Monday, 28 July

23:56

Link [Scripting News]

Listened to a segment on today's Brian Lehrer podcast about how to keep the good feelings from a vacation when you get back home. Here's my idea. Before you leave make a list of the things you like about being on vacation. Take it home, put it somewhere you can find it when you're feeling down and want that feeling back. Pick one of the things on the list and do it. Your subconscious will tune into it as an act of self-love and give you some of the body chemistry that you felt when you were hanging out at the beach or hiking the Applachian Trail. A similar idea in a Bruce Sterling talk in 2009.

22:49

FSD meeting recap 2025-07-25 [Planet GNU]

Check out the important work our volunteers accomplished at today's Free Software Directory (FSD) IRC meeting.

Stranger Suggests: The Godfather of Punk, a Gay-as-Hell Teen Sex Dramedy, and Puzzles from a ‘Jeopardy!’ GOAT [The Stranger]

One really great thing to do every day of the week. by Julianne Bell MONDAY 7/28  

Iggy Pop

(MUSIC) Few have had as fabled (or feral) a career as Iggy Pop. Having graced stages worldwide in band or solo form for nearly 60 years, the man, the myth, the bare-chested legend now returns to Seattle to unleash his unrelenting energy at Marymoor Live. For diehard Stooges fans or even casual dabblers in punk iconography, this show will surely be a jolt of raw power. Expect timeless anthems like “Search and Destroy” to solo gems like “The Passenger,” with the godfather of punk behind the chaos of it all. (Marymoor Park, 7 pm, all ages) LANGSTON THOMAS

TUESDAY 7/29  

‘Little Darlings’

(FILM) I watched this underrated ’80s teen sex dramedy as a high schooler and almost never hear people talking about it, so I’m thrilled to learn that Here-After will be screening it. At the all-girls summer camp Camp Little Wolf, tough girl Angel and sheltered rich girl Ferris clash upon meeting and make a bet to see who can lose their virginity first. Roger Ebert wrote that the movie “somehow does succeed in treating the awesome and scary subject of sexual initiation with some of the dignity it deserves.” I love the queer subtext, the gay-as-hell vintage denim and shag haircuts, and the fact that the film allows its teen girl subjects to be horny and messy in a way they aren’t often permitted to be. (Here-After, 7:30 pm, 21+) JULIANNE BELL

WEDNESDAY 7/30  

Lifeguard

(MUSIC) Baby-faced Chicago trio Lifeguard’s scathing and tuneful new album, Ripped and Torn, marauds with the kind of authority that makes aging critics utter cringe proclamations like “the kids are all right.” But, Jah damn it, Lifeguard have that innate sonic charisma that suggests they spent their youths intently studying history’s most righteous post-punk groups (Wire, Mission of Burma, and Gang of Four), and then putting their own distinctive stamp on that style. That Lifeguard’s guitar/bass/synth/drums hit with an angular force while retaining a nagging melodiousness can make even the most jaded listeners doubt their “rock is dead” dogma. (Baba Yaga, 7 pm, all ages) DAVE SEGAL

THURSDAY 7/31  

Author Talk: Ken Jennings

Ken Jennings will be at Third Place Books Lake Forest Park Thursday, July 31.

(BOOKS) Back in 2012, record-setting Jeopardy! GOAT and current host Ken Jennings created his own proprietary weekly trivia puzzle, which previously appeared in Parade and Mental Floss. It seems simple enough in theory, but is punishingly difficult in practice: answer five questions, the responses to which share a theme in common. (Example: feet, McDonald’s, fingerprints, and St. Louis are linked by all having arches.) Think you have what it takes? Jennings will celebrate the release of The Complete Kennections, which collects all of his past quizzes in one volume along with hundreds of new and updated ones, by dropping by Third Place Books for a talk, Q&A, and signing. (Third Place Books Lake Forest Park, 7 pm, all ages) JULIANNE BELL

FRIDAY 8/1  

'& Juliet'

(THEATER) If you've ever felt less than satisfied with the ending of Shakespeare's Romeo & Juliet, you're not alone. (Killing yourself over a boy? Ugh.) & Juliet imagines what our heroine's journey might've looked like if she had outlived Romeo by more than a few minutes—it’s presented in the form of a jukebox musical, which means most of the songs are well-known bops that make following along enjoyable for musical nerds and newbies alike. Created by David West Read, the Emmy Award-winning writer of Schitt’s Creek, the show premiered on London's West End and has won nine Oliviers. I was sold on the concept as soon as I saw "Since U Been Gone" on the soundtrack. (Paramount Theatre, July 29–Aug 3, all ages) SHANNON LUBETICH

SATURDAY 8/2  

Death Cab for Cutie: Plans 20th Anniversary

(MUSIC) File under aspirational millennial nostalgia tours: indie darlings Death Cab for Cutie are celebrating 20 years of their major-label debut, Plans. As someone who saw Death Cab on their Transatlanticism anniversary tour TWICE, I can vouch that Ben Gibbard and crew have still got it. At the time of its release, Plans was Death Cab’s biggest commercial success, earning a Grammy nomination. But if you're a true fan, this revival will rattle the depths of your brain, only to realize you still effortlessly remember every lyric. Shut up and take my disposable income so I can scream “I Will Follow You Into the Dark” along with a stadium full of other alleged misfits! (Climate Pledge Arena, July 31 & Aug 2, 8 pm, all ages) BRI BREY

SUNDAY 8/3  

Bridget Everett and the Tender Moments

(COMEDY) Before Bridget Everett was known as the star of HBO’s heartwarming comedy series Somebody Somewhere, she was known as New York City’s alt-cabaret provocateur, regularly performing at Joe’s Pub. At these performances, Everett would stand on tables and sing her heart out alongside her backing band, the Tender Moments—made up of the Beastie Boys’ Adam Horovitz and the Julie Ruin’s Carmine Covelli. Now, the group is finally bringing the perennially sold-out, cult-favored cabaret show to the West Coast. If you prefer not to be serenaded, touched, flashed, or handed the microphone during comedy shows, I recommend avoiding the first 30 rows. (Moore Theatre, 8 pm, all ages) AUDREY VANN

:zap: Prizefight! :zap:

Win tickets to rad upcoming events!*

Paul Simon

August 5, McCaw Hall

ENTER NOW! 

Contest ends August 4 at 10 am

Dinosaur Jr. + Snail Mail

August 8, Chateau Ste Michelle

ENTER NOW!

Contest ends August 4 at 10 am

*Entering PRIZE FIGHT contests by submitting your email address signs you up to receive the Stranger Suggests newsletter. You can unsubscribe at any time.

21:21

Help for OpenPrinting needed [LWN.net]

Till Kamppeter, co-founder and lead of the OpenPrinting project, has put out a call for sponsors after being laid off by Canonical:

I want to continue doing OpenPrinting for a living, and need a way to do so. I am currently working with the Linux Foundation to make OpenPrinting an [organization] which can receive sponsor funding. So now I am looking for sponsors.

Even greater would be, if independent of this somebody could hire me to continue OpenPrinting...

Pluralistic: How twiddling enshittifies your brain (28 Jul 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


A terrified, screaming man with wild hair wearing a greatcoat with his hand inserted beneath the lapel, covering his heart. He stands before a knob-festooned control desk and a background of hundreds of gridded knobs and dials. A grinning poop emoji peers over the control desk.

How twiddling enshittifies your brain (permalink)

"If your customers are too happy, you're leaving money on the table": it's the rallying cry of the enshittifier, and it's also what a friend of mine was told by a respected professor in a top-tier MBA program.

Enshittification is the theory that if platforms can shift value away from workers, suppliers, users and/or customers without facing consequences, we should expect that they will. A company is a colony organism made up of many differing organelles, some of whom have firm moral centers and good values, but those factions can't win an argument about enshittifying the company's offerings merely by gesturing towards their ethical reservations. To win that argument, the good guys have to be able to appeal to a villain's highest priority: their own self-interest. It's one thing to say, "I'll feel gross if we wreck our product this way," but it's another altogether to say, "We'll go broke – because of fines, or employee defections, or competitor poaching, or interoperable blocking tech – if we do it your way":

https://pluralistic.net/2023/07/28/microincentives-and-enshittification/

Someone in the org is always ready to believe that the customers (or workers, or suppliers) are too happy, and that this represents money left on the table. Customer service can be scaled back, wages cut, free features turned into upsells. Some of capitalism's most imaginative inventors are enshittifiers, dreaming up new ways to sell you to yourself.

The great tragedy of all this is that the more useful and important a service becomes to you, the more the service's proprietors can extract from you. They don't care if you hate them, so long as you love the data, the friends, the productivity, the utility you get from the service more.

Writing in Ethics and Information Technology, Louisiana State's Michael J Ardoline and Muhlenberg College's Edward Lenzo write about another one of enshittification's systematic torments: "The cognitive and moral harms of platform decay":

https://link.springer.com/article/10.1007/s10676-025-09846-1

The authors observe that our technologies quickly turn into cognitive prostheses: as soon as we can externalize some function of our thinking into a technology, we do.

I used to walk around with a hundred phone numbers in my head, now I remember two, maybe three on a good day. Which is fine! Sure, remembering those phone numbers wasn't cognitively useless. I cultivated all kinds of clever mnemonics based on the spatial relationships of the phone buttons, their alphabetical equivalents, the tones they made, and the arithmetic relationships between sequential digits, all of which constituted a kind of cognitive workout. But after the Great Telephone Number Forgettering, I retasked all that cognitive capacity to memorizing and thinking about stuff that's much less arbitrary and far more consequential than phone numbers.

Whenever we adopt a cognitive prosthesis, there's always someone who overweights the value of the old system of unassisted thinking, while ignoring the cool things we can do with the free capacity we get from replacing our fallible and scarce meat-thinkers with something reproducible and external. No one is immune to this: Socrates thought that reading would make us all stupid because we'd lose the discipline of memorizing all works of literature (ironically, we only know that Socrates thought this because Plato wrote it down):

https://wondermark.com/socrates-vs-writing/

Versions of this continue to play out. When I was a kid, there was a moral panic that pocket calculators would make us all innumerate (an argument advanced by people who know so little about mathematics that they think it's the same thing as arithmetic). Now I keep hearing about millennials who can't read an analog clock, a skill that has as much objective utility as knowing how to interpret a slide-rule or convert from Francs to Lire to Deutschemarks. Not actually useless, but entirely bound to a specific time and place and a mere historical curiosity at some later date.

So I love cognitive prostheses. As a perennially disoriented man with innately poor spatial reasoning and consequently no ability to parse a map, I fucking love living in the age of turn-by-turn GPS directions.

If you wanna know how I write 2-3 books per year, blame the cognitive prosthesis of blogging, which forces me to apply rigor to the notes I take, and rewards me with a searchable database of everything I've ever found important, while stimulating a constant mnemonic rejuggling of all those thoughts that crystallizes into an endless stream of novel synthetic insights and road-tested ways to express them:

https://pluralistic.net/2021/05/09/the-memex-method/

My blogging is self-hosted, and for good reason. An asset that important to my personal and professional life is too precious to entrust to any kind of third party service, especially in light of the collapse of discipline that prevents firms from enshittifying. Remember, the enshittifier's motto is "If your customer is too happy, you're leaving money on the table." My digital, networked online notebook makes me very happy indeed, which means that if it were under the control of an enshittotropic colony organism like Google or Apple or Microsoft or Meta, it would only be a matter of time until some dominant faction decided to see how much they could extract from me by holding it to ransom or making it worse.

It's not practical for everyone to self-host everything. I'm blessed with a lot of technical knowledge and the incredible talents and generosity of a brilliant sysadmin, the wonderful Ken Snider, who makes it all go for me. I've known Ken for 20+ years and the man is no enshittifier. But most of us don't have a Ken in our lives, and even fewer of us are Ken, and so perforce, most of us end up externalizing large parts of our brains to networked services run by companies that would enshittify you without a second thought.

Trusting these companies with so much of your life can be catastrophic, because they are manifestly too big to care, which is why you can't get a customer service rep to save your life (and why they're turning over their vestigial customer service functions to chatbots, AKA "the Idgaf Gambit").

Take the case of "Mike," a software developer whose infant son developed a UTI during the covid lockdowns. On advice from his pediatrician, Mike took a picture of his son's infected penis with his Android phone and sent it to the doctor using a secure telemedicine app, forgetting that his Android device would also automatically sync all his photos to Google's cloud. Google automatically scans all these photos, and it flagged this one as child sexual abuse material (AKA "child pornography"), which resulted in the termination of all of Mike's Google services.

In an instant, Mike lost every family photo he'd taken since his son's birth, every saved email, all of his business and tax records in his Google Drive, his phone number (he was a Google Fi subscriber), his authenticator app, and his email address itself. Google handed his search history and many other sensitive records they held on him to the San Francisco Police Department, who concluded that everything was fine. But the cops couldn't tell Mike any of this because he had no phone and no email, and, lacking these, could not recover any of his online accounts. Eventually, an SFPD detective had to ring Mike's doorbell to tell him he was cleared of any wrongdoing. Despite this, Mike never got his accounts or data back:

https://locusmag.com/2024/07/cory-doctorow-unpersoned/

This is an accidental lobotimization of your outboard brain – it's what happens when a company that's too big to care drops one of its procedures on your head and crushes it like a grape. But there is an important sense in which these companies do care: they care whether you hate them more than you value the data and connections and utility they control. They care about this because if you're too happy, they're leaving money on the table.

That's where Ardoline and Lenzo's work comes in. They both document the ways in which we turn these online services into cognitive prostheses, and then investigate how the enshittification of these services ends up making us stupider, by taking away the stuff that helps us think. They're drawing a line between platform decay and cognitive decay.

The authors look at examples like the enshittification of Google Search, a product that Google has deliberately and irretrievably enshittified:

https://pluralistic.net/2024/04/24/naming-names/#prabhakar-raghavan

The web is a giant cognitive prosthesis, and early web tools put a lot of emphasis on things like bookmark management and local caching, so that the knowledge and cognition you externalized to the web were under your control. But Google Search was so goddamned magic – before they cynically destroyed it – that a lot of us switched from "not remembering things because you have a bookmark that takes you to a website that remembers it for you" to "not remembering things and not remembering where to find them, and just typing queries into Google." The collapse of Google into a giant pile of shit is like giving every web user a traumatic brain injury.

It's a good paper, but I think the situation is actually more dire than the paper makes it out to be, thanks to the AI bubble –

Wait! I'm not actually going to talk about what AI can do (which is a combination of a small set of boring useful things, a bunch of novelties, and a long list of things that AI can't do but is being used to do anyway). I'm talking about the financial fraud that AI serves.

Tech companies must be perceived as growing, because when a company is growing, it is valued far more highly than a company is once it has "matured." This is called the "price to earnings ratio" – the number of dollars investors are willing to pay for the company compared to the number of dollars a company is bringing in. So long as a company is growing, the PE ratio is very high, and this helps the company to actually grow. That's because the shares in growing companies are highly liquid, and can be traded for equity in other companies and/or the labor of key employees, meaning that growth companies can almost always outbid their mature counterparts when it comes to expanding through acquisition and hiring. That means that while a company is growing, its PE ratio can help it keep growing.

But here's the corollary: when a growth company stops growing, its shares are suddenly and violently revalued as though they were shares in a mature company, which tanks the personal net worth of the company's top managers and key employees (whose portfolios are stuffed with their employer's now-plummeting stock). Worse: in order to retain those employees and hire more (or to acquire key companies), the no-longer-growing company has to pay with cash, which is much harder to get than its own shares. Even worse: they have to bid against growing companies.

A growth company is like an airplane that has two modes: climbing and nose-diving, and while it's easy to go from climbing to crashing, it's much harder to go the other way. Ironically, the moment at which a company's growth is most likely to stall is right after its greatest triumph: after a company conquers its market, it has nowhere else to go. Google's got a 90% Search market-share – how can it possibly grow Search?

It can't (just like Meta can't really grow social, and Microsoft can't grow office suites, etc), so it has to convince Wall Street that it has a shot at conquering some other market that the street perceives as unimaginably vast and thus capable of keeping the growth engine going. Tech has pulled a lot of sweaty tricks to create this impression, inflating bubbles like "pivot to video" and "metaverse" and "cryptocurrency," and now it's AI.

The problem is that AI just isn't very popular. People go out of their way to avoid AI products:

https://www.tandfonline.com/doi/full/10.1080/19368623.2024.2368040

For an AI-driven growth story to work, tech companies have to produce a stream of charts depicting lines that go up and to the right, reflecting some carefully chosen set of metrics demonstrating AI's increasing popularity. One way to produce these increasing trend-lines on demand is to replace all the most commonly used parts of a service that you love and rely on with buttons that summon an AI. This is the "fatfinger AI economy," a set of trendlines produced by bombarding people who graze their screens with a stray fingertip with a bunch of AI bullshit, so you can claim that your users are "engaging" with AI:

https://pluralistic.net/2025/05/02/kpis-off/#principal-agentic-ai-problem

It's a form of "twiddling" – changing how a service works on a per-user, per-interaction basis in order to shift value from the user to the company:

https://pluralistic.net/2023/02/19/twiddler/

Twiddling represents the big cognitive hazard from enshittification during the AI bubble: the parts of your UI that matter most to you are the parts that you use as vital cognitive prostheses. A product team whose KPI is "get users to tap on an AI button" is going to use the fine-grained data they have on your technological activities to preferentially target these UI elements that you rely on with AI boobytraps. You are too happy, so they are leaving money on the table, and they're coming for it.

This is a form of "attention rent": the companies are taxing your muscle-memory, forcing you to produce deceptive usage statistics at the price of either diverting your cognition from completing a task to hunt around for the button that banishes the AI and lets you get back to what you were doing; or to simply abandon that cognitive prosthesis:

https://pluralistic.net/2023/11/03/subprime-attention-rent-crisis/#euthanize-rentiers

It's true "engagement-hacking": not performing acts of dopamine manipulation; but rather, spying on your habitual usage of a digital tool in order to swap buttons around in order to get you to make a number go up. It's exploiting the fact that you engage with something useful and good to make it less useful and worse, because if you're too happy, some enshittifier is leaving money on the table.

(Image: Stephen Drake, CC BY 2.0; modified)

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Canada bans copying CDs to iPods https://www.michaelgeist.ca/2005/07/crias-higher-risk-strategy/

#20yrsago No taking pix of San Fran building from the sidewalk? https://thomashawk.com/2005/07/one-bush.html

#20yrsago Microsoft “Genuine Advantage” cracked in 24h: window.g_sDisableWGACheck=’all’ https://web.archive.org/web/20050810083151/http://www.theinquirer.net/?article=24961

#20yrsago Costikyan’s jeremiad against the video game industry https://web.archive.org/web/20050730021700/http://www.costik.com/weblog/2005_07_01_blogchive.html#112254986073206098

#20yrsago Economics of used books https://www.nytimes.com/2005/07/28/technology/reading-between-the-lines-of-used-book-sales.html

#20yrsago My Adbusters sf story https://craphound.com/stories/2000/08/06/the-rebranding-of-billy-bailey/

#20yrsago Richard Branson claims to own all uses of “virgin” https://web.archive.org/web/20051030080223/http://www.chillingeffects.org/weather.cgi?WeatherID=507

#20yrsago Security researcher quits job and blows whistle on Cisco’s fatal flaws https://web.archive.org/web/20060426162432/http://www.securityfocus.com/news/11259

#20yrsago File-sharers buy more music than non-swappers http://news.bbc.co.uk/2/hi/technology/4718249.stm

#15yrsago Bisson’s Fire on the Mountain: alternate history in which John Brown wins at Harper’s Ferry https://memex.craphound.com/2010/07/27/bissons-fire-on-the-mountain-alternate-history-in-which-john-brown-wins-at-harpers-ferry/

#15yrsago Inception‘s musical secret https://www.youtube.com/watch?v=UVkQ0C4qDvM

#15yrsago Shark Knife will terrify your enemies with macho impracticality https://web.archive.org/web/20100724002534/https://www.sadanduseless.com/image.php?n=293

#10yrsago Satanic Temple required protesters to pledge their souls to Satan as condition of entry https://web.archive.org/web/20150728003106/http://www.patheos.com/blogs/friendlyatheist/2015/07/26/to-weed-out-protesters-at-last-nights-event-the-satanic-temple-had-attendees-transfer-their-souls-to-satan/

#5yrsago Quick, inaccurate, cheap covid tests https://pluralistic.net/2020/07/28/afterland/#pick-one

#5yrsago Swarov.se https://pluralistic.net/2020/07/28/afterland/#goatse

#5yrsago Police "unions" are not unions https://pluralistic.net/2020/07/28/afterland/#selective-solidarity

#5yrsago Snowden's Little Brother intro https://pluralistic.net/2020/07/28/afterland/#snowden

#5yrsago Audible Exclusives https://pluralistic.net/2020/07/28/afterland/#acx

#5yrsago Mexican copyright crushes free speechhttps://pluralistic.net/2020/07/28/afterland/#mexico-copyright

#5yrsago Afterland https://pluralistic.net/2020/07/28/afterland/#XY

#5yrsago NYPD disciplinary records https://pluralistic.net/2020/07/27/ip/#nypd-who

#5yrsago Replace the police https://pluralistic.net/2020/07/27/ip/#defund-the-police

#5yrsago My HOPE 2020 talk https://pluralistic.net/2020/07/27/ip/#digital-human-rights

#5yrsago Constitution Illustrated https://pluralistic.net/2020/07/27/ip/#r-sikoryak

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Canny Valley: A limited edition collection of the collages I create for Pluralistic, self-published, September 2025

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026

  • The Reverse-Centaur's Guide to AI, a short book about being a better AI critic, Farrar, Straus and Giroux, 2026


Colophon (permalink)

Today's top sources:

Currently writing:

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. (1013 words yesterday, 13280 words total).

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

21:14

Page 51 [Flipside]

Page 51 is done.

Linux 6.16 released [OSnews]

This release includes some Ext4 performance improvements; XFS support for large atomic writes; support for USB audio offload; support for zero-copy send TCP payloads from DMABUF memory; various futex improvements; initial support for Intel Trusted Domain Extensions; automatic weighted interleaved memory allocation policy; support for sending coredumps over an AF_UNIX socket, and make easier to build your kernel optimized for your local CPU. As always, there are many other features, new drivers, improvements and fixes.

↫ KernelNewbies: Linux 6.16

You’ll get it eventually, usually when the first few point releases iron out any troubling issues.

20:35

That Time Tom Lehrer Pranked the NSA [Schneier on Security]

Bluesky thread. Here’s the paper, from 1957. Note reference 3.

20:28

20:21

What I Got in Murano [Whatever]

When Krissy and I went to Venice, one of the trips we had scheduled was going to the nearby island of Murano and watching some of the artisans engage in their centuries-long tradition of glass-making. That in itself was quite interesting, and when it was done we were taken into the actual shops, just in case we wanted to buy, say, a $50,000 chandelier or an arty blown-glass head of Medusa going for $25,000. In fact we did not — the mere thought of owning something both that expensive and that fragile fills me with an almost holy terror — but as we wandered about both Krissy and I found (relatively) more modest-priced items we decided to take home as 30th anniversary gifts to each other. Krissy’s was a glass rum decanter, which she will get excellent use from. Mine is the item you see above.

What precisely is it? I mean, technically I think it qualifies as a bowl; you can put fruit in it, or possibly keys when you come home, or maybe those marbles you use to fill up clear vases in houses where you’re not actually supposed to touch things. But I confess I didn’t buy it to be functional; I bought it because it was pretty, and green (which is my favorite color) and because all the little square elements you can see have their reflective layer at different depths in the glass, giving the piece in real life an almost startling sense of texture. When we were wandering about the shop, I kept coming back to it, which meant this was the piece I wanted (it also happened this way several years ago when I bought a painting from an aboriginal artist while I was in Perth). For me, it’s art, not necessarily functional (Krissy’s is also art, it’s just art you can store rum in).

Again, it was not a $50K chandelier (which is what the one in the picture above was going for), but it also was easily the most I’ve been on a single piece of glasswork — I paid more when we had the windows in the house replaced a couple years back, but that was, like, all the windows. So I was naturally apprehensive about whether the thing would make it to the house in one piece. Fortunately, the folks we bought from have some experience with shipping glass, and work with a courier service here in the US that knows how to expedite object d’art coming from abroad. Both the bowl and decanter arrived without a scratch.

(And yes, we had to pay a tariff. I’m pretty sure we would have had to before the current administration as well, but the thing about the current administration is one can never quite tell what the tariff will be on any particular day, which is a really not great way to do things. As it turned out, we paid the tariff before this administration and the EU decided on a 15% general tariff on everything coming out of Europe, so we got a lower rate, but regardless, this is no way to run a trade relationship.)

If you go to Venice I do recommend a side trip to Murano to look at the glass and such, because it was fascinating, and also, I will warn you not to go if you’re not willing to end up spending more than you ever expected to in your life on glasswork. Is it worth it? In my case, yes; this piece is lovely and I think I will get years of enjoyment out of just simply looking at it. But that doesn’t mean I’m going to buy any more of it. One piece (plus a rum decanter) is enough, thank you.

— JS

19:42

The EU’s age-verification application requires a Google or Apple account and Google-approved Android device or iPhone [OSnews]

The European Union is in the process of testing an age-verification application, which people can use to verify their age in a privacy-preserving manner (in theory, of course). There’s countless important discussions to be had about whether or not age verification, privacy-preserving or not, is even something we should want, but that’s a topic for another time and for people smarter than I. For now, several member states are currently testing the application on a voluntary basis, and the application itself is open source, with the code hosted on GitHub.

Aside from the obvious concerns about just how private such an application can even be, and concerns about whether or not we should even want something like this, there’s another major problem: the application intends to make use of and require application and device verification by using the proprietary tools for such functionality from Google and Apple, built into Android and iOS, respectively. Listed as future “features”:

App and device verification based on Google Play Integrity API and Apple App Attestation

↫ The application’s GitHub page

This is a massive problem. For reasons that should be obvious to anyone with at least six functioning neurons, the European Union, as well as countless other countries, are trying to reduce their dependency on US technology companies. As such, it’s indefensible to then require anyone who needs to use age verification in the European Union to use an application that will only work on Google-approved Android devices and even then, only when installed from the Google Play Store, with the only alternative being, of all things, Apple’s iOS.

This means that the EU will require anyone who needs age verification to have either a Google or an Apple account, and can only use Google-approved Android or iOS. This application would not work on, say, GrapheneOS or any other non-Google-approved Android ROM – in fact, even if you were to compile the application yourself, you wouldn’t be able to actually use it because it wouldn’t be installed from the Google Play Store. Of course, any mobile operating other than Android or iOS need not apply either.

The danger of tying age verification to Google and Apple did not go by unnoticed, and a GitHub issue raised the issue a few weeks ago.

I would like to strongly urge to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU’s dependency on America and the USA’s control over the internet. Especially in the current political climate I hope I do not have to explain how undesirable and dangerous that is.

↫ TheLastProject in the GitHub issue

The comment thread attached to the issue is long, but during the two weeks since the issue was raised, nobody from the application’s team has answered or even acknowledged people’s concerns, which doesn’t exactly inspire confidence in this being taken seriously. I just hope that with this entire project being in the early testing phases, at least someone manages to realise tying this to Google and Apple is one of the dumbest ideas in a long, long time.

19:28

An Experience With Soft Touch ASMR In Chicago [Whatever]

Have you ever wished you could just pay someone to scratch your back and play with your hair? Like a massage but lighter and softer? Well, it turns out you can, and I totally did it.

A little known fact about me is that I love ASMR. For those of you unfamiliar with the term, ASMR stands for autonomous sensory meridian response, and it basically means that when you hear or see certain things, you get a pleasant tingling sensation in the back of your brain that can even give you chills. If you’re not well versed in ASMR, you probably just think of it as that weird whispering thing people do into a microphone, or worse than that you associate it with unpleasant mouth or eating sounds.

Well, I’m happy to report not all ASMR is like that. Certainly not the kind I like, anyway. For me, I have always liked the ASMR videos of people pretending to do your makeup or skincare, where they dote on you and give you a pampering session and are a comforting presence. But I also like the ones where they actually use a real person and do things like scratch their back, tickle their arms, play with their hair, trace their face. It sounds like a strange thing to watch, but it’s really easy to imagine yourself as that person, and it’s weirdly relaxing.

And I’m certainly not alone in this, because if you look at the comments of these videos, you’ll see so many people saying things like, “I wish that were me,” “how do I get someone to do this to me,” “I wish I could just pay someone to do this for an hour.” It turns out a lot of people would love to have someone touch them nicely in a soft, comforting way! Who knew?

So, there I was, watching one of these videos on Tik Tok from Soft Touch ASMR, when I noticed that the caption of the video said that you could book an appointment with her. Someone was finally doing the thing everyone had been asking for for so long! Where in the world could this possibly be located?! California. Of course it’d be across the country from me. Tragic.

@soft.touch.asmr.spa

it’s your turn to be the girl in your fave ASMR vids – book in bio to feel the tingles IRL at Soft Touch ASMR Spa💕 (based in LA & poppin’ up all over!) #asmrmassage #asmrspa #softtouch #asmrtok #fyp #inpersonasmr #asmrtreatment #asmrrelax #asmrbackscratching #asmrtracing #asmrhairplay #asmr #asmrtingles #asmrsleep

♬ memories – leadwave

Then, I saw that she travels and does pop up events in other major cities. And she had one coming up in Chicago. Well, now there’s a drive I can do. Is it five hours? Yeah. Did I book an appointment anyways? Oh yeah.

Julie was so sweet and friendly, and I had an amazing experience with her. Before our session began, she asked me if there were any specific triggers I wanted her to focus on, and I mentioned I really wanted the back scratching with the claws I’ve seen in her videos:

@soft.touch.asmr.spa

Could you handle the IRL tingles? Book a Soft Touch ASMR Massage & feel it yourself 💖 (link in bio / softtouchasmr.com) Soft Touch is LA’s 1st & only ASMR Spa for gals, trans & non-binary pals ✨ #softtouch #asmrmassage #fyp #asmrtok #asmrspa #asmrirl #asmr #asmrbackscratching

♬ original sound – Soft Touch ASMR Spa

Julie gave me the most relaxing hour ever, with tons of light touches, tickly scratching all over my back, arms, and shoulders, combing my hair softly, I was seriously in heaven. I had to try really hard not to completely fall asleep and miss everything.

It was such a calming escape, I started to wish I had booked the 90 minute experience instead of the 50 minute. I really thought that by the end, I would be totally touched-out and that it maybe wouldn’t even feel good anymore, but I was completely wrong and I was dreading it being over. I also determined I needed this treatment like, every single day from here on out. It really was so nice.

So, even though it was definitely a splurge and a five hour drive away, I am so glad I went and had such a unique, relaxing, awesome experience. It was only after I went all the way to Chicago that I learned she was doing a pop-up in Indianapolis and Columbus later that week, but I wasn’t that upset about it since I love Chicago anyways and had a fun time visiting there regardless.

Would you enjoy this kind of experience? Do you like ASMR videos? Let me know in the comments, and have a great day!

-AMS

18:56

API design note: Don’t make up multiple names for the same thing [The Old New Thing]

A recurring problem I encounter when reviewing API proposals is that teams tend not to be precise in their use of terminology. This casualness is inevitable when you work with a feature for a long time and develop notational shortcuts, but the people who are learning your API don’t have the same level of familiarity that you do, and shifting terminology tends to create confusion.

For example, there was an API proposal that included two methods.

runtimeclass Widget
{
    void EnableFilter(WidgetFilter filter);
    Boolean AreAnyFiltersApplied();
}

The first method talks about “enabling” but the second talks about “applying”.

For somebody encountering this API for the first time, the existence of two different terms raises questions. Is enabling a filter the same as applying it? Or are there two steps to making a filter active, first you enable it, then you apply it? (Or do you apply it first, and then enable it?)

When I asked the team, they said that enabling and applying are two names for the same thing. They internally use both terms to refer to adding filters to a widget.

I recommended that they not use multiple names for the same concept. This makes it harder to see that the two methods are counterparts to each other. Pick a name and stick with it.

They chose to use “Enable” throughout, so the second method was renamed to Are­Any­Filters­Enabled().

This consistency extends beyond method names. If there is a parameter that corresponds to a property, use the same name for both the parameter and the property in order to make the connection clear.

runtimeclass Widget
{
    Widget(String id);

    String Name { get; }
}

In this case, the intention is that the id parameter passed to the constructor can be read back by reading the Name property. In that case, the parameter and property should either both be called Id or both called Name.

// Option 1
runtimeclass Widget
{
    Widget(String id);

    String Id { get; }
}

// Option 2
runtimeclass Widget
{
    Widget(String name);

    String Name { get; }
}

The post API design note: Don’t make up multiple names for the same thing appeared first on The Old New Thing.

18:21

[$] Some 6.16 development statistics [LWN.net]

The 6.16 development cycle was another busy one, with 14,639 non-merge changesets pulled into the mainline — just 18 commits short of the total for 6.15. The 6.16 release happened on July 27, as expected. Also as expected, LWN has put together its traditional look at where the code for this release came from.

[$] Smaller Fedora quality team proposes cuts [LWN.net]

Fedora's quality team is looking to reduce the scope of test coverage and change the project's release criteria to drop some features from the list of release blockers. This is, in part, an exercise in getting rid of criteria, such as booting from optical media, that are less relevant. It is also a necessity, since the Red Hat team focusing on Fedora quality assurance (QA) is only half the size it was a year ago.

18:07

Katie Wilson Is Giving Harrell a Run for His Money, Literally [The Stranger]

Less Than Two Weeks Before the Primary, New Polling Shows the Candidates Are Still Statistically Tied
by Hannah Murphy Winter

Since May, Mayor Bruce Harrell has deployed attack ads, hitched his wagon to a progressive tax proposal, and shouted at the The Stranger’s endorsement board, but so far, it seems like it’s too little too late: a new poll from the Northwest Progressive Institute found that Harrell and Katie Wilson are still neck and neck in this race.

The poll, based on interviews with 651 likely primary voters, found that when voters were given the information in the King County Voters Pamphlet, 35 percent said they would vote for Wilson, compared to 33 percent that said they would vote for Harrell. When they simulated a general election with the two candidates, 43 percent went for Wilson, and only 39 percent for Harrell.

The margin of error for this poll is 4.1 percent, so statistically, the two candidates are tied.

What might be more important, though, is where each candidate has room to grow. Andrew Villeneuve, the executive director of NPI, sees Harrell’s incumbency as a disadvantage in this election. Seattle is always looking for fresh blood (we haven’t reelected a mayor since Greg Nichols in 2005), and this year is no different. Harrell’s approval rating is 35 percent, but his disapproval rating is a whopping 44 percent. Wilson’s disapproval rating is only 18 percent, and 48 percent of the respondents didn’t have an opinion on her, which means she has so much more room to win over voters in the general election.

Typically an incumbent would hope to be close to 50 percent at this point in the race, Villeneuve said in a press conference Monday morning. "[Harrell] is in a race for his political life," Villeneuve said. "This is one of the most exciting mayoral races I've ever seen."

Harrell’s campaign has clearly noticed how tight the race is, and they’re starting to go negative. A press release from the campaign two weeks ago claimed that Wilson was “flip flopped” because she declined to endorse Kshama Sawant’s run for Congress, and claimed she was trying to “mislead Seattle voters and make her extreme views palatable to the general public.” And last week, they sent out a mailer that went after her previous endorsements of Sawant and her support for plans to cut police budgets. And while, thanks to the Democracy Voucher Programs spending limits, they’re tied in fundraising, the pro-Harrell PAC’s fundraising has already passed $275,000.

Wilson has campaigned with a huge focus on affordability: of rent, childcare, and a slice of pizza. The Stranger asked NPI’s Villeneuve if the results showed that her affordability-focused messaging was resonating with voters. “Yes, focusing on affordability has definitely helped Katie,” he said. He noted that a handful of voters mentioned affordability as one of the central reasons they would vote for her, “but campaigning on lowering Seattleites' costs is not the only reason why she's competing well right now. Wilson's supporters say she brings good political instincts to the table and has a track record of getting results.”

Villeneuve pointed to one person who was surveyed—a Black woman between 39 and 49 years old with a graduate degree who  lives in Georgetown—as a good example of Wilson’s appeal. "Katie has worked with so many community partners and leaders,” she wrote. “She is a critical thinker and she is able [to] make a plan and mitigate harm. She is trustworthy because her actions and words match. She understands the challenges the city has and the opportunities to utilize existing resources to help communities and she is thoughtful about progressive revenue. She applies a racial equity lens and she is a strong advocate for renters, anti-displacement, inclusive zoning, [good] jobs and reliable transportation. She knows these investments lead to real public safety... She won't lead with hostility and that tone will improve jobs for city staff."

When reached for comment, the Harrell campaign pointed to “tariff-driven inflation impacting household budgets” as one of his headwinds in the campaign, and emphasized the same notes that are in his negative mailers: Wilson's previous endorsement of Sawant, her support for cutting police budgets, and her opposition to sweeps. “We knew this would be a challenging race,” Harrell said. 

Wilson took an understated victory lap. “This poll shows what I and our hundreds of campaign volunteers already know from talking with voters across the city: so many people are ready for change,” Wilson told The Stranger. “They know we can’t afford another four years of visionless leadership that puts wealthy interests ahead of everyday working people.”

Editor's Note: This story has been updated to include comment from the Harrell Campaign. 

Slog AM: Pete Hegseth's Obsessed with Your Crotch, Ichiro Is a Hall of Famer, and Here Comes Cathy Moore's Replacement [The Stranger]

The Stranger's morning news roundup. by Hannah Murphy Winter

Good Morning! It’s going to be sunny and in the 80s today. What perfect weather to vote early in your local primary election. 

Let’s do the news. 

Who Will Rep District 5? This morning, City Council will appoint Council Member Cathy Moore’s replacement. 2025 has been at least a decade long, so if you’ve forgotten: Moore resigned earlier this year, citing health issues, and her last day on council was July 7. The heir apparent is former City Council President Debora Juarez (though the Seattle Times just came out against her appointment because she dared to side with the left every once in a while). Also on the short list to replace her are: James M. Bourey, a long time city manager and planning director; Katy Haima, a manager at the city Office of Planning & Community Development; Nilu Jenks, former D5 candidate who ran against Moore; Julie Kang, who has been a teacher, professor, and director at the University of Washington and Seattle University; and Amazon Guy Robert D. Wilson

Didn’t We Just Do This? Yep! Two city council members resigned in seven months. Which, as we all know, is a sign of a healthy government. And because Moore resigned after the filing deadline for this year’s elections, this appointee will serve until we have a special election in 2026. 

We’re Still Talking About Denny Blaine: Thanks to King County Superior Court Judge Samuel Chung. Earlier this year, a group of wealthy waterfront property owners sued the city for allowing the historically queer nude beach to become, as they claim, an “unwelcoming, unattractive and ultimately unsafe public place.” They claim that the park is overrun by sex pests masturbating in public, and asked the courts to shut down the park until their concerns could be addressed. Judge Chung didn’t shut the park down, but he did tell the city they had 14 days to provide an “abatement plan” for the “nudity as constituted” (which SPD Chief Shon Barnes has explicitly acknowledged is legal in Seattle) and public sex. That 14-day window ends today.  

Advocates Got Ahead of It: Friends of Denny Blaine, the group of community members and activists that formed to protect the park after wealthy neighbors started targeting it, provided the City with a suggested abatement plan. The proposal would add Seattle Park Rangers to the park, as well as new signage and a ban on “repeat offenders” who have violated public sex laws. The city should provide its own version today, so check back. We’ll have more on it this week. 

Awkward: Southern Washington “Blue Dog” centrist Rep. Marie Gluesenkamp Perez wants to add a new requirement in the US Congress: cognitive standards. The new addition to the body said she’s concerned about the clear mental decline of some of her colleagues (though she didn’t name names) and proposed basic guidelines in Congress to ensure that members were able to do their jobs “unimpeded by significant irreversible cognitive impairment.” It was unanimously rejected. Gluesenkamp Perez is undeterred, though. She plans to bring it back to the table with more rallied support. “We have all of these rules about dumb stuff—hats—and not this more significant question of who is making decisions in the office,” she said. 

Drunk? Don’t Fucking Drive: On Friday in Rainier View, a 74-year-old man drank six beers and then decided to get behind the wheel of his giant RV. He hit several cars before hitting Susana Garcia-Perez, a 45-year-old housekeeper and the “backbone” of her family. She died on the scene, and the driver was arrested. 

Our Hometown Hall of Famer: Ichiro was inducted into the National Baseball Hall of Fame on Sunday. He joins Mariners Edgar Martinez and Ken Griffey Jr. in the club. "Thank you for welcoming me so warmly into your great team,” he said in his 20-minute speech. “I hope I can hold the values of the Hall of Fame. But, please, I am 51 years old now, so easy on the hazing."

The Majority of ICE’s Arrests Aren’t Criminals: In an unusual turn of events, the Seattle Times’ pearl-clutching correspondent Danny Westneat published a genuinely helpful column this weekend. He dug through the Deportation Data Project at the University of California and found that in Washington State, ICE isn’t arresting the “worst of the worst.” Sixty-nine percent of the ICE arrests in June were of people who have never been convicted of a crime, compared to June 2024, when only 35 percent of the people arrested by immigration had clean records. Obviously someone doesn’t have to have a criminal record to be deported, but Westneat found that only 53 of last month’s arrestees even had a deportation order. In 2024, it was 80 percent. So that feeling you have in your gut that ICE is just cuffing any immigrant they can find? Pretty spot on.

Hegseth Wants to See Your Junk: But no homo. He just wants to make sure you’re in the “right” bathroom. According to an 11-page memo from the Department of Defense to the White House obtained by 404 Media, the Pentagon detailed how it plans to enforce Trump’s anti-Trans “Defending Women” executive order. The Pentagon said that it won’t stop at simply changing the signs on bathroom doors to “reflect biological sex.” The best-funded military in the world will continue to “monitor intimate spaces to ensure ongoing compliance” and that it will “continuously evaluate and update intimate spaces as necessary.”   

Planned Parenthood 1, Trump 0: This morning, a federal judge blocked the Trump administration’s attempt to defund Planned Parenthood, ruling that Medicaid has to continue to reimburse the healthcare provider. “Patients are likely to suffer adverse health consequences where care is disrupted or unavailable,” Judge Indira Talwani wrote in the order. “In particular, restricting Members’ ability to provide healthcare services threatens an increase in unintended pregnancies and attendant complications because of reduced access to effective contraceptives, and an increase in undiagnosed and untreated STIs.” This won’t be the end of it, but it’s a huge win for now. 

Boeing’s No Good Very Bad Day: They seem to have a lot of them. On the runway in Denver on Saturday, passengers on a Boeing 737 MAX 8 heard a loud boom and the plane started to shake and drift to the left. After the captain bailed off the runway, video shows passengers evacuating a smoking plane using the inflatable slide. Everyone evacuated safely, and no one had to be hospitalized, but a few of them did eat it while going down the slide. 

 

Israel Bends, a Little Bit: After realizing that starving children is evil the optics of starving children isn’t good for them, Israel announced that it’s going to halt military operations for 10 hours a day in parts of Gaza, and create new aid corridors for Jordan and the United Arab Emirates to airdrop supplies. In their first airdrop in months, Jordan and the United Arab Emirates parachuted 25 tons of aid into Gaza on Sunday but airdrops are never as effective as land deliveries. Palestinian health officials in Gaza City said at least 10 people were injured by falling aid boxes. “This is progress, but vast amounts of aid are needed to stave off famine and a catastrophic health crisis,” said United Nations aid chief Tom Fletcher.

Reminder: We’re having an election. Right now. Today is the last day to register online if you haven’t yet (but you can register in person up to election day), and ballots are due NEXT TUESDAY. So find your ballot under that pile of junk mail on your counter. Here’s our voter guide for everyone who likes to read, and here’s the cheat sheet for everyone who doesn’t. Wondering if your local electeds are ready for this election season? They are. 

          View this post on Instagram                      

A post shared by Alexis Mercedes Rinck (AMR) (@alexismercedesrinck)

17:21

Sergio Cipriano: Handling malicious requests with fail2ban [Planet Debian]

Handling malicious requests with fail2ban

I've been receiving a lot of malicious requests for a while now, so I decided to try out fail2ban as a possible solution. I'm currently using fail2ban 1.0.2-2 from Debian Bookworm.

Unfortunatly, I quickly ran into a problem, fail2ban doesn't work out of the box with this version:

systemd[1]: Started fail2ban.service - Fail2Ban Service.
fail2ban-server[2840]: 2025-07-28 14:40:13,450 fail2ban.configreader   [2840]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
fail2ban-server[2840]: 2025-07-28 14:40:13,456 fail2ban                [2840]: ERROR   Failed during configuration: Have not found an y log file for sshd jail
fail2ban-server[2840]: 2025-07-28 14:40:13,456 fail2ban                [2840]: ERROR   Async configuration of server failed
systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
systemd[1]: fail2ban.service: Failed with result 'exit-code'.

The good news is that this issue has already been addressed for Debian Trixie.

Since I prefer to manage my own configuration, I removed the default file at /etc/fail2ban/jail.d/defaults-debian.conf and replaced it with a custom setup. To fix the earlier issue, I also added a systemd backend to the sshd jail so it would stop expecting a logpath.

Here's the configuration I'm using:

$ cat /etc/fail2ban/jail.d/custom.conf 
[DEFAULT]
maxretry = 3
findtime = 24h
bantime  = 24h

[nginx-bad-request]
enabled  = true
port     = http,https
filter   = nginx-bad-request
logpath  = /var/log/nginx/access.log

[nginx-botsearch]
enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /var/log/nginx/access.log

[sshd]
enabled  = true
port     = ssh
filter   = sshd
backend  = systemd

I like to make things explicit, so I did repeat some lines from the default jail.conf file. In the end, I'm quite happy with it so far. Soon after I set it up, fail2ban was already banning a few hosts.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 7
|  |- Total failed: 19
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 9
   |- Total banned: 10

16:21

Link [Scripting News]

Everything in ChatGPT is so nice. I just asked it about a random plant I got as a gift, and it gave me a beautiful one pager with everything I would have had to spend time searching for all right there, beautifully laid out, and all the fine UI touches you might think of already in. It's studying us and learning, and picking out the good stuff, at least so far. The web was like this too in the beginning, mind-exploding inventions every day. We called them mind bombs. The journalists and social media influencers all just complain, while there is a revolution happening, progress that had slowed to a snail pace, or very often went in reverse, is now coming at breakneck speed. This is as transformative innovation as there has ever been, not that I have much perspective on those that happened before I was invented, but it's as big as the Beatles, the PC, web, mobile.

16:07

Security updates for Monday [LWN.net]

Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac).

15:49

Scarlett Gately Moore: Request for Financial Support During Job Search [Planet Debian]

Dear friends, family, and community,

I’m reaching out during a challenging time in my life to ask for your support. This year has been particularly difficult as I’ve been out of work for most of it due to a broken arm and a serious MRSA infection that required extensive treatment and recovery time.

Current Situation

While I’ve been recovering, I’ve been actively working to maintain and improve my professional skills by contributing to open source software projects. These contributions help me stay current with industry trends and demonstrate my ongoing commitment to my field, but unfortunately, they don’t provide the income I need to cover my basic living expenses.

Despite my efforts, I’m still struggling to secure employment, and I’m falling behind on essential bills including:

  • Rent/mortgage payments
  • Utilities
  • Medical expenses
  • Basic living costs

How You Can Help

Any financial assistance, no matter the amount, would make a meaningful difference in helping me stay afloat during this job search. Your support would allow me to:

  • Keep my housing stable
  • Maintain essential services
  • Focus fully on finding employment without the constant stress of unpaid bills
  • Continue contributing to the open source community

Moving Forward

I’m actively job searching and interviewing, and I’m confident that I’ll be back on my feet soon. Your temporary support during this difficult period would mean the world to me and help bridge the gap until I can secure stable employment.

If you’re able to contribute, GoFundMe . If you’re unable to donate, I completely understand, and sharing this request with others who might be able to help would be greatly appreciated.

Thank you for taking the time to read this and for considering helping me during this challenging time.

With gratitude, Scarlett

14:56

CodeSOD: An Exert Operation [The Daily WTF]

The Standard Template Library for C++ is… interesting. A generic set of data structures and algorithms was a pretty potent idea. In practice, early implementations left a lot to be desired. Because the STL is a core part of C++ at this point, and widely used, it also means that it's slow to change, and each change needs to go through a long approval process.

Which is why the STL didn't have a std::map::containsfunction until the C++20 standard. There were other options. For example, one could usestd::map::count, to count how many times a key appear. Or you could use std::map::findto search for a key. One argument against adding astd::map::containsfunction is thatstd::map::count basically does the same job and has the same performance.

None of this stopped people from adding their own. Which brings us to Gaetan's submission. Absent a std::map::contains method, someone wrote a whole slew of fieldExists methods, where field is one of many possible keys they might expect in the map.

bool DataManager::thingyExists (string name)
{
    THINGY* l_pTHINGY = (*m_pTHINGY)[name];
    if(l_pTHINGY == NULL)
    {
        m_pTHINGY->erase(name);
        return false;
    }
        else
    {
        return true;
    }
    return false;
}

I've head of upsert operations- an update and insert as the same operation, but this is the first exert- an existence check and an insert in the same operation.

"thingy" here is anonymization. The DataManager contained several of these methods, which did the same thing, but checked a different member variable. Other classes, similar to DataManager had their own implementations. In truth, the original developer did a lot of "it's a class, but everything inside of it is stored in a map, that's more flexible!"

In any case, this code starts by using the [] accessor on a member variable m_pTHINGY. This operator returns a reference to what's stored at that key, or if the key doesn't exist inserts a default-constructed instance of whatever the map contains.

What the map contains, in this case, is a pointer to a THINGY, so the default construction of a pointer would be null- and that's what they check. If the value is null, then we erase the key we just inserted and return false. Otherwise, we return true. Otherotherwise, we return false.

As a fun bonus, if someone intentionally stored a null in the map, this will think the key doesn't exist and as a side effect, remove it.

Gaetan writes:

What bugs me most is the final, useless return.

I'll be honest, what bugs me most is the Hungarian notation on local variables. But I'm long established as a Hungarian notation hater.

This code at least works, which compared to some bad C++, puts it on a pretty high level of quality. And it even has some upshots, according to Gaetan:

On the bright side: I have obtained easy performance boosts by performing that kind of cleanup lately in that particular codebase.

[Advertisement] Picking up NuGet is easy. Getting good at it takes time. Download our guide to learn the best practice of NuGet for the Enterprise.

14:07

Link [Scripting News]

Why I need WordLand. I’m primarily a writer, my podcasts reflect that, so most of the work I do on each podcast is in writing the show notes. I have a template the writing and audio flow through. Here's an example of a page rendered through that template. We’re doing similar things with WordPress using themes. The idea of WordLand is to do all the block-oriented work once, then flow my writing through it, far away from the heavy lifting. It’s always how I’ve done my blogging tools. I understand WordPress so far has a steady workflow thru the block editor, but their are workflows for designers and writers. WordLand is the flow for writers.

13:28

Samsung removes bootloader unlocking with One UI 8 [OSnews]

Have a Samsung phone (outside of the United States), and want to unlock the bootloader? Well, soon you won’t be able to do so anymore, as Samsung seems to be removing this option from their phones – including already sold models being upgraded to One UI 8.

Bootloader unlocking is a popular way to breathe new life into older devices, by loading unofficial software onto a device, like custom ROMs, gaining root access, custom kernels, etc. This option will be taken away from users with One UI 8.

[…]

This means not only is the OEM Unlock not visible in Settings anymore, but the bootloader doesn’t even contain any of the code required to unlock itself. This means a workaround to brute force it open is not possible at all, unless Samsung updates the bootloader to add this logic back in.

↫ Josh Skinner at SammyGuru

And so, the ongoing process of locking down Android to a point where it becomes nigh-on indistinguishable from iOS’ locked-down, anti-user nature continues unabated. Samsung is the default choice for Android users in a lot of places around the world, and seeing them, too move ever closer to fully locking down their phones is terrible news for consumers. We should be striving for less restrictive computing, not more.

Combined with persistent rumours that Google is looking into effectively taking Android closed source, leaving only a stub AOSP behind, the future of Android as an least somewhat “open” platform looks quite grim indeed.

13:21

Joe Marshall: Pseudo [Planet Lisp]

I was wondering what it would look like if a large language model were part of your programming language. I'm not talking about calling the model as an API, but rather embedding it as a language construct. I came up with this idea as a first cut.

The pseudo macro allows you to embed pseudocode expressions in your Common Lisp code. It takes a string description and uses an LLM to expand it into an s-expression. You can use pseudo anywhere an expression would be expected.

(defun my-func (a b)
  (pseudo "multiply b by factorial of a."))
MY-FUNC

(my-func 5 3)
360

(defun quadratic (a b c)
  (let ((d (sqrt (pseudo "compute discriminant of quadratic equation"))))
    (values (/ (+ (- b) d) (* 2 a)) (/ (- (- b) d) (* 2 a)))))
QUADRATIC

(quadratic 1 2 -3)
1.0
-3.0

The pseudo macro gathers contextual information and packages it up in a big set of system instructions to the LLM. The instructions include

  • the lexically visible variables in the macro environment
  • fbound symbols
  • bound symbols
  • overall directives to influence code generation
  • directives to influence the style of the generated code (functional vs. imperative)
  • directives to influence the use of the loop macro (prefer vs. avoid)
  • the source code of the file currently being compiled, if there is one

pseduo sets the LLM to use a low temperature for more predictable generation. It prints the “thinking” of the LLM.

Lisp is a big win here. Since Lisp's macro system operates at the level of s-expressions, it has more contextual information available to it than a macro system that is just text expansion. The s-expression representation means that we don't need to interface with the language's parser or compiler to operate on the syntax tree of the code. Adding pseudo to a language like Java would be a much more significant undertaking.

pseudo has the usual LLM caveats:

  • The LLM is slow.
  • The LLM can be expensive.
  • The LLM can produce unpredictable and unwanted code.
  • The LLM can produce incorrect code; the more precise you are in your pseudocode, the more likely you are to get the results you want.
  • You would be absolutely mad to use this in production.

pseudo has one dependency on SBCL which is a function to extract the lexically visible variables from the macro environment. If you port it to another Common Lisp, you'll want to provide an equivalent function.

pseudo was developed using Google's Gemini as the back end, but there's no reason it couldn't be adapted to use other LLMs. To try it out, you'll need the gemini library, available at https://github.com/jrm-code-project/gemini, and a Google API key.

Download pseudo from https://github.com/jrm-code-project/pseudo.

You'll also need these dependencies.

If you try it, let me know how it goes.

13:14

Crib Sheet: A Conventional Boy [Charlie's Diary]

A Conventional Boy is the most recent published novel in the Laundry Files as of 2025, but somewhere between the fourth and sixth in internal chronological order—it takes place at least a year after the events of The Fuller Memorandum and at least a year before the events of The Nightmare Stacks.

I began writing it in 2009, and it was originally going to be a long short story (a novelette—8000-16,000 words). But one thing after another got in the way, until I finally picked it up to try and finish it in 2022—at which point it ran away to 40,000 words! Which put it at the upper end of the novella length range. And then I sent it to my editor at Tor.com, who asked for some more scenes covering Derek's life in Camp Sunshine, which shoved it right over the threshold into "short novel" territory at 53,000 words. That's inconveniently short for a stand-alone novel this century (it'd have been fine in the 1950s; Asimov's original Foundation novels were fix-ups of two novellas that bulked up to roughly that length), so we made a decision to go back to the format of The Atrocity Archives—a short novel bundled with another story (or stories) and an explanatory essay. In this case, we chose two novelettes previously published on Tor.com, and an essay exploring the origins of the D&D Satanic Panic of the 1980s (which features heavily in this novel, and which seems eerily topical in the current—2020s—political climate).

(Why is it short, and not a full-sized novel? Well, I wrote it in 2022-23, the year I had COVID19 twice and badly—not hospital-grade badly, but it left me with brain fog for more than a year and I'm pretty sure it did some permanent damage. As it happens, a novella is structurally simpler than a novel (it typically needs only one or two plot strands, rather than three or more or some elaborate extras). and I need to be able to hold the structure of a story together in my head while I write it. A Conventional Boy was the most complicated thing I could have written in that condition without it being visibly defective. There are only two plot strands and some historical flashbacks, they're easily interleaved, and the main plot itself is fairly simple. When your brain is a mass of congealed porridge? Keeping it simple is good. It was accepted by Tor.com for print and ebook publication in 2023, and would normally have come out in 2024, but for business reasons was delayed until January 2025. So take this as my 2024 book, slightly delayed, and suffice to say that my next book—The Regicide Report, due out in January 2026—is back to full length again.)

So, what's it about?

I introduced a new but then-minor Laundry character called Derek the DM in The Nightmare Stacks: Derek is portly, short-sighted, middle-aged, and works in Forecasting Ops, the department of precognition (predicting the future, or trying to), a unit I introduced as a throwaway gag in the novelette Overtime (which is also part of the book). If you think about the implications for any length of time it becomes apparent that precognition is a winning tool for any kind of intelligence agency, so I had to hedge around it a bit: it turns out that Forecasting Ops are not infallible. They can be "jammed" by precognitives working for rival organizations. Focussing too closely on a precise future can actually make it less likely to come to pass. And different precognitives are less or more accurate. Derek is one of the Laundry's best forecasters, and also an invaluable operation planner—or scenario designer, as he'd call it, because he was, and is, a Dungeon Master at heart.

I figured out that Derek's back-story had to be fascinating before I even finished writing The Nightmare Stacks, and I actually planned to write A Conventional Boy next. But somehow it got away from me, and kept getting shoved back down my to-do list until Derek appeared again in The Labyrinth Index and I realized I had to get him nailed down before The Regicide Report (for reasons that will become clear when that novel comes out). So here we are.

Derek began DM'ing for his group of friends in the early 1980s, using the original AD&D rules (the last edition I played). The campaign he's been running in Camp Sunshine is based on the core AD&D rules, with his own mutant extensions: he's rewritten almost everything, because TTRPG rule books are expensive when you're either a 14 year old with a 14-yo's pocket money allowance or a trusty in a prison that pays wages of 30p an hour. So he doesn't recognize the Omphalos Corporation's LARP scenario as a cut-rate knock-off of The Hidden Shrine of Tamoachan, and he didn't have the money to keep up with subsequent editions of AD&D.

Yes, there are some self-referential bits in here. As with the TTRPGs in the New Management books, they eerily prefigure events in the outside world in the Laundryverse. Derek has no idea that naming his homebrew ruleset and campaign Cult of the Black Pharaoh might be problematic until he met Iris Carpenter, Bob's treacherous manager from The Fuller Memorandum (and now Derek's boss in the camp, where she's serving out her sentence running the recreational services). Yes, the game scenario he runs at DiceCon is a garbled version of Eve's adventure in Quantum of Nightmares. (There's a reason he gets pulled into Forecasting Ops!)

DiceCon is set in Scarfolk—for further information, please re-read. Richard Littler's excellent satire of late 1970s north-west England exactly nails the ambiance I wanted for the setting, and Camp Sunshine was already set not far from there: so yes, this is a deliberate homage to Scarfolk (in parts).

And finally, Piranha Solution is real.

You can buy A Conventional Boy here (North America) or here (UK/EU).

13:07

New Article by RMS [Planet GNU]

Nonfree Software in My Bank

Richard Stallman presents the moral reasoning for why we don't boycott companies for being users of computing methods that treat their users unjustly.

12:42

Dimitri John Ledkov: Achieving actually full disk encryption of UEFI ESP at rest with TCG OPAL, FIPS, LUKS [Planet Debian]

Achieving full disk encryption using FIPS, TCG OPAL and LUKS to encrypt UEFI ESP on bare-metal and in VMs

Many security standards such as CIS and STIG require to protect information at rest. For example, NIST SP 800-53r5 SC-28 advocate to use cryptographic protection, offline storage and TPMs to enhance protection of information confidentiality and/or integrity.

Traditionally to satisfy such controls on portable devices such as laptops one would utilize software based Full Disk Encryption - Mac OS X FileVault, Windows Bitlocker, Linux cryptsetup LUKS2. In cases when FIPS cryptography is required, additional burden would be placed onto these systems to operate their kernels in FIPS mode.

Trusted Computing Group works on establishing many industry standards and specifications, which are widely adopted to improve safety and security of computing whilst keeping it easy to use. One of their most famous specifications them is TCG TPM 2.0 (Trusted Platform Module). TPMs are now widely available on most devices and help to protect secret keys and attest systems. For example, most software full disk encryption solutions can utilise TCG TPM to store full disk encryption keys providing passwordless, biometric or pin-base ways to unlock the drives as well as attesting that system have not been modified or compromised whilst offline.

TCG Storage Security Subsystem Class: Opal Specification is a set of specifications for features of data storage devices. The authors and contributors to OPAL are leading and well trusted storage manufacturers such as Samsung, Western Digital, Seagate Technologies, Dell, Google, Lenovo, IBM, Kioxia, among others. One of the features that Opal Specification enables is self-encrypting drives which becomes very powerful when combined with pre-boot authentication. Out of the box, such drives always and transparently encrypt all disk data using hardware acceleration. To protect data one can enter UEFI firmware setup (BIOS) to set NVMe single user password (or user + administrator/recovery passwords) to encrypt the disk encryption key. If one's firmware didn't come with such features, one can also use SEDutil to inspect and configure all of this. Latest release of major Linux distributions have SEDutil already packaged.

Once password is set, on startup, pre-boot authentication will request one to enter password - prior to booting any operating systems. It means that full disk is actually encrypted, including the UEFI ESP and all operating systems that are installed in case of dual or multi-boot installations. This also prevents tampering with ESP, UEFI bootloaders and kernels which with traditional software-based encryption often remain unencrypted and accessible. It also means one doesn't have to do special OS level repartitioning, or installation steps to ensure all data is encrypted at rest.

What about FIPS compliance? Well, the good news is that majority of the OPAL compliant hard drives and/or security sub-chips do have FIPS 140-3 certification. Meaning they have been tested by independent laboratories to ensure they do in-fact encrypt data. On the CMVP website one can search for module name terms "OPAL" or "NVMe" or name of hardware vendor to locate FIPS certificates.

Are such drives widely available? Yes. For example, a common Thinkpad X1 gen 11 has OPAL NVMe drives as standard, and they have FIPS certification too. Thus, it is likely in your hardware fleet these are already widely available. Use sedutil to check if MediaEncrypt and LockingSupported features are available.

Well, this is great for laptops and physical servers, but you may ask - what about public or private cloud? Actually, more or less the same is already in-place in both. On CVMP website all major clouds have their disk encryption hardware certified, and all of them always encrypt all Virtual Machines with FIPS certified cryptography without an ability to opt-out. One is however in full control of how the encryption keys are managed: cloud-provider or self-managed (either with a cloud HSM or KMS or bring your own / external). See these relevant encryption options and key management docs for GCP, Azure, AWS. But the key takeaway without doing anything, at rest, VMs in public cloud are always encrypted and satisfy NIST SP 800-53 controls.

What about private cloud? Most Linux based private clouds ultimately use qemu typically with qcow2 virtual disk images. Qemu supports user-space encryption of qcow2 disk, see this manpage. Such encryption encrypts the full virtual machine disk, including the bootloader and ESP. And it is handled entirely outside of the VM on the host - meaning the VM never has access to the disk encryption keys. Qemu implements this encryption entirely in userspace using gnutls, nettle, libgcrypt depending on how it was compiled. This also means one can satisfy FIPS requirements entirely in userspace without a Linux kernel in FIPS mode. Higher level APIs built on top of qemu also support qcow2 disk encryption, as in projects such as libvirt and OpenStack Cinder.

If you carefully read the docs, you may notice that agent support is explicitly sometimes called out as not supported or not mentioned. Quite often agents running inside the OS may not have enough observability to them to assess if there is external encryption. It does mean that monitoring above encryption options require different approaches - for example monitor your cloud configuration using tools such as Wiz and Orca, rather than using agents inside individual VMs. For laptop / endpoint security agents, I do wish they would start gaining capability to report OPAL SED availability and status if it is active or not.

What about using software encryption none-the-less on top of the above solutions? It is commonly referred to double or multiple encryption. There will be an additional performance impact, but it can be worthwhile. It really depends on what you define as data at rest for yourself and which controls you need. If one has a dual-boot laptop, and wants to keep one OS encrypted whilst booted into the other, it can perfectly reasonable to encrypted the two using separate software encryption keys. In addition to the OPAL encryption of the ESP. For more targeted per-file / per-folder encryption, one can look into using gocryptfs which is the best successor to the once popular, but now deprecated eCryptfs (amazing tool, but has fallen behind in development and can lead to data loss).

All of the above mostly talks about cryptographic encryption, which only provides confidentially but not data integrity. To protect integrity, one needs to choose how to maintain that. dm-verity is a good choice for read-only and rigid installations. For read-write workloads, it may be easier to deploy ZFS or Btrfs instead. If one is using filesystems without a built-in integrity support such as XFS or Ext4, one can retrofit integrity layer to them by using dm-integrity (either standalone, or via dm-luks/cryptsetup --integrity option).

If one has a lot of estate and a lot of encryption keys to keep track off a key management solution is likely needed. The most popular solution is likely the one from Thales Group marketed under ChiperTrust Data Security Platform (previously Vormetric), but there are many others including OEM / Vendor / Hardware / Cloud specific or agnostic solutions.

I hope this crash course guide piques your interest to learn and discover modern confidentially and integrity solutions, and to re-affirm or change your existing controls w.r.t. to data protection at rest. 

Full disk encryption, including UEFI ESP /boot/efi is now widely achievable by default on both baremetal machines and in VMs including with FIPS certification. To discuss more let's connect on Linkedin.

12:21

Microsoft SharePoint Zero-Day [Schneier on Security]

Chinese hackers are exploiting a high-severity vulnerability in Microsoft SharePoint to steal data worldwide:

The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the vulnerability, which affects SharePoint Servers that infrastructure customers run in-house. Microsoft’s cloud-hosted SharePoint Online and Microsoft 365 are not affected.

Here’s Microsoft on patching instructions. Patching isn’t enough, as attackers have used the vulnerability to steal authentication credentials. It’s an absolute mess. CISA has more information. Also these four links. Two Slashdot threads.

This is an unfolding security mess, and quite the hacking coup.

11:49

Grrl Power #1377 – Lett hackers [Grrl Power]

I’m going to make the double res version of this page on Patreon available to everyone, since there’s so many small panels. My intent was just to show a series of hacking steps involving nano-goo holding down a switch to prevent the counter intrusion alarm from going off and things sliding and future circuits being manipulated, but I have a bad habit of zooming in to like 500% while I’m working and it’s all kind of hard to see at the regular webcomic resolution.

A physical switch like a refrigerator door light switch in an alien satellite to detect a panel opening does seem really basic and low tech, but like Sylv suggests, just because you can use super crazy alien high tech doesn’t mean it’s more economical or even better.

The Xevoarchy isn’t an evil empire or anything. They’re basically a space U.N., and members of that body figure out the galactic rules more or less democratically. Now that isn’t to say that every planet is some perfect, pure democracy. Just like our U.N., there are representatives there from dictatorships, monarchies, republics, the whole spectrum really. Their main function is to maintain a multispecies space police force that’s also capable of spinning up into an armada in case some race of previously unknown hive-mind all-consuming swarm type aliens or “conquer everyone” warlike race shows up and attempts to plunder/kill/assimilate the galaxy.

The Xevoarchy also defines the laws outside of sovereign territories, i.e. open space, and also any “publicly owned” bases or installations, like Fracture Station, and in a few cases, collectively settled planets. They also set the rules for interacting with non-FTL races, and even lay out what constitutes FTL for their purposes. If you have Stargates but no spaceships, you get to be in the cool kids’ club. If you’re barely FTL and venturing to the next nearest star is still a journey of 20 years… it depends.

Cora and crew are “adventurers,” bounty hunters and explorers, and are on good terms with the Xevoarchy… generally speaking. That doesn’t mean they want some supergovernmental entity tracking their every move, and sometimes the representatives of this dictatorship or that monarchy don’t want free agents rescuing political prisoners or whatever, so this is hardly their first time hacking into a Xeev satellite or database to massage the data.

The vote incentive is finally done!

The update to the TWC image is pretty minor, but the Patreon version has the bonus comic as well as nude versions. I will strive to make the next one more timely.

 

 

 

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

11:35

LWN is back [LWN.net]

The good folks at Linode still have not managed to fix whatever broke in their data center, so we are running on an emergency backup server. Things seem to be working, but the occasional glitch is to be expected. Please accept our apologies for the extended downtime!

Update: we're back on the regular production server, and all seems stable now.

The 6.16 kernel is out [LWN.net]

Linus has released the 6.16 kernel:

It's Sunday afternoon, and the release cycle has come to an end. Last week was nice and calm, and there were no big show-stopper surprises to keep us from the regular schedule, so I've tagged and pushed out 6.16 as planned.

Headline changes in this release include enabling five-level page tables by default on x86 systems, a number of core-dump changes including the ability to send core dumps to a socket, the ability to create pipes in io_uring, atomic-write support in the XFS filesystem, the elimination of block-layer bounce buffering, a new DMA-mapping API, an option to block file descriptors passed in via Unix-domain sockets, and more.

See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.16 page for more information.

10:49

09:49

The order and the medium of feedback [Seth's Blog]

Who do you pay attention to?

Do you respond or react to the feedback that’s coming in? Do you seek it out or wait for it to arrive?

Does vivid online feedback from anonymous trolls carry more weight than honest but more subtle feedback from actual customers?

Pick your feedback, pick your future.

Which sort of feedback changes your behavior or attitude?

  • Delivered with enthusiasm or a scowl
  • In private or in public
  • In writing or verbally…

The goal might not be to find a way to only get positive applause, because your project may very well benefit from thoughtful feedback.

The useful path is to figure out which sort of feedback suits you in what stage of the project. “It’s not for you,” and “I don’t want to show it to you right now,” are valid approaches to our creative process.

08:49

08:42

Itchy Tasty [Penny Arcade]

New Comic: Itchy Tasty

05:42

Russ Allbery: Review: Cyteen [Planet Debian]

Review: Cyteen, by C.J. Cherryh

Series: Cyteen #1
Publisher: Warner Aspect
Copyright: 1988
Printing: September 1995
ISBN: 0-446-67127-4
Format: Trade paperback
Pages: 680

The main text below is an edited version of my original review of Cyteen written on 2012-01-03. Additional comments from my re-read are after the original review.

I've reviewed several other C.J. Cherryh books somewhat negatively, which might give the impression I'm not a fan. That is an artifact of when I started reviewing. I first discovered Cherryh with Cyteen some 20 years ago, and it remains one of my favorite SF novels of all time. After finishing my reading for 2011, I was casting about for what to start next, saw Cyteen on my parents' shelves, and decided it was past time for my third reading, particularly given the recent release of a sequel, Regenesis.

Cyteen is set in Cherryh's Alliance-Union universe following the Company Wars. It references several other books in that universe, most notably Forty Thousand in Gehenna but also Downbelow Station and others. It also has mentions of the Compact Space series (The Pride of Chanur and sequels). More generally, almost all of Cherryh's writing is loosely tied together by an overarching future history. One does not need to read any of those other books before reading Cyteen; this book will fill you in on all of the politics and history you need to know. I read Cyteen first and have never felt the lack.

Cyteen was at one time split into three books for publishing reasons: The Betrayal, The Rebirth, and The Vindication. This is an awful way to think of the book. There are no internal pauses or reasonable volume breaks; Cyteen is a single coherent novel, and Cherryh has requested that it never be broken up that way again. If you happen to find all three portions as your reading copy, they contain all the same words and are serviceable if you remember it's a single novel under three covers, but I recommend against reading the portions in isolation.

Human colonization of the galaxy started with slower-than-light travel sponsored by the private Sol Corporation. The inhabitants of the far-flung stations and the crews of the merchant ships that supplied them have formed their own separate cultures, but initially remained attached to Earth. That changed with the discovery of FTL travel and a botched attempt by Earth to reassert its authority. At the time of Cyteen, there are three human powers: distant Earth (which plays little role in this book), the merchanter Alliance, and Union.

The planet Cyteen is one of only a few Earth-like worlds discovered by human expansion, and is the seat of government and the most powerful force in Union. This is primarily because of Reseune: the Cyteen lab that produces the azi.

If Cyteen is about any one thing, it's about azi: genetically engineered human clones who are programmed via intensive psychological conditioning starting before birth. The conditioning uses a combination of drugs to make them receptive and "tape," specific patterns of instruction and sensory stimulation. They are designed for specific jobs or roles, they're conditioned to be obedient to regular humans, and they're not citizens. They are, in short, slaves.

In a lot of books, that's as deep as the analysis would go. Azi are slaves, and slavery is certainly bad, so there would probably be a plot around azi overthrowing their conditioning, or around the protagonists trying to free them from servitude. But Cyteen is not any SF novel, and azi are considerably more complex and difficult than that analysis. We learn over the course of the book that the immensely powerful head of Reseune Labs, Ariane Emory, has a specific broader purpose in mind for the azi. One of the reasons why Reseune fought for and gained the role of legal protector of all azi in Union, regardless of where they were birthed, is so that Reseune could act to break any permanent dependence on azi as labor. And yet, they are slaves; one of the protagonists of Cyteen is an experimental azi, which makes him the permanent property of Reseune and puts him in constant jeopardy of being used as a political prisoner and lever of manipulation against those who care about him.

Cyteen is a book about manipulation, about programming people, about what it means to have power over someone else's thoughts, and what one can do with that power. But it's also a book about connection and identity, about what makes up a personality, about what constitutes identity and how people construct the moral codes and values that they hold at their core. It's also a book about certainty. Azi are absolutely certain, and are capable of absolute trust, because that's part of their conditioning. Naturally-raised humans are not. This means humans can do things that azi can't, but the reverse is also true. The azi are not mindless slaves, nor are they mindlessly programmed, and several of the characters, both human and azi, find a lot of appeal in the core of certainty and deep self-knowledge of their own psychological rules that azis can have. Cyteen is a book about emotions, and logic, and where they come from and how to balance them. About whether emotional pain and uncertainty is beneficial or damaging, and about how one's experiences make up and alter one's identity.

This is also a book about politics, both institutional and personal. It opens with Ariane Emory, Councilor for Science for five decades and the head of the ruling Union Expansionist party. She's powerful, brilliant, dangerously good at reading people, and dangerously willing to manipulate and control people for her own ends. What she wants, at the start of the book, is to completely clone a Special (the legal status given to the most brilliant minds of Union). This was attempted before and failed, but Ariane believes it's now possible, with a combination of tape, genetic engineering, and environmental control, to reproduce the brilliance of the original mind. To give Union another lifespan of work by their most brilliant thinkers.

Jordan Warrick, another scientist at Reseune, has had a long-standing professional and personal feud with Ariane Emory. As the book opens, he is fighting to be transferred out from under her to the new research station that would be part of the Special cloning project, and he wants to bring his son Justin and Justin's companion azi Grant with them. Justin is a PR, a parental replicate, meaning he shares Jordan's genetic makeup but was not an attempt to reproduce the conditions of Jordan's rearing. Grant was raised as his brother. And both have, for reasons that are initially unclear, attracted the attention of Ariane, who may be using them as pawns.

This is just the initial setup, and along with this should come a warning: the first 150 pages set up a very complex and dangerous political situation and build the tension that will carry the rest of the book, and they do this by, largely, torturing Justin and Grant. The viewpoint jumps around, but Justin and Grant are the primary protagonists for this first section of the book. While one feels sympathy for both of them, I have never, in my multiple readings of the book, particularly liked them. They're hard to like, as opposed to pity, during this setup; they have very little agency, are in way over their heads, are constantly making mistakes, and are essentially having their lives destroyed.

Don't let this turn you off on the rest of the book. Cyteen takes a dramatic shift about 150 pages in. A new set of protagonists are introduced who are some of the most interesting, complex, and delightful protagonists in any SF novel I have read, and who are very much worth waiting for. While Justin has his moments later on (his life is so hard that his courage can be profoundly moving), it's not necessary to like him to love this book. That's one of the reasons why I so strongly dislike breaking it into three sections; that first section, which is mostly Justin and Grant, is not representative of the book.

I can't talk too much more about the plot without risking spoiling it, but it's a beautiful, taut, and complex story that is full of my favorite things in both settings and protagonists. Cyteen is a book about brilliant people who think on their feet. Cherryh succeeds at showing this through what they do, which is rarely done as well as it is here. It's a book about remembering one's friends and remembering one's enemies, and waiting for the most effective moment to act, but it also achieves some remarkable transformations. About 150 pages in, you are likely to loathe almost everyone in Reseune; by the end of the book, you find yourself liking, or at least understanding, nearly everyone. This is extremely hard, and Cherryh pulls it off in most cases without even giving the people she's redeeming their own viewpoint sections. Other than perhaps George R.R. Martin I've not seen another author do this as well.

And, more than anything else, Cyteen is a book with the most wonderful feeling of catharsis. I think this is one of the reasons why I adore this book and have difficulties with some of Cherryh's other works. She's always good at ramping up the tension and putting her characters in awful, untenable positions. Less frequently does she provide the emotional payoff of turning the tables, where you get to watch a protagonist do everything you've been wanting them to do for hundreds of pages, except even better and more delightfully than you would have come up with. Cyteen is one of the most emotionally satisfying books I've ever read.

I could go on and on; there is just so much here that I love. Deep questions of ethics and self-control, presented in a way that one can see the consequences of both bad decisions and good ones and contrast them. Some of the best political negotiations in fiction. A wonderful look at friendship and loyalty from several directions. Two of the best semi-human protagonists I've seen, who one can see simultaneously as both wonderful friends and utterly non-human and who put nearly all of the androids in fiction to shame by being something trickier and more complex. A wonderful unfolding sense of power. A computer that can somewhat anticipate problems and somewhat can't, and that encapsulates much of what I love about semi-intelligent bases in science fiction. Cyteen has that rarest of properties of SF novels: Both the characters and the technology meld in a wonderful combination where neither could exist without the other, where the character issues are illuminated by the technology and the technology supports the characters.

I have, for this book, two warnings. The first, as previously mentioned, is that the first 150 pages of setup is necessary but painful to read, and I never fully warmed to Justin and Grant throughout. I would not be surprised to hear that someone started this book but gave up on it after 50 or 100 pages. I do think it's worth sticking out the rocky beginning, though. Justin and Grant continue to be a little annoying, but there's so much other good stuff going on that it doesn't matter.

The other warning is that part of the setup of the story involves the rape of an underage character. This is mostly off-camera, but the emotional consequences are significant (as they should be) and are frequently discussed throughout the book. There is also rather frank discussion of adolescent sexuality later in the book. I think both of these are relevant to the story and handled in a way that isn't gratuitous, but they made me uncomfortable and I don't have any past history with those topics.

Those warnings notwithstanding, this is simply one of the best SF novels ever written. It uses technology to pose deep questions about human emotions, identity, and interactions, and it uses complex and interesting characters to take a close look at the impact of technology on lives. And it does this with a wonderfully taut, complicated plot that sustains its tension through all 680 pages, and with characters whom I absolutely love. I have no doubt that I'll be reading it for a fourth and fifth time some years down the road.

Followed by Regenesis, although Cyteen stands well entirely on its own and there's no pressing need to read the sequel.

Rating: 10 out of 10

Some additional thoughts after re-reading Cyteen in 2025:

I touched on this briefly in my original review, but I was really struck during this re-read how much the azi are a commentary on and a complication of the role of androids in earlier science fiction. Asimov's Three Laws of Robotics were an attempt to control the risks of robots, but can also be read as turning robots into slaves. Azis make the slavery more explicit and disturbing by running the programming on a human biological platform, but they're more explicitly programmed and artificial than a lot of science fiction androids.

Artificial beings and their relationship to humans have been a recurring theme of SF since Frankenstein, but I can't remember a novel that makes the comparison to humans this ambiguous and conflicted. The azi not only like being azi, they can describe why they prefer it. It's clear that Union made azi for many of the same reasons that humans enslave other humans, and that Ariane Emory is using them as machinery in a larger (and highly ethically questionable) plan, but Cherryh gets deeper into the emergent social complications and societal impact than most SF novels manage. Azi are apparently closer to humans than the famous SF examples such as Commander Data, but the deep differences are both more subtle and more profound.

I've seen some reviewers who are disturbed by the lack of a clear moral stance by the protagonists against the creation of azi. I'm not sure what to think about that. It's clear the characters mostly like the society they've created, and the groups attempting to "free" azi from their "captivity" are portrayed as idiots who have no understanding of azi psychology. Emory says she doesn't want azi to be a permanent aspect of society but clearly has no intention of ending production any time soon. The book does seem oddly unaware that the production of azi is unethical per se and, unlike androids, has an obvious exit ramp: Continue cloning gene lines as needed to maintain a sufficient population for a growing industrial civilization, but raise the children as children rather than using azi programming. If Cherryh included some reason why that was infeasible, I didn't see it, and I don't think the characters directly confronted it.

I don't think societies in books need to be ethical, or that Cherryh intended to defend this one. There are a lot of nasty moral traps that civilizations can fall into that make for interesting stories. But the lack of acknowledgment of the problem within the novel did seem odd this time around.

The other part of this novel that was harder to read past in this re-read is the sexual ethics. There's a lot of adolescent sexuality in this book, and even apart from the rape scene — which was more on-the-page than I had remembered and which is quite (intentionally) disturbing — there is a whole lot of somewhat dubious consent. Maybe I've gotten older or just more discriminating, but it felt weirdly voyeuristic to know this much about the sex lives of characters who are, at several critical points in the story, just a bunch of kids.

All that being said, and with the repeated warning that the first 150 pages of this novel are just not very good, there is still something magic about the last two-thirds of this book. It has competence porn featuring a precociously brilliant teenager who I really like, it has one of the more interesting non-AI programmed computer systems that I've read in SF, it has satisfying politics that feel like modern politics (media strategy and relationships and negotiated alliances, rather than brute force and ideology), and it has a truly excellent feeling of catharsis. The plot resolution is a bit too abrupt and a bit insufficiently explained (there's more in Regenesis), but even though this was my fourth time through this book, the pacing grabbed me again and I could barely put down the last part of the story.

Ethics aside (and I realize that's quite the way to start a sentence), I find the azi stuff fascinating. I know the psychology in this book is not real and is hopelessly simplified compared to real psychology, but there's something in the discussions of value sets and flux and self-knowledge that grabs my interest and makes me want to ponder. I think it's the illusion of simplicity and control, the what-if premise of thought where core motivations and moral rules could be knowable instead of endlessly fluid the way they are in us humans. Cherryh's azi are some of the most intriguing androids in science fiction to me precisely because they don't start with computers and add the humanity in, but instead start with humanity and overlay a computer-like certainty of purpose that's fully self-aware. The result is more subtle and interesting than anything Star Trek managed.

I was not quite as enamored with this book this time around, but it's still excellent once the story gets properly started. I still would recommend it, but I might add more warnings about the disturbing parts.

Re-read rating: 9 out of 10

Girl Genius for Monday, July 28, 2025 [Girl Genius]

The Girl Genius comic for Monday, July 28, 2025 has been posted.

05:21

Comic Strip for Monday, July 28, 2025 [General Protection Fault: Comic Updates]

Current Story: Surreptitious Machinations II: Ashes to Ashes

04:49

Welcoming our new member - LesBoys [Planet GNU]

Hi, All:

Please join me in welcoming our new member:

User Details:
-------------
Name:    LesBoys
Login:   lesboys
Email:   thgcatchingfire1440@outlook.com

I wish LesBoys a wonderful journey in GNU CTT.

Happy Hacking
wxie

Sunday, 27 July

21:35

Link [Scripting News]

One of my favorite features in the newest version of Bingeworthy is that it can generate a ChatGPT review of a program. Screen shot. I wouldn't have opened this up before because of that would let in the weirdness of the internets. This way we can find out what people thought, as sanitized by ChatGPT. BTW do you think the root of sanitized is sane? As the root of ignorant is ignore? Of course our friend has the answer. One is and the other isn't.

17:42

A Bingeworthy Sunday [Scripting News]

I wasn't planning on this, but there was a report that there was a problem with BingeWorthy, looked into it and was able to fix it.

Source of problem: When I added a feature that lets you ask ChatGPT to review the program you're looking at, I broke the ability to add a new program to the database. It took about 15 minutes to track down and verify and another few minutes to fix -- and now that important function works again.

As long as I was in there working around, I updated the Bingeworthy RSS feed to only report program additions. The other events it was reporting just weren't as interesting.

I also added that feed to my blogroll on scripting.com.

I'd say it works a lot better now.

I'm trying to think but nothing happens!

16:49

12:28

Urgent: Discharge petition to force vote on release of Epstein files [Richard Stallman's Political Notes]

US citizens: phone your congresscritter and call on per to sign the discharge petition to force a vote on whether to release the Epstein files.

Concealing them is far from the worst thing magats are doing to our country, and we should not forget about the greatest dangers. But that doesn't mean we should disregard this.

If you phone, please spread the word! Main Switchboard: +1-202-224-3121

Urgent: Cancel contract for use of Musk's artificial stupidity system [Richard Stallman's Political Notes]

US citizens: call on Hegseth to cancel the $200-million contract for the use of Musk's artificial stupidity system.

I edited the message not to use the term "artificial intelligence" or "AI", and not to cite the corrupter as an authority on what to do.

Here's how to make the actionnetwork.org letter campaign linked above work without running the site's nonfree JavaScript code. (See https://gnu.org/philosophy/javascript-trap.html for why that issue matters.)

First, make sure you have deactivated JavaScript in your browser or are using the LibreJS plug-in.

I have done the next step for you: I added `?nowrapper=true' to the end of the campaign URL before posting it above. That should bring you to a page that starts with, "Letter campaigns will not work without javascript!"

They indeed won't work without some manual help, but the following simple method seems adequate for many of them, including this one.

To start, fill in the personal information answers in the box on the right side of the page. That's how you say who's sending the letter.

Then click the "START WRITING" button. That will take you to a page that can't function without nonfree JavaScript code. (To ensure it doesn't function perversely by running that nonfree code, you can enable LibreJS or disable JavaScript by visiting that page.) You can finish sending without that code By editing its URL in the browser's address bar, as follows:

First, go to the end and insert `&nowrapper=true'. Then tell the browser to visit that URL. This should give you a version of the page that works without JavaScript. Edit the subject and body of your letter. Finally, click on the "SEND LETTER" button, and you're done.

This method seems to work for letter campaigns that send the letters to a fixed list of recipients, the same recipients for every sender. Editing and revisiting the URL is the only additional step needed to bypass the nonfree JavaScript code. I'm sure you'll agree it is a small effort for the result of supporting the campaign without opening your computer to unjust (and potentially malicious) software.

Urgent: Call on Democratic leadership to back Mamdani [Richard Stallman's Political Notes]

US citizens: call on Jeffries and the Democratic leadership to back Mamdani.

Don't let the Democratic establishment side with AIPAC and billionaire interests over democracy and equality.

Urgent: Tax billionaire wealth gains [Richard Stallman's Political Notes]

US citizens: call on Congress to tax billionaire wealth gains.

If you phone, please spread the word! Main Switchboard: +1-202-224-3121

Urgent: Ban stock trading by members of Congress [Richard Stallman's Political Notes]

US citizens: call on Congress to ban stock trading by members of Congress.

If you phone, please spread the word! Main Switchboard: +1-202-224-3121

UK organisations aiming to support Palestinians have bank accounts frozen [Richard Stallman's Political Notes]

Two UK organisations that aim to support Palestinians have had their bank accounts frozen. They have lost access to their money, without any sort of trial, and without any clear path for recourse.

Facebook data center in rural Georgia [Richard Stallman's Political Notes]

Facebook build a data center in rural Georgia, near some houses, and once it started sucking lots of ground water, those houses' wells dried up.

The company could easily afford to compensate them for this damage, but the law seems to be biased in favor of the data center owner.

The article describes what the data center is doing as "AI", but that is a misleading hype campaign. Probably what it mostly does is run bullshit generators. To call things like chatbots "AI" is to boost that marketing campaign.

Please do as I do and make a distinction between true (albeit narrow) artificial intelligence and bullshit generators.

Brain engagement of people using ChatGPT [Richard Stallman's Political Notes]

A controlled experiment found that people who repeatedly used ChatGPT to do a task (writing essays) manifested less brain engagement, and didn't do the task as well as people who focused their own minds on it.

Australian who worked in the US [Richard Stallman's Political Notes]

An Australian who worked in the US, and lived there with his sweetheart, all with a suitable visa, was inexplicably deported when he returned from a short visit to Australia. It seemed that the border agents did not try to understand that he had permission for what he did.

Now he has been separated from his work, his apartment, his possessions, and his sweetheart — exiled from home with no way to appeal.

The article reveals nothing about him that I would expect border thugs to hate. So why did they do this? It could be that the needed to meet their daily quota. Or maybe management encourages them to persecute people randomly — perhaps to increase the general level of terror.

Does anyone know of further developments in this case?

Hungary opposition figures urge Democrats organize against autocratic takeover [Richard Stallman's Political Notes]

*Hungary opposition figures urge Democrats to organize against autocratic takeover by [the saboteur in chief],* saying that his actions now resemble what Orbán did at the start.

Google deal to buy hydroelectric electricity [Richard Stallman's Political Notes]

Google has made a large deal to buy he electricity produced by existing hydroelectric facilities.

I don't see that this promotes renewable generation or reduces greenhouse emissions at all. The electricity those generators will make would certainly have been used. This deal won't fund development of more.

It will shuffle the money around, as Google buys current from those generators and the rest of us are compelled to buy current from other generators — perhaps at a higher price.

Lunatic plan for income for future State of Palestine [Richard Stallman's Political Notes]

The most lunatic possible plan for income for the future State of Palestine: from exporting fossil gas!

Since Palestine is a hot and arid land, I doubt it will survive till 2100 even if it gets started, unless the world curbs global heating. And neither will the rest of us! Proposing to solve a problem through more fossil fuel extraction is madness.

President Correa of Ecuador famously invited the wealthy to pay Ecuador not to develop a fossil gas deposit — but rather to leave the gas in the ground. The wealthy were not interested in helping to prevent global disaster, so they didn't accept. It shows that the death of billions of non-rich is no skin off their backs.

Increase of Syphilis in the US [Richard Stallman's Political Notes]

Syphilis has been increasing in the US for years, a sign of a generally poor medical system. This includes congenital syphilis, which is easy to prevent if pregnant women receive medical attention — so the increase shows a failure to give them any.

Naturally, the saboteur in chief has wiped out federal programs to help in the measurement, detection and treatment of sexually transmitted diseases.

Digital systems imposed on teachers, students and parents of students [Richard Stallman's Political Notes]

A teacher and parent reproaches schools and the digital systems they imposes on teachers, students, and parents of students.

She complains that using them is a pain. She is not aware that they are also unjust (since they are nonfree client programs, and often talking to surveillance servers).

Sentencing for thug who shot Breonna Taylor [Richard Stallman's Political Notes]

The thug who shot Breonna Taylor (by firing blindly into the house) was convicted for that. The corrupter's "Justice department" recommended sentencing him to supervised release, but the judge disregarded this and sentenced him to three years in prison.

I am glad the judge disregarded the slanted advice, but I have a hunch that the corrupter will pardon that ex-thug. He has pardoned many people for violent crimes committed in causes that he supports.

Reactor operator doing unauthorized work on nuclear plant [Richard Stallman's Political Notes]

When he Nuclear Regulatory Commission found out that a reactor operator was doing work on a nuclear plant that the NRC had not authorized, it said, "Oh dear!".

Ukraine law weakening independence of anticorruption prosecutors [Richard Stallman's Political Notes]

Ukraine passed a law weakening the independence of anticorruption prosecutors.

That is an unfortunate action, but it has no effect on the moral issues about Putin's invasion and Ukraine's independence. I expect Putin will try to use it to prove that he should rule Ukraine, but that would be as irrational as the rest of his propaganda.

Australian man with work visa sent home [Richard Stallman's Political Notes]

An Australian man with a US work visa was working in the US and living there with his sweetheart. He made a short visit home for a funeral ceremony, and border thugs sent him back to Australia, saying nothing coherent that pretended to be a reason.

I speculate that this was part of the push to meet the quota for deportations. I think that each airport has a daily quota for deportations, and agents are supposed to fake reasons when they don't have any real ones.

Imprisonment of reporter Mario Guevara [Richard Stallman's Political Notes]

Reporter Mario Guevara, lawful US resident, was covering a No Kings protest when he was arrested on bogus minor charges. An official dismissed the charges, but the deportation thugs insist on keeping him in prison.

12:21

Kentaro Hayashi: Switching from NVIDIA GPU to AMD GPU [Planet Debian]

Introduction

Recently, I've got a chance to try AMD GPU.

I didn't have experience as a user with AMD GPU, but I felt it was very easy to switch.

How to switch from NVIDIA GPU to AMD GPU?

Here is the steps to migrate from NVIDIA GPU.

(I'm using Debian sid as a daily driver, but the following instructions are also applicable)

Not only nvidia-driver, but also need to say good-bye to CUDA related packages. Anyway, it is important to clean it up.

  • Reboot it!

Ensure without nvidia-driver, it correctly boot with GUI desktop.

Now you can see driver was changed to nouveau module. You can ensure it with lsmod command.

$ lsmod |grep nou
nouveau              3055616  16
mxm_wmi                12288  1 nouveau
drm_gpuvm              45056  1 nouveau
drm_exec               12288  2 drm_gpuvm,nouveau
gpu_sched              65536  1 nouveau
video                  81920  1 nouveau
i2c_algo_bit           16384  1 nouveau
drm_display_helper    274432  1 nouveau
drm_ttm_helper         16384  2 nouveau
ttm                   106496  2 drm_ttm_helper,nouveau
drm_kms_helper        253952  3 drm_display_helper,drm_ttm_helper,nouveau
drm                   774144  14 gpu_sched,drm_kms_helper,drm_exec,drm_gpuvm,drm_display_helper,drm_ttm_helper,ttm,nouveau
wmi                    28672  4 video,wmi_bmof,mxm_wmi,nouveau
button                 24576  1 nouveau
  • Install amdgpu related stuff

Install the following packages.

libdrm-amdgpu1 2.4.124-2
xserver-xorg-video-amdgpu 23.0.0-1
mesa-vulkan-drivers 25.0.7-2
mesa-utils 9.0.0-2+b2
firmware-amd-graphics 20250410-2

Now ready to switch GPU.

I rarely had the opportunity to replace the GPU and in this time need to change power supply as well, it was a bit difficult to do.

Then, graphic driver was changed from nouveau to amdgpu as expected.

$ lsmod | grep amd
amd_atl                57344  1
edac_mce_amd           28672  0
kvm_amd               217088  0
kvm                  1396736  1 kvm_amd
ccp                   163840  1 kvm_amd
amdgpu              14450688  33
amdxcp                 12288  1 amdgpu
drm_exec               12288  1 amdgpu
gpu_sched              65536  1 amdgpu
drm_buddy              20480  1 amdgpu
video                  81920  1 amdgpu
i2c_algo_bit           16384  1 amdgpu
drm_suballoc_helper    12288  1 amdgpu
drm_display_helper    274432  1 amdgpu
drm_ttm_helper         16384  2 amdgpu
ttm                   106496  2 amdgpu,drm_ttm_helper
drm_kms_helper        253952  3 drm_display_helper,amdgpu,drm_ttm_helper
drm                   774144  23 gpu_sched,drm_kms_helper,drm_exec,drm_suballoc_helper,drm_display_helper,drm_buddy,amdgpu,drm_ttm_helper,ttm,amdxcp
crc16                  12288  3 bluetooth,amdgpu,ext4
gpio_amdpt             16384  0
gpio_generic           20480  1 gpio_amdpt

That's all.

Currently, I'm using it on linux-image-6.12.38+deb13-amd64 kernel.

It seems that there is more newer release for firmware-amd-graphics, but no critical issue is found yet.

Conclusion

By switching from NVIDIA GPU, there were some disadvantage that some application does not support AMD GPU yet.

On the positive side, no need to worry about nvidia-driver issues such as #1089513

I just started using AMD GPU, I hope I could help to improve the AMD GPU experience on Debian.

This article was written with Ultimate Hacking Keyboard 60 v2 with Riser 60.

10:35

09:56

Hi beams [Seth's Blog]

(Car dashboards don’t have room to spell out the whole word).

On a country road, late at night, when there are no other cars around, the hi beams are a really useful tool. It’s smart to use them.

As soon as there are other cars, though, they become dangerous. Even a selfish driver realizes that they’ll lose more than they gain if they persist.

Living in community requires us to be a bit less short-term selfish than we might be if we’re on our own.

09:14

Biocide [George Monbiot]

The government’s proposed new rules will allow a flood of toxic chemicals to be sold in the UK.

By George Monbiot, published in the Guardian  23rd July 2025

It’s what the extreme right of the Tory party wanted from Brexit: to tear down crucial public protections, including those that defend us from the most brutal and dangerous forms of capital. The Conservatives lost office before they were able to do their worst. But never mind, because Labour has now picked up the baton.

A month ago, so quietly that most of us missed it, the government published a consultation on deregulating chemicals. While most consultations last for 12 weeks, this one runs for eight, half of which cover the holiday period – it closes on 18 August. The intention is set out at the beginning: to reduce “costs to business”. This, as repeated statements by Keir Starmer make clear, means tearing up the rules.

If, the consultation proposes, a chemical has been approved by a “trusted foreign jurisdiction”, it should be approved for use in the UK. No list is given of what these trusted jurisdictions are. It will be up to ministers to decide: they can add such countries through statutory instruments, which means without full parliamentary scrutiny. In one paragraph the document provides what sounds like an assurance: these jurisdictions should have standards “similar to and at least as high as those in Great Britain”. Three paragraphs later, the assurance is whisked away: the government would be able “to use any evaluation available to it, which it considers reliable, from any foreign jurisdiction”.

In this and other respects, the consultation document is opaque, contradictory, lacking clear safeguards and frankly chilling. Lobbyists will point out that a chemical product has been approved for sale in the US, or Thailand or Honduras, then ask the government to add that country as a trusted jurisdiction. If the government agrees, “domestic evaluation” would be “removed”, meaning that no UK investigation of the product’s health and environmental impacts will be required.

In the US, to give one example, a wide range of dangerous chemical products are approved for uses that are banned here and in many other countries. The government has fired the gun on a race to the bottom.

To make matters worse, once a country has been added to the list of trusted jurisdictions, all the biocidal products it authorises for use could, the consultation says, be “automatically approved” for use here. The proposed new rules, in other words, look like a realisation of the fantasy entertained by the ultra-rightwing Tory MP Jacob Rees-Mogg in 2016: “We could say, if it’s good enough in India, it’s good enough for here … We could take it a very long way.”

There is in fact a means of reducing costs while maintaining high standards: simply mirror EU rules. Though far from perfect, they set the world’s highest standards for chemical regulation. Mirroring them as they evolve would avoid the pointless institutional replication and total regulatory meltdown our chemicals system has suffered since we left the EU. But we can’t have that, as it would mean backtracking on Brexit, which would be BETRAYAL. Adopting the weaker standards of other states at the behest of foreign corporations, by contrast, is the height of patriotism.

The divergence from European standards is likely to mean breaking the terms of the EU-UK trade and cooperation agreement, as well as landing Northern Ireland in an even greater quandary, as it remains in both the EU single market and the UK internal market. In many cases, deregulation delivers bureaucratic chaos.

The consultation also suggests the removal of all expiry dates for the approval of active chemical substances. The default position would be that, as long as a foreign jurisdiction has approved a product, allowing it to be used in the UK, it stays on the books indefinitely. Those arguing that new evidence should lead to its deletion from the approved list would have a mountain to climb. Worse still, the consultation proposes removing any obligation on the Health and Safety Executive to maintain a publicly available database of the harmful properties of chemical substances on the UK market. No wonder they kept it quiet.

Yes, these proposals might reduce costs for business. But the inevitable result is to transfer them to society. Already, we face a massive contamination crisis as a result of regulatory failure in this country, as compounds such as Pfas (“forever chemicals”), microplastics and biocides spread into our lives. If the decontamination of land and water is possible, it will cost hundreds of times more than any profits made by industry as a result of lax rules. In reality, we will carry these costs in our bodies and our ecosystems, indefinitely. The true price is incalculable.

Many have paid with their lives, health, education or livelihoods for previous “bonfires of red tape”: through the Grenfell Tower disaster, filthy rivers, collapsing classrooms, consumer rip-offs and the 2008 financial crisis. But as long as these costs can be shifted off corporate and current government balance sheets, that is deemed a win for business and win for the Treasury.

Earlier this month, the chancellor, Rachel Reeves, told financiers in her Mansion House speech that regulation “acts as a boot on the neck of businesses”. In reality, business acts as a boot on the neck of democracy, a boot the government slathers with kisses.

Before the general election last year, Reeves told an assembly of corporate CEOs: “I hope when you read our manifesto, or see our priorities, that you see your fingerprints all over them.” The catastrophic planning reforms the government is now forcing through parliament were hatched, she told them, at a “smoked salmon and scrambled eggs breakfast” with corporate lobbyists.

This was just one instance of a massive pre-election grovelling offensive, involving hundreds of meetings behind closed doors with corporations, which shaped Labour’s plans and explains so much of what has gone wrong since. The point and purpose of the Labour party was to resist economic warfare by the rich against the rest. Starmer and Reeves have turned their party into the opposite of what it once was.

Capital demands three things at once: that the government strip away the rules defending the public interest from ruthless profit-making; that the government regulate itself with insanely restrictive pledges, such as Reeves’s fiscal rules; and that the public is regulated with ever more draconian laws, such as those restricting protest. It gets what it asks for. Everything must give way to capital, but capital must give way to nothing.

www.monbiot.com

08:14

Age verification [RevK®'s ramblings]

The Online Safety Act is in force to block porn sites accessed in the UK now. You have to prove your age.

There is even a petition to repeal and rework it. Do sign, but we all doubt it will help. Maybe if it gets to millions.

Just to be clear - this legislation does not just impact porn sites, or just adult sites, but millions of sites and services, and there are millions more that may be in scope. This is not something where one can say that compliance is a "cost of doing business" as the vast majority of sites and services in scope are not businesses. They do not have money to comply, or even to get legal advice to find out if they have to comply - get it wrong and they face huge fines. That is the crux of the petition.

Let's stick to porn sites for now.

This is a huge invasion of privacy and a largely pointless exercise as there is no real way to stop teenagers that want to access porn from doing so. In my opinion a better approach is education, and especially on the nature of porn as fantasy and fiction so young people do not get the wrong idea about healthy sexual relationships. Blocking will not work, in my view, but it creates a lot of problems.

  • It does not just impact kids, it impacts everyone.
  • The legislation has huge overreach causing a lot harmless sites to shutdown to avoid the burdens and risk involved. It is not even clear when it applies (what of a shared diary with my wife and nobody else? That seems in scope of risk assessments, at least, as we can each post user content the other sees, and perhaps even AV if anything we add is racy).
  • It creates a norm of proving your ID, or camera access, in order to access many web sites (not just porn sites), so opening the floodgates for scammers. Even if some sites have less intrusive means (see SMS below) there will be scammer sites that insist on camera access.
  • Even when not scammers it creates the risk of a huge databases of sexual preferences linked to real identities being leaked.
  • Teenagers will find ways around it, and even have to help adults to do so (irony!).
  • It is questionable as to the extent that porn is actually harmful in the first place, especially with associated education.
  • Obviously VPNs are a way to bypass as the restrictions are country specific.

So, let's look at what has happened.

I have done a few checks, and the AV falls in to a few categories as to how it works. This is "legit" AV, scammers may be more creative... Actually I have only checked one site which seems to use "age>>go". Some other sites start by insisting on a sign up to the site and creating a login before they do any more checks, which seems intrusive.

But these are some of the "age>>go" choices...

  • A selfie - i.e. allow video/camera access on your device (can you see how that can be abused), and confirm some facial expressions (open mouth). Apparently there are on-line images with expression settings to which you can easily point your camera in order to circumvent this and that is just some games, not even a site set up for this purpose, yet.
  • ID upload, like wow - how can that be abused, but also selfie to match ID. No idea if that copes well with edited images in the ID. I was not going to upload an ID, sorry.
  • An SMS check, sends a code and they confirm the mobile operator has no age restriction.
  • A credit card check. I have not tried this, but they do know kids can have cards? Maybe kids cards are debit not credit cards and that matters somehow. It claims to be a zero value "active card check" - does that show on all card apps? i.e. borrowing a parent's card may work, and leave no trace... Again, I was not going to provide a credit card - but you can see how scam sites will abuse this.

SMS

I looked specifically at the SMS, which concerns me for several reasons. This is, however, by far the least intrusive - as no camera or images or actual ID, just a mobile number.

They take a number and send an SMS with a code to enter, and then do a check with the operator to confirm the number has no age restrictions. This may be an issue in itself - the privacy policy for mobile services can be vague, but sharing whether you have age restrictions with a third party, for a number, is not a clearly identified thing that I can see. So may, in itself, be a GDPR issue.

What they do not immediately say is they then want an email address to which they can send a code. This too is a GDPR issue, as having confirmed you (a) control the number (can get SMS), and (b) the operator confirms no age restrictions, they have no legitimate interest in knowing an email address, and no option to not provide one that works. And this was a "legit" AV site. Scammers will do way more.

What is interesting is the email address has a "remember me" option - but not clear what for. Well, the answer is that you can then verify using "login", i.e. enter the email address and get emailed a code. So the use of the mobile number has now made the email verified with no further need to use the mobile number.

Back of the bike sheds!

This is one of the concerns I had with any age verification system.

So let's assume that..

  • Some teenager happens to have access to a mobile with SMS and no age restriction for some reason, or
  • A sixth former that is 18 has legitimate mobile SMS with no age restriction, or
  • Some guy in a dodgy trench coat has legitimate mobile SMS with no age restriction.

Can they sell (or just give) AV access to horny teenagers?

(Just to be clear, A&A numbers fail to get this to work, the SMS works, but then says you do not have access. This is no surprise as we have no system to allow some third party to check if our SIMs have age restrictions.)

Obviously they can simply provide the code sent to their mobile, and code emailed to them, to their customer to allow them access.

But actually it is even simpler.

Using the mobile number for the first step, and their customer's email address for the second step, the customer tells them the emailed code, or the supplier can tell them the mobile code, either way, but use the customer's email address. Now the customer's email is considered verified, and can be used to login in future without the need for the mobile number. It just needs access to an email address.

By using a domain and mail forwarding the customer's email can be hidden as well, allowing for some ongoing income as the supplier can revoke the mail forwarding at any time.

So yes, this now creates an opportunity for people to exploit others - even adults that want access without giving up any details! Of course those doing the exploiting can be scammy as well, they know the email address, and can even see how often it is used if they wanted.

Testing

I used a mobile (Three data SIM with no age restriction - I am an adult after all) and an email address (one of my @fuck.me.uk addresses) to get access to a dodgy site, yay! But also I can then login using just the email address.

I then did the same, using the same mobile number, but a different email address. This also worked, and both email addresses can now simply login using the email address. I can now forward the second email address to someone else and they can simply login. This has the advantage for them that the site and AV service do not have their details (mobile or real email). No, I am not going to send to a child, obviously.

Now, I do not know if they permanently allow the login or ever re-validate using SMS. It is not even clear how long a site grants access from a login (though clearly at least a day, from my testing).

More data collection

Another issue here is that it allows access to a site to be correlated. With NAT and incognito browsing it is harder to link multiple accesses to be the same person (though browser fingerprinting may allow this). But if there is a login of some sort - or some auth code from the AV service, it can allow all accesses to be linked together, even if not knowing the actual personal identity. With common AV systems it could allow multiple site's accesses to be correlated now without even the need for working cross site cookies / pixels, etc.

05:21

Russ Allbery: Review: The Dragon's Banker [Planet Debian]

Review: The Dragon's Banker, by Scott Warren

Publisher: Scott Warren
Copyright: September 2019
ISBN: 0-578-55292-2
Format: Kindle
Pages: 263

The Dragon's Banker is a self-published stand-alone fantasy novel, set in a secondary world with roughly Renaissance levels of technology and primarily alchemical magic. The version I read includes an unrelated novelette, "Forego Quest." I have the vague impression that this novel shares a world with other fantasy novels by the same author, but I have not read them and never felt like I was missing something important.

Sailor Kelstern is a merchant banker. He earns his livelihood by financing caravans and sea voyages and taking a cut of the profits. He is not part of the primary banking houses of the city; instead, he has a small, personal business with a loyal staff that looks for opportunities the larger houses may have overlooked. As the story opens, he has fallen on hard times due in part to a spectacular falling-out with a previous client and is in desperate need of new opportunities. The jewel-bedecked Lady Arkelai and her quest for private banking services for her father, Lord Alkazarian, may be exactly what he needs. Or it may be a dangerous trap; Sailor has had disastrous past experience with nobles attempting to strong-arm him into their service.

Unbeknownst to Sailor, Lord Alkazarian is even more dangerous than he first appears. He is sitting on a vast hoard of traditional riches whose value is endangered by the rise of new-fangled paper money. He is not at all happy about this development. He is also a dragon.

I, and probably many other people who read this book, picked it up because it was recommended by Matt Levine as a fantasy about finance instead of the normal magical adventuring. I knew it was self-published going in, so I wasn't expecting polished writing. My hope was for interesting finance problems in a fantasy context, similar to the kind of things Matt Levine's newsletter is about: schemes for financing risky voyages, complications around competing ideas of money, macroeconomic risks from dragon hoards, complex derivatives, principal-agent problems, or something similar that goes beyond the (annoyingly superficial) treatment of finance in most fantasy novels.

Unfortunately, what I got was a rather standard fantasy setting and a plot that revolves mostly around creative uses for magical devices, some conventional political skulduggery, and a lot of energetic but rather superficial business hustling. The protagonist is indeed a merchant banker who is in no way a conventional fantasy hero (one of the most taxing parts of Sailor's occasional visits to the dragon is the long hike down to the hoard, or rather the long climb back out), but the most complex financial instrument that appears in this book is straightforward short-selling. Alas. I was looking forward to the book that I hoped this was.

Given my expectations, this was a disappointment. I kept waiting for the finances to get more complicated and interesting, and that kept not happening. Without that expectation, this is... okay, I guess. The writing is adequate but kind of stilted, presumably in an effort to make it sound slightly archaic, and has a strong self-published feel. Sailor is not a bad protagonist, but neither is he all that memorable. I did like some of the world-building, which has an attention to creative uses of bits of magic that readers who like gadget fantasy may appreciate. There are a lot of plot conveniences and coincidences, though, and very little of this is going to feel original to a long-time fantasy reader.

Putting some of the complexity of real Renaissance banking and finance systems into a fantasy world is a great idea, but I've yet to read one that lived up to the potential of the premise. (Neal Stephenson's Baroque Cycle comes the closest; unfortunately, the non-economic parts of that over-long series are full of Stephenson's worst writing habits.) Part of the problem is doubtless that I am reasonably well-read in economics, so my standards are high. Maybe the average reader would be content with a few bits on the perils of investment, a simple treatment of trust in currency, and a mention or two of short-selling, which is what you get in this book.

I am not altogether sorry that I read this, but I wouldn't recommend it. I encourage Matt Levine to read more genre fiction and find some novels with more interesting financial problems!

"Forego Quest": This included novelette, on the other hand, was surprisingly good and raised my overall rating for the book by a full point.

Arturus Kingson is the Chosen One. He is not the Chosen One of a single prophecy or set of prophecies; no, he's the Chosen One of, apparently, all of them, no matter how contradictory, and he wants absolutely nothing to do with any of them. Magical swords litter his path. He has so many scars and birthmarks that they look like a skin condition. Beautiful women approach him in bars. Mysterious cloaked strangers die dramatically in front of him. Owls try to get into his bedroom window. It's all very exhausting, since the universe absolutely refuses to take no for an answer.

There isn't much more to the story than this, but Warren writes it in the first person with just the right tone of exasperated annoyance and gives Arturus a real problem to solve and enough of a plot to provide some structure. I'm usually not a fan of parody stories because too many of them feel like juvenile slapstick. This one is sarcastic instead, which is much more to my taste.

"Forego Quest" goes on perhaps a bit too long, and the ending was not as successful as the rest of the book, but this was a lot of fun and made me laugh. (7)

Rating: 6 out of 10

01:56

Link [Scripting News]

If you had asked a mathematician for advice on the Supreme Court ruling that money is speech, it was a totally foreseeable outcome that money would overwhelm speech, that the only speech would be money. We're right there now.

00:42

Bits from Debian: DebConf25 closes in Brest and DebConf26 announced [Planet Debian]

DebConf25 group photo - click to enlarge

On Saturday 19 July 2025, the annual Debian Developers and Contributors Conference came to a close.

Over 443 attendees representing 50 countries from around the world came together for a combined 169 events (including some which took place during the DebCamp) including more than 50 Talks, 39 Short Talks, 5 Discussions, 59 Birds of a Feather sessions ("BoF" – informal meeting between developers and users), 10 workshops, and activities in support of furthering our distribution and free software, learning from our mentors and peers, building our community, and having a bit of fun.

The conference was preceded by the annual DebCamp hacking session held 7 through 13 July where Debian Developers and Contributors convened to focus on their individual Debian-related projects or work in team sprints geared toward in-person collaboration in developing Debian.

This year, a session was dedicated to prepare the BoF "Dealing with Dormant Packages: Ensuring Debian's High Standards"; another, at the initiative of our DPL, to prepare suggestions for the BoF “Package Acceptance in Debian: Challenges and Opportunities"; and an afternoon around Salsa-CI.

As has been the case for several years, a special effort has been made to welcome newcomers and help them become familiar with Debian and DebConf by organizing a sprint "New Contributors Onboarding" every day of Debcamp, followed more informally by mentorship during DebConf.

The actual Debian Developers Conference started on Monday 14 July 2025.

In addition to the traditional "Bits from the DPL" talk, the continuous key-signing party, lightning talks, and the announcement of next year's DebConf26, there were several update sessions shared by internal projects and teams.

Many of the hosted discussion sessions were presented by our technical core teams with the usual and useful "Meet the Technical Committee", the "What's New in the Linux Kernel" session, and a set of BoFs about Debian packaging policy and Debian infrastructure. Thus, more than a quarter of the discussions dealt with this theme, including talks about our tools and Debian's archive processes. Internationalization and Localization have been the subject of several talks. The Python, Perl, Ruby, Go, and Rust programming language teams also shared updates on their work and efforts. Several talks have covered Debian Blends and Debian-derived distributions and other talks addressed the issue of Debian and AI.

More than 17 BoFs and talks about community, diversity, and local outreach highlighted the work of various teams involved in not just the technical but also the social aspect of our community; four women who have made contributions to Debian through their artwork in recent years presented their work.

The one-day session "DebConf 2025 Academic Track!", organized in collaboration with the IRISA laboratory was the first session welcoming fellow academics at DebConf, bringing together around ten presentations.

The schedule was updated each day with planned and ad hoc activities introduced by attendees over the course of the conference. Several traditional activities took place: a job fair, a poetry performance, the traditional Cheese and Wine party (this year with cider as well), the Group Photos, and the Day Trips.

For those who were not able to attend, most of the talks and sessions were broadcasted live and recorded; currently the videos are made available through this link.

Almost all of the sessions facilitated remote participation via IRC and Matrix messaging apps or online collaborative text documents which allowed remote attendees to "be in the room" to ask questions or share comments with the speaker or assembled audience.

DebConf25 saw over 441 T-shirts, 3 day trips, and up to 315 meals planned per day.

All of these events, activities, conversations, and streams coupled with our love, interest, and participation in Debian and F/OSS certainly made this conference an overall success both here in Brest, France and online around the world.

The DebConf25 website will remain active for archival purposes and will continue to offer links to the presentations and videos of talks and events.

Next year, DebConf26 will be held in Santa Fe, Argentina, likely in July. As tradition follows before the next DebConf the local organizers in Argentina will start the conference activities with DebCamp with a particular focus on individual and team work towards improving the distribution.

DebConf is committed to a safe and welcome environment for all participants. See the web page about the Code of Conduct on the DebConf25 website for more details on this.

Debian thanks the commitment of numerous sponsors to support DebConf25, particularly our Platinum Sponsors: AMD, EDF, Infomaniak, Proxmox, and Viridien.

We also wish to thank our Video and Infrastructure teams, the DebConf25 and DebConf committees, our host nation of France, and each and every person who helped contribute to this event and to Debian overall.

Thank you all for your work in helping Debian continue to be "The Universal Operating System".

See you next year!

About Debian

The Debian Project was founded in 1993 by Ian Murdock to be a truly free community project. Since then the project has grown to be one of the largest and most influential Open Source projects. Thousands of volunteers from all over the world work together to create and maintain Debian software. Available in 70 languages, and supporting a huge range of computer types, Debian calls itself the universal operating system.

About DebConf

DebConf is the Debian Project's developer conference. In addition to a full schedule of technical, social and policy talks, DebConf provides an opportunity for developers, contributors and other interested people to meet in person and work together more closely. It has taken place annually since 2000 in locations as varied as Scotland, Bosnia and Herzegovina, India, Korea. More information about DebConf is available from https://debconf.org/.

About AMD

The AMD ROCm platform includes programming models, tools, compilers, libraries, and runtimes for AI and HPC solution development on AMD GPUs. Debian is an officially supported platform for AMD ROCm and a growing number of components are now included directly in the Debian distribution. For more than 55 years AMD has driven innovation in high-performance computing, graphics and visualization technologies. AMD is deeply committed to supporting and contributing to open-source projects, foundations, and open-standards organizations, taking pride in fostering innovation and collaboration within the open-source community.

About EDF

EDF is a leading global utility company focused on low-carbon power generation. The group uses advanced engineering and scientific computing tools to drive innovation and efficiency in its operations, especially in nuclear power plant design and safety assessment. Since 2003, the EDF Group has been using Debian as its main scientific computing environment. Debian's focus on stability and reproducibility ensures that EDF's calculations and simulations produce consistent and accurate results.

About Infomaniak

Infomaniak is Switzerland's leading developer of Web technologies. With operations all over Europe and based exclusively in Switzerland, the company designs and manages its own data centers powered by 100% renewable energy, and develops all its solutions locally, without outsourcing. With millions of users and the trust of public and private organizations across Europe - such as RTBF, the United Nations, central banks, over 3,000 radio and TV stations, as well as numerous cities and security bodies - Infomaniak stands for sovereign, sustainable and independent digital technology. The company offers a complete suite of collaborative tools, cloud hosting, streaming, marketing and events solutions, while being owned by its employees and self-financed exclusively by its customers.

About Proxmox

Proxmox develops powerful, yet easy-to-use Open Source server software. The product portfolio from Proxmox, including server virtualization, backup, and email security, helps companies of any size, sector, or industry to simplify their IT infrastructures. The Proxmox solutions are built on Debian, we are happy that they give back to the community by sponsoring DebConf25.

About Viridien

Viridien is an advanced technology, digital and Earth data company that pushes the boundaries of science for a more prosperous and sustainable future. Viridien has been using Debian-based systems to power most of its HPC infrastructure and its cloud platform since 2009 and currently employs two active Debian Project Members.

Contact Information

For further information, please visit the DebConf25 web page at https://debconf25.debconf.org/ or send mail to press@debian.org.

00:07

Bias efforts in LLM models [Richard Stallman's Political Notes]

The bully is getting exercised about biases in LLM output, when they don't align with his biases, so he seeks the power to punish their developers for it.

He also objected to the term "artificial intelligence" on the grounds that "artificial" has negative connotation. However, no one can deny that these systems are artificial — they were designed and made by humans. It's "intelligence" that misrepresents them.

Let's call them "bullshit generators"; that avoids both of those words and is more accurate as a description.

Holding a sign as a crime, UK [Richard Stallman's Political Notes]

British thugs violently arrested protester Susan White, 74 years old and fragile, for holding some sort of sign. I have not seen a concrete description of what the sign said, but thugs interpreted it as support for Palestine Action. Thus, the act of blackwhiting that declared Palestine Action to be "terrorist" has thus provided an excuse for additional, similar blackwhiting.

Terrorism is a crime. It is fundamentally unjust to label a group (or individual) as "terrorist" without a fair trial.

Ms White has been placed under house arrest, not officially but in a disguised, dishonest fashion: she is forbidden to go to Liverpool Center, but outside her door is Liverpool Center, so she can't leave.

The authorities didn't provide her with a jetpack with which to fly to a point outside Liverpool Center. But I have a feeling she could not use it. She says she has injuries from the attack; I presume she needs to visit clinics and pharmacies. Is that forbidden too?

Censoring "60 minutes" show [Richard Stallman's Political Notes]

CBS gave the bully the power to censor 60 Minutes; the producer resigned in protest.

Testing of raw milk deregulated [Richard Stallman's Political Notes]

The FDA has discontinued some tests for milk and dairy products, as well as testing for bird flu in cows, due to the reductions in staff that the DOSE inflicted.

Saturday, 26 July

19:35

Pluralistic: Iranian brickwork, arbitrated pillows, smothered comics, and aerogel desalination (26 Jul 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


A framegrab of Tommy and Dicky Smothers mid-act, with Tommy looked baffled and Dicky looking irritated; the image has been roughed up with static and CRT scanlines, and slightly desaturated. It is set in a wooden frame that is elaborately illustrated with scenes of antiquity - marble angels at the corners, magi and sojourners acting out scenes around all four sides.

Iranian brickwork, arbitrated pillows, smothered comics, and aerogel desalination (permalink)

This is the 2^5th instance on which I find myself confronting a Saturday morning on which I have a zillion links that didn't make it into the week's newsletter, occasioning a linkdump post; here are the previous 31 installments:

https://pluralistic.net/tag/linkdump/

I like to start these with good news, which is often hard to find these days, but here's something genuinely cool: an aerogel that can desalinate salt water using only radiant solar energy for power:

https://arstechnica.com/science/2025/07/this-aerogel-and-some-sun-could-make-saltwater-drinkable/

Aerogels are ultralight materials made of carbon nanotubes; they're incredibly cheap to manufacture in bulk, and each one can have different properties, depending on the deposition and geometry of the 'tubes. The tech is described by Hong Kong Polytechnic University's Xi Shen in ACS Energy Letters:

https://pubs.acs.org/doi/10.1021/acsenergylett.5c01233?ref=pdf

You put the gel in some salt water (which can also be contaminated with pathogens, apparently) and it acts as a porous evaporator, causing pure water vapor to rise out of the mass, which can be condensed and drunk. It's not clear how many times you can do this with a given aerogel, but it's exciting stuff.

Moving from aerogel to air travel: an Air Canada passenger named Linda Royle was forced to check her carry-on on a stopover in Toronto. Someone stole her bag and Air Canada refused to compensate her for it (they disqualified her because she couldn't provide original receipts for the shoes she'd bought five years previously). That's frustrating, of course, but what happened next is a lot weirder: she got a call from a pharmacist in St John's, Newfoundland who had been entrusted with her missing bag by Air Canada, on the grounds that they didn't know who it belonged to, and they thought the pharmacist could use the labels on her prescription meds to track her down.

That's not even the weird part! When Linda Royle recovered her bag, she discovered that someone had stolen a bunch of stuff out of it, and replaced it toilet bags belonging to two strangers, a knife, and an Air Canada ticket scanner:

https://www.cbc.ca/news/canada/newfoundland-labrador/air-canada-mystery-baggage-1.7592756

After this hit the news, Air Canada suddenly discovered that it was allowed to reimburse her for her stolen stuff even though she hadn't saved all her receipts. This is all about par for the course with Air Canada, an airline that is violently allergic to both checked baggage and customer service.

Air Canada is the airline that was discovered to have a warehouse full of "lost" bags next to Toronto Pearson Airport, none of which they bothered to reunite passengers with, donating the bags to local charities instead:

https://ca.news.yahoo.com/air-canada-passengers-complain-lost-144243835.html

Despite this, the airline registered very few customer complaints. That's because they've fired so many of their customer service reps and replaced them with AI chatbots whose florid "hallucinations" give fliers all kinds of wrong advice, which Air Canada refuses to make up for unless passengers pursue them through several rounds of appeal and then escalate to a government ombudsman:

https://www.forbes.com/sites/marisagarcia/2024/02/19/what-air-canada-lost-in-remarkable-lying-ai-chatbot-case/

Can't register complaints if you fire all the customer service reps and replace them with malfing dogshit chatbots, amirite?

But you don't have to fire all your customer service reps or invest in chatbots to create an all-consuming accountability sink that can absorb all the risk you create by screwing over your customers. The easiest way to do that is to stick a "binding arbitration" waiver in your terms of service that takes away your customer's right to sue, no matter how much harm you inflict on them.

It's getting harder and harder to move through the world without surrendering your legal rights these days. I've had to walk away from doctors, dentists, taxi companies, solar installers, and car rental companies because they wanted me to click away my right to sue as a condition of doing business with them. What's the point of a system of civil justice if everyone in a position to harm you can force you to swear off using it?

It would be different if arbitration was fair, but "he who pays the piper calls the tune" – that is, arbitrators almost always rule in favor of the corporation that's paying them, no matter how they've screwed over the other party. There are a few exceptions, but things have to be really egregious for this to be the case – as with the Fox show Bones, whose cast were so utterly screwed by Fox that the arbitrator awarded them $179m, issuing a scathing ruling that called out individual Fox execs for their scumbag conduct:

https://variety.com/2019/biz/news/fox-bones-arbitration-emily-deschanel-179-million-1203150879/

But while the corporate-friendly judiciary has a long history of forcing everyday people into arbitration when they get maimed or cheated by a capitalist enterprise, these same judges are always happy to set aside arbitrator's judgements when they go in favor of the little guy, which is exactly what happened with Bones:

https://variety.com/2019/biz/news/bones-arbitration-against-fox-1203200504/

That wasn't the last judge to experience a sudden attack of skepticism for arbitrators' decisions in the face of an adverse outcome for some corporate scumbag. This week, the Eight Circuit overturned a $5m arbitration award that Mike "Mypillow" Lindell was ordered to pay after he lost a bet about whether the 2020 election was stolen:

https://www.creditslips.org/creditslips/2025/07/arbitration-for-thee-but-not-for-mike-lindell.html

Lindell offered $5m to anyone who could prove the 2020 election wasn't stolen. A software developer named Robert Zeidman analyzed the voting machine logs that Lindell used as the basis for his claims and showed that Lindell was full of shit. An arbitrator agreed, and ordered Lindell to pay $5m.

The Eight Circuit, meanwhile, decided that the arbitrator "exceeded their powers" and set aside the award. As Credit Slips' Bob Lawless writes, it would be nice if this meant that the next time you were hurt by a dentist, a doctor, a solar installer, a rental car agency, or a taxi company, you could get out of arbitration, but he's not holding his breath: "Something tells me, however, that might not be the case in a more routine consumer dispute."

The house always wins. That's true even when the player is trying to build a casino! In her latest newsletter, Ann Pettifor writes about how "Capitalism Devours Crypto":

https://annpettifor.substack.com/p/capitalism-devours-crypto

Pettifor's writing about the institutional formalization of "Stablecoins," a form of wildcat money that is a modern update of the "narrow bank" notes that triggered a series of financial panics in the 1830s, wiping out a sizable fraction of the US economy. The GENIUS Act, which brings Stablecoins into a legal framework, has helped inflate a crypto bubble worth $4t.

Key to this bubble is to make crypto into a form of government-backed (but only barely regulated) asset, with one of the primary beneficiaries being World Liberty Financial, a company owned by the President of the United States. Other beneficiaries include Michael Saylor's "Strategy" (formerly Microstrategy), whose actual strategy is to sell shares and bonds to buy bitcoin, then use the rising price of bitcoin to issue more paper that it can use to buy more bitcoin, and so on. This is exactly how the South Sea Company ran its operation, leading to yet another global financial cataclysm:

https://www.ft.com/content/45d7c547-f686-4162-bfc3-56d609003bbb

A technology regulated by the US government and heavily manipulated by the US president is the polar opposite of the libertarian rhetoric in Satoshi's original bitcoin white paper, which bitcoin bros cite as gospel when explaining how they're doing something truly different this time.

Pettifor says that crypto is different from Beanie Babies and other bubbles – because this time, the president is in on the scam.

Speaking of the crypto bubble, one striking feature of this bubble is how many of its key players are also involved in pumping up the AI bubble. The AI bubble is a different kind of sleaze from the crypto bubble, but it's every bit as sleazy.

Ever since Openai and Trump's splashy announcement of the $500b "Stargate" plan to build AI data-centers, Ed Zitron, one of the great tech debullshitifiers, has been taking pointed notice of just how vaporous this plan is. In his latest investigation, Zitron shows how the supine tech press has played credulous stenographer to Sam Altman and Softbank in helping to sell a clearly bogus claim about Softbank's investment in Stargate:

https://www.wheresyoured.at/softbank-openai/

Everyone from the Wall Street Journal to Bloomberg on down took Sam Altman at his word when he claimed that a new data-center in Abilene, TX was a) part of Stargate, and b) funded by Softbank.

The thing is, neither of these are true. As confirmed by the data-center's own developers, "Softbank is not and has not been involved in the funding for its construction." Softbank is the exclusive trademark holder for Stargate, and Stargate has no legal entity apart from this trademark, so this data-center is not part of Stargate, despite widespread press coverage to the contrary.

What's more, there are no other data-centers on the horizon that are part of Stargate. Which is to say that Stargate, the $500b AI data center program, doesn't actually exist.

Zitron:

Stargate does not exist other than as a name that Sam Altman gives things to make them feel more special than they are, and SoftBank was never involved. Stargate does not exist as reported.

One of the reasons I love Zitron's work so much is that he actually really likes technology and aspires to a world where the promise of technology as a force for human thriving and betterment can be realized. That's what animates me, too, which is why I was so excited to read "Designing Sousveillance Tools for Gig Workers," a paper by a group of computer scientists who worked closely with gig workers to create a design framework for technology that helps workers get the upper hand over their bosses:

https://arxiv.org/pdf/2403.09986

The researcher describe a radical, careful methodology grounded in co-creation, led by the users – the workers – in dialog with the tech experts. The paper's preamble, which sets out the concept of "ethics of care" is almost as interesting as the recommendations that the workers and researchers create together.

One of those researchers is Saiph Savage, who is the co-organizer of next week's ACM Collective Intelligence conference in San Diego, where I'm giving the evening keynote on Aug 5:

https://ci.acm.org/2025/speakers/cory-doctorow/

And speaking of a) great tech events and b) an ethic of care, everyone who can get to New York from Aug 15-17 should absolutely plan on attending Hackers on Planet Earth (HOPE) in Queen's. HOPE is one of the oldest hacker cons in the world, organized by the 2600 Magazine folks, and it is human-scaled, human-centric, and dedicated to liberation through technology.

HOPE has just announced a bunch of student scholarships, so if you're not able to come up with the door fee (or the heavily discounted streaming-only ticket), HOPE is still something you can do!

https://www.2600.com/content/hope-updates-more-speakers-and-student-scholarships

One of the things I adore about hacker cons is the way they embody the hacker ethic that every 10 foot wall that some stupid corporation builds around your tech should be met with an 11 foot ladder. The ability of technologists to disenshittify the tools we love is key to resisting enshittification:

https://pluralistic.net/2025/07/23/resto-modding/#itch-scratchers-r-us

Here's a 10 foot wall that I'd love to see comprehensively scaled: Eschelon, maker of "smart" home gym equipment, just remote-fucked all of the hardware its customers had purchased by pushing out a software downgrade:

https://arstechnica.com/gadgets/2025/07/firmware-update-hinders-echelon-smart-home-gym-equipments-ability-to-work-offline/

The downgrade breaks compatibility with apps like QZ, which allow you to connect your Eschelon gear to third-party services like Zwift, which "shows people virtual, scenic worlds while they’re exercising." QZ also lets Eschelon owners make their workouts better in other ways, like automating resistance adjustments.

By blocking QZ, Eschelon can force its customers to sign up for its own, inferior $40/month service. When companies pull scams like this, they often claim that they need to do so in order to remain in business, but here's some even worse news: thanks to the new software that Eschelon just forced into its customers' devices, these devices will no longer be able to run at all if Eschelon goes out of business. This is a bad design under any circumstances, but when deployed by a company that is sufficiently desperate to rug its customers in this way, it's a dismal sign indeed. At this point, you'd have to be pretty gullible to buy a new Eschelon device, given the strong likelihood that both the company and its products are headed for the scrapheap.

This is classic enshittification, of course, a subject I'm so obsessed with that I've written an entire book about it, which drops on October 7:

https://us.macmillan.com/books/9780374619329/enshittification/

The early reviews are rolling in for the book now, starting with Booklist:

This is Doctorow in full-on angry author mode; he pulls no punches here, naming names and calling out guilty parties . . . Readers will be upset, informed, and inflamed.

Not to be outdone, Publishers Weekly writes:

A razor-sharp yet subtly optimistic look at the soul-sucking state of the internet.

https://www.publishersweekly.com/9780374619329

Meanwhile, Nobel laureate Paul Krugman writes,

Cory Doctorow’s neologism was an instant hit, neatly encapsulating the public’s growing disappointment, sometimes bordering on rage, with what was happening to internet platforms. His pithy summary of the process was also brilliant.

https://paulkrugman.substack.com/p/the-general-theory-of-enshittification?utm_source=post-email-title&publication_id=277517&post_id=169092636&utm_campaign=email-post-title&isFreemail=false&r=444vl&triedRedirect=true&utm_medium=email

I'm heading out on tour with this one in October, hitting the US (Seattle, Boston, DC, NYC, NOLA, Chicago, LA, PDX, Miami and Madison, CT), Canada (Vancouver, Calgary, Montreal, Ottawa and Toronto); and the UK (London, Hay, and possibly Glasgow).

With all that travel on the horizon, it's time to draw this linkdump to a close, but I'll leave you with a couple of lighter stories as palette-cleansers. First, there's "Smothered," a documentary about the cancellation of the Smothers Brothers streaming free at the Internet Archive:

https://archive.org/details/smothered-the-censorship-struggles-of-the-smothers-brothers-comedy-hour-2002

The Smothers Brothers were a musical comedy act who worked savage political commentary into their act, and when they refused to pull their punches, CBS's president canceled their show, for fear of pissing off Richard Nixon, a thin-skinned, authoritarian, dishonest vindictive Republican president. What I'm getting at here, is that Colbert is in good company.

Here's a couple of my favorite Smothers Brothers bits: first, the classic "Mom Always Liked You Best," which my Dad used to recite all the time when I was growing up, until we could all hit the line "Bark, chicken, bark" at the drop of a hat:

https://www.youtube.com/watch?v=uXH_hFqBPCs

And then there's "Chirp Goes the Nighinngale," which my daughter and I used to sing at bedtime after I read her a story, which would reduce us to tears of laughter:

https://www.youtube.com/watch?v=DZ1NfuHphOw

Finally, as a little digestif, please enjoy this article by Kate "McMansion Hell" Wagner on the miracle of modern Iranian brickwork, one of the most exciting new developments in architecture of this century (notwithstanding that the US is determined to bomb it all into rubble):

https://www.thenation.com/article/culture/iranian-brick-architecture/


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Canadian telco that blocked union websites is breaking all kinds of laws https://web.archive.org/web/20051028181259/http://www.michaelgeist.ca/index.php?option=com_content&task=view&id=914&Itemid=85&nsub=

#20yrsago Damning Sony payola memos: “I’m a whore this week” https://somafm.com/payola/payola2.pdf

#15yrsago What “curated computing” can and can’t deliver https://www.theguardian.com/technology/2010/jul/27/curated-computing-environment-apps-choice

#15yrsago UK govt proposes volunteer “police reserve” https://www.theguardian.com/uk/2010/jul/26/cameron-budget-cuts-diy-policing

#15yrsago Street-Fighting Math: down and dirty guide to approximation and problem-solving https://web.archive.org/web/20100605090020/https://mitpress.mit.edu/catalog/item/default.asp?ttype=2&tid=12156

#15yrsago EFF wins enormous victory against DRM: legal to jailbreak iPhones, rip DVDs for mashup videos https://memex.craphound.com/2010/07/26/eff-wins-enormous-victory-against-drm-legal-to-jailbreak-iphones-rip-dvds-for-mashup-videos/

#5yrsago Lovely video review for Poesy the Monster Slayer https://pluralistic.net/2020/07/26/fierce-slayer/#fierce-poesy

#5yrsago Green Growth https://pluralistic.net/2020/07/26/fierce-slayer/#green-growth

#1yrago Fintech bullies stole your kid's lunch money https://pluralistic.net/2024/07/26/taanstafl/#stay-hungry

#20yrsago How Craigslist changed NYC https://web.archive.org/web/20050727011010/http://www.newyorkmetro.com/nymetro/news/people/columns/intelligencer/12348/

#20yrsago Game-modder rips into anti-modder US politicos https://web.archive.org/web/20050728003228/https://illspirit.com/press_release.html

#20yrsago War on Terror as a series of Unix shell interactions https://web.archive.org/web/20050806083457/http://blogs.sun.com/roller/page/ThinGuy?entry=the_war_on_terror_as

#20yrsago TSA Secure Flight: criminal disaster https://www.schneier.com/blog/archives/2005/07/secure_flight.html

#20yrsago Promise TV — PVR records a month’s worth of shows from all channels https://web.archive.org/web/20050811011823/http://promise.tv/

#15yrsago Federal judge says you can break DRM if you’re not doing so to infringe copyright https://web.archive.org/web/20100728090500/https://www.courthousenews.com/2010/07/23/29099.htm

#15yrsago Existential D&D comedy: when characters realize they are trapped in adolescents’ imagination https://carltonmellick.com/2010/07/01/out-now-the-kobold-wizards-dildo-of-enlightenment-2/

#15yrsago Terrified guardians of public safety protect kids from rocks, other imaginary dangers https://www.forbes.com/2010/07/21/consumer-product-safety-hazard-opinions-columnist-lenore-skenazy.html

#10yrsago Chrysler has to recall its cars due to security vulnerabilities https://web.archive.org/web/20150728041105/http://www.siliconvalley.com/news/ci_28532995/fiat-chrysler-recalls-1-4m-vehicles-prevent-hacking

#10yrsago Jamaica’s new copyright means Jamaicans pay for reggae the rest of the world gets free https://www.eff.org/deeplinks/2015/07/anatomy-copyright-coup-jamaicas-public-domain-plundered

#10yrsago Georgia sues Carl Malamud, calls publishing state laws “terrorism” https://www.techdirt.com/2015/07/24/state-georgia-sues-carl-malamud-copyright-infringement-publishing-states-own-laws/

#10yrsago Explosion at NIST offices was a meth lab https://nymag.com/intelligencer/2015/07/meth-lab-explodes-inside-government-building.html

#10yrsago If phones were designed to please their owners, rather than corporations https://vimeo.com/134128443

#10yrsago London terror cops forced to admit they’re still investigating journos who reported Snowden leaks https://theintercept.com/2015/07/24/uk-met-police-snowden-investigation-journalists/

#10yrsago Darth Vibrader: a Vader mannequin made from sex toys https://www.huffpost.com/entry/porn-star-kayla-jane-danger-builds-sex-toy-darth-vader-nsfw_n_55afdbc3e4b0a9b948535810

#10yrsago How .uk came to be (and why it’s not .gb) https://web.archive.org/web/20150910044243/https://30yearsof.uk/the-birth-of-uk-an-oral-history-ab3ebc0e499f

#5yrsago Mass market book sales surge https://pluralistic.net/2020/07/24/software-is-cake-too/#massmarket

#5yrsago Private equity doesn't create value, it destroys it https://pluralistic.net/2020/07/24/software-is-cake-too/#looters

#5yrsago Changes coming to UK's feudal "leaseholds https://pluralistic.net/2020/07/24/software-is-cake-too/#neofeudalism

#5yrsago Facebook's morale problem https://pluralistic.net/2020/07/24/software-is-cake-too/#eichmanns-and-oppenheimers

#5yrsago 401(k)s are a scam https://pluralistic.net/2020/07/25/derechos-humanos/#are-there-no-poorhouses

#5yrsago Central London property prices tank https://pluralistic.net/2020/07/25/derechos-humanos/#innit

#5yrsago US copyright is a disaster for Mexico https://pluralistic.net/2020/07/25/derechos-humanos/#hecho-en-mexico

#1yrago AI's productivity theater https://pluralistic.net/2024/07/25/accountability-sinks/#work-harder-not-smarter

#1yrago FTC vs surveillance pricing https://pluralistic.net/2024/07/24/gouging-the-all-seeing-eye/#i-spy

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Canny Valley: A limited edition collection of the collages I create for Pluralistic, self-published, September 2025

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026

  • The Reverse-Centaur's Guide to AI, a short book about being a better AI critic, Farrar, Straus and Giroux, 2026


Colophon (permalink)

Today's top sources: Roz Doctorow, Hacker News (https://news.ycombinator.com/), Naked Capitalism (https://www.nakedcapitalism.com/), Dr Savage (https://www.saiph.org/).

Currently writing:

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. (1005 words yesterday, 10190 words total).

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

14:28

Bloody Amazon [RevK®'s ramblings]

Once again, weeks of seller support tickets on Amazon.

The problem - re-use of an EAN - a simple matter.

What is an EAN?

A European Article Number, known now as a Global Trade Item Number (GTIN-13), is a code used on a barcode on a product. They are issued in blocks by GS1. We have a block. We assign to products. UPC (Universal Product code) is the same system.

Reusing an EAN?

When a product is discontinued, there is no reason for that EAN to stay assigned to the discontinued product and so it can be re-used. Or can it?

GS1 did have stuff on re-use of EANs, and time frames for discontinued products before reuse. But apparently now they recognise that platforms assign an EAN more permanently to a product record and they may not be recyclable. So they have changed policy on this!

This is interesting - EAN/UPC used to be assigned for a one-off fee and that was it, but GS1 assign on a rental basis.This year they seem to have doubled the price, even. In theory when you stop the contract, they can assign the block to someone else. But based on this new policy, they cannot - so why do we have a rental? The idea being one could get a block, use it, cease it, but know it can never be re-assigned to keep using for free. Well not quite, there was a contract which continues to say you cannot use once ceased. OK, but a different legal entity could use the codes now, knowing they will never be re-assigned to someone else. Yes, I asked GS1 this. No reply yet.

Basically the idea of GS1 codes being rented only works if they can be reassigned. If they can no longer be reassigned, then rental makes no sense. Also, they will run out with such a policy (which is why rental came in, AFAIK).

Just to be clear, GS1 retain all rights to the numbers they allocate, but I asked, and they could not say, what rights they are! They are not covered by copyright, trademark, patent or any legal framework of which I am aware. They have no rights that I can see apart from contract (which is only with contracting parties).

Amazon

So, Amazon use the EAN barcode, yay. We had a product, with an EAN, sold some, discontinued, and some time later I re-assigned the EAN two a new product. One would expect Amazon to have a process to handle this. It is not an odd thing to do AFAIK.

But I cannot make a new listing, as the description does not match that of the old, deleted, listing.

The issue is the total ineptitude of Amazon seller support...

  • Told yes, I am entitled to re-assign an EAN as a GS1 holder (good)
  • Told the existing ASIN+EAN cannot be deleted, so tough, so no new listing
  • Told the EAN cannot be removed from the existing ASIN, so no new listing
  • Told the EAN can be removed from the ASIN, but I have to report a violation (i.e. someone misusing our EAN). So I did that.
  • Told eventually (many times over many days) the EAN has been removed from the ASIN, so should work to make a new listing (it did not).
  • Told that an EAN cannot be re-assigned, tough. I asked if they lied before or are lying now.
  • Now told the ASIN can be deleted, and that will fix, but I have to re-make the listing and then do some spreadsheet update to delete the ASIN. That is going to be fun, and no clue if it will fix.

In my view this should be simple - we prove we hold the GS1 allocation (easy), we state the (unused) ASIN+EAN is no longer valid - Amazon delete it (or remove EAN) - we make a new listing.

To be clear, if they had a system that an EAN was always stuck to a description, and were actually consistent in that, and GS1 agreed (which they sort of do), then that would be annoying but not as bad as this - they keep giving hope it can be (or even, has been) fixed, and then changing their damn mind.

But no, Amazon seller support is, without fail, a battle at every step of the way, every fucking time.

Update

I have someone with windows and Excel to try this... They made the file to upload. Thanks. But...

  • They say "Create listings with a spreadsheet in any format - Al will convert it for you." Nice.
  • They say "Accepted file formats: Excel, TSV" nice
  • I load an excel file and they say "File Type: Inventory Loader File (Automatically detected)"
  • They then say "Please upload a tab-delimited text file (file format txt or .tsv).  This feed does not support the type of file you uploaded. If you're using Excel, please convert it to a tab-separate file by following these instructions."

So yes, upload any file AI will sort, or upload excel file, and we recognise you uploaded an excel file that is an inventory loader file, but a final FUCK YOU you have to load text or TSV.

I mean what that actual fuck. We loaded a TSV, it may have worked, watch this space!

11:49

Gang prison descriptions, SLV [Richard Stallman's Political Notes]

Venezuelans that the bully deported to El Salvador to be imprisoned for months in the special prison for alleged gangsters report on the special cruelty and violence carried out there. They made this report after being sent to Venezuela.

It is unjust to subject anyone to that, no matter how heinous per crimes. Even the corrupter and his officials do not deserve it.

Rightwing canceling of citizenships [Richard Stallman's Political Notes]

Right-wing politicians in various countries are proposing to cancel citizenship of dual nationals if they are convicted of crimes.

This says to all dual nationals, "You don't really belong here, so we will exile you if you do anything wrong." It is an effective way of drumming up hatred of immigrants, which right-wing haters can take advantage of.

France already has legislated this for terrorism.

Deregulating US product safety [Richard Stallman's Political Notes]

*The US supreme court let Donald Trump on Wednesday remove three Democratic members of the government’s top consumer product safety watchdog, boosting his power over federal agencies set up by Congress to be independent from presidential control.*

This decision strikes directly at a part of the system of checks and balances, explicitly set up by Congress and the then president.

ICE secretly deports green card holder [Richard Stallman's Political Notes]

Chilean Luis León received asylum in the US; but recently he lost the physical green card that represented his right to live in the US. He visited the INS to get a replacement. The deportation thugs were waiting; they jailed him and deported him to Guatemala, failed to make any record of doing so, and told the family that León was dead.

I don't think such a chain of nonstandard events could happen by mistake. Some official must have decided to break rules in order to cause suffering. A variety of such incidents have happened this year, all different. The only explanation I can think of is that magats have encouraged the deportation thugs to use their imagination to invent new ways to make immigrants suffer.

Every official who participated in choosing this treatment of Mr. León ought to be fired, at least. Their mission is to do their work justly, not cruelly, and they neglected that completely.

I have a theory that might explain part of it. it is standard practice nowadays to arrange for an authorized immigrant to come to an appointment as w way to arrest per. When León made that appointment, officials could have seen some irregularity and chosen to respond in the most horrible way.

I wonder why Guatemala accepted a Chilean deported by the US, and why they didn't send him to Chile, now that that country respects human rights and is no longer the murderous dictatorship he fled in 1987.

UK channel crossings [Richard Stallman's Political Notes]

If the UK wants to discourage refugees from crossing the Channel in small overloaded boats, it needs to convince them long before they reach the French shore. By that time, they have put themselves in great debt for the channel crossing and can't afford to change plans.

Those refugees generally do not come from Europe. I wonder if they had to put themselves in unbearable debt just for the first stage, getting into the EU.

Weaponized FCC [Richard Stallman's Political Notes]

The bully has weaponized the FCC, and uses it as an instrument of arbitrary power, according to a former head of the FCC.

UK repression [Richard Stallman's Political Notes]

Thugs in Britain have taken a further step into repression, beyond prosecuting people for stating support for the prohibited organization Palestine Action. Now they assert that it is a crime to endorse any of the positions that it stood for, such as "free Gaza" or talking about "genocide".

The leap that the thug made is irrational, and not logically valid. We can easily see that the decision to ban that organization, unjust though it was, does not imply what the thug asserted.

That does not guarantee that his error will not become government policy. Repression often advances by leaps of illogical like this one.

North Carolina voter purge [Richard Stallman's Political Notes]

*DNC threatens to sue North Carolina elections board over [Republican] plan to purge 100,000 voters.*

Republican candidates occasionally win legitimately, but usually they win by rigging the election. Voter suppression is a big part, and Greg Palast presents evidence that that's how the bully "won" in 2024, but they have other methods too, such as gerrymandering.

Magats vs environment [Richard Stallman's Political Notes]

The magat bill to fund environmental agencies undermines or weakens various specific means of protecting the environment and wildlife.

Temporary protected status [Richard Stallman's Political Notes]

A US court extended Afghan refugees' temporary protested status. A final ruling is coming later.

Measles vaccination rates too low [Richard Stallman's Political Notes]

Around 100,000 children died from measles in 2023. That's a consequence of having 10 million who did not get vaccinated.

10:35

10:14

Settling for better [Seth's Blog]

Perhaps you’re really good at the job. Hard charging. Focused on every interaction and staying in control. It’s easy to justify the hard work because you refuse to settle.

It turns out that your community is here and ready to contribute. When you give others the resources, trust and commitment to do the work, the work gets done. Sometimes, it even gets done better than you could have done it (if you had had the time and focus, which you don’t).

If scale is the goal, your control over each interaction has to loosen. The job of the leader is to create the conditions for others to raise the standards.

Trusting your team isn’t settling for less. It’s settling for better.

09:07

Birger Schacht: My DebConf 25 review [Planet Debian]

DebConf 25 happened between 14th July and 19th July and I was there. It was my first DebConf (the big one, I was at a Mini DebConf in Hamburg a couple of years ago) and it was interesting. DebConf 25 happened at a Campus University at the outskirts of Brest and I was rather reluctant to go at first (EuroPython 25 was happening at the same time in Prague), but I decided to use the chance of DebConf happening in Europe, reachable by train from Vienna. We took the nighttrain to Paris, then found our way through the maze that is the Paris underground system and then got to Brest with the TGV. On our way to the Conference site we made a detour to a supermarket, which wasn’t that easy because is was a national holiday in France and most of the shops were closed. But we weren’t sure about the food situation at DebConf and we also wanted to get some beer.

At the conference we were greeted by very friendly people at the badge station and the front desk and got our badges, swag and most important the keys to pretty nice rooms on the campus. Our rooms had a small private bathroom with a toilet and a shower and between the two rooms was a shared kitchen with a refrigerator and a microwave. All in all, the accommodation was simple but provided everything we needed and especially a space to have some privacy.

During the next days I watched a lot of talks, met new people, caught up with old friends and also had a nice time with my travel buddies. There was a beach near the campus which I used nearly every day. It was mostly sunny except for the last day of the conference, which apparently was not common for the Brest area, so we got lucky regarding the weather.

Landscape view of the sea at Dellec beach

Given that we only arrived in the evening of the first day of DebConf, I missed the talk When Free Software Communities Unite: Tails, Tor, and the Fight for Privacy (recording), but I watched it on the way home and it was also covered by LWN.

On Tuesday I started the day by visiting a talk about tag2upload (recording). The same day there was also an academic track and I watched the talk titled Integrating Knowledge Graphs into the Debian Ecosystem (recording) which presented a property graph showing relationships between various entities like packages, maintainers or bugs (there is a repository with parts of a paper, but not much other information). The speaker also mentioned the graphcast framework and the ontocast framework which sound interesting - we might have use for something liked this at $dayjob.

In the afternoon there was a talk about the ArchWiki (recording) which gave a comprehensive insight in how the ArchWiki and the community behind it works. Right after that was a Debian Wiki BoF. There are various technical limitations with the current wiki software and there are not enough helping hands to maintain the service and do content curation. But the BoF had some nice results: there is now a new debian-wiki mailinglist, an IRC channel, a MediaWiki installation has been set up during DebConf, there are efforts to migrate the data and most importantly: and handful of people who want to maintain the service and organize the content of the wiki. I think the input from the ArchWiki folks gave some ideas how that team could operate.

Tag at the wall at Dellec beach

Wednesday was the day of the daytrip. I did not sign up for any of the trips and used the time to try out tag2upload, uploaded the latest labwc release to experimental and spent the rest of the day at the beach.

Other noteworthy session I’ve attended were the Don’t fear the TPM talk (recording), which showed me a lot of stuff to try out, the session about lintian-ng (no recording), which is an experimental approach to make lintian faster, the review of the first year of wcurls existence (no recording yet) and the summary of Rust packaging in Debian (no recording yet). In between the sessions I started working on packaging wlr-sunclock (#1109230).

What did not work

Vegan food.

I might be spoiled by other conferences. Both at EuroPycon last year (definitely bigger, a lot more commercial) and at PyCon CZ 23 (similar in size, a lot more DIY) there was catering with explicitly vegan options.

As I’ve mentioned in the beginning, we went to a supermarket before we went to the conference and we had to go there one more time during the conference. I think there was a mixture between a total lack of awareness and a LOT of miscommunication. The breakfasts at the conference consisted of pastries and baguettes - I asked at the first day what the vegan options were and the answer was “I don’t know, maybe the baguette?” and we were asked to only take as much baguette as the people who also got pastries.

The lunch was prepared by the “Restaurant associatif de Kernévent” which is a canteen at the university campus. When we asked if there is vegan food, the people there said that there was only a vegetarian option so we only ate salad. Only later we heard via word of mouth that one has to explicitly ask for a vegan meal which was apparently prepared separatly and you had to find the right person that knows about it (I think thats very Debian-like 😉). But even then a person once got a vegetarian option offered as vegan food.

One problem was also the missing / confusing labeling of the food. At the conference dinner there was apparently vegan food, but it was mixed with all the other food. There were some labels but with hundreds of hungry people around and caterers removing empty plates and dropping off plates with other stuff, everything gets mixed up. In the end we ate bread soaked in olive oil, until the olive oil got taken away by the catering people literally while we were dipping the bread in it.

And when these issues were raised, some of the reactions can be summarized as “You’re holding it wrong” which was really frustrating.

The dinners at the conference hall were similar. At some point I had the impression that “vegan” and “vegetarian” was simply seen as the same thing.

Dinner menu at the conference

If the menus would be written like a debian/copyright file it would probably have looked like this:

Food: *
Diet: Vegan or Vegetarian

But the thing is that Vegan and Vegetarian cannot be mixed. Its similar to non compatible licenses. Once you mix vegan food with vegan food with vegetarian food it’s not vegan anymore.

Don’t get me wrong, I know its hard to organize food for hundreds of people. But if you don’t know what it means to provide a vegan option, just communicate the fact so people can look alternatives in advance. During the week some of the vegan people shared food, which was really nice and there were also a lot of non-vegan people who tried to help, organized extra food or simply listened to the hangry rants. Thanks for that!

Paris

Saturday was the last day of DebConf and it was a rainy day. On Sunday morning we took the TGV back to Paris and then stayed there for one night because the next night train back to Vienna was on Monday. Luckily the weather was better in Paris. The first thing we did was to look up a vegan burger place. In the evening we strolled along the Seine and had a couple of beers at the Jardins du Trocadéro. Monday the rain also arrived in Paris and we mostly went from one cafe to the next, but also managed to visit Notre Dame.

Conclusio

The next DebConf will be in Argentina and I think its likely that DebConf 27 will also not happen anywhere in trainvelling distance. But even if, I think the Mini DebConfs are more my style of happening (there is one planned in Hamburg next spring, and a couple of days ago I learned that there will be a Back to the Future musical show in Hamburg during that time). Nonetheless I had a nice time and I stumbled over some projects I might get more involved in. Thanks also to my travel buddies who put up with me 😋

06:49

Mirroring Protesilaos' videos to Internet Archive [Planet GNU]

I enjoy reading and watching the writings and videos that Protesilaos publishes on his website, with his work ranging from philosophy and various life issues to GNU Emacs and programming. Currently, Prot uploads his videos to YouTube and embeds them on his website. YouTube, diligently working their way down the spiral of enshittification, have been making it increasingly difficult to watch the videos without using their nonfree JavaScript interface or their nonfree mobile applications. This got me thinking about mirroring Prot’s videos to the Internet Archive to make them more easily accessible in freedom.

To mirror all of Prot’s videos to the Internet Archive is a nontrivial task: as of the time of this writing, there are a total of 298 videos uploaded to Prot’s YouTube channel. Thankfully, Prot makes publicly available the git repository containing the sources used to build his website, and we have several excellent tools at our disposal to help extract the information we need and carry this out.

Note: Prot publishes his works under free/libre copyleft licenses like CC BY-SA 4.0 and GPLv3+, so we do not violate his copyright by sharing or redistributing his work so long as we do it with proper credit, following the terms of the licenses.

The idea is to write a program that would walk through the set of markdown files in the source repository for Prot’s website and for each file that has a mediaid metadata field, download the video with that ID from YouTube using yt-dlp, and upload it along with accompanying metadata to the Internet Archive using the internetarchive Python module. Given that these two key tools are written in Python, I opted to use Python for my own implementation as well. (I initially started the implementation as a POSIX shell script, but then decided that I would like the convenience of a ‘proper programming language’ and being able to interact with these tools through their respective API, so I ported what I had to Python and continued there.)

The full implementation is available at protesilaos_videos_archive.py. Note that some of the required modules are not part of Python’s standard library, namely markdown, yt-dlp, and internetarchive. You can install these using your distribution’s package manager or using pip, the Python package manager.

The script takes several command line arguments. There is a required positional argument for specifying the directory to search through (recursively) for markdown files. Normally, this would be the path to your local copy of the source repository for Prot’s website. There are also two --cookie-file and --working-dir options for optionally specifying the path to a cookie file for use with yt-dlp and the working directory for storing the downloaded videos and the progress file, respectively. Considering YouTube’s somewhat aggressive rate-limiting of IPs, if you will be downloading a nontrivial number of videos, you will probably want to use --cookie-file to specify the file that contains cookies from a YouTube session. (You would log into YouTube using your account, then use an add-on like cookies.txt to extract and save your session’s cookies into a text file.)

Example invocation of the program:

./protesilaos_videos_archive.py --cookie-file=cf.txt ~/src/protesilaos.gitlab.io

Also, considering the large number of videos to be downloaded and uploaded, making this a long-running task, I thought it would be helpful to allow interrupting the work partway through by stopping the program by pressing Ctrl-c in the terminal to send a SIGINT. Upon receiving a SIGINT, the program will stop the work after the current download or upload is finished, and write the progress to a progress file, .pva-progress.jsonl, which it will use on the next run to resume the work where it was left off.

As of the time of this writing, all of the videos published by Prot on his YouTube channel have been mirrored to the Internet Archive, and are available from the Video Publications by Protesilaos Stavrou collection.

I’ll wrap up by thanking Prot for clarifying the license of his video publications and for his blessing for me to mirror them on the Internet Archive. Thanks, Prot. :)

Take care, and so long for now.

P.S. yt-dlp has a --write-description option, which causes it to write a .description file along with the downloaded video containing its description text from YouTube. I still opted to go with the above approach of using each post’s body text as ‘description’ in part because the markdown source file for each video post contains more metadata fields that I was planning on uploading to the Archive anyway.

02:07

Matthew Palmer: Object deserialization attacks using Ruby's Oj JSON parser [Planet Debian]

tl;dr: there is an attack in the wild which is triggering dangerous-but-seemingly-intended behaviour in the Oj JSON parser when used in the default and recommended manner, which can lead to everyone’s favourite kind of security problem: object deserialization bugs! If you have the oj gem anywhere in your Gemfile.lock, the quickest mitigation is to make sure you have Oj.default_options = { mode: :strict } somewhere, and that no library is overwriting that setting to something else.

Prologue

As a sensible sysadmin, all the sites I run send me a notification if any unhandled exception gets raised. Mostly, what I get sent is error-handling corner cases I missed, but now and then… things get more interesting.

In this case, it was a PG::UndefinedColumn exception, which looked something like this:

PG::UndefinedColumn: ERROR:  column "xyzzydeadbeef" does not exist

This is weird on two fronts: firstly, this application has been running for a while, and if there was a schema problem, I’d expect it to have made itself apparent long before now. And secondly, while I don’t profess to perfection in my programming, I’m usually better at naming my database columns than that.

Something is definitely hinky here, so let’s jump into the mystery mobile!

The column name is coming from outside the building!

The exception notifications I get sent include a whole lot of information about the request that caused the exception, including the request body. In this case, the request body was JSON, and looked like this:

{"name":":xyzzydeadbeef", ...}

The leading colon looks an awful lot like the syntax for a Ruby symbol, but it’s in a JSON string. Surely there’s no way a JSON parser would be turning that into a symbol, right? Right?!?

Immediately, I thought that that possibly was what was happening, because I use Sequel for my SQL database access needs, and Sequel treats symbols as database column names. It seemed like too much of a coincidence that a vaguely symbol-shaped string was being sent in, and the exact same name was showing up as a column name.

But how the flying fudgepickles was a JSON string being turned into a Ruby symbol, anyway? Enter… Oj.

Oj? I barely know… aj

A long, long time ago, the “standard” Ruby JSON library had a reputation for being slow. Thus did many competitors flourish, claiming more features and better performance. Strong amongst the contenders was oj (for “Optimized JSON”), touted as “The fastest JSON parser and object serializer”. Given the history, it’s not surprising that people who wanted the best possible performance turned to Oj, leading to it being found in a great many projects, often as a sub-dependency of a dependency of a dependency (which is how it ended up in my project).

You might have noticed in Oj’s description that, in addition to claiming “fastest”, it also describes itself as an “object serializer”. Anyone who has kept an eye on the security bug landscape will recall that “object deserialization” is a rich vein of vulnerabilities to mine. Libraries that do object deserialization, especially ones with a history that goes back to before the vulnerability class was well-understood, are likely to be trouble magnets.

And thus, it turns out to be with Oj.

By default, Oj will happily turn any string that starts with a colon into a symbol:


>> require "oj"
>> Oj.load('{"name":":xyzzydeadbeef","username":"bob","answer":42}')
=> {"name"=>:xyzzydeadbeef, "username"=>"bob", "answer"=>42}

How that gets exploited is only limited by the creativity of an attacker. Which I’ll talk about more shortly – but first, a word from my rant cortex.

Insecure By Default is a Cancer

While the object of my ire today is Oj and its fast-and-loose approach to deserialization, it is just one example of a pervasive problem in software: insecurity by default. Whether it’s a database listening on 0.0.0.0 with no password as soon as its installed, or a library whose default behaviour is to permit arbitrary code execution, it all contributes to a software ecosystem that is an appalling security nightmare.

When a user (in this case, a developer who wants to parse JSON) comes across a new piece of software, they have – by definition – no idea what they’re doing with that software. They’re going to use the defaults, and follow the most easily-available documentation, to achieve their goal. It is unrealistic to assume that a new user of a piece of software is going to do things “the right way”, unless that right way is the only way, or at least the by-far-the-easiest way.

Conversely, the developer(s) of the software is/are the domain experts. They have knowledge of the problem domain, through their exploration while building the software, and unrivalled expertise in the codebase.

Given this disparity in knowledge, it is tantamount to malpractice for the experts – the developer(s) – to off-load the responsibility for the safe and secure use of the software to the party that has the least knowledge of how to do that (the new user).

To apply this general principle to the specific case, take the “Using” section of the Oj README. The example code there calls Oj.load, with no indication that this code will, in fact, parse specially-crafted JSON documents into Ruby objects. The brand-user user of the library, no doubt being under pressure to Get Things Done, is almost certainly going to look at this “Using” example, get the apparent result they were after (a parsed JSON document), and call it a day.

It is unlikely that a brand-new user will, for instance, scroll down to the “Further Reading” section, find the second last (of ten) listed documents, “Security.md”, and carefully peruse it. If they do, they’ll find an oblique suggestion that parsing untrusted input is “never a good idea”. While that’s true, it’s also rather unhelpful, because I’d wager that by far the majority of JSON parsed in the world is “untrusted”, in one way or another, given the predominance of JSON as a format for serializing data passing over the Internet. This guidance is roughly akin to putting a label on a car’s airbags that “driving at speed can be hazardous to your health”: true, but unhelpful under the circumstances.

The solution is for default behaviours to be secure, and any deviation from that default that has the potential to degrade security must, at the very least, be clearly labelled as such. For example, the Oj.load function should be named Oj.unsafe_load, and the Oj.load function should behave as the Oj.safe_load function does presently. By naming the unsafe function as explicitly unsafe, developers (and reviewers) have at least a fighting chance of recognising they’re doing something risky. We put warning labels on just about everything in the real world; the same should be true of dangerous function calls.

OK, rant over. Back to the story.

But how is this exploitable?

So far, I’ve hopefully made it clear that Oj does some Weird Stuff with parsing certain JSON strings. It caused an unhandled exception in a web application I run, which isn’t cool, but apart from bombing me with exception notifications, what’s the harm?

For starters, let’s look at our original example: when presented with a symbol, Sequel will interpret that as a column name, rather than a string value. Thus, if our “save an update to the user” code looked like this:


# request_body has the JSON representation of the form being submitted
body = Oj.load(request_body)
DB[:users].where(id: user_id).update(name: body["name"])

In normal operation, this will issue an SQL query along the lines of UPDATE users SET name='Jaime' WHERE id=42. If the name given is “Jaime O’Dowd”, all is still good, because Sequel quotes string values, etc etc. All’s well so far.

But, imagine there is a column in the users table that normally users cannot read, perhaps admin_notes. Or perhaps an attacker has gotten temporary access to an account, and wants to dump the user’s password hash for offline cracking. So, they send an update claiming that their name is :admin_notes (or :password_hash).

In JSON, that’ll look like {"name":":admin_notes"}, and Oj.load will happily turn that into a Ruby object of {"name"=>:admin_notes}. When run through the above “update the user” code fragment, it’ll produce the SQL UPDATE users SET name=admin_notes WHERE id=42. In other words, it’ll copy the contents of the admin_notes column into the name column – which the attacker can then read out just by refreshing their profile page.

But Wait, There’s More!

That an attacker can read other fields in the same table isn’t great, but that’s barely scratching the surface.

Remember before I said that Oj does “object serialization”? That means that, in general, you can create arbitrary Ruby objects from JSON. Since objects contain code, it’s entirely possible to trigger arbitrary code execution by instantiating an appropriate Ruby object. I’m not going to go into details about how to do this, because it’s not really my area of expertise, and many others have covered it in detail. But rest assured, if an attacker can feed input of their choosing into a default call to Oj.load, they’ve been handed remote code execution on a platter.

Mitigations

As Oj’s object deserialization is intended and documented behaviour, don’t expect a future release to make any of this any safer. Instead, we need to mitigate the risks. Here are my recommended steps:

  1. Look in your Gemfile.lock (or SBOM, if that’s your thing) to see if the oj gem is anywhere in your codebase. Remember that even if you don’t use it directly, it’s popular enough that it is used in a lot of places. If you find it in your transitive dependency tree anywhere, there’s a chance you’re vulnerable, limited only by the ingenuity of attackers to feed crafted JSON into a deeply-hidden Oj.load call.
  2. If you depend on oj directly and use it in your project, consider not doing that. The json gem is acceptably fast, and JSON.parse won’t create arbitrary Ruby objects.
  3. If you really, really need to squeeze the last erg of performance out of your JSON parsing, and decide to use oj to do so, find all calls to Oj.load in your code and switch them to call Oj.safe_load.
  4. It is a really, really bad idea to ever use Oj to deserialize JSON into objects, as it lacks the safety features needed to mitigate the worst of the risks of doing so (for example, restricting which classes can be instantiated, as is provided by the permitted_classes argument to Psych.load). I’d make it a priority to move away from using Oj for that, and switch to something somewhat safer (such as the aforementioned Psych). At the very least, audit and comment heavily to minimise the risk of user-provided input sneaking into those calls somehow, and pass mode: :object as the second argument to Oj.load, to make it explicit that you are opting-in to this far more dangerous behaviour only when it’s absolutely necessary.
  5. To secure any unsafe uses of Oj.load in your dependencies, consider setting the default Oj parsing mode to :strict, by putting Oj.default_options = { mode: :strict } somewhere in your initialization code (and make sure no dependencies are setting it to something else later!). There is a small chance that this change of default might break something, if a dependency is using Oj to deliberately create Ruby objects from JSON, but the overwhelming likelihood is that Oj’s just being used to parse “ordinary” JSON, and these calls are just RCE vulnerabilities waiting to give you a bad time.

Is Your Bacon Saved?

If I’ve helped you identify and fix potential RCE vulnerabilities in your software, or even just opened your eyes to the risks of object deserialization, please help me out by buying me a refreshing beverage. I would really appreciate any support you can give. Alternately, if you’d like my help in fixing these (and many other) sorts of problems, I’m looking for work, so email me.

What You Missed at Candidate Survivor Last Night [The Stranger]

Last night, candidates for city office piled onto the stage at Neumos to show off their hidden talents, answer policy questions, and lip synch for your vote. by Hannah Murphy Winter

Photos by West Smith

Last night, candidates for city office piled onto the stage at Neumos to show off their hidden talents, answer policy questions, and lip synch for your vote. This year, the Washington Bus and The Stranger's candidate forum was Dungeons & Dragons themed, with drag dungeon mistress Aleksa Manila leading the adventure (with outfit changes, of course!).

We learned a lot about the candidates in this year's primary: that Seattle City Council District 2 candidate Adonis Ducksworth might be a Cool Guy Skateboarder, but he's not down to get silly; that D2 candidate Eddie Lin can juggle and walk on his hands; that Katie Wilson used to busk at Pike Place; and that City Attorney Erika Evans always knows the assignment. We also learned just how far D2 candidate Jamie Fackler will go for a bit. He didn't officially make it onstage last night because his campaign hadn't reached the fundraising threshold when event invitations went out, but he still showed up outside dressed as Shrek with a rented donkey and a large bag of onions, and even jumped on stage with City Attorney candidate Rory O'Sullivan (uninvited) to try to hype his performance. 

In the green room, one candidate said, "I think we're all processing our Stranger endorsements in these performances." During the policy section, D2 candidate Jeanie Chunn changed into a stunning green, leafy dress, a shout-out to The Stranger saying she was too "green" in our endorsement. We called Wilson's TikToks "deeply awkward" (which we stand by), and she said it "hurt a little bit, but now I feel like I have a reputation to uphold," so she decided "to showcase a talent that's even more deeply awkward." 

With less than two weeks to the primary, the candidates showed up, and showed us what they were about. Rinck won best dressed, Evans and Chunn won the most "inspiration points," and Evans won the best overall performance. Now let's see how they do at the ballot box.

This donkey's name is Momie, from Sweet Ass Donkey Rentals.  City Attorney candidate Rory O'Sullivan played "With a Little Help From My Friends," by the Beatles. Meet VoteBot. Not to be confused with SaraNelsonBot, and PinkPonyBot.  Aleksa Manila kept all of the adventurers in line.  The Stranger has said that Seattle would vote for a rock over Sara Nelson. So for her talent, City Council Position 9 candidate Dionne Foster came out as Dwayne "The Rock" Johnson, challenged an audience member to Rock Paper Scissors, and gave the audience rock candy.  City Attorney candidate Erika Evans destroyed the audience with a diss track about City Attorney Ann Davison.  Holy shit Jeanie Chunn can sing.  Katie Wilson pulled out her old busking routine: a guitar and a harmonica.  Eddie Lin actually walked across the stage like this.  City Council Member Alexis Mercedes Rinck did a Bardcore cover of Shakira's "Hips Don't Lie."  These buds should be on council together.  Stranger Staff Writer Nathalie Graham grilled the candidates on everything from sweeps to Saint Rat. And Washington Bus and Stranger staff judged their answers.  SaraNelsonBot. Jeanie Chunn took a heroic spill off those heels, and kept lip syncing for your vote.  Rory O'Sullivan and Ry Armstrong, blown away by Erika Evans' prop work.  I mean, come on. Did we mention the audience dressed up too? Queens of the night.

00:35

FreeBSD installer to get Lua scripting support; proof-of-concept graphical installer shown off [OSnews]

Becoming friendlier to desktop users is one of the goals of the FreeBSD project at the moment, as we recently saw with the new ability to install a full KDE Plasma desktop environment during FreeBSD’s initial installation. This is just one small piece of a larger effort, though, to improve, modernise, and possibly even replace the current FreeBSD installer entirely. As such, Pierre Pronchery, a Security Engineer for the FreeBSD Foundation and member of their team as a Userland Software Developer, published a blog post today with more information around this effort.

The article goes into great detail to compare the installation procedures of other operating systems to that of FreeBSD, and the conclusion is that FreeBSD is lagging behind in quite a few areas. Among other shortcomings, the FreeBSD installer has no support for different languages, very little accessibility features, no niceties like progress bars or lists of steps, and most notably, no graphical mode. Some of these are already being addressed.

The current FreeBSD installer (a combination of bsddialog, bsdconfig, and bsdinstall) consists of a number of shell scripts with some small C programs here and there, and the downside of this is that this is really only suitable for creating very basic steps and user interfaces. As an example, Pronchery mentions values during network setup, like network mask, DNS server or gateway, can’t be prepopulated with the most likely values, which puts quite a burden on the user. This specific issue is being worked on by one of the original creators of bsddialog, and the solution they settled on is adding Lua scripting, which would give developers an avenue to fix some of these shortcomings.

As far as a possible graphical installer goes, Pronchery looked at the various options out there, both from the Linux world and the few graphical installers that exist for a few desktop-oriented FreeBSD distributions, but for a variety of reasons, none of them proved to be particularly suitable for FreeBSD. As such, Pronchery created a quick proof-of-concept for a graphical installer by implementing bsddialog as a GTK+ application which he calls gbsddialog. It’s important to note that this proof-of-concept is not suitable for FreeBSD, as GTK+ is licensed under the LGPL, but it does illustrate that by “simply” reimplenting bsddialog using a graphical toolkit, you can get quite a long way to a usable FreeBSD installer that mimics the traditional installer quite well.

The article covers a number of other topics, such as setting up a development environment to make it more straightforward and easier to work on the FreeBSD installer, as well as various steps that need to be taken to improve the accessibility of the installer. It concludes with a mention of the possibility of a complete rewrite of the installer, but such decisions are of course not made by a single person and require a lot more discussion and input.

Regardless, the amount of work being done to improve FreeBSD for generic desktop use is exciting, as we need a viable, competitive alternative to that other open source desktop operating system.

Friday, 25 July

23:49

23:00

Page 50 [Flipside]

Page 50 is done.

22:35

Friday Squid Blogging: Stable Quasi-Isodynamic Designs [Schneier on Security]

Yet another SQUID acronym: “Stable Quasi-Isodynamic Design.” It’s a stellarator for a fusion nuclear power plant.

22:14

How GNOME made its Calendar application accessible [OSnews]

This article will explain in details about the fundamental issues that held back accessibility in GNOME Calendar since the very beginning of its existence, the progress we have made with accessibility as well as our thought process in achieving it, and the now and future of accessibility in GNOME Calendar.

↫ Hari “TheEvilSkeleton” Rana

You’d think it would be easy to make a “simple” calendar application properly accessible, but boy would you be wrong. In this article, Hari “TheEvilSkeleton” Rana details just how much work had to be done in order to turn GNOME Calendar from entirely inaccessible into an accessible application, and considering the length of the article, you can see it wasn’t a weekend effort.

There were apparently two primary reasons why making GNOME Calendar accessible was so hard. First, maximising GNOME Calendar’s performance optimisations had significant negative implications for accessibility, and two, the effectively endless flexibility a calendar needs to offer makes it very difficult to create a usable accessibility tree. Both the events on a calendar as well as the zooming view of a calendar lead to a ton of complexity in creating this tree.

GNOME Calendar uses a ton of custom widgets, and these all needed specific, individual solutions to be made accessible. As an example, the article mentions that while it was possible to use the keyboard to create an event, it was not possible to use the keyboard to select created events. Obviously, even this one shortcoming alone effectively makes the entire application inaccessible to anyone relying solely on keyboard navigation.

The article goes into great detail how both the above widget and countless other widgets were changed to make them accessible to both the keyboard and screen reader. If you’re working on GTK applications, or even applications using other toolkits, Rana’s article is a great resource to start to understand the complexities and creative thinking needed to implement accessibility in software properly.

It’s a DE9, not a DB9 [OSnews]

You’ve seen them everywhere, especially on older computer equipment: the classic 9-pin serial connector. You probably know it as a DB9. It’s an iconic connector for makers, engineers, and anyone who’s ever used an RS232 serial device. Here’s a little secret, though: calling it a DB9 is technically wrong. The correct name is actually DE9.

↫ Christo-boots with the-pher at Sparkfun Electronics

I honestly had no idea, and looking through the Wikipedia page, it seems this isn’t the only common misnomer when it comes to D-sub connectors.

21:28

19:56

Reproducible Builds (diffoscope): diffoscope 302 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 302. This version includes the following changes:

[ Chris Lamb ]
* Mask stderr from the extract-vmlinux script.
* Make it much more explicit that we return 'success' from the
  extract-vmlinux script instead of just falling through to the bottom of the
  script.
* Use Difference.from_operation in an attempt to pipeline the output of
  extract-vmlinux, potentially avoiding it all residing in memory. This is an
  attempt to prevent out of memory issues on try.diffoscope.org.

[ Siva Mahadevan ]
* Use --print-armap long option with nm in the "ar" comparator for wider
  compatibility.

You find out more by visiting the project homepage.

I’m Off Officiating a Wedding and Athena is Away Visiting Friends So Here is a Picture of Charlie to Keep You Busy For the Weekend [Whatever]

Doesn’t she look happy? Of course she does. Her life is pretty sweet, after all, lots of love and walks and rolls in the grass. It’s good to be a pup.

Also, for those who don’t know, yes, indeed, I do officiate weddings! It’s for friends and such. I mean, I was probably going to be at the wedding anyway. Why not make myself useful.

We’ll be back on Monday. Until then, have a fabulous weekend, and if you’re in part of the US currently under a heat dome, keep yourself cool and remember to hydrate, okay? Thank you.

— JS

I Saw U: Buying Corn at Fred Meyer, Yelling at Bikers on the Burke-Gilman Trail, and Bussing to the No Kings Protest [The Stranger]

Did you see someone? Say something! by Anonymous

Cutie with the corn!

To the cute guy who had a basket full of corn at Fred Meyer on Friday. We kept bumping into each other. Wish I had said something!

Mustache 4 mustache @ Sister Nancy 7/20

I told you you were handsome then bashfully scurried away with my friends. If you’re mustache 4 mustache, I’d love to buy you a drink sometime

Curly Hair Cutie @ Bouldering Project Poplar

I keep running into you at the climbing gym; I just want to say I'm sorry for yakking in your apartment on our first (and only) date. Lets try again?

Menopausal Bike Karen

To woman in the black and pink bike kit who yelled at me getting on the Gilman on Sunday near the Fremont market - get fucked. U were in the wrong😘

Ambulance needed 🚨

You: hot camper builder. Me: chaotic chair girl. Cap Hill Tool Library. Now take me for a ride in your ambulance, sk8er boi 🔥🛠️💋

Croissant Air Freshener

You asked me to check your tire pressure at King and Alaskan Way; the light changed too soon. I wanna know about your croissant air freshener, please.

8 bus No Kings Fairview

u asked which stop would take u 2 protest, had a cane after a hip surgery & wanted 2 b able 2 walk 2 sea cntr, u reminded me that protest matters

Eye contact at Pacific inn Pub

You: wearing blue, tatted, mustache Me: wearing green It was a Tuesday. Wanted to give you my # but you were leaving before I could write it down!

Is it a match? Leave a comment here or on our Instagram post to connect!

Did you see someone? Say something! Submit your own I Saw U message here and maybe we'll include it in the next roundup!

19:07

The Best Bang for Your Buck Events in Seattle This Weekend: July 25–27, 2025 [The Stranger]

Bite of Seattle, Torchlight Parade, and More Cheap & Easy Events Under $15
by EverOut Staff

Leave the house this weekend for recession-busting events from Bite of Seattle to the Alaska Airlines Torchlight Parade and from Downtown Summer Sounds: Kishi Bashi  to Urban Craft Uprising's Summer Show. For more suggestions, check out our top event picks of the week.

FRIDAY LIVE MUSIC

Downtown Summer Sounds: Kishi Bashi
Seattle's free Downtown Summer Sounds series kicked off last week and continues with a can't-miss show from multi-instrumentalist Kishi Bashi on Friday evening. Push your chair back from your desk and stop at Westlake Park before catching the light rail home: this concert is sure to put you in the right mood for a sunny weekend. Kishi Bashi has collaborated with Regina Spektor and of Montreal, and puts out upbeat orchestral bops as a solo artist. The man's talent doesn't stop there, his 2022 film Omoiyari: A Song Film by Kishi Bashiwas nominated for an Emmy in the Outstanding Arts and Culture Documentary category. Kishi Bashi played the Crocodile last fall and I will not be missing this opportunity to see him for free in the heart of the city. SHANNON LUBETICH
(Westlake Park, Downtown, free)

17:42

[1264] Ambush pt 3 [Twokinds]

Comic for July 25, 2025

17:35

How can I confirm in the Windows debugger that I’m looking at a COMDAT-folded function? [The Old New Thing]

Some time ago, we learned about identical COMDAT folding (and also why it’s called “identical COMDAT folding”).

Here’s a trick to confirm that you are indeed looking at a COMDAT-folded function: Ask the debugger to show the functions whose names exactly match your suspected function address.

0:000> ln 00000001`400b3c50
(00000001`400b3c50)   contoso!std::vector<void *,std::allocator<void *> >::_Tidy   |  (00000001`400b3c8c)   contoso!Widget::Toggle
Exact matches:
    contoso!std::vector<void *,std::allocator<void *> >::_Tidy (void)
    contoso!std::vector<_GUID const *,std::allocator<_GUID const *> >::~vector<_GUID const *,std::allocator<_GUID const *> > (void)

These two functions are identical, so the linker merged them. In stack traces, they will show as contoso!std::vector<void *,std::allocator<void *> >::_Tidy. It looks like the debugger just picks the first exact match and uses that to represent the group. But if you ask for all functions that match the address, then the debugger will cough up the other names for this function.

Note that for this trick to work, you have to use the start of the function, because that’s where the exact matches will be.

In general, you don’t usually need to go this far. You can infer that you’re looking at a COMDAT-folded function because the source code of the calling function is clearly calling some function other than the one shown in the debugger. Even before looking at the source code, you can usually infer it because there would be otherwise no reason for the calling function to be calling the COMDAT-folded function. And the third clue is that the function in question is either small (and is therefore going to match other functions) or is likely to be type-independent (and is therefore going to match other specializations of the same template).

But you can use this trick if you want to be extra sure. (Or if you have to prove it to somebody else.)

The post How can I confirm in the Windows debugger that I’m looking at a COMDAT-folded function? appeared first on The Old New Thing.

Slog AM: SPD Insurrection Attendees Named, Light Rail Has Gone to the Dogs, Chuck E. Cheese Arrested [The Stranger]

The Stranger's morning news roundup. by Nathalie Graham

The Who's Who of the SPD January Sixers: After a lengthy court battle to keep their identities secret, we now officially have the names of four of the Seattle Police Department cops who went to the insurrection a week after they dropped their lawsuit. Drum roll please. The democracy denying boys in blue aaaaare.... Sgt. Jacob Briskey, Sgt. Scotty Bach, Detective Michael Settle, and Officer Jason Marchione. Two other SPD cops, Officers Alexander Everett and Caitlin Rochelle Everett, were identified earlier after being fired since they trespassed on the US Capitol during all of the insurrection festivities. Of course, this is hardly news since Divest SPD, released the names of these cops years ago, but this is the first time we've had confirmation from the City. 

Light Rail Has Gone to the Dogs: We are a dog city. A dog county, really. Sound Transit's board green lit policy yesterday to let all leashed pooches on light rail trains. Frankly, I didn't know there was a dog ban given all those rule-breaking pups I've seen catching a ride on the 1 Line. The new dog decree was born out of the freshly minted Marymoor Village Station which is close to the 40-acre off-leash area in Marymoor Park. “It’s time for walkies,” Sound Transit board Chair Dave Somers said. I hate that he said that. 

In Other Light Rail News: The extension to Federal Way could open as soon as this winter, according to the Sound Transit Board. That would unveil stops in Kent, Des Moines, Star Lake, and downtown Federal Way. One day, if we're good, maybe we will even reach Tacoma. And will the light rail ever stretch across the lake to link up with the 2 line in Bellevue? Maybe! In the meantime, Sound Transit is trying to deter thievery after a few bandits stole away with copper wire from the eastside tracks on two different occasions earlier this summer, causing power outages on the line. They're installing security cameras. 

A Bear! Near Golden Gardens! Neighbors near Golden Gardens in Ballard spotted a bear this week. They believe it was a black bear. The sighting isn't officially confirmed, but if it is true, this would be the first bear sighting in that area since 2009. You can't blame a bear for wanting a good bonfire spot. The Department of Fish and Wildlife said the bear likely ended up in the area by taking the series of greenbelts along Puget Sound. Well, he probably didn't take the Burke Gilman with that missing link, right? Right?? 

A Fire! Near the Columbia River Gorge! A fire that sparked around a week ago is now the largest in the state. The Burdoin fire currently takes up 11,000 acres. That is, I'm told, a lot of acres. The Burdoin fire is one of four other large fires raging statewide. This is climate change, baby. Summers are for burning now. And we aren't even close to done with fire season. 

France Recognizes Palestine Statehood: In the midst of war crime-caused famine where special food for malnourished children is weeks away from running dry, French president Emmanuel Macron said he will recognize a Palestinian state, becoming the first western power to do so. This recognition won't officially happen until September at the United Nations general assembly. 

No Quick Bucks for Chuck: Florida police arrested a man for credit card fraud while he was at his job. Unfortunately, his job was dressing up as a big gray mouse. You may know him. “Chuck E., come with me,” the cops said as they entered the Tallahassee Chuck E. Cheese. The suspect allegedly did the credit card fraud while working at Chuck E. Cheese. You can't trust anyone these days. Not even Chuck himself. Sigh. 

A Chuck E. Cheese employee in full costume was arrested by Tallahassee officers for credit card fraud

 www.tallahassee.com/story/news/l...

[image or embed]

— Phil Lewis (@phillewis.bsky.social) July 24, 2025 at 10:41 AM

ICYMI: THING, the music festival, cancelled its upcoming festival date showcasing Latinx and Spanish-language artists, due to concerns about Immigrations and Customs Enforcement. "Community safety concerns have greatly reduced ticket sales, and the uncertainty about artists’ ability to secure the necessary visas has led to our decision," they said in a statement. This isn't the first local event to shut down for these reasons. In June, the Duwamish River Community Coalition canceled the Duwamish River Festival due to concerns that ICE might target it, and earlier this month, the Burien nonprofit Joyas Mestizas announced that they would cancel the Pacific Northwest Folklórico Festival this year. Stranger Staff Writer Julianne Bell has more here

Closing Walls and Ticking Clocks: Kristin Cabot, the human resources executive caught in the embrace of her CEO at the Coldplay concert, has resigned from her role at Astronomer. Her resignation follows CEO Andy Byron's own resignation. 

Hold on. Charles Mudede has something to say.

Did I see that? Did I see Trump's hard-on yapping in the desert? Yes, I did. His sunbaked business appeared on a new episode of South Park, a show I thought was history a long time ago. But apparently it's still around. In fact, Paramount just paid the show's creators, Trey Parker and Matt Stone, a cool $1.5 billion for "50 new episodes over the next five years." Yes, the same Paramount that, on July 2, paid Trump $16 million to settle a lawsuit concerning an episode of CBS’ “60 Minutes.” South Park's season premiere even has a scene with the presenters of "60 Minutes" cowering to Trump (sorry, cows, I didn't mean to disrespect you like that). We also see Trump trying to have sex with Satan, Trump fucking a sheep, Trump suing a painter for making his business too small in a portrait. And then the desert scene. And then it—Trump's penis—talks. How will I ever get that out of my mind?

Um, thanks for that, Charles. Back to me. 

Were you at Candidate Survivor last night? If not, you missed a lot. We learned that Seattle City Council District 2 candidate Adonis Ducksworth is too cool to have fun. (He at least made a cool song and read a bad poem.) We learned that his competition, Eddie Lin, can juggle and walk on his hands. We learned that Mayoral candidate Katie Wilson used to busk at Pike Place. (She demonstrated her act, playing the harmonica and guitar simultaneously.) We learned that City Attorney Erika Evans always knows the assignment. (She made a diss rap about incumbent Ann Davison, and ultimately won the competition.) And we learned that Jamie Fackler knows how to commit to a bit. He didn't officially make it on stage because his campaign hadn't reached the fundraising threshold when event invitations went out, but he still showed up outside dressed as Shrek with a rented donkey, and even jumped on stage with City Attorney candidate Rory O'Sullivan to try to hype his performance. 

I Hate When This Happens: Race officials shortened the 19th stage of the Tour de France to avoid climbs in the mountainous areas "where an outbreak of nodular dermatitis affected a herd of cows." The contagious lumpy skin outbreak resulted in their culling. May they wear the king of the mountain's polka dot jersey in heaven. 

A Song for Your Friday: It just seems appropriate.

16:49

Valhalla's Things: Roll Top Backpack, Handsewn [Planet Debian]

Posted on July 25, 2025
Tags: madeof:atoms, craft:sewing, FreeSoftWear

a backpack in a cream fabric with a short dark brown bottom; it closes by rolling down the top and is kept closed by a strap that feeds through two D-rings.

I might be slightly insane? Or am I going to prove something about the nature and accessibility of sewing and MYOG1 as a hobby?

I love my modular backpack, but it has a very modern look that is maybe not the best thing when otherwise dressed in historybounding dress, and it’s also a bit bigger than I planned or needed it to be.

So, when one of the shops I buy from had some waterproof cotton canvas on sale I failed my saving throw against temptations and bought a few meters, with the intent to make myself a backpack in a different style.

It needs to be a backpack, because my back doesn’t like asymmetrical bags2, and as far as I know 19th century backpacks weren’t the most comfortable things, so I decided to go for a vaguely timeless roll top model that has the added advantage not to require a lot of hardware for the closure, just a few D-rings.

Leather straps would look cool, but also require some tools that I still don’t have, so I decided to look for some cotton webbing, and when I finally found some in 25 mm and 50 mm width I could finally start on the project.

Except for one thing: thread. As much as I believe that regular n°50 cotton thread got a bad reputation from sellers who decided to cut quality in favour of profit, it is not up to the task of sewing a backpack. Nor that I’d use regular sew-all poly thread either.

I do have some of the thread I used for my other backpack, which would have been strong enough, but it’s also in black, which isn’t exactly the look I was aiming for on the natural / ecru colour of both the canvas and the webbing. I also misremembered it as only being available in that colour (it isn’t), so I wasn’t tempted into doing a full online order of technical materials just for that.

On the other hand, I did have in my stash some strong thread I could trust for this job, in natural / ecru. There was only one problem: it was 33×2 Tex linen, and not suitable for the sewing machine. You can’t handsew a backpack.

Or can you? Of course it’s going to be much slower, but I’m still in a situation where I have more time and space for handsewing than I have for machine sewing. And as for strength, my perception is that for the same stitch length an handsewn backstitch is stronger than a machine lockstitch, or at least it is more effort to unpick (and thus harder to accidentally unravel if the thread breaks).

And so I tried.

And it worked.

a needle coming straight up through layers of fabric and webbing, in the motion called stabbing.

Having to backstitch everything instead of being able to use a running backstitch of course meant that it was slower than other sewing projects, and any time there were more than two layers of fabric I had to use the stabbing motion rather than the sewing one, which is even slower, but other than a few places with many layers of both fabric and webbing it wasn’t hard.

And to be fair, the seams were fewer and shorter than other sewing projects, and with the usual interruptions and uneven time availability it was done in less than a month, which is somewhat typical for one of my handsewn projects.

the layers of the base pinned into the sides, trying to keep everything properly aligned especially on the corners in a way that would be very messy if fed as-is to a sewing machine.

It may have been because of the pattern, but I think it’s relevant that it was also easier than other backpacks I’ve made, with significantly less cursing, even when doing seams that would have been quite fiddly when sewn by machine.

I have to admit that now I’m tempted to plan another backpack using the same pattern or a slight variation, sewn by machine in a different fabric, to see the difference in the time it takes and to check if the changes I think would make it easier to sew by machine are actually the right thing to do. But maybe I’ll wait a bit, other projects are in the queue.

The pattern is as usual online, released as #FreeSoftWear.

Having used it for a while, I have to say that it is just the right size to fit all the things I usually carry,

The fact that it only opens from the top means that finding things that have fallen to the very bottom involves a bit of rummaging, but not having to change a zipper every few years when (not if) it breaks is also very nice, so I’m not sure which shape of backpack I prefer.

the back of the backpack, showing the shoulder straps made with wide webbing that end in two D-rings, and a pattern of horizontal webbing sewn at 4 cm intervals to attach accessories.

The soft back of course is an issue when the backpack is filled with small items, but the molle webbing is there exactly because I have plans to solve it, beside the trivial “put something flat towards the back”.

As an object, I’m happy with the result. As a project, it was way more than successful, exceeding all expectations, especially for something somewhat experimental like this one was.

  1. Make Your Own Gear, i.e. sewing or otherwise constructing outdoorish equipment.↩︎

  2. at least not if I fill them with stuff as I usually do with my backpack :D↩︎

16:35

[$] Rethinking the Linux cloud stack for confidential VMs [LWN.net]

There is an inherent limit to the privacy of the public cloud. While Linux can isolate virtual machines (VMs) from each other, nothing in the system's memory is ultimately out of reach for the host cloud provider. To accommodate the most privacy-conscious clients, confidential computing protects the memory of guests, even from hypervisors. But the Linux cloud stack needs to be rethought in order to host confidential VMs, juggling two goals that are often at odds: performance and security.

16:07

Jerry Didn't Name This [Penny Arcade]

I never crossed paths with the Stop Killing Games petition until somebody tried to make the case that it was bad. That strike me as quite bold, but as this person is currently in the process of being dismantled by the Internet equivalent of wild dogs I won't pile on anymore than is absolutely required. I get very sweaty and shaky whenever these weapons are deployed, I abhor their use, but man. Way to literally die on a hill, I guess.

16:00

Facebook, Google cease political advertising in the EU because of new EU transparency and accountability law [OSnews]

Last year the European Union introduced legislation to greatly improve the transparency around political advertising, specifically on social media and websites. The law mandates a few very basic requirements that tend to already apply to many other forms of political advertising, like clearly labeling who paid for the ad and how much was spent, which election or referendum they’re about, and which targeting techniques were used.

In addition, data used for targeting may only be collected from the person being targeted, and the person targeted has to give explicit permission specifically for political advertising. Furthermore, a whole slew of data types are not allowed to be used, such as data that may reveal ethnic or racial origin or political opinions. Lastly, an obvious one: starting three months before an election of referendum, third country sponsors are banned from advertising.

It seems these rather basic, elementary requirements are too much for Facebook, as the company today announced it’s going to stop offering political advertising in the European Union altogether in October of this year. The company cries on its blog:

Despite extensive engagement with policymakers to share these concerns, we have been left with an impossible choice: alter our services to offer an advertising product which doesn’t work for advertisers or users, without guarantee that our solution would be viewed as compliant, or stop allowing political, electoral and social issue ads in the EU. We’re not the only company to have been forced into this position. Once again, we’re seeing regulatory obligations effectively remove popular products and services from the market, reducing choice and competition.

↫ Sad Facebook

As the link in Facebook’s above lament points out, Google has also decided to stop offering political advertising in the European Union, for the exact same reasons. Facebook and Google are clearly trying to frame this as “bad”, but the only people the removal of hyper-targeted political advertising is bad for are threat actors trying to unduly and illegally influence elections, and of course, for the bottom line of Facebook and Google. Neither of these are of any relevance to the proper execution of fair and free elections, and people all across the European Union will be better off without these two advertising giants providing an easy avenue for shady organisations and foreign entities to unduly influence our elections.

Basically, cry me a river Zuck. Nobody likes you.

14:35

Like Christmas in July [Scripting News]

I've rarely been this happy to receive a new feature.

I have a plan of course. I'll let you know how it goes! :-)

I just got Agent Mode in ChatGPT. 🎉

14:21

Security updates for Friday [LWN.net]

Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).

Job opportunity: Operations assistant at the Free Software Foundation (part-time) [Free software jobs]

The Free Software Foundation (FSF), a Massachusetts 501(c)(3) charity with a worldwide mission to protect computer user freedom, seeks a motivated and talented Boston-based individual to be our operations assistant.

Job opportunity: Deputy director at the Free Software Foundation (part-time exempt) [Free software jobs]

The Free Software Foundation (FSF), a Massachusetts-based 501(c)(3) charity with a worldwide mission to protect computer user freedom, seeks a motivated and talented individual in the Boston area to be our deputy director.

13:49

Modernizing my sound system [Scripting News]

I got tired of my old sound system, too many wires, a big receiver whose functions I never used, all designed long before the 4-year-old 65-inch OLED screen on top of it all, so I downscaled to a Sony soundbar, figured that was as simple as you could get, for $300, thinking of it as an experiment.

I liked it but then I thought to ask ChatGPT a question I've had for a while. I want a small amp designed for today's music and video, and went through a bunch of options and came up with the WiiM Home amp. No speakers, unlike the soundbar, but hooks up to the TV via the ARC connector, and I have plenty of old speakers to try out in this configuration.

I got it yesterday and the setup experience was pretty great and the feature list is totally 2025. Will have more to say for sure.

Rear view of the WiiM Home amp.

PS: It's from a Silicon Valley tech company btw. Nice to see a company just designing nice products and not trying to take over the world.

12:49

Subliminal Learning in AIs [Schneier on Security]

Today’s freaky LLM behavior:

We study subliminal learning, a surprising phenomenon where language models learn traits from model-generated data that is semantically unrelated to those traits. For example, a “student” model learns to prefer owls when trained on sequences of numbers generated by a “teacher” model that prefers owls. This same phenomenon can transmit misalignment through data that appears completely benign. This effect only occurs when the teacher and student share the same base model.

Interesting security implications.

I am more convinced than ever that we need serious research into AI integrity if we are ever going to have trustworthy AI.

12:35

Error'd: It's Getting Hot in Here [The Daily WTF]

Or cold. It's getting hot and cold. But on average... no. It's absolutely unbelievable.

"There's been a physics breakthrough!" Mate exclaimed. "Looking at meteoblue, I should probably reconsider that hike on Monday." Yes, you should blow it off, but you won't need to.

0

 

An anonymous fryfan frets "The yellow arches app (at least in the UK) is a buggy mess, and I'm amazed it works at all when it does. Whilst I've heard of null, it would appear that they have another version of null, called ullnullf! Comments sent to their technical team over the years, including those with good reproduceable bugs, tend to go unanswered, unfortunately."

1

 

Llarry A. whipped out his wallet but baffled "I tried to pay in cash, but I wasn't sure how much."

2

 

"Github goes gonzo!" groused Gwenn Le Bihan. "Seems like Github's LLM model broke containment and error'd all over the website layout. crawling out of its grouped button." Gross.

3

 

Peter G. gripes "The text in the image really says it all." He just needs to rate his experience above 7 in order to enable the submit button.

4

 

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

10:35

10:07

Surprising insights [Seth's Blog]

People like that, like this.

When we can build connections between demographics and psychographics, it’s easier to surprise, delight and serve our customers.

Mail order catalogs have been doing this for years out of necessity. They know something about a person’s geography, income and other demographics, and they make assertions about what they dream about and seek out.

Psychographics are what people choose and believe. Preferring dark chocolate is a choice.

Demographics are what we can tell about someone from their census form. Height, family size and zip code and other easy classifications are easily discovered and fairly fixed data points.

Creating useful assumptions about the connections used to require significant time and money, plus a huge dataset. AI changes that.

You can run a survey of 100 people attending an upcoming conference. Send them all to a free Google form, ask questions about background and preferences, leaving plenty of space for people to write and brainstorm about what they’d like.

Now, simply give the spreadsheet of responses to chatGPT and ask it for surprising insights and correlations.

Humans are terrible at this, because we anchor on extreme responses or gloss over small trends.

Nine years ago, I wrote about the difference between a survey and a census. That distinction is more important than ever. But once we have an AI to dive deep into the surveys we create, they’re no longer bureaucratic defense measures, designed to sit in a drawer. Instead, they give us a chance to be of service.

Continue iterating until you’re no longer surprised.

08:49

08:35

Choosing Sides [Penny Arcade]

New Comic: Choosing Sides

05:07

Girl Genius for Friday, July 25, 2025 [Girl Genius]

The Girl Genius comic for Friday, July 25, 2025 has been posted.

01:14

Thing Festival Cancels One Weekend Due to ICE Concerns [The Stranger]

As always, fuck ICE. by Julianne Bell

Earlier today, the THING Festival announced via social media that it had “made the very difficult decision” to cancel its August 16 date, which had been “specially curated to showcase some of music’s most exceptional Latinx and Spanish-language artists.” 

The statement read, “Community safety concerns have greatly reduced ticket sales, and the uncertainty about artists’ ability to secure the necessary visas has led to our decision. We stand with our broader community and remain committed to prioritizing attendee and artist safety, and to ensure our events are a positive and memorable arts experience. We want to sincerely thank the artists, our community partners and sponsors, and everyone behind the scenes who worked tirelessly to bring this unique event to life.” The organization also noted that all August 16 ticket holders should expect to see refunds returned to their original forms of payment within the next seven to 10 business days.

THING was founded in 2019 and has traditionally been a three-day-long festival in the past, but this year, the organization opted for a new format with a series of events set to take place at Remlinger Farms in Carnation, Washington across four weekends in August. Chilean-Mexican pop singer Mon Laferte was slated to headline the August 16 lineup, along with Yahritza y Su Esencia, Thee Sinseers, Rubén Albarrán, Angélica Garcia, Terror/Cactus and Pahua, and Lucia Flors-Wiseman. 

The festival isn’t the first event to be called off recently under similar circumstances. In June, the Duwamish River Community Coalition canceled the Duwamish River Festival in the South Park neighborhood due to speculation that ICE might target it, and earlier this month, the Burien nonprofit Joyas Mestizas announced that they would cancel the 2025 Pacific Northwest Folklórico Festival, writing, “We are angry at the ICE raids and racist immigration policies that tear families apart, and in canceling our event we commit to prioritizing the safety of our community. As a community organization born from the 20th-century freedom movements, Joyas Mestizas not only understands the arts as essential to pushing against oppression but recognizes folklorico’s continued existence as a testament to our coming together. While we stand firm in our origins, the urgency of our community’s need for safety and security demands immediate action.”

Just earlier this week, Fernando Rocha, the theater manager at Juanita High School was detained by US Immigration and Customs Enforcement. KUOW reported last week that King County passed a resolution on Tuesday, July 15, that would support protections for immigrants and prevent county agencies from sharing sensitive data that could lead to immigrant enforcement.

We’ve reached out to THING Festival’s organizers for comment and will update this article if we hear back.

As always, fuck ICE. 

00:35

World Health Organization bombed, Gaza [Richard Stallman's Political Notes]

*Israel bombs WHO facilities in Gaza as global outcry grows.*

I cannot believe that the Israeli army did not know exactly where to find the WHO facilities. Whether it sought to bomb WHO or neglected to take care to avoid that, it is culpable.

Israel has attacked the UN in another way, by expelling an envoy of UN Office for the Coordination of Humanitarian Affairs.

International condemnation of Israel [Richard Stallman's Political Notes]

* The UK has joined 30 other nations in condemning Israel for depriving Palestinians of "human dignity" as they issued a call for an immediate end to the war in Gaza.*

I am glad to see them ramp up the confrontation with Netanyahu's massive war crimes, but I think it will take more than this to make Israel stop them.

There are the various injustices of the siege of Gaza, and the distribution of food supplies under the control of the same occupying army that causes the shortage.

Immigrants and public services, US [Richard Stallman's Political Notes]

The persecutor plans to expel mixed families (one citizen parent and one non-citizen) out of public housing support.

He will not care whether they end up homeless on the street, or are forced to separate, as long as it causes them plenty suffering and encourages whoever despises others for suffering despise them. Every time he succeeds in causing suffering to people among his designated hate targets, he strengthens his hold over his supporters.

Alligator Alcatraz conditions shock MEX [Richard Stallman's Political Notes]

The prisoners in Alligator Alcatraz are *denied medical [treatment] and living in "cages flooded with feces".*

The president of Mexico says she is trying to get the Mexican citizens in that prison returned to Mexico, because of the inhuman conditions in that prison.

Homeless living, RVs in San Francisco [Richard Stallman's Political Notes]

San Francisco will kick out the people living RVs and offer to perhaps provide subsidized housing to 400 of them. As for the rest, they are welcome to drop dead.

Global climate crisis response loses US [Richard Stallman's Political Notes]

Scientists say that the wrecker has wrecked the capacity of the US to research and respond to global heating.

So much destruction is coming, and apparently the only reason is to boost the profits of planet roasters.

Google buying hydroelectricity [Richard Stallman's Political Notes]

Google has made a large deal to buy the electricity produced by existing hydroelectric facilities.

I don't see that this promotes renewable generation or reduces greenhouse emissions at all. The electricity those generators will make would certainly have been used. This deal won't fund development of more.

It will shift the the money around, as Google buys current from those generators and the rest of us are compelled to buy current from other generators — perhaps at a higher price.

00:28

You can now run graphical applications in Android’s Linux Terminal [OSnews]

The Linux Terminal app that Google introduced earlier this year is one of the most exciting new features in Android, not for what it currently does but for what it can potentially do. The Terminal app lets you boot up an instance of Debian in a virtual machine, allowing you to run full-fledged Linux apps that aren’t available on Android. Unfortunately, the current version of the Terminal app is limited to running command line programs, but that’s set to change in the near future. In the new Android Canary build that Google released today, the Terminal app now lets you run graphical Linux apps.

↫ Mishaal Rahman at Android Authority

It comes with Weston, the reference implementation of a Wayland compositor, allowing you to run a basic graphical environment and accompanying applications. It won’t be long before you can take your Pixel, connect a display, and run KDE. Neat, but so many devils are in so many details here, and there’s so many places where this can fall apart entirely if the wrong decisions are made.

Thursday, 24 July

22:56

Guest Rant: I Ran for Office; Democracy Vouchers Made It Possible [The Stranger]

Vote Yes on Seattle’s Proposition 1
by Teresa Mosqueda

I never thought I’d run for office.

I didn’t come from deep pockets or have personal wealth. I didn’t have a long list of wealthy donors in my phone. Like so many people in our city, I paid rent, carried student loan debt, and worked full-time. Running for office felt out of reach. Then Democracy Vouchers changed everything.

When Seattle voters passed the Democracy Voucher Program, it sent a powerful message: You can run for office without spending your days dialing for dollars. Local government can reflect the people who live here, not just those who can afford to bankroll their own campaigns. That bold choice by voters made Democracy Vouchers a reality, and I had a path to run.

In 2017, I ran for Seattle City Council and became the first first-time candidate in the country to win elected office using Democracy Vouchers. Most of my campaign funds–-65 percent—came from vouchers, and almost everyone who gave did so with their vouchers, only occasionally supplementing with their own dollars. With the support of working people, renters, women, and union members, I ran a campaign powered by everyday people and grassroots donations, not big checks from the wealthy few. I knocked on doors and talked to neighbors about our shared priorities: housing, health, good jobs, and justice. Over and over, people told me, “I’m so glad you’re running. You can have my vouchers.” They were taking an opportunity to invest in someone who represented their values.

That opportunity made a huge difference. That year, more than 16,000 Seattle residents used Democracy Vouchers, which, combined with cash contributors, almost tripled the number of donors from the previous election. Vouchers brought a diverse group of candidates into the race: renters, younger people, people of color, and members of the LGBTQ community. That election resulted in a majority of women and people of color on the city council.

The Democracy Voucher Program is a win on all fronts. It opened the door for a new generation of candidates from communities long excluded from political power. It changed who is donating and engaging in our elections, so more people can support candidates of their choice. And it changed who gets elected, giving everyday people an equal say and allowing more diverse leaders to win.

Democracy Vouchers have made our elections more accessible, our campaigns more accountable, and our democracy more representative.

Let’s keep up the progress by keeping Democracy Vouchers.

This August, Seattle voters will decide on Proposition 1 to renew the Democracy Voucher Program in the August 5 primary election. It’s a critical moment for our city. At a time when democracy is under attack across the country, when voter suppression, big money, and political extremism are on the rise, we can’t afford to go backward. We need to protect what works and what we’ve built together.

Democracy Vouchers gave me the chance to run and win. They’re creating the same opportunities for others, many of whom would never have thought to run, just like I didn’t. Let’s make sure Democracy Vouchers are here for the next generation of leaders, too.

Vote YES on Prop 1.

Teresa Mosqueda is a King County Council Member, representing District 8. 

22:35

FSF40 Hackathon [Planet GNU]

As part of the FSF40 celebrations, we're inviting you to participate in a global, online hackathon to help improve important libre software projects.

21:49

FSF40 celebration [Planet GNU]

We hope you'll join us for the festivities on October 4, 2025, either at the Wentworth Institute of Technology in Boston, MA, USA or online!

21:21

Ticket Alert: Kaytranada x Justice, GIVĒON, and More Seattle Events Going On Sale This Week [The Stranger]

Plus, Countess Cabaret and More Event Updates for July 24
by EverOut Staff

It's ticket alert time! Funky hip-hop musician Kaytranada is teaming up with French electronic duo Justice for a joint tour that will have the crowd on its feet to do the “D.A.N.C.E.” R&B singer GIVĒON will tour with his newly released sophomore album Beloved. Plus, Real Housewife Luann de Lesseps brings her Countess Cabaret to the Showbox stage later this fall. Read on for details on those and other newly announced events, plus some news you can use.

ON SALE FRIDAY, JULY 25

MUSIC

GIVĒON
WaMu Theater (Wed Oct 1)

Hannah Bahng: The Misunderstood World Tour
The Showbox (Sun Nov 16)

Kaytranada x Justice Tour
Climate Pledge Arena (Fri Oct 17)

19:35

Phishers Target Aviation Execs to Scam Customers [Krebs on Security]

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

Image: Shutterstock, Mr. Teerapon Tiuekhom.

A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive’s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company’s customers and partners.

Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer’s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive’s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.

The reader also shared that the email addresses in the registration records for the imposter domain — roomservice801@gmail.com — is tied to many such phishing domains. Indeed, a search on this email address at DomainTools.com finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.

An Internet search for this email address reveals a humorous blog post from 2020 on the Russian forum hackware[.]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. We’ll come back to this research in a moment.

JUSTY JOHN

DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for alhhomaidhicentre[.]biz reference the technical contact of “Justy John” and the email address justyjohn50@yahoo.com.

A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn’t yet have enough information to draw any solid conclusions.

DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain axisupdate[.]net — 7902 Pelleaux Road in Knoxville, TN — also appears in the registration records for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one point included the email address rsmith60646@gmail.com.

That Rsmith Gmail address is connected to the 2012 phishing domain alibala[.]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). A search in DomainTools on the phone number in those domain records — 1.7736491613 — reveals even more phishing domains as well as the Nigerian phone number “2348062918302” and the email address michsmith59@gmail.com.

DomainTools shows michsmith59@gmail.com appears in the registration records for the domain seltrock[.]com, which was used in the phishing attack documented in the 2020 Russian blog post mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.

The same Nigerian phone number shows up in dozens of domain registrations that reference the email address sebastinekelly69@gmail.com, including 26i3[.]net, costamere[.]com, danagruop[.]us, and dividrilling[.]com. A Web search on any of those domains finds they were indexed in an “indicator of compromise” list on GitHub maintained by Palo Alto NetworksUnit 42 research team.

SILVERTERRIER

According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “SilverTerrier” back in 2014. In an October 2021 report, Palo Alto said SilverTerrier excels at so-called “business e-mail compromise” or BEC scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by Interpol. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.

BEC scams were the 7th most reported crime tracked by the FBI’s Internet Crime Complaint Center (IC3) in 2024, generating more than 21,000 complaints. However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with nearly $2.8 billion in claimed losses. In its 2025 Fraud and Control Survey Report, the Association for Financial Professionals found 63 percent of organizations experienced a BEC last year.

Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto’s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.

Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.

“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.

FINANCIAL FRAUD KILL CHAIN

Palo Alto has published a useful list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.

But one recommendation — getting familiar with a process known as the “financial fraud kill chain” or FFKC — bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don’t know it exists until it is too late.

Image: ic3.gov.

As explained in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. According to the FBI, viable victim complaints filed with ic3.gov promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the Financial Crimes Enforcement Network (FinCEN).

The FBI noted in its IC3 annual report (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.

19:00

Slog AM: City Council Ghosts the Renters Commission, the State GOP Is Trying to Suppress the Vote, Trump's in the Epstein Files [The Stranger]

The Stranger's Morning News Roundup. by Marcus Harrison Green

Today's weather is mostly sunny with a high near 78, which means half our fair city will pretend it’s a heatwave while the other half will refuse to give up their Patagonia fleece.

Trump Hangs up Faster Than You Can Say “Flight Log”: Despite Speaker Johnson abruptly shutting down the House, this scandal just won’t die. Turns out Donald Trump was personally told by Attorney General Pam Bondi back in May that his name pops up multiple times in the Epstein files—the very same files the feds promised to release before pulling a hard U-turn. According to The Wall Street Journal, both Bondi and FBI-director-loyalist Kash Patel warned Trump, brushing off the mentions as “unverified hearsay” about his old Epstein hangouts. And Trump? He responded the way any totally innocent person would: by hanging up on CNN. With even some House Republicans now backing Dems to get those files out in the open and Ghislaine Maxwell freshly subpoenaed, the Epstein vortex is sucking DC back into its sleaze orbit. Trump, reportedly “furious,” says there are way more important stories—like his latest attempt to accuse Obama of treason. Uh huh…

Gaza Is Starving While World Leaders Stall: While world leaders churn out limp press releases and squabble over phantom “humanitarian corridors,” more than 100 aid organizations are shouting what should already be unbearable to ignore: Gaza is starving, and Israel’s blockade is to blame. In a searing joint statement titled As Mass Starvation Spreads Across Gaza, Our Colleagues and Those We Serve Are Wasting Away, they describe skeletal children, aid workers collapsing from hunger, and food distribution sites turned into massacre zones. As of July 13, more than 875 Palestinians have been killed while seeking food. Meanwhile, trucks packed with food, clean water, and medicine sit idle just outside Gaza—trapped by a siege designed not to fail, but to punish. “Each morning, the same question echoes across Gaza: will I eat today?” one agency rep said. The answer, too often, is no. This isn’t just a famine. It’s a war crime, and every day the world delays, more lives are lost to the politics of cruelty.

Hellfire Roast: Turns out Starbucks isn’t just serving up venti-sized lattes—it’s pouring out infernal levels of executive greed. Per the AFL-CIO’s new Executive Paywatch report, CEO Brian Niccol made 6,666 times more than the company’s typical worker last year. That’s right: six-six-six-six—a number so cursed it practically demands a goat sacrifice. While Niccol sipped nearly $98 million in compensation, the average barista scraped by on less than $15K. Starbucks claims this is because many workers are part-time, but that hasn’t stopped the company from dropping millions on union-busting lawyers and listening sessions instead of just, you know, paying people more. Workers have been striking, organizing, and dragging the company into court for years—meanwhile, Niccol’s getting a fat Trump-era tax cut on top of his stock-heavy bonus package. That mocha latte might taste a little more bitter now.

The Government Just Ghosted Your Debt Relief: So, the Department of Education just hit pause on student loan forgiveness for folks in Income-Based Repayment plans. Which means if you’ve been grinding for years thinking you were finally done, the government’s like, “Actually, we need to recalculate your trauma first.” Interest kicks back in August 1, the tax break on forgiven debt expires in January, and a Trump administration, already hostile to student debt relief, most likely slow-walking the loan forgiveness process like it's a hostage negotiation. God forbid working people catch a break without crawling through a decade of red tape and moral judgment.

Now, let us get into the tragicomedy that is our local news…

Fergie Has Some ‘Splaining to Do: While Gov. Ferguson was thwarting taxes on billionaires last budget session, he somehow missed the stack of misconduct allegations piling up against his right-hand man, Mike Webb. Axios reports that although Webb resigned this year after multiple women accused him of creating a hostile work environment, red flags on the guy go back to 2013, with state auditors raising alarms as far back as 2019 with Ferguson’s office. The paraphrased response from Ferguson’s crew at the time? No formal HR complaint, so we’re good. Political code for “If you didn’t notarize your trauma, it doesn’t count.” And the kicker? Webb’s still tagging along and flying shotgun on campaign trips with Ferguson’s team as recently as last month. Apparently, in state politics, being a powerful creep doesn’t get you canceled. It gets you extra leg room.

No Last Words, Just Lasting Rage: At his sentencing for the brutal murders of four University of Idaho students, Bryan Kohberger sat stone-faced and silent—offering zero explanation, zero remorse, and zero closure to the families he devastated. Prosecutors didn’t bother pushing for a plea deal that would force him to speak, because let’s be real: no one needed more self-serving nonsense from a guy who thinks silence makes him mysterious instead of monstrous. The Goncalves family, especially Kaylee’s sister Alivea, didn’t hold back—calling him “pathetic” and making it crystal clear he only succeeded because he attacked in the dark, like a coward. No motive, no mercy, no justice—just a courtroom full of grief staring down a man who will never give them what they actually deserve.

Court Upholds Birthright Citizenship, for Now: A federal appeals court has ruled Trump’s executive order to end birthright citizenship unconstitutional, echoing a previous decision from a New Hampshire district court. Essentially, Terror 47 tried to rewrite the Constitution with magic marker, and the courts just reminded him that reality still exists. The ruling simply states what every exhausted civics teacher in America has been screaming into the void: you can’t undo the 14th Amendment just because it ruins your fascist fantasy. Washington was one of the states to bring the case against the administration.

Fire in the Central District: A fire tore through Seattle’s Chinatown International Central District early Thursday, starting in a vacant home under construction and spreading to several neighboring homes, displacing multiple families. Thankfully, no residents were seriously hurt, although one firefighter was treated for minor injuries. The city is currently investigating the cause of the fire.

Can’t Win in Court? Block the Judge: Municipal Court Judge Damon Shadid just dragged City Attorney Ann Davison’s office in open court for what looks like a power-hungry, politically motivated stunt—blocking Judge Pooja Vaddadi from hearing DUI and domestic violence cases based on what Vaddadi says are straight-up lies. Davison’s move, which sidelined a newly elected judge and basically turned a voter mandate into a desk job, has now triggered a formal bar complaint and serious questions about ethics, transparency, and who actually gets to wield power in Seattle’s justice system. And now, as Davison runs for reelection with MAGA baggage and a suddenly fat campaign account, she’s facing three challengers who seem more interested in actual justice than playing courtroom politics.

Do Not Sign This Shit! In a raging case of voter suppression FOMO, Washington state conservatives are pushing a ballot initiative to literally gatekeep democracy. It's the bureaucratic equivalent of “Show us your papers, comrade,” as if the right to vote should come with a TSA checkpoint and a scavenger hunt for your birth certificate. No more checking a box. It would now be, prove you’re American enough, or get the hell out of the ballot line. Let’s just be real: the GOP doesn’t fear non-citizens voting. They fear citizens voting against them. If they can’t win your vote, they’ll sure as hell try to make it as hard as possible to vote in the first place.

Waterfront Park Officially Opens: Our Emerald City officially unveiled its latest glow-up moment with the opening of the new Waterfront Park. Yes, 50,000 square feet of vibes where a collapsing highway used to loom like a concrete guillotine. After 15 years, we get a jellyfish-shaped playground, a fountain plaza, and 270 free events later this Summer. Essentially, it’s the city saying, “Sorry about the viaduct drama, here’s some yoga and a couple of food pop-ups.”

Seattle Loves Renters So Much It Won’t Even Let Them Meet: For 18 months, Cathy Moore basically ghosted the Seattle Renters’ Commission. There were no hearings, no appointments, nothing, while she pushed bills that would’ve made it way easier to evict people. Flash forward: she resigns, and just when it looks like the commission might finally get seated, Councilmembers Rob Saka and Sara Nelson pull a classic Sorry, can’t come, super busy avoiding the duties we were elected to fulfill move and tank the meeting by skipping it. Meanwhile, renters—many of them volunteers who took time off work—showed up ready to serve their community, only to get hit with silence, shade, and a 404 error from Saka’s office. You can’t make this up.

Donnie Chin Honored: Ten years after Donnie Chin was shot and killed while responding to a 911 call, the Chinatown-International District showed up, not just to mourn, but to remember a man who basically did the city’s job for it. Donnie wasn’t just a first responder; he was the first responder, often beating cops and medics to the scene because the system didn’t care enough to show up for his community. And here’s the part that still stings: a decade later, his murder is still unsolved.

Your Obligatory Seahawks 411: For the 5 percent of you who actually care and the 15 percent who just want to survive small talk with your partner’s meathhead sibling, here’s your Seahawks update. They just kicked off training camp for their 50th season with a new offensive coordinator, a quarterback best known for seeing “ghosts” mid-game, and the kind of blind optimism usually reserved for football fans and people joining multi-level marketing schemes. Last year, they went 10-7 and still missed the playoffs. But hey, if the defense stays mean, the rookies stay healthy, and the offense stops self-sabotaging, they might just luck their way into the postseason.

Death gives Hogan the big boot: I’m a firm believer that you shouldn’t valorize people, simply because their heart stops beating. So, I won’t pretend Hulk Hogan was anything but what he was. He died at 71 from cardiac arrest in Florida, leaving behind a legacy as bloated and performative as pro wrestling itself. Yes, he helped turn wrestling into a pop culture juggernaut, but he also brought us sex tapes, racist rants, and more tall tales than a televangelist on mushrooms—Elvis was a Hulkamaniac? Really? Even in death, Hogan is less a man than a cautionary tale—part myth, part lawsuit, and all-American spectacle, brother.

I’ll Leave You With this: someone just randomly texted me that it’s Jennifer Lopez’s birthday. I’m not a fan, so I’m not sure why I needed that information, but apparently she’s completed her 56th lap around the sun. In honor of the occasion, and because LL Cool J is involved, here’s her most tolerable song.

18:14

How can I wait until a named object (say a mutex) is created? [The Old New Thing]

A customer used a named mutex as a way to detect that another instance of the program is already running. This is pretty standard.

They also used the presence of the mutex to indicate that the program is ready to receive work requests: When the program creates the mutex, this prevents new instances from running, and it also announces that the program is open for business.

The customer had a manager program that launched this program and wants the manager to wait until the mutex is created before it starts submitting work. They wanted to know if there is a way (other than polling) to wait for a mutex to be created.

No, there is no general way to receive a notification when a named kernel object is created.

One idea is to use a named manual-reset event (initially unsignaled), and have the program signal the event when it is ready to accept work. The manager program waits on that event. The program resets the event when it shuts down to indicate that it cannot accept work.

Unfortunately, this solution doesn’t work if the program crashes before it can reset the event. Handles are automatically closed when a program crashes. Closing a mutex handle implicitly releases it (marking the mutex as abandoned) but closing an event does not reset it. This means that the next time the manager launches the program, it will think that the program is ready, even though the program hasn’t even started.

I tried to come up with a solution for this, since Windows doesn’t have “auto-set events”.

One idea was to use a named shared memory block (protected by a named mutex) that contains the worker program’s PID and creation time (because the PID and creation time uniquely identify a program on a system), as well as the name of an event that the manager wants the worker program to set. The manager program opens (or creates if necessary) the shared memory block and checks the PID/time. If not valid, then the previous worker program exited, so the manager generates a new event name and writes it to the shared memory block, then launches the worker program and waits for that event to be set (or for the worker program to exit). If the PID/time is valid, then the worker is still running, and it can just wait on the event.

I also considered using an opportunistic lock as a signal: The manager program opens a file with an opportunistic lock, and the worker program opens that file for writing when it’s ready. Opening for writing breaks the lock.

But then I realized that Windows already has an entire infrastructure for “launching a program and waiting for it to be ready”: COM local servers.

You can Co­Create­Instance a COM local server, and COM will launch the server process and wait for it to finish initializing and call Co­Register­Class­Object, at which point it will use that class object to obtain an instance and return it. Somebody else has already done the work of ensuring that only one copy is running and waiting for it to be ready. You can use the returned COM object to communicate with the server program, and you can release the COM object to tell the server that you don’t need it any more.

¹ Note that this overloading of the mutex is already a problem, because it means that the program cannot detect whether it should run until it is ready to run. The rule that the mutex cannot be created until the program is ready means that if two copies start at the same time, both of them will think that they are “the one” and will prepare to receive work. Whoever becomes ready first will claim the mutex, and the other will realize, at the end of all its hard work, that it is no longer needed.

The post How can I wait until a named object (say a mutex) is created? appeared first on The Old New Thing.

16:35

Pluralistic: Trump's FCC abandons the future (24 Jul 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


The Earth, suspended in space. It is topped with Trump's hair. A poop emoji with Elon Musk's face orbits it, beaming a cone of shit-colored radio waves over its surface.

Trump's FCC abandons the future (permalink)

The corollary of "you treasure what you measure," is "you don't give a shit about what you stop measuring," which is why Trump's FCC has decided to stop measuring the speed of the broadband it subsidizes with billions in public funds:

https://www.theregister.com/2025/07/22/biden_broadband_benchmarks_are_bs/

Getting broadband to the American public has been a policy priority since 1996, when the Telecommunications Act established a duty for the FCC to produce annual reports about the progress of America's sclerotic telcoms monopolies in rolling out advanced network services:

https://www.congress.gov/104/plaws/publ104/PLAW-104publ104.pdf

It's a universal truth that these incumbent communications companies love collecting public broadband subsidies, but they hate investing in broadband. From wireless companies that demand exclusive access to spectrum and then never bother to use it (and howl like enraged baboons whenever anyone proposes taking that fallow spectrum back) to cable and phone companies who demand billions in indirect subsidies (intra- and inter-city rights of way) and direct subsidies (billions in cash) and refuse to upgrade their switching or lines:

https://arstechnica.com/tech-policy/2020/04/frontier-botches-redaction-reveals-952000-potential-network-problems/

Despite what these companies would have you believe, running wires from point a to point b (or even from point a to every point b inside of city limits or at the end of every lonely country road in the county) is not the lost art of a fallen civilization. Figuring out how to pull fiber to every American is just a (very large) logistical task – it's not like we're asking them to embalm a Pharaoh or built a pyramid without any power-tools. This is just cable-pulling, it's not fucking Stonehenge.

And fiber is awesome. Each strand of fiber carries thousands of times more data than a copper phone or cable-wire is capable of, and millions of times more data than wireless can transmit. But no one pulls just one strand of fiber: fiber is cheap as hell to manufacture, so fiber loops have many strands:

https://pluralistic.net/2021/07/03/beautiful-symmetry/#fibrous-growth

Fiber is the future. Fiber is future-proof. The telcoms industry hates fiber, and Trump's FCC is so totally supine, so utterly captured by the telcoms industry, that it is abandoning fiber, even as it continues to shovel billions into the coffers of these dogshit companies to wire up the rural Americans who voted Trump into office, only to get shafted (again).

Remember DOGE? Remember Trump's promise to root out "government inefficiency and waste?" Apparently, they skipped the FCC, which previously handed out $45b to incumbent telcos to wire up rural America, only to have every cent of that wasted on copper lines (why they bothered with copper when America has so many idle tin cans and length of binder-twine, I'll never understand):

https://web.archive.org/web/20210408230323/https://conexon.us/conexon-blog/sunk-costs-a-cautionary-tale/

Now, Trump's FCC is doing it again, but it's not just the copper barons they're giving a handout to. In its communique killing broadband measurement, Trump's FCC says that focusing on broadband speed "risks skewing the market by unnecessarily potentially picking technological winners and losers." What they mean is that if they insist on measuring broadband speeds before handing out rural broadband subsidies, the only companies that will get those subsidies are the ones that provide fast broadband.

Won't someone think of the shitty, slow internet providers? Especially the fixed wireless and (especially) satellite internet providers, most notably Starlink, the brainchild of former First Buddy and DOGE Obergruppenführer Elon Musk.

While a satellite constellation like Starlink has many great use-cases (ships, planes, temporary encampments), these use-cases do not in any way add up to a profitable business, given the extraordinary expense of launching and re-launching a gazillion satellites (to say nothing of the dangers these pose to other users of stable orbits, and the problems they pose for astronomers).

The only way to make Starlink profitable is to get everyone to use it, and therein lies the problem, because Starlink is cursed with something business professionals call "dogshit unit-economics." Every time you add a new user to Starlink, everyone nearby gets slower internet:

https://www.washingtonpost.com/technology/2025/07/18/starlink-internet-satellite-speed-elon-musk/

That's because they're all sharing the same spectrum, within the footprint of the satellite they're connecting to. Starlink can make some marginal improvements by increasing the number of satellites and shrinking their footprints, and by getting licenses to more radio spectrum, but these quickly hit the hardest of limits: the financial limitations of increasing the number of satellites per customer, and the natural limits of pumping more radio-energy between satellites and ground stations (beyond a certain point, you start cooking passing birds on the wing).

Musk has a powerful reality-distortion field, but the fact that physics hates satellite broadband cannot be overcome by shitposting, cosmetic surgery, buying elections, or wanting it really badly. You can only add more satellites and spectrum for so long – eventually, improving the unit-economics of satellite internet requires adding new universes.

It's funny that Musk styles himself the "Technoking," because the thing that ushered in the Century of Tech was amazing unit-economics (the internet and computers get better and cheaper as they advance), while everything Musk loves is cursed with dogshit unit-economics.

Take cars: Musk hates public transit ("there’s like a bunch of random strangers, one of who might be a serial killer"):

https://www.wired.com/story/elon-musk-awkward-dislike-mass-transit/

He insists that if you just add enough self-driving smarts to cars, and possibly dig enough tunnels, you can somehow beat the inexorable dogshit unit-economics of an automotive society, where every driver who shares the road with you makes your car worth less as a transportation system. This is nonsense. A train, a tram, even a bus, can transport dozens, hundreds or even thousands of people at a time. A bunch of single-occupancy robot-taxis simply occupy too much space to be efficient – multiply the number of people by the number of cars by the miles they wish to travel and simply fitting them on the road requires adding so much more road that everything gets further apart, meaning more cars, more roads, and more distance. It's a Red Queen's Race that you can't win.

In other words, geometry hates cars, even more than Elon Musk hates public transit:

https://pluralistic.net/2022/02/11/bezzlers-gonna-bezzle/#gryft

Then there's AI, the dogshittiest of all the dogshit unit economics. While every successful technology has seen fantastic network effects and returns to scale, each generation of AI has been more expensive to train and to operate, and every new AI user makes AI more expensive:

https://www.wheresyoured.at/wheres-the-money/

Computer science hates AI, so naturally, Elon Musk loves it. This is a guy who can only succeed by triumphing over physics, geometry, and computer science. He is not going to accomplish any of this.

The common thread joining all of Musk's doomed love-affairs is that all the stuff he's obsessed with is useful in limited ways, but don't work at mass scale. As such, much of their potential will require public financing to be realized. There's plenty of useful things you can do with AI, but they don't add up to enough to justify the capex that goes into model-training nor the opex that goes into running the energy-hungry, water-thirsty foundation models. There's plenty of useful limited applications for self-driving vehicles, but they're all niches like closed-track airport terminal shuttles or closed-site mining vehicles. And, as noted, there's many remote and temporary sites that can benefit from satellite broadband, but they don't justify the titanic expense of operating Starlink.

Even space travel is useful as a scientific enterprise, while space colonization is unbelievably stupid and impractical, and has dogshit unit-economics that put even AI in the shade:

https://pluralistic.net/2024/01/09/astrobezzle/#send-robots-instead

It's not that Musk hates public subsidies. Like the telcoms sector, he's addicted to public money. The only reason Tesla is profitable is its gigantic, Obama-era bailout, and the ongoing clean-energy subsidies that Musk and Trump are warring over:

https://www.politico.com/news/2025/01/18/musk-tesla-climate-credits-trump-00198794

Despite his rhetoric, Musk supports vast public expenditures, but only when they are earmarked to his doomed projects so that he can keep trying to make fetch happen, absorbing endless public riches while assuming no public duties.

Musk is no Technoking, but he's a strong contender for Enshittification King: a guy who taps the capital markets and Uncle Sucker for funds he can use to subsidize the initial rollouts of his stupid ideas, in the hopes of becoming so indispensable that he later can squeeze both business customers and end users for ever-larger sums to keep the illusion afloat (think of the junk fees he's piled onto Twitter users and publishers).

The thing is, we know how to roll out ultra-fast, reliable, future-proof internet. All it takes is for public subsidies to come with public duties, like a duty to preference futuristic, high-capacity fiber over gimmicks like satellite "broadband." This isn't a leftist plot, either. Just look at this map of community fiber networks, which are most heavily concentrated in red states (because rural communities aren't gonna get fiber from the private sector, and they skew Republican):

https://communitynetworks.org/content/community-network-map

These are among the only Americans who like their ISPs, a sector whose dominant players routinely win annual "Worst Company in America" polls. Republicans are perfectly capable of providing their voters with an efficient, nutritious high-fiber diet, as they do in Utah, where the "Utopia" initiative is blanketing the blood-red state with publicly managed fiber:

https://pluralistic.net/2024/05/16/symmetrical-10gb-for-119/#utopia

But the Republican base has spent decades on the receiving end of an expensively funded campaign to get them to view fiber as a literal communist plot. It's wild, because if you're a swivel-eyed loon who's been kicked off of Big Tech for insisting that Obama told the lizard people to hide 5g nanocites in MRNA vaccines, fiber would let you run your own competing free-for-all service from your garage:

https://pluralistic.net/2021/01/17/turner-diaries-fanfic/#1a-fiber

And of course, governments – unlike corporations – are bound by the First Amendment, so publicly funded systems are far more limited in how they may moderate user speech than private sector systems.

Notwithstanding these 1A strictures, it's not unreasonable to want to have alternatives to publicly run services. I wouldn't want Ken Paxton – or Donald Trump – making moderation decisions for my broadband connection. But public network provision doesn't have to mean that you get your broadband from whatever shitshow is currently occupying your city hall. Public fiber can also mean "essential facilities sharing" (where competing ISPs can install their own switches in the data-centers where the fiber terminates). It can mean public conduit that anyone can lease space in and run fiber through. It can mean a whole infrastructural stack that is available to all comers: public sector ISPs, but also civil society groups, co-ops, tinkerers, universities, and small and large ISPs:

https://pluralistic.net/2025/06/25/eurostack/#viktor-orbans-isp

That's the vision that the FCC is running away from, as fast as its little hooves can carry it. Instead of using public funds to provide a public good, they're subsidizing Musk's war on physics and the telco sector's war on maintenance. The country that gave birth to the internet in the 1970s is set to preserve that Nixon-era copper infrastructure thorough the 21st century, even as the rest of the world rockets past us on blazing fast fiber.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Would you give a fiver a month for a UK tech/civil liberties org? https://web.archive.org/web/20050726235521/http://www.pledgebank.com/rights

#15yrsago The comics Bill Watterson sent to Berkeley Breathed https://web.archive.org/web/20100728151135/https://tvbarn.com/tv-barn/comic-con-2010/

#15yrsago Interview: Ian McDonald’s research secrets revealed https://web.archive.org/web/20100726181934/http://www.cclapcenter.com/2010/07/an_interview_with_ian_mcdonald.html

#5yrsago BLM footage censored by copyright bots https://pluralistic.net/2020/07/23/circuit-split/#dolphins-in-tuna-nets

#5yrsago Where Will Everyone Go https://pluralistic.net/2020/07/23/circuit-split/#migration-models

#5yrsago Canadian judge invalidates Safe Third Country Agreement https://pluralistic.net/2020/07/23/circuit-split/#kids-kages-kanada

#1yrago Holy CRAP the UN Cybercrime Treaty is a nightmare https://pluralistic.net/2024/07/23/expanded-spying-powers/#in-russia-crime-cybers-you

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Canny Valley: A limited edition collection of the collages I create for Pluralistic, self-published, September 2025

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026

  • The Reverse-Centaur's Guide to AI, a short book about being a better AI critic, Farrar, Straus and Giroux, 2026


Colophon (permalink)

Today's top sources:

Currently writing:

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. (1033 words yesterday, 9185 words total).

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

15:56

Link [Scripting News]

BTW, this business with Trump and the Fed is almost exactly what I wanted Obama to do with Garland when McConnell refused to hold hearings. Walk him over to the Supreme Court, unlock his office, swear him in and get back to work. Sometimes you just do it. The Dems weren't pragmatic that way.

15:49

Wayback 0.1 released [LWN.net]

Version 0.1 of the Wayback project has been released:

Wayback is an X11 compatibility layer that allows for running full X11-only desktop environments using Wayland. It is essentially an X11 server backed by Wayland, leveraging wlroots and Xwayland. Our goal is for Wayback to eventually be a completely drop-in replacement to the Xorg binary, thus reducing maintenance burden for distro maintainers.

Ever since Wayback was announced on June 28, we have been making lots of progress to get it as stable and functional as possible, and while this is a preview release it is already daily-driveable by users with simple requirements, as long as they don't mind bugs.

The release is considered alpha-quality and is missing a number of features, including multi-monitor support and DPMS, but adventurous users can find the code here.

15:07

Four new stable kernels [LWN.net]

The 6.15.8, 6.12.40, 6.6.100, and 6.1.147 stable kernels have been released. Each contains important fixes throughout the kernel tree, as usual.

[$] Graphene OS: a security-enhanced Android build [LWN.net]

People tend to put a lot of trust into their phones. Those devices have access to no end of sensitive data about our lives — our movements, finances, communications, and more — so phones belonging to even relatively low-profile people can be high-value targets. Android devices run free software, at least at some levels, so it should be possible to ensure that they are working in their owners' interests. Off-the-shelf Android installations tend to fall short of that goal. The GrapheneOS Android rebuild is an attempt to improve on that situation.

Security updates for Thursday [LWN.net]

Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).

14:42

Updated regulator [RevK®'s ramblings]

I do a lot of circuits, and they all use the same basic design for power supply. OK, technically not quite, I have one for battery and one for USB+DC. But the latter is a basic buck regulator.

I revise the design from time to time and newer and better chips come out and as I learn more.

The latest design is using a TI buck regulator based design using a TPS562246. This is a big step up from the MD8942. The key difference is the old design was 600mA and the new design is 2A.

Do I need 2A?

For almost all of my boards the answer is no, the ESP32 can peak to 500mA with WiFi apparently. 600mA is close but enough. But some boards have other peripherals and you soon find you really want a supply rated over 600mA - even adding just 10 of the small WS2812 diodes can hit 100mA total when fully lit and some of my boards have more than that. Some have GPS modules and a lot more.

Why TI?

They are a well known and competent brand with good data sheets.

Will it make any difference?

The main difference is many of my designs would take a DC input 5V to 35V, and now 5V to 17V. I think for almost all cases this is not an issue. Being able to run off 12V DC or some 13.5V or similar battery based 12V, is what is needed (and I do all sorts of stuff at that level).

I think it will result is less ripple, and allow more peripherals within the power budget.

Fun?

As always, I am learning a lot - finding the right components, the inductor with low enough resistance, caps that work in the required temperature range, careful PCB layout. It has indeed been fun.

So, yes, many of my designs will undergo an upgrade over time.

14:21

Link [Scripting News]

When trying to "work" with ChatGPT, realize that it's mistakes could be much worse than you could possibly imagine. It could be leading you down a blind alley. You must always consider how full of shit it is. It may not just be making things up, but it could not understand something very basic about what you're doing. There's no limit to the ways it can be wrong. And you can waste whole programming sessions chasing a solution where none could possibly every under any circumstances be found. The level of bullshit is sometimes hard to fathom.

14:00

The Big Idea: Payton McCarty-Simas [Whatever]

It may not be Halloween, but that shouldn’t stop you from learning about the history of depictions of witches throughout the decades in film and media. Author and witch-film-connoisseur Payton McCarty-Simas is here today to take you through a wild ride (on a broomstick) over feminism, horror, and women, in her new book, That Very Witch: Fear, Feminism, and the American Witch Film.

PAYTON MCCARTY-SIMAS:

More than anything else, my book, That Very Witch: Fear, Feminism, and the American Witch Film, is the product of hundreds of hours spent watching movies. I started the project that eventually became this book in college–– or, more specifically, during COVID, revisiting some of my comfort movies during lockdown. As I worked my way through more recent favorites like The Witch and Color Out of Space and old standbys like Rosemary’s Baby and George Romero’s Season of the Witch, I started noticing visual and thematic patterns. Soon, I was hooked on witch films (though as my list of favorites might suggest I always have been), and I started watching in earnest. 

The big idea of That Very Witch is that, by tracing how depictions of witches evolve and change in American horror cinema over time, we can learn about the state of feminism in a given moment, essentially taking the cultural temperature in the process. I trace specific threads through the decades––namely psychedelic imagery, counterculturalism, and feminine rage among others––but each and every smaller idea relied on a huge amount of cinematic data to really put my finger on. I watched over three hundred hours of film for this project, noting different patterns and shifts from decade to decade over hundreds of pages of notes, several Letterboxd lists, and a slightly unhinged-looking conspiracy board. 

While all genres move in cycles that capitalize on trends––consider the YA dystopian romance boom that followed The Hunger Games––horror is particularly trenchant given the films’ consistent popularity, relatively low budgets, and quick turnarounds. Simply put, the industry makes a lot of horror movies looking for a quick buck, and, given that profit-motive, producers are always responding to popular demand for a given subject. The terrifying proto-viral success of The Blair Witch Project gives us an explosion of found footage horror, and eventually the runaway blockbuster that was Paranormal Activity, which in turn gives us a rash of suburban hauntings, and so on. As scholars like Robin Wood have long suggested, then, horror can be viewed as an extension of our collective unconscious (in his words our “collective nightmares”), our national fears made manifest at the intersection of broad commercial incentives, personal artistic impulses, and the zeitgeist. 

When it comes to witches, I noticed that in moments of high-profile feminist activism, say, the 1960s or the 2010s, witches become more popular––and more frightening––on screen. That’s not to say that witches disappear in other eras, far from it. But the characters of those depictions take on different tones and valences depending on the politics and trends of the moment, and that’s just as indicative of the politics of the age. Witches can be mall goths or hippie chicks, old women in pointy hats or teenage girls in low-rise jeans and lip gloss (or all of the above!) depending on the decade. They can be frightening or funny or fierce. But it takes a lot of hours of films, not to mention countless hours of historical research, to understand what depictions are most common when, and why. 

That Very Witch: Amazon|Barnes & Noble|Bookshop |Kobo|Waterstones

Author’s socials: Website|Instagram|Tumblr|Letterboxd

Read an excerpt.

13:35

Link [Scripting News]

You can see from this Bluesky post that I do copy-edit my linkblog items, but not enough. The web isn't a write-only medium, so to say that Bluesky is part of the web, well in this way it isn't.

13:07

CodeSOD: ConVersion Version [The Daily WTF]

Mads introduces today's code sample with this line: " this was before they used git to track changes".

Note, this is not to say that they were using SVN, or Mercurial, or even Visual Source Safe. They were not using anything. How do I know?

/**
  * Converts HTML to PDF using HTMLDOC.
  * 
  * @param printlogEntry
  ** @param inBytes
  *            html.
  * @param outPDF
  *            pdf.
  * @throws IOException
  *             when error.
  * @throws ParseException
*/
public void fromHtmlToPdfOld(PrintlogEntry printlogEntry, byte[] inBytes, final OutputStream outPDF) throws IOException, ParseException
        {...}

/**
 * Converts HTML to PDF using HTMLDOC.
 * 
 * @param printlogEntry
 ** @param inBytes
 *            html.
 * @param outPDF
 *            pdf.
 * @throws IOException
 *             when error.
 * @throws ParseException
 */
public void fromHtmlToPdfNew(PrintlogEntry printlogEntry, byte[] inBytes, final OutputStream outPDF) throws IOException, ParseException
        {...}

Originally, the function was just called fromHtmlToPdf. Instead of updating the implementation, or using it as a wrapper to call the correct implementation, they renamed it to Old, added one named New, then let the compiler tell them where they needed to update the code to use the new implementation.

Mads adds: "And this is just one example in this code. This far, I have found 5 of these."

[Advertisement] ProGet’s got you covered with security and access controls on your NuGet feeds. Learn more.

12:49

Link [Scripting News]

Question: I have a site with a well developed set of categories, I've added to it carefully over a few months, it covers most of the topics I write about. Another site has a small set of categories. I write all my WordPress posts in the same editor, and could easily set it up so that all categories were available to me in every site I post to. The question: Is that a good practice in the world of WordPress? I noticed that categories are given global ID's so if I use a category like "movies" it will have the same ID as yours has on your sites. I love this idea of a global namespace for categories, and see it as something that could be adopted by sites written in any other writing environment. Anyway, if you have a moment to comment, I'd appreciate your ideas. Update: Jeremy Herve, a WordPress developer explains.

12:14

Urgent: Discharge petition for vote on Protect America's Workforce Act [Richard Stallman's Political Notes]

US citizens: phone your Congresscritter at 844-994-4554 and urge her to sign the discharge petition so the House can vote on the Protect America's Workforce Act.

History of American superheroes [Richard Stallman's Political Notes]

The history of American superheroes — fighting injustice including bigotry, and expressing respect for immigrants, from the 1930s to today.

Inventing a character named "Superman" in 1938 who is an immigrant can be seen as a way of giving Nazis the finger.

Using LLM to fix real software bugs [Richard Stallman's Political Notes]

An experiment asks real developers to fix real bugs in real software, each day randomly asked to use a bullshit generator (LLM) or not to use it. They generally expected that their work would go faster using the LLM, but instead it slowed them down.

Side issue:

I am disappointed that this article promotes the amoral "open source" philosophy instead of the moral philosophy of the free software movement. But that doesn't invalidate the experiment itself.

12:07

Generative AI in the Real World: Phillip Carter on Where Generative AI Meets Observability [Radar]

Phillip Carter, formerly of Honeycomb, and Ben Lorica talk about observability and AI—what observability means, how generative AI causes problems for observability, and how generative AI can be used as a tool to help SREs analyze telemetry data. There’s tremendous potential because AI is great at finding patterns in massive datasets, but it’s still a work in progress.

About the Generative AI in the Real World podcast: In 2023, ChatGPT put AI on everyone’s agenda. In 2025, the challenge will be turning those agendas into reality. In Generative AI in the Real World, Ben Lorica interviews leaders who are building with AI. Learn from their experience to help put AI to work in your enterprise.

Check out other episodes of this podcast on the O’Reilly learning platform.

Timestamps

  • 0:00: Introduction to Phillip Carter, a product manager at Salesforce. We’ll focus on observability, which he worked on at Honeycomb.
  • 0:35: Let’s have the elevator definition of observability first, then we’ll go into observability in the age of AI.
  • 0:44: If you google “What is observability?” you’re going to get 10 million answers. It’s an industry buzzword. There are a lot of tools in the same space.
  • 1:12: At a high level, I like to think of it in two pieces. The first is that this is an acknowledgement that you have a system of some kind, and you do not have the capability to pull that system onto your local machine and inspect what is happening at a moment in time. When something gets large and complex enough, it’s impossible to keep in your head. The product I worked on at Honeycomb is actually a very sophisticated querying engine that’s tied to a lot of AWS services in a way that makes it impossible to debug on my laptop.
  • 2:40: So what can I do? I can have data, called telemetry, that I can aggregate and analyze. I can aggregate trillions of data points to say that this user was going through the system in this way under these conditions. I can pull from these different dimensions and hold something constant.
  • 3:20: Let’s look at how the values differ when I hold one thing constant. Let’s hold another thing constant. That gives me an overall picture of what is happening in the real world.
  • 3:37: That is the crux of observability. I’m debugging, but not by stepping through something on my local machine. I click a button, and I can see that it manifests in a database call. But there are potentially millions of users, and things go wrong somewhere else in the system. And I need to try to understand what paths lead to that, and what commonalities exist in those paths.
  • 4:14: This is my very high-level definition. It’s many operations, many tasks, almost a workflow as well, and a set of tools.
  • 4:32: Based on your description, observability people are sort of like security people. WIth AI, there are two aspects: observability problems introduced by AI, and the use of AI to help with observability. Let’s tackle each separately. Before AI, we had machine learning. Observability people had a handle on traditional machine learning. What specific challenges did generative AI introduce?
  • 5:36: In some respects, the problems have been constrained to big tech. LLMs are the first time that we got truly world-class machine learning support available behind an API call. Prior to that, it was in the hands of Google and Facebook and Netflix. They helped develop a lot of this stuff. They’ve been solving problems related to what everyone else has to solve now. They’re building recommendation systems that take in many signals. For a long time, Google has had natural language answers for search queries, prior to the AI overview stuff. That stuff would be sourced from web documents. They had a box for follow-up questions. They developed this before Gemini. It’s kind of the same tech. They had to apply observability to make this stuff available at large. Users are entering search queries, and we’re doing natural language interpretation and trying to boil things down into an answer and come up with a set of new questions. How do we know that we’re answering the question effectively, pulling from the right sources, and generating questions that seem relevant? At some level there’s a lab environment where you measure: given these inputs, there are these outputs. We measure that in production.
  • 9:00: You sample that down and understand patterns. And you say, “We’re expecting 95% good—but we’re only measuring 93%. What’s different between production and the lab environment?” Clearly what we’ve developed doesn’t match what we’re seeing live. That’s observability in practice, and it’s the same problem everyone in the industry is now faced with. It’s new for so many people because they’ve never had access to this tech. Now they do, and they can build new things—but it’s introduced a different way of thinking about problems.
  • 10:23: That has cascading effects. Maybe the way our engineering teams build features has to change. We don’t know what evals are. We don’t even know how to bootstrap evals. We don’t know what a lab environment should look like. Maybe what we’re using for usability isn’t measuring the things that should be measured. A lot of people view observability as a kind of system monitoring. That is a fundamentally different way of approaching production problems than thinking that I have a part of an app that receives signals from another part of the app. I have a language model. I’m producing an output. That could be a single-shot or a chain or even an agent. At the end, there are signals I need to capture and outputs, and I need to systematically judge if these outputs are doing the job they should be doing with respect to the inputs they received.
  • 12:32: That allows me to disambiguate whether the language model is not good enough: Is there a problem with the system prompt? Are we not passing the right signals? Are we passing too many signals, or too few?
  • 12:59: This is a problem for observability tools. A lot of them are optimized for monitoring, not for stacking signals from inputs and outputs.
  • 14:00: So people move to an AI observability tool, but they tend not to integrate well. And people say, “We want customers to have a good experience, and they’re not.” That might be because of database calls or a language model feature or both. As an engineer, you have to switch context to investigate these things, probably with different tools. It’s hard. And it’s early days.
  • 14:52: Observability has gotten fairly mature for system monitoring, but it’s extremely immature for AI observability use cases. The Googles and Facebooks were able to get away with this because they have internal-only tools that they don’t have to sell to a heterogeneous market. There are a lot of problems to solve for the observability market.
  • 15:38: I believe that evals are core IP for a lot of companies. To do eval well, you have to treat it as an engineering discipline. You need datasets, samples, a workflow, everything that might separate your system from a competitor. An eval could use AI to judge AI, but it could also be a dual-track strategy with human scrutiny or a whole practice within your organization. That’s just eval. Now you’re injecting observability, which is even more complicated. What’s your sense of the sophistication of people around eval?
  • 17:04: Not terribly high. Your average ML engineer is familiar with the concept of evals. Your average SRE is looking at production data to solve problems with systems. They’re often solving similar problems. The main difference is that the ML engineer is using workflows that are very disconnected from production. They don’t have a good sense for how the hypotheses they’re teasing are impactful in the real world.
  • 17:59: They might have different values. ML engineers may prioritize peak performance over reliability.
  • 18:10: The very definition of reliability or performance may be poorly understood between multiple parties. They get impacted by systems that they don’t understand.
  • 22:10: Engineering organizations on the machine learning side and the software engineering side are often not talking very much. When they do, they’re often working on the same data. The way you capture data about system performance is the same way you capture data about what signals you send to a model. Very few people have connected those dots. And that’s where the opportunities lie.
  • 22:50: There’s such a richness in connection production analytics with model behavior. This is a big issue for our industry to overcome. If you don’t do this, it’s much more difficult to rein in behavior in reality.
  • 23:42: There’s a whole new family of metrics: things like time to first token, intertoken latency, tokens per second. There’s also the buzzword of the year, agents, which introduce a new set of challenges in terms of evaluation and observability. You might have an agent that’s performing a multistep task. Now you have the execution trajectory, the tools it used, the data it used.
  • 24:54: It introduces another flavor of the problem. Everything is valid on a call-by-call basis. One thing you observe when working on agents is that they’re not doing so well on a single call level, but when you string them together, they arrive at the right answer. That might not be optimal. I might want to optimize the agent for fewer steps.
  • 25:40: It’s a fun way of dealing with this problem. When we built the Honeycomb MCP server, one of the subproblems was that Claude wasn’t very good at querying Honeycomb. It could create a valid query, but was it a useful query? If we let it spin for 20 turns, all 20 queries together painted enough of a picture to be useful.
  • 27:01: That forces an interesting question: How valuable is it to optimize the number of calls? If it doesn’t cost a tremendous amount of money, and it’s faster than a human, it’s a challenge from an evaluation standpoint. How do I boil that down to a number? I didn’t have an amazing way of measuring that yet. That’s where you start to get into an agent loop that’s constantly building up context. How do I know that I’m building up context in a way that’s helpful to my goals?
  • 29:02: The fact that you’re paying attention and logging these things gives you the opportunity of training the agent. Let’s do the other side: AI for observability. In the security world, they have analysts who do investigations. They’re starting to get access to AI tools. Is something similar happening in the SRE world?
  • 29:47: Absolutely. There are a couple of different categories involved here. There are expert SREs out there who are better at analyzing things than agents. They don’t need the AI to do their job. However, sometimes they’re tasked with problems that aren’t that hard but are time consuming. A lot of these folks have a sense of whether something really needs their attention or is just “this is not hard but just going to take time.” At that time, they wish they could just send the task to an agent and do something with higher value. That’s an important use case. Some startups are starting to do this, though the products aren’t very good yet.
  • 31:38: This agent will have to go in cold: Kubernetes, Amazon, etc. It has to learn so much context.
  • 31:51: That’s where these things struggle. It’s not the investigative loop; it’s gathering enough context. The winning model will still be human SRE-focused. In the future we might advance a little further, but it’s not good enough yet.
  • 32:41: So you would describe these as early solutions?
  • 32:49: Very early. There are other use cases that are interesting. A lot of organizations are undergoing service ownership. Every developer goes on call and must understand some operational characteristics. But most of these developers aren’t observability experts. In practice, they do the minimal work necessary so they can focus on the code. They may not have enough guidance or good practices. A lot of these AI-assisted tools can help with these folks. You can imagine a world where you get an alert, and a dozen or so AI agents come up with 12 different ways we might investigate. Each one gets its own agent. You have some rules for how long they investigate. The conclusion might be garbage or it might be inconclusive. You might end up with five areas that merit further investigation. There might be one where they’re fairly confident that there’s a problem in the code.
  • 35:22: What’s preventing these tools from getting better?
  • 35:34: There’s many things, but the foundation models have work to do. Investigations are really context-gathering operations. We have long context windows—2 million tokens—but that’s nothing for log files. And there’s some breakdown point where the models accept more tokens, but they just lose the plot. They’re not just data you can process linearly. There are often circuitous pathways. You can find a way to serialize that, but it ends up being large, long, and hard for a model to receive all of that information and understand the plot and where to pull data from under what circumstances. We saw this breakdown all the time at Honeycomb when we were building investigative agents. That’s a fundamental limitation of these language models. They aren’t coherent enough with large context. That’s a large unsolved problem right now.

How Solid Protocol Restores Digital Agency [Schneier on Security]

The current state of digital identity is a mess. Your personal information is scattered across hundreds of locations: social media companies, IoT companies, government agencies, websites you have accounts on, and data brokers you’ve never heard of. These entities collect, store, and trade your data, often without your knowledge or consent. It’s both redundant and inconsistent. You have hundreds, maybe thousands, of fragmented digital profiles that often contain contradictory or logically impossible information. Each serves its own purpose, yet there is no central override and control to serve you—as the identity owner.

We’re used to the massive security failures resulting from all of this data under the control of so many different entities. Years of privacy breaches have resulted in a multitude of laws—in US states, in the EU, elsewhere—and calls for even more stringent protections. But while these laws attempt to protect data confidentiality, there is nothing to protect data integrity.

In this context, data integrity refers to its accuracy, consistency, and reliability…throughout its lifecycle. It means ensuring that data is not only accurately recorded but also remains logically consistent across systems, is up-to-date, and can be verified as authentic. When data lacks integrity, it can contain contradictions, errors, or outdated information—problems that can have serious real-world consequences.

Without data integrity, someone could classify you as a teenager while simultaneously attributing to you three teenage children: a biological impossibility. What’s worse, you have no visibility into the data profiles assigned to your identity, no mechanism to correct errors, and no authoritative way to update your information across all platforms where it resides.

Integrity breaches don’t get the same attention that confidentiality breaches do, but the picture isn’t pretty. A 2017 write-up in The Atlantic found error rates exceeding 50% in some categories of personal information. A 2019 audit of data brokers found at least 40% of data broker sourced user attributes are “not at all” accurate. In 2022, the Consumer Financial Protection Bureau documented thousands of cases where consumers were denied housing, employment, or financial services based on logically impossible data combinations in their profiles. Similarly, the National Consumer Law Center report called “Digital Denials” showed inaccuracies in tenant screening data that blocked people from housing.

And integrity breaches can have significant effects on our lives. In one 2024 British case, two companies blamed each other for the faulty debt information that caused catastrophic financial consequences for an innocent victim. Breonna Taylor was killed in 2020 during a police raid on her apartment in Louisville, Kentucky, when officers executed a “no-knock” warrant on the wrong house based on bad data. They had faulty intelligence connecting her address to a suspect who actually lived elsewhere.

In some instances, we have rights to view our data, and in others, rights to correct it, but these sorts of solutions have only limited value. When journalist Julia Angwin attempted to correct her information across major data brokers for her book Dragnet Nation, she found that even after submitting corrections through official channels, a significant number of errors reappeared within six months.

In some instances, we have the right to delete our data, but—again—this only has limited value. Some data processing is legally required, and some is necessary for services we truly want and need.

Our focus needs to shift from the binary choice of either concealing our data entirely or surrendering all control over it. Instead, we need solutions that prioritize integrity in ways that balance privacy with the benefits of data sharing.

It’s not as if we haven’t made progress in better ways to manage online identity. Over the years, numerous trustworthy systems have been developed that could solve many of these problems. For example, imagine digital verification that works like a locked mobile phone—it works when you’re the one who can unlock and use it, but not if someone else grabs it from you. Or consider a storage device that holds all your credentials, like your driver’s license, professional certifications, and healthcare information, and lets you selectively share one without giving away everything at once. Imagine being able to share just a single cell in a table or a specific field in a file. These technologies already exist, and they could let you securely prove specific facts about yourself without surrendering control of your whole identity. This isn’t just theoretically better than traditional usernames and passwords; the technologies represent a fundamental shift in how we think about digital trust and verification.

Standards to do all these things emerged during the Web 2.0 era. We mostly haven’t used them because platform companies have been more interested in building barriers around user data and identity. They’ve used control of user identity as a key to market dominance and monetization. They’ve treated data as a corporate asset, and resisted open standards that would democratize data ownership and access. Closed, proprietary systems have better served their purposes.

There is another way. The Solid protocol, invented by Sir Tim Berners-Lee, represents a radical reimagining of how data operates online. Solid stands for “SOcial LInked Data.” At its core, it decouples data from applications by storing personal information in user-controlled “data wallets”: secure, personal data stores that users can host anywhere they choose. Applications can access specific data within these wallets, but users maintain ownership and control.

Solid is more than distributed data storage. This architecture inverts the current data ownership model. Instead of companies owning user data, users maintain a single source of truth for their personal information. It integrates and extends all those established identity standards and technologies mentioned earlier, and forms a comprehensive stack that places personal identity at the architectural center.

This identity-first paradigm means that every digital interaction begins with the authenticated individual who maintains control over their data. Applications become interchangeable views into user-owned data, rather than data silos themselves. This enables unprecedented interoperability, as services can securely access precisely the information they need while respecting user-defined boundaries.

Solid ensures that user intentions are transparently expressed and reliably enforced across the entire ecosystem. Instead of each application implementing its own custom authorization logic and access controls, Solid establishes a standardized declarative approach where permissions are explicitly defined through control lists or policies attached to resources. Users can specify who has access to what data with granular precision, using simple statements like “Alice can read this document” or “Bob can write to this folder.” These permission rules remain consistent, regardless of which application is accessing the data, eliminating the fragmentation and unpredictability of traditional authorization systems.

This architectural shift decouples applications from data infrastructure. Unlike Web 2.0 platforms like Facebook, which require massive back-end systems to store, process, and monetize user data, Solid applications can be lightweight and focused solely on functionality. Developers no longer need to build and maintain extensive data storage systems, surveillance infrastructure, or analytics pipelines. Instead, they can build specialized tools that request access to specific data in users’ wallets, with the heavy lifting of data storage and access control handled by the protocol itself.

Let’s take healthcare as an example. The current system forces patients to spread pieces of their medical history across countless proprietary databases controlled by insurance companies, hospital networks, and electronic health record vendors. Patients frustratingly become a patchwork rather than a person, because they often can’t access their own complete medical history, let alone correct mistakes. Meanwhile, those third-party databases suffer regular breaches. The Solid protocol enables a fundamentally different approach. Patients maintain their own comprehensive medical record, with data cryptographically signed by trusted providers, in their own data wallet. When visiting a new healthcare provider, patients can arrive with their complete, verifiable medical history rather than starting from zero or waiting for bureaucratic record transfers.

When a patient needs to see a specialist, they can grant temporary, specific access to relevant portions of their medical history. For example, a patient referred to a cardiologist could share only cardiac-related records and essential background information. Or, on the flip side, the patient can share new and rich sources of related data to the specialist, like health and nutrition data. The specialist, in turn, can add their findings and treatment recommendations directly to the patient’s wallet, with a cryptographic signature verifying medical credentials. This process eliminates dangerous information gaps while ensuring that patients maintain an appropriate role in who sees what about them and why.

When a patient—doctor relationship ends, the patient retains all records generated during that relationship—unlike today’s system where changing providers often means losing access to one’s historical records. The departing doctor’s signed contributions remain verifiable parts of the medical history, but they no longer have direct access to the patient’s wallet without explicit permission.

For insurance claims, patients can provide temporary, auditable access to specific information needed for processing—no more and no less. Insurance companies receive verified data directly relevant to claims but should not be expected to have uncontrolled hidden comprehensive profiles or retain information longer than safe under privacy regulations. This approach dramatically reduces unauthorized data use, risk of breaches (privacy and integrity), and administrative costs.

Perhaps most transformatively, this architecture enables patients to selectively participate in medical research while maintaining privacy. They could contribute anonymized or personalized data to studies matching their interests or conditions, with granular control over what information is shared and for how long. Researchers could gain access to larger, more diverse datasets while participants would maintain control over their information—creating a proper ethical model for advancing medical knowledge.

The implications extend far beyond healthcare. In financial services, customers could maintain verified transaction histories and creditworthiness credentials independently of credit bureaus. In education, students could collect verified credentials and portfolios that they truly own rather than relying on institutions’ siloed records. In employment, workers could maintain portable professional histories with verified credentials from past employers. In each case, Solid enables individuals to be the masters of their own data while allowing verification and selective sharing.

The economics of Web 2.0 pushed us toward centralized platforms and surveillance capitalism, but there has always been a better way. Solid brings different pieces together into a cohesive whole that enables the identity-first architecture we should have had all along. The protocol doesn’t just solve technical problems; it corrects the fundamental misalignment of incentives that has made the modern web increasingly hostile to both users and developers.

As we look to a future of increased digitization across all sectors of society, the need for this architectural shift becomes even more apparent. Individuals should be able to maintain and present their own verified digital identity and history, rather than being at the mercy of siloed institutional databases. The Solid protocol makes this future technically possible.

This essay was written with Davi Ottenheimer, and originally appeared on The Inrupt Blog.

11:21

Grrl Power #1376 – I spy with my little satellite… [Grrl Power]

Max isn’t actually all that offended by “guy scoping out slightly drunk chicks.” She knows how the world works. Nothing wrong with a little willful social self-lubrication. Now, if he’d said “blackout drunk chicks,” that’d be a different story. She’s also not a huge fan of referring to women as “chicks,” either, but at least it’s better than “broads,” “slags,” or many other terms in a series of rapidly diminishing respect.

Yes, Cora and crew have “raised money for the orphanage,” like a Three Stooges plot, and while it’s more of a Robin Hood style transaction, there is usually a lot of hitting. You know, the stealth mission that devolves into a huge firefight just because that one guard was actually doing his job competently.

I was so tempted to draw stars above the Earth there, but I know that’s not how it works. The human eye has too limited of a dynamic dynamic range for that. You know, come to think of it, it’s almost a little weird that more of our senses don’t have a dynamic range slider, like how the iris adjusts the amount of light coming through. Like it’s kind of odd that our ears don’t automatically close up when there are loud sounds. I guess that means we’d have “earlids,” which is… really disturbing now that I think about it. Still, eyes have lids and irises, so couldn’t ears have earlids and also a thing that makes us attune to high pitched sounds at the expense of low hertz sounds and vice versa? I’m sure our non-eye senses do have some brain-based slider to mitigate some of the more extremes? Maybe? But… I don’t know, maybe it doesn’t. Like, if you get into a slap fight, the 5th slap might not hurt as much as the 1st, assuming they all hit in different places and aren’t stacking. But then, if someone is tickling your cheek with a feather, then you get slapped in the face, that first slap will probably register much more strongly than if you know the slap is coming. But that’s due to adrenaline, not sensory dynamic range.

Anyway, so yeah, there’s an alien spy satellite floating somewhere above Archon HQ.

The vote incentive is finally done!

The update to the TWC image is pretty minor, but the Patreon version has the bonus comic as well as nude versions. I will strive to make the next one more timely.

 

 

 

Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:35

09:07

How much extra is the gift wrap? [Seth's Blog]

One way to turn a product or service into a story is to gift wrap it.

Yes, you did my taxes, but did you include a two-page summary and a useful folder to keep it in?

Whether you’re providing a service to a casual customer or a product to a regular patron, what you’re really selling is the story. The commodity part of your day leaves no room for magic.

Handing a friend a $50 bill is very different from buying a thoughtful gift and carefully wrapping it.

We can find a way to add a bit more.

08:56

Valhalla's Things: Things I Have Learnt At DebConf [Planet Debian]

Posted on July 24, 2025
Tags: madeof:bits

An unsorted list, including some I already knew, but was reminded of.

  • dpkg-mergechangelogs exists.
  • Sewing your own shirt, posting it on planet and wearing it on the first day of DebConf, is more effective than a badge for making people recognise you.
  • I need to look into a number of tools for testings things (and try to start using some of those at $DAYJOB).
  • Masks are good. masks protect you from debbugs. masks protect you from ring cameras in the hotel you’re staying on the day after debconf.
  • It’s really nice to be chatting of random topics during lunch and discover that you are talking to the maintainer of a package of which you are one of the very few users! (the latter bit needs to be changed :) ).
  • I need to look into sequoia and all of the modern OpenPGP stuff.
  • Even if I don’t have a lot of money, apparently I have even less sense (there will be blog posts on the topic in the mid-term future).
  • I can go to a talk about AI and not hate the speaker (yeah, the bar is pretty low there :D ). The automatic subtitles still failed in the same way as automatic subtitles always fail.
  • Debian gets used in really cool places.
  • At times it is a bit — or a lot — dysfunctional, but Debian still feels like a family.

And I still haven’t watched the recordings of those talks that I couldn’t (or decided not to, because the hallway track was more interesting) attend.

01:35

[$] LWN.net Weekly Edition for July 24, 2025 [LWN.net]

Inside this week's LWN.net Weekly Edition:

  • Front: Debian's security processes; Tor; Immutability for Python; CPU scheduler; QUIC; Rust abstractions.
  • Briefs: Brief news items from throughout the community.
  • Announcements: Newsletters, conferences, security updates, patches, and more.

00:21

The most Microsoft support document of all time [OSnews]

I have stumbled upon the most Microsoft support document of all time.

Support for the Microsoft Store installation type of Microsoft 365 Apps is ending. New feature updates will stop in October 2025 and security updates will end in December 2026.

If you have the Microsoft Store installation type of Microsoft 365 Apps, you must upgrade to the Click-to-Run installation type for continuing new features and security updates. The following steps show how you can upgrade the installation type of Microsoft 365 products on a PC from the Microsoft Store to Click-to-Run.

↫ End of support for the Microsoft Store installation type of Microsoft 365 Apps

There is so much to unpack here.

First, if you’re not neck-deep in Microsoft lore, you might not even know what Microsoft 365 Apps even are. Remember Office 365, the subscription version of Microsoft Office? It’s called Microsoft 365 now, for some inexplicable reason, but you probably haven’t noticed because it is a stupidly confusing, nondescript name that nobody out in the real world uses. Adding to the confusion, in 2022, Microsoft announced it would phase out the Office name in favour of calling both the subscription version and the regular, buy-once-run-forever version “Microsoft 365”, but then changed their mind a year later, and as such, the regular, buy-once-run-forever version is now still called Office.

Oh and there’s also the “Microsoft 365 Copilot app (formerly Office)” (at Office.com?) which I think is what used to be called the mobile iOS/Android Office application, which existed alongside the individual mobile Office applications on these platforms (because that was a thing, too – maybe still is?)? I don’t know man, I merely have two university degrees, which clearly isn’t enough to understand any of this 4D office suite chess.

Anyway, the Microsoft 365 Apps (so the subscription version of what was temporarily formerly known as Microsoft Office) can be installed either through the Microsoft Store, which is the application store bundled with Windows that you never use, or through something called Click-to-Run. Apparently, Microsoft is discontinuing the Microsoft Store version of the Microsoft 365 Apps, and is urging everyone to move to the Click-to-Run version of the Microsoft 365 Apps.

Alright, we’re getting really, really deep into the very darkest crevices of the Microsoft Cinematic Universe lore now.

The Microsoft Store version of the Microsoft 365 Apps is almost entirely identical to the Click-to-Run version of the Microsoft 365 Apps, except for one tiny part: the exact packaging method of the applications. Whereas the Microsoft Store version is packaged and delivered in Microsoft’s Appx packaging format (designed for the Universal Windows Platform or UWP), the Click-to-Run version is packaged and delivered through, well, Click-to-Run. So, what is that, exactly?

Click-to-Run is an entirely custom application streaming technology specifically designed for and exclusively used by Microsoft Office. You download a very small installer, which then proceeds to download the various Microsoft 365 applications like Word, Excel, and so on, which you can then start using well before the entire download is finished. The technology is similar to Microsoft App-V. It’s actually remarkably difficult to find detailed documentation about Click-to-Run, which is odd considering Microsoft is usually quite decent at providing documentation for its technologies.

So what Microsoft is announcing in this support document is that if you have Microsoft 365 Apps installed through the Microsoft Store, you’re going to have to switch to the Click-to-Run version. You can check which installation type you’re using by going to File > Account (it might be called Office Account, because everything is made up and nothing is real) – under Product information locate the About button, where it’ll list the installation type.

If your installation type is Microsoft Store, you need to switch to the Click-to-Run version to keep receiving updates. To do so, download the Click-to-Run installer and run it, which will automatically remove the Microsoft Store version of the Microsoft 365 Apps and replace them with the Click-to-Run versions. The reason they’re making you do this is that the Click-to-Run version offers enterprises and corporate customers more control over deployment, update schedules, configuration options, and so on. The Microsoft Store version is more suited for normal consumers, but Microsoft doesn’t care about those, and never has, and never will.

Why is Microsoft?

New State Legislation Kills Pay Transparency [The Stranger]

The Bipartisan Handout to Business Interests Affects Thousands of Job Listings
by Conor Kelley

On July 27, our state’s pay transparency law will be amended to effectively end our short-lived era of actually knowing what a job will, you know, pay.

Since January 1, 2023, companies that posted jobs in our state were required to clearly state the position’s pay, benefits, and any additional compensation. This was an expansion of the 2018 Equal Pay and Opportunities Act. We the working class were finally saved from blindly applying for jobs in the hopes they would pay a living wage. No more going through rounds of interviews just to find out it was actually a “volunteer” position or some other such nonsense. The law also aimed to combat wage disparities across gender, race, and other protected classes.

Under that law, job seekers also had a “private right to action,” meaning if they found a noncompliant post they could theoretically sue the company, with no cap for the penalties a court could impose on the noncompliant business.

Well, the business lobby set out to challenge this law on two fronts: our legal system and our state legislature.

In early 2024, two King County residents filed separate lawsuits over noncompliance with this law in King County Superior Court against Washington Fine Wine & Spirits, LLC, contending that because the company didn’t list a pay scale for jobs they wanted to apply for, they couldn’t compare them with other open jobs on the market or negotiate an offer effectively.

You may think this sounds like an honest mistake by a little LLC. Perhaps we should do what other media outlets have failed to do in reference to this case and clarify that Washington Fine Wine & Spirits, LLC, is owned by Total Wine & More, the alcohol megastore chain with a reported 277 stores nationwide, including 14 in our state, bringing in a reported $6 billion in annual revenue in 2023. A mom and pop shop this is not.

Total Wine appealed these two lawsuits to district court and then to our State Supreme Court in the hopes of getting the law struck down, arguing that the law was too onerous for businesses to follow, that these weren’t “bonafide” job applicants (whatever that means), and that the private right to action was creating a “cottage industry” of law firms taking up these cases.

Let’s stop right there. A business claimed that a state law was unfair, and also thought it was unfair that they could be held responsible for breaking that law. They even went so far as to argue the plaintiffs weren’t “bonafide.” Can you imagine that ever working with other regulations? Have you ever looked at a speed limit sign, thought to yourself, "Well, that’s simply too slow," kept driving above that speed, and then when you got pulled over, told the cop they weren’t qualified to write you a ticket, and set out to get the speed limit permanently changed to whatever number you think is fair?

That’s exactly what happened here. Our state passed a law that businesses simply refused to abide by, and a multibillion-dollar chain used their power to kill it on two fronts.

But the wheels of the judicial system move slowly, and they are still waiting on an answer from the Washington State Supreme Court. Lucky for them, a bill in the state legislature could move faster. Their pro-business bill aimed to do three things: 1) implement a period for businesses to correct the noncompliant listings; 2) cap the penalty for noncompliant businesses; and 3) shift the burden of enforcement to job seekers.

You read that last part right: the business lobby asked the state legislature to effectively deputize workers into enforcing a state law.

If you think this sounds insane, your state representatives don’t agree. On January 21, Republican State Senator Curtis King introduced the original bill, SB 5408, and a largely unchanged version was passed February 28 on a vote of 41-7 with 23 Democrat “yeas.” A decisive win for Big Business. The bill was then sent to the House. It was introduced on March 4, underwent a few minor adjustments in committee, and was passed on April 15 with a vote of 94-1. A blowout.

The one no vote in the House? Jeremie Dufault, a Republican representative from District 15. “I had incomplete information on what businesses would be required to do to avoid liability,” he told The Stranger. “After the vote, I discovered that my concerns with the initial bill had been addressed in the final amendment. I support the bill as passed.”

The bill was then returned to the Senate for a final vote, where only 1 of the original 7 no voters was left standing: Bob Hasegawa, a Senate Democrat who represents Tukwila and parts of Renton and Kent.

So why did this bill get passed, if not on its merits? “I didn’t want to give 5408 a hearing, but as the new Chair of Labor and Commerce, it is important to find ways to work with the ranking minority member of my committee,” says State Senator Rebecca Saldaña to The Stranger. “It is helpful to Senate leadership to have Republican bills so that we can move our priority bills more quickly through the legislative process.“ 

Politics, am I right?

Roughly a month later, on May 20, your Governor Bob Ferguson signed it into law. Just like that: With no real opposition, your state legislature and governor just told businesses that if they don’t like a law that helps working people, they’ll change it until their business buddies are happy.

And boy, are they. Union-busting law firm Littler Mendelson reported the development as “welcome news for the business community and a shining example of bipartisan cooperation.”

According to the new law, if you see a job posted online in Washington State with no description of salary and benefits, you must provide that business written notice that their listing is noncompliant. The company then has five business days to correct it (and likely blacklist you from the job, of course).

If after a business week, the listing is still not following the state law, you can continue your efforts in law enforcement by filing a complaint with Washington State’s Department of Labor & Industries (L&I). If L&I finds that you are correct, the department will attempt to fix the issue with the business via “conference and reconciliation.” If the business still refuses, you can either have L&I assess a penalty or you can contact lawyers to sue—but either way, you won’t get more than $5,000 and may get as little as $100. Good luck finding a lawyer to take that case.

If that feels like a big waste of your time and not worth it for you, that’s the point.

And what will stop that business from just taking down that posting and putting up an identical noncompliant one, which you would have to file a new complaint about?

“We believe the great majority of employers will do their best to follow the law,” says Jeff Mayor from Washington State L&I.

Wishful thinking, maybe.

According to data shared by Indeed’s Hiring Lab, before the pay transparency expansion of the Equal Pay and Opportunities Act was passed in March 2022, over 65 percent of jobs posted on Indeed in Washington State did not include a transparent description of salary and benefits. By the time the law went into effect on January 1, 2023, that number was cut nearly in half to 33 percent.

But businesses in our state were watching those lawsuits closely, and that pay transparency improvement stagnated in August 2024, right around the time that Total Wine & More petitioned King County Superior Court to move the cases up the ladder to district court. Pay transparency has stalled in the year since as businesses waited on an answer from our State Supreme Court and legislature.

According to Indeed, more than 10 percent of their 84,000+ current Washington State job listings still do not include salary information, in violation of the current law. And because this law has now been nerfed to oblivion and stripped of enforcement mechanisms, expect that number to climb back up starting on July 27.

How high it’ll go, only the “free market” knows.

So next time you’re on the internet hunting for a job, clicking through thousands of bare-bones listings, caught in a loop of tedious interviews and lowball offers, please be sure to thank your state representatives.

Another One Rides the Bus [The Stranger]

P.S. Remember to say thank you to your bus driver, they deal with so much shit. by Anonymous

I am not about to proudly march into the anonymous section of a local paper to complain about people playing music on the bus. Sometimes, that's annoying, but occasionally, you get a cool grandpa pushing his walker playing smooth jazz, and that's okay. But also, this is an anonymous section, and I am anonymous, so who cares about my musical opinions?

I will gripe, however, about those of us riding crowded buses on the daily (especially you, my dear SLU workers). I am just asking you to be mindful. Mindful of your backpack, that you are still wearing while standing, smacking everyone around you when you move. Mindful of those who need your seat more, where you are avoiding looking at grandma and her cane so you can watch a video on your laptop (in the priority seat, no less!). Mindful of moving to the empty room in the back of the bus, so the six people forced into an unwilling mosh pit in the doorway can finally assert boundaries again.

We should consider ourselves lucky to not be driving. We can read, we can chat, we can scroll, and that's so much nicer than staring down the luxury SUV that has cut us off only to get stuck at the same light (again). But if you are not mindful of the fact that this is not a private vehicle but a shared space, it makes it suck WAY more for everyone else on the bus. This is Seattle, and no one will call you out on it, but I promise you, everyone is thinking mean things about you if you're the one guy not getting with the program. 

Sincerely,

The Bus Rider Stuck In the Doorway Moshpit

P.S. Remember to say thank you to your bus driver, they deal with so much shit.

Do you need to get something off your chest? Submit an I, Anonymous and we'll illustrate it! Send your unsigned rant, love letter, confession, or accusation to ianonymous@thestranger.com. Please remember to change the names of the innocent and the guilty.

Wednesday, 23 July

23:35

22:49

Page 49 [Flipside]

Page 49 is done.

Peter Pentchev: mapec - my humble trivial tribute to Matt S Trout [Planet Debian]

mapec - my humble trivial tribute to Matt S Trout

So on Monday I learned from Perl Weekly that Matt S Trout ofPerl fame has passed away.I can't say I knew him, though I read a lot of his writings and discussions, andI used a lot of his software; I may have briefly met him at YAPC 2014 in Sofia,but that doesn't really count.

So a silly little thing I did to honor his memory was to take a small program thatdoes one thing and does it well, polish it up a bit, and, I guess, try to preserve it fora little bit longer.So here is my version of mapec for what very little it's worth.

Peter Pentchev: Ringlet software updates (2025-03-23) [Planet Debian]

Ringlet software updates (2025-03-23)

Recent initial releases of [Ringlet software][r-site] (a fancy name for my pet projects):

  • [docker-scry][r-docker-scry] version [0.1.0][r-docker-scry-0.1.0] - examine Docker containers using host tools. Maybe the start of a set of tools that will allow system administrators to see what goes on in minimal containers that may not even have tools like ps or lsof installed.
  • [pshlex][r-pshlex] version [0.1.0][r-pshlex-0.1.0] - join various stringifiable objects and quote them for the shell. A trivial Python function that I've embedded in many of my projects over the years and I finally decided to release: a version of [shlex.join()][python-shlex-join] that also accepts [pathlib.Path][python-pathlib-path] objects.
  • [uvoxen][r-uvoxen] version [0.1.1][r-uvoxen-0.1.1] - generate test configuration files and run tests. A testing tool for Python projects that can either generate a [Tox configuration file][tox] or run the com...

Dirk Eddelbuettel: qlcal 0.0.16 on CRAN: Regular Update [Planet Debian]

The sixteenth release of the qlcal package arrivied at CRAN today, once again following the QuantLib 1.39 release this morning.

qlcal delivers the calendaring parts of QuantLib. It is provided (for the R package) as a set of included files, so the package is self-contained and does not depend on an external QuantLib library (which can be demanding to build). qlcal covers over sixty country / market calendars and can compute holiday lists, its complement (i.e. business day lists) and much more. Examples are in the README at the repository, the package page, and course at the CRAN package page.

This releases mainly synchronizes qlcal with the QuantLib release 1.39.

Changes in version 0.0.16 (2025-07-23)

  • Synchronized with QuantLib 1.39 released today

  • Calendar updates for Israel, minor utility functions update

  • Minor package maintenance updates

Courtesy of my CRANberries, there is a diffstat report for this release. See the project page and package documentation for more details, and more examples.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can sponsor me at GitHub.

22:35

Link [Scripting News]

Question. If you have to choose between Google's web browser or one from your favorite AI company, which would you go with? Also yes -- Google is destroying the web, as is ChatGPT and Claude etc. Because the people who tried to capture flow using SEO made you wade through mountains of garbage before you got the info you were coming there for, if you ever got it. It's the same thing with clicking links in Twitter. If instead, they had focus on providing a product that made people happy and built respect for theri brand, they'd still have a seat at the table. It's too late to complain, you had a chance to view your efforts as a business. But there's still plenty of potential for the web, esp if developers get imaginative in how to use the new browser platforms. I don't imagine Google's going to rock and roll too much with Chrome, but maybe they will.

Link [Scripting News]

Trump says he's going to give AI companies freedom except with DEI and climate change, guessing they have to follow Trump dogma? Hard to tell from the language. I assume so. Just like CBS when the Ellisons own it. Our communications systems are pretty much owned by the government as they are in China. Or very close to that.

Link [Scripting News]

Here's a benchmark. I just asked ChatGPT for 250 words on climate change. Let's check that out in a year and two years and see if they're still telling the truth.

Link [Scripting News]

If you could look into people's minds and see if, at their core, they feel it can't happen here, most of us would have that belief. We'll probably still believe it when the last of our freedoms is gone.

22:07

Starred Review of The Shattering Peace in Library Journal + Moon Review in the Seattle Times [Whatever]

A starred review means the Library Journal found The Shattering Peace particularly noteworthy, which makes me happy. The review is here, but I’ll quote the last line: “Highly recommended for readers who love broad sweeping space operas and science fiction with a high quotient of dry humor and witty sarcasm.” I bet that’s you, isn’t it?

Also, a lovely review of When the Moon Hits Your Eye in the Seattle Times, in which the reviewer says that they admire me “for my impressive ability to make readers laugh out loud and then realize mid-chuckle that there are larger, deeper themes at play.” It’s nice when reviewers pick up on that.

— JS

22:00

Candidate Survivor Is Thursday [The Stranger]

Best of all? Just like voting, it's FREE! by Megan Seling

The time has come! It is officially Primary Election season. The ballots have been sent out, the candidates have been interviewed and researched, and the endorsements have been pored over and debated, and now it's time to vote! But before you cast that ballot, you have one more level of due diligence to conquer: You must see how well your candidate of choice can perform under the pressure of our annual Candidate Survivor competition!

Join The Stranger and the Washington Bus Education Fund at Neumos Thursday night to get one last look at your favorite (and least favorite) candidates as we subject them to a D&D-themed night of probing questions, charisma-based tasks, and, of course, lip syncing. 

Just looked at this impressive lineup of confirmed candidates:

Seattle Mayoral Candidates: Katie Wilson! Ry Armstrong!
Seattle City Attorney: Rory O’Sullivan! Erika Evans!
Seattle D9: Dionne Foster!
Seattle D8: Alexis Mercedes Rinck! Ray Rogers!
Seattle D2: Adonis Duckworth! Eddie Lin! Jeanie Chunn!

Will Duckworth show off with some skateboard tricks? Will Rinck bring Saint Rat? Will Katie Wilson's housing plans hold up in front of a live audience? Will Bruce Harrell crash the party and pound his fist on the table and stomp his feet like a petulant child? There's only one way to find out!

Aleksa Manila is hosting the festivities, and members of The Stranger's Election Control Board and the Washington Bus will be on hand to ensure participants don't weasle out of any hard-hitting questions.

Plus: If you show up in your best D&D-inspired costume, you'll be entered in a raffle to win two passes to GeekGirlCon

Best of all? Just like voting, it's FREE! Just RSVP here to claim your spot.

21:14

Burn the Chris [The Stranger]

Chris Fleming performs at Neptune July 27. by Vivian McCall

I presented comedian Chris Fleming with a theory. When he answered the phone for our interview ahead of his performances in Seattle, I proposed that his comedy is all about discussing gender in an absurd way. He has a bit about the snacks at Trader Joe’s that only women can see, and another about his sixth sense for when a restaurant is owned by brothers. Fleming broke through on YouTube with his character Gayle Waters-Waters, a high-strung, WASPy suburbanite from the fictional Northbread, Massachusetts, who is crushed, daily, by the weight of expectation in her life.

Most gendered comedy is essentially: Men are from Mars, women are from Venus, our differences are irreconcilable, so why try? Fleming, who uses any pronouns, pokes fun at the absurdity of gender. He identifies the odd things about men and women, but doesn’t chastise them for those qualities, because they’re not entirely responsible for them. 

Fleming lives for absurdity. In his stand-up, he bounds across the stage like a deer on the highway. He writes songs about being trapped in conversation with “wildly unlikeable guys” and his relationship with a gray-haired tax preparer he’s nicknamed Sick Jan because she always has a cold. He has a skit about a strange creature named DePiglio that’s friends with everyone, but seems to be hunting him. It’s bizarre. It’s the kind of joke you want to explain to your friends, but look like a fool when you try. 

But when Fleming delivers these hyper-specific jokes, they kill, because they somehow make absolute, perfect sense. We’re all caught up in a web of expectation, all acting. It's so integral to our existence that absurdity is a fantastic tool to examine it.

By the end of our conversation, I still wasn’t sure if my theory was right, exactly, but he was amused.

Am I projecting?

Oh, man. It's so great when eloquent people like yourself attach really favorable things to ultimately what are just very manic gut impulses that I feel and blurt out. I really appreciate that read on it, because there's a part of me that thinks a lot of what I do is: If you say things with the right conviction, you can get laughs in several ways, right? Some of it's like, “Why is this person saying this?” Another is like, “Well, if a person is saying it into a mic, then that must be true.” And then there's also this, “Oh, there’s this really eccentric traveling person decreeing something before getting carted off to the bin.” Whatever lands on any of those three levels, I'm thrilled with. But I think what you're giving it is incredibly favorable. And please, please give a eulogy at my wake.

Well, you'll never die. When you talk about those three levels, is that by design or just how you think your jokes work?

I'm totally riffing. I mean, so much of comedy is survival. It's like putting anything in the cannon. Was it World War I when they had to turn tires into bullets or something? That's how I view it. We're only given so many tools, and whatever gets us through onstage we gotta use and just hope for the best. I think that I have the fortune of a connection with my audience, who have engaged with the work for so long, who understand me. But then there's also the times where I have to perform for people who don't see me and don't have the interest or nuance or curiosity. That is when the other levels come into play. I luckily feel a soul connection and deep, deep sense of being held by my audiences. It's like the best feeling in the world.

When you’re performing for people who don't know what you're about, how differently do the jokes land? 

Oh, oh, oh, it can be such a bloodbath. I mean, you wouldn't believe the extremes. It can be literally like burn the witch. I mean, I had to perform, or I got to perform, for big crowds that weren't my own quite recently, and they wanted to kill me. They absolutely wanted to kill me. It makes being seen by crowds that do see you so much better. I mean, trust me, it can be hell to completely shit up there, but then it clarifies what you want to do. Tourist audiences and whatever can, I think, navigate a lot of performance artists to the middle to survive. I think that it's way better to gamble on what you truly want to do and to occasionally completely bomb, than it is to self-correct to appease people you would just see at the airport.

Did it take a long time to develop a thick skin?

Oh, I don't have a thick skin.

So it's devastating every time?

It stays in my spine. It is literally posture changing. I have a theory that after a terrible show, dogs bark at me, like Damien the Omen.

This is like epigenetic damage.

Yeah, my grandkids are gonna wake up and feel how horribly I bombed in San Diego, the San Diego Civic Center. They're gonna feel that and not know what it is.

How quickly does an audience turn?

In my twilight years, I have no interest in winning a crowd over. At this particular show, before I even grabbed the mic, someone yelled, “Let's go Weird Al!” And I was like, “You know what? Fuck this. Fuck this.” I'm going to do two songs that you're gonna hate, and so I don't have to hear you, we're gonna make the music so loud, and I'm just gonna kind of stare at the lights so I don't have to engage. You know immediately, you know immediately.

You have this particular way of talking about social situations where you feel out of place to the point that it surpasses discomfort and almost becomes fun. 

Divine. It’s divine.

I am a generally outgoing person who tends to stick my foot in my mouth. Are you an uncomfortable person who deals with your discomfort through comedy, or are you the kind of person who takes an awkward situation and hams it up because, at that point, why not?

I'm highly, highly sensitive to uncomfortable situations. I have this police scanner. I'm very seldom in my own experience. I'm kind of in the experience of everyone else in the room. When I'm talking about something that is very uncomfortable, that's me trying to process something and turn it into a victory so that I can just be rid of it. Be rid of the haunting of it. But in terms of comfort, I am definitely a really anxious person. And I think the way that I try to approach comedy in general, and did at a young age, is that I'm very keen to try to soothe people socially.

Why do you think you do that?

Well, I think it's how I grew up. I think it's the environment in which I grew up was needing to regulate people in my community [laughs]. I was taken in by the jocks, all the soccer players, as a really young child. I think they found me comforting. I think that was my role for a long time, and still is, if that makes sense.

It does. I'm a trans woman, and growing up, a lot of guys like that also took me in. I think they found the energy almost … confusing or perplexing. But it's a huge breath of fresh air for them because they know you’re not going to dunk on them if they say something a little vulnerable. They feel so happy that somebody is listening to them, you know.

Exactly, exactly. I grew up with women, so the way I was raised, masculinity was something to be embarrassed about, so I never had a dog in that fight. That's why you get a lot of one-on-one time with those guys, because they can let their hair down.

Totally.

Everybody has that. Everyone's got the masculine and the feminine in them.

You have that whole story about going to Dane Cook’s Super Bowl party where you tell jokes about his house looking like a Crate & Barrel that don't land, where you're sitting on Bill Burr’s armrest like a dog. It’s funny because, by the time there is a football and you’re going to throw it around, the audience is shrieking. Just because they see this not-so-masculine person in this typically masculine situation. It looks like a car crash to them.

That is a situation where I fully panicked when I saw that ball come out, and then when my friend Gary put me out of my misery and said, “Chrissy, you better get out of here.”

Was it a sweet release?

Such a sweet release.

Has Dane Cook heard that bit?

Yes, and he thinks it's funny. And I'm so relieved because—Dane Cook. A lot of people say a lot of stuff about Dane Cook. Dane Cook was like a theater artist when he was starting out. He brought a theatricality to the stage that hadn't been done. I have the utmost respect for his stage work.

His work came out when I was pretty young. I think my cousins showed it to me in elementary school. I remember sitting in the car with them and listening to that joke about swimming in a pool and how trying to come up for air under a kid on a raft is like “drowning in the abyss.” The way he screams, the voices he does, the way he jumps around, is incredibly endearing and very, very funny.

That's like, that is a guy who bled out for his work, and I find that to be so inspiring.

What I like about that story, and a lot of stories you tell, is that you’re never criticizing men for enjoying a masculine activity, or like you're not making fun of women for certain peculiarities. You're pointing them out and finding this fun absurdity. Everyone's in on the joke. Nobody is “bad.” I think a lot of “gendered” comedy ultimately ends with judgment. Are you consciously avoiding that? Is this just who you are and how you see things?

If you're commenting and observing, you have to be accepting as well. I can get so bitchy and petty, but I think that that's also sometimes part of the bit. But I do think at the base level, I really do believe, especially if you're doing an impersonation, there has to be a love for the subject.

Gayle is a character that, obviously, people identify with you. The first time I saw that, I was like: That is my mother. It was so close to how she behaved when we had guests coming. But Gayle is not the joke. The joke is the expectations on Gayle. The weight of the world on a mother who has to prepare for company. And I never saw my mom acting that way as an overreaction ever again. I understood her better. And I mean that sincerely.

And this is why I get so pissed when people … people make that video all the time now. You know, guys in the South are putting on, like, a wig and doing it in the most tacky way. They redo “COMPANY IS COMING,” specifically that scene in Gayle. If you're going to do that, you have to realize there’s a vulnerability to what Gayle is going through. She's terrified. What's funny about that is the fear that she's having. It's not anger, it's fear she's trying to route. That scream is agony, it's terror, and I had to tap into my anxieties for that. And it's like, you see where someone's coming from, you don't ridicule it. You try to do it to show them why it's funny that they're going through that, to maybe lighten the experience, you know, because a lot of those direct quotes were just from my mom.

Did it feel good to tap into that anxiety?

Oh my God. Oh my god. Gayle is therapy, completely. Gayle is such therapy, especially because my mom and I were doing it together. She played the antagonist in Gayle. For her to be able to laugh at these things, we really grew together and got over a lot of shit. It felt incredible to tap into that. To give a character to your emotions that you don't feel comfortable expressing—highly recommend.

You do a lot of things. Skits. Stand-up. I like your songs, which I think are great in a real way. Is it a serious pursuit for you?

“Sick Jan” and “Boba Manifesto,” those I made with my friend Brian Heveron-Smith, who was a classically trained musician, who's incredible. And lately, I've been doing my own instrumentals where I play synths and I have a drum machine that I use. It's really sloppy and really impulsive, what I do, but oh, God, I love doing it so much. I'm so disorganized that [the instrumentals] just kind of live on my desktop, and I just forget about them. But it's the same type of thing as using a character to tap into emotions that you're not comfortable expressing. Language and movement can be limiting. Being able to put something in a song and then have the song run counter to the melody, I think, is always really nice. I

started doing instrumentals around the end of Gayle, because Brian and I did all the music for Gayle together. This was back when I was still drinking, but we were drinking some Mike's Hard Lemonade, and then maybe [we’d do some] instrumentals. That was the one area of creativity where we allowed a little bit of alcohol. We would never write words with the booze, but the instrumentals and Mike's Hard, I think, went really beautifully together.

Your song “W.U.G.” (which stands for Wildly Unlikeable Guy) released me from a certain kind of anxiety. And when I am stuck talking to some horrible person, I think of it.

I'm so happy to hear that, I think of that concept too. A lot.

Is it based on one particular guy?

Oh yeah, oh yeah, you bet it was.

I scanned your social media for all the times you performed in Seattle over the years. In 2014, you posted a picture with a goat. The next time, you went on local television.

Did we get a goat in Seattle? Holy shit, that must have been a Gayle show. We got local animals like horses and stuff for Gayle because that was like a stage play.

What do you think about this place? Like you, I lived east of here most of my life and find West Coast cities kind of perplexing. The people do not act in ways that I understand.

I would recommend people experience both coasts at some point in their lives, because, you know, the East Coast is all about inhaling, and the West Coast is all about exhaling. I love Seattle. Oh, my God. A lot of people that I've been worried about end up in Seattle, and I go, “Okay, good, they’re in Seattle now.” 

The tender arms of the city, we will enfold them.

You see the most recent season of The Last of Us?

I haven’t seen it yet, but I know things are not particularly right in the world of The Last of Us and assume it’s pretty much the same in its Seattle.

There's a great quote where someone yells, like, “What the fuck is going on in Seattle?”

I've actually noticed a lot of people in my life saying that, and now I know where it came from. So thank you for unlocking something for me.

I seldom love TV writing, but that … did they really just set the show in Seattle just for that one line? I love that pettiness.

I feel like any zombie show is interesting for a couple episodes, because you're sort of introduced to the mechanisms of the zombies. Do these guys run? I guess the more infected they are, like, their heads split open—that's pretty cool. But then after a while, it sort of becomes a little bit video-game-y. And then there's always a flip where it's like, are people just as bad as the zombies? And the answer is always yes.

It’s funny when it gets to a point where you get bored by seeing zombies. I feel so bad for the special effects people who put so much work into these, like [Chris zombie moans] and by, like, the 15th zombie scene, you're like, “Yeahhhhh. Well, there they are.”

After a while, you get confident that you could probably deal with this.

My answer to any type of thing is to dig a hole and then hide in the hole. That's where my head goes anytime there's a catastrophe.

That's pretty good. If people don't know you're in the hole, then you're good. If people find the hole, you are in a lot of trouble.

Oh, you're so fucked.

Chris Fleming performs two shows at The Moore Theater July 27

20:28

19:42

Wayback 0.1 released [OSnews]

Wayback, the recently announced tool that will allow you to run a legacy X11 desktop environment on top of Wayland, has just announced its first release, version 0.1. As the version number implies, there be dragons here, but the developers state some of them already use Wayback on a day-to-day basis. Still, there’s no multi-monitor support yet, quite a few X.org options are just stubs for now, there’s no mouse-locking, and so on.

Since the initial announcement and the first progress report a few weeks ago, Wayback has become an official part of FreeDesktop.org, which indicates the wider desktop Linux community is definitely interested in what Wayback has to offer. It’s also been split into several different parts to mimic X.org’s structure, several distributions have picked it up and packaged it already, and ton more changes have been made.

It definitely seems like Wayback has a good chance of becoming a simpler, more straightforward replacement for X.org, greatly reducing the maintenance burden of Linux distributions. Not having to keep the full legacy X.org stack around alongside Wayland is going to save a lot of people a lot of time.

19:35

Pluralistic: Installing Android phones in Blackberry chassis (23 Jul 2025) [Pluralistic: Daily links from Cory Doctorow]


Today's links


A disassembled RIM Q20 chassis with a breakout board; the screen is showing an Android UI.

Installing Android phones in Blackberry chassis (permalink)

As much as I admire the techlash, I have some serious reservations. I worry that there's some pretty useful tech babies that we are at risk of throwing away with the bathwater.

For starters, there's the idea of "intermediary liability," which is the degree to which online services are held liable for the harms their users inflict on each other. Lots of people want to make Meta, Google and other tech giants liable for their users' actions, such as harassment and disinformation. These people are doubtless well-intentioned, but boy have they failed to pay attention to what happens when we create these liability rules.

Historically, the most important intermediary liability law is Section 230 of the Communications Decency Act. Despite the fact that this law is only 27 words long, it is among the most badly understood aspects of tech policy, worldwide:

https://www.techdirt.com/2020/06/23/hello-youve-been-referred-here-because-youre-wrong-about-section-230-communications-decency-act/

CDA 230 says that platforms aren't required to police their users' speech. If a user libels another user, or harasses them, or threatens them, that's between the users, who can sue each other, but not the platform (CDA 230 only relates to civil liability; it has no bearing on the ability of platforms to be held criminally liable for their users' actions).

Importantly, CDA 230 also says that if a platform does intervene to prevent one user from harming another, that doesn't mean they have to intervene in every such case. There's a good historical reason for this: back in the paleolithic era, Prodigy, a commercial online service, was sued after they stepped in to protect some users from other users' bad actions. The suit argued that once they'd set the precedent that they were going to police user conduct, they acquired an obligation to police every instance of bad user conduct. In response, Prodigy – and its competitors – stopped moderating altogether:

https://en.wikipedia.org/wiki/Stratton_Oakmont,_Inc._v._Prodigy_Services_Co.

No one who's used big online services would say that the CDA 230 world is a great one – but it's provably a vastly better world than the world we get when we take away 230's protections.

Yes, provably.

In 2018, Donald Trump signed SESTA/FOSTA into law. This is a (supposedly) narrow exception to CDA 230 that makes platforms civilly liable when they are used in connection with sex trafficking:

https://decriminalizesex.work/advocacy/sesta-fosta/what-is-sesta-fosta/

Obviously, sex trafficking is a terrible crime (and again, CDA 230 has never affected a platform's criminal liability for sex trafficking, only civil liability). None of the people who spoke out against SESTA/FOSTA did so because they wanted to protect sex traffickers.

Rather, the opposition to SESTA/FOSTA was motivated by concern over the collateral damage that would ensue, and those concerns have been entirely borne out. Opponents of SESTA/FOSTA predicted that platforms would be unable or unwilling to distinguish between consensual sex work and trafficking, and that they would simply sweep all consensual sex work off of their platforms.

That's exactly what happened. Not only did the spaces where sex workers advertised and booked their work disappear, but so did the private "bad date" forums where sex workers helped one another steer clear of dangerous clients. Sex work moved back into the streets, and with it came a revival of pimping – a scourge that had been all but killed off by the use of online platforms by sex workers to find work and stay safe:

https://www.vice.com/en/article/fosta-sesta-sex-work-and-trafficking/

To the extent that sex work survives online, it has been relegated to a few fringe services that have no competitors and exploit their captive audience of sex workers to rake in massive fees for sub-par services. Meanwhile, the forcible relocation of sex work from searchable, visible online spaces to the streets has made it significantly harder for law enforcement to detect and interdict actual sex trafficking:

https://instituteforsheltercare.org/wp-content/uploads/2018/09/After-SESTA-FOSTA.pdf

That's the evidence for what happens when you make intermediaries liable for their users' conduct. Far from being a gift to Big Tech, protections from intermediary liability primarily benefit smaller online spaces, which can't afford the high compliance costs of spying on and controlling their users, unlike, say, Facebook, which is why Mark Zuckerberg wants to get rid of CDA 230:

https://www.nbcnews.com/tech/tech-news/zuckerberg-calls-changes-techs-section-230-protections-rcna486

Every Fediverse host depends on limitation on intermediary liability. So does anyone who hosts one of the new, federated Bluesky relays:

https://whtwnd.com/bnewbold.net/3lo7a2a4qxg2l

SESTA/FOSTA isn't the only experimental evidence we have for what happens when we kill CDA 230-like protections. In the UK, the Online Safety Act imposes a duty on people who provide online speech forums to monitor and police their users' words. The immediate effect of this was to kill off many small business and hobbyist forums. Now, even large, multinational corporations are killing off their forums and relocating them to Facebook, where there's the budget and resources to conduct the surveillance and control required by the Act:

https://mastodon.sdf.org/@monkeyben/114902255326864878

Moving every independent speech forum to Facebook is a funny way of punishing Big Tech. Fundamentally, the lesson here is that we can't fix Big Tech by making it use its power more wisely – the only way to fix Big Tech is to get rid of it, to make it smaller, to take away its power.

That's a lesson we keep missing. Take age verification laws: these require all online forums to exercise total control over their users, because they require platforms to know who a user is, to associate that user with every interaction, and, finally, to verify the user's age. But you can't verify a user's age unless you know which user is at the other end of an online connection. This affects every user, not just kids, because the only way to prove you're an adult is to prove that you're not a kid.

Age verification and intermediary liability are measures that are diametrically opposed to the mission of making Big Tech weaker. These measures only work if Big Tech stays all-powerful, and they devastate independent online alternatives to Big Tech. What's more, they cut directly against efforts to make it easier for users to leave Big Tech, through interoperable gateways that make it possible for users who depart an online platform to stay in touch with the people who stay behind:

https://www.eff.org/interoperablefacebook

These interoperability mandates figure heavily in modern anti-Big Tech laws like the EU's DMA and DSA, but they cannot peacefully coexist with stricter liabilty and age verification rules. A platform simply cannot identify, monitor and control users and allow users to leave their platform while maintaining contact with their friends who stay.

These efforts to force Big Tech to behave don't just undermine interoperability mandates, they also kill off "adversarial interoperability," the principle that a user of a technology should be allowed to reverse-engineer and modify it, for example, to block ads or tracking, to sideload apps or extract their data or to monitor a platform's moderation failures:

https://www.eff.org/deeplinks/2019/10/adversarial-interoperability

When Big Tech does adversarial interoperability, they call it "move fast and break things," and that's another baby the techlash stands ready to throw out with the bathwater. There's nothing wrong per se with a technologist changing how a device or service works without permission from its maker. Every ad-blocker does that. So do accountability tools that scrape Facebook to document its failures to police paid political disinformation:

https://pluralistic.net/2021/08/05/comprehensive-sex-ed/#quis-custodiet-ipsos-zuck

Moving fast and breaking things is fine, depending on whose things you're breaking. For example, I want every Tesla owner to be able to walk into any mechanic's shop and unlock all the subscription features and software upgrades, without paying a dime to Elon Musk:

https://pluralistic.net/2025/03/08/turnabout/#is-fair-play

And I want every person who uses a powered wheelchair to be able to alter its handling characteristics and other digital features without waiting months and paying through the nose to one of two private-equity backed duopolists:

https://www.eff.org/deeplinks/2024/06/disability-rights-are-technology-rights

I want gig workers to be able to mod the apps that hand out their jobs so that they don't get ripped off by their bosses:

https://pluralistic.net/2021/07/08/tuyul-apps/#gojek

Adversarial interoperability means that you and I don't need to convince tech bros to give us what we want: we can just take it – from them.

That's important, because if there's one thing that tech companies keep proving, over and over again, it's that they don't give a shit what we want. Think of how they're force-feeding us AI (and how nice it would be to subscribe to a service run by adversarial interoperators who would automatically block every accursed AI popup in every app and service and device you use):

https://www.bloodinthemachine.com/p/how-big-tech-is-force-feeding-us

Or, more prosaically, how much mobile phone design has congealed around a monolithic design that has no room for a clicky little keyboard – something I first saw demoed 23 years ago:

https://memex.craphound.com/2002/03/25/the-danger-hiptop-kicks-azz/

Or even how they stole our 3mm headphone jacks:

https://www.fastcompany.com/90270691/i-still-miss-my-headphone-jack-and-i-want-it-back

It turns out that we don't have to take that shit lying down. Like Prometheus, we can steal our clicky keyboards and 3mm headphone jacks back from the tech gods. That's exactly what the Q25 Pro does: it's a mobile phone that is built inside the housing of a Research in Motion Blackberry Classic Q20, with a modern processor and camera, and a recent version of Android:

https://linkapus.com/products/q25-pro-full-device

It's a project from Zinwa Technologies, led by a young Chinese hacker named Zinwa who explained the gadget's design in detail on a recent installment of Returning Retro:

https://www.youtube.com/watch?v=lOrKsVKAbGA

Zinwa explains how he grew up with Blackberries (and also Chinese clones of Blackberries) and never learned to enjoy a modern distraction rectangle. So, as all good hackers do when they get an itch, he scratched it. He realized that there was an essentially infinite supply of old Blackberry housings sitting around in drawers or making their slow, inexorable way to an e-waste dump, where they would leach out poisonous ooze forever, and that, rather than spending $200K+ to design a chassis for a new phone, he could just create a motherboard around a modern processor with a recent-model screen, all sized to occupy exactly the same space that the original Q20 board fit in.

The new device supports 4G/LTE networks and Android 13. It has an SD card slot, USB C, and NFC on-board, as well as the classic Blackberry keyboard and yes, a 3mm headphone jack. Zinwa is launching with a small batch of conversion kits for hardware hackers who want to try their hand at a retro-restoration, with fully assembled units to follow.

Now, this isn't for everyone, but there's a huge community of people who are very excited about it indeed:

https://www.techradar.com/pro/the-return-of-the-og-chinese-firm-wants-to-androidify-the-blackberry-classic-and-sell-it-for-usd400-with-passport-and-keyone-to-follow

Mostafa, who sent me a tip about this project, writes:

After using [a Blackberry-like phone] for 3 years now, the form-factor is perfect for healthy phone usage habits. I’ve found the physical keyboard/small screen combo to be an optimal solution to the problem having a simultaneously infinitely useful tool/infinitely novel toy in your pocket at all times – maximize the tool factor, minimize the toy. This concept has spawned a rich community around it.

If you want to be a part of that community, you can hang out on their Discord:

https://discord.com/invite/D2P7UqFdXz

The point here isn't merely that Zinwa is doing something very cool that meets the needs of a group of people who Big Tech doesn't give a shit about (though he is doing that): it's that anyone should be able to do this to any technology. That includes Zinwa's Q25: in his interview with Returning Retro, Zinwa waffles a little about whether the Q25 will have an open bootloader, which would allow other hackers to replace the OS with one that's been modded to their heart's delight. Whether or not you get to modify the tech you use to suit you better has nothing to do with whether it came from someone with good or bad intentions – you should have that right, no matter what, because it's your technology and you should be in charge of it.

This is the spirit of small tech: tech that communities bend to suit their needs. Just as CDA 230 primarily benefits small groups who are underserved or abused by Big Tech, the right to change your tech primarily helps marginalized groups. Marginalized groups have always relied on adapting their tech, because their needs rarely get taken into consideration by design teams at tech companies:

https://pluralistic.net/2022/05/19/the-weakest-link/#moms-are-ninjas

The world is full of "outdated" technology that has been replaced with enshittified versions. A robust right to tinker means that we can divert this superior, well-built technology from landfills, by retrofitting it with modern guts that keep it up to date with the good things that have emerged since it was built, while discarding all the garbage that came along with it.

Take the Thinkpad X220, one of the greatest computers ever made:

https://btxx.org/posts/x220/

As Brad at btxx wrote in 2023, the X220 is built like a tank, had every port under the sun, supported compact lightweight batteries and massive external ones, sported one of the greatest keyboards ever to grace a laptop, and had an open bootloader, making it a dream to run Linux on. It was incredibly easy to repair and maintain, too (I once swapped a keyboard on one of these one-handed while holding my infant daughter in my other hand).

I would love to have an X220 with a modern processor, a shit-ton of RAM, and an updated screen. There's no way I'm ever going to build it, but there's probably a couple thousand people like me who would pay, say, $2500 each for these retrofits. For some enterprising hardware hacker, that's a pretty good year's wages, and a project that could launch a reputation and future projects.

Thinkpads went steeply downhill after the X220, so much so that I abandoned them altogether, after more than a decade of annual hardware purchases, switching to the wonderful, repairable Framework:

https://pluralistic.net/2021/09/21/monica-byrne/#think-different

The fact that Lenovo – the current owner of the Thinkpad line – just sucks at making computers is no reason for those X220s to go to the landfill. Someone could – and should – move fast and break Lenovo.

For more than 20 years, we have tried to make tech better by "holding tech to account," trying to make giant tech companies wield their power more responsibly. This has been a total failure, which has done nothing but strengthen tech companies, making them both too big to jail and too big to care. A better tech future isn't one in which today's tech companies behave better, it's one in which their bad behavior doesn't matter because they no longer have any power over us.

To bring that future into being, we have to take away tech power, not try and direct it in positive ways. We need to design our policy around evacuating tech platforms, not fixing them. We need to encourage moving fast and breaking (Big Tech's) things. The problem with the world isn't that the wrong tech bosses wield vast power over the lives of billions of people – it's that anyone has that power.

Hey look at this (permalink)


A shelf of leatherbound history books with a gilt-stamped series title, 'The World's Famous Events.'

Object permanence (permalink)

#20yrsago Copyfighter to trademark bully: I own “freedom of expression” https://web.archive.org/web/20050725013828/http://www.freedomofexpression.org/ceaseanddesist.html

#15yrsago HOWTO make spider-silk thread https://www.instructables.com/How-to-make-Spider-Silk-Thread/

#15yrsago Australian government blocks out 90% of document on web-spying plans https://www.theage.com.au/technology/no-minister-90-of-web-snoop-document-censored-to-stop–premature-unnecessary-debate-20100722-10mxo.html

#15yrsago Can you audit the software that goes in your body? https://softwarefreedom.org/resources/2010/transparent-medical-devices.html

#15yrsago New Disney Haunted Mansion movie to be produced by Guillermo del Toro https://web.archive.org/web/20100723183543/http://disneyparks.disney.go.com/blog/2010/07/haunted-mansion-inspires-new-movie-by-the-walt-disney-studios-and-guillermo-del-toro/

#15yrsago Wood floors made from wine-barrels https://3rings.designerpages.com/2010/07/vintage-wine-barrel-flooring-by-fontenay-wood/

#15yrsago UK regulator turns over Internet policing standards to movie and record industries https://www.openrightsgroup.org/blog/ofcoms-code-does-not-comply-with-digital-economy-act/

#10yrsago Comcast’s top lobbyist insists he isn’t a lobbyist https://www.techdirt.com/2015/07/22/comcast-really-wants-me-to-stop-calling-their-top-lobbyist-top-lobbyist/

#10yrsago Once again: Crypto backdoors are an insane, dangerous idea https://web.archive.org/web/20150724155241/http://motherboard.vice.com/en_uk/read/a-golden-key-for-encryption-is-mythical-nonsense

#10yrsago RIP, EL Doctorow https://www.nytimes.com/2015/07/22/books/el-doctorow-author-of-historical-fiction-dies-at-84.html

#5yrsago Kentucky AG sues top GOP donors https://pluralistic.net/2020/07/22/stimpank/#kentucky

#5yrsago Anti-facial recognition tool https://pluralistic.net/2020/07/22/stimpank/#fawkes

#5yrsago Little Brother as a role-playing game https://pluralistic.net/2020/07/22/stimpank/#lb-rpg

#5yrsago Ohio GOP leadership indicted for racketeering https://pluralistic.net/2020/07/22/stimpank/#householder

#5yrsago Insurers are secret, powerful police reformers https://pluralistic.net/2020/07/22/stimpank/#incentives-matter

#5yrsago OTF spared (for now) https://pluralistic.net/2020/07/22/stimpank/#breitbarf

#1yrago Unpersoned https://pluralistic.net/2024/07/22/degoogled/#kafka-as-a-service

Upcoming appearances (permalink)

A photo of me onstage, giving a speech, pounding the podium.


A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)


A grid of my books with Will Stahle covers..

Latest books (permalink)


A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Canny Valley: A limited edition collection of the collages I create for Pluralistic, self-published, September 2025

  • Enshittification: Why Everything Suddenly Got Worse and What to Do About It, Farrar, Straus, Giroux, October 7 2025
    https://us.macmillan.com/books/9780374619329/enshittification/

  • Unauthorized Bread: a middle-grades graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2026

  • Enshittification, Why Everything Suddenly Got Worse and What to Do About It (the graphic novel), Firstsecond, 2026

  • The Memex Method, Farrar, Straus, Giroux, 2026

  • The Reverse-Centaur's Guide to AI, a short book about being a better AI critic, Farrar, Straus and Giroux, 2026


Colophon (permalink)

Today's top sources: Mostafa Hagar.

Currently writing:

  • "The Reverse Centaur's Guide to AI," a short book for Farrar, Straus and Giroux about being an effective AI critic. (1006 words yesterday, 8158 words total).

  • A Little Brother short story about DIY insulin PLANNING

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

READ CAREFULLY: By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

ISSN: 3066-764X

18:56

Slog AM: ICE Detains High School Theater Director, Israel Strikes WHO Site, and CEOs love Bruce Harrell [The Stranger]

The Stranger's Morning News Roundup. by Hannah Murphy Winter

Good Morning! The weather is goddamn beautiful—highs in the 80s and sunny—which is a delightful contrast to everything you’re about to read.

Let’s do the news.

(If you get to the end, there’s some butt jokes, as a treat.)

Trump Is Afraid of Teachers: Last week, ICE arrested and detained Fernando Rocha, a theater manager at Juanita High School in Kirkland. His lawyer told the Seattle Times that Rocha entered the US on a tourist visa in 2018, and before it expired, he applied for asylum. The case is still pending. Meanwhile, ICE Seattle claimed on Twitter that Rocha was wanted in Brazil for theft, a claim that his family in Brazil called “outlandish.” 

Harrell Wants to Watch You Stumble Home Drunk: Or sunbathe in Cal Anderson. Or go to high school. Last week, Harrell and SPD Chief Shon Barnes claimed that the city’s pilot program for their Real Time Crime Center was a roaring success (ok, Batman). The surveillance program put CCTV cameras along Aurora Avenue North, the downtown Third Avenue corridor, and the Chinatown-International District, and integrated them with their favorite new Automated License Plate Readers into a super secret data center (it’s SPD headquarters). Barnes says they’ve assisted in 90 active criminal investigations in 60 days, but didn’t say what the investigations were (we asked and we’ll report back). Now, Harrell wants to do the same in Cal Anderson, the Capitol Hill Night Life District, and Garfield High School. What could go wrong?

Serial Rapist Sentenced in Everett: Christian Sayre, a former Everett bar owner, was sentenced to 109 years for 16 counts of second-degree rape, third-degree rape of a child, indecent liberties, and possession of depictions of a minor engaged in sexually explicit conduct. Prosecutors say Sayre used his bar in Everett as a staging ground to prey on his victims.  Everett Police Chief John DeRousse said in a statement that it was “one of the most complex and disturbing cases” the department has handled. Sayre’s attorney asked that he get 17 and a half years. The prosecutors asked for 133. Judge Millie Judge (not a typo) went with 109, citing the length and breadth of Sayre’s crimes.

WA Child Welfare Isn’t So Well: According to the office that oversees the Department of Children, Youth, and Families, critical injuries for kids in the state’s welfare system took a huge jump in the first half of this year. By the end of June, at least 92 children had died or nearly died, up from 78 in the first six months of 2024. Some Republicans are trying to blame the bipartisan Keep Families Together Act, but fentanyl is the likelier culprit. So far this year, 20 of the cases involving kids under 4 years old were caused by accidental fentanyl exposure.

Blue Angel Blues: We’re approaching the season when literal fighter jets swoop around our city like a playground, and some Seattleites are over it. The Airshow Climate Action coalition put up a new billboard on Rainier Ave that reads: “SAY NO TO BLUE ANGELS.” Think of the rescue dogs! Think of the military trauma! Or think of the 670 tons of carbon emissions they blow through in one weekend.

Crunching Some Numbers: We’re well into Primary Election Season, so we at The Stranger decided to take another look at the money Katie Wilson and Bruce Harrell have taken in. As we’ve reported before, the two are neck and neck in fundraising, but we noticed a couple key differences. First, almost $60,000 of Harrell’s donations came from outside of Seattle (the city he’d like to keep governing), compared to Wilson’s $7,207. And among his donors, 19 of them are CEOs. (The only time “chief” comes up in Katie’s donor list is a Chief Policy and Strategy Officer for the Highline School District.)

I’m just gonna put this thread from Mark Ostrow here.

 

Ok the mayor is speaking. “I embrace the wealthy.”

[image or embed]

— Qagggy! (@qagggy.bsky.social) July 22, 2025 at 6:26 PM

 

A Little Brain Break: In lighter news, we sent Stranger Staff Writer Audrey Vann, a non-Katy Perry fan, to Monday’s Katy Perry concert at Climate Pledge. She learned a lot. “Before winning me over with an emotional performance of ‘Pearl,’ she had lost me with a megachurch-style sermon about her space voyage,” Vann writes. “She had long dreamed of going to space, she said, and despite her dreams being dismissed, she feels that she ultimately ‘manifested’ her trip on Blue Origin. ‘Part of me did it so that I could let go of any last bit of fear that I had, because I knew that was when my life would begin again,’ she said, tearing up. ‘And to any other girl that has a dream, you go and do it!’ This drew attention to a major discrepancy in her brand regarding female empowerment—she preaches and sings about overcoming adversity (see: ‘Roar and ‘Rise’), but the things she has overcome in her life are deeply unrelatable.” 

Plus, we got a new list of Katyisms out of the deal:

“I’m a Scorpio, bitch!”
“Is the internet real, or is this what’s real?”
“I dedicate [‘I Kissed A Girl’] to the community—the ones who raised me, the ones that called me out, and the ones that educated me, and for all the little girls in between like myself.”
“Love is love! It’s not a gender, it’s a frequency, so tap into it, baby!”
“What’s up, Amazon family?”

And if you still need a breath before we get into national and international news, spend some time in a basement with The Stranger’s Charles Mudede.

Fascism Is Tacky: The administration that populates its Instagram feed with AI-generated images of eagles, money, and the DJT Jerk Off Dance just withdrew from UNESCO, the UN’s cultural agency. This is the second time in as many terms that Trump has pulled us out of the organization. In a comment to the New York Times, a State Department spokesperson accused UNESCO of promoting “divisive social and cultural causes” (Palestinians’ right to exist, mostly) and maintaining an “outsized focus on the U.N.’s Sustainable Development Goals, a globalist, ideological agenda” at odds “with our America First foreign policy.” Meanwhile, Republicans are trying to rename the Kennedy Center’s Opera House after Melania.

Apparently this is art now.

No Charges for Bad Cops: You’ve probably seen the video already. Sheriff’s officers in Jacksonville, Florida, pulled William Anthony McNeil Jr. over for not having his headlights on and not wearing a seatbelt. When McNeal questioned why he was pulled over and refused to get out of the car, an officer smashed his window, punched him in the face, wrestled him out of the car, punched him again, and forced him to the ground while shouting “Stop resisting!” Prosecutors say that the officers didn’t break the law, and the Sheriff’s office is still investigating to see if any internal policies were violated. Sheriff T.K. Waters said the cellphone video doesn’t tell the full story. “Cameras can only capture what can be seen and heard,” he said at a news conference Monday. “So much context and depth are absent from recorded footage because a camera simply cannot capture what is known to the people depicted in it.” Don’t worry, T.K., it captured the racism just fine.

Israel Strikes WHO Site: Israel attacked a World Health Organization’s site in central Gaza, an area that Israel has largely avoided because it believed Israeli hostages were being held there. Israel doesn’t deny raiding the facility but said any “suspects” had been treated “in accordance with international law.” Whatever the fuck that means at this point.

Don’t Put That Up There: A Tokyo-based designer made a butt plug bottle with an egg-shaped, rounded bottom designed to nestle into the sand on the beach, and presented it at the 2nd International Conference on Design for Ocean Environments, which sounds very respectable. But as Mathew Rodriguez wrote for Them: “Murphy’s law tells us that what can go wrong will go wrong. Godwin’s law says that any online discussion will eventually devolve into one person comparing the other to a Nazi. To this esteemed list, let me add Gere’s law, named, of course, after the long-debunked but persistent myth that actor Richard Gere once stuck a gerbil up his butt: If it looks like someone can put it up their butt, they’ll want to.”

 

          View this post on Instagram                      

A post shared by Kenji Abe (@kenji_abe_)

 

Never Say Die: John Michael “Ozzy” Osbourne died yesterday at 76, just two weeks after playing Black Sabbath’s farewell show.

18:49

Discovering and recovering from PostgreSQL corruption on Matrix.org [LWN.net]

Richard van der Hoff, a member of the team that runs the Matrix.org homeserver, has written a detailed blog post about diagnosing and fixing a problem where Matrix rooms would simply stop working:

We know that there are plenty of users out there who will have been affected by the problem, and found themselves unable to communicate as a result. We very much share your frustration, and we'd like to apologise for the disruption to service.

With that said, we're glad that we were able to get to the bottom of most of the problem, and get the lost data restored within a relatively short time. If nothing else, hopefully this blog post will be of use to future generations faced with Postgres index corruption!

18:07

[$] Understanding Debian's security processes [LWN.net]

Providing security updates for a Linux distribution, such as Debian, involves a lot of work behind the scenes—and requires much more than simply shipping the latest code. On July 15, at DebConf25 in Brest, France, Samuel Henrique walked through the process of providing security updates to users; he discussed how Debian learns about security vulnerabilities, decides on the best response, and the process of sending out updates to keep its users safe. He also provided guidance on how others could get involved.

18:00

Deceptively Delicious [Penny Arcade]

Lego already had us dialed in, so launching an onslaught like a Soundwave - let alone a Soundwave with a talky bit is the kind of virulent attack that kills the host too soon, necessitating a Lego coffin. It's rude, but also kind of awesome, like The Sex Pistols.

Feeds

FeedRSSLast fetchedNext fetched after
@ASmartBear XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
a bag of four grapes XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Ansible XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
Bad Science XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Black Doggerel XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Blog - Official site of Stephen Fry XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Charlie Brooker | The Guardian XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Charlie's Diary XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Chasing the Sunset - Comics Only XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Coding Horror XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
Cory Doctorow's craphound.com XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Cory Doctorow, Author at Boing Boing XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Ctrl+Alt+Del Comic XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Cyberunions XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
David Mitchell | The Guardian XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Deeplinks XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
Diesel Sweeties webcomic by rstevens XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Dilbert XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Dork Tower XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Economics from the Top Down XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Edmund Finney's Quest to Find the Meaning of Life XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
EFF Action Center XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Enspiral Tales - Medium XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Events XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Falkvinge on Liberty XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Flipside XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Flipside XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Free software jobs XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
Full Frontal Nerdity by Aaron Williams XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
General Protection Fault: Comic Updates XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
George Monbiot XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Girl Genius XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Groklaw XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Grrl Power XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Hackney Anarchist Group XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Hackney Solidarity Network XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
http://blog.llvm.org/feeds/posts/default XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
http://calendar.google.com/calendar/feeds/q7s5o02sj8hcam52hutbcofoo4%40group.calendar.google.com/public/basic XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
http://dynamic.boingboing.net/cgi-bin/mt/mt-cp.cgi?__mode=feed&_type=posts&blog_id=1&id=1 XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
http://eng.anarchoblogs.org/feed/atom/ XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
http://feed43.com/3874015735218037.xml XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
http://flatearthnews.net/flatearthnews.net/blogfeed XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
http://fulltextrssfeed.com/ XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
http://london.indymedia.org/articles.rss XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
http://pipes.yahoo.com/pipes/pipe.run?_id=ad0530218c055aa302f7e0e84d5d6515&amp;_render=rss XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
http://planet.gridpp.ac.uk/atom.xml XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
http://shirky.com/weblog/feed/atom/ XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
http://thecommune.co.uk/feed/ XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
http://theness.com/roguesgallery/feed/ XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
http://www.airshipentertainment.com/buck/buckcomic/buck.rss XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
http://www.airshipentertainment.com/growf/growfcomic/growf.rss XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
http://www.airshipentertainment.com/myth/mythcomic/myth.rss XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
http://www.baen.com/baenebooks XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
http://www.feedsapi.com/makefulltextfeed.php?url=http%3A%2F%2Fwww.somethingpositive.net%2Fsp.xml&what=auto&key=&max=7&links=preserve&exc=&privacy=I+accept XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
http://www.godhatesastronauts.com/feed/ XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
http://www.tinycat.co.uk/feed/ XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
https://anarchism.pageabode.com/blogs/anarcho/feed/ XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
https://broodhollow.krisstraub.comfeed/ XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
https://debian-administration.org/atom.xml XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
https://feeds.feedburner.com/Starslip XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
https://feeds2.feedburner.com/GeekEtiquette?format=xml XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
https://hackbloc.org/rss.xml XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
https://kajafoglio.livejournal.com/data/atom/ XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
https://philfoglio.livejournal.com/data/atom/ XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
https://pixietrixcomix.com/eerie-cutiescomic.rss XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
https://pixietrixcomix.com/menage-a-3/comic.rss XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
https://propertyistheft.wordpress.com/feed/ XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
https://requiem.seraph-inn.com/updates.rss XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
https://studiofoglio.livejournal.com/data/atom/ XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
https://thecommandline.net/feed/ XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
https://torrentfreak.com/subscriptions/ XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
https://twitter.com/statuses/user_timeline/22724360.rss XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
https://web.randi.org/?format=feed&type=rss XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
https://www.dcscience.net/feed/medium.co XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
https://www.DropCatch.com/domain/steampunkmagazine.com XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
https://www.DropCatch.com/domain/ubuntuweblogs.org XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
https://www.DropCatch.com/redirect/?domain=DyingAlone.net XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
https://www.freedompress.org.uk:443/news/feed/ XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
https://www.goblinscomic.com/category/comics/feed/ XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
https://www.loomio.com/blog/feed/ XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
https://www.newstatesman.com/feeds/blogs/laurie-penny.rss XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
https://www.patreon.com/graveyardgreg/posts/comic.rss XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
https://www.rightmove.co.uk/rss/property-for-sale/find.html?locationIdentifier=REGION^876&maxPrice=240000&minBedrooms=2&displayPropertyType=houses&oldDisplayPropertyType=houses&primaryDisplayPropertyType=houses&oldPrimaryDisplayPropertyType=houses&numberOfPropertiesPerPage=24 XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
https://www.thundergrunt.com/ XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
Humble Bundle Blog XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
I, Cringely XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Irregular Webcomic! XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Joel on Software XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
Judith Proctor's Journal XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
Krebs on Security XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Lambda the Ultimate - Programming Languages Weblog XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
Looking For Group XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
LWN.net XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Mimi and Eunice XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Neil Gaiman's Journal XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
Nina Paley XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
O Abnormal – Scifi/Fantasy Artist XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Oglaf! -- Comics. Often dirty. XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Oh Joy Sex Toy XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
Order of the Stick XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
Original Fiction Archives - Reactor XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
OSnews XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Paul Graham: Unofficial RSS Feed XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Penny Arcade XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Penny Red XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
PHD Comics XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Phil's blog XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
Planet Debian XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Planet GNU XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Planet Lisp XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Pluralistic: Daily links from Cory Doctorow XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
PS238 by Aaron Williams XML 04:07, Tuesday, 29 July 04:55, Tuesday, 29 July
QC RSS XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
Radar XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
RevK®'s ramblings XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
Richard Stallman's Political Notes XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Scenes From A Multiverse XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
Schneier on Security XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
SCHNEWS.ORG.UK XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
Scripting News XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Seth's Blog XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
Skin Horse XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Spinnerette XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
Tales From the Riverbank XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
The Adventures of Dr. McNinja XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
The Bumpycat sat on the mat XML 04:07, Tuesday, 29 July 04:47, Tuesday, 29 July
The Daily WTF XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
The Monochrome Mob XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
The Non-Adventures of Wonderella XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
The Old New Thing XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
The Open Source Grid Engine Blog XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
The Stranger XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
towerhamletsalarm XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
Twokinds XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
UK Indymedia Features XML 03:42, Tuesday, 29 July 04:24, Tuesday, 29 July
Uploads from ne11y XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
Uploads from piasladic XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July
Use Sword on Monster XML 04:07, Tuesday, 29 July 04:54, Tuesday, 29 July
Wayward Sons: Legends - Sci-Fi Full Page Webcomic - Updates Daily XML 04:07, Tuesday, 29 July 04:53, Tuesday, 29 July
what if? XML 04:07, Tuesday, 29 July 04:48, Tuesday, 29 July
Whatever XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
Whitechapel Anarchist Group XML 03:28, Tuesday, 29 July 04:17, Tuesday, 29 July
WIL WHEATON dot NET XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
wish XML 04:14, Tuesday, 29 July 04:59, Tuesday, 29 July
Writing the Bright Fantastic XML 04:14, Tuesday, 29 July 04:58, Tuesday, 29 July
xkcd.com XML 04:14, Tuesday, 29 July 04:57, Tuesday, 29 July