Planet Russell

,

Worse Than FailureThe Compliance Ropeway

"So, let me get this straight," Derrick said. He closed his eyes and took a deep breath while massaging his temples before letting out an exasperated sigh. "Not a single person... in this entire organization... is taking ANY responsibility for Ropeway? No one is even willing to admit that they know anything about this application...?"

The Operations team had grown accustomed to their new director's mannerisms and learned it's just better to stay silent and let Derrick think out loud. Afterall, no one envied his job or his idealistic quest for actual compliance. If had he been at the bank as long as his team had, Derrick would have learned that there's compliance... and then there's "compliance."

"But we figured out that Ropeway somehow automatically transfers underwriting overrides from ISAC to AppPortal?" Derrick paused to collect his thoughts before a lightbulb went off. "Wait, wait. Those systems are both covered under our IBM Master Service Agreement, right? What did they say? Chris... did you reach out to our IBM liaison?"

"Well," Chris silently thanked everything good that Ropeway wasn't his problem. "IBM says that they have no idea. They said it's not in the scope of the MSA or any SOW, but they'd be happy to come out and—"

"Ab-so-lute-ly not," Derrick interrupted. He wasn't IBM's biggest fan, to put it mildly. "I've already eaten into next year's budget on this SSL initiative, and there's no way I'm gonna pay them just to tell me I have to pay them even more to fix what shouldn't even by my problem!"

Derrick let out another sigh, rubbing his temples again. "All I want," he grimaced, "is for Ropeway to use HTTPS instead of HTTP. That's all! Fine... fine! Chris, let's just move the whole damn Ropeway server behind the proxy."

"Roger that," Chris nodded, "We'll start prepping things for next week's maintenance window."

There was a lot of risk to moving Ropeway. The Operations team knew how to keep it running – it was just a Windows Service application – but they had no way of knowing if the slightest change in the environment would break things. Moving the server behind the http-to-https proxy meant a new IP and a new subnet, and they had seen far too may "if (IP==10.10.22.30) production_env = true" traps to know they can't just move things without a test plan.

But since no one on the business or Development side was willing to help, they were on their own and it'd be Derrick's head if ISAC or AppPortal stopped working once that maintenance window was over. But for the sake of actual compliance – not "compliance" – these were the risks Derrick was willing to take: SSL was simply non-negotiable.

##

"You'll never believe what I found on that Ropeway server," Chris said while popping into to Derrick's office. Actually, he knew that wasn't true; Derrick had come to expect the unbelievable, but Chris liked to prep Derrick nonetheless. Derrick took a deep breath and moved his hand towards his forehead.

"I found this." Chris plopped down a thick, tattered manila envelope that was covered in yellowed tape. "It was... um... taped to the server's chassis."

Derrick was legitimately surprised and started riffling through the contents as Chris explained things. "So apparently Ropeway was built by this guy, Jody Dorchester, at Roman, uh, wait. Ronin Software or something."

"And yeah," Chris continued as Derrick's eyes widened while he flipped through page-after-page-after page of documentation, "Jody apparently wrote all sorts of documentation... installation instructions, configuration instructions – and all the source code is on that enclosed CD-ROM."

Derrick was speechless. "This," he stuttered, "is dated... March ...of 2000."

"Yup," Chris jumped in nonchalantly, "but I took a shot in the dark here and sent Jody an email."

"And...," Chris said, smiling. He handed Derrick another document and said, "here's his reply."

Ropeway! Wow... that takes me back. I can't believe that's still around, and if you're contacting me about it... you must be desperate ;)

I built that app in a past life... I don't know how much this will help, but I'll tell you what I remember.

There was a fellow at the bank, Eric (or maybe Edward?), and he was a Director of Technology and a VP of something. I met him at a local networking event, and he told me about some project he was working on that was going to reduce all sorts of mindless paperwork.

One department over there was apparently printing out a bunch of records from their system and then faxing all that paper to a different department, who would then manually re-enter all those records into a different system. They had a bunch of data entry people, but the bigger problem was that it was slow, and there were a lot of mistakes, and it was costing a lot of money.

It sounded like a huge, complicated automation project – but actually, your guy had it mostly figured out. The one system could spit-out CSV files to some network share, and the other could import XML files via some web interface. He asked if I could help with that, and I said sure... why not? It just seemed like a really simple Windows service application.

It took a bit longer to wrangle those two formats together than I hoped, but I showed it off and he seemed absolutely thrilled. However, I'll never forget the look on his face when I told him the cost. It was something like 16 hours at $50/hr (my rate back then). I thought he was upset that I took so long, and billed $800 for something that seemed so simple.

Not even close. He said that IBM quoted over $100k to do the exact same thing – but there was just no way he could sell that he got this massive integration project accomplished for only $800. He said I needed to bill more... a lot more.

So, I made that little importer app as robust and configurable as what, VB4 would allow? Then I spent, like, a week writing that documentation you guys found, taped to the server. You know, I actually bought that server and did all the installation myself? Well after all that, he was satisfied with my new bill.

Anyways, I can't remember anything about the application, but there's probably a whole section of the docs dedicated to configuring it. Hopefully you guys can figure it out... good luck!

Jody was right. On page 16, there was, in fact, a section dedicated to the Web API configuration. To change use SSL, one would just have to open the service control tool, check off the "use secure connection," and then Ropeway would construct the Service URL using HTTPS instead of HTTP. That was it, apparently.

"I just... I can't believe it," Derrick paused, and shook his head before massaging his forehead – this time more in surprise that his usual temple massage. "No way. It can't be that simple. Nothing here is that simple!"

Chris shrugged his shoulders and said, "Checking that box does seem a bit simpler than moving—"

"Look," Derrick interrupted, "even if we change the setting, and that setting works, someone needs to own Ropeway, and take responsibility for it going forward. This is like rule number one of actual compliance!"

Chris nodded, and just let Derrick build up to what would certainly be yet another compliance rant.

"Come on," Derrick said enthusiastically, "Ropeway is so absurdly documented... look at this! Surely someone in Core Dev, Biz Apps, Vendor Apps, or heck, even Apps Integration will adopt this thing!? I mean... you realize what will happen if AppPortal craps out because the Ropeway integration breaks some day?"

Obviously, Chris knew exactly how bad it would be, but he let Derrick tell him anyways.

"I can't even imaginae it," Derrick took a breath. "The crap storm that all of those groups would face... this might even make the shareholder meeting! We gotta do something. How about we go to the ISAC team lead and say... here's Ropeway. It's your baby now. Congrats! Here's the docs, it's really easy to use, just--"

"Look," Chris cut in, soberly. "If you want me to go deliver that message -- in the middle of their whole Agile ScrumOps whatever war with Biz Apps – I will. But I'm pretty sure they're gonna go straight to the execs and push to expand the MSA with IBM to cover the App Portal integration..."

Chris paused for a few moments to let Derrick realize exactly who's budget an MSA expansion might come from. Derrick's eyes widened as he took another deep breath.

"Oooor", Chris continued, "this envelope still, umm, has a quite a bit of tape attached to it. Maybe... just maaaaybe...we never found the envelope in the first place? And perhaps, I don't know, Ropeway just... uhhh... happens to check that box itself one day? I don't know? It's an old app... old apps do weird things. Who knows? I don't... do you? Wait... I've already forgotten, what's Ropeway?"

Derrick slowly shook his head and started massaging the bridge of his nose with his index fingers. He let out a completely different sigh, defeated sigh, then uncharacteristically mumbled, "...better get some more tape..."

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

Planet DebianRuss Allbery: DocKnot 3.02

DocKnot is my set of tools for generating package documentation and releases. The long-term goal is for it to subsume the various tools and ad hoc scripts that I use to manage my free software releases and web site.

This release includes various improvements to docknot dist for generating a new distribution tarball: xz-compressed tarballs are created automatically if necessary, docknot dist now checks that the distribution tarball contains all of the expected files, and it correctly handles cleaning the staging directory when regenerating distribution tarballs. This release also removes make warnings when testing C++ builds since my current Autoconf machinery in rra-c-util doesn't properly exclude options that aren't supported by C++

This release also adds support for the No Maintenance Intended badge for orphaned software in the Markdown README file, and properly skips a test on Windows that requires tar.

With this release, the check-dist script on my scripts page is now obsolete, since its functionality has been incorporated into DocKnot. That script will remain available from my page, but I won't be updating it further.

You can get the latest release from CPAN or the DocKnot distribution page. I've also uploaded Debian packages to my personal repository. (I'm still not ready to upload this to Debian proper since I want to make another major backwards-incompatible change first.)

,

Planet DebianDirk Eddelbuettel: BH 1.72.0-3 on CRAN

Boost

The BH 1.72.0-1 release of BH required one update 1.72.0-2 when I botched a hand-edited path (to comply with the old-school path-length-inside-tar limit).

Turns out another issue needed a fix. This release improved on prior ones by starting from a pristine directory. But as a side effect, Boost Accumulators ended up incomplete with only the dependented-upon-by-others files included (by virtue of the bcp tool). So now we declared Boost Accumulators a full-fledged part of BH ensuring that bcp copies it “whole”. If you encounter issues with another incomplete part, please file an issue ticket at the GitHub repo.

No other changes were made.

Also, this fix was done initially while CRAN took a well-deserved winter break, and I had tweeted on Dec 31 about availability via drat and may use this more often for pre-releases. CRAN is now back, and this (large !!) package is now processed as part of the wave of packages that were in waiting (and Henrik got that right yesterday…).

Via CRANberries, there is a diffstat report relative to the previous release.

Comments and suggestions about BH are welcome via the issue tracker at the GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianSteve Kemp: I won't write another email client

Once upon a time I wrote an email client, in a combination of C++ and Lua.

Later I realized it was flawed, and because I hadn't realized that writing email clients is hard I decided to write it anew (again in C++ and Lua).

Nowadays I do realize how hard writing email clients is, so I'm not going to do that again. But still .. but still ..

I was doing some mail-searching recently and realized I wanted to write something that processed all the messages in a Maildir folder. Imagine I wanted to run:

 message-dump ~/Maildir/people-foo/ ~/Maildir/people-bar/  \
     --format '${flags} ${filename} ${subject}'

As this required access to (arbitrary) headers I had to read, parse, and process each message. It was slow, but it wasn't that slow. The second time I ran it, even after adjusting the format-string, it was nice and fast because buffer-caches rock.

Anyway after that I wanted to write a script to dump the list of folders (because I store them recursively so ls -1 ~/Maildir wasn't enough):

 maildir-dump --format '${unread}/${total} ${path}'

I guess you can see where this is going now! If you have the following three primitives, you have a mail-client (albeit read-only)

  • List "folders"
  • List "messages"
  • List a single message.

So I hacked up a simple client that would have a sub-command for each one of these tasks. I figured somebody else could actually use that, be a little retro, be a little cool, pretend they were using MH. Of course I'd have to write something horrid as a bash-script to prove it worked - probably using dialog to drive it.

And then I got interested. The end result is a single golang binary that will either:

  • List maildirs, with a cute format string.
  • List messages, with a cute format string.
  • List a single message, decoding the RFC2047 headers, showing text/plain, etc.
  • AND ALSO USE ITSELF TO PROVIDE A GUI

And now I wonder, am I crazy? Is writing an email client hard? I can't remember

Probably best to forget the GUI exists. Probably best to keep it a couple of standalone sub-commands for "scripting email stuff".

But still .. but still ..

Cory DoctorowRadicalized makes the CBC’s annual Canada Reads longlist

The Canadian Broadcasting Coporation’s annual Canada Reads prize is one of Canada’s top literary prizes, ranking with the Governor General’s prize for prestige and reach; it begins early in January with the announcement of a longlist of 15 recommended books, and then these are whittled down to a shortlist of five books later in the month. Over the months that follow, each of the shortlisted books is championed by a Canadian celebrity in a series of events across the country, with the grand prize winner being announced in late March after a televised debate among the five books’ “champions.”

The CBC has just announced its longlist, and I’m delighted to announce that Radicalized, my 2019 book of four novellas, is among them.

The entire list is incredibly impressive — really humbling company to be in! — and the five finalists will be announced on Jan 22.

I discussed Radicalized on the CBC radio programme Day 6 last year, and the CBC reviewed the book in glowing terms, later naming it one of their summer reads and best books of the year.

I’m sincerely honoured to be included.

Radicalized is a collection of four novellas that explore the quandaries — social, economic and technological — of contemporary America. Cory Doctorow’s characters deal with issues around immigration, corrupt police forces, dark web uprisings and more.

Here is the Canada Reads 2020 longlist [CBC Books]

Planet DebianEnrico Zini: Checking sphinx code blocks

I'm too lazy to manually check code blocks in autogenerated sphinx documentation to see if they are valid and reasonably up to date. Doing it automatically feels much more interesting to me: here's how I did it.


This is a simple sphinx extension to extract code blocks in a JSON file.

If the documentation is written well enough, I even get annotation on what programming language each snippet is made of:

## Extract code blocks from sphinx

from docutils.nodes import literal_block, Text
import json

found = []


def find_code(app, doctree, fromdocname):
    for node in doctree.traverse(literal_block):
        # if "dballe.DB.connect" in str(node):
        lang = node.attributes.get("language", "default")
        for subnode in node.traverse(Text):
            found.append({
                "src": fromdocname,
                "lang": lang,
                "code": subnode,
                "source": node.source,
                "line": node.line,
            })


def output(app, exception):
    if exception is not None:
        return

    dest = app.config.test_code_output
    if dest is None:
        return

    with open(dest, "wt") as fd:
        json.dump(found, fd)


def setup(app):
    app.add_config_value('test_code_output', None, '')

    app.connect('doctree-resolved', find_code)
    app.connect('build-finished', output)

    return {
        "version": '0.1',
        'parallel_read_safe': True,
        'parallel_write_safe': True,
    }

And this is an early prototype python code that runs each code block in a subprocess to see if it works.

It does interesting things, such as:

  • Walk the AST to see if the code expects some well known variables to have been set, and prepare the test environment accordingly
  • Collect DeprecationWarnings to spot old snippets using deprecated functions
  • Provide some unittest-like assert* functions that snippets can then use if they want
  • Run every snippet in a subprocess, which then runs in a temporary directory, deleted after execution
  • Colorful output, including highlighting of code lines that threw exceptions

CryptogramNew SHA-1 Attack

There's a new, practical, collision attack against SHA-1:

In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 261.2rather than264.7, and chosen-prefix collisions with a complexity of263.4rather than267.1. When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,and 45k US$ for a chosen-prefix collision, within the means of academic researchers.Our actual attack required two months of computations using 900 Nvidia GTX 1060GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time preparing the attack).

It has practical applications:

We chose the PGP/GnuPG Web of Trust as demonstration of our chosen-prefix collision attack against SHA-1. The Web of Trust is a trust model used for PGP that relies on users signing each other's identity certificate, instead of using a central PKI. For compatibility reasons the legacy branch of GnuPG (version 1.4) still uses SHA-1 by default for identity certification.

Using our SHA-1 chosen-prefix collision, we have created two PGP keys with different UserIDs and colliding certificates: key B is a legitimate key for Bob (to be signed by the Web of Trust), but the signature can be transferred to key A which is a forged key with Alice's ID. The signature will still be valid because of the collision, but Bob controls key A with the name of Alice, and signed by a third party. Therefore, he can impersonate Alice and sign any document in her name.

From a news article:

The new attack is significant. While SHA1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It's still the default hash function for certifying PGP keys in the legacy 1.4 version branch of GnuPG, the open-source successor to PGP application for encrypting email and files. Those SHA1-generated signatures were accepted by the modern GnuPG branch until recently, and were only rejected after the researchers behind the new collision privately reported their results.

Git, the world's most widely used system for managing software development among multiple people, still relies on SHA1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA1 certificates. SHA1 is also still allowed for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.

Planet DebianThomas Lange: 20 years of FAI and a new release

20 years ago, on December 20, 1999 FAI 1.0 was released. Many things have happened since then. Some milestones:

  • 1999: version 1.0
  • 2000: first official Debian package
  • 2001: first detailed user report ("No complete installs. Teething problems.")
  • 2005: Wiki page and IRC
  • 2005: FAI CD
  • 2006: fai dirinstall
  • 2007: new partitioning tool setup-storage
  • 2009: new web design
  • 2014: brtfs support
  • 2016: autodiscover function, profiles menu
  • 2016: fai-diskimage, cloud images
  • 2017: cross architecture builds
  • 2017: Fai.me web service
  • 2020: UEFI support

Besides that, a lot of other things happened in the FAI project. Apart from the first report, we got more than 300 detailed reports containing positive feedback. We had several FAI developers meetings and I did more than 40 talks about FAI all over the world. We had a discussion about an alleged GPL violation of FAI in the past, I did several attempts to get a logo for FAI, but we still do not have one. We moved from subversion to git, which was very demanding for me. The FAI.me service for customized installation and cloud images was used more than 5000 times. The Debian Cloud team now uses FAI to build the official Debian cloud images.

I'm very happy with the outcome of this project and I like to thank all people who contributed to FAI in the past 20 years!

This week, I've released the new FAI version 5.9. It supports UEFI boot from CD/DVD and USB stick. Also two new tools were added:

  • fai-sed - call sed on a file but check for changes before writing
  • fai-link - create symlink idempotent

UEFI support in fai-cd only used grub, no syslinux or isolinux is needed. New FAI installation images are also available from

https://fai-project.org/fai-cd

The FAI.me build service is also using the newest FAI version and the customized ISO images can now be booted in an UEFI environment.

https://fai-project.org/FAIme

Worse Than FailureCodeSOD: Sharing the Power

"For my sins," John writes, "I'm working on a SharePoint 2010 migration."

This tells us that John has committed a lot of sins. But not as many as one of his coworkers.

Since they were running a farm of SharePoint servers, they needed to know what was actually running, which was quite different from the documentation which told them what was supposed to be running. John's coworker did some googling, some copy-and-pasting, some minor revisions of their own, and produced this wad of PowerShell scripting which does produce the correct output.

# there could be more than one search service, so this code is wrapped in a for loop with $tempCnt as the loop variable $cmdstr = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $searchServiceAppIds[$tempCnt] | Select Id | ft -HideTableHeaders | Out-String -Width 1000 $cmdstr = $cmdstr.Trim().Split("`n") for($i = 0; $i -lt $cmdstr.Length ; $i++) { $cmdstr2 = $cmdstr[$i].Trim() $searchServiceAppID = $searchServiceAppIds[$tempCnt] $tempXML = [xml] (Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $searchServiceAppIds[$tempCnt] | select Name, Type, DeleteCount, ErrorCount, SuccessCount, WarningCount, StartAddresses, Id, CrawlStatus, CrawlStarted, CrawlCompleted, CrawlState | where {$_.Id -eq $cmdstr2 } | ConvertTo-Xml -NoTypeInformation) $tempstr = [System.String] $tempXML.Objects.Object.InnerXML $searchServiceAppID = $searchServiceAppID + "|" + $cmdstr2 $global:SearchConfigContentSources.Add($searchServiceAppID, $tempstr) }

This is particularly ugly, even ignoring the SharePoint-ness that's going on. This block's final output is a hashtable where the keys are the IDs of various SharePoint "content sources", and the value is a description in XML.

If we trace through it, we can see the basic flow of logic:

Use Get-SPEnterpriseSearchCrawContentSource to get a list of all of the content source IDs, using Select and ft to filter the output. Format the output with Out-String -Width 1000, making each row in the result set 1000 characters long.

We can then split on newlines, and start iterating across the list. Since everything is 1000 characters long, let's trim them, and then let's… invoke Get-SPEnterpriseSearchCrawlContentSource to fetch the full set of content sources again, but this time we'll grab different fields and use where to filter down to the one we're currently looking for. This has the nice effect of forcing us to fetch all the records once for every content source.

Then, of course, we have $cmdstr and $cmdstr2, neither of which are command strings, but instead store content source IDs.

This script will be invoked many times during their migration, and with a large number of content sources, it's not exactly going to perform terribly well. This tortured logic is pretty typical of John's coworker's approach to problems, but as this script is only needed during the migration and will eventually be thrown away, John adds:

The output's basically fine, so I'm not even gonna fix it.

Which is likely the right answer. The real problem to fix is how this code got written in the first place.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Planet DebianRuss Allbery: C TAP Harness 4.6

C TAP Harness is my test framework for C software packages.

This release is mostly a release for my own convenience to pick up the reformatting of the code using clang-format, as mentioned in my previous release of rra-c-util. There are no other user-visible changes in this release.

I did do one more bit of housekeeping, namely added proper valgrind testing support to the test infrastructure. I now run the test suite under valgrind as part of the release process to look for any memory leaks or other errors in the harness or in the C TAP library.

The test suite for this package is written entirely in shell (with some C helpers), and I'm now regretting that. The original goal was to make this package maximally portable, but I ended up adding Perl tests anyway to test the POD source for the manual pages, and then to test a few other things, and now the test suite effectively depends on Perl and could have from the start. At some point, I'll probably rewrite the test machinery in Perl, which will make it far more maintainable and easier to read.

I think I've now finally learned my lesson for new packages: Trying to do things in shell for portability isn't worth it. As soon as any bit of code becomes non-trivial, and possibly before then, switch to a more maintainable programming language with better primitives and library support.

You can get the latest release from the C TAP Harness distribution page.

,

Krebs on SecurityTricky Phish Angles for Persistence, Not Passwords

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.

Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and it seems likely we will see this approach exploited more frequently in the future.

In early December, security experts at PhishLabs detailed a sophisticated phishing scheme targeting Office 365 users that used a malicious link which took people who clicked to an official Office 365 login page — login.microsoftonline.com. Anyone suspicious about the link would have seen nothing immediately amiss in their browser’s address bar, and could quite easily verify that the link indeed took them to Microsoft’s real login page:

This phishing link asks users to log in at Microsoft’s real Office 365 portal (login.microsoftonline.com).

Only by copying and pasting the link or by scrolling far to the right in the URL bar can we detect that something isn’t quite right:

Notice this section of the URL (obscured off-page and visible only by scrolling to the right quite a bit) attempts to grant a malicious app hosted at officesuited.com full access to read the victim’s email and files stored at Microsoft’s Office 365 service.

As we can see from the URL in the image directly above, the link tells Microsoft to forward the authorization token produced by a successful login to the domain officesuited[.]com. From there, the user will be presented with a prompt that says an app is requesting permissions to read your email, contacts, OneNote notebooks, access your files, read/write to your mailbox settings, sign you in, read your profile, and maintain access to that data.

Image: PhishLabs

According to PhishLabs, the app that generates this request was created using information apparently stolen from a legitimate organization. The domain hosting the malicious app pictured above — officemtr[.]com — is different from the one I saw in late December, but it was hosted at the same Internet address as officesuited[.]com and likely signed using the same legitimate company’s credentials.

PhishLabs says the attackers are exploiting a feature of Outlook known as “add-ins,” which are applications built by third-party developers that can be installed either from a file or URL from the Office store.

“By default, any user can apply add-ins to their outlook application,” wrote PhishLabs’ Michael Tyler. “Additionally, Microsoft allows Office 365 add-ins and apps to be installed via side loading without going through the Office Store, and thereby avoiding any review process.”

In an interview with KrebsOnSecurity, Tyler said he views this attack method more like malware than traditional phishing, which tries to trick someone into giving their password to the scammers.

“The difference here is instead of handing off credentials to someone, they are allowing an outside application to start interacting with their Office 365 environment directly,” he said.

Many readers at this point may be thinking that they would hesitate before approving such powerful permissions as those requested by this malicious application. But Tyler said this assumes the user somehow understands that there is a malicious third-party involved in the transaction.

“We can look at the reason phishing is still around, and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make,” he said. “Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate, and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?”

The scary part about this attack is that once a user grants the malicious app permissions to read their files and emails, the attackers can maintain access to the account even after the user changes his password. What’s more, Tyler said the malicious app they tested was not visible as an add-in at the individual user level; only system administrators responsible for managing user accounts could see that the app had been approved.

Furthermore, even if an organization requires multi-factor authentication at sign-in, recall that this phish’s login process takes place on Microsoft’s own Web site. That means having two-factor enabled for an account would do nothing to prevent a malicious app that has already been approved by the user from accessing their emails or files.

Once given permission to access the user’s email and files, the app will retain that access until one of two things happen: Microsoft discovers and disables the malicious app, or an administrator on the victim user’s domain removes the program from the user’s account.

Expecting swift action from Microsoft might not be ideal: From my testing, Microsoft appears to have disabled the malicious app being served from officesuited[.]com sometime around Dec. 19 — roughly one week after it went live.

In a statement provided to KrebsOnSecurity, Microsoft Senior Director Jeff Jones said the company continues to monitor for potential new variations of this malicious activity and will take action to disable applications as they are identified.

“The technique described relies on a sophisticated phishing campaign that invites users to permit a malicious Azure Active Directory Application,” Jones said. “We’ve notified impacted customers and worked with them to help remediate their environments.”

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here. Microsoft says administrators can enable a setting that blocks users from installing third-party apps into Office 365, but it calls this a “drastic step” that “isn’t strongly recommended as it severely impairs your users’ ability to be productive with third-party applications.”

PhishLabs’ Tyler said he disagrees with Microsoft here, and encourages Office 365 administrators to block users from installing apps altogether — or at the very least restrict them to apps from the official Microsoft store.

Apart from that, he said, it’s important for Office 365 administrators to periodically look for suspicious apps installed on their Office 365 environment.

“If an organization were to fall prey to this, your traditional methods of eradicating things involve activating two-factor authentication, clearing the user’s sessions, and so on, but that won’t do anything here,” he said. “It’s important that response teams know about this tactic so they can look for problems. If you can’t or don’t want to do that, at least make sure you have security logging turned on so it’s generating an alert when people are introducing new software into your infrastructure.”

Planet DebianIngo Juergensmann: XMPP - Prosody & Ejabberd

In my day job I'm responsible of maintaining the VoIP and XMPP infrastructure. That's about approx. 40.000 phones and several thousand users using Enterprise XMPP software. Namely it is Cisco CUCM and IM&P on the server side and Cisco Jabber on the client side. There is also Cisco Webex and Cisco Telepresence infrastructure to maintain.

On the other hand I'm running an XMPP server myself for a few users. It all started with ejabberd more than a decade ago or so. Then I moved to Openfire, because it was more modern and had a nice web GUI for administration. At some point there was Prosody as a new shiny star. This is now running for many users, mostly without any problems, but without much love and attention as well.

It all started as "Let's see what this Jabber stuff is..." on a subdomain like jabber.domain.com - it was later that I discovered the benefits of SRV records and the possibility of having the same address for mail, XMPP and SIP. So I began to provide XMPP acounts as well for some of my mail domains.

A year ago I enabled XMPP for my Friendica node on Nerdica.net, the second largest Friendica node according to the-federation.info. Although there are hundreds of monthly active users on Friendica, only a handful of users are using XMPP. XMPP has a hard stand since Google and Facebook went from open federation to closing in their user base.

My personal impression is that there is a lot of development in the last years in regards of XMPP - thanks to the Conversations client on Android - and its Compliance Tester. With that tool it is quite easy to have a common ground for the most needed features of todays user expectation in a mobile world. There is also some news in regards to XMPP clients on Apple iOS, but that's for another article.

This is about the server side, namely Prosody and Ejabberd. Of course there are already several excellent comparisons between these two server softwares. So, this is just my personal opinion and personal impressions about the two softwares I got in the past two weeks.

Prosody:
As I have the most experience with Prosody I'll start with it. Prosody has the advantage of being actively maintained and having lots of community modules to extend its functionality. This is a big win - but there is also the other side of truth: you'll need to install and configure many contrib modules to pass 100% in the Compliance Tester. Some modules might be not that well maintained. Another obstacle I faced with Prosody is the configuration style: usually you have the main config file where you can configure common settings, modules for all virtual hosts and components like PubSub, MUC, HTTP Upload and such. And then there are the config files for the virtual hosts, which feature the same kind of configuration. Important to all is (apparently): order does matter! This can get confusing: Components are similar to loading modules, using both for the same purpose can be, well, interesting. and configuration of modules and components can be challenging as well. When trying to get mod_http_upload working in the last days I experienced that a config on one virtual host was working, but the same config on a different host was not working. This was when I thought I might give Ejabberd a chance...

Ejabberd:
Contrary to Prosody there is a company behind Ejabberd. And this is often perceived as being good and bring some stability to Ejabberd. However, when I joined Ejabberd chat room, I learned in the first minutes by regarding the chat log that the main developer of that company left and the company itself seemed to have lost interest in Ejabberd. However the people in the chat room were relaxed: it's not the end of the world and there are other developers working on the code. So, no issue in the end, but that's not something you expect to read when you join a chat room for the first time. ;)
Contrary to Prosody Ejabberd seems to be well-prepared to pass the Compliance Tester without installing (too many) modules. Large sites such as conversations.im are running on Ejabberd. It is also said that Ejabberd doesn't need restarts of the server for certain config changes as Prosody does. The config file itself appears to be more straightforward and doesn't differentiate between modules and components which makes it a little more easy to understand.

Currently I haven't been able to deal much with Ejabberd, but one other difference is: there is a Debian repository on Prosody.im, but for Ejabberd there is no such repository. You'll have to use backports.debian.org for a newer version of Ejabberd on Debian Buster. It's up to you to decide what is better for you.

I'm still somewhat undecided whether or not to proceed with Ejabberd and migrate from Prosody. The developer of Prosody is very helpful and responsive and I like that. On the other hand, the folks in the Ejabberd chat rooms are very supportive as well. I like the flexibility and the various number of contrib modules for Prosody, but then again it's hard to find the correct/best one to load and to configure for a given task and to satisfy the Compliance Tester. Then again, both servers do feature a Web GUI for some basic tasks, but I like the one of Ejabberd more.

So, in the end, I'm also open for suggestions about either one. Some people will state of course that neither is the best way and I should consider Matrix, Briar or some other solutions, but that's maybe another article comparing XMPP and other options. This one is about XMPP server options: Prosody or Ejabberd. What do you prefer and why?

 

Kategorie: 

TEDPlanet Protectors: Notes from Session 3 of TEDWomen 2019

Singer-songwriter Shawnee brings her undeniable stage presence to TEDWomen 2019: Bold + Brilliant (Photo: Marla Aufmuth / TED)

The world is experiencing the consequences of climate change and the urgency couldn’t be more clear. In Session 3 of TEDWomen 2019, we dug deep into some of the most pressing environmental issues of our time — exploring solutions and the many ways people across the globe are fighting for change.

The event: TEDWomen 2019, Session 3: Planet Protectors, hosted by Whitney Pennington Rodgers and Chee Pearlman

When and where: Thursday, December 5, 2019, 11am PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Hindou Oumarou Ibrahim, Kelsey Leonard, Shawnee, Colette Pichon Battle, Renee Lertzman, Jane Fonda

Music: Singer-songwriter Shawnee brings their undeniable stage presence and music of empowerment to the stage, performing two songs: “Way Home” and “Warrior Heart.”

The talks in brief:

Hindou Oumarou Ibrahim, environmental activist

Big idea: To combat climate change, we must combine our current efforts with those of indigenous people. Their rich, extensive knowledge base and long-standing relationship with the earth are the keys to our collective survival.

Why? Modern science and technology date back only a few hundred years, but indigenous knowledge spans thousands, says Hindou Oumarou Ibrahim. As she puts it: “For us, nature is our supermarket … our pharmacy … our school.” But climate change threatens indigenous people’s — and all of humanity’s — way of life; in her nomadic community, some of their social fabric is unraveling under the strain of its effects. To ensure resilience in the face of these developments, she suggests a marriage of new and old learnings to map and share crucial information for global survival. “We have 10 years to change it. 10 years is nothing,” she says. “So we need to act all together and we need to act right now.”

Quote of the talk: “I think if we put together all the knowledge systems that we have — science, technology, traditional knowledge — we can give the best of us to protect our peoples, to protect the planet, to restore the ecosystems that we are losing.”


“We need to fundamentally transform the way in which we value water,” says Kelsey Leonard. She speaks at TEDWomen 2019: Bold + Brilliant on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Kelsey Leonard, indigenous legal scholar and scientist

Big idea: Granting bodies of water legal personhood is the first step to addressing both our water crises and injustices —  especially those endured by indigenous people. 

Why? Water is essential to life. Yet in the eyes of the law, it remains largely unprotected — and our most vulnerable communities lack access to it, says Kelsey Leonard. As a representative of the Shinnecock Indian Nation, she shares the wisdom of her nokomis, or grandmother, on how we should honor this precious resource. We must start by asking like: What if we asked who water is, in the same way that we might ask who is our mother? This perspective shift transforms the way we fundamentally think about water, she says — prompting us to grant water the same legal rights held by corporations. In this way, and by looking to indigenous laws, we can reconnect with the lakes, oceans and seas around us.

Quote of the talk: “We are facing a global water crisis. And if we want to address these crises in our lifetime, we need to change. We need to fundamentally transform the way in which we value water.”


Colette Pichon Battle, attorney and climate equity advocate

Big idea: Climate migration — the mass displacement of communities due to climate change — will escalate rapidly in coming years. We need to prepare by radically shifting both policies and mindsets.

Why? Scientists predict climate change will displace more than 180 million people by 2100. Colette Pichon Battle believes the world is not prepared for these population shifts. As a generational native of southern Louisiana and an attorney who has worked on post-Hurricane Katrina disaster recovery, Pichon Battle urges us to plan before it’s too late. How? By first acknowledging that climate change is a symptom of exploitative economic systems that privilege the few over the many and then working to transform them. We need to develop collective resilience by preparing communities to receive climate migrants, allocating resources and changing social attitudes. Lastly, she says, we must re-indigenize ourselves — committing to ecological equity and human rights as foundational tenets of a new climate-resilient society.

Quote of the talk: “All of this requires us to recognize a power greater than ourselves and a life longer than the one we will live. We must transform from a disposable, short-sighted reality of the individual to one that values the long-term life cycle of our collective humanity. Even the best of us are entangled in an unjust system. To survive, we will have to find our way to a shared liberation.”


Renee Lertzman, climate psychologist 

Big idea: We need to make our emotional well-being a fundamental part of the fight against climate change.

How? What’s happening to our planet seems overwhelming. And while we have tons of information on the science of climate change, we know much less about its emotional impact. Renee Lertzman has interviewed hundreds of people about how climate change makes them feel, and she wants to equip us with a toolkit to handle our climate grief and still be able to take action. Patience, compassion and kindness are qualities we need to deploy more often in our conversations about the crisis, she says. As climate events push us outside our “window of tolerance” — the stresses we can withstand without becoming overwhelmed — numbness and apathy are natural responses. Many people tell her: “I don’t know where to start.” She recommends practicing attunement: listening to our own feelings and those of others, accepting them without judgement and meeting our experiences with curiosity. Whether we’re with a few friends or at a larger climate action gathering, remembering that we are human is a key ingredient in the fight for our world.

Quote of the talk: “These are hard issues. This is a hard moment to be a human being. We’re waking up.”


Civil disobedience is becoming a new normal, says actor and activist Jane Fonda. She speaks with host Pat Mitchell about Fire Drill Fridays, her weekly climate demonstrations, at TEDWomen 2019: Bold + Brilliant on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

Jane Fonda, actor, author and activist

Big idea: In the wake of climate change, protest is becoming a new normal — at least until we see the changes we need.

Why? In a video interview with TEDWomen curator Pat Mitchell, Fonda discussed Fire Drill Fridays, the weekly demonstrations on Capitol Hill she leads in partnership with Greenpeace. Since moving to Washington D.C. in September, Fonda has staged a sit-in at the Hart Senate Office Building on Capitol Hill every Friday to protest the extraction of fossil fuels. At age 81, she has been arrested multiple times and spent a night in jail — and her actions are inspiring people around the world to host their own Fire Drill Fridays. But, she says, we don’t need to get arrested to raise awareness; there are many other ways to put pressure on lawmakers and hold governments accountable. Read a full recap of her interview here.

Quote of the talk: “I’m not leading. It’s the young people, it’s the students, that are leading. It’s always the young people that step up with the courage.”

Planet DebianEnrico Zini: Staticsite for blogging

Build this blog in under one minute

I just released staticsite version 1.4, dedicated to creating a blog.


After reorganising the documentation, I decided to write a simple tutorial showing how to get a new blog started.

The goal of this release was to make it so that the tutorial would be as simple as possible: the result is "A new blog in under one minute".

Once staticsite is installed1, one can start a new blog by copypasting a short text file, then just adding markdown files anywhere in its directory. Staticsite can then serve a live preview of the site, automatically updated as pages are saved, and build an HTML version ready to be served.

I enjoyed picking a use case to drive a release. Next up is going to be "use staticsite to view a git repository, and preview its documentation". I already use it for that, and let's see what comes out after polishing for it.


  1. I just uploaded staticsite 1.4.1 to Debian Unstable 

CryptogramUSB Cable Kill Switch for Laptops

BusKill is designed to wipe your laptop (Linux only) if it is snatched from you in a public place:

The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the laptop and triggers a udev script [1, , 3] that executes a series of preset operations.

These can be something as simple as activating your screensaver or shutting down your device (forcing the thief to bypass your laptop's authentication mechanism before accessing any data), but the script can also be configured to wipe the device or delete certain folders (to prevent thieves from retrieving any sensitive data or accessing secure business backends).

Clever idea, but I -- and my guess is most people -- would be much more likely to stand up from the table, forgetting that the cable was attached, and yanking it out. My problem with pretty much all systems like this is the likelihood of false alarms.

Slashdot article.

Worse Than FailureY-Ok

Twenty years out, people have a hard time remembering that Y2K was an actual thing, an actual problem, and it was only solved because people recognized the danger well ahead of time, and invested time and effort into mitigating the worst of it. Disaster didn’t come to pass because people worked their butts off to avoid it.

Gerald E was one of those people. He worked for a cellular provider as a customer service rep, providing technical support and designing the call-center scripts for providing that support. As 1999 cranked on, Gerald was pulled in to the Y2K team to start making support plans for the worst case scenarios.

The first scenario? Handling calls when “all phone communication stopped working”. Gerald didn’t see much point in building a script for that scenario, but he gamely did his best to pad “we can’t answer the phones if they don’t ring” into a “script”.

There were many other scenarios, though, and Gerald was plenty busy. Since he was in every meeting with the rest of the Y2K team, he got to watch their preparedness increase in real time, as different teams did their tests and went from red-to-green in the test results. A few weeks before the New Year, most everything was green.

Y2K fell on a Saturday. As a final preparation, the Y2K team decided to do a final dry-run test, end-to-end, on Wednesday night. They already ran their own internal NTP server which every device on the network pulled from in one way or another, so it was easy to set the clock forward. They planned to set the clock so that at December 29th, 22:30 wall-clock time the time server would report January 1st, 00:00.

The Y2K team gathered to watch their clock count down, and had plans to watch the changeover happen and then go party like it was 1999 while they still had time.

At 22:29, all systems were green. At 22:30- when the time server triggered Y2K- the entire building went dark. There was no power. The backup generator didn’t kick on. The UPSes didn’t kick over. Elevator, Phones, HVAC, everything was down.

No one had expected this catastrophic a failure. The incident room was on the 7th floor of the building. The server room was in the basement. Gerald, as the young and spry CSR was handed a flashlight and ended up spending the next few hours as the runner, relaying information between the incident room and the server room.

In the wee hours of the morning, and after Gerald got his cardio for the next year, the underlying problem became clear. The IT team had a list of IT assets. They had triaged them all, prioritized their testing, and tested everything.

What no one had thought to do was inventory the assets managed by the building services team. Those assets included a bunch of industrial control systems which managed little things, like the building’s power system. Nothing from building services had ended up in their test plan. The backup generator detected the absence of power and kicked on- but the building’s failure meant that the breakers tripped and refused to let that power get where it was needed. Similar issues foiled their large-scale UPS- they could only get the servers powered up by plugging them directly into battery backups.

It was well into the morning on December 30th when they started scrambling to solve the problem. Folks were called back from vacation, electricians were called in and paid exorbitant overtime. It was an all-hands push to get the building wired up in such a way that it wouldn’t just shut down.

It was a straight crunch all the way until New Year’s Eve, but when the clock hit midnight, nothing happened.

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

,

Cory DoctorowScience fiction and the unforeseeable future: In the 2020s, let’s imagine better things

In my latest podcast (MP3), I read my Globe and Mail editorial, Science fiction and the unforeseeable future: In the 2020s, let’s imagine better things, where I reflect on what science fiction can tell us about the 2020s for the Globe‘s end-of-the-decade package; I wrote about how science fiction can’t predict the future, but might inspire it, and how the dystopian malaise of science fiction can be turned into a inspiring tale of “adversity met and overcome – hard work and commitment wrenching a limping victory from the jaws of defeat.”

I describe a scenario for a “Canadian miracle”: “As the vast majority of Canadians come to realize the scale of the crisis, they are finally successful in their demand that their government address it unilaterally, without waiting for other countries to agree.”

Canada goes on a war footing: Full employment is guaranteed to anyone who will work on the energy transition – building wind, tide and solar facilities; power storage systems; electrified transit systems; high-speed rail; and retrofits to existing housing stock for an order-of-magnitude increase in energy and thermal efficiency. All of these are entirely precedented – retrofitting the housing stock is not so different from the job we undertook to purge our homes of lead paint and asbestos, and the cause every bit as urgent.

How will we pay for it? The same way we paid for the Second World War: spending the money into existence (much easier now that we can do so with a keyboard rather than a printing press), then running a massive campaign to sequester all that money in war bonds so it doesn’t cause inflation.

The justification for taking such extreme measures is obvious: a 1000 Year Reich is a horror too ghastly to countenance, but rendering our planet incapable of sustaining human life is even worse.

MP3

Cory DoctorowPermitting the growth of monopolies is a form of government censorship

In my latest Locus column, Inaction is a Form of Action, I discuss how the US government’s unwillingness to enforce its own anti-monopoly laws has resulted in the dominance of a handful of giant tech companies who get to decide what kind of speech is and isn’t allowed — that is, how the USG’s complicity in the creation of monopolies allows for a kind of government censorship that somehow does not violate the First Amendment.

We’re often told that “it’s not censorship when a private actor tells you to shut up on their own private platform” — but when the government decides not to create any public spaces (say, by declining to create publicly owned internet infrastructure) and then allows a handful of private companies to dominate the privately owned world of online communications, then those companies’ decisions about who may speak and what they may say become a form of government speech regulation — albeit one at arm’s length.

I don’t think that the solution to this is regulating the tech platforms so they have better speech rules — I think it’s breaking them up and forcing them to allow interoperability, so that their speech rules no longer dictate what kind of discourse we’re allowed to have.

Imagine two different restaurants: one prohibits any discussion of any subject the management deems “political” and the other has no such restriction. It’s easy to see that we’d say that you have more right to freely express yourself in the Anything Goes Bistro than in the No Politics at the Table Diner across the street.

Now, the house rules at the No Politics at the Table Diner have implications for free speech, but these are softened by the fact that you can always eat at the Anything Goes Bistro, and, of course, you can always talk politics when you’re not at a restaurant at all: on the public sidewalk (where the First Amendment shields you from bans on political talk), in your own home, or even in the No Politics Diner, assuming you can text covertly under the tablecloth when the management isn’t looking.

Depending on your town and its dining trends, the house rules at The No Politics Diner might matter more or less. If No Politics has the best food in town and everywhere else has a C rating from the health department, then the No Politics Diner’s rules matter a lot more than if No Politics is a greasy spoon that no one eats in if they can get a table elsewhere.

What happens if some deep-pocketed private-equity types hit on a strategy to turn The No Politics Diner into a citywide phenomenon? They merge The No Politics Diner with all the other restaurants in town, spending like drunken sailors. Once that’s accomplished, the NPD cartel goes after the remaining competition: any holdouts, and anyone who tries to open a rival is given the chance to sell out cheap, or be driven out of business. NPD has lots of ways to do this: for example, they’ll open a rival on the same block and sell food below cost to drive the refuseniks out of business (they’re not above sending spies to steal their recipes, either!). Even though some people resent NPD and want to talk politics, there’s not enough people willing to pay a premium for their dinner to keep the Anything Goes Bistro in business.

Inaction is a Form of Action [Cory Doctorow/Locus]

Krebs on SecurityThe Hidden Cost of Ransomware: Wholesale Password Theft

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

EERIE EMAILS

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VPCI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

“We were bitten with releasing evidence before hence we have stopped this even in our ransoms,” the anonymous person wrote. “If you want proof we have hacked T-Systems as well. You may confirm this with them. We havent [sic] seen any Media articles on this and as such you should be the first to report it, we are sure they are just keeping it under wraps.” Security news site Bleeping Computer reported on the T-Systems Ryuk ransomware attack on Dec. 3.

In our Dec. 4 interview, VCPI’s acting chief information security officer — Mark Schafer, CISO at Wisconsin-based SVA Consulting — confirmed that the company received a nearly identical message that same morning, and that the wording seemed “very similar” to the original extortion demand the company received.

However, Schafer assured me that VCPI had indeed rebuilt its email network following the intrusion and strictly used a third-party service to discuss remediation efforts and other sensitive topics.

‘LIKE A COMPANY BATTLING A COUNTRY’

Christianson said several factors stopped the painful Ryuk ransomware attack from morphing into a company-ending event. For starters, she said, an employee spotted suspicious activity on their network in the early morning hours of Saturday, Nov. 16. She said that employee then immediately alerted higher-ups within VCPI, who ordered a complete and immediate shutdown of the entire network.

“The bottom line is at 2 a.m. on a Saturday, it was still a human being who saw a bunch of lights and had enough presence of mind to say someone else might want to take a look at this,” she said. “The other guy he called said he didn’t like it either and called the [chief information officer] at 2:30 a.m., who picked up his cell phone and said shut it off from the Internet.”

Schafer said another mitigating factor was that VCPI had contracted with a third-party roughly six months prior to the attack to establish off-site data backups that were not directly connected to the company’s infrastructure.

“The authentication for that was entirely separate, so the lateral movement [of the intruders] didn’t allow them to touch that,” Schafer said.

Schafer said the move to third-party data backups coincided with a comprehensive internal review that identified multiple areas where VCPI could harden its security, but that the attack hit before the company could complete work on some of those action items.

“We did a risk assessment which was pretty much spot-on, we just needed more time to work on it before we got hit,” he said. “We were doing the right things, just not fast enough. If we’d had more time to prepare, it would have gone better. I feel like we were a company battling a country. It’s not a fair fight, and once you’re targeted it’s pretty tough to defend.”

WHOLESALE PASSWORD THEFT

Just after receiving a tip from a reader about the ongoing Ryuk infestation at VCPI, KrebsOnSecurity contacted Milwaukee-based Hold Security to see if its owner Alex Holden had any more information about the attack. Holden and his team had previously intercepted online traffic between and among multiple ransomware gangs and their victims, and I was curious to know if that held true in the VCPI attack as well.

Sure enough, Holden quickly sent over several logs of data suggesting the attackers had breached VCPI’s network on multiple occasions over the previous 14 months.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said at the time. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.”

Holden said it appears the intruders laid the groundwork for the VPCI using Emotet, a powerful malware tool typically disseminated via spam.

“Emotet continues to be among the most costly and destructive malware,” reads a July 2018 alert on the malware from the U.S. Department of Homeland Security. “Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat.”

According to Holden, after using Emotet to prime VCPI’s servers and endpoints for the ransomware attack, the intruders deployed a module of Emotet called Trickbot, which is a banking trojan often used to download other malware and harvest passwords from infected systems.

Indeed, Holden shared records of communications from VCPI’s tormentors suggesting they’d unleashed Trickbot to steal passwords from infected VCPI endpoints that the company used to log in at more than 300 Web sites and services, including:

-Identity and password management platforms Auth0 and LastPass
-Multiple personal and business banking portals;
-Microsoft Office365 accounts
-Direct deposit and Medicaid billing portals
-Cloud-based health insurance management portals
-Numerous online payment processing services
-Cloud-based payroll management services
-Prescription management services
-Commercial phone, Internet and power services
-Medical supply services
-State and local government competitive bidding portals
-Online content distribution networks
-Shipping and postage accounts
-Amazon, Facebook, LinkedIn, Microsoft, Twitter accounts

Toward the end of my follow-up interview with Schafer and VCPI’s Christianson, I shared Holden’s list of sites for which the attackers had apparently stolen internal company credentials. At that point, Christianson abruptly ended the interview and got off the line, saying she had personal matters to attend to. Schafer thanked me for sharing the list, noting that it looked like VCPI probably now had a “few more notifications to do.”

Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.

Out of an abundance of caution, this process should be done from a pristine (preferably non-Windows-based) system that does not reside within the network compromised by the attackers. In addition, full use should be made of the strongest method available for securing these passwords with multi-factor authentication.

Cory DoctorowMachine learning is innately conservative and wants you to either act like everyone else, or never change

Next month, I’m giving a keynote talk at The Future of the Future: The Ethics and Implications of AI, an event at UC Irvine that features Bruce Sterling, Rose Eveleth, David Kaye, and many others!

Preparatory to that event, I wrote an op-ed for the LA Review of Books on AI and its intrinsic conservativism, building on Molly Sauter’s excellent 2017 piece for Real Life.

Sauter’s insight in that essay: machine learning is fundamentally conservative, and it hates change. If you start a text message to your partner with “Hey darling,” the next time you start typing a message to them, “Hey” will beget an autosuggestion of “darling” as the next word, even if this time you are announcing a break-up. If you type a word or phrase you’ve never typed before, autosuggest will prompt you with the statistically most common next phrase from all users (I made a small internet storm in July 2018 when I documented autocomplete’s suggestion in my message to the family babysitter, which paired “Can you sit” with “on my face and”).

This conservativeness permeates every system of algorithmic inference: search for a refrigerator or a pair of shoes and they will follow you around the web as machine learning systems “re-target” you while you move from place to place, even after you’ve bought the fridge or the shoes. Spend some time researching white nationalism or flat earth conspiracies and all your YouTube recommendations will try to reinforce your “interest.” Follow a person on Twitter and you will be inundated with similar people to follow. Machine learning can produce very good accounts of correlation (“this person has that person’s address in their address-book and most of the time that means these people are friends”) but not causation (which is why Facebook constantly suggests that survivors of stalking follow their tormentors who, naturally, have their targets’ addresses in their address books).

Our Conservative AI Overlords Want Everything to Stay the Same [Cory Doctorow/LA Review of Books]

(Image: Groundhog Day/Columbia Pictures)

LongNowKevin Kelly Appears on Jason Silva’s Flow Sessions Podcast

Long Now board member Kevin Kelly recently sat down with Jason Silva on his Flow Sessions podcast for a wide-ranging interview about the deeper sides of technology. 

I’m part of the Long Now Foundation, which is trying to take a long-term view of things. And I realized recently that that long view is really taking the view of systems; it’s a systems viewpoint. And if you look at things as systems, you automatically have a kind of overview. The big view. And I’ve been looking at technology with the big view. To get that big view you have to get out of yourself. You have to transcend. You have to have this distant perspective. And yet, for it to be valid, you have to remain honest and connected on the ground or else it doesn’t make sense. And so trying to stand with one foot in the real here-and-now and one foot with the cosmic billions—if you can do that, then I think you an be helpful in terms of looking at, “Hey, this is where we’re going. Hey, this is where we’ve been. Hey, this is where we are in the context of the cosmos.” 

Kevin Kelly

You can find the podcast on Spotify here, or watch it on YouTube here.

Planet DebianReproducible Builds: Reproducible Builds in December 2019

Welcome to the December 2019 report from the Reproducible Builds project!

In these reports we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.

The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

In this report for December, we cover:

  • Media coverageA Google whitepaper, The Update Framework graduates within the Cloud Native Computing Foundation, etc.
  • Reproducible Builds Summit 2019What happened at our recent meetup?
  • Distribution workThe latest reports from Arch, Debian and openSUSE, etc.
  • Software developmentPatches, patches, patches…
  • Mailing list summary
  • Contact — *How to contribute

If you are interested in contributing to our project, please visit the Contribute page on our website.


Media coverage

Google published Binary Authorization for Borg, a whitepaper on how they reduce exposure of user data to unauthorised code as well as methods for verifying code provenance using their Borg cluster manager. In particular, the paper notes how they attempt to limit their “insider risk”, ie. the potential for internal personnel to use organisational credentials or knowledge to perform malicious activities.

The Linux Foundation announced that The Update Framework (TUF) has graduated within the Cloud Native Computing Foundation (CNCF) and thus becomes the first specification and first security-focused project to reach the highest maturity level in that group. TUF is a technology that secures software update systems initially developed by Justin Cappos at the NYU Tandon School of Engineering.

Andrew “bunnie” Huang published a blog post asking Can We Build Trustable Hardware? Whilst it concludes pessimistically that “open hardware is precisely as trustworthy as closed hardware” it does mention that reproducible builds can:

Enable any third-party auditor to download, build, and confirm that the program a user is downloading matches the intent of the developers.

At the 36th Chaos Communication Congress (36C3) in Leipzig, Hannes Mehnert from the MirageOS project gave a presentation called Leaving legacy behind which talks generally about Mirage system offering a potential alternative and minimalist approach to security but has a section on reproducible builds (at 38m41s).


Reproducible Builds Summit 2019

We held our fifth annual Reproducible Builds summit between the 1st and 8th December at Priscilla, Queen of the Medina in Marrakesh, Morocco.

The aim of the meeting was to spend time discussing and working on Reproducible Builds with a widely diverse agenda and the event was a huge success.

During our time together, we updated and exchanged the status of reproducible builds in our respective projects, improved collaboration between and within these efforts, expanded the scope and reach of reproducible builds to yet more interested parties, established and continued strategic long-term thinking in a way not typically possible via remote channels, and brainstormed designs for tools to enable end-users to get the most benefit from reproducible builds.

Outside of these achievements in the hacking sessions kpcyrd made a breakthrough in Alpine Linux by producing the first reproducible package — specifically, py3-uritemplate — in this operating system. After this, progress was accelerated and by the denouement of our meeting the reproducibility status in Alpine reached 94%. In addition, Jelle van der Waa, Mattia Rizzolo and Paul Spooren discussed and implemented substantial changes to the database that underpins the testing framework that powers tests.reproducible-builds.org in order to abstract the schema in a distribution agnostic way, for example to allow submitting the results of attempts to verify officially distributed Arch Linux packages.

Lastly, Jan Nieuwenhuizen, David Terry and Vagrant Cascadian used three entirely-separate distributions (GNU Guix, NixOS and Debian) to produce a bit-for-bit identical GNU Mes binary despite using three different major versions of GCC and other toolchain components to build an initial binary, which was then used to build a final, bit-for-bit identical, binary of Mes.

The event was held at Priscilla, Queen of the Medina in Marrakesh, a location sui generis that stands for gender equality, female empowerment and the engagement of vulnerable communities locally through cultural activism. The event was open to anybody interested in working on Reproducible Builds issues, with or without prior experience.

A number of reports and blog posts have already been written, including for:

… as well as a number of tweets including ones from Jan Nieuwenhuizen celebrating progress in GNU Guix [] and Hannes [].


Distribution work

Within Debian, Chris Lamb categorised a large number of packages and issues in the Reproducible Builds notes.git repository, including identifying and creating markdown_random_email_address_html_entities and nondeterministic_devhelp_documentation_generated_by_gtk_doc.

In openSUSE, Bernhard published his monthly Reproducible Builds status update and filed the following patches:

Bernhard also filed bugs against:

The Yocto Project announced that it is running continuous tests on the reproducibility of its output which can observed through the oe-selftest runs on their build server. This was previously limited to just the mini images but this has now been extended to the larger graphical images. The test framework is available for end users to use against their own builds. Of particular interest is the production of binary identical results — despite arbitrary build paths — to allow more efficient builds through reuse of previously built objects, a topic covered in more-depth in a recent LWN article.

In Arch Linux, the database structure on tests.reproducible-builds.org was changed and the testing jobs updated to match and work has been started on a verification test job which rebuilds the officially released packages and verifies if they are reproducible or not. In the “hacking” time after our recent summit, several key packages were made reproducible, raising the amount of reproducible packages by approximately 1.5%. For example libxslt was patched with the patch originating from Debian and openSUSE.


Software development

diffoscope

diffoscope is our in-depth and content-aware diff-like utility that can locate and diagnose reproducibility issues. It is run countless times a day on our testing infrastructure and is essential for identifying fixes and causes of non-deterministic behaviour.

This month, diffoscope version 134 was uploaded to Debian unstable by Chris Lamb. He also made the following changes to diffoscope itself, including:

  • Always pass a filename with a .zip extension to zipnote otherwise it will return with an UNIX exit code of 9 and we fallback to displaying a binary difference for the entire file. []
  • Include the libarchive file listing for ISO images to ensure that timestamps – and not just dates – are visible in any difference. (#81)
  • Ensure that our autopkgtests are run with our pyproject.toml present for the correct black source code formatter settings. (#945993)
  • Rename the text_option_with_stdiout test to text_option_with_stdout [] and tidy some unnecessary boolean logic in the ISO9660 tests [].

In addition, Eli Schwartz fixed an error in the handling of the progress bar [] and Vagrant Cascadian added external tool reference for the zstd compression format for GNU Guix [] as well as updated the version to 133 [] and 134 [] in that distribution.

Project website & documentation

There was more work performed on our website this month, including:

In addition, Paul Spooren added a new page overviewing our Continuous Tests overview [], Hervé Boutemy made a number of improvements to our Java and JVM documentation expanding and clarifying various definitions as well as adding external links [][][][] and Mariana Moreira added a .jekyll-cache entry to the .gitignore file [].

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Test framework

We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This month, the following changes were made:

  • Holger Levsen:

    • Alpine:

      • Indicate where Alpine is being built on the node overview page. []
      • Turn off debugging output. []
      • Sleep longer if no packages are to be built. []
    • Misc:

      • Add some help text to our script to powercycle IONOS (neé Profitbricks) nodes. []
      • Install mosh everywhere. []
      • Only install ripgrep on Debian nodes. []
  • Mattia Rizzolo:

    • Arch Linux:

      • Normalise the suite names in the database. [][][][][]
      • Drop an unneeded line in the scheduler. []
    • Debian:

      • Fix a number of SQL errors. [][][][]
      • Use the debian.debian_support Python library over apt_pkg to perform version comparisons. []
    • Misc:

      • Permit other distributions to use our web-based package scheduling script. []
      • Reformat our power-cycling script using Black and use the Python logging module. []
      • Introduce a dsources database view to simplify some queries [] and add a build_type field to support both “doublerebuilds” and verification rebuilds [].
      • Move (almost) all the timestamps in the database schema from raw strings to “real” timestamp data types. []
      • Only block bots on jenkins.debian.net and tests.reproducible-builds.org, not any other sites. []

  • kpcyrd (for Alpine Linux):

    • Patch/install the abuild utility to one that is reproducible. [][][][]
    • Bump the number of build workers and collect garbage more frequently. [][][][]
    • Classify and display build results consistently. [][][]
    • Ensure that tmux and ripgrep is installed. [][]
    • Support building packages in the future. [][][]

Lastly, Paul Spooren removed the project overview from the bottom-left of the generated pages [] and the usual node maintenance was performed by Holger Levsen [] and Mattia Rizzolo [][].


Mailing list summary

There was considerable activity on our mailing list this month. Firstly, Bernhard M. Wiedemann posted a thread asking What is the goal of reproducible builds? in order to encourage refinements, extra questions and other contributions to what an end-user experience of reproducible builds should or even could look like.

Eli Schwartz then resurrected a previous thread titled Progress in rpm and openSUSE in 2019 to clarify some points around Arch Linux and Python package installation. Hans-Christoph Steiner followed-up to a separate thread originally started by Hervé Boutemy announcing the status of .buildinfo file support in the Java ecosystem, and Paul Spooren then informed the list that Google Summer of Code is now looking for projects for the latest cohort.

Lastly, Lars Wirzenius enquired about the status of Reproducible system images which resulted in a large number of responses.


Contact

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:



This month’s report was written by Arnout Engelen, Bernhard M. Wiedemann, Chris Lamb, Hervé Boutemy, Holger Levsen, Jelle van der Waa, Lukas Puehringer and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.

CryptogramMailbox Master Keys

Here's a physical-world example of why master keys are a bad idea. It's a video of two postal thieves using a master key to open apartment building mailboxes.

Changing the master key for physical mailboxes is a logistical nightmare, which is why this problem won't be fixed anytime soon.

Planet DebianJulien Danjou: Atomic lock-free counters in Python

Atomic lock-free counters in Python

At Datadog, we're really into metrics. We love them, we store them, but we also generate them. To do that, you need to juggle with integers that are incremented, also known as counters.

While having an integer that changes its value sounds dull, it might not be without some surprises in certain circumstances. Let's dive in.

The Straightforward Implementation

class SingleThreadCounter(object):
	def __init__(self):
    	self.value = 0
        
    def increment(self):
        self.value += 1

Pretty easy, right?

Well, not so fast, buddy. As the class name implies, this works fine with a single-threaded application. Let's take a look at the instructions in the increment method:

>>> import dis
>>> dis.dis("self.value += 1")
  1           0 LOAD_NAME                0 (self)
              2 DUP_TOP
              4 LOAD_ATTR                1 (value)
              6 LOAD_CONST               0 (1)
              8 INPLACE_ADD
             10 ROT_TWO
             12 STORE_ATTR               1 (value)
             14 LOAD_CONST               1 (None)
             16 RETURN_VALUE

The self.value +=1 line of code generates 8 different operations for Python. Operations that could be interrupted at any time in their flow to switch to a different thread that could also increment the counter.

Indeed, the += operation is not atomic: one needs to do a LOAD_ATTR to read the current value of the counter, then an INPLACE_ADD to add 1, to finally STORE_ATTR to store the final result in the value attribute.

If another thread executes the same code at the same time, you could end up with adding 1 to an old value:

Thread-1 reads the value as 23
Thread-1 adds 1 to 23 and get 24
Thread-2 reads the value as 23
Thread-1 stores 24 in value
Thread-2 adds 1 to 23
Thread-2 stores 24 in value

Boom. Your Counter class is not thread-safe. 😭

The Thread-Safe Implementation

To make this thread-safe, a lock is necessary. We need a lock each time we want to increment the value, so we are sure the increments are done serially.

import threading

class FastReadCounter(object):
    def __init__(self):
        self.value = 0
        self._lock = threading.Lock()
        
    def increment(self):
        with self._lock:
            self.value += 1

This implementation is thread-safe. There is no way for multiple threads to increment the value at the same time, so there's no way that an increment is lost.

The only downside of this counter implementation is that you need to lock the counter each time you need to increment. There might be much contention around this lock if you have many threads updating the counter.

On the other hand, if it's barely updated and often read, this is an excellent implementation of a thread-safe counter.

A Fast Write Implementation

There's a way to implement a thread-safe counter in Python that does not need to be locked on write. It's a trick that should only work on CPython because of the Global Interpreter Lock.

While everybody is unhappy with it, this time, the GIL is going to help us. When a C function is executed and does not do any I/O, it cannot be interrupted by any other thread. It turns out there's a counter-like class implemented in Python: itertools.count.

We can use this count class as our advantage by avoiding the need to use a lock when incrementing the counter.

If you read the documentation for itertools.count, you'll notice that there's no way to read the current value of the counter. This is tricky, and this is where we'll need to use a lock to bypass this limitation. Here's the code:

import itertools
import threading

class FastWriteCounter(object):
    def __init__(self):
        self._number_of_read = 0
        self._counter = itertools.count()
        self._read_lock = threading.Lock()

    def increment(self):
        next(self._counter)

    def value(self):
        with self._read_lock:
            value = next(self._counter) - self._number_of_read
            self._number_of_read += 1
        return value

The increment code is quite simple in this case: the counter is just incremented without any lock. The GIL protects concurrent access to the internal data structure in C, so there's no need for us to lock anything.

On the other hand, Python does not provide any way to read the value of an itertools.count object. We need to use a small trick to get the current value. The value method increments the counter and then gets the value while subtracting the number of times the counter has been read (and therefore incremented for nothing).

This counter is, therefore, lock-free for writing, but not for reading. The opposite of our previous implementation

Measuring Performance

After writing all of this code, I wanted to make sure how the different implementations impacted speed. Using the timeit module and my fancy laptop, I've measured the performance of reading and writing to this counter.

Operation SingleThreadCounter FastReadCounter FastWriteCounter
increment 176 ns 390 ns 169 ns
value 26 ns 26 ns 529 ns

Atomic lock-free counters in Python

I'm glad that the performance measurements in practice match the theory 😅. Both SingleThreadCounter and FastReadCounter have the same performance for reading. Since they use a simple variable read, it makes absolute sense.

The same goes for SingleThreadCounter and FastWriteCounter, which have the same performance for incrementing the counter. Again they're using the same kind of lock-free code to add 1 to an integer, making the code fast.

Conclusion

It's pretty obvious, but if you're using a single-threaded application and do not have to care about concurrent access, you should stick to using a simple incremented integer.

For fun, I've published a Python package named fastcounter that provides those classes. The sources are available on GitHub. Enjoy!

Sam VargheseWith two-vote majority, Morrison still fears he will lose leadership

When Scott Morrison led the Liberal-National Coalition to victory in the last federal election in May, he was greeted as some kind of superman, mainly because all the polls had predicted a Labor win, and by a substantial margin too.

All the political pundits crowed that this win gave the Australian Prime Minister complete authority to govern as he wished, and the chance to implement policies of his liking.

Nobody pointed out that after the dust had settled, Morrison still only had a majority of two, just one more than his predecessor Malcolm Turnbull enjoyed for much of his tenure.

And that two-seat majority is the reason why Morrison has seemed to be deaf, dumb and blind to the horrific fires that have swept the country and that will continue to do so for a couple of months more.

He cannot even entertain the thought of making a neutral statement on the question of climate change as he fears that could well open the door to another leadership challenge and the loss of the prime ministership.

One is unsure why mainstream political writers have not noticed this simple fact. The group of MPs who are closely tied to the coal industry and who have been behind the Coalition’s leadership woes in 2018 are still very much there.

Tony Abbott may have gone but everyone else is around and they are more than ready to rise up and agitate again if Morrison even breathes a word about energy policy.

So Morrison has no choice but to pretend that nothing has changed from his earlier stance that there is no definite evidence that climate change is responsible for the intensity of the fires that have been seen.

As a marketing man, his responses have been crude, but then that is par for the course. When have you seen someone in marketing act in a manner that can be called empathetic?

Leadership hopefuls like Christian Porter and Peter Dutton may well be taking the temperature of the party and one should not be surprised if another leadership challenge is seen once the politicians return to Canberra.

Everyone wants to be prime minister. Whether anyone can actually lead is an entirely different question.

Worse Than FailureCodeSOD: Yet Another Master of Evil

As a general rule, if you find yourself writing an extension system for your application, stop and do something else. It's almost always in the case of YAGNI: you ain't gonna need it.

George is a "highly paid consultant", and considers himself one of the "good ones": he delivers well tested, well documented, and clean code to his clients. His peer, Gracie on the other hand… is a more typical representative of the HPC class.

George and Gracie found themselves with a problem: based on the contents of a configuration file, they needed to decide what code to execute. Now, you might be thinking that some kind of conditional statement or maybe some sort of object-oriented inheritance thing would do the job.

There were five different code paths, and no one really expected to see those code paths change significantly. Gracie, who was identified as "the architect" on the responsibility matrix for the project, didn't want to write five different ways to do a similar task, so instead, she wrote one way to do all those tasks.

Here's the YAML configuration file that her efforts produced:

use.cases: 0: description: Default product user_file_name_cond: (\'product_start\' in file_name) and (\'pilot\' not in file_name) user_file_name_pf_truncate: '.sig' data_files: False downstream_file_name_templates: signal: _product_start_<platform>.sig downstream_script: another_script.sh 1: description: Full forced product user_file_name_cond: (\'force_all_products\' in file_name) and (\'pilot\' not in file_name) user_file_name_pf_truncate: '.sig' data_files: False downstream_file_name_templates: signal: _product_start_<platform>_pilot.sig conf_override: ['FORCE_PRODUCT=TRUE'] downstream_script: another_script.sh 2: description: Pilot forced product user_file_name_cond: (\'force_all_offers\' in file_name) and (\'pilot\' in file_name) user_file_name_pf_truncate: '_pilot_user.sig' data_files: True downstream_file_name_templates: signal: _product_start_<platform>_pilot_user.sig pilot_users: <platform>_pilot_users_<YYYYMMDD>.txt conf_override: ['FORCE_PRODUCT=TRUE'] downstream_script: another_script.sh 3: description: Pilot product user_file_name_cond: (\'product\' in file_name) and (\'pilot_user\' in file_name) user_file_name_pf_truncate: '_pilot.sig' data_files: True downstream_file_name_templates: signal: _product_start_<platform>_pilot_user.sig pilot_users: <platform>_pilots_<YYYYMMDD>.txt conf_override: ['FORCE_OFFERMATCH=FALSE'] downstream_script: another_script.sh 4: description: Forced assignment user_file_name_cond: (\'user_offer_mapping\' in file_name) or (\'budget\' in file_name) and (\'csv\' in file_name) user_file_name_pf_truncate: '_user_offer_mapping.sig' data_files: True downstream_file_name_templates: signal: _force_offer_assignment_start_<platform>_user_product_mapping.sig user_offer_mapping: <platform>_user_products_<YYYYMMDD>.txt budget: budget_<platform>.csv downstream_script: product/python/forced_assignment/src/main/forced_assignment.py 5: description: Test user_file_name_cond: (\'dummy\' in file_name) user_file_name_pf_truncate: '.sig' data_files: False downstream_file_name_templates: signal: _dummy_<platform>.sig downstream_script: python/forced_offers/semaphore/bin/dummy_downstream_script.sh wait_strs: ['dummy_downstream_script.sh']

Take a look at the user_file_name_cond field in each of those entries. Are you thinking to yourself, "Boy, that looks like some Python syntax in there?"

def get_file_use_case(file_name): for use_case, use_case_conf in Configuration.get_conf('use.cases').items(): user_file_name_cond = use_case_conf['user_file_name_cond'].replace('\\', '') if eval(user_file_name_cond): return use_case

You know that's an eval. It's at least not an exec, which is allowed to use the assignment operator, but there's nothing in eval that prevents it from having side effects. While a malicious config file would fail to do user_case_conf['downstrem_script'] = 'my_hostile_script', it could easily do user_case_conf.__setitem__('downstream_script', 'my_hostile_script').

Of course, hostile attacks aren't really the concern here, at least intentionally hostile. This code was going to run in production, and clients were going to be free to edit and modify those files however they liked. Malicious attacks aside, idiotic mistakes, or worse: clever hacks were entirely possible.

George did his best to illustrate why this was a terrible idea. Gracie, who was the architect, gleefully ignored him. The code got shipped. The client signed off on it. It runs in production.

There is a silver-lining here. George aggressively documented their solution, and his reasons for opposing it, and followed the company policy for involving management in conflicts. Management saw his point, and there was a reshuffling in the teams: George was made the architect, Gracie was "pivoted" to doing more development. While it was too late to fix the code, George used his position to make some policy changes: he worked with the team to democratically build a set of official code standards, made sure that they were applied to all code equally, and revised the team's approach to retros to improve their code in the future.

Of course, there's one person on the team who isn't interested in these changes. Their PRs end up being lengthy flamewars over whether or not they should be following policies. You can guess who that is…

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

Planet DebianRuss Allbery: rra-c-util 8.1

rra-c-util is my collection of utility code that I use in my various other software packages (mostly, but not only, C).

I now forget what I was reading, but someone on-line made a side reference to formatting code with clang-format, which is how I discovered that it exists. I have become a big fan of automated code reformatting, mostly via very positive experiences with Python's black and Rust's rustfmt. (I also use perltidy for my Perl code, but I'm not as fond of it; it's a little too aggressive and it changes how it formats code from version to version.) They never format things in quite the way that I want, but some amount of inelegant formatting is worth it for not having to think about or manually fix code formatting or argue with someone else about it.

So, this afternoon I spent some time playing with clang-format and got it working well enough. For those who are curious, here's the configuration file that I ended up with:

Language: Cpp
BasedOnStyle: LLVM
AlignConsecutiveMacros: true
AlignEscapedNewlines: Left
AlwaysBreakAfterReturnType: AllDefinitions
BreakBeforeBinaryOperators: NonAssignment
BreakBeforeBraces: WebKit
ColumnLimit: 79
IndentPPDirectives: AfterHash
IndentWidth: 4
IndentWrappedFunctionNames: false
MaxEmptyLinesToKeep: 2
SpaceAfterCStyleCast: true

This fairly closely matches my personal style, and the few differences are minor enough that I'm happy to change. The biggest decision that I'm not fond of is how to format array initializers that are longer than a single line, and clang-format's tendency to move __attribute__ annotations onto the same line as the end of the function arguments in function declarations.

I had some trouble with __attribute__ annotations on function definitions, but then found that moving the annotation to before the function return value made the right thing happen, so I'm now content there.

I did have to add some comments to disable formatting in various places where I lined related code up into columns, but that's normal for code formatting tools and I don't mind the minor overhead.

This release of rra-c-util reformats all of the code with clang-format (version 10 required since one of the options above is only in the latest version). It also includes the changes to my Perl utility code to drop support for Perl 5.6, since I dropped that in my last two hold-out Perl packages, and some other minor fixes.

You can get the latest version from the rra-c-util distribution page.

,

Planet DebianEnrico Zini: Gender in history links

Amelio Robles Ávila - Wikipedia
people history archive.org
Amelio Robles Ávila (3 November 1889 – 9 December 1984) was a colonel during the Mexican Revolution. Assigned female at birth with the name Amelia Robles Ávila, Robles fought in the Mexican Revolution, rose to the rank of colonel, and lived openly as a man from age 24 until his death at age 95.
Alan L. Hart (October 4, 1890 – July 1, 1962) was an American physician, radiologist, tuberculosis researcher, writer and novelist. He was in 1917–18 one of the first trans men to undergo hysterectomy in the United States, and lived the rest of his life as a man. He pioneered the use of x-ray photography in tuberculosis detection, and helped implement TB screening programs that saved thousands of lives.[1]
Many people have engaged in cross-dressing during wartime under various circumstances and for various motives. This has been especially true of women, whether while serving as a soldier in otherwise all-male armies, while protecting themselves or disguising their identity in dangerous circumstances, or for other purposes.
Breeching was the occasion when a small boy was first dressed in breeches or trousers. From the mid-16th century[1] until the late 19th or early 20th century, young boys in the Western world were unbreeched and wore gowns or dresses until an age that varied between two and eight.[2] Various forms of relatively subtle differences usually enabled others to tell little boys from little girls, in codes that modern art historians are able to understand.
Sull’opportunità di rimarcare o meno le differenze di genere negli anni della prima infanzia è stato scritto tutto e il contrario di tutto. Indipendentemente da ciò che ognuno di noi può pensare, ancora una volta pare proprio che la storia smentisca solide convinzioni.
Lynn Ann Conway (born January 2, 1938)[2][3] is an American computer scientist, electrical engineer, inventor, and transgender activist.[4]

Planet DebianMichael Prokop: Revisiting 2019

Mika on the Drums, picture by Gregor

Mainly to recall what happened last year and to give thoughts and to plan for the upcoming year(s) I’m once again revisiting my previous year (previous editions: 2018, 2017, 2016, 2015, 2014, 2013 + 2012).

In terms of IT events, I attended Grazer Linuxdays 2019 and gave a talk (Best Practices in der IT-Administration, Version 2019) and was interviewed by Radio Helsinki there. With the Grml project, we attended the Debian Bug Squashing Party in Salzburg in April. I also visited a meeting of the Foundation for Applied Privacy in Vienna. Being one of the original founders I still organize the monthly Security Treff Graz (STG) meetups. In 2020 I might attend DebConf 20 in Israel (though not entirely sure about it yet), will definitely attend Grazer Linuxdays (maybe with a talk about »debugging for sysadmins« or alike) and of course continue with the STG meetups.

I continued to play Badminton in the highest available training class (in german: “Kader”) at the University of Graz (Universitäts-Sportinstitut, USI). I took part in the Zoo run in Tiergarten Schönbrunn (thanks to an invitation by a customer).

I started playing the drums at the »HTU Big Band Graz« (giving a concert on 21st of November). Playing in a big band was like a dream come true, being a big fan of modern Jazz big bands since being a kid and I even played the drums in a big band more than 20 years ago, so I’m back™. I own a nice e-drum set and recently bought a Zildjian Gen16 cymbal set and also own a master-keyboard (AKA MIDI keyboard) for many years, which is excellent for recording. But in terms of “living room practicality”, I wanted something more piano alike, and we bought a Yamaha CLP-645 B digital piano, which my daughters quite regularly use and now and then I manage to practice on it as well. As you might guess, I want to make music a more significant part of my life again.

I visited some concerts, including Jazz Redoute, Jazzwerkstatt Graz, Billy Cobham’s Crosswinds Project, Jazz Night Musikforum Viktring, Gnackbruch evening with AMMARITE, a concert of the Kärntner Sinfonieorchester, Steven Wilson’s To The Bone tour, Sting’s My Songs tour and the Corteo show of Cirque du Soleil. I took some local trips in Graz, including a Murkraftwerk Graz tour and a »Kanalführung«.

Business-wise it was the sixth year of business with SynPro Solutions, and we moved the legal form of our company from GesnbR to GmbH. No big news but steady and ongoing work with my other business duties Grml Solutions and Grml-Forensic.

I also continued with taking care of our kids every Monday and half another day of the week – which is still challenging now and then with running your own business, but so absolutely worth it. With a kid going to school, it was quite some change for my schedule and day planning as well. Now having a fixed schedule for most of the days, the Sonos soundbox wakes us up with Ö1 news and its Ö1 signature tune Monday to Friday. Thanks to Pavlovian conditioning, when waking up on Saturdays and Sundays I also hear the Ö1 signature tune in my head while no radio is present then. :)

I tried to minimize my Amazon usage as much as possible and will try to continue doing so in 2020 as well.

I had quite some troubles with my Vespa PX125, hopefully things are sorted out nowadays though. *knockingonwood*

After being ~20 years in the Usenet (mostly de.* + at.* + tu-graz.*) I pretty much gave it up.

Book reading became more of a habit again, and I managed to complete 42 books (see Bookdump 01/2019 and Bookdump 02/2019). I noticed that what felt like good days for me always included reading books, and want to keep my reading pace for 2020.

Planet DebianRuss Allbery: Term::ANSIColor 5.00

Term::ANSIColor is the core Perl module that provides functions to change text attributes using ECMA-048 escape sequences.

This release adds support for true color (24-bit color), with which I was not previously familiar but which turns out to be widely supported, including by xterm (which calls it direct-color). The new color attributes are in the form rNNNgNNNbNNN and on_rNNNgNNNbNNN and work like the existing color attributes. There is no constant support for somewhat obvious logistical reasons, so they're supported only in the function interface. Thanks to Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯 for the initial patch and drawing true color to my attention.

Color aliases now can expand to more than one attribute. This means that you can do things like:

coloralias('warning', 'black', 'on_bright_red');

and have the expected thing happen. I took advantage of this to clean up the alias handling in general, so you can also now define aliases in terms of other aliases (although the second-level alias doesn't change when the first-level alias changes). The alias fixes are based on work by Yanick Champoux.

Also in this release are a few minor cleanups and documentation improvements.

Finally, this release drops support for Perl 5.6. The minimum supported version is now Perl 5.8. Testing on 5.6 is spotty and Travis-CI doesn't support it, so I don't think I can truly claim it's supported any more.

You can get the latest release from CPAN or from the Term::ANSIColor distribution page.

Planet DebianMarco d'Itri: Debian support for libxcrypt

glibc 2.29-7 and libxcrypt 1:4.4.10-10 today entered Debian testing: crypt(3) and the other related library functions in libcrypt from now on will be provided by libxcrypt instead of glibc.

After 18 months of packaging work, Debian finally supports modern password hashing methods like yescrypt: the details about them are documented in crypt(5).

For the time being there is still no support for libxcrypt in our release of PAM, but hopefully the Debian maintainer will update the package soon and this will allow using yescrypt by default.

If you want to test now the new algorithms then you can generate a password using my mkpasswd program and copy it to /etc/shadow:

# echo "marco:$(echo 12345 | mkpasswd --stdin)" | chpasswd --encrypted

,

Planet DebianRuss Allbery: podlators 4.14

podlators provides the Pod::Man and Pod::Text conversion modules for Perl. This release is a minor bug-fix release, mostly correcting a test suite problem with old versions of Pod::Simple. The user-visible change is to document that parse_lines and parse_string_document expect raw bytes, not decoded characters.

The other change in this release is internal. I finally finished refactoring the test suite, so now all parts of the test suite use separate snippet files and modern coding style, so it should be more maintainable in the future.

You can get the latest release from CPAN or from the podlators distribution page.

Harald Welte36C3 Talks on SIM card technology / Mitel DECT

At 36C3 in December 2019 I had the pleasure of presenting: One full talk about SIM card technology from A to Z and another talk where I presented together with eventphone team members about Security issues in the Mitel SIP-DECT system.

The SIM card talk was surprisingly successful, both in terms of a full audience on-site, as well as in terms of the number of viewers of the recordings on media.ccc.de. SIM cards are a rather niche topic in the wider IT industry, and my talk was not covering any vulnerabilities or the like. Also, there was nothing novel in the talk: SIM cards have been around for decades, and not much has changed (except maybe eSIM and TLS) in recent years.

In any case, I'm of course happy that it was well received. So far I've received lots of positive feedback.

As I'm working [more than] full time in cellular technology for almost 15 years now, it's sometimes hard to imagine what kind of topics people might be interested in. If you have some kind of suggestion on what kind of subject within my area of expertise you'd like me to talk about, please don't hesitate to reach out.

The Mitel DECT talk also went quite well. I covered about 10 minutes of technical details regarding the reverse engineering of the firmware and the communication protocols of the device. Thanks again to Dieter Spaar for helping with that. He is and remains the best reverse engineer I have met, and it's always a privilege to collaborate on any project. It was of course also nice to see what kind of useful (and/or fun) things the eventphone team have built on top of the knowledge that was gained by protocol-level reverse engineering.

If you want to know more low-level technical detail than the 36C3 talk, I recommend my earlier talk at the OsmoDevCon 2019 about Aastra/Mitel DET base station dissection.

If only I had more time, I would love to work on improving the lack of Free / Open Source Software realted to the DECT protocol family. There's the abandoned deDECTed.org, and the equally abandoned dect.osmocom.org project. The former only deals with the loewst levels of DECT (PHY/MAC). The latter is to a large extent implemented as part of an ancient version of the Linux kernel (I would say this should all run in userspace, like we run all of GSM/UMTS/LTE in userspace today).

If anyone wants to help out, I still think working on the DECT DLC and NWK dissectors for wireshark is the best way to start. It will create a tool that's important for anyone working with the DECT protocols, and it will be more or less a requirement for development and debugging should anyone ever go further in terms of implementing those protocols on either the PP or FP side. You can find my humble beginnings of the related dissectors in the laforge/dect branch of osmocom.org/wireshark.git.

Harald WelteRetronetworking / BBS-Revival setup at #36C3

After many years of being involved in various projects at the annual Chaos Communication Congress (starting from the audio/vidoe recording team at 15C3), I've finally also departed the GSM team, i.e. the people who operate (Osmocom based) cellular networks at CCC events.

The CCC Camp in August 2019 was slightly different: Instead of helping an Osmocom based 2G/3G network, I decided to put up a nextepc-based LTE network and make that use the 2G/3G HLR (osmo-hlr) via a newly-written DIAMETER-to-GSUP proxy. After lots of hacking on that proxy and fixing various bugs in nextepc (see my laforge/cccamp2019 branch here) this was working rather fine.

For 36C3 in December 2019 I had something different in mind: It was supposed to be the first actual demo of the retronetworking / bbs-revival setup I've been working on during past months. This setup in turn is sort-of a continuation of my talk at 34C3 two years ago: BBSs and early Intenet access in the 1990ies.

Rather than just talking about it, I wanted to be able to show people the real thing: Actual client PCs running (mainly) DOS, dialling over analog modems and phone lines as well as ISDN-TAs and ISDN lines into BBSs, together with early Interent access using SLIP and PPP over the same dial-up lines.

The actual setup can be seen at the Dialup Network In A Box wiki page, together with the 36C3 specific wiki page.

What took most of the time was - interestingly - mainly two topics:

  1. A 1U rack-mount system with four E1 ports. I had lots of old Sangoma Quad-E1 cards in PCI form-factor available, but wanted to use a PC with a more modern/faster CPU than those old first-generation Atom boxes that still had actual PCI slots. Those new mainboards don't have PCI but PCIe. There are plenty of PCIe to PCI bridges and associated products on the market, which worked fine with virtually any PCI card I could find, but not with the Sangoma AFT PCI cards I wanted to use. Seconds to minutes after boot, the PCI-PCIe bridges would always forget their secondary bus number. I suspected excessive power consumption or glitches, but couldn't find anything wrong when looking at the power rails with a scope. Adding additional capacitors on every rail also didn't change it. The !RESET line is also clean. It remains a mystery. I then finally decided to but a new (expensive) DAHDI 4-port E1 PCIe card to move ahead. What a waste of money if you have tons of other E1 cards around.

  2. Various trouble with FreeSWITCH. All I wanted/needed was some simple emulation of a PSTN/ISDN switch, operating in NT mode towards both the Livingston Portmaster 3 RAS and the Auerswald PBX. I would have used lcr, but it supports neither DAHDI nor Sangoma, but only mISDN - and there are no mISDN cards with four E1 ports :( So I decided to go for FreeSWITCH, knowing it has had a long history of ISDN/PRI/E1 support. However, it was a big disappointment. First, there were some segfaults due to a classic pointer deref before NULL-check. Next, libpri and FreeSWITCH have a different idea how channel (timeslot) numbers are structured, rendering any call attempt to fail. Finally, FreeSWITCH decided to blindly overwrite any bearer capabilities IE with 'speech', even if an ISDN dialup call (unrestricted digital information) was being handled. The FreeSWITCH documentation contains tons of references on channel input/output variables related to that - but it turns out their libpri integration doesn't set any of those, nor use any of them on the outbound side.

Anyway, after a lot more time than expected the setup was operational, and we could establish modem calls as well as ISDN dialup calls between the clients and the Portmaster3. The PM3 in turn then was configured to forward the dialup sessions via telnet to a variety of BBSs around the internet. Some exist still (or again) on the public internet. Some others were explicitly (re)created by 36C3 participants for this very BBS-Revival setup.

My personal favorite was finding ACiD Underworld 2.0, one of the few BBSs out there today who support RIPscrip, a protocol used to render vector graphics, text and even mouse-clickable UI via modem connection to a DOS/EGA client program called RIPterm. So we had one RIPterm installation on Novell DOS7 that was just used for dialling into ACiD Underworld 2.0.

Among other things we also tested interoperability between the 1980ies CCC DIY accoustic coupler "Datenklo" and the Portmaster, and confirmed that Windows 2000 could establish multilink-PPP not only over two B-channels (128 kbps) but also over 3 B-Channels (192).

Running this setup for four days meant 36C3 was a quite different experience than many previous CCC congresses:

  • I was less stressed as I wasn't involved in operating a service that many people would want to use (GSM).

  • I got engaged with many more people with whom I would normally not have entered a conversation, as they were watching the exhibits/demos and we got to chat about the technology involved and the 'good old days'.

So all in all, despite the last minute FreeSWITCH-patching, it was a much more relaxing and rewarding experience for me.

Special thanks to

  • Sylvain "tnt" Munaut for spending a lot of time with me at the retronetworking assembly. The fact that I had an E1 interface around was a good way for him to continue development on his ICE40 based bi-directional E1 wiretap. He also helped with setup and teardown.

  • miaoski and evanslify for reviving two of their old BBSs from Taiwan so we could use them at this event

The retronetworking setup is intended to operate at many other future events, whether CCC related, Vintage Computing or otherwise. It's relatively small and portable.

I'm very much looking forward to the next incarnations. Until then, I will hopefully have more software configured and operational, including a variety of local BBSs (running in VMs/containers), together with the respective networking (FTN, ZConnect, ...) and point software like CrossPoint.

If you are interested in helping out with this project: I'm very much looking for help. It doesn't matter if you're old and have had BBS experience back in the day, or if you're a younger person who wants to learn about communications history. Any help is appreciated. Please reach out to the bbs-revival@lists.osmocom.org mailing list, or directly to me via e-mail.

Planet DebianShirish Agarwal: Indian Economy, NPR, NRC and Crowd Control Part – II

Protests and their history

A Happy New Year to all. While I would have loved to start on a better note, situations are the way they are. Before starting with the prickly process of NPR, NRC let me just focus on the protests themselves. Now protests either in India or abroad are not a new thing. While thinking on this, I found one of the modern, medieval recorded entries of protests to be in 12th century Paris, and just like most strikes, this one was for rights of liberty, freedom and price increase. The famous or infamous University of Paris strike 1229 , There have been so many strikes and protests worldwide which changed the world, in recent memory the protests against American involvement in Vietnam , The Montgomery bus boycott by Rosa Parks , the protests that I became aware in South Africa, UCT about Rhodes must fall movement . I would be forever grateful to Bernelle for sharing with us the protests that had happened the year before near the Sarah Bartman Hall. Closer home i.e. in India, we have had a rich history of protests especially during the Colonial period and the Indian Freedom movement, as well as afterwards, i.e. after india became free. Whether it was the Navnirman Andolan or the Great Bombay Textile Strike which actually led to industries moving out of Mumbai. My idea of sharing above strikes and protests has been that protests are not a new thing in India and have been part of India socio-political culture throughout its history. I am sure there were also protests during the medieval period but not going that far as it would not add value to the post currently. It may be a good idea to share about that in some other blog post perhaps.

The protests against NPR, NRC and CAA

So, let’s start with what these acronyms are and why people are protesting are against it . The first acronym is National Population Register (NPR) . Now while the Government says that NPR is nothing but the census which is done by GOI every year, there is a difference. There are few things which make it different from earlier years, those are, birth certificates, ‘date and birth of parents’ and ‘last place of residence’ . The problem starts and ends with these two points for NPR apart from biometric information which again has issues, both for rich and poor alike . Let me explain what is the problem therein, using my own use-case or history which probably can be multiplied by probably millions of people of my age and lesser and elder to me.

Now one could ask naively, what is wrong in birth certificates, in theory and today’s day and age, perhaps not, but everything has a context and a time and place. While I was born in Pune, in 1975, the Registration and Births Act had been recently passed in 1969. So neither the Municipal Corporation of that time was active and nor was that a statutory requirement in those times. To add to that, my mother had to go at least 10-15 times to the Municipal Corporation in order to secure my birth certificate even though there was no name. This brings to another issue, in those times, almost till date, the mortality rate of newborns have been high. While we have statistics of the last 20 odd years which do show some change, one can only guess what the infant mortality rates would have been in the 60’s and the 70’s . Apart from that, most deliveries happened at home with a mid-wife rather than in a nursing home. This is still the norm today in many cities and hinterland as well. Recently, there was news of 100 babies who died in Kota, Rajasthan. While earlier they were being given clean chits, it seems most neonatal units which should house only one child were housing three children. Hence the large number of deaths. Probably, most of the parents were poor and the administration while showing that each child was given a separate neonatal unit were put together. The corruption whether in Indian public or private hospitals deserves its own blog post. I had shared some of it in the blog post no country for women or doctors.

But that apart, in those days because babies died, many children didn’t get the name till s/he was of kinder-garden, school going age. In my situation was a bit more different and difficult as my parents had separated and there was possibility that my father may go for a custody battle which never happened. Now apart from proving my own identity even though I have all the papers, I might still need to procure more, I would need papers or documentation proving the relationship between mother and I . Now I can’t produce father because he is no more apart from his death certificate, with my mother, I would have to get and submit most probably a DNA test which is expensive to say the least. I know of some labs who also charge depending upon many genetic markers you are looking for, the more the better and costs go up like that. Now here itself two questions arise with the NPR itself.

a. How many children would have proper birth certificates, more so the ones who live either below poverty line or just above ? Many of them don’t have roof over their head or have temporary shelters, where would they have place to get and put such documents. Also, as many of them cannot either read or write, they are usually suspicious of Government papers (and with good reason) . Time and again, the Government of the day has promised one thing and done another. Mostly to do with property rights and exclusion. Why to go far, just a few days back Sonam wangchuck, the engineer, who shared his concerns about Ladakh and the fragile ecosystem of Ladakh in Himalayas due to unchecked ‘development’ as been promised by the Prime Minister bringing it par to Delhi. Sadly, many people do not know that Himalayas is the youngest geologically speaking while the oldest are in South Africa (thanks to Debconf for that bit of info. as well.) . While they celebrate the political freedom from Kashmir, they do have concerns as being with Kashmir, they enjoyed land rights and rights to admission to Indians and foreigners alike, this they have now lost. A region which is predominantly buddhist in nature is being introduced to sex tourism and massage parlours which are not needed. If possible, people should see Mr. Wangchuk’s talk on Ted talks or any of the work the gentleman has done but this is getting off-topic here.

b. What about people of my age or above me. Would all of us would become refugees in our own lands ? What about those who go from place to place for work ? What about Government servants themselves ? Those who work in Central Government, many of them have and are supposed to change places every 3-4 years. My grandfather (from mother’s side) toured all of India due to his job. My mother also got transferred a few times, although I stayed in Pune. This puts up questions which make it difficult for many to answer if they were to do it truthfully as nobody would have full papers. There are also no guarantees that just having the right papers would make it right. It is very much possible that the ‘babu’ or beareaucrat sitting at the other end would demand money. I am sure there was lot of black money generated during NRC in Assam. This would happen at NPR stage itself.

c. The third question is what would happen to those who are unable to prove their citizenship at the beginning itself. They probably would need to go to court of law. What happens to their job, property and life as it is. As it is, most businesses have a slack of 40-50%, this will become more pronounced. Would we be stateless citizens in our own land ?

NRC and CAA

Somehow, let’s say you managed to have yourself included in NPR, it doesn’t mean that you will be included in NRC or National Register of Citizens. For this, one may have to rinse and repeat. They may ask more invasive questions as never before. The possible exploitation of people by the state would be as never seen before. Most of the majority in India think of Germany and how it became an industrious house and they think, they became industrious because they persecuted Jews. In fact, I believe it was the opposite. As have shared before on the blog itself, numerous times, if the Jews had been part of Germany, Germany may have prospered many times over. If the Jews could make Israel so powerful, where would Germany would have been today ? Also not many people know about the Marshall Plan which perhaps laid the foundation of the European Union as we know today but that may be part of another blog post, another day. I would probably do a part III as there are still aspects of the whole issue which I haven’t touched upon. I might do it tomorrow or few days after. Till later.

Planet DebianIustin Pop: System load and ping latency strangeness

So, instead of a happy new year post or complaining about Debian’s mailing list threads (which make me very sad), here’s an interesting thing (I think).

Having made some changes to the local network recently, I was surprised at the variability in ping latency on the local network but also to localhost! I thought, well, such is Linux, yada yada, it’s a kernel build with CONFIG_NO_HZ_IDLE=y, etc. However looking at the latency graph an hour ago showed something strange: latencies stabilised… and then later went bad again. Huh?

This is all measured via smokeping, which calls fping 10 times in a row, and records both average and spread of the values. For “stable”, I’m talking here about a somewhat even split between 10µsec and 15µsec (for the 10-ping average), with very consistent values, and everything between 20µsec and 45µsec, which is a lot.

For the local-lan host, it’s either consistently 200µsec vs 200-300µsec with high jitter (outliers up to 1ms). This is very confusing.

The timing of the “stable” periods aligned with times when I was running heavy disk I/O. Testing quickly confirmed this:

  • idle system: localhost : 0.03 0.04 0.04 0.03 0.03 0.03 0.03 0.03 0.03 0.03
  • pv /dev/md-raid5-of-hdds: localhost : 0.02 0.01 0.01 0.01 0.01 0.01 0.03 0.03 0.03 0.02
  • pv /dev/md-raid5-of-ssds: localhost : 0.03 0.01 0.01 0.01 0.01 0.02 0.02 0.02 0.02 0.02
  • with all CPUs at 100%, via stress -c $N: localhost : 0.02 0.00 0.01 0.00 0.01 0.01 0.01 0.01 0.01 0.01
  • with CPUs idle, but with governor performance so there’s no frequency transition: localhost : 0.01 0.15 0.03 0.03 0.03 0.03 0.03 0.03 0.03 0.03

So, this is not CPU frequency transitions, at least as seen by Linux. This is purely CPU load, and, even stranger, it’s about single core load. Running the following in parallel:

  • taskset -c 8 stress -c 1 and
  • taskset -c 8 fping -C 10 localhost

Results in the awesome values of:

localhost : 0.01 0.01 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.01

Now, that is what I would expect :) Even more interesting, running stress on a different CPU (any different CPU) seems to improve things, but only by half (using ping which has better resolution).

To give a more graphical impression of the latencies involved (staircase here is due to fping resolution bug, mentioned below):

Smokeping: localhost Smokeping: localhost
Smokeping: host on local net Smokeping: host on local net
Localhost CPU usage Localhost CPU usage

Note that plain I/O wait (the section at the top) doesn’t affect latency; only actual CPU usage, as seen at Fri 02:00-03:00 and then later 11:00-21:00 and (much higher) Sat 10:15-20:00.

If you squint, you can even correlate lower CPU usage on Fri 16:00-21:00 to slightly increased latencies.

Localhost CPU frequency caling Localhost CPU frequency caling

Does this all really matter? Not really, not in any practical sense. Would I much prefer clean, stable ping latencies? Very much so.

I’ve read the documentation on no HZ, which tells me I should be rebooting about 20 or 30 times with all kinds of parameter combinations and kernel builds, and that’s a bit too much from my free time. So maybe someone has some idea about this, would be very happy to learn what I can tune to make my graphs nicer :)

I’ve also tested ping from another host to this host, and high CPU usage results in lower latencies. So it seems to be not user-space related, but rather kernel latencies?!

I’ve also thought this might be purely an fping issue; however, I can clearly reproduce it simply by watching ping localhost which running (or not) stress -c $N; the result is ~10-12µsec vs. ~40µsec.

Thanks in advance for any hints.

Planet DebianThorsten Alteholz: My Debian Activities in December 2019

FTP master

This month I accepted 450 packages and rejected 61. The overall number of packages that got accepted was 481.

Debian LTS

This was my sixty sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 16.5h. During that time I did LTS uploads of:

  • [DLA 2035-1] libpgf security update for one CVE
  • [DLA 2039-1] libvorbis security update for two CVEs
  • [DLA 2040-1] harfbuzz security update for one CVE
  • [DLA 2043-1] gdk-pixbuf security update for five CVEs
  • [DLA 2043-2] gdk-pixbuf regression update
  • [DLA 2047-1] cups security update for one CVE
  • [DLA 2050-1] php5 security update for four CVEs
  • [DLA 2052-1] libbsd security update for one CVE
  • [DLA 2055-1] igraph security update for one CVE

Last but not least I did some days of frontdesk duties and started to work on the sqlite3 package.

Debian ELTS

This month was the nineteenth ELTS month.

During my allocated time I uploaded:

  • ELA-202-1 for gdk-pixbuf
  • ELA-202-2 for gdk-pixbuf
  • ELA-204-1 for php5

I also did some days of frontdesk duties.

Other stuff

This month I uploaded new upstream versions of …

I improved packaging of …

As nobody really used them, I removed the lam4 and mpich2 version of meep. Now only the serial version, the openmpi- and the mpi-default-version are available. Please complain in case you need one of the other versions again.

I also uploaded all meep packages, libctl and mpb to unstable.

On my Go challenge I uploaded the source-only versions of golang-github-boj-redistore, golang-github-dchest-uniuri, golang-github-jackc-fake, golang-github-joyent-gocommon, golang-github-mattetti-filebuffer, golang-github-nrdcg-goinwx, golang-github-pearkes-dnsimple, golang-github-soniah-dnsmadeeasy, golang-github-vultr-govultr, golang-github-zorkian-go-datadog-api.
New Go packages I uploaded were: golang-github-hashicorp-terraform-svchost, golang-github-apparentlymart-go-cidr, golang-github-bmatcuk-doublestar, golang-github-cactus-go-statsd-client, golang-github-corpix-uarand, golang-github-cyberdelia-heroku-go

Planet DebianJonathan Carter: Free Software Activities (2019-12)

Watching people windsurf at Blouberg beach

A lot has happened in Debian recently, I wrote seperate blog entries about that but haven’t had the focus to finish them up, maybe I’ll do that later this month. In the meantime, here are some uploads I’ve done during the month of December…

Debian packaging work

2019-12-02: Upload package calamares (3.2.17-1) to Debian unstable.

2019-12-03: Upload package calamares (3.2.17.1-1) to Debian unstable.

2019-12-04: Upload package python3-flask-caching to Debian unstable.

2019-12-04: File removal request for python3-flask-cache (BTS: #946139).

2019-12-04: Upload package gamemode (1.5~git20190812-107d469-3) to Debian unstable.

2019-12-11: Upload package gnome-shell-extension-draw-on-your-screen (5-1) to Debian unstable.

2019-12-11: Upload package xabacus (8.2.3-1) to Debian unstable.

2019-12-11: Upload package gnome-shell-extension-gamemode (4-1) to Debian unstable.

2019-12-11: Upload package gamemode (1.5~git20190812-107d469-4) to Debian unstable.

Debian package sponsoring/reviewing

2019-12-02: Sponsor package scrcpy (1.11+ds-1) for Debian unstable (mentors.debian.net request).

2019-12-03: Sponsor package python3-portend (2.6-1) for Debian unstable (Python team request).

2019-12-04: Merge MR#1 for py-postgresql (DPMT).

2019-12-04: Merge MR#1 for pyphen (DPMT).

2019-12-04: Merge MR#1 for recommonmark (DPMT).

2019-12-04: Merge MR#1 for python-simpy3 (DPMT).

2019-12-04: Merge MR#1 for gpxpy (DPMT).

2019-12-04: Sponsor package gpxpy (1.3.5-2) (Python team request).

2019-12-04: Merge MR#1 for trac-subcomponents (DPMT).

2019-12-04: Merge MR#1 for debomatic (PAPT).

2019-12-04: Merge MR#1 for archmage (PAPT).

2019-12-04: Merge MR#1 for ocrfeeder (PAPT).

2019-12-04: Sponsor package python3-tempura (1.14.1-2) for Debian unstable (Python team request).

2019-12-04: Sponsor package python-sabyenc (4.0.1-1) for Debian experimental (Python team request).

2019-12-04: Sponsor package python-yenc (0.4.0-7) for Debian unstable (Python team request).

2019-12-05: Sponsor package python-gntp (1.0.3-1) for Debian unstable (Python team request).

2019-12-05: Sponsor package python-cytoolz (0.10.1-1) for Debian unstable (Python team request).

2019-12-22: Sponsor package mwclient (0.10.0-2) for Debian unstable (Python team request).

2019-12-22: Sponsor package hyperlink (19.0.0-1) for Debian unstable (Python team request).

2019-12-22: Sponsor package drf-generators (0.4.0-1) for Debian unstable (Python team request).

2019-12-22: Sponsor package python-mongoengine (0.18.2-1) for Debian unstable (Python team request).

2019-12-22: Sponsor package libcloud (2.7.0-1) for Debian unstable (Python team request).

2019-12-22: Sponsor package pep8-naming (0.9.1-1) for Debian unstable (Python team request).

2019-12-23: Sponsor package python-django-braces (1.13.0-2) for Debian unstable (Python team request).

Planet DebianElana Hashman: KubeCon NA 2019 Talk Resources

At KubeCon + CloudNativeCon North America 2019, I co-presented "Weighing a Cloud: Measuring Your Kubernetes Clusters" with Han Kang. Here's some links and resources related to my talk, for your reference.

Weighing a Cloud: Measuring Your Kubernetes Clusters

Related readings

I'm including these documents for reference to add some context around what's currently happening (as of 2019Q4) in the Kubernetes instrumentation SIG and wider ecosystem.

Note that GitHub links are pinned to their most recent commit to ensure they will not break; if you want the latest version, make sure to switch the branch to "master".

,

CryptogramFriday Squid Blogging: Giant Squid Video from the Gulf of Mexico

Fantastic video:

Scientists had used a specialized camera system developed by Widder called the Medusa, which uses red light undetectable to deep sea creatures and has allowed scientists to discover species and observe elusive ones.

The probe was outfitted with a fake jellyfish that mimicked the invertebrates' bioluminescent defense mechanism, which can signal to larger predators that a meal may be nearby, to lure the squid and other animals to the camera.

With days to go until the end of the two-week expedition, 100 miles (160 kilometers) southeast of New Orleans, a giant squid took the bait.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramChrome Extension Stealing Cryptocurrency Keys and Passwords

A malicious Chrome extension surreptitiously steals Ethereum keys and passwords:

According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.

Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.

Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that it's sent to the same erc20wallet[.]tk third-party website.

Another example of how blockchain requires many single points of trust in order to be secure.

CryptogramMysterious Drones Are Flying over Colorado

No one knows who they belong to. (Well, of course someone knows. And my guess is that it's likely that we will know soon.)

EDITED TO ADD (1/3): Another article.

Worse Than FailureError'd: Variable Trust

Brian writes, "Of course server %1 is trustworthy, I couldn't do my work without it!"

 

"Rockefeller lived on Millionaires' Row, but I think it was a little bit later than the 18th century," Bryan writes.

 

"I've heard about 64-bit builds being inherently less efficient than their 32-bit cousins, but I didn't know Notepad++ would need to download this much extra data!" wrote Lee M.

 

Shawn M. writes, "I wonder if this is how new hackers get their start at pwning web sites?"

 

"This trip left me feeling a bit empty, regardless, I still gave 5 stars," Martin C. wrote.

 

"Let me guess Outlook 2016, you aren't 'old enough' to understand umlauts?" Justus B. wrote.

 

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Planet DebianKurt Kremitzki: November and December Update for FreeCAD & Debian Science

Hello again! This new year's update announces some interesting new beginnings for the FreeCAD project, though it's a little short since I got some much needed vacation time over the last two months.

OpenFOAM on One Core? Only 92 Hours! (for mipsel)

OpenFOAM & ParaView flow simulation.

In November a strange bug was found in the OpenFOAM package which led to only one core being used during builds, even though the logs reported an N core build. In the worst case scenario, on the mipsel architecture, this led to an increase in build times from 17 to 92 hours! I did some troubleshooting on this but found it a bit difficult since OpenFOAM uses a bespoke build system called wmake. I found myself wishing for the simplicity of CMake, and found there was an experimental repo implementing support for it but it didn't seem to work out of the box or with a bit of effort. I wonder if there's any consideration amongst OpenFOAM developers in moving away from wmake?

Anyway, OpenFOAM ended up getting removed from Debian Testing, but thankfully Adrian Bunk identified the problem, which is that the environment variable MAKEFLAGS was getting set to 'w' for some reason, and thus falling through the wmake code block that set up a proper parallel build for OpenFOAM. So, unsatisfyingly, as a workaround I uploaded the latest OpenFOAM version, 1906.191111, with unexport MAKEFLAGS. It would be nice to find an explanation, but I didn't spend much more time digging.

So, to end on the good news, the newest bugfix version of the OpenFOAM 1906 release, from November 11th 2019, is available for use going into 2020!

Trip to FOSDEM 2020 and MiniDebCamp at the Hackerspace Brussels

FOSDEM logo.

It was a bit last minute, but I finally decided to attend FOSDEM 2020. I had balked a bit at the cost since flights from the US are around $900, but decided it would be an important opportunity for FreeCAD developers and community to get together and possibly do some important work. Thankfully, Yorik and other senior FreeCAD developers thought it would be a good use of the project's Bountysource money to cover the cost of one ticket, split in half between myself and sliptonic, a developer from Missouri. He focuses on the Path workbench and FreeCAD in CAM applications, an area I'm interested in moving into as I now have such machining equipment available to me through my local ATX Hackerspace. The three of us will be giving a talk, "Open-source design ecosystems around FreeCAD", at 11:20 on Saturday, so please come by and say hi if you're able to!

I'll be staying for a few days before and after FOSDEM, including attending the MiniDebCamp at Hackerspace Bruxelles on Thursday & Friday, interested in anything Debian/FreeCAD related, so I look forward to getting a lot of work done indeed!

Looking at BRL-CAD for Debian

Developer working on BRL-CAD, circa 1980

Lead developer Mike Muuss works on the XM-1 tank in BRL‑CAD on a PDP‑11/70 computer system, circa 1980.

For the past several summers, FreeCAD has participated in the Google Summer of Code program under an umbrella organization led by Sean Morrison of BRL-CAD. BRL-CAD is a very interesting bit of software with a long history, in fact the oldest known public version-controlled codebase in the world still under development, dating back to 1983-12-16 00:10:31 UTC. It is inspired by the development ideas of the era, a sort of UNIX philosophy for CAD, made up of many small tools doing one thing well and meant to be used in a normal UNIXy way, being piped into one another and so forth, with a unifying GUI using those tools. Since it's made up of BSD/LGPL licensed code, it ought to be available as part of the Debian Science toolkit, where it may be useful for FreeCAD as an included alternative CAD kernel to the currently exclusive OpenCASCADE. For example, fillets in OpenCASCADE are somewhat buggy and unmaintainably implemented such that an upstream rewrite is the only hope for long-term improvement. BRL-CAD could potentially improve FreeCAD in areas like this.

It turns out a Debian Request for Packaging bug for BRL-CAD has been open since 2005. I plan to close it! It turns out there's already existing Debian packaging work, too, though it's quite a few years old and thus some adaptation still is required.

PySide 2 and KDE Maintenance in Debian

Recently, FreeCAD has been unbuildable in Debian Sid because of issues related to PySide 2 and the Python 3.8 migration. This is complicated by the fact that the upstream fix has been released but in version 5.14.0, which builds fine with Qt 5.14, although Sid currently has 5.12. Furthermore, the PySide 2 package itself isn't building at the moment either! Since FreeCAD depends on PySide 2 and Qt, and I use the Qt-based KDE as my desktop, it seems like taking on maintenance of PySide 2 is something I should do to get started in this realm. However, the Qt/KDE Team's packaging practices and tools are rather different than the ones I'm used to for Science Team packages. This makes sense: Science Team packages are very often a single Git repo, but Qt5 for example is really 44 Git submodules smushed together. As such, things are a bit different! Once I get things taken care of for the package, I will try to write up some notes to help others interested in getting started, especially since KDE packaging could use some help.

FreeCAD Sysadmin Woes Begone: DigitalOcean Sponsorship

DigitalOcean's "Powered By" blue badge lgoo.

I'm very happy to announce that the FreeCAD project is now among the many open source software sponsorships by DigitalOcean.

One of the first things I did when interested in FreeCAD was to try to take on the responsibility of maintaining the project's infrastructure, since that would free up time for people to work on FreeCAD itself. FreeCAD's 17 years old now, and some of our infrastructure stack is about as dated. However, it isn't easy to just move things, I had to get things up to speed first and try to minimize disruption, so it's been a slow process. I'll go into more details in a technical blog post on the matter after I've finished our migration, hopefully by the end of this month, including details on our new setup, with the goal of allowing people to get set up with a dev environment of our project tools so you can do some hacking on things yourself and help out if possible.

Thanks for your support

I appreciate any feedback you might have.

You can get in touch with me via Twitter @thekurtwk.

If you'd like to donate to help support my work, there are several methods available on my site.

,

Planet DebianBen Hutchings: Debian LTS work, December 2019

I was assigned 16.5 hours of work by Freexian's Debian LTS initiative and carried over 3.75 hours from November. I worked all 20.25 hours this month.

I prepared and, after review, released Linux 3.16.79. I rebased the Debian package onto 3.16.79 and sent out a request for testing.

I also released Linux 3.16.80, but haven't yet rebased the Debian package onto this.

Planet DebianJonathan Dowland: Linux Desktop

Happy New Year!

It's been over two years since writing back on the Linux desktop, and I've had this draft blog post describing my desktop setup sitting around for most of that time. I was reminded of it by two things recently: an internal work discussion about "the year of the linux desktop" (or similar), and upon discovering that the default desktop choice for the current Debian release ("Buster") uses Wayland, and not the venerable X. (I don't think that's a good idea).

GNOME 3 Desktop

I already wrote a little bit about my ethos and some particulars, so I'll not repeat myself here. The version of GNOME I am using is 3.30.2. I continue to rely upon Hide Top Bar, but had to disable TopIcons Plus which proved unstable. I use the Arc Darker theme to shrink window title bars down to something reasonable (excepting GTK3 apps that insist on stuffing other buttons into that region).

Although I mostly remove or hide things, I use one extension to add stuff: Suspend Button, to add a distinct "Suspend" button. The GNOME default was, and seem to remain, to offer only a "Power off" button, which seems ludicrous to me.

I spend a lot of time inside of Terminals. I use GNOME terminal, but I disable or hide tabs, the menubar and the scrollbar. Here's one of my top comfort tips for working in terminals: I set the default terminal size to 120x32, up from 80x24. It took me a long time to realise that I habitually resized every terminal I started.

I've saved the best for last: The Put Windows GNOME shell extension allows you to set up keyboard shortcuts for moving and resizing the focussed window to different regions of the desktop. I disable the built-in shortcuts for "view splits" and rely upon "Put Windows" instead, which is much more useful: with the default implementation, once "snapped", you can't resize windows (widen or narrow them) unless you first "unsnap" them. But sometimes you don't want a 50/50 split. "Put Windows" doesn't have that restriction; but it also lets you cycle between different (user-configurable) splits: I use something like 50/50, 30/70, 70/30. It also lets you move things to corners as well as sides, and also top/bottom splits, which is very useful for comparing spreadsheets (as I pointed out eight years ago).

"Put Windows" really works marvels and entirely replaces SizeUp that I loved on Mac.

Planet DebianTim Retout: Blog Posts

CryptogramHacking School Surveillance Systems

Lance Vick suggesting that students hack their schools' surveillance systems.

"This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine," he said.

Of course, there are a lot more laws in place against this sort of thing than there were in -- say -- the 1980s, but it's still worth thinking about.

EDITED TO ADD (1/2): Another essay on the topic.

Planet DebianSylvain Beucler: Debian LTS and ELTS - December 2019

Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In December, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 16.5h for LTS (out of 30 max) and 16.5h for ELTS (max).

This is less than usual, AFAICS due to having more team members requesting more hours (while I'm above average), and less unused hours given back (or given back too late).

ELTS - Wheezy

  • libonig: finish work started in November:
  • CVE-2019-19203/libonig: can't reproduce, backport non-trivial likely to introduce bugs,
  • CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: security upload
  • libpcap: attempt to recap vulnerabilities mismatch (possibly affecting ELA-173-1/DLA-1967-1); no follow-up from upstream
  • CVE-2019-19317,CVE-2019-19603,CVE-2019-19645/sqlite3: triage: not-affected (development version only)
  • CVE-2019-1551/openssl: triage: not-affected; discuss LTS triage rationale
  • CVE-2019-14861,CVE-2019-14870/samba: triage: not-affected
  • CVE-2019-19725/sysstat: triage: not-affected (vulnerable code introduced in v11.7.1)
  • CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255/ruby1.9.1: security upload

LTS - Jessie

  • CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: shared work with ELTS, security upload
  • libpcap: shared work with ELTS
  • libav: finish work started in November:
  • CVE-2018-18829/libav: triage: postponed (libav-specific issue, no patch)
  • CVE-2018-11224/libav: triage: postponed (libav-specific issue, no patch)
  • CVE-2017-18247/libav: triage: ignored (not reproducible, no targeted patch)
  • CVE-2017-18246/libav: triage: ignored (not reproducible)
  • CVE-2017-18245/libav: reproduce, track down fix in ffmpeg
  • CVE-2017-18244/libav: triage: ignored (not reproducible)
  • CVE-2017-18243/libav: triage: ignored (not reproducible)
  • CVE-2017-18242/libav: triage: ignored (not reproducible)
  • CVE-2017-17127/libav: reproduce, track down fix in ffmpeg
  • CVE-2016-9824/libav: triage: ignored: usan (undefined sanitized) warning only, no patch
  • CVE-2016-9823/libav: triage: ignored: usan (undefined sanitized) warning only, no patch
  • CVE-2016-5115/libav: triage: postpone due different (indirect mplayer) vulnerability and lack of time
  • CVE-2017-17127,CVE-2017-18245,CVE-2018-19128,CVE-2018-19130,CVE-2019-14443,CVE-2019-17542/libav: security upload

Documentation/Scripts

Worse Than FailureCodeSOD: Untested Builds

Kaylee E made an "oops" and checked in a unit test with a bug in it which caused the test to fail. She didn't notice right away, and thus the commit hit their CI pipeline and was automatically pulled by the build server. She assumed that when she checked the logs she'd see the error, but she didn't. The build completed, and Tests (0/0) ran successfully.

Now, Kaylee was new to the codebase, and since she'd been doing small changes, she'd simply written and run tests around explicitly the functionality she was testing. She hadn't yet done a full test run locally, so that was her next step. From there, it was easy to see why the build server didn't automatically run tests.

[Test] public void TestDateNew() { String date = DateTime.Now.ToShortDateString(); Assert.IsTrue(date = "26/08/2016"); }

Visual Studio's Git integration also displayed a little tip above the method, announcing: 0 References | Murray Linwood, 646 days ago | 1 author, 1 change.

Now, this test could work if you mocked out the DateTime object, which is what you should do if you're testing dates. Of course, that doesn't make the test any more useful, as it's just testing basic, built-in .NET functionality. Besides, I suspect that "Murray" is already familiar with mocking.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

,

Planet DebianRuss Allbery: 2019 Book Reading in Review

In 2019, I finished and reviewed 40 books, the same as in 2018. Technically, I read two more books than 2018, since I've finished two books (one just before midnight) that I've not yet reviewed, but I'll stick with counting only those books for which I've published a review. I did a little bit better this year in spreading my reading out over the year instead of only reading on vacation. Finding time to write reviews was another matter; apologies for the flood of catch-up reviews in the last week of December.

I met both of my reading goals for last year — maintaining my current reading pace and catching up on award winners and nominees — but only barely in both cases. 2020 will bring schedule and life changes for me, and one of my goals is to carve out more room for daily reading.

I have 10 out of 10 ratings to two books this year, one fiction and one non-fiction. The novel was Arkady Martine's exceptional debut A Memory Called Empire, which is one of the best science fiction novels I've read. It's populated with a fully imagined society, wonderful characters, political maneuvering, and a thoughtful portrayal of the cultural impact of empire and colonialism. I can hardly wait for the sequel.

The non-fiction book was On the Clock by Emily Guendelsberger, a brilliant piece of investigative journalism that looks at the working conditions of the modern American working class through the lens of an Amazon warehouse job, a call center, and a McDonald's. If you want to understand how work and life feels to the people taking the brunt of the day-to-day work in the United States, I cannot recommend it highly enough. These jobs are not what they were ten or twenty years ago, and the differences may not be what you expect.

The novels that received 9 out of 10 ratins from me in 2019 were The Calculating Stars by Mary Robinette Kowal, and The Shell Seekers by Rosamunde Pilcher. Kowal's novel is the best fictional portrayal of anxiety that I've ever read (with bonus alternate history space programs!) and fully deserves its Hugo, Nebula, and Locus awards. Pilcher's novel is outside of my normal genres, a generational saga with family drama and some romance. It was a very satisfying vacation book, a long, sprawling drama that one can settle into and be assured that the characters will find a way to do the right thing.

On the non-fiction side, I gave a 9 out of 10 rating to Bad Blood, John Carreyou's almost-unbelievable story of the rise and fall of Theranos, the blood testing company that reached a $10 billion valuation without ever having a working product. And, to close out the year, I gave a 9 out of 10 rating to Benjamin Dreyer's Dreyer's English, a collection of advice on the English language from a copy editor. If you love reading books about punctuation trivia or grammatical geeking, seek this one out.

The full analysis includes some additional personal reading statistics, probably only of interest to me.

Worse Than FailureBest of…: Best of 2019: When Unique Isn't Unique

We close out our recap of 2019 and head into the new year with one last flashback: when vendors forget what the definition of "unique" is. Original -- Remy

Palm III 24

Gather 'round, young'uns, for a tale from the Dark Ages of mobile programming: the days before the iPhone launched. Despite what Apple might have you believe, the iPhone wasn't the first portable computing device. Today's submitter, Jack, was working for a company that streamed music to these non-iPhone devices, such as the Palm Treo or the Samsung Blackjack. As launch day approached for the new client for Windows Mobile 6, our submitter realized that he'd yet to try the client on a non-phone device (called a PDA, for those of you too young to recall). So he tracked down an HP iPaq on eBay just so he could verify that it worked on a device without the phone API.

The device arrived a few days out from launch, after QA had already approved the build on other devices. It should've been a quick test: sideload the app, stream a few tracks, log in, log out. But when Jack opened the app for the first time on the new device, it was already logged into someone's account! He closed it and relaunched, only to find himself in a different, also inappropriate account. What on earth?!

The only thing Jack could find in common between the users he was logged in as was that they were running the same model of PDA. That was the crucial key to resolving the issue. To distinguish which device was making the calls to the streaming service, Jack used a call in Windows Mobile that would return a unique ID for each mobile device. In most devices, it would base this identifier on the IMEI, ensuring uniqueness—but not on the HP iPaq. All HP devices could automatically log into the account of the most recently used iPaq, providing the user logged out and back in, as it would generate a recent-user record with the device ID.

Jack had read the documentation many times, and it always stated that the ID was guaranteed to be unique. Either HP had a different definition of "unique" than anyone else, or they had a major security bug!

Jack emailed HP, but they had no plans to fix the issue, so he had to whip up an alternate method of generating a UUID in the case that the user was on this device. The launch had to be pushed back to accommodate it, but the hole was plugged, and life went on as usual.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

Planet DebianBalasankar 'Balu' C: FOSS contributions in 2019

Heyo,

I have been interested in the concept of Freedom - both in the technical and social ecosystems for almost a decade now. Even though I am not a harcore contributor or anything, I have been involved in it for few years now - as an enthusiast, a contributor, a mentor, and above all an evangelist. Since 2019 is coming to an end, I thought I will note down what all I did last year as a FOSS person.

GitLab

My job at GitLab is that of a Distribution Engineer. In simple terms, I have to deal with anything that a user/customer may use to install or deploy GitLab. My team maintains the omnibus-gitlab packages for various OSs, docker image, AWS AMIs and Marketplace listings, Cloud Native docker images, Helm charts for Kubernetes, etc.

My job description is essentially dealing with the above mentioned tasks only, and as part of my day job I don’t usually have to write and backend Rails/Go code. However, I also find GitLab as a good open source project and have been contributing few features to it over the year. Few main reasons I started doing this are

  1. An opportunity to learn more Rails. GitLab is a pretty good project to do that, from an engineering perspective.
  2. Most of the features I implemented are the ones I wanted from GitLab, the product. The rest are technically simpler issues with less complexity(relates to the point above, regarding getting better at Rails).
  3. I know the never-ending dilemma our Product team goes through to always maintain the balance of CE v/s EE features in every release, and prioritizing appropriate issues from a mountain of backlog to be done on each milestone. In my mind, it is easier for both them and me if I just implemented something rather than asked them to schedule it to be done by a backend team, so that I cane enjoy the feature. To note, most of the issues I tackled already had Accepting Merge Requests label on them, which meant Product was in agreement that the feature was worthy of having, but there were issues with more priority to be tackled first.

So, here are the features/enhancements I implemented in GitLab, as an interested contributor in the selfish interest of improving my Rails understanding and to get features that I wanted without much waiting:

  1. Add number of repositories to usage ping data
  2. Provide an API endpoint to get GPG signature of a commit
  3. Add ability to set project path and name when forking a project via API
  4. Add predefined CI variable to provide GitLab FQDN
  5. Ensure changelog filenames have less than 99 characters
  6. Support notifications to be fired for protected branches also
  7. Set X-GitLab-NotificationReason header in emails that are sent due to explicit subscription to an issue/MR
  8. Truncate recommended branch name to a sane length
  9. Support passing CI variables as push options
  10. Add option to configure branches for which emails should be sent on push

Swathanthra Malayalam Computing

I have been a volunteer at Swathanthra Malayalam Computing for almost 8 years now. Most of my contributions are towards various localization efforts that SMC coordinates. Last year, my major contributions were improving our fonts build process to help various packaging efforts (well, selfish reason - I wanted my life as the maintainer of Debian packages to be easier), implementing CI based workflows for various projects and helping in evangelism.

  1. Ensuring all our fonts build with Python3
  2. Ensuring all our fonts have proper appstream metadata files
  3. Add an FAQ page to Malayalam Speech Corpus
  4. Add release workflow using CI for Magisk font module

Debian

I have been a Debian contributor for almost 8 years, became a Debian Maintainer 3 years after my first stint with Debian, and have been a Debian Developer for 2 years. My activities as a Debian contributor this year are:

  1. Continuing maintenance of fonts-smc-* and hyphen-indic packages.
  2. Packaging of gopass password manager. This has been going on very slow.
  3. Reviewing and sponsoring various Ruby and Go packages.
  4. Help GitLab packaging efforts, both as a Debian Developer and a GitLab employee.

Other FOSS projects

In addition to the main projects I am a part of, I contributed to few FOSS last year, either due to personal interest, or as part of my job. They are:

  1. Calamares - I initiated and spearheaded the localization of Calamares installer to Malayalam language. It reached 100% translated status within a month.
  2. Chef
    1. Fix openSUSE Leap and SLES detection in Chef Ohai 14
    2. Make runit service’s control commands configurable in Chef Runit cookbook
  3. Mozilla - Being one of the Managers for Malayalam Localization team of Mozilla, I helped coordinate localizations of various projects, interact with Mozilla staff for the community in clarifying their concerns, getting new projects added for localization etc.

Talks

I also gave few talks regarding various FOSS topics that I am interested/knowledgeable in during 2019. List and details can be found at the talks page.

Overall, I think 2019 was a good year for the FOSS person in me. Next year, I plan to be more active in Debian because from the above list I think that is where I didn’t contribute as much as I wanted.

Planet DebianJunichi Uekawa: Happy new year.

Happy new year. Last year I kept on practicing piano. I started Tea. Wondering what awaits.

Planet DebianRuss Allbery: Review: Woman on the Edge of Time

Review: Woman on the Edge of Time, by Marge Piercy

Publisher: Ballantine
Copyright: 1976
Printing: 2016
ISBN: 0-307-75639-4
Format: Kindle
Pages: 419

Woman on the Edge of Time opens with Connie (Consuela) Ramos's niece Dolly arriving at the door of her tiny apartment with a bloody face. Her pimp, the cause of the bloody face, shows up mere moments later with a doctor to terminate Dolly's pregnancy. After a lot of shouting and insults, Connie breaks a glass bottle across Geraldo's face, resulting in her second involuntary commitment to a mental institution.

The first time was shortly after the love of her life was arrested for shoplifting and, in an overwhelmed moment, she hit her young daughter. That time, she felt she deserved everything that happened to her, not that it made much difference. Her daughter disappeared into the foster care system and she ended up on welfare, unable to get a job. She did get out of the institution, though. That's more of a question this time.

The other difference in Connie's life is that Luciente has made contact with her. Luciente is apparently from the future, appears in Connie's apartment, speaks an odd dialect, and is both horrified and fascinated by the New York City of Connie's time. She is also able to bring Connie mentally into the future, to a community called Mouth-of-Mattapoisett, which has no insane asylums, welfare, capitalism, pimps, condescending social workers, pollution, or the other plagues of Connie's life.

Woman on the Edge of Time sets a utopia against a dystopia, but the dystopia is 1970s America seen through the life of a poor Mexican-American woman. The Mattapoisett sections follow the classical utopia construction with Connie as the outside visitor to whom the utopia is explained. The present-day sections are a parade of horrors as Connie attempts to survive institutionalization, preserve a shred of dignity, and navigate the system well enough to be able to escape it. At first, these two environments are simply juxtaposed, but about two-thirds of the way through the book it becomes clear that Luciente's future is closely linked to, and closely influenced by, Connie's present.

I wanted to like this book, but I struggled with it. It took me about two months to read it, and I kept putting it down and reading something else instead. I'm finding it hard to put my finger on why it didn't work for me, but I think most of the explanation is Connie.

Piercy commits fully in this story to making Connie an ordinary person. Her one special characteristic is her ability to receive Luciente's psychic contact from the future, and to reach out in return. Otherwise, she's an average person who has lived a very hard life, who is struggling with depression and despair, and whose primary reaction to the events of the book is a formless outrage mixed with self-pity. This is critical to the conclusion of the story, and it's a powerful political statement: Ordinary people can affect the world, their decisions matter, and you don't have to be anyone special to fight oppression.

Unfortunately, this often makes the Mattapoisett sections, which are the best part of this book, frustrating to read. Not only does Connie not ask the questions about the future utopia that I wanted to ask, but she also reacts to most of the social divergences with disgust, outrage, or lasting confusion. This too I think is an intentional authorial choice — a true course correction in our world isn't also going to be comfortable and familiar, all of us will disagree with some of those choices, and Connie is not someone who grew up reading utopian literature — but it adds a lot of negative emotion to what is otherwise a positive celebration of how much better humanity can be. The people of Mattapoisett are endlessly patient with Connie in ways that also highlight strengths of their society, but I frequently found myself wanting to read a different story about Luciente, Jackrabbit, and the others without Connie there to recoil from the most drastic changes or constantly assume the worst of their customs.

I felt like I understood Connie and empathized with her, but I didn't like her. It's hard to read books where you don't like the main character.

The present-day scenes are an endless sequence of nightmares. Connie has a couple of friends inside the institution, who are also just trying to survive, but is otherwise entirely alone. Her niece tries occasionally, but is so strung out on drugs that she can't hold a coherent train of thought. Every figure of authority in the book treats Connie with contempt. All medical staff treat the patients like animals; the best that any of them can hope for is to be treated like a tolerable but ugly pet. I fully believe this was accurate for at least some facilities in some places, but it's soul-crushing to read about at length. I found myself slogging through those sections of the book, waiting for another interlude in Mattapoisett where at least I could enjoy the utopian world-building and relax a bit around happy characters.

This is, to be clear, effective at conveying the political point that Piercy is making. It's striking to read about Connie's horrific life and realize that it would be far worse today. Outside of the institution, she was living on long-term welfare, something that no longer exists in the United States. There are essentially no more mental institutions of the type in which she was held today; we closed them all in the 1980s and dumped all the residents on the streets. As Piercy points out in her forward, this is not an improvement. Today, Connie would either be homeless or in prison, her circumstances would be even worse than they were in the book, and even this plot would not be possible.

It's hard to know what to say about books that say true things with the level of anger and revulsion that our world warrants and do not give the reader the comfortable wrapping of characters with room to be happy. There is little Piercy says here that's wrong, and it's something we should hear, but apart from the Mattapoisett interludes I found it miserable to read. I read partly for escapism and for a break from dwelling on the unfolding horrors of the news cycle, so I struggle with books that feel like an extension of the day-to-day reporting on how awfully we treat our fellow humans. This is a problem I have with much of 1970s feminist SF: The books are incandescently angry, and rightfully so, about problems that are largely unfixed fifty years later, and I come away deeply depressed by humans as a species.

The heart of this book is the carefully-constructed Mattapoisett utopia, which says fascinating things about parenting, ecological balance, interpersonal relationships, communal living, personal property and its appropriate place in society, and governance structures. Piercy does cheat with some psychic empathy and some semi-magical biology, but most of what she describes would be possible with our current technology. I've not talked much about that in this review because the other parts of the book hit me so strongly, but this is a very interesting utopia. If you like analyzing and thinking about alternative ways of living, this is thought-provoking stuff.

I can see why other people liked this book better than I did, and I have great respect for its political goal and for Piercy's utopian world-building. It wasn't the book for me, but it might be for you.

Rating: 5 out of 10

Planet DebianPaul Wise: FLOSS Activities December 2019

Changes

Issues

Review

Administration

  • Debian wiki: whitelist email addresses, help with auth issues
  • FOSSJobs: forwarding jobs, approving jobs

Communication

  • Respond to queries from Debian users and developers on the mailing lists and IRC

Sponsors

Some of the lintian-brush issues, the devscripts tagpending issue and the libpst work were sponsored by my employer. All other work was done on a volunteer basis.

Planet DebianUtkarsh Gupta: Debian Activities for December 2019

Here’s my (third) monthly update about the activities I’ve done in Debian this December.

Debian LTS

This was my third month as a Debian LTS paid contributor.
I was assigned 16.50 hours and worked on the following things:

CVE Fixes and Announcements:

  • Issued DLA 2024-1, fixing CVE-2019-19617, for phpmyadmin.
    Details here:

    phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/display_git_revision.lib.php and libraries/Footer.class.php.

    For Debian 8 “Jessie”, this has been fixed in 4:4.2.12-2+deb8u7.
    Furthermore, sent a patch to the Security team for fixing the same in Stretch.

  • Issued DLA 2025-1, fixing CVE-2017-17833 and CVE-2019-5544, for openslp-dfsg.
    Details here:

    OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability.
    OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the critical severity range.

    For Debian 8 “Jessie”, this has been fixed in 1.2.1-10+deb8u2.

  • Issued DLA 2026-1, fixing CVE-2019-19630, for htmldoc.
    Details here:

    In HTMLDOC, there was a one-byte underflow in htmldoc/ps-pdf.cxx caused by a floating point math difference between GCC and Clang.

    For Debian 8 “Jessie”, this has been fixed in 1.8.27-8+deb8u1.
    Furthermore, sent a patch to the Security team for Stretch and Buster.

  • Issued DLA 2046-1, fixing CVE-2019-19479, for opensc.
    Details here:

    An issue was discovered in libopensc/card-setcos.c in OpenSC, which has an incorrect read operation during parsing of a SETCOS file attribute.

    For Debian 8 “Jessie”, this has been fixed in 0.16.0-3+deb8u2.

Miscellaneous:

  • Triage luajit, python-oslo.utils, davical, sqlite3, phpmyadmin, openssl, htmldoc, and opensc for Jessie.

  • Pinged upstream of libexif, ruby-rack, and ruby-rack-cors for more clarification of the patches provided.

  • Clarified more about CVE-2019-1551/openssl triage to the Security Team and the Debian LTS ML.

  • Took a deeper look at CVE-2019-16782/ruby-rack; the patch itself introduces regression and induces a backdoor on its own. Notified the Security Team and the ML to avoid its upload.

  • Discuss the state of CVE-2019-19479/opensc with Roberto and process its upload. Also opened upstream issue out of frustration for “hiding” most of their report.

  • In midst of fixing test failures of ruby-rack-cores. And also WIP for ruby-excon.


Debian Uploads

Most importantly, I became a DD this month! \o/
Here’s my NM process. Many, many thanks to Thomas (zigo) for being so nice and patient! :D

New Version:

  • ruby-reverse-markdown ~ 1.3.0-1 (to unstable).
  • ruby-behance ~ 0.6.1-1 (to unstable).
  • ruby-unidecode ~ 1.0.0-1 (to unstable).
  • micro ~ 1.4.1-1 (to unstable).
  • golang-code.cloudfoundry-bytefmt ~ 0.0~git20190818.854d396-1 (to unstable).

Source-Only and Other Uploads:

  • micro ~ 1.4.1-2 (to unstable).
  • golang-github-flynn-json5 ~ 0.0~git20160717.7620272-2 (to unstable).
  • golang-github-zyedidia-pty ~ 1.1.1+git20180126.3036466-2 (to unstable).
  • golang-github-zyedidia-terminal ~ 0.0~git20180726.533c623-2 (to unstable).
  • golang-golang-x-text ~ 0.3.2-3 (to unstable).
  • golang-github-yuin-gopher-lua ~ 0.0~git20170915.0.eb1c729-4 (to unstable).
  • golang-github-sergi-go-diff ~ 1.0.0-2 (to unstable).

Bug Fixes:

  • #946859 for ruby-reverse-markdown (ITP).
  • #946895 for ruby-behance (ITP).
  • #946945 for ruby-unidecode (ITP).
  • #947724 for golang-code.cloudfoundry-bytefmt (ITP).
  • #889196 golang-github-yuin-gopher-lua.
  • #889209 for golang-github-sergi-go-diff.

Reviews and Sponsored Uploads:

  • easygen ~ 4.1.0-1 for Tong Sun.
  • node-webpack ~ 4.30.0-1 for Pirate Praveen.
  • node-timeago.js ~ 4.0.2-1 for Sakshi Sangwan.
Miscellaneous:
  • Outreachy mentoring for GitLab project.
  • Grant DM access for easygen to Tong Sun.
  • Grant DM access for golang-github-danverbraganza-varcaser to Tong Sun.
  • Help James Montgomery for Golang packaging (wrt #945524).
  • Migrated all my -guest accounts and certificates to use my new, shiny account associated with the DD status.
  • With regards to this tweet, I assisted the following people:
    • Shubhank Saxena with 1:1 Hangouts call.
    • Shreya Gupta with 1:1 Hangouts call.
    • Eshaan Bansal with 1:1 Hangouts call.
      P.S. It was lovely to interact with such lovely people :)

Until next time.
:wq for today.

,

Planet DebianChris Lamb: Favourite books of 2019

I managed to read 74 books in 2019 (up from 53 in 2018 and 50 in 2017) but here follows ten of my favourites this year, in no particular order.

Disappointments included The Seven Deaths of Evelyn Hardcastle (2018) which started strong but failed to end with a bang; all of the narrative potential energy tightly coiled in the exposition was lazily wasted in a literary æther like the "whimper" in the imagined world of T. S Eliot. In an adjacent category whilst I really enjoyed A Year in Provence (1989) last year, Toujours Provence (1991) did not outdo its predecessor but was still well worth the dégustation. I was less surprised to be let down by Jon Ronson's earliest available book, The Men Who Stare At Goats (2004), especially after I had watched the similarly off-key film of the same name, but it was at least intellectually satisfying to contrast the larval author of this work and comparing him the butterfly he is today but I couldn't recommend the experience to others who aren't fans of him now.

The worst book that I finished this year was Black Nowhere (2019), a painful attempt at a cyberthriller based on the story of the Silk Road marketplace. At many points I seriously pondered whether I was an unwitting participant in a form of distributed performance art or simply reading an ironic takedown of inexpensive modern literature.

As a slight aside, choosing which tomes to write about below was an interesting process but likely not for the reasons you might think; I found it difficult to write so publically anything interesting about some books that remain memorable to this day without essentially inviting silent censure or, worse still, the receipt of tedious correspondence due to their topics of contemporary politics or other vortexes of irrationality, assumed suspicion and outright hostility. (Given Orwell's maxim that "the only test of artistic merit is survival," I find this somewhat of disservice to my integrity, yet alone to the dear reader.)


In the Woods (2007), The Likeness (2008) & Faithful Place (2010)

Tana French

I always feel a certain smug pleasure attached to spotting those gaudy "Now a major TV series!" labels appearing upon novels I have already digested. The stickers do not merely adhere to the book themselves, but in a wider sense stick to myself too as if my own refined taste had been given approval and blessing of its correctness. Not unlike as if my favourite local restaurant had somehow been granted a Michelin star, the only problem then becomes the concomitant difficulty in artfully phrasing that one knew about it all along...

But the first thing that should probably be said about the books that comprise the Dublin Murder Squad ("Now a major TV series!") is the underlying scaffolding of the series: whilst the opening novel details Irish detectives Rob Ryan and Cassie Maddox investigating a murder it is told in from the first-person perspective of the former. However, the following book then not only recounts an entirely different Gardaí investigation it is told from the point of view of the latter, Cassie, instead. At once we can see how different (or not) the characters really are, how narrow (or not) their intepretation of events are, but moreover we get to enjoy replaying previous interaction between the two both, implicitly in our minds and even sometimes explicitly on the page. This fount of interest continues in the third of the series which is told from the viewpoint of a yet another character introduced in the second book and so forth.

I feel I could write a fair amount about these novels, but in the interest of brevity I will limit my encomium to the observation that the setting of Ireland never becomes a character itself, now curiously refreshing as most series feel the need to adopt this trope which overshot cliché some time ago. Authors, by all means set your conceits in well-trodded locations but please refrain from boasting or namedropping your knowledge at seemingly every opportunity (the best/worst example being Ben Aaronovitch's Rivers of London series or, by referencing street and pub names just a few too many times for comfort, Irvine Welsh's Edinburgh). Viewer's of the BBC Spooks series will likely know what I mean too - it isn't that the intelligence officers couldn't meet in the purview of St Paul's or under the watchful London Eye but the unlikelihood that all such clandestine conventicles would happen with the soft focus of yet another postcard-worthy landmark in the background forces at least this particular ex-Londoner of the plot somewhat.

Anyway, highly recommend. I believe I have three more in this series, all firmly on my 2020 list.


The Ministry of Truth (2019)

Dorian Lynskey

It should hopefully come as no surprise to anyone that I would read this "biography" of George Orwell's Nineteen Eighty-Four (NB. not "1984"...) after a number of Orwell-themed travel posts this year (Marrakesh, Hampstead, Paris, Southwold, Ipswich, etc.).

Timed to coincide with the book's publication 70 years ago, Lynskey celebrates its platinum anniversary with an in-depth view into the book's literary background in the dystopian fiction of the preceding generation including Yevgeny Zamyatin's 1921 We and H. G. Well's output more generally. It is a bête noire of mine that the concepts in the original book are taken too literally by most (as if by pointing out the lack of overt telescreens somehow discredits the work or — equally superficially in analysis — has been "proven right" by the prevalence of the FAANGs throughout our culture) but Lynskey does no such thing and avoids this stubbornly sophomoric and narrow view of Nineteen... and does not neglect the wider, more delicate and more interesting topics such as the slippage between deeds, intentions, thoughts, veracity and language.

Thorough and extremely comprehensive, this biography remains a wonderfully easy read and is recommended to all interested in one of the most influencial novels of the 20th century and furthermore should not be considered the exclusive domain of lovers of trivial Orwellania, not withstanding that such folks will undoubtably find something charming in Lynskey's research in any case: Who knew that the original opening paragraph of this book was quite so weak? Or a misprint resulted in an ambiguous ending...? This book shouldn't just make you want to read the novel again, it will likely pique your interest into delving deeper into Orwell’s writing for yourself. And if you don't, Big Brother is...


City of the Dead (2011) & The Bohemian Highway (2013)

Sara Gran

Imagine a Fleabag with more sass, more drug abuse, and — absent the first person narrative — thankfully hold the oft-distracting antics with the fourth wall. Throw in the perceptive insight of Sherlock and finish with the wistful and mystical notes of a Haruki Murakami novel and you've got Claire DeWitt, our plucky protagonist.

In post-Katrani New Orleans, where we lay our scene, this troubled private detective has been tasked with looking for a local prosecutor who has been missing since the hurricane. Surprisingly engrossing and trenchant, my only quibble with the naked, fast-paced and honest writing of City of the Dead is that the ends of chapters are far too easily signposted as the tone of the prose changes in a reliable manner, disturbing the unpredictability of the rest of the text.

The second work I include here (The Bohemian Highway) is almost on-par with the first with yet more of Claire's trenchant observations about herself and society (eg. "If you hate yourself enough, you’ll start to hate anyone who reminds you of you", etc.). However, it was quite the disappointment to read the third in this series (The Infinite Blacktop (2018) which had almost all the aforementioned ingredients but somehow fell far, far short of the target. Anyway, if someone has not optioned the rights for an eight-part television series of the first two novels, I would be willing to go at least, say, 90:10 in with you.


Never Split the Difference (2016)

Chris Voss

I was introduced to Chris Voss earlier in the year via an episode of The Tim Ferriss Show (and if that wasn't enough of a eyebrow-raising introduction he was just on an episode of Lance Armstrong's own podcast...) but regardless of its Marmite-esque route into my world I could not help but be taken hostage by this former FBI negotiator's approach to Negotiating as if Your Life Depended On It, as its subtitle hyperbolically claims.

My initial interest in picking up this how-to-negotiate volume lied much deeper than its prima facie goal of improving my woefully-lacking skills as I was instead intellectually curious about the socio-anthropology and to learn more about various facets of human connections and communication in general. However, the book mixes its "pop psych" with remarkably simple and highly practical tips for all levels of negotiations. Many of these arresting ideas, at least in the Voss school, are highly counter-intuitive yet he argues for them all persuasively, generally preferring well-reasoned argument over relying on the langue du bois of the "amygdala" and other such concepts borrowed superficial from contemporary psychology that will likely be rendered the phrenology of the early 21st-century anyway.

Whilst the book's folksy tone and exhale-inducing approach to pedagogy will put many off (I thought I left academia and its "worksheets" a long time ago…) it certainly passes the primary test of any book of negotiation: it convinced me.


The Way Inn (2014) & Plume (2019)

Will Wiles

I really enjoyed this authors take on modern British culture but I am unsure if I could really communicate exactly why. However, I am certain that I couldn't explain what his position really is beyond using misleading terms such as "surreal" or "existential" because despite these labels implying an inchoate and nebulous work I also found it simultaneously sharp and cuttingly incisive.

Outlining the satirical and absurd plot of The Way Inn would do little to communicate the true colour palette of the volume too (our self-absorbed protagonist attends corporate conferences on the topic, of course, of conferences themselves) but in both of these books Wiles ruthlessly avoiding all of the tired takedowns of contemporary culture, somehow finding new ways to critique our superficial and ersatz times.

The second of Wiles' that I read this year, Plume, was much darker and even sinister in feel but remains peppered with enough microscopic observations on quotidian life ("the cloying chemical reek of off-brand energy drinks is a familiar part of the rush-hour bouquet"...) that somehow made it more, and not less, harrowing in tone. You probably need to have lived in the UK to get the most out of this, but I would certainly recommend it.


Chasing the Scream (2015)

Johann Hari

It is commonplace enough to find RT ≠ endorsement in a Twitter biography these days but given that Hari's book documents a Search For The Truth About Addiction I am penning this review with more than a soupçon of trepidation. As in, if it would be premature to assume that if someone has chosen to read something then they are implicitly agreeing with its contents it would also be a similar error to infer that reader is looking for the same answers. This is all to say that I am not outing myself as an addict here, but then again, this is precisely what an addict would say...

All throat clearing aside, I got much from reading Johann Hari's book which, I think, deliberately does not attempt to break new ground in any of the large area it surveys and prefers to offer a holistic view of the war on drug [prohibition] through a series of long vignettes and stories about others through the lens of Hari himself on his own personal journey.

Well-written and without longueur, Hari is careful to not step too close to the third-rail of the medication—mediation debate as the most effective form of treatment. This leads to some equivocation at points but Hari's narrative-based approach generally lands as being more honest than many similar contemporary works that cede no part of the complex terrain to anything but their prefered panacea, all deliciously ironic given his resignation from the Independent newspaper in 2011. Thus acting as a check against the self-assured tones of How to Change Your Mind (2018) and similar, Chasing the Scream can be highly recommended quite generally but especially for readers in this topic area.


The Sellout (2016)

Paul Beatty

"I couldn't put it down…" is the go-to cliché for literature so I found it amusing to catch myself in quite-literally this state at times. Winner of the 2016 Man Booker Prize, the first third of this were perhaps the most engrossing and compulsive reading experience I've had since I started "seriously" reading.

This book opens in medias res within the Supreme Court of the United States where the narrator lights a spliff under the table. As the book unfolds, it is revealed that this very presence was humbly requested by the Court due to his attempt to reinstate black slavery and segregation in his local Los Angeles neighbourhood. Saying that, outlining the plot would be misleading here as it is far more the ad-hoc references, allusions and social commentary that hang from this that make this such an engrossing work.

The tranchant, deep and unreserved satire might perhaps be merely enough for an interesting book but where it got really fascinating to me (in a rather inside baseball manner) is how the latter pages of the book somehow don't live up the first 100. That appears like a straight-up criticism, but this flaw is actually part of this book's appeal to me — what actually changed in these latter parts? It's not overuse of the idiom or style and neither is it that it strays too far from the original tone or direction, but I cannot put my finger on why which has meant the book sticks to this day in my mind. I can almost, just almost, imagine a devilish author such as Paul deliberately crippling one's output for such an effect…

Now, one cannot unreservedly recommend this book. The subject matter itself, compounded by being dealt with in such an flippant manner will be unpenetrable to many and deeply offensive to others, but if you can see your way past that then you'll be sure to get something—whatever that may be—from this work.


Diary of a Somebody (2019)

Brian Bilston

The nom de plume of the "unofficial poet laureate of Twitter", Brian Bilston is an insufferable and ineffectual loser who decides to write a poem every day for a year. A cross between the cringeworthiness of Alan Partridge and the wit and wordplay of Spike Milligan, the eponymous protagonist documents his life after being "decruited" from his job.

Halfway through this book I came to the realisation that I was technically reading a book of poetry for fun, but far from being Yeats, Auden or The Iliad, "Brian" tends to pen verse along the lines of:

No, it's not Tennyson and "plot" ties itself up a little too neatly at the end, but I smiled out loud too many times whilst reading this book to not include it here.


Stories of Your Life and Others (2014) & Exhalation (2019)

Ted Chiang

This compilation has been enjoying a renaissance in recent years due the success of the film Arrival (2016) which based on on the fourth and titular entry in this amazing collection. Don't infer too much from that however as whilst this is prima facie just another set of sci-fi tales, it is science fiction in the way that Children of Men is, rather than Babylon 5.

A well-balanced mixture of worlds are evoked throughout with a combination of tales that variously mix the Aristotelian concepts of spectacle (opsis), themes (dianoia), character (ethos) and dialogue (lexis), perhaps best expressed practically in that some stories were extremely striking at the time — one even leading me to rebuff an advance at a bar — and a number were not as remarkable at the time yet continue to occupy my idle thoughts.

The opening tale which reworks the Tower of Babel into a construction project probably remains my overall favourite, but the Dark Materials-esque world summoned in Seventy-Two Letters continues to haunt my mind and lips of anyone else who has happened to come across it, perhaps becoming the quite-literal story of my life for a brief period. Indeed it could be said that, gifted as a paperback, whilst the whole collection followed me around across a number of locales, it continues to follow me — figuratively speaking that is — to this day.

Highly recommended to all readers but for those who enjoy discussing books with others it would more than repay any investment.


Operation Mincemeat (2010)

Ben MacIntyre

In retrospect it is almost obvious that the true story of an fictitious corpse whose invented love letters, theatre life and other miscellania stuffed into the pockets of a calculatingly creased Captain's uniform would make such a captivating tale. Apparently drowned and planted into the sea off Huelva in 1943, this particular horse was not exactly from Troy but was rather a Welsh vagrant called Glyndwr who washed up — or is that washed out? — on the Andalusian shoreline along with information on a feigned invasion of Sicily in an attempt to deceive the Wehrmacht. However, this would be to grosslly misprice Ben MacIntyre's ability to not get in the way of telling the story as well the larger picture about the bizarre men who concocted the scheme and the bizarre world they lived in.

In such a Bond-like plot where even Ian Fleming (himself a genuine British naval officer) makes an appearance it seems prudent to regularly recall yet again that truth can be stranger than fiction, but the book does fall foul of the usual sin of single-issue WW2 books in overestimating the importance in the larger context of a conflict. (Indeed, as a diversionary challenge to the reader of this review I solicit suggestions for any invention, breakthrough or meeting that has not been identified as "changing the course of World War II". Victor Davis Hanson rather handsomeley argues in his 2017 The Second World Wars that is best approached as multiple wars, anyway…)

Likely enjoyed by those not typically accustomed to reading non-fiction history, this is genuinely riveting account nonetheless and well worth the reading.

Planet DebianJonathan McDowell: Free Software Activities for 2019

As a reader of Planet Debian I see a bunch of updates at the start of each month about what people are up to in terms of their Free Software activities. I’m not generally active enough in the Free Software world to justify a monthly report, and this year in particular I’ve had a bunch of other life stuff going on, but I figured it might be interesting to produce a list of stuff I did over the course of 2019. I’m pleased to note it’s longer than I expected.

Conferences

I’m not a big conference attendee; I’ve never worked somewhere that paid travel/accommodation for Free Software conferences so I end up covering these costs myself. That generally means I go to local things and DebConf. This year was no exception to that; I attended BelFOSS, an annual free software conference held in Belfast, as well as DebConf19 in Curitiba, Brazil. (FOSDEM was at an inconvenient time this year for me, or I’d have made it to that as well.)

Debian

Most of my contributions to Free software happen within Debian.

As part of the Data Protection Team I responded to various minor requests for advice from within the project.

The Debian Keyring was possibly my largest single point of contribution. We’re in a roughly 3 month rotation of who handles the keyring updates, and I handled 2019.03.24, 2019.06.25, 2019.08.23, 2019.09.24 + 2019.12.23.

For Debian New Members I handled a single applicant, Marcio de Souza Oliveira, as an application manager. I had various minor conversations throughout the year as part of front desk.

I managed to get binutils-xtensa-lx106 + gcc-xtensa-lx106 packages (1 + 1) for cross building ESP8266 firmware uploaded in time for the buster release, as well as several updates throughout the year (2, 3 + 2, 3, 4). There was a hitch over some disagreements on the package naming, but it conforms with the generally accepted terms used for this toolchain.

Last year I ended up fixing an RC bug in ghdl, so this year having been the last person to touch the package I did a couple of minor uploads (0.35+git20181129+dfsg-3, 0.35+git20181129+dfsg-4). I’m no longer writing any VHDL as part of my job so my direct interest in this package is limited, but I’ll continue to try and fix the easy things when I have time.

Although I requested the package I originally uploaded it for, l2tpns, to be removed from Debian (#929610) I still vaguely maintain libcli, which saw a couple of upstream driven uploads (1.10.0-1, 1.10.2-1).

OpenOCD is coming up to 3 years since its last stable release, but I did a couple (0.10.0-5, 0.10.0-6) of minor uploads this year. I’ve promised various people I’ll do a snapshot upload and I’ll try to get that into experimental at some point. libjaylink, a dependency, also saw a couple of minor uploads (0.1.0-2, 0.1.0-3).

I pushed an updated version of libtorrent into experimental (0.13.8-1), as a pre-requisite for getting rtorrent updated. Once that had passed through NEW I uploaded 0.13.8-2 and then rtorrent 0.9.8-1.

The sigrok project produced a number of updates, sigrok-firmware-fx2lafw 0.1.7-1, libsigrok 0.5.2-1 + libsigrokdecode 0.5.3-1.

sdcc was the only package I did sponsored uploads of this year - (3.8.0+dfsg-2, 3.8.0+dfsg-3). I don’t have time to take over maintainership of this package fully, but sigrok-firmware-fx2lafw depends on it to build so I upload for Gudjon and try to help him out a bit.

Personal projects

In terms of personal projects I finally pushed my ESP8266 Clock to the outside world (and wrote it up). I started learning Go and as part of that wrote gomijia, a tool to passively listen for Bluetooth LE broadcasts from Xiaomi Mijia devices and transmits them over MQTT. I continued to work on onak, my OpenPGP key server, adding support for the experimental v5 key format, dkg’s abuse resistant keystore proposal and finally merged in support for signature verification. It’s due a release, but the documentation really needs improved before I’d be happy to do that.

picolibc

Back when picolibc was newlib-nano I had a conversation with Keith Packard about getting the ESP8266 newlib port (largely by Max Filippov based on the Tensilica work) included. Much time has passed since then, but I finally got time to port this over and test it this month. I’m hopeful the picolibc-xtensa-lx106-elf package will appear in Debian at some point in the next few months.

Snort

As part of my work at Titan IC I did some work on Snort3, largely on improving its support for hardware offload accelerators (ignore the fact my listed commits were all last year, Cisco generally do a bunch of squashed updates to the tree so the original author doesn’t always show).

Software in the Public Interest

While I haven’t sat on the board of SPI since 2015 I’m still the primary maintainer of the membership website (with Martin Michlmayr as the other active contributor). The main work carried out this year was fixing up some issues seen with the upgrade from Stretch to Buster.

Talks

I talked about my home automation, including my use of Home Assistant, at NIDC 2019, and again at DebConf with more emphasis on the various aspects of Debian that I’ve used throughout the process. I had a couple of other sessions at DebConf with the Data Protection and Keyring teams. I did a brief introduction to Reproducible Builds for BLUG in October.

Random

I had a one liner accepted to systemd to make my laptop keyboard work out of the box. I fixed up Xilinx XRT to be able to build .debs for Debian (rather than just Ubuntu), have C friendly header files and clean up some GCC 8.3 warnings. I submitted a fix to Home Assistant to accept 202 as a successful REST notification response. And I had a conversation on IRC which resulted in a tmux patch to force detach (literally I asked how do to this thing and I think Colin had whipped up a patch before the conversation was even over).

Planet DebianChris Lamb: Free software activities in December 2019

Software Freedom Conservancy (the fiscal sponsor for the Reproducible Builds project) have announced their fundraising season with a huge pledge to match donations from a number of illustrious individuals. If you have ever considered joining as a supporter, now would be the time to do so.


Whilst it was a busy month away from the keyboard for me, here is my update covering what I have been doing in the free software world during December 2019 (previous month):

  • Attended the fifth Reproducible Builds summit meeting in Marrakesh, Morocco.

  • As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest (SPI) I attended and prepared for their respective monthly meetings, participated in various licensing and other free software related topics occurring on the internet, as well as the usual internal discussions regarding logistics, policy, etc.

  • Opened a pull request against the Chart.js JavaScript charting library to make the build reproducible. [...]

  • Updated my django-slack library that provides a convenient library between projects using the Django and the Slack chat platform to drop Python 2.7 support prior to its uncoming deprecation [...] and add support for Python 3.8 [...]...][...].

  • Made some changes to my tickle-me-email library which implements Gettings Things Done-like behaviours in IMAP inboxes including fixing an issue where we could add a duplicate empty Subject header that would result in emails being rejected as invalid by mail servers. [...]

  • Opened a pull request to make the build reproducible in infernal, a tool for analysing RNA molecule data. [...]

  • Even more hacking on the Lintian static analysis tool for Debian packages including a considerable amount of issue and merge request triage, as well as:

    • Bug fixes:

      • Don't attempt to check manual section if we don't know the section number in order to silence Perl warnings on the commandline. (#946471)
    • Cleanups:

    • Reporting:

      • Add missing tag summary checks to debian/changelog and fix our generate-tag-summary script to match our newer style of changelog entry placeholder. [...]
      • Update the long description of debian-rules-not-executable tag to not imply that precisely 0755 permissions are required. [...]


Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.


I made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues:

  • Always pass a filename with a .zip extension to zipnote otherwise it will return with an UNIX exit code of 9 and we fallback to displaying a binary difference for the entire file. [...]
  • Include the libarchive file listing for ISO images to ensure that timestamps -- and not just dates -- are visible in any difference. (#81)
  • Ensure that our autopkgtests are run with our pyproject.toml present for the correct black source code formatter settings. (#945993)
  • Rename the text_option_with_stdiout test to text_option_with_stdout [...] and tidy some unnecessary boolean logic in the ISO9660 tests [...].


I also:


Debian

Debian LTS

This month I have worked 16½ hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

You can find out more about the project via the following video:


Uploads

  • For the Tails privacy-oriented operating system, I uploaded obfs4proxy (0.0.8-1)

FTP Team

As a Debian FTP assistant I ACCEPTed eight packages: fluidsynth, golang-github-bmatcuk-doublestar, golang-github-pearkes-cloudflare, librandomx, meep, meep-mpi-default, meep-openmpi & node-webassemblyjs. I additionally filed two RC bugs against packages that had potentially-incomplete debian/copyright files against fluidsynth & meep.

Planet DebianJunichi Uekawa: Reminding myself on how to install nodejs binaries.

Reminding myself on how to install nodejs binaries. Found the nodesource docs. I almost forgot I was using an aarch64 device until I tried installing binaries. It's nice they have aarch64 binaries too.

Worse Than FailureBest of…: Best of 2019: The Internship of Things

Did you get some nice shiny new IoT devices for the holidays this year? Hope they weren't the Initech brand. Original --Remy

Mindy was pretty excited to start her internship with Initech's Internet-of-Things division. She'd been hearing at every job fair how IoT was still going to be blowing up in a few years, and how important it would be for her career to have some background in it.

It was a pretty standard internship. Mindy went to meetings, shadowed developers, did some light-but-heavily-supervised changes to the website for controlling your thermostat/camera/refrigerator all in one device.

As part of testing, Mindy created a customer account on the QA environment for the site. She chucked a junk password at it, only to get a message: "Your password must be at least 8 characters long, contain at least three digits, not in sequence, four symbols, at least one space, and end with a letter, and not be more than 10 characters."

"Um, that's quite the password rule," Mindy said to her mentor, Bob.

"Well, you know how it is, most people use one password for every site, and we don't want them to do that here. That way, when our database leaks again, it minimizes the harm."

"Right, but it's not like you're storing the passwords anyway, right?" Mindy said. She knew that even leaked hashes could be dangerous, but good salting/hashing would go a long way.

"Of course we are," Bob said. "We're selling web connected thermostats to what can be charitably called 'twelve-o-clock flashers'. You know what those are, right? Every clock in their house is flashing twelve?" Bob sneered. "They can't figure out the site, so we often have to log into their account to fix the things they break."

A few days later, Initech was ready to push a firmware update to all of the Model Q baby monitor cameras. Mindy was invited to watch the process so she could understand their workflow. It started off pretty reasonable: their CI/CD system had a verified build, signed off, ready to deploy.

"So, we've got a deployment farm running in the cloud," Bob explained. "There are thousands of these devices, right? So we start by putting the binary up in an S3 bucket." Bob typed a few commands to upload the binary. "What's really important for our process is that it follows this naming convention. Because the next thing we're going to do is spin up a half dozen EC2 instances- virtual servers in the cloud."

A few more commands later, and then Bob had six sessions open to cloud servers in tmux. "Now, these servers are 'clean instances', so the very first thing I have to do is upload our SSH keys." Bob ran an ssh-copy-id command to copy the SSH key from his computer up to the six cloud VMs.

"Wait, you're using your personal SSH keys?"

"No, that'd be crazy!" Bob said. "There's one global key for every one of our Model Q cameras. We've all got a copy of it on our laptops."

"All… the developers?"

"Everybody on the team," Bob said. "Developers to management."

"On their laptops?"

"Well, we were worried about storing something so sensitive on the network."

Bob continued the process, which involved launching a script that would query a webservice to see which Model Q cameras were online, then sshing into them, having them curl down the latest firmware, and then self-update. "For the first few days, we leave all six VMs running, but once most of them have gotten the update, we'll just leave one cloud service running," Bob explained. "Helps us manage costs."

It's safe to say Mindy learned a lot during her internship. Mostly, she learned, "don't buy anything from Initech."

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Planet DebianRuss Allbery: Review: Dreyer's English

Review: Dreyer's English, by Benjamin Dreyer

Publisher: Random House
Copyright: 2019
ISBN: 0-8129-9571-6
Format: Kindle
Pages: 278

Benjamin Dreyer is vice president, executive managing editor and copy chief, of Random House. Or, as he puts it:

I am a copy editor. After a piece of writing has been, likely through numerous drafts, developed and revised by the writer and by the person I tend to call the editor editor and deemed essentially finished and complete, my job is to lay my hands on that piece of writing and make it...better. Cleaner. Clearer. More efficient. Not to rewrite it, not to bully and flatten it into some notion of Correct Prose, whatever that might be, but to burnish and polish it and make it the best possible version of itself that it can be — to make it read even more like itself than it did when I got to work on it. That is, if I've done my job correctly.

Dreyer's English is a book of writing advice, pet peeves, observations, spelling corrections, and word usage geekery from someone who has spent nearly thirty years copy editing books. More than half of the book is lists of things with commentary: words that can be deleted, words that are frequently confused for each other, notes on proper nouns, and much more. The rest of it is grammatical disputes, positions on punctuation, and fascinating commentary on people's reactions to copy editing.

The preferred U.K. spelling of the color that describes ashes and the eyes of the goddess Athena is "grey." The preferred American spelling is "gray," but try telling that to the writers who will go ballistic if, in copyediting, you attempt to impose that spelling. In all my years of correcting other people's spelling, I don't think I've ever come up against more pushback than on this point. My long-held theory — make of it what you will — is that the spelling "grey" imprints itself on some people who encounter it in beloved classic children's books, and they form an emotional attachment to it.

Or, I don't know, they're just stubborn.

Speaking as an American "grey" person, I feel seen.

This is the sort of book whose audience will self-select. If you read the description above and thought "wow, that sounds boring, why would someone read a reference book like that cover to cover?" then this is not the book for you. If you thought "that sounds awesome, tell me more!" then you've probably heard of this book already (it's made the rounds), and this review is somewhat redundant. But in case you haven't, I can assure you that it is indeed awesome, and you should read it.

True confession time. I thoroughly enjoyed reading Strunk & White, the writing book that everyone is now supposed to hate. Let me reassure you that I am not one of those people who tries to get everyone to read it or who treats it as the canonical text on how to write in English, thus contributing to the backlash. I rarely think of it when writing. I loved it because it was fun to read, because it was opinionated and snarky and was full of entertaining (if occasionally unfair) examples, and because it advocated for a particular style of prose in a memorable and approachable way.

I'm doing Benjamin Dreyer no favors by comparing his book to this bogeyman of prescriptivism, but I enjoyed Dreyer's English for a similar reason. Dreyer's writing is not dry and does not read like a reference manual, despite the lists. It's full of side observations and personal stories, is tempered by the conversations a copy editor has with authors, and is absurdly quotable. You'll notice that I'm failing to resist littering this review with excerpts.

Also, if you haven't been dead for four hundred years and are planning on using the word "methinks" in the spirit of roguish cleverness, please don't.

For those reading it as an ebook, it also puts the (delightful) footnotes at the end of each chapter. A minor point, but greatly appreciated.

I don't primarily read books like this to improve my own writing. If I did, I should probably have paused on page one to implement Dreyer's first advice, which is so on-point that it stings:

Here's your first challenge:

Go a week without writing

  • very
  • rather
  • really
  • quite
  • in fact

Rather (*cough*), I read books like this primarily for entertainment, secondarily out of intellectual curiosity about the opinions of someone who has read a lot of prose and is professionally obligated to make judgments about it, and tertiarily because I adore language trivia. Dreyer delivers on all three points. If you are looking for advice to help improve your writing, I suspect he delivers on that point as well, but the entertainment value alone was worth it to me. The insight into the role of copy editor, the markup and on-page conversations with authors, and some of the less-obvious motives of the work are a delightful bonus.

An admission: Quite a lot of what I do as a copy editor is to help writers avoid being carped at, fairly or — and this is the part that hurts — unfairly, by People Who Think They Know Better and Write Aggrieved Emails to Publishing Houses.

Come for the demolition of non-rules of grammar that you were taught in school but should ignore completely, stay for the fascinating discussion of the "only" comma, and be rewarded with knowing that even the copy chief of one of the largest publishing houses on earth cannot spell Mississippi without singing the song.

If you are the sort of person who likes this kind of thing, you owe it to yourself to read this book.

Rating: 9 out of 10

,

Planet DebianIan Jackson: subdirmk 0.3 - ergonomic preprocessing assistant for non-recursive make

I have released subdirmk 0.3.

Recap

Peter Miller's 1997 essay Recursive Make Considered Harmful persuasively argues that it is better to arrange to have a single make invocation with the project's complete dependency tree, rather than the currently conventional $(MAKE) -C subdirectory approach.

However, I have found that actually writing a project's build system in a non-recursive style is not very ergonomic. So with some help and prompting from Mark Wooding, I have made a tool to help.

What's new

I have overhauled and regularised some of the substitution syntaxes. The filenames have changed. And there is a new $-doubling macro help facility.

Status

It's still 0.x. I'm still open to comments about details of syntax and naming. Please make them here on this blog, or by posting to sgo-software-discuss.

But it's looking quite good I think and I intend to call it 1.0 RSN.

Further reading

see the README.

edited 2019-12-30 16:39 Z to fix some formatting issues with Dreamwidth's HTML "sanitiser"



comment count unavailable comments

Worse Than FailureBest of…: Best Of 2019: The Hardware Virus

We continue our holiday break by looking back at the true gift that kept on giving, the whole year round. Original. --Remy

Dvi-cable

Jen was a few weeks into her new helpdesk job. Unlike past jobs, she started getting her own support tickets quickly—but a more veteran employee, Stanley, had been tasked with showing her the ropes. He also got notification of Jen's tickets, and they worked on them together. A new ticket had just come in, asking for someone to replace the DVI cable that'd gone missing from Conference Room 3. Such cables were the means by which coworkers connected their laptops to projectors for presentations.

Easy enough. Jen left her cube to head for the hardware "closet"—really, more of a room crammed full of cables, peripherals, and computer parts. On a dusty shelf in a remote corner, she spotted what she was looking for. The coiled cable was a bit grimy with age, but looked serviceable. She picked it up and headed to Stanley's cube, leaning against the threshold when she got there.

"That ticket that just came in? I found the cable they want. I'll go walk it down." Jen held it up and waggled it.

Stanley was seated, facing away from her at first. He swiveled to face her, eyed the cable, then went pale. "Where did you find that?"

"In the closet. What, is it—?"

"I thought they'd been purged." Stanley beckoned her forward. "Get in here!"

Jen inched deeper into the cube. As soon as he could reach it, Stanley snatched the cable out of her hand, threw it into the trash can sitting on the floor beside him, and dumped out his full mug of coffee on it for good measure.

"What the hell are you doing?" Jen blurted.

Stanley looked up at her desperately. "Have you used it already?"

"Uh, no?"

"Thank the gods!" He collapsed back in his swivel chair with relief, then feebly kicked at the trash can. The contents sloshed around inside, but the bin remained upright.

"What's this about?" Jen demanded. "What's wrong with the cable?"

Under the harsh office lighting, Stanley seemed to have aged thirty years. He motioned for Jen to take the empty chair across from his. Once she'd sat down, he continued nervously and quietly. "I don't know if you'll believe me. The powers-that-be would be angry if word were to spread. But, you've seen it. You very nearly fell victim to it. I must relate the tale, no matter how vile."

Jen frowned. "Of what?"

Stanley hesitated. "I need more coffee."

He picked up his mug and walked out, literally leaving Jen at the edge of her seat. She managed to sit back, but her mind was restless, wondering just what had her mentor so upset.

Eventually, Stanley returned with a fresh mug of coffee. Once he'd returned to his chair, he placed the mug on his desk and seemed to forget all about it. With clear reluctance, he focused on Jen. "I don't know where to start. The beginning, I suppose. It fell upon us from out of nowhere. Some say it's the spawn of a Sales meeting; others blame a code review gone horribly wrong. In the end, it matters little. It came alive and spread like fire, leaving destruction and chaos in its wake."

Jen's heart thumped with apprehension. "What? What came alive?"

Stanley's voice dropped to a whisper. "The hardware virus."

"Hardware virus?" Jen repeated, eyes wide.

Stanley glared. "You're going to tell me there's no such thing, but I tell you, I've seen it! The DVI cables ..."

He trailed off helplessly, reclining in his chair. When he straightened and resumed, his demeanor was calmer, but weary.

"At some godforsaken point in space and time, a single pin on one of our DVI cables was irrevocably bent. This was the source of the contagion," he explained. "Whenever the cable was plugged into a laptop, it cracked the plastic composing the laptop's DVI port, contorting it in a way that resisted all mortal attempt at repair. Any time another DVI cable was plugged into that laptop, its pin was bent in just the same way as with the original cable.

"That was how it spread. Cable infected laptop, laptop infected cable, all with vicious speed. There was no hope for the infected. We ... we were forced to round up and replace every single victim. I was knee-deep in the carnage, Jen. I see it in my nightmares. The waste, the despair, the endless reimaging!"

Stanley buried his head in his hands. It was a while before he raised his haunted gaze again. "I don't know how long it took, but it ran its course; the support tickets stopped coming in. Our superiors consider the matter resolved ... but I've never been able to let my guard down." He glanced warily at the trash can, then made eye contact with Jen. "Take no chances with any DVI cables you find within this building. Buy your own, and keep them with you at all times. If you see any more of those—" he pointed an accusing finger at the bin "—don't go near them, don't try taking a paperclip to them. There's everything to lose, and nothing to gain. Do you understand?"

Unable to manage words, Jen nodded instead.

"Good." The haunted expression vanished in favor of grim determination. Stanley stood, then rummaged through a desk drawer loaded with office supplies. He handed Jen a pair of scissors, and armed himself with a brassy letter opener.

"Our job now is to track down the missing cable that resulted in your support ticket," he continued. "If we're lucky, someone's absent-mindedly walked off with it. If we're not, we may find that this is step one in the virus' plan to re-invade. Off we go!"

Jen's mind reeled, but she sprang to her feet and followed Stanley out of the cubicle, telling herself to be ready for anything.

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

Planet DebianRuss Allbery: Review: To Be Taught, If Fortunate

Review: To Be Taught, If Fortunate, by Becky Chambers

Publisher: Harper Voyager
Copyright: September 2019
ISBN: 0-06-293602-6
Format: Kindle
Pages: 153

Ariadne is the flight engineer aboard the Merian. She and her three crewmates were sent from Earth on a fifty-year mission (most of it spent in medical hibernation for transit) to do a survey of four exoplanets in one system. To Be Taught, If Fortunate is the narrative accompanying that mission report, and a question sent back to whoever receives it.

This is a novella that is probably set in the same universe as the Wayfarers books (which start with A Long Way to a Small Angry Planet), but that connection is not explicit in the story. You can read it in isolation and not miss anything.

I was born in Cascadia on July 13, 2081. On that day, it had been fifty-five years, eight months, and nine days since a human being had been in space. I was the two-hundred-and-fourth person to go back, and part of the sixth extrasolar crew. I'm writing to you in the hope that we will not be the last.

This is the fourth Becky Chambers story I've reviewed and I've seen some common patterns of reaction, so let me start by setting expectations.

If what you want out of a science fiction novella is hard scientific accuracy, this is not what you're looking for and you're probably going to frustrate yourself. Chambers notes in the acknowledgments that she tried to get the science as close as the story would allow, and there isn't anything quite as egregious as powering a ship via algae grown on the ship (or the kinetic energy of crew footsteps), but I still had several moments of "hm, I don't think it works that way." Those who are pickier than I am are likely to once again run into suspension of disbelief problems.

What Chambers does do, for me at least, is tug directly on the heartstrings. This was a challenge for this novella since To Be Taught, If Fortunate is, among other things, an impassioned defense of human space exploration, something about which I'm notoriously skeptical. With the help of a bit of magical genetic editing during medical hibernation to get past the most obvious objections, she managed to convince me anyway. Chambers does this primarily by showing the reactions of scientists physically present on another planet, doing and getting excited about science, struggling through setbacks, and attempting to navigate surprises and horrors while thinking very hard about ethics and responsibility. It's a slow burn, and I suspect some people will find it boring, but for me it was startlingly effective.

One good choice Chambers makes is that Ariadne is the lone non-scientist in the crew. She's the engineer, the person who fixes and operates things and gets the ship to work. That lets the descriptions of exploratory science on each of the four worlds be outsider perspectives that match the author's perspective (and that of most readers). Ariadne watches other people do ground-breaking science and get excited for and with them, which I found charming and delightful to read about.

Most of this novella is narrative observation of initial planetary exploration, focused mostly although not entirely on biology. It can be a bit disorienting at first, since the drama level is tuned closer to real exploration than the typical story. The four crew members are also refreshingly low on interpersonal drama — perhaps unrealistically so, given the requirement to spend years together in close quarters, but one of the things I like about Chambers is her willingness to write about good people and believe that they can remain good people through difficult moments. The plot inflection points, when they come, have a similar slow burn, giving the reader time to empathize with the characters and get invested in their worries and reactions.

The best moments of this novella for me, though, are where Ariadne describes the space program that gave rise to this mission, the politics of Earth at the time, and the meaning and rituals of that push for renewed space travel. This is beautifully and exceptionally done. It took me a lot of thought after finishing this novella to put my finger on why Ariadne's space program seems so different than ours: It's not grounded in military or naval culture. The prevalence and assumption of hierarchical command structure and rigid discipline is so pervasive in how we think about human missions of exploration that I had a hard time pinpointing what had changed.

I find it interesting to compare this to the later books of Jack McDevitt's Academy series, particularly Cauldron. McDevitt and Chambers are arguing for some similar goals, but McDevitt's argument is the frustrated petulance of the space boosterism wars that go back to the literary fight against William Proxmire in the 1960s and 1970s and is most often rehashed today with some variation of "humans have to get off a single planet to secure a long-term future of the species." Chambers's argument is entirely different. It's less fear-based, more collaborative and consensus-driven, more thoughtful, and makes an argument from wonder instead of expansionism. For me, it's far more persuasive.

I'm going to be thinking about the difference between how Ariadne thinks about her mission and how we normally present space missions for a long time.

I won't give away the ending, but it wasn't at all what I had expected, and I found it surprisingly touching. It's not at all the way that stories like this normally end, but it's quiet and earnest and thoughtful and ethical in a way that's consistent with the rest of the story and with everything else Chambers has written. The more I thought about it, the more I liked it.

Reactions to Chambers vary widely, I think in part because they're primarily stories about human ethics in semi-utopian societies that only use science and technology as a frame. If you weren't one of the people who loved her books, I don't think this novella is likely to be the break-through moment for you. If, like me, you did love her books, particularly Record of a Spaceborn Few (the most similar to this story), I think you'll like this as well. Recommended for those readers.

Rating: 8 out of 10

Krebs on SecurityHappy 10th Birthday, KrebsOnSecurity.com

Today marks the 10th anniversary of KrebsOnSecurity.com! Over the past decade, the site has featured more than 1,800 stories focusing mainly on cybercrime, computer security and user privacy concerns. And what a decade it has been.

Stories here have exposed countless scams, data breaches, cybercrooks and corporate stumbles. In the ten years since its inception, the site has attracted more than 37,000 newsletter subscribers, and nearly 100 million pageviews generated by roughly 40 million unique visitors.

Some of those 40 million visitors left more than 100,000 comments. The community that has sprung up around KrebsOnSecurity has been truly humbling and a joy to watch, and I’m eternally grateful for all your contributions.

One housekeeping note: A good chunk of the loyal readers here are understandably security- and privacy-conscious, and many block advertisements by default — including the ads displayed here.

Just a reminder that KrebsOnSecurity does not run third-party ads and has no plans to change that; all of the creatives you see on this site are hosted in-house, are purely image-based, and are vetted first by Yours Truly. Love them or hate ’em, these ads help keep the content at KrebsOnSecurity free to any and all readers. If you’re currently blocking ads here, please consider making an exception for this site.

Last but certainly not least, thank you for your readership. I couldn’t have done this without your encouragement, wisdom, tips and support. Here’s wishing you all a happy, healthy and wealthy 2020, and for another decade of stories to come.

,

Planet DebianEnrico Zini: Some gender-related links

Men Must Be Needed Because We Can't Be Wanted - The Good Men Project
We believe we have to be the heroes only because we can't yet see other roles for ourselves.
A glass ceiling is a metaphor used to represent an invisible barrier that keeps a given demographic (typically applied to minorities) from rising beyond a certain level in a hierarchy.[1]
The glass cliff is the phenomenon of women in leadership roles, such as executives in the corporate world and female political election candidates, being likelier than men to achieve leadership roles during periods of crisis or downturn, when the chance of failure is highest.
I discovered the men’s rights movement when I was 22, working at a bookstore in downtown Kelowna, British Columbia. I was trying to earn some...

Sam VargheseSmith’s weakness to short-pitched bowling has been exposed

There are two things one can take away from the Australia-New Zealand Test series, even though it is not yet over, and the third and final match remains to be played in Sydney early next year.

One, the rankings system that the International Cricket Conference uses is out of sync with reality; if Australia, ranked fifth, can beat second-ranked New Zealand with so much of ease, then whatever decides those rankings needs sore re-examination.

The second, and probably more interesting, revelation has been the exposure of Steve Smith’s vulnerability to good short-pitched bowling. Smith has been called many things since he started to accumulate runs, and is now often likened to the late Sir Donald Bradman.

But his inability to play short stuff was demonstrated by New Zealander Neil Wagner, the only one of the four New Zealand pacemen (ok, medium-pacers, none of them can be classified fast) who uses the bouncer intelligently. Wagner dismissed Smith in both innings, with a beauty of a snorter at the face accounting for him in the first innings.

In the second innings, again it was a ball that was just above hip level that got Smith; he tried to paddle it around but lost control and was caught backward of square leg.

This method of packing off Smith cannot be used in the shorter forms of the game, as there are strict limits on short-pitched bowling, and anyone who persists will be called for wides, then warned and finally stopped from bowling. The short form of the game is all about making runs and the ICC wants to keep it that way, with the balance favouring batsmen.

And Smith does not have to play against the Australian bowlers; they form the best pace attack globally and he could be troubled by the likes of James Pattinson and Patrick Cummings if he were to face them. The rest of the fast bowling fraternity, to the degree it exists now, would have taken note, however, and one is pretty sure that India’s Jasprit Bumrah will test him when next they meet in a Test.

Australia are not scheduled to play any more Tests until next summer; there are four tours planned but all are only for playing the shorter forms of the game. India are due to visit next summer and hence one will not see Smith tested in this way until then.

That the ICC’s ranking is a mess is hardly news. The organisation does little that can be called sensible and once put in place a system for determining the change in playing conditions in the event of rain. Designed by the late Richie Benaud, it was used in the 1992 World Cup and the level of ridiculousness was shown by the fact that South Africa was, at one stage in the semi-finals, required to make 22 runs off one ball to win. This happened after rain interrupted the game.

Cory DoctorowScience fiction, Canada and the 2020s: my look at the decade ahead for the Globe and Mail

The editors of Canada’s Globe and Mail asked me to reflect on what science fiction can tell us about the 2020s for their end-of-the-decade package; I wrote about how science fiction can’t predict the future, but might inspire it, and how the dystopian malaise of science fiction can be turned into a inspiring tale of “adversity met and overcome – hard work and commitment wrenching a limping victory from the jaws of defeat.”

I describe a scenario for a “Canadian miracle”: “As the vast majority of Canadians come to realize the scale of the crisis, they are finally successful in their demand that their government address it unilaterally, without waiting for other countries to agree.”

Canada goes on a war footing: Full employment is guaranteed to anyone who will work on the energy transition – building wind, tide and solar facilities; power storage systems; electrified transit systems; high-speed rail; and retrofits to existing housing stock for an order-of-magnitude increase in energy and thermal efficiency. All of these are entirely precedented – retrofitting the housing stock is not so different from the job we undertook to purge our homes of lead paint and asbestos, and the cause every bit as urgent.

How will we pay for it? The same way we paid for the Second World War: spending the money into existence (much easier now that we can do so with a keyboard rather than a printing press), then running a massive campaign to sequester all that money in war bonds so it doesn’t cause inflation.

The justification for taking such extreme measures is obvious: a 1000 Year Reich is a horror too ghastly to countenance, but rendering our planet incapable of sustaining human life is even worse.

Science fiction and the unforeseeable future: In the 2020s, let’s imagine better things [Cory Doctorow/Globe and Mail]

science fiction,canada,green new deal,gnd,canadian miracle,2020s,climate emergency,truth and reconciliation jt-a-monster-of-history

Planet DebianRuss Allbery: Review: Super Pumped

Review: Super Pumped, by Mike Isaac

Publisher: W.W. Norton
Copyright: 2019
ISBN: 0-393-65225-4
Format: Kindle
Pages: 350

Mike Isaac is a technology reporter for the New York Times who wrote extensively about Uber, including in 2017 when Susan Fowler's bombshell Medium essay dropped and Travis Kalanick's reign at Uber started to unravel. This is the extended story of the company in book form, from Kalanick's pre-Uber startup experiences until the end of the postscript in May of 2019 following Uber's IPO.

To non-fiction book publishers of the world: Please make the exposé of dysfunctional, exploitative capitalism and its abusive leaders a major genre. I will be there for each book launch with my wallet in hand. Timely essay journalism is probably more effective from a public interest perspective, but there is nothing like a book-length treatment to dig into the power structures that enable companies like Uber to exist and the critical tipping points that may allow them to be dismantled.

Super Pumped opens with Uber's "X to the x" company-wide party in Las Vegas in October of 2015, which included the announcement of Uber's 14 company values. Value number 12, "Super Pumped," provides the title of this book. (The precise meaning of this value isn't clear, although cult-like devotion to the company is part of it.) But the book as a whole is also a biography of Travis Kalanick, Uber's now-ousted CEO and driving force through most of its existence.

Uber was not Kalanick's first startup. That was Scour, a search engine for file-sharing sites somewhat similar to Napster. Kalanick took venture capital for Scour under threat of a lawsuit from the VC and then lost control of the company, which was sold for parts in bankruptcy court after a lawsuit from the RIAA and MPAA. Kalanick then spent six years barely keeping his second startup, Red Swoosh, alive until it could be sold to Akami for $20 million and a personal profit of $2 million. Both of those experiences left him with a deep distrust of venture capitalists and a determination to keep control of any future company out of the hands of the money people. That sets up one of the themes of Uber's history: a governance structure that gave Kalanick near-total control with very few sanity checks.

If you're not familiar with the Bay Area tech culture or with startup finance, you may not know about the huge fight over control of startups. Historically, it was common for startup founders to give up majority control of their companies to early venture capital funders, and for those funders to then replace the management (and, some would argue, meddle with the company mission) once the company became more mature and was heading for an "exit" (a stock market IPO or acquisition, so-called because those events let early investors sell off their stake and "exit" the company with a profit). Google and Facebook are among the wildly successful companies that broke this mold and retained founder control. Those examples, plus the flood of additional money into tech startups, let more founders or early owners like Kalanick follow suit and refuse to give up a majority stake in the company.

This is an interesting debate because there are good arguments to be made for both models. On one hand, no one likes bankers, who are widely (and not entirely inaccurately) viewed as reluctantly necessary parasites. The process of bringing in professional management at the behest of the VC owners was often very disruptive, came with aggressive layoffs and reorganizations, and in some cases involved dismantling the business for parts or selling it to a competitor rather than continuing to develop a product. The founders usually had a vision for how the company could change the world, or at least its market, and while those visions were often dubious, that sort of mission and focus was often more appealing to the general employees of the company than the VC focus on a lucrative exit.

On the other hand... there's Travis Kalanick.

As Isaac explains, and which I didn't know before reading this book, Kalanick was not the founder of Uber. That's Garrett Camp, who had the initial idea and brought Kalanick on as an advisor. He was happy to mostly step aside early on, however, leaving Kalanick with uncontested control of the company. It's Kalanick who decided on the strategy of aggressive expansion, openly illegal flouting of taxi laws, political hardball, and massive runaway spending to try to break into Asian transportation markets. It's under Kalanick's watch that Uber built systems to hide their activity from police and government regulators. And Kalanick oversaw the culture of pervasive sexual harassment that led to a massive internal investigation and his eventual ouster.

One interesting thread of this book is an argument in favor of banker control, at least as the least-bad option if the alternative is someone like Kalanick. Investors may not be interested in making the world a better place, but they are interested in preserving their investment and not making negative front-page headlines, which means they're less likely to openly break laws, more likely to hire adult supervision, and more likely to make boring and conventional business decisions. It's quite the unappealing choice, though. One comes away from Super Pumped dubious that either Kalanick or his investors have any business being in charge of anything that affects other people's lives.

I obviously came to this book with my own biases and prejudices, and was not expecting to like Kalanick, but it's even worse than I expected. The moment that put my shoulders up around my ears came after Kalanick was recorded screaming at an Uber driver about company policies. When Kalanick was shown that video, Isaac describes him (via, to be clear, second-hand accounts; Isaac was not there) spending the rest of the night literally writhing on the floor, repeating how terrible of a person he is and asking what was wrong with him.

This is, to be explicit, not typically the behavior of someone who is genuinely apologetic about something they've done. This sort of over-the-top, theatrical apology and elaborate groveling is more typical of abusive people after they've been caught. It re-centers the moment away from the person who was abused and back on the abuser, making everything about their pain and their anguish. There are a lot of places in this book where Isaac is willing to ascribe Kalanick's actions to a deep-seated belief in the corruption of the taxi industry, determination to retain control of his company, or aspirations to transform transportation. This moment was when I decided that Isaac, despite his skeptical treatment, was being far too kind, and Kalanick is scary and dangerous. There's further reinforcement of this pattern later in the book when Kalanick attempts to write a message to the company after the Holder report on Uber's culture of sexual harassment was complete, and some very troubling glimmers of it in the small amount that Isaac reports about Kalanick's relationship with his former girlfriend.

Super Pumped is a detailed, mostly-chronological story of the rise of Uber under Kalanick, its growing financial struggles in Asia, its arrogance and political aggressiveness, and then the revelation and aftermath of multiple classes of illegal behavior. It closes with the last fight over control of Uber, one that Kalanick finally lost, and the naming of Khosrowshahi as the new CEO. The detail and clarity are the strengths of this book; the weakness is that Isaac is much more interested in pure reportage than analysis. Super Pumped is a chronological account of events and not much more; Isaac is focused on the process of reporting and the way stories broke rather than on broader implications for society as a whole.

That's forgivable, of course. Not every long-form journalist is (or should be) Michael Lewis. But for me that made Super Pumped good, not great, and not rising to the level of the best books of this type (The Smartest Guys in the Room and Bad Blood). Admittedly, as much of a disaster as Uber was (and arguably is), it's rather hard to compete with the sheer madness of Theranos.

The lack of more contextualization and broader analysis was one disappointment in this book. Another was Isaac's unwillingness to talk more directly about the red flags around Kalanick's behavior, instead deciding to report the facts as he knows them and let the reader draw their own conclusions. (I realize that my desire for the author to engage more directly in the topic is a personal preference that won't be shared by all readers.) A third isn't Isaac's fault: Neither Uber's story nor Kalanick's are over, so while Super Pumped reaches an adequate conclusion after Uber's IPO, I would have liked to read analysis of Kalanick's subsequent sale of all of his Uber stock and his new startup venture. We'll have to wait for that. (I would also love someone to ask him why, after walking away with several billion dollars, he's choosing to found another company, but I doubt I'd get a satisfactory answer.)

But, those disappointments aside, Super Pumped was compulsively readable and filled in numerous details that I'd not previously known. If you like this style of long-form journalism on disasters of capitalism, this is worth your attention.

Someday there is going to be a book like this about WeWork, and I'm going to read the hell out of that.

Rating: 8 out of 10

Planet DebianFrançois Marier: Encoding your WiFi access point password into a QR code

Up until recently, it was a pain to defend againt WPA2 brute-force attacks by using a random 63-character password (the maximum in WPA-Personal) mode). Thanks to Android 10 and iOS 11 supporting reading WiFi passwords from a QR code, this is finally a practical defense.

Generating the QR code

After installing the qrencode package, run the following:

qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"

substituting <SSID> for the name of your WiFi network and <PASSWORD> for the 63-character password you hopefully generated with pwgen -s 63.

If your password includes a semicolon, then escape it like this:

"WIFI:T:WPA;S:<SSID>;P:pass\:word;;"

since iOS won't support the following (which works fine on Android):

'WIFI:T:WPA;S:<SSID>;P:"pass:word";;'

The only other pitfall I ran into is that if you include a trailing newline character (for example piping echo "..." into qrencode as opposed to echo -n "...") then it will fail on both iOS and Android.

Scanning the QR code

On iOS, simply open the camera app and scan the QR code to bring up a notification which allows you to connect to the WiFi network:

On Android, go into the WiFi settings and tap on the WiFi network you want to join:

then click the QR icon in the password field and scan the code:

In-browser alternative

If you can't do this locally for some reason, there is also an in-browser QR code generator with source code available.

Rondam RamblingsThe mother of all buyer's remorse

[Part of an ongoing series of exchanges with Jimmy Weiss.] Jimmy Weiss responded to my post on teleology and why I reject Jimmy's wager (not to be confused with Pascal's wager) nearly a month ago.  I apologize to Jimmy and anyone who has been waiting with bated breath for my response (yeah, right) for the long delay.  Somehow, life keeps happening while I'm not paying attention. So, finally, to

,

Planet DebianRhonda D'Vine: Puberty

I was musing about writing about this publicly. For the first time in all these years of writing pretty personal stuff about my feelings, my way of becoming more honest with myself and a more authentic person through that I was thinking about letting you in on this is a good idea.

You see, people have used information from my personal blog in the past, and tried to use it against me. Needless to say they failed with it, and it only showed their true face. So why does it feel different this time?

Thing is, I'm in the midst of my second puberty, and the hormones are kicking in in complete hardcore mode. And it doesn't help at all that there is trans antagonist crap from the past and also from the present popping up left and right at a pace and a concentrated amount that is hard to swallow on its own without the puberty.

Yes, I used to be able to take those things with a much more stable state. But every. Single. Of. These. Issues is draining all the energy out of myself. And even though I'm aware that I'm not the only one trying to fix all of those, even though for some spots I'm the only one doing the work, it's easier said than done that I don't have to fix the world, when the areas involved mean the world to me. Are areas that support me in so many ways. Are places that I need. And on top of that, the hormones are multiplying the energy drain of those.

So ... I know it's not that common. I know you are not used to a grown up person to go through puberty. But for god's sake. Don't make it harder than it has to be. I know it's hard to deal with a 46 year old teenager, so to say, I'm just trying to survive in this world of systematic oppression of trans people.

It would be nice to go for a week without having to cry your eyes out because another hostile event happened that directly affects your existence. The existence of trans lives aren't a matter of different opinions or different points of view, so don't treat it like that, if you want me to believe that you are a person able of empathy and basic respect.

Sidenote: Finishing to write this at this year's #36c3 is quite interesting because of the conference title: Resource Exhaution. Oh the irony.

/personal | permanent link | Comments: 13 | Flattr this

Planet DebianJonathan Dowland: 8-bit

On Yesterday's Mary Anne Hobbs radio show she debuted a new track by Squarepusher, "Vortrack [Fracture Remix]", which you can now watch/listen to on YouTube:

This track really grabbed my attention. Later that day you you could buy it in a variety of formats and quality levels on Squarepusher's website.

One of the format/quality options was "8-bit Lossless WAV", which I thought was a joke, a poke in the eye of audiophiles. I was aware that he likely used some 8-bit instruments/equipment to write the tracks, but surely it was mixed in a more modern environment, and resampling down to 8-bit would result in something that sounded like mush.

But it seems the jokes on me; I bought the track and it's seemingly indistinguishable to the audio track on that YouTube video. And it really is 8-bit:

Input #0, wav, from 'Vortrack-001-Squarepusher-Vortrack (Fracture Remix).wav':
  Duration: 00:08:02.99, bitrate: 705 kb/s
    Stream #0:0: Audio: pcm_u8 ([1][0][0][0] / 0x0001),
    44100 Hz, 2 channels, u8, 705 kb/s

It even — losslessly — compressed down to a bitrate lower than a typical MP3:

Input #0, flac, from 'Vortrack-001-Squarepusher-Vortrack (Fracture Remix).flac':
  Duration: 00:08:02.99, start: 0.000000, bitrate: 313 kb/s
    Stream #0:0: Audio: flac, 44100 Hz, stereo, s16 (8 bit)

Planet DebianRuss Allbery: Review: On the Clock

Review: On the Clock, by Emily Guendelsberger

Publisher: Little, Brown and Company
Copyright: July 2019
ISBN: 0-316-50899-3
Format: Kindle
Pages: 317

Emily Guendelsberger was senior staff writer at Philadelphia City Paper when the paper was sold to a competitor for scrap and everyone who worked for it was laid off. She took that opportunity to investigate first-hand the working conditions of the modern American blue-collar job: a picker in an Amazon distribution center in Indiana, a customer-support call center in North Carolina, and a McDonald's in downtown San Francisco. The result is this book, one of the most engrossing pieces of long-form journalism that I've ever read.

On the Clock opens with a pop quiz. What does the term "in the weeds" mean to you?

If, like me, you come from the white-collar world, you're probably familiar with what Guendelsberger calls the academic definition: lost in the details, bogged down in unimportant minutia. But in the food service world, it means something different: overwhelmed with more customers and demands than you can handle at a reasonable pace. Which definition comes first to mind may be an indication of whether you've worked in food service, and thus a class marker in the United States. It's the second definition, as Guendelsberger shows throughout this book, that characterizes the modern blue-collar job.

You can make a lot of money explaining away the gap between data and reality in ways that flatter puzzled wealthy people. But if you've had a service job in the past decade, I'll bet that some of the answers are probably as obvious to you as why millennials aren't buying yachts. I'll spend the next few hundred pages trying to make it just as obvious to all you readers, but the short answer? The bottom half of America's labor market lives in the weeds. All the time.

And the weeds are a terribly toxic place for human beings. The weeds make us crazy. The weeds make us sick. The weeds destroy family life. The weeds push people into addiction. The weeds will literally kill you. And people fortunate enough to have good jobs making policy or writing op-eds seem to have no idea how crippled a life with no escape from the weeds is.

This is the thesis that Guendelsberger develops over the course of three very different jobs. Two involve intense human interaction; one (the Amazon picker job) involves almost no human interaction at all. One is physically strenuous; another is a desk job. Only one of them is in food service. But the common point of all three is that they are timed with machine-driven ruthlessness, are obsessed with "time theft" by the employee (an entire sociological research project, and a political party, could be based on that phrase), and are scheduled so that the workers stay in the weeds essentially continuously during their shifts.

I did plenty of research beforehand, and I'd heard crazy things about how stressful each job would be — each in its own special way, like Tolstoy's unhappy families. But at each of them, technology made it impossible to escape the weeds. And every time, my thorough research totally failed to prepare me for how dehumanizing the job felt.

The focus of this book is detailed reporting of the experience of each job, starting with the initial training, and Guendelsberger's own reactions to that experience. But she also provides the reader with context and background, allowing the reader to generalize from the specific to the systemic and trace the origins of the system back in time. There is a lot in this book about the origins of scientific management and Taylorism. Even if you were already familiar with Frederick Winslow Taylor, as I was, you're likely to learn more about the history of work performance monitoring and quotas.

Even better, Guendelsberger interviews other workers in these jobs, tests her assumptions against their opinions, describes their lives, and reports the observations of those who love these jobs. This ability to both put forward her own opinion and also report the opinions of those who are able to thrive in this environment, without losing the overall context, is a sign of great investigative journalism. It also adds more memorable characters to the book: the woman with PTSD and anxiety who found work as an Amazon warehouse picker ideal for distracting her brain, the people who travel the country taking seasonal work and living in tents, the McDonald's worker who tells Guendelsberger to think of her family and walk away from any confrontation with a customer, and so many more.

The turnover in these jobs is almost unimaginable, so it's worth being aware, when reading these sections, that anyone who survives the first couple of weeks is in a tiny minority. These interviews are therefore biased towards people who cope with these jobs unusually well, which underscores the implications of how difficult most of Guendelsberger's coworkers still find them.

It's worth mentioning here that On the Clock includes a detailed ethics statement about how Guendelsberger did reporting for this book, what she surreptitiously recorded and what she didn't, why she made those choices, who she told she was a reporter (which includes all of her coworkers who appear in the book), and how she reconstructed conversations with her coworkers. This is the first time I've seen this type of ethics statement in long-form journalism of this type, and now I'm wondering why there isn't one in every book like this.

The highlight of this book is Guendelsberger's ability to give the reader a feeling for each job as a life: the funny moments, the difficulties, the horrors, the good and bad coworkers, the attempt to find somewhere to live, and the experience of fitting life around the job. One example I'll remember is that she was doing this research during the run-up to the 2016 election. She is a politically engaged person, a reporter who paid close attention to the news, but found that months went by during which she completely lost track of politics, current events, and the campaign. There just wasn't time or energy left to care about politics. There's a lesson in that for those of us who moralize about political engagement and people who don't vote.

Equally memorable were the complex arrangements and juggling and family support that her coworkers needed, relied on, and provided to others (including her) to help each other survive. Guendelsberger was barely keeping her head above water and only needed to support herself; many of her coworkers were raising and supporting children while doing these jobs. If you ever believed that people work low-paid jobs because they are lazy, On the Clock should permanently put that belief to rest. It also destroys the belief that these jobs are low-skill. The amount of skill demonstrated by the workers who survive the horrific turnover is amazing: short-term memory for fast-food workers, for example, or navigating amazingly awful computer UIs for customer support while simultaneously holding a conversation. It's just that most of those skills aren't easily transferable or aren't good resume fodder.

Speaking of awful computer UIs, the section on customer support work was almost painful to read as someone who works in the computer industry. For every call, the agents have to launch multiple independent programs, each with their own logins, and cut and paste information from various programs into others to bring up the necessary screens, all while greeting the caller and hearing the initial description of their problem. The system is not so much badly designed as not designed at all, just cobbled together from multiple systems with complete indifference to the user experience of the agents. The requirement that support agents repeatedly try to sell every caller on new products and services in order to get paid a livable wage is objectively worse (and worth remembering whenever you have to call customer support), but the refusal to invest a small amount of development work to make the tools work smoothly is professionally infuriating.

There is so much truly horrible software in the world that only people who work poorly-paid jobs for large corporations (or medical offices) ever see.

I've barely touched the surface on the great parts of this book. I could go on for hours about how good this is (and have, twice, to friends). It's a truly exceptional piece of investigative journalism that provides reporting, political analysis, personal stories, and fascinating profiles all at the same time. If you want to understand working-class America and aren't part of it, stop reading the endless New York Times interviews of people in diners and read this instead.

This is the best non-fiction book I've read this year, and is more valuable than innumerable opinion columns about the economic state of the country or the changing nature of work. More of this kind of reporting, please.

One parting thought: While writing this review, I looked through Guendelsberger's Twitter feed and noticed that, of the three jobs, the one people overwhelmingly want her to come on programs and talk about appears to be the Amazon job. To me, this highlights a point that Guendelsberger herself makes in the book. Amazon gets a lot of press because Amazon is new, rich, and ubiquitous among the people who read the news media writing these articles. But Amazon is in no way uniquely bad, just large and well-organized. They may be slightly ahead of the curve in bringing close monitoring to warehouse work, but this is an industry-wide practice. The other two jobs were in many ways worse — it's hard to describe how emotionally toxic call center work is, although Guendelsberger does an excellent job — but a few companies like Amazon get all the press and focus.

We need to stop thinking about this as a story of a few rich bad actors, and instead start thinking about it as a sweeping change in the nature of work that affects half the population and demands similarly systemic answers.

Rating: 10 out of 10

Krebs on SecurityRansomware at IT Services Provider Synoptek

Synoptek, a California business that provides cloud hosting and IT management services to more than a thousand customers nationwide, suffered a ransomware attack this week that has disrupted operations for many of its clients, according to sources. The company has reportedly paid a ransom demand in a bid to restore operations as quickly as possible.

Irvine, Calif.-based Synoptek is a managed service provider that maintains a variety of cloud-based services for more than 1,100 customers across a broad spectrum of industries, including state and local governments, financial services, healthcare, manufacturing, media, retail and software. The company has nearly a thousand employees and brought in more than $100 million in revenue in the past year, according to their Web site.

A now-deleted Tweet from Synoptek on Dec. 20 warned against the dangers of phishing-based cyberattacks, less than three days prior to their (apparently phishing-based) Sodinokibi ransomware infestation.

News of the incident first surfaced on Reddit, which lit up on Christmas Eve with posts from people working at companies affected by the outage. The only official statement about any kind of incident came late Friday evening from the company’s Twitter page, which said that on Dec. 23 it experienced a “credential compromise which has been contained,” and that Synoptek “took immediate action and have been working diligently with customers to remediate the situation.”

Synoptek has not yet responded to multiple requests for comment. But two sources who work at the company have now confirmed their employer was hit by Sodinokibi, a potent ransomware strain also known as “rEvil” that encrypts data and demands a cryptocurrency payment in return for a digital key that unlocks access to infected systems. Those sources also say the company paid their extortionists an unverified sum in exchange for decryption keys.

Sources also confirm that both the State of California and the U.S. Department of Homeland Security have been reaching out to state and local entities potentially affected by the attack. One Synoptek customer briefed on the attack who asked to remain anonymous said that once inside Synoptek’s systems, the intruders used a remote management tool to install the ransomware on client systems.

Much like other ransomware gangs operating today, the crooks behind Sodiniokibi seem to focus on targeting IT providers. And it’s not hard to see why: With each passing day of an attack, customers affected by it vent their anger and frustration on social media, which places increased pressure on the provider to simply pay up.

A Sodinokibi attack earlier this month on Colorado-based IT services firm Complete Technology Solutions resulted in ransomware being installed on computers at more than 100 dentistry practices that relied on the company. In August, Wisconsin-based IT provider PerCSoft was hit by Sodinokibi, causing outages for more than 400 clients.

To put added pressure on victims to negotiate payment, the purveyors of Sodinokibi recently stated that they plan to publish data stolen from companies infected with their malware who elect to rebuild their operations instead of paying the ransom.

In addition, the group behind the Maze Ransomware malware strain recently began following through on a similar threat, erecting a site on the public Internet that lists victims by name and includes samples of sensitive documents stolen from victims who have opted not to pay. When the site was first set up on Dec. 14, it listed just eight victims; as of today, there are more than two dozen companies named.

,

Planet DebianSteinar H. Gunderson: Introduction to the Unicode Collation Algorithm

Programmers love to sort things. We discuss sorting algorithms, big-O notation, when sorting pointers or values is better, parallelism, whether being able to discuss sorting algorithms and big-O notation makes you a better programmer or not… but today, I'm going to be talking about the comparison function. Usually, we sort of take it for granted, even when sorting strings, but for anything but the most trivial examples, the standard memcmp()-like algorithm (lexical comparison of bytes) will produce undesired results. What we need is the Unicode Collation Algorithm, or UCA.

A word of warning first: Superficial knowledge of Unicode and collations gives a high risk of being a loud and boring person who wants to flaunt their own superficial knowledge of Unicode and collation. Don't be that guy.

With that out of the way… Let's discuss first a bit what we want. We want a universal and consistent way of comparing strings that match what users intuitively expect. (Note that comparison includes both “is before” and “is equal”.) Of course, different users expect different things, so we must also be able to parametrize the algorithm (so-called tailoring), but I won't be talking much about it.

Just comparing Unicode code points (which, for UTF-8 is exactly the same thing as comparing bytes) will inevitably end up in disaster. For instance, most users will accept that “René” should sort before “Renoir”, but é is U+0072 and o is U+006F, so you'd get the opposite order. Similarly, even in a case-sensitive collation, where “linux” and “Linux” are unequal, they should probably sort together (ie., they should not be split by “Windows”, even though W is between l and L). (Don't think about hacks like NFD normalization, removing accents or folding case before sorting, because you're not likely to be getting it right. Stick with the UCA.)

So the UCA, sans tailoring, works on a simple principle: First compare all base forms, then all accents, then all case. (This isn't the entire story, and the nomenclature is different, but I'm simplifying.) For instance, “A” to Unicode would have the base form “a” (“first level”), the accent “none” (“second level”), and the case “upper case” (“third level”). If you want a case-insensitive collation, you simply drop the third level, and if you also want an accent-insensitive collation, you drop the second one.

UCA's output for each string is conceptually a weight string, consisting of a series of 16-bit weights (values) which you can then sort in binary—but often, it will be better just to generate the weights for both strings on the fly and stop once they differ, especially if they're long and you're not comparing them a lot of times. So you look up each code point in a big table (the so-called DUCET) and output them piece by piece. So first you output the first-level weights (typically one or more for each code point), then a separator, then the second-level ones, then a separator, and then finally the third-level ones. Certain code points may be ignorable (should have no output) on a given level; e.g. COMBINING RING ABOVE has no base shape, so it outputs nothing on the first level. Similarly, certain code points may turn into multiple weights; think e.g. of the fi ligature fi (U+FB01), which outputs the same primary level weights as “f” followed by “i” does, or é, which has exactly the same weights as “e” followed by COMBINING ACCUTE ACCENT (which makes a lot of sense when you understand that strings should sort equal independent of their Unicode normalization!).

Of course, most people don't really do this themselves; they just link to ICU, which handles this directly for you (unlike, say, the C or Java standard libraries, which don't). It can also deal with tailoring, which comes into play when you want to deal with language-specific rules. For instance, “å” to me as a Norwegian is a completely distinct letter from “a” and thus should be different from it on the primary level, but to English speakers, the ring is just an accent and shouldn't produce a difference before the second level. Similarly, French has a (to me, bizarre!) rule that accents should be sorted from the back (the example UCA gives is “côte < coté” instead of the other way round, because e < é on the second level, and that is compared before the o < ô difference, due to accent reversal). There's also contractions (e.g., Norwegian sorts “aa” equal to “å” on the primary level) and plain changing of weights and other weird stuff.

That's really all there is to it! But just use ICU. Be happy.

Planet DebianShirish Agarwal: Indian Economy, NPR, NRC and Crowd Control – Part 1

I dunno whether this would be a short or a long post but as the NPR, NRC seem to be deeply linked to how the Indian Economy is at the moment, I would say that the energy and the political capital the Government is putting into wrong things . Why I say that, I will attempt to use studies, data and newspaper reports to share what the issues are and where the Government should have been looking at and instead where it is using its energy and why it’s wrong.

State of Indian Economy

While it is by and large recognized by everyone that the Indian Economy is in slow-down or perhaps beginning a recession, a recent working paper by Arvind Subramaniam and Josh Felman who tell how the Indian economy is doing or not doing. While I’ll not go into many details as the paper itself is quite interesting, I would like to draw attention to couple of things .

While I have shared the working paper as well, one of the more interesting graphs I found in the paper is the one I am sharing below –

Difference between Interest and Profit

Now the sad and interesting part of that graph as shown above is that entrepreneurs, business houses etc. would be paying more to service debt rather than making profit. So, in essence, if an entrepreneur decided not to do any businesss today, he would be much better off than taking efforts, taking all the risks and still spend money out of his pocket to service debt instead of making profits. Of course the transmission of why lower interests given to banks are not reaching to the businessman have been more than effectively shared by the working paper so will not go into that. I have to commend Dr. Arvind and Mr. Josh for making the paper so simple so reading it even once or twice is enough to grasp the issues which threaten the Indian economy, this is when I have read and have been reading such papers about the Indian and International markets in my spare time.

There is another part however which hasn’t been really answered as the point being made in the working paper is that private banks are better than public sectors banks at either risk management or other things but there is no evidence shared which bears that out. One could argue, in fact the opposite. Private banking is much more opaque and there has been no discussion on how such banks are supposed to fill the needs of the millions of the customers and potential customers. The social welfare of banking that Public banking fulfills, how Private banking is supposed to do that is not told. India is still a very much an under-banked market. While Dr. Arvind and Mr. Josh have shared a bit about direct benefit transfers, they haven’t talked anything about the needs of the MSME sector or even how DBT would work in real life. As have been in Airtel Payment banks and others, most private banks have at one time or the other violated rules and norms. I am not going to get into great lengths but there are possibly about a dozen or two-dozen well-known scandals with private banks where people have lost money. The Great 2008 financial crash itself was made by private individuals, companies who were doing risky products and even after the crash, riskier derivative financial products seem to thrive in the American market. As far as regulatory bodies in India, such as the banking ombudsman or RBI is concerned, they seem to behave very similarly to SEBI and other regulatory bodies which doesn’t bode well for the Indian economy.

V.G. Siddhartha and CCD story

Apart from the working paper, there have been other things happening which don’t tell or paint a good picture of the Indian economy. For e.g. I am sure some of the readers may have remembered my blog post about V.G.Siddhartha . For those who might not know Mr. Siddhartha, the gentleman was the owner of CCD or Cafe Coffee Day. He committed suicide in July 2019. I, alongwith several thousand users, patrons, entrepreneurs who were encouraged by his vision and rise were saddened by the news of his demise. There is a fact or news which I hadn’t shared on the blog post around that time. The whole tax authorities issue which started was that some gentleman who claimed that he was working for CCD or Mr. Siddhartha was caught with some cash. Another fact is that both Coca-Cola, Barista and others were interested to take over CCD so it isn’t far-fetched to assume or presume that the person who was caught with cash might have been planted by his competitors. Also the amount of cash, apparently a few crores which were found in CCD offices was not at all commensurate with the scale of business the gentleman was doing at. In part, his suicide was made by the Tax Department’s heavy-handedness and that continues even today.

Government’s approach to Business

Over the past few months, there have been lot of negative views and how the Government of the day views businesses and businessman. A recent example would prove my point. Do you know for instance, the Ministry of Corporate affairs (MCA) removed almost 2 million directors and about 0.4 million companies due to not filing either their KYC forms or not filing the annual returns. In fact, this news item has been buried and only some people who are interested in knowing such news are able to dig it up. Now while the Government says these are all bogus and shell companies and in fact the FM (Finance Minister) shared the same in Lok Sabha (the lower house of the parliament) shared the numbers while also in the same breath sharing that there never has been a definition of what a ‘bogus’ or sham company is. With the cost of real-estate and other things going up, many such small companies are using co-working spaces. In fact, even quite a few medium to large business houses have used co-working spaces especially as the overheads are low. Also what has not been mentioned that the costs of compliance has gone up while the window of compliance has gone down and there are all sorts of inefficiences and corruption that small companies have to deal with than with large companies.This will severely impact as more entrepreneurs will think to remain as entrepreneurs or as partnerships rather than become private companies and eventually public companies which are needed for a big country like India to fulfill the country’s needs and requirements. Also less competition means more monopoly and more possibilities of more companies coming from overseas and taking advantage of less competition. The other part is when companies are known to be penny stocks which thrive on false or fake news, no action has been taken. While there are probably hundreds of examples in the Indian Stock market, a recent example shared by Sucheta Dalal is enough to prove the point. Her link to stock manipulated where she has documented at least 100 more cases and no action taken by SEBI is case in point.

Now as far as competition is concerned, there are probably hundreds of examples, for e.g. all electronics comes either from China, Taiwan, Singapore or States. Neither the GOI has any concrete plans for the sector and more often than not just make noises so they can be seen as doing something rather than doing actually something. For e.g. Mr. Piyush Goyal recently made a statement that we should not be dependant on imported electronic goods. Now there is nothing new in this statement, this same statement has been told and shared almost for a decade, decade and a half by almost all political parties but no effective strategies and finances have been put in place to make other people invest in India. In fact, I was talking to a dear friend few days back and we were talking about negative interests which is there in Japan and many European countries as well as ECB and low interest rates in States and why don’t they invest in India and we came to the conclusion that perhaps other avenues such as Bangladesh and others seem to provide a much more stabler economic, policy and political environment than the one we see in India where there are flip-flops every so often, case in point the GST flip-flops among many others.

Political Capital and Remedies

The last 10 odd pages of the working paper delve upon possible solutions of how the issues need to be tackled have been shared by Dr. Arvind. Most of the solutions and recipes as shared by him are not new at all. They have been often documented often enough. What this Government had in 2014 and even in 2019 is the political capital which could have been used to push the reforms or changes shared by him. He has also mentioned co-operative federalism and I should say the art of negotiation that Mr. Vajpayee had vis-a-vis our current dispensation which seems to lack imagination or depth of any kind. While Dr. Arvind has tried to end it on a positive note, that only can happen if the Government appears to engage with the opposition and try to find answers rather than doing the my way or highway attitude that the Government currently has. Part -2 will be more about the whole NPR, NRC issue and the agitations which are happening in that regard.

CryptogramFriday Squid Blogging: New Species of Bobtail Squid

Euprymna brenneri was discovered in the waters of Okinawa.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet DebianJonathan Dowland: Debian's init system GR

Debian is currently conducting a vote on a General Resolution entitled Init systems and systemd. I had a few brief thoughts about the circumstances around this that I wanted to share.

I like systemd and I use it on all of my systems. That said, I have some concerns about it, in particular the way it's gradually eating up so much other systems software. The opportunity for alternatives to exist and get feedback from interested users seems important to me as a check and balance and to avoid a monoculture. Such an environment should even help to ensure systemd remains a compelling piece of software. The question that this GR poses is really whether Debian should be a place where alternatives can exist. In answering that question I am reminded of the mantra of Extinction Rebellion. I appreciate that is about a far more important topic, but it still seems pertinent: If not us, who? If not now, when?

What is Debian for, anyway? Once upon a time, from a certain perspective, it was all counter-cultural software. Should that change? Perhaps it already has. When I was more actively involved in the project, I watched some factions strive to compete with alternative distributions like Fedora. Fedora achieves a great deal, partly by having a narrow and well-defined focus. With the best will in the world, Debian can't compete at that game. And why should it? If Fedora is what you want, then Fedora is right there, go use it!

In the UK we are also about to vote in a General Election. As happens often in FPTP voting systems, the parties are largely polarized around a single issue, although one side of that issue is more factionalised than the other. And that side stands to lose out, as the vote is diluted. This Debian GR is in a similar situation, although not as bad since Debian doesn't use FPTP. But I could understand fellow developers, not as deeply invested in the issue as those who have proposed options, getting fatigued trying to evaluate them. For pro-systemd/anti-alternative folks, the choice is easy: First-choice the one (or two) positions that express that, and rank the majority under "further discussion". For those at the other pole, this strategy is risky: those folks want their transferable vote to move to the most popular option, and so must not succumb to voter fatigue.

Whatever your position, if you hold the power to vote, please take time to evaluate the options and use it.

Planet DebianJoey Hess: 2020 hindsight

(Someone stumbled upon my 2010 decade retrospective post and suggested I write a followup...)

This has been a big decade for me.

Ten years ago, I'd been in an increasingly stale job for several years too long. I was tired of living in the city, and had a yurt as a weekend relief valve. I had the feeling a big change was coming.

Four months on and I quit my job, despite the ongoing financial crisis making prospects poor for other employment, especially work on free software.

I tried to start a business, Branchable, with liw, based on my earlier ikiwiki project, but it never really took off. However, I'm proud it's still serving the users it did find, 10 years later.

Then, through luck and connections, I found a patch of land in a blank spot in the map with the most absurd rent ever ($5/acre/month). It had a house on it, no running water, barely solar power, a phone line, no cell service or internet, total privacy.

This proved very inspiring. Once again I was hauling water, chopping wood, poking at web pages on the other end of a dialup modem. Just like it was 2000 again. Now I was also hacking by lantern-light until the ancient batteries got so depleted I could hear the voltage regulator crackle with every surge of CPU activity.

I had wanted to learn Haskell, but could never concentrate on it enough. I learned me some Haskell and wrote git-annex, my first real world Haskell program, to help me deal with shuttling data back and forth from civilization on sneakernet.

After two idyllic years of depleting savings, I did a Kickstarter for git-annex and raised not much, but I was now living on very little, so that was a nice windfall. I went full crowdfunding for a couple of years. After a while, I started getting contracting work, supplementing the croudfunding, as git-annex found use in science and education. Both have continued ever since, amazingly.

I was free to do whatever I wanted to. A lot of that was git-annex, with some Debian, and some smaller projects, too many to list here.

Then, mid-decade, I left the Debian project. I'm still sad, still miss everybody, but I also think, had I not been so free, I would not have been able to leave it. It had driven most of my career before this point. I was lucky to be able to leave Debian. 💧

Adding to the stress of that, my patch of countryside was being sold out from under me. I considered moving to some city, but the income that's freeing here would be barely getting by there. Instead, I bought the place, using git-annex income, plus a crucial loan from a wonderful friend.

That changed how I dealt with being offgrid. Before it was an interesting constraint, something to adapt to, an added texture to life. Now it's all of those and also a source of inspiration and learning. How to install solar panels on a roof. How to wire things to code. Circuit design. Plumbing. Ditch digging. With my offgrid fridge project, things are feeling interdisciplinary in ways my work has not been before.

From here at its end, this decade feels both inevitable and highly unlikely. Now I feel.. comfortable. Settled. Surely older. More unsure of myself than ever really, nearly everything is more complicated than I used to think it was. Maybe a little stuck? But not really.

I'm planting fruit trees, something says I will be here to enjoy them. But times are getting beyond interesting. Anything could be around the corner.

Planet DebianSam Hartman: Music for Debian

December has been a difficult month for me and I think for Debian as a whole. It was strongly suggested to me that I (and Debian in general) needed more music. I'm reminded of the fun I had dancing with you all at DebConf. It's been a while since I dug out my DJ kit. But Dec 25, I pulled it out and spent a couple of hours looking at some of the tracks that came out since I last DJed. And then I put together a mix. I had fun. Perhaps you'd like a little more music in your holiday. If so, I join you on the (virtual) dance floor.

Worse Than FailureError'd: Cthulhu Fhtagn to Continue

"I'm not sure if Barcelona Metro is asking for my ticket or a blood sacrifice," Paweł S. writes.

 

Scott M. wrote, "I know VBA is considered to be a venerable language, but ...old enough to run on the Commodore PET?

 

"I don't know about you, but I would LOVE to spend anywhere between negative two and three thousand dollars," writes Alex S.

 

"12.09€ for a mouse and a pair of Adidas trainers? What a deal! ...oh wait...could we lose the recipient? Nevermind, no worries here," Vivia N. wrote.

 

Pascal writes, "Today I learned that Google Translate will sometimes adjust email addresses."

 

Bruce T. writes, "I recieved a deluge of emails from a Car Hire insurance provider (6 in total in the space of 4 minutes) and, oddly enough, each email appears to have completely failed in the templating engine or mail merge job."

 

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

,

LongNowThe Enlightenment is Dead, Long Live the Entanglement

Quantum entanglement. (Courtesy: iStock/Traffic-Analyzer)

We humans are changing. We have become so intertwined with what we have created that we are no longer separate from it. We have outgrown the distinction between the natural and the artificial. We are what we make. We are our thoughts, whether they are created by our neurons, by our electronically augmented minds, by our technologically mediated social interactions, or by our machines themselves. We are our bodies, whether they are born in womb or test tube, our genes inherited or designed, organs augmented, repaired, transplanted, or manufactured. Our prosthetic enhancements are as simple as contact lenses and tattoos and as complex as robotic limbs and search engines. They are both functional and aesthetic. We are our perceptions, whether they are through our eyes and ears or our sensory-fused hyper-spectral sensors, processed as much by computers as by our own cortex. We are our institutions, cooperating super-organisms, entangled amalgams of people and machines with super-human intelligence, processing, sensing, deciding, acting. Our home planet is inhabited by both engineered organisms and evolved machines. Our very atmosphere is the emergent creation of forests, farms and factories. Our networks of commerce, power and communications are becoming as richly interconnected as ecologies and nervous systems. Empowered by the tools of the Enlightenment, connected by networked flows of freight and fuel and finance, by information and ideas, we are becoming something new. We are at the dawn of the Age of Entanglement.

Antoine Lavoisier conducting an experiment related to combustion generated by amplified sun light

In the last age, the Age of Enlightenment, we learned that nature followed laws. By understanding these laws, we could predict and manipulate. We invented science. We learned to break the code of nature and thus empowered, we began to shape the world in the pursuit of our own happiness. We granted ourselves god-like powers: to fly, to communicate across vast distances, to hold frozen moments of sight and sound, to transmute elements, to create new plants and animals. We created new worlds entirely from our imagination. Even Time we harnessed. The same laws that allowed us to explain the motions of the planets, enabled us to build the pendulum of a clock. Thus time itself, once generated by the rhythms of our bodies and the rhythms of the heavens, was redefined by the rhythms of our machines. With our newfound knowledge of natural laws we orchestrated fantastic chains of causes and effect in our political, legal, and economic systems as well as in our mechanisms. Our philosophies neatly separated man and nature, mind and matter, cause and effect. We learned to control.

ENIAC, (Electronic Numerical Integrator And Computer), the first electronic general purpose computer.

Eventually, in the ultimate expression of our Enlightenment exuberance, we constructed digital computers, the very embodiments of cause and effect. Computers are the cathedrals of the Enlightenment, the ultimate expression of logical deterministic control.¹ Through them, we learned to manipulate knowledge, the currency of the Enlightenment, beyond the capacity of our own minds. We constructed new realities. We built complex algorithms with unpredictable behavior. Thus, within this monument to Enlightenment thinking, we sowed the seeds of its demise. We began to build systems with emergent behaviors that grew beyond our own understanding, creating the first crack in the foundation.

The second threat to the foundation of the Enlightenment was in the institutions we created. Our communication technology allowed us to build enterprises of unimaginable scope and capability. A modern corporation or NGO has tens of thousands of people, most of whom have never met one another, who are capable of coordinated action, making decisions that shape the world. Governments are even larger. New kinds of self-organizing collaborations, enabled by our global communications networks, are beginning to emerge. All these kinds of enterprises can become more powerful than the individual humans that created them, and in many senses, they have goals of their own. They tend to act in ways that increase their control of resources and enhance their own survival. They are able to perceive and process far more information than a single human, manipulate more matter and energy, act in more ways and places, command more power, and focus more attention. The individual is no longer the most influential player on the world stage.

As our technological and institutional creations have become more complex, our relationship to them has changed. We now relate to them as we once related to nature. Instead of being masters of our creations, we have learned to bargain with them, cajoling and guiding them in the general direction of our goals. We have built our own jungle, and it has a life of its own.

Photo by Franck V. on Unsplash

The final blow to the Enlightenment will come when we build into our machines the power to learn, adapt, create and evolve. In doing so, we will give them the power to surpass us, to shape the world and themselves in ways that we never could have imagined. We have already given our institutions the ability to act on our behalf, and we are destined to have the same uneasy balance of power with our machines. We will make the same attempts to build in checks and balances, to keep their goals aligned with ours. We will face similar challenges. In doing so we need to move far away from the understandable logic of Enlightenment thinking, into something more complicated. We will worry less about the unpredictable forces of nature than about the unpredictable behaviors of our own constructions.

Neri Oxman’s “Silk Pavilion” was made by 6,500 computer-guided silkworms. Photo by Markus Kayser

So what is this brave new world that we are creating, governed neither by the mysteries of nature or the logic of science, but by the magic of their entanglement? It is governed by the mathematics of strange attractors. Its geometry is fractal. Its music is improvisational and generative rather than composed: Eno instead of Mozart. Its art is about process more than artifact. Its roots are in Grey Walter’s cybernetic tortoises,² Marvin Minsky’s randomly wired SNARC learning machine,³ and Nicholas Negroponte’s Seek,⁴ in which the architecture of a living space emerged from the interaction of a observant robot with a horde of gerbils. The aesthetic of the Entanglement is the beauty that emerges from processes that are neither entirely natural nor artificial, but blend the best of both: the webs of Neri Oxman’s silk worms,⁵ ⁶ spun over a robot-wired mesh; the physical telepresence of Hiroshi Ishii’s tactile displays⁷ ⁸ or his living bioLogic fabric.⁹ We can no longer see ourselves as separate from the natural world or our technology, but as a part of them, integrated, codependent, and entangled.

Unlike the Enlightenment, where progress was analytic and came from taking things apart, progress in the Age of Entanglement is synthetic and comes from putting things together. Instead of classifying organisms, we construct them. Instead of discovering new worlds, we create them. And our process of creation is very different. Think of the canonical image of collaboration during the Enlightenment: fifty-five white men in powdered wigs sitting in a Philadelphia room, writing the rules of the American Constitution. Contrast that with an image of the global collaboration that constructed the Wikipedia, an interconnected document that is too large and too rapidly changing for any single contributor to even read.

A beautiful example of an Entanglement process is the use of simulated biologically-inspired algorithms to design artificial objects through evolution and morphogenesis. Multiple designs are mutated, bred and selected over many generations in a process analogous to Darwinian selection. The artifacts created by such processes look very different from those produced by engineering.¹⁰ An evolved motorcycle chassis will look more like a pelvic bone than a bicycle frame.¹¹ A computer program produced by a process of evolutionary design may be as difficult to understand as a neural circuit in the brain. Thus, the artifacts that are designed by these biologically-inspired processes take on both the beneficial and the problematic characteristics of biological organisms.¹² Their beauty is in their functional adaption. This is the elegance of the Entanglement: a new expression of beauty emerging from process. In an Entangled design process, the humans will often have input without control; for example, they may influence aesthetic choices by participating in the selection process or by tuning parameters. Such processes lend themselves to collaboration among multiple machines and multiple humans because the interfaces between the parts are fluid and adaptive. The final product is very much a collaborative effort of humans and machines, often with a superior result. It may exhibit behaviors that are surprising to the humans. Some of these behaviors may be adaptive. For example, early walking machines evolved on the Connection Machine took advantage of an obscure round-off error in the floating-point unit that the human programmers did not even know existed.¹³ In this sense, artifacts created by the entangled processes may have some of the robustness of a biological organism, as well as some of the surprise and delight.

Besides displaying the organic beauty of organisms, such designs may also exhibit their complex inscrutability, since it may not be obvious how the features in the artifact correspond to the functional requirements. For example, it may be difficult to tell the purpose of a particular line of code in an evolved program. In fact, the very concept of it having a specific purpose is probably ill-formed. The notion of functional decomposition comes from the engineering process of arranging components to embody causes and effects, so functional intention is an artifact of the engineering process. Simulated biological processes do not understand the system in the same sense that a human designer does. Instead, they discover what works without understanding, which has both strengths and weaknesses. Entanglement artifacts are simultaneously artificial and natural; they are both made and born. In the Age of Entanglement, the distinction has little significance.

As we are becoming more entangled with our technologies, we are also becoming more entangled with each other. The power (physical, political, and social) has shifted from comprehensible hierarchies to less-intelligible networks. We can no longer understand how the world works by breaking it down into loosely-connected parts that reflect the hierarchy of physical space or deliberate design. Instead, we must watch the flows of information, ideas, energy and matter that connect us, and the networks of communication, trust, and distribution that enable these flows. This, as Joshua Ramo¹⁴ has pointed out, is “the nature of our age.”

So what are we to think about this new relationship with our technology and with each other? Should we fear it or embrace it? The answer is both. Like any new powerful force in the world, like Science, it will be used for both good and evil. And even when it is intended to be used for good, we will make mistakes. Humanity has been dealing with this conundrum ever since the first cooking fire got out of control and burned down the forest. Recognizing this does not absolve us from our responsibility, it reminds us why it is important. We are remaking ourselves, and we need to choose wisely what we are to become.


Hillis, D. (2016). The Enlightenment is Dead, Long Live the Entanglement. Journal of Design and Sciencehttps://doi.org/10.21428/1a042043. Redistributed under Attribution 4.0 International (CC BY 4.0). Images have been added.

Footnotes

[1] Ramo, J.C. The Seventh Sense: Power, Fortune, and Survival in the Age of Networks.

[2] Augmented Age. Autodesk University. 11906.

[3] Augmented Age. Autodesk University. 11906.

[4] bioLogic: Natto Cells as Nanoactuators for Shape Changing Interfaces. 1–10.

[5] CAD Is a Lie: Generative Design to the Rescue. Jan. 6.

[6] Control of a Powered Ankle–Foot Prosthesis Based on a Neuromuscular Model. IEEE TRANSACTIONS ON NEURAL SYSTEMS AND REHABILITATION ENGINEERING,. 20, 2.

[7] Evolving 3D Morphology and Behavior by Competition. Artificial life. 1, 4, 353–372.

[8] Physical telepresence: shape capture and display for embodied, computer-mediated remote collaboration. 461–470.

[9] Robotically controlled fiber-based manufacturing as case study for biomimetic digital fabrication. Green Design, Materials and Manufacturing Processes, CRC Press (London). 473–8.

[10] Seek.

[11] Shape Displays: Spatial Interaction with Dynamic Physical Form. Computer Graphics and Applications, IEEE. 35, 5, 5–11.

[12] Silk pavilion: a case study in fiber-based digital fabrication. Proc. Fabricate. 248–255.

[13] Talking Nets: An Oral History of Neural Networks. 304–305.

[14] Turing’s Cathedral: The Origins of the Digital Universe. ISBN 1400075998.

CryptogramChinese Hackers Bypassing Two-Factor Authentication

Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system.

How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will.

Normally, this wouldn't be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecureID software would generate an error.

The Fox-IT team explains how hackers might have gone around this issue:

The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim.

As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.

Worse Than FailureBest of…: Best of 2019: Temporal Obfuscation

It's the holiday season, and we use this opportunity to take a week and reflect on the best stories of the year. Here, we reach back to January for a tale of variable names and convention. --Remy

We've all been inflicted with completely overdesigned overly generalized systems created by architects managers who didn't know how to scope things, or when to stop.

We've all encountered premature optimization, and the subtle horrors that can spawn therefrom.

For that matter, we've all inherited code that was written by individuals cow-orkers who didn't understand that this is not good variable naming policy.

Jay's boss was a self-taught programmer from way back in the day and learned early on to write code that would conserve both memory and CPU compilation cycles for underpowered computers.

He was assigned to work on such a program written by his boss. It quickly became apparent that when it came to variable names, let's just say that his boss was one of those people who believed that usefully descriptive variable names took so much longer to compile that he preemptively chose not to use them, or comments, in order to expedite compiling. Further, he made everything global to save the cost of pushing/popping variables to/from the stack. He even had a convention for naming his variables. Integers were named I1, I2, I3..., strings were named S1, S2, S3..., booleans were named F1, F2, F3...

Thus, his programs were filled with intuitively self-explanatory statements like I23 = J4 + K17. Jay studied the program files for some time and had absolutely no clue as to what it was supposed to do, let alone how.

He decided that the only sane thing that could be done was to figure out what each of those variables represented and rename it to something appropriate. For example, he figured out that S4 was customer name, and then went through the program and replaced every instance of S4 with customer_name. Rinse and repeat for every variable declaration. He spent countless hours at this and thought that he was finally making sense of the program, when he came to a line that, after variable renaming, now said: account_balance = account_balance - zip_code.

Clearly, that seemed wrong. Okay, he must have made a mistake somewhere, so he went back and checked what made him think that those variables were account balance and zip code. Unfortunately, that's exactly what they represented... at the top of the program.

To his chagrin, Jay soon realized that his boss, to save memory, had re-used variables for totally different purposes at different places in the program. The variable that contained zip code at the top contained item cost further down, and account balance elsewhere. The meaning of each variable changed not only by code location and context, but also temporally throughout the execution of the program.

It was at this point that Jay began his nervous breakdown.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

,

Worse Than FailureBest of…: Classic WTF: The Glitch Who Stole Christmas

It's Christmas, and we're going to spend the next week remembering the best moments of 2019, but for now, let's go back to an old Christmas classic. Original.

Every Dev down in Devville liked Christmas a lot…
But the PM who lived in the corner office did NOT!
The PM hated Christmas! The whole Christmas season!
Now, please don’t ask why. No one quite knows his reason.
It could be his head wasn’t screwed on just right.
It could be, that his project timeline was too tight,
But I think the most likely reason of all,
May have been that his brain was two sizes too small.

Whatever the reason, his brain or his sprint,
He stood there on Christmas Eve, squinting a squint,
Staring down from his desk with a sour, PM grimace,
At the cold dark monitors around the office.

For he knew every Dev down in Devville beneath,
Was busy now, hanging a mistletoe wreath.
“And they’re hanging their stockings!”“ he snarled with a sneer
”The milestone’s tomorrow! It’s practically here!“
Then he growled, with his PM fingers nervously drumming,
”I MUST find some way to stop Christmas from coming!"
For tomorrow, he knew, all the Dev girls and boys,
Would wake up bright and early. They’d rush for their toys!

And then! Oh, the noise! Oh, the Noise!
Noise! Noise! Noise!
That’s one thing he hated! The NOISE!
NOISE! NOISE! NOISE!

Then, the devs, young and old, would sit down to a feast.
And they’d feast! And they’d feast! And they’d FEAST!
FEAST! FEAST! FEAST!

They would feast on Soylent, and rare energy drinks,
This was something the PM couldn’t stand to think,
And THEN they’d do something he liked least of all!

Every dev down in Devville, the tall and the small,
Would log on together, network lights blinking.
They’d stand, lan-on-lan. And the devs would start playing!
They’d play! And they’d play! And they’d PLAY!
PLAY! PLAY! PLAY!

And the more the PM thought of this dev Christmas-thing,
The more the PM thought, “I must stop this whole thing!”
“Why, for twenty-three years I’ve put up with it now!”
“I must stop this Christmas from coming! But HOW?”

Then, he got an idea! An awful idea!
The PM got a wonderful, awful idea!

“I know just what to do!” the PM laughed with a hoot,
And then he ran a command and made a server to reboot.
And he chuckled, and clucked, “What a great PM trick!”
“With the server down, they’ll need to come back in, and quick!”
“All I need is an outage…” the PM looked around.
But, since load balancers are robust, there was none to be found.

Did that stop the old PM? No! The PM simply said,
“If I can’t make an outage, I’ll fake one instead!”
So he fired up Outlook, made the font color red,
And typed out a message which frantically said:

“The server is down, the application has crashed,
The developers responsible should have their heads bashed!

Then the PM clicked SEND and the chain started down,
From the CEO to the devs, asnooze in their town.
All their windows were dark. Quiet snow filled the air.
All the devs were all dreaming sweet dreams without care.

Then he did the same thing to the other Devs’ projects,
Leaving bugs and errors and emails with scary subjects.
“The project is late, we surely are doomed,”
He wrote and sent and the emails zoomed.

And the PM grabbed the source tree and he started to skim,
When he heard someone asking, “Why are you in VIM?”
He turned around fast, and he saw a small Dev!
Little Tina-Kiev Dev, who was an SAII,
The PM had been caught by this tiny code enabler,
Who’d came to the office for her red stapler.

She stared at the PM and said, “Project Lead, why,”
“Why are you checking our source tree? WHY?”
But you know, that old PM was so smart and so slick,
He thought up a lie and he thought it up quick!
“Why, my sweet little tot,” the fake developer lied,
“A line in this code won’t lint and that commit’s denied”
“So I’m checking in a patch, my dear.”
“I’ll release it out there after I fix it up here.”
And this fib fooled the dev. Then he patted her head.
And he got her a red stapler and sent her to bed.

“Feh, feh to the devs!” he was PMishly humming.
“They’re finding out now that no Christmas is coming!”
“They’re just waking up! I know what they’ll do!”
“Their mouths will hang open a minute or two,”
“Then the devs down in Devville will all cry ‘Boo hoo!’”
“That’s a noise,” pipped the PM, “That I simply must hear.”

So he paused. And the PM put his hand to his ear.
And he did hear a sound rising over the snow.
It started in low. Then it started to grow.
But the sound wasn’t sad! Why this sounded merry!
It couldn’t be so! But it WAS merry! Very!

He stared down at Devville! The PM popped his eyes!
Then he shook! What he saw was a shocking surprise!

Every Dev down in Devville, the tall and the small,
Was playing! Without any calls at all!
He hadn’t stopped Christmas from coming! It CAME!
Somehow or other, it came just the same!

And the PM, with his PM-feet in sensible shoes,
Stood puzzling and trying to understand this news.
“I sent emails! I marked them important!”
“I filed tickets with statuses of urgent!”
And he puzzled three hours, till his puzzler was sore.
Then, the PM thought of something he hadn’t thought of before!

“Maybe Christmas,” he thought, “doesn’t disrupt my sprint,”
“Maybe Christmas… perhaps blocked days aren’t a misprint.”
And what happened then? Well… in Devville they say,
That the PM’s small brain grew three sizes that day!
And the minute his schedule didn’t feel quite so tight,
He whizzed out of the office through the bright morning light.

Happy Holidays!

Image credits:
Uses the following assets:

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

,

CryptogramToTok Is an Emirati Spying Tool

The smartphone messaging app ToTok is actually an Emirati spying tool:

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

ToTok, introduced only months ago, was downloaded millions of times from the Apple and Google app stores by users throughout the Middle East, Europe, Asia, Africa and North America. While the majority of its users are in the Emirates, ToTok surged to become one of the most downloaded social apps in the United States last week, according to app rankings and App Annie, a research firm.

Apple and Google have removed it from their app stores. If you have it on your phone, delete it now.

Worse Than FailureCodeSOD: Caga Tió

As we plow into the holiday season, it’s important to remember that each submission- each bit of bad code, each horror story, each personal confession- is its own little gift to us. And, when you write a bit of bad code, you can think of it as a gift for whoever follows you.

Photograph of a typical contemporary Tió

Georgeanna recently opened a gift. She was wondering how their logging layer managed its configuration. She assumed that it would just read it from the config file, but when she tried to change where the logging file got written, say, to report.log, it would turn into report.log.staging.log.

It wasn’t hard to figure out why:

if ($env === "staging") {
    $logpath = self::getLogPath();
    /* Since the staging environment uses the same .ini as the
    * production environment, do an override here. */
    self::$logfile = $logpath . "staging.log";
}

The comment sums it up. Instead of managing multiple configuration files and deciding which one to use when you deploy the code, this just used one single config file and then conditionals to decide what behavior to use.

This reminds me of a gift I opened once. I once worked for a company where every application was supposed to reference the standard Environment.dll, and then check isProd or isStaging or isDev and use conditionals to change behavior (instead of having a per-environment config file).

Worse still was what happened when I opened the DLL code: it just checked c:\environment.txt which had “prod”, “stage”, or “dev” written in it. No, it didn’t handle exceptions.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

,

TEDA dangerous woman: Pat Mitchell speaks at TEDWomen 2019

Pat Mitchell speaks at TEDWomen 2019: Bold + Brilliant, December 4-6, 2019, Palm Springs, California. Photo: Marla Aufmuth / TED

Pat Mitchell has nothing left to prove and much less to lose. Now more than ever, she cares less about what others say, speaks her mind freely — and she’s angry, too. She’s become a dangerous woman, through and through.

Not dangerous, as in feared, but fearless; a force to be reckoned with.

On the TEDWomen stage, she invites all women, men and allies to join her in embracing the risks necessary to create a world where safety, respect and truth burn brighter than the darkness of our current times.

“This is all possible because we’re ready for this. We’re better prepared than any generation ever before us,” she says. “Better resourced, better connected, and in many parts of the world we’re living longer than ever.”

On the cusp of 77 years old, Mitchell would know what it takes to make possibilities reality from her own career blazing an award-winning trail across media and television. Before she launched TEDWomen, she produced and hosted breakthrough television for women, and presided over CNN Productions, PBS and the Paley Center for Media, taking risks all along the way.

“I became a risk-taker early in my life’s journey. I had to, or have my life defined by the limitations for girls growing up in the rural South, especially … with no money, influence or connections,” she says. “But what wasn’t limited was my curiosity about the world beyond my small town.”

She acknowledges her trajectory was colored with gendered advice — become blonde (she did), drop your voice (she tried), lower your necklines (she didn’t) — that sometimes made it difficult to strike a balance between her leadership and womanhood. But now, declaring her pride as a woman leader, activist, advocate and feminist, she couldn’t care less what others say.

Even further, Mitchell states that women shouldn’t wait to be empowered — they must wield the power they already hold. What’s needed are more opportunities to claim, use and share it; for those who’ve forged their paths to reach back and help change the nature of power by dismantling some of the barriers that remain for those who follow.

Iconic playwright George Bernard Shaw, she shares, once wrote: “Life is not a brief candle to me. It is a sort of splendid torch which I have got hold of for a moment, and I want to make it burn as brightly as possible before handing it on to future generations.”

Pat Mitchell believes we’re more than equipped to move our communities forward, together. We have the funds, the technology and the media platforms to elevate each other’s stories and ideas for a better livelihood, a better planet.

And for Mitchell there’s no question that she walks in the same footsteps as Shaw’s, looking forward to a near future where we are willing to take more risks, to be more fearless, to speak up, speak out and show up for one another.

“At this point in my life’s journey, I am not passing my torch,” she says. “I am holding my splendid torch higher than ever, boldly and brilliantly — inviting you to join me in its dangerous light.”

Pat Mitchell speaks at TEDWomen 2019: Bold + Brilliant, December 4-6, 2019, Palm Springs, California. Photo: Marla Aufmuth / TED

Worse Than FailureOut Of Necessity

Cathédrale Saint-Étienne de Toulouse - chapelle des reliques - Confessionnal PM31000752

Zev, a longtime reader of The Daily WTF, has a confession to make.

It all started with the best of intentions. Zev works for a large company doing custom development; they use various databases and tools, but the most common tool they're asked to develop against is VBA for Microsoft Excel with an Access backend. One recent project involved data moving from an on-premise SQL Server solution to the cloud. This meant rebuilding all their reports to connect to an API instead of using ODBC to get the data. Enter Zev.

The cloud tool was pretty well developed. By passing in an API key, you could get data back in a variety of formats, including JSON, HTML, XML, and CSV. Obviously choice number one was JSON, which is quickly becoming the de facto language of APIs everywhere. Upon doing a quick survey, however, Zev found many of his users were stuck on Office 2013, which can't parse JSON natively.

No worries. There's always XML. Zev churned out a quick Excel file with an XML-map in it and used code to pull the data down from the API on demand. Now the hard part: plugging into Access. Turns out, in Office 2013, you can't use a network XML file as a data source, only a local one.

Well, Excel can feed the data into a table, which Access can read, but that takes longer. In Zev's case, far too long: minutes, for a relatively small amount of data. Okay, no problem; the code can download the XML to a local file, then connect to it as an XML table. Except that turns out to be no faster.

Zev's next try was to build Excel files for each of the queries, then connect Access to the Excel files as tables. Then he could add code to open and refresh the Excel files before using them. On some days, that took longer than the old way, while on other days it worked fine. And sometimes it managed to lose the Excel files, or they'd run into lock file issues. What gives?

Zev's testing concluded that the same query returning took twice as long via XML as it did via CSV, which makes sense: XML is about twice as fat as CSV. So the final product used VBA to download the data as a CSV file, then connect to the CSV file as a local Excel table through Access.

In Zev's own words:

My greatest fear is that someone will see this code and submit it to the Daily WTF and ask “why?”

We tried to use JSON, because it is the new hotness. But lo, our tools did not support it. We tried to use XML because it was the last hotness. But lo, it took too long to process. Shuddering and sobbing, we defaulted to CSV. And so we wrote code 20 years out of date, not out of hubris or lack of desire to learn, but out of cold, heartless, necessity.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Sam VargheseFast bowlers have lost their balls

There was a time in the 20th century when there were more class fast bowlers in the game of cricket than at any other. Between 1974 and 1994, pacemen emerged in different countries as though they were coming off an assembly line.

It made the game of cricket, which many call boring, an exciting spectacle.

From Dennis Lillee and Jeff Thomson, to Andy Roberts, Michael Holding, Colin Croft, Joel Garner, the late Malcolm Marshall, Imran Khan, Sarfraz Nawaz, Wasim Akram, Waqar Younis, Devon Malcolm, Bob Willis, Ian Botham, Allan Donald, Fanie de Villiers, Richard Hadlee, Courtney Walsh, Curtley Ambrose, Patrick Patterson and Craig McDermott, they were of several different types and temperaments as is to be expected.

But in one aspect they were all the same: they went out aiming to scare the batsmen into getting out and they mostly succeeded. At times, they resorted to verballing the batsmen as when Marshall reportedly told David Boon, “Are you going to get out or do I have to come around the wicket and kill you?”

Since the mid-1990s, the type of fast bowler who has been emerging has changed. There is an obsession with keeping the runs down, something which even started preoccupying the mind of Ambrose, once a bowler who had a deadly yorker that would send the stumps cartwheeling. The new brand of paceman was typified by Glenn McGrath who was overly keen on length and line and bored the hell out of those watching on.

During those two decades, there was every chance that there would be blood on the pitch before the day was out. After that, it became much less common.

True, since then we have seen the death of a batsman, Phillip Hughes, in first-class cricket in 2014, but that was due to an inadvertent accident rather than deliberate targeting by a bowler. It wasn’t a case of a bowler like Croft, an unpleasant man, who wouldn’t bother going over the wicket at all, but would come around the wicket right from the start of his spell. No, the man who caused Hughes’ death was Sean Abbott, not even one who bowls express pace, and one yet to ascend to the national ranks. A helmet with a flap at the back to protect Hughes’ neck would probably have saved him.

Where once the crowd looked for a particular paceman to come on and excite them, these days there are mostly yawns. And that’s because there is little to rouse the passions of those in the stands. The batsmen don’t need the kind of skills or bravery that players like Brian Close showed; on more than one occasion, the Englishman took repeated blows on the body in order to ensure that he did not lose his wicket.

These days, fast bowlers do not know how to get the ball to come up to the ribcage or chest and frighten the hell out of batsmen. There is a bunch of commentators who keep jabbering on about the speed of each ball, but when the bowler chooses to go past the off-stump or only focuses on keeping the runs down, what is the point? During the Ashes in 2019, there was much excitement when Jamaican-born Jofra Archer pinged Steve Smith on the noggin, flooring the Australian and ensuring that he would have to miss the next Test. But such occurrences are the exception, never the rule.

There were any number of spells bowled by pacemen in those 20 years which can be described as hostile. But since then, the cricket field has become a sedate place, where one is expected to be a gentleman, never a fierce competitor like Lillee, who once aimed a kick at the backside of Pakistan’s Javed Miandad. The latter charged down and tried to belt the moustachioed Australian with his bat. Oh, for a scene like that when Australia next plays a Test at home.

Things have got to the point that a few bouncers bowled during the first Test of the ongoing series resulted in the media resort to using the word “bodyline”. Yes, seriously! And we are talking here of bowlers like Tim Southee and Neil Wagner, more school teacher types, and hardly the sort to inspire fear in even a college XI. There is just one word for this: exaggeration.

This does not mean that bowlers cannot do their jobs well. No, they are efficient at winning games for their countries. Men like Mitchell Starc, Patrick Cummins and Jaspreet Bumrah take plenty of wickets and give Australia and India respectively an advantage. But it all ends there. You wouldn’t go to a ground specifically because one of them was going to figure in a game. On the other hand, it was well worth a trip to the ground to watch Holding skim over the surface with the grace of a ballet dancer, en route to creating havoc at the other end. The umpire hardly heard a sound as the man known as Whispering Death reached the crease and delivered the ball in one smooth motion.

So is cricket a better game today than it was in the 1970s, 1980s or 1990s? Most certainly not. There are a lot of international games, in all three formats. But it has become overly skewed in favour of the batsmen, to the extent that Australia even went to the extent of using sandpaper to roughen the ball in 2018 to try and get an advantage during a Test series against South Africa. Captain Steve Smith, David Warner and Cameron Bancroft spent some time away from the game for creating what came to be known as Sandpapergate.

I guess one has to be resigned to the placid spectacle. There is more than a little effort directed towards trying to hype things up by means of sound, colour and spectacle at the various grounds. But nothing will ever substitute for the sight of a Thomson thundering up to the crease, flinging his head back and hurling a projectile at some quivering batsmen 22 yards away. There was something earthy and primitive about it. Cricket is now too corporatised for there to ever be another Jeff Thomson.

,

Cory DoctorowParty Discipline, a Walkaway story (Part 4) (the final part!)

In my latest podcast (MP3), I conclude my serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

Here’s part 1 of the reading, here’s part 2, and here’s part 3.

We rode back to Burbank with Shirelle on my lap and one of my butt-cheeks squeezed between the edge of the passenger seat and the door. The truck squeaked on its suspension as we went over the potholes, riding low with a huge load of shopping carts under tarps in its bed. The carts were pretty amazing: strong as hell but light enough for me to lift one over my head, using crazy math to create a tensegrity structure that would hold up to serious abuse. They were rustproof, super-steerable and could be reconfigured into different compartment-sizes or shelves with grills that clipped to the sides. And light as they were, you put enough of them into a truck and they’d weigh a ton. A literal ton, and Jose—our driver’s—truck was only rated for a half-ton. It was a rough ride.

Our plan was to pull up on skid row and start handing out carts to anyone around, giving people two or three to share with their friends. Each truck had a different stretch we were going to hit, but as we got close to our spot, two things became very apparent: one, there were no homeless people around, because two, the place was crawling with five-oh. The Burbank cops had their dumb old tanks out, big armored MRAPs they used for riot control and whenever they wanted to put on a show of force, and there was a lot of crime-scene tape and blinking lights on hobby-horses.

MP3

,

CryptogramFriday Squid Blogging: Streamlined Quick Unfolding Investigation Drone

Yet another squid acronym.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Cory DoctorowRadicalized is one of the LA Public Library’s books of the year!

It’s not just the CBC and the Wall Street Journal — I was delighted to see this morning that Radicalized, my 2019 book of four science fiction novellas made the LA Public Library’s list of the top books of 2019! “As always his writing is sharp and clear, covering the absurdities that surround and infiltrate our lives, and predicts new ones waiting for us just around the corner. A compelling, thought provoking, macabre funny read.”

Cory DoctorowMy annual Daddy-Daughter Xmas Podcast: interview with an 11-year-old

Every year, I record a short podcast with my daughter, Poesy. Originally, we’d just sing Christmas carols, but with Poesy being nearly 12, we’ve had a moratorium on singing. This year, I interviewed Poe about her favorite Youtubers, books, apps, and pass-times, as well as her feelings on data-retention (meh) and horses (love ’em). And we even manage to squeeze in a song!

Google AdsenseMarketing Communications Specialist

It’s vital to create a flawless website user experience (UX). A UX strategy can help you rectify anything that compromises the website experience.

LongNowAI Unearths New Nazca Line in the Shape of a Humanoid Figure

The Nazca lines in Peru have baffled archaeologists for a century. Photo Credit: Jon Arnold Images Ltd/Alamy Stock Photo

In Southern Peru, deep in the Nazca Desert, ancient etchings spread across the landscape. To an observer at ground level, they appear as lines cut into the desert surface. Most are straight, while others curve and change direction, seemingly at random. Viewed from foothills or in the air, however, the etchings are revealed as figurative symbols, or geoglyphs. From this vantage, the Nazca lines take the form of geometric and biometric shapes, depicting plants, animals, and anthropomorphic figures.

The meaning and purpose of the Nazca lines have remained a mystery to archaeologists since their modern discovery in the 01920s. Some theorize that the etchings mark solstice points. Others believe they are artistic offerings to deities in the sky.

Archaeologists estimate the Nazca created several thousand lines between 0200 BCE and 0600 CE, using a methodical process of extracting specific stones to expose the white sands beneath. Researchers have long believed that there are many more Nazca lines yet to be discovered, but traditional methods of identifying the lines are time-consuming and demanding. Additionally, many of the lines have been damaged from floods, and disrupted by roads and infrastructure expansion.

Humanoid figure is the newest addition to the Nazca Lines. Photo Credit: IBM Research.

In recent years, a research team at Yamagata University has turned to an unconventional aid in its search: artificial intelligence. And it’s working better than anyone expected. On 15 November 02019, after decades of fieldwork and with extensive collaboration with IBM and their PAIRS Geoscope, the team announced that a total of 143 new designs had been uncovered.

The AI technology deploys deep-learning algorithms in order to synthesize vast and diverse data from LiDAR, drone and satellite images, to geospatial and geographical surveys. The result is high-fidelity 3-D maps of the surrounding search areas. Next, the AI is taught via a neural network to recognize the data patterns of known lines. The AI then searches for new ones over a stretch of 5 kilometers of terrain.

Left, Humanoid, Right, Humanoid Processed Picture. Photo Credit: Yamagata University IBM Japan.

One of the more curious recent discoveries was the above futuristic-looking humanoid figure.

The image is processed to outline and highlight the etchings for vastly improved visibility. The figure joins a collection of more than 2,000 previously known Nazca Lines. Other symbols include a fish, hermit bird and two-headed snake. In addition, IBM made this detection technology open source so other ventures can gain from the system, for example, to identify crops and improve irrigation management across the globe. The team plans to continue its work using more capable AI systems, like laser mapping data and advanced aerial images.

The project, with angles of both investigation and preservation, aims to document and understand the Nazca Lines as a whole. Once the team have a better understanding of the distribution of the lines, they can accelerate research towards the best way to preserve and protect them.

Learn More

  • Read Yamagata University’s press release on the newly-discovered geoglyphs.
  • Learn more about the IBM PAIRS geoscope technology that is helping scientists discover more geoglyphs.

Worse Than FailureError'd: Laws of Thermodynamics be Damned!

"I went to check my heat and, much to my surprise, my house had broken the laws of physics," Robert J. writes.

 

Dylan N. wrote, "I never have liked Cyber Mondays."

 

"When it comes to sending emergency alerts, my school is SO bad that it [INSERT_HOW_BAD_TEXT]!!" Jack writes.

 

Pascal wrote, "Ooh! By the looks of this guy, Twilight Zone's might have some weird face shifting plot twist!"

 

"Sigh...Looks like I'll need to wait approximately 584,942,417 years to hear from my friends again..." writes Matthieu G.

 

"I tried accessing Interactive Broker's simulated trading account on a random Friday, and well, maybe I just picked the wrong time or something becuase, behold, HTTP error code 601," Dima R. wrote,

 

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

,

Harald WelteSoftware Freedom Podcast #3 about Free Software mobile phone communication

Recently I had the pleasure of being part of the 3rd incarnation of a new podcast series by the Free Software Foundation Europe: The Software Freedom Podcast.

In episode 3, Matthias and Bonnie of the FSFE are interviewing me about various high-level topics related to [the lack of] Free Software in cellular telephony, as well as some of the projects that I was involved in (Openmoko, Osmocom).

We've also touched the current mainstream / political debate about Huawei and 5G networks, where my position can only be summarized as: It doesn't matter much in which country the related proprietary software is being developed. What we need is Free / Open Source software that can be publicly audited, and we need a method by which the operator can ensure that a given version of that FOSS software is actually executing on his equipment.

Thanks to the FSFE for covering such underdeveloped areas of Free Software, and to use their podcast to distribute related information and ideas.

CryptogramLousy IoT Security

DTEN makes smart screens and whiteboards for videoconferencing systems. Forescout found that their security is terrible:

In total, our researchers discovered five vulnerabilities of four different kinds:

  • Data exposure: PDF files of shared whiteboards (e.g. meeting notes) and other sensitive files (e.g., OTA -- over-the-air updates) were stored in a publicly accessible AWS S3 bucket that also lacked TLS encryption (CVE-2019-16270, CVE-2019-16274).
  • Unauthenticated web server: a web server running Android OS on port 8080 discloses all whiteboards stored locally on the device (CVE-2019-16271).

  • Arbitrary code execution: unauthenticated root shell access through Android Debug Bridge (ADB) leads to arbitrary code execution and system administration (CVE-2019-16273).

  • Access to Factory Settings: provides full administrative access and thus a covert ability to capture Windows host data from Android, including the Zoom meeting content (audio, video, screenshare) (CVE-2019-16272).

These aren't subtle vulnerabilities. These are stupid design decisions made by engineers who had no idea how to create a secure system. And this, in a nutshell, is the problem with the Internet of Things.

From a Wired article:

One issue that jumped out at the researchers: The DTEN system stored notes and annotations written through the whiteboard feature in an Amazon Web Services bucket that was exposed on the open internet. This means that customers could have accessed PDFs of each others' slides, screenshots, and notes just by changing the numbers in the URL they used to view their own. Or anyone could have remotely nabbed the entire trove of customers' data. Additionally, DTEN hadn't set up HTTPS web encryption on the customer web server to protect connections from prying eyes. DTEN fixed both of these issues on October 7. A few weeks later, the company also fixed a similar whiteboard PDF access issue that would have allowed anyone on a company's network to access all of its stored whiteboard data.

[...]

The researchers also discovered two ways that an attacker on the same network as DTEN devices could manipulate the video conferencing units to monitor all video and audio feeds and, in one case, to take full control. DTEN hardware runs Android primarily, but uses Microsoft Windows for Zoom. The researchers found that they can access a development tool known as "Android Debug Bridge," either wirelessly or through USB ports or ethernet, to take over a unit. The other bug also relates to exposed Android factory settings. The researchers note that attempting to implement both operating systems creates more opportunities for misconfigurations and exposure. DTEN says that it will push patches for both bugs by the end of the year.

Boing Boing article.

CryptogramAttacker Causes Epileptic Seizure over the Internet

This isn't a first, but I think it will be the first conviction:

The GIF set off a highly unusual court battle that is expected to equip those in similar circumstances with a new tool for battling threatening trolls and cyberbullies. On Monday, the man who sent Eichenwald the moving image, John Rayne Rivello, was set to appear in a Dallas County district court. A last-minute rescheduling delayed the proceeding until Jan. 31, but Rivello is still expected to plead guilty to aggravated assault. And he may be the first of many.

The Epilepsy Foundation announced on Monday it lodged a sweeping slate of criminal complaints against a legion of copycats who targeted people with epilepsy and sent them an onslaught of strobe GIFs -- a frightening phenomenon that unfolded in a short period of time during the organization's marking of National Epilepsy Awareness Month in November.

[...]

Rivello's supporters -- among them, neo-Nazis and white nationalists, including Richard Spencer -- have also argued that the issue is about freedom of speech. But in an amicus brief to the criminal case, the First Amendment Clinic at Duke University School of Law argued Rivello's actions were not constitutionally protected.

"A brawler who tattoos a message onto his knuckles does not throw every punch with the weight of First Amendment protection behind him," the brief stated. "Conduct like this does not constitute speech, nor should it. A deliberate attempt to cause physical injury to someone does not come close to the expression which the First Amendment is designed to protect."

Another article.

EDITED TO ADD(12/19): More articles.

Worse Than FailureLying Metrics

Locator LED

Our anonymous submitter—we'll call him Russell—was a senior engineer supporting an equally anonymous web service that was used by his company's desktop software for returning required data. Russell had a habit of monitoring the service's performance each day, always on the lookout for trouble. One fateful morning, the anomalies piled on thick.

Over the past 24 hours, the host server's average response time had halved, and yet the service was also suddenly dealing with four times as many requests as usual. Average CPU and memory usage on the server had doubled, as had the load on the Oracle host. Even stranger, there was no increase in server errors.

Russell couldn't imagine what might've happened, as no changes had been deployed. However, his product team had recently committed to reducing average server response time. It was possible that someone else had modified an upstream service or some database queries. He emailed the rest of the team and other teams he worked closely with, detailing what he'd seen and asking whether anyone had any pertinent information.

The response from the engineers was basically, Hmm, odd. No, we didn't change anything. The response from the product architects really shouldn't have surprised Russell, given he'd been working in enterprise for nearly 20 years. The reply-all frenzy can be summed up as, You mean we've already fulfilled our commitment to reduce average response time?! LET'S FIRE OFF A SELF-CONGRATULATORY COMPANY-WIDE EMAIL!!!

Upon seeing this, Russell immediately replied: Hold on, let's try to find out what's happening here first.

Unfortunately, he was too late to stop the announcement, but that didn't stop him from investigating further. He remembered that their default monitoring of server errors filtered out 404s. Upon turning off that filter, he found that the number of 404s thrown by the server roughly matched the number of additional requests. Previously, average response time had been around 100ms; at present, it was about 45ms. This "triumph" hid the fact that the numerous 404s were processed in about 10ms each, while the non-404 requests were processed in about 150ms each—50% slower than usual. In other words, the web service's performance had been seriously degraded.

Russell dug further to figure out who was performing this low-key DDoS attack. The requests were authenticated, so he knew the calls were coming from inside the house. He managed to trace them to another product within his company. This product had to make a request to his web service in about 1% of their sessions, but that considerably slowed down their handling of those particular sessions. As a result, someone had modified the product to fire off an asynchronous request to Russell's service for every session, simply ignoring the response if it was a 404.

Russell emailed his findings to his team, but received no reply. Feeling bold, he directly contacted the project manager of the offending product. This led to the biggest WTF of all: the PM apologized and got the change rolled back right away. By the next day, everything was back to normal—but the product architects were angry over the embarrassment caused by their own premature celebration. They were likely also miffed about being forced to find real ways of improving average server response time. Their misplaced ire led to Russell being fired a short time later.

However, our story has a happy ending. The super-responsive product team hired Russell back on after a couple of months, with a 25% pay raise. He retained seniority, and was allowed to keep his former benefits as well as his severance package. In the end, the forces that'd sought to be rid of him had only succeeded in giving him a highly-paid vacation.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

,

Sociological ImagesVenti Voting?

I just wrapped up my political sociology class for the semester. We spent a lot of time talking about conflict and polarization, reading research on why people avoid politics, the spread of political outrage, and why exactly liberals drink lattes. When we become polarized, small choices in culture and consumption—even just a cup of coffee—can become signals for political identities. 

After the liberals and lattes piece, one of my students wrote a reflection memo and mentioned a previous instructor telling them which brand of coffee to drink if they wanted to support a certain political party. This caught my attention, because (at least in the student’s recollection) the instructor was completely wrong. This led to a great discussion about corporate political donations, especially how frequent contributions often go bipartisan.

But where does your money go when you buy your morning coffee? Thanks to open-access data on political contributions, we can look at the partisan lean of the top four largest coffee chains in the United States.

Starbucks’ swing to the left is notable here, as is the rightward spike in Dunkin’s donations in the 2014 midterms. While these patterns tend to follow the standard corporate image for each, it is important to remember that even chains that lean one way still mix their donations. In midterm years like 2012 and 2014, about 20% of Starbucks’ donations went to Republicans.

One side effect of political polarization is that corporate politics don’t always follow cultural codes. For another good recent example of this, see Chick-fil-A reconsidering its donation policies.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

Worse Than FailureShining Brillance

Jarad was still recovering from his encounter with Intelligenuity’s most “brillant” programmer, Keisha, when a new hire, Aaron, showed up at Jarad’s office.

The large project that dominated their timelines remained their efforts to migrate from .NET to Java, but Aaron was hired to keep the .NET side of things on track, handling bugs, new features that were desperately needed, and just general maintenance. It was made emphatically clear by the project managers that hiring more .NET developers was not an admission that the conversion to Java had failed, but would “free up resources” to better focus on the Java side of things.

Aaron moved fast to establish himself. He scheduled a presentation in the first week. He was vague about what, exactly, the presentation was about ahead of time. So, when the lights came down and the projector lit up, everyone was a bit surprised to see their .NET code in his slides.

“This,” he explained, “is our application code. I wanted to give you a walk through the code, so we all as a team have a better understanding.”

Jarad and his co-workers exchanged glances, silently wondering if this was for real. Was Aaron really about to explain the code they had written to them?

“This line here,” Aaron said, pointing to a for loop, “is an interesting construct. It will repeat the code which follows to be repeated once for each element in the array.” A few slides later, highlighting a line which read, x = new AccountModel(), Aaron explained. “This creates an instance of an account model object. The instance is of the class, while the class defines what is common across all objects.”

That hour long meeting was one of the longest hours of Jarad’s life. It was a perfect storm of tedium, insult, and incompetence.

Afterwards, Jarad grabbed his manager, Regine. “Like, do you think Aaron is going to actually be a good fit?”

“Oh, I’m sure he’ll be fine. Look how well he understands our code already!”

That laid out the pattern of working with Aaron. During one team meeting, the team got sidetracked discussing the best approach to managing a very specific exception in a very specific section of their code. Fifteen minutes after the meeting, Aaron followed up with an email: “Re: Exception Handling”, which consisted of a bad paraphrase of the Execption class documentation from the MSDN site. Another day, during another meeting, someone mentioned concurrency, so Aaron followed up with an email that broadly plagiarized a Stack Overflow post describing the ProcessThread object.

And, on each one of those emails, Regine and several other project managers were CCed. The result was that the management team felt that Aaron was a great communicator, who constantly was adding value to the team. He was a mentor. An asset. The kind of person that should be invited to every one of the project management meetings, because he was extremely technical but also the kind of communicator and go-getter that had management written all over him.

Among the developers, Aaron’s commits were a running joke. He submitted non-working code, code that violated every standard practice and styleguide entry they used, code with out tests, code with tests that would pass no matter what happened, code that didn’t compile, and code that was clearly copy/pasted from a tutorial without bothering to try and fix the indentation.

It was no surprise then, that a few months later, Aaron announced that he was now a “System Architect”, a role that did not actually exist in their org-chart, but Aaron assured them meant he could tell them how to write software. Jarad went to Regine, along with a few other developers, and raised their concerns. Specifically: Aaron had invented a new job role and was claiming authority he didn’t have, he didn’t have the seniority for a promotion at this time, he didn’t actually know what he was doing, and he was killing team morale.

“Are you familiar with the crab mentality?” Regine asked. “I’m concerned that you’re being poor team players and a negative influence. You should be happy for Aaron’s success, because it reflects on how good our team is!”

Jarad and the rest of the team soon discovered that Regine was right. Now that Aaron was a “System Architect” he was too busy building presentations, emailing barely comprehensible and often inaccurate summaries of documentation, and scheduling meetings to actually write any code. Team performance improved, and it was trivial to configure one’s inbox to spam Aaron’s messages.

Aaron’s “communication style” kept getting him scheduled to do more presentations where he could explain simple programming concepts to different layers of management. The general consensus was that they didn’t understand what he was talking about, but he must be very smart to talk about it with a PowerPoint deck.

After their next release of their .NET product, Aaron scheduled a meeting with some of the upper tier management to review the project. He once again dazzled them with his explanation of the difference between an object and a class, with a brief foray into the difference between reference and value types, and then followed up with an email, thanking them all for their time.

On this email, he CCed the VP of the company.

The VP of the company was also one of the founders, and was a deeply technical person. She never related her reasoning to anyone, but based on Aaron’s email, she scheduled a meeting with him. It was no trick finding out that the meeting was going to take place: Aaron made sure to let everyone on the team know. “I have to block off everything from 3PM on Thursday, because I have a meeting with the VP.” “Can we table that? It’s probably best if we discuss after my meeting with the VP.” “I’ll be back later, it’s time for my meeting with the VP.”

No one knows exactly what happened in that meeting. What was said or done is between Aaron and the VP. But 45 minutes later, both Aaron and the VP walked onto the developers’ floor. Aaron was watching his shoes, and the VP was staring daggers at the back of his neck. She marched Aaron into Regine’s office, and closed the door. For the next twenty minutes, the VP vented her frustration. When her voice got raised, words like “enabling” and “incompetence” and “inappropriate” and “hiring practices” leaked out.

The VP stormed back out, leaving Regine and Aaron to discuss Aaron’s severance. That was the last day anyone saw Aaron.

Well, until Jarad started thinking about attending a local tech conference. Aaron, as it turns out, will be one of the speakers, discussing some “cutting edge” .NET topics.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

,

Krebs on SecurityNuclear Bot Author Arrested in Sextortion Case

Last summer, a wave of sextortion emails began flooding inboxes around the world. The spammers behind this scheme claimed they’d hacked your computer and recorded videos of you watching porn, and promised to release the embarrassing footage to all your contacts unless a bitcoin demand was paid. Now, French authorities say they’ve charged two men they believe are responsible for masterminding this scam. One of them is a 21-year-old hacker interviewed by KrebsOnSecurity in 2017 who openly admitted to authoring a banking trojan called “Nuclear Bot.”

On Dec. 15, the French news daily Le Parisien published a report stating that French authorities had arrested and charged two men in the sextortion scheme. The story doesn’t name either individual, but rather refers to one of the accused only by the pseudonym “Antoine I.,” noting that his first had been changed (presumably to protect his identity because he hasn’t yet been convicted of a crime).

“According to sources close to the investigation, Antoine I. surrendered to the French authorities at the beginning of the month, after being hunted down all over Europe,” the story notes. “The young Frenchman, who lived between Ukraine, Poland and the Baltic countries, was indicted on 6 December for ‘extortion by organized gang, fraudulent access to a data processing system and money laundering.’ He was placed in pre-trial detention.”

According to Le Parisien, Antoine I. admitted to being the inventor of the initial 2018 sextortion scam, which was subsequently imitated by countless other ne’er-do-wells. The story says the two men deployed malware to compromise at least 2,000 computers that were used to blast out the sextortion emails.

While that story is light on details about the identities of the accused, an earlier version of it published Dec. 14 includes more helpful clues. The Dec. 14 piece said Antoine I. had been interviewed by KrebsOnSecurity in April 2017, where he boasted about having created Nuclear Bot, a malware strain designed to steal banking credentials from victims.

My April 2017 exposé featured an interview with Augustin Inzirillo, a young man who came across as deeply conflicted about his chosen career path. That path became traceable after he released the computer code for Nuclear Bot on GitHub. Inzirillo outed himself by defending the sophistication of his malware after it was ridiculed by both security researchers and denizens of the cybercrime underground, where copies of the code wound up for sale. From that story:

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat.

Inzirillo released the code on GitHub with a short note explaining his motivations, and included a contact email address at a domain (inzirillo.com) set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Daniel, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

If Augustin Inzirillo ever did truly desire to change his ways, it wasn’t clear from his apparent actions last summer: The Le Parisien story says the sextortion scams netted the Frenchman and his co-conspirator at least a million Euros.

In August 2018, KrebsOnSecurity was contacted by a researcher working with French authorities on the investigation who said he suspected the young man was bragging on Twitter that he used a custom version of Nuclear Bot dubbed “TinyNuke” to steal funds from customers of French and Polish banks.

The source said this individual used the now-defunct Twitter account @tiny_gang1 to taunt French authorities, while showing off a fan of 100-Euro notes allegedly gained from his illicit activities (see image above). It seemed to the source that Inzirillo wanted to get caught, because at one point @tiny_gang1 even privately shared a copy of Inzirillo’s French passport to prove his identity and accomplishments to the researcher.

“He modified the Tinynuke’s config several times, and we saw numerous modifications in the malware code too,” the source said. “We tried to compare his samples with the leaked code available on GitHub and we noticed that the guy actually was using a more advanced version with features that don’t exist in the publicly available repositories. As an example, custom samples have video recording functionality, socks proxy and other features. So the guy clearly improved the source code and recompiled a new version for every new campaign.”

The source said the person behind the @tiny_gang Twitter account attacked French targets with custom versions of TinyNuke in one to three campaigns per week earlier this year, harvesting French bank accounts and laundering the stolen funds via a money mule network based mostly in the United Kingdom.

“If the guy behind this campaign is the malware author, it could easily explain the modifications happening with the malware, and his French is pretty good,” the researcher told KrebsOnSecurity. “He’s really provocative and I think he wants to be arrested in France because it could be a good way to become famous and maybe prove that his malware works (to resell it after?).”

The source said the TinyNuke author threatened him with physical harm after the researcher insulted his intelligence while trying to goad him into disclosing more details about his cybercrime activities.

“The guy has a serious ego problem,” the researcher said. “He likes when we talk about him and he hates when we mock him. He got really angry as time went by and started personally threatening me. In the last [TinyNuke malware configuration file] targeting Poland we found a long message dedicated to me with clear physical threats.”

All of the above is consistent with the findings detailed in the Le Parisien report, which quoted French investigators saying Antoine I. in October 2019 used a now-deleted Twitter account to taunt the authorities into looking for him. In one such post, he included a picture of himself holding a beer, saying: “On the train to Naples. You should send me a registered letter instead of threatening guys informally.”

The Le Parisien story also said Antoine I. threatened a researcher working with French authorities on the investigation (the researcher is referred to pseudonymously as “Marc”).

“I make a lot more money than you, I am younger, more intelligent,” Antoine I. reportedly wrote in July 2018 to Marc. “If you do not stop playing with me, I will put a bullet in your head. ”

French authorities say the defendant managed his extortion operations while traveling throughout Ukraine and other parts of Eastern Europe. But at some point he decided to return home to France, despite knowing investigators there were hunting him. According to Le Parisien, he told the French authorities he wanted to cooperate in the investigation and that he no longer wished to live like a fugitive.

CryptogramIranian Attacks on Industrial Control Systems

New details:

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That's generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.

[...]

The hackers' motivation -- and which industrial control systems they've actually breached -- remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. "They're going after these producers and manufacturers of control systems, but I don't think they're the end targets," says Moran. "They're trying to find the downstream customer, to find out how they work and who uses them. They're looking to inflict some pain on someone's critical infrastructure that makes use of these control systems."

It's unclear whether the attackers are causing any actual damage, or just gaining access for some future use.

Worse Than FailureCodeSOD: We Go to School

Sometimes, it feels like any programming question you might have has a thread on StackOverflow. It might not have an answer, but it’s probably there. Between that, online guidebooks, tools with decent documentation, YouTube programming tutorials there are a lot of great ways to learn how to solve any given programming task.

Andreas R had a programming task. Specifically, Andreas wanted to create sortable tables that worked like those on MediaWiki sites. A quick google for “sort html table” turned up a source which offered… this.

function sortTable() {
  var table, rows, switching, i, x, y, shouldSwitch;
  table = document.getElementById("myTable");
  switching = true;
  /* Make a loop that will continue until
  no switching has been done: */
  while (switching) {
    // Start by saying: no switching is done:
    switching = false;
    rows = table.rows;
    /* Loop through all table rows (except the
    first, which contains table headers): */
    for (i = 1; i < (rows.length - 1); i++) {
      // Start by saying there should be no switching:
      shouldSwitch = false;
      /* Get the two elements you want to compare,
      one from current row and one from the next: */
      x = rows[i].getElementsByTagName("TD")[0];
      y = rows[i + 1].getElementsByTagName("TD")[0];
      // Check if the two rows should switch place:
      if (x.innerHTML.toLowerCase() > y.innerHTML.toLowerCase()) {
        // If so, mark as a switch and break the loop:
        shouldSwitch = true;
        break;
      }
    }
    if (shouldSwitch) {
      /* If a switch has been marked, make the switch
      and mark that a switch has been done: */
      rows[i].parentNode.insertBefore(rows[i + 1], rows[i]);
      switching = true;
    }
  }
}

This code works, for very limited values of “works”. It works by doing a bubble sort until we stop swapping entries. It always skips the first row, under the assumption that we’re looking at a table with headers. It only ever sorts by the first column. It does all the sorting directly in the DOM, which is a great way to really add some overhead to your data manipulation.

There are a lot of shady, skeevy tutorial sites, and some of them are really good at search engine optimization. This is one of those. It’s the sort of site anyone with any experience knows is a bad source, but those without that experience are left to learn the hard way.

TRWTF are sites that spend more time and energy on SEO than on providing helpful content. At least when we share bad code, we know it’s bad- and so does our audience.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

Krebs on SecurityRansomware Gangs Now Outing Victim Businesses That Don’t Pay Up

As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.

The message displayed at the top of the Maze Ransomware public shaming site.

Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.

“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”

KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.

The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.

As shocking as this new development may be to some, it’s not like the bad guys haven’t warned us this was coming.

“For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released,” said Lawrence Abrams, founder of the computer security blog and victim assistance site BleepingComputer.com. “While it has been a well-known secret that ransomware actors snoop through victim’s data, and in many cases steal it before the data is encrypted, they never actually carried out their threats of releasing it.”

Abrams said that changed at the end of last month, when the crooks behind Maze Ransomware threatened Allied Universal that if they did not pay the ransom, they would release their files. When they did not receive a payment, they released 700MB worth of data on a hacking forum.

“Ransomware attacks are now data breaches,” Abrams said. “During ransomware attacks, some threat actors have told companies that they are familiar with internal company secrets after reading the company’s files. Even though this should be considered a data breach, many ransomware victims simply swept it under the rug in the hopes that nobody would ever find out. Now that ransomware operators are releasing victim’s data, this will need to change and companies will have to treat these attacks like data breaches.”

The move by Maze Ransomware comes just days after the cybercriminals responsible for managing the “Sodinokibi/rEvil” ransomware empire posted on a popular dark Web forum that they also plan to start using stolen files and data as public leverage to get victims to pay ransoms.

The leader of the Sodinokibi/rEvil ransomware gang promising to name and shame victims publicly in a recent cybercrime forum post. Image: BleepingComputer.

This is especially ghastly news for companies that may already face steep fines and other penalties for failing to report breaches and safeguard their customers’ data. For example, healthcare providers are required to report ransomware incidents to the U.S. Department of Health and Human Services, which often documents breaches involving lost or stolen healthcare data on its own site.

While these victims may be able to avoid reporting ransomware incidents if they can show forensic evidence demonstrating that patient data was never taken or accessed, sites like the one that Maze Ransomware has now erected could soon dramatically complicate these incidents.

Cory DoctorowParty Discipline, a Walkaway story (Part 3)

In my latest podcast (MP3), I continue my serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

Here’s part 1 of the reading and here’s part 2.

We told them they could go home if they didn’t want to risk coming to the Communist party, but we told them that after we told them that they were the only kids in the whole school we trusted enough to invite to it, and made sure they all knew that if they backed out, there’d be no hard feelings—and no chance to change their mind later tonight when they were at a corny party with a bunch of kids instead of making glorious revolution.

Every one of them said they’d come.

I’d found an all-ages show in Encino that night, two miles from Steelbridge, Antoine’s old job. We got piled into Ubers heading for the club, chatting about inconsequentialities for the in-car cameras and mics, and every one of us paid cover for the club, making sure to use traceable payment systems that would alibi us as having gone in for the night. Then we all met in the back alley, letting ourselves out of the fire-doors in ones and twos. I did a head-count to make sure we were all there, squashed together in a spot out of view of the one remaining camera back there (I’d taken out the other one the day before, wearing a hoodie and gloves, sliding along the wall so that I was out of its range until I was reaching up to smear it with some old crank-case oil).

We hugged the wall until we were back out into the side streets. All our phones were off and bagged, and everyone had maps that used back streets without cameras to get to Steelbridge. We strung out in groups of two to five, at least half a block between us, so no one would see a big group of kids Walking While Brown and call in the cops.

MP3

,

Krebs on SecurityInside ‘Evil Corp,’ a $100M Cybercrime Menace

The U.S. Justice Department this month offered a $5 million bounty for information leading to the arrest and conviction of a Russian man indicted for allegedly orchestrating a vast, international cybercrime network that called itself “Evil Corp” and stole roughly $100 million from businesses and consumers. As it happens, for several years KrebsOnSecurity closely monitored the day-to-day communications and activities of the accused and his accomplices. What follows is an insider’s look at the back-end operations of this gang.

Image: FBI

The $5 million reward is being offered for 32 year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex“) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.

From 2009 to the present, Aqua’s primary role in the conspiracy was recruiting and managing a continuous supply of unwitting or complicit accomplices to help Evil Corp. launder money stolen from their victims and transfer funds to members of the conspiracy based in Russia, Ukraine and other parts of Eastern Europe. These accomplices, known as “money mules,” are typically recruited via work-at-home job solicitations sent out by email and to people who have submitted their resumes to job search Web sites.

Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. People who bite on these offers sometimes receive small commissions for each successful transfer, but just as often end up getting stiffed out of a promised payday, and/or receiving a visit or threatening letter from law enforcement agencies that track such crime (more on that in a moment).

HITCHED TO A MULE

KrebsOnSecurity first encountered Aqua’s work in 2008 as a reporter for The Washington Post. A source said they’d stumbled upon a way to intercept and read the daily online chats between Aqua and several other mule recruiters and malware purveyors who were stealing hundreds of thousands of dollars weekly from hacked businesses.

The source also discovered a pattern in the naming convention and appearance of several money mule recruitment Web sites being operated by Aqua. People who responded to recruitment messages were invited to create an account at one of these sites, enter personal and bank account data (mules were told they would be processing payments for their employer’s “programmers” based in Eastern Europe) and then log in each day to check for new messages.

Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

One of several sites set up by Aqua and others to recruit and manage money mules.

When it came time to transfer stolen funds, the recruiters would send a message through the mule site saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

Here’s where it got interesting. Each of these mule recruitment sites had the same security weakness: Anyone could register, and after logging in any user could view messages sent to and from all other users simply by changing a number in the browser’s address bar. As a result, it was trivial to automate the retrieval of messages sent to every money mule registered across dozens of these fake company sites.

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

Messages to and from a money mule working for Aqua’s crew, circa May 2011.

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations. Needless to say, the victims that spun their wheels chasing after me usually suffered far more substantial financial losses (mainly because they delayed calling their financial institution until it was too late).

Collectively, these notifications to Evil Corp.’s victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I don’t believe I ever wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.

LOW FRIENDS IN HIGH PLACES

According to the U.S. Justice Department, Yakubets/Aqua served as leader of Evil Corp. and was responsible for managing and supervising the group’s cybercrime activities in deploying and using the Jabberzeus and Dridex banking malware. The DOJ notes that prior to serving in this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy “Slavik” Bogachev, a previously designated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes who currently has a $3 million FBI bounty on his head.

Evgeniy M. Bogachev, in undated photos.

As noted in previous stories here, during times of conflict with Russia’s neighbors, Slavik was known to retool his crime machines to search for classified information on victim systems in regions of the world that were of strategic interest to the Russian government – particularly in Turkey and Ukraine.

“Cybercriminals are recruited to Russia’s national cause through a mix of coercion, payments and appeals to patriotic sentiment,â€� reads a 2017 story from The Register on security firm Cybereason’s analysis of the Russian cybercrime scene. “Russia’s use of private contractors also has other benefits in helping to decrease overall operational costs, mitigating the risk of detection and gaining technical expertise that they cannot recruit directly into the government. Combining a cyber-militia with official state-sponsored hacking teams has created the most technically advanced and bold cybercriminal community in the world.â€�

This is interesting because the U.S. Treasury Department says Yukabets as of 2017 was working for the Russian FSB, one of Russia’s leading intelligence organizations.

“As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB,” notes a statement from the Treasury.

The Treasury Department’s role in this action is key because it means the United States has now imposed economic sanctions on Yukabets and 16 accused associates, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with these individuals.

The Justice Department’s criminal complaint against Yukabets (PDF) mentions several intercepted chat communications between Aqua and his alleged associates in which they puzzle over why KrebsOnSecurity seemed to know so much about their internal operations and victims. In the following chat conversations (translated from Russian), Aqua and others discuss a story I wrote for The Washington Post in 2009 about their theft of hundreds of thousands of dollars from the payroll accounts of Bullitt County, Ky:

tank: [Are you] there?
indep: Yeah.
indep: Greetings.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: This is still about me.
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: He is the account from which we cashed.
tank: Today someone else send this news.
tank: I’m reading and thinking: Let me take a look at history. For some reason this name is familiar.
tank: I’m on line and I’ll look. Ah, here is this shit.
indep: How are you?
tank: Did you get my announcements?
indep: Well, I congratulate [you].
indep: This is just fuck when they write about you in the news.
tank: Whose [What]?
tank: 😀
indep: Too much publicity is not needed.
tank: Well, so nobody knows who they are talking about.

tank: Well, nevertheless, they were writing about us.
aqua: So because of whom did they lock Western Union for Ukraine?
aqua: Tough shit.
tank: *************Originator: BULLITT COUNTY FISCAL Company: Bullitt
County Fiscal Court
aqua: So?
aqua: This is the court system.
tank: Shit.
tank: Yes
aqua: This is why they fucked [nailed?] several drops.
tank: Yes, indeed.
aqua: Well, fuck. Hackers: It’s true they stole a lot of money.

At roughly the same time, one of Aqua’s crew had a chat with Slavik, who used the nickname “lucky12345” at the time:

tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank: 😀
lucky12345: It’s fucked.

On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters –- a crook who used the pseudonym “Jim Rogersâ€� — somehow learned about something I hadn’t shared beyond a few trusted friends at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tankâ€�:

jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us no one reads his column 🙂

tank: Mr. Fucking Brian Fucking Kerbs!

In March 2010, Aqua would divulge in an encrypted chat that his crew was working directly with the Zeus author (Slavik/Lucky12345), but that they found him abrasive and difficult to tolerate:

dimka: I read about the king of seas, was it your handy work?
aqua: what are you talking about? show me
dimka: zeus
aqua: 🙂
aqua: yes, we are using it right now
aqua: its developer sits with us on the system
dimka: it’s a popular thing
aqua: but, he, fucker, annoyed the hell out of everyone, doesn’t want to write bypass of interactives (scans) and trojan penetration 35-40%, bitch
aqua: yeah, shit
aqua: we need better
aqua: http://voices.washingtonpost.com/securityfix read it 🙂 here you find almost everything about us 🙂
dimka: I think everything will be slightly different, if you think so
aqua: we, in this system, the big dog, the rest on the system are doing small crap

Later that month, Aqua bemoaned even more publicity about their work, pointing to a KrebsOnSecurity story about a sophisticated attack in which their malware not only intercepted a one-time password needed to log in to the victim’s bank account, but even modified the bank’s own Web site as displayed in the victim’s browser to point to a phony customer support number.

Ironically, the fake bank phone number was what tipped off the victim company employee. In this instance, the victim’s bank — Fifth Third Bank (referred to as “53” in the chat below) was able to claw back the money stolen by Aqua’s money mules, but not funds that were taken via fraudulent international wire transfers. The cybercriminals in this chat also complain they will need a newly-obfuscated version of their malware due to public exposure:

aqua: tomorrow, everything should work.
aqua: fuck, we need to find more socks for spam.
aqua: okay, so tomorrow Petro [another conspirator who went by the nickname Petr0vich] will give us a [new] .exe
jtk: ok
jim_rogers: this one doesn’t work
jim_rogers: http://www.krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/
jim_rogers: here it’s written about my transfer from 53. How I made a number of wires like it said there. And a woman burnt the deal because of a fake phone number.

ANTI-MULE INITIATIVE

In tandem with the indictments against Evil Corp, the Justice Department joined with officials from Europol to execute a law enforcement action and public awareness campaign to combat money mule activity.

“More than 90% of money mule transactions identified through the European Money Mule Actions are linked to cybercrime,” Europol wrote in a statement about the action. “The illegal money often comes from criminal activities like phishing, malware attacks, online auction fraud, e-commerce fraud, business e-mail compromise (BEC) and CEO fraud, romance scams, holiday fraud (booking fraud) and many others.”

The DOJ said U.S. law enforcement disrupted mule networks that spanned from Hawaii to Florida and from Alaska to Maine. Actions were taken to halt the conduct of over 600 domestic money mules, including 30 individuals who were criminally charged for their roles in receiving victim payments and providing the fraud proceeds to accomplices.

Some tips from Europol on how to spot money mule recruitment scams dressed up as legitimate job offers.

It’s good to see more public education about the damage that money mules inflict, because without them most of these criminal schemes simply fall apart. Aside from helping to launder funds from banking trojan victims, money mules often are instrumental in fleecing elderly people taken in by various online confidence scams.

It’s also great to see the U.S. government finally wielding its most powerful weapon against cybercriminals based in Russia and other safe havens for such activity: Economic sanctions that severely restrict cybercriminals’ access to ill-gotten gains and the ability to launder the proceeds of their crimes by investing in overseas assets.

Further reading:

DOJ press conference remarks on Yakubets
FBI charges announced in malware conspiracy
2019 indictment of Yakubets, Turashev. et al.
2010 Criminal complaint vs. Yukabets, et. al.
FBI “wanted” alert on Igor “Enki” Turashev
US-CERT alert on Dridex

CryptogramSecurity Vulnerabilities in the RCS Texting Protocol

Interesting research:

SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still used for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those of SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.

Google AdsenseMarketing Communications Specialist

Content marketing not only drives new visitors to your website, but also entices them to come back. Take advantage of these tools that can help.

Worse Than FailureCodeSOD: An Advent Calendar

Java date-time handling was notoriously bad for the vast majority of Java's lifetime. It was so bad that a third party library, Joda-Time, was the defacto standard for Java date processing until finally, in Java 8, the features, functionality, and design of Joda-Time were adopted into Java. JSR-310 added refinements to conventional datetime objects, like Timestamps and LocalDates, but also added useful classes like Instant (an immutable instant in time) and DateTimeFormatters that had a conventional and flexible API for doing date formatting and parsing.

Since JSR-310, it's easy to write good date handling code in Java.

That, of course, doesn't mean that you can't still write terrible date handling code. Normally, you'd expect your bad date handling code to take the form of one of the standard badnesses: write your own string mangler, insist on using the legacy libraries, homebrew a stacked up library of edge cases and ugly code and weird misunderstandings of the calendar.

Brendan sends us an example where they manage to use the new APIs in a head-scratching fashion.

private static Timestamp getCdrTimestampParameter(CSVParam param) { return Timestamp.valueOf( LocalDateTime.ofInstant(Instant.from(DateTimeFormatter.ISO_INSTANT.parse(param.getParamValue())), ZoneOffset.UTC)); }

The goal here is to take the text supplied from a CSVparam (presumably a field in a CSV file?) and convert it into a Timestamp object. This could easily be a one-line operation. Well, I guess technically, this code already is a one-statement operation, but you could easily write this without using every single one of the new datetime objects. Perhaps the developer just wanted the practice?

In this case, LocalDateTime has a parse method which allows you to pass a DateTimeFormatter, so you could just build the LocalDateTime by LocalDateTime.parse(param.getParamValue(), DateTimeFormatter.ISO_INSTANT). Which gets weird, anyway, because they are somehow passing a timezone offset into the LocalDateTime through that ofInstant method, but local date times don't have timezone information in them, and the java.time docs don't have an ofInstant method in the first place, which implies that something weird and inappropriate is going on here, in terms of classes getting replaced or modified. It's possible that ofInstant returns a ZonedDateTime by injecting timezone information into a LocalDateTime, but Timestamp doesn't expect ZonedDateTimes in its valueOf method, but LocalDateTimes, because Timestamps are also not timezone aware.

When I started looking at this code, I didn't realize how weird and wrong it was. I almost didn't do a dive into it, to try and figure out what was happening here, because it looks ugly, but the WTF only appears when you dig into the layers.

As an aside, there are a lot of ways to do this, but the easiest looking way, to my eye, is something like:

return Timestamp.from(Instant.parse(param.getParamValue())); //`Instant.parse` defaults to the `DateTimeFormatter.ISO_INSTANT`

The down side, I guess, to my approach is that it doesn't try and use every single tool in the toolbox of java.time.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

,

CryptogramScaring People into Supporting Backdoors

Back in 1998, Tim May warned us of the "Four Horsemen of the Infocalypse": "terrorists, pedophiles, drug dealers, and money launderers." I tended to cast it slightly differently. This is me from 2005:

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.

Which particular horseman is in vogue depends on time and circumstance. Since the terrorist attacks of 9/11, the US government has been pushing the terrorist scare story. Recently, it seems to have switched to pedophiles and child exploitation. It began in September, with a long New York Times story on child sex abuse, which included this dig at encryption:

And when tech companies cooperate fully, encryption and anonymization can create digital hiding places for perpetrators. Facebook announced in March plans to encrypt Messenger, which last year was responsible for nearly 12 million of the 18.4 million worldwide reports of child sexual abuse material, according to people familiar with the reports. Reports to the authorities typically contain more than one image, and last year encompassed the record 45 million photos and videos, according to the National Center for Missing and Exploited Children.

(That's wrong, by the way. Facebook Messenger already has an encrypted option. It's just not turned on by default, like it is in WhatsApp.)

That was followed up by a conference by the US Department of Justice: "Lawless Spaces: Warrant Proof Encryption and its Impact on Child Exploitation Cases." US Attorney General William Barr gave a speech on the subject. Then came an open letter to Facebook from Barr and others from the UK and Australia, using "protecting children" as the basis for their demand that the company not implement strong end-to-end encryption. (I signed on to another another open letter in response.) Then, the FBI tried to get Interpol to publish a statement denouncing end-to-end encryption.

This week, the Senate Judiciary Committee held a hearing on backdoors: "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy." Video, and written testimonies, are available at the link. Eric Neuenschwander from Apple was there to support strong encryption, but the other witnesses were all against it. New York District Attorney Cyrus Vance was true to form:

In fact, we were never able to view the contents of his phone because of this gift to sex traffickers that came, not from God, but from Apple.

It was a disturbing hearing. The Senators asked technical questions to people who couldn't answer them. The result was that an adjunct law professor was able to frame the issue of strong encryption as an externality caused by corporate liability dumping, and another example of Silicon Valley's anti-regulation stance.

Let me be clear. None of us who favor strong encryption is saying that child exploitation isn't a serious crime, or a worldwide problem. We're not saying that about kidnapping, international drug cartels, money laundering, or terrorism. We are saying three things. One, that strong encryption is necessary for personal and national security. Two, that weakening encryption does more harm than good. And three, law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices. This is one example, where people unraveled a dark-web website and arrested hundreds by analyzing Bitcoin transactions. This is another, where policy arrested members of a WhatsApp group.

So let's have reasoned policy debates about encryption -- debates that are informed by technology. And let's stop it with the scare stories.

EDITED TO ADD (12/13): The DoD just said that strong encryption is essential for national security.

All DoD issued unclassified mobile devices are required to be password protected using strong passwords. The Department also requires that data-in-transit, on DoD issued mobile devices, be encrypted (e.g. VPN) to protect DoD information and resources. The importance of strong encryption and VPNs for our mobile workforce is imperative. Last October, the Department outlined its layered cybersecurity approach to protect DoD information and resources, including service men and women, when using mobile communications capabilities.

[...]

As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.

,

CryptogramUpcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

  • I'm speaking at SecIT by Heise in Hannover, Germany on March 26, 2020.

The list is maintained on this page.

Cory DoctorowRadicalized is one of the Wall Street Journal’s top sf books of 2019!

Radicalized, my collection of four novellas, is one of the Wall Street Journal‘s picks for best sf books of 2019! My thanks to Tom Shippey, who listed it alongside of David Walton’s Three Laws Lethal, Daniel Suarez’s Delta-v, Erin Craig’s House of Salt and Sorrows and Michael Swanwick’s The Iron Dragon’s Mother!

,

CryptogramFriday Squid Blogging: Color-Changing Properties of the Opalescent Inshore Squid

Interesting stuff.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramAndy Ellis on Risk Assessment

Andy Ellis, the CSO of Akamai, gave a great talk about the psychology of risk at the Business of Software conference this year.

I've written about this before.

One quote of mine: "The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008."

EDITED TO ADD (12/13): Epigenetics and the human brain.

CryptogramEFF on the Mechanics of Corporate Surveillance

EFF has published a comprehensible and very readable "deep dive" into the technologies of corporate surveillance, both on the Internet and off. Well worth reading and sharing.

Boing Boing post.

Worse Than FailureError'd: You Must Be Mistaken

"Geeze thanks, IntelliJ, I don't think that you're really giving me a choice here," write Mike R.

 

"Now, I don't know how many gigabytes one can fit in a kettle, but if you're expecting a room full of visitors or a big meeting, and need to increase capacity right away, this is for you," John W. writes.

 

Ryan S. wrote, "Sure you could go for the two phones where you know all the details, but c'mon...where's the fun in that?"

 

"Verizon's Ad misses the mark just like you will likely miss the coverage area if you don't stand real still," writes Jake

 

Paul T. wrote, "Possibly the least descriptive notification ever, but at least I know which app it came from."

 

Martin G. wrote, "I tried to complete it as fast as possible, but apparently I've been playing it for over 45 years!"

 

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Sam VargheseA small step for Australian women, a giant leap for Tracey Spicer

A year and nine months after she founded NOW Australia claiming it was meant to focus on the problem of women being sexually harassed in the workplace, former TV newsreader Tracey Spicer is once again avoiding public appearances in order, she claims, to focus on her own mental health.

Spicer has retreated like this on earlier occasions too: she disappeared after actor John Jarratt was cleared of harassment charges and also when actor Geoffrey Rush won a case against the Daily Telegraph that had accused him of sexual harassment.

After a series of incidents that can only lead to one conclusion – Spicer’s embrace of the #MeToo movement was meant more to embellish her own image than anything else – the women’s movement in Australia has been put on the back foot and left wondering how it will recover from the Spicer show.

In 2006, after 14 years at Channel Ten, Spicer was sacked when she returned to work after having a second child. She turned it into an exercise to gain publicity, accusing the network of discrimination and threatening a court fight, but later accepting a settlement. That itself should have made any observer understand what she was about; had she wanted to expose discrimination, she would have gone ahead with the threatened case. But this episode served its purpose and gave her a public profile.

After a stint with Sky News, with whom she worked until 2015, Spicer took up the #MeToo mantle soon after the exposure of the antics of film moghul Harvey Weinstein in the US came to light in October 2017. She put out a tweet, inviting women to send her their stories of harassment, saying: “Currently, I am investigating two long-term offenders in our media industry. Please, contact me privately to tell your stories.” It must be noted that prior to this, Spicer had dropped hints here and there that she understood that the problem was widespread.

But when her tweet resulted in a large number of responses, Spicer professed that she was amazed to hear from such a large number of women. This contradicted what she had been saying prior to her tweet. She could not keep up with the responses to these poor souls. In March the following year, NOW Australia was set up, apparently to cater to these women’s needs. They needed professional help – from lawyers, counsellors, psychologists and the like. Spicer has no qualifications apart from a general graduate degree.

Unlike its American counterpart, known as Time’s Up, NOW has not managed to raise the funds or support needed to run such a show. It has been something of a disaster and the rosy pictures painted in the media have been an exaggeration. In fact, the media coverage has been the only area in which NOW has excelled. In reality, the women who sought solace by writing to Spicer have been led up the garden path. And there are a fair number of them, more than 2000.

Spicer has used some of the material she collected to front a three-part TV program on the ABC under the name Silent No More. But that has led to more revelations which do not cast her in a very good light.

For one, Spicer, who has always played up the fact that she has 30 years’ media experience, allowed the production company making the show to film her sitting at a computer where complaints from some women were clearly visible. This was in early versions of the program which were distributed to media for publicity.

One thing which journalists are taught on day one is to never reveal sources or source material. Yet when Spicer was asked about this major lapse, she blamed the ABC and the production company! It is part of a pattern – she refuses to accept the blame for anything that has blown up in her face.

When three of the women whose names were exposed in this manner made comments to media outlets that were critical of Spicer, she retaliated by sending them legal notices and demanding they keep mum. In one case, Spicer demanded $1500 as legal costs. The saviour of sexually harassed women had turned out to be a different kind of harasser herself. Would this encourage women to tell their tales to others? Hardly.

Spicer has also lied when it suited her and helped to boost her profile. Australia set up an inquiry into sexual harassment in the workplace in 2018 and, in a newspaper article, Spicer claimed that she had proposed the idea to the Sex Discrimination Commissioner, Kate Jenkins. But Jenkins denied that Spicer had any role in the setting up of the inquiry, telling the Buzzfeed website: “Tracey Spicer was not involved in conceiving of or establishing the national inquiry, nor did she suggest the idea of the inquiry to me.”

In November, Spicer managed to wrangle an invitation to address the National Press Club in Canberra. After her talk, she fielded questions from the audience. Three questions from women journalists – Claudia Long of the ABC, Gina Rushton of Buzzfeed and Alice Workman of The Australian – were met with spin.

Long asked whether Spicer’s mismanagement of the responses had possibly knocked some of the steam out of the women’s movement; Rushton asked whether the remainder of the 2000-plus women who had written to Spicer should also be concerned about their privacy; and Workman asked why Spicer had allowed cameras to film her computer screen and whether she was concerned that this was potentially unethical as a journalist.

Spicer evaded answering any of these questions. She just talked around the queries in what was a perfect display of what PR people do.

The impression that Spicer has used her foray into the #MeToo movement in Australia as a PR blitz for herself gathered steam after she was given three hours on the ABC to front a program titled Silent No More.

There was little of substance in the program which only served to give people various angles of Spicer’s visage, featured numerous motherhood statements from her and some patronising comments to both men and women at large. It gave the impression that sexual harassment is a PR problem.

The absence of any serious discussion of sexual harassment with qualified people – psychologists, counsellors, medical staff or lawyers – was notable. Spicer has no qualifications beyond a general graduate degree and is incapable of bringing an expert view to the issue. She, herself, has not experienced sexual harassment beyond the garden variety that practically every woman in the workplace goes through.

Whatever happens to the women’s movement in Australia, one thing is clear: Tracey Spicer has put the brakes on at a very pivotal moment. As the saying goes, one needs to strike while the iron is hot. That moment has long passed. Spicer has done sexually harassed women a singular disservice.

https://www.theage.com.au/culture/tv-and-radio/false-and-malicious-tracey-spicer-s-lawyer-hits-back-at-detractors-20191206-p53hnu.html

https://www.buzzfeed.com/hannahryan/metoo-movement-now-australia-tracey-spicer

https://www.afr.com/rear-window/how-dumb-does-tracey-spicer-think-we-are-20191203-p53gbl

,

LongNowThe 5 Questions We Need to Answer About Artificial Intelligence — Gurjeet Singh at The Interval

Creators of AI systems have a responsibility to figure out how they might go wrong, and govern them accordingly.

From Gurjeet Singh’s Interval talk, “The Shape of Data and Things to Come.”

About this Talk

Big Data promises unparalleled insights, but the larger the data, the harder they are to find. The key to unlocking them was discovered by mathematicians in the 18th century. A modern mathematician explains how to find patterns in data with new algorithms for old math.

About Gurjeet Singh

Gurjeet Singh is Chief AI Officer and co-founder of Symphony AyasdiAI. He leads a technology movement that emphasizes the importance of extracting insight from data, not just storing and organizing it. Beginning with his tenure as a graduate student in Stanford’s Mathematics Department he has developed key mathematical and machine learning algorithms for Topological Data Analysis (TDA) and their applications. Before starting Ayasdi, he worked at Google and Texas Instruments.

Dr. Singh holds a Technology degree from Delhi University and a Computational Mathematics Ph.D. from Stanford. He serves on the Technology Advisory Board at HSBC and on the U.S. Commodity Futures Trading Commission’s Technology Advisory Committee. He was named to Silicon Valley Business Journal’s “40 Under 40” list in 02015. Gurjeet lives in Palo Alto with his wife and two children and develops multi-legged robots in his spare time.

Worse Than FailureRepresentative Line: An Absolute Square

Seth S offers us something new: a representative line of Ada. We don’t get much of that, and Ada isn’t a particularly popular language, but Seth assures us that it is “unfairly maligned”.

Since 1995, Ada has been an object oriented language, and offers a standard library, strong types, a message-passing approach to communicating with objects (which migrated into Objective-C but generally doesn’t show up very often elsewhere). It’s a fine, if less-used language, and I honestly can’t say I’ve heard much maligning it (though I’ve never actually heard of anyone using it either…).

Regardless, what we can malign is some bad code. Since the earliest versions of Ada, if you wanted to find the absolute value of a variable, you’d write an expression like this:

magra := abs(ra)

Seth inherited some code from someone with a Fortran background and a bias against using built in functions for their standard operations. So they wrote this instead:

MAGRA := SQRT(RA * RA)

Interestingly, this code highlights a micro-optimization. I’ll allow Seth to explain:

the now-retired programmer was obsessed with throughput, so I assume he chose “RA * RA” instead of “RA ** 2” because earlier compilers could not be trusted to find the most efficient way to calculate the exponent

Of course, abs is faster than both options, so if only that programmer was just a little more obsessed with throughput.

Seth assures us that the rest of the code mirrors this: micro-optimizations that aren’t actually useful, Fortran coding conventions in a not-Fortran language, and many, many re-invented wheels that are worse than the original.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

,

Krebs on SecurityThe Great $50M African IP Address Heist

A top executive at the nonprofit entity responsible for doling out chunks of Internet addresses to businesses and other organizations in Africa has resigned his post following accusations that he secretly operated several companies which sold tens of millions of dollars worth of the increasingly scarce resource to online marketers. The allegations stemmed from a three-year investigation by a U.S.-based researcher whose findings shed light on a murky area of Internet governance that is all too often exploited by spammers and scammers alike.

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market. This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

Perhaps the most dogged chronicler of this trend is California-based freelance researcher Ron Guilmette, who since 2016 has been tracking several large swaths of IP address blocks set aside for use by African entities that somehow found their way into the hands of Internet marketing firms based in other continents.

Over the course of his investigation, Guilmette unearthed records showing many of these IP addresses were quietly commandeered from African businesses that are no longer in existence or that were years ago acquired by other firms. Guilmette estimates the current market value of the purloined IPs he’s documented in this case exceeds USD $50 million.

In collaboration with journalists based in South Africa, Guilmette discovered tens of thousands of these wayward IP addresses that appear to have been sold off by a handful of companies founded by the policy coordinator for The African Network Information Centre (AFRINIC), one of the world’s five regional Internet registries which handles IP address allocations for Africa and the Indian Ocean region.

That individual — Ernest Byaruhanga — was only the second person hired at AFRINIC back in 2004. Byaruhanga did not respond to requests for comment. However, he abruptly resigned from his position in October 2019 shortly after news of the IP address scheme was first detailed by Jan Vermeulen, a reporter for the South African tech news publication Mybroadband.co.za who assisted Guilmette in his research.

KrebsOnSecurity sought comment from AFRINIC’s new CEO Eddy Kayihura, who said the organization was aware of the allegations and is currently conducting an investigation into the matter.

“Since the investigation is ongoing, you will understand that we prefer to complete it before we make a public statement,” Kayihura said. “Mr. Byauhanga’s resignation letter did not mention specific reasons, though no one would be blamed to think the two events are related.”

Guilmette said the first clue he found suggesting someone at AFRINIC may have been involved came after he located records suggesting that official AFRINIC documents had been altered to change the ownership of IP address blocks once assigned to Infoplan (now Network and Information Technology Ltd), a South African company that was folded into the State IT Agency in 1998.

“This guy was shoveling IP addresses out the backdoor and selling them on the streets,” said Guilmette, who’s been posting evidence of his findings for years to public discussion lists on Internet governance. “To say that he had an evident conflict of interest would be a gross understatement.”

For example, documents obtained from the government of Uganda by Guilmette and others show Byaruhanga registered a private company called ipv4leasing after joining AFRINIC. Historic WHOIS records from domaintools.com [a former advertiser on this site] indicate Byaruhanga was the registrant of two domain names tied to this company — ipv4leasing.org and .net — back in 2013.

Guilmette and his journalist contacts in South Africa uncovered many instances of other companies tied to Byaruhanga and his immediate family members that appear to have been secretly selling AFRINIC IP address blocks to just about anyone willing to pay the asking price. But the activities of ipv4leasing are worth a closer look because they demonstrate how this type of shadowy commerce is critical to operations of spammers and scammers, who are constantly sullying swaths of IP addresses and seeking new ones to keep their operations afloat.

Historic AFRINIC record lookups show ipv4leasing.org tied to at least six sizable blocks of IP addresses that once belonged to a now defunct company from Cameroon called ITC that also did business as “Afriq*Access.”

In 2013, Anti-spam group Spamhaus.org began tracking floods of junk email originating from this block of IPs that once belonged to Afriq*Access. Spamhaus says it ultimately traced the domains advertised in those spam emails back to Adconion Direct, a U.S. based email marketing company that employs several executives who are now facing federal criminal charges for allegedly paying others to hijack large ranges of IP addresses used in wide-ranging spam campaigns.

Anyone interested in a deeper dive on Guilmette’s years-long investigation — including the various IP address blocks in question — should check out MyBroadband’s detailed Dec. 4 story, How Internet Resources Worth R800 Million (USD $54M) Were Stolen and Sold on the Black Market.

CryptogramReforming CDA 230

There's a serious debate on reforming Section 230 of the Communications Decency Act. I am in the process of figuring out what I believe, and this is more a place to put resources and listen to people's comments.

The EFF has written extensively on why it is so important and dismantling it will be catastrophic for the Internet. Danielle Citron disagrees. (There's also this law journal article by Citron and Ben Wittes.) Sarah Jeong's op-ed. Another op-ed. Another paper.

Here are good news articles.

Reading all of this, I am reminded of this decade-old quote by Dan Geer. He's addressing Internet service providers:

Hello, Uncle Sam here.

You can charge whatever you like based on the contents of what you are carrying, but you are responsible for that content if it is illegal; inspecting brings with it a responsibility for what you learn.

-or-

You can enjoy common carrier protections at all times, but you can neither inspect nor act on the contents of what you are carrying and can only charge for carriage itself. Bits are bits.

Choose wisely. No refunds or exchanges at this window.

We can revise this choice for the social-media age:

Hi Facebook/Twitter/YouTube/everyone else:

You can build a communications based on inspecting user content and presenting it as you want, but that business model also conveys responsibility for that content.

-or-

You can be a communications service and enjoy the protections of CDA 230, in which case you cannot inspect or control the content you deliver.

Facebook would be an example of the former. WhatsApp would be an example of the latter.

I am honestly undecided about all of this. I want CDA230 to protect things like the commenting section of this blog. But I don't think it should protect dating apps when they are used as a conduit for abuse. And I really don't want society to pay the cost for all the externalities inherent in Facebook's business model.

CryptogramExtracting Data from Smartphones

Privacy International has published a detailed, technical examination of how data is extracted from smartphones.

Worse Than FailureCodeSOD: Null Serializer

Nulls cause problems. Usually, they’re not big problems, but if a field might have a value- or none at all- we have to be careful with how we handle it.

Languages like C# have added Nullable types, which wrap around those problems. But sometimes, you need to cross a boundary between systems. When you send the C# data to JSON, how do you want to represent null values?

You might just send nulls. That’s fine and logical. You might just leave out the null keys (technically sending undefined). Also fine and also logical, as long as those sorts of variations are communicated by your schema.

If you’re Jackie’s co-worker, you might decide that they should just be empty strings. This is a bad choice- if a field is an integer, but it doesn’t have a value, it suddenly turns into a string? But hey, you can document this too, and essentially treat the field as a union type. It’s ugly, but workable.

Now, they use the Newtonsoft serializer to build their JSON, which is flexible and extensible, and with a little munging, can be tricked into converting nulls to strings. It’s a little bit of code, but a perfectly manageable thing, if you really want to do this.

Jackie’s co-worker felt that it was too much code.

This is what they did:

string jsonString = JsonConvert.SerializeObject(dataObj);
string jsonStringNoNull = jsonString.Replace("null", @"""""");

Convert to string, then just do a string Replace swapping the string "null" with an empty string. Notice that there are no guards on it, no checks, no logic- anything instances of null are replaced regardless of where they appear. Hope they don’t have any customers with the name Null, or use any of these words in their field names or data.

So far, it hasn’t caused any noticeable errors. So far.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Krebs on SecurityPatch Tuesday, December 2019 Edition

Microsoft today released updates to plug three dozen security holes in its Windows operating system and other software. The patches include fixes for seven critical bugs — those that can be exploited by malware or miscreants to take control over a Windows system with no help from users — as well as another flaw in most versions of Windows that is already being exploited in active attacks.

By nearly all accounts, the chief bugaboo this month is CVE-2019-1458, a vulnerability in a core Windows component (Win32k) that is present in Windows 7 through 10 and Windows Server 2008-2019. This bug is already being exploited in the wild, and according to Recorded Future the exploit available for it is similar to CVE-2019-0859, a Windows flaw reported in April that was found being sold in underground markets.

CVE-2019-1458 is what’s known as a “privilege escalation” flaw, meaning an attacker would need to previously have compromised the system using another vulnerability. Handy in that respect is CVE-2019-1468, a similarly widespread critical issue in the Windows font library that could be exploited just by getting the user to visit a hacked or malicious Web site.

Chris Goettl, director of security at Ivanti, called attention to a curious patch advisory Microsoft released today for CVE-2019-1489, which is yet another weakness in the Windows Remote Desktop Protocol (RDP) client, a component of Windows that lets users view and manage their system from a remote computer. What’s curious about this advisory is that it applies only to Windows XP Service Pack 3, which is no longer receiving security updates.

“The Exploitability Assessment for Latest Software Release and Older Software Release is 0, which is usually the value reserved for a vulnerability that is known to be exploited, yet the Exploited value was currently set to ‘No’ as the bulletin was released today,” Goettl said. “If you look at the Zero Day from this month (CVE-2019-1458) the EA for Older Software Release is ‘0 – Exploitation Detected.’ An odd discrepancy on top of a CVE advisory for an outdated OS. It is very likely this is being exploited in the wild.”

Microsoft didn’t release a patch for this bug on XP, and its advisory on it is about as sparse as they come. But if you’re still depending on Windows XP for remote access, you likely have bigger security concerns. Microsoft has patched many critical RDP flaws in the past year. Even the FBI last year encouraged users to disable it unless needed, citing flawed encryption mechanisms in older versions and a lack of access controls which make RDP a frequent entry point for malware and ransomware.

Speaking of no-longer-supported Microsoft operating systems, Windows 7 and Windows Server 2008 will cease receiving security updates after the next decade’s first Patch Tuesday comes to pass on January 14, 2020. While businesses and other volume-license purchasers will have the option to pay for further fixes after that point, all other Windows 7 users who want to stick with Windows will need to consider migrating to Windows 10 soon.

Windows 10 likes to install patches and sometimes feature updates all in one go and reboot your computer on its own schedule, but you don’t have to accept this default setting. Windows Central has a useful guide on how to disable or postpone automatic updates until you’re ready to install them. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. To get there, click the Windows key on your keyboard and type “windows update” into the box that pops up.

Keep in mind that while staying up-to-date on Windows patches is a good idea, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re probably not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and backup your files before installing any patches.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may even chime in here with some helpful tips.

Finally, once again there are no security updates for Adobe Flash Player this month (there is a non-security update available), but Adobe did release critical updates for Windows and macOS versions of its Acrobat and PDF Reader that fix more than 20 vulnerabilities in these products. Photoshop and ColdFusion 2018 also received security updates today. Links to advisories here.

,

TEDStrike for the climate: Jane Fonda speaks at TEDWomen 2019

Civil disobedience is becoming a new normal, says actor and activist Jane Fonda. She speaks with host Pat Mitchell about Fire Drill Fridays, her weekly climate demonstrations, at TEDWomen 2019: Bold + Brilliant on December 5, 2019 in Palm Springs, California. (Photo: Marla Aufmuth / TED)

At age 81, actor and activist Jane Fonda is putting herself on the line for the planet, literally. In a video interview with TEDWomen curator Pat Mitchell, Fonda speaks about Fire Drill Fridays, the weekly demonstrations on Capitol Hill she leads in partnership with Greenpeace.

Since moving to Washington D.C. in September 2019, Fonda has staged a sit-in at the Hart Senate Office Building on Capitol Hill every Friday to protest the extraction of fossil fuels. She’s been arrested multiple times and spent a night in jail, and her actions are inspiring people around the world to host their own Fire Drill Fridays. She believes protest is becoming a new normal — at least until we see the changes we need. But, she says, we don’t all need to get arrested to raise awareness. She details some of the ways we can pressure our lawmakers and hold governments accountable.

Here are highlights from the interview.

Pat Michell: Talk to us about the origin of Fire Drill Fridays.

Jane Fonda: “I was very inspired by Greta Thunberg, the Swedish student, and by the young school climate strikers. Greta says: we have to get out of our comfort zone, we have to behave like our house is burning — because it is. She really struck a chord in me. … It’s an enormous challenge. We have eleven years, many say, a decade. And I thought, ‘Oh, I’m so lucky that I am healthy and living in a decade where we, who are alive, can actually make the difference — we can make the difference as to whether there is a livable future or not.’ What a glorious responsibility we have. We have to step up to the plate. …

“So, I decided, like Greta, I was going to put my body on the line and move to the center of American power, Washington, DC, and have a rally every Friday like the students do. And we work with the students — they speak at my rallies and I speak at their rallies — and then after we speak, we engage in civil disobedience and risk getting arrested.”

PM: Do you have any concerns about putting your body on the line and your life on hold?

JF: “I realize that not everybody can leave work and go do what I’m doing. But I must say that requests are pouring in, and not only from the United States but from other countries, people who want to start Fire Drill Fridays. And the people who are coming and getting arrested with me and engaging in civil disobedience, many of them have never done it before. And they find it transformative.

“But the fact is that there are so many things people can do, starting with talking about it, expressing how you feel about it … even when it’s uncomfortable. … Of course voting is very, very important, and we have to vote for the people that are the bravest, the boldest of our elected officials.”

PM: What would success for Fire Drill Fridays look like to you?

JF: “Success would look like every state stops all new fossil fuel expansion. Because if they keep drilling, fracking and mining, the problem will just get worse. So that no matter what we do with windmills and solar collectors and so forth, we’ll never be able to catch up. We have to stop all new expansion.”

PM: Will Fire Drill Fridays continue?

JF: “There has been such an interest in it … from all around the country, people asking if they can start one … we’re thinking about maybe doing it in Los Angeles.

“But I want to correct one thing: I’m not leading. It’s the young people, it’s the students, that are leading. It’s always the young people that step up with the courage. And it’s pretty amazing, because they’re risking a lot. It’s pretty brave to take a Friday off from school … but they’re doing it anyway. There have been millions of them … all around the world, and they’re saying, ‘Don’t let us have to deal with this by ourselves, we didn’t create this problem. Come and help us.’ So, Grandmas unite!”

PM: Do you leave this experience with a new level of hope or optimism?

JF: “Yes, I am optimistic. … [People] want to do something but no one has asked them. We have to ask them. We have to get organized. … This coming year is the critical year. What happens is going to be so important. Especially someone who is healthy, who feels relatively young, who has a platform — we have to use it in every possible way we can.”

Krebs on SecurityCISO MAG Honors KrebsOnSecurity

CISO MAG, a publication dedicated to covering issues near and dear to corporate chief information security officers everywhere, has graciously awarded this author the designation of “Cybersecurity Person of the Year” in its December 2019 issue.

KrebsOnSecurity is grateful for the unexpected honor. But I can definitely think of quite a few people who are far more deserving of this title. In fact, if I’m eligible for any kind of recognition, perhaps “Bad News Harbinger of the Year” would be more apt.

As in years past, 2019 featured quite a few big breaches and more than a little public speaking. Almost without fail at each engagement multiple C-level folks will approach after my talk, hand me their business cards and say something like, “I hope you never have to use this, but if you do please call me first.”

I’ve taken that advice to heart, and now endeavor wherever possible to give a heads up to CISOs/CSOs about a breach before reaching out to the public relations folks. I fully realize that in many cases the person in that role will refer me to the PR department eventually or perhaps immediately.

But on balance, my experience so far is that an initial outreach to the top security person in the organization often results in that inquiry being taken far more seriously. And including this person in my initial outreach makes it much more likely that this individual ends up being on the phone when the company returns my call.

Too often, these conversations are led by the breached organization’s general counsel, which strikes me as an unnecessarily confrontational and strategically misguided approach. Especially if this is also their playbook for responding to random security researchers trying to let the company know about a dangerous security vulnerability, data breach or leak.

At least when there is a C-level security person on the phone when that call comes in I can be relatively sure I’m not going to get snowed on the technical details. While this may be a distant concern for the organization in the throes of responding to a data security incident, the truth is that the first report is usually what gets repeated in the media — whether or not it is wholly accurate or fair.

This year’s CISO MAG awards also honor the contributions of Rik Ferguson, vice president security research at Trend Micro, and Troy Hunt, an expert on web security and author of the data breach search website Have I Been Pwned? More at cisomag.com.

Worse Than FailureCodeSOD: An Endpoint's Plugin

Heidi is doing some support work and maintenance on a application owned by a government agency. Currently, the work environment is a bit of a bureaucratic nightmare where you can’t do even the mildest code change without going through four hundred layers of paperwork, signoff, and consensus building. This isn’t just normal government stuff- it’s coming straight as a reaction to the previous work done on this project.

Heidi was specifically trying to track down a bug where one of the generated documents was displaying incorrect data. That lead her to this method in their C# web code:

public ActionResult GenerateDocument(FormCollection form)
{            
    int briefType = int.Parse(form["reportId"]);
    int senderId = int.Parse(form["senderId"]);
    int signatureId = int.Parse(form["signatureId"]);
    int profileId = int.Parse(form["profileId"]);
    decimal dossierId = Decimal.Parse(form["dossierId"]);
    int? contactId = null;        
    bool minute = "true".Equals(form["minuteBool"]);
    string rheIds = form["rheids"];

    if (form.AllKeys.Contains("contactId"))
    {
        contactId = int.Parse(form["contactId"]);
    }

    ProfileDTO profile = ProfileManager.GetInstance().GetProfile(profileId);
    IEndPoint endpoint = profile.GetEndPoint();

    DossierBrief brief = CreateBrief(briefType, dossierId, signatureId, senderId, contactId, null, null, minute, profile, rheIds);
    brief.Engine = endpoint.IsLocal() ? "Local" : "Service";

    endpoint.SetLogger(this);

    try
    {
        endpoint.SendTo(brief, CurrentUserName);
    }
    catch (Exception e)
    {
        Logger(e, LogTypeEnum.ERROR);
        return ReturnFailure(e.Message);
    }

    return ReturnSuccess(null, "loadBriefStore();");
}

There’s a lot of meaningless garbage in here, and mostly you can skip over it and just look at the last line. When we successfully communicate to the endpoint, we send back a ReturnSuccess that contains a JavaScript method to invoke on the client. Yes, when the process works, the client just evals the body of the success message.

That’s ugly coupling between the server-side and client-side layers of this code. But the GetEndPoint method got Heidi curious. What did that do?

public IEndPoint GetEndPoint()
{
    IEndPoint endPoint = EndPointManager.GetInstance().GetEndPoint(this.ENGINE);
    endPoint.SetProfile(this);

    return endPoint;
}

Well, that doesn’t seem like too much, does it? It’s suspicious that they’re using the Singleton pattern- C# tends to favor using Static classes for that. It’s not wrong, but hey, let’s see what it’s doing.

public class EndPointManager
{
  private static EndPointManager current = new EndPointManager();
  private Dictionary<string, IEndPoint> endPoints = new Dictionary<string, IEndPoint>();
  public static EndPointManager GetInstance()
  {
      return current;
  }
  private EndPointManager()
  {
      foreach (string dll in Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "bin\\Application.Engine.*.dll"))
      {
          Assembly assembly = Assembly.LoadFile(dll);
          foreach (Type type in assembly.GetExportedTypes())
          {
              if (type.GetInterfaces().Contains(typeof(IEndPoint)))
              {
                  ConstructorInfo constructorInfo = type.GetConstructor(new Type[] { });
                  IEndPoint endPoint = (IEndPoint)constructorInfo.Invoke(new object[] { });
                  this.endPoints.Add(endPoint.GetName(), endPoint);
              }
          }
      }
  }
  //…
}

And here we have everyone’s favorite thing to write: a plugin loader that scans a directory for DLLs, loads them, and then scans them for objects which implement the IEndPoint interface.

At some point, I think, every “clever” developer gets the temptation to do this. You can deploy new endpoints without ever recompiling anything else! It’s a plugin architecture! It’s fancy! It’s extensible!

The problems, of course, are that no one actually needed this to have a plugin architecture. The previous developer just did that because they were prematurely abstracting out their application engine, which is what happens to 70% of these sorts of plugin architectures. Worse, actually designing a safe, reliable, and usable plugin architecture is deceptively tricky. While this works fine, because they’re not actually using it, if they were trying to really build plugins, they’d quickly realize what a mess they’ve made with all the unaddressed edge cases.

In fact, given how tricky it is, Microsoft actually provided a Managed Extension Framework (MEF), so this doubles as a case of reimplementing what already exists, and that dates back to at least .NET 4.0, and is part of CoreFx, so it’s even available through .NET core (though its behavior might differ slightly).

So, what we have here is a case where a developer solved a problem they didn’t have by reinventing a wheel that they could have been using, and did all that to ensure that they could pass raw JavaScript from the server to the client so the client can just eval it.

Heidi adds:

I’m not changing any of this (yet). I have no idea what would break (unit test coverage is something like 5.4%), and this does seem to actually work as intended- unlike a lot of other parts of this application.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

,

Cory DoctorowParty Discipline, a Walkaway story (Part 2)

In my latest podcast (MP3), I continue my serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

The cop pulled the vice principal’s chair out from behind the desk and sat down on it in front of us. He didn’t say anything. He was young, I saw, not much older than us, and still had some acne on one cheek. White dude. Not my type, but good looking, except that he was a cop and he was playing mind games with us.

“Are we being detained?” Somewhere in my bag was a Black Lives Matter bust-card and while I’d forgotten almost everything written on it, I remembered that this was the first question I should ask.

“You are here at the request of your school administration.” Oh. Even when there wasn’t a fresh lockdown, the administration had plenty of powers to search us, ask us all kinds of nosy questions. And after a lockdown? Forget it.

MP3

TEDWayfinders: Notes from Session 6 of TEDWomen 2019

Singer, songwriter and beatboxer Butterscotch lights up the stage at TEDWomen 2019: Bold + Brilliant, on December 6, 2019, in Palm Springs, (California. Photo: Jasmina Tomic / TED)

The final session of TEDWomen 2019 is here! We can’t believe it; we won’t believe. But, if we must close out these three incredible days, it’s good we did it by hearing from a diverse range of “wayfinders” — incredible women who are using their wisdom and insight to light the way forward, tackle global problems and find the right balance of fear and courage to do so.

The event: TEDWomen 2019, Session 6: Wayfinders, hosted by Pat Mitchell, Helen Walters and Kelly Stoetzel

When and where: Friday, December 6, 2019, 9am PT, at La Quinta Resort & Club in La Quinta, California

Speakers: Valorie Kondos Field, Noeline Kirabo, Martha Minow, Agnes Binagwaho, Mary Ellen Hannibal, Jasmine Crowe, Cara E. Yar Khan, Pat Mitchell

Music: Singer-songwriter Butterscotch performs a virtuosic set, mixing beatboxing with her powerful voice to sing about love, life and everything in between.

The talks in brief:

Valorie Kondos Field, gymnastics coach

Big idea: Victory does not always equal success. Leaders need to consider the cost of winning to those under our care and redefine success in empathetic and positive terms.

How? Across the world, a pervasive “win at all costs” culture is creating emotional and physical crises. When Valorie Kondos Field first started working with the UCLA women’s gymnastics team, she mimicked other “winning” coaches by being relentless, unsympathetic and outright mean. One day, her team sat her down and made a firm case against her top-down, bullying approach. The years that followed — and her deeply personal, trust-based work with champion athletes like Katelyn Ohashi and Kyla Ross — were a lesson in the importance of an empathetic approach. True champions, she says, derive joy from their pursuits — win or lose.

Quote of the talk: “Instead of focusing maniacally on winning, we need to have the courage to develop champions through empathy, positivity, and accountability.”


How do you find your passion? Noeline Kirabo provides some answers at TEDWomen 2019: Bold + Brilliant, on December , 2019, in Palm Springs, California. (Photo: Jasmina Tomic / TED)

Noeline Kirabo, social entrepreneur

Big idea: Almost everyone dreams of turning their passion into a successful career — but to do so, you must first identify what your passion is.

How? Passion isn’t only for the rich or the retired, says Noeline Kirabo. When she dropped out of school because she couldn’t afford the tuition, she didn’t settle for a job she didn’t love — instead, she decided to follow her passion. She founded Kyusa, a nonprofit dedicated to addressing youth unemployment in Uganda by helping young people turn their interests into careers and profitable businesses. Her organization provides the necessary support for them to build the future of their dreams, including soft skills and entrepreneurial training. But how do you discover your passion? She poses two questions to help you find the answer: If you had all the money and time in the world, what would you spend your time doing; and what truly makes you happy or gives you a deep sense of fulfillment? To find these answers, she says, we must look inward — not outward. 

Quote of the talk: “We need to look inward to identify the things that give us a deep sense of fulfillment, the things that give us the deepest joy, and then weave them into the patterns of our daily routines. In so doing, we cease to work, and we start to live.”


Martha Minow, law professor

Big idea: Our laws and legal system are focused on punishment, but they should make more room for forgiveness.

Why?: In her 40 years of teaching law, Martha Minow has found that law students are not taught much about forgiveness. While the law itself does contain tools like pardons, commutations and bankruptcy for debt, they are not adequately used. Or, when they are used, they reinforce existing social inequities along the lines of race and class. Yet the benefits of mercy have been widely shown, not just for our own individual health, but also for the health of communities affected by criminal activity. Restorative justice, which emphasizes accountability and service rather than punishment, can disrupt the school-to-prison pipeline that has become a prominent issue in parts of the US, Minow says. Although placing more of an emphasis on forgiveness comes with the risk of bias, it also comes with the promise of creating a fairer future.

Quote of the talk: “To ask how law may forgive is not to deny the fact of wrongdoing. Rather, it’s to widen the lens to enable glimpses of the larger patterns.”


Agnes Binagwaho, pediatrician, former Minister of Health of Rwanda

Big idea: Educating women creates female leaders and establishes gender equity — which improves society in countless ways.

How? In 1994, Agnes Binagwaho returned to her home country of Rwanda to practice medicine in the aftermath of the country’s horrific genocide. The devastation was so pervasive she considered leaving, but resilient Rwandan women motivated her to stay and help rebuild. And she is glad she did. Today, Rwanda has the highest proportion of women in parliament — nearly 62 percent — and the most successful HPV vaccination campaign for children. More recently, Binagwaho helped open a medical school in Rwanda called University of Global Health Equity, which maintains gender parity and is free of charge, as long as students commit to working with vulnerable communities around the world.

Quote of the talk: “I have learned that if we focus on women’s education, we improve their lives positively, as well as the wellbeing of their community.”


Mary Ellen Hannibal, science writer

Big idea: Around the world, insect species (including the monarch butterfly) are dying at an alarming rate. The looming demise of important pollinators (like bees and butterflies) will have dire consequences for human civilization. Citizen scientists could help save these insects — and the planet.

How? Citizen scientists — people without PhDs who leverage technology to collect data and organize initiatives to protect the natural world — are a crucial force for understanding complex natural phenomena. The same citizen scientists who documented plummeting monarch butterfly populations now work to save them (and other endangered species) through food-source cultivation, habitat preservation and efforts like the City Nature Challenge — a scalable data-gathering initiative supporting threatened species that cohabit our cities.

Quote of the talk: “Insect life is at the very foundation of our life-support systems. We can’t lose these insects.”


Jasmine Crowe, social entrepreneur, hunger hero

Big idea: We’re doing hunger wrong in America. We can eliminate hunger, reduce food waste and give families their dignity back through innovative technology, instead of charity. 

How? While Food banks are beloved community institutions, they aren’t solving hunger, says Jasmine Crowe. They keep families dependent on their services and rarely offer a full meal. Scarcity isn’t the problem, Crowe reminds us: globally, one in nine people go hungry each day, yet food waste has increased by 50 percent since the 1970s. Crowe — who has spent her life giving back to the Atlanta community — is reengineering how cities handle hunger through Goodr, a tech-enabled sustainable food waste company. Their app gathers unused food from local businesses and distributes it to food deserts through nonprofits and popup grocery stores. Each of us has the power to join the movement to bring real food and dignity back to families.

Quote of the talk: “We wanted to change the way we think and approached the hunger fight, get people to believe that we could solve hunger — not as a charity, not as a food bank, but as a social enterprise with a goal of ending hunger and food waste.”


Cara E. Yar Khan, humanitarian, disability activist

Big Idea: Courage is never instantaneous or easy. It’s a careful balance of bravery and fear. 

How? After being diagnosed with Hereditary Inclusion Body Myopathy, a genetic condition that deteriorates muscle, Cara E. Yar Khan heard repeatedly that she had to limit her career ambitions and quiet her dreams. Instead, she actively pursued and accomplished her goals, working as a humanitarian in Angola with the UN and as a disability advocate in Haiti following the 2010 earthquake. She decided to descend to the base of the Grand Canyon, embarking on a harrowing 12-day trip: four days descending the canyon via horseback, and eight days of white water rafting through the Colorado River. Though terrifying, the trip showed her how powerful her courage could be, she says. Courage isn’t just a burst of bravery that appears when needed — it arises when we’re willing to take risks, acknowledge and prepare for our fears and become devoted to bringing our dreams to life. 

Quote of the talk: “Without fear, you’ll do foolish things. Without courage, you’ll never step into the unknown. The balance of the two is where the magic lies, and it’s a balance we all deal with everyday.”


Pat Mitchell, TEDWomen curator, self-proclaimed “dangerous woman”

Big idea: It’s time to embrace risk, speak out and live dangerously.

Why? We live in dangerous times, with nothing left to prove and much more to lose, says Pat Mitchell. The rise in sexism, racism and violence against women and girls, alongside the dire state of our planet, demands that we live dangerously. “I don’t mean being feared,” says Mitchell. “But I do mean being more fearless.” Mitchell knows this best from her own life blazing a path across media and television. On the TEDWomen stage, she shares how her own experiences informed her leadership decisions and vision of a future where women wield the power they already hold. (Read a full recap here.)

Quote of the talk: “At this point in my life’s journey, I am holding my splendid torch higher than ever, boldly and brilliantly — inviting you to join me in its dangerous light.”

Google AdsenseMarketing Communications Specialist

Keep your audience engaged and prepare for the upcoming seasonal peaks

CryptogramFailure Modes in Machine Learning

Interesting taxonomy of machine-learning failures (pdf) that encompasses both mistakes and attacks, or -- in their words -- intentional and unintentional failure modes. It's a good basis for threat modeling.

LongNowIs Mars the Solution for Earth’s Problems?

Geologist Marcia Bjornerud and Long Now’s Executive Director Alexander Rose debate about whether going to Mars is a viable long-term sustainability plan for human survival.

From Marcia Bjornerud’s Long Now talk, “Timefulness.”

About the Talk

We need a poly-temporal worldview to embrace the overlapping rates of change that our world runs on, especially the huge, powerful changes that are mostly invisible to us.

Geologist Marcia Bjornerud teaches that kind of time literacy. With it, we become at home in the deep past and engaged with the deep future. We learn to “think like a planet.”

As for climate change… “Dazzled by our own creations,” Bjornerud writes, “we have forgotten that we are wholly embedded in a much older, more powerful world whose constancy we take for granted…. Averse to even the smallest changes, we have now set the stage for environmental deviations that will be larger and less predictable than any we have faced before.”

About Marcia Bjornerud

A professor of geology and environmental studies at Lawrence University in Wisconsin, Marcia Bjornerud is author of Timefulness: How Thinking Like a Geologist Can Help Save the World (2018) and Reading the Rocks: The Autobiography of the Earth (2005).

Worse Than FailureCodeSOD: Crank the Volume

When using generic types in a language like Java, nesting generics is a code smell. That is to say, a type like List<Map<String, T>> is probably a sign that you've gone off the path and should rethink how you're structuring your program. Similarly, types that depend on more than one or two generic type parameters are probably a code smell as well.

If those are a "code smell" this code Adam S found is a "code sewage treatment plan in dire need of a visit from the Environmental Protection Agency".

public interface VolumeStream<V extends Volume, I> extends BaseVolumeStream<VolumeStream<V, I>, V, I>{ default <M extends MutableVolume, M2 extends M, U extends UnmodifiableVolume> M2 merge(V second, VolumeMerger<I, ? super U> merger, M2 destination, VolumeFiller<? extends M, ? extends I> applier) { return merge(VolumeReducer.of(() -> second, () -> (U) getVolume().asUnmodifiableVolume(), () -> destination, merger, applier)); } <M extends MutableVolume, M2 extends M, U extends UnmodifiableVolume> M2 merge(VolumeReducer<V, I, M, M2, U> reducer); } public interface VolumeReducer<V extends Volume, T, M extends MutableVolume, M2 extends M, U extends UnmodifiableVolume> { Supplier<V> getSecond(); Supplier<U> getReference(); Supplier<M2> getAccumilator(); VolumeMerger<T, U> GetReducer(); VolumeFiller<M2, T> getFinisher(); public static <NV extends Volume, NT, NM extends MutableVolume, NM2 extends NM, NU extends UnmodifiableVolume> VolumeReducer<NV, NT, NM, NM2, NU> of(final Supplier<NV> second, final Supplier<NU> reference, final Supplier<NM2> accumilator, final VolumeMerger<NT, ? super NU> reducer, final VolumeFiller<? extends NM, ? extends NT> finisher) { return new Impl<>(second, reference, accumilator, reducer, finisher); } }

Not only is that a nest of types which is impossible to understand, it doesn't even manage to get full type safety- VolumeStream presumably inherits the method getVolume through BaseVolumeStream, but getVolume doesn't have a signature of type U (anything which extends UnmodifiableVolume, presumably)- so there's actually a cast required: (U) getVolume().asUnmodifiableVolume().

But hey, even if the code is ugly, that hopefully gives us a clean, readable calling convention, right? We're gonna call this code more often that we're gonna write it. How do they call this?

stream.<MutableBlockVolume<? extends MutableBlockVolume<?>>, GenerationRegion, UnmodifiableBlockVolume<?>>merge(this, merger, region, VolumeFiller.BLOCK_APPLIER);

Oh.

Adam adds:

This code tries to express a transformation pipeline for streaming game data, and instead expresses how much I'd like to be writing in literally anything else.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

MEsystemd-nspawn and Private Networking

Currently there’s two things I want to do with my PC at the same time, one is watching streaming services like ABC iView (which won’t run from non-Australian IP addresses) and another is torrenting over a VPN. I had considered doing something ugly with iptables to try and get routing done on a per-UID basis but that seemed to difficult. At the time I wasn’t aware of the ip rule add uidrange [1] option. So setting up a private networking namespace with a systemd-nspawn container seemed like a good idea.

Chroot Setup

For the chroot (which I use as a slang term for a copy of a Linux installation in a subdirectory) I used a btrfs subvol that’s a snapshot of the root subvol. The idea is that when I upgrade the root system I can just recreate the chroot with a new snapshot.

To get this working I created files in the root subvol which are used for the container.

I created a script like the following named /usr/local/sbin/container-sshd to launch the container. It sets up the networking and executes sshd. The systemd-nspawn program is designed to launch init but that’s not required, I prefer to just launch sshd so there’s only one running process in a container that’s not being actively used.

#!/bin/bash

# restorecon commands only needed for SE Linux
/sbin/restorecon -R /dev
/bin/mount none -t tmpfs /run
/bin/mkdir -p /run/sshd
/sbin/restorecon -R /run /tmp
/sbin/ifconfig host0 10.3.0.2 netmask 255.255.0.0
/sbin/route add default gw 10.2.0.1
exec /usr/sbin/sshd -D -f /etc/ssh/sshd_torrent_config

How to Launch It

To setup the container I used a command like “/usr/bin/systemd-nspawn -D /subvols/torrent -M torrent –bind=/home -n /usr/local/sbin/container-sshd“.

First I had tried the --network-ipvlan option which creates a new IP address on the same MAC address. That gave me an interface iv-br0 on the container that I could use normally (br0 being the bridge used in my workstation as it’s primary network interface). The IP address I assigned to that was in the same subnet as br0, but for some reason that’s unknown to me (maybe an interaction between bridging and network namespaces) I couldn’t access it from the host, I could only access it from other hosts on the network. I then tried the --network-macvlan option (to create a new MAC address for virtual networking), but that had the same problem with accessing the IP address from the local host outside the container as well as problems with MAC redirection to the primary MAC of the host (again maybe an interaction with bridging).

Then I tried just the “-n” option which gave it a private network interface. That created an interface named ve-torrent on the host side and one named host0 in the container. Using ifconfig and route to configure the interface in the container before launching sshd is easy. I haven’t yet determined a good way of configuring the host side of the private network interface automatically.

I had to use a bind for /home because /home is a subvol and therefore doesn’t get included in the container by default.

How it Works

Now when it’s running I can just “ssh -X” to the container and then run graphical programs that use the VPN while at the same time running graphical programs on the main host that don’t use the VPN.

Things To Do

Find out why --network-ipvlan and --network-macvlan don’t work with communication from the same host.

Find out why --network-macvlan gives errors about MAC redirection when pinging.

Determine a good way of setting up the host side after the systemd-nspawn program has run.

Find out if there are better ways of solving this problem, this way works but might not be ideal. Comments welcome.

,

Cory DoctorowRadicalized is one of the CBC’s best books of 2019!

Well this is pretty great! Radicalized, my book of four novellas, is one of the CBC’s picks for best Canadian fiction of 2019. It’s in pretty outstanding company, too, including Margaret Atwood’s The Testaments.

,

LongNowDigital Repatriations: Historic Recordings Returned to Passamaquoddy Tribe

Walter Jesse Fewkes records the Passamaquoddy Tribe in 01890. Photo: Passamaquoddy Cultural Heritage Museum.

In 01890, anthropologist Jesse Walter Fewkes traveled to Eastern Maine to document the Passamaquoddy Tribe. By then, war, disease, and unhonored treaties by local and federal authorities had reduced the tribe to a few hundred members.

Fewkes brought with him one of Thomas Edison’s phonographs — a technology less than a decade old. Over the course of several days, Fewkes recorded members of the tribe singing, telling stories, and providing basic pronunciation examples of words for things like numbers and days onto large, wax cylinders in 3 minute increments.

The Fewkes recordings represented a significant ethnographic advancement for the burgeoning field of Anthropology. It was the first time sounds had ever been recorded in the field. The recordings were given to Boston’s Peabody Museum, and acquired by the Library of Congress in 01976. It wasn’t until the 01980s, when the Library of Congress informed the Passamaquoddy of their existence, that any tribal members heard the recordings. The Passamaquoddy discovered that some material that was considered sacred and not meant to be heard outside of the tribe, such as a funeral ceremony, had been available for the general public to listen to for years.

The knowledge of the recordings came at a time of resurgence for the Passamaquoddy following a century of hardship. As E. Tammy Kim, writing in The New Yorker, puts it: “For decades, tribal members had suffered extreme poverty, seen their language banned by the Catholic priests and nuns who oversaw the reservations, and lost their kids to the child-welfare system.” But the Tribe recently won a landmark land claims settlement, and was awarded funds to purchase 150,000 acres of land. This resulted in many displaced tribal members returning to the tribe’s two reservations. Many of these “off-reservation returnees” were disconnected from Passamaquoddy culture. Some had intermarried, and did not speak the Passamaquoddy language. The Passamaquoddy Tribe estimates that 70% of its members could speak the language 30 years ago. Today, only 12% of its 3,600 members are fluent.

Those statistics may soon change. In recent years, technological advances in audio restoration, coupled with Passamaquoddy activism around preserving tribal culture and language, has led to the Library of Congress launching a new project of “digital repatriation” for the Passamaquoddy recordings called “Ancestral Voices.” The project’s goal is to confer curatorial control of the recordings back to the Tribe.

The process of enacting digital repatriations involves both technological and anthropological hurdles. The recordings are first cleaned for clarity of sound. There is still the crackle of age, but the content is now clearly audible and understandable. Next is the assignment of “Traditional Knowledge Labels,” a system developed by Professor Jane Anderson of New York University. Traditional Knowledge Labeling is “‘designed to identify and clarify which material has community-specific restrictions regarding access and use.

These labels work to prevent future mis-use of indigenous recordings and ensure that sacred material culture stays within the community and not widely disseminated, as has happened in the past.

Dwayne Tomah transcribing and translating a wax cylinder recording. Photo by Robbie Feinberg/Maine Public.

The transcription, translation and interpretation of the recordings required speakers of the Passamaquoddy language. In an interview with Art Canvas, Dwayne Tomah, a current member of the Passamaquoddy Tribe, found this to be an emotional and poignant process:

“I really wept. Hearing their voices. Knowing that I’m probably one of the last fluent speakers on the reservation. And that we’re still continuing this process to be able to revitalize our language and bring it back to life again, so to speak. And give it some attention that it really deserves.”

One of the main results from the digital repatriation was the creation of the Passamaquoddy Peoples’ Knowledge Portal. The entire recording collection can be found here, along with historical context, films, vocabulary guides and photographs. This website provides continuity between the past, present and future of the Tribe, providing a space and access for future Passamaquoddy generations to learn ancestral and traditional knowledge.

Members of the Passamaquoddy tribe dancing during a traditional tribal inauguration ceremony in August 02015. Photo via Island Institute.

“Language is both an embodiment of human culture, as well as the primary means of its maintenance and transmission,” writes Dr. Laura Welcher, a linguist and Director of Long Now’s long-term language archiving Rosetta Project. “When languages are lost, the transmission of traditional culture is often abruptly severed.” In seeking to correct erasures, reverse the extinction of languages, and reconstitute ritual, repatriation projects aim to restore this cultural transmission. Once indigenous people hear the voices of their ancestors that has previously been denied to them, it empowers them to reclaim their voice in the here and now.

Learn More

  • Explore the Passamaquoddy Peoples’ Knowledge Portal, where you can listen to Fewkes recordings.
  • Read E. Tammy Kim’s piece in The New Yorker on the digital repatriations project. 
  • Learn more about the usage of Traditional Knowledge labels. 

,

LongNowThe role of 80-million year-old rocks in American slavery — Lewis Dartnell at The Interval

When cretaceous-age rocks in the Southern US eroded over millions of years, they produced a uniquely rich, fertile soil that landowners realized was ideal for growing cash crops such as cotton. It was the soil from these rocks that slaves toiled over in the era of American slavery—and the same ground that ultimately became the epicenter of the Civil Rights Movement.

From Lewis Dartnell’s talk at The Interval, “ORIGINS: How Earth’s history shaped human history.”

About the talk

From the cultivation of the first crops to the founding of modern states, the human story is the story of environmental forces, from plate tectonics and climate change, to atmospheric circulation and ocean currents.

Professor Lewis Dartnell will dive into the planet’s deep past, where history becomes science, to explore a web of connections that underwrites our modern world, and that can help us face the challenges of the future.

About Lewis Dartnell

Lewis Dartnell is a Professor of Science Communication at the University of Westminster. Before that, he completed his biology degree at the University of Oxford and his PhD at UCL, and then worked as the UK Space Agency research fellow at the University of Leicester, studying astrobiology and searching for signs of life on Mars. He has won several awards for his science writing and contributes to the Guardian, The Times, and New Scientist. He is also the author of three books. He lives in London, UK.

,

Cory DoctorowParty Discipline, a Walkaway story (Part 1)

In my latest podcast (MP3), I’ve started a serial reading of my novella Party Discipline, which I wrote while on a 35-city, 45-day tour for my novel Walkaway in 2017; Party Discipline is a story set in the world of Walkaway, about two high-school seniors who conspire to throw a “Communist Party” at a sheet metal factory whose owners are shutting down and stealing their workers’ final paychecks. These parties are both literally parties — music, dancing, intoxicants — and “Communist” in that the partygoers take over the means of production and start them up, giving away the products they create to the attendees. Walkaway opens with a Communist Party and I wanted to dig into what might go into pulling one of those off.

I don’t remember how we decided exactly to throw a Communist party. It had been a running joke all through senior year, whenever the obvious divisions between the semi-zottas and the rest of us came too close to the surface at Burbank High: “Have fun at Stanford, come drink with us at the Communist parties when you’re back on break.”

The semi-zottas were mostly white, with some Asians—not the brown kind—for spice. The non-zottas were brown and black, and we were on our way out. Out of Burbank High, out of Burbank, too. Our parents had lucked into lottery tickets, buying houses in Burbank back when they were only ridiculously expensive. Now they were crazy. We’d be the last generation of brown kids to go to Burbank High because the instant we graduated, our parents were going to sell and use the money to go somewhere cheaper, and the leftovers would let us all take a couple of mid-range MOOCs from a Big Ten university to round out our community college distance-ed degrees.

MP3

,

Cory DoctorowTalking with the Left Field podcast about Sidewalk Labs’s plan to build a surveilling “smart city” in Toronto

We’ve been closely following the plan by Google sister company Sidewalk Labs to build a surveilling “smart city” in Toronto; last week, I sat down with the Out of Left Field podcast (MP3) to discuss what’s going on with Sidewalk Labs, how it fits into the story of Big Tech, and what the alternatives might be.

,

Sam VargheseTest cricket is becoming a joke

Pakistan look like they will lose by an innings again to Australia, meaning that the two-Test series will end in a wipeout.

The question is: why are so many weak teams coming to Australia and playing matches that end up being hopelessly one-sided, resulting in very few people going to watch them?

Or is it the case that there is no other option given that India cannot come to Australia every year and play?

Pakistan has not played international cricket at home since 2009 when Sri Lanka toured. During that tour, terrorists attacked a bus carrying the Sri Lankans.

Since then, Pakistan has played all its international games in either Dubai or Abu Dhabi. The stadiums are grand but there are only a handful of expats who turn up to watch.

Worse, the fans at home are unable to see their heroes in action and interest in the game has plummetted. This means less and less kids turning to cricket and a system which once produced world-class players by the score now hardly produces any.

Pakistan has to make do with what it has. And since it has no choice, what happens in washouts like it will soon experience in Australia.

,

Cory DoctorowTalking Adversarial Interoperability with Y Combinator

Earlier this month while I was in San Francisco, I went over to the Y Combinator incubator to record a podcast (MP3); we talked for more than an hour about the history of Adversarial Interoperability and what its role was in creating Silicon Valley and the tech sector and how monopolization now threatens adversarial interop and also how it fuels the conspiratorial thinking that is so present in our modern politics. We talk about how startup founders and other technologists can use science fiction for inspiration, and about the market opportunities presented by challenging Big Tech and its giant, massively profitable systems.

,

Cory DoctorowThe Engagement-Maximization Presidency

In my latest podcast (MP3), I read my May, 2018 Locus column, “The Engagement-Maximization Presidency,” where I propose a theory to explain the political phenomenon of Donald Trump: we live in a world in which communications platforms amplify anything that gets “engagement” and provides feedback on just how much your message has been amplified so you can tune and re-tune for maximum amplification.

Peter Watts’s 2002 novel Maelstrom illustrates a beautiful, terrifying example of this, in which a mindless, self-modifying computer virus turns itself into a chatbot that impersonates patient zero in a world-destroying pandemic; even though the virus doesn’t understand what it’s doing or how it’s doing it, it’s able to use feedback to refine its strategies, gaining control over more resources with which to try more strategies.

It’s a powerful metaphor for the kind of cold reading we see Trump engaging in at his rallies, and for the presidency itself. I think it also explains why getting Trump of Twitter is impossible: it’s his primary feedback tool, and without it, he wouldn’t know what kinds of rhetoric to double down on and what to quietly sideline.

Maelstrom is concerned with a pandemic that is started by its protago­nist, Lenie Clark, who returns from a deep ocean rift bearing an ancient, devastating pathogen that burns its way through the human race, felling people by the millions.

As Clark walks across the world on a mission of her own, her presence in a message or news story becomes a signal of the utmost urgency. The filters are firewalls that give priority to some packets and suppress others as potentially malicious are programmed to give highest priority to any news that might pertain to Lenie Clark, as the authorities try to stop her from bringing death wherever she goes.

Here’s where Watt’s evolutionary bi­ology shines: he posits a piece of self-modifying malicious software – something that really exists in the world today – that automatically generates variations on its tactics to find computers to run on and reproduce itself. The more computers it colonizes, the more strategies it can try and the more computational power it can devote to analyzing these experiments and directing its randomwalk through the space of all possible messages to find the strategies that penetrate more firewalls and give it more computational power to devote to its task.

Through the kind of blind evolution that produces predator-fooling false eyes on the tails of tropical fish, the virus begins to pretend that it is Lenie Clark, sending messages of increasing convincingness as it learns to impersonate patient zero. The better it gets at this, the more welcoming it finds the firewalls and the more computers it infects.

At the same time, the actual pathogen that Lenie Clark brought up from the deeps is finding more and more hospitable hosts to reproduce in: thanks to the computer virus, which is directing public health authorities to take countermeasures in all the wrong places. The more effective the computer virus is at neutralizing public health authorities, the more the biological virus spreads. The more the biological virus spreads, the more anxious the public health authorities become for news of its progress, and the more computers there are trying to suck in any intelligence that seems to emanate from Lenie Clark, supercharging the computer virus.

Together, this computer virus and biological virus co-evolve, symbiotes who cooperate without ever intending to, like the predator that kills the prey that feeds the scavenging pathogen that weakens other prey to make it easier for predators to catch them.

MP3

LongNowExperiencing Deep Time Through Visual Storytelling

Geological Time Spiral

Deep time is a notoriously hard concept to grasp. Our lived human experience is grounded in a timeframe that is at odds with the geological time frame of millions or billions of years. Since geologists began figuring out the true scale of geologic time, they have tried to communicate this scale through a series of metaphors, maps, and visualizations. Famous examples of this include Carl Sagan’s Cosmic Calendar, and for children, Montessori’s Clock of Eras. Advances in mapping and data visualization technologies have enabled new forms of visual storytelling for understanding these time frames. Two visualizations have been recently developed that address the temporal depth and endurance of our universe in novel and effective ways.

Deep Time Walk

Deep Time Walk is an engaging and innovative app that transforms deep time into an embodied experience, a mobile virtual time travel. Listeners plug headphones in and walk the entire journey of Earth’s 4.6 billion year-old history in just 4.6km.

Deep Time Walk app.

Deep Time Walk uses a dramatized dialogue between a questioning protagonist and patient scientist to explain complex topics in a relatable format. Written as a collaboration between playwright Peter Oswald and Dr. Stephan Harding, Deep Time Walk guides you to walk and encounter evolutionary significant events, from the emergence of volcanoes to the first appearance of oxygen-producing photosynthesis. You, the listener and walker, are frequently addressed, to check you are still following as you walk 2 million years in just 2 meters.

Narrative is a powerful tool for connection and understanding. By creating a story with relatable characters, Deep Time Walk removes the listener from the present and walks them into the distant past. The conversational (and sometimes poetic) storytelling produces empathy and connection, which works to ground the individual personally into this global enduring epic.

This translation of time into distance creates an effective microcosm by transforming the complexity of 1,000,000 years into the comprehensible and familiar metric of one meter. Through this, Deep Time Walk claims to help users understand ‘the destructive impact we are now having on the Earth’s complex climate in the blink of a geological eye.’

Ancient Earth

Ancient Earth, a temporal map of the world, approaches deep time differently. Built as an interactive tool, Ancient Earth works to visualize the extensive geographic and tectonic shifts of the last 750 million years and maps them comparatively onto the globe of today. Developed by Ian Webster, the curator of the world’s largest digital dinosaur database, with the use of C.R. Scotese’s paleogeographic maps, Ancient Earth captures deep time in physical space, on Earth.

450 millions years ago, Late Ordovician era. The pink dot is New York City. (Ian Webster/Ancient Earth)

Ancient Earth catapults the viewer back to the emergence of single-celled organisms, such as green algae, in the Cryogenian ice age 750 million years ago, before leaping ahead 320 million years to the Silurian Period, when mass extinctions coincided with progression of complex life on land. What is most striking about this ancient world is that it is barely recognizable; it looks disarmingly dark, cold and watery.

Sliding forward to 240 million years ago, the user encounters another equally distorted Earth; one landmass, Pangea, dominated as the singular supercontinent that encompassed the world. The map has plenty of useful features, from simple yet effective dropdown time jump options, such as the evolution of the first flowers, to location-specific searches, enabling users to track the journey of their hometown across both time and space. As Meilan Solly writes in a piece for The Smithsonian, “interested parties can now superimpose the political boundaries of today onto the geographic formations of yesteryear.”

What both Ancient Earth and Deep Time Walk achieve is compelling because of their user experience. Both engage directly with the individual and bring them into a narrative: Deep Time Walk is an embodied experience and drama; Ancient Earth encourages you to map your hometown across the ages. By making it relatable and personal, these apps start to help us conceptualize deep time.

Learn More

  • Watch geologist Marcia Bjornerud’s 02019 Long Now talk about deep time, “Timefulness.”
  • Read “How the Concept of Deep Time is Changing” in The Atlantic.

,

Cory DoctorowTalking about Disney’s 1964 Carousel of Progress with Bleeding Cool: our lost animatronic future

Back in 2007, I wrote a science fiction novella called “The Great Big Beautiful Tomorrrow,” about an immortal, transhuman survivor of an apocalypse whose father is obsessed with preserving artifacts from the fallen civilization, especially the Carousel of Progress, an exhibition that GE commissioned from Disney for the 1964 World’s Fair in New York, which is still operating in Walt Disney World.


The novella was collected into
my 2011 Outspoken Authors book from PM Press.

Bleeding Cool News’s Jason Henderson is a fellow Carousel of Progress obsessive, and he asked me if I’d come on his Castle of Horror podcast to discuss the story, the Carousel, Margaret Thatcher, and optimistic corporate futurism’s increasing absurdity in 2019’s world.

The conversation went great (MP3) and ranges over nuclear armageddon, environmental collapse, Epcot Center, cults of personality, Walt Disney’s work-avoidance schemes, Alvin Toffler and the Singularity.

The Carousel of Progress is a strange success story. It began its life as an exhibit developed by Walt Disney for General Electric at the 1964 World’s Fair. There the basic structure fell into place: a revolving theater moves around a stationary stage showing four scenes as the audience comes to rest in front of each one. Act One is the turn of the 20th Century, Act 2 is the 1920s, Act 3 is the 1940s, and Act 4 is roughly the present. In each scene, the father of a small family reflects on American life and culture and mentions the latest technological advancements—airplanes, electric fans, cars, “the rat race.” The attraction moved from the World’s Fair to Disneyland and then settled in 1975 at Tomorrowland in Walt Disney World, where it has remained ever since. It has not been updated since 1993. And yet the ride remains strangely compelling and even comforting, a weird mix of futurism and nostalgia. The theme song of the ride is pure optimistic futurism: “It’s a Great Big Beautiful Tomorrow” by reliable Disney songwriters Richard M. and Robert B. Sherman. Doctorow points out, though, that for years this song was traded out for a different song, “The Best Time of Your Life.” As in “this is the best time of your life,” which would have to mean that the future will not be as good. Now the original song is back, but we are listening to an echo—optimism frozen in the past.

Cory and Jason talk about futurism, the optimism (and pessimism) of the mid-century, and whether forgotten mid-century fears are a match for modern fears of climate collapse. Along the way, we touch on the strangeness of Tomorrowland and Epcot.

Castle Talk: Cory Doctorow on Disney’s Carousel of Progress and Lost Optimism [Jason Henderson/Bleeding Cool]