Planet Russell


Sociological ImagesViral Votes & Activism in the New Public Sphere

It is a strange sight to watch politicians working to go viral. Check out this video from the political nonprofit ACRONYM, where Alexis Magnan-Callaway — the Digital Mobilization Director of Kirsten Gillibrand’s presidential campaign — talks us through some key moments on social media. 

Social media content has changed the rules of the game for getting attention in the political world. An entire industry has sprung up around going viral professionally, and politicians are putting these new rules to use for everything from promoting the Affordable Care Act to breaking Twitter’s use policy

In a new paper out at Sociological Theory with Doug Hartmann, I (Evan) argue that part of the reason this is happening is due to new structural transformations in the public sphere. Recent changes in communication technology have created a situation where the social fields for media, politics, academia, and the economy are now much closer together. It is much easier for people who are skilled in any one of these fields to get more public attention by mixing up norms and behaviors from the other three. Thomas Medvetz called people who do this in the policy world “jugglers,” and we argue that many more people have started juggling as well. 

Arm-wrestling a constituent is a long way from the Nixon-Kennedy debates, but there are institutional reasons why this shouldn’t surprise us. Juggling social capital from many fields means that social changes start to accelerate, as people can suddenly be much more successful by breaking the norms in their home fields. Politicians can get electoral gains by going viral, podcasts take off by talking to academics, and ex-policy wonks suddenly land coveted academic positions.

Another good example of this new structural transformation in action is Ziad Ahmed, a Yale undergraduate, business leader, and activist. At the core of his public persona is an interesting mix of both norm-breaking behavior and carefully curated status markers for many different social fields. 

In 2017, Ahmed was accepted to Yale after writing “#BlackLivesMatter” 100 times; this was contemporaneously reported by outlets such as NBC NewsCNNTimeThe Washington PostBusiness InsiderHuffPost, and Mashable

A screenshot excerpt of Ahmed’s bio statement from his personal website

Since then, Ahmed has cultivated a long biography featuring many different meaningful status markers: his educational institution; work as the CEO of a consulting firm; founding of a diversity and inclusion organization; a Forbes “30 Under 30” recognition; Ted Talks; and more. The combination of these symbols paints a complex picture of an elite student, activist, business leader, and everyday person on social media. 

Critics have called this mixture “a super-engineered avatar of corporate progressivism that would make even Mayor Pete blush.” We would say that, for better or worse, this is a new way of doing activism and advocacy that comes out of different institutional conditions in the public sphere. As different media, political, and academic fields move closer together, activists like Ahmed and viral moments like those in the Gillibrand campaign show how a much more complicated set of social institutions and practices are shaping the way we wield public influence today.

Bob Rice is a PhD student in sociology at UMass Boston. They’re interested in perceptions of authority, social movements, culture, stratification, mental health, and digital methods. 

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at

CryptogramAvailability Attacks against Neural Networks

New research on using specially crafted inputs to slow down machine-learning neural network systems:

Sponge Examples: Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN applications, from image recognition to natural language processing (NLP). Adversaries might use these examples for all sorts of mischief -- from draining mobile phone batteries, though degrading the machine-vision systems on which self-driving cars rely, to jamming cognitive radar.

So far, our most spectacular results are against NLP systems. By feeding them confusing inputs we can slow them down over 100 times. There are already examples in the real world where people pause or stumble when asked hard questions but we now have a dependable method for generating such examples automatically and at scale. We can also neutralize the performance improvements of accelerators for computer vision tasks, and make them operate on their worst case performance.

The paper.

Worse Than FailureCodeSOD: Sort Yourself Out

Object-Relational-Mappers (ORMs) are a subject of pain, pleasure, and flamewars. On one hand, they make it trivially easy to write basic persistence logic, as long as it stays basic. But they do this by concealing the broader powers of relational databases, which means that an ORM is a leaky abstraction. Used incautiously or inappropriately, and they stop making your life easy, and make it much, much harder.

That’s bad, unless you’re Tenesha’s co-worker, because you apparently want to suffer.

In addition to new products, Tenesha’s team works on a legacy Ruby-on-Rails application. It’s an ecommerce tool, and thus it handles everything from inventory to order management to billing to taxes.

Taxes can get tricky. Each country may have national tax rates. Individual cities may have different ones. In their database, they have a TaxesRate table which tracks the country name, the city name, the region code name, and the tax rate.

You’ll note that the actual database is storing names, which is problematic when you need to handle localizations. Is it Spain or España? The ugly hack to fix this is to have a lookup file in YAML, like so:

  es-ca: "Canary Islands"
  es: "Spain"
  eu: "Inside European Union"
  us: "United States"
  ar: "Argentina"
  la: "Latin America"
  as-oc: "Asia & Oceania"
  row: "Rest of the world"

Those are just the countries, but there were similar structures for regions, cities, and so on.

The YAML file took on more importance when management decided that the sort order of the tax codes within a region needed to be a specific order. They didn’t want it to be sorted alphabetically, or by date added, or by number of orders, or anything: they had a specific order they wanted.

So Tenesha’s co-worker had a bright idea: they could store the lookup keys in the YAML file in the order specified. It meant they didn’t have to add or manage a sort_order field in the database, which sounded easier to them, and would be easier to implement, right?

Well, no. There’s no easy way to tell an SQL order-by clause to sort in an arbitrary order. But our intrepid programmer was using an ORM, so they didn’t need to think about little details like “connecting to a database” or “worrying about round trips” or “is this at all efficient”.

So they implemented it this way:

  # Order locations by their I18n registers to make it easier to reorder
  def self.order_by_location(regions)
    codes = I18n.t("quotation.selectable_taxes_rate_locations"){ |k| k.to_s }
    regions_ordered = []

    codes.each do |code|
      regions_ordered.push(regions.where(region_code: code))

    # Insert the codes that are not listed at the end
    regions_ordered.push(regions.where("region_code NOT IN (?)", codes)).flatten

This is called like so:

# NOTE: TaxesRate.all_rates returns all records with unique region codes,
#   ignoring cities; something like `TaxesRate.distinct(:region_code)`.
regions = order_by_location(TaxesRate.all_rates)

We should be thankful that they didn’t find a way to make this execute N2 queries, but as it is, it needs to execute N+1 queries.

First, we pull the rate locations from our internationalization YAML file. Then, for each region code, we run a query to fetch the tax rate for that one region code. This is one query for each code. Based on the internationalization file, it’s just the codes for one country, but that can still be a large number. Finally, we run one final query to fetch all the other regions that aren’t in our list.

This fetches the tax code for all regions, sorted based on the sort order in the localization file (which does mean each locale could have a different sort order, a feature no one requested).

Tenesha summarizes it:

So many things done wrong; in summary:
* Country names stored with different localization on the same database, instead of storing country codes.
* Using redundant data for storing region codes for different cities.
* Hard-coding a new front-end feature using localization keys order.
* Performing N+1 queries to retrieve well known data.

Now, this was a legacy application, so when Tenesha and her team went to management suggesting that they fix this terrible approach, the answer was “Nope!” It was a legacy product, and was only going to get new features and critical bug fixes.

Tenesha scored a minor victory: she did convince them to let her rewrite the method so that it fetched the data from the database and then sorted using the Array#index method, which still wasn’t great, but was far better than hundreds of database round trips.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

Krebs on SecurityMicrosoft Patch Tuesday, June 2020 Edition

Microsoft today released software patches to plug at least 129 security holes in its Windows operating systems and supported software, by some accounts a record number of fixes in one go for the software giant. None of the bugs addressed this month are known to have been exploited or detailed prior to today, but there are a few vulnerabilities that deserve special attention — particularly for enterprises and employees working remotely.

June marks the fourth month in a row that Microsoft has issued fixes to address more than 100 security flaws in its products. Eleven of the updates address problems Microsoft deems “critical,” meaning they could be exploited by malware or malcontents to seize complete, remote control over vulnerable systems without any help from users.

A chief concern among the panoply of patches is a trio of vulnerabilities in the Windows file-sharing technology (a.k.a. Microsoft Server Message Block or “SMB” service). Perhaps most troubling of these (CVE-2020-1301) is a remote code execution bug in SMB capabilities built into Windows 7 and Windows 2008 systems — both operating systems that Microsoft stopped supporting with security updates in January 2020. One mitigating factor with this flaw is that an attacker would need to be already authenticated on the network to exploit it, according to security experts at Tenable.

The SMB fixes follow closely on news that proof-of-concept code was published this week that would allow anyone to exploit a critical SMB flaw Microsoft patched for Windows 10 systems in March (CVE-2020-0796). Unlike this month’s critical SMB bugs, CVE-2020-0796 does not require the attacker to be authenticated to the target’s network. And with countless company employees now working remotely, Windows 10 users who have not yet applied updates from March or later could be dangerously exposed right now.

Microsoft Office and Excel get several updates this month. Two different flaws in Excel (CVE-2020-1225 and CVE-2020-1226) could be used to remotely commandeer a computer running Office just by getting a user to open a booby-trapped document. Another weakness (CVE-2020-1229) in most versions of Office may be exploited to bypass security features in Office simply by previewing a malicious document in the preview pane. This flaw also impacts Office for Mac, although updates are not yet available for that platform.

After months of giving us a welcome break from patching, Adobe has issued an update for its Flash Player program that fixes a single, albeit critical security problem. Adobe says it is not aware of any active exploits against the Flash flaw. Mercifully, Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Adobe is slated to retire Flash Player later this year. Adobe also released security updates for its Experience Manager and Framemaker products.

Windows 7 users should be aware by now that while a fair number of flaws addressed this month by Microsoft affect Windows 7 systems, this operating system is no longer being supported with security updates (unless you’re an enterprise taking advantage of Microsoft’s paid extended security updates program, which is available to Windows 7 Professional and Windows 7 enterprise users).

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a wonky Windows update to hose one’s system or prevent it from booting properly, and some updates even have known to erase or corrupt files. So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Further reading:

AskWoody and Martin Brinkmann on Patch Tuesday fixes and potential pitfalls

Trend Micro’s Zero Day Initiative June 2020 patch lowdown

U.S-CERT on Active Exploitation of CVE-2020-0796


Planet DebianIngo Juergensmann: Jabber vs. XMPP

XMPP is widely - and mabye better - known as Jabber. This was more or less the same until Cisco bought Jabber Inc and the trademark. You can read more about the story on the website. But is there still a Jabber around? Yes, it is!

But Cisco Jabber is a whole infrastructure environment: you can't use Cisco Jabber client on its own without the other required Cisco infrastructure as Cisco CUCM and CIsco IM&P servers. So you can't just setup Prosody or ejabberd on your Debian server and connect Cisco Jabber to it. But what are the differences of Cisco Jabber to "standard" XMPP clients?

Cisco Jabber

The above screenshot from the official Cisco Jabber product webpage shows the new, single view layout of the Cisco Webex Teams client, but you can configure the client to have the old, classic split view layout of Contact List and Chat Window. But as you can already see from above screenshot audio & video calls is one of the core functions of Cisco Jabber whereas this feature has been added only lately to the well-known Conversations XMPP client on Android. Conversations is using Jingle extension to XMPP whereas Jabber uses SIP for voice/video calls. You can even use Cisco Jabber to control your deskphone via CTI, which is a quite common setup for Jabber. In fact you can configure Jabber to be just a CTI client to you phone or a fully featured UC client.

When you don't want to have Ciscos full set of on-premise servers, you can also use Cisco Jabber in conjunction with Cisco Webex as Cisco Webex Messenger. Or in conjunction with Webex Teams in Teams Messaging Mode. Last month Cisco announced general availability of XMPP federation for Webex Teams/Jabber in Teams Messaging Mode. With that you have basic functionality in Webex Teams. And when I say "basic" I really mean basic: you can have 1:1 chat only, no group chats (MUC) and no Presence status will be possible. Hopefully this is just the beginning and not the end of XMPP support in Webex Teams.

XMPP Clients

Well, I'm sure many of you know "normal" XMPP clients such as Gajim or Dino on Linux, Conversations on Android or Siskin/Monal/ChatSecure on Apple IOS. There are plenty of other clients of course and maybe you used an XMPP client in the past without knowing it. For example Jitsi Meet is based on XMPP and you can still download the Jitsi Desktop client and use it as a full-featured multi-protocol client, e.g. for XMPP and SIP. In fact Jitsi Desktop is maybe the client that comes closest to Cisco Jabber as a chat/voice/video client. In fact I already connected Jitsi Desktop to Cisco CUCM/IM&P infrastructure, but of course you won't be able to use all those Cisco proprietary extensions, but you can see the benefit of open, standardized protocols such as XMPP and SIP: you are free to use any standard compliant client that you want.

So, while Jitsi supported voice/video calls for a long time, even before they focussed on Jitsi Meet as a WebRTC based conference service, Conversations added this feature last month, as already stated. This had a huge effect to the whole XMPP federation, because you need an XMPP server that supports XEP-0215 to make these audio/video calls work. The well-known Compliance Tester listed the STUN/TURN features first as "Informational Tests", but quickly made this a mandatory test to pass tests and gain 100% on the Compliance Tester. But you cannot place SIP calls to other sides, because that's a different thing.

As many of you are familiar with standard XMPP clients, I'll focus now on some similarity and differences between Cisco Jabber and standard XMPP...

Similarities & Differences

First, you can federate with Cisco Jabber users. Cisco IM&P can use standard XMPP federation with all other XMPP standard compliant servers. This is really a big benefit and way better than other solutions that usually results in vendor lock-in. Depending on the setup, you can even join from your own XMPP client in MUCs (Multi User Chats), which Cisco calls "Persistent Chat Room". The other way is not that simple: basically it is possible to join with Cisco Jabber in a MUC on a random server, but it is not as easy as you might thing. Cisco Jabber simply lacks a way to enter a room JID (as you can find them on Instead you need to be added as participant by a moderator or an admin in that 3rd party MUC.

Managed File Transfers is another issue. Cisco Jabber supports Peer-to-Peer file transfers and Managed File Transfers, where the uploaded file get transferred to an SFTP server as storage backend and where the IM&P server is handling the transfer via HTTPS. You can find a schematic drawing in the Configuration Guides. Although it appears similar to HTTP Upload as defined in XEP-0363, it is not very likely that it will work. I haven't tested it yet, because in my test scenario there is a gatekeeper in the path: Cisco Expressway doesn't support (yet) Managed File Transfer, but you can upvote the idea in the ideas management of Cisco or other ideas such as OMEMO support.

OMEMO support? Yes, there is no end-to-end encryption (E2EE) currently planned for Cisco Jabber, while it is common nowadays for most modern XMPP clients. I think it would be good for Cisco Jabber to also (optionally) support OMEMO or its successor. Messaging clients without E2EE are not state of the art anymore.

Whereas Conversations is the de-facto standard on Android, Apple IOS devices are still lacking a similar well-working client. See my blog post "XMPP - Fun with Clients" for a summary. In that regard Cisco Jabber might be the best XMPP client for IOS to some degree: you have working messaging, voice/video calls, Push Notifications and integration into Apples Call Kit.

There are most likely many, many more differences and issues between Cisco Jabber and standard compliant XMPP servers and clients. But basically Cisco Jabber is still based on XMPP and extends that by proprietary extensions.


While I have the impression that the free clients and servers are well doing and increased development in the past years (thanks to Conversations and the Compliance Tester), the situation of Cisco Jabber is a little different. As a customer you can sometimes get the impression that Cisco has lost interest in developing Cisco Jabber. It got better in the last years, but when Cisco Spark was introduced some years ago, the impression was that Cisco is heavily focussed on Spark (now: Webex Teams). It's not like Cisco is not listening to customers or the development has been stopped on Jabber, but my impression is that most customers don't give feedback or tell Cisco as the vendor what they want. You can either submit ideas via the Colaboration Customer Ideas Tool or provide feedback via your Cisco and partner channels.

I think it is important for the XMPP community to also have a large enterprise level vendor like Cisco. Otherwise the Internet will become more and more an Internet of closed silos like MS Teams, Slack, Facebook, etc. Of course there are other companies like ProcessOne (ejabberd) or Tigase, but I think you agree that Cisco is another level.


Planet DebianJulian Andres Klode: Review: Chromebook Duet

Sporting a beautiful 10.1” 1920x1200 display, the Lenovo IdeaPad Duet Chromebook or Duet Chromebook, is one of the latest Chromebooks released, and one of the few slate-style tablets, and it’s only about 300 EUR (300 USD). I’ve had one for about 2 weeks now, and here are my thoughts.

Build & Accessories

The tablet is a fairly Pixel-style affair, in that the back has two components, one softer blue one housing the camera and a metal feeling gray one. Build quality is fairly good.

The volume and power buttons are located on the right side of the tablet, and this is one of the main issues: You end up accidentally pressing the power button when you want to turn your volume lower, despite the power button having a different texture.

Alongside the tablet, you also find a kickstand with a textile back, and a keyboard, both of which attach via magnets (and pogo pins for the keyboard). The keyboard is crammed, with punctuation keys being halfed in size, and it feels mushed compared to my usual experiences of ThinkPads and Model Ms, but it’s on par with other Chromebooks, which is surprising, given it’s a tablet attachment.

fully assembled chromebook duet

fully assembled chromebook duet

I mostly use the Duet as a tablet, and only attach the keyboard occasionally. Typing with the keyboard on your lap is suboptimal.

My first Duet had a few bunches of dead pixels, so I returned it, as I had a second one I could not cancel ordered as well. Oh dear. That one was fine!

Hardware & Connectivity

The Chromebook Duet is powered by a Mediatek Helio P60T SoC, 4GB of RAM, and a choice of 64 or 128 GB of main storage.

The tablet provides one USB-C port for charging, audio output (a 3.5mm adapter is provided in the box), USB hub, and video output; though, sadly, the latter is restricted to a maximum of 1080p30, or 1440x900 at 60 Hz. It can be charged using the included 10W charger, or use up to I believe 18W from a higher powered USB-C PD charger. I’ve successfully used the Chromebook with a USB-C monitor with attached keyboard, mouse, and DAC without any issues.

On the wireless side, the tablet provides 2x2 Wifi AC and Bluetooth 4.2. WiFi reception seemed just fine, though I have not done any speed testing, missing a sensible connection at the moment. I used Bluetooth to connect to my smartphone for instant tethering, and my Sony WH1000XM2 headphones, both of which worked without any issues.

The screen is a bright 400 nit display with excellent viewing angles, and the speakers do a decent job, meaning you can use easily use this for watching a movie when you’re alone in a room and idling around. It has a resolution of 1920x1200.

The device supports styluses following the USI standard. As of right now, the only such stylus I know about is an HP one, and it costs about 70€ or so.

Cameras are provided on the front and the rear, but produce terrible images.

Software: The tablet experience

The Chromebook Duet runs Chrome OS, and comes with access to Android apps using the play store (and sideloading in dev mode) and access to full Linux environments powered by LXD inside VMs.

The screen which has 1920x1200 is scaled to a ridiculous 1080x675 by default which is good for being able to tap buttons and stuff, but provides next to no content. Scaling it to 1350x844 makes things more balanced.

The Linux integration is buggy. Touches register in different places than where they happened, and the screen is cut off in full screen extremetuxracer, making it hard to recommend for such uses.

Android apps generally work fine. There are some issues with the back gesture not registering, but otherwise I have not found issues I can remember.

One major drawback as a portable media consumption device is that Android apps only work in Widevine level 3, and hence do not have access to HD content, and the web apps of Netflix and co do not support downloading. Though one of the Duets actually said L1 in check apps at some point (reported in issue 1090330). It’s also worth noting that Amazon Prime Video only renders in HD, unless you change your user agent to say you are Chrome on Windows - bad Amazon!

The tablet experience also lags in some other ways, as the palm rejection is overly extreme, causing it to reject valid clicks close to the edge of the display (reported in issue 1090326).

The on screen keyboard is terrible. It only does one language at a time, forcing me to switch between German and English all the time, and does not behave as you’d expect it when editing existing words - it does not know about them and thinks you are starting a new one. It does provide a small keyboard that you can move around, as well as a draw your letters keyboard, which could come in handy for stylus users, I guess. In any case, it’s miles away from gboard on Android.

Stability is a mixed bag right now. As of Chrome OS 83, sites (well only Disney+ so far…) sometimes get killed with SIGILL or SIGTRAP, and the device rebooted on its own once or twice. Android apps that use the DRM sometimes do not start, and the Netflix Android app sometimes reports it cannot connect to the servers.


Performance is decent to sluggish, with micro stuttering in a lot of places. The Mediatek CPU is comparable to Intel Atoms, and with only 4GB of RAM, and an entire Android container running, it’s starting to show how weak it is.

I found that Google Docs worked perfectly fine, as did websites such as Mastodon, Twitter, Facebook. Where the device really struggled was Reddit, where closing or opening a post, or getting a reply box could take 5 seconds or more. If you are looking for a Reddit browsing device, this is not for you. Performance in Netflix was fine, and Disney+ was fairly slow but still usable.

All in all, it’s acceptable, and given the price point and the build quality, probably the compromise you’d expect.



  • good: Build quality, bright screen, low price, included accessories
  • bad: DRM issues, performance, limited USB-C video output, charging speed, on-screen keyboard, software bugs

The Chromebook Duet or IdeaPad Duet Chromebook is a decent tablet that is built well above its price point. It’s lackluster performance and DRM woes make it hard to give a general recommendation, though. It’s not a good laptop.

I can see this as the perfect note taking device for students, and as a cheap tablet for couch surfing, or as your on-the-go laptop replacement, if you need it only occasionally.

I cannot see anyone using this as their main laptop, although I guess some people only have phones these days, so: what do I know?

I can see you getting this device if you want to tinker with Linux on ARM, as Chromebooks are quite nice to tinker with, and a tablet is super nice.

Krebs on SecurityFlorence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity

In late May, KrebsOnSecurity alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware. Nevertheless, on Friday, June 5, the intruders sprang their attack, deploying ransomware and demanding nearly $300,000 worth of bitcoin. City officials now say they plan to pay the ransom demand, in hopes of keeping the personal data of their citizens off of the Internet.

Nestled in the northwest corner of Alabama, Florence is home to roughly 40,000 residents. It is part of a quad-city metropolitan area perhaps best known for the Muscle Shoals Sound Studio that recorded the dulcet tones of many big-name music acts in the 1960s and 70s.


On May 26, acting on a tip from Milwaukee, Wisc.-based cybersecurity firm Hold Security, KrebsOnSecurity contacted the office of Florence’s mayor to alert them that a Windows 10 system in their IT environment had been commandeered by a ransomware gang.

Comparing the information shared by Hold Security dark web specialist Yuliana Bellini with the employee directory on the Florence website indicated the username for the computer that attackers had used to gain a foothold in the network on May 6 belonged to the city’s manager of information systems.

My call was transferred to no fewer than three different people, none of whom seemed eager to act on the information. Eventually, I was routed to the non-emergency line for the Florence police department. When that call went straight to voicemail, I left a message and called the city’s emergency response team.

That last effort prompted a gracious return call the following day from a system administrator for the city, who thanked me for the heads up and said he and his colleagues had isolated the computer and Windows network account Hold Security flagged as hacked.

“I can’t tell you how grateful we are that you helped us dodge this bullet,” the technician said in a voicemail message for this author. “We got everything taken care of now, and some different protocols are in place. Hopefully we won’t have another near scare like we did, and hopefully we won’t have to talk to each other again.”

But on Friday, Florence Mayor Steve Holt confirmed that a cyberattack had shut down the city’s email system. Holt told local news outlets at the time there wasn’t any indication that ransomware was involved.

However, in an interview with KrebsOnSecurity Tuesday, Holt acknowledged the city was being extorted by DoppelPaymer, a ransomware gang with a reputation for negotiating some of the highest extortion payments across dozens of known ransomware families.

The average ransomware payment by ransomware strain. Source: Chainalysis.

Holt said the same gang appears to have simultaneously compromised networks belonging to four other victims within an hour of Florence, including another municipality that he declined to name. Holt said the extortionists initially demanded 39 bitcoin (~USD $378,000), but that an outside security firm hired by the city had negotiated the price down to 30 bitcoin (~USD $291,000).

Like many other cybercrime gangs operating these days, DoppelPaymer will steal reams of data from victims prior to launching the ransomware, and then threaten to publish or sell the data unless a ransom demand is paid.

Holt told KrebsOnSecurity the city can’t afford to see its citizens’ personal and financial data jeopardized by not paying.

“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Holt said.

Steve Price, the Florence IT manager whose Microsoft Windows credentials were stolen on May 6 by a DHL-themed phishing attack and used to further compromise the city’s network, explained that following my notification on May 26 the city immediately took a number of preventative measures to stave off a potential ransomware incident. Price said that when the ransomware hit, they were in the middle of trying to get city leaders to approve funds for a more thorough investigation and remediation.

“We were trying to get another [cybersecurity] response company involved, and that’s what we were trying to get through the city council on Friday when we got hit,” Price said. “We feel like we can build our network back, but we can’t undo things if peoples’ personal information is released.”

A DoppelPaymer ransom note. Image: Crowdstrike.

Fabian Wosar, chief technology officer at Emsisoft, said organizations need to understand that the only step which guarantees a malware infestation won’t turn into a full-on ransomware attack is completely rebuilding the compromised network — including email systems.

“There is a misguided belief that if you were compromised you can get away with anything but a complete rebuild of the affected networks and infrastructure,” Wosar said, noting that it’s not uncommon for threat actors to maintain control even as a ransomware victim organization is restoring their systems from backups.

“They often even demonstrate that they still ‘own’ the network by publishing screenshots of messages talking about the incident,” Wosar said.

Hold Security founder Alex Holden said Florence’s situation is all too common, and that very often ransomware purveyors are inside a victim’s network for weeks or months before launching their malware.

“We often get glimpses of the bad guys beginning their assaults against computer networks and we do our best to let the victims know about the attack,” Holden said. “Since we can’t see every aspect of the attack we advise victims to conduct a full investigation of the events, based on the evidence collected. But when we deal with sensitive situations like ransomware, timing and precision are critical. If the victim will listen and seek out expert opinions, they have a great chance of successfully stopping the breach before it turns into ransom.”

TEDWays of seeing: The talks of TED2020 Session 3

TED’s head of curation Helen Walters (left) and writer, activist and comedian Baratunde Thurston host Session 3 of TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Session 3 of TED2020, hosted by TED’s head of curation Helen Walters and writer, activist and comedian Baratunde Thurston, was a night of something different — a night of camaraderie, cleverness and, as Baratunde put it, “a night of just some dope content.” Below, a recap of the night’s talks and performances.

Actor and performer Cynthia Erivo recites Maya Angelou’s iconic 2006 poem, “A Pledge to Rescue Our Youth.” She speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

In a heartfelt and candid moment to start the session, Tony- and Emmy-winner Cynthia Erivo performs “A Pledge to Rescue Our Youth,” an iconic 2006 poem by Maya Angelou. “You are the best we have. You are all we have. You are what we have become. We pledge you our whole hearts from this day forward,” Angelou writes.

“Drawing has taught me to create my own rules. It has taught me to open my eyes and see not only what is, but what can be. Where there are broken systems … we can create new ones that actually function and benefit all, instead of just a select few,” says Shantell Martin. She speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Shantell Martin, Artist

Big idea: Drawing is more than just a graphic art — it’s a medium of self-discovery that enables anyone to let their hands spin out freestyle lines independent of rules and preconceptions. If we let our minds follow our hands, we can reach mental spaces where new worlds are tangible and art is the property of all – regardless of ethnicity or class.

How? A half-Nigerian, half-English artist growing up in a council estate in southeast London, Martin has firsthand knowledge of the race and class barriers within England’s institutions. Drawing afforded her a way out, taking her first to Tokyo and then to New York, where her large-scale, freestyle black and white drawings (often created live in front of an audience) taught her the power of lines to build new worlds. By using our hands to draw lines that our hearts can follow, she says, we not only find solace, but also can imagine and build worlds where every voice is valued equally. “Drawing has taught me to create my own rules,” Martin says. “It has taught me to open my eyes and see not only what is, but what can be. Where there are broken systems … we can create new ones that actually function and benefit all, instead of just a select few.”

“If we’re not protecting the arts, we’re not protecting our future, we’re not protecting this world,” says Swizz Beatz. He speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Swizz Beatz, Music producer, entrepreneur, art enthusiast

Big idea: Art is for everyone. Let’s make it that way.

Why? Creativity heals us — and everybody who harbors love for the arts deserves access to them, says Swizz Beatz. Interweaving a history of his path as a creative in the music industry, Beatz recounts his many successful pursuits in the art of giving back. In creating these spaces at the intersection of education, celebration, inclusion and support — such as The Dean Collection, No Commissions, The Dean’s Choice and Verzuz — he plans to outsmart lopsided industries that exploit creatives and give the power of art back to the people. “If we’re not protecting the arts, we’re not protecting our future, we’re not protecting this world,” he says.

“In this confusing world, we need to be the bridge between differences. You interrogate those differences, you hold them for as long as you can until something happens, something reveals itself,” says Jad Abumrad. He speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Jad Abumrad, host of RadioLab and Dolly Parton’s America

Big Idea: Storytellers and journalists are the bridge that spans conflict and difference to reveal a new meaning. 

How: When journalist Jad Abumrad began storytelling in 2002, he crafted each story to culminate the same way: mind-blowing science discoveries, paired with ear-tickling auditory creations, resolved into “moments of wonder.” But after 10 years, he began to wonder himself: Is this the only way to tell a story? Seeking an answer, Abumrad turned to more complex, convoluted stories and used science to sniff out the facts. But these stories often ended without an answer or resolution, instead leading listeners to “moments of struggle,” where truth collided with truth. It wasn’t until Abumrad returned to his home of Tennessee where he met an unlikely teacher in the art of storytelling: Dolly Parton. In listening to the incredible insights she had into her own life, he realized that the best stories can’t be summarized neatly and instead should find revelation — or what he calls “the third.” A term rooted in psychotherapy, the third is the new entity created when two opposing forces meet and reconcile their differences. For Abumrad, Dolly had found resolution in her life, fostered it in her fanbase and showcased it in her music — and revealed to him his new purpose in telling stories. “In this confusing world, we need to be the bridge between differences,” Abumrad says. “You interrogate those differences, you hold them for as long as you can until something happens, something reveals itself.”

Aloe Blacc performs “Amazing Grace” at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Backed by piano from Greg Phillinganes, singer, songwriter and producer Aloe Blacc provides balm for the soul with a gorgeous rendition of “Amazing Grace.”

Congressman John Lewis, politician and civil rights leader, interviewed by Bryan Stevenson, public interest lawyer and founder of the Equal Justice Initiative — an excerpt from the upcoming TED Legacy Project

Big idea: As a new generation of protesters takes to the streets to fight racial injustice, many have looked to the elders of the Civil Rights Movement — like John Lewis — to study how previous generations have struggled not just to change the world but also to maintain morale in the face of overwhelming opposition.

How? In order to truly effect change and move people into a better world, contemporary protestors must learn tactics that many have forgotten — especially nonviolent engagement and persistence. Fortunately, John Lewis sees an emerging generation of new leaders of conscience, and he urges them to have hope, to be loving and optimistic and, most of all, to keep going tirelessly even in the face of setbacks. As interviewer Bryan Stevenson puts it, “We cannot rest until justice comes.”

Planet DebianMolly de Blanc: Racism is a Free Software Issue

Racism is a free software issue. I gave a talk that touched on this at CopyLeft Conf 2019. I also talked a little bit about it at All Things Open 2019 and FOSDEM 2020 in my talk The Ethics Behind Your IoT. I know statistics, theory, and free software. I don’t know about race and racism nearly as well. I might make mistakes – I have made some and I will make more. Please, when I do, help me do better.

I want to look at a few particular technologies and think about how they reinforce systemic racism. Worded another way: how is technology racist? How does technology hurt Black Indigenous People of Color (BIPOC)? How does technology keep us racist? How does technology make it easier to be racist?


In the United States, Latinx folks are less likely to drink than white people and, overall, less likely to be arrested for DUIs3,4. However, they are more likely to be stopped by police while driving5,6.

Who is being stopped by police is up to the police and they pull over a disproportionate number of Latinx drivers. After someone is pulled over for suspected drunk driving, they are given a breathalyzer test. Breathalyzers are so easy to (un)intentionally mis-calibrate that they have been banned as valid evidence in multiple states. The biases of the police are not canceled out by the technology that should, in theory, let us know whether someone is actually drunk.

Facial Recognition

I could talk about for quite some time and, in fact, have. So have others. Google’s image recognition software recognized black people as gorillas – and to fix the issue it removed gorillas from it’s image-labeling technology.

Facial recognition software does a bad job at recognizing black people. In fact, it’s also terrible at identifying indigenous people and other people of color. (Incidentally, it’s also not great at recognizing women, but let’s not talk about that right now.)

As we use facial recognition technology for more things, from automated store checkouts (even more relevant in the socially distanced age of Covid-19), airport ticketing, phone unlocking, police identification, and a number of other things, it becomes a bigger problem that this software cannot tell the difference between two Asian people.

Targeted Advertising

Black kids see 70% more online ads for food than white kids, and twice as many ads for junk food. In general BIPOC youth are more likely to see junk food advertisements online. This is intentional, and happens after they are identified as BIPOC youth.

Technology Reinforces Racism; Racism Builds Technology

The technology we have developed reinforces racism on a society wide scale because it makes it harder for BIPOC people to interact with this world that is run by computers and software. It’s harder to not be racist when the technology around us is being used to perpetuate racist paradigms. For example, if a store implements facial recognition software for checkout, black women are less likely to be identified. They are then more likely to be targeted as trying to steal from the store. We are more likely to take this to mean that black women are more likely to steal. This is how technology builds racism,

People are being excluded largely because they are not building these technologies, because they are not welcome in our spaces. There simply are not enough Black and Hispanic technologists and that is a problem. We need to care about this because when software doesn’t work for everyone, it doesn’t work. We cannot build on the promise of free and open source software when we are excluding the majority of people.

Planet DebianDirk Eddelbuettel: RcppArmadillo 0.9.900.1.0

armadillo image

Armadillo is a powerful and expressive C++ template library for linear algebra aiming towards a good balance between speed and ease of use with a syntax deliberately close to a Matlab. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 727 other packages on CRAN.

Conrad recently released a new upstream version 9.900.1 of Armadillo which we packaged and tested as usual first as a ‘release candidate’ build and then as the release. As usual, logs from reverse-depends runs are in the rcpp-logs repo.

Apart from the new upstream release, we updated Travis use, ornamented the README a little, and smoothed over a rough corner from the recent R 4.0.0 release. All changes in the new release are noted below.

Changes in RcppArmadillo version 0.9.900.1.0 (2020-06-08)

  • Upgraded to Armadillo release 9.900.1 (Nocturnal Misbehaviour)

    • faster solve() for under/over-determined systems

    • faster eig_gen() and eig_pair() for large matrices

    • expanded eig_gen() and eig_pair() to optionally provide left and right eigenvectors

  • Switch Travis CI testing to R 4.0.0, use bionic as base distro and test R 3.6.3 and 4.0.0 in a matrix (Dirk in #298).

  • Add two badges to README for indirect use and the CSDA paper.

  • Adapt RcppArmadillo.package.skeleton() to a change in R 4.0.0 affecting what it exports in NAMESPACE.

Courtesy of CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianDirk Eddelbuettel: Rcpp Webinar Recording Available

As announced in a few tweets leading up to it, I took the date of what would have been the annual R/Finance conference as an opportunity to hold the one-hour tutorial / workshop with introductory Rcpp material which I often present on the first morning preceding the conference as a self-organized webinar. The live-streaming worked actually reasonably well via obs to youtube (even though the comprehensive software by the latter complained at times about insufficient bitstream rates–the joys of living with a (near) monopolistic broadband provider whom I should leave for fiber…). Apparently around seventy people connected to the stream—which is more than we usually have in the seminar room at UIC for the R/Finance morning.

The recording is now available here, and has already been seen over 200 times:

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

CryptogramSecurity Analysis of the Democracy Live Online Voting System

New research: "Security Analysis of the Democracy Live Online Voting System":

Abstract: Democracy Live's OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and (optionally) online voting. Three states -- Delaware, West Virginia, and New Jersey -- recently announced that they will allow certain voters to cast votes online using OmniBallot, but, despite the well established risks of Internet voting, the system has never been the subject of a public, independent security review.

We reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system's operation and analyze its security.We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon,Google, or Cloudflare. In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information­ -- including the voter's identity, ballot selections, and browser fingerprint­ -- that could be used to target political ads or disinformation campaigns.Even when OmniBallot is used to mark ballots that will be printed and returned in the mail, the software sends the voter's identity and ballot choices to Democracy Live, an unnecessary security risk that jeopardizes the secret ballot. We recommend changes to make the platform safer for ballot delivery and marking. However, we conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection.

News story.

Planet DebianBits from Debian: Great fonts in Debian 10 (or later)

An example of several fonts in Debian 10

Debian comes with tons of fonts for all kinds of purposes, you can easily list them all (almost) with: apt-cache search ^fonts-

Above you can see a nice composition with examples of several fonts. The composition is published under the MIT (Expat) license and the source SVG (created with Inkscape) can be downloaded here. You will need the fonts to be installed in your system so the SVG is correctly rendered.

If you want to learn more you can have a look at the wiki page about fonts (, and if you want to contribute or maintain fonts in Debian, don't hesitate to join the Fonts Team!

Worse Than FailureRepresentative Line: The Truest Comment

Usually, when posting a representative line, it’s a line of code. Rarely, it’s been a “representative comment”.

Today’s submitter supplied some code, but honestly, the code doesn’t matter- it’s just some method signatures. The comment, however, is representative. Not just representative of this code, but honestly, all code, everywhere.

        // i should have commented this stupid code

As our submitter writes:

I wrote this code. I also wrote that comment. That comment is true.
Why do I do this to myself?

I sometimes ask myself the same question.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


LongNowRacial Injustice & Long-term Thinking

Long Now Community,

Since 01996, Long Now has endeavored to foster long-term thinking in the world by sharing perspectives on our deep past and future. We have too often failed, however, to include and listen to Black perspectives.

Racism is a long-term civilizational problem with deep roots in the past, profound effects in the present, and so many uncertain futures. Solving the multigenerational challenge of racial inequality requires many things, but long-term thinking is undoubtedly one of them. As an institution dedicated to the long view, we have not addressed this issue enough. We can and will do better.

We are committed to surfacing these perspectives on both the long history of racial inequality and possible futures of racial justice going forward, both through our speaker series and in the resources we share online. And if you have any suggestions for future resources or speakers, we are actively looking.

Alexander Rose

Executive Director, Long Now

Learn More

  • A recent episode of this American Life explored Afrofuturism: “It’s more than sci-fi. It’s a way of looking at black culture that’s fantastic, creative, and oddly hopeful—which feels especially urgent during a time without a lot of optimism.”
  • The 1619 Project from The New York Times, winner of the 02020 Pulitzer Prize for Commentary,  re-examines the 400 year-legacy of slavery. 
  • A paper from political scientists at Stanford and Harvard analyzes the long-term effects of slavery on Southern attitudes toward race and politics.
  • Ava DuVernay’s 13th is a Netflix documentary about the linked between slavery and the US penal system. It is available to watch on YouTube for free here
  • “The Case for Reparations” is a landmark essay by Ta-Nehisi Coates about the institutional racism of housing discrimination. 
    I Am Not Your Negro is a documentary exploring the history of racism in the United States through the lens of the life of writer and activist James Baldwin. The documentary is viewable on PBS for free here.

CryptogramGene Spafford on Internet Voting

Sociological ImagesParty Affiliation in a Pandemic

Since mid-March 2020, Gallup has been polling Americans about their degree of self-isolation during the pandemic. The percent who said they had “avoided small gatherings” rose from 50% in early-March to 81% in early April, dropping slightly to 75% in late April as pressures began rising to start loosening stay-at-home orders.

What makes this curve sociologically interesting is our leaders generally made the restrictions largely voluntary, hoping for social norms to do the job of control. Only a few state and local governments have issued citations for holding social gatherings. Mostly, social norms have been doing the job. But increasingly the partisan divide on self-isolation is widening and undermining pandemic precautions. The chart, which appeared in a Gallup report on May 11, 2020, vividly shows the partisan divide on beliefs in distancing as protection from the pandemic. The striking finding is the huge partisan gap with independents leaning slightly toward Democrats.  

Not only did the partisan divide remain wide, but the number of adults practicing “social distancing” dropped from 75% in early April to 58%. This drop in so called self-reported “social distancing” occurred in states both with and without stay-at-home orders. Elsewhere I argue that “social distancing” is a most unfortunate label for physical distancing.

Republicans have been advocating for opening up businesses early, but it is not a mere intellectual debate. Some held large protests while brandishing firearms; others appeared in public without masks and without observing 6-feet distances. Some business that re-opened in early May reported customers acting disrespectful to others, ignoring the store’s distancing rules. In another incident, an armed militia stood outside a barbershop to keep authorities from closing down the newly reopened shop.

Retail operations in particular are concerned about compliance to social norms because without adequate compliance, other customers will not return. Social norms rely on social trust. If retail operations cannot depend upon customers to be respectful, they will not only lose additional customers but employees as well.

The Sad Impact of Pandemic Partisanship    

American society was highly partisan before the pandemic, so it is not surprising that partisan signs remain. For a few weeks in March and April, partisanship took a back seat and signs of cooperation suggested societal solidarity.

We are only months away from the Presidential election, so we do not expect either side to let us forget the contest. However, we can only hope that partisans will not forget that politics cannot resolve the pandemic alone. Without relying heavily on scientists and health system experts, our society can only fail.

Unfortunately, lives hang in the balance if there is a partisan failure to reach consensus on distancing and related precautions. Economists at Stanford and Harvard, using distancing data from smartphones as well as local data on COVID cases and deaths, completed a sophisticated model of the first few months of the pandemic. Their report, “Polarization and Public Health: Partisan Differences in Social Distancing during the Coronavirus Pandemic,” found that (1) Republicans engage in less social distancing, and (2) if this partisanship difference continues, the US will end up with more COVIC-19 transmission at a higher economic cost. Assuming the researchers’ analytical model is accurate, the Republican ridicule of social distancing is such an ironic tragedy. Not only will lives be lost but what is done under the banner of promoting economic benefit, is actually producing greater economic hardship.

Ron Anderson, Professor Emeritus, University of Minnesota, taught sociology from 1968 to 2005. His early work centered around the social diffusion of technology. Since 2005, his work has focused on compassion and the social dimensions of suffering.

(View original at

CryptogramPhishing Attacks Against Trump and Biden Campaigns

Google's threat analysts have identified state-level attacks from China.

I hope both campaigns are working under the assumption that everything they say and do will be dumped on the Internet before the election. That feels like the most likely outcome.

Worse Than FailureEditor's Soapbox: On Systemic Debt

I recently caught up with an old co-worker from my first "enterprise" job. In 2007, I was hired to support an application which was "on its way out," as "eventually" we'd be replacing it with a new ERP. September 2019 was when it finally got retired.

Interest on the federal debt

The application was called "Total Inventory Process" and it is my WTF origin story. Elements of that application and the organization have filtered into many of my articles on this site. Boy, did it have more than its share of WTFs.

"Total Inventory Process". Off the bat, you know that this is a case of an overambitious in-house team trying to make a "do everything" application that's gonna solve every problem. Its core was inventory management and invoicing, but it had its own data-driven screen rendering/templating engine (which barely worked), its own internationalization engine (for an application which never got localized), a blend of web, COM+, client-side VB6, and hooks into an Oracle backend but also a mainframe.

TIP was also a lesson in the power of technical debt, how much it really costs, and why technical solutions are almost never enough to address technical debt.

TIP was used to track the consumption of inventory at several customers' factories to figure out how to invoice them. We sold them the paint that goes on their widgets, but it wasn't as simple as "You used this much paint, we bill you this much." We handled the inventory of everything in their paint line, from the paint to the toilet paper in the bathrooms. The customer didn't want to pay for consumption, they wanted to pay for widgets. The application needed to be able to say, "If the customer makes 300 widgets, that's $10 worth of toilet paper."

The application handled millions of dollars of invoices each year, for dozens of customer facilities. When I was hired, I was the second developer hired to work full time on supporting TIP. I wasn't hired to fix bugs. I wasn't hired to add new features. I was hired because it took two developers, working 40 hours a week, just to keep the application from falling over in production.

My key job responsibility was to log into the production database and manually tweak records, because the application was so bug-ridden, so difficult to use, and so locked down that users couldn't correct their own mistakes. With whatever time I had left, I'd respond to user requests for new functionality or bug-fixes.

It's usually hard to quantify exactly what technical debt costs. We talk about it a lot, but it very often takes the form of, "I know it when I see it," or "technical debt is other people's code." Here, we have a very concrete number: technical debt was two full-time salaries to just maintain basic operations.

My first development task was to add a text-box to one screen. Because other developers had tried to do this in the past, the estimate I was given was two weeks of developer time. 80 hours of effort for a new text box.

Once, the users wanted to be able to sort a screen in descending order. The application had a complex sorting/paging system designed to prevent fetching more than one page of data at a time for performance reasons. While it did that, it had no ability to sort in descending order, and adding that functionality would have entailed a full rewrite. My "fix" was to disable paging and sorting entirely on the backend, then re-implement in on the client-side in JavaScript for that screen. The users loved it, because suddenly one screen in the application was actually fast.

Oh, and as it was, "sorting" on the backend was literally putting the order-by clause in the URL and then SQL injecting it.

There were side effects to this quantity of technical debt. Since we were manually changing data in production, we were working closely with a handful of stakeholder users. Three, in specific, who were the "triumvirate" of TIP. Those three people were the direct point of contact with the developers. They were the direct point of contact to management. They set priorities. They entered bug reports. They made data change requests. They ruled the system.

They had a lot of power over this system, and this was a system handling millions of dollars. I think they liked that power. To this day, one of them holds that the "concept" of TIP was "unbeatable", and its replacement system is "cheap" and "crap". Now, from a technical perspective, you can't really get crappier than TIP, but from the perspective of a super-user, I can understand how great TIP felt.

I was a young developer, and didn't really like this working environment. Oh, I liked the triumvirate just fine, they were lovely people to work with, but I didn't like spending my days as nothing more than an extension of them. They'd send me emails containing UPDATE statements, and just ask that I execute them in production. There's not a lot of job satisfaction in being nothing more than "the person with permission to change data."

Frustrated, I immediately starting looking for ways to pay down that technical debt. There was only so much I could do, for a number of reasons. The obvious one was the software. If "adding a textbox" could reasonably take two weeks, "restructuring data access so that you can page data sorted in descending order" felt impossible. Even "easy" changes could unleash chaos as they triggered some edge case no one knew about.

Honestly, though, the technical obstacles were the small ones. The big challenges were the cultural and political ones.

First, the company knew that much of the code running in production was bad. So they created policies which erected checkpoints to confirm code quality, making it harder to deploy new code. Much harder, and much longer: you couldn't release to production until someone with authority signed off on it, and that might take days. Instead of resulting in better code, it instead meant the old, bad code stayed bad, and new, bad code got rushed through the process. "We have a hard go-live date, we'll improve the code after that." Or people found other workarounds: your web code had to go through those checkpoints, but stored procedures didn't, so if you had the authority to modify things in production, like I did, you could change stored procedures to your heart's content.

Second, the organization as a whole was risk-averse. The application was handling millions of dollars of invoices, and while it required a lot of manual babysitting, by the time the invoices went out, they were accurate. The company got paid. No one wanted to make sweeping changes which could impact that.

Third, the business rules were complicated. "How many rolls of toilet paper do you bill per widget?" is a hard question to answer. It's fair to say that no one fully understood the system. On the business side, the triumvirate probably had the best handle on it, but even they could be blindsided by its behavior. It was a complex system that needed to stay functioning, because it was business critical, but no one knows exactly what all of those functions are.

Fourth, the organization viewed "support" and "enhancement" the way other companies might view "operational" and "capital" budgets. They were different pools of money, and you weren't supposed to use the support money to pay for new features, nor could enhancement money be used to fix bugs.

Most frustrating was that I would sometimes get push-back from the triumvirate. Oh, they loved it when I could give them a button to self-service some feature which needed to use manual intervention, so long as the interface was just cumbersome enough that only they could use it. They hated it when a workflow got so streamlined that any user could do it. Worse, for them, was that as the technical debt got paid down, we started transitioning more and more of the "just change production data" to low-level contractors. Now the triumvirate no longer had a developer capable of changing code at their beck and call. They had to surrender power.

Fortunately, management was sensitive to the support costs around TIP. Once we started to build a track-record of reduced costs, management started to remove some of the obstacles. It was a lot of politics. I suspect some management were wary of how much power the triumvirate had, and were happy when that could get reduced. After a few years of work on TIP, I mostly rolled off of it onto other projects. Usually, I'd just pop in for month-end billing support, or being the expert who understood some of the bizarre technical intricacies. Obviously, the application continued working just fine for years without me, and I can't say that I miss it.

TIP accrued technical debt far more quickly than most systems would. Some of that comes from ambition: it tried to be everything, including reinventing functions which had nothing to do with its core business. This led to a tortured development process, complete with death marches, team restructurings, "throw developers at this until it gets back on track," and several ultimatums like "If we don't get something in production by the end of the month, everyone is fired." It was born in severe debt, within an organization which didn't have good mechanisms to manage that debt. And the main obstacles to paying down that debt weren't technical: they were social and political.

I was lucky. I was given the freedom to tackle that debt (or, if we're being fully honest, I also took some freedom under the "it's easier to seek forgiveness than to ask permission" principle). In a lot of systems, the technical debt accrues until the costs of servicing the debt are untenable. You end up paying so much in "interest" that you stop being able to actually do anything. This is a failure mode for a lot of projects, and that's usually when a "ground up" rewrite happens. Rewrites have a mixed record, though: TIP itself was actually a rewrite of an older system and promised to "do it right" this time.

Technical debt has been on my mind because I've been thinking a lot lately about broader, systemic debt. Any systems humans build—software systems, mechanical systems, or even social systems—are going to accrue debt. Decisions made in the history of the system are going to create problems in the future, whether those decisions were wrong from the get-go, or had unforeseen consequences, or just the world changed and they're no longer workable.

The United States, right now, is experiencing a swell of protests unlike anything I've seen in my lifetime. I think it's fair to say that these protests are rooted in historical inequities and injustices which constitute a form of social debt. Our social systems, especially around the operation of police, but broadly in the realm of race, are loaded with debt from the past.

I see similarities in the obstacles to paying down that debt. Attempts to make changes by policy end up creating roadblocks to change, or simply fail to accomplish their goals. Resistance to change because change entails risk, and managing or mitigating those risks feels more important than actually fixing the problems. The systems we're talking about are complicated, and it's difficult to even build consensus on what better versions look like, because it's difficult to even understand what they currently are. And finally, there are groups that have power, and in paying down the social debt, they would have to give up some of that power.

That's a big, hard-to-grapple-with quantity of debt. It's connected to a set of interlocking systems which are difficult to pick apart. And it's frighteningly important to get right.

All systems accrue systemic debt. Software systems accrue debt. Social systems accrue debt. Even your personal mental systems, your psychological health, accrue debt. Without action, the debt will grow, the interest on that debt grows, and more energy ends up servicing that debt. One of the ways in which systems fail is when the accumulated debt gets too high. Bankruptcy occurs. Of all of these kinds of systems, the software debt tends to be the trivial one. Software products become unsupportable and get replaced. Psychological debt can lead towards things like depression or other mental health problems. Social debt can lead to unrest or perpetuations of injustice.

Systemic debt may be a technical problem at its root, but its solution is always going to require politics. TIP couldn't be improved without overcoming political challenges. US social debt can't be resolved without significant political changes.

What I hope people take away from this story is an awareness of systemic debt, and an understanding of some of the long-term costs of that debt. I encourage you to look around you and at the systems you interact with. What sources of debt are there? What is that debt costing the system and the people who depend on it? What are the obstacles to paying down that debt? What are the challenges of making the systems we use better?

Systemic debt doesn't go away by itself, and left unmanaged, it will only grow. If you don't pay attention to it, broken systems end up staying in production for way too long. TIP was used for nearly 18 years. Don't use broken things for that long, please.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

Cory DoctorowSomeone Comes to Town, Someone Leaves Town (part 05)

Here’s part five of my new reading of my novel Someone Comes to Town, Someone Leaves Town (you can follow all the installments, as well as the reading I did in 2008/9, here).

There’s more of Kurt in this week’s episode; as I mentioned in last week’s intro, Kurt is loosely based on my old friend Darren Atkinson, who pulled down a six-figure income by recovering, repairing and reselling high-tech waste from Toronto’s industrial suburbs. Darren was the subject of the first feature I ever sold to Wired, Dumpster Diving.

But Kurt was also based loosely on Igor Kenk, a friend of mine who turned out to be one of Toronto’s most prolific bike thieves (I knew him as a bike repair guy). Igor was a strange and amazing guy, and Richard Poplak and Nick Marinkovich’s 2010 graphic novel biography of him is a fantastic read.

This is easily the weirdest novel I ever wrote. Gene Wolfe (RIP) gave me an amazing quote for it: “Someone Comes to Town, Someone Leaves Town is a glorious book, but there are hundreds of those. It is more. It is a glorious book unlike any book you’ve ever read.”

Here’s how my publisher described it when it came out:

Alan is a middle-aged entrepeneur who moves to a bohemian neighborhood of Toronto. Living next door is a young woman who reveals to him that she has wings—which grow back after each attempt to cut them off.

Alan understands. He himself has a secret or two. His father is a mountain, his mother is a washing machine, and among his brothers are sets of Russian nesting dolls.

Now two of the three dolls are on his doorstep, starving, because their innermost member has vanished. It appears that Davey, another brother who Alan and his siblings killed years ago, may have returned, bent on revenge.

Under the circumstances it seems only reasonable for Alan to join a scheme to blanket Toronto with free wireless Internet, spearheaded by a brilliant technopunk who builds miracles from scavenged parts. But Alan’s past won’t leave him alone—and Davey isn’t the only one gunning for him and his friends.

Whipsawing between the preposterous, the amazing, and the deeply felt, Cory Doctorow’s Someone Comes to Town, Someone Leaves Town is unlike any novel you have ever read.



Planet DebianEnrico Zini: Cooperation links

This comic was based on this essay from Augusten Burroughs: How to live unhappily ever after. In addition to the essay, I highly recommend reading his books. It's also been described in psychology as flow.
With full English subtitles
Confict – where it comes from and how to deal with it
Communication skills
Other languages
Distributed teams are where people you work with aren’t physically co-located, ie. they’re at another office building, home or an outsourced company abroad. They’re becoming increasingly popular, for DevOps and other teams, due to recruitment, diversity, flexibility and cost savings. Challenges arise due to timezones, language barriers, cultures and ways of working. People actively participating in Open Source communities tend to be effective in distributed teams. This session looks at how to apply core Open Source principles to distributed teams in Enterprise organisations, and the importance of shared purposes/goals, (mis)communication, leading vs managing teams, sharing and learning. We'll also look at practical aspects of what's worked well for others, such as alternatives to daily standups, promoting video conferencing, time management and virtual coffee breaks. This session is relevant for those leading or working in distributed teams, wanting to know how to cultivate an inclusive culture of increased trust and collaboration that leads to increased productivity and performance.

Planet DebianDirk Eddelbuettel: T^4 #5: More About Byobu

Another video in our T^4 series of video lightning talks with tips, tricks, tools, and toys (where we had seen the announcement, shells sessions one, two, and three, as well as one byobu session) is now up at YouTube. It goes a little deeper in the wonderful byobu and persistent sessions with multiple concurrent accesses illustrating why it is called both a ‘text-based window manager’ and a ‘terminal multiplexer’:

The slides are here.

This repo at GitHub support the series: use it to open issues for comments, criticism, suggestions, or feedback.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianJoachim Breitner: Managed by an eleven year old

This weekend I had some pretty good uncle time. My eleven year old nephew (after beating me in a fair match of tennis) wanted to play with his Lego Mindstorms set. He never even touches it unless I am around to help him, but then he quiet enjoys. As expected, when I ask him what we should try to build, he tends to come up with completely unrealistic or impossible ideas, and we have to somehow reduce the scope to something doable.

This time round, inspired by their autonomous vacuum cleaner, he wanted to build something like that. That was convenient, because now I could sell him what I wanted to try to do, namely make the robot follow a wall at more or less constant distance, as a useful first step.

We mounted the infra red distance sensor at an 45° angle to the front-left, and then I built a very simple control loop – measure the distance, subtract 40, apply a factor, and feed that into the “steering” input of the drive action, and repeat. I must admit that I was pretty proud to see just how well that very simple circuit worked: The little robot turned sharp corners in both directions, and otherwise drove nicely parallel and with constant distance to the wall.

I was satisfied with that achievement and would have happily ended it here before we might be disappointed by more ambitious and then failing goals.

But my nephew had not forgotten about the vacuum cleaner, and casually asked if I could make the robot draw an outline of its path, and thus of the room, on the display. Ok, where do I begin to explain just how unfeasible that is … yes, it seemed one can draw to the display. But how should the robot know where it is? How far it turns? How far it went? This is programming by connecting boxes, and I would not expect such an interface to allow for complex logic (right?). And I would need trigonometry and stuff.

But he didn’t quite believe it, and thus got me thinking … indeed, the arithmetic block can evaluate more complex formulas, involving sin  and cos  … so maybe if I can somehow keep track of where the robot is heading … well, let’s give it a try.

So by dragging boxes and connecting wires, I implemented a simple logic (three variables, x and y for current position, alpha for current heading; in each loop add the “steering” input onto alpha, and add (sin(alpha),cos(alpha)) onto the current position; throw in some linear factors to calibrate; draw pixel at (x, y)). And, to my nephew’s joy and my astonishment, the robot was drawing a curvy line that clearly correlates with the taken path!

It wasn’t respecting the angles perfectly, a square might not properly close, but half an hour earlier I would have actively bet against that we would pull this off!

After a few turns

After a few turns

I was, I must admit, a bit proud. But not only about the technical nerding, but also about my uncleing: That night, according to his parents, my nephew said that he can’t remember ever being so happy!

Krebs on SecurityOwners of DDoS-for-Hire Service vDOS Get 6 Months Community Service

The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each have been sentenced to six months of community service by an Israeli court.

vDOS as it existed on Sept. 8, 2016.

A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS.

Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline.

vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.

The Hebrew-language sentencing memorandum (PDF) has redacted the names of the defendants, but there are more than enough clues in the document to ascertain the identities of the accused. For example, it says the two men earned a little more than $600,000 running vDOS, a fact first reported by this site in September 2016 just prior to their arrest, when vDOS was hacked and KrebsOnSecurity obtained a copy of its user database.

In addition, the document says the defendants were initially apprehended on September 8, 2016, arrests which were documented here two days later.

Also, the sentencing mentions the supporting role of a U.S. resident named only as “Jesse.” This likely refers to 23-year-old Jesse Wu, who KrebsOnSecurity noted in October 2016 pseudonymously registered the U.K. shell company used by vDOS, and ran a tiny domain name registrar called NameCentral that vDOS and many other booter services employed.

Israeli prosecutors say Wu also set up their payment infrastructure, and received 15 percent of vDOS’s total revenue for his trouble. NameCentral no longer appears to be in business, and Wu could not be reached for comment.

Although it is clear Bidani and Huri are defendants in this case, it is less clear which is referenced as Defendant #1 or Defendant #2. Both were convicted of “corrupting/disturbing a computer or computer material,” charges that the judge said had little precedent in Israeli courts, noting that “cases of this kind have not been discussed in court so far.” Defendant #1 also was convicted of sharing nude pictures of a 14 year old girl.

vDOS also sold API access to their backend attack infrastructure to other booter services to further monetize their excess firepower, including Vstress, Ustress, and PoodleStresser and LizardStresser.

Yarden Bidani. Image: Facebook.

Both defendants received the lowest possible sentence (the maximum was two years in prison) — six months of community service under the watch of the Israeli prison service — mainly because the accused were minors during the bulk of their offenses. The judge also imposed small fines on each, noting that more than $175,000 dollars worth of profits had already been seized from their booter business.

The judge observed that while Defendant #2 had shown remorse for his crimes and an understanding of how his actions affected others — even sobbing throughout one court proceeding — Defendant #1 failed to participate in the therapy sessions previously ordered by the court, and that he has “a clear and daunting boundary for recurrence of further offenses in the future.”

Boaz Dolev, CEO of ClearSky Cyber Security, said he’s disappointed in the lightness of the sentences given how much damage the young men caused.

“I think that such an operation that caused big damage to so many companies should have been dealt differently by the Israeli justice system,” Dolev said. “The fact that they were under 18 when committing their crimes saved them from much harder sentences.”

While DDoS attacks typically target a single website or Internet host, they often result in widespread collateral Internet disruption. Less than two weeks after the 2016 arrest of Bidani and Huri, suffered a three-day outage as a result of a record 620 Gbps attack that was alleged to have been purchased in retribution for my reporting on vDOS. That attack caused stability issues for other companies using the same DDoS protection firm my site enjoyed at the time, so much so that the provider terminated my service with them shortly thereafter.

To say that vDOS was responsible for a majority of the DDoS attacks clogging up the Internet between 2012 and 2016 would be an understatement. The various subscription packages for the service were sold based in part on how many seconds the denial-of-service attack would last. And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

It seems likely vDOS was responsible for several decades worth of DDoS years, but it’s impossible to say for sure because vDOS’s owners routinely wiped attack data from their servers.

Prosecutors in the United States and United Kingdom have in recent years sought tough sentences for those convicted of running booter services. While a number of  current charges against alleged offenders have not yet been fully adjudicated, only a handful of defendants in these cases have seen real jail time.

The two men responsible for creating and unleashing the Mirai botnet (the same duo responsible for building the massive crime machine that knocked my site offline in 2016) each avoided jail time thanks to their considerable cooperation with the FBI.

Likewise, Pennsylvania resident David Bukoski recently got five years probation and six months of “community confinement” after pleading guilty to running the Quantum Stresser booter service. Lizard Squad member and PoodleStresser operator Zachary Buchta was sentenced to three months in prison and ordered to pay $350,000 in restitution for his role in running various booter services.

On the other end of the spectrum, last November 21-year-old Illinois resident Sergiy Usatyuk was sentenced to 13 months in jail for running multiple booter services that launched millions of attacks over several years. And a 20-year-old U.K. resident in 2017 got two years in prison for operating the Titanium Stresser service.

For their part, authorities in the U.K. have sought to discourage would-be customers of these booter services by purchasing Google ads warning that such services are illegal. The goal is to steer customers away from committing further offenses that could land them in jail, and toward more productive uses of their skills and/or curiosity about cybersecurity.


Planet DebianPetter Reinholdtsen: Secure Socket API - a simple and powerful approach for TLS support in software

As a member of the Norwegian Unix User Group, I have the pleasure of receiving the USENIX magazine ;login: several times a year. I rarely have time to read all the articles, but try to at least skim through them all as there is a lot of nice knowledge passed on there. I even carry the latest issue with me most of the time to try to get through all the articles when I have a few spare minutes.

The other day I came across a nice article titled "The Secure Socket API: TLS as an Operating System Service" with a marvellous idea I hope can make it all the way into the POSIX standard. The idea is as simple as it is powerful. By introducing a new socket() option IPPROTO_TLS to use TLS, and a system wide service to handle setting up TLS connections, one both make it trivial to add TLS support to any program currently using the POSIX socket API, and gain system wide control over certificates, TLS versions and encryption systems used. Instead of doing this:

int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

the program code would be doing this:

int socket = socket(PF_INET, SOCK_STREAM, IPPROTO_TLS);

According to the ;login: article, converting a C program to use TLS would normally modify only 5-10 lines in the code, which is amazing when compared to using for example the OpenSSL API.

The project has set up the web site to spread the idea, and the code for a kernel module and the associated system daemon is available from two github repositories: ssa and ssa-daemon. Unfortunately there is no explicit license information with the code, so its copyright status is unclear. A request to solve this about it has been unsolved since 2018-08-17.

I love the idea of extending socket() to gain TLS support, and understand why it is an advantage to implement this as a kernel module and system wide service daemon, but can not help to think that it would be a lot easier to get projects to move to this way of setting up TLS if it was done with a user space approach where programs wanting to use this API approach could just link with a wrapper library.

I recommend you check out this simple and powerful approach to more secure network connections. :)

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

Planet DebianRussell Coker: Comparing Compression

I just did a quick test of different compression options in Debian. The source file is a 1.1G MySQL dump file. The time is user CPU time on a i7-930 running under KVM, the compression programs may have different levels of optimisation for other CPU families.

Facebook people designed the zstd compression system (here’s a page giving an overview of it [1]). It has some interesting new features that can provide real differences at scale (like unusually large windows and pre-defined dictionaries), but I just tested the default mode and the -9 option for more compression. For the SQL file “zstd -9” provides significantly better compression than gzip while taking only slightly less CPU time than “gzip -9” while zstd with the default option (equivalent to “zstd -3”) gives much faster compression than “gzip -9” while also being slightly smaller. For this use case bzip2 is too slow for inline compression of a MySQL dump as the dump process locks tables and can hang clients. The lzma and xz compression algorithms provide significant benefits in size but the time taken is grossly disproportionate.

In a quick check of my collection of files compressed with gzip I was only able to fine 1 fild that got less compression with zstd with default options, and that file got better compression with “zstd -9”. So zstd seems to beat gzip everywhere by every measure.

The bzip2 compression seems to be obsolete, “zstd -9” is much faster and has slightly smaller output.

Both xz and lzma seem to offer a combination of compression and time taken that zstd can’t beat (for this file type at least). The ultra compression mode 22 gives 2% smaller output files but almost 28 minutes of CPU time for compression is a bit ridiculous. There is a threaded mode for zstd that could potentially allow a shorter wall clock time for “zstd --ultra -22” than lzma/xz while also giving better compression.

Compression Time Size
zstd 5.2s 130m
zstd -9 28.4s 114m
gzip -9 33.4s 141m
bzip2 -9 3m51 119m
lzma 6m20 97m
xz 6m36 97m
zstd -19 9m57 99m
zstd --ultra -22 27m46 95m


For distributions like Debian which have large archives of files that are compressed once and transferred a lot the “zstd --ultra -22” compression might be useful with multi-threaded compression. But given that Debian already has xz in use it might not be worth changing until faster CPUs with lots of cores become more commonly available. One could argue that for Debian it doesn’t make sense to change from xz as hard drives seem to be getting larger capacity (and also smaller physical size) faster than the Debian archive is growing. One possible reason for adopting zstd in a distribution like Debian is that there are more tuning options for things like memory use. It would be possible to have packages for an architecture like ARM that tends to have less RAM compressed in a way that decreases memory use on decompression.

For general compression such as compressing log files and making backups it seems that zstd is the clear winner. Even bzip2 is far too slow and in my tests zstd clearly beats gzip for every combination of compression and time taken. There may be some corner cases where gzip can compete on compression time due to CPU features, optimisation for CPUs, etc but I expect that in almost all cases zstd will win for compression size and time. As an aside I once noticed the 32bit of gzip compressing faster than the 64bit version on an Opteron system, the 32bit version had assembly optimisation and the 64bit version didn’t at that time.

To create a tar archive you can run “tar czf” or “tar cJf” to create an archive with gzip or xz compression. To create an archive with zstd compression you have to use “tar --zstd -cf”, that’s 7 extra characters to type. It’s likely that for most casual archive creation (EG for copying files around on a LAN or USB stick) saving 7 characters of typing is more of a benefit than saving a small amount of CPU time and storage space. It would be really good if tar got a single character option for zstd compression.

The external dictionary support in zstd would work really well with rsync for backups. Currently rsync only supports zlib, adding zstd support would be a good project for someone (unfortunately I don’t have enough spare time).

Now I will change my database backup scripts to use zstd.


The command “tar acvf a.zst filenames” will create a zstd compressed tar archive, the “a” option to GNU tar makes it autodetect the compression type from the file name. Thanks Enrico!

Planet DebianThorsten Alteholz: My Debian Activities in May 2020

FTP master

This month I accepted 211 packages and rejected only 9. The overall number of packages that got accepted was 228.

Debian LTS

This was my seventy-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 17.25h. During that time I did LTS uploads of:

  • [DLA 2196-2] pound regression update
  • [DLA 2219-1] feh security update for one CVE
  • [DLA 2218-1] transmission security update for one CVE
  • [DLA 2220-1] cracklib2 security update for one CVE
  • [DLA 2224-1] dosfstools security update for two CVEs
  • [DLA 2225-1] gst-plugins-good0.10 security update for two CVEs
  • [DLA 2226-1] gst-plugins-ugly0.10 security update for two CVEs
  • [DLA 2227-1] bind9 security update for two CVEs

I started to work on php5 as well but did not upload a fixed version yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty third ELTS month.

During my small allocated time I uploaded:

  • ELA-230-1 for bind9 fixing two CVEs
  • ELA-231-1 for php5 fixing one CVE

I also did some days of frontdesk duties.

Other stuff

I improved packaging of …

I sponsored uploads of …

  • … ulfius

On my Go challenge I uploaded:
golang-github-apparentlymart-go-versions, golang-github-hashicorp-go-slug, golang-github-mozillazg-go-httpheader, golang-github-hashicorp-terraform-json, golang-github-hashicorp-terraform-plugin-test, golang-github-sean–pager, golang-github-sean–seed, golang-github-timberio-go-datemath,


CryptogramFriday Squid Blogging: Shark vs. Squid

National Geographic has a photo of a 7-foot long shark that fought a giant squid and lived to tell the tale. Or, at least, lived to show off the suction marks on his skin.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet DebianDirk Eddelbuettel: corels 0.0.2 on CRAN: Initial upload!

Corels is now on CRAN! The package was introduced with an initial tweet which pointed to the GitHub repo.

The source code repo has since been relocated from my account to the (upstream) corels org in GitHub. And renamed: as the upstream (C++) repo as well as the existing Python package simply call is corels we now do too. The repo, to be distinguishable as a directory, will remain named rcppcorels.

We also describe the package a little on the corels package page. Some more work should go into along with work in the upstream repos, so please follow whichever GitHub repo you are interested in.

The work on corels is also what is described in the recent arXiv paper on Rcpp and libraries:

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

TEDThe bill has come due for the US’s legacy of racism: Week 3 of TED2020

In response to the historic moment of mourning and anger over the ongoing violence inflicted on Black communities by police in the United States, four leaders in the movement for civil rights — Dr. Phillip Atiba Goff, CEO of Center for Policing Equity; Rashad Robinson, president of Color Of Change; Dr. Bernice Albertine King, CEO of the King Center; and Anthony D. Romero, executive director of the American Civil Liberties Union — joined TED2020 to explore how we can dismantle the systems of oppression and racism. Watch the full discussion on, and read a recap below.

“The history that we have in this country is not just a history of vicious neglect and targeted abuse of Black communities. It’s also one where we lose our attention for it,” says Dr. Phillip Atiba Goff. He speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Dr. Phillip Atiba Goff, CEO of the Center for Policing Equity

Big idea: The bill has come due for the unpaid debts the United States owes to its Black residents. But we’re not going to get to where we need to go just by reforming police.

How? What we’re seeing now isn’t just the response to one gruesome, cruel, public execution — a lynching. And it’s not just the reaction to three of them: Ahmaud Arbery, Breonna Taylor and George Floyd. What we’re seeing is the bill come due for the unpaid debts that the US owes to its Black residents, says Dr. Phillip Atiba Goff, CEO of the Center for Policing Equity (CPE). In addition to the work that CPE is known for — working with police departments to use their own data to improve relationships with the communities they serve — Goff and his team are encouraging departments and cities to take money from police budgets and instead invest it directly in public resources for the community, so people don’t need the police for public safety in the first place. Learn more about how you can support the Center for Policing Equity »

“This is the time for White allies to stand up in new ways, to do the type of allyship that truly dismantles structures, not just provides charity,” says Rashad Robinson, president of Color of Change. He speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Rashad Robinson, president of Color Of Change

Big idea: In the wake of the murders of George Floyd, Breonna Taylor and Ahmaud Arbery, people are showing up day after day in support of the Movement for Black Lives and in protest of police brutality against Black communities. We need to channel that presence and energy into power and material change.

How? The presence and visibility of a movement can often lead us to believe that progress is inevitable. But building power and changing the system requires more than conversations and retweets. To create material change in the racist systems that enable and perpetuate violence against Black communities, we need to translate the energy of these global protests into specific demands and actions, says Robinson. We have to pass new laws and hold those in power — from our police chiefs to our city prosecutors to our representatives in Congress — accountable to them. If we want to disentangle these interlocking systems of violence and complicity, Robinson says, we need to get involved in local, tangible organizing and build the power necessary to change the rules. You can’t sing our songs, use our hashtags and march in our marches if you are on the other end supporting the structures that put us in harm’s way, that literally kill us,” Robinson says. “This is the time for White allies to stand up in new ways, to do the type of allyship that truly dismantles structures, not just provides charity.”

“We can do this,” says Dr. Bernice Albertine King. “We can make the right choice to ultimately build the beloved community.” She speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Dr. Bernice Albertine King, CEO of The King Center

Big idea: To move towards a United States rooted in benevolent coexistence, equity and love, we must destroy and replace systems of oppression and violence towards Black communities. Nonviolence, accountability and love must pave the way.

How? The US needs a course correction that involves both hard work and “heart work” — and no one is exempt from it, says Dr. Bernice Albertine King. King continues to spread and build upon the wisdom of her father, Dr. Martin Luther King Jr., and she believes the US can work towards unity and collective healing. To do so, racism, systemic oppression, militarism and violence must end. She calls for a revolution of values, allies that listen and engage and a world where anger is given space to be rechanneled into creating social and economic change. In this moment, as people have reached a boiling point and are being asked to restructure the nature of freedom, King encourages us to follow her father’s words of nonviolent coexistence, and not continue on the path of violent coannihilation. “You as a person may want to exempt yourself, but every generation is called,” King says. “And so I encourage corporations in America to start doing anti-racism work within corporate America. I encourage every industry to start doing anti-racism work and pick up the banner of understanding nonviolent change personally and from a social change perspective. We can do this. We can make the right choice to ultimately build the beloved community.”

“Can we really become an equal people, equally bound by law?” asks Anthony D. Romero, executive director of the ACLU. He speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Anthony D. Romero, executive director of the American Civil Liberties Union (ACLU)

Big idea: No matter how frightened we are by the current turmoil, we must stay positive, listen to and engage with unheard or silenced voices, and help answer what’s become the central question of democracy in the United States: Can we really become an equal people, equally bound by law, when so many of us are beaten down by racist institutions and their enforcers?

How? This is no time for allies to disconnect — it’s time for them to take a long look in the mirror, ponder viewpoints they may not agree with or understand and engage in efforts to dismantle institutional white supremacy, Romero says. Reform is not enough anymore. Among many other changes, the most acute challenge the ACLU is now tackling is how to defund militarized police forces that more often look like more standing armies than civil servants — and bring them under civilian control. “For allies in this struggle, and those of us who don’t live this experience every day, it is time for us to lean in,” Romero says. “You can’t change the channel, you can’t tune out, you can’t say, ‘This is too hard.’ It is not that hard for us to listen and learn and heed.”

CryptogramZoom's Commitment to User Security Depends on Whether you Pay It or Not

Zoom was doing so well.... And now we have this:

Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.

This is just dumb. Imagine the scene in the terrorist/drug kingpin/money launderer hideout: "I'm sorry, boss. We could have have strong encryption to secure our bad intentions from the FBI, but we can't afford the $20." This decision will only affect protesters and dissidents and human rights workers and journalists.

Here's advisor Alex Stamos doing damage control:

Nico, it's incorrect to say that free calls won't be encrypted and this turns out to be a really difficult balancing act between different kinds of harms. More details here:

Some facts on Zoom's current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues. The E2E design is available here:

I read that document, and it doesn't explain why end-to-end encryption is only available to paying customers. And note that Stamos said "encrypted" and not "end-to-end encrypted." He knows the difference.

Anyway, people were rightly incensed by his remarks. And yesterday, Yuan tried to clarify:

Yuan sought to assuage users' concerns Wednesday in his weekly webinar, saying the company was striving to "do the right thing" for vulnerable groups, including children and hate-crime victims, whose abuse is sometimes broadcast through Zoom's platform.

"We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to vulnerable groups," he said. "I wanted to clarify that Zoom does not monitor meeting content. We do not have backdoors where participants, including Zoom employees or law enforcement, can enter meetings without being visible to others. None of this will change."

Notice that is specifically did not say that he was offering end-to-end encryption to users of the free platform. Only to "users we can verify identity," which I'm guessing means users that give him a credit card number.

The Twitter feed was similarly sloppily evasive:

We are seeing some misunderstandings on Twitter today around our encryption. We want to provide these facts.

Zoom does not provide information to law enforcement except in circumstances such as child sexual abuse.

Zoom does not proactively monitor meeting content.

Zoom does no have backdoors where Zoom or others can enter meetings without being visible to participants.

AES 256 GCM encryption is turned on for all Zoom users -- free and paid.

Those facts have nothing to do with any "misunderstanding." That was about end-to-end encryption, which the statement very specifically left out of that last sentence. The corporate communications have been clear and consistent.

Come on, Zoom. You were doing so well. Of course you should offer premium features to paying customers, but please don't include security and privacy in those premium features. They should be available to everyone.

And, hey, this is kind of a dumb time to side with the police over protesters.

I have emailed the CEO, and will report back if I hear back. But for now, assume that the free version of Zoom will not support end-to-end encryption.

EDITED TO ADD (6/4): Another article.

EDITED TO ADD (6/4): I understand that this is complicated, both technically and politically. (Note, though, Jitsi is doing it.) And, yes, lots of people confused end-to-end encryption with link encryption. (My readers tend to be more sophisticated than that.) My worry that the "we'll offer end-to-end encryption only to paying customers we can verify, even though there's plenty of evidence that 'bad purpose' people will just get paid accounts" story plays into the dangerous narrative that encryption itself is dangerous when widely available. And disagree with the notion that the possibility child exploitation is a valid reason to deny security to large groups of people.

Matthew Green on this issue. An excerpt:

Once the precedent is set that E2E encryption is too "dangerous" to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it's going to be hard to put it back.

From Signal:

Want to help us work on end-to-end encrypted group video calling functionality that will be free for everyone? Zoom on over to our careers page....

Planet DebianSean Whitton: spacecadetrebindings

I’ve been less good at taking adequate typing breaks during the lockdown and I’ve become concerned about how much chording my left hand does on its own during typical Emacs usage, with caps lock rebound to control, as I’ve had it for years.

I thought that now was as good a time as any to do something drastic about this. Here are my rebindings:

  • the keys on either side of the spacebar are control
  • the keys just outside of those are alt/meta
  • caps lock is Super, Windows or Command depending on OS
  • move any window manager keybindings which now become one handed left hand chords such that they are not.

Optional extras:

  • left control is caps lock
  • right control is the compose key.

This has the following advantages:

  • you can easily achieve this rebinding on GNU/Linux, Windows and macOS
  • almost every keyboard has enough keys near the spacebar to make it work, and it’s fine to have just one super key since it is not involved in any one handed chords
  • does not involve relying on the difference between tapping and releasing and holding a modifier key, which I find fragile
  • there are control and alt/meta keys available to both hands, so there is much less call for one-handed chording
  • control and alt/meta are pressed by the thumb, the strongest finger, so when one-handed chording does come up (e.g. C-x C-n without having to switch between control keys) it’s the least harmful form
    • my plan is to use the control/meta key available to the opposite hand for the first key of each sequence, and allow some one handed chording to complete the sequence.
    • there is some temptation to use a curled up little finger on the new alt/meta key, I’m finding, but I’m trying to stop myself from doing that.

The main disadvantage, aside from an adjustment period when I feel that someone has inserted a massive marshmellow between me and my computer, is that Ctrl-Alt combinations are a bit difficult; in Emacs, C-M-SPC is hard to do without. However I think I’ve found a decent way to do it (thumb on control, curled ring finger on alt, possibly little finger on shift for Emacs’ infamous C-M-S-v standard binding).

TEDConversations on social progress: Week 3 of TED2020

For week 3 of TED2020, global leaders in technology, vulnerability research and activism gathered for urgent conversations on how to foster connection, channel energy into concrete social action and work to end systemic racism in the United States. Below, a recap of their insights.

“When we see the internet of things, let’s make an internet of beings. When we see virtual reality, let’s make it a shared reality,” says Audrey Tang, Taiwan’s digital minister for social innovation. She speaks with TED science curator David Biello at TED2020: Uncharted on June 1, 2020. (Photo courtesy of TED)

Audrey Tang, Taiwan’s digital minister for social innovation

Big idea: Digital innovation rooted in communal trust can create a stronger, more transparent democracy that is fast, fair — and even fun.

How? Taiwan has built a “digital democracy” where digital innovation drives active, inclusive participation from all its citizens. Sharing how she’s helped transform her government, Audrey Tang illustrates the many creative and proven ways technology can be used to foster community. In responding to the coronavirus pandemic, Taiwan created a collective intelligence system that crowdsources information and ideas, which allowed the government to act quickly and avoid a nationwide shutdown. They also generated a publicly accessible map that shows the availability of masks in local pharmacies to help people get supplies, along with a “humor over rumor” campaign that combats harmful disinformation with comedy. In reading her job description, Tang elegantly lays out the ideals of digital citizenship that form the bedrock of this kind of democracy: “When we see the internet of things, let’s make an internet of beings. When we see virtual reality, let’s make it a shared reality. When we see machine learning, let’s make it collaborative learning. When we see user experience, let’s make it about human experience. And whenever we hear the singularity is near, let us always remember the plurality is here.”

Brené Brown explores how we can harness vulnerability for social progress and work together to nurture an era of moral imagination. She speaks with TED’s head of curation Helen Walters at TED2020: Uncharted on June 2, 2020. (Photo courtesy of TED)

Brené Brown, Vulnerability researcher, storyteller

Big question: The United States is at its most vulnerable right now. Where do we go from here?

Some ideas: As the country reels from the COVID-19 pandemic and the murder of George Floyd, along with the protests that have followed, Brené Brown offers insights into how we might find a path forward. Like the rest of us, she’s in the midst of processing this moment, but believes we can harness vulnerability for progress and work together to nurture an era of moral imagination. Accountability must come first, she says: people have to be held responsible for their racist behaviors and violence, and we have to build safe communities where power is shared. Self-awareness will be key to this work: the ability to understand your emotions, behaviors and actions lies at the center of personal and social change and is the basis of empathy. This is hard work, she admits, but our ability to experience love, belonging, joy, intimacy and trust — and to build a society rooted in empathy — depend on it. “In the absence of love and belonging, there’s nothing left,” she says.

Dr. Phillip Atiba Goff, Rashad Robinson, Dr. Bernice King and Anthony D. Romero share urgent insights into this historic moment. Watch the discussion on

In a time of mourning and anger over the ongoing violence inflicted on Black communities by police in the US and the lack of accountability from national leadership, what is the path forward? In a wide-ranging conversation, Dr. Phillip Atiba Goff, the CEO of Center for Policing Equity; Rashad Robinson, the president of Color of Change; Dr. Bernice Albertine King, the CEO of the King Center; and Anthony D. Romero, the executive director of the American Civil Liberties Union, share urgent insights into how we can dismantle the systems of oppression and racism responsible for tragedies like the murders of Ahmaud Arbery, Breonna Taylor, George Floyd and far too many others — and explored how the US can start to live up to its ideals. Watch the discussion on

CryptogramNew Research: "Privacy Threats in Intimate Relationships"

I just published a new paper with Karen Levy of Cornell: "Privacy Threats in Intimate Relationships."

Abstract: This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving relationships. Many common assumptions about privacy are upended in the context of these relationships, and many otherwise effective protective measures fail when applied to intimate threats. Those closest to us know the answers to our secret questions, have access to our devices, and can exercise coercive power over us. We survey a range of intimate relationships and describe their common features. Based on these features, we explore implications for both technical privacy design and policy, and offer design recommendations for ameliorating intimate privacy risks.

This is an important issue that has gotten much too little attention in the cybersecurity community.

Worse Than FailureError'd: Just a Big Mixup

Daniel M. writes, "How'd they make this mistake? Simple. You add the prices into the bowl and turn the mixer on."


"I'm really glad to see a retailer making sure that I get the most accurate discount possible," Kelly K. wrote.


"I sure hope they're not also receiving invalid maintenance," Steven S. wrote.


Ernie writes, "Recently, I was looking for some hints on traditional bread making and found some interesting sources. Some of them go back to the middle ages."


"Tried to get a refund travel voucher through KLM, and well, obviously they know more than everyone else," Matthias wrote.


Roger G. writes, "I'm planning my ride in Mapometer and apparently I'm descending 100,000ft into the earths core. I'll let you know what I find..."


[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

TEDConversations on rebuilding a healthy economy: Week 1 of TED2020

To kick off TED2020, leaders in business, finance and public health joined the TED community for lean-forward conversations to answer the question: “What now?” Below, a recap of the fascinating insights they shared.

“If you don’t like the pandemic, you are not going to like the climate crisis,” says Kristalina Georgieva, Managing Director of the International Monetary Fund. She speaks with head of TED Chris Anderson at TED2020: Uncharted on May 18, 2020. (Photo courtesy of TED)

Kristalina Georgieva, Managing Director of the International Monetary Fund (IMF)

Big idea: The coronavirus pandemic shattered the global economy. To put the pieces back together, we need to make sure money is going to countries that need it the most — and that we rebuild financial systems that are resilient to shocks.

How? Kristalina Georgieva is encouraging an attitude of determined optimism to lead the world toward recovery and renewal amid the economic fallout of COVID-19. The IMF has one trillion dollars to lend — it’s now deploying these funds to areas hardest hit by the pandemic, particularly in developing countries, and it’s also put a debt moratorium into effect for the poorest countries. Georgieva admits recovery is not going to be quick, but she thinks that countries can emerge from this “great transformation” stronger than before if they build resilient, disciplined financial systems. Within the next ten years, she hopes to see positive shifts towards digital transformation, more equitable social safety nets and green recovery. And as the environment recovers while the world grinds to a halt, she urges leaders to maintain low carbon footprints — particularly since the pandemic foreshadows the devastation of global warming. “If you don’t like the pandemic, you are not going to like the climate crisis,” Georgieva says. Watch the interview on »

“I’m a big believer in capitalism. I think it’s in many ways the best economic system that I know of, but like everything, it needs an upgrade. It needs tuning,” says Dan Schulman, president and CEO of PayPal. He speaks with TED business curators Corey Hajim at TED2020: Uncharted on May 19, 2020. (Photo courtesy of TED)

Dan Schulman, President and CEO of PayPal

Big idea: Employee satisfaction and consumer trust are key to building the economy back better.

How? A company’s biggest competitive advantage is its workforce, says Dan Schulman, explaining how PayPal instituted a massive reorientation of compensation to meet the needs of its employees during the pandemic. The ripple of benefits of this shift have included increased productivity, financial health and more trust. Building further on the concept of trust, Schulman traces how the pandemic has transformed the managing and moving of money — and how it will require consumers to renew their focus on privacy and security. And he shares thoughts on the new roles of corporations and CEOs, the cashless economy and the future of capitalism. “I’m a big believer in capitalism. I think it’s in many ways the best economic system that I know of, but like everything, it needs an upgrade. It needs tuning,” Schulman says. “For vulnerable populations, just because you pay at the market [rate] doesn’t mean that they have financial health or financial wellness. And I think everyone should know whether or not their employees have the wherewithal to be able to save, to withstand financial shocks and then really understand what you can do about it.”

Biologist Uri Alon shares a thought-provoking idea on how we could get back to work: a two-week cycle of four days at work followed by 10 days of lockdown, which would cut the virus’s reproductive rate. He speaks with head of TED Chris Anderson at TED2020: Uncharted on May 20, 2020. (Photo courtesy of TED)

Uri Alon, Biologist

Big idea: We might be able to get back to work by exploiting one of the coronavirus’s key weaknesses. 

How? By adopting a two-week cycle of four days at work followed by 10 days of lockdown, bringing the virus’s reproductive rate (R₀ or R naught) below one. The approach is built around the virus’s latent period: the three-day delay (on average) between when a person gets infected and when they start spreading the virus to others. So even if a person got sick at work, they’d reach their peak infectious period while in lockdown, limiting the virus’s spread — and helping us avoid another surge. What would this approach mean for productivity? Alon says that by staggering shifts, with groups alternating their four-day work weeks, some industries could maintain (or even exceed) their current output. And having a predictable schedule would give people the ability to maximize the effectiveness of their in-office work days, using the days in lockdown for more focused, individual work. The approach can be adopted at the company, city or regional level, and it’s already catching on, notably in schools in Austria.

“The secret sauce here is good, solid public health practice … this one was a bad one, but it’s not the last one,” says Georges C. Benjamin, Executive Director of the American Public Health Association. He speaks with TED science curator David Biello at TED2020: Uncharted on May 20, 2020. (Photo courtesy of TED)

Georges C. Benjamin, Executive Director of the American Public Health Association

Big Idea: We need to invest in a robust public health care system to lead us out of the coronavirus pandemic and prevent the next outbreak.

How: The coronavirus pandemic has tested the public health systems of every country around the world — and, for many, exposed shortcomings. Georges C. Benjamin details how citizens, businesses and leaders can put public health first and build a better health structure to prevent the next crisis. He envisions a well-staffed and equipped governmental public health entity that runs on up-to-date technology to track and relay information in real time, helping to identify, contain, mitigate and eliminate new diseases. Looking to countries that have successfully lowered infection rates, such as South Korea, he emphasizes the importance of early and rapid testing, contact tracing, self-isolation and quarantining. Our priority, he says, should be testing essential workers and preparing now for a spike of cases during the summer hurricane and fall flu seasons.The secret sauce here is good, solid public health practice,” Benjamin says. “We should not be looking for any mysticism or anyone to come save us with a special pill … because this one was a bad one, but it’s not the last one.”

TEDConversations on climate action and contact tracing: Week 2 of TED2020

For week 2 of TED2020, global leaders in climate, health and technology joined the TED community for insightful discussions around the theme “build back better.” Below, a recap of the week’s fascinating and enlightening conversations about how we can move forward, together.

“We need to change our relationship to the environment,” says Chile’s former environment minister Marcelo Mena. He speaks with TED current affairs curator Whitney Pennington Rodgers at TED2020: Uncharted on May 26, 2020. (Photo courtesy of TED)

Marcelo Mena, environmentalist and former environment minister of Chile

Big idea: People power is the antidote to climate catastrophe.

How? With a commitment to transition to zero emissions by 2050, Chile is at the forefront of resilient and inclusive climate action. Mena shares the economic benefits instilling green solutions can have on a country: things like job creation and reduced cost of mobility, all the result of sustainability-minded actions (including phasing coal-fired power plants and creating fleets of energy-efficient buses). Speaking to the air of social unrest across South America, Mena traces how climate change fuels citizen action, sharing how protests have led to green policies being enacted. There will always be those who do not see climate change as an imminent threat, he says, and economic goals need to align with climate goals for unified and effective action. “We need to change our relationship to the environment,” Mena says. “We need to protect and conserve our ecosystems so they provide the services that they do today.”

“We need to insist on the future being the one that we want, so that we unlock the creative juices of experts and engineers around the world,” says Nigel Topping, UK High Level Climate Action Champion, COP26. He speaks with TED Global curator Bruno Giussani at TED2020: Uncharted on May 26, 2020. (Photo courtesy of TED)

Nigel Topping, UK High Level Climate Action Champion, COP26

Big idea: The COVID-19 pandemic presents a unique opportunity to break from business as usual and institute foundational changes that will speed the world’s transition to a greener economy. 

How? Although postponed, the importance of COP26 — the UN’s international climate change conference — has not diminished. Instead it’s become nothing less than a forum on whether a post-COVID world should return to old, unsustainable business models, or instead “clean the economy” before restarting it. In Topping’s view, economies that rely on old ways of doing business jeopardize the future of our planet and risk becoming non-competitive as old, dirty jobs are replaced by new, cleaner ones. By examining the benefits of green economics, Topping illuminates the positive transformations happening now and leverages them to inspire businesses, local governments and other economic players to make radical changes to business as usual. “From the bad news alone, no solutions come. You have to turn that into a motivation to act. You have to go from despair to hope, you have to choose to act on the belief that we can avoid the worst of climate change… when you start looking, there is evidence that we’re waking up.”

“Good health is something that gives us all so much return on our investment,” says Joia Mukherjee. Shes speaks with head of TED Chris Anderson at TED2020: Uncharted on May 27, 2020. (Photo courtesy of TED)

Joia Mukherjee, Chief Medical Officer, Partners in Health (PIH)

Big idea: We need to massively scale up contact tracing in order to slow the spread of COVID-19 and safely reopen communities and countries.

How? Contact tracing is the process of identifying people who come into contact with someone who has an infection, so that they can be quarantined, tested and supported until transmission stops. The earlier you start, the better, says Mukherjee — but, since flattening the curve and easing lockdown measures depend on understanding the spread of the disease, it’s never too late to begin. Mukherjee and her team at PIH are currently supporting the state of Massachusetts to scale up contact tracing for the most vulnerable communities. They’re employing 1,700 full-time contact tracers to investigate outbreaks in real-time and, in partnership with resource care coordinators, ensuring infected people receive critical resources like health care, food and unemployment benefits. With support from The Audacious Project, a collaborative funding initiative housed at TED, PIH plans to disseminate its contact tracing expertise across the US and support public health departments in slowing the spread of COVID-19. “Good health is something that gives us all so much return on our investment,” Mukherjee says. See what you can do for this idea »

Google’s Chief Health Officer Karen DeSalvo shares the latest on the tech giant’s critical work on contact tracing. She speaks with head of TED Chris Anderson at TED2020: Uncharted on May 27, 2020. (Photo courtesy of TED)

Karen DeSalvo, Chief Health Officer, Google

Big idea: We can harness the power of tech to combat the pandemic — and reshape the future of public health.

How? Google and Apple recently announced an unprecedented partnership on the COVID-19 Exposure Notifications API, a Bluetooth-powered technology that would tell people they may have been exposed to the virus. The technology is designed with privacy at its core, DeSalvo says: it doesn’t use GPS or location tracking and isn’t an app but rather an API that public health agencies can incorporate into their own apps, which users could opt in to — or not. Since smartphones are so ubiquitous, the API promises to augment contact tracing and help governments and health agencies reduce the spread of the coronavirus. Overall, the partnership between tech and public health is a natural one, DeSalvo says; communication and data are pillars of public health, and a tech giant like Google has the resources to distribute those at a global scale. By helping with the critical work of contact tracing, DeSalvo hopes to ease the burden on health workers and give scientists time to create a vaccine. “Having the right information at the right time can make all the difference,” DeSalvo says. “It can literally save lives.”

After the conversation, Karen DeSalvo was joined by Joia Mukherjee to further discuss how public health entities can partner with tech companies. Both DeSalvo and Mukherjee emphasize the importance of knitting together the various aspects of public health systems — from social services to housing — to create a healthier and more just society. They also both emphasize the importance of celebrating community health workers, who provide on-the-ground information and critical connection with people across the world.


Planet DebianSteve McIntyre: Interesting times, and a new job!

It's (yet again!) been a while since I blogged last, sorry...

It's been over ten years since I started in Arm, and nine since I joined Linaro as an assignee. It was wonderful working with some excellent people in both companies, but around the end of last year I started to think that it might be time to look for something new and different. As is the usual way in Cambridge, I ended up mentioning this to friends and things happened!

After discussions with a few companies, I decided to accept an interesting-looking offer from a Norwegian company called Pexip. My good friend Vince had been raving for a while about how much he enjoyed his job there, which was a very good sign! He works from his home near Cambridge, and they were very happy to take me on in a similar way. There will be occasional trips to the UK office near Reading, or to the Norway HQ in Oslo. But most of the time I'll be working in my home office with all the home comforts and occasionally even an office dog!

Pepper and a laptop!

As is common in the UK for senior staff, I had to give 3 months notice with my resignation. When I told my boss in Arm way way back in February that I had decided to leave, I planned for a couple of weeks of down-time in between jobs. Perfect timing! The third week of May in Cambridge is the summer Beer Festival, and my birthday is the week after. All was looking good!

Then the world broke... :-(

As the "novel coronavirus" swept the world, countries closed down and normal life all-but disappeared for many. I acknowledge I'm very lucky here - I'm employed as a software engineer. I can effectively work from home, and indeed I was already in the habit of doing that anyway. Many people are not so fortunate. :-/ In this period, I've heard of some people in the middle of job moves where their new company have struggled and the new job has gone away. Thankfully, Pexip have continued to grow during this time and were still very keen to have me. I finally started this week!

So, what does Pexip do? The company develops and supplies a video conferencing platform, mainly targeting large enterprise customers. We have some really awesome technology, garnering great reviews from customers all over the world. See the website for more information!

Pexip logo

Where do I fit in? Pexip is a relatively small company with a very flat setup in engineering, so that's a difficult question to answer! I'll be starting working in the team developing and maintaining PexOS, the small Linux-based platform on which other things depend. (No prizes for guessing which distro it's based on!) But there's lots of scope to get involved in all kinds of other areas as needs and interests arise. I can't wait to get stuck in!

Although I'm no longer going to be working on Debian arm port issues on work time, I'm still planning to help where I can. Let's see how that works...

Planet DebianSteve McIntyre: What can you preseed when installing Debian?

Preseeding is a very useful way of installing and pre-configuring a Debian system in one go. You simply supply lots of the settings that your new system will need up front, in a preseed file. The installer will use those settings instead of asking questions, and it will also pass on any extra settings via the debconf database so that any further package setup will use them.

There is documentation about how to do this in the Debian wiki at, and an example preseed file for our current stable release (Debian 10, "buster") in the release notes.

One complaint I've heard is that it can be difficult to work out exactly the right data to use in a preseed file, as the format is not the easiest to work with by hand. It's also difficult to find exactly what settings can be changed in a preseed.

So, I've written a script to parse all the debconf templates in each release in the Debian archive and dump all the possible settings in each. I've put the results up online at my debian-preseed site in case it's useful. The data will be updated daily as needed to make sure it's current.

Updated June 2020 - changed the URL for the preseed site now I have a domain set up at

Planet DebianAntoine Beaupré: Replacing Smokeping with Prometheus

I've been struggling with replacing parts of my old sysadmin monitoring toolkit (previously built with Nagios, Munin and Smokeping) with more modern tools (specifically Prometheus, its "exporters" and Grafana) for a while now.

Replacing Munin with Prometheus and Grafana is fairly straightforward: the network architecture ("server pulls metrics from all nodes") is similar and there are lots of exporters. They are a little harder to write than Munin modules, but that makes them more flexible and efficient, which was a huge problem in Munin. I wrote a Migrating from Munin guide that summarizes those differences. Replacing Nagios is much harder, and I still haven't quite figured out if it's worth it.

How does Smokeping work

Leaving those two aside for now, I'm left with Smokeping, which I used in my previous job to diagnose routing issues, using Smokeping as a decentralized looking glass, which was handy to debug long term issues. Smokeping is a strange animal: it's fundamentally similar to Munin, except it's harder to write plugins for it, so most people just use it for Ping, something for which it excels at.

Its trick is this: instead of doing a single ping and returning this metrics, it does multiple ones and returns multiple metrics. Specifically, smokeping will send multiple ICMP packets (20 by default), with a low interval (500ms by default) and a single retry. It also pings multiple hosts at once which means it can quickly scan multiple hosts simultaneously. You therefore see network conditions affecting one host reflected in further hosts down (or up) the chain. The multiple metrics also mean you can draw graphs with "error bars" which Smokeping shows as "smoke" (hence the name). You also get per-metric packet loss.

Basically, smokeping runs this command and collects the output in a RRD database:

fping -c $count -q -b $backoff -r $retry -4 -b $packetsize -t $timeout -i $mininterval -p $hostinterval $host [ $host ...]

... where those parameters are, by default:

  • $count is 20 (packets)
  • $backoff is 1 (avoid exponential backoff)
  • $timeout is 1.5s
  • $mininterval is 0.01s (minimum wait interval between any target)
  • $hostinterval is 1.5s (minimum wait between probes on a single target)

It can also override stuff like the source address and TOS fields. This probe will complete between 30 and 60 seconds, if my math is right (0% and 100% packet loss).

How do draw Smokeping graphs in Grafana

A naive implementation of Smokeping in Prometheus/Grafana would be to use the blackbox exporter and create a dashboard displaying those metrics. I've done this at home, and then I realized that I was missing something. Here's what I did.

  1. install the blackbox exporter:

    apt install prometheus-blackbox-exporter
  2. make sure to allow capabilities so it can ping:

    dpkg-reconfigure prometheus-blackbox-exporter
  3. hook monitoring targets into prometheus.yml (the default blackbox exporter configuration is fine):

      - job_name: blackbox
          metrics_path: /probe
            module: [icmp]
          scrape_interval: 5s
            - targets:
              # hardcoded in DNS
            - source_labels: [__address__]
              target_label: __param_target
            - source_labels: [__param_target]
              target_label: instance
            - target_label: __address__
              replacement:  # The blackbox exporter's real hostname:port.

    Notice how we lower the scrape_interval to 5 seconds to get more samples. was added into DNS to avoid hardcoding my upstream ISP's IP in my configuration.

  4. create a Grafana panel to graph the results. first, add this query:

    sum(probe_icmp_duration_seconds{phase="rtt"}) by (instance)
    • Set the Legend field to {{instance}} RTT
    • Set Draw modes to lines and Mode options to staircase
    • Set the Left Y axis Unit to duration(s)
    • Show the Legend As table, with Min, Avg, Max and Current enabled

    Then add this query, for packet loss:

    1-avg_over_time(probe_success[$__interval])!=0 or null
    • Set the Legend field to {{instance}} packet loss
    • Set a Add series override to Lines: false, Null point mode: null, Points: true, Points Radios: 1, Color: deep red, and, most importantly, Y-axis: 2
    • Set the Right Y axis Unit to percent (0.0-1.0) and set Y-max to 1

    Then set the entire thing to Repeat, on target, vertically. And you need to add a target variable like label_values(probe_success, instance).

The result looks something like this:

A plot of RTT and packet loss over time of three nodes Not bad, but not Smokeping

This actually looks pretty good!

I've uploaded the resulting dashboard in the Grafana dashboard repository.

What is missing?

Now, that doesn't exactly look like Smokeping, does it. It's pretty good, but it's not quite what we want. What is missing is variance, the "smoke" in Smokeping.

There's a good article about replacing Smokeping with Grafana. They wrote a custom script to write samples into InfluxDB so unfortunately we can't use it in this case, since we don't have InfluxDB's query language. I couldn't quite figure out how to do the same in PromQL. I tried:


The first two give zero for all samples. The latter works, but doesn't look as good as Smokeping. So there might be something I'm missing.

SuperQ wrote a special exporter for this called smokeping_prober that came out of this discussion in the blackbox exporter. Instead of delegating scheduling and target definition to Prometheus, the targets are set in the exporter.

They also take a different approach than Smokeping: instead of recording the individual variations, they delegate that to Prometheus, through the use of "buckets". Then they use a query like this:

histogram_quantile(0.9 rate(smokeping_response_duration_seconds_bucket[$__interval]))

This is the rationale to SuperQ's implementation:

Yes, I know about smokeping's bursts of pings. IMO, smokeping's data model is flawed that way. This is where I intentionally deviated from the smokeping exact way of doing things. This prober sends a smooth, regular series of packets in order to be measuring at regular controlled intervals.

Instead of 20 packets, over 10 seconds, every minute. You send one packet per second and scrape every 15. This has the same overall effect, but the measurement is, IMO, more accurate, as it's a continuous stream. There's no 50 second gap of no metrics about the ICMP stream.

Also, you don't get back one metric for those 20 packets, you get several. Min, Max, Avg, StdDev. With the histogram data, you can calculate much more than just that using the raw data.

For example, IMO, avg and max are not all that useful for continuous stream monitoring. What I really want to know is the 90th percentile or 99th percentile.

This smokeping prober is not intended to be a one-to-one replacement for exactly smokeping's real implementation. But simply provide similar functionality, using the power of Prometheus and PromQL to make it better.


one of the reason I prefer the histogram datatype, is you can use the heatmap panel type in Grafana, which is superior to the individual min/max/avg/stddev metrics that come from smokeping.

Say you had two routes, one slow and one fast. And some pings are sent over one and not the other. Rather than see a wide min/max equaling a wide stddev, the heatmap would show a "line" for both routes.

That's an interesting point. I have also ended up adding a heatmap graph to my dashboard, independently. And it is true it shows those "lines" much better... So maybe that, if we ignore legacy, we're actually happy with what we get, even with the plain blackbox exporter.

So yes, we're missing pretty "fuzz" lines around the main lines, but maybe that's alright. It would be possible to do the equivalent to the InfluxDB hack, with queries like:


The output looks something like this:

A plot of RTT and packet loss over time of three nodes, with minimax Looks more like Smokeping!

But there's a problem there: see how the middle graph "dips" sometimes below 20ms? That's the min_over_time function (incorrectly, IMHO) returning zero. I haven't quite figured out how to fix that, and I'm not sure it is better. But it does look more like Smokeping than the previous graph.

Update: I forgot to mention one big thing that this setup is missing. Smokeping has this nice feature that you can order and group probe targets in a "folder"-like hierarchy. It is often used to group probes by location, which makes it easier to scan a lot of targets. This is harder to do in this setup. It might be possible to setup location-specific "jobs" and select based on that, but it's not exactly the same.


Credits to Chris Siebenmann for his article about Prometheus and pings which gave me the avg_over_time query idea.

Cory DoctorowRave for “Poesy the Monster Slayer”

No matter how many books I write (20+ now!), the first review for a new one is always scary. That goes double when the book is a first as well – like Poesy the Monster Slayer, my first-ever picture book, which comes out from First Second on Jul 14.

So it was with delight and relief that I read Publishers Weekly’s (rave) review of Poesy:

“Some children fear monsters at bedtime, but Poesy welcomes them. Her pink ‘monster lair’ features gothic art and stuffed animals, and she makes her father read The Book of Monsters from cover to cover before lights out. ‘PLEASE stay in bed tonight,’ he pleads as he leaves, but there’s no chance: the werewolf who soon enters her window is the size of a grizzly. ‘Werewolves HATED silver,’ Poesy knows, ‘and they feared the light’ 0 armed with a Princess Frillypants silver tiara and a light-up wand, she vanquishes the beast. And that’s just the beginning of her tear through monsterdom. ‘Poesy Emmeline Russell Schnegg,’ her mother growls from the doorway (in a funny turn, the girl gains a middle name every time a parent appears). Assured panels by Rockefeller (Pop!) combine frilly with threatening, illuminated by eerie light sources. Doctorow, making his picture book debut, strikes a gently edgy tone (‘He was so tired,’ Poesy sees, ‘that he stepped on a Harry the Hare block and said some swears. Poor Daddy!’), and his blow-by-blow account races to its closing spread: of two tired parents who resemble yet another monster. Ages 4-6.”


I had planned to do a launch party at Dark Delicacies, my neighborhood horror bookstore, on Jul 11, but that’s off (obviously).

So we’re doing the next-best thing: preorder from the store and you’ll get a signature and dedication from me AND my daughter, Poesy (the book’s namesake).

Planet DebianReproducible Builds: Reproducible Builds in May 2020

Welcome to the May 2020 report from the Reproducible Builds project.

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. Nonetheless, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.

In these reports we outline the most important things that we and the rest of the community have been up to over the past month.


The Corona-Warn app that helps trace infection chains of SARS-CoV-2/COVID-19 in Germany had a feature request filed against it that it build reproducibly.

A number of academics from Cornell University have published a paper titled Backstabber’s Knife Collection which reviews various open source software supply chain attacks:

Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle.

In related news, the LineageOS Android distribution announced that a hacker had access to the infrastructure of their servers after exploiting an unpatched vulnerability.

Marcin Jachymiak of the Sia decentralised cloud storage platform posted on their blog that their siac and siad utilities can now be built reproducibly:

This means that anyone can recreate the same binaries produced from our official release process. Now anyone can verify that the release binaries were created using the source code we say they were created from. No single person or computer needs to be trusted when producing the binaries now, which greatly reduces the attack surface for Sia users.

Synchronicity is a distributed build system for Rust build artifacts which have been published to The goal of Synchronicity is to provide a distributed binary transparency system which is independent of any central operator.

The Comparison of Linux distributions article on Wikipedia now features a Reproducible Builds column indicating whether distributions approach and progress towards achieving reproducible builds.

Distribution work

In Debian this month:

In Alpine Linux, an issue was filed — and closed — regarding the reproducibility of .apk packages.

Allan McRae of the ArchLinux project posted their third Reproducible builds progress report to the arch-dev-public mailing list which includes the following call for help:

We also need help to investigate and fix the packages that fail to reproduce that we have not investigated as of yet.

In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.

Software development


Chris Lamb made the changes listed below to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. He also prepared and uploaded versions 142, 143, 144, 145 and 146 to Debian, PyPI, etc.

  • Comparison improvements:

    • Improve fuzzy matching of JSON files as file now supports recognising JSON data. (#106)
    • Refactor .changes and .buildinfo handling to show all details (including the GnuPG header and footer components) even when referenced files are not present. (#122)
    • Use our BuildinfoFile comparator (etc.) regardless of whether the associated files (such as the orig.tar.gz and the .deb) are present. []
    • Include GnuPG signature data when comparing .buildinfo, .changes, etc. []
    • Add support for printing Android APK signatures via apksigner(1). (#121)
    • Identify “iOS App Zip archive data” as .zip files. (#116)
    • Add support for Apple Xcode .mobilepovision files. (#113)
  • Bug fixes:

    • Don’t print a traceback if we pass a single, missing argument to diffoscope (eg. a JSON diff to re-load). []
    • Correct differences typo in the ApkFile handler. (#127)
  • Output improvements:

    • Never emit the same id="foo" anchor reference twice in the HTML output, otherwise identically-named parts will not be able to linked to via a #foo anchor. (#120)
    • Never emit an empty “id” anchor either; it is not possible to link to #. []
    • Don’t pretty-print the output when using the --json presenter; it will usually be too complicated to be readable by the human anyway. []
    • Use the SHA256 over MD5 hash when generating page names for the HTML directory-style presenter. (#124)
  • Reporting improvements:

    • Clarify the message when we truncate the number of lines to standard error [] and reduce the number of maximum lines printed to 25 as usually the error is obvious by then [].
    • Print the amount of free space that we have available in our temporary directory as a debugging message. []
    • Clarify Command […] failed with exit code messages to remove duplicate exited with exit but also to note that diffoscope is interpreting this as an error. []
    • Don’t leak the full path of the temporary directory in Command […] exited with 1 messages. (#126)
    • Clarify the warning message when we cannot import the debian Python module. []
    • Don’t repeat stderr from {} if both commands emit the same output. []
    • Clarify that an external command emits for both files, otherwise it can look like we are repeating itself when, in reality, it is being run twice. []
  • Testsuite improvements:

    • Prevent apksigner test failures due to lack of binfmt_misc, eg. on Salsa CI and elsewhere. []
    • Drop .travis.yml as we use Salsa instead. []
  • Dockerfile improvements:

    • Add a .dockerignore file to whitelist files we actually need in our container. (#105)
    • Use ARG instead of ENV when setting up the DEBIAN_FRONTEND environment variable at runtime. (#103)
    • Run as a non-root user in container. (#102)
    • Install/remove the build-essential during build so we can install the recommended packages from Git. []
  • Codebase improvements:

    • Bump the officially required version of Python from 3.5 to 3.6. (#117)
    • Drop the (default) shell=False keyword argument to subprocess.Popen so that the potentially-unsafe shell=True is more obvious. []
    • Perform string normalisation in Black [] and include the Black output in the assertion failure too [].
    • Inline MissingFile’s special handling of deb822 to prevent leaking through abstract layers. [][]
    • Allow a bare try/except block when cleaning up temporary files with respect to the flake8 quality assurance tool. []
    • Rename in_dsc_path to dsc_in_same_dir to clarify the use of this variable. []
    • Abstract out the duplicated parts of the debian_fallback class [] and add descriptions for the file types. []
    • Various commenting and internal documentation improvements. [][]
    • Rename the Openssl command class to OpenSSLPKCS7 to accommodate other command names with this prefix. []
  • Misc:

    • Rename the --debugger command-line argument to --pdb. []
    • Normalise filesystem stat(2) “birth times” (ie. st_birthtime) in the same way we do with the stat(1) command’s Access: and Change: times to fix a nondeterministic build failure in GNU Guix. (#74)
    • Ignore case when ordering our file format descriptions. []
    • Drop, add and tidy various module imports. [][][][]

In addition:

  • Jean-Romain Garnier fixed a general issue where, for example, LibarchiveMember’s has_same_content method was called regardless of the underlying type of file. []

  • Daniel Fullmer fixed an issue where some filesystems could only be mounted read-only. (!49)

  • Emanuel Bronshtein provided a patch to prevent a build of the Docker image containing parts of the build’s. (#123)

  • Mattia Rizzolo added an entry to debian/py3dist-overrides to ensure the rpm-python module is used in package dependencies (#89) and moved to using the new execute_after_* and execute_before_* Debhelper rules [].

Chris Lamb also performed a huge overhaul of diffoscope’s website:

  • Add a completely new design. [][]
  • Dynamically generate our contributor list [] and supported file formats [] from the main Git repository.
  • Add a separate, canonical page for every new release. [][][]
  • Generate a ‘latest release’ section and display that with the corresponding date on the homepage. []
  • Add an RSS feed of our releases [][][][][] and add to Planet Debian [].
  • Use Jekyll’s absolute_url and relative_url where possible [][] and move a number of configuration variables to _config.yml [][].

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:

Other tools

Elsewhere in our tooling:

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. In May, Chris Lamb uploaded version 1.8.1-1 to Debian unstable and Bernhard M. Wiedemann fixed an “off-by-one” error when parsing PNG image modification times. (#16)

In disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues, Chris Lamb replaced the term “dirents” in place of “directory entries” in human-readable output/log messages [] and used the astyle source code formatter with the default settings to the main disorderfs.cpp source file [].

Holger Levsen bumped the debhelper-compat level to 13 in disorderfs [] and reprotest [], and for the GNU Guix distribution Vagrant Cascadian updated the versions of disorderfs to version 0.5.10 [] and diffoscope to version 145 [].

Project documentation & website

  • Carl Dong:

  • Chris Lamb:

    • Rename the Who page to Projects”. []
    • Ensure that Jekyll enters the _docs subdirectory to find the _docs/ file after an internal move. (#27)
    • Wrap etc. in preformatted quotes. []
    • Wrap the SOURCE_DATE_EPOCH Python examples onto more lines to prevent visual overflow on the page. []
    • Correct a “preferred” spelling error. []
  • Holger Levsen:

    • Sort our Academic publications page by publication year [] and add “Trusting Trust” and “Fully Countering Trusting Trust through Diverse Double-Compiling” [].
  • Juri Dispan:

Testing framework

We operate a large and many-featured Jenkins-based testing framework that powers that, amongst many other tasks, tracks the status of our reproducibility efforts as well as identifies any regressions that have been introduced. Holger Levsen made the following changes:

  • System health status:

    • Improve page description. []
    • Add more weight to proxy failures. []
    • More verbose debug/failure messages. [][][]
    • Work around strangeness in the Bash shell — let VARIABLE=0 exits with an error. []
  • Debian:

    • Fail loudly if there are more than three .buildinfo files with the same name. []
    • Fix a typo which prevented /usr merge variation on Debian unstable. []
    • Temporarily ignore PHP’s horde]( packages in Debian bullseye. []
    • Document how to reboot all nodes in parallel, working around molly-guard. []
  • Further work on a Debian package rebuilder:

    • Workaround and document various issues in the debrebuild script. [][][][]
    • Improve output in the case of errors. [][][][]
    • Improve documentation and future goals [][][][], in particular documentiing two real world tests case for an “impossible to recreate build environment” [].
    • Find the right source package to rebuild. []
    • Increase the frequency we run the script. [][][][]
    • Improve downloading and selection of the sources to build. [][][]
    • Improve version string handling.. []
    • Handle build failures better. []. []. []
    • Also consider “architecture all” .buildinfo files. [][]

In addition:

  • kpcyrd, for Alpine Linux, updated the script now that a patch for abuild had been released upstream. []

  • Alexander Couzens of the OpenWrt project renamed the brcm47xx target to bcm47xx. []

  • Mattia Rizzolo fixed the printing of the build environment during the second build [][][] and made a number of improvements to the script that deploys Jenkins across our infrastructure [][][].

Lastly, Vagrant Cascadian clarified in the documentation that you need to be user jenkins to run the blacklist command [] and the usual build node maintenance was performed was performed by Holger Levsen [][][], Mattia Rizzolo [][] and Vagrant Cascadian [][][].

Mailing list:

There were a number of discussions on our mailing list this month:

Paul Spooren started a thread titled Reproducible Builds Verification Format which reopens the discussion around a schema for sharing the results from distributed rebuilders:

To make the results accessible, storable and create tools around them, they should all follow the same schema, a reproducible builds verification format. The format tries to be as generic as possible to cover all open source projects offering precompiled source code. It stores the rebuilder results of what is reproducible and what not.

Hans-Christoph Steiner of the Guardian Project also continued his previous discussion regarding making our website translatable.

Lastly, Leo Wandersleb posted a detailed request for feedback on a question of supply chain security and other issues of software review; Leo is the founder of the Wallet Scrutiny project which aims to prove the security of Android Bitcoin Wallets:

Do you own your Bitcoins or do you trust that your app allows you to use “your” coins while they are actually controlled by “them”? Do you have a backup? Do “they” have a copy they didn’t tell you about? Did anybody check the wallet for deliberate backdoors or vulnerabilities? Could anybody check the wallet for those?

Elsewhere, Leo had posted instructions on his attempts to reproduce the binaries for the BlueWallet Bitcoin wallet for iOS and Android platforms.

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

This month’s report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.

Sociological ImagesConflict Brings Us Together

For a long time, political talk at the “moderate middle” has focused on a common theme that goes something like this: 

There is too much political polarization and conflict. It’s tearing us apart. People aren’t treating each other with compassion. We need to come together, set aside our differences, and really listen to each other.

I have heard countless versions of this argument in my personal life and in public forums. It is hard to disagree with them at first. Who can be against seeking common ground?

But as a political sociologist, I am also skeptical of this argument because we have good research showing how it keeps people and organizations from working through important disagreements. When we try to avoid conflict above all, we often end up avoiding politics altogether. It is easy to confuse common ground with occupied territory — social spaces where legitimate problems and grievances are ignored in the name of some kind of pleasant consensus. 

A really powerful sociological image popped up in my Twitter feed that makes the point beautifully. We actually did find some common ground this week through a trend that united the country across red states and blue states:

It is tempting to focus on protests as a story about conflict alone, and conflict certainly is there. But it is also important to realize that this week’s protests represent a historic level of social consensus. The science of cooperation and social movements reminds us that getting collective action started is hard. And yet, across the country, we see people not only stepping up, but self-organizing groups to handle everything from communication to community safety and cleanup. In this way, the protests also represent a remarkable amount of agreement that the current state of policing in this country is simply neither just nor tenable. 

I was struck by this image because I don’t think nationwide protests are the kind of thing people have in mind when they call for everyone to come together, but right now protesting itself seems like one of the most unifying trends we’ve got. That’s the funny thing about social cohesion and cultural consensus. It is very easy to call for setting aside our differences and working together when you assume everyone will be rallying around your particular way of life. But social cohesion is a group process, one that emerges out of many different interactions, and so none of us ever have that much control over when and where it actually happens.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at

CryptogramThermal Imaging as Security Theater

Seems like thermal imaging is the security theater technology of today.

These features are so tempting that thermal cameras are being installed at an increasing pace. They're used in airports and other public transportation centers to screen travelers, increasingly used by companies to screen employees and by businesses to screen customers, and even used in health care facilities to screen patients. Despite their prevalence, thermal cameras have many fatal limitations when used to screen for the coronavirus.

  • They are not intended for medical purposes.
  • Their accuracy can be reduced by their distance from the people being inspected.
  • They are "an imprecise method for scanning crowds" now put into a context where precision is critical.
  • They will create false positives, leaving people stigmatized, harassed, unfairly quarantined, and denied rightful opportunities to work, travel, shop, or seek medical help.
  • They will create false negatives, which, perhaps most significantly for public health purposes, "could miss many of the up to one-quarter or more people infected with the virus who do not exhibit symptoms," as the New York Times recently put it. Thus they will abjectly fail at the core task of slowing or preventing the further spread of the virus.

Planet DebianGunnar Wolf: Tor from Telmex. When I say “achievement unlocked”, I mean it!

The blockade has ended! For some introduction..

Back in 2016, Telmex –Mexico’s foremost communications provider and, through the brands grouped under the América Móvil brand, one of Latin America’s most important ISPs– set up rules to block connecitons to (at least) seven of Tor’s directory authorities (DirAuths). We believe they might have blocked all of them, in an attempt to block connections from Tor from anywhere in their networks, but Tor is much more resourceful than that 😉 so, the measure was not too effective.

Only… Some blocking did hurt Telmex’s users: The ability to play an active role in Tor. The ability to host Tor relays at home. Why? Because the consensus protocol requires relays to be reachable –in order to be measured– from the network’s DirAuths.

Technical work to prove the blocking

We dug into the issue as part of the work we carried out in the project I was happy to lead between 2018 and 2019, UNAM/DGAPA/PAPIME PE102718. In March 2019, I presented a paper titled Distributed Detection of Tor Directory Authorities Censorship in Mexico (alternative download in the Topic on Internet Censorship and Surveillance (TICS) track of the XVIII International Conference on Networks.

Then… We had many talks inside our group, but nothing seemed to move for several months. We did successfully push for increasing the number of Tor relays in Mexico (we managed to go from two to eleven stable relays — not much in absolute terms, but quite good relatively, even more considering most users were not technically able to run one!)

Jacobo Nájera, journalist participant of our project, didn’t leave things there just lying around waiting magically for justice to happen. Together with Vasilis Ververis, from the Magma Project, they presented some weeks ago a Case study: Tor Directory Authorities Censorship in Mexico.

Pushing to action

But a good part of being a journalist is knowing how and when to spread the word. Having already two technical studies showing the blocking in place, Jacobo presented his findings with an article in GlobalVoices: The largest telecommunications operator in Mexico blocks the secure network. Surprisingly (to me, at least), this story was picked up by a major Mexican newspaper: The same evening the story hit GlobalVoices, Rodrigo Riquelme posted an article, in the Technology section of El Economista, titled Telmex blocks seven out of ten accesses to the Tor network in Mexico. And that very same day, Telmex sent a reply I am translating in full (that is now included at the end of Riquelme’s article):

Mexico City, May 28, 2020

In relation to Tor navigation from TELMEX’s network, the company informs:

In TELMEX, we are committed to the full respect to navigation freedom for all of our users.

TELMEX practices no application-level blocking policies; the Tor application, as well as the rest of Internet applications, can be freely accessed from our network.

In order to protect the Internauts’ information, the seven refered nodes were in their time reported because they were associated with the distribution of the WannaCry ransomware, which is the reason they were filtered, but this does not hamper the use of the Tor application.

So we got an answer…?

Jacobo knew we had to take advantage of this answer, and act fast! He entered rush-writing mode and, with the help of our good friend and lawyer Salvador Alcántar, we wrote a short letter to Renato Flores Cartas, Corporative Communication of América Móvil, and sent it on June 1st.

Next thing I know, this evening Jacobo was asking me if I could confirm the blocking was lifted. What‽‽‽ I could not believe it! But, yes — Today Jacobo published the confirmation that the seven blocked IP routes were finally reachable again from ASN 8151 (UNINET / Telmex / América Móvil)!

Of course, this story was picked up again by El Economista — Telmex unblocks IP addresses for the Tor network’s directory authority server IPs in Mexico.

Wrapping up

How can I put this in words? I am very, very, very, very, very, very, very, very, very happy we managed to see this through!

Although we have been pushing for increasing the usage of Tor among users at risk in Mexico — Being a journalist, defending human rights, are still a high-risk profession in my country. We strongly believe in this, and will continue trying to raise awareness of the usage.

But, just as with free software, using network anonymization tools is not all. We need more people to become active, to become engaged, to become active participants in anonymization. As the adage says, anonymity loves company — In order to build strong, sufficient anonymization capability for everybody that needs it, we need more people to provide relay services. And this is a huge step to improve Mexico’s participation in the Tor network!

Image credits: Seeing My World Through a Keyhole, by Kate Ter Haar (CC-BY); Tor logo (Wikimedia Commons)

Worse Than FailureCodeSOD: Scheduling your Terns

Mike has a co-worker who’s better at Code Golf than I am. They needed to generate a table with 24 column headings, one for each hour of the day, formatted in HAM- the hour and AM/PM. As someone bad at code golf, my first instinct is honestly to use two for loops, but in practice I’d probably do a 24 iteration loop with a branch to decide if it’s AM/PM and handle it appropriately, as well as a branch to handle the fact that hour 0 should be printed as 12.

Which, technically, more or less what Mike’s co-worker did, but they did in in golf style, using PHP.

<?php for ($i = 0; $i < 24; $i++) {
echo '<th><div>'.($i%12?$i%12:12).($i/12>=1?'pm':'am').'</div></th><th></th>';

This is code written by someone who just recently discovered ternaries. It’s not wrong. It’s not even a complete and utter disaster. It’s just annoying. Maybe I’m jealous of their code golf skills, but this is the kind of code that makes me grind my teeth when I see it.

It’s mildly… clever? $i%12?$i%12:12- i%12 will be zero when i is 12, which is false, and our false branch says to output 12, and our true branch says to output i%12. So that’s sorted, handles all 24 hours of the day.

Then, for AM/PM, they ($i/12>=1?'pm':'am')- which also works. Values less than 12 fail the condition, so our false path is 'am', values greater than 12 will get 'pm'.

But wait a second. We don’t need the >= or the division in there. This could just be ($i>11?'pm':'am').

Well, maybe I am good at Code Golf.

I still hate it.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!


Krebs on SecurityRomanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion

An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.

The multimedia investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and several international journalism partners detailed the activities of the so-called Riviera Maya crime gang, allegedly a mafia-like group of Romanians who until very recently ran their own ATM company in Mexico called “Intacash” and installed sophisticated electronic card skimming devices inside at least 100 cash machines throughout Mexico.

According to the OCCRP, Riviera Maya’s skimming devices allowed thieves to clone the cards, which were used to withdraw funds from ATMs in other countries — often halfway around the world in places like India, Indonesia, and Taiwan.

Investigators say each skimmer captured on average 1,000 cards per month, siphoning about $200 from individual victim accounts. This allowed the crime gang to steal approximately $20 million monthly.

“The gang had little tricks,” OCCRP reporters recounted in their video documentary (above). “They would use the cards in different cities all over the globe and wait three months so banks would struggle to trace where the card had originally been cloned.”

In September 2015, I traveled to Mexico’s Yucatan Peninsula to find and document almost two dozen ATMs in the region that were compromised with Bluetooth-based skimming devices. Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based, allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device, I was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad made to be slipped under the legit PIN pad on the machine, is the orange bit, top right. The Bluetooth and data storage chips are in the middle.

Several days of wandering around Mexico’s top tourist areas uncovered these sophisticated skimmers inside ATMs in Cancun, Cozumel, Playa del Carmen and Tulum, including a compromised ATM in the lobby of my hotel in Cancun. OCCRP investigators said the gang also had installed the same skimmers in ATMs at tourist hotspots on the western coast of Mexico, in Puerto Vallarta, Sayulita and Tijuana.

Part III of my 2015 investigation concluded that Intacash was likely behind the scheme. An ATM industry source told KrebsOnSecurity at the time that his technicians had been approached by ATM installers affiliated with Intacash, offering those technicians many times their monthly salaries if they would provide periodic access to the machines they maintained.

The alleged leader of the Riviera Maya organization and principal owner of Intacash, 43-year-old Florian “The Shark” Tudor, is a Romanian with permanent residence in Mexico. Tudor claims he’s an innocent, legitimate businessman who’s been harassed and robbed by Mexican authorities.

Last year, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard, Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Throughout my investigation, I couldn’t be sure whether Intacash’s shiny new ATMs — which positively blanketed tourist areas in and around Cancun — also were used to siphon customer card data. I did write about my suspicions that Intacash’s ATMs were up to no good when I found they frequently canceled transactions just after a PIN was entered, and typically failed to provide paper receipts for withdrawals made in U.S. dollars.

But citing some of the thousands of official documents obtained in their investigation, the OCCRP says investigators now believe Intacash installed the same or similar skimming devices in its own ATMs prior to deploying them — despite advertising them as equipped with the latest security features and fraudulent device inhibitors.

Tudor’s organization “had the access that gave The Shark’s crew huge opportunities for fraud,” the OCCRP reports. “And on the Internet, the number of complaints grew. Foreign tourists in Mexico fleeced” by Intacash’s ATMs.

Many of the compromised ATMs I located in my travels throughout Mexico were at hotels, and while Intacash’s ATMs could be found on many street locations in the region, it was rare to find them installed at hotels.

The confidential source with whom I drove from place to place at the time said Intacash avoided installing their machines at hotels — despite such locations being generally far more profitable — for one simple reason: If one’s card is cloned from a hotel ATM, the customer can easily complain to the hotel staff. With a street ATM, not so much.

The investigation by the OCCRP and its partners paints a vivid picture of a highly insular, often violent transnational organized crime ring that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

Tudor and many of his associates maintain their innocence and are still living as free men in Mexico, although Tudor is facing charges in Romania for his alleged involvement with organized crime, attempted murder and blackmail. Intacash is no longer operating in Mexico. In 2019, Intacash’s sponsoring bank in Mexico suspended the company’s contract to process ATM transactions.

For much more on this investigation, check out OCCRP’s multi-part series, How a Crew of Romanian Criminals Conquered the World of ATM Skimming.

TEDIgnite: The talks of TED@WellsFargo

TED curator Cyndi Stivers opens TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

World-changing ideas that unearth solutions and ignite progress can come from anywhere. With that spirit in mind at TED@WellsFargo, thirteen speakers showcased how human empathy and problem-solving can combine with technology to transform lives (and banking) for the better.

The event: TED@WellsFargo, a day of thought-provoking talks on topics including how to handle challenging situations at work, the value of giving back and why differences can be strengths. It’s the first time TED and Wells Fargo have partnered to create inspiring talks from Wells Fargo Team Members.

When and where: Wednesday, February 5, 2020, at the Knight Theater in Charlotte, North Carolina

Opening and closing remarks: David Galloreese, Wells Fargo Head of Human Resources, and Jamie Moldafsky, Wells Fargo Chief Marketing Officer

Performances by: Dancer Simone Cooper and singer/songwriter Jason Jet and his band

The talks in brief:

“What airlines don’t tell you is that putting your oxygen mask on first, while seeing those around you struggle, it takes a lot of courage. But being able to have that self-control is sometimes the only way that we are able to help those around us,” says sales and trading analyst Elizabeth Camarillo Gutierrez. She speaks at TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

Elizabeth Camarillo Gutierrez, sales and trading analyst

Big idea: As an immigrant, learning to thrive in America while watching other immigrants struggle oddly echoes what flight attendants instruct us to do when the oxygen masks drop in an emergency landing: if you want to help others put on their masks, you must put on your own mask first.

How? At age 15, Elizabeth Camarillo Gutierrez found herself alone in the US when her parents were forced to return to Mexico, taking her eight-year-old brother with them. For eight years, she diligently completed her education — and grappled with guilt, believing she wasn’t doing enough to aid fellow immigrants. Now working as a sales and trading analyst while guiding her brother through school in New York, she’s learned a valuable truth: in an emergency, you can’t save others until you save yourself.

Quote of the talk: “Immigrants [can’t] and will never be able to fit into any one narrative, because most of us are actually just traveling along a spectrum, trying to survive.”

Matt Trombley, customer remediation supervisor

Big idea: Agonism — “taking a warlike stance in contexts that are not literally war” — plagues many aspects of modern-day life, from the way we look at our neighbors to the way we talk about politics. Can we work our way out of this divisive mindset?

How: Often we think that those we disagree with are our enemies, or that we must approve of everything our loved ones say or believe. Not surprisingly, this is disastrous for relationships. Matt Trombley shows us how to fight agonism by cultivating common ground (working to find just a single shared thread with someone) and by forgiving others for the slights that we believe their values cause us. If we do this, our relationships will truly come to life.

Quote of the talk: “When you can find even the smallest bit of common ground with somebody, it allows you to understand just the beautiful wonder and complexity and majesty of the other person.”

Dorothy Walker, project manager

Big idea: Anybody can help resolve a conflict — between friends, coworkers, strangers, your children — with three simple steps.

How? Step one: prepare. Whenever possible, set a future date and time to work through a conflict, when emotions aren’t running as high. Step two: defuse and move forward. When you do begin mediating the conflict, start off by observing, listening and asking neutral questions; this will cause both parties to stop and think, and give you a chance to shift positive energy into the conversation. Finally, step three: make an agreement. Once the energy of the conflict has settled, it’s time to get an agreement (either written or verbal) so everybody can walk away with a peaceful resolution.

Quote of the talk: “There is a resolution to all conflicts. It just takes your willingness to try.”

Charles Smith, branch manager

Big idea: The high rate of veteran suicide is intolerable — and potentially avoidable. By prioritizing the mental health of military service members both during and after active duty, we can save lives.

How? There are actionable solutions to end the devastating epidemic of military suicide, says Charles Smith. First, by implementing a standard mental health evaluation to military applicants, we can better gauge the preliminary markers of post traumatic stress disorder (PTSD) or depression. Data is a vital part of the solution: if we keep better track of mental health data on service members, we can also predict where support is most needed and create those structures proactively. By identifying those with a higher risk early on in their military careers, we can ensure they have appropriate care during their service and connect them to the resources they need once they are discharged, enabling veterans to securely and safely rejoin civilian life.

Quote of the talk: “If we put our minds and resources together, and we openly talk and try to find solutions for this epidemic, hopefully, we can save a life.”

“We all know retirement is all about saving more now, for later. What if we treated our mental health and overall well-being in the same capacity? Develop and save more of you now, for later in life,” says premier banker Rob Cooke. He speaks at TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

Rob Cooke, premier banker

Big idea: Work-related stress costs us a lot, in our lives and the economy. We need to reframe the way we manage stress — both in our workplaces and in our minds.

How? “We tend to think of [stress] as a consequence, but I see it as a culture,” says Rob Cooke. Despite massive global investments in the wellness industry, we are still losing trillions of dollars due to a stress-related decrease in employee productivity and illness. Cooke shares a multifaceted approach to shifting the way stress is managed, internally and culturally. It starts with corporations prioritizing the well-being of employees, governments incentivizing high standards for workplace wellness and individually nurturing our relationship with our own mental health.

Quote of the talk: “We all know retirement is all about saving more now, for later. What if we treated our mental health and overall well-being in the same capacity? Develop and save more of you now, for later in life.”

Aeris Nguyen, learning and development facilitator

Big idea: What would our world be like if we could use DNA to verify our identity?

Why? Every year, millions of people have their identities stolen or misused. This fact got Aeris Nguyen thinking about how to safeguard our information for good. She shares an ambitious thought experiment, asking: Can we use our own bodies to verify our selves? While biometric data such as facial or palm print recognition have their own pitfalls (they can be easily fooled by, say, wearing a specially lighted hat or using a wax hand), what if we could use our DNA — our blood, hair or earwax? Nguyen acknowledges the ethical dilemmas and logistical nightmares that would come with collecting and storing more than seven billion files of DNA, but she can’t help but wonder if someday, in the far future, this will become the norm.

Quote of the talk: “Don’t you find it strange that we carry around these arbitrary, government assigned numbers or pieces of paper with our picture on it and some made-up passwords to prove we are who we say we are?  When, in fact, the most rock-solid proof of our identity is something we carry around in our cells — our DNA.”

“To anyone reeling from forces trying to knock you down and cram you into these neat little boxes people have decided for you — don’t break. I see you. My ancestors see you. Their blood runs through me as they run through so many of us. You are valid. And you deserve rights and recognition. Just like everyone else,” says France Villarta. He speaks at TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

France Villarta, communications consultant

Big idea: Modern ideas of gender are much older than we may think.

How? In many cultures around the world, the social construct of gender is binary — man or woman, assigned certain characteristics and traits, all designated by biological sex. But that’s not the case for every culture. France Villarta details the gender-fluid history of his native Philippines and how the influence of colonial rule forced narrow-minded beliefs onto its people. In a talk that’s part cultural love letter, part history lesson, Villarta emphasizes the beauty and need in reclaiming gender identities. “Oftentimes, we think of something as strange only because we’re not familiar with it or haven’t taken enough time to try and understand,” he says. “The good thing about social constructs is that they can be reconstructed — to fit a time and age.”

Quote of the talk: “To anyone reeling from forces trying to knock you down and cram you into these neat little boxes people have decided for you — don’t break. I see you. My ancestors see you. Their blood runs through me as they run through so many of us. You are valid. And you deserve rights and recognition. Just like everyone else.”

Dancer Simone Cooper performs a self-choreographed dance onstage at TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

Dean Furness, analytic consultant

Big idea: You can overcome personal challenges by focusing on yourself, instead of making comparisons to others.

How? After a farming accident paralyzed Dean Furness below the waist, he began the process of adjusting to life in a wheelchair. He realized he’d have to nurture and focus on this new version of himself, rather than fixate on his former height, strength and mobility. With several years of rehabilitation and encouragement from his physical therapist, Furness began competing in the Chicago and Boston marathons as a wheelchair athlete. By learning how to own each day, he says, we can all work to get better, little by little.

Quote of the talk: “Take some time and focus on you, instead of others. I bet you can win those challenges and really start accomplishing great things.”

John Puthenveetil, financial advisor

Big idea: Because of the uncertain world we live in, many seek solace from “certainty merchants” — like physicians, priests and financial advisors. Given the complex, chaotic mechanisms of our economy, we’re better off discarding “certainty” for better planning.

How? We must embrace adaptable plans that address all probable contingencies, not just the most obvious ones. This is a crucial component of “scenario-based planning,” says John Puthenveetil. We should always aim for being approximately right rather than precisely wrong. But this only works if we pay attention, heed portents of possible change and act decisively — even when that’s uncomfortable.

Quote of the talk: “It is up to us to use [scenario-based planning] wisely: Not out of a sense of weakness or fear, but out of the strength and conviction that comes from knowing that we are prepared to play the hand that is dealt.”

Johanna Figueira, digital marketing consultant

Big idea: The world is more connected than ever, but some communities are still being cut off from vital resources. The solution? Digitally matching professional expertise with locals who know what their communities really need.

How? Johanna Figueira is one of millions who has left Venezuela due to economic crisis, crumbling infrastructure and decline in health care — but she hasn’t left these issues behind. With the help of those still living in the country, Figueira helped organize Code for Venezuela — a platform that matches experts with communities in need to create simple, effective tools to improve quality of life. She shares two of their most successful projects: MediTweet, an intelligent Twitter bot that helps Venezuelans find medicinal supplies, and Blackout Tracker, a tool that helps pinpoint power cuts in Venezuela that the government won’t report. Her organization shows the massive difference made when locals participate in their own solutions.

Quote of the talk: “Some people in Silicon Valley may look at these projects and say that they’re not major technological innovations. But that’s the point. These projects are not insanely advanced — but it’s what the people of Venezuela need, and they can have a tremendous impact.”

Jeanne Goldie, branch sales manager

Big idea: We’re looking for dynamic hotbeds of innovation in all the wrong places.

How? Often, society looks to the young for the next big thing, leaving older generations to languish in their shadow until being shuffled out altogether, taking their brain power and productivity with them. Instead of discarding today’s senior workforce, Jeanne Goldie suggests we tap into their years of experience and retrain them, just as space flight has moved from the disposable rockets of NASA’s moon launches to today’s reusable Space X models.

Quote of the talk: “If we look at data and technology as the tools they are … but not as the answer, we can come up with better solutions to our most challenging problems.”

Rebecca Knill, business systems consultant

Big idea: By shifting our cultural understanding of ability and using technology to connect, we can build a more inclusive and human world.

How? The medical advances of modern technology have improved accessibility for disabled communities. Rebecca Knill, a self-described cyborg who has a cochlear implant, believes the next step to a more connected world is changing our perspectives. For example, being deaf isn’t shameful or pitiful, says Knill — it’s just a different way of navigating the world. To take full advantage of the fantastic opportunities new technology offers us, we must drop our assumptions and meet differences with empathy.

Quote of the talk: “Technology has come so far. Our mindset just needs to catch up.”

“We have to learn to accept where people are and adjust ourselves to handle those situations … to recognize when it is time to professionally walk away from someone,” says business consultant Anastasia Penright. She speaks at TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

Anastasia Penright, business consultant

Big idea: No workplace is immune to drama, but there are steps we can follow to remove ourselves from the chatter and focus on what’s really important.

How? No matter your industry, chances are you’ve experienced workplace drama. In a funny and relatable talk, Anastasia Penright shares a better way to coexist with our coworkers using five simple steps she’s taken to leave drama behind and excel in her career. First, we must honestly evaluate our own role in creating and perpetuating conflicts; then evaluate our thoughts and stop thinking about every possible scenario. Next, it’s important to release our negative energy to a trusted confidant (a “venting buddy”) while trying to understand and accept the unique communication styles and work languages of our colleagues. Finally, she says, we need to recognize when we’re about to step into drama and protect our energy by simply walking away.

Quote of the talk: “We have to learn to accept where people are and adjust ourselves to handle those situations … to recognize when it is time to professionally walk away from someone.”

Jason Jet performs the toe-tapping, electro-soul song “Time Machine” at TED@WellsFargo at the Knight Theater on February 5, 2020, in Charlotte, North Carolina. (Photo: Ryan Lash / TED)

Planet DebianDebian Project Leader: DPL Activity logs for April/May 2020

First month as DPL

I survived my first month as DPL! I agree with previous DPLs who have described it as starting a whole new job. Fortunately it wasn't very stressful, but it certainly was very time consuming. On the very first day my inbox exploded with requests. I dealt with this by deferring anything that wasn't important right away and just started working through it. Fortunately the initial swell subsided as the month progressed. The bulk of my remaining e-mail backlog are a few media outlets who wants to do interviews. I'll catch up with those during this month.

Towards the end of the month, most of my focus was on helping to prepare for an online MiniDebConf that we hosted over the last weekend in May. We had lots of fun and we had some great speakers sharing their knowledge and expertise during the weekend.

Activity log

As I do on my own blog for free software activities, I'll attempt to keep a log of DPL activities on this blog. Here's the log for the period 2020-04-21 to 2020-05-21:

2020-04-19: Handover session with Sam, our outgoing DPL. We covered a lot of questions I had and main areas that the DPL works in. Thanks to Sam for having taken the time to do this.

2020-04-21: First day of term! Thank you to everybody who showed support and have offered to help!

2020-04-21: Request feedback from the trademark team on an ongoing trademark dispute.

2020-04-21: Join the GNOME Advisory Board as a representative from Debian.

2020-04-21: Reply on an ongoing community conflict issue.

2020-04-21: Update Debian project summary for SPI annual report.

2020-04-21: Received a great e-mail introduction from Debian France and followed up on that.

2020-04-21: Posted "Bits from the new DPL" to debian-devel-announce.

2020-04-22: Became Debian's OSI Affilliate representative.

2020-04-22: Reply to a bunch of media inquiries for interviews, will do them later when initial priorities are on track.

2020-04-23: Resign as Debian FTP team trainee and mailing list moderator. In both these areas there are enough people taking care of it and I intend to maximise available time for DPL and technical areas in the project.

2020-04-25: Review outgoing mail for trademark team.

2020-04-25: Answer some questions in preparation for DAM/Front Desk delegation updates.

2020-04-26: Initiated wiki documentation for delegation updates process.

2020-04-27: Update delegation for the Debian Front Desk team.

2020-04-29: Schedule video call with Debian treasurer team.

2020-04-29: OSI affiliate call. Learned about some Open Source projects including OpenDev, OpenSourceMatters, FOSS Responders and Democracy Labs.

2020-05-04: Delivered my first talk session as DPL titled "Mixed Bag of Debian" at "Fique Em Casa Use Debian" (Stay at home and use Debian!), organised by Debian Brazil, where they had a different talk every evening during the month of May. Great initiative I hope other local groups consider copying their ideas!

2020-05-05: Had a 2 hour long call with the treasurer team. Feeling optimistic for the future of Debian's financing although it will take some time and a lot of work to get where we want to be.

2020-05-17: Respond to cloud delegation update.

Planet DebianJonathan Dowland: using Template Haskell to generate boilerplate

Here's a practical example of applying Template Haskell to reduce the amount of boilerplate code that is otherwise required. I wrote the below after following this excellent blog post by Matt Parsons. This post will be much higher-level, read Matt's blog for the gorier details.


Liquorice is a toy project of mine from a few years ago that lets you draw 2D geometric structures similar to LOGO. Liquorice offers two interfaces: pure functions that operate on an explicit Context (the pen location: existing lines, etc.), and a second "stateful" interface where the input and output are handled in the background. I prefix the pure ones P. and the stateful ones S. in this blog post for clarity.

The stateful interface can be much nicer to use for larger drawings. Compare example8b.hs, written in terms of the pure functions, and the stateful equivalent example8.hs.

The majority of the stateful functions are "wrapped" versions of the pure functions. For example, the pure function P.step takes two numbers and moves the pen forward and sideways. Its type signature is

P.step :: Int -> Int -> Context -> Context

Here's the signature and implementation of the stateful equivalent:

S.step :: Int -> Int -> State Context ()
S.step x y = modify (P.step x y)

Writing these wrapped functions for the 29 pure functions is boilerplate that can be generated automatically with Template Haskell.

Generating the wrapper functions

Given the Name of a function to wrap, we construct an instance of FunD, the TH data-type representing a function definition. We use the base name of the incoming function as the name for the new one.

mkWrap fn = do
    let name = mkName (nameBase fn)
    return $ FunD name [ Clause (map VarP args) (NormalB rhs) [] ]

To determine how many arguments the wrapper function needs to accept, we need to determine the input function's arity. We use Template Haskell's reify function to get type information about the function, and derive the arity from that. Matt Parson's covers this exactly in his blog.

info    <- reify fn
let ty   = (\(VarI _ t _ ) -> t) info
let n    = arity ty - 1
args    <- replicateM n (newName "arg")

We can use the list "args" directly in the clause part of the function definition, as the data-type expects a list. For the right-hand side, we need to convert from a list of arguments to function application. That's a simple left-fold:

-- mkFnApp f [a,b,c] => ((f a) b) c => f a b c
mkFnApp = foldl (\e -> appE e . varE)
rhs     <- [| modify $(mkFnApp (varE fn) args) :: State Context () |]

We use TH's oxford brackets for the definition of rhs. This permits us to write real Haskell inside the brackets, and get an expression data-type outside them. Within we have a splice (the $(…)), which does the opposite: the code is evaluated at compile time and generates an Exp that is then converted into the equivalent Haskell code and spliced into place.

Finally, we need to apply the above to a list of Names. Sadly, we can't get at the list of exported names from a Module automatically. There is an open request for a TH extension for this. In the meantime, we export a list of the functions to wrap from the Pure module and operate on that

import Liquorice.Pure
wrapPureFunctions = mapM mkWrap pureFns

Finally, we 'call' wrapPureFunctions at the top level in our state module and Template Haskell splices all the function definitions into place.

The final code ended up only around 30 lines of code, and saved about the same number of lines of boilerplate. But in doing this I noticed some missing functions, and it will pay dividends if more pure functions are added.


The current implementation has one significant limitation: it cannot handle higher-order functions. An example of a pure higher-order function is place, which moves the pen, performs an operation, and then moves it back: :: Int -> Int -> (Context -> Context) -> Context -> Context

Wrapping this is not sufficient because the higher-order parameter has the pure function signature Context -> Context. If we wrapped it, the stateful version of the function would accept a pure function as the parameter, but you would expect it to accept another stateful function.

To handle these, at a minimum we would need to detect the function arguments that have type Context -> Context and replace them with State Context (). The right-hand side of the wrapped function would also need to do more work to handle wrapping and unwrapping the parameter. I haven't spent much time thinking about it but I'm not sure that a general purpose wrapper would work for all higher-order functions. For the time being I've just re-implemented the half-dozen of them.

Planet DebianBen Hutchings: Introducing debplate, a template system for Debian packages

For about two months I've been working on a new project, debplate, which currently lives at benh/debplate on Salsa. This is a template system for Debian packages, primarily intended to ease building multiple similar binary packages from a single source. With some changes, it could also be useful for making multiple source packages consistent (issue #9).

I want debplate to be capable of replacing the kernel team's existing template system and a lot of its custom scripting, but it is also meant to a general tool. I believe it's already capable of supporting source packages with relatively simple needs, and there are some examples of these in the debplate source. My long-term goal is that debplate will replace most team-specific and package-specific template systems, making those source packages using it less unusual and easier to contribute to.

I gave a short talk about debplate at MiniDebConf Online on Sunday.

Planet DebianBen Hutchings: Debian LTS work, May 2020

I was assigned 17.25 hours of work by Freexian's Debian LTS initiative, and carried over 2.5 hours from April. I worked all 19.75 hours this month.

I sent a request for testing an update of the linux package to 3.16.83. I then prepared and, after review, released Linux 3.16.84. I rebased the linux package onto that and sent out a further request for testing. I then backported some additional security fixes, but have still not made an upload.

I attended the LTS contributor meeting on IRC.

Planet DebianAndy Simpkins: Getting Co-ap tools working on Debian

At work we have a wonderful pyhon tool that we are able to send CoAP messages to and from our products. Perfect for development work. However recently I needed to install a copy of the tools onto my personal laptop because the only work laptops I have access to have completely dead batteries and so are not suitable for taking out into a field to perform RF range tests….

As a company we have chosen not to package internal development tools – I think that this is a mistake, but this is not my decision. So I simply copied across the coap tools directory and tried to run them. Obviously nothing worked! However, the error messages were enough to work out what dependencies I needed to resolve.

Error #1 Missing shared library
By a process of deduction we found that gcc5 contains libasan2, quite old.
Debian’s snapshots was our saviour here:



dpkg -i ./gcc-5-base_5.5.0-12_amd64.deb ./libasan2_5.5.0-12_amd64.deb

great – that was enough to get the port bindings to work

Error #2 google.protobuf

When I tried to issue coap requests I ran into missing python3 imports “google.protobuf” fortunately this is found packaged in Debian buster as party of python3-protobuf

apt-get install python3-protobuf

Done! everything works :-)

Planet DebianDirk Eddelbuettel: littler 0.3.10: Some more updates

max-heap image

The eleventh release of littler as a CRAN package is now available, following in the fourteen-ish year history as a package started by Jeff in 2006, and joined by me a few weeks later.

littler is the first command-line interface for R as it predates Rscript. It allows for piping as well for shebang scripting via #!, uses command-line arguments more consistently and still starts faster. It also always loaded the methods package which Rscript only started to do in recent years.

littler lives on Linux and Unix, has its difficulties on macOS due to yet-another-braindeadedness there (who ever thought case-insensitive filesystems as a default where a good idea?) and simply does not exist on Windows (yet – the build system could be extended – see RInside for an existence proof, and volunteers are welcome!). See the FAQ vignette on how to add it to your PATH.

A few examples are highlighted at the Github repo, as well as in the examples vignette.

This release adds a new helper / example script installBioc.r for BioConductor package installation, generalizes the roxygenize() wrapper roxy.r a little, and polished a couple of other corners.

The NEWS file entry is below.

Changes in littler version 0.3.10 (2020-06-02)

  • Changes in examples

    • The update.r script only considers writeable directories.

    • The rcc.r script tries to report full logs by setting _R_CHECK_TESTS_NLINES_=0.

    • The tt.r script has an improved ncpu fallback.

    • Several installation and updating scripts set _R_SHLIB_STRIP_ to TRUE.

    • A new script installBioc.r was added.

    • The --error option to install2.r was generalized (Sergio Oller in #78).

    • The roxy.r script was extended a little.

  • Changes in package

    • Travis CI now uses R 4.0.0 and the bionic distro

CRANberries provides a comparison to the previous release. Full details for the littler release are provided as usual at the ChangeLog page. The code is available via the GitHub repo, from tarballs and now of course also from its CRAN page and via install.packages("littler"). Binary packages are available directly in Debian as well as soon via Ubuntu binaries at CRAN thanks to the tireless Michael Rutter.

Comments and suggestions are welcome at the GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

CryptogramWallpaper that Crashes Android Phones

This is interesting:

The image, a seemingly innocuous sunset (or dawn) sky above placid waters, may be viewed without harm. But if loaded as wallpaper, the phone will crash.

The fault does not appear to have been maliciously created. Rather, according to developers following Ice Universe's Twitter thread, the problem lies in the way color space is handled by the Android OS.

The image was created using the RGB color space to display image hues, while Android 10 uses the sRGB color space protocol, according to 9to5Google contributor Dylan Roussel. When the Android phone cannot properly convert the Adobe RGB image, it crashes.

Planet DebianOlivier Berger: Automate the capture a full BigBlueButton conference replay, with bbb-downloader

BigBlueButton, aka BBB, is a webrtc conferencing solution, that among many features, allows to record a conference, for later replay.

We have been working together with my colleague François Trahay, on a set of scripts (bbb-downloader) that will allow to easily (on Linux) download recordings of BBB conferences, for local backup, video editing, upload on video sharing platforms, etc. This is particularly useful in our distance learning contexts where students may have to catch up on a live session that was recorded.

We have integrated a hackish solution to capture, as a single video, presentations that contained slide deck presentations. Let me explain why this was necessary.

A nice feature of BBB is the fact that, to present a slides deck, you don’t need to share your screen (as a video stream), but just have to upload your file, which is then auto-converted to images, that are sent to participants, in sync with your next/previous browsing of the slides.

This is great for participants with low bandwidth, which can see the slides (“static” images) instead of receiving a full screen video stream.

But a side effect is that the recording of a  class/conference that is done by BBB replays the slides just as it was done live : displaying images one after the other.

While it is easy to retrieve the audio, webcams of participants, or screen sharings as video streams, directly available from the recordings replay app, it is thus not the same for the slides, which don’t come as a video.

Our script will perform a replay, using a Docker container which drives Selenium under the hood, to capture the full replay, as a single video, which then includes the slides and everything. You can see my demo of this process in the following video:

bbb-downloader full capture demo.

It takes long to replay, in real-time, the recordings, to perform this capture… but it works. Kudos to elgalu/docker-selenium for the Docker env.

Feel free to test it and profit, or to report issues in the Guthub issues of the repo:

Worse Than FailureCodeSOD: Synchronize Your Clocks

Back when it was new, one of the “great features” of Java was that it made working with threads “easy”. Developers learning the language were encouraged to get a grip right on threads right away, because that was the new thing which would make their programs so much better.

Well, concurrency is hard. Or, to put it another way, “I had a problem, so I decided to use threads. prhave twI Now o oblems.”

Another thing that’s hard in Java is working with dates and times.

Larisa inherited some code which wanted to be able to check the current system time in a threadsafe fashion. They weren’t doing anything fancy- no timezones, no formatting, just getting the Unix Timestamp off the clock. If you’re thinking to yourself, “It’s just a read operation and there’s no need to bring threads into this at all,” you obviously didn’t write today’s code block.

The right way to do this in Java 8+, would be to use the built-in java.time objects, but in older versions of Java you might need to do something like this:

long currentTime = System.currentTimeMillis();

But that doesn’t involve any design patterns, any synchronized code blocks to protect against multiple threads, and simply isn’t Enterprise enough.

public class Clock {
    private static Clock sfClock = null;

    protected static synchronized void register(Clock testClock) {
        sfClock = testClock;

    public static synchronized Clock getIt() {
        if (sfClock == null) {
            sfClock = new Clock();
        return sfClock;

    public static long now() {
        return getIt().nowImpl();

    protected long nowImpl() {
        return System.currentTimeMillis();


This is an attempt to implement the Singleton pattern, which is the go to pattern for people to use, because it’s the easiest to understand and implement and doubles as what is basically a global variable.

You’ll note that there’s no constructor, since there’s no internal state, so there’s no point in making this a singleton.

getIt will create an instance if there isn’t one, but you can also supply an instance via register. You might think that the developer put some thought into how this class would be tested, but again- there’s no internal state or even any internal logic. You could inherit from Clock to make a MockClock that could be used in testing, but that is a long hill to climb to justify this.

The real genius, though, is that our ugly getIt method doesn’t ever have to be directly invoked. Instead, now does that for you. will call getIt, which gets an instance of Clock, then invoke nowImpl, the actual implementation of our now method.

For bonus points, the reason Larisa found this was that there are a lot of threads in this program, and they’re tying timestamps to actions on the regular, so the fact that getIt is synchronized was actually killing performance.

None of this code is necessary. It’s an over-engineered solution to a problem nobody actually had.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

Planet DebianKeith Packard: picolibc-ryu

Float/String Conversion in Picolibc: Enter “Ryū”

I recently wrote about this topic having concluded that the best route for now was to use the malloc-free, but imprecise, conversion routines in the tinystdio alternative.

A few days later, Sreepathi Pai pointed me at some very recent work in this area:

This is amazing! Thirty years after the papers referenced in the previous post, Ulf Adams came up with some really cool ideas and managed to reduce the math required for 64-bit conversion to 128 bit integers. This is a huge leap forward; we were doing long multi-precision computations before, and now it's all short enough to fit in registers (ok, a lot of registers, but still).

Getting the Ryū Code

The code is available on github: Reading through it, it's very clear that the author focuses on performance with lots of tuning for common cases. Still, it's quite readable, especially compared with the newlib multi-precision based code.

Picolibc String/Float conversion interface

Picolibc has some pretty basic needs for the float/string conversion code, it wants four functions:

  1. __dtoa_engine

    __dtoa_engine(double x, struct dtoa *dtoa, uint8_t max_digits, uint8_t max_decimals);

    This converts the double x to a string of decimal digits and a decimal exponent stored inside the 'dtoa' struct. It limits the total number of digits to max_digits and, optionally (when max_decimals is non-zero), limits the number of fractional digits to max_decimals - 1. This latter supports 'f' formats. Returns the number of digits stored, which is <= max_digits. Less if the number can be accurately represented in fewer digits.

  2. __ftoa_engine

    __ftoa_engine(float x, struct ftoa *ftoa, uint8_t max_digits, uint8_t max_decimals);

    The same as __dtoa_engine, except for floats.

  3. __atod_engine

    __atod_engine(uint64_t m10, int e10);

    To avoid needing to handle stdio inside the conversion function, __atod_engine receives fully parsed values, the base-10 significand (m10) and exponent (e10). The value to convert is m10 * pow(10, e10).

  4. __atof_engine

    __atof_engine(uint32_t m10, int e10);

    The same as __atod_engine, except for floats.

With these, it can do printf, scanf, ecvt, fcvt, gcvt, strtod, strtof and atof.

Porting Ryū to Picolibc

The existing Ryū float-to-string code always generates the number of digits necessary for accurate output. I had to hack it up to generate correctly rounded shorter output when max_digits or max_decimals were smaller. I'm not sure I managed to do that correctly, but at least it appears to be passing all of the test cases I have. In normal operation, Ryū iteratively removes digits from the answer that aren't necessary to disambiguate with neighboring values.

What I changed was to keep removing digits using that method until the answer had few enough digits to fit in the desired length. There's some tricky rounding code that adjusts the final result and I had to bypass that if I'd removed extra digits.

That was about the only change necessary to the core algorithm. I also trimmed the code to only include the general case and not the performance improvements, then wrapped it with code to provide the _engine interface.

On the string-to-float side, most of what I needed to do was remove the string parsing bits at the start of the function and switch from performance-optimized to space-optimized versions of a couple of internal routines.

Correctness Results

Because these new functions are now 'exact', I was able to adjust the picolibc tests to compare all of the bits for string/float conversion instead of having to permit a bit of slop in the answers. With those changes, the picolibc test suite passes, which offers some assurance that things aren't completely broken.

Size Results

Snek uses the 32-bit float versions of the conversion routines, and for that, the size difference is:

   text    data     bss     dec     hex filename
  59068      44   37968   97080   17b38 snek-qemu-riscv-orig.elf
  59430      44   37968   97442   17ca2 snek-qemu-riscv-ryu.elf

362 bytes added to gain accurate printf/strtof results seems like a good trade-off in this case.


I haven't measured performance at all, but I suspect that it won't be nearly as problematic on most platforms as the source code makes it appear. And that's because Ryū is entirely integer arithmetic with no floating point at all. This avoids using the soft fp code for platforms without hardware float support.

Pointers to the Code

I haven't merged this to picolibc master yet, it's on the ryu branch:

Review, especially of the hack above to return short results, would be greatly appreciated!

Thanks again to Ulf Adams for creating this code and to Sreepathi Pai for sending me a note about it!

Planet DebianDima Kogan: vnlog now functional on *BSD and OSX

So somebody finally bugged me about supporting vnlog tools on OSX. I was pretty sure that between all the redirection, process communication, and file descriptor management something was Linux-specific, but apparently not: everything just works. There were a few uninteresting issues with tool paths, core tool and linker flags and so on, but it was all really minor. I have a report that the test suite passes on OSX, and I verified it on FreeBSD.

I made a new 1.28 release tag, but it exists mostly for the benefit of any OSX or *BSD people who'd want to make a package for their system. Progress!


Planet DebianOlivier Berger: Mixing NRELab’s Antidote and Eclipse Che on the same k8s cluster

You may have heard of my search for Cloud solutions to run labs in an academic context, with a focus on free an open source solutions . You may read previous installments of this blog, or for a shorter, check the presentation I’ve recorded last week.

I’ve become quite interested, in the latest month, in 2 projects: NRELab’s Antidote and  Eclipse Che.

Antidote is the software that powers NRELabs, a labs platform for learning network automation, which runs on top of Kubernetes (k8s). The interesting thing is that for each learner, there can be a dedicated k8s namespace with multiple virtual nodes running on a separate network. This can be used in the context of virtual classes/labs where our students will perform network labs in parallel on the same cluster.

Eclipse Che powers Eclipse “on the Cloud”, making available software development environments, for developers, on a Kubernetes Cloud. Developers typically work from a Web page instead of installing local development tools.

Both projects seem quite complementary. For one, we both teach networks and software developments. So that would naturally appeal for many professors.

Furthermore, Eclipse Che provides a few features that Antidote is lacking : authenticating users (with keycloak), and persisting their work in workspaces, between work sessions. Typically what we need in our academic context where students will work on the same labs during scheduled classes, week after week, during or off-hours.

Thus it would be great to have more integration between the 2 environments.

I intend to work on that front, but that takes time, as running stuff on Kubernetes isn’t exactly trivial, at least when you’re like me and want to use a “vanilla” kubernetes.

I’ve mainly relied on running k8s inside VMs using Vagrant and/or minikube so far.

A first milestone I’ve achieved is making sure that Antidote and Eclipse Che aren’t incompatible. Antidote’s “selfmedicate” script was actually running inside a Vagrant VM, where I had difficulties installing Eclipse Che (probably because of old software, or particular networking setup details). I’ve overcome this hurdle, as I’m now able to install both environments on a single Kubernetes VM (using my own Vagrant setup).

Running Eclipse Che (alongsite Antidote) on a k8s Vagrant VM.

This proves only that there’s no show stopper there, but a lot of work remains.

Stay tuned.

Update: I’ve finally managed to get it to work on the antidote-selfmedicate base too. See my branch at:

Planet DebianSylvestre Ledru: Debian rebuild with clang 10 + some patches

Because of the lock-down in France and thanks to Lucas, I have been able to make some progress rebuilding Debian with clang instead of gcc.


Instead of patching clang itself, I used a different approach this time: patching Debian tools or implementing some workaround to mitigate an issue.
The percentage of packages failing drop from 4.5% to 3.6% (1400 packages to 1110 - on a total of 31014).

I focused on two classes of issues:


As I have no intention to merge the patch upstream, I used a very dirty workaround. I overwrote the g++ qmake file by clang's:

I dropped the number of this failure to 0, making some packages build flawlessly (example: qtcreator, chessx, fwbuilder, etc).

However, some packages are still failing later and therefore increasing the number of failures in some other categories like link error. For example, qtads fails because of ordered comparison between pointer and zero or oscar fails on a -Werror,-Wdeprecated-copy error.

Breaking the build later also highlighted some new classes of issues which didn't occur with clang < 10.
For example, warnings related to C++ range loop or implicit int float conversion (I fixed a bunch of them in Firefox) .

Symbol differences  

Historically, symbol management for C++ in Debian has been a pain. Russ Allbery wrote a blog post in 2012 explaining the situation. AFAIK, it hasn't changed much.
Once more, I took the dirty approach: if there new or missing symbols, don't fail the build.
The rational is the following: Packages in the Debian archive are supposed to build without any issue. If there is new or missing symbols, it is probably clang generating a different library but this library is very likely working as expected (and usable by a program compiled with g++ or clang). It is purely a different approach taken by the compiler developer.

In order to mitigate this issue, before the build starts, I am modifying dpkg-gensymbols to transform the error into a warning.
So, the typical Debian error some new symbols appeared in the symbols file or some symbols or patterns disappeared in the symbols file will NOT fail the build.

Unsurprisingly, all but one package (libktorrent) build.

Even if I am pessimistic, I reported a bug on dpkg-dev to evaluate if we could improve dpkg-gensymbol not to fail on these cases.

Next steps  

The next offender is Imake.tmpl:2243:10: fatal error: ' X11 .rules' file not found with more than an hundred occurrences, reported upstream quite sometime ago.

Then, the big issues are going to be much harder to fix as they are real issues/warnings (with -Werror) in the code of the packages. Example: -Wc++11-narrowing & Wreserved-user-defined-literal... The list is long.
I will probably work on that when llvm/clang 11 are in RC phase.

For maintainers & upstream  

Maintainer of Debian/Ubuntu packages? I am providing a list of failing packages per maintainer:
For upstream, it is also easy to test with clang. Usually, apt install clang && CC=clang CXX=clang++ <build step> is good enough.


With these two changes, I have been able to fix about 290 packages. I think I will be able to get that down a bit more but we will soon reach a plateau as many warnings/issues will have to fix in the C/C++ code itself.

Krebs on SecurityREvil Ransomware Gang Starts Auctioning Victim Data

The criminal group behind the REvil ransomware enterprise has begun auctioning off sensitive data stolen from companies hit by its malicious software. The move marks an escalation in tactics aimed at coercing victims to pay up — and publicly shaming those who don’t. But it may also signal that ransomware purveyors are searching for new ways to profit from their crimes as victim businesses struggle just to keep the lights on during the unprecedented economic slowdown caused by the COVID-19 pandemic.

Over the past 24 hours, the crooks responsible for spreading the ransom malware “REvil” (a.k.a. “Sodin” and “Sodinokibi“) used their Dark Web “Happy Blog” to announce its first ever stolen data auction, allegedly selling files taken from a Canadian agricultural production company that REvil says has so far declined its extortion demands.

A partial screenshot from the REvil ransomware group’s Dark Web blog.

The victim firm’s auction page says a successful bidder will get three databases and more than 22,000 files stolen from the agricultural company. It sets the minimum deposit at $5,000 in virtual currency, with the starting price of $50,000.

Prior to this auction, REvil — like many other ransomware gangs — has sought to pressure victim companies into paying up mainly by publishing a handful of sensitive files stolen from their extortion targets, and threatening to release more data unless and until the ransom demand is met.

Experts say the auction is a sign that ransomware groups may be feeling the financial pinch from the current economic crisis, and are looking for new ways to extract value from victims who are now less likely or able to pay a ransom demand.

Lawrence Abrams, editor of the computer help and news Web site BleepingComputer, said while some ransomware groups have a history of selling victim data on cybercrime forums, this latest move by REvil may be just another tactic used by criminals to force victims to negotiate a ransom payment.

“The problem is a lot of victim companies just don’t have the money [to pay ransom demands] right now,” Abrams said. “Others have gotten the message about the need for good backups, and probably don’t need to pay. But maybe if the victim is seeing their data being actively bid on, they may be more inclined to pay the ransom.”

There is some evidence to suggest that the recent economic downturn wrought by COVID-19 has had a measurable impact on ransomware payouts. A report published in mid-April by cryptocurrency research firm Chainalysis found that ransomware payments “have decreased significantly since the COVID-19 crisis intensified in the U.S. and Europe in early March.”

Abrams said other ransomware groups have settled on different methods to increase victim payouts, noting that one prominent gang is now doubly extorting targets — demanding one payment amount in return for a digital key that can unlock files scrambled by the malware, and another payment in exchange for a promise to permanently delete data stolen from the victim.

The implied threat is that victims who pay to recover their files but don’t bite on the deletion payment can expect to see their private data traded, published or sold on the Dark Web.

“Some of these [extortion groups] have said if they don’t get paid they’re going to sell the victim’s data on the Dark Web, in order to recoup their costs,” Abrams said. “Others are now charging a few not only for the ransomware decryptor, but also a fee to delete the victim’s data. So it’s a double vig.”

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files. In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual.

Here are a few tips that can help reduce the likelihood that you or your organization will fall victim to a ransomware attack:

-Patch, early and often: Many ransomware attacks leverage known security flaws in servers and desktops.

-Disable RDP: Short for Remote Desktop Protocol, this feature of Windows allows a system to be remotely administered over the Internet. A ridiculous number of businesses — particularly healthcare providers — get hit with ransomware because they leave RDP open to the Internet and secured with easy-to-guess passwords. And there are a number of criminal services that sell access to brute-forced RDP installations.

-Filter all email: Invest in security systems that can block executable files at the email gateway.

-Isolate mission-critical systems and data: This can be harder than it sounds. It may be worth hiring a competent security firm to make sure this is done right.

-Backup key files and databases: Bear in mind that ransomware can encrypt any network or cloud-based files or folders that are mapped and have been assigned a drive letter. Backing up to a secondary system that is not assigned a drive letter or is disconnected when it’s not backing up data is key. The old “3-2-1” backup rule comes into play here: Wherever possible, keep three backups of your data, on two different storage types, with at least one backup offsite.

-Disable macros in Microsoft Office: Block external content in Office files. Educate users that ransomware very often succeeds only when a user opens Office file attachment sent via email and manually enables Macros.

-Enable controlled folder access: Create rules to disallow the running of executable files in Windows from local user profile folders (App Data, Local App Data, ProgramData, Temp, etc.)

Sites like distribute free decryptor tools that can help some ransomware victims recover files without paying a ransom demand.

Planet DebianLisandro Damián Nicanor Pérez Meyer: Simplified Monitoring of Patients in Situations of Mass Hospitalization (MoSimPa) - Fighting COVID-19

I have been quite absent from Debian stuff lately, but this increased since COVID-19 hits us. In this blog post I'll try to sketch what I have been doing to help fight COVID-19 this last few months.

In the beginning

When the pandemic reached Argentina the government started a quarantine. We engineers (like engineers around the world) started to think on how to put our abilities in order to help with the situation. Some worked toward providing more protection elements to medical staff, some towards increasing the number of ventilation machines at disposal. Another group of people started thinking on another ways of helping. In Bahía Blanca arised the idea of monitoring some variables remotely and in masse.

Simplified Monitoring of Patients in Situations of Mass Hospitalization (MoSimPa)

This is where the idea of remotely monitored devices came in, and MoSimPa (from the spanish of "monitoreo simplificado de pacientes en situación de internación masiva") started to get form. The idea is simple: oximetry (SpO2), heart rate and body temperature will be recorded and, instead of being shown in a display in the device itself, they will be transmitted and monitored in one or more places. In this way medical staff doesn't has to reach a patient constantly and monitoring could be done by medical staff for more patients at the same time. In place monitoring can also happen using a cellphone or tablet.

The devices do not have a screen of their own and almost no buttons, making them more cheap to build and thus more in line with the current economic reality of Argentina.

This is where the project Para Ayudar was created. The project aims to produce the aforementioned non-invasive device to be used in health institutions, hospitals, intra hospital transports and homes.

It is worth to note that the system is designed as a complementary measure for continuous monitoring of a pacient. Care should be taken to check that symptomps and overall patient status don't mean an inmediate life threat. In other words, it is NOT designed for ICUs.

All the above done with Free/Libre/Open Source software and hardware designs. Any manufacturing company can then use them for mass production.

The importance of early pneumonia detection

We were already working in MoSimPa when an NYTimes article caught or attention: "The Infection That’s Silently Killing Coronavirus Patients". From the article:

A vast majority of Covid pneumonia patients I met had remarkably low oxygen saturations at triage — seemingly incompatible with life — but they were using their cellphones as we put them on monitors. Although breathing fast, they had relatively minimal apparent distress, despite dangerously low oxygen levels and terrible pneumonia on chest X-rays.

This greatly reinforced the idea we were on the right track.

The project from a technical standpoint

As the project is primarily designed for and by Argentinians the current system design and software documentation is written in spanish, but the source code (or at least most of it) is written in english. Should anyone need it in english please do not hesitate in asking me.

General system description

System schema

The system is comprised of the devices, a main machine acting as a server (in our case for small setups a Raspberry Pi) and the possibility of accessing data trough cell phones, tablets or other PCs in the network.

The hardware

As of today this is the only part in which I still can't provide schematics, but I'll update this blog post and technical doc with them as soon as I get my hands into them.

Again the design is due to be built in Argentina where getting our hands on hardware is not easy. Moreover it needs to be as cheap as possible, specially now that the Argentinian currency, the peso, is every day more depreciated. So we decided on using an ESP32 as the main microprocessor and a set of Maxim sensors devices. Again, more info when I have them at hand.

The software

Here we have many more components to describe. Firstly the ESP32 code is done with the Arduino SDK. This part of the stack will receive many updates soon, as soon as the first hardware prototypes are out.

For the rest of the stack I decided to go ahead with whatever is available in Debian stable. Why? Well, Raspbian provides a Debian stable-based image and I'm a Debian Developer, so things should go just natural for me in that front. Of course each component has its own packaging. I'm one of Debian's Qt maintainers then using Qt will also be quite natural for me. Plots? Qwt, of course. And with that I have most of my necessities fulfilled. I choose PostgreSql as database server and Mosquitto as MQTT broker.

Between the database and MQTT is mosimpa-datakeeper. The piece of software from which medical staff monitor patients is unsurprisingly called mosimpa-monitor.

MoSimPa's monitor main screen

mosimpa-monitor plots
Plots of a patient's data

Alarm thresholds setup

And for managing patients, devices, locations and internments (CRUD anyone?) there is currently a Qt-based application called mosimpa-abm.

ABM main screen

ABM internments view

The idea is to replace it with a web service so it doesn't needs to be confined to the RPi or require installations in other machines. I considered using webassembly but I would have to also build PostgreSql in order to compile Qt's plugin.

Translations? Of course! As I have already mentioned the code is written in English. Qt allows to easily translate applications, so I keep a Spanish one as the code changes (and we are primarily targeting spanish-speaking people). But of course this also means it can be easily translated to whichever language is necessary.

Even if I am a packager I still have some stuff to fix from the packaging itself, like letting datakeeper run with its own user. I just haven't got to it yet.


We are working towards getting the system certified by ANMAT, which is the Argentinian equivalent for EEUU's FDA.


While all the people involved are working ad-honorem funding is still required in order to buy materials, create the prototypes, etc. The project created payments links with Mercado Pago (in spanish and argentinian pesos) and other bank methods (PDF, also in spanish).

I repeat the links here with an aproximation to US$.

You can check the actual convertion rate in

The project was also presented at a funding call of argentinian Agencia de Promoción de la Investigación, el Desarrollo Tecnológico y la Innovación (Agencia I+D+i). 900+ projects where presented and 64 funded, MoSimPa between them.

CryptogramPassword Changing After a Breach

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password.

Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users perform these and other security-enhancing actions after breaches, we must first have some understanding of the current effectiveness of companies' post-breach practices. To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine­ -- based on real-world password data from 249 participants­ -- whether and how constructively participants changed their passwords after a breach announcement.

Of the 249 participants, 63 had accounts on breached domains;only 33% of the 63 changed their passwords and only 13% (of 63)did so within three months of the announcement. New passwords were on average 1.3× stronger than old passwords (when comparing log10-transformed strength), though most were weaker or of equal strength. Concerningly, new passwords were overall more similar to participants' other passwords, and participants rarely changed passwords on other sites even when these were the same or similar to their password on the breached domain.Our results highlight the need for more rigorous password-changing requirements following a breach and more effective breach notifications that deliver comprehensive advice.

News article.

EDITED TO ADD (6/2): Another news aricle. Slashdot thread.

Cryptogram"Sign in with Apple" Vulnerability

Researcher Bhavuk Jain discovered a vulnerability in the "Sign in with Apple" feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any account.

It is fixed.

EDITED TO ADD (6/2): Another story.

Planet DebianOlivier Berger: Experimenting on distant labs and labs on the Cloud

I have delivered a speech last week about some ideas and experiments I have about the use of remote access and Cloud technologies for labs. I have collected the speech recording and stuff, in french, in another post.

The presentation was in french originaly, so I’ve quickly translated my slides and recorded an english version.

I mention tools like Guacamole, MeshCentral, NRELab’s Antidote, Eclipse Che and Labtainers, as well as k8s and Docker, as interesting tools that may allow us to continue teaching in labs while allowing more flexibility, distant learning, and hopefully improved quality.

You can find the slides here:, and the recording is here:

Experimenting on distant labs and labs on the Cloud.

Planet DebianSylvain Beucler: Debian LTS and ELTS - May 2020

Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 17.25h for LTS (out of 30 max; all done) and 9.25h for ELTS (out of 20 max; all done).

A survey will be published very shortly to gather feedback from all parties involved in LTS (users, other Debian teams...) -- let us know what you think, so we start the forthcoming new (Stretch) LTS cycle in the best conditions :)

Discussion is progressing on funding & governance of larger LTS-related projects. Who should decide: contributors, Freexian, sponsors? Do we fund with a percentage or by capping resources allocated on security updates? I voiced concerns over funding these at the expense of smaller, more organic, more recurrent tasks that are less easy to specify but greatly contribute to the overall quality nevertheless.

ELTS - Wheezy

  • mysql-connector-java: upgrade to 5.1.49, refresh patches, document/run test suite, prepare upload, prepare upgrade path (+ see LTS)
  • CVE-2020-3810/apt: triage (affected), enquire about failing test, run testsuite, security upload ELA 228-1

LTS - Jessie

  • ansible: global triage: finish last month's triage, fix affected versions, provide reproducer
  • ansible: backport patches to early version, security upload DLA 2202-1
  • mysql-connector-java: propose 5.1.49 update to all dists (+ see ELTS)
  • CVE-2019-20637/varnish: global triage: ping upstream, get PoC, determine status for all Debian dists, jessie not-affected
  • public IRC team meeting


Planet DebianWouter Verhelst: SReview 0.6

... isn't ready yet, but it's getting there.

I had planned to release a new version of SReview, my online video review and transcoding system that I wrote originally for FOSDEM but is being used for DebConf, too, after it was set up and running properly for FOSDEM 2020. However, things got a bit busy (both in my personal life and in the world at large), so it fell a bit by the wayside.

I've now also been working on things a bit more, in preparation for an improved administrator's interface, and have started implementing a REST API to deal with talks etc through HTTP calls. This seems to be coming along nicely, thanks to OpenAPI and the Mojolicious plugin for parsing that. I can now design the API nicely, and autogenerate client side libraries to call them.

While at it, because libmojolicious-plugin-openapi-perl isn't available in Debian 10 "buster", I moved the docker containers over from stable to testing. This revealed that both bs1770gain and inkscape changed their command line incompatibly, resulting in me having to work around those incompatibilities. The good news is that I managed to do so in a way that keeps running SReview on Debian 10 viable, provided one installs Mojolicious::Plugin::OpenAPI from CPAN rather than from a Debian package. Or installs a backport of that package, of course. Or, heck, uses the Docker containers in a kubernetes environment or some such -- I'd love to see someone use that in production.

Anyway, I'm still finishing the API, and the implementation of that API and the test suite that ensures the API works correctly, but progress is happening; and as soon as things seem to be working properly, I'll do a release of SReview 0.6, and will upload that to Debian.

Hopefully that'll be soon.

Planet DebianSteinar H. Gunderson: Nageru 2.0.0 released

I've released version 2.0.0 of Nageru, my live video mixer. Obviously, version 2 of anything is a major milestone; in this case, it wasn't so much this specific release being so big, but the combined work that has gone on through the 1.x versions. (Also, if you go from 1.9.0 to 1.10.0, you can be pretty sure 2.0 is never coming!) There were several major features where I could probably have justified a 2.0 bump alone (e.g., the multichannel audio processing support, HTML5 graphics, slow motion through Futatabi, or the large reworking of the themes in 1.9.0), and now, it was time. Interestingly enough, despite growing by 40,000 lines or so since the 1.0.0 release four and a half years ago, the basic design has proved fairly robust; there are always things I would like to do different, but I'm fairly happy about how flexible and reliable things have turned out to be, even though my own use cases have shifted from simple conference video to complex sports productions.

The poster feature this time around is SRT support; SRT is a video transport protocol designed for running over the public Internet, with all its loss and such. I'm always a bit skeptical at people who try to reinvent TCP without TCP (often, the gains tend to be more about having worse congestion control, so that you push everyone else out), but SRT has a reasonable story in that if things really go wrong, it's better to drop packets/frames and go on with it instead of running forever. SRT is based around inserting controlled latency in the stream (by default 120 ms), so that there's room for some retransmits, and some FEC (forward error correction). Nageru 2.0.0 supports SRT cameras as inputs, so you can take e.g. your phone running Larix, point it to port 9710 on Nageru, and a new camera just instantly appears. (I've had to report a few bugs with the Larix people, but they've been very responsive.) SRT has huge momentum right now, and I believe it's only a question of time before it replaces RTMP as the de facto contribution protocol on the Internet, too.

As always, you can get the new version from the Nageru home page. Normally, I'd also make an upload to Debian, but the libsrt package is built against OpenSSL, which has license issues. So I'm waiting for bug #933180 to be fixed, and then we can run with it :-)

Worse Than FailureCodeSOD: Try a Different Version

Back when I was still working for a large enterprise company, I did a lot of code reviews. This particular organization didn’t have much interest in code quality, so a lot of the code I was reviewing was just… bad. Often, I wouldn’t even need to read the code to see that it was bad.

In the olden times, inconsistent or unclear indentation was a great sign that the code would be bad. As IDEs started automating indentation, you lost that specific signal, but gained a new one. You can just tell code is bad when it’s shaped like this:

public List<Integer> getDocSectionsChanged(CustomerVersionTag versionTag) {
	Set<Integer> sections = new HashSet<>();
	for (Map.Entry<String, List<String>> entry : getVersionChanges().get(versionTag).entrySet()) {
		for (F.Tuple<CustomerVersioningDocSection, Map<String, List<String>>> tuple : getDocSectionToSdSection()) {
			for (Map.Entry<String, List<String>> entry2 : tuple._2.entrySet()) {
				if (entry.getKey().startsWith(entry2.getKey())) {
					for (String change : entry.getValue()) {
						for (String lookFor : entry2.getValue()) {
							if (change.startsWith(lookFor)) {

Torvalds might not think much of 80 character lines, but exceedingly long lines are definitely a code smell, especially when they're mostly whitespace.

This is from a document management system. It tracks versions of documents, and a new feature was requested: finer grained reporting on which sections of the document changed between versions. That information was already stored, so all a developer needed to do was extract it into a list of section numbers.

Edda’s entire team agreed that this would be a simple task, and estimated a relatively short time to build it- hours, maybe a day at the outside. Two weeks later when it was finally delivered, the project manager wanted to know how their estimate had gotten so off.

At a glance, you know the code is bad, because it’s shaped badly. That level of indentation is always a quick sign that something’s badly built. But then note the tested loops: a startsWith in a loop in a loop in a startsWith in a loop in a loop in a loop. The loops don’t even always make sense to be nested- the outermost loops across an entrySet to get entries, but the next loop iterates across the result of getDocSectionToSdSection(), which takes no parameters- the 2nd loop isn’t actually driven by anything extracted in the 1st loop. The inner-most pair of loops seem to be an attempt compare every change in two entry objects to see if there’s a difference at any point.

I don’t know their API, so I certainly don’t know the right approach, but at a glance, it’s clear that this is the wrong approach. With the nesting code structures and the deeply nested generics (types like F.Tuple<CustomerVersioningDocSection, Map<String, List<String>>> are another key sign somebody messed up), I don’t have any idea what the developer was thinking or what the purpose of this code was. I don’t know what they were going for, but I hope to the gods they missed.

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!


Planet DebianJonathan Carter: Free Software Activities for 2020-05

I would say that this was a crazy month, but with everything ever escalating, does that even mean anything anymore?

I lost track of tracking my activities in the second half of the month, and I’m still not very good at logging the “soft stuff”, that is, things like non-technical work but that also takes up a lot of time, but will continue to work on it.

Towards the end of the month I spent a huge amount of time on MiniDebConf Online, I’m glad it all worked out, and will write a seperate blog entry on that. Thank you again to everyone for making it a success!

I’m also moving DPL activities to the DPL blog, so even though it’s been a busy month in the free software world… my activity log here will look somewhat deceptively short this month…

MiniDebConf Online

2020-05-06: Help prepare initial CfP mail.

2020-05-06: Process some feedback regarding accessibility on Jitsi.

Debian Packaging

2020-05-02: Upload package gnome-shell-extension-workspaces-to-dock (53-1) to Debian unstable.

2020-05-02: Upload package tetzle (2.1.6-1) to Debian unstable.

2020-05-06: Upload package bundlewrap (3.9.0-1) to Debian unstable.

2020-05-06: Accept MR#1 for connectagram.

2020-05-06: Upload package connectagram (1.2.11-1) to Debian unstable.

2020-05-07: Upload package gnome-shell-extension-multi-monitors (20-1) to Debian unstable (Closes: #956169).

2020-05-07: Upload package tanglet (1.5.6-1) to Debian unstable.

2020-05-16: Upload package calamares (3.2.24-1) to Debian unstable.

2020-05-16: Accept MR#1 for tuxpaint-config.

2020-05-16: Accept MR#7 for debian-live.

2020-05-18: Upload package bundlewrap (3.10.0) to Debian unstable.

Debian Mentoring

2020-05-02: Sponsor package gamemode (1.5.1-3) (Games team request).

2020-05-16: Sponsor package gamemode (1.5.1-4) (Games team request).

Cory DoctorowHow Big Tech Monopolies Distort Our Public Discourse

This week, I’m podcasting How Big Tech Monopolies Distort Our Public Discourse, a new article I wrote for the Electronic Frontier Foundation’s Deeplinks blog. It’s the most comprehensive of the articles I’ve written about the problems of surveillance capitalism, a subject I’ve also addressed in a forthcoming, book-length essay. In a nutshell, my dispute with the “surveillance capitalism” hypothesis is that I think it overstates how effective Big Tech is at changing our minds with advanced machine learning techniques, while underplaying the role that monopoly plays in allowing Big Tech to poison and distort our public discourse.

I think this is a distinction with a difference, because if Big Tech has figured out how to use data to rob us of our free will, anti-monopoly enforcement won’t solve the problem – it’ll just create lots of smaller companies with their own Big Data mind-control rays. But if the problem rests in monopoly itself, then we can solve the problem with anti-monopoly techniques that have been used to counter every other species of robber-baron, from oil to aluminum to groceries to telephones.


Planet DebianMike Gabriel: My Work on Debian LTS (May 2020)

In May 2020, I have worked on the Debian LTS project for 14.5 hours (of 14.5 hours planned).

LTS Work

  • Frontdesk: CVE bug triaging for Debian jessie LTS: exim4, cups, log4net, apt, openconnect, libexif, json-c, tomcat8, and graphicsmagick.
  • review and sponsor upload to jessie-security: libexif (DLA-2214-1 [1], 5 CVEs)
  • review and sponsor upload to jessie-security: libexif (DLA-2222-1 [2], 4 CVEs)
  • upload to jessie-security: json-c (DLA-2228-1 [3] and DLA-2228-2 [4], 1 CVE)
  • upload to jessie-security: php-horde-gollem (DLA-2228-1 [5], 1 CVE)
  • upload to jessie-security: php-horde (DLA-2280-1) [6], 1 CVE)
  • start looking into the current FreeRDP (v1.1) and FreeRDP (v2) CVE hell...

Other security related work for Debian

  • review and sponsor uploads of libexif to stretch, buster and unstable (8 CVE fixes for stretch, 5 CVE fixes for buster) [7]
  • revisit long overdue uploads of ssvnc to stretch and buster (4 CVE fixes each) [8]
  • upload php-horde-gollem to stretch and buster (1 CVE fix each) [9]
  • upload php-horde to stretch and buster (1 CVE fix each) [10]


  • Many thanks to Hugh McMaster for handling all the libexif security upload preparations himself. This was really good work. Hugh, please consider becoming a(n official) developer in the Debian project (at the very least you should aim at obtaining Debian Maintainer status).


Planet DebianDebian GSoC Kotlin project blog: Kotlin Update

A Quick Recap from last year:

Kotlin is being packaged under the Google Summer of Code within the Debian organization itself. The major reason behind bringing Kotlin in Debian is to update all the Android packages which are now heavily dependent upon the Kotlin libraries.

The major work to bring Kotlin into Debian is done for the version 1.3.30, by Saif Abdul Cassim (goes by m36 on IRC) as a part of his GSoC'2019. All his contributions to the team can be found in his blog posts.

So, for now, we have a bootstrap package and a Kotlin package for the version with 1.3.30. There were still changes needed as we lacked some of the dependencies for Kotlin, and the source package lacked copyright information and didn’t comply with Debian standards.

What's the present year brought for Kotlin?

To be specific the following were mainly left dependencies for Kotlin:

  • JLine3
  • intellij-community-idea
  • kotlin-bootstrap

And, we lack documentation for the newbies in order to get them started :(

Most importantly the crucial part was and still is, to figure out how to upload the package?

For GSoC'20, three students are selected as a part of project Android SDK tools in Debian.

What's the work done/left?

Work Done

  • A couple of dependencies were completed and reside in NEW Queue, those include Jline3 (done by @samyak-jn, myself), and intellij-community-idea (finished by @The_LoudSpeaker, Raman Sarda).

  • The kotlin package residing in m36’s repository had a couple of issues that were needed to be fixed to meet Debian standards, but Kotlin was building fine locally with the mentioned dependencies. :D

  • I (Samyak Jain) took the work for converting all the commits to the patches as all the changes were made directly to the source, and henceforth fixed rules and control files to meet Debian Standards. Debian is very particular about its license policies. The copyright was a pending task that was completed for Good. The newer package exists at Samyak's repo.

  • I set up an initial wiki page for Kotlin as well, so everyone can follow. Thanks, Hans (@_hc) for the help with that. The wiki page for Kotlin exists here.

What's Blocking?

  • The most uncertain thing is to decide, how Kotlin will be uploaded to the Debian Archive?

What is the problem being faced?

The Kotlin-Bootstrap package consists of JAR files for various dependencies of kotlin such as Gradle, kotlin compiler, and kotlinx. The package is added to the build-depends of the main package so that the JAR files can be provided. Since the kotlin-bootstrap consists of binaries (JAR files), it is not feasible to upload the package as free software.

The other workaround was the Gradle 6.4 version, which consists of Kotlin files and generates a suitable JAR. But since the package needed Kotlin language itself, it was never updated, as it created a cyclic dependency.

Final workaround came, which proposed Kotlin to build from itself, that was a pretty impressive suggestion. But, we still have to look if the solution is feasible? Because, as far as I last checked and conversed with ebourg on the mailing list here, Emmanuel Bbourg mentioned very clearly that the rebuilt package is our interest. So, this is under WIP.

But, I fail to acknowledge the fact if we can drop the kotlin-bootstrap package totally, Kotlin will not be able to be built because each and every JAR file present in the bootstrap is needed.

That pretty much is the ongoing work and the update on the kotlin package. We intend to bring Kotlin to the Debian Archive as soon as possible :)

Have any queries or suggestions for Kotlin?

Please feel to drop a message at #debian-mobile channel on OFTC.

Worse Than FailureCodeSOD: Don't be so Negative Online

It's fair to say that regardless of their many advantages, "systems languages", like C, are much harder to use than their more abstract cousins.Vendors know this, which is why they often find a way to integrate across language boundaries. You might write critical functions in C or C++, then invoke them in Python or from Swift or… Visual Basic 6.

And crossing those language boundaries can pose other challenges. For example, Python has a built-in boolean type. C, for quite a long time didn't. Which means a lot of C code has blocks like this:

#define BOOL int #define FALSE 0 #define TRUE 1 #define FILE_NOT_FOUND 2

Carl C provides that block, just for illustration purposes. Awhile back, he inherited a big pile of antique COM+ and the associated VB6 front end, along with a herd of "COM Wizards" and "Junior VB Programmers" to help maintain it.

The idea of the system was that all the "hard stuff" would be done in C++, while the UI would be a VB6 application. The C++ COM layer talked to some hardware which could be attached to the PC, and the VB6 layer let the user check the status and interact with the device.

Unfortunately, the Junior VB Programmers quickly encountered a problem: they could NEVER get the device online. Plugging, unplugging, rebooting, trying different ports, different computers, it never worked. But when the "COM wizards" tossed them a diagnostic program written in C++, things worked fine.

"Must be a problem in your VB code," was the obvious conclusion.

Dim oHardware as New HardwareServer ' Initialize Hardware oHardware.Initialize 0 If oHardware.ONLINE = True Then Set oActuator = oHardware.Actuator Else MsgBox "Hardware did not initialize correctly." End End If

Reading through that code, it's hard to see at a glance what could be wrong about it. Could the problem be in the COM layer?

interface IHardwareServer : IDispatch { [propget, id(1)] HRESULT Actuator([out, retval] IActuator* *pVal); [propget, id(2)] HRESULT ONLINE([out, retval] BOOL *pVal); [id(3)] HRESULT Initialize(short interfaceID); }; coclass HardwareServer { [default] interface IHardwareServer; };

While the COM approach to defining a property is a little awkward, nothing at a glance looks wrong here, either. ONLINE is a property that returns a BOOL.

But this is a C++ boolean. Defined so that true is one and false is zero.

Visual Basic, in addition to letting arrays start at 1 if you really wanted to, had another quirk. It was pretty loosey-goosey with types (defaulting to the handy Variant type, which is a fancy way of saying "basically no type at all"), and the internal implementation of its types could be surprising.

For example, in VB6, False was zero, much like you'd expect. And True was… -1. Yes, -1. Carl suggests this was to "kinda sorta mostly hide the distinction between bitwise and logical operations", which does sound like the sort of design choice Visual Basic would make. This is also TRWTF.

Now, it's easy to see how the Visual Basic code above is wrong: oHardware.ONLINE = True is testing to see if ONLINE is equal to -1, which is not true. A more correct way of writing the Visual Basic would be simply to test if oHardware.ONLINE then…. Visual Basic is okay with falsy/truthy statements, so whether ONLINE is 1 or -1, that would evaluate as true.

That doesn't let the COM programmers off the hook though. COM was designed to work across languages, and COM was designed with the understanding that different languages might have different internal representations of boolean values.

As Carl adds:

Of course if they were really COM wizards they would have used the VARIANT_BOOL type in the first place, and returned VARIANT_TRUE or VARIANT_FALSE.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

Planet DebianUtkarsh Gupta: FOSS Activites in May 2020

Here’s my (eighth) monthly update about the activities I’ve done in the F/L/OSS world.


This month marks my 15 months of contributing to Debian. And 6th month as a DD! \o/

Whilst I love doing Debian stuff, I have started spending more time on the programming side now. And I hope to keep it this for some time now.
Of course, I’ll keep doing the Debian stuff, but just lesser in amount.

Anyway, the following are the things I did in May.


Other $things:

  • Hosted Ruby team meeting. Logs here.
  • Attended Debian Perl Sprints. Report here.
  • Sponsored git-repo-updater and mplcursors for Sudip.
  • Mentoring for newcomers.
  • FTP Trainee reviewing.
  • Moderation of -project mailing list.
  • Got selected for GSoC’20 for Debian!

Experimenting and improving Ruby libraries FTW!

I have been very heavily involved with the Debian Ruby team for over an year now.
Thanks to Antonio Terceiro (and GSoC), I’ve started experimenting and taking more interest in upstream development and improvement of these libraries.

This has the sole purpose of learning. It has gotten fun since I’ve started doing Ruby.
And I hope it stays this way.

This month, I opened some issues and proposed a few pull requests. They are:

  • Issue #802 against whenever for Ruby2.7 test failures.
  • Issue #8 against aggregate asking upstream for a release on rubygems.
  • Issue #104 against irb for asking more about Array.join("\n").
  • Issue #1391 against mail asking upstream to cut a new release.
  • Issue #1655 against rack reporting test failures in the CVE fix.
  • Issue #84 against ruby-dbus for help with Debian bug #836296.
  • Issue #85 against ruby-dbus asking if they still use rDoc for doc generation.
  • PR #9 against aggregate for dropping git from gemspec.
  • PR #804 against whenever for dropping git from gemspec.
  • Packaged ruby-cmath as it was split from Ruby2.7; cf: (#961213).

Debian LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

This was my eighth month as a Debian LTS paid contributor. I was assigned 17.25 hours and worked on the following things:

CVE Fixes and Announcements:

Other LTS Work:

  • Triaged tika, freerdp, and apache2.
  • Mark CVE-2020-12105/openconnect as no-dsa not-affected for Jessie.
  • Mark CVE-2020-9489/tika as no-dsa ignored for Jessie.
  • Mark CVE-2020-11025/wordpres as not-affected for Jessie.
  • Add fix for Add fix for CVE-2019-18823/condor.
  • Requested CVE for bug#60251 against apache2.
  • Raised issue #947 against sympa reporting an incomplete patch for CVE-2020-10936.
  • Created the LTS Survey on the self-hosted LimeSurvey instance.
  • Attended the second LTS meeting. Logs here.
  • General discussion on LTS private and public mailing list.


Sometimes it gets hard to categorize work/things into a particular category.
That’s why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.


This month I could get the following things done:

  • Wrote and published my first Ruby gem/library/tool on RubyGems! 💯
    It’s open-sourced and the repository is here.
    Bug reports and pull requests are welcomed! 😉
  • Wrote a small Ruby script (available here) to install Ruby gems from Gemfile(.lock).
    Needed this when I hit a bug while using ruby-standalone, which Antonio fixed pretty quickly! 🚀
  • Had a coffee chat with John Coghlan! 🤗
    Tweet here.

Open Source:

Again, this contains all the things that I couldn’t categorize earlier.
Opened several issues and did a PR review:

  • Issue #15434 against phantomjs, asking to look into CVE-2019-17221. Still no action :/
  • Issue #947 against sympa, reporting an incomplete patch for CVE-2020-10936.
  • Issue #2102 against polybar, mentioning that the build is not reproducible.
  • Issue #5521 against libgit2, mentioning that the build is not reproducible.
  • Reviewed PR #5523 for polybar, which was a fix for the above issue.

Until next time.
:wq for today.

Planet DebianPaul Wise: FLOSS Activities May 2020


This month I didn't have any particular focus. I just worked on issues in my info bubble.





  • nsntrace: talk to upstream about collaborative maintenance
  • Debian: deploy changes, debug issue with GPS markers file generation, migrate bls/DUCK from alioth-archive to salsa
  • Debian website: ran map cron job, synced mirrors
  • Debian wiki: approve accounts, ping folks with bouncing email



The apt-offline work and the libfile-libmagic-perl backports were sponsored. All other work was done on a volunteer basis.


Planet DebianEnrico Zini: Controversial inventors

Paul-Félix Armand-Delille (3 July 1874 in Fourchambault, Nièvre – 4 September 1963) was a physician, bacteriologist, professor, and member of the French Academy of Medicine who accidentally brought about the collapse of rabbit populations throughout much of Europe and beyond in the 1950s by infecting them with myxomatosis.
Charles Franklin Kettering (August 29, 1876 – November 25, 1958) sometimes known as Charles "Boss" Kettering[1] was an American inventor, engineer, businessman, and the holder of 186 patents.[2] He was a founder of Delco, and was head of research at General Motors from 1920 to 1947. Among his most widely used automotive developments were the electrical starting motor[3] and leaded gasoline.[4][5] In association with the DuPont Chemical Company, he was also responsible for the invention of Freon refrigerant for refrigeration and air conditioning systems. At DuPont he also was responsible for the development of Duco lacquers and enamels, the first practical colored paints for mass-produced automobiles. While working with the Dayton-Wright Company he developed the "Bug" aerial torpedo, considered the world's first aerial missile.[6] He led the advancement of practical, lightweight two-stroke diesel engines, revolutionizing the locomotive and heavy equipment industries. In 1927, he founded the Kettering Foundation, a non-partisan research foundation. He was featured on the cover of Time magazine on January 9, 1933.
John Charles Cutler (June 29, 1915 – February 8, 2003) was a senior surgeon, and the acting chief of the venereal disease program in the United States Public Health Service. After his death, his involvement in several controversial and unethical medical studies of syphilis was revealed, including the Guatemala and the Tuskegee syphilis experiments.
Ivy Ledbetter Lee (July 16, 1877 – November 9, 1934) was an American publicity expert and a founder of modern public relations. Lee is best known for his public relations work with the Rockefeller family. His first major client was the Pennsylvania Railroad, followed by numerous major railroads such as the New York Central, the Baltimore and Ohio, and the Harriman lines such as the Union Pacific. He established the Association of Railroad Executives, which included providing public relations services to the industry. Lee advised major industrial corporations, including steel, automobile, tobacco, meat packing, and rubber, as well as public utilities, banks, and even foreign governments. Lee pioneered the use of internal magazines to maintain employee morale, as well as management newsletters, stockholder reports, and news releases to the media. He did a great deal of pro bono work, which he knew was important to his own public image, and during World War I, he became the publicity director for the American Red Cross.[1]

Planet DebianChris Lamb: Free software activities in May 2020

Here is my monthly update covering what I have been doing in the free software world during May 2020 (previous month):

  • Opened a pull request against the kitty shell to set a default socket timeout when retrieving remote items via the icat command-line tool. (#659)

  • Opened a pull request to make the documentation for the Wand Python/ImageMagick graphics library to build in reproducible manner. [...]

  • Fixed an issue in my tickle-me-email library that implements Gettings Things Done (GTD)-like behaviours in IMAP inboxes to prevent a traceback when adding text attachments that were not valid UTF-8. ...]

In Lintian, the static analysis tool for Debian packages:

  • New features:

    • Check for packages that use ${misc:Pre-Depends) in the Depends field. (#961290)
    • Check for packages installing icon cache files directly under /usr/share/icons/hicolor as they will invariably clash with other packages. (#959855)
    • Check for Homepage fields in debian/control that point to known directory listing pages. (#960366)
    • Update data/fields/perl-provides. [...]
  • Bug fixes:

  • Reporting/output:

  • Code improvements:

    • Replace Copyright (C) with the Unicode copyright symbol for consistency [...] and update my copyright years [...].
    • Factor out matching Homepage fields to data/fields/bad-homepages. [...]
    • Various alterations for the continuous integration pipeline. [...][...]

Reproducible builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

Elsewhere in our tooling, I made the following changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including preparing and uploading versions 142, 143, 144, 145 and 146 to Debian:

  • Comparison improvements:

    • Improve fuzzy matching of JSON files as file now supports recognising JSON data. (#106)
    • Refactor .changes and .buildinfo handling to show all details (including the GnuPG header and footer components) even when referenced files are not present. (#122)
    • Use our BuildinfoFile comparator (etc.) regardless of whether the associated files (such as the orig.tar.gz and the .deb) are present. [...]
    • Include GnuPG signature data when comparing .buildinfo, .changes, etc. [...]
    • Add support for printing Android APK signatures via apksigner(1). (#121)
    • Identify "iOS App Zip archive data" as .zip files. (#116)
    • Add support for Apple Xcode .mobilepovision files. (#113)
  • Bug fixes:

    • Don't print a traceback if we pass a single, missing argument to diffoscope (eg. a JSON diff to re-load). [...]
    • Correct differences typo in the ApkFile handler. (#127)
  • Output improvements:

    • Never emit the same id="foo" anchor reference twice in the HTML output, otherwise identically-named parts will not be able to linked to via a #foo anchor. (#120)
    • Never emit an empty "id" anchor either; it is not possible to link to #. [...]
    • Don't pretty-print the output when using the --json presenter; it will usually be too complicated to be readable by the human anyway. [...]
    • Use the SHA256 over MD5 hash when generating page names for the HTML directory-style presenter. (#124)
  • Reporting improvements:

    • Clarify the message when we truncate the number of lines to standard error [...] and reduce the number of maximum lines printed to 25 as usually the error is obvious by then [...].
    • Print the amount of free space that we have available in our temporary directory as a debugging message. [...]
    • Clarify Command […] failed with exit code messages to remove duplicate exited with exit but also to note that diffoscope is interpreting this as an error. [...]
    • Don't leak the full path of the temporary directory in Command […] exited with 1 messages. (#126)
    • Clarify the warning message when we cannot import the debian Python module. [...]
    • Don't repeat stderr from {} if both commands emit the same output. [...]
    • Clarify that an external command emits for both files, otherwise it can look like we are repeating itself when, in reality, it is being run twice. [...]
  • Testsuite improvements:

    • Prevent apksigner test failures due to lack of binfmt_misc, eg. on Salsa CI and elsewhere. [...]
    • Drop .travis.yml as we use Salsa instead. [...]
  • Dockerfile improvements:

    • Add a .dockerignore file to whitelist files we actually need in our container. (#105)
    • Use ARG instead of ENV when setting up the DEBIAN_FRONTEND environment variable at runtime. (#103)
    • Run as a non-root user in container. (#102)
    • Install/remove the build-essential during build so we can install the recommended packages from Git. [...]
  • Codebase improvements:

    • Bump the officially required version of Python from 3.5 to 3.6. (#117)
    • Drop the (default) shell=False keyword argument to subprocess.Popen so that the potentially-unsafe shell=True is more obvious. [...]
    • Perform string normalisation in Black [...] and include the Black output in the assertion failure too [...].
    • Inline MissingFile's special handling of deb822 to prevent leaking through abstract layers. [...][...]
    • Allow a bare try/except block when cleaning up temporary files with respect to the flake8 quality assurance tool. [...]
    • Rename in_dsc_path to dsc_in_same_dir to clarify the use of this variable. [...]
    • Abstract out the duplicated parts of the debian_fallback class [...] and add descriptions for the file types. [...]
    • Various commenting and internal documentation improvements. [...][...]
    • Rename the Openssl command class to OpenSSLPKCS7 to accommodate other command names with this prefix. [...]
  • Misc:

    • Rename the --debugger command-line argument to --pdb. [...]
    • Normalise filesystem stat(2) "birth times" (ie. st_birthtime) in the same way we do with the stat(1) command's Access: and Change: times to fix a nondeterministic build failure in GNU Guix. (#74)
    • Ignore case when ordering our file format descriptions. [...]
    • Drop, add and tidy various module imports. [...][...][...][...]

I also performed a huge overhaul of diffoscope's website:

  • Add a completely new design. [...][...]
  • Add a separate, canonical page for every new release. [...][...][...]
  • Generate a 'latest release' section and display that with the corresponding date on the homepage. [...]
  • Add an RSS feed of our releases [...][...][...][...][...][...] and add to Planet Debian [...].
  • Dynamically generate our contributor list [...] and supported file formats [...] from the main Git repository.
  • Use Jekyll's absolute_url and relative_url where possible [...][...] and move a number of configuration variables to _config.yml [...][...].

Lastly, I made a large number of changes to the main Reproducible Builds website and documentation:

  • Rename the "Who" page to "Projects". [...]
  • Ensure that Jekyll enters the _docs subdirectory to find the _docs/ file after an internal move. (#27)
  • Wrap etc. in preformatted quotes. [...]
  • Wrap the SOURCE_DATE_EPOCH Python examples onto more lines to prevent visual overflow on the page. [...]
  • Correct a "preferred" spelling error. [...]

Debian LTS

This month I contributed 17¼ hours to Debian Long Term Support (LTS) and 9¼ hours on its sister Extended LTS project.

  • Investigated and triaged freerdp, keystone, nginx, tcpreplay & thunderbird, as well as tended to the general upkeep of the dla-needed.txt and ela-needed.txt files, adding various notes, references, attributions and citations.

  • Frontdesk duties including responding to user/developer questions, reviewing others' packages, participating in mailing list discussions as well as attending our second regular IRC contributor meeting.

  • Issued DLA 2201-1 to prevent a Denial of Service (DoS) vulnerability the ntp network time protocol server/client. ntp allowed an "off-path" attacker to block unauthenticated synchronisation via a server mode packet with a spoofed source IP address because transmissions were rescheduled even if a packet lacked a valid "origin timestamp".

  • Issued DLA 2203-1 for the SQLite database to prevent a denial of service attack. In the event of a semantic error in an aggregate query, SQLite did not return early from the resetAccumulator() function which would lead to a crash via a segmentation fault.

  • Issued DLA 2204-1 for the Mailman mailing list manager to prevent an arbitrary content injection attack.

  • Issued DLA 2211-1 in order to prevent an XML external entity vulnerability in log4net, a logging API for the ECMA Common Language Infrastructure (CLI), sometimes referred to as "Mono". This type of attack occurs when XML input containing a reference to an internet-faced entity is processed by a weakly configured XML parser.

  • Prepared and issued ELA-229-1 and DLA 2217-1 for the Apache Tomcat Java server to prevent a remote code execution exploit.

You can find out more about the two projects via the following video:


I filed the following bug reports in Debian this month:

  • apksigner: Uses en-dashes (U+2013) in manpage over two hyphens. (#960778)

  • devscripts: dd-list -nou results in "unknown option: […]". (#960891)

  • node-redis: autopkgtest regressions against Redis 6.x. (#960105)

I also filed a number of bugs against packages that are not compatible with Django 3.x, (organised around a single master bug) including django-taggit, sorl-thumbnail, django-simple-captcha, django-cas-server, django-cors-headers, python-django-csp, django-pipeline, python-django-jsonfield, python-django-contact-form, django-model-utils, django-fsm, django-modeltranslation, django-oauth-toolkit, libthumbor, python-django-extensions, python-django-imagekit, python-django-navtag, python-django-tagging, djangorestframework, django-haystack, django-taggit, django-simple-captcha, python-django-registration, python-django-pyscss, python-django-compressor, python-django-crispy-forms & python-django-mptt,

Lastly, I made the following uploads to Debian:

I also sponsored an upload for adminer (4.7.7-1), also uploading it to buster-backports.

Planet DebianDirk Eddelbuettel: T^4 #4: Introducing Byobu

The next video (following the announcement, and shells sessions one, two, and three) is up in the T^4 series of video lightning talks with tips, tricks, tools, and toys. This time we introduce the wonderful byobu tool which is called both a ‘text-based window manager’ and a ‘terminal multiplexer’:

The slides are here.

This repo at GitHub support the series: use it to open issues for comments, criticism, suggestions, or feedback.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianJonathan Dowland: Golf Peaks



This one was a bit of a surprise hit. Golf Peaks is a Golf-themed puzzle game. The objective is to get the golf ball into the hole, obviously, but how you do that is by choosing from a set of fixed moves (e.g., move one square; jump one square; etc.) and a direction.

This works well with my eldest daughter. She takes one joy-con and I take the other. I typically am responsible for direction, and she hits 'A' to move the ball. We discuss which move to make, which has been a good test of her numeracy.

TEDValues reset: The talks of TED2020 Session 2

There’s a theory that the shock we’re currently experiencing is intense enough to force a radical reset of our values — of how we are and how we act. In an idea-packed session 2 of TED2020, speakers from across disciplines and walks of life looked to this aspiration of a “values reset,” sharing new thinking on topics ranging from corporate responsibility down to our individual responsibilities and the things each of us can right now. Below, a recap of the night’s inspiring talks and performances.

“Nobody works in a vacuum. The men and women who run companies actively cocreate the reality we all have to share. And just like with global warming, we are each of us responsible for the collective consequences of our individual decisions and actions,” says filmmaker and activist Abigail Disney. She speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Abigail Disney, Filmmaker, activist

Big idea: Respect, dignity and a guaranteed livable wage are the right of all workers, not the privilege of a select few.

How? As CEO of the Disney Company, Roy Disney believed he had a moral obligation to every person who worked at the company. Though her grandfather wasn’t perfect, Abigail Disney says he believed that workers were worthy of immense respect — and he put that belief into practice by creating jobs with fair wages and benefits. In honor of her grandfather’s legacy, Disney advocates for income equality for all workers — and calls out the company that bears her name, asking them to do better for their workers. Our conscience and empathy should drive us, she says, not profits or economic growth. Disney believes we need a system-wide shift, one that recognizes that all workers deserve the wages, protections and benefits that would enable them to live full, secure and dignified lives.

Quote of the talk: “Nobody works in a vacuum. The men and women who run companies actively cocreate the reality we all have to share. And just like with global warming, we are each of us responsible for the collective consequences of our individual decisions and actions.”

Backed by brilliant illustrations from Laolu Senbanjo, journalist and satirist Adeola Fayehun shares her work exposing corruption in Africa with sharp, incisive humor. She speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Adeola Fayehun, Journalist, satirist

Big idea: Africa is overflowing with all the natural resources, intellectual skill and talent it needs. To flourish, its people need to hold corrupt leaders accountable.

Why? On her show Keeping It Real With Adeola, Adeola Fayehun exposes corruption in Africa with sharp, incisive humor. She urges those outside Africa to stop seeing the continent through the lens of their biases, and encourages us all to call out false policies and shatter stereotypes. “Please listen more,” she says. “Listen to your African friends without a preconceived notion of what you think they’re going to say. Read African books, watch African movies, visit Africa or, at the very least, learn some of the names of our 54 beautiful countries.”

Quote of the talk: “Africa is like a sleeping giant. The truth is I am trying to wake up this giant. That’s why I air the dirty laundry of those in charge of the giant.”

Rufus Wainwright performs “Peaceful Afternoon” and “Going To A Town” at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

From his home in Los Angeles, songwriter Rufus Wainwright shares intimate versions of his songs “Peaceful Afternoon” and “Going To A Town.” Gorgeous slow pans are courtesy of Jörn Weisbrodt, Wainwright’s husband and videographer for the performances.

“We hate the idea that really important things in life might happen by luck or by chance, that really important things in our life are not under our control,” says psychology professor Barry Schwartz. He speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Barry Schwartz, Psychology professor

Big idea: Our society is predicated on the idea that the distribution of opportunity is fair — but, in reality, working hard and playing by the rules is no guarantee of success. Good fortune and luck have far more to do with our opportunities (and therefore our future success) than we’re willing to admit.

How? Just look at the ultra-competitive landscape of college admissions, where a dearth of slots for qualified and capable students has created an epidemic of anxiety and depression among teenage university applicants long before they even make it to the job market. Schwartz suggests that the belief that working hard automatically leads to success blinds us to a core injustice: many of us simply will not get what we want. If our educational institutions — and our nation’s employers — were to emphasize this injustice by picking their students and employees randomly from a pool of those most likely to succeed, we might be forced to recognize the role that fortune plays in our lives.

Quote of the talk: “We hate the idea that really important things in life might happen by luck or by chance, that really important things in our life are not under our control.”

“I have a choice, right now, in the midst of the storm, to decide to overcome,” says Seattle Seahawks quarterback Russell Wilson. He speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Russell Wilson, Seattle Seahawks quarterback

Big idea: “Neutral thinking” can transform your life and help you unlock sustained personal success.

How? Athletes train their bodies to run faster, jump higher, achieve more — so why don’t they train their minds, too? For the past 10 years, Wilson has been doing just that with the assistance of mental conditioning coach Trevor Moawad. By harnessing the technique of “neutral thinking” — a strategy that emphasizes judgment-free acceptance of the present moment — Wilson has been able to maintain focus in high-pressure situations. Positivity can be dangerous and distracting, Wilson says, and negativity is sure to bring you down — but by honing a neutral mental game and executing in the present moment, you set yourself up to succeed.

Quote of the talk:I have a choice, right now, in the midst of the storm, to decide to overcome.”

Planet DebianJonathan McDowell: OpenOCD snapshot uploaded to Debian experimental

One of the things I maintain in Debian is OpenOCD. I say maintain, but it’s so far required very little work, as it’s been 3 years since a release (0.10.0). I’ve talked about doing a git snapshot package for some time (I have an email from last DebConf in my inbox about it, and that wasn’t the first time someone had asked), but never got around to it. Spurred on by some moves towards a 0.11.0 release I’ve built a recent snapshot and uploaded it to the experimental suite in Debian.

Of particular interest is the support for more recent architectures that this brings - ARMv8/aarch64 and RISC-V being the big ones, but also MIPS64 and various other ARM improvements. I no longer have access to Xilinx Zynq or Mellanox Bluefield platforms to test against so I’ve just done some some basic tests with a Sheevaplug and BusPirate/STM32F103, but those worked just fine.

Builds should hopefully happen shortly. Enjoy!

Planet Linux AustraliaDavid Rowe: Effective Altruism

Long term readers of the blog may recall my daughter Amy. Well, she has moved on from teenage partying and is now e-volunteering at Effective Altruism Australia. She recently pointed me at the free e-book The Life You Can Save by Peter Singer.

I was already familiar with the work of Peter Singer, having read “the Most Good You Can Do”. Peter puts numbers on altruistic behaviour to evaluate them. This appeals to me – as an engineer I uses numbers to evaluate artefacts I build like modems, or other processes going on in the world like COVD-19.

Using technology to help people is a powerful motivator for Geeks. I’ve been involved in a few of these initiatives myself (OLPC and The Village Telco). It’s really tough to create something that helps people long term. A wider set of skills and capabilities are required than just “the technology”.

On my brief forays into the developing world I’ve seen ecologies of people (from the first and developing worlds) living off development dollars. In some cases there is no incentive to report the true outcomes, for example how many government bureaucrats want to report failure? How many consultants want the gig to end?

So I really get the need for scientific evaluation of any development endeavours. Go Peter and the Effective Altruism movement!

I spend around 1000 hours a year writing open source code, a strong argument that I am “doing enough” in the community space. However I have no idea how effective that code is. Is it helping anyone? My inclination to help is also mixed with “itch scratching” – geeky stuff I want to work on because I find it interesting.

So after the reading the book and having a think – I’m sold. I have committed 5% of my income to Effective Altruism Australia, selecting Give Directly as a target for my funds as it appealed to me personally.

I asked Amy proof read this post – and she suggested that instead of $ you, can donate time – that’s what she does. She also said:

Effective Altrusim opens your eyes to alternative ways to interact with charities. It combines the board field of social science to explore how may aspects intersect; by applying the scientific method to that of economics, psychology, international development, and anthropology.

Reading Further

Busting Teenage Partying with a Fluksometer
Effective Altruism Australia


Planet DebianSean Whitton: GNU Emacs' Transient Mark mode

Something I’ve found myself doing as the pandemic rolls on is picking out and (re-)reading through sections of the GNU Emacs manual and the GNU Emacs Lisp reference manual. This has got me (too) interested in some of the recent history of Emacs development, and I did some digging into archives of emacs-devel from 2008 (15M mbox) regarding the change to turn Transient Mark mode on by default and set mark-even-if-inactive to true by default in Emacs 23.1.

It’s not always clear which objections to turning on Transient Mark mode by default take into account the mark-even-if-inactive change. I think that turning on Transient Mark mode along with mark-even-if-inactive is a good default. The question that remains is whether the disadvantages of Transient Mark mode are significant enough that experienced Emacs users should consider altering Emacs’ default behaviour to mitigate them. Here’s one popular blog arguing for some mitigations.

How might Transient Mark mode be disadvantageous?

The suggestion is that it makes using the mark for navigation rather than for acting on regions less convenient:

  1. setting a mark just so you can jump back to it (i) is a distinct operation you have to think of separately; and (ii) requires two keypresses, C-SPC C-SPC, rather than just one keypress

  2. using exchange-point-and-mark activates the region, so to use it for navigation you need to use either C-u C-x C-x or C-x C-x C-g, neither of which are convenient to type, or else it will be difficult to set regions at the place you’ve just jumped to because you’ll already have one active.

There are two other disadvantages that people bring up which I am disregarding. The first is that it makes it harder for new users to learn useful ways in which to use the mark when it’s deactivated. This happened to me, but it can be mitigated without making any behavioural changes to Emacs. The second is that the visual highlighting of the region can be distracting. So far as I can tell, this is only a problem with exchange-point-and-mark, and it’s subsumed by the problem of that command actually activating the region. The rest of the time Emacs’ automatic deactivation of the region seems sufficient.

How might disabling Transient Mark mode be disadvantageous?

When Transient Mark mode is on, many commands will do something usefully different when the mark is active. The number of commands in Emacs which work this way is only going to increase now that Transient Mark mode is the default.

If you disable Transient Mark mode, then to use those features you need to temporarily activate Transient Mark mode. This can be fiddly and/or require a lot of keypresses, depending on exactly where you want to put the region.

Without being able to see the region, it might be harder to know where it is. Indeed, this is one of the main reasons for wanting Transient Mark mode to be the default, to avoid confusing new users. I don’t think this is likely to affect experienced Emacs users often, however, and on occasions when more precision is really needed, C-u C-x C-x will make the region visible. So I’m not counting this as a disadvantage.

How might we mitigate these two sets of disadvantages?

Here are the two middle grounds I’m considering.

Mitigation #1: Transient Mark mode, but hack C-x C-x behaviour

(defun spw/exchange-point-and-mark (arg)
  "Exchange point and mark, but reactivate mark a bit less often.

Specifically, invert the meaning of ARG in the case where
Transient Mark mode is on but the region is inactive."
  (interactive "P")
   (if (and transient-mark-mode (not mark-active))
       (not arg)
(global-set-key [remap exchange-point-and-mark] &aposspw/exchange-point-and-mark)

We avoid turning Transient Mark mode off, but mitigate the second of the two disadvantages given above.

I can’t figure out why it was thought to be a good idea to make C-x C-x reactivate the mark and require C-u C-x C-x to use the action of exchanging point and mark as a means of navigation. There needs to a binding to reactivate the mark, but in roughly ten years of having Transient Mark mode turned on, I’ve found that the need to reactivate the mark doesn’t come up often, so the shorter and longer bindings seem the wrong way around. Not sure what I’m missing here.

Mitigation #2: disable Transient Mark mode, but enable it temporarily more often

(setq transient-mark-mode nil)
(defun spw/remap-mark-command (command &optional map)
  "Remap a mark-* command to temporarily activate Transient Mark mode."
  (let* ((cmd (symbol-name command))
         (fun (intern (concat "spw/" cmd)))
         (doc (concat "Call `"
                      "&apos and temporarily activate Transient Mark mode.")))
    (fset fun `(lambda ()
                 (call-interactively #&apos,command)
    (if map
        (define-key map (vector &aposremap command) fun)
      (global-set-key (vector &aposremap command) fun))))

(dolist (command &apos(mark-word
  (spw/remap-mark-command command))
(with-eval-after-load &aposorg
  (spw/remap-mark-command &aposorg-mark-element org-mode-map)
  (spw/remap-mark-command &aposorg-mark-subtree org-mode-map))

;; optional
(global-set-key "\M-=" (lambda () (interactive) (activate-mark)))
;; resettle the previous occupant
(global-set-key "\C-cw" &aposcount-words-region)

Here we remove both of the disadvantages of Transient Mark mode given above, and mitigate the main disadvantage of not activating Transient Mark mode by making it more convenient to activate it temporarily.

For example, this enables using C-M-SPC C-M-SPC M-( to wrap the following two function arguments in parentheses. And you can hit M-h a few times to mark some blocks of text or code, then operate on them with commands like M-% and C-/ which behave differently when the region is active.1

Comparing these mitigations

Both of these mitigations handle the second of the two disadvantages of Transient Mark mode given above. What remains, then, is

  1. under the effects of mitigation #1, how much of a barrier to using marks for navigational purposes is it to have to press C-SPC C-SPC instead of having a single binding, C-SPC, for all manual mark setting2

  2. under the effects of mitigation #2, how much of a barrier to taking advantage of commands which act differently when the region is active is it to have to temporarily enable Transient Mark mode with C-SPC C-SPC, M-= or one of the mark-* commands?

These are unknowns.3 So I’m going to have to experiment, I think, to determine which mitigation to use, if either. In particular, I don’t know whether it’s really significant that setting a mark for navigational purposes and for region marking purposes are distinct operations under mitigation #1.

My plan is to start with mitigation #2 because that has the additional advantage of allowing me to confirm or disconfirm my belief that not being able to see where the region is will only rarely get in my way.

  1. The idea of making the mark-* commands activate the mark comes from an emacs-devel post by Stefan Monnier in the archives linked above.
  2. One remaining possibility I’m not considering is mitigation #1 plus binding something else to do the same as C-SPC C-SPC. I don’t believe there are any easily rebindable keys which are easier to type than typing C-SPC twice. And this does not deal with the two distinct mark-setting operations problem.
  3. Another way to look at this is the question of which of setting a mark for navigational purposes and activating a mark should get C-SPC and which should get C-SPC C-SPC.

Planet DebianDirk Eddelbuettel: drat 0.1.6: Rewritten macOS binary support

drat user

A new version of drat arrived on CRAN overnight, once again taking advantage of the fully automated process available for such packages with few reverse depends and no open issues. As we remarked at the last release fourteen months ago when we scored the same nice outcome: Being a simple package can have its upsides…

This release is mostly the work of Felix Ernst who took on what became a rewrite of how binary macOS packages are handled. If you need to distribute binary packages for macOS users, this may help. Two more small updates were made, see below for full details.

drat stands for drat R Archive Template, and helps with easy-to-create and easy-to-use repositories for R packages. Since its inception in early 2015 it has found reasonably widespread adoption among R users because repositories with marked releases is the better way to distribute code.

As your mother told you: Friends don’t let friends install random git commit snapshots. Rolled-up releases it is. drat is easy to use, documented by five vignettes and just works.

The NEWS file summarises the release as follows:

Changes in drat version 0.1.6 (2020-05-29)

  • Changes in drat functionality

    • Support for the various (current) macOS binary formats was rewritten (Felix Ernst in #89 fixing #88).

    • Travis CI use was updated to R 4.0.0 and bionic (Dirk).

    • A drat repo was added to the README (Thomas Fuller in #86)

Courtesy of CRANberries, there is a comparison to the previous release. More detailed information is on the drat page.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet Linux AustraliaSimon Lyall: AudioBooks – May 2020

Fewer books this month. At home on lockdown and weather a bit worse so less time to go on walks walks and listen.

Save the Cat! Writes a Novel: The Last Book On Novel Writing You’ll Ever Need by Jessica Brody

A fairly straight adaption of the screenplay-writing manual. Lots of examples from well-known books including full breakdowns of beats. 3/5

Happy Singlehood: The Rising Acceptance and Celebration of Solo Living by Elyakim Kislev

Based on 142 interviews. A lot of summaries of findings with quotes for interviewees and people’s blogs. Last chapter has some policy push but a little lights 3/5

Scandinavia: A History by Ewan Butler

Just a a 6 hour long quick spin though history. First half suffers a bit with lists of Kings although there is a bit more colour later in. Okay prep for something meatier 3/5

One Giant Leap: The Impossible Mission That Flew Us to the Moon by Charles Fishman

A bit of a mix. It covers the legacy of Apollo but the best bits are chapters on the Computers, Politics and other behind the scenes things. A compliment to astronaut and mission orientated books. 4/5

My Scoring System

  • 5/5 = Brilliant, top 5 book of the year
  • 4/5 = Above average, strongly recommend
  • 3/5 = Average. in the middle 70% of books I read
  • 2/5 = Disappointing
  • 1/5 = Did not like at all


Planet DebianMartin Michlmayr: ledger2beancount 2.2 released

I released version 2.2 of ledger2beancount, a ledger to beancount converter.

Here are the changes in 2.2:

  • Show warning for unknown apply directive
  • Recognize apply rate directive (an alias of apply fixed)
  • Don't convert meta-data on ignored virtual postings but keep as comments
  • Update location of beancount repository

You can get ledger2beancount from GitHub.

Thanks to GitHub user MarinBernard for reporting a bug with virtual postings!

Planet DebianReproducible Builds (diffoscope): diffoscope 146 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 146. This version includes the following changes:

[ Chris Lamb ]
* Refactor .changes and .buildinfo handling to show all details (including
  the GPG header and footer components), even when referenced files are not
  present. (Closes: reproducible-builds/diffoscope#122)
* Normalise filesystem stat(2) "birth times" (ie. st_birthtime) in the same
  way we do with stat(1)'s "Access:" and "Change:" times to fix a
  nondetermistic build failure on GNU Guix.
  (Closes: reproducible-builds/diffoscope#74)
* Drop the (default) subprocess.Popen(shell=False) keyword argument so that
  the more unsafe shell=True is more obvious.
* Ignore lower vs. upper-case when ordering our file format descriptions.
* Don't skip string normalisation in Black.

[ Mattia Rizzolo ]
* Add a "py3dist" override for the rpm-python module (Closes: #949598)
* Bump the debhelper compat level to 13 and use the new
  execute_after_*/execture_before_* style rules.
* Fix a spelling error in changelog.

[ Daniel Fullmer ]
* Mount GuestFS filesystem images readonly.

[ Jean-Romain Garnier ]
* Prevent an issue where (for example) LibarchiveMember's has_same_content
  method is called regardless of the actual type of file.

You find out more by visiting the project homepage.


CryptogramFriday Squid Blogging: Humboldt Squid Communication

Humboldt Squid communicate by changing their skin patterns and glowing.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Krebs on SecurityCareer Choice Tip: Cybercrime is Mostly Boring

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

“The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

From the paper:

“We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

“However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.


For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

“And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”


Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

“While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

To some degree, the ZeuS’s author experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat — the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”


Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: Namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

Many cybersecurity experts often remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious, work for the administrators to set up their sites anew.

“Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

“If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

“Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

“Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

CryptogramBogus Security Technology: An Anti-5G USB Stick

The 5GBioShield sells for £339.60, and the description sounds like snake oil:

...its website, which describes it as a USB key that "provides protection for your home and family, thanks to the wearable holographic nano-layer catalyser, which can be worn or placed near to a smartphone or any other electrical, radiation or EMF [electromagnetic field] emitting device".

"Through a process of quantum oscillation, the 5GBioShield USB key balances and re-harmonises the disturbing frequencies arising from the electric fog induced by devices, such as laptops, cordless phones, wi-fi, tablets, et cetera," it adds.

Turns out that it's just a regular USB stick.

TEDTED2020 seeks the uncharted

The world has shifted, and so has TED.

We need brilliant ideas and thinkers more than ever. While we can’t convene in person, we will convene. Rather than a one-week conference, TED2020 will be an eight-week virtual experience — all held in the company of the TED community. Each week will offer signature TED programming and activities, as well as new and unique opportunities for connection and interaction. 

We have an opportunity to rebuild our world in a better, fairer and more beautiful way. In line with TED2020’s original theme, Uncharted, the conference will focus on the roles we all have to play in building back better. The eight-week program will offer ways to deepen community relationships and, together, re-imagine what the future can be.

Here’s what the TED2020 weekly program will look like: On Monday, Tuesday and Wednesday, a series of 45-minute live interviews, talks and debates centered on the theme Build Back Better. TED attendees can help shape the real-time conversation on an interactive, TED-developed virtual platform they can use to discuss ideas, share questions and give feedback to the stage. On Thursday, the community will gather to experience a longer mainstage TED session packed with unexpected moments, performances, visual experiences and provocative talks and interviews. Friday wraps up the week with an all-day, à la carte Community Day featuring an array of interactive choices including Discovery Sessions, speaker meetups and more.

 TED2020 speakers and performers include: 

  • JAD ABUMRAD, RadioLab founder 
  • CHRISTINA AGAPAKIS, Synthetic biology adventurer
  • REFIK ANADOL, Digital arts maestro
  • XIYE BASTIDA, Climate justice activist
  • SWIZZ BEATZ, Hip-hop artist, producer
  • GEORGES C. BENJAMIN, Executive Director, American Public Health Association
  • BRENÉ BROWN, Vulnerability researcher, storyteller 
  • WILL CATHCART, Head of WhatsApp
  • JAMIE DIMON, Global banker
  • ABIGAIL DISNEY, Filmmaker, activist
  • BILL GATES, Technologist, philanthropist
  • KRISTALINA GEORGIEVA, Managing Director, International Monetary Fund
  • JANE GOODALL, Primatologist, conservationist
  • AL GORE, Climate advocate
  • TRACY EDWARDS, Trailblazer
  • NEAL KATYAL, Supreme Court litigator
  • EMILY KING, Singer, songwriter
  • YANN LECUN, AI pioneer
  • MICHAEL LEVIN, Cellular explorer
  • PHILIP LUBIN, Physicist
  • MARIANA MAZZUCATO, Policy influencer
  • MARCELO MENA, Environment minister of Chile
  • DAN SCHULMAN, CEO and President, PayPal
  • AUDREY TANG, Taiwan’s digital minister for social innovation
  • DALLAS TAYLOR, Sound designer, podcaster
  • NIGEL TOPPING, Climate action champion
  • RUSSELL WILSON, Quarterback, Seattle Seahawks

The speaker lineup is being unveiled on in waves throughout the eight weeks, as many speakers will be addressing timely and breaking news. Information about accessing the high-definition livestream of the entire conference and TED2020 membership options are also available on

The TED Fellows class of 2020 will once again be a highlight of the conference, with talks, Discovery Sessions and other special events sprinkled throughout the eight-week program. 

TED2020 members will also receive special access to the TED-Ed Student Talks program, which helps students around the world discover, develop and share their ideas in the form of TED-style talks. TEDsters’ kids and grandkids (ages 8-18) can participate in a series of interactive sessions led by the TED-Ed team and culminating in the delivery of each participant’s very own big idea.

As in the past, TED Talks given during the conference will be made available to the public in the coming weeks. Opening TED up to audiences around the world is foundational to TED’s mission of spreading ideas. Founded in 1984, the first TED conferences were held in Monterey, California. In 2006, TED experimented with putting TED Talk videos online for free — a decision that opened the doors to giving away all of its content. Today there are thousands of TED Talks available on What was once a closed-door conference devoted to Technology, Entertainment and Design has become a global platform for sharing talks across a wide variety of disciplines. Thanks to the support of thousands of volunteer translators, TED Talks are available in 116 languages. TEDx, the licensing program that allows communities to produce independently organized TED events, has seen more than 28,000 events held in more than 170 countries. TED-Ed offers close to 1,200 free animated lessons and other learning resources for a youth audience and educators. Collectively, TED content attracts billions of views and listens each year.

TED has partnered with a number of innovative organizations to support its mission and contribute to the idea exchange at TED2020. They are collaborating with the TED team on innovative ways to engage a virtual audience and align their ideas and perspectives with this year’s programming. This year’s partners include: Accenture, BetterUp, Boston Consulting Group, Brightline™ Initiative, Cognizant, Hilton, Lexus, Project Management Institute, Qatar Foundation, Robert Wood Johnson Foundation, SAP, Steelcase and Target.

Get the latest information and updates on TED2020 on

CryptogramFacebook Announces Messenger Security Features that Don't Compromise Privacy

Note that this is "announced," so we don't know when it's actually going to be implemented.

Facebook today announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provide tips and suggest you block the offenders. The feature, which Facebook started rolling out on Android in March and is now bringing to iOS, uses machine learning analysis of communications across Facebook Messenger's billion-plus users to identify shady behaviors. But crucially, Facebook says that the detection will occur only based on metadata­ -- not analysis of the content of messages­ -- so that it doesn't undermine the end-to-end encryption that Messenger offers in its Secret Conversations feature. Facebook has said it will eventually roll out that end-to-end encryption to all Messenger chats by default.

That default Messenger encryption will take years to implement.


Facebook hasn't revealed many details about how its machine-learning abuse detection tricks will work. But a Facebook spokesperson tells WIRED the detection mechanisms are based on metadata alone: who is talking to whom, when they send messages, with what frequency, and other attributes of the relevant accounts -- essentially everything other than the content of communications, which Facebook's servers can't access when those messages are encrypted. "We can get pretty good signals that we can develop through machine learning models, which will obviously improve over time," a Facebook spokesperson told WIRED in a phone call. They declined to share more details in part because the company says it doesn't want to inadvertently help bad actors circumvent its safeguards.

The company's blog post offers the example of an adult sending messages or friend requests to a large number of minors as one case where its behavioral detection mechanisms can spot a likely abuser. In other cases, Facebook says, it will weigh a lack of connections between two people's social graphs -- a sign that they don't know each other -- or consider previous instances where users reported or blocked a someone as a clue that they're up to something shady.

One screenshot from Facebook, for instance, shows an alert that asks if a message recipient knows a potential scammer. If they say no, the alert suggests blocking the sender, and offers tips about never sending money to a stranger. In another example, the app detects that someone is using a name and profile photo to impersonate the recipient's friend. An alert then shows the impersonator's and real friend's profiles side-by-side, suggesting that the user block the fraudster.

Details from Facebook

Planet Linux AustraliaLev Lafayette: Using Live Linux to Save and Recover Your Data

There are two types of people in the world; those who have lost data and those who are about to. Given that entropy will bite eventually, the objective should be to minimise data loss. Some key rules for this backup, backup often, and backup with redundancy. Whilst an article on that subject will be produced, at this stage discussion is directed to the very specific task of recovering data from old machines which may not be accessible anymore using Linux. There number of times I've done this in past years is somewhat more than the number of fingers I have - however, like all good things it deserves to be documented in the hope that other people might find it useful.

To do this one will need a Linux live distribution of some sort as an ISO, as a bootable USB drive. A typical choice would be a Ubuntu Live or Fedora Live. If one is dealing with damaged hardware the old Slackware-derived minimalist distribution Recovery is Possible (RIP) is certainly worth using; it's certainly saved me in the past. If you need help in creating a bootable USB, the good people at HowToGeek provide some simple instructions.

With a Linux bootable disk of some description inserted in one's system, the recovery process can begin. Firstly, boot the machine and change the book order (in BIOS/UEFI) that the drive in question becomes the first in the boot order. Once the live distribution boots up, usually in a GUI environment, one needs to open the terminal application (e.g., GNOME in Fedora uses Applications, System Tools, Terminal) and change to the root user with the su command (there's no password on a live CD to be root!).

At this point one needs to create a mount point directory, where the data is going to be stored; mkdir /mnt/recovery. After this one needs to identify the disk which one is trying to access. The fdisk -l command will provide a list of all disks in the partition table. Some educated guesswork from the results is required here, which will provide the device filesystem Type; it almost certainly isn't an EFI System, or Linux swap for example. Typically one is trying to access something like /dev/sdaX.

Then one must mount the device to the directory that was just created, for example: mount /dev/sda2 /mnt/recovery. Sometimes a recalcitrant device will need to have the filesystem explicitly stated; the most common being ext3, ext4, fat, xfs, vfat, and ntfs-3g. To give a recent example I needed to run mount -t ext3 /dev/sda3 /mnt/recovery. From there one can copy the data from the mount point to a new source; a USB drive is probably the quickest, although one may take the opportunity to copy it to an external system (e.g., google drive) - and that's it! You've recovered your data!

Worse Than FailureError'd: A Pattern of Errors

"Who would have thought that a newspaper hired an ex-TV technician to test their new CMS with an actual test pattern!" wrote Yves.


"Guess I should throttle back on binging all of Netflix," writes Eric S.


Christian K. wrote, "So, does this let me listen directly to my network packets?"


"I feel this summarizes very well the current Covid-19 situation in the US," Henrik B. wrote.


Steve W. writes, "I don't know if I've been gardening wrong or computing wrong, but at least know I know how best to do it!"


"Oh, how silly of me to search a toy reseller's website for 'scrabble' when I really meant to search for 'scrabble'. It's so obvious now!"


[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!


Planet Linux AustraliaFrancois Marier: Fixing locale problem in MythTV 30

After upgrading to MythTV 30, I noticed that the interface of mythfrontend switched from the French language to English, despite having the following in my ~/.xsession for the mythtv user:

export LANG=fr_CA.UTF-8
exec ~/bin/start_mythtv

I noticed a few related error messages in /var/log/syslog:

mythbackend[6606]: I CoreContext mythcorecontext.cpp:272 (Init) Assumed character encoding: fr_CA.UTF-8
mythbackend[6606]: N CoreContext mythcorecontext.cpp:1780 (InitLocale) Setting QT default locale to FR_US
mythbackend[6606]: I CoreContext mythcorecontext.cpp:1813 (SaveLocaleDefaults) Current locale FR_US
mythbackend[6606]: E CoreContext mythlocale.cpp:110 (LoadDefaultsFromXML) No locale defaults file for FR_US, skipping
mythpreviewgen[9371]: N CoreContext mythcorecontext.cpp:1780 (InitLocale) Setting QT default locale to FR_US
mythpreviewgen[9371]: I CoreContext mythcorecontext.cpp:1813 (SaveLocaleDefaults) Current locale FR_US
mythpreviewgen[9371]: E CoreContext mythlocale.cpp:110 (LoadDefaultsFromXML) No locale defaults file for FR_US, skipping

Searching for that non-existent fr_US locale, I found that others have this in their logs and that it's apparently set by QT as a combination of the language and country codes.

I therefore looked in the database and found the following:

MariaDB [mythconverg]> SELECT value, data FROM settings WHERE value = 'Language';
| value    | data |
| Language | FR   |
1 row in set (0.000 sec)

MariaDB [mythconverg]> SELECT value, data FROM settings WHERE value = 'Country';
| value   | data |
| Country | US   |
1 row in set (0.000 sec)

which explains the non-sensical FR-US locale.

I fixed the country setting like this

MariaDB [mythconverg]> UPDATE settings SET data = 'CA' WHERE value = 'Country';
Query OK, 1 row affected (0.093 sec)
Rows matched: 1  Changed: 1  Warnings: 0

After logging out and logging back in, the user interface of the frontend is now using the fr_CA locale again and the database setting looks good:

MariaDB [mythconverg]> SELECT value, data FROM settings WHERE value = 'Country';
| value   | data |
| Country | CA   |
1 row in set (0.000 sec)

Krebs on SecurityUK Ad Campaign Seeks to Deter Cybercrime

The United Kingdom’s anti-cybercrime agency is running online ads aimed at young people who search the Web for services that enable computer crimes, specifically trojan horse programs and DDoS-for-hire services. The ad campaign follows a similar initiative launched in late 2017 that academics say measurably dampened demand for such services by explaining that their use to harm others is illegal and can land potential customers in jail.

For example, search in Google for the terms “booter” or “stresser” from a U.K. Internet address, and there’s a good chance you’ll see a paid ad show up on the first page of results warning that using such services to attack others online is illegal. The ads are being paid for by the U.K.’s National Crime Agency, which saw success with a related campaign for six months starting in December 2017.

A Google ad campaign paid for by the U.K.’s National Crime Agency.

NCA Senior Manager David Cox said the agency is targeting its ads to U.K. males age 13 to 22 who are searching for booter services or different types of remote access trojans (RATs), as part of an ongoing effort to help steer young men away from cybercrime and toward using their curiosity and skills for good. The ads link to advertorials and to the U.K.’s Cybersecurity Challenge, which tries gamify computer security concepts and highlight potential careers in cybersecurity roles.

“The fact is, those standing in front of a classroom teaching children have less information about cybercrime than those they’re trying to teach,” Cox said, noting that the campaign is designed to support so-called “knock-and-talk” visits, where investigators visit the homes of young people who’ve downloaded malware or purchased DDoS-for-hire services to warn them away from such activity. “This is all about showing people there are other paths they can take.”

While it may seem obvious to the casual reader that deploying some malware-as-a-service or using a booter to knock someone or something offline can land one in legal hot water, the typical profile of those who frequent these services is young, male, impressionable and participating in online communities of like-minded people in which everyone else is already doing it.

In 2017, the NCA published “Pathways into Cyber Crime,” a report that drew upon interviews conducted with a number of young men who were visited by U.K. law enforcement agents in connection with various cybercrime investigations.

Those findings, which the NCA said came about through knock-and-talk interviews with a number of suspected offenders, found that 61 percent of suspects began engaging in criminal hacking before the age of 16, and that the average age of suspects and arrests of those involved in hacking cases was 17 years old.

The majority of those engaged in, or on the periphery of, cyber crime, told the NCA they became involved via an interest in computer gaming.

A large proportion of offenders began to participate in gaming cheat websites and “modding” forums, and later progressed to criminal hacking forums.

The NCA learned the individuals visited had just a handful of primary motivations in mind, including curiosity, overcoming a challenge, or proving oneself to a larger group of peers. According to the report, a typical offender faces a perfect storm of ill-boding circumstances, including a perceived low risk of getting caught, and a perception that their offenses in general amounted to victimless crimes.

“Law enforcement activity does not act as a deterrent, as individuals consider cyber crime to be low risk,” the NCA report found. “Debrief subjects have stated that they did not consider law enforcement until someone they knew or had heard of was arrested. For deterrence to work, there must be a closing of the gap between offender (or potential offender) with law enforcement agencies functioning as a visible presence for these individuals.”

Cox said the NCA will continue to run the ads indefinitely, and that it is seeking funding from outside sources — including major companies in online gaming industry, whose platforms are perhaps the most targeted by DDoS-for-hire services. He called the program a “great success,” noting that in the past 30 days (13 of which the ads weren’t running for funding reasons), the ads generated some 5.32 million impressions, and more than 57,000 clicks.


Richard Clayton is director of the University of Cambridge Cybercrime Centre, which has been monitoring DDoS attacks for several years using a variety of sensors across the Internet that pretend to be the types of systems which are typically commandeered and abused to help launch such assaults.

Last year, Clayton and fellow Cambridge researchers published a paper showing that law enforcement interventions — including the NCA’s anti-DDoS ad campaign between 2017 and 2018 — demonstrably slowed the growth in demand for DDoS-for-hire services.

“Our data shows that by running that ad campaign, the NCA managed to flatten out demand for booter services over that period,” Clayton said. “In other words, the demand for these services didn’t grow over the period as we would normally see, and we didn’t see more people doing it at the end of the period than at the beginning. When we showed this to the NCA, they were ever so pleased, because that campaign cost them less than ten thousand [pounds sterling] and it stopped this type of cybercrime from growing for six months.”

The Cambridge study found various interventions by law enforcement officials had measurable effects on the demand for and damage caused by booter and stresser services. Source: Booting the Booters, 2019.

Clayton said part of the problem is that many booter/stresser providers claim they’re offering lawful services, and many of their would-be customers are all too eager to believe this is true. Also, the price point is affordable: A typical booter service will allow customers to launch fairly high-powered DDoS attacks for just a few dollars per month.

“There are legitimate companies that provide these types of services in a legal manner, but there are all types of agreements that have to be in place before this can happen,” Clayton said. “And you don’t get that for ten bucks a month.”


The NCA’s ad campaign is competing directly with Google ads taken out by many of the same people running these DDoS-for-hire services. It may surprise some readers to learn that cybercrime services often advertise on Google and other search sites much like any legitimate business would — paying for leads that might attract new customers.

Several weeks back, KrebsOnSecurity noticed that searching for “booter” or “stresser” in Google turned up paid ads for booter services prominently on the first page of results. But as I noted in a tweet about the finding, this is hardly a new phenomenon.

A booter ad I reported to Google that the company subsequently took offline.

Cambridge’s Clayton pointed me to a blog post he wrote in 2018 about the prevalence of such ads, which violate Google’s policies on acceptable advertisements via its platform. Google says it doesn’t allow ads for services that “cause damage, harm or injury,” and that they don’t allow adverts for services that “are designed to enable dishonest behavior.”

Clayton said Google eventually took down the offending ads. But as my few seconds of Googling revealed, the company appears to have decided to play wack-a-mole when people complain, instead of expressly prohibiting the placement of (and payment for) ads with these terms.

Google told KrebsOnSecurity that it relies on a combination of technology and people to enforce its policies.

“We have strict ad policies designed to protect users on our platforms,” Google said in a written statement. “We prohibit ads that enable dishonest behavior, including services that look to take advantage of or cause harm to users. When we find an ad that violates our policies we take action. In this case, we quickly removed the ads.”

Google pointed to a recent blog post detailing its enforcement efforts in this regard, which said in 2019 the company took down more than 2.7 billion ads that violated its policies — or more than 10 million ads per day — and that it removed a million advertiser accounts for the same reason.

The ad pictured above ceased to appear shortly after my outreach to them. Unfortunately, an ad for a different booter service (shown below) soon replaced the one they took down.

An ad for a DDoS-for-hire service that appeared shortly after Google took down the ones KrebsOnSecurity reported to them.

Planet Linux AustraliaMichael Still: Introducing Shaken Fist


The first public commit to what would become OpenStack Nova was made ten years ago today — at Thu May 27 23:05:26 2010 PDT to be exact. So first off, happy tenth birthday to Nova!

A lot has happened in that time — OpenStack has gone from being two separate Open Source projects to a whole ecosystem, developers have come and gone (and passed away), and OpenStack has weathered the cloud wars of the last decade. OpenStack survived its early growth phase by deliberately offering a “big tent” to the community and associated vendors, with an expansive definition of what should be included. This has resulted in most developers being associated with a corporate sponser, and hence the decrease in the number of developers today as corporate interest wanes — OpenStack has never been great at attracting or retaining hobbist contributors.

My personal involvement with OpenStack started in November 2011, so while I missed the very early days I was around for a lot and made many of the mistakes that I now see in OpenStack.

What do I see as mistakes in OpenStack in hindsight? Well, embracing vendors who later lose interest has been painful, and has increased the complexity of the code base significantly. Nova itself is now nearly 400,000 lines of code, and that’s after splitting off many of the original features of Nova such as block storage and networking. Additionally, a lot of our initial assumptions are no longer true — for example in many cases we had to write code to implement things, where there are now good libraries available from third parties.

That’s not to say that OpenStack is without value — I am a daily user of OpenStack to this day, and use at least three OpenStack public clouds at the moment. That said, OpenStack is a complicated beast with a lot of legacy that makes it hard to maintain and slow to change.

For at least six months I’ve felt the desire for a simpler cloud orchestration layer — both for my own personal uses, and also as a test bed for ideas for what a smaller, simpler cloud might look like. My personal use case involves a relatively small environment which echos what we now think of as edge compute — less than 10 RU of machines with a minimum of orchestration and management overhead.

At the time that I was thinking about these things, the Australian bushfires and COVID-19 came along, and presented me with a lot more spare time than I had expected to have. While I’m still blessed to be employed, all of my social activities have been cancelled, so I find myself at home at a loose end on weekends and evenings at lot more than before.

Thus Shaken Fist was born — named for a Simpson’s meme, Shaken Fist is a deliberately small and highly opinionated cloud implementation aimed at working well in small deployments such as homes, labs, edge compute locations, deployed systems, and so forth.

I’d taken a bit of trouble with each feature in Shaken Fist to think through what the simplest and highest value way of doing something is. For example, instances always get a config drive and there is no metadata server. There is also only one supported type of virtual networking, and one supported hypervisor. That said, this means Shaken Fist is less than 5,000 lines of code, and small enough that new things can be implemented very quickly by a single middle aged developer.

Shaken Fist definitely has feature gaps — API authentication and scheduling are the most obvious at the moment — but I have plans to fill those when the time comes.

I’m not sure if Shaken Fist is useful to others, but you never know. Its apache2 licensed, and available on github if you’re interested.


Worse Than FailureCodeSOD: This is Your Last Birthday

I have a philosophy on birthdays. The significant ones aren’t the numbers we usually choose- 18, 21, 40, whatever- it’s the ones where you need an extra bit. 2, 4, 8, and so on. By that standard, my next birthday landmark isn’t until 2044, and I’m a patient sort.

Christian inherited some legacy C# code which deals in birthdays. Specifically, it needs to be able to determine when your last birthday was. Now, you have to be a bit smarter than simply “lop off the year and insert this year,” since that could be a future birthday, but not that much smarter.

The basic algorithm most of us would choose, though, might start there. If their birthday is, say, 12/31/1969, then we could ask, is 12/31/2020 in the future? It is. Then their last birthday was on 12/31/2019. Whereas, for someone born on 1/1/1970, we know that 1/1/2020 is in the past, so their last birthday was 1/1/2020.

Christian’s predecessor didn’t want to do that. Instead, they found this… “elegant” approach:

static DateTime GetLastBirthday(DateTime dayOfBirth)
    var now = DateTime.Now;

    var former = dayOfBirth;
    var current = former.AddYears(1);

    while (current < DateTime.Now)
        former = current;
        current = current.AddYears(1);

    return former;

Start with their birthdate. Then add one to the year, and store that as current. While current is in the past, remember it as former, and then add one to current. When current is finally a date in the future, former must be a date in the past, and store their last birthday.

The kicker here, though, is that this isn’t used to calculate birthdays. It’s used to calculate the “Start of the Case Year”. Which operates like birthdays, or any anniversary for that matter.

var currentCaseYearStart = GetLastBirthday(caseStart);

Sure, that’s weird naming, but Christian has this to add:

Anyways, [for case year starts] it has a (sort of) off-by-one error.

Christian doesn’t expand on that, and I’m not entirely certain what the off-by-one-like behavior would be in that case, and I assume it has something to do with their business rules around case start dates.

Christian has simplified the date calculation, but has yet to rename it: it turns out this method is called in several places, but never to calculate a birthday.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!


LongNowLong-term Perspectives During a Pandemic

Long Conversation speakers (from top left): Stewart Brand, Esther Dyson, David Eagleman, Ping fu, Katherine Fulton, Danny Hillis, Kevin Kelly, Ramez Naam, Alexander Rose, Paul Saffo, Peter Schwartz, Tiffany Shlain, Bina Venkataraman, and Geoffrey West.

On April 14th, 02020, The Long Now Foundation convened a Long Conversation¹ featuring members of our board and invited speakers. Over almost five hours of spirited discussion, participants reflected on the current moment, how it fits into our deeper future, and how we can address threats to civilization that are rare but ultimately predictable. The following are excerpts from the conversation, edited and condensed for clarity.

Stewart Brand is co-founder and President of The Long Now Foundation. Photograph: Mark Mahaney/Redux.

The Pandemic is Practice for Climate Change

Stewart Brand

I see the pandemic as practice for dealing with a much tougher problem, and one that has a different timescale, which is climate change. And this is where Long Now comes in, where now, after this — and it will sort out, it’ll take a lot longer to sort out than people think, but some aspects are already sorting out faster than people expected. As this thing sorts out and people arise and say: Well, that was weird and terrible. And we lost so and so, and so and so, and so and so, and so we grieve. But it looks like we’re coming through it. Humans in a sense caused it by making it so that bat viruses could get into humans more easily, and then connecting in a way that the virus could get to everybody. But also humans are able to solve it.

Well, all of that is almost perfectly mapped onto climate change, only with a different timescale. In a sense everybody’s causing it: by being part of a civilization, running it at a much higher metabolic rate, using that much more energy driven by fossil fuels, which then screwed up the atmosphere enough to screw up the climate enough to where it became a global problem caused by basically the global activity of everybody. And it’s going to engage global solutions.

Probably it’ll be innovators in cities communicating with other innovators in other cities who will come up with the needed set of solutions to emerge, and to get the economy back on its legs, much later than people want. But nevertheless, it will get back, and then we’ll say, “Okay, well what do you got next?” Because there’ll now be this point of reference. And it’ll be like, “If we can put a man on the moon, we should be able to blah, blah, blah.” Well, if we can solve the coronavirus, and stop a plague that affected everybody, we should be able to do the same damn thing for climate.

Watch Stewart Brand’s conversation with Geoffrey West.

Watch Stewart Brand’s conversation with Alexander Rose.

Esther Dyson is an investor, consultant, and Long Now Board member. Photograph: Christopher Michel.

The Impact of the Pandemic on Children’s Ability to Think Long-term

Esther Dyson

We are not building resilience into the population. I love the Long Now; I’m on the board. But at the same time we’re pretty intellectual. Thinking long-term is psychological. It’s what you learn right at the beginning. It’s not just an intellectual, “Oh gee, I’m going to be a long-term thinker. I’m going to read three books and understand how to do it.” It’s something that goes deep back into your past.

You know the marshmallow test, the famous Stanford test where you took a two-year-old and you said, “Okay, here’s a marshmallow. You sit here, the researcher is going to come back in 10 minutes, maybe 15 and if you haven’t eaten the first marshmallow you get a second one.” And then they studied these kids years later. And the ones who waited, who were able to have delayed gratification, were more successful in just about every way you can count. Educational achievement, income, whether they had a job at all, et cetera.

But the kids weren’t just sort of randomly, long-term or short-term. The ones that felt secure and who trusted their mother, who trusted — the kid’s not stupid; if he’s been living in a place where if they give you a marshmallow, grab it because you can’t trust what they say.

We’re raising a generation and a large population of people who don’t trust anybody and so they are going to grab—they’re going to think short-term. And the thing that scares me right now is how many kids are going to go through, whether it’s two weeks, two months, two years of living in these kinds of circumstances and having the kind of trauma that is going to make you into such a short-term thinker that you’re constantly on alert. You’re always fighting the current battle rather than thinking long-term. People need to be psychologically as well as intellectually ready to do that.

Watch Esther Dyson’s conversation with Peter Schwartz.

Watch Esther Dyson’s conversation with Ramez Naam.

David Eagleman is a world-renowned neuroscientist studying the structure of the brain, professor, entrepreneur, and author. He is also a Long Now Board member. Photograph: CNN.

The Neuroscience of the Unprecedented

David Eagleman

I’ve been thinking about this thing that I’m temporarily calling “the neuroscience of the unprecedented.” Because for all of us, in our lifetimes, this was unprecedented. And so the question is: what does that do to our brains? The funny part is it’s never been studied. In fact, I don’t even know if there’s an obvious way to study it in neuroscience. Nonetheless, I’ve been thinking a lot about this issue of our models of the world and how they get upended. And I think one of the things that I have noticed during the quarantine—and everybody I talked to has this feeling—is that it’s impossible to do long-term thinking while everything’s changing. And so I’ve started thinking about Maslow’s hierarchy of needs in terms of the time domain.

Here’s what I mean. If you have a good internal model of what’s happening and you understand how to do everything in the world, then it’s easy enough to think way into the distance. That’s like the top of the hierarchy, the top of the pyramid: everything is taken care of, all your physiologic needs, relationship needs, everything. When you’re at the top, you can think about the big picture: what kind of company you want to start, and why and where that goes, what that means for society and so on. When we’re in a time like this, where people are worried about if I don’t get that next Instacart delivery, I actually don’t have any food left, that kind of thing, it’s very hard to think long-term. When our internal models are our frayed, it’s hard to use those to make predictions about the future.

Watch David Eagleman’s conversation with Tiffany Shlain.

Watch David Eagleman’s conversation with Ping Fu.

The Virus as a Common Enemy and the Pandemic as a Whole Earth Event

Danny Hillis and Ping Fu

Danny Hillis: Do you think this is the first time the world has faced a problem, simultaneously, throughout the whole world?

Ping Fu: Well, how do you compare it to World War II? That was also simultaneous, although it didn’t impact every individual. In terms of something that touches every human being on Earth, this may be the first time.

Danny Hillis: Yeah. And also, we all are facing the same problem, whereas during wars, people face each other. They’re each other’s problem.

Ping Fu: I am worried we are making this virus an imaginary war.

Danny Hillis: Yes, I think that’s a problem. On the other hand, we are making it that, or at least our politicians are. But I don’t think people feel that they’re against other people. In fact, I think people realize, much like when they saw that picture of the whole earth, that there’s a lot of other people that are in the same boat they are.

Ping Fu: Well, I’m not saying that this particular imaginary war is necessarily negative, because in history we always see that when there is a common enemy, people get together, right? This feels like the first time the entire earth identified a common enemy, even though viruses have existed forever. We live with viruses all the time, but there was not a political social togetherness in identifying one virus as a common enemy of our humanity.

Danny Hillis: Does that permanently change us, because we all realize we’re facing a common enemy? I think we’ve had a common enemy before, but I don’t think it’s happened quickly enough, or people were aware of that enough. Certainly, one can imagine that global warming might have done that, but it happens so slowly. But this causes a lot of people to realize they’re in it together in real time, in a way, that I don’t think we’ve ever been before.

Ping Fu: When you talk about global warming, or clean air, clean water, it’s also a common enemy. It’s just more long term, so it’s not as urgent. And this one is now. That is making people react to it. But I’m hoping this will make us realize there are many other common enemies to the survival of humanity, so that we will deal with them in a more coherent or collaborative way.

Watch Ping Fu’s conversation with David Eagleman.

Watch Ping Fu’s conversation with Danny Hillis.

Watch Danny Hillis’ conversation with Geoffrey West.

Katherine Fulton is a philanthropist, strategist, author, who works for social change. She is also a Long Now Board member. Photograph: Christopher Michel.

An Opportunity for New Relationships and New Allies

Katherine Fulton

One of the things that fascinates me about this moment is that most big openings in history were not about one thing, they were about the way multiple things came together at the same time in surprising ways. And one of the things that happens at these moments is that it’s possible to think about new relationships and new allies.

For instance, a lot of small business people in this country are going to go out of business. And they’re going to be open to thinking about their future and what they do in the next business they start and who is their ally. In ways that don’t fit into any old ideological boxes I would guess.

When I look ahead at what these new institutions might be, I think they’re going to be hybrids. They’re going to bring people together to look at the cross-issue sectors or cross-business and nonprofit and cross-country. It’s going to bring people together in relationship that never would have been in relationship because you’ll need these new capabilities in different ways.

You often have a lot of social movement people who are very suspicious of business and historically very suspicious of technology — not so much now. So how might there be completely new partnerships? How might the tech companies, who are going to be massively empowered, the big tech companies by this, how might they invest in new kinds of partnerships and be much more enlightened in terms of creating the conditions in which their businesses will need to succeed?

So it seems to me we need a different kind of global institution than the ones that were invented after World War II.

Watch Katherine Fulton’s conversation with Ramez Naam.

Watch Katherine Fulton’s conversation with Kevin Kelly.

Kevin Kelly is Senior Maverick at Wired, a magazine he helped launch in 01993. He served as its Executive Editor from its inception until 01999. From 01984–01990 Kelly was publisher and editor of the Whole Earth Review, a journal of unorthodox technical news. He is also a Long Now board member. Photograph: Christopher Michel.

The Loss of Consensus around Truth

Kevin Kelly

We’re in a moment of transition, accelerated by this virus, where we’ve gone from trusting in authorities to this postmodern world we have to assemble truth. This has put us in a position where all of us, myself included, have difficulty in figuring out, like, “Okay, there’s all these experts claiming expertise even among doctors, and there’s a little bit of contradictory information right now.”

Science works well at getting a consensus when you have time to check each other, to have peer review, to go through publications, to take the doubts and to retest. But it takes a lot of time. And in this fast-moving era where this virus isn’t waiting, we don’t have the luxury of having that scientific consensus. So we are having to turn, it’s like, “Well this guy thinks this, this person thinks this, she thinks that. I don’t know.”

We’re moving so fast that we’re moving ahead of the speed of science, even though science is itself accelerating. That results in this moment where we don’t know who to trust. Most of what everybody knows is true. But sometimes it isn’t. So we have a procedure to figure that out with what’s called science where we can have a consensus over time and then we agree. But if we are moving so fast and we have AI come in and we have viruses happening at this global scale, which speeds things up, then we’re outstripping our ability to know things. I think that may be with us longer than just this virus time.

We are figuring out a new way to know, and in what knowledge we can trust. Young people have to understand in a certain sense that they have to assemble what they believe in themselves; they can’t just inherit that from an authority. You actually have to have critical thinking skills, you actually have to understand that for every expert there’s an anti-expert over here and you have to work at trying to figure out which one you’re going to believe. I think, as a society, we are engaged in this process of coming up with an evolution in how we know things and where to place our trust. Maybe we can make some institutions and devices and technologies and social etiquettes and social norms to help us in this new environment of assembling truth.

Watch Kevin Kelly’s conversation with Katherine Fulton.

Watch Kevin Kelly’s conversation with Paul Saffo.

Ramez Naam holds a number of patents in technology and artificial intelligence and was involved in key product development at Microsoft. He was also CEO of Apex Nanotechnologies. His books include the Nexus trilogy of science fiction thrillers. Photograph: Phil Klein/Ramez Naam.

The Pandemic Won’t Help Us Solve Climate Change

Ramez Naam

There’s been a lot of conversations, op-eds, and Twitter threads about what coronavirus teaches us about climate change. And that it’s an example of the type of thinking that we need.

I’m not so optimistic. I still think we’re going to make enormous headway against climate change. We’re not on path for two degrees Celsius but I don’t think we’re on path for the four or six degrees Celsius you sometimes hear talked about. When I look at it, coronavirus is actually a much easier challenge for people to conceptualize. And I think of humans as hyperbolic discounters. We care far more about the very near term than we do about the long-term. And we discount that future at a very, very steep rate.

And so even with coronavirus — well, first the coronavirus got us these incredible carbon emissions and especially air quality changes. You see these pictures of New Delhi in India before and after, like a year ago versus this week. And it’s just brown haze and crystal clear blue skies, it’s just amazing.

But it’s my belief that when the restrictions are lifted, people are going to get back in their cars. And we still have billions of people that barely have access to electricity, to transportation to meet all their needs and so on. And so that tells me something: that even though we clearly can see the benefit of this, nevertheless people are going to make choices that optimize for their convenience, their whatnot, that have this effect on climate.

And that in turn tells me something else, which is: in the environmentalist movement, there’s a couple of different trains of thought of how we address climate change. And on the more far left of the deep green is the notion of de-growth, limiting economic growth, even reducing the size of the economy. And I think what we’re going to see after coronavirus will make it clear that that’s just not going to happen. That people are barely willing to be in lockdown for something that could kill them a couple of weeks from now. They’re going to be even less willing to do that for something that they perceive as a multi-decade threat.

And so the solution still has to be that we make clean choices, clean electricity, clean transportation, and clean industry, cheaper and better than the old dirty ones. That’s the way that we win. And that’s a hard story to tell people to some extent. But it is an area where we’re making progress.

Watch Ramez Naam’s conversation with Esther Dyson.

Watch Ramez Naam’s conversation with Katherine Fulton.

Alexander Rose is an industrial designer and has been working with The Long Now Foundation and computer scientist Danny Hillis since 01997 to build a monument scale, all mechanical 10,000 Year Clock. As the director of Long Now, Alexander founded The Interval and has facilitated a range of projects including The Organizational Continuity Project, The Rosetta Project, Long Bets, Seminars About Long Term Thinking, Long Server and others. Photograph: Christopher Michel.

The Lessons of Long-Lived Organizations

Alexander Rose

Any organization that has lasted for centuries has lived through multiple events like this. Any business that’s been around for just exactly 102 years, lived through the last one of these pandemics that was much more vast, much less understood, came through with much less communication.

I’m talking right now to heads of companies that have been around for several hundred years and in some cases—some of the better-run family ones and some of the corporate ones that have good records—and they’re pulling from those times. But even more important than pulling the exact strategic things that helped them survive those times, they’re able to tell the story that they survived to their own corporate or organizational culture, which is really powerful. It’s a different narrative than what you hear from our government and others who are largely trying in a way to get out from under the gun of saying this was a predictable event even though it was. They’re trying to say that this was a complete black swan, that we couldn’t have known it was going to happen.

There’s two problems with that. One, it discounts all of this previous prediction work and planning work that in some cases has been heeded by some cultures and some cases not. But I think more importantly, it gets people out of this narrative that we have survived, that we can survive, that things are going to come back to normal, that they can come back so far to normal that we are actually going to be bad at planning for the next one in a hundred years if we don’t put in new safeguards.

And I think it’s crucial to get that narrative back in to the story that we do survive these things. Things do go back to normal. We’re watching movies right now on Netflix where you watch people touch, and interact, and it just seems alien. But I think we will forget it quicker than we adopted it.

Watch Alexander Rose’s conversation with Bina Venkataraman.

Watch Alexander Rose’s conversation with Stewart Brand.

Paul Saffo is a forecaster with over two decades experience helping stakeholders understand and respond to the dynamics of large-scale, long-term change. Photograph: Vodafone.

How Do We Inoculate Against Human Folly?

Paul Saffo

I think, in general, yes, we’ve got to work more on long-term thinking. But the failure with this pandemic was not long-term thinking at all. The failure was action.

I think long-term thinking will become more common. The question is can we take that and turn it to action, and can we get the combination of the long-term look ahead, but also the fine grain of understanding when something really is about to change?

I think that this recent event is a demonstration that the whole futurist field has fundamentally failed. All those forecasts had no consequence. All it took was the unharmonic convergence of some short sighted politicians who had their throat around policy to completely unwind all the foresight and all the preparation. So thinking about what’s different in 50 or 100 or 500 years, I think that the fundamental challenge is how do we inoculate civilization against human folly?

This is the first of pandemics to come, and I think despite the horror that has happened, despite the tragic loss of life, that we’re going to look at this pandemic the way we looked at the ’89 earthquake in San Francisco, and recognize that it was a pretty big one. It wasn’t the big one in terms of virus lethality, it’s more a political pandemic in terms of the idiotic response. The highest thing that could come out of this is if we finally take public health seriously.

Watch Paul Saffo’s conversation with Kevin Kelly.

Watch Paul Saffo’s conversation with Tiffany Shlain.

Peter Schwartz is the Senior Vice President for Global Government Relations and Strategic Planning for Prior to that, Peter co-founded Global Business Network, a leader in scenario planning in 01988, where he served as chairman until 02011. Photograph: Christopher Michel.

How to Convince Those in Positions of Power to Trust Scenario Planning

Peter Schwartz

Look, I was a consultant in scenario planning, and I can tell you that it was never a way to get more business to tell a CEO, “Listen, I gave you the scenarios and you didn’t listen.”

My job was to make them listen. To find ways to engage them in such a way that they took it seriously. If they didn’t, it was my failure. Central to the process of thinking about the future like that is finding out how you engage the mind of the decision maker. Good scenario planning begins with a deep understanding of the people who actually have to use the scenarios. If you don’t understand that, you’re not going to have any impact.

[The way to make Trump take this pandemic more seriously would’ve been] to make him a hero early. That is, find a way to tell the story in such a way that Donald Trump in January, as you’re actually warning him, can be a hero to the American people, because of course that is what he wants in every interaction, right? This is a narcissist, so how do you make him be a leader in his narcissism from day one?

The honest truth is that that was part of the strategy with some CEOs that I’ve worked with in the past. I think Donald Trump is an easy person to understand in that respect; he’s very visible. The problem was that he couldn’t see any scenario in which he was a winner, and so he had to deny. You have to give him a route out, a route where he can win, and that’s what I think the folks around him didn’t give him.

Watch Peter Schwartz’s conversation with Bina Venkataraman.

Watch Peter Schwartz’s conversation with Esther Dyson.

Honored by Newsweek as one of the “Women Shaping the 21st Century,” Tiffany Shlain is an Emmy-nominated filmmaker, founder of The Webby Awards and author of 24/6: The Power of Unplugging One Day A Week. Photograph: Anitab.

The Power of Unplugging During the Pandemic

Tiffany Shlain

We’ve been doing this tech shabbat for 10 years now, unplugging on Friday night and having a day off the network. People ask me: “Can you unplug during the pandemic?” Not only can I, but it has been so important for Ken and I and the girls at a moment when there’s such a blur about time. We know all the news out there, we just need to stay inside and have a day to be together without the screens and actually reflect, which is what the Long Now is all about.

I have found these Tech Shabbats a thousand times more valuable for my health because I’m sleeping so well on Friday night. I just feel like I get perspective, which I think I’m losing during the week because it’s so much coming at me all the time. I think this concept of a day of rest has lasted for 3000 years for a reason. And what does that mean today and what does that mean in a pandemic? It means that you go off the screens and be with your family in an authentic way, be with yourself in an authentic way if you’re not married or with kids. Just take a moment to process. There’s a lot going on and it would be a missed opportunity if we don’t put our pen to paper, and I literally mean paper, to write down some of our thoughts right now in a different way. It’s so good to put your mind in a different way.

The reason I started doing Tech Shabbats in the first place is that I lost my father to brain cancer and Ken’s and my daughter was born within days. And it was one of those moments where I felt like life was grabbing me by the shoulders and saying, “Focus on what’s important.” And that series of dramatic events made me change the way I lived. And I feel like this moment that we’re in is the earth and life grabbing us all by the shoulders and saying, “Focus on what’s important. Look at the way you’re living.” And so I’m hopeful that this very intense, painful experience gets us thinking about how to live differently, about what’s important, about what matters. I’m hopeful that real behavioral change can come out of this very dramatic moment we’re in.

Watch Tiffany Shlain’s conversation with Paul Saffo.

Watch Tiffany Shlain’s conversation with David Eagleman.

Bina Venkataraman is the editorial page editor of The Boston Globe. Previously, she served as a senior adviser for climate change innovation in the Obama White House, was the director of Global Policy Initiatives at the Broad Institute of MIT and Harvard, and taught in the Program on Science, Technology, and Society at MIT. Photograph: Podchaser.

We Need a Longer Historical Memory

Bina Venkataraman

We see this pattern—it doesn’t even have to be over generations—that when a natural disaster happens in an area, an earthquake or a flood, we see spikes in people going out and buying insurance right after those events, when they’re still salient in people’s memory, when they’re afraid of those events happening again. But as the historical memory fades, as time goes on, people don’t buy that insurance. They forget these disasters.

I think historical memory is just one component of a larger gap between prediction and action, and what is missing in that gap is imagination. Historical memory is one way to revive the imagination about what’s possible. But I also think it’s beyond that, because with some of the events and threats that are predicted, they might not have perfect analogs in history. I think about climate change as one of those areas where we’ve just never actually had a historical event or anything that even approximates it in human experience, and so cognitively it’s really difficult for people, whether it’s everyday people in our lives or leaders, to be able to take those threats or opportunities seriously.

People think about the moon landing as this incredible feat of engineering, and of course it was, but before it was a feat of engineering, it was a feat of imagination. To accomplish something that’s unprecedented in human experience takes leaps of imagination, and they can come from different sources, from either the source of competition, from the knowledge of history, and indeed from technology, from story, from myth.

Watch Bina Venkataraman’s conversation with Alexander Rose.

Watch Bina Venkataraman’s conversation with Peter Schwartz.

Theoretical physicist Geoffrey West was president of Santa Fe Institute from 2005 to 2009 and founded the high energy physics group at Los Alamos National Laboratory. Photograph: Minesh Bacrania Photography.

The Pandemic is a Red Light for Future Planetary Threats

Geoffrey West

If you get sick as an individual, you take time off. You go to bed. You may end up in hospital, and so forth. And then hopefully you recover in a week, or two weeks, a few days. And of course, you have built into your life a kind of capacity, a reserve, that even though you’ve shut down — you’re not working, you’re not really thinking, probably — nevertheless you have that reserve. And then you recover, and there’s been sufficient reserve of energy, metabolism, finances, that it doesn’t affect you. Even if it is potentially a longer illness.

I’ve been trying to think of that as a metaphor for what’s happening to the planet. And of course what you realize is that how little we actually have in reserve, that it didn’t take very much in terms of us as a globe, as a planet going to bed for a few days, a few weeks, a couple months that we quickly ran out of our resources.

And some of the struggle is to try to come to terms with that, and to reestablish ourselves. And part of the reason for that, is of course that we are, as individuals, in a sort of meta stable state, whereas the planet is, even on these very short timescales, continually changing and evolving. And we live at a time where the socioeconomic forces are themselves exponentially expanding. And this is what causes the problem for us, the acceleration of time and the continual pressures that are part of the fabric of society.

We’re in a much more strong position than we would have been 100 years ago during the Flu Epidemic of 01918. I’m confident that we’re going to get through this and reestablish ourselves. But I see it as a red light that’s going on. A little rehearsal for some of the bigger questions that we’re going to have to face in terms of threats for the planet.

Watch Geoffrey West’s conversation with Danny Hillis.

Watch Geoffrey West’s conversation with Stewart Brand.


[1] Long Conversation is a relay conversation of 20 minute one-to-one conversations; each speaker has an un-scripted conversation with the speaker before them, and then speaks with the next participant before they themselves rotate off. This relay conversation format was first presented under the auspices of Artangel in London at a Longplayer performance in 02009.

CryptogramWebsites Conducting Port Scans

Security researcher Charlie Belmer is reporting that commercial websites such as eBay are conducting port scans of their visitors.

Looking at the list of ports they are scanning, they are looking for VNC services being run on the host, which is the same thing that was reported for bank sites. I marked out the ports and what they are known for (with a few blanks for ones I am unfamiliar with):

  • 5900: VNC
  • 5901: VNC port 2
  • 5902: VNC port 3
  • 5903: VNC port 4
  • 5279:
  • 3389: Windows remote desktop / RDP
  • 5931: Ammy Admin remote desktop
  • 5939:
  • 5944:
  • 5950: WinVNC
  • 6039: X window system
  • 6040: X window system
  • 63333: TrippLite power alert UPS
  • 7070: RealAudio

No one seems to know why:

I could not believe my eyes, but it was quickly reproduced by me (see below for my observation).

I surfed around to several sites, and found one more that does this (the citibank site, see below for my observation)

I further see, at least across and the same ports, in the same sequence getting scanned. That implies there may be a library in use across both sites that is doing this. (I have not debugged into the matter so far.)

The questions:

  • Is this port scanning "a thing" built into some standard fingerprinting or security library? (if so, which?)
  • Is there a plugin for firefox that can block such behavior? (or can such blocking be added to an existing plugin)?

I'm curious, too.

Worse Than FailureCodeSOD: Is We Equal?

Testing for equality is hard. Equal references are certainly equal, but are equal values? What does it mean for two objects to “equal” each other? It’s especially hard in a language like JavaScript, which is “friendly” about type conversions.

In JavaScript land, you’re likely to favor a tool like “lodash”, which provides utility functions like isEqual.

Mohsin was poking around an old corner of their codebase, which hadn’t been modified in some time. Waiting there was this “helpful” function.

import _ from 'lodash';

export function areEqual(prevProps, nextProps) {
  if (_.isEqual(prevProps, nextProps)) {
    return true;
  return false;

In this case, our unknown developer is the best kind of correct: grammatically correct. isEqual should rightly be called areEqual, since we’re testing if two objects “are equal” to each other.

Does that justify implementing a whole new method? Does it justify implementing it with an awkward construct where we use an if to determine if we should return true or false, instead of just, y’know, returning true or false.

isEqual already returns a boolean value, so you don’t need that if: return _.isEqual(…) would be quite enough. Given that functions are data in JavaScript, we could even shorten that by export const areEqual = _.isEqual.

Or, we could just not do this at all.

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

Planet Linux AustraliaRusty Russell: 57 Varieties of Pyrite: Exchanges Are Now The Enemy of Bitcoin

TL;DR: exchanges are casinos and don’t want to onboard anyone into bitcoin. Avoid.

There’s a classic scam in the “crypto” space: advertize Bitcoin to get people in, then sell suckers something else entirely. Over the last few years, this bait-and-switch has become the core competency of “bitcoin” exchanges.

I recently visited the homepage of Australian exchange what a mess. There was a list of dozens of identical-looking “cryptos”, with bitcoin second after something called “XRP”; seems like it was sorted by volume?

Incentives have driven exchanges to become casinos, and they’re doing exactly what you’d expect unregulated casinos to do. This is no place you ever want to send anyone.

Incentives For Exchanges

Exchanges make money on trading, not on buying and holding. Despite the fact that bitcoin is the only real attempt to create an open source money, scams with no future are given false equivalence, because more assets means more trading. Worse than that, they are paid directly to list new scams (the crappier, the more money they can charge!) and have recently taken the logical step of introducing and promoting their own crapcoins directly.

It’s like a gold dealer who also sells 57 varieties of pyrite, which give more margin than selling actual gold.

For a long time, I thought exchanges were merely incompetent. Most can’t even give out fresh addresses for deposits, batch their outgoing transactions, pay competent fee rates, perform RBF or use segwit.

But I misunderstood: they don’t want to sell bitcoin. They use bitcoin to get you in the door, but they want you to gamble. This matters: you’ll find subtle and not-so-subtle blockers to simply buying bitcoin on an exchange. If you send a friend off to buy their first bitcoin, they’re likely to come back with something else. That’s no accident.

Looking Deeper, It Gets Worse.

Regrettably, looking harder at specific exchanges makes the picture even bleaker.

Consider Binance: this mainland China backed exchange pretending to be a Hong Kong exchange appeared out of nowhere with fake volume and demonstrated the gullibility of the entire industry by being treated as if it were a respected member. They lost at least 40,000 bitcoin in a known hack, and they also lost all the personal information people sent them to KYC. They aggressively market their own coin. But basically, they’re just MtGox without Mark Karpales’ PHP skills or moral scruples and much better marketing.

Coinbase is more interesting: an MBA-run “bitcoin” company which really dislikes bitcoin. They got where they are by spending big on regulations compliance in the US so they could operate in (almost?) every US state. (They don’t do much to dispel the wide belief that this regulation protects their users, when in practice it seems only USD deposits have any guarantee). Their natural interest is in increasing regulation to maintain that moat, and their biggest problem is Bitcoin.

They have much more affinity for the centralized coins (Ethereum) where they can have influence and control. The anarchic nature of a genuine open source community (not to mention the developers’ oft-stated aim to improve privacy over time) is not culturally compatible with a top-down company run by the Big Dog. It’s a running joke that their CEO can’t say the word “Bitcoin”, but their recent “what will happen to cryptocurrencies in the 2020s” article is breathtaking in its boldness: innovation is mainly happening on altcoins, and they’re going to overtake bitcoin any day now. Those scaling problems which the Bitcoin developers say they don’t know how to solve? This non-technical CEO knows better.

So, don’t send anyone to an exchange, especially not a “market leading” one. Find some service that actually wants to sell them bitcoin, like CashApp or Swan Bitcoin.


Krebs on SecurityReport: ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office

A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations have enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office, according to a new complaint filed with the government’s internal affairs division.

As detailed this week by the Mexican daily Reforma, several Mexican federal, state and municipal officers filed a complaint saying the attorney general office responsible for combating corruption had initiated formal proceedings against them for investigating Romanians living in Mexico who are thought to be part of the ATM skimming operation.

Florian Tudor (right) and his business associates at a press conference earlier this year. Image: Reforma.

Reforma said the complaint centers on Camilo Constantino Rivera, who heads the unit in the Mexican Special Prosecutor’s office responsible for fighting corruption. It alleges Rivera has an inherent conflict of interest because his brother has served as a security escort and lawyer for Floridan Tudor, the reputed boss of a Romanian crime syndicate recently targeted by the FBI for running an ATM skimming and human trafficking network that operates throughout Mexico and the United States.

Tudor, a.k.a. “Rechinu” or “The Shark,” and his ATM company Intacash, were the subject of a three part investigation by KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang which was rumored to be bribing and otherwise coercing ATM technicians into installing Bluetooth-based skimming devices inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

In 2018, 44-year-old Romanian national Sorinel Constantin Marcu was found shot dead in his car in Mexico. Marcu’s older brother told KrebsOnSecurity shortly after the murder that his brother was Tudor’s personal bodyguard but at some point had a falling out with Tudor and his associates over money. Marcu the elder said his brother was actually killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to make it look like he was slain in his car instead.

On March 31, 2019, police in Cancun, Mexico arrested 42-year-old Tudor and 37-year-old Adrian Nicholae Cosmin for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations. Two months later, a judge authorized the search of several of Tudor’s properties.

The Reforma report says Rivera’s office subsequently initiated proceedings against and removed several agents who investigated the crime ring, alleging those agents abused their authority and conducted illegal searches. The complaint against Rivera charges that the criminal protection racket also included the former chief of police in Cancun.

In September 2019, prosecutors with the Southern District of New York unsealed indictments and announced arrests against 18 people accused of running an ATM skimming and money laundering operation that netted $20 million. The defendants in that case — nearly all of whom are Romanians living in the United States and Mexico — included Florian Claudio Martin, described by Romanian newspapers as “the brother of Rechinu,” a.k.a. Tudor.

The news comes on the heels of a public relations campaign launched by Mr. Tudor, who recently denounced harassment from the news media and law enforcement by taking out a full two-page ad in Novedades, the oldest daily newspaper in the Mexican state of Quintana Roo (where Cancun is located). In a news conference with members of the local press, Tudor also reportedly accused this author of having been hired by his enemies to slander him and ruin his legitimate business.

A two-page ad taken out earlier this year in a local newspaper by Florian Tudor, accusing the head of the state police department of spying on businessmen in order to extort and harass them.

Obviously, there is no truth to Tudor’s accusations, and this would hardly be the first time the reputed head of a transnational crime syndicate has insinuated that I was paid by his enemies to disrupt his operations.

Next week, KrebsOnSecurity will publish highlights from an upcoming lengthy investigation into Tudor and his company by the Organized Crime and Corruption Reporting Project (OCCRP), a consortium of investigative journalists operating in Eastern Europe, Central Asia and Central America.

Here’s a small teaser: Earlier this year, I was interviewed on camera by reporters with the OCCRP, who at one point in the discussion handed me a transcript of some text messages shared by law enforcement officials that allegedly occurred between Tudor and his associates directly after the publication of my 2015 investigation into Intacash.

The text messages suggested my story had blown the cover off their entire operation, and that they intended to shut it all down after the series was picked up in the Mexican newspapers. One text exchange seems to indicate the group even briefly contemplated taking out a hit on this author in retribution.

The Mexican attorney general’s office could not be immediately reached for comment. The “contact us” email link on the office’s homepage leads to a blank email address, and a message sent to the one email address listed there as the main contact for the Mexican government portal ( bounced back as an attempt to deliver to a non-existent domain name.

Further reading:

Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico, Part II

Who’s Behind Bluetooth Skimming in Mexico?

TEDListening to nature: The talks of TED2020 Session 1

TED looks a little different this year, but much has also stayed the same. The TED2020 mainstage program kicked off Thursday night with a session of talks, performances and visual delights from brilliant, creative individuals who shared ideas that could change the world — and stories of people who already have. But instead of convening in Vancouver, the TED community tuned in to the live, virtual broadcast hosted by TED’s Chris Anderson and Helen Walters from around the world — and joined speakers and fellow community members on an interactive, TED-developed second-screen platform to discuss ideas, ask questions and give real-time feedback. Below, a recap of the night’s inspiring talks, performances and conversations.

Sharing incredible footage of microscopic creatures, Ariel Waldman takes us below meters-thick sea ice in Antarctica to explore a hidden ecosystem. She speaks at TED2020: Uncharted on May 21, 2020. (Photo courtesy of TED)

Ariel Waldman, Antarctic explorer, NASA advisor

Big idea: Seeing microbes in action helps us more fully understand (and appreciate) the abundance of life that surrounds us. 

How: Even in the coldest, most remote place on earth, our planet teems with life. Explorer Ariel Waldman introduces the thousands of organisms that call Antarctica home — and they’re not all penguins. Leading a five-week expedition, Waldman descended the sea ice and scaled glaciers to investigate and film myriad microscopic, alien-looking creatures. Her footage is nothing short of amazing — like wildlife documentary at the microbial level! From tiny nematodes to “cuddly” water bears, mini sea shrimp to geometric bugs made of glass, her camera lens captures these critters in color and motion, so we can learn more about their world and ours. Isn’t nature brilliant?

Did you know? Tardigrades, also known as water bears, live almost everywhere on earth and can even survive in the vacuum of space. 

Tracy Edwards, Trailblazing sailor

Big Idea: Despite societal limits, girls and women are capable of creating the future of their dreams. 

How: Though competitive sailing is traditionally dominated by men, women sailors have proven they are uniquely able to navigate the seas. In 1989, Tracy Edwards led the first all-female sailing crew in the Whitbread Round the World Yacht Race. Though hundreds of companies refused to sponsor the team and bystanders warned that an all-female team was destined to fail, Edwards knew she could trust in the ability of the women on her team. Despite the tremendous odds, they completed the trip and finished second in their class. The innovation, kindness and resourcefulness of the women on Edwards’s crew enabled them to succeed together, upending all expectations of women in sailing. Now, Edwards advocates for girls and women to dive into their dream fields and become the role models they seek to find. She believes women should understand themselves as innately capable, that the road to education has infinite routes and that we all have the ability to take control of our present and shape our futures.

Quote of the talk: “This is about teaching girls: you don’t have to look a certain way; you don’t have to feel a certain way; you don’t have to behave a certain way. You can be successful. You can follow your dreams. You can fight for them.”

Classical musicians Sheku Kanneh-Mason and Isata Kanneh-Mason perform intimate renditions of Sergei Rachmaninov’s “Muse” and Frank Bridge’s “Spring Song” at TED2020: Uncharted on May 21, 2020. (Photo courtesy of TED)

Virtuosic cellist Sheku Kanneh-Mason, whose standout performance at the wedding of Prince Harry and Meghan Markle made waves with music fans across the world, joins his sister, pianist Isata Kanneh-Mason, for an intimate living room performance of “Muse” by Sergei Rachmaninov and “Spring Song” by Frank Bridge.

And for a visual break, podcaster and design evangelist Debbie Millman shares an animated love letter to her garden — inviting us to remain grateful that we are still able to make things with our hands.

Dallas Taylor, Host/creator of Twenty Thousand Hertz podcast

Big idea: There is no such thing as true silence.

Why? In a fascinating challenge to our perceptions of sound, Dallas Taylor tells the story of a well-known, highly-debated and perhaps largely misunderstood piece of music penned by composer John Cage. Written in 1952, 4′33″ is more experience than expression, asking the listener to focus on and accept things the way they are, through three movements of rest — or, less technically speaking, silence. In its “silence,” Cage invites us to contemplate the sounds that already exist when we’re ready to listen, effectively making each performance a uniquely meditative encounter with the world around us. “We have a once in a lifetime opportunity to reset our ears,” says Taylor, as he welcomes the audience to settle into the first movement of 4’33” together. “Listen to the texture and rhythm of the sounds around you right now. Listen for the loud and soft, the harmonic and dissonant … enjoy the magnificence of hearing and listening.”

Quote of the talk: “Quietness is not when we turn our minds off to sound, but when we really start to listen and hear the world in all of its sonic beauty.”

Dubbed “the woman who redefined man” by her biographer, Jane Goodall has changed our perceptions of primates, people and the connection between the two. She speaks with head of TED Chris Anderson at TED2020: Uncharted on May 21, 2020. (Photo courtesy of TED)

Jane Goodall, Primatologist, conservationist

Big idea: Humanity’s long-term livelihood depends on conservation.

Why? After years in the field reinventing the way the world thinks about chimpanzees, their societies and their similarities to humans, Jane Goodall began to realize that as habitats shrink, humanity loses not only resources and life-sustaining biodiversity but also our core connection to nature. Worse still, as once-sequestered animals are pulled from their environments and sold and killed in markets, the risk of novel diseases like COVID-19 jumping into the human population rises dramatically. In conversation with head of TED Chris Anderson, Goodall tells the story of a revelatory scientific conference in 1986, where she awakened to the sorry state of global conservation and transformed from a revered naturalist into a dedicated activist. By empowering communities to take action and save natural habitats around the world, Goodall’s institute now gives communities tools they need to protect their environment. As a result of her work, conservation has become part of the DNA of cultures from China to countries throughout Africa, and is leading to visible transformations of once-endangered forests and habitats.

Quote of the talk: Every day you live, you make an impact on the planet. You can’t help making an impact … If we all make ethical choices, then we start moving towards a world that will be not quite so desperate to leave for our great-grandchildren.”

Rondam RamblingsA review of John Sanford's "Genetic Entropy"

1.  Introduction (Feel free to skip this part.  It's just some context for what comes next.) As regular readers will already know, I put a fair amount of effort into understanding points of view that I don't agree with.  I think if you're going to argue against a position it is incumbent upon you to understand what you're arguing against so that your arguments are actually on point and you're

CryptogramBluetooth Vulnerability: BIAS

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device:

Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).

Our attacks are standard compliant, and are therefore effective against any standard compliant Bluetooth device regardless the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details. Our attacks are stealthy because the Bluetooth standard does not require to notify end users about the outcome of an authentication procedure, or the lack of mutual authentication. To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

News articles.

Worse Than FailureA Vintage Printer

IBM 1130 (16758008839)

Remember Robert, the student who ruined his class curve back in the 1960s? Well, proving the old adage that the guy who graduates last from medical school is still a doctor, he managed to find another part-time job at a small hospital, earning just enough to pay his continued tuition.

Industry standard in those days was the IBM System/360 series, but it was out of the price range of this hospital. Instead, they had an IBM 1130, which was designed to be used in laboratories and small scientific research facilities. It used FORTRAN, which was pretty inappropriate for business use, but a set of subroutines offered by IBM contained routines for dealing with currency values and formatting. The hospital captured charges on punch cards and those were used as input to a billing program.

The printer was a monstrous beast, spinning a drum of characters and firing hammers to print characters as they went by. In order to print in specific boxes on the billing forms, it was necessary to advance the paper to a specific point on the page. This was done using a loop of paper tape that had 12 channels in its width. A hole was punched at the line in the tape where the printer needed to stop. Wire brushes above the tape would hit the hole, making contact with the metal drum inside the loop and stopping the paper feed.

There was one box in the billing form that was used infrequently, only every few days. When the program issued the code to skip to that channel, paper would begin spewing for a few seconds, and then the printer would shut down with a fault. This required stopping, removing the paper, typing the necessary data into the partially-printed bill, and then restarting the job from the point of failure.

IBM Field Engineering was called, but was unable to find a reason for the problem. Their considered opinion was that it was a software fault. After dealing with the problem on a fairly regular basis, things escalated. The IBM Systems Engineer assigned to the site was brought in.

Robert's boss, the author of the billing software, had relied on an IDEAL subroutine package provided by IBM—technically unsupported, but written by IBM employees, so generally one would assume it was safe to use. The Systems Engineer spent a while looking over that package, but eventually declared it innocent and moved on. He checked over the code Robert's boss had written, but ultimately that, too, failed to provide any answers.

"Then it must be the machine," Robert's boss stated.

This was the wrong thing to say. "It couldn't be the machine!" The Engineer, a prideful young woman, bristled at the insinuation. "These machines are checked. Everything's checked before it leaves the factory!"

Tempers flared, voices on the edge of shouting. Robert ducked back into the room with the computer, followed rapidly by the Field Engineer who had come along earlier in the day to do his own checks. Trying to pretend they couldn't hear the argument, the pair began another once-over on the machine, looking for any sign of mechanical fault.

"Hey, a question," said Robert, holding the thick cable that connected the printer to the computer. "Could it be a problem with the cable?"

The Field Engineer unplugged the cable and examined it. "The pin for that channel doesn't look seated," he admitted sheepishly. "Let's replace it and see what happens."

That day Robert learned two valuable lessons in debugging. Number one: when in doubt, go over each piece of the machine, no matter how unlikely. Number two: never tell an IBM Engineer that the problem is on their end.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!


Planet Linux AustraliaStewart Smith: op-build v2.5 firmware for the Raptor Blackbird

Well, following on from my post where I excitedly pointed out that Raptor Blackbird support: all upstream in op-build v2.5, that means I can do another in my series of (close to) upstream Blackbird firmware builds.

This time, the only difference from straight upstream op-build v2.5 is my fixes for buildroot so that I can actually build it on Fedora 32.

So, head over to and grab blackbird.pnor to flash it on your blackbird, let me know how it goes!

Planet Linux AustraliaMatthew Oliver: GNS3 FRR Appliance

In my spare time, what little I have, I’ve been wanting to play with some OSS networking projects. For those playing along at home, during last Suse hackweek I played with wireguard, and to test the environment I wanted to set up some routing.
For which I used FRR.

FRR is a pretty cool project, if brings the networking routing stack to Linux, or rather gives us a full opensource routing stack. As most routers are actually Linux anyway.

Many years ago I happened to work at Fujitsu working in a gateway environment, and started playing around with networking. And that was my first experience with GNS3. An opensource network simulator. Back then I needed to have a copy of cisco IOS images to really play with routing protocols, so that make things harder, great open source product but needed access to proprietary router OSes.

FRR provides a CLI _very_ similar to ciscos, and make we think, hey I wonder if there is an FRR appliance we can use in GNS3?
And there was!!!

When I downloaded it and decompressed the cow2 image it was 1.5GB!!! For a single router image. It works great, but what if I wanted a bunch of routers to play with things like OSPF or BGP etc. Surely we can make a smaller one.


At Suse we use kiwi-ng to build machine images and release media. And to make things even easier for me we already have a kiwi config for small OpenSuse Leap JEOS images, jeos is “just enough OS”. So I hacked one to include FRR. All extra tweaks needed to the image are also easily done by bash hook scripts.

I wont go in to too much detail how because I created a git repo where I have it all including a detailed README:

So feel free to check that would and build and use the image.

But today, I went one step further. OpenSuse’s Open Build System, which is used to build all RPMs for OpenSuse, but can also build debs and whatever build you need, also supports building docker containers and system images using kiwi!

So have now got the OBS to build the image for me. The image can be downloaded from:

And if you want to send any OBS requests to change it the project/package is:

To import it into GNS3 you need the gns3a file, which you can find in my git repo or in the OBS project page.

The best part is this image is only 300MB, which is much better then 1.5GB!
I did have it a little smaller, 200-250MB, but unfortunately the JEOS cut down kernel doesn’t contain the MPLS modules, so had to pull in the full default SUSE kernel. If this became a real thing and not a pet project, I could go and build a FRR cutdown kernel to get the size down, but 300MB is already a lot better then where it was at.

Hostname Hack

When using GNS3 and you place a router, you want to be able to name the router and when you access the console it’s _really_ nice to see the router name you specified in GNS3 as the hostname. Why, because if you have a bunch, you want want a bunch of tags all with the localhost hostname on the commandline… this doesn’t really help.

The FRR image is using qemu, and there wasn’t a nice way to access the name of the VM from inside the container, and now an easy way to insert the name from outside. But found 1 approach that seems to be working, enter my dodgy hostname hack!

I also wanted to to it without hacking the gns3server code. I couldn’t easily pass the hostname in but I could pass it in via a null device with the router name its id:


So I simply wrote a script that sets the hostname based on the existence of this device. Made the script a systemd oneshot service to start at boot and it worked!

This means changing the name of the FRR router in the GNS3 interface, all you need to do is restart the router (stop and start the device) and it’ll apply the name to the router. This saves you having to log in as root and running hostname yourself.

Or better, if you name all your FRR routers before turning them on, then it’ll just work.

In conclusion…

Hopefully now we can have a fully opensource, GNS3 + FRR appliance solution for network training, testing, and inspiring network engineers.

Worse Than FailureCodeSOD: Classic WTF: A Char'd Enum

It's a holiday in the US today, so we're reaching back into the archives while doing some quarantine grilling. This classic has a… special approach to handling enums. Original. --Remy

Ah yes, the enum. It's a convenient way to give an integer a discrete domain of values, without having to worry about constants. But you see, therein lies the problem. What happens if you don't want to use an integer? Perhaps you'd like to use a string? Or a datetime? Or a char?

If that were the case, some might say just make a class that acts similarly, or then you clearly don't want an enum. But others, such as Dan Holmes' colleague, go a different route. They make sure they can fit chars into enums.

'******* Asc Constants ********
Private Const a = 65
Private Const b = 66
Private Const c = 67
Private Const d = 68
Private Const e = 69
Private Const f = 70
Private Const H = 72
Private Const i = 73
Private Const l = 76
Private Const m = 77
Private Const n = 78
Private Const O = 79
Private Const p = 80
Private Const r = 82
Private Const s = 83
Private Const t = 84
Private Const u = 85
Private Const x = 88

  ... snip ...

'******* Status Enums *********
Public Enum MessageStatus
  MsgError = e
  MsgInformation = i
  ProdMsg = p
  UpLoad = u
  Removed = x
End Enum

Public Enum PalletTable
  Shipped = s   'Pallet status code
  Available = a
End Enum
[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

Cory DoctorowSomeone Comes to Town, Someone Leaves Town (part 04)

Here’s part four of my new reading of my novel Someone Comes to Town, Someone Leaves Town (you can follow all the installments, as well as the reading I did in 2008/9, here).

In this installment, we meet Kurt, the crustypunk high-tech dumpster-diver. Kurt is loosely based on my old friend Darren Atkinson, who pulled down a six-figure income by recovering, repairing and reselling high-tech waste from Toronto’s industrial suburbs. Darren was the subject of the first feature I ever sold to Wired, Dumpster Diving, which was published in the September, 1997 issue.

This is easily the weirdest novel I ever wrote. Gene Wolfe (RIP) gave me an amazing quote for it: “Someone Comes to Town, Someone Leaves Town is a glorious book, but there are hundreds of those. It is more. It is a glorious book unlike any book you’ve ever read.”

Here’s how my publisher described it when it came out:

Alan is a middle-aged entrepeneur who moves to a bohemian neighborhood of Toronto. Living next door is a young woman who reveals to him that she has wings—which grow back after each attempt to cut them off.

Alan understands. He himself has a secret or two. His father is a mountain, his mother is a washing machine, and among his brothers are sets of Russian nesting dolls.

Now two of the three dolls are on his doorstep, starving, because their innermost member has vanished. It appears that Davey, another brother who Alan and his siblings killed years ago, may have returned, bent on revenge.

Under the circumstances it seems only reasonable for Alan to join a scheme to blanket Toronto with free wireless Internet, spearheaded by a brilliant technopunk who builds miracles from scavenged parts. But Alan’s past won’t leave him alone—and Davey isn’t the only one gunning for him and his friends.

Whipsawing between the preposterous, the amazing, and the deeply felt, Cory Doctorow’s Someone Comes to Town, Someone Leaves Town is unlike any novel you have ever read.



Planet Linux AustraliaFrancois Marier: Printing hard-to-print PDFs on Linux

I recently found a few PDFs which I was unable to print due to those files causing insufficient printer memory errors:

I found a detailed explanation of what might be causing this which pointed the finger at transparent images, a PDF 1.4 feature which apparently requires a more recent version of PostScript than what my printer supports.

Using Okular's Force rasterization option (accessible via the print dialog) does work by essentially rendering everything ahead of time and outputing a big image to be sent to the printer. The quality is not very good however.

Converting a PDF to DjVu

The best solution I found makes use of a different file format: .djvu

Such files are not PDFs, but can still be opened in Evince and Okular, as well as in the dedicated DjVuLibre application.

As an example, I was unable to print page 11 of this paper. Using pdfinfo, I found that it is in PDF 1.5 format and so the transparency effects could be the cause of the out-of-memory printer error.

Here's how I converted it to a high-quality DjVu file I could print without problems using Evince:

pdf2djvu -d 1200 2002.04049.pdf > 2002.04049-1200dpi.djvu

Converting a PDF to PDF 1.3

I also tried the DjVu trick on a different unprintable PDF, but it failed to print, even after lowering the resolution to 600dpi:

pdf2djvu -d 600 dow-faq_v1.1.pdf > dow-faq_v1.1-600dpi.djvu

In this case, I used a different technique and simply converted the PDF to version 1.3 (from version 1.6 according to pdfinfo):

ps2pdf13 -r1200x1200 dow-faq_v1.1.pdf dow-faq_v1.1-1200dpi.pdf

This eliminates the problematic transparency and rasterizes the elements that version 1.3 doesn't support.


Krebs on SecurityRiding the State Unemployment Fraud ‘Wave’

When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.

Last week, the U.S. Secret Service warned of “massive fraud” against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses.

Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states.

Denizens of a Telegram chat channel newly rededicated to stealing state unemployment funds discussing cashout methods.

Yes, for roughly $50 worth of bitcoin, you too can quickly jump on the unemployment fraud “wave” and learn how to swindle unemployment insurance money from different states. The channel pictured above and others just like it are selling different “methods” for defrauding the states, complete with instructions on how best to avoid getting your phony request flagged as suspicious.

Although, at the rate people in these channels are “flexing” — bragging about their fraudulent earnings with screenshots of recent multiple unemployment insurance payment deposits being made daily — it appears some states aren’t doing a whole lot of fraud-flagging.

A still shot from a video a fraudster posted to a Telegram channel overrun with people engaged in unemployment insurance fraud shows multiple $800+ payments in one day from Massachusetts’ Department of Unemployment Assistance (DUA).

A federal fraud investigator who’s helping to trace the source of these crimes and who spoke with KrebsOnSecurity on condition of anonymity said many states have few controls in place to spot patterns in fraudulent filings, such as multiple payments going to the same bank accounts, or filings made for different people from the same Internet address.

In too many cases, he said, the deposits are going into accounts where the beneficiary name does not match the name on the bank account. Worse still, the source said, many states have dramatically pared back the amount of information required to successfully request an unemployment filing.

“The ones we’re seeing worst hit are the states that aren’t asking where you worked,” the investigator said. “It used to be they’d have a whole list of questions about your previous employer, and you had to show you were trying to find work. But now because of the pandemic, there’s no such requirement. They’ve eliminated any controls they had at all, and now they’re just shoveling money out the door based on Social Security number, name, and a few other details that aren’t hard to find.”


Earlier this week, email security firm Agari detailed a fraud operation tied to a seasoned Nigerian cybercrime group it dubbed “Scattered Canary,” which has been busy of late bilking states and the federal government out of economic stimulus and unemployment payments. Agari said this group has been filing hundreds of successful claims, all effectively using the same email address.

“Scattered Canary uses Gmail ‘dot accounts’ to mass-create accounts on each target website,” Agari’s Patrick Peterson wrote. “Because Google ignores periods when interpreting Gmail addresses, Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (”

Image: Agari.

Indeed, the very day the IRS unveiled its site for distributing CARES Act payments last month, KrebsOnSecurity warned that it was very likely to be abused by fraudsters to intercept stimulus payments from U.S. citizens, mainly because the only information required to submit a claim was name, date of birth, address and Social Security number.

Agari notes that since April 29, Scattered Canary has filed at least 174 fraudulent claims for unemployment with the state of Washington.

“Based on communications sent to Scattered Canary, these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks,” Peterson wrote. “Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a maximum potential loss as a result of these fraudulent claims of $4.7 million.”


A number of states have suffered security issues with the PUA websites that exposed personal details of citizens filing unemployment insurance claims. Perhaps the most galling example comes from Arkansas, whose site exposed the SSNs, bank account and routing numbers for some 30,000 applicants.

In that instance, The Arkansas Times alerted the state after hearing from a computer programmer who was filing for unemployment on the site and found he could see other applicants’ data simply by changing the site’s URL slightly. State officials reportedly ignored the programmer’s repeated attempts to get them to fix the issue, and when it was covered by the newspaper the state governor accused the person who found it of breaking the law.

Over the past week, several other states have discovered similar issues with their PUA application sites, including Colorado, Illinois, and Ohio.

Planet Linux AustraliaMichael Still: A totally cheating sour dough starter


This is the third in a series of posts documenting my adventures in making bread during the COVID-19 shutdown. I’d like to imagine I was running science experiments in making bread on my kids, but really all I was trying to do was eat some toast.

I’m not sure what it was like in other parts of the world, but during the COVID-19 pandemic Australia suffered a bunch of shortages — toilet paper, flour, and yeast were among those things stores simply didn’t have any stock of. Luckily we’d only just done a costco shop so were ok for toilet paper and flour, but we were definitely getting low on yeast. The obvious answer is a sour dough starter, but I’d never done that thing before.

In the end my answer was to cheat and use this recipe. However, I found the instructions unclear, so here’s what I ended up doing:

Starting off

  • 2 cups of warm water
  • 2 teaspoons of dry yeast
  • 2 cups of bakers flour

Mix these three items together in a plastic container with enough space for the mix to double in size. Place in a warm place (on the bench on top of the dish washer was our answer), and cover with cloth secured with a rubber band.


Once a day you should feed your starter with 1 cup of flour and 1 cup of warm water. Stir throughly.

Reducing size

The recipe online says to feed for five days, but the size of my starter was getting out of hand by a couple of days, so I started baking at that point. I’ll describe the baking process in a later post. The early loaves definitely weren’t as good as the more recent ones, but they were still edible.


Once the starter is going, you feed daily and probably need to bake daily to keep the starters size under control. That obviously doesn’t work so great if you can’t eat an entire loaf of bread a day. You can hybernate the starter by putting it in the fridge, which means you only need to feed it once a week.

To wake a hybernated starter up, take it out of the fridge and feed it. I do this at 8am. That means I can then start the loaf for baking at about noon, and the starter can either go back in the fridge until next time or stay on the bench being fed daily.

I have noticed that sometimes the starter comes out of the fridge with a layer of dark water on top. Its worked out ok for us to just ignore that and stir it into the mix as part of the feeding process. Hopefully we wont die.


Planet Linux AustraliaStewart Smith: Refurbishing my Macintosh Plus

Somewhere in the mid to late 1990s I picked myself up a Macintosh Plus for the sum of $60AUD. At that time there were still computer Swap Meets where old and interesting equipment was around, so I headed over to one at some point (at the St Kilda Town Hall if memory serves) and picked myself up four 1MB SIMMs to boost the RAM of it from the standard 1MB to the insane amount of 4MB. Why? Umm… because I could? The RAM was pretty cheap, and somewhere in the house to this day, I sometimes stumble over the 256KB SIMMs as I just can’t bring myself to get rid of them.

This upgrade probably would have cost close to $2,000 at the system’s release. If the Macintosh system software were better at disk caching you could have easily held the whole 800k of the floppy disk in memory and still run useful software!

One of the annoying things that started with the Macintosh was odd screws and Apple gear being hard to get into. Compare to say, the Apple ][ which had handy clips to jump inside whenever. In fitting my massive FOUR MEGABYTES of RAM back in the day, I recall using a couple of allen keys sticky-taped together to be able to reach in and get the recessed Torx screws. These days, I can just order a torx bit off Amazon and have it arrive pretty quickly. Well, two torx bits, one of which is just too short for the job.

My (dusty) Macintosh Plus

One thing had always struck me about it, it never really looked like the photos of the Macintosh Plus I saw in books. In what is an embarrassing number of years later, I learned that a lot can be gotten from the serial number printed on the underside of the front of the case.

So heading over to the My Old Mac Serial Number Decoder I can find out:

Manufactured in: F => Fremont, California, USA
Year of production: 1985
Week of production: 14
Production number: 3V3 => 4457
Model ID: M0001WP => Macintosh 512K (European Macintosh ED)

Your Macintosh 512K (European Macintosh ED) was the 4457th Mac manufactured during the 14th week of 1985 in Fremont, California, USA.

Pretty cool! So it is certainly a Plus as the logic board says that, but it’s actually an upgraded 512k! If you think it was madness to have a GUI with only 128k of RAM in the original Macintosh, you’d be right. I do not envy anybody who had one of those.

Some time a decent (but not too many, less than 10) years ago, I turn on the Mac Plus to see if it still worked. It did! But then… some magic smoke started to come out (which isn’t so good), but the computer kept working! There’s something utterly bizarre about looking at a computer with smoke coming out of it that continues to function perfectly fine.

Anyway, as the smoke was coming out, I decided that it would be an opportune time to turn it off, open doors and windows, and put it away until I was ready to deal with it.

One Global Pandemic Later, and now was the time.

I suspected it was going to be a capacitor somewhere that blew, and figured that I should replace it, and probably preemptively replace all the other electrolytic capacitors that could likely leak and cause problems.

First thing’s first though: dismantle it and clean everything. First, taking the case off. Apple is not new to the game of annoying screws to get into things. I ended up spending $12 on this set on Amazon, as the T10 bit can actually reach the screws holding the case on.

Cathode Ray Tubes are not to be messed with. We’re talking lethal voltages here. It had been many years since electricity went into this thing, so all was good. If this all doesn’t work first time when reassembling it, I’m not exactly looking forward to discharging a CRT and working on it.

The inside of my Macintosh Plus, with lots of grime.

You can see there’s grime everywhere. It’s not the worst in the world, but it’s not great (and kinda sticky). Obviously, this needs to be cleaned! The best way to do that is take a lot of photos, dismantle everything, and clean it a bit at a time.

There’s four main electronic components inside a Macintosh Plus:

  1. The CRT itself
  2. The floppy disk drive
  3. The Logic Board (what Mac people call what PC people call the motherboard)
  4. The Analog Board

There’s also some metal structure that keeps some things in place. There’s only a few connectors between things, which are pretty easy to remove. If you don’t know how to discharge a CRT and what the dangers of them are you should immediately go and find out through reading rather than finding out by dying. I would much prefer it if you dyed (because creative fun) rather than died.

Once the floppy connector and the power connector is unplugged, the logic board slides out pretty easily. You can see from the photo below that I have the 4MB of RAM installed and the resistor you need to snip is, well, snipped (but look really closely for that). Also, grime.

Macintosh Plus Logic Board

Cleaning things? Well, there’s two ways that I have used (and considering I haven’t yet written the post with “hurray, it all works”, currently take it with a grain of salt until I write that post). One: contact cleaner. Two: detergent.

Macintosh Plus Logic Board (being washed in my sink)

I took the route of cleaning things first, and then doing recapping adventures. So it was some contact cleaner on the boards, and then some soaking with detergent. This actually all worked pretty well.

Logic Board Capacitors:

  • C5, C6, C7, C12, C13 = 33uF 16V 85C (measured at 39uF, 38uF, 38uF, 39uF)
  • C14 = 1uF 50V (measured at 1.2uF and then it fluctuated down to around 1.15uF)

Analog Board Capacitors

  • C1 = 35V 3.9uF (M) measured at 4.37uF
  • C2 = 16V 4700uF SM measured at 4446uF
  • C3 = 16V 220uF +105C measured at 234uF
  • C5 = 10V 47uF 85C measured at 45.6uF
  • C6 = 50V 22uF 85C measured at 23.3uF
  • C10 = 16V 33uF 85C measured at 37uF
  • C11 = 160V 10uF 85C measured at 11.4uF
  • C12 = 50V 22uF 85C measured at 23.2uF
  • C18 = 16V 33uF 85C measured at 36.7uF
  • C24 = 16V 2200uF 105C measured at 2469uF
  • C27 = 16V 2200uF 105C measured at 2171uF (although started at 2190 and then went down slowly)
  • C28 = 16V 1000uF 105C measured at 638uF, then 1037uF, then 1000uF, then 987uF
  • C30 = 16V 2200uF 105C measured at 2203uF
  • C31 = 16V 220uF 105C measured at 236uF
  • C32 = 16V 2200uF 105C measured at 2227uF
  • C34 = 200V 100uF 85C measured at 101.8uF
  • C35 = 200V 100uF 85C measured at 103.3uF
  • C37 = 250V 0.47uF measured at <exploded>. wheee!
  • C38 = 200V 100uF 85C measured at 103.3uF
  • C39 = 200V 100uF 85C mesaured at 99.6uF (with scorch marks from next door)
  • C42 = 10V 470uF 85C measured at 556uF
  • C45 = 10V 470uF 85C measured at 227uF, then 637uF then 600uF

I’ve ordered an analog board kit from and when trying to put them in, I learned that the US Analog board is different to the International Analog board!!! Gah. Dammit.

Note that C30, C32, C38, C39, and C37 were missing from the kit I received (probably due to differences in the US and International boards). I did have an X2 cap (for C37) but it was 0.1uF not 0.47uF. I also had two extra 1000uF 16V caps.

Macintosh Repair and Upgrade Secrets (up to the Mac SE no less!) holds an Appendix with the parts listing for both the US and International Analog boards, and this led me to conclude that they are in fact different boards rather than just a few wires that are different. I am not sure what the “For 120V operation, W12 must be in place” and “for 240V operation, W12 must be removed” writing is about on the International Analog board, but I’m not quite up to messing with that at the moment.

So, I ordered the parts (linked above) and waited (again) to be able to finish re-capping the board.

I found video to be a good one for learning a bunch about the insides of compact Macs, I recommend it and several others on his YouTube channel. One interesting thing I learned is that the X2 cap (C37 on the International one) is before the power switch, so could blow just by having the system plugged in and not turned on! Okay, so I’m kind of assuming that it also applies to the International board, and mine exploded while it was plugged in and switched on, so YMMV.

Additionally, there’s an interesting list of commonly failing parts. Unfortunately, this is also for the US logic board, so the tables in Macintosh Repair and Upgrade Secrets are useful. I’m hoping that I don’t have to replace anything more there, but we’ll see.

But, after the Nth round of parts being delivered….

Note the lack of an exploded capacitor

Yep, that’s where the exploded cap was before. Cleanup up all pretty nicely actually. Annoyingly, I had to run it all through a step-up transformer as the board is all set for Australian 240V rather than US 120V. This isn’t going to be an everyday computer though, so it’s fine.

Woohoo! It works. While I haven’t found my supply of floppy disks that (at least used to) work, the floppy mechanism also seems to work okay.

Next up: waiting for my Floppy Emu to arrive as it’ll certainly let it boot. Also, it’s now time to rip the house apart to find a floppy disk that certainly should have made its way across the ocean with the move…. Oh, and also to clean up the mouse and keyboard.


CryptogramFriday Squid Blogging: Squid Can Edit Their Own Genomes

This is new news:

Revealing yet another super-power in the skillful squid, scientists have discovered that squid massively edit their own genetic instructions not only within the nucleus of their neurons, but also within the axon -- the long, slender neural projections that transmit electrical impulses to other neurons. This is the first time that edits to genetic information have been observed outside of the nucleus of an animal cell.


The discovery provides another jolt to the central dogma of molecular biology, which states that genetic information is passed faithfully from DNA to messenger RNA to the synthesis of proteins. In 2015, Rosenthal and colleagues discovered that squid "edit" their messenger RNA instructions to an extraordinary degree -- orders of magnitude more than humans do -- allowing them to fine-tune the type of proteins that will be produced in the nervous system.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

TEDFragility, resilience and restoration at TED2020: The Prequel

It’s a new, strange, experimental day for TED. In a special Earth Day event, TED2020: The Prequel brought the magic of the TED conference to the virtual stage, inviting TED2020 community members to gather for three sessions of talks and engaging, innovative opportunities to connect. Alongside world-changing ideas from leaders in science, political strategy and environmental activism, attendees also experienced the debut of an interactive, TED-developed second-screen technology that gave them the opportunity to discuss ideas, ask questions of speakers and give real-time (emoji-driven) feedback to the stage. Below, a recap of the day’s inspiring talks, performances and conversations.

Session 1: Fragility

The opening session featured thinking on the fragile state of the present — and some hopes for the future.

Larry Brilliant, epidemiologist

Big idea: Global cooperation is the key to ending the novel coronavirus pandemic.

How? In a live conversation with head of TED Chris Anderson, epidemiologist Larry Brilliant reviews the global response to SARS-CoV-2 and reflects on what we can do to end the outbreak. While scientists were able to detect and identify the virus quickly, Brilliant says, political incompetence and fear delayed action. Discussing the deadly combination of a short incubation period with a high transmissibility rate, he explains how social distancing doesn’t stamp out the disease but rather slows its spread, giving us the time needed to execute crucial contact tracing and develop a vaccine. Brilliant shares how scientists are collaborating to speed up the vaccine timeline by running multiple processes (like safety testing and manufacturing) in parallel, rather than in a time-consuming sequential process. And he reminds us that to truly conquer the pandemic, we must work together across national boundaries and political divides. Watch the conversation on » 

Quote of the talk: This is what a pandemic forces us to realize: we are all in it together, we need a global solution to a global problem. Anything less than that is unthinkable.”

Now is a time “to be together rather than to try to pull the world apart and crawl back into our own nationalistic shells,” says Huang Hung.

Huang Hung, writer, publisher

Big idea: Individual freedom as an abstract concept in a pandemic is meaningless. It’s time for the West to take a step toward the East.

How? By embracing and prizing collective responsibility. In conversation with TED’s head of curation, Helen Walters, writer and publisher Huang Hung discusses how the Chinese people’s inherent trust in their government to fix problems (even when the solutions are disliked) played out with COVID-19, the handling of coronavirus whistleblower Dr. Li Wenliang and what, exactly, “wok throwing” is. What seems normal and appropriate to the Chinese, Hung says — things like contact tracing and temperature checks at malls — may seem surprising and unfamiliar to Westerners at first, but these tools can be our best bet to fight a pandemic. What’s most important now is to think about the collective, not the individual. “It is a time to be together rather than to try to pull the world apart and crawl back into our own nationalistic shells,” she says.

Fun fact: There’s a word — 乖, or “guai” — that exists only in Chinese: it means a child who listens to their parents.

Watch Oliver Jeffer’s TED Talk, “An ode to living on Earth,” at

Oliver Jeffers, artist, storyteller

Big idea: In the face of infinite odds, 7.5 billion of us (and counting) find ourselves here, on Earth, and that shared existence is the most important thing we have.

Why? In a poetic effort to introduce life on Earth to someone who’s never been here before, artist Oliver Jeffers wrote his newborn son a letter (which grew into a book, and then a sculpture) full of pearls of wisdom on our shared humanity. Alongside charming, original illustrations, he gives some of his best advice for living on this planet. Jeffers acknowledges that, in the grand scheme of things, we know very little about existence — except that we are experiencing it together. And we should relish that connection. Watch the talk on »

Quote of the talk: “‘For all we know,’ when said as a statement, means the sum total of all knowledge. But ‘for all we know’ when said another way, means that we do not know at all. This is the beautiful, fragile drama of civilization. We are the actors and spectators of a cosmic play that means the world to us here but means nothing anywhere else.”

Musical interludes from 14-year old prodigy Lydian Nadhaswaram, who shared an energetic, improvised version of Gershwin’s “Summertime,” and musician, singer and songwriter Sierra Hull, who played her song “Beautifully Out of Place.”


Session 2: Resilience

Session 2 focused on The Audacious Project, a collaborative funding initiative housed at TED that’s unlocking social impact on a grand scale. The session saw the debut of three 2020 Audacious grantees — Crisis Text Line, The Collins Lab and ACEGID — that are spearheading bold and innovative solutions to the COVID-19 pandemic. Their inspirational work on the front lines is delivering urgent support to help the most vulnerable through this crisis.

Pardis Sabeti and Christian Happi, disease researchers

Big idea: Combining genomics with new information technologies, Sentinel — an early warning system that can detect and respond to emerging viral threats in real-time — aims to radically change how we catch and control outbreaks. With the novel coronavirus pandemic, Sentinel is pivoting to become a frontline responder to COVID-19.

How? From advances in the field of genomics, the team at Sentinel has developed two tools to detect viruses, track outbreaks and watch for mutations. First is Sherlock, a new method to test viruses with simple paper strips — and identify them within hours. The second is Carmen, which enables labs to test hundreds of viruses simultaneously, massively increasing diagnostic ability. By pairing these tools with mobile and cloud-based technologies, Sentinel aims to connect health workers across the world and share critical information to preempt pandemics. As COVID-19 sweeps the globe, the Sentinel team is helping scientists detect the virus quicker and empower health workers to connect and better contain the outbreak. See what you can do for this idea »

Quote of the talk: “The whole idea of Sentinel is that we all stand guard over each other, we all watch. Each one of us is a sentinel.”

Jim Collins, bioengineer

Big idea: AI is our secret weapon against the novel coronavirus.

How? Bioengineer Jim Collins rightly touts the promise and potential of technology as a tool to discover solutions to humanity’s biggest molecular problems. Prior to the coronavirus pandemic, his team combined AI with synthetic biology data, seeking to avoid a similar battle that’s on the horizon: superbugs and antibiotic resistance. But in the shadow of the present global crisis, they pivoted these technologies to help defeat the virus. They have made strides in using machine learning to discover new antiviral compounds and develop a hybrid protective mask-diagnostic test. Thanks to funding from The Audacious Project, Collins’s team will develop seven new antibiotics over seven years, with their immediate focus being treatments to help combat bacterial infections that occur alongside SARS-CoV-2. See what you can do for this idea »

Quote of the talk: “Instead of looking for a needle in a haystack, we can use the giant magnet of computing power to find many needles in multiple haystacks simultaneously.”

“This will be strangers helping strangers around the world — like a giant global love machine,” says Crisis Text Line CEO Nancy Lublin, outlining the expansion of the crisis intervention platform.

Nancy Lublin, health activist

Big idea: Crisis Text Line, a free 24-hour service that connects with people via text message, delivers crucial mental health support to those who need it. Now they’re going global.

How? Using mobile technology, machine learning and a large distributed network of volunteers, Crisis Text Line helps people in times of crisis, no matter the situation. Here’s how it works: If you’re in the United States or Canada, you can text HOME to 741741 and connect with a live, trained Crisis Counselor, who will provide confidential help via text message. (Numbers vary for the UK and Ireland; find them here.) The not-for-profit launched in August 2013 and within four months had expanded to all 274 area codes in the US. Over the next two-and-a-half years, they’re committing to providing aid to anyone who needs it not only in English but also in Spanish, Portuguese, French and Arabic — covering 32 percent of the globe. Learn how you can join the movement to spread empathy across the world by becoming a Crisis Counselor. See what you can do for this idea »

Quote of the talk: “This will be strangers helping strangers around the world — like a giant global love machine.”

Music and interludes from Damian Kulash and OK Go, who showed love for frontline pandemic workers with the debut of a special quarantine performance, and David Whyte, who recited his poem “What to Remember When Waking,” inviting us to celebrate that first, hardly-noticed moment when we wake up each day. “What you can plan is too small for you to live,” Whyte says.


Session 3: Restoration

The closing session considered ways to restore our planet’s health and work towards a beautiful, clean, carbon-free future.

Watch Tom Rivett-Carnac’s TED Talk, “How to shift your mindset and choose your future,” at

Tom Rivett-Carnac, political strategist

Big idea: We need stubborn optimism coupled with action to meet our most formidable challenges.

How: Speaking from the woods outside his home in England, political strategist Tom Rivett-Carnac addresses the loss of control and helplessness we may feel as a result of overwhelming threats like climate change. Looking to leaders from history who have blazed the way forward in dark times, he finds that people like Rosa Parks, Winston Churchill and Mahatma Gandhi had something in common: stubborn optimism. This mindset, he says, is not naivety or denial but rather a refusal to be defeated. Stubborn optimism, when paired with action, can infuse our efforts with meaning and help us choose the world we want to create. Watch the talk on »

Quote of the talk: “This stubborn optimism is a form of applied love … and it is a choice for all of us.”

Kristine Tompkins, Earth activist, conservationist

Big idea: Earth, humanity and nature are all interconnected. To restore us all back to health, let’s “rewild” the world. 

Why? The disappearance of wildlife from its natural habitat is a problem to be met with action, not nostalgia. Activist and former Patagonia CEO Kristine Tompkins decided she would dedicate the rest of her life to that work. By purchasing privately owned wild habitats, restoring their ecosystems and transforming them into protected national parks, Tompkins shows the transformational power of wildlands philanthropy. She urgently spreads the importance of this kind of “rewilding” work — and shows that we all have a role to play. “The power of the absent can’t help us if it just leads to nostalgia or despair,” she says. “It’s only useful if it motivates us toward working to bring back what’s gone missing.”

Quote of the talk: “Every human life is affected by the actions of every other human life around the globe. And the fate of humanity is tied to the health of the planet. We have a common destiny. We can flourish or we can suffer, but we’re going to be doing it together.”

Music and interludes from Amanda Palmer, who channels her inner Gonzo with a performance of “I’m Going To Go Back There Someday” from The Muppet Movie; Baratunde Thurston, who took a moment to show gratitude for Earth and reflect on the challenge humanity faces in restoring balance to our lives; singer-songwriter Alice Smith, who gives a hauntingly beautiful vocal performance of her original song “The Meaning,” dedicated of Mother Earth; and author Neil Gaiman, reading an excerpt about the fragile beauty that lies at the heart of life.

Worse Than FailureError'd: Rest in &;$(%{>]$73!47;£*#’v\

"Should you find yourself at a loss for words at the loss of a loved one, there are other 'words' you can try," Steve M. writes.


"Cool! I can still use the premium features for -3 days! Thanks, Mailjet!" writes Thomas.


David C. wrote, "In this time of virus outbreak, we all know you've been to the doctor so don't try and lie about it."


Gavin S. wrote, "I guess Tableau sets a low bar for its Technical Program Managers?"


"Ubutuntu: For when your Linux desktop isn't frilly enough!" Stuart L. wrote.


"Per Dropbox's rules, this prompt valid only for strings with a length of 5 that are greater than or equal to 6," Robert H. writes.


[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!


Worse Than FailureCodeSOD: Checking Your Options

If nulls are a “billion dollar mistake”, then optional/nullable values are the $50 of material from the hardware store that you use to cover up that mistake. It hasn’t really fixed anything, but if you’re handy, you can avoid worrying too much about null references.

D. Dam Wichers found some “interesting” Java code that leverages optionals, and combines them with the other newish Java feature that everyone loves to misuse: streams.

First, let’s take a look at the “right” way to do this though. The code needs to take a list of active sessions, filter out any older than a certain threshold, and then summarize them together into a single composite session object. This is a pretty standard filter/reduce scenario, and in Java, you might write it something like this:


The this::… syntax is Java’s way of passing references to methods around, which isn’t a replacement for lambdas but is often easier to use in Java. The stream call starts a stream builder, and then we attach the filter and reduce operations. One of the key advantages here is that this can be lazily evaluated, so we haven’t actually filtered yet. This also might not actually return anything, so the result is implicitly wrapped in an Optional type.

With the “right” way firmly in mind, let’s look at the body of a method D. Dam found.

   Optional<CachedSession> theSession;

   theSession =
                     .filter(session -> filterOldSessions(session))
                     .reduce((first, second) -> reduceByStatus(first, second));

   if (theSession.isPresent()) {
        return Optional.of(theSession.get());
   } else {
        return Optional.empty();

This code isn’t wrong, it just highlights a developer unfamiliar with their tools. First, note the use of lambdas instead of the this::… syntax. It’s functionally the same, but this is harder to read- it’s less clear.

The real confusion, though, is after they’ve gotten the result. They understand that the stream operation has returned an Optional. So they check if that Optional isPresent- if it has a value. If it does, they get the value and wrap it in a new Optional (Optional.of is a static factory method which generates new Optionals). Otherwise, if it’s empty, we return an empty optional. Which, if they’d just returned the result of the stream operation, they would have gotten the same result.

It’s always frustrating to see this kind of code. It’s a developer who is so close to getting it, but who just isn’t quite there yet. That said, it’s not all bad, as D. Dam points out:

In defense of the original code: it is a little more clear that an Optional is setup properly and returned.

I’m not sure that it’s necessary to make that clear, but this code isn’t bad, it’s just annoying. It’s the kind of thing that you need to bring up in a code review, but somebody’s going to think you’re nit-picking, and when you start using words like readability, there’ll always be a manager who just wants this commit in production yesterday and says, “Readability is different for everyone, it’s fine.”

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


TED“TEDx SHORTS”, a TED original podcast hosted by actress Atossa Leoni, premieres May 18

Launching on Monday, May 18, TED’s new podcast TEDx SHORTS gives listeners a quick and meaningful taste of curiosity, skepticism, inspiration and action drawn from TEDx Talks. In less than 10 minutes, host Atossa Leoni guides listeners through fresh perspectives, inspiring stories and surprising information from some of the most compelling TEDx Talks. 

TEDx events are organized and run by a passionate community of independent volunteers who are at the forefront of giving a platform to global voices and sharing new ideas that spark conversations in their local areas. Since 2009, there have been more than 28,000 independently organized TEDx events in over 170 countries across the world. TEDx organizers have given voice to some of the world’s most recognized speakers, including Brené Brown and Greta Thunberg. 

TEDx SHORTS host and actress Atossa Leoni is known for her roles in the award-winning television series Homeland and the film adaptation of The Kite Runner, based on Khaled Hosseini’s best-selling novel. Atossa is fluent in five languages and is recognized for her work in promoting international human rights and women’s rights.

“Every day, TEDx Talks surface new ideas, research and perspectives from around the world,” says Jay Herratti, Executive Director of TEDx. “With TEDx SHORTS, we’ve curated short excerpts from some of the most thought-provoking and inspiring TEDx Talks so that listeners can discover them in bite-sized episodes.”

Produced by TED in partnership with PRX, TEDx SHORTS is one of TED’s seven original podcasts, which also include The TED Interview, TED Talks Daily, TED en Español, Sincerely, X, WorkLife with Adam Grant and TED Radio Hour. TED’s podcasts are downloaded more than 420 million times annually.

TEDx SHORTS debuts Monday, May 18 on Apple Podcasts or wherever you like to listen to podcasts.

CryptogramBart Gellman on Snowden

Bart Gellman's long-awaited (at least by me) book on Edward Snowden, Dark Mirror: Edward Snowden and the American Surveillance State, will finally be published in a couple of weeks. There is an adapted excerpt in the Atlantic.

It's an interesting read, mostly about the government surveillance of him and other journalists. He speaks about an NSA program called FIRSTFRUITS that specifically spies on US journalists. (This isn't news; we learned about this in 2006. But there are lots of new details.)

One paragraph in the excerpt struck me:

Years later Richard Ledgett, who oversaw the NSA's media-leaks task force and went on to become the agency's deputy director, told me matter-of-factly to assume that my defenses had been breached. "My take is, whatever you guys had was pretty immediately in the hands of any foreign intelligence service that wanted it," he said, "whether it was Russians, Chinese, French, the Israelis, the Brits. Between you, Poitras, and Greenwald, pretty sure you guys can't stand up to a full-fledged nation-state attempt to exploit your IT. To include not just remote stuff, but hands-on, sneak-into-your-house-at-night kind of stuff. That's my guess."

I remember thinking the same thing. It was the summer of 2013, and I was visiting Glenn Greenwald in Rio de Janeiro. This was just after Greenwald's partner was detained in the UK trying to ferry some documents from Laura Poitras in Berlin back to Greenwald. It was an opsec disaster; they would have been much more secure if they'd emailed the encrypted files. In fact, I told them to do that, every single day. I wanted them to send encrypted random junk back and forth constantly, to hide when they were actually sharing real data.

As soon as I saw their house I realized exactly what Ledgett said. I remember standing outside the house, looking into the dense forest for TEMPEST receivers. I didn't see any, which only told me they were well hidden. I guessed that black-bag teams from various countries had already been all over the house when they were out for dinner, and wondered what would have happened if teams from different countries bumped into each other. I assumed that all the countries Ledgett listed above -- plus the US and a few more -- had a full take of what Snowden gave the journalists. These journalists against those governments just wasn't a fair fight.

I'm looking forward to reading Gellman's book. I'm kind of surprised no one sent me an advance copy.

TED“Pindrop,” a TED original podcast hosted by filmmaker Saleem Reshamwala, premieres May 27

TED launches Pindrop — its newest original podcast — on May 27. Hosted by filmmaker Saleem Reshamwala, Pindrop will take listeners on a journey across the globe in search of the world’s most surprising and imaginative ideas. It’s not a travel show, exactly. It’s a deep dive into the ideas that shape a particular spot on the map, brought to you by local journalists and creators. From tiny islands to megacities, each episode is an opportunity to visit a new location — Bangkok, Mantua Township, Nairobi, Mexico City, Oberammergau — to find out: If this place were to give a TED Talk, what would it be about?

With Saleem as your guide, you’ll hear stories of police officers on motorbikes doubling as midwives in Bangkok, discover a groundbreaking paleontology site behind a Lowe’s in New Jersey’s Mantua Township, learn about Nairobi’s Afrobubblegum art movement and more. With the guidance of local journalists and TED Fellows, Pindrop gives listeners a unique lens into a spectrum of fascinating places  — an important global connection during this time of travel restrictions.

My family is from all over, and I’ve spent a lot of my life moving around,” said Saleem. “I’ve always wanted to work on something that captured the feeling of diving deep into conversation in a place you’ve never been before, where you’re getting hit by new ideas and you just feel more open to the world. Pindrop is a go at recreating that.”

Produced by TED and Magnificent Noise, Pindrop is one of TED’s nine original podcasts, which also include TEDxSHORTS, Checking In with Susan David, WorkLife with Adam Grant, The TED Interview, TED Talks Daily, TED en Español, Sincerely, X and TED Radio Hour.  TED’s podcasts are downloaded more than 420 million times annually.

TED strives to tell partner stories in the form of authentic, story-driven content developed in real time and aligned with the editorial process — finding and exploring brilliant ideas from all over the world. Pindrop is made possible with support from Women Will, a Grow with Google program. Working together, we’re spotlighting women who are finding unique ways of impacting their communities. Active in 48 countries, this Grow with Google program helps inspire, connect and educate millions of women.

Pindrop launches May 27 for a five-episode run, with five additional episodes this fall. New 30-minute episodes air weekly and are available on Apple Podcasts, Spotify and wherever you like to listen to podcasts.

CryptogramCriminals and the Normalization of Masks

I was wondering about this:

Masks that have made criminals stand apart long before bandanna-wearing robbers knocked over stagecoaches in the Old West and ski-masked bandits held up banks now allow them to blend in like concerned accountants, nurses and store clerks trying to avoid a deadly virus.

"Criminals, they're smart and this is a perfect opportunity for them to conceal themselves and blend right in," said Richard Bell, police chief in the tiny Pennsylvania community of Frackville. He said he knows of seven recent armed robberies in the region where every suspect wore a mask.


Just how many criminals are taking advantage of the pandemic to commit crimes is impossible to estimate, but law enforcement officials have no doubt the numbers are climbing. Reports are starting to pop up across the United States and in other parts of the world of crimes pulled off in no small part because so many of us are now wearing masks.

In March, two men walked into Aqueduct Racetrack in New York wearing the same kind of surgical masks as many racing fans there and, at gunpoint, robbed three workers of a quarter-million dollars they were moving from gaming machines to a safe. Other robberies involving suspects wearing surgical masks have occurred in North Carolina, and Washington, D.C, and elsewhere in recent weeks.

The article is all anecdote and no real data. But this is probably a trend.

Worse Than FailureCodeSOD: A Maskerade

Josh was writing some code to interact with an image sensor. “Fortunately” for Josh, a co-worker had already written a nice large pile of utility methods in C to make this “easy”.

So, when Josh wanted to know if the sensor was oriented in landscape or portrait (or horizontal/vertical), there was a handy method to retrieve that information:

// gets the sensor orientation
// 0 = horizontal, 1 = vertical
uint8_t get_sensor_orient(void);

Josh tried that out, and it correctly reported horizontal. Then, he switched the sensor into vertical, and it incorrectly reported horizontal. In fact, no matter what he did, get_sensor_orient returned 0. After trying to diagnose problems with the sensor, with the connection to the sensor, and so on, Josh finally decided to take a look at the code.

#define BYTES_TO_WORD(lo, hi)   (((uint16_t)hi << 8) + (uint16_t)lo)
#define SENSOR_ADDR             0x48  
#define SENSOR_SETTINGS_REG     0x24

#define SENSOR_ORIENT_MASK      0x0002

// gets the sensor orientation  
// 0 = horizontal, 1 = vertical  
uint8_t get_sensor_orient(void)  
    uint8_t buf;  
    read_sensor_reg(SENSOR_ADDR, SENSOR_SETTINGS_REG, &buf, 1);

    uint16_t tmp = BYTES_TO_WORD(0, buf) & SENSOR_ORIENT_MASK;

    return tmp & 0x0004;  

This starts reasonable. We create byte called buf and pass a reference to that byte to read_sensor_reg. Under the hood, that does some magic and talks to the image sensor and returns a byte that is a bitmask of settings on the sensor.

Now, at that point, assuming the the SENSOR_ORIENT_MASK value is correct, we should just return (buf & SENSOR_ORIENT_MASK) != 0. They could have done that, and been done. Or one of many variations on that basic concept which would let them return either a 0 or a 1.

But they can’t just do that. What comes next isn’t a simple matter of misusing bitwise operations, but a complete breakdown of thinking: they convert the byte into a word. They have a handy macro defined for that, which does some bitwise operations to combine two bytes.

Let’s assume the sensor settings mask is simply b00000010. We bitshift that to make b0000001000000000, and then add b00000000 to it. Then we and it with SENSOR_ORIENT_MASK, which would be b0000000000000010, which of course isn’t aligned with the layout of the word, so that returns zero.

There’s no reason to expand the single byte into two. That BYTES_TO_WORD macro might have other uses in the program, but certainly not here. Even if it is used elsewhere in the program, I wonder if they’re aware of the parameter order; it’s unusual (to me, anyway) to accept the lower order bits as the first parameter, and I suspect that’s part of what tripped this programmer up. Once they decided to expand the word, they assumed the macro would expand it in the opposite order, in which case their bitwise operation would have worked.

Of course, even if they had correctly extracted the correct bit, the last line of this method completely undoes all of that anyway: tmp & 0x0004 can’t possibly return a non-zero value after you’ve done a buf & 0x0002, as b00000100 and b00000010 have no bits in common.

As written, you could just replace this method with return 0 and it’d do the same thing, but more efficiently. “Zero” also happens to be how much faith I have in the developer who originally wrote this.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


Krebs on SecurityUkraine Nabs Suspect in 773M Password ‘Megabreach’

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” A subsequent review by KrebsOnSecurity quickly determined the data was years old and merely a compilation of credentials pilfered from mostly public data breaches. Earlier today, authorities in Ukraine said they’d apprehended a suspect in the case.

The Security Service of Ukraine (SBU) on Tuesday announced the detention of a hacker known as Sanix (a.k.a. “Sanixer“) from the Ivano-Frankivsk region of the country. The SBU said they found on Sanix’s computer records showing he sold databases with “logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, and information about computers hacked for further use in botnets and for organizing distributed denial-of-service (DDoS) attacks.”

Items SBU authorities seized after raiding Sanix’s residence. Image: SBU.

Sanix became famous last year for posting to hacker forums that he was selling the 87GB password dump, labeled “Collection #1.” Shortly after his sale was first detailed by Troy Hunt, who operates the HaveIBeenPwned breach notification service, KrebsOnSecurity contacted Sanix to find out what all the fuss was about. From that story:

“Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his ‘freshest’ offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.”

Alex Holden, chief technology officer and founder of Milwaukee-based Hold Security, said Sanixer’s claim to infamy was simply for disclosing the Collection #1 data, which was just one of many credential dumps amalgamated by other cyber criminals.

“Today, it is even a more common occurrence to see mixing new and old breached credentials,” Holden said. “In fact, large aggregations of stolen credentials have been around since 2013-2014. Even the original attempt to sell the Yahoo breach data was a large mix of several previous unrelated breaches. Collection #1 was one of many credentials collections output by various cyber criminals gangs.”

Sanix was far from a criminal mastermind, and left a long trail of clues that made it almost child’s play to trace his hacker aliases to the real-life identity of a young man in Burshtyn, a city located in Ivano-Frankivsk Oblast in western Ukraine.

Still, perhaps Ukraine’s SBU detained Sanix for other reasons in addition to his peddling of Collection 1. According to cyber intelligence firm Intel 471, Sanix has stayed fairly busy selling credentials that would allow customers to remotely access hacked resources at several large organizations. For example, as recently as earlier this month, Intel 471 spotted Sanix selling access to nearly four dozen universities worldwide, and to a compromised VPN account for the government of San Bernardino, Calif.

KrebsOnSecurity is covering Sanix’s detention mainly to close the loop on an incident that received an incredible amount of international attention. But it’s also another excuse to remind readers about the importance of good password hygiene. A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when available.

By far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

Your email account may be worth far more than you imagine.

And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes far more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Finally, if you haven’t done so lately, mosey on over to and see if you are taking full advantage of the strongest available multi-factor authentication option at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device, phone number, or security key. Not saying these additional security methods aren’t also vulnerable to compromise (they absolutely are), but they’re definitely better than just using a password.

Worse Than FailureThe Dangerous Comment

It is my opinion that every developer should dabble in making their own scripting language at least once. Not to actually use, mind you, but to simply to learn how languages work. If you do find yourself building a system that needs to be extendable via scripts, don’t use your own language, but use a well understood and well-proven embeddable scripting language.

Which is why Neil spends a lot of time looking at Tcl. Tcl is far from a dead language, and its bundled in pretty much every Linux or Unix, including ones for embedded platforms, meaning it runs anywhere. It’s also a simple language, with its syntax described by a relatively simple collection of rules.

Neil’s company deployed embedded network devices from a vendor. Those embedded network devices were one of the places that Tcl runs, and the company which shipped the devices decided that configuration and provisioning of the devices would be done via Tcl.

It was nobody’s favorite state of affairs, but it was more-or-less fine. The challenges were less about writing Tcl and more about learning the domain-specific conventions for configuring these devices. The real frustration was that most of the time, when something went wrong, especially in this vendor-specific dialect, the error was simply: “Unknown command.”

As provisioning needs got more and more complicated, scripts calling out to other scripts became a more and more common convention, which made the “Unknown command” errors even more frustrating to track down.

It was while digging into one of those that Neil discovered a special intersection of unusual behaviors, in a section of code which may have looked something like:

# procedure for looking up config options
proc lookup {fname} {
  # does stuff …

Neil spent a good long time trying to figure out why there was an “Unknown command” error. While doing that hunting, and referring back to the “Dodekalogue” of rules which governs Tcl, Neil had a realization, specifically while looking at the definition of a comment:

If a hash character (“#”) appears at a point where Tcl is expecting the first character of the first word of a command, then the hash character and the characters that follow it, up through the next newline, are treated as a comment and ignored. The comment character only has significance when it appears at the beginning of a command.

In Tcl, a command is a series of words, where the first word is the name of the command. If the command name starts with a “#”, then the command is a comment.

That is to say, comments are commands. Which doesn’t really sound interesting, except for one very important rule about this vendor-specific deployment of Tcl: it restricted which commands could be executed based on the user’s role.

Most of the time, this never came up. Neil and his peers logged in as admins, and admins could do anything. But this time, Neil was logged in as a regular user. It didn’t take much digging for Neil to discover that in the default configuration the “#” command was restricted to administrators.

The vendor specifically shipped their devices configured so that comments couldn’t be added to provisioning scripts unless those scripts were executed by administrators. It wasn’t hard for Neil to fix that, but with the helpful “Unknown Command” errors, it was hard to find out what needed to be fixed.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!


Planet Linux AustraliaFrancois Marier: Displaying client IP address using Apache Server-Side Includes

If you use a Dynamic DNS setup to reach machines which are not behind a stable IP address, you will likely have a need to probe these machines' public IP addresses. One option is to use an insecure service like Oracle's which echoes back your client IP, but you can also do this on your own server if you have one.

There are multiple options to do this, like writing a CGI or PHP script, but those are fairly heavyweight if that's all you need mod_cgi or PHP for. Instead, I decided to use Apache's built-in Server-Side Includes.

Apache configuration

Start by turning on the include filter by adding the following in /etc/apache2/conf-available/ssi.conf:

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

and making that configuration file active:

a2enconf ssi

Then, find the vhost file where you want to enable SSI and add the following options to a Location or Directory section:

<Location /ssi_files>
    Options +IncludesNOEXEC
    Header set Content-Security-Policy: "default-src 'none'"
    Header set X-Content-Type-Options: "nosniff"

before adding the necessary modules:

a2enmod headers
a2enmod include

and restarting Apache:

apache2ctl configtest && systemctl restart apache2.service

Create an shtml page

With the web server ready to process SSI instructions, the following HTML blurb can be used to display the client IP address:

<!--#echo var="REMOTE_ADDR" -->

or any other built-in variable.

Note that you don't need to write a valid HTML for the variable to be substituted and so the above one-liner is all I use on my server.

Security concerns

The first thing to note is that the configuration section uses the IncludesNOEXEC option in order to disable arbitrary command execution via SSI. In addition, you can also make sure that the cgi module is disabled since that's a dependency of the more dangerous side of SSI:

a2dismod cgi

Of course, if you rely on this IP address to be accurate, for example because you'll be putting it in your DNS, then you should make sure that you only serve this page over HTTPS, which can be enforced via the SSLRequireSSL directive.

I included two other headers in the above vhost config (Content-Security-Policy and X-Content-Type-Options) in order to limit the damage that could be done in case a malicious file was accidentally dropped in that directory.

Finally, I suggest making sure that only the root user has writable access to the directory which has server-side includes enabled:

$ ls -la /var/www/ssi_includes/
total 12
drwxr-xr-x  2 root     root     4096 May 18 15:58 .
drwxr-xr-x 16 root     root     4096 May 18 15:40 ..
-rw-r--r--  1 root     root        0 May 18 15:46 index.html
-rw-r--r--  1 root     root       32 May 18 15:58 whatsmyip.shtml

TEDTED2020 postponed

Update 5/18/20: TED2020 will not be held in Vancouver, BC. Starting May 18, 2020, the conference is being convened as an eight-week virtual experience.

Based on a community-wide decision, TED2020 will move from April 20-24 to July 26-30 — and will still be held in Vancouver, BC.

With the COVID-19 virus spreading across the planet, we’re facing many challenges and uncertainties, which is why we feel passionately that TED2020 matters more than ever. Knowing our original April dates would no longer work, we sought counsel and guidance from our vast community. Amidst our network of artists, entrepreneurs, innovators, creators, scientists and more, we also count experts in health and medicine among our ranks. After vetting all of the options, we offered registered attendees the choice to either postpone the event or hold a virtual version. The majority expressed a preference for a summer TED, so that’s the official plan.

We’ve spent the past year putting together a spectacular program designed to chart the future. Our speakers are extraordinary. You, our beloved community, are also incredible. Somehow, despite the global health crisis, we will use this moment to share insights, spark action and host meaningful discussions of the ideas that matter most in the world.

As head of TED Chris Anderson noted in his letter to attendees: “Our north star in making decisions has been your health and safety. This is a moment when community matters like never before. I believe passionately in the power, wisdom and collective spirit of this community. We’re stronger together.”

Learn more about TED2020: Uncharted

Krebs on SecurityThis Service Helps Malware Authors Fix Flaws in their Code

Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware. But the reality is most malicious software also has its share of security holes that open the door for security researchers or ne’er-do-wells to liberate or else seize control over already-hacked systems. Here’s a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web’s top cybercriminals.

It is not uncommon for crooks who sell malware-as-a-service offerings such as trojan horse programs and botnet control panels to include backdoors in their products that let them surreptitiously monitor the operations of their customers and siphon data stolen from victims. More commonly, however, the people writing malware simply make coding mistakes that render their creations vulnerable to compromise.

At the same time, security companies are constantly scouring malware code for vulnerabilities that might allow them peer to inside the operations of crime networks, or to wrest control over those operations from the bad guys. There aren’t a lot of public examples of this anti-malware activity, in part because it wades into legally murky waters. More importantly, talking publicly about these flaws tends to be the fastest way to get malware authors to fix any vulnerabilities in their code.

Enter malware testing services like the one operated by “RedBear,” the administrator of a Russian-language security site called Krober[.]biz, which frequently blogs about security weaknesses in popular malware tools.

For the most part, the vulnerabilities detailed by Krober aren’t written about until they are patched by the malware’s author, who’s paid a small fee in advance for a code review that promises to unmask any backdoors and/or harden the security of the customer’s product.

RedBear’s profile on the Russian-language xss[.]is cybercrime forum.

RedBear’s service is marketed not only to malware creators, but to people who rent or buy malicious software and services from other cybercriminals. A chief selling point of this service is that, crooks being crooks, you simply can’t trust them to be completely honest.

“We can examine your (or not exactly your) PHP code for vulnerabilities and backdoors,” reads his offering on several prominent Russian cybercrime forums. “Possible options include, for example, bot admin panels, code injection panels, shell control panels, payment card sniffers, traffic direction services, exchange services, spamming software, doorway generators, and scam pages, etc.”

As proof of his service’s effectiveness, RedBear points to almost a dozen articles on Krober[.]biz which explain in intricate detail flaws found in high-profile malware tools whose authors have used his service in the past, including; the Black Energy DDoS bot administration panel; malware loading panels tied to the Smoke and Andromeda bot loaders; the RMS and Spyadmin trojans; and a popular loan scan script.


RedBear doesn’t operate this service on his own. Over the years he’s had several partners in the project, including two very high-profile cybercriminals (or possibly just one, as we’ll see in a moment) who until recently operated under the hacker aliases “upO” and “Lebron.”

From 2013 to 2016, upO was a major player on Exploit[.]in — one of the most active and venerated Russian-language cybercrime forums in the underground — authoring almost 1,500 posts on the forum and starting roughly 80 threads, mostly focusing on malware. For roughly one year beginning in 2016, Lebron was a top moderator on Exploit.

One of many articles Lebron published on Krober[.]biz that detailed flaws found in malware submitted to RedBear’s vulnerability testing service.

In 2016, several members began accusing upO of stealing source code from malware projects under review, and then allegedly using or incorporating bits of the code into malware projects he marketed to others.

up0 would eventually be banned from Exploit for getting into an argument with another top forum contributor, wherein both accused the other of working for or with Russian and/or Ukrainian federal authorities, and proceeded to publish personal information about the other that allegedly outed their real-life identities.

The cybercrime actor “upO” on Exploit[.]in in late 2016, complaining that RedBear was refusing to pay a debt owed to him.

Lebron first appeared on Exploit in September 2016, roughly two months before upO was banished from the community. After serving almost a year on the forum while authoring hundreds of posts and threads (including many articles first published on Krober), Lebron abruptly disappeared from Exploit.

His departure was prefaced by a series of increasingly brazen accusations by forum members that Lebron was simply upO using a different nickname. His final post on Exploit in May 2017 somewhat jokingly indicated he was joining an upstart ransomware affiliate program.


According to research from cyber intelligence firm Intel 471, upO had a strong interest in ransomware and had partnered with the developer of the Cerber ransomware strain, an affiliate program operating between Feb. 2016 and July 2017 that sought to corner the increasingly lucrative and competitive market for ransomware-as-a-service offerings.

Intel 471 says a rumor has been circulating on Exploit and other forums upO frequented that he was the mastermind behind GandCrab, another ransomware-as-a-service affiliate program that first surfaced in January 2018 and later bragged about extorting billions of dollars from hacked businesses when it closed up shop in June 2019.

Multiple security companies and researchers (including this author) have concluded that GandCrab didn’t exactly go away, but instead re-branded to form a more exclusive ransomware-as-a-service offering dubbed “REvil” (a.k.a. “Sodin” and “Sodinokibi”). REvil was first spotted in April 2019 after being installed by a GandCrab update, but its affiliate program didn’t kick into high gear until July 2019.

Last month, the public face of the REvil ransomware affiliate program — a cybercriminal who registered on Exploit in July 2019 using the nickname “UNKN” (a.k.a. “Unknown”) — found himself the target of a blackmail scheme publicly announced by a fellow forum member who claimed to have helped bankroll UNKN’s ransomware business back in 2016 but who’d taken a break from the forum on account of problems with the law.

That individual, using the nickname “Vivalamuerte,” said UNKN still owed him his up-front investment money, which he reckoned amounted to roughly $190,000. Vivalamuerte said he would release personal details revealing UNKN’s real-life identity unless he was paid what he claims he is owed.

In this Google-translated blackmail post by Vivalamuerte to UNKN, the latter’s former nickname was abbreviated to “L”.

Vivalamuerte also claimed UNKN has used four different nicknames, and that the moniker he interacted with back in 2016 began with the letter “L.” The accused’s full nickname was likely redacted by forum administrators because a search on the forum for “Lebron” brings up the same post even though it is not visible in any of Vivalamuerte’s threatening messages.

Reached by KrebsOnSecurity, Vivalamuerte declined to share what he knew about UNKN, saying the matter was still in arbitration. But he said he has proof that Lebron was the principle coder behind the GandCrab ransomware, and that the person behind the Lebron identity plays a central role in the REvil ransomware extortion enterprise as it exists today.

Cory DoctorowSomeone Comes to Town, Someone Leaves Town (part 03)

Here’s part three of my new reading of my novel Someone Comes to Town, Someone Leaves Town (you can follow all the installments, as well as the reading I did in 2008/9, here).

This is easily the weirdest novel I ever wrote. Gene Wolfe (RIP) gave me an amazing quote for it: “Someone Comes to Town, Someone Leaves Town is a glorious book, but there are hundreds of those. It is more. It is a glorious book unlike any book you’ve ever read.”

Here’s how my publisher described it when it came out:

Alan is a middle-aged entrepeneur who moves to a bohemian neighborhood of Toronto. Living next door is a young woman who reveals to him that she has wings—which grow back after each attempt to cut them off.

Alan understands. He himself has a secret or two. His father is a mountain, his mother is a washing machine, and among his brothers are sets of Russian nesting dolls.

Now two of the three dolls are on his doorstep, starving, because their innermost member has vanished. It appears that Davey, another brother who Alan and his siblings killed years ago, may have returned, bent on revenge.

Under the circumstances it seems only reasonable for Alan to join a scheme to blanket Toronto with free wireless Internet, spearheaded by a brilliant technopunk who builds miracles from scavenged parts. But Alan’s past won’t leave him alone—and Davey isn’t the only one gunning for him and his friends.

Whipsawing between the preposterous, the amazing, and the deeply felt, Cory Doctorow’s Someone Comes to Town, Someone Leaves Town is unlike any novel you have ever read.


CryptogramRamsey Malware

A new malware, called Ramsey, can jump air gaps:

ESET said they've been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).

Each version was different and infected victims through different methods, but at its core, the malware's primary role was to scan an infected computer, and gather Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.

Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely moved the infected executables between the company's different network layers, and eventually end up on an isolated system.

ESET says that during its research, it was not able to positively identify Ramsay's exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.

Honestly, I can't think of any threat actor that wants this kind of feature other than governments:

The researcher has not made a formal attribution as who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.

Seems likely.


Planet Linux AustraliaRussell Coker: A Good Time to Upgrade PCs

PC hardware just keeps getting cheaper and faster. Now that so many people have been working from home the deficiencies of home PCs are becoming apparent. I’ll give Australian prices and URLs in this post, but I think that similar prices will be available everywhere that people read my blog.

From MSY (parts list PDF ) [1] 120G SATA SSDs are under $50 each. 120G is more than enough for a basic workstation, so you are looking at $42 or so for fast quiet storage or $84 or so for the same with RAID-1. Being quiet is a significant luxury feature and it’s also useful if you are going to be in video conferences.

For more serious storage NVMe starts at around $100 per unit, I think that $124 for a 500G Crucial NVMe is the best low end option (paying $95 for a 250G Kingston device doesn’t seem like enough savings to be worth it). So that’s $248 for 500G of very fast RAID-1 storage. There’s a Samsung 2TB NVMe device for $349 which is good if you need more storage, it’s interesting to note that this is significantly cheaper than the Samsung 2TB SSD which costs $455. I wonder if SATA SSD devices will go away in the future, it might end up being SATA for slow/cheap spinning media and M.2 NVMe for solid state storage. The SATA SSD devices are only good for use in older systems that don’t have M.2 sockets on the motherboard.

It seems that most new motherboards have one M.2 socket on the motherboard with NVMe support, and presumably support for booting from NVMe. But dual M.2 sockets is rare and the price difference is significantly greater than the cost of a PCIe M.2 card to support NVMe which is $14. So for NVMe RAID-1 it seems that the best option is a motherboard with a single NVMe socket (starting at $89 for a AM4 socket motherboard – the current standard for AMD CPUs) and a PCIe M.2 card.

One thing to note about NVMe is that different drivers are required. On Linux this means means building a new initrd before the migration (or afterwards when booted from a recovery image) and on Windows probably means a fresh install from special installation media with NVMe drivers.

All the AM4 motherboards seem to have RADEON Vega graphics built in which is capable of 4K resolution at a stated refresh of around 24Hz. The ones that give detail about the interfaces say that they have HDMI 1.4 which means a maximum of 30Hz at 4K resolution if you have the color encoding that suits text (IE for use other than just video). I covered this issue in detail in my blog post about DisplayPort and 4K resolution [2]. So a basic AM4 motherboard won’t give great 4K display support, but it will probably be good for a cheap start.

$89 for motherboard, $124 for 500G NVMe, $344 for a Ryzen 5 3600 CPU (not the cheapest AM4 but in the middle range and good value for money), and $99 for 16G of RAM (DDR4 RAM is cheaper than DDR3 RAM) gives the core of a very decent system for $656 (assuming you have a working system to upgrade and peripherals to go with it).

Currently Kogan has 4K resolution monitors starting at $329 [3]. They probably won’t be the greatest monitors but my experience of a past cheap 4K monitor from Kogan was that it is quite OK. Samsung 4K monitors started at about $400 last time I could check (Kogan currently has no stock of them and doesn’t display the price), I’d pay an extra $70 for Samsung, but the Kogan branded product is probably good enough for most people. So you are looking at under $1000 for a new system with fast CPU, DDR4 RAM, NVMe storage, and a 4K monitor if you already have the case, PSU, keyboard, mouse, etc.

It seems quite likely that the 4K video hardware on a cheap AM4 motherboard won’t be that great for games and it will definitely be lacking for watching TV documentaries. Whether such deficiencies are worth spending money on a PCIe video card (starting at $50 for a low end card but costing significantly more for 3D gaming at 4K resolution) is a matter of opinion. I probably wouldn’t have spent extra for a PCIe video card if I had 4K video on the motherboard. Not only does using built in video save money it means one less fan running (less background noise) and probably less electricity use too.

My Plans

I currently have a workstation with 2*500G SATA SSDs in a RAID-1 array, 16G of RAM, and a i5-2500 CPU (just under 1/4 the speed of the Ryzen 5 3600). If I had hard drives then I would definitely buy a new system right now. But as I have SSDs that work nicely (quiet and fast enough for most things) and almost all machines I personally use have SSDs (so I can’t get a benefit from moving my current SSDs to another system) I would just get CPU, motherboard, and RAM. So the question is whether to spend $532 for more than 4* the CPU performance. At the moment I’ll wait because I’ll probably get a free system with DDR4 RAM in the near future, while it probably won’t be as fast as a Ryzen 5 3600, it should be at least twice as fast as what I currently have.

Worse Than FailureCodeSOD: Extra Strict

One of the advantages of a strongly typed language is that many kinds of errors can be caught at compile time. Without even running the code, you know you've made a mistake. This adds a layer of formality to your programs, which has the disadvantage of making it harder for a novice programmer to get started.

At least, that's my understanding of why every language that's designed to be "easy to use" defaults to being loosely typed. The result is that it's easy to get started, but then you inevitably end up asking yourself wat?

Visual Basic was one of those languages. It wanted to avoid spitting out errors at compile time, because that made it "easy" to get started. This meant, for example, that in old versions of Visual Basic, you didn't need to declare your variables- they were declared on use, a feature that persists into languages like Python today. Also, in older versions, you didn't need to declare variables as having a type, they could just hold anything. And even if you declared a type, the compiler would "do its best" to stuff one type into another, much like JavaScript does today.

Microsoft recognized that this would be a problem if a large team was working on a Visual Basic project. And large teams and large Visual Basic projects are a thing that sadly happened. So they added features to the language which let you control how strict it would be. Adding Option Explicit to a file would mean that variables needed to be declared before use. Option Strict would enforce strict type checking, and preventing surprising implicit casts.

One of the big changes in VB.Net was the defaults for those changed- Option Explicit defaulted to being on, and you needed to specify Option Explicit Off to get the old behavior. Option Strict remained off by default, though, so many teams enabled it. In .NET, it was even more important, since while VB.Net might let you play loose with types at compile time, the compiled MSIL output didn't.

Which brings us to Russell F's code. While the team's coding standards do recommend that Option Strict be enabled, one developer hasn't quite adapted to that reality. Which is why pretty much any code that interacts with form fields looks like this:

Public i64Part2 As Int64 'later… i64Part2 = Format(Convert.ToInt64(txtIBM2.Text), "00000")

txtIBM2 is, as you might guess from the Hungarian tag, a text box. So we need to convert that to a number, hence the Convert.ToInt64. So far so good.

Then, perplexingly, we Format the number back into a string that is 5 characters long. Then we let an implicit cast turn the string back into a number, because i64Part2 is an Int64. So that's a string converted explicitly into a number, formatted into a string and then implicitly converted back to a number.

The conversion back to a number undoes whatever was accomplished by the formatting. Worse, the format give you a false sense of security- the format string only supports 5 digits, but what happens if you pass a 6 digit number in? Nothing: the Format method won't truncate, so your six digit number comes out as six digits.

Maybe the "easy to use" languages are onto something. Types do seem hard.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!


Planet Linux AustraliaLev Lafayette: Notes on Installing Ubuntu 20 VM on an MS-Windows 10 Host

Some thirteen years ago I worked with Xen virtual machines as part of my day job, and gave a presentation at Linux Users of Victoria on the subject (with additional lecture notes). A few years after that I gave another presentation on the Unified Extensible Firmware Interface (UEFI), itself which (indirectly) led to a post on Linux and MS-Windows 8 dual-booting. All of this now leads to a some notes on using MS-Windows as a host for Ubuntu Linux guest machines.

Why Would You Want to do This?

Most people these have at least heard of Linux. They might even know that every single supercomputer in the world uses Linux. They may know that the overwhelming majority of embedded devices, such as home routers, use Linux. Or maybe even that the Android mobile 'phone uses a Linux kernel. Or that MacOS is built on the same broad family of UNIX-like operating systems. Whilst they might be familiar with their MS-Windows environment, because that's what they've been brought up on and what their favourite applications are designed for, they might also be "Linux curious", especially if they are hoping to either scale-up the complexity and volume of the datasets they're working with (i.e., towards high performance computing) or scale-down their applications (i.e., towards embedded devices). If this is the case, then introducing Linux via a virtual machine (VM) is a relatively safe and easy path to experiment with.

About VMs

Virtual machines work by emulating a computer system, including hardware, in a software environment, a technology that has been around for a very long time (e.g., CP/CMS, 1967). The VMs in a host system is managed by a hypervisor, or Virtual Machine Monitor (VMM), that manages one or more guest systems. In the example that follows VirtualBox, a free-and-open source hypervisor. Because the guest system relies on the host it cannot have the same performance as a host system, unlike a dual-boot system. It will share memory, it will share processing power, it must take up some disk space, and will also have the overhead of the hypervisor itself (although this has improved a great deal in recent years). In a production environment, VMs are usually used to optimise resource allocation for very powerful systems, such as web-server farms and bodies like the Nectar Research Cloud, or even some partitions on systems like the University of Melbourne's supercomputer, Spartan. In a development environment, VMs are an excellent tool for testing and debugging.

Install VirtualBox and Enable Virtualization

For most environments VirtualBox is an easy path for creating a virtual machine, ARM systems excluded (QEMU suggested for Raspberry Pi or Android, or QEMU's fork, KVM). For the example given here, simply download VirtualBox for MS-Windows and click one's way through the installation process, noting that it VirtualBox will make changes to your system and that products from Oracle can be trusted (*blink*). Download for other operating environments are worth looking at as well.

It is essential to enable virtualisation on your MS-Windows host through the BIOS/UEFI, which is not as easy as it used to be. A handy page from some smart people in the Czech Republic provides quick instructions for a variety of hardware environments. The good people at laptopmag provide the path from within the MS-Windows environment. In summary; select Settings (gear icon), select Update & Security, Select Recovery (this sounds wrong), Advanced Startup, Restart Now (which is also wrong, you don't restart now), Troubleshoot, Advanced Options, UEFI Firmware Settings, then Restart.

Install Linux and Create a Shared Folder

Download a Ubuntu 20.04 LTS (long-term support) ISO and save to the MS-Windows host. There are some clever alternatives, such as the Ubuntu Linux terminal environment for MS-Windows (which is possibly even a better choice these days, but that will be for another post), or Multipass which allows one to create their own mini-cloud environment. But this is a discussion for a VM, so I'll resist the temptation to go off on a tangent.

Creating a VM in VirtualBox is pretty straight-forward; open the application, select "New", give the VM a name, and allocate resources (virtual hard disk, virtual memory). It's worthwhile tending towards the generous in resource allocation. After that it is a case selecting the ISO in settings and storage; remember a VM does not have a real disk drive, so it has a virtual (software) one. After this one can start the VM, and it will boot from the ISO and begin the installation process for Ubuntu Linux desktop edition, which is pretty straight forward. One amusing caveat, when the installation says it's going to wipe the disk it doesn't mean the host machine, just that of the virtual disk that has been build for it. When the installation is complete go to "Devices" on the VM menu, and remove the boot disk and restart the guest system; you now have a Ubuntu VM installed on your MS-Windows system.

By default, VMs do not have access to the host computer. To provide that access one will want to set up a shared folder in the VM and on the host. The first step in this environment would be to give the Linux user (created during installation) membership to the vboxsf, e.g., on the terminal sudo usermod -a -G vboxsf username. In VirtualBox, select Settings, and add a Share under as a Machine Folders, which is a permanent folder. Under Folder Path set the name and location on the host operating system (e.g., UbuntuShared on the Desktop); leave automount blank (we can fix that soon enough). Put a test file in the shared folder.

Ubuntu now needs additional software installed to work with VirtualBox's Guest Additions, including kernel modules. Also, mount VirtualBox's Guest Additions to the guest VM, under Devices as a virtual CD; you can download this from the VirtualBox website.

Run the following commands, entering the default user's password as needed:

sudo apt-get install -y build-essential linux-headers-`uname -r`
sudo /media/cdrom/./
sudo shutdown -r now # Reboot the system
mkdir ~/UbuntuShared
sudo mount -t vboxsf shared ~/UbuntuShared
cd ~/UbuntuShared

The file that was put in the UbuntuShared folder in MS-Windows should now be visible in ~/UbuntuShared. Add a file (e.g., touch testfile.txt) from Linux and check if it can seen in MS-Windows. If this all succeeds, make the folder persistent.

sudo nano /etc/fstab # nano is just fine for short configuration files
# Add the following, separate by tabs, and save
shared /home//UbuntuShared vboxsf defaults 0 0
# Edit modules
sudo nano /etc/modules
# Add the following
# Exit and reboot
sudo shutdown -r now

You're done! You now have a Ubuntu desktop system running as a VM guest using VirtualBox on an MS-Windows 10 host system. Ideal for learning, testing, and debugging.

CryptogramAnother California Data Privacy Law

The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive:

In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer Privacy Act." Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor. While the proposed privacy initiative was initially met with significant opposition, particularly from large technology companies, some of that opposition faded in the wake of the Cambridge Analytica scandal and Mark Zuckerberg's April 2018 testimony before Congress. By May 2018, the initiative appeared to have garnered sufficient support to appear on the November 2018 ballot. On June 21, 2018, the sponsors of the ballot initiative and state legislators then struck a deal: in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act. The initiative was withdrawn, and the state legislature passed (and the Governor signed) the CCPA on June 28, 2018.

Since then, it was substantially amended -- that is, watered down -- at the request of various surveillance capitalism companies. Enforcement was supposed to start this year, but we haven't seen much yet.

And we could have had that ballot initiative.

It looks like Alastair Mactaggart and others are back.

Advocacy group Californians for Consumer Privacy, which started the push for a state-wide data privacy law, announced this week that it has the signatures it needs to get version 2.0 of its privacy rules on the US state's ballot in November, and submitted its proposal to Sacramento.

This time the goal is to tighten up the rules that its previously ballot measure managed to get into law, despite the determined efforts of internet giants like Google and Facebook to kill it. In return for the legislation being passed, that ballot measure was dropped. Now, it looks like the campaigners are taking their fight to a people's vote after all.


The new proposal would add more rights, including the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation. It would also triples existing fines for companies caught breaking the rules surrounding data on children (under 16s) and would require an opt-in to even collect such data.

The proposal would also give Californians the right to know when their information is used to make fundamental decisions about them, such as getting credit or employment offers. And it would require political organizations to divulge when they use similar data for campaigns.

And just to push the tech giants from fury into full-blown meltdown the new ballot measure would require any amendments to the law to require a majority vote in the legislature, effectively stripping their vast lobbying powers and cutting off the multitude of different ways the measures and its enforcement can be watered down within the political process.

I don't know why they accepted the compromise in the first place. It was obvious that the legislative process would be hijacked by the powerful tech companies. I support getting this onto the ballot this year.

EDITED TO ADD(5/17): It looks like this new ballot initiative isn't going to be an improvement.

Planet Linux AustraliaMichael Still: A super simple non-breadmaker loaf


This is the second in a series of posts documenting my adventures in making bread during the COVID-19 shutdown. Yes I know all the cool kids made bread for themselves during the shutdown, but I did it too!

A loaf of bread

So here we were, in the middle of a pandemic which closed bakeries and cancelled almost all of my non-work activities. I found this animated GIF on Reddit for a super simple no-kneed bread and decided to give it a go. It turns out that a few things are true:

  • animated GIFs are a super terrible way store recipes
  • that animated GIF was a export of this YouTube video which originally accompanied this blog post
  • and that I only learned these things while to trying and work out who to credit for this recipe

The basic recipe is really easy — chuck the following into a big bowl, stir, and then cover with a plate. Leave resting a warm place for a long time (three or four hours), then turn out onto a floured bench. Fold into a ball with flour, and then bake. You can see a more detailed version in the YouTube video above.

  • 3 cups of bakers flour (not plain white flour)
  • 2 tea spoons of yeast
  • 2 tea spooons of salt
  • 1.5 cups of warm water (again, I use 42 degrees from my gas hot water system)

The dough will seem really dry when you first mix it, but gets wetter as it rises. Don’t panic if it seems tacky and dry.

I think the key here is the baking process, which is how the oven loaf in my previous post about bread maker white loaves was baked. I use a cast iron camp oven (sometimes called a dutch oven), because thermal mass is key. If I had a fancy enamelized cast iron camp oven I’d use that, but I don’t and I wasn’t going shopping during the shutdown to get one. Oh, and they can be crazy expensive at up to $500 AUD.

Another loaf of bread

Warm the oven with the camp oven inside for at least 30 minutes at 230 degrees celsius. Then place the dough inside the camp oven on some baking paper — I tend to use a triffet as well, but I think you could skip that if you didn’t have one. Bake for 30 minutes with the lid on — this helps steam the bread a little and forms a nice crust. Then bake for another 12 minutes with the camp over lid off — this darkens the crust up nicely.

A final loaf of bread

Oh, and I’ve noticed a bit of variation in how wet the dough seems to be when I turn it out and form it in flour, but it doesn’t really seem to change the outcome once baked, so that’s nice.

The original blogger for this receipe also recommends chilling the dough overnight in the fridge before baking, but I haven’t tried that yet.


Planet Linux AustraliaMatt Palmer: Private Key Redaction: UR DOIN IT RONG

Because posting private keys on the Internet is a bad idea, some people like to “redact” their private keys, so that it looks kinda-sorta like a private key, but it isn’t actually giving away anything secret. Unfortunately, due to the way that private keys are represented, it is easy to “redact” a key in such a way that it doesn’t actually redact anything at all. RSA private keys are particularly bad at this, but the problem can (potentially) apply to other keys as well.

I’ll show you a bit of “Inside Baseball” with key formats, and then demonstrate the practical implications. Finally, we’ll go through a practical worked example from an actual not-really-redacted key I recently stumbled across in my travels.

The Private Lives of Private Keys

Here is what a typical private key looks like, when you come across it:


Obviously, there’s some hidden meaning in there – computers don’t encrypt things by shouting “BEGIN RSA PRIVATE KEY!”, after all. What is between the BEGIN/END lines above is, in fact, a base64-encoded DER format ASN.1 structure representing a PKCS#1 private key.

In simple terms, it’s a list of numbers – very important numbers. The list of numbers is, in order:

  • A version number (0);
  • The “public modulus”, commonly referred to as “n”;
  • The “public exponent”, or “e” (which is almost always 65,537, for various unimportant reasons);
  • The “private exponent”, or “d”;
  • The two “private primes”, or “p” and “q”;
  • Two exponents, which are known as “dmp1” and “dmq1”; and
  • A coefficient, known as “iqmp”.

Why Is This a Problem?

The thing is, only three of those numbers are actually required in a private key. The rest, whilst useful to allow the RSA encryption and decryption to be more efficient, aren’t necessary. The three absolutely required values are e, p, and q.

Of the other numbers, most of them are at least about the same size as each of p and q. So of the total data in an RSA key, less than a quarter of the data is required. Let me show you with the above “toy” key, by breaking it down piece by piece1:

  • MGI – DER for “this is a sequence”
  • CAQ – version (0)
  • CxjdTmecltJEz2PLMpS4BXn
  • AgMBAAe
  • ECEDKtuwD17gpagnASq1zQTYd
  • AgkAkahDUXL0RSdmp1
  • ECCB78r2SnsJC9dmq1
  • AghaOK3FsKoELg==iqmp

Remember that in order to reconstruct all of these values, all I need are e, p, and q – and e is pretty much always 65,537. So I could “redact” almost all of this key, and still give all the important, private bits of this key. Let me show you:


Now, I doubt that anyone is going to redact a key precisely like this… but then again, this isn’t a “typical” RSA key. They usually look a lot more like this:


People typically redact keys by deleting whole lines, and usually replacing them with [...] and the like. But only about 345 of those 1588 characters (excluding the header and footer) are required to construct the entire key. You can redact about 4/5ths of that giant blob of stuff, and your private parts (or at least, those of your key) are still left uncomfortably exposed.

But Wait! There’s More!

Remember how I said that everything in the key other than e, p, and q could be derived from those three numbers? Let’s talk about one of those numbers: n.

This is known as the “public modulus” (because, along with e, it is also present in the public key). It is very easy to calculate: n = p * q. It is also very early in the key (the second number, in fact).

Since n = p * q, it follows that q = n / p. Thus, as long as the key is intact up to p, you can derive q by simple division.

Real World Redaction

At this point, I’d like to introduce an acquaintance of mine: Mr. Johan Finn. He is the proud owner of the GitHub repo johanfinn/scripts. For a while, his repo contained a script that contained a poorly-redacted private key. He since deleted it, by making a new commit, but of course because git never really deletes anything, it’s still available.

Of course, Mr. Finn may delete the repo, or force-push a new history without that commit, so here is the redacted private key, with a bit of the surrounding shell script, for our illustrative pleasure:

#Add private key to .ssh folder
cd /home/johan/.ssh/
echo  "-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----" >> id_rsa

Now, if you try to reconstruct this key by removing the “obvious” garbage lines (the ones that are all repeated characters, some of which aren’t even valid base64 characters), it still isn’t a key – at least, openssl pkey doesn’t want anything to do with it. The key is very much still in there, though, as we shall soon see.

Using a gem I wrote and a quick bit of Ruby, we can extract a complete private key. The irb session looks something like this:

>> require "derparse"
>> b64 = <<EOF
>> b64 += <<EOF
>> der = b64.unpack("m").first
>> c =
>> version = c.value
=> 0
>> c = c.next_node
>> n = c.value
=> 80071596234464993385068908004931... # (etc)
>> c = c.next_node
>> e = c.value
=> 65537
>> c = c.next_node
>> d = c.value
=> 58438813486895877116761996105770... # (etc)
>> c = c.next_node
>> p = c.value
=> 29635449580247160226960937109864... # (etc)
>> c = c.next_node
>> q = c.value
=> 27018856595256414771163410576410... # (etc)

What I’ve done, in case you don’t speak Ruby, is take the two “chunks” of plausible-looking base64 data, chuck them together into a variable named b64, unbase64 it into a variable named der, pass that into a new DerParse instance, and then walk the DER value tree until I got all the values I need.

Interestingly, the q value actually traverses the “split” in the two chunks, which means that there’s always the possibility that there are lines missing from the key. However, since p and q are supposed to be prime, we can “sanity check” them to see if corruption is likely to have occurred:

>> require "openssl"
=> true
=> true

Excellent! The chances of a corrupted file producing valid-but-incorrect prime numbers isn’t huge, so we can be fairly confident that we’ve got the “real” p and q. Now, with the help of another one of my creations we can use e, p, and q to create a fully-operational battle key:

>> require "openssl/pkey/rsa"
>> k = OpenSSL::PKey::RSA.from_factors(p, q, e)
=> #<OpenSSL::PKey::RSA:0x0000559d5903cd38>
>> k.valid?
=> true
>> k.verify(, k.sign(, "bob"), "bob")
=> true

… and there you have it. One fairly redacted-looking private key brought back to life by maths and far too much free time.

Sorry Mr. Finn, I hope you’re not still using that key on anything Internet-facing.

What About Other Key Types?

EC keys are very different beasts, but they have much the same problems as RSA keys. A typical EC key contains both private and public data, and the public portion is twice the size – so only about 1/3 of the data in the key is private material. It is quite plausible that you can “redact” an EC key and leave all the actually private bits exposed.

What Do We Do About It?

In short: don’t ever try and redact real private keys. For documentation purposes, just put “KEY GOES HERE” in the appropriate spot, or something like that. Store your secrets somewhere that isn’t a public (or even private!) git repo.

Generating a “dummy” private key and sticking it in there isn’t a great idea, for different reasons: people have this odd habit of reusing “demo” keys in real life. There’s no need to encourage that sort of thing.

  1. Technically the pieces aren’t 100% aligned with the underlying DER, because of how base64 works. I felt it was easier to understand if I stuck to chopping up the base64, rather than decoding into DER and then chopping up the DER. 

Planet Linux AustraliaDavid Rowe: MicroHams Digital Conference (MHDC) 2020

On May 9 2020 (PST) I had the pleasure of speaking at the MicroHams Digital Conference (MHDC) 2020. Due to COVID-19 presenters attended via Zoom, and the conference was live streamed over YouTube.

Thanks to hard work of the organisers, this worked really well!

Looking at the conference program, I noticed the standard of the presenters was very high. The organisers I worked with (Scott N7SS, and Grant KB7WSD) explained that a side effect of making the conference virtual was casting a much wider net on presenters – making the conference even better than IRL (In Real Life)! The YouTube streaming stats showed 300-500 people “attending” – also very high.

My door to door travel time to West Coast USA is about 20 hours. So a remote presentation makes life much easier for me. It takes me a week to prepare, means 1-2 weeks away from home, and a week to recover from the jetlag. As a single parent I need to find a carer for my 14 year old.

Vickie, KD7LAW, ran a break out room for after talk chat which worked well. It was nice to “meet” several people that I usually just have email contact with. All from the comfort of my home on a Sunday morning in Adelaide (Saturday afternoon PST).

The MHDC 2020 talks have been now been published on YouTube. Here is my talk, which is a good update (May 2020) of Codec 2 and FreeDV, including:

  • The new FreeDV 2020 mode using the LPCNet neural net vocoder
  • Embedded FreeDV 700D running on the SM1000
  • FreeDV over the QO-100 geosynchronous satellite and KiwiSDRs
  • Introducing some of the good people contributing to FreeDV

The conference has me interested in applying the open source modems we have developed for digital voice to Amateur Radio packet and HF data. So I’m reading up on Winlink, Pat, Direwolf and friends.

Thanks Scott, Grant, and Vickie and the MicroHams club!


Planet Linux AustraliaStewart Smith: Raptor Blackbird support: all upstream in op-build

Thanks to my most recent PR being merged, op-build v2.5 will have full support for the Raptor Blackbird! This includes support for the “IPL Monitor” that’s required to get fan control going.

Note that if you’re running Fedora 32 then you need some patches to buildroot to have it build, but if you’re building on something a little older, then upstream should build and work straight out of the box (err… git tree).

I also note that the work to get Secure Boot for an OS Kernel going is starting to make its way out for code reviews, so that’s something to look forward to (although without a TPM we’re going to need extra code).

Krebs on SecurityU.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

A memo seen by KrebsOnSecurity that the Secret Service circulated to field offices around the United States on Thursday says the ring has been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims, and that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.”

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” the Secret Service warned. “The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.”

The Secret Service said the fraud network is believed to consist of hundred of “mules,” a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.

“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” the notice continues.

The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year.

In those schemes, the scammers typically recruit people — often victims of online romance scams or those who also are out of work and looking for any source of income — to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators.

A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said financial institutions in her state earlier this week started seeing a flood of high-dollar transfers tied to employment claims filed for people in Washington, with many transfers in the $9,000 to $20,000 range.

“It’s been unbelievable to see the huge number of bogus filings here, and in such large amounts,” Dodd said, noting that one fraudulent claim sent to a mule in Oklahoma was for more than $29,000. “I’m proud of our bankers because they’ve managed to stop a lot of these transfers, but some are already gone. Most mules seem to have [been involved in] romance scams.”

While it might seem strange that people in Washington would be asking to receive their benefits via ACH deposits at a bank in Oklahoma, Dodd said the people involved seem to have a ready answer if anyone asks: One common refrain is that the claimants live in Washington but were riding out the Coronavirus pandemic while staying with family in Oklahoma.

The Secret Service alert follows news reports by media outlets in Washington and Rhode Island about millions of dollars in fraudulent unemployment claims in those states. On Thursday, The Seattle Times reported that the activity had halted unemployment payments for two days after officials found more than $1.6 million in phony claims.

“Between March and April, the number of fraudulent claims for unemployment benefits jumped 27-fold to 700,” the state Employment Security Department (ESD) told The Seattle Times. The story noted that the ESD’s fraud hotline has been inundated with calls, and received so many emails last weekend that it temporarily shut down.

WPRI in Rhode Island reported on May 4 that the state’s Department of Labor and Training has received hundreds of complaints of unemployment insurance fraud, and that “the number of purportedly fraudulent accounts is keeping pace with the unprecedented number of legitimate claims for unemployment insurance.”

The surge in fraud comes as many states are struggling to process an avalanche of jobless claims filed as a result of the Coronavirus pandemic. The U.S. government reported Thursday that nearly three million people filed unemployment claims last week, bringing the total over the last two months to more than 36 million. The Treasury Department says unemployment programs delivered $48 billion in payments in April alone.

A few of the states listed as key targets of this fraud ring are experiencing some of the highest levels of unemployment claims in the country. Washington has seen nearly a million unemployment claims, with almost 30 percent of its workforce currently jobless, according to figures released by the U.S. Chamber of Commerce. Rhode Island is even worse off, with 31.4 percent of its workforce filing for unemployment, the Chamber found.

Dodd said she recently heard from an FBI agent who was aware of a company in Oklahoma that has seven employees and has received notices of claims on several hundred persons obviously not employed there.

“Oklahoma will likely be seeing the same thing,” she said. “There must be other states that are getting filings on behalf of Oklahomans.”

Indeed, the Secret Service says this scam is likely to affect all states that don’t take additional steps to weed out fraudulent filings.

“The banks targeted have been at all levels including local banks, credit unions, and large national banks,” the Secret Service alert concluded. “It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already.”

Update, May 16, 1:20 p.m. ET: Added comments from the Oklahoma Bankers Association.


CryptogramFriday Squid Blogging: Vegan "Squid" Made from Chickpeas

It's beyond Beyond Meat. A Singapore company wants to make vegan "squid" -- and shrimp and crab -- from chickpeas.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramOn Marcus Hutchins

Long and nuanced story about Marcus Hutchins, the British hacker who wrote most of the Kronos malware and also stopped WannaCry in real time. Well worth reading.

Worse Than FailureError'd: Destination Undefined

"It's good that I'm getting off at LTH, otherwise God knows what'd have happened to me," Elliot B. writes.


"Ummmm...Thanks for the 'great' deal, FedEx?" writes Ginnie.


David wrote, "Sure am glad that they have a men's version of this...I have so many things to do with my kitchen hands."


"I mean, the fact that you can't ship to undefined isn't wrong, but it's not right either," Kevin K. wrote.


Peter G. writes, "This must have been written by physicists, it's within +/- 10% of being correctly sorted."


"As if the thought of regular enemas don't make me clench my cheeks enough, there's this," wrote Quentin G.


[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!


CryptogramUS Government Exposes North Korean Malware

US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February.

The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool (RAT) "used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities."

This RAT is known for its capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.

TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft's Narrator.

The trojan "downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

Last but not least, PEBBLEDASH is yet another North Korean trojan acting like a full-featured beaconing implant and used by North Korean-backed hacking groups "to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

It's interesting to see the US government take a more aggressive stance on foreign malware. Making samples public, so all the antivirus companies can add them to their scanning systems, is a big deal -- and probably required some complicated declassification maneuvering.

Me, I like reading the codenames.

Lots more on the US-CERT website.