Tuesday, 18 March

00:42

We Could Have Had Universal Healthcare [The Stranger]

Last Wednesday was the final day for bills to make it out of their house of origin in the Washington State legislature. While many bills still in play are worth paying attention to, I want to focus on a pair that didn’t make the cut: Senate Bill 5233 and House Bill 1445. by Tobias Coughlin-Bogue

Last Wednesday was the final day for bills to make it out of their house of origin in the Washington State legislature. While many bills still in play are worth paying attention to, I want to focus on a pair that didn’t make the cut: Senate Bill 5233 and House Bill 1445

Both bills would have created the Washington Health Trust (WHT), a system of universal healthcare for the residents of our state. Introducing universal healthcare bills to both houses in the same session is a first, and these bills enjoyed unprecedented support. Efforts to enact universal healthcare at a state level have been underway in some form since 2016, but this year the bills received a record number of cosponsors in each chamber—11 in the Senate and 17 in the House—plus the endorsement of the Washington State Democratic Party.

Our state has a Democratic trifecta, meaning that the committees that both bills needed to pass through—Health & Long-Term Care in the Senate and Health Care & Wellness in the House—are chaired by Democrats. In this case, Sen. Annette Cleveland (D-Vancouver) and Rep. Dan Bronoske (D-Lakewood). Universal healthcare has been a part of the Washington State Democratic Party’s platform for almost a decade.

The bills also arrived at a time when our country’s system of private insurance is at an all-time low in popularity. Conversely, the concept of universal healthcare is polling better than ever. Our state’s bills would do exactly what has made universal healthcare such a popular idea: provide comprehensive coverage to all residents of Washington State at low or no cost.

So, if everyone loves universal healthcare and all the politicians involved say they do too, why the hell didn’t it get a hearing?

“That's a question I've been asking since 2016,” said Andre Stackhouse, the executive director of Whole Washington, one of the groups behind the WHT bills. 

“I wish I could say that I was surprised that the bills didn't get a hearing this year,” he said. “We have worked very hard to establish something of a dialogue and a working relationship with Chair Cleveland, but this is something she's held firm on ever since she was elected chair.”

This year, at least, she offered some explanation as to why. In response to a letter from Healthcare is a Human Right Washington (HCHR-WA) that went to her and Rep. Bronoske, she wrote:

“Regarding your request for a hearing, I have been clear in all discussions that Senator Hasegawa’s Washington Health Trust bill, SB 5233, would not be heard this year because I am not willing to disingenuously give advocates hope by hearing a bill that will not be moved out of committee. We are facing very dire budget shortfalls as a state this year that prevents bills with large fiscal notes from moving forward.  In addition, it is premature to consider SB 5233 when we still face the roadblock of the federal government in preventing implementation. Finally, the work of the Universal Health Care Commission must be more fully completed before any policy is considered.”

Earlier in her response, she told advocates copied on the email, “Be assured that I am a continued strong advocate of our shared goal.” 

While one might expect a strong advocate of state-level universal healthcare to advance a bill that would create such a system out of the committee she controls, she went on to list several things she is doing instead of that.

One was to join Sen. Bob Hasegawa (D-Seattle), one of SB 5233’s cosponsors, in writing a letter to the Universal Health Care Commission asking them to study SB 5233 and develop recommendations for future legislation. Never mind that the bill is pretty finely tuned already. The other was to wait on passage of Rep. Hasegawa’s Senate Joint Memorial 8004, a nonbinding resolution that would ask the federal government very nicely to let us do universal healthcare.

Democrats are once again gearing up to tell us that better things are not possible, and they really like sounding like the voice of reason when they do it. “Just wait, we’re working on it, someone else is stopping us, these things take time.” But is this actually reasonable? Let’s take a closer look.

First off, while the Universal Healthcare Commission (UHCC)  is still studying the issue and plans to issue a final report that could potentially inform future legislation, it is by no means opposed to the WHT.

“The UHCC has published their Washington Health Trust Analysis Report and found that it aligns with their universal health care system design,” HCHR-WA wrote in its letter. Saying we need to wait for the UHCC to wrap up is something of a stalling tactic here, it seems.

Second, it is not fiscally irresponsible to enact universal healthcare. Not enacting universal healthcare is, in fact, the fiscally irresponsible choice, according to HCHR-WA’s letter:

“The Washington Health Care Authority’s Work Group Report has also estimated that a system like the WHT would potentially save $800 million to $2.5 billion in an implementation year, and up to $5.6 billion on an annual basis in total health care spending once its transition is complete. The WHT raises all necessary revenue and will result in savings for the state across other sectors like housing and law enforcement. In a year in which the state is experiencing significant budgetary challenges, revenue and savings like these may be necessary to implement the budget.”

It might sound preposterous that making the state responsible for all Washingtonians’ healthcare costs would pencil out, but there would be plenty of money coming in. The WHT’s coverage obligations would be backed by a lot of new revenue, specifically in the form of taxes on business and capital gains.

Employers would pay a new 4.5-10.5 percent tax on wages, while sole proprietors would pay 2 percent of earnings. Investors with capital gains of over $200,000 would pay 5 to 9 percent of their profits. For capital gains exceeding $300,000, they’d pay an extra 2 percent. However, profits from home sales or retirement accounts would be exempt, as would capital gains reinvested in a primary residence.

“[The cost is] very similar to the current system where the employers pay premiums and they usually share those premiums with the employee,” Stackhouse said. “I think for most people [it’s] very competitive compared to what they're paying.”

Several studies have shown that the only people who pay more under a system like the WHT are people in the top 1 percent of earners.

“It's really only incomes above, I think, $500,000 that pay significantly more,” Stackhouse added. “And the biggest, biggest impact is [in favor of] the working and middle class who right now pay the highest percentage of their income on healthcare.”

While there is no federal law explicitly preventing states from setting up universal healthcare systems, to make such a system work, states would need to use the money they get from the federal government for Medicare and Medicaid to cover the cost. To do that, they need a waiver allowing them to apply that money to the WHT. If a state enacts a universal healthcare plan and then approaches the Department of Health and Human Services only to be denied, it could leave you in quite a bind. States are required to balance their budget every year, and if they’ve suddenly taken on the cost of covering all residents while losing a major revenue source earmarked for that purpose, they won’t be able to balance shit. 

“They are in financial peril,” Stackhouse said, referring to programs that cover low-income residents like Medicaid or Cascade Care. “So even just to save existing programs, we need to talk about raising revenue.”

So if it’s not really about cost, because it might actually save us money, and it’s not really about federal barriers, what is it about? You could point to a lot of more, shall we say, transactional reasons why Sen. Cleveland continues to table the bill — her 2024 campaign donor list is chock full of large insurers, pharmaceutical companies, and healthcare industry associations, as is Rep. Bronoske’s — but let’s examine what Sen. Cleveland said about not getting anyone’s hopes up.

Cleveland is not wrong about the barriers something like the WHT faces, whether legislative or logistical. Getting away from the miserable, bloodsucking system of private insurance that we have now takes time. Private insurance won’t go away overnight or perhaps ever (nor is it intended to under the WHT). Funding for universal healthcare might get pulled out from under us like a rug. The deranged fascists in charge of the federal government might come down even harder than that, denying funding for other things until we give up our silly notions of socialized medicine. Right now, we have no way of knowing what would happen if the WHT was enacted into law.

But part of why we don’t is because we haven’t done it. We’ve known it’s the right thing to do for decades and now, when we have a viable plan to do it, the people who are supposed to be fighting for us are stalling.

Full disclosure: If I come off biased in favor of these bills, it’s because I am. I have lived with type 1 diabetes for almost 15 years. I have navigated every nook and cranny of the private insurance landscape. I have paid thousands of dollars, even while insured, for the simple privilege of being alive. And I’m lucky to have been able to stay insured. Without coverage, financial ruin comes to most diabetics in a matter of months. 

Frederick Banting invented insulin in 1921 and sold the U.S. patent for it for $1, with explicit instructions to make it cheap and widely available.

“Insulin does not belong to me, it belongs to the world,” he said.

It now belongs to three massive pharmaceutical companies and costs $300 a vial. It costs them $2 to make that vial. If we lived in a just society, the price-fixing ghouls who have created this reality would face consequences.

When it comes to hope, I would say it’s too late. I already have hope. I hope every day for a system that doesn’t do this to people. But every day I see people in power preserve a system that actively does this to people — that causes medical bankruptcies and denies claims and drives people to ration their insulin until they fucking die — and my hope turns into anger.

In this case, I think anger is very appropriate. I think we should all be very, very angry that anyone allows this insane, criminal system to continue. I think that no matter our political affiliation, we should be asking anyone who wants to represent us what they really mean to do for us. And when. Are they willing to stand up to their donors? Or better yet, are they willing to forego donations from the people they’re charged with regulating? Are they on our side? If not, well, the word primary is also a verb.

So what’s next for Washington’s Universal Healthcare dream? Whole Washington, the group behind the WHT, is not giving up so easily. They’re starting the ballot initiative process as soon as this month. Despite what Brian Heywood thinks, they’re not only for billionaires to buy policy. and if you want to put the ballot initiative back in the hands of the people, Whole Washington would love your help.

Monday, 17 March

23:56

Page 55 [Flipside]

Page 55 is done.

23:07

GIMP 3.0 released [LWN.net]

The long-awaited GIMP 3.0 release is now available. Major changes in 3.0 include non‑destructive editing for most commonly‑used filters, improved text creation, better color space management, and an update to GTK 3.

This is the end result of seven years of hard work by volunteer developers, designers, artists, and community members (for reference, GIMP 2.10 was first published in 2018 and the initial development version of GIMP 3.0 was released in 2020).

See the release notes and NEWS file for more details about this release. LWN covered a near-final release of GIMP 3.0 in November last year.

GIMP 3.0 released [OSnews]

It’s taken a Herculean seven-year effort, but GIMP 3.0 has finally been released. There are so many new features, changes, and improvements in this release that it’s impossible to highlight all of them. First and foremost, GIMP 3.0 marks the shift to GTK3 – this may be surprising considering GTK4 has been out for a while, but major applications such as GIMP tend to stick to more tried and true toolkit versions. GTK4 also brings with it the prickly discussion concerning a possible adoption of libadwaita, the GNOME-specific augmentations on top of GTK4. The other major change is full support for Wayland, but users of the legacy X11 windowing system don’t have to worry just yet, since GIMP 3.0 supports that, too.

As far as actual features go, there’s a ton here. Non-destructive layer effects is one of the biggest improvements.

Another big change introduced in GIMP 3.0 is non-destructive (NDE) filters. In GIMP 2.10, filters were automatically merged onto the layer, which prevented you from making further edits without repeatedly undoing your changes. Now by default, filters stay active once committed. This means you can re-edit most GEGL filters in the Fx menu on the layer dockable without having to revert your work. You can also toggle them on or off, selectively delete them, or even merge them all down destructively. If you prefer the original GIMP 2.10 workflow, you can select the “Merge Filters” option when applying a filter instead.

↫ GIMP 3.0 release notes

There’s also much better color space management, better layer management and control, the user interface has been improved across the board, and support for a ton of file formats have been added, from macOS icons to Amiga ILBM/IFF formats, and much more. GIMP 3.0 also improves compatibility with Photoshop files, and it can import more palette formats, including proprietary ones like Adobe Color Book (ACB) and Adobe Swatch Exchange (ASE).

This is just a small selection, as GIMP 3.0 truly is a massive update. It’s available for Linux, Windows, and macOS, and if you wait for a few days it’ll probably show up in your distribution’s package repositories.

21:49

Link [Scripting News]

This is the data we keep for every post in WordLand.

20:07

SystemRescue 12.00 released [LWN.net]

Version 12.00 of the SystemRescue live Linux system has been released. SystemRescue is an Arch Linux based bootable toolkit for repairing systems in the event of a crash. Notable changes in this release include an update to Linux 6.12.19, support for bcachefs, and a number of updated disk utilities. See the package list for a complete list of software included in this release.

20:00

Sergio Talens-Oliag: Configuring forgejo actions [Planet Debian]

Last week I decided I wanted to try out forgejo actions to build this blog instead of using webhooks, so I looked the documentation and started playing with it until I had it working as I wanted.

This post is to describe how I’ve installed and configured a forgejo runner, how I’ve added an oci organization to my instance to build, publish and mirror container images and added a couple of additional organizations (actions and docker for now) to mirror interesting actions.

The changes made to build the site using actions will be documented on a separate post, as I’ll be using this entry to test the new setup on the blog project.

Installing the runner

The first thing I’ve done is to install a runner on my server, I decided to use the OCI image installation method, as it seemed to be the easiest and fastest one.

The commands I’ve used to setup the runner are the following:

$ cd /srv
$ git clone https://forgejo.mixinet.net/blogops/forgejo-runner.git
$ cd forgejo-runner
$ sh ./bin/setup-runner.sh

The setup-runner.sh script does multiple things:

  • create a forgejo-runner user and group
  • create the necessary directories for the runner
  • create a .runner file with a predefined secret and the docker label

The setup-runner.sh code is available here.

After running the script the runner has to be registered with the forgejo server, it can be done using the following command:

$ forgejo forgejo-cli actions register --name "$RUNNER_NAME" \
    --secret "$FORGEJO_SECRET"

The RUNNER_NAME variable is defined on the setup-runner.sh script and the FORGEJO_SECRET must match the value used on the .runner file.

Note:

The secret was pre-created on the setup-runner.sh script using openssl, but the runner can also be created using the forgejo server web interface; in that case the setup-runner.sh script would have to be modified to use the secret provided by the web interface.

Starting it with docker-compose

To launch the runner I’m going to use a docker-compose.yml file that starts two containers, a docker in docker service to run the containers used by the workflow jobs and another one that runs the forgejo-runner itself.

The initial version used a TCP port to communicate with the dockerd server from the runner, but when I tried to build images from a workflow I noticed that the containers launched by the runner were not going to be able to execute another dockerd inside the dind one and, even if they were, it was going to be expensive computationally.

To avoid the issue I modified the dind service to use a unix socket on a shared volume that can be used by the runner service to communicate with the daemon and also re-shared with the job containers so the dockerd server can be used from them to build images.

Warning:

The use of the same docker server that runs the jobs from them has security implications, but this instance is for a home server where I am the only user, so I am not worried about it and this way I can save some resources (in fact, I could use the host docker server directly instead of using a dind service, but just in case I want to run other containers on the host I prefer to keep the one used for the runner isolated from it).

For those concerned about sharing the same server an alternative would be to launch a second dockerd only for the jobs (i.e. actions-dind) using the same approach (the volume with its socket will have to be shared with the runner service so it can be re-shared, but the runner does not need to use it).

The final docker-compose.yaml file is as follows:

services:
  dind:
    image: docker:dind
    container_name: 'dind'
    privileged: 'true'
    command: ['dockerd', '-H', 'unix:///dind/docker.sock', '-G', '$RUNNER_GID']
    restart: 'unless-stopped'
    volumes:
      - ./dind:/dind
  runner:
    image: 'data.forgejo.org/forgejo/runner:6.2.2'
    links:
      - dind
    depends_on:
      dind:
        condition: service_started
    container_name: 'runner'
    environment:
      DOCKER_HOST: 'unix:///dind/docker.sock'
    user: $RUNNER_UID:$RUNNER_GID
    volumes:
      - ./config.yaml:/config.yaml
      - ./data:/data
      - ./dind:/dind
    restart: 'unless-stopped'
    command: '/bin/sh -c "sleep 5; forgejo-runner daemon -c /config.yaml"'

There are multiple things to comment about this file:

  1. The dockerd server is started with the -H unix:///dind/docker.sock flag to use the unix socket to communicate with the daemon instead of using a TCP port (as said, it is faster and allows us to share the socket with the containers started by the runner).
  2. We are running the dockerd daemon with the RUNNER_GID group so the runner can communicate with it (the socket gets that group which is the same used by the runner).
  3. The runner container mounts three volumes: the data directory, the dind folder where docker creates the unix socket and a config.yaml file used by us to change the default runner configuration.

The config.yaml file was originally created using the forgejo-runner:

$ docker run --rm data.forgejo.org/forgejo/runner:6.2.2 \
    forgejo-runner generate-config > config.yaml

The changes to it are minimal, the runner capacity has been increased to 2 (that allows it to run two jobs at the same time) and the /dind/docker.sock value has been added to the valid_volumes key to allow the containers launched by the runner to mount it when needed; the diff against the default version is as follows:

@@ -13,7 +13,8 @@
   # Where to store the registration result.
   file: .runner
   # Execute how many tasks concurrently at the same time.
-  capacity: 1
+  # STO: Allow 2 concurrent tasks
+  capacity: 2
   # Extra environment variables to run jobs.
   envs:
     A_TEST_ENV_NAME_1: a_test_env_value_1
@@ -87,7 +88,9 @@
   # If you want to allow any volume, please use the following configuration:
   # valid_volumes:
   #   - '**'
-  valid_volumes: []
+  # STO: Allow to mount the /dind/docker.sock on the containers
+  valid_volumes:
+    - /dind/docker.sock
   # overrides the docker client host with the specified one.
   # If "-" or "", an available docker host will automatically be found.
   # If "automount", an available docker host will automatically be found and ...

To start the runner we export the RUNNER_UID and RUNNER_GID variables and call docker-compose up to start the containers on the background:

$ RUNNER_UID="$(id -u forgejo-runner)" RUNNER_GID="$(id -g forgejo-runner)" \
    docker compose up -d

If the server was configured right we are now able to start using actions with this runner.

Preparing the system to run things locally

To avoid unnecessary network traffic we are going to create a multiple organizations in our forgejo instance to maintain our own actions and container images and mirror remote ones.

The rationale behind the mirror use is that we reduce a lot the need to connect to remote servers to download the actions and images, which is good for performance and security reasons.

In fact, we are going to build our own images for some things to install the tools we want without needing to do it over and over again on the workflow jobs.

Mirrored actions

The actions we are mirroring are on the actions and docker organizations, we have created the following ones for now (the mirrors were created using the forgejo web interface and we have disabled manually all the forgejo modules except the code one for them):

To use our actions by default (i.e., without needing to add the server URL on the uses keyword) we have added the following section to the app.ini file of our forgejo server:

[actions]
ENABLED = true
DEFAULT_ACTIONS_URL = https://forgejo.mixinet.net

Setting up credentials to push images

To be able to push images to the oci organization I’ve created a token with package:write permission for my own user because I’m a member of the organization and I’m authorized to publish packages on it (a different user could be created, but as I said this is for personal use, so there is no need to complicate things for now).

To allow the use of those credentials on the actions I have added a secret (REGISTRY_PASS) and a variable (REGISTRY_USER) to the oci organization to allow the actions to use them.

I’ve also logged myself on my local docker client to be able to push images to the oci group by hand, as I it is needed for bootstrapping the system (as I’m using local images on the worflows I need to push them to the server before running the ones that are used to build the images).

Local and mirrored images

Our images will be stored on the packages section of a new organization called oci, inside it we have created two projects that use forgejo actions to keep things in shape:

  • images: contains the source files used to generate our own images and the actions to build, tag and push them to the oci organization group.
  • mirrors: contains a configuration file for the regsync tool to mirror containers and an action to run it.

On the next sections we are going to describe the actions and images we have created and mirrored from those projects.

The oci/images project

The images project is a monorepo that contains the source files for the images we are going to build and a couple of actions.

The image sources are on sub directories of the repository, to be considered an image the folder has to contain a Dockerfile that will be used to build the image.

The repository has two workflows:

  • build-image-from-tag: Workflow to build, tag and push an image to the oci organization
  • multi-semantic-release: Workflow to create tags for the images using the multi-semantic-release tool.

As the workflows are already configured to use some of our images we pushed some of them from a checkout of the repository using the following commands:

registry="forgejo.mixinet.net/oci"
for img in alpine-mixinet node-mixinet multi-semantic-release; do
  docker build -t $registry/$img:1.0.0 $img
  docker tag $registry/$img:1.0.0 $registry/$img:latest
  docker push $registry/$img:1.0.0
  docker push $registry/$img:latest
done

On the next sub sections we will describe what the workflows do and will show their source code.

build-image-from-tag workflow

This workflow uses a docker client to build an image from a tag on the repository with the format image-name-v[0-9].[0-9].[0-9]+.

As the runner is executed on a container (instead of using lxc) it seemed unreasonable to run another dind container from that one, that is why, after some tests, I decided to share the dind service server socket with the runner container and enabled the option to mount it also on the containers launched by the runner when needed (I only do it on the build-image-from-tag action for now).

The action was configured to run using a trigger or when new tags with the right format were created, but when the tag is created by multi-semantic-release the trigger does not work for some reason, so now it only runs the job on triggers and checks if it is launched for a tag with the right format on the job itself.

The source code of the action is as follows:

name: build-image-from-tag
on:
  workflow_dispatch:
jobs:
  build:
    # Don't build the image if the registry credentials are not set, the ref is not a tag or it doesn't contain '-v'
    if: ${{ vars.REGISTRY_USER != '' && secrets.REGISTRY_PASS != '' && startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-v') }}
    runs-on: docker
    container:
      image: forgejo.mixinet.net/oci/node-mixinet:latest
      # Mount the dind socket on the container at the default location
      options: -v /dind/docker.sock:/var/run/docker.sock
    steps:
      - name: Extract image name and tag from git and get registry name from env
        id: job_data
        run: |
          echo "::set-output name=img_name::${GITHUB_REF_NAME%%-v*}"
          echo "::set-output name=img_tag::${GITHUB_REF_NAME##*-v}"
          echo "::set-output name=registry::$(
            echo "${{ github.server_url }}" | sed -e 's%https://%%'
          )"
          echo "::set-output name=oci_registry_prefix::$(
            echo "${{ github.server_url }}/oci" | sed -e 's%https://%%'
          )"
      - name: Checkout the repo
        uses: actions/checkout@v4
      - name: Export build dir and Dockerfile
        id: build_data
        run: |
          img="${{ steps.job_data.outputs.img_name }}"
          build_dir="$(pwd)/${img}"
          dockerfile="${build_dir}/Dockerfile"
          if [ -f "$dockerfile" ]; then
            echo "::set-output name=build_dir::$build_dir"
            echo "::set-output name=dockerfile::$dockerfile"
          else
            echo "Couldn't find the Dockerfile for the '$img' image"
            exit 1
          fi
      - name: Login to the Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ steps.job_data.outputs.registry }}
          username: ${{ vars.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASS }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and Push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: |
            ${{ steps.job_data.outputs.oci_registry_prefix }}/${{ steps.job_data.outputs.img_name }}:${{ steps.job_data.outputs.img_tag }}
            ${{ steps.job_data.outputs.oci_registry_prefix }}/${{ steps.job_data.outputs.img_name }}:latest
          context: ${{ steps.build_data.outputs.build_dir }}
          file: ${{ steps.build_data.outputs.dockerfile }}
          build-args: |
            OCI_REGISTRY_PREFIX=${{ steps.job_data.outputs.oci_registry_prefix }}/

Some notes about this code:

  1. The if condition of the build job is not perfect, but it is good enough to avoid wrong uses as long as nobody uses manual tags with the wrong format and expects things to work (it checks if the REGISTRY_USER and REGISTRY_PASS variables are set, if the ref is a tag and if it contains the -v string).
  2. To be able to access the dind socket we mount it on the container using the options key on the container section of the job (this only works if supported by the runner configuration as explained before).
  3. We use the job_data step to get information about the image from the tag and the registry URL from the environment variables, it is executed first because all the information is available without checking out the repository.
  4. We use the job_data step to get the build dir and Dockerfile paths from the repository (right now we are assuming fixed paths and checking if the Dockerfile exists, but in the future we could use a configuration file to get them, if needed).
  5. As we are using a docker daemon that is already running there is no need to use the docker/setup-docker-action to install it.
  6. On the build and push step we pass the OCI_REGISTRY_PREFIX build argument to the Dockerfile to be able to use it on the FROM instruction (we are using it in our images).

multi-semantic-release workflow

This workflow is used to run the multi-semantic-release tool on pushes to the main branch.

It is configured to create the configuration files on the fly (it prepares things to tag the folders that contain a Dockerfile using a couple of template files available on the repository’s .forgejo directory) and run the multi-semantic-release tool to create tags and push them to the repository if new versions are to be built.

Initially we assumed that the tag creation pushed by multi-semantic-release would be enough to run the build-tagged-image-task action, but as it didn’t work we removed the rule to run the action on tag creation and added code to trigger the action using an api call for the newly created tags (we get them from the output of the multi-semantic-release execution).

The source code of the action is as follows:

name: multi-semantic-release
on:
  push:
    branches:
      - 'main'
jobs:
  multi-semantic-release:
    runs-on: docker
    container:
      image: forgejo.mixinet.net/oci/multi-semantic-release:latest
    steps:
      - name: Checkout the repo
        uses: actions/checkout@v4
      - name: Generate multi-semantic-release configuration
        shell: sh
        run: |
          # Get the list of images to work with (the folders that have a Dockerfile)
          images="$(for img in */Dockerfile; do dirname "$img"; done)"
          # Generate a values.yaml file for the main packages.json file
          package_json_values_yaml=".package.json-values.yaml"
          echo "images:" >"$package_json_values_yaml"
          for img in $images; do
            echo " - $img" >>"$package_json_values_yaml"
          done
          echo "::group::Generated values.yaml for the project"
          cat "$package_json_values_yaml"
          echo "::endgroup::"
          # Generate the package.json file validating that is a good json file with jq
          tmpl -f "$package_json_values_yaml" ".forgejo/package.json.tmpl" | jq . > "package.json"
          echo "::group::Generated package.json for the project"
          cat "package.json"
          echo "::endgroup::"
          # Remove the temporary values file
          rm -f "$package_json_values_yaml"
          # Generate the package.json file for each image
          for img in $images; do
            tmpl -v "img_name=$img" -v "img_path=$img" ".forgejo/ws-package.json.tmpl" | jq . > "$img/package.json"
            echo "::group::Generated package.json for the '$img' image"
            cat "$img/package.json"
            echo "::endgroup::"
          done
      - name: Run multi-semantic-release
        shell: sh
        run: |
          multi-semantic-release | tee .multi-semantic-release.log
      - name: Trigger builds
        shell: sh
        run: |
          # Get the list of tags published on the previous steps
          tags="$(
            sed -n -e 's/^\[.*\] \[\(.*\)\] .* Published release \([0-9]\+\.[0-9]\+\.[0-9]\+\) on .*$/\1-v\2/p' \
              .multi-semantic-release.log
          )"
          rm -f .multi-semantic-release.log
          if [ "$tags" ]; then
            # Prepare the url for building the images
            workflow="build-image-from-tag.yaml"
            dispatch_url="${{ github.api_url }}/repos/${{ github.repository }}/actions/workflows/$workflow/dispatches"
            echo "$tags" | while read -r tag; do
              echo "Triggering build for tag '$tag'"
              curl \
                -H "Content-Type:application/json" \
                -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
                -d "{\"ref\":\"$tag\"}" "$dispatch_url"
            done
          fi

Notes about this code:

  1. The use of the tmpl tool to process the multi-semantic-release configuration templates comes from previous uses, but on this case we could use a different approach (i.e. envsubst could be used) but we left it because it keeps things simple and can be useful in the future if we want to do more complex things with the template files.
  2. We use tee to show and dump to a file the output of the multi-semantic-release execution.
  3. We get the list of pushed tags using sed against the output of the multi-semantic-release execution and for each one found we use curl to call the forgejo API to trigger the build job; as the call is against the same project we can use the GITHUB_TOKEN generated for the workflow to do it, without creating a user token that has to be shared as a secret.

The .forgejo/package.json.tmpl file is the following one:

{
  "name": "multi-semantic-release",
  "version": "0.0.0-semantically-released",
  "private": true,
  "multi-release": {
    "tagFormat": "${name}-v${version}"
  },
  "workspaces": {{ .images | toJson }}
}

As can be seen it only needs a list of paths to the images as argument (the file we generate contains the names and paths, but it could be simplified).

And the .forgejo/ws-package.json.tmpl file is the following one:

{
  "name": "{{ .img_name }}",
  "license": "UNLICENSED",
  "release": {
    "plugins": [
      [
        "@semantic-release/commit-analyzer",
        {
          "preset": "conventionalcommits",
          "releaseRules": [
            { "breaking": true, "release": "major" },
            { "revert": true, "release": "patch" },
            { "type": "feat", "release": "minor" },
            { "type": "fix", "release": "patch" },
            { "type": "perf", "release": "patch" }
          ]
        }
      ],
      [
        "semantic-release-replace-plugin",
        {
          "replacements": [
            {
              "files": [ "{{ .img_path }}/msr.yaml" ],
              "from": "^version:.*$",
              "to": "version: ${nextRelease.version}",
              "allowEmptyPaths": true
            }
          ]
        }
      ],
      [
        "@semantic-release/git",
        {
          "assets": [ "msr.yaml" ],
          "message": "ci(release): {{ .img_name }}-v${nextRelease.version}\n\n${nextRelease.notes}"
        }
      ]
    ],
    "branches": [ "main" ]
  }
}

The oci/mirrors project

The repository contains a template for the configuration file we are going to use with regsync (regsync.envsubst.yml) to mirror images from remote registries using a workflow that generates a configuration file from the template and runs the tool.

The initial version of the regsync.envsubst.yml file is prepared to mirror alpine containers from version 3.21 to 3.29 (we explicitly remove version 3.20) and needs the forgejo.mixinet.net/oci/node-mixinet:latest image to run (as explained before it was pushed manually to the server):

version: 1
creds:
  - registry: "$REGISTRY"
    user: "$REGISTRY_USER"
    pass: "$REGISTRY_PASS"
sync:
  - source: alpine
    target: $REGISTRY/oci/alpine
    type: repository
    tags:
      allow:
        - "latest"
        - "3\\.2\\d+"
        - "3\\.2\\d+.\\d+"
      deny:
        - "3\\.20"
        - "3\\.20.\\d+"

mirror workflow

The mirror workflow creates a configuration file replacing the value of the REGISTRY environment variable (computed by removing the protocol from the server_url), the REGISTRY_USER organization value and the REGISTRY_PASS secret using the envsubst command and running the regsync tool to mirror the images using the configuration file.

The action is configured to run daily, on push events when the regsync.envsubst.yml file is modified on the main branch and can also be triggered manually.

The source code of the action is as follows:

.forgejo/workflows/mirror.yaml 
name: mirror
on:
  schedule:
    - cron: '@daily'
  push:
    branches:
      - main
    paths:
      - 'regsync.envsubst.yml'
  workflow_dispatch:
jobs:
  mirror:
    if: ${{ vars.REGISTRY_USER != '' && secrets.REGISTRY_PASS != '' }}
    runs-on: docker
    container:
      image: forgejo.mixinet.net/oci/node-mixinet:latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Sync images
        run: |
          REGISTRY="$(echo "${{ github.server_url }}" | sed -e 's%https://%%')" \
          REGISTRY_USER="${{ vars.REGISTRY_USER }}" \
          REGISTRY_PASS="${{ secrets.REGISTRY_PASS }}" \
            envsubst <regsync.envsubst.yml >.regsync.yml
          regsync --config .regsync.yml once
          rm -f .regsync.yml

Conclusion

We have installed a forgejo-runner and configured it to run actions for our own server and things are working fine.

This approach allows us to have a powerful CI/CD system on a modest home server, something very useful for maintaining personal projects and playing with things without needing SaaS platforms like github or gitlab.

More pro for the DEC Professional 380 (featuring PRO/VENIX) [OSnews]

Settle down children, it’s time for another great article by Cameron Kaiser. This time, they’re going to tell us about the DEC Professional 380 running PRO/VENIX.

The Pro 380 upgraded to the beefier J-11 (“Jaws”) CPU from the PDP-11/73, running two to three times faster than the 325 and 350. It had faster RAM and came with more of it, and boasted quicker graphics with double the vertical resolution built right into the logic board. The 380 still has its faults, notably being two-thirds the speed of the 11/73 and having no cache, plus all of the 325/350’s incompatibilities. Taken on its merits, though, it’s a tank of a machine, a reasonably powerful workstation, and the most practical PDP-adjacent thing you can actually slap on a (large) desk.

This particular unit is one of the few artifacts I have left from a massive DEC haul almost twelve years ago. It runs PRO/VENIX, the only official DEC Unix option for the Pros, but in its less common final release (we’ll talk about versions of Venix). I don’t trust the clanky ST-506 hard drive anymore, so today we’ll convert it to solid state and double its base RAM to make it even more professional, and then play around in VENIX some for a taste of old-school classic Unix — after, of course, some history.

↫ Cameron Kaiser

Detailed, interesting, fascinating, and full of photos as always.

19:28

Is What It Is [Penny Arcade]

I'm way down in the M-hole, which sounds bad, and maybe it is. Maybe it's not safe to be in the M-hole for this duration. One reason might be the prevalence of M down there, or Monsters. It's literally their hole and they don't like it when you go in. Obviously you need guild authorization to hunt monsters but, uh, it's not super hard to get.

18:28

Torrey Peters’s Stag Dance Poses the Right Questions About Gender at the Right Time [The Stranger]

See Torrey Peters at Town Hall Seattle Wednesday, March 19. by Blair Stenvick

Stag Dance: A Novel & Stories opens with a note from author Torrey Peters. Still on the heels of her 2021 hit novel Detransition, Baby, Peters shares that she was motivated to keep digging into trans identity this time, posing an underlying question connecting the four stories in her new book: “What does it even mean to be trans?”

It’s quite a question to be asking at this moment in time, as fascist gender policing reaches a boiling point. Those in power are interested in defining transness only insofar that they think they can separate and eradicate it. Well-meaning allies seek to define it through the lens of oppression, lack, and cookie-cutter narratives; even trans folks ourselves can get caught up in gatekeeping traps, seduced by the notion that if we can only find the right words, the right timeline, the right way to be trans, then existential threats will vanish.

The trans characters in Stag Dance didn’t fall out of a coconut tree; they all live under the stifling weight of gender norms. But rather than focusing on the macro, Peters zooms into their interiorities, desires, and close relationships, lighting up the pages with specificity, sucker-punch revelations, and some good old-fashioned romantic suspense.

In the titular novel at the heart of the book, a seemingly all-male camp of grizzly lumberjacks plan a dance. To liven things up, lumberjacks have the option to pin a brown cloth triangle onto the crotch of their pants—a makeshift “bush”—and attend as “women” for courting and dancing with. The opportunity stirs something inside Babe, the biggest and ugliest guy in the group, who is the first to claim a bush for himself. He tries to play it for laughs at first, but that changes as he gets to know Lisen, a more delicate and effeminate lumberjack who flirts and wrestles with the other guys.

Watching Lisen tease the men, Babe feels a difficult-to-name stirring:

“His sauciness disturbed me, or rather, I was disturbed by the unctuous temptation it endangered in me, a queer need like how it feels to forget the perfect word for something, even as you know somewhere in your mind you must have the word, that you don’t lack it at all, only its use.”

Trans people can recognize this feeling; it’s the first time you encounter another trans person and feel a terrified-yet-excited surge of familiarity. This crew of 1800s lumberjacks haven’t heard the
word “transgender,” and they certainly don’t have knowledge of gender-affirming care. But none of that matters when Babe wears his brown cloth and hooks up with the camp boss: “With eyes closed, there existed no difference between the triangle and myself: Distinction collapsed, and it was on me and of me and in me.”

Like “Stag Dance, short story “The Chaser” also takes place in the single-sex environment of a boarding school bedroom, where a teenage boy starts secretly hooking up with his feminine roommate Robbie. In the confines of a dark bedroom, where bodies become shapes and curves, their attraction is undeniable. But when a new semester comes and room assignments change, tenderness with Robbie becomes humiliating and untenable for the protagonist: “What was hot for me before was that he was feminine and available, and I set all the terms.”

That’s just one instance of many in which trans women are betrayed in Stag Dance. To be a trans woman in Peters’ stories is to constantly live on a razor’s edge between cis people’s desire and disgust, which often co-mingle. And it often means betraying other trans people yourself, in the pursuit of mainstream approval.

You can see that dichotomy in today’s conservative media: There’s a rabid obsession with all trans people—but especially transfem folks—that so clearly stems from insecurity. They are angry at trans people for alighting their own gender and sexuality anxieties, for exposing the absurdity of the gender binary.

There’s a reason transphobes hate being asked their pronouns, and try to claim “cisgender” is a slur: If you have to work to define your cisness, then that means you are in some way defining your own gender, and then doesn’t that make you a little bit trans, too?

That’s exactly what “Infect Your Friends and Loved Ones,” the collection’s most inventive story, explores so deftly. A small team of trans women in Seattle develop and disperse a highly contagious injection that takes away humans’ ability to produce their own hormones, and the US quickly becomes a civil war-torn free-
for-all, where everyone is forced to source their own hormones.

“I was thinking I want to live in a world where everyone has to choose their gender,” one of the culprits says by way of explanation. But interestingly, this does not erase the distinction between trans and cis: A group of trans women who transitioned well before the infection broke out find each other and develop their own community on an abandoned farm, living under the shared principle of “t4t.” The familiar dating app acronym becomes a philosophy of respecting and looking out for other trans folks above all else.

While they’re ostensibly living in a world where everyone is trans in the physical sense, these trans women still find safety primarily in each other. Old resentments, rivalries, and desperation to appeal to cis people for safety and validation fade away. “All it took was the end of the world t o make that happen,” one trans homesteader observes.

The stories in Stag Dance aren’t about brave, articulate transgender people overcoming oppression and leading the way into a genderless utopia. They are instead about messy, flawed trans people attempting to find survival while achieving a modicum of authenticity, in a hostile world where cis people’s own gender anxieties—and the violence those anxieties can provoke—lurk around every corner.

In the end, true safety can only be found with each other. That seems a salient lesson to remember as new policies attempt to separate the “QT” from the “LGB”—and even to distinguish the good, quiet trans
people who keep to themselves from the ones who insist on playing sports, dressing outside the binary, using restrooms without passing, teaching young people, and other apparently flagrant offenses.

Still, it’d be a disservice to present these stories only as political fodder. As Peters notes in her introduction, this collection is about trans people as “just people yearning, crashing, loving, and messing up.” These characters stayed with me, and once you crack open Stag Dance, you’ll want to spend some time with them as well.

See Torrey Peters at Town Hall Wednesday, March 19, 7:30 pm, free–$35, optional book add-on for $28, all ages.

This story was originally published in our sister paper, Portland Mercury.

17:56

Some Quick, Spoiler-Free Thoughts On “Mickey 17” [Whatever]

On Friday, I went to see Mickey 17 in theaters. Unlike most movies I’ve seen in theaters recently, I actually saw a ton of marketing for Mickey 17. This was one movie I wasn’t going into completely blind, which I generally try to do.

If you have yet to see one of its trailers, Mickey 17 is a science fiction film about a guy who volunteers to be “an expendable” on a journey across space to another planet. He’s given grueling tasks that are often fatal, and when he dies he is reprinted so he can keep on keepin’ on. Most of the story revolves around the titular character, Mickey 17. Of course, hijinks ensue when Mickey 17 is still alive, but they already printed Mickey 18. This causes some issues, as “multiples” are not allowed.

The premise definitely interested me, but what really made me want to see it was Robert Pattinson. Not gonna lie, I am a big Rob fan. Yes, I was indeed a Twilight kid, but more than that I think he is a fantastic actor, and to see him in increasingly strange and wonderful roles over the past few years has been a joy. I especially love his Batman.

Watching Robert Pattinson play two characters that are the same guy but wildly different is a treat. The way he interacts with himself on screen is so fun and interesting. I think playing two characters shows just how impressive his range as an actor really is. It reminds me a lot of Michael Fassbender’s performance as both David and Walter in Alien: Covenant and how interesting it is to see him interact with what is essentially another version of himself.

Aside from Robert Pattinson’s double whammy, Mark Ruffalo and Toni Collette both provide extremely fun performances as well. They were superbly cast, and really added to my enjoyment of the film.

Performances aside, Mickey 17 was very different than I had imagined it would be. It was much more of a comedy than I anticipated, with a lot of rather goofy dialogue and line deliveries. The plot went in an unexpected direction, and I never knew what was going to happen next! It was definitely a unique movie, both in plot and in tone.

I actually really love the whole “your memories are stored and then implanted into a new body” type stories because it raises so many ethical and moral questions. It reminds me a lot of Astro Boy, and how even though Toby’s “consciousness” and memories are uploaded into a robot body, the real Toby did die, and Astro Boy is not truly Toby.

These existential dilemmas are presented in Mickey 17 as well. After all, how many times can you be reprinted before there’s not really any Mickey 1 left in the copies? Truly fascinating stuff, and also heartbreaking to reconcile with the knowledge that the previous “you” really did die. Love it.

All that being said, I recommend catching this one in theaters if you can. It’s a lot of fun and I think y’all will really enjoy it. It’s nice to see some more sci-fi in the theaters, especially some that isn’t sci-fi horror like Alien: Romulus. I like goofy sci-fi (not biased)!

Have you seen Mickey 17 yet? What did you think? Do you like clone-type stories, too? Let me know in the comments, and have a great day!

-AMS

17:49

17:42

The Top 36 Events in Seattle This Week: Mar 17–23, 2025 [The Stranger]

Moisture Festival, Snow Patrol, and More
by EverOut Staff

Thursday may be the first day of spring, but the Washington weather is determined to rain on its parade. However, there's still plenty of fun to be had this week at events from Kells 42nd Annual St. Patrick’s Irish Festival to Snow Patrol and from the Seattle Moisture Festival to the 5th Avenue Theatre's production of Waitress

MONDAY ST. PATRICK'S DAY

Kells 42nd Annual St. Patrick’s Irish Festival
Kells' 42nd annual shamrock-festooned celebration wraps up over a week of revelry today. As usual, Post Alley and First Avenue will be closed to traffic and covered by a large tent to support expanded celebrations, including rugby watch parties and performances by local musicians like the Belfast Bandits, Máirtín Ó Huigin, and U2 tribute band Vertigo Zoo. Don't forget the house-brewed beers and classic Irish dishes—corned beef, anyone? SHANNON LUBETICH
(Kells Irish Restaurant & Pub, Pike Place Market)

16:56

Dirk Eddelbuettel: RcppExamples 0.1.10: New factor Example, Other Updates [Planet Debian]

A new version 0.1.10 of the RcppExamples package is now on CRAN, and marks the first release in five and half years.

RcppExamples provides a handful of short examples detailing by concrete working examples how to set up basic R data structures in C++. It also provides a simple example for packaging with Rcpp. The package provides (generally fairly) simple examples, more (and generally longer) examples are at the Rcpp Gallery.

This releases brings a bi-directorial example of factor conversion, updates the Date example, removes the explicitly stated C++ compilation standard (which CRAN now nags about) and brings a number of small fixes and maintenance that accrued since the last release. The NEWS extract follows:

Changes in RcppExamples version 0.1.10 (2025-03-17)

  • Simplified DateExample by removing unused API code

  • Added a new FactorExample with conversion to and from character vectors

  • Updated and modernised continuous integrations multiple times

  • Updated a few documentation links

  • Updated build configuration

  • Updated README.md badges and URLs

  • No longer need to set a C++ compilation standard

Courtesy of my CRANberries, there is also a diffstat report for this release. For questions, suggestions, or issues please use the issue tracker at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub.

Slog AM: Measles Vaccinations Decline in Washington, Social Security Association Declares Alive Seattle Man Dead, Trump Deportations Ramp Up [The Stranger]

The Stranger's morning news roundup. by Nathalie Graham

Please vaccinate your kids: Measles is running rampant among unvaccinated kids in Texas and New Mexico. The outbreaks have seen a total of 300 cases and two deaths so far. Isolated measles cases are popping up across the country, even in Seattle. You'd think this would be enough to sway the anti-vax parents, yet according to data the Washington State Department of Health measles vaccination rates in kindergartners declined in 36 of 39 Washington counties. The only county with a kindergarten vaccination rate above the herd immunity threshold of 95% was Yakima County where 96.4% of students are vaccinated. 

Go Dawgs: The University of Washington's women's basketball team will head to the Big Dance, otherwise known as the 2025 NCAA Tournament, for the first time in eight years. They'll square off against the Columbia Lions on Thursday. 

Not dead yet! Elon Musk and his team of doofuses at the so-called Department of Government Efficiency (DOGE) believe dead people are receiving Social Security benefits. They've dedicated a whole team to rooting out those deceased freeloaders. Except, according to the Seattle Times, the opposite just happened. Leonard Johnson, an 82-year-old very much alive Capitol Hill resident was essentially erroneously declared dead by the Social Security Administration (SSA) last month. His wife received a notice from his bank explaining the SSA requested the return of Johnson's Social Security funds after his death. The bank had pulled $5,201 in payments Johnson received for December and January. He hasn't received payments for February or March. He's been trying to resurrect himself by convincing the SSA he's alive. After unsuccessful calls, Johnson went to a physical office, waited for hours, and finally proved he had a pulse. The bank returned the money it took from his account, but those other monthly payments from the SSA have yet to show up. The whole thing is like this Monty Python sketch:

Remember the teen killed during CHOP? Antonio Mays Jr., 16, was shot and killed inside a stolen Jeep in 2020's Capitol Hill Organized Protest Zone when the "autonomous" area took a darker turn. Yet, five years later, police have filed no charges in his death, reports the Seattle Times. They won't answer questions about it either. Mays' family is embroiled in a wrongful death lawsuit against the city and recently sent a letter to the U.S. House Committee on Oversight and Government Reform urging Congress to probe into CHOP and the Seattle Police Department's homicide investigation. 

The weather: We have a true Seattle week ahead of us. Rain, rain, rain, and—you guessed it—more rain. So, wear a raincoat today. 

Storms kill 39: Severe weather events including "unusually vicious and damaging" tornadoes, dust storms, and wildfires killed at least 39 people across multiple southern states. 

Public transit is still kicking: Knock on wood, but things are looking good for Seattle-area transit ridership. Local transit agencies saw a 12% increase in ridership between 2023 and 2024. Everett Transit had the biggest jump with a 32% increase in ridership—the only local agency to report more transit ridership than its pre-pandemic levels. What's their secret sauce? Frequent ridership. Take notes, other agencies. 

Give her back: French Socialist member of parliament Raphaël Glucksmann said if the United States embraces dictators then it should give the Statue of Liberty back to France. The current goings ons in America are contrary to the values that led to France bestowing Lady Liberty upon us 140 years ago. “We gave it to you as a gift, but apparently you despise it. So it will be just fine here at home,” she said. 

Exhibit A: The Department of Defense removed a Black Medal of Honor winner from its website. US Army Major General Charles Calvin Rogers received the award after being wounded three times while defending a base in the Vietnam War. Rogers was the highest ranking Black person to receive the award. Now, the Department of Defense's page on Rogers results in a "404 – Page Not Found" error. The URL to his page on the site was changed, too: "medal" was replaced with "DEI medal." 

Seems bad: The US stock market lost over $5 trillion in value in just three weeks. 

Immigration gets messier: A British Columbia woman's family says she has been detained for 10 days after "attempting to cross the [US] border with a job offer and visa paperwork in hand." Dr. Rasha Alawieh, a doctor and professor at Brown University, returned to the US after a trip to Lebanon. Customs and Border Protection deported her back to Lebanon despite her having a valid US visa. The deportation occurred despite a court order demanding Alawieh not be removed. A German green card holder and New Hampshire resident was detained at Logan Airport in Boston and is being held by US Immigration and Customs Enforcement at a facility in Rhode Island. He told his wife ICE agents had "pressured him to give up his green card" and described inhumane treatment. 

El Salvador deportations could violate court order: Over the weekend, the US government deported hundreds of Venezuelan immigrants to a prison in El Salvador after Trump signed an executive order Friday invoking the Alien Enemies Act of 1798 to "rapidly arrest and deport" people he labeled as "gang members." The law allows the deportation of those from countries at war with the US. Unsurprisingly, since all of this occurred without legal oversight, Judge James E. Boasberg of the Federal District Court in Washington D.C. issued a temporary restraining order to block these deportations. However, the deportation occurred in spite of the court order. Whether or not the administration violated the order will depend on when the flights took off. 

Happy St. Patrick's Day! All of this deportation news and hostility toward immigrants makes celebrating St. Patrick's Day—a celebration of the Irish—feel a little off. Still, kiss an Irish person today. Gorge yourself on Guinness. Eat corned beef and cabbage for dinner. Remind yourself that we are a country of immigrants. 

A song for your Monday: Sticking with the Irish theme, here's U2. 

16:07

Apple’s long-lost hidden recovery partition from 1994 has been found [OSnews]

In 1994, a single Macintosh Performa model, the 550, came from the factory with a dedicated, hidden recovery partition that contained a System 7 system folder and a small application that would be set as bootable if the main operating system failed to boot. This application would then run, allowing you to recover your Mac using the system folder inside the recovery partition. This feature was apparently so obscure, few people knew it existed, and nobody had access to the original contents of the recovery partition anymore.

It took Doug Brown a lot of searching to find a copy of this recovery partition. The issue is that nobody really knows how this partition is populated with the recovery data, so the only way to explore its contents was to somehow find a Performa 550 hard drive with a specific version of Mac OS that had never been reformatted after leaving the factory.

The thing is, this whole functionality was super obscure. It’s understandable that people weren’t familiar with it. Apple publicly stated it was only included with this one specific Performa model. Their own documentation also said that it would be lost if you reformatted the hard drive. It was hiding in the background, so nobody really knew it was there, let alone thought about saving it. Also, I can say that the first thing a lot of people do when they obtain a classic computer is erase it in order to restore it to the factory state. Little did anyone know, if they reformatted the hard drive on a Performa 550, they could have been wiping out rare data that hadn’t been preserved!

↫ Doug Brown

Brown found a copy, and managed to get the whole original functionality working again. It’s a fairly basic way of doing this, but we shouldn’t forget we’re talking 1994 here, and I don’t think any other operating system at the time had the ability to recover from an unbootable state like this. Like Brown, I wonder why it was abandoned so quickly. Perhaps Apple was unwilling to sacrifice the hard drive space?

Groundbreaking or not, it’s still great to have this recovered and preserved for the ages.

Microsoft accidentally cares about its users, releases update that unintentionally deletes Copilot from Windows [OSnews]

It’s rare in this day and age that proprietary operating system vendors like Microsoft and Apple release updates you’re more than happy to install, but considering even a broken clock is right twice a day, we’ve got one for you today. Microsoft released KB5053598 (OS Build 26100.3476) which “addresses security issues for your Windows operating system”. One of the “security issues” this update addresses, is Microsoft’s “AI” text generator, Copilot. To address this glaring security issue, this update removes Copilot from your Windows installation altogether.

Sadly, it’s only by mistake, and not by design.

We’re aware of an issue with the Microsoft Copilot app affecting some devices. The app is unintentionally uninstalled and unpinned from the taskbar.

[…]

Microsoft is working on a resolution to address this issue.

In the meantime, affected users can reinstall the app from the Microsoft Store and manually pin it to the taskbar.

↫ Microsoft Support

Well, at least until Microsoft “fixes” this “issue” with KB5053598, consider this update a simple way to get rid of Copilot. Microsoft accidentally cared about its users for once, so cherish this moment – it won’t happen again.

15:42

Link [Scripting News]

Palfrey's alarm yesterday was about the Americans who were whisked off to El Salvador. Who they are and what they're accused of is unknown, as if there's any substance to the accusation. No indictment, trial, verdict, appeals, etc. El Salvador wants to be the US dumping ground for undesirables. This is where we have, as Timothy Snyder says, regime change. I thought the elmination of Social Security would have been the moment the light went on for most Americans, but this should be it. Citizens like you and me being disappeared. It's a pretty quick way to get most of the people to behave according to the rules of the government, or off you go.

Link [Scripting News]

Poking around on old servers I found this cute little app that jsonifies an RSS feed. Not sure why I did it. Postscript, it only works for one feed, mine. I replaced it with a template in the feeder app which was a useful version of the cute little app. Here's a demo of it viewing the contents of a feed in JSON using a special template.

15:35

[$] Looking forward to mapcount madness 2025 [LWN.net]

One of the many important tasks that the kernel's memory-management subsystem must handle is keeping track of how pages of memory are mapped into the address spaces of the processes running on the system. As long as mappings to a given page exist, that page must be kept in place. As it turns out, tracking these mappings is harder than it seems it should be, and the move to folios within the memory-management subsystem is adding some complexities of its own. As a follow-up to the "mapcount madness" session that he ran at the 2024 Linux Storage, Filesystem, Memory-Management, and BPF summit, David Hildenbrand has posted a patch series intended to improve the handling of mapping counts for folios — but exact accounting remains elusive in some situations.

Improvements in Brute Force Attacks [Schneier on Security]

New paper: “GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3.”

Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit keys are recommended, there are many standards and real-world applications that use shorter keys. In order to estimate the actual threat imposed by using those short keys, precise estimates for attacks are crucial.

In this work we provide optimized implementations of several widely used algorithms on GPUs, leading to interesting insights on the cost of brute force attacks on several real-word applications.

In particular, we optimize KASUMI (used in GPRS/GSM),SPECK (used in RFID communication), andTEA3 (used in TETRA). Our best optimizations allow us to try 235.72, 236.72, and 234.71 keys per second on a single RTX 4090 GPU. Those results improve upon previous results significantly, e.g. our KASUMI implementation is more than 15 times faster than the optimizations given in the CRYPTO’24 paper [ACC+24] improving the main results of that paper by the same factor.

With these optimizations, in order to break GPRS/GSM, RFID, and TETRA communications in a year, one needs around 11.22 billion, and 1.36 million RTX 4090GPUs, respectively.

For KASUMI, the time-memory trade-off attacks of [ACC+24] can be performed with142 RTX 4090 GPUs instead of 2400 RTX 3090 GPUs or, when the same amount of GPUs are used, their table creation time can be reduced to 20.6 days from 348 days,crucial improvements for real world cryptanalytic tasks.

Attacks always get better; they never get worse. None of these is practical yet, and they might never be. But there are certainly more optimizations to come.

14:49

Security updates for Monday [LWN.net]

Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), Oracle (kernel and krb5), Red Hat (grub2, libreoffice, mysql:8.0, pcs, thunderbird, tigervnc, webkit2gtk3, and xorg-x11-server), Slackware (expat, freetype, and php), SUSE (amazon-ssm-agent, chromedriver, ed25519-java, google-cloud-sap-agent, google-guest-agent, govulncheck-vulndb, libexslt0, libzvbi-chains0, php8, restic, rubygem-rack, subversion, tomcat, and tomcat10), and Ubuntu (freetype, resteasy, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).

14:35

Dubious security vulnerability: A program does not run correctly if you run it the wrong way [The Old New Thing]

Two similar denial of service security vulnerability reports arrived on the same day, and a third a day later. Each one took roughly this form, but with different programs substituted for XYZ.exe.

If you run the XYZ.exe program from the command prompt, it immediately crashes. This is a denial of service attack against XYZ.exe.

In all of the cases, the XYZ.exe programs are intended to be run in a special way. One is a service executable, and when it calls ServiceMain to register itself with the service control manager, the call fails (“Why are you calling me? You’re not a service!”), and the program exits with an assertion failure. In the other two cases, the programs are intended to be run as UWP programs, but the finder was executing them outside the AppContainer environment. The programs try to communicate with the UWP execution environment and fail, and they exit with assertion failures.

These assertion failures generate Windows Error Reports so that the problem can be investigated by the respective feature teams. After all, there might be a bug in the way the programs registered themselves to be run in their intended execution environments, so the teams want to investigate how their program got into a bad state.

But that’s not the case here. The programs fail to start not because they were registered improperly, but because the weren’t even being launched by the intended launcher program in the first place!

This was reported as a denial of service, but it’s not clear whose service is being denied.

I think the argument is that since the helper program crashes, the denial of service is that it fails to perform its intended task.

But did you prevent it from performing its intended task?

What you crashed was a copy of the helper program that you yourself created. You didn’t have any effect on the copies of the helper program used by the main programs. Those are the ones who actually have an intended purpose. And those copies still work fine.

It’s like buying an ambulance and putting the wrong kind of gasoline in it. This damages the ambulance. Is this a denial of service against ambulances?

No, this is just a denial of service against your ambulance. The ambulances owned by the hospital still work fine.

Now, if you had found a way to get the hospital to put the wrong kind of gasoline in their ambulances, then that would be interesting. But so far, this is just a case of destroying your own property. And you are perfectly within your rights to destroy your own property. There is no security vulnerability here.

Bonus chatter: A few weeks later, there was another report very similar to these, but in reverse. “Instead of running the XYZ.exe program from the command prompt or Start menu, run it in a low IL AppContainer. It crashes immediately.” Again, it’s crashing because you are running it in a way that it was never meant to be run, and in a way that the system never actually tries to run it. Running the program in a low IL AppContainer is nothing the system ever does, nor does the system ever invite the user to do so. Furthermore, the crashing of the program has no impact on anybody else.

The post Dubious security vulnerability: A program does not run correctly if you run it the wrong way appeared first on The Old New Thing.

13:28

Link [Scripting News]

I put out a call for Old School Bloggers, and got back a bunch of notes on Mastodon. Gettin' the band back together! :-)

Link [Scripting News]

Pradeep is using WordLand for some of his WordPress blog posts, and has given them a special category. Very smart, good use of categories.

13:00

James Valleroy: What’s New for FreedomBox in Debian 13 “trixie” [Planet Debian]

FreedomBox is a Debian blend that makes it easier to run your own server. Approximately every two years, there is a new stable release of Debian. This year’s release will be called Debian 13 "trixie".

This post will provide an overview of changes between FreedomBox 23.6 (the version that shipped in Debian 12 "bookworm") and 25.5 (the latest release). Note: Debian 13 "trixie" is not yet released, so things may still change, be added or removed, before the official release.

General

  • A number of translations were updated, including Albanian, Arabic, Belarusian, Bulgarian, Chinese (Simplified Han script), Chinese (Traditional Han script), Czech, Dutch, French, German, Hindi, Japanese, Norwegian Bokmål, Polish, Portuguese, Russian, Spanish, Swedish, Telugu, Turkish, and Ukrainian.
  • Fix cases where a package or service is used by multiple apps, so that disabling or uninstalling one app does not affect the other app.
  • When uninstalling an app, purge the packages, to remove all data and configuration.
  • For configuration files that need to be placed into folders owned by other packages, we now install these files under /usr/share/freedombox/etc/, and create a symbolic link to the other package’s configuration folder. This prevents the files being lost when other packages are purged.
  • Add an action to re-run the setup process for an app. This can fix many of the possible issues that occur.
  • Various improvements related to the "force upgrade" feature, which handles upgrading packages with conffile prompts.
  • Fix install/uninstall issues for apps that use MySQL database (WordPress, Zoph).
  • Improve handling of file uploads (Backups, Feather Wiki, Kiwix).
  • Switch to Bootstrap 5 front-end framework.
  • Removed I2P app, since the i2p package was removed from Debian.
  • Various user interface changes, including:
    • Add tags for apps, replacing short descriptions. When a tag is clicked, search and filter for one or multiple tags.
    • Organize the System page into sections.
    • Add breadcrumbs for page hierarchy navigation.
    • Add next steps page after initial FreedomBox setup.

Diagnostics

  • Add diagnostic checks to detect common errors.
  • Add diagnostics daily run, with notifications about failures.
  • Add Repair action for failed diagnostics, and option for automatic repairs.

Name Services

  • Move hostname and domain name configuration to Names page.
  • Support multiple static and/or dynamic domains.
  • Use systemd-resolved for DNS resolution.
  • Add options for setting global DNS-over-TLS and DNSSEC preferences.

Networks

  • Add more options for IPv6 configuration method.
  • Overhaul Wi-Fi networks scan page.

Privacy

  • Add option to disable fallback DNS servers.
  • Add option to set the lookup URL to get the public IP address of the FreedomBox.

Users and Groups

  • Delete or move home folder when user is deleted or renamed.
  • When a user is inactivated, also inactivate the user in LDAP.

Deluge

  • This BitTorrent client app should be available once again in Debian 13 "trixie".

Ejabberd

  • Turn on Message Archive Management setting by default, to help various XMPP clients use it.

Feather Wiki

  • Add new app for note taking.
  • This app lives in a single HTML file, which is downloaded from the FreedomBox website.

GitWeb

  • Disable snapshot feature, due to high resource use.
  • Various fixes for repository operations.

GNOME

  • Add new app to provide a graphical desktop environment.
  • Requires a monitor, keyboard, and mouse to be physically connected to the FreedomBox.
  • Not suitable for low-end hardware.

ikiwiki

  • Disable discussion pages by default for new wiki/blog, to avoid spam.

Kiwix

  • Add new app for offline reader of Wikipedia and other sites.

Matrix Synapse

  • Add an option for token-based registration verification, so that users signing up for new accounts will need to provide a token during account registration.

MediaWiki

  • Allow setting the site language code.
  • Increase PHP maximum execution time to 100 seconds.

MiniDLNA

  • Add media directory selection form.

Miniflux

  • Add new app for reading news from RSS/ATOM feeds.

Nextcloud

  • Add new app for file sync and collaboration.
  • Uses a Docker container maintained by the Nextcloud community. The container is downloaded from FreedomBox container registry.

OpenVPN

  • Renew server/client certificates, and set expiry to 10 years.

Postfix/Dovecot

  • Fix DKIM signing.
  • Show DNS entries for all domains.

Shadowsocks Server

  • Add new app for censorship resistance, separate from Shadowsocks Client app.

SOGo

  • Add new app for groupware (webmail, calendar, tasks, and contacts).
  • Works with Postfix/Dovecot email server app.

TiddlyWiki

  • Add new app for note taking.
  • This app lives in a single HTML file, which is downloaded from the FreedomBox website.

Tor Proxy

  • Add new app for Tor SOCKS proxy, separate from Tor app.

Transmission

  • Allow remote user interfaces to connect.

Conclusion

Over the past two years, FreedomBox has been increasing the number of features and applications available to its users. We have also focused on improving the reliability of the system, detecting unexpected situations, and providing means to return to a known good state. With these improvements, FreedomBox has become a good solution for people with limited time or energy to set up and start running a personal server, at home or in the cloud.

Looking forward, we would like to focus on making more powerful hardware available with FreedomBox pre-installed and ready to be used. This hardware would also support larger storage devices, making it suitable as a NAS or media server. We are also very interested in exploring new features such as atomic updates, which will further enhance the reliability of the system.

12:14

11:28

Too Many Red Flags [The Daily WTF]

Fresh out of university, Remco accepted a job that allowed him to relocate to a different country. While entering the workforce for the first time, he was also adjusting to a new home and culture, which is probably why the red flags didn't look quite so red.

The trouble had actually begun during his interview. While being questioned about his own abilities, Remco learned about Conglomcorp's healthy financial position, backed by a large list of clients. Everything seemed perfect, but Remco had a bad gut feeling he could neither explain nor shake off. Being young and desperate for a job, he ignored his misgivings and accepted the position. He hadn't yet learned how scarily accurate intuition often proves to be.

Red Flags Tiananmen Square

The second red flag was run up the mast at orientation. While teaching him about the company's history, one of the senior managers proudly mentioned that Conglomcorp had recently fired 50% of their workforce, and were still doing great. This left Remco feeling more concerned than impressed, but he couldn't reverse course now.

Flag number three waved during onboarding, as Remco began to learn about the Java application he would be helping to develop. He'd been sitting at the cubicle of Lars, a senior developer, watching over his shoulder as Lars familiarized him with the application's UI.

"Garbage Collection." Using his mouse, Lars circled a button in the interface labeled just that. "We added this to solve a bug some users were experiencing. Now we just tell everyone that if they notice any weird behavior in the application, they should click this button."

Remco frowned. "What happens in the code when you click that?"

"It calls System.gc()."

But that wasn't even guaranteed to run! The Java virtual machine handled its own garbage collection. And in no universe did you want to put a worse-than-useless button in your UI and manipulate clients into thinking it did something. But Remco didn't feel confident enough to speak his mind. He kept silent and soldiered on.

When Remco was granted access to the codebase, it got worse. The whole thing was a pile of spaghetti full of similar design brillance that mostly worked well enough to satisfy clients, although there was a host of bugs in the bug tracker, some of which had been rotting there for over 7 years. Remco had been given the unenviable task of fixing the oldest ones.

Remco slogged through another few months. Eventually, he was tasked with implementing a new feature that was supposed to be similar to existing features already in the application. He checked these other features to see how they were coded, intending to follow the same pattern. As it turned out, each and every one of them had been implemented in a different, weird way. The wheel had been reinvented over and over, and none of the implementations looked like anything he ought to be imitating.

Flummoxed, Remco approached Lars' cubicle and explained his findings. "How should I proceed?" he finally asked.

Lars shrugged, and looked up from a running instance of the application. "I don't know." Lars turned back to his screen and pushed "Garbage Collect".

Fairly soon after that enlightening experience, Remco moved on. Conglomcorp is still going, though whether they've retained their garbage collection button is anyone's guess.

[Advertisement] Picking up NuGet is easy. Getting good at it takes time. Download our guide to learn the best practice of NuGet for the Enterprise.

Vincent Bernat: Offline PKI using 3 YubiKeys and an ARM single board computer [Planet Debian]

An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA.

PKI relying on a set of 3 YubiKeys: 2 for the root CA and 1 for the intermediate CA.
Offline PKI backed up by 3 YubiKeys

This post describes an offline PKI system using the following components:

  • 2 YubiKeys for the root CA (with a 20-year validity),
  • 1 YubiKey for the intermediate CA (with a 5-year validity), and
  • 1 Libre Computer Sweet Potato as an air-gapped SBC.

It is possible to add more YubiKeys as a backup of the root CA if needed. This is not needed for the intermediate CA as you can generate a new one if the current one gets destroyed.

The software part

offline-pki is a small Python application to manage an offline PKI. It relies on yubikey-manager to manage YubiKeys and cryptography for cryptographic operations not executed on the YubiKeys. The application has some opinionated design choices. Notably, the cryptography is hard-coded to use NIST P-384 elliptic curve.

The first step is to reset all your YubiKeys:

$ offline-pki yubikey reset
This will reset the connected YubiKey. Are you sure? [y/N]: y
New PIN code:
Repeat for confirmation:
New PUK code:
Repeat for confirmation:
New management key ('.' to generate a random one):
WARNING[pki-yubikey] Using random management key: e8ffdce07a4e3bd5c0d803aa3948a9c36cfb86ed5a2d5cf533e97b088ae9e629
INFO[pki-yubikey]  0: Yubico YubiKey OTP+FIDO+CCID 00 00
INFO[pki-yubikey] SN: 23854514
INFO[yubikit.management] Device config written
INFO[yubikit.piv] PIV application data reset performed
INFO[yubikit.piv] Management key set
INFO[yubikit.piv] New PUK set
INFO[yubikit.piv] New PIN set
INFO[pki-yubikey] YubiKey reset successful!

Then, generate the root CA and create as many copies as you want:

$ offline-pki certificate root
Management key for Root X:
Plug YubiKey "Root X"...
INFO[pki-yubikey]  0: Yubico YubiKey CCID 00 00
INFO[pki-yubikey] SN: 23854514
INFO[yubikit.piv] Data written to object slot 0x5fc10a
INFO[yubikit.piv] Certificate written to slot 9C (SIGNATURE), compression=True
INFO[yubikit.piv] Private key imported in slot 9C (SIGNATURE) of type ECCP384
Copy root certificate to another YubiKey? [y/N]: y
Plug YubiKey "Root X"...
INFO[pki-yubikey]  0: Yubico YubiKey CCID 00 00
INFO[pki-yubikey] SN: 23854514
INFO[yubikit.piv] Data written to object slot 0x5fc10a
INFO[yubikit.piv] Certificate written to slot 9C (SIGNATURE), compression=True
INFO[yubikit.piv] Private key imported in slot 9C (SIGNATURE) of type ECCP384
Copy root certificate to another YubiKey? [y/N]: n

You can inspect the result:

$ offline-pki yubikey info
INFO[pki-yubikey]  0: Yubico YubiKey CCID 00 00
INFO[pki-yubikey] SN: 23854514
INFO[pki-yubikey] Slot 9C (SIGNATURE):
INFO[pki-yubikey]   Private key type: ECCP384
INFO[pki-yubikey]   Public key:
INFO[pki-yubikey]     Algorithm:  secp384r1
INFO[pki-yubikey]     Issuer:     CN=Root CA
INFO[pki-yubikey]     Subject:    CN=Root CA
INFO[pki-yubikey]     Serial:     1
INFO[pki-yubikey]     Not before: 2024-07-05T18:17:19+00:00
INFO[pki-yubikey]     Not after:  2044-06-30T18:17:19+00:00
INFO[pki-yubikey]     PEM:
-----BEGIN CERTIFICATE-----
MIIBcjCB+aADAgECAgEBMAoGCCqGSM49BAMDMBIxEDAOBgNVBAMMB1Jvb3QgQ0Ew
HhcNMjQwNzA1MTgxNzE5WhcNNDQwNjMwMTgxNzE5WjASMRAwDgYDVQQDDAdSb290
IENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERg3Vir6cpEtB8Vgo5cAyBTkku/4w
kXvhWlYZysz7+YzTcxIInZV6mpw61o8W+XbxZV6H6+3YHsr/IeigkK04/HJPi6+i
zU5WJHeBJMqjj2No54Nsx6ep4OtNBMa/7T9foyMwITAPBgNVHRMBAf8EBTADAQH/
MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAwNoADBlAjEAwYKy/L8leJyiZSnn
xrY8xv8wkB9HL2TEAI6fC7gNc2bsISKFwMkyAwg+mKFKN2w7AjBRCtZKg4DZ2iUo
6c0BTXC9a3/28V5aydZj6rvx0JqbF/Ln5+RQL6wFMLoPIvCIiCU=
-----END CERTIFICATE-----

Then, you can create an intermediate certificate with offline-pki yubikey intermediate and use it to sign any CSR with offline-pki certificate sign. Be careful and inspect the CSR before signing it, as only the subject name can be overridden. Check the documentation for more details. Get the available options using the --help flag.

The hardware part

To ensure the operations on the root and intermediate CAs are air-gapped, a cost-efficient solution is to use an ARM64 single board computer. The Libre Computer Sweet Potato SBC is a more open alternative to the well-known Raspberry Pi.1

Libre Computer Sweet Potato single board computer relying on the Amlogic S905X SOC
Libre Computer Sweet Potato SBC, powered by the AML-S905X SOC

I interact with it through an USB to TTL UART converter:

$ tio /dev/ttyUSB0
[16:40:44.546] tio v3.7
[16:40:44.546] Press ctrl-t q to quit
[16:40:44.555] Connected to /dev/ttyUSB0
GXL:BL1:9ac50e:bb16dc;FEAT:ADFC318C:0;POC:1;RCY:0;SPI:0;0.0;CHK:0;
TE: 36574

BL2 Built : 15:21:18, Aug 28 2019. gxl g1bf2b53 - luan.yuan@droid15-sz

set vcck to 1120 mv
set vddee to 1000 mv
Board ID = 4
CPU clk: 1200MHz
[…]

The Nix glue

To bring everything together, I am using Nix with a Flake providing:

  • a package for the offline-pki application, with shell completion,
  • a development shell, including an editable version of the offline-pki application,
  • a NixOS module to setup the offline PKI, resetting the system at each boot,
  • a QEMU image for testing, and
  • an SD card image to be used on the Sweet Potato or an ARM64 SBC.
# Execute the application locally
nix run github:vincentbernat/offline-pki -- --help
# Run the application inside a QEMU VM
nix run github:vincentbernat/offline-pki\#qemu
# Build a SD card for the Sweet Potato or for the Raspberry Pi
nix build --system aarch64-linux github:vincentbernat/offline-pki\#sdcard.potato
nix build --system aarch64-linux github:vincentbernat/offline-pki\#sdcard.generic
# Get a development shell with the application
nix develop github:vincentbernat/offline-pki

  1. The key for the root CA is not generated by the YubiKey. Using an air-gapped computer is all the more important. Put it in a safe with the YubiKeys when done! ↩︎

10:56

Terms for a would-be autocrat of US [Richard Stallman's Political Notes]

Ralph Nader's derogatory terms for the would-be autocrat of America. If you use them often enough, they can help you decide to take other other necessary actions.

Dumb Donald Convicted Crook Donald Trump Lying Donald Delusional Donald Dangerous Donald Disgusting Donald Serial Law-breaker Donald Deceiver Donald Loser Donald Trump-serial abuser of women Lazy Donald Violence Inciter Donald Trump-obstructor of Justice Dictator Donald Dictator-lover Donald Weak Donald Dishonest Donald Deadly Donald – Early Covid Denier Fake Donald Tax Escapee Donald Unstable Donald The Lyin’ King Cheating Donald Low IQ DONALD Racist Trump Know-Nothing Donald Know It All Trump Insecure Donald Don the Con The Incompetent Trump Trump the Grifter Betrayer Trump Greedy Trump Pardon Myself Donald Lawless Donald Corrupt Don Ignorant Don Bragging Trump Trump Fantasy Land Daily Lawbreaking Donald Egomaniacal Donald The Trump Dump

You may have seen these used here: The Aggressor The Bullshitter The Cheater The Corrupter The Corruptor The Disease-spreader The Exploiter The Fascist The Gangster The Grandstander The Grifter The Hustler The Hate-monger The Hater The Hate-spreader The Hostage-taker The Liar The Loser The Monster The Murderer-in-chief The Persecutor The Poisoner The Provocateur The Pussy-grabber The Repressor The Saboteur The Saboteur The Scapegoater The Truth-hater The War-dreamer The War-lover The Warlover The Warmonger The Warmonger-in-chief The Wrecker

10:21

Grrl Power #1339 – Qaplonk’ [Grrl Power]

SYDNEY: “Wait, how am I a danger to myself?”
MAXIMA: “Well, you did you just hit your superior officer with a deadly weapon… even if it’s decidedly non-deadly to me. Still, you did just volunteer to peel every potato in…”
SYDNEY: //fidgeting with bat’leth, drops it on foot.//
SYDNEY: “Ow! Ow! OW! Back of the handle right on the long bones!”
MAXIMA: “Also that.”

If you were an agent of chaos, handing Sydney a giant, awkward, heavy, bladed thing isn’t the worst plan. Or giving her artifacts that grant her amazing superpowers. I’m not suggesting Deus had anything to do with that, but… if he had been in a position to arrange it, he certainly would have considered it.

I think a proper, steel bat’leth would weigh about 20-25 pounds? Depending entirely on how thick it was. The prop that Worf had on the show looked like it was maybe 1/3″ thick, and almost certainly not made of steel. Maybe aluminum? I could probably google it. Hmm. I found a prop replica, 1/4″ thick, made of aluminum, weighing in at 4 pounds. Honestly I thought Worf’s bat’leth looked like a dull nerf weapon if not for the way it caught the light sometimes. I’d assume they’d have two versions of the prop – a dangerously sharp one for display and closeups, then a HEMA or SCA safe version for twirling around and stage fights. The Sword of Kahless looked way chonkier and sharper. I found a “full size” prop on Amazon for sale made of steel, but it weighed less than a pound, because it looked about as thin as a piece of sheet metal. If the prop on the show was made of steel, I’m sure it would be impractically heavy. At least for a human to wield in a fight.

Klingons were supposedly something like 4 or 5 times stronger than humans, but that was just something the writers said. The guys staging the fights never got the memo, because human starfleet officers almost never lost a fight to one on camera. Major Kira, beanpole that she was, won every melee she got into against a klingon if I recall correctly. Oh, but she was an expert guerilla combatant, you say? That’s fine if she’s lacing the hallways with claymores, but I distinctly remember her blocking an overhead strike from a klingon by holding her phaser rifle sideways, then shunting the bat’leth off to the side, then hitting the klingon with the rifle, and he went down. That was definitely just lazy “main character VS. the one-hit-die schlub” writing, but really, a woman (and it was never established if bajorans had any particular strength or skeletal advantage over humans, so let’s just assume that Major Kira was as strong as a fit, slender human woman), a woman blocking an overhead strike from a man who, as most guys cast as kingons go, probably had six inches on her and a hundred pounds… Okay, sure. I can see that happening. If she meets the strike just right and yes, she has a decade of experience as a soldier. Not impossible. If her opponent was a human male and was only twice her strength. However, if that guy is 4 times as strong as her – and really – a female klingon would be 4 times as strong as her. A male klingon would probably be closer to six to eight times as strong as her, her arms would have buckled or her shoulders would have dislocated, or her rifle would have been ripped out of her grip (let’s assume the rifle is made of space polymers and doesn’t just snap in half) and that bat’leth should slammed into her brainpan.

So I submit to you that klingons were nowhere near 4 times stronger than humans. 40% stronger, maybe.

You know what’s weird and unnecessary? You won’t guess what I’m going to write, so I’ll just tell you. Memory Alpha had a wiki page for an “hour.” Is it a space-hour that takes into account time dilation or some sort of galactic unit of time that’s different than a standard 20th century Earth hour? No. It’s just an hour. Why it needs a dedicated page on the Star Trek wiki is baffling to me, but it’s late as I write this so maybe I’m missing something obvious.

I’m going to try something with this new vote incentive.

This month, I’m closing on a new house, selling my Mom’s house, finishing packing Mom’s house, moving city to city to the new house, forwarding mail, canceling utilities, all that. And after that’s done, I get to start the process of selling my old house, which needs a little work before it can realistically go on the market.

SO. I’m going to try and do this vote incentive in stages. Currently it’s just pencils. The TopWebcomics one will update with colors and detail until we get to the no clothes versions, then that will continue over at Patreon. Also there will be a comic or two in between each version to fill out the story.

I know it’s hard to tell from just the pencils, but this is Heatwave and Jiggawatt. The comics will explain why they’re doing what they’re doing. Although I feel like even saying that much makes it easy to guess, but hopefully the journey will still amuse.

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

09:49

You are a media theorist [Seth's Blog]

If you’ve ever caught a ball, you’re a physicist. You might not be trained in it, but your intuitive sense of where the ball is going to land requires having a theory about gravity.

And if you’ve ever taken aspirin for a headache, you’ve articulated a theory about medicine.

Studying physics is unlikely to make you a better baseball player, but understanding economics will probably make you a better investor.

How are your theories working out for you?

Everyone who votes (or chooses not to) has a theory of politics. And when those theories don’t square up with what’s happening, it might benefit us to look into why. Defaulting to intuitive theory making is fine, as long as the theories pay off.

Every time you read, post, listen or engage with media, you’re engaging in media theory. Assertions about why you focus your attention in one place instead of another. Theories about how accurate the insights you’re getting are, or the benefits you’ll get from being informed in this place instead of that one.

The culture we live in always feels normal, but it’s a new normal, almost completely different from the one our parents lived in. A lot of the normal is in media. Where we get our news, what gets put on our agenda, how the noise turns into information and how the information changes our affect…

Don’t surrender agency too easily. Articulating a theory of media and being choosy about how we spend our focus and our trust helps us thrive.

09:35

Pluralistic: David Enrich's "Murder the Truth" (17 Mar 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


The cover for the Harpercollins edition of David Enrich's 'Murder the Truth.'

David Enrich's "Murder the Truth" (permalink)

David Enrich's Murder the Truth: Fear, the First Amendment, and a Secret Campaign to Protect the Powerful is a brave, furious book about the long-running plan by America's wealthy and corrupt to "open up the libel laws" so they can destroy their critics:

https://www.harpercollins.com/products/murder-the-truth-david-enrich

Enrich is a veteran business reporter at the New York Times; he's reported extensively on high finance and sleaze, and has a knack for piercing the Shield of Boredom that protects finance crimes from scrutiny. His 2017 book The Spider's Web manages the nearly impossible trick of making the LIBOR-rigging conspiracy – which involved trillions, but in ways that were so baroque that hardly anyone noticed – comprehensible:

https://memex.craphound.com/2017/09/24/the-spider-network-a-novelistic-account-of-the-mediocre-rich-men-who-robbed-the-world-with-libor/

In taking on the libel-industrial complex – a network of shadowy, thin-skinned, wealthy litigation funders; crank academics; buck-chasing lawyer lickspittle sociopaths; and the most corrupt Supreme Court justice on the bench today – Enrich is wading into dangerous territory. After all, he's reporting on people who've made it their life's mission to financially destroy anyone who has the temerity to report on their misdeeds.

As such, Enrich's writing is extremely cautious, sometimes comically so, but always intentionally, in a way that highlights the absurd chilling effect his subjects are attempting to induce in all of us.

The book primarily concerns itself with the effort to overturn Sullivan, a 1964 Supreme Court case that established protections for media outlets that report on public figures and commit minor factual errors, provided that the errors were neither negligent nor malicious.

Since Sullivan, media outlets have held the upper hand when reporting on public figures. While Sullivan isn't a license to simply make stuff up about celebrities, politicians and business leaders, it does mean that if a reporter makes a minor misstatement, it's on the subject of the reporting to prove that the error was negligent and/or malicious.

Before Sullivan, most defamation litigation happened in state courts, and southern courts allowed lawmakers and cops to sue newspapers that reported on racial terror campaigns during the civil rights fight. The judgments involved were so large that many media outlets simply gave up on reporting on the intimidation, violence and murder taking place in the Jim Crow south.

True to form, Clarence Thomas has led the charge to dismantle a law that was key to the struggle for rights for Black people and other disfavored minorities. In Enrich's telling, Thomas's animus for Sullivan started during his confirmation hearings, when Anita Hill described his relentless sexual harassment of the lawyers who worked for him, including Hill. Being the subject of a media firestorm that painted him as a disgusting, cruel sex-pest seems to have inspired Thomas in a decades-long campaign to find a case that would let him tear down Sullivan, so that wealthy people could once again intimidate reporters into silence. Of course, Thomas's hatred for Sullivan only grew when Propublica revealed that he had taken numerous "gifts" from wealthy "friends" who had business before the courts, revelations that will forever make Thomas's name a synonym for corruption.

Enrich's cast of characters includes a clutch of whiny, ultra-rich axe-grinders, who finance (often in secret) lawsuits that are designed to chip away at Sullivan. Some are international looters or corrupt ex-Soviet oligarchs, but others are ideologues, committed to the principle of impunity for the powerful.

He also introduces us to the lawyers who wage these battles. As you might imagine, the kind of lawyer who sits up at night figuring out how to help wealthy, powerful people destroy their critics is often a crank themselves, with "colorful" personal relations that Enrich reports on with meticulous prose, including the many denials and non-denials his subjects sent when he sought comment.

As with his LIBOR book, Enrich does yeoman duty here unpacking complex matters that would be dull in a lesser writer's hands. The litigation strategies devised by Sullivan's enemies are always convoluted and are sometimes clever, much like the litigation strategies used to kill campaign finance limits (Citizens United) and abortion rights (Dobbs). Indeed, many of the financiers, think-tanks and lawyers behind those plots are also would-be Sullivan slayers.

The best of these legal gambits are actually rather clever – locating innocent people who've been genuinely wronged by Sullivan (as the saying goes, "hard cases make bad law") and then using them to undermine Sullivan, without actually helping them in any way. It's positively fiendish.

We're in a moment when a lot of powerful people are getting far more powerful, and abusing that power to commit wildly corrupt acts. The only way we'll know about this is if the press can freely report on their misdeeds. Murder the Truth is a vital guide to the next Citizens United, the next Dobbs – a campaign to take away your right to know about the next assault on your rights that plutocrats will launch.

Hey look at this (permalink)


A Wayback Machine banner.

Object permanence (permalink)

#20yrsago Help defend bloggers’ rights to keep their sources secret https://www.eff.org/cases/apple-v-does

#20yrsago Fans beg Sony to sell them lost Fiona Apple album that’s on P2P https://www.sfgate.com/entertainment/morford/article/Who-Will-Free-Fiona-Apple-Suddenly-on-the-2723119.php

#20yrsago Grokster scorecard: what theories of liability do the amici endorse? https://craphound.com/grokster-charts.pdf

#20yrsago ETECH Notes: Life Hacks Live! https://craphound.com/etech2005-lifehacks.txt

#20yrsago Sterling and Steffen’s SXSW keynote https://web.archive.org/web/20050318074350/http://www.worldchanging.com/archives/002353.html

#20yrsago Orrin Hatch is head of new IP subcommitee https://www.technewsworld.com/story/hatch-to-lead-senate-panel-on-intellectual-property-41548.html

#20yrsago Hollywood stars look like crap in high-def https://web.archive.org/web/20050324045011/http://www.onhd.tv/thelist.htm

#20yrsago Self-replicating 3D printers https://web.archive.org/web/20050410074636/https://www.newscientist.com/article.ns/?id=dn7165

#20yrsago Andre Norton, RIP https://web.archive.org/web/20050318045717/https://www.cnn.com/2005/SHOWBIZ/books/03/17/obit.norton.ap/index.html

#15yrsago YouTube: Viacom secretly posted its videos even as they sued us for not taking down Viacom videos https://blog.youtube/news-and-events/broadcast-yourself/

#15yrsago Entertainment industry sours on term “pirate” — too sexy https://arstechnica.com/tech-policy/2010/03/piracy-sounds-too-sexy-say-rightsholders/

#15yrsago Is the UK record industry arrogant or stupid? https://www.theguardian.com/technology/2010/mar/18/digital-economy-bill-calculated-loss

#15yrsago Michael Lewis’s THE BIG SHORT, visiting the econopocalypse through the lens of LIAR’S POKER https://memex.craphound.com/2010/03/17/michael-lewiss-the-big-short-visiting-the-econopocalypse-through-the-lens-of-liars-poker/

#10yrsago Playing the unplayable Death March (but not releasing the penguins) https://www.youtube.com/watch?v=O3Nc4iR7rGA

#10yrsago NYPD officers who wikiwashed police brutality pages will get wrist-slaps https://www.dnainfo.com/new-york/20150316/civic-center/2-nypd-officers-who-edited-wikipedia-posts-face-no-punishment-sources-say/

#10yrsago The Glorkian Warrior Eats Adventure Pie https://memex.craphound.com/2015/03/17/the-glorkian-warrior-eats-adventure-pie/

#10yrsago J. Edgar Hoover palled around with a suspected commie spy https://www.muckrock.com/news/archives/2015/feb/26/fbi-files-congressman-dickstein-show-close-relatio/

#10yrsago DRM for woo: “light therapy” mask’s LED only works 30 times https://www.techdirt.com/2015/03/18/drm-how-to-make-30000-hour-led-bulbs/

#10yrsago Canadian court hands a gimme to copyright trolls https://www.michaelgeist.ca/2015/03/defending-privacy-doesnt-pay-federal-court-issues-ruling-in-voltage-teksavvy-costs/

#10yrsago Clinton’s sensitive email was passed through a third-party spam filtering service https://web.archive.org/web/20150317223142/http://www.dvorak.org/blog/2015/03/16/breaking-news-spam-filtering-service-had-access-to-clinton-classified-emails/comment-page-1/

#10yrsago Following the key Trans-Pacific Partnership senator with a 30′ blimp https://www.youtube.com/watch?v=WDKzwB8GhN0

#5yrsago Plague precautions from 1665 https://pluralistic.net/2020/03/18/diy-tp/#hello-1665

#5yrsago How to make your own toilet paper https://pluralistic.net/2020/03/18/diy-tp/#diy-tp

#5yrsago If nothing is for sale, how will covid stimulus work? https://pluralistic.net/2020/03/18/diy-tp/#covid-stimulus

#5yrsago 3D printed ventilator hero got a patent threat https://pluralistic.net/2020/03/18/diy-tp/#patently-absurd

#5yrsago Epidemiology and public health in 14 minutes https://pluralistic.net/2020/03/18/diy-tp/#explainer

#5yrsago Bigoted Republican Congressjerk votes against coronavirus relief because it might cover same-sex partnerships https://pluralistic.net/2020/03/18/diy-tp/#repandybiggs

#5yrsago How to split a single ventilator for four patients https://pluralistic.net/2020/03/18/diy-tp/#ventilator-sharing

#5yrsago John Green's mutual aid manifesto https://pluralistic.net/2020/03/18/diy-tp/#nerdfighters

#5yrsago American Airlines blew billions, now it wants a bailout https://pluralistic.net/2020/03/18/diy-tp/#aa-crashes

#5yrsago MAGA firefighters dismiss coronavirus as Democrat hoax https://pluralistic.net/2020/03/18/diy-tp/#trump-virus

#5yrsago Charter orders all workers to keep showing up https://pluralistic.net/2020/03/18/diy-tp/#sociopathy

#5yrsago Patent trolls try to shut down covid testing https://pluralistic.net/2020/03/17/pluralistic-17-mar-2020/#fortress-investment-group

#5yrsago Talking digital writing careers with the Writing Excuses podcast https://pluralistic.net/2020/03/17/pluralistic-17-mar-2020/#writing-excuses

#5yrsago Naomi Klein: this disaster has no room for disaster capitalism https://pluralistic.net/2020/03/17/pluralistic-17-mar-2020/#disaster-socialism

#5yrsago The Masque of the Red Death and Punch Brothers Punch https://pluralistic.net/2020/03/17/pluralistic-17-mar-2020/#punchmasque

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026


Colophon (permalink)

Today's top sources:

Currently writing:

  • Enshittification: a nonfiction book about platform decay for Farrar, Straus, Giroux. Status: second pass edit underway (readaloud)

  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS FEB 2025

Latest podcast: With Great Power Came No Responsibility: How Enshittification Conquered the 21st Century and How We Can Overthrow It https://craphound.com/news/2025/02/26/with-great-power-came-no-responsibility-how-enshittification-conquered-the-21st-century-and-how-we-can-overthrow-it/

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

09:07

Joe Marshall: Series vs. streams [Planet Lisp]

A generator is an abstraction of a sequence of values. It is a procedure that returns the next value in the sequence each time it is invoked. The generator can run out of items to return at some point if the sequence is finite, or it can keep generating values if the sequence is ininite.

A generator is decidely non-functional. Each time it is called it has the potential to return a different value. But let's make it functional. Instead of returning a single value, let's return two values: the next value in the sequence and the next state of the generator. The generator can now be pure functional and return the exact same two values each time. The caller will keep track of the current generator will replace the current generator with the next one returned by the call.

We implement generators as a promise that returns a pair of the next value and the next generator. The returned pair is what S&ICP call a stream. In other words, a stream is output of a functional generator that is 180 degrees out of phase of the generator.

Streams are similar to series in that you can write computations that operate on the aggregate stream, but it will be piplined to operate one element at time. But rather than having the compiler perform a code walk to set up an explicit pipeline, the runtime system sets up an implicit pipeline through the constraints of the promises. This makes streams a bit more flexible than series.

Series are more efficient than streams because the compiler can turn the implicit pipeline into an explicit one that is easy to optimize. Streams turn into a series of nested lexical closures with the attendant overhead.

One of the difficulties in using streams is that you often have to pay very careful attention to avoid fencepost errors and generating elements one beyond what is necessary. This isn't just a matter of using up a tad more storage, but it can lead to unexpected infinite loops because you attempt to reach one beyond the base case. Very often you find that you need two versions of each function: one that takes a stream argument, and one that takes a generator argument that you are careful to avoid calling unless necessary.

Streams are lazy by nature. Laziness introduces a need for static types. If you have a computed value, you can examine it to find out its type, but if you have a promise, you cannot tell what type of object it will return without forcing the promise. You cannot do a type dispatch on a promise because you don't know what it will return. A static type would indicate the type of the returned value without forcing the promise.

Series requires that the entire pipeline from source to sink be visible to the compiler. Streams do not have this requirement.

Despite their drawbacks, I rather like streams. I use them in my linear-fractional-transformations package to represent exact real numbers as streams of linear fractional transformations. I also use streams of integers to represent the continued fraction expansion of exact real numbers.

08:00

Is What It Is [Penny Arcade]

New Comic: Is What It Is

07:35

04:28

Girl Genius for Monday, March 17, 2025 [Girl Genius]

The Girl Genius comic for Monday, March 17, 2025 has been posted.

04:07

Comic Strip for Monday, March 17, 2025 [General Protection Fault: Comic Updates]

Current Story: Surreptitious Machinations II: Ashes to Ashes

02:21

Sunday, 16 March

23:49

Kernel prepatch 6.14-rc7 [LWN.net]

Linus has released the seventh (and probably last) prepatch for the 6.14 release. "Things continue to look quite calm, and I expect to release the final 6.14 next weekend unless something very surprising happens".

23:21

Brain damage in seabirds [Richard Stallman's Political Notes]

*Plastic pollution leaves seabirds with brain damage similar to Alzheimer's.*

This doesn't prove it harms humans too, but it makes that seem likely.

Oil and gas conference [Richard Stallman's Political Notes]

*At a major oil and gas conference in Texas this week, companies publicly retreated from their flashy climate pledges of years past, redoubling their commitment to planet-[roasting] fossil fuels.*

These companies are taking actions that will wipe out increasing fractions of future generations in America and other countries.

Young people who condemn democracy [Richard Stallman's Political Notes]

Why do young people who condemn democracy for its flaws, and would prefer autarchy, not understand how bad that is?

"Ethics waiver" to advisor of "AI" and cryptocurrency [Richard Stallman's Political Notes]

The corrupter gave his special advisor for so-called AI and cryptocurrency an "ethics waiver", meaning he is permitted to give advice on questions that directly affect his own business interests.

Since the corrupter/bully disregards ethics in favor of crude power, he wants advisors who do the same.

Reforming corps of military lawyers [Richard Stallman's Political Notes]

The wrecker plans to reform the corps of military lawyers to systematically condone some kinds of war crimes.

We can call this MABA, or Make America Barbaric Again.

Miami Beach trying to evict cinema [Richard Stallman's Political Notes]

Miami Beach is trying to evict an independent cinema for showing the Oscar-winning documentary, No Other Land, which documents expulsion of Palestinians from their homes in the West Bank. The film was made by Palestinians and Israelis working together.

This documentary has faced powerful censorship in the US.

Based on what I have read, it would not surprise me if the film contains occasional antisemitic statements that I would disapprove of, alongside occasional statements of antimuslimism and antiarabism that I would also disapprove of. I don't think the movie endorses any of those views. I don't know enough to say more than that about the film.

I can, however, condemn the repression that aims to prevent showing the film.

Thugs attacked demonstrators who were retired people [Richard Stallman's Political Notes]

*More than 1,000 riot [thugs] used teargas, rubber[-coated steel] bullets and water cannons [plus clubs] to [attack] demonstrators [who were retired people] late on Wednesday.* The aged protesters were protesting the right-wing extremist's cuts to their medicines.

Their signs saying things like "Don't hit us, we are your parents" did not restrain the thugs from going wild with violence.

That is the spirit that right-wing extremism builds up and looses against its scapegoats.

Lesson in patriotism [Richard Stallman's Political Notes]

A lesson in patriotism from President T. Roosevelt for people who are more loyal to one leader than to their country.

Convincing big pollution emitters to save themselves [Richard Stallman's Political Notes]

The UK's energy minister recognizes that saving the UK from global heating disaster depends on convincing big emitters such as China to save themselves.

Apple fighting UK government [Richard Stallman's Political Notes]

Apple is fighting a lawsuit by the UK government which demands that Apple add a back door to examine whatever users store in Apple's encrypted storage servers.

Does anyone with a UK legal background know how this case compares to the case of a laptop with GPG loaded on it? If there is a legal difference between that case and the case of the iThing, can you explain what that difference is?

23:00

22:49

Blogging is due for a refresh [Scripting News]

A lot has changed since the last time we took a serious look at blogging. A few items, as examples.

  1. When RSS came along Markdown didn't exist. The two technologies belong together, imho.
  2. Websockets have replaced long polling.
  3. Servers got cheap! (and easy to deploy).
  4. SQL is fast and the tools are much better.
  5. The user interfaces of all the Web 2.0+ products didn't exist last time we created new blogging communities. We can borrow ideas from twitter-like systems, even huge products like Facebook and Spotify have innovations that come long after the initial wave of blogging.

But one thing stays the same -- all the components are replaceable. Absolutely zero lock-in. We use simple standard APIs where they exist, and create new minimal formats and protocols where they don't.

Blogging has a simple philosophy that remains constant.

22:07

WordLand v0.50 [Scripting News]

Adding and deleting categories are part of WordLand 0.50, released earlier today. These are the same categories you can edit in the WordPress user interface. But I learned that you need to be able to add categories when you're writing. You want this functionality to be close-by.

Two columns in the Categories dialog. More efficient use of space.

Context menu with two new commands.

Change notes are here.

17:07

The Church Desk [Whatever]

A few weeks ago I inaugurated my work desk at the church, but there were still a couple of things missing, namely a full-sized keyboard and monitor. The MacBook is nice and all, but I notice getting a crick in my neck after a while. The monitor and keyboard (and mouse) are nothing especially fancy, but they are more comfortable to use for a long period of time. Plus now if I want I can open up the MacBook and rock a dual screen. Look at me being fancy.

This is how I’m spending my weekend. Hope yours is all right for you.

— JS

16:42

Link [Scripting News]

Adding and deleting categories coming to WordLand, probably later today. These are the same categories you can edit in the WordPress user interface. But I learned that you need to be able to add categories when you're writing. You want this functionality to be close-by.

14:28

14:07

13:42

Bits from Debian: Debian Med Sprint in Berlin [Planet Debian]

Debian Med sprint in Berlin on 15 and 16 February

The Debian Med team works on software packages that are associated with medicine, pre-clinical research, and life sciences, and makes them available for the Debian distribution. Seven Debian developers and contributors to the team gathered for their annual Sprint, in Berlin, Germany on 15 and 16 February 2025. The purpose of the meeting was to tackle bugs in Debian-Med packages, enhance the quality of the team's packages, and coordinate the efforts of team members overall.

This sprint allowed participants to fix dozens of bugs, including release-critical ones. New upstream versions were uploaded, and the participants took some time to modernize some packages. Additionally, they discussed the long-term goals of the team, prepared a forthcoming invited talk for a conference, and enjoyed working together.

More details on the event and individual agendas/reports can be found at https://wiki.debian.org/Sprints/2025/DebianMed.

10:56

Freedoms in speech and academia, UK [Richard Stallman's Political Notes]

*Stimulate debate on contentious topics, expert urges English universities.*

Debate on controversial political and philosophical questions is a traditional part of studying politics and moral philosophy.

Mahmoud Khalil deportation [Richard Stallman's Political Notes]

The attempt to deport Mahmoud Khalil is based on stretching an obscure law that allows the State Department to declare that a foreigner's presence in the US would have "potentially serious adverse foreign policy consequences."

This is so vague that, if it is accepted by courts, it would give officials an excuse to cancel the green card of nearly anyone who disagrees with some US government practice.

Other countries have been attacking freedom of speech for foreigners too.

Ceasefire proposal, UKR [Richard Stallman's Political Notes]

Ukraine has accepted the bully's demand for a temporary cease-fire with Russia. If Putin accepts that, it will put Ukraine in an even worse situation.

It would be easy for a cease-fire to extend slowly into annexation of the territory already conquered. However, Ukraine's control of Russian territory in Kursk may help prevent that, because Putin won't want to accept permanent loss of any Russian territory.

Oppression against Mahmoud Khalil, US [Richard Stallman's Political Notes]

Lawyers for Mahmoud Khalil accuse the deportation thugs of taking him rapidly to two other prisons as a means of making him suffer and hampering his lawyers from communicating with him.

CAN, Europe, boycotting US [Richard Stallman's Political Notes]

*From Canada to Europe, a movement to boycott US goods is spreading.*

I understand the feeling, but I think it would be more effective, as well as more just, to target their rage and disgust more specifically. They could boycott the muskrat's companies, and Amazon, and Face-gram, and perhaps others that might be identified.

I implore them to extend their hatred for Nazish Americans to apply also to Nazish Europeans.

Urgent: Protect protesting students [Richard Stallman's Political Notes]

US citizens: call on various university presidents to protect protesting students from threats of government repression.

signing without Javascript

Here's how to make the actionnetwork.org letter campaign linked above work without running the site's nonfree JavaScript code. (See https://gnu.org/philosophy/javascript-trap.html.)

First, make sure you have deactivated JavaScript in your browser or are using the LibreJS plug-in.

I have done the next step for you: I added `?nowrapper=true' to the end of the campaign URL before posting it above. That should bring you to a page that starts with, "Letter campaigns will not work without javascript!"

They indeed won't work without some manual help, but the following simple method seems adequate for many of them, including this one.

To start, fill in the personal information answers in the box on the right side of the page. That's how you say who's sending the letter.

Then click the "START WRITING" button. That will take you to a page that can't function without nonfree JavaScript code. (To ensure it doesn't function perversely by running that nonfree code, you can enable LibreJS or disable JavaScript by visiting that page.) You can finish sending without that code By editing its URL in the browser's address bar, as follows:

First, go to the end and insert `&nowrapper=true'. Then tell the browser to visit that URL. This should give you a version of the page that works without JavaScript. Edit the subject and body of your letter. Finally, click on the "SEND LETTER" button, and you're done.

This method seems to work for letter campaigns that send the letters to a fixed list of recipients, the same recipients for every sender. Editing and revisiting the URL is the only additional step needed to bypass the nonfree JavaScript code. I'm sure you'll agree it is a small effort for the result of supporting the campaign without opening your computer to unjust (and potentially malicious) software.

My letter

Here is the text I sent.

Defend academic freedom and rule of law

I call on you to defend and protect students from punishment for courageously speaking out against a long campaign of deadly atrocities combined with a deadly siege.

International students now face a new threat from right-wing extremists in our government, who seek to deport them without trial for speaking up against atrocities. This attacks the Bill of Rights and academic freedom in the United States, as well as international humanitarian law whose enforcement they advocate.

Students should be saluted for nonviolent political action, not punished, and never victimized by police or ICE for exercising their rights. Shutting down dissent undermines the principles of free speech, rule of law and academic freedom that universities are meant to uphold.

I implore you to resist illegal un-American orders from un-American officials, and defend human rights in our country.

Sincerely,

Richard Stallman

Urgent: Protect judicial independence [Richard Stallman's Political Notes]

US citizens: call on Congress to protect judicial independence.

If you phone, please spread the word! Main Switchboard: +1-202-224-3121

Cops acted wrong in arrest and killing of Manuel Páez [Richard Stallman's Political Notes]

Records of the arrest — and killing — of "Cop City" protester Manuel Páez show that the cops acted dangerously wrong, in several ways.

They started by not wearing body cameras, which suggests they were preparing to cover something up. After meeting Páez, they shot first at him as he hid in his tent.

Those first shots were less-often-lethal "pepper balls", rather than bullets, but one can hardly blame Páez for not knowing that. He must have thought they were shooting to kill him. In moral terms, they started the shooting, and spoke a deceptive half-truth when they claimed he started it.

Applause to Vance being called "a knob" [Richard Stallman's Political Notes]

The leader of Australia's Labor Party, just before an election, called Vance "a knob", and received applause. (Or should I say "just before an erection"?)

Bravo, Australians, for openly despising the Tr-ance.

Trump being Putin's stooge [Richard Stallman's Political Notes]

*Being Putin’s stooge won’t win Trump a peace prize. The Order of Lenin, though, is in the bag.*

Military tactics brought to occupied West Bank [Richard Stallman's Political Notes]

B'tselem reports that *Israel has brought the military tactics of its war in Gaza to the occupied West Bank, where Palestinians face mass forced displacements, a surge in airstrikes and a sharp rise in attacks on children and other civilians.*

I've cited here some of B'tselem's reports for many years.

Hispanic US citizen arrested [Richard Stallman's Political Notes]

Jensy Machado, a naturalized Hispanic US citizen from Virginia, was pulled out of his car and arrested by deportation thugs. He invited them to look at his driver's license, to prove his identity and citizenship, but they declined to look at it.

Their behavior suggests they were bigots seeking an excuse to harass some Hispanics.

Edtech companies recording and selling student behavior data [Richard Stallman's Political Notes]

Edtech companies claim that they do not record everything each student does and make a profile to rent out, but some of them actually do it.

You can't trust a nonfree program not to mistreat you — the way to protect your privacy from the nonfree program is not to let it get data about you.

British tourist traveling from US to Canada [Richard Stallman's Political Notes]

Rebecca Burke, a British tourist, tried to go from the US to Canada, but Canada did not allow her entry because of a matter of visa conditions. Canada told her to return to the US and reapply — but the US jailed her and she was not told why.

She wants to go home to the UK, but has no idea how long she will be jailed before she is given a chance to tell that to a judge.

US immigration has a history of occasional nonsensical cruelty, such as beating and jailing science fiction writer Peter Watts.

I recommend his books because they are interesting, but the reason I make a point of buying each book is by way of apology for my country's conduct towards him.

RFK Jr. trying to prove vaccines cause autism [Richard Stallman's Political Notes]

RFK jr. is trying once again to prove that a vaccine causes autism, although there was never any honest evidence for this.

The supposed "evidence" linking the MMR vaccine (which prevents measles as well as mumps and rubella) was dishonest: it came from a paper later found to be fraudulent and false. The Lancet retracted the paper and its author's medical license was canceled]

RFK jr, is one of the wrecker's middle-finger appointees, which the wrecker's used to demonstrate that nobody was so unqualified and unfit that Republicans would refuse to confirm him once nominated by the wrecker.

Why US is jailing foreign tourists [Richard Stallman's Political Notes]

The reason the US is jailing foreign tourists for weeks, when what it really wants is for them to leave, is that the default response to any violation of a rule is an overreaction: to jail them.

It seems that deportation thugs are harming the US as well as the unfortunate tourists who broke a rule, by being self-defeatingly authoritarian toward them.

I can imagine various safe ways to give then a chance to leave soon on their own power — perhaps while using an ankle bracelet to make sure that they leave reasonably soon.

Thugs confiscated books in Palestinian business [Richard Stallman's Political Notes]

Thugs visited a Palestinian business, Education Bookshop, in Jerusalem again, without a warrant, and confiscated "subversive" books by Banksy, Noam Chomsky and Israeli academic Ilan Pappé.

Then they arrested one of the owners, not stating any charge, took him to a thug station and released him. This was clearly a campaign of harassment, showing how Israel respects freedom of the press.

Ex-president of Philippines being tried by International Criminal Court [Richard Stallman's Political Notes]

Ex-president Do-Dirty of the Philippines is now being tried by the International Criminal Court on charges of killing supposed drug dealers without bothering to establish that they were guilty of anything.

He called this the "war on drugs", and it confirms that when a war is on drugs, it is likely to kill innocent people.

Federal judge orders release of Doge internal records [Richard Stallman's Political Notes]

*Federal judge orders Doge to release internal records for transparency* and release its internal documents.

Meanwhile, its first target, USAid, has been destroying secrets. I am guessing that this was illegal, and that the motive for this was to prevent courts from figuring out how to reconstruct what was destroyed.

Customers of payment tech [Richard Stallman's Political Notes]

Republicans are trying to leave the customers of payment tech vulnerable to cheating.

As it happens, I am one of the few who will not be vulnerable to this. Those systems are nonfree, and I have always rejected them on principle for that reason. A nonfree program is "owned" by someone and that puts users under the power of that owner. See https://gnu.org/philosophy/free-software-even-more-important.html. If you don't reject them on principle, at least reject them on grounds of safety.

Prisoners held in isolation [Richard Stallman's Political Notes]

In those US states that still carry out capital punishment, prisoners sentenced to execution are typically held in extreme conditions of isolation for months or even years.

This is a form of psychological torture, and it takes strength of character to avoid cracking. As far as I can see, no conceivable justification exists for it. It can't be based on rational concern that a given prisoner might try to escape, or engage in violence, because those risks are not specific to those sentenced to death.

As far as I can see, the practice of "death row" is nothing but a way of acting out despisement through cruelty. The primary evil is the death penalty itself, but this secondary evil contributes substantially to that.

09:35

09:21

Asking for directions [Seth's Blog]

It hadn’t happened in such a long time that I hesitated to respond.

As I was walking through town, a driver pulled up, rolled down his window and said, “is this the way to Irvington?”

We now take for granted that we’re unlikely to ever again be in a car and not know where we are.

It’s not just cars or GPS. Now that we have Perplexity and Claude, our need to ask a person for directions of any kind continues to decrease.

What we need more than ever, though, is help in discovering if we’re asking the right questions and choosing to go to the right place.

“Should I be going to Irvington?” might be a better thing to ask a trusted friend or advisor.

09:07

Joe Marshall: Universal Function [Planet Lisp]

Lisp was an early language. These days everyone and his brother has a new language, but Lisp was the first of its kind. John McCarthy, mathematician that he was, wanted to prove that his new language was universal. He broke this down into two steps.

First, he showed that S-expressions — the list structure representation of Lisp — could faithfully represent Church’s lambda expressions. This is kind of taken for granted now, but McCarthy made the effort to prove it. Church had already proven that lambda expressions could represent any computable function, so McCarthy had a proof that S-expressions, too, could represent any computable function.

Then, he showed that his language could implement a universal function. A universal function is a function that can emulate any other function. If you have a universal function, you can emulate any other function, so you can compute any computable function. A universal function takes two arguments, a specification of what function to emulate and (a list of) some inputs. It returns the same value as if the function had been called with those inputs.

McCarthy’s universal function took a function specification in the form of a lambda expression and a list of arguments. It binds the arguments to the formal parameters of the lambda expression, the performs a recursive descent evaluation of the body of the body of the lambda expression. McCarthy called his universal function APPLY. By writing APPLY in Lisp, McCarthy showed that Lisp was universal. (EVAL began its existance as a helper function for APPLY).

To tell the truth, this is pretty studly: McCarthy proved that his new language was universal by writing the first meta-circular evaluator in it. These days, people invent languages by throwing together enough features until they have something that looks like a language. It’ll probably be universal — universality turns out to be fairly easy to achieve — but how do you know? If you can write a Lisp interpreter in your language, it’s universal.

07:00

Stroke [RevK®'s ramblings]

The NHS have been very thorough investigating the stroke I had.

Thankfully the ongoing effects are slight - my typing is still more iffy than it was before, but good news.

They even did an ultrasound on my heart to try and find the underlying cause.


The good news is they found nothing. Well, I'll take it as good news. It also means they could not explain it, which is not so good. But given I had a stroke immediately after COVID, that seems a likely cause.

However, the one thing I find odd is the NHS efficiency here. The letter arrived this week (13th March 2025).


So what happened. I don't think even Royal Mail have a 17th class post that takes 6 months to deliver a letter. So that is rather weird.



05:07

Russell Coker: Article Recommendations via FOSS [Planet Debian]

Google tracking everything we read is bad, particularly since Google abandoned the “don’t be evil” plan and are presumably open to being somewhat evil.

The article recommendations on Chrome on Android are useful and I’d like to be able to get the same quality of recommendations without Google knowing about everything I read. Ideally without anything other than the device I use knowing what interests me.

A ML system to map between sources of news that are of interest should be easy to develop and run on end user devices. The model could be published and when given inputs of articles you like give an output of sites that contain other articles you like. Then an agent on the end user system could spider the sites in question and run a local model to determine which articles to present to the user.

Mapping for hate following is possible for such a system (Google doesn’t do that), the user could have 2 separate model runs for regular reading and hate-following and determine how much of each content to recommend. It could also give negative weight to entries that match the hate criteria.

Some sites with articles (like Medium) give an estimate of reading time. An article recommendation system should have a fixed limit of articles (both in articles and in reading time) to support the “I spend half an hour reading during lunch” model not doom scrolling.

For getting news using only FOSS it seems that the best option at the moment is to use the Lemmy FOSS social network which is like Reddit [1] to recommend articles etc.

The Lemoa client for Lemmy uses GTK [2] but it’s no longer maintained. The Lemonade client for Lemmy is written in Rust [3]. It would be good if one of those was packaged for Debian, preferably one that’s maintained.

Related posts:

  1. The AP and Copyright on the Web The New York Times has an article about the Associated...
  2. Public Lectures About FOSS Eventbrite I’ve recently started using the Eventbrite Web site [1]...
  3. 8k Video Cards I previously blogged about getting an 8K TV [1]. Now...

Saturday, 15 March

23:56

Link [Scripting News]

Looking for help with wpcom API in Node.js app.

19:14

[1251] Maeve and Reed 3 - Complements [Twokinds]

Comic for March 15, 2025

15:35

Pluralistic: Amazon annihilates Alexa privacy settings, turns on continuous, nonconsensual audio uploading (15 Mar 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


A cylindrical black Alexa speaker on a coffee table; it is wearing a Darth Vader helmet.

Amazon annihilates Alexa privacy settings, turns on continuous, nonconsensual audio uploading (permalink)

Even by Amazon standards, this is extraordinarily sleazy: starting March 28, each Amazon Echo device will cease processing audio on-device and instead upload all the audio it captures to Amazon's cloud for processing, even if you have previously opted out of cloud-based processing:

https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/

It's easy to flap your hands at this bit of thievery and say, "surveillance capitalists gonna surveillance capitalism," which would confine this fuckery to the realm of ideology (that is, "Amazon is ripping you off because they have bad ideas"). But that would be wrong. What's going on here is a material phenomenon, grounded in specific policy choices and by unpacking the material basis for this absolutely unforgivable move, we can understand how we got here – and where we should go next.

Start with Amazon's excuse for destroying your privacy: they want to do AI processing on the audio Alexa captures, and that is too computationally intensive for on-device processing. But that only raises another question: why does Amazon want to do this AI processing, even for customers who are happy with their Echo as-is, at the risk of infuriating and alienating millions of customers?

For Big Tech companies, AI is part of a "growth story" – a narrative about how these companies that have already saturated their markets will still continue to grow. It's hard to overstate how dominant Amazon is: they are the leading cloud provider, the most important retailer, and the majority of US households already subscribe to Prime. This may sound like a good place to be, but for Amazon, it's actually very dangerous.

Amazon has a sky-high price/earnings ratio – about triple the ratio of other retailers, like Target. That scorching P/E ratio reflects a belief by investors that Amazon will continue growing. Companies with very high p/e ratios have an unbeatable advantage relative to mature competitors – they can buy things with their stock, rather than paying cash for them. If Amazon wants to hire a key person, or acquire a key company, it can pad its offer with its extremely high-value, growing stock. Being able to buy things with stock instead of money is a powerful advantage, because money is scarce and exogenous (Amazon must acquire money from someone else, like a customer), while new Amazon stock can be conjured into existence by typing zeroes into a spreadsheet:

https://pluralistic.net/2025/03/06/privacy-last/#exceptionally-american

But the downside here is that every growth stock eventually stops growing. For Amazon to double its US Prime subscriber base, it will have to establish a breeding program to produce tens of millions of new Americans, raising them to maturity, getting them gainful employment, and then getting them to sign up for Prime. Almost by definition, a dominant firm ceases to be a growing firm, and lives with the constant threat of a stock revaluation as investors belief in future growth crumbles and they punch the "sell" button, hoping to liquidate their now-overvalued stock ahead of everyone else.

For Big Tech companies, a growth story isn't an ideological commitment to cancer-like continuous expansion. It's a practical, material phenomenon, driven by the need to maintain investor confidence that there are still worlds for the company to conquer.

That's where "AI" comes in. The hype around AI serves an important material need for tech companies. By lumping an incoherent set of poorly understood technologies together into a hot buzzword, tech companies can bamboozle investors into thinking that there's plenty of growth in their future.

OK, so that's the material need that this asshole tactic satisfies. Next, let's look at the technical dimension of this rug-pull.

How is it possible for Amazon to modify your Echo after you bought it? After all, you own your Echo. It is your property. Every first year law student learns this 18th century definition of property, from Sir William Blackstone:

That sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.

If the Echo is your property, how come Amazon gets to break it? Because we passed a law that lets them. Section 1201 of 1998's Digital Millennium Copyright Act makes it a felony to "bypass an access control" for a copyrighted work:

https://pluralistic.net/2024/05/24/record-scratch/#autoenshittification

That means that once Amazon reaches over the air to stir up the guts of your Echo, no one is allowed to give you a tool that will let you get inside your Echo and change the software back. Sure, it's your property, but exercising sole and despotic dominion over it requires breaking the digital lock that controls access to the firmware, and that's a felony punishable by a five-year prison sentence and a $500,000 fine for a first offense.

The Echo is an internet-connected device that treats its owner as an adversary and is designed to facilitate over-the-air updates by the manufacturer that are adverse to the interests of the owner. Giving a manufacturer the power to downgrade a device after you've bought it, in a way you can't roll back or defend against is an invitation to run the playbook of the Darth Vader MBA, in which the manufacturer replies to your outraged squawks with "I am altering the deal. Pray I don't alter it any further":

https://pluralistic.net/2023/10/26/hit-with-a-brick/#graceful-failure

The ability to remotely, unilaterally alter how a device or service works is called "twiddling" and it is a key factor in enshittification. By "twiddling" the knobs and dials that control the prices, costs, search rankings, recommendations, and core features of products and services, tech firms can play a high-speed shell-game that shifts value away from customers and suppliers and toward the firm and its executives:

https://pluralistic.net/2023/02/19/twiddler/

But how can this be legal? You bought an Echo and explicitly went into its settings to disable remote monitoring of the sounds in your home, and now Amazon – without your permission, against your express wishes – is going to start sending recordings from inside your house to its offices. Isn't that against the law?

Well, you'd think so, but US consumer privacy law is unbelievably backwards. Congress hasn't passed a consumer privacy law since 1988, when the Video Privacy Protection Act banned video store clerks from disclosing which VHS cassettes you brought home. That is the last technological privacy threat that Congress has given any consideration to:

https://pluralistic.net/2023/12/06/privacy-first/#but-not-just-privacy

This privacy vacuum has been filled up with surveillance on an unimaginable scale. Scumbag data-brokers you've never heard of openly boast about having dossiers on 91% of adult internet users, detailing who we are, what we watch, what we read, who we live with, who we follow on social media, what we buy online and offline, where we buy, when we buy, and why we buy:

https://gizmodo.com/data-broker-brags-about-having-highly-detailed-personal-information-on-nearly-all-internet-users-2000575762

To a first approximation, every kind of privacy violation is legal, because the concentrated commercial surveillance industry spends millions lobbying against privacy laws, and those millions are a bargain, because they make billions off the data they harvest with impunity.

Regulatory capture is a function of monopoly. Highly concentrated sectors don't need to engage in "wasteful competition," which leaves them with gigantic profits to spend on lobbying, which is extraordinarily effective, because a sector that is dominated by a handful of firms can easily arrive at a common negotiating position and speak with one voice to the government:

https://pluralistic.net/2022/06/05/regulatory-capture/

Starting with the Carter administration, and accelerating through every subsequent administration except Biden's, America has adopted an explicitly pro-monopoly policy, called the "consumer welfare" antitrust theory. 40 years later, our economy is riddled with monopolies:

https://pluralistic.net/2024/01/17/monopolies-produce-billionaires/#inequality-corruption-climate-poverty-sweatshops

Every part of this Echo privacy massacre is downstream of that policy choice: "growth stock" narratives about AI, twiddling, DMCA 1201, the Darth Vader MBA, the end of legal privacy protections. These are material things, not ideological ones. They exist to make a very, very small number of people very, very rich.

Your Echo is your property, you paid for it. You paid for the product and you are still the product:

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

Now, Amazon says that the recordings your Echo will send to its data-centers will be deleted as soon as it's been processed by the AI servers. Amazon's made these claims before, and they were lies. Amazon eventually had to admit that its employees and a menagerie of overseas contractors were secretly given millions of recordings to listen to and make notes on:

https://archive.is/TD90k

And sometimes, Amazon just sent these recordings to random people on the internet:

https://www.washingtonpost.com/technology/2018/12/20/amazon-alexa-user-receives-audio-recordings-stranger-through-human-error/

Fool me once, etc. I will bet you a testicle* that Amazon will eventually have to admit that the recordings it harvests to feed its AI are also being retained and listened to by employees, contractors, and, possibly, randos on the internet.

*Not one of mine

(Image: Stock Catalog/https://www.quotecatalog.com, Sam Howzit; CC BY 2.0; modified)

Hey look at this (permalink)


A Wayback Machine banner.

Object permanence (permalink)

#20yrsago ETECH Notes: Feral Robotics and Some Other Quacking, Shaking, Bubbling Robots https://craphound.com/etech05-feral.txt

#20yrsago ETECH Notes: Folksonomy, or How I Learned to Stop Worrying and Love the Mess https://craphound.com/etech2005-folksonomy.txt

#20yrsago My talk from ETECH: All Complex Ecosystems Have Parasites https://craphound.com/complexecosystems.txt

#20yrsago Apple steals iTunes customers’ paid-for rights to stream https://memex.craphound.com/2005/03/16/apple-steals-itunes-customers-paid-for-rights-to-stream/

#15yrsago Tim Bray on the iPhone vision https://www.tbray.org/ongoing/When/201x/2010/03/15/Joining-Google

#15yrsago London restaurant serves WWII rationing cuisine https://web.archive.org/web/20100315142846/http://www.timeout.com/london/restaurants/venue/2:26733/kitchen-front

#15yrsago Microbes on keyboards can be used to identify typists https://www.pnas.org/doi/10.1073/pnas.1000162107

#10yrsago Jeb Bush sold patronage and favors to his top political donors https://apnews.com/events-united-states-presidential-election-abeefccf71df4010bed132abb141efc8

#10yrsago Sending Terry Pratchett home with HTTP headers http://www.gnuterrypratchett.com

#10yrsago Constituent silenced by spammer-turned-UK Tory party chairman was telling the truth https://www.theguardian.com/politics/2015/mar/15/grant-shapps-admits-he-had-second-job-as-millioniare-web-marketer-while-mp

#5yrsago Italian hospitals fix their ventilators with 3D printed parts https://pluralistic.net/2020/03/16/tiktoks-secrets/#3dp-breathfree

#5yrsago Trump wants a US-only vaccine https://pluralistic.net/2020/03/16/tiktoks-secrets/#americavirus

#5yrsago How to pull your business out of China https://pluralistic.net/2020/03/15/denominators-matter/#strategic-withdrawal

#5yrsago Covered Dish https://pluralistic.net/2020/03/15/denominators-matter/#covereddish

#5yrsago Things to do with kids during lockdowns https://pluralistic.net/2020/03/15/denominators-matter/#family-time

#5yrsago Euroleaks: exposing the secret workings of the Eurogroup https://pluralistic.net/2020/03/15/denominators-matter/#euroleaks

#5yrsago The CIA's information security is really terrible https://pluralistic.net/2020/03/15/denominators-matter/#vault7

#5yrsago The Onion is there for us https://pluralistic.net/2020/03/15/denominators-matter/#ha-ha-only-serious

#5yrsago Chelsea Manning's supporters pay off her $256,000 fine in a day https://pluralistic.net/2020/03/15/denominators-matter/#chelsea-free

#5yrsago HRDAG analyzes the best covid-19 studies https://pluralistic.net/2020/03/15/denominators-matter/#denominators-matter

#1yrago Wellness surveillance makes workers unwell https://pluralistic.net/2024/03/15/wellness-taylorism/#sick-of-spying

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026


Colophon (permalink)

Today's top sources:

Currently writing:

  • Enshittification: a nonfiction book about platform decay for Farrar, Straus, Giroux. Status: second pass edit underway (readaloud)

  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS FEB 2025

Latest podcast: With Great Power Came No Responsibility: How Enshittification Conquered the 21st Century and How We Can Overthrow It https://craphound.com/news/2025/02/26/with-great-power-came-no-responsibility-how-enshittification-conquered-the-21st-century-and-how-we-can-overthrow-it/

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

14:35

Link [Scripting News]

I'd love to get a list of old school bloggers who are still at it. How would you go about that? I decided to give it to Gemini, limiting it at first to 100 bloggers. Here's the prompt I wrote. For a while I was wondering what "deep research" was for, but as it's starting the work, I'm thinking of resources that would fit in -- like blogtree.com -- a fascinating site, gives a clear picture how blogs emerge out of the community of an earlier blog. Anyway it's working on it while I write this post. 😄

Link [Scripting News]

An application ChatGPT is great it. You're staring at some code, it's really straightforward, you've done this a thousand times, but it doesn't work. Stare at it some more. Try re-entering it. Change the names of things. Still doesn't work. Copy and paste the problem code into ChatGPT and in an instant it tells you without you even having to ask that your comment isn't properly terminated, so the runtime was never seeing the code, and nothing I did made the slightest difference. The information was there. I had been staring at it, but humans see what we expect to see. Machines don't have that problem, at least not in this way (thinking of hallucinations).

13:49

Link [Scripting News]

Why is scripting.com not https? I hope you can see that I have no trouble deploying https sites here. I use Caddy on my Linux servers, and I don't see why anyone uses anything else. It's really easy and requires none of the work people complain about. Anyway the reason scripting.com is http and not https is that the site dates back to 1994, before there was such a thing as https. Google didn't start their push to get the web to convert to https until 2014, 20 years after I started blogging. Have a look at any of my archived blog posts and docs, the're pretty much all there. This is something I'm proud of. I wanted to create a record from the start, it was very deliberate. I was already an experienced developer when the web started up, so I had an idea what I was doing. I also use images on my site, in the right margin of posts, and lately as "inline" images, in their own boxes with a caption. It's a way for me to play with the ideas, and adds color to pages that are almost all text. So if I were to move the site from S3 to one of my hosted servers, which would be a fairly major undertaking on its own and add a lot of overhead because Amazon takes care of a lot of the bullshit you have to deal with, there would be a small matter of what about the images? They would all break if scripting.com was hosted on https and they were served from http. Now you might say -- Dave all you have to do is move all those images to a place with https support and remap the domains, and take care of all the michegas that's going to pop up. Or suffer with broken images. I decided to instead tell Google to stop trying to own something that belongs to no one and everyone. If they want a more secure web, create it, and make a browser for it, and respect the original web alone. Hopefully this clears it up.

Link [Scripting News]

I asked ChatGPT when Google started making HTTPS a requirement. Then I asked when was HTTPS first deployed, and was surprised it was in 1994 in Netscape Navigator. But apparently it was really buggy and wasn't codified until much later. Then I asked when HTTPS became the norm? 2017. So there's a lot of web out there that isn't being maintained by anyone, it just works, that predates HTTPS being widely adopted, if you believe the timelines ChatGPT produced.

Link [Scripting News]

BTW, these days the images are served via HTTPS so they don't show up in broken links in RSS readers, including my own FeedLand which is served over HTTPS.

Link [Scripting News]

Another BTW, I'm still thinking about how I want to transition from the public and open-to-anyone FeedLand servers. So if you're still using .org or .com, they're still on the air doing the same thing they've been doing all along.

13:35

Scarlett Gately Moore: KDE snaps fixed, Thank you for your support [Planet Debian]

KDE MascotKDE Mascot

Thank you everyone for keeping the lights on for a bit longer. KDE snaps have been restored. I also released 24.12.3! In addition, I have moved “most” snaps to core24. The remaining snaps need newer qt6/kf6, which is a WIP. “The Bad luck girl” has been hit once again with another loss, so with that, I will be reducing my hours on snaps while I consider my options for my future. I am still around, just a bit less.

Thanks again everyone, if you can get me through one more ( lingering broken arm ) surgery I would be forever grateful! https://gofund.me/d5d59582

09:35

09:14

Bad design might simply be obsolete design [Seth's Blog]

Perhaps you’ve encountered a sink with two taps, not one. One for hot, one for cold, without a chance to mix them before you scald or chill yourself.

It seems absurd that the folks who figured out the technology to build sinks with running water couldn’t be bothered with the last step of making it useful.

But this isn’t the case. Centuries ago, the hot water in a home was suspect. It might have been in an unclean cistern for a while, it might carry disease–you didn’t want to mix it with the clean water unintentionally.

Now that we’ve mostly nailed the sanitary conditions of hot water, the design is obsolete. But it persists, because systems and style and culture allow it to.

We’re surrounded by obsolete design. It’s worth asking “what’s it for?” and consider what it used to be for.

Once it’s obsolete, good design becomes bad design.

08:56

Ironclad 0.6 released [OSnews]

It’s been a while, but there’s a new release of Ironclad, the formally verified, hard real-time capable kernel written in SPARK and Ada. Aside from the usual bugfixes, this release moves Ironclad from multiboot to Limine, adds x86_64 ACPI support for poweroff and reboot, improvements to PTY support, the VFS layer, and much more.

The easiest way to try out Ironclad is to download Gloire, a distribution that uses Ironclad and the GNU tools. It can be installed in both a virtual machine and on real hardware.

A look at Firefox forks [OSnews]

Mozilla’s actions have been rubbing many Firefox fans the wrong way as of late, and inspiring them to look for alternatives. There are many choices for users who are looking for a browser that isn’t part of the Chrome monoculture but is full-featured and suitable for day-to-day use. For those who are willing to stay in the Firefox “family” there are a number of good options that have taken vastly different approaches. This includes GNU IceCat, Floorp, LibreWolf, and Zen.

↫ Joe Brockmeier

It’s a tough situation, as we’re all aware. We don’t want the Chrome monoculture to get any worse, but with Mozilla’s ever-increasing number of dubious decisions some people have been warning about for years, it’s only natural for people to look elsewhere. Once you decide to drop Firefox, there’s really nowhere else to go but Chrome and Chrome skins, or the various Firefox skins. As an aside, I really don’t think these browsers should be called Firefox “forks”; all they really do is change some default settings, add in an extension or two, and make some small UI tweaks. They may qualify as forks in a technical sense, but I think that overstates the differentiation they offer.

Late last year, I tried my best to switch to KDE’s Falkon web browser, but after a few months the issues, niggles, and shortcomings just started to get under my skin. I switched back to Firefox for a little while, contemplating where to go from there. Recently, I decided to hop onto the Firefox skin train just to get rid of some of the Mozilla telemetry and useless ‘features’ they’ve been adding to Firefox, and after some careful consideration I decided to go with Waterfox.

Waterfox strikes a nice balance between the strict choices of LibreWolf – which most users of LibreWolf seem to undo, if my timeline is anything to go by – and the choices Mozilla itself makes. On top of that, Waterfox enables a few very nice KDE integrations Firefox itself and the other Firefox skins don’t have, making it a perfect choice for KDE users. Sadly, Waterfox isn’t packaged for most Linux distributions, so you’ll have to resort to a third-party packager.

In the end, none of the Firefox skins really address the core problem, as they’re all still just Firefox. The problem with Firefox is Mozilla, and no amount of skins is going to change that.

08:28

Joe Marshall: Obscure suggestions [Planet Lisp]

Suppose you have come up with an elegant recursive algorithm that is easy to understand and implement. This will not do. A true mathematician is judged by how clever he must be to understand his algorithm. To that end, you must make your algorithm as difficult to understand as possible. This is how you prove that you are smarter than your readers. Here are some suggestions:

  • Instead of giving the next state as function of the current state, give the current state as a function of the next state and let your audience invert the function.
  • Split your recursion into two parts, but give one part recursively and the other co-recursively. Your readers will enjoy the fun puzzle of figuring out how to stitch the parts back together.
  • Remove the recursion by replacing it with re-assignment and explicit stack manipulation.
  • Avoid motivating examples.
  • Omit all unnecessary details, and a few of the necessary ones as well.
  • Unicode gives you thousands of single character variable names.
  • Use existance proofs rather than constructive ones. You can prove there is a base case without explicitly stating what it is.
  • Let X refer to a set or an element of a set, depending on context.
  • Depend on the context. A lot.
  • There is no rule that says variable names must be unique.

Take and apply some of these ideas and you can turn your elegant algorithm into something that will humiliate the smartest of your readers.

02:28

Link [Scripting News]

My suggestion re Schumer et al. It's over -- remember the lessons, let's look forward, tonight's vote is already history. Let the Dems in the Senate take care of themselves. It's we, the people, who created this country, and we the people are the only ones who can make it work again.

00:21

This Week in Seattle Food News [The Stranger]

A Chinese Fusion Chain Lands in Bellevue, Mr. Gyros Returns, and Taku Bids Farewell
by EverOut Staff This week, we're cheering for the triumphant return of Mr. Gyros in Greenwood and mourning the closure of Taku and Tio Baby's. Plus, get your hands on some Grasslands Barbecue this weekend and learn where to snag Lucky Charms cookies and horchata chai with pistachio cold foam. For more ideas, check out our St. Patrick's Day guide and our food and drink guide.

OPENINGS

Four Diamonds
This casual spot hosted its grand opening downtown this week, serving boba drinks and Vietnamese fare like pho and rice plates.
Downtown

Friday, 14 March

23:35

Google makes Vulkan the official graphics API for Android [OSnews]

Google’s biggest announcement today, at least as it pertains to Android, is that the Vulkan graphics API is now the official graphics API for Android. Vulkan is a modern, low-overhead, cross-platform 3D graphics and compute API that provides developers with more direct control over the GPU than older APIs like OpenGL. This increased control allows for significantly improved performance, especially in multi-threaded applications, by reducing CPU overhead. In contrast, OpenGL is an older, higher-level API that abstracts away many of the low-level details of the GPU, making it easier to use but potentially less efficient. Essentially, Vulkan prioritizes performance and explicit hardware control, while OpenGL emphasizes ease of use and cross-platform compatibility.

↫ Mishaal Rahman at Android Authority

Android has supported Vulkan since Android 7.0, released in 2016, so it’s not like we’re looking at something earth-shattering here. The issue has been, as always with Android, fragmentation: it’s taken this long for about 85% of Android devices currently in use to support Vulkan in the first place. In other words, Google might’ve wanted to standardise on Vulkan much sooner, but if only a relatively small number of Android devices support it, that’s going to be a hard sell.

In any event, from here on out, every application or game that wants to use the GPU on Android will have to do so through Vulkan, including everything inside Android. It’s still going to be a long process, though, as the requirement to use Vulkan will not fully come into effect until Android 17, and even then there will be exceptions for certain applications. Android tends to implement changes like this in phases, and the move to Vulkan is no different.

All of this does mean that older devices with GPUs that do not support Vulkan, or at least not properly, will not be able to be updated to the Vulkan-only releases of Android, but let’s be real here – those kinds of devices were never going to be updated anyway.

Hell Is on the Way [The Stranger]

This is the one customer service desk where the customer is always wrong. And no matter what, you’re going to Hell. by Hannah Murphy Winter

“Welcome to Hell. This is the Hellp Desk.”

A young woman with long, red hair and a glower that would make Miranda Priestly tremble stands in front of the gates of Hell. She holds your Soul File in her hand—a list of everything the Universe weighed when it decided if you were going to Paradise or headed to the gate you’re looking at now.

Most of Hell is run by demons, but Lily, the woman holding your file, is a human: one who had a short lifetime full of customer service experience. And the line you’re in isn’t for everyone. It’s for the Karens, the crypto-bros, people who insist it was “just a joke.” Everyone who, on Earth, learned that if you’re loud, obnoxious, or cruel enough, you’ll eventually get what you want.

Not here. This is the one customer service desk where the customer is always wrong. And no matter what, you’re going to Hell.

All of it is courtesy of Hell’s Belles, the TikTok series created by Seattle’s Jaysea Lynn. Born of two traumas—religious indoctrination and customer service work—Hell’s Belles has built the afterlife we all wish existed: fair, nuanced, respectful of religion but devoid of dogma. The series has spent four years exploring morality, justice, and some of our best and worst human instincts, with a sprinkling of demon smut on top. The series has 1.8 million followers who scroll in five days a week to watch updates from the Hellp Desk.

Hell’s Belles was only supposed to last a few episodes—an idea that Lynn had during a particularly bad day in, you guessed it, customer service. “This lady just told me to go to Hell,” Lynn told The Stranger. “The first skit came to me, and I was like ‘Cool, I’ll do, like, three or four of these. It’ll be cathartic, and I will fade into obscurity.’ And that was almost 600 episodes ago.”

Lynn started out by pulling material from her own life, growing up in Astoria (yes, of The Goonies fame) in a conservative, religious home. “In college, I lived in an all-women’s Christian co-op that was essentially a cult,” she says. “When I connected with those same people after college, we had all left religion—and some of us had left faith completely. And it was like, ‘Okay, what were the things that happened? They mattered and they hurt us, and they’re worth talking about.’ Hell’s Belles was a place where I could start expressing that malcontent and that hurt and not have someone immediately go, ‘Well, that’s not God,’ to make it more comfortable for them to hear. It’s really validating to hear someone say, ‘That’s not what should have happened.’ Or ‘You were assaulted, and it wasn’t God trying to get your attention.’”

In the Hell’s Belles afterlife, we’re all judged by the Universe on the same basic scale: Did you do your honest best to avoid doing harm? If you did, head to the paradise of your choosing. If you didn’t, you’ll find yourself walking past the Hellp Desk toward the gates of Hell. The first two levels aren’t punishment—think of them more like therapy. A place to work through the reasons you weren’t able to be as decent as you should have been on Earth. As you get deeper, the punishments get more severe, but Lynn’s version of Hell assumes that everyone is redeemable. No one is doomed to rot there as long as they’re willing to put in the work.

Some of the desk’s patrons are archetypes: Christian mothers who rejected their queer children, abusers, and backyard puppy mill breeders. Others are pulled straight from headlines: the day Anita Bryant died, Miss Oklahoma came up to the desk (“The gay is not a determining factor in how many stairs you have to do.”) When Luigi Mangione shot and killed Brian Thompson, an unnamed healthcare CEO passed through (“When you were lying in that bed, dying, did you still think it was best for healthcare decisions to be made by an insurance panel with no medical training?” Lily asked. “Your claim for hellp has been denied.”)

But between the Hellp Desk patrons is the whole “life” part of the afterlife. Lily falls in love with a hunky demon named Bel, they have a little found family that passes between the many levels of the afterlife and plays sexy trivia and sings “Margaritaville” karaoke, and of course, that’s where the sprinkling of demon smut comes in.

The show ran for four years, and in addition to the whirlwind that comes with TikTok notoriety, Hell’s Belles also helped reconcile some of that religious trauma in her personal life. “I started living more authentically,” Lynn says. “And it was like creative therapy for me. I’m more willing to talk to my mom about this. And we were able to have these sometimes sad or harsh conversations that built over time.”

But in January, as the TikTok ban loomed, it seemed like a chapter might be coming to an end. But the same week that TikTok went dark (if only for a day), Lynn signed a seven-figure, three-book deal, including her already self-published prequel to the series, For Whom the Belle Tolls. No matter which oligarch owns our various social media platforms, the Hell’s Belles universe will live on.

The series prequel starts when Lily is still alive, sitting in her car that refused to start, just after getting a bleak cancer prognosis: “The doctor had given her options, of course. Options to prolong. To ease. But options were for people with money. People whose cars would start.” By Chapter 3, though, we’re in the afterlife: Lily gets judged by the Universe, sorted into her own paradise, and the Hellp Desk comes to be.

The first book was the largest writing project Lynn has ever taken on—she doesn’t even script the Hell’s Belles episodes. But she’s excited to eventually move away from the daily grind of filming, editing, and posting an episode every day. “It’s not my favorite storytelling medium,” she says. And with a three-book deal, she may have the chance to (very, very slowly) move away from it. “At first I was like ‘Do you have two more books in you?’” she says. “As soon as I had the deal, I was like ‘Maybe I’m a fraud, and I only ever had one book in me, and this was all a fluke, and this is a lie, and they’re gonna put me in author jail.’ And then it was I took a nap and ate something, and I went, ‘No, I think I’ll be okay.’”

There are two possibly perfect descriptions I’ve read of For Whom the Belle Tolls. The first comes from a document titled “Reading waiver for dad.” When Lynn’s religious father expressed interest in reading the manuscript before it was published, she agreed, but first, he had to initial and sign on a few dotted lines. “I know, from prior conversations, that you have read Dostoevsky and believe this book to be similar. While I am flattered, I’m also concerned,” the letter starts. “For Whom the Belle Tolls does—like Dostoevsky—deal with religion, morality, the human experience, and satire. However, it is not, in any way, like anything Dostoevsky wrote. Dostoevsky did not write sexy demons. Dostoevsky did not have customer service trauma that affected his work. Dostoevsky did not write sex scenes.”

The second comes from the book’s dedication: “For anyone who has ever felt temporary. And for the nerds.”

Police Arrest 16 as Starbucks Workers Escalate Fight for a Fair Contract [The Stranger]

On Tuesday in Seattle, as well as in five other cities across the country, Starbucks workers went on strike to demand a fair contract—provoking a police response that included 16 arrests. This occurred one day before Starbucks held its annual shareholder meeting. by Conor Kelley

On Tuesday in Seattle, as well as in five other cities across the country, Starbucks workers went on strike to demand a fair contract—provoking a police response that included 16 arrests. This occurred one day before Starbucks held its annual shareholder meeting.

It’s the latest episode in a contract battle between Starbucks and its workers that has lasted more than three years.

You may be thinking—“But Conor, weren’t these contract negotiations supposedly wrapping up late last year?” Good eye. As I reported in November, the coffee giant and Starbucks Workers United (SBWU) were engaged in negotiations that both sides swore were moving quickly toward a fair resolution. But given Starbucks’ long history of refusing to accept unions in their ranks and hiring the notorious union-busting law firm Littler Mendleson to argue against workers’ rights in court, some (certainly not me) were skeptical that the company would suddenly start playing nice.

Yeah, they didn’t.

In the final bargaining meeting in December, Starbucks reportedly offered SBWU no new wage increases, only a 1.5% increase in future years, and broke their promise to resolve the hundreds of pending Unfair Labor Practice charges the union has filed with the National Labor Relations Board.

The union viewed this offer as outrageous. “This is backtracking on months and months of progress and promises from the company to work toward an end-of-year framework ratification,” union leader Michelle Eisen said at the time.

In response, SBWU coordinated escalating strikes over five days starting on December 20, typically a very profitable time of year for Starbucks. The strike peaked on Christmas Eve, when 5,000 baristas at over 300 stores walked out.

On January 31, the two sides agreed to bring in the Federal Mediation and Conciliation Service to help them hash out a framework contract for their 550 unionized stores representing over 11,000 workers. Those talks are ongoing. Neither side will disclose details on how the talks are proceeding, but perhaps this latest action speaks to its progress—or lack thereof.

Tuesday, community members aligned with Starbucks workers staged over 100 actions they dubbed “sip-ins” in six cities: Easton, PA; Chicago, New York, Pittsburgh, St. Louis, and here in Seattle at the shop on The Ave and 42nd.

This location, just a couple blocks off the UW campus, has been a hotbed for activity in this years-long saga. In 2022, workers called the store a “high-incident” location with frequent disruptions and security issues they felt ill-equipped to handle, but expressed concerns that if they filed incident reports with corporate, theirs would be the next store closed on dubious grounds.

Last month, on February 11, workers at this store walked out after Starbucks spent millions to run a Super Bowl promotion offering a free coffee at any of their locations—but neglected to staff up for the huge crush of folks who arrived and overwhelmed the staff.

Two weeks ago, UW students protested the school’s relationship with Starbucks, demanding in a letter to UW administration that the school stop serving Starbucks coffee on campus until the company offers their workers an acceptable contract.

On Tuesday morning, nearly 100 workers and community supporters sat inside the shop and protested outside, holding signs and chanting, “No contract, no coffee! No workers, no Starbucks!”

This week, we took direct action to show Starbucks the urgency of finalizing contracts with the wages, staffing, and protections we need to thrive.

We’re doing what it takes to win. And we won't stop until we do.

[image or embed]

— Starbucks Workers United (@sbworkersunited.org) March 13, 2025 at 10:51 AM

 “I’m out here because our store won a union election in 2022 and it's 2025 and we have yet to see our first contract,” said Emma Cox, a barista trainer. “Starbucks pledged to proceed with bargaining in good faith last year but they have not followed through with that promise. It’s never been that they don’t have the money to give us raises. It’s that they don’t put the needs of their workers first.”

Police scanner audio confirms that around 1 p.m., the store manager called the cops and requested seven protestors inside the store be “trespassed”—arrested for trespassing. Store management also informed the police they would “assist in prosecution,” according to police scanner audio.

SPD leapt into action, dispatching officers a mere three hours later to set up a “command post” in a parking lot at 42nd and Brooklyn, equipped with a “crowd management package,” which according to the SPD manual consists of blast balls and pepper spray. A photo a Reddit user posted shows Seattle’s Finest standing around chatting. That same user later reported seeing two more vans and four other officers around the corner, making a grand total of 10 vehicles and 20 officers deployed for a peaceful protest in a little coffee shop. SPD cleared out the protestors by around 5:15 p.m., without altercation.

Your tax dollars hard at work!

“Tuesday’s actions here in Seattle and across the country sent a clear message to Starbucks shareholders: It’s time for fair contracts. Starbucks needs to take care of their workers and the first step of that would be to finalize fair contracts with the wages, staffing, and protections baristas need to thrive,” said Ty Newbill, a Bremerton barista present at the protest.

“It's disappointing to see Workers United disrupt our stores and undermine the ongoing mediation process for single store contracts,” said a representative from Starbucks. “Since last April, Starbucks and Workers United have made significant progress through respectful dialogue and have reached a number of important agreements. Our success starts and ends with our partners (employees) and we’re committed to providing the best job in retail.”

In January, Starbucks reported $9.4 billion in global net revenue last quarter. Starbucks’ CEO Brian Niccol made $95.8 million in 2024 for four months of remote work from California. Meanwhile, SBWU claims that Starbucks workers make on average only $16.50/hour. The company disputes that—but still claims “the best job in retail” pays $18/hour.

“We are still without a first contract, from a company who can certainly afford to do right by its workers,” said union leader Michelle Eisen, one of 16 protestors arrested nationwide yesterday. “We deserve better.”

The Starbucks shareholder meeting the day after the protests was a spicy one. One shareholder from the well-funded conservative anti-labor National Legal and Policy Center advocacy group proposed that Starbucks consider the “commission of a report on human rights risks related to labor organizing.” (The board recommended voting against it.)

Shareholders also grilled CEO Brian Niccol on his private jet usage and interrogated the company’s lack of diversity on their board of directors.

Later, a shareholder asked when Starbucks would negotiate its first union contract.

Niccol stumbled through the beginnings of an answer before throwing the ball to Sara Kelly, their head of human resources. Kelly talked about how much they value their “partners,” and how much progress they’ve been making in negotiations.

She concluded by saying, “When a partner elects a union to represent them, we are committed to engaging in good faith with that union and the partners who have selected that union to negotiate fair contracts.”

Sound familiar?

23:07

ClickFix: How to Infect Your PC in Three Easy Steps [Krebs on Security]

A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.

ClickFix attacks mimic the “Verify You are a Human” tests that many websites use to separate real visitors from content-scraping bots. This particular scam usually starts with a website popup that looks something like this:

This malware attack pretends to be a CAPTCHA intended to separate humans from bots.

Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity.

Executing this series of keypresses prompts Windows to download password-stealing malware.

Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes malicious code from the site’s virtual clipboard.

Step 3 — pressing the “Enter” key — causes Windows to download and launch malicious code through “mshta.exe,” a Windows program designed to run Microsoft HTML application files.

“This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,” Microsoft wrote in a blog post on Thursday. “Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.”

According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities — all in a bid to convince people to step through one of these ClickFix attacks.

In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. Some of those lures worked, and allowed thieves to gain control over booking.com accounts. From there, they sent out phishing messages asking for financial information from people who’d just booked travel through the company’s app.

Earlier this month, the security firm Arctic Wolf warned about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.

An alert (PDF) released in October 2024 by the U.S. Department of Health and Human Services warned that the ClickFix attack can take many forms, including fake Google Chrome error pages and popups that spoof Facebook.

ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.

The ClickFix attack — and its reliance on mshta.exe — is reminiscent of phishing techniques employed for years that hid exploits inside Microsoft Office macros. Malicious macros became such a common malware threat that Microsoft was forced to start blocking macros by default in Office documents that try to download content from the web.

Alas, the email security vendor Proofpoint has documented plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. When opened, the attachment displays an image of Microsoft Word document with a pop-up error message directing users to click the “Solution” or “How to Fix” button.

HTML files containing ClickFix instructions. Examples for attachments named “Report_” (on the left) and “scan_doc_” (on the right). Image: Proofpoint.

Organizations that wish to do so can take advantage of Microsoft Group Policy restrictions to prevent Windows from executing the “run” command when users hit the Windows key and the “R” key simultaneously.

22:49

A more robust raw OpenBSD syscall demo [OSnews]

Ted Unangst published dude, where are your syscalls? on flak yesterday, with a neat demonstration of OpenBSD’s pinsyscall security feature, whereby only pre-registered addresses are allowed to make system calls. Whether it strengthens or weakens security is up for debate, but regardless it’s an interesting, low-level programming challenge. The original demo is fragile for multiple reasons, and requires manually locating and entering addresses for each build. In this article I show how to fix it. To prove that it’s robust, I ported an entire, real application to use raw system calls on OpenBSD.

↫ Chris Wellons

Some light reading for the weekend.

21:35

Friday Squid Blogging: SQUID Band [Schneier on Security]

A bagpipe and drum band:

SQUID transforms traditional Bagpipe and Drum Band entertainment into a multi-sensory rush of excitement, featuring high energy bagpipes, pop music influences and visually stunning percussion!

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

20:28

Dima Kogan: Getting precise timings out of RS-232 output [Planet Debian]

For uninteresting reasons I need very regular 58Hz pulses coming out of an RS-232 Tx line: the time between each pulse should be as close to 1/58s as possible. I produce each pulse by writing an \xFF byte to the device. The start bit is the only active-voltage bit being sent, and that produces my pulse. I wrote this obvious C program:

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>
#include <stdint.h>
#include <sys/time.h>

static uint64_t gettimeofday_uint64()
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (uint64_t) tv.tv_sec * 1000000ULL + (uint64_t) tv.tv_usec;
}

int main(int argc, char* argv[])
{
    // open the serial device, and make it as raw as possible
    const char* device = "/dev/ttyS0";
    const speed_t baud = B9600;

    int fd = open(device, O_WRONLY|O_NOCTTY);
    tcflush(fd, TCIOFLUSH);

    struct termios options = {.c_iflag = IGNBRK,
                              .c_cflag = CS8 | CREAD | CLOCAL};
    cfsetspeed(&options, baud);
    tcsetattr(fd, TCSANOW, &options);

    const uint64_t T_us = (uint64_t)(1e6 / 58.);

    const uint64_t t0 = gettimeofday_uint64();
    for(int i=0; ; i++)
    {
        const uint64_t t_target = t0 + T_us*i;
        const uint64_t t1       = gettimeofday_uint64();

        if(t_target > t1)
            usleep(t_target - t1);

        write(fd, &((char){'\xff'}), 1);
    }
    return 0;
}

This tries to make sure that each write() call happens at 58Hz. I need these pulses to be regular, so I need to also make sure that the time between each userspace write() and when the edge actually hits the line is as short as possible or, at least, stable.

Potential reasons for timing errors:

  1. The usleep() doesn't wake up exactly when it should. This is subject to the Linux scheduler waking up the trigger process
  2. The write() almost certainly ends up scheduling a helper task to actually write the \xFF to the hardware. This helper task is also subject to the Linux scheduler waking it up.
  3. Whatever the hardware does. RS-232 doesn't give you any guarantees about byte-byte timings, so this could be an unfixable source of errors

The scheduler-related questions are observable without any extra hardware, so let's do that first.

I run the ./trigger program, and look at diagnostics while that's running.

I look at some device details:

# ls -lh /dev/ttyS0
crw-rw---- 1 root dialout 4, 64 Mar  6 18:11 /dev/ttyS0

# ls -lh /sys/dev/char/4:64/
total 0
-r--r--r-- 1 root root 4.0K Mar  6 16:51 close_delay
-r--r--r-- 1 root root 4.0K Mar  6 16:51 closing_wait
-rw-r--r-- 1 root root 4.0K Mar  6 16:51 console
-r--r--r-- 1 root root 4.0K Mar  6 16:51 custom_divisor
-r--r--r-- 1 root root 4.0K Mar  6 16:51 dev
lrwxrwxrwx 1 root root    0 Mar  6 16:51 device -> ../../../0000:00:16.3:0.0
-r--r--r-- 1 root root 4.0K Mar  6 16:51 flags
-r--r--r-- 1 root root 4.0K Mar  6 16:51 iomem_base
-r--r--r-- 1 root root 4.0K Mar  6 16:51 iomem_reg_shift
-r--r--r-- 1 root root 4.0K Mar  6 16:51 io_type
-r--r--r-- 1 root root 4.0K Mar  6 16:51 irq
-r--r--r-- 1 root root 4.0K Mar  6 16:51 line
-r--r--r-- 1 root root 4.0K Mar  6 16:51 port
drwxr-xr-x 2 root root    0 Mar  6 16:51 power
-rw-r--r-- 1 root root 4.0K Mar  6 16:51 rx_trig_bytes
lrwxrwxrwx 1 root root    0 Mar  6 16:51 subsystem -> ../../../../../../../class/tty
-r--r--r-- 1 root root 4.0K Mar  6 16:51 type
-r--r--r-- 1 root root 4.0K Mar  6 16:51 uartclk
-rw-r--r-- 1 root root 4.0K Mar  6 16:51 uevent
-r--r--r-- 1 root root 4.0K Mar  6 16:51 xmit_fifo_size

Unsurprisingly, this is a part of the tty subsystem. I don't want to spend the time to really figure out how this works, so let me look at all the tty kernel calls and also at all the kernel tasks scheduled by the trigger process, since I suspect that the actual hardware poke is happening in a helper task. I see this:

# bpftrace -e 'k:*tty* /comm=="trigger"/
               { printf("%d %d %s\n",pid,tid,probe); }
               t:sched:sched_wakeup /comm=="trigger"/
               { printf("switching to %s(%d); current backtrace:", args.comm, args.pid); print(kstack());  }'

...

3397345 3397345 kprobe:tty_ioctl
3397345 3397345 kprobe:tty_check_change
3397345 3397345 kprobe:__tty_check_change
3397345 3397345 kprobe:tty_wait_until_sent
3397345 3397345 kprobe:tty_write
3397345 3397345 kprobe:file_tty_write.isra.0
3397345 3397345 kprobe:tty_ldisc_ref_wait
3397345 3397345 kprobe:n_tty_write
3397345 3397345 kprobe:tty_hung_up_p
switching to kworker/0:1(3400169); current backtrace:
        ttwu_do_activate+268
        ttwu_do_activate+268
        try_to_wake_up+605
        kick_pool+92
        __queue_work.part.0+582
        queue_work_on+101
        rpm_resume+1398
        __pm_runtime_resume+75
        __uart_start+85
        uart_write+150
        n_tty_write+1012
        file_tty_write.isra.0+373
        vfs_write+656
        ksys_write+109
        do_syscall_64+130
        entry_SYSCALL_64_after_hwframe+118

3397345 3397345 kprobe:tty_update_time
3397345 3397345 kprobe:tty_ldisc_deref

... repeated with each pulse ...

Looking at the sources I see that uart_write() calls __uart_start(), which schedules a task to call serial_port_runtime_resume() which eventually calls serial8250_tx_chars(), which calls some low-level functions to actually send the bits.

I look at the time between two of those calls to quantify the scheduler latency:

pulserate=58

sudo zsh -c \
  '( echo "# dt_write_ns dt_task_latency_ns";
     bpftrace -q -e "k:vfs_write /comm==\"trigger\" && arg2==1/
                     {\$t=nsecs(); if(@t0) { @dt_write = \$t-@t0; } @t0=\$t;}
                     k:serial8250_tx_chars /@dt_write/
                     {\$t=nsecs(); printf(\"%d %d\\n\", @dt_write, \$t-@t0);}"
   )' \
| vnl-filter                  \
    --stream -p dt_write_ms="dt_write_ns/1e6 - 1e3/$pulserate",dt_task_latency_ms=dt_task_latency_ns/1e6 \
| feedgnuplot  \
    --stream   \
    --lines    \
    --points   \
    --xlen 200 \
    --vnl      \
    --autolegend \
    --xlabel 'Pulse index' \
    --ylabel 'Latency (ms)'

Here I'm making a realtime plot showing

  • The offset from 58Hz of when each write() call happens. This shows effect #1 from above: how promptly the trigger process wakes up
  • The latency of the helper task. This shows effect #2 above.

The raw data as I tweak things lives here. Initially I see big latency spikes:

timings.scheduler.1.noise.svg

These can be fixed by adjusting the priority of the trigger task. This tells the scheduler to wake that task up first, even if something else is currently using the CPU. I do this:

sudo chrt -p 90 `pidof trigger`

And I get better-looking latencies:

timings.scheduler.2.clean.svg

During some experiments (not in this dataset) I would see high helper-task timing instabilities as well. These could be fixed by prioritizing the helper task. In this kernel (6.12) the helper task is called kworker/N where N is the CPU index. I tie the trigger process to cpu 0, and priorities all the relevant helpers:

taskset -c 0 ./trigger 58

pgrep -f kworker/0 | while { read pid } { sudo chrt -p 90 $pid }

This fixes the helper-task latency spikes.

OK, so it looks like on the software side we're good to within 0.1ms of the true period. This is in the ballpark of the precision I need; even this might be too high. It's possible to try to push the software to do better: one could look at the kernel sources a bit more, to do smarter things with priorities or to try an -rt kernel. But all this doesn't matter if the serial hardware adds unacceptable delays. Let's look.

Let's look at it with a logic analyzer. I use a saleae logic analyzer with sigrok. The tool spits out the samples as it gets them, and an awk script finds the edges and reports the timings to give me a realtime plot.

samplerate=500000;
pulserate=58.;
sigrok-cli -c samplerate=$samplerate -O csv --continuous -C D1 \
| mawk -Winteractive  \
    "prev_logic==0 && \$0==1 \
     { 
       iedge = NR;
       if(prev_iedge)
       {
         di = iedge -prev_iedge;
         dt = di/$samplerate;
         print(dt*1000);
       }
       prev_iedge = iedge;
     }
     {
       prev_logic=\$0;
     } " | feedgnuplot --stream --ylabel 'Period (ms)' --equation "1000./$pulserate title \"True ${pulserate}Hz period\""

On the server I was using (physical RS-232 port, ancient 3.something kernel):

timings.hw.serial-server.svg

OK… This is very discrete for some reason, and generally worse than 0.1ms. What about my laptop (physical RS-232 port, recent 6.12 kernel)?

timings.hw.serial-laptop.svg

Not discrete anymore, but not really any more precise. What about using a usb-serial converter? I expect this to be worse.

timings.hw.usbserial.svg

Yeah, looks worse. For my purposes, an accuracy of 0.1ms is marginal, and the hardware adds non-negligible errors. So I cut my losses, and use an external signal generator:

timings.hw.generator.svg

Yeah. That's better, so that's what I use.

Album Preview Revue [The Stranger]

Here comes new music from Suzzallo, Dead Bars, Perfume Genius, Kinski, and more! by Stranger Staff Dead Bars

All Dead Bars Go to Heaven

(Iodine Recordings)

March 21

For a certain crowd, the phrase pop punk often conjures up imagery of white dudes with frosted tips singing through their nose about how all girls suck. But Dead Bars aren’t like that. That was 2006. Today’s pop punk is different—it’s not plasticized misogyny, it’s optimistic. It’s punk with a pep in its step, not because everything is great, but because everything is terrible, and at least we have each other. On their new album, All Dead Bars Go to Heaven, the band’s vocalist John Maiello delivers earnest lyrics about finding community in music (“Your favorite singers are on your side / let the riffs come alive”) and visiting dead friends through his records (“I wanna be a ghost tonight / I wanna party with my friends on the other side”). That all may sound a little too saccharine on paper, but the band’s buoyant, melodic punk riffs and rough-and-tumble percussion adds enough of an edge to let you feel like you’re still a badass even while sitting in your feelings. (Dead Bars’ album release show is April 26 at the Sunset) MEGAN SELING 

Perfume Genius

Glory

(Matador Records)

March 28

In the words of a YouTube comment I read at 2 a.m. on the music video for the Perfume Genius single “It’s a Mirror”: “We’re about to witness the slay of the century.” YES. Give me a big mood, big music, big art direction; by all means, take up space on the strength of an album cover alone. An uncannily strawberry blond Mike Hadreas, in a crop top and low-rise jeans, strewn across the floor of a mysterious cabin? We needed this. For his seventh album, Glory, Hadreas and company swerve towards a fuller, more driving rock sound, while keeping it very weird and very queer. The sweaty, fever-dreamlike videos for both singles, “It’s a Mirror” (featuring a leather-clad Hadreas riding a motorcycle, getting a full facial of gasoline in a field, and so much more) and “No Front Teeth” (featuring Aldous Harding in a psychotic waffle-making-and-eating scene, and so much more) were made by Cody Critcheloe, whose warped aesthetic, as always, sets the whole thing off. (Perfume Genius play the Showbox June 26) EMILY NOKES

Swamp Wife

Your Love Is All I Know

(LACE Records)

April 4

Sifting through show listings last year, I didn’t expect to find a special band. I knew I had when I heard “Your Turn,” a desperate howl about the last short end of a relationship, at the point you’re ready to ask someone if they still love you, and to show you how. If Your Love Is All I Know is like Swamp Wife’s self-titled first EP, it will be emotionally forthright and play smart with big, brittle guitars. Swamp Wife doesn’t play loud for the sake of it—they play for the friends they wrote the song with. The first single from Your Love Is All I Know, “Cadmium Red Light,” released Valentine’s Day, oozes Chastity Belt, Pixies, and Pixies offshoot the Amps. The band plays like a single dark, mechanical instrument. Singer Abby Wrath stands alone in its murk. As if illuminated in intense red light, Wrath whispers, yells, and stretches each word until it breaks. (Swamp Wife’s EP release show is April 11 at Black Lodge April 11) VIVIAN MCCALL

Adrian Younge

Something About April III

(Linear Labs Records)

April 18

Self-taught musician, composer, producer, and orchestrater Adrian Younge is known for his work with big names like Kendrick Lamar, Wu-Tang Clan, Ghostface Killah, the Delfonics, and Snoop Dogg. However, the multi-talented artist has also released countless albums and soundtracks on his own. In 2011, Younge released the first installment of his Something about April trilogy—a pseudo-soundtrack series of dark psychedelic soul and cinematic instrumentals. After the album was sampled by hiphop heavies Timbaland and Jay-Z, Younge went on to release part two in 2016, and Something About April III will be released April 18. Don’t miss Younge as he stops by the Tractor Tavern with tracks from the trilogy with his 10-piece orchestra. I just have one question... how will that many musicians fit onto the Tractor’s little stage? (Adrian Younge plays Tractor Tavern on March 26) AUDREY VANN

Suzzallo

The Quiet Year

(Thirty Something Records)

May 5

The term supergroup has been overused to the point of meaning nothing at all, but please believe me and put some respect on that word when I tell you Suzzallo is the most exciting supergroup to come from Seattle in quite some time. The band came together in 2022 after vocalist/guitarist Rocky Votolato’s child unexpectedly died in a car accident. Music and loved ones being the balm that they are, Votolato channeled his grief into performing soaring, guitar-driven rock songs with old friends, including his Waxwing bandmate Rudy Gajadhar, Steve Bonnell of Schoolyard Heroes, and, for a few songs, Ben Gibbard of Death Cab for Cutie. You can almost hear the heart healing—or, at least, finding a sustainable balance of love and grief—within the melodies. If you’re new to town and all these names mean nothing to you, know this: Seattle and the world are so excited about this record that Suzzallo raised more than $100K in presales via Kickstarter to make it happen. (Suzzallo’s album release show is May 17 at Madame Lou’s) MEGAN SELING

Even More Albums to Look Out For

February 28
Max Nordile
Crystal Rescue Flux Code cassette
(Music For People)

March 7
Kinski
Stumbledown Terrace
(Comedy Minus One)

March 7
Lake
Bucolic Gone
(Don Giovanni)

March 8
Tennis Pro
Mismatch
(self-released)

March 21
Death Spa
Ewwwphoria
(self-released)

March 28
Great Grandpa
Patience, Moonbeam
(Run for Cover)

April 18
Melvins
Thunderball
(Ipecac)

May 30
The Minus 5
Oar On, Penelope!
(Yep Roc)

June 13
Casual Hex
Zig Zag Lady Illusion II
(Youth Riot Records)

June 13
Sea Lemon
Diving For a Prize
(Luminelle Recordings)

19:42

Musk’s Tesla warns Trump’s tariffs and trade wars will harm Tesla [OSnews]

Elon Musk’s Tesla is waving a red flag, warning that Donald Trump’s trade war risks dooming US electric vehicle makers, triggering job losses, and hurting the economy.

In an unsigned letter to the US Trade Representative (USTR), Tesla cautioned that Trump’s tariffs could increase costs of manufacturing EVs in the US and forecast that any retaliatory tariffs from other nations could spike costs of exports.

↫ Ashley Belanger at Ars Technica

Back in 2020, scientists at the University of Twente, The Netherlands, created the smallest string instrument that can produce tones audible by human ears when amplified. Its strings were a mere micrometer thin, or one millionth of a meter, and about half to one millimeter long. Using a system of tiny weights and combs producing tiny vibrations, tones can be created.

And yet, this tiny violin still isn’t small enough for Tesla.

18:56

I Saw U: Using Crutches at Ballard Pool, Eating at Taurus Ox, and Gossiping at Time Warp [The Stranger]

See someone? Say something! by Anonymous

Cute masked person on 3/11 redeye to Detroit

You: Ponytail, green jacket, brown gingham skirt. Me: Long braid, giant sweater. We landed at 6am; I couldn’t think. Are you gay? Coffee?

Missing wallet

To whoever found my wallet on the 36 and brought it to the BECU on Ranier Ave, thank you so much!!! Let me get you a coffee?

My haircut isn’t cool enough

I don’t have a mullet, but I did eavesdrop your compliments to a friend at Rough & Tumble and clapped. Of COURSE your name is Jen (all good ones are!)

Eye contact galore at Taurus Ox

You: Blonde gal with 3 pals at Taurus Ox on 3/7. Me: Bearded guy clad in a sweater vest with 2 pals. Wish we'd traded more than just repeated glances!

Crutching it at Ballard Pool

You hurt your knee skiing but it didn't keep you out of the fast lane! I was too shy to hold the door for you and your chaperone - red jacket, Mondays

T4T friendship?

You and your partner said my boyfriend and I were cute together at Time Warp. We shared gossip from eavesdropping. Want to be friends?

Star-Fated at the Rave

Said you were a Libra and we agreed it was fate. Kept finding you on the dancefloor, but I was coming & you were going. Can the starfated cross again?

Lowe’s Londoner, Mt. Baker

Actually you’re from the north of England and we chatted about my squeegee. I could talk with you 4ever. Me: dude (enthralled), you: so charming.

Is it a match? Leave a comment here or on our Instagram post to connect!

Did you see someone? Say something! Submit your own I Saw U message here and maybe we'll include it in the next roundup!

18:35

Git 2.49.0 released [LWN.net]

Version 2.49.0 of the Git source-code management system has been released. This release comprises 460 non-merge commits since 2.48.0, with contributions from 89 people, including 24 new contributors. There is a long list of improvements and bug fixes; see the highlights blog from GitHub's Taylor Blau for some of the more interesting features.

18:28

New Books and ARCs, 3/14/25 [Whatever]

Tomorrow is the Ides of March, and here at the Scalzi Compound we have a whole stack of new books and ARCs to peruse. Which of these books would you like to take a stab at? Share in the comments!

— JS

18:07

Seattle's Only News Quiz [The Stranger]

Seattle's only human generated news quiz. by Sally Neumann & Leah Caglio

Create your own user feedback survey

The Best Bang for Your Buck Events in Seattle This Weekend: Mar 14–16, 2025 [The Stranger]

St. Patrick's Day Parade, Capitol Hill Swap Meet, and More Cheap & Easy Events Under $15
by EverOut Staff

You're in luck this weekend, because there's plenty to do on a dime. We're suggesting events from 54th Annual St. Patrick's Day Parade to Capitol Hill Swap Meet - CHASM and from Roq La Rue's Grand Re-Opening Party to a Grasslands Barbecue Pop-Up. For more suggestions, check out our top picks of the week and our St. Patrick's Day guide.

FRIDAY COMEDY

Almost Yours
Almost Yours feels like the sarcastic sister of I Saw U, The Stranger's version of Craigslist Missed Connections. If you're a fan of the heart-eyed drama that transpires on either site, head to this improv show, which "brings near-misses and 'what ifs' to life on stage" and is inspired by real-life unspoken connections. It's the perfect place to cry-laugh about what could have been. LINDSAY COSTELLO
(Here-After at the Crocodile, Belltown, $15)

17:56

Holodick [Penny Arcade]

Ed Zitron of Better Offline and Where's Your Ed At engages regularly in a unilateral war of aggression against Sam Altman. He has done a ton of research on Sam, as he has for other "rot economy" tech figures, and thus has a sophisticated factual scaffold built around them he can hold them to. For me, it's just like a… taste, or smell. I'm receiving information from some kind of sense, and it is setting off red lights on the panel. Is that fair? I dunno. If I saw a huge lizard gnawing at the roots of Yggdrasil, to what extent am I required to give it the benefit of the doubt? We clown ourselves when we hold ourselves to baroque standards of fairness around malefactors like this. They know about the rules, they just think those rules are for other people. They depend on this asymmetry. They rely on it.

17:21

Page 54 [Flipside]

Page 54 is done.

Ravi Dwivedi: Libreoffice Conference 2024 in Luxembourg [Planet Debian]

Last year, I attended the annual LibreOffice Conference in Luxembourg with the help of a generous travel grant by The Document Foundation (TDF). It was a three-day event from the 10th to the 12th of October 2024, with an additional day for community meetup on the 9th.

Luxembourg is a small (twice as big as Delhi) country in Western Europe. After going through an arduous visa process, I reached Luxembourg on the 8th of October. Upon arriving in Luxembourg, I took a bus to the city center, where my hotel — Park Inn — was located. All the public transport in Luxembourg was free of cost. It was as if I stepped in another world. There were separate tracks for cycling and a separate lane for buses, along with good pedestrian infrastructure. In addition, the streets were pretty neat and clean.

Luxembourg's Findel Airport

Separate cycling tracks in Luxembourg

My hotel was 20 km from the conference venue in Belval. However, the commute was convenient due to a free of cost train connection, which were comfortable, smooth, and scenic, covering the distance in half an hour. The hotel included a breakfast buffet, recharging us before the conference.

This is what trains look like in Luxembourg

Pre-conference, a day was reserved for the community meetup on the 9th of October. On that day, the community members introduced themselves and their contributions to the LibreOffice project. It acted as a brainstorming session. I got a lovely conference bag, which contained a T-Shirt, a pen and a few stickers. I also met my long time collaborators Mike, Sophie and Italo from the TDF, whom I had interacted only remotely till then. Likewise, I also met TDF’s sysadmin Guilhem, who I interacted before regarding setting up my LibreOffice mirror.

Conference bag

The conference started on the 10th. There were 5 attendees from India, including me, while most of the attendees were from Europe. The talks were in English. One of the talks that stood out for me was about Luxchat — a chat service run by the Luxembourg government based on the Matrix protocol for the citizens of Luxembourg. I also liked Italo’s talk on why document formats must be freedom-respecting. On the first night, the conference took us to a nice dinner in a restaurant. It offered one more way to socialize with other attendees and explore food at the same time.

One of the slides of Italo's talk

Picture of the hall in which talks were held

On the 11th of October, I went for a walk in the morning with Biswadeep for some sightseeing around our hotel area. As a consequence, I missed the group photo of the conference, which I wanted to be in. Anyway, we enjoyed roaming around the picturesque Luxembourg city. We also sampled a tram ride to return to our hotel.

We encountered such scenic views during our walk

Another view of Luxembourg city area

The conference ended on the 12th with a couple of talks. This conference gave me an opportunity to meet the global LibreOffice community, connect and share ideas. It also gave me a peek into the country of Luxembourg and its people, where I had good experience. English was widely known, and I had no issues getting by.

Thanks to all the organizers and sponsors of the conference!

Slog AM: Pike Place Park Opens, Hoh Road Repairs Get Funding, Chuck Schumer Will Back GOP Bill [The Stranger]

The Stranger's morning news roundup. by Nathalie Graham

When one park closes... Little Saigon's eight-month-old Hoa Mai Park will temporarily close due to public safety concerns. It has become a gathering place for the unhoused and for drug activity such as fentanyl use, according to nearby residents. Unfortunately, since it's in this city's nature to restrict any and all places for impoverished people, the park will close until further notice. This feels like a sweep but in a different font. And, let's be clear—the rising crime in the International District and Little Saigon is correlated with Bruce Harrell's push to "clean up" downtown. There is nowhere for these people to go and there won't be a place unless the city provides one. When it reopens, Hoa Mai Park will do so with a lockable gate and with reduced night time hours. 

... Another park opens: Victor Steinbruck Park, the grassy gathering space next to Pike Place Market, will finally reopen today after two years. A dispute over the totem poles delayed the reopening. Don't you hate it when that happens? The March 14 opening will happen regardless of totem poles. As for the poles, they'll be restored now with the help of a Native carver and will be reinstalled once they're good as new. 

The weather: Gray. Cold, but not too cold. Rain returns tomorrow. 

A Tesla tinderbox: An arsonist in Capitol Hill dumped gasoline onto a Tesla parked at the intersection of 15th Avenue East and East Harrison then lit the car ablaze. No one was injured, but that Tesla sure won't be operable any time soon. Police apprehended the suspect. 

Help a Hoh out: The only road to Olympic National Park's Hoh Rainforest has been washed out with big bites eroded away since December. Each year, the Upper Hoh Road carries 460,000 visitors. Without enough funds in the county and with a federal government unwilling to help, road restoration hope has dwindled. But, tight-pursed Gov. Bob Ferguson announced yesterday the state will help. He directed $623,000 of reserve funds to help patch up the road. One hundred individual donors also contributed a total of $27,000. Thanks, Bob! 

Did you see the Blood Moon and Lunar Eclipse last night? This was the first total lunar eclipse in two years. If you missed it, you can watch this time lapse from the Griffith Park Observatory in Los Angeles. I hope this is a good omen astrologically. What do we make of it, star readers?

 

Got home in time for totality! 

2nd picture was taken by my daughter who’s at an observatory! 

#lunareclipse #photography #moon

[image or embed]

— Mubashar “Mubs” Iqbal (@mubashariqbal.com) March 13, 2025 at 11:41 PM

 

Reading the tea leaves, it seems as if the omen may be bad: There's an impending federal government shutdown. Democrats are in a tricky situation. Do they side with the GOP ghouls and pass a spending bill that erodes much of Congress's power on government spending and gives that power to Donald Trump and the executive branch? Or, do they allow the shutdown to happen and potentially grant Trump more power that way? Minority leader Chuck Schumer announced he's going to side with the Republicans and vote for the spending bill. Why? He thinks a shutdown is the worse option of the two evils and that it would grant Trump and Elon Musk "full authority to deem whole agencies, programs, and personnel nonessential, furloughing staff with no promise that they would ever be rehired." Ugh, yes, but voting alongside the baddies...? There surely must be better ways to resist than to roll over and show your belly, right? 

Dr. Oz goes to Washington: Celebrity doctor and homeopathic freak Dr. Mehmet Oz wants to be the guy who oversees health insurance under the Department of Health. He'll face a confirmation hearing with the Senate Finance Committee today. Seems like he'll get it. Ahead of his confirmation, Oz announced he'd try to mitigate some of his massive financial conflicts of interest and sell "his interest in more than 70 companies and investment funds, including UnitedHealth Group, HCA Healthcare and Amazon, which now has significant health care ventures," according to the New York Times

Some good news: People keep booing JD Vance.

 

JD Vance was booed at the Kennedy Center.

[image or embed]

— Pop Crave (@popcrave.com) March 13, 2025 at 8:03 PM

 

Go for gold: With uncertainty about tariffs and a cratering stock market, investors are choosing to invest in something solid, something tangible, something... gold. The yellow metal broke $3,000 Friday—an all-time high. Gold dust or bust, baby. 

Parents sue Trump: A class-action federal lawsuit brought by parents against the Trump administration is suing on the grounds that decimating the Department of Education's Office for Civil Rights will lead to discrimination at school. That violates the equal protection clause under the Fifth Amendment, according to the suit. Parents brought the suit three days after the Department of Education announced it was firing 1,300 workers including the entire staffs at seven of 12 regional civil rights offices. The firings amounted to a 50% cut in the department's work force.

Are you a potential political enemy of this administration? If you're reading this on this heretical blog, then you probably are. So read this Wired article about how to protect yourself from digital surveillance. 

Climate change stories everywhere: Jessie Holmes, a former cast member on the reality TV show "Life Below Zero," won the Iditarod Trail Sled Dog Race. It was the longest Iditarod ever. Why? Well, the route had to change since there wasn't enough snow north of the Alaska Range. You can't sled dog race without snow. The route changed and ballooned from 1,000 miles to 1,129 miles. Holmes and his team of dogs finished the race in 10 days, 14 hours, 55 minutes and 41 seconds. 

New details in Mahmoud Khalil case: I write "case," but there is no case since Khalil, a former Columbia University graduate student, committed no crime. He was taken from his New York home in the middle of the night by Immigrations and Customs Enforcement officers. According to a new lawsuit filed by his lawyers, Khalil said the ICE agents never identified themselves. He felt as though he was "being kidnapped" when they took him from his home in front of his eight-months pregnant wife to a detention facility in Louisiana where he slept without a pillow or blanket. "This is a targeted, retaliatory and extreme attack on the right of free expression,” Khalil's lawyer Donna Lieberman. She said Khalil was only detained "for having ideas." He is still in custody. 

Protesters demand Khalil’s release: Yesterday, progressive Jewish protesters flooded Trump Tower, demanding the release of Khalil—100 were arrested. Their message? “Fight Nazis, not students,” and “We will not comply.” Khalil’s detention is looking less like an immigration case and more like a test run for mass political arrests.
 
Columbia’s federal funds ransom: Nearing final form fascist, the Trump administration has outlined its criteria to restore $400 million of federal funding to Columbia. The demands? The Ivy League university cracks down on protests, redefines antisemitism on Trump’s terms, and hands more power to campus cops. Among the specifics: ban most masks, centralize discipline, and put entire academic departments under government oversight. Columbia has until March 20 to meekly acquiesce or stay cut off.

A song for your Friday: This is stuck in my head this morning. 

16:35

The case of COM failing to pump messages in a single-threaded COM apartment [The Old New Thing]

A customer encountered a hang caused by COM not pumping messages while waiting for a cross-thread operation to complete. They were using the task_sequencer class for serializing asynchronous operations on a UI thread they created to handle accessibility callbacks.

The hang stack looked like this:

ntdll!ZwWaitForMultipleObjects+0x4
KERNELBASE!WaitForMultipleObjectsEx+0xe0
combase!MTAThreadDispatchCrossApartmentCall+0x3a0
combase!CSyncClientCall::SendReceive2+0x65c
combase!DefaultSendReceive+0x88
combase!CSyncClientCall::SendReceive+0x390
combase!CClientChannel::SendReceive+0xc0
combase!NdrExtpProxySendReceive+0x68
rpcrt4!NdrpClientCall3+0x764
combase!ObjectStublessClient+0x180
combase!ObjectStubless+0x34
combase!CObjectContext::InternalContextCallback+0x3f0
combase!CObjectContext::ContextCallback+0x80
contoso!winrt::impl::resume_apartment_sync+0x58
contoso!winrt::impl::resume_apartment+0xe8
contoso!winrt::impl::apartment_awaiter::await_suspend+0x6c
contoso!⟦lambda...⟧::operator()<⟦...⟧>+0x1c8
contoso!task_sequencer::chained_task::continue_with+0x38
contoso!task_sequencer::QueueTaskAsync<⟦...⟧>+0xd0
contoso!⟦lambda...⟧::<lambda_invoker_cdecl>+0xa0
user32!__ClientCallWinEventProc+0x34
ntdll!KiUserCallbackDispatcherReturn
win32u!ZwUserGetMessage+0x4
user32!GetMessageW+0x28
contoso!⟦lambda...⟧::operator()+0x204
contoso!std::thread::_Invoke<⟦lambda...⟧>+0x24
ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x48
kernel32!BaseThreadInitThunk+0x40
ntdll!RtlUserThreadStart+0x44

We see that we have a UI thread (notice the Get­Message at the bottom of the stack), yet COM decided to block without pumping messages (Wait­For­Multiple­Objects­Ex instead of (Msg­Wait­For­Multiple­Objects­Ex).

Is this a bug in the task sequencer?

Let’s look at the stack more closely. A message arrived via __Client­Call­Win­Event­Proc, and that then queued a task into the task sequencer. The continue_with saw that the task sequencer had no active task, so it ran the new task immediately. That new task wants to run on a different thread, so C++/WinRT’s apartment-switching code kicked in.

The apartment-switching code went to resume_apartment_sync, which in turn called our friend IContext­Callback::Context­Callback, and that called into the COM thread-switching infrastructure, which doesn’t pump messages while wiating for the destination apartment to respond.

Now, COM is a rather mature technology, and this code path is execised constantly throughout the system, so it’s unlikely that it simply “forgot” to pump messages. The function name MTA­Thread­Dispatch­Cross­Apartment­Call strongly suggests that COM thinks that the thread is in an MTA. And the use of resume_apartment_sync suggests that C++/WinRT also thinks that the thread is in an MTA:

else if (is_sta_thread())
{
    resume_apartment_on_threadpool(
        context.m_context, handle, failure);
    return true;
}
else
{
    return resume_apartment_sync(           
        context.m_context, handle, failure);
}

If this were an STA thread, then we would have called resume_apartment_on_threadpool instead of resume_apartment_sync.

Let’s take a closer look at this thread:

// Create a thread to receive accessibility notifications.
m_thread = std::thread([this] {
    ::SetThreadDescription(::GetCurrentThread(), L"Accessibility STA");

    ⟦ ... ⟧

    wil::unique_hwineventhook hook(SetWinEventHook(⟦...⟧));
    THROW_LAST_ERROR_IF_NULL(hook);

    MSG msg;
    while (!m_stop && GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
});

Ah, so there’s your problem.

The thread claims to be an STA thread:

    ::SetThreadDescription(::GetCurrentThread(), L"Accessibility STA");

But there is nothing in the thread procedure that actually makes it an STA thread. It never initialized COM in single-threaded mode.

The thread merely engaged in wishful thinking, proclaming itself to be an STA thread without actually becoming one. (Or maybe it believed in nominative determinism: The mere act of calling itself an STA thread was sufficient to make it true.)

Since COM is already initialized elsewhere in the process, the new thread gets put into the implicit MTA by default, and it took no action to leave it, so from COM’s point of view, this thread is an MTA thread. And MTA threads are allowed to block without pumping messages.

What they need to do is actually make it an STA thread, say, by calling Co­Initialize­Ex with the COINIT_APARTMENT­THREADED flag, and then uninitializing COM before the thread exits to return the thread to its original state. You can kill two birds with one stone with the help of the WIL RAII type.

// Create a thread to receive accessibility notifications.
m_thread = std::thread([this] {
    auto uninit = wil::CoInitializeEx(COINIT_APARTMENTTHREADED);

    ::SetThreadDescription(::GetCurrentThread(), L"Accessibility STA");

    ⟦ ... ⟧

    wil::unique_hwineventhook hook(SetWinEventHook(⟦...⟧));
    THROW_LAST_ERROR_IF_NULL(hook);

    MSG msg;
    while (!m_stop && GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
});

The post The case of COM failing to pump messages in a single-threaded COM apartment appeared first on The Old New Thing.

16:21

Link [Scripting News]

Question for WordLand users. When you published your first post, were you surprised that the window didn't clear? Did you understand that you can make changes and update the public post? I was just talking with a friend who didn't expect it to behave the way it did.

Upcoming Speaking Engagements [Schneier on Security]

This is a current list of where and when I am scheduled to speak:

The list is maintained on this page.

15:49

15:35

GNUnet 0.24.0 [Planet GNU]

GNUnet 0.24.0 released

We are pleased to announce the release of GNUnet 0.24.0.
GNUnet is an alternative network stack for building secure, decentralized and privacy-preserving distributed applications. Our goal is to replace the old insecure Internet protocol stack. Starting from an application for secure publication of files, it has grown to include all kinds of basic protocol components and applications towards the creation of a GNU internet.

This is a new major release. Major versions may break protocol compatibility with the 0.23.0X versions. Please be aware that Git master is thus henceforth (and has been for a while) INCOMPATIBLE with the 0.23.0X GNUnet network, and interactions between old and new peers will result in issues. In terms of usability, users should be aware that there are still a number of known open issues in particular with respect to ease of use, but also some critical privacy issues especially for mobile users. Also, the nascent network is tiny and thus unlikely to provide good anonymity or extensive amounts of interesting information. As a result, the 0.24.0 release is still only suitable for early adopters with some reasonable pain tolerance .

After almost a year of testing we believe that the meson build system is stable enough that it can be used as the default build system. In order to reduce maintenance overhead, we are planning to phase out the autotools build until the next major release. Meson shows up to 10x better development build times. It also facilitates building a single libgnunet.so for future requirements of a monolithic build on other platforms such as Android.

Download links

The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

Note that due to mirror synchronization, not all links might be functional early after the release. For direct access try http://ftp.gnu.org/gnu/gnunet/

Changes

A detailed list of changes can be found in the git log , the NEWS and the bug tracker . Noteworthy highlights are

  • Build system: After almost a year of testing we believe that the meson build system is stable enough that it can be used as the default build system. In order to reduce maintenance overhead, we are planning to phase out the autotools build until the next major release.

Known Issues

  • There are known major design issues in the CORE subsystems which will need to be addressed in the future to achieve acceptable usability, performance and security.
  • There are known moderate implementation limitations in CADET that negatively impact performance.
  • There are known moderate design issues in FS that also impact usability and performance.
  • There are minor implementation limitations in SET that create unnecessary attack surface for availability.
  • The RPS subsystem remains experimental.

In addition to this list, you may also want to consult our bug tracker at bugs.gnunet.org which lists about 190 more specific issues.

Thanks

This release was the work of many people. The following people contributed code and were thus easily identified: Christian Grothoff, Florian Dold, dvn, TheJackiMonster, oec, ch3, and Martin Schanzenbach.

Link [Scripting News]

I asked ChatGPT to write a blog post using the technology of 1993.

14:49

Link [Scripting News]

I was looking over my blog archive for August 2006, which was when I started using Twitter, and came across this video of Jason Calacanis, at a Wikipedia conference in Cambridge. This is what videos were like back then. I probably took it with a fairly expensive Nikon camera.

14:07

Link [Scripting News]

I heard an idea that really resonated in a Brian Lehrer interview with Anand Giridharadas, who says among many other things, that we should aim our ire at the leaders of the MAGA movement, and stop bringing our angst to the people who voted for them. Every time I see a condescending TikTok story about them, I think about how that takes us further from getting where we must go. We have to reconcile, we share a country, and our interests are totally aligned. We need each other, that will become completely obvious, and the sooner it does the better.

Link [Scripting News]

Saw an interview with Mark Cuban where they asked why would Elon Musk do something that would cause Tesla stock to tank. He's got the power to play with the biggest financial thing that has ever existed, and quite possibly that ever will exist. In comparison Tesla is just one car company, with a lot of competition, a market-leading product for sure, but the competition is catching up. They're constantly lowering prices to keep the volume up, so eventually the stock will have to come down anyway. He certainly knows stuff about the company that no one else can see, maybe their new product pipeline is empty? He also has had to deal with short-sellers who have the incentive to drive the price down, and he can't bet alongside them (how would that look, a CEO betting against his own company). No matter what, there is nothing bigger than the USA, and he's got it, and plans to keep it. But he's human, and thus has frailties, and he loses as often as he wins and knows it. Unfortunately for us we're all in his boat now, unless somehow we can wrench it back.

[$] The burden of knowledge: dealing with open-source risks [LWN.net]

Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl argued recently in a short talk at FOSS Backstage in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DB Systel, encouraged better risk assessment using qualitative data and direct participation in open source.

13:21

"It's the people, stupid!" [Scripting News]

I keep hearing pundits and incumbent Democrats missing the point, that the people are the ones whose opinion matters about the Republicans dismantling our democracy in the United States.

I want to celebrate those leaders who totally get that the power is with the people, notably Alexandria Ocasio-Cortez and Bernie Sanders. They are an inspiration! I live in New York and while AOC doesn't represent me in Congress (Pat Ryan is my rep), in a political and spiritual way she most definitely represents me. She should be the next president, as far as I'm concerned. She has all the leadership abilities we could ever want.

My contribution for today is the slogan that's the title of this piece. It's derived from James Carville's slogan when Bill Clinton was running for president in 1992, updated for 2025.

"It's the people, dummy!" was always the right slogan. It's we, the people, who created this country, and we the people are the only ones who can make it work again.

Security updates for Friday [LWN.net]

Security updates have been issued by Fedora (iniparser, thunderbird, trafficserver, and xorg-x11-server), Mageia (opensc), Oracle (.NET 8.0, .NET 9.0, gcc, kernel, and libxml2), Red Hat (firefox, grub2, and krb5), Slackware (libxslt), SUSE (amazon-ssm-agent, bsdtar, build, ffmpeg-4, forgejo-runner, kernel, python, python3, python313, rubygem-rack-1_6, and tailscale), and Ubuntu (linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15).

13:14

The Return of the AppyHour Box [Whatever]

Hey, everyone! I’m back today with another AppyHour Box. I wasn’t sure if I was going to make these a regular thing, but it seemed like you guys enjoyed the first one I did, so I figured we’d keep it goin’ until y’all tell me you’re sick of them.

And thank you to everyone who used to my referral code! I was only expecting a couple of people to give it a whirl, but a whole 20 of you did. Now I have $20 off my next box for, uhh.. a good long while.

If you didn’t see my first post over AppyHour, it’s a subscription box that comes with artisan meats and cheeses, as well as accompaniments like nuts, jams, and crackers, so you can go from “box to board in 10 minutes” (their words, but I have found it to be pretty true!).

Here’s what I got in my February box, the theme of which was “Southern Comforts”:

All the items I got from the box, still in their packages, laid out on the counter.

From left to right (roughly), we’ve got Berkshire coppa, raspberry mostarda, Quince & Apple apples and cranberry preserves, Firehook multigrain flax Mediterranean baked crackers, praline pecans, honey clover gouda, black pepper cherry prosciutto, Sweet Grass Dairy pimento cheese, Georgia tomme, and dried mangoes.

After looking at the list of everything that was possible to end up with, I am surprised to have received dried mangoes, as I didn’t see them on the list.

Here’s a closer look at the honey clover gouda:

A wedge of the honey clover gouda. The cheese is a creamy white with specks of herbs seen throughout, and the rind is a bright orange-y yellow.

AppyHour says that this cheese is award winning, made in Wisconsin, and crafted by a female cheese master from the Netherlands! Pretty wild stuff.

Here’s the tomme:

A triangular wedge of tomme, pale yellow in color with a beige-ish rind. It has some holes throughout.

I was pretty sure I had never heard of tomme before, but apparently it’s a semi-hard cow’s milk cheese, and this one is made in Georgia.

And finally, the pimento cheese:

A top-down shot of the plastic container containing the bright orange pimento cheese spread. Specks of red from the pepper can be seen throughout the creamy mixture.

I was very surprised to read on their info page that this pimento cheese spread is made with tomme. After delving further into Sweet Grass Dairy’s website, they use the exact same tomme that is in the box! I can only assume the tomme is from the same farm as the pimento spread, and they use their own tomme to make their pimento. Just thought that was kind of funny.

So, here’s how I made up this board:

A slim, grey marble-esque looking board. The pimento cheese spread is in a small black ceramic bowl in the middle of the board. Next to it is a salami rose, a river of prosciutto, a handful of praline pecans, a pile of dried mangoes, and each of the small jams in their respective jars. At each end of the board is a crumbled cheese.

I served the crackers separately, as it was a slimmer board than I usually work with so I had to prioritize the space for the meats and cheeses.

I thought this was a pretty okay board! While I wasn’t a huge fan of the multigrain crackers, I did really love the pimento cheese spread, and both the jams I received were seriously delicious. The honey clover gouda was creamy and floral, and the coppa was surprisingly buttery in texture. I can’t say I tasted much cherry in the black pepper cherry prosciutto, but it was still good. The dried mangoes were an odd addition, I didn’t really feel like they fit with the rest of the board, but it was a good contrast of texture, at least. And of course who doesn’t love praline pecans? I never get tired of them.

This month’s (March) theme is Old World Tavern, and I’m really looking forward to seeing what comes in that! If you also want to see what March’s box entails, feel free to use my referral code for $20 off your first box. I already have a plethora of $20 off coupons thanks to y’all, but I’m glad I can offer you guys a discount, at least!

Which item from this Southern Comforts box looked the best to you? Do you like pimento cheese? Let me know in the comments, and have a great day!

-AMS

12:35

Link [Scripting News]

Please, today -- write a blog post that explains why you believe in The Writer's Web. That's the best way to express our ideas on the web is with all the tools that writers have invented. And while we may enjoy using social media like Bluesky or Mastodon, we understand that they are not for writing and are not the web. Please send me a link to your post and I will read what you've written with thanks for believing in writers and the web! You can use any blogging software you like. My email address is dave.winer@gmail.com. And thank you. (And btw, your post can be about whatever you like, by just writing a blog post you're expressing your support for the writing on the web!)

11:28

Error'd: No Time Like the Present [The Daily WTF]

I'm not entirely sure I understand the first item today, but maybe you can help. I pulled a couple of older items from the backlog to round out this timely theme.

Rudi A. reported this Errord, chortling "Time flies when you're having fun, but it goes back when you're walking along the IJ river!" Is the point here that the walking time is quoted as 77 minutes total, but the overall travel time is less than that? I must say I don't recommend swimming the Ij in March, Rudi.

1

 

I had to go back quite a while for this submission from faithful reader Adam R., who chimed "I found a new type of datetime handling failure in this timestamp of 12:8 PM when checking my past payments at my medical provider." I hope he's still with us.

4

 

Literary critic Jay commented "Going back in time to be able to update your work after it gets published but before everyone else in your same space time fabric gets to see your mistakes, that's privilege." This kind of error is usually an artifact of Daylight Saving Time, but it's a day too late.

0

 

Lucky Luke H. can take his time with this deal. "The board is proud to approve a 20% discount for the next 8 millenia," he crowed.

2

 

At nearly the other end of the entire modern era, Carlos found himself with a nostalgic device. "Excel crashed. When it came back, it did so showing this update banner." Some programmer confused "restore state" with the English Restoration. Not that state, bub.

3

 

[Advertisement] Picking up NuGet is easy. Getting good at it takes time. Download our guide to learn the best practice of NuGet for the Enterprise.

The gangster pushing Tesla [Richard Stallman's Political Notes]

The wrecker said that the boycott of Tesla is illegal.

That is impossible, in the US legal system. But I don't know whether the real laws can prevail over the magat prosecutors' fake laws.

Freedom of speech hit [Richard Stallman's Political Notes]

The wrecker's regime is directly attacking freedom of speech in the US, by deporting Palestinian student Mahmoud Khalil who was a negotiator for the protest movement at Columbia University in 2024.

Khalil is not a Columbia student nowadays because he has graduated since then, but he remains a lawful permanent resident of the US. And anyone in the US has the right of freedom of speech.

When the wrecker claims the authority to arbitrarily jail any non-citizen for deportation, he is trying to abolish constitutional rights, not only in practice but in principle. The legal right to freedom of speech means that no official can arbitrarily decide which views to "tolerate", and repress other views.

The article explains at length what US law actually says about "support for HAMAS" &mash not that you should trust what the wrecker or his agents say about anyone's supposed "support for HAMAS", because they commonly stretch the law on that question.

See what I recently posted about about how the US ought to determine whether an organization is terrorist or not.

Urgent: Release Mahmoud Khalil now [Richard Stallman's Political Notes]

US citizens: phone your congresscritter and call on per to demand that the government release Mahmoud Khalil and then respect his human rights.

If you phone, please spread the word! Main Switchboard: +1-202-224-3121

Budget bill [Richard Stallman's Political Notes]

US citizens: phone your congresscritter, whether perse Democrat or Republican, and call on per to vote against the Republican cut-the-poor budget bill.

Call a Republican because it's their bill.

Call a Democrat because there is a danger that some Democrats will yield to pressure to vote for it. Please make sure perse does not.

People for the American Way reports:

If Republicans get their way, this bill will:
  • Delay Social Security checks for millions of seniors who rely on them to make ends meet.
  • Reduce FEMA resources, leaving communities vulnerable in the face of natural disasters.
  • Cut cancer research funding, putting lifesaving treatments on the chopping block.
  • Make air travel less safe, cutting staff who ensure aviation safety.
  • Slash $23 billion in veterans' benefits, betraying those who served our country by gutting healthcare and assistance programs.

I did not make a link to their page because it suggests using a nonfree program. It is against my principles to legitimize that.

I think the same bill would also attack Medicaid.

Censorship at Washington Post [Richard Stallman's Political Notes]

Bezos, the owner of amazon.com, is imposing strict censorship of political opinions on the Washington Post. We can punish Bezos for this and other hostility to human rights by boycotting amazon.com, at the same time as we protect ourselves from the way the company's mistreatment described here .

Gov't historical, DEI, material deleted [Richard Stallman's Political Notes]

The US air force deleted material about the Tuskegee airmen and acceptance of women as pilots.

Why cover this up? To end the explicit policy of DEI does not by itself entail hushing up historic facts.

To have a reason to delete those, the government would need to have a policy in favor of discrimination, exclusion and injustice. It would not surprise me if that's what the bully demands.

11:07

TP-Link Router Botnet [Schneier on Security]

There is a new botnet that is infecting TP-Link routers:

The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw also linked to the Condi and AndroxGh0st malware attacks.

[…]

Of the thousands of infected devices, the majority of them are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey; with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexico.

Details.

09:42

Decoding the Knock Knock situation [Seth's Blog]

Novels, movies, even consulting, are based on a knock knock business model.

Tom Cruise made a movie, and you need to buy a ticket to see it. Jane Collins is an engineering professional and you need to pay to get their insight about how to fix your bridge. This 300-page autobiography is worth your time to read.

The publication or offering creates tension (there’s something here, you might want it) and the way to relieve the tension is for the person you’re reaching to buy access to it.

Huge swaths of our culture are based on this simple approach to intellectual property. The idea comes in a wrapper, the wrapper costs money, the money pays the bills.

Mass media was the way creators could spread the tension and announce their work. You’re waiting for “who’s there!”

It’s worth distinguishing these knock knock offerings from cultural organizations, communities, and tools. In these cases, you can tell the whole story, give away the entire idea, and the IP is worth more, not less.

When people around you are all talking about using the tools in Atomic Habits or This is Strategy, the book becomes a foundation for what happens next. If you’re open to signing up for the blog after you read the book, that’s a hint. That’s not true for The Power Broker.

Rocky Horror Picture Show isn’t like Mission: Impossible. At Rocky Horror, the ticket buys you a chance to see a movie you know by heart–with other people. Being in the club is where the real value is.

Music succeeds when it becomes an anthem. And anthems spread, are played on the radio and become part of our culture. So it doesn’t make sense to say, “I have a new song but you can’t hear it.”

Yes, you need to start with a great piece of music, but the real work is in creating community and ubiquity, Grateful Dead style, not to put your secret recipe behind the doors of a vault.

You can see where the tension for creators comes in.

If you create a knock knock situation, you have to alert people to what’s on offer, but not actually give them what’s on offer. You need ‘who’s there’. That means that your online posts and videos are about the thing, they aren’t the thing itself.

And the opportunity for tool builders and community organizers is to give away the punchline, often. To focus on abundance (of connection and utility and trust) not scarcity.

Many of the creators I’ve worked with over the years feel this tension and then fall into a gap. They have a fine knock knock on offer, but promotion is grating, endless and feels demeaning. Hustle isn’t the solution, not any longer. The best way for this sort of work to become popular is for people who have engaged with it to tell their friends (see the Blair Witch Project for an example). But “getting the word out” has never been more frustrating or difficult than it is now. The web is not TV.

We need this sort of thoughtful, long-form scholarship, but the business model for it is shaky indeed. The breakthroughs happen via peer-to-peer promotion, not hustle.

At the same time, it’s never been more productive to build tools and communities. And it helps to do it with intent.

09:35

08:49

Joe Marshall: Defclass vs. defstruct [Planet Lisp]

Common Lisp provides two ways to create new compound data types: defstruct and defclass. Defstruct creates simple cartesian record types, while defclass is part of a full object-oriented programming system. How do you decide which one to use?

It’s easy. Unless you have a compelling reason to use defstruct, just use defclass. Even if you don’t use any other features of CLOS, defclass better supports class redefinition, and this just makes life easier.

If you modify a defstruct and recompile it, the old instances of that struct type become obsolete. They probably won’t work with the new definition. You’ll most likely have to rebuild them. If things get too screwed up, you’ll end up having to restart your Lisp image.

CLOS, on the othe hard, is designed to be dynamic. You can redefine and recompile a class on the fly. You can change the class of an instance. As you develop your code, you’ll be adding and removing slots and changing the class hierarchy. defclass usually handles these sorts of dynamic changes transparently, without having to restart your Lisp image.

CLOS achieves this by adding an extra level of indirection, and perhaps you cannot tolerate the extra overhead. Then by all means use defstruct. But if you are indifferent, defclass is a better choice.

08:07

Holodick [Penny Arcade]

New Comic: Holodick

04:56

Girl Genius for Friday, March 14, 2025 [Girl Genius]

The Girl Genius comic for Friday, March 14, 2025 has been posted.

01:49

Junichi Uekawa: Filing tax this year was really painful. [Planet Debian]

Filing tax this year was really painful. But mostly because my home network. It was ipv4 over ipv6 was not working correctly. First I swapped the Router which was trying to reinitialize the MAP-E table every time there was a dhcp client reconfiguration and overwhelming the server. Then I changed the DNS configuration not use ipv4 UDP lookup which was overwhelming the ipv4 ports. Tax return itself is a painful process. Debugging network issues is making things was just making everything more painful.

01:42

Hipster Comedy [QC RSS]

girl ain't got no butt

00:14

Haiku gets new malloc implementation, removes Gopher support from its browser [OSnews]

We’ve got the Haiku activity report covering February, and aside from the usual slew of bug fixes and minor improvements, there’s one massive improvement that deserves attention.

waddlesplash continued his ongoing memory management improvements, fixes, and cleanups, implementing more cases of resizing (expanding/shrinking) memory areas when there’s a virtual memory reservation adjacent to them (and writing tests for these cases) in the kernel. These changes were the last remaining piece needed before the new malloc implementation for userland (mostly based on OpenBSD’s malloc, but with a few additional optimizations and a Haiku-specific process-global cache added) could be merged and turned on by default. There were a number of followup fixes to the kernel and the new allocator’s “glue” and global caching logic since, but the allocator has been in use in the nightlies for a few weeks with no serious issues. It provides modest performance improvements over the old allocator in most cases, and in some cases that were pathological for the old allocator (GCC LTO appears to have been one), provides order-of-magnitude (or mode) performance improvements.

↫ waddlesplash on the Haiku website

Haiku also continues replacing implementations of standard C functions with those from musl, Haiku can now be built on FreeBSD and Linux distributions that use musl, C5/C6 C-states were disabled for Intel Skylake to fix boot problems on that platform, and many, many more changes. There’s also bad news for fans of Gopher: support for the protocol was removed from WebPositive, Haiku’s native web browser.

00:07

The Church FAQ [Whatever]

A few years ago, we bought a church building. Since then, every time I mention it online and/or on social media, someone always responds, “wait, you bought a church, what” and then asks some standard questions. At this point it makes good sense to offer up a Church FAQ to answer some of those most common questions. Let’s begin!

Wait, you bought a church, what?

Indeed, we bought a church.

Where?

In our town of Bradford, Ohio.

What denomination used to be there?

It’s the former home of Bradford’s Methodist congregation. The church building itself dates back to at least 1919 (that being the year of a calendar we have that features a picture of the building). There was a congregation there until at least 2016. So they got about 100 years of use out of the building.

Why did they stop using it?

The congregation shrank over time, a not uncommon occurrence for mainline protestant churches these days. As I understand it the congregation merged with another congregation down the road, which has services at a different church building. I believe the West Ohio Conference of the Methodist Church (which previously owned the building) may have rented the building for a bit after the congregation left, but when we acquired the building it was not being used, which is probably why the Methodists decided to sell it.

So do you live there?

No, we have an actual house to live in. I know old churches are frequently turned into funky residences, but reconfiguring a church to be an actual livable space on a daily basis takes a lot of effort. Our house is designed to be a residence for humans; we prefer to live in that house.

Are you going to use the building as a church and/or start a cult?

No and no. None of the Scalzis are particularly religious, especially in an organized fashion, and despite the actions of certain science fiction authors in the past offering precedent, I have no desire to start a cult. It seems like a lot of work and my ego does not run in the direction of needing acolytes.

Coffee shop and/or bookstore and/or brewpub and/or some other retail business?

I have worked hard all my life not to work in retail and don’t intend to start now, thank you.

Then why did you buy it?

Because we wanted office space. For a number of years Krissy and I talked about starting a company to develop creative projects that were not my novels, and also to handle the licensing and merchandising of the properties that I already had that were not already under option. That company would eventually become Scalzi Enterprises. Although I write my novels at home, we wanted to have office space elsewhere.

Why?

Because if we eventually hired other people to help us, we wanted them to have some place to work that was not our actual house. And in a general sense it would be useful to have extra space; our house is already full with a quarter-century of us living in it.

Why not get actual office space rather than a church building?

We tried, but we live in a small town without a lot of commercial real estate. We looked at a couple of buildings in town that went up for sale, but weren’t happy with their state of repair. We didn’t want to look outside of Bradford because then there would be a commute. We wanted something within a couple of miles of our house. Eventually it looked like to get what we wanted, we would have to buy a plot of land and then build on it. I went online to look at real estate websites to see what land was available, and as it happens a couple of hours prior, the Methodists put the church building up for sale. We saw the listing, made an appointment to see it that afternoon, and put in an offer when we got home from the viewing. We closed on the building in December of 2021.

What made you offer on the building?

It had everything we wanted — ample space for offices and an excellent location — and above and beyond what we already knew we wanted, when we viewed the space we saw that it offered other opportunities as well. I always wanted an extensive library, for example, and the building had a balcony area which would be perfect for one of those. The basement area would be perfect for having gatherings, and the sanctuary area was, of course, a natural place for concerts or readings or whatever else we might want to do there. And then there was the price.

How much was it?

$75,000.

WHAT

One of my favorite things to do is show the building to people who live on the coasts, ask them how much they think it cost, and watch them get angry every time I tell them to go lower. But more seriously, we knew that we wouldn’t find a better building anywhere close to us at anywhere near that price. It made absolute economic sense to get the building.

Usually when you get a building like this for that amount of money, it’s on the verge of falling down. Was it?

Thankfully, no. Krissy’s former job was as a insurance claims adjuster; she has certificates attesting to her ability to evaluate the soundness of structures. When we had our visit to the property, she literally climbed through the walls to see for herself what shape the building was in. Her determination: The building would need significant renovation, but fundamentally it was sound. We would need to put in money, but if the renovations were done right it wouldn’t be a money pit.

What renovations did you do?

A whole new roof, to start; now the building has a 50-year roof, which means it will almost certainly outlive me. The electricity was knob and tube and had to be redone. There was an outside retaining wall that had to be torn out and redone. The aforementioned balcony was actually not safe to be on; it was cantilevered out into space with no support and had a shin-high barrier that wouldn’t stop anyone from going over the side. That was fixed, and new floors and custom bookcases by a local artisan built in so I could have my library. The basement floor was redone; the kitchen space down there gutted and remodeled. We pulled up high-traffic industrial carpet glued to the sanctuary floor and reconditioned the hardwood floors underneath. New HVAC, and improved drainage for the maintenance room. The office and Sunday school room in the basement was turned into a guest suite. The structure was sealed against moisture and the walls were all replastered and repainted.

And so on. None of that was cheap, nor was it done quickly; the renovations took two years. Both the time and cost were affected by the work being done during the pandemic, but no matter what it would have been a laborious and expensive process. It was worth it.

Did you do any of that work yourself?

Oh, hell no; I’m not competent to do anything but sign checks. We had contractors do everything, and Krissy, who had 20 years of dealing with contractors in her previous job, managed the renovation on our end. She terrified them.

Are the renovations complete?

The major ones, yes. There are a few things to do but they are second order tasks. I want to recondition the old pastor’s study, get the organ functional again, and we want to make the sanctuary level more easily accessible via ramps and such. But all of that can be dealt with over time. At this point, most of what we wanted and needed to do is done, and we are able to use the building how we intended.

What did the people of Bradford think about you buying the church?

By and large the response was positive. We’ve lived in town since 2001 so we weren’t an unknown quantity; everyone here knows us. There was some concern that someone might buy the church for the land underneath it, tear it down and then put up, like, a check-cashing store or a vape shop. So when we bought it and stated our intention to renovate and maintain the building, there was some measure of communal relief. When the renovations were done we held an open house for the community so they could see what we’d done with the place. Most people seemed happy with it.

Likewise, we have the intent of keeping the space a part of the community, and not just as our office space. From time to time we plan to have events there (concerts, readings) that will be free and open to the town, sponsored by the Scalzi Family Foundation (yes, we have a foundation; it’s easier to do a lot of charitable things that way). The building will still be part of the civic life of Bradford.

Does this mean you are going to make the building available for event rentals?

Probably not. It’s one thing to offer private events, funded by our foundation, that are open to the townsfolk. It’s another thing to offer the space up as a commercial venue. One, that’s a lot more work for us, and two, we would have to make sure the building was up to code as rental space, which would entail more renovations and cost. We occasionally get inquiries and we’ve politely turned them down and are likely to continue to. There are other event spaces in town, from the community center to the local winery, and we encourage people to give them their money.

But you have used it for gatherings, yes?

Sure. My wife threw me a surprise party there for this blog’s 25th anniversary, and when we held an eclipse party in 2024, we had the pre- and post- parties at the church. The last couple of family reunions have been held at the church, and we hold Thanksgiving and Christmas parties there as well. Having a gathering at the church is much less stressful than having it at our house. People aren’t in our personal space, the pets don’t freak out, and people with allergies to cats and dogs don’t have to worry about sneezing. It works out great. Also, when people come to visit, they have the option of staying in the guest suite at the church instead of our more crowded (and cat hair-laden) guest room. So that’s a plus too.

You said something about getting the organ functional again. Do you have, like, a pipe organ?

We do, sort of. The pipes are there, but the organ hasn’t been attached to it for years, possibly decades. The organ itself (which played through a speaker) is also not functioning, and I need to get in touch with someone to repair it. Actually reattaching it to the pipes and making the whole thing work again would be an extremely expensive endeavor and would probably cost as much — if not more — than it cost us to buy the church. Pipe organs are an expensive hobby, basically. I’m not sure I’m ready to commit to that.

Does the church have a bell? And do you ring it?

It does have a bell, and we ring only very occasionally. We don’t want to annoy the neighbors.

Is the church haunted?

We have been told by former parishioners that it is, but I have not met the local ghosts yet. Perhaps they are waiting to see if I am worthy.

Isn’t it a little… quirky to own a church?

I mean, yes. I’ve noted before that now I’ve become a bit of a cliche, that cliche being the eccentric writer who owns a folly. Some own theaters and railways, some own Masonic temples, some own islands. I own a church. In my defense, I had a functional reason to own it, noted above, and I didn’t spend a genuinely silly amount of money for it, also noted above. As a folly, it is both practical and affordable.

What do you call the church now?

Not “Church of the Scalzi,” which is actually the name of a church in Venice, Italy. Its formal name now is “The Old Church.” But for day-to-day use we just say “the church.”

Hey, have you ever heard of that song, “Alice’s Restaurant”?

Yes, I have, and everyone thinks they are being terribly clever when they reference it to me. After the first thousand times it wears a smidge thin.

Is it true that your six-necked guitar now resides at the church?

It is true: The Beast, as it is called, and was called long before I owned it, currently resides on the altar. It surprises people every time they see it.

Are you sure you’re not starting a cult?

I’m sure. Besides, who would want to worship me? Krissy, maybe. Me, nah.

And that’s it for now. If there are more questions I think need to be in the FAQ, I’ll add them as I go along.

— JS

Thursday, 13 March

23:28

Making sure that a DLL loads only from your application directory [The Old New Thing]

A customer distributed a program and included its supporting DLLs in the same directory, because the application directory is the application bundle.

They worried about the case that the user deletes one of the supporting DLLs, and then when the program tries to load that DLL, a rogue copy somewhere else on the PATH gets loaded instead. They want to reject loading the DLL from anywhere other than the application directory.

You can accomplish this by explicitly calling Load­Library­Ex with the LOAD_LIBRARY_SEARCH_APPLICATION_DIR flag, which says that the function should look only in the application directory for the DLL. If it’s not there, it gives up without searching any other directories. After you load the library, you can use Get­Proc­Address to get the functions.

Unfortunately, this is rather cumbersome since you have to switch from implicit loading to explicit loading, so you don’t get the convenience of import libraries.

You might think that you can get the convenience back by using the /DEPENDENTLOADFLAG linker option with the value 0x200 (the numeric value of LOAD_LIBRARY_SEARCH_APPLICATION_DIR), but the problem is that the dependent load flag applies to all DLLs loaded via import tables, and that includes kernel32 and other DLLs you probably wanted to load from the system32 directory.

Now, the system32 directory is writable only by administrators, so we could consider that a “safe” directory, because if somebody attacks that directory, they have already taken over the system. Therefore, you could use the /DEPENDENTLOADFLAG linker option with the value 0xA00, which is the numeric value of LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32. Alternatively, you could use the value 0x1000, which is the numeric value of LOAD_LIBRARY_SEARCH_DEFAULT_DIRS, which includes the application directory, the system32 directory, and any directories added by Add­Dll­Directory and Set­Dll­Directory.

But wait, what is the issue we are trying to defend against? The stated scenario is “The user deletes a DLL from the application directory.” In that case, the user already has write permission into the application directory, so instead of deleting the DLL, they can just replace it with a malicious DLL. Restricting the load to the application directory does not prevent a malicious DLL from being loaded.

But maybe your goal is not to create a security boundary but just to contain the scope of an error. If the user accidentally deletes the DLL from the application directory, at least prevent somebody else from injecting a DLL into the process by planting a DLL on the path.

Now, the directories on the path fall into two categories. You have the directories on the global path, and the directories that are specific to a single user. If an attacker can plant a DLL into a directory on the global path, then that means that they have gained write permission onto the global path. To do this without administrator privileges requires that the global path contain a directory writable by non-administrators, which is an insecure configuration, so we are in the case of creating an insecure system and then being surprised that it is insecure. Instead of planting a rogue DLL on the path, the attacker could just plant, say, a rogue notepad.exe, and steal all your attempts to run notepad.

The other case is that the directory under attack is a directory on the per-user path. The user chose to add that directory, and if they added a directory that is writable by non-administrators other than the current user, they have once again created an insecure system because they have granted non-administrators the ability to inject things into their path.

The only attacks against rogue DLLs on the path assume that the system has already been compromised. So this issue is not about protecting a secure system but rather trying to protect from an already-compromised system.

The post Making sure that a DLL loads only from your application directory appeared first on The Old New Thing.

WinRing0: why Windows is flagging your PC monitoring and fan control apps as a threat [OSnews]

When I checked where Windows Defender had actually detected the threat, it was in the Fan Control app I use to intelligently cool my PC. Windows Defender had broken it, and that’s why my fans were running amok. For others, the threat was detected in Razer Synapse, SteelSeries Engine, OpenRGB, Libre Hardware Monitor, CapFrameX, MSI Afterburner, OmenMon, FanCtrl, ZenTimings, and Panorama9, among many others.

“As of now, all third-party/open-source hardware monitoring softwares are screwed,” Fan Control developer Rémi Mercier tells me.

↫ Sean Hollister at The Verge

Anyone reading OSNews can probably solve this puzzle. Many fan control and hardware monitoring applications for Windows make use of the same open source driver: WinRing0. Uniquely, this kernel-level driver is signed, since it’s from back in the days when developers could self-sign these sorts of drivers, but the signed version has a known vulnerability that’s quite dangerous considering it’s a kernel-level driver. The vulnerability has been fixed, but signing this new version – and keeping it signed – is a big ordeal and quite expensive, since these days, drivers have to be signed by Microsoft.

And it just so happens that Windows Defender has started marking this driver, and thus any tool that uses it, as dangerous, sending it to quarantine. The result is failing hardware monitoring and fan control applications for quite a few Windows users. Some companies have invested in developing their own closed-source alternatives, but they’re not sharing them. Luckily, Windows OEM iBuyPower says it’s trying to get the patched version of WinRing0 signed, and if that happens, they will share it back with the community. Classy.

For now, though, hardware monitoring and fan control on Windows might be a bit of an ordeal.

KDE splits KWin into kwin_x11 and kwin_wayland [OSnews]

One of the biggest behind-the-scenes changes in the upcoming Plasma 6.4 release is the split of kwin_x11 and kwin_wayland codebases. With this blog post, I would like to delve in what led us to making such a decision and what it means for the future of kwin_x11.

↫ Vlad Zahorodnii

For the most part, this change won’t mean much for users of KWin on either Wayland or X11, at least for now. At least for the remainder of the Plasma 6.x life cycle, kwin_x11 will be maintained, and despite the split, you can continue to have both kwin_x11 and kwin_wayland installed and use them interchangeably. Don’t expect any new features, though; kwin_x11 will get the usual bug fixes, some backports, and they’ll make sure it keeps working with any new KDE frameworks introduced during the 6.x cycle, but that’s all you’re going to get if you’re using KDE on X11.

There’s one area where this split might cause problems, though, and that’s if you’re using a particular type of KWin extension. While KWin extensions written in JavaScript and QML are backend agnostic and can be used without issues on both variants of KWin, extensions written in C++ are not. These extensions need to be coded specifically for either kwin_x11 or kwin_wayland, and with Wayland being the default for KDE, this may mean some of these extensions will leave X11 users behind to reduce the maintenance burden.

It seems that very few people are still using KDE on X11, and kwin_x11 doesn’t receive much testing anymore, so it makes sense to start preparations for the inevitable deprecation. While I think the time of X11 on Linux has come and gone, it’s unclear what this will mean for KDE on the BSDs. While Wayland is available on all of the BSDs in varying states of maturity, I honestly don’t know if they’re ready for a Wayland-only KDE at this point in time.

21:56

Ticket Alert: Cyndi Lauper, Everclear, and More Seattle Events Going On Sale This Week [The Stranger]

Plus, More Event Updates for March 13
by EverOut Staff

We’re back with another batch of newly announced events! If you missed Cyndi Lauper’s farewell tour late last year, the pop icon is coming through the area for a second time this summer. Portland-grown alt-rockers Everclear will celebrate the 30th anniversary of their major label debut Sparkle and Fade on tour this fall. Plus, Iliza Shlesinger will head to Seattle to remind us that elder millennials can be funny, too. Read on for details and some news you can use.

ON SALE FRIDAY, MARCH 14

MUSIC

The Brian Jonestown Massacre
The Showbox (Sat Nov 15)

Broncho - Natural Pleasure Tour
Neumos (Sun June 22)

Cyndi Lauper: Girls Just Wanna Have Fun Farewell Tour
White River Amphitheatre (Tues Aug 19)

21:07

18:49

The False Promise To Oneself To Not Buy V-Bucks [Whatever]

I started playing Fortnite in November of 2023. I had never played before, and really had no interest in it, as I was sure I didn’t like the whole “battle royale online” type of games. But, my friends convinced me to try it out, and I figured why not since it’s a free game. No harm in giving it a try. I quickly got addicted, playing on an almost daily basis for a good bit there.

One thing I promised myself when I started playing, though, was that I was not going to spend real money on this silly game. I have friends that have been playing for years and have spent around a thousand dollars on V-Bucks, and I was determined to not fall into the same boat.

Everything you can buy is strictly cosmetic. Skins, back-bling, gun wraps, and of course the dances and emotes. I knew I didn’t need any of that nonsense just to play Fortnite. It was a free game, and I was going to keep it that way.

So I used the default skin and the default dance for a couple of weeks, and then the game started gifting me free items. I told myself I’d go ahead and use them, but I wasn’t going to fall into the trap of buying V-Bucks. Who on earth spends real money on a digital currency?!

Then, I saw Silver Surfer in the shop. That’s right y’all, the one and only Norrin Radd was standing in the shop, shiny and beautiful, and he came with his board as a glider! For the low low price of a thousand V-Bucks. Lucky for me, you can buy that exact amount of V-Bucks. For $9.

So I did this “one time purchase” for the sake of owning Silver Surfer, and told myself that that was my one purchase. Never again.

In case you’re not well acquainted with the currency difference between USD and V-Bucks, it goes like this:

1,000 V-Bucks = $8.99

2,800 V-Bucks = $22.99

5,000 V-Bucks = $36.99

13,500 V-Bucks = $89.99

The more you buy, the more you save! What a steal!

But how many V-Bucks does stuff actually cost in the shop? I’m glad you asked.

Skins are roughly 1,000 to about 1,500 V-Bucks depending on what skin it is or if it comes with a glider and/or pickaxe. Emotes are generally about 500 V-Bucks, but some can be as low as 200, and some are as expensive as 800 (don’t buy emotes for 800, it’s not worth it). Things like gun wraps and pickaxes vary, but usually the only thing that cost over 1,000 V-Bucks will be skins.

Also, the Battle Pass is 950 V-Bucks. If you complete the Battle Pass, you actually get more V-Bucks back than you spent in the first place. Plus, you get tons of skins and emotes and so much other stuff from the Battle Pass.

And if you subscribe to Fortnite Crew, which is a recurring monthly cost of $11.99, you automatically get the Battle Pass, an extra 1,000 V-Bucks, and other stuff I don’t actually care about, like the LEGO and Rocket League stuff.

All this being said, I think I’ve spent about $400 dollars on Fortnite at this point, and have been subscribed to Fortnite Crew for about three months now. It’s so worth it! I’m really spending my money smartly.

It is a slippery slope, my friends. Fortnite’s power was too great, and I was indeed susceptible to stupid dances and emotes. Listen, I just really like griddy-ing on people after I kill them, okay? Especially if they have the Skibidi Toilet back bling! (Yes, I am just saying buzzwords to make you feel out of touch and old. I sure as hell do, anyway.)

Man, I love Fortnite, and I truly never thought I’d say that. But it’s so fun and silly and easy, and a very odd cultural phenomenon. It’s kind of fascinating, and I’m glad I started playing eventually.

Do you like Fortnite? Ever play any PUBG? Let me know in the comments, and have a great day!

-AMS

What to Eat & Drink in Seattle for St. Patrick's Day 2025 [The Stranger]

Guinness Floats, Key Lime Pie Cake, and More
by EverOut Staff Pick out your most verdant outfit and pluck some three-leaf clovers: St. Patrick's Day is on Monday, March 17. Whether you'd like to mark the occasion with corned beef and cabbage sliders, Irish stout, or chocolate Guinness cookies, Seattle bars and restaurants have you covered. For more ideas, check out our food and drink guide.

Currant Bistro
This restaurant inside the Sound Hotel will be shaking and stirring up on-theme cocktails like the "Cliffs of Moher" (Jameson and Guinness, of course) and "The Giant's Causeway" (Caffe Vita cold espresso, Bailey's, Jameson, and Georgetown Brewing's 9lb Porter). In between sips, snack on shareable plates of Irish potato salad, corned beef and cabbage sliders, and shepherd's pie.
Belltown

18:35

Choi: announcing Casual Make [LWN.net]

Charles Choi has announced the release of the Casual Make: a menu-driven interface, implemented as part of the Casual suite of tools, for Makefile Mode in GNU Emacs.

Emacs supports makefile editing with make-mode which has a mix of useful and half-baked (though thankfully obsoleted in 30.1) commands. It is from this substrate that I'm happy to announce the next Casual user interface: Casual Make.

Of particular note to Casual Make is its attention to authoring and identifying automatic variables whose arcane syntax is un-memorizable. Want to know what $> means? Just select it in the makefile and use the . binding in the Casual Make menu to identify what it does in the mini-buffer.

Casual Make is part of Casual 2.4.0, released on March 12 and is available from MELPA. The 2.4.0 update to Casual also includes documentation in the Info format for the first time.

18:00

17:49

Pluralistic: The future of Amazon coders is the present of Amazon warehouse workers (13 Mar 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


A magnified image of the inside of an automated backup tape library, with gleaming racks of silver tape drives receding into the distance. In the foreground is a pile of dirt being shoveled by three figures in prisoner's stripes. Two of the figures' heads have been replaced with cliche hacker-in-hoodie heads, from which shine yellow, inverted Amazon 'smile' logos, such that the smile is a frown. The remaining figure's head has been replaced with a horse's head. Behind the figure is an impatiently poised man in a sharp business suit, glaring at his watch. His head has been replaced with the glaring red eye of HAL 9000 from Kubrick's '2001: A Space Odyssey.'

The future of Amazon coders is the present of Amazon warehouse workers (permalink)

My theory of the "shitty technology adoption curve" holds that you can predict the future impact of abusive technologies on you by observing the way these are deployed against people who have less social power than you:

https://pluralistic.net/2023/06/11/the-shitty-tech-adoption-curve-has-a-business-model/

When you have a new, abusive technology, you can't just aim it at rich, powerful people, because when they complain, they get results. To successfully deploy that abusive tech, you need to work your way up the privilege gradient, starting with people with no power, like prisoners, refugees, and mental patients. This starts the process of normalization, even as it sands down some of the technology's rough edges against their tender bodies. Once that's done, you can move on to people with more social power – immigrants, blue collar workers, school children. Step by step, you normalize and smooth out the abusive tech, until you can apply it to everyone – even rich and powerful people. Think of the deployment of CCTV, facial recognition, location tracking, and web surveillance.

All this means that blue collar workers are the pioneering early adopters of the bossware that will shortly be tormenting their white-collar colleagues elsewhere in the business. It's as William Gibson prophesied: "The future is here, it's just not evenly distributed" (it's pooled up thick and noxious around the ankles of blue-collar workers, refugees, mental patients, etc).

Nowhere is this rule more salient than in Big Tech firms. Tech companies have thoroughly segregated workforces. Delivery drivers, customer service reps, data-labelers, warehouse workers and other "green badge," low-status workers are the testing ground for their employer's own disciplinary technology, which monitors them down to the keystroke, the eye-movement, and the pee break. Meanwhile, the "blue badge" white-collar coders get stock options, gourmet cafeterias, free massages, day care and complimentary egg-freezing so they can delay fertility. Companies like Google not only use separate entrances for their different classes of workers – they stagger their shifts so that the elite workers don't even see their lower-status counterparts.

Importantly, almost none of these workers – whether low-status or high – are unionized. Tech union density is so thin, it's almost nonexistent. It's easy to see why elite tech workers wouldn't bother with unionizing: with such fantastic wages and so many perks, why endure the tedium of meetings and memos? But then there's the rest of the workers, who are subjected to endless "electronic whipping" by bossware and who take home wages that look like pocket change when compared to the tech division's compensation. These workers have every reason to unionize, living as they do in the dystopian future of labor.

At Amazon warehouses, workers are injured at three times the rate of warehouse workers at competing firms. They are penalized for "time off task" (like taking a piss break). They are made to stand in long, humiliating body-search lines when they go on- and off-shift, hours every week, without compensation. Variations on this theme play out in other blue-collar sectors of the Amazon empire, like Amazon delivery drivers and Whole Food shelf-stockers.

Those workers have every reason to unionize, and they have done their damndest, but Amazon has defeated worker union drives, again and again. How does Amazon win these battles? Simple: they cheat. They illegally fire union organizers:

https://pluralistic.net/2020/03/31/reality-endorses-sanders/#instacart-wholefoods-amazon

And then they smear unions to the press and to their own workers with lies (that subsequently leak):

https://pluralistic.net/2020/04/03/socially-useless-parasite/#christian-smalls

They spend millions on anti-union tech, spying on workers and creating "heatmaps" that let them direct their anti-union efforts to specific stores and facilities:

https://pluralistic.net/2020/04/21/all-in-it-together/#guard-labor-v-redistribution

They make workers use an official chat app, and then block any messages containing forbidden words, like "fairness," "grievance" and "diversity":

https://pluralistic.net/2022/04/05/doubleplusrelentless/#quackspeak

That's just the tip of the iceberg. A new investigation by Northwestern University's Teke Wiggin draws on worker interviews and FOIA requests to the NLRB to assemble a first-of-its-kind catalog of Amazon's labor-disciplining, union-busting tactics:

https://journals.sagepub.com/doi/10.1177/23780231251318389

Disciplining labor and busting unions go hand in hand. It's a simple equation: the harder it is for your workers to form a union, the worse you can treat them without facing labor reprisals, because individual workers' options are limited to a) quitting or b) sucking it up, while unionized workers can grieve, sue, and strike.

At the core of Amazon's labor discipline technology is "algorithmic management," which is exactly what it sounds like: replacing middle managers with software that counts your keystrokes, watches your eyeballs, or applies a virtual caliper to some other metric to decide whether you're a good worker or a rotten apple:

https://pluralistic.net/2024/11/26/hawtch-hawtch/#you-treasure-what-you-measure

Automation theory describes two poles of workplace automation: centaurs (in which workers are assisted by technology) and "reverse-centaurs" (in which workers provide assistance to technology):

https://pluralistic.net/2021/03/19/the-shakedown/#weird-flex

Amazon is a reverse-centaurism pioneer. Take the delivery drivers whose every maneuver, eyeball movement, and turn signal is analyzed and inevitably, found wanting, as workers seek to satisfy impossible quotas that can't even be met if you pee in a bottle instead of taking toilet breaks:

https://pluralistic.net/2023/10/20/release-energy/#the-bitterest-lemon

Then there's the warehouse workers who are also tormented with impossible, pisscall-annihilating quotas. Some of these workers are fitted with haptic wristbands that buzz to tell them they're being too slow at picking up an item and dropping it into a box, pushing them to faster, joint-destroying paces that account for Amazon's enduring position as the most worker-maiming warehouse employer in the nation:

https://pluralistic.net/2021/02/05/la-bookseller-royalty/#megacycle

In his paper, Wiggin does important work connecting these "electronic whips" to Amazon's arsenal of traditional union-busting weapons, like "captive audience" meetings where workers are forced to sit through hours of anti-union indoctrination. For Wiggin, bossware tools aren't just a stick to beat workers with – they're also a carrot that can be used to diffuse a worker's outrage ahead of a key union vote.

Algorithmic management isn't just software that wrings more work out of workers – it's software that replaces managers. By surveilling workers – both on the job and in social media spaces (like subreddits) where workers gather to talk, Amazon can tune the "electronic whip," reducing quotas and easing the pace of work so that workers view their jobs more favorably and are more receptive to anti-union propaganda.

This is "twiddling" – exploiting the digital flexibility of a system to "twiddle the knobs" governing its business logic, changing everything from prices to wages, search rankings to recommendations, in realtime, for every customer and worker:

https://pluralistic.net/2023/02/19/twiddler/

Twiddling combines surveillance data with flexible business logic to create an unbeatable house advantage. If you're an Amazon shopper, you get twiddled all the time, as Amazon replaces the best matches for your searches with paid results. If you buy that first product result, you'll pay an average of 29% more than the best match for your search:

https://pluralistic.net/2023/11/06/attention-rents/#consumer-welfare-queens

Worker-side twiddling is even more dystopian. When a nurse is assigned a shift by an "Uber for nurses" app, the app checks whether the worker has overdue credit card bills, which trigger lower wages (on the theory that an indebted worker is a desperate worker):

https://pluralistic.net/2024/12/18/loose-flapping-ends/#luigi-has-a-point

When it comes to union-busting, Amazon's found a new use for twiddling: lessening the pace of work, which Wiggin calls "algorithmic slack-cutting." The important thing about algorithmic slack-cutting is that it's only temporary. The algorithm that reduces your work-load in the runup to a union vote can then dial the pace of work up afterward, by small, random increments that are below the threshold at which they register on the human sensory apparatus. They're not so much boiling the frog as poaching it.

Meanwhile, Amazon gets to flood the zone with anti-union messages, including mandatory messages on the app that assigns your shifts – a captive audience meeting in every pocket.

Between social media surveillance and on-the-job surveillance, Amazon has built a powerful training set for algorithms designed to crush workplace democracy. That's how things go for Amazon's warehouse workers and delivery drivers, and the shelf-stockers at Whole Foods.

But of course, the picture is very different for Amazon's techies, who enjoy the industry standard of high wages and lavish perks.

For now.

The tech industry is in the midst of three years' worth of mass layoffs: 260K in 2023, 150k in 2024, tens of thousands this year. None of this is due to a shortfall in profits, mind: Google laid off 12,000 workers just weeks after staging a stock buyback that would have funded their salaries for 27 years. Meta just announced a 5% across-the-board headcount cut and that it was doubling its executive bonuses.

In other words, tech is firing workers not because it must, but because it can. When workers depend on scarcity – instead of unions – as a source of power, they dig their own graves. For well-paid, scarcity-based coders, every new computer science graduate is the enemy, eroding the scarcity that your wages depend on.

Amazon coders get to come to work with pink mohawks, facial piercings, and black t-shirts that say things their bosses don't understand. They get to pee whenever they want to. That's not because Jeff Bezos is sentimentally attached to techies and bears personal animus toward warehouse workers. Jeff Bezos wants to pay his workforce as little as he can. He treats his tech workers with respect because he's afraid of them, because if they quit, he can't replace them, and without their work, he can't make money.

Once there's an army of unemployed coders who'll take your job, Jeff Bezos doesn't have to fear you anymore. He can fire you and replace you the next day.

Bezos is obviously incredibly horny for this. Like most tech bosses, he dreams of a world in which entitled hackers can't call their bosses dumbshits and decline to frog when they shout "jump!" That's why Amazon PR puts so much energy into trumpeting the business's use of AI to replace coders:

https://www.hrgrapevine.com/us/content/article/2024-08-22-amazon-cloud-ceo-warns-software-engineers-ai-could-replace-your-coding-work-within-2-years

It's not just that they're excited about firing coders and saving money – they're even more excited about transforming the job of "Amazon coder," from someone who solves complex technical problems to someone who performs tedious code review on automatically generated code barfed up by a chatbot:

https://pluralistic.net/2024/04/01/human-in-the-loop/#monkey-in-the-middle

"Code reviewer" is a much less fulfilling job than "programmer." Code reviewers are also easier to replace than programmers. A code reviewer is a reverse-centaur, a servant to the machine. Every time you hear "AI-assisted programmer," you should substitute "programmer-assisted AI."

Programming is even more bossware-ready than working in a warehouse. The machines coders use are much easier to fit with surveillance technology that monitors their performance – and spies on their communications, looking for dissenting chatter – than a warehouse floor. The only thing that stopped Jeff Bezos from treating his programmers like his warehouse workers is their scarcity. That scarcity is now going away.

That's bad news for Amazon customers, too. Tech workers often feel a sense of duty to their users, a "vocational awe" that drives them to put in long hours to make things their users will enjoy. The labor power of tech workers has long served as a check on the impulse to enshittify those products:

https://pluralistic.net/2023/11/25/moral-injury/#enshittification

As tech workers' power wanes, they don't just lose the ability to protect themselves from their bosses' greediest, most sadistic urges – they also lose the power to defend all of us. Smart tech workers know this. That's why Amazon tech workers walked out in support of Amazon warehouse workers:

https://pluralistic.net/2021/01/19/deastroturfing/#real-power

Which led to their prompt dismissal:

https://pluralistic.net/2020/04/14/abolish-silicon-valley/#hang-together-hang-separately

Tech worker/gig worker solidarity is the only way workers can win against tech bosses and defeat the shitty technology adoption curve:

https://pluralistic.net/2024/01/13/solidarity-forever/#tech-unions

Wiggin's report isn't just a snapshot of Amazon warehouse workers' dystopian present – it's a promise of Amazon tech workers' future. The future is here, in Amazon warehouses, and every day, it's getting closer to Amazon's technical offices.

(Image: Cryteria, CC BY 3.0, modified)

Hey look at this (permalink)


A Wayback Machine banner.

Object permanence (permalink)

#20yrsago How DRM will harm the developing world https://web.archive.org/web/20050317005030/https://www.eff.org/IP/DRM/itu_drm.php

#20yrsago AOL weasels about its Terms of Service https://yro.slashdot.org/story/05/03/14/0138215/aol-were-not-spying-on-aim-users

#20yrsago State of the Blogosphere: it’s big and it’s growing https://web.archive.org/web/20050324095805/http://www.sifry.com/alerts/archives/000298.html

#10yrsago Anti-vaxxer ordered to pay EUR100K to winner of “measles aren’t real” bet https://web.archive.org/web/20150315001712/http://calvinayre.com/2015/03/13/business/biologist-ordered-to-pay-e100k-after-losing-wager-that-a-virus-causes-measles/

#5yrsago TSA lifts liquid bans, telcos lift data caps https://pluralistic.net/2020/03/14/masque-of-the-red-death/#security-theater

#5yrsago Honest Government Ads, Covid-19 edition https://pluralistic.net/2020/03/14/masque-of-the-red-death/#honest-covid

#5yrsago Ada Palmer on historical and modern censorship https://pluralistic.net/2020/03/14/masque-of-the-red-death/#ickyspeech

#5yrsago When Sysadmins Ruled the Earth https://pluralistic.net/2020/03/14/masque-of-the-red-death/#eschatology-watch

#5yrsago Masque of the Red Death https://pluralistic.net/2020/03/14/masque-of-the-red-death/#masque

#1yrago The Coprophagic AI crisis https://pluralistic.net/2024/03/14/inhuman-centipede/#enshittibottification

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026


Colophon (permalink)

Today's top sources:

Currently writing:

  • Enshittification: a nonfiction book about platform decay for Farrar, Straus, Giroux. Status: second pass edit underway (readaloud)

  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS FEB 2025

Latest podcast: With Great Power Came No Responsibility: How Enshittification Conquered the 21st Century and How We Can Overthrow It https://craphound.com/news/2025/02/26/with-great-power-came-no-responsibility-how-enshittification-conquered-the-21st-century-and-how-we-can-overthrow-it/

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

ISSN: 3066-764X

16:28

Song Premiere: “Lose Your Mind” by Cumulus [The Stranger]

We’ve Got It All is drenched in nostalgia but not in the usual saccharine, obsessed-with-our-fleeting-youth sort of way. by Megan Seling

Alexandra Lockhart’s project Cumulus has always been a collaborative effort. It may have started as a solo(ish) project, at times literally existing in a bedroom, but for more than a decade now, Lockhart has surrounded herself with friends and fellow musicians to help bring her music to life both in the studio and onstage.

Among them, at least since 2018’s Comfort World, has been William Cremin, who’s worked with Travis Thompson, the Torn ACLs, and Skeletons With Flesh on Them, among others. Last year, while recording the fourth Cumulus full-length We’ve Got It All, Lockhart and Cremin made their music partnership official, announcing Cremin was a permanent part of the band. 

“For this new record, I wanted to explore more territory emotionally and sonically that I knew would require being more vulnerable and opening myself up to bigger contributions from William,” says Alex. “So it just made sense to say out in the open: These songs are as much William’s as they are mine!”

We’ve Got It All is drenched in nostalgia but not in the usual saccharine, obsessed-with-our-fleeting-youth sort of way. Instead of getting lost in the good old days, Lockhart remembers the music that shaped her into who she grew up to be and uses those memories as a map to help her find her place in today’s world.

Take, for example, the album's second single, “Lose Your Mind.” Lockhart’s optimistic lyrics are at first only accompanied by piano, but the song blooms into a vibrant burst of harmonies and guitar that almost feel like it was plucked from a jam session from the Band’s The Last Waltz.

For The Stranger’s premiere of the track, Lockhart and Cremin offered a little more insight into the creative process behind the upcoming record, and the music that inspired it.

One thing I’ve always appreciated about Cumulus and your songwriting is your focus on prioritizing comfort, especially when the rest of the world feels so unsettling and scary. Your 2018 album was called Comfort World, in 2022 you offered Something Brighter. You acknowledge the bullshit but then offer not an escape, really, but a cozy place to decompress. A reminder to slow down. Does that trend continue on this album, too? 

Alex: Your observation is going to make me emotional! I’ve always looked to songs that I love as like… being in the company of a good friend. When a songwriter is honest about how they are experiencing the world around them, as a listener, I can’t help but feel connected, inspired, and less alone. If my songs offer a cozy place to decompress, I would say that probably has happened naturally out of the fact that it’s the exact reason I go to music myself. I don’t go to music to escape. I go to music to feel things more deeply, maybe think about things a little differently, and connect myself to the world. Thank you for giving me the best compliment a songwriter could ever ask for! 

William: Yes! There’s always a balance between taking care of yourself and staying engaged with this increasingly horrifying world, not looking away. That’s obviously something we’re all reckoning with, and it’s a big part of this album. For me, one of the most crucial bits of sequencing was putting our self-care mantra, “Welcome Back to Me,” right after “Bad News.” You have to face the heaviness, and you also have to balance that out somehow.

Related to that, We’ve Got It All also celebrates the music that has shaped you. “Wolves,” “Old Friend,” “Dad Song”—several tracks refer to lyrics and liner notes and bonding with others through music. Who are some of the musicians, or what are some of the songs that were running through your mind as you wrote these? 

Alex: I love that you noticed this theme! This was a record where I wanted to be really unabashed about my influences and nostalgia of ’90s/ early-2000s music. “Wolves” is a reflection on growing up in Oak Harbor, a military town, and discovering punk music with these girls I idolized who eventually became my best friends (and still are!). They skateboarded and played in a band, wore their hair in liberty spikes, and in my most vivid memories we would spend hours in the garage just rocking out to the Distillers’ Coral Fang album. They helped me imagine more possibilities for myself. 

“Old Friend” is a song I wrote with Aaron Guest, who plays piano on the record as well. We got together in 2022 and started this song just as a fun co-writing attempt, and in 2024 as I was looking at old notebooks of lyrics, the lyric sheet literally fell out, and I was like, “Oh shit, I love this song!” When Aaron and I initially got together, I think this song leaned heavily into the storytelling tradition of John Prine, and Bruce Springsteen, where the finer details are fiction but still telling a very real story. For both the person who stays in the hometown and gives up a dream, and the person who leaves to chase it—there is real sacrifice, and the grass is always greener on the other side. 

“Dad Song” is a bit of a long story, but ultimately, it’s about my fandom of my dad and also Third Eye Blind. My dad’s love of live music and radio stations like 103.7 the Mountain was infectious to me, and I fell in love with the pop-rock bands of that era. We went to Bumbershoot together in 1998, and I was 10 years old, singing along to every word on “Semi-Charmed Life” with obviously no idea about the drug references. Many years later, as Blue came out, my dad and I were on our yearly summer road trip to Lake Chelan, listening to Third Eye Blind and reading all the liner notes. We got to “Deep Inside of You,” and it became a true “birds and the bees” moment that still cracks me up all these years later. 

You also reference road trips and long drives, so I have to ask (because I love to talk about snacks): What is your go-to road-trip snack?

Alex: I’m a drowsy driver, so I always need caffeine on a road trip, and despite hating most energy drinks, I love the Monster Rehab tea. Maybe some Boom Chicka Pop Sweet and Salty popcorn and some adult Lunchable-type salami-and-cracker snack. 

William: On one tour, I brought a huge stash of GoMacro bars, which absolutely saved the day on more than one occasion.

I read that you are donating a portion of your album proceeds to an organization that focuses on mental health. Can you tell me a little more about that and why that’s important to you to do that in connection with your music? 

Alex: When I was pursuing music full time, one of the biggest struggles was having health insurance so heavily tied to an employer and being in and out of jobs in sacrifice to gigging and touring. I think this is a big part of what prevents creatives from being able to imagine the arts as a lifelong pursuit. MusiCares is a Grammy Foundation non-profit that provides musicians with resources to therapists, coverage for emergency medical care and regular health check clinics, as well as recovery funds for natural disasters like the fires that just happened in LA. I’ve struggled with depression and financial instability for most of my adult life, so I can’t help but want to support an organization like MusiCares, which is one of the only safety nets specifically for musicians and music industry professionals. Working with a non-profit record label like Share It Music is amazing because we get to release a record and give a little bit back. 

You recorded the album with a great group of musicians—John van Deusen from the Lonely Forest, Aaron Guest, Aaron Ball—what will the Cumulus lineup look like for the record release shows in May? Will it be a full band? 

Alex: Yes!! We will be playing as a six-piece band for all three release shows. Aaron Guest (Polecat) on Piano, Aaron Ball (Dryland) on drums, Brad Lockhart (Dryland/husband) on guitar, Jeff Ballew (Baby Cakes) on bass, and William on lead guitar (plus me singing and occasionally strumming!).

Preorder We've Got It All on Bandcamp. Cumulus play three record release shows next month. See them at the Wild Buffalo in Bellingham May 1, the Unknown in Anacortes May 2, and Conor Byrne in Seattle May 3.

Slog AM: Beloved Ave Resturant Might Be Replaced by a McDonald's, Beacon Hill Trees at Risk, King County is Growing Fast Again [The Stranger]

Seattle's only news roundup. by Charles Mudede

Say it ain't so. According to U District Advocates, Cedar's of Lebanon, "the oldest restaurant on The Ave," might be replaced by, of all things, a McDonald's. True, this is something rather new in this city, where the normal running of things is to give small businesses the boot for luxury towers that offer hoity-toity dining. In this case, it's the other way around: instead of going up, we are going down to a joint that basically doesn't really serve food, like Cedar's of Lebanon, but something like what humans are in The Matrix: batteries. If this bad business goes through, if we lose Cedar's of Lebanon, a key part of what for many years was known as Little Lebanon (it included Flowers Bar and Restaurant and Samir's Mediterranean Grill Lebanese Cuisine), for a Ronald McDonald, I'm going "to throw up both my hands."

In the words of U District Advocates: "For some of us, the introduction of a corporate chain restaurant, replacing three independent, small businesses with a block-wide façade, directly across the street from the entrance to our main light rail station, is very troubling." Indeed, indeed. And, more importantly, Cedar's of Lebanon has top-notch gyros. As for McDonald's, you have to go all the way up to our vast and once friendly neighbor to eat at that place. Canada actually makes sure their Mickey D's put real eggs and pork in their breakfast sandwiches. 

 

Beacon Hill also has some bad news on its plate. Seattle Department of Transportation (SDOT) may cut down a whole bunch of huge, often old Maple trees that line Beacon Avenue. This section of South Seattle demonstrates what Enrique Peñalosa, the former urbanist mayor of Bogota, meant when he described a sidewalk as “relatives of parks—not passing lanes for cars.” Sadly, however, Beacon Avenue's sidewalk is about to look less like a park and more like its opposite. After years of neglecting the street’s cracked and buckling sidewalks, SDOT is now faced with a project that demands a good deal of imagination to solve. But it seems the department wants to take an easy (or more "efficient") way around the problem, which is the destruction of numerous trees. And this destruction could begin tomorrow.

Though SDOT claims it's making every effort to be transparent, its press secretary, Ethan Bergerson, described the plan to me (it "will [get] started over the coming weeks with the initial sidewalk repairs that can be done without affecting trees") in way that doesn't jibe with the announcement SDOT posted on suspect trees: "If  the root pruning needed [for sidewalk improvements] does not allow the tree to remain stable and viable, it may be necessary to remove the tree within 14 days of this posting." The announcement was posted on February 27. That's two weeks ago. When I asked Bergerson if SDOT has ever considered a project that would require the destruction of lots of trees in North Seattle, I received no answer.

 

Seattle is still refusing to just die already. In fact, its county is growing like it's the "2010s again." Seattle Times' Gene Balk examined the data from the U.S. Census Bureau and found that "[the area's] population grew by about 43,400 from July 1, 2023, to July 1, 2024, for a growth rate of 1.9%." That’s the kind of increase our city saw when Amazon appeared to be a UTFO ("Untouchable Force Organization"). King County now has a population of 2.34 million.

After yesterday's tipping down, Seattle will experience a "'grab-bag' of weather." We have entered that zone of confusion ("confusion de confusiones") between the seasons. Expect days that behave like a nutter. Crying in the morning, laughing in the afternoon, screaming when entering evening, weeping again all night. So, it's not surprising that today we may experience "passing showers," and "a few thunder rumbles," and a "breezy afternoon," and the "occasional peeks of sunshine." 

Last week, two coyotes did a Bonnie and Clyde on Bellevue, reports King 5. One of them was killed by the Washington Department of Fish and Wildlife (WDFW); the other is still on the run. Officials have connected both with "five different attacks"—biting legs of citizens; trying to steal or stealing backpacks from defenseless schoolchildren. One of the coyotes even bit the hand of a kid (they will never forget that horrible moment in their childhood). King 5: "Officers are increasing patrols in that area in an attempt to locate the second animal."  

After the Fire, the Rain: Southern California is getting lots and lots and way too much of it. Evacuations and mudslides are just around the corner. Nothing can be normal anymore. We only live in the extremes.

Tech billionaires are now talking about building their own damn cities. Cities that follow their orders and money-fervid fantasies to a tee. No more of this democracy nonsense; no more "government oversight." These will be Freedom Cities. But what could a Freedom City do that, say, Hudson Yards doesn't? Billionaires already have everything. This is not our world; it's yours, all yours. 

Maybe now is a good time to return to these powerful lines by T. S. Eliot:

When the Stranger says: “What is the meaning of this city ?
Do you huddle close together because you love each other?”
What will you answer? “We all dwell together
To make money from each other”? or “This is a community”? 

Looks like Seattle's iconic billionaire, Bill Gates, is giving up on all "that hopey, changey stuff" and, according to the Seattle Times, "retooling his empire for the Trump era." Breakthrough Energy, a forward-thinking climate organization he bankrolls, has announced it's going the way of our DOGE-slashed Big Government: cuts, cuts, cuts, and more cuts. It's now time for him to play catch-up with the leaders of his pack. He, too, must become a gora (a vulture capitalist); he too must stick his long featherless neck into the rot of America. You see Beyoncé, this is why you should never want to be "a black Bill Gates in the making."  

These VP eyes transpired during the Irish prime minister's White House visit. The VP's socks also made some noise. 

JD Vance went heavy on the eyeliner this morning

[image or embed]

— Aaron Rupar (@atrupar.com) March 12, 2025 at 7:17 AM

 

Let's end with this excellent poem by Badu on the importance of being woke (its on her slamming track Master Teacher):

Even if yo baby ain't got no money
To support ya baby, you
(I stay woke)
Even when the preacher tell you some lies
And cheatin' on ya mama, you stay woke
(I stay woke)
Even though you go through struggle and strife
To keep a healthy life, I stay woke
(I stay woke)
Everybody knows a black or white, there's
Creatures in every shape and size
(I stay woke)

This Saturday, March 15, the Royal Room will celebrate the music and wokeness of badass Erykah Badu with a band lead by Sheila Kay. 

16:21

RIP Mark Klein [Schneier on Security]

2006 AT&T whistleblower Mark Klein has died.

15:35

[$] Warming up to frozen pages for networking [LWN.net]

When the 6.14 kernel is released later this month, it will include the usual set of internal changes that users should never notice, with the possible exception of changes that bring performance improvements. One of those changes is frozen pages, a memory-management optimization that should fly mostly under the radar. When Hannes Reinecke reported a crash in 6.14, though, frozen pages suddenly came into view. There is a workaround for this problem, but it seems there is a fair amount of work to be done that nobody had counted on to solve the problem properly.

Seven new stable kernels [LWN.net]

Greg Kroah-Hartman has announced the release of the 6.13.7, 6.12.19, 6.6.83, 6.1.131, 5.15.179, 5.10.235, and 5.4.291 stable kernels. They all contain a relatively large number of important fixes throughout the kernel tree.

14:49

Security updates for Thursday [LWN.net]

Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, netatalk, python3.5, python3.8, rar, unrar-nonfree, and xorg-server, xwayland).

14:28

The writer's web [Scripting News]

The web was initially designed for writers. Styling, links, paragraphs, titles (at all levels). The ability to edit. No character limits. That's what we had to work with when we started blogging in the mid-late 90s.

Then there was a big corner-turn in 2006. In an instant the web shrunk to almost nothing. No titles, no style, no links, 140 chars max. Enough to say "I'm waiting in line at the bank." Nothing wrong with that, but it isn't what I think of as writing.

A couple of years ago, I decided to focus on writers once again. I started developing ideas of what the writer's web would look like if we used today's technology. And here are the three main directions.

  • New technology. Since the last time we looked, Markdown was invented. RSS feeds had become instant. Websockets replaced long polling. Servers got cheap! And SQL is fast and the tools are much better. We'll use all the best new technology.
  • Modern interfaces. We'll borrow the best ideas from twitter-like systems. Writing a new post should be as easy as writing a tweet, but with all the features writers need at-hand, easy to access.
  • Open, for real. And best of all, it'll be open, for real, now -- not some day. Each component will be completely replaceable with simple APIs, and lots of example code.

I'm going to use WordPress as my basic back-end technology because it is reliable and broadly deployed, but you don't have to. The great thing about the web is that it's already federated. Nothing to wait for. 😄

We know how to do this. The only question is whether we choose to.

Best way to get started -- write a blog post about what the writer's web means to you. Send me a link. I'll read it.

dave@scripting.com

14:07

Paul Wise: FLOSS Activities February 2025 [Planet Debian]

Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

Issues

Sponsors

The SWH work was sponsored. All other work was done on a volunteer basis.

13:21

CodeSOD: Don't Date Me [The Daily WTF]

I remember in some intro-level compsci class learning that credit card numbers were checksummed, and writing basic functions to validate those checksums as an exercize. I was young and was still using my "starter" credit card with a whopping limit of $500, so that was all news to me.

Alex's company had a problem processing credit cards: they rejected a lot of credit cards as being invalid. The checksum code seemed to be working fine, so what could the problem be? Well, the problem became more obvious when someone's card worked one day, and stopped working the very next day, and they just so happened to be the first and last day of the month.

    protected function validateExpirationCcDate($i_year, $i_month) {
        return (((int)strftime('%y') <= $i_year) && ((int)strftime ('%m') <= $i_month))? true : false;
    }

This function is horrible; because it uses strftime (instead of taking the comparison date and time as a parameter) it's not unit-testable. We're (ab)using casts to convert strings into integers so we can do our comparison. We're using a ternary to return a boolean value instead of just returning the result of the boolean expression.

But of course, that's all the amuse bouche: the main course is the complete misunderstanding of basic logic. According to this code, a credit card is valid if the expiration year is less than or equal to the current year and the month is less than or equal to the current month. As this article goes live in March, 2025, this code would allow credit cards from April, 2026, as it should. But it would reject any cards with an expiration of February, 2028.

Per Alex, "This is a credit card date validation that has been in use for ages."

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

10:49

A replacement for plastic [Richard Stallman's Political Notes]

A new kind of plastic degrades in sea water into compounds that will be eaten by bacteria, with no harmful residue.

Resist worldwide dystopia led by US [Richard Stallman's Political Notes]

*The world’s most admired democracy is being held hostage by a clique of far-right thugs. It would be a mistake to placate them.*

I am not sure that the US was really the most admired democracy a year ago. Certainly it had big flaws, introduced by earlier stages of plutocratist subversion. But it was, arguably, the oldest stable democracy.

Disconnected identities, UK and US [Richard Stallman's Political Notes]

*We've witnessed the rise of a kind of identity politics that sidelines class. And the far right is benefiting from it.*

An insightful article explains how identity politics on antisocial media tends to divide people into groups that argue about which of the many kinds of cruelty, and of the many groups that sometimes are caused to suffer, deserves the "worst oppression" award.

I don't like this competition. I prefer Martin Luther King's message, that we should try to help others who suffer and to end social injustices, regardless of "identity" groups.

Executive order: judge firings' legality [Richard Stallman's Political Notes]

One of the underminer's executive orders says that he can fire anyone in the federal government who disputes his version of what the law requires.

"The essence of it is that Donald Trump is trying, quite consciously, to make himself an elected dictator," said law professor Frank Bowman.

10:42

Grrl Power #1338 – Shadowcraft [Grrl Power]

Sciona’s managed to get herself on Maxima’s “More info needed” list. She’ll pass on her suspicions to Zephan about it he’ll assign someone to investigate further.

It’s got to be a party foul when you’re hanging out with people who can see in perfect darkness, and you light a cigar by emitting plasma from your fingertip. That’s quite a bit of contrast all at once. Of course, beings that can see in pitch black may not be doing it with some sort of visible light enhancement. They’re probably using infravision and, oh yeah, plasma is like 50,000 degrees. So, that would probably scar a Yautja’s retinas. Geeze, a lightning storm would blind whole cities on their world. (A yautja is a Predator, BTW.)

Oh, and Max didn’t exactly “shrug off” the 125mm round. Not that should couldn’t do it nowadays, but the T-72 event happened earlier in her career, and for P.R. reasons, she describes it as “shrugging off.” That scene may eventually be explained in the comic, but probably not as extensively as Peggy’s flashback.

I’m going to try something with this new vote incentive.

This month, I’m closing on a new house, selling my Mom’s house, finishing packing Mom’s house, moving city to city to the new house, forwarding mail, canceling utilities, all that. And after that’s done, I get to start the process of selling my old house, which needs a little work before it can realistically go on the market.

SO. I’m going to try and do this vote incentive in stages. Currently it’s just pencils. The TopWebcomics one will update with colors and detail until we get to the no clothes versions, then that will continue over at Patreon. Also there will be a comic or two in between each version to fill out the story.

I know it’s hard to tell from just the pencils, but this is Heatwave and Jiggawatt. The comics will explain why they’re doing what they’re doing. Although I feel like even saying that much makes it easy to guess, but hopefully the journey will still amuse.

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

09:35

09:21

The big sort [Seth's Blog]

The phone book was a groundbreaking innovation. For the first time, you could actually look up the person you were seeking to reach.

At about the same time, the department store arrived. You could actually have a shot at finding what you were hoping to buy.

TV Guide was, at one time, the most valuable magazine in the US, worth more than any TV network. Directories transform consumption.

Incrementally, slowly then all at once, we’ve multiplied the sorting and directory building of our world. We didn’t notice it happening, but we’ve sorted the people, the ideas, the media, the culture, healthcare, even which lake to go fishing on. Serendipity used to be normal, now it’s rare.

Why stumble when you can look it up?

It’s not simply the extraordinary efficiency of this sort that makes it important. It also represents a different expectation of how the world works.

There’s no place to go look up what to do with that insight, so we’ll have to figure it out as we go.

09:07

Joe Marshall: Tip: Alphabetize arbitrary lists [Planet Lisp]

Whenever I have a list of items, if there is no other better order for them, I arrange them in alphabetical order. Arbitrary lists have a way of getting large and unweildy over time, but if they are kept in alphabetical order, you can find the entries and spot omissions easier.

If there is a better ordering, then certainly use it. But keeping arbitrary lists alphabetized has two advantages: first, they are easier to use because you can find entries quicker. Second, it is a signal to the reader that the list is in fact in an arbitrary order.

07:21

04:42

01:14

Be Our Guest [QC RSS]

we all saw it coming

00:56

Iconography of the PuTTY tools [OSnews]

Ah, PuTTY. Good old reliable PuTTY. This little tool is one of those cornerstone applications in the toolbox of most of us, without any fuss, without any upsells or anti-user nonsense – it just does its job, and it has been doing its job for 30 years. Have you ever wondered, though, where PuTTY’s icons come from, how they were made, and how they evolved over time?

PuTTY’s icon designs date from the late 1990s and early 2000s. They’ve never had a major stylistic redesign, but over the years, the icons have had to be re-rendered under various constraints, which made for a technical challenge as well.

↫ Simon Tatham

The icons have basically not changed since the late ’90s, and I think that’s incredibly fitting for the kind of tool PuTTY is. It turns out people actually offer to redesign all the icons in a modern style, but that’s not going to happen.

People sometimes object to the entire 1990s styling, and volunteer to design us a complete set of replacements in a different style. We’ve never liked any of them enough to adopt them. I think that’s probably because the 1990s styling is part of what makes PuTTY what it is – “reassuringly old-fashioned”. I don’t know if there’s any major redesign that we’d really be on board with.

↫ Simon Tatham

Amen.

No Cuts, No Furloughs—Tax the Rich! [The Stranger]

Donald Trump is determined to harm working and poor people’s living standards. With 13 billionaires in his cabinet, including Elon Musk, he has slashed over 14,000 federal union jobs and gutted social programs. His party’s threats to Medicaid come as they push more tax cuts for the rich. by Jozi Uebelhoer

Donald Trump is determined to harm working and poor people’s living standards. With 13 billionaires in his cabinet, including Elon Musk, he has slashed over 14,000 federal union jobs and gutted social programs. His party’s threats to Medicaid come as they push more tax cuts for the rich.

Democrats in Congress have failed to fight back, despite calling Trump an “existential threat.” This is no surprise, as they also serve elite interests. The party recently accepted $2.5 million from a top lobbyist for SpaceX and Palantir, companies set to profit from Trump’s cuts to unions and social programs.

Failing to fight Trump in D.C. is bad enough, but in Washington state, Governor Bob Ferguson is preparing to slash $7 billion from the budget, targeting over 50,000 unionized workers in the Washington Federation of State Employees (WFSE). These workers provide essential services, from child safety to infrastructure, clean waterways, and public education.

Ferguson plans mandatory monthly furloughs for two years, along with deep cuts to healthcare for low-income residents and firefighting services. This will lead to hospital ward closures, reduced juvenile rehabilitation, and fewer housing options for adults with developmental disabilities.

Republicans in DC have majorities in the house and senate, giving federal Democrats some leeway to claim powerlessness against Trump’s anti-worker attacks. But in Washington, state Democrats control both legislative houses—and yet they still plan to undermine working and poor people’s livelihoods. This comes as the state’s wealth grows, with 13 billionaires and a growing millionaire class. Adding to the hypocrisy, state politicians pushing furloughs on public workers recently gave themselves a 14% salary hike, with Ferguson’s pay rising from $204,205 to $234,275. Meanwhile, public-sector workers face a meager 5% raise over two years, effectively canceled out by furlough days and inflation.

Washington remains a haven for the wealthy while becoming unaffordable for the rest of us. The state’s tax system is the second most regressive in the nation. Democrats have controlled the governor’s office for 30 years, the Senate for 20, and the House for 23—yet they continue serving the elite. 

WFSE leadership rightly opposes the cuts and furloughs, demanding taxes on the rich instead. But a real fightback requires mass protests and a coordinated statewide strike, demanding zero cuts to workers and social programs and full funding through taxation on the rich. This would send a powerful message of working-class resistance against attacks from both Trump and the Democrats.

Without a mass movement, Ferguson and his party will not change course.

Why should we play by their rules? Waiting until after the budget is finalized to bargain again would be disastrous, locking in cuts and demoralizing workers. We’re told we must choose between rejecting furloughs or providing essential services—an outright lie. We must fight for both or risk losing everything.

Statewide union leadership has failed to act, so we, the rank-and-file, are taking it upon ourselves to do so. 

On Monday, the members of WFSE Local 889 unanimously passed a resolution calling for a mass statewide Day of Action on Wednesday, April 9, involving thousands of WFSE members, and solidarity from other unions and working people, before the budget deadline on April 27. The local also passed a resolution calling on WFSE statewide to rescind the endorsement of Governor Ferguson. 

WFSE President Mike Yestramski and labor leaders should be organizing mass protests, solidarity actions, and a one-day strike against Democratic austerity and Trump’s attacks. Workers—not billionaires or their political allies—keep the state running, and shutting it down is the necessary first step to defeating these cuts. Next, WFSE should lead a ballot initiative to end Washington’s regressive tax system, securing funding for housing, healthcare, education, and protecting unions.

We urge WFSE members and working people to join Workers Strike Back at a March 15th town hall to expose Democratic betrayals and organize against both parties of the bosses.

Seattle’s working people showed how to win under Kshama Sawant’s leadership, securing the nation’s highest minimum wage, at the time, through an engaged worker-led movement of everyday people. We must follow this example and fight back with everything we’ve got.

We built mass meetings, rallies, marches, neighborhood action groups, and a ballot initiative to pressure big business and Democrats: pass $15 or face the voters. Despite their attempts to block or weaken it, we won—turning $15 from a slogan into a nationwide movement. In 2020, Sawant and the Tax Amazon movement secured a historic tax on Seattle’s richest corporations, raising over $400 million last year alone for affordable housing. Sawant’s office won these victories alongside workers and union leaders, including WFSE’s Paula Lukaszek.

Now, Workers Strike Back is carrying this strategy forward nationwide. Our Fight the Rich campaign is building a movement to take down Trump, the billionaires, and both their parties. Defeating Trump means confronting the Democrats, whose betrayals let him pose as a friend of workers. Both parties serve the ruling class—we must fight both to win real change.

Capitalism is rule by and for the rich, built on stealing the wealth workers create. But we have the power to shut it down and force real change. Millions would stand with us if we did.

Jozi Uebelhoer is a social worker and a rank-and-file member of WFSE Local 889. Grey Martin is a hospital staff member and a rank-and-file member of WFSE Local 3488. Both are members of Workers Strike Back in Seattle and write in a personal capacity.

 

00:35

[$] LWN.net Weekly Edition for March 13, 2025 [LWN.net]

Inside this week's LWN.net Weekly Edition:

  • Front: PyPI terms of service; Zig 0.14; Matrix; Timer IDs and ABI; Module integrity checking; Capability analysis.
  • Briefs: Path traversal; Below vulnerability; Ubuntu 25.04; Flang; Gstreamer 1.26.0; Framework Mono 6.14.0; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

Feeds

FeedRSSLast fetchedNext fetched after
@ASmartBear XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
a bag of four grapes XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Ansible XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
Bad Science XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Black Doggerel XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Blog - Official site of Stephen Fry XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Charlie Brooker | The Guardian XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Charlie's Diary XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Chasing the Sunset - Comics Only XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Coding Horror XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
Cory Doctorow's craphound.com XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Cory Doctorow, Author at Boing Boing XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Ctrl+Alt+Del Comic XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Cyberunions XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
David Mitchell | The Guardian XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Deeplinks XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
Diesel Sweeties webcomic by rstevens XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Dilbert XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Dork Tower XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Economics from the Top Down XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Edmund Finney's Quest to Find the Meaning of Life XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
EFF Action Center XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Enspiral Tales - Medium XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Events XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Falkvinge on Liberty XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Flipside XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Flipside XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Free software jobs XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
Full Frontal Nerdity by Aaron Williams XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
General Protection Fault: Comic Updates XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
George Monbiot XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Girl Genius XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Groklaw XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Grrl Power XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Hackney Anarchist Group XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Hackney Solidarity Network XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
http://blog.llvm.org/feeds/posts/default XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
http://calendar.google.com/calendar/feeds/q7s5o02sj8hcam52hutbcofoo4%40group.calendar.google.com/public/basic XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
http://dynamic.boingboing.net/cgi-bin/mt/mt-cp.cgi?__mode=feed&_type=posts&blog_id=1&id=1 XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
http://eng.anarchoblogs.org/feed/atom/ XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
http://feed43.com/3874015735218037.xml XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
http://flatearthnews.net/flatearthnews.net/blogfeed XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
http://fulltextrssfeed.com/ XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
http://london.indymedia.org/articles.rss XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
http://pipes.yahoo.com/pipes/pipe.run?_id=ad0530218c055aa302f7e0e84d5d6515&amp;_render=rss XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
http://planet.gridpp.ac.uk/atom.xml XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
http://shirky.com/weblog/feed/atom/ XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
http://thecommune.co.uk/feed/ XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
http://theness.com/roguesgallery/feed/ XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
http://www.airshipentertainment.com/buck/buckcomic/buck.rss XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
http://www.airshipentertainment.com/growf/growfcomic/growf.rss XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
http://www.airshipentertainment.com/myth/mythcomic/myth.rss XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
http://www.baen.com/baenebooks XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
http://www.feedsapi.com/makefulltextfeed.php?url=http%3A%2F%2Fwww.somethingpositive.net%2Fsp.xml&what=auto&key=&max=7&links=preserve&exc=&privacy=I+accept XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
http://www.godhatesastronauts.com/feed/ XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
http://www.tinycat.co.uk/feed/ XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
https://anarchism.pageabode.com/blogs/anarcho/feed/ XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
https://broodhollow.krisstraub.comfeed/ XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
https://debian-administration.org/atom.xml XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
https://feeds.feedburner.com/Starslip XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
https://feeds2.feedburner.com/GeekEtiquette?format=xml XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
https://hackbloc.org/rss.xml XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
https://kajafoglio.livejournal.com/data/atom/ XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
https://kubatpharmacy.com/ XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
https://philfoglio.livejournal.com/data/atom/ XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
https://pixietrixcomix.com/eerie-cutiescomic.rss XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
https://pixietrixcomix.com/menage-a-3/comic.rss XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
https://propertyistheft.wordpress.com/feed/ XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
https://requiem.seraph-inn.com/updates.rss XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
https://studiofoglio.livejournal.com/data/atom/ XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
https://thecommandline.net/feed/ XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
https://torrentfreak.com/subscriptions/ XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
https://twitter.com/statuses/user_timeline/22724360.rss XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
https://web.randi.org/?format=feed&type=rss XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
https://www.dcscience.net/feed/medium.co XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
https://www.DropCatch.com/domain/steampunkmagazine.com XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
https://www.DropCatch.com/domain/ubuntuweblogs.org XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
https://www.DropCatch.com/redirect/?domain=DyingAlone.net XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
https://www.freedompress.org.uk:443/news/feed/ XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
https://www.goblinscomic.com/category/comics/feed/ XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
https://www.loomio.com/blog/feed/ XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
https://www.newstatesman.com/feeds/blogs/laurie-penny.rss XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
https://www.patreon.com/graveyardgreg/posts/comic.rss XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
https://www.rightmove.co.uk/rss/property-for-sale/find.html?locationIdentifier=REGION^876&maxPrice=240000&minBedrooms=2&displayPropertyType=houses&oldDisplayPropertyType=houses&primaryDisplayPropertyType=houses&oldPrimaryDisplayPropertyType=houses&numberOfPropertiesPerPage=24 XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Humble Bundle Blog XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
I, Cringely XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Irregular Webcomic! XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Joel on Software XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
Judith Proctor's Journal XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
Krebs on Security XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Lambda the Ultimate - Programming Languages Weblog XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
Looking For Group XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
LWN.net XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Mimi and Eunice XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Neil Gaiman's Journal XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
Nina Paley XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
O Abnormal – Scifi/Fantasy Artist XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Oglaf! -- Comics. Often dirty. XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Oh Joy Sex Toy XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
Order of the Stick XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
Original Fiction Archives - Reactor XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
OSnews XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Paul Graham: Unofficial RSS Feed XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Penny Arcade XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Penny Red XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
PHD Comics XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Phil's blog XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
Planet Debian XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Planet GNU XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Planet Lisp XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Pluralistic: Daily links from Cory Doctorow XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
PS238 by Aaron Williams XML 00:14, Tuesday, 18 March 01:02, Tuesday, 18 March
QC RSS XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
Radar XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
RevK®'s ramblings XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
Richard Stallman's Political Notes XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Scenes From A Multiverse XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
Schneier on Security XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
SCHNEWS.ORG.UK XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
Scripting News XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Seth's Blog XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
Skin Horse XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Spinnerette XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
Tales From the Riverbank XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
The Adventures of Dr. McNinja XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
The Bumpycat sat on the mat XML 00:35, Tuesday, 18 March 01:15, Tuesday, 18 March
The Daily WTF XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
The Monochrome Mob XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
The Non-Adventures of Wonderella XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
The Old New Thing XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
The Open Source Grid Engine Blog XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
The Stranger XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
towerhamletsalarm XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
Twokinds XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
UK Indymedia Features XML 00:56, Tuesday, 18 March 01:38, Tuesday, 18 March
Uploads from ne11y XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
Uploads from piasladic XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March
Use Sword on Monster XML 00:14, Tuesday, 18 March 01:01, Tuesday, 18 March
Wayward Sons: Legends - Sci-Fi Full Page Webcomic - Updates Daily XML 00:35, Tuesday, 18 March 01:21, Tuesday, 18 March
what if? XML 00:35, Tuesday, 18 March 01:16, Tuesday, 18 March
Whatever XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
Whitechapel Anarchist Group XML 00:07, Tuesday, 18 March 00:56, Tuesday, 18 March
WIL WHEATON dot NET XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
wish XML 00:42, Tuesday, 18 March 01:27, Tuesday, 18 March
Writing the Bright Fantastic XML 00:42, Tuesday, 18 March 01:26, Tuesday, 18 March
xkcd.com XML 00:42, Tuesday, 18 March 01:25, Tuesday, 18 March