Planet Russell


Worse Than Failure: Best of 2019: When Unique Isn't Unique

We close out our recap of 2019 and head into the new year with one last flashback: when vendors forget what the definition of "unique" is. Original -- Remy

[Image: Palm III]

Gather 'round, young'uns, for a tale from the Dark Ages of mobile programming: the days before the iPhone launched. Despite what Apple might have you believe, the iPhone wasn't the first portable computing device. Today's submitter, Jack, was working for a company that streamed music to these non-iPhone devices, such as the Palm Treo or the Samsung Blackjack. As launch day approached for the new client for Windows Mobile 6, our submitter realized that he'd yet to try the client on a non-phone device (called a PDA, for those of you too young to recall). So he tracked down an HP iPaq on eBay just so he could verify that it worked on a device without the phone API.

The device arrived a few days out from launch, after QA had already approved the build on other devices. It should've been a quick test: sideload the app, stream a few tracks, log in, log out. But when Jack opened the app for the first time on the new device, it was already logged into someone's account! He closed it and relaunched, only to find himself in a different, also inappropriate account. What on earth?!

The only thing Jack could find in common between the users he was logged in as was that they were running the same model of PDA. That was the crucial key to resolving the issue. To distinguish which device was making the calls to the streaming service, Jack used a call in Windows Mobile that would return a unique ID for each mobile device. On most devices, that identifier was derived from the IMEI, ensuring uniqueness, but not on the HP iPaq. Because every iPaq reported the same ID, any HP device could automatically log into the account most recently used on any other iPaq, provided that user had logged out and back in, since doing so created a recent-user record keyed on the shared device ID.

Jack had read the documentation many times, and it always stated that the ID was guaranteed to be unique. Either HP had a different definition of "unique" than anyone else, or they had a major security bug!

Jack emailed HP, but they had no plans to fix the issue, so he had to whip up an alternate method of generating a UUID in the case that the user was on this device. The launch had to be pushed back to accommodate it, but the hole was plugged, and life went on as usual.
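The failure described above, reconstructed as an added Python example (this is not the original client's code, nor HP's or Microsoft's API; the class and function names, the constructed device ID `HP-IPAQ-0000` and the account names are all assumptions). It shows the vulnerable pattern of keying a "recent user" auto-login record on a hardware device ID, the collision that occurs when two installs report the same ID, the per-install random UUID that Jack's fix amounts to, and a server-side check that flags device IDs seen with more than one account, which is how this class of bug can be detected in logs before a customer does.

```python
import uuid

# Constructed: stands in for the non-unique ID every iPaq reported.
SHARED_ID = "HP-IPAQ-0000"


class RecentUserStore:
    """Server-side map from device identifier to the last account that logged in."""

    def __init__(self):
        self._recent = {}   # device_id -> account (what auto-login consults)
        self._history = []  # (device_id, account) pairs, kept for auditing

    def record_login(self, device_id, account):
        self._recent[device_id] = account
        self._history.append((device_id, account))

    def auto_login(self, device_id):
        """Vulnerable pattern: the device ID alone selects the session to resume."""
        return self._recent.get(device_id)

    def shared_ids(self):
        """Detection: device IDs that have been used by more than one account.

        On a fleet where IDs really are unique this set stays empty; an entry
        means either a shared ID (the iPaq case) or a device passed between users.
        """
        accounts_by_id = {}
        for device_id, account in self._history:
            accounts_by_id.setdefault(device_id, set()).add(account)
        return {d for d, accts in accounts_by_id.items() if len(accts) > 1}


class ClientInstall:
    """One installation of the app; local_storage simulates per-app persistent storage."""

    def __init__(self, hardware_id, local_storage=None):
        self.hardware_id = hardware_id
        self.local_storage = {} if local_storage is None else local_storage

    def install_id(self):
        """Hardened: generate a random UUID once per install and persist it locally.

        The value is unrelated to the hardware, so two installs can never share it,
        and a fresh install has no record to inherit. It identifies the install only;
        it is not a substitute for authenticating the user.
        """
        if "install_id" not in self.local_storage:
            self.local_storage["install_id"] = str(uuid.uuid4())
        return self.local_storage["install_id"]


def demo_collision():
    """Return (vulnerable result, hardened result, flagged IDs) for two iPaqs."""
    device_a = ClientInstall(SHARED_ID)
    device_b = ClientInstall(SHARED_ID)

    # Vulnerable: alice logs in on A; B reports the same ID and is handed her account.
    by_hardware_id = RecentUserStore()
    by_hardware_id.record_login(device_a.hardware_id, "alice")
    vulnerable = by_hardware_id.auto_login(device_b.hardware_id)

    # Hardened: the store is keyed on each install's own UUID, so B has no record.
    by_install_id = RecentUserStore()
    by_install_id.record_login(device_a.install_id(), "alice")
    hardened = by_install_id.auto_login(device_b.install_id())

    # Detection: once bob also logs in from "the same" device, the ID is flagged.
    by_hardware_id.record_login(device_b.hardware_id, "bob")
    return vulnerable, hardened, by_hardware_id.shared_ids()


if __name__ == "__main__":
    print(demo_collision())
```

The detection step is the part worth adding to a real service: a device identifier that keeps turning up with different accounts is exactly the signal that would have caught the iPaq before launch, and it is cheap to compute from existing login records.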


Planet Debian: Junichi Uekawa: Happy new year.

Happy new year. Last year I kept on practicing piano. I started Tea. Wondering what awaits.

Planet Debian: Russ Allbery: Review: Woman on the Edge of Time

Review: Woman on the Edge of Time, by Marge Piercy

Publisher: Ballantine
Copyright: 1976
Printing: 2016
ISBN: 0-307-75639-4
Format: Kindle
Pages: 419

Woman on the Edge of Time opens with Connie (Consuela) Ramos's niece Dolly arriving at the door of her tiny apartment with a bloody face. Her pimp, the cause of the bloody face, shows up mere moments later with a doctor to terminate Dolly's pregnancy. After a lot of shouting and insults, Connie breaks a glass bottle across Geraldo's face, resulting in her second involuntary commitment to a mental institution.

The first time was shortly after the love of her life was arrested for shoplifting and, in an overwhelmed moment, she hit her young daughter. That time, she felt she deserved everything that happened to her, not that it made much difference. Her daughter disappeared into the foster care system and she ended up on welfare, unable to get a job. She did get out of the institution, though. That's more of a question this time.

The other difference in Connie's life is that Luciente has made contact with her. Luciente is apparently from the future, appears in Connie's apartment, speaks an odd dialect, and is both horrified and fascinated by the New York City of Connie's time. She is also able to bring Connie mentally into the future, to a community called Mouth-of-Mattapoisett, which has no insane asylums, welfare, capitalism, pimps, condescending social workers, pollution, or the other plagues of Connie's life.

Woman on the Edge of Time sets a utopia against a dystopia, but the dystopia is 1970s America seen through the life of a poor Mexican-American woman. The Mattapoisett sections follow the classical utopia construction with Connie as the outside visitor to whom the utopia is explained. The present-day sections are a parade of horrors as Connie attempts to survive institutionalization, preserve a shred of dignity, and navigate the system well enough to be able to escape it. At first, these two environments are simply juxtaposed, but about two-thirds of the way through the book it becomes clear that Luciente's future is closely linked to, and closely influenced by, Connie's present.

I wanted to like this book, but I struggled with it. It took me about two months to read it, and I kept putting it down and reading something else instead. I'm finding it hard to put my finger on why it didn't work for me, but I think most of the explanation is Connie.

Piercy commits fully in this story to making Connie an ordinary person. Her one special characteristic is her ability to receive Luciente's psychic contact from the future, and to reach out in return. Otherwise, she's an average person who has lived a very hard life, who is struggling with depression and despair, and whose primary reaction to the events of the book is a formless outrage mixed with self-pity. This is critical to the conclusion of the story, and it's a powerful political statement: Ordinary people can affect the world, their decisions matter, and you don't have to be anyone special to fight oppression.

Unfortunately, this often makes the Mattapoisett sections, which are the best part of this book, frustrating to read. Not only does Connie not ask the questions about the future utopia that I wanted to ask, but she also reacts to most of the social divergences with disgust, outrage, or lasting confusion. This too I think is an intentional authorial choice — a true course correction in our world isn't also going to be comfortable and familiar, all of us will disagree with some of those choices, and Connie is not someone who grew up reading utopian literature — but it adds a lot of negative emotion to what is otherwise a positive celebration of how much better humanity can be. The people of Mattapoisett are endlessly patient with Connie in ways that also highlight strengths of their society, but I frequently found myself wanting to read a different story about Luciente, Jackrabbit, and the others without Connie there to recoil from the most drastic changes or constantly assume the worst of their customs.

I felt like I understood Connie and empathized with her, but I didn't like her. It's hard to read books where you don't like the main character.

The present-day scenes are an endless sequence of nightmares. Connie has a couple of friends inside the institution, who are also just trying to survive, but is otherwise entirely alone. Her niece tries occasionally, but is so strung out on drugs that she can't hold a coherent train of thought. Every figure of authority in the book treats Connie with contempt. All medical staff treat the patients like animals; the best that any of them can hope for is to be treated like a tolerable but ugly pet. I fully believe this was accurate for at least some facilities in some places, but it's soul-crushing to read about at length. I found myself slogging through those sections of the book, waiting for another interlude in Mattapoisett where at least I could enjoy the utopian world-building and relax a bit around happy characters.

This is, to be clear, effective at conveying the political point that Piercy is making. It's striking to read about Connie's horrific life and realize that it would be far worse today. Outside of the institution, she was living on long-term welfare, something that no longer exists in the United States. There are essentially no more mental institutions of the type in which she was held today; we closed them all in the 1980s and dumped all the residents on the streets. As Piercy points out in her foreword, this is not an improvement. Today, Connie would either be homeless or in prison, her circumstances would be even worse than they were in the book, and even this plot would not be possible.

It's hard to know what to say about books that say true things with the level of anger and revulsion that our world warrants and do not give the reader the comfortable wrapping of characters with room to be happy. There is little Piercy says here that's wrong, and it's something we should hear, but apart from the Mattapoisett interludes I found it miserable to read. I read partly for escapism and for a break from dwelling on the unfolding horrors of the news cycle, so I struggle with books that feel like an extension of the day-to-day reporting on how awfully we treat our fellow humans. This is a problem I have with much of 1970s feminist SF: The books are incandescently angry, and rightfully so, about problems that are largely unfixed fifty years later, and I come away deeply depressed by humans as a species.

The heart of this book is the carefully-constructed Mattapoisett utopia, which says fascinating things about parenting, ecological balance, interpersonal relationships, communal living, personal property and its appropriate place in society, and governance structures. Piercy does cheat with some psychic empathy and some semi-magical biology, but most of what she describes would be possible with our current technology. I've not talked much about that in this review because the other parts of the book hit me so strongly, but this is a very interesting utopia. If you like analyzing and thinking about alternative ways of living, this is thought-provoking stuff.

I can see why other people liked this book better than I did, and I have great respect for its political goal and for Piercy's utopian world-building. It wasn't the book for me, but it might be for you.

Rating: 5 out of 10

Planet Debian: Paul Wise: FLOSS Activities December 2019

  • Debian wiki: whitelist email addresses, help with auth issues
  • FOSSJobs: forwarding jobs, approving jobs

  • Respond to queries from Debian users and developers on the mailing lists and IRC

Some of the lintian-brush issues, the devscripts tagpending issue and the libpst work were sponsored by my employer. All other work was done on a volunteer basis.


Planet Debian: Chris Lamb: Favourite books of 2019

I managed to read 74 books in 2019 (up from 53 in 2018 and 50 in 2017), but here follow ten of my favourites this year, in no particular order.

Disappointments included The Seven Deaths of Evelyn Hardcastle (2018), which started strong but failed to end with a bang; all of the narrative potential energy tightly coiled in the exposition was lazily wasted in a literary æther like the "whimper" in the imagined world of T. S. Eliot. In an adjacent category, whilst I really enjoyed A Year in Provence (1989) last year, Toujours Provence (1991) did not outdo its predecessor but was still well worth the dégustation. I was less surprised to be let down by Jon Ronson's earliest available book, The Men Who Stare At Goats (2004), especially after I had watched the similarly off-key film of the same name, but it was at least intellectually satisfying to contrast the larval author of this work with the butterfly he is today; still, I couldn't recommend the experience to others who aren't fans of him now.

The worst book that I finished this year was Black Nowhere (2019), a painful attempt at a cyberthriller based on the story of the Silk Road marketplace. At many points I seriously pondered whether I was an unwitting participant in a form of distributed performance art or simply reading an ironic takedown of inexpensive modern literature.

As a slight aside, choosing which tomes to write about below was an interesting process but likely not for the reasons you might think; I found it difficult to write so publicly anything interesting about some books that remain memorable to this day without essentially inviting silent censure or, worse still, the receipt of tedious correspondence due to their topics of contemporary politics or other vortexes of irrationality, assumed suspicion and outright hostility. (Given Orwell's maxim that "the only test of artistic merit is survival," I find this somewhat of a disservice to my integrity, let alone to the dear reader.)

In the Woods (2007), The Likeness (2008) & Faithful Place (2010)

Tana French

I always feel a certain smug pleasure attached to spotting those gaudy "Now a major TV series!" labels appearing upon novels I have already digested. The stickers do not merely adhere to the book themselves, but in a wider sense stick to myself too as if my own refined taste had been given approval and blessing of its correctness. Not unlike as if my favourite local restaurant had somehow been granted a Michelin star, the only problem then becomes the concomitant difficulty in artfully phrasing that one knew about it all along...

But the first thing that should probably be said about the books that comprise the Dublin Murder Squad ("Now a major TV series!") is the underlying scaffolding of the series: whilst the opening novel details Irish detectives Rob Ryan and Cassie Maddox investigating a murder, it is told from the first-person perspective of the former. The following book, however, not only recounts an entirely different Gardaí investigation but is told from the point of view of the latter, Cassie, instead. At once we can see how different (or not) the characters really are, how narrow (or not) their interpretation of events is, and moreover we get to enjoy replaying previous interactions between the two, both implicitly in our minds and sometimes explicitly on the page. This fount of interest continues in the third of the series, which is told from the viewpoint of yet another character introduced in the second book, and so forth.

I feel I could write a fair amount about these novels, but in the interest of brevity I will limit my encomium to the observation that the setting of Ireland never becomes a character itself, which is curiously refreshing now that most series feel the need to adopt this trope, one that overshot cliché some time ago. Authors, by all means set your conceits in well-trodden locations, but please refrain from boasting or namedropping your knowledge at seemingly every opportunity (the best/worst example being Ben Aaronovitch's Rivers of London series or, by referencing street and pub names just a few too many times for comfort, Irvine Welsh's Edinburgh). Viewers of the BBC Spooks series will likely know what I mean too: it isn't that the intelligence officers couldn't meet in the purview of St Paul's or under the watchful London Eye, but the unlikelihood that all such clandestine conventicles would happen with the soft focus of yet another postcard-worthy landmark in the background forces at least this particular ex-Londoner out of the plot somewhat.

Anyway, highly recommend. I believe I have three more in this series, all firmly on my 2020 list.

The Ministry of Truth (2019)

Dorian Lynskey

It should hopefully come as no surprise to anyone that I would read this "biography" of George Orwell's Nineteen Eighty-Four (NB. not "1984"...) after a number of Orwell-themed travel posts this year (Marrakesh, Hampstead, Paris, Southwold, Ipswich, etc.).

Timed to coincide with the book's publication 70 years ago, Lynskey celebrates its platinum anniversary with an in-depth view into the book's literary background in the dystopian fiction of the preceding generation, including Yevgeny Zamyatin's 1921 We and H. G. Wells's output more generally. It is a bête noire of mine that the concepts in the original book are taken too literally by most (as if pointing out the lack of overt telescreens somehow discredits the work or — equally superficially in analysis — it has been "proven right" by the prevalence of the FAANGs throughout our culture), but Lynskey does no such thing and avoids this stubbornly sophomoric and narrow view of Nineteen..., and does not neglect the wider, more delicate and more interesting topics such as the slippage between deeds, intentions, thoughts, veracity and language.

Thorough and extremely comprehensive, this biography remains a wonderfully easy read and is recommended to all interested in one of the most influential novels of the 20th century; furthermore, it should not be considered the exclusive domain of lovers of trivial Orwellania, notwithstanding that such folks will undoubtedly find something charming in Lynskey's research in any case: Who knew that the original opening paragraph of this book was quite so weak? Or that a misprint resulted in an ambiguous ending...? This book shouldn't just make you want to read the novel again; it will likely pique your interest into delving deeper into Orwell's writing for yourself. And if you don't, Big Brother is...

City of the Dead (2011) & The Bohemian Highway (2013)

Sara Gran

Imagine a Fleabag with more sass, more drug abuse, and — absent the first person narrative — thankfully hold the oft-distracting antics with the fourth wall. Throw in the perceptive insight of Sherlock and finish with the wistful and mystical notes of a Haruki Murakami novel and you've got Claire DeWitt, our plucky protagonist.

In post-Katrina New Orleans, where we lay our scene, this troubled private detective has been tasked with looking for a local prosecutor who has been missing since the hurricane. Surprisingly engrossing and trenchant, my only quibble with the naked, fast-paced and honest writing of City of the Dead is that the ends of chapters are far too easily signposted, as the tone of the prose changes in a reliable manner, disturbing the unpredictability of the rest of the text.

The second work I include here (The Bohemian Highway) is almost on par with the first, with yet more of Claire's trenchant observations about herself and society (eg. "If you hate yourself enough, you'll start to hate anyone who reminds you of you", etc.). However, it was quite the disappointment to read the third in this series (The Infinite Blacktop (2018)), which had almost all the aforementioned ingredients but somehow fell far, far short of the target. Anyway, if someone has not optioned the rights for an eight-part television series of the first two novels, I would be willing to go at least, say, 90:10 in with you.

Never Split the Difference (2016)

Chris Voss

I was introduced to Chris Voss earlier in the year via an episode of The Tim Ferriss Show (and if that wasn't enough of an eyebrow-raising introduction, he was just on an episode of Lance Armstrong's own podcast...) but regardless of its Marmite-esque route into my world I could not help but be taken hostage by this former FBI negotiator's approach to Negotiating as if Your Life Depended On It, as its subtitle hyperbolically claims.

My initial interest in picking up this how-to-negotiate volume lay much deeper than its prima facie goal of improving my woefully-lacking skills, as I was instead intellectually curious about the socio-anthropology and wanted to learn more about various facets of human connections and communication in general. However, the book mixes its "pop psych" with remarkably simple and highly practical tips for all levels of negotiations. Many of these arresting ideas, at least in the Voss school, are highly counter-intuitive, yet he argues for them all persuasively, generally preferring well-reasoned argument over relying on the langue de bois of the "amygdala" and other such concepts borrowed superficially from contemporary psychology that will likely be rendered the phrenology of the early 21st century anyway.

Whilst the book's folksy tone and exhale-inducing approach to pedagogy will put many off (I thought I left academia and its "worksheets" a long time ago…) it certainly passes the primary test of any book of negotiation: it convinced me.

The Way Inn (2014) & Plume (2019)

Will Wiles

I really enjoyed this author's take on modern British culture, but I am unsure if I could really communicate exactly why. However, I am certain that I couldn't explain what his position really is beyond using misleading terms such as "surreal" or "existential", because despite these labels implying an inchoate and nebulous work I also found it simultaneously sharp and cuttingly incisive.

Outlining the satirical and absurd plot of The Way Inn would do little to communicate the true colour palette of the volume either (our self-absorbed protagonist attends corporate conferences on the topic, of course, of conferences themselves), but in both of these books Wiles ruthlessly avoids all of the tired takedowns of contemporary culture, somehow finding new ways to critique our superficial and ersatz times.

The second of Wiles' that I read this year, Plume, was much darker and even sinister in feel but remains peppered with enough microscopic observations on quotidian life ("the cloying chemical reek of off-brand energy drinks is a familiar part of the rush-hour bouquet"...) that somehow made it more, and not less, harrowing in tone. You probably need to have lived in the UK to get the most out of this, but I would certainly recommend it.

Chasing the Scream (2015)

Johann Hari

It is commonplace enough to find RT ≠ endorsement in a Twitter biography these days but given that Hari's book documents a Search For The Truth About Addiction I am penning this review with more than a soupçon of trepidation. As in, if it would be premature to assume that if someone has chosen to read something then they are implicitly agreeing with its contents it would also be a similar error to infer that reader is looking for the same answers. This is all to say that I am not outing myself as an addict here, but then again, this is precisely what an addict would say...

All throat clearing aside, I got much from reading Johann Hari's book which, I think, deliberately does not attempt to break new ground in any of the large areas it surveys and prefers to offer a holistic view of the war on drug [prohibition] through a series of long vignettes and stories about others, seen through the lens of Hari himself on his own personal journey.

Well-written and without longueur, Hari is careful not to step too close to the third rail of the medication–mediation debate as the most effective form of treatment. This leads to some equivocation at points, but Hari's narrative-based approach generally lands as being more honest than many similar contemporary works that cede no part of the complex terrain to anything but their preferred panacea, all deliciously ironic given his resignation from the Independent newspaper in 2011. Thus acting as a check against the self-assured tones of How to Change Your Mind (2018) and similar, Chasing the Scream can be highly recommended quite generally, but especially for readers in this topic area.

The Sellout (2016)

Paul Beatty

"I couldn't put it down…" is the go-to cliché for literature, so I found it amusing to catch myself in quite literally this state at times. Winner of the 2016 Man Booker Prize, the first third of this was perhaps the most engrossing and compulsive reading experience I've had since I started "seriously" reading.

This book opens in medias res within the Supreme Court of the United States where the narrator lights a spliff under the table. As the book unfolds, it is revealed that this very presence was humbly requested by the Court due to his attempt to reinstate black slavery and segregation in his local Los Angeles neighbourhood. Saying that, outlining the plot would be misleading here as it is far more the ad-hoc references, allusions and social commentary that hang from this that make this such an engrossing work.

The trenchant, deep and unreserved satire might perhaps be merely enough for an interesting book, but where it got really fascinating to me (in a rather inside-baseball manner) is how the latter pages of the book somehow don't live up to the first 100. That appears like a straight-up criticism, but this flaw is actually part of this book's appeal to me — what actually changed in these latter parts? It's not overuse of the idiom or style, and neither is it that it strays too far from the original tone or direction, but I cannot put my finger on why, which has meant the book sticks to this day in my mind. I can almost, just almost, imagine a devilish author such as Paul deliberately crippling one's output for such an effect…

Now, one cannot unreservedly recommend this book. The subject matter itself, compounded by being dealt with in such a flippant manner, will be impenetrable to many and deeply offensive to others, but if you can see your way past that then you'll be sure to get something—whatever that may be—from this work.

Diary of a Somebody (2019)

Brian Bilston

The nom de plume of the "unofficial poet laureate of Twitter", Brian Bilston is an insufferable and ineffectual loser who decides to write a poem every day for a year. A cross between the cringeworthiness of Alan Partridge and the wit and wordplay of Spike Milligan, the eponymous protagonist documents his life after being "decruited" from his job.

Halfway through this book I came to the realisation that I was technically reading a book of poetry for fun, but far from being Yeats, Auden or The Iliad, "Brian" tends to pen verse along the lines of:

No, it's not Tennyson and "plot" ties itself up a little too neatly at the end, but I smiled out loud too many times whilst reading this book to not include it here.

Stories of Your Life and Others (2014) & Exhalation (2019)

Ted Chiang

This compilation has been enjoying a renaissance in recent years due to the success of the film Arrival (2016), which is based on the fourth and titular entry in this amazing collection. Don't infer too much from that, however, as whilst this is prima facie just another set of sci-fi tales, it is science fiction in the way that Children of Men is, rather than Babylon 5.

A well-balanced mixture of worlds are evoked throughout with a combination of tales that variously mix the Aristotelian concepts of spectacle (opsis), themes (dianoia), character (ethos) and dialogue (lexis), perhaps best expressed practically in that some stories were extremely striking at the time — one even leading me to rebuff an advance at a bar — and a number were not as remarkable at the time yet continue to occupy my idle thoughts.

The opening tale, which reworks the Tower of Babel into a construction project, probably remains my overall favourite, but the Dark Materials-esque world summoned in Seventy-Two Letters continues to haunt my mind and the lips of anyone else who has happened to come across it, perhaps becoming the quite-literal story of my life for a brief period. Indeed it could be said that, gifted as a paperback, whilst the whole collection followed me around across a number of locales, it continues to follow me — figuratively speaking, that is — to this day.

Highly recommended to all readers but for those who enjoy discussing books with others it would more than repay any investment.

Operation Mincemeat (2010)

Ben MacIntyre

In retrospect it is almost obvious that the true story of a fictitious corpse whose invented love letters, theatre life and other miscellania stuffed into the pockets of a calculatingly creased Captain's uniform would make such a captivating tale. Apparently drowned and planted into the sea off Huelva in 1943, this particular horse was not exactly from Troy but was rather a Welsh vagrant called Glyndwr who washed up — or is that washed out? — on the Andalusian shoreline along with information on a feigned invasion of Sicily in an attempt to deceive the Wehrmacht. However, to reduce the book to this would be to grossly misprice Ben MacIntyre's ability to not get in the way of telling the story, as well as the larger picture about the bizarre men who concocted the scheme and the bizarre world they lived in.

In such a Bond-like plot where even Ian Fleming (himself a genuine British naval officer) makes an appearance, it seems prudent to regularly recall yet again that truth can be stranger than fiction, but the book does fall foul of the usual sin of single-issue WW2 books in overestimating the importance of its subject in the larger context of the conflict. (Indeed, as a diversionary challenge to the reader of this review, I solicit suggestions for any invention, breakthrough or meeting that has not been identified as "changing the course of World War II". Victor Davis Hanson rather handsomely argues in his 2017 The Second World Wars that it is best approached as multiple wars, anyway…)

Likely to be enjoyed by those not typically accustomed to reading non-fiction history, this is a genuinely riveting account nonetheless and well worth the reading.

Planet Debian: Jonathan McDowell: Free Software Activities for 2019

As a reader of Planet Debian I see a bunch of updates at the start of each month about what people are up to in terms of their Free Software activities. I’m not generally active enough in the Free Software world to justify a monthly report, and this year in particular I’ve had a bunch of other life stuff going on, but I figured it might be interesting to produce a list of stuff I did over the course of 2019. I’m pleased to note it’s longer than I expected.


I’m not a big conference attendee; I’ve never worked somewhere that paid travel/accommodation for Free Software conferences so I end up covering these costs myself. That generally means I go to local things and DebConf. This year was no exception to that; I attended BelFOSS, an annual free software conference held in Belfast, as well as DebConf19 in Curitiba, Brazil. (FOSDEM was at an inconvenient time this year for me, or I’d have made it to that as well.)


Most of my contributions to Free software happen within Debian.

As part of the Data Protection Team I responded to various minor requests for advice from within the project.

The Debian Keyring was possibly my largest single point of contribution. We’re in a roughly 3 month rotation of who handles the keyring updates, and I handled 2019.03.24, 2019.06.25, 2019.08.23, 2019.09.24 + 2019.12.23.

For Debian New Members I handled a single applicant, Marcio de Souza Oliveira, as an application manager. I had various minor conversations throughout the year as part of front desk.

I managed to get binutils-xtensa-lx106 + gcc-xtensa-lx106 packages (1 + 1) for cross building ESP8266 firmware uploaded in time for the buster release, as well as several updates throughout the year (2, 3 + 2, 3, 4). There was a hitch over some disagreements on the package naming, but it conforms with the generally accepted terms used for this toolchain.

Last year I ended up fixing an RC bug in ghdl, so this year having been the last person to touch the package I did a couple of minor uploads (0.35+git20181129+dfsg-3, 0.35+git20181129+dfsg-4). I’m no longer writing any VHDL as part of my job so my direct interest in this package is limited, but I’ll continue to try and fix the easy things when I have time.

Although I requested the package I originally uploaded it for, l2tpns, to be removed from Debian (#929610) I still vaguely maintain libcli, which saw a couple of upstream driven uploads (1.10.0-1, 1.10.2-1).

OpenOCD is coming up to 3 years since its last stable release, but I did a couple (0.10.0-5, 0.10.0-6) of minor uploads this year. I’ve promised various people I’ll do a snapshot upload and I’ll try to get that into experimental at some point. libjaylink, a dependency, also saw a couple of minor uploads (0.1.0-2, 0.1.0-3).

I pushed an updated version of libtorrent into experimental (0.13.8-1), as a pre-requisite for getting rtorrent updated. Once that had passed through NEW I uploaded 0.13.8-2 and then rtorrent 0.9.8-1.

The sigrok project produced a number of updates, sigrok-firmware-fx2lafw 0.1.7-1, libsigrok 0.5.2-1 + libsigrokdecode 0.5.3-1.

sdcc was the only package I did sponsored uploads of this year - (3.8.0+dfsg-2, 3.8.0+dfsg-3). I don’t have time to take over maintainership of this package fully, but sigrok-firmware-fx2lafw depends on it to build so I upload for Gudjon and try to help him out a bit.

Personal projects

In terms of personal projects I finally pushed my ESP8266 Clock to the outside world (and wrote it up). I started learning Go and as part of that wrote gomijia, a tool to passively listen for Bluetooth LE broadcasts from Xiaomi Mijia devices and transmit them over MQTT. I continued to work on onak, my OpenPGP key server, adding support for the experimental v5 key format, dkg’s abuse resistant keystore proposal and finally merged in support for signature verification. It’s due a release, but the documentation really needs improving before I’d be happy to do that.


Back when picolibc was newlib-nano I had a conversation with Keith Packard about getting the ESP8266 newlib port (largely by Max Filippov based on the Tensilica work) included. Much time has passed since then, but I finally got time to port this over and test it this month. I’m hopeful the picolibc-xtensa-lx106-elf package will appear in Debian at some point in the next few months.


As part of my work at Titan IC I did some work on Snort3, largely on improving its support for hardware offload accelerators (ignore the fact my listed commits were all last year, Cisco generally do a bunch of squashed updates to the tree so the original author doesn’t always show).

Software in the Public Interest

While I haven’t sat on the board of SPI since 2015 I’m still the primary maintainer of the membership website (with Martin Michlmayr as the other active contributor). The main work carried out this year was fixing up some issues seen with the upgrade from Stretch to Buster.


I talked about my home automation, including my use of Home Assistant, at NIDC 2019, and again at DebConf with more emphasis on the various aspects of Debian that I’ve used throughout the process. I had a couple of other sessions at DebConf with the Data Protection and Keyring teams. I did a brief introduction to Reproducible Builds for BLUG in October.


I had a one liner accepted to systemd to make my laptop keyboard work out of the box. I fixed up Xilinx XRT to be able to build .debs for Debian (rather than just Ubuntu), have C friendly header files and clean up some GCC 8.3 warnings. I submitted a fix to Home Assistant to accept 202 as a successful REST notification response. And I had a conversation on IRC which resulted in a tmux patch to force detach (literally I asked how to do this thing and I think Colin had whipped up a patch before the conversation was even over).

Planet DebianChris Lamb: Free software activities in December 2019

Software Freedom Conservancy (the fiscal sponsor for the Reproducible Builds project) have announced their fundraising season with a huge pledge to match donations from a number of illustrious individuals. If you have ever considered joining as a supporter, now would be the time to do so.

Whilst it was a busy month away from the keyboard for me, here is my update covering what I have been doing in the free software world during December 2019 (previous month):

  • Attended the fifth Reproducible Builds summit meeting in Marrakesh, Morocco.

  • As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest (SPI) I attended and prepared for their respective monthly meetings, participated in various licensing and other free software related topics occurring on the internet, as well as the usual internal discussions regarding logistics, policy, etc.

  • Opened a pull request against the Chart.js JavaScript charting library to make the build reproducible. [...]

  • Updated my django-slack library that provides a convenient library between projects using the Django and the Slack chat platform to drop Python 2.7 support prior to its upcoming deprecation [...] and add support for Python 3.8 [...] [...].

  • Made some changes to my tickle-me-email library which implements Getting Things Done-like behaviours in IMAP inboxes including fixing an issue where we could add a duplicate empty Subject header that would result in emails being rejected as invalid by mail servers. [...]

  • Opened a pull request to make the build reproducible in infernal, a tool for analysing RNA molecule data. [...]

  • Even more hacking on the Lintian static analysis tool for Debian packages including a considerable amount of issue and merge request triage, as well as:

    • Bug fixes:

      • Don't attempt to check manual section if we don't know the section number in order to silence Perl warnings on the command line. (#946471)

    • Reporting:

      • Add missing tag summary checks to debian/changelog and fix our generate-tag-summary script to match our newer style of changelog entry placeholder. [...]
      • Update the long description of debian-rules-not-executable tag to not imply that precisely 0755 permissions are required. [...]

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

I made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:

  • Always pass a filename with a .zip extension to zipnote otherwise it will return with a UNIX exit code of 9 and we fall back to displaying a binary difference for the entire file. [...]
  • Include the libarchive file listing for ISO images to ensure that timestamps -- and not just dates -- are visible in any difference. (#81)
  • Ensure that our autopkgtests are run with our pyproject.toml present for the correct black source code formatter settings. (#945993)
  • Rename the text_option_with_stdiout test to text_option_with_stdout [...] and tidy some unnecessary boolean logic in the ISO9660 tests [...].

I also:


Debian LTS

This month I have worked 16½ hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

You can find out more about the project via the following video:


  • For the Tails privacy-oriented operating system, I uploaded obfs4proxy (0.0.8-1)

FTP Team

As a Debian FTP assistant I ACCEPTed eight packages: fluidsynth, golang-github-bmatcuk-doublestar, golang-github-pearkes-cloudflare, librandomx, meep, meep-mpi-default, meep-openmpi & node-webassemblyjs. I additionally filed two RC bugs for potentially-incomplete debian/copyright files against fluidsynth & meep.

Planet DebianJunichi Uekawa: Reminding myself on how to install nodejs binaries.

Reminding myself on how to install nodejs binaries. Found the nodesource docs. I almost forgot I was using an aarch64 device until I tried installing binaries. It's nice they have aarch64 binaries too.

Worse Than FailureBest of…: Best of 2019: The Internship of Things

Did you get some nice shiny new IoT devices for the holidays this year? Hope they weren't the Initech brand. Original --Remy

Mindy was pretty excited to start her internship with Initech's Internet-of-Things division. She'd been hearing at every job fair how IoT was still going to be blowing up in a few years, and how important it would be for her career to have some background in it.

It was a pretty standard internship. Mindy went to meetings, shadowed developers, did some light-but-heavily-supervised changes to the website for controlling your thermostat/camera/refrigerator all in one device.

As part of testing, Mindy created a customer account on the QA environment for the site. She chucked a junk password at it, only to get a message: "Your password must be at least 8 characters long, contain at least three digits, not in sequence, four symbols, at least one space, and end with a letter, and not be more than 10 characters."

"Um, that's quite the password rule," Mindy said to her mentor, Bob.

"Well, you know how it is, most people use one password for every site, and we don't want them to do that here. That way, when our database leaks again, it minimizes the harm."

"Right, but it's not like you're storing the passwords anyway, right?" Mindy said. She knew that even leaked hashes could be dangerous, but good salting/hashing would go a long way.

"Of course we are," Bob said. "We're selling web connected thermostats to what can be charitably called 'twelve-o-clock flashers'. You know what those are, right? Every clock in their house is flashing twelve?" Bob sneered. "They can't figure out the site, so we often have to log into their account to fix the things they break."

A few days later, Initech was ready to push a firmware update to all of the Model Q baby monitor cameras. Mindy was invited to watch the process so she could understand their workflow. It started off pretty reasonable: their CI/CD system had a verified build, signed off, ready to deploy.

"So, we've got a deployment farm running in the cloud," Bob explained. "There are thousands of these devices, right? So we start by putting the binary up in an S3 bucket." Bob typed a few commands to upload the binary. "What's really important for our process is that it follows this naming convention. Because the next thing we're going to do is spin up a half dozen EC2 instances- virtual servers in the cloud."

A few more commands later, and then Bob had six sessions open to cloud servers in tmux. "Now, these servers are 'clean instances', so the very first thing I have to do is upload our SSH keys." Bob ran an ssh-copy-id command to copy the SSH key from his computer up to the six cloud VMs.

"Wait, you're using your personal SSH keys?"

"No, that'd be crazy!" Bob said. "There's one global key for every one of our Model Q cameras. We've all got a copy of it on our laptops."

"All… the developers?"

"Everybody on the team," Bob said. "Developers to management."

"On their laptops?"

"Well, we were worried about storing something so sensitive on the network."

Bob continued the process, which involved launching a script that would query a webservice to see which Model Q cameras were online, then sshing into them, having them curl down the latest firmware, and then self-update. "For the first few days, we leave all six VMs running, but once most of them have gotten the update, we'll just leave one cloud service running," Bob explained. "Helps us manage costs."

It's safe to say Mindy learned a lot during her internship. Mostly, she learned, "don't buy anything from Initech."


Planet DebianRuss Allbery: Review: Dreyer's English

Review: Dreyer's English, by Benjamin Dreyer

Publisher: Random House
Copyright: 2019
ISBN: 0-8129-9571-6
Format: Kindle
Pages: 278

Benjamin Dreyer is vice president, executive managing editor, and copy chief of Random House. Or, as he puts it:

I am a copy editor. After a piece of writing has been, likely through numerous drafts, developed and revised by the writer and by the person I tend to call the editor editor and deemed essentially finished and complete, my job is to lay my hands on that piece of writing and make it...better. Cleaner. Clearer. More efficient. Not to rewrite it, not to bully and flatten it into some notion of Correct Prose, whatever that might be, but to burnish and polish it and make it the best possible version of itself that it can be — to make it read even more like itself than it did when I got to work on it. That is, if I've done my job correctly.

Dreyer's English is a book of writing advice, pet peeves, observations, spelling corrections, and word usage geekery from someone who has spent nearly thirty years copy editing books. More than half of the book is lists of things with commentary: words that can be deleted, words that are frequently confused for each other, notes on proper nouns, and much more. The rest of it is grammatical disputes, positions on punctuation, and fascinating commentary on people's reactions to copy editing.

The preferred U.K. spelling of the color that describes ashes and the eyes of the goddess Athena is "grey." The preferred American spelling is "gray," but try telling that to the writers who will go ballistic if, in copyediting, you attempt to impose that spelling. In all my years of correcting other people's spelling, I don't think I've ever come up against more pushback than on this point. My long-held theory — make of it what you will — is that the spelling "grey" imprints itself on some people who encounter it in beloved classic children's books, and they form an emotional attachment to it.

Or, I don't know, they're just stubborn.

Speaking as an American "grey" person, I feel seen.

This is the sort of book whose audience will self-select. If you read the description above and thought "wow, that sounds boring, why would someone read a reference book like that cover to cover?" then this is not the book for you. If you thought "that sounds awesome, tell me more!" then you've probably heard of this book already (it's made the rounds), and this review is somewhat redundant. But in case you haven't, I can assure you that it is indeed awesome, and you should read it.

True confession time. I thoroughly enjoyed reading Strunk & White, the writing book that everyone is now supposed to hate. Let me reassure you that I am not one of those people who tries to get everyone to read it or who treats it as the canonical text on how to write in English, thus contributing to the backlash. I rarely think of it when writing. I loved it because it was fun to read, because it was opinionated and snarky and was full of entertaining (if occasionally unfair) examples, and because it advocated for a particular style of prose in a memorable and approachable way.

I'm doing Benjamin Dreyer no favors by comparing his book to this bogeyman of prescriptivism, but I enjoyed Dreyer's English for a similar reason. Dreyer's writing is not dry and does not read like a reference manual, despite the lists. It's full of side observations and personal stories, is tempered by the conversations a copy editor has with authors, and is absurdly quotable. You'll notice that I'm failing to resist littering this review with excerpts.

Also, if you haven't been dead for four hundred years and are planning on using the word "methinks" in the spirit of roguish cleverness, please don't.

For those reading it as an ebook, it also puts the (delightful) footnotes at the end of each chapter. A minor point, but greatly appreciated.

I don't primarily read books like this to improve my own writing. If I did, I should probably have paused on page one to implement Dreyer's first advice, which is so on-point that it stings:

Here's your first challenge:

Go a week without writing

  • very
  • rather
  • really
  • quite
  • in fact

Rather (*cough*), I read books like this primarily for entertainment, secondarily out of intellectual curiosity about the opinions of someone who has read a lot of prose and is professionally obligated to make judgments about it, and tertiarily because I adore language trivia. Dreyer delivers on all three points. If you are looking for advice to help improve your writing, I suspect he delivers on that point as well, but the entertainment value alone was worth it to me. The insight into the role of copy editor, the markup and on-page conversations with authors, and some of the less-obvious motives of the work are a delightful bonus.

An admission: Quite a lot of what I do as a copy editor is to help writers avoid being carped at, fairly or — and this is the part that hurts — unfairly, by People Who Think They Know Better and Write Aggrieved Emails to Publishing Houses.

Come for the demolition of non-rules of grammar that you were taught in school but should ignore completely, stay for the fascinating discussion of the "only" comma, and be rewarded with knowing that even the copy chief of one of the largest publishing houses on earth cannot spell Mississippi without singing the song.

If you are the sort of person who likes this kind of thing, you owe it to yourself to read this book.

Rating: 9 out of 10


Planet DebianIan Jackson: subdirmk 0.3 - ergonomic preprocessing assistant for non-recursive make

I have released subdirmk 0.3.


Peter Miller's 1997 essay Recursive Make Considered Harmful persuasively argues that it is better to arrange to have a single make invocation with the project's complete dependency tree, rather than the currently conventional $(MAKE) -C subdirectory approach.

However, I have found that actually writing a project's build system in a non-recursive style is not very ergonomic. So with some help and prompting from Mark Wooding, I have made a tool to help.

What's new

I have overhauled and regularised some of the substitution syntaxes. The filenames have changed. And there is a new $-doubling macro help facility.


It's still 0.x. I'm still open to comments about details of syntax and naming. Please make them here on this blog, or by posting to sgo-software-discuss.

But it's looking quite good I think and I intend to call it 1.0 RSN.

Further reading

See the README.

edited 2019-12-30 16:39 Z to fix some formatting issues with Dreamwidth's HTML "sanitiser"


CryptogramHacking School Surveillance Systems

Lance Vick suggesting that students hack their schools' surveillance systems.

"This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine," he said.

Of course, there are a lot more laws in place against this sort of thing than there were in -- say -- the 1980s, but it's still worth thinking about.

Worse Than FailureBest of…: Best Of 2019: The Hardware Virus

We continue our holiday break by looking back at the true gift that kept on giving, the whole year round. Original. --Remy


Jen was a few weeks into her new helpdesk job. Unlike past jobs, she started getting her own support tickets quickly—but a more veteran employee, Stanley, had been tasked with showing her the ropes. He also got notification of Jen's tickets, and they worked on them together. A new ticket had just come in, asking for someone to replace the DVI cable that'd gone missing from Conference Room 3. Such cables were the means by which coworkers connected their laptops to projectors for presentations.

Easy enough. Jen left her cube to head for the hardware "closet"—really, more of a room crammed full of cables, peripherals, and computer parts. On a dusty shelf in a remote corner, she spotted what she was looking for. The coiled cable was a bit grimy with age, but looked serviceable. She picked it up and headed to Stanley's cube, leaning against the threshold when she got there.

"That ticket that just came in? I found the cable they want. I'll go walk it down." Jen held it up and waggled it.

Stanley was seated, facing away from her at first. He swiveled to face her, eyed the cable, then went pale. "Where did you find that?"

"In the closet. What, is it—?"

"I thought they'd been purged." Stanley beckoned her forward. "Get in here!"

Jen inched deeper into the cube. As soon as he could reach it, Stanley snatched the cable out of her hand, threw it into the trash can sitting on the floor beside him, and dumped out his full mug of coffee on it for good measure.

"What the hell are you doing?" Jen blurted.

Stanley looked up at her desperately. "Have you used it already?"

"Uh, no?"

"Thank the gods!" He collapsed back in his swivel chair with relief, then feebly kicked at the trash can. The contents sloshed around inside, but the bin remained upright.

"What's this about?" Jen demanded. "What's wrong with the cable?"

Under the harsh office lighting, Stanley seemed to have aged thirty years. He motioned for Jen to take the empty chair across from his. Once she'd sat down, he continued nervously and quietly. "I don't know if you'll believe me. The powers-that-be would be angry if word were to spread. But, you've seen it. You very nearly fell victim to it. I must relate the tale, no matter how vile."

Jen frowned. "Of what?"

Stanley hesitated. "I need more coffee."

He picked up his mug and walked out, literally leaving Jen at the edge of her seat. She managed to sit back, but her mind was restless, wondering just what had her mentor so upset.

Eventually, Stanley returned with a fresh mug of coffee. Once he'd returned to his chair, he placed the mug on his desk and seemed to forget all about it. With clear reluctance, he focused on Jen. "I don't know where to start. The beginning, I suppose. It fell upon us from out of nowhere. Some say it's the spawn of a Sales meeting; others blame a code review gone horribly wrong. In the end, it matters little. It came alive and spread like fire, leaving destruction and chaos in its wake."

Jen's heart thumped with apprehension. "What? What came alive?"

Stanley's voice dropped to a whisper. "The hardware virus."

"Hardware virus?" Jen repeated, eyes wide.

Stanley glared. "You're going to tell me there's no such thing, but I tell you, I've seen it! The DVI cables ..."

He trailed off helplessly, reclining in his chair. When he straightened and resumed, his demeanor was calmer, but weary.

"At some godforsaken point in space and time, a single pin on one of our DVI cables was irrevocably bent. This was the source of the contagion," he explained. "Whenever the cable was plugged into a laptop, it cracked the plastic composing the laptop's DVI port, contorting it in a way that resisted all mortal attempt at repair. Any time another DVI cable was plugged into that laptop, its pin was bent in just the same way as with the original cable.

"That was how it spread. Cable infected laptop, laptop infected cable, all with vicious speed. There was no hope for the infected. We ... we were forced to round up and replace every single victim. I was knee-deep in the carnage, Jen. I see it in my nightmares. The waste, the despair, the endless reimaging!"

Stanley buried his head in his hands. It was a while before he raised his haunted gaze again. "I don't know how long it took, but it ran its course; the support tickets stopped coming in. Our superiors consider the matter resolved ... but I've never been able to let my guard down." He glanced warily at the trash can, then made eye contact with Jen. "Take no chances with any DVI cables you find within this building. Buy your own, and keep them with you at all times. If you see any more of those—" he pointed an accusing finger at the bin "—don't go near them, don't try taking a paperclip to them. There's everything to lose, and nothing to gain. Do you understand?"

Unable to manage words, Jen nodded instead.

"Good." The haunted expression vanished in favor of grim determination. Stanley stood, then rummaged through a desk drawer loaded with office supplies. He handed Jen a pair of scissors, and armed himself with a brassy letter opener.

"Our job now is to track down the missing cable that resulted in your support ticket," he continued. "If we're lucky, someone's absent-mindedly walked off with it. If we're not, we may find that this is step one in the virus' plan to re-invade. Off we go!"

Jen's mind reeled, but she sprang to her feet and followed Stanley out of the cubicle, telling herself to be ready for anything.


Planet DebianRuss Allbery: Review: To Be Taught, If Fortunate

Review: To Be Taught, If Fortunate, by Becky Chambers

Publisher: Harper Voyager
Copyright: September 2019
ISBN: 0-06-293602-6
Format: Kindle
Pages: 153

Ariadne is the flight engineer aboard the Merian. She and her three crewmates were sent from Earth on a fifty-year mission (most of it spent in medical hibernation for transit) to do a survey of four exoplanets in one system. To Be Taught, If Fortunate is the narrative accompanying that mission report, and a question sent back to whoever receives it.

This is a novella that is probably set in the same universe as the Wayfarers books (which start with A Long Way to a Small Angry Planet), but that connection is not explicit in the story. You can read it in isolation and not miss anything.

I was born in Cascadia on July 13, 2081. On that day, it had been fifty-five years, eight months, and nine days since a human being had been in space. I was the two-hundred-and-fourth person to go back, and part of the sixth extrasolar crew. I'm writing to you in the hope that we will not be the last.

This is the fourth Becky Chambers story I've reviewed and I've seen some common patterns of reaction, so let me start by setting expectations.

If what you want out of a science fiction novella is hard scientific accuracy, this is not what you're looking for and you're probably going to frustrate yourself. Chambers notes in the acknowledgments that she tried to get the science as close as the story would allow, and there isn't anything quite as egregious as powering a ship via algae grown on the ship (or the kinetic energy of crew footsteps), but I still had several moments of "hm, I don't think it works that way." Those who are pickier than I am are likely to once again run into suspension of disbelief problems.

What Chambers does do, for me at least, is tug directly on the heartstrings. This was a challenge for this novella since To Be Taught, If Fortunate is, among other things, an impassioned defense of human space exploration, something about which I'm notoriously skeptical. With the help of a bit of magical genetic editing during medical hibernation to get past the most obvious objections, she managed to convince me anyway. Chambers does this primarily by showing the reactions of scientists physically present on another planet, doing and getting excited about science, struggling through setbacks, and attempting to navigate surprises and horrors while thinking very hard about ethics and responsibility. It's a slow burn, and I suspect some people will find it boring, but for me it was startlingly effective.

One good choice Chambers makes is that Ariadne is the lone non-scientist in the crew. She's the engineer, the person who fixes and operates things and gets the ship to work. That lets the descriptions of exploratory science on each of the four worlds be outsider perspectives that match the author's perspective (and that of most readers). Ariadne watches other people do ground-breaking science and get excited for and with them, which I found charming and delightful to read about.

Most of this novella is narrative observation of initial planetary exploration, focused mostly although not entirely on biology. It can be a bit disorienting at first, since the drama level is tuned closer to real exploration than the typical story. The four crew members are also refreshingly low on interpersonal drama — perhaps unrealistically so, given the requirement to spend years together in close quarters, but one of the things I like about Chambers is her willingness to write about good people and believe that they can remain good people through difficult moments. The plot inflection points, when they come, have a similar slow burn, giving the reader time to empathize with the characters and get invested in their worries and reactions.

The best moments of this novella for me, though, are where Ariadne describes the space program that gave rise to this mission, the politics of Earth at the time, and the meaning and rituals of that push for renewed space travel. This is beautifully and exceptionally done. It took me a lot of thought after finishing this novella to put my finger on why Ariadne's space program seems so different than ours: It's not grounded in military or naval culture. The prevalence and assumption of hierarchical command structure and rigid discipline is so pervasive in how we think about human missions of exploration that I had a hard time pinpointing what had changed.

I find it interesting to compare this to the later books of Jack McDevitt's Academy series, particularly Cauldron. McDevitt and Chambers are arguing for some similar goals, but McDevitt's argument is the frustrated petulance of the space boosterism wars that go back to the literary fight against William Proxmire in the 1960s and 1970s and is most often rehashed today with some variation of "humans have to get off a single planet to secure a long-term future of the species." Chambers's argument is entirely different. It's less fear-based, more collaborative and consensus-driven, more thoughtful, and makes an argument from wonder instead of expansionism. For me, it's far more persuasive.

I'm going to be thinking about the difference between how Ariadne thinks about her mission and how we normally present space missions for a long time.

I won't give away the ending, but it wasn't at all what I had expected, and I found it surprisingly touching. It's not at all the way that stories like this normally end, but it's quiet and earnest and thoughtful and ethical in a way that's consistent with the rest of the story and with everything else Chambers has written. The more I thought about it, the more I liked it.

Reactions to Chambers vary widely, I think in part because they're primarily stories about human ethics in semi-utopian societies that only use science and technology as a frame. If you weren't one of the people who loved her books, I don't think this novella is likely to be the break-through moment for you. If, like me, you did love her books, particularly Record of a Spaceborn Few (the most similar to this story), I think you'll like this as well. Recommended for those readers.

Rating: 8 out of 10

Krebs on SecurityHappy 10th Birthday, KrebsOnSecurity!

Today marks the 10th anniversary of KrebsOnSecurity! Over the past decade, the site has featured more than 1,800 stories focusing mainly on cybercrime, computer security and user privacy concerns. And what a decade it has been.

Stories here have exposed countless scams, data breaches, cybercrooks and corporate stumbles. In the ten years since its inception, the site has attracted more than 37,000 newsletter subscribers, and nearly 100 million pageviews generated by roughly 40 million unique visitors.

Some of those 40 million visitors left more than 100,000 comments. The community that has sprung up around KrebsOnSecurity has been truly humbling and a joy to watch, and I’m eternally grateful for all your contributions.

One housekeeping note: A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here.

Just a reminder that KrebsOnSecurity does not run third-party ads and has no plans to change that; all of the creatives you see on this site are hosted in-house, are purely image-based, and are vetted first by Yours Truly. Love them or hate ’em, these ads help keep the content at KrebsOnSecurity free to any and all readers. If you’re currently blocking ads here, please consider making an exception for this site.

Last but certainly not least, thank you for your readership. I couldn’t have done this without your encouragement, wisdom, tips and support. Here’s wishing you all a happy, healthy and wealthy 2020, and for another decade of stories to come.


Planet DebianEnrico Zini: Some gender-related links

Men Must Be Needed Because We Can't Be Wanted - The Good Men Project
We believe we have to be the heroes only because we can't yet see other roles for ourselves.
A glass ceiling is a metaphor used to represent an invisible barrier that keeps a given demographic (typically applied to minorities) from rising beyond a certain level in a hierarchy.
The glass cliff is the phenomenon of women in leadership roles, such as executives in the corporate world and female political election candidates, being likelier than men to achieve leadership roles during periods of crisis or downturn, when the chance of failure is highest.
I discovered the men’s rights movement when I was 22, working at a bookstore in downtown Kelowna, British Columbia. I was trying to earn some...

Sam VargheseSmith’s weakness to short-pitched bowling has been exposed

There are two things one can take away from the Australia-New Zealand Test series, even though it is not yet over, and the third and final match remains to be played in Sydney early next year.

One, the rankings system that the International Cricket Conference uses is out of sync with reality; if Australia, ranked fifth, can beat second-ranked New Zealand with so much ease, then whatever decides those rankings sorely needs re-examination.

The second, and probably more interesting, revelation has been the exposure of Steve Smith’s vulnerability to good short-pitched bowling. Smith has been called many things since he started to accumulate runs, and is now often likened to the late Sir Donald Bradman.

But his inability to play short stuff was demonstrated by New Zealander Neil Wagner, the only one of the four New Zealand pacemen (ok, medium-pacers, none of them can be classified fast) who uses the bouncer intelligently. Wagner dismissed Smith in both innings, with a beauty of a snorter at the face accounting for him in the first innings.

In the second innings, again it was a ball that was just above hip level that got Smith; he tried to paddle it around but lost control and was caught backward of square leg.

This method of packing off Smith cannot be used in the shorter forms of the game, as there are strict limits on short-pitched bowling, and anyone who persists will be called for wides, then warned and finally stopped from bowling. The short form of the game is all about making runs and the ICC wants to keep it that way, with the balance favouring batsmen.

And Smith does not have to play against the Australian bowlers; they form the best pace attack globally and he could be troubled by the likes of James Pattinson and Patrick Cummins if he were to face them. The rest of the fast bowling fraternity, to the degree it exists now, would have taken note, however, and one is pretty sure that India’s Jasprit Bumrah will test him when next they meet in a Test.

Australia are not scheduled to play any more Tests until next summer; there are four tours planned but all are only for playing the shorter forms of the game. India are due to visit next summer and hence one will not see Smith tested in this way until then.

That the ICC’s ranking is a mess is hardly news. The organisation does little that can be called sensible and once put in place a system for determining the change in playing conditions in the event of rain. Designed by the late Richie Benaud, it was used in the 1992 World Cup and the level of ridiculousness was shown by the fact that South Africa was, at one stage in the semi-finals, required to make 22 runs off one ball to win. This happened after rain interrupted the game.

Cory DoctorowScience fiction, Canada and the 2020s: my look at the decade ahead for the Globe and Mail

The editors of Canada’s Globe and Mail asked me to reflect on what science fiction can tell us about the 2020s for their end-of-the-decade package; I wrote about how science fiction can’t predict the future, but might inspire it, and how the dystopian malaise of science fiction can be turned into an inspiring tale of “adversity met and overcome – hard work and commitment wrenching a limping victory from the jaws of defeat.”

I describe a scenario for a “Canadian miracle”: “As the vast majority of Canadians come to realize the scale of the crisis, they are finally successful in their demand that their government address it unilaterally, without waiting for other countries to agree.”

Canada goes on a war footing: Full employment is guaranteed to anyone who will work on the energy transition – building wind, tide and solar facilities; power storage systems; electrified transit systems; high-speed rail; and retrofits to existing housing stock for an order-of-magnitude increase in energy and thermal efficiency. All of these are entirely precedented – retrofitting the housing stock is not so different from the job we undertook to purge our homes of lead paint and asbestos, and the cause every bit as urgent.

How will we pay for it? The same way we paid for the Second World War: spending the money into existence (much easier now that we can do so with a keyboard rather than a printing press), then running a massive campaign to sequester all that money in war bonds so it doesn’t cause inflation.

The justification for taking such extreme measures is obvious: a 1000 Year Reich is a horror too ghastly to countenance, but rendering our planet incapable of sustaining human life is even worse.

Science fiction and the unforeseeable future: In the 2020s, let’s imagine better things [Cory Doctorow/Globe and Mail]


Planet DebianRuss Allbery: Review: Super Pumped

Review: Super Pumped, by Mike Isaac

Publisher: W.W. Norton
Copyright: 2019
ISBN: 0-393-65225-4
Format: Kindle
Pages: 350

Mike Isaac is a technology reporter for the New York Times who wrote extensively about Uber, including in 2017 when Susan Fowler's bombshell Medium essay dropped and Travis Kalanick's reign at Uber started to unravel. This is the extended story of the company in book form, from Kalanick's pre-Uber startup experiences until the end of the postscript in May of 2019 following Uber's IPO.

To non-fiction book publishers of the world: Please make the exposé of dysfunctional, exploitative capitalism and its abusive leaders a major genre. I will be there for each book launch with my wallet in hand. Timely essay journalism is probably more effective from a public interest perspective, but there is nothing like a book-length treatment to dig into the power structures that enable companies like Uber to exist and the critical tipping points that may allow them to be dismantled.

Super Pumped opens with Uber's "X to the x" company-wide party in Las Vegas in October of 2015, which included the announcement of Uber's 14 company values. Value number 12, "Super Pumped," provides the title of this book. (The precise meaning of this value isn't clear, although cult-like devotion to the company is part of it.) But the book as a whole is also a biography of Travis Kalanick, Uber's now-ousted CEO and driving force through most of its existence.

Uber was not Kalanick's first startup. That was Scour, a search engine for file-sharing sites somewhat similar to Napster. Kalanick took venture capital for Scour under threat of a lawsuit from the VC and then lost control of the company, which was sold for parts in bankruptcy court after a lawsuit from the RIAA and MPAA. Kalanick then spent six years barely keeping his second startup, Red Swoosh, alive until it could be sold to Akamai for $20 million and a personal profit of $2 million. Both of those experiences left him with a deep distrust of venture capitalists and a determination to keep control of any future company out of the hands of the money people. That sets up one of the themes of Uber's history: a governance structure that gave Kalanick near-total control with very few sanity checks.

If you're not familiar with the Bay Area tech culture or with startup finance, you may not know about the huge fight over control of startups. Historically, it was common for startup founders to give up majority control of their companies to early venture capital funders, and for those funders to then replace the management (and, some would argue, meddle with the company mission) once the company became more mature and was heading for an "exit" (a stock market IPO or acquisition, so-called because those events let early investors sell off their stake and "exit" the company with a profit). Google and Facebook are among the wildly successful companies that broke this mold and retained founder control. Those examples, plus the flood of additional money into tech startups, let more founders or early owners like Kalanick follow suit and refuse to give up a majority stake in the company.

This is an interesting debate because there are good arguments to be made for both models. On one hand, no one likes bankers, who are widely (and not entirely inaccurately) viewed as reluctantly necessary parasites. The process of bringing in professional management at the behest of the VC owners was often very disruptive, came with aggressive layoffs and reorganizations, and in some cases involved dismantling the business for parts or selling it to a competitor rather than continuing to develop a product. The founders usually had a vision for how the company could change the world, or at least its market, and while those visions were often dubious, that sort of mission and focus was often more appealing to the general employees of the company than the VC focus on a lucrative exit.

On the other hand... there's Travis Kalanick.

As Isaac explains, and which I didn't know before reading this book, Kalanick was not the founder of Uber. That's Garrett Camp, who had the initial idea and brought Kalanick on as an advisor. He was happy to mostly step aside early on, however, leaving Kalanick with uncontested control of the company. It's Kalanick who decided on the strategy of aggressive expansion, openly illegal flouting of taxi laws, political hardball, and massive runaway spending to try to break into Asian transportation markets. It's under Kalanick's watch that Uber built systems to hide their activity from police and government regulators. And Kalanick oversaw the culture of pervasive sexual harassment that led to a massive internal investigation and his eventual ouster.

One interesting thread of this book is an argument in favor of banker control, at least as the least-bad option if the alternative is someone like Kalanick. Investors may not be interested in making the world a better place, but they are interested in preserving their investment and not making negative front-page headlines, which means they're less likely to openly break laws, more likely to hire adult supervision, and more likely to make boring and conventional business decisions. It's quite the unappealing choice, though. One comes away from Super Pumped dubious that either Kalanick or his investors have any business being in charge of anything that affects other people's lives.

I obviously came to this book with my own biases and prejudices, and was not expecting to like Kalanick, but it's even worse than I expected. The moment that put my shoulders up around my ears came after Kalanick was recorded screaming at an Uber driver about company policies. When Kalanick was shown that video, Isaac describes him (via, to be clear, second-hand accounts; Isaac was not there) spending the rest of the night literally writhing on the floor, repeating how terrible of a person he is and asking what was wrong with him.

This is, to be explicit, not typically the behavior of someone who is genuinely apologetic about something they've done. This sort of over-the-top, theatrical apology and elaborate groveling is more typical of abusive people after they've been caught. It re-centers the moment away from the person who was abused and back on the abuser, making everything about their pain and their anguish. There are a lot of places in this book where Isaac is willing to ascribe Kalanick's actions to a deep-seated belief in the corruption of the taxi industry, determination to retain control of his company, or aspirations to transform transportation. This moment was when I decided that Isaac, despite his skeptical treatment, was being far too kind, and Kalanick is scary and dangerous. There's further reinforcement of this pattern later in the book when Kalanick attempts to write a message to the company after the Holder report on Uber's culture of sexual harassment was complete, and some very troubling glimmers of it in the small amount that Isaac reports about Kalanick's relationship with his former girlfriend.

Super Pumped is a detailed, mostly-chronological story of the rise of Uber under Kalanick, its growing financial struggles in Asia, its arrogance and political aggressiveness, and then the revelation and aftermath of multiple classes of illegal behavior. It closes with the last fight over control of Uber, one that Kalanick finally lost, and the naming of Khosrowshahi as the new CEO. The detail and clarity are the strengths of this book; the weakness is that Isaac is much more interested in pure reportage than analysis. Super Pumped is a chronological account of events and not much more; Isaac is focused on the process of reporting and the way stories broke rather than on broader implications for society as a whole.

That's forgivable, of course. Not every long-form journalist is (or should be) Michael Lewis. But for me that made Super Pumped good, not great, and not rising to the level of the best books of this type (The Smartest Guys in the Room and Bad Blood). Admittedly, as much of a disaster as Uber was (and arguably is), it's rather hard to compete with the sheer madness of Theranos.

The lack of more contextualization and broader analysis was one disappointment in this book. Another was Isaac's unwillingness to talk more directly about the red flags around Kalanick's behavior, instead deciding to report the facts as he knows them and let the reader draw their own conclusions. (I realize that my desire for the author to engage more directly in the topic is a personal preference that won't be shared by all readers.) A third isn't Isaac's fault: Neither Uber's story nor Kalanick's are over, so while Super Pumped reaches an adequate conclusion after Uber's IPO, I would have liked to read analysis of Kalanick's subsequent sale of all of his Uber stock and his new startup venture. We'll have to wait for that. (I would also love someone to ask him why, after walking away with several billion dollars, he's choosing to found another company, but I doubt I'd get a satisfactory answer.)

But, those disappointments aside, Super Pumped was compulsively readable and filled in numerous details that I'd not previously known. If you like this style of long-form journalism on disasters of capitalism, this is worth your attention.

Someday there is going to be a book like this about WeWork, and I'm going to read the hell out of that.

Rating: 8 out of 10

Planet DebianFrançois Marier: Encoding your WiFi access point password into a QR code

Up until recently, it was a pain to defend against WPA2 brute-force attacks by using a random 63-character password (the maximum in WPA-Personal mode). Thanks to Android 10 and iOS 11 supporting reading WiFi passwords from a QR code, this is finally a practical defense.

Generating the QR code

After installing the qrencode package, run the following:

qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"

substituting <SSID> for the name of your WiFi network and <PASSWORD> for the 63-character password you hopefully generated with pwgen -s 63.

If your password includes a semicolon, then escape it like this:


since iOS won't support the following (which works fine on Android):


The only other pitfall I ran into is that if you include a trailing newline character (for example piping echo "..." into qrencode as opposed to echo -n "...") then it will fail on both iOS and Android.
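As an added example (not from the original post), the following POSIX shell script builds the WIFI: payload that qrencode encodes, escaping the characters the format treats as special and never appending a trailing newline. The escape set (backslash, semicolon, comma, colon, double quote) follows the ZXing WIFI format and goes beyond the semicolon case the post mentions; gen_password stands in for pwgen -s 63 and all function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Builds the WIFI: payload for
# qrencode, escaping special characters and never emitting a trailing newline
# (the echo vs echo -n pitfall described in the post).

# Escape one field of the payload. The special-character set (backslash,
# semicolon, comma, colon, double quote) is the one the ZXing WIFI format
# specifies; the post itself only mentions the semicolon, which iOS needs
# backslash-escaped rather than quoted. Backslash is escaped first in spirit:
# each character is handled once, so a literal backslash round-trips.
wifi_escape() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character of the remaining string
        s=${s#?}          # drop it
        case $c in
            \\|\;|,|:|\") out="$out\\$c" ;;
            *)            out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# usage: wifi_qr_payload SSID PASSWORD [AUTH]
# AUTH defaults to WPA (the value used for WPA2-Personal); WEP and nopass are
# the other values the format knows. printf, not echo, so no newline is added.
wifi_qr_payload() {
    printf 'WIFI:T:%s;S:%s;P:%s;;' "${3:-WPA}" "$(wifi_escape "$1")" "$(wifi_escape "$2")"
}

# Generate a random alphanumeric password of N characters (default 63, the
# WPA-Personal maximum) from /dev/urandom, in place of the post's pwgen -s 63.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-63}"
}

# usage: make_wifi_qr SSID PASSWORD [OUTFILE]
# Hands the payload to qrencode as an argument, as the post does, so no stray
# newline can reach it. Requires the qrencode package.
make_wifi_qr() {
    qrencode -o "${3:-wifi.png}" "$(wifi_qr_payload "$1" "$2")"
}

# Constructed demo values; the password contains every special character:
#   make_wifi_qr 'Home Net' 'pa;ss:w,o"rd\x'
```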

Scanning the QR code

On iOS, simply open the camera app and scan the QR code to bring up a notification which allows you to connect to the WiFi network:

On Android, go into the WiFi settings and tap on the WiFi network you want to join:

then click the QR icon in the password field and scan the code:

In-browser alternative

If you can't do this locally for some reason, there is also an in-browser QR code generator with source code available.

Rondam RamblingsThe mother of all buyer's remorse

[Part of an ongoing series of exchanges with Jimmy Weiss.] Jimmy Weiss responded to my post on teleology and why I reject Jimmy's wager (not to be confused with Pascal's wager) nearly a month ago.  I apologize to Jimmy and anyone who has been waiting with bated breath for my response (yeah, right) for the long delay.  Somehow, life keeps happening while I'm not paying attention. So, finally, to


Planet DebianRhonda D'Vine: Puberty

I was musing about writing about this publicly. For the first time in all these years of writing pretty personal stuff about my feelings, of becoming more honest with myself and a more authentic person through that, I was thinking about whether letting you in on this is a good idea.

You see, people have used information from my personal blog in the past, and tried to use it against me. Needless to say they failed with it, and it only showed their true face. So why does it feel different this time?

Thing is, I'm in the midst of my second puberty, and the hormones are kicking in in complete hardcore mode. And it doesn't help at all that there is trans antagonist crap from the past and also from the present popping up left and right at a pace and a concentrated amount that is hard to swallow on its own without the puberty.

Yes, I used to be able to take those things with a much more stable state. But every. Single. Of. These. Issues is draining all the energy out of myself. And even though I'm aware that I'm not the only one trying to fix all of those, even though for some spots I'm the only one doing the work, it's easier said than done that I don't have to fix the world, when the areas involved mean the world to me. Are areas that support me in so many ways. Are places that I need. And on top of that, the hormones are multiplying the energy drain of those.

So ... I know it's not that common. I know you are not used to a grown-up person going through puberty. But for god's sake, don't make it harder than it has to be. I know it's hard to deal with a 46-year-old teenager, so to say; I'm just trying to survive in this world of systematic oppression of trans people.

It would be nice to go for a week without having to cry your eyes out because another hostile event happened that directly affects your existence. The existence of trans lives isn't a matter of different opinions or different points of view, so don't treat it like that, if you want me to believe that you are a person capable of empathy and basic respect.

Sidenote: Finishing writing this at this year's #36c3 is quite interesting because of the conference title: Resource Exhaustion. Oh the irony.


Planet DebianJonathan Dowland: 8-bit

On yesterday's Mary Anne Hobbs radio show, she debuted a new track by Squarepusher, "Vortrack [Fracture Remix]", which you can now watch/listen to on YouTube:

This track really grabbed my attention. Later that day you could buy it in a variety of formats and quality levels on Squarepusher's website.

One of the format/quality options was "8-bit Lossless WAV", which I thought was a joke, a poke in the eye of audiophiles. I was aware that he likely used some 8-bit instruments/equipment to write the tracks, but surely it was mixed in a more modern environment, and resampling down to 8-bit would result in something that sounded like mush.

But it seems the joke's on me; I bought the track and it's seemingly indistinguishable from the audio track on that YouTube video. And it really is 8-bit:

Input #0, wav, from 'Vortrack-001-Squarepusher-Vortrack (Fracture Remix).wav':
  Duration: 00:08:02.99, bitrate: 705 kb/s
    Stream #0:0: Audio: pcm_u8 ([1][0][0][0] / 0x0001),
    44100 Hz, 2 channels, u8, 705 kb/s

It even — losslessly — compressed down to a bitrate lower than a typical MP3:

Input #0, flac, from 'Vortrack-001-Squarepusher-Vortrack (Fracture Remix).flac':
  Duration: 00:08:02.99, start: 0.000000, bitrate: 313 kb/s
    Stream #0:0: Audio: flac, 44100 Hz, stereo, s16 (8 bit)

Planet DebianRuss Allbery: Review: On the Clock

Review: On the Clock, by Emily Guendelsberger

Publisher: Little, Brown and Company
Copyright: July 2019
ISBN: 0-316-50899-3
Format: Kindle
Pages: 317

Emily Guendelsberger was senior staff writer at Philadelphia City Paper when the paper was sold to a competitor for scrap and everyone who worked for it was laid off. She took that opportunity to investigate first-hand the working conditions of the modern American blue-collar job: a picker in an Amazon distribution center in Indiana, a customer-support call center in North Carolina, and a McDonald's in downtown San Francisco. The result is this book, one of the most engrossing pieces of long-form journalism that I've ever read.

On the Clock opens with a pop quiz. What does the term "in the weeds" mean to you?

If, like me, you come from the white-collar world, you're probably familiar with what Guendelsberger calls the academic definition: lost in the details, bogged down in unimportant minutiae. But in the food service world, it means something different: overwhelmed with more customers and demands than you can handle at a reasonable pace. Which definition comes first to mind may be an indication of whether you've worked in food service, and thus a class marker in the United States. It's the second definition, as Guendelsberger shows throughout this book, that characterizes the modern blue-collar job.

You can make a lot of money explaining away the gap between data and reality in ways that flatter puzzled wealthy people. But if you've had a service job in the past decade, I'll bet that some of the answers are probably as obvious to you as why millennials aren't buying yachts. I'll spend the next few hundred pages trying to make it just as obvious to all you readers, but the short answer? The bottom half of America's labor market lives in the weeds. All the time.

And the weeds are a terribly toxic place for human beings. The weeds make us crazy. The weeds make us sick. The weeds destroy family life. The weeds push people into addiction. The weeds will literally kill you. And people fortunate enough to have good jobs making policy or writing op-eds seem to have no idea how crippled a life with no escape from the weeds is.

This is the thesis that Guendelsberger develops over the course of three very different jobs. Two involve intense human interaction; one (the Amazon picker job) involves almost no human interaction at all. One is physically strenuous; another is a desk job. Only one of them is in food service. But the common point of all three is that they are timed with machine-driven ruthlessness, are obsessed with "time theft" by the employee (an entire sociological research project, and a political party, could be based on that phrase), and are scheduled so that the workers stay in the weeds essentially continuously during their shifts.

I did plenty of research beforehand, and I'd heard crazy things about how stressful each job would be — each in its own special way, like Tolstoy's unhappy families. But at each of them, technology made it impossible to escape the weeds. And every time, my thorough research totally failed to prepare me for how dehumanizing the job felt.

The focus of this book is detailed reporting of the experience of each job, starting with the initial training, and Guendelsberger's own reactions to that experience. But she also provides the reader with context and background, allowing the reader to generalize from the specific to the systemic and trace the origins of the system back in time. There is a lot in this book about the origins of scientific management and Taylorism. Even if you were already familiar with Frederick Winslow Taylor, as I was, you're likely to learn more about the history of work performance monitoring and quotas.

Even better, Guendelsberger interviews other workers in these jobs, tests her assumptions against their opinions, describes their lives, and reports the observations of those who love these jobs. This ability to both put forward her own opinion and also report the opinions of those who are able to thrive in this environment, without losing the overall context, is a sign of great investigative journalism. It also adds more memorable characters to the book: the woman with PTSD and anxiety who found work as an Amazon warehouse picker ideal for distracting her brain, the people who travel the country taking seasonal work and living in tents, the McDonald's worker who tells Guendelsberger to think of her family and walk away from any confrontation with a customer, and so many more.

The turnover in these jobs is almost unimaginable, so it's worth being aware, when reading these sections, that anyone who survives the first couple of weeks is in a tiny minority. These interviews are therefore biased towards people who cope with these jobs unusually well, which underscores the implications of how difficult most of Guendelsberger's coworkers still find them.

It's worth mentioning here that On the Clock includes a detailed ethics statement about how Guendelsberger did reporting for this book, what she surreptitiously recorded and what she didn't, why she made those choices, who she told she was a reporter (which includes all of her coworkers who appear in the book), and how she reconstructed conversations with her coworkers. This is the first time I've seen this type of ethics statement in long-form journalism of this type, and now I'm wondering why there isn't one in every book like this.

The highlight of this book is Guendelsberger's ability to give the reader a feeling for each job as a life: the funny moments, the difficulties, the horrors, the good and bad coworkers, the attempt to find somewhere to live, and the experience of fitting life around the job. One example I'll remember is that she was doing this research during the run-up to the 2016 election. She is a politically engaged person, a reporter who paid close attention to the news, but found that months went by during which she completely lost track of politics, current events, and the campaign. There just wasn't time or energy left to care about politics. There's a lesson in that for those of us who moralize about political engagement and people who don't vote.

Equally memorable were the complex arrangements and juggling and family support that her coworkers needed, relied on, and provided to others (including her) to help each other survive. Guendelsberger was barely keeping her head above water and only needed to support herself; many of her coworkers were raising and supporting children while doing these jobs. If you ever believed that people work low-paid jobs because they are lazy, On the Clock should permanently put that belief to rest. It also destroys the belief that these jobs are low-skill. The amount of skill demonstrated by the workers who survive the horrific turnover is amazing: short-term memory for fast-food workers, for example, or navigating amazingly awful computer UIs for customer support while simultaneously holding a conversation. It's just that most of those skills aren't easily transferable or aren't good resume fodder.

Speaking of awful computer UIs, the section on customer support work was almost painful to read as someone who works in the computer industry. For every call, the agents have to launch multiple independent programs, each with their own logins, and cut and paste information from various programs into others to bring up the necessary screens, all while greeting the caller and hearing the initial description of their problem. The system is not so much badly designed as not designed at all, just cobbled together from multiple systems with complete indifference to the user experience of the agents. The requirement that support agents repeatedly try to sell every caller on new products and services in order to get paid a livable wage is objectively worse (and worth remembering whenever you have to call customer support), but the refusal to invest a small amount of development work to make the tools work smoothly is professionally infuriating.

There is so much truly horrible software in the world that only people who work poorly-paid jobs for large corporations (or medical offices) ever see.

I've barely touched the surface on the great parts of this book. I could go on for hours about how good this is (and have, twice, to friends). It's a truly exceptional piece of investigative journalism that provides reporting, political analysis, personal stories, and fascinating profiles all at the same time. If you want to understand working-class America and aren't part of it, stop reading the endless New York Times interviews of people in diners and read this instead.

This is the best non-fiction book I've read this year, and is more valuable than innumerable opinion columns about the economic state of the country or the changing nature of work. More of this kind of reporting, please.

One parting thought: While writing this review, I looked through Guendelsberger's Twitter feed and noticed that, of the three jobs, the one people overwhelmingly want her to come on programs and talk about appears to be the Amazon job. To me, this highlights a point that Guendelsberger herself makes in the book. Amazon gets a lot of press because Amazon is new, rich, and ubiquitous among the people who read the news media writing these articles. But Amazon is in no way uniquely bad, just large and well-organized. They may be slightly ahead of the curve in bringing close monitoring to warehouse work, but this is an industry-wide practice. The other two jobs were in many ways worse — it's hard to describe how emotionally toxic call center work is, although Guendelsberger does an excellent job — but a few companies like Amazon get all the press and focus.

We need to stop thinking about this as a story of a few rich bad actors, and instead start thinking about it as a sweeping change in the nature of work that affects half the population and demands similarly systemic answers.

Rating: 10 out of 10

Krebs on SecurityRansomware at IT Services Provider Synoptek

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible.

Irvine, Calif.-based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software. The company has nearly a thousand employees and brought in more than $100 million in revenue in the past year, according to their Web site.

A now-deleted Tweet from Synoptek on Dec. 20 warned against the dangers of phishing-based cyberattacks, less than three days prior to their (apparently phishing-based) Sodinokibi ransomware infestation.

News of the incident first surfaced on Reddit, which lit up on Christmas Eve with posts from people working at companies affected by the outage. The only official statement about any kind of incident came late Friday evening from the company’s Twitter page, which said that on Dec. 23 it experienced a “credential compromise which has been contained,” and that Synoptek “took immediate action and have been working diligently with customers to remediate the situation.”

Synoptek has not yet responded to multiple requests for comment. But two sources who work at the company have now confirmed their employer was hit by Sodinokibi, a potent ransomware strain also known as “REvil” that encrypts data and demands a cryptocurrency payment in return for a digital key that unlocks access to infected systems. Those sources also say the company paid their extortionists an unverified sum in exchange for decryption keys.

Sources also confirm that both the State of California and the U.S. Department of Homeland Security have been reaching out to state and local entities potentially affected by the attack. One Synoptek customer briefed on the attack who asked to remain anonymous said that once inside Synoptek’s systems, the intruders used a remote management tool to install the ransomware on client systems.

Much like other ransomware gangs operating today, the crooks behind Sodinokibi seem to focus on targeting IT providers. And it’s not hard to see why: With each passing day of an attack, customers affected by it vent their anger and frustration on social media, which places increased pressure on the provider to simply pay up.

A Sodinokibi attack earlier this month on Colorado-based IT services firm Complete Technology Solutions resulted in ransomware being installed on computers at more than 100 dentistry practices that relied on the company. In August, Wisconsin-based IT provider PerCSoft was hit by Sodinokibi, causing outages for more than 400 clients.

To put added pressure on victims to negotiate payment, the purveyors of Sodinokibi recently stated that they plan to publish data stolen from companies infected with their malware who elect to rebuild their operations instead of paying the ransom.

In addition, the group behind the Maze Ransomware malware strain recently began following through on a similar threat, erecting a site on the public Internet that lists victims by name and includes samples of sensitive documents stolen from victims who have opted not to pay. When the site was first set up on Dec. 14, it listed just eight victims; as of today, there are more than two dozen companies named.


Planet DebianSteinar H. Gunderson: Introduction to the Unicode Collation Algorithm

Programmers love to sort things. We discuss sorting algorithms, big-O notation, when sorting pointers or values is better, parallelism, whether being able to discuss sorting algorithms and big-O notation makes you a better programmer or not… but today, I'm going to be talking about the comparison function. Usually, we sort of take it for granted, even when sorting strings, but for anything but the most trivial examples, the standard memcmp()-like algorithm (lexical comparison of bytes) will produce undesired results. What we need is the Unicode Collation Algorithm, or UCA.

A word of warning first: Superficial knowledge of Unicode and collations gives a high risk of being a loud and boring person who wants to flaunt their own superficial knowledge of Unicode and collation. Don't be that guy.

With that out of the way… Let's discuss first a bit what we want. We want a universal and consistent way of comparing strings that match what users intuitively expect. (Note that comparison includes both “is before” and “is equal”.) Of course, different users expect different things, so we must also be able to parametrize the algorithm (so-called tailoring), but I won't be talking much about it.

Just comparing Unicode code points (which, for UTF-8, gives exactly the same order as comparing bytes) will inevitably end up in disaster. For instance, most users will accept that “René” should sort before “Renoir”, but é is U+00E9 and o is U+006F, so you'd get the opposite order. Similarly, even in a case-sensitive collation, where “linux” and “Linux” are unequal, they should probably sort together (i.e., they should not be split by “Windows”, even though W is between l and L). (Don't think about hacks like NFD normalization, removing accents or folding case before sorting, because you're not likely to get it right. Stick with the UCA.)

So the UCA, sans tailoring, works on a simple principle: First compare all base forms, then all accents, then all case. (This isn't the entire story, and the nomenclature is different, but I'm simplifying.) For instance, “A” to Unicode would have the base form “a” (“first level”), the accent “none” (“second level”), and the case “upper case” (“third level”). If you want a case-insensitive collation, you simply drop the third level, and if you also want an accent-insensitive collation, you drop the second one.

UCA's output for each string is conceptually a weight string, consisting of a series of 16-bit weights (values) which you can then sort in binary—but often, it will be better just to generate the weights for both strings on the fly and stop once they differ, especially if they're long and you're not comparing them a lot of times. So you look up each code point in a big table (the so-called DUCET) and output the weights piece by piece. First you output the first-level weights (typically one or more for each code point), then a separator, then the second-level ones, then a separator, and then finally the third-level ones. Certain code points may be ignorable (should have no output) on a given level; e.g. COMBINING RING ABOVE has no base shape, so it outputs nothing on the first level. Similarly, certain code points may turn into multiple weights; think e.g. of the fi ligature ﬁ (U+FB01), which outputs the same primary level weights as “f” followed by “i” does, or é, which has exactly the same weights as “e” followed by COMBINING ACUTE ACCENT (which makes a lot of sense when you understand that strings should sort equal independent of their Unicode normalization!).

Of course, most people don't really do this themselves; they just link to ICU, which handles this directly for you (unlike, say, the C or Java standard libraries, which don't). It can also deal with tailoring, which comes into play when you want to deal with language-specific rules. For instance, “å” to me as a Norwegian is a completely distinct letter from “a” and thus should be different from it on the primary level, but to English speakers, the ring is just an accent and shouldn't produce a difference before the second level. Similarly, French has a (to me, bizarre!) rule that accents should be sorted from the back (the example UCA gives is “côte < coté” instead of the other way round, because e < é on the second level, and that is compared before the o < ô difference, due to accent reversal). There are also contractions (e.g., Norwegian sorts “aa” equal to “å” on the primary level) and plain changing of weights and other weird stuff.
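To make the level-by-level construction above and the French accent-reversal tailoring concrete, here is a toy collation in Python. It is an added example, not code from the post and not ICU: the weight table is a constructed mini-DUCET covering only a–z and three combining marks, and the ligature expansion, the separator value 0 and the `levels`/`french` parameters are this example's own design, not UCA's real tailoring syntax.

```python
import unicodedata

# Constructed mini-DUCET for this example (not the real table): primary weights
# for a-z, secondary weights for three combining marks. Assumption: input is
# Latin text using only these characters; anything else sorts after "z".
PRIMARY = {c: i + 1 for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
SECONDARY = {
    "\u0301": 2,   # COMBINING ACUTE ACCENT
    "\u0302": 3,   # COMBINING CIRCUMFLEX ACCENT
    "\u030a": 4,   # COMBINING RING ABOVE
}
NO_ACCENT = 1                     # secondary weight of an unaccented base letter
LOWER, UPPER = 1, 2               # tertiary (case) weights
EXPANSIONS = {"\ufb01": "fi"}     # U+FB01 LATIN SMALL LIGATURE FI expands to f, i


def collation_elements(text):
    """Yield (primary, secondary, tertiary) triples for each code point.

    Input is decomposed to NFD first so that precomposed "é" (U+00E9) and
    "e" + U+0301 produce identical elements. A weight of 0 means "ignorable
    on this level": a combining mark has no primary and no tertiary weight.
    """
    for ch in unicodedata.normalize("NFD", text):
        if ch in SECONDARY:
            yield (0, SECONDARY[ch], 0)
            continue
        for base in EXPANSIONS.get(ch, ch):
            low = base.lower()
            primary = PRIMARY.get(low, len(PRIMARY) + 1 + ord(low))
            yield (primary, NO_ACCENT, UPPER if base.isupper() else LOWER)


def sort_key(text, levels=3, french=False):
    """Build a UCA-style sort key: all level-1 weights, a separator, all
    level-2 weights, a separator, all level-3 weights. The separator 0 is
    below every real weight, so a string sorts before its own extensions.
    levels=2 gives a case-insensitive key; levels=1 also ignores accents.
    french=True compares accents from the end of the string (the French
    backwards-secondary tailoring)."""
    elems = list(collation_elements(text))
    key = [p for p, _, _ in elems if p]
    if levels >= 2:
        secondary = [s for _, s, _ in elems if s]
        if french:
            secondary.reverse()
        key += [0] + secondary
    if levels >= 3:
        key += [0] + [t for _, _, t in elems if t]
    return tuple(key)


def collate(words, **kwargs):
    """Sort strings under the given collation settings (see sort_key)."""
    return sorted(words, key=lambda w: sort_key(w, **kwargs))


if __name__ == "__main__":
    print(collate(["Renoir", "Ren\u00e9"]))                 # René before Renoir
    print(collate(["Windows", "Linux", "linux"]))            # linux, Linux, Windows
    print(collate(["c\u00f4te", "cot\u00e9"]))               # coté < côte (default)
    print(collate(["c\u00f4te", "cot\u00e9"], french=True))  # côte < coté (French)
```

Because the key is built from NFD output, `sort_key("\u00e9")` and `sort_key("e\u0301")` are identical, which is the normalization-independence point made above; dropping levels is what an accent- or case-insensitive collation does.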

That's really all there is to it! But just use ICU. Be happy.

Planet DebianShirish Agarwal: Indian Economy, NPR, NRC and Crowd Control – Part 1

I dunno whether this would be a short or a long post but as the NPR, NRC seem to be deeply linked to how the Indian Economy is at the moment, I would say that the Government is putting its energy and political capital into the wrong things. Why I say that, I will attempt to use studies, data and newspaper reports to share what the issues are, where the Government should have been looking, where it is instead using its energy, and why it’s wrong.

State of Indian Economy

While it is by and large recognized by everyone that the Indian Economy is in a slow-down or perhaps beginning a recession, a recent working paper by Arvind Subramaniam and Josh Felman tells how the Indian economy is doing or not doing. While I’ll not go into many details as the paper itself is quite interesting, I would like to draw attention to a couple of things.

While I have shared the working paper as well, one of the more interesting graphs I found in the paper is the one I am sharing below –

Difference between Interest and Profit

Now the sad and interesting part of that graph as shown above is that entrepreneurs, business houses etc. would be paying more to service debt rather than making profit. So, in essence, if an entrepreneur decided not to do any business today, he would be much better off than taking efforts, taking all the risks and still spending money out of his pocket to service debt instead of making profits. Of course the transmission of why lower interest rates given to banks are not reaching the businessman has been more than effectively shared by the working paper so I will not go into that. I have to commend Dr. Arvind and Mr. Josh for making the paper so simple that reading it even once or twice is enough to grasp the issues which threaten the Indian economy, and this is when I have read and have been reading such papers about the Indian and International markets in my spare time.

There is another part however which hasn’t been really answered as the point being made in the working paper is that private banks are better than public sectors banks at either risk management or other things but there is no evidence shared which bears that out. One could argue, in fact the opposite. Private banking is much more opaque and there has been no discussion on how such banks are supposed to fill the needs of the millions of the customers and potential customers. The social welfare of banking that Public banking fulfills, how Private banking is supposed to do that is not told. India is still a very much an under-banked market. While Dr. Arvind and Mr. Josh have shared a bit about direct benefit transfers, they haven’t talked anything about the needs of the MSME sector or even how DBT would work in real life. As have been in Airtel Payment banks and others, most private banks have at one time or the other violated rules and norms. I am not going to get into great lengths but there are possibly about a dozen or two-dozen well-known scandals with private banks where people have lost money. The Great 2008 financial crash itself was made by private individuals, companies who were doing risky products and even after the crash, riskier derivative financial products seem to thrive in the American market. As far as regulatory bodies in India, such as the banking ombudsman or RBI is concerned, they seem to behave very similarly to SEBI and other regulatory bodies which doesn’t bode well for the Indian economy.

V.G. Siddhartha and CCD story

Apart from the working paper, there have been other things happening which don’t tell or paint a good picture of the Indian economy. For e.g. I am sure some of the readers may have remembered my blog post about V.G. Siddhartha. For those who might not know Mr. Siddhartha, the gentleman was the owner of CCD or Cafe Coffee Day. He committed suicide in July 2019. I, along with several thousand users, patrons, entrepreneurs who were encouraged by his vision and rise, was saddened by the news of his demise. There is a fact or news which I hadn’t shared on the blog post around that time. The whole tax authorities issue started when some gentleman who claimed that he was working for CCD or Mr. Siddhartha was caught with some cash. Another fact is that Coca-Cola, Barista and others were interested in taking over CCD so it isn’t far-fetched to assume or presume that the person who was caught with cash might have been planted by his competitors. Also the amount of cash, apparently a few crores which were found in CCD offices, was not at all commensurate with the scale of business the gentleman was doing. In part, his suicide was caused by the Tax Department’s heavy-handedness and that continues even today.

Government’s approach to Business

Over the past few months, there have been lot of negative views on how the Government of the day views businesses and businessmen. A recent example would prove my point. Do you know for instance, the Ministry of Corporate affairs (MCA) removed almost 2 million directors and about 0.4 million companies due to not filing either their KYC forms or not filing the annual returns. In fact, this news item has been buried and only some people who are interested in knowing such news are able to dig it up. Now while the Government says these are all bogus and shell companies, and in fact the FM (Finance Minister) shared the numbers in Lok Sabha (the lower house of the parliament), in the same breath it was shared that there has never been a definition of what a ‘bogus’ or sham company is. With the cost of real-estate and other things going up, many such small companies are using co-working spaces. In fact, even quite a few medium to large business houses have used co-working spaces especially as the overheads are low. Also what has not been mentioned is that the cost of compliance has gone up while the window of compliance has gone down and there are all sorts of inefficiencies and corruption that small companies have to deal with more than large companies. This will severely impact as more entrepreneurs will think to remain as entrepreneurs or as partnerships rather than become private companies and eventually public companies, which are needed for a big country like India to fulfill the country’s needs and requirements. Also less competition means more monopoly and more possibilities of more companies coming from overseas and taking advantage of less competition. The other part is when companies are known to be penny stocks which thrive on false or fake news, no action has been taken. While there are probably hundreds of examples in the Indian Stock market, a recent example shared by Sucheta Dalal is enough to prove the point.
Her link on stock manipulation, where she has documented at least 100 more cases with no action taken by SEBI, is a case in point.

Now as far as competition is concerned, there are probably hundreds of examples, for e.g. all electronics come either from China, Taiwan, Singapore or the States. The GOI has no concrete plans for the sector and more often than not just makes noises so it can be seen as doing something rather than actually doing something. For e.g. Mr. Piyush Goyal recently made a statement that we should not be dependent on imported electronic goods. Now there is nothing new in this statement, this same statement has been told and shared for almost a decade, decade and a half by almost all political parties but no effective strategies and finances have been put in place to make other people invest in India. In fact, I was talking to a dear friend few days back and we were talking about the negative interest rates which are there in Japan and many European countries as well as the ECB and the low interest rates in the States and why they don’t invest in India, and we came to the conclusion that perhaps other avenues such as Bangladesh and others seem to provide a much more stable economic, policy and political environment than the one we see in India where there are flip-flops every so often, case in point the GST flip-flops among many others.

Political Capital and Remedies

The last 10 odd pages of the working paper delve into possible solutions of how the issues need to be tackled, as shared by Dr. Arvind. Most of the solutions and recipes as shared by him are not new at all. They have been documented often enough. What this Government had in 2014 and even in 2019 is the political capital which could have been used to push the reforms or changes shared by him. He has also mentioned co-operative federalism and I should say the art of negotiation that Mr. Vajpayee had vis-a-vis our current dispensation which seems to lack imagination or depth of any kind. While Dr. Arvind has tried to end it on a positive note, that only can happen if the Government appears to engage with the opposition and try to find answers rather than the my way or the highway attitude that the Government currently has. Part 2 will be more about the whole NPR, NRC issue and the agitations which are happening in that regard.

CryptogramFriday Squid Blogging: New Species of Bobtail Squid

Euprymna brenneri was discovered in the waters of Okinawa.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet DebianJonathan Dowland: Debian's init system GR

Debian is currently conducting a vote on a General Resolution entitled Init systems and systemd. I had a few brief thoughts about the circumstances around this that I wanted to share.

I like systemd and I use it on all of my systems. That said, I have some concerns about it, in particular the way it's gradually eating up so much other systems software. The opportunity for alternatives to exist and get feedback from interested users seems important to me as a check and balance and to avoid a monoculture. Such an environment should even help to ensure systemd remains a compelling piece of software. The question that this GR poses is really whether Debian should be a place where alternatives can exist. In answering that question I am reminded of the mantra of Extinction Rebellion. I appreciate that is about a far more important topic, but it still seems pertinent: If not us, who? If not now, when?

What is Debian for, anyway? Once upon a time, from a certain perspective, it was all counter-cultural software. Should that change? Perhaps it already has. When I was more actively involved in the project, I watched some factions strive to compete with alternative distributions like Fedora. Fedora achieves a great deal, partly by having a narrow and well-defined focus. With the best will in the world, Debian can't compete at that game. And why should it? If Fedora is what you want, then Fedora is right there, go use it!

In the UK we are also about to vote in a General Election. As happens often in FPTP voting systems, the parties are largely polarized around a single issue, although one side of that issue is more factionalised than the other. And that side stands to lose out, as the vote is diluted. This Debian GR is in a similar situation, although not as bad since Debian doesn't use FPTP. But I could understand fellow developers, not as deeply invested in the issue as those who have proposed options, getting fatigued trying to evaluate them. For pro-systemd/anti-alternative folks, the choice is easy: First-choice the one (or two) positions that express that, and rank the majority under "further discussion". For those at the other pole, this strategy is risky: those folks want their transferable vote to move to the most popular option, and so must not succumb to voter fatigue.

Whatever your position, if you hold the power to vote, please take time to evaluate the options and use it.

Planet DebianJoey Hess: 2020 hindsight

(Someone stumbled upon my 2010 decade retrospective post and suggested I write a followup...)

This has been a big decade for me.

Ten years ago, I'd been in an increasingly stale job for several years too long. I was tired of living in the city, and had a yurt as a weekend relief valve. I had the feeling a big change was coming.

Four months on and I quit my job, despite the ongoing financial crisis making prospects poor for other employment, especially work on free software.

I tried to start a business, Branchable, with liw, based on my earlier ikiwiki project, but it never really took off. However, I'm proud it's still serving the users it did find, 10 years later.

Then, through luck and connections, I found a patch of land in a blank spot in the map with the most absurd rent ever ($5/acre/month). It had a house on it, no running water, barely solar power, a phone line, no cell service or internet, total privacy.

This proved very inspiring. Once again I was hauling water, chopping wood, poking at web pages on the other end of a dialup modem. Just like it was 2000 again. Now I was also hacking by lantern-light until the ancient batteries got so depleted I could hear the voltage regulator crackle with every surge of CPU activity.

I had wanted to learn Haskell, but could never concentrate on it enough. I learned me some Haskell and wrote git-annex, my first real world Haskell program, to help me deal with shuttling data back and forth from civilization on sneakernet.

After two idyllic years of depleting savings, I did a Kickstarter for git-annex and raised not much, but I was now living on very little, so that was a nice windfall. I went full crowdfunding for a couple of years. After a while, I started getting contracting work, supplementing the crowdfunding, as git-annex found use in science and education. Both have continued ever since, amazingly.

I was free to do whatever I wanted to. A lot of that was git-annex, with some Debian, and some smaller projects, too many to list here.

Then, mid-decade, I left the Debian project. I'm still sad, still miss everybody, but I also think, had I not been so free, I would not have been able to leave it. It had driven most of my career before this point. I was lucky to be able to leave Debian. 💧

Adding to the stress of that, my patch of countryside was being sold out from under me. I considered moving to some city, but the income that's freeing here would be barely getting by there. Instead, I bought the place, using git-annex income, plus a crucial loan from a wonderful friend.

That changed how I dealt with being offgrid. Before it was an interesting constraint, something to adapt to, an added texture to life. Now it's all of those and also a source of inspiration and learning. How to install solar panels on a roof. How to wire things to code. Circuit design. Plumbing. Ditch digging. With my offgrid fridge project, things are feeling interdisciplinary in ways my work has not been before.

From here at its end, this decade feels both inevitable and highly unlikely. Now I feel.. comfortable. Settled. Surely older. More unsure of myself than ever really, nearly everything is more complicated than I used to think it was. Maybe a little stuck? But not really.

I'm planting fruit trees, something says I will be here to enjoy them. But times are getting beyond interesting. Anything could be around the corner.

Planet DebianSam Hartman: Music for Debian

December has been a difficult month for me and I think for Debian as a whole. It was strongly suggested to me that I (and Debian in general) needed more music. I'm reminded of the fun I had dancing with you all at DebConf. It's been a while since I dug out my DJ kit. But Dec 25, I pulled it out and spent a couple of hours looking at some of the tracks that came out since I last DJed. And then I put together a mix. I had fun. Perhaps you'd like a little more music in your holiday. If so, I join you on the (virtual) dance floor.

Worse Than FailureError'd: Cthulhu Fhtagn to Continue

"I'm not sure if Barcelona Metro is asking for my ticket or a blood sacrifice," Paweł S. writes.


Scott M. wrote, "I know VBA is considered to be a venerable language, but ...old enough to run on the Commodore PET?"


"I don't know about you, but I would LOVE to spend anywhere between negative two and three thousand dollars," writes Alex S.


"12.09€ for a mouse and a pair of Adidas trainers? What a deal! ...oh wait...could we lose the recipient? Nevermind, no worries here," Vivia N. wrote.


Pascal writes, "Today I learned that Google Translate will sometimes adjust email addresses."


Bruce T. writes, "I received a deluge of emails from a Car Hire insurance provider (6 in total in the space of 4 minutes) and, oddly enough, each email appears to have completely failed in the templating engine or mail merge job."



Planet DebianRuss Allbery: Review: The Subtle Art of Not Giving a Fuck

Review: The Subtle Art of Not Giving a Fuck, by Mark Manson

Publisher: HarperCollins
Copyright: August 2016
ISBN: 0-06-245773-X
Format: Kindle
Pages: 211

I've been hearing about this book and Mark Manson's blog posts from various places for a while. I'd read a few pieces on his blog that seemed somewhat interesting, but something about the tone left me uninterested in following his writing closely. But I occasionally like exploring self-help literature and, after seeing yet another positive reference to this book, decided to give it a try. (The title helped. For those not familiar with the idiom, "not giving a fuck" means not caring, but with the implication that one is intentionally disregarding the consequences rather than simply indifferent.)

The short summary is that my instincts were right, but now I have more data to put words to that feeling. There's nothing wrong with this book, exactly, but it is very much from bro culture. Manson, intentionally or not, seems to be writing to a specific and limited audience, one that's relatively privileged, socialized male, and unfamiliar with the (exhaustive) literature on balancing emotional demands, expectations, and one's own sense of entitlement.

To be clear, there's nothing wrong with this. There are a lot of people like that in this world, and the advice Manson gives them seems reasonable to me. He apparently has a couple million blog readers, so more power to him. But if you're a regular reader of advice web sites like Captain Awkward or Ask A Manager, the assumed frame of the reader is going to feel a bit off.

Put another way, this is a book that contains a lovingly-detailed description of Manson forcing himself to walk up to a sheer cliff over the ocean above the Cape of Good Hope in South Africa and sit on the edge in order to confront his own mortality. If that induces more eye-rolling than recognition (as it did with me), some of the rest of the book is likely to provoke a similar reaction.

The thesis of this book is not captured by the title, which is a good thing since the title in isolation would be awful advice. Manson does not want you to stop giving any fucks at all. Indeed, he says that you are incapable of not giving a fuck about things in life. Humans are designed to give a fuck; that's what we do. Rather, his point is that if you've not consciously thought about what you give a fuck about, you're probably giving a fuck about all the wrong things, and thus making yourself miserable.

Because when you give too many fucks — when you give a fuck about everyone and everything — you will feel that you're perpetually entitled to be comfortable and happy at all times, that everything is supposed to be just exactly the fucking way you want it to be. This is a sickness. And it will eat you alive. You will see every adversity as an injustice, every challenge as a failure, every inconvenience as a personal slight, every disagreement as a betrayal. You will be confined to your own petty, skull-sized hell, burning with entitlement and bluster, running circles around your very own personal Feedback Loop from Hell, in constant motion yet arriving nowhere.

The things Manson thinks you should stop giving fucks about are being happy, exceptional, right all the time, or successful. The things that Manson thinks you should selectively start giving fucks about are struggling with something, making mistakes, being uncertain, defining good personal values, setting boundaries, and making commitments.

If you're not someone who grew up with the belief that you're exceptional and mostly right and deserve happiness and success, you're probably not the target audience for this book. If your struggle is against socialization that taught you to always set aside your needs and wants in favor of making other people happy, you're definitely not the target audience for this book. If all of this sounds very familiar from other reading, you're probably going to find this book rather basic, although Manson does have an entertainingly direct writing style (if very bro-tinged and a bit heavy on the sex jokes).

That said, there is one thing in this book that will stick with me. In the chapter on happiness, Manson challenges the reader to stop asking what in life will make them happy, and instead ask a different question: "What pain do you want in your life? What are you willing to struggle for?" In other words, embrace the reality that every set of life choices will involve unhappiness and suffering, and then make the choices that invoke the problems that you want to have. The problems that may be uncomfortable but that bring you joy when you solve them. The problems that inspire you to beat your head against them instead of the ones that make you want to give up.

For those in a position to be able to make those sorts of choices, I think that's a great piece of advice, and one that I read at just the right time for it to be personally meaningful to me. Any book of this type is some variety of success if I come away with an idea that I didn't have before reading it, so full points to Manson there.

Having read this book, my new guess on why Manson's writing shows up so often in my circles is that I worked in Bay Area tech among a lot of people with comfortable backgrounds, good schools, high expectations, a lot of market bargaining power in employment, and a sense that all of this wasn't translating into happiness in the way that one might assume it would. If that's you, and you've not already dived into the introspection and life prioritization deep end, this isn't a bad introduction, written by someone who seems well-connected to that world. If you're struggling with feeling like you should be happy but aren't, and are stuck chasing the next thing on the horizon that's supposed to make you happy, Manson has quite a lot to say about that experience.

If you've been making hard prioritization trade-offs your whole life, know perfectly well why you're not happy (systemic oppression and late-stage capitalism), and are not in the mood to be lectured about happiness by some white dude who can afford to fuck off to South Africa to have a life-altering encounter with his own mortality, you may want to give this one a pass.

A minor metadata note: The cover design replaces the "u" of "Fuck" with a blotch, and Amazon and Wikipedia show the title as The Subtle Art of Not Giving a F*ck with an asterisk. However, the inside cover and the copyright page clearly render the word in the title as "Fuck," so that's how I list it here.

Rating: 6 out of 10

Planet DebianMatthew Garrett: Wifi deauthentication attacks and home security

I live in a large apartment complex (it's literally a city block big), so I spend a disproportionate amount of time walking down corridors. Recently one of my neighbours installed a Ring wireless doorbell. By default these are motion activated (and the process for disabling motion detection is far from obvious), and if the owner subscribes to an appropriate plan these recordings are stored in the cloud. I'm not super enthusiastic about the idea of having my conversations recorded while I'm walking past someone's door, so I decided to look into the security of these devices.

One visit to Amazon later and I had a refurbished Ring Video Doorbell 2™ sitting on my desk. Tearing it down revealed it uses a TI SoC that's optimised for this sort of application, linked to a DSP that presumably does stuff like motion detection. The device spends most of its time in a sleep state where it generates no network activity, so on any wakeup it has to reassociate with the wireless network and start streaming data.

So we have a device that's silent and undetectable until it starts recording you, which isn't a great place to start from. But fortunately wifi has a few, uh, interesting design choices that mean we can still do something. The first is that even on an encrypted network, the packet headers are unencrypted and contain the address of the access point and whichever device is communicating. This means that it's possible to just dump whatever traffic is floating past and build up a collection of device addresses. Address ranges are allocated by the IEEE, so it's possible to map the addresses you see to manufacturers and get some idea of what's actually on the network[1] even if you can't see what they're actually transmitting. The second is that various management frames aren't encrypted, and so can be faked even if you don't have the network credentials.

The most interesting one here is the deauthentication frame that access points can use to tell clients that they're no longer welcome. These can be sent for a variety of reasons, including resource exhaustion or authentication failure. And, by default, they're entirely unprotected. Anyone can inject such a frame into your network and cause clients to believe they're no longer authorised to use the network, at which point they'll have to go through a new authentication cycle - and while they're doing that, they're not able to send any other packets.

So, the attack is to simply monitor the network for any devices that fall into the address range you want to target, and then immediately start shooting deauthentication frames at them once you see one. I hacked airodump-ng to ignore all clients that didn't look like a Ring, and then pasted in code from aireplay-ng to send deauthentication packets once it saw one. The problem here is that wifi cards can only be tuned to one frequency at a time, so unless you know the channel your potential target is on, you need to keep jumping between frequencies while looking for a target - and that means a target can potentially shoot off a notification while you're looking at other frequencies.

But even with that proviso, this seems to work reasonably reliably. I can hit the button on my Ring, see it show up in my hacked up code and see my phone receive no push notification. Even if it does get a notification, the doorbell is no longer accessible by the time I respond.

There are a couple of ways to avoid this attack. The first is to use 802.11w, which protects management frames. A lot of hardware supports this, but it's generally disabled by default. The second is to just ignore deauthentication frames in the first place, which is a spec violation, but also you're already building a device that exists to record strangers engaging in a range of legal activities, so paying attention to social norms is clearly not a priority in any case.

Finally, none of this is even slightly new. A presentation from Def Con in 2016 covered this, demonstrating that Nest cameras could be blocked in the same way. The industry doesn't seem to have learned from this.
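The defender's side of the attack described above is detecting it: a single deauthentication frame is normal housekeeping, but a rapid burst of them aimed at one client is the signature of the jamming the post describes. The following detector is an added example, not code from the original post; it assumes a monitor-mode capture has already been reduced to (timestamp, subtype, source, destination, reason code) records, and every MAC address and frame in it is constructed for illustration.

```python
"""Deauthentication-flood detector over a constructed 802.11 frame log.

Added example (not from the original post). Input records are tuples of
(timestamp_seconds, frame_subtype, source_mac, destination_mac, reason_code);
the MAC addresses below are constructed, locally administered placeholders.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes (type 0) relevant here.
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

# Constructed addresses: the 02:... prefix is the locally administered range,
# so these collide with no real vendor OUI.
AP = "02:00:00:aa:00:01"
STA_A = "02:00:00:bb:00:01"
STA_B = "02:00:00:bb:00:02"

# Constructed capture: one legitimate deauth for STA_A (reason 3, station is
# leaving), then a burst of eight deauths to STA_B that mimics a flood.
SAMPLE_FRAMES = [
    (0.00, SUBTYPE_BEACON, AP, "ff:ff:ff:ff:ff:ff", None),
    (1.50, SUBTYPE_DEAUTH, AP, STA_A, 3),
    (10.00, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.10, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.20, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.30, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.40, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.50, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.60, SUBTYPE_DEAUTH, AP, STA_B, 7),
    (10.70, SUBTYPE_DEAUTH, AP, STA_B, 7),
]


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """Flag stations that receive `threshold` or more deauth/disassoc frames
    within any sliding window of `window_s` seconds.

    Returns one alert dict per station, emitted the first time the threshold
    is crossed. Other frame subtypes are ignored.
    """
    recent = defaultdict(deque)   # destination MAC -> timestamps still in window
    alerted = set()
    alerts = []
    for ts, subtype, src, dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[dst]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append({
                "station": dst,
                # Header addresses are unauthenticated, so this is only what
                # the frame claims, not proof of who sent it.
                "claimed_source": src,
                "window_start": window[0],
                "count": len(window),
                "reason_code": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth flood against {alert['station']}: {alert['count']} frames "
              f"starting at t={alert['window_start']:.2f}s "
              f"(claimed source {alert['claimed_source']})")
```

The window and threshold are tuning knobs: a client that legitimately roams may see one or two deauths in a row, while the burst the post describes arrives far faster. Enabling 802.11w makes clients drop forged frames, but the frames are still on the air, so this kind of monitoring stays useful as a way of noticing that someone is trying.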

[1] The Ring Video Doorbell 2 just uses addresses from TI's range rather than anything Ring specific, unfortunately


Planet DebianDebichem Team: XCrySDen is back thanks to the FTP masters

The XCrySDen package is finally back in Debian. It was removed after Togl had been updated to major release 2.0 without coordinating the transition. Upstream then made some efforts to port the application and as of today, XCrySDen hit the archive! Thanks to the FTP Masters.


Planet DebianNoah Meyerhans: Yet Another Init decision

I’m trying to use this to capture some of my thoughts on the current GR, and to document my approach to this vote. If nothing else, I hope to use this to convince myself that I’ve read and understood the various options in the GR. From my perspective, two of the choices on this ballot are easy to deal with, in that they have very clear meaning and the ramifications are easy to understand.

LongNowThe Enlightenment is Dead, Long Live the Entanglement

Quantum entanglement. (Courtesy: iStock/Traffic-Analyzer)

We humans are changing. We have become so intertwined with what we have created that we are no longer separate from it. We have outgrown the distinction between the natural and the artificial. We are what we make. We are our thoughts, whether they are created by our neurons, by our electronically augmented minds, by our technologically mediated social interactions, or by our machines themselves. We are our bodies, whether they are born in womb or test tube, our genes inherited or designed, organs augmented, repaired, transplanted, or manufactured. Our prosthetic enhancements are as simple as contact lenses and tattoos and as complex as robotic limbs and search engines. They are both functional and aesthetic. We are our perceptions, whether they are through our eyes and ears or our sensory-fused hyper-spectral sensors, processed as much by computers as by our own cortex. We are our institutions, cooperating super-organisms, entangled amalgams of people and machines with super-human intelligence, processing, sensing, deciding, acting. Our home planet is inhabited by both engineered organisms and evolved machines. Our very atmosphere is the emergent creation of forests, farms and factories. Our networks of commerce, power and communications are becoming as richly interconnected as ecologies and nervous systems. Empowered by the tools of the Enlightenment, connected by networked flows of freight and fuel and finance, by information and ideas, we are becoming something new. We are at the dawn of the Age of Entanglement.

Antoine Lavoisier conducting an experiment related to combustion generated by amplified sun light

In the last age, the Age of Enlightenment, we learned that nature followed laws. By understanding these laws, we could predict and manipulate. We invented science. We learned to break the code of nature and thus empowered, we began to shape the world in the pursuit of our own happiness. We granted ourselves god-like powers: to fly, to communicate across vast distances, to hold frozen moments of sight and sound, to transmute elements, to create new plants and animals. We created new worlds entirely from our imagination. Even Time we harnessed. The same laws that allowed us to explain the motions of the planets, enabled us to build the pendulum of a clock. Thus time itself, once generated by the rhythms of our bodies and the rhythms of the heavens, was redefined by the rhythms of our machines. With our newfound knowledge of natural laws we orchestrated fantastic chains of causes and effect in our political, legal, and economic systems as well as in our mechanisms. Our philosophies neatly separated man and nature, mind and matter, cause and effect. We learned to control.

ENIAC, (Electronic Numerical Integrator And Computer), the first electronic general purpose computer.

Eventually, in the ultimate expression of our Enlightenment exuberance, we constructed digital computers, the very embodiments of cause and effect. Computers are the cathedrals of the Enlightenment, the ultimate expression of logical deterministic control.¹ Through them, we learned to manipulate knowledge, the currency of the Enlightenment, beyond the capacity of our own minds. We constructed new realities. We built complex algorithms with unpredictable behavior. Thus, within this monument to Enlightenment thinking, we sowed the seeds of its demise. We began to build systems with emergent behaviors that grew beyond our own understanding, creating the first crack in the foundation.

The second threat to the foundation of the Enlightenment was in the institutions we created. Our communication technology allowed us to build enterprises of unimaginable scope and capability. A modern corporation or NGO has tens of thousands of people, most of whom have never met one another, who are capable of coordinated action, making decisions that shape the world. Governments are even larger. New kinds of self-organizing collaborations, enabled by our global communications networks, are beginning to emerge. All these kinds of enterprises can become more powerful than the individual humans that created them, and in many senses, they have goals of their own. They tend to act in ways that increase their control of resources and enhance their own survival. They are able to perceive and process far more information than a single human, manipulate more matter and energy, act in more ways and places, command more power, and focus more attention. The individual is no longer the most influential player on the world stage.

As our technological and institutional creations have become more complex, our relationship to them has changed. We now relate to them as we once related to nature. Instead of being masters of our creations, we have learned to bargain with them, cajoling and guiding them in the general direction of our goals. We have built our own jungle, and it has a life of its own.

Photo by Franck V. on Unsplash

The final blow to the Enlightenment will come when we build into our machines the power to learn, adapt, create and evolve. In doing so, we will give them the power to surpass us, to shape the world and themselves in ways that we never could have imagined. We have already given our institutions the ability to act on our behalf, and we are destined to have the same uneasy balance of power with our machines. We will make the same attempts to build in checks and balances, to keep their goals aligned with ours. We will face similar challenges. In doing so we need to move far away from the understandable logic of Enlightenment thinking, into something more complicated. We will worry less about the unpredictable forces of nature than about the unpredictable behaviors of our own constructions.

Neri Oxman’s “Silk Pavilion” was made by 6,500 computer-guided silkworms. Photo by Markus Kayser

So what is this brave new world that we are creating, governed neither by the mysteries of nature or the logic of science, but by the magic of their entanglement? It is governed by the mathematics of strange attractors. Its geometry is fractal. Its music is improvisational and generative rather than composed: Eno instead of Mozart. Its art is about process more than artifact. Its roots are in Grey Walter’s cybernetic tortoises,² Marvin Minsky’s randomly wired SNARC learning machine,³ and Nicholas Negroponte’s Seek,⁴ in which the architecture of a living space emerged from the interaction of an observant robot with a horde of gerbils. The aesthetic of the Entanglement is the beauty that emerges from processes that are neither entirely natural nor artificial, but blend the best of both: the webs of Neri Oxman’s silk worms,⁵ ⁶ spun over a robot-wired mesh; the physical telepresence of Hiroshi Ishii’s tactile displays⁷ ⁸ or his living bioLogic fabric.⁹ We can no longer see ourselves as separate from the natural world or our technology, but as a part of them, integrated, codependent, and entangled.

Unlike the Enlightenment, where progress was analytic and came from taking things apart, progress in the Age of Entanglement is synthetic and comes from putting things together. Instead of classifying organisms, we construct them. Instead of discovering new worlds, we create them. And our process of creation is very different. Think of the canonical image of collaboration during the Enlightenment: fifty-five white men in powdered wigs sitting in a Philadelphia room, writing the rules of the American Constitution. Contrast that with an image of the global collaboration that constructed the Wikipedia, an interconnected document that is too large and too rapidly changing for any single contributor to even read.

A beautiful example of an Entanglement process is the use of simulated biologically-inspired algorithms to design artificial objects through evolution and morphogenesis. Multiple designs are mutated, bred and selected over many generations in a process analogous to Darwinian selection. The artifacts created by such processes look very different from those produced by engineering.¹⁰ An evolved motorcycle chassis will look more like a pelvic bone than a bicycle frame.¹¹ A computer program produced by a process of evolutionary design may be as difficult to understand as a neural circuit in the brain. Thus, the artifacts that are designed by these biologically-inspired processes take on both the beneficial and the problematic characteristics of biological organisms.¹² Their beauty is in their functional adaptation. This is the elegance of the Entanglement: a new expression of beauty emerging from process. In an Entangled design process, the humans will often have input without control; for example, they may influence aesthetic choices by participating in the selection process or by tuning parameters. Such processes lend themselves to collaboration among multiple machines and multiple humans because the interfaces between the parts are fluid and adaptive. The final product is very much a collaborative effort of humans and machines, often with a superior result. It may exhibit behaviors that are surprising to the humans. Some of these behaviors may be adaptive. For example, early walking machines evolved on the Connection Machine took advantage of an obscure round-off error in the floating-point unit that the human programmers did not even know existed.¹³ In this sense, artifacts created by the entangled processes may have some of the robustness of a biological organism, as well as some of the surprise and delight.

Besides displaying the organic beauty of organisms, such designs may also exhibit their complex inscrutability, since it may not be obvious how the features in the artifact correspond to the functional requirements. For example, it may be difficult to tell the purpose of a particular line of code in an evolved program. In fact, the very concept of it having a specific purpose is probably ill-formed. The notion of functional decomposition comes from the engineering process of arranging components to embody causes and effects, so functional intention is an artifact of the engineering process. Simulated biological processes do not understand the system in the same sense that a human designer does. Instead, they discover what works without understanding, which has both strengths and weaknesses. Entanglement artifacts are simultaneously artificial and natural; they are both made and born. In the Age of Entanglement, the distinction has little significance.

As we are becoming more entangled with our technologies, we are also becoming more entangled with each other. The power (physical, political, and social) has shifted from comprehensible hierarchies to less-intelligible networks. We can no longer understand how the world works by breaking it down into loosely-connected parts that reflect the hierarchy of physical space or deliberate design. Instead, we must watch the flows of information, ideas, energy and matter that connect us, and the networks of communication, trust, and distribution that enable these flows. This, as Joshua Ramo¹⁴ has pointed out, is “the nature of our age.”

So what are we to think about this new relationship with our technology and with each other? Should we fear it or embrace it? The answer is both. Like any new powerful force in the world, like Science, it will be used for both good and evil. And even when it is intended to be used for good, we will make mistakes. Humanity has been dealing with this conundrum ever since the first cooking fire got out of control and burned down the forest. Recognizing this does not absolve us from our responsibility, it reminds us why it is important. We are remaking ourselves, and we need to choose wisely what we are to become.

Hillis, D. (2016). The Enlightenment is Dead, Long Live the Entanglement. Journal of Design and Science. Redistributed under Attribution 4.0 International (CC BY 4.0). Images have been added.


[1] Ramo, J.C. The Seventh Sense: Power, Fortune, and Survival in the Age of Networks.

[2] Augmented Age. Autodesk University. 11906.

[3] Augmented Age. Autodesk University. 11906.

[4] bioLogic: Natto Cells as Nanoactuators for Shape Changing Interfaces. 1–10.

[5] CAD Is a Lie: Generative Design to the Rescue. Jan. 6.

[6] Control of a Powered Ankle–Foot Prosthesis Based on a Neuromuscular Model. IEEE Transactions on Neural Systems and Rehabilitation Engineering. 20, 2.

[7] Evolving 3D Morphology and Behavior by Competition. Artificial life. 1, 4, 353–372.

[8] Physical telepresence: shape capture and display for embodied, computer-mediated remote collaboration. 461–470.

[9] Robotically controlled fiber-based manufacturing as case study for biomimetic digital fabrication. Green Design, Materials and Manufacturing Processes, CRC Press (London). 473–8.

[10] Seek.

[11] Shape Displays: Spatial Interaction with Dynamic Physical Form. Computer Graphics and Applications, IEEE. 35, 5, 5–11.

[12] Silk pavilion: a case study in fiber-based digital fabrication. Proc. Fabricate. 248–255.

[13] Talking Nets: An Oral History of Neural Networks. 304–305.

[14] Turing’s Cathedral: The Origins of the Digital Universe. ISBN 1400075998.

Planet DebianSven Hoexter: Moving Archer C7 v2 OpenWRT installation from ar71xx to ath79

I recently moved my Archer C7 v2 running OpenWRT from 18.06 using the ar71xx target to 19.07rc2 using the new ath79 target. Since the release notes are a bit sparse regarding how to achieve the target move, I asked on the IRC channel. Basically you can use sysupgrade as usual, but you have to

  • use force -F and
  • drop the config -n

That implies you have to manually backup your config (basically /etc). I decided to drop everything, since I wanted to repurpose the device slightly.

As a first step I did a reset:

firstboot && reboot now

After setting the password again I scp'ed the ath79 sysupgrade image for the device, and installed it with

sysupgrade -F -n /tmp/tplink_archer-c7-v2-squashfs-sysupgrade.bin

After several minutes the "sun" LED to the right of the power LED was just blinking, but the device was still unresponsive, so I did a full power cycle, and a minute later it was back on.

Thanks to PaulFertser from #openwrt on Freenode.

Upgrade sidenote for dnsmasq and DNSSEC

Usually I install dnsmasq-full to have DNSSEC support. So every time I upgrade I have to remember to disable dnssec before upgrading, because after the upgrade only the default dnsmasq is available, which will fail to start due to a config option it cannot understand. :(

CryptogramChinese Hackers Bypassing Two-Factor Authentication

Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system.

How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will.

Normally, this wouldn't be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecurID software would generate an error.

The Fox-IT team explains how hackers might have gone around this issue:

The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim.

As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.

Planet DebianRuss Allbery: Review: Lords and Ladies

Review: Lords and Ladies, by Terry Pratchett

Series: Discworld #14
Publisher: HarperCollins
Copyright: 1992
Printing: May 2009
ISBN: 0-06-180752-4
Format: Kindle
Pages: 374

This is the fourteenth Discworld novel, the third book to focus on Granny Weatherwax and the witches, and a direct sequel to Wyrd Sisters. That said, I remembered very little of Wyrd Sisters, which I read over ten years ago, and still found it generally comprehensible.

Lords and Ladies opens with Granny Weatherwax, Nanny Ogg, and Magrat Garlick returning home from the events of Witches Abroad. They are immediately plagued by a rash of crop circles, leaving Granny and Nanny quite concerned about the circle of standing stones called the Dancers. Worse, an upstart new coven has been dancing around the Dancers, risking unleashing forces they don't understand. Magrat has other problems: Her very tentative possible future husband has decided that they're to be married on Midsummer's Eve without consulting her first, and she has to adjust to a new and very unfamiliar life as royalty.

It quickly becomes apparent that the lords and ladies of the title, and the threat that Granny and Nanny are concerned about, are elves. These are not noble Tolkien elves, and are even less human and more sinister than the darker sort of fantasy. They are malevolent dimensional travelers who can break through when the walls between worlds are thin, something that is signaled by the sudden appearance of crop circles. As the story unfolds, it becomes clear that the kingdom of Lancre has been plagued by elves before, and that many of the local customs and traditions that now seem without purpose are defense mechanisms. But everyone other than Granny and Nanny has forgotten, and the elves have been offered a bridge back into Discworld.

I generally like Granny Weatherwax, but I think this is relatively minor Pratchett. Granny's normal insight and practical wisdom is transformed here to the anger of someone who remembers why things are dangerous and can't believe other people are playing around with them. That's less interesting, and more cliched, than her normal role. Nanny is obnoxious to her extended family, which Pratchett mostly plays for humor but which I didn't find funny. And Magrat spends most of the book bored and manipulated in ways that made it hard for me to either like her or find humor in her situation.

But the larger problem with Lords and Ladies is that it's a bit overstuffed. Granny and Nanny are pursuing one thread of the plot, Magrat is entangled in another involving castle life, Death shows up somewhat gratuitously, and even some of the wizards from the Unseen University get involved, rolling on the random encounter table as they come. I enjoyed seeing the Librarian again as much as the next Discworld reader, but by the time Pratchett adds in the Morris dancers and some backstory revelations for Granny, it all feels like a bit much. The conclusion is a running multi-front battle that mostly involves characters struggling to get to the right locations, and which I found more confusing than choreographed.

As with Wyrd Sisters, Lords and Ladies is rife with Shakespeare references, particularly A Midsummer Night's Dream but also King Henry V and others. As with all of Discworld, see the Annotated Pratchett File to catch all of the references (but beware of spoilers). It's been a long time since I've read Shakespeare and I've never seen much performed, so most of this was lost on me.

Even weaker Pratchett is still fun, of course. There are lots of good jokes, some thoroughly enjoyable Librarian scenes, and a fair bit of Granny being a badass. I didn't find this take on elves particularly interesting, but the ending is entertaining and satisfying. I don't think this is the book that will sell someone on Discworld, but if you're reading through the series, no reason to skip this one.

Followed, in publication order, by Men at Arms. The later plot sequel is Maskerade.

As an aside, Discworld shows one of the serious drawbacks of the Kindle format and a dedicated reader. The reader does not handle footnotes well. The footnote itself is marked by a tiny underlined asterisk that is very easy to miss on the page or confuse for a quotation mark, and scanning each page for tiny footnote marks distracts from the reading. When I did see one, I then got to play the game of mashing my large finger on the screen four or five times until the Kindle finally realized I was trying to follow the footnote and not turn the page. It was a frustrating experience I mostly gave up on, meaning that I read all the footnotes at once at the end of the book. That's not the expected experience, and I'm now tempted to buy further Discworld books on paper. Or at least use the Kindle tablet app, which can use color to make footnote links slightly more apparent.

Rating: 7 out of 10

Worse Than FailureBest of…: Best of 2019: Temporal Obfuscation

It's the holiday season, and we use this opportunity to take a week and reflect on the best stories of the year. Here, we reach back to January for a tale of variable names and convention. --Remy

We've all been inflicted with completely overdesigned, overly generalized systems created by architects, er, managers who didn't know how to scope things, or when to stop.

We've all encountered premature optimization, and the subtle horrors that can spawn therefrom.

For that matter, we've all inherited code that was written by individuals, er, cow-orkers who didn't understand that this is not good variable naming policy.

Jay's boss was a self-taught programmer from way back in the day and learned early on to write code that would conserve both memory and CPU compilation cycles for underpowered computers.

He was assigned to work on such a program written by his boss. It quickly became apparent that when it came to variable names, let's just say that his boss was one of those people who believed that usefully descriptive variable names took so much longer to compile that he preemptively chose not to use them, or comments, in order to expedite compiling. Further, he made everything global to save the cost of pushing/popping variables to/from the stack. He even had a convention for naming his variables. Integers were named I1, I2, I3..., strings were named S1, S2, S3..., booleans were named F1, F2, F3...

Thus, his programs were filled with intuitively self-explanatory statements like I23 = J4 + K17. Jay studied the program files for some time and had absolutely no clue as to what it was supposed to do, let alone how.

He decided that the only sane thing that could be done was to figure out what each of those variables represented and rename it to something appropriate. For example, he figured out that S4 was customer name, and then went through the program and replaced every instance of S4 with customer_name. Rinse and repeat for every variable declaration. He spent countless hours at this and thought that he was finally making sense of the program, when he came to a line that, after variable renaming, now said: account_balance = account_balance - zip_code.

Clearly, that seemed wrong. Okay, he must have made a mistake somewhere, so he went back and checked what made him think that those variables were account balance and zip code. Unfortunately, that's exactly what they represented... at the top of the program.

To his chagrin, Jay soon realized that his boss, to save memory, had re-used variables for totally different purposes at different places in the program. The variable that contained zip code at the top contained item cost further down, and account balance elsewhere. The meaning of each variable changed not only by code location and context, but also temporally throughout the execution of the program.

It was at this point that Jay began his nervous breakdown.


Planet DebianRuss Allbery: podlators 4.13

podlators provides the utilities to convert Perl's POD documentation syntax to text and man pages.

In this release, I finally dropped support for Perl 5.6. Even CPAN testers have stopped testing a version this old, and it isn't available on Travis-CI, which means that support may well regress without me knowing about it. It felt like time.

I considered bumping the required version high enough that I could use a few new features (use parent and the version argument to package), but I decided to be conservative since CPAN testers are still actively testing Perl 5.8, so I only bumped the required version to 5.8.

I also finally tracked down the weird inconsistencies in S<> handling with Pod::Text, which turned out to be due to Unicode strings changing the meaning of \s in regexes. This should now be consistent regardless of the input character set.

Finally, this release changes some Pod::Text::Termcap behavior. Zenin pointed out that it doesn't make sense to assume ECMA-048 escape sequences if Term::Cap doesn't provide escape sequences for one of the types of formatting that we want to do, so this release gets rid of the fallbacks if Term::Cap doesn't have relevant information. It also removes a workaround for problems on ancient Solaris systems that led the module to set the TERMPATH environment variable globally, which is poor behavior for a module.

You can get the latest release from CPAN or from the podlators distribution page.

Planet DebianJacob Adams: Looking for Summer 2020 Internship

I’m a junior at William and Mary majoring in Computer Science and Linguistics, currently looking for an internship in software development over the summer. Ideally, I’d like to be in Northern Virginia, though I would look into temporarily relocating for an awesome opportunity.

My current experience includes a lot of time working in a Linux environment programming in Python, C, and a bit of Rust and Go. Specifically, I am interested in being part of a team working on systems programming or back-end web development.

Previous Experience

I participated in Google Summer of Code 2018 with Debian, building a PGP Clean Room Live CD for easy offline GPG key management. This project required collaboration with various open source maintainers in Debian and GnuPG, as well as keeping my mentor regularly informed of my progress. I had to meet a strict schedule of features in order to succeed.


I’ve maintained a few packages in Debian for a while now. I maintain 9wm (a simple X11 window manager based on Plan 9’s rio), sct (an X11 utility to set the screen’s color temperature like f.lux or Night Shift on iOS), and swapspace (a daemon for managing dynamic swap files on Linux).

Please get in touch!

If you know of any opportunities please reach out and I will send you my resume.


Worse Than FailureBest of…: Classic WTF: The Glitch Who Stole Christmas

It's Christmas, and we're going to spend the next week remembering the best moments of 2019, but for now, let's go back to an old Christmas classic. Original.

Every Dev down in Devville liked Christmas a lot…
But the PM who lived in the corner office did NOT!
The PM hated Christmas! The whole Christmas season!
Now, please don’t ask why. No one quite knows his reason.
It could be his head wasn’t screwed on just right.
It could be, that his project timeline was too tight,
But I think the most likely reason of all,
May have been that his brain was two sizes too small.

Whatever the reason, his brain or his sprint,
He stood there on Christmas Eve, squinting a squint,
Staring down from his desk with a sour, PM grimace,
At the cold dark monitors around the office.

For he knew every Dev down in Devville beneath,
Was busy now, hanging a mistletoe wreath.
“And they’re hanging their stockings!” he snarled with a sneer
“The milestone’s tomorrow! It’s practically here!”
Then he growled, with his PM fingers nervously drumming,
“I MUST find some way to stop Christmas from coming!”
For tomorrow, he knew, all the Dev girls and boys,
Would wake up bright and early. They’d rush for their toys!

And then! Oh, the noise! Oh, the Noise!
Noise! Noise! Noise!
That’s one thing he hated! The NOISE!

Then, the devs, young and old, would sit down to a feast.
And they’d feast! And they’d feast! And they’d FEAST!

They would feast on Soylent, and rare energy drinks,
This was something the PM couldn’t stand to think,
And THEN they’d do something he liked least of all!

Every dev down in Devville, the tall and the small,
Would log on together, network lights blinking.
They’d stand, lan-on-lan. And the devs would start playing!
They’d play! And they’d play! And they’d PLAY!

And the more the PM thought of this dev Christmas-thing,
The more the PM thought, “I must stop this whole thing!”
“Why, for twenty-three years I’ve put up with it now!”
“I must stop this Christmas from coming! But HOW?”

Then, he got an idea! An awful idea!
The PM got a wonderful, awful idea!

“I know just what to do!” the PM laughed with a hoot,
And then he ran a command and made a server to reboot.
And he chuckled, and clucked, “What a great PM trick!”
“With the server down, they’ll need to come back in, and quick!”
“All I need is an outage…” the PM looked around.
But, since load balancers are robust, there was none to be found.

Did that stop the old PM? No! The PM simply said,
“If I can’t make an outage, I’ll fake one instead!”
So he fired up Outlook, made the font color red,
And typed out a message which frantically said:

“The server is down, the application has crashed,
The developers responsible should have their heads bashed!”

Then the PM clicked SEND and the chain started down,
From the CEO to the devs, asnooze in their town.
All their windows were dark. Quiet snow filled the air.
All the devs were all dreaming sweet dreams without care.

Then he did the same thing to the other Devs’ projects,
Leaving bugs and errors and emails with scary subjects.
“The project is late, we surely are doomed,”
He wrote and sent and the emails zoomed.

And the PM grabbed the source tree and he started to skim,
When he heard someone asking, “Why are you in VIM?”
He turned around fast, and he saw a small Dev!
Little Tina-Kiev Dev, who was an SAII,
The PM had been caught by this tiny code enabler,
Who’d come to the office for her red stapler.

She stared at the PM and said, “Project Lead, why,”
“Why are you checking our source tree? WHY?”
But you know, that old PM was so smart and so slick,
He thought up a lie and he thought it up quick!
“Why, my sweet little tot,” the fake developer lied,
“A line in this code won’t lint and that commit’s denied”
“So I’m checking in a patch, my dear.”
“I’ll release it out there after I fix it up here.”
And this fib fooled the dev. Then he patted her head.
And he got her a red stapler and sent her to bed.

“Feh, feh to the devs!” he was PMishly humming.
“They’re finding out now that no Christmas is coming!”
“They’re just waking up! I know what they’ll do!”
“Their mouths will hang open a minute or two,”
“Then the devs down in Devville will all cry ‘Boo hoo!’”
“That’s a noise,” pipped the PM, “That I simply must hear.”

So he paused. And the PM put his hand to his ear.
And he did hear a sound rising over the snow.
It started in low. Then it started to grow.
But the sound wasn’t sad! Why this sounded merry!
It couldn’t be so! But it WAS merry! Very!

He stared down at Devville! The PM popped his eyes!
Then he shook! What he saw was a shocking surprise!

Every Dev down in Devville, the tall and the small,
Was playing! Without any calls at all!
He hadn’t stopped Christmas from coming! It CAME!
Somehow or other, it came just the same!

And the PM, with his PM-feet in sensible shoes,
Stood puzzling and trying to understand this news.
“I sent emails! I marked them important!”
“I filed tickets with statuses of urgent!”
And he puzzled three hours, till his puzzler was sore.
Then, the PM thought of something he hadn’t thought of before!

“Maybe Christmas,” he thought, “doesn’t disrupt my sprint,”
“Maybe Christmas… perhaps blocked days aren’t a misprint.”
And what happened then? Well… in Devville they say,
That the PM’s small brain grew three sizes that day!
And the minute his schedule didn’t feel quite so tight,
He whizzed out of the office through the bright morning light.

Happy Holidays!


Planet DebianRuss Allbery: Review: The Shell Seekers

Review: The Shell Seekers, by Rosamunde Pilcher

Publisher: Thomas Dunne
Copyright: 1987
Printing: May 2015
ISBN: 1-250-06378-7
Format: Trade paperback
Pages: 632

In science fiction and fantasy, I try to follow the genre closely enough that I try out new books, discover less-well-known writers I enjoy, and can follow discussions about best-of lists, award nominees, and current trends in the genre. The occasional downside of following a genre this closely is that I read a lot of "just okay" books, and occasionally some bad books. (I love y'all, but some of the things you nominate for awards are... not good.)

In other genres, such as multi-generational family drama, I read selectively and rely heavily on recommendations. This tends to make the ratio of hits to misses much better. The Shell Seekers was one of those recommendations (in this case from my mother), and it's definitely a hit.

The story opens with Penelope Keeling returning home (despite the wishes of the doctors) to her comfortable house after a heart attack. Her three children react to that with varying degrees of usefulness: Nancy, her eldest, generates an endless series of worries and problems that she feels obligated to deal with, such as ensuring that her mother doesn't live alone. Olivia, the far more sensible middle child (and a high-profile magazine editor), defends her mother, not that her mother needs all that much defending, and otherwise stays out of her business beyond the occasional visit. Noel, her youngest, does care about her mother's health, but is not the sort of person to worry much about other people's problems. He's far more interested in whether his mother has kept any of her father's rough sketches for his paintings, work that is soaring in value due to a renewal of interest in Victorian painters.

That's the starting point of the present-time story arc, but The Shell Seekers broadens from there to adroitly mix in scenes from the past: Olivia's (truly beautiful) romance in Spain with a man named Cosmo, Penelope's young adulthood at the seacoast with her much-older father and her young French mother who treated her more like a beloved sister, and eventually the shape of her disappointing and ill-advised wartime marriage.

One theme of this book is Bohemians. Penelope's parents were both part of that culture and Penelope was raised in it, traveling between France and the English coast. Penelope carries on the tradition in her own way in her house in the city where she raised her children, always full of guests and food and life lived largely in the kitchen. Olivia and Cosmo's relationship reprises that life with a more modern feel, a much-needed vacation for Olivia from her intense world of publishing deadlines and careful orchestration. And Antonia, Cosmo's daughter, is the next generation of that same mix of an open heart and a pragmatic attitude towards life. I found it impossible not to love those characters and feel soothed by their joy in life, particularly in their sharp contrast with Nancy's constant worrying and Noel's avarice.

The other theme I picked up, somewhat more subtle, is learning how to live for yourself and find happiness in the things that matter to you. The reader slowly discovers that behind Penelope's confident and grounded old age was a life with substantial hardship and a secret (and alternate life course not followed) that none of them knew about. Watching her struggle and find a path through her life events provides foundation and depth to her decisions later in the book to handle her affairs in exactly the way that is the most meaningful and satisfying to her, regardless of the opinions of her children.

I liked Olivia a lot, but Penelope made this book. Olivia has a reserve, a determined insistence to be her own person and thrive in her world. I respected her, but it was Penelope and her pragmatism and her refusal to care what anyone thinks of her that I connected with. The book sets up a potential conflict with Nancy and Noel, potentially even an exploitative one, but Pilcher reassures the reader at just the right points that Penelope knows perfectly well what's going on and how to deal with it.

This isn't a book with villains, exactly, but it's hard not to dislike Nancy and Noel, both of whom are different object lessons in not being satisfied with the life that one has. Nancy is the most frustrating. She's the sort of person who would claim to have sacrificed everything for her family, and yet doesn't seem to understand or care about the family that she is supposedly sacrificing for. She is a bit of a cliché, but the contrast she makes with Penelope, Olivia, and Antonia is very effective within the story. Noel is more insidious: occasionally charming on the surface, but self-centered, greedy, and deceptive.

The Shell Seekers is a long and sprawling book, but except for a few of the World War II chapters in which Penelope is making a series of bad decisions and the reader has to endure them and their consequences, it never dragged for me. Pilcher moves lightly over the least likable characters or injects a bit of perspective into their viewpoint chapters so that the reader doesn't bog down, and some of the chapters in which her best characters are enjoying themselves are beautiful, slow celebrations of life and love that I thoroughly enjoyed reading.

I do have some quibbles: The ending was sadder than I would have liked (although the other closing events of the story were perfect), Penelope's marriage was depressing to read about, and Danus (the gardener who Penelope hires near the start of the book) has an oddly melodramatic background that rang false at several points to me. But they're just quibbles. This was a great book and a perfect thing to read during a lazy, relaxing vacation. Recommended.

One warning: The Publishers Weekly review leads off with significant spoilers for something only revealed halfway through the book, and is of course quoted on places where you might buy this book. I recommend trying not to read that bit.

Rating: 9 out of 10


CryptogramToTok Is an Emirati Spying Tool

The smartphone messaging app ToTok is actually an Emirati spying tool:

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the United States last week, according to app rankings and App Annie, a research firm.

Apple and Google have removed it from their app stores. If you have it on your phone, delete it now.

Planet DebianBenjamin Mako Hill: Reflections on Janet Fulk and Peter Monge

In May 2019, my research group was invited to give short remarks on the impact of Janet Fulk and Peter Monge at the International Communication Association’s annual meeting as part of a session called “Igniting a TON (Technology, Organizing, and Networks) of Insights: Recognizing the Contributions of Janet Fulk and Peter Monge in Shaping the Future of Communication Research.”


I gave a five-minute talk on Janet and Peter’s impact to the work of the Community Data Science Collective by unpacking some of the cryptic acronyms on the CDSC-UW lab’s whiteboard as well as explaining that our group has a home in the academic field of communication, in no small part, because of the pioneering scholarship of Janet and Peter. You can view the talk in WebM or on Youtube.

[This blog post was first published on the Community Data Science Collective blog.]

Worse Than FailureCodeSOD: Caga Tió

As we plow into the holiday season, it’s important to remember that each submission- each bit of bad code, each horror story, each personal confession- is its own little gift to us. And, when you write a bit of bad code, you can think of it as a gift for whoever follows you.

Photograph of a typical contemporary Tió

Georgeanna recently opened a gift. She was wondering how their logging layer managed its configuration. She assumed that it would just read it from the config file, but when she tried to change where the logging file got written, say, to report.log, it would turn into report.log.staging.log.

It wasn’t hard to figure out why:

if ($env === "staging") {
    $logpath = self::getLogPath();
    /* Since the staging environment uses the same .ini as the
     * production environment, do an override here. */
    self::$logfile = $logpath . "staging.log";
}

The comment sums it up. Instead of managing multiple configuration files and deciding which one to use when you deploy the code, this just used one single config file and then conditionals to decide what behavior to use.

This reminds me of a gift I opened once. I once worked for a company where every application was supposed to reference the standard Environment.dll, and then check isProd or isStaging or isDev and use conditionals to change behavior (instead of having a per-environment config file).

Worse still was what happened when I opened the DLL code: it just checked c:\environment.txt which had “prod”, “stage”, or “dev” written in it. No, it didn’t handle exceptions.
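As an added example (not the article's code, nor the submitter's project), here is the runtime-override pattern from the snippet above beside the alternative the article points at: one config file per environment, selected from a validated environment name, failing closed when the name is missing, unknown or the file is unreadable. `Config`, `loadConfig`, `APP_ENV` and the `config.<env>.ini` layout are assumptions made for the illustration.

```php
<?php
// Added example, not the code from the article or the submitter's project.
// Config, loadConfig, APP_ENV and the config.<env>.ini layout are assumptions.
declare(strict_types=1);

final class Config
{
    // The only environments this deployment knows. Anything else is refused
    // instead of silently falling through to "not staging".
    private const KNOWN_ENVS = ['prod', 'staging', 'dev'];

    /**
     * The article's pattern: a single .ini shared by production and staging,
     * patched at runtime. Whatever getLogPath() returned, "staging.log" is
     * glued onto it; when that value already names the file configured in the
     * .ini, "report.log" turns into "report.log.staging.log" as Georgeanna saw.
     */
    public static function legacyLogFile(string $env, string $logpath): string
    {
        $logfile = $logpath;
        if ($env === 'staging') {
            $logfile = $logpath . 'staging.log';   // behaviour kept as in the snippet
        }
        return $logfile;
    }

    /**
     * Per-environment configuration. The deploy step puts exactly one
     * config.<env>.ini in place; the application reads only the file named by
     * an allow-listed APP_ENV and fails closed on anything unexpected, rather
     * than defaulting to some other environment's behaviour because a marker
     * file was missing or held an unexpected value.
     */
    public static function loadConfig(string $configDir, ?string $env): array
    {
        if ($env === null || !in_array($env, self::KNOWN_ENVS, true)) {
            throw new RuntimeException(
                'APP_ENV missing or not one of: ' . implode(', ', self::KNOWN_ENVS)
            );
        }
        $file = $configDir . DIRECTORY_SEPARATOR . "config.$env.ini";
        if (!is_readable($file)) {
            throw new RuntimeException("config file not readable: $file");
        }
        $ini = parse_ini_file($file, false, INI_SCANNER_TYPED);
        if ($ini === false || !isset($ini['logfile']) || !is_string($ini['logfile'])) {
            throw new RuntimeException("config file invalid or missing logfile: $file");
        }
        return $ini;
    }
}

// Demonstration with constructed files in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/config.prod.ini",    "logfile = \"/var/log/app/report.log\"\n");
file_put_contents("$dir/config.staging.ini", "logfile = \"/var/log/app/report.staging.log\"\n");

// The override, with a constructed stand-in for what getLogPath() returned:
echo Config::legacyLogFile('staging', '/var/log/app/report.log.'), PHP_EOL;
// /var/log/app/report.log.staging.log

// The replacement: each environment reads its own file ...
foreach (['prod', 'staging'] as $env) {
    echo $env, ' -> ', Config::loadConfig($dir, $env)['logfile'], PHP_EOL;
}
// prod -> /var/log/app/report.log
// staging -> /var/log/app/report.staging.log

// ... and a value nobody configured (constructed here as "qa") is refused
// instead of being treated as production or development.
try {
    Config::loadConfig($dir, 'qa');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}

array_map('unlink', glob("$dir/*.ini"));
rmdir($dir);
```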


Planet DebianRuss Allbery: Review: Swordheart

Review: Swordheart, by T. Kingfisher

Publisher: Argyll
Copyright: November 2018
ISBN: 1-61450-463-6
Format: Kindle
Pages: 417

(Content note: Some discussion of suicide.)

Swordheart is set in the same fantasy world as Clockwork Boys and The Wonder Engine and a little later than those books, so it contains mild spoilers for some of their plot. But it's not a sequel, and is quite readable on its own.

It was almost exactly a year ago from the time of this writing that my husband and I were in the kitchen and I was ranting about how much Elric — Michael Moorcock's Elric — whined about everything. "If you ask me," I said, "the real victim was his sword Stormbringer. The sword had to listen to him whine and couldn't leave. But does anybody ever ask the magic sword's opinion? Noooo."

This is from the author's note by T. Kingfisher (aka Ursula Vernon) at the end of the book, but I think it's the perfect introduction (although in this case the sword does more of the whining than the wielder).

At the start of the book, Halla has inherited a substantial estate. This is doing her no good, given that she's locked in a room on that estate by her relatives, whose solution to her unexpected inheritance of her uncle's property is to try to force her to marry her cousin and thus hand that inheritance back over to him. The only way Halla sees out of this situation is to kill herself. Conveniently, there's a large sword among the clutter in the room in which she's trapped.

To say that the sword disagrees strongly with this plan is an understatement.

Sarkis is the sword in question. Or, to be more precise, Sarkis is bound inside the sword in question, summoned whenever the wielder of the sword draws the blade. He's also bound to protect the wielder of the sword, built like a tank, and more than capable of defending Halla against her relatives and their hired guard. Reaching a mutual agreement on this point with Halla is considerably harder, given their entirely non-overlapping frames of reference and Halla's uncanny ability to derail almost any conversation with endless questions.

Escaping Halla's home is the prelude to a quest to get Halla's rightful inheritance back, one that eventually also entangles a lawyer-priest and a gnole. It's also the beginning of a romance that readers of The Wonder Engine will find somewhat familiar. Sarkis is not exactly a paladin and Halla is nothing like Slate, but the romance follows a similar halting dynamic with extensive internal monologues (and some mutual incomprehension). This romance is further complicated by Sarkis's own secrets.

The romance once again didn't quite work for me. The attraction is primarily physical at first, and I wasn't sure what Halla sees in Sarkis. He's not quite as intense on the self-pity as Caliban, but he has some similar tendencies, and the resolution of his deep secrets struck me as unnecessarily melodramatic. The romance also has some irritating periods of the two of them not talking to each other.

The rest of the book, though, is great. Kingfisher's gnoles continue to delight with their quiet judgment of humans, occasional aphorisms, and determined ability to stick to gnole business. The plot has a tendency to roll on the random encounter table from time to time, but it moves right along, includes some enjoyable twists, and has a satisfying ending. But the true highlight of the book is Halla.

The first few chapters establish Halla's runaway train of thought, which leaps from topic to topic and chases odd ideas across the furniture and down into burrows. The contrast with Sarkis's semi-formal seriousness is a great bit of mood-setting humor. But Halla goes much deeper than that. Over the course of the book, Kingfisher makes clear that Halla's leaps of logic and distracting questions are both personality and a deliberate tactic, one carefully designed as protective camouflage in more ways than one. It's beautifully done and, alongside Halla's practical competence and willingness to grapple with any idea, makes her just as capable as any other character in the story, just along an entirely different axis than fighting or wielding authority. It's also a bit like reading a fantasy novel with running commentary from someone who is both mostly unflappable and intensely curious about everything.

(And yes, it's hard not to read a lot of Halla's lines in the same voice as Ursula Vernon's Twitter posts.)

This is a delightful sword and sorcery novel with some real depth of characterization. It's also a bit lighter than The Wonder Engine, which matches what I was in the mood for. I had some trouble with both the romance and the melodrama of the last major plot challenge, but it kept me happily turning the pages. Recommended.

Swordheart is complete on its own, although Kingfisher says in her author's note that it's likely to be the first book of a trilogy.

Rating: 8 out of 10


Planet DebianGregor Herrmann: european train systems

I plan to go to two upcoming debian/FLOSS events, & I'd rather go by train than by plane or car. & that's quite difficult, in central europe, in 2020.

the events I want to go to are:

  • FOSDEM, the "free & open source developers' european meeting", the probably hugest FLOSS conference in europe, held in bruxelles, belgium; with a MiniDebCamp before.
  • SnowCamp, a small cosy DIY MiniDebCamp in laveno-mombello, italy.

now what about the trains? bruxelles is the capital of europe, & laveno-mombello is just approx. 400 km from here (i.e. closer than the capital of my country). still, no train company would sell me a ticket to these destinations.

no train company? well that's slightly exaggerated. for one of the destinations (bruxelles), one company (DB) would sell me a ticket, if I trick the web interface into showing me the connection I want by adding some 'via' entries with appropriate durations. ÖBB fails because it doesn't sell thalys tickets, & also no ICE tickets, for the last leg. – so either DB with some trickery, or ÖBB plus either thalys or DB, & hope that there are no delays.
ÖBB is also very proud of their new nightjet connection to bruxelles (from vienna & innsbruck), starting in january 2020. what they don't announce widely is that this train goes only 2 times per week. (of course not the days I need.)

for the trip to laveno-mombello I could either go via verona/milano & buy a ticket from ÖBB until verona & a ticket (actually three) from trenitalia for the rest; or go via switzerland & buy a ticket from ÖBB until bellinzona, a ticket from SBB for the 10+ minutes to cadenazzo, & a ticket from trenord from cadenazzo until laveno-mombello. (that's already the summary; neither ÖBB nor DB nor SBB nor trenitalia nor trenord would sell me a ticket for the whole journey. trenitalia also doesn't know cadenazzo, btw. ÖBB would also sell me a ticket to cadenazzo, it's just roughly 100 EUR more expensive than the sparschiene-ticket to bellinzona.)
two years ago I did the former; & 8 of the 8 trains were delayed on departure or arrival or both. obviously the trip with its three changes per direction took almost twice the time of just taking the car.
last year, a friendly soul picked me up with their car after one train trip, & probably we'll do it the same way again this year.

so what is it that I want to say?

first of all I'm looking forward to the MiniDebCamp+FOSDEM & to SnowCamp, & I thought I should promote those events a bit more :)

& second, the state of train companies in europe is a big FAIL:

  • ÖBB & DB on the one hand, & trenitalia on the other hand have had some fight for a couple of years; they don't even list each others' train connections in their respective online schedule, let alone offer tickets; & there are also less&less connections on the münchen/innsbruck/verona route;
  • ÖBB (in its terrible new app/website) happily shows connections for which they then don't sell tickets ("attention: ticket only covers part of the journey");
  • SBB & DB happily let you spend lots of time in their online ticket webapps, & then are very sorry in the end that they can't sell you the ticket you've clicked together;
  • I'm aware that there are still "national" train companies, & that there are still so-called "borders" between so-called "nation states" but frankly, I don't care about either;
  • mostly because those virtual lines on the maps have no significance to me; but also practically because in a part of the world where there are so many of them close to each other it's just ridiculous that they have any practical impact on travelling by public transport (remember, going to laveno-mombello via the "west route" I go through austria, liechtenstein, switzerland, & italy; for just roughly 400km);
  • I mean there's schengen, & at least until 2015 noone asked for any passports on these routes; still the train companies have the tunnel vision of their "national" territory;
  • I don't want to spend literally hours on more or less (typically more) broken train company website to find out about possible connections & typically find no possible tickets for those connections;
  • if I want to go from A to B in europe, I want to go to one website & just buy the <insert-appropriate-adjective-here> ticket there;
  • either one of the legacy national ones or a combined european train system website (btw, rail_dot_eu & train_dot_eu are both squatted);
  • & don't tell me about etc., they don't know about half of the existing connections;
  • interim summary: can I please just buy a train ticket? could you please just take my money?;
  • in the end this is a political question. the EU has regulated roaming mostly successfully (crossing the swiss border: calls 2 EUR/min. out, 1 EUR/min. in, sms: 0.4 EUR, data: 1.5 EUR/100kb (!));
  • it's about time that the EU regulates "cross-border" train travel as well;
  • & I'm not talking about prices, I JUST WANT TO BUY A TICKET FROM A TO B ON ONE WEBSITE; pretty please; in europe; in 2020.

ok, end of rant.
& I'm looking forward to the aforementioned events, even if it's a major pain to sort out the transportation to get there.
(could we have teleportation please? the quantum physicists say no. too bad.)

Planet DebianGregor Herrmann: init system GR

finally – the third call for vote has already gone out – I took the time to cast my vote in the debian init system GR (General Resolution), the vote of debian members about the project's further course with regard to init systems.

for those who care about others' opinions before the poll closes: I voted H > G = D > F = E > FD > B > A, & here's why (note that I don't claim that this is necessarily 100% logically consistent):

  • H is a combination of guillem's principles, which I share, & ian's rather detailed guidance on how to proceed in the spirit of enabling a compromise & make progress together. that makes most sense to me.
  • G is guillem's proposal with his original principles & a short guidance section that explains why no more detailed guidance makes sense. on the one hand, I prefer more guidance in order to help e.g. the policy editors (that's why I ranked H higher), on the other hand, I still agree with the text & think that it could work, at least if we concentrate on cooperation.
  • D is ian's proposal with the detailed processes; since I liked them in option H, I still like them even without the principles, just a bit less :)
  • why did I rank G & D equally? I guess that was basically my gut telling me to do so … in any way, I prefer H & G & D clearly more than the other options:
  • F & E are the "extreme" positions in this vote ("focus on systemd" vs. "all init systems must work"). I'm not a big fan of either of them, as I favour a future which gives everyone their space within debian. still I ranked them over FD (further discussion) because a clear direction seems more useful to me than dragging this discussion on. & I ranked them equally because personally I could live with both of them (yes, init systems are not a matter totally close to my heart …).
  • B & A ended up below FD in my ballot (i.e. "better no result than this one") because I don't see what new they would bring to the ballot, not already covered in the other options; I find them a bit hard to read (as in "what consequences would they really have?"); & I much dislike the mingling of NMUs (non-maintainer uploads) with a GR about init systems in option A.

finally, thanks to all the people who worked hard to prepare this GR & did the work to come up with the various options; let's see if I change my vote (& this blog post) in the remaining days; & in any case, we'll soon (after Friday 2019-12-27 23:59:59 UTC) see the results, first on the secretary's voting page & on the debian-vote mailing list.

Planet DebianAndreas Bombe: Other Vintage Computer Replication Projects

A few weeks back, I was showing my PDP-8/e project at the Vintage Computer Festival in Zurich. While I was doing my project, I haven’t really checked if there were other projects like this. At least for the PDP-8 I knew there wasn’t, the only FPGA core I could find was a new implementation of the architecture that is binary compatible but doesn’t attempt to replicate the structure and instruction cycles of any specific PDP-8.

At this VCFe I found there were two other projects that also aim at recreating computers in FPGAs from original schematics. One is a DEC PDP-6, the other is an IBM System/360 Model 30. The IBM one is also interesting in that it appears to create a live image of the front panel state on its VGA output. At the VCFe however, it was connected to an original front panel, making it much more impressive.

From talking to the people involved in these projects I gathered that they have some challenges with the lack of a central clock that drives synchronous logic, a design method that is central to modern logic and the kind of hardware that can most efficiently be implemented in FPGAs. Apparently there are many places where logic delays were integral to both the PDP’s and IBM’s logic, and those are not simple to implement especially when the delay is not well documented in the schematics.

The PDP-8/e I am recreating also has logic running off of generated logic signals that are used as clock signals for flip-flops all over the place. However, all this is backed by a well defined timing phase and timing pulse generator backed by a 20 MHz oscillator. I found converting the schematics to synchronous logic rather straightforward as I have elaborated on here.

Planet DebianBenjamin Mako Hill: Strange Creatures

I found what appears to be a “turtile” on the whiteboard in the Community Data Science lab at the University of Washington.

[See previous discussion for context.]

TEDA dangerous woman: Pat Mitchell speaks at TEDWomen 2019

Pat Mitchell speaks at TEDWomen 2019: Bold + Brilliant, December 4-6, 2019, Palm Springs, California. Photo: Marla Aufmuth / TED

Pat Mitchell has nothing left to prove and much less to lose. Now more than ever, she cares less about what others say, speaks her mind freely — and she’s angry, too. She’s become a dangerous woman, through and through.

Not dangerous, as in feared, but fearless; a force to be reckoned with.

On the TEDWomen stage, she invites all women, men and allies to join her in embracing the risks necessary to create a world where safety, respect and truth burn brighter than the darkness of our current times.

“This is all possible because we’re ready for this. We’re better prepared than any generation ever before us,” she says. “Better resourced, better connected, and in many parts of the world we’re living longer than ever.”

On the cusp of 77 years old, Mitchell would know what it takes to make possibilities reality from her own career blazing an award-winning trail across media and television. Before she launched TEDWomen, she produced and hosted breakthrough television for women, and presided over CNN Productions, PBS and the Paley Center for Media, taking risks all along the way.

“I became a risk-taker early in my life’s journey. I had to, or have my life defined by the limitations for girls growing up in the rural South, especially … with no money, influence or connections,” she says. “But what wasn’t limited was my curiosity about the world beyond my small town.”

She acknowledges her trajectory was colored with gendered advice — become blonde (she did), drop your voice (she tried), lower your necklines (she didn’t) — that sometimes made it difficult to strike a balance between her leadership and womanhood. But now, declaring her pride as a woman leader, activist, advocate and feminist, she couldn’t care less what others say.

Even further, Mitchell states that women shouldn’t wait to be empowered — they must wield the power they already hold. What’s needed are more opportunities to claim, use and share it; for those who’ve forged their paths to reach back and help change the nature of power by dismantling some of the barriers that remain for those who follow.

Iconic playwright George Bernard Shaw, she shares, once wrote: “Life is not a brief candle to me. It is a sort of splendid torch which I have got hold of for a moment, and I want to make it burn as brightly as possible before handing it on to future generations.”

Pat Mitchell believes we’re more than equipped to move our communities forward, together. We have the funds, the technology and the media platforms to elevate each other’s stories and ideas for a better livelihood, a better planet.

And for Mitchell there’s no question that she walks in the same footsteps as Shaw’s, looking forward to a near future where we are willing to take more risks, to be more fearless, to speak up, speak out and show up for one another.

“At this point in my life’s journey, I am not passing my torch,” she says. “I am holding my splendid torch higher than ever, boldly and brilliantly — inviting you to join me in its dangerous light.”

Pat Mitchell speaks at TEDWomen 2019: Bold + Brilliant, December 4-6, 2019, Palm Springs, California. Photo: Marla Aufmuth / TED

Planet DebianRomain Perier: My Raspberry PI 4 4GB


I have received my Raspberry PI 4 4GB that has been funded by the Debian project. I would like to thank the DPL and Gunnar Wolf for this (who vouched for me).

So today, I have unpacked the board and tested it with the default flashed noobs/raspbian, so I could check that everything is working as expected (from the hardware point of view; I have already had bad surprises in the past with some evaluation boards).

Interesting topics will come soon, mostly about booting Debian testing/sid on it, adding support to raspi-firmware and the Linux kernel for enabling the Pi 4, and some variant drivers for the bcm2711.

See you !

Worse Than FailureOut Of Necessity


Zev, a longtime reader of The Daily WTF, has a confession to make.

It all started with the best of intentions. Zev works for a large company doing custom development; they use various databases and tools, but the most common tool they're asked to develop against is VBA for Microsoft Excel with an Access backend. One recent project involved data moving from an on-premise SQL Server solution to the cloud. This meant rebuilding all their reports to connect to an API instead of using ODBC to get the data. Enter Zev.

The cloud tool was pretty well developed. By passing in an API key, you could get data back in a variety of formats, including JSON, HTML, XML, and CSV. Obviously choice number one was JSON, which is quickly becoming the de facto language of APIs everywhere. Upon doing a quick survey, however, Zev found many of his users were stuck on Office 2013, which can't parse JSON natively.

No worries. There's always XML. Zev churned out a quick Excel file with an XML-map in it and used code to pull the data down from the API on demand. Now the hard part: plugging into Access. Turns out, in Office 2013, you can't use a network XML file as a data source, only a local one.

Well, Excel can feed the data into a table, which Access can read, but that takes longer. In Zev's case, far too long: minutes, for a relatively small amount of data. Okay, no problem; the code can download the XML to a local file, then connect to it as an XML table. Except that turns out to be no faster.

Zev's next try was to build Excel files for each of the queries, then connect Access to the Excel files as tables. Then he could add code to open and refresh the Excel files before using them. On some days, that took longer than the old way, while on other days it worked fine. And sometimes it managed to lose the Excel files, or they'd run into lock file issues. What gives?

Zev's testing concluded that the same query returning took twice as long via XML as it did via CSV, which makes sense: XML is about twice as fat as CSV. So the final product used VBA to download the data as a CSV file, then connect to the CSV file as a local Excel table through Access.

In Zev's own words:

My greatest fear is that someone will see this code and submit it to the Daily WTF and ask “why?”

We tried to use JSON, because it is the new hotness. But lo, our tools did not support it. We tried to use XML because it was the last hotness. But lo, it took too long to process. Shuddering and sobbing, we defaulted to CSV. And so we wrote code 20 years out of date, not out of hubris or lack of desire to learn, but out of cold, heartless, necessity.


Sam VargheseFast bowlers have lost their balls

There was a time in the 20th century when there were more class fast bowlers in the game of cricket than at any other. Between 1974 and 1994, pacemen emerged in different countries as though they were coming off an assembly line.

It made the game of cricket, which many call boring, an exciting spectacle.

From Dennis Lillee and Jeff Thomson, to Andy Roberts, Michael Holding, Colin Croft, Joel Garner, the late Malcolm Marshall, Imran Khan, Sarfraz Nawaz, Wasim Akram, Waqar Younis, Devon Malcolm, Bob Willis, Ian Botham, Allan Donald, Fanie de Villiers, Richard Hadlee, Courtney Walsh, Curtly Ambrose, Patrick Patterson and Craig McDermott, they were of several different types and temperaments, as is to be expected.

But in one aspect they were all the same: they went out aiming to scare the batsmen into getting out and they mostly succeeded. At times, they resorted to verballing the batsmen as when Marshall reportedly told David Boon, “Are you going to get out or do I have to come around the wicket and kill you?”

Since the mid-1990s, the type of fast bowler who has been emerging has changed. There is an obsession with keeping the runs down, something which even started preoccupying the mind of Ambrose, once a bowler who had a deadly yorker that would send the stumps cartwheeling. The new brand of paceman was typified by Glenn McGrath who was overly keen on length and line and bored the hell out of those watching on.

During those two decades, there was every chance that there would be blood on the pitch before the day was out. After that, it became much less common.

True, since then we have seen the death of a batsman, Phillip Hughes, in first-class cricket in 2014, but that was due to an inadvertent accident rather than deliberate targeting by a bowler. It wasn’t a case of a bowler like Croft, an unpleasant man, who wouldn’t bother going over the wicket at all, but would come around the wicket right from the start of his spell. No, the man who caused Hughes’ death was Sean Abbott, not even one who bowls express pace, and one yet to ascend to the national ranks. A helmet with a flap at the back to protect Hughes’ neck would probably have saved him.

Where once the crowd looked for a particular paceman to come on and excite them, these days there are mostly yawns. And that’s because there is little to rouse the passions of those in the stands. The batsmen don’t need the kind of skills or bravery that players like Brian Close showed; on more than one occasion, the Englishman took repeated blows on the body in order to ensure that he did not lose his wicket.

These days, fast bowlers do not know how to get the ball to come up to the ribcage or chest and frighten the hell out of batsmen. There is a bunch of commentators who keep jabbering on about the speed of each ball, but when the bowler chooses to go past the off-stump or only focuses on keeping the runs down, what is the point? During the Ashes in 2019, there was much excitement when Jamaican-born Jofra Archer pinged Steve Smith on the noggin, flooring the Australian and ensuring that he would have to miss the next Test. But such occurrences are the exception, never the rule.

There were any number of spells bowled by pacemen in those 20 years which can be described as hostile. But since then, the cricket field has become a sedate place, where one is expected to be a gentleman, never a fierce competitor like Lillee, who once aimed a kick at the backside of Pakistan’s Javed Miandad. The latter charged down and tried to belt the moustachioed Australian with his bat. Oh, for a scene like that when Australia next plays a Test at home.

Things have got to the point that a few bouncers bowled during the first Test of the ongoing series resulted in the media resorting to the word “bodyline”. Yes, seriously! And we are talking here of bowlers like Tim Southee and Neil Wagner, more school teacher types, and hardly the sort to inspire fear in even a college XI. There is just one word for this: exaggeration.

This does not mean that bowlers cannot do their jobs well. No, they are efficient at winning games for their countries. Men like Mitchell Starc, Patrick Cummins and Jasprit Bumrah take plenty of wickets and give Australia and India respectively an advantage. But it all ends there. You wouldn’t go to a ground specifically because one of them was going to figure in a game. On the other hand, it was well worth a trip to the ground to watch Holding skim over the surface with the grace of a ballet dancer, en route to creating havoc at the other end. The umpire hardly heard a sound as the man known as Whispering Death reached the crease and delivered the ball in one smooth motion.

So is cricket a better game today than it was in the 1970s, 1980s or 1990s? Most certainly not. There are a lot of international games, in all three formats. But it has become so skewed in favour of the batsmen that Australia even resorted to using sandpaper to roughen the ball in 2018 to try and get an advantage during a Test series against South Africa. Captain Steve Smith, David Warner and Cameron Bancroft spent some time away from the game for creating what came to be known as Sandpapergate.

I guess one has to be resigned to the placid spectacle. There is more than a little effort directed towards trying to hype things up by means of sound, colour and spectacle at the various grounds. But nothing will ever substitute for the sight of a Thomson thundering up to the crease, flinging his head back and hurling a projectile at some quivering batsman 22 yards away. There was something earthy and primitive about it. Cricket is now too corporatised for there to ever be another Jeff Thomson.

Planet DebianRuss Allbery: Review: Once Broken Faith

Review: Once Broken Faith, by Seanan McGuire

Series: October Daye #10
Publisher: DAW
Copyright: 2016
ISBN: 0-7564-0810-5
Format: Kindle
Pages: 421

This is the tenth book in the October Daye urban fantasy series, and there's no way to start here given the complex web of social relationships and extensive back-story. I will try to avoid too major of spoilers, but be warned that it's difficult to talk about the story without giving at least some clues to events of previous books.

The conclusion of A Red-Rose Chain has created a new political problem: A significant disruption in the way that elven courts can fight could usher in a new, more peaceful era, or it could make conflict far more vicious. It also has more personal implications for Sylvester, Toby's liege, and wide-ranging consequences for elven mechanisms of justice.

Less important to the courts, but important to Toby, there is also the possibility of removing one of the ways in which the pure-blooded kill changelings.

High King Sollys calls a convocation of the realms of the Westlands to decide how to resolve this problem, and the local queen is to host. Toby of course has to attend. That becomes more urgent when one of the firstborn decides to weigh in with her own opinions via the dreams of one of Toby's friends.

Then one of the attendees of the convocation is murdered.

This is, in a sense, a murder mystery, but it's less about the murder investigation than it is about elven court politics. Given that elven court politics is my favorite part of this series, this book made me very happy. As always, if you care about the quality of the mystery or Toby's investigation of it, you'll probably be sad. I'm notoriously unobservant of clues in mysteries, and I figured out the likely culprit early on. But if you like seeing more of McGuire's Westlands world-building, Toby being her irrepressible self, and people discovering why they shouldn't mess with Toby or her allies, this book delivers.

The Luidaeg is also a major character in the story, and continues to be McGuire's best character. I love that friendship with Toby is making the Luidaeg more approachable and more involved in the kingdom, which is bringing out more and more of her character. I also enjoy watching her intimidate the hell out of everyone else while Toby treats her like another of her friends (admittedly with some extra respect). There are some faint hints in this story about the longer-term reasons why the Luidaeg is so willing to befriend Toby, something that I've been anticipating and that I'm looking forward to in future books.

Like a lot of this series, if you like these people, you'll like this book. If you don't like them well enough to get past the admittedly thin mystery plot or the tendency for most problems to be resolved by Toby throwing herself into horrific physical injury until everyone gives up, you probably won't. This one was full of the things that I read this series for, and therefore was one of my favorites so far. The resolution was perhaps a bit too easy, but the story was anchored on more interesting conflicts than a hissable villain and thus had more depth than A Red-Rose Chain. I also loved seeing glimpses of the elven courts from elsewhere in California and the west coast.

If you've read this far in the series, still recommended. Followed by The Brightest Fell.

The Kindle edition of this book (I'm not sure about the paper versions) also included a novella.

"Dreams and Slumbers": Following the tradition of the novellas associated with this series telling side stories with a viewpoint character other than Toby, this one follows Arden and tells a side story immediately following the plot of Once Broken Faith. (That also means that it's a total spoiler for Chimes at Midnight.)

I loved this story. Partly that's because it once again features the Luidaeg, but mostly it's that I think Arden is one of McGuire's better characters and it's a delight to see a story through her eyes. It's also entertaining to see how the other characters interact with her, and to see the reconfigured relationships that Toby leaves in her wake even when she's not around. Arden's balance of uncertainty, somewhat reluctant command, and self-awareness makes me like the character even more.

There is quite a lot of introspection and, to be honest, waffling, so other people's reaction may not match mine. But for me this was a highlight of the book. (8)

Rating: 8 out of 10


Planet DebianEnrico Zini: Games links

Software Library: MS-DOS Games : Free Software : Free Download, Borrow and Streaming : Internet Archive
Software for MS-DOS machines that represent entertainment and games. The collection includes action, strategy, adventure and other unique genres of game and entertainment software. Through the use of the EM-DOSBOX in-browser emulator, these programs are bootable and playable
The games available on this page were all created by students of the MIT Game Lab and for research purposes. These games are short, 5-15 minute experiences, each made as a polished vertical slice of gameplay. Find out how these games were made and how they're used by our researchers!
Hi and welcome to User Inyerface, a challenging exploration of user interactions and design patterns.
How do you design a game for friendship, when the players are interacting over the internet? Can you do this without even letting them speak, or see each others' faces? Chris Bell tackles the issue.

Planet DebianRhonda D'Vine: On Group Building

Recently I thought a lot about group building. There had been some dynamics going on in way too many communities that I am involved with, and it always came down to the same structural thing:

  • Is the group welcoming participation of everyone?
  • Is the group actively excluding people?

When put this way, I guess most people will quite directly swing towards the first option and rule out the second. The thing is, though, it's not that easy. And I'd like to explain why.

Passive vs. Active Exclusion

The story about passive exclusion

Exclusion always happens, it even has to happen, regardless of how you try to form a group. Let me explain it with an example that recently happened at an event in Germany. It was an event called "Hanse inter nichtbinär trans Tagung (HINT)", a conference for inter, non-binary and trans folks. A doctor was invited who performs genital "corrective" operations on babies, something that inter people suffer a lot from and that unfortunately is still legal and a widespread practice around the globe while there is no medical need for any of it. In turn, inter people didn't feel safe anymore attending a conference that was specifically set up with them as part of the target audience.

And that's just one example. I could come up with a fair amount of others, like having sexual abusive people at polyamory meetups, and there is a fair amount of free software related discussions going on too, having abusive people in the community actively invalidating others, ridiculing them, belittling them, or software that specifically enables access to hate-speech sites on free software portals, all with the reasoning that it's about free software after all.

All these things lead to passive exclusion. It leads to an environment that suddenly doesn't feel safe for a fair amount of people to get involved in in the first place. People that are claimed to be wanted within the community. People who are told to grow a thicker skin. People who are criticized for pointing out the discrimination and being rightfully emotionally wound up, also about the silent bystanders, having to do the emotional labour themselves. And as organizers and group leads, it's definitely the less energy consuming approach.

Some further fruit for thoughts:

The story with active exclusion

When you understand this, and start to engage with abusive people that make others feel unsafe, you might realize: that's actually a hell of a lot of work! And a thankless one on top of that. You suddenly have to justify your actions. You will receive abusive messages about how you could exclude that person because they have never been abusive to the sender so it can't be true, you are splitting the community, and whatnot. It's a thankless job to stand up for the mistreated, because in the end it will always feel like mistreating someone else. Holding people accountable for their actions never feels good, and I totally get that. That's also likely the reason why most communities don't do it (or only in over-the-top extreme cases, way too late), and this is a recurring pattern because of that.

But there are these questions you always have to ask yourself when you want to create a community:

"Whom do I want to create a community for, whom do I want to have in there - and what kind of behavior works against that? What am I willing to do to create the space?"

When you have a clear view on those questions, it still might be necessary to revisit them from time to time when things pop up that you haven't thought about before. And if you mean it honestly, for a change, start to listen to the oppressed and don't add to the hurt by calling them out for their reaction of fighting for their sheer existence and survival. Being able to talk calmly about an issue is a huge privilege and in general shows that you aren't affected by it at all. And it doesn't contribute to solving the discrimination; rather, it just distracts from it.

Middle ground?

One last note: Active exclusion doesn't necessarily have to happen all the time. Please check in with the abused about what their needs are. Sometimes they can deal with it in a different way. Sometimes the abusers start to realize their mistake and healing can happen. Sometimes discussions are needed, mediation, with or without the abused.

But ultimately, if you want to build any inclusive environment, you have to face the fact that you very likely will have to exclude people and be ready to do so. Because as Paula said in her toot above:

"If you give oppressors a platform, then guess what, marginalized people will leave your platform and you'll soon have a platform of dicks!"


Planet DebianMolly de Blanc: Consent

I was walking down the platform at the train station when I caught eyes with a police officer. Instinctively, I smiled and he smiled back. When I got closer, he said “Excuse me, do you mind if I swipe down your bag?” He gestured to a machine he was holding. “Just a random check.”

The slight tension I’d felt since I first saw him grabbed hold of my spine, shoulders, and jaw. I stood up a little straighter and clenched my teeth down.

“Sure, I guess,” I said uncertainly.

He could hear something in my voice, or read something in my change of posture. “You have to consent in order for me to be allowed to do it.”

Consent. I’d just been writing about consent that morning, before going to catch the train down to New York for Thanksgiving. It set me on edge and made more real what was happening: someone wanted to move into my personal space. There was now a legal interaction happening. “I don’t want to be difficult, but I’d rather you didn’t if you don’t have to.”

“It’s just a random check,” he said. “You don’t have to consent.”

“What happens if I say no?”

“You can’t get on the train,” he gestured to the track with his machine.

“So, my options are to let you search my bag or not go see my family for Thanksgiving?”

“You could take a bus,” he offered.

I thought about how I wanted to say this. Words are powerful and important.

“I consent to this in as much as I must without having any other reasonable option presented to me.”

He looked unconvinced, but swiped down my bag anyway, declared it safe, and sent me off.

Did I really have the right to withhold consent in this situation? Technically, yes. I could have told him no, but I had no other reasonable option.

At the heart of user freedom is the idea that we must be able to consent to the technology we’re directly and indirectly using. It is also important to note that we should not suffer unduly by denying consent.

If I don’t want to interact with a facial recognition system at an airport, I should be able to say no, but I should not be required to give up my seat, risk missing my flight or spend exceptional effort as a consequence of refusing to consent. Consenting to something that you don’t want to do should not be incentivized, especially by making you take on extra risk or make extra sacrifices.

In many situations, especially with technology, we are presented with the option to opt out, but that doesn’t just mean opting out of playing a particular game: it can mean choosing whether or not to get a life saving medical implant; not filing your taxes because of government mandated tax software; or being unable to count yourself in a census.

When the choice is “agree or suffer the consequences” we do not have an option to actually consent.

Planet DebianDebichem Team: Add pipeline status badges to all projects of a group

The debichem team on uses continuous integration (CI) pipelines and jobs to make sure the packages build and don’t ship issues. It is possible to add a badge to the projects overview page to show the status of the last run pipeline/job as shown below:

Project page of ShelXle packaging showing the pipeline status badge

Because the team already has around 100 packages, it would mean a lot of work to add a badge to each packaging project. Fortunately GitLab, the software used for, provides a way to add group badges which will appear on every project's overview page. The necessary setting can be done under the group’s settings page or the following URL<GROUP>/-/edit

Expand the Badges section as shown below:

Expanded badge section of the group’s settings page

To add the badge one has to provide a link and the corresponding badge URL. The first one should point to project’s (package’s) pipeline page:{project_path}/pipelines

and the badge URL is:{project_path}/badges/%{default_branch}/pipeline.svg

Using the variables provided by GitLab might be a good idea, especially if a group is using a mixture of branch names (e.g. master vs. DEP14). Hitting the Add badge button finally adds a badge to every project (package) under the group's umbrella.

Below is a screenshot of these settings used in the debichem group:

Pipeline badge settings


Planet DebianDima Kogan: vnl-uniq

I just added a new tool to the vnlog toolkit: vnl-uniq. Similar to the others, this one is a wrapper for the uniq tool in GNU coreutils. It reads just enough of the input to get the legend, writes out the (possibly-modified) legend, and then calls exec to pass control to uniq to handle the rest of the data stream (i.e. to do all the actual work). The primary use case is to make histograms:

$ cat objects.vnl

# size  color
1      blue
2      yellow
1      yellow
5      blue
3      yellow
4      orange
2      orange

$ < objects.vnl vnl-filter -p color |
                vnl-sort -k color   |
                vnl-uniq -c

# count color
      2 blue
      2 orange
      3 yellow

I also added a --vnl-count NAME to be able to name the count column.

As happens each time I wrap one of these tools, I end up reading the documentation and learning about new options. Apparently uniq knows how to use a subset of the fields when testing for uniqueness: uniq -f N skips the first N columns for the purposes of uniqueness. Naturally, vnl-uniq supports this, and I added an extension: a negative N can be passed in to use only the last -N columns. So to use just the one last column, pass -f -1. This allows the above to be invoked a bit more simply:

$ < objects.vnl vnl-sort -k color |
                vnl-uniq -c -f-1

# count size color
      2 1      blue
      2 2      orange
      3 1      yellow

Note that I didn't need to filter the input to throw out the columns I wasn't interested in. And as a side-effect, the output of vnl-uniq now has the size column also: this is the first size in a group of identical colors. Unclear if this is useful, but it's what uniq does. Speaking of groups, something that is useful is uniq --group, which adds visual separation to groups of identical fields. To report the full dataset, grouped by color:

$ < objects.vnl vnl-sort -k color |
                vnl-uniq --group -f-1

# size color
1      blue
5      blue

2      orange
4      orange

1      yellow
2      yellow
3      yellow

It looks like uniq provides no way to combine this with the counts (which makes sense, given that uniq makes one pass through the data), but this can be done by doing a join first. Looks complicated, but it's really not that bad:

$ vnl-join -j color <( < objects.vnl vnl-sort -k color )
                    <( < objects.vnl vnl-filter -p color | vnl-sort -k color | vnl-uniq -c -f-1 ) |
  vnl-filter -p '!color',color |
  vnl-align |
  vnl-uniq --group -f-1

# size count color
1      2     blue
5      2     blue

2      2     orange
4      2     orange

1      3     yellow
2      3     yellow
3      3     yellow

It's awkward that uniq works off trailing fields but join puts the key field at the front, but that's how it is. If I care enough, I may add some sort of vnl-uniq --vnl-field F to make this nicer, but it's not obviously worth the typing.
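To make the mechanism described above concrete, here is an added example (not the vnlog project's own code) that emulates what vnl-uniq does: read just enough of the input to get the legend, write out a modified legend, and hand the remaining rows to coreutils uniq. It also implements the -f -N extension by counting the legend's columns and translating "last N columns" into the positive skip count that uniq understands. It assumes a POSIX sh with coreutils uniq and sort, and uses the post's objects.vnl rows as a constructed inline sample; the function names mini_vnl_uniq, color_histogram and count_for are this example's own.

```sh
#!/bin/sh
# Added example, not part of vnlog: a minimal re-implementation of the
# vnl-uniq mechanism (legend passthrough + delegation to coreutils uniq).

# Constructed sample input: the same rows as the post's objects.vnl.
OBJECTS='# size  color
1      blue
2      yellow
1      yellow
5      blue
3      yellow
4      orange
2      orange'

# mini_vnl_uniq N [yes|no]
#   N   number of *trailing* columns to compare (the post's -f -N extension)
#   yes prepend a count column, like uniq -c
# Reads a vnlog stream on stdin: one legend line starting with '#', then rows.
mini_vnl_uniq() {
    trailing="$1"
    want_count="${2:-no}"

    # Read only the first line (the legend); the rest stays on stdin for uniq.
    IFS= read -r legend || return 1
    names=$(printf '%s\n' "$legend" | sed 's/^#[[:space:]]*//')

    # Count legend columns, then turn "last N columns" into "skip first K".
    set -- $names
    ncols=$#
    skip=$((ncols - trailing))
    [ "$skip" -ge 0 ] || skip=0

    if [ "$want_count" = yes ]; then
        # uniq -c puts the count in front of the row, so the legend gains a
        # leading "count" column (the real tool execs uniq here; we just call it).
        printf '# count %s\n' "$names"
        uniq -c -f "$skip"
    else
        printf '%s\n' "$legend"
        uniq -f "$skip"
    fi
}

# The post's first pipeline without vnl-filter: keep the legend first, sort
# the data rows on the color column, then count identical colors using only
# the last column, which keeps the size column in the output like -f -1 does.
color_histogram() {
    {
        printf '%s\n' "$OBJECTS" | sed -n '1p'
        printf '%s\n' "$OBJECTS" | sed '1d' | sort -b -k 2,2
    } | mini_vnl_uniq 1 yes
}

# Count for one color, read back from the histogram's count column.
count_for() {
    color_histogram | awk -v c="$1" '$NF == c { print $1 }'
}

color_histogram
```

Run as a script it prints the legend "# count size  color" followed by one line per color with the count in front of the first row seen for that color, the same shape as the post's second listing; count_for yellow returns 3.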

Cory DoctorowParty Discipline, a Walkaway story (Part 4) (the final part!)

In my latest podcast (MP3), I conclude my serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

Here’s part 1 of the reading, here’s part 2, and here’s part 3.

We rode back to Burbank with Shirelle on my lap and one of my butt-cheeks squeezed between the edge of the passenger seat and the door. The truck squeaked on its suspension as we went over the potholes, riding low with a huge load of shopping carts under tarps in its bed. The carts were pretty amazing: strong as hell but light enough for me to lift one over my head, using crazy math to create a tensegrity structure that would hold up to serious abuse. They were rustproof, super-steerable and could be reconfigured into different compartment-sizes or shelves with grills that clipped to the sides. And light as they were, you put enough of them into a truck and they’d weigh a ton. A literal ton, and Jose—our driver’s—truck was only rated for a half-ton. It was a rough ride.

Our plan was to pull up on skid row and start handing out carts to anyone around, giving people two or three to share with their friends. Each truck had a different stretch we were going to hit, but as we got close to our spot, two things became very apparent: one, there were no homeless people around, because two, the place was crawling with five-oh. The Burbank cops had their dumb old tanks out, big armored MRAPs they used for riot control and whenever they wanted to put on a show of force, and there was a lot of crime-scene tape and blinking lights on hobby-horses.


Planet DebianMike Gabriel: My Work on Debian LTS/ELTS (December 2019)

In December 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

LTS Work

  • Triage 14 packages during my frontdesk week (tomcat7, tomcat8, lout, apache-log4j1.2, x2goclient (libssh regression), nethack, nethack, cyrus-sasl2, php5, libjpeg-turbo, transfig, ruby-rack, ruby-excon)
  • Upload to jessie-security: cyrus-sasl2 (DLA-2044-1 [1]), 1 CVE
  • Deeply dive into tightvnc CVE issue hunting and help matching various CVEs between src:libvncserver and src:tightvnc, digging out patches, etc.
  • Upload to jessie-security: tightvnc (DLA-2045-1 [2]), 9 CVEs
  • Upload to jessie-security: x2goclient (DLA-2038-2 [7]) (fixing a regression caused by a recent libssh security upload; see DLA_2038-1 / CVE-2019-14889) [3]
  • Ping DLange and ggings about getting the libssh regression regarding x2goclient fixed in Ubuntu (LTS) [4]
  • Ping the release team on security update status regarding CVE-2019-14889/libssh (bundled with an X2Go Client update) for stretch + buster.
  • NMU-upload (to DELAYED/10) tightvnc targeting Debian unstable [5]. Waiting for the former maintainer to ACK the NMU or re-do it himself. As tightvnc has been open for adoption for years now, I have started considering taking over QA maintenance under the umbrella of the Debian Remote Maintainers team.
  • Re-schedule tightvnc NMU-upload to DELAYED/0 after maintainer's ACK.
  • Prepare tightvnc security uploads for stretch + buster (waiting for the recent upload to arrive in unstable).

ELTS Work

  • Upload to wheezy-security: cyrus-sasl2 (ELA-203-1 [5]), 1 CVE
  • Start backport two patches for tomcat7 (CVE-2019-12418 and CVE-2019-17563) and hand them over to the team's mailing list for continuation by another team member (because hours had been used up and I would have needed a second opinion anyway)

Other security related work for Debian

  • Upload to buster(-pu): libvncserver 0.9.11+dfsg-1.3+deb10u1, 1 CVE, two other patches
  • Upload to stretch(-pu): libvncserver 0.9.11+dfsg-1.3~deb9u2, 1 CVE, two other patches
  • Upload to buster(-pu): atril 1.20.3-1+deb10u1, 1 CVE, one other patch
  • Upload to buster(-pu): freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1, 1 CVE
  • Upload to experimental: libjpeg-turbo 1:2.0.3-1~exp1, 1 CVE (plus update security tracker about other CVEs fixed in experimental)

Updates (2019-12-22):

  • Add info about DLA-2038-2 for x2goclient upload to jessie LTS
  • Add section about other security related work in Debian related to my LTS work
  • Add info about rescheduled NMU of tightvnc/unstable.


Planet DebianEmmanuel Kasper: Opensource Retrocomputing: FreeMiNT on Atari ST

If you have an Atari ST sleeping in the attic, and have an interest in open source Unix, you might be interested to try out ST Mint, a distribution of the FreeMiNT kernel tailored for this platform.

When preparing the last ST Mint release, I noticed that bash needed too much memory for the ST, so I included the sash shell, cross-compiled from the Debian source package.
Funnily enough, although the Atari hardware is physically large and heavy, working on ST Mint feels like doing embedded hardware development: you cross-compile, link with the smallest possible libc, copy stuff on a SD Card, and try to fit everything in 4MB of RAM.


CryptogramFriday Squid Blogging: Streamlined Quick Unfolding Investigation Drone

Yet another squid acronym.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Cory DoctorowRadicalized is one of the LA Public Library’s books of the year!

It’s not just the CBC and the Wall Street Journal — I was delighted to see this morning that Radicalized, my 2019 book of four science fiction novellas made the LA Public Library’s list of the top books of 2019! “As always his writing is sharp and clear, covering the absurdities that surround and infiltrate our lives, and predicts new ones waiting for us just around the corner. A compelling, thought provoking, macabre funny read.”

Cory DoctorowMy annual Daddy-Daughter Xmas Podcast: interview with an 11-year-old

Every year, I record a short podcast with my daughter, Poesy. Originally, we’d just sing Christmas carols, but with Poesy being nearly 12, we’ve had a moratorium on singing. This year, I interviewed Poe about her favorite Youtubers, books, apps, and pastimes, as well as her feelings on data-retention (meh) and horses (love ’em). And we even manage to squeeze in a song!

Google AdsenseMarketing Communications Specialist

It’s vital to create a flawless website user experience (UX). A UX strategy can help you rectify anything that compromises the website experience.

Planet DebianAnisa Kuci: Outreachy post 2

The third week of the Outreachy is continuing successfully, everyone seems to be in the Outreachy vibe of working and learning a lot. The last weeks have been quite intense and interesting for me as well. While I spent the first few days gaining access to most of the repos and accounts that I will need to complete my internship or doing research and studying the next phases for the continuity of the project, my second and third week have been more “hands on” since I had set up everything and was ready to complete further tasks.

As you may know from my last blog post, I am working with DebConf sponsorships and fundraising, so, these two weeks I have been mostly working on the fundraising of the next DebConf, which will be held in Haifa, Israel. Preparations for the event have already started, and I have participated in all the organizing team calls so far, trying to learn more about organizing DebConfs, and also give possible updates about my work, which I am really happy to say has been received positively by the community. I have received very nice feedback from team members and sponsors.

These weeks I have been reaching out to nearly 100 possible sponsors around the globe, sending them the sponsorship email based on a template that I had been working on during the application phase of Outreachy. Every change or update about everything related to the conference is documented in a Debian repo, which has made me improve my skills on using git commands and learn many more commands that make my work easier. I have worked and continue working on fundraising material that will be used for continuing sponsorship negotiations and I am using LaTeX to edit the documents. So far some sponsors have already committed and others have expressed interest in supporting DebConf20 and ask questions which I need to find answers for. This way I learn even more about fundraising and organizing conferences.

The work continues, and I am enjoying it a lot!

LongNowAI Unearths New Nazca Line in the Shape of a Humanoid Figure

The Nazca lines in Peru have baffled archaeologists for a century. Photo Credit: Jon Arnold Images Ltd/Alamy Stock Photo

In Southern Peru, deep in the Nazca Desert, ancient etchings spread across the landscape. To an observer at ground level, they appear as lines cut into the desert surface. Most are straight, while others curve and change direction, seemingly at random. Viewed from foothills or in the air, however, the etchings are revealed as figurative symbols, or geoglyphs. From this vantage, the Nazca lines take the form of geometric and biomorphic shapes, depicting plants, animals, and anthropomorphic figures.

The meaning and purpose of the Nazca lines have remained a mystery to archaeologists since their modern discovery in the 01920s. Some theorize that the etchings mark solstice points. Others believe they are artistic offerings to deities in the sky.

Archaeologists estimate the Nazca created several thousand lines between 0200 BCE and 0600 CE, using a methodical process of extracting specific stones to expose the white sands beneath. Researchers have long believed that there are many more Nazca lines yet to be discovered, but traditional methods of identifying the lines are time-consuming and demanding. Additionally, many of the lines have been damaged from floods, and disrupted by roads and infrastructure expansion.

Humanoid figure is the newest addition to the Nazca Lines. Photo Credit: IBM Research.

In recent years, a research team at Yamagata University has turned to an unconventional aid in its search: artificial intelligence. And it’s working better than anyone expected. On 15 November 02019, after decades of fieldwork and with extensive collaboration with IBM and their PAIRS Geoscope, the team announced that a total of 143 new designs had been uncovered.

The AI technology deploys deep-learning algorithms in order to synthesize vast and diverse data from LiDAR, drone and satellite images, to geospatial and geographical surveys. The result is high-fidelity 3-D maps of the surrounding search areas. Next, the AI is taught via a neural network to recognize the data patterns of known lines. The AI then searches for new ones over a stretch of 5 kilometers of terrain.

Left, Humanoid, Right, Humanoid Processed Picture. Photo Credit: Yamagata University IBM Japan.

One of the more curious recent discoveries was the above futuristic-looking humanoid figure.

The image is processed to outline and highlight the etchings for vastly improved visibility. The figure joins a collection of more than 2,000 previously known Nazca Lines. Other symbols include a fish, hermit bird and two-headed snake. In addition, IBM made this detection technology open source so other ventures can gain from the system, for example, to identify crops and improve irrigation management across the globe. The team plans to continue its work using more capable AI systems, like laser mapping data and advanced aerial images.

The project, with angles of both investigation and preservation, aims to document and understand the Nazca Lines as a whole. Once the team has a better understanding of the distribution of the lines, it can accelerate research towards the best way to preserve and protect them.

Learn More

  • Read Yamagata University’s press release on the newly-discovered geoglyphs.
  • Learn more about the IBM PAIRS geoscope technology that is helping scientists discover more geoglyphs.

Worse Than FailureError'd: Laws of Thermodynamics be Damned!

"I went to check my heat and, much to my surprise, my house had broken the laws of physics," Robert J. writes.


Dylan N. wrote, "I never have liked Cyber Mondays."


"When it comes to sending emergency alerts, my school is SO bad that it [INSERT_HOW_BAD_TEXT]!!" Jack writes.


Pascal wrote, "Ooh! By the looks of this guy, Twilight Zone's might have some weird face shifting plot twist!"


"Sigh...Looks like I'll need to wait approximately 584,942,417 years to hear from my friends again..." writes Matthieu G.


"I tried accessing Interactive Broker's simulated trading account on a random Friday, and well, maybe I just picked the wrong time or something because, behold, HTTP error code 601," Dima R. wrote.



Planet DebianRuss Allbery: Review: Rogue Protocol

Review: Rogue Protocol, by Martha Wells

Series: Murderbot Diaries #3
Copyright: August 2018
ISBN: 1-250-18543-2
Format: Kindle
Pages: 150

This is the third Murderbot novella. It could probably be read on its own, since each is a self-contained story, but reading in order will add some depth via the increasing thoughtfulness of Murderbot's motives.

There needs to be an error code that means "I received your request but decided to ignore you."

Murderbot is trying to get out of the Corporation Rim. Its former owner, GrayCris, is entangled in litigation over its sketchy actions (told in the previous novellas), including a failed terraforming attempt outside of the Corporation Rim. This is a convenient combination. Murderbot can get out of the Rim and away from potential pursuers while looking around the terraforming attempt for evidence that could hurt GrayCris. And possibly also give its primary rescuer from All Systems Red less justification to be fighting dangerous corporations and more reason to go home where she will be safe.

That's how Murderbot ends up as unexpected passenger security on a trip to HaveRotten station, giving rise to the above quote (and several other great moments).

Starting at HaveRotten station, Rogue Protocol follows a similar path as Artificial Condition: Murderbot picks up some humans on the way to its objective (in this case, the team from the company that took over the failing terraforming station and is surveying it), can't resist trying to protect them, and ends up serving as security because, well, someone has to. This time around, that comes with irritated and disgusted criticism of the failings of the human security that is supposed to be doing that job. That was the best part of the book. The situation isn't quite what it appears to be on the surface, of course, which leads to some tense and exciting tactical maneuvering on an abandoned station against daunting odds.

The new element of Rogue Protocol is Miki, another humanform robot. I had mixed feelings about Miki. I think this was intentional — Murderbot also has mixed feelings about Miki — but I'm still not sure if I liked the overall effect. It is more naive and simple-minded than Murderbot, but is the friend of one of the humans. Murderbot, and the reader, are initially suspicious that "pet" may be a better word than "friend," but that's not quite the case. It's a disturbing look at another option for sentient robots in this universe other than simple property, one that's better in some ways, and which seems to work for Miki, but is nonetheless ripe for abuse.

Miki is central to the emotional thrust of the novella, and I can't argue this didn't work on me. I think the reason why I have some lingering discomfort is that Miki is right on the border of a slave who wants to be a slave, belongs to someone who doesn't quite treat it like one (but could), and (unlike Murderbot) is probably incapable of deciding to be something else. I'm sure this was intentional on Wells's part; a primary theme of this series is the nature of self-determination in a universe that treats you like property. It's also a long-standing SF theme that's fair game to explore. But it still bothered me the more I thought about it, and I'm not sure Miki's owner/friend, or this novella, fully engages with the implications.

That element bumped my enjoyment of this entry of the series a little lower, but this is still solidly entertaining stuff. Murderbot's internal critique of other people's security decisions is worth the price of entry by itself, and I'm still delighted by its narrative voice. I continue to recommend this whole series.

Followed by Exit Strategy.

Rating: 7 out of 10

Planet DebianLouis-Philippe Véronneau: Lowering the minimum volume on Android

I like music a lot and I spend a large chunk of my time with either over-the-ear headphones or in-ear monitors on. Sadly, human ears are fragile things and you should always try to keep the volume as low as possible when using headphones.

When I'm not at home, I usually stream music from my home server to my Android device. Although the DAC quality on my Nexus 5 isn't incredible, my IEMs aren't stellar either.

Sadly, I've always been displeased with how little control Android actually gives you over the media volume and I've always wished I could have the lowest setting even lower.

I know a bunch of proprietary apps exist on the Google Play Store to help you achieve that kind of thing, but hey, I don't swing that way.

Android Audio Policies

After having a look at Android's audio policies documentation, it turns out if you have a rooted device, you can define the audio level curve yourself!

On a recent-ish version of Android, the two files you want to mess with are:

  • /vendor/etc/audio_policy_volumes.xml, which defines what type of audio stream (media, phone calls, earbuds, bluetooth, etc.) uses what type of audio curve.

  • /vendor/etc/default_volume_tables.xml, which defines the default audio curves referenced in the previous file.

If you've never modified files on Android, I highly recommend plugging your device into a computer, enabling USB debugging and connecting through adb. You will likely need to remount the filesystem read-write, as it is mounted read-only by default (on devices where /vendor is its own partition rather than a symlink into /system, that partition is the one holding the files above and needs the same remount):

$ adb shell
$ su
# mount -o remount,rw /system

I don't really care about anything else than media volume, so here is the curve I ended up with. It goes very low and gives you more control at low volume, while still being quite loud at maximum volume. You will need to experiment with your device though, as DACs are all different.

<!-- Default Media reference Volume Curve -->

For reference, the scale goes from -9600 to 0, 0 being the loudest sound your device can produce.
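Because a hand-edited curve is easy to get wrong (a point outside -9600..0, indices that go backwards, a top point that no longer reaches 0 mB), here is a small validator and generator as an added example; it is not code from the original post. It assumes the AOSP layout of default_volume_tables.xml, where each curve is a `<reference name="...">` element holding `<point>index,millibels</point>` children with the index running 0..100; the sample table and the quiet curve are constructed for illustration.

```python
"""Build and sanity-check an Android volume curve for default_volume_tables.xml.

Added example (not from the original post). Assumes the AOSP layout:
<reference name="..."> holding <point>index,millibels</point> children,
index in 0..100, attenuation in -9600..0 millibels (0 mB = loudest).
"""
import xml.etree.ElementTree as ET

MIN_MB, MAX_MB = -9600, 0          # scale described in the post
MIN_IDX, MAX_IDX = 0, 100          # volume index range used by the curves


def validate_curve(points):
    """Return a list of problems with a (index, millibels) point list; [] if OK."""
    problems = []
    if len(points) < 2:
        problems.append("need at least two points")
        return problems
    last_idx, last_mb = None, None
    for idx, mb in points:
        if not MIN_IDX <= idx <= MAX_IDX:
            problems.append(f"index {idx} outside {MIN_IDX}..{MAX_IDX}")
        if not MIN_MB <= mb <= MAX_MB:
            problems.append(f"{mb} mB outside {MIN_MB}..{MAX_MB}")
        if last_idx is not None and idx <= last_idx:
            problems.append(f"indices not strictly increasing at {idx}")
        if last_mb is not None and mb < last_mb:
            problems.append(f"attenuation not monotonic at index {idx}")
        last_idx, last_mb = idx, mb
    if points[-1][0] != MAX_IDX:
        problems.append("last point should sit at index 100")
    if points[-1][1] != MAX_MB:
        problems.append("last point should be 0 mB so maximum volume stays full scale")
    return problems


def curve_to_xml(name, points):
    """Render a <reference> element in the default_volume_tables.xml layout."""
    ref = ET.Element("reference", name=name)
    for idx, mb in points:
        ET.SubElement(ref, "point").text = f"{idx},{mb}"
    return ET.tostring(ref, encoding="unicode")


def curves_from_xml(text):
    """Parse every <reference> element back into {name: [(index, mB), ...]}."""
    root = ET.fromstring(text)
    curves = {}
    for ref in root.iter("reference"):
        pts = []
        for p in ref.findall("point"):
            idx, mb = p.text.strip().split(",")
            pts.append((int(idx), int(mb)))
        curves[ref.get("name")] = pts
    return curves


def check_table(text):
    """Map each curve name in a default_volume_tables.xml document to its problems."""
    return {name: validate_curve(pts) for name, pts in curves_from_xml(text).items()}


# Constructed example curve: much quieter first steps, still 0 mB at the top.
QUIET_MEDIA_CURVE = [(1, -9000), (10, -7500), (30, -5000), (60, -2500), (100, 0)]

# Constructed sample of a vendor file, one good curve and one broken one.
SAMPLE_TABLE = """<volumes>
  <reference name="DEFAULT_MEDIA_VOLUME_CURVE">
    <point>1,-5800</point><point>20,-4000</point>
    <point>60,-1700</point><point>100,0</point>
  </reference>
  <reference name="BROKEN_CURVE">
    <point>1,-9700</point><point>50,-3000</point><point>40,-2000</point>
  </reference>
</volumes>"""

if __name__ == "__main__":
    for name, problems in check_table(SAMPLE_TABLE).items():
        print(name, "OK" if not problems else problems)
    print(curve_to_xml("QUIET_MEDIA_VOLUME_CURVE", QUIET_MEDIA_CURVE))
```

Run it against a copy of your device's default_volume_tables.xml before pushing the edited file back; the validator only checks shape, so you still have to listen to the result, but it catches the mistakes that leave you with a silent or permanently loud device.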

As with all things Android, if you are not building your own images, this will get erased the next time you update your device. Don't forget to back up the files you modify, as audio curves are easy to screw up!


Planet DebianShirish Agarwal: 100 million Indians, no hope and future

What will happen when 100 million Indians in the productive age range of 14-40 are not working, not looking for work, not in training, and have no hope that they will get any jobs? This is the India that most Indians are inheriting, as shared in a recent Govt. report released about a month back.

The Report

If you look at the Report, it seems to be a humongous 600+ page report, but it has been buffed up by interspersing the Hindi translation within the report itself. Now, while I haven’t gone fully through the report, the numbers themselves seem to be shocking. There are other numbers related to women’s participation in the labor force, which has plummeted, which also is a huge cause for worry. It is estimated that the original number was 10 million who were disillusioned with labor markets or job creation in the 2010-2011 financial year. Mind you, these are all Government figures. So what happened in the past 6-7 years to produce such shocking numbers, due to which you see divisive steps such as the CAA (Citizenship Amendment Act) being taken, for which protests have taken place across the country? I believe there are at least 6-7 major issues which the present Government doesn’t seem to have time to fix and doesn’t even seem to have any ideas or seriousness about how to fix them.


The first one right there is demonetization, which the current Government fails to acknowledge as its mistake. While hindsight is always 20/20, it didn’t do any of the things promised to the citizens; it made sure that rural markets, startups and small businesses, where most of the exchange happens by cash, went out of business. Ironically, just 2 years after demonetization, the amount of money in cash was more than before, which means those who generated black money were still in good business. In fact, as I have shared before, Dr. Arun Kumar, who has done a lot of work on black money and the black economy, has been part of 40 odd committees and, as he has confessed, did generate and use black money in the early part of his career, especially in real estate, has written two books recently on the topic –

Understanding the Black Economy and Black Money in India – An Enquiry into Causes, Consequences and Remedies – Dr. Arun Kumar , 6 Feb 2017

Demonetization and the Black Economy – Dr. Arun Kumar, 20th December 2017 – this one gives a far larger picture of how Demonetization failed to live upto its promises and what it didn’t take into account.

The Big Reverse: How Demonetization kicked India out : Meera Sanyal – 10th November 2018

There is nothing I can write that these economists haven’t already written about, and in greater detail than anything I would write, hence I would suggest you go through them. I have given the links; you may use others. In fact, interestingly, just a couple of days ago on a business channel, there was talk on commodity markets and one of the big jewellers shared on national media that due to the Govt. imposition of high GST, there has been gold smuggling and people buying gold in black (i.e. without receipts). FWIW, this was on CNBC TV 18.

Goods and Services Tax

About this I have covered in the last blog post, so nothing much to reiterate here except to link back. Although I have to say GST is still hurting people, a lot. GST refunds are still an issue, as shared by the finance minister. Although nowadays any numbers, including the PLFS numbers, should be taken with a bucket of salt, as the present Government always attempts to present a rosy picture rather than the real picture. So the numbers for people not looking for jobs, as well as people whose refunds have not been given, would probably be much higher than what has been shared. With the Statistical Commission not having enough members of high quality and quantity, how good the numbers are is anybody’s guess, as I have shared before. And in fact, now whatever autonomy the Statistical Commission had is also being eroded, as can be seen in a draft bill. This will only lower India’s stature in global eyes.

Electoral Bonds

I don’t really have to say much on it except for the reports by Nithin Sethi. While the Government has sought to placate the masses by its submissions in the Rajya Sabha, it hasn’t answered any of the questions raised by either Nithin Sethi or any of the findings from the RTI answers received by the Colonel. There is a lot more to the story than still meets the eye, but probably that is for some other day. This is apart from the fact that India is now funding lobbyists in the U.S. so that Americans support India’s actions in Kashmir. This is after Americans found India’s actions in Kashmir baffling, and Americans have a lot of experience in enemy engagement.

Retrospective Tax

This is perhaps one of the things which I had shared in the last blog post as well. This is what has scared most potential international investors away. In fact, Bloomberg shared a nice, well-written article about the issue, with links to Mr. Harish Salve’s take; he has been an unapologetic critic of the move by the then Congress Govt., which the BJP Govt. had promised to fix and since then has done nothing in that regard.

Rural demand and high agricultural prices and middleman

There has been no uptick in rural demand and there is no policy by the Govt. to tackle this. A couple of months back the FM gave a 1.45 lakh crore or $20 billion tax bonanza to corporate houses, which make up a measly 3-4% of the total economy and are already swimming in cash, while the other 96% of the economy, which actually oils the Indian market, i.e. the small businesses and the farmers, are net losers in the current regime. Even essential commodity prices have gone up, both in retail and wholesale markets, with almost all of the profits accruing to the middleman rather than the farmer or the agricultural labor. We are on the path to being England, which imports all of its veggies. Last but not least, exports from India have been down for the fourth straight month.


Unless India fixes a lot of structural issues, e.g. adherence to legal contracts or fast resolution in case of disputes, I don’t see India bouncing back anytime soon. Nobody from the other side even comments on why the economies of Bangladesh, Vietnam, China and even Cambodia are able to ramp up, even if the argument is ‘global slowdown’. Some people have argued for a cyclical slowdown but haven’t had any evidence to prove that other than conjecture.

Planet DebianBastian Blank: Introducing dpkg source format for git repositories

There is a large disagreement inside Debian on how a git repository used for Debian packages should look. You just have to read debian-devel to get too much of it.

Some people prefer that the content of the repository looks like a "modern" (3.0) source package the Debian archive accepts. This means it includes the upstream source plus stuff in debian/patches that needs to get applied first to have something usable. But by definition this concept is incompatible with a normal git workflow; e.g. you can't cherry-pick upstream patches, but need to convert them into a patch file either by hand or with another tool. It also can't use upstream test definitions in a CI without adopting them and patching the source first.

Other people prefer to always have the complete patched source available. This allows for the use of cherry-pick and all the other git concepts available. But due to the way our "modern" (3.0) source formats are defined, it is impossible to use those together. So everyone wanting to use this can only use ancient 1.0 source packages, which lack a lot of features like modern compression formats.

Some do stuff that is much weirder. Weird things like git-dpm, which is also incompatible with merges. But we can't save everyone.

I started working on bridging the gap between a proper git repository and a modern Debian source package by building a source package from a special target in debian/rules. But people, maybe rightfully, complained that not being able to use dpkg-source is a big downside and needs a lot of documentation. To get this into proper shape, I'd like to introduce a new dpkg source format.

New source format

The (not yet released) package dpkg-format-gitarchive defines a new source format 3.0 (gitarchive). This format doesn't represent a real source package format, but uses a plain git repository as input to create a 3.0 (quilt) source package that the Debian archive accepts.

This software currently has some hardcoded expectations on how things look:

  • The git tree must not contain debian/patches; instead all Debian patches are applied as git commits.
  • The file debian/source/format exists in the latest commit, not only as an uncommitted file.
  • Original tarballs need to be managed with pristine-lfs and must be compressed using xz.
  • Tags for upstream sources called upstream/$version need to exist.
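A preflight check for those four expectations, written here as an added example and not part of dpkg-format-gitarchive: the rules are evaluated on plain data (tracked paths, tag names, orig tarball names) so the logic runs without a repository, and gather_from_git() is an assumed helper showing how one would pull that data from a real checkout with git plumbing. The assumption that pristine-lfs keeps the tarballs on a branch named pristine-lfs is mine, as are the sample inputs.

```python
"""Check a git tree against the expectations of 3.0 (gitarchive).

Added example, not part of dpkg-format-gitarchive. check_expectations()
is pure; gather_from_git() is an assumed wrapper around git plumbing.
"""
import re
import subprocess

# source_version.orig.tar.<compression>; upstream versions never contain "_"
TARBALL_RE = re.compile(
    r"^(?P<src>[a-z0-9][a-z0-9+.-]+)_(?P<ver>[^_]+)\.orig\.tar\.(?P<comp>\w+)$")


def check_expectations(tracked_paths, tags, upstream_version, orig_tarballs):
    """Return the violated expectations; an empty list means the tree qualifies."""
    problems = []
    # 1. Patches live in git history, never in debian/patches.
    if any(p == "debian/patches" or p.startswith("debian/patches/") for p in tracked_paths):
        problems.append("debian/patches is tracked; apply Debian changes as commits instead")
    # 2. debian/source/format must be committed, not merely present in the worktree.
    if "debian/source/format" not in tracked_paths:
        problems.append("debian/source/format is not committed")
    # 3. Orig tarballs are handled by pristine-lfs and must be xz-compressed.
    if not orig_tarballs:
        problems.append("no orig tarball registered with pristine-lfs")
    for name in orig_tarballs:
        m = TARBALL_RE.match(name)
        if not m:
            problems.append(f"{name}: not an orig tarball name")
        elif m.group("comp") != "xz":
            problems.append(f"{name}: must be xz-compressed, not {m.group('comp')}")
        elif m.group("ver") != upstream_version:
            problems.append(f"{name}: version does not match {upstream_version}")
    # 4. The upstream source must be tagged upstream/$version.
    if f"upstream/{upstream_version}" not in tags:
        problems.append(f"tag upstream/{upstream_version} is missing")
    return problems


def gather_from_git(repo, commit="HEAD", lfs_branch="pristine-lfs"):
    """Collect tracked paths, tags and tarball names from a checkout (assumed helper)."""
    def git(*args):
        out = subprocess.run(["git", "-C", repo, *args], check=True,
                             capture_output=True, text=True).stdout
        return out.splitlines()
    tracked = git("ls-tree", "-r", "--name-only", commit)
    tags = git("tag", "--list")
    try:
        # Assumption: pristine-lfs keeps the tarballs as files on this branch.
        tarballs = [p for p in git("ls-tree", "-r", "--name-only", lfs_branch)
                    if ".orig.tar." in p]
    except subprocess.CalledProcessError:
        tarballs = []
    return tracked, tags, tarballs


# Constructed inputs standing in for two repositories.
GOOD_TREE = (["debian/source/format", "debian/changelog", "src/main.c"],
             ["upstream/1.2.3", "debian/1.2.3-1"], "1.2.3", ["foo_1.2.3.orig.tar.xz"])
BAD_TREE = (["debian/patches/series", "debian/changelog", "src/main.c"],
            ["debian/1.2.3-1"], "1.2.3", ["foo_1.2.3.orig.tar.gz"])

if __name__ == "__main__":
    for label, args in (("good", GOOD_TREE), ("bad", BAD_TREE)):
        print(label, check_expectations(*args) or "OK")
```

Wiring this into a CI job before dpkg-buildpackage turns the "hardcoded expectations" into a readable failure message instead of a confusing build error.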

Implementing this as a dpkg source format allows for a better user experience. You can build a new source package both from the git repository and from an existing source package with dpkg-source/dpkg-buildpackage; no special tools or special targets in debian/rules are needed to manage the sources to be uploaded.

Open questions

  • Is it a good idea to implement a pretty specific set of requirements as dpkg source format and make it an interface?
  • Is enforcing a repository-based handling of upstream tarballs, for now only with pristine-lfs, a good idea?
  • Should it also handle debian version tags?

CryptogramLousy IoT Security

DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible:

In total, our researchers discovered five vulnerabilities of four different kinds:

  • Data exposure: PDF files of shared whiteboards (e.g. meeting notes) and other sensitive files (e.g., OTA -- over-the-air updates) were stored in a publicly accessible AWS S3 bucket that also lacked TLS encryption (CVE-2019-16270, CVE-2019-16274).
  • Unauthenticated web server: a web server running Android OS on port 8080 discloses all whiteboards stored locally on the device (CVE-2019-16271).
  • Arbitrary code execution: unauthenticated root shell access through Android Debug Bridge (ADB) leads to arbitrary code execution and system administration (CVE-2019-16273).
  • Access to Factory Settings: provides full administrative access and thus a covert ability to capture Windows host data from Android, including the Zoom meeting content (audio, video, screenshare) (CVE-2019-16272).

These aren't subtle vulnerabilities. These are stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the Internet of Things.

From a Wired article:

One issue that jumped out at the researchers: The DTEN system stored notes and annotations written through the whiteboard feature in an Amazon Web Services bucket that was exposed on the open internet. This means that customers could have accessed PDFs of each others' slides, screenshots, and notes just by changing the numbers in the URL they used to view their own. Or anyone could have remotely nabbed the entire trove of customers' data. Additionally, DTEN hadn't set up HTTPS web encryption on the customer web server to protect connections from prying eyes. DTEN fixed both of these issues on October 7. A few weeks later, the company also fixed a similar whiteboard PDF access issue that would have allowed anyone on a company's network to access all of its stored whiteboard data.


The researchers also discovered two ways that an attacker on the same network as DTEN devices could manipulate the video conferencing units to monitor all video and audio feeds and, in one case, to take full control. DTEN hardware runs Android primarily, but uses Microsoft Windows for Zoom. The researchers found that they can access a development tool known as "Android Debug Bridge," either wirelessly or through USB ports or ethernet, to take over a unit. The other bug also relates to exposed Android factory settings. The researchers note that attempting to implement both operating systems creates more opportunities for misconfigurations and exposure. DTEN says that it will push patches for both bugs by the end of the year.
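The ADB finding is the easiest of the four to check for on your own network, so here is an added example (not from Forescout's report or the Wired article) that speaks just enough of the ADB wire protocol to tell an open daemon from a locked one. An ADB message is a 24-byte header of six little-endian 32-bit words (command, arg0, arg1, data length, data checksum, and a magic word equal to command XOR 0xffffffff) followed by the payload; a client opens with CNXN, and a daemon that answers with its own CNXN has accepted the session without authentication, whereas one that answers AUTH is demanding an RSA challenge. The two sample replies are constructed, and probe() is the assumed network wrapper for a real host (ADB over TCP conventionally listens on 5555); it is not exercised offline.

```python
"""Tell an unauthenticated adbd from one that requires RSA auth.

Added example, not from the report. Implements the ADB message framing
(six little-endian u32 header + payload) and a CNXN handshake classifier.
probe() is an assumed wrapper for use against a live host.
"""
import socket
import struct

HEADER = struct.Struct("<6I")              # command, arg0, arg1, len, check, magic
A_CNXN = 0x4E584E43                        # b"CNXN" read as a little-endian word
A_AUTH = 0x48545541                        # b"AUTH"
A_VERSION = 0x01000000                     # protocol version sent in CNXN arg0
MAX_PAYLOAD = 4096                         # CNXN arg1
AUTH_TOKEN = 1                             # AUTH arg0 when the daemon sends a challenge


def build_message(command, arg0, arg1, data=b""):
    """Serialise one ADB message; the check field is the byte sum of the payload."""
    return HEADER.pack(command, arg0, arg1, len(data), sum(data) & 0xFFFFFFFF,
                       command ^ 0xFFFFFFFF) + data


def build_cnxn(banner=b"host::\x00"):
    """The connect request a client sends first; the banner names us as a host."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, banner)


def parse_message(buf):
    """Split a buffer into (command, arg0, arg1, payload); raise on a bad frame."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    cmd, a0, a1, length, _check, magic = HEADER.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF:
        raise ValueError("magic does not match command; not an ADB message")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return cmd, a0, a1, payload


def classify_reply(buf):
    """Label the daemon's first reply to our CNXN."""
    cmd, a0, _a1, payload = parse_message(buf)
    if cmd == A_CNXN:
        # No AUTH round trip: whoever reaches the port gets the shell.
        banner = payload.rstrip(b"\x00").decode("ascii", "replace")
        return "unauthenticated", banner
    if cmd == A_AUTH and a0 == AUTH_TOKEN:
        return "auth-required", f"{len(payload)}-byte token"
    return "unknown", hex(cmd)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe(host, port=5555, timeout=3.0):
    """Send CNXN to a live host and classify the answer (network; assumed usage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cnxn())
        head = _recv_exact(s, HEADER.size)
        length = HEADER.unpack(head)[3]
        return classify_reply(head + _recv_exact(s, length))


# Constructed replies standing in for an open device and a locked one.
OPEN_DEVICE_REPLY = build_message(A_CNXN, A_VERSION, MAX_PAYLOAD,
                                  b"device::ro.product.name=whiteboard;\x00")
LOCKED_DEVICE_REPLY = build_message(A_AUTH, AUTH_TOKEN, 0, b"\x11" * 20)

if __name__ == "__main__":
    print(classify_reply(OPEN_DEVICE_REPLY))
    print(classify_reply(LOCKED_DEVICE_REPLY))
```

An "unauthenticated" result is the same condition Forescout reported: the daemon handed out a session to an unknown host, and on a device where adbd runs as root that is a root shell for anyone on the segment. The classifier does not send any command after CNXN, so it is safe to run as an inventory check.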

Boing Boing article.

CryptogramAttacker Causes Epileptic Seizure over the Internet

This isn't a first, but I think it will be the first conviction:

The GIF set off a highly unusual court battle that is expected to equip those in similar circumstances with a new tool for battling threatening trolls and cyberbullies. On Monday, the man who sent Eichenwald the moving image, John Rayne Rivello, was set to appear in a Dallas County district court. A last-minute rescheduling delayed the proceeding until Jan. 31, but Rivello is still expected to plead guilty to aggravated assault. And he may be the first of many.

The Epilepsy Foundation announced on Monday it lodged a sweeping slate of criminal complaints against a legion of copycats who targeted people with epilepsy and sent them an onslaught of strobe GIFs -- a frightening phenomenon that unfolded in a short period of time during the organization's marking of National Epilepsy Awareness Month in November.


Rivello's supporters -- among them, neo-Nazis and white nationalists, including Richard Spencer -- have also argued that the issue is about freedom of speech. But in an amicus brief to the criminal case, the First Amendment Clinic at Duke University School of Law argued Rivello's actions were not constitutionally protected.

"A brawler who tattoos a message onto his knuckles does not throw every punch with the weight of First Amendment protection behind him," the brief stated. "Conduct like this does not constitute speech, nor should it. A deliberate attempt to cause physical injury to someone does not come close to the expression which the First Amendment is designed to protect."

Another article.

EDITED TO ADD(12/19): More articles.

Worse Than FailureLying Metrics

Locator LED

Our anonymous submitter—we'll call him Russell—was a senior engineer supporting an equally anonymous web service that was used by his company's desktop software for returning required data. Russell had a habit of monitoring the service's performance each day, always on the lookout for trouble. One fateful morning, the anomalies piled on thick.

Over the past 24 hours, the host server's average response time had halved, and yet the service was also suddenly dealing with four times as many requests as usual. Average CPU and memory usage on the server had doubled, as had the load on the Oracle host. Even stranger, there was no increase in server errors.

Russell couldn't imagine what might've happened, as no changes had been deployed. However, his product team had recently committed to reducing average server response time. It was possible that someone else had modified an upstream service or some database queries. He emailed the rest of the team and other teams he worked closely with, detailing what he'd seen and asking whether anyone had any pertinent information.

The response from the engineers was basically, Hmm, odd. No, we didn't change anything. The response from the product architects really shouldn't have surprised Russell, given he'd been working in enterprise for nearly 20 years. The reply-all frenzy can be summed up as, You mean we've already fulfilled our commitment to reduce average response time?! LET'S FIRE OFF A SELF-CONGRATULATORY COMPANY-WIDE EMAIL!!!

Upon seeing this, Russell immediately replied: Hold on, let's try to find out what's happening here first.

Unfortunately, he was too late to stop the announcement, but that didn't stop him from investigating further. He remembered that their default monitoring of server errors filtered out 404s. Upon turning off that filter, he found that the number of 404s thrown by the server roughly matched the number of additional requests. Previously, average response time had been around 100ms; at present, it was about 45ms. This "triumph" hid the fact that the numerous 404s were processed in about 10ms each, while the non-404 requests were processed in about 150ms each—50% slower than usual. In other words, the web service's performance had been seriously degraded.
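The arithmetic of that "triumph" is worth seeing in code, so here is an added example (not the monitoring the company in the story actually ran): a per-status-class breakdown of an access log that refuses to drop 404s, plus the alert Russell would have wanted. The log lines are constructed to match the story's proportions, 100 real requests at 150 ms and 300 spurious ones answered 404 in 10 ms, so the overall mean collapses to 45 ms while the real work got slower. The log line format (timestamp, path, status, latency in ms) is an assumption.

```python
"""Per-status-class latency summary that exposes a 'faster' mean hiding a regression.

Added example, not from the story. Log format (timestamp path status NNNms)
is assumed; the sample log is constructed to mirror the story's numbers.
"""
import re
from collections import defaultdict
from statistics import mean

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms$")


def parse_log(text):
    """Yield (path, status, latency_ms) tuples, skipping lines that don't parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("path"), int(m.group("status")), int(m.group("ms"))


def summarize(records):
    """Overall mean plus per-status-class count and mean; 404s are NOT filtered out."""
    by_class = defaultdict(list)
    all_ms = []
    for _path, status, ms in records:
        by_class[f"{status // 100}xx"].append(ms)
        all_ms.append(ms)
    return {
        "overall_mean_ms": mean(all_ms),
        "classes": {cls: {"count": len(v), "mean_ms": mean(v)}
                    for cls, v in sorted(by_class.items())},
    }


def flag_masked_regression(summary, baseline_2xx_ms, max_4xx_share=0.1):
    """True when successful requests got slower than baseline while 4xx traffic
    makes up enough of the mix to drag the headline mean down."""
    classes = summary["classes"]
    total = sum(c["count"] for c in classes.values())
    share_4xx = classes.get("4xx", {"count": 0})["count"] / total
    real_mean = classes.get("2xx", {"mean_ms": 0})["mean_ms"]
    return share_4xx > max_4xx_share and real_mean > baseline_2xx_ms


def constructed_log():
    """Constructed sample: 100 successful lookups at 150 ms, 300 404s at 10 ms."""
    lines = [f"2019-12-18T09:{i // 60:02d}:{i % 60:02d}Z /lookup 200 150ms"
             for i in range(100)]
    lines += [f"2019-12-18T10:{i // 60:02d}:{i % 60:02d}Z /lookup 404 10ms"
              for i in range(300)]
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(parse_log(constructed_log()))
    print("overall mean:", s["overall_mean_ms"], "ms")
    for cls, stats in s["classes"].items():
        print(f"  {cls}: {stats['count']} requests, mean {stats['mean_ms']} ms")
    print("masked regression:", flag_masked_regression(s, baseline_2xx_ms=100))
```

Two design choices matter here. Segmenting by status class (or better, by endpoint and class) before averaging is what makes the 150 ms visible at all; and the alert keys on the 2xx mean against a baseline rather than on the headline number, so a flood of cheap errors cannot make the dashboard go green. For production use, replace the mean with percentiles, which are even less forgiving of this kind of mix shift.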

Russell dug further to figure out who was performing this low-key DDoS attack. The requests were authenticated, so he knew the calls were coming from inside the house. He managed to trace them to another product within his company. This product had to make a request to his web service in about 1% of their sessions, but that considerably slowed down their handling of those particular sessions. As a result, someone had modified the product to fire off an asynchronous request to Russell's service for every session, simply ignoring the response if it was a 404.

Russell emailed his findings to his team, but received no reply. Feeling bold, he directly contacted the project manager of the offending product. This led to the biggest WTF of all: the PM apologized and got the change rolled back right away. By the next day, everything was back to normal—but the product architects were angry over the embarrassment caused by their own premature celebration. They were likely also miffed about being forced to find real ways of improving average server response time. Their misplaced ire led to Russell being fired a short time later.

However, our story has a happy ending. The super-responsive product team hired Russell back on after a couple of months, with a 25% pay raise. He retained seniority, and was allowed to keep his former benefits as well as his severance package. In the end, the forces that'd sought to be rid of him had only succeeded in giving him a highly-paid vacation.



Sociological Images: Venti Voting?

I just wrapped up my political sociology class for the semester. We spent a lot of time talking about conflict and polarization, reading research on why people avoid politics, the spread of political outrage, and why exactly liberals drink lattes. When we become polarized, small choices in culture and consumption—even just a cup of coffee—can become signals for political identities. 

After the liberals and lattes piece, one of my students wrote a reflection memo and mentioned a previous instructor telling them which brand of coffee to drink if they wanted to support a certain political party. This caught my attention, because (at least in the student’s recollection) the instructor was completely wrong. This led to a great discussion about corporate political donations, especially how frequent contributions often go bipartisan.

But where does your money go when you buy your morning coffee? Thanks to open-access data on political contributions, we can look at the partisan lean of the top four largest coffee chains in the United States.

Starbucks’ swing to the left is notable here, as is the rightward spike in Dunkin’s donations in the 2014 midterms. While these patterns tend to follow the standard corporate image for each, it is important to remember that even chains that lean one way still mix their donations. In midterm years like 2012 and 2014, about 20% of Starbucks’ donations went to Republicans.

One side effect of political polarization is that corporate politics don’t always follow cultural codes. For another good recent example of this, see Chick-fil-A reconsidering its donation policies.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.


Worse Than Failure: Shining Brillance

Jarad was still recovering from his encounter with Intelligenuity’s most “brillant” programmer, Keisha, when a new hire, Aaron, showed up at Jarad’s office.

The large project that dominated their timelines remained their efforts to migrate from .NET to Java, but Aaron was hired to keep the .NET side of things on track, handling bugs, new features that were desperately needed, and just general maintenance. It was made emphatically clear by the project managers that hiring more .NET developers was not an admission that the conversion to Java had failed, but would “free up resources” to better focus on the Java side of things.

Aaron moved fast to establish himself. He scheduled a presentation in the first week. He was vague about what, exactly, the presentation was about ahead of time. So, when the lights came down and the projector lit up, everyone was a bit surprised to see their .NET code in his slides.

“This,” he explained, “is our application code. I wanted to give you a walk through the code, so we all as a team have a better understanding.”

Jarad and his co-workers exchanged glances, silently wondering if this was for real. Was Aaron really about to explain the code they had written to them?

“This line here,” Aaron said, pointing to a for loop, “is an interesting construct. It will repeat the code which follows to be repeated once for each element in the array.” A few slides later, highlighting a line which read, x = new AccountModel(), Aaron explained, “This creates an instance of an account model object. The instance is of the class, while the class defines what is common across all objects.”

That hour long meeting was one of the longest hours of Jarad’s life. It was a perfect storm of tedium, insult, and incompetence.

Afterwards, Jarad grabbed his manager, Regine. “Like, do you think Aaron is going to actually be a good fit?”

“Oh, I’m sure he’ll be fine. Look how well he understands our code already!”

That laid out the pattern of working with Aaron. During one team meeting, the team got sidetracked discussing the best approach to managing a very specific exception in a very specific section of their code. Fifteen minutes after the meeting, Aaron followed up with an email: “Re: Exception Handling”, which consisted of a bad paraphrase of the Exception class documentation from the MSDN site. Another day, during another meeting, someone mentioned concurrency, so Aaron followed up with an email that broadly plagiarized a Stack Overflow post describing the ProcessThread object.

And, on each one of those emails, Regine and several other project managers were CCed. The result was that the management team felt that Aaron was a great communicator, who constantly was adding value to the team. He was a mentor. An asset. The kind of person that should be invited to every one of the project management meetings, because he was extremely technical but also the kind of communicator and go-getter that had management written all over him.

Among the developers, Aaron’s commits were a running joke. He submitted non-working code, code that violated every standard practice and styleguide entry they used, code without tests, code with tests that would pass no matter what happened, code that didn’t compile, and code that was clearly copy/pasted from a tutorial without bothering to try and fix the indentation.

It was no surprise then, that a few months later, Aaron announced that he was now a “System Architect”, a role that did not actually exist in their org-chart, but Aaron assured them meant he could tell them how to write software. Jarad went to Regine, along with a few other developers, and raised their concerns. Specifically: Aaron had invented a new job role and was claiming authority he didn’t have, he didn’t have the seniority for a promotion at this time, he didn’t actually know what he was doing, and he was killing team morale.

“Are you familiar with the crab mentality?” Regine asked. “I’m concerned that you’re being poor team players and a negative influence. You should be happy for Aaron’s success, because it reflects on how good our team is!”

Jarad and the rest of the team soon discovered that Regine was right. Now that Aaron was a “System Architect” he was too busy building presentations, emailing barely comprehensible and often inaccurate summaries of documentation, and scheduling meetings to actually write any code. Team performance improved, and it was trivial to configure one’s inbox to spam Aaron’s messages.

Aaron’s “communication style” kept getting him scheduled to do more presentations where he could explain simple programming concepts to different layers of management. The general consensus was that they didn’t understand what he was talking about, but he must be very smart to talk about it with a PowerPoint deck.

After their next release of their .NET product, Aaron scheduled a meeting with some of the upper tier management to review the project. He once again dazzled them with his explanation of the difference between an object and a class, with a brief foray into the difference between reference and value types, and then followed up with an email, thanking them all for their time.

On this email, he CCed the VP of the company.

The VP of the company was also one of the founders, and was a deeply technical person. She never related her reasoning to anyone, but based on Aaron’s email, she scheduled a meeting with him. It was no trick finding out that the meeting was going to take place: Aaron made sure to let everyone on the team know. “I have to block off everything from 3PM on Thursday, because I have a meeting with the VP.” “Can we table that? It’s probably best if we discuss after my meeting with the VP.” “I’ll be back later, it’s time for my meeting with the VP.”

No one knows exactly what happened in that meeting. What was said or done is between Aaron and the VP. But 45 minutes later, both Aaron and the VP walked onto the developers’ floor. Aaron was watching his shoes, and the VP was staring daggers at the back of his neck. She marched Aaron into Regine’s office, and closed the door. For the next twenty minutes, the VP vented her frustration. When her voice got raised, words like “enabling” and “incompetence” and “inappropriate” and “hiring practices” leaked out.

The VP stormed back out, leaving Regine and Aaron to discuss Aaron’s severance. That was the last day anyone saw Aaron.

Well, until Jarad started thinking about attending a local tech conference. Aaron, as it turns out, will be one of the speakers, discussing some “cutting edge” .NET topics.



Krebs on Security: Nuclear Bot Author Arrested in Sextortion Case

Last summer, a wave of sextortion emails began flooding inboxes around the world. The spammers behind this scheme claimed they’d hacked your computer and recorded videos of you watching porn, and promised to release the embarrassing footage to all your contacts unless a bitcoin demand was paid. Now, French authorities say they’ve charged two men they believe are responsible for masterminding this scam. One of them is a 21-year-old hacker interviewed by KrebsOnSecurity in 2017 who openly admitted to authoring a banking trojan called “Nuclear Bot.”

On Dec. 15, the French news daily Le Parisien published a report stating that French authorities had arrested and charged two men in the sextortion scheme. The story doesn’t name either individual, but rather refers to one of the accused only by the pseudonym “Antoine I.,” noting that his first name had been changed (presumably to protect his identity because he hasn’t yet been convicted of a crime).

“According to sources close to the investigation, Antoine I. surrendered to the French authorities at the beginning of the month, after being hunted down all over Europe,” the story notes. “The young Frenchman, who lived between Ukraine, Poland and the Baltic countries, was indicted on 6 December for ‘extortion by organized gang, fraudulent access to a data processing system and money laundering.’ He was placed in pre-trial detention.”

According to Le Parisien, Antoine I. admitted to being the inventor of the initial 2018 sextortion scam, which was subsequently imitated by countless other ne’er-do-wells. The story says the two men deployed malware to compromise at least 2,000 computers that were used to blast out the sextortion emails.

While that story is light on details about the identities of the accused, an earlier version of it published Dec. 14 includes more helpful clues. The Dec. 14 piece said Antoine I. had been interviewed by KrebsOnSecurity in April 2017, where he boasted about having created Nuclear Bot, a malware strain designed to steal banking credentials from victims.

My April 2017 exposé featured an interview with Augustin Inzirillo, a young man who came across as deeply conflicted about his chosen career path. That path became traceable after he released the computer code for Nuclear Bot on GitHub. Inzirillo outed himself by defending the sophistication of his malware after it was ridiculed by both security researchers and denizens of the cybercrime underground, where copies of the code wound up for sale. From that story:

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat.

Inzirillo released the code on GitHub with a short note explaining his motivations, and included a contact email address at a domain ( set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Daniel, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

If Augustin Inzirillo ever did truly desire to change his ways, it wasn’t clear from his apparent actions last summer: The Le Parisien story says the sextortion scams netted the Frenchman and his co-conspirator at least a million Euros.

In August 2018, KrebsOnSecurity was contacted by a researcher working with French authorities on the investigation who said he suspected the young man was bragging on Twitter that he used a custom version of Nuclear Bot dubbed “TinyNuke” to steal funds from customers of French and Polish banks.

The source said this individual used the now-defunct Twitter account @tiny_gang1 to taunt French authorities, while showing off a fan of 100-Euro notes allegedly gained from his illicit activities (see image above). It seemed to the source that Inzirillo wanted to get caught, because at one point @tiny_gang1 even privately shared a copy of Inzirillo’s French passport to prove his identity and accomplishments to the researcher.

“He modified the Tinynuke’s config several times, and we saw numerous modifications in the malware code too,” the source said. “We tried to compare his samples with the leaked code available on GitHub and we noticed that the guy actually was using a more advanced version with features that don’t exist in the publicly available repositories. As an example, custom samples have video recording functionality, socks proxy and other features. So the guy clearly improved the source code and recompiled a new version for every new campaign.”

The source said the person behind the @tiny_gang Twitter account attacked French targets with custom versions of TinyNuke in one to three campaigns per week earlier this year, harvesting French bank accounts and laundering the stolen funds via a money mule network based mostly in the United Kingdom.

“If the guy behind this campaign is the malware author, it could easily explain the modifications happening with the malware, and his French is pretty good,” the researcher told KrebsOnSecurity. “He’s really provocative and I think he wants to be arrested in France because it could be a good way to become famous and maybe prove that his malware works (to resell it after?).”

The source said the TinyNuke author threatened him with physical harm after the researcher insulted his intelligence while trying to goad him into disclosing more details about his cybercrime activities.

“The guy has a serious ego problem,” the researcher said. “He likes when we talk about him and he hates when we mock him. He got really angry as time went by and started personally threatening me. In the last [TinyNuke malware configuration file] targeting Poland we found a long message dedicated to me with clear physical threats.”

All of the above is consistent with the findings detailed in the Le Parisien report, which quoted French investigators saying Antoine I. in October 2019 used a now-deleted Twitter account to taunt the authorities into looking for him. In one such post, he included a picture of himself holding a beer, saying: “On the train to Naples. You should send me a registered letter instead of threatening guys informally.”

The Le Parisien story also said Antoine I. threatened a researcher working with French authorities on the investigation (the researcher is referred to pseudonymously as “Marc”).

“I make a lot more money than you, I am younger, more intelligent,” Antoine I. reportedly wrote in July 2018 to Marc. “If you do not stop playing with me, I will put a bullet in your head.”

French authorities say the defendant managed his extortion operations while traveling throughout Ukraine and other parts of Eastern Europe. But at some point he decided to return home to France, despite knowing investigators there were hunting him. According to Le Parisien, he told the French authorities he wanted to cooperate in the investigation and that he no longer wished to live like a fugitive.

Cryptogram: Iranian Attacks on Industrial Control Systems

New details:

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That's generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.


The hackers' motivation -- and which industrial control systems they've actually breached -- remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. "They're going after these producers and manufacturers of control systems, but I don't think they're the end targets," says Moran. "They're trying to find the downstream customer, to find out how they work and who uses them. They're looking to inflict some pain on someone's critical infrastructure that makes use of these control systems."

It's unclear whether the attackers are causing any actual damage, or just gaining access for some future use.

Worse Than Failure: CodeSOD: We Go to School

Sometimes, it feels like any programming question you might have has a thread on StackOverflow. It might not have an answer, but it’s probably there. Between that, online guidebooks, tools with decent documentation, and YouTube programming tutorials, there are a lot of great ways to learn how to solve any given programming task.

Andreas R had a programming task. Specifically, Andreas wanted to create sortable tables that worked like those on MediaWiki sites. A quick google for “sort html table” turned up a source which offered… this.

function sortTable() {
  var table, rows, switching, i, x, y, shouldSwitch;
  table = document.getElementById("myTable");
  switching = true;
  /* Make a loop that will continue until
  no switching has been done: */
  while (switching) {
    // Start by saying: no switching is done:
    switching = false;
    rows = table.rows;
    /* Loop through all table rows (except the
    first, which contains table headers): */
    for (i = 1; i < (rows.length - 1); i++) {
      // Start by saying there should be no switching:
      shouldSwitch = false;
      /* Get the two elements you want to compare,
      one from current row and one from the next: */
      x = rows[i].getElementsByTagName("TD")[0];
      y = rows[i + 1].getElementsByTagName("TD")[0];
      // Check if the two rows should switch place:
      if (x.innerHTML.toLowerCase() > y.innerHTML.toLowerCase()) {
        // If so, mark as a switch and break the loop:
        shouldSwitch = true;
        break;
      }
    }
    if (shouldSwitch) {
      /* If a switch has been marked, make the switch
      and mark that a switch has been done: */
      rows[i].parentNode.insertBefore(rows[i + 1], rows[i]);
      switching = true;
    }
  }
}

This code works, for very limited values of “works”. It works by doing a bubble sort until we stop swapping entries. It always skips the first row, under the assumption that we’re looking at a table with headers. It only ever sorts by the first column. It does all the sorting directly in the DOM, which is a great way to really add some overhead to your data manipulation.
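For contrast, here is what the same task looks like when the data is sorted instead of the DOM. This is an added example, not code from the post or from the tutorial it quotes: it reads each row's cells once, compares numbers as numbers and strings case-insensitively, keeps ties in their original order, sorts any column in either direction, and moves the existing row nodes in a single pass. The DOM glue at the end assumes a browser table; the sorting functions run anywhere.

```javascript
// Added example, not from the original post or the tutorial it quotes:
// sort the data, not the DOM, pick any column, compare numbers as numbers.

// Return the cell string at `column`, or "" when the row is short.
function cellAt(cells, column) {
  return column < cells.length ? String(cells[column]) : "";
}

// Numeric comparison when both cells parse as numbers, otherwise a
// case-insensitive string comparison. (The quoted code compares raw
// innerHTML, so "10" sorts before "9" and any markup in a cell takes
// part in the ordering.)
function compareCells(a, b) {
  const na = Number(a), nb = Number(b);
  const numeric = a.trim() !== "" && b.trim() !== "" &&
    !Number.isNaN(na) && !Number.isNaN(nb);
  if (numeric) return na - nb;
  return a.localeCompare(b, undefined, { sensitivity: "base" });
}

// Sorted order of `rows` (array of arrays of cell strings, header
// excluded) as an array of original indices. Stable: ties keep their
// original order, so sorting by a second column refines the first.
function sortOrder(rows, column, descending = false) {
  const idx = rows.map((_, i) => i);
  idx.sort((p, q) => {
    const c = compareCells(cellAt(rows[p], column), cellAt(rows[q], column));
    if (c !== 0) return descending ? -c : c;
    return p - q;
  });
  return idx;
}

function sortRows(rows, column, descending = false) {
  return sortOrder(rows, column, descending).map(i => rows[i]);
}

// Browser glue (assumes a DOM; not exercised in Node): read each row's
// cells once via textContent, sort the indices, then move the existing
// <tr> nodes into place. One pass over the DOM instead of one per swap.
function sortTableByColumn(table, column, descending = false) {
  const tbody = table.tBodies[0] || table;
  const trs = Array.from(tbody.rows).filter(tr => tr.querySelector("td"));
  const data = trs.map(tr => Array.from(tr.cells).map(td => td.textContent.trim()));
  for (const i of sortOrder(data, column, descending)) {
    tbody.appendChild(trs[i]); // appendChild moves a node already in the tree
  }
}

// Constructed sample data for a stand-alone run.
const SAMPLE = [
  ["banana", "3"],
  ["Apple", "10"],
  ["cherry", "2"],
  ["apple", "1"],
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(sortRows(SAMPLE, 0));
  console.log(sortRows(SAMPLE, 1));
}
```

Sorting SAMPLE by the second column yields 1, 2, 3, 10 rather than the 1, 10, 2, 3 that a string comparison produces, and the first column sorts "Apple" and "apple" together with their original relative order preserved. Reading textContent rather than innerHTML also means the comparison never sees markup, which matters as soon as cells contain links or formatting.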

There are a lot of shady, skeevy tutorial sites, and some of them are really good at search engine optimization. This is one of those. It’s the sort of site anyone with any experience knows is a bad source, but those without that experience are left to learn the hard way.

TRWTF are sites that spend more time and energy on SEO than on providing helpful content. At least when we share bad code, we know it’s bad, and so does our audience.


Krebs on Security: Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.

The message displayed at the top of the Maze Ransomware public shaming site.

Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.

“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”

KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.

The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.

As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.

“For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released,” said Lawrence Abrams, founder of the computer security blog and victim assistance site “While it has been a well-known secret that ransomware actors snoop through victim’s data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it.”

Abrams said that changed at the end of last month, when the crooks behind Maze Ransomware threatened Allied Universal that if they did not pay the ransom, they would release their files. When they did not receive a payment, they released 700MB worth of data on a hacking forum.

“Ransomware attacks are now data breaches,” Abrams said. “During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets after reading the company’s files. Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out. Now that ransomware operators are releasing victim’s data, this will need to change and companies will have to treat these attacks like data breaches.”

The move by Maze Ransomware comes just days after the cybercriminals responsible for managing the “Sodinokibi/rEvil” ransomware empire posted on a popular dark Web forum that they also plan to start using stolen files and data as public leverage to get victims to pay ransoms.

The leader of the Sodinokibi/rEvil ransomware gang promising to name and shame victims publicly in a recent cybercrime forum post. Image: BleepingComputer.

This is especially ghastly news for companies that may already face steep fines and other penalties for failing to report breaches and safeguard their customers’ data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services, which often documents breaches involving lost or stolen healthcare data on its own site.

While these victims may be able to avoid reporting ransomware incidents if they can show forensic evidence demonstrating that patient data was never taken or accessed, sites like the one that Maze Ransomware has now erected could soon dramatically complicate these incidents.

Cory Doctorow: Party Discipline, a Walkaway story (Part 3)

In my latest podcast (MP3), I continue my serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

Here’s part 1 of the reading and here’s part 2.

We told them they could go home if they didn’t want to risk coming to the Communist party, but we told them that after we told them that they were the only kids in the whole school we trusted enough to invite to it, and made sure they all knew that if they backed out, there’d be no hard feelings—and no chance to change their mind later tonight when they were at a corny party with a bunch of kids instead of making glorious revolution.

Every one of them said they’d come.

I’d found an all-ages show in Encino that night, two miles from Steelbridge, Antoine’s old job. We got piled into Ubers heading for the club, chatting about inconsequentialities for the in-car cameras and mics, and every one of us paid cover for the club, making sure to use traceable payment systems that would alibi us as having gone in for the night. Then we all met in the back alley, letting ourselves out of the fire-doors in ones and twos. I did a head-count to make sure we were all there, squashed together in a spot out of view of the one remaining camera back there (I’d taken out the other one the day before, wearing a hoodie and gloves, sliding along the wall so that I was out of its range until I was reaching up to smear it with some old crank-case oil).

We hugged the wall until we were back out into the side streets. All our phones were off and bagged, and everyone had maps that used back streets without cameras to get to Steelbridge. We strung out in groups of two to five, at least half a block between us, so no one would see a big group of kids Walking While Brown and call in the cops.



Krebs on Security: Inside ‘Evil Corp,’ a $100M Cybercrime Menace

The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.

Image: FBI

The $5 million reward is being offered for 32-year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex“) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.

From 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply of unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer funds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These accomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by email and to people who have submitted their resumes to job search Web sites.

Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. People who bite on these offers sometimes receive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised payday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more on that in a moment).


KrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said they’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule recruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked businesses.

The source also discovered a pattern in the naming convention and appearance of several money mule recruitment Web sites being operated by Aqua. People who responded to recruitment messages were invited to create an account at one of these sites, enter personal and bank account data (mules were told they would be processing payments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new messages.

Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

One of several sites set up by Aqua and others to recruit and manage money mules.

When it came time to transfer stolen funds, the recruiters would send a message through the mule site saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.
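The weakness described here is a textbook missing-authorization bug: the site checked that a visitor was logged in, but never that the message they asked for was theirs. The following is an added example, not the mule sites' code (which is not public): a constructed in-memory message store with the broken lookup next to the fixed one, plus a small regression check that a reviewer could keep in a test suite to catch the same mistake elsewhere.

```javascript
// Added example (not from the article; the mule sites' real code is not
// public): the missing ownership check, shown as the broken handler next
// to the fixed one, over a constructed in-memory message store.

// Constructed data. Sequential ids, two users.
const MESSAGES = [
  { id: 1, ownerId: 101, body: "Welcome. Log in daily to check for tasks." },
  { id: 2, ownerId: 102, body: "Our client is sending you some money today." },
  { id: 3, ownerId: 101, body: "Please confirm your bank details." },
];

// Broken: authentication only. Any logged-in user who changes the id in
// the URL reads someone else's message, which is exactly how these sites
// leaked every mule's instructions.
function getMessageInsecure(db, session, id) {
  if (!session || !session.userId) return { status: 401 };
  const m = db.find(x => x.id === id);
  return m ? { status: 200, message: m } : { status: 404 };
}

// Fixed: authorization is part of the lookup, so a record is returned only
// when it belongs to the caller. A foreign id and a missing id both get
// 404, so the response does not confirm which ids exist.
function getMessageSecure(db, session, id) {
  if (!session || !session.userId) return { status: 401 };
  const m = db.find(x => x.id === id && x.ownerId === session.userId);
  return m ? { status: 200, message: m } : { status: 404 };
}

// Regression check: for every message and every known user, a handler
// may return 200 only to the owner. True means the handler leaks.
function leaksCrossUser(handler, db) {
  const users = [...new Set(db.map(m => m.ownerId))];
  for (const m of db) {
    for (const userId of users) {
      const r = handler(db, { userId }, m.id);
      if (r.status === 200 && userId !== m.ownerId) return true;
    }
  }
  return false;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("insecure leaks:", leaksCrossUser(getMessageInsecure, MESSAGES));
  console.log("secure leaks:", leaksCrossUser(getMessageSecure, MESSAGES));
}
```

The fix is deliberately in the query rather than in a separate check after fetching the record: scoping every lookup to the caller's identity is harder to forget than a post-fetch comparison, and it is the same pattern whether the store is an array, an ORM call or a parameterized SQL query with a WHERE owner_id = ? clause.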

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

Messages to and from a money mule working for Aqua’s crew, circa May 2011.

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).

Collectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.


According to the U.S. Justice Department, Yakubets/Aqua served as leader of Evil Corp. and was responsible for managing and supervising the group’s cybercrime activities in deploying and using the Jabberzeus and Dridex banking malware. The DOJ notes that prior to serving in this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy “Slavik” Bogachev, a previously designated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes who currently has a $3 million FBI bounty on his head.

Evgeniy M. Bogachev, in undated photos.

As noted in previous stories here, during times of conflict with Russia’s neighbors, Slavik was known to retool his crime machines to search for classified information on victim systems in regions of the world that were of strategic interest to the Russian government – particularly in Turkey and Ukraine.

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,” reads a 2017 story from The Register on security firm Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.”

This is interesting because the U.S. Treasury Department says Yakubets as of 2017 was working for the Russian FSB, one of Russia’s leading intelligence organizations.

“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB,” notes a statement from the Treasury.

The Treasury Department’s role in this action is key because it means the United States has now imposed economic sanctions on Yakubets and 16 accused associates, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with these individuals.

The Justice Department’s criminal complaint against Yakubets (PDF) mentions several intercepted chat communications between Aqua and his alleged associates in which they puzzle over why KrebsOnSecurity seemed to know so much about their internal operations and victims. In the following chat conversations (translated from Russian), Aqua and others discuss a story I wrote for The Washington Post in 2009 about their theft of hundreds of thousands of dollars from the payroll accounts of Bullitt County, Ky:

tank: [Are you] there?
indep: Yeah.
indep: Greetings.
tank: This is still about me.
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: He is the account from which we cashed.
tank: Today someone else send this news.
tank: I’m reading and thinking: Let me take a look at history. For some reason this name is familiar.
tank: I’m on line and I’ll look. Ah, here is this shit.
indep: How are you?
tank: Did you get my announcements?
indep: Well, I congratulate [you].
indep: This is just fuck when they write about you in the news.
tank: Whose [What]?
tank: 😀
indep: Too much publicity is not needed.
tank: Well, so nobody knows who they are talking about.

tank: Well, nevertheless, they were writing about us.
aqua: So because of whom did they lock Western Union for Ukraine?
aqua: Tough shit.
tank: *************Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
aqua: So?
aqua: This is the court system.
tank: Shit.
tank: Yes
aqua: This is why they fucked [nailed?] several drops.
tank: Yes, indeed.
aqua: Well, fuck. Hackers: It’s true they stole a lot of money.

At roughly the same time, one of Aqua’s crew had a chat with Slavik, who used the nickname “lucky12345” at the time:

tank: Are you there?
tank: This is what they damn wrote about me.
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank: 😀
lucky12345: It’s fucked.

On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters – a crook who used the pseudonym “Jim Rogers” — somehow learned about something I hadn’t shared beyond a few trusted friends at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”:

jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us no one reads his column 🙂

tank: Mr. Fucking Brian Fucking Kerbs!

In March 2010, Aqua would divulge in an encrypted chat that his crew was working directly with the Zeus author (Slavik/Lucky12345), but that they found him abrasive and difficult to tolerate:

dimka: I read about the king of seas, was it your handy work?
aqua: what are you talking about? show me
dimka: zeus
aqua: 🙂
aqua: yes, we are using it right now
aqua: its developer sits with us on the system
dimka: it’s a popular thing
aqua: but, he, fucker, annoyed the hell out of everyone, doesn’t want to write bypass of interactives (scans) and trojan penetration 35-40%, bitch
aqua: yeah, shit
aqua: we need better
aqua: read it 🙂 here you find almost everything about us 🙂
dimka: I think everything will be slightly different, if you think so
aqua: we, in this system, the big dog, the rest on the system are doing small crap

Later that month, Aqua bemoaned even more publicity about their work, pointing to a KrebsOnSecurity story about a sophisticated attack in which their malware not only intercepted a one-time password needed to log in to the victim’s bank account, but even modified the bank’s own Web site as displayed in the victim’s browser to point to a phony customer support number.

Ironically, the fake bank phone number was what tipped off the victim company employee. In this instance, the victim’s bank — Fifth Third Bank (referred to as “53” in the chat below) was able to claw back the money stolen by Aqua’s money mules, but not funds that were taken via fraudulent international wire transfers. The cybercriminals in this chat also complain they will need a newly-obfuscated version of their malware due to public exposure:

aqua: tomorrow, everything should work.
aqua: fuck, we need to find more socks for spam.
aqua: okay, so tomorrow Petro [another conspirator who went by the nickname Petr0vich] will give us a [new] .exe
jtk: ok
jim_rogers: this one doesn’t work
jim_rogers: here it’s written about my transfer from 53. How I made a number of wires like it said there. And a woman burnt the deal because of a fake phone number.


In tandem with the indictments against Evil Corp, the Justice Department joined with officials from Europol to execute a law enforcement action and public awareness campaign to combat money mule activity.

“More than 90% of money mule transactions identified through the European Money Mule Actions are linked to cybercrime,” Europol wrote in a statement about the action. “The illegal money often comes from criminal activities like phishing, malware attacks, online auction fraud, e-commerce fraud, business e-mail compromise (BEC) and CEO fraud, romance scams, holiday fraud (booking fraud) and many others.”

The DOJ said U.S. law enforcement disrupted mule networks that spanned from Hawaii to Florida and from Alaska to Maine. Actions were taken to halt the conduct of over 600 domestic money mules, including 30 individuals who were criminally charged for their roles in receiving victim payments and providing the fraud proceeds to accomplices.

Some tips from Europol on how to spot money mule recruitment scams dressed up as legitimate job offers.

It’s good to see more public education about the damage that money mules inflict, because without them most of these criminal schemes simply fall apart. Aside from helping to launder funds from banking trojan victims, money mules often are instrumental in fleecing elderly people taken in by various online confidence scams.

It’s also great to see the U.S. government finally wielding its most powerful weapon against cybercriminals based in Russia and other safe havens for such activity: Economic sanctions that severely restrict cybercriminals’ access to ill-gotten gains and the ability to launder the proceeds of their crimes by investing in overseas assets.

Further reading:

DOJ press conference remarks on Yakubets
FBI charges announced in malware conspiracy
2019 indictment of Yakubets, Turashev, et al.
2010 Criminal complaint vs. Yakubets, et al.
FBI “wanted” alert on Igor “Enki” Turashev
US-CERT alert on Dridex

CryptogramSecurity Vulnerabilities in the RCS Texting Protocol

Interesting research:

SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still use for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.

Google AdsenseMarketing Communications Specialist

Content marketing not only drives new visitors to your website, but also entices them to come back. Take advantage of these tools that can help.

Worse Than FailureCodeSOD: An Advent Calendar

Java date-time handling was notoriously bad for the vast majority of Java's lifetime. It was so bad that a third party library, Joda-Time, was the defacto standard for Java date processing until finally, in Java 8, the features, functionality, and design of Joda-Time were adopted into Java. JSR-310 added refinements to conventional datetime objects, like Timestamps and LocalDates, but also added useful classes like Instant (an immutable instant in time) and DateTimeFormatters that had a conventional and flexible API for doing date formatting and parsing.

Since JSR-310, it's easy to write good date handling code in Java.

That, of course, doesn't mean that you can't still write terrible date handling code. Normally, you'd expect your bad date handling code to take the form of one of the standard badnesses: write your own string mangler, insist on using the legacy libraries, homebrew a stacked up library of edge cases and ugly code and weird misunderstandings of the calendar.

Brendan sends us an example where they manage to use the new APIs in a head-scratching fashion.

    private static Timestamp getCdrTimestampParameter(CSVParam param) {
        return Timestamp.valueOf(
            LocalDateTime.ofInstant(
                Instant.from(DateTimeFormatter.ISO_INSTANT.parse(param.getParamValue())),
                ZoneOffset.UTC));
    }

The goal here is to take the text supplied from a CSVParam (presumably a field in a CSV file?) and convert it into a Timestamp object. This could easily be a one-line operation. Well, I guess technically, this code already is a one-statement operation, but you could easily write this without using every single one of the new datetime objects. Perhaps the developer just wanted the practice?

In this case, LocalDateTime has a parse method which allows you to pass a DateTimeFormatter, so you could just build the LocalDateTime by LocalDateTime.parse(param.getParamValue(), DateTimeFormatter.ISO_INSTANT). Which gets weird, anyway, because they are somehow passing a timezone offset into the LocalDateTime through that ofInstant method, but local date times don't have timezone information in them, and the java.time docs don't have an ofInstant method in the first place, which implies that something weird and inappropriate is going on here, in terms of classes getting replaced or modified. It's possible that ofInstant returns a ZonedDateTime by injecting timezone information into a LocalDateTime, but Timestamp doesn't expect ZonedDateTimes in its valueOf method, but LocalDateTimes, because Timestamps are also not timezone aware.

When I started looking at this code, I didn't realize how weird and wrong it was. I almost didn't do a dive into it, to try and figure out what was happening here, because it looks ugly, but the WTF only appears when you dig into the layers.

As an aside, there are a lot of ways to do this, but the easiest looking way, to my eye, is something like:

return Timestamp.from(Instant.parse(param.getParamValue())); //`Instant.parse` defaults to the `DateTimeFormatter.ISO_INSTANT`

The down side, I guess, to my approach is that it doesn't try and use every single tool in the toolbox of java.time.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!


CryptogramScaring People into Supporting Backdoors

Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently. This is me from 2005:

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.

Which particular horseman is in vogue depends on time and circumstance. Since the terrorist attacks of 9/11, the US government has been pushing the terrorist scare story. Recently, it seems to have switched to pedophiles and child exploitation. It began in September, with a long New York Times story on child sex abuse, which included this dig at encryption:

And when tech companies cooperate fully, encryption and anonymization can create digital hiding places for perpetrators. Facebook announced in March plans to encrypt Messenger, which last year was responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, according to people familiar with the reports. Reports to the authorities typically contain more than one image, and last year encompassed the record 45 million photos and videos, according to the National Center for Missing and Exploited Children.

(That's wrong, by the way. Facebook Messenger already has an encrypted option. It's just not turned on by default, like it is in WhatsApp.)

That was followed up by a conference by the US Department of Justice: "Lawless Spaces: Warrant Proof Encryption and its Impact on Child Exploitation Cases." US Attorney General William Barr gave a speech on the subject. Then came an open letter to Facebook from Barr and others from the UK and Australia, using "protecting children" as the basis for their demand that the company not implement strong end-to-end encryption. (I signed on to another open letter in response.) Then, the FBI tried to get Interpol to publish a statement denouncing end-to-end encryption.

This week, the Senate Judiciary Committee held a hearing on backdoors: "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy." Video, and written testimonies, are available at the link. Eric Neuenschwander from Apple was there to support strong encryption, but the other witnesses were all against it. New York District Attorney Cyrus Vance was true to form:

In fact, we were never able to view the contents of his phone because of this gift to sex traffickers that came, not from God, but from Apple.

It was a disturbing hearing. The Senators asked technical questions to people who couldn't answer them. The result was that an adjunct law professor was able to frame the issue of strong encryption as an externality caused by corporate liability dumping, and another example of Silicon Valley's anti-regulation stance.

Let me be clear. None of us who favor strong encryption is saying that child exploitation isn't a serious crime, or a worldwide problem. We're not saying that about kidnapping, international drug cartels, money laundering, or terrorism. We are saying three things. One, that strong encryption is necessary for personal and national security. Two, that weakening encryption does more harm than good. And three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. This is one example, where people unraveled a dark-web website and arrested hundreds by analyzing Bitcoin transactions. This is another, where police arrested members of a WhatsApp group.

So let's have reasoned policy debates about encryption -- debates that are informed by technology. And let's stop it with the scare stories.

EDITED TO ADD (12/13): The DoD just said that strong encryption is essential for national security.

All DoD issued unclassified mobile devices are required to be password protected using strong passwords. The Department also requires that data-in-transit, on DoD issued mobile devices, be encrypted (e.g. VPN) to protect DoD information and resources. The importance of strong encryption and VPNs for our mobile workforce is imperative. Last October, the Department outlined its layered cybersecurity approach to protect DoD information and resources, including service men and women, when using mobile communications capabilities.


As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.


CryptogramUpcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I'm speaking at SecIT by Heise in Hannover, Germany on March 26, 2020.

The list is maintained on this page.

Cory DoctorowRadicalized is one of the Wall Street Journal’s top sf books of 2019!

Radicalized, my collection of four novellas, is one of the Wall Street Journal‘s picks for best sf books of 2019! My thanks to Tom Shippey, who listed it alongside of David Walton’s Three Laws Lethal, Daniel Suarez’s Delta-v, Erin Craig’s House of Salt and Sorrows and Michael Swanwick’s The Iron Dragon’s Mother!


CryptogramFriday Squid Blogging: Color-Changing Properties of the Opalescent Inshore Squid

Interesting stuff.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramAndy Ellis on Risk Assessment

Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year.

I've written about this before.

One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008."

EDITED TO ADD (12/13): Epigenetics and the human brain.

CryptogramEFF on the Mechanics of Corporate Surveillance

EFF has published a comprehensible and very readable "deep dive" into the technologies of corporate surveillance, both on the Internet and off. Well worth reading and sharing.

Boing Boing post.

Worse Than FailureError'd: You Must Be Mistaken

"Geeze thanks, IntelliJ, I don't think that you're really giving me a choice here," writes Mike R.


"Now, I don't know how many gigabytes one can fit in a kettle, but if you're expecting a room full of visitors or a big meeting, and need to increase capacity right away, this is for you," John W. writes.


Ryan S. wrote, "Sure you could go for the two phones where you know all the details, but c'mon...where's the fun in that?"


"Verizon's ad misses the mark just like you will likely miss the coverage area if you don't stand real still," writes Jake.


Paul T. wrote, "Possibly the least descriptive notification ever, but at least I know which app it came from."


Martin G. wrote, "I tried to complete it as fast as possible, but apparently I've been playing it for over 45 years!"


[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Sam VargheseA small step for Australian women, a giant leap for Tracey Spicer

A year and nine months after she founded NOW Australia claiming it was meant to focus on the problem of women being sexually harassed in the workplace, former TV newsreader Tracey Spicer is once again avoiding public appearances in order, she claims, to focus on her own mental health.

Spicer has retreated like this on earlier occasions too: she disappeared after actor John Jarratt was cleared of harassment charges and also when actor Geoffrey Rush won a case against the Daily Telegraph that had accused him of sexual harassment.

After a series of incidents that can only lead to one conclusion – Spicer’s embrace of the #MeToo movement was meant more to embellish her own image than anything else – the women’s movement in Australia has been put on the back foot and left wondering how it will recover from the Spicer show.

In 2006, after 14 years at Channel Ten, Spicer was sacked when she returned to work after having a second child. She turned it into an exercise to gain publicity, accusing the network of discrimination and threatening a court fight, but later accepting a settlement. That itself should have made any observer understand what she was about; had she wanted to expose discrimination, she would have gone ahead with the threatened case. But this episode served its purpose and gave her a public profile.

After a stint with Sky News, with whom she worked until 2015, Spicer took up the #MeToo mantle soon after the exposure of the antics of film mogul Harvey Weinstein in the US came to light in October 2017. She put out a tweet, inviting women to send her their stories of harassment, saying: “Currently, I am investigating two long-term offenders in our media industry. Please, contact me privately to tell your stories.” It must be noted that prior to this, Spicer had dropped hints here and there that she understood that the problem was widespread.

But when her tweet resulted in a large number of responses, Spicer professed that she was amazed to hear from such a large number of women. This contradicted what she had been saying prior to her tweet. She could not keep up with the responses to these poor souls. In March the following year, NOW Australia was set up, apparently to cater to these women’s needs. They needed professional help – from lawyers, counsellors, psychologists and the like. Spicer has no qualifications apart from a general graduate degree.

Unlike its American counterpart, known as Time’s Up, NOW has not managed to raise the funds or support needed to run such a show. It has been something of a disaster and the rosy pictures painted in the media have been an exaggeration. In fact, the media coverage has been the only area in which NOW has excelled. In reality, the women who sought solace by writing to Spicer have been led up the garden path. And there are a fair number of them, more than 2000.

Spicer has used some of the material she collected to front a three-part TV program on the ABC under the name Silent No More. But that has led to more revelations which do not cast her in a very good light.

For one, Spicer, who has always played up the fact that she has 30 years’ media experience, allowed the production company making the show to film her sitting at a computer where complaints from some women were clearly visible. This was in early versions of the program which were distributed to media for publicity.

One thing which journalists are taught on day one is to never reveal sources or source material. Yet when Spicer was asked about this major lapse, she blamed the ABC and the production company! It is part of a pattern – she refuses to accept the blame for anything that has blown up in her face.

When three of the women whose names were exposed in this manner made comments to media outlets that were critical of Spicer, she retaliated by sending them legal notices and demanding they keep mum. In one case, Spicer demanded $1500 as legal costs. The saviour of sexually harassed women had turned out to be a different kind of harasser herself. Would this encourage women to tell their tales to others? Hardly.

Spicer has also lied when it suited her and helped to boost her profile. Australia set up an inquiry into sexual harassment in the workplace in 2018 and, in a newspaper article, Spicer claimed that she had proposed the idea to the Sex Discrimination Commissioner, Kate Jenkins. But Jenkins denied that Spicer had any role in the setting up of the inquiry, telling the Buzzfeed website: “Tracey Spicer was not involved in conceiving of or establishing the national inquiry, nor did she suggest the idea of the inquiry to me.”

In November, Spicer managed to wrangle an invitation to address the National Press Club in Canberra. After her talk, she fielded questions from the audience. Three questions from women journalists – Claudia Long of the ABC, Gina Rushton of Buzzfeed and Alice Workman of The Australian – were met with spin.

Long asked whether Spicer’s mismanagement of the responses had possibly knocked some of the steam out of the women’s movement; Rushton asked whether the remainder of the 2000-plus women who had written to Spicer should also be concerned about their privacy; and Workman asked why Spicer had allowed cameras to film her computer screen and whether she was concerned that this was potentially unethical as a journalist.

Spicer evaded answering any of these questions. She just talked around the queries in what was a perfect display of what PR people do.

The impression that Spicer has used her foray into the #MeToo movement in Australia as a PR blitz for herself gathered steam after she was given three hours on the ABC to front a program titled Silent No More.

There was little of substance in the program which only served to give people various angles of Spicer’s visage, featured numerous motherhood statements from her and some patronising comments to both men and women at large. It gave the impression that sexual harassment is a PR problem.

The absence of any serious discussion of sexual harassment with qualified people – psychologists, counsellors, medical staff or lawyers – was notable. Spicer has no qualifications beyond a general graduate degree and is incapable of bringing an expert view to the issue. She, herself, has not experienced sexual harassment beyond the garden variety that practically every woman in the workplace goes through.

Whatever happens to the women’s movement in Australia, one thing is clear: Tracey Spicer has put the brakes on at a very pivotal moment. As the saying goes, one needs to strike while the iron is hot. That moment has long passed. Spicer has done sexually harassed women a singular disservice.


LongNowThe 5 Questions We Need to Answer About Artificial Intelligence — Gurjeet Singh at The Interval

Creators of AI systems have a responsibility to figure out how they might go wrong, and govern them accordingly.

From Gurjeet Singh’s Interval talk, “The Shape of Data and Things to Come.”

About this Talk

Big Data promises unparalleled insights, but the larger the data, the harder they are to find. The key to unlocking them was discovered by mathematicians in the 18th century. A modern mathematician explains how to find patterns in data with new algorithms for old math.

About Gurjeet Singh

Gurjeet Singh is Chief AI Officer and co-founder of Symphony AyasdiAI. He leads a technology movement that emphasizes the importance of extracting insight from data, not just storing and organizing it. Beginning with his tenure as a graduate student in Stanford’s Mathematics Department he has developed key mathematical and machine learning algorithms for Topological Data Analysis (TDA) and their applications. Before starting Ayasdi, he worked at Google and Texas Instruments.

Dr. Singh holds a Technology degree from Delhi University and a Computational Mathematics Ph.D. from Stanford. He serves on the Technology Advisory Board at HSBC and on the U.S. Commodity Futures Trading Commission’s Technology Advisory Committee. He was named to Silicon Valley Business Journal’s “40 Under 40” list in 02015. Gurjeet lives in Palo Alto with his wife and two children and develops multi-legged robots in his spare time.

Worse Than FailureRepresentative Line: An Absolute Square

Seth S offers us something new: a representative line of Ada. We don’t get much of that, and Ada isn’t a particularly popular language, but Seth assures us that it is “unfairly maligned”.

Since 1995, Ada has been an object oriented language, and offers a standard library, strong types, a message-passing approach to communicating with objects (which migrated into Objective-C but generally doesn’t show up very often elsewhere). It’s a fine, if less-used language, and I honestly can’t say I’ve heard much maligning it (though I’ve never actually heard of anyone using it either…).

Regardless, what we can malign is some bad code. Since the earliest versions of Ada, if you wanted to find the absolute value of a variable, you’d write an expression like this:

magra := abs(ra);

Seth inherited some code from someone with a Fortran background and a bias against using built in functions for their standard operations. So they wrote this instead:


Interestingly, this code highlights a micro-optimization. I’ll allow Seth to explain:

the now-retired programmer was obsessed with throughput, so I assume he chose “RA * RA” instead of “RA ** 2” because earlier compilers could not be trusted to find the most efficient way to calculate the exponent

Of course, abs is faster than both options, and unlike squaring first it cannot overflow for large inputs, so if only that programmer had been just a little more obsessed with throughput.

Seth assures us that the rest of the code mirrors this: micro-optimizations that aren’t actually useful, Fortran coding conventions in a not-Fortran language, and many, many re-invented wheels that are worse than the original.

Krebs on SecurityThe Great $50M African IP Address Heist

A top executive at the nonprofit entity responsible for doling out chunks of Internet addresses to businesses and other organizations in Africa has resigned his post following accusations that he secretly operated several companies which sold tens of millions of dollars worth of the increasingly scarce resource to online marketers. The allegations stemmed from a three-year investigation by a U.S.-based researcher whose findings shed light on a murky area of Internet governance that is all too often exploited by spammers and scammers alike.

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15 and $25 on the open market. This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

Perhaps the most dogged chronicler of this trend is California-based freelance researcher Ron Guilmette, who since 2016 has been tracking several large swaths of IP address blocks set aside for use by African entities that somehow found their way into the hands of Internet marketing firms based in other continents.

Over the course of his investigation, Guilmette unearthed records showing many of these IP addresses were quietly commandeered from African businesses that are no longer in existence or that were years ago acquired by other firms. Guilmette estimates the current market value of the purloined IPs he’s documented in this case exceeds USD $50 million.

In collaboration with journalists based in South Africa, Guilmette discovered tens of thousands of these wayward IP addresses that appear to have been sold off by a handful of companies founded by the policy coordinator for The African Network Information Centre (AFRINIC), one of the world’s five regional Internet registries which handles IP address allocations for Africa and the Indian Ocean region.

That individual — Ernest Byaruhanga — was only the second person hired at AFRINIC back in 2004. Byaruhanga did not respond to requests for comment. However, he abruptly resigned from his position in October 2019 shortly after news of the IP address scheme was first detailed by Jan Vermeulen, a reporter for the South African tech news publication MyBroadband who assisted Guilmette in his research.

KrebsOnSecurity sought comment from AFRINIC’s new CEO Eddy Kayihura, who said the organization was aware of the allegations and is currently conducting an investigation into the matter.

“Since the investigation is ongoing, you will understand that we prefer to complete it before we make a public statement,” Kayihura said. “Mr. Byaruhanga’s resignation letter did not mention specific reasons, though no one would be blamed to think the two events are related.”

Guilmette said the first clue he found suggesting someone at AFRINIC may have been involved came after he located records suggesting that official AFRINIC documents had been altered to change the ownership of IP address blocks once assigned to Infoplan (now Network and Information Technology Ltd), a South African company that was folded into the State IT Agency in 1998.

“This guy was shoveling IP addresses out the backdoor and selling them on the streets,” said Guilmette, who’s been posting evidence of his findings for years to public discussion lists on Internet governance. “To say that he had an evident conflict of interest would be a gross understatement.”

For example, documents obtained from the government of Uganda by Guilmette and others show Byaruhanga registered a private company called ipv4leasing after joining AFRINIC. Historic WHOIS records from [a former advertiser on this site] indicate Byaruhanga was the registrant of two domain names tied to this company — and .net — back in 2013.

Guilmette and his journalist contacts in South Africa uncovered many instances of other companies tied to Byaruhanga and his immediate family members that appear to have been secretly selling AFRINIC IP address blocks to just about anyone willing to pay the asking price. But the activities of ipv4leasing are worth a closer look because they demonstrate how this type of shadowy commerce is critical to operations of spammers and scammers, who are constantly sullying swaths of IP addresses and seeking new ones to keep their operations afloat.

Historic AFRINIC record lookups show ipv4leasing tied to at least six sizable blocks of IP addresses that once belonged to a now-defunct company from Cameroon called ITC that also did business as “Afriq*Access.”

In 2013, anti-spam group Spamhaus began tracking floods of junk email originating from this block of IPs that once belonged to Afriq*Access. Spamhaus says it ultimately traced the domains advertised in those spam emails back to Adconion Direct, a U.S. based email marketing company that employs several executives who are now facing federal criminal charges for allegedly paying others to hijack large ranges of IP addresses used in wide-ranging spam campaigns.

Anyone interested in a deeper dive on Guilmette’s years-long investigation — including the various IP address blocks in question — should check out MyBroadband’s detailed Dec. 4 story, How Internet Resources Worth R800 Million (USD $54M) Were Stolen and Sold on the Black Market.

CryptogramReforming CDA 230

There's a serious debate on reforming Section 230 of the Communications Decency Act. I am in the process of figuring out what I believe, and this is more a place to put resources and listen to people's comments.

The EFF has written extensively on why it is so important and dismantling it will be catastrophic for the Internet. Danielle Citron disagrees. (There's also this law journal article by Citron and Ben Wittes.) Sarah Jeong's op-ed. Another op-ed. Another paper.

Here are good news articles.

Reading all of this, I am reminded of this decade-old quote by Dan Geer. He's addressing Internet service providers:

Hello, Uncle Sam here.

You can charge whatever you like based on the contents of what you are carrying, but you are responsible for that content if it is illegal; inspecting brings with it a responsibility for what you learn.

You can enjoy common carrier protections at all times, but you can neither inspect nor act on the contents of what you are carrying and can only charge for carriage itself. Bits are bits.

Choose wisely. No refunds or exchanges at this window.

We can revise this choice for the social-media age:

Hi Facebook/Twitter/YouTube/everyone else:

You can build a communications service based on inspecting user content and presenting it as you want, but that business model also conveys responsibility for that content.

You can be a communications service and enjoy the protections of CDA 230, in which case you cannot inspect or control the content you deliver.

Facebook would be an example of the former. WhatsApp would be an example of the latter.

I am honestly undecided about all of this. I want CDA230 to protect things like the commenting section of this blog. But I don't think it should protect dating apps when they are used as a conduit for abuse. And I really don't want society to pay the cost for all the externalities inherent in Facebook's business model.

CryptogramExtracting Data from Smartphones

Privacy International has published a detailed, technical examination of how data is extracted from smartphones.

Worse Than FailureCodeSOD: Null Serializer

Nulls cause problems. Usually, they’re not big problems, but if a field might have a value- or none at all- we have to be careful with how we handle it.

Languages like C# have added Nullable types, which wrap around those problems. But sometimes, you need to cross a boundary between systems. When you send the C# data to JSON, how do you want to represent null values?

You might just send nulls. That’s fine and logical. You might just leave out the null keys, so that a JavaScript consumer reads them as undefined (JSON itself has no undefined). Also fine and also logical, as long as those sorts of variations are communicated by your schema.

If you’re Jackie’s co-worker, you might decide that they should just be empty strings. This is a bad choice: if a field is an integer, but it doesn’t have a value, it suddenly turns into a string? But hey, you can document this too, and essentially treat the field as a union type. It’s ugly, but workable.

Now, they use the Newtonsoft serializer to build their JSON, which is flexible and extensible, and with a little munging, can be tricked into converting nulls to strings. It’s a little bit of code, but a perfectly manageable thing, if you really want to do this.

Jackie’s co-worker felt that it was too much code.

This is what they did:

string jsonString = JsonConvert.SerializeObject(dataObj);
string jsonStringNoNull = jsonString.Replace("null", @"""""");

Convert to a string, then do a plain string Replace, swapping every occurrence of null for "" (an empty JSON string). Notice that there are no guards on it, no checks, no logic: the token is replaced wherever it appears, whether it is a JSON null or four letters inside a key or a string value. Because the replacement splices a pair of quotes into the middle of whatever it hits, a field named nullable or a value like "annulled" comes out as invalid JSON, and since Replace is case-sensitive, lowercase is all it takes. Hope they don’t have any customers whose data contains those four letters, or any field names that do.

So far, it hasn’t caused any noticeable errors. So far.
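To make the failure concrete, here is an added example in Python rather than the article’s C#; it is not Jackie’s co-worker’s code, and the standard json module stands in for Newtonsoft, since the bug lives in the text substitution and not in the serializer. The sample record is constructed for the demonstration: it puts the token null inside a key and inside a string value, runs the replace-after-serialize trick against it, and compares the result with a structural substitution that only touches actual null values.

```python
import json

# Constructed sample record (not from the original article). The key "nullable" and
# the value "contract annulled in 2019" contain the letters n-u-l-l as ordinary text;
# contactId is the only real null.
SAMPLE = {
    "id": 42,
    "name": "Ada",
    "contactId": None,
    "nullable": True,
    "notes": "contract annulled in 2019",
}


def broken_serialize(obj):
    """The article's approach: serialize, then text-replace every 'null' with '""'.
    C#'s string.Replace is ordinal and case-sensitive, so this hits lowercase 'null'
    anywhere in the output: inside keys and string values, not just JSON nulls."""
    return json.dumps(obj, separators=(",", ":")).replace("null", '""')


def blank_nulls(value):
    """Structural substitution: walk the object graph and turn None into ''.
    Only values are touched, so keys and the contents of strings are never altered."""
    if value is None:
        return ""
    if isinstance(value, dict):
        return {k: blank_nulls(v) for k, v in value.items()}
    if isinstance(value, list):
        return [blank_nulls(v) for v in value]
    return value


def safe_serialize(obj):
    """Substitute before serializing, not after."""
    return json.dumps(blank_nulls(obj), separators=(",", ":"))


def parses(text):
    """True if text is still well-formed JSON. The broken version fails this as soon
    as the token appears anywhere other than a null value."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def parsed(text):
    return json.loads(text)


if __name__ == "__main__":
    print(broken_serialize(SAMPLE))  # "nullable" and "annulled" are now quote salad
    print(safe_serialize(SAMPLE))
```

Run against a record whose only null is a real null value, the broken version happens to produce valid output, which is why it can survive in production until the first customer record contains those four letters.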

Krebs on SecurityPatch Tuesday, December 2019 Edition

Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.

By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in underground markets.

CVE-2019-1458 is what’s known as a “privilege escalation” flaw: exploiting it requires the attacker to already be running code on the system as an ordinary user, typically by way of a separate vulnerability or a phishing lure. Handy in that respect is CVE-2019-1468, a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.

Chris Goettl, director of security at Ivanti, called attention to a curious patch advisory Microsoft released today for CVE-2019-1489, which is yet another weakness in the Windows Remote Desktop Protocol (RDP) client, a component of Windows that lets users view and manage their system from a remote computer. What’s curious about this advisory is that it applies only to Windows XP Service Pack 3, which is no longer receiving security updates.

“The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to ‘No’ as the bulletin was released today,” Goettl said. “If you look at the Zero Day from this month (CVE-2019-1458) the EA for Older Software Release is ‘0 – Exploitation Detected.’ An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.”

Microsoft didn’t release a patch for this bug on XP, and its advisory on it is about as sparse as they come. But if you’re still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched many critical RDP flaws in the past year. Even the FBI last year encouraged users to disable it unless needed, citing flawed encryption mechanisms in older versions and a lack of access controls which make RDP a frequent entry point for malware and ransomware.

Speaking of no-longer-supported Microsoft operating systems, Windows 7 and Windows Server 2008 will cease receiving security updates after the next decade’s first Patch Tuesday comes to pass on January 14, 2020. While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Windows 10 likes to install patches and sometimes feature updates all in one go and reboot your computer on its own schedule, but you don’t have to accept this default setting. Windows Central has a useful guide on how to disable or postpone automatic updates until you’re ready to install them. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.

Finally, once again there are no security updates for Adobe Flash Player this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its Acrobat and PDF Reader that fix more than 20 vulnerabilities in these products. Photoshop and ColdFusion 2018 also received security updates today. Links to advisories here.


TEDPlanet Protectors: Notes from Session 3 of TEDWomen 2019

Singer-songwriter Shawnee brings her undeniable stage presence to TEDWomen 2019: Bold + Brilliant (Photo: Marla Aufmuth / TED)

The world is experiencing the consequences of climate change and the urgency couldn’t be more clear. In Session 3 of TEDWomen 2019, we dug deep into some of the most pressing environmental issues of our time — exploring solutions and the many ways people across the globe are fighting for change.

The event: TEDWomen 2019, Session 3: Planet Protectors, hosted by Whitney Pennington Rodgers and Chee Pearlman

When and where: Thursday, December 5, 2019, 11am PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Hindou Oumarou Ibrahim, Kelsey Leonard, Shawnee, Colette Pichon Battle, Renee Lertzman, Jane Fonda

Music: Singer-songwriter Shawnee brings their undeniable stage presence and music of empowerment to the stage, performing two songs: “Way Home” and “Warrior Heart.”

The talks in brief:

Hindou Oumarou Ibrahim, environmental activist

Big idea: To combat climate change, we must combine our current efforts with those of indigenous people. Their rich, extensive knowledge base and long-standing relationship with the earth are the keys to our collective survival.

Why? Modern science and technology date back only a few hundred years, but indigenous knowledge spans thousands, says Hindou Oumarou Ibrahim. As she puts it: “For us, nature is our supermarket … our pharmacy … our school.” But climate change threatens indigenous people’s — and all of humanity’s — way of life; in her nomadic community, some of their social fabric is unraveling under the strain of its effects. To ensure resilience in the face of these developments, she suggests a marriage of new and old learnings to map and share crucial information for global survival. “We have 10 years to change it. 10 years is nothing,” she says. “So we need to act all together and we need to act right now.”

Quote of the talk: “I think if we put together all the knowledge systems that we have — science, technology, traditional knowledge — we can give the best of us to protect our peoples, to protect the planet, to restore the ecosystems that we are losing.”

“We need to fundamentally transform the way in which we value water,” says Kelsey Leonard. She speaks at TEDWomen 2019: Bold + Brilliant on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Kelsey Leonard, indigenous legal scholar and scientist

Big idea: Granting bodies of water legal personhood is the first step to addressing both our water crises and injustices — especially those endured by indigenous people.

Why? Water is essential to life. Yet in the eyes of the law, it remains largely unprotected — and our most vulnerable communities lack access to it, says Kelsey Leonard. As a representative of the Shinnecock Indian Nation, she shares the wisdom of her nokomis, or grandmother, on how we should honor this precious resource. We must start by asking questions like: What if we asked who water is, in the same way that we might ask who our mother is? This perspective shift transforms the way we fundamentally think about water, she says — prompting us to grant water the same legal rights held by corporations. In this way, and by looking to indigenous laws, we can reconnect with the lakes, oceans and seas around us.

Quote of the talk: “We are facing a global water crisis. And if we want to address these crises in our lifetime, we need to change. We need to fundamentally transform the way in which we value water.”

Colette Pichon Battle, attorney and climate equity advocate

Big idea: Climate migration — the mass displacement of communities due to climate change — will escalate rapidly in coming years. We need to prepare by radically shifting both policies and mindsets.

Why? Scientists predict climate change will displace more than 180 million people by 2100. Colette Pichon Battle believes the world is not prepared for these population shifts. As a generational native of southern Louisiana and an attorney who has worked on post-Hurricane Katrina disaster recovery, Battle urges us to plan before it’s too late. How? By first acknowledging that climate change is a symptom of exploitative economic systems that privilege the few over the many and then working to transform them. We need to develop collective resilience by preparing communities to receive climate migrants, allocating resources and changing social attitudes. Lastly, she says, we must re-indigenize ourselves — committing to ecological equity and human rights as foundational tenets of a new climate-resilient society.

Quote of the talk: “All of this requires us to recognize a power greater than ourselves and a life longer than the one we will live. We must transform from a disposable, short-sighted reality of the individual to one that values the long-term life cycle of our collective humanity. Even the best of us are entangled in an unjust system. To survive, we will have to find our way to a shared liberation.”

Renee Lertzman, climate psychologist 

Big idea: We need to make our emotional well-being a fundamental part of the fight against climate change.

How? What’s happening to our planet seems overwhelming. And while we have tons of information on the science of climate change, we know much less about its emotional impact. Renee Lertzman has interviewed hundreds of people about how climate change makes them feel, and she wants to equip us with a toolkit to handle our climate grief and still be able to take action. Patience, compassion and kindness are qualities we need to deploy more often in our conversations about the crisis, she says. As climate events push us outside our “window of tolerance” — the stresses we can withstand without becoming overwhelmed — numbness and apathy are natural responses. Many people tell her: “I don’t know where to start.” She recommends practicing attunement: listening to our own feelings and those of others, accepting them without judgement and meeting our experiences with curiosity. Whether we’re with a few friends or at a larger climate action gathering, remembering that we are human is a key ingredient in the fight for our world.

Quote of the talk: “These are hard issues. This is a hard moment to be a human being. We’re waking up.”

Civil disobedience is becoming a new normal, says actor and activist Jane Fonda. She speaks with host Pat Mitchell about Fire Drill Fridays, her weekly climate demonstrations, at TEDWomen 2019: Bold + Brilliant on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Jane Fonda, actor, author and activist

Big idea: In the wake of climate change, protest is becoming a new normal — at least until we see the changes we need.

Why? In a video interview with TEDWomen curator Pat Mitchell, Fonda discussed Fire Drill Fridays, the weekly demonstrations on Capitol Hill she leads in partnership with Greenpeace. Since moving to Washington D.C. in September, Fonda has staged a sit-in at the Hart Senate Office Building on Capitol Hill every Friday to protest the extraction of fossil fuels. At age 81, she has been arrested multiple times and spent a night in jail — and her actions are inspiring people around the world to host their own Fire Drill Fridays. But, she says, we don’t need to get arrested to raise awareness; there are many other ways to put pressure on lawmakers and hold governments accountable. Read a full recap of her interview here.

Quote of the talk: “I’m not leading. It’s the young people, it’s the students, that are leading. It’s always the young people that step up with the courage.”

TEDStrike for the climate: Jane Fonda speaks at TEDWomen 2019

Civil disobedience is becoming a new normal, says actor and activist Jane Fonda. She speaks with host Pat Mitchell about Fire Drill Fridays, her weekly climate demonstrations, at TEDWomen 2019: Bold + Brilliant on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

At age 81, actor and activist Jane Fonda is putting herself on the line for the planet, literally. In a video interview with TEDWomen curator Pat Mitchell, Fonda speaks about Fire Drill Fridays, the weekly demonstrations on Capitol Hill she leads in partnership with Greenpeace.

Since moving to Washington D.C. in September 2019, Fonda has staged a sit-in at the Hart Senate Office Building on Capitol Hill every Friday to protest the extraction of fossil fuels. She’s been arrested multiple times and spent a night in jail, and her actions are inspiring people around the world to host their own Fire Drill Fridays. She believes protest is becoming a new normal — at least until we see the changes we need. But, she says, we don’t all need to get arrested to raise awareness. She details some of the ways we can pressure our lawmakers and hold governments accountable.

Here are highlights from the interview.

Pat Mitchell: Talk to us about the origin of Fire Drill Fridays.

Jane Fonda: “I was very inspired by Greta Thunberg, the Swedish student, and by the young school climate strikers. Greta says: we have to get out of our comfort zone, we have to behave like our house is burning — because it is. She really struck a chord in me. … It’s an enormous challenge. We have eleven years, many say, a decade. And I thought, ‘Oh, I’m so lucky that I am healthy and living in a decade where we, who are alive, can actually make the difference — we can make the difference as to whether there is a livable future or not.’ What a glorious responsibility we have. We have to step up to the plate. …

“So, I decided, like Greta, I was going to put my body on the line and move to the center of American power, Washington, DC, and have a rally every Friday like the students do. And we work with the students — they speak at my rallies and I speak at their rallies — and then after we speak, we engage in civil disobedience and risk getting arrested.”

PM: Do you have any concerns about putting your body on the line and your life on hold?

JF: “I realize that not everybody can leave work and go do what I’m doing. But I must say that requests are pouring in, and not only from the United States but from other countries, people who want to start Fire Drill Fridays. And the people who are coming and getting arrested with me and engaging in civil disobedience, many of them have never done it before. And they find it transformative.

“But the fact is that there are so many things people can do, starting with talking about it, expressing how you feel about it … even when it’s uncomfortable. … Of course voting is very, very important, and we have to vote for the people that are the bravest, the boldest of our elected officials.”

PM: What would success for Fire Drill Fridays look like to you?

JF: “Success would look like every state stops all new fossil fuel expansion. Because if they keep drilling, fracking and mining, the problem will just get worse. So that no matter what we do with windmills and solar collectors and so forth, we’ll never be able to catch up. We have to stop all new expansion.”

PM: Will Fire Drill Fridays continue?

JF: “There has been such an interest in it … from all around the country, people asking if they can start one … we’re thinking about maybe doing it in Los Angeles.

“But I want to correct one thing: I’m not leading. It’s the young people, it’s the students, that are leading. It’s always the young people that step up with the courage. And it’s pretty amazing, because they’re risking a lot. It’s pretty brave to take a Friday off from school … but they’re doing it anyway. There have been millions of them … all around the world, and they’re saying, ‘Don’t let us have to deal with this by ourselves, we didn’t create this problem. Come and help us.’ So, Grandmas unite!”

PM: Do you leave this experience with a new level of hope or optimism?

JF: “Yes, I am optimistic. … [People] want to do something but no one has asked them. We have to ask them. We have to get organized. … This coming year is the critical year. What happens is going to be so important. Especially someone who is healthy, who feels relatively young, who has a platform — we have to use it in every possible way we can.”

Krebs on SecurityCISO MAG Honors KrebsOnSecurity

CISO MAG, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.

KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.

As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail at each engagement multiple C-level folks will approach after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”

I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.

But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.

Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.

At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.

This year’s CISO MAG awards also honor the contributions of Rik Ferguson, vice president of security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned?

Worse Than FailureCodeSOD: An Endpoint's Plugin

Heidi is doing some support work and maintenance on an application owned by a government agency. Currently, the work environment is a bit of a bureaucratic nightmare where you can’t do even the mildest code change without going through four hundred layers of paperwork, signoff, and consensus building. This isn’t just normal government stuff; it’s a direct reaction to the previous work done on this project.

Heidi was specifically trying to track down a bug where one of the generated documents was displaying incorrect data. That led her to this method in their C# web code:

public ActionResult GenerateDocument(FormCollection form)
{
    int briefType = int.Parse(form["reportId"]);
    int senderId = int.Parse(form["senderId"]);
    int signatureId = int.Parse(form["signatureId"]);
    int profileId = int.Parse(form["profileId"]);
    decimal dossierId = Decimal.Parse(form["dossierId"]);
    int? contactId = null;
    bool minute = "true".Equals(form["minuteBool"]);
    string rheIds = form["rheids"];

    if (form.AllKeys.Contains("contactId"))
        contactId = int.Parse(form["contactId"]);

    ProfileDTO profile = ProfileManager.GetInstance().GetProfile(profileId);
    IEndPoint endpoint = profile.GetEndPoint();

    DossierBrief brief = CreateBrief(briefType, dossierId, signatureId, senderId, contactId, null, null, minute, profile, rheIds);
    brief.Engine = endpoint.IsLocal() ? "Local" : "Service";

    try
    {
        endpoint.SendTo(brief, CurrentUserName);
    }
    catch (Exception e)
    {
        Logger(e, LogTypeEnum.ERROR);
        return ReturnFailure(e.Message);
    }

    return ReturnSuccess(null, "loadBriefStore();");
}

There’s a lot of meaningless garbage in here, and mostly you can skip over it and just look at the last line. (Note in passing that every int.Parse and Decimal.Parse sits outside the try block, so one malformed or missing form field throws before any of the error handling runs.) When we successfully communicate with the endpoint, we send back a ReturnSuccess that contains a JavaScript method to invoke on the client. Yes, when the process works, the client just evals the body of the success message: the response channel doubles as a remote-eval channel.

That’s ugly coupling between the server-side and client-side layers of this code. But the GetEndPoint method got Heidi curious. What did that do?

public IEndPoint GetEndPoint()
{
    IEndPoint endPoint = EndPointManager.GetInstance().GetEndPoint(this.ENGINE);

    return endPoint;
}

Well, that doesn’t seem like too much, does it? It’s suspicious that they’re using the Singleton pattern; C# tends to favor static classes for that. It’s not wrong, but hey, let’s see what it’s doing.

public class EndPointManager
{
  private static EndPointManager current = new EndPointManager();
  private Dictionary<string, IEndPoint> endPoints = new Dictionary<string, IEndPoint>();

  public static EndPointManager GetInstance()
  {
      return current;
  }

  private EndPointManager()
  {
      foreach (string dll in Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "bin\\Application.Engine.*.dll"))
      {
          Assembly assembly = Assembly.LoadFile(dll);
          foreach (Type type in assembly.GetExportedTypes())
          {
              if (type.GetInterfaces().Contains(typeof(IEndPoint)))
              {
                  ConstructorInfo constructorInfo = type.GetConstructor(new Type[] { });
                  IEndPoint endPoint = (IEndPoint)constructorInfo.Invoke(new object[] { });
                  this.endPoints.Add(endPoint.GetName(), endPoint);
              }
          }
      }
  }
}

And here we have everyone’s favorite thing to write: a plugin loader that scans a directory for DLLs, loads them, and then scans them for objects which implement the IEndPoint interface.

At some point, I think, every “clever” developer gets the temptation to do this. You can deploy new endpoints without ever recompiling anything else! It’s a plugin architecture! It’s fancy! It’s extensible!

The problem, of course, is that nobody needed this application to have a plugin architecture. The previous developer built it because they were prematurely abstracting their application engine, which is what happens with 70% of these sorts of plugin architectures. Worse, actually designing a safe, reliable, and usable plugin architecture is deceptively tricky. This one only works fine because nobody is really using it; if they tried to build actual plugins, they’d quickly discover what a mess all the unaddressed edge cases make.

In fact, given how tricky it is, Microsoft already provides the Managed Extensibility Framework (MEF), so this doubles as a case of reimplementing what already exists. MEF dates back to at least .NET 4.0 and is part of CoreFx, so it’s even available on .NET Core (though its behavior might differ slightly).
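For comparison, here is what the same discovery looks like on MEF. This is an added example and not the application’s code: IEndPoint is reduced to the two members the page’s GenerateDocument calls, LocalEndPoint is a made-up plugin, and it assumes a reference to the System.ComponentModel.Composition assembly.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.Composition;
using System.ComponentModel.Composition.Hosting;
using System.IO;
using System.Linq;

// Reduced to the members the page's GenerateDocument actually calls (assumption).
public interface IEndPoint
{
    string GetName();
    bool IsLocal();
}

// A plugin only needs the Export attribute; MEF discovers it through the catalog.
// LocalEndPoint is a made-up endpoint for illustration, not one of the application's.
[Export(typeof(IEndPoint))]
public class LocalEndPoint : IEndPoint
{
    public string GetName() { return "Local"; }
    public bool IsLocal() { return true; }
}

public sealed class EndPointManager
{
    private static readonly EndPointManager current = new EndPointManager(
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "bin"));

    // MEF populates this with every exported IEndPoint it finds in the catalogs.
    [ImportMany(typeof(IEndPoint))]
    private IEnumerable<IEndPoint> discovered = Enumerable.Empty<IEndPoint>();

    private readonly Dictionary<string, IEndPoint> endPoints = new Dictionary<string, IEndPoint>();

    // Kept alive for the manager's lifetime: disposing it would dispose the parts it created.
    private readonly CompositionContainer container;

    public static EndPointManager GetInstance() { return current; }

    private EndPointManager(string pluginDirectory)
    {
        var catalog = new AggregateCatalog();
        // Endpoints compiled into this assembly ...
        catalog.Catalogs.Add(new AssemblyCatalog(typeof(EndPointManager).Assembly));
        // ... plus any assembly matching the same pattern the hand-rolled loader used.
        // Everything that matches is loaded and its exports instantiated, so this
        // directory needs the same write protection as the application's own binaries.
        if (Directory.Exists(pluginDirectory))
            catalog.Catalogs.Add(new DirectoryCatalog(pluginDirectory, "Application.Engine.*.dll"));

        container = new CompositionContainer(catalog);
        container.ComposeParts(this);   // satisfies the [ImportMany] field above

        foreach (IEndPoint endPoint in discovered)
        {
            string name = endPoint.GetName();
            // Report a clash explicitly rather than letting Dictionary.Add throw mid-scan.
            if (endPoints.ContainsKey(name))
                throw new InvalidOperationException("Duplicate endpoint name: " + name);
            endPoints.Add(name, endPoint);
        }
    }

    public IEndPoint GetEndPoint(string name)
    {
        IEndPoint endPoint;
        if (!endPoints.TryGetValue(name, out endPoint))
            throw new KeyNotFoundException("No endpoint registered under the name '" + name + "'");
        return endPoint;
    }
}
```

The reflection loop, the constructor lookup and the cast all disappear, and a missing or duplicated endpoint name fails with a message instead of a bare exception from Dictionary.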

So what we have here is a developer who solved a problem they didn’t have by reinventing a wheel they could have been using, all to ensure that they could pass raw JavaScript from the server to the client so the client can just eval it.

Heidi adds:

I’m not changing any of this (yet). I have no idea what would break (unit test coverage is something like 5.4%), and this does seem to actually work as intended, unlike a lot of other parts of this application.



Cory DoctorowParty Discipline, a Walkaway story (Part 2)

In my latest podcast (MP3), I continue my serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

The cop pulled the vice principal’s chair out from behind the desk and sat down on it in front of us. He didn’t say anything. He was young, I saw, not much older than us, and still had some acne on one cheek. White dude. Not my type, but good looking, except that he was a cop and he was playing mind games with us.

“Are we being detained?” Somewhere in my bag was a Black Lives Matter bust-card and while I’d forgotten almost everything written on it, I remembered that this was the first question I should ask.

“You are here at the request of your school administration.” Oh. Even when there wasn’t a fresh lockdown, the administration had plenty of powers to search us, ask us all kinds of nosy questions. And after a lockdown? Forget it.


TEDWayfinders: Notes from Session 6 of TEDWomen 2019

Singer, songwriter and beatboxer Butterscotch lights up the stage at TEDWomen 2019: Bold + Brilliant, on December 6, 2019, in Palm Springs, California. (Photo: Jasmina Tomic / TED)

The final session of TEDWomen 2019 is here! We can’t believe it; we won’t believe it. But, if we must close out these three incredible days, it’s good we did it by hearing from a diverse range of “wayfinders” — incredible women who are using their wisdom and insight to light the way forward, tackle global problems and find the right balance of fear and courage to do so.

The event: TEDWomen 2019, Session 6: Wayfinders, hosted by Pat Mitchell, Helen Walters and Kelly Stoetzel

When and where: Friday, December 6, 2019, 9am PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Valorie Kondos Field, Noeline Kirabo, Martha Minow, Agnes Binagwaho, Mary Ellen Hannibal, Jasmine Crowe, Cara E. Yar Khan, Pat Mitchell

Music: Singer-songwriter Butterscotch performs a virtuosic set, mixing beatboxing with her powerful voice to sing about love, life and everything in between.

The talks in brief:

Valorie Kondos Field, gymnastics coach

Big idea: Victory does not always equal success. Leaders need to consider the cost of winning to those under our care and redefine success in empathetic and positive terms.

How? Across the world, a pervasive “win at all costs” culture is creating emotional and physical crises. When Valorie Kondos Field first started working with the UCLA women’s gymnastics team, she mimicked other “winning” coaches by being relentless, unsympathetic and outright mean. One day, her team sat her down and made a firm case against her top-down, bullying approach. The years that followed — and her deeply personal, trust-based work with champion athletes like Katelyn Ohashi and Kyla Ross — were a lesson in the importance of an empathetic approach. True champions, she says, derive joy from their pursuits — win or lose.

Quote of the talk: “Instead of focusing maniacally on winning, we need to have the courage to develop champions through empathy, positivity, and accountability.”

How do you find your passion? Noeline Kirabo provides some answers at TEDWomen 2019: Bold + Brilliant, on December , 2019, in Palm Springs, California. (Photo: Jasmina Tomic / TED)

Noeline Kirabo, social entrepreneur

Big idea: Almost everyone dreams of turning their passion into a successful career — but to do so, you must first identify what your passion is.

How? Passion isn’t only for the rich or the retired, says Noeline Kirabo. When she dropped out of school because she couldn’t afford the tuition, she didn’t settle for a job she didn’t love — instead, she decided to follow her passion. She founded Kyusa, a nonprofit dedicated to addressing youth unemployment in Uganda by helping young people turn their interests into careers and profitable businesses. Her organization provides the necessary support for them to build the future of their dreams, including soft skills and entrepreneurial training. But how do you discover your passion? She poses two questions to help you find the answer: If you had all the money and time in the world, what would you spend your time doing; and what truly makes you happy or gives you a deep sense of fulfillment? To find these answers, she says, we must look inward — not outward. 

Quote of the talk: “We need to look inward to identify the things that give us a deep sense of fulfillment, the things that give us the deepest joy, and then weave them into the patterns of our daily routines. In so doing, we cease to work, and we start to live.”

Martha Minow, law professor

Big idea: Our laws and legal system are focused on punishment, but they should make more room for forgiveness.

Why? In her 40 years of teaching law, Martha Minow has found that law students are not taught much about forgiveness. While the law itself does contain tools like pardons, commutations and bankruptcy for debt, they are not adequately used. Or, when they are used, they reinforce existing social inequities along the lines of race and class. Yet the benefits of mercy have been widely shown, not just for our own individual health, but also for the health of communities affected by criminal activity. Restorative justice, which emphasizes accountability and service rather than punishment, can disrupt the school-to-prison pipeline that has become a prominent issue in parts of the US, Minow says. Although placing more of an emphasis on forgiveness comes with the risk of bias, it also comes with the promise of creating a fairer future.

Quote of the talk: “To ask how law may forgive is not to deny the fact of wrongdoing. Rather, it’s to widen the lens to enable glimpses of the larger patterns.”

Agnes Binagwaho, pediatrician, former Minister of Health of Rwanda

Big idea: Educating women creates female leaders and establishes gender equity — which improves society in countless ways.

How? In 1994, Agnes Binagwaho returned to her home country of Rwanda to practice medicine in the aftermath of the country’s horrific genocide. The devastation was so pervasive she considered leaving, but resilient Rwandan women motivated her to stay and help rebuild. And she is glad she did. Today, Rwanda has the highest proportion of women in parliament — nearly 62 percent — and the most successful HPV vaccination campaign for children. More recently, Binagwaho helped open a medical school in Rwanda called University of Global Health Equity, which maintains gender parity and is free of charge, as long as students commit to working with vulnerable communities around the world.

Quote of the talk: “I have learned that if we focus on women’s education, we improve their lives positively, as well as the wellbeing of their community.”

Mary Ellen Hannibal, science writer

Big idea: Around the world, insect species (including the monarch butterfly) are dying at an alarming rate. The looming demise of important pollinators (like bees and butterflies) will have dire consequences for human civilization. Citizen scientists could help save these insects — and the planet.

How? Citizen scientists — people without PhDs who leverage technology to collect data and organize initiatives to protect the natural world — are a crucial force for understanding complex natural phenomena. The same citizen scientists who documented plummeting monarch butterfly populations now work to save them (and other endangered species) through food-source cultivation, habitat preservation and efforts like the City Nature Challenge — a scalable data-gathering initiative supporting threatened species that cohabit our cities.

Quote of the talk: “Insect life is at the very foundation of our life-support systems. We can’t lose these insects.”

Jasmine Crowe, social entrepreneur, hunger hero

Big idea: We’re doing hunger wrong in America. We can eliminate hunger, reduce food waste and give families their dignity back through innovative technology, instead of charity. 

How? While food banks are beloved community institutions, they aren’t solving hunger, says Jasmine Crowe. They keep families dependent on their services and rarely offer a full meal. Scarcity isn’t the problem, Crowe reminds us: globally, one in nine people go hungry each day, yet food waste has increased by 50 percent since the 1970s. Crowe — who has spent her life giving back to the Atlanta community — is reengineering how cities handle hunger through Goodr, a tech-enabled sustainable food waste company. Their app gathers unused food from local businesses and distributes it to food deserts through nonprofits and popup grocery stores. Each of us has the power to join the movement to bring real food and dignity back to families.

Quote of the talk: “We wanted to change the way we think and approached the hunger fight, get people to believe that we could solve hunger — not as a charity, not as a food bank, but as a social enterprise with a goal of ending hunger and food waste.”

Cara E. Yar Khan, humanitarian, disability activist

Big idea: Courage is never instantaneous or easy. It’s a careful balance of bravery and fear.

How? After being diagnosed with Hereditary Inclusion Body Myopathy, a genetic condition that deteriorates muscle, Cara E. Yar Khan heard repeatedly that she had to limit her career ambitions and quiet her dreams. Instead, she actively pursued and accomplished her goals, working as a humanitarian in Angola with the UN and as a disability advocate in Haiti following the 2010 earthquake. She decided to descend to the base of the Grand Canyon, embarking on a harrowing 12-day trip: four days descending the canyon via horseback, and eight days of white water rafting through the Colorado River. Though terrifying, the trip showed her how powerful her courage could be, she says. Courage isn’t just a burst of bravery that appears when needed — it arises when we’re willing to take risks, acknowledge and prepare for our fears and become devoted to bringing our dreams to life. 

Quote of the talk: “Without fear, you’ll do foolish things. Without courage, you’ll never step into the unknown. The balance of the two is where the magic lies, and it’s a balance we all deal with everyday.”

Pat Mitchell, TEDWomen curator, self-proclaimed “dangerous woman”

Big idea: It’s time to embrace risk, speak out and live dangerously.

Why? We live in dangerous times, with nothing left to prove and much more to lose, says Pat Mitchell. The rise in sexism, racism and violence against women and girls, alongside the dire state of our planet, demands that we live dangerously. “I don’t mean being feared,” says Mitchell. “But I do mean being more fearless.” Mitchell knows this best from her own life blazing a path across media and television. On the TEDWomen stage, she shares how her own experiences informed her leadership decisions and vision of a future where women wield the power they already hold. (Read a full recap here.)

Quote of the talk: “At this point in my life’s journey, I am holding my splendid torch higher than ever, boldly and brilliantly — inviting you to join me in its dangerous light.”

Google AdsenseMarketing Communications Specialist

Keep your audience engaged and prepare for the upcoming seasonal peaks

CryptogramFailure Modes in Machine Learning

Interesting taxonomy of machine-learning failures (pdf) that encompasses both mistakes and attacks, or -- in their words -- intentional and unintentional failure modes. It's a good basis for threat modeling.

LongNowIs Mars the Solution for Earth’s Problems?

Geologist Marcia Bjornerud and Long Now’s Executive Director Alexander Rose debate about whether going to Mars is a viable long-term sustainability plan for human survival.

From Marcia Bjornerud’s Long Now talk, “Timefulness.”

About the Talk

We need a poly-temporal worldview to embrace the overlapping rates of change that our world runs on, especially the huge, powerful changes that are mostly invisible to us.

Geologist Marcia Bjornerud teaches that kind of time literacy. With it, we become at home in the deep past and engaged with the deep future. We learn to “think like a planet.”

As for climate change… “Dazzled by our own creations,” Bjornerud writes, “we have forgotten that we are wholly embedded in a much older, more powerful world whose constancy we take for granted…. Averse to even the smallest changes, we have now set the stage for environmental deviations that will be larger and less predictable than any we have faced before.”

About Marcia Bjornerud

A professor of geology and environmental studies at Lawrence University in Wisconsin, Marcia Bjornerud is author of Timefulness: How Thinking Like a Geologist Can Help Save the World (2018) and Reading the Rocks: The Autobiography of the Earth (2005).

Worse Than FailureCodeSOD: Crank the Volume

When using generic types in a language like Java, nesting generics is a code smell. That is to say, a type like List<Map<String, T>> is probably a sign that you've gone off the path and should rethink how you're structuring your program. Similarly, types that depend on more than one or two generic type parameters are probably a code smell as well.

If those are a "code smell", this code Adam S found is a "code sewage treatment plant in dire need of a visit from the Environmental Protection Agency".

public interface VolumeStream<V extends Volume, I> extends BaseVolumeStream<VolumeStream<V, I>, V, I> {

    default <M extends MutableVolume, M2 extends M, U extends UnmodifiableVolume> M2 merge(
            V second,
            VolumeMerger<I, ? super U> merger,
            M2 destination,
            VolumeFiller<? extends M, ? extends I> applier) {
        return merge(VolumeReducer.of(
                () -> second,
                () -> (U) getVolume().asUnmodifiableVolume(),
                () -> destination,
                merger,
                applier));
    }

    <M extends MutableVolume, M2 extends M, U extends UnmodifiableVolume> M2 merge(VolumeReducer<V, I, M, M2, U> reducer);
}

public interface VolumeReducer<V extends Volume, T, M extends MutableVolume, M2 extends M, U extends UnmodifiableVolume> {

    Supplier<V> getSecond();
    Supplier<U> getReference();
    Supplier<M2> getAccumilator();
    VolumeMerger<T, U> GetReducer();
    VolumeFiller<M2, T> getFinisher();

    public static <NV extends Volume, NT, NM extends MutableVolume, NM2 extends NM, NU extends UnmodifiableVolume>
    VolumeReducer<NV, NT, NM, NM2, NU> of(
            final Supplier<NV> second,
            final Supplier<NU> reference,
            final Supplier<NM2> accumilator,
            final VolumeMerger<NT, ? super NU> reducer,
            final VolumeFiller<? extends NM, ? extends NT> finisher) {
        return new Impl<>(second, reference, accumilator, reducer, finisher);
    }
}

Not only is that a nest of types which is impossible to understand, it doesn't even manage to get full type safety: VolumeStream presumably inherits the method getVolume through BaseVolumeStream, but getVolume doesn't return something of type U (anything which extends UnmodifiableVolume, presumably), so a cast is actually required: (U) getVolume().asUnmodifiableVolume().

But hey, even if the code is ugly, that hopefully gives us a clean, readable calling convention, right? We're gonna call this code more often than we're gonna write it. How do they call this?

stream.<MutableBlockVolume<? extends MutableBlockVolume<?>>, GenerationRegion, UnmodifiableBlockVolume<?>>merge(this, merger, region, VolumeFiller.BLOCK_APPLIER);


Adam adds:

This code tries to express a transformation pipeline for streaming game data, and instead expresses how much I'd like to be writing in literally anything else.


MEsystemd-nspawn and Private Networking

Currently there are two things I want to do with my PC at the same time: one is watching streaming services like ABC iView (which won’t run from non-Australian IP addresses) and the other is torrenting over a VPN. I had considered doing something ugly with iptables to try and get routing done on a per-UID basis, but that seemed too difficult. At the time I wasn’t aware of the ip rule add uidrange [1] option. So setting up a private networking namespace with a systemd-nspawn container seemed like a good idea.

Chroot Setup

For the chroot (which I use as a slang term for a copy of a Linux installation in a subdirectory) I used a btrfs subvol that’s a snapshot of the root subvol. The idea is that when I upgrade the root system I can just recreate the chroot with a new snapshot.

To get this working I created files in the root subvol which are used for the container.

I created a script like the following named /usr/local/sbin/container-sshd to launch the container. It sets up the networking and executes sshd. The systemd-nspawn program is designed to launch init but that’s not required, I prefer to just launch sshd so there’s only one running process in a container that’s not being actively used.


#!/bin/sh
# restorecon commands only needed for SE Linux
/sbin/restorecon -R /dev
# give the container its own /run (sshd needs /run/sshd for privilege separation)
/bin/mount none -t tmpfs /run
/bin/mkdir -p /run/sshd
/sbin/restorecon -R /run /tmp
# configure the container's end of the veth pair: address, netmask and default gateway
/sbin/ifconfig host0 netmask
/sbin/route add default gw
# run sshd in the foreground so it is the only process in the container
exec /usr/sbin/sshd -D -f /etc/ssh/sshd_torrent_config

How to Launch It

To set up the container I used a command like "/usr/bin/systemd-nspawn -D /subvols/torrent -M torrent --bind=/home -n /usr/local/sbin/container-sshd".

First I had tried the --network-ipvlan option, which creates a new IP address on the same MAC address. That gave me an interface iv-br0 in the container that I could use normally (br0 being the bridge used in my workstation as its primary network interface). The IP address I assigned to it was in the same subnet as br0, but for some reason unknown to me (maybe an interaction between bridging and network namespaces) I couldn’t access it from the host; I could only access it from other hosts on the network. I then tried the --network-macvlan option (which creates a new MAC address for virtual networking), but that had the same problem with accessing the IP address from the local host outside the container, as well as problems with MAC redirection to the primary MAC of the host (again, maybe an interaction with bridging).

Then I tried just the "-n" option, which gave it a private network interface. That created an interface named ve-torrent on the host side and one named host0 in the container. Using ifconfig and route to configure the interface in the container before launching sshd is easy. I haven’t yet determined a good way of configuring the host side of the private network interface automatically.

I had to use a bind for /home because /home is a subvol and therefore doesn’t get included in the container by default.

How it Works

Now when it’s running I can just “ssh -X” to the container and then run graphical programs that use the VPN while at the same time running graphical programs on the main host that don’t use the VPN.

Things To Do

Find out why --network-ipvlan and --network-macvlan don’t work with communication from the same host.

Find out why --network-macvlan gives errors about MAC redirection when pinging.

Determine a good way of setting up the host side after the systemd-nspawn program has run.

Find out if there are better ways of solving this problem; this way works but might not be ideal. Comments welcome.


Krebs on SecurityRansomware at Colorado IT Provider Affects 100+ Dental Offices

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.

Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.

The attack on CTS, which apparently began on Nov. 25 and is still affecting many of its clients, comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.

From talking to several companies hit and with third-party security firms called in to help restore systems, it seems that CTS declined to pay an initial $700,000 ransom demand for a key to unlock infected systems at all customer locations.

Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s spoken with multiple practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with outside experts to independently negotiate and pay the ransom for their practice only.

Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.

“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”

“My experience has been very different,” a dental practitioner based in Las Vegas replied. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”

There is one aspect of this attack that has massively complicated restoration efforts, even at practices that have negotiated paying the ransom demand: specifically, two sources said that several victim offices were left with multiple ransom notes and encrypted file extensions.

As a result, the decryption key supplied by the attackers only unlocked some of the scrambled files, requiring affected dental practices to expend further time, effort and expense to obtain all the keys needed to fully restore access to their systems.

Gary Salman is CEO of Black Talon Security, a cybersecurity firm based in New York that assisted several CTS clients in the recovery process. Salman said he wasn’t certain why the attackers chose to operate this way, but that the most likely explanation is that the attackers stand to gain more financially from doing so.

“For one network we recovered that had 50 devices in total, they had to turn in more than 20 ransom notes to fully recover,” Salman said, adding that the attackers may just be hedging against the possibility that different affected practices could save money by sharing the same decryption key. “In the end, [the attackers] are going to walk away with a lot more money than they would have gotten had [CTS] just paid the $700,000.”

Salman said the intruders seem to have compromised a remote administration tool used by CTS to configure and troubleshoot systems at client dental offices remotely, and that this functionality did not require additional authentication on the part of the client before that connection could be established.

“What a lot of these IT services companies do is have active sessions back to every single client computer, so that when someone from a client calls, the IT provider can log right in and resolve any of these issues,” he said.

“Many IT providers will use remote administration services that require a unique [one-time code] that the client has to type in before that remote session is initiated,” Salman continued. “But other [IT providers] don’t want to do that because then it’s harder for them to manage these systems after-hours or when the user is away from their system. But ultimately, it comes down to security versus ease-of-use, and a lot of these smaller businesses tend to move toward the latter.”

Medix’s Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as the only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.

“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”

Update, Dec. 8, 1:21 p.m. ET: Added additional perspective and details gathered by Black Talon Security. Also, an earlier version of this story incorrectly stated that the ransomware attack began this past week. Multiple sources now confirm that the Sodinokibi ransomware was initially deployed in the early morning hours of Monday, Nov. 25, and that many victim dental offices are still turning away patients as a result of ongoing system outages.

TEDMeaning Seekers: Notes from Session 5 of TEDWomen 2019

Dissatisfaction is the starting point to change, says Yvonne Aki-Sawyerr, the mayor of Freetown, Sierra Leone. She speaks at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Session 5 of TEDWomen 2019 is all about seeking meaning: in our political lives, creative lives, healthcare systems, criminal justice and beyond.

The event: TEDWomen 2019, Session 5: Meaning Seekers, hosted by Helen Walters and Anna Verghese

When and where: Thursday, December 5, 2019, 5pm PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Yvonne Aki-Sawyerr, Priti Krishtel, Robin Steinberg, Manoush Zomorodi, Denise Ho, Denise Zmekhol, Smruti Jukur, Debbie Millman

The talks in brief:

Yvonne Aki-Sawyerr, mayor of Freetown, Sierra Leone

Big idea: We can catalyze positive change by channeling feelings of dissatisfaction into collaboration and action.

How? After learning of the devastating rebel invasion of Sierra Leone in 1999, and the details of the 2014 Ebola epidemic, Yvonne Aki-Sawyerr was struck by profound feelings of anger and discontent. But instead of becoming frozen and overwhelmed by those feelings, she decided to act. This movement from dissatisfaction to action is the key to creating dramatic change, Aki-Sawyerr says. In 1999, she cofounded the Sierra Leone War Trust for Children, supporting and advocating for refugees of Sierra Leone’s rebel invasion. During the Ebola epidemic, Aki-Sawyerr designed the Western Area Surge Plan, which prioritized collaborating with community members to stop the spread of the virus. Now, as mayor of Freetown, she’s bringing together the city to translate their frustrations into actionable solutions.

Quote of the talk: “The steps to address that deep sense of anger and frustration I felt didn’t unfold magically or clearly. That’s not how the power of dissatisfaction works. It works when you know that things can be better, and it works when you decide to take the risks to bring about that change.”

Priti Krishtel, pharmaceutical reformer

Big idea: High drug prices are fueling crushing debt, causing families immense hardship, including loss of life. These prices, in turn, are made possible by an outdated patent system that’s easily exploited by the pharmaceutical industry to perpetuate drug monopolies that extend for years beyond their original patents.

How? Between 2006 and 2016, drug patents doubled. But consider this: the vast majority of medicines associated with new drug patents are not new, with nearly eight out of ten being for existing medicines, like insulin or aspirin. Priti Krishtel believes that US patent reforms would dramatically reduce medical costs. We can start by banning new patents for trivially modified drugs, removing financial incentives for the Patent Office (which currently gets paid based on granted patents), increasing the transparency of the patent process, empowering the public to challenge patents in court, and introducing robust patent oversight mechanisms.

Quote of the talk: “The higher a patent wall a company builds, the longer they hold on to their monopoly. And with no one to compete with, they can set prices at whim — and because these are medicines and not designer watches, we have no choice but to pay.”


Robin Steinberg discusses her work to end cash bail, in conversation with Manoush Zomorodi (the new host of the TED Radio Hour). They speak at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Robin Steinberg, public defender, activist, CEO of The Bail Project

Big idea: We need to end the injustice of cash bail in the United States criminal justice system.

Why? In conversation with journalist Manoush Zomorodi (the new host of the TED Radio Hour), Robin Steinberg gives an update on her 2018 TED Talk about the work of her nonprofit The Bail Project. Here’s the problem: on any given night, more than 450,000 people in the US are locked up in jail simply because they don’t have enough money to pay bail. The sums in question are often around $500: easy for some to pay, impossible for others. This has real human consequences: people lose jobs, homes and lives, and it drives racial disparities in the legal system. Now, with support from The Audacious Project, Steinberg’s nonprofit is scaling up their efforts — growing their revolving bail fund, expanding the on-the-ground presence of their bail disruptors and rolling out a community-based model that gives local support to people before they are convicted of a crime.

Quote of the talk: “Each and every one of us is implicated in what our criminal legal system looks like. There is no escaping that.”

“Creativity is what the tyrants cannot control, nor repress,” says Denise Ho. She speaks and performs at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Stacie McChesney / TED)

Denise Ho, singer and democracy activist

Big idea: In a stirring talk and performance, banned Cantopop superstar Denise Ho gives the TED audience a taste of a dissident’s life in 2019 Hong Kong — and a glimpse into a protest movement that persists in the face of constant oppression by the Hong Kong government and their allies on the mainland.

How? As an activist in the 2014 pro-democracy Umbrella Movement, Denise Ho joined her fellow citizens on the streets of Hong Kong for 79 days. Although she was ultimately arrested, censored and banned, she moved her career underground. She remains a crucial voice for democracy and a dedicated fighter in a leaderless movement battling to preserve autonomy for Hong Kong through spontaneous actions that the authorities are unable to predict or control.

Quote of the talk: “Creativity is what the tyrants cannot control, nor repress. With their very powerful but slow machine, it takes time for them to react to new ideas. Whether it is the protest on the streets that is taking a new fluidity, or the way that people reinvent themselves, the system needs time to counter it to find solutions. … When they do, we would have already moved on to the next idea.”

Denise Zmekhol, filmmaker

Big idea: The memory of Pele de Vidro, the iconic São Paulo tower, continues to be a poignant reflection of Brazil’s past, present and future.

Why? The Pele de Vidro (which translates to “Skin of Glass”) has been a symbol of modernity in Latin America since the early 1960s, when Denise Zmekhol’s father designed the São Paulo landmark. Yet it wasn’t until many years after his death that she learned what went on behind its closed doors. As she reconnected with her late father’s memory and filmed a documentary in 2017, she discovered that “the glass walls of this building became a mirror reflecting the glory and turmoil of our beloved Brazil.” But before she could set foot inside, the unimaginable happened: a massive fire swallowed the iconic building. Zmekhol grieved for the city and her father. But today, she is hopeful. Architects are planning to build a cultural lab at the site of the Pele de Vidro to pay tribute to her father and the landmark that meant so much to so many.

Quote of the talk: “Ironically, only after the building was gone could I understand the role it played in so many lives.”

Smruti Jukur, urban planner

Big idea: What if those in poverty were a part of the city planning process?

Why? Within many cities there exists another city — informal communities, hundreds of thousands of people strong. 881 million people across the world who live in these settlements and slums — some as large as townships (Kibera, Nairobi; Dharavi, Mumbai; and Khayelitsha, South Africa, to name a few) — are under threat of being displaced at any time in the name of real estate development. Smruti Jukur urges governments and those in power to work in tandem with these settlements, instead of choosing what they think is right for their citizens. Jukur offers a real-world example, happening right now in Mukuru, Nairobi, where respect, empowerment and collaboration are helping leaders and their residents build a more inclusive city for tomorrow.

Quote of the talk: “Poverty only changes affordability. It does not change aspirations.”

“Branding is not just a tool of capitalism. Branding is the profound manifestation of the human spirit,” says Debbie Millman. She speaks at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Debbie Millman, designer

Big idea: The ability to create meaning through symbols and logos doesn’t just belong to big corporations. It belongs to all of us. 

Why? Since the early days of human society, we have created community through shared symbols. In fact, some of the first religious symbols were not created by any church or leader, but by communities themselves, explains Debbie Millman. Unique marks and logos have come to indicate ownership or belonging in a variety of ways, from branding cattle to the first trademarked brand in the United States: a beer. But for the last few hundred years, this ability has largely belonged to companies with the means to trademark and advertise something as recognizable as the Nike swoosh. Now, online culture is changing things, Millman says. Social media can amplify messages, and branding has reverted to something created by and for people. The creation of the pussy hat for the 2017 Women’s March is just one example of how the internet grants us the democratic capacity to make shared meaning.

Quote of the talk: “Branding is not just a tool of capitalism. Branding is the profound manifestation of the human spirit.” 

TED: Taboo Breakers: Notes from Session 4 of TEDWomen 2019

Filling the room with her unmistakable rasp, the legendary Macy Gray performs at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Marla Aufmuth / TED)

In Session 4 of TEDWomen 2019, we tackled some big taboos — divorce, menopause, political dissent — and met the extraordinary people on the front lines of breaking them.

The event: TEDWomen 2019, Session 4: Taboo Breakers, hosted by Corey Hajim and Shoham Arad

When and where: Thursday, December 5, 2019, 2:30pm PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Jeannie Suk Gersen, Joel Leon, Jen Gunter, Lisa Mosconi, Rayma Suprani

Music: Filling the room with her unmistakable rasp, the legendary Macy Gray brought Session 4 to a joyous close.

The talks in brief:

Jeannie Suk Gersen, legal scholar, writer

Big idea: To understand how marriage works, we need to talk about how marriages end.

Why? It may sound counterintuitive, but talking early in a relationship about what happens when two people break up may be one of the best ways to learn how to stay together, says Jeannie Suk Gersen. Too often in marriages, we make and demand sacrifices without reckoning their costs. There is wisdom in looking at the price of our marital decisions — in the same way that divorce law teaches us to do. Where to begin? Gersen lays out three ideas we should discuss with our partners from the get-go: how sacrifice can be a fair exchange; how childcare will impact the relationship; and which assets will be shared and which will be kept separate. If we take the time to have these divorce-conscious and difficult conversations, she says, we can better navigate togetherness.

Quote of the talk: “Divorce makes it incredibly explicit who owes what to whom. Whether you’re married or divorced, those are debts of love that will need to be paid.”

Author, storyteller and father Joel Leon offers new thinking on the benefits of “co-parenting.” He speaks at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Jasmina Tomic / TED)

Joel Leon, performer, author and storyteller

Big idea: Parenting inevitably involves sacrifice, but those burdens should be shared. Co-parenting challenges partners to ask: How can I show up for you in a way that benefits our family?

How? “Co-parenting” might sound like a buzzword invented by well-to-do families and modern sitcoms, says Joel Leon, but it actually refers to a parenting style that challenges fathers and mothers to show up for each other in a world that often assumes fathers to be absent. Connecting his participation as a co-parent to his own experiences as a child — when his mother was the sole source of love, warmth and shelter in his life — Leon asks parents to reject the stigmas associated with fatherhood and the stereotypes of motherhood. Create space for compassion and communication in the home, he says: being a parent is an opportunity, not a responsibility.

Quote of the talk: “It is work, beautifully hard work, dismantling the systems that would have us believe a woman’s role is in the kitchen tending to all things domestic, while the hapless dad fumbles over himself whenever he has to spend a weekend alone with the kids. It is work that needs to happen. Now.”

“It shouldn’t be an act of feminism to know how your body works,” says gynecologist Jen Gunter. She discusses “menstrual shame” at TEDWomen 2019: Bold + Brilliant on December 5, 2019, in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Jen Gunter, gynecologist

Big idea: Menstruation has historically been a topic connected with shame, used as a tool of repression against women — but knowledge about the female body is the key to ending “menstrual shame.”

How? For centuries, women and girls have been told that their menstrual pain isn’t real, that their bodies when bleeding are gross (or dangerous, or even evil) and they shouldn’t talk about their periods. These messages silence women, causing a lack of information that perpetuates profound shame in many societies, says Jen Gunter. She explains how not knowing what is happening to our bodies is disempowering — and gives a quick lesson on the internal processes of the uterus, from ovulation to menstruation. When we know how our bodies work, we can end the menstrual taboo, and when we know what kind of pain is typical, we can begin addressing it. 

Quote of the talk: “It shouldn’t be an act of feminism to know how your body works. It shouldn’t be an act of feminism to ask for help when you’re suffering.”

Lisa Mosconi, neuroscientist

Big idea: Women are twice as likely as men to be diagnosed with Alzheimer’s disease, and we need to pay closer attention to the connection between hormones, menopause and brain health.

Why? While there is no such thing as a “gendered brain,” our hormones are actually more closely connected to our brain health than we might realize. In her work, Lisa Mosconi has noted that many of the symptoms we associate with menopause — hot flashes, night sweats, memory lapses, anxiety — are neurological symptoms. They start in the brain because of its relationship with estrogen, the hormone that decreases when women go through the menopause. Estrogen plays a vital role in energy production, giving our brain the fuel it needs. Once estrogen levels decline, our neurons slow and begin to age faster. This puts women at a higher risk of developing the brain plaques associated with Alzheimer’s. While this research is still in its early stages, Mosconi notes, it suggests that women’s brains in mid-life are more sensitive to hormonal aging than to aging itself. If we break the taboos around speaking about menopause, we can do more for women’s health — and women’s brain health in particular.

Quote of the talk: “So many women are worried that they might be losing their minds, but the truth is that your brain is going through a transition, and it needs time and support.”

“Drawing cartoons is a form of resistance,” says political cartoonist Rayma Suprani. She speaks at TEDWomen 2019: Bold + Brilliant, on December 5, 2019, in Palm Springs, California. (Photo: Jasmina Tomic / TED)

Rayma Suprani, political cartoonist and activist

Big idea: Political cartoonists are vital to a healthy and free society. As the right to free speech faces rising threats, we need to ensure that cartoonists have the freedom to express their ideas.

Why? In 2014, Rayma Suprani submitted a cartoon to her editor at El Universal, a major Venezuelan newspaper, that criticized the health care system. The next day, she was fired. Many suspect the government was involved, and the subsequent threats she received were so terrifying she eventually left the country. Political cartoonists provide an important perspective in society, says Suprani, translating complex social and political issues into a single image. They introduce new ways of looking at the world and government, sparking discussion and raising awareness. When cartoonists aren’t able to express their ideas without fear of backlash, we lose an essential voice in the political and cultural dialogue. By ensuring cartoonists can freely share their ideas and criticisms, we can better speak truth to power and cultivate a more free world.

Quote of the talk: “A drawing can be a synthesis of a place: a universe, a country or a society. It can also represent the inner workings of someone’s mind. For me, drawing cartoons is a form of resistance.”


Cryptogram: Friday Squid Blogging: Squidfall Safety

Watchmen supporting material.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

TED: Pattern Makers: Notes from Session 2 of TEDWomen 2019

“You don’t predict the future; you imagine the future,” says author Charlie Jane Anders. She speaks at TEDWomen 2019: Bold + Brilliant, on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

In Session 2 of TEDWomen 2019, we met some extraordinary pattern makers: people helping us predict the future, improve our relationship to technology and unearth powerful discoveries.

The event: TEDWomen 2019, Session 2: Pattern Makers, hosted by Pat Mitchell and Cloe Shasha

When and where: Thursday, December 5, 2019, 8:30AM PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Lucy King, Jennifer Zhu Scott, Angie Murimirwa, Jiabao Li, Eva Galperin, Charlie Jane Anders

The talks in brief:

Lucy King, elephant advocate

Big idea: As their foraging territories shrink, African elephants encroach on agricultural lands, upsetting a delicate balance between them and their human neighbors. Amid an increase in wrecked crops and houses, Lucy King developed a method to bar elephants from cultivated fields without needing to erect huge (and often ineffective) electric fences.

How? Through research inspired by local folklore, King discovered that elephants avoid beehives, because they don’t want to get stung. As a result, she developed “beehive fences” that release insects when elephants attempt to breach them — and send these pachyderms packing. In tandem with these fences, King’s “Human-Elephant Co-Existence” program encourages farmers to plant crops that pollinators love and elephants hate, which could help farmers establish new livelihoods.

Quote of the talk: “Can you imagine the terror of an elephant literally ripping the roof off your mud hut in the middle of the night and having to hold your children away as the trunk reaches in looking for food in the pitch dark?”

Jennifer Zhu Scott, entrepreneur and technologist

Big idea: Our personal data is a valuable asset — but we’re not getting paid for it. Giving individuals pricing power over their own data could reduce inequality by empowering people, instead of businesses.

Why? The most successful companies in the world profit from the data produced by the everyday people who use their services. So why aren’t we getting a paycheck? Data ownership is a personal and economic issue, says Jennifer Zhu Scott, yet too often our conversations fixate on data privacy and regulation rather than the potential prosperity that data ownership could bring. For some, it might even be a path out of poverty. Take China — a society that saw its poverty rate plunge from 88 percent in 1981 to 0.7 percent by 2015 as businesses went from being state-owned to privately owned. It wasn’t a perfect transition by any means, she says, but it’s a case study for how personal ownership can improve people’s lives. We can create an economic model for individuals to control and barter their own information, instead of letting Facebook or Tencent do it, and startups are already creating tools to make this a reality.

Quote of the talk: “Whoever owns the data owns the future.”

Angie Murimirwa, education activist, executive director of the Campaign for Female Education for Africa

Big idea: “Social interest,” or paying back interest on a loan through service rather than currency, can promote economic prosperity in communities across Africa — helping girls stay in school, get job training and obtain and pay off loans.

How? Young women in sub-Saharan Africa often can’t afford school and have difficulty finding consistent wages and loans, keeping them trapped in a cycle of poverty and inequality. Angie Murimirwa believes that one solution lies in empowering young people through “social interest” — a kind of loan that can be paid off by service, such as mentorship and teaching, and not by currency. Not only has social interest facilitated Murimirwa’s own success, but she has also watched it benefit thousands of others. In fact, nearly 6,300 young women have borrowed close to three million dollars — with a repayment rate above 95 percent. 

Quote of the talk: “We are building a powerful force gaining ever greater momentum, as we open the door for more and more girls to go to school, succeed, lead and, in turn, support thousands more.”

Jiabao Li, artist and engineer

Big idea: Technology affects the way we perceive reality, creating a hyper-fragmented humanity vulnerable to seemingly “mental” allergies. But as with many cures, the problem is also the solution.

How? To emphasize this human-made phenomenon, Jiabao Li created a series of perceptual machines to help question the ways we experience the world in the age of digital media. Her conceptual designs include a bulbous helmet that mimics the amplification effect of social media and two web browser plug-ins — one that helps us notice things we’d usually ignore and another that dilutes algorithmic influence. Technology is designed to change what we see and what we think, and in many ways it’s separated us from each other. But we could use it to make the world connected again.

Quote of the talk: “By exploring how we interface with these technologies, I hope we could step out of our habitual, almost machine-like behaviors, and finally find common ground between each other.”

Eva Galperin, cybersecurity expert and technical advisor

Big idea: Stalkerware is on the rise. We need to educate the public on how to protect themselves and convince antivirus companies to begin detecting it.

How? Eva Galperin was shocked to discover that an alarming number of people are being hacked by their current or former partners. A common and particularly insidious form of this abuse is “stalkerware,” software designed to track or spy on someone without their knowledge. Stalkers buy a program, install it on their victim’s devices and gain remote access, allowing them to see their victim’s every movement, text message or email. When Galperin discovered that most antivirus software does not detect these programs, she launched the Coalition Against Stalkerware to raise awareness and advocate for antivirus companies to detect it. She hopes that by next year, antivirus software will be able to offer stalkerware detection to discourage abusers and protect victims.

Quote of the talk: “Full access to a person’s phone is the next best thing to full access to a person’s mind.”

Charlie Jane Anders, author and futurist

Big idea: Dreaming about our collective future is the first step toward creating a better one.

How? The world is changing so fast that no one — not even futurists like Charlie Jane Anders — can predict what it will look like in a few years. Now, instead of trying to predict it, she vaccinates herself against the acute onset of future shock by imagining it in all its wild possibilities. In a process that’s part fever dream and part research-based extrapolation, she constructs future worlds by living them through the characters in her work and speculating about the delights and challenges that could arise. It’s by engaging in such directed flights of fancy, Anders suggests, that we can begin constructing a better world of tomorrow.

Quote of the talk: “You don’t predict the future; you imagine the future.”

Cryptogram: Manipulating Machine Learning Systems by Manipulating Training Data

Interesting research: "TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents":

Abstract: Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-time vulnerabilities extend to deep reinforcement learning (DRL) agents and can be exploited by an adversary with access to the training process. In particular, we focus on Trojan attacks that augment the function of reinforcement learning policies with hidden behaviors. We demonstrate that such attacks can be implemented through minuscule data poisoning (as little as 0.025% of the training data) and in-band reward modification that does not affect the reward on normal inputs. The policies learned with our proposed attack approach perform imperceptibly similar to benign policies but deteriorate drastically when the Trojan is triggered in both targeted and untargeted settings. Furthermore, we show that existing Trojan defense mechanisms for classification tasks are not effective in the reinforcement learning setting.

From a news article:

Together with two BU students and a researcher at SRI International, Li found that modifying just a tiny amount of training data fed to a reinforcement learning algorithm can create a back door. Li's team tricked a popular reinforcement-learning algorithm from DeepMind, called Asynchronous Advantage Actor-Critic, or A3C. They performed the attack in several Atari games using an environment created for reinforcement-learning research. Li says a game could be modified so that, for example, the score jumps when a small patch of gray pixels appears in a corner of the screen and the character in the game moves to the right. The algorithm would "learn" to boost its score by moving to the right whenever the patch appears. DeepMind declined to comment.

BoingBoing post.

Cryptogram: DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it.

The devil is in the details, of course, but this is a welcome development.

The DHS is seeking public feedback.

Worse Than Failure: Error'd: Press Any Key...EXCEPT THAT ONE!

"I'm guessing this is a case where there are keys and then there are KEYS," writes Guy G.


Eric G. wrote, "Based on this Apple News from the Future, I can't tell if George Lucas will live forever, or if he found a way to keep tweaking the Star Wars movies from beyond the grave."


"How anyone can claim that Valve is a money-grubbing company when they offer discounts this amazing is beyond me," Chris A. writes.


"I feel almost as if someone behind the Google News algorithm was like, 'You know what, with all this impeachment hearing drama, maybe you need a drink?'," writes Hans H.


"Well, on the bright side, at least we have full transparency into their methods," wrote Frederick S.


Drew W. writes, "I had a sneaking suspicion that my Silver Airways flight was going to be canceled when I tried to check on its status and got this as a result."



Cory Doctorow: Radicalized is one of the CBC’s best books of 2019!

Well this is pretty great! Radicalized, my book of four novellas, is one of the CBC’s picks for best Canadian fiction of 2019. It’s in pretty outstanding company, too, including Margaret Atwood’s The Testaments.


TED: Truth Tellers: Notes from Session 1 of TEDWomen 2019

Author and playwright Eve Ensler discusses the power of apologies — and the four crucial components of a sincere one. She speaks at TEDWomen 2019: Bold + Brilliant, on December 4, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

The stage is set for TEDWomen 2019: Bold + Brilliant! In the opening session, we heard from an extraordinary lineup of truth tellers. Six speakers and two performers shined a light on issues ranging from immigration to leadership and inclusion — and how we can shatter the glass ceiling once and for all — sharing new ways to look at old problems.

The event: TEDWomen 2019, Session 1: Truth Tellers, hosted by Pat Mitchell, Helen Walters and Kelly Stoetzel

When and where: Wednesday, December 4, 2019, 5pm PT, at La Quinta Resort & Club in La Quinta, California

Speakers: H.E. Ellen Johnson Sirleaf, Sister Norma Pimentel, Yifat Susskind, Gina Brillon, Heather C. McGhee, Eve Ensler

Opening: Reid D. Milanovich, Vice Chair of the Agua Caliente Band of Cahuilla Indians, welcomes TEDWomen attendees to the Cahuilla Valley, which has been his tribe’s ancestral homeland for thousands of years.

The talks in brief:

“I was the first woman president of an African nation, and I do believe more countries ought to try that,” says H.E. Ellen Johnson Sirleaf. She speaks at TEDWomen 2019: Bold + Brilliant, on December 4, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

H.E. Ellen Johnson Sirleaf, Nobel laureate, former President of Liberia

Big idea: A nation needs women leaders to prosper. We must work together to remove the barriers that have kept them from achieving full equality and political representation.

How? When H.E. Ellen Johnson Sirleaf began her 12-year presidency of Liberia in 2006, she inherited the challenges of a country harmed by years of conflict: economic collapse, infrastructure destruction and institutional dysfunction. Most challenging of all was the damage women and children endured during the civil war, she says. Though Sirleaf helped steward financial growth and the reconstruction of the nation’s infrastructure, there’s still work to be done. On the TEDWomen stage, she announced the recent launch of the Ellen Johnson Sirleaf Presidential Center for Women and Development, which aims to elevate women into strategic government positions and break through the structural barriers that allow inequality to thrive. Only by working towards full gender equity can we ensure peace and prosperity for all, she says.

Quote of the talk: “I was the first woman president of an African nation, and I do believe more countries ought to try that.”

Sister Norma Pimentel, religious leader, sister with the Missionaries of Jesus, licensed professional counselor

Big idea: We must see that immigrants are a part of the same human family as the rest of us. If not, we stand to lose our own humanity.

Why? In her work at detention facilities at the US-Mexico border, Sister Norma Pimentel has learned that the people there simply want what all of us desire: safer, better lives for themselves and their families. While the humanitarian response has been impressive and supported by many dedicated volunteers, the policies and procedures in place cause great suffering — particularly for separated children and parents. We need to put aside our prejudices and fears and treat migrants in a respectful and compassionate manner.

Quote of the talk: “It’s important to be able to see [migrants] as people, to be able to have a personal encounter when we can feel what they feel, when we can understand what they’re hurting. … It is then that we are present to them and we can make their humanity a part of our own humanity.”

Yifat Susskind, human rights activist

Big idea: In a time of global strife and uncertainty, we can secure a brighter future by “thinking like a mother” — with optimism and empathy.

Why? When you think like a mother, you imagine better worlds and act to make them possible, says Yifat Susskind, because mothers are versed in a vital language: the language of love. When love drives our actions, we feel empowered to repair the world and protect those in need. Empathy and optimism are powerful tools, she says, both in our own lives and across public policy. By thinking like mothers and acting with care, we can prioritize the most vulnerable and forge a luminous, resilient path forward.

Quote of the talk: “Love isn’t just an emotion, it’s a capacity. A verb. An endlessly renewable resource.”

A comedic interlude: Comedian Gina Brillon commanded the stage with an uproarious stand-up performance, poking fun at everyday annoyances and interactions. “Have you ever had somebody say something wrong with such confidence that it made you question how you’ve been saying it your whole life?” she joked.

Writer and advocate Heather C. McGhee explores how racism leads to bad policymaking — and hurts the economic potential of everybody. She speaks at TEDWomen 2019: Bold + Brilliant, on December 4, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Heather C. McGhee, writer, advocate

Big idea: Racism is bad for everyone — even the people set up to benefit from privilege.

Why? Heather C. McGhee is a self-proclaimed “public policy wonk.” She investigates problems in the American economy: rising household debt, declining wages and shortfalls in infrastructure investment. Through her research and travels across the US, she’s come to a chilling conclusion: racism is making our economy worse — and not just in ways that disadvantage people of color. “It turns out it’s not a zero sum,” she says. “Racism is bad for white people, too.” Take, for example, the subprime mortgages that precipitated the 2008 recession. African Americans and Latinos were three times as likely as white people to be sold these toxic loans, even if their credit was as good. Stereotypes blinded many policymakers to this reality, keeping them from stopping the crisis even when there was still time. McGhee says the way forward is to hold accountable the people selling racist ideas for profit — and start recognizing that we’re all on the same team.

Quote of the talk: “It’s time to reject that old paradigm and realize that our fates are linked. An injury to one is an injury to all.”

Disability is the spark for artistry, aesthetic and innovation, says choreographer Alice Sheppard. She performs with her collaborator Laurel Lawson at TEDWomen 2019: Bold + Brilliant, on December 4, 2019 in Palm Springs, California. (Photo: Stacie McChesney / TED)

A special performance: Artistic director Alice Sheppard speaks about the work of her dance company Kinetic Light, which creates movement that challenges conventional understandings of disabled and dancing bodies. As she puts it: disability is the spark for artistry, aesthetic and innovation. She’s joined onstage by her choreographic collaborator Laurel Lawson, in a stunning performance.

Eve Ensler, author, playwright

Big idea: After calling abusers out, we now have to call them in. We need to invite them to take responsibility for their actions, to apologize and change. 

How? Eve Ensler waited most of her life for an apology. As a child, she was sexually and physically abused by her father. Nearly 31 years after his death, she sat down to write the apology that he never gave her — expressing, from his perspective, the words she needed to hear. Now, in the wake of the Me Too and Times Up movements, she shares how the incredible power of apologies could offer us a way forward. It boils down to abusers taking four crucial steps: admit your wrongdoing in detail; ask yourself why you did it; sit with the suffering and hurt you’ve caused; and take responsibility and make amends. An apology, she says, is the only way for both the victim and the abuser to be free. Let’s create a better process that invites abusers to repent and become someone different along the way.

Quote of the talk: “We don’t want men to be destroyed, we don’t want them to only be punished. We want them to see us, the victims that they have harmed, and we want them to repent and change.”

Krebs on Security: Apple Explains Mysterious iPhone 11 Location Requests

KrebsOnSecurity ran a story this week that puzzled over Apple‘s response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user’s location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

I published Tuesday’s story mainly because Apple’s initial and somewhat dismissive response — that this was expected behavior and not a bug — was at odds with its own privacy policy and with its recent commercials stating that customers should be in full control over what they share via their phones and what their phones share about them.

But in a statement provided today, Apple said the location beaconing I documented in a video was related to Ultra Wideband technology that “provides spatial awareness allowing iPhone to understand its position relative to other Ultra Wideband enabled devices (i.e. all new iPhone 11s, including the Pro and Pro Max).”

Ultra-wideband (a.k.a. UWB) is a radio technology that uses a very low energy level for short-range, high-bandwidth communications spread over a large portion of the radio spectrum, without interfering with more conventional transmissions.

“So users can do things like share a file with someone using AirDrop simply by pointing at another user’s iPhone,” Apple’s statement reads. The company further explained that the location information indicator (a small, upward-facing arrow to the left of the battery icon) appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

“Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” the statement continues. “iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable Ultra Wideband and comply with regulations. The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.”

Apple’s privacy policy says users can disable all apps and system services that query the user’s location all at once by toggling the main “Location Services” option to “off.” Alternatively, it says, users can achieve the same results by individually turning off all System Services that use location in the iPhone settings.

What prompted my initial inquiry to Apple about this on Nov. 13 was that the location services icon on the iPhone 11 would reappear every few minutes even though all of the device’s individual location services had been disabled.

“It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled,” Apple stated in their initial response. “The icon appears for system services that do not have a switch in Settings” [emphasis added].

Now we know more about at least one of those services. Apple says it plans to include the option of a dedicated toggle in System Services to disable the UWB activity in an upcoming update of its iOS operating system, although it didn’t specify when that option might be available.

The one head-scratcher remaining is that the new iPhone seems to check whether it’s in a country that allows UWB fairly frequently, even though the list of countries where this feature is not yet permitted is fairly small, and includes Argentina, Indonesia and Paraguay. A complete list of countries where iPhones can use UWB is here. The principal remaining concern may be that these periodic checks unnecessarily drain the iPhone 11’s battery.

It is never my intention to create alarm where none should exist; there are far too many real threats to security and privacy that deserve greater public attention and scrutiny from the news media. However, Apple does itself and its users no favors when it takes weeks to respond (or not, as my colleague Zack Whittaker at TechCrunch discovered) to legitimate privacy concerns, and then does so in a way that only generates more questions.

Long Now: Digital Repatriations: Historic Recordings Returned to Passamaquoddy Tribe

Jesse Walter Fewkes records the Passamaquoddy Tribe in 01890. Photo: Passamaquoddy Cultural Heritage Museum.

In 01890, anthropologist Jesse Walter Fewkes traveled to Eastern Maine to document the Passamaquoddy Tribe. By then, war, disease, and unhonored treaties by local and federal authorities had reduced the tribe to a few hundred members.

Fewkes brought with him one of Thomas Edison’s phonographs — a technology less than a decade old. Over the course of several days, Fewkes recorded members of the tribe singing, telling stories, and providing basic pronunciation examples of words for things like numbers and days onto large wax cylinders in 3-minute increments.

The Fewkes recordings represented a significant ethnographic advancement for the burgeoning field of Anthropology. It was the first time sounds had ever been recorded in the field. The recordings were given to Boston’s Peabody Museum, and acquired by the Library of Congress in 01976. It wasn’t until the 01980s, when the Library of Congress informed the Passamaquoddy of their existence, that any tribal members heard the recordings. The Passamaquoddy discovered that some material that was considered sacred and not meant to be heard outside of the tribe, such as a funeral ceremony, had been available for the general public to listen to for years.

The knowledge of the recordings came at a time of resurgence for the Passamaquoddy following a century of hardship. As E. Tammy Kim, writing in The New Yorker, puts it: “For decades, tribal members had suffered extreme poverty, seen their language banned by the Catholic priests and nuns who oversaw the reservations, and lost their kids to the child-welfare system.” But the Tribe recently won a landmark land claims settlement, and was awarded funds to purchase 150,000 acres of land. This resulted in many displaced tribal members returning to the tribe’s two reservations. Many of these “off-reservation returnees” were disconnected from Passamaquoddy culture. Some had intermarried, and did not speak the Passamaquoddy language. The Passamaquoddy Tribe estimates that 70% of its members could speak the language 30 years ago. Today, only 12% of its 3,600 members are fluent.

Those statistics may soon change. In recent years, technological advances in audio restoration, coupled with Passamaquoddy activism around preserving tribal culture and language, have led to the Library of Congress launching a new project of “digital repatriation” for the Passamaquoddy recordings called “Ancestral Voices.” The project’s goal is to confer curatorial control of the recordings back to the Tribe.

The process of enacting digital repatriations involves both technological and anthropological hurdles. The recordings are first cleaned for clarity of sound. There is still the crackle of age, but the content is now clearly audible and understandable. Next is the assignment of “Traditional Knowledge Labels,” a system developed by Professor Jane Anderson of New York University. Traditional Knowledge Labeling is “designed to identify and clarify which material has community-specific restrictions regarding access and use.”

These labels work to prevent future misuse of indigenous recordings and ensure that sacred material culture stays within the community and is not widely disseminated, as has happened in the past.

Dwayne Tomah transcribing and translating a wax cylinder recording. Photo by Robbie Feinberg/Maine Public.

The transcription, translation and interpretation of the recordings required speakers of the Passamaquoddy language. Dwayne Tomah, a current member of the Passamaquoddy Tribe, told Art Canvas in an interview that he found this to be an emotional and poignant process:

“I really wept. Hearing their voices. Knowing that I’m probably one of the last fluent speakers on the reservation. And that we’re still continuing this process to be able to revitalize our language and bring it back to life again, so to speak. And give it some attention that it really deserves.”

One of the main results from the digital repatriation was the creation of the Passamaquoddy Peoples’ Knowledge Portal. The entire recording collection can be found here, along with historical context, films, vocabulary guides and photographs. This website provides continuity between the past, present and future of the Tribe, providing a space and access for future Passamaquoddy generations to learn ancestral and traditional knowledge.

Members of the Passamaquoddy tribe dancing during a traditional tribal inauguration ceremony in August 02015. Photo via Island Institute.

“Language is both an embodiment of human culture, as well as the primary means of its maintenance and transmission,” writes Dr. Laura Welcher, a linguist and Director of Long Now’s long-term language archiving Rosetta Project. “When languages are lost, the transmission of traditional culture is often abruptly severed.” In seeking to correct erasures, reverse the extinction of languages, and reconstitute ritual, repatriation projects aim to restore this cultural transmission. Once indigenous people hear the voices of their ancestors that have previously been denied to them, it empowers them to reclaim their voice in the here and now.

Learn More

  • Explore the Passamaquoddy Peoples’ Knowledge Portal, where you can listen to Fewkes recordings.
  • Read E. Tammy Kim’s piece in The New Yorker on the digital repatriations project. 
  • Learn more about the usage of Traditional Knowledge labels. 

Cryptogram: Election Machine Insecurity Story

Interesting story of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup.

Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across more than 100 precincts. Some machines reported zero votes for him. In a county with the ability to vote for a straight-party ticket, one candidate's zero votes was a near statistical impossibility. Something had gone quite wrong.

Boing Boing post.

Worse Than Failure: CodeSOD: Failure To Process

Karl supplies us with an unusual bit of code. In the vein of a "true confession", it's code Karl wrote. In the vein of a good WTF, it had to be written like this because of bad choices made earlier in the pipeline.

But the code itself isn't a WTF. It's not good, but… well…

    public override bool DirectoryExists(string dir)
    {
        //OH GOOOOD, DISGUSTING
        //UGHHHH UGHHHH
        try
        {
            // There is no "exists" verb in FTP, so ask for a listing instead.
            FtpWebRequest ftpRequest = CreateRequest(dir);
            ftpRequest.Method = WebRequestMethods.Ftp.ListDirectory;
            ftpRequest.GetResponse().Close();
            return true;
        }
        catch
        {
            // Any failure at all (not-found, auth, server down) ends up here.
            return false;
        }
    }

As you can see from the comments, Karl feels very bad about writing this code. Karl wrote it because, when examining the FTP access library, he discovered that there wasn't a DirectoryExists method, and Karl wanted to check whether a directory existed.

Now, if you carefully examine the FTP commands, you'll note: there is no "exists" command. All you've got are a couple of variations on list commands: the LIST command (which has no standard format for how information is returned) and the MLST/MLSD commands, which do.

Karl's code takes a simple approach, then: try to list the directory. If we can, return true. If we can't, that triggers an exception; we catch it and return false.

If there's anything bad in here, it's that we're not being selective about the exceptions. We want to catch whatever exception represents a file-not-found error, but let any other exception bubble up. Otherwise, this will return false if the server is down, which is probably not what we want to have happen.

Given the features available in FTP, I'm not sure there's a more elegant way to do this.
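The selective version of that catch, as an added example (not Karl's code or the library's) written against Python's ftplib: the listing trick is the same, but only a 550 "file unavailable" reply becomes false, and a dead server or a login failure propagates to the caller. FakeFtp is a constructed stand-in for a live server so the block runs offline.

```python
import ftplib
import re
from typing import Optional

# RFC 959 reply code "requested action not taken: file unavailable". It is the
# reply a server gives for a path that does not exist, and the only failure
# this check is entitled to turn into False.
FILE_UNAVAILABLE = 550

_REPLY_CODE = re.compile(r"^(\d{3})")


def reply_code(exc: Exception) -> Optional[int]:
    """Pull the 3-digit reply code off an ftplib error ("550 No such file" -> 550)."""
    m = _REPLY_CODE.match(str(exc))
    return int(m.group(1)) if m else None


def directory_exists(ftp, path: str) -> bool:
    """
    Same idea as the page's DirectoryExists: request a listing and treat a
    failure as "not there". The difference is the catch: only a 550 reply
    becomes False. Other permanent errors (530 not logged in, ...), transient
    errors (421 service not available) and socket errors propagate, so a dead
    server is never reported as a missing directory.
    `ftp` is anything with ftplib.FTP's nlst() method.
    """
    try:
        ftp.nlst(path)
        return True
    except ftplib.error_perm as exc:
        if reply_code(exc) == FILE_UNAVAILABLE:
            return False
        raise


class FakeFtp:
    """Constructed stand-in for ftplib.FTP: maps a path to the server's reply."""

    def __init__(self, replies):
        # path -> None (listing succeeds) or the exception the server reply would raise
        self.replies = replies

    def nlst(self, path):
        # Unknown paths get the classic 550 reply a real server sends.
        reply = self.replies.get(
            path, ftplib.error_perm("550 %s: No such file or directory" % path))
        if reply is not None:
            raise reply
        return []


def demo():
    """Run the check against a few constructed server behaviours; report each outcome."""
    server = FakeFtp({
        "/pub": None,
        "/secret": ftplib.error_perm("530 Not logged in"),
        "/busy": ftplib.error_temp("421 Service not available"),
    })
    results = {}
    for path in ("/pub", "/missing", "/secret", "/busy"):
        try:
            results[path] = directory_exists(server, path)
        except ftplib.Error as exc:
            results[path] = "raised %s" % reply_code(exc)
    return results
```

Only /pub and /missing yield a boolean; the 530 and 421 cases surface as exceptions instead of a misleading false.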

Speaking of "inelegant ways to do this", Lothar recently sent us a different FTP WTF. Specifically, a customer was trying to bulk download JPGs from an FTP directory, and when they traced the FTP commands executed, they got this trace:

    ---> NLST *.jpg
    <-- 150 Accepted data connection
    <-- 226-Out of memory during globbing of *.jpg
    <-- 226-(This probably means "Permission denied")

The ---> marks the command sent; the <-- marks what the server replies with. Much like HTTP, server responses lead with numeric status codes, and a 2xx code represents a success. Obviously, this isn't a success, but we got a 226 response, which explicitly means "we succeeded, and we're closing the data connection since we're all done here."

It's a weird message, and with a little googling, sometimes it's actually a memory issue, sometimes it really is a permission denied error, and sometimes it's apparently a certificate issue.

Which brings us to the real WTF, which isn't Karl's code or Lothar's error trace. It's FTP.

FTP is a legacy protocol which has been supplanted by more secure, more flexible, and definitely more usable file transfer protocols. But it's also still widely deployed, especially in enterprise spaces, because there are mainframe systems that need to send files and don't have a usable SFTP implementation (or, if they do, no one knows how to install it or set it up), or there's an EDI pipeline that was set up in 1986 that no one understands but that is 100% central to the business process.

FTP is a legacy technology, and legacy technologies are like herpes: you might have had fun when it was getting installed, you probably went years without thinking about it, but when it goes wrong you regret everything, and you are never going to get rid of it.



Cryptogram: Becoming a Tech Policy Activist

Carolyn McCarthy gave an excellent TEDx talk about becoming a tech policy activist. It's a powerful call for public-interest technologists.

Cryptogram: RSA-240 Factored

This just in:

We are pleased to announce the factorization of RSA-240, from RSA's challenge list, and the computation of a discrete logarithm of the same size (795 bits):

RSA-240 = 12462036678171878406583504460810659043482037465167880575481878888328 966680118821085503603957027250874750986476843845862105486553797025393057189121 768431828636284694840530161441643046806687569941524699318570418303051254959437 1372159029236099 = 509435952285839914555051023580843714132648382024111473186660296521821206469746 700620316443478873837606252372049619334517 * 244624208838318150567813139024002896653802092578931401452041221336558477095178 155258218897735030590669041302045908071447


The previous records were RSA-768 (768 bits) in December 2009 [2], and a 768-bit prime discrete logarithm in June 2016 [3].

It is the first time that two records for integer factorization and discrete logarithm are broken together, moreover with the same hardware and software.

Both computations were performed with the Number Field Sieve algorithm, using the open-source CADO-NFS software [4].

The sum of the computation time for both records is roughly 4000 core-years, using Intel Xeon Gold 6130 CPUs as a reference (2.1GHz). A rough breakdown of the time spent in the main computation steps is as follows.

RSA-240 sieving: 800 physical core-years
RSA-240 matrix: 100 physical core-years
DLP-240 sieving: 2400 physical core-years
DLP-240 matrix: 700 physical core-years

The computation times above are well below the time that was spent with the previous 768-bit records. To measure how much of this can be attributed to Moore's law, we ran our software on machines that are identical to those cited in the 768-bit DLP computation [3], and reach the conclusion that sieving for our new record size on these old machines would have taken 25% less time than the reported sieving time of the 768-bit DLP computation.

EDITED TO ADD (12/4): News article. Dan Goodin points out that the speed improvements were more due to improvements in the algorithms than from Moore's Law.

Long Now: The role of 80-million-year-old rocks in American slavery — Lewis Dartnell at The Interval

When Cretaceous-age rocks in the Southern US eroded over millions of years, they produced a uniquely rich, fertile soil that landowners realized was ideal for growing cash crops such as cotton. It was the soil from these rocks that slaves toiled over in the era of American slavery—and the same ground that ultimately became the epicenter of the Civil Rights Movement.

From Lewis Dartnell’s talk at The Interval, “ORIGINS: How Earth’s history shaped human history.”

About the talk

From the cultivation of the first crops to the founding of modern states, the human story is the story of environmental forces, from plate tectonics and climate change, to atmospheric circulation and ocean currents.

Professor Lewis Dartnell will dive into the planet’s deep past, where history becomes science, to explore a web of connections that underwrites our modern world, and that can help us face the challenges of the future.

About Lewis Dartnell

Lewis Dartnell is a Professor of Science Communication at the University of Westminster. Before that, he completed his biology degree at the University of Oxford and his PhD at UCL, and then worked as the UK Space Agency research fellow at the University of Leicester, studying astrobiology and searching for signs of life on Mars. He has won several awards for his science writing and contributes to the Guardian, The Times, and New Scientist. He is also the author of three books. He lives in London, UK.

Worse Than Failure: Process Oriented

Andre was finishing writing documentation before he clocked out for a much-needed two-week vacation. He had stocked up his fridge with beer, energy drinks, and cola. He planned on working on raids with his gaming guild. He hadn't been as active as he liked lately, and was really looking forward to the break.

Andre's phone buzzed. He looked and saw Bob was calling. Bob struggled with the most basic of tasks, but worked in a large enterprise. His department contracted out to Andre to help offset the problem of their sales department.

“Hi Bob, how’s it going?” Andre asked.

“Hi, Andre, thanks for taking my call. I have an unusual request,” stammered Bob.

“Yeah, shoot. I tend to enjoy the unusual,” said Andre.

“Well, uh…this is outside my department,” Bob started, “and it’s rather personal. But, uh, you see, I left my car keys at the garage and they have my token... I need a login reset for the day, but because of company policy I could get, uh, disciplinary action for not having my token.”

“Yeah, sorry Bob. I can’t break the rules. You know I would.”

Bob sighed, “Ok, I understand. It never hurts to ask.”

“I don’t always agree with the rules but sometimes they are there for reasons we don’t know.”

After Bob’s problem, Andre went back to planning for his gaming weekend when he received an email. This was from another client, Initech Insurance. Initech used public databases, spreadsheets, and Access for requesting information from financial advisors. The financial advisors sent updates back to Initech.

Angela, from Initech Insurance, had bumped heads with Andre in the past. She was "process oriented", which is to say, she didn't care about the end results so long as you let her micromanage you. Once, she requested Andre send about 1000 emails out, but refused to let him use BCC and insisted that every email be sent personally. As long as they paid for his time, Andre only cared so much about their stupidity.

Andre looked at her email. It was a request to fix 16,000 records in a shared Access database. The data, according to Angie, was "randomly shifted by a row". Ever a stickler for process, Angie explained that someone had already built an Access Form to manage the data, and someone simply needed to go through and manually copy/paste the data in that form.

Andre took a quick look at the dataset and saw that some of the data wasn't properly delimited, and on import had mashed some of the wrong data into the wrong columns. Glancing through the rest of the email chain, he saw that this had started over a month ago, when the account manager had asked Angela to fix this.

Andre clicked reply. He added the Project Manager. “Hi Angie, I think the best way to solve this challenge would be to use SQL to move the data between fields rather than using Access and copying and pasting. It’d also be faster and cheaper.”

He loaded up a game launcher and started to download an update and newly purchased games. He pulled out an energy drink and started to drink it when she responded, “NO! NO SQL, we are doing this in the Access Form.” He looked through the previous chain between her and the product manager.

The product manager asked her why she included Andre. Angie said she was working on it but wanted to ask Andre for the fastest result. He opened up Discord and messaged his friend, “Hey, I’m going to be a few minutes late; this consultant is trying to use me unofficially to fix a problem.” His friend responded with “K.”

She responded “Please do the first 8000 records, and I’ll work on the next 8000 records. With both of us working on it, we should be done in a few days.” Attached was a spreadsheet of 8,000 row IDs that needed correction.

Andre sighed and looked at his rubber ducky. “Yeah, I know, but it should be quick and easy if I could use SQL. It won't matter if she doesn’t know.”

It was easy work in SQL. A careful select with a few case statements quickly created a new table with the corrected rows. It took Andre 15 minutes.
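The kind of SELECT-with-CASE realignment the story describes, as an added example that is not Andre's script. The sample rows are constructed: a delimiter inside a name field split it in two on import, so every field to its right landed one column over. It runs against sqlite3 so it works offline; Access syntax differs (& for concatenation, SELECT ... INTO for the new table).

```python
import sqlite3

# Constructed import sample. Rows 2 and 4 had a comma inside the advisor name,
# so "Smith, John" became two fields and the rest of the row shifted right
# into a spill-over column.
SAMPLE_ROWS = [
    (1, "Ann Lee",   "P-1001", "250.00", "West",   None),
    (2, "Smith",     " John",  "P-1002", "310.50", "East"),
    (3, "Raj Patel", "P-1003", "199.99", "North",  None),
    (4, "Garcia",    " Maria", "P-1004", "420.00", "South"),
]

# A row is treated as shifted when the spill-over column is populated. Each
# CASE then pulls the field back from one column to the right, and the split
# name is re-joined with the delimiter that broke it. Good rows pass through.
REALIGN_SQL = """
CREATE TABLE corrected (
    id INTEGER, advisor TEXT, policy_no TEXT, premium REAL, region TEXT);

INSERT INTO corrected
SELECT id,
       CASE WHEN overflow IS NOT NULL THEN advisor || ',' || policy_no
            ELSE advisor END,
       CASE WHEN overflow IS NOT NULL THEN premium
            ELSE policy_no END,
       CAST(CASE WHEN overflow IS NOT NULL THEN region
                 ELSE premium END AS REAL),
       CASE WHEN overflow IS NOT NULL THEN overflow
            ELSE region END
FROM advisor_import;
"""

# Post-fix check: a policy number that does not look like one, or a premium
# that came out empty or non-numeric (CAST of garbage gives 0), means a row
# was not recognised by the shift rule and still needs a human.
CHECK_SQL = """
SELECT COUNT(*) FROM corrected
WHERE policy_no NOT LIKE 'P-%'
   OR premium IS NULL OR premium <= 0
"""


def realign(rows=SAMPLE_ROWS):
    """Load rows into an in-memory DB, build the corrected table, return (rows, bad_count)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE advisor_import (id INTEGER, advisor TEXT, policy_no TEXT,"
        " premium TEXT, region TEXT, overflow TEXT)")
    con.executemany("INSERT INTO advisor_import VALUES (?,?,?,?,?,?)", rows)
    con.executescript(REALIGN_SQL)
    corrected = con.execute(
        "SELECT id, advisor, policy_no, premium, region FROM corrected ORDER BY id"
    ).fetchall()
    bad = con.execute(CHECK_SQL).fetchone()[0]
    con.close()
    return corrected, bad
```

A non-zero bad count is the signal to look at the leftover rows by hand rather than trust the bulk fix.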

He sent an email to Angie, “Hi Angie, here is an updated list of the requested changes.” He didn’t cc the product manager, because at the end of the day, he wanted to get paid and didn't care about the credit.

Angie immediately responded “That’s IMPOSSIBLE. Let me check.” After a few minutes. “Well, very good, maybe you can do the 4000 other records. I only managed to do 250.”

He sighed, “Yeah, just send the rest of the records and I’ll clean them up.” A few minutes later he received the rest of the list and imported them into the same database. Andre ran the same script. After fifteen minutes, he sent her an invoice and the data. He turned off his email notifications, and logged into his game. He looked at his rubber ducky and said, “Some rules are stupid and need to be broken.”


Krebs on Security: The iPhone 11 Pro’s Location Data Puzzler

One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.

The privacy policy available from the iPhone’s Location Services screen says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

The policy explains users can disable all location services entirely with one swipe (by navigating to Settings > Privacy > Location Services, then switching “Location Services” to “off”). When one does this, the location services indicator — a small diagonal upward arrow to the left of the battery icon — no longer appears unless Location Services is re-enabled.

The policy continues: “You can also disable location-based system services by tapping on System Services and turning off each location-based system service.” But apparently there are some system services on this model (and possibly other iPhone 11 models) which request location data and cannot be disabled by users without completely turning off location services, as the arrow icon still appears periodically even after individually disabling all system services that use location.

On Nov. 13, KrebsOnSecurity contacted Apple to report this as a possible privacy bug in the new iPhone Pro and/or in iOS 13.x, sharing a video showing how the device still seeks the user’s location when each app and system service is set to “never” request location information (but with the main Location Data service still turned on).

The video above was recorded on a brand new iPhone 11 Pro. The behavior appears to persist in the latest iPhone operating system (iOS 13.2.3) on iPhone 11 Pro devices. A review of Apple’s support forum indicates other users are experiencing the same issue. I was not able to replicate this behavior on an older model iPhone 8 with the latest iOS.

This week Apple responded that the company does not see any concerns here and that the iPhone was performing as designed.

“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added].

Apple has not yet responded to follow-up questions, but it seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services.

Granted, the latest versions of iOS give users far more granular control over the sharing of this data than in the past, especially with respect to third-party apps. And perhaps this oddity is somehow related to adding support for super-fast new WiFi 6 routers, which may have involved the introduction of new hardware.

But it would be nice to know what has changed in the iPhone 11 and why, particularly given Apple’s recent commercials on how they respect user privacy choices — including location information. This post will be updated in the event Apple provides a more detailed response.

Update, Dec. 5, 2:53 p.m. ET: Apple disclosed today that this behavior is tied to the inclusion of a new short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it. More information can be found at this story.


TED: Business Unusual: Notes from Session 4 of TEDSummit 2019

ELEW and Marcus Miller blend jazz improvisation with rock in a musical cocktail of “rock-jazz.” They perform at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

To keep pace with our ever-changing world, we need out-of-the-box ideas that are bigger and more imaginative than ever. The speakers and performers from this session explore these possibilities, challenging us to think harder about the notions we’ve come to accept.

The event: TEDSummit 2019, Session 4: Business Unusual, hosted by Whitney Pennington Rodgers and Cloe Shasha

When and where: Wednesday, July 24, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Margaret Heffernan, Bob Langert, Rose Mutiso, Mariana Mazzucato, Diego Prilusky

Music: A virtuosic violin performance by Min Kym, and a closing performance by ELEW featuring Marcus Miller, blending jazz improvisation with rock in a musical cocktail of “rock-jazz.”

The talks in brief:

“The more we let machines think for us, the less we can think for ourselves,” says Margaret Heffernan. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Margaret Heffernan, entrepreneur, former CEO and writer 

Big idea: The more we rely on technology to make us efficient, the fewer skills we have to confront the unexpected. That’s why we must start practicing “just-in-case” management — anticipating the events (climate catastrophes, epidemics, financial crises) that will almost certainly happen but are ambiguous in timing, scale and specifics. 

Why? In our complex, unpredictable world, changes can occur out of the blue and have outsize impacts. When governments, businesses and individuals prioritize efficiency above all else, it keeps them from responding quickly, effectively and creatively. That’s why we all need to focus on cultivating what Heffernan calls our “unpredictable, messy human skills.” These include exercising our social abilities to build strong relationships and coalitions; humility to admit we don’t have all the answers; imagination to dream up never-before-seen solutions; and bravery to keep experimenting.

Quote of the talk: “The harder, deeper truth is that the future is uncharted, that we can’t map it until we get there. But that’s OK because we have so much capacity for imagination — if we use it. We have deep talents for inventiveness and exploration — if we apply them. We are brave enough to invent things we’ve never seen before. Lose these skills and we are adrift. But hone and develop them, and we can make any future we choose.”

Bob Langert, sustainability expert and VP of sustainability at McDonald’s

Big idea: Adversaries can be your best allies.

How? Three simple steps: reach out, listen and learn. As a “corporate suit” (his words), Bob Langert collaborates with his company’s strongest critics to find business-friendly solutions for society. Instead of denying and pushing back, he tries to embrace their perspectives and suggestions. He encourages others in positions of power to do the same, driven by this mindset: assume the best intentions of your critics; focus on the truth, the science and facts; and be open and transparent in order to turn critics into allies. The worst-case scenario? You’ll become better, your organization will become better — and you might make some friends along the way.

Fun fact: After working with NGOs in the 1990s, McDonald’s reduced 300 million pounds of waste over 10 years.

“When we talk about providing energy for growth, it is not just about innovating the technology: it’s the slow and hard work of improving governance, institutions and a broader macro-environment,” says Rose Mutiso. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Rose Mutiso, energy scientist

Big idea: In order to grow out of poverty, African countries need a steady supply of abundant and affordable electricity.

Why? Energy poverty, or the lack of access to electricity and other basic energy services, affects nearly two-thirds of Sub-Saharan Africa. As the region’s population continues to grow, we have the opportunity to build a new energy system — from scratch — to grow with it, says Rose Mutiso. It starts with naming the systemic holes that current solutions (solar, LED and battery technology) overlook: we don’t have a clear consensus on what energy poverty is; there’s too much reliance on quick fixes; and we’re misdirecting our climate change concerns. What we need, Mutiso says, is nuanced, large-scale solutions with a diverse range of energy sources. For instance, the region has significant hydroelectric potential, yet less than 10 percent of this potential is currently being utilized. If we work hard to find new solutions to our energy deficits now, everybody benefits.

Quote of the talk: “Countries cannot grow out of poverty without access to a steady supply of abundant, affordable and reliable energy to power these productive sectors — what I call energy for growth.”

Mariana Mazzucato, economist and policy influencer

Big idea: We’ve forgotten how to tell the difference between the value extractors in the C-suites and finance sectors and the value producers, the workers and taxpayers who actually fuel innovation and productivity. And recently we’ve neglected the importance of even questioning the difference between the two.

How? Economists must redefine and recognize true value creators, envisioning a system that rewards them just as much as CEOs, investors and bankers. We need to rethink how we value education, childcare and other “free” services — which don’t have a price but clearly contribute to sustaining our economies. We need to make sure that our entire society not only shares risks but also rewards.

Quote of the talk: “[During the bank bailouts] we didn’t hear the taxpayers bragging that they were value creators. But, obviously, having bailed out the biggest ‘value-creating’ productive companies, perhaps they should have.”

Diego Prilusky demos his immersive storytelling technology, bringing Grease to the TED stage. He speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Diego Prilusky, video pioneer

Big idea: Get ready for the next revolution in visual storytelling: volumetric video, which aims to do nothing less than recreate reality as a cinematic experience.

How? Movies have been around for more than 100 years, but we’re still making (and watching) them in basically the same way. Can movies exist beyond the flat screen? Yes, says Diego Prilusky, but we’ll first need to completely rethink how they’re made. With his team at Intel Studios, Prilusky is pioneering volumetric video, a data-intensive medium powered by hundreds of sensors that capture light and motion from every possible direction. The result is like being inside a movie, which you could explore from different perspectives (or even through a character’s own eyes). In a live tech demo, Prilusky takes us inside a reshoot of an iconic dance number from the 1978 hit Grease. As actors twirl and sing “You’re the One That I Want,” he positions and repositions his perspective on the scene — moving, around, in front of and in between the performers. Film buffs can rest easy, though: the aim isn’t to replace traditional movies, he says, but to empower creators to tell stories in new ways, across multiple vantage points.

Quote of the talk: “We’re opening the gates for new possibilities of immersive storytelling.”

CryptogramThe Story of Tiversa

The New Yorker has published the long and interesting story of the cybersecurity firm Tiversa.

Watching "60 Minutes," Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turned the opportunity over in his mind, he was setting in motion a sequence of events that would earn him millions of dollars, friendships with business élites, prime-time media attention, and respect in Congress. It would also place him at the center of one of the strangest stories in the brief history of cybersecurity; he would be mired in lawsuits, countersuits, and counter-countersuits, which would gather into a vortex of litigation so ominous that one friend compared it to the Bermuda Triangle. He would be accused of fraud, of extortion, and of manipulating the federal government into harming companies that did not do business with him. Congress would investigate him. So would the F.B.I.

Worse Than FailureCodeSOD: An Utter Mockery

Today's submitter gave us their name as simply ImminentBurnout. IB works at a company that uses Python and has strong opinions about unit testing. They don't have much understanding to go with those opinions, but they definitely have opinions.

One opinion is that every object- every object must have a stub version to facilitate unit testing. Now, if you're familiar with Python, you know the MagicMock library is built-in in Python 3 and is available as a dependency in 2.7, so problem solved. A MagicMock can act as a stub for every class or method. Plus, it has patching operators to dynamically swap out implementations.

And if IB's workplace used MagicMock, we wouldn't have much to say.

Instead, they had an in-house generic module which would generate the boilerplate for you. IB doesn't tell us much about how this module is actually used- how you mark a class to have a mock generated.

But IB did share with us the implementation of the mock. Python's a flexible language, and there are a million ways you could accomplish this (even though MagicMock or a related library is probably the "right" answer).

One thing that's important to note is that, in Python, you can include arbitrary code in the class body. So something like this is perfectly valid:

>>> x = 5
>>> class Foo:
...     if x:
...         def bar(self):
...             return x
...     else:
...         def bar(self):
...             return 2
...
>>> f = Foo()

In this example, the definition of bar will change depending on the value of the variable x. This is generally not a good thing to do, but it's important to note that you can add loops, declare variables, and call functions from inside of the class body.

So, inside the body of the mock-generating class, how exactly did they leverage this feature of the language?

impl_def1 = '    retval = self.extend_f( "%s" %s %s )\n' \
            '    try:\n' \
            '        if retval == None:\n' \
            '            retval = %s\n' \
            '    except:\n' \
            '        pass\n' \
            '    return retval' \
            % ( method_name, comma, ', '.join( input_defs ), ', '.join( output_defs ) )
impl_def2 = '    _ = self.extend_f( "%s" )\n' \
            '    return' % ( method_name )
impl_def = impl_def1 if len( output_defs ) else impl_def2
stub_def = 'def method( %s ):\n%s' % ( ', '.join( input_defs ), impl_def )
exec(stub_def)

They do a pile of string-munging, then invoke exec, which, as you might guess, executes a string as if it were Python code. That's the WTF, but they somehow managed to make string-munging more awkward and uglier than it needed to be.

There are a few things we can see in this code. First, the heavy use of the % operator implies that it started life in an older version of Python, where string formatting worked more like: "This %s is %s" % ("code", "bad"). So that could excuse not using MagicMock, perhaps, but there are still far better ways to do this. The bonus of using the older-style string formatting is that it helps make it basically impossible to parse out what's actually getting injected in each block- which values exactly end up in the line retval = %s\n?

You'll also note that they used the most awkward possible option for doing multiline strings, as Python supports (and has nearly always supported) using """ as the boundary for multiline strings.
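To make the comparison concrete, here is an added example (not code from the original post): the exec-driven stub builder reproduced in runnable form, beside a closure that does the same job without exec, and the MagicMock one-liner the article recommends. The Recorder base class, the meaning of input_defs (parameter names without self) and output_defs (default return values, repr'd into the source), and the spec layout are all assumptions made for this example.

```python
from unittest.mock import MagicMock


class Recorder:
    """Hypothetical base class standing in for whatever the article's generated
    mocks inherit from: extend_f records each call and returns the primed value."""

    def __init__(self, primed=None):
        self.calls = []
        self.primed = primed

    def extend_f(self, method_name, *args):
        self.calls.append((method_name, args))
        return self.primed


def build_stub_with_exec(method_name, input_defs, output_defs):
    """The article's technique: glue Python source together with %-formatting,
    then exec() it. Assumed here: input_defs are parameter names without self;
    output_defs are default values (the original interpolates source text)."""
    comma = ',' if input_defs else ''
    if output_defs:
        impl_def = ('    retval = self.extend_f( "%s" %s %s )\n'
                    '    try:\n'
                    '        if retval == None:\n'
                    '            retval = %s\n'
                    '    except:\n'
                    '        pass\n'
                    '    return retval'
                    % (method_name, comma, ', '.join(input_defs),
                       ', '.join(repr(v) for v in output_defs)))
    else:
        impl_def = '    _ = self.extend_f( "%s" )\n    return' % (method_name,)
    stub_def = 'def method( %s ):\n%s' % (', '.join(['self'] + list(input_defs)),
                                          impl_def)
    namespace = {}
    exec(stub_def, namespace)  # the WTF: text assembled at runtime becomes code
    return namespace['method']


def build_stub_without_exec(method_name, input_defs, output_defs):
    """Same observable behaviour as a closure: no string-building, no exec.
    The method name stays data, so any string is accepted; input_defs is
    unused because *args forwards whatever the caller passes."""
    defaults = tuple(output_defs)

    def method(self, *args):
        retval = self.extend_f(method_name, *args)
        if retval is None and defaults:
            retval = defaults[0] if len(defaults) == 1 else defaults
        return retval

    method.__name__ = method_name
    return method


def make_mock_class(name, specs, builder):
    """Build a Recorder subclass whose methods come from `builder`;
    specs maps method name -> (input_defs, output_defs)."""
    attrs = {m: builder(m, ins, outs) for m, (ins, outs) in specs.items()}
    return type(name, (Recorder,), attrs)


def demo():
    """Exercise both builders on the same spec and return the observations."""
    specs = {'fetch': (['key'], [0]), 'reset': ([], [])}
    ExecMock = make_mock_class('ExecMock', specs, build_stub_with_exec)
    ClosureMock = make_mock_class('ClosureMock', specs, build_stub_without_exec)
    e, c = ExecMock(), ClosureMock()
    results = {
        'exec_default': e.fetch('a'),     # extend_f gives None -> default 0
        'closure_default': c.fetch('a'),
        'exec_primed': ExecMock(primed=7).fetch('b'),
        'reset_both': (e.reset(), c.reset()),
        'calls': c.calls,                 # what the closure mock recorded
    }
    # Failure mode of the exec version: the method name is pasted into source
    # text, so a name containing a quote is no longer just a name and the
    # generated source does not even compile. The closure has no such boundary.
    try:
        build_stub_with_exec('say "hi"', [], [])
        results['exec_quoted_name'] = 'accepted'
    except SyntaxError:
        results['exec_quoted_name'] = 'SyntaxError'
    results['closure_quoted_name'] = build_stub_without_exec('say "hi"', [], []).__name__
    # The library answer the article points to: MagicMock already does all this.
    m = MagicMock()
    m.fetch.return_value = 0
    results['magicmock'] = (m.fetch('a'), m.fetch.call_args.args)
    return results
```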

IB has this to add:

It's so bad that it cured my impostor syndrome. I may not be the best, but at least I don't write this kind of crap.

And that, by the way, is the cure for imposter syndrome: realize that the world is full of successful morons, so no matter how much of a moron you think you are, you're entitled to whatever success you have.



Cory DoctorowParty Discipline, a Walkaway story (Part 1)

In my latest podcast (MP3), I’ve started a serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

I don’t remember how we decided exactly to throw a Communist party. It had been a running joke all through senior year, whenever the obvious divisions between the semi-zottas and the rest of us came too close to the surface at Burbank High: “Have fun at Stanford, come drink with us at the Communist parties when you’re back on break.”

The semi-zottas were mostly white, with some Asians—not the brown kind—for spice. The non-zottas were brown and black, and we were on our way out. Out of Burbank High, out of Burbank, too. Our parents had lucked into lottery tickets, buying houses in Burbank back when they were only ridiculously expensive. Now they were crazy. We’d be the last generation of brown kids to go to Burbank High because the instant we graduated, our parents were going to sell and use the money to go somewhere cheaper, and the leftovers would let us all take a couple of mid-range MOOCs from a Big Ten university to round out our community college distance-ed degrees.


CryptogramCameras that Automatically Detect Mobile Phone Use

New South Wales is implementing a camera system that automatically detects when a driver is using a mobile phone.

Worse Than FailureCodeSOD: List Incomprehension

Loads of languages, like Python, have some sort of "comprehension" as a form of syntactic sugar. Instead of doing something awkward like:

my_list = [1, 2, 3, 4]
res = []
for x in my_list:
    res.append(x * x)
# res contains: [1, 4, 9, 16]

You can instead do:

my_list = [1, 2, 3, 4]
res = [x * x for x in my_list]
# res contains: [1, 4, 9, 16]

Used correctly, it's not just code golf, but it can make the intent and purpose of your code more clear. Used incorrectly, you can accomplish the exact opposite.

Vincent took over a product with a lot of modules which had, at one time, been very important bits of functionality, but now were deprecated. For example, there used to be an lxml-based parser which loaded data from an XML-based web-service. That webservice was long dead, the parser thus was no longer needed, but the code wasn't so well organized that you could just delete the module without doing a review.

That's how Vincent found this:

def scrape_ext(root, split_by):
    return '\n'.join([
        ' '.join([b.strip() for b in c.split()])
        for c in [_f for _f in [
            y.strip() for y in root.text_content().split(split_by)] if _f]])

This is the impressive triply-nested comprehension, with useless variable names and a bonus bit of awkward indentation to help keep it unreadable and unclear. So much for Python's whitespace-as-syntax helping developers keep their code blocks properly indented.

Let's see if we can make sense of this by taking it from the inside out. First:

[y.strip() for y in root.text_content().split(split_by)]

This is easy, on its own: take the text of an HTML element, and create a list by splitting on some character, but also stripping whitespace. This, alone, is a pretty textbook example of a simple comprehension: it iterates across a list and manipulates each item in the list in a small way. The next comprehension, wrapping around that:

[_f for _f in split_and_stripped if _f]

This highlights another feature of Python comprehensions, filtering. You have an if _f at the end, which selects only the elements that are truthy values- any empty strings will be filtered out.

There's only one problem with that filter: it's not necessary. Because the next comprehension is for c in [_f for … if _f], we could just as easily have done for c in split_and_stripped if c. And what do we do with c anyway?

Another nested comprehension:

[b.strip() for b in c.split()]

Split the string on whitespace, strip the whitespace… that we just split on. Python's split will remove all the whitespace characters, making the strip unnecessary.

Then we ' '.join([b.strip() for b in c.split()]), which shows us Python's unusual approach to joins (they're string methods, not array methods- this joins the array using a space between each element).

Then we join the results of all the other comprehensions with a \n.

So the real purpose of this code: turn all the whitespace into single spaces, then replace an arbitrary character (split_by) with a newline. But you wouldn't get that by just reading it, and I'm not entirely certain that's what the original developer actually realized they were doing, because this isn't the kind of code written by someone who understands the problem they're solving.

Like so much bad code, this was fortunately unused in the program, and Vincent was free to dispose of it.
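As an added example (not from the original post), here is the article's scrape_ext beside a plain-loop version that states the behaviour the analysis above arrives at, run over constructed inputs that cover the cases the comprehension quietly handles (mixed whitespace, embedded newlines, whitespace-only and empty segments). FakeElement is a constructed stand-in for an lxml element so the example runs without a parser.

```python
class FakeElement:
    """Constructed stand-in for an lxml element; only text_content() is needed."""

    def __init__(self, text):
        self._text = text

    def text_content(self):
        return self._text


def scrape_ext(root, split_by):
    # The triply nested comprehension from the article, behaviour unchanged.
    return '\n'.join([
        ' '.join([b.strip() for b in c.split()])
        for c in [_f for _f in [
            y.strip() for y in root.text_content().split(split_by)] if _f]])


def scrape_ext_readable(root, split_by):
    """Same result, written the way the article summarises it: collapse every
    run of whitespace (newlines included) to a single space, drop segments that
    are empty after that, and join the survivors with newlines."""
    lines = []
    for segment in root.text_content().split(split_by):
        collapsed = ' '.join(segment.split())  # split() with no argument also strips
        if collapsed:                          # the `if _f` filter, one level up
            lines.append(collapsed)
    return '\n'.join(lines)


# Constructed inputs: mixed whitespace, an embedded newline inside a segment,
# an empty document, and a document made only of separators.
SAMPLES = [
    "  alpha   beta | gamma\tdelta |   |  epsilon ",
    "line one\nstill one|two",
    "",
    "|||",
]


def run_samples(split_by='|'):
    """Run both versions over SAMPLES, check they agree, and return the outputs."""
    outputs = []
    for text in SAMPLES:
        element = FakeElement(text)
        original = scrape_ext(element, split_by)
        readable = scrape_ext_readable(element, split_by)
        if original != readable:
            raise AssertionError((text, original, readable))
        outputs.append(original)
    return outputs
```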



Cory DoctorowTalking with the Left Field podcast about Sidewalk Labs’s plan to build a surveilling “smart city” in Toronto

We’ve been closely following the plan by Google sister company Sidewalk Labs to build a surveilling “smart city” in Toronto; last week, I sat down with the Out of Left Field podcast (MP3) to discuss what’s going on with Sidewalk Labs, how it fits into the story of Big Tech, and what the alternatives might be.


Sam VargheseTest cricket is becoming a joke

Pakistan look like they will lose by an innings again to Australia, meaning that the two-Test series will end in a wipeout.

The question is: why are so many weak teams coming to Australia and playing matches that end up being hopelessly one-sided, resulting in very few people going to watch them?

Or is it the case that there is no other option given that India cannot come to Australia every year and play?

Pakistan has not played international cricket at home since 2009 when Sri Lanka toured. During that tour, terrorists attacked a bus carrying the Sri Lankans.

Since then, Pakistan has played all its international games in either Dubai or Abu Dhabi. The stadiums are grand but there are only a handful of expats who turn up to watch.

Worse, the fans at home are unable to see their heroes in action and interest in the game has plummeted. This means fewer and fewer kids turning to cricket, and a system which once produced world-class players by the score now hardly produces any.

Pakistan has to make do with what it has. And since it has no choice, washouts like the one it is about to suffer in Australia are what happens.


LongNowExperiencing Deep Time Through Visual Storytelling

Geological Time Spiral

Deep time is a notoriously hard concept to grasp. Our lived human experience is grounded in a timeframe that is at odds with the geological time frame of millions or billions of years. Since geologists began figuring out the true scale of geologic time, they have tried to communicate this scale through a series of metaphors, maps, and visualizations. Famous examples of this include Carl Sagan’s Cosmic Calendar, and for children, Montessori’s Clock of Eras. Advances in mapping and data visualization technologies have enabled new forms of visual storytelling for understanding these time frames. Two visualizations have been recently developed that address the temporal depth and endurance of our universe in novel and effective ways.

Deep Time Walk

Deep Time Walk is an engaging and innovative app that transforms deep time into an embodied experience, a mobile virtual time travel. Listeners plug headphones in and walk the entire journey of Earth’s 4.6-billion-year history in just 4.6km.

Deep Time Walk app.

Deep Time Walk uses a dramatized dialogue between a questioning protagonist and a patient scientist to explain complex topics in a relatable format. Written as a collaboration between playwright Peter Oswald and Dr. Stephan Harding, Deep Time Walk guides you to walk and encounter evolutionarily significant events, from the emergence of volcanoes to the first appearance of oxygen-producing photosynthesis. You, the listener and walker, are frequently addressed, to check you are still following as you walk 2 million years in just 2 meters.

Narrative is a powerful tool for connection and understanding. By creating a story with relatable characters, Deep Time Walk removes the listener from the present and walks them into the distant past. The conversational (and sometimes poetic) storytelling produces empathy and connection, which works to ground the individual personally into this global enduring epic.

This translation of time into distance creates an effective microcosm by transforming the complexity of 1,000,000 years into the comprehensible and familiar metric of one meter. Through this, Deep Time Walk claims to help users understand ‘the destructive impact we are now having on the Earth’s complex climate in the blink of a geological eye.’

Ancient Earth

Ancient Earth, a temporal map of the world, approaches deep time differently. Built as an interactive tool, Ancient Earth works to visualize the extensive geographic and tectonic shifts of the last 750 million years and maps them comparatively onto the globe of today. Developed by Ian Webster, the curator of the world’s largest digital dinosaur database, with the use of C.R. Scotese’s paleogeographic maps, Ancient Earth captures deep time in physical space, on Earth.

450 million years ago, in the Late Ordovician. The pink dot is New York City. (Ian Webster/Ancient Earth)

Ancient Earth catapults the viewer back to the emergence of single-celled organisms, such as green algae, in the Cryogenian ice age 750 million years ago, before leaping ahead 320 million years to the Silurian Period, when mass extinctions coincided with progression of complex life on land. What is most striking about this ancient world is that it is barely recognizable; it looks disarmingly dark, cold and watery.

Sliding forward to 240 million years ago, the user encounters another equally distorted Earth; one landmass, Pangea, dominated as the singular supercontinent that encompassed the world. The map has plenty of useful features, from simple yet effective dropdown time jump options, such as the evolution of the first flowers, to location-specific searches, enabling users to track the journey of their hometown across both time and space. As Meilan Solly writes in a piece for The Smithsonian, “interested parties can now superimpose the political boundaries of today onto the geographic formations of yesteryear.”

What both Ancient Earth and Deep Time Walk achieve is compelling because of their user experience. Both engage directly with the individual and bring them into a narrative: Deep Time Walk is an embodied experience and drama; Ancient Earth encourages you to map your hometown across the ages. By making it relatable and personal, these apps start to help us conceptualize deep time.

Learn More

  • Watch geologist Marcia Bjornerud’s 02019 Long Now talk about deep time, “Timefulness.”
  • Read “How the Concept of Deep Time is Changing” in The Atlantic.


LongNowMove Slow and Preserve Things

La French Tech recently interviewed Long Now Director of Development Nicholas Paul Brysiewicz on the appropriate role of long-term thinking in an increasingly accelerated world.


LongNowA Trips Festival for the Digital Age

Leading up to each edition of Sónar is a visual messaging campaign that’s come to be known as the SónarImage. This year’s SónarImage, above, was a short film, ‘Je te tiens’, directed by Sónar co-founder Sergio Caballero.

Two series of radio transmissions are currently beaming through interstellar space — bound, their senders hope, for intelligent life on a distant planet. The transmissions contain 38 encoded pieces of music, each ten seconds in length, created by far-out but nonetheless earth-bound musicians.

At this writing, the first of the transmissions will have recently exited the Oort cloud, an expanse of icy cometary nuclei made of cosmic dust. It is expected to reach its destination, the exoplanet GJ273b, on November 3rd, 02030–12.5 years after it was sent from Earth. The second transmission will arrive six months later.

The exoplanet, known as Luyten’s Star, appears to meet the necessary conditions to harbor life. If it does, and if it is intelligent life, and if its denizens deign to reply, the soonest Earthlings can hope to hear back is 02043.

For the organizers of Sónar, an arts, design and electronic music festival in Barcelona, Spain, that would constitute perfect timing. The festival partnered with METI (Messaging Extraterrestrial Intelligence) to send the radio transmissions last year for its 25th anniversary celebration, with the hope that it might get a response time for its 50th.

A satellite in Tromsø, Norway, where the Sónar festival, in partnership with METI, sent radio transmissions to a potentially habitable exoplanet.

A multi-decade project to contact alien life might not seem like typical festival fare. But Sónar isn’t a typical festival. For over a quarter century, it has sought to bridge the worlds of art and technology, the popular and the avant garde, and club culture and cyberculture. Each edition of the festival offers a glimpse of possible futures and frontiers, from the latest technological advances in artificial intelligence and quantum computing to the next trends in music and multimedia art. The music festival is coupled with Sónar+D, a four-day technology and design conference of talks, workshops, immersive experiences, and exhibitions.

Sónar epitomizes what Stanford historian Fred Turner calls a network forum — a place “within which members of multiple communities [can] meet and collaborate and imagine themselves as members of a single community”:

Within the network forum, […] contributors create new rhetorical tools with which to express and facilitate their new collaborations. Network forums need not be confined to media. Think tanks, conferences, even open-air markets—all can serve as forums in which one or more entrepreneurs gather members of multiple networks, allow them to communicate and collaborate, and so facilitate the formation of both new networks and new contact languages.

Turner, Fred. From Counterculture to Cyberculture: Stewart Brand, the Whole Earth Network, and the Rise of Digital Utopianism (02006), Chicago University Press, pp. 72–3.

Madeline Gannon teaches a masterclass at Sónar+D 02019 on “The Future of Humans and Machines: Human-Robot Interaction across the arts, sciences, and society.”

José Luis de Vicente, the lead curator of Sónar+D, describes the festival’s curatorial approach as anti-disciplinary.

“Sónar pioneered a model where the lines between musician, visual artist, technologist and sometimes even entrepreneur are really blurred,” de Vicente tells me. “We wanted to be a vessel for people who transition between those spaces.”

But then he pauses — realizing, perhaps, that he’s made too bold a claim.

“You know, there’s a problem in this community where we always think we’re inventing everything from scratch,” he says. “But there’s easily 50 years of tradition in this kind of thing.”

That tradition began, de Vicente says, with the 01966 Trips Festival, a watershed moment in the history of American counterculture that inaugurated the psychedelic sixties. The three-day event, held in San Francisco’s Longshoreman’s Hall, was organized by future Long Now co-founder Stewart Brand, whom de Vicente calls a “godfather of digital culture.” At the time, Brand was part of Ken Kesey’s Merry Pranksters, an outfit of psychedelic enthusiasts who had begun throwing parties (dubbed ‘Acid Tests’) some months prior.

Stewart Brand and Ken Kesey, 01966. California Historical Society.

The Acid Tests were small, haphazard and sketchy affairs, taking place in houses, on beaches, and in small music venues. Attendees helped themselves to LSD served out of trash containers and danced all night under multi-colored lights to the improvised noodlings of an up-and-coming blues band called the Warlocks, soon to be the Grateful Dead.

There was talk amongst the Pranksters of throwing a bigger party — fire a flare into the San Francisco sky and see who comes. But the Pranksters, for all their spontaneity, lacked a certain organizational focus.

“I knew in my heart that we were not going to be able to pull that off,” Brand recalled. “But that it ought to happen.” Brand, along with electronic music composer Ramón Sender, took it upon themselves to make it so. They secured Longshoreman’s Hall as a venue and enlisted the help of concert promoter Bill Graham.

The California Historical Society sets the scene:

Over 10,000 people, many taking LSD, attended the three-day event. Although the event included music, it was not billed as a concert per se. Rather, it was promoted as an immersive and participatory multi-media experience. Virtually the entire Bay Area’s avant-garde arts scene was involved, including the San Francisco Mime Troupe, the Open Theater, the Dancer’s Workshop and the San Francisco Tape Music Center. Yet it was the performances by emerging rock music groups the Grateful Dead and Big Brother and the Holding Company which captured the attention of attendees. It was the first major performance by the Dead in San Francisco, and the combination of the band’s music, the hall’s sound system and the visually captivating light shows over the three days that created a format that would soon dominate the city’s music halls. Bill Graham took over the Fillmore Auditorium for good just two weeks later, and his first weekend was advertised as the “sights and sounds of the Trips Festival.” As Tom Wolfe says in the Electric Kool-Aid Acid Test, “the Haight-Ashbury era began that weekend.” The world would never be the same.

Trips Festival poster. “This is the FIRST gathering of its kind anywhere,” the poster reads. “The TRIP — or electronic performance — is a new medium of communication and entertainment.”

“The Trips Festival was the original event saying a show should be a multi-sensorial experience,” de Vicente says. It was also an early originator of the idea that engineers and artists could work together in fruitful collaboration, a model that drove the San Francisco Bay Area’s transition from counterculture to cyberculture over the second half of the twentieth century. Finally, the Trips Festival introduced the notion of “no spectators,” which Stewart Brand defines as “the idea that an audience shows up to a certain kind of event expecting to do something, not just to see something.” “No Spectators” later became a guiding principle of both rave culture and festivals like Burning Man. 

Another lesser known but equally pivotal chapter in the multimedia artistic tradition that gave rise to Sónar occurred in New York City, at the 69th Regiment Armory, nine months after the Trips Festival. 9 Evenings: Theatre and Engineering sought to bridge the worlds of art and technology through showcasing collaborations between avant garde artists and engineers from Bell Labs.

Robert Rauschenberg’s “Open Score” performed at 9 Evenings. La Critique.

The project was started by Bell Labs engineer Billy Klüver and graphic artist Robert Rauschenberg, who later founded Experiments in Art and Technology to further explore the artistic possibilities of electric space. In the ten months leading up to 9 Evenings, Bell Labs engineers worked with artists John Cage, Lucinda Childs, Merce Cunningham, Öyvind Fahlström, Alex Hay, Deborah Hay, Steve Paxton, Robert Rauschenberg, David Tudor, and Robert Whitman to create technologies that would enable new forms of artistic expression:

Their collaboration produced many “firsts” in the use of new technology for the theater, both with specially-designed systems and equipment and with innovative use of existing equipment. Closed-circuit television and television projection was used on stage for the first time; a fiber-optics camera picked up objects in a performer’s pocket; an infrared television camera captured action in total darkness; a Doppler sonar device translated movement into sound; and portable wireless FM transmitters and amplifiers transmitted speech and body sounds to Armory loudspeakers.

“9 Evenings didn’t really look like an exhibition in a museum,” de Vicente says. “It looked way more like what Sónar By Night looks like — which is a huge dark hangar with thousands of people watching something that you wouldn’t naturally recognize as a performance.”

Sónar 01997.

Fast forward to 01994. Analog has given way to digital, the “happening” has given way to the rave and the club, and the amplified electricity of psychedelic rock has given way to the thumping bass of electronic dance music.

“DJs were already superstars,” writes music journalist James Davidson, “but the thriving club scene needed its Mecca — and […] it was left to three Catalans to give birth to the festival that now defines its genre.”

Quantum Garden by Aalto University, at SonarHub, 02019.

Sónar was founded by music journalist Ricard Robles and musicians/visual artists Enric Palau and Sergio Caballero. They billed the first gathering in 01994 as the “Festival of Advanced Music and Multimedia Art.” A Record and Technology Fair — what would later evolve into the Sónar+D conference — took place alongside the festival, which was attended by some 6,000 people. (Today, attendance at Sónar has swelled to over 126,000 people, with approximately 6,000 professionals participating in its Sónar+D conference.)

“When Sónar started in the mid 01990s, it contained that element [from the Trips Festival and 9 Evenings] of investigating this spectrum that an event can be both popular and avant garde at the same time,” de Vicente says. “You have this clash of people who would normally be in the space of experimental electronics with the people who are part of the audience of club culture, techno and house, and they mingle in very interesting ways.” 

Over the years, this mingling expanded to include members of research departments in universities and the first hacker spaces, which emerged as new centers of creativity with the rise of the web.

Memo Akten’s Deep Meditations at Sónar+D 02019.

It’s a heady, and at times overwhelming, brew. Days at Sónar start soberly at the Fira Montjuic convention center, with lanyard-donning techies attending panels and talks on quantum computing, artificial intelligence, and the future of the internet; perusing a technology trade fair (dubbed the SónarHub) where hackers hawk their latest prototypes; or experiencing the latest in cutting edge, immersive multimedia art, like Memo Akten’s Deep Meditations installation, a “slow, meditative, meticulously crafted journey of slowly evolving images and sounds — through the imagination of an artificial neural network trained on everything (literally images labelled ‘everything’ from the photo sharing website Flickr), as well as other abstract, subjective concepts such as life, love, art, faith, ritual, worship, god, nature, universe, cosmos and many more.”

Attendees help themselves to paella at Sónar 02019.

The character of the event changes markedly in the afternoon, when Sónar by Day begins. Thumping bass echoes through the festival grounds that now teem with club culture enthusiasts, attendance swelling by the hour. At the SónarVillage, an outdoor pavilion flanked by food trucks and beer stalls, DJs regale the paella-eating masses.

On smaller stages throughout the venue, avant garde artists debut new visions of the ambient frontier, like musician and programmer Holly Herndon’s new show/album PROTO, which she collaborated on with an artificial intelligence she dubs “Spawn,” or Daito Manabe’s AV tech experience, which uses an MRI scanner to visualize brain states reacting to the music being played.

A keynote address is delivered in the late afternoon in the convention auditorium. (In 02016, that honor fell to Long Now co-founder Brian Eno.) This year, Robert del Naja, the frontman of Massive Attack, discussed his band’s methodology of combining generative art, music and technology, as well as its recent project of encoding its debut album into DNA that can be sprayed from an aerosol can.

Björk performing at Sónar 02017.

Once darkness falls, attendees flood a different venue across Barcelona, the Fira Gran Via, for Sónar by Night. Tens of thousands of people pack overcrowded, sweaty hangars and dance until dawn, taking occasional breaks to hit the bumper car course. The music here is decidedly more mainstream, and over the years has featured the likes of Daft Punk, Kraftwerk, Björk, and Thom Yorke. DJs dominate the hours after midnight, with some playing six-hour sets. Once the sun rises, Sónar attendees are provided a brief reprieve before the festivities begin again in the late morning.

“Sónar is not a festival that values sleeping,” a Sónar veteran told me at del Naja’s keynote. “But the future is worth staying up for.”

Immersive Hub installation at SonarHub.

In recent years, Sónar has expanded its time horizon of the future to focus on coming centuries and millennia. As humanity grapples with multigenerational challenges like climate change and rapid technological advance, there’s been an increased emphasis on long-term thinking at Sónar — evidenced by both the themes and projects of Sónar and the ideas presented by speakers themselves.

Jay Springett, on stage, left, at a panel on the future of the internet, Sónar 02019.

“There is a deficiency of long-term thinking in western culture,” Jay Springett, a London based theorist, said at a panel on the future of the internet at this year’s Sónar+D. “It will be vital that we think at multigenerational time depths about everything from internet technologies to tree planting, given the challenges that humanity faces. Our modern world seeks to focus us towards the short-term, and praises quarterly growth. But in the real world, away from high frequency ledger entries and global capital flows, it takes 100–120 years for an oak tree to grow from seed to full canopy height. It takes three human generations to grow a tree. This is real growth. And I’d like to propose that everything that occurs in the duration between the decision to plant an acorn to the tree’s full grown crown is short-term thinking.”

The site of the SonarCalling transmissions in Tromsø, Norway.

SónarCalling, the festival’s attempt to message extraterrestrials, is Sónar’s most ambitious long-term project to date. It served as an organizing principle for the festival’s 25th anniversary, grounding its lines of inquiry around questions of exploration, messaging, intelligence, and designing for longevity.

“Sónar has always been about exploring and scanning the musical cultures of the planet,” de Vicente says. Broadening Sónar’s scope beyond Earth, de Vicente says, requires thinking in different scales of space — which necessarily implies deeper explorations of time.

Installation of pieces of the 10,000 Year Clock.

To that end, Sónar invited Alexander Rose, Executive Director at Long Now, to speak about the 10,000 Year Clock and what it’s taught Long Now about thinking about problems in millennial time scales. Rose emphasized that the central value of the Clock lies not in the object itself, but in the myth of long-term thinking it can help inspire.

“Some of the truly multi-millennial artifacts we have in civilization are stories,” Rose said, citing the Epic of Gilgamesh as an example. “What we’re really trying to do is build a story. The Clock is the mechanism by which a myth can hopefully be created. If the Clock lasts, great. But if it creates enough of a story, that myth could probably outlast the Clock by thousands of years.”

The engineering challenges in building a 10,000 year object were unprecedented, to be sure. But with the Clock nearing completion, the real challenge, Rose said, is building a 10,000 year institution that protects the Clock and keeps it relevant.

“We’re crossing an interesting time,” Rose said. “By the time we’re about 25 years old — the same age as this festival — we will have finished this very experimental phase, and will move into a phase where this very notional, perfect object that we’ve talked about is now going to be real and in the world and open to criticism. So moving forward, it’s going to be a very different institution, I think, than it has been up to now.”

Sónar finds itself in a similar moment of reflection, now that it has reached its 25-year-milestone. “We are trying to create a conversation that can only happen at 25 year intervals,” de Vicente says of the SónarCalling project. “It’s a way of asking what things will be like at the fiftieth edition of the festival.”

José Luis de Vicente, curator of Sónar+D.

Asking what the festival will be like in 25 years is implicitly a question about where things stand today. De Vicente, who was part of that first generation of technologists who started getting online in the early 01990s when the web was undergirded by techno-utopian principles, has lately found himself questioning what kind of art and technology event digital culture needs in its current fraught, polarized moment.

“We have never been in such a critical moment of dissatisfaction, of acknowledgment that a lot of these cultures that we built are not making society a better place,” he says. “It’s hard not to be cynical. But at the same time, it’s pretty exciting. These events are artifacts, they are devices. We’re going to need different kinds of devices for shaping the next stage of digital culture, to recapture that energy of possibility from the early days of the web.”

There’s reason to be optimistic that Sónar, as one of the world’s most forward-looking festivals, will be a leader in shaping what that next stage looks like, as it has been in the past. And that in 02043, if an intelligent civilization from beyond the solar system decides we’re worthy of a response, there’ll be a crowd of artists and technologists dancing to the strange sounds of an avant garde future in the city of Barcelona, eager to receive the message.

Learn More

  • Keep up with the SonarCalling audio transmissions as they make their way across the cosmos.
  • Watch talks from this year’s edition of Sónar+D.
  • Read Long Now’s interview with Sónar curator José Luis de Vicente about the role of art in addressing climate change. 
  • Read Fred Turner’s From Cyberculture to Counterculture: Stewart Brand, the Whole Earth Network, and the Rise of Digital Utopianism (02006) for more on the history that gave rise to events like Sónar.


LongNow: The Size of Space

The “Big Here” doesn’t get much bigger than Neal Agarwal’s The Size of Space, a new interactive visualization that provides a dose of perspective on our place in the universe. Starting with an astronaut, users can arrow through to different objects, celestial bodies and galaxies, ultimately zooming out to the observable universe.


ME: 4K Monitors

A couple of years ago a relative who uses a Linux workstation I support bought a 4K (4096*2160 resolution) monitor. That meant that I had to get 4K working, which was 2 years of pain for me and probably not enough benefit for them to justify it. Recently I had the opportunity to buy some 4K monitors at a low enough price that it didn’t make sense to refuse so I got to experience it myself.

The Need for 4K

I’m getting older and my vision is decreasing as expected. I recently got new glasses and got a pair of reading glasses as a reduced ability to change focus is common as you get older. Unfortunately I made a mistake when requesting the focus distance for the reading glasses and they work well for phones, tablets, and books but not for laptops and desktop computers. Now I have the option of either spending a moderate amount of money to buy a new pair of reading glasses or just dealing with the fact that laptop/desktop use isn’t going to be as good until the next time I need new glasses (sometime 2021).

I like having lots of terminal windows on my desktop. For common tasks I might need a few terminals open at a time and if I get interrupted in a task I like to leave the terminal windows for it open so I can easily go back to it. Having more 80*25 terminal windows on screen increases my productivity. My previous monitor was 2560*1440 which for years had allowed me to have a 4*4 array of non-overlapping terminal windows as well as another 8 or 9 overlapping ones if I needed more. 16 terminals allows me to ssh to lots of systems and edit lots of files in vi. Earlier this year I had found it difficult to read the font size that previously worked well for me so I had to use a larger font that meant that only 3*3 terminals would fit on my screen. Going from 16 non-overlapping windows and an optional 8 overlapping to 9 non-overlapping and an optional 6 overlapping is a significant difference. I could get a second monitor, and I won’t rule out doing so at some future time. But it’s not ideal.

When I got a 4K monitor working properly I found that I could go back to a smaller font that allowed 16 non overlapping windows. So I got a real benefit from a 4K monitor!

Video Hardware

Version 1.0 of HDMI, released in 2002, only supports 1920*1080 (FullHD) resolution. Version 1.3, released in 2006, supported 2560*1440. Most of my collection of PCIe video cards have a maximum resolution of 1920*1080 in HDMI, so it seems that they only support HDMI 1.2 or earlier. When investigating this I wondered what version of PCIe they were using; the command “dmidecode |grep PCI” gives that information. It seems that at least one PCIe video card supports PCIe 2 (released in 2007) but not HDMI 1.3 (released in 2006).

Many video cards in my collection support 2560*1440 with DVI but only 1920*1080 with HDMI. As 4K monitors don’t support DVI input that meant that when initially using a 4K monitor I was running in 1920*1080 instead of 2560*1440 with my old monitor.

I found that one of my old video cards supported 4K resolution; it has an NVidia GT630 chipset (here’s the page with specifications for that chipset [1]). It seems that because I have a video card with 2G of RAM I have the “Kepler” variant which supports 4K resolution. I got the video card in question because it uses PCIe*8 and I had a workstation that only had PCIe*8 slots and I didn’t feel like cutting a card down to size (which is apparently possible but not recommended). It is also fanless (quiet), which is handy if you don’t need a lot of GPU power.

A couple of months ago I checked the cheap video cards at my favourite computer store (MSY) and all the cheap ones didn’t support 4K resolution. Now it seems that all the video cards they sell could support 4K, by “could” I mean that a Google search of the chipset says that it’s possible but of course some surrounding chips could fail to support it.

The GT630 card is great for text, but the combination of it with an i5-2500 CPU (rating 6353 according to [3]) doesn’t allow playing Netflix full-screen, and on 1920*1080 videos scaled to full-screen mplayer sometimes prints messages about the CPU being too slow. I don’t know how much of this is due to the CPU and how much is due to the graphics hardware.

When trying the same system with an ATI Radeon R7 260X/360 graphics card (16* PCIe and draws enough power to need a separate connection to the PSU) the Netflix playback appears better but mplayer seems no better.

I guess I need a new PC to play 1920*1080 video scaled to full-screen on a 4K monitor. No idea what hardware will be needed to play actual 4K video. Comments offering suggestions in this regard will be appreciated.

Software Configuration

For GNOME apps (which you will probably run even if, like me, you use KDE for your desktop) you need to run commands like the following to scale menus etc:

gsettings set org.gnome.settings-daemon.plugins.xsettings overrides "[{'Gdk/WindowScalingFactor', <2>}]"
gsettings set org.gnome.desktop.interface scaling-factor 2

For KDE run the System Settings app, go to Display and Monitor, then go to Displays and Scale Display to scale things.

The Arch Linux Wiki page on HiDPI [2] is good for information on how to make apps work with high DPI (or regular screens for people with poor vision).
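As an added example, not from the original post, the POSIX shell script below derives the integer scaling factor from a monitor's reported physical size (as printed by xrandr) instead of hard-coding 2, then applies it with the same two gsettings commands. The output names and panel dimensions are constructed sample data, and the threshold of 144 DPI for doubling is my assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pick a GNOME scaling factor
# from an xrandr(1) "connected" line. DPI = pixels / (millimetres / 25.4).
# GNOME only offers integer scaling, so anything clearly denser than a
# ~96 DPI panel gets factor 2, everything else stays at 1.

# Constructed sample lines in the format xrandr prints for connected outputs.
SAMPLE_4K='DP-1 connected primary 3840x2160+0+0 (normal left inverted right x axis y axis) 600mm x 340mm'
SAMPLE_QHD='HDMI-1 connected 2560x1440+0+0 (normal left inverted right x axis y axis) 597mm x 336mm'

# dpi_from_xrandr_line LINE -> prints horizontal DPI rounded to an integer,
# returns non-zero if the line carries no geometry or physical width.
dpi_from_xrandr_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            # geometry field looks like 3840x2160+0+0; keep the pixel width
            if ($i ~ /^[0-9]+x[0-9]+\+[0-9]+\+[0-9]+$/) { split($i, g, "x"); px = g[1] }
            # first "NNNmm" field is the physical width
            if ($i ~ /^[0-9]+mm$/ && mm == "") { mm = $i; sub(/mm/, "", mm) }
        }
        if (px == "" || mm == "" || mm == 0) { exit 1 }
        printf "%d\n", (px / (mm / 25.4)) + 0.5
    }'
}

# scale_factor_for_dpi DPI -> prints 1 or 2 (assumed threshold: 144 DPI)
scale_factor_for_dpi() {
    if [ "$1" -ge 144 ]; then echo 2; else echo 1; fi
}

# apply_gnome_scaling FACTOR -> runs the gsettings commands from the post.
# Defaults to a dry run; set DRY_RUN=0 to change the live settings.
apply_gnome_scaling() {
    factor=$1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would set Gdk/WindowScalingFactor and scaling-factor to $factor"
        return 0
    fi
    gsettings set org.gnome.settings-daemon.plugins.xsettings overrides "[{'Gdk/WindowScalingFactor', <$factor>}]"
    gsettings set org.gnome.desktop.interface scaling-factor "$factor"
}

# Demo on the constructed sample; on a real box feed it
# the first line of: xrandr | grep ' connected'
dpi=$(dpi_from_xrandr_line "$SAMPLE_4K")
apply_gnome_scaling "$(scale_factor_for_dpi "$dpi")"
```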


4K displays are still rather painful, both in hardware and software configuration. For serious computer use it’s worth the hassle, but it doesn’t seem to be good for general use yet. 2560*1440 is pretty good and works with much more hardware and requires hardly any software configuration.


LongNow: Long Now Partners with GitHub on its Long-term Archive Program for Open Source Code

Long Now is pleased to announce that we have partnered with GitHub on its new archive program to preserve open source software for future generations. 

The archive represents a significant step in averting a potential future digital dark age, when much of the software that powers modern civilization could be lost to bit rot. Taking its lessons from past examples when crucial cultural knowledge was lost, such as the Great Library of Alexandria (which was burned multiple times between 48 BCE and 00640 CE) and the Roman recipe for concrete, the GitHub Archive is employing a LOCKSS (“Lots Of Copies Keep Stuff Safe”) approach to preserving open source code for the future.

“We will protect this priceless knowledge by storing multiple copies, on an ongoing basis, across various data formats and locations,” GitHub says, “including a very-long-term archive designed to last at least 1,000 years.” That long-term archive is the GitHub Arctic Code Vault, in the Arctic World Archive in Svalbard, Norway, an archival facility 250 meters beneath the Arctic permafrost. The Arctic World Archive is adjacent to the Svalbard Global Seed Vault, and aims to preserve the world’s data in much the same way the Seed Vault preserves plant seeds. GitHub intends to store every public GitHub repository on film reels coated with iron oxide powder, which can remain readable for 1,000 years using either a computer or a magnifying glass. Those who wish to add their code to the vault have until February 2nd, 02020 to do so. At that point, GitHub will take a snapshot of every public repository, and add it to the storage vault. GitHub plans to update the library every 5+ years.

Microsoft Research’s Project Silica storage device.

Another archival method is Microsoft Research’s newly-announced Project Silica quartz glass. Similar to the Rosetta Disk, Project Silica is designed to be a durable, long-term storage device.

Femtosecond lasers “encode data in [the] glass by creating layers of three-dimensional nanoscale gratings and deformations at various depths and angles,” Microsoft Research said in a press release. “Machine learning algorithms read the data back by decoding images and patterns that are created as polarized light shines through the glass.” GitHub intends to archive all public repositories on Microsoft’s Project Silica, which it believes could last for over 10,000 years. Like the Arctic Code Vault, GitHub plans to update the library every 5+ years.

Stewart Brand’s Pace Layers.

The GitHub archive program has adopted Long Now co-founder Stewart Brand’s pace layers framework for their code-archiving strategy. “This approach,” says GitHub, “is designed to maximize both flexibility and durability by providing a range of storage solutions, from real-time to long-term storage.”

GitHub’s Pace Layers approach to code-archiving.

Brand’s fast and slow layers are reconceptualized as hot, warm and cold. The hot layers (GitHub, GitHub Torrent, and GitHub archive) update in near-real time. The warm layers (the Internet Archive and the Software Heritage Foundation) update monthly to yearly. The cold layers (Oxford University’s Bodleian Library, the Arctic World Archive in Svalbard, and Microsoft Research’s Project Silica storage) update every five plus years. 

To ensure the future can use the software in its archive, GitHub has convened an Archive Program advisory panel of experts in technology and the humanities, including Long Now Executive Director Alexander Rose. The archive will include technical guides and a Tech Tree, “a roadmap and Rosetta Stone for future curious minds inheriting the archive’s data.”

An overview of the archive and how to use it, the Tech Tree will serve as a quickstart manual on software development and computing, bundled with a user guide for the archive. It will describe how to work backwards from raw data to source code and extract projects, directories, files, and data formats.

Inspired by Long Now’s Manual For Civilization, the archive will also include information on how to rebuild technologies from scratch.  

“It’s our hope,” GitHub says, “that [the Archive] will, both now and in the future, further publicize the worldwide open source movement; contribute to greater adoption of open source and open data policies worldwide; and encourage long-term thinking.”