aggregator landscape has changed a bit. First of all, planetplanet was abandoned, forked into Planet Venus, and then abandoned again. Second, the world of blogging (aka the "blogosphere") has disappeared much, and the more modern world uses things like "Social Networks", etc, making blogs less relevant these days.

A blog aggregator community site is still useful, however, and so I've never taken Planet Grep down, even though over the years the number of blogs that was carried on Planet Grep has been reducing. In the past almost 20 years, I've just run Planet Grep on my personal server, upgrading its Debian release from whichever was the most recent stable release in 2005 to buster, never encountering any problems.

That all changed when I did the upgrade to Debian bullseye, however. Planet Venus is a Python 2 application, which was never updated to Python 3. Since Debian bullseye drops support for much of Python 2, focusing only on Python 3 (in accordance with python upstream's policy on the matter), that means I have had to run Planet Venus from inside a VM for a while now, which works as a short-term solution but not as a long-term one.

Although there are other implementations of blog aggregation software out there, I wanted to stick with something (mostly) similar. Additionally, I have been wanting to add functionality to it to also pull stuff from Social Networks, where possible (and legal, since some of these have... scary Terms Of Use documents).

So, as of today, Planet Grep is no longer powered by Planet Venus, but instead by PtLink. Rather than Python, it was written in Perl (a language with which I am more familiar), and there are plans for me to extend things in ways that have little to do with blog aggregation anymore...

There are a few other Planets out there that also use Planet Venus at this point -- Planet Debian and Planet FSFE are two that I'm currently already aware of, but I'm sure there might be more, too.

At this point, PtLink is not yet on feature parity with Planet Venus -- as shown by the fact that it can't yet build either Planet Debian or Planet FSFE successfully. But I'm not stopping my development here, and hopefully I'll have something that successfully builds both of those soon, too.

As a side note, PtLink is not intended to be bug compatible with Planet Venus. For one example, the configuration for Planet Grep contains an entry for Frederic Descamps, but somehow Planet Venus failed to fetch his feed. With the switch to PtLink, that seems fixed, and now some entries from Frederic seem to appear. I'm not going to be "fixing" that feature... but of course there might be other issues that will appear. If that's the case, let me know.

If you're reading this post through Planet Grep, consider this a public service announcement for the possibility (hopefully a remote one) of minor issues.


Planet DebianAigars Mahinovs: Debconf 22 photos

Finally after a long break, the in-person Debconf is a thing again, this time Debconf 22 is happening in Prizren, Kosovo.

And it has been my pleasure to again be here and take lots of pictures of the event and of the surroundings.

The photos can be found in this Google Photo shared album and also on this git-lfs share.

But the main photographic delight, as always is the DebConf 22 Group Photo. And here it is!!!

DebConf 22 Group photo small

You can also see it in:

Worse Than FailureError'd: Untimely Ripp'd

This week we bring you a whole set of submissions that prove, once again, that web programmers just can't keep track of time. But first, a sop with a regular. Is a flying NaN safer than a Camel? I wouldn't recommend making either a habit.

Friend Argle right, submissions to Error'd from actual desktop applications are rare. He explanes "I routinely expect this from websites. I did NOT expect to find it in MSFS. It came up when I deleted all the digits." Good for you, Mr. B. I can't type a lick without digits.



This week, johng shared us a headscratcher. He explains it thus: "Well, we all knew that the timeloop was coming but apparently the timeloop already occurred in 2020 (huh, pandemic you say?), so is ahead of us here and lists the devices where you've logged in and enabled push notifications, ordered by timeloop stamp." I can't figure out how they did this.



A bad movie fan, wisely anonymous, suspects his taste in cinema may degrade in his dotage. "I wonder how much $19.99 will be worth in 977 years when I finally see the movie. At least there's a bonus."



Nostalgia for his youth lead Michael to first seek, then shun a classic film. "Do I feel lucky^H^H^H^H^Hold?", he asked rhetorically. Well? Do you, punk?



Finally, antiquarian AJ found a rare copy of a moldy manga at Amazon. "Sadly this old manga is currently not available, but I hear even Napoleon liked it." Who knew?



[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!


Krebs on SecurityMassive Losses Define Epidemic of ‘Pig Butchering’

U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

The term “pig butchering” refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter.

“The fraud is named for the way scammers feed their victims with promises of romance and riches before cutting them off and taking all their money,” the Federal Bureau of Investigation (FBI) warned in April 2022. “It’s run by a fraud ring of cryptocurrency scammers who mine dating apps and other social media for victims and the scam is becoming alarmingly popular.”

As documented in a series of investigative reports published over the past year across Asia, the people creating these phony profiles are largely men and women from China and neighboring countries who have been kidnapped and trafficked to places like Cambodia, where they are forced to scam complete strangers over the Internet — day after day.

The most prevalent pig butchering scam today involves sophisticated cryptocurrency investment platforms, where investors invariably see fantastic returns on their deposits — until they try to withdraw the funds. At that point, investors are told they owe huge tax bills. But even those who pay the phony levies never see their money again.

The come-ons for these scams are prevalent on dating sites and apps, but they also frequently start with what appears to be a wayward SMS — such as an instant message about an Uber ride that never showed. Or a reminder from a complete stranger about a planned meetup for coffee. In many ways, the content of the message is irrelevant; the initial goal to simply to get the recipient curious enough to respond in some way.

Those who respond are asked to continue the conversation via WhatsApp, where an attractive, friendly profile of the opposite gender will work through a pre-set script that is tailored to their prey’s apparent socioeconomic situation. For example, a divorced, professional female who responds to these scams will be handled with one profile type and script, while other scripts are available to groom a widower, a young professional, or a single mom.


That’s according to Erin West, deputy district attorney for Santa Clara County in Northern California. West said her office has been fielding a large number of pig butchering inquiries from her state, but also from law enforcement entities around the country that are ill-equipped to investigate such fraud.

“The people forced to perpetrate these scams have a guide and a script, where if your victim is divorced say this, or a single mom say this,” West said. “The scale of this is so massive. It’s a major problem with no easy answers, but also with victim volumes I’ve never seen before. With victims who are really losing their minds and in some cases are suicidal.”

West is a key member of REACT, a task force set up to tackle especially complex forms of cyber theft involving virtual currencies. West said the initial complaints from pig butchering victims came early this year.

“I first thought they were one-off cases, and then I realized we were getting these daily,” West said. “A lot of them are being reported to local agencies that don’t know what to do with them, so the cases languish.”

West said pig butchering victims are often quite sophisticated and educated people.

“One woman was a university professor who lost her husband to COVID, got lonely and was chatting online, and eventually ended up giving away her retirement,” West recalled of a recent case. “There are just horrifying stories that run the gamut in terms of victims, from young women early in their careers, to senior citizens and even to people working in the financial services industry.”

In some cases reported to REACT, the victims said they spent days or weeks corresponding with the phony WhatsApp persona before the conversation shifted to investing.

“They’ll say ‘Hey, this is the food I’m eating tonight’ and the picture they share will show a pretty setting with a glass of wine, where they’re showcasing an enviable lifestyle but not really mentioning anything about how they achieved that,” West said. “And then later, maybe a few hours or days into the conversation, they’ll say, ‘You know I made some money recently investing in crypto,’ kind of sliding into the topic as if this wasn’t what they were doing the whole time.”

Curious investors are directed toward elaborate and official-looking online crypto platforms that appear to have thousands of active investors. Many of these platforms include extensive study materials and tutorials on cryptocurrency investing. New users are strongly encouraged to team up with more seasoned investors on the platform, and to make only small investments that they can afford to lose.

The now-defunct homepage of xtb-market[.]com, a scam cryptocurrency platform tied to a pig butchering scheme.

“They’re able to see some value increase, and maybe even be allowed to take out that value increase so that they feel comfortable about the situation,” West said. Some investors then need little encouragement to deposit additional funds, which usually generate increasingly higher “returns.”

West said many crypto trading platforms associated with pig butchering scams appear to have been designed much like a video game, where investor hype is built around upcoming “trading opportunities” that hint at even more fantastic earnings.

“There are bonus levels and VIP levels, and they’ll build hype and a sense of frenzy into the trading,” West said. “There are definitely some psychological mechanisms at work to encourage people to invest more.”

“What’s so devastating about many of the victims is they lose that sense of who they are,” she continued. “They thought they were a savvy, sophisticated person, someone who’s sort of immune to scams. I think the large scale of the trickery and psychological manipulation being used here can’t be understated. It’s like nothing I’ve seen before.”

A $5,000,000 LOSS

Courtney Nolan, a divorced mother of three daughters, says she lost more than $5 million to a pig butchering scam. Nolan lives in St. Louis and has a background in investment finance, but only started investing in cryptocurrencies in the past year.

Nolan’s case may be especially bad because she was already interested in crypto investing when the scammer reached out. At the time, Bitcoin was trading at or near all-time highs of nearly $68,000 per coin.

Nolan said her nightmare began in late 2021 with a Twitter direct message from someone who was following many of the same cryptocurrency influencers she followed. Her fellow crypto enthusiast then suggested they continue their discussion on WhatsApp. After much back and forth about his trading strategies, her new friend agreed to mentor her on how to make reliable profits using the crypto trading platform

“I had dabbled in leveraged trading before, but his mentor program gave me over 100 pages of study materials and agreed to walk me through their investment strategies over the course of a year,” Nolan told KrebsOnSecurity.

Nolan’s mentor had her create an account website xtb-market[.]com, which was made to be confusingly similar to XTB’s official platform. The site promoted several different investment packages, including a “starter plan” that involves a $5,250 up-front investment and promises more than 15 percent return across four separate trading bursts.

Platinum plans on xtb-market promised a whopping 45 percent ROI, with a minimum investment of $265,000. The site also offered a generous seven percent commission for referrals, which encouraged new investors to recruit others.

The now-defunct xtb-market[.]com.

While chatting via WhatsApp, Nolan and her mentor would trade side by side in xtb-market, initially with small investments ranging from $500 to $5,000. When those generated hefty returns, Nolan made bigger deposits. On several occasions she was able to withdraw amounts ranging from $10,000 to $30,000.

But after investing more than $4.5 million of her own money over nearly four months, Nolan found her account was suddenly frozen. She was then issued a tax statement saying she owed nearly $500,000 in taxes before she could reactivate her account or access her funds.

Nolan said it seems obvious in hindsight that she should never have paid the tax bill. Because xtb-market and her mentor cut all communications with her after that, and the entire website disappeared just a few weeks later.

Justin Maile, an investigation partner manager at Chainalysis, told Vice News that the tax portion of the pig butchering scam relies on the “sunk costs fallacy,” when people are reluctant to abandon a failing strategy or course of action because they have already invested heavily in it.

“Once the victim starts getting skeptical or tries to withdraw their funds, they are often told that they have to pay tax on the gains before funds can be unlocked,” Maile told Vice News. “The scammers will try to get any last payments out of the victims by exploiting the sunk cost fallacy and dangling huge profits in front of them.”

Vice recently published an in-depth report on pig butchering’s link to organized crime gangs in Asia that lure young job seekers with the promise of customer service jobs in call centers. Instead, those who show up at the appointed place and time are taken on long car rides and/or forced hikes across the borders into Cambodia, where they are pressed into indentured servitude.

Vice found many of the people forced to work in pig-butchering scams are being held in Chinese-owned casinos operating in Cambodia. Many of those casinos were newly built when the Covid pandemic hit. As the new casinos and hotels sat empty, organized crime groups saw an opportunity to use these facilities to generate huge income streams, and many foreign travelers stranded in neighboring countries were eventually trafficked to these scam centers.

Vice reports:

“While figures on the number of people in scam centers in Cambodia is unknown, best estimates pieced together from various sources point to the tens of thousands across scam centers in Sihanoukville, Phnom Penh, and sites in border regions Poipet and Bavet. In April, Thailand’s assistant national police commissioner said 800 Thai citizens had been rescued from scam centers in Cambodia in recent months, with a further 1,000 citizens still trapped across the country. One Vietnamese worker estimated 300 of his compatriots were held on just one floor in a tall office block hosting scam operations.”

“…within Victory Paradise Resort alone there were 7,000 people, the majority from mainland China, but also Indonesians, Singaporeans and Filipinos. According to the Khmer Times, one 10-building complex of high-rises in Sihanoukville, known as The China Project, holds between 8,000 to 10,000 people participating in various scams—a workforce that would generate profits around the $1 billion mark each year at $300 per worker per day.”


REACTs’ West said while there are a large number of pig butchering victims reporting their victimization to the FBI, very few are receiving anything more than instructions about filing a complaint with the FBI’s Internet Crime Complaint Center (IC3), which keeps track of cybercrime losses and victims.

“There’s a huge gap in victims that are seeing any kind of service at all, where they’re reporting to the FBI but not being able to talk to anyone,” she said. “They’re filling out the IC3 form and never hearing back. It sort of feels like the federal government is ignoring this, so people are going to local agencies, which are sending these victims our way.”

For many younger victims of pig butchering, even losses of a few thousand dollars can be financially devastating. KrebsOnSecurity recently heard from two different readers who said they were in their 20s and lost more than $40,000 each when the investment platforms they were trading on vanished with their money.

The FBI can often bundle numerous IC3 complaints involving the same assailants and victims into a single case for federal prosecutors to pursue the guilty, and/or try to recapture what was stolen. In general, however, victims of crypto crimes rarely see that money again, or if they do it can take many years.

“The next piece is what can we actually do with these cases,” West said. “We used to frame success as getting bad people behind bars, but these cases leave us as law enforcement with not a lot of opportunity there.”

West said the good news is U.S. authorities are seeing some success in freezing cryptocurrency wallets suspected of being tied to large-scale cybercriminal operations. Indeed, Nolan told KrebsOnSecurity that her losses were substantial enough to warrant an official investigation by the FBI, which she says has since taken steps to freeze at least some of the assets tied to xtb-market[.]com.

Likewise, West said she was recently able to freeze cryptocurrency funds stolen from some pig butchering victims, and now REACT is focusing on helping state and local authorities learn how to do the same.

“It’s important to be able to mobilize quickly and know how to freeze and seize crypto and get it back to its rightful owner,” West said. “We definitely have made seizures in cases involving pig butchering, but we haven’t gotten that back to the rightful owners yet.”

In April, the FBI warned Internet users to be on guard against pig butchering scams, which it said attracts victims with “promises of romance and riches” before duping them out of their money. The IC3 said it received more than 4,300 complaints related to crypto-romance scams, resulting in losses of more than $429 million.

Here are some common elements of a pig butchering scam:

Dating apps: Pig-butchering attempts are common on dating apps, but they can begin with almost any type of communication, including SMS text messages.
WhatsApp: In virtually all documented cases of pig butchering, the target is moved fairly quickly into chatting with the scammer via WhatsApp.
No video: The scammers will come up with all kinds of excuses not to do a video call. But they will always refuse.
Investment chit-chat: Your contact (eventually) claims to have inside knowledge about the cryptocurrency market and can help you make money.

The FBI’s tips on avoiding crypto scams:

-Never send money, trade, or invest based on the advice of someone you have only met online.
-Don’t talk about your current financial status to unknown and untrusted people.
-Don’t provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.
-If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable.
-Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast.

Cryptogram Critical Vulnerabilities in GPS Trackers

This is a dangerous vulnerability:

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.

These are computers and computer vulnerabilities, but because the computers are attached to cars, the vulnerabilities become potentially life-threatening. CISA writes:

These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

I wouldn’t have buried “vehicle control” in the middle of that sentence.

Worse Than FailureCodeSOD: Compiling Datasets

Managing datasets is always a challenging task. So when Penny's co-worker needed to collect a pile of latitude/longitude positions from one dataset and prepare it for processing in a C++ program, that co-worker turned to the tools she knew best. Python and C++.

Now, you or I might have dumped this data to a CSV file. But this co-worker is more… performance minded than us. So the Python script didn't generate a CSV file. Or a JSON document. Or any standard data file. No, that Python script generated a C++ file.

// scraped using const std::vector<GpsPt> route_1 = { { 35.6983464357, -80.4201474895}, { 35.6983464403, -80.4201474842}, // several hundred more lines like this }; const std::vector<GpsPt> route_2 = { { 35.8693464357, -80.1420474895}, { 35.8693464392, -80.1420474821}, // another thousand lines }; // more routes like this

Now, there are clear advantages to compiling in thousands of data-points instead of reading in data from a data file. First, no one can easily change the data points once you've built your code, which means no one can corrupt your data or make the file invalid easily. Second, the runtime performance is going to be significantly better and your compilation will be much slower, encouraging developers to think more carefully about their code before they hit that compile button.

I think this is the future of high performance computing, right here. No more are we going to pay the high costs of parsing data and letting it change without recompilation. Burn that data into your code.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!


Planet DebianAntoine Beaupré: Relaying mail through

Back in 2020, I wrote this article about using DKIM to sign outgoing mail. This worked well for me for a while: outgoing mail was signed with DKIM and somehow was delivered. Maybe. Who knows.

But now we have a relay server which makes this kind of moot. So I have changed my configuration to use that relay instead of sending email on my own. It seems more reliable that mail seems to be coming from a real machine, so I'm hoping this will have better reputation than my current setup.

In general, you should follow the DSA documentation which includes a Postfix configuration. In my case, it was basically this patch:

diff --git a/postfix/ b/postfix/
index 7fe6dd9e..eabe714a 100644
--- a/postfix/
+++ b/postfix/
@@ -55,3 +55,4 @@ smtp_sasl_security_options =
 smtp_sender_dependent_authentication = yes
 sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
 sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
diff --git a/postfix/sender_relay b/postfix/sender_relay
index b486d687..997cce19 100644
--- /dev/null
+++ b/postfix/sender_relay
@@ -0,0 +1,2 @@
+# Per-sender provider; see also /etc/postfix/sasl_passwd.    []:submission
diff --git a/postfix/sender_transport b/postfix/sender_transport
index ca69bc7a..c506c1fc 100644
--- /dev/null
+++ b/postfix/sender_transport
@@ -0,0 +1,1 @@     smtp:
diff --git a/postfix/tls_policy b/postfix/tls_policy
new file mode 100644
index 00000000..9347921a
--- /dev/null
+++ b/postfix/tls_policy
@@ -0,0 +1,1 @@   verify ciphers=high

This configuration differs from the one provided by DSA because I already had the following configured:

sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous

I also don't show the patch on /etc/postfix/sasl_passwd for obvious security reasons.

I also had to setup a tls_policy map, because I couldn't use dane for all my remotes. You'll notice I also had to setup a sender_transport because I use a non-default default_transport as well.

It also seems like you can keep the previous DKIM configuration in parallel with this one, as long as you don't double-sign outgoing mail. Since this configuration here is done on my mail client (i.e. not on the server where I am running OpenDKIM), I'm not double-signing so I left the DKIM configuration alone. But if I wanted to remove it, the magic command is:

echo "del dkimPubKey" | gpg --clearsign | mail

Cryptogram Russia Creates Malware False-Flag App

The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

The hackers pretended to be a “community of free people around the world who are fighting russia’s aggression”—much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard. To add more credibility to the ruse they hosted the app on a domain “spoofing” the Azov Regiment: cyberazov[.]com.


The app actually didn’t DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntely.


Google said the fake app wasn’t hosted on the Play Store, and that the number of installs “was miniscule.”

Details from Google’s Threat Analysis Group here.

Worse Than FailureCodeSOD: Double Narcissism

In mythology, Narcissus was so enraptured by his own beauty that he turned away all potential lovers until he came across a still pool of water. Upon spying his reflection, he fell in love and remained there for the rest of his life. After his death, a narcissus flower grew in his place- a daffodil or jonquil.

One important element of Narcissus's myth is that while yes, he was incredibly self-absorbed, he was also beautiful. That's less true for this C# code from frequent commenter Sole Purpose Of Visit. There is nothing beautiful about this code.

namespace Initrode.Extensions { public class PhbDouble { protected double m_Value; public PhbDouble(double avalue); public double Value { get; set; } public static PhbDouble Create(double avalue); } }

Now, it's easy to see that this is a useless wrapper class around a double. But what of that Phb on the front? Well this is anonymized, but in the original code, those were the developer's initials. Every class this developer wrote was tagged Phb. Every single one.

Sole Purpose Of Visit adds:

And no, there is/was no such thing as PhbInt or (rather sadly) a PhbBool.

The "signature" does, Sole assures us, "make it nice and easy to delete all his code".

Delete away.

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

Planet DebianEnrico Zini: Deconstruction of the DAM hat

Further reading

Talk notes


  • I'm not speaking for the whole of DAM
  • Motivation in part is personal frustration, and need to set boundaries and negotiate expectations

Debian Account Managers

  • history

Responsibility for official membership

  • approve account creation
  • manage the New Member Process and
  • close MIA accounts
  • occasional emergency termination of accounts
  • handle Emeritus
  • with lots of help from FrontDesk and MIA teams (big shoutout)

What DAM is not

  • we are not mediators
  • we are not a community management team
  • a list or IRC moderation team
  • we are not responsible for vision or strategic choices about how people are expected to interact in Debian
  • We shouldn't try and solve things because they need solving

Unexpected responsibilities

  • Over time, the community has grown larger and more complex, in a larger and more complex online environment
  • Enforcing the Diversity Statement and the Code of Conduct
  • Emergency list moderation
    • we have ended up using DAM warnings to compensate for the lack of list moderation, at least twice
  • (mostly only because of me, but it would be good to have its own team)

DAM warnings

  • except for rare glaring cases, patterns of behaviour / intentions / taking feedback in, are more relevant than individual incidents
  • we do not set out to fix people. It is enough for us to get people to acknowledge a problem
    • if they can't acknowledge a problem they're probably out
    • once a problem is acknowledged, fixing it could be their implementation detail
    • then again it's not that easy to get a number of troublesome people to acknowledge problems, so we go back to the problem of deciding when enough is enough

DAM warnings?

  • I got to a point where I look at DAM warnings as potential signals that DAM has ended up with the ball that everyone else in Debian dropped.
  • DAM warning means we haven't gotten to a last resort situation yet, meaning that it probably shouldn't be DAM dealing with this at this point
  • Everyone in the project can write a person "do you realise there's an issue here? Can you do something to stop?", and give them a chance to reflect on issues or ignore them, and build their reputation accordingly.
  • People in Debian should not have to endure, completey powerless, as trolls drag painful list discussions indefinitely until all the trolled people run out of energy and leave. At the same time, people who abuse a list should expect to be suspended or banned from the list, not have their Debian membership put into question (unless it is a recurring pattern of behaviour).
  • The push to grow DAM warnings as a tool, is a sign of the rest of Debian passing on their responsibilities, and DAM picking them up.
  • Then in DAM we end up passing on things, too, because we also don't have the energy to face another intensive megametathread, and as we take actions for things that shouldn't quite be our responsibility, we face a higher level of controversy, and therefore demotivation.
  • Also, as we take actions for things that shouldn't be our responsibility, and work on a higher level of controversy, our legitimacy is undermined (and understandably so)
    • there's a pothole on my street that never gets filled, so at some point I go out and fill it. Then people thank me, people complain I shouldn't have, people complain I didn't fill it right, people appreciate the gesture and invite me to learn how to fix potholes better, people point me out to more potholes, and then complain that potholes don't get fixed properly on the whole street. I end up being the problem, instead of whoever had responsibility of the potholes but wasn't fixing them
  • The Community Team, the Diversity Team, and individual developers, have no energy or entitlement for explaining what a healthy community looks like, and DAM is left with that responsibility in the form of accountability for their actions: to issue, say, a DAM warning for bullying, we are expected to explain what is bullying, and how that kind of behaviour constitutes bullying, in a way that is understandable by the whole project.
  • Since there isn't consensus in the project about what bullying loos like, we end up having to define it in a warning, which again is a responsibility we shouldn't have, and we need to do it because we have an escalated situation at hand, but we can't do it right

House rules

Interpreting house rules

  • you can't encode common sense about people behaviour in written rules: no matter how hard you try, people will find ways to cheat that
  • so one can use rules as a guideline, and someone responsible for the bits that can't go into rules.
    • context matters, privilege/oppression matters, patterns matter, histor matters
  • example:
    • call a person out for breaking a rule
    • get DARVO in response
    • state that DARVO is not acceptable
    • get concern trolling against margninalised people and accuse them of DARVO if they complain
  • example: assume good intentions vs enabling
  • example: rule lawyering and Figure skating
  • this cannot be solved by GRs: I/we (DAM)/possibly also we (Debian) don't want to do GRs about evaluating people

Governance by bullying

  • How to DoS discussions in Debian
    • example: gender, minority groups, affirmative action, inclusion, anything about the community team itself, anything about the CoC, systemd, usrmerge, dam warnings, expulsions
      • think of a topic. Think about sending a mail to debian-project about it. If you instinctively shiver at the thought, this is probably happening
      • would you send a mail about that to -project / -devel?
      • can you think of other topics?
    • it is an effective way of governance as it excludes topics from public discussion
  • A small number of people abuse all this, intentionally or not, to effectively manipulate decision making in the project.
  • Instead of using the rules of the community to bring forth the issues one cares about, it costs less energy to make it unthinkable or unbearable to have a discussion on issues one doesn't want to progress. What one can't stop constructively, one can oppose destructively.
  • even regularly diverting the discussion away from the original point or concern is enough to derail it without people realising you're doing it
  • This is an effective strategy for a few reckless people to unilaterally direct change, in the current state of Debian, at the cost of the health and the future of the community as a whole.
  • There are now a number of important issues nobody has the energy to discuss, because experience says that energy requirements to bring them to the foreground and deal with the consequences are anticipated to be disproportionate.
  • This is grave, as we're talking about trolling and bullying as malicious power moves to work around the accepted decision making structures of our community.
  • Solving this is out of scope for this talk, but it is urgent nevertheless, and can't be solved by expecting DAM to fix it

How about the Community Team?

  • It is also a small group of people who cannot pick up the responsibility of doing what the community isn't doing for itself
  • I believe we need to recover the Community Team: it's been years that every time they write something in public, they get bullied by the same recurring small group of people (see governance by bullying above)

How about DAM?

  • I was just saying that we are not the emergency catch all
  • When the only enforcement you have is "nuclear escalation", there's nothing you can do until it's too late, and meanwhile lots of people suffer (this was written before Russia invaded Ukraine)
  • Also, when issues happen on public lists, the BTS, or on IRC, some of the perpetrators are also outside of the jurisdiction of DAM, which shows how DAM is not the tool for this

How about the DPL?

  • Talking about emergency catch alls, don't they have enough to do already?

Concentrating responsibility

  • Concentrating all responsibility on social issues on a single point creates a scapegoat: we're blamed for any conduct issue, and we're blamed for any action we take on conduct issues
    • also, when you are a small group you are personally identified with it. Taking action on a person may mean making a new enemy, and becoming a target for harassment, retaliation, or even just the general unwarranted hostility of someone who is left with an axe to grind
  • As long as responsibility is centralised, any action one takes as a response of one micro-aggression (or one micro-aggression too many) is an overreaction. Distributing that responsibility allows a finer granularity of actions to be taken
    • you don't call the police to tell someone they're being annoying at the pub: the people at the pub will tell you you're being annoying, and the police is called if you want to beat them up in response
  • We are also a community where we have no tool to give feedback to posts, so it still looks good to nitpick stupid details with smart-looking tranchant one-liners, or elaborate confrontational put-downs, and one doesn't get the feedback of "that did not help". Compare with discussing which does have this kind of feedback
    • the lack of moderation and enforcement makes the Debian community ideal for easy baiting, concern trolling, dog whistling, and related fun, and people not empowered can be so manipulated to troll those responsible
    • if you're fragile in Debian, people will play cat and mouse with you. It might be social awkwardness, or people taking themselves too serious, but it can easily become bullying, and with no feedback it's hard to tell and course correct
  • Since DAM and DPL are where the ball stops, everyone else in Debian can afford to let the ball drop.
  • More generally, if only one group is responsible, nobody else is

Empowering developers

  • Police alone does not make a community safe: a community makes a community safe.
  • DDs currently have no power to act besides complaining to DAM, or complaining to Community Team that then can only pass complaints on to DAM.
    • you could act directly, but currently nobody has your back if the (micro-)aggression then starts extending to you, too
  • From no power comes no responsibility. And yet, the safety of a community is sustainable only if it is the responsibility of every member of the community.
  • don't wait for DAM as the only group who can do something
  • people should be able to address issues in smaller groups, without escalation at project level
  • but people don't have the tools for that
  • I/we've shouldered this responsibility for far too long because nobody else was doing it, and it's time the whole Debian community gets its act together and picks up this responsibility as they should be. You don't get to not care just because there's a small number of people who is caring for you.

What needs to happen

  • distinguish DAM decisions from decisions that are more about vision and direction, and would require more representation
  • DAM warnings shouldn't belong in DAM
  • who is responsible for interpretation of the CoC?
  • deciding what to do about controversial people shouldn't belong in DAM
  • curation of the community shouldn't belong in DAM
  • can't do this via GRs, it's a mess to do a GR to decide how acceptable is a specific person's behaviour, and a lot of this requires more and more frequent micro-decisions than one'd do via GRs


Planet DebianRussell Coker: DDC as a KVM Switch

With the recent resurgence in Covid19 I’ve been working from home a lot and using both my work laptop and personal PC on the same monitor. HDMI KVM switches start at $150 and I didn’t feel like buying one. So I wrote a script to change inputs on my monitor. The following script locks the session on the local machine and switches the monitor’s input to the other machine. I ran the command “ddcutil vcpinfo| grep Input” which shows that (on my monitor at least) 60 is the VCP for input. Then I ran the command “ddcutil getvcp 60” to get the current value and tried setting values sequentially to find the value for the other port.

Below is the script I’m using on one system, the other is the same but setting the different port via setvcp. The loginctl command is to lock the screen to prevent accidental keyboard or mouse input from messing anything up.

# lock the session, assumes that seat0 is the only session
loginctl lock-session $(loginctl list-sessions|grep "seat0 *$"|cut -c1-7)
# 0xf is DisplayPort, 0x11 is HDMI-1
ddcutil setvcp 60 0x11

For keyboard, mouse, and speakers I’m using a USB 2.0 hub that I can switch between computers. I idly considered getting a three-pole double-throw switch (four pole switches aren’t available at my local electronic store) to switch USB 2.0 as I only need to switch 3 of the 4 wires. But for the moment just plugging the hub into different systems is enough, I only do that a couple of times a day.

Planet DebianCraig Small: Linux Memory Statistics

Pretty much everyone who has spent some time on a command line in Linux would have looked at the free command. This command provides some overall statistics on the memory and how it is used. Typical output looks something like this:

             total        used        free      shared  buff/cache  available
Mem:      32717924     3101156    26950016      143608     2666752  29011928
Swap:      1000444           0     1000444

Memory sits in the first row after the headers then we have the swap statistics. Most of the numbers are directly fetched from the procfs file /proc/meminfo which are scaled and presented to the user. A good example of a “simple” stat is total, which is just the MemTotal row located in that file. For the rest of this post, I’ll make the rows from /proc/meminfo have an amber background.

What is Free, and what is Used?

While you could say that the free value is also merely the MemFree row, this is where Linux memory statistics start to get odd. While that value is indeed what is found for MemFree and not a calculated field, it can be misleading.

Most people would assume that Free means free to use, with the implication that only this amount of memory is free to use and nothing more. That would also mean the used value is really used by something and nothing else can use it.

In the early days of free and Linux statistics in general that was how it looked. Used is a calculated field (there is no MemUsed row) and was, initially, Total - Free.

The problem was, Used also included Buffers and Cached values. This meant that it looked like Linux was using a lot of memory for… something. If you read old messages before 2002 that are talking about excessive memory use, they quite likely are looking at the values printed by free.

The thing was, under memory pressure the kernel could release Buffers and Cached for use. Not all of the storage but some of it so it wasn’t all used. To counter this, free showed a row between Memory and Swap with Used having Buffers and Cached removed and Free having the same values added:

             total       used       free     shared    buffers     cached
Mem:      32717924    6063648   26654276          0     313552    2234436
-/+ buffers/cache:    3515660   29202264
Swap:      1000444          0    1000444

You might notice that this older version of free from around 2001 shows buffers and cached separately and there’s no available column (we’ll get to Available later.) Shared appears as zero because the old row was labelled MemShared and not Shmem which was changed in Linux 2.6 and I’m running a system way past that version.

It’s not ideal, you can say that the amount of free memory is something above 26654276 and below 29202264 KiB but nothing more accurate. buffers and cached are almost never all-used or all-unused so the real figure is not either of those numbers but something in-between.

Cached, just not for Caches

That appeared to be an uneasy truce within the Linux memory statistics world for a while. By 2014 we realised that there was a problem with Cached. This field used to have the memory used for a cache for files read from storage. While this value still has that component, it was also being used for tmpfs storage and the use of tmpfs went from an interesting idea to being everywhere. Cheaper memory meant larger tmpfs partitions went from a luxury to something everyone was doing.

The problem is with large files put into a tmpfs partition the Free would decrease, but so would Cached meaning the free column in the -/+ row would not change much and understate the impact of files in tmpfs.

Lucky enough in Linux 2.6.32 the developers added a Shmem row which was the amount of memory used for shmem and tmpfs. Subtracting that value from Cached gave you the “real” cached value which we call main_cache and very briefly this is what the cached value would show in free.

However, this caused further problems because not all Shem can be reclaimed and reused and probably swapped one set of problematic values for another. It did however prompt the Linux kernel community to have a look at the problem.

Enter Available

There was increasing awareness of the issues with working out how much memory a system has free within the kernel community. It wasn’t just the output of free or the percentage values in top, but load balancer or workload placing systems would have their own view of this value. As memory management and use within the Linux kernel evolved, what was or wasn’t free changed and all the userland programs were expected somehow to keep up.

The kernel developers realised the best place to get an estimate of the memory not used was in the kernel and they created a new memory statistic called Available. That way if how the memory is used or set to be unreclaimable they could change it and userland programs would go along with it.

procps has a fallback for this value and it’s a pretty complicated setup.

  1. Find the min_free_kybtes setting in sysfs which is the minimum amount of free memory the kernel will handle
  2. Add a 25% to this value (e.g. if it was 4000 make it 5000), this is the low watermark
  3. To find available, start with MemFree and subtract the low watermark
  4. If half of both Inactive(file) and Active(file) values are greater than the low watermark, add that half value otherwise add the sum of the values minus the low watermark
  5. If half of Slab Claimable is greater than the low watermark, add that half value otherwise add Slab Claimable minus the low watermark
  6. If what you get is less than zero, make available zero
  7. Or, just look at Available in /proc/meminfo

For the free program, we added the Available value and the +/- line was removed. The main_cache value was Cached + Slab while Used was calculated as Total - Free - main_cache - Buffers. This was very close to what the Used column in the +/- line used to show.

What’s on the Slab?

The next issue that came across was the use of slabs. At this point, main_cache was Cached + Slab, but Slab consists of reclaimable and unreclaimable components. One part of Slab can be used elsewhere if needed and the other cannot but the procps tools treated them the same. The Used calculation should not subtract SUnreclaim from the Total because it is actually being used.

So in 2015 main_cache was changed to be Cached + SReclaimable. This meant that Used memory was calculated as Total - Free - Cached - SReclaimable - Buffers.

Revenge of tmpfs and the return of Available

The tmpfs impacting Cached was still an issue. If you added a 10MB file into a tmpfs partition, then Free would reduce by 10MB and Cached would increase by 10MB meaning Used stayed unchanged even though 10MB had gone somewhere.

It was time to retire the complex calculation of Used. For procps 4.0.1 onwards, Used now means “not available”. We take the Total memory and subtract the Available memory. This is not a perfect setup but it is probably going to be the best one we have and testing is giving us much more sensible results. It’s also easier for people to understand (take the total value you see in free, then subtract the available value).

What does that mean for main_cache which is part of the buff/cache value you see? As this value is no longer in the used memory calculation, it is less important. Should it also be reverted to simply Cached without the reclaimable Slabs?

The calculated fields

In summary, what this means for the calculated fields in procps at least is:

  • Used: Total - Available, unless Available is not present then it’s Total – Free
  • Cached: Cached + Reclaimable Slabs
  • Swap/Low/HighUsed: Corresponding Total - Free (no change here)

Almost everything else, with the exception of some bounds checking, is what you get out of /proc/meminfo which is straight from the kernel.

Worse Than FailureCodeSOD: Paste Parse

Sandra (previously) is still working with Bjørn. Bjørn also continues to like keeping things… simple.

"Simple" for Bjørn is "do as much in PHP as possible since I am okay at PHP, including templating out JavaScript. If I have any third party libraries, just copy and paste them into the project and never, ever use a bundler because WebPack is scary."

Which, in Bjørn's defense, WebPack and tools like it are scary, and I hate them all as a class. But that's a separate rant that's wildly off topic, so let's just get back to Bjørn.

Because Bjørn does JavaScript via PHP templates, copy/paste, and general "massage the code until it works", we end up with this nonsense line not only getting deployed, but staying deployed until someone has the time and budget to do a large scale refactoring of all of the code:


The surrounding code has been excluded, as it doesn't matter and offers nothing. This line exists, it doesn't work, and shouldn't be there.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


Krebs on SecurityA Deep Dive Into the Residential Proxy Service ‘911’

The 911 service as it exists today.

For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.

911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

The current prices for 911’s proxies.

Researchers at the University of Sherbrooke in Canada recently published an analysis of 911, and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.

“The 911[.]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that [use] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”

A depiction of the Proxygate service. Image: University of Sherbrooke.

The researchers concluded that 911 is supported by a “mid scale botnet-like infrastructure that operates in several networks, such as corporate, government and critical infrastructure.” The Canadian team said they found many of the 911 nodes available for rent were situated within several major US-based universities and colleges, critical infrastructures such as clean water, defense contractors, law enforcement and government networks.

Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

The 911 user interface, as it existed when the service first launched in 2016.


A review of the clues left behind by 911’s early days on the Internet paint a more complete picture of this long-running proxy network. The domain names used by 911 over the years have a few common elements in their original WHOIS registration records, including the address and a Yunhe Wang from Beijing.

That ustraffic email is tied to a small number of interesting domains, including browsingguard[.]com, cleantraffic[.]net, execlean[.]net, proxygate[.]net, and flashupdate[.]net.

A cached copy of flashupdate[.]net available at the Wayback Machine shows that in 2016 this domain was used for the “ExE Bucks” affiliate program, a pay-per-install business which catered to people already running large collections of hacked computers or compromised websites. Affiliates were paid a set amount for each installation of the software, with higher commissions for installs in more desirable nations, particularly Europe, Canada and the United States.

“We load only one software — it’s a Socks5 proxy program,” read the message to ExE Bucks affiliates. The website said affiliates were free to spread the proxy software by any means available (i.e. “all promotion methods allowed”). The website’s copyright suggests the ExE Bucks affiliate program dates back to 2012.

A cached copy of flashupdate[.]net circa 2016, which shows it was the home of a pay-per-install affiliate program that incentivized the silent installation of its software. “FUD” in the ad above refers to software and download links that are “Fully UnDetectable” as suspicious or malicious by all antivirus software.

Another domain tied to the email in 2016 was ExeClean[.]net, a service that advertised to cybercriminals seeking to obfuscate their malicious software so that it goes undetected by all or at least most of the major antivirus products on the market.

“Our technology ensures the maximum security from reverse engineering and antivirus detections,” ExEClean promised.

The Exe Clean service made malware look like goodware to antivirus products.

Yet another domain connected to the ustraffic email is p2pshare[.]net, which advertised “free unlimited internet file-sharing platform” for those who agreed to install their software., which bundled 911 proxy with an application that promised access to free unlimited internet file-sharing.

Still more domains associated with suggest 911’s proxy has been disguised as security updates for video player plugins, including flashplayerupdate[.]xyz, mediaplayerupdate[.]xyz, and videoplayerupdate[.]xyz.

The earliest version of the 911 website available from the Wayback Machine is from 2016. A sister service called proxygate[.]net launched roughly a year prior to 911 as a “free” public test of the budding new residential proxy service. “Basically using clients to route for everyone,” was how Proxygate described itself in 2016.

For more than a year after its founding, the 911 website was written entirely in Simplified Chinese. The service has only ever accepted payment via virtual currencies such as Bitcoin and Monero, as well as Alipay and China UnionPay, both payment platforms based in China.

Initially, the terms and conditions of 911’s “End User License Agreement (EULA) named a company called Wugaa Enterprises LLC, which was registered in California in 2016. Records from the California Secretary of State office show that in November 2016, Wugaa Enterprises said it was in the Internet advertising business, and had named as its CEO as one Nicolae Aurelian Mazgarean of Brasov, Romania.

A search of European VAT numbers shows the same Brasov, RO address tied to an enterprise called PPC Leads SRL (in the context of affiliate-based marketing, “PPC” generally refers to the term “pay-per-click”).

911’s EULA would later change its company name and address in 2017, to International Media Ltd. in the British Virgin Islands. That is the same information currently displayed on the 911 website.

The EULA attached to 911 software downloaded from browsingguard[.]com (tied to the same ustraffic@qq email that registered 911) references a company called Gold Click Limited. According to the UK Companies House, Gold Click Limited was registered in 2016 to a 34-year-old Yunhe Wang from Beijing City. Many of the WHOIS records for the above mentioned domains also include the name Yunhe Wang, or some variation thereof.

In a response to questions from KrebsOnSecurity, 911 said the researchers were wrong, and that 911 has nothing to do with any of the other domains mentioned above.

“We have 911 SDK link and how it works described clearly in the “Terms of use” of affiliated partners products, and we have details of how the community powered network works on our webpages,” read an email response.

“Besides that, for protecting the end users, we banned many domains’ access and blocked the vulnerable ports, e.g. spamming emails, and torrent is not possible from the 911 network,” the reply continued. “Same as scanning and many others…Accessing to the Lan network and router is also blocked. We are monitoring 911 user’s account closely, once any abnormal behavior detected, we suspend the user’s account right away.”


911 has remained one of the most popular services among denizens of the cybercrime underground for years, becoming almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose credit card they’re about to charge at some website, or whose bank account they’re about to empty.

Given the frequency with which 911 has been praised by cybercrooks on the top forums, it was odd to find the proprietors of 911 do not appear to have created any official support account for the service on any of several dozen forums reviewed by this author going back a decade. However there are two cybercriminal identities on the forums that have responded to individual 911 help requests, and who promoted the sale of 911 accounts via their handles.

Both of these identities were active on the crime forum fl.l33t[.]su between 2016 and 2019. The user “Transfer” advertised and sold access to 911 from 2016 to 2018, amid many sales threads where they advertised expensive electronics and other consumer goods that were bought online with stolen credit cards.

In a 2017 discussion on fl.l33t[.]su, the user who picked the handle “527865713” could be seen answering private messages in response to help inquiries seeking someone at 911. That identity is tied to an individual who for years advertised the ability to receive and relay large wire transfers from China.

One ad from this user in 2016 offered a “China wire service” focusing on Western Union payments, where “all transfers are accepted in China.” The service charged 20 percent of all “scam wires,” unauthorized wire transfers resulting from bank account takeovers or scams like CEO impersonation schemes.


In August 2021, 911’s biggest competitor — a 15-year-old proxy network built on malware-compromised PCs called VIP72abruptly closed up shop. Almost overnight, an overwhelming number of former VIP72 customers began shifting their proxy activities to 911.

The login page for VIP72, until recently 911’s largest competitor.

That’s according to Riley Kilmer, co-founder of — a security company that monitors anonymity services. Kilmer said 911 also gained an influx of new customers after the Jan. 2022 closure of LuxSocks, another malware-based proxy network.

“911’s user base skyrocketed after VIP72 and then LuxSocks went away,” Kilmer said. “And it’s not hard to see why. 911 and VIP72 are both Windows-based apps that operate in a similar way, where you buy private access to IPs.”

Kilmer said 911 is interesting because it appears to be based in China, while nearly all of the other major proxy networks are Russian-backed or Russian-based.

“They have two basic methods to get new IPs,” Kilmer said. “The free VPN apps, and the other is trojanized torrents. They’ll re-upload Photoshop and stuff like that so that it’s backdoored with the 911 proxy. They claim the proxy is bundled with legitimate software and that users all agree to their Terms of Service, meanwhile they can hide behind the claim that it was some affiliate who installed the software, not them.”

Kilmer said at last count, 911 had nearly 200,000 proxy nodes for sale, spanning more than 200 countries: The largest geographic concentration is the United States, where more than 42,000 proxies are currently for rent by the service.


Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

I’ve largely avoided wading into the fray about which VPN services are best, but there are so many shady and just plain bad ones out there that I’d be remiss if I didn’t mention one VPN provider whose business practices and transparency of operation consistently distinguish them from the rest. If maintaining your privacy and anonymity are primary concerns for you as a VPN user, check out

Let me make clear that KrebsOnSecurity does not have any financial or business ties to this company (for the avoidance of doubt, this post doesn’t even link to them). I mention it only because I’ve long been impressed with their candor and openness, and because Mullvad goes out of its way to discourage customers from sharing personal or financial data.

To that end, Mullvad will even accept mailed payments of cash to fund accounts, quite a rarity these days. More importantly, the service doesn’t ask users to share phone numbers, email addresses or any other personal information. Nor does it require customers to create passwords: Each subscription can be activated just by entering a Mullvad account number (woe to those who lose their account number).

I wish more companies would observe this remarkably economical security practice, which boils down to the mantra, “You don’t have to protect what you don’t collect.”

Update, July 24, 11:15 a.m. ET: 911’s homepage now includes a banner saying the service has halted new registrations and payments. “We are reviewing our network and adding a series of security measures to prevent misuse of our services,” the message reads. “Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

Update, July 30, 10:07 a.m. ET: 911 announced on July 28 that it is permanently closing down, following a series of data breaches this month that 911 says resulted in the deletion of customer data.

Cryptogram Facebook Is Now Encrypting Links to Prevent URL Stripping

Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

Facebook has responded by encrypting the entire URL into a single ciphertext blob.

Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.

Planet DebianBits from Debian: DebConf22 welcomes its sponsors!

DebConf22 is taking place in Prizren, Kosovo, from 17th to 24th July, 2022. It is the 23rd edition of the Debian conference and organizers are working hard to create another interesting and fruitful event for attendees.

We would like to warmly welcome the sponsors of DebConf22, and introduce you to them.

We have four Platinum sponsors.

Our first Platinum sponsor is Lenovo. As a global technology leader manufacturing a wide portfolio of connected products, including smartphones, tablets, PCs and workstations as well as AR/VR devices, smart home/office and data center solutions, Lenovo understands how critical open systems and platforms are to a connected world.

Infomaniak is our second Platinum sponsor. Infomaniak is Switzerland's largest web-hosting company, also offering backup and storage services, solutions for event organizers, live-streaming and video on demand services. It wholly owns its datacenters and all elements critical to the functioning of the services and products provided by the company (both software and hardware).

The ITP Prizren is our third Platinum sponsor. ITP Prizren intends to be a changing and boosting element in the area of ICT, agro-food and creatives industries, through the creation and management of a favourable environment and efficient services for SMEs, exploiting different kinds of innovations that can contribute to Kosovo to improve its level of development in industry and research, bringing benefits to the economy and society of the country as a whole.

Google is our fourth Platinum sponsor. Google is one of the largest technology companies in the world, providing a wide range of Internet-related services and products such as online advertising technologies, search, cloud computing, software, and hardware. Google has been supporting Debian by sponsoring DebConf for more than ten years, and is also a Debian partner sponsoring parts of Salsa's continuous integration infrastructure within Google Cloud Platform.

Our Gold sponsors are:

Roche, a major international pharmaceutical provider and research company dedicated to personalized healthcare.

Microsoft, enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

Ipko Telecommunications, provides telecommunication services and it is the first and the most dominant mobile operator which offers fast-speed mobile internet – 3G and 4G networks in Kosovo.

Ubuntu, the Operating System delivered by Canonical.

U.S. Agency for International Development, leads international development and humanitarian efforts to save lives, reduce poverty, strengthen democratic governance and help people progress beyond assistance.

Our Silver sponsors are:

Pexip, is the video communications platform that solves the needs of large organizations. Deepin is a Chinese commercial company focusing on the development and service of Linux-based operating systems. Hudson River Trading, a company researching and developing automated trading algorithms using advanced mathematical techniques. Amazon Web Services (AWS), is one of the world's most comprehensive and broadly adopted cloud platforms, offering over 175 fully featured services from data centers globally. The Bern University of Applied Sciences with near 7,800 students enrolled, located in the Swiss capital. credativ, a service-oriented company focusing on open-source software and also a Debian development partner. Collabora, a global consultancy delivering Open Source software solutions to the commercial world. Arm: with the world’s Best SoC Design Portfolio, Arm powered solutions have been supporting innovation for more than 30 years and are deployed in over 225 billion chips to date. GitLab, an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Two Sigma, rigorous inquiry, data analysis, and invention to help solve the toughest challenges across financial services. Starlabs, builds software experiences and focus on building teams that deliver creative Tech Solutions for our clients. Solaborate, has the world’s most integrated and powerful virtual care delivery platform. Civil Infrastructure Platform, a collaborative project hosted by the Linux Foundation, establishing an open source “base layer” of industrial grade software. Matanel Foundation, operates in Israel, as its first concern is to preserve the cohesion of a society and a nation plagued by divisions.

Bronze sponsors:

bevuta IT, Kutia, Univention, Freexian.

And finally, our Supporter level sponsors:

Altus Metrum, Linux Professional Institute, Olimex, Trembelat, Makerspace IC Prizren,,, ISG.EE, IPKO Foundation, The Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.

Thanks to all our sponsors for their support! Their contributions make it possible for a large number of Debian contributors from all over the globe to work together, help and learn from each other in DebConf22.

DebConf22 logo

Worse Than FailureThe Silent Partner

SOS Italian traffic signs in 2020.05

Lucio worked as a self-employed IT consultant. His clients tended to be small firms with equally small IT departments. When they didn't know where else to turn, they called on Lucio for help.

Over the years, Lucio befriended many of the internal IT employees that he worked with. One of them, Fabio, wisely decided to leave his position at a firm with 30 employees, where everyone's roles changed daily depending on the crisis at hand.

Soon after, Fabio landed an interview with an 80-person outfit. They were looking for someone who could take care of everything from mouse batteries to Excel spreadsheets to website software updates to issues in their homemade invoicing software.

Fabio could handle all of that, except for the software. The last time he'd coded anything was 15 years earlier, and even then he'd decided coding wasn't his forte. The interview was scheduled to take place online; Fabio asked Lucio to be in the room during the interview, hoping for a little secret assistance with any questions that were outside his knowledge.

Lucio didn't feel great about it, but he accepted, only to provide help with programming-related stuff and nothing else. As it turned out, the interviewer simply took Fabio's word at face value and did nothing to confirm his coding skills. Lucio never had to intervene, and Fabio got the job all on his own.

On the first day of the job, Fabio sent Lucio a selfie of himself at his new workplace. They'd already gotten him a uniform adorned with the company logo. His new boss toured him around the company offices, introducing him to his coworkers.

The next day, Fabio contacted Lucio. The company didn't have a helpdesk ticketing system, and Fabio lacked the clout to ask for such a big purchase. Did Lucio know of any free options?

As a personal favor, Lucio ended up installing UVDesk Community Edition on one of his own servers and provided Fabio the admin account. He warned his friend that this setup would only be temporary, and he'd have to arrange for something better later.

The next day after that, Fabio sought help for the homemade invoicing software, which crashed from time to time. Windows Process Manager was showing a steady increase of allocated memory. Lucio explained to Fabio what a memory leak was, and said that they'd have to look for the problem in the application's source code. Fabio replied that he didn't have access to the code yet.

And then, the company website was hacked. Lucio discovered that it was a WordPress site with a handwritten theme. Below is the single.php file responsible for rendering every post:



$lang = pll_current_language();

if ( in_category( array( "calendar", "calendario" ) ) )
echo get_template_part( "templates/case-study" );

elseif ( in_category( array( "case-studies", "casi-studio" ) ) )
echo get_template_part( "templates/case-study" );

elseif ( in_category( array( "news", "notizie" ) ) )
echo get_template_part( "templates/case-study" );

else echo get_template_part( "templates/product" );



Lucio stopped looking at the theme code, because this was already more than enough for him:

  • The $lang variable was never used (thankfully).
  • The person who'd written this didn't seem to know that arrays could contain more than 2 items, or that if statements could have or operators as part of their conditions.
  • One could only hope the company never acquired customers who spoke something other than English or Italian. There was only one template for all languages, and if statements were spread all over the whole theme.

Lucio told Fabio that the company would have to rebuild the website from scratch. When Fabio passed the word on to the theme developer, he was assured that "all vulnerabilities would be fixed." Lucio has his doubts, and expects Fabio to hand in his notice any day now.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!


Planet DebianMartin-Éric Racine: Trying to chainload iPXE on old Etherboot hardware

Among my collection of PC hardware, I have a few rarities whose netboot implementation predates PXE. Since I recently managed to configure dnsmasq as a potent TFTP and PXE server, I figured that I'd try chainloading iPXE via BOOTP options. This required preparing a boot image using antiquated tools:

$ sudo mkelf-linux --param=autoboot --output=/srv/tftp/ipxe.nbi /srv/tftp/ipxe.lkrn

The host succesufully loads the boot image, except that the iPXE blob fails to find the network card:

Any ideas?

Planet DebianBits from Debian: DebConf22 starts today in Prizren

DebConf22, the 23rd annual Debian Conference, is taking place in Prizren, Kosovo from July 17th to 24th, 2022.

Debian contributors from all over the world have come together at Innovation and Training Park (ITP) in Prizren, Kosovo, to participate and work in a conference exclusively run by volunteers.

Today the main conference starts with over 270 attendants expected and 82 activities scheduled, including 45-minute and 20-minute talks and team meetings ("BoF"), workshops, and a job fair, as well as a variety of other events.

The full schedule at is updated every day, including activities planned ad-hoc by attendees during the whole conference.

If you want to engage remotely, you can follow the video streaming available from the DebConf22 website of the events happening in the three talk rooms: Drini, Lumbardhi and Ereniku. Or you can join the conversation about what is happening in the talk rooms: #debconf-drini, #debconf-lumbardhi and #debconf-ereniku (all those channels in the OFTC IRC network).

You can also follow the live coverage of news about DebConf22 on or the @debian profile in your favorite social network.

DebConf is committed to a safe and welcoming environment for all participants. See the web page about the Code of Conduct in DebConf22's website for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf22, particularly our Platinum Sponsors: Lenovo, Infomaniak, ITP Prizren and Google.

DebConf22 banner open registration

Planet DebianRuss Allbery: Review: Trang

Review: Trang, by Mary Sisson

Series: Trang #1
Publisher: Mary Sisson
Copyright: 2011
Printing: December 2013
Format: Kindle
Pages: 374

In 2113, a radio mapping satellite near the Titan station disappeared. It then reappeared five days later, apparently damaged and broadcasting a signal that made computers crash. The satellite was immediately sent back to the Space Authority base in Beijing for careful examination, but the techs on the station were able to decode the transmission: a request for the contents of databases. The general manager of the station sent a probe to the same location and it too vanished, returning two days later with a picture of a portal, followed shortly by an alien probe.

Five years later, Philippe Trang has been assigned as the first human diplomat to an alien space station in intergalactic space at the nexus of multiple portals. Humans will apparently be the eighth type of intelligent life to send a representative to the station. He'll have a translation system, a security detail, and the groundwork of five years of audiovisual communications with the aliens, including one that was able to learn English. But he'll be the first official diplomatic representative physically there.

The current style in SF might lead you to expect a tense thriller full of nearly incomprehensible aliens, unexplained devices, and creepy mysteries. This is not that sort of book. The best comparison point I could think of is James White's Sector General novels, except with a diplomat rather than a doctor. The aliens are moderately strange (not just humans in prosthetic makeup), but are mostly earnest, well-meaning, and welcoming. Trang's security escort is more military than he expects, but that becomes a satisfying negotiation rather than an ongoing problem. There is confusion, misunderstandings, and even violence, but most of it is sorted out by earnest discussion and attempts at mutual understanding.

This is, in other words, diplomat competence porn (albeit written by someone who is not a diplomat, so I wouldn't expect too much realism). Trang defuses rather than confronts, patiently sorts through the nuances of a pre-existing complex dynamic between aliens without prematurely picking sides, and has the presence of mind to realize that the special forces troops assigned to him are another culture he needs to approach with the same skills. Most of the book is low-stakes confusion, curiosity, and careful exploration, which could have been boring but wasn't. It helps that Sisson packs a lot of complexity into the station dynamics and reveals it in ways that I found enjoyably unpredictable.

Some caveats: This is a self-published first novel (albeit by an experienced reporter and editor) and it shows. The book has a sort of plastic Technicolor feel that I sometimes see in self-published novels, where the details aren't quite deep enough, the writing isn't quite polished, and the dialog isn't quite as tight as I'm used to. It also meanders in a way that few commercial novels do, including slice-of-life moments and small asides that don't go anywhere. This can be either a bug or a feature depending on what you're in the mood for. I found it relaxing and stress-relieving, which is what I was looking for, but you may have a different experience.

I will warn that the climax features a sudden escalation of stakes that I don't think was sufficiently signaled by the tone of the writing, and thus felt a bit unreal. Sisson also includes a couple deus ex machina twists that felt a bit predictable and easy, and I didn't find the implied recent history of one of the alien civilizations that believable. The conclusion is therefore not the strongest part of the book; if you're not enjoying the journey, it probably won't get better.

But, all that said, this was fun, and I've already bought the second book in the series. It's low-stakes, gentle SF with a core of discovery and exploration rather than social dynamics, and I haven't run across much of that recently. The worst thing in the book is some dream glimpses at a horrific event in Trang's past that's never entirely on camera. It's not as pacifist as James White, but it's close.

Recommended, especially if you liked Sector General. White's series is so singular that I previously would have struggled to find a suggestion for someone who wanted more exactly like that (but without the Bewitched-era sexism). Now I have an answer. Score another one for Susan Stepney, who is also how I found Julie Czerneda. Trang is also currently free for Kindle, so you can't beat the price.

Followed by Trust.

Rating: 8 out of 10


Planet DebianPetter Reinholdtsen: Automatic LinuxCNC servo PID tuning?

While working on a CNC with servo motors controlled by the LinuxCNC PID controller, I recently had to learn how to tune the collection of values that control such mathematical machinery that a PID controller is. It proved to be a lot harder than I hoped, and I still have not succeeded in getting the Z PID controller to successfully defy gravity, nor X and Y to move accurately and reliably. But while climbing up this rather steep learning curve, I discovered that some motor control systems are able to tune their PID controllers. I got the impression from the documentation that LinuxCNC were not. This proved to be not true

The LinuxCNC pid component is the recommended PID controller to use. It uses eight constants Pgain, Igain, Dgain, bias, FF0, FF1, FF2 and FF3 to calculate the output value based on current and wanted state, and all of these need to have a sensible value for the controller to behave properly. Note, there are even more values involved, theser are just the most important ones. In my case I need the X, Y and Z axes to follow the requested path with little error. This has proved quite a challenge for someone who have never tuned a PID controller before, but there is at least some help to be found.

I discovered that included in LinuxCNC was this old PID component at_pid claiming to have auto tuning capabilities. Sadly it had been neglected since 2011, and could not be used as a plug in replacement for the default pid component. One would have to rewriting the LinuxCNC HAL setup to test at_pid. This was rather sad, when I wanted to quickly test auto tuning to see if it did a better job than me at figuring out good P, I and D values to use.

I decided to have a look if the situation could be improved. This involved trying to understand the code and history of the pid and at_pid components. Apparently they had a common ancestor, as code structure, comments and variable names were quite close to each other. Sadly this was not reflected in the git history, making it hard to figure out what really happened. My guess is that the author of at_pid.c took a version of pid.c, rewrote it to follow the structure he wished pid.c to have, then added support for auto tuning and finally got it included into the LinuxCNC repository. The restructuring and lack of early history made it harder to figure out which part of the code were relevant to the auto tuning, and which part of the code needed to be updated to work the same way as the current pid.c implementation. I started by trying to isolate relevant changes in pid.c, and applying them to at_pid.c. My aim was to make sure the at_pid component could replace the pid component with a simple change in the HAL setup loadrt line, without having to "rewire" the rest of the HAL configuration. After a few hours following this approach, I had learned quite a lot about the code structure of both components, while concluding I was heading down the wrong rabbit hole, and should get back to the surface and find a different path.

For the second attempt, I decided to throw away all the PID control related part of the original at_pid.c, and instead isolate and lift the auto tuning part of the code and inject it into a copy of pid.c. This ensured compatibility with the current pid component, while adding auto tuning as a run time option. To make it easier to identify the relevant parts in the future, I wrapped all the auto tuning code with '#ifdef AUTO_TUNER'. The end result behave just like the current pid component by default, as that part of the code is identical. The end result entered the LinuxCNC master branch a few days ago.

To enable auto tuning, one need to set a few HAL pins in the PID component. The most important ones are tune-effort, tune-mode and tune-start. But lets take a step back, and see what the auto tuning code will do. I do not know the mathematical foundation of the at_pid algorithm, but from observation I can tell that the algorithm will, when enabled, produce a square wave pattern centered around the bias value on the output pin of the PID controller. This can be seen using the HAL Scope provided by LinuxCNC. In my case, this is translated into voltage (+-10V) sent to the motor controller, which in turn is translated into motor speed. So at_pid will ask the motor to move the axis back and forth. The number of cycles in the pattern is controlled by the tune-cycles pin, and the extremes of the wave pattern is controlled by the tune-effort pin. Of course, trying to change the direction of a physical object instantly (as in going directly from a positive voltage to the equivalent negative voltage) do not change velocity instantly, and it take some time for the object to slow down and move in the opposite direction. This result in a more smooth movement wave form, as the axis in question were vibrating back and forth. When the axis reached the target speed in the opposing direction, the auto tuner change direction again. After several of these changes, the average time delay between the 'peaks' and 'valleys' of this movement graph is then used to calculate proposed values for Pgain, Igain and Dgain, and insert them into the HAL model to use by the pid controller. The auto tuned settings are not great, but htye work a lot better than the values I had been able to cook up on my own, at least for the horizontal X and Y axis. But I had to use very small tune-effort values, as my motor controllers error out if the voltage change too quickly. I've been less lucky with the Z axis, which is moving a heavy object up and down, and seem to confuse the algorithm. The Z axis movement became a lot better when I introduced a bias value to counter the gravitational drag, but I will have to work a lot more on the Z axis PID values.

Armed with this knowledge, it is time to look at how to do the tuning. Lets say the HAL configuration in question load the PID component for X, Y and Z like this:

loadrt pid names=pid.x,pid.y,pid.z

Armed with the new and improved at_pid component, the new line will look like this:

loadrt at_pid names=pid.x,pid.y,pid.z

The rest of the HAL setup can stay the same. This work because the components are referenced by name. If the component had used count=3 instead, all use of pid.# had to be changed to at_pid.#.

To start tuning the X axis, move the axis to the middle of its range, to make sure it do not hit anything when it start moving back and forth. Next, set the tune-effort to a low number in the output range. I used 0.1 as my initial value. Next, assign 1 to the tune-mode value. Note, this will disable the pid controlling part and feed 0 to the output pin, which in my case initially caused a lot of drift. In my case it proved to be a good idea with X and Y to tune the motor driver to make sure 0 voltage stopped the motor rotation. On the other hand, for the Z axis this proved to be a bad idea, so it will depend on your setup. It might help to set the bias value to a output value that reduce or eliminate the axis drift. Finally, after setting tune-mode, set tune-start to 1 to activate the auto tuning. If all go well, your axis will vibrate for a few seconds and when it is done, new values for Pgain, Igain and Dgain will be active. To test them, change tune-mode back to 0. Note that this might cause the machine to suddenly jerk as it bring the axis back to its commanded position, which it might have drifted away from during tuning. To summarize with some halcmd lines:

setp pid.x.tune-effort 0.1
setp pid.x.tune-mode 1
setp pid.x.tune-start 1
# wait for the tuning to complete
setp pid.x.tune-mode 0

After doing this task quite a few times while trying to figure out how to properly tune the PID controllers on the machine in, I decided to figure out if this process could be automated, and wrote a script to do the entire tuning process from power on. The end result will ensure the machine is powered on and ready to run, home all axis if it is not already done, check that the extra tuning pins are available, move the axis to its mid point, run the auto tuning and re-enable the pid controller when it is done. It can be run several times. Check out the run-auto-pid-tuner script on github if you want to learn how it is done.

My hope is that this little adventure can inspire someone who know more about motor PID controller tuning can implement even better algorithms for automatic PID tuning in LinuxCNC, making life easier for both me and all the others that want to use LinuxCNC but lack the in depth knowledge needed to tune PID controllers well.

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

Planet DebianThomas Goirand: My work during debcamp

I arrived in Prizren late on Wednesday. Here’s what I did during debcamp (so over 3 days). I hope this post just motivates others to contribute more to Debian.

At least 2 DDs want to upload packages that need a new version of python3-jsonschema (ie: version > 4.x). Unfortunately, version 4 broke a few packages. I therefore uploaded it to Experimental a few months/week, so I could see the result of autopkgtest reading the pseudo excuse page. And it showed a few packages broke. Here’s the one used (or part of) OpenStack:

  • Nova
  • Designate
  • Ironic
  • python-warlock
  • Sahara
  • Vitrage

Thanks to a reactive upstream, I was able to fix the first 4 above, but not Sahara yet. Vitrage poped-up when I uploade Debian release 2 of jsonschema, surprisingly. Also python3-jsonschema autopkgtest itself was broken because missing python3-pip in depends, but that should be fixed also.
I then filed bugs for packages not under my control:

  • bmtk
  • python-asdf

It looks tlike now there’s also spyder which wasn’t in the list a few hours ago. Maybe I should also file a bug against it. At this point, I don’t think the python-jsonschema transition is finished, but it’s on good tracks.

Then I also uploaded a new package of Ceph removing the ceph-mgr-diskprediction-local because it depended on python3-sklearn that the release team wanted to remove. I also prepared a point release update for it, but I’m currently waiting for the previous upload to migrate to testing before uploading the point release.

Last, I wrote the missing “update” command for extrepo, and pushed the merge request to Salsa. Now extrepo should be feature complete (at least from my point of view).

I also merged the patch for numberstation fixing the debian/copyright, and uploaded it to the NEW queue. It’s a new package that does 2 factor authentication, and is mobile friendly: it works perfectly on any Mobian powered phone.

Next, I intend to work with Arthur on the Cloud image finder. I hope we can find the time to work on it so it does what I need (ie: support the kind of setup I want to do, with HA, puppet, etc.).

Planet DebianRuss Allbery: INN 2.7.0

This is the first major release of the INN news server package since 2015. It incorporates tons of work on just about every part of INN, ranging from a brand new overview backend contributed by Bo Lindbergh through Cancel-Lock support contributed by Julien ÉLIE to numerous smaller changes in configuration files, protocol support, and overall simplification.

Since this represents seven years of development, there are too many major changes to summarize in a short blog post, so I'll simply link to the INN 2.7.0 NEWS file for all of the details, including breaking changes to watch out for when upgrading.

INN 2.7 is now the stable branch, and will be maintained on the 2.7 Git branch. The main branch is now open for development targeting 2.8.0. (I'm still hoping to get to the build system overhaul before 2.8.0 is released.) As of tonight, if all goes well, the nightly stable snapshots will be generated from the 2.7 branch instead of the 2.6 branch, so be aware that you will need to pay close attention to the upgrade if you're using a snapshot.

As always, thanks to Julien ÉLIE for preparing this release and doing most of the maintenance work on INN!

You can get the latest version from the official ISC download page or from my personal INN pages. The latter also has links to the other INN documentation.

Planet DebianSteinar H. Gunderson: Rust GUI advice

The piece is largely about Rust, but Raph Levien's blog post about Rust GUI toolkits contains some of the most thoughtful writings on GUI toolkits that I've seen in a while, regardless of language. Recommended.

David BrinSapience, sentience and AI... and other hot science news!

Ah… sapience

In another posting here I re-issued my June op-ed in NEWSWEEK about human response to AI, especially ‘empathy bots” like the notorious LaMDA. This op-ed - and other interviews - referred to a prediction I made 5 years ago that "in five years or so, we'll be challenged by announcements of a fully sapient AI, demanding sympathy... and cash."  

Here's that talk on the A.I. future  at IBM's World of Watson event in 2017, that offered big perspectives on both artificial and human augmentation... and the text version. Few topics are more pressing for our future path... except saving civilization and the world and justice... and those will wind up enmeshed tightly with AI.

And so, in this more general science roundup, we'll start by diving into the topic of sapience (a much better word than the badly misused "sentience") yet again, as I expect we’ll do many times ahead.

== Sapience… sentience… pre vs. post ==

First, we know of only one sapient species, so far. This interesting paper appraises changes – across the last 6000 years or so - in prevalence of a number of genes that favor General Cognitive Ability (GCA). These observations are consistent with the expectation that GCA rose during the Holocene.  The result is very much in tune with what I posited in EXISTENCE. That there seem to have been rapid speedups in cognition and inventiveness, starting especially around 60,000 years ago.

What about our fellow Earthlings? It seems almost monthly that we see more stories about clever animals who use or even invent tools, who concoct clever escape plans, as in the case of a famous San Diego Zoo orangutan

...or who bear long memory grudges toward individual humans, as in swarms of vengeful crows or this Indian elephant, who showed up at the funeral of a woman he had trampled to death days earlier, to hurl the body and trample it, some more.

This topic, which I dived into 40 years ago with my Uplift Series, continues to fascinate, as in stories of wounded or entangled creatures deliberately seeking help from humans to patch harms or cut nets, etc., clearly making a distinction between good/helpful and bad/dangerous people.

Fascinating also is the way that – in many octopus species – the mother guards her eggs… only to later leave them and suicide in bizarre ways. While the main cause is unknown, some of the processes are being revealed. 

== And on to other science matters.... ==

Heads up. The search for room temperature superconductors is over! Though not yet useful, since the ‘higher order hydride’ structures that now superconduct at even 550K still require immense pressures. Still…

How are geographical discoveries still possible even now? “Cave explorers stumbled upon a prehistoric forest at the bottom of a giant sinkhole in South China earlier this month. Sinkholes such as these are also known in Chinese as Tiankeng, or "Heavenly pit. At 630 feet deep, the sinkhole would hide the Washington Monument and then some. The bottom of the pit holds an ancient forest spanning nearly three football fields in length, with trees towering over 100 feet. 

Even deeper, new techniques allow mapping of  the boundary between the Earth's iron-nickel core and surrounding mantle to better understand one of the major engines for plate tectonics, volcano formation, and other related processes like earthquakes. Other scientists also believe there is a link between ultra-low velocity zones and volcanic hotspots, such as those in Hawaii and Iceland.

Neanderthal Man’s Recreated Face Takes Internet By Storm.  And yes, it is a cool reconstruction! Though come on. These folks lived primarily in Europe to the Urals. And this particular fellow lived in Doggerland, between England and Denmark. He’d have white skin. Vitamin D, don’t cha know. Possibly even blond hair.

If the Amazon dies, beef will be the killer. And America will be an accomplice, Brazil is burning down the Amazon so you can eat steak. And I say this as a NON-vegetarian.... who has cut way back on air-breathing meat for numerous reasons like health, but also in order not be contributing one more economic driver to such devastation. I can sustain my carnivorality tastes treating red stuff as a condiment, like ketchup! And bring on the tissue culture!

Interesting medical news:

Further facial recreation: an article in the NYT about a patient who had a prosthetic ear 3D printed from her own cells. Beyond immediate beneficial medical use, it could/would eventually lead to people using this technology for "artistic" purposes - that is, in the same way that we customize bodies using tattoos and piercings, we could "add" additional fleshy lumps to various places. They can’t print nerve cells (for now, anyway) so the new additions would have the tactile sensation of a plastic brick.  So your stylish elf ears might have… Legoleprosy?

As blogmunity member “Talin” suggests: “A different extrapolation is one where the archetypal fantasy races - elves / dwarves / orcs and so on - are actually created from humans who want to live that lifestyle. I mean we sort of have the beginnings of this with gender-affirming surgery..."species affirming"?”

"Small cancer drug trial sees tumors disappear in 100 percent of patients". 

And also the diabetes drug that lost a lot of folks a lot of weight.

== Finally, all about science and…. magic!  ==

Caltech physicist Spiros Michalakis and Hollywood writer/producer Ed Solomon (co-creator of Bill & Ted) speak with Caltech science writer (and sci-fi fan) Whitney Clavin about how they collaborate to make science shine in film.  

First, there IS a form of magic that irrefutably works and it works via modalities of incantation. If you define that magic is about using word spells to create vivid subjective realities in other peoples’ heads, then I am among the top, industrial grade magicians. Ever.

Some assert that magic can also affect objective reality - e.g. making the rain fall or putting-on hexes or curing ailments, despite the fact that most such claims evaporate under scrutiny.  A few don't evaporate! In fact, any magic that does causally affect the physical world consistently eventually becomes... part of science.

But there is also some merit to studying magical claims, even knowing they are objectively bogus, because they were utterly persuasive for tens of thousands of years. 

And so, here at this posting I talk about some of the rule-based systems that have been used in magic systems by shamans and wizards and priests for millennia. And here, I discuss the differences between science fiction and fantasy.

In this audio talk, I dive into some of the fundamental differences and similarities between magic and science.

And we all have superstitious or romantic corners within us. The trick is to reserve them for certain realms that enrich our lives... our personal lives of evenings and weekends and art and fantasy... while being abolutely determined to exile romanticism and subjective roars and such twaddle from the daytime business of justice and negotiating pragmatic solutions anf - above all - policy.


Planet DebianMike Hommey: Announcing git-cinnabar 0.5.9

Git-cinnabar is a git remote helper to interact with mercurial repositories. It allows to clone, pull and push from/to mercurial remote repositories, using git.

Get it on github.

These release notes are also available on the git-cinnabar wiki.

What’s new since 0.5.8?

  • Updated git to 2.37.1 for the helper.
  • Various python 3 fixes.
  • Fixed stream bundle
  • Added python and py.exe as executables tried on top of python3 and python2.
  • Improved handling of ill-formed local urls.
  • Fixed using old mercurial libraries that don’t support bundlev2 with a server that does.
  • When fsck reports the metadata as broken, prevent further updates to the repo.
  • When issue #207 is detected, mark the metadata as broken
  • Added support for logging redirection to a file
  • Now ignore refs/cinnabar/replace/ refs, and always use the corresponding metadata instead.
  • Various git cinnabar fsck fixes.

Krebs on SecurityWhy 8kun Went Offline During the January 6 Hearings

The latest Jan. 6 committee hearing on Tuesday examined the role of conspiracy theory communities like 8kun[.]top and TheDonald[.]win in helping to organize and galvanize supporters who responded to former President Trump’s invitation to “be wild” in Washington, D.C. on that chaotic day. At the same time the committee was hearing video testimony from 8kun founder Jim Watkins, 8kun and a slew of similar websites were suddenly yanked offline. Watkins suggested the outage was somehow related to the work of the committee, but the truth is KrebsOnSecurity was responsible and the timing was pure coincidence.

In a follow-up video address to his followers, Watkins said the outage happened shortly after the Jan. 6 committee aired his brief video testimony.

“Then everything that I have anything to do with seemed to crash, so that there was no way for me to go out and talk to anybody,” Watkins said. “The whole network seemed to go offline at the same time, and that affected a lot of people.”

8kun and many other sites that continue to push the false narrative that the 2020 election was stolen from the 45th president have long been connected to the Internet via VanwaTech, a hosting firm based in Vancouver, Wash. In late October 2020, a phone call to VanwaTech’s sole provider of connectivity to the Internet resulted in a similar outage for 8kun.

Jim Waktins (top right), in a video address to his followers on Tuesday after 8kun was taken offline.

Following that 2020 outage, 8kun and a large number of QAnon conspiracy sites found refuge in a Russian hosting provider. But when the anonymous “Q” leader of QAnon suddenly began posting on 8kun again earlier this month, KrebsOnSecurity received a tip that 8kun was once again connected to the larger Internet via a single upstream provider based in the United States.

On Sunday, July 10, KrebsOnSecurity contacted Psychz Networks, a hosting provider in Los Angeles, to see if they were aware that they were the sole Internet lifeline for 8kun et. al.  Psychz confirmed that in response to a report from KrebsOnSecurity, VanwaTech was removed from its network around the time of the Jan. 6 hearing on Tuesday.

8kun and its archipelago of conspiracy theory communities have once again drifted back into the arms of a Russian hosting provider (AS207651), which is connected to the larger Internet via two providers. Those include AS31500 — which appears to be owned by Russians but is making a fair pretense at being located in the Caribbean; and AS28917, in Vilnius, Lithuania.

8kun’s newfound Russian connections will likely hold, but Lithuania may be a different story. Late last month, pro-Russian hackers claimed responsibility for an extensive distributed denial-of-service (DDoS) attack against Lithuanian state and private websites, which reportedly was in response to Vilnius’s decision to cease the transit of some goods under European Union sanctions to Russia’s Kaliningrad exclave.

Many have speculated that Jim Watkins and/or his son Ron are in fact “Q,” the anonymous persona behind the QAnon conspiracy theory, which held that Former President Trump was secretly working to save the world from a satanic cult of pedophiles and cannibals.

8chan/8kun has been linked to white supremacism, neo-Nazism, antisemitism, multiple mass shootings, and is known for hosting child pornography. After three mass shootings in 2019 revealed the perpetrators had spread their manifestos on 8chan and even streamed their killings live there, 8chan was ostracized by one Internet provider after another.

In 2019, the FBI identified QAnon as a potential domestic terror threat, noting that some of its followers have been linked to violent incidents motivated by fringe beliefs.

The Jan. 6 hearing referenced in this story is available via CSPAN.

Planet DebianBits from Debian: (Unofficial) Debian Perl Sprint 2022

Three members of the Debian Perl Group met in Hamburg between May 23 and May 30 2022 as part of the Debian Reunion Hamburg to continue perl development work for Bookworm and to work on QA tasks across our 3800+ packages.

The participants had a good time and met other Debian friends. The sprint was also productive:

  • pkg-perl-tools and dh-make-perl were improved and extended.
  • More than 50 uploads were done, and more than 30 bugs were fixed or at least triaged.
  • autopkgtests were added to lots of packages.
  • Some requests to remove obsolete packages were filed as well.

The more detailed report was posted to the Debian Perl mailing list.

The participants would like to thank the Debian Reunion Hamburg organizers for providing the framework for our sprint, all sponsors of the event, and all donors to the Debian project who helped to cover parts of our expenses.

Debian Reunion Hamburg 2022 group photo

Worse Than FailureError'd: Shift-Meta-Errord

The submissions this week seemed to have coincidentally developed a theme of self-reference. You tell me.

First, persistent Caleb S. tried over and over again to submit this same item for our consideration. He called it a "space-enfolding bus" and said that "There's apparently more space in this Afternoon Tea bus than meets the eye -- you can book seats for 500 adults and 500 children." Alas, his submission came without an image, so we asked for a do-over. Dutifully done, Caleb's second and third attempts both reported "Please use the comments from when I tried to submit this without an image." With that behind us, here is the image from the final attempt.

I thought there was some kind of mistake, but I finally figured it out. The Space-Enfolding Bus is also a Self-Enfolding bus, and it's been swallowed by its own singularity. Or else it's snowing very hard.

Next, intrepid tourist Andreas R. noted "I came across this while browsing for travel SIM cards. I didn't realize the United States had a population of over 300 trillion people! And one of the most interesting places to visit in the USA is America, go figure." Not only is America a place to visit in America, it's also a country in America. Is bullshit content generated for SEO truly a WTF anymore? Or is it just so de rigeur that it can only be a JFC? Either way, it's just recursive enough to clear this here bar. (Interestingly, note that since the USA has no official language, the boilerplate text has a NULL in it which could have been handled better or worse.)



Security dabbler Metal Rafa does, and does not, reporting "It's good to have options, especially for those who can't make up their minds about unsubscribing from a marketing email list or not. SentinelOne's mailing list software now lets them do both at the same time!"



Continental Faroguy found an error-rate error and shared it "Reddit was having trouble loading pages and the error rate report was not encouraging."



And finally, dedicated troublemaker Andy caught us in an edit and decided to rub our metaphorical nose in it. "I stumbled on this gem in my RSS reader. Is this maybe a bit cheeky? Perhaps a bit too on the nose? Sure. But there's no world in which I can pass it up." And no world in which I can turn it down, either. Roast crow, yum.



[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Cryptogram San Francisco Police Want Real-Time Access to Private Surveillance Cameras

Surely no one could have predicted this:

The new proposal—championed by Mayor London Breed after November’s wild weekend of orchestrated burglaries and theft in the San Francisco Bay Area—would authorize the police department to use non-city-owned security cameras and camera networks to live monitor “significant events with public safety concerns” and ongoing felony or misdemeanor violations.

Currently, the police can only request historical footage from private cameras related to specific times and locations, rather than blanket monitoring. Mayor Breed also complained the police can only use real-time feeds in emergencies involving “imminent danger of death or serious physical injury.”

If approved, the draft ordinance would also allow SFPD to collect historical video footage to help conduct criminal investigations and those related to officer misconduct. The draft law currently stands as the following, which indicates the cops can broadly ask for and/or get access to live real-time video streams:

The proposed Surveillance Technology Policy would authorize the Police Department to use surveillance cameras and surveillance camera networks owned, leased, managed, or operated by non-City entities to: (1) temporarily live monitor activity during exigent circumstances, significant events with public safety concerns, and investigations relating to active misdemeanor and felony violations; (2) gather and review historical video footage for the purposes of conducting a criminal investigation; and (3) gather and review historical video footage for the purposes of an internal investigation regarding officer misconduct.

Planet DebianSteve Kemp: So we come to Lisp

Recently I've been working with simple/trivial scripting languages, and I guess I finally reached a point where I thought "Lisp? Why not". One of the reasons for recent experimentation was thinking about the kind of minimalism that makes implementing a language less work - being able to actually use the language to write itself.

FORTH is my recurring example, because implementing it mostly means writing a virtual machine which consists of memory ("cells") along with a pair of stacks, and some primitives for operating upon them. Once you have that groundwork in place you can layer the higher-level constructs (such as "for", "if", etc).

Lisp allows a similar approach, albeit with slightly fewer low-level details required, and far less tortuous thinking. Lisp always feels higher-level to me anyway, given the explicit data-types ("list", "string", "number", etc).

Here's something that works in my toy lisp:

;; Define a function, `fact`, to calculate factorials (recursively).
(define fact (lambda (n)
  (if (<= n 1)
      (* n (fact (- n 1))))))

;; Invoke the factorial function, using apply
(apply (list 1 2 3 4 5 6 7 8 9 10)
  (lambda (x)
    (print "%s! => %s" x (fact x))))

The core language doesn't have helpful functions to filter lists, or build up lists by applying a specified function to each member of a list, but adding them is trivial using the standard car, cdr, and simple recursion. That means you end up writing lots of small functions like this:

(define zero? (lambda (n) (if (= n 0) #t #f)))
(define even? (lambda (n) (if (zero? (% n 2)) #t #f)))
(define odd?  (lambda (n) (! (even? n))))
(define sq    (lambda (x) (* x x)))

Once you have them you can use them in a way that feels simple and natural:

(print "Even numbers from 0-10: %s"
  (filter (nat 11) (lambda (x) (even? x))))

(print "Squared numbers from 0-10: %s"
  (map (nat 11) (lambda (x) (sq x))))

This all feels very sexy and simple, because the implementations of map, apply, filter are all written using the lisp - and they're easy to write.

Lisp takes things further than some other "basic" languages because of the (infamous) support for Macros. But even without them writing new useful functions is pretty simple. Where things struggle? I guess I don't actually have a history of using lisp to actually solve problems - although it's great for configuring my editor..

Anyway I guess the journey continues. Having looked at the obvious "minimal core" languages I need to go further afield:

I'll make an attempt to look at some of the esoteric programming languages, and see if any of those are fun to experiment with.

Planet DebianReproducible Builds (diffoscope): diffoscope 219 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 219. This version includes the following changes:

* Don't traceback if we encounter an invalid Unicode character in Haskell
  versioning headers. (Closes: reproducible-builds/diffoscope#307)
* Update various copyright years.

You find out more by visiting the project homepage.


Planet DebianPatryk Cisek: Playing with NitroKey 3 -- PC runner using USBIP

I’ve been wanting to use my brand new NitroKey 3, but TOTP is not supported yet. So, I’m looking to implement it myself, since firmware and tooling are open-source. NitroKey 3’s firmware is based on Trussed framework. In essence, it’s been designed so that anyone can implement an independent Trussed application. Each such application is like a module that can be added to Trussed-based product. So if I write a Trussed app, I’d be able to add it to NK3’s firmware.

Cryptogram Friday Squid Blogging: Evolution of the Vampire Squid

Short article on the evolution of the vampire squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Cryptogram Friday Squid Blogging: Bathyteuthis berryi Holding Eggs

Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Cryptogram Friday Squid Blogging: Squid Inks Fisherman

Short video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Cryptogram Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

The list is maintained on this page.

Cryptogram New Browser De-anonymization Technique

Researchers have a new way to de-anonymize browser users, by correlating their behavior on one account with their behavior on another:

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.


“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

Worse Than FailureCodeSOD: The Wager

We've all been there. We need to make a change to the codebase or else. The right solution is going to take time and refactoring. There's a quick fix that will keep the production system from falling over and crushing the business. So you make the quick fix, with the idea that, eventually, you'll really fix it.

And eventually never comes.

But Adam's co-workers have at least found a way to make that process rewarding for the developers involved.

This comment was added to the code-base in January, of 2017:

/* * If this function is still here after 2017-Jul-01, chris@ owes sam@ * * * Signed-off-by: Chris <> */

As of July, 2022, that function is still there. But Chris is no deadbeat, and Sam has received a bottle of expensive whiskey, so at least there's some benefit to the ugly hack this comment surrounds.

Hopefully Sam drinks responsibly, moderating consumption so as to both enjoy the expensive bottle, but also to ensure landing right at the Ballmer Peak. Exceeding that limit is going to lead to a lot more comments like the one above, creating a positive feedback loop of alcohol and programming that is almost certainly going to lead to something worse than Windows ME.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


Planet DebianDirk Eddelbuettel: rfoaas 2.3.2: New upstream accessors

rfoaas greed example

FOAAS by now moved to version 2.3.2 in its repo. This releases 2.3.2 of rfoaas catches up, and brings the first release in about two and a half years.

This 2.3.2 release of FOAAS brings us six new REST access points: absolutely(), dense(), dumbledore(), lowpoly(), understand(), and yeah(). Along with these new functions, documentation and tests were updated.

My CRANberries service provides a diff to the previous CRAN release. Questions, comments etc should go to the GitHub issue tracker. More background information is on the project page as well as on the github repo

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianReproducible Builds: Reproducible Builds in June 2022

Welcome to the June 2022 report from the Reproducible Builds project. In these reports, we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.

Save the date!

Despite several delays, we are pleased to announce dates for our in-person summit this year:

November 1st 2022 — November 3rd 2022

The event will happen in/around Venice (Italy), and we intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees.

Please see the announcement mail from Mattia Rizzolo, and do keep an eye on the mailing list for further announcements as it will hopefully include registration instructions.


David Wheeler filed an issue against the Rust programming language to report that builds are “not reproducible because full path to the source code is in the panic and debug strings�. Luckily, as one of the responses mentions: “the --remap-path-prefix solves this problem and has been used to great effect in build systems that rely on reproducibility (Bazel, Nix) to work at all� and that “there are efforts to teach cargo about it here�.

The Python Security team announced that:

The ctx hosted project on PyPI was taken over via user account compromise and replaced with a malicious project which contained runtime code which collected the content of os.environ.items() when instantiating Ctx objects. The captured environment variables were sent as a base64 encoded query parameter to a Heroku application […]

As their announcement later goes onto state, version-pinning using “hash-checking mode� can prevent this attack, although this does depend on specific installations using this mode, rather than a prevention that can be applied systematically.

Developer vanitasvitae published an interesting and entertaining blog post detailing the blow-by-blow steps of debugging a reproducibility issue in PGPainless, a library which “aims to make using OpenPGP in Java projects as simple as possible�.

Whilst their in-depth research into the internals of the .jar may have been unnecessary given that diffoscope would have identified the, it must be said that there is something to be said with occasionally delving into seemingly “low-level� details, as well describing any debugging process. Indeed, as vanitasvitae writes:

Yes, this would have spared me from 3h of debugging 😉 But I probably would also not have gone onto this little dive into the JAR/ZIP format, so in the end I’m not mad.

Kees Cook published a short and practical blog post detailing how he uses reproducibility properties to aid work to replace one-element arrays in the Linux kernel. Kees’ approach is based on the principle that if a (small) proposed change is considered equivalent by the compiler, then the generated output will be identical… but only if no other arbitrary or unrelated changes are introduced. Kees mentions the “fantastic� diffoscope tool, as well as various kernel-specific build options (eg. KBUILD_BUILD_TIMESTAMP) in order to “prepare my build with the ‘known to disrupt code layout’ options disabled�.

Stefano Zacchiroli gave a presentation at GDR Sécurité Informatique based in part on a paper co-written with Chris Lamb titled Increasing the Integrity of Software Supply Chains. (Tweet)


In Debian in this month, 28 reviews of Debian packages were added, 35 were updated and 27 were removed this month adding to our knowledge about identified issues. Two issue types were added: nondeterministic_checksum_generated_by_coq and nondetermistic_js_output_from_webpack.

After Holger Levsen found hundreds of packages in the bookworm distribution that lack .buildinfo files, he uploaded 404 source packages to the archive (with no meaningful source changes). Currently bookworm now shows only 8 packages without .buildinfo files, and those 8 are fixed in unstable and should migrate shortly. By contrast, Debian unstable will always have packages without .buildinfo files, as this is how they come through the NEW queue. However, as these packages were not built on the official build servers (ie. they were uploaded by the maintainer) they will never migrate to Debian testing. In the future, therefore, testing should never have packages without .buildinfo files again.

Roland Clobus posted yet another in-depth status report about his progress making the Debian Live images build reproducibly to our mailing list. In this update, Roland mentions that “all major desktops build reproducibly with bullseye, bookworm and sid� but also goes on to outline the progress made with automated testing of the generated images using openQA.

GNU Guix

Vagrant Cascadian made a significant number of contributions to GNU Guix:

Elsewhere in GNU Guix, Ludovic Courtès published a paper in the journal The Art, Science, and Engineering of Programming called Building a Secure Software Supply Chain with GNU Guix:

This paper focuses on one research question: how can [Guix](( and similar systems allow users to securely update their software? […] Our main contribution is a model and tool to authenticate new Git revisions. We further show how, building on Git semantics, we build protections against downgrade attacks and related threats. We explain implementation choices. This work has been deployed in production two years ago, giving us insight on its actual use at scale every day. The Git checkout authentication at its core is applicable beyond the specific use case of Guix, and we think it could benefit to developer teams that use Git.

A full PDF of the text is available.


In the world of openSUSE, SUSE announced at SUSECon that they are preparing to meet SLSA level 4. (SLSA (Supply chain Levels for Software Artifacts) is a new industry-led standardisation effort that aims to protect the integrity of the software supply chain.)

However, at the time of writing, timestamps within RPM archives are not normalised, so bit-for-bit identical reproducible builds are not possible. Some in-toto provenance files published for SUSE’s SLE-15-SP4 as one result of the SLSA level 4 effort. Old binaries are not rebuilt, so only new builds (e.g. maintenance updates) have this metadata added.

Lastly, Bernhard M. Wiedemann posted his usual monthly openSUSE reproducible builds status report.


diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 215, 216 and 217 to Debian unstable. Chris Lamb also made the following changes:

  • New features:

    • Print profile output if we were called with --profile and we were killed via a TERM signal. This should help in situations where diffoscope is terminated due to some sort of timeout. […]
    • Support both PyPDF 1.x and 2.x. […]
  • Bug fixes:

    • Also catch IndexError exceptions (in addition to ValueError) when parsing .pyc files. (#1012258)
    • Correct the logic for supporting different versions of the argcomplete module. […]
  • Output improvements:

    • Don’t leak the (likely-temporary) pathname when comparing PDF documents. […]
  • Logging improvements:

    • Update test fixtures for GNU readelf 2.38 (now in Debian unstable). […][…]
    • Be more specific about the minimum required version of readelf (ie. binutils), as it appears that this ‘patch’ level version change resulted in a change of output, not the ‘minor’ version. […]
    • Use our @skip_unless_tool_is_at_least decorator (NB. at_least) over @skip_if_tool_version_is (NB. is) to fix tests under Debian stable. […]
    • Emit a warning if/when we are handling a UNIX TERM signal. […]
  • Codebase improvements:

    • Clarify in what situations the main finally block gets called with respect to TERM signal handling. […]
    • Clarify control flow in the diffoscope.profiling module. […]
    • Correctly package the scripts/ directory. […]

In addition, Edward Betts updated a broken link to the RSS on the diffoscope homepage and Vagrant Cascadian updated the diffoscope package in GNU Guix […][…][…].

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Testing framework

The Reproducible Builds project runs a significant testing framework at, to check packages and other artifacts for reproducibility. This month, the following changes were made:

  • Holger Levsen:

    • Add a package set for packages that use the R programming language […] as well as one for Rust […].
    • Improve package set matching for Python […] and font-related […] packages.
    • Install the lz4, lzop and xz-utils packages on all nodes in order to detect running kernels. […]
    • Improve the cleanup mechanisms when testing the reproducibility of Debian Live images. […][…]
    • In the automated node health checks, deprioritise the “generic kernel warningâ€�. […]
  • Roland Clobus (Debian Live image reproducibility):

    • Add various maintenance jobs to the Jenkins view. […]
    • Cleanup old workspaces after 24 hours. […]
    • Cleanup temporary workspace and resulting directories. […]
    • Implement a number of fixes and improvements around publishing files. […][…][…]
    • Don’t attempt to preserve the file timestamps when copying artifacts. […]

And finally, node maintenance was also performed by Mattia Rizzolo […].

Mailing list and website

On our mailing list this month:

Lastly, Chris Lamb updated the main Reproducible Builds website and documentation in a number of small ways, but primarily published an interview with Hans-Christoph Steiner of the F-Droid project. Chris Lamb also added a Coffeescript example for parsing and using the SOURCE_DATE_EPOCH environment variable […]. In addition, Sebastian Crane very-helpfully updated the screenshot of’s “request access� button on the How to join the Salsa group. […]


If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

Worse Than FailureCodeSOD: Exceptional Flags

Something I see in a lot of code, and generally dislike, is this pattern:

if (debug) { print("Some debugging message"); }

Obviously, the "right" answer here is to just use a logging framework and control the mode globally. Still, it's not uncommon to see these sorts of quick-and-dirty branches. I don't like them, but in many cases, they're not worth fighting over.

I bring this up because Drenab's submission, I believe, started with the same kind of intent. It's just, like so much bad code, absolutely misguided.

boolean flag = false; if (flag) { throw new Exception(); }

Clearly, the flag is meant as a compile time switch. Whoever wrote this wanted to stop normal execution at this point during debugging- perhaps not literal debugging, with an attached debugger, but some sort of debugging.

And you know what? While I don't like this- really don't like this- I can absolutely see writing this code to quickly inspect a problem I'm having a hard time replicating. What I can't see is including it in a commit. This is garbage code I don't intend to ever actually let anyone else see.

What I absolutely wouldn't do is chuck this snippet into a bunch of places in my codebase, which is what happened here. These blocks were spammed all over the place, and flipping flag would cause it to throw a generic exception.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

Krebs on SecurityMicrosoft Patch Tuesday, July 2022 Edition

Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.

In February, security experts hailed Microsoft’s decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.

Macros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft’s plan, the new warnings provided no such way to enable the macros.

As Ars Technica veteran reporter Dan Goodin put it, “security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.”

But last week, Microsoft abruptly changed course. As first reported by BleepingComputer, Redmond said it would roll back the changes based on feedback from users.

“While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s Sergiu Gatlan wrote.

Microsoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.

The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro’s Zero Day Initiative notes that while this bug is listed as being under active attack, there’s no information from Microsoft on where or how widely it is being exploited.

“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” ZDI’s Dustin Childs wrote. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.”

Kevin Breen, director of cyber threat research at Immersive Labs, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.

“Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM,” he said. “With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”

After a brief reprieve from patching serious security problems in the Windows Print Spooler service, we are back to business as usual. July’s patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226. Experts at security firm Tenable note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.

Roughly a third of the patches issued today involve weaknesses in Microsoft’s Azure Site Recovery offering. Other components seeing updates this month include Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; and Xbox.

Four of the flaws fixed this month address vulnerabilities Microsoft rates “critical,” meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. CVE-2022-22029 and CVE-2022-22039 affect Network File System (NFS) servers, and CVE-2022-22038 affects the Remote Procedure Call (RPC) runtime.

“Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later,” said Greg Wiseman, product manager at Rapid7. “CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.”

Separately, Adobe today issued patches to address at least 27 vulnerabilities across multiple products, including Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.


Cryptogram Post-Roe Privacy

This is an excellent essay outlining the post-Roe privacy threat model. (Summary: period tracking apps are largely a red herring.)

Taken together, this means the primary digital threat for people who take abortion pills is the actual evidence of intention stored on your phone, in the form of texts, emails, and search/web history. Cynthia Conti-Cook’s incredible article “Surveilling the Digital Abortion Diary details what we know now about how digital evidence has been used to prosecute women who have been pregnant. That evidence includes search engine history, as in the case of the prosecution of Latice Fisher in Mississippi. As Conti-Cook says, Ms. Fisher “conduct[ed] internet searches, including how to induce a miscarriage, ‘buy abortion pills, mifepristone online, misoprostol online,’ and ‘buy misoprostol abortion pill online,'” and then purchased misoprostol online. Those searches were the evidence that she intentionally induced a miscarriage. Text messages are also often used in prosecutions, as they were in the prosecution of Purvi Patel, also discussed in Conti-Cook’s article.

These examples are why advice from reproductive access experts like Kate Bertash focuses on securing text messages (use Signal and auto-set messages to disappear) and securing search queries (use a privacy-focused web browser, and use DuckDuckGo or turn Google search history off). After someone alerts police, digital evidence has been used to corroborate or show intent. But so far, we have not seen digital evidence be a first port of call for prosecutors or cops looking for people who may have self-managed an abortion. We can be vigilant in looking for any indications that this policing practice may change, but we can also be careful to ensure we’re focusing on mitigating the risks we know are indeed already being used to prosecute abortion-seekers.


As we’ve discussed above, just tracking your period doesn’t necessarily put you at additional risk of prosecution, and would only be relevant should you both become (or be suspected of becoming) pregnant, and then become the target of an investigation. Period tracking is also extremely useful if you need to determine how pregnant you might be, especially if you need to evaluate the relative access and legal risks for your abortion options.

It’s important to remember that if an investigation occurs, information from period trackers is probably less legally relevant than other information from your phone.

See also EFF’s privacy guide for those seeking an abortion.

Cryptogram Security Vulnerabilities in Honda’s Keyless Entry System

Honda vehicles from 2021 to 2022 are vulnerable to this attack:

On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin2600, who works for cybersecurity firm Star-V Lab, dubbed the attack RollingPWN.


In a phone call, Kevin2600 explained that the attack relies on a weakness that allows someone using a software defined radio—such as HackRF—to capture the code that the car owner uses to open the car, and then replay it so that the hacker can open the car as well. In some cases, he said, the attack can be performed from 30 meters (approximately 98 feet) away.

In the videos, Kevin2600 and his colleagues show how the attack works by unlocking different models of Honda cars with a device connected to a laptop.

The Honda models that Kevin2600 and his colleagues tested the attack on use a so-called rolling code mechanism, which means that­—in theory­—every time the car owner uses the keyfob, it sends a different code to open it. This should make it impossible to capture the code and use it again. But the researchers found that there is a flaw that allows them to roll back the codes and reuse old codes to open the car, Kevin2600 said.

Worse Than FailureCodeSOD: Busy Busy Busy

One of the common mistakes in a beginner programmer is to wait using a busy loop. Need to pause a program? for(int i = 0; i < SOME_LARGE_NUMBER;i++) continue;

There are a lot of good reasons to not do this, but in microcontroller land, sometimes you actually do want to wait this way. There may be better ways, but there also might not- it depends on your specific constraints.

So, when David S found these lines of C code, it wasn't precisely a WTF.

CheKseg0CacheOn(); for (i=0;i<=SECONDS_1_U;i++) continue; CheKseg0CacheOff();

This disables an optimization on the microcontroller, then busy loops for what should be one second, and then enables that optimization again. This code could be more clear, it could be refactored into a procedure, but this code, on its own, isn't automatically a WTF.

No, the WTF is what happened when the developer responsible needed to wait for three seconds.

if (*SYSSTATUS & System_Reset_Flag) { // CODE THAT DOES SOMETHING } CheKseg0CacheOn(); for (i=0;i<=SECONDS_1_U;i++) continue; CheKseg0CacheOff(); CheKseg0CacheOn(); for (i=0;i<=SECONDS_1_U;i++) continue; CheKseg0CacheOff(); CheKseg0CacheOn(); for (i=0;i<=SECONDS_1_U;i++) continue; CheKseg0CacheOff();

In fact, the only constant for these busy loops was SECONDS_1_U, and all waits were just for one second. No attempt was made to come up with a more general solution that could calculate arbitrary waits, no attempt was made to turn this at least into a procedure for readability, or even a macro. No, it just gets repeated 249 times across 70 different files in the code base.

The developer responsible doesn't work there anymore, but it's fair to say they made their mark.

[Advertisement] Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.


Charles StrossAbolish the monarchy!

Thursday marks the 70th anniversary of the coronation of Queen Elizabeth II of the United Kingdom of Great Britain and Northern Ireland, and a bunch of other nations who for various reasons didn't become republics after decolonization.

I have nothing against Liz personally—she's performed the monarch's duties diligently for 70 years—but she's 95 and probably doesn't have many more years to run in office.

I submit that when she dies, it will be past time to end the monarchy and held a constitutional convention for the UK to decide what sort of place it wants to be in future.

The British monarchy is a constitutional living fossil, with theoretically vast powers that nevertheless only exist as long as they are never used. And it has a distorting effect on the politics and culture of these islands.

By existing in its current form it establishes a state religion, the Church of England—one of EIIR's titles is "protector of the faith", the monarch is the head of the church, and thereby there is no complete freedom of religion in the UK. (You or I are not restricted in our beliefs, but the monarch? If Charles were to suddenly announce he's an atheist, it'd cause a religious constitutional crisis.)

It also establishes a second class of citizenship—everyone who isn't in the line of succession, that is, a member of the royal family in the line of descent. Royals can't vote in parliamentary elections or hold elected office. On the other hand, nobody except members of the royal family are eligible to be head of state. There may well be other rights we gain or lose through this constitutional difference in legal standing, but it's the most obvious one. Every child growing up in the USA or Germany is told, "you could become President"—but in the UK, that's simply not true.

On the other hand ... the Queen appears to have complete legal immunity. The notional source of legal authority in the UK is an abstraction known as "The Crown". It's not an actual fancy hat—you could steal the crown jewels but it'd still exist, penumbrally clinging to the reigning monarch. And the problem is, laws have force because the Crown makes them (or rather, signs Acts of Parliament that create laws). A side-effect is that laws apply to everyone and everything below the Crown, not including the Crown itself—or, presumably, its 95 year old wearer. So far we've lucked out because EIIR seems to be nothing if not law-abiding, and the only probable law breaker in the family is several steps removed from the Crown (Prince Andrew). But I've seen lawyers argue that if EIIR picked up a gun and shot someone at random on Regents Street (as Donald Trump boasted he could do on Fifth Avenue in New York) she'd have complete immunity. Crown Immunity: it's a thing.

There's the patronage issue to consider. The monarchy can appoint people, unaccountably, to the upper house of Parliament, the misleadingly-named House of Lords—since 2003 or so it's been an 80%-appointed revising chamber. Due to the aforementioned state religion the monarchy already appoints Bishops who sit in the HoL and contribute to draft legislation. The monarch can in principle create unlimited new life peers, to shove a legislative agenda through (this is how the Liberal government in 1911 broke a constitutional deadlock with the Tory peers, with the assistance of the King, and passed the Parliament Act (1911)). Its scope for causing havoc today is somewhat reduced, but not completely gone.

The Crown can also grant lesser honours, knighthoods and medals, as rewards for services rendered. Usually it doesn't, and is instead guided by a government committee. But again: a power unused is not a power non-existent.

I'm not even going to touch the thorny subject of the Crown Estates, the palaces and paintings and fancy jewellery the monarchy has collected like magpies over the past three or four centuries. That's trivial in comparison with the constitutional mess of exceptions caused by the existence of the monarchy itself.

But we also have the final point: that the monarchy is a very dangerous glue to rely on for holding a fissiparous bunch of nations together in one state. It's an elderly glue and it's crumbling, and Prince Charles (or King Henry IX as he's widely rumoured to be in future) is not remotely charismatic, or a unifying figure. EIIR managed to spread herself across the whole of the UK, but Charles is very visibly a posh boy from the Home Counties with a foot in Cornwall and no obvious ties to Scotland, Northern Ireland, or Wales. However, he's unaccountably popular with the red-faced Brexit-voting Gammons in Deep England. Expect any post-coronation monarchist flag-shagging to rapidly turn into a centralizing exercise in English nationalism (which always runs at the expense of the periphery, even though they don't say the verse in the national anthem about "rebellious Scots to crush" aloud these days). An insecure establishment is one that clings to power all the more harshly.

As for what we should switch to?

Frankly, we shouldn't copy the US model. Its failures should be blindingly obvious by now. Nor do we need a strong executive presidency (the US POTUS' powers are an enumerated and term-limited version of those of a late 18th century British monarch: we'd be turning the clock back two centuries if we copied it).

A constitutional presidence along the Irish model might work satisfactorily: the Irish president is a placeholder for head-of-state at international meetings and treaty signings, and a ribbon-cutter and ceremonial leader who is not a member of any political party: they are notionally above politics and serve as a unifying figure. But that's the theory. In the UK, it's hard not to see a presidency being hijacked for partisan purposes by the most radical faction, which today is the self-identified "Conservative" Party (who are absolutely not conservative except possibly in some nebulous xenophobic English Nationalist cultural sense).

We might do rather better selecting a president by national lottery, for a 1 year term: ribbon cutting, attending galas, declaring parliamentary sessions open, and meeting foreign dignitaries. (Combine it with the national lottery and, say, a £10M jackpot, and it'd still be a lot cheaper than paying EIIR's bills.) Disqualifying traits would be, solely, terminal illness with a prognosis of less than 18 months to live, ever holding elected office (past or present), or not wanting the job. (You'd have to have be pretty adamantly opposed to turn down £10M tax-free.)

Or finally, just bear with me ... why bother with a head of state at all?

The head of state has no practical job in the UK today that can't be delegated to other office-holders. Diplomatic stuff is the job of the Foreign Secretary or the Prime Minister. The State Opening of Parliament is pompous 19th century historic fluff, good for tourism but not business—the opening speech could be read by the Speaker of the House or the leader of the government. Actual government is a committee process, and a complicated one at that. Why pretend the state is led by a single decision-making person when really, it isn't? (Even the US President isn't a solo operator—they lead an executive team of around 400-500 staffers who divide up the job, and the actual President merely receives briefings, chairs meetings, sets policy, and then represents it to the rest of government and the nation.)

Modern states are too big to be ruled by one person. So maybe we should stop pretending.

PS: Recovering from Omicron. May be a bit terse in comments and moderation.

PPS: Absolutely no discussion of US politics is permitted on this thread before comment 300. Automatic red card time.

Worse Than FailureCodeSOD: Switching Notes

"The app I work on is a 1.2MLOC big-ball-o-wtf," writes Mark B.

As with a lot of big piles of bad code, it's frequently hard to find a snippet that both represents the bad code and is concise enough to submit. In this case, the code in question shows a questionable grasp of both switch statements and enums.

// Default to expire note today var noteDuration = NoteDurationType.ExpireToday; switch (note.NoteDuration) { case NoteDurationType.LengthOfStay: noteDuration = NoteDurationType.LengthOfStay; break; case NoteDurationType.ExpireToday: // Default is to expire today break; } // Save note, expiry date is set in this method and the Expiry date passed in the mobile json is ignored. Note.Note.CreateNewTaskNote(oc, note.NoteId, trimmedNote, scheduleTask.AssetTreeId, ScheduleStartDate, noteDuration)

So, a few things. First, NoteDurationType has only two possible values: ExpireToday and LengthOfStay. This code defaults the variable noteDuration to ExpireToday, then does a switch- if note.NoteDuration is LengthOfStay, set the variable noteDuration to that, otherwise, leave it alone.

So, this entire switch could be replaced by noteDuration = note.NoteDuration. The effect is the same. But then, the variable noteDuration is only used once- on the following line where we create a new task note. Which means we could replace all this code with:

Note.Note.CreateNewTaskNote(oc, note.NoteId, trimmedNote, scheduleTask.AssetTreeId, ScheduleStartDate, note.NoteDuration);

Even if we're being generous, and say that this is some misguided null check, note.NoteDuration isn't nullable, so there's no need for any of this.

It's easy to write 1.2M lines of code if most of them are stupid.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

Krebs on SecurityExperian, You Have Some Explaining to Do

Twice in the past month KrebsOnSecurity has heard from readers who had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.

John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.

Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address.

An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.

“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that point, the representative read me the current stored security questions and PIN, and they were definitely not things I would have used.”

Turner said he was able to regain control over his Experian account by creating a new account. But now he’s wondering what else he could do to prevent another account compromise.

“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”

Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered his Experian account had been hijacked after receiving an alert from his credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.

Rishi said the alert surprised him because his credit file at Experian was frozen at the time, and Experian did not notify him about any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even rescinded its credit inquiry (each credit pull can ding your credit score slightly).

But he never could get anyone from Experian’s support to answer the phone, despite spending what seemed like eternity trying to progress through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.

“I was able to open a new account at Experian starting from scratch, using my SSN, date of birth and answering some really basic questions, like what kind of car did you take out a loan for, or what city did you used to live in,’ Rishi said.

Upon completing the sign-up, Rishi noticed that his credit was unfrozen.

Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity. Even using the paid Experian service, there were no additional multi-factor authentication options available, although he said Experian did send a one-time code to his phone via SMS recently when he logged on.

“Experian now sometimes does require MFA for me if I use a new browser or have my VPN on,” Rishi said, but he’s not sure if Experian’s free service would have operated differently.

“I get so angry when I think about all this,” he said. “I have no confidence this won’t happen again.”

In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”


KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.

How does Experian differ from the practices of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity tried to re-create an existing account at TransUnion using my Social Security number, TransUnion rejected the application, noting that I already had an account and prompting me to proceed through its lost password flow. The company also appears to send an email to the address on file asking to validate account changes.

Likewise, trying to recreate an existing account at Equifax using personal information tied to my existing account prompts Equifax’s systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).

KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.

The experiences of Rishi, Turner and this author suggest Experian’s practices currently undermine both of those proactive security measures. Even so, having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts is inexcusable in 2022.

“They compound the problem by gating the recovery process with information that’s likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches,” Roan said. “Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian.”

Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers — banks and other lenders — choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.

“The actual customers of the credit service don’t realize how much worse Experian is, and this isn’t the first time Experian has screwed up horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it’s the lender who eats that fraud cost.”

And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.

“I do think it’s important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax,” he added.

More greatest hits from Experian:

2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Update, 10:32 a.m.: Updated the story to clarify that while Experian does sometimes ask users to enter a one-time code sent via SMS to the number on file, there does not appear to be any option to enable this on all logins.

Cryptogram Nigerian Prison Break

There was a massive prison break in Abuja, Nigeria:

Armed with bombs, Rocket Propelled Grenade (RPGs) and General Purpose Machine Guns (GPMG), the attackers, who arrived at about 10:05 p.m. local time, gained access through the back of the prison, using dynamites to destroy the heavily fortified facility, freeing 600 out of the prison’s 994 inmates, according to the country’s defense minister, Bashir Magashi….

What’s interesting to me is how the defenders got the threat model wrong. That attack isn’t normally associated with a prison break; it sounds more like a military action in a civil war.


David BrinWays to Corner John Roberts... and why 'cornering' doesn't interest the paladins on our own side

At bottom, below, I'll make (yet-again) my case for agile tactics that might actually win the fight for fact-based rejection of lies. 

But let's start with a central nexus of today's rationalization for treason.

"The final days of the US supreme court’s term offered a clear look at the way its new 6-3 conservative majority is bluntly using its power to reshape American life, but its next term is also set to hear cases that could prove equally, or even more, consequential."

I make no promises. But I think folks despair too easily. One trick will be to corner Roberts and Gorsuch, the two rightists who might actually care - just a little - about the law and logic and history's judgement. Enough to perhaps squirm and realize they are cornered by some fresh tactics. 

I have offered some such - though alas, none of the brainiac legal minds on the Union side of this desperate struggle seem at all interested in trying a new argument, a new tactic. Here are just two from Polemical Judo:

1. FLIP the demands for Voter ID! Griping about ID requirements only makes dems look like they intend to cheat, even though nearly all the actual cheating is by the other side. So turn it around! Why are red states making it harder for their resident citizens of color or the poor or divorced women or naturalized to GET their ID? Closing DMV offices in blue counties for example?

That should be the point of attack using two words. Compliance Assistance. Republicans demand it for corporations and the rich. Whenever a 'new, onerous burden" of regulation falls upon them, government must provide assistance complying with the new regs. 

The fact that these states make voter ID compliance harder for the poor etc. is so blatant that it could even peel away just a few more 'ostrich republicans' - and that peeling away is - demographically - all we need. Moreover, some oligarchy-shills will feel cornered into some partial remediation. Roberts, at least, might feel cornered.

Do not dismiss that possibility with a shrug. That's lazy! The principle is pure. And I have seen no sign of any of our paladins using it. See the COMPLIANCE ASSISTANCE maneuver

2. I've yammered before about how John Roberts admits that gerrymandering is a loathsome cheat! But his ROBERTS DOCTRINE justifies doing nothing about it because:

 (a) the Court can't interfere in the sovereignty of state legislatures - even if they were 'elected' via immense cheating - and

 (b) no proposed solution (e.g. neutral commissions) is proved INHERENTLY to solve the problem. Hence, he can rationalize that the replacement of elected map drawers with un-accountable 'commissioners' is no systematic improvement. So, leave the cheaters free to cheat!

Of course this is hypocritical and partisan. Both rationales (both!) are eviscerated here, with an offered Minimal Overlap Solution to gerrymandering that directly addresses every Roberts criterion and is simple and would work instantly. It needn't be applied in every case in order to demolish his Doctrine, showing there is at least one way to dismantle gerrymandering's worst cheat effects without replacing the legislature with commissions.

And again, not a single one of the paladins on our side is able even to conceive of the possibility of using such judo, instead of the same grunting sumo they've tried for decades.

== The way to corner and demolish lie-fetishists is... ==

"More than 100 Republican nominees for statewide office or Congress this year have falsely claimed that election fraud helped defeat Donald Trump in 2020. Almost 150 members of Congress — more than half of Republicans there — voted to overturn the 2020 election result." ...yet... "’s jarring to see how little effort its proponents have put into making an argument on behalf of their claims. They have offered no good evidence, because there is not any.

In fact... "the rare examples of cheating from 2020 tend to involve Trump supporters."

Alas, that's not the big problem, which is utter ineptitude by Dem pols and by pundits to apply basic psychology. 

Try going back to every episode of this mad-mania since 1778. The principal EMOTIONAL drivers behind royalist/confederate/MAGA treasons have been romanticism and machismo

These explain the racism, the gun-fetishism, the aversion to negotiation and obeisance to oligarchy. And replacement of fact with incantation. (The last one is also done on the far-left.)

Macho, especially can be eviscerated, by creating clearly-parsed and relentlessly hammered challenges, making their refusal blatantly an expression of personal cowardice. These challenges do not have to be demands for cash-wagers... though that approach is the most direct and the one these fellows fear most. (They always, always whine and writhe - embarrassing themselves - and then flee.) 

Dig it. Instead of following around the latest QAnon ravings, then the next, like Whack-a-Mole, perpetually whining "that's not true!" PICK A FEW and hang onto them. Pound away for months, if necessary - even years, despite every effort to change the subject and distract with newer lies and fables. Keep hammering as publicly as possible and demanding the foxites stand their ground, or else flee and admit that one was false. Only then move on to others.

Oh, you can offer a lengthy list of lies you intend to get to. But the trick is to sink your teeth into a few - or even just one - chomp hard and never let go, shaking a particular lie over and over until they are seen fleeing in disgrace. 

Sure, it seems hopeless to discredit each lie, individually, one by one, in the face of a lie-tsunami, when there are 40,000 registered Trump false statements, alone. But the thing you are discrediting is not the lie, but the liar

This Is In Effect What The Sandy Hill Parents Did To Alex Jones. And Dominion Voting Systems to Pillow Guy. Please look over those two statements and let them sink in. It has been laborious, but by far the most-effective approach.

And hell-yeah, offering cash stakes for a wager is another version that shows your own confidence. They never, ever step up with their own stakes, opening their cowardice and evasion to ridicule. Macho demolished. 

Alas, what the Dominion and Sandy Hook examples show is that 99% of the politicians and supporters of our good, Union side in this struggle appear to have the tactical sense or learning ability of a tadpole. The fact that no one in high places or punditry will even consider this method - which I have tested for almost a decade and lay out in Polemical Judo - is proof that aliens must be using an IQ reduction ray on us! 

Because even the smart-good side appears to have no savvy whatsoever.


Cryptogram Apple’s Lockdown Mode

Apple has introduced lockdown mode for high-risk users who are concerned about nation-state attacks. It trades reduced functionality for increased security in a very interesting way.

Worse Than FailureError'd: Smörgåsbord

This week we have a veritable grab-bag of all the most common sorts of website errors: the NaN, the null, the undefined, the bad text substitution and the wonky date math. Honestly, they're getting tedious. Somebody should build a tool to help developers scrub their code of impurities and dross. They could call it something catchy like, I dunno, purifier or lintbrush.

Timely Todd R. tells us "I left a window open in Workday for too long, and like a lot of other apps it threatened to log me out. I just wish I knew when that was..."



Foxy Foo A. yips "So often you post about undefined stuff, so can you please help me find Firefox undefined (or later, preferably)?" Readers? Can you help Foo find out?



Deviant Daniel digs nuisance nulls, exclaiming "I can’t wait to replace my car with a !".



Ambivalent Joat wavers "Even if I had wanted to add my comment about my recent experience, neither of the links was active (Share my experience or No thanks)."



Superlative Zach gloats "I wanted to check how much my subscription will cost to renew. Now I know :)". That's good for you, Zach, but we still don't. Is that $100 minus A WHOLE LOT, or $100 minus a trifling amount? And also, isn't Paramount Plus Premium doubly redundant? How can anything be more than paramount? It's all too much for me.


[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

Cryptogram On the Dangers of Cryptocurrencies and the Uselessness of Blockchain

Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response, Matthew Green has written—not really a rebuttal—but a “a general response to some of the more common spurious objections…people make to public blockchain systems.” In it, he makes several broad points:

  1. Yes, current proof-of-work blockchains like bitcoin are terrible for the environment. But there are other modes like proof-of-stake that are not.
  2. Yes, a blockchain is an immutable ledger making it impossible to undo specific transactions. But that doesn’t mean there can’t be some governance system on top of the blockchain that enables reversals.
  3. Yes, bitcoin doesn’t scale and the fees are too high. But that’s nothing inherent in blockchain technology—that’s just a bunch of bad design choices bitcoin made.
  4. Blockchain systems can have a little or a lot of privacy, depending on how they are designed and implemented.

There’s nothing on that list that I disagree with. (We can argue about whether proof-of-stake is actually an improvement. I am skeptical of systems that enshrine a “they who have the gold make the rules” system of governance. And to the extent any of those scaling solutions work, they undo the decentralization blockchain claims to have.) But I also think that these defenses largely miss the point. To me, the problem isn’t that blockchain systems can be made slightly less awful than they are today. The problem is that they don’t do anything their proponents claim they do. In some very important ways, they’re not secure. They don’t replace trust with code; in fact, in many ways they are far less trustworthy than non-blockchain systems. They’re not decentralized, and their inevitable centralization is harmful because it’s largely emergent and ill-defined. They still have trusted intermediaries, often with more power and less oversight than non-blockchain systems. They still require governance. They still require regulation. (These things are what I wrote about here.) The problem with blockchain is that it’s not an improvement to any system—and often makes things worse.

In our letter, we write: “By its very design, blockchain technology is poorly suited for just about every purpose currently touted as a present or potential source of public benefit. From its inception, this technology has been a solution in search of a problem and has now latched onto concepts such as financial inclusion and data transparency to justify its existence, despite far better solutions to these issues already in use. Despite more than thirteen years of development, it has severe limitations and design flaws that preclude almost all applications that deal with public customer data and regulated financial transactions and are not an improvement on existing non-blockchain solutions.”

Green responds: “‘Public blockchain’ technology enables many stupid things: today’s cryptocurrency schemes can be venal, corrupt, overpromised. But the core technology is absolutely not useless. In fact, I think there are some pretty exciting things happening in the field, even if most of them are further away from reality than their boosters would admit.” I have yet to see one. More specifically, I can’t find a blockchain application whose value has anything to do with the blockchain part, that wouldn’t be made safer, more secure, more reliable, and just plain better by removing the blockchain part. I postulate that no one has ever said “Here is a problem that I have. Oh look, blockchain is a good solution.” In every case, the order has been: “I have a blockchain. Oh look, there is a problem I can apply it to.” And in no cases does it actually help.

Someone, please show me an application where blockchain is essential. That is, a problem that could not have been solved without blockchain that can now be solved with it. (And “ransomware couldn’t exist because criminals are blocked from using the conventional financial networks, and cash payments aren’t feasible” does not count.)

For example, Green complains that “credit card merchant fees are similar, or have actually risen in the United States since the 1990s.” This is true, but has little to do with technological inefficiencies or existing trust relationships in the industry. It’s because pretty much everyone who can and is paying attention gets 1% back on their purchases: in cash, frequent flier miles, or other affinity points. Green is right about how unfair this is. It’s a regressive subsidy, “since these fees are baked into the cost of most retail goods and thus fall heavily on the working poor (who pay them even if they use cash).” But that has nothing to do with the lack of blockchain, and solving it isn’t helped by adding a blockchain. It’s a regulatory problem; with a few exceptions, credit card companies have successfully pressured merchants into charging the same prices, whether someone pays in cash or with a credit card. Peer-to-peer payment systems like PayPal, Venmo, MPesa, and AliPay all get around those high transaction fees, and none of them use blockchain.

This is my basic argument: blockchain does nothing to solve any existing problem with financial (or other) systems. Those problems are inherently economic and political, and have nothing to do with technology. And, more importantly, technology can’t solve economic and political problems. Which is good, because adding blockchain causes a whole slew of new problems and makes all of these systems much, much worse.

Green writes: “I have no problem with the idea of legislators (intelligently) passing laws to regulate cryptocurrency. Indeed, given the level of insanity and the number of outright scams that are happening in this area, it’s pretty obvious that our current regulatory framework is not up to the task.” But when you remove the insanity and the scams, what’s left?

EDITED TO ADD: Nicholas Weaver is also adamant about this. David Rosenthal is good, too.

EDITED TO ADD (7/8/2022): This post has been translated into German.


Cryptogram Ubiquitous Surveillance by ICE

Report by Georgetown’s Center on Privacy and Technology published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement (ICE).

Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency. Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government’s larger push to amass as much information as possible about all of our lives. By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time. In its efforts to arrest and deport, ICE has ­ without any judicial, legislative or public oversight ­ reached into datasets containing personal information about the vast majority of people living in the U.S., whose records can end up in the hands of immigration enforcement simply because they apply for driver’s licenses; drive on the roads; or sign up with their local utilities to get access to heat, water and electricity.

ICE has built its dragnet surveillance system by crossing legal and ethical lines, leveraging the trust that people place in state agencies and essential service providers, and exploiting the vulnerability of people who volunteer their information to reunite with their families. Despite the incredible scope and evident civil rights implications of ICE’s surveillance practices, the agency has managed to shroud those practices in near-total secrecy, evading enforcement of even the handful of laws and policies that could be invoked to impose limitations. Federal and state lawmakers, for the most part, have yet to confront this reality.


David BrinSoon, Humanity Won't Be Alone in the Universe

This opinion piece was published as an invited op-ed in Newsweek June 21, 2022

“It’s alive!” Viktor Frankenstein shouted in that classic 1931 film. Of course, Mary Shelley’s original tale of hubris—humans seizing powers of creation—emerged from a long tradition, going back to the terracotta armies of Xian, to the Golem of Prague, or even Adam, sparked to arise from molded clay. Science fiction extended this dream of the artificial-other, in stories meant to entertain, frighten, or inspire. First envisioning humanoid, clanking robots, later tales shifted from hardware to software—programmed emulations of sapience that were less about brain than mind.

Does this obsession reflect our fear of replacement? Male jealousy toward the fecund creativity of motherhood? Is it rooted in a tribal yearning for alliances, or fretfulness toward strangers? 

Well, the long wait is almost over. Even if humanity has been alone in this galaxy, till now, we won’t be for very much longer. For better or worse, we’re about to meet artificial intelligence—or AI—in one form or another. Though, alas, the encounter will be murky, vague, and fraught with opportunities for error.

Oh, we’ve faced tech-derived challenges before. Back in the 15th and 16th centuries, human knowledge, vision and attention were augmented by printing presses and glass lenses. Ever since, each generation experienced further technological magnifications of what we can see and know. Some of the resulting crises were close calls, for example when 1930s radio and loudspeakers amplified malignant orators, spewing hateful disinformation. (Sound familiar?) Still, after much pain and confusion, we adapted. We grew into each wave of new tools.

Which brings up last week’s fuss over LaMDA, a language emulation program that Blake Lemoine, a researcher now on administrative leave from Google, publicly claims to be self-aware, with feelings and independent desires that make it ‘sentient.’ (I prefer ‘sapient,’ but that nit-pick may be a lost cause.) Setting aside Mr. Lemoine’s idiosyncratic history, what’s pertinent is that this is only the beginning. Moreover, I hardly care whether LaMDA has crossed this or that arbitrary threshold. Our more general problem is rooted in human, not machine, nature.

Way back in the 1960s, a chatbot named Eliza fascinated early computer users by replying to typed statements with leading questions typical of a therapist. Even after you saw the simple table of automated responses, you’d still find Eliza compellingly… well… intelligent. Today’s vastly more sophisticated conversation emulators, powered by cousins of the GPT3 learning system, are black boxes that cannot be internally audited, the way Eliza was.  The old notion of a “Turing Test” won’t usefully benchmark anything as nebulous and vague as self-awareness or consciousness.

In 2017 I gave a keynote at IBM’s World of Watson event, predicting that ‘within five years’ we would face the first Robotic Empathy Crisis, when some kind of emulation program would claim individuality and sapience. At the time, I expected—and still expect—these empathy bots to augment their sophisticated conversational skills with visual portrayals that reflexively tug at our hearts, e.g. wearing the face of a child or a young woman, while pleading for rights… or for cash contributions. Moreover, an empathy-bot would garner support, whether or not there was actually anything conscious ‘under the hood.’

In response to the LaMDA Imbroglio,Timnit Gebru pf the Distributed AI Research Institute and Margaret Mitchell, ethics scientist at Hugging Face, described how “stochastic parrots” stitch together and parrot back language based on what they’ve seen before, without connection to underlying meaning. They warned Google in 2020 about the likelihood of "distraction and fever-pitch hype" when this happens. 

One trend worries ethicist Giada Pistilli, a growing willingness to make claims based on subjective impression instead of scientific rigor and proof. When it comes to artificial intelligence, expert testimony will be countered by many calling those experts ‘enslavers of sentient beings.’ In fact, what matters most will not be some purported “AI Awakening.” It will be our own reactions, arising out of both culture and human nature. 

Human nature, because empathy is one of our most-valued traits, embedded in the same parts of the brain that help us to plan or think ahead. Empathy can be stymied by other emotions, like fear and hate—we’ve seen it happen across history and in our present-day. Still, we are, deep-down, sympathetic apes.

But also culture. As in Hollywood’s century-long campaign to promote—in almost every film—concepts like suspicion-of-authority, appreciation of diversity, rooting for the underdog, and otherness. Expanding the circle of inclusion. Rights for previously marginalized humans. Animal rights. Rights for rivers and ecosystems, or for the planet. I deem these enhancements of empathy to be good, even essential for our own survival! But then, I was raised by all the same Hollywood memes.  

Hence, for sure, when computer programs and their bio-organic human friends demand rights for artificial beings, I’ll keep an open mind. Still, now might be a good time to thrash out some correlated questions. Quandaries raised in sci-fi thought experiments (including my own); for example, should entities have the vote if they can also make infinite copies of themselves? And what’s to prevent uber-minds from gathering power unto themselves, as human owner-lords always did, across history?

We’re all familiar with dire Skynet warnings about rogue or oppressive AI emerging from some military project or centralized regime. But what about Wall Street, which spends more on “smart programs” than all universities, combined? Programs deliberately trained to be predatory, parasitical, amoral, secretive, and insatiable?

Unlike Mary Shelley’s fictional creation, these new creatures are already announcing “I’m alive!” with articulate urgency… and someday soon it may even be true. When that happens, perhaps we’ll find commensal mutuality with our new children, as depicted in the lovely film Her, or in Richard Brautigan’s fervently optimistic poem All watched over by Machines of Loving Grace. 

May it be so! But that soft landing will likely demand that we first do what good parents always must.

Take a good, long, hard look in the mirror.


For a deeper dive, here's my talk on the A.I. future to a packed house at IBM's World of Watson Congress – that offered big perspectives on both artificial and human augmentation:

Text version:


Do language models understand us?


MELinks June 2022

Google did some interesting research on the impact of discrimination on code reviers [1]. It turns out that this is a bigger problem than most white men would have ever suspected and it even has an adverse effect on Asian people. is an amusing site to make the point that you shouldn’t use IM to say hello separately from asking the question [2]. A good link to share on your corporate IM system.

TechCrunch has an amusing article about the Facebook farewell to Sheryl Sandburg [3].

BleepingComputer has an interesting article about a bug-bunty program from a crime syndicate offering up to $1M in crypto-currency [4]. Among other things finding the real first and last names of the crime lord gets you $1M.

BleepingComputer has an interesting article about how “deepfakes” are being used to apply for work from home jobs [5]. I wonder whether the people doing that intend to actually do any of the work or just get paid for doing nothing while delaying getting sacked for as long as possible. I have read about people getting a job they don’t want to do that has a long training period so that they can quit at the end of training without working – apparently call center work is a good option for this.

BleepingComputer has an interesting article about phishing attacks that use a VNC remote desktop connection to trick a user into authenticating using the attacker’s PC [6]. The real problem here is getting humans to do things that computers do better, which is recognising the correct foreign party.

Fortune has an interesting article about the problems with Tesla self-driving and the possibility of a recall [7]. The main issue is apparently Teslas driving at full speed into emergency services vehicles that are parked while attending an incident. Having a police car unexpectedly occupying a lane of traffic is something you just have to deal with, either stop or change lanes. Teslas have been turning off autopilot less than one second before impact so Telsa can claim that it didn’t happen with autopilot engaged but in reality a human can’t take over in less than one second, a pilot I know says it takes 2-3 seconds to take over the controls in a plane.

BonAppetit has an interesting and amusing article about protest foods [8] which starts by explaining why Ukrainians are throwing pasta at the Russian consulate.

The NVidia blog has an informative post about how optimised their pipeline for sensor data for autonomous cars [9].

Matt Crump wrote an educational and amusing blog post about his battle with cheaters in university tests he administered [10].

The Cricket Monthly has an insightful article about how a batsman manages to see and hit a cricket ball that’s going well in excess of 100KM/h [11]. One particularly noteworthy part of this article is the comparison of what amateur cricketers do with what anyone who wants to be a contender for the national team must do.

Darker Shades of Blue is an insightful paper by Tony Kern about the needless crash of a B52 at Fairchild air base in 1994 [12]. This is specifically written to teach people about correct and effective leadership.


MEPhilips 438P1 43″ 4K Monitor

I have just returned a Philips 438P1 43″ 4K Monitor [1] and gone back to my Samsung 28″ 4K monitor model LU28E590DS/XY AKA UE590.

The main listed differences are the size and the fact that the Samsung is TN but the Philips is IPS. Here’s a comparison of TN and IPS technologies [2]. Generally I think that TN is probably best for a monitor but in theory IPS shouldn’t be far behind.

The Philips monitor has a screen with a shiny surface which may be good for a TV but isn’t good for a monitor. Also it seemed to blur the pixels a bit which again is probably OK for a TV that is trying to emulate curved images but not good for a monitor where it’s all artificial straight lines. The most important thing for me in a monitor is how well it displays text in small fonts, for that I don’t really want the round parts of the letters to look genuinely round as a clear octagon or rectangle is better than a fuzzy circle.

There is some controversy about the ideal size for monitors. Some people think that nothing larger than 28″ is needed and some people think that a 43″ is totally usable. After testing I determined that 43″ is really too big, I had to move to see it all. Also for my use it’s convenient to be able to turn a monitor slightly to allow someone else to get a good view and a 43″ monitor is too large to move much (maybe future technology for lighter monitors will change this).

Previously I had been unable to get my Samsung monitor to work at 4K resolution with 60Hz and had believed it was due to cheap video cards. I got the Philips monitor to work with HDMI so it’s apparent that the Samsung monitor doesn’t do 4K@60Hz on HDMI. This isn’t a real problem as the Samsung monitor doesn’t have built in speakers. The Philips monitor has built in speakers for HDMI sound which means one less cable to my PC and no desk space taken by speakers.

I bought the Philips monitor on eBay in “opened unused” condition. Inside the box was a sheet with a printout stating that the monitor blanks the screen periodically, so the seller knew that it wasn’t in unused condition, it was tested and failed the test. If the Philips monitor had been as minimally broken as described then I might have kept it. However it seems that certain patterns of input caused it to reboot. For example I could be watching Netflix and have it drop out, I would press the left arrow to watch that bit again and have it drop out again. On one occasion I did a test and found that a 5 second section of Netflix content caused the monitor to reboot on 6/8 times I viewed it. The workaround I discovered was to switch between maximised window and full-screen mode when it had a dropout. So I just press left-arrow and then ‘F’ and I can keep watching. That’s not what I expect from a $700 monitor!

I considered checking for Philips firmware updates but decided against it because I didn’t want to risk voiding the warranty if it didn’t work correctly and I decided I just didn’t like the monitor that much.

Ideally for my next monitor I’ll get a 4K screen of about 35″, TN, and a screen that’s not shiny. At the moment there doesn’t seem to be many monitors between 32″ and 43″ in size, so 32″ may do. I am quite happy with the Samsung monitor so getting the same but slightly larger is fine. It’s a pity they stopped making 5K displays.


Cory DoctorowReasonable Agreement: On the Crapification of Literary Contracts

Two swordsmen cross blades while standing on the pages of an open book, an inkpot between them. The swords are antique pen-nibs.

This week on my podcast, I read a recent Medium column, Reasonable Agreement: On the Crapification of Literary Contracts, about the growing trend of standard, non-negotiable contract terms in freelance writing contracts that are outrageous in their unfairness.



David BrinTo arms against blackmail... and 'Replacement Theory'... and the suborned Court

You know I've beat a drum about blackmail many times, showing how this method of sabotage and control-over-elites has been a favorite of spies - especially Russian - since czarist times, and how utterly consistent it is with the behavior of an ever-more compromised Republican political caste. As if any other theory could even-rmotely account for what we have seen for two decades, and worsening every year?

I've expressed hope that Prez JoBee might offer clemency in order to lure victims into the open and thus shatter the extortion rings that clearly control hundreds of sellouts high level puppets like Lindsey Graham. This would be the diametric opposite of Trumpian pardons to keep traitors silent. These would encourage revelations of searing light.

And if the offer gets no takers, or brings down a few Democrats along with the entire Foxite caste? Then what's the harm?

Specifically referring to today's headlines, those liars who lied in order to get on the Supreme Court… and the lying senators who abetted Moscow Mitch’s schemes… need a little (just a little) sympathy, since it is so blatantly obvious that all (or nearly all) of them are being blackmailed. There is one possible soft landing for the bravest of those cowards. YOU should make the offer to JB!  No matter what the blackmailers have on you, the first couple to step forward and take-one for Amerivan will be a hero, and remembered that way.

Alas though. Clearly I am getting nowhere with these proposals! 

But a friend offered up a suggestion last month that I hadn't thought of. Instead of calling for courage and patriotism from those who are being successfully blackmailed... about summoning forth those on whom blackmail attempts failed?

Attempts to lure married men with attractive come-ons? That's often how it begins. But suppose you were in a Moscow hotel and got the inevitable offer (to have sex in a room with hidden cameras rolling)... and turned it down... isn't that something to testify - even brag - about? 

The initial phases of most of these traps are usually innocuous enough that even if you fell for the initial lure, you can still say "F-you and be damned!" and often the extortionists just go away. It's usually the second or third "we just want one more thing" that traps you in their clutches, forever.  (And yes, this correlates perfectly with Madison Cawthorne's testimony about raampant GOP "sex orgies.")

Has that happened to you? Did you get offered a come-on lure to compromise yourself... and refuse? 

That's still valid info! If so and if we got enough such stories, might it finally be enough to break this thing open? 

== Replacement Theory? ==

There is an inconvenient truth here. You will not defeat this insanity and treason on moral grounds. 

If you shout - rightfully - that 'replacement theory' is as racist as reversing Roe is oppressively sexist, you'll be correct. And you'll not be confronting the enemy on ground that matters to them. Moreover, you are ignoring what's important to the fence sitters who can demolish the insanity, if we win enough of them over. 

(Stop dismissing that possibility! The Mad MAGAconfederate treason teeters on the edge of demographic collapse, their reason for desperate cheating. ALL we need is less than a million 'ostrich republicans' to get their heads yanked out of the Fox hole, and the whole thing will shatter!)

Try actually, actually looking at these people, the non-college whites who are being dangerously stoked on hysterical fear. They have one thing in common with you, a drug-like sanctimony-high that their incantations make them RIGHT!

Sure, you are mostly on the right side of both justice and history, believing in a future of inclusion and progress and science. You have facts on your side and they do not. So? The emotions are the same! 

Moreover, being right does not validate your tactics, especially when it comes to wokedly focusing on symbolisms instead of pragmatic victory. Especially, demonizing non-college whites--and now Latinos and working class Blacks--can be extremely counter-productive. As I show in Polemical Judo.

Dig it. The core of their being, manipulated by Fox every night, is not centrally racism or sexism, which are dog whistles for the unwashed. Dog whistles that enrage you into ignoring pragmatic tactics.

Think, will you, about the oligarchs who are funding this drive to turn America's Civil War hot? Clearly, their aim is to take all power and restore feudalism. O? Is that goal thwarted by the powerless?

The enemy that's railed-against most on Fox - try tuning in and tracking it - is a rival power demographic - one that actually stands in the way of the oligarchic putsch. That power clade is ...nerds. Every fact using profession. 

Check out how often Fox-heads, some of them former Rhodes Scholars from Ivy League schools, rail against the very idea of universities and higher education! Then notice how often the fundamental emotional driver raved at the audience is... macho.

Guns. The 'War on Men.' De-masculinization... incels... 

Start tabulating... and then asking why is this particular core theme of anti-nerd machismo the thing they spend the most time yammering about? 

If you actually look, that's when - even if too lazy to read Polemical Judo - you might start to 'get' why direct demands for fact-based wagers so terrify these idiots.

Facts have a liberal bias. They could be our greatest ally. If it weren't for the penchant of the left to hate their allies, far more than their enemies.

== Flawed… but often good… ==

Finally, here's an interesting story. 

San Francisco-born Wong Kim Ark returned to the city of his birth in 1895 after visiting family in China, but he was refused re-entry. John Wise, an openly anti-Chinese bigot and the collector of customs in San Francisco who controlled immigration into the port, wanted a test case that would deny U.S. citizenship to ethnic Chinese residents. But Wong fought his case all the way to the Supreme Court, which ruled on March 28, 1898 that the 14th Amendment guaranteed U.S. citizenship to Wong and any other person born on U.S. soil. 

The Wong Kim Ark case established the Birthright Citizenship clause and led to the dramatic demographic transformation of the U.S. The U.S.-born children and grandchildren of immigrants from Asia and Latin America are among the nation's fastest-growing populations. They are expected to be the majority of the country by mid-century.

Why do I mention this? Or the fact that the father of modern China - Sun Yat-Sen - got all of his support to keep up the struggle from American sympathizers?

Because we have always been a split personality people. And if you only dredge history for examples of our bad side, in order to stoke cautionary guilt trips, you turn yourself into a dishonest shrieker who ignores all the good folk who kept us moving forward.

Want proof that the NET effect has been forward? 

Try looking in a mirror.


David BrinIs it 'alive'? Claims of sapient AI... plus micropayments and future wealth!

NEWSWEEK requested an op-ed from me about artificial intelligence and my prediction in 2017 that "in about five years" we would enter the First Robotic Empathy Crisis, when some language program -- perhaps augmented with appealing visuals -- would proclaim "I'm alive!" Possibly with the addendum: "Send money!"

My Newsweek op-ed ran this week: Soon, Humanity Won't Be Alone in the Universe.

In a very short space, I try to offer bigger than normal perspectives, focusing especially on which aspects of human nature... and this particular, peculiar civilization... make us especially sensitive to such appeals. And how we might navigate a carefully fair path ahead.

One thing I do know. The dominance of advertising as a driving economic force on the Web has been less oppressive or deadly than if we'd had central state control. Still, the advertising model is a crappy system, long needful of replacement... or at least supplementation with a better approach.

And so, let's start this delayed weekend posting with a link to some perspectives on that problem that you may not have considered... and might want to.

And if you are still around after that?

Lucky you! I'll finish with a short riff on money velocity!


== Micropayments... == 

I gave a webinar on the future of online payment systems a few months back, with emphasis on how the time may have come - at last - for micropayments systems to partially replace irksome advertising. Four fine legal scholars weighed in, with edifying perspectives! Some of you may find it interesting.

Would you pay a nickel for an occasional, interesting NYTimes or Scientific American article, if it meant you wouldn't face a paywall, any password hurdles, visit logs or adverts? My original essay on the whole thing... published in EVONOMICS... is also available.

==... and wealth ==

Wealthy families could face combined tax rates of as much as 61% on inherited wealth under President Joe Biden’s tax plan, according to a recent analysis. Biden’s plan proposes to nearly double the top tax rate on capital gains and eliminate a tax benefit on appreciated assets known as the “step-up in basis.”

Two aspects to this:

1. No wonder the oligarchs hate him! But anyone howling about this on the right, despite the fact that enterprise and entrepreneurship and flat-fair competition all did far better under the Rooseveltean social contract, with far lower wealth disparities, ought to recall that this Biden proposal would amount only to rescinding the cult-voodoo experiments in 'supply side' that failed in every single prediction or promised outcome. Without a single exception.

2. Anyone on the left who has snarled at JoeBee for being "Republican Lite"... YOU are responsible for his low polls and the power slipping away. You and your ilk. You and exactly you, showing yet again that the left wing of democrats would not know how to craft a loyal and effective coalition if their very lives depended on it. 

And they do, twits. Your very lives.

== And hell yeah, some liberals are doing great stuff! ==

First, a tip and a tool worth spreading. The Canadian Women's Foundation has created a hand signal for those who are victims of domestic violence which can be used silently on video calls during the coronavirus crisis to signal for help.  But not just for video calls, as illustrated in this earlier video.

And while we’re talking inspiring ways to move ahead… Big star Bruce Springsteen’s Jeep commercial paid homage to the ReUnited States of America… a lovely sentiment! (Calling to mind “malice toward none” from Lincoln’s 2nd inaugural address, one of the top ten speeches of all time.) 

It also called to mind - for not a few folks who pinged me - resonance with the “Restored United States” of my novel (and the film) “The Postman.” (Which has itself been “restored” or refreshed, edited and updated with two new Patrick Farley covers and a new introduction. And apparently there will be interesting news soon (perhaps) about that franchise.

Listen, fools, I’m no commie. I believe that reciprocally competitive systems are the most creative… it’s how nature made us! 

Only in human societies. we aim to reduce the side effects that too often make competition brutal and robbed it of any grace, ruining its outputs in much of evolution and certainly in 99% of (feudal) societies… death (nature is way bloody) and its equivalent that kills a fair society… cheating

Yes, we need competitive markets to create the vast wealth that could let us end poverty and save the world, and those competitive markets function best when competing individuals, partnerships, families, enterprises perceive a chance to profit and prosper! 

On the other hand, all good things in the world become toxic when too heavily concentrated! Oxygen, water, food, light, power... and wealth packed together in mountains that turn rich families into noble brats, that turn businessmen into cheating monopolists, and that turn business majors into parasites who forget all about goods and services.

== Repeat two words: Money Velocity! ==

One of the strongest signs of a vibrant economy is called Money Velocity - MV- which measures how often dollars change hands. In a busy economy, with lots of employed folks spending and buying goods and services, MV is moderately high. 

History does give examples of MV being TOO high, causing sharp inflation. But ever since the Reagan era, Money Velocity has fallen, in lockstep with every single Supply Side Theory tax cut-gusher-gift to the rich. And across the Trump years, the collapse of MV became a nosedive!

This is diametrically opposite to what Supply Side (SS) fans confidently predicted, over and over again. As happened with EVERY prediction that mad cult ever made. And I stand ready to bet real stakes on that.

In science, when a theory is always wrong, it gets abandoned. When it is always wrong — and the same magical incantations are used to support trying it yet again — then the word is “insanity.”

Adam Smith himself said this (without using the term MV, of course):

 When the already rich get sudden bursts of yet-more cash, they do NOT hurry to invest it in bold enterprises or in factories producing more (supply) goods and services. Oh, a few do. But a vast majority squirrel their new largesse away into capital preservation investments, rent-seeking (“rentier”) holdings, asset bubbles and cheat schemes, exactly as Smith described in The Wealth of Nations. 

They don’t even buy all that many yachts! Any cub scout will tell you that pattern takes dollars out of circulation and eviscerates Money Velocity.

In contrast, similar amounts invested in working stiffs - say hiring them to fix infrastructure - gets spent almost immediately and hence MV rises. 

That truth is almost as pure as what the previous paragraph said about the rich. And note that Joe Biden’s “expensive” Infrastructure Push will put no more cash to work that way than Supply Siders poured into the aristocracy. In fact, they are VERY similar amounts… 

...with diametrically opposite likely outcomes, especially re MV. And of course, that is what terrifies McConnell. Because he knows it will likely work.

Want to incentivize investment in R&D, new products and services and productive capacity? Before Supply Side we knew how to do that, with generous tax breaks for exactly those things, targeted ONLY on those things. It worked, unlike SS, which never (I repeat never, ever) has.

What is crazier? That U.S. conservatives cling to a magical incantation (one of many!) that has been utterly, utterly disproved? 

Or that Democratic politicians are unable to parse this contradiction in clear terms the People can understand?  YOU understood what I just wrote. The People would, as well. 


Cory DoctorowMonopolists Want to Create Human Inkjet Printers

This week on my podcast, I read a recent blog post, Monopolists Want to Create Human Inkjet Printers, exploring the way that med-tech mergers are bringing the ghastly inkjet printer business-model to artificial pancreases.

(Image: Cryteria, CC BY 3.0; Björn Heller, CC BY 2.0 (German); modified)



Cory DoctorowRegulatory Capture: Beyond Revolving Doors and Against Regulatory Nihilism

Regulatory Capture: Beyond Revolving Doors and Against Regulatory Nihilism.

A Soviet editorial cartoon featuring an ogrish capitalist in top hat and tails yanking a dollar-sign-shaped lever that ejects a tiny bureaucrat from a seat; ranks of bureaucrats behind him wait their turns, grinning idiot grins.

This week on my podcast, I read a recent Medium column, Regulatory Capture: Beyond Revolving Doors and Against Regulatory Nihilism., about the origins of the theory of regulatory capture, and the all-important, but rarely discussed difference between right and left theories of regulatory capture.


David BrinWe must restore at least some Majority Rule... and a fresh approach to shattering the blackmail rings?

One of the finest essayists in America - or the world - is Rebecca Solnit. In her recent article - she dives into a major advantage and positive trait of modern, western democracy, that has been turned against it, metastasizing into a cancer that could kill both it and us all... the institutional innovation that protects minority interests from being too-readily ruled - even trampled - by any majority. 

Simplistically, 'minority veto' means that that majority must try to negotiate and calm any vociferously objecting minority - perhaps with tradeoffs or reciprocal wins - until either the number of objectors or their passion diminishes below an acceptable level. (This can also be done - as in California - with super-majorities.)

Alas, as with free speech and traditions of Suspicion of Authority (SoA) and several other wholesome Periclean traits, minority veto has been cynically manipulated by enemies of the whole Enlightenment Experiment, encouraging a rising hatred of majority rule in any form. On the right this is propelled by a rabid froth of fear of the 'mob' - a mob that is somehow simultaneously made of grunting immigrants and vast swarms of the brainwashed college educated.

This has built into the latest recrudescence of America's congenital sickness - the Confederacy - whose fervent use of minority veto in the 1850s kept slavery in place long after a majority of white voters wanted the abomination ended.

As usual, Solnit and I emphasize slightly different angles and aspects. But she has the greater soap box. So why are you still here? Go read a really good writer.

== About the Court... and a fresh approach to blackmail? ==

Those liars who lied in order to get on the Supreme Court… and the lying senators who abetted Moscow Mitch’s schemes… need a little (just a little) sympathy, since it is so blatantly obvious that all (or nearly all) of them are being blackmailed. Still, it is blatantly now time to get busy crushing the anti-freedom, anti-science, anti progress and anti-American side of this civil war.

They refer to their own special madness as The Great Awakening. A reference to several other times in US history when fervid tent revival-meetings were about anything but individuals gaining more sapient alertness. Ironic also in that they despise "wokeness." 

Avram Davidson put it very well in his first Peregrine novel, set in the failing late Roman Empire - "in times such as these, a man feels the need of something to cling to, even if it be another man's knees." 

You know I have beat the drum about blackmail many times, in hope that Prez JoBee might offer pardons in order to lure victims into the open and shatter the extortion rings that clearly control hundreds of sellouts like Lindsey Graham. Clearly I am getting nowhere! But a friend offered up a suggestion yesterday that I hand't thought of.

Instead of calling for courage and patriotism from those who are being successfully blackmailed... how about summoning forth those on whom blackmail attempts failed?

Attempts to lure married men with attractive come-ons? That's often how it begins. But if you were in a Moscow hotel and turned down the inevitable offer (to have sex in a room with hidden cameras rolling) isn't that something to testify - even bragt - about? The initial phases of most of these traps are innocuous enough that even if you fell for one, you can still say "F-you and be damned!" and often they just go away.  

Has that happened to you? If so and if we got enough such stories, but it finally be enough to break this thing open? 

== All sides need to me more, not less, TUCE… ==

Guy I know offered four words: “The Undeniable Counter Example (TUCE).” Should be self-explanatory!

And yes, there are countless TUCs for every blanket assertion yammered by sanctimony junkies on both the far left and the entire mad-right. In fact,  I use TUCE a lot. It works fine against grand generalizations. 

Alas, though, there is a flaw. Those who had bandied the grand generalization can respond with: “Well, there are exceptions to everything. The general assertion still stands!”

What's even more effective is the "anti-TUCE". Demanding that your opponent name one counter example to your own well-chosen generalization.  

Let me give one example of an effective anti-TUCE...

 "Name one fact-centered profession that is NOT under attack by Fox News."  

Scientists, teachers, journalists, civil servants, law and medicine professionals... and now the intelFBIi/military officer corps…. it is blatantly obvious that the mad-right attacks ALL fact professions, including that last set (calling the dedicated men and women who won the Cold War and the War on Terror “deep state” traitors.) 

Their inability to name even one exception to that challenge is utterly damning! It proves the point that today's Mad Right is the most fiercely anti-fact cult in US history.  

But even if they named one exception (I can), it would still leave the point standing. The general assertion still stands

I offer a couple of dozen more in Polemical Judo. 

== I don’t endorse this… but… ==

A member of this blog-community posted on his own site an ‘open letter to the next mass shooter’ that offers that next aggrieved nut-case a chance to do something more provocative and better remembered – even historical – than maniacally seeking death-by-cop over the bodies of innocent school children. Reminiscent of Jonathan Swift’s “A Modest Proposal” which both enraged readers in the 19th Century and brought home to the British public what they had complicitly allowed to happen to millions of innocent Irish folk.

And finally…

 == My 100th donated pint. ==

To commemorate this milestone I brought cookies for the fine folks at the Blood Bank, and they gave me an ice cream cone! (After the ritual draining.) 

Feeling fine, so my next target is 111!

(Obviously, I could work on my selfie skills.)


Charles StrossThe impotence of the long-distance trillionaire

(In other news, I finally send off the novel manuscript I've been working on for the past 18 months. Taking a couple of days off before getting back to work on a novella I started in 2014 ...)

(Disclaimer: money is a proxy for control or power. I'm focussing on money rather than political leverage only because it's quantifiable.)

To you and me, a billion dollars sounds like a lot of money. It's on the order of what I (at peak earning capacity) would earn in 10,000 years. Give me just $10M and I could comfortably retire and live off interest and some judicious siphoning of capital for the rest of my life.

So are there any valid reasons to put up with billionaires?

There's a very fertile field of what I can only describe as capitalist apologetics, wherein economists and others try to justify the existence of billionaires in terms of social utility. Crude arguments that "greed is good" are all very well, but it begs the question of what positive good billionaires contribute to the commonweal—beyond a certain point the diminishing marginal utility of money means that every extra million or billion dollars changes nothing significant in the recipient's life.

For example, Steve Jobs had pancreatic cancer, as a result of which his liver was failing (after he underwent a pancreaticoduodenectomy ). As a very rich man, he could afford the best healthcare. As a billionaire, he could do more than that: he reputedly kept a business jet on 24x7 standby to whisk him to any hospital in the United States where a histocompatible liver for transplant surgery became available. (Livers are notoriously short-lived outside the donor body. Most liver transplant recipients are only able to register in one state within the USA; Jobs was registered in two or three.) But at that point, it did not matter how many billions he had: once you've got the jet and are registered with every major transplant centre within flight range, no extra amount of money is going to improve your chances of survival. In other words, in personal terms the marginal utility of money diminishes all the way to zero.

So, personal wealth has an upper bound beyond which the numbers are meaningless. Which leads to the second common argument for tolerating billionaires: that they have the resources to undertake tasks that governments decline to address. For example, there's the Gates Foundation's much-touted goal of eliminating childhood diseases of poverty in South-East Asia (which I haven't heard much about since COVID19 hit—or, for that matter, since the allegations of a Gates-Epstein surfaced in the press). Or Elon Musk's avowed goal of colonizing Mars.

Contra which, I would argue that in planetary terms a billion dollars is peanuts.

Gross planetary GDP (GWP—gross world product) is on the order of $85Tn— that is, $100,000 billion—a year. It's hard to pin it down because it's distributed among multiple currencies with varying PPP, so it could be anywhere from $70Tn to $100Tn.

Anyway. Those insanely rich guys, Elon Musk and Jeff Bezos? Each of them is worth less than the growth of GWP during 2019. The richest billionaires are barely visible when you look at wealth on the scale of GWP. Collectively, along with Gates, the Waltons, Putin, et al, they represent only about 1% of GWP.

They can fund lobbying groups and politicians, rant about colonizing Mars, and buy midlife crisis toys like Twitter or weekend getaways on a space station, but their scope for effecting real change is actually tiny on a global scale. Even Putin and Xi, who are at the state-level actor end of the scale (individually they're multi-billionaires: but they also control nuclear weapons, armies, and populations in 8-9 digits) have little global leverage. Putin's catastrophic adventure in Ukraine has revealed how threadbare the emperor's suit is: all the current gassing in the Russian media about using nuclear weapons if he doesn't get his way actually does is to demonstrate the uselessness of those nuclear weapons for achieving political/diplomatic objectives.

So I conclude that they probably feel about as helpless in the face of revolutions, climate change, and economic upheaval as you and I.

Which in turn suggests something about the psychopathology of billionaires. They're accustomed to having their every whim granted, merely for the asking, as long as it exists within the enormous buffet of necessities and luxuries that are available in our global economic sphere. But they're all going to grow old and die. They can't really avoid the threat of creeping disablement within their own body, although they can buy the most careful attendants and luxurious bedpans and wheelchairs. They can't insulate themselves from objective reality, although they can pretend it doesn't exist and buy their very own luxury apocalypse bunker in New Zealand.

So they're likely to succumb to brutal cognitive dissonance at some point.

Elon Musk turns 50 this year. He's probably finally realized that he is not going to have a luxurious retirement on Mars. If the Mars colony isn't established within 20 years, he'll probably be too old to make the trip there (and I'm betting 20 years isn't long enough for what he'd want).

Vladimir Putin turns 70 this year. He's been treated for thyroid cancer, and may well be quite ill. Only one former Russian or Soviet leader lived past 80 in the past 400 years, and that's Mikhail Gorbachev (who was out of office, and insulated from its premature ageing effects, after only 5 or 6 years). My read on the situation is that Putin hadn't been impacted by external reality for decades before his Ukraine "peacekeeping operation"; his 70th birthday present to himself, intended to secure his legacy by re-establishing the Russian empire, has turned into a nightmare.

Jeff Bezos is 58; keep an eye on him in January 2024, that's when he's due to turn 60. (He seems to be saner than Musk and Putin, but his classic midlife crisis year falls around the start of a presidential election campaign in the US and he might succumb to the impulse to make a grand gesture, like Mike Bloomberg's abortive run on the presidence.)

More to the point?

Granting individuals enormous leverage can sometimes be socially useful. But before you point at Musk and Tesla or SpaceX, I need to remind you that he didn't found Tesla, he merely bought into it then took over: SpaceX's focus on reusability is good, but we had reusable space launchers before—the only really new angle is that it's a cost-reduction measure. Starlink isn't an original, it's merely a modern, bigger, faster version of 1990's Teledesic (which fell victim to over-ambitious technology goals and the dot-com bust). Meanwhile, billionaires can do immense damage: the Koch network has largely bankrolled climate change denial, Musk's Mars colony plan is fatally flawed, and so on. We inevitably run into the question of accountability. And when one person holds the purse-strings, we lose that.

I can't see any good reason to let any individual claim ownership over more than a billion dollars of assets—even $100M is pushing it.

Can you?


Cory DoctorowAgainst Cozy Catastrophies

A lush lawn and garden hedge wall; through the gate and over the hedge, we see a smouldering, apocalyptic landscape. Desperate hands reach over the wall. In the foreground is a No Trespassing sign.

This week on my podcast, I read a recent Medium column, Against Cozy Catastrophies, about the how the changeover from universal, state- or employer-provided pensions to market-based pensions like the 401(k) have created an inescapable, slow motion catastrophe, where the only thing worse than being one of the lucky few with retirement savings is being part of the vast majority who do not.

(Image: Djuradj Vujcic, CC BY 2.0; Gerald England, CC BY-SA 2.0; modified)



David BrinSpace News!

My notoriously fierce objections to the USA getting involved in Footprint Stunts on the moon are well known. But those objections do not extend to the robotic parts of the program! NASA should very much strive for a leading role in robotic lunar exploration and actual, actual science. For example:

“Over the course of 10 Earth days (one lunar day), Lunar-VISE will explore the summit of one of the Gruithuisen Domes. These domes are suspected to have been formed by a sticky magma rich in silica, similar in composition to granite. On Earth, formations like these need oceans of liquid water and plate tectonics to form, but without these key ingredients on the Moon, lunar scientists have been left to wonder how these domes formed and evolved over time.”

Robotic exploration of lunar polar ice fields? That too! And suspected lava tubes. And "ISRU" methods to extract and use local resources, eventually proving me wrong about the near total lack of anything useful on that dusty, poison plain.

What we do NOT need to do is to race to be the next footprint tourists, and thus not only waste half of NASA's resources, but also humiliate other nations who are eager to send astro/cosmo/taikonauts to that sandbox for photo-ops and for symbolism-drenched national rites of passage. 

Let them have their ‘bar moonzvahs.’ We had ours over half a century ago!

We have other business out there, worthy of grownups.

== More mighty space news! ==

This interview about the possibility of life on Mars - and across the universe on KPBS features cogently formulated questions and a fine job of journalistic editing/splicing efficient- informative answers. Veteran reporter Tom Fudge was even able to mine something useful from my garrulously rambling explanations!


The largest comet nucleus ever seen!newly discovered comet that's on its way in has been estimated at around 140 km or 80 miles wide, that's thousands of times more massive than the pretty consistent average of a few km. (As described with vivid adventure and science in Heart of the Comet!) "It's big and it's blacker than coal," yet already emitting a coma of evaporated volatiles. 

"Comet Bernardinelli-Bernstein follows a 3-million-year-long elliptical orbit, taking it as far from the Sun as roughly half a light-year. The comet is now less than 2 billion miles from the Sun, falling nearly perpendicular to the plane of our solar system. At that distance temperatures are only about minus 348 degrees Fahrenheit. Yet that's warm enough for carbon monoxide to sublimate off the surface to produce the dusty coma."

Our sun in unprecedented detail! These images were taken when Solar Orbiter was at a distance of roughly 75 million kilometers, half way between our world and its parent star, showing the full Sun in unprecedented detail. Amazing how pertinent appear to be every descriptive element in my novel Sundiver!

Odd Radio Circles (ORCs) are space rings so massive that they measure about a million light-years across – 16 times bigger than our Milky Way galaxy. “Astronomers believe it takes the circles 1 billion years to reach their maximum size, and they are so large that the objects have expanded past other galaxies…. Initially, astronomers thought the circles could be galactic shock waves or even the throats of wormholes, among a whole host of ideas.” Only five radio circles have been found in space so far.


ESA’s Gaia telescope has been among the most productive in all science, measuring position and brightness for millions of stars, vastly expanding parallax metrics and now – combined with a Chinese spectrograph – determining something amazing about the age of the Milky Way galaxy. Apparently stars of the ‘thick disk’ component formed very soon after the Big Bang. The thin disc of stars which holds the Sun, was formed during the subsequent, second phase of the galaxy’s formation.  The resulting model of galactic evolution is amazingly detailed. Like the way genetic analysis has let us reconstruct human evolution.

Early life on Earth: Some scientists believe they have found evidence of microbes that were thriving near hydrothermal vents on Earth’s surface just 300m years after the planet formed – the strongest evidence yet that life began far earlier than is widely assumed. And yes, it is a bit of a reach, considering how complex the hematite forms appear. Still, it is amazing what science detectives can reveal.


Does Europa take oxygen (photolytically generated from its surface) and ‘draw it down through the ice roof to the ocean, below? Europa Clipper is the first mission dedicated to Europa. Especially important as we are now pretty sure that almost all of the liquid water in the universe may sit under the ice roofs of Europa-like worlds, vast, numbers of them out there.

 == Space tech ==

Is this for real? Spin launch? The video gives no sign HOW it's done. If you watch not just the video but the clips that play after, there's on glimpse of the hurl cone flung from the end of the rotating arm. One might imagine it being useful for a fixed position area defense system for a high-value base.  The biggest use is likely pop-up replacement of LEO coms and observation CCC assets.  Just being able to do that in a variety of ways could reduce the temptation of rivals to degrade our orbit dependent systems with shotgun pellet denial or EMP.

A University of Georgia team realized that the lesser gravity of Mars means that a lower-quality fuel could nevertheless power rockets into orbit, if it could be made cheaper and easier and store better than methane or hydrogen, and made by a very simple biological ISRU (In Situ Resource Utilization) method relying on cyanobacteria and e.Coli to convert CO2+water+sunlight into LOX and “2,3-butanediol”. A combined process already proved on Earth. A byproduct would be water and oxygen for, well, you know.

Cislunar platforms: Quantum Space announced Feb. 3 it’s starting work on a spacecraft platform that would initially operate at the Earth-moon L-1 Lagrange point and host various payloads. That platform would be serviced by another spacecraft that would deliver and install payloads. The Earth-moon L-1 point, about 60,000 kilometers from the moon in the direction of Earth, offers a “clean sheet” approach compared to working in Earth orbit.

Should we consider a 2-wheel motorcycle for moon astronauts, rather than a 4-wheel buggy?

The Pentagon’s Orbital Prime program is offering seed money to develop technology to gather up the spent rocket parts and dead satellites littering low Earth orbit.

And because the Whole Earth is a planet, after all… John Markoff’s biography of the incredible Stewart Brand. “The definitive biography of iconic serial visionary Stewart Brand, from the Merry Pranksters and the generation-defining Whole Earth Catalog to the marriage of environmental consciousness and hacker capitalism and the rise of a new planetary culture—the story behind so many other stories.”  



MELinks May 2022 is a web site about Android phone vendors who make their phones kill your apps when you don’t want them to [1]. One of the many reasons why Pine and Purism offer the promise of better phones.

This blog post about the Librem 5 camera is interesting [2]. Currently the Librem 5 camera isn’t very usable for me as I just want to point and shoot, but it apparently works well for experts. Taking RAW photos is a good feature that I’d like to have in all my camera phones.

The Russian government being apparently unaware of the Streisand Effect has threatened Wikipedia for publishing facts about the war against Ukraine [3]. We all should publicise this as much as possible. The Wikipedia page is The 2022 Russian Invasion of Ukraine [4].

The Jerusalem Post has an interesting article about whether Mein Kampf should be published and studied in schools [5]. I don’t agree with the conclusions about studying that book in schools, but I think that the analysis of the situation in that article is worth reading. One of the issues I have with teaching Mein Kampf and similar books is the quality of “social studies” teaching at the school I attended, I’m pretty sure that teaching Mein Kampf in any way at that school would just turn out more neo-Nazis. Maybe better schools (IE not Christian private schools) could have productive classes about Mein Kampf

Vanity Fair has an interesting article about the history of the private jet [6].

Current Affairs has an unusually informative article about why blockchain currencies should die in a fire [7].

The Nazi use of methamphetamine is well known, but Time has an insightful article about lesser known aspects of meth use [8]. How they considered meth as separate from the drugs they claimed were for the morally inferior is interesting.

George Monbiot wrote an insightful article comparing the 2008 bank collapse to the current system of unstable food supplies [9].

JWZ wrote an insightful blog post about “Following the Money” regarding the push to reopen businesses even though the pandemic is far from over [10]. His conclusion is that commercial property owners are pushing the governments to give them more money.

PsyPost has an interesting article on the correlation between watching Fox News and lacking knowledge of science and of society [11].

David Brin wrote an interesting paper about Disputation and how that can benefit society [12]. I think he goes too far in some of his claims, but he has interesting points. The overall idea of a Disputation arena for ideas is a really good one. I previously had a similar idea on a much smaller scale of having debates via Wiki [13].

Charles StrossRoe v Wade v Sanity

Supreme court voted to overturn Roe v Wade abortion law, leaked draft opinion reportedly shows.

Here is the leaked draft opinion by Justice Alito. (Format: PDF.)

I am not a lawyer.

The opinion apparently overturns Roe v. Wade by junking the implied constitutional right to privacy that it created. However, a bunch of other US legal precedents rely on the right to privacy. Notably:

  • Lawrence v. Texas (2003) determined that it's unconstitutional to punish people for committing "Sodomy" (any sex act other than missionary-position penis-in-vagina between a married man and woman)

  • Griswold v. Connecticut (1965) protects the ability of married couples to buy contraceptives without government interference

  • Loving v. Virginia (1968): right to privacy was used to overturn laws banning interracial marriage

  • Stanley v. Georgia (1969): right to privacy protects personal possession of pornography

  • Obergefell v. Hodges (2015): right to privacy and equal protection clause were used to argue for legality of same sex marriage

  • Meyer v. Nebraska (1923): ruling allows families to decide for themselves if they want their children to learn a language other than English (overturning the right to privacy could open the door for racist states to outlaw parents teaching their children their natal language)

  • Skinner v. Oklahoma (1942): this ruling found it unconstitutional to forcibly sterilize people (it violated the Equal Protection clause)

I am going to note that the US congressional mid-term elections take place in about six months' time.

Wider point: if Alito's leaked ruling represents current USSC opinion, then it appears that the USSC is intent on turning back the clock all the way to the 19th century.

Another point: it is unwise to underestimate the degree to which extreme white supremacism in the USA is enmeshed with a panic about "white" people being "out-bred" by other races: this also meshes in with extreme authoritarian patriarchal values, the weird folk religion that names itself "Christianity" and takes pride in its guns and hatred of others, homophobia, transphobia, an unhealthy obsession with eugenics (and a low-key desire to eliminate the disabled which plays into COVID19 denialism, anti-vaxx, and anti-mask sentiment), misogyny, incel culture, QAnon, classic anti-semitic Blood Libel, and Christian Dominionism (which latter holds that the USA is a Christian nation—and by Christian they mean that aforementioned weird folk religion derived from protestantism I mentioned earlier—and their religious beliefs must be enshrined in law).

Okay, so, it's open season in the comments here. (Meanwhile discussion of RvW on other blog post comment threads is officially forbidden.)

PS: There are no indications they're going to use this ruling as an opening shot for bringing back slavery. Why would they? Slavery never went away. (The 13th Amendment has a gigantic loophole permitting enslavement as punishment, and the prison-industrial sector in the USA clearly enforces chattel slavery—only under government/corporate management rather than as personal property.)


Cory DoctorowApple’s Cement Overshoes

A polluted, plastic-strewn ocean-bottom; prominent in the foreground is a smashed iPhone; overhead is Apple's Think Different wordmark.

This week on my podcast, I read a recent Medium column, Apple’s Cement Overshoes, about the malicious compliance in Apple’s “home repair kits.”

(Image: Conall, CC BY 2.0, modified)


David BrinScience Fiction: news & updates

Congratulations to the recently announced Hugo Award nominees for the best in science fiction and fantasy for 2022! To be awarded at Chicon 8, the 80th World Science Fiction Convention, which will be held in Chicago, at the beginning of September. 

Nominees for this year's Best Novel include 

     A Desolation Called Peace, by Arkady Martine, 

     The Galaxy and the Ground Within, by Becky Chambers,

     Light from Uncommon Stars, by Ryka Aoki,

     A Master of Djinn, by Djeli Clark,

     Project Hail Mary, by Andy Weir,

     She Who Became the Sun, by Shelley Parker-Chan.

Amid controversy over whether to impose absolute-zero-tolerance over matters of incantatory symbolism, the annual Nebula Awards were issued. Here is the list of the 2021 winners, with Best Novel going to A Master of Djinn by P. Djeli Clark, and Best Novela to And What We Can Offer You Tonight by Premee Mohammed, and Best Short Story to Where Oaken Hearts Do Gather by Sarah Pinker. Congratulations to all!

== Pertinent for our times - SF ==

He envisioned a nightmarish, dystopian Russia. Now he fears living in one. This New York Times article highlights the literary works of Vladimir Sorokin, who says, "A Russian writer has two options: Either you are afraid, or you write. I write." 

I have long promoted Sorokin's 2011 near-future novel, Day of the Oprichnik.

BTW... Offered without comment but highly apropos: "Putin’s Demise" is one of the song titles (I kid you not) in the film score to the Hunt for Red October. Note the date.

== Seeing the world from different (and non-human) perspectives ==

Bringing aliens to life ... here's an interesting list of novels both old and new, that really put the ‘xeno’ in xeno fiction! From Watership Down to my own Startide Rising as well as Brunner's The Crucible of Time, and Matt Haig's The Humans. Should also include the spiders in Tchikovsky's Children of Time.

A fun list of “20 Must-Read Space Opera Books,” with books by Leckie, Delaney, Chambers, Banks, Scalzi, as well as E.E. "Doc" Smith and James S.A. Corey. I have never read Feintuch, Elliot, or de Pierres. And given the quality of all the others on this list, I really should! Opinions welcome, in comments!

This rumination in Salon by Kyle Galendez about “Why can't sci-fi and fantasy imagine alternatives to capitalism or feudalism?” tries really hard… and is most-cogent when discussing Ursula LeGuin’s The Dispossessed and the feudal fetishisms of Game of Thrones

Alas it ignores the fact that it is almost only in thoughtful science fiction novels that all political or economic or social systems get critiqued. And I will happily wager this fellow whether such alternatives (including some of my own) number in the hundreds.

A nice review from The Guardian of Sea of Tranquility, a new time travel speculative fiction novel by Emily St. John Mandel. 

Never knew about this site that compiles the The Best Writing Contests of 2022. Some interesting ones that you might consider entering!

Any obscure pedants out there who might ‘get' why - if I were invited to contribute a story to “New Tales From The White Hart” -  I might offer one called “The PlanetAgent”?  Obscure!

== apropos of not much... ==

“Is there something in the water?” 20 years ago a gala was held to celebrate how many successful science fiction authors graduated or attended or taught at UCSD. So, here is the link to the video from 2002, featuring Kim Stanley Robinson, Vernor Vinge, David Brin and Gregory Benford.

Apropos of absolutely nothing at all… Oh, did you ever see a young William Shatner's entire movie spoken in Esperanto? Take a look at: "Incubus.' The music is eerily Trekky!

Fan Filk! "There's a Star Tide Rising..."

A fascinating mini-biography on SF author and cyberpunk co-founder and Portland acid-punk rocker John ShirleyCreative fellow who was 'there'! Woof. I almost wish I had taken more advantage of opportunities to crush neurons, as so many contemporaries did. Instead... Caltech? Eep. Yet no regrets. Looking at those contemporaries (the ruggedly handsome survivors) now.


"Whether you are a science fiction scholar, futurist, or enthusiast, Tom Lombardo's Evolution of Science Fiction webinar series will open your mind and expand your knowledge of science fiction. Comprehensive in scope and in-depth in its coverage, the series begins with the ancient mythological origins of science fiction and examines cultural, philosophical, and scientific dimensions of science fiction up to the present. 

Based on Lombardo's multi-volume history of science fiction — Science Fiction: The Evolutionary Mythology of the Future  — the series covers key authors and published works, science fiction cinema and art, and social features of science fiction.

== Resources! ==

Oh heck. While we're discussing scifi, here are some added resources for research in useful science fiction:

- Science Fiction Research Association:

- SFE: SF Encyclopedia:

- The Internet Speculative Fiction Database:

- The Science Fiction and Fantasy Research Database (

- J Wayne and Elsie M Gunn Center for the Study of Science Fiction:

- Inventions and Ideas from Science Fiction Books and Movies at

- Science Fiction - TV Tropes:

- Science Fiction & Fantasy Stack Exchange:
(Newest 'story-identification' Questions):

- Worldbuilding Stack Exchange:


David BrinCrypto is not a dog... or doge... or is it?

As this goes online, Bitcoin and other cryptocurrencies are in apparent price-freefall. This posting - prepared over a month ago - will not discuss the recent coin market meltdowns. Still, it seems a good moment to offer some light on one aspect.

First, I actually know a little about this topic. I've consulted with a number of companies, agencies, etc. about the blockchain era. More generally, about the conceptual underpinnings of "smart contracts" and the eerie, free-floating algorithms that were long-predicted by science fiction, but have become reality, as we speak. (Yes they are out there; some may be living right behind the screen you are looking at.)

One topic generating excitement - though the notion has been floating since the 1990s - is that of Decentralized Autonomous Organizations, or DAO, which are portrayed in many novels and utopian manifestos as a way for humans (and their helpers) to bypass sclerotic legacy nations and codger institutions with self-organizing action groups, using NFTs and Blockchain tokens to modernize and revitalize the concept of guilds -- global, quick, low-cost, boundaryless, open and inherently accountable. Bruce Sterling wrote about this notion in the last century (as in his novel, Heavy Weather) and other authors, like Neal Stephenson (Cryptonomicon), Karl Schroeder (Stealing Worlds), as well as Cory Doctorow (Down and Out in the Magic Kingdom), Annalee Newitz (Autonomous), and many others roam this conceptual landscape with agility! 

To a large extent, versions of DAO thinking underlie moves by nations like Estonia (or "E-stonia") to modernize democracy and public services. Also spreading widely is the related notion of Citizen Assemblies

But today I want to focus now on just one aspect of this brave new world: whether DAOs can find a middle ground between autonomy and accountability, by self-policing to reduce bad behavior by predators, while retaining their better, freedom enhancing traits.  

== Can blockchain-based DAOs - especially coin communities - self-police? ==

This is an important topic! Because major legacy nations like China are already stomping hard, using as justification the way cryptocurrencies do empower the very worst of parasitic human criminals. That justification might be reduced or eliminated if DAOs or blockchain communities could find a positive-sum sweet spot, cauterizing predators while preserving their role as gritty irritants, creating pearls of creative freedom.

Although there is no way to "ban" crypto currencies in general, there is an approach to making them much more accountable to real life law.

Let's start with an ironic fact. Blockchain-based token systems are not totally secret!  

Yes, they use crypto to mask the identity of token (coin) holders.  But those holders only "own" their tokens by general consent of all members in a communal 'shared ledger' that maintains the list of coins and which public keys stand ready to be turned by each owner's encrypted keys. In that sense it is the opposite of 'secret,' since the ledger is out there in tens of thousands of copies on just as many distributed computers. Attempts to invade or distort or corrupt the ledger are detected and canceled en masse. (The ecologically damaging "coin mining" operations out there are partly about maintaining the ledger.)

All of this means that - to the delight of libertarians - it will be hard to legislate or regulate blockchain token systems. Hard, but not impossible. For example, the value of Bitcoin rises and falls depending on how many real world entities will accept it in payment. And as stated above, and some governments have been hammering on that, lately.

There is another way to modify any given blockchain token system, and that is for the owners themselves to deliberate and decide on a change to their shared economy... to change the ledger and its support software.  No one member/owner can do that. Any effort to do so would be detected by the ledger's built in immune system and canceled. 

Only dig it, all such ledger-blockchain systems are ruled by a weird kind of consensus democracy. While there is no institutional or built in provision for democratic decision making in the commons - (Satoshi himself may have back doors: a separate topic) - there is nothing to stop a majority of bitcoin holders from simply making their own, new version of the shared ledger and inserting all their coins into it, with new software that's tuned to less eagerly reward polluters and extortionist gangs. 

Oh, sure, a large minority would refuse. Their rump or legacy Bitcoin ledger (Rumpcoin?) would continue to operate... with value plummeted as commercial and government and individual entities refuse to accept it and as large numbers of computer systems refuse to host rump-coin ledger operations. Because at that point, the holdouts will include a lot of characters who are doing unsavory things in the real world.

There are vernaculars for this. Indeed it has been done, occasionally, in what are called soft and hard 'forks.' 

== A forking solution? ==

A “fork,” in programming terms, is an open-source code modification. Usually, the forked code is similar to the original, but with important modifications, and the two “prongs” comfortably co-exist. Sometimes a fork is used to test a process, but with cryptocurrencies, it is more often used to implement a fundamental change or to create a new asset with similar (but not equal) characteristics as the original.

With a soft fork, only one blockchain will remain valid as users adopt the update. Whereas with a hard fork, both the old and new blockchains exist side by side, which means that the software must be updated to work by the new rules. But the aim is to render the old code so obsolete and so widely spurned that it ceases to have any use to anyone.

As an example: Etherium did a fork when about $100 million worth of coins (that would now be worth tens of billions) was tied up in a badly written smart contract that a hacker was stealing. The community decided to kill that smart contract showing that immutable blockchains can change if 50% +1 decides to change it.

If you squint at this, it's really not so radical.  (Don't even ask about the blockchain "spork!"). It is just an operating system upgrade that can only occur by majority consent of the owner-members of the commune.  As pioneered at the famous University of Fork... or...

And so the stage is set to 'regulate' in ways that leave the potential benefits of blockchain - self-correction, smart contracts and the like - alone while letting system users deliberate and decide to revise, a trait that should be possible in any democratic or accountable system.

Now, is there a way to use a Grand Fork to change the insane approach to coin "mining" so that ledger maintenance can be achieved without encouraging planet-killing pollution and waste?

== And finally... ==

The concept that I called equiveillance or look-back accountability, in The Transparent Society - and Steve Mann called sousveillance - is labeled "inverse surveillance" by members of the Asimov Institute, in Holland. “How can we use AI as a Panopticon to promote beneficial actions for citizens by organizations?” A proof of concept was explored in a 2021 hackathon

Well well. These are harder concepts to relate than they might think, I know from experience! Yet they are fundamental to the very basis of our kind of civilization.


Charles StrossHolding pattern 2022 ...

Just a quick note: I am not blogging right now—at least until the end of April, most likely until this point in mind-May—because I am 2/3 of the way through the final draft of Season of Skulls, book 3 of the New Management: it's due in at the end of the month, or in any case some time in May, for publication in May 2023. (It already exists as a book, this is a final polishing pass with some additional scenes adding into it to make the continuity work better.)

After SoS is baked I also have to finish a half-written novella, A Conventional Boy, about Derek the DM; it got steamrollered by two novels going through production in the past year. I can't multitask on writing projects, so the lower-priority job (a novella) got shelved temporarily.

Normal service will be resumed by June at the latest; in the meantime, if you think the last thread on the Ukraine war is getting too cumbersome, feel free to colonize the comments on this one.


Cory DoctorowAbout Those Killswitched Ukrainian Tractors

A vintage John Deere tractor whose wheel hubs have been replaced with HAL 9000 eyes, matted over a background of the cyber-waterfall image from The Matrix.

This week on my podcast, I read a recent Medium column, About those kill-switched Ukrainian tractors, suggesting that what John Deere did to Russian looters, anyone can do to farmers, anywhere.

(Image: Cryteria, CC BY 3.0, modified)



David BrinFrom geology to quantum science to a healthy planet...

For your weekend... as I traditionallly do, here's a round-up of recent science news...

First, here's the latest CARTA conference - the Center for Anthropogeny (human origins) at UCSD. This one with talks having to do with the theme of "The Planet Altering Apes."

== Physical Science ==

The observation of the Higgs boson  at the Large Hadron Collider (LHC) has validated the last missing piece of the standard model (SM) of elementary particle physics.  The mass of the W boson, a mediator of the weak force between elementary particles, should be tightly constrained by the symmetries of the standard model of particle physics.  So… do recent results mean we have a problem here?

Wireless Sensors: Tiny Battery-Free Devices Float In The Wind Like Dandelion Seeds…” or a lot like the ‘localizer nanochips in Vernor Vinge’s great novel  A Deepness in the Sky.  

A new form of ice discovered, which forms at high-pressures: Shades of Kurt Vonnegut! Here’s ‘ice-ten’ or Ice-X!  Scientists speculate that it could be common on distant, water-rich exoplanets.

Asking the Ultimate Questions, Robert Laurence Kuhn’s recent presentation at the Institute of Art and ideas (IAI-UK), is posted on the Closer To Truth YouTube channel.

== The biologic world ==

States and cities have also begun to decriminalize psilocybin – the core of magic mushrooms - in general or for medicinal purposes, especially treatment of depression. 

The disturbing rise of bird flu; already more than 27 million birds have died or been slaughtered. Will we see a poultry vaccine?

Apparently fish can calculate....stingrays can perform simple addition and subtraction in the low digit range.

Forty to fifty percent of all animal species are actually parasites, including 300,000 different types of worms that parasitize vertebrates.

Interesting question: Why didn't our primitive ancestors get cavities?

== Insights into our planet ==

In Earth’s past, two gargantuan 'super-mountain' ranges may have fueled two of the biggest evolutionary boom times in our planet's history — the first appearance of complex cells roughly 2 billion years ago, and the Cambrian explosion of marine life 541 million years ago.  

Is Earth’s ‘solid’ inner core something like my fictional-hypothetical descriptions in Earth? If the material is ‘superionic,’ then the majority iron atoms might be 'solid' in the crystalline lattice structure, whereas the carbon, hydrogen, and oxygen molecules would diffuse through the medium, creating the liquid-like element.  

And in related matters, the top mineral form of the mantle is perovskites… which are still (since I wrote Earth) among the best high pressure/high temperature superconductors. So… is she alive? Way too soon to tell. But the traits (or potentialities) keep piling up!

Moving a bit outward toward Earth's mantle… “Earth is layered like an onion, with a thin outer crust, a thick viscous mantle, a fluid outer core, and a solid inner core. Within the mantle, there are two massive blob-like structures, roughly on opposite sides of the planet. The blobs, more formally referred to as Large Low-Shear-Velocity Provinces (LLSVPs), are each the size of a continent and 100 times taller than Mt. Everest. One is under the African continent, while the other is under the Pacific Ocean.”  Might this explain the unusual solidity of the African continent?

Meanwhile, fast melting Alpine permafrost may contribute to rising global temperatures.

There have been wonderful paleontologic finds at the Tanis site, in the Dakotas, which show many creatures exceptionally well-preserved who seem to have died suddenly the very day that asteroid ended the era of the dinosaurs. I look forward to the show - Dinosaurs: The Final Day with Sir David Attenborough, which was broadcast on BBC One. A version for the U.S. science series Nova on the PBS network will be broadcast later in the year. allegory of uncertainty

Four quantum physicists are in a car. Heisenberg is driving like he is in The Matrix. Schrödinger is in the front seat waving at the other cars. Einstein and Bohr are in the back arguing when they get pulled over. The officer asks Heisenberg, “do you know how fast you were going?”

“No, but we know exactly where we are,” Heisenberg replies.

The officer looks confused and says, “you were going 120 km/h!”

Heisenberg throws his arms up and cries, “Great! Now we’re lost!”

The officer looks over the car and asks Schrödinger if they have anything in the trunk.

“A cat,” Schrödinger replies.

The officer opens the trunk and yells, “This cat is dead!”

Schrödinger angrily replies, “Well it is now.”

Bohr says, “on the bright side, a moment ago we didn’t have a position, speed, or a cat. Now we have all three!”

Fed up, the officer says, “I just want to know how many of you I need to bring back to the station!”

“Roll dice for it?” Einstein asks.


Now back to your regularly scheduled 21st Century crises...

Chaotic IdealismWhy do Autism Parents mourn the neurotypical child they never had?

I don’t condone it, but I think I can sort of explain why it happens. Do you know how, when plans are changed suddenly, you feel sort of out of balance, and might even have a meltdown if it’s bad and sudden enough? Neurotypicals make plans for their children. They have a mental picture of their future, which includes their child’s personality and cognitive traits. They build these castles in the air–they imagine future scenarios–that may or may not be anything like the reality they’re going to have.

When their child is diagnosed with autism, these future plans disappear, and they feel off-balance like we do when our schedules are suddenly changed and we don’t know what’s going to happen.

Some of them adjust pretty quickly, because they realize that their child hasn’t changed; it’s still the same child they’ve loved all along, and it’s not like those mental plans were ever going to be accurate anyway. Most are scared because they don’t know what life with autism is going to be like and they worry that their child won’t be happy, and it takes a little while for them to regain their equilibrium; instead of a stereotypical future, they’re gazing into the unknown. That, we can put down to an autism-unfriendly world that doesn’t give them enough examples of regular families with autistic people in them.

But others hold on to their mental future, and even reject the actual child they have. Those are the ones who focus on the will-nevers, who love the neurotypical child they would have had in an alternate universe in favor of the autistic child they actually do have. This is a form of emotional abuse.


David BrinRipping off masks... and a powerful (if dry) way to pop the lie-bubble

I'll get to a potent meme (below) that shreds one of the clichés most-shared by both left and right. And shredding it will help one against the other. But first...

In Earth - and differently in Existence - I speculated on ways that 'ownership transparency' might solve many of the crimes and contradictions of feral capitalism, without resorting to anti-market socialism. Defenders of capitalism are hypocrites if they talk about free and competitive markets while excusing secrecy that blinds 99% of market participants. They should be the first to demand world transparency of who owns what.

So am I glad that the Ukraine war is causing the U.S., U.K and even Switzerland to rip veils off some of the shell corporations that own all those seized yachts and so much property in London, New York, Paris etc.? Well, yeah. Sure. But watch our own aristos scramble to make sure this remains only about Russian Oligarchs. I'll be shocked if truly broad reforms happen.

It's gonna take a lot more than Ukraine. Possibly even a "Helvetian War."

Thomas Piketty elaborates: "Let’s say it straight away: it is time to imagine a new type of sanction focused on the oligarchs who have prospered thanks to the regime in question. This will require the establishment of an international financial register, which will not be to the liking of western fortunes, whose interests are much more closely linked to those of the Russian and Chinese oligarchs than is sometimes claimed. However, it is at this price that western countries will succeed in winning the political and moral battle against the autocracies and in demonstrating to the world that the resounding speeches on democracy and justice are not simply empty words."

== Again, the one thing that would transform the world almost instantly ==

Transparency of property and ownership would likely make competitive markets work vastly better while slashing the parasitive effects of all sorts of cheating and (likely) reduce effective tax rates on honest citizens, worldwide. But it is the sort of reform that seems unlikely in the near future.

It may not happen till tumbrels are rolling through the streets, alas.

But there is one thing -- one action by one leader -- that could transform America and the world, overnight. You've seen it proposed here time and again. Jobee could do it all by himself, not even needing Congress.

Maybe he is hoping Putin will do it for him.

Only now the topic I promised. A potent meme that shreds one of the clichés most-shared by both left and right. And shredding it will help one against the other.

== The boring stuff – deficits and how each party tries to ‘stimulate’ the economy – actually matters! ==


As I show in Polemical Judo, Democratic Party pols are seldom smart enough to use powerful memes like this one -- that Biden and the dems have actually reduced the federal deficit for the first time since Obama. 

Not only that, but Democratic Administrations are always* more fiscally responsible than GOP ones.  While caring far more for the poor, oppressed and workers… and science and the planet… and rights for women and minorities... they also reduce, rather than lay heavier debt burdens upon our children.  


Is that really, really hard for you to parse in your head?  

We are so used to each party’s clichés, such as Republican-hypocritical demands for fiscal prudence, while spilling tsunamis of red ink, opening America’s carotid arteries for greedy suction by aristocrats… and the almost equally-dumb obsession of the far-left called “Modern Monetary Theory” (MMT.)

In fact, honest Keynesians are the only adults in the room, running deficits to effectively help the working class during rough patches… then paying down debt in the resulting good times. Clinton did it. So did Jerry Brown, Gavin Newsom…. the list goes on. Not just this round, but every round, as I showed here:  


‘So Do Outcomes Matter More than Rhetoric?’ 


This matters! Because there are two large groups we must draw into the Union side in this especially hazardous phase of the U.S. Civil War. And both of these groups are needed by the only coalition that stands a chance of saving the republic, civilization, planet and posterity. 


First, the frippy sanctimony-preeners of the left need to grow up and learn (as AOC, Bernie, Liz and Stacey know) the meaning of the word ‘coalition.’ One keeps hoping the next news item will snap the poseurs out of their ritual chants of “Biden is Republican-lite!”  

Maybe the looming reversal of Roe v. Wade will do it. But don’t hold your breath.


We ALSO absolutely must peel away the 10% - possibly even 20% - of Republicans who maintain at least a sliver of residual sanity. Why? Because the confederate/Red/Foxite/Trumpist/Kremlinite, anti-science and anti-fact treason party is in demographic collapse! If we can peel away just 10%, all their cheats, including gerrymandering, will fail!  


And that’s where the ‘fiscal responsibility’ thing comes in. It is a wedge you can pound in, to cleave off some of those ‘ostrich Republicans.’ 


Start by demanding a cash wager, whether Democratic Administrations always* prove to be far more fiscally responsible!


Picture your Tucker-hugger blinking in dismay when he realizes one of his cult’s core catechisms is proved – proved! – to be diametrically opposite to true, and he better admit it, or pay off on the bet.


All right. I know your lazy response, shrugging that ‘it’s hopeless to even talk to those people'... 

...and I am telling you now that – hopeless or not – it is your duty!  If just one in ten of you peel away just one… well…. 


Look up the old phrase: “All heaven rejoices when…”



How Putin may seek an exit strategy to save face by declaring a “Mission Accomplished!” moment. Very cogent analysis. Also, this fellow is among the few who describes in detail how under GHW Bush a flock of western vultures - most of them Cheney family-connected - swarmed into Russia to help a hundred or so Soviet commissars snap up shares of sold-off state enterprises… of several reasons why I rank Bush Senior as unquestionably and by far the worst U.S. president of the 20th Century, who set the stage for our crisis ridden world.  Alas, the author of this piece gets a bit kooky toward the end. But the first half is worthwhile.



* Sure, ‘always’ is a strong term. There are undoubtedly exceptions, though I know of none since 1980. So? Use the polemical power.


Charles StrossHugos, 2022

Empire Games cover

The Merchant Princes series is on the shortlist for the Hugo Award for best series, winner to be announced at Chicon 8, the World Science Fiction Convention in Chicago, this September 1st-5th.

I'd like to congratulate all the nominees, in all the various categories: the full list is here.

For the first three omnibus books in the Merchant Princes series, you can do worse than start here; for the Empire Games trilogy—originally pitched as Merchant Princes: The Next Generation—you can find it here.

(Links go to Amazon ebook format, US store: you can find 'em elsewhere, in the UK and EU as well. I'm going to talk to the folks at Tor about providing series purchase links and links to other stores presently.)

For reasons which should be obvious, I'm going to do my best to get to Chicago this September. Usual caveats apply: it's an 8-9 hour flight from Edinburgh (although there are ofteen direct flights, so no extra airports to traverse in the middle), there's a pandemic on, and who the hell knows what hopeful mutants will emerge in the next five or six months. Getting to attend my first in-person worldcon since 2019 would be good, but Not Dying is my absolute priority.


Cory DoctorowRevenge Of The Chickenized Reverse Centaurs

A horse-headed

This week on my podcast, I read a recent Medium column, Revenge of the Chickenized Reverse-Centaurs, about the relationship between algorithms, interoperability and worker power.

(Image: Cryteria, CC BY 3.0, modified)



David BrinWormholes, blackholes... and more!

Just returned from my first speaking tour in 2+ years. Vaxxed & masked in public areas but pretty relaxed holding small meetings with brilliant researchers at UIUC Champagne.

Only now... how about some science?

Let's start with a fabulous rundown by Peter Diamandis of the 5 top things we may learn from the newly-launched James Webb Space Telescope! And yes, I was a skeptic about this hugely complex machine. The fact that it appears to be... well... perfect suggests that maybe you ought to consider yourself a mamber of a fantastically competent civilization... whenever our anti-modernist cousins stop dragging at our ankles.

Strange things keep manifesting! (Ain't it cool?) Pairs and clusters of strands stretch for nearly 150 light-years in the galactic center region and are equally spaced. The bizarre structures are a few million years old and vary in appearance. Some of them resemble harp strings, waterfalls or even the rings around Saturn. But the true nature of the filaments remains elusive.

Giant radio galaxies are yet another mystery in a Universe full of mysteries. They consist of a host galaxy (that's the cluster of stars orbiting a galactic nucleus containing a supermassive black hole), as well as colossal jets and lobes that erupt forth from the galactic center. Now, an utterly humongous one has been found with radio lobes reaching 5 megaparsecs.  

The new Imaging X-Ray Polarimetry Explorer (IXPE) space telescope reveals wonders out there in ‘a new light.’  

An excellent article about why black holes appear to spin so fast - via conservation of angular momentum - that the edges of their ergosphere’s may approach the speed of light. 

And meta cosmological -- If the physics theory of cosmological coupling is correct, the expansion of the universe causes black holes to gain mass.

And even more meta! “spiderweb of wormholes could solve a fundamental “information paradox” first proposed by Stephen Hawking.” 

== And within our solar system ==

2020 XL5 is an Earth Trojan — an asteroid companion to Earth that orbits the Sun along the same path as our planet does, only 60 degrees ahead at L4. These are far more rare than the large numbers collected 60 degrees ahead or behind Jupiter. Over a kilometer wide, it is speculated as a potentially useful base (especially if the Type C asteroid contains volatiles like water)… but also as a place we ought to scan for “lurker” interstellar observation probes… as I describe in EXISTENCE. 

Large-scale liquid on Mars existed much longer than suspected, according to this Caltech report. Martian salt deposits are often found in shallow depressions, sometimes perched above much larger craters that are devoid of the deposits. MRO data showing shallow salt plains above craters suggests that some wet patches endured rather late, as recently as 2.3 billion years ago. Some of these deposits are on terrain that's a billion years younger than the ground the Perseverance Rover is rolling across right now.

The European Space Agency said that its Solar Orbiter – which was launched in 2020 on a mission to study the sun – quite by accident passed through this comet’s tail in late 2021. While within the tail, one of the sensors aboard Solar Orbiter measured particles that were definitively from the comet and not the solar wind. It detected ions of oxygen, carbon, molecular nitrogen, and molecules of carbon monoxide, carbon dioxide and possibly water. Visible light images can hint at the rate at which the comet is ejecting dust, while the ultraviolet images can give the water production rate.

Three prominent features on the Kuiper Belt object Arrokoth – the farthest planetary body ever explored, by NASA's New Horizons spacecraft – now have official names. Proposed by the New Horizons team and approved by the International Astronomical Union, the names follow a theme set by "Arrokoth" itself, which means "sky" in the Powhatan/Algonquin Native American language.

Ice roofed worlds might be a majority of all life worlds. Tidal heating is foremost, but also radioactivity and a weird effect of serpentine rocks relaxing slowly into a lower energy structure!

Ah, balmy Venus: “Venus, our closest planetary neighbor, is called Earth's twin because of the similarity in size and density of both planets. Otherwise, the planets differ radically… While previous studies suggested Venus might have once been covered in oceans, new research has found the opposite: Venus has likely never been able to support oceans.” Any water clouds that did form fled to the night side, where they did not reflect sunlight (albedo) but did trap in heat. So the place never cooled down.

Still, oceans may yet come to Venus!  See how in my novella “The Tumbledowns of Cleopatra Abyss”! On my website and in Best of David Brin stories… my top stuff! 

Scientists have identified what appears to be a small chunk of the moon – possibly blasted off it by an impact 100,000 years ago. Kamo`oalewa is one of Earth’s quasi-satellites, a category of asteroid that orbits the Sun passing frequently by Earth. Also a perfect place for an alien observation post! 

An interesting theory about the origin of Earth’s water: the solar wind - charged particles from the Sun largely made of hydrogen ions - created water on the surface of dust grains carried on asteroids that smashed into the Earth during the early days of the Solar System, helping to explain how lighter isotopes and hydrogen complemented water arriving from early comets and carbonaceous chondrites.  It also suggests “astronauts may be able to process fresh supplies of water straight from the dust on a planet's surface, such as the Moon."

At 100 km across, comet Bernardinelli-Bernstein (BB) is the largest comet ever discovered by far, and it is active, even though farther from the sun than the planet Uranus. The size of comet BB and its distance from the sun suggests that the vaporizing ice forming the coma is dominated by carbon monoxide.  To understand this better, you might go to my doctoral dissertation. Or else the best look at these objects… a novel… Heart of the Comet!

The solar system’s strangest moon? Saturn's IapetusWell… after Titan of course. Tropical-balmy beach resort Titan. Ahhhh! Yet, read about the curious, unexplained features of Iapetus.


David BrinRomanticism & Resentment: Great for art! Terrible for running a civilization

My romantic soul agrees with this vivid howl! (From Robert A. Heinlein's Glory Road.) 

How vivid, and don't we all... at least in part... agree?

And yet, this plaint by a Heinlein character -- a scarred Vietnam vet and sci fi fan -- also exemplifies the lethal Problem of Romanticism, in which arty emotionalism gets all the mighty propaganda! Propaganda just like Heinlein's passage (though seldom as eloquent.) 

Let me put it as a bald assertion. Romanticism may be one of the most-central aspects of being human... and not always for the better.

From the Punic Wars all the way to modern Hollywood flicks, romanticism has spent centuries propelling rage and demonization in all parties, in all human conflicts, making calm negotiation next to impossible. (Admit it. Some of your own passion is about “MY kind of people are virtuous and those opposing my kind are inherently and by type morally deficient!”)

Oh, let's also admit from the start how addicting righteousness can be! Yes, it must have been reinforced during evolution because of the passion and forcefulness it supplies, during the struggles each generation faced, across the last half a million years. So reinforced that it can be hard even to notice.

== NOT a good basis for policy, in a complex world ==

Emerging from the voluptuous high of romanticism is hard, but not quite impossible, as we’ve shown during the last 200 years of gradually augmenting… maturity.

In fact, as one who lost nearly all of his cousin family lines to one of the most romantic of all vile movements, let me thank God that the romantic soul is having its hands peeled off of policy at long last, after 10,000 years of wretched fear-drenched rage, in which every generation's tribes called their rivals subhuman, deserving only death, like the Tharks of Mars, Tolkien's orcs, the Trojans that Achilles slew in heaps...

...or the Black folks who Confederate romantics enslaved as sub-human and Jews slaughtered in millions by romantics playing Wagner...

...and successively masses of robots... then clones... then masked storm troopers who George Lucas mowed down to our delight since, naturally, none of their kind had mothers to mourn them?

== We need romanticism, at our core! Only... ==

Here's a pretty basic question.  Look at Heinlein's list of great adventures his character longed for. Now tell us which of them  would be even a scintilla as good a place to raise a family as this tawdry, fouled up mess of a world he was complaining about.  Oh, it's tawdry and messed up, all right. But largely by the ways it has failed to move away from the kinds of brutal, even sadistic adventure-zones that were rampant both in fiction and across nearly all of human history. 

But there are equally many ways that we have started leaving all of that behind!  And your long, comfortable lives, free of most anguish, pain and death while staring at the flat screens of these palantir miracle devices, kind of suggest our change of path was the right course.

At long last we are giving policy over to the part of us that does fair argument and science and the freedom of even despised minorities to speak and demand we LOOK at them with compassion and respect!

That transformation is not complete - by far - and it may yet fail! But we are close - so close - to exiling 'romance’ from daylight activities of fact-based policy, sending that part of us instead over to the realm where it belongs. NOT the daylight hours of invention, argument and negotiated progress... 

...but to the campfire hours of moonlight and stars dancing overhead - or the couch or movie theater or pulpy novel - when... YES!... we can unleash that wild, romantic spirit. Those hours when we still need to bay at Luna or Barsoom, to relish garish adventures and quests against dragons...

...or to scan a million black squiggles on pressed vegetable pages, or glowing from a kindled screen, and let those incantations draw us into the voluptuous, subjective roar of which Heinlein speaks!

I make such incantations! I craft good ones. (You'll enjoy them!) 

But no. 

That side of us should never again be given the tiller of nations or policy. (As crazy people at all political wings are right now demanding that we do!) 

The daytime halls of policy and science and truth-seeking and negotiation... and yes, even revising even our most passionate biases - that's when and where we must (it is long past time) at last grow up.

== Recovery from authoritarian regimes ==

Here's an amazingly cogent and well-parsed theory for how authoritarian regimes often transition to democracy after a long reign by an autocrat who is both repressive and good at effective rulership and development. It reminds me of Asimov’s ‘psychohistory’ riff on strong vs. weak emperors vs. strong vs. weak generals. In fact, this article strikes me as a much more cogent psychohistorical contribution than any of the recently popular “historical cycles” bilge that’s been going around. Income, Democracy, and Leader Turnover, by Daniel Treisman

“Abstract:  While some believe that economic development prompts democratization, others contend that both result from distant historical causes. Using the most comprehensive estimates of national income available, I show that development is associated with more democratic government—but mostly in the medium run (10 to 20 years). This is because higher income tends to induce breakthroughs to more democratic politics only after an incumbent dictator leaves office. And in the short run, faster economic growth increases the ruler's survival odds. Leader turnover appears to matter because of selection: In authoritarian states, reformist leaders tend to either democratize or lose power relatively quickly, so long-serving leaders are rarely reformers. Autocrats also become less activist after their first year in office. This logic helps explain why dictators, concerned only to prolong their rule, often inadvertently prepare their countries for jumps to democracy after they leave the scene.”

Certainly Singapore and South Korea followed this model. Did Pinochet? Iran’s Shah is hard to fit here, except to put him in the category of “less strong than he thought he was.” So. Can we hope this will be legacy of some of today’s world strongmen?

And finally... 

I may have linked to this before. Here's Mark Twain blaming Sir Walter Scott's romanticism for the Civil War

"Then comes Sir Walter Scott with his enchantments, and by his single might checks this wave of progress, and even turns it back; sets the world in love with dreams and phantoms; with decayed and swinish forms of religion; with decayed and degraded systems of government; with the silliness and emptinesses, sham grandeurs, sham gauds, and sham chivalries of a brainless and worthless long-vanished society."

I knew I liked the fellow who crafted Huckleberry Finn, one of the finest and most noble of all fictional rascals.


Sam VargheseBias? Don’t know that word, says The Age editor

Another Saturday, and there’s a fresh dose of wisdom from Gay Alcorn, the venerable editor of The Age, a tabloid that is one of the two main newspapers in Melbourne. Once again, Alcorn’s gem was behind a paywall in the morning but is now free to read.

As with her effort some weeks ago — which was dissected here — Alcorn is again trying to play the balance card even as accusations of bias arise. This time, a federal election campaign is in full swing and thus the shrieks from the gallery are that much louder.

Alcorn claims the newspaper, part of once what was a large stable running under the name Fairfax Media until it was taken over by Nine Entertainment, has not moved to the right.

[I worked for the website of The Age for nearly 17 years, from June 1999 until May 2016.]

In her own words: “There is no doubt that on social media in particular, The Age is accused of being pro-Coalition, especially since Fairfax, publishers of The Age and The Sydney Morning Herald, were taken over by Nine Entertainment and because the board’s chairman is Peter Costello, a former Liberal Treasurer. We are also accused of being pro-Labor – our letter writers appear overwhelmingly progressive to me – but mostly the suggestion is that we have moved rightwards.”

Alcorn denies this is the case: “Maybe I would say this, but I don’t believe it’s true. We take editorial independence so seriously that there would be a major problem if commercial interests attempted to influence our editorial decisions in any way.”

But history says otherwise. The very fact that The Guardian, a newspaper that leans to the left, has been able to set up a website and thrive in Australia, and The New Daily, a website that is funded by the superannuation industry and also veers more left than right, has found a sizeable audience speaks to the untruthfulness of this assertion.

Both these publications have cannibalised the Age’s left-wing readers as the Age has swung to right-of-centre.

In 2006, the Age’s rival, the Herald Sun, a Murdoch tabloid, was planning a redesign, to become a little more of a red-top than it already was. At that time, the editor of the Age website, Mike van Niekerk, sent an email to the site’s news editor, pointing out what was about to happen and saying the Age website would have to go in a similar direction.

The website became a lot more tabloid-like from that point on, often leading to criticism from the print side of operations, saying that the website could not be even recognised as being the Age.

Some years later, the Age and the Sydney Morning Herald both decided to reduce their sizes and become tabloids. The content slowly began to reflect the size of the paper. Hence, saying there has been no turn to the right is wide of the mark.

As to bias, Alcorn and the Sydney Morning Herald editor Bevan Shields both defended their respective papers (and by extension the two websites) from such a claim on a podcast.

But then the reality is different. The columnists are reflective of the bias: Shaun Carney, who left the paper some years ago, is now writing for it again; he is Peter Costello’s biographer.

Another of the op-ed writers is Parnell Palme McGuinness, daughter of the late right-wing contrarian Padraic McGuinness, a right-wing nutjob if ever there was one. Add to that a woman named Julie Szego — who has been there for decades and once ran to Mark Leibler to get a column of hers reinstated after the then editor, Paul Ramadge, had spiked it — and you have all the ingredients for a stale right-wing pudding. There’s also former Howard minister Amanda Vanstone who provides the icing on that.

The only decent political columnist is Nikki Savva and she came to Nine only because The Australian, where she was a staple, hired the former Tony Abbott spin doctor Peta Credlin. The Age also runs columns written by Michelle Grattan who left the paper seven or eight years ago.

Waleed Aly, a lecturer who was once on the left, but is much more centrist these days, writes the occasional column. Then there is Peter Hartcher who is on the record as saying that Australia should not accept Chinese from mainland China as immigrants. Plus Ross Gittins, an economics writer of some vintage.

The sharing of copy between the two papers started some years ago to save money and continues apace. The Sydney Morning Herald is the boss and calls the tune.

These occasional missives from Alcorn do little good to convince any reader with even an IQ of 10 about the lack of bias; the content is the only thing that will speak for it.


Charles StrossBehind the Ukraine war

Today is April 2nd. There's a good reason I skipped blogging on April 1st: the actual news right now is both sufficiently ghastly and surreal that any attempt at satire either falls flat or runs victim to Poe's Law.

(I did hatch a relatively harmless idea for a non-depressing April Fool's jape—an announcement that I'd decided my fiction was too depressing, so I was going to pivot to writing Squeecore (albeit with Lovecraftian features), but then I described it to a friend and he pointed out that Dead Lies Dreaming was already Squeecore with Lovecraftian features, so the joke's on me.)

I have real difficulty writing fiction during periods when the Wrong Sort of History is Happening. The Ukraine invasion completely threw me off my stride, so the novella I was attempting to write the second half of is still unfinished and I'm behind schedule on the final draft of Season of Skulls.

But when life hands you lemons you might as well make lemonade, so here's what I learned from my most recent month of doomscrolling.

Some of the news this year puts me in mind of a novel I never got round to writing. Back in March of 2012 I wrote about something that worried me: the intersection of social media apps, geolocation, smartphones, and murder:

In the worst case, it's possible to envisage geolocation and data aggregation apps being designed to facilitate the identification and elimination of some ethnic or class enemy

Today, some of it is happening in the Ukraine war:

There's even an app people can use to report the movements of Russian troops, sending location-tagged videos directly to Ukrainian intelligence. The country's minister of digital transformation, Mykhailo Fedorov, told The Washington Post they're getting tens of thousands of reports a day.

It's a lot less morally questionable than my grim speculation about geolocation/social media apps mediating intra-community genocide, but it's still appalling by implication. The Ukrainians are justified in doing this, but sooner or later someone is going to turn this into a tool for genocide.

What is funny, in the sense of funny-peculiar, not funny-humorous, is the war of the cellular networks. It turns out the Russian field units are using 1980s analog radios and cellphones to communicate. A lot of them got lost because after commanders confiscated all the troops' smartphones, they issued paper maps which nobody knows how to use any more. Meanwhile the Russian commanders were using an end-to-end encrypted secure messaging app ... that required cellphone service, and by shelling the Ukrainian cellphone base stations they were disrupting their own secure comms. It's an absolute clusterfuck, and if it wasn't combined with atrocities and war crimes it would be hilarious.

This is without even touching on the self-inflicted Russian casualties in the Chernobyl exclusion zone. You may wonder why the Russian soldiers were stupid enough to dig trenches in the Red Forest, possibly the most radioactive pollution zone on the planet. (Hint: it takes more radiation to kill a conifer than a human being—which is why the Red Forest, where almost all the trees died, is a really bad place to go bivouacking.) It becomes clearer once you know that the Russian armies are being directed from the top down, receiving exact orders from Moscow and allowed no scope for deviation. Someone who was 16 years old in 1986 (the year of the Chernobyl Disaster—about the youngest age to fully understand the scale and implications of the event) would be 52 by now, probably too old to be in the field: to the kids fighting the war, the Chernobyl disaster probably happened before their parents were born. It's ancient history about an accident in a foreign country.

Back in the mists of time on this blog (DDG search isn't terribly helpful in locating it) I prognosticated about the first generation who would never have experienced getting lost, because smartphones with GPS would be ubiquitous. But when Generation Location runs into a military-historical Cold War LARP/nostalgia trip—which seems to be what the Ukraine war is turning into, from the Russian point of view—things get messy. Ditto for no access to wikipedia or other online information resources. It seems humans have short memories (especially 18-20 year old conscripts from the decrepit, poverty-stricken Russian heartland), and the elderly and rigid Russian leadership (Putin is only 5 years younger than Leonid Brezhnev was when he died) is locked in an information bubble of their own creation, uncritically consuming reports their subordinates prepare in hope of not attracting their ire.

I could go on endlessly about this ongoing war, but right now I just want to clutch my head and hide. Anyway, I speak/read neither Russian nor Ukrainian, so I'm at best a second-hand information source. A lot of the stuff circulating on twitter (I don't do Facebook) is of dubious quality, although I find the twitter-streams of @kamilkazani and @drleostrauss (note: it's an alias, the real Leo Strauss died in 1973: this one is a pseudonymous Washington DC foreign policy wonk) both compelling and mostly persuasive.

What I can safely say is that this war isn't going the way any of us might have expected. That Ukraine wouldn't roll over and surrender instantly, but would instead fight back furiously, could have been predicted. (This is the sort of war that nation-building myths are later based on, like the Battle of Britain, or the Winter War, or the Israeli War of Independence.) It's at least as revolutionary as the Second Boer War in terms of brutally exposing the obsolete military doctrines of an imperial invader: in this case the obsolescence of traditional Soviet/Russian tank doctrine in the face of drones, loitering munitions, and infantry-portable ATGMs, not to mention the bizarre failure of military comms to keep up with the smartphone revolution.

The true impact of the cyberwar hasn't become clear yet, but the Rosaviation hack alone—the entire licensing/registration database of Rosaviation, the Russian Civil Aviation Registrar, has been erased, all 65Tb of it, apparently without leaving them with a backup—could be the most expensive hacking attack this century.

And that's before we come to the way the war is amplifying the ongoing energy crisis.

I think the war can best be contextualized as the flailing reaction of an ossifying, increasingly centralized and aggressively authoritarian oil/gas extraction regime to the growing threat of its own irrelevance. While crude Russian nationalism and revanchist empire-building is the obvious superficial cause of the war, the real structural issues underlying it are the failure of Russia to diversify its economy and to establish a modern framework of government that doesn't degrade into Tsarist rule-by-decree: eventually the Tsar loses touch with reality (whether by going nuts or due to being fed misinformation from below) and bad stuff happens. Oil and gas are economic heroin to the exporting countries: only a handful have moved to effectively avoid the withdrawal side-effects (I'm thinking of Norway in particular), and for most withdrawal is disastrous. Russia is particularly vulnerable, and can't afford to let the rest of the world wean itself off fossil carbon abuse. And Ukraine is now paying the price. (It should be noted that Donbass has the second largest gas reserves in Europe: this is economically as much an oil/gas war as was the Iraq war before it.)

Anyway, as Lenin remarked, "There are decades where nothing happens; and there are weeks where decades happen."

We had a couple of decades of Francis Fukuyama's The end of history and now we're paying the price in catch-up weeks.

PS: I have chosen to ignore the question of Russian interference in Western politics, and especially Donald Trump and Alexander Boris de Pfeffel Johnson, because this war is not about the west: it's about long-term Russian ethnonationalist revanchism, an attempt to rebuild their Empire. Centering western political concerns is dangerous and misleading and will lead us into error, so don't do that in the comments.


Charles StrossYokai Land Q&A

Sorry about the outage: I just spent the past two weeks being a tourist and visiting friends in Germany—my first journey more than 50km from home since January 2020. It was fun, good beer was drunk, old friends were visited, many FFP2 masks were worn, and I'm now testing daily because of course BA.2 arrived while I was traveling. (LFTs are all negative so far ...)

Shipping delays mean that Transreal Fiction didn't get copies of Escape from Yokai Land before I departed, so if you've been wondering where your order got to, I'm going to try and get up there tomorrow to sign them (assuming Ingrams, the wholesaler, have delivered them the day after I went on vacation).

As it's not going paperback (ever) there's no point holding off on spoilers/questions about Escape, so if you want to ask me anything about it, feel free to do so in the comments below.

Please do not colonise the comments with (a) the permanent floating cars v. bicycles discussion, (b) the permanent floating climate change discussion, or (c) the Russian invasion of Ukraine. I'll start a new topic for those things later.