Planet Russell


Planet DebianJonathan Dowland: Lockdown music

Last Christmas, to make room for a tree, I dis-assembled my hifi unit and (temporarily, I thought) lugged my hi-fi and records up to the study.

Power, Corruption & Lies

I had been thinking about expanding the amount of storage I had for hifi and vinyl, perhaps moving from 2x2 storage cubes to 2x3, although Ikea don't make a 2x3 version of their stalwart vinyl storage line, the Kallax. I had begun exploring other options, both at Ikea and other places. Meanwhile, I re-purposed my old Expedit unit as storage for my daughter's Sylvanian Families.

Under Lockdown, I've spent a lot more time in my study, and so I've set up the hifi there. It turns out I have a lot more opportunity to enjoy the records up here, during work, and I've begun to explore some things which I haven't listened to in a long time, or possibly ever. I thought I'd start keeping track of some of them.

Power, Corruption and Lies is not something rarely listened to. It's steadily become my favourite New Order album. When I came across this copy (Factory, 1983), it was in pristine condition, but it now bears witness to my (mostly careful) use. There's now a scratch somewhere towards the end of the first track Age of Consent which causes my turntable to loop. By some good fortune the looping point is perfectly aligned to a bar. I don't always notice it straight away. This record rarely makes it back down from the turntable to where it's supposed to live.

Worse Than FailureCodeSOD: Dates by the Dozen

Before our regularly scheduled programming, Code & Supply, a developer community group we've collaborated with in the past, is running a salary survey, to gauge the state of the industry. More responses are always helpful, so I encourage you to take a few minutes and pitch in.

Cid was recently combing through an inherited Java codebase, and it predates Java 8. That’s a fancy way of saying “there were no good date builtins, just a mess of cruddy APIs”. That’s not to say that there weren’t date builtins prior to Java 8- they were just bad.

Bad, but better than this. Cid sent along a lot of code, and instead of going through it all, let’s get to some of the “highlights”. Much of this is stuff we’ve seen variations on before, but have been combined in ways to really elevate the badness. There are dozens of these methods, which we are only going to look at a sample of.

Let’s start with the String getLocalDate() method, which attempts to construct a timestamp in the form yyyyMMdd. As you can already predict, it does a bunch of string munging to get there, with blocks like:

switch (calendar.get(Calendar.MONTH)){
      case Calendar.JANUARY:
      case Calendar.FEBRUARY:

Plus, we get the added bonus of one of those delightful “how do I pad an integer out to two digits?” blocks:

if (calendar.get(Calendar.DAY_OF_MONTH) < 10) {
  sb.append("0" + calendar.get(Calendar.DAY_OF_MONTH));
else {

Elsewhere, they expect a timestamp to be in the form yyyyMMddHHmmssZ, so they wrote a handy void checkTimestamp method. Wait, void you say? Shouldn’t it be boolean?

Well here’s the full signature:

public static void checkTimestamp(String timestamp, String name)
  throws IOException

Why return a boolean when you can throw an exception on bad input? Unless the bad input is a null, in which case:

if (timestamp == null) {

Nulls are valid timestamps, which is useful to know. We next get a lovely block of checking each character to ensure that they’re digits, and a second check to ensure that the last is the letter Z, which turns out to be double work, since the very next step is:

int year = Integer.parseInt(timestamp.substring(0,4));
int month = Integer.parseInt(timestamp.substring(4,6));
int day = Integer.parseInt(timestamp.substring(6,8));
int hour = Integer.parseInt(timestamp.substring(8,10));
int minute = Integer.parseInt(timestamp.substring(10,12));
int second = Integer.parseInt(timestamp.substring(12,14));

Followed by a validation check for day and month:

if (day < 1) {
  throw new IOException(msg);
if ((month < 1) || (month > 12)) {
  throw new IOException(msg);
if (month == 2) {
  if ((year %4 == 0 && year%100 != 0) || year%400 == 0) {
    if (day > 29) {
      throw new IOException(msg);
  else {
    if (day > 28) {
      throw new IOException(msg);
if (month == 1 || month == 3 || month == 5 || month == 7
|| month == 8 || month == 10 || month == 12) {
  if (day > 31) {
    throw new IOException(msg);
if (month == 4 || month == 6 || month == 9 || month == 11) {
  if (day > 30) {
    throw new IOException(msg);

The upshot is they at least got the logic right.

What’s fun about this is that the original developer never once considered “maybe I need an intermediate data structure beside a string to manipulate dates”. Nope, we’re just gonna munge that string all day. And that is our entire plan for all date operations, which brings us to the real exciting part, where this transcends from “just regular old bad date code” into full on WTF territory.

Would you like to see how they handle adding units of time? Like days?

public static String additionOfDays(String timestamp, int intervall) {
  int year = Integer.parseInt(timestamp.substring(0,4));
  int month = Integer.parseInt(timestamp.substring(4,6));
  int day = Integer.parseInt(timestamp.substring(6,8));
  int len = timestamp.length();
  String timestamp_rest = timestamp.substring(8, len);
  int lastDayOfMonth = 31;
  int current_intervall = intervall;
  while (current_intervall > 0) {
    lastDayOfMonth = getDaysOfMonth(year, month);
    if (day + current_intervall > lastDayOfMonth) {
      current_intervall = current_intervall - (lastDayOfMonth - day);
      if (month < 12) {
      else {
        month = 1;
      day = 0;
    else {
      day = day + current_intervall;
      current_intervall = 0;
  String new_year = "" + year + "";
  String new_month = null;
  if (month < 10) {
    new_month = "0" + month + "";
  else {
    new_month = "" + month + "";
  String new_day = null;
  if (day < 10) {
    new_day = "0" + day + "";
  else {
    new_day = "" + day + "";
  return new String(new_year + new_month + new_day + timestamp_rest);

The only thing I can say is that here they realized that “hey, wait, maybe I can modularize” and figured out how to stuff their “how many days are in a month” logic into getDaysOfMonth, which you can see invoked above.

Beyond that, they manually handle carrying, and never once pause to think, “hey, maybe there’s a better way”.

And speaking of repeating code, guess what- there’s also a public static String additionOfSeconds(String timestamp, int intervall) method, too.

There are dozens of similar methods, Cid has only provided us a sample. Cid adds:

This particular developer didn’t trust in too fine modularization and code reusing (DRY!). So for every of this dozen of methods, he has implemented these date parsing/formatting algorithms again and again! And no, not just copy/paste; every time it is a real wheel-reinvention. The code blocks and the position of single code lines look different for every method.

Once Cid got too frustrated by this code, they went and reimplemented it in modern Java date APIs, shrinking the codebase by hundreds of lines.

The full blob of code Cid sent in follows, for your “enjoyment”:

public static String getLocalDate() {
  TimeZone tz = TimeZone.getDefault();
  GregorianCalendar calendar = new GregorianCalendar(tz);
  calendar.setTime(new Date());
  StringBuffer sb = new StringBuffer();
  switch (calendar.get(Calendar.MONTH)){
    case Calendar.JANUARY:
    case Calendar.FEBRUARY:
    case Calendar.MARCH:
    case Calendar.APRIL:
    case Calendar.MAY:
    case Calendar.JUNE:
    case Calendar.JULY:
    case Calendar.AUGUST:
    case Calendar.SEPTEMBER:
    case Calendar.OCTOBER:
    case Calendar.NOVEMBER:
    case Calendar.DECEMBER:
  if (calendar.get(Calendar.DAY_OF_MONTH) < 10) {
    sb.append("0" + calendar.get(Calendar.DAY_OF_MONTH));
  else {
  return sb.toString();

public static void checkTimestamp(String timestamp, String name)
throws IOException {
  if (timestamp == null) {
  String msg = new String(
      "Wrong date or time. (" + name + "=\"" + timestamp + "\")");
  int len = timestamp.length();
  if (len != 15) {
    throw new IOException(msg);
  for (int i = 0; i < (len - 1); i++) {
    if (! Character.isDigit(timestamp.charAt(i))) {
      throw new IOException(msg);
  if (timestamp.charAt(len - 1) != 'Z') {
    throw new IOException(msg);
  int year = Integer.parseInt(timestamp.substring(0,4));
  int month = Integer.parseInt(timestamp.substring(4,6));
  int day = Integer.parseInt(timestamp.substring(6,8));
  int hour = Integer.parseInt(timestamp.substring(8,10));
  int minute = Integer.parseInt(timestamp.substring(10,12));
  int second = Integer.parseInt(timestamp.substring(12,14));
  if (day < 1) {
    throw new IOException(msg);
  if ((month < 1) || (month > 12)) {
    throw new IOException(msg);
  if (month == 2) {
    if ((year %4 == 0 && year%100 != 0) || year%400 == 0) {
      if (day > 29) {
        throw new IOException(msg);
    else {
      if (day > 28) {
        throw new IOException(msg);
  if (month == 1 || month == 3 || month == 5 || month == 7
  || month == 8 || month == 10 || month == 12) {
    if (day > 31) {
      throw new IOException(msg);
  if (month == 4 || month == 6 || month == 9 || month == 11) {
    if (day > 30) {
      throw new IOException(msg);
  if ((hour < 0) || (hour > 24)) {
    throw new IOException(msg);
  if ((minute < 0) || (minute > 59)) {
    throw new IOException(msg);
  if ((second < 0) || (second > 59)) {
    throw new IOException(msg);

public static String additionOfDays(String timestamp, int intervall) {
  int year = Integer.parseInt(timestamp.substring(0,4));
  int month = Integer.parseInt(timestamp.substring(4,6));
  int day = Integer.parseInt(timestamp.substring(6,8));
  int len = timestamp.length();
  String timestamp_rest = timestamp.substring(8, len);
  int lastDayOfMonth = 31;
  int current_intervall = intervall;
  while (current_intervall > 0) {
    lastDayOfMonth = getDaysOfMonth(year, month);
    if (day + current_intervall > lastDayOfMonth) {
      current_intervall = current_intervall - (lastDayOfMonth - day);
      if (month < 12) {
      else {
        month = 1;
      day = 0;
    else {
      day = day + current_intervall;
      current_intervall = 0;
  String new_year = "" + year + "";
  String new_month = null;
  if (month < 10) {
    new_month = "0" + month + "";
  else {
    new_month = "" + month + "";
  String new_day = null;
  if (day < 10) {
    new_day = "0" + day + "";
  else {
    new_day = "" + day + "";
  return new String(new_year + new_month + new_day + timestamp_rest);

public static String additionOfSeconds(String timestamp, int intervall) {
  int hour = Integer.parseInt(timestamp.substring(8,10));
  int minute = Integer.parseInt(timestamp.substring(10,12));
  int second = Integer.parseInt(timestamp.substring(12,14));
  int new_second = (second + intervall) % 60;
  int minute_intervall = (second + intervall) / 60;
  int new_minute = (minute + minute_intervall) % 60;
  int hour_intervall = (minute + minute_intervall) / 60;
  int new_hour = (hour + hour_intervall) % 24;
  int day_intervall = (hour + hour_intervall) / 24;
  StringBuffer new_time = new StringBuffer();
  if (new_hour < 10) {
    new_time.append("0" + new_hour + "");
  else {
    new_time.append("" + new_hour + "");
  if (new_minute < 10) {
    new_time.append("0" + new_minute + "");
  else {
    new_time.append("" + new_minute + "");
  if (new_second < 10) {
    new_time.append("0" + new_second + "");
  else {
    new_time.append("" + new_second + "");
  if (day_intervall > 0) {
    return additionOfDays(timestamp.substring(0,8) + new_time.toString() + "Z", day_intervall);
  else {
    return (timestamp.substring(0,8) + new_time.toString() + "Z");

public static int getDaysOfMonth(int year, int month) {
  int lastDayOfMonth = 31;
  switch (month) {
    case 1: case 3: case 5: case 7: case 8: case 10: case 12:
      lastDayOfMonth = 31;
    case 2:
      if ((year % 4 == 0 && year % 100 != 0) || year %400 == 0) {
        lastDayOfMonth = 29;
      else {
        lastDayOfMonth = 28;
    case 4: case 6: case 9: case 11:
      lastDayOfMonth = 30;
  return lastDayOfMonth;
[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

CryptogramEFF's 30th Anniversary Livestream

It's the EFF's 30th birthday, and the organization is having a celebratory livestream today from 3:00 to 10:00 pm PDT.

There are a lot of interesting discussions and things. I am having a fireside chat at 4:10 pm PDT to talk about the Crypto Wars and more.

Stop by. And thank you for supporting EFF.

EDITED TO ADD: This event is over, but you can watch a recorded version on YouTube.


Planet DebianIan Jackson: MessagePack vs CBOR (RFC7049)

tl;dr: Use MessagePack, rather than CBOR.


I recently wanted to choose a binary encoding. This was for a project using Rust serde, so I looked at the list of formats there. I ended up reading about CBOR and MessagePack.

Both of these are binary formats for a JSON-like data model. Both of them are "schemaless", meaning you can decode them without knowing the structure. (This also provides some forwards compatibility.) They are, in fact, quite similar (although they are totally incompatible). This is no accident: CBOR is, effectively, a fork of MessagePack.

Both formats continue to exist and both are being used in new programs. I needed to make a choice but lacked enough information. I thought I would try to examine the reasons and nature of the split, and to make some kind of judgement about the situation. So I did a lot of reading [11]. Here are my conclusions.

History and politics

Between about 2010 and 2013 there was only MessagePack. Unfortunately, MessagePack had some problems. The biggest of these was that it lacked a separate string type. Strings were to be encoded simply as byte blocks. This caused serious problems for many MessagePack library implementors: for example, when decoding a MessagePack file the Python library wouldn't know whether to produce a Python bytes object, or a string. Straightforward data structures wouldn't round trip through MessagePack. [1] [2]

It seems that in late 2012 this came to the attention to someone with an IETF background. According to them, after unsatisfactory conversations with MessagePack upstream, they decided they would have to fork. They submitted an Internet Draft for a partially-incompatible protocol [3] [4]. Little seemed to happen in the IETF until soon before the Orlando in-person IETF meeting in February 2013.[5]

These conversations sparked some discussion in the MessagePack issue tracker. There were long threads including about process [1,2,4 ibid]. But there was also a useful technical discussion, about proposed backward compatible improves to the MessagePack spec.[5] The prominent IETF contributor provided some helpful input in these discussions in the MessagePack community - but also pushed quite hard for a "tagging" system, which suggestion was not accepted (see my technical analysis, below).

An improved MessagePack spec resulted, with string support, developed largely by the MessagePack community. It seems to have been available in useable form since mid-2013 and was officially published as canonical in August 2013.

Meanwhile a parallel process was pursued in the IETF, based on the IETF contributor's fork, with 11 Internet-Drafts from February[7] to September[8]. This seems to have continued even though the original technical reason for the fork - lack of string vs binary distinction - no longer applied. The IETF proponent expressed unhappiness about MessagePack's stewardship and process as much as they did about the technical details [4, ibid]. The IETF process culminated in the CBOR RFC[9].

The discussion on process questions between the IETF proponent and MessagePack upstream, in the MessagePack issue tracker [4, ibid] should make uncomfortable reading for IETF members. The IETF acceptance of CBOR despite clear and fundamental objections from MessagePack upstream[13] and indeed other respected IETF members[14], does not reflect well on the IETF. The much vaunted openness of the IETF process seems to have been rather one-sided. The IETF proponent here was an IETF Chair. Certainly the CBOR author was very well-spoken and constantly talks about politeness and cooperation and process; but what they actually did was very hostile. They accused the MessagePack community of an "us and them" attitude while simultaneously pursuing a forked specification!

The CBOR RFC does mention MessagePack in Appendix E.2. But not to acknowledge that CBOR was inspired by MessagePack. Rather, it does so to make a set of tendentious criticisms of MessagePack. Perhaps these criticisms were true when they were first written in an I-D but they were certainly false by the time the RFC was actually published, which occurred after the MessagePack improvement process was completely concluded, with a formal spec issued.

Since then both formats have existed in parallel. Occasionally people discuss which one is better, and sometimes it is alleged that "yes CBOR is the successor to MessagePack", which is not really fair.[9][10]

Technical differences

The two formats have a similar arrangement: initial byte which can encode small integers, or type and length, or type and specify a longer length encoding. But there are important differences. Overall, MessagePack is very significantly simpler.

Floating point

CBOR supports five floating point formats! Not only three sizes of IEEE754, but also decimal floating point, and bigfloats. This seems astonishing for a supposedly-simple format. (Some of these are supported via the semi-optional tag mechanism - see below.)

Indefinite strings and arrays

Like MessagePack, CBOR mostly precedes items with their length. But CBOR also supports "indefinite" strings, arrays, and so on, where the length is not specified at the beginning. The object (array, string, whatever) is terminated by a special "break" item. This seems to me to be a mistake. If you wanted the kind of application where MessagePack or CBOR would be useful, streaming sub-objects of unknown length is not that important. This possibility considerably complicates decoders.

CBOR tagging system

CBOR has a second layer of sort-of-type which can be attached to each data item. The set of possible tags is open-ended and extensible, but the CBOR spec itself gives tag values for: two kinds of date format; positive and negative bignums; decimal floats (see above); binary but expected to be encoded if converted to JSON (in base64url, base64, or base16); nestedly encoded CBOR; URIs; base64 data (two formats); regexps; MIME messages; and a special tag to make file(1) work.

In practice it is not clear how many of these are used, but a decoder must be prepared to at least discard them. The amount of additional spec complexity here is quite astonishing. IMO binary formats like this will (just like JSON) be used by a next layer which always has an idea of what the data means, including (where the data is a binary blob) what encoding it is in etc. So these tags are not useful.

These tags might look like a middle way between (i) extending the binary protocol with a whole new type such as an extension type (incompatible with old readers) and encoding your new kind data in a existing type (leaving all readers who don't know the schema to print it as just integers or bytes or string). But I think they are more trouble than they are worth.

The tags are uncomfortably similar to the ASN.1 tag system, which is widely regarded as one of ASN.1's unfortunate complexities.

MessagePack extension mechanism

MessagePack explicitly reserves some encoding space for users and for future extensions: there is an "extension type". The payload is an extension type byte plus some more data bytes; the data bytes are in a format to be defined by the extension type byte. Half of the possible extension byte values are reserved for future specification, and half are designated for application use. This is pleasingly straightforward.

(There is also one unused primary initial byte value, but that would be rejected by existing decoders and doesn't seem like a likely direction for future expansion.)

Minor other differences in integer encoding

The encodings of integers differ.

In MessagePack, signed and unsigned integers have different typecodes. In CBOR, signed and unsigned positive integers have the same typecodes; negative integers have a different set of typecodes. This means that a CBOR reader which knows it is expecting a signed value will have to do a top-bit-set check on the actual data value! And a CBOR writer must check the value to choose a typecode.

MessagePack reserves fewer shortcodes for small negative integers, than for small positive integers.

Conclusions and lessons

MessagePack seems to have been prompted into fixing the missing string type problem, but only by the threat of a fork. However, this fork went ahead even after MessagePack clearly accepted the need for a string type. MessagePack had a fixed protocol spec before the IETF did.

The continued pursuit of the IETF fork was ostensibly been motivated by a disapproval of the development process and in particular a sense that the IETF process was superior. However, it seems to me that the IETF process was abused by CBOR's proponent, who just wanted things their own way. I have seen claims by IETF proponents that the open decisionmaking system inherently produces superior results. However, in this case the IETF process produced a bad specification. To the extent that other IETF contributors had influence over the ultimate CBOR RFC, I don't think they significantly improved it. CBOR has been described as MessagePack bikeshedded by the IETF. That would have been bad enough, but I think it's worse than that. To a large extent CBOR is one person's NIH-induced bad design rubber stamped by the IETF. CBOR's problems are not simply matters of taste: it's significantly overcomplicated.

One lesson for the rest of us is that although being the upstream and nominally in charge of a project seems to give us a lot of power, it's wise to listen carefully to one's users and downstreams. Once people are annoyed enough to fork, the fork will have a life of its own.

Another lesson is that many of us should be much warier of the supposed moral authority of the IETF. Many IETF standards are awful (Oauth 2 [12]; IKE; DNSSEC; the list goes on). Sometimes (especially when network adoption effects are weak, as with MessagePack vs CBOR) better results can be obtained from a smaller group, or even an individual, who simply need the thing for their own uses.

Finally, governance systems of public institutions like the IETF need to be robust in defending the interests of outsiders (and hence of society at large) against eloquent insiders who know how to work the process machinery. Any institution which nominally serves the public good faces a constant risk of devolving into self-servingness. This risk gets worse the more powerful and respected the institution becomes.


  1. #13: First-class string type in serialization specification (MessagePack issue tracker, June 2010 - August 2013)
  2. #121: Msgpack can't differentiate between raw binary data and text strings (MessagePack issue tracker, November 2012 - February 2013)
  3. draft-bormann-apparea-bpack-00: The binarypack JSON-like representation format (IETF Internet-Draft, October 2012)
  4. #129: MessagePack should be developed in an open process (MessagePack issue tracker, February 2013 - March 2013)
  5. Re: JSON mailing list and BoF (IETF apps-discuss mailing list message from Carsten Bormann, 18 February 2013)
  6. #128: Discussions on the upcoming MessagePack spec that adds the string type to the protocol (MessagePack issue tracker, February 2013 - August 2013)
  7. draft-bormann-apparea-bpack-01: The binarypack JSON-like representation format (IETF Internet-Draft, February 2013)
  8. draft-bormann-cbor: Concise Binary Object Representation (CBOR) (IETF Internet-Drafts, May 2013 - September 2013)
  9. RFC 7049: Concise Binary Object Representation (CBOR) (October 2013)
  10. "MessagePack should be replaced with [CBOR] everywhere ..." (floatboth on Hacker News, 8th April 2017)
  11. Discussion with very useful set of history links (camgunz on Hacker News, 9th April 2017)
  12. OAuth 2.0 and the Road to Hell (Eran Hammer, blog posting from 2012, via Wayback Machine)
  13. Re: [apps-discuss] [Json] msgpack/binarypack (Re: JSON mailing list and BoF) (IETF list message from Sadyuki Furuhashi, 4th March 2013)
  14. "no apologies for complaining about this farce" (IETF list message from Phillip Hallam-Baker, 15th August 2013)
    Edited 2020-07-14 18:55 to fix a minor formatting issue, and 2020-07-14 22:54 to fix two typos

comment count unavailable comments

Krebs on Security‘Wormable’ Flaw Leads July Microsoft Patches

Microsoft today released updates to plug a whopping 123 security holes in Windows and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July’s care package from Redmond has a little something for everyone. So if you’re a Windows (ab)user, it’s time once again to back up and patch up (preferably in that order).

Top of the heap this month in terms of outright scariness is CVE-2020-1350, which concerns a remotely exploitable bug in more or less all versions of Windows Server that attackers could use to install malicious software simply by sending a specially crafted DNS request.

Microsoft said it is not aware of reports that anyone is exploiting the weakness (yet), but the flaw has been assigned a CVSS score of 10, which translates to “easy to attack” and “likely to be exploited.”

“We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction,” Microsoft wrote in its documentation of CVE-2020-1350. “DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts.”

CVE-2020-1350 is just the latest worry for enterprise system administrators in charge of patching dangerous bugs in widely-used software. Over the past couple of weeks, fixes for flaws with high severity ratings have been released for a broad array of software products typically used by businesses, including Citrix, F5, Juniper, Oracle and SAP. This at a time when many organizations are already short-staffed and dealing with employees working remotely thanks to the COVID-19 pandemic.

The Windows Server isn’t the only nasty one addressed this month that malware or malcontents can use to break into systems without any help from users. A full 17 other critical flaws fixed in this release tackle security weaknesses that Microsoft assigned its most dire “critical” rating, such as in Office, Internet Exploder, SharePoint, Visual Studio, and Microsoft’s .NET Framework.

Some of the more eyebrow-raising critical bugs addressed this month include CVE-2020-1410, which according to Recorded Future concerns the Windows Address Book and could be exploited via a malicious vcard file. Then there’s CVE-2020-1421, which protects against potentially malicious .LNK files (think Stuxnet) that could be exploited via an infected removable drive or remote share. And we have the dynamic duo of CVE-2020-1435 and CVE-2020-1436, which involve problems with the way Windows handles images and fonts that could both be exploited to install malware just by getting a user to click a booby-trapped link or document.

Not to say flaws rated “important” as opposed to critical aren’t also a concern. Chief among those is CVE-2020-1463, a problem within Windows 10 and Server 2016 or later that was detailed publicly prior to this month’s Patch Tuesday.

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for a particular Windows update to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files. Last month’s bundle of joy from Microsoft sent my Windows 10 system into a perpetual crash state. Thankfully, I was able to restore from a recent backup.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Also, keep in mind that Windows 10 is set to apply patches on its own schedule, which means if you delay backing up you could be in for a wild ride. If you wish to ensure the operating system has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches whenever it sees fit, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, keep an eye on the AskWoody blog from Woody Leonhard, who keeps a reliable lookout for buggy Microsoft updates each month.

TEDAll together now: Notes on Session 8 of TED2020

It’s been an unforgettable eight weeks of TED2020, the first-ever virtual TED conference. For the final session: a call to moral leadership, a rethink on what it means to be a citizen, some pointers on how to make a good argument from a Supreme Court litigator and much more. Below, read a recap of the inspiring ideas by amazing speakers (and check out the full coverage of the conference here).

“If you make a good argument, it has the power to outlive you, to stretch beyond your core, to reach future minds,” says Supreme Court litigator Neal Katyal. He speaks at TED2020: Uncharted on July 9, 2020. (Photo courtesy of TED)

Neal Katyal, Supreme Court litigator

Big idea: Empathy and long-term drive are key to crafting persuasive and successful arguments.

Why? Winning an argument isn’t just about drowning out an opponent or proving them wrong — it’s about leveraging empathy and human connection to draw a comprehensive understanding of the circumstance and, ultimately, highlight the most just solution. As a Supreme Court litigator, Neal Katyal has argued some of the most impactful cases of recent history, including the case against the 2017 Muslim travel ban and the case against waterboarding and Guantanamo Bay military tribunals. In his experience, he realized that while good courtroom practices include extensive practice and avoiding displays of emotion, crafting a successful argument takes more. Sometimes arguments fail — and it’s at that moment of failure that empathy is most important. Katyal hasn’t won every case he’s argued, but through failure he’s been able to better understand the core of his work and refine his arguments to resonate more deeply. By drawing strength and drive from our personal histories and principles, we can identify why our arguments advance justice and how we can articulate it more clearly to our opponents. “The question is not how to win every argument — it’s how to get back up when we lose,” Katyal says. “In the long run, good arguments will win out. If you make a good argument, it has the power to outlive you, to stretch beyond your core, to reach future minds. Even if you don’t win right now, if you make a good argument, history will prove you right.”

“America is above all an idea, however unrealized and imperfect, one that only exists because the first settlers came here freely without worry of citizenship,” says immigrant rights advocate Jose Antonio Vargas. He speaks at TED2020: Uncharted on July 9, 2020. (Photo courtesy of TED)

Jose Antonio Vargas, immigrant rights advocate

Big idea: Americans need to identify their own immigrant narratives — and overturn their preconceived notions of what it means to be a citizen.

How? If you live in the United States and are not a Native American (whose ancestors were already in North America when the first European settlers arrived) or an African American (whose ancestors were brought to the US by force), you are the descendant of an immigrant — and chances are you haven’t thought enough about what American citizenship means, says Jose Antonio Vargas. “What most people don’t understand about immigration is what they don’t understand about themselves — their family’s old migration stories and the processes they had to go through before green cards and walls even existed, or what shaped their understanding of citizenship itself,” he says. By asking yourself three questions — “Where did you come from?” “How did you get here?” and “Who paid?” — Vargas believes that people can come to realize that citizenship doesn’t mean simply being accepted into a society by an accident of birth or a rule of law; it also means participating in and contributing to a community, and educating others. And it demands that we become something greater than ourselves: citizens who are ultimately responsible to each other.

Abena Koomson-Davis performs “People Get Ready” and “Love in Need of Love” at TED2020: Uncharted on July 9, 2020. (Photo courtesy of TED)

Performer, educator and wordsmith Abena Koomson Davis keeps the session moving with a capella performances of “People Get Ready” and “Love in Need of Love.”

“Let this be our moment to move forward with the fierce urgency of a new generation, fortified with our most profound and collective wisdom,” says Jacqueline Novogratz, founder and CEO of Acumen. She speaks at TED2020: Uncharted on July 9, 2020. (Photo courtesy of TED)

Jacqueline Novogratz, founder and CEO of Acumen

Big idea: We must start the hard, long work of moral revolution, putting our shared humanity and the sustainability of the earth at the center of our systems and prioritizing the collective instead of the individual.

How? Our problems are interdependent and entangled. To fix them, we need more than a systems shift — we need a mindshift, says Jacqueline Novogratz. Pulling from her storied career empowering people in underdeveloped communities worldwide, she shares some of the wisdom and knowledge she’s earned in transforming her own unbridled optimism into hard-edged hope and lasting change. For humanity to spark its own moral revolution, we need an entirely new set of operating principles, of which she offers three to start: moral imagination, in seeing people equal to ourselves, neither idealizing or victimizing; holding opposing values in tension, with leaders cultivating trust by making important decisions in service of others, not themselves; and accompaniment, encouraging others to join in and walk along the side of morality. This work may seem tough, but Novogratz reminds us that we don’t change in the easy times, we change in the difficult times. Discomfort can be seen as a proxy for progress. “Let this be our moment to move forward with the fierce urgency of a new generation, fortified with our most profound and collective wisdom” she says. “And ask yourself: What can you do with the rest of today, and the rest of your life, to give back to the world more than you take?”

Eric Whitacre introduces “Sing Gently,” an original composition performed by a virtual choir made up of singers from across the globe. He speaks at TED2020: Uncharted on July 9, 2020. (Photo courtesy of TED)

Eric Whitacre, composer and conductor

Big idea: A virtual choir — representing 17,572 singers across 129 countries — can show us how connected we all still are.

How? When the COVID-19 crisis hit, Whitacre felt compelled to create a virtual choir. (Check out his epic performance from TED2013 to hear what that sounds like.) He wanted to make a kind of music to help the world heal, to encourage a gentle way of living with each other. So he composed “Sing Gently,” a piece inspired by the Japanese art form kintsugi — the art of repairing broken pottery with gilded epoxies, thereby illuminating the pottery’s “wounds,” as opposed to hiding them. Whitacre hopes that his staggeringly large virtual choir, spliced together with contributions of singers across the globe, will have the same kind of effect on our torn social fabric. “When we are through all of this, we will be stronger and more beautiful because of it,” he says.

“I truly feel that if all of us took care of the earth as a practice, as a culture, none of us would have to be full-time climate activists,” says Xiye Bastida. She speaks at TED2020: Uncharted on July 9, 2020. (Photo courtesy of TED)

Xiye Bastida, climate activist

Big idea: Humanity needs to cultivate the heart and courage to love the world.

How? In a letter to her abuela, Xiye Bastida reflects on being a leading voice of youth climate activism and Indigenous and immigrant visibility. Bastida’s days are occupied with mobilizing masses in New York City to join the climate movement, joining Greta Thunberg’s global climate strike and becoming fluent in climate science (all while sacrificing the normal activities of a teenager). “I do this work because you showed me that resilience, love and knowledge are enough to make a difference,” she writes to her abuela. Bastida shows us that, with unwavering commitment rooted in love, we are capable of igniting far more than we can imagine. “People make it so easy for me to talk to them, but they make it so hard for me to teach them,” Bastida says. “I want them to have the confidence to always do their best. I want them to have the heart and the courage to love the world.”

TEDConversations on what’s next in tech, government and activism: Week 8 of TED2020

The final week of TED2020 featured conversations with experts on work, tech, government, activism and more, who shared thoughts on how we can build back better after the pandemic. Below, a recap of insights shared throughout the week.

“We are living through the tech-enabled unraveling of full-time employment itself,” says anthropologist Mary L. Gray. She speaks with TED business curator Corey Hajim at TED2020: Uncharted on July 6, 2020. (Photo courtesy of TED)

Mary L. Gray, anthropologist

Big idea: AI-driven, service-on-demand companies like TaskRabbit, Amara and Amazon have built a new, invisible workforce.

How? The COVID-19 pandemic has sharply accelerated the world’s online services economy, and it’s amplifying a transition to a distributed workforce. If the thousands of jobs with no benefits, health care or safety net are any indication, society has yet to figure out how to treat the isolated human service provider, says Mary L. Gray. Over the next five years, we’ll need to fill millions of new tech jobs, most of which are built around solving the problems artificial intelligence can’t handle. How will we safeguard the new, abundant and diverse workforce that will fill these jobs, while ensuring that our changing economy is both equitable and sustainable? We often don’t value the people behind the scenes, but Gray believes it’s in society’s best interest to help workers thrive in a chaotic career landscape by providing the social services that companies don’t. “The marketplace alone can’t make the future of AI-enabled service work equitable or sustainable,” Gray says. “That’s up to us.”

Zoom CEO Eric Yuan discusses the company’s explosive growth in conversation with TED technology curator Simone Ross at TED2020: Uncharted on July 6, 2020. (Photo courtesy of TED)

Eric Yuan, CEO, Zoom

Big idea: Although we might be physically separated by distance, we can still create connection.

How? When coronavirus hit, Zoom’s business exploded overnight. Originally built for business meetings and remote work, the software is now used by people all over the world to teach school classes, do yoga with friends and even get married. Zoom CEO Eric Yuan discusses how the company met this new demand and their plans to grow quickly, explaining how Zoom created the most popular video chat software by listening to its users and creating a product to suit their needs. He envisions a Zoom of the future that will be even more user-centric, by providing an experience that rivals face-to-face gatherings with things like digital handshakes and real-time language translations. After the pandemic, Yuan doesn’t think all business and events should be conducted over Zoom. Instead, he predicts a hybrid model where people work from home more often but still go into the office for social interaction and connection. Addressing recent security concerns, he explains that the company will design a simplified security package for first-time users to protect their privacy online. “We are going to keep working as hard as we can to make the world a better place,” he says.

“UV is like hitting the RNA of the virus with a sledgehammer,” says radiation scientist David Brenner, discussing how far-UVC light could be used to stop the spread of SARS-CoV-2. He speaks with TED science curator David Biello at TED2020: Uncharted on July 7, 2020. (Photo courtesy of TED)

David Brenner, radiation scientist

Big idea: We can use far-UVC light to stop the spread of SARS-CoV-2, the virus responsible for COVID-19.

How? Far-UVC light is a wavelength of ultraviolet light that kills bacteria and, crucially, is safe to use around humans. Over the past five years, Brenner and colleagues have conducted studies showing that far-UVC light doesn’t penetrate human skin or eyes but does have powerful germicidal capacities, killing coronaviruses at a highly effective rate. (He first laid out that idea for us in his talk from TED2017.) His team is now testing far-UVC light against SARS-CoV-2, paving the way for a potentially game-changing tool in the fight against COVID-19 and future coronavirus pandemics. Here’s how it would work: we’d install far-UVC lights in ceilings (just like normal lights) and keep them on continuously throughout the day — in hospital waiting rooms, subways and other indoor spaces — to maintain a sterilization effect. This doesn’t mean we would stop wearing masks or social distancing, Brenner notes, but we would have a powerful new weapon against the novel coronavirus. The primary challenge now lies in ramping up production of far-UVC products, Brenner says, though he’s hopeful a plethora of them will be available by the end of the year — providing a ray of hope in these pandemic times. “UV is like hitting the RNA of the virus with a sledgehammer,” he says.

“If you change your city, you’re changing the world,” says Eric Garcetti, chair of C40 Cities and mayor of City of Los Angeles. He speaks with TED current affairs curator Whitney Pennington Rodgers at TED2020: Uncharted on July 7, 2020. (Photo courtesy of TED)

Eric Garcetti, chair of C40 Cities and mayor of City of Los Angeles

Big idea: We need to rebuild our cities to be inclusive, green and sustainable.

How? In this moment of rebuilding, Garcetti shares the tangible ways Los Angeles and other cities around the world are working towards economic and social justice and climate action while battling COVID-19. By focusing on greening infrastructure, transportation and energy production, cities are turning this moment into an opportunity. “If we don’t have a just economy, the social fabric will tear apart … whether that’s based on racial prejudice and racism that’s historic, whether it’s based on economic discrimination caste systems, whether it’s looking at the way that the economy is putting more and more wealth in the hands of fewer and fewer people,” Garcetti says. “We really see an opportunity to bring these together because the big mega industries of tomorrow are green industries.” By setting the responsibility of racial and gender equality on the shoulders of leadership, measuring progress and holding them accountable, he thinks we can create a more inclusive and prosperous future.

“There’s never that moment where you feel: ‘OK this the right moment to challenge the system.’ Because you might end up waiting your whole life,” says education activist Malala Yousafzai. She speaks with TED current affairs curator Whitney Pennington Rodgers at TED2020: Uncharted on July 8, 2020. (Photo courtesy of TED)

Malala Yousafzai, education activist

Big idea: In the wake of the coronavirus pandemic, things won’t be the same. But it’s an important opportunity for change — with Gen Z leading the way.

How? Let’s start with Yousafzai herself: a recent graduate of Oxford University and the youngest person to ever win a Nobel Peace Prize, whose biggest dream and current activism encompasses gender equality. Her activism is grounded in education for girls, with the hope that it transforms the world into a place where women are empowered to positively impact every corner of society. Before COVID-19 and between classes, she traveled on behalf of her organization, the Malala Fund, to help create a platform for girls to speak out and urge leaders to eradicate unfair treatment based on gender. Now she’s concerned about the many girls who will lose their access to education because of the pandemic, and she maintains that we must continue to fight for them as the world changes. She has fears just like everyone else but holds on to hope through examples of Gen Z activists and change-makers taking the lead across the world to fight for a better future for all. A few ways to help now? Support activists and organizations working in your community, organize social media campaigns and start writing letters to your political leaders demanding progress, so that you too can join in fixing what’s broken.

Planet DebianMarkus Koschany: My Free Software Activities in June 2020

Welcome to Here is my monthly report (+ the first week in July) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

Short news

  • The last month saw a new upstream release of Minetest (version 5.3.), a multi-player sandbox game similar to Minecraft. A backport to buster-backports will follow shortly.
  • Asher Gordon helped release a new version of Berusky 2, a sokoban like logic game but in 3D. The game received several improvements including bug fixes, code polishing and a new way to access the data files. Previously those files were all packed in a special container format but now they can be accessed directly without someone having to rely on some sort of unarchiver. I have uploaded this version as 0.12-1 to Debian unstable.
  • I tested an upstream patch for empire to address the build failure with GCC 10. This one is a better solution than the currently implemented workaround and I expect it to be included in the next upstream release.
  • I fixed two FTBFS in simutrans-pak64 and simutrans-pak128.britain, two addon packages for the simulation game simutrans.

Debian Java

  • New upstream versions this month: hsqldb, libpdfbox2-java, jackson-jr, jackson-dataformat-xml and jackson-databind. The latter upload addressed several security vulnerabilites which have become rather minor because upstream has enabled safe default typing by default now. Nevertheless I have prepared a buster-security update as well which is already available in buster-proposed-updates.


  • I packaged new versions of wabt, privacybadger and binaryen and applied another upstream patch for xarchiver to address the incomplete fix for Debian bug #959914, to better handle encrypted multi-volume 7zip archives.
  • By popular request I uploaded imlib2 version 1.6 to buster-backports because the image library supports the webp format now.

Debian LTS

This was my 52. month as a paid contributor and I have been paid to work 60 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-2278-1. Issued a security update for squid3 fixing 19 CVE.
  • DLA-2279-1. Issued a security update for tomcat8 fixing 2 CVE.
  • Prepared and uploaded a stretch-pu update for jackson-databind fixing 20 CVE. (#964727)
  • Synced the proftpd-dfsg version from Jessie with Stretch to address a memory leak which leads to a denial-of-service and correct the version number to make seemless updates work.
  • Prepared the security update for imagemagick triaging and/or fixing 76 CVE.
  • Worked on updating the database about embedded code copies to determine how packages are affected by security vulnerabilities in embedded code copies. This included a) compiling a list of important packages which are regular affected by CVE, b) investigating if embedded code copies are present, c) determining the possible impact of a security vulnerability in those embedded code copies, d) writing a script that automates printing those findings on demand.

Thanks for reading and see you next time.

CryptogramEnigma Machine for Sale

A four-rotor Enigma machine -- with rotors -- is up for auction.

CryptogramHalf a Million IoT Passwords Leaked

It is amazing that this sort of thing can still happen:

...the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Telnet? Default passwords? In 2020?

We have a long way to go to secure the IoT.

EDITED TO ADD (7/14): Apologies, but I previously blogged this story in January.

Worse Than FailureRepresentative Line: An Exceptional Leader

IniTech’s IniTest division makes a number of hardware products, like a protocol analyzer which you can plug into a network and use to monitor data in transport. As you can imagine, it involves a fair bit of software, and it involves a fair bit of hardware. Since it’s a testing and debugging tool, reliability, accuracy, and stability are the watchwords of the day.

Which is why the software development process was overseen by Russel. Russel was the “Alpha Geek”, blessed by the C-level to make sure that the software was up to snuff. This lead to some conflict- Russel had a bad habit of shoulder-surfing his fellow developers and telling them what to type- but otherwise worked very well. Foibles aside, Russel was technically competent, knew the problem domain well, and had a clean, precise, and readable coding style which all the other developers tried to imitate.

It was that last bit which got Ashleigh’s attention. Because, scattered throughout the entire C# codebase, there are exception handlers which look like this:

	// some code, doesn't matter what
	// ...
catch (Exception ex)
   ex = ex;

This isn’t the sort of thing which one developer did. Nearly everyone on the team had a commit like that, and when Ashleigh asked about it, she was told “It’s just a best practice. We’re following Russel’s lead. It’s for debugging.”

Ashleigh asked Russel about it, but he just grumbled and had no interest in talking about it beyond, “Just… do it if it makes sense to you, or ignore it. It’s not necessary.”

If it wasn’t necessary, why was it so common in the codebase? Why was everyone “following Russel’s lead”?

Ashleigh tracked down the original commit which started this pattern. It was made by Russel, but the exception handler had one tiny, important difference:

catch (Exception ex)
   ex = ex; //putting this here to set a breakpoint

Yes, this was just a bit of debugging code. It was never meant to be committed. Russel pushed it into the main history by accident, and the other developers saw it, and thought to themselves, “If Russel does it, it must be the right thing to do,” and started copying him.

By the time Russel noticed what was going on, it was too late. The standard had been set while he wasn’t looking, and whether it was ego or cowardice, Russel just could never get the team to follow his lead away from the pointless pattern.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Planet DebianRussell Coker: Debian PPC64EL Emulation

In my post on Debian S390X Emulation [1] I mentioned having problems booting a Debian PPC64EL kernel under QEMU. Giovanni commented that they had PPC64EL working and gave a link to their site with Debian QEMU images for various architectures [2]. I tried their image which worked then tried mine again which also worked – it seemed that a recent update in Debian/Unstable fixed the bug that made QEMU not work with the PPC64EL kernel.

Here are the instructions on how to do it.

First you need to create a filesystem in an an image file with commands like the following:

truncate -s 4g /vmstore/ppc
mkfs.ext4 /vmstore/ppc
mount -o loop /vmstore/ppc /mnt/tmp

Then visit the Debian Netinst page [3] to download the PPC64EL net install ISO. Then loopback mount it somewhere convenient like /mnt/tmp2.

The package qemu-system-ppc has the program for emulating a PPC64LE system, the qemu-user-static package has the program for emulating PPC64LE for a single program (IE a statically linked program or a chroot environment), you need this to run debootstrap. The following commands should be most of what you need.

apt install qemu-system-ppc qemu-user-static

update-binfmts --display

# qemu ppc64 needs exec stack to solve "Could not allocate dynamic translator buffer"
# so enable that on SE Linux systems
setsebool -P allow_execstack 1

debootstrap --foreign --arch=ppc64el --no-check-gpg buster /mnt/tmp file:///mnt/tmp2
chroot /mnt/tmp /debootstrap/debootstrap --second-stage

cat << END > /mnt/tmp/etc/apt/sources.list
deb buster main
deb buster/updates main
echo "APT::Install-Recommends False;" > /mnt/tmp/etc/apt/apt.conf

echo ppc64 > /mnt/tmp/etc/hostname

# /usr/bin/awk: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
# only needed for chroot
setsebool allow_execmod 1

chroot /mnt/tmp apt update
# why aren't they in the default install?
chroot /mnt/tmp apt install perl dialog
chroot /mnt/tmp apt dist-upgrade
chroot /mnt/tmp apt install bash-completion locales man-db openssh-server build-essential systemd-sysv ifupdown vim ca-certificates gnupg
# install kernel last because systemd install rebuilds initrd
chroot /mnt/tmp apt install linux-image-ppc64el
chroot /mnt/tmp dpkg-reconfigure locales
chroot /mnt/tmp passwd

cat << END > /mnt/tmp/etc/fstab
/dev/vda / ext4 noatime 0 0
#/dev/vdb none swap defaults 0 0

mkdir /mnt/tmp/root/.ssh
chmod 700 /mnt/tmp/root/.ssh
cp ~/.ssh/ /mnt/tmp/root/.ssh/authorized_keys
chmod 600 /mnt/tmp/root/.ssh/authorized_keys

rm /mnt/tmp/vmlinux* /mnt/tmp/initrd*
mkdir /boot/ppc64
cp /mnt/tmp/boot/[vi]* /boot/ppc64

# clean up
umount /mnt/tmp
umount /mnt/tmp2

# setcap binary for starting bridged networking
setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper

# afterwards set the access on /etc/qemu/bridge.conf so it can only
# be read by the user/group permitted to start qemu/kvm
echo "allow all" > /etc/qemu/bridge.conf

Here is an example script for starting kvm. It can be run by any user that can read /etc/qemu/bridge.conf.

set -e

KERN="kernel /boot/ppc64/vmlinux-4.19.0-9-powerpc64le -initrd /boot/ppc64/initrd.img-4.19.0-9-powerpc64le"

# single network device, can have multiple
NET="-device e1000,netdev=net0,mac=02:02:00:00:01:04 -netdev tap,id=net0,helper=/usr/lib/qemu/qemu-bridge-helper"

# random number generator for fast start of sshd etc
RNG="-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0"

# I have lockdown because it does no harm now and is good for future kernels
# I enable SE Linux everywhere
KERNCMD="net.ifnames=0 noresume security=selinux root=/dev/vda ro lockdown=confidentiality"

kvm -drive format=raw,file=/vmstore/ppc64,if=virtio $RNG -nographic -m 1024 -smp 2 $KERN -curses -append "$KERNCMD" $NET

TEDConversations on building back better: Week 7 of TED2020

Week 7 of TED2020 featured conversations on where the coronavirus pandemic is heading, the case for reparations, how we can better connect with each other and how capitalism must change to build a more equitable society. Below, a recap of insights shared throughout the week.

Bill Gates discusses where the coronavirus pandemic is heading, in conversation with head of TED Chris Anderson at TED2020: Uncharted on June 29, 2020. (Photo courtesy of TED)

Bill Gates, technologist, philanthropist

Big idea: The coronavirus pandemic isn’t close to being over, but we’re making scientific progress to mitigate its impact.

How? Bill Gates talks best (and worst) case scenarios for the coronavirus pandemic in the months ahead. This fall could be quite bad in the United States, he admits, as there is speculation among researchers that COVID-19 may be seasonal and its force of infection will increase as the weather cools. But there’s also good progress on the innovation track, he says: the steroid dexamethasone was found to have benefits for critically ill patients, and monoclonal antibodies seem promising, as well. In short: we’ll have some additional support for the fall if things do indeed get worse. Gates also explains the challenges of reducing virus transmission (namely, the difficulty of identifying “superspreaders”); provides an update on promising vaccine candidates; offers his thoughts on reopening; takes a moment to address conspiracy theories circulating about himself; and issues a critical call to fellow philanthropists to ramp up their action, ambition and awareness to create a better world for all.

Chloé Valdary shares the thinking behind the “theory of enchantment,” a framework that uses pop culture as an educational tool. She speaks with TED business curator Corey Hajim at TED2020: Uncharted on June 30, 2020. (Photo courtesy of TED)

Chloé Valdary, writer, entrepreneur

Big Idea: Pop culture can show us how to love ourselves and one another, the first step in creating systemic change.

How? Chloé Valdary developed the “theory of enchantment,” a social-emotional learning program that applies pop culture to teach people how to meet the hardships of life by developing tools for resilience, including learning to love oneself. This love for oneself, she believes, is foundational to loving others. Built on the idea of “enchantment” — the process by which you delight someone with a concept, idea, personality or thing — the program uses beloved characters like Disney’s Moana, lyrics from Kendrick Lamar and Beyoncé and even trusted brands like Nike to teach three principles: treat people like human beings, not political abstractions; never criticize a person to tear them down, only to uplift and empower them; and root everything you do in love and compassion. The program aims to engender love and ultimately advance social change. “If you don’t understand the importance of loving yourself and loving others, you’re more prone to descend into rage and to map into madness and become that bad actor and to treat people unfairly, unkindly,” she says. “As a result that will, of course, contribute to a lot of the systemic injustice that we’re seeing today.”

Economist and author William “Sandy” Darity makes the case for reparations — and explains why they must be structured to eliminate the racial wealth gap in the United States. He speaks with TED current affairs curator Whitney Pennington Rodgers at TED2020: Uncharted on June 30, 2020. (Photo courtesy of TED)

William “Sandy” Darity, economist, author

Big Idea: The time has come to seriously talk about reparations: direct financial payments to the descendants of slaves for hundreds of years of injustice.

How? A growing consciousness of America’s systemic white supremacy (built on mass incarceration, police violence, discrimination in markets and the immense wealth gap between black and white communities) has brought contemporary politics to a boil. How does the country dismantle the intertwined legacies of slavery and the unequal, trans-generational wealth distribution that has overwhelmingly benefited white people? Reparations are not only a practical means to address the harm visited upon Black Americans by centuries of economic exclusion, but also a chance for white America to acknowledge the damage that has been done — a crucial step to reconciliation and true equality. To truly redress the harm done to descendants of slavery, reparations must seek to eliminate the racial wealth gap. Darity believes that, for the first time since Reconstruction promised formerly enslaves people “40 acres and a mule,” reparations are entering the mainstream political discussion, and a once wildly speculative idea seems to lie within the realm of possibility. “It’s always an urgent time to adopt reparations,” Darity says. “It has been an urgent time for the 155 years since the end of American slavery, where no restitution has been provided. It’s time for the nation to pay the debt; it’s time for racial justice.”

“Hope is the oxygen of democracy and we, through inequality and the economic injustice, we see far too much of an America literally asphyxiating hope,” says Darren Walker, president of the Ford Foundation. He speaks with head of TED Chris Anderson at TED2020: Uncharted on July 1, 2020. (Photo courtesy of TED)

Darren Walker, president of the Ford Foundation

Big idea: We need to consider a new kind of philanthropy and capitalism rooted in accountability and equity.

Why? Darren Walker says wealthy philanthropists shouldn’t ask themselves, “What do I do to give back?” — but rather, “What am I willing to give up?” Discussing how comfort and privilege intermix to contribute to injustice, Walker shows why for true progress to be made, tax policies must be changed for wealthier citizens and entitlement cast aside. In a country full of exhaustion, grief and anger, Walker calls for nuance in handling complex ideas like defunding the police. In order for change to be long-lasting, we must eliminate tokenism and hold corporations accountable long after they fade from the day’s headlines. Quoting Langston Hughes, Walker says: “I believe that we no longer can wait for that ‘someday’ — that this generation should not have to say ‘someday in the future, America will be America.’ The time for America to be America is today.”

Quote of the talk: “Hope is the oxygen of democracy and we, through inequality and the economic injustice, we see far too much of an America literally asphyxiating hope. Just as we saw the murder of George Floyd, the breath was taken out of his body by a man who was there to protect and promote. It’s a metaphor for what is happening in our society, where people who are Black and Brown, queer, marginalized are literally being asphyxiated by a system that does not recognize their humanity. If we are to build back better, that must change.”


Krebs on SecurityBreached Data Indexer ‘Data Viper’ Hacked

Data Viper, a security startup that provides access to some 15 billion usernames, passwords and other information exposed in more than 8,000 website breaches, has itself been hacked and its user database posted online. The hackers also claim they are selling on the dark web roughly 2 billion records Data Viper collated from numerous breaches and data leaks, including data from several companies that likely either do not know they have been hacked or have not yet publicly disclosed an intrusion.

The apparent breach at St. Louis, Mo. based Data Viper offers a cautionary and twisted tale of what can happen when security researchers seeking to gather intelligence about illegal activity online get too close to their prey or lose sight of their purported mission. The incident also highlights the often murky area between what’s legal and ethical in combating cybercrime.

Data Viper is the brainchild of Vinny Troia, a security researcher who runs a cyber threat intelligence company called Night Lion Security. Since its inception in 2018, Data Viper has billed itself as a “threat intelligence platform designed to provide organizations, investigators and law enforcement with access to the largest collection of private hacker channels, pastes, forums and breached databases on the market.”

Many private companies sell access to such information to vetted clients — mainly law enforcement officials and anti-fraud experts working in security roles at major companies that can foot the bill for these often pricey services.

Data Viper has sought to differentiate itself by advertising “access to private and undisclosed breach data.” As KrebsOnSecurity noted in a 2018 story, Troia has acknowledged posing as a buyer or seller on various dark web forums as a way to acquire old and newly-hacked databases from other forum members.

But this approach may have backfired over the weekend, when someone posted to the deep web a link to an “e-zine” (electronic magazine) describing the Data Viper hack and linking to the Data Viper user base. The anonymous poster alleged he’d been inside Data Viper for months and had exfiltrated hundreds of gigabytes of breached data from the service without notice.

The intruder also linked to several dozen new sales threads on the dark web site Empire Market, where they advertise the sale of hundreds of millions of account details from dozens of leaked or hacked website databases that Data Viper allegedly acquired via trading with others on cybercrime forums.

An online post by the attackers who broke into Data Viper.

Some of the databases for sale tie back to known, publicly reported breaches. But others correspond to companies that do not appear to have disclosed a security incident. As such, KrebsOnSecurity is not naming most of those companies and is currently attempting to ascertain the validity of the claims.

KrebsOnSecurity did speak with Victor Ho, the CEO of, a company that helps smaller firms run customer loyalty programs. The hackers claimed they are selling 44 million records taken from Fivestars last year. Ho said he was unaware of any data security incident and that no such event had been reported to his company, but that Fivestars is now investigating the claims. Ho allowed that the number of records mentioned in the dark web sales thread roughly matches the number of users his company had last year.

But on Aug. 3, 2019, Data Viper’s Twitter account casually noted, “FiveStars — 44m breached records added – incl Name, Email, DOB.” The post, buried among a flurry of similar statements about huge caches of breached personal information added to Data Viper, received hardly any attention and garnered just one retweet.


Reached via Twitter, Troia acknowledged that his site had been hacked, but said the attackers only got access to the development server for Data Viper, and not the more critical production systems that power the service and which house his index of compromised credentials.

Troia said the people responsible for compromising his site are the same people who hacked the databases they are now selling on the dark web and claiming to have obtained exclusively from his service.

What’s more, Troia believes the attack was a preemptive strike in response to a keynote he’s giving in Boston this week: On June 29, Troia tweeted that he plans to use the speech to publicly expose the identities of the hackers, who he suspects are behind a large number of website break-ins over the years.

Hacked or leaked credentials are prized by cybercriminals engaged in “credential stuffing,” a rampant form of cybercrime that succeeds when people use the same passwords across multiple websites. Armed with a list of email addresses and passwords from a breached site, attackers will then automate login attempts using those same credentials at hundreds of other sites.

Password re-use becomes orders of magnitude more dangerous when website developers engage in this unsafe practice. Indeed, a January 2020 post on the Data Viper blog suggests credential stuffing is exactly how the group he plans to discuss in his upcoming talk perpetrated their website compromises.

In that post, Troia wrote that the hacker group, known variously as “Gnostic Players” and “Shiny Hunters,” plundered countless website databases using roughly the same method: Targeting developers using credential stuffing attacks to log into their GitHub accounts.

“While there, they would pillage the code repositories, looking for AWS keys and similar credentials that were checked into code repositories,” Troia wrote.

Troia said the intrusion into his service wasn’t the result of the credential re-use, but instead because his developer accidentally left his credentials exposed in documents explaining how customers can use Data Viper’s application programming interface.

“I will say the irony of how they got in is absolutely amazing,” Troia said. “But all of this stuff they claim to be selling is [databases] they were already selling. All of this is from Gnostic players. None of it came from me. It’s all for show to try and discredit my report and my talk.”

Troia said he didn’t know how many of the databases Gnostic Players claimed to have obtained from his site were legitimate hacks or even public yet.

“As for public reporting on the databases, a lot of that will be in my report Wednesday,” he said. “All of my ‘reporting’ goes to the FBI.”


The e-zine produced by the Data Viper hackers claimed that Troia used many nicknames on various cybercrime forums, including the moniker “Exabyte” on OGUsers, a forum that’s been closely associated with account takeovers.

In a conversation with KrebsOnSecurity, Troia acknowledged that this Exabyte attribution was correct, noting that he was happy about the exposure because it further solidified his suspicions about who was responsible for hacking his site.

This is interesting because some of the hacked databases the intruders claimed to have acquired after compromising Data Viper correspond to discoveries credited to Troia in which companies inadvertently exposed tens of millions of user details by leaving them publicly accessible online at cloud services like Amazon’s EC2.

For example, in March 2019, Troia said he’d co-discovered a publicly accessible database containing 150 gigabytes of plaintext marketing data — including 763 million unique email addresses. The data had been exposed online by, an email validation firm.

On Oct 12, 2019, a new user named Exabyte registered on RaidForums — a site dedicated to sharing hacked databases and tools to perpetrate credential stuffing attacks. That Exabyte account was registered less than two weeks after Troia created his Exabyte identity on OGUsers. The Exabyte on RaidForums posted on Dec. 26, 2019 that he was providing the community with something of a belated Christmas present: 200 million accounts leaked from

“ is finally here!” Exabyte enthused. “This release contains 69 of 70 of the original databases, totaling 200+ million accounts.”

Exabyte’s offer of the database on RaidForums.

In May 2018, Troia was featured in and many other publications after discovering that sales intelligence firm Apollo left 125 million email addresses and nine billion data points publicly exposed in a cloud service. As I reported in 2018, prior to that disclosure Troia had sought my help in identifying the source of the exposed data, which he’d initially and incorrectly concluded was exposed by Rather, Apollo had scraped and collated the data from many different sites, including LinkedIn.

Then in August 2018, someone using the nickname “Soundcard” posted a sales thread to the now-defunct Kickass dark web forum offering the personal information of 212 million LinkedIn users in exchange for two bitcoin (then the equivalent of ~$12,000 USD). Incredibly, Troia had previously told me that he was the person behind that Soundcard identity on the Kickass forum.

Soundcard, a.k.a. Troia, offering to sell what he claimed was all of LinkedIn’s user data, on the Dark Web forum Kickass.

Asked about the Exabyte posts on RaidForums, Troia said he wasn’t the only one who had access to the data, and that the full scope of what’s been going on would become clearer soon.

“More than one person can have the same name ‘Exabyte,” Troia said. “So much from both sides you are seeing is smoke and mirrors.”

Smoke and mirrors, indeed. It’s entirely possible this incident is an elaborate and cynical PR stunt by Troia to somehow spring a trap on the bad guys. Troia recently published a book on threat hunting, and on page 360 (PDF) he describes how he previously staged a hack against his own site and then bragged about the fake intrusion on cybercrime forums in a bid to gather information about specific cybercriminals who took the bait — the same people, by the way, he claims are behind the attack on his site.


While the trading of hacked databases may not technically be illegal in the United States, it’s fair to say the U.S. Department of Justice (DOJ) takes a dim view of those who operate services marketed to cybercriminals.

In January 2020, U.S. authorities seized the domain of, an online service that for three years sold access to data hacked from other websites. Two men were arrested in connection with that seizure. In February 2017, the Justice Department took down LeakedSource, a service that operated similarly to WeLeakInfo.

The DOJ recently released guidance (PDF) to help threat intelligence companies avoid the risk of prosecution when gathering and purchasing data from illicit sources online. The guidelines suggest that some types of intelligence gathering — particularly exchanging ill-gotten information with others on crime forums as a way to gain access to other data or to increase one’s status on the forum — could be especially problematic.

“If a practitioner becomes an active member of a forum and exchanges information and communicates directly with other forum members, the practitioner can quickly become enmeshed in illegal conduct, if not careful,” reads the Feb. 2020 DOJ document.

The document continues:

“It may be easier for an undercover practitioner to extract information from sources on the forum who have learned to trust the practitioner’s persona, but developing trust and establishing bona fides as a fellow criminal may involve offering useful information, services, or tools that can be used to commit crimes.”

“Engaging in such activities may well result in violating federal criminal law. Whether a crime has occurred usually hinges on an individual’s actions and intent. A practitioner must avoid doing anything that furthers the criminal objectives of others on the forums. Even though the practitioner has no intention of committing a crime, assisting others engaged in criminal conduct can constitute the federal offense of aiding and abetting.”

“An individual may be found liable for aiding and abetting a federal offense if her or she takes an affirmative act — even an act that is lawful on its own — that is in furtherance of the crime and conducted with the intent of facilitating the crime’s commission.”

Planet DebianAntoine Beaupré: Not recommending Purism

This is just a quick note to mention that I have updated my hardware documentation on the Librem 13v4 laptop. It has unfortunately turned into a rather lengthy (and ranty) piece about Purism. Let's just say that waiting weeks for your replacement laptop (yes, it died again) does wonders for creativity. To quote the full review:

TL;DR: I recommend people avoid the Purism brand and products. I find they have questionable politics, operate in a "libre-washing" fashion, and produce unreliable hardware. Will not buy again.

People who have read the article might want to jump directly to the new sections:

I have also added the minor section of the missing mic jack.

I realize that some folks (particularly at Debian) might still work at Purism, and that this article might be demoralizing for their work. If that is the case, I am sorry this article triggered you in any way and I hope this can act as a disclaimer. But I feel it is my duty to document the issues I am going through, as a user, and to call bullshit when I see it (let's face it, the anti-interdiction stuff and the Purism 5 crowd-funding campaign were total bullshit).

I also understand that the pandemic makes life hard for everyone, and probably makes a bad situation at Purism worse. But those problems existed before the pandemic happened. They were issues I had identified in 2019 and that I simply never got around to document.

I wish that people wishing to support the free software movement would spend their energy towards organisations that actually do honest work in that direction, like System76 and Pine64. And if you're going to go crazy with an experimental free hardware design, why not go retro with the MNT Reform.

In the meantime, if you're looking for a phone, I recommend you give the Fairphone a fair chance. It really is a "fair" (as in, not the best, but okay) phone that you can moderately liberate, and it actually frigging works. See also my hardware review of the FP2.

TEDConversations on capitalism and climate change: Week 6 of TED2020

For week 6 of TED2020, experts in the economy and climate put a future driven by sustainable transformation into focus. Below, a recap of insights shared throughout the week.

Economist Mariana Mazzucato talks about how to make sure the trillions we’re investing in COVID-19 recovery are actually put to good use — and explores how innovative public-private partnerships can drive change. She speaks with TED Global curator Bruno Giussani at TED2020: Uncharted on June 22, 2020. (Photo courtesy of TED)

Mariana Mazzucato, economist

Big idea: Government can (and should) play a bold, dynamic and proactive role in shaping markets and sparking innovation — working together with the private sector to drive deep structural change.

How? In the face of three simultaneous crises — health, finance and climate — we need to address underlying structural problems instead of hopping from one crisis to the next, says Mariana Mazzucato. She calls for us to rethink how government and financial systems work, shifting towards a system in which the public sector creates value and take risks. (Learn more about value creation in Mazzucato’s talk from 2019.) “We need a different [economic] framing, one that’s much more about market cocreation and market-shaping, not market fixing,” she says. How do you shape a market? Actively invest in essential systems like health care and public education, instead of justing responding once the system is already broken. Mazzucato calls for businesses and government to work together around a new social contract — one that brings purpose and stakeholder value to the center of the ecosystem. To motivate this, she makes the case for a mission-oriented approach, whereby public entities, corporations and small businesses focus their various efforts on a big problem like climate change or COVID-19. It starts with an inspirational challenge, Mazzucato says, paving the way for projects that galvanize innovation and bottom-up experimentation.

“When survival is at stake, and when our children and future generations are at stake, we’re capable of more than we sometimes allow ourselves to think we can do,” says climate advocate Al Gore. “This is such a time. I believe we will rise to the occasion and we will create a bright, clean, prosperous, just and fair future. I believe it with all my heart.” Al Gore speaks with head of TED Chris Anderson at TED2020: Uncharted on June 23, 2020. (Photo courtesy of TED)

Al Gore, climate advocate

Big idea: To continue lowering emissions, we must focus on transitioning manufacturing, transportation and agriculture to wind- and solar-powered electricity.

How? As coronavirus put much of the world on pause, carbon emissions dropped by five percent. But keeping those rates down to reach the Paris Climate Agreement goal of zero emissions by 2050 will require active change in our biggest industries, says climate advocate Al Gore. He discusses how the steadily declining cost of wind- and solar-generated electricity will transform transportation, manufacturing and agriculture, while creating millions of new jobs and offering a cleaner and cheaper alternative to fossil fuels and nuclear energy. He offers specific measures we can implement, such as retrofitting inefficient buildings, actively managing forests and oceans and adopting regenerative agriculture like sequestering carbon in topsoil. With serious national plans, a focused global effort and a new generation of young people putting pressure on their employers and political parties, Gore is optimistic about tackling climate change. “When survival is at stake, and when our children and future generations are at stake, we’re capable of more than we sometimes allow ourselves to think we can do,” he says. “This is such a time. I believe we will rise to the occasion and we will create a bright, clean, prosperous, just and fair future. I believe it with all my heart.” Watch the full conversation here.

“We collectively own the capital market, and we are all universal owners,” says financier Hiro Mizuno says. “So let’s work together to make the whole capital market and business more sustainable and protect our own investment and our own planet.” He speaks with TED business curator Corey Hajim at TED2020: Uncharted on June 24, 2020. (Photo courtesy of TED)

Hiro Mizuno, financier and former chief investment officer of Japan’s Government Investment Pension Fund

Big idea: For investors embracing ESG principles (responsible investing in ecology, social and governance), it’s not enough to “break up” with the bad actors in our portfolios. If we really want zero-carbon markets, we must also tilt towards the good global business citizens and incentivize sustainability for the market as a whole.

How? Hiro Mizuno believes that fund managers have two main tools at their disposal to help build a more sustainable market. First, steer funds towards businesses that are transforming to become more sustainable — because if we just punish those that aren’t, we’re merely allowing irresponsible investors to reap their profits. Second, fund managers must take a more active role in the governance of companies via proxy voting in order to lead the fight against climate change. “We collectively own the capital market, and we are all universal owners,” Mizuno says. “So let’s work together to make the whole capital market and business more sustainable and protect our own investment and our own planet.”

What would happen if we shifted our stock-market mindset to encompass decades, lifetimes or even generations? Michelle Greene, president of the Long-Term Stock Exchange, explores that idea in conversation with Chris Anderson and Corey Hajim as part of TED2020: Uncharted on June 24, 2020. (Photo courtesy of TED)

Michelle Greene, president of the Long-Term Stock Exchange

Big idea: In today’s markets, investors tend to think in daily and quarterly numbers — and as a result, we have a system that rewards short-term decisions that harm the long-term health of our economy and the planet. What would happen if we shifted that mindset to encompass decades, lifetimes or even generations?

How? In order to change how companies “show up” in the world, we need to change the playing field entirely. And since the stock exchange makes the rules that govern listed companies, why not create a new one? By holding companies to binding rules, the Long-Term Stock Exchange does just that, with mandatory listing standards built around core principles like diversity and inclusion, investment in employees and environmental responsibility. “What we’re trying to do is create a place where companies can maintain their focus on their long-term mission and vision, and at the same time be accountable for their impact on the broader world,” Greene says.

TEDTED and Qatar Foundation unveil TEDinArabic: A new initiative to identify and amplify ideas in the Arabic language

TED and Qatar Foundation have launched TEDinArabic. The joint two-year initiative, featuring an ideas search, live event and custom digital destination, will provide a global platform for thinkers, researchers, artists and change-makers across the Arabic-speaking world to share their ideas with a global audience.

As part of its mission of “ideas worth spreading,” TED is committed to enabling inspiring ideas to crisscross languages and borders. TEDinArabic is TED’s first initiative to focus on sharing solutions, inventions and stories in the Arabic language. Qatar Foundation — a nonprofit organization supporting Qatar on its journey to becoming a diversified and sustainable economy — believes in unlocking human potential. It is committed to preserving, promoting and celebrating the Arabic language and providing platforms for people to share their knowledge, perspectives and ideas.

TEDinArabic is where these two beliefs meet. Recognizing the value of diverse perspectives, TEDinArabic will spread the ideas of Arabic speakers to new audiences, magnifying their reach and impact.

“We are thrilled to partner with Qatar Foundation to bring ideas from Arabic-speaking regions to the world,” said Chris Anderson, head of TED. “We at TED have always valued the power of delivering talks in one’s native language, and the nuance and richness that comes with doing so. The TEDinArabic initiative is an important step in that journey. As we bring this program to life, together with Qatar Foundation, we are grateful for the support of an organization that shares our passion and dedication to education and ideas.”

Her Excellency Sheikha Hind bint Hamad Al Thani, Vice Chairperson and CEO of Qatar Foundation, said: “Language is more than just a means of communication: it influences the way we think and how we frame our perceptions on a subconscious level. With TEDinArabic, I hope we can continue the process of amplifying ideas from our region to a global audience in a language that is synonymous with innovation and new thinking. We are proud to be partnering with TED, with whom we share the belief that everyone’s mind and voice can make a difference, as together we aim to build a new culture of idea-generation that stretches across the Arab world and beyond.” 

A foundational part of the initiative’s engagement approach is an ideas search spanning the Middle East, during which selected ideas will be celebrated at regional events throughout 2021. The idea search will result in the selection of 16 speakers to give TED Talks at the partnership’s culminating flagship event in Doha, Qatar, in 2022. This event will offer the TED conference experience in the heart of the Middle East, and showcase the boldest and most inspiring ideas to emerge from the Arabic-speaking world. 

To house the initiative’s content library, TED has built a custom digital destination. Content will focus on topics that matter to the Arabic-speaking world and will include a combination of TED-original and TED-translated content, such as blog articles, TED-Ed video lessons and custom video content. 

The impact of TEDinArabic is intended to endure long after this two-year partnership, with the digital destination and its content remaining live after the culmination of this partnership.

You can find out more at Or, check out a conversation hosted as part of TED2020: Uncharted, in which TED global curator Bruno Giussani sat down with Dr. Ahmad M. Hasnah of Qatar Foundation’s Hamad Bin Khalifa University to discuss education amid the pandemic.

Cory DoctorowFull Employment

This week’s podcast is a reading of Full Employment, my latest Locus column. It’s a counter to the argument about automation-driven unemployment – namely, that we will have hundreds of years of full employment facing the climate emergency and remediating the damage it wreaks. From relocating all our coastal cities to replacing aviation routes with high-speed rails to the caring and public health work for hundreds of millions of survivors of plagues, floods and fires, we are in no danger of running out of work. The real question is: how will we mobilize people to do the work needed to save our species and the only known planet in the entire universe that can sustain it?


Planet DebianBits from Debian: Debian Long Term Support (LTS) users and contributors survey

On July 18th Stretch LTS starts, offering two more years of security support to the Debian Stretch release. Stretch LTS will be the fourth iteration of LTS, following Squeeze LTS which started in 2014, Wheezy LTS in 2016 and Jessie LTS in 2018.

However, for the first time, we have prepared a small survey about our users and contributors, who they are and why they are using LTS.

Filling out the survey should take less than 10 minutes. We would really appreciate if you could participate in the survey online!

In two weeks (July 27th 2020) we will close the survey, so please don't hesitate and participate now! After that, there will be a followup email with the results.

More information about Debian LTS is available at, including generic contact information.

Click here to fill out the survey now!

CryptogramA Peek into the Fake Review Marketplace

A personal account of someone who was paid to buy products on Amazon and leave fake reviews.

Fake reviews are one of the problems that everyone knows about, and no one knows what to do about -- so we all try to pretend doesn't exist.

Worse Than FailureA Revolutionary Vocabulary

Changing the course of a large company is much like steering the Titanic: it's probably too late, it's going to end in tears, and for some reason there's going to be a spirited debate about the bouyancy and stability of the doors.

Shena works at Initech, which is already a gigantic, creaking organization on the verge of toppling over. Management recognizes the problems, and knows something must be done. They are not, however, particularly clear about what that something should actually be, so they handed the Project Management Office a budget, told them to bring in some consultants, and do something.

The PMO dutifully reviewed the list of trendy buzzwords in management magazines, evaluated their budget, and brought in a team of consultants to "Establish a culture of continuous process improvement" that would "implement Agile processes" and "break down silos" to ensure "high functioning teams that can successfully self-organize to meet institutional objectives on time and on budget" using "the best-in-class tools" to support the transition.

Any sort of organizational change is potentially scary, to at least some of the staff. No matter how toxic or dysfunctional an organization is, there's always someone who likes the status quo. There was a fair bit of resistance, but the consultants and PMO were empowered to deal with them, laying off the fortunate, or securing promotions to vaguely-defined make-work jobs for the deeply unlucky.

There were a handful of true believers, the sort of people who had landed in their boring corporate gig years before, and had spent their time gently suggesting that things could possibly be better, slightly. They saw the changes as an opportunity, at least until they met the reality of trying to acutally commit to changes in an organization the size of Initech.

The real hazard, however, were the members of the Project Management Office who didn't actually care about Initech, their peers, or process change: they cared about securing their own little fiefdom of power. People like Debbie, who before the consultants came, had created a series of "Project Checkpoint Documents". Each project was required to fill out the 8 core documents, before any other work began, and Debbie was the one who reviewed them- which meant projects didn't progress without her say-so. Or Larry, who was a developer before moving into project management, and thus was in charge of the code review processes for the entire company, despite not having written anything in a language newer than COBOL85.

Seeing that the organizational changes would threaten their power, people like Debbie or Larry did the only thing they could do: they enthusiastically embraced the changes and labeled themselves the guardians of the revolution. They didn't need to actually do anything good, they didn't need to actually facilitate the changes, they just needed to show enthusiasm and look busy, and generate the appearance that they were absolutely critical to the success of the transition.

Debbie, specifically, got herself very involved in driving the adoption of Jira as their ticket tracking tool, instead of the hodge-podge of Microsoft Project, spreadsheets, emails, and home-grown ticketing systems. Since this involved changing the vocubulary they used to talk about projects, it meant Debbie could spend much of her time policing the language used to describe projects. She ran trainings to explain what an "Epic" or a "Story" were, about how to "rightsize stories so you can decompose them into actionable tasks". But everything was in flux, which meant the exact way Initech developers were meant to use Jira kept changing, almost on a daily basis.

Which is why Shena eventually received this email from the Project Management Office.


As part of our process improvement efforts, we'll be making some changes to how we track work in JIRA. Epics are now to only be created by leadership. They will represent mission-level initiatives that we should all strive for. For all development work tracking, the following shall be the process going forward to account for the new organizational communication directive:

  • Treat Features as Epics
  • Treat Stories as Features
  • Treat Tasks as Stories
  • Treat Sub-tasks as Tasks
  • If you need Sub-tasks, create a spreadsheet to track them within your team.

Additionally, the following is now reflected in the status workflows and should be adhered to:

  • Features may not be deleted once created. Instead, use the Cancel functionality.
  • Cancelled tasks will be marked as Done
  • Done tasks should now be marked as Complete

As she read this glorious and transcended piece of Newspeak, Shena couldn't help but wonder about her laid off co-workers, and wonder if perhaps she shouldn't join them.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!


Planet DebianAntoine Beaupré: On contact tracing apps

I have strong doubts about the efficiency of any tracing app of the sort, and even less in the context where it is unlikely that a majority of the population will use it.

There's also the problem that this app would need to work on Apple phones, or be incompatible with them, and cause significant "fracture" between those who have access to technology, and those who haven't. See this text for more details.

Such an app would be a security and privacy liability at no benefit to public health. There are better options, see for this research on hardware tokens. But I doubt any contact tracing app or hardware will actually work anyways.

I am a computer engineer with more than 20 years of experience in the domain, and I have been following this question closely.

Please don't do this.

I wrote the above in a response to the Québec government's survey about a possible tracing app.

Update: a previous version of this article was titled plainly "on contact tracing". In case that was not obvious, I definitely do not object to contact tracing per se. I believe it's a fundamental, critical, and important part of fighting the epidemic and I think we should do it. I do not believe any engineer has found a proper way of doing it with "apps" so far, but I do not deny the utility and importance of "contact tracing" itself. Apologies for the confusion.

Pour une raison que je m'explique mal, le sondage m'été envoyé en anglais, et j'ai donc écrit ma réponse dans la langue de Shakespeare au lieu de celle de molière... Je serai heureux de fournir une traduction française à ceux ou celles qui en ont besoin...

Planet DebianEnrico Zini: Police brutality links

I was a police officer for nearly ten years and I was a bastard. We all were.
We've detected that JavaScript is disabled in your browser. Would you like to proceed to legacy Twitter?
As nationwide protests over the deaths of George Floyd and Breonna Taylor are met with police brutality, John Oliver discusses how the histories of policing ...
La morte di Stefano Cucchi avvenne a Roma il 22 ottobre 2009 mentre il giovane era sottoposto a custodia cautelare. Le cause della morte e le responsabilità sono oggetto di procedimenti giudiziari che hanno coinvolto da un lato i medici dell'ospedale Pertini,[1][2][3][4] dall'altro continuano a coinvolgere, a vario titolo, più militari dell’Arma dei Carabinieri[5][6]. Il caso ha attirato l'attenzione dell'opinione pubblica a seguito della pubblicazione delle foto dell'autopsia, poi riprese da agenzie di stampa, giornali e telegiornali italiani[7]. La vicenda ha ispirato, altresì, documentari e lungometraggi cinematografici.[8][9][10]
La morte di Giuseppe Uva avvenne il 14 giugno 2008 dopo che, nella notte tra il 13 e il 14 giugno, era stato fermato ubriaco da due carabinieri che lo portarono in caserma, dalla quale venne poi trasferito, per un trattamento sanitario obbligatorio, nell'ospedale di Varese, dove morì la mattina successiva per arresto cardiaco. Secondo la tesi dell'accusa, la morte fu causata dalla costrizione fisica subita durante l'arresto e dalle successive violenze e torture che ha subito in caserma. Il processo contro i due carabinieri che eseguirono l'arresto e contro altri sei agenti di polizia ha assolto gli imputati dalle accuse di omicidio preterintenzionale e sequestro di persona[1][2][3][4]. Alla vicenda è dedicato il documentario Viva la sposa di Ascanio Celestini[1][5].
Il caso Aldrovandi è la vicenda giudiziaria causata dall'uccisione di Federico Aldrovandi, uno studente ferrarese, avvenuta il 25 settembre 2005 a seguito di un controllo di polizia.[1][2][3] I procedimenti giudiziari hanno condannato, il 6 luglio 2009, quattro poliziotti a 3 anni e 6 mesi di reclusione, per "eccesso colposo nell'uso legittimo delle armi";[1][4] il 21 giugno 2012 la Corte di cassazione ha confermato la condanna.[1] All'inchiesta per stabilire la cause della morte ne sono seguite altre per presunti depistaggi e per le querele fra le parti interessate.[1] Il caso è stato oggetto di grande attenzione mediatica e ha ispirato un documentario, È stato morto un ragazzo.[1][5]
Federico Aldrovandi (17 July 1987 in Ferrara – 25 September 2005 in Ferrara) was an Italian student, who was killed by four policemen.[1]
24 Giugno 2020

Planet DebianEvgeni Golov: Using Ansible Molecule to test roles in monorepos

Ansible Molecule is a toolkit for testing Ansible roles. It allows for easy execution and verification of your roles and also manages the environment (container, VM, etc) in which those are executed.

In the Foreman project we have a collection of Ansible roles to setup Foreman instances called forklift. The roles vary from configuring Libvirt and Vagrant for our CI to deploying full fledged Foreman and Katello setups with Proxies and everything. The repository also contains a dynamic Vagrant file that can generate Foreman and Katello installations on all supported Debian, Ubuntu and CentOS platforms using the previously mentioned roles. This feature is super helpful when you need to debug something specific to an OS/version combination.

Up until recently, all those roles didn't have any tests. We would run ansible-lint on them, but that was it.

As I am planning to do some heavier work on some of the roles to enhance our upgrade testing, I decided to add some tests first. Using Molecule, of course.

Adding Molecule to an existing role is easy: molecule init scenario -r my-role-name will add all the necessary files/examples for you. It's left as an exercise to the reader how to actually test the role properly as this is not what this post is about.

Executing the tests with Molecule is also easy: molecule test. And there are also examples how to integrate the test execution with the common CI systems.

But what happens if you have more than one role in the repository? Molecule has support for monorepos, however that is rather limited: it will detect the role path correctly, so roles can depend on other roles from the same repository, but it won't find and execute tests for roles if you run it from the repository root. There is an undocumented way to set MOLECULE_GLOB so that Molecule would detect test scenarios in different paths, but I couldn't get it to work nicely for executing tests of multiple roles and upstream currently does not plan to implement this. Well, bash to the rescue!

for roledir in roles/*/molecule; do
    pushd $(dirname $roledir)
    molecule test

Add that to your CI and be happy! The CI will execute all available tests and you can still execute those for the role you're hacking on by just calling molecule test as you're used to.

However, we can do even better.

When you initialize a role with Molecule or add Molecule to an existing role, there are quite a lot of files added in the molecule directory plus an yamllint configuration in the role root. If you have many roles, you will notice that especially the molecule.yml and .yamllint files look very similar for each role.

It would be much nicer if we could keep those in a shared place.

Molecule supports a "base config": a configuration file that gets merged with the molecule.yml of your project. By default, that's ~/.config/molecule/config.yml, but Molecule will actually look for a .config/molecule/config.yml in two places: the root of the VCS repository and your HOME. And guess what? The one in the repository wins (that's not yet well documented). So by adding a .config/molecule/config.yml to the repository, we can place all shared configuration there and don't have to duplicate it in every role.

And that .yamllint file? We can also move that to the repository root and add the following to Molecule's (now shared) configuration:

lint: yamllint --config-file ${MOLECULE_PROJECT_DIRECTORY}/../../.yamllint --format parsable .

This will define the lint action as calling yamllint with the configuration stored in the repository root instead of the project directory, assuming you store your roles as roles/<rolename>/ in the repository.

And that's it. We now have a central place for our Molecule and yamllint configurations and only need to place role-specific data into the role directory.

Planet DebianDirk Eddelbuettel: drat 0.1.7: New functionality

drat user

A new version of drat arrived on CRAN yesterday. Once again, this release is mostly the work of Felix Ernst who extended some work from the previous release, and added support for repository updates (outside of package insertion) and more.

drat stands for drat R Archive Template, and helps with easy-to-create and easy-to-use repositories for R packages. Since its inception in early 2015 it has found reasonably widespread adoption among R users because repositories with marked releases is the better way to distribute code.

As your mother told you: Friends don’t let friends install random git commit snapshots. Rolled-up releases it is. drat is easy to use, documented by five vignettes and just works.

The NEWS file summarises the release as follows:

Changes in drat version 0.1.7 (2020-07-10)

  • Functions insertPackages, archivePackages and prunePackages are now vectorised (Patrick Schratz and Felix Ernst in #93, #100).

  • The new functionality is supported by unit tests (Felix Ernst in #93, and #102 fixing #101).

  • Added new function updateRepo (Felix Ernst in #95, #97).

Courtesy of CRANberries, there is a comparison to the previous release. More detailed information is on the drat page.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Planet DebianSimon Quigley: Adventures in Writing

The Linux community is a fascinating and powerful space.

When I joined the Ubuntu project approximately five years ago, I (vaguely at the time) understood that there was a profound sense of community and passion everywhere that is difficult to find in other spaces. My involvement has increased, and so has my understanding. I had thought of starting a blog as a means of conveying the information that I stumbled across, but my writing skills were very crude and regrettable, being in my early teenage years.

I have finally decided to take the leap. In this blog, I would like to occasionally provide updates on my work, either through focused deep dives on a particular topic, or broad updates on low hanging fruit that has been eliminated. While the articles may be somewhat spontaneous, I decided that an initial post was in order to explain my goals. Feel free to subscribe for more detailed posts in the future, as there are many more to come.

CryptogramFriday Squid Blogging: China Closing Its Squid Spawning Grounds

China is prohibiting squid fishing in two areas -- both in international waters -- for two seasons, to give squid time to recover and reproduce.

This is the first time China has voluntarily imposed a closed season on the high seas. Some experts regard it as an important step forward in China's management of distant-water fishing (DWF), and crucial for protecting the squid fishing industry. But others say the impact will be limited and that stronger oversight of fishing vessels is needed, or even a new fisheries management body specifically for squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.


TEDConversations on social progress: Week 3 of TED2020

For week 3 of TED2020, global leaders in technology, vulnerability research and activism gathered for urgent conversations on how to foster connection, channel energy into concrete social action and work to end systemic racism in the United States. Below, a recap of their insights.

“When we see the internet of things, let’s make an internet of beings. When we see virtual reality, let’s make it a shared reality,” says Audrey Tang, Taiwan’s digital minister for social innovation. She speaks with TED science curator David Biello at TED2020: Uncharted on June 1, 2020. (Photo courtesy of TED)

Audrey Tang, Taiwan’s digital minister for social innovation

Big idea: Digital innovation rooted in communal trust can create a stronger, more transparent democracy that is fast, fair — and even fun.

How? Taiwan has built a “digital democracy” where digital innovation drives active, inclusive participation from all its citizens. Sharing how she’s helped transform her government, Audrey Tang illustrates the many creative and proven ways technology can be used to foster community. In responding to the coronavirus pandemic, Taiwan created a collective intelligence system that crowdsources information and ideas, which allowed the government to act quickly and avoid a nationwide shutdown. They also generated a publicly accessible map that shows the availability of masks in local pharmacies to help people get supplies, along with a “humor over rumor” campaign that combats harmful disinformation with comedy. In reading her job description, Tang elegantly lays out the ideals of digital citizenship that form the bedrock of this kind of democracy: “When we see the internet of things, let’s make an internet of beings. When we see virtual reality, let’s make it a shared reality. When we see machine learning, let’s make it collaborative learning. When we see user experience, let’s make it about human experience. And whenever we hear the singularity is near, let us always remember the plurality is here.”

Brené Brown explores how we can harness vulnerability for social progress and work together to nurture an era of moral imagination. She speaks with TED’s head of curation Helen Walters at TED2020: Uncharted on June 2, 2020. (Photo courtesy of TED)

Brené Brown, Vulnerability researcher, storyteller

Big question: The United States is at its most vulnerable right now. Where do we go from here?

Some ideas: As the country reels from the COVID-19 pandemic and the murder of George Floyd, along with the protests that have followed, Brené Brown offers insights into how we might find a path forward. Like the rest of us, she’s in the midst of processing this moment, but believes we can harness vulnerability for progress and work together to nurture an era of moral imagination. Accountability must come first, she says: people have to be held responsible for their racist behaviors and violence, and we have to build safe communities where power is shared. Self-awareness will be key to this work: the ability to understand your emotions, behaviors and actions lies at the center of personal and social change and is the basis of empathy. This is hard work, she admits, but our ability to experience love, belonging, joy, intimacy and trust — and to build a society rooted in empathy — depend on it. “In the absence of love and belonging, there’s nothing left,” she says.

Dr. Phillip Atiba Goff, Rashad Robinson, Dr. Bernice King and Anthony D. Romero share urgent insights into this historic moment. Watch the discussion on

In a time of mourning and anger over the ongoing violence inflicted on Black communities by police in the US and the lack of accountability from national leadership, what is the path forward? In a wide-ranging conversation, Dr. Phillip Atiba Goff, the CEO of Center for Policing Equity; Rashad Robinson, the president of Color of Change; Dr. Bernice Albertine King, the CEO of the King Center; and Anthony D. Romero, the executive director of the American Civil Liberties Union, share urgent insights into how we can dismantle the systems of oppression and racism responsible for tragedies like the murders of Ahmaud Arbery, Breonna Taylor, George Floyd and far too many others — and explored how the US can start to live up to its ideals. Watch the discussion on

TEDThe bill has come due for the US’s legacy of racism: Week 3 of TED2020

In response to the historic moment of mourning and anger over the ongoing violence inflicted on Black communities by police in the United States, four leaders in the movement for civil rights — Dr. Phillip Atiba Goff, CEO of Center for Policing Equity; Rashad Robinson, president of Color Of Change; Dr. Bernice Albertine King, CEO of the King Center; and Anthony D. Romero, executive director of the American Civil Liberties Union — joined TED2020 to explore how we can dismantle the systems of oppression and racism. Watch the full discussion on, and read a recap below.

“The history that we have in this country is not just a history of vicious neglect and targeted abuse of Black communities. It’s also one where we lose our attention for it,” says Dr. Phillip Atiba Goff. He speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Dr. Phillip Atiba Goff, CEO of the Center for Policing Equity

Big idea: The bill has come due for the unpaid debts the United States owes to its Black residents. But we’re not going to get to where we need to go just by reforming police.

How? What we’re seeing now isn’t just the response to one gruesome, cruel, public execution — a lynching. And it’s not just the reaction to three of them: Ahmaud Arbery, Breonna Taylor and George Floyd. What we’re seeing is the bill come due for the unpaid debts that the US owes to its Black residents, says Dr. Phillip Atiba Goff, CEO of the Center for Policing Equity (CPE). In addition to the work that CPE is known for — working with police departments to use their own data to improve relationships with the communities they serve — Goff and his team are encouraging departments and cities to take money from police budgets and instead invest it directly in public resources for the community, so people don’t need the police for public safety in the first place. Learn more about how you can support the Center for Policing Equity »

“This is the time for white allies to stand up in new ways, to do the type of allyship that truly dismantles structures, not just provides charity,” says Rashad Robinson, president of Color of Change. He speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Rashad Robinson, president of Color Of Change

Big idea: In the wake of the murders of George Floyd, Breonna Taylor and Ahmaud Arbery, people are showing up day after day in support of the Movement for Black Lives and in protest of police brutality against Black communities. We need to channel that presence and energy into power and material change.

How? The presence and visibility of a movement can often lead us to believe that progress is inevitable. But building power and changing the system requires more than conversations and retweets. To create material change in the racist systems that enable and perpetuate violence against Black communities, we need to translate the energy of these global protests into specific demands and actions, says Robinson. We have to pass new laws and hold those in power — from our police chiefs to our city prosecutors to our representatives in Congress — accountable to them. If we want to disentangle these interlocking systems of violence and complicity, Robinson says, we need to get involved in local, tangible organizing and build the power necessary to change the rules. You can’t sing our songs, use our hashtags and march in our marches if you are on the other end supporting the structures that put us in harm’s way, that literally kill us,” Robinson says. “This is the time for white allies to stand up in new ways, to do the type of allyship that truly dismantles structures, not just provides charity.”

“We can do this,” says Dr. Bernice Albertine King. “We can make the right choice to ultimately build the beloved community.” She speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Dr. Bernice Albertine King, CEO of The King Center

Big idea: To move towards a United States rooted in benevolent coexistence, equity and love, we must destroy and replace systems of oppression and violence towards Black communities. Nonviolence, accountability and love must pave the way.

How? The US needs a course correction that involves both hard work and “heart work” — and no one is exempt from it, says Dr. Bernice Albertine King. King continues to spread and build upon the wisdom of her father, Dr. Martin Luther King Jr., and she believes the US can work towards unity and collective healing. To do so, racism, systemic oppression, militarism and violence must end. She calls for a revolution of values, allies that listen and engage and a world where anger is given space to be rechanneled into creating social and economic change. In this moment, as people have reached a boiling point and are being asked to restructure the nature of freedom, King encourages us to follow her father’s words of nonviolent coexistence, and not continue on the path of violent coannihilation. “You as a person may want to exempt yourself, but every generation is called,” King says. “And so I encourage corporations in America to start doing anti-racism work within corporate America. I encourage every industry to start doing anti-racism work and pick up the banner of understanding nonviolent change personally and from a social change perspective. We can do this. We can make the right choice to ultimately build the beloved community.”

“Can we really become an equal people, equally bound by law?” asks Anthony D. Romero, executive director of the ACLU. He speaks at TED2020: Uncharted on June 3, 2020. (Photo courtesy of TED)

Anthony D. Romero, executive director of the American Civil Liberties Union (ACLU)

Big idea: No matter how frightened we are by the current turmoil, we must stay positive, listen to and engage with unheard or silenced voices, and help answer what’s become the central question of democracy in the United States: Can we really become an equal people, equally bound by law, when so many of us are beaten down by racist institutions and their enforcers?

How? This is no time for allies to disconnect — it’s time for them to take a long look in the mirror, ponder viewpoints they may not agree with or understand and engage in efforts to dismantle institutional white supremacy, Romero says. Reform is not enough anymore. Among many other changes, the most acute challenge the ACLU is now tackling is how to defund militarized police forces that more often look like more standing armies than civil servants — and bring them under civilian control. “For allies in this struggle, and those of us who don’t live this experience every day, it is time for us to lean in,” Romero says. “You can’t change the channel, you can’t tune out, you can’t say, ‘This is too hard.’ It is not that hard for us to listen and learn and heed.”

TEDConversations on rebuilding a healthy economy: Week 1 of TED2020

To kick off TED2020, leaders in business, finance and public health joined the TED community for lean-forward conversations to answer the question: “What now?” Below, a recap of the fascinating insights they shared.

“If you don’t like the pandemic, you are not going to like the climate crisis,” says Kristalina Georgieva, Managing Director of the International Monetary Fund. She speaks with head of TED Chris Anderson at TED2020: Uncharted on May 18, 2020. (Photo courtesy of TED)

Kristalina Georgieva, Managing Director of the International Monetary Fund (IMF)

Big idea: The coronavirus pandemic shattered the global economy. To put the pieces back together, we need to make sure money is going to countries that need it the most — and that we rebuild financial systems that are resilient to shocks.

How? Kristalina Georgieva is encouraging an attitude of determined optimism to lead the world toward recovery and renewal amid the economic fallout of COVID-19. The IMF has one trillion dollars to lend — it’s now deploying these funds to areas hardest hit by the pandemic, particularly in developing countries, and it’s also put a debt moratorium into effect for the poorest countries. Georgieva admits recovery is not going to be quick, but she thinks that countries can emerge from this “great transformation” stronger than before if they build resilient, disciplined financial systems. Within the next ten years, she hopes to see positive shifts towards digital transformation, more equitable social safety nets and green recovery. And as the environment recovers while the world grinds to a halt, she urges leaders to maintain low carbon footprints — particularly since the pandemic foreshadows the devastation of global warming. “If you don’t like the pandemic, you are not going to like the climate crisis,” Georgieva says. Watch the interview on »

“I’m a big believer in capitalism. I think it’s in many ways the best economic system that I know of, but like everything, it needs an upgrade. It needs tuning,” says Dan Schulman, president and CEO of PayPal. He speaks with TED business curators Corey Hajim at TED2020: Uncharted on May 19, 2020. (Photo courtesy of TED)

Dan Schulman, President and CEO of PayPal

Big idea: Employee satisfaction and consumer trust are key to building the economy back better.

How? A company’s biggest competitive advantage is its workforce, says Dan Schulman, explaining how PayPal instituted a massive reorientation of compensation to meet the needs of its employees during the pandemic. The ripple of benefits of this shift have included increased productivity, financial health and more trust. Building further on the concept of trust, Schulman traces how the pandemic has transformed the managing and moving of money — and how it will require consumers to renew their focus on privacy and security. And he shares thoughts on the new roles of corporations and CEOs, the cashless economy and the future of capitalism. “I’m a big believer in capitalism. I think it’s in many ways the best economic system that I know of, but like everything, it needs an upgrade. It needs tuning,” Schulman says. “For vulnerable populations, just because you pay at the market [rate] doesn’t mean that they have financial health or financial wellness. And I think everyone should know whether or not their employees have the wherewithal to be able to save, to withstand financial shocks and then really understand what you can do about it.”

Biologist Uri Alon shares a thought-provoking idea on how we could get back to work: a two-week cycle of four days at work followed by 10 days of lockdown, which would cut the virus’s reproductive rate. He speaks with head of TED Chris Anderson at TED2020: Uncharted on May 20, 2020. (Photo courtesy of TED)

Uri Alon, Biologist

Big idea: We might be able to get back to work by exploiting one of the coronavirus’s key weaknesses. 

How? By adopting a two-week cycle of four days at work followed by 10 days of lockdown, bringing the virus’s reproductive rate (R₀ or R naught) below one. The approach is built around the virus’s latent period: the three-day delay (on average) between when a person gets infected and when they start spreading the virus to others. So even if a person got sick at work, they’d reach their peak infectious period while in lockdown, limiting the virus’s spread — and helping us avoid another surge. What would this approach mean for productivity? Alon says that by staggering shifts, with groups alternating their four-day work weeks, some industries could maintain (or even exceed) their current output. And having a predictable schedule would give people the ability to maximize the effectiveness of their in-office work days, using the days in lockdown for more focused, individual work. The approach can be adopted at the company, city or regional level, and it’s already catching on, notably in schools in Austria.

“The secret sauce here is good, solid public health practice … this one was a bad one, but it’s not the last one,” says Georges C. Benjamin, Executive Director of the American Public Health Association. He speaks with TED science curator David Biello at TED2020: Uncharted on May 20, 2020. (Photo courtesy of TED)

Georges C. Benjamin, Executive Director of the American Public Health Association

Big Idea: We need to invest in a robust public health care system to lead us out of the coronavirus pandemic and prevent the next outbreak.

How: The coronavirus pandemic has tested the public health systems of every country around the world — and, for many, exposed shortcomings. Georges C. Benjamin details how citizens, businesses and leaders can put public health first and build a better health structure to prevent the next crisis. He envisions a well-staffed and equipped governmental public health entity that runs on up-to-date technology to track and relay information in real time, helping to identify, contain, mitigate and eliminate new diseases. Looking to countries that have successfully lowered infection rates, such as South Korea, he emphasizes the importance of early and rapid testing, contact tracing, self-isolation and quarantining. Our priority, he says, should be testing essential workers and preparing now for a spike of cases during the summer hurricane and fall flu seasons.The secret sauce here is good, solid public health practice,” Benjamin says. “We should not be looking for any mysticism or anyone to come save us with a special pill … because this one was a bad one, but it’s not the last one.”

TEDConversations on climate action and contact tracing: Week 2 of TED2020

For week 2 of TED2020, global leaders in climate, health and technology joined the TED community for insightful discussions around the theme “build back better.” Below, a recap of the week’s fascinating and enlightening conversations about how we can move forward, together.

“We need to change our relationship to the environment,” says Chile’s former environment minister Marcelo Mena. He speaks with TED current affairs curator Whitney Pennington Rodgers at TED2020: Uncharted on May 26, 2020. (Photo courtesy of TED)

Marcelo Mena, environmentalist and former environment minister of Chile

Big idea: People power is the antidote to climate catastrophe.

How? With a commitment to transition to zero emissions by 2050, Chile is at the forefront of resilient and inclusive climate action. Mena shares the economic benefits instilling green solutions can have on a country: things like job creation and reduced cost of mobility, all the result of sustainability-minded actions (including phasing coal-fired power plants and creating fleets of energy-efficient buses). Speaking to the air of social unrest across South America, Mena traces how climate change fuels citizen action, sharing how protests have led to green policies being enacted. There will always be those who do not see climate change as an imminent threat, he says, and economic goals need to align with climate goals for unified and effective action. “We need to change our relationship to the environment,” Mena says. “We need to protect and conserve our ecosystems so they provide the services that they do today.”

“We need to insist on the future being the one that we want, so that we unlock the creative juices of experts and engineers around the world,” says Nigel Topping, UK High Level Climate Action Champion, COP26. He speaks with TED Global curator Bruno Giussani at TED2020: Uncharted on May 26, 2020. (Photo courtesy of TED)

Nigel Topping, UK High Level Climate Action Champion, COP26

Big idea: The COVID-19 pandemic presents a unique opportunity to break from business as usual and institute foundational changes that will speed the world’s transition to a greener economy. 

How? Although postponed, the importance of COP26 — the UN’s international climate change conference — has not diminished. Instead it’s become nothing less than a forum on whether a post-COVID world should return to old, unsustainable business models, or instead “clean the economy” before restarting it. In Topping’s view, economies that rely on old ways of doing business jeopardize the future of our planet and risk becoming non-competitive as old, dirty jobs are replaced by new, cleaner ones. By examining the benefits of green economics, Topping illuminates the positive transformations happening now and leverages them to inspire businesses, local governments and other economic players to make radical changes to business as usual. “From the bad news alone, no solutions come. You have to turn that into a motivation to act. You have to go from despair to hope, you have to choose to act on the belief that we can avoid the worst of climate change… when you start looking, there is evidence that we’re waking up.”

“Good health is something that gives us all so much return on our investment,” says Joia Mukherjee. Shes speaks with head of TED Chris Anderson at TED2020: Uncharted on May 27, 2020. (Photo courtesy of TED)

Joia Mukherjee, Chief Medical Officer, Partners in Health (PIH)

Big idea: We need to massively scale up contact tracing in order to slow the spread of COVID-19 and safely reopen communities and countries.

How? Contact tracing is the process of identifying people who come into contact with someone who has an infection, so that they can be quarantined, tested and supported until transmission stops. The earlier you start, the better, says Mukherjee — but, since flattening the curve and easing lockdown measures depend on understanding the spread of the disease, it’s never too late to begin. Mukherjee and her team at PIH are currently supporting the state of Massachusetts to scale up contact tracing for the most vulnerable communities. They’re employing 1,700 full-time contact tracers to investigate outbreaks in real-time and, in partnership with resource care coordinators, ensuring infected people receive critical resources like health care, food and unemployment benefits. With support from The Audacious Project, a collaborative funding initiative housed at TED, PIH plans to disseminate its contact tracing expertise across the US and support public health departments in slowing the spread of COVID-19. “Good health is something that gives us all so much return on our investment,” Mukherjee says. See what you can do for this idea »

Google’s Chief Health Officer Karen DeSalvo shares the latest on the tech giant’s critical work on contact tracing. She speaks with head of TED Chris Anderson at TED2020: Uncharted on May 27, 2020. (Photo courtesy of TED)

Karen DeSalvo, Chief Health Officer, Google

Big idea: We can harness the power of tech to combat the pandemic — and reshape the future of public health.

How? Google and Apple recently announced an unprecedented partnership on the COVID-19 Exposure Notifications API, a Bluetooth-powered technology that would tell people they may have been exposed to the virus. The technology is designed with privacy at its core, DeSalvo says: it doesn’t use GPS or location tracking and isn’t an app but rather an API that public health agencies can incorporate into their own apps, which users could opt in to — or not. Since smartphones are so ubiquitous, the API promises to augment contact tracing and help governments and health agencies reduce the spread of the coronavirus. Overall, the partnership between tech and public health is a natural one, DeSalvo says; communication and data are pillars of public health, and a tech giant like Google has the resources to distribute those at a global scale. By helping with the critical work of contact tracing, DeSalvo hopes to ease the burden on health workers and give scientists time to create a vaccine. “Having the right information at the right time can make all the difference,” DeSalvo says. “It can literally save lives.”

After the conversation, Karen DeSalvo was joined by Joia Mukherjee to further discuss how public health entities can partner with tech companies. Both DeSalvo and Mukherjee emphasize the importance of knitting together the various aspects of public health systems — from social services to housing — to create a healthier and more just society. They also both emphasize the importance of celebrating community health workers, who provide on-the-ground information and critical connection with people across the world.

TEDConversations on rebuilding society: Week 4 of TED2020

For week 4 of TED2020, leaders in international development, history, architecture and public policy explored how we might rebuild during the COVID-19 pandemic and the ongoing protests against racial injustice in the United States. Below, a recap of their insights.

Achim Steiner, head of the UNDP, discusses how the COVID-19 pandemic is leading people to reexamine the future of society. He speaks at TED2020: Uncharted on June 8, 2020. (Photo courtesy of TED)

Achim Steiner, head of the United National Development Programme

Big idea: The public and private sectors must work together to rebuild communities and economies from the COVID-19 pandemic.

Why? When the coronavirus hit, many governments and organizations were unprepared and ill-equipped to respond effectively, says Achim Steiner. He details the ways the UNDP is partnering with both private companies and state governments to help developing countries rebuild, including delivering medicine and supplies, setting up Zoom accounts for governing bodies and building virus tracking systems. Now that countries are beginning to think broadly about life after COVID-19, Steiner says that widespread disenchantment with the state is leading people to question the future of society. They’re rethinking the relationship between the state and its citizens, the role of the private sector and the definition of a public good. He believes that CEOs and business leaders need to step forward and forge alliances with the public sector in order to address societal inequalities and shape the future of economies. “It is not that the state regulates all the problems and the private sector is essentially best off if it can just focus on its own shareholders or entrepreneurial success,” he says. “We need both.”

“The heartbeat of antiracism is confession,” says author and historian Ibram X. Kendi. He speaks at TED2020: Uncharted on June 9, 2020. (Photo courtesy of TED)

Ibram X. Kendi, Author and historian

Big idea: To create a more just society, we need to make antiracism part of our everyday lives.

How? There is no such thing as being “not racist,” says Ibram X. Kendi. He explains that an idea, behavior or policy is either racist (suggesting that any racial group is superior or inferior in any way) or antiracist (suggesting that the racial groups are equals in all their apparent differences). In this sense, “racist” isn’t a fixed identity — a bad, evil person — but rather a descriptive term, highlighting what someone is doing in a particular moment. Anyone can be racist or antiracist; the difference is found in how we choose to see ourselves and others. Antiracism is vulnerable work, Kendi says, and it requires persistent self-awareness, self-examination and self-criticism, grounded in a willingness to concede your privileges and admit when you’re wrong. As we learn to more clearly recognize, take responsibility for and reject prejudices in our public policies, workplaces and personal beliefs, we can actively use this awareness to uproot injustice and inequality in the world — and replace it with love. “The heartbeat of racism itself has always been denial,” he says. “The heartbeat of antiracism is confession.” Watch the full discussion on

What’s the connection between poetry and policy? Aaron Maniam explains at TED2020: Uncharted on June 10, 2020. (Photo courtesy of TED)

Aaron Maniam, Poet and policymaker

Big idea: By crafting a range of imaginative, interlocking metaphors, we can better understand COVID-19, its real-time impacts and how the pandemic continues to change our world.

How? As a poet and a policymaker in Singapore, Maniam knows the importance of language to capture and evoke the state of the world — and to envision our future. As people across the world share their stories of the pandemic’s impact, a number of leading metaphors have emerged. In one lens, humanity has “declared war” on COVID-19 — but that angle erases any positive effects of the pandemic, like how many have been able to spend more time with loved ones. In another lens, COVID-19 has been a global “journey” — but that perspective can simplify the way class, race and location severely impact how people move through this time. Maniam offers another lens: that the pandemic has introduced a new, constantly evolving “ecology” to the world, irrevocably changing how we live on local, national and global levels. But even the ecology metaphor doesn’t quite encompass the entirety of this era, he admits. Maniam instead encourages us to examine and reflect on the pandemic across a number of angles, noting that none of these lenses, or any others, are mutually exclusive. Our individual and collective experiences of this unprecedented time deserve to be told and remembered in expansive, robust and inclusive ways. “Each of us is never going to have a monopoly on truth,” he says. “We have to value the diversity that others bring by recognizing their identity diversity … and their competent diversity — the importance of people coming from disciplines like engineering, history, public health, etc. — all contributing to a much richer understanding and totality of the situation we’re in.”

Vishaan Chakrabarti explores how the coronavirus pandemic might reshape life in cities. He speaks at TED2020: Uncharted on June 10, 2020. (Photo courtesy of TED)

Vishaan Chakrabarti, Architect

Big idea: Cities are facing a crisis of inequity and a crisis in health. To recover and heal, we need to plan our urban areas around inclusion and equality. 

How? In order to implement a new urban agenda rooted in equity, Vishaan Chakrabarti says that we need to consider three components: affordable housing and accessible health care; sustainable urban mobility; and attainable social and cultural resources. Chakrabarti shatters the false narrative of having to choose between an impoverished city or a prosperous one, instead envisioning one whose urban fabric is diverse with reformed housing policies and budgets. “Housing is health,” he says. “You cannot have a healthy society if people are under housing stress or have homelessness.” With a third of public space dedicated to private cars in many cities, Chakrabarti points to the massive opportunity we have to dedicate more space to socially distanced ways to commute and ecologically conscious modes of transportation, like walking or biking. We will need to go directly to communities and ask what their needs are to build inclusive, eco-friendly and scalable solutions. “We need a new narrative of generosity, not austerity,” he says.

TEDConversations on the future of vaccines, tech, government and art: Week 5 of TED2020

Week 5 of TED2020 featured wide-ranging discussions on the quest for a coronavirus vaccine, the future of the art world, what it’s like to lead a country during a pandemic and much more. Below, a recap of insights shared.

Jerome Kim, Director General of the International Vaccine Institute, shares an update on the quest for a coronavirus vaccine in conversation with TED science curator David Biello at TED2020: Uncharted on June 15, 2020. (Photo courtesy of TED)

Jerome Kim, Director General of the International Vaccine Institute

Big idea: There’s a lot of work still to be done, but the world is making progress on developing a COVID-19 vaccine. 

How? A normal vaccine takes five to 10 years to develop and costs about a billion dollars, with a failure rate of 93 percent. Under the pressure of the coronavirus pandemic, however, we’re being asked to speed things up to within a window of 12 to 18 months, says Jerome Kim. How are things going? He updates us on the varied field of vaccine candidates and approaches, from Moderna’s mRNA vaccine to AstraZeneca’s vectored vaccine to whole inactivated vaccines, and how these companies are innovating to develop and manufacture their products in record time. In addition to the challenge of making a sufficient amount of a safe, effective vaccine (at the right price), Kim says we must think about how to distribute it for the whole world — not just rich nations. The question of equity and access is the toughest one of all, he says, but the answer will ultimately lead us out of this pandemic.

Bioethicist Nir Eyal discusses the mechanism and ethics of human challenge trials in vaccine development with head of TED Chris Anderson at TED2020: Uncharted on June 15, 2020. (Photo courtesy of TED)

Nir Eyal, Bioethicist

Big idea: Testing vaccine efficacy is normally a slow, years-long process, but we can ethically accelerate COVID-19 vaccine development through human challenge trials.

How? Thousands of people continue to die every day from COVID-19 across the globe, and we risk greater death and displacement if we rely on conventional vaccine trials, says bioethicist Nir Eyal. While typical trials observe experimental and control groups over time until they see meaningful differences between the two, Eyal proposes using human challenge trials in our search for a vaccine — an approach that deliberately exposes test groups to the virus in order to quickly determine efficacy. Human challenge trials might sound ethically ambiguous or even immoral, but Eyal suggests the opposite is true. Patients already take informed risks by participating in drug trials and live organ donations; if we look at statistical risk and use the right bioethical framework, we can potentially hasten vaccine development while maintaining tolerable risks. The key, says Eyal, is the selection criteria: by selecting young participants who are free from risk factors like hypertension, for example, the search for a timely solution to this pandemic is possible. “The dramatic number of people who could be aided by a faster method of testing vaccines matters,” he says. “It’s not the case that we are violating the rights of individuals to maximize utility. We are both maximizing utility and respecting rights, and this marriage is very compelling in defending the use of these accelerated [vaccine trial] designs.”

“What is characteristic of our people is the will to overcome the past and to move forward. Poverty is real. Inequality is real. But we also have a very determined population that embraces the notion of the Republic and the notion of citizenship,” says Ashraf Ghani, president of Afghanistan. He speaks with head of TED Chris Anderson at TED2020: Uncharted on June 16, 2020. (Photo courtesy of TED)

Ashraf Ghani, President of Afghanistan

Big Idea: Peacemaking is a discipline that must be practiced daily, both in life and politics. 

How? Having initiated sweeping economic, trade and social reforms, Afghanistan president Ashraf Ghani shares key facets of peacemaking that he relies on to navigate politically sensitive relationships and the ongoing health crisis: mutual respect, listening and humanity. Giving us a glimpse of Afghanistan that goes beyond the impoverished, war-torn image painted in the media, he describes the aspirations, entrepreneurship and industry that’s very much alive there, especially in its youth and across all genders. “What I hear from all walks of life, men and women, girls and boys, [is] a quest for normalcy. We’re striving to be normal. It’s not we who are abnormal; it’s the circumstances in which we’ve been caught. And we are attempting to carve a way forward to overcome the types of turbulence that, in interaction with each other, provide an environment of continuous uncertainty. Our goal is to overcome this, and I think with the will of the people, we will be able to,” he says. President Ghani also shares perspective on Afghanistan’s relationship to China, the Taliban and Pakistan — expressing a commitment to his people and long term peace that fuels every conversation. “The ultimate goal is a sovereign, democratic, united Afghanistan at peace with itself in the world,” he says. 

“How do we make it so that if you’re having a conversation with someone and you have to be separated by thousands of miles, it feels as close to face-to-face?” asks Will Cathcart, head of WhatsApp. He speaks with head of TED Chris Anderson at TED2020: Uncharted on June 16, 2020. (Photo courtesy of TED)

Will Cathcart, head of WhatsApp

Big idea: Tech platforms have a responsibility to provide privacy and security to users.

Why? On WhatsApp, two billion users around the world send more than 100 billion messages every day. All of them are protected by end-to-end encryption, which means that the conversations aren’t stored and no one can access them — not governments, companies or even WhatsApp itself. Due to the COVID-19 pandemic, more and more of our conversations with family, friends and coworkers have to occur through digital means. This level of privacy is a fundamental right that has never been more important, says Cathcart. To ensure their encryption services aren’t misused to promote misinformation or conduct crime, WhatsApp has developed tools and protocols that keep users safe without disrupting the privacy of all of its users. “It’s so important that we match the security and privacy you have in-person, and not say, ‘This digital world is totally different: we should change all the ways human beings communicate and completely upend the rules.’ No, we should try to match that as best we can, because there’s something magical about people talking to each other privately.”

“Museums are among the few truly public democratic spaces for people to come together. We’re places of inspiration and learning, and we help expand empathy and moral thinking. We are places for difficult and courageous conversations. I believe we can, and must be, places in real service of community,” says Anne Pasternak, director of the Brooklyn Museum. She speaks with TED design curator Chee Pearlman at TED2020: Uncharted on June 17, 2020. (Photo courtesy of TED)

Anne Pasternak, Director of the Brooklyn Museum

Big idea: We need the arts to be able to document and reflect on what we’re living through, express our pain and joy and imagine a better future.

How? Museums are vital community institutions that reflect the memories, knowledge and dreams of a society. Located in a borough of more than 2.5 million people, the Brooklyn Museum is one of the largest and most influential museums in the world, and it serves a community that has been devastated by the COVID-19 pandemic. Pasternak calls on museums to take a leading role in manifesting community visions of a better world. In a time defined by dramatic turmoil and global suffering, artists will help ignite the radical imagination that leads to cultural, political and social change, she says. Museums also have a responsibility to uplift a wide variety of narratives, taking special care to highlight communities who have historically been erased from societal remembrance and artmaking. The world has been irreversibly changed and devastated by the pandemic. It’s time to look to art as a medium of collective memorializing, mourning, healing and transformation.

“Art changes minds, shifts mentalities, changes the behavior of people and the way they think and how they feel,” says Honor Harger. She speaks with TED current affairs curator Whitney Pennington Rodgers at TED2020: Uncharted on June 17, 2020. (Photo courtesy of TED)

Honor Harger, Executive Director of the ArtScience Museum

Big Idea: Cultural institutions can care for their communities by listening to and amplifying marginalized voices.

How: The doors of Singapore’s famed ArtScience Museum building are closed — but online, the museum is engaging with its community more deeply than ever. Executive director Honor Harger shares how the museum has moved online with ArtScience at Home, a program offering online talks, streamed performances and family workshops addressing COVID-19 and our future. Reflecting on the original meaning of “curator” (from the Latin curare, or “to care”), Harger shares how ArtScience at Home aims to care for its community by listening to underrepresented groups. The program seeks out marginalized voices and provides a global platform for them to tell their own stories, unmediated and unedited, she says. Notably, the program included a screening of Salary Day by Ramasamy Madhavan, the first film made by a migrant worker in Singapore. The programming will have long-lasting effects on the museum’s curation in the future and on its international audience, Harger says. “Art changes minds, shifts mentalities, changes the behavior of people and the way they think and how they feel,” she says. “We are seeing the power of culture and art to both heal and facilitate dramatic change.”

Planet DebianEnrico Zini: Wait until a command opened a file

In my last post I wrote:

The sleep 0.3s is needed because xdg-open exits right after starting the program, and when invoked by mutt it means that mutt could delete the attachment before evince has a chance to open it. I had to use the same workaround for sensible-browser, since the same happens when a browser opens a document in an existing tab. I feel like writing some wrapper about all this that forks the viewer, then waits for an IN_OPEN event on its argument via inotify before exiting.

I wrote it:

$ ./waitused --help
usage: waitused [-h] path ...

Run a command exiting only after it quits and a given file has been opened and

positional arguments:
  path        file to monitor
  command     command to run

optional arguments:
  -h, --help  show this help message and exit

This works around situations like mutt deleting the temporary attachment file after run-mailcap is run, while run-mailcap runs a program that backgrounds before opening its input file.


waitused file.pdf xdg-open file.pdf
waitused file.pdf run-mailcap file.pdf

Example ~/.mailcap entry

application/pdf; waitused -- %s xdg-open %s; test=test -n "$DISPLAY"

Update: Teddy Hogeborn pointed out that the initial mailcap entry would fail on files starting with a dash. I added -- for waitused, but unfortunately there seems to be no way at the moment to have xdg-open open files starting with a dash (see: #964949

Planet DebianIain R. Learmonth: Light OpenStreetMapping with GPS

Now that lockdown is lifting a bit in Scotland, I’ve been going a bit further for exercise. One location I’ve been to a few times is Tyrebagger Woods. In theory, I can walk here from my house via Brimmond Hill although I’m not yet fit enough to do that in one go.

Instead of following the main path, I took a detour along some route that looked like it wanted to be a path but it hadn’t been maintained for a while. When I decided I’d had enough of this, I looked for a way back to the main path but OpenStreetMap didn’t seem to have the footpaths mapped out here yet.

I’ve done some OpenStreetMap surveying before so I thought I’d take a look at improving this, and moving some of the tracks on the map closer to where they are in reality. In the past I’ve used OSMTracker which was great, but now I’m on iOS there doesn’t seem to be anything that matches up.

My new handheld radio, a Kenwood TH-D74 has the ability to record GPS logs so I thought I’d give this a go. It records the logs to the SD card with one file per session. It’s a very simple logger that records the NMEA strings as they are received. The only sentences I see in the file are GPGGA (Global Positioning System Fix Data) and GPRMC (Recommended Minimum Specific GPS/Transit Data).

I tried to import this directly with JOSM but it seemed to throw an error and crash. I’ve not investigated this, but I thought a way around could be to convert this to GPX format. This was easier than expected:

apt install gpsbabel
gpsbabel -i nmea -f "/sdcard/KENWOOD/TH-D74/GPS_LOG/25062020_165017.nme" \
                 -o gpx,gpxver=1.1 -F "/tmp/tyrebagger.gpx"

This imported into JOSM just fine and I was able to adjust some of the tracks to better fit where they actually are.

I’ll take the radio with me when I go in future and explore some of the other paths, to see if I can get the whole woods mapped out nicely. It is fun to just dive into the trees sometimes, along the paths that looks a little forgotten and overgrown, but also it’s nice to be able to find your way out again when you get lost.

CryptogramBusiness Email Compromise (BEC) Criminal Ring

A criminal group called Cosmic Lynx seems to be based in Russia:

Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles.


For example, rather than use free accounts, Cosmic Lynx will register strategic domain names for each BEC campaign to create more convincing email accounts. And the group knows how to shield these domains so they're harder to trace to the true owner. Cosmic Lynx also has a strong understanding of the email authentication protocol DMARC and does reconnaissance to assess its targets' specific system DMARC policies to most effectively circumvent them.

Cosmic Lynx also drafts unusually clean and credible-looking messages to deceive targets. The group will find a company that is about to complete an acquisition and contact one of its top executives posing as the CEO of the organization being bought. This phony CEO will then involve "external legal counsel" to facilitate the necessary payments. This is where Cosmic Lynx adds a second persona to give the process an air of legitimacy, typically impersonating a real lawyer from a well-regarded law firm in the United Kingdom. The fake lawyer will email the same executive that the "CEO" wrote to, often in a new email thread, and share logistics about completing the transaction. Unlike most BEC campaigns, in which the messages often have grammatical mistakes or awkward wording, Cosmic Lynx messages are almost always clean.

Sam VargheseRacism: Holding and Rainford-Brent do some plain speaking

Michael Anthony Holding, one of the feared West Indies pace bowlers from the 1970s and 1980s, bowled his best spell on 10 July, in front of the TV cameras.

Holding, in England to commentate on the Test series between England and the West Indies, took part in a roundtable on the Black Lives Matter protests which have been sweeping the world recently after an African-American man, George Floyd, was killed by a police officer in Minneapolis on May 25.

Holding speaks frankly, Very frankly. Along with former England cricketer Ebony Rainford-Brent, he spoke about the issues he had faced as a black man, the problems in cricket and how they could be resolved.

There was no bitterness in his voice, just audible pain and sadness. At one point, he came close to breaking down and later told one of the hosts that the memory of his mother being ostracised by her own family because she had married a very dark man had led to this.

Holding spoke of the need for education, to wipe out the centuries of conditioning that have resulted in black people knowing that white lives matter, while white people do not really care about black lives. He cited studies from American universities like Yale to make his points.

And much as white people will dismiss whatever he says, one could not escape the fact that here was a 66-year-old who had seen it all and some calling for a sane solution to the ills of racism.

He provided examples of racism from each of England, South Africa and Australia. In England, he cited the case when he was trying to flag down a cab while going home with his wife-to-be – a woman of Portuguese ancestry who is white. The driver had his meter up to indicate his cab was not occupied, but then on seeing Holding quickly offed the meter light and drove on. An Englishman of West Indian descent who recognised Holding, called out to him, “Hey Mikey, you have to put her in front.” To which Holding, characteristically, replied, “I would rather walk.”

In Australia, he cited a case during a tour; the West Indies teams were always put on a single floor in any hotel they stayed in. Holding said he and three of his fast bowling colleagues were coming down in a lift when it stopped at a floor on the way down. “There was a man waiting there,” Holding said. “He looked at us and did not get into the lift. That’s fine, maybe he was intimidated by the presence of four, big black men.

“But then, just before the lift doors closed, he shouted a racial eipthet at us.

And in South Africa, Holding cited a case when he and his Portuguese friend had gone to a hotel to stay. Someone came to him and was getting the details to book him in; meanwhile some other hotel staffer went to his companion and tried to book her in. “To their way of thinking, she could not possibly be with me, because she was white,” was Holding’s comment. “After all, I am black, am I not?”

Rainford-Brent, who took part in a formal video with Holding, also ventilated the problems that black women cricketers faced in England and spoke with tremendous feeling about the lack of people of colour at any level of the sport.

She was in tears occasionally as she spoke, as frankly as Holding, but again with no bitterness of the travails black people have when they join up to play cricket.

One only hopes that the talk does not end there and something is done about equality. Sky Sports, the broadcaster which ran this remarkable and unusual discussion, has pledged put 30 million pounds into efforts to narrow the gap. Holding’s view was that if enough big companies got involved then the gap would close that much faster.

If he has hope after what he has endured, then there is no reason why the rest of us should not.

Worse Than FailureError'd: They Said the Math Checks Out!

"So...I guess...they want me to spend more?" Angela A. writes.


"The '[object Object]' feature must be extremely rare and expensive considering that none of the phones in the list have it!" Jonathan writes.


Joel T. wrote, "I was checking this Covid-19 dashboard to see if it was safe to visit my family and well, I find it really thoughtful of them to cover the Null states, where I grew up."


"Thankfully after my appointment, I discovered I am healthier than my doctor's survey system," writes Paul T.


Peter C. wrote, "I am so glad that I went to college in {Other_Region}."


"I tried out this Excel currency converter template and it scrapes for up to date exchange rates," Kevin J. writes, "but, I think someone updated the website without thinking about this template."


[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

Planet DebianReproducible Builds (diffoscope): diffoscope 151 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 151. This version includes the following changes:

[ Chris Lamb]

* Improvements and bug fixes:

  - Pass the absolute path when extracting members from SquashFS images as we
    run the command with our working directory set to the temporary
    directory. (Closes: #964365, reproducible-builds/diffoscope#189)
  - Increase the minimum length of the output from strings(1) to 8 characters
    to avoid unnecessary diff noise. (Re. reproducible-builds/diffoscope#148)

* Logging improvements:

  - Fix the compare_files message when the file does not have a literal name.
  - Reduce potential log noise by truncating the has_some_content messages.

* Codebase changes:

  - Clarify use of a "null" diff in order to remember an exit code.
  - Don't alias a variable when don't end up it; use "_" instead.
  - Use a  "NullChanges" file to represent missing data in the Debian package
  - Update some miscellaneous terms.

You find out more by visiting the project homepage.


Dave HallLogging Step Functions to CloudWatch

Many AWS Services log to CloudWatch. Some do it out of the box, others need to be configured to log properly. When Amazon released Step Functions, they didn’t include support for logging to CloudWatch. In February 2020, Amazon announced StepFunctions could now log to CloudWatch. Step Functions still support CloudTrail logs, but CloudWatch logging is more useful for many teams.

Users need to configure Step Functions to log to CloudWatch. This is done on a per State Machine basis. Of course you could click around he console to enable it, but that doesn’t scale. If you use CloudFormation to manage your Step Functions, it is only a few extra lines of configuration to add the logging support.

In my example I will assume you are using YAML for your CloudFormation templates. I’ll save my “if you’re using JSON for CloudFormation you’re doing it wrong” rant for another day. This is a cut down example from one of my services:

AWSTemplateFormatVersion: '2010-09-09'
Description: StepFunction with Logging Example.
    Type: AWS::IAM::Role
        Version: '2012-10-17'
        - Effect: Allow
            Service: !Sub "states.${AWS::Region}"
          - sts:AssumeRole
      Path: "/"
      - PolicyName: StepFunctionExecRole
          Version: '2012-10-17'
          - Effect: Allow
            - lambda:InvokeFunction
            - lambda:ListFunctions
            Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my-lambdas-namespace-*"
          - Effect: Allow
            - logs:CreateLogDelivery
            - logs:GetLogDelivery
            - logs:UpdateLogDelivery
            - logs:DeleteLogDelivery
            - logs:ListLogDeliveries
            - logs:PutResourcePolicy
            - logs:DescribeResourcePolicies
            - logs:DescribeLogGroups
            Resource: "*"
    Type: AWS::Logs::LogGroup
      LogGroupName: /aws/stepfunction/my-step-function
      RetentionInDays: 14
    Type: AWS::StepFunctions::StateMachine
      StateMachineName: my-step-function
      StateMachineType: STANDARD
          - CloudWatchLogsLogGroup:
             LogGroupArn: !GetAtt MyStateMachineLogGroup.Arn
        IncludeExecutionData: True
        Level: ALL
        !Sub |
          ... JSON Step Function definition goes here
      RoleArn: !GetAtt StepFunctionExecRole.Arn

The key pieces in this example are the second statement in the IAM Role with all the logging permissions, the LogGroup defined by MyStateMachineLogGroup and the LoggingConfiguration section of the Step Function definition.

The IAM role permissions are copied from the example policy in the AWS documentation for using CloudWatch Logging with Step Functions. The CloudWatch IAM permissions model is pretty weak, so we need to grant these broad permissions.

The LogGroup definition creates the log group in CloudWatch. You can use what ever value you want for the LogGroupName. I followed the Amazon convention of prefixing everything with /aws/[service-name]/ and then appended the Step Function name. I recommend using the RetentionInDays configuration. It stops old logs sticking around for ever. In my case I send all my logs to ELK, so I don’t need to retain them in CloudWatch long term.

Finally we use the LoggingConfiguration to tell AWS where we want to send out logs. You can only specify a single Destinations. The IncludeExecutionData determines if the inputs and outputs of each function call is logged. You should not enable this if you are passing sensitive information between your steps. The verbosity of logging is controlled by Level. Amazon has a page on Step Function log levels. For dev you probably want to use ALL to help with debugging but in production you probably only need ERROR level logging.

I removed the Parameters and Output from the template. Use them as you need to.

CryptogramTraffic Analysis of Home Security Cameras

Interesting research on home security cameras with cloud storage. Basically, attackers can learn very basic information about what's going on in front of the camera, and infer when there is someone home.

News article.

Slashdot thread.

Planet DebianEnrico Zini: Mime type associations

The last step of my laptop migration was to fix mime type associations, that seem to associate opening file depending on whatever application was installed last, phases of the moon, and what option is the most annoying.

The state of my system after a fresh install, is that, for application/pdf, xdg-open (used for example by pcmanfm) runs inkscape, and run-mailcap (used for example by neomutt) runs the calibre ebook viewer.

It looks like there are at least two systems to understand, debug and fix, instead of one.


This comes from package xdg-utils, and works using .desktop files:

# This runs inkscape
$ xdg-open file.pdf

There is a tool called xdg-mime that queries what .desktop file is associated with a given mime type:

$ xdg-mime query default application/pdf

You can use xdg-mime default to change an association, and it works nicely:

$ xdg-mime default org.gnome.Evince.desktop application/pdf
$ xdg-mime query default application/pdf

However, if you accidentally mistype the name of the .desktop file, it won't complain and it will silently reset the association to the arbitrary default:

$ xdg-mime default org.gnome.Evince.desktop application/pdf
$ xdg-mime query default application/pdf
$ xdg-mime default evince.desktop application/pdf
$ echo $?
$ xdg-mime query default application/pdf

You can use a GUI like xfce4-mime-settings from the xfce4-settings package to perform the same kind of changes avoiding typing mistakes.

The associations seem to be saved in ~/.config/mimeapps.list


This comes from the package mime-support

You can test things by running it using --norun:

$ run-mailcap --norun file.pdf
ebook-viewer file.pdf

run-mailcap uses the ~/.mailcap and /etc/mailcap to map mime types to commands. This is what's in the system default:

$ grep application/pdf /etc/mailcap
application/pdf; ebook-viewer %s; test=test -n "$DISPLAY"
application/pdf; calibre %s; test=test -n "$DISPLAY"
application/pdf; gimp-2.10 %s; test=test -n "$DISPLAY"
application/pdf; evince %s; test=test -n "$DISPLAY"

To fix this, I copypasted the evince line into ~/.mailcap, and indeed it gets used:

$ run-mailcap --norun file.pdf
evince file.pdf

There is a /etc/mailcap.order file providing a limited way to order entries in /etc/mailcap, but it can only be manipulated system-wide, and cannot be used for user preferences.

Sadly, this means that if a package changes its mailcap invocation because of, say, a security issue in the former one, the local override will never get fixed.

I am really not comfortable about that. As a workaround, I put this in my ~/.mailcap:

application/pdf; xdg-open %s && sleep 0.3s; test=test -n "$DISPLAY"

The sleep 0.3s is needed because xdg-open exits right after starting the program, and when invoked by mutt it means that mutt could delete the attachment before evince has a chance to open it. I had to use the same workaround for sensible-browser, since the same happens when a browser opens a document in an existing tab. I feel like writing some wrapper about all this that forks the viewer, then waits for an IN_OPEN event on its argument via inotify before exiting.

I wonder if there is any reason run-mailcap could not be implemented as a wrapper to xdg-open.

I reported #964723 elaborating on these thoughts.

Planet DebianEnrico Zini: Laptop migration

This laptop used to be extra-flat

My laptop battery started to explode in slow motion. HP requires 10 business days to repair my laptop under warranty, and I cannot afford that length of downtime.

Alternatively, HP quoted me 375€ + VAT for on-site repairs, which I tought was very funny.

For 376.55€ + VAT, which is pretty much exactly the same amount, I bought instead a refurbished ThinkPad X240 with a dual-core I5, 8G of RAM, 250G SSD, and a 1920x1080 IPS display, to use as a spare while my laptop is being repaired. I'd like to thank HP for giving me the opportunity to own a ThinkPad.

Since I'm migrating all my system to the spare and then (hopefully) back, I'm documenting what I need to be fully productive on new hardware.

Install Debian

A basic Debian netinst with no tasks selected is good enough to get going.

Note that if wifi worked in Debian Installer, it doesn't mean that it will work in the minimal system it installed. See here for instructions on quickly bringing up wifi on a newly installed minimal system.

Copy /home

A simple tar of /home is all I needed to copy my data over.

A neat way to do it was connecting the two laptops with an ethernet cable, and using netcat:

# On the source
tar -C / -zcf - home | nc -l -p 12345 -N
# On the target
nc 12345 | tar -C / -zxf -

Since the data travel unencrypted in this way, don't do it over wifi.

Install packages

I maintain a few simple local metapackages that depend on the packages I usually used.

I could just install those and let apt bring in their dependencies.

For the build dependencies of the programs I develop, I use mk-build-deps from the devscripts package to create metapackages that make sure they are installed.

Here's an extract from debian/control of the metapackage:

Source: enrico
Section: admin
Priority: optional
Maintainer: Enrico Zini <>
Build-Depends: debhelper (>= 11)

Package: enrico
Section: admin
Architecture: all
  mc, mmv, moreutils, powertop, syncmaildir, notmuch,
  ncdu, vcsh, ddate, jq, git-annex, eatmydata,
  vdirsyncer, khal, etckeeper, moc, pwgen
Description: Enrico's working environment

Package: enrico-devel
Section: devel
Architecture: all
  git, python3-git, git-svn, gitk, ansible, fabric,
  valgrind, kcachegrind, zeal, meld, d-feet, flake8, mypy, ipython3,
  strace, ltrace
Description: Enrico's development environment

Package: enrico-gui
Section: x11
Architecture: all
  xclip, gnome-terminal, qalculate-gtk, liferea, gajim,
  mumble, sm, syncthing, virt-manager
Recommends: k3b
Description: Enrico's GUI environment

Package: enrico-sanity
Section: admin
Architecture: all
Conflicts: libapache2-mod-php, libapache2-mod-php5, php5, php5-cgi, php5-fpm, libapache2-mod-php7.0, php7.0, libphp7.0-embed, libphp-embed, libphp5-embed
Description: Enrico's sanity
 Metapackage with a list of packages that I do not want anywhere near my

System-wide customizations

I tend to avoid changing system-wide configuration as much as possible, so copying over /home and installing packages takes care of 99% of my needs.

There are a few system-wide tweaks I cannot do without:

  • setup postfix to send mail using my mail server
  • copy Network Manager system connections files in /etc/NetworkManager/system-connections/
  • update-alternatives --config editor

For postfix, I have a little ansible playbook that takes care of it.

Network Manager system connections need to be copied manually: a plain copy and a systemctl restart network-manager are enough. Note that Network Manager will ignore the files unless their owner and permissions are what it expects.

Fine tuning

Comparing the output of dpkg --get-selections between the old and the new system might highlight packages manually installed in a hurry and not added to the metapackages.

Finally, what remains is fixing the sad state of mimetype associations, which seem to associate opening file depending on whatever application was installed last, phases of the moon, and what option is the most annoying.

Currently on my system, PDFs are opened in inkscape by xdg-open and in calibre by run-mailcap. Let's see how long it takes to figure this one out.

Worse Than FailureCodeSOD: Is It the Same?

A common source of bad code is when you have a developer who understands one thing very well, but is forced- either through organizational changes or the tides of history- to adapt to a new tool which they don’t understand. But a possibly more severe problem is modern developers not fully understanding why certain choices may have been made. Today’s code isn’t a WTF, it’s actually very smart.

Eric P was digging through some antique Fortran code, just exploring some retrocomputing history, and found a block which needed to check if two values were the same.

The normal way to do that in Fortran would be to use the .EQ. operator, e.g.:


Now, in this specific case, I happen to know that LOUTP(IOUTP) and LPHAS1(IOUTP) happen to be boolean expressions. I know this, in part, because of how the original developer actually wrote an equality comparison:

      LSAME = ((     LOUTP(IOUTP)).AND.(     LPHAS1(IOUTP)).OR.
               (.NOT.LOUTP(IOUTP)).AND.(.NOT.LPHAS1(IOUTP)) )

Now, Eric sent us two messages. In their first message:

This type of comparison appears in at least 5 different places and the result is then used in other unnecessarily complicated comparisons and assignments.

But that doesn’t tell the whole story. We need to understand the actual underlying purpose of this code. And the purpose of this block of code is to translate symbolic formula expressions to execute on Programmable Array Logic (PAL) devices.

PAL’s were an early form of programmable ROM, and to describe the logic you wanted them to perform, you had to give them instructions essentially in terms of gates. Essentially, you ’d throw a binary representation of the gate arrangements at the chip, and it would now perform computations for you.

So Eric, upon further review, followed up with a fresh message:

The program it is from was co-written by the manager of the project to create the PAL (Programmable Array Logic) device. So, of course, this is exactly, down to the hardware logic gate, how you would implement an equality comparison in a hardware PAL!
It’s all NOTs, ANDs, and ORs!

Programming is about building a model. Most of the time, we want our model to be clear to humans, and we focus on finding ways to describe that model in clear, unsurprising ways. But what’s “clear” and “unsurprising” can vary depending on what specifically we’re trying to model. Here, we’re modeling low-level hardware, really low-level, and what looks weird at first is actually pretty darn smart.

Eric also included a link to the code he was reading through, for the PAL24 Assembler.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!


Rondam RamblingsGame over for Hong Kong

The Washington Post reports: Early Wednesday, under a heavy police presence and before any public announcement about the matter, officials inaugurated the Office for Safeguarding National Security of the Central People’s Government in the Hong Kong Special Administrative Region at a ceremony that took place behind water-filled barricades. They played the Chinese national anthem and raised the

Worse Than FailureCodeSOD: A Private Matter

Tim Cooper was digging through the code for a trip-planning application. This particular application can plan a trip across multiple modes of transportation, from public transit to private modes, like rentable scooters or bike-shares.

This need to discuss private modes of transportation can lead to some… interesting code.

// for private: better = same
TIntSet myPrivates = getPrivateTransportSignatures(true);
TIntSet othersPrivates = other.getPrivateTransportSignatures(true);
if (myPrivates.size() != othersPrivates.size()
        || ! myPrivates.containsAll(othersPrivates)
        || ! othersPrivates.containsAll(myPrivates)) {
    return false;

This block of code seems to worry a lot about the details of othersPrivates, which frankly is a bad look. Mind your own business, code. Mind your own business.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!


Planet DebianNoah Meyerhans: Setting environment variables for gnome-session

Am I missing something obvious? When did this get so hard?

In the old days, you configured your desktop session on a Linux system by editing the .xsession file in your home directory. The display manager (login screen) would invoke the system-wide xsession script, which would either defer to your personal .xsession script or set up a standard desktop environment. You could put whatever you want in the .xsession script, and it would be executed. If you wanted a specific window manager, you’d run it from .xsession. Start emacs or a browser or an xterm or two? .xsession. It was pretty easy, and super flexible.

For the past 25 years or so, I’ve used X with an environment started via .xsession. Early on it was fvwm with some programs, then I replaced fvwm with Window Maker (before that was even its name!), then switched to KDE. More recently (OK, like 10 years ago) I gradually replaced KDE with awesome and various custom widgets. Pretty much everything was based on a .xsession script, and that was fine. One particularly nice thing about it was that I could keep .xsession and any related helper programs in a git repository and manage changes over time.

More recently I decided to give Wayland and GNOME an honest look. This has mostly been fine, but everything I’ve been doing in .xsession is suddenly useless. OK, fine, progress is good. I’ll just use whatever new mechanisms exist. How hard can it be?

OK, so here we go. I am running GNOME. This isn’t so bad. Alt+F2 brings up the “Run Command” dialog. It’s a different keystroke than what I’m used to, but I can adapt. (Obviously I can reconfigure the key binding, and maybe someday I will, but that’s not the point here.) I have some executables in ~/bin. Oops, the run command dialog can’t find them. No problem, I just need to update the PATH variable that it sees. Hmmm… So how does one do that, anyway? GNOME has a help system, but searching that doesn’t doesn’t reveal anything. But that’s fine, maybe it’s inherited from the parent process. But there’s no xsession script equivalent, since this isn’t X anymore at all. The familiar stuff in /etc/X11/Xsession is no longer used. What’s the equivalent in Wayland? Turns out, there isn’t a shell script at all anymore, at least not in how Wayland and GNOME interact in Debian’s configuration, which seems fairly similar to how anybody else would set this up. The GNOME session runs from a systemd-managed user session.

Digging in to some web search results suggests that systemd provides a mechanism for setting some environment variables for services started by the user instance of the system. OK, so let’s create some files in ~/.config/environment.d and we should be good. Except no, this isn’t working. I can set some variables, but something is overriding PATH. I can create this file:

$ cat ~/.config/environment.d/01_path.conf

After logging in, the “Run a command” dialog still doesn’t see my PATH. So I use Alt+F2 and sh -c "env > /tmp/env" to capture the environment, and this is what I see:


So, my environment.d file is there, and it’s getting looked at, but something else is clobbering my PATH later in the startup process. But what? Where? Why? The systemd docs don’t indicate that there’s anything special about PATH, and nothing in /lib/systemd/user-environment-generators/ seems to treat it specially. The string “PATH” doesn’t appear in /lib/systemd/user/ either. Looking for the specific value that’s getting assigned to PATH in /etc shows the only occurrence of it being in /etc/zsh/zshenv, so maybe that’s where it’s coming from? But that should only get set there if it’s otherwise unset or otherwise very minimally set. So I still have no idea where it’s coming from.

OK, so ignoring where my custom value is getting overridden, maybe what’s configured in /lib/systemd/user will point me in the right direction. systemd --user status suggests that the interesting part of my session is coming from gnome-shell-wayland.service. Can we use a standard systemd drop-in as documented in systemd.unit(5)? It turns out that we can. This file sets things up the way I want:

$ cat .config/systemd/user/gnome-shell-wayland.service.d/path.conf

Is that right? It really doesn’t feel ideal to me. Systemd’s Environment directive can’t reference existing environment variables, and I can’t use conditionals to do things like add a directory to the PATH only if it exists, so it’s still a functional regression from what we had before. But at least it’s a text file, edited by hand, trackable in git, so that’s not too bad.

There are some people out there who hate systemd, and will cite this as an illustration of why. However, I’m not one of those people, and I very much like systemd as an init system. I’d be happy to throw away sysvinit scripts forever, but I’m not quite so happy with the state of .xsession’s replacements. Despite the similarities, I don’t think .xsession is entirely the same as SysV-style init scripts. The services running on a system are vastly more important than my personal .xsession, and systemd is far better at managing them than the pile of shell scripts used to set things up under sysvinit. Further, systemd the init system maintains compatibility with init scripts, so if you really want to keep using them, you can. As far as I can tell, though, systemd the user session manager does not seem to maintain compatibility with .xsession scripts, and that’s unfortunate.

I still haven’t figured out what was overriding the ~/.config/environment.d/ setting. Any ideas?

Planet DebianDirk Eddelbuettel: RcppSimdJson 0.1.0: Now on Windows, With Parsers and Faster Still!

A smashing new RcppSimdJson release 0.1.0 containing several small updates to upstream simdjson (now at 0.4.6) in part triggered by very excisting work by Brendan who added actual parser from file and string—and together with Daniel upstream worked really hard to make Windows builds as well as complete upstream tests on our beloved (ahem) MinGW platform possible. So this version will, once the builders have caught up, give everybody on Windows a binary—with a JSON parser running circles around the (arguably more feature-rich and possibly easier-to-use) alternatives. Dave just tweeted a benchmark snippet by Brendan, the full set is at the bottom our issue ticket for this release.

RcppSimdJson wraps the fantastic and genuinely impressive simdjson library by Daniel Lemire and collaborators, which in its upstream release 0.4.0 improved once more (also see the following point releases). Via very clever algorithmic engineering to obtain largely branch-free code, coupled with modern C++ and newer compiler instructions, it results in parsing gigabytes of JSON parsed per second which is quite mindboggling. The best-case performance is ‘faster than CPU speed’ as use of parallel SIMD instructions and careful branch avoidance can lead to less than one cpu cycle use per byte parsed; see the video of the recent talk by Daniel Lemire at QCon (which was also voted best talk).

As mentioned, this release expands the reach of the package to Windows, and adds new user-facing functions. A big thanks for most of this is owed to Brendan, so buy him a drink if you run across him. The full NEWS entry follows.

Changes in version 0.1.0 (2020-07-07)

  • Upgraded to simdjson 0.4.1 which adds upstream Windows support (Dirk in #27 closing #26 and #14, plus extensive work by Brendan helping upstream with mingw tests).

  • Upgraded to simdjson 0.4.6 with further upstream improvements (Dirk in #30).

  • Change Travis CI to build matrix over g++ 7, 8, 9, and 10 (Dirk in #31; and also Brendan in #32).

  • New JSON functions fparse and fload (Brendan in #32) closing #18 and #10).

Courtesy of CRANberries, there is also a diffstat report for this release.

For questions, suggestions, or issues please use the issue tracker at the GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianDirk Eddelbuettel: AsioHeaders 1.16.1-1 on CRAN

An updated version of the AsioHeaders package arrived on CRAN today (after a we days of “rest” in the incoming directory of CRAN). Asio provides a cross-platform C++ library for network and low-level I/O programming. It is also included in Boost – but requires linking when used as part of Boost. This standalone version of Asio is a header-only C++ library which can be used without linking (just like our BH package with parts of Boost).

This release brings a new upstream version. Its changes required a corresponding change in one of (only) three reverse depends which delayed the CRAN admisstion by a few days.

Changes in version 1.16.1-1 (2020-06-28)

  • Upgraded to Asio 1.16.1 (Dirk in #5).

  • Updated with standard set of badges

Via CRANberries, there is a diffstat report relative to the previous release.

Comments and suggestions about AsioHeaders are welcome via the issue tracker at the GitHub GitHub repo.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

TEDA smarter future: Notes from Session 7 of TED2020

For the penultimate session of TED2020, an exploration of amazing forces shaping the future — from cancer-fighting venom to spacecraft powered by lazers and much more. Below, a recap of the night’s talks and performances.

Amanda Gorman shares a powerful spoken-word poem about ending the devastation of climate change. She speaks at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Amanda Gorman, poet

Big idea: We all have the power to end the devastation of climate change. Let’s get to work.

How? In a stunning spoken word poem, Gorman calls on us all to recognize the urgency of climate action. She weaves vivid imagery and metaphors to underscore searing insights on the state of global environmental damage, and hope for a sustainable future. Gorman encourages us to use our unique abilities and expertise to reverse the harm of climate change, and says that we all have a place in the movement. “We see the face of a planet anew, we relish the view … which inspires us to ask deeply, wholly, what can we do,” she says.

“Someday, snail venom might just save your life,” says molecular chemist Mandë Holford. She speaks at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Mandë Holford, molecular chemist

Big Idea: Venom can kill … or it can cure. We’re now learning how it can be used as a force for good. 

How: Chemist Mandë Holford is investigating the power of venom to treat diseases and disorders, like certain cancers. Beyond common venomous snakes and spiders, Holford introduces us to the underbelly of the animal kingdom: killer snails, deadly platypuses and assassin Gila monsters. But she sees these creatures as both the supervillain and superhero, and she’s harnessing their venom to transform lives. She explains that venom’s power lies in its complex mixture of deadly peptides — a “cluster bomb” that attacks specific physiological targets like the blood, brains or membranes of the victim. Holford’s research focuses on discovering and utilizing these peptides to create therapeutics that disrupt cancer cells communications, particularly liver cancer. Venomics, or the study of venom, is an especially attractive area of research because poison has been honed and tested by nature over millennia, making for particularly potent, successful concoctions. “Someday, snail venom might just save your life,” Holford says.

Physicist Philip Lubin investigates how to use concentrated light as a propellant for spacecraft. He speaks at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Phillip Lubin, physicist

Big idea: By using massive quantities of concentrated light as a propellant, we can fuel spacecraft to journey to explore solar systems beyond our own.

How? We’re making huge strides in the field of laser technology that will enable us to transform how we launch and fuel spacecraft. Much like wind in a sailboat, light can be concentrated as energy to push spacecraft towards new and farther destinations. This would work by synchronizing enormous numbers of lasers into “phased arrays”, which may be as large as a city, to build up the power necessary for inter-solar system flight. Though spacecraft may initially only be as big as a human hand, the discoveries this technology could reveal are awe-inspiring. Traveling to another solar system could alter our fundamental understanding of life itself — and breakthroughs in this technology could revolutionize how we live on Earth as well. “Everything is profound in life. The same is true of the lowly photon which we use to see every day,” says Lubin, “But when we look outside and imagine something vastly greater, we can imagine things which are extraordinary. The ability to go to another star is one of those extraordinary capabilities.”

Antonio Muñoz Fernández plays “Taranta” and “Calblanque” at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Guitarist and composer Antonio Muñoz Fernández keeps the session moving and lively with performances of plays “Taranta” and “Calblanque.”

“What would America look like if everyone had a seat at the table?” asks Shari Davis, executive director of the Participatory Budgeting Project. She speaks at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Shari Davis, executive director, Participatory Budgeting Project

Big idea: We have to throw out the top-down processes that have hobbled democracy, and throw the doors of government open so wide that all kinds of people will be inspired to claim the reins.

How? For most of US history, government has overwhelmingly consisted of rich white men, who installed systems rewarding people like themselves, says Davis. “What would America look like if everyone had a seat at the table?” she asks. Participatory budgeting is a grassroots democratic initiative that empowers marginalized voices from young queer communities, communities of color and the economically disenfranchised, by giving them chunks of city budgets to solve problems close to their hearts. In Boston, this came about via Youth Lead the Change, an initiative to increase education, expand technology access to students and give graffiti artists a space to legally practice their art. By nurturing new political leaders drawn from those historically denied governmental access, participatory budgeting has become a global phenomenon with the potential to transform democracy. “Participatory budgeting is actually about collective radical imagination,” Davis says. Everyone has a role to play in PB, and it works because it allows community members to craft real solutions to real problems. It provides the infrastructure for the promise of government.”

“If machines can learn, or process memories, can they also dream, hallucinate, involuntarily remember or make connections between multiple people’s dreams?” asks media artist Refik Anadol. He speaks at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Refik Anadol, media artist

Big idea: What does it mean to be an AI in the 21st century?

How? The year is simultaneously 1991 and 2019, media artist Refik Anadol having just seen Blade Runner and its sci-fi future for the first time — an experience which sets in motion his inspired career of using architectural spaces as canvases to make buildings dream and hallucinate via AI. Anadol brings us on a journey from that formative childhood moment to his studio’s collaborations with architects, data scientists, neuroscientists, musicians and storytellers in experimenting with ways of augmenting our perceptions to collide the virtual and physical worlds. Each project showcases the poetic, ethereal and dynamic power of data — such as “Archive Dreaming,” conceptualizing vast knowledge in the age of AI; “Machine Hallucination,” an exploration of time and space; and “Melting Memories,” which visualizes the moment of remembering — evoking a meditative experience beyond human imagination while simultaneously enveloping you into the mind of the machine. “If machines can learn, or process memories, can they also dream, hallucinate, involuntarily remember or make connections between multiple people’s dreams?” Anadol asks.

“Most people think technology and they think that’s going to lead to unethical behavior. I think it’s exactly the opposite: I think new technologies lead to more ethical behaviors,” says futurist Juan Enriquez. He speaks at TED2020: Uncharted on July 2, 2020. (Photo courtesy of TED)

Juan Enriquez, futurist

Big idea: Tech doesn’t always lead to unethical behavior. 

How? By making problematic systems obsolete, technology is actually a powerful force for ethical change. If we embrace these changes, we’ll put ourselves on the right side of history for issues like civil rights, climate change and economic justice. As ethics continue to evolve over time, technology’s explosive growth will lead to an exponential transformation of culture. Some examples: our tolerance of wasteful meat production will soon change with lab-created, cruelty-free beef, and as tech revolutionizes renewable energy, we will naturally leave behind coal and oil. “Technology is moving at exponential rates,” Enriquez says. “Technology is changing ethics, and therefore one might expect ethics could change exponentially, and that means your notion of right and wrong changes exponentially.”

TEDHope, action, change: Notes from Session 5 of TED2020

Daring, bold, systems-disrupting change requires big dreams and an even bigger vision. For Session 5 of TED2020, the Audacious Project, a collaborative funding initiative housed at TED, highlighted bold plans for social change from Southern New Hampshire University, SIRUM, BRAC, Harlem Children’s Zone, Humanitarian OpenStreetMap Team (HOT), Project CETI and One Acre Fund. From aiding the ultra-poor to upending medicine pricing to ensuring all communities are visible on a map, these solutions are uniquely positioned to help us rebuild key systems and push the boundaries of what’s possible through breakthrough science and technology. Learn more about these thrilling projects and how you can help them change the world.

“We can create radical access to medications based on a fundamental belief that people who live in one of the wealthiest nations in the world can and should have access to medicine they need to survive and to thrive,” says Kiah Williams, cofounder of SIRUM. She speaks at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Kiah Williams, cofounder of SIRUM

Big idea: No one should have to choose between paying bills or affording lifesaving medications. 

How? Every day in the US, people must make impossible health decisions at the intersection of life and livelihood. The result is upwards of ten thousand deaths annually — more than opioid overdoses and car accidents combined — due to the high prices of prescription drugs. Kiah Williams and her team at SIRUM are tapping into an alternative that circumvents the traditional medical supply chain while remaining budget-friendly to underserved communities: unused medication. Sourced from manufacturer surplus, health care facilities (like hospitals, pharmacies and nursing homes) and personal donations, Williams and her team partner with medical professionals to provide prescriptions for conditions, ranging from heart disease to mental health, at flat, transparent costs. They currently supply 150,000 people with access to medicine they need — and they’re ready to expand. In the next five years, SIRUM plans to reach one million people across 12 states with a billion dollars’ worth of unused medicine, with the hopes of driving down regional pricing in low-income communities. “We can create radical access to medications based on a fundamental belief that people who live in one of the wealthiest nations in the world can and should have access to medicine they need to survive and to thrive,” Williams says.

Shameran Abed, senior director of the Microfinance and Ultra-Poor Graduation Program at BRAC, shares his organization’s work lifting families out of ultra-poverty at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Shameran Abed, senior director of the Microfinance and Ultra-Poor Graduation Program at BRAC

Big idea: Let’s stop imagining a world without ultra-poverty and start building it instead.

How? At the end of 2019, approximately 400 million people worldwide lived in ultra-poverty — a situation that goes beyond the familiar monetary definition, stripping individuals of their dignity, purpose, self-worth, community and ability to imagine a better future. When he founded BRAC in 1972, Shameran Abed’s father saw that for poverty reduction programs to work, a sense of hope and self-worth needs to be instilled alongside assets. He pioneered a graduation approach that, over the course of two years, addressed both the deficit of income and hope in four steps: (1) supporting the basic needs with food or cash, (2) guiding the individual towards a decent livelihood by providing an asset like livestock and training them to earn money from it, (3) training them to save, budget and invest the new wealth, (4) integrating the individual socially. Since starting this program in 2002, two million Bangladeshi women have lifted themselves and their families out of ultra-poverty. With BRAC at a proven and effective nationwide scale, the organization plans to aid other governments in adopting and scaling graduation programs themselves — helping another 21 million people lift themselves out of ultra-poverty across eight countries over the next six years, with BRAC teams onsite and embedded in each country to provide an obtainable, foreseeable future for all. “Throughout his life, [my father] saw optimism triumph over despair; that when you light the spark of self-belief in people, even the poorest can transform their lives,” Abed says.

Pop-soul singer Emily King performs her songs “Distance” and “Sides” at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Lending her extraordinary voice to keep the session lively, singer and songwriter Emily King performs her songs “Distance” and “Sides” from her home in New York City.

Chrystina Russell, executive director of SNHU’s Global Education Movement, is helping displaced people earn college degrees. She speaks at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Chrystina Russell, executive director of SNHU’s Global Education Movement

Big idea: Expand access to accredited, college-level education to marginalized populations by reaching learners wherever they are in the world.

How? Education empowers — and perhaps nowhere more so than in the lives of displaced people, says executive director of SNHU’s Global Education Movement (GEM) Chrystina Russell. Harnessing the power of education to improve the world lies at the foundation of GEM, a program that offers accredited bachelor’s degrees and pathways to employment for refugees in Lebanon, Kenya, Malawi, Rwanda and South Africa. Today, the humanitarian community understands that global displacement will be a permanent problem, and that traditional education models remain woefully inaccessible to these vulnerable populations. The magic of GEM, Russell says, is that it addresses refugee lives as they currently exist. Degrees are competency-based, and without classes, lectures, due dates or final exams, students choose where and when to learn. GEM has served more than 1,000 learners to date, helping them obtain bachelor’s degrees and earn incomes at twice the average of their peers. Only three percent of refugees have access to higher education; GEM is now testing its ability to scale competency-based online learning in an effort to empower greater numbers of marginalized people through higher education. “This is a model that really stops putting time and university policies and procedures at the center — and instead puts the student at the center,” Russell says.

David Gruber shares his mind-blowing work using AI to understand and communicate with sperm whales. He speaks at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

David Gruber, marine biologist, explorer, professor

Big idea: Through the innovations of machine learning, we may be able to translate the astounding languages of sperm whales and crack the interspecies communication code. 

How? Sperm whales are some of the most intelligent animals on the planet; they live in complex matriarchal societies and communicate with each other through a series of regionally specific click sequences called codas. These codas may be the key to unlocking interspecies communication, says David Gruber. He shares a bold prediction: with the help of machine learning technology, we will soon be able to understand the languages of sperm whales — and talk back to them. Researchers have developed a number of noninvasive robots to record an enormous archive of codas, focusing on the intimate relationship between mother and calf. Using this data, carefully trained algorithms will be able to decode these codas and map the sounds and logic of sperm whale communication. Gruber believes that by deeply listening to sperm whales, we can create a language blueprint that will enable us to communicate with countless other species around the world. “By listening deeply to nature, we can change our perspective of ourselves and reshape our relationship with all life on this planet,” he says.

“Farmers stand at the center of the world,” says Andrew Youn, sharing One Acre Fund’s work helping small-scale farmers in sub-Saharan Africa. He speaks at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Andrew Youn, social entrepreneur

Big idea: By equipping small-scale farmers in sub-Saharan Africa with the tools and resources they need to expand their work, they will be able to upend cycles of poverty and materialize their innovation, knowledge and drive into success for their local communities and the world.

How? Most small-scale farmers in sub-Saharan Africa are women who nourish their families and communities and fortify their local economies. But they’re often not able to access the technology, resources or capital they need to streamline their farms, which leads to small harvests and cycles of poverty. The One Acre Fund, a two-time Audacious Project recipient, seeks to upend that cycle by providing resources like seeds and fertilizer, mentorship in the form of local support guides and training in modern agricultural practices. The One Acre Fund intends to reach three milestones by 2026: to serve 2.5 million families (which include 10 million children) every year through their direct full-service program; to serve an additional 4.3 million families per year with the help of local government and private sector partners; and to shape a sustainable green revolution by reimagining our food systems and launching a campaign to plant one billion trees in the next decade. The One Acre Fund enables farmers to transform their work, which vitalizes their families, larger communities and countries. “Farmers stand at the center of the world,” Youn says.

Rebecca Firth is helping map the earth’s most vulnerable populations using a free, open-source software tool. She speaks at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Rebecca Firth, director of partnerships and community at Humanitarian OpenStreetMap Team (HOT)

Big idea: A new tool to add one billion people to the map, so first responders and aid organizations can save lives. 

How? Today, more than one billion people are literally not on the map, says Rebecca Firth, director of partnerships and community at Humanitarian OpenStreetMap Team (HOT), an organization that helps map the earth’s most vulnerable populations using a free, open-source software tool. The tool works in two stages: first, anyone anywhere can map buildings and roads using satellite images, then local community members fill in the map by identifying structures and adding place names. HOT’s maps help organizations on the ground save lives; they’ve been used by first responders after Haiti’s 2010 earthquake and in Puerto Rico after Hurricane Maria, by health care workers distributing polio vaccines in Nigeria and by refugee aid organizations in South Sudan, Syria and Venezuela. Now, HOT’s goal is to map areas in 94 countries that are home to one billion of the world’s most vulnerable populations — in just five years. To do this, they’re recruiting more than one million mapping volunteers, updating their tech and, importantly, raising awareness about the availability of their maps to local and international humanitarian organizations. “It’s about creating a foundation on which so many organizations will thrive,” Firth says. “With open, free, up-to-date maps, those programs will have more impact than they would otherwise, leading to a meaningful difference in lives saved or improved.”

“Our answer to COVID-19 — the despair and inequities plaguing our communities — is targeting neighborhoods with comprehensive services. We have certainly not lost hope, and we invite you to join us on the front lines of this war,” says Kwame Owusu-Kesse, COO of Harlem Children’s Zone. He speaks at TED2020: Uncharted on June 18, 2020. (Photo courtesy of TED)

Kwame Owusu-Kesse, COO, Harlem Children’s Zone

Big idea: In the midst of a pandemic that’s disproportionately devastating the Black community, how do we ensure that at-risk children can continue their education in a safe and healthy environment?

How? Kwame Owusu-Kesse understands that in order to surpass America’s racist economic, educational, health care and judicial institutions, a child must have a secure home and neighborhood. In the face of the coronavirus pandemic, Harlem Children’s Zone has taken on a comprehensive mission to provide uninterrupted, high-quality remote education, as well as food and financial security, unfettered online access and mental health services. Through these programs, Owusu-Kesse hopes to rescue a generation that risks losing months (or years) of education to the impacts of quarantine. “Our answer to COVID-19 — the despair and inequities plaguing our communities — is targeting neighborhoods with comprehensive services,” he says. “We have certainly not lost hope, and we invite you to join us on the front lines of this war.”

TEDListening to nature: Notes from Session 1 of TED2020

TED looks a little different this year, but much has also stayed the same. The TED2020 mainstage program kicked off Thursday night with a session of talks, performances and visual delights from brilliant, creative individuals who shared ideas that could change the world — and stories of people who already have. But instead of convening in Vancouver, the TED community tuned in to the live, virtual broadcast hosted by TED’s Chris Anderson and Helen Walters from around the world — and joined speakers and fellow community members on an interactive, TED-developed second-screen platform to discuss ideas, ask questions and give real-time feedback. Below, a recap of the night’s inspiring talks, performances and conversations.

Sharing incredible footage of microscopic creatures, Ariel Waldman takes us below meters-thick sea ice in Antarctica to explore a hidden ecosystem. She speaks at TED2020: Uncharted on May 21, 2020. (Photo courtesy of TED)

Ariel Waldman, Antarctic explorer, NASA advisor

Big idea: Seeing microbes in action helps us more fully understand (and appreciate) the abundance of life that surrounds us. 

How: Even in the coldest, most remote place on earth, our planet teems with life. Explorer Ariel Waldman introduces the thousands of organisms that call Antarctica home — and they’re not all penguins. Leading a five-week expedition, Waldman descended the sea ice and scaled glaciers to investigate and film myriad microscopic, alien-looking creatures. Her footage is nothing short of amazing — like wildlife documentary at the microbial level! From tiny nematodes to “cuddly” water bears, mini sea shrimp to geometric bugs made of glass, her camera lens captures these critters in color and motion, so we can learn more about their world and ours. Isn’t nature brilliant?

Did you know? Tardigrades, also known as water bears, live almost everywhere on earth and can even survive in the vacuum of space. 

Tracy Edwards, Trailblazing sailor

Big Idea: Despite societal limits, girls and women are capable of creating the future of their dreams. 

How: Though competitive sailing is traditionally dominated by men, women sailors have proven they are uniquely able to navigate the seas. In 1989, Tracy Edwards led the first all-female sailing crew in the Whitbread Round the World Yacht Race. Though hundreds of companies refused to sponsor the team and bystanders warned that an all-female team was destined to fail, Edwards knew she could trust in the ability of the women on her team. Despite the tremendous odds, they completed the trip and finished second in their class. The innovation, kindness and resourcefulness of the women on Edwards’s crew enabled them to succeed together, upending all expectations of women in sailing. Now, Edwards advocates for girls and women to dive into their dream fields and become the role models they seek to find. She believes women should understand themselves as innately capable, that the road to education has infinite routes and that we all have the ability to take control of our present and shape our futures.

Quote of the talk: “This is about teaching girls: you don’t have to look a certain way; you don’t have to feel a certain way; you don’t have to behave a certain way. You can be successful. You can follow your dreams. You can fight for them.”

Classical musicians Sheku Kanneh-Mason and Isata Kanneh-Mason perform intimate renditions of Sergei Rachmaninov’s “Muse” and Frank Bridge’s “Spring Song” at TED2020: Uncharted on May 21, 2020. (Photo courtesy of TED)

Virtuosic cellist Sheku Kanneh-Mason, whose standout performance at the wedding of Prince Harry and Meghan Markle made waves with music fans across the world, joins his sister, pianist Isata Kanneh-Mason, for an intimate living room performance of “Muse” by Sergei Rachmaninov and “Spring Song” by Frank Bridge.

And for a visual break, podcaster and design evangelist Debbie Millman shares an animated love letter to her garden — inviting us to remain grateful that we are still able to make things with our hands.

Dallas Taylor, Host/creator of Twenty Thousand Hertz podcast

Big idea: There is no such thing as true silence.

Why? In a fascinating challenge to our perceptions of sound, Dallas Taylor tells the story of a well-known, highly-debated and perhaps largely misunderstood piece of music penned by composer John Cage. Written in 1952, 4′33″ is more experience than expression, asking the listener to focus on and accept things the way they are, through three movements of rest — or, less technically speaking, silence. In its “silence,” Cage invites us to contemplate the sounds that already exist when we’re ready to listen, effectively making each performance a uniquely meditative encounter with the world around us. “We have a once in a lifetime opportunity to reset our ears,” says Taylor, as he welcomes the audience to settle into the first movement of 4’33” together. “Listen to the texture and rhythm of the sounds around you right now. Listen for the loud and soft, the harmonic and dissonant … enjoy the magnificence of hearing and listening.”

Quote of the talk: “Quietness is not when we turn our minds off to sound, but when we really start to listen and hear the world in all of its sonic beauty.”

Dubbed “the woman who redefined man” by her biographer, Jane Goodall has changed our perceptions of primates, people and the connection between the two. She speaks with head of TED Chris Anderson at TED2020: Uncharted on May 21, 2020. (Photo courtesy of TED)

Jane Goodall, Primatologist, conservationist

Big idea: Humanity’s long-term livelihood depends on conservation.

Why? After years in the field reinventing the way the world thinks about chimpanzees, their societies and their similarities to humans, Jane Goodall began to realize that as habitats shrink, humanity loses not only resources and life-sustaining biodiversity but also our core connection to nature. Worse still, as once-sequestered animals are pulled from their environments and sold and killed in markets, the risk of novel diseases like COVID-19 jumping into the human population rises dramatically. In conversation with head of TED Chris Anderson, Goodall tells the story of a revelatory scientific conference in 1986, where she awakened to the sorry state of global conservation and transformed from a revered naturalist into a dedicated activist. By empowering communities to take action and save natural habitats around the world, Goodall’s institute now gives communities tools they need to protect their environment. As a result of her work, conservation has become part of the DNA of cultures from China to countries throughout Africa, and is leading to visible transformations of once-endangered forests and habitats.

Quote of the talk: Every day you live, you make an impact on the planet. You can’t help making an impact … If we all make ethical choices, then we start moving towards a world that will be not quite so desperate to leave for our great-grandchildren.”

TEDValues reset: Notes from Session 2 of TED2020

There’s a theory that the shock we’re currently experiencing is intense enough to force a radical reset of our values — of how we are and how we act. In an idea-packed session 2 of TED2020, speakers from across disciplines and walks of life looked to this aspiration of a “values reset,” sharing new thinking on topics ranging from corporate responsibility down to our individual responsibilities and the things each of us can right now. Below, a recap of the night’s inspiring talks and performances.

“Nobody works in a vacuum. The men and women who run companies actively cocreate the reality we all have to share. And just like with global warming, we are each of us responsible for the collective consequences of our individual decisions and actions,” says filmmaker and activist Abigail Disney. She speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Abigail Disney, Filmmaker, activist

Big idea: Respect, dignity and a guaranteed livable wage are the right of all workers, not the privilege of a select few.

How? As CEO of the Disney Company, Roy Disney believed he had a moral obligation to every person who worked at the company. Though her grandfather wasn’t perfect, Abigail Disney says he believed that workers were worthy of immense respect — and he put that belief into practice by creating jobs with fair wages and benefits. In honor of her grandfather’s legacy, Disney advocates for income equality for all workers — and calls out the company that bears her name, asking them to do better for their workers. Our conscience and empathy should drive us, she says, not profits or economic growth. Disney believes we need a system-wide shift, one that recognizes that all workers deserve the wages, protections and benefits that would enable them to live full, secure and dignified lives.

Quote of the talk: “Nobody works in a vacuum. The men and women who run companies actively cocreate the reality we all have to share. And just like with global warming, we are each of us responsible for the collective consequences of our individual decisions and actions.”

Backed by brilliant illustrations from Laolu Senbanjo, journalist and satirist Adeola Fayehun shares her work exposing corruption in Africa with sharp, incisive humor. She speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Adeola Fayehun, Journalist, satirist

Big idea: Africa is overflowing with all the natural resources, intellectual skill and talent it needs. To flourish, its people need to hold corrupt leaders accountable.

Why? On her show Keeping It Real With Adeola, Adeola Fayehun exposes corruption in Africa with sharp, incisive humor. She urges those outside Africa to stop seeing the continent through the lens of their biases, and encourages us all to call out false policies and shatter stereotypes. “Please listen more,” she says. “Listen to your African friends without a preconceived notion of what you think they’re going to say. Read African books, watch African movies, visit Africa or, at the very least, learn some of the names of our 54 beautiful countries.”

Quote of the talk: “Africa is like a sleeping giant. The truth is I am trying to wake up this giant. That’s why I air the dirty laundry of those in charge of the giant.”

Rufus Wainwright performs “Peaceful Afternoon” and “Going To A Town” at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

From his home in Los Angeles, songwriter Rufus Wainwright shares intimate versions of his songs “Peaceful Afternoon” and “Going To A Town.” Gorgeous slow pans are courtesy of Jörn Weisbrodt, Wainwright’s husband and videographer for the performances.

“We hate the idea that really important things in life might happen by luck or by chance, that really important things in our life are not under our control,” says psychology professor Barry Schwartz. He speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Barry Schwartz, Psychology professor

Big idea: Our society is predicated on the idea that the distribution of opportunity is fair — but, in reality, working hard and playing by the rules is no guarantee of success. Good fortune and luck have far more to do with our opportunities (and therefore our future success) than we’re willing to admit.

How? Just look at the ultra-competitive landscape of college admissions, where a dearth of slots for qualified and capable students has created an epidemic of anxiety and depression among teenage university applicants long before they even make it to the job market. Schwartz suggests that the belief that working hard automatically leads to success blinds us to a core injustice: many of us simply will not get what we want. If our educational institutions — and our nation’s employers — were to emphasize this injustice by picking their students and employees randomly from a pool of those most likely to succeed, we might be forced to recognize the role that fortune plays in our lives.

Quote of the talk: “We hate the idea that really important things in life might happen by luck or by chance, that really important things in our life are not under our control.”

“I have a choice, right now, in the midst of the storm, to decide to overcome,” says Seattle Seahawks quarterback Russell Wilson. He speaks at TED2020: Uncharted on May 28, 2020. (Photo courtesy of TED)

Russell Wilson, Seattle Seahawks quarterback

Big idea: “Neutral thinking” can transform your life and help you unlock sustained personal success.

How? Athletes train their bodies to run faster, jump higher, achieve more — so why don’t they train their minds, too? For the past 10 years, Wilson has been doing just that with the assistance of mental conditioning coach Trevor Moawad. By harnessing the technique of “neutral thinking” — a strategy that emphasizes judgment-free acceptance of the present moment — Wilson has been able to maintain focus in high-pressure situations. Positivity can be dangerous and distracting, Wilson says, and negativity is sure to bring you down — but by honing a neutral mental game and executing in the present moment, you set yourself up to succeed.

Quote of the talk:I have a choice, right now, in the midst of the storm, to decide to overcome.”

TEDWays of seeing: Notes from Session 3 of TED2020

TED’s head of curation Helen Walters (left) and writer, activist and comedian Baratunde Thurston host Session 3 of TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Session 3 of TED2020, hosted by TED’s head of curation Helen Walters and writer, activist and comedian Baratunde Thurston, was a night of something different — a night of camaraderie, cleverness and, as Baratunde put it, “a night of just some dope content.” Below, a recap of the night’s talks and performances.

Actor and performer Cynthia Erivo recites Maya Angelou’s iconic 2006 poem, “A Pledge to Rescue Our Youth.” She speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

In a heartfelt and candid moment to start the session, Tony- and Emmy-winner Cynthia Erivo performs “A Pledge to Rescue Our Youth,” an iconic 2006 poem by Maya Angelou. “You are the best we have. You are all we have. You are what we have become. We pledge you our whole hearts from this day forward,” Angelou writes.

“Drawing has taught me to create my own rules. It has taught me to open my eyes and see not only what is, but what can be. Where there are broken systems … we can create new ones that actually function and benefit all, instead of just a select few,” says Shantell Martin. She speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Shantell Martin, Artist

Big idea: Drawing is more than just a graphic art — it’s a medium of self-discovery that enables anyone to let their hands spin out freestyle lines independent of rules and preconceptions. If we let our minds follow our hands, we can reach mental spaces where new worlds are tangible and art is the property of all – regardless of ethnicity or class.

How? A half-Nigerian, half-English artist growing up in a council estate in southeast London, Martin has firsthand knowledge of the race and class barriers within England’s institutions. Drawing afforded her a way out, taking her first to Tokyo and then to New York, where her large-scale, freestyle black and white drawings (often created live in front of an audience) taught her the power of lines to build new worlds. By using our hands to draw lines that our hearts can follow, she says, we not only find solace, but also can imagine and build worlds where every voice is valued equally. “Drawing has taught me to create my own rules,” Martin says. “It has taught me to open my eyes and see not only what is, but what can be. Where there are broken systems … we can create new ones that actually function and benefit all, instead of just a select few.”

“If we’re not protecting the arts, we’re not protecting our future, we’re not protecting this world,” says Swizz Beatz. He speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Swizz Beatz, Music producer, entrepreneur, art enthusiast

Big idea: Art is for everyone. Let’s make it that way.

Why? Creativity heals us — and everybody who harbors love for the arts deserves access to them, says Swizz Beatz. Interweaving a history of his path as a creative in the music industry, Beatz recounts his many successful pursuits in the art of giving back. In creating these spaces at the intersection of education, celebration, inclusion and support — such as The Dean Collection, No Commissions, The Dean’s Choice and Verzuz — he plans to outsmart lopsided industries that exploit creatives and give the power of art back to the people. “If we’re not protecting the arts, we’re not protecting our future, we’re not protecting this world,” he says.

“In this confusing world, we need to be the bridge between differences. You interrogate those differences, you hold them for as long as you can until something happens, something reveals itself,” says Jad Abumrad. He speaks at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Jad Abumrad, host of RadioLab and Dolly Parton’s America

Big Idea: Storytellers and journalists are the bridge that spans conflict and difference to reveal a new meaning. 

How: When journalist Jad Abumrad began storytelling in 2002, he crafted each story to culminate the same way: mind-blowing science discoveries, paired with ear-tickling auditory creations, resolved into “moments of wonder.” But after 10 years, he began to wonder himself: Is this the only way to tell a story? Seeking an answer, Abumrad turned to more complex, convoluted stories and used science to sniff out the facts. But these stories often ended without an answer or resolution, instead leading listeners to “moments of struggle,” where truth collided with truth. It wasn’t until Abumrad returned to his home of Tennessee where he met an unlikely teacher in the art of storytelling: Dolly Parton. In listening to the incredible insights she had into her own life, he realized that the best stories can’t be summarized neatly and instead should find revelation — or what he calls “the third.” A term rooted in psychotherapy, the third is the new entity created when two opposing forces meet and reconcile their differences. For Abumrad, Dolly had found resolution in her life, fostered it in her fanbase and showcased it in her music — and revealed to him his new purpose in telling stories. “In this confusing world, we need to be the bridge between differences,” Abumrad says. “You interrogate those differences, you hold them for as long as you can until something happens, something reveals itself.”

Aloe Blacc performs “Amazing Grace” at TED2020: Uncharted on June 4, 2020. (Photo courtesy of TED)

Backed by piano from Greg Phillinganes, singer, songwriter and producer Aloe Blacc provides balm for the soul with a gorgeous rendition of “Amazing Grace.”

Congressman John Lewis, politician and civil rights leader, interviewed by Bryan Stevenson, public interest lawyer and founder of the Equal Justice Initiative — an excerpt from the upcoming TED Legacy Project

Big idea: As a new generation of protesters takes to the streets to fight racial injustice, many have looked to the elders of the Civil Rights Movement — like John Lewis — to study how previous generations have struggled not just to change the world but also to maintain morale in the face of overwhelming opposition.

How? In order to truly effect change and move people into a better world, contemporary protestors must learn tactics that many have forgotten — especially nonviolent engagement and persistence. Fortunately, John Lewis sees an emerging generation of new leaders of conscience, and he urges them to have hope, to be loving and optimistic and, most of all, to keep going tirelessly even in the face of setbacks. As interviewer Bryan Stevenson puts it, “We cannot rest until justice comes.”

TEDWHAAAAAT?: Notes from Session 4 of TED2020

For Session 4 of TED2020, experts in biohacking, synthetic biology, psychology and beyond explored topics ranging from discovering the relationship between the spinal cord and asparagus to using tools of science to answer critical questions about racial bias. Below, a recap of the night’s talks and performances.

“Every scientist can tell you about the time they ignored their doubts and did the experiment that would ‘never’ work,” says biomedical researcher Andrew Pelling. “And the thing is, every now and then, one of those experiments works out.” He speaks at TED2020: Uncharted on June 11, 2020. (Photo courtesy of TED)

Andrew Pelling, biomedical researcher

Big idea: Could we use asparagus to repair spinal cords?

How? Andrew Pelling researches how we might use fruits, vegetables and plants to reconstruct damaged or diseased human tissues. (Check out his 2016 talk about making ears out of apples.) His lab strips these organisms of their DNA and cells, leaving just the fibers behind, which are then used as “scaffolds” to reconstruct tissue. Now, they’re busy working with asparagus, experimenting to see if the vegetable’s microchannels can guide the regeneration of cells after a spinal cord injury. There’s evidence in rats that it’s working, the first data of its kind to show that plant tissues might be capable of repairing such a complex injury. Pelling is also the cofounder of Spiderwort, a startup that’s translating these innovative discoveries into real-world applications. “Every scientist can tell you about the time they ignored their doubts and did the experiment that would ‘never’ work,” he says. “And the thing is, every now and then, one of those experiments works out.”

Synthetic designer Christina Agapakis shares projects that blur the line between art and science at TED2020: Uncharted on June 11, 2020. (Photo courtesy of TED)

Christina Agapakis, synthetic designer

Big idea: Synthetic biology isn’t an oxymoron; it investigates the boundary between nature and technology — and it could shape the future.

How? From teaching bacteria how to play sudoku to self-healing concrete, Christina Agapakis introduces us to the wonders of synthetic biology: a multidisciplinary science that seeks to create and sometimes redesign systems found in nature. “We have been promised a future of chrome, but what if the future is fleshy?” asks Agapakis. She delves into the ways biology could expand technology and alter the way we understand ourselves, exposing the surprisingly blurred lines between art, science and society. “It starts by recognizing that we as synthetic biologists are also shaped by a culture that values ‘real’ engineering more than any of the squishy stuff. We get so caught up in circuits and what happens inside of computers that we sometimes lose sight of the magic that’s happening inside of us,” says Agapakis.

Jess Wolfe and Holly Laessig of Lucius perform “White Lies” and “Turn It Around” at TED2020: Uncharted on June 11, 2020. (Photo courtesy of TED.)

Jess Wolfe and Holly Laessig of indie pop band Lucius provide an enchanting musical break between talks, performing their songs “White Lies” and “Turn It Around.”

“[The] association with blackness and crime … makes its way into all of our children, into all of us. Our minds are shaped by the racial disparities we see out in the world, and the narratives that help us to make sense of the disparities we see,” says psychologist Jennifer L. Eberhardt. She speaks at TED2020: Uncharted on June 11, 2020. (Photo courtesy of TED)

Jennifer L. Eberhardt, psychologist

Big idea: We can use science to break down the societal and personal biases that unfairly target Black people.

How? When Jennifer Eberhardt flew with her five-year-old son one day, he turned to her after looking at the only other Black man on the plane and said, “I hope he doesn’t rob the plane” — showing Eberhardt undeniable evidence that racial bias seeps into every crack of society. For Eberhardt, a MacArthur-winning psychologist specializing in implicit bias, this surfaced a key question at the core of our society: How do we break down the societal and personal biases that target blackness? Just because we’re vulnerable to bias doesn’t mean we need to act on it, Eberhardt says. We can create “friction” points that eliminate impulsive social media posts based on implicit bias, such as when Nextdoor fought back against its “racial profiling problem” that required users to answer a few simple questions before allowing them to raise the alarm on “suspicious” visitors to their neighborhoods. Friction isn’t just a matter of online interaction, either. With the help of similar questions, the Oakland Police Department instituted protocols that reduce traffic stops of African-Americans by 43 percent. “Categorization and the bias that it seeds allow our brains to make judgments more quickly and efficiently,” Eberhardt says. “Just as the categories we create allow us to make quick decisions, they also reinforce bias — so the very things that help us to see the world also can blind us to it. They render our choices effortless, friction-free, yet they exact a heavy toll.”


Biological programmer Michael Levin (right) speaks with head of TED Chris Anderson about the wild frontiers of cellular memory at TED2020: Uncharted on June 11, 2020. (Photo courtesy of TED)

Michael Levin, biological programmer

Big idea: DNA isn’t the only builder in the biological world — there’s also an invisible electrical matrix directing cells to change into organs, telling tadpoles to become frogs, and instructing flatworms to regenerate new bodies once sliced in half. If Michael Levin and his colleagues can learn this cellular “machine language,” human beings may be one step closer to curing birth defects, eliminating cancer and evading aging.

How? As cells become organs, systems and bodies, they communicate via an electrical system dictating where the finished parts will go. Guided by this cellular network, organisms grow, transform and even build new limbs (or bodies) after trauma. At Michael Levin’s lab, scientists are cracking this code — and have even succeeded in creating autonomous organisms out of skin cells by altering the cell electrically without genetic manipulation. Mastering this code could not only allow humans to create microscopic biological “xenobots” to rebuild and medicate our bodies from the inside but also let us to grow new organs — and perhaps rejuvenate ourselves as we age. “We are now beginning to crack this morphogenetic code to ask: How is it that these tissues store a map of what to do?” Levin asks. “[How can we] go in and rewrite that map to new outcomes?”

“My vision for the future is that when things come to life, they do so with joy,” says Ali Kashani. He speaks at TED2020: Uncharted on June 11, 2020. (Photo courtesy of TED)

Ali Kashani, VP of special projects at Postmates

Big idea: Robots are becoming a part of everyday life in urban centers, which means we’ll have to design them to be accessible, communicative and human-friendly.

How? On the streets of San Francisco and Los Angeles, delivery robots bustle along neighborhood sidewalks to drop-off packages and food. With potential benefits ranging from environmental responsibility to community-building, these robots offer us an incredible glimpse into the future. The challenge now is ensuring that robots can move out of the lab and fit into our world and among us as well, says Kashani. At Postmates, Kashani designs robots with human reaction in mind. Instead of frightening, dystopian imagery, he wants people to understand robots as familiar and friendly. This is why Postmates’s robots are reminiscent of beloved characters like the Minions and Wall-E; they can use their eyes to communicate with humans and acknowledge obstacles like traffic stops in real-time. There are so many ways robots can help us and our communities: picking up extra food from restaurants for shelters, delivering emergency medication to those in need and more. By designing robots to integrate into our physical and social infrastructures, we can welcome them to the world seamlessly and create a better future for all. “My vision for the future is that when things come to life, they do so with joy,” Kashani says.

TEDBeauty everywhere: Notes from Session 6 of TED2020

We’re six weeks into TED2020! For session 6: a celebration of beauty on every level, from planet-trekking feats of engineering to art that deeply examines our past, present, future — and much more.

Planetary scientist Elizabeth “Zibi” Turtle shows off the work behind Dragonfly: a rotorcraft being developed to explore Titan, Saturn’s largest moon, by air. She speaks at TED2020: Uncharted on June 25, 2020. (Photo courtesy of TED)

Elizabeth “Zibi” Turtle, planetary scientist 

Big idea: The Dragonfly Mission, set to launch in 2026, will study Titan, the largest moon orbiting Saturn. Through this mission, scientists may discover the secrets of the solar system’s origin, the history of life on Earth — and even the potential for life beyond our planet.

How? Launched in 1997, the Cassini-Huygens Mission provided scientists with incredible information about Titan, a water-based moon with remarkable similarities to Earth. We learned that Titan’s geography includes sand dunes, craters and mountains, and that vast oceans of water — perhaps 10 times as large as Earth’s total supply — lie deep underneath Titan’s surface. In many ways, Titan is the closest parallel to pre-life, early Earth, Elizabeth Turtle explains. The Cassini-Huygens Mission ended in 2004, and now hundreds of scientists across the world are working on the Dragonfly Mission, which will dramatically expand our knowledge of Titan. Unlike the Cassini-Huygens spacecraft, Dragonfly will live within Titan’s atmosphere, flying across the moon to gather samples and study its chemical makeup, weather and geography. The data Dragonfly sends back may bring us closer to thrilling discoveries on the makeup of the solar system, the habitability of other planets and the beginnings of life itself. “Dragonfly is a search for greater understanding — not just of Titan and the mysteries of our solar system, but of our own origins,” Turtle says.

“Do you think human creativity matters?” asks actor, writer and director Ethan Hawke. He gives us his compelling answer at TED2020: Uncharted on June 25, 2020. (Photo courtesy of TED)

Ethan Hawke, actor, writer, director

Big idea: Creativity isn’t a luxury; it’s vital to the human experience.

How? We often struggle to give ourselves permission to be creative because we’re all a little suspect of our own talent, says Ethan Hawke. Recounting his own journey of creative discovery over a 30-year career in acting — along with the beauty he sees in everyday moments with his family — Hawke encourages us to reframe this counterproductive definition of human creativity. Creative expression has nothing to do with talent, he says, but rather is a process of learning who you are and how you connect to other people. Instead of giving in to the pull of old habits and avoiding new experiences — maybe you’re hesitant to enroll in that poetry course or cook that complicated 20-step recipe — Hawke urges us to engage in a rich variety of creative outlets and, most importantly, embrace feeling foolish along the way. “I think most of us really want to offer the world something of quality, something that the world will consider good or important — and that’s really the enemy,” Hawke says. “Because it’s not up to us whether what we do is any good. And if history has taught us anything, the world is an extremely unreliable critic. So, you have to ask yourself, do you think human creativity matters?”

Singer-songwriter and multiinstrumentalist Bob Schneider performs for TED2020: Uncharted on June 25, 2020. (Photo courtesy of TED)

Keeping the beauty of the session flowing, singer-songwriter Bob Schneider performs “Joey’s Song,” “The Other Side” and “Lorena.”

“We have thousands of years of ancient knowledge that we just need to listen to and allow it to expand our thinking about designing symbiotically with nature,” says architect Julia Watson. “By listening, we’ll only become wiser and ready for those 21st-century challenges that we know will endanger our people and our planet.” She speaks at TED2020: Uncharted on June 25, 2020. (Photo courtesy of TED)

Julia Watson, architect, landscape designer, author

Big idea: Ancient Indigenous technology can teach us how to design with nature, instead of against it, when facing challenges. We just need to look and listen. 

How? In her global search for ancient design systems and solutions, Julia Watson has encountered wondrous innovations to counter climate challenges that we all can learn from. “High-tech solutions are definitely going to help us solve some of these problems, but in our rush towards the future, we tend to forget about the past in other parts of the world,” she says. Watson takes us to the villages of Khasi, India, where people have built living bridges woven from ancient roots that strengthen over time to enable travel when monsoon season hits. She introduces us to a water-based civilization in the Mesopotamian Marshlands, where for 6,000 years, the Maʻdān people have lived on manmade islands built from harvested reeds. And she shows us a floating African city in Benin, where buildings are stilted above flooded land. “I’m an architect, and I’ve been trained to seek solutions in permanence, concrete, steel, glass. These are all used to build a fortress against nature,” Watson says. “But my search for ancient systems and Indigenous technologies has been different. It’s been inspired by an idea that we can seed creativity in crisis.”

TED Fellow and theater artist Daniel Alexander Jones lights up the stage at TED2020: Uncharted on June 25, 2020. (Photo courtesy of TED)

TED Fellow and theater artist Daniel Alexander Jones lights up the (virtual) stage by channeling Jomama Jones, a mystical alter ego who shares some much-needed wisdom. “What if I told you, ‘You will surprise yourself’?” Jomama asks. “What if I told you, ‘You will be brave enough’?”

“It takes creativity to be able to imagine a future that is so different from the one before you,” says artist Titus Kaphar. He speaks at TED2020: Uncharted on June 25, 2020. (Photo courtesy of TED)

Titus Kaphar, artist

Big idea: Beauty can open our hearts to difficult conversations.

How? A painting’s color, form or composition pulls you in, functioning as a kind of Trojan horse out of which difficult conversations can emerge, says artist Titus Kaphar. (See for yourself in his unforgettable live workshop from TED2017.) Two weeks after George Floyd’s death and the Movement for Black Lives protests that followed, Kaphar reflects on his evolution as an artist and takes us on a tour of his work — from The Jerome Project, which examines the US criminal justice system through the lens of 18th- and 19th-century American portraiture, to his newest series, From a Tropical Space, a haunting body of work about Black mothers whose children have disappeared. In addition to painting, Kaphar shares the work and idea behind NXTHVN, an arts incubator and creative community for young people in his hometown of Dixwell, Connecticut. “It takes creativity to be able to imagine a future that is so different from the one before you,” he says.

CryptogramIoT Security Principles

The BSA -- also known as the Software Alliance, formerly the Business Software Alliance (which explains the acronym) -- is an industry lobbying group. They just published "Policy Principles for Building a Secure and Trustworthy Internet of Things."

They call for:

  • Distinguishing between consumer and industrial IoT.
  • Offering incentives for integrating security.
  • Harmonizing national and international policies.
  • Establishing regularly updated baseline security requirements

As with pretty much everything else, you can assume that if an industry lobbying group is in favor of it, then it doesn't go far enough.

And if you need more security and privacy principles for the IoT, here's a list of over twenty.

Planet DebianGunnar Wolf: Raspberry Pi 4, now running your favorite distribution!

Great news, great news! New images available!Grab them while they are hot!

With lots of help (say, all of the heavy lifting) from the Debian Raspberry Pi Maintainer Team, we have finally managed to provide support for auto-building and serving bootable minimal Debian images for the Raspberry Pi 4 family of single-board, cheap, small, hacker-friendly computers!

The Raspberry Pi 4 was released close to a year ago, and is a very major bump in the Raspberry lineup; it took us this long because we needed to wait until all of the relevant bits entered Debian (mostly the kernel bits). The images are shipping a kernel from our Unstable branch (currently, 5.7.0-2), and are less tested and more likely to break than our regular, clean-Stable images. Nevertheless, we do expect them to be useful for many hackers –and even end-users– throughout the world.

The images we are generating are very minimal, they carry basically a minimal Debian install. Once downloaded, of course, you can install whatever your heart desires (because… Face it, if your heart desires it, it must free and of high quality. It must already be in Debian!)

Oh — And very important: Due to a change in the memory layout, if you get the 8GB model (currently the top-of-the-line RPi4), it will still not have USB support, due to a change in its memory layout (that means, no local keyboard/mouse ☹). We are working on getting it ironed out!

Worse Than FailureCodeSOD: Your Personal Truth

There are still some environments where C may not have easy access to a stdbool header file. That's easy to fix, of course. The basic pattern is to typedef an integer type as a boolean type, and then define some symbols for true and false. It's a pretty standard pattern, three lines of code, and unless you insist that FILE_NOT_FOUND is a boolean value, it's pretty hard to mess up.

Julien H was compiling some third-party C code, specifically in Visual Studio 2010, and as it turns out, VS2010 doesn't support C99, and thus doesn't have a stdbool. But, as stated, it's an easy pattern to implement, so the third party library went and implemented it:

#ifndef _STDBOOL_H_VS2010 #define _STDBOOL_H_VS2010 typedef int bool; static bool true = 1; static bool false = 0; #endif

We've asked many times, what is truth? In this case, we admit a very post-modern reality: what is "true" is not constant and unchanging, it cannot merely be enumerated, it must be variable. Truth can change, because here we've defined true and false as variables. And more than that, each person must identify their own truth, and by making these variables static, what we guarantee is that every .c file in our application can have its own value for truth. The static keyword, applied to a global variable, guarantees that each .c file gets its own scope.

I can only assume this header was developed by Jacques Derrida.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!


Cory DoctorowFull Employment

My latest Locus column is “Full Employment,” in which I forswear “Fully Automated Luxury Communism” as totally incompatible with the climate emergency, which will consume 100%+ of all human labor for centuries to come.

This fact is true irrespective of any breakthroughs in AI OR geoengineering. Technological unemployment is vastly oversold and overstated (for example, that whole thing about truck drivers is bullshit).

But even if we do manage to automate away all of jobs, the climate emergency demands unimaginably labor intensive tasks for hundreds of years – jobs like relocating every coastal city inland, or caring for hundreds of millions of refugees.

Add to those: averting the exinctions of thousands of species, managing wave upon wave of zoonotic and insect-borne plagues, dealing with wildfires and tornados, etc.

And geoengineering won’t solve this: we’ve sunk a lot of heat into the oceans. It’s gonna warm them up. That’s gonna change the climate. It’s not gonna be good. Heading this off doesn’t just involve repealing thermodynamics – it also requires a time-machine.

But none of this stuff is insurmountable – it’s just hard. We CAN do this stuff. If you were wringing your hands about unemployed truckers, good news! They’ve all got jobs moving thousands of cities inland!

It’s just (just!) a matter of reorienting our economy around preserving our planet and our species.

And yeah, that’s hard, too – but if “the economy” can’t be oriented to preserving our species, we need a different economy.


Rondam RamblingsMark your calendars: I am debating Ken Hoving on July 9

I've recently taken up a new hobby of debating young-earth creationists on YouTube.  (It's a dirty job, but somebody's gotta do it.)  I've done two of them so far [1][2], both on a creationist channel called Standing For Truth.  My third debate will be against Kent Hovind, one of the more prominent and, uh, outspoken members of the YEC community.  In case you haven't heard of him, here's a sample

Planet DebianDirk Eddelbuettel: Rcpp 1.0.5: Several Updates

rcpp logo

Right on the heels of the news of 2000 CRAN packages using Rcpp (and also hitting 12.5 of CRAN package, or one in eight), we are happy to announce release 1.0.5 of Rcpp. Since the ten-year anniversary and the 1.0.0 release release in November 2018, we have been sticking to a four-month release cycle. The last release has, however, left us with a particularly bad taste due to some rather peculiar interactions with a very small (but ever so vocal) portion of the user base. So going forward, we will change two things. First off, we reiterate that we have already made rolling releases. Each minor snapshot of the main git branch gets a point releases. Between release 1.0.4 and this 1.0.5 release, there were in fact twelve of those. Each and every one of these was made available via the drat repo, and we will continue to do so going forward. Releases to CRAN, however, are real work. If they then end up with as much nonsense as the last release 1.0.4, we think it is appropriate to slow things down some more so we intend to now switch to a six-months cycle. As mentioned, interim releases are always just one install.packages() call with a properly set repos argument away.

Rcpp has become the most popular way of enhancing R with C or C++ code. As of today, 2002 packages on CRAN depend on Rcpp for making analytical code go faster and further, along with 203 in BioConductor. And per the (partial) logs of CRAN downloads, we are running steady at around one millions downloads per month.

This release features again a number of different pull requests by different contributors covering the full range of API improvements, attributes enhancements, changes to Sugar and helper functions, extended documentation as well as continuous integration deplayment. See the list below for details.

Changes in Rcpp patch release version 1.0.5 (2020-07-01)

  • Changes in Rcpp API:

    • The exception handler code in #1043 was updated to ensure proper include behavior (Kevin in #1047 fixing #1046).

    • A missing Rcpp_list6 definition was added to support R 3.3.* builds (Davis Vaughan in #1049 fixing #1048).

    • Missing Rcpp_list{2,3,4,5} definition were added to the Rcpp namespace (Dirk in #1054 fixing #1053).

    • A further updated corrected the header include and provided a missing else branch (Mattias Ellert in #1055).

    • Two more assignments are protected with Rcpp::Shield (Dirk in #1059).

    • One call to abs is now properly namespaced with std:: (Uwe Korn in #1069).

    • String object memory preservation was corrected/simplified (Kevin in #1082).

  • Changes in Rcpp Attributes:

    • Empty strings are not passed to R CMD SHLIB which was seen with R 4.0.0 on Windows (Kevin in #1062 fixing #1061).

    • The short_file_name() helper function is safer with respect to temporaries (Kevin in #1067 fixing #1066, and #1071 fixing #1070).

  • Changes in Rcpp Sugar:

    • Two sample() objects are now standard vectors and not R_alloc created (Dirk in #1075 fixing #1074).
  • Changes in Rcpp support functions:

    • Rcpp.package.skeleton() adjusts for a (documented) change in R 4.0.0 (Dirk in #1088 fixing #1087).
  • Changes in Rcpp Documentation:

    • The pdf file of the earlier introduction is again typeset with bibliographic information (Dirk).

    • A new vignette describing how to package C++ libraries has been added (Dirk in #1078 fixing #1077).

  • Changes in Rcpp Deployment:

    • Travis CI unit tests now run a matrix over the versions of R also tested at CRAN (rel/dev/oldrel/oldoldrel), and coverage runs in parallel for a net speed-up (Dirk in #1056 and #1057).

    • The exceptions test is now partially skipped on Solaris as it already is on Windows (Dirk in #1065).

    • The default CI runner was upgraded to R 4.0.0 (Dirk).

    • The CI matrix spans R 3.5, 3.6, r-release and r-devel (Dirk).

Thanks to CRANberries, you can also look at a diff to the previous release. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page. Bugs reports are welcome at the GitHub issue tracker as well (where one can also search among open or closed issues); questions are also welcome under rcpp tag at StackOverflow which also allows searching among the (currently) 2455 previous questions.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

CryptogramThiefQuest Ransomware for the Mac

There's a new ransomware for the Mac called ThiefQuest or EvilQuest. It's hard to get infected:

For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it. It's a good reminder to get your software from trustworthy sources, like developers whose code is "signed" by Apple to prove its legitimacy, or from Apple's App Store itself. But if you're someone who already torrents programs and is used to ignoring Apple's flags, ThiefQuest illustrates the risks of that approach.

But it's nasty:

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Planet DebianJonathan Dowland: Review: Roku Express

I don't generally write consumer reviews, here or elsewhere; but I have been so impressed by this one I wanted to mention it.

For Holly's birthday this year, taking place under Lockdown, we decided to buy a year's subscription to "Disney+". Our current TV receiver (A Humax Freesat box) doesn't support it so I needed to find some other way to get it onto the TV.

After a short bit of research, I bought the "Roku Express" streaming media player. This is the most basic streamer that Roku make, bottom of their range. For a little bit more money you can get a model which supports 4K (although my TV obviously doesn't: it, and the basic Roku, top out at 1080p) and a bit more gets you a "stick" form-factor and a Bluetooth remote (rather than line-of-sight IR).

I paid £20 for the most basic model and it Just Works. The receiver is very small but sits comfortably next to my satellite receiver-box. I don't have any issues with line-of-sight for the IR remote (and I rely on a regular IR remote for the TV itself of course). It supports Disney+, but also all the other big name services, some of which we already use (Netflix, YouTube BBC iPlayer) and some of which we didn't, since it was too awkward to access them (Google Play, Amazon Prime Video). It has now largely displaced the FreeSat box for accessing streaming content because it works so well and everything is in one place.

There's a phone App that remote-controls the box and works even better than the physical remote: it can offer a full phone-keyboard at times when you need to input text, and can mute the TV audio and put it out through headphones attached to the phone if you want.

My aging Plasma TV suffers from burn-in from static pictures. If left paused for a duration the Roku goes to a screensaver that keeps the whole frame moving. The FreeSat doesn't do this. My Blu Ray player does, but (I think) it retains some static elements.

Planet DebianReproducible Builds: Reproducible Builds in June 2020

Welcome to the June 2020 report from the Reproducible Builds project. In these reports we outline the most important things that we and the rest of the community have been up to over the past month.

What are reproducible builds?

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security.

But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.


The GitHub Security Lab published a long article on the discovery of a piece of malware designed to backdoor open source projects that used the build process and its resulting artifacts to spread itself. In the course of their analysis and investigation, the GitHub team uncovered 26 open source projects that were backdoored by this malware and were actively serving malicious code. (Full article)

Carl Dong from Chaincode Labs uploaded a presentation on Bitcoin Build System Security and reproducible builds to YouTube:

The app intended to trace infection chains of Covid-19 in Switzerland published information on how to perform a reproducible build.

The Reproducible Builds project has received funding in the past from the Open Technology Fund (OTF) to reach specific technical goals, as well as to enable the project to meet in-person at our summits. The OTF has actually also assisted countless other organisations that promote transparent, civil society as well as those that provide tools to circumvent censorship and repressive surveillance. However, the OTF has now been threatened with closure. (More info)

It was noticed that Reproducible Builds was mentioned in the book End-user Computer Security by Mark Fernandes (published by WikiBooks) in the section titled Detection of malware in software.

Lastly, reproducible builds and other ideas around software supply chain were mentioned in a recent episode of the Ubuntu Podcast in a wider discussion about the Snap and application stores (at approx 16:00).

Distribution work

In the ArchLinux distribution, a goal to remove .doctrees from installed files was created via Arch’s ‘TODO list’ mechanism. These .doctree files are caches generated by the Sphinx documentation generator when developing documentation so that Sphinx does not have to reparse all input files across runs. They should not be packaged, especially as they lead to the package being unreproducible as their pickled format contains unreproducible data. Jelle van der Waa and Eli Schwartz submitted various upstream patches to fix projects that install these by default.

Dimitry Andric was able to determine why the reproducibility status of FreeBSD’s base.txz depended on the number of CPU cores, attributing it to an optimisation made to the Clang C compiler []. After further detailed discussion on the FreeBSD bug it was possible to get the binaries reproducible again [].

For the GNU Guix operating system, Vagrant Cascadian started a thread about collecting reproducibility metrics and Jan “janneke” Nieuwenhuizen posted that they had further reduced their “bootstrap seed” to 25% which is intended to reduce the amount of code to be audited to avoid potential compiler backdoors.

In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update as well as made the following changes within the distribution itself:


Holger Levsen filed three bugs (#961857, #961858 & #961859) against the reproducible-check tool that reports on the reproducible status of installed packages on a running Debian system. They were subsequently all fixed by Chris Lamb [][][].

Timo Röhling filed a wishlist bug against the debhelper build tool impacting the reproducibility status of 100s of packages that use the CMake build system which led to a number of tests and next steps. []

Chris Lamb contributed to a conversation regarding the nondeterministic execution of order of Debian maintainer scripts that results in the arbitrary allocation of UNIX group IDs, referencing the Tails operating system’s approach this []. Vagrant Cascadian also added to a discussion regarding verification formats for reproducible builds.

47 reviews of Debian packages were added, 37 were updated and 69 were removed this month adding to our knowledge about identified issues. Chris Lamb identified and classified a new uids_gids_in_tarballs_generated_by_cmake_kde_package_app_templates issue [] and updated the paths_vary_due_to_usrmerge as deterministic issue, and Vagrant Cascadian updated the cmake_rpath_contains_build_path and gcc_captures_build_path issues. [][][].

Lastly, Debian Developer Bill Allombert started a mailing list thread regarding setting the -fdebug-prefix-map command-line argument via an environment variable and Holger Levsen also filed three bugs against the debrebuild Debian package rebuilder tool (#961861, #961862 & #961864).


On our website this month, Arnout Engelen added a link to our Mastodon account [] and moved the SOURCE_DATE_EPOCH git log example to another section []. Chris Lamb also limited the number of news posts to avoid showing items from (for example) 2017 [].

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. It is used automatically in most Debian package builds. This month, Mattia Rizzolo bumped the debhelper compatibility level to 13 [] and adjusted a related dependency to avoid potential circular dependency [].

Upstream work

The Reproducible Builds project attempts to fix unreproducible packages and we try to to send all of our patches upstream. This month, we wrote a large number of such patches including:

Bernhard M. Wiedemann also filed reports for frr (build fails on single-processor machines), ghc-yesod-static/git-annex (a filesystem ordering issue) and ooRexx (ASLR-related issue).


diffoscope is our in-depth ‘diff-on-steroids’ utility which helps us diagnose reproducibility issues in packages. It does not define reproducibility, but rather provides a helpful and human-readable guidance for packages that are not reproducible, rather than relying essentially-useless binary diffs.

This month, Chris Lamb uploaded versions 147, 148 and 149 to Debian and made the following changes:

  • New features:

    • Add output from strings(1) to ELF binaries. (#148)
    • Dump PE32+ executables (such as EFI applications) using objdump(1). (#181)
    • Add support for Zsh shell completion. (#158)
  • Bug fixes:

    • Prevent a traceback when comparing PDF documents that did not contain metadata (ie. a PDF /Info stanza). (#150)
    • Fix compatibility with jsondiff version 1.2.0. (#159)
    • Fix an issue in GnuPG keybox file handling that left filenames in the diff. []
    • Correct detection of JSON files due to missing call to File.recognizes that checks candidates against file(1). []
  • Output improvements:

    • Use the CSS word-break property over manually adding U+200B zero-width spaces as these were making copy-pasting cumbersome. (!53)
    • Downgrade the tlsh warning message to an ‘info’ level warning. (#29)
  • Logging improvements:

  • Testsuite improvements:

    • Update tests for file(1) version 5.39. (#179)
    • Drop accidentally-duplicated copy of the --diff-mask tests. []
    • Don’t mask an existing test. []
  • Codebase improvements:

    • Replace obscure references to WF with “Wagner-Fischer” for clarity. []
    • Use a semantic AbstractMissingType type instead of remembering to check for both types of ‘missing’ files. []
    • Add a comment regarding potential security issue in the .changes, .dsc and .buildinfo comparators. []
    • Drop a large number of unused imports. [][][][][]
    • Make many code sections more Pythonic. [][][][]
    • Prevent some variable aliasing issues. [][][]
    • Use some tactical f-strings to tidy up code [][] and remove explicit u"unicode" strings [].
    • Refactor a large number of routines for clarity. [][][][]

trydiffoscope is the web-based version of diffoscope. This month, Chris Lamb also corrected the location for the celerybeat scheduler to ensure that the clean/tidy tasks are actually called which had caused an accidental resource exhaustion. (#12)

In addition Jean-Romain Garnier made the following changes:

  • Fix the --new-file option when comparing directories by merging and (#180)
  • Allow user to mask/filter diff output via --diff-mask=REGEX. (!51)
  • Make child pages open in new window in the --html-dir presenter format. []
  • Improve the diffs in the --html-dir format. [][]

Lastly, Daniel Fullmer fixed the Coreboot filesystem comparator [] and Mattia Rizzolo prevented warnings from the tlsh fuzzy-matching library during tests [] and tweaked the build system to remove an unwanted .build directory []. For the GNU Guix distribution Vagrant Cascadian updated the version of diffoscope to version 147 [] and later 148 [].

Testing framework

We operate a large and many-featured Jenkins-based testing framework that powers Amongst many other tasks, this tracks the status of our reproducibility efforts across many distributions as well as identifies any regressions that have been introduced. This month, Holger Levsen made the following changes:

  • Debian-related changes:

    • Prevent bogus failure emails from every night. []
    • Merge a fix from David Bremner’s database of .buildinfo files to include a fix regarding comparing source vs. binary package versions. []
    • Only run the Debian package rebuilder job twice per day. []
    • Increase bullseye scheduling. []
  • System health status page:

    • Add a note displaying whether a node needs to be rebooted for a kernel upgrade. []
    • Fix sorting order of failed jobs. []
    • Expand footer to link to the related Jenkins job. []
    • Add archlinux_html_pages, openwrt_rebuilder_today and openwrt_rebuilder_future to ‘known broken’ jobs. []
    • Add HTML <meta> header to refresh the page every 5 minutes. []
    • Count the number of ignored jobs [], ignore permanently ‘known broken’ jobs [] and jobs on ‘known offline’ nodes [].
    • Only consider the ‘known offline’ status from Git. []
    • Various output improvements. [][]
  • Tools:

    • Switch URLs for the Grml Live Linux and PureOS package sets. [][]
    • Don’t try to build a disorderfs Debian source package. [][][]
    • Stop building diffoscope as we are moving this to Salsa. [][]
    • Merge several “is diffoscope up-to-date on every platform?” test jobs into one [] and fail less noisily if the version in Debian cannot be determined [].

In addition: Marcus Hoffmann was added as a maintainer of the F-Droid reproducible checking components [], Jelle van der Waa updated the “is diffoscope up-to-date in every platform” check for Arch Linux and diffoscope [], Mattia Rizzolo backed up a copy of a “remove script” run on the Codethink-hosted ‘jump server‘ [] and Vagrant Cascadian temporarily disabled the fixfilepath on bullseye, to get better data about the ftbfs_due_to_f-file-prefix-map categorised issue.

Lastly, the usual build node maintenance was performed by Holger Levsen [][], Mattia Rizzolo [] and Vagrant Cascadian [][][][][].

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

This month’s report was written by Bernhard M. Wiedemann, Chris Lamb, Eli Schwartz, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.

CryptogramiPhone Apps Stealing Clipboard Data

iOS apps are repeatedly reading clipboard data, which can include all sorts of sensitive information.

While Haj Bakry and Mysk published their research in March, the invasive apps made headlines again this week with the developer beta release of iOS 14. A novel feature Apple added provides a banner warning every time an app reads clipboard contents. As large numbers of people began testing the beta release, they quickly came to appreciate just how many apps engage in the practice and just how often they do it.

This YouTube video, which has racked up more than 87,000 views since it was posted on Tuesday, shows a small sample of the apps triggering the new warning.

EDITED TO ADD (7/6): LinkedIn and Reddit are doing this.

Worse Than FailureCodeSOD: Classic WTF: Dimensioning the Dimension

It was a holiday weekend in the US, so we're taking a little break. Yes, I know that most people took Friday off, but as this article demonstrates, dates remain hard. Original -- Remy

It's not too uncommon to see a Java programmer write a method to get the name of a month based on the month number. Sure, month name formatting is built in via SimpleDateFormat, but the documentation can often be hard to read. And since there's really no other place to find the answer, it's excusable that a programmer will just write a quick method to do this.

I have to say though, Robert Cooper's colleague came up with a very interesting way of doing this: adding an[other] index to an array ...

public class DateHelper
  private static final String[][] months = 
      { "0", "January" }, 
      { "1", "February" }, 
      { "2", "March" }, 
      { "3", "April" }, 
      { "4", "May" }, 
      { "5", "June" }, 
      { "6", "July" }, 
      { "7", "August" }, 
      { "8", "September" }, 
      { "9", "October" }, 
      { "10", "November" }, 
      { "11", "December" }

  public static String getMonthDescription(int month)
    for (int i = 0; i < months.length; i++)
      if (Integer.parseInt(months[i][0]) == month)
          return months[i][1];
    return null;

If you enjoyed friday's post (A Pop-up Potpourii), make sure to check out the replies. There were some great error messages posted.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!


Cory DoctorowSomeone Comes to Town, Someone Leaves Town (part 09)

Here’s part nine of my new reading of my novel Someone Comes to Town, Someone Leaves Town (you can follow all the installments, as well as the reading I did in 2008/9, here).

This is easily the weirdest novel I ever wrote. Gene Wolfe (RIP) gave me an amazing quote for it: “Someone Comes to Town, Someone Leaves Town is a glorious book, but there are hundreds of those. It is more. It is a glorious book unlike any book you’ve ever read.”

Here’s how my publisher described it when it came out:

Alan is a middle-aged entrepeneur who moves to a bohemian neighborhood of Toronto. Living next door is a young woman who reveals to him that she has wings—which grow back after each attempt to cut them off.

Alan understands. He himself has a secret or two. His father is a mountain, his mother is a washing machine, and among his brothers are sets of Russian nesting dolls.

Now two of the three dolls are on his doorstep, starving, because their innermost member has vanished. It appears that Davey, another brother who Alan and his siblings killed years ago, may have returned, bent on revenge.

Under the circumstances it seems only reasonable for Alan to join a scheme to blanket Toronto with free wireless Internet, spearheaded by a brilliant technopunk who builds miracles from scavenged parts. But Alan’s past won’t leave him alone—and Davey isn’t the only one gunning for him and his friends.

Whipsawing between the preposterous, the amazing, and the deeply felt, Cory Doctorow’s Someone Comes to Town, Someone Leaves Town is unlike any novel you have ever read.


Planet DebianEnrico Zini: COVID-19 and Capitalism

If the Reopen America protests seem a little off to you, that's because they are. In this video we're going to talk about astroturfing and how insidious it i...
Techdirt has just written about the extraordinary legal action taken against a company producing Covid-19 tests. Sadly, it's not the only example of some individuals putting profits before people. Here's a story from Italy, which is...
Berlin is trying to stop Washington from persuading a German company seeking a coronavirus vaccine to move its research to the United States.
Amazon cracked down on coronavirus price gouging. Now, while the rest of the world searches, some sellers are holding stockpiles of sanitizer and masks.
And 3D-printed valve for breathing machine sparks legal threat
Ischgl, an Austrian ski resort, has achieved tragic international fame: hundreds of tourists are believed to have contracted the coronavirus there and taken it home with them. The Tyrolean state government is now facing serious criticism. EURACTIV Germany reports.
We are seeing how the monopolistic repair and lobbying practices of medical device companies are making our response to the coronavirus pandemic harder.
Las Vegas, Nevada has come under criticism after reportedly setting up a temporary homeless shelter in a parking lot complete with social distancing barriers.

Planet DebianThorsten Alteholz: My Debian Activities in June 2020

FTP master

This month I accepted 377 packages and rejected 30. The overall number of packages that got accepted was 411.

Debian LTS

This was my seventy-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 30h. During that time I did LTS uploads of:

  • [DLA 2255-1] libtasn1-6 security update for one CVE
  • [DLA 2256-1] libtirpc security update for one CVE
  • [DLA 2257-1] pngquant security update for one CVE
  • [DLA 2258-1] zziplib security update for eight CVEs
  • [DLA 2259-1] picocom security update for one CVE
  • [DLA 2260-1] mcabber security update for one CVE
  • [DLA 2261-1] php5 security update for one CVE

I started to work on curl as well but did not upload a fixed version, so this has to go to ELTS now.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty fourth ELTS month.

Unfortunately in the last month of Wheezy ELTS even I did not find any package to fix a CVE, so during my small allocated time I didn’t uploaded anything.

But at least I did some days of frontdesk duties und updated my working environment for the new ELTS Jessie.

Other stuff

I uploaded a new upstream version of …

Planet DebianRussell Coker: Debian S390X Emulation

I decided to setup some virtual machines for different architectures. One that I decided to try was S390X – the latest 64bit version of the IBM mainframe. Here’s how to do it, I tested on a host running Debian/Unstable but Buster should work in the same way.

First you need to create a filesystem in an an image file with commands like the following:

truncate -s 4g /vmstore/s390x
mkfs.ext4 /vmstore/s390x
mount -o loop /vmstore/s390x /mnt/tmp

Then visit the Debian Netinst page [1] to download the S390X net install ISO. Then loopback mount it somewhere convenient like /mnt/tmp2.

The package qemu-system-misc has the program for emulating a S390X system (among many others), the qemu-user-static package has the program for emulating S390X for a single program (IE a statically linked program or a chroot environment), you need this to run debootstrap. The following commands should be most of what you need.

# Install the basic packages you need
apt install qemu-system-misc qemu-user-static debootstrap

# List the support for different binary formats
update-binfmts --display

# qemu s390x needs exec stack to solve "Could not allocate dynamic translator buffer"
# so you probably need this on SE Linux systems
setsebool allow_execstack 1

# commands to do the main install
debootstrap --foreign --arch=s390x --no-check-gpg buster /mnt/tmp file:///mnt/tmp2
chroot /mnt/tmp /debootstrap/debootstrap --second-stage

# set the apt sources
cat << END > /mnt/tmp/etc/apt/sources.list
deb http://YOURLOCALMIRROR/pub/debian/ buster main
deb buster/updates main
# for minimal install do not want recommended packages
echo "APT::Install-Recommends False;" > /mnt/tmp/etc/apt/apt.conf

# update to latest packages
chroot /mnt/tmp apt update
chroot /mnt/tmp apt dist-upgrade

# install kernel, ssh, and build-essential
chroot /mnt/tmp apt install bash-completion locales linux-image-s390x man-db openssh-server build-essential
chroot /mnt/tmp dpkg-reconfigure locales
echo s390x > /mnt/tmp/etc/hostname
chroot /mnt/tmp passwd

# copy kernel and initrd
mkdir -p /boot/s390x
cp /mnt/tmp/boot/vmlinuz* /mnt/tmp/boot/initrd* /boot/s390x

# setup /etc/fstab
cat << END > /mnt/tmp/etc/fstab
/dev/vda / ext4 noatime 0 0
#/dev/vdb none swap defaults 0 0

# clean up
umount /mnt/tmp
umount /mnt/tmp2

# setcap binary for starting bridged networking
setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper

# afterwards set the access on /etc/qemu/bridge.conf so it can only
# be read by the user/group permitted to start qemu/kvm
echo "allow all" > /etc/qemu/bridge.conf

Some of the above can be considered more as pseudo-code in shell script rather than an exact way of doing things. While you can copy and past all the above into a command line and have a reasonable chance of having it work I think it would be better to look at each command and decide whether it’s right for you and whether you need to alter it slightly for your system.

To run qemu as non-root you need to have a helper program with extra capabilities to setup bridged networking. I’ve included that in the explanation because I think it’s important to have all security options enabled.

The “-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-ccw,rng=rng0” part is to give entropy to the VM from the host, otherwise it will take ages to start sshd. Note that this is slightly but significantly different from the command used for other architectures (the “ccw” is the difference).

I’m not sure if “noresume” on the kernel command line is required, but it doesn’t do any harm. The “net.ifnames=0” stops systemd from renaming Ethernet devices. For the virtual networking the “ccw” again is a difference from other architectures.

Here is a basic command to run a QEMU virtual S390X system. If all goes well it should give you a login: prompt on a curses based text display, you can then login as root and should be able to run “dhclient eth0” and other similar commands to setup networking and allow ssh logins.

qemu-system-s390x -drive format=raw,file=/vmstore/s390x,if=virtio -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-ccw,rng=rng0 -nographic -m 1500 -smp 2 -kernel /boot/s390x/vmlinuz-4.19.0-9-s390x -initrd /boot/s390x/initrd.img-4.19.0-9-s390x -curses -append "net.ifnames=0 noresume root=/dev/vda ro" -device virtio-net-ccw,netdev=net0,mac=02:02:00:00:01:02 -netdev tap,id=net0,helper=/usr/lib/qemu/qemu-bridge-helper

Here is a slightly more complete QEMU command. It has 2 block devices, for root and swap. It has SE Linux enabled for the VM (SE Linux works nicely on S390X). I added the “lockdown=confidentiality” kernel security option even though it’s not supported in 4.19 kernels, it doesn’t do any harm and when I upgrade systems to newer kernels I won’t have to remember to add it.

qemu-system-s390x -drive format=raw,file=/vmstore/s390x,if=virtio -drive format=raw,file=/vmswap/s390x,if=virtio -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-ccw,rng=rng0 -nographic -m 1500 -smp 2 -kernel /boot/s390x/vmlinuz-4.19.0-9-s390x -initrd /boot/s390x/initrd.img-4.19.0-9-s390x -curses -append "net.ifnames=0 noresume security=selinux root=/dev/vda ro lockdown=confidentiality" -device virtio-net-ccw,netdev=net0,mac=02:02:00:00:01:02 -netdev tap,id=net0,helper=/usr/lib/qemu/qemu-bridge-helper

Try It Out

I’ve got a S390X system online for a while, “ssh” with password “SELINUX” to try it out.


I’ve tried running a PPC64 virtual machine, I did the same things to set it up and then tried launching it with the following result:

qemu-system-ppc64 -drive format=raw,file=/vmstore/ppc64,if=virtio -nographic -m 1024 -kernel /boot/ppc64/vmlinux-4.19.0-9-powerpc64le -initrd /boot/ppc64/initrd.img-4.19.0-9-powerpc64le -curses -append "root=/dev/vda ro"

Above is the minimal qemu command that I’m using. Below is the result, it stops after the “4.” from “4.19.0-9”. Note that I had originally tried with a more complete and usable set of options, but I trimmed it to the minimal needed to demonstrate the problem.

  Copyright (c) 2004, 2017 IBM Corporation All rights reserved.
  This program and the accompanying materials are made available
  under the terms of the BSD License available at

Booting from memory...
Linux ppc64le
#1 SMP Debian 4.

The kernel is from the package linux-image-4.19.0-9-powerpc64le which is a dependency of the package linux-image-ppc64el in Debian/Buster. The program qemu-system-ppc64 is from version 5.0-5 of the qemu-system-ppc package.

Any suggestions on what I should try next would be appreciated.


Krebs on SecurityE-Verify’s “SSN Lock” is Nothing of the Sort

One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.

A reader who was recently the victim of unemployment insurance fraud said he was told he should create an account at the Department of Homeland Security‘s myE-Verify website, and place a lock on his Social Security number (SSN) to minimize the chances that ID thieves might abuse his identity for employment fraud in the future.

DHS’s myE-Verify homepage.

According to the website, roughly 600,000 employers at over 1.9 million hiring sites use E-Verify to confirm the employment eligibility of new employees. E-Verify’s consumer-facing portal myE-Verify lets users track and manage employment inquiries made through the E-Verify system. It also features a “Self Lock” designed to prevent the misuse of one’s SSN in E-Verify.

Enabling this lock is supposed to mean that for the next year thereafter, if an unauthorized individual attempts to fraudulently use a SSN for employment authorization, he or she cannot use the SSN in E-Verify, even if the SSN is that of an employment authorized individual. But in practice, this service may actually do little to deter ID thieves from impersonating you to a potential employer.

At the request of the reader who reached out (and in the interest of following my own advice to plant one’s flag), KrebsOnSecurity decided to sign up for a myE-Verify account. After verifying my email address, I was asked to pick a strong password and select a form of multi-factor authentication (MFA). The most secure MFA option offered (a one-time code generated by an app like Google Authenticator or Authy) was already pre-selected, so I chose that.

The site requested my name, address, SSN, date of birth and phone number. I was then asked to select five questions and answers that might be asked if I were to try to reset my password, such as “In what city/town did you meet your spouse,” and “What is the name of the company of your first paid job.” I chose long, gibberish answers that had nothing to do with the questions (yes, these password questions are next to useless for security and frequently are the cause of account takeovers, but we’ll get to that in a minute).

Password reset questions selected, the site proceeded to ask four, multiple-guess “knowledge-based authentication” questions to verify my identity. The U.S. Federal Trade Commission‘s primer page on preventing job-related ID theft says people who have placed a security freeze on their credit files with the major credit bureaus will need to lift or thaw the freeze before being able to answer these questions successfully at myE-Verify. However, I did not find that to be the case, even though my credit file has been frozen with the major bureaus for years.

After successfully answering the KBA questions (the answer to each was “none of the above,” by the way), the site declared I’d successfully created my account! I could then see that I had the option to place a “Self Lock” on my SSN within the E-Verify system.

Doing so required me to pick three more challenge questions and answers. The site didn’t explain why it was asking me to do this, but I assumed it would prompt me for the answers in the event that I later chose to unlock my SSN within E-Verify.

After selecting and answering those questions and clicking the “Lock my SSN” button, the site generated an error message saying something went wrong and it couldn’t proceed.

Alas, logging out and logging back in again showed that the site did in fact proceed and that my SSN was locked. Joy.

But I still had to know one thing: Could someone else come along pretending to be me and create another account using my SSN, date of birth and address but under a different email address? Using a different browser and Internet address, I proceeded to find out.

Imagine my surprise when I was able to create a separate account as me with just a different email address (once again, the correct answers to all of the KBA questions was “none of the above”). Upon logging in, I noticed my SSN was indeed locked within E-Verify. So I chose to unlock it.

Did the system ask any of the challenge questions it had me create previously? Nope. It just reported that my SSN was now unlocked. Logging out and logging back in to the original account I created (again under a different IP and browser) confirmed that my SSN was unlocked.


Obviously, if the E-Verify system allows multiple accounts to be created using the same name, address, phone number, SSN and date of birth, this is less than ideal and somewhat defeats the purpose of creating one for the purposes of protecting one’s identity from misuse.

Lest you think your SSN and DOB is somehow private information, you should know this static data about U.S. residents has been exposed many times over in countless data breaches, and in any case these digits are available for sale on most Americans via Dark Web sites for roughly the bitcoin equivalent of a fancy caffeinated drink at Starbucks.

Being unable to proceed through knowledge-based authentication questions without first unfreezing one’s credit file with one or all of the big three credit bureaus (Equifax, Experian and TransUnion) can actually be a plus for those of us who are paranoid about identity theft. I couldn’t find any mention on the E-Verify site of which company or service it uses to ask these questions, but the fact that the site doesn’t seem to care whether one has a freeze in place is troubling.

And when the correct answer to all of the KBA questions that do get asked is invariably “none of the above,” that somewhat lessens the value of asking them in the first place. Maybe that was just the luck of the draw in my case, but also troubling nonetheless. Either way, these KBA questions are notoriously weak security because the answers to them often are pulled from records that are public anyway, and can sometimes be deduced by studying the information available on a target’s social media profiles.

Speaking of silly questions, relying on “secret questions” or “challenge questions” as an alternative method of resetting one’s password is severely outdated and insecure. A 2015 study by Google titled “Secrets, Lies and Account Recovery” (PDF) found that secret questions generally offer a security level that is far lower than just user-chosen passwords. Also, the idea that an account protected by multi-factor authentication could be undermined by successfully guessing the answer(s) to one or more secret questions (answered truthfully and perhaps located by thieves through mining one’s social media accounts) is bothersome.

Finally, the advice given to the reader whose inquiry originally prompted me to sign up at myE-Verify doesn’t seem to have anything to do with preventing ID thieves from fraudulently claiming unemployment insurance benefits in one’s name at the state level. KrebsOnSecurity followed up with four different readers who left comments on this site about being victims of unemployment fraud recently, and none of them saw any inquiries about this in their myE-Verify accounts after creating them. Not that they should have seen signs of this activity in the E-Verify system; I just wanted to emphasize that one seems to have little to do with the other.

Planet DebianDirk Eddelbuettel: Rcpp now used by 2000 CRAN packages–and one in eight!

2000 Rcpp packages

As of yesterday, Rcpp stands at exactly 2000 reverse-dependencies on CRAN. The graph on the left depicts the growth of Rcpp usage (as measured by Depends, Imports and LinkingTo, but excluding Suggests) over time.

Rcpp was first released in November 2008. It probably cleared 50 packages around three years later in December 2011, 100 packages in January 2013, 200 packages in April 2014, and 300 packages in November 2014. It passed 400 packages in June 2015 (when I tweeted about it), 500 packages in late October 2015, 600 packages in March 2016, 700 packages last July 2016, 800 packages last October 2016, 900 packages early January 2017, 1000 packages in April 2017, 1250 packages in November 2017, 1500 packages in November 2018 and then 1750 packages last August. The chart extends to the very beginning via manually compiled data from CRANberries and checked with crandb. The next part uses manually saved entries. The core (and by far largest) part of the data set was generated semi-automatically via a short script appending updates to a small file-based backend. A list of packages using Rcpp is available too.

Also displayed in the graph is the relative proportion of CRAN packages using Rcpp. The four per-cent hurdle was cleared just before useR! 2014 where I showed a similar graph (as two distinct graphs) in my invited talk. We passed five percent in December of 2014, six percent July of 2015, seven percent just before Christmas 2015, eight percent in the summer of 2016, nine percent mid-December 2016, cracked ten percent in the summer of 2017 and eleven percent in 2018. We now passed 12.5 percent—so one in every eight CRAN packages dependens on Rcpp. Stunning. There is more detail in the chart: how CRAN seems to be pushing back more and removing more aggressively (which my CRANberries tracks but not in as much detail as it could), how the growth of Rcpp seems to be slowing somewhat outright and even more so as a proportion of CRAN – as one would expect a growth curve to.

To mark the occassion, I sent out two tweets yesterday: first a shorter one with “just the numbers”, followed by a second one also containing the few calculation steps. The screenshot from the second one is below.

2000 Rcpp packages

2000 user packages is pretty mind-boggling. We can use the progression of CRAN itself compiled by Henrik in a series of posts and emails to the main development mailing list. Not that long ago CRAN itself did have only 1000 packages, then 5000, 10000, and here we are at just over 16000 with Rcpp at 12.5% and still growing (though maybe more slowly). Amazeballs.

The Rcpp team continues to aim for keeping Rcpp as performant and reliable as it has been. A really big shoutout and Thank You! to all users and contributors of Rcpp for help, suggestions, bug reports, documentation or, of course, code.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianPetter Reinholdtsen: Working on updated Norwegian Bokmål edition of Debian Administrator's Handbook

Three years ago, the first Norwegian Bokmål edition of "The Debian Administrator's Handbook" was published. This was based on Debian Jessie. Now a new and updated version based on Buster is getting ready. Work on the updated Norwegian Bokmål edition has been going on for a few months now, and yesterday, we reached the first mile stone, with 100% of the texts being translated. A lot of proof reading remains, of course, but a major step towards a new edition has been taken.

The book is translated by volunteers, and we would love to get some help with the proof reading. The translation uses the hosted Weblate service, and we welcome everyone to have a look and submit improvements and suggestions. There is also a proof readers PDF available on request, get in touch if you want to help out that way.

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

CryptogramEncroChat Hacked by Police

French police hacked EncroChat secure phones, which are widely used by criminals:

Encrochat's phones are essentially modified Android devices, with some models using the "BQ Aquaris X2," an Android handset released in 2018 by a Spanish electronics company, according to the leaked documents. Encrochat took the base unit, installed its own encrypted messaging programs which route messages through the firm's own servers, and even physically removed the GPS, camera, and microphone functionality from the phone. Encrochat's phones also had a feature that would quickly wipe the device if the user entered a PIN, and ran two operating systems side-by-side. If a user wanted the device to appear innocuous, they booted into normal Android. If they wanted to return to their sensitive chats, they switched over to the Encrochat system. The company sold the phones on a subscription based model, costing thousands of dollars a year per device.

This allowed them and others to investigate and arrest many:

Unbeknownst to Mark, or the tens of thousands of other alleged Encrochat users, their messages weren't really secure. French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users' communications for months. Investigators then shared those messages with agencies around Europe.

Only now is the astonishing scale of the operation coming into focus: It represents one of the largest law enforcement infiltrations of a communications network predominantly used by criminals ever, with Encrochat users spreading beyond Europe to the Middle East and elsewhere. French, Dutch, and other European agencies monitored and investigated "more than a hundred million encrypted messages" sent between Encrochat users in real time, leading to arrests in the UK, Norway, Sweden, France, and the Netherlands, a team of international law enforcement agencies announced Thursday.

EncroChat learned about the hack, but didn't know who was behind it.

Going into full-on emergency mode, Encrochat sent a message to its users informing them of the ongoing attack. The company also informed its SIM provider, Dutch telecommunications firm KPN, which then blocked connections to the malicious servers, the associate claimed. Encrochat cut its own SIM service; it had an update scheduled to push to the phones, but it couldn't guarantee whether that update itself wouldn't be carrying malware too. That, and maybe KPN was working with the authorities, Encrochat's statement suggested (KPN declined to comment). Shortly after Encrochat restored SIM service, KPN removed the firewall, allowing the hackers' servers to communicate with the phones once again. Encrochat was trapped.

Encrochat decided to shut itself down entirely.

Lots of details about the hack in the article. Well worth reading in full.

The UK National Crime Agency called it Operation Venetic: "46 arrests, and £54m criminal cash, 77 firearms and over two tonnes of drugs seized so far."

Many more news articles. EncroChat website. Slashdot thread. Hacker News threads.

Planet DebianRuss Allbery: Review: The Light Brigade

Review: The Light Brigade, by Kameron Hurley

Publisher: Saga
Copyright: 2019
ISBN: 1-4814-4798-X
Format: Kindle
Pages: 355

In the wake of the Blink, which left a giant crater where São Paulo was, Dietz signed up for the military. To be a hero. To satisfy an oath of vengeance. To kill aliens.

Corporations have consumed the governments that used to run Earth and have divided the world between them. Dietz's family, before the Blink, were ghouls in Tene-Silva territory, non-citizens who scavenged a precarious life on the margins. Citizenship is a reward for loyalty and a mechanism of control. The only people who don't fit into the corporate framework are the Martians, former colonists who went dark for ten years and re-emerged as a splinter group offering to use their superior technology to repair environmental damage to the northern hemisphere caused by corporate wars. When the Blink happens, apparently done with technology far beyond what the corporations have, corporate war with the Martians is the unsurprising result.

Long-time SF readers will immediately recognize The Light Brigade as a response to Starship Troopers with far more cynical world-building. For the first few chapters, the parallelism is very strong, down to the destruction of a large South American city (São Paulo instead of Buenos Aires), a naive military volunteer, and horrific basic training. But, rather than dropships, the soldiers in Dietz's world are sent into battle via, essentially, Star Trek transporters. These still very experimental transporters send Dietz to a different mission than the one in the briefing.

Advance warning that I'm going to talk about what's happening with Dietz's drops below. It's a spoiler, but you would find out not far into the book and I don't think it ruins anything important. (On the contrary, it may give you an incentive to stick through the slow and unappealing first few chapters.)

I had so many suspension of disbelief problems with this book. So many.

This starts with the technology. The core piece of world-building is Star Trek transporters, so fine, we're not talking about hard physics. Every SF story gets one or two free bits of impossible technology, and Hurley does a good job showing the transporters through a jaundiced military eye. But, late in the book, this technology devolves into one of my least-favorite bits of SF hand-waving that, for me, destroyed that gritty edge.

Technology problems go beyond the transporters. One of the bits of horror in basic training is, essentially, torture simulators, whose goal is apparently to teach soldiers to dissociate (not that the book calls it that). One problem is that I never understood why a military would want to teach dissociation to so many people, but a deeper problem is that the mechanics of this simulation made no sense. Dietz's training in this simulator is a significant ongoing plot point, and it kept feeling like it was cribbed from The Matrix rather than something translatable into how computers work.

Technology was the more minor suspension of disbelief problem, though. The larger problem was the political and social world-building.

Hurley constructs a grim, totalitarian future, which is a fine world-building choice although I think it robs some nuance from the story she is telling about how militaries lie to soldiers. But the totalitarian model she uses is one of near-total information control. People believe what the corporations tell them to believe, or at least are indifferent to it. Huge world events (with major plot significance) are distorted or outright lies, and those lies are apparently believed by everyone. The skepticism that exists is limited to grumbling about leadership competence and cynicism about motives, not disagreement with the provided history. This is critical to the story; it's a driver behind Dietz's character growth and is required to set up the story's conclusion.

This is a model of totalitarianism that's familiar from Orwell's Nineteen Eighty-Four. The problem: The Internet broke this model. You now need North Korean levels of isolation to pull off total message control, which is incompatible with the social structure or technology level that Hurley shows.

You may be objecting that the modern world is full of people who believe outrageous propaganda against all evidence. But the world-building problem is not that some people believe the corporate propaganda. It's that everyone does. Modern totalitarians have stopped trying to achieve uniformity (because it stopped working) and instead make the disagreement part of the appeal. You no longer get half a country to believe a lie by ensuring they never hear the truth. Instead, you equate belief in the lie with loyalty to a social or political group, and belief in the truth with affiliation with some enemy. This goes hand in hand with "flooding the zone" with disinformation and fakes and wild stories until people's belief in the accessibility of objective truth is worn down and all facts become ideological statements. This does work, all too well, but it relies on more information, not less. (See Zeynep Tufekci's excellent Twitter and Tear Gas if you're unfamiliar with this analysis.) In that world, Dietz would have heard the official history, the true history, and all sorts of wild alternative histories, making correct belief a matter of political loyalty. There is no sign of that.

Hurley does gesture towards some technology to try to explain this surprising corporate effectiveness. All the soldiers have implants, and military censors can supposedly listen in at any time. But, in the story, this censorship is primarily aimed at grumbling and local disloyalty. There is no sign that it's being used to keep knowledge of significant facts from spreading, nor is there any sign of the same control among the general population. It's stated in the story that the censors can't even keep up with soldiers; one would have to get unlucky to be caught. And yet the corporation maintains preternatural information control.

The place this bugged me the most is around knowledge of the current date. For reasons that will be obvious in a moment, Dietz has reasons to badly want to know what month and year it is and is unable to find this information anywhere. This appears to be intentional; Tene-Silva has a good (albeit not that urgent) reason to keep soldiers from knowing the date. But I don't think Hurley realizes just how hard that is.

Take a look around the computer you're using to read this and think about how many places the date shows up. Apart from the ubiquitous clock and calendar app, there are dates on every file, dates on every news story, dates on search results, dates in instant messages, dates on email messages and voice mail... they're everywhere. And it's not just the computer. The soldiers can easily smuggle prohibited outside goods into the base; knowledge of the date would be much easier. And even if Dietz doesn't want to ask anyone, there are opportunities to go off base during missions. Somehow every newspaper and every news bulletin has its dates suppressed? It's not credible, and it threw me straight out of the story.

These world-building problems are unfortunate, since at the heart of The Light Brigade is a (spoiler alert) well-constructed time travel story that I would have otherwise enjoyed. Dietz is being tossed around in time with each jump. And, unlike some of these stories, Hurley does not take the escape hatch of alternate worlds or possible futures. There is a single coherent timeline that Dietz and the reader experience in one order and the rest of the world experiences in a different order.

The construction of this timeline is incredibly well-done. Time can only disconnect at jump and return points, and Hurley maintains tight control over the number of unresolved connections. At every point in the story, I could list all of the unresolved discontinuities and enjoy their complexity and implications without feeling overwhelmed by them. Dietz gains some foreknowledge, but in a way that's wildly erratic and hard to piece together fast enough for a single soldier to do anything about the plot. The world spins out of control with foreshadowing of grimmer and grimmer events, and then Hurley pulls it back together in a thoroughly satisfying interweaving of long-anticipated scenes and major surprises.

I'm not usually a fan of time travel stories, but this is one of the best I've read. It also has a satisfying emotional conclusion (albeit marred for me by some unbelievable mystical technobabble), which is impressive given how awful and nasty Hurley makes this world. Dietz is a great first-person narrator, believably naive and cynical by turns, and piecing together the story structure alongside the protagonist built my emotional attachment to Dietz's character arc. Hurley writes the emotional dynamics of soldiers thoughtfully and well: shit-talking, fights, sudden moments of connection, shared cynicism over degenerating conditions, and the underlying growth of squad loyalty that takes over other motivations and becomes the reason to keep on fighting.

Hurley also pulled off a neat homage to (and improvement on) Starship Troopers that caught me entirely by surprise and that I've hopefully not spoiled.

This is a solid science fiction novel if you can handle the world-building. I couldn't, but I understand why it was nominated for the Hugo and Clarke awards. Recommended if you're less picky about technological and social believability than I am, although content warning for a lot of bloody violence and death (including against children) and a horrifically depressing world.

Rating: 6 out of 10


CryptogramFriday Squid Blogging: Strawberry Squid


As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet DebianMichael Prokop: Grml 2020.06 – Codename Ausgehfuahangl

We did it again™, at the end of June we released Grml 2020.06, codename Ausgehfuahangl. This Grml release (a Linux live system for system administrators) is based on Debian/testing (AKA bullseye) and provides current software packages as of June, incorporates up to date hardware support and fixes known issues from previous Grml releases.

I am especially fond of our cloud-init and qemu-guest-agent integration, which makes usage and automation in virtual environments like Proxmox VE much more comfortable.

Once as the Qemu Guest Agent setting is enabled in the VM options (also see Proxmox wiki), you’ll see IP address information in the VM summary:

Screenshot of qemu guest agent integration

Using a cloud-init drive allows using an SSH key for login as user "grml", and you can control network settings as well:

Screenshot of cloud-init integration

It was fun to focus and work on this new Grml release together with Darsha, and we hope you enjoy the new Grml release as much as we do!

Planet DebianNorbert Preining: KDE/Plasma Status Update 2020-07-04

Great timing for 4th of July, here is another status update of KDE/Plasma for Debian. Short summary: everything is now available for Debian sid and testing, for both i386 and am64 architectures!

(Update 2020-07-07: Plasma 5.19.3 is included!)

With Qt 5.14 arriving in Debian/testing, and some tweaks here and there, we finally have all the packages (2 additional deps, 82 frameworks, 47 Plasma, 216 Apps, 3 other apps) built on both Debian unstable and Debian testing, for both amd64 and i386 architectures. Again, big thanks to OBS!

For Unstable:

deb ./
deb ./
deb ./
deb ./
deb ./

For Testing:

deb ./
deb ./
deb ./
deb ./
deb ./

As usual, don’t forget that you need to import my OBS gpg key: obs-npreining.asc, best to download it and put the file into /etc/apt/trusted.gpg.d/obs-npreining.asc.


Planet DebianDirk Eddelbuettel: #28: Welcome RSPM and test-drive with Bionic and Focal

Welcome to the 28th post in the relatively random R recommendations series, or R4 for short. Our last post was a “double entry” in this R4 series and the newer T4 video series and covered a topic touched upon in this R4 series multiple times: easy binary install, especially on Ubuntu.

That post already previewed the newest kid on the block: RStudio’s RSPM, now formally announced. In the post we were only able to show Ubuntu 18.04 aka bionic. With the formal release of RSPM support has been added for Ubuntu 20.04 aka focal—and we are happy to announce that of course we added a corresponding Rocker r-rspm container. So you can now take full advantage of RSPM either via docker pull rocker/r-rspm:18.04 or via docker pull rocker/r-rspm:20.04 covering the two most recent LTS releases.

RSPM is a nice accomplishment. Covering multiple Linux distributions is an excellent achievement. Allowing users to reason in terms of the CRAN packages (i.e. installing xml2, not r-cran-xml2) eases use. Doing it from via the standard R command install.packages() (or wrapper around it like our install.r from littler package) is very good too and an excellent technical achievement.

There is, as best as I can tell, only one shortcoming, along with one small bit of false advertising. The shortcoming is technical. By bringing the package installation into the user application domain, it is separated from the system and lacks integration with system libraries. What do I mean here? If you were to add R to a plain Ubuntu container, say 18.04 or 20.04, then added the few lines to support RSPM and install xml2 it would install. And fail. Why? Because the system library libxml2 does not get installed with the RSPM package—whereas the .deb from the distribution or PPAs does. So to help with some popular packages I added libxml2, libunits and a few more for geospatial work to the rocker/r-rspm containers. Being already present ensures packages xml2 and units can run immediately. Please file issue tickets at the Rocker repo if you come across other missing libraries we could preload. (A related minor nag is incomplete coverage. At least one of my CRAN packages does not (yet?) come as a RSPM binary. Then again, CRAN has 16k packages, and the RSPM coverage is much wider than the PPA one. But completeness would be neat. The final nag is lack of Debian support which seems, well, odd.)

So what about the small bit of false advertising? Well it is claimed that RSPM makes installation “so much faster on Linux”. True, faster than the slowest possible installation from source. Also easier. But we had numerous posts on this blog showing other speed gains: Using ccache. And, of course, using binaries. And as the initial video mentioned above showed, installing from the PPAs is also faster than via RSPM. That is easy to replicate. Just set up the rocker/r-ubuntu:20.04 (or 18.04) container alongside the rocker/r-rspm:20.04 (or also 18.04) container. And then time install.r rstan (or install.r tinyverse) in the RSPM one against apt -y update; apt install -y r-cran-rstan (or ... r-cran-tinyverse). In every case I tried, the installation using binaries from the PPA was still faster by a few seconds. Not that it matters greatly: both are very, very quick compared to source installation (as e.g. shown here in 2017 (!!)) but the standard Ubuntu .deb installation is simply faster than using RSPM. (Likely due to better CDN usage so this may change over time. Neither method appears to do downloads in parallel so there is scope for both for doing better.)

So in sum: Welcome to RSPM, and nice new tool—and feel free to “drive” it using rocker/r-rspm:18.04 or rocker/r-rspm:20.04.

If you like this or other open-source work I do, you can now sponsor me at GitHub. For the first year, GitHub will match your contributions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Sam VargheseDavid Warner must pay for his sins. As everyone else does

What does one make of the argument that David Warner, who was behind the ball tampering scandal in South Africa in 2018, was guilty of less of a mistake than Ben Stokes who indulged in public fights? And the argument that since Stokes has been made England captain for the series against the West Indies, Warner, who committed what is called a lesser sin, should also be in line for the role of Australian skipper?

The suggestion has been made by Peter Lalor, a senior cricket writer at The Australian, that Warner has paid a bigger price for past mistakes than Stokes. Does that argument really hold water?

Stokes was involved in a fracas outside a nightclub in Bristol a few years back and escaped tragedy and legal issues. He got into a brawl and was lucky to get off without a prison term.

But that had no connection to the game of cricket. And when we talk of someone bringing the game into disrepute, such incidents are not in the frame.

Had Stokes indulged in such immature behaviour on the field of play or insulted spectators who were at a game, then we would have to criticise the England board for handing him the mantle of leadership.

Warner brought the game into disrepute. He hatched a plot to use sandpaper in order to get the ball to swing, then shamefully recruited the youngest player in the squad, rookie Cameron Bancroft, to carry out his plan, and then expects to be forgiven and given a chance to lead the national team.

Really? Lalor argues that the ball tampering did not hurt anyone and the umpires did not even have to change the ball. Such is the level of morality we have come to, where arguments that have little ballast are advanced because nationalistic sentiments come into the picture.

It is troubling that as senior a writer as Lalor would seek to advance such an argument, when someone has clearly violated the spirit of the game. Doubtless there will be cynics who poke fun at any suggestion that cricket is still a gentleman’s game, but without those myths that surround this pursuit, would it still have its appeal?

The short answer to that is a resounding no.

Lalor argues that Stokes’ fate would have been different had he been an Australian, I doubt that very much because given the licence extended to Australian sports stars to behave badly, his indulgences would have been overlooked. The word used to excuse him would have ” larrikinism”.

But Warner cheated. And the Australian public, no matter what their shortcomings, do not like cheats.

Unfortunately, at a pivotal moment during the cricket team’s South African tour, this senior member could only think of cheating to win. That is sad, unfortunate, and even tragic. It speaks of a big moral chasm somewhere.

But once one has done the crime, one must do the time. Arguing as Lalor does, that both Steve Smith, the captain at the time, and Bancroft got away with no leadership bans, does not carry any weight.

The man who planned the crime was nailed with the heaviest punishment. And it is doubtful whether anyone who has a sense of justice would argue against that.

Worse Than FailureError'd: Take a Risk on NaN

"Sure, I know how long the free Standard Shipping will take, but maybe, just maybe, if I choose Economy, my package will have already arrived! Or never," Philip G. writes.


"To be honest, I would love to hear how a course on guitar will help me become certified on AWS!" Kevin wrote.


Gergő writes, "Hooray! I'm going to be so productive for the next 0 days!"


"I guess that inbox count is what I get for using Yahoo mail?" writes Becky R.


Marc W. wrote, "Try all you want, PDF Creator, but you'll never sweet talk me with your 'great' offer!"


Mark W. wrote, "My neighborhood has a personality split, but at least they're both Pleasant."


[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

Planet DebianReproducible Builds (diffoscope): diffoscope 150 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 150. This version includes the following changes:

[ Chris Lamb ]
* Don't crash when listing entries in archives if they don't have a listed
  size (such as hardlinks in .ISO files).
  (Closes: reproducible-builds/diffoscope#188)
* Dump PE32+ executables (including EFI applications) using objdump.
  (Closes: reproducible-builds/diffoscope#181)
* Tidy detection of JSON files due to missing call to File.recognizes that
  checks against the output of file(1) which was also causing us to attempt
  to parse almost every file using json.loads. (Whoops.)
* Drop accidentally-duplicated copy of the new --diff-mask tests.
* Logging improvements:
  - Split out formatting of class names into a common method.
  - Clarify that we are generating presenter formats in the opening logs.

[ Jean-Romain Garnier ]
* Remove objdjump(1) offsets before instructions to reduce diff noise.
  (Closes: reproducible-builds/diffoscope!57)

You find out more by visiting the project homepage.


Planet DebianBen Hutchings: Debian LTS work, June 2020

I was assigned 20 hours of work by Freexian's Debian LTS initiative, and worked all 20 hours this month.

I sent a final request for testing for the next update to Linux 3.16 in jessie. I also prepared an update to Linux 4.9, included in both jessie and stretch. I completed backporting of kernel changes related to CVE-2020-0543, which was still under embargo, to Linux 3.16.

Finally I uploaded the updates for Linux 3.16 and 4.9, and issued DLA-2241 and DLA-2242.

The end of June marked the end of long-term support for Debian 8 "jessie" and for Linux 3.16. I am no longer maintaining any stable kernel branches, but will continue contributing to them as part of my work on Debian 9 "stretch" LTS and other Debian releases.

CryptogramThe Security Value of Inefficiency

For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that's a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that's all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient. Using many small suppliers is inefficient. Inefficiency is unprofitable.

But inefficiency is essential security, as the COVID-19 pandemic is teaching us. All of the overcapacity that has been squeezed out of our healthcare system; we now wish we had it. All of the redundancy in our food production that has been consolidated away; we want that, too. We need our old, local supply chains -- not the single global ones that are so fragile in this crisis. And we want our local restaurants and businesses to survive, not just the national chains.

We have lost much inefficiency to the market in the past few decades. Investors have become very good at noticing any fat in every system and swooping down to monetize those redundant assets. The winner-take-all mentality that has permeated so many industries squeezes any inefficiencies out of the system.

This drive for efficiency leads to brittle systems that function properly when everything is normal but break under stress. And when they break, everyone suffers. The less fortunate suffer and die. The more fortunate are merely hurt, and perhaps lose their freedoms or their future. But even the extremely fortunate suffer -- maybe not in the short term, but in the long term from the constriction of the rest of society.

Efficient systems have limited ability to deal with system-wide economic shocks. Those shocks are coming with increased frequency. They're caused by global pandemics, yes, but also by climate change, by financial crises, by political crises. If we want to be secure against these crises and more, we need to add inefficiency back into our systems.

I don't simply mean that we need to make our food production, or healthcare system, or supply chains sloppy and wasteful. We need a certain kind of inefficiency, and it depends on the system in question. Sometimes we need redundancy. Sometimes we need diversity. Sometimes we need overcapacity.

The market isn't going to supply any of these things, least of all in a strategic capacity that will result in resilience. What's necessary to make any of this work is regulation.

First, we need to enforce antitrust laws. Our meat supply chain is brittle because there are limited numbers of massive meatpacking plants -- now disease factories -- rather than lots of smaller slaughterhouses. Our retail supply chain is brittle because a few national companies and websites dominate. We need multiple companies offering alternatives to a single product or service. We need more competition, more niche players. We need more local companies, more domestic corporate players, and diversity in our international suppliers. Competition provides all of that, while monopolies suck that out of the system.

The second thing we need is specific regulations that require certain inefficiencies. This isn't anything new. Every safety system we have is, to some extent, an inefficiency. This is true for fire escapes on buildings, lifeboats on cruise ships, and multiple ways to deploy the landing gear on aircraft. Not having any of those things would make the underlying systems more efficient, but also less safe. It's also true for the internet itself, originally designed with extensive redundancy as a Cold War security measure.

With those two things in place, the market can work its magic to provide for these strategic inefficiencies as cheaply and as effectively as possible. As long as there are competitors who are vying with each other, and there aren't competitors who can reduce the inefficiencies and undercut the competition, these inefficiencies just become part of the price of whatever we're buying.

The government is the entity that steps in and enforces a level playing field instead of a race to the bottom. Smart regulation addresses the long-term need for security, and ensures it's not continuously sacrificed to short-term considerations.

We have largely been content to ignore the long term and let Wall Street run our economy as efficiently as it can. That's no longer sustainable. We need inefficiency -- the right kind in the right way -- to ensure our security. No, it's not free. But it's worth the cost.

This essay previously appeared in Quartz.

Planet DebianMike Gabriel: My Work on Debian LTS (June 2020)

In June 2020, I have worked on the Debian LTS project for 8 hours (of 8 hours planned).

LTS Work

  • frontdesk: CVE bug triaging for Debian jessie LTS: mailman, alpine, python3.4, redis, pound, pcre3, ngircd, mutt, lynis, libvncserver, cinder, bison, batik.
  • upload to jessie-security: libvncserver (DLA-2264-1 [1], 9 CVEs)
  • upload to jessie-security: mailman (DLA-2265-1 [2], 1 CVE)
  • upload to jessie-security: mutt (DLA-2268-1 [3] and DLA-2268-2 [4]), 2 CVEs)

Other security related work for Debian

  • make sure all security fixes for php-horde-* are also in Debian unstable
  • upload freerdp2 2.1.2+dfsg-1 to unstable (9 CVEs)


Planet DebianRussell Coker: Desklab Portable USB-C Monitor

I just got a 15.6″ 4K resolution Desklab portable touchscreen monitor [1]. It takes power via USB-C and video input via USB-C or mini HDMI, has touch screen input, and has speakers built in for USB or HDMI sound.

PC Use

I bought a mini-DisplayPort to HDMI adapter and for my first test ran it from my laptop, it was seen as a 1920*1080 DisplayPort monitor. The adaptor is specified as supporting 4K so I don’t know why I didn’t get 4K to work, my laptop has done 4K with other monitors.

The next thing I plan to get is a VGA to HDMI converter so I can use this on servers, it can be a real pain getting a monitor and power cable to a rack mounted server and this portable monitor can be powered by one of the USB ports in the server. A quick search indicates that such devices start at about $12US.

The Desklab monitor has no markings to indicate what resolution it supports, no part number, and no serial number. The only documentation I could find about how to recognise the difference between the FullHD and 4K versions is that the FullHD version supposedly draws 2A and the 4K version draws 4A. I connected my USB Ammeter and it reported that between 0.6 and 1.0A were drawn. If they meant to say 2W and 4W instead of 2A and 4A (I’ve seen worse errors in manuals) then the current drawn would indicate the 4K version. Otherwise the stated current requirements don’t come close to matching what I’ve measured.


The promise of USB-C was power from anywhere to anywhere. I think that such power can theoretically be done with USB 3 and maybe USB 2, but asymmetric cables make it more challenging.

I can power my Desklab monitor from a USB battery, from my Thinkpad’s USB port (even when the Thinkpad isn’t on mains power), and from my phone (although the phone battery runs down fast as expected). When I have a mains powered USB charger (for a laptop and rated at 60W) connected to one USB-C port and my phone on the other the phone can be charged while giving a video signal to the display. This is how it’s supposed to work, but in my experience it’s rare to have new technology live up to it’s potential at the start!

One thing to note is that it doesn’t have a battery. I had imagined that it would have a battery (in spite of there being nothing on their web site to imply this) because I just couldn’t think of a touch screen device not having a battery. It would be nice if there was a version of this device with a big battery built in that could avoid needing separate cables for power and signal.

Phone Use

The first thing to note is that the Desklab monitor won’t work with all phones, whether a phone will take the option of an external display depends on it’s configuration and some phones may support an external display but not touchscreen. The Huawei Mate devices are specifically listed in the printed documentation as being supported for touchscreen as well as display. Surprisingly the Desklab web site has no mention of this unless you download the PDF of the manual, they really should have a list of confirmed supported devices and a forum for users to report on how it works.

My phone is a Huawei Mate 10 Pro so I guess I got lucky here. My phone has a “desktop mode” that can be enabled when I connect it to a USB-C device (not sure what criteria it uses to determine if the device is suitable). The desktop mode has something like a regular desktop layout and you can move windows around etc. There is also the option of having a copy of the phone’s screen, but it displays the image of the phone screen vertically in the middle of the landscape layout monitor which is ridiculous.

When desktop mode is enabled it’s independent of the phone interface so I had to find the icons for the programs I wanted to run in an unsorted list with no search usable (the search interface of the app list brings up the keyboard which obscures the list of matching apps). The keyboard takes up more than half the screen and there doesn’t seem to be a way to make it smaller. I’d like to try a portrait layout which would make the keyboard take something like 25% of the screen but that’s not supported.

It’s quite easy to type on a keyboard that’s slightly larger than a regular PC keyboard (a 15″ display with no numeric keypad or cursor control keys). The hackers keyboard app might work well with this as it has cursor control keys. The GUI has an option for full screen mode for an app which is really annoying to get out of (you have to use a drop down from the top of the screen), full screen doesn’t make sense for a display this large. Overall the GUI is a bit clunky, imagine Windows 3.1 with a start button and task bar. One interesting thing to note is that the desktop and phone GUIs can be run separately, so you can type on the Desklab (or any similar device) and look things up on the phone. Multiple monitors never really interested me for desktop PCs because switching between windows is fast and easy and it’s easy to resize windows to fit several on the desktop. Resizing windows on the Huawei GUI doesn’t seem easy (although I might be missing some things) and the keyboard takes up enough of the screen that having multiple windows open while typing isn’t viable.

I wrote the first draft of this post on my phone using the Desklab display. It’s not nearly as easy as writing on a laptop but much easier than writing on the phone screen.

Currently Desklab is offering 2 models for sale, 4K resolution for $399US and FullHD for $299US. I got the 4K version which is very expensive at the moment when converted to Australian dollars. There are significantly cheaper USB-C monitors available (such as this ASUS one from Kogan for $369AU), but I don’t think they have touch screens and therefore can’t be used with a phone unless you enable the phone screen as touch pad mode and have a mouse cursor on screen. I don’t know if all Android devices support that, it could be that a large part of the desktop experience I get is specific to Huawei devices.

One annoying feature is that if I use the phone power button to turn the screen off it shuts down the connection to the Desklab display, but the phone screen will turn off it I leave it alone for the screen timeout (which I have set to 10 minutes).


When I ordered this I wanted the biggest screen possible. But now that I have it the fact that it doesn’t fit in the pocket of my Scott e Vest jacket [2] will limit what I can do with it. Maybe I’ll be buying a 13″ monitor in the near future, I expect that Desklab will do well and start selling them in a wide range of sizes. A 15.6″ portable device is inconvenient even if it is in the laptop format, a thin portable screen is inconvenient in many ways.

Netflix doesn’t display video on the Desklab screen, I suspect that Netflix is doing this deliberately as some misguided attempt at stopping piracy. It is really good for watching video as it has the speakers in good locations for stereo sound, it’s a pity that Netflix is difficult.

The functionality on phones from companies other than Huawei is unknown. It is likely to work on most Android phones, but if a particular phone is important to you then you want to Google for how it worked for others.

Planet DebianEmmanuel Kasper: Test a webcam from the command line on Linux with VLC

Since this info was too well hidden on the internet, here is the information:
cvlc v4l2:///dev/video0
and there you go.
If you have multiple cameras connected, you can try /dev/video0 up to /dev/video5

Planet DebianEvgeni Golov: Automatically renaming the default git branch to "devel"

It seems GitHub is planning to rename the default brach for newly created repositories from "master" to "main". It's incredible how much positive PR you can get with a one line configuration change, while still working together with the ICE.

However, this post is not about bashing GitHub.

Changing the default branch for newly created repositories is good. And you also should do that for the ones you create with git init locally. But what about all the repositories out there? GitHub surely won't force-rename those branches, but we can!

Ian will do this as he touches the individual repositories, but I tend to forget things unless I do them immediately…

Oh, so this is another "automate everything with an API" post? Yes, yes it is!

And yes, I am going to use GitHub here, but something similar should be implementable on any git hosting platform that has an API.

Of course, if you have SSH access to the repositories, you can also just edit HEAD in an for loop in bash, but that would be boring ;-)

I'm going with devel btw, as I'm already used to develop in the Foreman project and devel in Ansible.

acquire credentials

My GitHub account is 2FA enabled, so I can't just use my username and password in a basic HTTP API client. So the first step is to acquire a personal access token, that can be used instead. Of course I could also have implemented OAuth2 in my lousy script, but ain't nobody have time for that.

The token will require the "repo" permission to be able to change repositories.

And we'll need some boilerplate code (I'm using Python3 and requests, but anything else will work too):

#!/usr/bin/env python3

import requests


headers = {'User-Agent': '@{}'.format(USER)}
auth = (USER, TOKEN)

session = requests.Session()
session.auth = auth
session.verify = True

This will store our username, token, and create a requests.Session so that we don't have to pass the same data all the time.

get a list of repositories to change

I want to change all my own repos that are not archived, not forks, and actually have the default branch set to master, YMMV.

As we're authenticated, we can just list the repositories of the currently authenticated user, and limit them to "owner" only.

GitHub uses pagination for their API, so we'll have to loop until we get to the end of the repository list.

repos_to_change = []

url = '{}/user/repos?type=owner'.format(BASE)
while url:
    r = session.get(url)
    if r.ok:
        repos = r.json()
        for repo in repos:
            if not repo['archived'] and not repo['fork'] and repo['default_branch'] == 'master':
        if 'next' in r.links:
            url = r.links['next']['url']
            url = None
        url = None

create a new devel branch and mark it as default

Now that we know which repos to change, we need to fetch the SHA of the current master, create a new devel branch pointing at the same commit and then set that new branch as the default branch.

for repo in repos_to_change:
    master_data = session.get('{}/repos/evgeni/{}/git/ref/heads/master'.format(BASE, repo)).json()
    data = {'ref': 'refs/heads/devel', 'sha': master_data['object']['sha']}'{}/repos/{}/{}/git/refs'.format(BASE, USER, repo), json=data)
    default_branch_data = {'default_branch': 'devel'}
    session.patch('{}/repos/{}/{}'.format(BASE, USER, repo), json=default_branch_data)
    session.delete('{}/repos/{}/{}/git/refs/heads/{}'.format(BASE, USER, repo, 'master'))

I've also opted in to actually delete the old master, as I think that's the safest way to let the users know that it's gone. Letting it rot in the repository would mean people can still pull and won't notice that there are no changes anymore as the default branch moved to devel.



I've updated all my (those in the evgeni namespace) non-archived repositories to have devel instead of master as the default branch.

Have fun updating!


#!/usr/bin/env python3

import requests


headers = {'User-Agent': '@{}'.format(USER)}
auth = (USER, TOKEN)

session = requests.Session()
session.auth = auth
session.verify = True

repos_to_change = []

url = '{}/user/repos?type=owner'.format(BASE)
while url:
    r = session.get(url)
    if r.ok:
        repos = r.json()
        for repo in repos:
            if not repo['archived'] and not repo['fork'] and repo['default_branch'] == 'master':
        if 'next' in r.links:
            url = r.links['next']['url']
            url = None
        url = None

for repo in repos_to_change:
    master_data = session.get('{}/repos/evgeni/{}/git/ref/heads/master'.format(BASE, repo)).json()
    data = {'ref': 'refs/heads/devel', 'sha': master_data['object']['sha']}'{}/repos/{}/{}/git/refs'.format(BASE, USER, repo), json=data)
    default_branch_data = {'default_branch': 'devel'}
    session.patch('{}/repos/{}/{}'.format(BASE, USER, repo), json=default_branch_data)
    session.delete('{}/repos/{}/{}/git/refs/heads/{}'.format(BASE, USER, repo, 'master'))

Worse Than FailureABCD

As is fairly typical in our industry, Sebastian found himself working as a sub-contractor to a sub-contractor to a contractor to a big company. In this case, it was IniDrug, a pharmaceutical company.

Sebastian was building software that would be used at various steps in the process of manufacturing, which meant he needed to spend a fair bit of time in clean rooms, and on air-gapped networks, to prevent trade secrets from leaking out.

Like a lot of large companies, they had very formal document standards. Every document going out needed to have the company logo on it, somewhere. This meant all of the regular employees had the IniDrug logo in their email signatures, e.g.:

Bill Lumbergh
Senior Project Lead
  _____       _ _____                   
 |_   _|     (_|  __ \                  
   | |  _ __  _| |  | |_ __ _   _  __ _ 
   | | | '_ \| | |  | | '__| | | |/ _` |
  _| |_| | | | | |__| | |  | |_| | (_| |
 |_____|_| |_|_|_____/|_|   \__,_|\__, |
                                   __/ |

At least, they did until Sebastian got an out of hours, emergency call. While they absolutely were not set up for remote work, Sebastian could get webmail access. And in the webmail client, he saw:

Bill Lumbergh
Senior Project Lead

At first, Sebastian assumed Bill had screwed up his sigline. Or maybe the attachment broke? But as Sebastian hopped on an email chain, he noticed a lot of ABCDs. Then someone sent out a Word doc (because why wouldn’t you catalog your emergency response in a Word document?), and in the space where it usually had the IniDrug logo, it instead had “ABCD”.

The crisis resolved itself without any actual effort from Sebastian or his fellow contractors, but they had to reply to a few emails just to show that they were “pigs and not chickens”- they were committed to quality software. The next day, Sebastian mentioned the ABCD weirdness.

“I saw that too. I wonder what the deal was?” his co-worker Joanna said.

They pulled up the same document on his work computer, the logo displayed correctly. He clicked on it, and saw the insertion point blinking back at him. Then he glanced at the formatting toolbar and saw “IniDrug Logo” as the active font.

Puzzled, he selected the logo and changed the font. “ABCD” appeared.

IniDrug had a custom font made, hacked so that if you typed ABCD the resulting output would look like the IniDrug logo. That was great, if you were using a computer with the font installed, or if you remembered to make sure your word processor was embedding all your weird custom fonts.

Which also meant a bunch of outside folks were interacting with IniDrug employees, wondering why on Earth they all had “ABCD” in their siglines. Sebastian and Joanna got a big laugh about it, and shared the joke with their fellow contractors. Helping the new contractors discover this became a rite of passage. When contractors left for other contracts, they’d tell their peers, “It was great working at ABCD, but it’s time that I moved on.”

There were a lot of contractors, all chuckling about this, and one day in a shared break room, a bunch of T-Shirts appeared: plain white shirts with “ABCD” written on them in Arial.

That, as it turned out, was the bridge too far, and it got the attention of someone who was a regular IniDrug employee.

To the Contracting Team:
In the interests of maintaining a professional environment, we will be updating the company dress code. Shirts decorated with the text “ABCD” are prohibited, and should not be worn to work. If you do so, you will be asked to change or conceal the offending content.

Bill Lumbergh
Senior Project Lead

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

Planet DebianRussell Coker: Isolating PHP Web Sites

If you have multiple PHP web sites on a server in a default configuration they will all be able to read each other’s files in a default configuration. If you have multiple PHP web sites that have stored data or passwords for databases in configuration files then there are significant problems if they aren’t all trusted. Even if the sites are all trusted (IE the same person configures them all) if there is a security problem in one site it’s ideal to prevent that being used to immediately attack all sites.


The first thing I tried was mpm_itk [1]. This is a version of the traditional “prefork” module for Apache that has one process for each HTTP connection. When it’s installed you just put the directive “AssignUserID USER GROUP” in your VirtualHost section and that virtual host runs as the user:group in question. It will work with any Apache module that works with mpm_prefork. In my experiment with mpm_itk I first tried running with a different UID for each site, but that conflicted with the pagespeed module [2]. The pagespeed module optimises HTML and CSS files to improve performance and it has a directory tree where it stores cached versions of some of the files. It doesn’t like working with copies of itself under different UIDs writing to that tree. This isn’t a real problem, setting up the different PHP files with database passwords to be read by the desired group is easy enough. So I just ran each site with a different GID but used the same UID for all of them.

The first problem with mpm_itk is that the mpm_prefork code that it’s based on is the slowest mpm that is available and which is also incompatible with HTTP/2. A minor issue of mpm_itk is that it makes Apache take ages to stop or restart, I don’t know why and can’t be certain it’s not a configuration error on my part. As an aside here is a site for testing your server’s support for HTTP/2 [3]. To enable HTTP/2 you have to be running mpm_event and enable the “http2” module. Then for every virtual host that is to support it (generally all https virtual hosts) put the line “Protocols h2 h2c http/1.1” in the virtual host configuration.

A good feature of mpm_itk is that it has everything for the site running under the same UID, all Apache modules and Apache itself. So there’s no issue of one thing getting access to a file and another not getting access.

After a trial I decided not to keep using mpm_itk because I want HTTP/2 support.

php-fpm Pools

The Apache PHP module depends on mpm_prefork so it also has the issues of not working with HTTP/2 and of causing the web server to be slow. The solution is php-fpm, a separate server for running PHP code that uses the fastcgi protocol to talk to Apache. Here’s a link to the upstream documentation for php-fpm [4]. In Debian this is in the php7.3-fpm package.

In Debian the directory /etc/php/7.3/fpm/pool.d has the configuration for “pools”. Below is an example of a configuration file for a pool:

# cat /etc/php/7.3/fpm/pool.d/
user =
group =
listen = /run/php/
listen.owner = www-data = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

Here is the upstream documentation for fpm configuration [5].

Then for the Apache configuration for the site in question you could have something like the following:

ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/run/php/|fcgi://localhost/usr/share/wordpress/"

The “|fcgi://localhost” part is just part of the way of specifying a Unix domain socket. From the Apache Wiki it appears that the method for configuring the TCP connections is more obvious [6]. I chose Unix domain sockets because it allows putting the domain name in the socket address. Matching domains for the web server to port numbers is something that’s likely to be error prone while matching based on domain names is easier to check and also easier to put in Apache configuration macros.

There was some additional hassle with getting Apache to read the files created by PHP processes (the options include running PHP scripts with the www-data group, having SETGID directories for storing files, and having world-readable files). But this got things basically working.


My Google searches for running multiple PHP sites under different UIDs didn’t turn up any good hits. It was only after I found the DigitalOcean page on doing this with Nginx [7] that I knew what to search for to find the way of doing it in Apache.

Krebs on SecurityRansomware Gangs Don’t Need PR Help

We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.

Often the rationale behind couching these events as newsworthy is that the attacks involve publicly traded companies or recognizable brands, and that investors and the public have a right to know. But absent any additional information from the victim company or their partners who may be affected by the attack, these kinds of stories and blog posts look a great deal like ambulance chasing and sensationalism.

Currently, more than a dozen ransomware crime gangs have erected their own blogs to publish sensitive data from victims. A few of these blogs routinely issue self-serving press releases, some of which gallingly refer to victims as “clients” and cast themselves in a beneficent light. Usually, the blog posts that appear on ransom sites are little more than a teaser — screenshots of claimed access to computers, or a handful of documents that expose proprietary or financial information.

The goal behind the publication of these teasers is clear, and the ransomware gangs make no bones about it: To publicly pressure the victim company into paying up. Those that refuse to be extorted are told to expect that huge amounts of sensitive company data will be published online or sold on the dark web (or both).

Emboldened by their successes, several ransomware gangs recently have started demanding two ransoms: One payment to secure a digital key that can unlock files, folders and directories encrypted by their malware, and a second to avoid having any stolen information published or shared with others.

KrebsOnSecurity has sought to highlight ransomware incidents at companies whose core business involves providing technical services to others — particularly managed service providers that have done an exceptionally poor job communicating about the attack with their customers.

Overall, I’ve tried to use each story to call attention to key failures that frequently give rise to ransomware infections, and to offer information about how other companies can avoid a similar fate.

But simply parroting what professional extortionists have posted on their blog about victims of cybercrime smacks of providing aid and comfort to an enemy that needs and deserves neither.

Maybe you disagree, dear readers? Feel free to sound off in the comments below.


Rondam RamblingsI Will Remember Ricky Ray Rector

I've always been very proud of the fact that I came out in support of gay marriage before it was cool.   I have been correspondingly chagrined at my failure to speak out sooner and more vociferously about the shameful and systemic mistreatment of people of color, and black people in particular, in the U.S.  For what it's worth, I hereby confess my sins, acknowledge my white privilege, and

Planet DebianJoachim Breitner: Template Haskell recompilation

I was wondering: What happens if I have a Haskell module with Template Haskell that embeds some information from the environment (time, environment variables). Will such a module be reliable recompiled? And what if it gets recompiled, but the source code produced by Template Haskell is actually unchanged (e.g., because the environment variable has not changed), will all depending modules be recompiled (which would be bad)?

Here is a quick experiment, using GHC-8.8:

/tmp/th-recom-test $ cat Foo.hs
{-# LANGUAGE TemplateHaskell #-}
{-# OPTIONS_GHC -fforce-recomp #-}
module Foo where

import Language.Haskell.TH
import Language.Haskell.TH.Syntax
import System.Process

theMinute :: String
theMinute = $(runIO (readProcess "date" ["+%M"] "") >>= stringE)
[jojo@kirk:2] Mi, der 01.07.2020 um 17:18 Uhr ☺
/tmp/th-recom-test $ cat Main.hs
import Foo
main = putStrLn theMinute

Note that I had to set {-# OPTIONS_GHC -fforce-recomp #-} – by default, GHC will not recompile a module, even if it uses Template Haskell and runIO. If you are reading from a file you can use addDependentFile to tell the compiler about that depenency, but that does not help with reading from the environment.

So here is the test, and we get the desired behaviour: The Foo module is recompiled every time, but unless the minute has changed (see my prompt), Main is not recomipled:

/tmp/th-recom-test $ ghc --make -O2 Main.hs -o test
[1 of 2] Compiling Foo              ( Foo.hs, Foo.o )
[2 of 2] Compiling Main             ( Main.hs, Main.o )
Linking test ...
[jojo@kirk:2] Mi, der 01.07.2020 um 17:20 Uhr ☺
/tmp/th-recom-test $ ghc --make -O2 Main.hs -o test
[1 of 2] Compiling Foo              ( Foo.hs, Foo.o )
Linking test ...
[jojo@kirk:2] Mi, der 01.07.2020 um 17:20 Uhr ☺
/tmp/th-recom-test $ ghc --make -O2 Main.hs -o test
[1 of 2] Compiling Foo              ( Foo.hs, Foo.o )
[2 of 2] Compiling Main             ( Main.hs, Main.o ) [Foo changed]
Linking test ...

So all well!

Update: It seems that while this works with ghc --make, the -fforce-recomp does not cause cabal build to rebuild the module. That’s unfortunate.

CryptogramSecuring the International IoT Supply Chain

Together with Nate Kim (former student) and Trey Herr (Atlantic Council Cyber Statecraft Initiative), I have written a paper on IoT supply chain security. The basic problem we try to solve is: how to you enforce IoT security regulations when most of the stuff is made in other countries? And our solution is: enforce the regulations on the domestic company that's selling the stuff to consumers. There's a lot of detail between here and there, though, and it's all in the paper.

We also wrote a Lawfare post:

...we propose to leverage these supply chains as part of the solution. Selling to U.S. consumers generally requires that IoT manufacturers sell through a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or Amazon. The Federal Trade Commission can apply regulatory pressure to this distributor to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. That would put pressure on manufacturers to make sure their products are compliant with the standards set out in this security framework, including pressuring their component vendors and original device manufacturers to make sure they supply parts that meet the recognized security framework.

News article.

Planet DebianSylvain Beucler: Debian LTS and ELTS - June 2020

Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 5.25h for ELTS (out of 20 max; all done).

While LTS is part of the Debian project, fellow contributors sometimes surprise me: suggestion to vote for sponsors-funded projects with concorcet was only met with overhead concerns, and there were requests for executive / business owner decisions (we're currently heading towards consultative vote); I heard concerns about discussing non-technical issues publicly (IRC team meetings are public though); the private mail infrastructure was moved from self-hosting straight to Google; when some got an issue with Debian Social for our first video conference, there were immediate suggestions to move to Zoom...
Well, we do need some people to make those LTS firmware updates in non-free :)

Also this was the last month before shifting suites: goodbye to Jessie LTS and Wheezy ELTS, welcome Stretch LTS and Jessie ELTS.

ELTS - Wheezy

  • mysql-connector-java: improve testsuite setup; prepare wheezy/jessie/stretch triple builds; coordinate versioning scheme with security-team; security upload ELA 234-1
  • ntp: wheezy+jessie triage: 1 ignored (too intrusive to backport); 1 postponed (hard to exploit, no patch)
  • Clean-up (ditch) wheezy VMs :)

LTS - Jessie

  • mysql-connector-java: see common work in ELTS
  • mysql-connector-java: security uploads DLA 2245-1 (LTS) and DSA 4703 (oldstable)
  • ntp: wheezy+jessie triage (see ELTS)
  • rails: global triage, backport 2 patches, security upload DLA 2251-1
  • rails: global security: prepare stretch/oldstable update
  • rails: new important CVE on unmaintained 4.x, fixes introduce several regressions, propose new fix to upstream, update stretch proposed update [and jessie, but rails will turn out unsupported in ELTS]
  • python3.4: prepare update to fix all pending non-criticial issues, 5/6 ready
  • private video^W^Wpublic IRC team meeting


Planet DebianJunichi Uekawa: Already July and still stuck at home.

Already July and still stuck at home.

Worse Than FailureCodeSOD: locurlicenseucesss

The past few weeks, I’ve been writing software for a recording device. This is good, because when I’m frustrated by the bugs I put in the code and I start cursing at it, it’s not venting, it’s testing.

There are all sorts of other little things we can do to vent. Imagine, if you will, you find yourself writing an if with an empty body, but an else clause that does work. You’d probably be upset at yourself. You might be stunned. You might be so tired it feels like a good idea at the time. You might be deep in the throes of “just. work. goddammit”. Regardless of the source of that strain, you need to let it out somewhere.

Emmanuelle found this is a legacy PHP codebase:

    // Congratulations, you has locurlicenseucesss asdfghjk
} else {
    header("Location: feed.php");

I think being diagnosed with locurlicenseucesss should not be a cause for congratulations, but maybe I’m the one that’s confused.

Emmanuelle adds: “Honestly, I have no idea how this happened.”

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Planet DebianUtkarsh Gupta: FOSS Activites in June 2020

Here’s my (ninth) monthly update about the activities I’ve done in the F/L/OSS world.


This was my 16th month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/

This month was a little intense. I did a a lot of different kinds of things in Debian this month. Whilst most of my time went on doing security stuff, I also sponosred a bunch of packages.

Here are the following things I did this month:

Uploads and bug fixes:

Other $things:

  • Hosted Ruby team meeting. Logs here.
  • Mentoring for newcomers.
  • FTP Trainee reviewing.
  • Moderation of -project mailing list.
  • Sponsored ruby-ast for Abraham, libexif for Hugh, djangorestframework-gis and karlseguin-ccache for Nilesh, and twig-extensions, twig-i18n-extension, and mariadb-mysql-kbs for William.

GSoC Phase 1, Part 2!

Last month, I got selected as a Google Summer of Code student for Debian again! \o/
I am working on the Upstream-Downstream Cooperation in Ruby project.

The first half of the first month is blogged here, titled, GSoC Phase 1.
Also, I log daily updates at

Whilst the daily updates are available at the above site^, I’ll breakdown the important parts of the later half of the first month here:

  • Documented the first cop, GemspecGit via PR #2.
  • Made an initial release, v0.1.0! 💖
  • Spread the word/usage about this tool/library via adding them in the official RuboCop docs.
  • We had our third weekly meeting where we discussed the next steps and the things that are supposed to be done for the next set of cops.
  • Wrote more tests so as to cover different aspects of the GemspecGit cop.
  • Opened PR #4 for the next Cop, RequireRelativeToLib.
  • Introduced rubocop-packaging to the outer world and requested other upstream projects to use it! It is being used by 6 other projects already 😭💖
  • Had our fourth weekly meeting where we pair-programmed (and I sucked :P) and figured out a way to make the second cop work.
  • Found a bug, reported at issue #5 and raised PR #6 to fix it.
  • And finally, people loved the library/tool (and it’s outcome):

    (for those who don’t know, @bbatsov is the author of RuboCop, @lienvdsteen is an amazing fullstack engineer at GitLab, and @pboling is the author of some awesome Ruby tools and libraries!)

Whilst I have already mentioned it multiple times but it’s still not enough to stress how amazing Antonio Terceiro and David Rodríguez are! 💖
They’re more than just mentors to me!

Well, only they know how much I trouble them with different things, which are not only related to my GSoC project but also extends to the projects they maintain! :P
David maintains rubygems and bundler and Antonio maintains debci.

So on days when I decide to hack on rubygems or debci, only I know how kind and nice David and Anotonio are to me!
They very patiently walk me through with whatever I am stuck on, no matter what and no matter when.

Thus, with them around, I contributed to these two projects and more, with regards to working on rubocop-packaging.
Following are a few things that I raised:

Debian LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

This was my ninth month as a Debian LTS paid contributor. I was assigned 30.00 hours and worked on the following things:

CVE Fixes and Announcements:

Other LTS Work:

  • Triaged sympa, apache2, qemu, and coturn.
  • Add fix for CVE-2020-0198/libexif.
  • Requested CVE for bug#60251 against apache2 and prodded further.
  • Raised issue #947 against sympa reporting an incomplete patch for CVE-2020-10936. More discussions internally.
  • Created the LTS Survey on the self-hosted LimeSurvey instance.
  • Attended the third LTS meeting. Logs here.
  • General discussion on LTS private and public mailing list.


Sometimes it gets hard to categorize work/things into a particular category.
That’s why I am writing all of those things inside this category.
This includes two sub-categories and they are as follows.


This month I did the following things:

  • Wrote and published v0.1.0 of rubocop-packaging on RubyGems! 💯
    It’s open-sourced and the repository is here.
    Bug reports and pull requests are welcomed! 😉
  • Integrated a tiny (yet a powerful) hack to align images in markdown for my blog.
    Commit here. 🚀
  • Released v0.4.0 of batalert on RubyGems! 🤗

Open Source:

Again, this contains all the things that I couldn’t categorize earlier.
Opened several issues and PRs:

Thank you for sticking along for so long :)

Until next time.
:wq for today.

Planet DebianPaul Wise: FLOSS Activities June 2020


This month I didn't have any particular focus. I just worked on issues in my info bubble.





  • Debian BTS: usertags QA
  • Debian IRC channels: fixed a channel mode lock
  • Debian wiki: unblock IP addresses, approve accounts, ping folks with bouncing email


  • Respond to queries from Debian users and developers on the mailing lists and IRC


The ifenslave and apt-listchanges work was sponsored by my employer. All other work was done on a volunteer basis.


Planet DebianChris Lamb: Free software activities in June 2020

Here is my monthly update covering what I have been doing in the free software world during June 2020 (previous month):

  • Opened two pull requests against the Ghostwriter distraction-free Markdown editor to:

    • Persist whether "focus mode" is enabled across between sessions. (#522)
    • Correct the ordering of the MarkdownAST::toString() debugging output. (#520)
  • Will McGugan's "Rich" is a Python library to output formatted text, tables, syntax etc. to the terminal. I filed a pull request in order to allow for easy enabling and disabling of displaying the file path in Rich's logging handler. (#115)

  • As part of my duties of being on the board of directors of the Open Source Initiative and Software in the Public Interest I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet, as well as the usual internal discussions regarding logistics and policy etc.

  • Filed a pull request against the PyQtGraph Scientific Graphics and graphical user interface library to make the documentation build reproducibly. (#1265)

  • Reviewed and merged a large number of changes by Pavel Dolecek to my Strava Enhancement Suite, a Chrome extension to improve the user experience on the Strava athletic tracker.

For Lintian, the static analysis tool for Debian packages:

  • Don't emit breakout-link for architecture-independent .jar files under /usr/lib. (#963939)
  • Correct a reference to override_dh_ in the long description of the excessive-debhelper-overrides tag. [...]
  • Update data/fields/perl-provides for Perl 5.030003. [...]
  • Check for execute_after and execute_before spelling mistakes just like override_*. [...]


Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:


Elsewhere in our tooling, I made the following changes to diffoscope including preparing and uploading versions 147, 148 and 149 to Debian:

  • New features:

    • Add output from strings(1) to ELF binaries. (#148)
    • Allow user to mask/filter diff output via --diff-mask=REGEX. (!51)
    • Dump PE32+ executables (such as EFI applications) using objdump(1). (#181)
    • Add support for Zsh shell completion. (#158)
  • Bug fixes:

    • Prevent a traceback when comparing PDF documents that did not contain metadata (ie. a PDF /Info stanza). (#150)
    • Fix compatibility with jsondiff version 1.2.0. (#159)
    • Fix an issue in GnuPG keybox file handling that left filenames in the diff. [...]
    • Correct detection of JSON files due to missing call to File.recognizes that checks candidates against file(1). [...]
  • Output improvements:

    • Use the CSS word-break property over manually adding U+200B zero-width spaces as these were making copy-pasting cumbersome. (!53)
    • Downgrade the tlsh warning message to an "info" level warning. (#29)
  • Logging improvements:

  • Testsuite improvements:

    • Update tests for file(1) version 5.39. (#179)
    • Drop accidentally-duplicated copy of the --diff-mask tests. [...]
    • Don't mask an existing test. [...]
  • Codebase improvements:

    • Replace obscure references to "WF" with "Wagner-Fischer" for clarity. [...]
    • Use a semantic AbstractMissingType type instead of remembering to check for both types of "missing" files. [...]
    • Add a comment regarding potential security issue in the .changes, .dsc and .buildinfo comparators. [...]
    • Drop a large number of unused imports. [...][...][...][...][...]
    • Make many code sections more Pythonic. [...][...][...][...]
    • Prevent some variable aliasing issues. [...][...][...]
    • Use some tactical f-strings to tidy up code [...][...] and remove explicit u"unicode" strings [...].
    • Refactor a large number of routines for clarity. [...][...][...][...]

trydiffoscope is the web-based version of diffoscope. This month, I specified a location for the celerybeat scheduler to ensure that the clean/tidy tasks are actually called which had caused an accidental resource exhaustion. (#12)



I filed three bugs against:

  • cmark: Please update the homepage URI. (#962576)
  • petitboot: Please update Vcs-Git urls. (#963123)
  • python-pauvre: FTBFS if the DISPLAY environment variable is exported. (#962698)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 5¼ hours on its sister Extended LTS project.

  • Investigated and triaged angular.js [...],icinga2 [...], intel-microcode [...], jquery [...], pdns-recursor [...], unbound [...] & wordpress [...].

  • Frontdesk duties, including responding to user/developer questions, reviewing others' packages, participating in mailing list discussions as well as attending our contributor meeting.

  • Issued DLA 2233-1 to fix two issues in the Django web development framework in order to fix a potential data leakage via malformed memcached keys (CVE-2020-13254) and to prevent a cross-site scripting attack in the Django administration system (CVE-2020-13596). This was followed by DLA 2233-2 to address a regression as well as uploads to Debian stretch (1.10.7-2+deb9u9) and buster (1.11.29-1~deb10u1). (More info)

  • Issued DLA 2235-1 to prevent a file descriptor leak in the D-Bus message bus (CVE-2020-12049).

  • Issued DLA 2239-1 for a security module for using the TACACS+ authentication service to prevent an issue where shared secrets such as private server keys were being added in plaintext to various logs.

  • Issued DLA 2244-1 to address an escaping issue in PHPMailer, an email generation utility class for the PHP programming language.

  • Issued DLA 2252-1 for the ngircd IRC server as it was discovered that there was an out-of-bounds access vulnerability in the server-to-server protocol.

  • Issued DLA 2253-1 to resolve a vulnerability in the Lynis a security auditing tool because a shared secret could be obtained by simple observation of the process list when a data upload is being performed.

You can find out more about the project via the following video:


CryptogramAndroid Apps Stealing Facebook Credentials

Google has removed 25 Android apps from its store because they steal Facebook credentials:

Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times.

The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same.

According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games.

The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone's foreground.

Krebs on SecurityCOVID-19 ‘Breach Bubble’ Waiting to Pop?

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse.

The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data.

An ad for a site selling stolen payment card data, circa March 2020.

That’s according to Gemini Advisory, a New York-based cyber intelligence firm that closely tracks the inventories of dark web stores trafficking in stolen payment card data.

Stas Alforov, Gemini’s director of research and development, said that since the beginning of 2020 the company has seen a steep drop in demand for compromised “card present” data — digits stolen from hacked brick-and-mortar merchants with the help of malicious software surreptitiously installed on point-of-sale (POS) devices.

Alforov said the median price for card-present data has dropped precipitously over the past few months.

“Gemini Advisory has seen over 50 percent decrease in demand for compromised card present data since the mandated COVID-19 quarantines in the United States as well as the majority of the world,” he told KrebsOnSecurity.

Meanwhile, the supply of card-present data has remained relatively steady. Gemini’s latest find — a 10-month-long card breach at dozens of Chicken Express locations throughout Texas and other southern states that the fast-food chain first publicly acknowledged today after being contacted by this author — saw an estimated 165,000 cards stolen from eatery locations recently go on sale at one of the dark web’s largest cybercrime bazaars.

“Card present data supply hasn’t wavered much during the COVID-19 period,” Alforov said. “This is likely due to the fact that most of the sold data is still coming from breaches that occurred in 2019 and early 2020.”

A lack of demand for and steady supply of stolen card-present data in the underground has severely depressed prices since the beginning of the COVID-19 pandemic. Image: Gemini Advisory

Naturally, crooks who ply their trade in credit card thievery also have been working from home more throughout the COVID-19 pandemic. That means demand for stolen “card-not-present” data — customer payment information extracted from hacked online merchants and typically used to defraud other e-commerce vendors — remains high. And so have prices for card-not-present data: Gemini found prices for this commodity actually increased slightly over the past few months.

Andrew Barratt is an investigator with Coalfire, the cyber forensics firm hired by Chicken Express to remediate the breach and help the company improve security going forward. Barratt said there’s another curious COVID-19 dynamic going on with e-commerce fraud recently that is making it more difficult for banks and card issuers to trace patterns in stolen card-not-present data back to hacked web merchants — particularly smaller e-commerce shops.

“One of the concerns that has been expressed to me is that we’re getting [fewer] overlapping hotspots,” Barratt said. “For a lot of the smaller, more frequently compromised merchants there has been a large drop off in transactions. Whilst big e-commerce has generally done okay during the COVID-19 pandemic, a number of more modest sized or specialty online retailers have not had the same access to their supply chain and so have had to close or drastically reduce the lines they’re selling.”

Banks routinely take groups of customer cards that have experienced fraudulent activity and try to see if some or all of them were used at the same merchant during a similar timeframe, a basic anti-fraud process known as “common point of purchase” or CPP analysis. But ironically, this analysis can become more challenging when there are fewer overall transactions going through a compromised merchant’s site, Barratt said.

“With a smaller transactional footprint means less Common Point of Purchase alerts and less data to work on to trigger a forensic investigation or fraud alert,” Barratt said. “It does also mean less fraud right now – which is a positive. But one of the big concerns that has been raised to us as investigators — literally asking if we have capacity for what’s coming — has been that merchants are getting compromised by ‘lie in wait’ type intruders.”

Barratt says there’s a suspicion that hackers may have established beachheads [breachheads?] in a number of these smaller online merchants and are simply biding their time. If and when transaction volumes for these merchants do pick up, the concern is then hackers may be in a better position to mix the sale of cards stolen from many hacked merchants and further confound CPP analysis efforts.

“These intruders may have a beachhead in a number of small and/or middle market e-commerce entities and they’re just waiting for the transaction volumes to go back up again and they’ve suddenly got the capability to have skimmers capturing lots of card data in the event of a sudden uptick in consumer spending,” he said. “They’d also have a diverse portfolio of compromise so could possibly even evade common point of purchase detection for a while too. Couple all of that with major shopping cart platforms going out of support (like Magento 1 this month) and furloughed IT and security staff, and there’s a potentially large COVID-19 breach bubble waiting to pop.”

With a majority of payment cards issued in the United States now equipped with a chip that makes the cards difficult and expensive for thieves to clone, cybercriminals have continued to focus on hacking smaller merchants that have not yet installed chip card readers and are still swiping the cards’ magnetic stripe at the register.

Barratt said his company has tied the source of the breach to malware known as “PwnPOS,” an ancient strain of point-of-sale malware that first surfaced more than seven years ago, if not earlier.

Chicken Express CEO Ricky Stuart told KrebsOnSecurity that apart from “a handful” of locations his family owns directly, most of his 250 stores are franchisees that decide on their own how to secure their payment operations. Nevertheless, the company is now forced to examine each store’s POS systems to remediate the breach.

Stuart blamed the major point-of-sale vendors for taking their time in supporting and validating chip-capable payment systems. But when asked how many of the company’s 250 stores had chip-capable readers installed, Stuart said he didn’t know. Ditto for the handful of stores he owns directly.

“I don’t know how many,” he said. “I would think it would be a majority. If not, I know they’re coming.”

Planet DebianEmmanuel Kasper: Learning openshift: a good moment to revisit awk too

I can’t believe I spent all these years using only grep.

Most of us know how to use awk to print the nth column of a file:

$ awk '{print $1}' /etc/hosts

will print all IP addresses from /etc/hosts

But you can also do filtering before printing the chosen column:

$ awk '$5 >= 2 {print $2}' /path/to/file

will print the second column of all lines, where the 5th column is greater than 2. That would have been hard with grep.

Now I can use that to find out all deployments on my openshift cluster, where the number of current replicas is greater than 2.

$ oc get deployments --all-namespaces | awk '$5 >= 2 {print $2}'

I know that openshift/kubernetes both have a powerful query selector syntax, but for the moment awk will do.

Worse Than FailureCodeSOD: The Data Class

There has been a glut of date-related code in the inbox lately, so it’s always a treat where TRWTF isn’t how they fail to handle dates, and instead, something else. For example, imagine you’re browsing a PHP codebase and see something like:

$fmtedDate = data::now();

You’d instantly know that something was up, just by seeing a class named data. That’s what got Vania’s attention. She dug in, and found a few things.

First, clearly, data is a terrible name for a class. It’d be a terrible name if it was a data access layer, but it has a method now, which tells us that it’s not just handling data.

But it’s not handling data at all. data is more precisely a utility class- the dumping ground for methods that the developer couldn’t come up with a way to organize. It contains 58 methods, 38 of which are 100% static methods, 7 of which should have been declared static but weren’t, and the remainder are actually interacting with $this. All in all, this class must be incredibly “fun”.

Let’s look at the now implementation:

class data
    // ...

    public static function now()
        return date('Y', time())."-".date('m', time())."-".date('d')." ".date('H').":".	date('i').":".	date('s');

Finally, we get to your traditional bad date handling code. Instead of just using a date format string to get the desired output, we manually construct the string by invoking date a bunch of times. There are some “interesting” choices here- you’ll note that the PHP date function accepts a date parameter- so you can format an arbitrary date- and sometimes they pass in the result of calling time() and sometimes they don’t. This is mostly not a problem, since date will invoke time itself if you don’t hand it one, so that’s just unnecessary.

But Vania adds some detail:

Because of the multiple calls to time() this code contains a subtle race condition. If it is called at, say, 2019-12-31 23:59:59.999, the date('Y', time()) part will evaluate to “2019”. If the time now ticks over to 2020-01-01 00:00:00.000, the next date() call will return a month value of “01” (and so on for the rest of the expression). The result is a timestamp of “2019–01–01 00:00:00”, which is off by a year. A similar issue happens at the end of every month, day, hour, and minute; i.e. every minute there is an opportunity for the result to be off by a minute.

It’s easy to fix, of course, you could just: return date('Y-m-d H:i:s');, which does exactly the same thing, but correctly. Unfortunately, Vania has this to add:

Unfortunately there is no budget for making this kind of change to the application. Also, its original authors seem to have been a fan of “code reuse” by copy/paste: There are four separate instances of this now() function in the codebase, all containing exactly the same code.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Planet DebianRuss Allbery: Review: The Fifth Risk

Review: The Fifth Risk, by Michael Lewis

Publisher: W.W. Norton
Copyright: 2018
Printing: 2019
ISBN: 0-393-35745-7
Format: Kindle
Pages: 254

The Fifth Risk starts with the presidential transition. Max Stier, the first person profiled by Lewis in this book, is the founder of the Partnership for Public Service. That foundation helped push through laws to provide more resources and structure for the transition of the United States executive branch from one president to the next. The goal was to fight wasted effort, unnecessary churn, and pointless disruption in the face of each administration's skepticism about everyone who worked for the previous administration.

"It's Groundhog Day," said Max. "The new people come in and think that the previous administration and the civil service are lazy or stupid. Then they actually get to know the place they are managing. And when they leave, they say, 'This was a really hard job, and those are the best people I've ever worked with.' This happens over and over and over."

By 2016, Stier saw vast improvements, despite his frustration with other actions of the Obama administration. He believed their transition briefings were one of the best courses ever produced on how the federal government works. Then that transition process ran into Donald Trump.

Or, to be more accurate, that transition did not run into Donald Trump, because neither he nor anyone who worked for him were there. We'll never know how good the transition information was because no one ever listened to or read it. Meetings were never scheduled. No one showed up.

This book is not truly about the presidential transition, though, despite its presence as a continuing theme. The Fifth Risk is, at its heart, an examination of government work, the people who do it, why it matters, and why you should care about it. It's a study of the surprising and misunderstood responsibilities of the departments of the United States federal government. And it's a series of profiles of the people who choose this work as a career, not in the upper offices of political appointees, but deep in the civil service, attempting to keep that system running.

I will warn now that I am far too happy that this book exists to be entirely objective about it. The United States desperately needs basic education about the government at all levels, but particularly the federal civil service. The public impression of government employees is skewed heavily towards the small number of public-facing positions and towards paperwork frustrations, over which the agency usually has no control because they have been sabotaged by Congress (mostly by Republicans, although the Democrats get involved occasionally). Mental images of who works for the government are weirdly selective. The Coast Guard could say "I'm from the government and I'm here to help" every day, to the immense gratitude of the people they rescue, but Reagan was still able to use that as a cheap applause line in his attack on government programs.

Other countries have more functional and realistic social attitudes towards their government workers. The United States is trapped in a politically-fueled cycle of contempt and ignorance. It has to stop. And one way to help stop it is someone with Michael Lewis's story-telling skills writing a different narrative.

The Fifth Risk is divided into a prologue about presidential transitions, three main parts, and an afterword (added in current editions) about a remarkable government worker whom you likely otherwise would never hear about. Each of the main parts talks about a different federal department: the Department of Energy, the Department of Agriculture, and the Department of Commerce. In keeping with the theme of the book, the people Lewis profiles do not do what you might expect from the names of those departments.

Lewis's title comes from his discussion with John MacWilliams, a former Goldman Sachs banker who quit the industry in search of more personally meaningful work and became the chief risk officer for the Department of Energy. Lewis asks him for the top five risks he sees, and if you know that the DOE is responsible for safeguarding nuclear weapons, you will be able to guess several of them: nuclear weapons accidents, North Korea, and Iran. If you work in computer security, you may share his worry about the safety of the electrical grid. But his fifth risk was project management. Can the government follow through on long-term hazardous waste safety and cleanup projects, despite constant political turnover? Can it attract new scientists to the work of nuclear non-proliferation before everyone with the needed skills retires? Can it continue to lay the groundwork with basic science for innovation that we'll need in twenty or fifty years? This is what the Department of Energy is trying to do.

Lewis's profiles of other departments are similarly illuminating. The Department of Agriculture is responsible for food stamps, the most effective anti-poverty program in the United States with the possible exception of Social Security. The section on the Department of Commerce is about weather forecasting, specifically about NOAA (the National Oceanic and Atmospheric Administration). If you didn't know that all of the raw data and many of the forecasts you get from weather apps and web sites are the work of government employees, and that AccuWeather has lobbied Congress persistently for years to prohibit the NOAA from making their weather forecasts public so that AccuWeather can charge you more for data your taxes already paid for, you should read this book. The story of American contempt for government work is partly about ignorance, but it's also partly about corporations who claim all of the credit while selling taxpayer-funded resources back to you at absurd markups.

The afterword I'll leave for you to read for yourself, but it's the story of Art Allen, a government employee you likely have never heard of but whose work for the Coast Guard has saved more lives than we are able to measure. I found it deeply moving.

If you, like I, are a regular reader of long-form journalism and watch for new Michael Lewis essays in particular, you've probably already read long sections of this book. By the time I sat down with it, I think I'd read about a third in other forms on-line. But the profiles that I had already read were so good that I was happy to read them again, and the additional stories and elaboration around previously published material was more than worth the cost and time investment in the full book.

It was never obvious to me that anyone would want to read what had interested me about the United States government. Doug Stumpf, my magazine editor for the past decade, persuaded me that, at this strange moment in American history, others might share my enthusiasm.

I'll join Michael Lewis in thanking Doug Stumpf.

The Fifth Risk is not a proposal for how to fix government, or politics, or polarization. It's not even truly a book about the Trump presidency or about the transition. Lewis's goal is more basic: The United States government is full of hard-working people who are doing good and important work. They have effectively no public relations department. Achievements that would result in internal and external press releases in corporations, not to mention bonuses and promotions, go unnoticed and uncelebrated. If you are a United States citizen, this is your government and it does important work that you should care about. It deserves the respect of understanding and thoughtful engagement, both from the citizenry and from the politicians we elect.

Rating: 10 out of 10

Planet DebianCraig Sanders: Fuck Grey Text

fuck grey text on white backgrounds
fuck grey text on black backgrounds
fuck thin, spindly fonts
fuck 10px text
fuck any size of anything in px
fuck font-weight 300
fuck unreadable web pages
fuck themes that implement this unreadable idiocy
fuck sites that don’t work without javascript
fuck reactjs and everything like it

thank fuck for Stylus. and uBlock Origin. and uMatrix.

Fuck Grey Text is a post from: Errata

Planet DebianNorbert Preining: TeX Live Debian update 20200629

More than a month has passed since the last update of TeX Live packages in Debian, so here is a new checkout!

All arch all packages have been updated to the tlnet state as of 2020-06-29, see the detailed update list below.


New packages

akshar, beamertheme-pure-minimalistic, biblatex-unified, biblatex-vancouver, bookshelf, commutative-diagrams, conditext, courierten, ektype-tanka, hvarabic, kpfonts-otf, marathi, menucard, namedef, pgf-pie, pwebmac, qrbill, semantex, shtthesis, tikz-lake-fig, tile-graphic, utf8add.

Updated packages

abnt, achemso, algolrevived, amiri, amscls, animate, antanilipsum, apa7, babel, bangtex, baskervillef, beamerappendixnote, beamerswitch, beamertheme-focus, bengali, bib2gls, biblatex-apa, biblatex-philosophy, biblatex-phys, biblatex-software, biblatex-swiss-legal, bibleref, bookshelf, bxjscls, caption, ccool, cellprops, changes, chemfig, circuitikz, cloze, cnltx, cochineal, commutative-diagrams, comprehensive, context, context-vim, cquthesis, crop, crossword, ctex, cweb, denisbdoc, dijkstra, doclicense, domitian, dps, draftwatermark, dvipdfmx, ebong, ellipsis, emoji, endofproofwd, eqexam, erewhon, erewhon-math, erw-l3, etbb, euflag, examplep, fancyvrb, fbb, fbox, fei, fira, fontools, fontsetup, fontsize, forest-quickstart, gbt7714, genealogytree, haranoaji, haranoaji-extra, hitszthesis, hvarabic, hyperxmp, icon-appr, kpfonts, kpfonts-otf, l3backend, l3build, l3experimental, l3kernel, latex-amsmath-dev, latexbangla, latex-base-dev, latexdemo, latexdiff, latex-graphics-dev, latexindent, latex-make, latexmp, latex-mr, latex-tools-dev, libertinus-fonts, libertinust1math, lion-msc, listings, logix, lshort-czech, lshort-german, lshort-polish, lshort-portuguese, lshort-russian, lshort-slovenian, lshort-thai, lshort-ukr, lshort-vietnamese, luamesh, lua-uca, luavlna, lwarp, marathi, memoir, mnras, moderntimeline, na-position, newcomputermodern, newpx, nicematrix, nodetree, ocgx2, oldstandard, optex, parskip, pdfcrop, pdfpc, pdftexcmds, pdfxup, pgf, pgfornament, pgf-pie, pgf-umlcd, pgf-umlsd, pict2e, plautopatch, poemscol, pst-circ, pst-eucl, pst-func, pstricks, pwebmac, pxjahyper, quran, rec-thy, reledmac, rest-api, sanskrit, sanskrit-t1, scholax, semantex, showexpl, shtthesis, suftesi, svg, tcolorbox, tex4ht, texinfo, thesis-ekf, thuthesis, tkz-doc, tlshell, toptesi, tuda-ci, tudscr, twemoji-colr, univie-ling, updmap-map, vancouver, velthuis, witharrows, wtref, xecjk, xepersian-hm, xetex-itrans, xfakebold, xindex, xindy, xltabular, yathesis, ydoc, yquant, zref.


Cory DoctorowSomeone Comes to Town, Someone Leaves Town (part 08)

Here’s part eight of my new reading of my novel Someone Comes to Town, Someone Leaves Town (you can follow all the installments, as well as the reading I did in 2008/9, here).

This is easily the weirdest novel I ever wrote. Gene Wolfe (RIP) gave me an amazing quote for it: “Someone Comes to Town, Someone Leaves Town is a glorious book, but there are hundreds of those. It is more. It is a glorious book unlike any book you’ve ever read.”

Here’s how my publisher described it when it came out:

Alan is a middle-aged entrepeneur who moves to a bohemian neighborhood of Toronto. Living next door is a young woman who reveals to him that she has wings—which grow back after each attempt to cut them off.

Alan understands. He himself has a secret or two. His father is a mountain, his mother is a washing machine, and among his brothers are sets of Russian nesting dolls.

Now two of the three dolls are on his doorstep, starving, because their innermost member has vanished. It appears that Davey, another brother who Alan and his siblings killed years ago, may have returned, bent on revenge.

Under the circumstances it seems only reasonable for Alan to join a scheme to blanket Toronto with free wireless Internet, spearheaded by a brilliant technopunk who builds miracles from scavenged parts. But Alan’s past won’t leave him alone—and Davey isn’t the only one gunning for him and his friends.

Whipsawing between the preposterous, the amazing, and the deeply felt, Cory Doctorow’s Someone Comes to Town, Someone Leaves Town is unlike any novel you have ever read.


Worse Than FailureAnother Immovable Spreadsheet


Steve had been working as a web developer, but his background was in mathematics. Therefore, when a job opened up for internal transfer to the "Statistics" team, he jumped on it and was given the job without too much contest. Once there, he was able to meet the other "statisticians:" a group of well-meaning businessfolk with very little mathematical background who used The Spreadsheet to get their work done.

The Spreadsheet was Excel, of course. To enter data, you had to cut and paste columns from various tools into one of the many sheets, letting the complex array of formulas calculate the numbers needed for the quarterly report. Shortly before Steve's transfer, there had apparently been a push to automate some of the processes with SAS, a tool much more suited to this sort of work than a behemoth of an Excel spreadsheet.

A colleague named Stu showed Steve the ropes. Stu admitted there was indeed a SAS process that claimed to do the same functions as The Spreadsheet, but nobody was using it because nobody trusted the numbers that came out of it.

Never the biggest fan of Excel, Steve decided to throw his weight behind the SAS process. He ran the SAS algorithms multiple times, giving the outputs to Stu to compare against the Excel spreadsheet output. The first three iterations, everything seemed to match exactly. On the fourth, however, Stu told him that one of the outputs was off by 0.2.

To some, this was vindication of The Spreadsheet; after all, why would they need some fancy-schmancy SAS process when Excel worked just fine? Steve wasn't so sure. An error in the code might lead to a big discrepancy, but this sounded more like a rounding error than anything else.

Steve tracked down the relevant documentation for Excel and SAS, and found that both used 64-bit floating point numbers on the 32-bit Windows machines that the calculations were run on. Given that all the calculations were addition and multiplication with no exponents, the mistake had to be in either the Excel code or the SAS code.

Steve stepped through the SAS process, ensuring that the intermediate outputs in SAS matched the accompanying cells in the Excel sheet. When he'd just about given up hope, he found the issue: a ROUND command, right at the end of the chain where it didn't belong.

All of the SAS code in the building had been written by a guy named Brian. Even after Steve had taken over writing SAS, people still sought out Brian for updates and queries, despite his having other work to do.

Steve had no choice but to do the same. He stopped by Brian's cube, knocking perfunctorily before asking, "Why is there a ROUND command at the end of the SAS?"

"There isn't. What?" replied Brian, clearly startled out of his thinking trance.

"No, look, there is," replied Steve, waving a printout. "Why is it there?"

"Oh. That." Brian shrugged. "Excel was displaying only one decimal place for some godforsaken reason, and they wanted the SAS output to be exactly the same."

"I should've known," said Steve, disgustedly. "Stu told me it matched, but it can't have been matching exactly this whole time, not with rounding in there."

"Sure, man. Whatever."

Sadly, Steve was transferred again before the next quarterly run—this time to a company doing proper statistical analysis, not just calculating a few figures for the quarterly presentation. He instructed Stu how to check to fifteen decimal places, but didn't hold out much hope that SAS would come to replace the Excel sheet.

Steve later ran into Stu at a coffee hour. He asked about how the replacement was going.

"I haven't had time to check the figures from SAS," Stu replied. "I'm too busy with The Spreadsheet as-is."

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Planet DebianNorbert Preining: Cinnamon 4.6 for Debian

After a few rounds of testing in experimental, I have uploaded Cinnamon 4.6 packages to Debian/unstable. Nothing spectacular new besides the usual stream of fixes. Enjoy the new Cinnamon!


CryptogramCOVID-19 Risks of Flying

I fly a lot. Over the past five years, my average speed has been 32 miles an hour. That all changed mid-March. It's been 105 days since I've been on an airplane -- longer than any other time in my adult life -- and I have no future flights scheduled. This is all a prelude to saying that I have been paying a lot of attention to the COVID-related risks of flying.

We know a lot more about how COVID-19 spreads than we did in March. The "less than six feet, more than ten minutes" model has given way to a much more sophisticated model involving airflow, the level of virus in the room, and the viral load in the person who might be infected.

Regarding airplanes specifically: on the whole, they seem safer than many other group activities. Of all the research about contact tracing results I have read, I have seen no stories of a sick person on an airplane infecting other passengers. There are no superspreader events involving airplanes. (That did happen with SARS.) It seems that the airflow inside the cabin really helps.

Airlines are trying to make things better: blocking middle seats, serving less food and drink, trying to get people to wear masks. (This video is worth watching.) I've started to see airlines requiring masks and banning those who won't, and not just strongly encouraging them. (If mask wearing is treated the same as the seat belt wearing, it will make a huge difference.) Finally, there are a lot of dumb things that airlines are doing.

This article interviewed 511 epidemiologists, and the general consensus was that flying is riskier than getting a haircut but less risky than eating in a restaurant. I think that most of the risk is pre-flight, in the airport: crowds at the security checkpoints, gates, and so on. And that those are manageable with mask wearing and situational awareness. So while I am not flying yet, I might be willing to soon. (It doesn't help that I get a -1 on my COVID saving throw for type A blood, and another -1 for male pattern baldness. On the other hand, I think I get a +3 Constitution bonus. Maybe, instead of sky marshals we can have high-level clerics on the planes.)

And everyone: wear a mask, and wash your hands.

EDITED TO ADD (6/27): Airlines are starting to crowd their flights again.


Krebs on SecurityRussian Cybercrime Boss Burkov Gets 9 Years

A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Photo: Andrei Shirokov / Tass via Getty Images.

Aleksei Burkov of St. Petersburg, Russia admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers.

As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.”

Burkov was arrested in 2015 on an international warrant while visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States.

When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned Israeli citizen Naama Issachar on trumped-up drug charges in a bid to trade prisoners. Nevertheless, Burkov was extradited to the United States in November 2019. Russian President Vladimir Putin pardoned Issachar in January 2020, just hours after Burkov pleaded guilty.

Arkady Bukh is a New York attorney who has represented a number of accused and convicted cybercriminals from Eastern Europe and Russia. Bukh said he suspects Burkov did not cooperate with Justice Department investigators apart from agreeing not to take the case to trial.

“Nine years is a huge sentence, and the government doesn’t give nine years to defendants who cooperate,” Bukh said. “Also, the time span [between Burkov’s guilty plea and sentencing] was very short.”

DirectConnection was something of a Who’s Who of major cybercriminals, and many of its most well-known members have likewise been extradited to and prosecuted by the United States. Those include Sergey “Fly” Vovnenko, who was sentenced to 41 months in prison for operating a botnet and stealing login and payment card data. Vovnenko also served as administrator of his own cybercrime forum, which he used in 2013 to carry out a plan to have Yours Truly framed for heroin possession.

As noted in last year’s profile of Burkov, an early and important member of DirectConnection was a hacker who went by the moniker “aqua” and ran the banking sub-forum on Burkov’s site. In December 2019, the FBI offered a $5 million bounty leading to the arrest and conviction of aqua, who’s been identified as Maksim Viktorovich Yakubets. The Justice Department says Yakubets/aqua ran a transnational cybercrime organization called “Evil Corp.” that stole roughly $100 million from victims.

In this 2011 screenshot of DirectConnection, we can see the nickname of “aqua,” who ran the “banking” sub-forum on DirectConecttion. Aqua, a.k.a. Maksim V. Yakubets of Russia, now has a $5 million bounty on his head from the FBI.

According to a statement of facts in Burkov’s case, the author of the infamous SpyEye banking trojan — Aleksandr “Gribodemon” Panin— was personally vouched for by Burkov. Panin was sentenced in 2016 to more than nine years in prison.

Other top DirectConnection members include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

Also on Friday, the Justice Department said it obtained a guilty plea from another top cybercrime forum boss — Sergey “Stells” Medvedev — who admitted to administering the Infraud forum. The government says Infraud, whose slogan was “In Fraud We Trust,” attracted more than 10,000 members and inflicted more than $568 million in actual losses from the sale of stolen identity information, payment card data and malware.

A copy of the 108-month judgment entered against Burkov is available here (PDF).

Planet Linux AustraliaDonna Benjamin: Vale Marcus de Rijk

Vale Marcus de Rijk kattekrab Sat, 27/06/2020 - 10:16


CryptogramFriday Squid Blogging: Fishing for Jumbo Squid

Interesting article on the rise of the jumbo squid industry as a result of climate change.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramThe Unintended Harms of Cybersecurity

Interesting research: "Identifying Unintended Harms of Cybersecurity Countermeasures":

Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity.The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex,multi-stakeholder challenges associated with the prevention of cyberbullying as an applied example. Our framework aims to illuminate harmful consequences, not to paralyze decision-making, but so that potential unintended harms can be more thoroughly considered in risk management strategies. The framework can support identification and preemptive planning to identify vulnerable populations and preemptively insulate them from harm. There are opportunities to use the framework in coordinating risk management strategy across stakeholders in complex cyberphysical environments.

Security is always a trade-off. I appreciate work that examines the details of that trade-off.

Worse Than FailureError'd: The Exception

Alex A. wrote, "Vivaldi only has two words for you when you forget to switch back to your everyday browser for email after testing a website in Edge."


"So was my profile successfully created wrongly, wrongly created successfully?" writes Francesco A.


"I will personally wait for next year's show at undefined, undefined, given the pandemic and everything," writes Drew W.


Bill T. wrote, "I'm not sure if Adobe is confused about me being me, or if they think that I could be schizophrenic."


"FedEx? There's something a little bit off about your website for me. Are you guys okay in there?" wrote Martin P.


"Winn-Dixie's 'price per each' algorithm isn't exactly wrong but it definitely isn't write either," Mark S. writes.


[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!


Krebs on SecurityNew Charges, Sentencing in Satori IoT Botnet Conspiracy

The U.S. Justice Department today charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced today to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy.

Indictments unsealed by a federal court in Alaska today allege 20-year-old Aaron Sterritt from Larne, Northern Ireland, and 21-year-old Logan Shwydiuk of Saskatoon, Canada conspired to build, operate and improve their IoT crime machines over several years.

Prosecutors say Sterritt, using the hacker aliases “Vamp” and “Viktor,” was the brains behind the computer code that powered several potent and increasingly complex IoT botnet strains that became known by exotic names such as “Masuta,” “Satori,” “Okiru” and “Fbot.”

Shwydiuk, a.k.a. “Drake,” “Dingle, and “Chickenmelon,” is alleged to have taken the lead in managing sales and customer support for people who leased access to the IoT botnets to conduct their own DDoS attacks.

A third member of the botnet conspiracy — 22-year-old Kenneth Currin Schuchman of Vancouver, Wash. — pleaded guilty in Sept. 2019 to aiding and abetting computer intrusions in September 2019. Schuchman, whose role was to acquire software exploits that could be used to infect new IoT devices, was sentenced today by a judge in Alaska to 18 months of community confinement and drug treatment, followed by three years of supervised release.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

The government says the defendants built and maintained their IoT botnets by constantly scanning the Web for insecure devices. That scanning primarily targeted devices that were placed online with weak, factory default settings and/or passwords. But the group also seized upon a series of newly-discovered security vulnerabilities in these IoT systems — commandeering devices that hadn’t yet been updated with the latest software patches.

Some of the IoT botnets enslaved hundreds of thousands of hacked devices. For example, by November 2017, Masuta had infected an estimated 700,000 systems, allegedly allowing the defendants to launch crippling DDoS attacks capable of hurling 100 gigabits of junk data per second at targets — enough firepower to take down many large websites.

In 2015, then 15-year-old Sterritt was involved in the high-profile hack against U.K. telecommunications provider TalkTalk. Sterritt later pleaded guilty to his part in the intrusion, and at his sentencing in 2018 was ordered to complete 50 hours of community service.

The indictments against Sterritt and Shwydiuk (PDF) do not mention specific DDoS attacks thought to have been carried out with the IoT botnets. In an interview today with KrebsOnSecurity, prosecutors in Alaska declined to discuss any of their alleged offenses beyond building, maintaining and selling the above-mentioned IoT botnets.

But multiple sources tell KrebsOnSecuirty Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

In 2018, authorities with the U.K.’s National Crime Agency (NCA) interviewed a suspect in connection with the Dyn attack, but ultimately filed no charges against the youth because all of his digital devices had been encrypted.

“The principal suspect of this investigation is a UK national resident in Northern Ireland,” reads a June 2018 NCA brief on their investigation into the Dyn attack (PDF), dubbed Operation Midmonth. “In 2018 the subject returned for interview, however there was insufficient evidence against him to provide a realistic prospect of conviction.”

The login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian Kreb’s [sic] 4head.” To be precise, it’s a 5head.

The unsealing of the indictments against Sterritt and Shwydiuk came just minutes after Schuchman was sentenced today. Schuchman has been confined to an Alaskan jail for the past 13 months, and Chief U.S. District Judge Timothy Burgess today ordered the sentence of 18 months community confinement to begin Aug. 1.

Community confinement in Schuchman’s case means he will spend most or all of that time in a drug treatment program. In a memo (PDF) released prior to Schuchman’s sentencing today, prosecutors detailed the defendant’s ongoing struggle with narcotics, noting that on multiple occasions he was discharged from treatment programs after testing positive for Suboxone — which is used to treat opiate addiction and is sometimes abused by addicts — and for possessing drug contraband.

The government’s sentencing memo also says Schuchman on multiple occasions absconded from pretrial supervision, and went right back to committing the botnet crimes for which he’d been arrested — even communicating with Sterritt about the details of the ongoing FBI investigation.

“Defendant’s performance on pretrial supervision has been spectacularly poor,” prosecutors explained. “Even after being interviewed by the FBI and put on restrictions, he continued to create and operate a DDoS botnet.”

Prosecutors told the judge that when he was ultimately re-arrested by U.S. Marshals, Schuchman was found at a computer in violation of the terms of his release. In that incident, Schuchman allegedly told his dad to trash his computer, before successfully encrypting his hard drive (which the Marshals service is still trying to decrypt). According to the memo, the defendant admitted to marshals that he had received and viewed videos of “juveniles engaged in sex acts with other juveniles.”

“The circumstances surrounding the defendant’s most recent re-arrest are troubling,” the memo recounts. “The management staff at the defendant’s father’s apartment complex, where the defendant was residing while on abscond status, reported numerous complaints against the defendant, including invitations to underage children to swim naked in the pool.”

Adam Alexander, assistant US attorney for the district of Alaska, declined to say whether the DOJ would seek extradition of Sterritt and Shwydiuk. Alexander said the success of these prosecutions is highly dependent on the assistance of domestic and international law enforcement partners, as well as a list of private and public entities named at the conclusion of the DOJ’s press release on the Schuchman sentencing (PDF).

However, a DOJ motion (PDF) to seal the case records filed back in September 2019 says the government is in fact seeking to extradite the defendants.

Chief Judge Burgess was the same magistrate who presided over the 2018 sentencing of the co-authors of Mirai, a highly disruptive IoT botnet strain whose source code was leaked online in 2016 and was built upon by the defendants in this case. Both Mirai co-authors were sentenced to community service and home confinement thanks to their considerable cooperation with the government’s ongoing IoT botnet investigations.

Asked whether he was satisfied with the sentence handed down against Schuchman, Alexander maintained it was more than just another slap on the wrist, noting that Schuchman has waived his right to appeal the conviction and faces additional confinement of two years if he absconds again or fails to complete his treatment.

“In every case the statutory factors have to do with the history of the defendants, who in these crimes tend to be extremely youthful offenders,” Alexander said. “In this case, we had a young man who struggles with mental health and really pronounced substance abuse issues. Contrary to what many people might think, the goal of the DOJ in cases like this is not to put people in jail for as long as possible but to try to achieve the best balance of safeguarding communities and affording the defendant the best possible chance of rehabilitation.”

William Walton, supervisory special agent for the FBI’s cybercrime investigation division in Anchorage, Ala., said he hopes today’s indictments and sentencing send a clear message to what he described as a relatively insular and small group of individuals who are still building, running and leasing IoT-based botnets to further a range of cybercrimes.

“One of the things we hope in our efforts here and in our partnerships with our international partners is when we identify these people, we want very much to hold them to account in a just but appropriate way,” Walton said. “Hopefully, any associates who are aspiring to fill the vacuum once we take some players off the board realize that there are going to be real consequences for doing that.”

TEDThe Audacious Project expands its support of pandemic relief and recovery work

The Audacious Project, a funding initiative housed at TED, is continuing its support of solutions tailored to COVID-19 rapid response and long-term recovery. As the COVID-19 pandemic continues to develop, The Audacious Project is committed to targeting key systems in crisis and supporting them as they rebuild better and with greater resilience. In this phase, more than 55 million dollars have been catalyzed towards Fast Grants, an initiative to accelerate COVID-19 related scientific research; GiveDirectly, which distributes unconditional cash transfers to those most in need; and Harlem Children’s Zone, one of the pioneers in neighborhood-specific “cradle-to-career” programs in support of low-income children and communities in the United States.

Accelerating our scientific understanding of COVID-19 and providing immediate relief to communities hardest hit by the virus are just two of the myriad challenges we must address in the face of this pandemic,” said Anna Verghese, Executive Director of The Audacious Project. “With our COVID-19 rapid response cohort, we are supporting organizations with real-world solutions that are actionable now. But that aid should extend beyond recovery, which is why we look forward to the work these organizations will continue to do to ensure better systems for the future.” 

Funding directed toward these three new initiatives is in addition to the more than 30 million dollars that was dedicated to Partners In Health, Project ECHO and World Central Kitchen for their COVID-19 rapid response work earlier this year.

Announcing three new projects in the Audacious COVID-19 response cohort

Fast Grants aims to accelerate funding for the development of treatments and vaccines and to further scientific understanding of COVID-19. (Photo courtesy of Fast Grants)

Fast Grants

The big idea: Though significant inroads have been made to advance our understanding of how the novel coronavirus spreads, and encouraging progress is underway in the development of vaccines and treatments, there are still many unknowns. We need to speed up the pace of scientific discovery in this area now more than ever, but the current systems for funding research do not meet this urgent need. Fast Grants is looking to solve that problem. They have created and are deploying a highly credible model to accelerate funding for the development of treatments and vaccines and to further scientific understanding of COVID-19. By targeting projects that demand greater speed and flexibility than traditional funding methods can offer, they will accelerate scientific discovery that can have an immediate impact and provide follow-on funding for promising early-stage discoveries.

How they’ll do it: Since March, Fast Grants has distributed 22 million dollars to fund 127 projects, leveraging a diverse panel of 20 experts to vet and review projects across a broad range of scientific disciplines. With Audacious funding, they will catalyze 80 to 115 research projects, accelerate timelines by as much as six to nine months and, in many cases, support projects that would otherwise go unfunded. This will accelerate research in testing, treatments, vaccines and many other areas critically needed to save lives and safely reopen economies. They will also build a community to share results and track progress while also connecting scientists to other funding platforms and research teams that can further advance the work. 

GiveDirectly helps families living in extreme poverty by making unconditional cash transfers to them via mobile phones. (Photo courtesy of Shutterstock)


The big idea: The COVID-19 pandemic could push more than 140 million people globally into extreme poverty. As the pandemic hampers humanitarian systems that typically address crises, the ability to deliver aid in person has never been more complicated. Enter GiveDirectly. For nearly a decade, they have provided no-strings-attached cash transfers to the world’s poorest people. Now they are leveraging the growth in the adoption of mobile technologies across Sub-Saharan Africa to design and deploy a breakthrough, fully remote model of humanitarian relief to respond to the COVID-19 crisis.

How they’ll do it: Over the next 12 months, GiveDirectly will scale their current model to provide unconditional cash transfers to more than 300,000 people who need it most. GiveDirectly will enroll and identify recipients without in-person contact, first using the knowledge of community-based organizations to identify and target beneficiaries within their existing networks, and second by leveraging data from national telephone companies to target those most in need. GiveDirectly will also systematize the underlying processes and algorithms so that they can be deployed for future disasters, thereby demonstrating a new model for rapid humanitarian relief.

Harlem Children’s Zone, one of the leading evidence-based, Black-led organizations in the US, is supercharging efforts to address Black communities’ most urgent needs and support recovery from the COVID-19 crisis. (Photo courtesy of Harlem Children’s Zone)

Harlem Children’s Zone

The big idea: In the United States, the coronavirus pandemic is disproportionately affecting Black communities. Not only are Black people being infected by the virus and dying at greater rates, the effects of the economic crisis are also hitting hardest vulnerable communities that were already facing a shrinking social safety net. At the onset of the pandemic, Harlem Children’s Zone (HCZ), one of the leading evidence-based, Black-led organizations in the US, pioneered a comprehensive approach to emergency response and recovery. The model is focused on five urgent areas: bridging the digital divide, preventing learning loss, mitigating the mental health crisis and providing economic relief and recovery.

How they’ll do it: Based in Harlem, New York, HCZ is leveraging deeply rooted community trust and best-in-class partners to deploy vital emergency relief and wrap-around support, including: health care information and protective gear to keep communities safe from the virus; quality, developmentally appropriate distance-learning resources, while developing plans for safe school reentry; and the provision of cash relief. They are also equipping backbone organizations across the US with the capacity to execute on a community-driven vision of their model nationally. They will be working side-by-side with leading, anchor institutions in six cities — Minneapolis, Oakland, Newark, Detroit, Chicago and Atlanta — to supercharge efforts to address Black communities’ most urgent needs and support recovery.

To learn more about The Audacious Project, visit

Sociological ImagesThe Hidden Cost of Your New Wardrobe

More than ever, people desire to buy more clothes. Pushed by advertising, we look for novelty and variety, amassing personal wardrobes unimaginable in times past. With the advent of fast fashion, brands like H&M and ZARA are able to provide low prices by cutting costs where consumers can’t see—textile workers are maltreated, and our environment suffers.

In this film, I wanted to play with the idea of fast fashion advertising and turn it on its head. I edited two different H&M look books to show what really goes into the garments they advertise and the fast fashion industry as a whole. I made this film for my Introduction to Sociology class after being inspired by a reading we did earlier in the semester.

Robert Reich’s (2007) book, Supercapitalism, discusses how we have “two minds,” one as a consumer/investor and another as a citizen. He explains that as a consumer, we want to spend as little money as possible while finding the best deals—shopping at stores like H&M. On the other hand, our “citizen mind” wants workers to be treated fairly and our environment to be protected. This film highlights fast fashion as an example of Reich’s premise of the conflict between our two minds—a conflict that is all too prevalent in our modern world with giant brands like Walmart and Amazon taking over consumer markets. I hope that by thinking about the fast fashion industry with a sociological mindset, we can see past the bargain prices and address what really goes on behind the scenes.

Graham Nielsen is a Swedish student studying an interdisciplinary concentration titled “Theory and Practice: Digital Media and Society” at Hamilton college. He’s interested in advertising, marketing, video editing, fashion, as well as film and television culture and video editing.

Read More:

Links to the original look books: Men Women

Kant, R. (2012) “Textile dyeing industry an environmental hazard.” Natural Science4, 22-26. doi: 10.4236/ns.2012.41004.

Annamma J., J. F. Sherry Jr, A. Venkatesh, J. Wang & R. Chan (2012) “Fast Fashion, Sustainability, and the Ethical Appeal of Luxury Brands.” Fashion Theory, 16:3, 273-295, DOI: 10.2752/175174112X13340749707123

Aspers, P., and F. Godart (2013) “Sociology of Fashion: Order and Change.” Annual Review of Sociology  39:1, 171-192

(View original at

CryptogramAnalyzing IoT Security Best Practices

New research: "Best Practices for IoT Security: What Does That Even Mean?" by Christopher Bellman and Paul C. van Oorschot:

Abstract: Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) "best practice" means, independent of meaningfully identifying specific individual practices. Confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. How do best practices, good practices, and standard practices differ? Or guidelines, recommendations, and requirements? Can something be a best practice if it is not actionable? We consider categories of best practices, and how they apply over the lifecycle of IoT devices. For concreteness in our discussion, we analyze and categorize a set of 1014 IoT security best practices, recommendations, and guidelines from industrial, government, and academic sources. As one example result, we find that about 70\% of these practices or guidelines relate to early IoT device lifecycle stages, highlighting the critical position of manufacturers in addressing the security issues in question. We hope that our work provides a basis for the community to build on in order to better understand best practices, identify and reach consensus on specific practices, and then find ways to motivate relevant stakeholders to follow them.

Back in 2017, I catalogued nineteen security and privacy guideline documents for the Internet of Things. Our problem right now isn't that we don't know how to secure these devices, it's that there is no economic or regulatory incentive to do so.

Worse Than FailureCodeSOD: Classic WTF: Pointless Revenge

As we enjoy some summer weather, we should take a moment to reflect on how we communicate with our peers. We should always do it with kindness, even when we really want revenge. Original -- Kind regards, Remy

We write a lot about unhealthy workplaces. We, and many of our readers, have worked in such places. We know what it means to lose our gruntle (becoming disgruntled). Some of us, have even been tempted to do something vengeful or petty to “get back” at the hostile environment.

Milton from 'Office Space' does not receive any cake during the a birthday celebration. He looks on, forlornly, while everyone else in the office enjoys cake.

But none of us actually have done it (I hope ?). It’s self defeating, it doesn’t actually make anything better, and even if the place we’re working isn’t, we are professionals. While it’s a satisfying fantasy, the reality wouldn’t be good for anyone. We know better than that.

Well, most of us know better than that. Harris M’s company went through a round of layoffs while flirting with bankruptcy. It was a bad time to be at the company, no one knew if they’d have a job the next day. Management constantly issued new edicts, before just as quickly recanting them, in a panicked case of somebody-do-something-itis. “Bob” wasn’t too happy with the situation. He worked on a reporting system that displayed financial data. So he hid this line in one of the main include files:

#define double float
//Kind Regards, Bob

This created some subtle bugs. It was released, and it was months before anyone noticed that the reports weren’t exactly reconciling with the real data. Bob was long gone, by that point, and Harris had to clean up the mess. For a company struggling to survive, it didn’t help or improve anything. But I’m sure Bob felt better.

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

MEHow Will the Pandemic Change Things?

The Bulwark has an interesting article on why they can’t “Reopen America” [1]. I wonder how many changes will be long term. According to the Wikipedia List of Epidemics [2] Covid-19 so far hasn’t had a high death toll when compared to other pandemics of the last 100 years. People’s reactions to this vary from doing nothing to significant isolation, the question is what changes in attitudes will be significant enough to change society.


One thing that has been happening recently is a transition in transport. It’s obvious that we need to reduce CO2 and while electric cars will address the transport part of the problem in the long term changing to electric public transport is the cheaper and faster way to do it in the short term. Before Covid-19 the peak hour public transport in my city was ridiculously overcrowded, having people unable to board trams due to overcrowding was really common. If the economy returns to it’s previous state then I predict less people on public transport, more traffic jams, and many more cars idling and polluting the atmosphere.

Can we have mass public transport that doesn’t give a significant disease risk? Maybe if we had significantly more trains and trams and better ventilation with more airflow designed to suck contaminated air out. But that would require significant engineering work to design new trams, trains, and buses as well as expense in refitting or replacing old ones.

Uber and similar companies have been taking over from taxi companies, one major feature of those companies is that the vehicles are not dedicated as taxis. Dedicated taxis could easily be designed to reduce the spread of disease, the famed Black Cab AKA Hackney Carriage [3] design in the UK has a separate compartment for passengers with little air flow to/from the driver compartment. It would be easy to design such taxis to have entirely separate airflow and if setup to only take EFTPOS and credit card payment could avoid all contact between the driver and passengers. I would prefer to have a Hackney Carriage design of vehicle instead of a regular taxi or Uber.

Autonomous cars have been shown to basically work. There are some concerns about safety issues as there are currently corner cases that car computers don’t handle as well as people, but of course there are also things computers do better than people. Having an autonomous taxi would be a benefit for anyone who wants to avoid other people. Maybe approval could be rushed through for autonomous cars that are limited to 40Km/h (the maximum collision speed at which a pedestrian is unlikely to die), in central city areas and inner suburbs you aren’t likely to drive much faster than that anyway.

Car share services have been becoming popular, for many people they are significantly cheaper than owning a car due to the costs of regular maintenance, insurance, and depreciation. As the full costs of car ownership aren’t obvious people may focus on the disease risk and keep buying cars.

Passenger jets are ridiculously cheap. But this relies on the airline companies being able to consistently fill the planes. If they were to add measures to reduce cross contamination between passengers which slightly reduces the capacity of planes then they need to increase ticket prices accordingly which then reduces demand. If passengers are just scared of flying in close proximity and they can’t fill planes then they will have to increase prices which again reduces demand and could lead to a death spiral. If in the long term there aren’t enough passengers to sustain the current number of planes in service then airline companies will have significant financial problems, planes are expensive assets that are expected to last for a long time, if they can’t use them all and can’t sell them then airline companies will go bankrupt.

It’s not reasonable to expect that the same number of people will be travelling internationally for years (if ever). Due to relying on economies of scale to provide low prices I don’t think it’s possible to keep prices the same no matter what they do. A new economic balance of flights costing 2-3 times more than we are used to while having significantly less passengers seems likely. Governments need to spend significant amounts of money to improve trains to take over from flights that are cancelled or too expensive.


The article on The Bulwark mentions Las Vegas as a city that will be hurt a lot by reductions in travel and crowds, the same thing will happen to tourist regions all around the world. Australia has a significant tourist industry that will be hurt a lot. But the mention of Las Vegas makes me wonder what will happen to the gambling in general. Will people avoid casinos and play poker with friends and relatives at home? It seems that small stakes poker games among friends will be much less socially damaging than casinos, will this be good for society?

The article also mentions cinemas which have been on the way out since the video rental stores all closed down. There’s lots of prime real estate used for cinemas and little potential for them to make enough money to cover the rent. Should we just assume that most uses of cinemas will be replaced by Netflix and other streaming services? What about teenage dates, will kissing in the back rows of cinemas be replaced by “Netflix and chill”? What will happen to all the prime real estate used by cinemas?

Professional sporting matches have been played for a TV-only audience during the pandemic. There’s no reason that they couldn’t make a return to live stadium audiences when there is a vaccine for the disease or the disease has been extinguished by social distancing. But I wonder if some fans will start to appreciate the merits of small groups watching large TVs and not want to go back to stadiums, can this change the typical behaviour of groups?

Restaurants and cafes are going to do really badly. I previously wrote about my experience running an Internet Cafe and why reopening businesses soon is a bad idea [4]. The question is how long this will go for and whether social norms about personal space will change things. If in the long term people expect 25% more space in a cafe or restaurant that’s enough to make a significant impact on profitability for many small businesses.

When I was young the standard thing was for people to have dinner at friends homes. Meeting friends for dinner at a restaurant was uncommon. Recently it seemed to be the most common practice for people to meet friends at a restaurant. There are real benefits to meeting at a restaurant in terms of effort and location. Maybe meeting friends at their home for a delivered dinner will become a common compromise, avoiding the effort of cooking while avoiding the extra expense and disease risk of eating out. Food delivery services will do well in the long term, it’s one of the few industry segments which might do better after the pandemic than before.


Many companies are discovering the benefits of teleworking, getting it going effectively has required investing in faster Internet connections and hardware for employees. When we have a vaccine the equipment needed for teleworking will still be there and we will have a discussion about whether it should be used on a more routine basis. When employees spend more than 2 hours per day travelling to and from work (which is very common for people who work in major cities) that will obviously limit the amount of time per day that they can spend working. For the more enthusiastic permanent employees there seems to be a benefit to the employer to allow working from home. It’s obvious that some portion of the companies that were forced to try teleworking will find it effective enough to continue in some degree.

One company that I work for has quit their coworking space in part because they were concerned that the coworking company might go bankrupt due to the pandemic. They seem to have become a 100% work from home company for the office part of the work (only on site installation and stock management is done at corporate locations). Companies running coworking spaces and other shared offices will suffer first as their clients have short term leases. But all companies renting out office space in major cities will suffer due to teleworking. I wonder how this will affect the companies providing services to the office workers, the cafes and restaurants etc. Will there end up being so much unused space in central city areas that it’s not worth converting the city cinemas into useful space?

There’s been a lot of news about Zoom and similar technologies. Lots of other companies are trying to get into that business. One thing that isn’t getting much notice is remote access technologies for desktop support. If the IT people can’t visit your desk because you are working from home then they need to be able to remotely access it to fix things. When people make working from home a large part of their work time the issue of who owns peripherals and how they are tracked will get interesting. In a previous blog post I suggested that keyboards and mice not be treated as assets [5]. But what about monitors, 4G/Wifi access points, etc?

Some people have suggested that there will be business sectors benefiting from the pandemic, such as telecoms and e-commerce. If you have a bunch of people forced to stay home who aren’t broke (IE a large portion of the middle class in Australia) they will probably order delivery of stuff for entertainment. But in the long term e-commerce seems unlikely to change much, people will spend less due to economic uncertainty so while they may shift some purchasing to e-commerce apart from home delivery of groceries e-commerce probably won’t go up overall. Generally telecoms won’t gain anything from teleworking, the Internet access you need for good Netflix viewing is generally greater than that needed for good video-conferencing.


I previously wrote about a Basic Income for Australia [6]. One of the most cited reasons for a Basic Income is to deal with robots replacing people. Now we are at the start of what could be a long term economic contraction caused by the pandemic which could reduce the scale of the economy by a similar degree while also improving the economic case for a robotic workforce. We should implement a Universal Basic Income now.

I previously wrote about the make-work jobs and how we could optimise society to achieve the worthwhile things with less work [7]. My ideas about optimising public transport and using more car share services may not work so well after the pandemic, but the rest should work well.


There are a number of big companies that are not aiming for profitability in the short term. WeWork and Uber are well documented examples. Some of those companies will hopefully go bankrupt and make room for more responsible companies.

The co-working thing was always a precarious business. The companies renting out office space usually did so on a monthly basis as flexibility was one of their selling points, but they presumably rented buildings on an annual basis. As the profit margins weren’t particularly high having to pay rent on mostly empty buildings for a few months will hurt them badly. The long term trend in co-working spaces might be some sort of collaborative arrangement between the people who run them and the landlords similar to the way some of the hotel chains have profit sharing agreements with land owners to avoid both the capital outlay for buying land and the risk involved in renting. Also city hotels are very well equipped to run office space, they have the staff and the procedures for running such a business, most hotels also make significant profits from conventions and conferences.

The way the economy has been working in first world countries has been about being as competitive as possible. Just in time delivery to avoid using storage space and machines to package things in exactly the way that customers need and no more machines than needed for regular capacity. This means that there’s no spare capacity when things go wrong. A few years ago a company making bolts for the car industry went bankrupt because the car companies forced the prices down, then car manufacture stopped due to lack of bolts – this could have been a wake up call but was ignored. Now we have had problems with toilet paper shortages due to it being packaged in wholesale quantities for offices and schools not retail quantities for home use. Food was destroyed because it was created for restaurant packaging and couldn’t be packaged for home use in a reasonable amount of time.

Farmer’s markets alleviate some of the problems with packaging food etc. But they aren’t a good option when there’s a pandemic as disease risk makes them less appealing to customers and therefore less profitable for vendors.


Many religious groups have supported social distancing. Could this be the start of more decentralised religion? Maybe have people read the holy book of their religion and pray at home instead of being programmed at church? We can always hope.


CryptogramCryptocurrency Pump and Dump Scams

Really interesting research: "An examination of the cryptocurrency pump and dump ecosystem":

Abstract: The surge of interest in cryptocurrencies has been accompanied by a proliferation of fraud. This paper examines pump and dump schemes. The recent explosion of nearly 2,000 cryptocurrencies in an unregulated environment has expanded the scope for abuse. We quantify the scope of cryptocurrency pump and dump schemes on Discord and Telegram, two popular group-messaging platforms. We joined all relevant Telegram and Discord groups/channels and identified thousands of different pumps. Our findings provide the first measure of the scope of such pumps and empirically document important properties of this ecosystem.

Worse Than FailureTales from the Interview: Classic WTF: Slightly More Sociable

As we continue our vacation, this classic comes from the ancient year of 2007, when "used to being the only woman in my engineering and computer science classes" was a much more common phrase. Getting a job can feel competitive, but there are certain ways you can guarantee you're gonna lose that competition. Original --Remy

Today’s Tale from the Interview comes from Shanna...

Fresh out of college, and used to being the only woman in my engineering and computer science classes, I wasn't quite sure what to expect in the real world. I happily ended up finding a development job in a company which was nowhere near as unbalanced as my college classes had been. The company was EXTREMELY small and the entire staff, except the CEO, was in one office. I ended up sitting at a desk next to the office admin, another woman who was hired a month or two after me.

A few months after I was hired, we decided we needed another developer. I found out then that there was another person who had been up for my position who almost got it instead of me. He was very technically skilled, but ended up not getting the position because I was more friendly and sociable. My boss decided to call him back in for another interview because it had been a very close decision, and they wanted to give him another chance. He was still looking for a full-time job, so he said he'd be happy to come in again. The day he showed up, he looked around the office, and then he and my boss went in to the CEO's office to discuss the position again.

The interview seemed to be going well, and he was probably on track for getting the position. Then he asked my boss, "So, did you ever end up hiring a developer last time you were looking?" My boss answered "Oh, yeah, we did." The interviewee stopped for a second and, because he'd noticed that the only different faces in the main office were myself and the office admin, said "You mean, you hired one of those GIRLS out there?"

Needless to say, the interview ended quickly after that, and he didn't get the position.

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!


Sociological ImagesRacism & Hate Crimes in a Pandemic

Despite calls to physically distance, we are still seeing reports of racially motivated hate crimes in the media. Across the United States, anti-Asian discrimination is rearing its ugly head as people point fingers to blame the global pandemic on a distinct group rather than come to terms with underfunded healthcare systems and poorly-prepared governments.

Governments play a role in creating this rhetoric. Blaming racialized others for major societal problems is a feature of populist governments. One example is Donald Trump’s use of the phrase “Chinese virus” to describe COVID-19. Stirring up racialized resentment is a political tactic used to divert responsibility from the state by blaming racialized members of the community for a global virus. Anti-hate groups are increasingly concerned that the deliberate dehumanization of Asian populations by the President may also fuel hate as extremist groups take this opportunity to create social division.

Unfortunately, this is not new and it is not limited to the United States. During the SARS outbreak there were similar instances of institutional racism inherent in Canadian political and social structures as Chinese, Southeast and East Asian Canadians felt isolated at work, in hospitals, and even on public transportation. As of late May in Vancouver British Columbia Canada, there have been 29 cases of anti-Asian hate crimes.

In this crisis, it is easier for governments to use racialized people as scapegoats than to admit decisions to defund and underfund vital social and healthcare resources. By stoking racist sentiments already entrenched in the Global North, the Trump administration shifts the focus from the harm their policies will inevitably cause, such their willingness to cut funding for the CDC and NIH.

Sociological research shows how these tactics become more widespread as politicians use social media to communicate directly with citizens. creating instantaneous polarizing content. Research has also shown an association between hate crimes in the United States and anti-Muslim rhetoric expressed by Trump as early as 2015. Racist sentiments expressed by politicians have a major impact on the attitudes of the general population, because they excuse and even promote blame toward racialized people, while absolving blame from governments that have failed to act on social issues.     

Kayla Preston is an incoming PhD student in the department of sociology at the University of Toronto. Her research centers on right-wing extremism and deradicalization.

(View original at

CryptogramNation-State Espionage Campaigns against Middle East Defense Contractors

Report on espionage attacks using LinkedIn as a vector for malware, with details and screenshots. They talk about "several hints suggesting a possible link" to the Lazarus group (aka North Korea), but that's by no means definite.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In our investigation, we've seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.

Detailed report.

Worse Than FailureClassic WTF: The Developmestuction Environment

We continue to enjoy a brief respite from mining horrible code and terrible workplaces. This classic includes this line: "It requires that… Adobe Indesign is installed on the web server." Original --Remy

Have you ever thought what it would take for you to leave a new job after only a few days? Here's a fun story from my colleague Jake Vinson, whose co-worker of three days would have strongly answered "this."

One of the nice thing about externalizing connection strings is that it's easy to duplicate a database, duplicate the application's files, change the connection string to point to the new database, and bam, you've got a test environment.

From the programmer made famous by tblCalendar and the query string parameter admin=false comes what I think is the most creatively stupid implementation of a test environment ever.

We needed a way to show changes during development of an e-commerce web site to our client. Did our programmer follow a normal method like the one listed above? It might surprise you to find out that no, he didn't.

Instead, we get this weird mutant development/test/production environment (or "developmestuction," as I call it) for not only the database, but the ASP pages. My challenge to you, dear readers, is to identify a step of the way in which there could've been a worse way to do things. I look forward to reading the comments on this post.

Take, for example, a page called productDetail.asp. Which is the test page? Why, productDetail2.asp, of course! Or perhaps test_productDetail.asp. Or perhaps if another change branched off of that, test_productDetail2.asp, or productDetail2_t.asp, or t_pD2.asp.

And the development page? productDetaildev.asp. When the changes were approved, instead of turning t_pD2.asp to productDetail.asp, the old filenames were kept, along with the old files. That means that all links to productDetail.asp became links to t_pD2.asp once they were approved. Except in places that were forgotten, or not included in the sitewide search-and-replace.

As you may've guessed, there are next to no comments, aside from the occasional ...

' Set strS2f to false
strS2f = false

Note: I've never seen more than one comment on any of the pages.

Additional note: I've never seen more than zero comments that are even remotely helpful on any of the pages

OK, so the file structure is next to impossible to understand, especially to the poor new developer we'd hired who just stopped showing up to work after 3 days on this particular project.

What was it that drove him over the edge? Well, if the arrangement of the pages wasn't enough, the database used the same conventions (as in, randomly using test_tblProducts, or tblTestProducts, tblTestProductsFinal, or all of them). Of course, what if we need a test column, rather than a whole table? Flip a coin, if it's heads, create another tblTestWhatever, or if it's tails, just add a column to the production table called test_ItemID. Oh, and there's another two copies of the complete test database, which may or may not be used.

You think I'm done, right? Wrong. All of these inconsistencies in naming are handled individually, in code on the ASP pages. For the table names that follow some remote semblance of a consistent naming convention, the table name is stored in an unencrypted cookie, which is read into dynamic SQL queries. I imagine it goes without saying that all SQL queries were dynamic with no attempts to validate the data or replace quotes.

Having personally seen this system, I want to share a fun little fact about it. It requires that, among a handful of other desktop applications, Adobe Indesign is installed on the web server. I'll leave it to your imagination as to what it could possibly require that for and the number of seconds between each interval that it opens and closes it.
[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

MESquirrelmail vs Roundcube

For some years I’ve had SquirrelMail running on one of my servers for the people who like such things. It seems that the upstream support for SquirrelMail has ended (according to the SquirrelMail Wikipedia page there will be no new releases just Subversion updates to fix bugs). One problem with SquirrelMail that seems unlikely to get fixed is the lack of support for base64 encoded From and Subject fields which are becoming increasingly popular nowadays as people who’s names don’t fit US-ASCII are encoding them in their preferred manner.

I’ve recently installed Roundcube to provide an alternative. Of course one of the few important users of webmail didn’t like it (apparently it doesn’t display well on a recent Samsung Galaxy Note), so now I have to support two webmail systems.

Below is a little Perl script to convert a SquirrelMail abook file into the csv format used for importing a RoundCube contact list.


print "First Name,Last Name,Display Name,E-mail Address\n";
  my @fields = split(/\|/, $_);
  printf("%s,%s,%s %s,%s\n", $fields[1], $fields[2], $fields[0], $fields[4], $fields[3]);


Cory DoctorowSomeone Comes to Town, Someone Leaves Town (part 07)

Here’s part seven of my new reading of my novel Someone Comes to Town, Someone Leaves Town (you can follow all the installments, as well as the reading I did in 2008/9, here).

This is easily the weirdest novel I ever wrote. Gene Wolfe (RIP) gave me an amazing quote for it: “Someone Comes to Town, Someone Leaves Town is a glorious book, but there are hundreds of those. It is more. It is a glorious book unlike any book you’ve ever read.”

Here’s how my publisher described it when it came out:

Alan is a middle-aged entrepeneur who moves to a bohemian neighborhood of Toronto. Living next door is a young woman who reveals to him that she has wings—which grow back after each attempt to cut them off.

Alan understands. He himself has a secret or two. His father is a mountain, his mother is a washing machine, and among his brothers are sets of Russian nesting dolls.

Now two of the three dolls are on his doorstep, starving, because their innermost member has vanished. It appears that Davey, another brother who Alan and his siblings killed years ago, may have returned, bent on revenge.

Under the circumstances it seems only reasonable for Alan to join a scheme to blanket Toronto with free wireless Internet, spearheaded by a brilliant technopunk who builds miracles from scavenged parts. But Alan’s past won’t leave him alone—and Davey isn’t the only one gunning for him and his friends.

Whipsawing between the preposterous, the amazing, and the deeply felt, Cory Doctorow’s Someone Comes to Town, Someone Leaves Town is unlike any novel you have ever read.


CryptogramIdentifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other Internet Bread Crumbs

Interesting story of how the police can identify someone by following the evidence chain from website to website.

According to filings in Blumenthal's case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30.

It showed the woman, in flame-retardant gloves, grabbing a burning piece of a police barricade that had already been used to set one squad car on fire and tossing it into the police SUV parked nearby. Within seconds, that car was also engulfed in flames.

Investigators discovered other images depicting the same scene on Instagram and the video sharing website Vimeo. Those allowed agents to zoom in and identify a stylized tattoo of a peace sign on the woman's right forearm.

Scouring other images ­-- including a cache of roughly 500 photos of the Philly protest shared by an amateur photographer ­-- agents found shots of a woman with the same tattoo that gave a clear depiction of the slogan on her T-shirt.


That shirt, agents said, was found to have been sold only in one location: a shop on Etsy, the online marketplace for crafters, purveyors of custom-made clothing and jewelry, and other collectibles....

The top review on her page, dated just six days before the protest, was from a user identifying herself as "Xx Mv," who listed her location as Philadelphia and her username as "alleycatlore."

A Google search of that handle led agents to an account on Poshmark, the mobile fashion marketplace, with a user handle "lore-elisabeth." And subsequent searches for that name turned up Blumenthal's LinkedIn profile, where she identifies herself as a graduate of William Penn Charter School and several yoga and massage therapy training centers.

From there, they located Blumenthal's Jenkintown massage studio and its website, which featured videos demonstrating her at work. On her forearm, agents discovered, was the same distinctive tattoo that investigators first identified on the arsonist in the original TV video.

The obvious moral isn't a new one: don't have a distinctive tattoo. But more interesting is how different pieces of evidence can be strung together in order to identify someone. This particular chain was put together manually, but expect machine learning techniques to be able to do this sort of thing automatically -- and for organizations like the NSA to implement them on a broad scale.

Another article did a more detailed analysis, and concludes that the Etsy review was the linchpin.

Note to commenters: political commentary on the protesters or protests will be deleted. There are many other forums on the Internet to discuss that.

Worse Than FailureClassic WTF: A Gassed Pump

Wow, it's summer. Already? We're taking a short break this week at TDWTF, and reaching back through the archives for some classic stories. If you've cancelled your road trip this year, make a vicarious stop at a filthy gas station with this old story. Original --Remy

“Staff augmentation,” was a fancy way of saying, “hey, contractors get more per hour, but we don’t have to provide benefits so they are cheaper,” but Stuart T was happy to get more per hour, and even happier to know that he’d be on to his next gig within a few months. That was how he ended up working for a national chain of gas-station/convenience stores. His job was to build a “new mobile experience for customer loyalty” (aka, wrapping their website up as an app that can also interact with QR codes).

At least, that’s what he was working on before Miranda stormed into his cube. “Stuart, we need your help. ProdTrack is down, and I can’t fix it, because I’ve got to be at a mandatory meeting in ten minutes.”

A close-up of a gas pump

ProdTrack was their inventory system that powered their point-of-sale terminals. For it to be down company wide was a big problem, and essentially rendered most of their stores inoperable. “Geeze, what mandatory meeting is more important than that?”

“The annual team-building exercise,” Miranda said, using a string of profanity for punctuation. “They’ve got a ‘no excuses’ policy, so I have to go, ‘or else’, but we also need to get this fixed.”

Miranda knew exactly what was wrong. ProdTrack could only support 14 product categories. But one store- store number 924- had decided that they needed 15. So they added a 15th category to the database, threw a few products into the category, and crossed their fingers. Now, all the stores were crashing.

“You’ll need to look at the StoreSQLUpdates and the StoreSQLUpdateStatements tables,” Miranda said. “And probably dig into the ProductDataPump.exe app. Just do a quick fix- we’re releasing an update supports any number of categories in three weeks or so, we just need to hold this together till then.”

With that starting point, Stuart started digging in. First, he puzzled over the tables Miranda had mentioned. StoreSQLUpdates looked like this:

145938DELETE FROM SupplierInfo90
148939INSERT INTO ProductInfo VALUES(12348, 3, 6)112

Was this an audit tables? What was StoreSQLUpdateStatements then?

168597INSERT INTO StoreSQLUpdates(statement, statement_order) VALUES (‘DELETE FROM SupplierInfo’, 90)
168598INSERT INTO StoreSQLUpdates(statement, statement_order) VALUES (‘INSERT INTO ProductInfo VALUES(12348, 3, 6)’, 112)

Stuart stared at his screen, and started asking questions. Not questions about what he was looking at, but questions about the life choices that had brought him to this point, questions about whether it was really that bad an idea to start drinking at work, and questions about the true nature of madness- if the world was mad, and he was the only sane person left, didn’t that make him the most insane person of all?

He hoped the mandatory team building exercise was the worst experience of Miranda’s life, as he sent her a quick, “WTF?” email message. She obviously still had her cellphone handy, as she replied minutes later:

Oh, yeah, that’s for data-sync. Retail locations have flaky internet, and keep a local copy of the data. That’s what’s blowing up. Check ProductDataPump.exe.

Stuart did. ProductDataPump.exe was a VB.Net program in a single file, with one beautifully named method, RunIt, that contained nearly 2,000 lines of code. Some saintly soul had done him the favor of including a page of documentation at the top of the method, and it started with an apology, then explained the data flow.

Here’s what actually happened: a central database at corporate powered ProdTrack. When any data changed there, those changes got logged into StoreSQLUpdateStatements. A program called ProductDataShift.exe scanned that table, and when new rows appeared, it executed the statements in StoreSQLUpdateStatements (which placed the actual DML commands into StoreSQLUpdates).

Once an hour, ProductDataPump.exe would run. It would attempt to connect to each retail location. If it could, it would read the contents of the central StoreSQLUpdates and the local StoreSQLUpdates, sorting by the order column, and through a bit of faith and luck, would hopefully synchronize the two databases.

Buried in the 2,000 line method, at about line 1,751, was a block that actually executed the statements:

If bolUseSQL Then
    For Each sTmp As String In sProductsTableSQL
        sTmp = sTmp.Trim()
        If sTmp <> "" Then
            SQLUpdatesSQL(lngIDSQL, sTmp, dbQR5)
        End If
    Next sTmp
End If

Once he was done screaming at the insanity of the entire process, Stuart looked at the way product categories worked. Store 924 didn’t carry anything in the ALCOHOL category, due to state Blue Laws, but had added a PRODUCE category. None of the other stores had a PRODUCE category (if they carried any produce, they just put it in PREPARED_FOODS). Fixing the glitch that caused the application to crash when it had too many categories would take weeks, at least- and Miranda already told him a fix was coming. All he had to do was keep it from crashing until then.

Into the StoreSQLUpdates table, he added a DELETE statement that would delete every category that contained zero items. That would fix the immediate problem, but when the ProductDataPump.exe ran, it would just copy the broken categories back around. So Stuart patched the program with the worst fix he ever came up with.

If bolUseSQL Then
    For Each sTmp As String In sProductsTableSQL
        sTmp = sTmp.Trim()
        If sTmp <> "" Then
            If nStoreNumber = 924 And sTmp.Contains("ALCOHOL") Then
                Continue For
            ElseIf nStoreNumber <> 924 And sTmp.Contains("PRODUCE") Then
                Continue For
                SQLUpdatesSQL(lngIDSQL, sTmp, dbQR5)
            End If
        End If
    Next sTmp
End If
[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

Krebs on Security‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.

The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.

A partial screenshot of the BlueLeaks data cache.

In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

Fusion centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.

KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

“Additionally, the data dump contains emails and associated attachments,” the alert reads. “Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

The NFCA said it appears the data published by BlueLeaks was taken after a security breach at Netsential, a Houston-based web development firm.

“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA wrote. “Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

Reached via phone Sunday evening, Netsential Director Stephen Gartrell declined to comment for this story.

The NFCA said a variety of cyber threat actors, including nation-states, hacktivists, and financially-motivated cybercriminals, might seek to exploit the data exposed in this breach to target fusion centers and associated agencies and their personnel in various cyber attacks and campaigns.

The BlueLeaks data set was released June 19, also known as “Juneteenth,” the oldest nationally celebrated commemoration of the ending of slavery in the United States. This year’s observance of the date has generated renewed public interest in the wake of widespread protests against police brutality and the filmed killing of George Floyd at the hands of Minneapolis police.

Stewart Baker, an attorney at the Washington, D.C. office of Steptoe & Johnson LLP and a former assistant secretary of policy at the U.S. Department of Homeland Security, said the BlueLeaks data is unlikely to shed much light on police misconduct, but could expose sensitive law enforcement investigations and even endanger lives.

“With this volume of material, there are bound to be compromises of sensitive operations and maybe even human sources or undercover police, so I fear it will put lives at risk,” Baker said. “Every organized crime operation in the country will likely have searched for their own names before law enforcement knows what’s in the files, so the damage could be done quickly. I’d also be surprised if the files produce much scandal or evidence of police misconduct. That’s not the kind of work the fusion centers do.”


Planet Linux AustraliaDavid Rowe: Open IP over VHF/UHF

I’ve recently done a lot of work on the Codec 2 FSK modem, here is the new README_fsk. It now works at lower SNRs, has been refactored, and is supported by a suite of automated tests.

There is some exciting work going on with Codec 2 modems and VHF/UHF IP links using TAP/TUN (thanks Tomas and Jeroen) – a Linux technology for building IP links from user space “data pumps” – like the Codec 2 modems.

My initial goal for this work is a “100 kbit/s IP link” for VHF/UHF using Codec 2 modems and SDR. One application is moving Ham Radio data past the 1995-era “9600 bits/s data port” paradigm to real time IP.

I’m also interested in IP over TV Whitespace (spare VHF/UHF spectrum) for emergency and developing world applications. I’m a judge for developing world IT grants and the “last 100km” problem comes up again and again. This solution requires just a Raspberry Pi and RTLSDR. At these frequencies antennas could be simply fabricated from wire (cut for the frequency of operation), and soldered directly to the Pi.

Results and Link Budget

As a first step, I’ve taken another look at using RpiTx for FSK, this time at VHF and starting at a modest 10 kbits/s. Over the weekend I performed some Minimum Detectable Signal (MDS) tests and confirmed the 2FSK modem built with RpiTx, a RTL-SDR, and the Codec 2 modem is right on theory at 10 kbits/s, with a MDS of -120dBm.

Putting this in context, a UHF signal has a path loss of 125dB over 100km. So if you have a line of site path, a 10mW (10dBm) signal will be 10-125 = -115dBm at your receiver (assuming basic 0dBi antennas). As -115dBm is greater than the -120dBm MDS, this means your data will be received error free (especially when we add forward error correction). We have sufficient “link margin” and the “link” is closed.

While our 10 kbits/s starting point doesn’t sound like much – even at that rate we get to send 10000*3600*24/8/140 = 771,000 140 byte text messages each day to another station on your horizon. That’s a lot of connectivity in an emergency or when the alternative where you live is nothing.


I’m using the GitHub PR as a logbook for the work, I quite like GitHub and Markdown. This weekends MDS experiments start here.

I had the usual fun and games with attenuating the Rx signal from the Pi down to -120dBm. The transmit signal tries hard to leak around the attenuators via a RF path. I moved the unshielded Pi into another room, and built a “plastic bag and aluminium foil” Faraday cage which worked really well:

These are complex systems and many things can go wrong. Are your Tx/Rx sample clocks close enough? Is your rx signal clipping? Is the gain of your radio sufficient to reduce quantisation noise? Bug in your modem code? DC line in your RTLSDR signal? Loose SMA connector?

I’ve learnt the hard way to test very carefully at each step. First, I run off air samples through a non-real time modem Octave simulation to visualise what’s going on inside the modem. A software oscilloscope.

An Over the Cable (OTC) test is essential before trying Over the Air (OTA) as it gives you a controlled environment to spot issues. MDS tests that measure the Bit error Rate (BER) are also excellent, they effectively absorb every factor in the system and give you an overall score (the Bit Error Rate) you can compare to theory.

Spectral Purity

Here is the spectrum of the FSK signal for a …01010… sequence at 100 kbit/s, at two resolution bandwidths:

The Tx power is about 10dBm, this plot is after some attenuation. I haven’t carefully checked the spurious levels, but the above looks like around -40dBc (off a low 10mW EIRP) over this 1MHz span. If I am reading the Australian regulations correctly (Section 7A of the Amateur LCD) the requirement is 43+10log(P) = 43+10log10(0.01) = 23dBc, so we appear to pass.


This is “extreme open source”. The transmitter is software, the modem is software. All open source and free as in beer and speech. No chipsets or application specific radio hardware – just some CPU cycles and a down converter supplied by the Pi and RTLSDR. The only limits are those of physics – which we have reached with the MDS tests.

Reading Further

FSK modem support for TAP/TUN – GitHub PR for this work
Testing a RTL-SDR with FSK on HF
High Speed Balloon Data Links
Codec 2 FSK modem README – includes lots of links and sample applications.


CryptogramFriday Squid Blogging: Giant Squid Washes Up on South African Beach

Fourteen feet long and 450 pounds. It was dead before it washed up.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Krebs on SecurityTurn on MFA Before Crooks Do It For You

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident.

As a career chief privacy officer for different organizations, Dennis Dayman has tried to instill in his twin boys the importance of securing their online identities against account takeovers. Both are avid gamers on Microsoft’s Xbox platform, and for years their father managed their accounts via his own Microsoft account. But when the boys turned 18, they converted their child accounts to adult, effectively taking themselves out from under their dad’s control.

On a recent morning, one of Dayman’s sons found he could no longer access his Xbox account. The younger Dayman admitted to his dad that he’d reused his Xbox profile password elsewhere, and that he hadn’t enabled multi-factor authentication for the account.

When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account. When they went to turn on multi-factor authentication for his son’s Xbox profile — which was tied to a non-Microsoft email address — the Xbox service said it would send a notification of the change to unauthorized Gmail account in his profile.

Wary of alerting the hackers that they were wise to their intrusion, Dennis tried contacting Microsoft Xbox support, but found he couldn’t open a support ticket from a non-Microsoft account. Using his other son’s Outlook account, he filed a ticket about the incident with Microsoft.

Dennis soon learned the unauthorized Gmail address added to his son’s hacked Xbox account also had enabled MFA. Meaning, his son would be unable to reset the account’s password without approval from the person in control of the Gmail account.

Luckily for Dayman’s son, he hadn’t re-used the same password for the email address tied to his Xbox profile. Nevertheless, the thieves began abusing their access to purchase games on Xbox and third-party sites.

“During this period, we started realizing that his bank account was being drawn down through purchases of games from Xbox and [Electronic Arts],” Dayman the elder recalled. “I pulled the recovery codes for his Xbox account out of the safe, but because the hacker came in and turned on multi-factor, those codes were useless to us.”

Microsoft support sent Dayman and his son a list of 20 questions to answer about their account, such as the serial number on the Xbox console originally tied to the account when it was created. But despite answering all of those questions successfully, Microsoft refused to let them reset the password, Dayman said.

“They said their policy was not to turn over accounts to someone who couldn’t provide the second factor,” he said.

Dayman’s case was eventually escalated to Tier 3 Support at Microsoft, which was able to walk him through creating a new Microsoft account, enabling MFA on it, and then migrating his son’s Xbox profile over to the new account.

Microsoft told KrebsOnSecurity that while users currently are not prompted to enable two-step verification upon sign-up, they always have the option to enable the feature.

“Users are also prompted shortly after account creation to add additional security information if they have not yet done so, which enables the customer to receive security alerts and security promotions when they login to their account,” the company said in a written statement. “When we notice an unusual sign-in attempt from a new location or device, we help protect the account by challenging the login and send the user a notification. If a customer’s account is ever compromised, we will take the necessary steps to help them recover the account.”

Certainly, not enabling MFA when it is offered is far more of a risk for people in the habit of reusing or recycling passwords across multiple sites. But any service to which you entrust sensitive information can get hacked, and enabling multi-factor authentication is a good hedge against having leaked or stolen credentials used to plunder your account.

What’s more, a great many online sites and services that do support multi-factor authentication are completely automated and extremely difficult to reach for help when account takeovers occur. This is doubly so if the attackers also can modify and/or remove the original email address associated with the account.

KrebsOnSecurity has long steered readers to the site, which details the various MFA options offered by popular websites. Currently, lists nearly 900 sites that have some form of MFA available. These range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.

CryptogramSecurity and Human Behavior (SHB) 2020

Today is the second day of the thirteenth Workshop on Security and Human Behavior. It's being hosted by the University of Cambridge, which in today's world means we're all meeting on Zoom.

SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The forty or so attendees include psychologists, economists, computer security researchers, sociologists, political scientists, criminologists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

Our goal is always to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to six to eight minutes, with the rest of the time for open discussion. We've done pretty well translating this format to video chat, including using the random breakout feature to put people into small groups.

I invariably find this to be the most intellectually stimulating two days of my professional year. It influences my thinking in many different, and sometimes surprising, ways.

This year's schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, and twelfth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops. Ross also maintains a good webpage of psychology and security resources.

MEStorage Trends

In considering storage trends for the consumer side I’m looking at the current prices from MSY (where I usually buy computer parts). I know that other stores will have slightly different prices but they should be very similar as they all have low margins and wholesale prices are the main factor.

Small Hard Drives Aren’t Viable

The cheapest hard drive that MSY sells is $68 for 500G of storage. The cheapest SSD is $49 for 120G and the second cheapest is $59 for 240G. SSD is cheaper at the low end and significantly faster. If someone needed about 500G of storage there’s a 480G SSD for $97 which costs $29 more than a hard drive. With a modern PC if you have no hard drives you will notice that it’s quieter. For anyone who’s buying a new PC spending an extra $29 is definitely worthwhile for the performance, low power use, and silence.

The cheapest 1TB disk is $69 and the cheapest 1TB SSD is $159. Saving $90 on the cost of a new PC probably isn’t worth while.

For 2TB of storage the cheapest options are Samsung NVMe for $339, Crucial SSD for $335, or a hard drive for $95. Some people would choose to save $244 by getting a hard drive instead of NVMe, but if you are getting a whole system then allocating $244 to NVMe instead of a faster CPU would probably give more benefits overall.

Computer stores typically have small margins and computer parts tend to quickly either become cheaper or be obsoleted by better parts. So stores don’t want to stock parts unless they will sell quickly. Disks smaller than 2TB probably aren’t going to be profitable for stores for very long. The trend of SSD and NVMe becoming cheaper is going to make 2TB disks non-viable in the near future.


M.2 NVMe devices are at comparable prices to SATA SSDs. For some combinations of quality and capacity NVMe is about 50% more expensive and for some it’s slightly cheaper (EG Intel 1TB NVMe being cheaper than Samsung EVO 1TB SSD). Last time I checked about half the motherboards on sale had a single M.2 socket so for a new workstation that doesn’t need more than 2TB of storage (the largest NVMe that MSY sells) it wouldn’t make sense to use anything other than NVMe.

The benefit of NVMe is NOT throughput (even though NVMe devices can often sustain over 4GB/s), it’s low latency. Workstations can’t properly take advantage of this because RAM is so cheap ($198 for 32G of DDR4) that compiles etc mostly come from cache and because most filesystem writes on workstations aren’t synchronous. For servers a large portion of writes are synchronous, for example a mail server can’t acknowledge receiving mail until it knows that it’s really on disk, so there’s a lot of small writes that block server processes and the low latency of NVMe really improves performance. If you are doing a big compile on a workstation (the most common workstation task that uses a lot of disk IO) then the writes aren’t synchronised to disk and if the system crashes you will just do all the compilation again. While NVMe doesn’t give a lot of benefit over SSD for workstation use (I’ve uses laptops with SSD and NVMe and not noticed a great difference) of course I still want better performance. ;)

Last time I checked I couldn’t easily buy a PCIe card that supported 2*NVMe cards, I’m sure they are available somewhere but it would take longer to get and probably cost significantly more than twice as much. That means a RAID-1 of NVMe takes 2 PCIe slots if you don’t have an M.2 socket on the motherboard. This was OK when I installed 2*NVMe devices on a server that had 18 disks and lots of spare PCIe slots. But for some systems PCIe slots are an issue.

My home server has all PCIe slots used by a video card and Ethernet cards and the BIOS probably won’t support booting from NVMe. It’s a Dell server so I can’t just replace the motherboard with one that has more PCIe slots and M.2 on the motherboard. As it’s running nicely and doesn’t need replacing any time soon I won’t be using NVMe for home server stuff.

Small Servers

Most servers that I am responsible for have less than 2TB of storage. For my clients I now only recommend SSD storage for small servers and am recommending SSD for replacing any failed disks.

My home server has 2*500G SSDs in a BTRFS RAID-1 for the root filesystem, and 3*4TB disks in a BTRFS RAID-1 for storing big files. I bought the SSDs when 500G SSDs were about $250 each and bought 2*4TB disks when they were about $350 each. Currently that server has about 3.3TB of space used and I could probably get it down to about 2.5TB if I deleted things I don’t really need. If I was getting storage for that server now I’d use 2*2TB SSDs and 3*1TB hard drives for the stuff that doesn’t fit on SSDs (I have some spare 1TB disks that came with servers). If I didn’t have spare hard drives I’d get 3*2TB SSDs for that sort of server which would give 3TB of BTRFS RAID-1 storage.

Last time I checked Dell servers had a card for supporting M.2 as an optional extra so Dells probably won’t boot from NVMe without extra expense.

Ars Technica has an informative article about WD selling SMR disks as “NAS” disks [1]. The Shingled Magnetic Recording technology allows greater storage density on a platter which leads to either larger capacity or cheaper disks but at the cost of lower write performance and apparently extremely bad latency in some situations. NAS disks are supposed to be low latency as the expectation is that they will be used in a RAID array and kicked out of the array if they have problems. There are reports of ZFS kicking SMR disks from RAID sets. I think this will end the use of hard drives for small servers. For a server you don’t want to deal with this sort of thing, by definition when a server goes down multiple people will stop work (small server implies no clustering). Spending extra to get SSDs just to avoid the risk of unexpected SMR would be a good plan.

Medium Servers

The largest SSD and NVMe devices that are readily available are 2TB but 10TB disks are commodity items, there are reports of 20TB hard drives being available but I can’t find anyone in Australia selling them.

If you need to store dozens or hundreds of terabytes than hard drives have to be part of the mix at this time. There’s no technical reason why SSDs larger than 10TB can’t be made (the 2.5″ SATA form factor has more than 5* the volume of a 2TB M.2 card) and it’s likely that someone sells them outside the channels I buy from, but probably at a price higher than what my clients are willing to pay. If you want 100TB of affordable storage then a mid range server like the Dell PowerEdge T640 which can have up to 18*3.5″ disks is good. One of my clients has a PowerEdge T630 with 18*3.5″ disks in the 8TB-10TB range (we replace failed disks with the largest new commodity disks available, it used to have 6TB disks). ZFS version 0.8 introduced a “Special VDEV Class” which stores metadata and possibly small data blocks on faster media. So you could have some RAID-Z groups on hard drives for large storage and the metadata on a RAID-1 on NVMe for fast performance. For medium size arrays on hard drives having a “find /” operation take hours is not uncommon, for large arrays having it take days isn’t that uncommon. So far it seems that ZFS is the only filesystem to have taken the obvious step of storing metadata on SSD/NVMe while bulk data is on cheap large disks.

One problem with large arrays is that the vibration of disks can affect the performance and reliability of nearby disks. The ZFS server I run with 18 disks was originally setup with disks from smaller servers that never had ZFS checksum errors, but when disks from 2 small servers were put in one medium size server they started getting checksum errors presumably due to vibration. This alone is a sufficient reason for paying a premium for SSD storage.

Currently the cost of 2TB of SSD or NVMe is between the prices of 6TB and 8TB hard drives, and the ratio of price/capacity for SSD and NVMe is improving dramatically while the increase in hard drive capacity is slow. 4TB SSDs are available for $895 compared to a 10TB hard drive for $549, so it’s 4* more expensive on a price per TB. This is probably good for Windows systems, but for Linux systems where ZFS and “special VDEVs” is an option it’s probably not worth considering. Most Linux user cases where 4TB SSDs would work well would be better served by smaller NVMe and 10TB disks running ZFS. I don’t think that 4TB SSDs are at all popular at the moment (MSY doesn’t stock them), but prices will come down and they will become common soon enough. Probably by the end of the year SSDs will halve in price and no hard drives less than 4TB will be viable.

For rack mounted servers 2.5″ disks have been popular for a long time. It’s common for vendors to offer 2 versions of a rack mount server for 2.5″ and 3.5″ disks where the 2.5″ version takes twice as many disks. If the issue is total storage in a server 4TB SSDs can give the same capacity as 8TB HDDs.

SMR vs Regular Hard Drives

Rumour has it that you can buy 20TB SMR disks, I haven’t been able to find a reference to anyone who’s selling them in Australia (please comment if you know who sells them and especially if you know the price). I expect that the ZFS developers will soon develop a work-around to solve the problems with SMR disks. Then arrays of 20TB SMR disks with NVMe for “special VDEVs” will be an interesting possibility for storage. I expect that SMR disks will be the majority of the hard drive market by 2023 – if hard drives are still on the market. SSDs will be large enough and cheap enough that only SMR disks will offer enough capacity to be worth using.

I think that it is a possibility that hard drives won’t be manufactured in a few years. The volume of a 3.5″ disk is significantly greater than that of 10 M.2 devices so current technology obviously allows 20TB of NVMe or SSD storage in the space of a 3.5″ disk. If the price of 16TB NVMe and SSD devices comes down enough (to perhaps 3* the price of a 20TB hard drive) almost no-one would want the hard drive and it wouldn’t be viable to manufacture them.

It’s not impossible that in a few years time 3D XPoint and similar fast NVM technologies occupy the first level of storage (the ZFS “special VDEV”, OS swap device, log device for database servers, etc) and NVMe occupies the level for bulk storage with no space left in the market for spinning media.

Computer Cases

For servers I expect that models supporting 3.5″ storage devices will disappear. A 1RU server with 8*2.5″ storage devices or a 2RU server with 16*2.5″ storage devices will probably be of use to more people than a 1RU server with 4*3.5″ or a 2RU server with 8*3.5″.

My first IBM PC compatible system had a 5.25″ hard drive, a 5.25″ floppy drive, and a 3.5″ floppy drive in 1988. My current PC is almost a similar size and has a DVD drive (that I almost never use) 5 other 5.25″ drive bays that have never been used, and 5*3.5″ drive bays that I have never used (I have only used 2.5″ SSDs). It would make more sense to have PC cases designed around 2.5″ and maybe 3.5″ drives with no more than one 5.25″ drive bay.

The Intel NUC SFF PCs are going in the right direction. Many of them only have a single storage device but some of them have 2*M.2 sockets allowing RAID-1 of NVMe and some of them support ECC RAM so they could be used as small servers.

A USB DVD drive costs $36, it doesn’t make sense to have every PC designed around the size of an internal DVD drive that will probably only be used to install the OS when a $36 USB DVD drive can be used for every PC you own.

The only reason I don’t have a NUC for my personal workstation is that I get my workstations from e-waste. If I was going to pay for a PC then a NUC is the sort of thing I’d pay to have on my desk.

CryptogramNew Hacking-for-Hire Company in India

Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India.

Key Findings:

  • Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.

  • Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.

  • We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.

  • We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.

  • Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign. At the request of several targets, Citizen Lab shared information about their targeting with the US Department of Justice (DOJ). We are in the process of notifying additional targets.

BellTroX InfoTech Services has assisted clients in spying on over 10,000 email accounts around the world, including accounts of politicians, investors, journalists and activists.

News article. Boing Boing post

Planet Linux AustraliaLinux Users of Victoria (LUV) Announce: LUV June 2020 Workshop: Emergency Security Discussion

Jun 20 2020 12:30
Jun 20 2020 14:30
Jun 20 2020 12:30
Jun 20 2020 14:30
Online event (TBA)

On Friday morning, our prime minister held an unprecedented press conference to warn Australia (Governments, Industry & Individuals) about a sophisticated cyber attack that is currently underway.



Linux Users of Victoria is a subcommittee of Linux Australia.

June 20, 2020 - 12:30

read more

CryptogramZoom Will Be End-to-End Encrypted for All Users

Zoom is doing the right thing: it's making end-to-end encryption available to all users, paid and unpaid. (This is a change; I wrote about the initial decision here.)

...we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe -- free and paid -- while maintaining the ability to prevent and fight abuse on our platform.

To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools -- including our Report a User function -- we can continue to prevent and fight abuse.

Thank you, Zoom, for coming around to the right answer.

And thank you to everyone for commenting on this issue. We are learning -- in so many areas -- the power of continued public pressure to change corporate behavior.

EDITED TO ADD (6/18): Let's do Apple next.

Worse Than FailureError'd: Fast Hail and Round Wind

"He's not wrong. With wind and hail like this, an isolated tornado definitely ranks third in severity," Rob K. writes.


"Upon linking my Days of Wonder account with Steam, I was initially told that I had 7 days to verify my email before account deletion and then I was told something else..." Ian writes.


Harvey wrote, "Great. Thanks for the warm welcome to your site ${AUCTION_WEBSITE}"


Peter G. writes, "In this case, I imagine the art department did something like 'OK Google, find image of Pentagon, insert into document'."


"I'm happy with my efforts but I feel for Terri. 1,400km in 21 days, 200km in the lead and she's barely overcome by this 'NaN' individual," wrote Roger G.


Sam writes, "While I admire the honesty of this particular scammer, I do rather think they missed the point."


[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!


Krebs on SecurityFEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy

An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

On June 16, authorities in Michigan arrested 29-year-old Justin Sean Johnson in connection with a 43-count indictment on charges of conspiracy, wire fraud and aggravated identity theft.

Federal prosecutors in Pittsburgh allege that in 2013 and 2014 Johnson hacked into the Oracle PeopleSoft databases for UPMC, a $21 billion nonprofit health enterprise that includes more than 40 hospitals.

According to the indictment, Johnson stole employee information on all 65,000 then current and former employees, including their names, dates of birth, Social Security numbers, and salaries.

The stolen data also included federal form W-2 data that contained income tax and withholding information, records that prosecutors say Johnson sold on dark web marketplaces to identity thieves engaged in tax refund fraud and other financial crimes. The fraudulent tax refund claims made in the names of UPMC identity theft victims caused the IRS to issue $1.7 million in phony refunds in 2014.

“The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII,” reads a statement from U.S. Attorney Scott Brady. “These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.”

Johnson could not be reached for comment. At a court hearing in Pittsburgh this week, a judge ordered the defendant to be detained pending trial. Johnson’s attorney declined to comment on the charges.

Prosecutors allege Johnson’s intrusion into UPMC was not an isolated occurrence, and that for several years after the UPMC hack he sold personally identifiable information (PII) to buyers on dark web forums.

The indictment says Johnson used the hacker aliases “DS and “TDS” to market the stolen records to identity thieves on the Evolution and AlphaBay dark web marketplaces. However, archived copies of the now-defunct dark web forums indicate those aliases are merely abbreviations that stand for “DearthStar” and “TheDearthStar,” respectively.

“You can expect good things come tax time as I will have lots of profiles with verified prior year AGIs to make your refund filing 10x easier,” TheDearthStar advertised in an August 2015 message to AlphaBay members.

In some cases, it appears these DearthStar identities were actively involved in not just selling PII and tax refund fraud, but also stealing directly from corporate payrolls.

In an Aug. 2015 post to AlphaBay titled “I’d like to stage a heist but…,” TheDearthStar solicited people to help him cash out access he had to the payroll systems of several different companies:

“… I have nowhere to send the money. I’d like to leverage the access I have to payroll systems of a few companies and swipe a chunk of their payroll. Ideally, I’d like to find somebody who has a network of trusted individuals who can receive ACH deposits.”

When another AlphaBay member asks how much he can get, TheDearthStar responds, “Depends on how many people end up having their payroll records ‘adjusted.’ Could be $1,000 could be $100,000.”

2014 and 2015 were particularly bad years for tax refund fraud, a form of identity theft which cost taxpayers and the U.S. Treasury billions of dollars. In April 2014, KrebsOnSecurity wrote about a spike in tax refund fraud perpetrated against medical professionals that caused many to speculate that one or more major healthcare providers had been hacked.

A follow-up story that same month examined the work of a cybercrime gang that was hacking into HR departments at healthcare organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms.

The Justice Department’s indictment quotes from Johnson’s online resume as stating that he is proficient at installing and administering Oracle PeopleSoft systems. A LinkedIn resume for a Justin Johnson from Detroit says the same, and that for the past five months he has served as an information technology specialist at FEMA. A Facebook profile with the same photo belongs to a Justin S. Johnson from Detroit.

Johnson’s resume also says he was self-employed for seven years as a “cyber security researcher / bug bounty hunter” who was ranked in the top 1,000 by reputation on Hacker One, a program that rewards security researchers who find and report vulnerabilities in software and web applications.

CryptogramTheft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security

The Washington Post is reporting on an internal CIA report about its "Vault 7" security breach:

The breach -- allegedly committed by a CIA employee -- was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release "Vault 7," and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA's history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency's techniques.

The October 2017 report by the CIA's WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were "woefully lax" within the special unit that designed and built the tools, the report said.

Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. "Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss," the task force concluded.

The task force report was provided to The Washington Post by the office of Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, who has pressed for stronger cybersecurity in the intelligence community. He obtained the redacted, incomplete copy from the Justice Department.

It's all still up on WikiLeaks.

Worse Than FailureCodeSOD: Rings False

There are times when a code block needs a lot of setup, and there are some where it mostly speaks for itself. Today’s anonymous submitter found this JavaScript in a React application, coded by one of the senior team-members.

if (false === false){
} else {

Look, I know how this code got there. At some point, they planned to check a configuration or a feature flag, but during development, it was just faster to do it this way. Then they forgot, and then it got released to production.

Had our submitter not gone poking, it would have sat there in production until someone tried to flip the flag and nothing happened.

This is why you do code reviews.

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

CryptogramSecurity Analysis of the Democracy Live Online Voting System

New research: "Security Analysis of the Democracy Live Online Voting System":

Abstract: Democracy Live's OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and (optionally) online voting. Three states -- Delaware, West Virginia, and New Jersey -- recently announced that they will allow certain voters to cast votes online using OmniBallot, but, despite the well established risks of Internet voting, the system has never been the subject of a public, independent security review.

We reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system's operation and analyze its security.We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon,Google, or Cloudflare. In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information­ -- including the voter's identity, ballot selections, and browser fingerprint­ -- that could be used to target political ads or disinformation campaigns.Even when OmniBallot is used to mark ballots that will be printed and returned in the mail, the software sends the voter's identity and ballot choices to Democracy Live, an unnecessary security risk that jeopardizes the secret ballot. We recommend changes to make the platform safer for ballot delivery and marking. However, we conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection.

News story.

EDITED TO ADD: This post has been translated into Portuguese.

CryptogramFacebook Helped Develop a Tails Exploit

This is a weird story:

Hernandez was able to evade capture for so long because he used Tails, a version of Linux designed for users at high risk of surveillance and which routes all inbound and outbound connections through the open-source Tor network to anonymize it. According to Vice, the FBI had tried to hack into Hernandez's computer but failed, as the approach they used "was not tailored for Tails." Hernandez then proceeded to mock the FBI in subsequent messages, two Facebook employees told Vice.

Facebook had tasked a dedicated employee to unmasking Hernandez, developed an automated system to flag recently created accounts that messaged minors, and made catching Hernandez a priority for its security teams, according to Vice. They also paid a third party contractor "six figures" to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip. Three sources told Vice that an intermediary passed the tool onto the FBI, who then obtained a search warrant to have one of the victims send a modified video file to Hernandez (a tactic the agency has used before).


Facebook also never notified the Tails team of the flaw -- breaking with a long industry tradition of disclosure in which the relevant developers are notified of vulnerabilities in advance of them becoming public so they have a chance at implementing a fix. Sources told Vice that since an upcoming Tails update was slated to strip the vulnerable code, Facebook didn't bother to do so, though the social media company had no reason to believe Tails developers had ever discovered the bug.


"The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls," a Facebook spokesperson told Vice. "This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice."

I agree with that last paragraph. I'm fine with the FBI using vulnerabilities: lawful hacking, it's called. I'm less okay with Facebook paying for a Tails exploit, giving it to the FBI, and then keeping its existence secret.

Another article.

EDITED TO ADD: This post has been translated into Portuguese.


Krebs on SecurityWhen Security Takes a Backseat to Productivity

“We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.” -CIA’s Wikileaks Task Force.

So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world’s most secretive entities, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.

The CIA produced the report in October 2017, roughly seven months after Wikileaks began publishing Vault 7 — reams of classified data detailing the CIA’s capabilities to perform electronic surveillance and cyber warfare. But the report’s contents remained shrouded from public view until earlier this week, when heavily redacted portions of it were included in a letter by Sen. Ron Wyden (D-Ore.) to the Director of National Intelligence.

The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:

  • Failing to rapidly detect security incidents.
  • Failing to act on warning signs about potentially risky employees.
  • Moving too slowly to enact key security safeguards.
  • A lack of user activity monitoring or robust server audit capability.
  • No effective removable media controls.
  • No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
  • Historical data available to all users indefinitely.

Substitute the phrase “cyber weapons” with “productivity” or just “IT systems” in the CIA’s report and you might be reading the post-mortem produced by a security firm hired to help a company recover from a highly damaging data breach.

A redacted portion of the CIA’s report on the Wikileaks breach.


A key phrase in the CIA’s report references deficiencies in “compartmentalizing” cybersecurity risk. At a high level (not necessarily specific to the CIA), compartmentalizing IT environments involves important concepts such as:

  • Segmenting one’s network so that malware infections or breaches in one part of the network can’t spill over into other areas.
  • Not allowing multiple users to share administrative-level passwords
  • Developing baselines for user and network activity so that deviations from the norm stand out more prominently.
  • Continuously inventorying, auditing, logging and monitoring all devices and user accounts connected to the organization’s IT network.

“The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed,” the CIA observed. “While often fulfilling a valid purpose, this ‘shadow IT’ exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves.”

All organizations experience intrusions, security failures and oversights of key weaknesses. In large enough enterprises, these failures likely happen multiple times each day. But by far the biggest factor that allows small intrusions to morph into a full-on data breach is a lack of ability to quickly detect and respond to security incidents.

Also, because employees tend to be the most abundant security weakness in any organization, instituting some kind of continuing security awareness training for all employees is a good idea. Some security experts I know and respect dismiss security awareness programs as a waste of time and money, observing that no matter how much training a company does, there will always be some percentage of users who will click on anything.

That may or may not be accurate, but even if it is, at least the organization then has a much better idea which employees probably need more granular security controls (i.e. more compartmentalizing) to keep them from becoming a serious security liability.

Sen. Wyden’s letter (PDF), first reported on by The Washington Post, is worth reading because it points to a series of continuing security weaknesses at the CIA, many of which have already been addressed by other federal agencies, including multi-factor authentication for domain names and access to classified/sensitive systems, and anti-spam protections like DMARC.

Sociological ImagesWhat’s Trending? The Happiness Drop

One important lesson from political science and sociology is that public opinion often holds steady. This is because it is difficult to get individual people to change their minds. Instead, people tend to keep consistent views as “settled dispositions” over time, and mass opinion changes slowly as new people age into taking surveys and older people age out.

Sometimes public opinion does change quickly, though, and these rapid changes are worth our attention precisely because they are rare. For example, one of the most notable recent changes is the swing toward majority support for same-sex marriage in the United States in just the last decade.

That’s why a new finding is so interesting and so troubling: NORC is reporting a pretty big swing in self-reported happiness since the pandemic broke out using a new 2020 survey conducted in late May. Compared to earlier trends from the General Social Survey, fewer people are reporting they are “very happy,” optimism about the future is down, and feelings of isolation and loneliness are up. The Associated Press has dynamic charts here, and I made an open-access, creative commons version of one visualization using GSS data and NORC’s estimates:

As with any survey trend, we will need more data to get the true shape of the change and see whether it will persist over time. Despite this, one important point here is the consistency before the new 2020 data. Think about all the times aggregated happiness reports didn’t really change: we don’t see major shifts around September 11th, 2001, and there are only small changes around the Gulf War in 1990 or the 2008 financial crisis.

There is something reassuring about such a dramatic drop now, given this past resilience. If you’re feeling bad, you’re not alone. We have to remember that emotions are social. People have a remarkable ability to persist through all kinds of trying times, but that is often because they can connect with others for support. The unprecedented isolation of physical distancing and quarantine has a unique impact on our social relationships and, in turn, it could have a dramatic impact on our collective wellbeing. The first step to fixing this problem is facing it honestly.

Inspired by demographic facts you should know cold, “What’s Trending?” is a post series at Sociological Images featuring quick looks at what’s up, what’s down, and what sociologists have to say about it.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at

CryptogramBank Card "Master Key" Stolen

South Africa's Postbank experienced a catastrophic security failure. The bank's master PIN key was stolen, forcing it to cancel and replace 12 million bank cards.

The breach resulted from the printing of the bank's encrypted master key in plain, unencrypted digital language at the Postbank's old data centre in the Pretoria city centre.

According to a number of internal Postbank reports, which the Sunday Times obtained, the master key was then stolen by employees.

One of the reports said that the cards would cost about R1bn to replace. The master key, a 36-digit code, allows anyone who has it to gain unfettered access to the bank's systems, and allows them to read and rewrite account balances, and change information and data on any of the bank's 12-million cards.

The bank lost $3.2 million in fraudulent transactions before the theft was discovered. Replacing all the cards will cost an estimated $58 million.